Running DMC

DMC is not devastating mic control in this case. It's Disproportionate Minority Contact - a regime that seeks to answer with statistical reporting the following questions.

• Are there differences in the rates of contact (e.g., arrest) based on race/ethnicity? If so, at what stages of the justice system are these differences more pronounced?
• Are there differences in the processing of juveniles within the justice system based on race/ethnicity? If so, at what stages of the justice system are these differences more pronounced?
• Are the racial/ethnic differences in contact and processing similar across jurisdictions within a state? If not, in which jurisdictions are these differences more pronounced?
• Are the differences in contact and processing similar across all racial and ethnic groups? If not, which groups seem to show the greatest differences?
• Are racial/ethnic differences in contact and processing changing over time?

Now here's the opening qualification taken directly from the same manual. I'm going to put it in bold so that you don't overlook it.

It is important to note what is not included at this stage: any attribution about the reasons for the differences. Therefore, the identification phase of information neither describes the reasons for any differences that occur nor creates strategies to reduce those differences.

In other words, although they can say with great precision that they are observing race, they cannot and will not say at all whether or not they are observing racism. So therein may be answers to what and perhaps how, but not why? Except that why is a presumption that plays into the politics of counting noses by race anyway. Essentially people are invited to speculate why and your guess is as good as mine.

Me? I was trolling for data. It is my job actually to make the meaning of such numbers plain and accessible, so I may as well have some fun doing it. The problem is that this data is dirty. They don't say that in so many words, they say it with too many words. Take the following paragraph as an example:

Studying More Jurisdictions and More Categories of Youth and Offenses
States may use the basic RRI method described above to extend the number of jurisdictions to be studied, subdivide the types of youth being studied, and subdivide the types of offenses (and other features) being studied to broaden their analysis of DMC issues. Each such refinement adds analytic power and specificity to the search for ways in which to address DMC issues. A few examples of such refinements would include separate identification analysis for males and females or for older and younger age groups. The logic that jurisdictions might use to justify such endeavors would be that there is some additional contact risk that attaches to younger (or older) male youth. Likewise, jurisdictions might add additional stages to the basic RRI model to track the implementation of specific additional statutory provisions such as the application of determinate sentencing or of automatic transfers to adult court for some offenses. For such policies to be fruitful for analysis, states would have to demonstrate that the policies actually apply to a substantial number of youth. In a similar fashion, it might be feasible to conduct the RRI analyses separately for various classes of offenses, such as those involving crimes against persons, property, drug offenses or public order. Again, the need is to ensure that a sufficient number of cases are processed to make the search for patterns potentially fruitful. If one is engaged in analysis of subsets of offenses, it is also necessary to recognize that the processes of plea-bargaining and diversion programming may lead to situations in which the classification of an offense changes as the case proceeds through the systems.

In short they know race but they don't know gender. They also don't know crime, nor do they have a good taxonomy for the crimes. They don't know age, nor do they have a taxonomy for aging. They don't have attributes for charges or sentencing.

Now it's true that a brother like me gets 250 an hour building analytical systems. Now you know why I get no municipal government work. Their data is weak. You cannot make sound analytical decisions on data this dirty and arbitrarily qualified. I know that sounds like a dismissal but you do grow a sense about these things after 20 years in the business. More's the pity. It almost wants to make me join Connorly.

Connorly's quest of eliminating all racial data collection is fraught with the peril of knowing to little and disabling analysis altogether. Yet there is the peril on the other side which is that of 'knowing' too much about very dense and well-qualified data sets. These aren't data these are people. And as much as I'd love to march every human on the planet through a 48 byte universal identifying system I know that runs the serious risk of treating people like things we think we can all too easily abstract. Of course there are greater risks in the world, and somehow I think we'll end up doing that anyway.

I'm for adding more and more data to a singly authenticatable person. This one of the reasons I don't blog anonymously. And I think people should be able to assume multiple pseuds which link (under their control) to their root, unchangeable one.

When you really recognize how difficult it is to get simple demographic information correct it makes you wonder how much we think we know about each other's digital information is just wrong, wrong, wrong.

Red Thomas Redux

(from the archives, originally c. October 2001 )

I posted this over three years ago and it came out long before that. It's probably a good thing to review it. Snopes says that this is the real deal, so it's probably still good advice.

One of my original angles on surviving the threat had to do with my basic understanding that in a crisis, people accellerate what they already do, and that experts are not likely to change their behavior. However the people, having no prior experience or knowledge, are most likely to change their behavior. Consequently, the best way to leverage the power of the US would be in terms of self-defense, IE millions of Americans doing something slightly different. (Like buying tube socks or duct taping windows). But seriously, an immunized public is the greatest defense against assymetrics. The theory is that if one terrorist can do X, than one civilian can do 1/x.

A Soldier's Viewpoint on Surviving Nuclear, Chemical and Biological Attacks
From: SFC Red Thomas (Ret)
Armor Master Gunner
Mesa, AZ 

Unlimited reproduction and distribution is authorized. Just give me credit for my work, and, keep in context. 

Since the media has decided to scare everyone with predictions of chemical, biological, or nuclear warfare on our turf I decided to write a paper and keep things in their proper perspective. I am a retired military weapons, munitions, and training expert.

Lesson number one: In the mid 1990s there were a series of nerve gas attacks on crowded Japanese subway stations. Given perfect conditions for an attack less than 10% of the people there were injured (the injured were better in a few hours) and only one percent of the injured died.

60 Minutes once had a fellow telling us that one drop of nerve gas could kill a thousand people, well he didn't tell you the thousand dead people per drop was theoretical.

Drill Sergeants exaggerate how terrible this stuff was to keep the recruits awake in class (I know this because I was a Drill Sergeant too). Forget everything you've ever seen on TV, in the movies, or read in a novel about this stuff, it was all a lie (read this sentence again out loud!). These weapons are about terror, if you remain calm, you will probably not die. This is far less scary than the media and their "Experts," make it sound.

Chemical Weapons
Chemical weapons are categorized as nerve, blood, blister, and Incapacitating agents. Contrary to the hype of reporters and politicians they are not weapons of mass destruction they are "area denial," and terror weapons that don't destroy anything. When you leave the area you almost always leave the risk. That's the difference; you can leave the area and the risk but soldiers may have to stay put and sit through it and that's why they need all that spiffy gear.

These are not gasses, they are vapors and/or air borne particles. The agent must be delivered in sufficient quantity to kill/injure, and that defines when/how it's used. Every day we have a morning and evening inversion where "stuff," suspended in the air gets pushed down. This inversion is why allergies (pollen) and air pollution are worst at these times of the day.

So, a chemical attack will have it's best effect an hour of so either side of sunrise/sunset. Also, being vapors and airborne particles they are heavier than air so they will seek low places like ditches, basements and underground garages. This stuff won't work when it's freezing, it doesn't last when it's hot, and wind spreads it too thin too fast. They've got to get this stuff on you, or, get you to inhale it for it to work. They also have to get the concentration of chemicals high enough to kill or wound you. Too little and it's nothing, too much and it's wasted.

What I hope you've gathered by this point is that a chemical weapons attack that kills a lot of people is incredibly hard to do with military grade agents and equipment so you can imagine how hard it will be for terrorists. The more you know about this stuff the more you realize how hard it is to use.

We'll start by talking about nerve agents. You have these in your house, plain old bug killer (like Raid) is nerve agent. All nerve agents work the same way; they are cholinesterase inhibitors that mess up the signals your nervous system uses to make your body function. It can harm you if you get it on your skin but it works best if they can get you to inhale it. If you don't die in the first minute and you can leave the area you're probably gonna live. The military's antidote for all nerve agents is atropine and pralidoxime chloride. Neither one of these does anything to cure the nerve agent, they send your body into overdrive to keep you alive for five minutes,
after that the agent is used up. Your best protection is fresh air and staying calm. 

Listed below are the symptoms for nerve agent poisoning: 

Sudden headache, Dimness of vision (someone you're looking at will have pinpointed pupils), runny nose, excessive saliva or drooling, difficulty breathing, tightness in chest, nausea, stomach cramps, twitching of exposed skin where a liquid just got on you.

If you are in public and you start experiencing these symptoms, first ask yourself, did anything out of the ordinary just happen, a loud pop, did someone spray something on the crowd? Are other people getting sick too? Is there an odor of new mown hay, green corn, something fruity, or camphor where it shouldn't be? If the answer is yes, then calmly (if you panic you breathe faster and inhale more air/poison) leave the area and head up wind, or, outside.

Fresh air is the best "right now antidote." If you have a blob of liquid that looks like molasses or Kayro syrup on you; blot it or scrape it off and away from yourself with anything disposable. This stuff works based on your body weight, what a crop duster uses to kill bugs won't hurt you unless you stand there and breathe it in real deep, then lick the residue off the ground for a while. Remember they have to do all the work, they have to get the concentration up and keep it up for several minutes while all you have to do is quit getting it on you/quit breathing it by putting space between you and the attack.

Blood agents are cyanide or arsine which effect your blood's ability to provide oxygen to your tissue. The scenario for attack would be the same as nerve agent. Look for a pop or someone splashing/spraying something and folks around there getting woozy/falling down. The telltale smells are bitter almonds or garlic where it shouldn't be. The symptoms are blue lips, blue under the fingernails rapid breathing.

The military's antidote is amyl nitride and just like nerve agent antidote it just keeps your body working for five minutes till the toxins are used up. Fresh air is the your best individual chance.

Blister agents (distilled mustard) are so nasty that nobody wants to even handle it let alone use it. It's almost impossible to handle safely and may have delayed effect of up to 12 hours. The attack scenario is also limited to the things you'd see from other chemicals. If you do get large, painful blisters for no apparent reason, don't pop them, if you must, don't let the liquid from the blister get on any other area, the stuff just keeps on spreading. It's just as likely to harm the user as the target. Soap, water, sunshine, and fresh air are this stuff's enemy.

Bottom line on chemical weapons (it's the same if they use industrial chemical spills); they are intended to make you panic, to terrorize you, to heard you like sheep to the wolves. If there is an attack, leave the area and go upwind, or to the sides of the wind stream. They have to get the stuff to you, and on you. You're more likely to be hurt by a drunk driver on any given day than be hurt by one of these attacks. Your odds get better if you leave the area. Soap, water, time, and fresh air really deal this stuff a knock-out-punch. Don't let fear of an isolated attack rule your life. The odds are really on your side.

Nuclear Weapons
Nuclear bombs. These are the only weapons of mass destruction on earth. The effects of a nuclear bomb are heat, blast, EMP, and radiation. If you see a bright flash of light like the sun, where the sun isn't, fall to the ground! The heat will be over a second. Then there will be two blast waves, one out going, and one on it's way back. Don't stand up to see what happened after the first wave; anything that's going to happen will have happened in two full minutes.

These will be low yield devices and will not level whole cities. If you live through the heat, blast, and initial burst of radiation, you'll probably live for a very, very long time. Radiation will not create fifty foot tall women, or giant ants and grass hoppers the size of tanks. These will be at the most 1 kiloton bombs; that's the equivalent of 1,000 tons of TNT.

