Politics, Weather, Photography, and the Dog
Page 1 of 3 in the SoftwareSecurity category Next Page
Wednesday 9 July 2014

For the last couple of days, I've had trouble getting to Microsoft's Azure blog. From my office in downtown Chicago, clicking the link gives me an error message:

The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.

However, going to the same URL from a virtual machine on Azure takes me to the blog. So what's going on here? It took a little detective work, but I think Microsoft has a configuration error one of a set of geographically-distributed Azure web sites, they don't know about it, and there's no way to tell them.

The first step in diagnosing a problem like this is to see if it's local. Is there something about the network I'm on that prevents me from seeing the website? This is unlikely for a few big reasons: first, when a local network blocks or fails to connect to an outside site, usually nothing at all happens. This is how the Great Firewall of China works, because someone trying to get to a "forbidden" address may get there slowly, normally, or not at all—and it just looks like a glitch. Second, though, the root Azure site is completely accessible. Only the Blog directory has an error message. Finally, the error message is coming from the foreign system. Chrome confirms this; there's a HTTP 200 (OK) response with the content I see.

All right, so the Azure Blog is down. But that doesn't make a lot of sense. Thousands of people read the Azure blog every day; if it were down, surely Microsoft would have noticed, right?

So for my next test, I spun up an Azure Virtual Machine (VM) and tried to connect from there. Bing! No problem. There's the blog.

Now we're onto something. So let's take a look at where my local computer thinks it's going, and where the VM thinks it's going. Here's the nslookup result for my local machine, both from my company's DNS server and from Google's 8.8.8.8 server:

Now here's what the VM sees:

Well, now, that is interesting.

From my local computer, sitting in downtown Chicago, both Google and my company's DNS servers point "azure.microsoft.com" to an Azure web site sitting in the North Central U.S. data center, right here in Chicago. But for the VM, which itself is running in the East U.S. data center in southern Virginia, both Microsoft's and Google's DNS servers point the same domain to an Azure web site also within the East U.S. data center.

It looks like both Microsoft and Google are using geographic load-balancing and some clever routing to return DNS addresses based on where the DNS request comes from. I'd bet if I spun up an Azure VM in the U.S. West data center, both would send me to the Azure blog running out there.

This is what massive load balancing looks like from the outside, by the way. If you've put your systems together correctly, users will go to the nearest servers for your content, and they'll never realize it.

Unfortunately, the North Central U.S. instance of the Microsoft Azure blog is down, has been down for several days, and won't come up again until someone at Microsoft realizes it's down. Also, Microsoft makes it practically impossible to notify them that something is broken. So those of us in Chicago will just have to read about Azure on our Azure VMs until someone in Redmond fixes their broken server. I hope they read my blog.

Wednesday 9 July 2014 10:26:44 CDT (UTC-05:00)  |  | Blogs | Cloud | Security | Windows Azure#
Thursday 19 June 2014

No, not aviation routing; IP routing.

From the Terminal 2 American Airlines club, I am unable to hit most *.cloudapp.net IP addresses. This is significant because it's basically all of Microsoft Azure, including logon.microsoft.net, Weather Now, and a bunch of other sites I use or have some responsibility for.

I've just spent a few minutes testing DNS (everything is fine there) and then using tracert and pathping, and it looks like the entire 168.62.0.0/16 and 168.61.0.0/16 ranges are just not visible from here. (The Daily Parker is also in Azure, but its IP is in the 191.238.0.0/16 subnet, which seems to be visible just fine.)

I wonder if Microsoft knows that its U.S. East data center is being blocked by some French ISP? Or why?

Thursday 19 June 2014 15:53:25 CEST (UTC+02:00)  |  | Cloud | Security#
Tuesday 13 May 2014

Security expert Bruce Schneier is not an alarmist, but he is alarmed:

In addition to turning the Internet into a worldwide surveillance platform, the NSA has surreptitiously weakened the products, protocols, and standards we all use to protect ourselves. By doing so, it has destroyed the trust that underlies the Internet. We need that trust back.

By weakening security, we are weakening it against all attackers. By inserting vulnerabilities, we are making everyone vulnerable. The same vulnerabilities used by intelligence agencies to spy on each other are used by criminals to steal your passwords. It is surveillance versus security, and we all rise and fall together.

Security needs to win. The Internet is too important to the world -- and trust is too important to the Internet -- to squander it like this. We'll never get every power in the world to agree not to subvert the parts of the Internet they control, but we can stop subverting the parts we control. Most of the high-tech companies that make the Internet work are US companies, so our influence is disproportionate. And once we stop subverting, we can credibly devote our resources to detecting and preventing subversion by others.

It really is kind of stunning how much damage our intelligence services have done to the security they claim to be protecting. I don't think everyone gets it right now, but the NSA's crippling the Internet will probably be our generation's Mosaddegh.

Monday 12 May 2014 21:06:16 CDT (UTC-05:00)  |  | US | World | Security#
Wednesday 30 April 2014

If so, these are queued up:

More later...

Wednesday 30 April 2014 09:38:27 CDT (UTC-05:00)  |  | Chicago | Cubs | US | Security#
Wednesday 9 April 2014

Bruce Schneier, not one for hyperbole, calls the Heartbleed defect an 11 on a 10 scale:

Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it.

"Catastrophic" is the right word.

At this point, the odds are close to one that every target has had its private keys extracted by multiple intelligence agencies. The real question is whether or not someone deliberately inserted this bug into OpenSSL, and has had two years of unfettered access to everything. My guess is accident, but I have no proof.

It turns out, Windows systems don't use OpenSSL very much, favoring TLS 1.2 these days. So if you're visiting a Windows system (basically anything with ".aspx" at the end), you're fine.

Still, if you've used Yahoo! or any other system that has this bug, change your password. Now.

Wednesday 9 April 2014 08:34:32 CDT (UTC-05:00)  |  | Security#
Tuesday 18 March 2014

At 8:16 this morning, a long-time client sent me an email saying that one of his customers couldn't was getting a strange bug in their scheduling application. They could see everything except for the tabbed UI control they needed to use. In other words, there was a hole in the screen where the data entry should have been.

Here's how the rest of the day went around this issue. It's the kind of thing that makes me proud to be an engineer, in the same way the guys who built Galloping Gertie were proud.

The whole story is past the jump...

Monday 17 March 2014 23:26:14 CDT (UTC-05:00)  |  | Business | Cloud | Security | Windows Azure | Work#
Thursday 27 February 2014

Security guru Bruce Schneier wonders if the iOS security flaw recently reported was deliberate:

Last October, I speculated on the best ways to go about designing and implementing a software backdoor. I suggested three characteristics of a good backdoor: low chance of discovery, high deniability if discovered, and minimal conspiracy to implement.

The critical iOS vulnerability that Apple patched last week is an excellent example. Look at the code. What caused the vulnerability is a single line of code: a second "goto fail;" statement. Since that statement isn't a conditional, it causes the whole procedure to terminate.

If the Apple auditing system is any good, they would be able to trace this errant goto line not just to the source-code check-in details, but to the specific login that made the change. And they would quickly know whether this was just an error, or a deliberate change by a bad actor. Does anyone know what's going on inside Apple?

Schneier has argued previously that the NSA's biggest mistake was dishonesty. Because we don't know what they're up to, and because they've lied so often about it, people start to believe the worst about technology flaws. This Apple error could have been a stupid programmer error, merge conflict, or something in that category. But we no longer trust Apple to work in our best interests.

