This Week in Petard-Hoisting, the Palin Edition

pitbull.jpg

If you are the sort of person who looks at odd legal rulings and opinions, you may remember that a few years ago the US DOJ issued an opinion that stored emails are not protected under the Stored Communications Act. The DOJ reasoning is that when you leave read email on your server, it’s not a temporary copy that is needed for the communications (like a mail spool), and not a backup.

This reasoning is bizarre to people who use protocols like IMAP precisely as a backup. It’s also bizarre to people who wonder why the DOJ would argue that stored communications are not Stored Communications. Those people tend to think that perhaps this would mean that if those stored emails are not Stored, then it wouldn’t be illegal for the DOJ to just kindly request that copies of them be pulled from an ISP’s storage (as opposed to their Storage) and be handed over, just in case you’ve been doing whatever.

The EFF has posted an interesting opinion, one that points out that if stored email is not Stored, then the people who reset Sarah Palin’s password and read her email probably did not commit a crime under the DOJ’s own interpretations of the law.

There doesn’t seem to be much wrong with this reasoning. In any event, it’s going to make it hard to prosecute the miscreants, because they will have to explain to a judge why they changed their mind, or why there is one law for veep candidates and one or everyone else. Way to go, guys.

Whatever one’s opinion of Ms Palin, it’s hard to defend violating her privacy. Let’s hope this leads the DOJ to conclude that when you take communications and store them that they would be protected under the Stored Communications Act. As usual, the word is “oops.”

(Many people will note that there are undoubtably plenty of other laws to charge them under, starting with the Computer Fraud and Abuse Act. But any good prosecutor can find something to charge someone with. The point is about upholding and enforcing existing laws.)

Photo “Hockey Mom Makeover” by julie.anna.

Help fund historic computers at Bletchley Park

transport for London.jpg

Bletchley Park, the site in the UK where WWII code-breaking was done, has a computing museum. The showpiece of that museum is Colossus, one of world’s first computers. (If you pick the right set of adjectives, you can say “first.” Those adjectives are apparently, “electronic” and “programmable.”) It has been rebuilt over the last fourteen years by a dedicated team, who have managed to figure out how it was constructed despite all the plans and actual machines having been dismantled.

Of course, keeping such things running requires cash, and Bletchley Park has been scrambling for it for years now. The BBC reports that IBM and PGP have started a consortium of high-tech companies to help fund the museum, starting with £57,000 (which appears to be what the exchange rate is on $100,000). PGP has also set up a web page for contributions through PayPal at http://www.pgp.com/stationx, and if you contribute at least £25 (these days actually less than $50), you get a limited-edition t-shirt complete with a cryptographic message on it.

An interesting facet of the news is that Bletchley Park is a British site and the companies starting this funding initiative are each American companies. Additionally, while PGP is an encryption company and thus has a connection to Bletchley Park as a codebreaking organization, one of the major points that PGP and IBM are making is that Bletchley Park is indeed a birthplace (if not the birthplace) of computing in general.

This is an interesting viewpoint, particularly if you consider the connection of Alan Turing himself. Turing’s impact on computing in general is more than his specific contributions to computers — he was a mathematician far more than an engineer. He was involved in designing Colossus, but the real credit goes to Tommy Flowers, who actually built the thing.

If we look at the history of computing, an interesting thing seems to have happened. The Allies built Colossus during the war, and then when the war ended agreed to forget about it. The Colossi were all smashed, but many people involved went elsewhere and took what they learned from Colossus to make all the early computers that seemed to have names that end in “-IAC.”

(A major exception is the work of Konrad Zuse, who not only built mechanical programmable computers before these electronic ones, but some early electronic ones, as well.)

This outgrowth from Colossus also seems to include the work that turned IBM from being a company that primarily made punched cards and typewriters to one that made computers. It is thus nice to see IBM the computing giant pointing to Colossus and Bletchley as a piece of history worth saving along with the cryptographers at PGP. It is their history, too.

I think this dual parentage makes Bletchley Park doubly worth saving. The information economy has computers and information security at its core, and Colossus sits at the origins of both. Please join us in helping save the history of the information society.

