Cobb

Container Nukes

An interesting discussion about recently confirmed cold fusion is going on over at Slashdot. Here's a real gem that puts some nuke fears into perspective. I never really thought about what quality nukes a terrorist might actually get their hands on.

Modern nuclear weapons are around 1 MT, usually a bit less, as that's the optimal size for a weapon you can target accurately. The larger nukes of old were designed to crack silos with a near miss, were extremely expensive for their mission, and were taken out of service long ago. If a terrorist gets a nuclear weapon, it's either going to be a sub-MT military weapon, or a quite a bit smaller "home made" fission only device (modern nukes are pretty sophisticated fusion-pumped-fission devices).

Let's do the math [nuclearweaponarchive.org]. A 1 MT nuke detonated at optimal blast height will knock down residential structures at a radius of 10 km, more solid buildings at 7 km, and at 5 km knock down reinfored buildings and kill people outright from the blast (and all other effects, such as high doses of radiation, have smaller radii). A surface blast would have a far smaller effect. The only real point of a surface blast is to generate radioactive fallout (an air blast generates surprisingly little, though it would still hinder clean-up and rebuilding).

So yes, in theory, a terrorist with a high-quality military nuke (let's imagine a few were sold out of the old USSR armory, and somehow still worked today (the tritium would have to be replaced, which is quite technical, but lets imagine a scientist came with the bomb)) could sit a couple of kilometers off the coast and destroy some structures along the coast. Good for psycological impact, but not much else, and insanely expensive to carry out. A 50 kt fission bomb, a far more likely scenario for a terrorist, would have less than 40% of the blast radius of the high quality military bomb, and would probably need to be within 1 km to be effective.

A surface blast over *land* is what a terrorist wants, because the radioactive fallout would cause a world of hurt. You'd get very little of that even 1 km off the coast, and even a ship at a dock would produce far less fallout than a bomb 1 km inland. It's *definitely* worth checking for nukes at ports of entry: the threat just goes down very fast as the bomb moves away from land.

The Nuclear Weapon Archive is extrarodinarily cool.

Google Masking

The problem with me is that I've done roller disco at Venice Beach and breakdancing at an awards banquet. The rest of you might be more easily embarrassed by con-men and blackmailers. So if you think you may have surfed some porn and that Google might know something about it, you might want to anonymize your Google cookie. I find it difficult to give a gnat's gonads, but it might just be that I'm not paranoid in the proper dimensions. I worry a lot more about people finding out that I might have bad breath.

Those of you on the inside of the bubble may have already been there, and I may adjust my habits in due time. In the meantime here's the link.

Bamboozled

I hereby punch myself in the nose and admit that I have been taken in by viral marketing. All that Dave Chappelle business is clever marketing hype for a new Charlie Murphy movie. But now I'm not even sure that it's a real movie.

Trust no one. Especially not friends who send you IMs in the middle of the night with hot news about Dave Chappelle.

Let the record show that the last page was not there two days ago. At least that's my source's excuse. My excuse? I write too much.

If I ever see Charlie Murphy, that fool owes me a beer.

Public Whistleblower's Escrow

I must confess that although most of my passion about the Plame Affair is spent, the idea that Karl Rove is the dealer of dirt makes for a healthy bashing. I say whomever did it should go down, but I won't get particularly purturbed if it doesn't happen. Part of the reason has to do with the complexity of the shield privileges and my orientation towards technology.

I always believed that some private companies or entities (and I had always thought it would be banks until I realized how wealthy and powerful ISPs have become) would do the public a great favor by providing digital escrow accounts. The basic idea was for an individual to be able to do the 'swiss banking' thing with their digital data.

Anyway, cut to the chase, here's what I'm looking for. I am looking for bloggers and cypherpunks to come up with a way to shield and serve whistleblowers, and I want Pajamas Media to be the place. If you don't trust Time or the MSM, trust the blogosphere.

Now the only question is how.

