I pretty much agree with this, via Instapundit.
It boils down to two lines.
He is no longer John McCain. He is McCain-Feingold. . . . Americans do not like to be told to shut up.
McCain-Feingold told Americans to shut up.
More interesting to me is that it is so early and the field for both the Republicans and the Democrats is already getting crowded.
I don't remember it being like this ever before. I think it is probably a good thing overall. Debate and contention is good.
I honestly have no idea which way I will go this time but I am fairly certain it isn't going to be McCain.
Rudy looks pretty good to me and Edwards isn't an unattractive choice.
28 February, 2007
27 February, 2007
Transport Layer Security - Part 1
Part of the Security Layer Series
Layer 4 is where the rubber meets the road as far as actual connectivity to the applications and logic of the controllers.
Layer 4 is the transport layer, and for IP it typically means either TCP (Transmission Control Protocol) or UDP (User Datagram Protocol).
I mentioned earlier that IP is inherently not deterministic and that this has implications for automated control. Layer 4 is the first place where the compensations for this occur.
A quick run through of how TCP works will help some. I am going to grossly oversimplify here so if someone wants to correct or provide more detail feel free.
TCP establishes a session to ensure data delivery. A host initiates the communication by sending a TCP SYN packet. The recipient of the SYN responds with a SYN/ACK carrying session identification information, and the original host responds with an ACK/ACK, establishing the session. Periodically during the communication stream the acknowledgement process is repeated to ensure the communication is maintained. Checksums are an inherent part of the protocol. The time elapsed between received packets is monitored to determine whether a session is lost and to initiate re-establishment of the communication stream.
What this means in a nutshell is that TCP has many mechanisms built into it that compensate (in part) for the issues introduced by the fact that IP is non-deterministic. It doesn't by any stretch of the imagination mean that TCP itself is secure in any way. There are many ways to game the system, and hackers and worms use them to their full advantage. If you really want to get into the details, take a look at NMAP and the lists at www.Insecure.org.
The most common one, and the one I have seen cause issues on PLCs, is the SYN scan. It basically works by opening up a listening port, then streaming SYNs to all of the selected ports on every address that is to be inspected. Everything that responds with a SYN/ACK is logged. The connection is never completed with the final ACK/ACK. This is where the problem is (especially for controllers with older IP stacks): the receiving host uses some resources to sit there waiting for that ACK/ACK. There are DoS attacks related to this, but for the most part they are not that effective against newer IP stacks (SYN floods can still cause headaches, though). Unfortunately PLCs do not always have newer stacks, so they are often particularly vulnerable to this.
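The handshake and the half-open connections described above, as a defender's check that a historian or monitoring host could run over packet summaries from the controller network. This is an added example, not code from the original post: the packet records, addresses and ports are constructed, and the state names, timeout and threshold are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP packet summary (constructed for this example, not a real capture)."""
    t: float      # seconds since start of capture
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # TCP flag letters, e.g. "S", "SA", "A", "RA"


def _is_syn(flags):
    return "S" in flags and "A" not in flags


def _is_synack(flags):
    return "S" in flags and "A" in flags


def _is_plain_ack(flags):
    return "A" in flags and "S" not in flags and "R" not in flags


class HandshakeTracker:
    """Follows the SYN -> SYN/ACK -> ACK exchange per flow.

    Flow key is (client, client_port, server, server_port). States (assumed names):
      syn_seen     client sent SYN, server has not answered yet
      half_open    server answered SYN/ACK and is holding state for the final ACK
      established  final ACK arrived
      reset        RST seen from either side; the server releases its state
    """

    def __init__(self):
        self.state = {}
        self.since = {}   # flow -> time the flow entered its current state

    def feed(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)   # client -> server
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # same flow, seen from the server
        if _is_syn(pkt.flags):
            self.state[fwd], self.since[fwd] = "syn_seen", pkt.t
        elif _is_synack(pkt.flags) and self.state.get(rev) == "syn_seen":
            self.state[rev], self.since[rev] = "half_open", pkt.t
        elif _is_plain_ack(pkt.flags) and self.state.get(fwd) == "half_open":
            self.state[fwd], self.since[fwd] = "established", pkt.t
        elif "R" in pkt.flags:
            # A RST in either direction tears the embryonic connection down,
            # so it no longer ties up resources on the server.
            for key in (fwd, rev):
                if key in self.state and self.state[key] != "established":
                    self.state[key], self.since[key] = "reset", pkt.t

    def stale_half_open(self, now, timeout):
        """Flows that have waited for the final ACK longer than `timeout` seconds."""
        return [k for k, s in self.state.items()
                if s == "half_open" and now - self.since[k] >= timeout]


def _replay(packets):
    tracker = HandshakeTracker()
    for pkt in sorted(packets, key=lambda p: p.t):
        tracker.feed(pkt)
    return tracker


def handshake_states(packets):
    """Final per-flow handshake state after replaying `packets` in time order."""
    return _replay(packets).state


def flag_half_open_sources(packets, now, threshold=3, timeout=3.0):
    """Return {(client, server): [server ports]} for clients that left at least
    `threshold` distinct ports on one server half-open: the footprint a SYN scan
    leaves on a controller whose stack does not time out embryonic connections."""
    tracker = _replay(packets)
    ports = defaultdict(set)
    for client, _cport, server, sport in tracker.stale_half_open(now, timeout):
        ports[(client, server)].add(sport)
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= threshold}


def example_capture():
    """Constructed packet summaries: an HMI at 10.1.1.10 completing a handshake to
    the PLC at 10.1.2.5 on 502, and a host at 10.1.1.99 probing seven ports the way
    a SYN scan does. Addresses and the PLC's open ports are illustrative only."""
    hmi, plc, probe = "10.1.1.10", "10.1.2.5", "10.1.1.99"
    pkts = [
        Packet(0.10, hmi, 40001, plc, 502, "S"),
        Packet(0.11, plc, 502, hmi, 40001, "SA"),
        Packet(0.12, hmi, 40001, plc, 502, "A"),
    ]
    open_ports = {23, 80, 135, 502, 44818}      # 21 and 22 are closed on this PLC
    for i, dport in enumerate([21, 22, 23, 80, 135, 502, 44818]):
        t, sport = 1.0 + 0.1 * i, 50000 + i
        pkts.append(Packet(t, probe, sport, plc, dport, "S"))
        pkts.append(Packet(t + 0.01, plc, dport, probe, sport,
                           "SA" if dport in open_ports else "RA"))
    # The prober resets only one of its half-open flows; the rest are left hanging.
    pkts.append(Packet(1.70, probe, 50006, plc, 44818, "R"))
    # A second HMI whose handshake is still in flight when the check runs.
    pkts.append(Packet(9.98, "10.1.1.11", 40002, plc, 502, "S"))
    pkts.append(Packet(9.99, plc, 502, "10.1.1.11", 40002, "SA"))
    return pkts


if __name__ == "__main__":
    for (client, server), ports in flag_half_open_sources(example_capture(), now=10.0).items():
        print(f"{client} left {len(ports)} half-open connections on {server}: {ports}")
```

Closed ports and the flow the prober reset are not counted, and the second HMI's handshake is too fresh to count, so only the four connections the PLC is still holding for the prober are reported.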
Aside:
This is directly relevant to the scanning discussions that have occurred with some level of passion in this blog's comments and in the background via email. My advice here, if you plan on scanning a SCADA system for the first time and you have done the change management, is that it is best to start with a TCP connect scan that exits gracefully as your initial connection enumeration method. Limit the scan to a few interesting ports and don't hit all 65k (at first at least). I wouldn't even do the fast-scan ports. After you have a few under the belt for that address range, slowly expand: do the fast-scan ports, then if wanted the whole 65k. After you are comfortable with this, make sure you have people watching the equipment and have a recovery plan, then try the SYN scans. Once you have gotten past this point you can go on to the rest of your vulnerability assessment or pen test. I know this is insanely conservative for most security professionals, but the critics are not exaggerating when they warn that bad things can (and will) happen. I am an advocate for scanning systems and have done so many times without significant issue on Rockwell/ABB, Honeywell, Siemens, and other vendor control systems, but there is always a risk. My typical response to the DON'T SCAN crowd is "Sooner or later the systems are going to be hit by an actual attack or something that is functionally identical to one, so wouldn't you rather that happen in a controlled manner?"
End of Aside
Many PLC vendors use TCP as their primary IP communication method to their controllers, and all of them use it for their historians, MES, and control aggregation systems. I have seen a bit of an explosion in HTTP access to endpoints, and I have mentioned ModBusIP in earlier posts in this series. I am not going to go into detail on what ports are used here; if you want to find out, ask your vendor and they will tell you. What you should do, however, is make sure that where possible you block access to the TCP port used as the primary PLC communication protocol at the point as close to the controllers as possible. ACLs are acceptable if actual firewalls are not available. For vendors that use standard ports such as Telnet, HTTP, or RPC this can be somewhat more difficult to do. Take advantage of point-to-point and point-to-multipoint (subnet) rules. The key here is to not allow access to the PLCs from an uncontrolled network. Access to the historians and central control systems should be controlled primarily on a whitelist basis. For really large engagements such as regional operation centers it is often possible to isolate both the central and the local subnets and connect them via VPN tunnels. If you are doing this, it is best to isolate remote sites from each other.
Enough for today
Rest of TCP and UDP continued later.
Have I escaped the Vogons?
I have been contacted by both Sony and Service Net customer service and am trying to work this out the best I can right now. The issue has not been resolved yet but at this point I have little doubt that it will. All I really want is a working laptop. I don't really care who fixes it I just want it fixed. It seems I might be moving out of the SEP field right now. At the same time I wouldn't mind helping them with their customer service. It was a uselessly unpleasant experience but it is possible that I was one of the flukes. I doubt it but it is possible. In any case I am going to drop this unless they are unable (unwilling) to help me. Blogs obviously do have some power.
26 February, 2007
EU Faux Pas in the US
Excellent post
More importantly you can flip most of them around and apply them as American Faux Pas elsewhere in the world.
I have done a lot of global traveling in my career and have stepped in a few muck piles in the process.
This comment I found particularly appropriate in both directions.
" by far the majority believe that America itself has fundamentally very good intentions, and that the country really does want the best for everyone. This is not a concept you should challenge until you know someone at least quite well."
Not only is this point true, but the essence of it often seems to be missed. Most Americans truly do want what is best for everyone. This is true regardless of the political persuasion of the person you are talking to. The most vehement anti-war protester is motivated to improve things for people elsewhere, and at the same time the most vehement adherent of nation building wants what is best as well.
This inherent good will is borne out by the fact that nations that happen to have been at war with the USA are far better off in the long run if we won (Germany, Japan, more recently Panama) than if they won or it was a stalemate (North Korea, Vietnam, even Mexico). Once we are done eliminating the perceived threat we want to leave (hell typically before we are done).
It is also one of our biggest weaknesses in that (I feel at least) we sometimes pull the trigger before the real threat is identified and help other entities and nations achieve their geopolitical goals by eliminating their rivals. The imbalances created cause no end of chaos.
The flip side of this rule is also absolutely true.
Any European will absolutely not appreciate being told that the US helped them out in any war and will typically be insulted by it. I am certain that my above paragraphs are insulting to many for exactly that reason. Furthermore, because they have seen and been impacted by many nefarious intentions, they certainly will not give the benefit of the doubt to any military actions initiated by the USA (or any power for that matter). If WW I or II are brought up they will almost immediately point out that far fewer Americans sacrificed their lives than Europeans.
25 February, 2007
Prosoft Security
I hammered Prosoft for the typical "We have security" marketing approach but they really anted up with this post. It doesn't provide details for their solutions (which I would still like to see) but it does show that they understand this problem.
23 February, 2007
Yahoo Music Video Night
At least until the battery dies.
My Dreams - They aren't as empty Discover Don't Worry
How Precious did that Grace appear the hour I first believed
I want to hold you high and steal your pain --- Because I'm Broken
Despondent dark angel -- Flip Side of the Coin -- Gothic Red Riding hood telekinetic Deva
Must be exhausting to lose your own game Sober I've made up your mind
-- Man she can sing
A bit harder now
Sweet little words unlike anything I have heard Coming Undone Funky springs
Couldn't possibly be more different than this
Turn the music up Pon De Replay
Speak the truth or make your peace some other way I'd kinda like one of those bikes.
Ok I can't believe I am going to say this
But what Goes Around Comes Around is pretty good
batt is dying
Meet the Vogons - Sony Anti Customer Service
I am very, very, very, VERY unhappy with Sony Customer service right now.
My wife did a far more level-headed post on it here, but long story short my home laptop is barely usable, and despite the fact that it is only a 6 month old Sony Viao Laptop (and we paid hundreds of dollars for the extended warranty and accidental damage) the company the extended warranty is with refuses to fix it or even look at it.
We get 30 min bursts of work out of it at best and I can't get any of my posting done.
I plan on writing at length in the near future (on a better laptop; any suggestions? perhaps a Dell?) on just how bad the Service Net customer service is and how poorly engineered the Sony products are, but in the meantime I am just going to make a bleg of sorts.
Please if you read this and have a blog link to it. Include the words "Sony" "Viao" "Laptop" and "Service Net" in the post if possible.
I will absolutely link back to anyone (even if they defend Sony or Service net) that does this.
If you happen to have had some problems with Sony Laptops in the past feel free to let your angst out.
This will be updated and continued.
Update:
Someone looking for a laptop. I'd obviously avoid the Viao.
I have been contacted by both Sony and Service Net customer service and am trying to work this out the best I can right now. The issue has not been resolved yet but at this point I have little doubt that it will. All I really want is a working laptop. I don't really care who fixes it I just want it fixed. It seems I might be moving out of the SEP field right now. At the same time I wouldn't mind helping them with their customer service. It was a uselessly unpleasant experience but it is possible that I was one of the flukes. I doubt it but it is possible. In any case I am going to drop this unless they are unable (unwilling) to help me. Blogs obviously do have some power.
21 February, 2007
Don't say I'm out of touch
With this rampant chaos, your reality
I know well what lies beyond my sleeping refuge
The nightmare I built my own world to escape
Evanescence
Gulp - Just got a breath of air.
Will resurface again later
Ok -- weird I know -- but we can't all be the same and no one ever said I was completely sane
19 February, 2007
Still Here
I haven't disappeared and haven't stopped posting. I am just really loaded lately and have had very little access to my laptop other than at work. Once I get a chance to come up for breath a few times I will be posting away again.
14 February, 2007
Snow lots of Snow
I was late into the office so I doubt I will even have time to put up all of my staged posts. Yes I know I am delinquent on the layers I will get to them but real work takes priority.
13 February, 2007
CyberCzar to fix security
Again.
Holding breath... ...
...
...
Turning Blue...
Gasp
Well perhaps it will go better this time around.
Pelgrin at New York State has the best government program I have seen.
At the very least the good things from there should be modeled.
12 February, 2007
Yahoo Music Evening
Little Big Town - Boondocks - "I can taste that honeysuckle and its still so sweet"
Just a sweet drop not enough to really get the full taste - a hint, a smell
Lithium - Evanescence - Gothic Punk. Yes I know they sound the same, but just like Natalie Merchant how can you not love those pipes.
Papa Roach - Scars -- "The scars remind us that the past is real" "I can't help you fix yourself but at least I can say I tried. I'm sorry but I have to move on with my own life"
Drowning Pool - Step Up - a little rough, completely cliché, but still wicked good rock
Pink - Stupid Girl - The anti - Britney/Paris/Lindsey/Jessica Thank god someone is
OK my wife wants the laptop
Logical Arguments
Good Post on logic in arguments
A hypothetical example of a Type C argument would be, "Well, Arnold, studies actually show that the minimum wage does not cost jobs. If you read the work of Krueger and Card, you would see that the minimum wage probably reduces poverty."
A hypothetical example of a Type M argument would be, "People who want to get rid of the minimum wage are just trying to help the corporate plutocrats."
Paul, my question for you is this:
Do you see any differences between those two types of arguments?
I see differences, and to me they are important. Type C arguments are about the consequences of policies. Type M arguments are about the alleged motives of individuals who advocate policies.
In this example, the type C argument says that the consequences of eliminating the minimum wage would not be those that I expect and desire.
We can have a constructive discussion of the Type C argument -- I can cite theory and evidence that contradicts Krueger and Card -- and eventually one of us could change his mind, based on the facts.
Type M arguments deny the legitimacy of one's opponents to even state their case. Type M arguments do not give rise to constructive discussion. They are almost impossible to test empirically.
Birds without Passengers
I think the last possibility is the most likely though probably not the intended one.
Hybrid Sports Car
This would be a wonderful replacement for my Honda Civic Hybrid. I wonder what the mileage is. Just because it is a hybrid doesn't mean the mileage is great.
After all this is technically a hybrid as well. Somehow I doubt it get that great of mileage.
The Toyota on the other hand.
Ray - Singularity
"With computers in everything from clothing to eyeglasses, software security becomes the quintessential issue," he said.
I am not sure the writer of this article has read any Kurzweil or Drexler.
He clearly doesn't grasp the potentials or some of the evidence that is currently staring us in the face.
There really isn't any doubt that information processing technology is expanding at an exponential pace and feeding on itself. Even in biology (which the author gives short shrift) it is obvious that the ability to assess and increasingly adjust biological information is changing at an incredible pace.
The real question is where are the speed bumps and are any of them significant enough to plateau things for a while?
The real key to all of this is that whoever controls the keys within the singularity controls where it goes and how it interacts with others. Security is central to that discussion.
I would have liked to see the speech.
RIAA loses in court
This is good news and seems to be the right way to deal with the problem of gratuitous suits while still maintaining the IP rights.
I don't think it is as huge as some have implied though. Incurring court costs isn't unheard of. What is significant is that if enough people publicly recoup their costs in suits it might inspire more to challenge the blackmail letters that are being sent. If enough people do challenge then the model that the RIAA has built will collapse.
10 February, 2007
A solution to the CO2 Imbalance - Global Warming
Instapundit Linked to the Gore Branson challenge
I also think it is a great idea. Of course there is already at least one solution that has met the goals.
All we have to do is more of it.
Nuclear Power via NEI blog
Of course more options is always better; how about my biofuel crazy idea
09 February, 2007
Adiabatic Quantum Computing
Well someone is giving it a go.
It will be significant if they succeed but I am going to give this one long odds.
Here is some background on adiabatic quantum computing if you are interested in some pretty detailed reading.
The key hurdle I found that casts some doubt on the attempt in the Tech World article is that increasing complexities require exponentially increasing time. The test is being done with 16 qubits, which is below the previous experiments of 20 qubits mentioned in the detailed paper, so this potential problem won't show up even if the rest of the test is successful. My warning to any VCs or angels out there is to check on this before sinking any money. Don't just assume it is going to scale up based on the initial test.
That said this could have some pretty significant effects on other areas (such as cryptography) if the test is successful. Depending on the speed and architecture individual scaling may not be necessary for it to have value. I do have some trouble with thinking it will make much of a difference though since 64K calculations isn't that much.
Not to be confused with adiabatic methods in standard computing (Here)
Update:
Here is the blog link to the announcement and some good details as well. I am slightly more optimistic at this point because they are taking a somewhat different approach than I originally thought. Since it is a blog perhaps we can take advantage of the medium and ask him to explain some of the differences.
More Update:
I like his Blogroll - UFC, Dawkins and Kurzweil - Can't be that bad of a guy. :)
Update 3:
I got some comments back from the blogger. I did read the paper but he was right about it only being a theoretical assessment. That would make their attempt the first real attempt. There are two major questions that they need to answer before this has any chance of being a truly significant breakthrough. How long does it take for them to perform the 64K calculations (actually 1 calculation that assesses 64K possibilities) and if they add additional qubits how does that affect the time of the calculations? Is it a linear impact or exponential?
Vista Vulnerabilities
Two friends of mine Max and Ivan from Core Security talk with SC magazine about one of the weaknesses that Microsoft has not been able to completely close in Vista.
Good article and they are spot on about the ASLR issue. It randomizes memory utilization to help minimize the potential effectiveness (an attempt to get rid of them completely) of buffer overflow attacks. If it is used it will stop a lot and I would put it easily in the 80-90% effectiveness category but not perfect.
This is why I have been pointing to the solution offered by Determina for a while in this category. To be honest I am surprised Microsoft hasn't bought them yet and integrated their product. I haven't been able to find any instance in which it didn't work to stop the overflow and it protects all the applications on the system.
Update:
I just discovered that Determina has started up a blog. If you get a chance Sandy or Alex why don't you tell us what the difference is between what you do and what the standard memory randomization methods do?
08 February, 2007
Layered Security Control Series Aggregation Post
This is the overview summary of a series of posts mapping Information Security Controls to SCADA, DCS, and ACS environments. The primary approach of the control structure is to map the controls to a modified OSI model. This is imperfect but does provide a technical framework to serve as the seed of the structure. The last half of the layers (pretty much everything beyond the host layers) departs from this model.
While these posts have specific data relating to SCADA and other control system environments much of the information is applicable to any information security environment. Many of the concepts and much of the data in the posts is relatively basic and most useful for people who are just entering into the information security and SCADA security field but there should be enough good nuggets of data that even experienced professionals will find some value in reading them.
My intention is to convert each of the sections into extended PDFs and pamphlets that have additional data and details over the initial posts. I am not certain when this will be done.
Building controls in multiple layers provides very strong security even with imperfect individual controls.
From an earlier post on layered controls
So if you can’t get 100% with a single control how do you get 100% or close to it?
I’ll use worms as the example because it is easy not because I think they are the most likely current threat.
If you can stop 80% of the worms with your company's external firewall.
Then stop 80% of the remaining worms with segmentation to your PCN.
Then stop 80% with a NIPS device
Then stop 80% of the remaining with a Host based firewall
Then 80% with patching
Then 80% with HIPS
Then 80% with Memory Based Protection
Etc…
If you can get an 80% reduction with each layer then you have reached your .001% likelihood layer with 6 controls even if you had a 100% certainty of the threat event occurring to begin with.
So the trick is identifying the applicable controls, determining how they (and how much they) reduce the likelihood, and if they can be layered with outer controls.
By not relying on an individual control being perfect you reduce cost (because you have a greater choice of solutions), you reduce impact on the overall system design, and you increase flexibility for your designers and end users.
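The arithmetic behind the layered-control argument above, worked through in Python as an added example (not the blog's own code). It multiplies each layer's pass-through rate to get the residual likelihood, reports the per-layer contribution for the post's worm stack, and makes visible the assumption the multiplication hides: layers are only independent if they do not share a failure mode, so a group of controls that would fail together (for instance two signature engines on the same vendor feed) is credited once. The control names and 80% values are constructed to mirror the post; `residual_with_shared_failures` and the other function names are mine.

```python
"""Layered-control likelihood model.

Added example, not the blog's own code. Each layer's "effectiveness" is the
fraction of threat events it stops, and the model assumes layers fail
independently, so the residual likelihood is the product of the per-layer
pass-through rates (1 - effectiveness). Control names and values below are
constructed to mirror the worm example in the post.
"""


def residual_likelihood(effectiveness, initial=1.0):
    """Likelihood that a threat passes every layer.

    effectiveness: iterable of per-layer stop rates in [0, 1].
    initial: likelihood of the threat event before any control
             (1.0 = certain to occur, as in the post).
    """
    residual = initial
    for rate in effectiveness:
        if not 0.0 <= rate <= 1.0:
            raise ValueError(f"effectiveness must be in [0, 1], got {rate}")
        residual *= 1.0 - rate
    return residual


def layers_needed(effectiveness, target, initial=1.0):
    """Smallest number of identical layers that bring the residual
    likelihood down to `target` or below."""
    if not 0.0 < effectiveness <= 1.0:
        raise ValueError("effectiveness must be in (0, 1]")
    count, residual = 0, initial
    while residual > target:
        residual *= 1.0 - effectiveness
        count += 1
    return count


def residual_with_shared_failures(layers, initial=1.0):
    """Same product model, but a nested list marks controls that share a
    failure mode (for instance a NIPS and a HIPS driven by the same vendor
    signature feed). Only the strongest member of such a group is credited,
    because a miss by one is likely to be a miss by the others; multiplying
    them would overstate the stack's strength."""
    independent = []
    for layer in layers:
        if isinstance(layer, (list, tuple)):
            independent.append(max(layer))
        else:
            independent.append(layer)
    return residual_likelihood(independent, initial)


# Constructed stack following the post's worm example: six layers at 80%.
WORM_STACK = [
    ("external firewall", 0.80),
    ("PCN segmentation", 0.80),
    ("NIPS", 0.80),
    ("host firewall", 0.80),
    ("patching", 0.80),
    ("HIPS", 0.80),
]


def stack_report(stack, initial=1.0):
    """Return (name, residual-after-this-layer) pairs so each layer's
    contribution is visible, e.g. for a risk register."""
    report, residual = [], initial
    for name, rate in stack:
        residual = residual_likelihood([rate], residual)
        report.append((name, residual))
    return report


if __name__ == "__main__":
    for name, residual in stack_report(WORM_STACK):
        print(f"{name:20s} residual likelihood {residual:.6%}")
    print("identical 80% layers needed for residual <= 1e-5:",
          layers_needed(0.80, 0.00001))
    # If NIPS and HIPS share one signature feed, credit them once:
    shared = [0.80, 0.80, [0.80, 0.80], 0.80, 0.80]
    print("same stack with NIPS/HIPS correlated:",
          f"{residual_with_shared_failures(shared):.6%}")
```

Run it as a script to see the residual after each layer; the grouped form is the one to use when two controls depend on the same feed, vendor or administrator, since that is the case where the independence assumption breaks and the stack is weaker than the simple product suggests.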
The posts of the series in order are:
Physical Security Layer
Data Link Layer Security Part 1
Data Link Layer Security Part 2
Networking Layer Security Part 1
Networking Layer Security Part 2
Transport Layer Security Part 1
Host Security Control Layers (being planned)
Process Controls including standards and procedural structures (TBD)
Governance Controls including visibility and audit feedback mechanism (TBD)
Financial incentives (Budgeting and leveraging business unit decisions using money and risk) (TBD)
Memetic Controls (Training, Expectation setting and Marketing) (TBD)
By properly combining the controls in these layers it is possible to get a working flexible and highly secure Operating environment that is able to adjust to problems quickly with the least amount of cost.
Safety Valve design options
Some Good safety valve designs and tips at the Emerson blog.
It is a follow-on from this post on Partial Stroke testing as a supplement to standard full stroke testing.
It is a nice reminder for me that despite the fact that IP connected systems are increasing in frequency the simple designs are best especially when it comes to safety.
This brings me back to something I should have included in the original Physical Security Layer post and somewhat touched on in my Continuation of the Network Layer Security. It is essential that your safety systems cannot be adversely impacted by the operations or failures of any of your other systems. I mentioned in the Network layer post that they should be separate from the other networks, but the real advice is that they should be as simple as possible, physically and logically isolated from all other systems (in terms of connectivity; physical placement obviously depends on need and overall system design), and most importantly protected from failure modes that the other control systems might be subjected to.
This is a great blog.
Does anyone out there know if Invensys, Honeywell, Rockwell/ABB, or Siemens have a blog like this? I haven't been able to find one but if they do I would really like to add it to my RSS stack.
07 February, 2007
Guardian talks Truther - 9-11 Conspiracy
Sanity from the far left?
Should be interesting to see if the immune system rejects him and if so how the rejection occurs.
Update:
First attempted rejection here. Looks like it got buried but not by Monboit's ideological peers. Sadly I participated in a way that is usually beneath me. Digg comments can bring that out of one.
UK Bank Card Hack
CNET is picking up on a hack by Cambridge researchers on the new UK Bank Cards
It is a legitimate attack but I don't know that I would call it a hack. Any time you can own the hardware doing the processing it is possible to find a way to deceive the customer.
There was another attack earlier that was essentially possible due to the older data providing a Rosetta stone. I wouldn't call that one a failure of the new approach either.
I am going to come out and say I am a bit biased on this though because I know a few of the people that were involved in the project from the beginning. If anyone wants to dispute me please feel free to comment and I will move it up to the main page.
Data Breach Legislation
Good article at CNET on upcoming data breach legislation.
I know it doesn't have much to do with SCADA security but most companies will be impacted in one way or another if either of these make it through the gauntlet. If you are a security professional at a large company that does business in the US you should take a peek.
Root Server Attack
Yes I know everyone already knows and is linking to it.
From Security Focus.
I usually like their write ups.
06 February, 2007
Yucca Mountain and Edwards
Interesting post on Yucca Mountain and John Edwards stand on it.
In defense of Edwards there are concerns about the long term viability of any site that stores large amounts of very long lived waste. The post's authors are right in pointing out the advantages of nuclear power and in emphasising that distributed long term storage really isn't a viable option but I wouldn't expect any politician to understand these arguments completely.
There are a lot of studies and plans that have been aggressively researched regarding the Yucca storage location and most have reinforced its potential viability but residents have legitimate doubts and rights that should be addressed.
I doubt Edwards realizes that continued operation with local storage isn't viable for much more than another 50 years. Failure to resolve the issue will result in shutdown of the facilities (which is exactly the goal of many ignorant activists). The loss of nuclear power as a source of energy would result in the need to replace 20% of the Nation's base load power supply. That would require:
1 Rhode Island of solar power (and even then only during the day during the summer)
Another cubic mile of oil a year (in addition to the one we currently use) along with attendant CO2 emissions
Over 100 coal power plants (again with CO2 and other pollutants)
Tens of thousands of wind turbines (as long as they are not off the Cape)
You get the point.
Most people (let alone politicians who are bombarded by activist lobbies) really don't understand the role that base load nuclear fission energy already plays in the US. The US version of light water reactors have the best safety and environmental record of any industry anywhere ever for the amount of energy produced and total time of operations. Pebble beds will be even better. Somehow we have to get that through to the politicians.
My advice if you don't like what the candidates are saying write to them. They probably won't read it of course but if their staff is any good they will and not discard it. Enough people write and the message will get to the candidate.
In any case it is a great blog with lots of good data.
Please Digg It
IDC Conference in ZA includes Security
The March South African IDC Conference will include Security
Too bad it is in Joburg; if it were in Cape Town I would fight to go.
Nuclear Fission - Ping Pong Ball Experiment
Before the Super-Bowl there was an ad on about the propagation of ideas that I really liked (though it failed in its marketing because I cannot remember who it was for).
The narrator of the ad held a ping pong ball over a basketball court covered with mousetraps with ping pong balls on them. When he dropped the ball on one it went off and launched its ball in the air which landed on several others which launched theirs and so on.
This struck me as an awesome way to display the principles behind nuclear fission chain reactions.
It hits all of the key concepts.
Neutron absorption cross section is simulated by the relative size of the traps and the balls. Fuel density by how close the traps are to each other. Neutron escape by the proximity to the edge of the court. Balls that are launched too energetically bounce fewer times so they display absorption resonance zones and fast neutron escape. If you wanted to simulate thermalizing effects on the probability of absorption you could place curtains or sheets to knock energetic ones back into the field of traps. Poisons could be simulated by pillows or sticky mats to stop or slow down the bouncing balls. Try different shapes to see how geometry affects the likelihood of escape.
You could judge efficiency of the designs based on how many traps are left unsprung and how fast or slow the entire reaction takes to finish.
Of course it is all two dimensional but it still gives a good idea of what happens.
All in all a pretty good science experiment for someone who wants to do it. Of course you probably want to replace the mouse traps with something less likely to break a student’s fingers. Has anyone done this this way before?
Update:
This commercial demonstrates an old science experiment I once saw on PBS and on a science video shown in a science classroom. It goes back 20 years I think. Todd
05 February, 2007
Internet Privacy - correction and expansion
Contrary but good comment from Ryan on my last privacy post.
It was wrong of me to state that he defended a pervert. He was legitimately trying to identify what he and other coworkers considered a small triumph for computer privacy in the court system.
My opinion is that this is a terrible case to hold up as a victory for privacy in the court system.
I certainly should have stated it that way instead of the way I did. I am well aware that Ryan continually defends both privacy and ownership rights. That is why I love reading his blog and do on a fairly regular basis.
That is also why I got irritated by the spin I thought I saw in the post. My interpretation of that spin is that it was a good thing in principle that data that was voluntarily turned over to the government by the legitimate owner of that data was disallowed as evidence.
Obviously I disagree with that spin.
So now I am done with my correction. Time for the expansion.
In his comment Ryan pointed out that his interest in the case was based on principles not on "particulars".
Immediately prior to that argument he implied that I was too ideologically driven to wrap my mind around the complexities of the case.
"you are so wrapped up in libertarian ideology you can't help but see the federal government impinging on property rights."
Rock... Glass House...
I believe that to a large extent Ryan and Jennifer's positive opinion of the final outcome of this case was based on "principle" and not "particulars" but when cheering an ideological victory for their side of the argument they should not forget that the "particulars" in this case would have resulted in the dismissal of charges for an individual that DID commit the crime and is a possible threat to his community.
As to my mental deficiencies.
Well, I can wrap my mind around the details and complexities of the case.
Instead of using ascribed ideology to dismiss Ryan's arguments, let's use the actual case.
Original Opinion Here are the details
Final Opinion Here
I am uncertain if Ryan actually read the opinion, I assume he did, but this is the argument he used to defend the "principles" in the comments of his blog post.
Under the new ruling, a company could look through, copy or provide data from the computer to the government so long as someone with proper authority at the company agrees to it. So if the gov asks the IT manager and she says yes, then the search is legal. If the government asks the night watchman to do it, and she says yes, the search would be illegal.
This is akin to searching a teenager's room in a house. If a parent gives consent to law enforcement, the search is fine. If they get consent from the five year old that opened the door, that wouldn't be legal.
Unfortunately this interpretation doesn't jibe with the facts of the arguments in the case.
From the actual case:
Shortly thereafter, Michael Freeman, Frontline’s corporate counsel, contacted Agent Kennedy and informed him that Frontline would cooperate fully in the investigation. Freeman indicated that the company would voluntarily turn over Ziegler’s computer to the FBI and thus explicitly suggested that a search warrant would be unnecessary.
The Corporate counsel expressly stated that a warrant was not necessary. The IT Administrator and the CFO both had already given permission.
This wasn't a 5 year old giving access to her sister's room. It also wasn't a night watchman. This was the IT management, CFO and Counsel.
The key initial findings of the case do revolve around the interpretation of an expectation of privacy.
Ziegler argues that “[t]he district court erred in its finding that Ziegler did not have a legitimate expectation of privacy in his office and computer.” He likens the workplace computer to the desk drawer or file cabinet given Fourth Amendment protection in cases such as O’Connor v. Ortega, 480 U.S. 709 (1987).
It all comes down to what a reasonable and legitimate expectation of privacy is.
These findings ultimately were never overturned.
My argument (which doesn't matter one whit in the ninth circuit) is that users should have no expectation of privacy on their work machine unless they work for a company that doesn't own or claim ownership of their machines or the data on the machines.
More importantly organizations should not be under a real or perceived obligation to request a warrant before cooperating with the government with information and data they own.
Ironically the final decisions on the case revolve around whether or not an office entry is acceptable not whether or not computer data is private so perhaps the spin was off in the first place.
Instead of holding a case like this up as a victory and paragon of emerging information privacy rights perhaps something better can be found.
It was wrong of me to state that he defended a pervert. He was legitimately trying to identify what he and other coworkers considered a small triumph for computer privacy in the court system.
My opinion is that this is a terrible case to hold up as a victory for privacy in the court system.
I certainly should have stated it that way instead of the way I did. I am well aware that Ryan continually defends both privacy and ownership rights. That is why I love reading his blog and do on a fairly regular basis.
That is also why I got irritated by the spin I thought I saw in the post. My interpretation of that spin is that it was a good thing in principle that data that was voluntarily turned over to the government by the legitimate owner of that data was disallowed as evidence.
Obviously I disagree with that spin.
So now I am done with my correction. Time for the expansion.
In his comment Ryan pointed out that his interest in the case was based on principles not on "particulars".
Immediately prior to that argument he implied that I was too ideologically driven to wrap my mind around the complexities of the case.
"you are so wrapped up in libertarian ideology you can't help but see the federal government impinging on property rights."
Rock... Glass House...
I believe that to a large extent Ryan and Jennifer's positive opinion of the final outcome of this case was based on "principle" and not "particulars" but when cheering an ideological victory for their side of the argument they should not forget that the "particulars" in this case would have resulted in the dismissal of charges for an individual that DID commit the crime and is a possible threat to his community.
As to my mental deficiencies.
Well, I can wrap my mind around the details and complexities of the case.
Instead of using ascribed ideology to dismiss Ryans arguments lets use the actual case.
Original Opinion Here are the details
Final Opinion Here
I am uncertain if Ryan actually read the opinion, I assume he did, but this is the argument he used to defend the "principles" in the comments of his blog post.
Under the new ruling, a company could look through, copy or provide data from the computer to the government so long as someone with proper authority at the company agrees to it. So if the gov asks the IT manager and she says yes, then the search is legal. If the government asks the night watchman to do it, and she says yes, the search would be illegal.
This is akin to searching a teenager's room in a house. If a parent gives consent to law enforcement, the search is fine. If they get consent from the five year old that opened the door, that wouldn't be legal.
Unfortunately this interpretation doesn't jibe with the facts of the arguments in the case.
From the actual case:
Shortly thereafter, Michael Freeman, Frontline's corporate counsel, contacted Agent Kennedy and informed him that Frontline would cooperate fully in the investigation. Freeman indicated that the company would voluntarily turn over Ziegler's computer to the FBI and thus explicitly suggested that a search warrant would be unnecessary.
The corporate counsel expressly stated that a warrant was not necessary. The IT administrator and the CFO had both already given permission.
This wasn't a 5 year old giving access to her sister's room. It also wasn't a night watchman. This was IT management, the CFO and counsel.
The key initial findings of the case do revolve around the interpretation of an expectation of privacy.
Ziegler argues that "[t]he district court erred in its finding that Ziegler did not have a legitimate expectation of privacy in his office and computer." He likens the workplace computer to the desk drawer or file cabinet given Fourth Amendment protection in cases such as O'Connor v. Ortega, 480 U.S. 709 (1987).
It all comes down to what a reasonable and legitimate expectation of privacy is.
These findings ultimately were never overturned.
My argument (which doesn't matter one whit in the Ninth Circuit) is that users should have no expectation of privacy on their work machine unless they work for a company that doesn't own or claim ownership of their machines or the data on them.
More importantly, organizations should not be under a real or perceived obligation to request a warrant before cooperating with the government using information and data they own.
Ironically, the final decisions in the case revolve around whether or not an office entry is acceptable, not whether or not computer data is private, so perhaps the spin was off in the first place.
Instead of holding a case like this up as a victory and paragon of emerging information privacy rights perhaps something better can be found.
Internet Privacy - The real need
OK this one is probably going to chap some people off. Sorry if it does.
These are the real privacy items we should be working on and advocating instead of defending a pervert by attacking private property rights.
We have a lot of smart people out there and if we keep providing secure and difficult to trace communications we can help solve problems for people that actually have to worry about the government spying on them.
Last time I checked, protesters that go to Washington aren't being dragged off and having their fingernails pulled out. If they do get arrested it is because they are damaging other people's property or physically intimidating, threatening and spitting on people who dare to disagree with them. Hell, even then they aren't being arrested. Apparently they can stymie others' rights, but because they are part of the "in" Hollywood crowd their rights are more important. One visit to Kos, DemocraticUnderground, or MyDD will quickly show you that free speech rights are alive, well and unchallenged in the US, even for borderline insane writings. They have done a good job at pushing the intellectually weak conformists into their camp. It is almost like watching a few dozen nearly identical goths walk by, each of them comfortable in their (pseudo)intellectual superiority, artistic originality and nonconformism.
In Iran, China, Sudan, Saudi Arabia, North Korea, Russia, ... The list goes on. People do get arrested for what they say. In many countries they get tortured and killed for criticisms, and even for the potential of thoughts that are merely implied in their words, let alone the outright hostility that can easily be found in the conformist camps.
But I digress into a political realm that has the possibility of losing me half of my readers.
There is a dire need to improve privacy on the Internet in the world. What we really need to do is provide secure anonymous access to communications.
A great list of tools is here.
We also need to help people in these countries know how they can be watched and tracked with existing systems so they can avoid falling into traps.
People should know that it is trivial to track posts and browsing back to the entry point to the Internet. If the government owns the network this is even easier. Any time you browse a site or send an email it can be tracked back.
They should know that if you want to draw their government's attention to data they are sending around, placing it in a steganographically altered image is the digital equivalent of turning on a flashing neon "Interesting Data Here" sign.
We should teach people how to use wireless access, burst postings and mail, and wireless cards with easily managed MAC addresses to help keep themselves anonymous.
We should quietly but consistently pressure organizations and companies to help defend the privacy of their customers by making policies that help them protect their own data as well as data owned by the customer. Clear data property rights will help here, not only by directly protecting the customers and company but also by allowing them to leverage existing treaties to defend their (the companies') positions in draconian countries (when they have the guts to stand up). We should reject policies and EULAs that give data ownership to anyone other than the individuals that create the data or pay for its creation. (Ironic that that statement is on Blogger, huh.)
This ownership and defense of individual intellectual property rights will also pay dividends in the form of increased privacy from the very concerns that Wired inaccurately purported to defend.
Global Warming Denier!!! - Get a rope
Pretty good post at ComputerDefense on Global Warming
He does a good job of voicing one side of the argument that I often think gets short shrift.
Anyone who has read me for a while will know that I take the Global Warming discussion pretty seriously. I have several posts on the topic and like to advocate bio fuels and other environmental causes.
There is a comment on his blog that I think portrays a huge flaw in the current nature of the conversation primarily from the Government mandated change crowd.
Angela says "Although you do try to consider material from both believers and non-believers in global warming"
The first sentence portrays exactly what is wrong in the whole global warming discussion as it exists right now. People divide the groups into "believers" and "non-believers". This ideological, faith-based approach is what the entire debate has turned into. Unfortunately people have been burning others at the stake for thousands of years because they "made the drought happen by killing a pig" or by "giving the evil eye". What is the difference between roasting them in a bronze idol to appease Marduk or Al? The real discussion cannot exist if the only mechanism of argument is to classify and then dismiss.
The second stage of this argument is "that research must be excluded because it was funded by the oil companies (or Greenpeace, take your pick)". This method of argument is slightly more legitimate, but it cannot be used to discard information, only to increase the scrutiny of it.
I'll restate that. The only valid use of the second argument is to identify potential biases and require a more thorough review of the data. It cannot legitimately be used to disprove the data directly. Both sides are guilty of having ulterior motives for their arguments. Professors have trouble getting grants and promotions if they don't jump on the "Global Warming is killing the planet" bandwagon. Oil companies are making a lot of money, but their already paper-thin margins will be even smaller if they have to start pumping CO2 back into the earth. For that matter we are not truly sure what pumping it back into the ground will do.
Hey, I am all for (actually strongly for) biofuels and CO2 reduction tech. I think that anything we can do to reduce our footprint on the world around us has some value. The real question is how much value in comparison to what we trade off for it. If we didn't have an environmental movement we would literally be choking to death on coal smog like we were in the 1800's. We wouldn't have the automobile (which in the early days was marketed as a way of reducing the number of rotting horse and cow carcasses and the manure in the cities).
Right now I have seen a lot of evidence pointing to the fact that Global Warming is occurring. Enough to convince me that it is happening until proven otherwise at least for the short term (next century or so).
Despite the recent findings advocated by the UN
Or Detailed counterpoint here (sorry about the popups it is a Canadian Rag)
I have not seen an overwhelming set of evidence to support Global Warming being an anthropogenic event. I think we have a lot of hubris when we assume that our .1% of the biomass, the 3% of total global energy use that we create, or even the 2% of total greenhouse gases on the planet that are due to humans have that great of an effect. There are certainly models that show that it does, but we do not have a large enough data pool to know. In all of these models the contribution of greenhouse gases is an exponential function (which it is). Anyone who plays with math knows how easily misunderstandings of the role of an exponential variable can skew the outcome of a model. Neither do we have a good data set to draw on. 200 years out of 4 billion isn't that big of a data set.
I am also not much of an advocate of the precautionary principle. Anyone who really is should never get in a car. For that matter they should never leave their house... Actually that is faulty as well since most accidents occur at home... Whoopie we're all gonna die.
You get my point.
None of these counterarguments should be construed to mean we shouldn't do anything. On the contrary, we should be aggressively pursuing more data and debate. We can't do that by disregarding the points and arguments of either side of the conversation. We should also constantly be working for more efficient and renewable energy sources and means of doing whatever we do daily. This provides us other advantages as well: reduced reliance on energy sources controlled by questionable entities, reduced costs, and operational streamlining. We wouldn't have moved to coal if wood didn't have problems, or to oil if coal didn't, or to natural gas if oil didn't...
Besides in the long run this is probably the answer. Got it from Here
02 February, 2007
01 February, 2007
Biofuels not to Blame
Register Wrong
It isn't biofuels that drove the price spike; it was the switch from MTBE to ethanol as the additive to reduce smog.
That switch is also the primary reason for the gasoline price spike last summer. All US refineries had to adjust to a different mix in a short period of time, resulting in a relative reduction in gasoline stock. Supply goes down, price goes up. Imagine that.
By the way, that switch to ethanol was a good thing and worth the price. MTBE was mandated as an additive by many States in the US even though it is a pretty nasty carcinogen. It is the chemical that Erin Brockovich made famous when suing companies that were required by law to use it. Hhhmmm...
On the other side of the coin, MTBE was responsible for significantly reducing the smog levels in urban areas across the country. Everyone thinks that the environment is worse now than ever but forgets that there were days when you couldn't breathe in LA or NY in the '70's.
We found a mix using ethanol that was less dangerous and the government decided to switch (for good reason); everyone freaked at the 3.50USD a gallon gas, which was still a third of the price in Europe. Things balanced out, but now corn costs more.
It just goes to show that decisions involving environmental requirements sometimes have unforeseen consequences.
Oh yeah,
Biofuels are not to blame, and if we are smart we can use them to turn the bread basket into one of the next global energy sources and a huge cash cow for the US as a whole again. That will have an impact in unforeseen ways on other prices. No matter how hard governments try they cannot repeal the law of supply and demand. Just ask the USSR.
Update:
From the author in the Comments
I wouldn't say we are wrong, though.
We wrote: "Demand for eco-friendly bio-fuels in the US is being blamed for a massive rise in the price of corn in Mexico."
Ah I see, so we shouldn't take the title to be the meaning of the article.
Now that is cold
Hey the Pig
My old boat.
I used to love standing maneuvering phone talker on the way in. When you round Montauk Point you know you are almost home.
That must have been a miserable trip even coming home though.
That ice came from salt water so it is a lot colder out than just freezing.
Welcome back to port guys I hope you have had a chance to warm up.
A Demon Tamed - Nanomotor
Maxwell's Demon results in a nanomotor, well, 150 years later anyway.
A significant development that at the same time underscores that visionary ideas can actually come to pass, but also shows that they might take longer than optimists think.