The Hazards of Not Using RFC 1918

ie8_smartscreen.jpg

RFC 1918 is a best-current-practicies RFC that describes network address ranges that we all agree we won’t use globally. They get used for private networks, NAT ranges and so on. There are three ranges:

10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255

They are thus the Internet equivalent of the American phone system not using the exchange 555, only more useful. If you need to give an example IP address, you can use one of those without causing anyone consternation or irritation.

An example of why you want to use one of these addresses can be found (at least for the next few minutes) at Microsoft’s site for the IE 8 beta. One of the IE 8 features is the “SmartScreen Filter” which can tell you IP addresses you’re best not going to. An example is the picture accompanying my post.

If you check out that address, 207.68.196.170, at ARIN Whois, you find out that it’s owned by Microsoft themselves.

I suppose that using one of your own addresses as a hazardous address is better than using someone else’s, but immature people like Your Friendly Author will titter over it and point it out to other people as well.

There’s a reason RFC 1918 exists, and this is one of them. Oh, by the way, be sure to look at RFC 2606, which reserves the domains example.com, example.net, and example.org. It also reserves the top-level domains .test, .example, .invalid, and .localhost. Remember them.

Write Keyloggers Professionally!

keylogger.jpg

GetAFreelancer.com has a job for you if you need some high-paid work — write a remote keylogger.

Here are the project requirements:

We need a keylogger that can be installed remotely.

Description:
The main purpose is that the user A can send an email with a program to install (example: a game or a funny program) to the person B. When the person B install the program on his computer, he is installing at the same time an invisible keylogger on his computer. Then the person A is receiving the report by email of every keystrokes that the person B is doing on his computer.

They only want to pay $250 to $750, which seems fair given that the requirements don’t include undetectability. For that low a contract price, it seems only fair to give the victim a fighting chance.

Photo “Keylogger 1.0 Beta” by soulrift.

The Omnivore’s Hundred

I find it interesting that security people and foodies are strongly correlated. Or at least are strongly correlated among the ones I know. Very Good Taste has a list of things called The Omnivore’s Hundred, a list of things worth trying, modulo this and that. You mark things you have tried, and mark things you would never try or try again.

I found it via Cygnoir, who also gave a pointer to an easy-to-fill-out web page that will give HTML.

My results of that page are below.

—————————————–

The Food tasting meme


  1. Copy this list into your blog or journal, including these instructions.
  2. Bold all the items you.ve eaten.
  3. Cross out any items that you would never consider eating (or eating again)
  4. Optional extra: Post a comment http://www.verygoodtaste.co.uk linking to your results.

To make the filling out of this form and generating the HTML for it a bit easier, [info]reddywhp has played around with some PHP. Go to http://reddywhip.org/lj/foods/ and fill it out there. After filling it out, you will be given the code to copy and paste into your blog.

Livejournal users, remember to use your LJ-Cuts!

  1. Venison
  2. Nettle tea
  3. Huevos rancheros
  4. Steak tartare
  5. Crocodile
  6. Black pudding
  7. Cheese fondue
  8. Carp
  9. Borscht
  10. Baba ghanoush
  11. Calamari
  12. Pho
  13. PB&J sandwich
  14. Aloo gobi
  15. Hot dog from a street cart
  16. Epoisses
  17. Black truffle
  18. Fruit wine made from something other than grapes
  19. Steamed pork buns
  20. Pistachio ice cream
  21. Heirloom tomatoes
  22. Fresh wild berries
  23. Foie gras
  24. Rice and beans
  25. Brawn, or head cheese
  26. Raw Scotch Bonnet pepper
  27. Dulce de leche
  28. Oysters
  29. Baklava
  30. Bagna cauda
  31. Wasabi peas
  32. Clam chowder in a sourdough bowl
  33. Salted lassi
  34. Sauerkraut
  35. Root beer float
  36. Cognac with a fat cigar
  37. Clotted cream tea
  38. Vodka jelly
  39. Gumbo
  40. Oxtail
  41. Curried goat
  42. Whole insects
  43. Phaal
  44. Goat’s milk
  45. Malt whisky from a bottle worth $120 or more
  46. Fugu
  47. Chicken tikka masala
  48. Eel
  49. Krispy Kreme original glazed doughnut
  50. Sea urchin
  51. Prickly pear
  52. Umeboshi
  53. Abalone
  54. Paneer
  55. McDonald’s Big Mac Meal
  56. Spaetzle
  57. Dirty gin martini
  58. Beer above 8% ABV
  59. Poutine
  60. Carob chips
  61. S’mores
  62. Sweetbreads
  63. Kaolin
  64. Currywurst
  65. Durian
  66. Frog’s Legs
  67. Beignets, churros, elephant ears or funnel cake
  68. Haggis
  69. Fried plantain
  70. Chitterlings or andouillette
  71. Gazpacho
  72. Caviar and blini
  73. Louche absinthe
  74. Gjetost or brunost
  75. Roadkill
  76. Baijiu
  77. Hostess Fruit Pie
  78. Snail
  79. Lapsang souchong
  80. Bellini
  81. Tom yum
  82. Eggs Benedict
  83. Pocky
  84. Tasting menu at a three-Michelin-star restaurant
  85. Kobe beef
  86. Hare
  87. Goulash
  88. Flowers
  89. Horse
  90. Criollo chocolate
  91. Spam
  92. Soft shell crab
  93. Rose harissa
  94. Catfish
  95. Mole poblano
  96. Bagel and lox
  97. Lobster Thermidor
  98. Polenta
  99. Jamaican Blue Mountain coffee
  100. Snake