Here's the real deal, flying debris and radiation will kill a lot of exposed (not all!) people within a half mile of the blast. Under perfect conditions this is about a half mile circle of death and destruction, but, when it's done it's done. EMP stands for Electro Magnetic Pulse and it will fry every electronic device for a good distance, it's impossible to say what and how far but probably not over a couple of miles from ground zero is a good guess. Cars, cell phones, computers, ATMs, you name it, all will be out of order.

There are lots of kinds of radiation, you only need to worry about three, the others you have lived with for years. You need to worry about "Ionizing radiation," these are little sub atomic particles that go whizzing along at the speed of light. They hit individual cells in your body, kill the nucleus and keep on going. That's how you get radiation poisoning, you have so many dead cells in your body that the decaying cells poison you.

It's the same as people getting radiation treatments for cancer, only a bigger area gets radiated. The good news is you don't have to just sit there and take it, and there's lots you can do rather than panic. First; your skin will stop alpha particles, a page of a news paper or your clothing will stop beta particles, you just gotta try and avoid inhaling dust that's contaminated with atoms that are emitting these things and you'll be generally safe from them.

Gamma rays are particles that travel like rays (quantum physics makes my brain hurt) and they create the same damage as alpha and beta particles only they keep going and kill lots of cells as they go all the way through your body. It takes a lot to stop these things, lots of dense material, on the other hand it takes a lot of this to kill you.

Your defense is as always to not panic. Basic hygiene and normal preparation are your friends. All canned or frozen food is safe to eat. The radiation poisoning will not effect plants so fruits and vegetables are OK if there's no dust on em (rinse em off if there is). If you don't have running water and you need to collect rain water or use water from wherever, just let it sit for thirty minutes and skim off the water gently from the top. The dust with the bad stuff in it will settle and the remaining water can be used for the toilet which will still work if you have a bucket of water to pour in the
tank. 

Biological Weapons
Finally there's biological warfare. There's not much to cover here. Basic personal hygiene and sanitation will take you further than a million doctors. Wash your hands often, don't share drinks, food, sloppy kisses, etc., .... with strangers. Keep your garbage can with a tight lid on it, don't have standing water (like old buckets, ditches, or kiddie pools) laying around to allow mosquitoes breeding room. This stuff is carried by vectors, that is bugs, rodents, and contaminated material. If biological warfare is so easy as the TV makes it sound, why has Saddam Hussein spent twenty years, millions, and millions of dollars trying to get it right? If you're clean of person and home you eat well and are active you're gonna live.

Overall preparation for any terrorist attack is the same as you'd take for a big storm. If you want a gas mask, fine, go get one. I know this stuff and I'm not getting one and I told my Mom not to bother with one either (how's that for confidence). We have a week's worth of cash, several days worth of canned goods and plenty of soap and water. We don't leave stuff out to attract bugs or rodents so we don't have them.

These people can't conceive a nation this big with this much resources. These weapons are made to cause panic, terror, and to demoralize. If we don't run around like sheep they won't use this stuff after they find out it's no fun. The government is going nuts over this stuff because they have to protect every inch of America. You've only gotta protect yourself, and by doing that, you help the country.

Finally, there are millions of caveats to everything I wrote here and you can think up specific scenarios where my advice isn't the best. This letter is supposed to help the greatest number of people under the greatest number of situations. If you don't like my work, don't nit pick, just sit down and explain chemical, nuclear, and biological warfare in a document around three pages long yourself. This is how we the people of the United States can rob these people of their most desired goal, your terror.

Secret Prisons: Fact

So there's this place, you know, called the Salt Pit, you know? No you didn't know. You couldn't know, but now you know. Well, click here and you'll know. You'll know 'that', you can guess 'why', but you'll never know 'how' or 'to what extent'. That's why they call them secret prisons.

The WaPo reports:

The CIA has been hiding and interrogating some of its most important al Qaeda captives at a Soviet-era compound in Eastern Europe, according to U.S. and foreign officials familiar with the arrangement.

The secret facility is part of a covert prison system set up by the CIA nearly four years ago that at various times has included sites in eight countries, including Thailand, Afghanistan and several democracies in Eastern Europe, as well as a small center at the Guantanamo Bay prison in Cuba, according to current and former intelligence officials and diplomats from three continents.

Out here in the amature paranoia zone, we had an inkling that such things existed. I mean, why wouldn't they? Astute paranoids can google this number N4476S and find interesting yet inconclusive facts. It's hard to hide aircraft.

Be all that as it may, we at Cobb expected as much. And I hope people start taking Posner's advice more seriously. Because you cannot just say to the world that you're going to bring people tp justice, if you don't eventually bring them. So as long as we take prisoners, which in and of itself is an act of moral, civilized behavior, we're going to have to keep certain folks incommunicado. Sounds fair to me.

Clearly, the transparency of the American system is admirable. No wonder we have so many dissidents.  They get their day. Oh and one more thing before knees start jerking. Congress knew.

Richard Posner & The CT Circuit

Judge Richard Posner has made a rather startling insight in his podcast with Glenn Reynolds. It is a very simple idea to understand, and that is that given a choice between countering terror and protecting civil liberties, most courts in the US will protect civil liberties. That is because most  judges in the US don't know much about countering terror, and judges tend to talk what they know. He suggests that what we need is a Counterterrorism Court. Something akin to what the French have is what I interpret, but I may be wrong. I'm not particulary fond of the nomenclature of an Inquisitorial Court, but then neither am I particularly sanguine about the prospects for a purely executive solution to terror.

I have argued that I expect that the more terrorist trials we hold in this country the better we will get at it. If the GWOT is to be refocused as an international police action we are going to have to do a  better job of investigating. Posner opines that the FISA Court is really too narrowly focused on SIGINT to be broadly effective. I agree.

It is also becoming clearer to me that between what we have at Gitmo, old treaties, the Hamdan decision, it's a patchwork. I think there is a strong case for a new type of circuit court with new powers of investigation to handle the kinds of cases we are likely to encounter with Jihadists and non-state actors going forward. I think those who have, even under the influence of BDS, suggested that there is too much Executive power arrogated by GWBush are backing into the truth. I say that the Congress clearly isn't doing a decent enough job, and that anybody with gripes about Gitmo should be behind a new sort of judiciary power.

Everything is not war. War powers are not properly defined by precedent. GWB's lattitude given the mistakes of Iraq have wasted life and resources. Posner is onto something.

So what kind of confidence can we have that a special court will focus on terror suspects and not be especially corrosive of civil liberty? Is Posner someone we could trust in this regard? If not, then who? Are having new powers assigned to the judiciary a road to hell? Is the French model worthy of emulation? Or will we just shoot Osama in the head and be done with it - ie a take no prisoners attitude towards Jihadism.

I am particularly fond of Bush's phrasing of bringing the enemy to justice. The same old justice won't do.

Flushing the Stash

I'm reading about the Spanish Civil War and trying to understand it because it has been said that there are parallels to the recent conflict in Lebanon. Here's the thing about Spain.

Although the British government proclaimed itself neutral, its diplomats in Spain urged support for the Nationalists. Britain froze all Spanish assets, an act that affected primarily the loyalist side because the government had transferred its gold reserves to Britain for safe keeping at the start of the war. Similarly, the Anglo-French arms embargo hit the Republicans disproportionately and did not prevent the Nationalists from getting weapons from Italy and Germany. Britain also discouraged activity by its citizens supporting the Republicans. The last Republican prime minister, Juan Negrín, hoped that a general outbreak of war in Europe would compel the European powers (mainly Britain and France) to finally help the republic, but World War II would not commence until months after the Spanish conflict had ended. Ultimately neither Britain nor France intervened to any significant extent. Britain supplied food and medicine to the Republic, but actively discouraged the French government of Léon Blum from supplying weapons.

Where does American money go when our Republic is in jeopardy? I don't think I've thought of that scenario before. I mean our money isn't gold, it's 'numbers' in 'bank accounts'. But who is doing the backup to tape of the zillions of transactions? Lay that aside for a moment, and we'll get back to it.

The extent to which America is rich depends on our ability to transact. That is to say $30,000 in the bank feels good because we know that at any minute we can go purchase that new car. It matters that it's fungible. It doesn't matter to us if it's a money order, cashier's check, cash, credit card, credit union loan or backed out of home equity. It's fungible. And that is all consumer goods and services I'm talking about upon which a significantly large part of our GDP is based. But what is it? It's people paying a premium for Green Giant peas & pearl onions instead of the store brand. How much of our economic security is based on the meager but marketing-driven differences between plain-wrap and premium? If Americans actually sacrificed luxury and disposable-income type items, a zillion dollar economy would disappear.

It's a frightening thing to consider what our domestic world would be like if we didn't have so many millionaires who made their fortunes on suntan lotion or cheap sunglasses (echoing Neil Simon's Wax Fruit King from 'Come Blow Your Horn') What would it take to get us culturally focused on national unity? I would greatly fear that hypno-toad.

But really. Where does the real money in real accounts go if the paperwork disappears? To the courts? New obligations materialize? Does the Army commandeer assets to keep moving? Is it gold? Diamonds?

Granted, we probably don't have to think about these things. But if there is an Islamic Bomb in our future, perhaps we do. I'm sure somebody already has, but what was the answer?

The Iranian Infonuke

There's a bunch of fretting over the presentability of Crazy A's new blog. Well let me pre-empt the biggest bomb he can drop on American citizens and the West. What he can do, or anyone could conceivably do to undermine confidence of the American electorate in their government. That is to divulge American state secrets discovered by Iran.

Imagine a scenario in which some information about which the American insurgents at Kos or Firedoglake (for gratuitous example) were being widely denounced by the political powers that be, us. Let's say they argued in moonbatese that the Downing Street Memo for example was proof positive of some debatable point. We go back and forth with our various accusations of treachery and then Boom, the head of the Iran drops a hot document onto his blog that provides corroboration. It would be an incredibly bold and destructive move, one that could further destabilize the chatting classes of the West. We already have ingrown mistrust of government and the mainstream media, what if our fears were confirmed by the enemy? What if the enemy becomes a more reliable source of transparency than our own government? What if, in order to keep our loyalty, our government had to lie about the truth other governments were divulging?

It could happen.

Mel Gibson & Police Melodrama

The full title to this blog post is 'Mel Gibson, Police Melodrama and the Declining Significance of Jury Trials', which is my way of parsing this very important paragraph over at Thought, Word & Deed.

There is more to this than is being discussed in the mainstream media. It is why the mass media is not a source of news or information, but a source of US policy imperatives. Those imperatives do NOT indicate clearly what the US intends to do, but they do indicate what the US wants people to believe.

That paragraph is not referring to Mel Gibson but rather some speculation about hidden motives in an energy war between China and the US. The gist: Hezbollah may not be the tip of an Islamic spear as far as the US is really concerned, rather it's all about China's new energy business with Iran that is the subtext. So if the headlines are full of blather about anti-semitism of Mel Gibson, it's all about preparing Americans to support Israel.

