Tuesday, September 30, 2008

Patent for Aurora Vuln Fix: A Good One

I nearly spit up my Mountain Dew (an early morning; I had to brave 270/495 down to Alexandria) when I read Dale's blog on patenting the Aurora fix.

I only have two words for this: Country First!

Sunday, September 28, 2008

Historic Days, Historic Times

Sure there is a lot of the same old stump speech here, and yes there are way too many promises, but in the rain that has drifted in and out of the Mid-Atlantic states, in the darkness, with his sleeves rolled up, you get glimpses that Big-H History is happening. Something is going on here.

Twenty years ago I went down to Texas to college, but now I've come full circle. And what stands out over the past two decades?

The collapse of the Soviet Union. The Fall of the Berlin Wall. The night the first bombs fell over Baghdad. The loaded railcars from Fort Hood going through College Station, some vehicles painted brown, others still the woodland camo for the Fulda.

The long superficial years of Clinton interrupted by Waco and Oklahoma City. Watching the TVs in JFK (en route to Moscow where we'd adopt my oldest son) about the DDOS. The Dot Com crash. And 9/11 and the shells of half-completed office parks in Austin when the money ran out.

And now.

Cutty and the Parable of Two Sons

Cutty/Dennis is one of my favorite characters from The Wire and I was reminded of this scene in a sermon I heard today on The Parable of the Two Sons.

Lessons from the Other Company that Turned Ten

Sure you knew Google turned ten, but so did Digital Bond.

I never regretted my decision to leave Cisco and do my usual "18 month tour" there. It was the perfect antidote for all the cynicism and negativity that entered my bloodstream after five years of working at Cisco in Austin.

Some days I wish I could have stuck around to see the dramatic growth over the past few years,  but patience has never been one of my virtues. 

But among the many things I learned from the experience is that in small companies, if you are not happy, you only have yourself to blame. You can't blame the status quo, the slow pace of change, politics, or dysfunctional teams, because it is all on you. And particularly relevant to periods of economic anxiety is the good feeling of working on teams (or projects) where you can directly trace revenue for the organization to your own deliverables. That's one of the reasons I like what I'm doing at Tenable right now. Just as with consulting, developing and delivering training provides a tangible, concrete metric on the value you are providing to an organization.

And last but not least, Dale introduced me to Tom Peters, who at first I thought was sort of cheesy, but I continue to read him today.

Saturday, September 27, 2008

Veterans for Obama: Action not Rhetoric

Bejtlich Metablogs

Why Blog? has some good ones:
Blogging organizes thoughts. Recently I nodded in agreement when I heard a prolific author explain why he writes. He said the primary purpose for writing his latest book was to organize his thoughts on a certain topic. Writing an entire book is too much for most of us, but consolidating your ideas into a coherent statement is usually sufficient.

Blogging captures and shares thoughts. Once your thoughts are recorded in electronic form, you can refer to them and point others to them. If I am asked for an opinion, I can often point to a previous blog post. If the question is interesting enough, I might write a new post. That satisfies this reason and the previous one.

Blogging facilitates public self-expression. This is a positive aspect of the modern Web, if approached responsibly. Many social networking sites contain information people would not want to preserve for all time, but a carefully nurtured blog can establish a positive presence on the Web. If you blog on certain topics that interest me, I am going to recognize you if you contact me.

Blogging establishes communities. The vast majority of the blogs I read are professionally-oriented (i.e., digital security). I follow blogs of people handling the same sorts of problems I do. I often meet other bloggers at conferences and can easily speak with them, because I've followed their thoughts for months or years. Book authors share a similar trait, although books are a much less fluid medium.

Blogging can contribute original knowledge faster than any other medium. Blogging is just about the easiest way to contribute knowledge to the global community that I can imagine. It costs nothing, requires only literacy, is easily searchable, and can encourage feedback when comments are supported.

I'll add some others:
  • With 3 kids, ranging from 10 to 9 months, I don't get out much.
  • You'd be surprised how fast you can get in the top 5 on Google searches for certain obscure (or not so obscure) technical topics if you time it right.
  • As a historical record and reference to the sorts of technical (and personal) problems you were interested (or disinterested) in over the long run.
  • Packet loss. Since my memory has gone to shit over the past 3 years, documenting sites, tools, or common tasks here beats depending on someone else's site to be there.
  • Rattling the cages/venting. I should do this less often, but I can't help myself and I know a few readers find it amusing. Whether it is bitching about SCADASEC or GNUCITIZEN, I'm always amused folks get so defensive about someone calling their baby ugly.
  • I used to consider myself a writer. And it gives me the illusion of writing. I spent most of my undergraduate years (as an English major with a creative writing concentration; I met my wife in a writing workshop) struggling to write short fiction and poetry. I racked up a hundred or so rejection slips and perhaps 2-3 publications in small literary journals. It is a counterbalance to the guilt I feel about selling out for the big bucks and the technology gods.
  • To share, dammit. To get an audience. That might be one of the reasons I became a public school teacher 15 years ago and why I recently went back to doing training for a living (what, he's doing training? I thought he was technical) this year, as a way to remain interested in the security field. It is about making connections. To readers/students.

So what will the stunt be before the VP debate?

So they can only "suspend" the campaign once. What will Palin-McCain do next week?

Palin quits for personal reasons and Joe Lieberman steps in right before the debate?

Palin has to return to Alaska for some "critical energy emergency?"

What is another gamble that will put "Country First?"

Cobbler & Func

Having devoured all the debate coverage, I ran across Cobbler on Freshmeat this morning:

Cobbler is a Linux installation server that allows for rapid setup of network installation environments. With a simple series of commands, network installs can be configured for PXE, reinstallations, media-based net-installs, and virtualized installs (supporting Xen, qemu, KVM, and VMware Server). Cobbler uses a helper program called 'koan' (which interacts with Cobbler) for reinstallation and virtualization support.

And func almost makes me want to be responsible for a few hundred *NIX boxes again.

Friday, September 26, 2008

Mental/Behavioral Health Care Parity Bill Passes

Well, at least Congress got something done this week in HR 6983, the Paul Wellstone and Pete Domenici Mental Health Parity and Addiction Equity Act of 2008. It will be interesting to see how this trickles down into behavioral health care plans, co-payments, etc. Although I'm ambivalent about substance abuse and psychiatric conditions being lumped together.

Wednesday, September 24, 2008

Who has their game face on?

Piss off the press and they print wimpy pictures of you. From the NY Times and WaPo.

I couldn't multitask either

I'm sympathetic. I was supposed to speak at a Water SCADA Cyber event today in San Jose, but I bailed as well.

Tuesday, September 23, 2008

I don't get e-learning 2.0

So I find blogs like Examples of eLearning 2.0 sort of curious:

* Alongside Formal Learning
    o Blog as writing tool
    o Wiki as a collaborative learning tool
* Editable reference materials (Wiki)
    o Internal / External Product information
    o Process information
    o Sales scenarios
    o Frequently Asked Questions (FAQ) / support information
    o Online reference / glossary
* Experience Capture
    o New-hire blog
    o Maintaining a "lab or project notebook"
* RSS Reader, Podcasts - Steady Drip

While these examples make sense, and I've been using (and advocating the use of) wikis as fundamental tools within teams since 2003, ever since I ran across the Cisco Engineering Wiki which ran MoinMoin, I just don't get why folks are trying to lump these core technologies in as "e-learning."

RSS, blogs, wikis, etc. are fundamental workplace tools in the same way that office applications, web applications, the Internet, etc. are tools, but think of the absurdity of making a big deal of Excel as an "e-learning 1.0 tool."

Is it because corporate trainers (I am one now, so I can critique them) are so backward and 2.0-illiterate? Is that why this is a big deal? To me, if you make the definition of "e-learning" so expansive (and yes, I realize there is overlap between e-learning and knowledge management, but to classify knowledge management activities as learning seems silly) it makes the term almost meaningless. Yes, everything you do should be about learning and creating knowledge, but this is different from Learning with a Big-L and little-l learning. What am I missing here?

Monday, September 22, 2008

MySQL Query Logging on CentOS5 and external Moodle Authentication DBs

When I'm not blogging about two-bit Alaska mayors/governors, most of the point is to jot down things that aren't necessarily profound but that are useful, and that did not turn up easily in one minute of googling.

I knew I'd done this before, but like so many things you don't use every day, it is easy to forget. Fortunately I discovered the nice Windows GUI admin tools for MySQL so I wouldn't have to write command-line PHP. Something else I do like every 3-4 years.

So my goal is to enable logging of database queries so you can debug a web app. In my case I'm trying to enable Moodle to use an external authentication database, and of course it fails the first time.

So the command line argument to enable query logging is "--log=/var/log/mysql.queries".

That is easy enough, but where to put it in /etc/init.d/mysqld?

Ideally I'd like to put it in the global MySQL options file (/etc/my.cnf), which gets read in by get_mysql_option(), but this doesn't work, although I did get it to show up with my_print_defaults (a new one for me), so I'm not sure what is up. I tried both under [mysqld] and [mysqld_safe], so I did it the old fashioned way and added it to the line that starts up mysqld_safe:

/usr/bin/mysqld_safe --datadir="$datadir" --socket="$socketfile" \
--log=/var/log/mysql.queries \
--log-error="$errlogfile" \
>/dev/null 2>&1 &

Not pretty but good enough, and I discovered that I had not granted my local user access to the database.
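The general query log you turn on this way records every statement the web app sends, including the credential literals an external authentication lookup carries, so it is worth scrubbing before it is shared or left lying in /var/log. The following is an added example (not from the original post) that parses lines in the MySQL 5.0 general log layout and redacts quoted password literals; the log content, table and column names are constructed for illustration.

```python
"""Parse a MySQL 5.0-style general query log (the file --log=/var/log/mysql.queries
writes) and redact credential literals so the debugging output is safe to keep or share."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the general-log layout MySQL 5.0 uses: a banner, a column
# header, then "YYMMDD H:MM:SS  id Command  Argument" lines, where lines logged in
# the same second omit the timestamp. Not a real capture; names are made up.
SAMPLE_LOG = """\
/usr/libexec/mysqld, Version: 5.0.45-log (Source distribution). started with:
Tcp port: 3306  Unix socket: /var/lib/mysql/mysql.sock
Time                 Id Command    Argument
080922 10:15:01       3 Connect     moodle@localhost on moodle
                      3 Query       SELECT id FROM mdl_user WHERE username = 'jdoe'
080922 10:15:02       4 Connect     moodle@localhost on authdb
                      4 Query       SELECT username FROM users WHERE username = 'jdoe' AND password = 'Summer2008!'
                      4 Query       SELECT id FROM users WHERE username = 'jdoe' AND password = MD5('Summer2008!')
080922 10:15:03       4 Quit
"""

# Optional timestamp (hour is space-padded in 5.0), connection id, command, argument.
LINE_RE = re.compile(
    r"^(?P<ts>\d{6} {1,2}\d{1,2}:\d{2}:\d{2})?\s+(?P<id>\d+)\s+"
    r"(?P<cmd>Init DB|Field List|\w+)(?:\s+(?P<arg>.*?))?\s*$"
)

# A quoted literal compared against a password-like column, e.g. password = 'x'.
CRED_LITERAL_RE = re.compile(
    r"(?i)(pass(?:word|wd)?\b\s*(?:=|<>|!=|\slike\s)\s*)('(?:[^'\\]|\\.)*')"
)
# A quoted literal fed to a hashing function, e.g. MD5('x') or PASSWORD('x').
HASH_CALL_RE = re.compile(
    r"(?i)(\b(?:md5|sha1|sha2|password|old_password)\s*\(\s*)('(?:[^'\\]|\\.)*')"
)


@dataclass
class LogEntry:
    time: Optional[str]      # forward-filled from the last line that carried one
    conn_id: int
    command: str             # Connect, Query, Quit, Init DB, ...
    argument: Optional[str]  # None for commands such as Quit


def parse_general_log(text: str) -> List[LogEntry]:
    """Return one entry per logged command; banner and header lines are skipped."""
    entries: List[LogEntry] = []
    last_ts: Optional[str] = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m.group("ts"):
            last_ts = m.group("ts")
        entries.append(LogEntry(last_ts, int(m.group("id")), m.group("cmd"), m.group("arg")))
    return entries


def redact(argument: str) -> Tuple[str, int]:
    """Replace credential literals with '***'; return (redacted text, literals found)."""
    count = 0

    def replace(m: "re.Match") -> str:
        nonlocal count
        count += 1
        return m.group(1) + "'***'"

    out = CRED_LITERAL_RE.sub(replace, argument)
    out = HASH_CALL_RE.sub(replace, out)
    return out, count


def audit(log_text: str) -> List[dict]:
    """List the queries that carried credential literals, already redacted."""
    findings = []
    for entry in parse_general_log(log_text):
        if entry.command != "Query" or entry.argument is None:
            continue
        redacted, n = redact(entry.argument)
        if n:
            findings.append({"time": entry.time, "conn": entry.conn_id,
                             "query": redacted, "literals": n})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f['time']} conn {f['conn']}: {f['query']}")
```

Run it over a real log only after copying it somewhere with restrictive permissions; the point of the audit is to show how much plaintext a debugging session leaves behind, so turn the log back off once Moodle authenticates.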

Sunday, September 21, 2008

Wolves, Threats, and Action

My first reaction is to think all the taxpayer bellyaching about the bailout is just plain ignorance, but on the other hand, if you've been lied to and had the government exploit fears of security threats for personal, political, and financial gain, it might make you a bit cynical.

And then there is the minor issue that if the govt. can't manage a relatively simple operation like the invasion/occupation of Iraq (I'm not sure if I'm being facetious, but it works either way), how the hell can they fix the global financial system?

But I dunno, I guess I'm too trusting, because I heard Paulson on ABC this morning and I tend to want to give him the benefit of the doubt. I'd also like to believe what David Brooks said on PBS about Paulson and Gates being the two "stars" of Bush's 2nd term.

System Survivability, Individual Responsibility, and Critical Infrastructure Protection

The financial upheavals of the last week have highlighted some of the cliches of critical infrastructure protection I've heard over the years.

First is the notion of "public-private partnership" that is necessary for the successful operation of these public services we all depend on to keep us from sliding back into the dark ages of decaying big box stores with empty parking lots that are the fare of post-apocalyptic movies and fiction.

Meaning the government can not do it all and that industry and government agencies must work together to protect the integrity of the system.

Several weeks back I heard somebody from DHS on C-SPAN Radio (perhaps it was even Secretary Chertoff himself) talking about how individual asset owners are best suited to make the risk decisions (based on self-interest) on implementing controls. The government could not and should not make those decisions. At best it should define standards to raise the bar. There is a certain logic to this, but it assumes that said individuals and organizations can think strategically and not take shortcuts that achieve short term objectives. Buy that flatscreen (or new laptop!) you cannot afford. Or that 4000 square foot house in the suburbs you cannot afford.

Although history has yet to be written, it is clear that this did not happen with the financial markets or with individual Americans. And we see the financial analogue of home users not implementing best practices (patching, firewalls, wireless security), resulting in zombie armies launching attacks that undermine the critical network infrastructure.

If enough individuals make risky decisions, the integrity of the system is compromised.

When confronted with regulation, the classic response from the private sector is that it stifles innovation. This was the argument you heard from vendors such as Microsoft or Cisco when the spectre of regulation was raised with regard to software security or product liabilities. The market will handle it.

Obviously that did not happen, and it should be a wake-up call for those in Critical Infrastructure (the financial sector is one, remember? I hate how the power folks think they are the only one) that if things get out of hand and result in system collapse, the government will (and should) step in to preserve its integrity.

Of course the second cliche is the complex interdependencies among systems.

What more do you need to know? A Chinese bank holds some fraction of the mortgage for your house in Skokie or Phoenix or Plano.

Tomorrow ought to be interesting on the market. I'm wondering how many other folks put in sell orders for some of their mutual funds over the weekend with the goal of getting more liquid in uncertain times.

As I fed my 9 month old at lunch today I couldn't help but think about the future. Are the times as tumultuous as the pundits proclaim? What does a global economic meltdown really look like? And channeling Cormac McCarthy's The Road, how long does it take from the first flash in the distance to the point where you are wandering through the countryside pushing a shopping cart with a revolver with 2 rounds left?

Friday, September 19, 2008

Spaf: You can't have 94 centers of excellence

I have a 45 minute commute (not bad at all for the region) each way so I spend lots of time listening to the radio and one of the first (annoying) things I noticed was the amount of advertising about "information assurance" training programs out there targeting the "hot IT security field." Some of these justify their expertise ("you'll learn from the best!") based on their NSA Center of Excellence accreditation.

And Spaf nails it when he justifies Purdue's decision not to remain in the program:

More importantly, this goes to the heart of what it means to be “trustworthy.” Security and privacy issues are based on a concept of trust and that also implies honesty. It simply is not honest to continue to participate in (and thereby support) a designation that is misleading. There are not 94 centers of excellence in information and cyber security in the US. You might ask the personnel at some of the schools that are so designated as to why they feel the need to participate and shore up that unfortunate canard.
While this is true, I think there is definitely something else going on here that reflects the changes (and more importantly the ambivalence about the changes) in the [Computer|Network|Information] Security field over the last decade. As knowledge goes mainstream, as a discipline no longer remains in the realm of experts or "the Academy" (as they would say in the culture wars of the 90s), there is always the temptation to lament the "watering down" of a field of expertise. This is also seen in the division between "Security Education" and "Security Training," and I'm not sure what the difference is. As a Liberal Arts grad, I saw (and still see) Computer Science/Engineering programs essentially all as training, whether the program is at a suburban community college or a major land grant university.

Wednesday, September 17, 2008

RNC in the House!

Not PC (do folks use that term anymore?) but damn funny.

From Black Comic Introduces McCain:

And you know he got to marry that girl, too. Because … her momma done shot a moose.


She shot a motherfucking moose! Put its head up on the wall and everything. That’s cold, man. That’s like Al Qaeda shit. Post that shit on the Internet as a warning to other moose.


’Cause when a girl’s momma shoot a moose, that’s, like, a red flag for me. I take that shit into consideration. I do! It’s like, ‘Yeah, you fine. No doubt. You real fine. And you got a great personality. And you drunk. But … ain’t your momma the one done shot a moose? I’ll be seeing you later on.’ I practice abstinence with moose-shooting-momma-having bitches.


Reform Prosperity Peace


Monday, September 15, 2008

Is there any point in writing a standalone SCADA vuln scanner/fuzzer in 2008?

It seems like the Modscan talk at Defcon has got some folks thinking:

Over the last couple of weeks I’ve been writing it in Ruby. At the moment it is more of a series of classes as a framework for communicating with SCADA ModBus devices either over TCP/IP or Serial. Included are some specific functionality to Enumerate Functions supported by a device, along with discovering the Slave Devices on the ‘network’. I say network as a more generic term as the Serial Connections are not specifically a network, but the code is able to enumerate slaves on a serial bus nonetheless.

The code doesn’t implement a full all singing and dancing ModBus API just a subset, but it is extendable to allow this. It provides a usable framework for building a valid message that can be sent, which is key for Fuzzing a device.

One of the key features is the code is able to be extended to include other SCADA protocols, I’m looking at a couple of others there too. Another element I’m looking at is code to test against Master devices on the SCADA network, at the moment the majority of the code is designed to look at a Slave device. But I’ve put together the basics of a ModBus Slave to allow me to do bad things to a Master that connects to it.

Now I'm probably letting my own jaded view of both fuzzing and dealing with SCADA protocol implementations cloud my judgment, but my take is that writing a Modbus (Serial or TCP) fuzzer in late 2008 is about as pointless as writing an FTP fuzzer in 2005.

But this blog entry is further evidence that the cat is out of the bag. By 2008 most of the big vendors have found all the low hanging fruit with Codenomicon, Mu, or Wurldtech, but who knows, maybe some of the more obscure SCADA protocol implementations will end up at Defcon next year and we'll see yet another SCADA vuln press cycle.

Saturday, September 13, 2008

Palin as Bush-Cheney: Secrecy

From Once Elected, Palin Hired Friends and Lashed Foes (NY Times). Yeah, that's the change we need:

Interviews show that Ms. Palin runs an administration that puts a premium on loyalty and secrecy. The governor and her top officials sometimes use personal e-mail accounts for state business; dozens of e-mail messages obtained by The New York Times show that her staff members studied whether that could allow them to circumvent subpoenas seeking public records.

Still more Childhood Bipolar

Articles like The Bipolar Puzzle come out every so often, and I'm not sure what the attraction is among journalists, but I'm probably too close to the problem space to be objective.

But this is a pretty decent article, if "you wanted to know what it is like" (of course there is stuff in there I haven't seen and there is stuff I've seen that isn't in there, but overall it rings true) and you don't have to deal with this stuff on a regular basis.

And if you do, I wish you luck wherever you are on the terrible journey, and the one word of advice I'd give is don't be afraid to think outside the box on the meds, meaning consider those that are typically verboten for "bipolar" children.

Low doses of stimulants and antidepressants in particular can literally perform miracles. And despite the risks, these classes of meds (stims and SSRIs) seem a lot less scary than mood stabilizers and anti-psychotics.

And near the end of the article, the million dollar question that parents of "bipolar" children never actually ask, because you are living day by day and you don't have the luxury to ponder it all that often...

The most basic question about bipolar kids remains a mystery: Will they grow up to be bipolar adults? Because diagnosing the condition in children is still relatively new, no studies have yet followed a large number of them fully into adulthood. One fact is suggestive: bipolar kids are predominantly male, while the adult bipolar population skews slightly toward the female. The likelihood is that many of these kids will grow up to have mental-health issues of some kind, but which issues, and how chronic or severe they will be, no one really knows.

How I got Moodle and Captivate Flash Playing Nicely

I've been spending a lot of time with Moodle lately, and although it is quite powerful and flexible, it doesn't "just work" the first time.

And what I beat my head against for 2-3 hours on Friday, until I finally figured it out by looking at the Apache error logs, was how to get Flash software simulations created with Adobe Captivate to render properly and completely within a lesson.

Flash Output from Captivate
When you publish your projects to Flash you get a bunch of files like so.

Most of the blogs and tutorials I found for using Captivate Flash output focused on creating an HTML document that has your skin for your Flash content when you Create a Resource, but I never got this working. I tried pasting the output from the ".htm" above into a web page, but that didn't work for a number of reasons I won't get into.

Adding them as repository files
I had better luck using "add a link to a file or web site." When I created a link to a file in the Apache document root it just worked. But the problem is you don't have any of the access controls on that content. So anyone that knows the URL can get that content.

So the answer is to upload files to the local file repository within each course. A separate task was to increase the global file upload size and HTTP POST size (in my case to 8MB).

So I added a link to a file instead, so your "location field" will point to some_training.swf on the local filesystem (and will be accessed with something like

Unfortunately a couple of my projects seemed to work with only some_training.swf, but others were not complete: I would only get audio. Now the red herring was that all of the projects I couldn't get to render properly were browser simulations, which had a much larger screen geometry than the previous movies that worked properly.

The Solution
Make sure you add all the "Fullmotion*" files to your file repository, although you only need to link to the top Flash file.

Uck: Could have used this 3 years ago

I can't honestly say I was as productive as I should have been my last year at Cisco, but one of the things I did accomplish was porting our Knoppix-based Security Testing LiveCD to Ubuntu. So I became intimately aware of the process of building LiveCDs and how painful the process can be. I did write some scripts to automate the process, but Ubuntu Customization Kit would have been very useful. At least based on the description. Haven't tried it yet.

McCain v. Obama Legislation (I was surprised)

Hilzoy has a nice compare & contrast on their legislative records:

The interesting part, for me, is seeing how the comparisons come out. I never really know in advance; one reason I do this is as a check on my own objectivity. In this case, I assumed that McCain would absolutely dominate during the 109th Congress, both because his party was in power and because of his seniority. (These affect not just how likely his bills are to pass, but how likely they are to be listed as his bills: there's a reason that the bill Dick Lugar and Barack Obama wrote on nonproliferation was introduced as Lugar-Obama.) I wasn't sure about the 110th: Obama's party was in control, but McCain still had seniority; probably more importantly, both candidates were off campaigning. Was I right? No. Why not? See for yourselves, below the fold.

The Citect Exploit: A Week Later

I resisted the temptation last week, but this article sent me over the edge:

Desautels said he stands by the decision.

First the exploit will motivate people to patch by giving them a way to test their systems against the vulnerability, he said. Second, it will encourage SCADA software developers to write more secure code.

"I think releasing the exploit code was actually necessary," he said. "He's actually doing a free service. I would believe Kevin has actually reduced risk."

This is 2008, right? Spare us your simplistic 1998 BUGTRAQ arguments. Please. You can't be serious. This, like most vulnerability disclosures, is all about the marketing and rattling the cages. There is nothing richer than consultant/researchers that have no clue about designing, developing, shipping, and supporting products spouting application security cliches that are easier said than done: "add security to your development process," "get rid of stack based overflows," "do security testing before your release."

The CORE disclosure was handled professionally, but this is amateur hour. But you knew that if you follow SCADASEC or read Kevin's adolescent rant.

And actually that was my key problem with the release. Not what was released, but how it was released. All the posturing. Listing all the impacted sites and end users? All the little sarcastic comments and the NRA-inspired rhetoric.

Release the exploit, fine. Not a bad thing. But spare us the bullshit, it just undermines your credibility.

Thursday, September 11, 2008

Is Russia the Other War

Pretty frightening stuff. Especially from "pick your city" Scott Ritter.

In What Respect, Charlie?

See HuffPost excerpts:

  • It is all about energy
  • It is all about reform
  • No clue on the Bush doctrine
  • We might need to invade Russia over Georgia
And the best thing is the look in her eyes.

And for a mildly sexist comment: she might be easy on the eyes, but that voice. Straight out of Prairie Home Companion.

God help us if she gets elected.

A Northwestern Hick accent is far less appealing than a Southern (or Texas) accent.

Wednesday, September 10, 2008

ABC on Palin Book Banning

I've always found liberals whining about censorship sort of hard to take, so the real issue is causality between the following events: (1) Fundamentalist churches launch a "crusade" (quite literally) to get rid of "inappropriate" books; (2) Palin asks the librarian what she would do about certain books; (3) Palin fires the librarian 2 weeks later.


Have 9/11 Analogies in Infosec become the new Godwin's Law?

Perhaps some may consider this blog blasphemous, but I really think invoking 9/11 (and yes, I remember it well: I went into work early that blue-sky September morning to get ready for a concall with a Cisco EMBU team out in San Jose, and after the 2nd tower was hit a bunch of us went to a conference room in Building 3 and watched the towers fall live, then went home early to be with our families) has become tiresome, and I've had it with infosec practitioners (or presidential candidates) invoking 9/11 for marketing (or political) purposes.

Curphey on Building vs. Breaking

True that:

I have grown increasingly disillusioned with the information security industry and especially disillusioned with the application security industry (whatever that really is). Why? I will get onto the information security part where fluffy compliance and best practice culture seems to be gaining acceptance in future posts (probably after a few glasses of wine) but if we take the application security industry specifically then I personally find it is disappointing that after a decade of it being considered a discipline in its own right, it is still predominantly made up of breakers and not builders.

I, too, have had anxiety about much of the vuln work, and that is why I'm not in the product/application security bidness anymore. And there is much in Linus's monkey comments that I found hard to disagree with. And bonus points for going after the OpenBSD crowd.

Finding your first vuln, crashing a PIX (or a 7200 in IOS), is fun the first time, but bug hunting is ultimately a cheap thrill. Educating product teams to find their own bugs, change their processes, and document and design products better is ultimately more rewarding.

Saturday, September 06, 2008

Snosoft: If you outlaw SCADA exploits, only outlaws will have SCADA exploits.

I've unsubscribed from all the SCADA mailing lists because they raised my blood pressure too much (well, that and the amount of rubbish that was sent to the list, and that anything of value would show up on Digital Bond), but The Five Ws of Citect ODBC Vulnerability CVE-2008-2639 came up in my Google Alerts this morning.

I definitely have opinions on this, but I've exceeded my quota of comments on vulnerability disclosure for the decade.

McCain-Palin as Bush: Theocracy

I'm sure all of this will become "off limits" for the media (kind of like she is right now, at an "undisclosed location"), but if you make the personal political (that is the watchword of identity politics, right?), it is fair game.

From the NY Times:

In the address at the Assembly of God Church here, Ms. Palin’s ease in talking about the intersection of faith and public life was clear. Among other things, she encouraged the group of young church leaders to pray that “God’s will” be done in bringing about the construction of a big pipeline in the state, and suggested her work as governor would be hampered “if the people of Alaska’s heart isn’t right with God.”


“The churches that Sarah has attended all believe in a literal translation of the Bible,” Ms. Kincaid said. “Her principal ethical and moral beliefs stem from this.”

This Biblical Literalism is most problematic as it gets applied to foreign policy (the country becomes an agent of God to punish the evildoers) and leads to an intellectual rigidity based on the ignorance of certainty. That is what we are looking at here; that is what we've seen for the past 8 years.

And if you haven't seen the videos...

McCain-Palin as Bush: Abuse of Power

From Newsweek:

Key Alaska allies of John McCain are trying to derail a politically charged investigation into Gov. Sarah Palin's firing of her public safety commissioner in order to prevent a so-called "October surprise" that would produce embarrassing information about the vice presidential candidate on the eve of the election.

Hat Tip: TPM

Friday, September 05, 2008

Spaf on Security Through Obscurity

For a few years now, I've been suspicious of folks that are quick to label something as "security through obscurity."

Not only has this become a robotic cliché (the only one I hate more is that so-and-so provides a "false sense of security"), obscurity often does provide you security (or at least reduces risk), so I was pleased to see some Sanity from Spaf:

However, the usual intent behind the current use of the phrase “security through obscurity” is not correct. One goal of securing a system is to increase the work factor for the opponent, with a secondary goal of increasing the likelihood of detecting when an attack is undertaken. By that definition, obscurity and secrecy do provide some security because they increase the work factor an opponent must expend to successfully attack your system. The obscurity may also help expose an attacker because it will require some probing to penetrate the obscurity, thus allowing some instrumentation and advanced warning.

Thursday, September 04, 2008

I don't want a nation just for me

What is different from four years ago, when (I'm not at all ashamed to admit it) I voted Republican?

In 2008, I know how much health care costs and how easily you can be denied coverage. I paid COBRA (from Cisco) for over a year (over $1300/month) when I worked for a small company, and I saw how individual plans drop you (or won't even cover you).

Now I have a multicultural family. I traveled to China and have a Chinese daughter. I have seen the curious stares from "hard working white Americans." I lived in Skokie, Illinois for over a year and saw the benefits of living in a diverse community for myself and for my daughter.

I have fought with Behavioral Health Care providers over benefits for serious mental health issues for a family member. Have you ever heard McCain talk about parity for mental health care?

I was a strong supporter of the invasion of Iraq (and "the surge"), but there has been no accountability, no realistic assessment, no reckoning.

Denial and delusion is what McCain-Palin will bring.

We need less Rumsfeld and more Gates. More strategy, less tactics.

I certainly don't agree with much of the Democratic platform, but a party dominated by social and cultural conservatives with ignorance fueling their certainty.

We need more gray. Less black and white.

And most of all I don't have the energy to be cynical anymore. 

Dell Netbook is finally here!

It's called the Inspiron Mini 9. Of course there is no way in hell I could justify getting one. The config above cost $539 (sans postage).

Funny, the white one costs $25 more than the black one -- the exact opposite of MacBooks.

When Obama brings the troops home and can stop spending $10 billion/month so we can get a tax cut (or, equally unlikely, Palin can give us all some of her oil money), I can use that money to get one.

Palin Speech: the less said the better

I didn't actually watch it (way past my bedtime), but my wife read it this morning (along with the accolades from CNN and Yahoo News) and she was pissed, saying things that, if a man had said them, would be considered sexist.

The blogs have been pretty quiet on the speech, but Cognitive Dissonance caught my attention:

But I don't think the speech will be effective beyond the very near term (the next 3-7 days) at moving votes in McCain's direction, if it moves them at all. And here's why:

I think some of you are underestimating the percentage of voters for whom Sarah Palin lacks the standing to make this critique of Barack Obama. To many voters, she is either entirely unknown, or is known as a US Weekly caricature of a woman who eats mooseburgers and has a pregnant daughter. To change someone's opinion, you have to do one of two things. Either, you have to be a trusted voice of authority, or you have to persuade them. Palin is not a trusted voice of authority -- she's much too new. But neither was this a persuasive speech. It was staccato, insistent, a little corny. It preached to the proverbial choir. It was also, as one of my commenters astutely noted, a speech written by a man and for a man, but delivered by a woman, which produces a certain amount of cognitive dissonance.

In exceedingly plain English, I think there's a pretty big who the fuck does she think she is? factor. And not just among us Daily Kos reading, merlot-drinking liberals. I think Palin's speech will be instinctively unappealing to other whole demographics of voters, including particularly working-class men (among whom there may be a misogyny factor) and professional post-menopausal women.

Let's hope so. And for the "if God be for us, who can be against us" crowd (and we all know God is on the side of George W. Bush and Sarah Palin, right?), no, that is the only authority that is needed.

Tuesday, September 02, 2008

Chrome: Definitely Snappier for Google Apps

And they have cool comic-book-style documentation too.

And you thought I was going to blog about Palin again.


Since you were talking about Churches?

From "Palestinian Attack In Israel Part of God's Judgment, Said Recent Guest At Palin's Church":

In a talk entitled "The Jerusalem Dilemma," Brickner also went on to describe all of the problems in the Middle East as related to Jerusalem. "But what we see in Israel, the conflict that is spilled through the Middle East, really which is all about Jerusalem, is an ongoing reflection of the fact that there is judgment," Brickner told Palin's church, adding: "Judgment is very real and we see it played out on the pages of the newspapers and on the television. It's very real. When Isaac [Brickner's son] was in Jerusalem he was there to witness some of that judgment, some of that conflict, when a Palestinian from East Jerusalem took a bulldozer and went plowing through a score of cars, killing numbers of people. Judgment -- you can't miss it."

A Gamechanger All Right

Obama breaks 50% for the first time, and Bush will talk about 9/11 again in his speech tonight. That is a fastball ready to be hit out of the park.

"To protect America, we must stay on the offense, stop attacks before they happen and not wait to be hit again. The man we need is John McCain," Bush will say, according to the excerpts.

And Republicans will go after the media tonight. Yeah. Tell me where the panic is. How did attacks against the "biased" media work for Hillary? I thought so.

Live by the sword. Die by the sword.

Monday, September 01, 2008

Tide (in media) is Turning v. Palin?

Yeah, it definitely looks like the euphoria on Friday over the "bold choice" is wearing thin. Really quite sad to watch. Command of the National Guard? Proximity to Alaska? Come on guys, dig the hole deeper. The really interesting thing is to see how this resolves itself. I wonder what is going on behind the scenes in the GOP? It is one thing to hear Hannity and Rush, but I heard Jack Kemp spewing the party line on Palin. The thing I wondered when McCain was introducing her was whether he really believed what he was saying. And if he didn't, did he really care?

Found on TPM

And regarding this whole Alaska Independence Party thing, that sort of thing doesn't surprise me one bit. There was quite a bit of that in Texas, and I used to bring in news articles from these sorts of secessionist groups when I taught 7th Grade Texas History down in San Antonio.

Good to go back to work tomorrow so I can stop all this political soap opera. Truth be told, I actually did a bunch of Python coding over the 3-day weekend, and I made it down to the Mall today and saw the WW II Memorial, which from ground level was sort of underwhelming, but once you go down next to the pool, it starts to grow on you.

Wiki as an Intel Source?

There was an interesting article in the NY Times on last-minute edits to Palin's Wikipedia page.

The fact that campaign officials or others sympathetic to the McCain-Palin ticket spiced up her bio is not surprising -- but using Wikipedia (or other open-source collaborative knowledge bases) to predict events in the real world is.

Last year, a graduate student, Virgil Griffith, created a clever Web site, WikiScanner, that made it easy to detect where anonymous editors of Wikipedia were accessing the site. In the process, companies, government agencies and, yes, politicians were caught in the act of spiffing up their Wikipedia entries, even as many assumed that anonymity would make them safe. (Wikipedia, incredibly and mercilessly, keeps a record of every change made to every article.)

YoungTrigg made the last edit Friday morning, hours before the news of the Palin selection became official. But in the wee hours the day before, when no one was really paying attention, YoungTrigg did contact other Wikipedians, who were initially impressed by the rapid improvements to the article.