This Is Not Writing; You Are Not Reading

The Paper of Record has a hilarious article, “Literacy Debate: Online, R U Really Reading?” which asks important questions about what Those Darn Kids are doing — spending their time using a mixture of hot media and cold media delivered to them over the internets.

I’ll get right to the point before I start ridiculing the ridiculous, and answer the question. No. Of course not. It’s not really reading. This is not text. It is not the product of hot lead type lovingly smearing a mix of kerosene and soot over wood pulp. It’s a bunch of pixels, and those pixels are whispering directly into your brain. You are not reading, you’re hearing my snarky voice directly massaging your neurons. That doesn’t happen when you read. People don’t see things or hear things when they read. Ask Anne Fadiman if you don’t believe me. She knows.

Let’s look at some of the statements in the article:

Few who believe in the potential of the Web deny the value of books. But they argue that it is unrealistic to expect all children to read “To Kill a Mockingbird??? or “Pride and Prejudice??? for fun.

It is unrealistic to expect any children to read Austen. Austen is arguably the second best writer in all of English, but she requires emotional experiences that children do not have. Pride and Prejudice is no more children’s reading than 1984 is. Trust me on this, I know. I read 1984 when I was ten, and when I re-read it in college, I was gobsmacked to learn that there is sex in it.

Some traditionalists warn that digital reading is the intellectual equivalent of empty calories. Often, they argue, writers on the Internet employ a cryptic argot that vexes teachers and parents. Zigzagging through a cornucopia of words, pictures, video and sounds, they say, distracts more than strengthens readers.

They said pretty much the same about Dickens. Until relatively recently, no serious scholar of literature (read college professor) would admit to reading Dickens. Personally, I agree. These days he’s considered a classic, and the non-serious scholars won’t admit to reading him.

Last fall the National Endowment for the Arts issued a sobering report linking flat or declining national reading test scores among teenagers with the slump in the proportion of adolescents who said they read for fun.

And of course we can fix this by denigrating what they do read, as opposed to finding things for them worth reading.

“Whatever the benefits of newer electronic media,??? Dana Gioia, the chairman of the N.E.A., wrote in the report’s introduction, “they provide no measurable substitute for the intellectual and personal development initiated and sustained by frequent reading.???

I’ll do my part. I resolve to start writing my blog posts, okay? Do you want them in printing or copperplate?

[Synopsis: Nadia’s mother tries to instill a love of books in Nadia. Nadia does not respond until they get a computer, when Nadia gives up TV for fanfic.]

Now [Nadia] regularly reads stories that run as long as 45 Web pages. Many of them have elliptical plots and are sprinkled with spelling and grammatical errors.

Which the masters of modern literature such as Pynchon and Joyce would never do. Austen never had elliptical plots, they were circular, and she was merely eccentric.

Nadia said she wanted to major in English at college and someday hopes to be published. She does not see a problem with reading few books. “No one’s ever said you should read more books to get into college,??? she said.

And this is a problem?

Reading skills are also valued by employers. A 2006 survey by the Conference Board, which conducts research for business leaders, found that nearly 90 percent of employers rated “reading comprehension??? as “very important??? for workers with bachelor’s degrees.