But I'm not so much worried about an energy war with China as I am the possible disintegration of the court system. Is our desire for swift justice so achy breaky that we swarm over scribbled police reports in order to pontificate? Uh.. yeah. So Christopher Hitchens is declaring him guilty and Disney executives are declaring him not guilty. That's the real trial that's going on here, forget what the cops and attorneys and court think this is about.

Scary?

If you think that's not scary, then try to ignore the story. If you're reading this blog, you're already too well informed, so count the number of times and angles from which it drones.

A Successful War on Drugs

What if you could do this in the real world?

Electronic Arts has announced that it has confiscated approximately 15 trillion gold pieces from within its long running PC massively multiplayer online role-playing game (MMORPG) Ultima Online, which the company claims was obtained “through the abuse of bugs or exploitation of game mechanics”.

In relation to this, in a statement posted on the game's official website, the company noted that it has canceled over 180 user accounts that it found connected to the accumulation of what EA referred to as “dirty money.”

Neither Sources Nor Methods

USA Today has been duped. They are now retracting their claims after retracing their steps. Apparently, they cannot come up with any evidence of a contractual agreement between the accused telcos and the NSA.

Based on its reporting after the May 11 article, USA TODAY has now concluded that while the NSA has built a massive domestic calls record database involving the domestic call records of telecommunications companies, the newspaper cannot confirm that BellSouth or Verizon contracted with the NSA to provide bulk calling records to that database.

Now if I was a spymaster at the NSA and it was my job to give the agency plausible deniability, this would be a happy day for me. And you can be sure that if Arthur Andersen can shred records for Enron, the spymasters who may have arranged to suck the data out of the telcos are an order of magnitude more stealthy.

What I've learned from reading Kolb is that there are pros in the world of stealth that know how to make money rather untraceable. And it seems to me that one of the first things one would do in order to make such trails hard to find is to use proprietaries and cutouts. A proprietary is a company that does the business for an agency like a subcontractor. A cutout is a person that does a job but doesn't necessarily know who he is doing it for. Then of course there are just theives for hire or blackmail. Somebody who does a bit of dirty work and then is gone.

So here's how you do it. Maybe. You set up a company, say in Italy. It's a telecom and you buy the super sniffing hardware and software. You get your engineers to customize the software. You fold the company and disperse the assets to a cutout. The cutout's well-insured building burns down and the insurance claim says 'electonic equipment'. Now the asset is effectively destroyed. Only it didn't. It just disappeared and what burned in the fire was an ordinary PBX.

Next you find out interesting places where contractors and subcontractors have access to ports of entry into telecom and one day one of the normal contractors is out sick and your replacement dude puts in the wires. 'Out sick' means maybe he accidently got a flat tire and the 'dispatcher' said don't worry we'll send another guy.

Now you've got the super hardware in place, you've got the deniability on the actual asset sold by the legitimate sniffer company. Now you paper up your front-end. Which is to say, you make official overtures to try and accomplish through above board channels what you've already secretively done. This insulates both parties whether or not such overtures are accepted. If they are, all the better, you have a second source with which to validate your secret source.

I would be ashamed and embarrassed if our intelligence organizations weren't clever enough to jack USA Today and the NYT. So let the NYT have its moment of treacherous glory. Remember, the more incompetent the CIA appears, the more dangerous it actually becomes.

We Need Chloe

I am Chloe.

Everyday at work, and sometimes during lunchtime on my Treo and often at home, I am working IT systems to the bone. I'm usually the guy who understands what's going on in the log files and other strange places where users and developers don't go. I swear just the other day, I was looking to see if a particular employee tasked to our project was responsible for erasing data in one of our many databases. I was getting an IM from the guy who asked for this information just as said employee was walking into my office.

Maureen Dowd is right about one thing. There's a whole lot of rebooting going on. But these systems are far more capable, sophisticated and flaky than most people can even think of understanding.

At the moment I am struck about how those interpreting the '24' fantasy of CTU as a club against the awkward reality of the FBI and their inability to connect the dots. For the sake of hypocrisy, I hope these aren't the same people who grumble aloud about domestic surveillance. When it comes to domestic surveillance, critics seem to think the intelligence agencies are capable of panoptic evil, ie spying on you and me and knowing who is on our friends and family calling plan. But when it comes to finding Osama, the intelligence agencies are bumbling Keystone Kops of the first order.

I was thinking about the difference inserting an anonymizing lookup table in the middle of a downselect for terror suspects or other data mining targets. In theory, such a thing is relatively simple. In practice, it's just another moving part. As we in the systems business know, everything that can go wrong, will go wrong, and the more moving parts you have, the more likely something is to go wrong, the harder it's going to be to figure out what went wrong, and the more difficult it is to fix when it does. Beyond that, when things go wrong, the temptation is always to fix, rather than redesign and rebuild. That's what gets us systems guys in trouble.

But anybody who watched the famous hacker qualification scene in the film 'Swordfish' knows the kinds of situations that we systems people are put in when somebody wants something done NOW. If you haven't, suffice it to say that the pressure can be enormous, and often unrealistic.

So it came as no surprise that one of the earlier versions of the domestic surveillance programs did indeed have the provision for anonymization of records to be searched but the idea was dropped. But the simple insertion or deletion of such anonymization procedures isn't all that has to be done when a functional decision is made to go one way or another. There are consequences of being willfully blind in a system designed to find thing for you.

Does Google Know Your Password?

I've gone through a bunch of crap recently with Bank of America. Apparently they are yet another in the line of dupes who have been namejacked. I hereby invent the meme, namejack, btw. 'Identity Theft' is so legalese. And so, about a month ago I discover that all of my cards have been locked and I suddenly was trasported back to 1982 when there were no ATMs and on Friday you had to get to the bank with your checkbook in hand so that you'd have enough cash to get through the weekend. The problem was that nobody told me about it until I was running late for work one day trying to get my car out of the shop.

The guy runs my ATM and it rejects. What? Admittedly 900 bucks isn't peanuts, but I had more than double that when I checked the account by phone just before the Spousal Unit dropped me off. I can't explain it, I don't know what's going on, I'm just standing there like a putz in front of the guy with greasy hands. And quite frankly, let me tell you something, I'd trade places with homeboy in a heartbeat. Think about it, he's got a parking lot full of Benzs and BMWs right on Pacific Coast Highway in Manhattan Beach. He doesn't work weekends, and it took him a day to turn around my 900 dollar job, netting him some 400 odd in labor. It's like being a ski instructor in Vail. Anyway, I decide to use the company expense card which has no ceiling, and then I get by butt chewed out for that one month later.

Bank of America was at least being proactive, the problem was that they got to the Spousal Unit before they got to me. Now we're enrolled in some scam that cost us 200 bucks. She, like millions of others, forgot to opt out. So I had to spend an hour on the phone getting my online banking running again. So today they hit me again, proactively, and force me to change my password.

I did so, using one generated by Schneier's PasswordSafe, which is one of the best pieces of software on Windows. Just to make sure, I thought of a cool idea. I wobbled over to another machine (thinking about caches here) and entered the password into Google Search. I figure if Google never heard of it, I'm probably pretty safe, considering that every published password cracklist is on the web, and Google has likely seen it.

You may remember the old George Carlin joke. He said, "I'm going to say a combination of words that you've never, ever heard before. Listen. You've never heard anybody say this: I'm going to take this red hot iron poker and stick it up my ass." It's true of course. Before that moment at the comedy club, I'd never heard anyone say that. But it's a good way to remember that if you're going to use non-generated passwords,  you should at least Googlewhack it to be on the safe side. BUT. Don't do it on a machine that you own, or at least wipe the local cache on your browser.

Then again, if you're a glutton for punishment and want to get namejacked, go ahead and stick that hot iron poker of a stupid password.. Nobody is safe.

Whose LUDs?

So the guys and I are standing in line at the Subway waiting for the tatooed slackers behind the counter to be done with the sandwich-making for the 3 people who have been in front of us for 15 minutes. The subject turns to the NSA in the news today. I fall back on a couple old saws.

Back in the Bubble days, we went through all this privacy crisis about cookies and who knew what about your websurfing habits. So since I was a sales guy I had to put the whole thing in terms of money and risk - things I figured my audience would understand. So I repeat them today, bottom line, the government doesn't want to invade your privacy half as much as you think they do, and you couldn't stop them if they did want to. The question lies primarily in understanding what your value is as a target of investigation.

So the cookies, credit cards and fear objection to shopping online went a little something like this (recall that this was when Orbitz was a startup). Your travel agent (that almost extinct creature) has all kinds of information about you. Multiple credit card numbers, what kind or rental car you like, what kind of food you like on the plane, what hotels you prefer, your home address and all that. If you're a business traveller, you'll spend thousands and thousands of dollars with this person that you will never see in your life. Now admit it, have you ever in life met your travel agent? So the question was, how much do you think companies pay to get information out of your travel agent? The answer is basically nothing. You volunteer up all that information for something called 'frequent flyer miles'. You (your company) basically has to spend about $20,000 for you to get something worth about $500. That's a real economy.

So my killer question was, how much do you think anybody is going to spend to find out information about you if you're just spending $300 a year online at Barnes & Noble? Very little.  You're not worth it. If anybody is going to cheat you out of your cretid card info, it's going to be that pissed off waiter getting paid minimum wage who watches you wolf down that gourmet meal at the restaurant when you under tip.

The other thing I pull out of my hat was my experience with Safeway. Now this was several years ago so I think I can break the silence. But basically they told us that all of that shopping cart data that was attached to your personal ID was collected, but it was too damned expensive to process. They had terabytes and terabytes of data but all the compute time it took to mine it for potential savings based upon the gathered information was so expensive in terms of expertise that it wasn't worth it to try and process it. They told us to shutup about it because they wanted their competitors to believe that they actually were doing it so that the competitors would buy the same huge Sun servers and Oracle software that didn't work for them. They just sat on top of the data and squirreled it away in hopes that someday data mining techniques and supercomputing would get cheap enough to do it.  Safeway basically should have done what Walmart did, just forget marketbasket analysis and customer profiling and deal with basic supply and demand for the purposes of smarter pricing. Profiling is a much more difficult problem.

It might surprise you to know that there about an average of 16 thousand murders every year in the US. And I think it's reasonable to believe that NYC's clearance rate of about 2/3rds is probably typical. Considering the massive amount of resources America's largest city has to offer it is probably parallel to the federal effort at anti-terrorism. So here is another factor to deal with. If there are about 5000 unsolved murders in the US every year what can be predicted about the amount of terrorism we might foil, and given that we don't pre-empt them, how many terrorists will get away with murder? For the sake of argument, imagine that the Department of Homeland Security is twice as good at their job as the NYPD. That means we could expect that 17% of all terrorists will escape.

Anybody who watches Law & Order knows about LUDs. Anytime somebody is murdered, the first thing the detectives do is go to the phone company and get the records of who the last person was that the deceased talked to. They don't have the content of those conversations, just what number, who that person is who owns the number (but not any proof that the owner was the one talking) and how long the call was. According to what I've seen, a warrant isn't required in real life. And yet even with this tool, a maximum of about 70% of murder investigations are solved.