Novaya Zemyla

I am fascinated by Wall Street bond trading and nuclear weapons. You can talk about these things all your life and never really understand them. I am also fascinated by remote places on the globe, not because they are particularly hostile, but because they are remote. So this evening by chance navigation by way of Google Earth and Alamogordo, NM, I have arrived at a Russian nuclear test site. It's an island called Novaya Zemlya.

Chances are you've never heard of the place before. I know I haven't. And yet isn't that extraordinary? The biggest explosions in the history of mankind, these nukes. But none of us know where they happened or might be happening.

Do you rembmer when the Kursk went down in the Barents Sea? It's still there. Makes you wonder what else is out there.

Internet Privacy: Knowing vs Doing

Despite all the guns out there, chances are, you're not going to get shot. Despite all the credit cards you have, chances are your identity is not going to get stolen.

I've been a little lax on following up on the many interests I've cultivated in my life, among them security and paranoia. So I've only vaguely heard tell of Bank of America's loss of private information to crackers and identity fraudsters. But I'm not really worried.

Back in the days, before the internet bubble, our division got into a lot of PR hot water over the matter of privacy. I had a nicely complex argument that shot down most arguments against our cookies and weblog inspections that went a little something like this. You need to take into consideration the value of your information. Why would a thief buy $500 tools to steal a $50 item? And while it may be true that part of the value of these recent identity theft break-ins is the size of the theft, sooner or later there has to be a fence value for each one. What is, indeed, the value of you mother's maiden name?

I've been thinking about what the value of my writing on the internet for the past 12 years has been. I've always assumed that some poor graduate student would have to troll through it after I'm gone to make some anthropological sense of the contribution of the post-civil rights black middle class. But more recently, especially since my mother says I confess too much, I've been thinking about its value to my own children. After all, they're probably the only ones who really care enough to read more than a little bit. I don't tell people to read my blog, and I don't often mention that I do blog, but I think that most of my friends know about it - and don't read it. I know that my mother is the only family member that reads Cobb on the regular. Such facts, combined with the fact that my IQ is right about at the same level as my FICO score, I don't particularly worry about my identity being stolen.

I have several issues with 'action at a distance', and so while I am often the first to indulge in the latest technological goody, I am far from being dependent or overly respectful of all this stuff. I know how fragile it is and how wrong it can be.

Since I'm not cheating on my wife or stealing from my employer or blackmailing anyone, I can see no particular enemies looking to do me in. When you think of the guns and violence, we know that people are generally killed by people they know for reasons that don't take long to figure out. It's likely to be your own son who is out joyriding in the family sedan. Because it's a family sedan, it's not so attractive to professional thieves. My identity is no Mercedes Benz, at least my identity as tied to financial data about me in hackable computers somewhere. But if there is dirt doable to me, it would most likely be by an insider. Did I spend 200 bucks on a dinner in Salt Lake City? My wife would kill me if she found out. That's my kind of worry. (Actually it was only 74 bucks).

So considering the massive amount of information about me through my blog, and who knows what the google archive has via google groups, there's a lot to know, but little to do. What's the motivation? How is the information valued? Moe importantly, how does it get fungible? Which is to say, where is the fence? What is the eqivalent of a pawn shop for the last four digits of your social security number? What do you care if your eyeglasses perscription falls into the wrong hands?

Still, I'd be a bit more comfortable if we had the option to generate our own passwords and identifyers. PGP with a picture and a signature would be plenty. Some joint like the UPS Store (where my favorite Notary Public can be found) or Kinkos could provide this service to customers - live authentication. Banks would be uniquely qualified to do similar things. In fact, I could see a privatized national ID system coming to fruition sooner than a Federal one, and I'd be all for it. Until then, all my business is in the street, and who cares?

Emmitt Till and the Panopticon

Emmitt Louis Till died about 50 years ago, but it has been decided that his body should be exhumed in order to discover new forensic evidence which might lead to others who might have participated in his killing.

In a related story, a registered Oklahoma sex offender was not captured in a Georgia arrest because of a 'failure' to match his fingerprints with all of his known aliases in the FBI database.

People keep mumbling about national ID cards and drivers license requirements. All three subjects are fueling the fire for construction of the American Panopitcon.