I don’t know about you, but I wonder what sort of people the 10+% of employers are who think that reading comprehension is not very important. What sort of Dilbert-refugees are they? I find that “nearly 90%” to be disturbing.

Some literacy experts say that reading itself should be redefined. Interpreting videos or pictures, they say, may be as important a skill as analyzing a novel or a poem.

Ah, the word “may.” I’ve ranted about it before. It is true that interpreting pictures may be as important as analyzing a novel. It certainly is if you want to appreciate El Greco. But that’s not the point. As much as I like sneering at moderns who think Dickens is literature, times change. It may, indeed. Joyce may have written grammatically. Austen may be suitable for children. Reading comprehension may be important for workers with bachelor’s degrees. And Shakespeare’s works may have been written by another man of the same name.

I am disdainful of hot media, but the Web is the rennaissance of cold media. It’s an aberration in a slide to hotter and hotter media. Also realize that cold media is relatively recent. Most of human history had its literature in songs and pantomime.

Lastly, remember that kids have been no damned good for as long as we’ve been writing at all. The pinnacle of civilization was when we were in the caves, and it’s been a long slow slide into perdition ever since. Every generation is worse than the previous one. It will continue to be that way. These kids are going to sigh with exasperation and not understand why their kids roll their eyes at Sailor Moon. And they just not going to understand the true art form of fanfic and slashfic. Tsk.

Instant Ice Age

Science reports in, “The Year the World Froze Over:”

It sounds like the stuff of science fiction, but nearly 13 millennia ago Europe was plunged suddenly into a deep freeze that lasted 1300 years–and the change happened in little more than a year, according to new data. The evidence also suggests that strong winds, not ocean currents, drove the rapid climate change.

Well worth reading.

Black Hat (Live) Blog: Keynote

Ian Angell from the London School of Economics gave a great keynote on complexity in systems and how the desire to categorize, enumerate, and add technology can break things in interesting ways.

An example of his: there’s an increasing desire among politicians and law enforcement to create huge DNA databases for forensic purposes, to aid in crime fighting and whatever. This will work until criminals start collecting DNA samples and scatter them at a crime scene creating confusion.

Angell didn’t mention a counter-measure, and I have one that I’m sure the politicos will want to use: make the possession of DNA a crime. There’s the obvious exemption for your own DNA, but this brings new and important expansions of the old standby of “inappropriate contact.”

This brings me to a complaint and irony about the “improvements” to Black Hat this year. The ironies occurred to me as Angell was speaking, talking about the ways added complexity brings new ways to fail.

One of the Black Hat improvements is that Black Hat is adopting a number of cool web-isms. There’s a Twitter feed, for example. They’re encouraging blogging by handing out blogging credentials for Defcon. This good and cool.

However, one of the other improvements is to move The Wall of Sheep from Defcon to Blackhat. Professor Angell’s cat Oscar would have a thing or two to say about that. However, Nick Matthewson of Tor said it best, I think.

If you are not familiar with The Wall of Sheep, it is a project in which the shepherds run a protocol analyzer on the network looking people using insecure protocols, plaintext passwords, and the lot. They quasi-anonymize them and then offer them up for what in Puritan days would be a pillory.

Nick’s comment about this, was that it’s a very 1990s thing. Here we are in the late aughties, and you have assume that if someone is at a security conference and using a non-secure protocol, that it is a lot like not wearing pants. If you’re at a conference in Vegas and someone there is not wearing pants, it’s probably wise to assume that they know they’re not wearing pants, and that they are not wearing pants for some reason.

I was paying enough attention at the time to note that Nick was wearing a kilt when he said that.

The Wall of Sheep is the Pants Police. They run a Pants Panopticon in which they rush around madly looking for people with no pants and posting them up on the Wall of No Pants. They’ve decided on their own that a lack of pants is a ridiculable offense, even for people who know they’re not wearing pants, and don’t care what you can see. Even moreso, they also post the mere rumor of pantslessness. I have heard tell that some people enjoy hacking the Pants Police by telnetting to some service and typing in usernames and passwords to be sniffed. I would never do that myself, but I’ve heard stories. They’re actually more the Pants TSA than the Pants Police, but Pants TSA doesn’t alliterate.