This is a sad state of affairs.

Thursday 27 February 2014 08:27:46 CST (UTC-06:00)  |  | US | Software | Business | Security#
Saturday 8 February 2014

I've figured out the hotel's WiFi. It's not the slowest Internet connection in the world; it's the slowest SSL in the world. In other words, they're not really throttling the Internet per se. But somewhere between here and the U.S., someone is only letting through a very few secure packets.

The genius of this is that things like restaurant reviews (think: TripAdvisor.com) come up normally. But just try to get your email, check your airline reservations, or heaven forbid, get to your bank's website. It's excruciating.

Normal port-80 traffic is running about 500 kbps. That's not especially fast, but it's not painful. But SSL traffic is getting to my laptop at 100 kbps peak speeds and 30 kbps average speeds. Let's party like it's 1999! W00t!

Further, I can't tell where the bottleneck is. Anyone from here to Miami could be throttling SSL: the local Sint Maarten ISP, the hotel, the government of Sint Maarten, the government of the U.S....there's no way to tell. It's just like the Chinese firewall, maddening, inefficient, almost certainly deliberate, but too difficult to diagnose to ever find the right face to punch.

I have a very simple problem to solve that my hotel's WiFi is preventing me from solving. That makes me very annoyed. This will, I assure you, go on my Trip Advisor review.

Saturday 8 February 2014 19:45:29 AST (UTC-04:00)  |  | Security | Travel#
Tuesday 4 February 2014

If most of what Jason Harrington wrote in Politico last week is true, I'm disappointed to have my suspicions confirmed:

Each day I had to look into the eyes of passengers in niqabs and thawbs undergoing full-body pat-downs, having been guilty of nothing besides holding passports from the wrong nations. As the son of a German-American mother and an African-American father who was born in the Jim Crow South, I can pass for Middle Eastern, so the glares directed at me felt particularly accusatory. The thought nagged at me that I was enabling the same government-sanctioned bigotry my father had fought so hard to escape.

Most of us knew the directives were questionable, but orders were orders. And in practice, officers with common sense were able to cut corners on the most absurd rules, provided supervisors or managers weren’t looking.

[T]he only people who hated the body-scanners more than the public were TSA employees themselves. Many of my co-workers felt uncomfortable even standing next to the radiation-emitting machines we were forcing members of the public to stand inside. Several told me they submitted formal requests for dosimeters, to measure their exposure to radiation. The agency’s stance was that dosimeters were not necessary—the radiation doses from the machines were perfectly acceptable, they told us. We would just have to take their word for it. When concerned passengers—usually pregnant women—asked how much radiation the machines emitted and whether they were safe, we were instructed by our superiors to assure them everything was fine.

In one of his blog posts, Harrington points to "the neurotic, collectively 9/11-traumatized, pathological nature of American airport security" as the source of all this wasted effort and money.

I've always thought TSA screeners are doing the best they can with the ridiculous, contradictory orders they have. It's got to be at least as frustrating for them as it is for us. Harrington pretty much confirms that.

Tuesday 4 February 2014 09:23:43 CST (UTC-06:00)  |  | Aviation | Security | Travel#
Tuesday 14 January 2014

CNN national-security analyst Peter Bergen argues that the NSA, CIA, and FBI had all the information they needed to prevent 9/11, but the Bush Administration failed to follow through. Providing more tools to the NSA would do nothing except give them more power:

The government missed multiple opportunities to catch al Qaeda hijacker Khalid al-Mihdhar when he was living in San Diego for a year and a half in the run up to 9/11, not because it lacked access to all Americans phone records but because it didn't share the information it already possessed about the soon-to-be hijacker within other branches of the government.

The CIA also did not alert the FBI about the identities of the suspected terrorists so that the bureau could look for them once they were inside the United States.

These multiple missed opportunities challenge the administration's claims that the NSA's bulk phone data surveillance program could have prevented the 9/11 attacks. The key problem was one of information sharing, not the lack of information.

Since we can't run history backward, all we can say with certainty is that it is an indisputable fact that the proper sharing of intelligence by the CIA with other agencies about al-Mihdhar may well have derailed the 9/11 plot. And it is merely an untestable hypothesis that if the NSA bulk phone collection program had been in place at the time that it might have helped to find the soon-to-be-hijackers in San Diego.

Indeed, the overall problem for U.S. counterterrorism officials is not that they don't gather enough information from the bulk surveillance of American phone data but that they don't sufficiently understand or widely share the information they already possess that is derived from conventional law enforcement and intelligence techniques.

The blanket Hoovering up of data by the NSA threatens everyone's liberties. But that cost isn't worth the results by any measure, since the NSA isn't actually making us safer. Their arguments to fear don't change the existing evidence.

Tuesday 14 January 2014 11:23:03 CST (UTC-06:00)  |  | US | Security#
Monday 13 January 2014

Bruce Schneier makes the case:

We have no evidence that any of this surveillance makes us safer. NSA Director General Keith Alexander responded to these stories in June by claiming that he disrupted 54 terrorist plots. In October, he revised that number downward to 13, and then to "one or two." At this point, the only "plot" prevented was that of a San Diego man sending $8,500 to support a Somali militant group. We have been repeatedly told that these surveillance programs would have been able to stop 9/11, yet the NSA didn't detect the Boston bombings -- even though one of the two terrorists was on the watch list and the other had a sloppy social media trail. Bulk collection of data and metadata is an ineffective counterterrorism tool.

Not only is ubiquitous surveillance ineffective, it is extraordinarily costly. I don't mean just the budgets, which will continue to skyrocket. Or the diplomatic costs, as country after country learns of our surveillance programs against their citizens. I'm also talking about the cost to our society. It breaks so much of what our society has built. It breaks our political systems, as Congress is unable to provide any meaningful oversight and citizens are kept in the dark about what government does. It breaks our legal systems, as laws are ignored or reinterpreted, and people are unable to challenge government actions in court. It breaks our commercial systems, as US computer products and services are no longer trusted worldwide. It breaks our technical systems, as the very protocols of the Internet become untrusted. And it breaks our social systems; the loss of privacy, freedom, and liberty is much more damaging to our society than the occasional act of random violence.

It's all stuff he's said before, but it needs saying again.

Monday 13 January 2014 13:18:42 CST (UTC-06:00)  |  | US | Security#
Monday 28 October 2013

I just received an alert on a credit card I used to share with an ex. The account, which is in her name since we split, has a small balance for the first time in 6 years.

There are two possibilities here, which should be obvious:

1. My ex does not know I still receive alerts on her credit card.

2. My ex does not know the card is active again.

Regardless of which is true (and they both may be), she needs to know about it. Given that (2) could expose her to liability for fraud, so does the card issuer.

So I called Bank of America to point out these twin possibilities, and after arguing with their phone system for five minutes, finally got to speak with an agent. I cannot say the conversation went well. After I explained the situation, I said, "so you should let her know about this."

"Is Miss ---- there with you?"

"What? No, we haven't seen each other in years, which is why this is so odd."

"OK, but without her authorization I can't give out account information."

"I don't want any account information. You need to tell her that I am getting account information by email, and that an account I thought we closed in 2007 is active again."

"OK, she is getting the alerts too, so I will make a note on the account for when she calls in next time."