Since I'm a civil libertarian, as is most of the Old School, considering that it was our Civil Rights Movement that gave birth to that infrastructure, I have my reservations about panoptic security. That means that I recognize the tension between liberty and security. If I remember correctly, Patrick Henry didn't say "Give me security and give them death." I think we're on the same side of the fence.

And yet the more we try to get justice 50 years late, by using new techologies, the more we tip the balance towards building the perfect system of security. Sure murder is murder and there is not statute of limitations on that, but such matters cannot be taken in isolation. The proper legacy of Emmitt Till is not to be found in a murder conviction, but the moral conviction his death fired in 1950s America. To ask more of Till's dead body is to enable the panoptic forces.

Gladwell's best aphorism of 'Blink' comes to me in the form of the notion of panoptics and chess. Those who argue that enabling the electronic eyes ears and noses of the Justice Department (or the Defence Department or the Intelligence Services) will make us win, because we'll be able to see and hear everything. But consider a chess game. Surely there is nothing you can't see in a chess game. But does seeing everything help you win? No. You cannot see what your opponent is thinking. All you know are the moves he has made in the past.

Surely providing for our security is more complex than a chess game and it's better to see than to be blind. But there are limits at which the price of seeing is not worth the marginal benefit of security. We should be more robust in ourselves and stop wishing for intervention under all circumstances.

Little Brother

Little Brother
The cases brought against protesters in NYC during the Republican National Convention have had a stunning failure rate of 91% according to this story in the NYTimes.

I take this one at face value as further evidence of what the decentralization of technology will enable citizens to accomplish independent of large slow traditional organizations. This is clearly smartmobbery, which can be a good thing. On the other hand, it can start an escalation in the sophistication with which red-handed authorities handle their tech. I predict the upper hand will remain with the crowds for the forseeable future.

Driven to Security

Apart from the fact that I am doing it between 9pm and 2am, my quest to master elements of electronic security are very good for me.

When I took my first full-time job in 1979, it was at the radio department at Fedco La Cienega. As much as it's possible to be something of a local celeb, it was a very cool job to have back in those days. Hmm. I do need to do some more writing about those days. At any rate, I spent a lot of time at the high end audio concession and had a serious case of audiophilia, traces of which infect me to this day. What astounded me was that I discovered that there were turntables which didn't wear out records or skip. In my entire life up until that point, I took it as the nature of the beast that eventually all vinyl records skip and that you need to tape coins onto the tonearm so they wouldn't. Then I started learning about the subtlties of tracking force, anti-skate and the rest of turntable physics and I began to understand a new dimension. I soon purchased a Dual 440 and showed off the fact that I could play records upside down. Freaked people out, and underscored my lust for the technology. These days I am lusting after the unattainable beauty of perfect security. I'm actually starting to have dreams about it.

I've gotten my GnuPG working through Enigmail and a crufty little tray app called WinPT, but I'm digging the CLI. I've also been coming up with a series of code schemes to assist me. As I continue on this quest, several aspects of security are becoming clearer to me - to the point at which the hitherto impenetrable language is actually starting to make sense. But that means bigger questions.

Fzample, a PRNG is a pseudo-random number generator. This is something that a computer does because a computer is not a random machine. Certain algorithms do what they can to be as random as possible to generate a stream... The idea is that a computer can approach the perfect security of a one-time pad, but can't match it because the very fact that computers can be emulated make them incapable of perfect randomness. The idea of a one-time pad is that if you have a message that is x characters long and you mate it with a totally random key that is the same length and never use that key again, you basically have perfect security, because there is never a clue or a reason for that key to be determined. So the point is to come up with as random a key as possible.

How? Well that's the science. There are lots of ways to try to come up with random sequences of numbers but you have to start somewhere. That's called a seed. It's more difficult than it sounds. Take for example the first idea that I came up with:

Get yourself a baseball bat and a digital camera. Go out into the yard and make like one of those idiots on America's Funniest Videos. Put your head down on the upright bat and spin around until you are sick dizzy. As you are about to fall, wip out your digital camera and take a picture. Now come to your senses, download the digital picture and point to a random part on the screen. Find the color of the pixel you pointed to and use the digital code of that that as your seed.