The Angell-quality irony here is that all these new communications systems that on the one hand we’re being encouraged to use are — questionable. Twitter looks a lot like knickers to me. And let’s face it, WordPress won a Pwnie award for the incredible number of vulns they’ve coded.

In short, you’d be a fool to use Twitter at Black Hat, or to blog, or — well, use DNS. For Pete’s sake, we’re being told to set up manual arp entries. (Yes, I know. You can use a VPN, or you mobile, or something else. That’s all very good, but once the Pants Police decide your Bermudas look like Speedos to them….)

The message of Black Hat that people should take away is that nothing is safe. That’s not necessarily bad. If we wanted houses to be safe as houses, we’d take out the windows and turn off the electricity. Technology is risk, as Angell said eloquently and entertainingly.

This is just more of the security wags naming, shaming, and blaming the victims. Is the message that one should take away from Black Hat is not to use a computer there? Even Professor Angell isn’t that pessimistic. He thinks that four ounces in an eight-ounce tumbler means you have too much glass.

Which is it at Black Hat? Web or no web? Pick one. Either Black Hat is (like Defcon) an open free-for-all in which griefing is just another way to spell 1337 and you’re a fool to bring electronics, or it’s an information exchange between smart people who blog, Tweet, and Plurk. Is a handshake a greeting, or a way to get a DNA sample? Are we using cutting edge or trailing edge technologies? If the former, remember that their security is going to suck until they get beat up — cutting edge techs can make you bleed. To phrase it another way, pick a century we’re in — 20 or 21. It matters less which one you pick than that you pick.

I hope it’s 21. I think Twitter is twee, but I’ve been using it and I smile when I do. (Plurk is much cooler, but I can hear The Good, The Bad, and The Ugly theme every time I go there.) I truly believe that blogging is just journalism in the cheapest free press civilization has ever had. AJAX is scary, but it’s scary in the way that driving a go-cart is scary. I don’t want to have to worry about the Pants Police, too, to make fun of me if I’ve misconfigured something I’m not as adept at as IRC. I’d like to deliver a live blog about the opening keynote on the day it was given, as opposed to while I’m still alive.

I think Black Hat is moving in a very good direction to make information flow better, more interesting, and more fun. Let’s just leave the old school hectoring back in dot.com era, and find out how to fix the new things by using them.

Does this mean we can revise our opinion of Friday the 13th?

Knights Templar Being Burned

According to The Daily Telegraph, the Knights Templar are suing the Vatican for all that money they lost in 1307. (The Telegraph has a companion article here as well.)

This adds up to a nice round €100 billion. The Telegraph didn’t say whether that is American billions (thousand million, 109) or English billions (million million, 1012), and given that the Templars were The World Bank of the turn of the previous millennium and there’s 700 years of interest involved, it’s not obvious how many zeroes need to go at the end.

Last October, the Vatican released copies of the parchments documenting the Templar Trials after having them been “misfiled” for over three hundred years. (My house has nearly as many books as the Vatican, squished into a much smaller space, so I completely understand how that could happen.)

These parchments reveal that in fact the Templars were found to be not guilty of heresy at the time, but Pope Clement V let them be disbanded and burned at the stake anyway because King Philip IV of France was being really cranky about it. (If you follow US foreign policy, you should completely understand how that could happen, as well.)

The major dodgy thing about the suit is that the Spanish group claims that their suit is not to reclaim damages but only to restore the good name of the Templars. Yeah, uh huh, sure. Then why aren’t you suing for a single Euro?

Perhaps the Freemasons will weigh in on this. Among the many Fun Templar Facts, there’s a surprisingly good theory that they’re founded by escaped Templars. Other Fun Templar Facts include that Friday the 13th is considered unlucky because that’s when they were all rounded up; that the burned Templar Grand Master, Jacques de Molay, was the 23rd Grand Master; and that Jacques de Molay was the inventor of Molé sauce.

Photo is of Jacques de Molay being sent to burn at the stake, via the GETTY and the Daily Telegraph web site.

Cleared Traveler Data Lost

Finger on print reader

Verified Identity Pass, Inc., who run the Clear service have lost a laptop containing information of 33,000 customers. According to KPIX in “Laptop Discovery May End SFO Security Scare” the “alleged theft of the unencrypted laptop” lost information including

names, addresses, birth dates and some applicants’ driver’s license numbers and passport information, but does not include applicants’ credit card information or Social Security numbers, according to the company.