"She may not be getting the alerts, if she has a new email address. Look, I'm talking about potential fraud here, you need to call her today."

"OK, we will call her and let her know."

Look, I understand that some aspects of technology security are too esoteric for most people, and I'm sorry there wasn't a Customer Service script for this. But some flaw in B of A's systems allowed personal financial data to leak to someone who shouldn't have it (me), in such a way that the account owner (my ex) doesn't know about the leak. I'm trying to help you here.

Also, I'm posting these details here on the off-chance they don't let her know and that she ever reads this blog. So, if this post applies to you, I did what I could. And you may want to switch to a less-moronic card provider.

Monday 28 October 2013 11:30:36 CDT (UTC-05:00)  |  | Security#
Thursday 17 October 2013

The Chicago technology scene is tight. I just had a meeting with a guy I worked with from 2003-2004. Back then, we were both consultants on a project with a local financial services company. Today he's CTO of the company that bought it—so, really, the same company. Apparently, they're still using software I wrote back then, too.

I love when these things happen.

This guy was also witness to my biggest-ever screw-up. (By "biggest" I mean "costliest.") I won't go into details, except to say that whenever I write a SQL delete statement today, I do this first:

-- DELETE
SELECT *
FROM MissionCriticalDataWorthMillionsOfDollars
WHERE ID = 12345

That way, I get to see exactly what rows will be deleted before committing to the delete. Also, even if I accidentally hit <F5> before verifying the WHERE clause, all it will do is select more rows than I expect.

You can fill in the rest of the story on your own.

Thursday 17 October 2013 11:19:27 CDT (UTC-05:00)  |  | Kitchen Sink | Software | Business | Security | Work#
Friday 11 October 2013
Friday 11 October 2013 14:32:41 CDT (UTC-05:00)  |  | US | World | Security#
Friday 6 September 2013

Security guru Bruce Schneier has two essays in the Guardian this week. The first explains how the US government betrayed the Internet:

By subverting the internet at every level to make it a vast, multi-layered and robust surveillance platform, the NSA has undermined a fundamental social contract. The companies that build and manage our internet infrastructure, the companies that create and sell us our hardware and software, or the companies that host our data: we can no longer trust them to be ethical internet stewards.

I have resisted saying this up to now, and I am saddened to say it, but the US has proved to be an unethical steward of the internet. The UK is no better. The NSA's actions are legitimizing the internet abuses by China, Russia, Iran and others. We need to figure out new means of internet governance, ones that makes it harder for powerful tech countries to monitor everything. For example, we need to demand transparency, oversight, and accountability from our governments and corporations.

Unfortunately, this is going play directly into the hands of totalitarian governments that want to control their country's internet for even more extreme forms of surveillance. We need to figure out how to prevent that, too. We need to avoid the mistakes of the International Telecommunications Union, which has become a forum to legitimize bad government behavior, and create truly international governance that can't be dominated or abused by any one country.

He followed up today with a guide to staying secure against the NSA:

1) Hide in the network. Implement hidden services. Use Tor to anonymize yourself. Yes, the NSA targets Tor users, but it's work for them. The less obvious you are, the safer you are.

2) Encrypt your communications. Use TLS. Use IPsec. Again, while it's true that the NSA targets encrypted connections – and it may have explicit exploits against these protocols – you're much better protected than if you communicate in the clear.

There are three other points, all pretty simple.

Friday 6 September 2013 10:56:32 CDT (UTC-05:00)  |  | US | World | Security#
Monday 12 August 2013

Bruce Schneier thinks the NSA's plan to fire 90% of its sysadmins and replace them with automation has a flaw:

Does anyone know a sysadmin anywhere who believes it's possible to automate 90% of his job? Or who thinks any such automation will actually improve security?

[NSA Director Kieth Alexander is] stuck. Computerized systems require trusted people to administer them. And any agency with all that computing power is going to need thousands of sysadmins. Some of them are going to be whistleblowers.

Leaking secret information is the civil disobedience of our age. Alexander has to get used to it.

The agency's leaks have also forced the president's hand by opening up our security apparatus to public scrutiny—which he may have wanted to do anyway.

Monday 12 August 2013 18:19:43 CDT (UTC-05:00)  |  | US | Security#
Sunday 11 August 2013

Yes, I know the weather's beautiful in Chicago this weekend, but sometimes you just have to run with things. So that's what I did the last day and a half.

A few things collided in my head yesterday morning, and this afternoon my computing landscape looks completely different.

Sunday 11 August 2013 16:30:24 CDT (UTC-05:00)  |  | Business | Cloud | Security | Windows Azure | Work#
Wednesday 7 August 2013

Security guru Bruce Schneier warns about the lack of trust resulting from revelations about NSA domestic spying:

Both government agencies and corporations have cloaked themselves in so much secrecy that it's impossible to verify anything they say; revelation after revelation demonstrates that they've been lying to us regularly and tell the truth only when there's no alternative.

There's much more to come. Right now, the press has published only a tiny percentage of the documents Snowden took with him. And Snowden's files are only a tiny percentage of the number of secrets our government is keeping, awaiting the next whistle-blower.

Ronald Reagan once said "trust but verify." That works only if we can verify. In a world where everyone lies to us all the time, we have no choice but to trust blindly, and we have no reason to believe that anyone is worthy of blind trust. It's no wonder that most people are ignoring the story; it's just too much cognitive dissonance to try to cope with it.

Meanwhile, at the Wall Street Journal, Ted Koppel has an op-ed warning about our over-reactions to terrorism:

[O]nly 18 months [after 9/11], with the invasion of Iraq in 2003, ... the U.S. began to inflict upon itself a degree of damage that no external power could have achieved. Even bin Laden must have been astounded. He had, it has been reported, hoped that the U.S. would be drawn into a ground war in Afghanistan, that graveyard to so many foreign armies. But Iraq! In the end, the war left 4,500 American soldiers dead and 32,000 wounded. It cost well in excess of a trillion dollars—every penny of which was borrowed money.

Saddam was killed, it's true, and the world is a better place for it. What prior U.S. administrations understood, however, was Saddam's value as a regional counterweight to Iran. It is hard to look at Iraq today and find that the U.S. gained much for its sacrifices there. Nor, as we seek to untangle ourselves from Afghanistan, can U.S. achievements there be seen as much of a bargain for the price paid in blood and treasure.

At home, the U.S. has constructed an antiterrorism enterprise so immense, so costly and so inexorably interwoven with the defense establishment, police and intelligence agencies, communications systems, and with social media, travel networks and their attendant security apparatus, that the idea of downsizing, let alone disbanding such a construct, is an exercise in futility.

Do you feel safer now?

Wednesday 7 August 2013 11:19:38 CDT (UTC-05:00)  |  | US | World | Security#
Thursday 25 July 2013

Our company needs a specific Microsoft account, not attached to a specific employee, to be the "Account Holder" for our Azure subscriptions.

Azure only allows one and only one account holder, you see, and more than one person needs access to the billing information for these accounts. Setting up a specific account for that purpose solves that problem.

So, I went ahead and set up an email account for our putative Azure administrator, and then went to the Live ID signup process. It asked me for my "birthdate." Figuring, what the hell?, I entered the birthdate of the company.

That got me here:

Annoying, but fine, I get why they do this.

