# Tuesday 10 April 2012

Terrorists! Communists! Anarchists! Roundheads! Saxons!

The FBI has put together a committee of university presidents to root out foreign spies who have infiltrated American colleges:

While overshadowed by espionage against corporations, efforts by foreign countries to penetrate universities have increased in the past five years, [Frank] Figliuzzi, [Federal Bureau of Investigation assistant director for counterintelligence] said. The FBI and academia, which have often been at loggerheads, are working together to combat the threat, he said.

Attempts by countries in East Asia, including China, to obtain classified or proprietary information by “academic solicitation,” such as requests to review academic papers or study with professors, jumped eightfold in 2010 from a year earlier, according to a 2011 U.S. Defense Department report. Such approaches from the Middle East doubled, it said.

The problem with this, as a number of people pointed out in the article, is that academics share information freely. That's their freaking job. And the U.S. has hundreds of thousands of foreign students—76,000 from China alone—because, for now anyway, we have the best schools in the world.

Of course the FBI should go after real spies, and discovering former Russian intelligence agent Sergei Tretyakov probably prevented Russia from stealing information that would have helped them catch up to where we'd gotten ten years earlier.

The university presidents on the FBI's committee need to remember their first duty. I hope some of them will remind the FBI that suspecting lots of foreigners of trying to spy on us will cost more than it will save.

This is a very old conversation. There are always people who see enemies everywhere. Sometimes they're right; but we need to make sure that when they're wrong, they don't cause more damage than they're trying to prevent.

David Braverman, Tuesday 10 April 2012 10:40:32 CDT (UTC-05:00)
# Tuesday 3 April 2012

Disclosing Facebook passwords

Raganwald yesterday posted a facetious resignation outlining the dangers to employers of asking prospective employees to disclose social media information:

I have been interviewing senior hires for the crucial tech lead position on the Fizz Buzz team, and while several walked out in a huff when I asked them to let me look at their Facebook, one young lady smiled and said I could help myself. She logged into her Facebook as I requested, and as I followed the COO’s instructions to scan her timeline and friends list looking for evidence of moral turpitude, I became aware she was writing something on her iPad.

“Taking notes?” I asked politely.

“No,” she smiled, “Emailing a human rights lawyer I know.” To say that the tension in the room could be cut with a knife would be understatement of the highest order. “Oh?” I asked. I waited, and as I am an expert in out-waiting people, she eventually cracked and explained herself.

“If you are surfing my Facebook, you could reasonably be expected to discover that I am a Lesbian. Since discrimination against me on this basis is illegal in Ontario, I am just preparing myself for the possibility that you might refuse to hire me and instead hire someone who is a heterosexual but less qualified in any way. Likewise, if you do hire me, I might need to have your employment contracts disclosed to ensure you aren’t paying me less than any male and/or heterosexual colleagues with equivalent responsibilities and experience.”

Three things:

  • He's right on the main point. Looking through employees' Facebook pages uninvited is tricky enough. Determining whether or not to hire someone based on a Facebook page is closer to the line. Forcing the disclosure crosses the line, surveys the land, plants a flag, and invites the natives to kill you in your sleep.
  • Disclosing a password to anyone for any reason is, almost always, a bad idea. Authentication is half of security (the other is authorization, which depends on you being who you say you are). The corollary to authentication is deniability. If you lose control over your Facebook password, you expose yourself to identity theft. To emphasize this point, in our office we routinely prank developers who leave their keyboards unlocked when they leave the room. Walking away at a client site could let clients see other clients' materials, for starters, but it also could allow someone to send email or make Facebook posts in your name.
  • I am proud to report that Illinois is right now passing a law to prohibit this practice. It will probably be signed later this month.
David Braverman, Tuesday 3 April 2012 08:55:13 CDT (UTC-05:00)
# Tuesday 20 March 2012

Other things of note

I don't want to lose these things:

That is all. More UK and France photos later today.

David Braverman, Tuesday 20 March 2012 12:05:45 CDT (UTC-05:00)
# Sunday 12 February 2012

Google blocked at Peet's Coffee in HMB

I've spent the morning working at the Peet's Coffee in Half Moon Bay, Calif. For some reason, this location has blocked HTTP access to most Google addresses.

The most obvious symptom is that browser requests to Google, YouTube, and other Google properties (including Gmail) simply don't go through. Chrome reports "connection reset" after timing out; IE simply spins into oblivion. Another symptom, which took me a few moments to figure out, is that sites that have Google Analytics bugs (like this one) sometimes, but not always, fail to load. Reading the page source shows that the entire page has loaded, but the browser doesn't render the page because part of it is being blocked.

Using nothing more sophisticated than ping and tracert, I've determined that the block occurs pretty close to my laptop, possibly even in the WiFi router or in Peet's proxy server. Pinging Google's public DNS service (8.8.8.8) works fine, as does making nslookup requests against it. But pinging www.google.com, www.youtu.be, and www.gmail.com all fail. Tracerts to these hostnames and directly to their public IPs also fail at the very first hop.

Google IPs appear to start with 74.125.x.y. Tracert to 8.8.4.4 passes through 74.125.49.85 a few hops away; www.google.com resolves to 74.125.224.84; etc. However, reverse DNS lookups show something slightly different. 8.8.4.4 resolves back to google-public-dns-b.google.com; however, 74.125.224.84 resolves back to nuq04s07-in-f20.1e100.com. 74.125.224.69 (www.youtu.be) resolves back to another 1e100.com address.

All other sites appear to work fine, with decent (megabit-speed) throughput.
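The checks above (does the name resolve, does a direct connection to the resolved address get through, where does the reverse lookup land) can be scripted so the failure mode is classified rather than eyeballed. The following is an added example, not code from the post: it probes a list of hosts, records the exception a TCP connect raises, and separates "DNS is being interfered with" from "names resolve but the path is filtered", which is the distinction the nslookup-works-but-ping-fails observation turns on. The host list, the port, and the 74.125.0.0/16 prefix are assumptions for illustration; the prefix is just the range the post happened to see, not an authoritative list of Google's address space.

```python
"""Network-block triage, added as an illustration (not code from the post).

Automates the checks the post walks through: resolve the name, attempt a TCP
connect to the resolved address, reverse-resolve the address, and classify
the outcome so DNS-level interference can be told apart from path-level
filtering. Host list, port and prefix are assumptions for illustration.
"""
import ipaddress
import socket

# Hosts the post tried, and the public resolver it used as a control (assumed list).
PROBE_HOSTS = ["www.google.com", "www.youtu.be", "www.gmail.com"]
CONTROL_IP = "8.8.8.8"
# Range the post observed Google addresses in; an illustrative prefix only
# (assumption), not an authoritative description of Google's address space.
OBSERVED_PREFIX = ipaddress.ip_network("74.125.0.0/16")


def classify(resolved_ip, connect_error):
    """Map the outcome of one probe to a diagnosis category.

    resolved_ip: address string DNS returned, or None if resolution failed.
    connect_error: None if the TCP connect succeeded, else the name of the
    exception class socket.create_connection raised.
    """
    if resolved_ip is None:
        return "dns-failed"
    if connect_error is None:
        return "reachable"
    if connect_error in ("ConnectionResetError", "ConnectionRefusedError"):
        # Something answered with a RST: an active filter, often close to us.
        return "reset-on-path"
    if connect_error in ("timeout", "TimeoutError"):
        # Packets simply vanished: a drop rule or a missing route.
        return "silently-dropped"
    return "other-error"


def in_observed_prefix(ip):
    """True if ip falls inside the prefix the post saw Google answering from."""
    return ipaddress.ip_address(ip) in OBSERVED_PREFIX


def summarize(categories):
    """Turn per-host categories into one verdict about where the block sits."""
    cats = set(categories)
    if cats == {"reachable"}:
        return "no block observed"
    if "dns-failed" in cats:
        return "resolution failing: DNS-level interference or resolver outage"
    if cats <= {"reset-on-path", "silently-dropped", "other-error"}:
        return "names resolve but connections fail: path-level filtering"
    return "partial block: some hosts reachable, some not"


def probe(host, port=80, timeout=3.0):
    """Resolve host, attempt a TCP connect, and reverse-resolve the address."""
    try:
        ip = socket.gethostbyname(host)
    except socket.gaierror:
        return {"host": host, "ip": None, "rdns": None, "in_prefix": False,
                "category": classify(None, None)}
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            err = None
    except socket.timeout:
        err = "timeout"
    except OSError as exc:
        err = type(exc).__name__
    try:
        rdns = socket.gethostbyaddr(ip)[0]
    except OSError:
        rdns = None
    return {"host": host, "ip": ip, "rdns": rdns,
            "in_prefix": in_observed_prefix(ip),
            "category": classify(ip, err)}


def triage(hosts=PROBE_HOSTS, port=80):
    """Probe every host and return (per-host results, overall verdict)."""
    results = [probe(h, port) for h in hosts]
    return results, summarize(r["category"] for r in results)


if __name__ == "__main__":
    # Control first: TCP 53 to the public resolver should succeed if the
    # network is up at all, matching the post's "pinging 8.8.8.8 works" check.
    control = probe(CONTROL_IP, port=53)
    print(f"control {CONTROL_IP}: {control['category']}")
    results, verdict = triage()
    for r in results:
        print(f"{r['host']:18} {r['ip'] or '-':16} {r['rdns'] or '-':40} "
              f"prefix={r['in_prefix']} {r['category']}")
    print("verdict:", verdict)
```

Run it from the affected network; a control that succeeds alongside hosts that all come back as reset-on-path is the signature of a filter sitting between the laptop and the first hop, whereas dns-failed across the board points at the resolver instead.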

So, the mystery is: who has blocked Google from this Peet's store, and why? I have sent Peet's a request for comment.

David Braverman, Sunday 12 February 2012 11:54:07 PST (UTC-08:00)
# Tuesday 7 February 2012

You have the right to remain silent

A man accused of rape in Alabama got into an online argument with the Jefferson County Sheriff's Office on the office's Facebook page:

U.S. Marshals took Dustin McCombs into custody today in Ohio, said Chief Deputy Randy Christian.

The U.S. Marshal's Gulf Coast Regional Task Force in Birmingham shared information with their counterparts in Ohio who tracked down the fugitive.

McCombs was featured on the Jefferson County Sheriff Department's Facebook page as its "Creep of the Week" because of an outstanding forcible rape charge.

McCombs apparently decided that was a challenge, taking up a posting duel with the department on Facebook, according to the website Gizmodo.

Of course, McCombs has not been convicted of the crime that led to his arrest warrant, but wow is he stupid. The entire exchange is still available on Failbook, and worth a look. So is the sheriff's Facebook page, which seems like an effective use of social media by government.

David Braverman, Tuesday 7 February 2012 08:10:16 CST (UTC-06:00)
# Wednesday 18 January 2012

Vox populi

Welcome back. We were dark today to protest two flawed legislative proposals, the Stop Online Piracy Act and the Protect IP Act.

The administration today hinted at a threat to veto SOPA, while several senators have withdrawn support for PIPA in response to the blackout protests around the Internet:

Co-sponsors who say they can no longer support their own legislation include Senators Marco Rubio, a Florida Republican, Roy Blunt, a Missouri Republican, and Ben Cardin, a Maryland Democrat. Republican Representatives Ben Quayle of Arizona, Lee Terry of Nebraska, and Dennis Ross of Florida also said they would withdraw their backing of the House bill.

Rubio said he switched his position on the Senate measure, the Protect IP Act, after examining opponents’ contention that it would present a “potentially unreasonable expansion of the federal government’s power to impact the Internet,” according to a posting today on Facebook. Blunt said in a statement today he is withdrawing as a co-sponsor of the Senate bill.

The Washington Monthly explains the administration's volte face on SOPA:

The White House didn’t issue a veto threat, per se, but the administration’s chief technology officials concluded, “We will not support legislation that reduces freedom of expression, increases cybersecurity risk or undermines the dynamic, innovative global Internet.” The statement added that any proposed legislation “must not tamper with the technical architecture of the Internet.” The White House’s position left SOPA and PIPA, at least in their current form, effectively dead.

The state of play in the Senate is a little different — a PIPA vote is likely next Tuesday — but even in the upper chamber, the bill is quickly losing friends. Sen. Scott Brown (R-Mass.) announced his opposition yesterday, and Sen. Ben Cardin (D-Md.), a former co-sponsor of PIPA, is also now against it.

The President did, however, shut down the Keystone XL pipeline (at least for now).

So, in all, this was a pretty good day for the people.

Update: Via Coding Horror, Mozilla Foundation Chair Mitchell Baker has a great description of why PIPA and SOPA are so awful.

David Braverman, Wednesday 18 January 2012 17:36:05 CST (UTC-06:00)
# Tuesday 17 January 2012

Wikipedia joins SOPA protest; Twitter boss scoffs

The largest encyclopedia ever assembled will go offline tomorrow to protest against the Stop Online Piracy Act, currently working its way through Congress's collective bowels. From Wikipedia's public statement:

[T]he Wikimedia Foundation is asked to allocate resources and assist the community in blacking out the project globally for 24 hours starting at 05:00 UTC on January 18, 2012, or at another time as determined by the Wikimedia Foundation. This should be carried out while respecting technical limitations of the underlying software, and should specifically prevent editing wherever possible. Provisions for emergency access to the site should be included in the blackout software. In order to assist our readers and the community at large to educate themselves about SOPA and PIPA, these articles and those closely related to them will remain accessible for reading purposes if possible. Wikipedians are urged to work with WMF staff to develop effective messaging for the "blackout screens" that directs readers to suitable online resources. Sister projects, such as the German and Italian Wikipedias and Wikimedia Commons, have indicated an intention to support the same principles with banners on those sites, and the support of other projects is welcome and appreciated.

Twitter CEO Dick Costolo is unimpressed: "'That's just silly. Closing a global business in reaction to single-issue national politics is foolish,' Costolo [said]."

For what it's worth, my U.S. Senators are split: Senator Mark Kirk (R-IL) claims to be opposed to it, while Senator Dick Durbin (D-IL) is a co-sponsor of the Senate's version. Neither has any material on his website about it. I have written to Senator Durbin and to Representative Mike Quigley (D-IL) for comment.

David Braverman, Tuesday 17 January 2012 13:47:33 CST (UTC-06:00)
# Saturday 24 December 2011

SOPA would be unconstitutional

Via Sullivan, a constitutional analysis of the Stop Online Piracy Act:

To begin with, the bills represent an unprecedented, legally sanctioned assault on the Internet’s critical technical infrastructure. Based upon nothing more than an application by a federal prosecutor alleging that a foreign website is “dedicated to infringing activities,” Protect IP authorizes courts to order all U.S. Internet service providers, domain name registries, domain name registrars, and operators of domain name servers—a category that includes hundreds of thousands of small and medium-sized businesses, colleges, universities, nonprofit organizations, and the like—to take steps to prevent the offending site’s domain name from translating to the correct Internet protocol address.

This not only violates basic principles of due process by depriving persons of property without a fair hearing and a reasonable opportunity to be heard, it also constitutes an unconstitutional abridgement of the freedom of speech protected by the First Amendment. The Supreme Court has made it abundantly clear that governmental action suppressing speech, if taken prior to an adversary proceeding and subsequent judicial determination that the speech in question is unlawful, is a presumptively unconstitutional “prior restraint.” In other words, it is the “most serious and the least tolerable infringement on First Amendment rights,” permissible only in the narrowest range of circumstances. The Constitution requires a court “to make a final determination” that the material in question is unlawful “after an adversary hearing before the material is completely removed from circulation.”

(Emphasis in quoted blog post; references removed.)

I've already written to my representative in Congress; have you written to yours?

David Braverman, Friday 23 December 2011 20:19:05 PST (UTC-08:00)
# Friday 23 December 2011

Bruce Schneier gives another interview

Given my activities yesterday (i.e., going through airport security), I found the latest interview with Bruce Schneier timely and once again correct:

As we came by the checkpoint line, Schneier described one of these aspects: the ease with which people can pass through airport security with fake boarding passes. First, scan an old boarding pass, he said—more loudly than necessary, it seemed to me. Alter it with Photoshop, then print the result with a laser printer. In his hand was an example, complete with the little squiggle the T.S.A. agent had drawn on it to indicate that it had been checked. “Feeling safer?” he asked.

To a large number of security analysts, [the billions we've spent on security theater] makes no sense. The vast cost is not worth the infinitesimal benefit. Not only has the actual threat from terror been exaggerated, they say, but the great bulk of the post-9/11 measures to contain it are little more than what Schneier mocks as “security theater”: actions that accomplish nothing but are designed to make the government look like it is on the job. In fact, the continuing expenditure on security may actually have made the United States less safe.

Yes. We spend money on high-tech, whiz-bang solutions to human-intelligence problems. The attack on 9/11 can't happen again in the U.S., not because of full-body scanners at airports, but because of reinforced cockpit doors and vigilant passengers. Should we let just anyone board a transport airplane without a security check[1]? No, of course not; but we should make the checks effective, rather than flamboyant.

Security, however, tends to ratchet up, because no one wants to be the guy who relaxed security right before an attack. And we know an attack will happen someday; nihilists are not easily dissuaded from their crimes. Still, one can hope.

David Braverman, Friday 23 December 2011 10:40:56 PST (UTC-08:00)
# Friday 7 October 2011

My 15 minutes, your download speeds

A little housekeeping: if the blog seems slow today, thank this entry, which got over 70,000 page views yesterday through 19:00 CDT and continues to get hit today. (Usual site traffic is about 4,000 page views per day, total.)

So, there's nothing wrong with either the blog or with your carrier. It's just a lot more traffic than my servers usually get.

David Braverman, Friday 7 October 2011 09:35:38 CDT (UTC-05:00)
# Friday 16 September 2011

About this blog (v. 4.1.6)

I'm David Braverman, this is my blog, and Parker is my 5-year-old mutt. I last updated this About... page in February, but some things have changed. In the interest of enlightened laziness I'm starting with the most powerful keystroke combination in the universe: Ctrl-C, Ctrl-V.

Twice. Thus, the "point one" in the title.

The Daily Parker is about:

  • Parker, my dog, whom I adopted on 1 September 2006.
  • Politics. I'm a moderate-lefty by international standards, which makes me a radical left-winger in today's United States.
  • Photography. I took tens of thousands of photos as a kid, then drifted away from making art until a few months ago when I got the first digital camera I've ever had that rivals a film camera. That got me reading more, practicing more, and throwing more photos on the blog. In my initial burst of enthusiasm I posted a photo every day. I've pulled back from that a bit—it takes about 30 minutes to prep and post one of those puppies—but I'm still shooting and still learning.
  • The weather. I've operated a weather website for more than ten years. That site deals with raw data and objective observations. Many weather posts also touch politics, given the political implications of addressing climate change, though happily we no longer have to do so under a president beholden to the oil industry.
  • Chicago, the greatest city in North America, and the other ones I visit whenever I can.

I've deprecated the Software category, but only because I don't post much about it here. That said, I write a lot of software. I work for 10th Magnitude, a startup software consultancy in Chicago, I've got about 20 years experience writing the stuff, and I continue to own a micro-sized software company. (I have an online resume, if you're curious.) I see a lot of code, and since I often get called in to projects in crisis, I see a lot of bad code, some of which may appear here.

I strive to write about these and other things with fluency and concision. "Fast, good, cheap: pick two" applies to writing as much as to any other creative process (cf: software). I hope to find an appropriate balance between the three, as streams of consciousness and literacy have always struggled against each other since the first blog twenty years ago.

If you like what you see here, you'll probably also like Andrew Sullivan, James Fallows, Josh Marshall, and Bruce Schneier. Even if you don't like my politics, you probably agree that everyone ought to read Strunk and White, and you probably have an opinion about the Oxford comma—punctuation de rigueur in my opinion.

Another, non-trivial point. Facebook reads the blog's RSS feed, so many people reading this may think I'm just posting notes on Facebook. Facebook's lawyers would like you to believe this, too. Now, I've reconnected with tons of old friends and classmates through Facebook, I play Scrabble on Facebook, and I eagerly read every advertisement that appears next to its relevant content. But Facebook's terms of use assert ownership of everything that appears on their site, regardless of prior claims, which contravenes four centuries of law.

Everything that shows up on my Facebook profile gets published on The Daily Parker first, and I own the copyrights to all of it (unless otherwise disclosed). I publish the blog's text under a Creative Commons attribution-nonderivative-noncommercial license; republication is usually OK for non-commercial purposes, as long as you don't change what I write and you attribute it to me. My photos, however, are published under strict copyright, with no republication license, even if I upload them to other public websites. If you want to republish one of my photos, just let me know and we'll work something out.

Anyway, thanks for reading, and I hope you continue to enjoy The Daily Parker.

David Braverman, Friday 16 September 2011 18:36:32 CDT (UTC-05:00)
# Friday 9 September 2011

Significant data disclosure at Stanford Hospital

I don't have all the details, but it looks like an employee at one of the hospital's vendors did something really stupid:

A medical privacy breach led to the public posting on a commercial Web site of data for 20,000 emergency room patients at Stanford Hospital in Palo Alto, Calif., including names and diagnosis codes, the hospital has confirmed. The information stayed online for nearly a year.

Since discovering the breach last month, the hospital has been investigating how a detailed spreadsheet made its way from one of its vendors, a billing contractor identified as Multi-Specialty Collection Services, to a Web site called Student of Fortune, which allows students to solicit paid assistance with their schoolwork.

Gary Migdol, a spokesman for Stanford Hospital and Clinics, said the spreadsheet first appeared on the site on Sept. 9, 2010, as an attachment to a question about how to convert the data into a bar graph.

One can easily see how this happened: someone on the billing contractor's staff was taking a class of some kind and decided to use real, live, HIPAA-protected data for a project. My law-school Wills instructor, Jerry Leitner, would explain this by the "omnibus explanation," the thing that explains nearly every human endeavor that ends badly: stupidity.

The article mentions Stanford got fined $250,000 from the breach. I wonder if they'll be able to get a contribution award from the contractor?

David Braverman, Friday 9 September 2011 13:05:21 CDT (UTC-05:00)
# Saturday 30 April 2011

Costs and benefits of anti-terror spending

Gulliver this afternoon examines whether we might want to examine them:

A new academic paper [PDF] from John Mueller (of The Ohio State University) and Mark Stewart (of the University of Newcastle in Australia) attempts to determine whether the return on investment justified those huge expenditures. ... [T]he findings in this paper are truly remarkable. By 2008, according to the authors, America's spending on counterterrorism outpaced all anti-crime spending by some $15 billion. Messrs Mueller and Stewart do not even include things like the wars in Iraq and Afghanistan (which they call "certainly terrorism-determined") in their trillion-plus tally.

"[A] most common misjudgment has been to embrace extreme events as harbingers presaging a dire departure from historical patterns. In the months and then years after 9/11, as noted at the outset, it was almost universally assumed that the terrorist event was a harbinger rather than an aberration. There were similar reactions to Timothy McVeigh’s 1995 truck bomb attack in Oklahoma City as concerns about a repetition soared. And in 1996, shortly after the terrorist group Aum Shinrikyo set off deadly gas in a Tokyo subway station, one of terrorism studies' top gurus, Walter Laqueur, assured the world that some terrorist groups 'almost certainly' will use weapons of mass destruction 'in the foreseeable future.' Presumably any future foreseeable in 1996 is now history, and Laqueur’s near 'certainty' has yet to occur."

The paper also found that anti-terror spending has outpaced anti-crime spending by some $15 bn, despite crime costing society significantly more. The paper doesn't go into the politics of why this might be so, but I'll hazard a guess that cutting crime benefits more people a little while spending on anti-terror measures benefits a few people quite a bit. Lowering the likelihood that my car will suffer $300 in damage from a break-in has less immediacy than a $30m contract for a new security gadget would were I in that line of business.

David Braverman, Saturday 30 April 2011 18:06:06 CDT (UTC-05:00)
# Friday 25 March 2011

Who authenticates the authentication?

Via Bruce Schneier, the author of How the End Begins describes how no one can ever be absolutely certain an order to destroy civilization is authentic:

Can the president start a nuclear war on his own authority—his own whim or will—alone? The way Brigadier Gen. Jack D. Ripper did in Dr. Strangelove? What if a president went off his meds, as we'd say today, and decided to pull a Ripper himself? Or what if a Ripper-type madman succeeded in sending a falsely authenticated launch order? You're about to kill 10 million people, after all.

Anyway, back down there in your launch capsule you might allow yourself to wonder: "This launch order, is this for real or for Nixon's indigestion?"

If you were asking yourself that question, you wouldn't be the only one. James Schlesinger, secretary of defense at that time, No. 2 in the nuclear chain of command, was reported to be so concerned about Nixon's behavior that he sent word down the chain of command that if anyone received any "unusual orders" from the president they should double-check with him before carrying them out.

So there you are, having just received the order to launch nuclear genocide. Should you suppress any doubts, twist your launch key in the slot simultaneously with your fellow crewman and send death hurtling toward millions of civilians halfway around the world? Without asking questions? That's what you're trained to do, not ask questions. Trainees who asked questions were supposed to be weeded out by the Air Force's "psychiatric consideration of human reliability" requirement. I've read this absurd Strangelovian document, which defined sane and reliable as being willing to kill 10 or 20 million people with the twist of a wrist, no questions asked.

Oh, yeah, I'll sleep well tonight.

David Braverman, Friday 25 March 2011 13:15:32 CDT (UTC-05:00)

Friday miscellany

In no particular order:

  • Today is the 100th anniversary of the deadly Triangle Shirtwaist factory fire in New York, in which 146 workers died. If you want to know why we have unions in the U.S., read the story. This is the world to which the radical right are happy to return us.
  • I have to hand it to Citibank and their crack team of fraud preventatives. Last week I bought a plane ticket from Chicago to London for about $700. A few hours later I attempted to put down a £100 deposit on a hotel room in London. Citibank declined the smaller charge, because it was an international purchase without card-in-hand, as they say. Note I bought the airline ticket online also.
    A 10-minute phone call to them, followed by an apologetic phone call to the hotel, and it went through fine. This morning, I bought a £58 round trip rail ticket from London to York on a day within both the air ticket and hotel reservation (both of which Citibank knows about), and their computer called me within seconds to warn me of yet more fraud. Fifteen minutes later they have finally—finally!—acknowledged that I might be in the UK for a couple of days, and possibly will be using my credit card to make reservations ahead of the trip. Note to people outside the US: They're not trying to protect me; they're trying to protect themselves. In the US, card holders have a $50 liability limit for fraudulent transactions; the bank's liability is essentially limitless. But still, guys?
  • Microsoft's Raymond Chen has a funny anecdote about the Seattle Symphony Orchestra's front office getting confused between Paul Cézanne and Camille Saint-Saëns, complete with a handy chart to tell the difference.

That is all.

David Braverman, Friday 25 March 2011 10:15:51 CDT (UTC-05:00)
# Thursday 30 December 2010

148 years too late

Via Bruce Schneier, a retired CIA codebreaker recently decoded a message sent to Confederate Lt. Gen. John Pemberton in July 1863:

The encrypted, 6-line message was dated July 4, 1863, the date of Pemberton's surrender to Union forces led by Ulysses S. Grant, ending the Siege of Vicksburg in what historians say was a turning point midway into the Civil War.

The message is from a Confederate commander on the west side of the Mississippi River across from Pemberton.

"He's saying, 'I can't help you. I have no troops, I have no supplies, I have no way to get over there,'" Museum of the Confederacy collections manager Catherine M. Wright said of the author of the dispiriting message. "It was just another punctuation mark to just how desperate and dire everything was."

That day, 4 July 1863, the Union not only captured Vicksburg but also prevailed at Gettysburg. Historians generally agree the two victories effectively ended any possibility of the Confederacy winning the war, though they would continue to fight for another 20 months.

The full text of the message to Pemberton reads:

"Gen'l Pemberton:

You can expect no help from this side of the river. Let Gen'l Johnston know, if possible, when you can attack the same point on the enemy's lines. Inform me also and I will endeavor to make a diversion. I have sent some caps (explosive devices). I subjoin a despatch from General Johnston."

The last line, Wright said, seems to suggest a separate delivery to Pemberton would be the code to break the message.

The news story has more details about how they found the message, and how they broke the code.

David Braverman, Thursday 30 December 2010 08:47:22 CST (UTC-06:00)
# Wednesday 8 December 2010

Never ascribe to malice...

I've recently had the opportunity to work on-site with a client who has a strong interest in protecting its customers' privacy. They have understandably strict policies regarding who can see what network data, who can get what access to which applications, etc. And they're interested in the physical security of their buildings.

At some point, however, process can stymie progress, and this client recently added a physical security measure that can stand as a proxy for everything else about how they function. Not content with having a full-time security guard at each lobby entrance, and with doors that require an ID to open, they now have a man-trap-style revolving door system. Only one person can enter the door at a time, or alarms sound. The doors move slowly enough that even the slowest walkers—and this is far Suburbistan, so there are many—can get through without hurrying. And to make extra-special-certain, these doors require a second ID badge.

Now, the client building is 30 km from the nearest city of any size, and that city doesn't even rank in the top 50 by population. In order to get to the building you have to drive some distance from anyplace you'd ever want to be, then cross a parking lot whose area, according to Google Maps, is four times greater than the building's footprint. In other words, they're protecting the building from...nobody. Nobody will ever lay siege to this place.

This aptly demonstrates the philosophy throughout the organization: they have immense barriers that have no purpose except to prevent any actual work from happening. My effort for this particular client lasted several long weeks and produced, in the end, about fifteen lines of code. They brought 60 developers onto the project to speed it up, with the result that 60 developers tripped over procedures and project management at immense cost to the company to produce something four guys in a garage could have done in the same length of time.

There's a punchline, a poignant one for the day after Elizabeth Edwards died: the client is a major health-insurance company.

Do you want to know why the U.S. spends more on health care than any other country? I think I have the answer.

N.B.: The title of this post comes from one of my favorite quotes, usually ascribed to Napoleon Bonaparte but probably coined by Robert Heinlein: "Never attribute to malice that which is adequately explained by stupidity."

David Braverman, Wednesday 8 December 2010 09:09:13 EST (UTC-05:00)
#    Comments [0] | Trackback
Blog reactions
# Friday 26 November 2010

The threat condition level is colorless

Via Schneier, the Department of Homeland Security will soon get rid of color-coded warnings:

In an interview on “The Daily Show” last year, the homeland security chief, Janet Napolitano, said the department was “revisiting the whole issue of color codes and schemes as to whether, you know, these things really communicate anything to the American people any more.”

The answer, apparently, is no.

The Homeland Security Department said the colors would be replaced with a new system — recommendations are still under review — that should provide more clarity and guidance. The change was first reported by The Associated Press.

I wonder what that guy at O'Hare—the one who says "The current threat advisory level is orange" all day—I wonder what he'll do now?

David Braverman, Friday 26 November 2010 09:43:05 CST (UTC-06:00)
#    Comments [0] | Trackback
# Thursday 11 November 2010

When to change passwords

Security guru Bruce Schneier has great advice about when to change your passwords:

The primary reason to give an authentication credential -- not just a password, but any authentication credential -- an expiration date is to limit the amount of time a lost, stolen, or forged credential can be used by someone else. If a membership card expires after a year, then if someone steals that card he can at most get a year's worth of benefit out of it. After that, it's useless.

... An attacker who gets the password to your bank account by guessing or stealing it isn't going to eavesdrop. He's going to transfer money out of your account -- and then you're going to notice. In this case, it doesn't make a lot of sense to change your password regularly -- but it's vital to change it immediately after the fraud occurs.

... So in general: you don't need to regularly change the password to your computer or online financial accounts (including the accounts at retail sites); definitely not for low-security accounts. You should change your corporate login password occasionally, and you need to take a good hard look at your friends, relatives, and paparazzi before deciding how often to change your Facebook password. But if you break up with someone you've shared a computer with, change them all.

David Braverman, Thursday 11 November 2010 09:34:06 CST (UTC-06:00)
#    Comments [0] | Trackback
# Monday 19 July 2010

Note to phishers

A good friend woke up this morning to find her email and Facebook accounts hacked, with a message sent out to everyone in her address book that she'd been robbed at gunpoint while visiting London and desperately needed a credit card to get on the plane back home.

Other than the story's baseline implausibility (a gun robbery in London being about as likely as getting trampled by a moose in Atlanta), there were other clues it was a phisher. For one thing, my friend is an American lawyer, not a Nigerian criminal, so she has a direct, concise, and moreover punctuated writing style not immediately in evidence in the phishing message.

The take-away, to all the would-be phishers reading this: you'll get farther with your frauds if you learn better English. Next time, instead of asking for credit-card numbers, write this: "Help! I am being held captive unless I can draft a 500-word essay on epistemology, and they'll only allow me one reference book! Please, I'm desperate, send me Strunk and White before I use unnecessary words!"

Oh, and also try hacking your victim's spouse's account, which will make it harder for people to verify the dodge.

David Braverman, Monday 19 July 2010 08:21:09 CDT (UTC-05:00)
#    Comments [1] | Trackback
# Friday 14 May 2010

Speaking of creativity

Waaaaay back in ancient history, I actually reported a Nigerian scammer to the FBI. This was, oh, 1997 or so, maybe 1998. The FBI already had a cybercrimes unit in San Francisco, and I had a half-hour conversation with one of the agents there about a bizarre email I'd received from a Nigerian IP address. We actually did some IP tracing and header analysis on the email to determine its origin. Yes, the scam was that new.

Who was it that said, the more things change, the more they stay the same? Right:

OFFICER IN-CHARGE:
NAME: Mr. Robert Stephen Sien @
FBI UK Internet Fraud Watch/Alert
Phone: +44 792 457 7408

We are writing in response to our track light monitoring device which we received today in our office about your transactions.

The Federal Bureau Of Investigation (FBI) Washington DC, in conjunction with the Scotland Yard, Has screened through our various Monitoring Networks also our German counterpart the anti fraud unit reported that your identity/information was used to dupe a German Business man to the tune of $5 Million USD by some Africa/Nigerian Fraudsters.

After all the series of investigations conducted here in our office we tracked your record and we found out that you have never had any fraudulent case that may jeopardize your image and personality.

We have concluded our investigation and you have been approved to be compensated from the total amount recovered for scam victims compensation. So all you need to do right now in other to receive your compensation and clear your name from the list of these Con Men which has already been forwarded to our office is to secure the CLEAN BILL CERTIFICATE immediately.

This Certificate will clear your name from the scam list which will enable you receive the sum of $500,000.00 Usd compensation fund.

You are required to contact Robert S. Sien by email: rssien@aol.com with your full name and contact details for easy communication also to guild you on how to secure the CLEAN BILL CERTIFICATE and claim your money.

THANKS FOR YOUR CO-OPERATION.

Robert Stephen Sien.
FBI SPECIAL AGENT

You know what tipped me off? What made me certain this was a 419 scammer? Because, you can see, it's quite well crafted, no loose ends, nothing to arouse suspicion.

What tipped me off was this:

When real FBI agents refer to their employer, they never capitalize "of".

It's obvious when you look at it.

David Braverman, Thursday 13 May 2010 21:32:17 CDT (UTC-05:00)
#    Comments [0] | Trackback
# Thursday 6 May 2010

Why aren't there more terror attacks?

Bruce Schneier gives three main reasons:

One, terrorist attacks are harder to pull off than popular imagination -- and the movies -- lead everyone to believe. Two, there are far fewer terrorists than the political rhetoric of the past eight years leads everyone to believe. And three, random minor terrorist attacks don't serve Islamic terrorists' interests right now.

... So, to sum up: If you're just a loner wannabe who wants to go out with a bang, terrorism is easy. You're more likely to get caught if you take a long time to plan or involve a bunch of people, but you might succeed. If you're a representative of al-Qaida trying to make a statement in the U.S., it's much harder. You just don't have the people, and you're probably going to slip up and get caught.

David Braverman, Thursday 6 May 2010 07:36:32 CDT (UTC-05:00)
#    Comments [0] | Trackback
# Monday 3 May 2010

Fallows on Times Square

Brilliant:

If the TSA Were Running New York

- All vans or SUVs headed into Midtown Manhattan would have to stop and have their contents inspected. If any vehicle seemed for any reason to have escaped inspection, Midtown in its entirety would be evacuated;

- A whole new uniformed force -- the Times Square Security Administration, or TsSA - would be formed for this purpose;

- The restrictions would never be lifted and the TsSA would have permanent life, because the political incentives here work only one way.

... The point of terrorism is not to "destroy." It is to terrify. And for eight and a half years now, the dominant federal government response to terrorist threats and attacks has been to magnify their harm by increasing a mood of fear and intimidation. That is the real case against the ludicrous "orange threat level" announcements we hear every three minutes at the airport. It's not just that they're pointless, uninformative, and insulting to our collective intelligence; it's that their larger effect is to make people feel frightened rather than brave.

It always strikes me that Israel, which has actual, ongoing terrorism, doesn't x-ray people's shoes.

David Braverman, Monday 3 May 2010 18:06:09 CDT (UTC-05:00)
#    Comments [0] | Trackback
# Monday 26 April 2010

Japan has poked USSR

I'm back in the US, and mostly sure it's Monday evening. Beyond that I'm still recovering from my 14-hour flight yesterday. I'm also waiting for a new hard disk from Dell for my laptop, as the old one died. Fortunately, I back it up religiously.

While I get my creativity back, enjoy someone else's: WW2 As Seen On Facebook.

David Braverman, Monday 26 April 2010 18:41:15 CDT (UTC-05:00)
#    Comments [0] | Trackback
# Sunday 25 April 2010

Pick a peck of pickled packets (Shanghai residency day 9)

The Internet experience at Pudong International Airport differs markedly from the experience at our hotel. I've noticed a pattern, whereby unencrypted data, like The Daily Parker, seems to move about an order of magnitude faster than encrypted data, like the HTTPS connection I've got going with my mail server. The interesting part is that both sites are going through the same router back in Chicago. So, either the Web terminal I'm using has a particularly hard time with secure websites, or something is slowing down the mail packets. Hmmm...can't think what that might be...

Compounding my Internet woes, my laptop's hard drive corrupted its boot sector Saturday afternoon. I have no idea how this happened. The Bitlocker recovery key no longer works. I expect tomorrow I'm going to have to install a new hard drive and then install all my software again. This does not make me happy. On the other hand, I have two episodes of Lost to catch up on before Tuesday.

This, anyway, explains why I didn't post anything yesterday, and why the video clip of the world's fastest land vehicle will have to wait until later today. (Because of the International Date Line, even though I have a 13-hour overnight flight, I arrive at O'Hare 30 minutes after I leave Shanghai.)

Two hours until my flight home. Maybe my email will finish downloading by then?

David Braverman, Sunday 25 April 2010 14:37:44 CST (UTC+08:00)
#    Comments [0] | Trackback
# Wednesday 24 February 2010

Stupefying

If this story is true, someone needs time in jail to think about civic responsibility:

In a lawsuit filed Tuesday in federal court, [a Pennsylvania] family said the school's assistant principal had confronted their son, told him he had "engaged in improper behavior in [his] home, and cited as evidence a photograph from the webcam embedded in [his] personal laptop issued by the school district."

The suit contends the Lower Merion School District, one of the most prosperous and highest-achieving in the state, had the ability to turn on students' webcams and illegally invade their privacy.

The suit says that in November, assistant principal Lynn Matsko called in sophomore Blake Robbins and told him that he had "engaged in improper behavior in his home," and cited as evidence a photograph from the webcam in his school-issued laptop.

Matsko later told Robbins' father, Michael, that the district "could remotely activate the webcam contained in a student's personal laptop . . . at any time it chose and to view and capture whatever images were in front of the webcam" without the knowledge or approval of the laptop's users, the suit says.

A security professional in New York has investigated the technical claims and found them convincing. He also expanded on the original news story with some circumstantial evidence:

The truly amazing part of this story is what's coming out from comments from the students themselves. Some of the interesting points:

  • Possession of a monitored Macbook was required for classes
  • Possession of an unmonitored personal computer was forbidden and would be confiscated
  • Disabling the camera was impossible
  • Jailbreaking a school laptop in order to secure it or monitor it against intrusion was an offense which merited expulsion

When I spoke at MIT about the wealth of electronic evidence I came across regarding Chinese gymnasts, I used the phrase "compulsory transparency". I never thought I would be using the phrase to describe America, especially so soon, but that appears to be exactly the case.

I can't wait to see how this turns out.

David Braverman, Wednesday 24 February 2010 17:09:34 EST (UTC-05:00)
#    Comments [0] | Trackback
# Saturday 9 January 2010

Is your computer backed up?

Software entrepreneur Joel Spolsky says that's a good start, but only part of it:

[L]et’s stop talking about “backups.” Doing a backup is too low a bar. Any experienced system administrator will tell you that they have a great backup plan, the trouble comes when you have to restore.

And that’s when you discover that:

  • The backed-up files were encrypted with a cryptographically-secure key, the only copy of which was on the machine that was lost
  • The server had enormous amounts of configuration information stored in the IIS metabase which wasn’t backed up
  • The backup files were being copied to a FAT partition and were silently being truncated to 2GB
  • Your backups were on an LTO drive which was lost with the data center, and you can’t get another LTO drive for three days
  • And a million other things that can go wrong even when you “have” “backups.”

The minimum bar for a reliable service is not that you have done a backup, but that you have done a restore.

As someone who's got reliable, clockwork backups running, and has had them fail for one of the reasons Spolsky listed (and others that he didn't), I think this is tremendously good advice.
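A restore drill in the spirit of Spolsky's point, as an added example that is neither his code nor anything from this blog: it backs up a constructed sample tree, restores the archive into a separate directory, and checks every restored file against a checksum manifest taken at backup time. A second run cuts the archive in half after it is written, standing in for a copy that was silently truncated in transit, to show the drill catching it. All file names and contents are constructed.

```python
from __future__ import annotations

import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path

# Constructed sample data: a tiny tree standing in for the server being backed up.
SAMPLE_FILES = {
    "www/index.html": b"<html>hello</html>\n",
    "config/app.ini": b"[db]\nhost=localhost\n",
    "data/records.csv": b"id,name\n1,alice\n2,bob\n",
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src: Path, archive: Path) -> dict[str, str]:
    """Write a tar.gz of src and return the manifest taken at backup time.
    The manifest lives outside the archive so a restore can be checked against it."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(src), arcname=".")
    return build_manifest(src)


def restore_and_verify(archive: Path, manifest: dict[str, str], dest: Path) -> list[str]:
    """Restore into dest and return the problems found (empty means the drill passed)."""
    with tarfile.open(archive, "r:gz") as tar:
        # Use the 'data' extraction filter where the interpreter has it
        # (rejects absolute paths and '..' members); older versions extract plainly.
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **extra)
    restored = build_manifest(dest)
    problems = [f"missing after restore: {rel}" for rel in manifest if rel not in restored]
    problems += [f"content differs after restore: {rel}"
                 for rel, digest in manifest.items()
                 if rel in restored and restored[rel] != digest]
    problems += [f"unexpected file in restore: {rel}" for rel in restored if rel not in manifest]
    return problems


def run_drill(truncate_archive: bool = False) -> list[str]:
    """End-to-end restore drill on the sample tree. With truncate_archive=True the
    archive is cut short after it is written, mimicking a silently truncated copy."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, dest, archive = root / "live", root / "restore", root / "backup.tar.gz"
        for rel, content in SAMPLE_FILES.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(content)
        manifest = make_backup(src, archive)
        if truncate_archive:
            data = archive.read_bytes()
            archive.write_bytes(data[: len(data) // 2])
        dest.mkdir()
        try:
            return restore_and_verify(archive, manifest, dest)
        except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
            # A damaged archive may fail to open or stop mid-stream; either is a failed drill.
            return [f"restore failed: {type(exc).__name__}: {exc}"]


if __name__ == "__main__":
    print("intact archive:", run_drill() or "restore verified")
    print("truncated archive:", run_drill(truncate_archive=True))
```

The design choice worth copying is that the manifest is recorded at backup time and kept apart from the archive, so the drill has something independent to compare against; a restore that "succeeds" but yields missing or altered files is reported just like one that fails outright.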

David Braverman, Saturday 9 January 2010 11:06:55 EST (UTC-05:00)
#    Comments [0] | Trackback
# Friday 20 November 2009

OEM virus protection

I don't know where this came from originally, but...well, look:

(Full size after the jump.)

David Braverman, Friday 20 November 2009 17:17:49 CST (UTC-06:00)
#    Comments [0] | Trackback
# Wednesday 7 October 2009

You don't tug on Superman's cape

And you don't let a convicted hacker near the prison computers, either:

Douglas Havard, 27, serving six years for stealing up to £6.5million using forged credit cards over the internet, was approached after governors wanted to create an internal TV station but needed a special computer program written.

He was left unguarded and hacked into the system's hard drive at Ranby Prison, near Retford, Notts. Then he set up a series of passwords so no one else could get into the system.

How could this be worse? Glad you asked:

The blunder emerged a week after the Sunday Mirror revealed how an inmate at the same jail managed to get a key cut that opened every door.

It's scary when the Mirror starts to sound like the Onion...

(Via Bruce Schneier.)

David Braverman, Tuesday 6 October 2009 20:32:08 CDT (UTC-05:00)
#    Comments [0] | Trackback
# Tuesday 29 September 2009

Please don't tell the TSA

I can't wait to see what they'll have us do after this:

On the evening of Aug. 28, Prince Mohammed bin Nayef, the Saudi Deputy Interior Minister — and the man in charge of the kingdom’s counterterrorism efforts — was receiving members of the public in connection with the celebration of Ramadan....

One of the highlights of the Friday gathering was supposed to be the prince’s meeting with Abdullah Hassan Taleh al-Asiri, a Saudi man who was a wanted militant from al Qaeda in the Arabian Peninsula (AQAP). Al-Asiri had allegedly renounced terrorism and had requested to meet the prince in order to repent and then be accepted into the kingdom’s amnesty program. Such surrenders are not unprecedented....

But the al-Asiri case ended very differently from the al-Awfi case. Unlike al-Awfi, al-Asiri was not a genuine repentant — he was a human Trojan horse. After al-Asiri entered a small room to speak with Prince Mohammed, he activated a small improvised explosive device (IED) he had been carrying inside his anal cavity. The resulting explosion ripped al-Asiri to shreds but only lightly injured the shocked prince — the target of al-Asiri’s unsuccessful assassination attempt.

(Via Bruce Schneier.)

David Braverman, Monday 28 September 2009 20:27:04 CDT (UTC-05:00)
#    Comments [0] | Trackback
# Wednesday 26 August 2009

Securely stupid (London residency day 11)

I learned a valuable lesson yesterday: when you lock your computer to your hotel room desk, and you put the cable-lock key in your pocket, you have to remove the key from your pocket before sending the slacks down to the laundry.

This realization crept up on me over a very quiet 90-second period that started when I looked in my room safe for the key and didn't find it there.

I won't keep you in suspense: housekeeping found and returned the key this morning. This is good, because I had no idea how I was going to fit the desk in the overhead compartment on my flight home.

David Braverman, Wednesday 26 August 2009 06:29:00 CDT (UTC-05:00)
#    Comments [0] | Trackback
# Monday 15 June 2009

Seriously loving the G1

Photos and reviews of Ribfest tomorrow morning. Right now, though, I'm all about the novelty of updating TDP from my phone. Also tomorrow, I'll explain why this is a bigger deal than it seems.

David Braverman, Sunday 14 June 2009 20:43:53 CDT (UTC-05:00)
#    Comments [0] | Trackback
# Friday 10 April 2009

How not to hold secret documents

Via Bruce Schneier, a demonstrably incompetent police chief in the UK has resigned after mishandling a secret document:

Police were forced to carry out raids on addresses in the north-west of England in broad daylight yesterday, earlier than planned, after [Bob] Quick, the Metropolitan police's assistant commissioner [and senior-most counter-terrorism official], was photographed carrying sensitive documents as he arrived for a meeting in Downing Street.

A white document marked "secret", which carried details of the operation being planned by MI5 and several police forces, was clearly visible to press photographers equipped with telephoto lenses.

Yesterday, realising the existence of the photographs of the document – which included the names of several senior officers, sensitive locations and details about the nature of the overseas threat – the government imposed a "D notice" to restrict the media from revealing the contents of the picture.

The Guardian article has a photo of the document, taken as Quick got out of his car.

Police also revealed that Quick's Windows password was "bob1" and that he routinely leaves his keys in his car "so [he'll know] where to find them."

David Braverman, Friday 10 April 2009 07:58:23 CDT (UTC-05:00)
#    Comments [0] | Trackback
# Wednesday 14 January 2009

Security comes down to people

Two examples of totally ineffective security responses in today's news. First, in suburban Chicago, a commuter-rail ticket agent called police about a man with a gun boarding a train, causing a two-hour delay as heavily-armed cops evacuated and searched the train. They found the man with the gun when the man in question saw the commotion and identified himself as a Secret Service agent, not realizing he was himself the target of the search:

Metra spokeswoman Judy Pardonnet said the incident began when a plainclothes Secret Service agent asked a Naperville ticket agent whether there were metal detectors aboard the BNSF Line train and indicated he was carrying a gun.

David Braverman, Wednesday 14 January 2009 14:04:51 CST (UTC-06:00)
#    Comments [0] | Trackback
# Monday 29 December 2008

More fun with the TSA

Via Bruce Schneier, a woman brought clearly-labeled gunpowder through a TSA checkpoint, in the regulation size baggies:

Mind you, I had packed the stuff safely. It was in three separate jars: one of charcoal, one of sulphur, and one of saltpetre (potassium nitrate). Each jar was labeled: Charcoal, Sulphur, Saltpetre. I had also thoroughly wet down each powder with tap water. No ignition was possible. As a good citizen, I had packed the resulting pastes into a quart-sized "3-1-1" plastic bag, along with my shampoo and hand cream. This bag I took out of my messenger bag and put on top of my bin of belongings, turned so that the labels were easy for the TSA inspector to read.

I expect she'll get noticed the next time she flies...

David Braverman, Monday 29 December 2008 08:48:46 CST (UTC-06:00)
#    Comments [0] | Trackback
# Sunday 7 December 2008

More good news

From my dad, yet another New York Times article to make you all warm and fuzzy inside:

Thieves Winning Online War, Maybe in Your PC

Despite the efforts of the computer security industry and a half-decade struggle by Microsoft to protect its Windows operating system, malicious software is spreading faster than ever. The so-called malware surreptitiously takes over a PC and then uses that computer to spread more malware to other machines exponentially. Computer scientists and security researchers acknowledge they cannot get ahead of the onslaught.

As more business and social life has moved onto the Web, criminals thriving on an underground economy of credit card thefts, bank fraud and other scams rob computer users of an estimated $100 billion a year, according to a conservative estimate by the Organization for Security and Cooperation in Europe. A Russian company that sells fake antivirus software that actually takes over a computer pays its illicit distributors as much as $5 million a year.

Sigh.

David Braverman, Sunday 7 December 2008 12:31:43 CST (UTC-06:00)
#    Comments [0] | Trackback
# Sunday 30 November 2008

Lost passwords

I spent part of this afternoon rooting around in my email correspondence from 1999 and 2000. Forgetting the wherefores and whatnots of the emails themselves, just getting into the Outlook files proved difficult. How many passwords does anyone remember from nine years ago? I actually remember a few, but not, unfortunately, the ones I needed.

Sure, I found them eventually, but heavens. That's half an hour of my life I'll never get back, and it was my own fault.

David Braverman, Sunday 30 November 2008 17:14:57 CST (UTC-06:00)
#    Comments [0] | Trackback
# Monday 28 July 2008

More stupid Windows tricks

I've largely solved yesterday's frustration (more of a PEBCAK issue than anything else, wouldn't you know?) so now I have a new one: the touchpad on my laptop isn't working. It's probably a driver issue, but still, it makes navigating—doing anything, really—that much more difficult.

Anyway. On to New York for my first-and-only Yankees game.

Forgot to mention: Philadelphia beat Atlanta 12-10 yesterday. As soon as I get my technical problems fixed I'll have photos of the massive thunderstorm that caused a two-hour rain delay. And after a nail-biting day when the Cubs and Milwaukee were tied for first place, the Cubs won and Milwaukee lost, putting us a full game up once again.

David Braverman, Monday 28 July 2008 08:09:12 EDT (UTC-04:00)
#    Comments [0] | Trackback

Stupid Windows tricks

Windows is designed to be secure (don't laugh). One security measure is to lock users out after a certain number of failed login attempts. Vista, however, tries to log in many more times than you might think. So, even if you mis-type your password once or twice, Vista might think the KGB is trying to break into your laptop and lock you out.

I know this because, 36 hours into a 7-day trip, I appear to be locked out of my laptop.

Now, I can unlock my laptop in seconds by logging in while physically connected to my network. The only problem is that my network is 1100 km away and I won't reconnect to it for a few days.

So, great, at least my laptop is secure from someone who knows my UID and password. Of course, if someone ripped the hard drive out and connected it to another machine, he could read the unencrypted parts without any problem. Since I would like to keep the laptop intact, and it's the encrypted parts that I kind of need right now, it's inconvenient, to say the least.

When I calm down and I don't want to beat the Windows Vista team lead over the head repeatedly with my laptop, I'll explain why this "security" only matters if you aren't actually a malicious hacker, and why if you are a malicious hacker it's irrelevant. In other words, what I'm going through at this exact moment is much like the people lining up for crosses in Monty Python's Life of Brian: it'll only hurt if you're honest.

David Braverman, Sunday 27 July 2008 21:14:44 CDT (UTC-05:00)
#    Comments [0] | Trackback
# Saturday 19 July 2008

Identity theft?

David Braverman, Saturday 19 July 2008 11:33:49 CDT (UTC-05:00)
#    Comments [0] | Trackback
# Tuesday 15 July 2008

Major sabotage to San Francisco city computers

Via Dad, it seems a network administrator for the City of San Francisco has locked out all the other administrators:

A disgruntled city computer engineer has virtually commandeered San Francisco's new multimillion-dollar computer network, altering it to deny access to top administrators even as he sits in jail on $5 million bail, authorities said Monday.

Terry Childs, a 43-year-old computer network administrator who lives in Pittsburg, has been charged with four counts of computer tampering and is scheduled to be arraigned today.

...

Childs created a password that granted him exclusive access to the system, authorities said. He initially gave pass codes to police, but they didn't work. When pressed, Childs refused to divulge the real code even when threatened with arrest, they said.

He was taken into custody Sunday. City officials said late Monday that they had made some headway into cracking his pass codes and regaining access to the system.

He's about to find out that you can sit in jail on a contempt of court charge for, well, ever.

David Braverman, Tuesday 15 July 2008 11:09:02 CDT (UTC-05:00)
#    Comments [0] | Trackback
# Wednesday 26 March 2008

Several creepy items

The first—the most serious one—comes from David Brooks via my friend RB:

Let’s take a look at what [Clinton is] going to put her party through for the sake of [a] 5 percent chance [of winning]: The Democratic Party is probably going to have to endure another three months of daily sniping. ... For three more months (maybe more!) the campaign will proceed along in its Verdun-like pattern.
David Braverman, Tuesday 25 March 2008 21:43:24 CDT (UTC-05:00)
#    Comments [0] | Trackback
# Thursday 28 February 2008

Get them while they're young

Via Bruce Schneier, a true horror.

David Braverman, Wednesday 27 February 2008 21:24:38 CST (UTC-06:00)
#    Comments [0] | Trackback
# Wednesday 21 November 2007

British nuclear security

Via Bruce Schneier, apparently the physical security of British nuclear weapons until around 1998 consisted of, essentially, a bicycle key:

To arm the weapons you just open a panel held by two captive screws - like a battery cover on a radio - using a thumbnail or a coin.

Inside are the arming switch and a series of dials which you can turn with an Allen key to select high yield or low yield, air burst or groundburst and other parameters.

The Bomb is actually armed by inserting a bicycle lock key into the arming switch and turning it through 90 degrees. There is no code which needs to be entered or dual key system to prevent a rogue individual from arming the Bomb.

Oh. Well. Of course. Why use a hard-to-forge sequence of letters and numbers like the U.S. or U.S.S.R. when a little key will do?

So what prevented an accidental (or deliberate) British detonation until Tony Blair fixed the problem? Why, tradition, of course, what what!

The Royal Navy argued that officers of the Royal Navy as the Senior Service could be trusted: "It would be invidious to suggest... that Senior Service officers may, in difficult circumstances, act in defiance of their clear orders."

(Insert nervous laughter here.)

David Braverman, Wednesday 21 November 2007 14:02:03 CST (UTC-06:00)
#    Comments [0] | Trackback
# Tuesday 11 September 2007

Digital Rights Management sucks: UK Guardian

Via Bruce Schneier, Cory Doctorow: "The DRM business model is the urinary tract infection of media experiences: all of the uses that used to come in an easy gush now come in a mingy, painful dribble..."

David Braverman, Tuesday 11 September 2007 07:50:02 CDT (UTC-05:00)
#    Comments [0] | Trackback
# Friday 7 September 2007

Distracting news roundup

A larger-than-usual bunch of news stories piqued my interest this morning:

David Braverman, Friday 7 September 2007 09:40:13 CDT (UTC-05:00)
#    Comments [0] | Trackback
# Monday 27 August 2007

How the terrorists are winning

Terrorism only works if people allow themselves to be terrorized. People like, for example, shoppers in New Haven, Conn.:

Two people who sprinkled flour in a parking lot to mark a trail for their offbeat running club [the Hash House Harriers] inadvertently caused a bioterrorism scare and now face a felony charge.

New Haven ophthalmologist Daniel Salchow, 36, and his sister, Dorothee, 31, who is visiting from Hamburg, Germany, were both charged with first-degree breach of peace, a felony.

The siblings set off the scare while organizing a run for a local chapter of the Hash House Harriers, a worldwide group that bills itself as a "drinking club with a running problem."

...

Mayoral spokeswoman Jessica Mayorga said the city plans to seek restitution from the Salchows, who are due in court Sept. 14. "You see powder connected by arrows and chalk, you never know," she said. "It could be a terrorist, it could be something more serious. We're thankful it wasn't, but there were a lot of resources that went into figuring that out."

Maybe there's something about New England that prevents the police there from exercising common sense (see, e.g., blinking advertisements).

Update, 15:20 CDT: Security expert Bruce Schneier has declared this the "stupidest terrorist overreaction yet."

David Braverman, Monday 27 August 2007 13:02:14 CDT (UTC-05:00)
#    Comments [0] | Trackback
# Wednesday 15 August 2007

Security theater

Via Bruce Schneier, a really good article about security theater:

At the time, it seemed reasonable. Richard Reid tried to ignite explosives hidden in his shoe while aboard a December 2001 flight from Paris, so Congress banned butane lighters on planes.

But in retrospect, the costs of the ban outweighed the benefits. Airport retailers had to stop selling lighters. Lighter vendor Zippo Manufacturing Co. laid off more than 100 workers in part because of the prohibition. Transportation Security Administration screeners at one point had to confiscate 30,000 lighters every day, quadrupling the amount of garbage the agency had to dispose of. TSA even had to hire a contractor to help with all the extra trash.

Welcome to homeland security, where everyone has an incentive to exaggerate threats. A Congress member whose district includes a port has little to lose and much to gain by playing up the potential for container-borne terrorism. A city with a dam talks up the need to protect critical infrastructure. A company selling weapons-detection technology stresses the vulnerability of commercial aviation. A civil servant evaluating homeland security grant applications has an interest in over-estimating dangers that might be addressed by grantees rather than denying funding and risk blame in the event of a disaster.

David Braverman, Wednesday 15 August 2007 08:50:29 CDT (UTC-05:00)
#    Comments [0] | Trackback