Now how could I attack this method and come up with ways to guess the seed? I could look at green grass and blue sky and figure out the percentages of the time those numbers come up. I could guess that most people are right-handed when they point that their pixels could tend toward the right. I know most people won't try this at night and that they are not so likely to point at pitch black and a few degrees away from that, or perfect white and a few degrees from that. So what might seem to be random is actually not because of limitations of human perception. What we think might be a good random number simply isn't because of the ways humans think. Magicians do this kind of stuff when they're guessing your card.

One of the ironic principles of security is that 'security through obscurity' is a fallacy. Simply because a human being is highly unlikely to think of something does not make that something more secure. This is the challenge that I face in coming up with my coding schemes, and I'm trying to work my way through it. I am coming up with several coding schemes of varying strengths. The first one is called 'X' which is all of the memorized passwords I have used in my life, which could be reduced to a set of about 30. That includes bank PINs and simple passwords I use for website accounts and other kinds of stuff like that. (I've also been using PWS for several years and several other methods, so I'm not so vulnerable.) But of course I forget some of these passwords. Then there is 'Q' in which I take the chapter titles from certain a certain book and run an MD5 hash on it. The result gives me a nice 32 character passphrase which I use in a blowfish cypher. The cool thing about this method is that I can name the encrypted file with a Q10 and know that to generate the passphrase, I just need MD5 and a copy of the book (and a blowfish decoder of course). But what I don't need to do is remember the actual password for the file. What I do have to remember is the 'Q' coding scheme.

The question I have is whether coming up with coding schemes that help me systematically generate strong passwords is actually useful. In other words, does naming a file with some clue to its decryption key make that file more secure because the passkeys are immediately unknown to me, or should I use one master passkey and encrypt all files with that passkey?

I understand that the encrypted file is only as safe as the encryption method. The essential question is whether using multiple passkeys (not to encrypt the same file, for heavens sake) makes a single cipher better, and if so what is a good repeatable scheme?

I know that if I use codewords in the plaintext, that makes message that much more safe in case the cipher is successfully attacked, but my problem is password management. I don't like the idea of having all of my passwords to everything in one file under a master password. I'd like some files to live independently of my having a stored password.

Halo Ring Triggered

This magnetar story is incredible.

A huge explosion halfway across the galaxy packed so much power it briefly altered Earth's upper atmosphere in December, astronomers said Friday.

No known eruption beyond our solar system has ever appeared as bright upon arrival.

But you could not have seen it, unless you can top the X-ray vision of Superman: In gamma rays, the event equaled the brightness of the full Moon's reflected visible light.

OK what does this mean. It means a couple things. If there were a neutron star that flashed like this somewhere in this galaxy, we'd be dead. No only that, since gamma rays and light and all that fun stuff travels at the same time, there would be no warning. Warning would be impossible. One side of the planet would get fried immediately, and depending on how long the flare was so would the other. Then if all of our best scientists and equipment were to survive, it would take them two months to figure out what happened.

Lovely.

SHA1 Broken

Just yesterday I downloaded cfv, a cool CLI tool for win32 that gives me some version checking stuff. I'm going to build a general purpose thingy that helps me build some automatic versioning tools and tripwire stuff. There are plenty of applications for it and I'm going to try to work it to make a secure file system, which is to say one that allows me to eyeball a log of changed files on a daily basis, extra coolness eh?

Anyway, the cfv package hosts a myriad of hash functions which are of varying length and sophistication. I'm a bit paranoid, now that I mention it, of the PGP 8.1 version that I got from PGP.com because its signature file has a dead or revoked key and the pgp keyserver isn't very responsive. I'm beginning to think that PGP itself is a honeypot. So my trust of hash functions has come pretty much down to MD5. But even so, since I use SlavaSoft's HashCalc, I had some interest in SHA1 since its result is a little bit longer. (This by the way made me think of whether or not that's what Google or other websites use to make an ID cookie...) Either way, it appears that it's now broken. This means work for security guys everywhere. Flight to quality. Must be nice.