I would add one more talking point to this discussion which is obvious. The telephone companies already have this information. What rights do they have to it? What contract might have been breached in selling or giving away that information about your phone calls? What is the dollar value of that transfer of information and how much is it worth it to mine data about you?

Long ago when online banking first came to us, I envisioned a new kind of entity. I assumed that people would trust banks to be trustees for their digital deposits. I thought there might be a such thing as a digital safe deposit box in which you might secure your bits. It hasn't happened. The technology appropriate for that has been decentralized and you can do it yourself. However there isn't much protection easily applicable to your phone and other communications. What I think is needed is some kind of attorney-client privilege shield, the kind that hasn't been broken often, for such matters. One presumes that Google might have done well by the expectation of privacy geeks online, that may or may not be. But what is clear is that people have not been willing to pay for security in a way that might sustain such a bank as I envisioned, and it is unlikely to become a recognizeable business any time soon. It will just be something that geeks know for the benefit of geeks but won't be successfully commercialized. At some point it could be, but how much would you pay?

To be snarky about it, I should ask what protections those people whining most loudly about their privacy concerns have taken to safeguard themselves. I ask those who bleat in fear of global warming why they haven't moved north to Canada. In the end, despite their complaints, they realize it's just not warm enough yet, besides moving would be too expensive. I say likewise the NSA isn't invasive enough and there's no money in it.

The Non-Islamic Bomb

OK so I just wrote about how I thave a good amount of confidence that we'er going to survive a nuke or two on our major cities. Well, not explicitly, but I implied it. And I'm pretty sure that cancer is not going to kill us all off - in fact it makes us tougher. But what if there were something even more insidious and potentially deadly out there?

I am starting to discover what people think about me. My mind is fertile and lots of ideas are capable of taking root and growing there. In other words, my head is full of steer manure. As if I didn't have enough to concern me, and old buddy I met here in Vegas has got something growing under his fingernails that he scratched into me. Nanobiotech.

Nano who? OK here's the deal and we'll go straight to the scary part. What if you were a mad scientist bent on destruction? With nanobiotech you could conceivably manuafacture Marburg in your garage. Or if you were bored and a tiny bit more clever, you could give the Bird Flu virus just the kick it needs to be transformed into something that passes from birds to humans. Not that it would necessarily be deadly in the communicable form, but you certainly wouldn't take the blame. Most of the planet already thinks it is inevitable. Play god by doing science.

The problem of the 21st century is what to do with the power that will soon trickle down to elite cliques. There used to be a time when the kind of doing that got respect and power in this world, was the doing done by very large organizations. If you wanted to accomplish something of significance and note in the world, you had to have a several hundred million dollars and several hundred bureaucrats, logicians and assorted henchmen at your command. Well that's still the case, except that there are a lot more individuals who have those kinds of resources at their disposal, and it is not altogether clear that they are as well regulated by the force of nations any longer. Of course there are billionaires in the mix too. This level of player is not so well tethered by the would-be Leviathans of society. And while human beings are still meatbags with particular weaknesses, a couple cliques with people like Mark Rich or George Soros in them can wreak interesting havoc.

Since we still live in an era of Scientific Animism, a general belief in progress and riches can collude with self-interest in dangerous ways. What if Bill Gates and a few of his best buds decided that we really need cloned sheep? What's a couple billion in research dollars? Not only a drop in the ocean of big governments but multinationals and global drug traders too.

So we know that there is ability out there. We could argue about motive forever. The bottom line is that sooner or later, especially if we elect another born-again pro-lifer who despises medical research of the godlike variety, some non-government entity is going to start engineering some very small potentially very dangerous microbes.  I'm not paranoid, but I'm not falsely secure either. Government doesn't make it better, but it makes it slower so more people can figure out what's going on. In the case of nanobiotechnology, maybe that's the best thing.

Islam isn't the only force for radical change in this world which can spliter off into unhinged areas. Every billionaire and his tribe, every multi-millionaire and his country club / yacht club / health club contingent is a medium-sized disaster waiting to happen. They'll call it investment in biotech..

What Color Fish Are In the Narus Net?

A question of legality.

In the news today is the revelation that the NSA has been using something called a Narus 6400, which I take to be a very high capacity and fully programmable packet sniffer, to intercept massive amounts of data from AT&T and one presumes, a bunch of carriers in order to persue the President's initiative on connecting the dots.

We know that Congress has been briefed and we have the assurances of key 'critters that the scope of these investigations, while pushing the envelope of the FISA warrant protocol, is most certainly aimed at terrorists and their associates. So while there are plenty of folks who appear permanently outraged, an interesting question did pop up over at Kevin Drum's joint.

Data mining means what you do with the data after you've collected it. You use statistical analysis and other techniques to discover relationships and patterns, on the basis of which you can take further action.

Where did you get the data? That's what is at issue. They giot the data illegally without a warrant. THEN they used data mining to narrow the scope of their privacy invasion, so that they could get more data illegally without a warrant.

Kevin Drumfuk, the ex marketing guy, knows enough about marketing to be dangerous. By dismissing all this as "data mining" he has led countless other moderates to be relatively unconcerned about this NSA thing -- except for the technical issue of Bush not obtaining warrants for the deeper penetration.

It was logically clear from the beginning why Bush didn't go for the warrants. He couldn't, because the evidence he would have had to use to justify the warrants had been illegally obtained in the first place, by wide-scale and indiscriminate wiretapping. Whether they used sophisticated data miningh strategies or just plain common sense mdoesn't matter. It was illegal from the word go.

Once you cut through the screaming, the question boils down to this. If you're tasked with catching and skinning only blue fish, is it legal to use a net that catches every colored fish?  The common sense answer is (whether or not the legal answer is) that so long as you throw the other fish back, it doesn't matter. Or does it?

What little I know about domestic surveillance I learned chasing down some arguments about how the LAPD or FBI might deal with a drug dealer, as well as when the discussion was on Carnivore. Basically, when you tap the wire you tap the entire wire - ie you use the big net. While you listen, and tape, the only part of the conversations that are admissible in court are those relevant to charge. So part of the data mining question is not so much whether or not the Narus box is located at AT&T's central switches, but what volume of data they are sending back to NSA, in other words the collection protocol.

Forget the instrumentality for a moment. If I were the NSA, I would allow the box to be remotely programmed so that if I have a new target profile, I wouldn't have to send a tech to each site. I would also take the smallest reasonable amount of data out of the switch center to make my searches more efficient (reduce the data mining universe and insure against false positive hits) and to reduce my legal liability for eavesdropping. Not to mention that the more data that travels from AT&T to the NSA, the less relatively secure it is. 

Drum's nemisis is arguing that NSA is collecting an un-audited & ungodly amount of data from which to mine nuggets of terrorist conspiracy, and that Republicans will necessarily keep a huge amount of this data for their own nefarious and corrupt purposes.

The disconnect between the NSA and the Republicans is something that lots of whiners blithely pave over. NSA professionals are of a different breed than GOP apparatchiks, let us keep that in mind. But here's where it gets interesting.

If I were the NSA, I would want to reverse-engineering Narus' technology. Why rent the cow when you can own the farm? The question on Narus' liability would depend a bit on whether or not its machine was doing all it was supposed to do, and if NSA hacks it and makes it grab more than it should, then Narus could be in trouble. But if the NSA had a reputation for doing such dirt, it would be difficult for them to ever get outside help, and I seem to recall that they were trying to improve their ability to leverage tech that wasn't invented there. Clearly EMC has done alright for itself (and it comes as no surprise that they own VMWare when you think about it). Still, the NSA's interest in domestic surveillance is basically 4 years old.

Container Nukes

An interesting discussion about recently confirmed cold fusion is going on over at Slashdot. Here's a real gem that puts some nuke fears into perspective. I never really thought about what quality nukes a terrorist might actually get their hands on.

Modern nuclear weapons are around 1 MT, usually a bit less, as that's the optimal size for a weapon you can target accurately. The larger nukes of old were designed to crack silos with a near miss, were extremely expensive for their mission, and were taken out of service long ago. If a terrorist gets a nuclear weapon, it's either going to be a sub-MT military weapon, or a quite a bit smaller "home made" fission only device (modern nukes are pretty sophisticated fusion-pumped-fission devices).

Let's do the math [nuclearweaponarchive.org]. A 1 MT nuke detonated at optimal blast height will knock down residential structures at a radius of 10 km, more solid buildings at 7 km, and at 5 km knock down reinfored buildings and kill people outright from the blast (and all other effects, such as high doses of radiation, have smaller radii). A surface blast would have a far smaller effect. The only real point of a surface blast is to generate radioactive fallout (an air blast generates surprisingly little, though it would still hinder clean-up and rebuilding).

So yes, in theory, a terrorist with a high-quality military nuke (let's imagine a few were sold out of the old USSR armory, and somehow still worked today (the tritium would have to be replaced, which is quite technical, but lets imagine a scientist came with the bomb)) could sit a couple of kilometers off the coast and destroy some structures along the coast. Good for psycological impact, but not much else, and insanely expensive to carry out. A 50 kt fission bomb, a far more likely scenario for a terrorist, would have less than 40% of the blast radius of the high quality military bomb, and would probably need to be within 1 km to be effective.

A surface blast over *land* is what a terrorist wants, because the radioactive fallout would cause a world of hurt. You'd get very little of that even 1 km off the coast, and even a ship at a dock would produce far less fallout than a bomb 1 km inland. It's *definitely* worth checking for nukes at ports of entry: the threat just goes down very fast as the bomb moves away from land.

The Nuclear Weapon Archive is extrarodinarily cool.

Spying on You and Me

When I was a California teenager, I used to roller disco. In fact I was about as good in that as in most things I do - the lower upper middle class. Which means that I was good enough to be an extra in a first rate deal. Always mindful of such matters at the ridiculous age of 19, I often made it a habit to hang out at Venice Beach and Hollywood Blvd. As a measure of my own vanity and success at roller disco, I would perform and get people to take pictures of me. These would be tourists of course, locals would recognize me, and I would always be welcome to hang out with the cool guys and girls as we skated our way into that particularly Californish oblivion. Somehow I am reminded of this by the Cameo song 'Shake Your Pants' as well as 'Gloria' by Laura Branigan.

But I was also reminded of this by my trip to Hollywood the other night as I found myself in the viewfinder of half a dozen folks with digital cameras. And I wasn't even showing off. Everybody has got digital cameras it seems. Outside of your home, it's the big bad public boys and girls. Be prepared for reality TV. I'm quite adjusted to this reality because I recognize my ability, abetted by Google and you lovely trackbackers and readers, to create a self-portrait which is better than the average Joe. That is to say while it would take a bunch of you a while to figure out what my zipcode was in 1993, it's actually published somewhere in mdcbowen.org. And because mdcbowen.org has been growing steadily for over a decade, it would take quite a bit of disinformation to destroy the public record I have created about myself. I'm not saying that it would be impossible, but that it would have to be a professionally done job, a contract of non-trivial figures would be required to undo what I have done in public.