So I got all the way through the process, including giving them a credit card to prove I'm real, and then I got this:

By the way, those screen-shots are from the third attempt, including one giving them a different credit card.

I have sent a message to Microsoft customer support, but haven't gotten an acknowledgement yet. I think I'm just going to cancel the account and start over.

Update: Yes, killing the account and starting over (by denying the email verification step) worked. So why couldn't the average pre-teen figure this out too? This has to be one of the dumber things companies do.

Thursday 25 July 2013 15:36:22 CDT (UTC-05:00)  |  | Business | Security#
Thursday 18 July 2013

Security guru Bruce Schneier suggests Snowden might not have considered all the likely outcomes:

Edward Snowden has set up a dead man's switch. He's distributed encrypted copies of his document trove to various people, and has set up some sort of automatic system to distribute the key, should something happen to him.

Dead man's switches have a long history, both for safety (the machinery automatically stops if the operator's hand goes slack) and security reasons. WikiLeaks did the same thing with the State Department cables.

I'm not sure he's thought this through, though. I would be more worried that someone would kill me in order to get the documents released than I would be that someone would kill me to prevent the documents from being released. Any real-world situation involves multiple adversaries, and it's important to keep all of them in mind when designing a security system.

Possibly spending a few years at the Moscow airport might be his safest option. But then again, his whole strategy seemed flawed from the start.

Thursday 18 July 2013 10:05:24 CDT (UTC-05:00)  |  | US | World | Security#
Thursday 4 July 2013

I like keeping in touch with friends on Facebook. I also enjoy playing Scrabble. Soon-to-be-Internet-flameout Zynga has a Scrabble-like game called Words With Friends that many of my friends play. Right now I've got about 10 games going.

For the past week or so, Zynga has been shoving entire 30-second commercials between my turns. That is, I play a word, and I either spend the next 35 seconds or so with my computer muted and the Facebook window hidden, or I leave Words With Friends entirely. Since the advertisements all seem to be for cleaning products and—I kid you not—something to make my yeast infection go away, I'm leaving the game a lot more often.

Today I was finally annoyed enough to complain to Zynga on their player support page. It turns out, many, many people are complaining. Everyone seems to agree: we all understand that Zynga has to make some money, so we all understand we're going to see ads. But 30-second TV spots? After every move? No. That has to stop.

So here I was, about to post my own complaint, and I got this:

No, Zynga, you may not have access to my friends just so I can post a complaint. Anyway, you already have access to my friends through Facebook, because I had to consent to that to play the game—so why remind me?

Thursday 4 July 2013 13:03:36 CDT (UTC-05:00)  |  | Security#
Monday 24 June 2013

Overnight, a commenter from Ireland took issue with my last post. I responded directly, but I thought my response might be worth repeating. I'm not sure I stated my point clearly enough: I wasn't actually discussing Snowden's leak; I'm saying we can't have an adult discussion about the leak any more, because he screwed up the end game.

The anonymous commenter wrote, inter alia:

Einstein fled. So did Hedy Lamar. So did thousands of others - including many who aided Germany's enemies. Were they cowards? Is the Dali Lama a coward?

It's interesting, I've just finished a history of inter-war Berlin, so I have some insight into Einstein's and Lamar's flights from Germany. The commenter essentially suggests that the U.S. has degenerated to the point where a plurality of voters are considering giving power to a group of armed thugs who have publicly and repeatedly announced plans to commit genocide.

Lamar, Einstein, the Dalai Lama—these people were persecuted for who they were, not for what they had done. Their departures from their home countries reflected their beliefs (correctly, it turns out) that their governments weren't worth preserving, that disobedience had no hope of changing anything, that they'd given up hope. Well, I haven't given up.

The commenter also pointed out:

Multiple nations collaborated to aid Snowden's journey. They did so in spite of huge amounts of US pressure. American soft power is an incredibly important thing if America wants to push her agenda - and this incident shows how damaged it is. Mass spying and deception has consequences.

Exactly right. And that's why I say Snowden scored an own goal.

We need to have an open and vociferous debate in the U.S. about the trade-offs between security and liberty, and Snowden could have done a lot to open up that discussion. Instead he ran, and that's all anyone will ever say about him. He conceded the argument on irrelevant grounds.

I agree that Manning and Schwartz deserved better. So did Mandela. But take a look at the example Ellsberg set. Snowden, if he'd been less narcissistic, might have done a lot of good for the country. It's really a shame.

Monday 24 June 2013 08:43:34 CDT (UTC-05:00)  |  | US | Security#

Someday, when a far-future Gibson writes about this time in the American Republic, he'll have a paragraph about Edward Snowden. I've got a fantasy in which the future historian remarks on Snowden sounding the alarm against unprecedented government and private collusion against personal privacy, and how his leak sparked a re-evaluation of the relationships between convenience and security, and between government and industry.

But I've actually got a degree in history, and I can tell you that the future Gibson will probably write about how Snowden's cowardice gave those who crave security over liberty the greatest gift they could have gotten. (The same study of history, by the way, leads me to the conclusion that this happy circumstance really does come from Snowden and not from some shadowy conspiracy. Never mistake incompetence for malice.)

I don't have a lot to say, other than Snowden's flight to Venezuela by way of Russia and China allows the people who value security over liberty to claim that Snowden was an enemy of the state, so we shouldn't pay any attention to his message. Have American security services over-reached? Do we have less privacy than ever before? Does this give a future politician the tools to take the United States from a republic to a dictatorship? Yes to all three. But no one will be thinking about that any more.

For the record: I don't think we have any immediate worries. I don't know what the consequences of these disclosures will actually be; no one does. And I'm not scraping together all the gold I can find so I can make a midnight passage to Canada.

I am saying only this: Edward Snowden is an idiot. King went to jail. Mandela went to jail. Hell, Ellsberg was willing to go to jail, but he at least had the pulse of the public before stepping forward.

The thought has occurred to others, I'm sure: Snowden could have done a lot more good as a confidential source, or as a man of conviction, than he can do as a defector.

Oh, and Ed: good luck enjoying your freedom in Venezuela. There's a reason we have chilly relations with the Venezuelan government, and it's not entirely about oil.

Sunday 23 June 2013 21:22:08 CDT (UTC-05:00)  |  | US | Security#
Friday 3 May 2013

After a lot of really difficult work and evaluating a half-dozen 3rd-party libraries, I've finally gotten a round-trip between a local ASP.NET application and SalesForce. This is the first victory in two big battles against the SalesForce integration model I've been fighting for the last two weeks.

The next hurdle will be to get the SalesForce API to accept my application's SAML assertion after the user is authenticated. I really have no idea how to do that yet—and no one I've spoken with knows, either.

Still, this was a good way to end a long work-week. And soon: pizza.

Friday 3 May 2013 17:46:06 CDT (UTC-05:00)  |  | Security#
Tuesday 23 April 2013

As a large part of my brain noodles on how to get multiple IDPs to work with a single RP, a smaller part of my brain has looked out the window and realized Chicago is having a normally crappy April:

  • The are 5-13 after allowing a run in the bottom of the 13th last night in Milwaukee;
  • It's 13°C 7°C and raining, which is great because we need the rain and cool weather; and
  • ...well, that's all I got right now.

I had a third thing, but SAML got in the way, I guess.