In English from Frobnicator:

Yes, they found a way to break the hash function. But as the parent said, it does not mean it's suddenly invalid. Sure, the group found a way to break the algorithim, but look at According to TFA a collision can be found in about 2**69 hash operations. That's 590295810358705651712 attempts before they can find a match, as opposed to the 2**80 (1208925819614629174706176) that was expected before the paper. While the paper means it is orders of magnitude less work, it still means a lot of work for the attacker. Lets look at two relevant examples: disc images and passwords. Lets say I have an ISO disk image. I hack it, and want to modify some of the 'junk' bits using their algorithm. I'd still need to perform 590295810358705651712 hash operations on that image. Computing the hash of a disc is a slow operation. That's not something I could do in a day, week, or even a few months. Perhaps if I had a massivly parallel computer available, I could do it, but not as an individual. For a password, hopefully your system would lock the account long before there are that many failed login attempts. However, if your attacker has that kind of resources, you can assume it is feasable for them to find a hash collision. That's really only significant for governments, multi-national organizations, and other major enterprises, but not for most people.

So down here on earth, it's not a big deal, especially for those of us who don't shred all our trash.

Cell: Processing Jail

IBM's new Cell chip could be revolutionary.

"It’s hard to avoid the conclusion that Cell processors will have an extraordinarily secure but cumbersome memory model. For each main-memory access, the processor would have to consult four lookup tables... Three of those tables are in DRAM, which implies slow off-chip memory references; the other table is in the DMA controller’s SRAM. In some cases, the delays caused by the table lookups might eat more clock cycles than reading or writing the actual data. The patent hints that some keys might unlock multiple memory locations or sandboxes, perhaps granting blanket permission for a rapid series of accesses, within certain bounds."

The Cell chip promises to destroy spam, viruses and spyware. That's the good news. The bad news is that here we have the makings of the beginning of the end of file sharing, basically the ability to put DRM security into hardware.

While it's certainly true that security schemes like DVD decoding can be 'chipped', those are rare individuals who can. The ability to short circuit the memory model of the CPU is going to be a rarer quality still. So, practically speaking, once Cell chips are common, the world loses the power of the masses to overcome industry security.

This is yet another indication to me that we are coming closer to the surveillance society, that more and more of our activities can and will be monitored. There are many ways out, but not for the urbane. Some other time, I will talk about life off the grid, which I predict will be the return of the rugged 70s, which was actually a pretty interesting time in its own right. But now, let's consider life in the grid.

The promise of grid computing is delicious, and the Cell processor will be a great enabler of that. A moment's consideration suggests to me that somehow, there are going to be fingerprints on processes. In certain ways this too is very exciting. For those of you who are less technically inclined, think of it this way. If you are using windows, if you bring up the task manager, you can see all of the programs your computer is using, sorta. Notice the difference between 'Applications' and 'Processes'. As I write this I show 9 applications running, which corresponds exactly to the number of windows open on my desktop. But when I pop over to Processes, I show 76. One of the things Unix guys (like me) fuss about is that some of these processes can be made invisible to Windows. There might be 10 or 20 more running that I don't know about. That's a simple definition of spyware, and it's a big security hole in Windows. In Unix and Linux systems a command called 'ps' gives a much more comprehensive view. That is, unless your kernel has been hacked.

The general solution to knowing what exactly is running on your machine is 'fingerprinting'. There are algorithms called 'hashes' that can uniquely identify that every bit in a collection of bytes are in the right place and order. The one I like is called MD5. You could take a huge file, say a 10GB picture of yourself, and change one pixel on a nose hair and MD5 will generate a completely different fingerprint of it. The security tool ZoneAlarm maintains a table of hashes for every program that your computer allows to talk to the internet. But a more advanced kind of security program would have fingerprints of every process that your CPU runs at all. Digital Rights Management extends this concept to certain types of data as well. Whereas ZoneAlarm gives the authority for allowing or restricting programs to you personally, DRM would have third parties determine that authority.