Since I am a member of the Bear Flag League and the Conservative Brotherhood, for example, it would be particularly difficult to make the case against my character as a domestic terrorist. Hell, people believe that I follow and defend George W. Bush blindly.

But what if? What would I have to do in order to be the target of the kinds of extra-FISA spying that is going on these days? What kind of finger has to point me out? It would certainly be more than a random happenstance. What keeps me safe from the prying eyes of the government? Nothing. Absolutely nothing. I understand this. I know that every code I know everything I am could be put under a microscope. You might say that I am paranoid about it, but I think it would be more appropriate to say that I am Jewish about it. I understand that there is an almighty power that certainly capable and willing to judge everything I have ever done in my life. Whether it is God or the Government makes little difference to the extent that I discipline myself to be exactly what I intend to be. That is to say, my belief that I will ultimately be called into account for my life is a self-directed kind of thing.

It's facile to say that only terrorists should be afraid. We should all be mindful of whether our laws are just and whether they are followed whether or not our own personal privacy is at risk. I'm all for the disclosure that Congress is forcing upon the Administration. It's about time that they do their job, and while they're posing and being shrill, they are doing a decent job in giving us all something more to chew on.  Nevertheless what is at the bottom of all this war on terrorism is a matter of character. Some people who believe they are only accountable to God and not to their neighbors have decided to hide their character and intent. They are, not like young American teens, shameless and wanting to be seen and admired by everyone. No they carry secret burdens and secret shames and are trying to conduct their business in secret. But we're all watching and listening and trying to ferret out those who would destroy our society and peace. Everybody has a camera. Everybody is being watched. What if the enemy is us?

In the end there's only one way to find out. Follow your suspicions and clues and expose the motives and intents of your suspects. It means everyone may be called into account. There's no better case for improving one's character than that.

EO 12333 & The Meaning of Death

I try not to go through life with my jaw dropped, but I have to admit there are some awesome things to marvel at. Today I have marveled at the pretense of objectivity by Nina Totenberg and the whole NPR staff that pre-empted Terri Gross with their idiotic 'Special Report' on the Intelligence Hearings. I marveled at the arrogance of those Congresscritters who do nothing all day but suck up to lobbyists and their wacko constituents instead of really bothering to get into the guts of understanding how the President is actually approaching FISA. The nerve of their speculation!

Not too many people are blogging about E0 12333 (in plain sight), but I hope some (like Bloggledygook) get into the thick of it. Because if Leahy isn't going to moderate his mouthing off about the NSA professionals and Administration lawyers blindly breaking the law, and if NPR isn't going to be reasonable in their coverage we're going to have to do some fisking. The way they were pushing Gonzales all over the map like W had gone apeshit was really embarrassing.

But there are astonishingly good things to marvel at as well. Today I found this essay which I hope people all over the 'sphere gang-tackle. It's great! O would it I were Instapundit. Hmm.

The only point to death is a point you make yourself. You make your death have meaning by giving your life meaning. You give your life meaning by choosing a project to accomplish, or by accepting as your own a project given to you by others or by God. That's it; but that's everything. The young marines who have died in Iraq did not die pointless deaths or meaningless deaths.

Definitely read the entire piece and find a way to spit once again in the face of Joel Whatshisname. You see we live in a country where there is a huge population of loud people with access to mass communications who are mentally and morally incapable of understanding the honor due soldiers who fight in defense of our liberty. So you can hardly expect them to see the value in electronic surveillance. If there is a sliver of a law they could use to decapitate executive leadership, they'll use it.

I wonder if they would dedicate their lives to it.

Tom Holsinger: The Last Word on FISA

Basically, it's outmoded and requires an overhaul.

My father was the adminstrative assistant to a Congressman on the House Intelligence Committee at the time FISA was enacted in 1978. I was and am familiar with the public and Congressional debate on FISA at that time. I was engaged in the private practice of law at that time and so able to follow the details.

My brief conversations with my father and his boss about FISA taught me that Congress was determined to head off future domestic abuses of what was then perceived as the NSA's rapidly growing eavesdropping ability. They didn't care at all about "foreign communications" - those into or out of the U.S. The Executive Branch was adamant about Congress not touching the NSA's surveillance of foreign communications, and Congress didn't care at all about that so the Executive Branch got its way there.

He has more at Volokh.

As Drezner suggests, the administration should throw this back to the Congress and get an updated statute. There's no way the President should be breaking the law, and this one is broken.

Google Masking

The problem with me is that I've done roller disco at Venice Beach and breakdancing at an awards banquet. The rest of you might be more easily embarrassed by con-men and blackmailers. So if you think you may have surfed some porn and that Google might know something about it, you might want to anonymize your Google cookie. I find it difficult to give a gnat's gonads, but it might just be that I'm not paranoid in the proper dimensions. I worry a lot more about people finding out that I might have bad breath.

Those of you on the inside of the bubble may have already been there, and I may adjust my habits in due time. In the meantime here's the link.

Bamboozled

I hereby punch myself in the nose and admit that I have been taken in by viral marketing. All that Dave Chappelle business is clever marketing hype for a new Charlie Murphy movie. But now I'm not even sure that it's a real movie.

Trust no one. Especially not friends who send you IMs in the middle of the night with hot news about Dave Chappelle.

Let the record show that the last page was not there two days ago. At least that's my source's excuse. My excuse? I write too much.

If I ever see Charlie Murphy, that fool owes me a beer.

Public Whistleblower's Escrow

I must confess that although most of my passion about the Plame Affair is spent, the idea that Karl Rove is the dealer of dirt makes for a healthy bashing. I say whomever did it should go down, but I won't get particularly purturbed if it doesn't happen. Part of the reason has to do with the complexity of the shield privileges and my orientation towards technology.

I always believed that some private companies or entities (and I had always thought it would be banks until I realized how wealthy and powerful ISPs have become) would do the public a great favor by providing digital escrow accounts. The basic idea was for an individual to be able to do the 'swiss banking' thing with their digital data.

Anyway, cut to the chase, here's what I'm looking for. I am looking for bloggers and cypherpunks to come up with a way to shield and serve whistleblowers, and I want Pajamas Media to be the place. If you don't trust Time or the MSM, trust the blogosphere.

Now the only question is how.

Novaya Zemlya

I am fascinated by Wall Street bond trading and nuclear weapons. You can talk about these things all your life and never really understand them. I am also fascinated by remote places on the globe, not because they are particularly hostile, but because they are remote. So this evening by chance navigation by way of Google Earth and Alamogordo, NM, I have arrived at a Russian nuclear test site. It's an island called Novaya Zemlya.

Chances are you've never heard of the place before. I know I haven't. And yet isn't that extraordinary? The biggest explosions in the history of mankind, these nukes. But none of us know where they happened or might be happening.

Do you rembmer when the Kursk went down in the Barents Sea? It's still there. Makes you wonder what else is out there.

Internet Privacy: Knowing vs Doing

Despite all the guns out there, chances are, you're not going to get shot. Despite all the credit cards you have, chances are your identity is not going to get stolen.

I've been a little lax on following up on the many interests I've cultivated in my life, among them security and paranoia. So I've only vaguely heard tell of Bank of America's loss of private information to crackers and identity fraudsters. But I'm not really worried.

Back in the days, before the internet bubble, our division got into a lot of PR hot water over the matter of privacy. I had a nicely complex argument that shot down most arguments against our cookies and weblog inspections that went a little something like this. You need to take into consideration the value of your information. Why would a thief buy $500 tools to steal a $50 item? And while it may be true that part of the value of these recent identity theft break-ins is the size of the theft, sooner or later there has to be a fence value for each one. What is, indeed, the value of you mother's maiden name?

I've been thinking about what the value of my writing on the internet for the past 12 years has been. I've always assumed that some poor graduate student would have to troll through it after I'm gone to make some anthropological sense of the contribution of the post-civil rights black middle class. But more recently, especially since my mother says I confess too much, I've been thinking about its value to my own children. After all, they're probably the only ones who really care enough to read more than a little bit. I don't tell people to read my blog, and I don't often mention that I do blog, but I think that most of my friends know about it - and don't read it. I know that my mother is the only family member that reads Cobb on the regular. Such facts, combined with the fact that my IQ is right about at the same level as my FICO score, I don't particularly worry about my identity being stolen.

I have several issues with 'action at a distance', and so while I am often the first to indulge in the latest technological goody, I am far from being dependent or overly respectful of all this stuff. I know how fragile it is and how wrong it can be.

Since I'm not cheating on my wife or stealing from my employer or blackmailing anyone, I can see no particular enemies looking to do me in. When you think of the guns and violence, we know that people are generally killed by people they know for reasons that don't take long to figure out. It's likely to be your own son who is out joyriding in the family sedan. Because it's a family sedan, it's not so attractive to professional thieves. My identity is no Mercedes Benz, at least my identity as tied to financial data about me in hackable computers somewhere. But if there is dirt doable to me, it would most likely be by an insider. Did I spend 200 bucks on a dinner in Salt Lake City? My wife would kill me if she found out. That's my kind of worry. (Actually it was only 74 bucks).

So considering the massive amount of information about me through my blog, and who knows what the google archive has via google groups, there's a lot to know, but little to do. What's the motivation? How is the information valued? Moe importantly, how does it get fungible? Which is to say, where is the fence? What is the eqivalent of a pawn shop for the last four digits of your social security number? What do you care if your eyeglasses perscription falls into the wrong hands?

Still, I'd be a bit more comfortable if we had the option to generate our own passwords and identifyers. PGP with a picture and a signature would be plenty. Some joint like the UPS Store (where my favorite Notary Public can be found) or Kinkos could provide this service to customers - live authentication. Banks would be uniquely qualified to do similar things. In fact, I could see a privatized national ID system coming to fruition sooner than a Federal one, and I'd be all for it. Until then, all my business is in the street, and who cares?

Emmitt Till and the Panopticon

Emmitt Louis Till died about 50 years ago, but it has been decided that his body should be exhumed in order to discover new forensic evidence which might lead to others who might have participated in his killing.

In a related story, a registered Oklahoma sex offender was not captured in a Georgia arrest because of a 'failure' to match his fingerprints with all of his known aliases in the FBI database.

People keep mumbling about national ID cards and drivers license requirements. All three subjects are fueling the fire for construction of the American Panopitcon.

Since I'm a civil libertarian, as is most of the Old School, considering that it was our Civil Rights Movement that gave birth to that infrastructure, I have my reservations about panoptic security. That means that I recognize the tension between liberty and security. If I remember correctly, Patrick Henry didn't say "Give me security and give them death." I think we're on the same side of the fence.

And yet the more we try to get justice 50 years late, by using new techologies, the more we tip the balance towards building the perfect system of security. Sure murder is murder and there is not statute of limitations on that, but such matters cannot be taken in isolation. The proper legacy of Emmitt Till is not to be found in a murder conviction, but the moral conviction his death fired in 1950s America. To ask more of Till's dead body is to enable the panoptic forces.