Tuesday 23 April 2013 15:36:02 CDT (UTC-05:00)  |  | Chicago | Cubs | Security#

...you know it's going to be bad. And it really is:

Passed in 2012 after a 60 Minutes report on insider trading practices in Congress, the STOCK Act banned members of Congress and senior executive and legislative branch officials from trading based on government knowledge. To give the ban teeth, the law directed that many of these officials' financial disclosure forms be posted online and their contents placed into public databases. However, in March, a report ordered by Congress found that airing this information on the Internet could put public servants and national security at risk. The report urged that the database, and the public disclosure for everyone but members of Congress and the highest-ranking executive branch officials -- measures that had never been implemented -- be thrown out.

The government sprang into action: last week, both chambers of Congress unanimously agreed to adopt the report's recommendations. Days later, Obama signed the changes into law.

Bluntest of all was Bruce Schneier, a leading security technologist and cryptographer. "They put them personally at risk by holding them accountable," Schneier said of the impact of disclosure rules on Congress members and DC staffers. "That's why they repealed it. The national security bit is bullshit you're supposed to repeat." (Three of the four experts we consulted opted for the same term of choice.)

As Schneier said, "There was a security risk, but it was not a national security risk. It was a personal Congressperson risk." And that was enough to stymie transparency.

One commenter on the original CRJ article points out, "Right, they're concerned about people getting their personal info online...as they pass CISPA."

This was a bipartisan effort, by the way.

Tuesday 23 April 2013 11:41:06 CDT (UTC-05:00)  |  | US | Security#
Friday 12 April 2013

Via Sullivan, a new Google Chrome plugin that allows you to embed secret messages in photos you post on Facebook:

That’s the idea behind Secretbook, a browser extension released this week by 21-year-old Oxford University computer science student and former Google intern Owen-Campbell Moore. With the extension, anyone — you, your sister, a terrorist — could share messages hidden in JPEG images uploaded to Facebook without the prying eyes of the company, the government or anyone else noticing or figuring out what the messages say. The only way to unlock them is through a password you create.

The extension is only available for the Google Chrome browser — Campbell-Moore cites its developer tools and popularity — and the messages are restricted to 140 characters. Less certain is what Facebook thinks; a spokesman declined to comment. But it’s still the first time anyone’s managed to figure out how to automate digital steganography — the practice of concealing messages inside computer files — through Facebook, the world’s biggest social media platform. Unlike cryptography, which uses ciphertext to encrypt messages, steganographic messages are simply hidden where no one would think to look.

Calling Bruce Schneier...

Friday 12 April 2013 09:05:42 CDT (UTC-05:00)  |  | Security#
Friday 22 March 2013

Too much going on:

Now, I will go back to drafting documentation while I wait for AT&T to reconfigure my DSL and kill my landline. I've had a POTS ("plain old telephone service") twisted-pair line longer than most people on earth have been alive. After today, no longer. I don't think I'll miss it, either. I only have it because I have a business-class DSL, which I don't need anymore, and the only people who call it want money from me.

Friday 22 March 2013 09:12:03 CDT (UTC-05:00)  |  | Kitchen Sink | US | World | Business | Cloud | Security | Windows Azure#
Friday 22 February 2013

Security guru Bruce Schneier examines Papal election security:

Probably the biggest risk is complacency. What might seem beautiful in its tradition and ritual during the first ballot could easily become cumbersome and annoying after the twentieth ballot, and there will be a temptation to cut corners to save time. If the Cardinals do that, the election process becomes more vulnerable.

A 1996 change in the process lets the cardinals go back and forth from the chapel to their dorm rooms, instead of being locked in the chapel the whole time, as was done previously. This makes the process slightly less secure but a lot more comfortable.

There are also enormous social -- religious, actually -- disincentives to hacking the vote. The election takes place in a chapel and at an altar. The cardinals swear an oath as they are casting their ballot -- further discouragement. The chalice and paten are the implements used to celebrate the Eucharist, the holiest act of the Catholic Church. And the scrutineers are explicitly exhorted not to form any sort of cabal or make any plans to sway the election, under pain of excommunication.

Of course, no amount of security in the world will prevent the electors from replacing Joseph Ratzinger with someone at least as out-of-touch and reactionary as he is, given the constitution of the cardinality these days.

Friday 22 February 2013 16:27:03 CST (UTC-06:00)  |  | World | Security#
Wednesday 6 February 2013

More things I gotta read later:

Now, back to rewriting an authentication provider...

Wednesday 6 February 2013 12:01:46 CST (UTC-06:00)  |  | Geography | Security#
Tuesday 27 November 2012

Via Bruce Schneier, apparently some of the confetti thrown at the Macy's Thanksgiving Day Parade last weekend came from the Nassau County Police:

A closer look shows that the documents are from the Nassau County Police Department. The papers were shredded, but clearly not well enough.

They even contain information about Mitt Romney's motorcade, apparently from the final presidential debate, which took place at Hofstra University in Nassau County last month.

Most significant, the confetti strips identified Nassau County detectives by name. Some of them are apparently undercover. Their social security numbers, dates of birth and other highly sensitive personal information was also printed on the confetti strips.

I expect the follow-up story to describe how a document destruction company now faces a massive lawsuit...

Tuesday 27 November 2012 12:54:16 CST (UTC-06:00)  |  | Security#
Tuesday 13 November 2012

James Fallows, reacting to the Patreaus debacle, reminds everyone of the obvious:

Here is the secret plan:

Never put anything in an email message, to anyone, that would cause you serious problems if it fell into the wrong hands.

That's the plan™. All of it. Never do this. Ever.

Yep. This is the advice security experts have given for, well, ever.

Tuesday 13 November 2012 17:01:35 CST (UTC-06:00)  |  | US | Security#
Thursday 11 October 2012

My latest entry is up on the 10th Magnitude tech blog.

You can also read it right here.

Thursday 11 October 2012 13:23:29 CDT (UTC-05:00)  |  | Business | Cloud | Security#
Wednesday 18 July 2012

Via Sullivan, artist Heather Dewey-Hagborg is creating 3D portraits from random hairs:

Collecting hairs she finds in random public places – bathrooms, libraries, and subway seats – she uses a battery of newly developing technologies to create physical, life-sized portraits of the owners of these hairs. You can see the portrait she’s made from her own hair in the photo below. While the actual likeness is a point of contention, these images bring about some creepy-yet-amazing comments; on genetic identity (how much of “you” really resides in your DNA?); on the possibilities of surveillance (what if your jealous partner started making portraits from hairs they found around your house?); and on the subjectivity inherent in working with “hard” data and computer systems (how much of a role do human assumptions play in this machine made portrait?).

The artist's site is here.

All right. This came a little sooner than I expected, and from a different source. I've long recognize the necessity of adapting to, rather than raging impotently against, the fundamental changes to the security and privacy mores we've had for several thousand years. (As Bruce Schneier has pointed out, "Fifteen years ago, [CCTV cameras] weren't everywhere. Fifteen years from now, they'll be so small we won't be able to see them.") But this project, if it works as hoped, actually freaks me out a little.

I'm going to whistle past this graveyard for the time being...

Tuesday 17 July 2012 20:31:01 CDT (UTC-05:00)  |  | Cool links | Security#
Sunday 24 June 2012

I have just spent an hour of my life—one that I will never get back—trying to figure out why I couldn't install any software from .msi files on one of my Windows 7 machines. Every time I tried, I would get a message that the installer "could not find the file specified."

