20 December, 2007

Wicked Cool but can you Hack it?

200KW self regulating Mini Reactor with 40 year lifespan


I want to know if it is a true fission reactor or just a decay based one.

More here. I don't think it is the same thing though; this one looks more like an RTG.

and Here

And here Homeland Security angle

This one talks about the 4S mentioned above

14 December, 2007

Not a Huff Fan - But write for free anyway

Found this via Instapundit (If you haven't noticed he is a daily read for me).

I am certainly not a Huff fan, pretty much the opposite (I am not a moron Huffington Pseudo Int zombie political hack), but it is hard to criticize the model. After all I write for Google via Blogger for pretty much free.

Almost all of us do.

Hell I don't even write for the hit count fix anymore.

29 October, 2007

TNR Beauchamp - NEI ?

I have been following the Beauchamp TNR story for a while and while it disgusts me I haven't had much to say that many others are not already saying more effectively.

This morning I read this post at that I found via instapundit.

I was quite surprised to see the NEI as one of their advertisers.

I have cross linked with the NEI blog a number of times and am a regular reader of TNR online. Believe me when I say that it is unlikely that ardent readers of TNR will support NEI's goals of increasing the acceptance of nuclear power. It seems their advertising budget would be better spent in less hostile venues.

Do I have a fundamental misunderstanding of either of the organizations? Or could this be a case of the Yankee picking up algorithm-planted ads and equating them with direct advertisement? An understandable mistake but still possibly a mistake. If so we might want to be judicious in approaching the advertisers or laying blame.

Was this in the paper publication or did it only appear on their site?

In any case I agree with the general need to press TNR to stop presenting lies targeting the military.

17 October, 2007

Gamer Super Computer

This is pretty cool

So here is the Crazy Idea

Cheap Game console

Three parts

Totally wireless (Including Power)

Controlled Main Console but VMs that are standard architecture so you can run Linux (or whatever other OS you want to buy from the "mother site").

Linkable so multiple consoles in the same vicinity or with IP access can share each others computing power.

More Later

07 September, 2007

Gasp For Breath - Political Success or at least progress

I am still alive. I am not even going to try to say that I will regularly post but I do not plan on abandoning the blog. So what has been happening.

I discovered that some of my previous posts were telegraphing my intentions so I quieted down. It worked. Long story short I followed the advice I recommended in several of my earlier posts with high emphasis on keeping to the truth and more importantly the provable truth. I did my best to keep pretty much everybody out of the muck.

Security By Self Delusion 1 and

Security By Self Delusion 2

Transforming Negligence to Non Compliance - Hat tip to Steve

and the beginning of 12 steps

Will give you an Idea of what was going on.

Mike at Episteme was being polite in his description but we are emerging from the dark.

Many of us have cooperated and the result is that one team's existence has been saved and even enhanced. A new team has been created and pushed up in the organizational hierarchy and I have been lucky (OK I worked pretty hard for it) enough to get a Director position and a heavy role in designing the new organization.

Of course the down side of the good news is that I have been completely buried and unable (and when I had time unwilling) to blog.

In any case I am back at least in part and will try to put up something close to weekly. Perhaps I can describe how we made progress in an intractable environment.

By the way for the Nukes out there there have been some interesting comments on the Brussard post and the Tokamak one. Thanks for the feedback it is encouraging.

Till sometime in the next month

Jim C

27 July, 2007

Sample Security Priorities - Industrial

1. Protect the Safety of People and Facilities
2. Protect Integrity of Key Financial Data
3. Protect Customer Privacy
4. Protect Restricted Data
5. Facilitate External Communications

Any thoughts?

Sample Security Priorities - Insurance

1. Protect Customer Data Privacy
2. Protect Integrity of Key Financial Data
3. Protect Restricted Data
4. Protect Partner Connections
5. Facilitate External Communications

Any thoughts or additions?

26 July, 2007

"Well We're not doing that any more."

I should say not.


Yes I am still alive.

Yes I intend to start blogging again soon.

No it will not be as much as when I started.

All that said this is cool.

16 July, 2007

Nuclear Safety in Japan


Oh my!!!

I might be calling this one a bit early because the news is just coming out but I suspect that this will be much ado about nothing.

From what I have read so far there was almost a gallon of water and it was contained in the containment building. No release of fission products.

So there is a 6.8 magnitude quake that left 3 foot fissures and the nuke plant only had a small leak that was contained.

I would call this a success in engineering. If this had been a gasoline or heaven forbid a LNG storage facility the result would almost certainly be worse.


Oh this is priceless

"Aileen Mioko Smith, of the environmentalist group Green Action, said the fire showed that some facilities at nuclear power plants such as electrical transformers were built to lower quake-resistance levels than other equipment such as reactor cores."

Duh - You think they might want to give higher priority to the safety of the reactor core maybe?? Sheesh, presenting good engineering as a problem.

11 July, 2007


I know most of you probably feel like this some (or most) of the time.

Twelve eggs in the air
Six hidden rotten and fake
Three Ostrich
Three Robin
Three Chicken
Two Fabergé
One viable Dodo Bird
Just wanna set the rotten ones down
Which ones are they?

No it is not a puzzle just a crappy poem.

06 July, 2007

Trip to Camden

Sorry for the light posting - no excuses.

If you want to check out what I have been up to in the last week or so check out my wife's blog.


Yes that is me with the big stomach climbing the Boulder.

22 June, 2007

My name is Rather. And I’m a dick.


Not much money, but they didn’t ask too many questions and they didn’t have any nosy “fact checkers.”

“Well, well, well. If it isn’t little Katie Couric,”

She stood there, perky and defiant, atop a pair of muscular cheerleader’s calves that looked powerful enough to snap a co-anchor in two.

“Oh Danny, Danny, Danny!” she sobbed. “I’m in an awful fix! The auditors found over three million missing from the Nielsen account, and they’re blaming it on me!

20 June, 2007


I'm not paralyzed but I seem to be struck by you

I want to make you move because your standing still

If your body matches what your eyes can do

You'd probably move right through me on my way to you

Finger 11

Buy it here

12 June, 2007

Gods of Fusion

Funny but geekily twisted

"I would not want to be taken prisoner by people who entertain themselves by burning puppies to death."

That's a quote from this post at Classical Values.

I have to agree with it and will go quite a bit further. I have been following Balko's tracking of these incidents and the tragedies related to SWAT raids for quite some time but they had become numbing to me.

Like a lot of blog topics you see it over and over again until interest wanes. Of course in this case that reaction is horrible. These are human beings (and in the dogs' case, humans' property [and friends]) that are being killed or harmed in these false or stupidly incorrect raids. Unfortunately I was pretty numb to them. I would check Balko out periodically but what can you really do?

This weekend I saw something that woke me up to it again (at least for a little while). I was watching a COPS type show on the Dallas SWAT team and what I saw appalled me. The show was glorifying it and clearly playing up the "hero" factor but I saw a bunch of nearly juvenile thugs. There were three raids in the show; for all three put together they must have gotten almost a pound of marijuana and a dozen or so crack rocks. To clear the obviously massive amount of illicit material from the streets they literally pulled the side of two houses off and destroyed the doors and windows of the third. They tear gassed and held children (3 to 7 year olds) at gun point and clubbed clearly disoriented (but not resisting) people of many ages.

I'll admit they found some drugs in each house but the amount in each case makes me believe it is far more likely that it was the family's teen that had it than any trafficking.

So these people's houses were destroyed, the children traumatized, the parents beaten, machine guns shoved into their heads, professional lives probably ruined (can you imagine explaining why you need time off for something like this) because their teenager had a few cigarettes worth of illegal drugs.

The culmination of the show was them using a .50 cal rifle to take out the engine block of a hijacked semi. This one was a little bit closer to acceptable to me because of the fact that there was definitely an armed and dangerous person on board but I couldn't help but thinking this was a needless action. Where was the semi going to go to? It couldn't possibly outrun the police and it was being driven by a sane person (even though she was at gun point). Which is more likely to make the hijacker freak out and kill the driver? Running out of gas after a 4 hour cooling down time or being shot at with a .50 cal sniper rifle from the back of an armored personnel carrier? Well? At least they didn't shoot her dog when it jumped out of the cab.

Don't get me wrong I am all for police being able to defend themselves and even aggressively pursuing potential culprits. I am not a drug legalization freak either. They are incredibly harmful (even weed) and need to stay illegal. I think that police need to be given a great amount of leeway in how they deal with threats. I also think they need to do everything in their power to deescalate and there has to be some accountability. This is triply true in the case of mistaken identity.

In my job I can get fired and in the case of SOX possibly sent to jail for unknowingly making a mistake. Are you telling me a demonstrably innocent person can get killed and the police involved don't get any scrutiny at all? Or only a few days' suspension. I am sorry that is just unacceptable.

I am also of the opinion that it isn't always directly the officer's fault. Someone running the department created the environment where these things can happen. In the case of accidental deaths in forced entry of the wrong address the police chief should be at least as culpable as the CEO of a mismanaged company.

This is just wrong.

11 June, 2007

Bigotry of Condescension

Very interesting interview with Spiegel

Money Quote

"So you end up with some African biochemist driving an aid worker around, distributing European food, and forcing local farmers out of their jobs."

Via Instapundit

08 June, 2007

Same as it ever was

Tesla did this a long time ago.

I kind of wonder what kind of ionizing effect this has on cells (Specifically the DNA in the cells) exposed to the energy. I hope they study that some first.

07 June, 2007

Disturbing Babies from Wired

I am not sure which is more disturbing, the Cthulhu baby or the Giant Robot Baby.

Has Wired been acquired by the Enquirer while I was reading some Lovecraft?

Bit Bucket Research

From Wired

Mildly interesting article.

06 June, 2007

All he said was, 'Retired captain. USMC.' I said, "You'll do"

Believe it or not a great article at the Boston Globe

Money Quotes

"a couple of grandfathers took care of the situation."

"I figured he would go up there and step on somebody's neck, and that would be the end of it."

Found Via BlackFive

Neural Networks in Process Control Environments

This is pretty interesting at Emerson

I found it via the Emerson Process Control Blog

I would think you would have to be very careful about how feedback paths (internal to the controllers or within the process itself) affect variability in the control functions (especially unforeseen cascades), but it does look like it has quite a few interesting applications.

04 June, 2007

Quote of the Week

So I was discussing the relative merits of the US and Canadian health care systems with a Canadian friend of mine at lunch and he was pointing out that for most services the Canadian health care system is exactly like the US one but free.

He then put out a deliberately snarky quote that made me laugh till I couldn't breathe.

"I'd rather have a life threatening disease in the US though..."

Radiation Eating Fungi?

This is a pretty interesting Article from Sci Am

17 May, 2007


One of the best comments I have ever seen.

"It seemed to me that on one side you had representatives of a fanatical cult trying to foist its views on the rest of the world and on the other... the Church of Scientology.

Truly, they deserve one another."

Posted by Patrick Crozier

About the BBC

On Samizdata

Via the Instapundit.

What is even more funny is that I am sure this will top Google for a while when someone looks up Scientology.


I am sorry I haven't been keeping up the posting. I am very loaded down in my day job and giving it all my bandwidth. To be honest I will probably go to a few posts a week vs the few posts a day I used to do. I will try to pick up the quality of those posts but I am not sure how much time. The good thing is that I am actually fully engaged at work and the items that are taking up my time seem likely to result in some long term benefit to me. I don't want to jinx it and honestly am not sure of the direction but it is far more positive than some of my posts from last month might lead one to believe.

14 May, 2007

Control System Cyber Security Conference Registration Information

Joe Weiss is putting on a control system cyber security conference August 13th - 16th.

Here is his announcement.

The website for the August 13-16th Annual Control System Cyber Security Conference to be held this year in Knoxville, Tennessee is ready for registrants at http://realtimeacs.com/. (Please go to www.realtimeacs.com and click on Register for the Conference on the right toolbar.). The host hotel for this exciting event is the Knoxville Marriott.

The Conference is focused on industrial control systems. There is more commonality between control systems, control system suppliers, and control system communication protocols between different industries than the IT infrastructure within a company. This was the rationale for ISA establishing SP99 to address cyber security on an industry-independent basis. Common control system policies, procedures and cyber vulnerabilities apply to electric power, water, oil/gas, chemicals, manufacturing, etc. Focusing on any one industry diminishes the value of information sharing.

The term “cyber security” is an IT artifact that does not reflect the need to assure control system reliability and availability. Generally, the term cyber security refers to protection against attackers. For this Conference, the term cyber security refers to all electronic communications that could impact the performance of control systems. This definition includes intentional events (eg, viruses and worms), malicious events (eg, hackers), and unintentional events (eg, inappropriate policies and testing). Based on the data I have collected, there have been significantly more unintentional events than intentional ones. Some of these unintentional events have caused significant damage. I believe there will be significantly more unintentional events than intentional events until appropriate awareness, policies, procedures, technologies, training, and testing are in place. Consequently, the Conference will focus on the need to maintain control system reliability and availability in the age of interconnected systems and modern communications.

The draft agenda will continue to be updated. As in the past, the agenda will remain flexible enough to address recent issues of interest. Two topics that I believe will be of interest to all are:
(1) The detailed analysis of a cyber incident that directly contributed to a gasoline pipeline rupture resulting in significant environmental damage and deaths, and
(2) A discussion of a recent broadcast storm at a commercial nuclear power plant affecting plant equipment that significantly reduced power production and resulted in a manual scram of the plant.
In addition, there will be a poster session of current industry and standards organizations efforts on control system cyber security. These are just a sampling of some of this year’s instructive and enlightening topics that you won’t want to miss.

The Kingston Steam Plant Tour promises to be one of the many highlights of the Conference, but since Kingston is an operating power plant and August is a power-hungry month, we must limit the number of attendees to the first 40 interested registrants. Consequently, when you fill out your registration form, please indicate if you wish to take the tour by checking the appropriate box and filling out the corresponding TVA forms.

We would also like to get an accurate count for the Monday afternoon training session and the Thursday afternoon - Friday morning NIST workshop. Again, please check the appropriate box on the registration form to assure your space.

If you have any questions on the technical content of the Conference, please let me know. If you have questions concerning the Knoxville Marriott Hotel or other administrative questions, please contact MaryAnn Gerst at
maryann@atfab.com or (505) 822-1705.

I look forward to seeing you in Knoxville,

Joe is a good guy and quite enthusiastic about the field.

09 May, 2007

Cool. I want 42, or 2112, or 8675309, or ... the possibilities are endless.

How to stomp out XSS and SQL injection at your company

Faced with a Cross Site Scripting and SQL injection problem, the following compliance-based info security process should be implemented.

After long intense thought and some discussion with colleagues, and in keeping with the successful SOX attestation control program I think the obvious solution is as follows.

Send a mail to all employees stating that for information security purposes it is a policy to remove the following keys from all company keyboards.
< >

Keys should be removed promptly and kept in a locked cabinet on the second floor. Only three people may have access to this cabinet.

If it is necessary to use one of these keys it is possible to gain temporary access to them by filling out the appropriate Emergency Access Request ticket. Within 1 hour a temporary combination to the cabinet will be mailed to you and a log entry will be made so that any injected code can be traced back to the person that had the access at the time of the injection.

You can then retrieve the keys and use them for up to one day. (at your own risk)

For individuals that have need to use these keys on a regular basis it is possible to file for a SOX attestation exception so that you can be given access to a keyboard in a locked room when needed.

Yep I think this will match the spirit and effectiveness of most SOX Compliance processes perfectly.
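As an added example that is not from the original post: the "remove the < and > keys" policy written as the character blocklist it really is, beside the two controls that actually hold, a parameterized query and HTML output encoding. The users table and all inputs are constructed for the demonstration.

```python
"""Character blocklist versus real injection controls (added example).

The satirical policy above amounts to a blocklist of two characters.  The
code below shows that such a blocklist does nothing against SQL injection
(which rides on quotes, not angle brackets) and misses the quote characters
that matter for XSS in attribute context, while a parameterized query and
context-aware output encoding close both problems without any key removal.
"""
import html
import sqlite3


def remove_bracket_keys(text: str) -> str:
    """The post's policy as code: the two blocklisted keys are gone."""
    return text.replace("<", "").replace(">", "")


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    conn.commit()
    return conn


def lookup_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """The 'before' form: SQL built by string formatting, with the key
    blocklist as its only control.  Quotes pass straight through, so the
    input can change the WHERE clause."""
    sql = "SELECT id FROM users WHERE name = '%s' ORDER BY id" % remove_bracket_keys(username)
    return [row[0] for row in conn.execute(sql)]


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """The hardened form: a parameterized query.  The driver binds the value
    separately from the statement, so no character in the input is ever
    parsed as SQL and nothing needs to be stripped."""
    rows = conn.execute("SELECT id FROM users WHERE name = ? ORDER BY id", (username,))
    return [row[0] for row in rows]


def render_greeting(username: str) -> str:
    """HTML-context output encoding.  html.escape with quote=True also
    converts ' and ", the characters the key-removal policy never touched,
    so the browser renders the value as text rather than markup."""
    return "<p>Hello, %s</p>" % html.escape(username, quote=True)


if __name__ == "__main__":
    db = make_demo_db()
    # Constructed input with no angle brackets at all: the blocklist is a no-op.
    probe = "' OR 'a'='a"
    print("blocklist-only lookup:", lookup_user_unsafe(db, probe))   # every row
    print("parameterized lookup :", lookup_user_safe(db, probe))     # no rows
    print(render_greeting('O\'Brien & "Co" <Ltd>'))
```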


I Support Democracy in Iraq

I have been stewing on this post for quite a while. Everybody knows I shed my "just blogging on info security and process control" take a while ago basically because I don't need this site to support a business and I get bored talking about work even in my off time. So that hasn't stopped me. What has stopped me is that a good chunk of my readers are in a community that leans pretty liberal and the default liberal take on this stand might cost me what little patronage I have. As I thought about it though I realized that this assumption is pretty dumb. For one I am not giving everyone credit for their ability to dispassionately assess the implications and not blindly react and for another item I am overlooking the possibility that many might agree with me.

So simply put I Support Democracy in Iraq.

And at Classical Values

I probably take a bit of a different approach than the sites linked above but I still support it.

Regardless of the reason we entered the war. Regardless of whether it was right or the result of stupidity, negligence, disinformation or outright lies. What matters is that we (and several other countries) took actions that resulted in the destruction of infrastructure as well as political and social stability. One can argue whether that was good or bad all day but the end point is that

We Took Action.

Taking action and initiative results in assuming responsibility.

We have a responsibility to the people of Iraq to other countries in the region and ultimately to the world to ensure what stability and humanity that we can. Anything else is selfish and shortsighted.

So at this point the question becomes - Would stability and the human welfare of the people of Iraq be better served if we removed military presence or maintained it?

I don't think that the answer to that is as simple as either side would have you believe.

Most of the violence right now is Iraqi on Iraqi so it is naive to assume that will stop because we withdraw our troops. Likewise it is almost certain that our troops' presence in many places serves as either a source of resentment or at the least as a target of existing resentment.

There are two extreme possible results of a troop withdrawal and draw down.

One extreme is that there is an intense civil war followed by a Pol Pot type ethnic cleansing in which hundreds of thousands of people (possibly millions) are maimed, tortured and killed and certainly millions are displaced. The violence spreads into neighboring states and results in a large scale regional upheaval that results in significant unrest and possibly violence in European and Asian Muslim populations.

The other possible extreme is that now that the American (and British, because I doubt they will be willing to fill a gap left by us) antagonist is gone all of the factions sit around a campfire and sing Kumbaya.

Obviously the first is far more likely than the latter.

The most likely outcome is probably an extended civil war with hundreds of thousands of casualties ending with a Balkanized Iraq with Sunni, Shia and Kurdish quasi-states, possibly the Shia being absorbed by Iran (in effect if not in fact) and the Kurdish state causing significant problems in Turkey (for right or wrong).

I say that we have a responsibility to ensure that Iraq turns out closer to Germany than Vietnam.

We have a responsibility based on having taken action.

We choose whether we "win" or "lose" this one based on our actions. In the long run we are perfectly capable of achieving any outcome unless we choose to accept a lesser one.

As for me. I choose to support democracy in Iraq.


03 May, 2007

When the Prophet Speaks - AI


Not certain that I buy it implicitly but the time lines continue to match even after the last several years. More significantly if you go to Drexler's stuff you would almost have to be convinced that it has tracked in general terms since then.

02 May, 2007

Yahoo Music Night

Mindy Smith - Come to Jesus
Gospel inspiring amazing voice beautiful wholesome song

Seether - Remedy
Dark antagonistic energy

Fall Out Boy - A little less 16 candles
Definitely know how to make videos from a different angle

The Bravery - Time Won't let Go
It's OK, might grow on me

Seether and Amy Lee - Broken

I can't decide if Amy Lee or Mindy Smith has a more amazing voice. Two sides of a coin image wise as well.

Justin Timberlake - What Goes Around
I know I said the same thing last time but I can't believe it but it doesn't suck
I have never liked anything by him before. But this is pretty good.

30 April, 2007

Fusion - Some thoughts on Tokamak

Back in January I got caught up in one of my crazy idea posts after reading about Boron fusion over at Classical Values and Power and Control.

I have been stewing on those for a while and doing some light research and what has really troubled me was the implications of this on Tokamak designs that I had never considered. I caught the beginning inclination of this in my post but have clarified it somewhat lately.

I am not saying they haven't been considered but I hadn't thought of them. Some of this post is going to come off as anti nuke and anti fusion. Nothing could be further from the truth. In all honesty nuclear power is our only realistic long term solution to the energy challenges we will have in the future, and fission, despite its advantages, has some pretty significant drawbacks as well.

Fusion has always been served up as the Holy Grail to solve these disadvantages and despite my background in Nuclear Physics and operation I never really questioned it. I have eagerly read about the development of toroidal field reactors and overlooked one key issue.

They have to use Neutron energy as the means to transfer energy from the fusion reaction to the power generation or transfer mechanism.

The impact of this is huge. In order to get any real power out of a fusion reaction in this manner the neutron flux would have to be insanely large. To put it in context in u235 fission reactions the neutrons produce on average less than 3 percent of the energy transfer. It results in a few degrees of heat in the primary coolant and further a few degrees in the shield tanks. While it does this it is also one of the primary problem creators for the entire reactor (of course one that by definition must be present).

It causes embrittlement and metallurgical changes in all of the reactor materials.

It is the mechanism of radioactive contamination creation.

It is the most difficult radiation to shield from with the most perplexing health impacts for people exposed.


It fundamentally alters the chemistry of the complex materials used to operate and control the reactor over time.

None of these issues go away in a Tokamak, given the way they identify the energy transfer mechanisms. As a matter of fact they would be about 20-30 times worse for the same thermal power output. I am not sure how anyone could ever make a viable case for a net energy producing Toroidal design and certainly not an economical one with that in mind. To go a step further it would create far more waste and more dangerous waste (admittedly only in the short term due to the lack of transuranic long lived waste) than existing fission designs.

So Dr. Bussard is quite right when he questions why we are spending the money on those approaches.

As far as the video and presentation, they make sense. I could see them adding injection fields that might use some of the toroidal design properties to help mitigate some of the electron leakage problems he mentioned in their existing designs but he has me sold.

If anyone wants to chime in and correct me feel free especially if I am missing something fundamental in the way Physicists are planning on getting power out of the Tokamaks.

27 April, 2007

Security By Self Delusion - Cont

In continuation of my Security by Self-Delusion and Transforming Negligence to Non-Compliance I have a few more thoughts.

The first is relating to attestation making senior management feel good about their security profile.

Let's drop into another cheesy security analogy.

In many cases attestation is kind of like keeping a log of all of the times you drive the speed limit. It might make you feel better but if you are management you should be very wary. If a cop pulls me over for doing 80 in a 65 I doubt he will let me off because I show him a log of all the times I did 65. For that matter the judge won't be so impressed either.

Compliance can (and should) be used to drive improvement in security but management and executives must not delude themselves into thinking they are secure because they have successfully passed an attestation stage.

25 April, 2007

Green Gasoline???

This is pretty cool from futurepundit

So the question is: is there a catalyst that will attach hydrogen atoms to free carbon with exposure to sunlight or other energy?

24 April, 2007

PCI fodder

Security focus has an article on consumer response to data breaches.

This is substantially higher than the 19% I have seen from some more rigorous studies but either one is significant.

If you feed this in with mandatory reporting laws then there are some very easy ROI calculations that can be used to justify many security expenses.

23 April, 2007

Pre-apologise for the gross factor - warning don't read this

I am all for enviro friendly but clearly I have a hairier butt than her.

Sorry TMI

Well now I am pretty much guaranteed not to ever get a link from my wife's blog.
You have no privacy get over it.

20 April, 2007

On vacation till Monday

I should have mentioned it last Friday but I have been on vacation since last Friday and haven't touched the blog. I will start posting again on Monday the 23rd.

13 April, 2007

Nano - Singularity

"Studying Active devices and nanosystems"

Is the key phrase.

Better start getting controls in line because it is going to take off like a rocket and when an information based virus can cause physical ramifications on a massive scale nothing will quite be the same.

When the information is the action then he who controls the meme controls the actions.

Imus Firing a Fratricide?

I think it is dawning on some that they shot someone on the progressive side.

Even if he did say something insensitive and stupid.

This is an interesting take on it.

Besides Like I said here Imus did less to make the Rutgers players real victims than the rest of the fiasco did.

12 April, 2007


If you can keep your head when all about you are losing theirs, it's just possible you haven't grasped the situation.

11 April, 2007

Organizational Jujitsu - NOT

It's a NOT joke

If your boss's boss gets an organizational demotion does that mean you got demoted?
Cribbage of course

Unless you are a Hornblower fan then it is Whist.

When To Shortsell

This is an interesting Article

I suppose it matches my expectations. If senior executives are more focused on the glitz than the performance then what else would you expect than an under performing company.

So go out and search the real estate records for the CEO's who have recently purchased.

10 April, 2007

IMUS Debacle

It is interesting to me that yet another personality is being dragged through the coals. I used to listen to Imus quite a bit but in the last few years his show has basically become an infomercial for his salsa, mugs, jackets and other products. There is rarely a 10 min spot in which one of them is not plugged. If you add to that that much of the rest of the time is spent spewing his wife's pseudo-intellectual pseudo-scientific dreck in trying to keep people from getting vaccinated, well it just isn't worth my drive time. I would rather turn the radio off.

Still there is some ironic humor in what has happened. In the last 5 years he has chosen to get in bed with the Chris Matthews, John Kerry, et al crowd and it seems that he is paying the price now. If he had real power like Byrd, or Clinton (pick one) perhaps they would just look the other way (with the typical double standard) but since he doesn't and he is just on the outskirts of the group he is really paying for his choice of an audience.

As for what he said. It was certainly unacceptable from the standpoint of a work conversation. Clearly yellow or even red zone but in the context of a comedy routine? I could see how it would be a mild irritant to the ladies on the team but let's be honest here. They are College level competitive athletes. If they haven't been called far worse and in specific intentional context I would be surprised. I know my coaches, let alone the spectators, were not delicate with us. I think people are doing an injustice to them by forcing them to be outraged. These women are competent, resilient, tough, intelligent and capable or they wouldn't be in College at Rutgers and wouldn't be competing (successfully or not) at the national level. In the real scheme of things being forced into victimhood is probably more damaging to them than idle ramblings of a senile talk show host with a shrinking audience of self hating apologists with weekly visiting friends.

When I was a kid (I guess about 7) my parents went as part of a church group to Mississippi (and brought me along) to serve as activists, volunteers and monitors to help support the right of people to vote . I vaguely remember the night we left in a hurry. Several other people (young guys) in our group stumbled into the group cabin bloody and beaten. It was pretty traumatic for me and though I can't remember details I do remember that we almost immediately left back to Pittsburgh. I suppose that we allowed ourselves to be intimidated but I would like to think that my parents chose my safety over anything else. Now later in my life I realize that what I saw was a very minor and almost negligible piece of the overall violence that was occurring in the south in that time and I cannot begin to appreciate the hardship, fear and determination of the people that had no choice but to stay and fight for their own rights. This has certainly left an echo.

I think the national news coverage and obsession of this particular incident does two things.

First and on the positive side it shows how far we have come. The fact that injudicious use of words could start such a firestorm of condemnation (justified or not) means that we have clearly entered a different stage of the dialog. If you compare this to what was occurring forty or even twenty years ago the difference is stark.

On a negative side focusing on items like this obfuscates actual acts of bigotry that are still occurring regardless of the group that is initiating the racism.

In closing give the athletes some credit they are undeniably a lot tougher than they are being portrayed and making them victims harms them more than the initial attack. As for Imus himself... Who really cares???

09 April, 2007

SC Mag doing the Blog thing.

This is goodness

Found it via Alan

He is right Frank is a good guy and it looks like they are starting a foray into the blog territory. I know Illena has trusted Frank's take on this for a while. I wish them luck.

06 April, 2007

Friday night yahoo music

Evanescence - Sweet Sacrifice
Same goth a bit of grunge vid shifts good music could grow on me

Papa Roach - Forever

bandwidth blows tonight

FOB - Arms dealer
Vamp Spaceman??? guitarist likes to spin

Santana and Michelle Branch

NIN - Starsuckers inc

Planet to be incinerated by March 26th

Via Classical Values

Instead we got this on April 4th.

Looks like his latter graphs might be right on.

04 April, 2007

Yahoo Music Video Night

NiN - Survivalism
Nine Inch Nails what else to say - Song Rocks

Shiny Toy Guns - You Are The One
Pretty good kinda 80's feel touch of goth not sure it will grow on me though

Korn - Live Freak on a leash (live performance)
Amy Lee is in it. not bad but acoustic takes kinda freaks me out in this song

Mindy Smith - Jolene
Beautiful voice haunting song disturbingly pathetic sad and desperate - good song

Brandi Carlile - The Story
Really pulls the most out of her voice kinda Joplinish better voice when she isn't pushing though not quite as much soul

Weezer - Keep Fishin
Those crazy muppets :)

Fall Out Boy - Thnks Fr th Mmrs
chess with chimps product placements and a rockin band that "raises the roof" :)

03 April, 2007

02 April, 2007

Meshed defense

Pretty good Defense in Depth post at Matasano

My question now is can you give me one working example of a working "Mesh" security design? (not Crypto?)

More detail on it at setuid just for you


Hole in SCADA talked about at EWeek

Contrary to what they say this is not the "first hole found" in SCADA software though it does seem to be widely disseminated at this point. Probably falls into the category of first fully disclosed.

It is similar to a lot of the OPC crap floating around in the rest of the IT world.

To be honest with a lot of the current SCADA Ethernet equipment you don't need a hole. The front door is open.

Definitely a matter of concern if for no other reason than the spotlight is a bit brighter now. Decent article.


Dale has more on it.

30 March, 2007

Way off topic


Key Quote

“If liberals interpreted the Second Amendment the way they interpret the rest of the Bill of Rights, there would be law professors arguing that gun ownership is mandatory.”

29 March, 2007

Not quite 12 steps

I have gotten a few emails regarding the "Transforming Negligence to Non-Compliance"

Basically they said what the heck are you talking about.

It was part of a discussion I had with a counterpart and I thought it was a great quote.

Now I am going to say something a bit odd. "Transforming Negligence to Non-Compliance" is not a bad thing. It is a good thing and one of the only ways to get things rolling in an organization that is truly out of touch with its security risk profile.

Think of it as several stages of organizational growth.

Perhaps a counter part to Grossman's 5 stages of security grief.

It is just a nascent thought process for me so if anyone wants to expound or make it better feel free I'll be happy to point to you.

So here are the first few steps.

"Security by Self delusion" where institutional practices and political momentum make it virtually impossible to point out real security risks.

"Lethargic Negligence" - the problem is just too big to address; for every fire I put out a dozen pop up. This isn't always intentional negligence (though for some people [mostly comfortable managers] it might be) but it always stands in the way of needed changes.

Transformation from Negligence to True Non-Compliance - This comes from a realization that something must be done and taking the responsibility for acknowledging that fact at a senior organizational level.

Maturing from Compliance to true Security. This stage is necessary if you ever want to prevent slipping all the way back to security by self delusion.

Proactive risk management - The actual practice of identifying true business concerns and risks of impacts and placing true security around them.

Any organization cycles through these at one time or another. Usually they are at slightly different stages for different parts of their security architecture as a whole. Their firewalls might be good but their OS's and Application Security is crap or their OS and App security fine but the linkage between their business controls and their IT SoD is crap. The worst organizations will institutionalize the Self Delusion model and actually swear and sign off that everything is fine. After all "I have a Policy for that".

So how do you move up? I imagine it is a bit different for every organization. It will always involve some politics. As a matter of fact if you wanted to you might be able to call these the "political layers of info security".

The key to moving beyond "Security by Self Delusion" is visibility. True visibility not the pseudo transparency provided by 20,000 pages of attestation saying "yea we have a policy for that". True visibility is gained by actually identifying what is open in your firewalls. How good or bad is your patching process not just on the "managed" machines but on all of the ones connected to your network. As well as dozens of other specific facts. Get the whole picture then draw conclusions. Let's be honest here FUD might not be totally out of place if things are bad enough and it is based on facts. You achieve this by actually having the guts to run vulnerability scans, pen tests and even things as simple as port scans. If your organization is so resistant to transparency that they won't allow that how about a honey pot and some open sniffers. Outbound IDS's might help as well.

I know there is a lot of talk about how Vuln scans are not of value or IDS's are useless. That might be partially true in a healthy security environment or in one where IPS or even stronger protections are in place but if your organization is mired in the "Security by Self Delusion" mode they serve as one potential way beyond.

So what happens when senior management finally realizes that they have a problem and not just one but an entire systemic failure? Well Denial, Despondence, Anger, blame all of the not so fun reactions. Yes they often shoot the messenger. I am not able to tell anyone how to maneuver around these ones. What I will say is that if you have the facts and avoid placing individual blame (can be really hard if it is justified especially if someone is intentionally obfuscating issues) you can probably survive the series of back flashes. At this point the best bet is a series of tactical solutions that provide strategic benefit. Gain control (indirectly) of the Firewall and IPS rulesets, facilitate cross system visibility, HIPS, Identification of critical data, ... Every organisation will have different tactical needs but pick a few and fix them as best that you can.

Now is the tricky part. The gut reaction of senior management will be to say "Great we're ok. Now let's move on to more important things". That is fine to an extent after all the real business of IT is to facilitate the real business but you also have to put structure in place to maintain and improve the other real issues that didn't seem as painful but might very well carry more risk. You have to put in place a Governance and Policy structure that actually has some teeth but doesn't cripple the company. This is where you start transforming Negligence to Non-Compliance.

I am going to have to try to finish this tomorrow.

21 March, 2007

"Ok cool, ... anyone fancy a pint?"


Headline says it all.

I wonder how well the data will balance against the pay out information. It strikes me that a "mistake" on unrecoverable data like this would be an ideal way to cover the loss of quite a bit of money.

This would certainly qualify as a material deficiency in SOX speak. At least in some attestations I have seen. Good thing it is a government if it was a company the entire executive team would be hauled before a Congressional subcommittee and sent to jail. So who is that here? The Governor and staff? Somehow I doubt that anything like that will happen here though. Of course it shouldn't happen. It probably is a mistake but it does show how SOA requirements could be misinterpreted.

20 March, 2007

PC Based Control - Huh?!?!

When the hell was this first written?

NT 4.0? "Deterministic, hard real-time operating system"? Huh? "The PLC is fundamentally a box or computer with a processor. "???

The article is dated March 2007 but if this is recent and a legit take then it shows exactly what we have to worry about, albeit unintentionally.

Don't get me wrong there is a place in many industries for properly developed "PC based" systems (whether Windows Linux or other OS) to directly control processes but I have to wonder if the author of this ever developed and implemented a truly complex integrated control environment.

Woefully uninformed and simplistic.

I have to assume this was written years ago and just dug up or perhaps relabeled. If so it shows how we got to where we are from a security perspective in the SCADA and DCS world. If not it shows very well how far we have to go.

Beware - Flattery Injection Attack

Matasano - Pretty funny post.

Real Censorship

Excellent site.

It really gives a good glance at the state of censorship on the web. There are a lot of gaps, all of the blank countries make it look like there is a lot of data that they still need to gather but it seems pretty neutral in terms of who is getting the finger pointed at.

I will say that they are very absolute in terms of mentioning any form of stopping traffic. I am an enthusiastic supporter of free speech on the Internet but I also want some level of protection for my children when they are on publicly supplied computers. I know that all filtering mechanisms are flawed but I am sure that most libraries and universities would be willing to turn off the filter if someone is doing research on breast cancer or even something that might be questionable provided they are an adult. Also I am not aware of any coordinated effort in the US or Canada to actively block sites unless it involves minors.

I also noticed that political hacking seemed to be counted as censorship in some instances but not others. I would like to see the criteria that was used to elevate it to the level of mention. There were certainly instances within the US of attacks on sites specifically because of what they said. These instances include attacks on political sites that were not mentioned. Perhaps it would be best to focus on government initiated censorship unless the attacks are particularly egregious.

It is striking how significant the documented censorship is in some countries.

All in all an interesting site.

19 March, 2007

Bad way to get an upgrade

Don't think I would like either method of being upgraded to first in this article.

Of course if I was the first class passenger I would hope I would be a bit more sympathetic. I like BA probably one of my favorite airlines so even though it would have creeped me out I wouldn't dump them in the future.


Dale has a series of posts up on Achilles that are pretty good.

I have mentioned it before in a post about fuzzing but he has even more detail now.

I am not sure where the project is going now that Eric is no longer directly in the picture but am sure that properly integrated into a testing regimen it will be quite beneficial. (correct me if I am wrong here he might be still doing stuff I don't know about I have been out of that loop)

Cool toy

I seem to be reading Alan today.

I had an 8525 as my main phone and PDA at my last company and I loved it. I particularly liked the Wireless Internet capability that let me surf fast from pretty much anywhere in the world. It worked very well anywhere I traveled.

Don't have to take it.

I'd be pretty ticked off as well.

The question I would ask is does this void the contract I have with AT&T et al? If so go to another vendor.

16 March, 2007

Laptop - End of the crappy service saga

I have my Vaio back. I am satisfied with the quality of repairs but the entire experience has left me quite jaded.

It is possible that this incident was an irregularity in the way it was handled both from Sony customer service and from Service Net but the way the calls and questions seemed scripted and the excuses that were provided to me imply otherwise. Obviously what follows is my opinion but it is an opinion based on my experience dealing with them.

My attempts at escalating the issues within the call trees and even directly with the people I was able to get on the phone met consistently with dead ends. I am convinced that their business model is to receive a cut of the extended warranty money and then do whatever they can to not provide any service that costs them money. If that means that they make excuses and refuse to escalate to the decision makers within the standard contact paths then so be it. I wouldn't even be surprised if the CS people on the phone are compensated based on how many calls they handle without incurring additional expense to Service Net. Their choice of questions asked and manner of interpreting them implies to me that their primary focus is to use semantics to get out of meeting their contractual obligations. The fact that they have such prominence on an "adjudication" group at their web site implies to me that they place more focus on shirking responsibility than fixing customer issues.

I bought this laptop in a store and purchased the ~$500 extended warranty with accidental damage because I wanted the additional protection that I mistakenly thought it offered. For that matter the entire reason I spent the premium on a Sony laptop instead of saving the money and going with another company was because I believed I would have better service. I have 6 kids and it was not unreasonable to assume that some significant accident would happen to it over the course of 3 years so the accident insurance would have made sense if it was reasonable to expect it would be honored. In the end even when all I wanted fixed was a $5 to $20 part they tried to weasel out of that and used the fact that they were two separate entities to redirect responsibility (or at least make the call short).

It wasn't until I put up a blog post and got dozens of hits from addresses in Japan that I got any semblance of help. Shortly after that I got contacted and the issue was taken seriously. The address I got contacted at was my blog email address and not the one I left several times with the various customer service people we called. You'll have to forgive me if I have trouble believing the issue would have been satisfactorily resolved without the blog. So I guess blogging is the real hero here.

So for productive advice. I have run successful service centers before so perhaps they should listen.

If I was a manager at Service Net I would

  1. Make sure there is a clear escalation path for customer complaints that is known to the call center people.
  2. Before any possibly disgruntled customer gets off their first phone call they know what that path is.
  3. Customers should never be told in a service call that there is no further point of contact beyond the person speaking especially if they have only spoken to two people and neither of them could resolve the issue.
  4. I would add a process at the end of all calls where the customer is asked if their needs and expectations were met and if the answer is no I would have someone contact them the next day.
  5. Make sure Customer Service Reps do not provide contradictory information during the call or provide multiple different reasons for disapproval. (that happen to sound like grasping for straws to avoid work)
  6. I would increase training for the Customer Service team and the management team that runs them.
  7. Extensively audit customer calls for the last several months to determine if this is systemic or just an irregularity.
  8. If the audits show it was an irregularity contact the customers that were affected and apologise (both the client companies and direct customers).
  9. If it is systemic have a massive overhaul.

Then again the focus of my call centers was actual customer service and not limitation of liability so perhaps they don't really need to listen.

If I was a company that was trusting in Service Net to provide customer service to me I would

Quick note here: this company services many customer service accounts including Dell, CDW, Fujitsu, Sirius, Toshiba and several others. It is possible that customer service problems with any of these companies are due to this one source.

  1. Request a log of all calls related to my account for the last three months and call and ask the customers if they were happy with their service.
  2. Randomly perform customer service test calls to ensure they are properly treating customers that view them as supporting my (the company calling) brand.
  3. Audit their practices and books associated with the account.

If I was a customer I wouldn't bother to buy extended warranties or accidental coverage. Here is why.

The other day on my drive in (1 hour + each direction) I added up all of the Sony products I have purchased in the last few years. 2 Large flat screen TV’s (50 something and 40 something inches) one wall hanging LCD TV, a stereo, three small TV’s, 2 PSP’s, a DVD player and my laptop. All in all close to $20,000. I am not sure how much of that money went to extended warranties. My guess is close to $2000 perhaps more.

Next time I will just put that $500 in savings. Over time I will clearly be better off.

In any case I will probably never willingly or directly buy a Sony product again unless it is truly needed and there is no other vendor. I certainly won't buy their extended warranty. I am certain that at dinner conversations over the year I will be happy to talk about how crappy their customer service is as well so perhaps the lost revenue won't be limited to me. Yes I will try to make it funny and not angst filled. No use ruining dinner.

So now I am done. I don't intend to bring this up again unless something else happens bad. Blogging should pick back up over the next few days until I am back to normal.

12 March, 2007

Still Waiting on Laptop

Still no time to blog at work. I am going to hold off posting till I have time to write a decent post. Yes I know I am leaving the door open for comments on that one in the comments.


09 March, 2007

Still no Laptop - Not happy with Sony

I'm Stewing and becoming increasingly frustrated. Still no word on the laptop. We mailed it off to get fixed. We are going on three weeks total time now. Sony Customer service leaves a lot to be desired. I have been giving them the benefit of the doubt but I am starting to get mad. At this point I don't have one at home to even try to stage posts.

08 March, 2007

Quote of the Week Scratch that Month

Suppose you were an idiot and suppose you were a member of Congress. But I repeat myself.

07 March, 2007

Don't you dare take away my steak

w3 Ar3 0wN3zD a11 YoUr GiGaHrtZ

1.21 Jigawatts

Via Molten Eagle

Digg this Post

Unfortunately the real threat from the Iranian theocracy has nothing to do with its Navy (if we could only be so lucky).

The real threat is that by using a nuclear weapon as a deterrent to retaliation (either economic or military) they can extend and increase their funding of terrorism with impunity. Unlike the terrorism of Anarchism (with a big A from the late 1800's and early 1900's) or even the terrorism of the IRA the Iranian terrorism has a realistically achievable goal (indeed it has been quite effective in Lebanon). That goal is the Dhimmification of non Muslim countries and reduction in prominence of non Shia Islamic Theocracies relative to Iran itself. If we (Europe and the US) are lucky the latter will take precedence but I wouldn't count on it. Both of these processes have already started even without the bomb as a deterrent to retaliation. They will only escalate (substantially) if they publicly get the bomb (it is remotely possible that they already have it which is why the kid gloves are on).

Europeans will be at the greatest risk in terms of substantial change to their existing environment in this scenario. With their large and demographically monolithic Islamic communities they are ideal breeding grounds for this kind of strategy. At this point these communities lean toward other regional variants of the belief system but I suspect that would change if there is less restricted actions on Iran's part. Even without specific belief changes (which are unlikely) alliances, actions (in the form of increased aggression to the European indigenous population) and meme systems can change. In many cases Europeans are already being forced to alter their liberal belief systems to avoid violence or the threat of violence. Imagine if they didn't have the ability to stop funding and intentional state action that was intended to facilitate this violence. The tilt point isn't that far away so something has to be done soon or the only two alternatives are extreme levels of violence or functional Dhimmi status (probably coupled with extreme violence to maintain it).

Obviously other countries in the region with Iran are also at great risk. I am somewhat surprised they are not taking fairly aggressive action right now. They are clearly the most likely to be subject to aggressive military and terror funded actions. Indeed some of them such as Lebanon already are and frankly losing the battle.

Until recently countries that achieved nuclear weapons have to a certain extent become more mature in their actions. They were less likely to go to open war with their neighbors, they begin reining back their clandestine activities (especially with other nuclear powers) and in general they have behaved in a more globally mature fashion. I don't know if this is part of MAD or if it is just the ultimate realization of the terrible possibilities and responsibilities attendant with nuclear weapons but it does seem to be true. Although I wouldn't have predicted it this has even occurred with India and Pakistan. Unfortunately even with the maturity and sophistication of the Persian society as a whole with its current leadership I think this pattern is very unlikely in Iran.

Now that I think of it leadership might be the key. Russia, the US, France and China have all had periods of aggression as a Nuclear power even if that aggression might have been muted compared to pre nuclear levels. Right now the political and theocratic leadership in Iran does not inspire me with confidence in their ability to be mature.

The real question is what are the regional powers and European powers (who are at the most risk) going to do about it. The US has chosen to trade (intentionally or not) military strategic advantage (in the form of ownership of the crossroads in Iraq) for political strategic advantage so we are now unable to realistically respond to the threat. Sun Tzu says that seizing the remote crossroads is best done politically so perhaps this was an error. On the other hand we are not one of the countries at greatest risk of a true loss of our identity here.

I suppose we will see how this will play out.

Sorry for the depressing start of the day.

Please Digg this Post

06 March, 2007

Virgin Prize

The Virgin - Gore CO2 reduction prize has a new contender.

Perhaps if everyone adds another hour or two to our sleep time we can help.

Security by Self-Delusion

Covering Up Problems at Sandia.

I imagine that parts of this quote could apply to many companies.
"This was the first time that my activities uncovered evidence that entities outside Sandia were compromised, and data was being stolen. They were not willing to contact the proper authorities because outside law enforcement would certainly inquire about how the data was obtained -- bringing unwelcome scrutiny upon Sandia."

Fortunately until recently I had never worked at one. Now that I have I can see the consternation it causes throughout the organization.

To a certain extent this is the ultimate end point of the "Compliance" centric Security management model. Organizations that are very good at "Security by Self-Delusion" may not even have problems with external audit (though internal audit often knows [or at least suspects] the truth). After all they are very good at filling out paperwork and forcing their employees to perform onerous tasks with "Security" as the primary reason for the task. It is also common for the average user to have virtually no control over their computing environment at all causing near complete cessation of information based innovation within the business itself. That is as or more likely to be fatal to a company than any security breach.

Now I will admit that the Sandia case is quite a bit greyer than it might seem. The employee was actually engaged in "Hacking" of some sort and there were probably cases where he could have gotten caught and caused problems for Lockheed completely separate from the issues they were trying to cover up. Without knowing exactly what he did to chase down the data path it is even possible that some of his actions were illegal. Any company would be justified in stopping illegal activities but it appears that the interest in his actions was not in the initial activities but his subsequent work with the FBI.

I am sure that it is rare for most organizations to have to decide between letting an employee go for actively hacking external entities or for covering up internal security failures. It is not, however, uncommon for them to have conflicts between disclosing internal security failures in other ways. Indeed it is often politically difficult within an organization to facilitate honest transparency of security issues. At what point does one have to decide if their organization is deliberately deciding not to look at internal issues as opposed to trying to save money or even institutional incompetence. I have to confess that I don't know where that line is. I am inclined to agree with one of my co-workers when he repeats the quote "never assign to malice that which can be attributed to negligence" but when does it not matter?

Well enough of this complaining, back to real work.

That is if they will let me do it.

Scary Smart Rootkits

Almost enough to make one just give up.

05 March, 2007

Still Waiting

Still Waiting for my Vaio to get fixed.

So still have an excuse for the light blogging.

The Mac is looking better everyday.

XBox Hack


Of course it is cheaper to buy a new computer than an equipped XBox so other than the challenge what is the purpose?

01 March, 2007

Drive in music

Great random string of music for the drive in this morning. I caught them all randomly flipping through channels.

Started with Rush Red Barchetta

Three Doors Down

Papa Roach


Nine Inch Nails

Then to end it off Lord of the Dance by Dan Tymenski (sp?)

I hadn't heard the last one in a while and am not sure I have ever heard it on the radio before.

Good lyrics

I am the heart he is the heartbeat

I am the eyes he is the sight.

I move my feet I go through the motion but he gives purpose to chance

Nice way to start the day.

28 February, 2007

The problem with McCain

I pretty much agree with this Via the instapundit.

It boils down to two lines.

He is no longer John McCain. He is McCain-Feingold. . . . Americans do not like to be told to shut up.

McCain-Feingold told Americans to shut up.

More interesting to me is that it is so early and the field for both the Republicans and the Democrats is already getting crowded.

I don't remember it being like this ever before. I think it is probably a good thing overall. Debate and contention is good.

I honestly have no idea which way I will go this time but I am fairly certain it isn't going to be McCain.

Rudy looks pretty good to me and Edwards isn't an unattractive choice.

27 February, 2007

The Sky is falling!!!

Alex is swinging over at Riskanalysis.

He makes contact a few times.

Transport Layer Security - Part 1

Part of the Security Layer Series

Layer 4 is where the rubber meets the road as far as actual connectivity to the applications and logic of the controllers.

Layer 4 is the transport layer and for IP it typically means either TCP (Transmission Control Protocol) or UDP (User Datagram Protocol).

I mentioned earlier that IP is inherently not deterministic and that has implications for automated control. Layer four is the first place where the compensations for this occur.

A quick run through of how TCP works will help some. I am going to grossly oversimplify here so if someone wants to correct or provide more detail feel free.

TCP establishes a session to ensure data delivery. A host initiates the communication by sending a TCP/SYN packet. The recipient of the SYN responds with a SYN/ACK with session identification information and the original host responds with an ACK/ACK establishing the session. Periodically during the communication stream the acknowledge process is repeated to ensure the communication is maintained. Checksums are included as an inherent part of the protocol. The time between packets received is monitored to determine if a session is lost and to initiate reestablishment of the communication stream.

What this means in a nutshell is that TCP has many mechanisms built into it that compensate (in part) for the issues introduced by the fact that IP is non deterministic. It doesn’t by any stretch of the imagination mean that TCP itself is secure in any way. There are many ways to game the system and hackers and worms use them to their full advantage. If you really want to get into the details take a look at NMAP and the lists at www.Insecure.org .

The most common one and the one I have seen cause issues on PLC's is the syn scan. It basically works by opening up a listening port then streaming SYNs to all of the selected ports on every address that is to be inspected. Everything that responds with a syn/ack is logged. The connection is never completed with an ack/ack. This is where the problem is (especially for controllers with older IP stacks). The receiving host uses some resources to sit there waiting for that ack/ack. There are DoS attacks related to this but for the most part they are not that effective for newer IP stacks. (Syn floods can still cause headaches though) Unfortunately PLC's do not always have newer stacks so they are often particularly vulnerable to this.
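The half-open footprint described above is also what a defender can look for on the control network: connections where the PLC answered SYN/ACK but the final ACK (the "ack/ack" above) never arrived. The following is an added example, not code from the original post; it assumes a constructed, simplified packet log format (one line per segment with the TCP flags spelled out) and constructed addresses and ports, and tracks each flow through the handshake so that sources leaving many stale half-open connections on the controller can be flagged.

```python
"""
Half-open TCP handshake tracker (added example, not code from the original post).

Assumption: a constructed, simplified packet log with one line per segment:
    <ts> <src>:<sport> > <dst>:<dport> <flags>
where flags is "S" (SYN), "SA" (SYN/ACK), "A" (final ACK of the handshake),
"R"/"RA" (reset) or "F" (FIN). Each flow is followed through the three-way
handshake; a flow that got a SYN/ACK but never the final ACK is half open,
which is the state a SYN scan leaves behind on an older PLC stack.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>[SAFR]+)$"
)

SYN_SENT, HALF_OPEN, ESTABLISHED, CLOSED = "syn_sent", "half_open", "established", "closed"


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def track_handshakes(lines):
    """Return {(client, cport, server, sport): (state, ts_of_last_change)}."""
    flows = {}
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        # the same flow keyed from the client's side and from the server's side
        client_key = (p["src"], p["sport"], p["dst"], p["dport"])
        server_key = (p["dst"], p["dport"], p["src"], p["sport"])
        f = p["flags"]
        if f == "S":
            flows[client_key] = (SYN_SENT, p["ts"])
        elif f == "SA" and flows.get(server_key, (None,))[0] == SYN_SENT:
            flows[server_key] = (HALF_OPEN, p["ts"])
        elif f == "A" and flows.get(client_key, (None,))[0] == HALF_OPEN:
            flows[client_key] = (ESTABLISHED, p["ts"])
        elif "R" in f or "F" in f:
            # a reset or FIN from either side ends the flow; RA from the
            # server is the normal answer to a SYN on a closed port
            for key in (client_key, server_key):
                if key in flows:
                    flows[key] = (CLOSED, p["ts"])
    return flows


def half_open_by_source(flows, now, stale_after=5.0):
    """Count half-open flows per client, ignoring handshakes still in flight."""
    counts = defaultdict(int)
    for (client, _cport, _server, _sport), (state, ts) in flows.items():
        if state == HALF_OPEN and now - ts > stale_after:
            counts[client] += 1
    return dict(counts)


def suspected_scanners(flows, now, threshold=3, stale_after=5.0):
    """Clients holding at least `threshold` stale half-open connections."""
    counts = half_open_by_source(flows, now, stale_after)
    return sorted(c for c, n in counts.items() if n >= threshold)


# Constructed sample: 10.0.0.5 SYN-scans the PLC at 10.0.1.20 and never
# completes any handshake; 10.0.0.9 is an HMI making a normal connection.
SAMPLE_LOG = """
100.00 10.0.0.5:40001 > 10.0.1.20:502 S
100.01 10.0.1.20:502 > 10.0.0.5:40001 SA
100.02 10.0.0.5:40002 > 10.0.1.20:23 S
100.03 10.0.1.20:23 > 10.0.0.5:40002 SA
100.04 10.0.0.5:40003 > 10.0.1.20:80 S
100.05 10.0.1.20:80 > 10.0.0.5:40003 SA
100.06 10.0.0.5:40004 > 10.0.1.20:8080 S
100.07 10.0.1.20:8080 > 10.0.0.5:40004 RA
100.10 10.0.0.9:51000 > 10.0.1.20:502 S
100.11 10.0.1.20:502 > 10.0.0.9:51000 SA
100.12 10.0.0.9:51000 > 10.0.1.20:502 A
""".strip().splitlines()

if __name__ == "__main__":
    flows = track_handshakes(SAMPLE_LOG)
    print(half_open_by_source(flows, now=110.0))  # {'10.0.0.5': 3}
    print(suspected_scanners(flows, now=110.0))   # ['10.0.0.5']
```

The `stale_after` window keeps a legitimate handshake that is merely in progress from being counted; only half-open flows older than the window are attributed to the source.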


This is directly relevant to the scanning discussions that have occurred with some level of passion on this blog's comments and in the background via email. My advice, if you plan on scanning a SCADA system for the first time and you have done the change management, is to start with a TCP connect scan that exits gracefully (full handshake, then a normal close) as your initial connection enumeration method. Limit the scan to a few interesting ports and don't hit all 65k (at first at least). I wouldn't even do the fast-scan ports. After you have a few under your belt for that address range, slowly expand: do the fast-scan ports, then if wanted the whole 65k. After you are comfortable with this, make sure you have people watching the equipment and have a recovery plan, then try the SYN scans. Once you have gotten past this point you can go on to the rest of your vulnerability assessment or pen test.

I know this is insanely conservative for most security professionals, but the critics are not exaggerating when they warn that bad things can (and will) happen. I am an advocate for scanning systems and have done so many times without significant issue on Rockwell/ABB, Honeywell, Siemens, and other vendor control systems, but there is always a risk. My typical response to the DON'T SCAN crowd is "Sooner or later the systems are going to be hit by an actual attack or something that is functionally identical to one, so wouldn't you rather that happen in a controlled manner?".
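The conservative first pass described above, as an added example that is not code from the original post: a TCP connect scan that completes the three-way handshake for each port, closes the socket with a normal FIN exchange rather than leaving a half-open connection behind, probes one port at a time with a pause between probes, and is limited to a short list of ports. The port numbers 502 (Modbus/TCP) and 44818 (EtherNet/IP) are assumed here as examples of "interesting" ports; check the real ones with your vendor. The stub listener is a constructed stand-in for a controller with one open port so the script runs entirely on loopback.

```python
import socket
import threading
import time

# Assumed example ports, not taken from the post: Modbus/TCP and EtherNet/IP.
# Confirm the ports your vendor actually uses before scanning anything real.
INTERESTING_PORTS = (502, 44818)


def connect_scan(host, ports, timeout=1.0, delay=0.5):
    """Conservative TCP connect scan.

    connect() performs the full SYN, SYN/ACK, ACK handshake; shutdown()/close()
    then sends a FIN so the target never sits in SYN_RCVD waiting for an ACK
    that will not come, which is what a SYN scan does to old IP stacks.
    Ports are probed sequentially with a pause between them.
    Returns a dict: port -> 'open' | 'closed' | 'filtered'.
    """
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"          # SYN/ACK received, handshake done
        except ConnectionRefusedError:
            results[port] = "closed"        # RST came back
        except (socket.timeout, OSError):
            results[port] = "filtered"      # no answer, dropped or unreachable
        finally:
            try:
                s.shutdown(socket.SHUT_RDWR)  # graceful FIN, not a RST
            except OSError:
                pass                        # socket never connected
            s.close()
        time.sleep(delay)
    return results


def start_stub_listener():
    """Constructed stand-in for a PLC with one open TCP port on loopback.

    Binds an ephemeral port, accepts each connection and closes it.
    Returns (server_socket, port); close the socket to stop the thread.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                      # server socket was closed
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_port():
    """Pick a loopback port nothing listens on, to show the 'closed' case."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Scan one open and one closed loopback port; returns the result dict."""
    srv, open_port = start_stub_listener()
    closed_port = free_port()
    try:
        return connect_scan("127.0.0.1", (open_port, closed_port),
                            timeout=1.0, delay=0.1)
    finally:
        srv.close()


if __name__ == "__main__":
    print(demo())
```

Against a real controller you would replace the loopback host and the two demo ports with the controller's address and INTERESTING_PORTS, keep the delay, and only widen the port list after the first runs come back clean.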

End of Aside

Many PLC vendors use TCP as their primary IP communication method to their controllers, and all of them use it for their historians, MES, and control aggregation systems. I have seen a bit of an explosion in HTTP access to endpoints, and I have mentioned ModbusIP in earlier posts in this series. I am not going to go into detail on what ports are used here. If you want to find out, ask your vendor; they will tell you. What you should do, however, is make sure that, where possible, you block access to the TCP port used as the primary PLC communication protocol at the point closest to the controllers. ACLs are acceptable if actual firewalls are not available. For vendors that use standard ports such as telnet, HTTP, or RPC this can be somewhat more difficult to do. Take advantage of point-to-point and point-to-multipoint (subnet) rules. The key here is to not allow access to the PLCs from an uncontrolled network. Access to the historians and central control systems should be controlled primarily on a whitelist basis. For really large engagements such as regional operation centers it is often possible to isolate both the central and the local subnets and connect them via VPN tunnels. If you are doing this it is best to isolate remote sites from each other.

Enough for today

Rest of TCP and UDP continued later.

Have I escaped the Vogons?

I have been contacted by both Sony and Service Net customer service and am trying to work this out the best I can right now. The issue has not been resolved yet but at this point I have little doubt that it will. All I really want is a working laptop. I don't really care who fixes it I just want it fixed. It seems I might be moving out of the SEP field right now. At the same time I wouldn't mind helping them with their customer service. It was a uselessly unpleasant experience but it is possible that I was one of the flukes. I doubt it but it is possible. In any case I am going to drop this unless they are unable (unwilling) to help me. Blogs obviously do have some power.

26 February, 2007

EU Faux Pas in the US

Excellent post

More importantly you can flip most of them around and apply them as American Faux Pas elsewhere in the world.

I have done a lot of global traveling in my career and have stepped in a few muck piles in the process.

This comment I found particularly appropriate in both directions.

" by far the majority believe that America itself has fundamentally very good intentions, and that the country really does want the best for everyone. This is not a concept you should challenge until you know someone at least quite well."

Not only is this point true but the essence of it often seems to be missed. Most Americans truly do want what is best for everyone. This is true regardless of the political persuasion of the person you are talking to. The most vehement anti war protester is motivated to improve things for people elsewhere and at the same time the most vehement adherent of nation building wants what is best as well.

This inherent good will is borne out by the fact that nations that happen to have been at war with the USA are far better off in the long run if we won (Germany, Japan, more recently Panama) than if they won or it was a stalemate (North Korea, Vietnam, even Mexico). Once we are done eliminating the perceived threat we want to leave (hell typically before we are done).

It is also one of our biggest weaknesses in that (I feel at least) we sometimes pull the trigger before the real threat is identified and help other entities and nations achieve their geopolitical goals by eliminating their rivals. The imbalances created cause no end of chaos.

The Flip side of this rule is also absolutely true.

Any European will absolutely not appreciate being told that the US helped them out in any war and will typically be insulted by it. I am certain that my above paragraphs are insulting to many for exactly that reason. Furthermore, because they have seen and been impacted by many nefarious intentions, they certainly will not give the benefit of the doubt to any military actions initiated by the USA (or any power for that matter). If WW I or II are brought up they will almost immediately point out that far fewer Americans sacrificed their lives than Europeans.

Excellent post

25 February, 2007

Prosoft Security

I hammered Prosoft for the typical "We have security" marketing approach but they really anted up with this post. It doesn't provide details for their solutions (which I would still like to see) but it does show that they understand this problem.

23 February, 2007

Yahoo Music Video Night

At least until the battery dies.

My Dreams - They aren't as empty Discover Don't Worry

How Precious did that Grace appear the hour I first believed

I want to hold you high and steal your pain --- Because I'm Broken

Despondent dark angel -- Flip Side of the Coin -- Gothic Red Riding hood telekinetic Deva

Must be exhausting to lose your own game Sober I've made up your mind

-- Man she can sing

A bit harder now

Sweet little words unlike anything I have heard Coming Undone Funky springs

Couldn't possibly be more different than this

Turn the music up Pon De Replay

Speak the truth or make your peace some other way I'd kinda like one of those bikes.

Ok I can't believe I am going to say this

But what Goes Around Comes Around is pretty good

batt is dying

Meet the Vogons - Sony Anti Customer Service

I am very, very, very, VERY unhappy with Sony Customer service right now.

My wife did a far more level headed post on it here but long story short my home laptop is barely usable and despite the fact that it is only a 6 month old Sony Viao Laptop (and we paid hundreds of dollars for the extended warranty and accidental damage) the company the extended warranty is with refuses to fix it or even look at it.

We get 30 min bursts of work out of it at best and I can't get any of my posting done.

I plan on writing at length in the near future (on a better laptop; any suggestions? perhaps a Dell?) on just how bad the Service Net customer service is and how poorly engineered the Sony products are but in the meantime I am just going to make a bleg of sorts.

Please if you read this and have a blog link to it. Include the words "Sony" "Viao" "Laptop" and "Service Net" in the post if possible.

I will absolutely link back to anyone (even if they defend Sony or Service net) that does this.

If you happen to have had some problems with Sony Laptops in the past feel free to let your angst out.

This will be updated and continued.

Digg this Post

Someone looking for a laptop. I'd obviously avoid the Viao.


21 February, 2007

Don't say I'm out of touch

With this rampant chaos, your reality

I know well what lies beyond my sleeping refuge

The nightmare I built my own world to escape


Gulp - Just got a breath of air.

Will resurface again later

Ok -- weird I know -- but we can't all be the same and no one ever said I was completely sane

19 February, 2007

Still Here

I haven't disappeared and haven't stopped posting. I am just really loaded lately and have had very little access to my laptop other than at work. Once I get a chance to come up for breath a few times I will be posting away again.

14 February, 2007

Snow lots of Snow

I was late into the office so I doubt I will even have time to put up all of my staged posts. Yes I know I am delinquent on the layers I will get to them but real work takes priority.

13 February, 2007

CyberCzar to fix security


Holding breath... ...



Turning Blue...


Well perhaps it will go better this time around.

Pelgrin at New York State has the best government program I have seen.

At the very least the good things from there should be modeled.

Global Warming - Carbon Offsets (Kyoto)

Offsets = Indulgences

This is so true.

Killer Rabbit

So this is where Monty Python got it from. I was too young to draw the connection.

12 February, 2007

Yahoo Music Evening

Little Big Town - Boondocks - "I can taste that honeysuckle and its still so sweet"

Just a sweet drop not enough to really get the full taste - a hint, a smell

Lithium - Evanescence - Gothic Punk Yes I know they sound the same but just like Natalie Merchant how can you not love those pipes.

Papa Roach - Scars -- "The scars remind us that the past is real" "I can't help you fix yourself but at least I can say I tried. I'm sorry but I have to move on with my own life"

Drowning Pool - Step Up - a little rough completely cliche but still wicked good rock

Pink - Stupid Girl - The anti - Britney/Paris/Lindsey/Jessica Thank god someone is

OK my wife wants the laptop

Crazy Frog

Check out Axel F

Logical Arguments

Good Post on logic in arguments

A hypothetical example of a Type C argument would be, "Well, Arnold, studies actually show that the minimum wage does not cost jobs. If you read the work of Krueger and Card, you would see that the minimum wage probably reduces poverty."

A hypothetical example of a Type M argument would be, "People who want to get rid of the minimum wage are just trying to help the corporate plutocrats."

Paul, my question for you is this:

Do you see any differences between those two types of arguments?

I see differences, and to me they are important. Type C arguments are about the consequences of policies. Type M arguments are about the alleged motives of individuals who advocate policies.

In this example, the type C argument says that the consequences of eliminating the minimum wage would not be those that I expect and desire.

We can have a constructive discussion of the Type C argument -- I can cite theory and evidence that contradicts Krueger and Card -- and eventually one of us could change his mind, based on the facts.

Type M arguments deny the legitimacy of one's opponents to even state their case. Type M arguments do not give rise to constructive discussion. They are almost impossible to test empirically.

Birds without Passengers

I think the last possibility is the most likely though probably not the intended one.

Hybrid Sports Car

This would be a wonderful replacement for my Honda Civic Hybrid. I wonder what the mileage is. Just because it is a hybrid doesn't mean the mileage is great.

After all this is technically a hybrid as well. Somehow I doubt it gets that great of mileage.

The Toyota on the other hand.


Tell us what you really think Bruce.

Ray - Singularity

"With computers in everything from clothing to eyeglasses, software security becomes the quintessential issue," he said.

I am not sure the writer of this article has read any Kurzweil or Drexler.

He clearly doesn't grasp the potentials or some of the evidence that is currently staring us in the face.

There really isn't any doubt that information processing technology is expanding at an exponential pace and feeding on itself. Even in biology (which the author gives short shrift) it is obvious that the ability to assess and increasingly adjust biological information is changing at an incredible pace.

The real question is where are the speed bumps and are any of them significant enough to plateau things for a while?

The real key to all of this is that whoever controls the keys within the singularity controls where it goes and how it interacts with others. Security is central to that discussion.

I would have liked to see the speech.

RIAA loses in court

This is good news and seems to be the right way to deal with the problem of gratuitous suits while still maintaining the IP rights.

I don't think it is as huge as some have implied though. Incurring court costs isn't unheard of. What is significant is that if enough people publicly recoup their costs in suits it might inspire more to challenge the blackmail letters that are being sent. If enough people do challenge then the model that the RIAA has built will collapse.

10 February, 2007

A solution to the CO2 Imbalance - Global Warming

Instapundit Linked to the Gore Branson challenge

I also think it is a great idea. Of course there is already at least one solution that has met the goals.

all we have to do is more of it.

Nuclear Power via Nei blog

of course more options is always better how about my biofuel crazy idea

Security BullS--t

Funny and sadly true site

via RiskAnalys.is

Home Nanomanufacturing

Shades of Diamond Age in Business in the Nanocosm

09 February, 2007

Adiabatic Quantum Computing

Well someone is giving it a go.

It will be significant if they succeed but I am going to give this one long odds.

Here is some background on adiabatic quantum computing if you are interested in some pretty detailed reading.

The key hurdle I found that casts some doubt on the attempt in the Tech World article is that increasing complexities require exponentially increasing time. The test is being done with 16 qubits, which is below the previous experiments of 20 qubits mentioned in the detailed paper, so this potential problem won't show up even if the rest of the test is successful. My warning to any VCs or angels out there is to check on this before sinking any money. Don't just assume it is going to scale up based on the initial test.

That said this could have some pretty significant effects on other areas (such as cryptography) if the test is successful. Depending on the speed and architecture individual scaling may not be necessary for it to have value. I do have some trouble with thinking it will make much of a difference though since 64K calculations isn't that much.

Not to be confused with adiabatic methods in standard computing (Here)

Here is the blog link to the announcement and some good details as well. I am slightly more optimistic at this point because they are taking a somewhat different approach than I originally thought. Since it is a blog perhaps we can take advantage of the medium and ask him to explain some of the differences.

More Update:

I like his blogroll - UFC, Dawkins and Kurzweil - Can't be that bad of a guy. :)

Update 3:

I got some comments back from the blogger. I did read the paper but he was right about it only being a theoretical assessment. That would make their attempt the first real attempt. There are two major questions that they need to answer before this has any chance of being a truly significant breakthrough. How long does it take for them to perform the 64K calculations (actually 1 calculation that assesses 64K possibilities), and if they add additional qubits how does that affect the time of the calculations? Is it a linear impact or exponential?