Gladwell's best aphorism of 'Blink' comes to me in the form of the notion of panoptics and chess. Those who argue that enabling the electronic eyes ears and noses of the Justice Department (or the Defence Department or the Intelligence Services) will make us win, because we'll be able to see and hear everything. But consider a chess game. Surely there is nothing you can't see in a chess game. But does seeing everything help you win? No. You cannot see what your opponent is thinking. All you know are the moves he has made in the past.

Surely providing for our security is more complex than a chess game and it's better to see than to be blind. But there are limits at which the price of seeing is not worth the marginal benefit of security. We should be more robust in ourselves and stop wishing for intervention under all circumstances.

Little Brother

Little Brother
The cases brought against protesters in NYC during the Republican National Convention have had a stunning failure rate of 91% according to this story in the NYTimes.

I take this one at face value as further evidence of what the decentralization of technology will enable citizens to accomplish independent of large slow traditional organizations. This is clearly smartmobbery, which can be a good thing. On the other hand, it can start an escalation in the sophistication with which red-handed authorities handle their tech. I predict the upper hand will remain with the crowds for the forseeable future.

Driven to Security

Apart from the fact that I am doing it between 9pm and 2am, my quest to master elements of electronic security are very good for me.

When I took my first full-time job in 1979, it was at the radio department at Fedco La Cienega. As much as it's possible to be something of a local celeb, it was a very cool job to have back in those days. Hmm. I do need to do some more writing about those days. At any rate, I spent a lot of time at the high end audio concession and had a serious case of audiophilia, traces of which infect me to this day. What astounded me was that I discovered that there were turntables which didn't wear out records or skip. In my entire life up until that point, I took it as the nature of the beast that eventually all vinyl records skip and that you need to tape coins onto the tonearm so they wouldn't. Then I started learning about the subtlties of tracking force, anti-skate and the rest of turntable physics and I began to understand a new dimension. I soon purchased a Dual 440 and showed off the fact that I could play records upside down. Freaked people out, and underscored my lust for the technology. These days I am lusting after the unattainable beauty of perfect security. I'm actually starting to have dreams about it.

I've gotten my GnuPG working through Enigmail and a crufty little tray app called WinPT, but I'm digging the CLI. I've also been coming up with a series of code schemes to assist me. As I continue on this quest, several aspects of security are becoming clearer to me - to the point at which the hitherto impenetrable language is actually starting to make sense. But that means bigger questions.

Halo Ring Triggered

This magnetar story is incredible.

A huge explosion halfway across the galaxy packed so much power it briefly altered Earth's upper atmosphere in December, astronomers said Friday.

No known eruption beyond our solar system has ever appeared as bright upon arrival.

But you could not have seen it, unless you can top the X-ray vision of Superman: In gamma rays, the event equaled the brightness of the full Moon's reflected visible light.

OK what does this mean. It means a couple things. If there were a neutron star that flashed like this somewhere in this galaxy, we'd be dead. No only that, since gamma rays and light and all that fun stuff travels at the same time, there would be no warning. Warning would be impossible. One side of the planet would get fried immediately, and depending on how long the flare was so would the other. Then if all of our best scientists and equipment were to survive, it would take them two months to figure out what happened.

Lovely.

SHA1 Broken

Just yesterday I downloaded cfv, a cool CLI tool for win32 that gives me some version checking stuff. I'm going to build a general purpose thingy that helps me build some automatic versioning tools and tripwire stuff. There are plenty of applications for it and I'm going to try to work it to make a secure file system, which is to say one that allows me to eyeball a log of changed files on a daily basis, extra coolness eh?

Anyway, the cfv package hosts a myriad of hash functions which are of varying length and sophistication. I'm a bit paranoid, now that I mention it, of the PGP 8.1 version that I got from PGP.com because its signature file has a dead or revoked key and the pgp keyserver isn't very responsive. I'm beginning to think that PGP itself is a honeypot. So my trust of hash functions has come pretty much down to MD5. But even so, since I use SlavaSoft's HashCalc, I had some interest in SHA1 since its result is a little bit longer. (This by the way made me think of whether or not that's what Google or other websites use to make an ID cookie...) Either way, it appears that it's now broken. This means work for security guys everywhere. Flight to quality. Must be nice.

In English from Frobnicator:

Yes, they found a way to break the hash function. But as the parent said, it does not mean it's suddenly invalid. Sure, the group found a way to break the algorithim, but look at According to TFA a collision can be found in about 2**69 hash operations. That's 590295810358705651712 attempts before they can find a match, as opposed to the 2**80 (1208925819614629174706176) that was expected before the paper. While the paper means it is orders of magnitude less work, it still means a lot of work for the attacker. Lets look at two relevant examples: disc images and passwords. Lets say I have an ISO disk image. I hack it, and want to modify some of the 'junk' bits using their algorithm. I'd still need to perform 590295810358705651712 hash operations on that image. Computing the hash of a disc is a slow operation. That's not something I could do in a day, week, or even a few months. Perhaps if I had a massivly parallel computer available, I could do it, but not as an individual. For a password, hopefully your system would lock the account long before there are that many failed login attempts. However, if your attacker has that kind of resources, you can assume it is feasable for them to find a hash collision. That's really only significant for governments, multi-national organizations, and other major enterprises, but not for most people.

So down here on earth, it's not a big deal, especially for those of us who don't shred all our trash.

Cell: Processing Jail

IBM's new Cell chip could be revolutionary.

"It’s hard to avoid the conclusion that Cell processors will have an extraordinarily secure but cumbersome memory model. For each main-memory access, the processor would have to consult four lookup tables... Three of those tables are in DRAM, which implies slow off-chip memory references; the other table is in the DMA controller’s SRAM. In some cases, the delays caused by the table lookups might eat more clock cycles than reading or writing the actual data. The patent hints that some keys might unlock multiple memory locations or sandboxes, perhaps granting blanket permission for a rapid series of accesses, within certain bounds."

The Cell chip promises to destroy spam, viruses and spyware. That's the good news. The bad news is that here we have the makings of the beginning of the end of file sharing, basically the ability to put DRM security into hardware.

While it's certainly true that security schemes like DVD decoding can be 'chipped', those are rare individuals who can. The ability to short circuit the memory model of the CPU is going to be a rarer quality still. So, practically speaking, once Cell chips are common, the world loses the power of the masses to overcome industry security.

This is yet another indication to me that we are coming closer to the surveillance society, that more and more of our activities can and will be monitored. There are many ways out, but not for the urbane. Some other time, I will talk about life off the grid, which I predict will be the return of the rugged 70s, which was actually a pretty interesting time in its own right. But now, let's consider life in the grid.

The promise of grid computing is delicious, and the Cell processor will be a great enabler of that. A moment's consideration suggests to me that somehow, there are going to be fingerprints on processes. In certain ways this too is very exciting. For those of you who are less technically inclined, think of it this way. If you are using windows, if you bring up the task manager, you can see all of the programs your computer is using, sorta. Notice the difference between 'Applications' and 'Processes'. As I write this I show 9 applications running, which corresponds exactly to the number of windows open on my desktop. But when I pop over to Processes, I show 76. One of the things Unix guys (like me) fuss about is that some of these processes can be made invisible to Windows. There might be 10 or 20 more running that I don't know about. That's a simple definition of spyware, and it's a big security hole in Windows. In Unix and Linux systems a command called 'ps' gives a much more comprehensive view. That is, unless your kernel has been hacked.

The general solution to knowing what exactly is running on your machine is 'fingerprinting'. There are algorithms called 'hashes' that can uniquely identify that every bit in a collection of bytes are in the right place and order. The one I like is called MD5. You could take a huge file, say a 10GB picture of yourself, and change one pixel on a nose hair and MD5 will generate a completely different fingerprint of it. The security tool ZoneAlarm maintains a table of hashes for every program that your computer allows to talk to the internet. But a more advanced kind of security program would have fingerprints of every process that your CPU runs at all. Digital Rights Management extends this concept to certain types of data as well. Whereas ZoneAlarm gives the authority for allowing or restricting programs to you personally, DRM would have third parties determine that authority.

The Cell chip facilitates such matters by having its own unique ID which can be checked. It doesn't take long for a database guy like me to add two plus two. If you think online registration of programs you buy is a pain, imagine the day when it's done for you whether you like it or not. That's what DRM architecture is all about, and the backdoors will only be in hardware, or at least that's the plan the way I would plan it.

The great exciting advantage of this is that I could conceivably authorize my mother's computer, with her permission, to help me crunch some numbers. In fact, I could join a computing pool and authorize some fingerprinted programs and/or data to be run simultaeously by the group.

Now here's the killer, which I never thought of until this moment. I could create a program within which is some encrypted data, that can only run on processors I designate. I could, in effect, create my own DRM scheme. 'I' meaning Al Qaeda. Of course, there will always be 'old' computers and those who don't run Cell processors, and there will conceivably be ways to disassemble code compiled for Cell use only, so there will always be ways to crack the uncrackable. But this is just one more escalation in the complexity of modern computing. It's like an arms race.

US Search

I just wasted a perfectly good 2 hours at US Search looking up random people in my contacts list. I found every one of them. It's rather astounding that so much information is available, and yet when you really think about it, it's not so much at all. It's only because I know the people that I know that any of the information is correct. If I didn't know the people at all, I'd take more of the information presented as credible. They say that the test of intelligence is knowing what to discard. True.

I'm buying Schneier's book on IT security, 'Secrets and Lies' to get myself up to date on some basic concepts of security. As well I'm thinking about Ricky Jay and different kinds of confidence games. There's so little we actually know about people, and so many people out there. I am finding at this point in my life that I'm feeling a bit like a teen - that everybody else is having fun with everybody else except me. Only this time I know that people are very disconnected.

Every time I think about the old demographic chestnut that about half of the people in the US are born, live and die within a 50 mile radius it makes me think about Foucault's ideas about sex and proximity. We only think that we are falling in love with the right person, but our experience is far too limited. We love the one we're with, and we try to change them, and we resign ourselves. I'm comfortable with all that, except now I know where several of my ex-girlfriends live. A little knowledge is a dangerous thing.

But we are getting better about understanding the connections between people. For example, I had no idea that there was a difference between the sexual activity of teens and adults.

Still I didn't pay the 40 bucks it costs to deliver the details for any of my foundlings, which illustrates a principle about privacy. It costs time, effort and money to invade someone's privacy. No security analysis is useful without a cost/benefit analysis. What your information is worth to somebody else is usually a whole lot less than what it's worth to you, so little in fact that it may not be worth going after, even when it's in plain sight.

Lastly, I want to give a plug for HUMINT. I really have a ball watching '24' and shows like that. Go Jack.

Face Recongition, NOT

Don't believe the hype.

I spoofed this analysis eight ways to Sunday. If this is the state of the art, we've got another generation to go before we can do even basic stuff. This thing is so pathetically bad, I don't even know why they bother. It may as well be random.

Circle of Trust

I'm creating a Circle of Trust.

The spousal unit as well as at least two others have expressed concern for my bumpy black butt as I take it to the Far East. As well, I will be involved in some high finance as someone close to pure capitalists and dealmakers in what is ostensibly a communist and repressive society. I like the quote I recently read that the heads of the Chinese government are 30% Communist and 70% Sopranos. So it makes sense for me to watch my back.