If you're interested in this, or you want to see a stupid rage comic face, click through:

Sunday 24 June 2012 15:14:36 CDT (UTC-05:00)  |  | Software | Security#
Saturday 23 June 2012

Last weekend I described moving my email hosting from my living room home office out to Microsoft Exchange Online. And Thursday I spent all day at a Microsoft workshop about Windows Azure, the cloud computing platform on which my employer, 10th Magnitude, has developed software for the past two years.

In this post, I'm going to describe the actual process of migrating from an on-site Exchange 2007 server to Exchange Online. If you'd prefer more photos of Parker or discussions about politics, go ahead and skip this one.

Saturday 23 June 2012 09:43:52 CDT (UTC-05:00)  |  | Business | Security#
Tuesday 10 April 2012

The FBI has put together a committee of university presidents to root out foreign spies who have infiltrated American colleges:

While overshadowed by espionage against corporations, efforts by foreign countries to penetrate universities have increased in the past five years, [Frank] Figliuzzi, [Federal Bureau of Investigation assistant director for counterintelligence] said. The FBI and academia, which have often been at loggerheads, are working together to combat the threat, he said.

Attempts by countries in East Asia, including China, to obtain classified or proprietary information by “academic solicitation,” such as requests to review academic papers or study with professors, jumped eightfold in 2010 from a year earlier, according to a 2011 U.S. Defense Department report. Such approaches from the Middle East doubled, it said.

The problem with this, as a number of people pointed out in the article, is that academics share information freely. That's their freaking job. And the U.S. has hundreds of thousands of foreign students—76,000 from China alone—because, for now anyway, we have the best schools in the world.

Of course the FBI should go after real spies, and discovering former Russian intelligence agent Sergei Tretyakov probably prevented Russia from stealing information that would have helped them catch up to where we'd gotten ten years earlier.

The university presidents on the FBI's committee need to remember their first duty. I hope some of them will remind the FBI that suspecting lots of foreigners of trying to spy on us will cost more than it will save.

This is a very old conversation. There are always people who see enemies everywhere. Sometimes they're right; but we need to make sure that when they're wrong, they don't cause more damage than they're trying to prevent.

Tuesday 10 April 2012 10:40:32 CDT (UTC-05:00)  |  | US | Security#
Tuesday 3 April 2012

Raganwald yesterday posted a facetious resignation outlining the dangers to employers of asking prospective employees to disclose social media information:

I have been interviewing senior hires for the crucial tech lead position on the Fizz Buzz team, and while several walked out in a huff when I asked them to let me look at their Facebook, one young lady smiled and said I could help myself. She logged into her Facebook as I requested, and as I followed the COO’s instructions to scan her timeline and friends list looking for evidence of moral turpitude, I became aware she was writing something on her iPad.

“Taking notes?” I asked politely.

“No,” she smiled, “Emailing a human rights lawyer I know.” To say that the tension in the room could be cut with a knife would be understatement of the highest order. “Oh?” I asked. I waited, and as I am an expert in out-waiting people, she eventually cracked and explained herself.

“If you are surfing my Facebook, you could reasonably be expected to discover that I am a Lesbian. Since discrimination against me on this basis is illegal in Ontario, I am just preparing myself for the possibility that you might refuse to hire me and instead hire someone who is a heterosexual but less qualified in any way. Likewise, if you do hire me, I might need to have your employment contracts disclosed to ensure you aren’t paying me less than any male and/or heterosexual colleagues with equivalent responsibilities and experience.”

Three things:

  • He's right on the main point. Looking through employees' Facebook pages uninvited is tricky enough. Determining whether or not to hire someone based on a Facebook page is closer to the line. Forcing the disclosure crosses the line, surveys the land, plants a flag, and invites the natives to kill you in your sleep.
  • Disclosing a password to anyone for any reason is, almost always, a bad idea. Authentication is half of security (the other is authorization, which depends on you being who you say you are). The corollary to authentication is deniability. If you lose control over your Facebook password, you expose yourself to identity theft. To emphasize this point, in our office we routinely prank developers who leave their keyboards unlocked when they leave the room. Walking away at a client site could let clients see other clients' materials, for starters, but it also could allow someone to send email or make Facebook posts in your name.
  • I am proud to report that Illinois is right now passing a law to prohibit this practice. It will probably be signed later this month.
Tuesday 3 April 2012 08:55:13 CDT (UTC-05:00)  |  | US | Security#
Tuesday 20 March 2012

I don't want to lose these things:

That is all. More UK and France photos later today.

Tuesday 20 March 2012 12:05:45 CDT (UTC-05:00)  |  | Aviation | Chicago | Kitchen Sink | US | Security#
Sunday 12 February 2012

I've spent the morning working at the Peet's Coffee in Half Moon Bay, Calif.. For some reason, this location has blocked HTTP access to most Google addresses.

The most obvious symptom is that browser requests to Google, Youtube, and other Google properties (including GMail) simply don't go through. Chrome reports "connection reset" after timing out; IE simply spins into oblivion. Another symptom, which took me a few moments to figure out, is that sites that have Google Analytics bugs (like this one) sometimes, but not always, fail to load. Reading the page source shows that the entire page has loaded, but the browser doesn't render the page because part of it is being blocked.

Using nothing more sophisticated than Ping and Tracert, I've determined that the block occurs pretty close to my laptop, possibly even in the WiFi router or in Peet's proxy server. Pinging Google's public DNS service (8.8.8.8) works fine, as does making nslookup requests against it. But pinging www.google.com, www.youtu.be, and www.gmail.com all fail. Tracerts to these URLs and directly to their public IPs also fail at the very first hop.

Google IPs appear to start with 74.125.x.y. Tracert to 8.8.4.4 passes through 74.125.49.85 a few hops away; www.google.com resolves to 74.125.224.84; etc. However, reverse DNS lookups show something slightly different. 8.8.4.4 resolves back to google-public-dns-b.google.com; however, 74.125.224.84 resolves back to nuq04s07-in-f20.1e100.com. 74.125.224.69 (www.youtu.be) resolves back to another 1e100.com address.

All other sites appear to work fine, with decent (megabit-speed) throughput.

So, the mystery is: who has blocked Google from this Peet's store, and why? I have sent Peet's a request for comment.

Sunday 12 February 2012 11:54:07 PST (UTC-08:00)  |  | Security#
Tuesday 7 February 2012

A man accused of rape in Alabama got into an online argument with the Jefferson County Sheriff's Office on the office's Facebook page:

U.S. Marshals took Dustin McCombs into custody today in Ohio, said Chief Deputy Randy Christian.

The U.S. Marshal's Gulf Coast Regional Task for in Birmingham shared information with their counterparts in Ohio who tracked down the fugitive.

McComb's was featured on the Jefferson County Sheriff Department's Facebook page as its "Creep of the Week" because of an outstanding forcible rape charge.

McCombs apparently decided that was a challenge, taking up a posting duel with the department on Facebook, according to the website Gizmodo.

Of course, McCombs has not been convicted of the crime that led to his arrest warrant, but wow is he stupid. The entire exchange is still available on Failbook, and worth a look. So is the sheriff's Facebook page, which seems like an effective use of social media by government.

Tuesday 7 February 2012 08:10:16 CST (UTC-06:00)  |  | US | Security#
Wednesday 18 January 2012

Welcome back. We were dark today to protest two flawed legislative proposals, the Stop Online Piracy Act and the Protect IP Act.