The Cell chip facilitates such matters by having its own unique ID which can be checked. It doesn't take long for a database guy like me to add two plus two. If you think online registration of programs you buy is a pain, imagine the day when it's done for you whether you like it or not. That's what DRM architecture is all about, and the backdoors will only be in hardware, or at least that's the plan the way I would plan it.

The great exciting advantage of this is that I could conceivably authorize my mother's computer, with her permission, to help me crunch some numbers. In fact, I could join a computing pool and authorize some fingerprinted programs and/or data to be run simultaeously by the group.

Now here's the killer, which I never thought of until this moment. I could create a program within which is some encrypted data, that can only run on processors I designate. I could, in effect, create my own DRM scheme. 'I' meaning Al Qaeda. Of course, there will always be 'old' computers and those who don't run Cell processors, and there will conceivably be ways to disassemble code compiled for Cell use only, so there will always be ways to crack the uncrackable. But this is just one more escalation in the complexity of modern computing. It's like an arms race.

US Search

I just wasted a perfectly good 2 hours at US Search looking up random people in my contacts list. I found every one of them. It's rather astounding that so much information is available, and yet when you really think about it, it's not so much at all. It's only because I know the people that I know that any of the information is correct. If I didn't know the people at all, I'd take more of the information presented as credible. They say that the test of intelligence is knowing what to discard. True.

I'm buying Schneier's book on IT security, 'Secrets and Lies' to get myself up to date on some basic concepts of security. As well I'm thinking about Ricky Jay and different kinds of confidence games. There's so little we actually know about people, and so many people out there. I am finding at this point in my life that I'm feeling a bit like a teen - that everybody else is having fun with everybody else except me. Only this time I know that people are very disconnected.

Every time I think about the old demographic chestnut that about half of the people in the US are born, live and die within a 50 mile radius it makes me think about Foucault's ideas about sex and proximity. We only think that we are falling in love with the right person, but our experience is far too limited. We love the one we're with, and we try to change them, and we resign ourselves. I'm comfortable with all that, except now I know where several of my ex-girlfriends live. A little knowledge is a dangerous thing.

But we are getting better about understanding the connections between people. For example, I had no idea that there was a difference between the sexual activity of teens and adults.

Still I didn't pay the 40 bucks it costs to deliver the details for any of my foundlings, which illustrates a principle about privacy. It costs time, effort and money to invade someone's privacy. No security analysis is useful without a cost/benefit analysis. What your information is worth to somebody else is usually a whole lot less than what it's worth to you, so little in fact that it may not be worth going after, even when it's in plain sight.

Lastly, I want to give a plug for HUMINT. I really have a ball watching '24' and shows like that. Go Jack.

Face Recongition, NOT

Don't believe the hype.

I spoofed this analysis eight ways to Sunday. If this is the state of the art, we've got another generation to go before we can do even basic stuff. This thing is so pathetically bad, I don't even know why they bother. It may as well be random.

Circle of Trust

I'm creating a Circle of Trust.

The spousal unit as well as at least two others have expressed concern for my bumpy black butt as I take it to the Far East. As well, I will be involved in some high finance as someone close to pure capitalists and dealmakers in what is ostensibly a communist and repressive society. I like the quote I recently read that the heads of the Chinese government are 30% Communist and 70% Sopranos. So it makes sense for me to watch my back.

But that is also true in any circumstance and it is part of a theme I will be repeating as my review of the film 'Hotel Rwanda' takes shape this week. Anonymity can be deadly.

So I will endeavor to implement various features of, for lack of a better term, a cell-based distributive circle of confidants, starting with those of you who comment here at Cobb. You know me, literarily, and have access to my Cobbian style and voice.

I hear tell that one of my new associates, being the scion of international wealth and power, will have access to goods of eye-popping capability. So it makes me drool a bit to be in the company of those who literally have to read science fiction in order to get excited about what is possible, because they've seen everything that actually exists in physical form on Earth. Me, I get excited about stuff like the Mac Mini, and Tivo To Go. While it still makes me feel clever that I can reasonably debug the plot devices on 24, I know there are people, John Lee, for example, who may have already been bored by cloning cellphones and hacking bluetooth linking protocols. So at some point I may have access to some real-deal executive security insights. But for now PGP will suffice. Plus it's cheap, if not free.