But that is also true in any circumstance and it is part of a theme I will be repeating as my review of the film 'Hotel Rwanda' takes shape this week. Anonymity can be deadly.

So I will endeavor to implement various features of, for lack of a better term, a cell-based distributive circle of confidants, starting with those of you who comment here at Cobb. You know me, literarily, and have access to my Cobbian style and voice.

I hear tell that one of my new associates, being the scion of international wealth and power, will have access to goods of eye-popping capability. So it makes me drool a bit to be in the company of those who literally have to read science fiction in order to get excited about what is possible, because they've seen everything that actually exists in physical form on Earth. Me, I get excited about stuff like the Mac Mini, and Tivo To Go. While it still makes me feel clever that I can reasonably debug the plot devices on 24, I know there are people, John Lee, for example, who may have already been bored by cloning cellphones and hacking bluetooth linking protocols. So at some point I may have access to some real-deal executive security insights. But for now PGP will suffice. Plus it's cheap, if not free.

Starting with you all, I'd like to update my network of PGP folks. I think PGP is a start unless you have better ideas.

Encryption Export Restrictions

I wonder if there are any cypherpunks out there who might be able to clarify my interpretation that Clinton took all commercially available crypto off the US Munitions List in 2000. That's what this seems to say, but I'm just looking for a quick abstract.

UPDATE: I think it's pretty obvious here...

SUMMARY: This rule amends the Export Administration Regulations (EAR) to allow the export and reexport of any encryption commodity or software to individuals, commercial firms, and other non-government end-users in all destinations. It also allows exports and reexports of retail encryption commodities and software to all end-users in all destinations. Post-export reporting requirements are streamlined, and changes are made to reflect amendments to the Wassenaar Arrangement. This rule implements the encryption policy announced by the White House on September 16 and will simplify U.S. encryption export rules. Restrictions on terrorist supporting states (Cuba, Iran, Iraq, Libya, North Korea, Sudan or Syria), their nationals and other sanctioned entities are not changed by this rule.

yay!

Gary Webb: Dead

You've got to be brilliant or crazy or a bit of both to take on the CIA singlehandedly. The bigger question is whether you can survive the success or failure of such an endeavor. All in all, the odds are against you, and now another David lies dead in the shadow of Goliath.

It was a suicide according to this article, but it might be more appropriately called a collective execution. Webb long ago lost the support of the profession, despite his willingness to go the extra mile to make his case.

The publication of his book 'Dark Alliance' set a lot of tongues wagging and eyebrows raising. But in the end it didn't prove enough to be the kind of damnation CIA haters would prefer or vindication CIA suckups desired. It showed a complicated and convoluted series of events with plenty of dirt and blame to go around. In the end, I believe that his profession abandoned him.

Webb's job may someday be internalized by massive organizations. Investigations of the sort he embarked upon over continents and years are the only way anyone can find out what goes on aside from those directing operations. In a publicly funded organization we have a right to know, even if most of us would prefer not to know.

Webb's death reminds us that there remain high prices to pay for the burden of unwelcome knowledge. Truth serves no man.

Hack Verizon

Verizon is digging their own grave, but only because clever folks are speaking up.

These guys are right for setting up the attention. A couple thousand bucks might not be enough to do anything, but when it gets to 5,000 then hackers will come forward. It's an eyebrow-raising proposition.

Bluetooth hasn't really fulfilled much of its promise. I wish it would because as nice as USB is, I sure would like to get rid of all the cables behind my desk and television. Let's get it started.

Literal Rednecks

In somebody's neck of the woods, some rednecks talking out the side of their necks got their necks broken.

The truck driver and father of six had come up from his home in St. Paul, Minn., intending to hunt on public land. He got lost in the dense forest and, wandering near a swamp, climbed onto a tree stand — a wooden platform built on a branch. A hunter approached and told him he was on private property. Though he hadn't noticed a No Trespassing sign, Vang said, he climbed down and walked away.

Then, Vang said, five or six hunters in all-terrain vehicles drove up and demanded to know why he had trespassed. He told them he was lost. They surrounded him and began spitting out racial slurs. The men told him they would report him to authorities. They cursed him. One of the hunters was carrying a gun, he said. Vang, walking away, turned and saw the gun pointed at him. He dropped to the ground. A bullet whizzed by him.

Thus sayeth Vang, who turned out to be more than these airheads bargained for. I don't understand what it is with people who think they can just provoke anybody without repercussions. Rule number one is never point a gun at somebody unless you're aiming to shoot. And if you shoot, don't miss.

And so..

He shot the man who had pointed the gun at him. The man dropped. The other hunters ran toward their vehicles. Vang kept shooting. More men fell. He chased those still standing, shooting one in the back. He heard the man groan. He walked past the body.

As the hunters' friends — alerted by walkie-talkie — arrived in two more ATVs, Vang took off his blaze-orange coat and turned it inside out so the camouflage pattern showed. He reloaded. An ATV whipped past, a man steering with one hand and holding a gun with the other. Vang shot him and the young woman sitting behind him.

I think Vang knew he was a dead man walking as soon as he killed the first man. Anyone for gun control?

Reverse Spoofing?

OK now I've seen it all. I'm just checking the blog for referrers which are a bit high today and I see that I have been cited as a 'sponsor' for a popup. I have no idea how that happened.

Somebody at Fastclick.net has pulled an interesting fast one. Somehow their popup pops up from somewhere and then it redirects the victim to here. So I've got to figure out how they did that.

Obviously you could see how bloggers might be reluctant to undo the spoof, since it attracts traffic to your blog. But I'm not associated with fastclick.net and I don't want to be, despite their being rather clever bastards.

UPDATE:
Nevermind. I actually *am* happy to be associated with fastclick.net because they are part of the conglomerate that hosts my racism test. Thanks to Kyle for discovering this.

Jacking Al-Jazeera

My brother Doc, in his heady froth of patriotism, gave me a bit to think about the other day. It's a simple question I'd never considered before. Why doesn't the CIA just jack Al-Jazeera?

When I began listening to Chomsky a long time ago when he manufactured his own version of Manufactured Consent by dominating progressive left thought, I have believed that the CIA had moles operating in joints like the NYTimes. While I've come to a bit more sophisticated understanding of information theory, I understand there's no need for a physical arm-twisting editor on board. Information can be contained and parsed out in such a way as to appear complete and suggest without confirmation or denial of a concealed truth. In other words, my ability to influence what you think exists independently of my capacity to control what you think. When nits comes to grits, influence is enough, especially when you are the CIA and can always restrain what anybody can know without your permission. The point of all this is that I've always believed the CIA capable of great manipulations, and influencing any media outlet or conglomeration of them doesn't seem beyond the pale. In fact, it is not beyond the realm of possibility, as far as I'm concerned that Rupert Murdoch himself is operating according to a CIA plan.

I don't concern myself with such far fetched ideas, I just concede the possibility that they might be in somebody's interest.

Considering that symbolically, OBL is the most wanted man in the world one wonders what lengths our boys have gone to track his whereabouts. How difficult would it be for the CIA to figure out which reporters at Al-J are getting the periodic videotaped bloviations of Public Enemy Number One. There is a transaction that occurs here on the regular and clearly his emissary has mastered the art of the dead drop. But we've busted spies before, how hard can it be to bust a reporter for an enterprise as green as Al-J?

I believe that an organization like Al-Jazeera, despite its editorial position whatever it may be at the moment, is more valuable in the long run to US interests than one that is compromised and embarrassed by our spymasters and CI agents. Nevertheless, I have few doubts that there are more bugs in that joint than anybody there suspects. If not now, then soon.

What's In Your Wallet?

A few weeks ago I bought some business card software. These days I'm brainstorming about a new website concept that I'm putting together. Part of the idea is that people need to moderate their social circles with a bit more sophistication than has previously been done. How do we help manage that? I'm spending more time around the Corante Crew to catch a clue or two. Greg has an interesting set of ideas.

I've cranked out 6 different business cards, and I keep at least 4 versions onhand at all times. The first is the Daddy Card. When I'm at a school function, or out with the kids on a day trip, I leave the business mind far behind. It's lavender with a Matisse kind of graphical sun in purple. It has my home address and phone number. I give this out to potential refrigerator pals - people I wouldn't mind dropping by to grab a snack out of the fridge.

I also have a blog card, the title of which has me listed as a 'Large Mammal'. It also has the Cobb icon on it. My generic business card is for employees of companies where I work strictly pointing them to my website. And the detailed business card is the one shown here, that I give to people I believe may actually give me some business. There are a few others that I rarely use, one with me as publisher of Vision Circle and an older version of the blog card. There's also one that has me listed as a technical specialist in my partner's business. There are two other jobs I do for which I have no cards, but that doesn't concern me much.

I have been multiple people online, and still have mail from at least 6 domains coming to me at gmail and on Outlook (I'm leaving Eudora and GMail for Outlook (and Lookout & Google Desktop Search) and GMail). So I am accustomed to juggling multiple identities. I'm also an online gamer and none of those people fraternize with any of the other people. I need to be different things at different times, and I need different ways of presenting myself on different occasions.

This basic concept, a kind of extended code-switching, is something I think lots of people do. So our identities online need that multiplicity. Speaking of which, I have registered at Multiply (and Friendster, and Linked-In, and Orkut) and none of them really works for me. The best thing that works for me is my blog within my large, constantly evolving website. This is key to the concepts that interest me vis a vis virtual and extended self-representation.

In some ways, I am concerned that the online gamers I play with don't discover that I'm over 40. In other ways I am concerned that potential employers don't discover that I'm a political cartoonist. Most of the time I'm concerned that my blog readers don't discover the names of my kids, but in all those ways I know I'm not truly secure. Still, the illusion that I can hide parts of my life is satisfying. So with that in mind I wonder if we don't work a bit too hard in ensuring a kind of privacy that, with certain selected people, we actually want breached.

It makes me think about reality television. We have, in many ways, become the defensive, cocooned, SUV driving, stay at home people we forswore two decades ago. To that extent reality TV is a way for us to see that other people are as weird as we are - to confirm that our foibles are common ones, given that we cannot communicate them publicly. We want to be accepted for who we are, warts and all, but only to a select few.

As Shrek said, we're like onions. Wouldn't it be nice if I could decide how many layes to peel, on demand, without making anyone cry?

The North Korean Bomb

Q: If the DPRK did successfully explode a nuclear device on Thursday, why did we not hear about it until today?

Answer 1: It didn't happen.
Arrogant Analysis 1: Stupid fascists just blew up their own plant trying to stage a bogus test and make everyone fear them. Another escalation of rhetoric will ensue. The North Koreans are all hostages.

Answer 2: That's just how long it takes newspapers to find out because North Korea is so isolated.
Arrogant Analysis 2: Which only proves that the North Koreans are a threat to nobody but themselves. If they dared make a move against anyone, they would be crushed. Blowing up a remote part of their own country is all they can do. The North Koreans are all hostages.

Answer 3: That's just how long it takes newspapers to find out when the US Government wants the news suppressed.
Arrogant Analysis 3: Worry.