The administration today hinted at a threat to veto SOPA, while several senators have withdrawn support for PIPA in response to the blackout protests around the Internet:

Co-sponsors who say they can no longer support their own legislation include Senators Marco Rubio, a Florida Republican, Roy Blunt, a Missouri Republican, and Ben Cardin, a Maryland Democrat. Republican Representatives Ben Quayle of Arizona, Lee Terry of Nebraska, and Dennis Ross of Florida also said they would withdraw their backing of the House bill.

Rubio said he switched his position on the Senate measure, the Protect IP Act, after examining opponents’ contention that it would present a “potentially unreasonable expansion of the federal government’s power to impact the Internet,” according to a posting today on Facebook. Blunt said in a statement today he is withdrawing as a co-sponsor of the Senate bill.

The Washington Monthly explains the administration's volte face on SOPA:

The White House didn’t issue a veto threat, per se, but the administration’s chief technology officials concluded, “We will not support legislation that reduces freedom of expression, increases cybersecurity risk or undermines the dynamic, innovative global Internet.” The statement added that any proposed legislation “must not tamper with the technical architecture of the Internet.” The White House’s position left SOPA and PIPA, at least in their current form, effectively dead.

The state of play in the Senate is a little different — a PIPA vote is likely next Tuesday — but even in the upper chamber, the bill is quickly losing friends. Sen. Scott Brown (R-Mass.) announced his opposition yesterday, and Sen. Ben Cardin (D-Md.), a former co-sponsor of PIPA, is also now against it.

The President did, however, shut down the Keystone XL pipeline (at least for now).

So, in all, this was a pretty good day for the people.

Update: Via Coding Horror, Mozilla Foundation Chair Mitchell Baker has a great description of why PIPA and SOPA are so awful.

Wednesday 18 January 2012 17:36:05 CST (UTC-06:00)  |  | US | Business | Security#
Tuesday 17 January 2012

The largest encyclopedia ever assembled will go offline tomorrow to protest against the Stop Online Piracy Act, currently working its way through Congress's collective bowels. From Wikipedia's public statement:

[T]he Wikimedia Foundation is asked to allocate resources and assist the community in blacking out the project globally for 24 hours starting at 05:00 UTC on January 18, 2012, or at another time as determined by the Wikimedia Foundation. This should be carried out while respecting technical limitations of the underlying software, and should specifically prevent editing wherever possible. Provisions for emergency access to the site should be included in the blackout software. In order to assist our readers and the community at large to educate themselves about SOPA and PIPA, these articles and those closely related to them will remain accessible for reading purposes if possible. Wikipedians are urged to work with WMF staff to develop effective messaging for the "blackout screens" that directs readers to suitable online resources. Sister projects, such as the German and Italian Wikipedias and Wikimedia Commons, have indicated an intention to support the same principles with banners on those sites, and the support of other projects is welcome and appreciated.

Twitter CEO Dick Costolo is unimpressed: " 'That's just silly. Closing a global business in reaction to single-issue national politics is foolish,' Costolo [said]."

For what it's worth, my U.S. Senators are split: Senator Mark Kirk (R-IL) claims to be opposed to it, while Senator Dick Durbin (D-IL) is a co-sponsor of the Senate's version. Neither has any material on his website about it. I have written to Senator Durbin and to Representative Mike Quigley (D-IL) for comment.

Tuesday 17 January 2012 13:47:33 CST (UTC-06:00)  |  | US | Business | Security#
Saturday 24 December 2011

Via Sullivan, a constitutional analysis of the Stop Online Piracy Act:

To begin with, the bills represent an unprecedented, legally sanctioned assault on the Internet’s critical technical infrastructure. Based upon nothing more than an application by a federal prosecutor alleging that a foreign website is “dedicated to infringing activities,” Protect IP authorizes courts to order all U.S. Internet service providers, domain name registries, domain name registrars, and operators of domain name servers—a category that includes hundreds of thousands of small and medium-sized businesses, colleges, universities, nonprofit organizations, and the like—to take steps to prevent the offending site’s domain name from translating to the correct Internet protocol address.

This not only violates basic principles of due process by depriving persons of property without a fair hearing and a reasonable opportunity to be heard, it also constitutes an unconstitutional abridgement of the freedom of speech protected by the First Amendment. The Supreme Court has made it abundantly clear that governmental action suppressing speech, if taken prior to an adversary proceeding and subsequent judicial determination that the speech in question is unlawful, is a presumptively unconstitutional “prior restraint.” In other words, it is the “most serious and the least tolerable infringement on First Amendment rights,” permissible only in the narrowest range of circumstances. The Constitution requires a court “to make a final determination” that the material in question is unlawful “after an adversary hearing before the material is completely removed from circulation.”

(Emphasis in quoted blog post; references removed.)

I've already written to my representative in Congress; have you written to yours?

Friday 23 December 2011 20:19:05 PST (UTC-08:00)  |  | US | Business | Security#
Friday 23 December 2011

Given my activities yesterday (i.e., going through airport security), I found the latest interview with Bruce Schneier timely and once again correct:

As we came by the checkpoint line, Schneier described one of these aspects: the ease with which people can pass through airport security with fake boarding passes. First, scan an old boarding pass, he said—more loudly than necessary, it seemed to me. Alter it with Photoshop, then print the result with a laser printer. In his hand was an example, complete with the little squiggle the T.S.A. agent had drawn on it to indicate that it had been checked. “Feeling safer?” he asked.

To a large number of security analysts, [the billions we've spent on security theater] makes no sense. The vast cost is not worth the infinitesimal benefit. Not only has the actual threat from terror been exaggerated, they say, but the great bulk of the post-9/11 measures to contain it are little more than what Schneier mocks as “security theater”: actions that accomplish nothing but are designed to make the government look like it is on the job. In fact, the continuing expenditure on security may actually have made the United States less safe.

Yes. We spend money on high-tech, whiz-bang solutions to human-intelligence problems. The attack on 9/11 can't happen again in the U.S., not because of full-body scanners at airports, but because of reinforced cockpit doors and vigilant passengers. Should we let just anyone board a transport airplane without a security check[1]? No, of course not; but we should make the checks effective, rather than flamboyant.

Security, however, tends to ratchet up, because no one wants to be the guy who relaxed security right before an attack. And we know an attack will happen someday; nihilists are not easily dissuaded from their crimes. Still, one can hope.

Friday 23 December 2011 10:40:56 PST (UTC-08:00)  |  | Aviation | Security#
Friday 7 October 2011

A little housekeeping: if the blog seems slow today, thank this entry, which has got over 70,000 page views yesterday through 19:00 CDT and continues to get hit today. (Usual site traffic is about 4,000 page views per day, total.)

So, there's nothing wrong with either the blog or with your carrier. It's just a lot more traffic than my servers usually get.

Friday 7 October 2011 09:35:38 CDT (UTC-05:00)  |  | Business | Security#
Friday 16 September 2011

ParkerI'm David Braverman, this is my blog, and Parker is my 5-year-old mutt. I last updated this About... page in February, but some things have changed. In the interest of enlightened laziness I'm starting with the most powerful keystroke combination in the universe: Ctrl-C, Ctrl-V.

Twice. Thus, the "point one" in the title.