Starting with you all, I'd like to update my network of PGP folks. I think PGP is a start unless you have better ideas.

Encryption Export Restrictions

I wonder if there are any cypherpunks out there who might be able to clarify my interpretation that Clinton took all commercially available crypto off the US Munitions List in 2000. That's what this seems to say, but I'm just looking for a quick abstract.

UPDATE: I think it's pretty obvious here...

SUMMARY: This rule amends the Export Administration Regulations (EAR) to allow the export and reexport of any encryption commodity or software to individuals, commercial firms, and other non-government end-users in all destinations. It also allows exports and reexports of retail encryption commodities and software to all end-users in all destinations. Post-export reporting requirements are streamlined, and changes are made to reflect amendments to the Wassenaar Arrangement. This rule implements the encryption policy announced by the White House on September 16 and will simplify U.S. encryption export rules. Restrictions on terrorist supporting states (Cuba, Iran, Iraq, Libya, North Korea, Sudan or Syria), their nationals and other sanctioned entities are not changed by this rule.

yay!

Gary Webb: Dead

You've got to be brilliant or crazy or a bit of both to take on the CIA singlehandedly. The bigger question is whether you can survive the success or failure of such an endeavor. All in all, the odds are against you, and now another David lies dead in the shadow of Goliath.

It was a suicide according to this article, but it might be more appropriately called a collective execution. Webb long ago lost the support of the profession, despite his willingness to go the extra mile to make his case.

The publication of his book 'Dark Alliance' set a lot of tongues wagging and eyebrows raising. But in the end it didn't prove enough to be the kind of damnation CIA haters would prefer or vindication CIA suckups desired. It showed a complicated and convoluted series of events with plenty of dirt and blame to go around. In the end, I believe that his profession abandoned him.

Webb's job may someday be internalized by massive organizations. Investigations of the sort he embarked upon over continents and years are the only way anyone can find out what goes on aside from those directing operations. In a publicly funded organization we have a right to know, even if most of us would prefer not to know.

Webb's death reminds us that there remain high prices to pay for the burden of unwelcome knowledge. Truth serves no man.

Hack Verizon

Verizon is digging their own grave, but only because clever folks are speaking up.

These guys are right for setting up the attention. A couple thousand bucks might not be enough to do anything, but when it gets to 5,000 then hackers will come forward. It's an eyebrow-raising proposition.

Bluetooth hasn't really fulfilled much of its promise. I wish it would because as nice as USB is, I sure would like to get rid of all the cables behind my desk and television. Let's get it started.

Literal Rednecks

In somebody's neck of the woods, some rednecks talking out the side of their necks got their necks broken.

The truck driver and father of six had come up from his home in St. Paul, Minn., intending to hunt on public land. He got lost in the dense forest and, wandering near a swamp, climbed onto a tree stand — a wooden platform built on a branch. A hunter approached and told him he was on private property. Though he hadn't noticed a No Trespassing sign, Vang said, he climbed down and walked away.

Then, Vang said, five or six hunters in all-terrain vehicles drove up and demanded to know why he had trespassed. He told them he was lost. They surrounded him and began spitting out racial slurs. The men told him they would report him to authorities. They cursed him. One of the hunters was carrying a gun, he said. Vang, walking away, turned and saw the gun pointed at him. He dropped to the ground. A bullet whizzed by him.

Thus sayeth Vang, who turned out to be more than these airheads bargained for. I don't understand what it is with people who think they can just provoke anybody without repercussions. Rule number one is never point a gun at somebody unless you're aiming to shoot. And if you shoot, don't miss.

And so..

He shot the man who had pointed the gun at him. The man dropped. The other hunters ran toward their vehicles. Vang kept shooting. More men fell. He chased those still standing, shooting one in the back. He heard the man groan. He walked past the body.