Richard Forno

Richard Forno is the coauthor of Incident Response (O'Reilly) and The Art of Information Warfare (Universal). He helped to establish the first incident response team for the U.S. House of Representatives, and is the former Chief Security Officer at Network Solutions. Richard is currently writing and consulting in the Washington, DC area.

Keep this man's name in mind when you start hearing discussions on security. I'm thinking these days of the amateur CT person who helped the FBI nail the latest domestic traitor to AQ.

Here's a few of Forno's wise words:

Let’s play devil’s advocate for a moment and see what the real consequences of a cyber-terror attack would be. Could someone shut down part of a power grid or water system via a remote dial-up connection? Perhaps, but the same could be accomplished if someone managed to gain physical access to such facilities to throw a few switches and turn a few knobs. Besides, we’ve proven during countless natural weather disasters that we can live without electricity for short periods of time. Should critical networks be compromised, we can still pay for groceries with cash.

Even if any of these scenarios were realized, life might be a bit inconvenient or slower than normal at times, but we will still be alive, and buildings won’t have toppled. Life will continue to go on, and soon return to normal, likely more quickly than if recovering from a physical type of terror attack. A potential compromise of the air traffic control system doesn’t necessarily mean that planes will start falling from the sky: airplanes have arcane backup systems known as “pilots” and “co-pilots” who can fly and land them safely.

I've recently signed up to Cryptogram and started perusing back issues. Great stuff. If you don't know Bruce Schneier, you should.

The New Security

This morning I sent out an invoice to one of my customers - an Adobe PDF file. Since GMail wasn't working, a periodic annoyance, I used my old Eudora client. As the mail went out, I noticed that there was a lack of an outbound virus scan. Usually when I send out a large document, it takes several extra seconds as Norton AV checks to make sure I'm not poisoning my email recipient unintentionally. This time, the little window didn't pop up.

Is Norton turned off? Yes, but only for outbound mail. Now I remember. When my buddy made his debut as a bassist in a reggae band, I spammed several hundred people on his behalf. In order to accomplish that, I turned off the outbound scanner.

It has been about 20 years since I first started using anti-virus software. I was getting McAfee updates even before Mitnick's famous worm. Back in those days, the threat level was nowhere near as consistent as it is today. Viruses are much more sophisticated, but ironically, they tend to be a lot less deadly. Back in those days, many virues just erased hard drives - they were just plain destructive. Today virus hackers seem to be more interested in owning fully functional machines. It's more like brainwashing than killing. We are a nation of potential Manchurian Candidates for today's crackers. I'm fairly safe however, but my safety has more to do with my own awareness than what any tools do for me. It was the fact that I know my outbound mail should be scanned rather that the fact that Norton does it for me, that adds to my security.

What I'm particularly pleased about this morning is that this consciousness is embedded in me after all these years. It doesn't hurt using it. I think about surgeons that I know, they'll drink themselves under a table, but they won't touch cigarettes. When you understand what the bad guys can do to you, it's not paranoia any longer, and after you've been practiced the safe regime for a long enough time, it starts to feel more like common sence than 'preparedness'.

I bring up this notion because I know that it's important for the future of our country, in the face of terrorism, that we all begin preparing ourselves. For what it's worth, I think people are getting accustomed to airport security. Whenever I have to go through a terminal, I know to wear my Oakleys. They come off in a second, they pop on in a second.

But I also know that, as a civil libertarian, I am particularly sensitive to this boiling frog effect on our important freedoms. The important thing to know is that once your security conciousness becomes elevated - when you begin to understand more about the threat against you, so does your understanding of the value of the tools in place (or not) to protect you. Again, it is the consciousness that is your strength, not the tool. Because as time goes forward, the nature of the threat will change in terms of its manifestations. Terrorists might want to blow up hard drives now, but next season they may want to brainwash us. The point is not to get overly dependent on one defensive tactic. We'll then have the options to trade-off. Maybe we want to spam for the sake of our friends, so we'll turn something off for a while. Maybe we'll want to encourage American students to study abroad, so we'll lift exit visa restrictions for a while.

In order for us to accomplish this kind of preparedness consciousness, we need to have some transparency from our government. Way back in the day, when I first loaded McAfee (or was it Norton?), I remember that the virus definitions all had names and descriptions. It gave me a great deal of comfort to know that any day I could look up the name of one of xhundred viruses and their variants to understand what kind of damage they might do and how likely it was that I would be infected by it. They still provide services like this today, even though I don't use them, I'm glad to know that they are there.

Twenty years ago, most Americans didn't even have PCs much less any knowledge of viruses or how to defend against them. But the fact that companies like McAffee and the Norton guys (who have been owned by several different entities) have been open about virus threat assessment and detection let a sizeable group of Americans operate securely. We've been able to internalize and maintain our preparedness consciousness because of that transparency. Now we would no more likely leave our machines unprotected than a cardiologist would smoke or an AIDS worker sleep around. But we know average Americans are not always so informed and disciplined.

When it comes to Homeland Security, some of us are going to know what's behind the big Orange Light, but most of us don't. Somebody somewhere is going to have to be our Surgeon General and start spreading some details and transparency. Even if she's going to be frank about masturbation like our old friend from Arkansas, Dr. Elders. Better safe and embarrassed than smug and in danger.

I'll vote for a president who does that.

Spy Geekery

I'm having a paranoid moment.

What if somebody came into my house, or better yet, what if somebody were eyeballing me as I type this? They'd have to notice the DVDs next to my flat panel: {Ronin, Enemy of the State, Spy Game, Swordfish, Heist, Heat}. They'd have to notice my bookshelf {Ludlum, Bamford, Littell, Clancy}. They'd notice all my books on hacking. And as I write this I'm desparately trying to find out what a TR105 is and how I could get one.

I need to get outside.

Pub Tagged

Silly me. I've been pub-tagged by PsychoDad.

I have a box on the web that I've kept a few ports open on in order to have a nice way to access files at home. I opened up the FTP port in order to handle a 3gig file I had to get from a customer site. Ordinarily I would just use one of my hosted domains for that kind of stuff, but I obviuosly didn't have 3 gig sitting around...

The symptoms are easy to spot. A whole tree of undeletable directories. MS can be somewhat helpful, and I've used solution number 3, to a certain extent. But I want to know exactly what my vulnerability is.

Of course there are utilities from people who are ready and willing to help me, for a fee. But I'm going to read the little doc on it and work my way out of the mess I stumbled into.

Beware.

Earthlink.biz

Somebody sure does hate Earthlink.

Spammers have created an ever more sophisticated set of ruses to get people to send them credit card information. They have been fairly sloppy enough in the past to leave the URLs in their new forms pointing to their bogus domains.

But today, they seem to have gotten control of Earthlink.biz and somehow a redirection for tr.earthlink.net. It didn't fool me because I'm in security awareness mode this week, but this latest was a pretty good spoof.

Be alert.

Unix Viruses &cetera

A Taste of Computer Security

Given the nature and scope of the field, it would require one or more books to even briefly touch upon all that is known about computer security. This document's goal is only to give you a taste of (a subset of) the subject. The various sections are not uniform in their depth or breadth, and the document's overall structure is not pedagogical. I could have titled it Thinking Aloud On Computer Security, if not for the somewhat pompous undertone.

Shoe Bombs

I've actually had enough free time to read a book. Although I'm not finished with 'The Man Who Warned America' I have read enough about Ramzi Yousef to be significantly impressed with this whole shoe bomb thing.

To put it briefly, Yousef got busted and they found his computer describing his elaborate plans to sneak explosives onto commercial aircraft. So while most of us were laughing at the British guy they arrested with the shoe bomb, Yousef showed that it could be a very capable weapon.

Coup

Mike Ruppert is at it again. I had almost forgot about this ex-LAPD officer who shouted down DCI Deutch when he came to Los Angeles' First AME Church to try and explain the CIA-Crack connection. This time Ruppert sees devilish doings in the resignation of Tenet having to do with the Plame investigation. His angle? It's part of a setup by the CIA to take W down.

If you have nothing better to do than stew in Ruppert's juices, take a peek. Of course there's more than a grain of truth. But who can tell which through his breathlessness?

For the record, I think Ruppert's not a loony, but he'll never get dignified. He's a muckraker whom any day might find himself in a politically engineered character assassination. In other words, he's pissed off the powers that be, and for that he has earned the title of lone wacko, whether or not he deserves it. He has been deep enough undercover in joint LAPD / intelligence community activities to understand how twisted our tactics can get, but he's betrayed the colors. He's always looking over his shoulder, poor blighter.

What the Hey @ CIA?

Trigger Fish shows scuffling and rumbling for a new head honcho at CIA. I don't know what the hell is going on over there. Is it just me or does it strike anyone strange that there have been too many DCIs over the past 20 years? After Casey came (Webster, Gates, Woolsey & Deutch) four in 10 years. Tenet seems to have stuck around longer than any, and 7 years is a good long time. But did he turn it around? Is the CIA over its shuffling at the top? Every time they have a new head of the CIA or FBI I get a very weird feeling.

I think something big and dirty has gone down, let's see if the insider gets it.

Chalabi Dropped

Today's news about Chalabi is especially juicy, and I think it points directly to the storms of intrigue and infighting between the White House, Pentagon, CIA and FBI. In particular, I think Richard Perle is looking especially egg-faced today.

Assuming you know the story and/or are vaguely familiar with basic spycraft and/or information theory, you were probably laughing out loud at this paragraph in today's NYT.

According to American officials, the Iranian official in Baghdad, possibly not believing Mr. Chalabi's account, sent a cable to Tehran detailing his conversation with Mr. Chalabi, using the broken code. That encrypted cable, intercepted and read by the United States, tipped off American officials to the fact that Mr. Chalabi had betrayed the code-breaking operation, the American officials said.

That's rich. Echoes of Cryptonomicon huffduff.

My money says some spymaster at DIA who has been pissed at Chalabi for a long time put into motion this plot to discredit him once and for all, with the possible cooperation of State (or at least with the knowledge that Colin Powell could benefit from a discredited Chalabi who now becomes the 'source' of 'all' the 'bad intelligence' about Iraqi WMDs).

Sooner or later, Chalabi would become expendable especially given the way things have turned out in Iraq which make the PNAC crew look better than they deserved to. What career Pentagon intel officer could stomach Perle's pontifications and the general besmirching of CIA and other US intelligence organizations? Time to show what they can do.

So, suspecting as any spymaster should, that Chalabi is playing both sides of the fence, they set him up with a 'drunk' agent who 'inadvertantly' says that Iranian codes are broken. Chalabi falls into the honey pot and spills the beans.

The other possibility here, as suggested by Canistraro is that some guy really was drunk and no US intelligence agency knows any other Iranian codes. That would be incredibly stupid, in fact, unbelievably so. But in any case, Iranian agents in Iraq are going to have to be restrained considering that this news is all over the place and their codes and cyphers are going to be changed anyway.

I say this is a fairly interesting turn of events. The question now is, where are Chalabi's deadly enemies and what excuses are they going to find to wreck the Iraqi National Congress? Hmmm.