The Daily Parker is about:

  • Parker, my dog, whom I adopted on 1 September 2006.
  • Politics. I'm a moderate-lefty by international standards, which makes me a radical left-winger in today's United States.
  • Photography. I took tens of thousands of photos as a kid, then drifted away from making art until a few months ago when I got the first digital camera I've ever had that rivals a film camera. That got me reading more, practicing more, and throwing more photos on the blog. In my initial burst of enthusiasm I posted a photo every day. I've pulled back from that a bit—it takes about 30 minutes to prep and post one of those puppies—but I'm still shooting and still learning.
  • The weather. I've operated a weather website for more than ten years. That site deals with raw data and objective observations. Many weather posts also touch politics, given the political implications of addressing climate change, though happily we no longer have to do so under a president beholden to the oil industry.
  • Chicago, the greatest city in North America, and the other ones I visit whenever I can.

I've deprecated the Software category, but only because I don't post much about it here. That said, I write a lot of software. I work for 10th Magnitude, a startup software consultancy in Chicago, I've got about 20 years experience writing the stuff, and I continue to own a micro-sized software company. (I have an online resume, if you're curious.) I see a lot of code, and since I often get called in to projects in crisis, I see a lot of bad code, some of which may appear here.

I strive to write about these and other things with fluency and concision. "Fast, good, cheap: pick two" applies to writing as much as to any other creative process (cf: software). I hope to find an appropriate balance between the three, as streams of consciousness and literacy have always struggled against each other since the first blog twenty years ago.

If you like what you see here, you'll probably also like Andrew Sullivan, James Fallows, Josh Marshall, and Bruce Schneier. Even if you don't like my politics, you probably agree that everyone ought to read Strunk and White, and you probably have an opinion about the Oxford comma—punctuation de rigeur in my opinion.

Another, non-trivial point. Facebook reads the blog's RSS feed, so many people reading this may think I'm just posting notes on Facebook. Facebook's lawyers would like you to believe this, too. Now, I've reconnected with tons of old friends and classmates through Facebook, I play Scrabble on Facebook, and I eagerly read every advertisement that appears next to its relevant content. But Facebook's terms of use assert ownership of everything that appears on their site, regardless of prior claims, which contravenes four centuries of law.

Everything that shows up on my Facebook profile gets published on The Daily Paker first, and I own the copyrights to all of it (unless otherwise disclosed). I publish the blog's text under a Creative Commons attribution-nonderivative-noncommercial license; republication is usually OK for non-commercial purposes, as long as you don't change what I write and you attribute it to me. My photos, however, are published under strict copyright, with no republication license, even if I upload them to other public websites. If you want to republish one of my photos, just let me know and we'll work something out.

Anyway, thanks for reading, and I hope you continue to enjoy The Daily Parker.

Friday 16 September 2011 18:36:32 CDT (UTC-05:00)  |  | Aviation | Baseball | Biking | Chicago | Cubs | Duke | Geography | Jokes | Kitchen Sink | Parker | Daily | Photography | Politics | US | World | Raleigh | Religion | San Francisco | Software | Blogs | Business | Cool links | Security | Weather | Astronomy | Work#
Friday 9 September 2011

I don't have all the details, but it looks like an employee at one of the hospital's vendors did something really stupid:

A medical privacy breach led to the public posting on a commercial Web site of data for 20,000 emergency room patients at Stanford Hospital in Palo Alto, Calif., including names and diagnosis codes, the hospital has confirmed. The information stayed online for nearly a year.

Since discovering the breach last month, the hospital has been investigating how a detailed spreadsheet made its way from one of its vendors, a billing contractor identified as Multi-Specialty Collection Services, to a Web site called Student of Fortune, which allows students to solicit paid assistance with their schoolwork.

Gary Migdol, a spokesman for Stanford Hospital and Clinics, said the spreadsheet first appeared on the site on Sept. 9, 2010, as an attachment to a question about how to convert the data into a bar graph.

One can easily see how this happened: someone on the billing contractor's staff was taking a class of some kind and decided to use real, live, HIPAA-protected data for a project. My law-school Wills instructor, Jerry Leitner, would explain this by the "omnibus explanation," the thing that explains nearly every human endeavor that ends badly: stupidity.

The article mentions Stanford got fined $250,000 from the breach. I wonder if they'll be able to get a contribution award from the contractor?

Friday 9 September 2011 13:05:21 CDT (UTC-05:00)  |  | US | Security#
Search
On this page....
What's going on with the Microsoft Azure blog?
Weird routing issues at CDG
Schneier on why the NSA has made us less safe
Maybe I'll have free time later today
The heart bleeds for OpenSSL
And the day started so well...
About that iOS "flaw"
How to really irritate Internet users
Confessions of a TSA agent
Can the NSA prevent another 9/11? Well, it failed to prevent the first one
How the NSA is making us less safe
Customer service that can't think for itself
Small world
Wrapping up the work week, no time to read these
Institutional failure in Internet security
Quis custodiet robote?
Unexpectedly productive weekend
The national security state
Microsoft ID age-verification hell
Edward Snowden's dead-man's switch
Why I'm going to play less Words With Friends
Clarifying my last post
Edward Snowden scores an own-goal
Slammin' SAML
Chicago in the spring
When Bruce Schneier blogs about politics
Steganography for the masses
Things I might have time to read this weekend
Hacking the Vatican
More links
Document disposal mishap in New York
Fallows' "Secret Strategy™" to avoid email pitfalls
Windows Azure deployment credentials
Grant me the serenity
Troubleshooting software installation on Windows 7
Out of the apartment, into the cloud (Part 2)
Terrorists! Communists! Anarchists! Roundheads! Saxons!
Disclosing Facebook passwords
Other things of note
Google blocked at Peet's Coffee in HMB
You have the right to remain silent
Vox populi
Wikipedia joins SOPA protest; Twitter boss scoffs
SOPA would be unconstitutional
Bruce Schneier gives another interview
My 15 minutes, your download speeds
About this blog (v. 4.1.6)
Significant data disclosure at Stanford Hospital
Countdowns
The Daily Parker +3267d 20h 05m
To London +8d 21h 45m
Parker's 9th birthday 233d 17h 09m
My next birthday 314d 21h 14m
Categories
Aviation (338) Baseball (110) Best Bars (6) Biking (44) Chicago (893) Cubs (197) Duke (132) Geography (330) Higher Ground (5) Jokes (282) Kitchen Sink (638) London (52) Parker (189) Daily (204) Photography (142) Politics (303) US (1080) World (252) Raleigh (21) Readings (8) Religion (66) San Francisco (87) Software (200) Blogs (74) Business (225) Cloud (89) Cool links (132) Security (98) Travel (202) Weather (688) Astronomy (85) Windows Azure (59) Work (54) Writing (8)
Links
Archive
<October 2014>
SunMonTueWedThuFriSat
2829301234
567891011
12131415161718
19202122232425
2627282930311
2345678
Full archive
Blogroll
About
David Braverman and Parker
David Braverman is a software developer in Chicago, and the creator of Weather Now. Parker is the most adorable dog on the planet, 80% of the time.
Legal
All content Copyright ©2014 David Braverman.
Creative Commons License
The Daily Parker by David Braverman is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License, excluding photographs, which may not be republished unless otherwise noted.
Admin Login
Sign In
Blog Stats
Total Posts: 4518
This Year: 416
This Month: 31
This Week: 7
Comments: 0