We are also told:

The information is secured by two levels of password protection, the company reported.

Two levels of passwords. Wow. I guess you don’t need to encrypt if you have two levels of passwords.

The TSA suspended enrollment of new customers, but existing customers can still use the service. So if you stole the data and can use it, you’re Clear.

Update: They found the device. Chron article here. “It was not in an obvious location,” said a spokesperson.

New FISA Analysis

Vox Libertas, a blogger at the Daily Kos has written an analysis of the new US FISA law in his article, “I think I understand the FISA bill. Do I?

Vox Libertas has taken an approach that I can appreciate. On the one hand, many people are unhappy with the telecom immunity. I’m one of them. But people I respect are also saying that it’s a good compromise, and compromise means you don’t get everything you want.

Vox Libertas goes to the trouble of (shock, horror) reading the primary sources and explaining what’s in the new FISA bill. He also shows his own sources.

No matter what you think, this is worth reading.

Laptops and border crossings

The New York Times has in an editorial, “The Government and Your Laptop” a plea for Congress to pass a law to ensure that laptops (along with phones, etc.) are not seized at borders without reasonable suspicion.

The have the interesting statistic that in a survey by the Association of Corporate Travel Executives, 7 of 100 respondents reported a laptop or other electronic device seized. Of course, this indicates a problem with metrics. It almost certainly does not mean a 7% seizure rate, as I’ve seen this inflated to. These seizures are such an outrageous thing that the people who have been subjected to them are properly and justifiably outraged. They’re not going to toss the survey in the trash.

I’m not sure how much I like the idea that Congress should pass a law to ensure that the fourth amendment is met. Part of me grits my teeth, as I think it should happen on its own. But if the courts aren’t going to agree, that probably has to happen.

On Gaming Security

Adam comments on Dave Maynor commenting on Blizzard selling authentication tokens.

Since I have the ability to comment here, I shall.

This isn’t the case of a game having better security than most banks (as Maynor says). This is a game company leaping ahead of some banks, because they realize they have bank-like security issues.

It’s been a year or so since I read on El Reg that on the black market, a credit card number sells for (as I remember) £5, but a WoW account sells for £7. I would look up the exact reference, but I’m not in the mood. Your search skills are likely as good as mine.

The exact reasons for this are a bit of a mystery, but there are some non-mysterious ones. There is a black market for WoW gold and (to a lesser extent) artifacts. That black market is shuddering because Blizzard has done a lot to crack down on it. (Blizzard’s countermeasures are one main reason that the artifact market is low. Most artifacts become bound to one character when used, and so are not transferrable and so are not salable.) Nonetheless, many WoW players have gold in their pockets that would sell for hundreds to thousands of dollars on this black market.

(If you think from this, that WoW can be a profitable hobby, think again. That many players have gold worth some real change says more about the time they have spent playing than anything else. If you live in a first-world country, you can earn far more flipping burgers than playing WoW. It is only if you are in a third-world country that WoW is a reasonable career choice.)

This means that by putting a keylogger on someone’s system, you can steal a pretty penny from them and sell it on the black market. A not-insignificant number of WoW players have logged into their accounts to find their characters naked and penniless. However, there’s an interesting twist on this. Blizzard can and does restore the lost gold and items.

Presumably, Blizzard has a transaction log and can rewind it. However, this is work for them and annoyance for the victim. Two-factor authentication will lower Blizzard’s costs but fear of robbery is high enough among the players that they’re snapping these things up and are willing to pay for them.

Bank customers rightly think that increased security is something that the bank should pay for. So in the banking world, the cost-benefit calculation of two-factor authentication is complex. In the gaming world, it’s pretty straightforward. Since Blizzard can shift the cost of the device to the customer base, it’s easier to justify.

Sounds Like — Chomsky

The book Talking Hands

The New Scientist reports that “Charades reveals a universal sentence structure.”

Susan Golden-Meadow, a linguistic psychologist at the University of Chicago, led a team that found that speakers of most languages use the same simple sentence structure when miming, regardless of the structure of the language they speak. A demonstration movie is here.

That structure is postfix notation — subject, object, verb. For example, mice cheese eat.