As the hunters' friends — alerted by walkie-talkie — arrived in two more ATVs, Vang took off his blaze-orange coat and turned it inside out so the camouflage pattern showed. He reloaded. An ATV whipped past, a man steering with one hand and holding a gun with the other. Vang shot him and the young woman sitting behind him.

I think Vang knew he was a dead man walking as soon as he killed the first man. Anyone for gun control?

Reverse Spoofing?

OK now I've seen it all. I'm just checking the blog for referrers which are a bit high today and I see that I have been cited as a 'sponsor' for a popup. I have no idea how that happened.

Somebody at Fastclick.net has pulled an interesting fast one. Somehow their popup pops up from somewhere and then it redirects the victim to here. So I've got to figure out how they did that.

Obviously you could see how bloggers might be reluctant to undo the spoof, since it attracts traffic to your blog. But I'm not associated with fastclick.net and I don't want to be, despite their being rather clever bastards.

UPDATE:
Nevermind. I actually *am* happy to be associated with fastclick.net because they are part of the conglomerate that hosts my racism test. Thanks to Kyle for discovering this.

Jacking Al-Jazeera

My brother Doc, in his heady froth of patriotism, gave me a bit to think about the other day. It's a simple question I'd never considered before. Why doesn't the CIA just jack Al-Jazeera?

When I began listening to Chomsky a long time ago when he manufactured his own version of Manufactured Consent by dominating progressive left thought, I have believed that the CIA had moles operating in joints like the NYTimes. While I've come to a bit more sophisticated understanding of information theory, I understand there's no need for a physical arm-twisting editor on board. Information can be contained and parsed out in such a way as to appear complete and suggest without confirmation or denial of a concealed truth. In other words, my ability to influence what you think exists independently of my capacity to control what you think. When nits comes to grits, influence is enough, especially when you are the CIA and can always restrain what anybody can know without your permission. The point of all this is that I've always believed the CIA capable of great manipulations, and influencing any media outlet or conglomeration of them doesn't seem beyond the pale. In fact, it is not beyond the realm of possibility, as far as I'm concerned that Rupert Murdoch himself is operating according to a CIA plan.

I don't concern myself with such far fetched ideas, I just concede the possibility that they might be in somebody's interest.

Considering that symbolically, OBL is the most wanted man in the world one wonders what lengths our boys have gone to track his whereabouts. How difficult would it be for the CIA to figure out which reporters at Al-J are getting the periodic videotaped bloviations of Public Enemy Number One. There is a transaction that occurs here on the regular and clearly his emissary has mastered the art of the dead drop. But we've busted spies before, how hard can it be to bust a reporter for an enterprise as green as Al-J?

I believe that an organization like Al-Jazeera, despite its editorial position whatever it may be at the moment, is more valuable in the long run to US interests than one that is compromised and embarrassed by our spymasters and CI agents. Nevertheless, I have few doubts that there are more bugs in that joint than anybody there suspects. If not now, then soon.

What's In Your Wallet?

A few weeks ago I bought some business card software. These days I'm brainstorming about a new website concept that I'm putting together. Part of the idea is that people need to moderate their social circles with a bit more sophistication than has previously been done. How do we help manage that? I'm spending more time around the Corante Crew to catch a clue or two. Greg has an interesting set of ideas.

I've cranked out 6 different business cards, and I keep at least 4 versions onhand at all times. The first is the Daddy Card. When I'm at a school function, or out with the kids on a day trip, I leave the business mind far behind. It's lavender with a Matisse kind of graphical sun in purple. It has my home address and phone number. I give this out to potential refrigerator pals - people I wouldn't mind dropping by to grab a snack out of the fridge.

I also have a blog card, the title of which has me listed as a 'Large Mammal'. It also has the Cobb icon on it. My generic business card is for employees of companies where I work strictly pointing them to my website. And the detailed business card is the one shown here, that I give to people I believe may actually give me some business. There are a few others that I rarely use, one with me as publisher of Vision Circle and an older version of the blog card. There's also one that has me listed as a technical specialist in my partner's business. There are two other jobs I do for which I have no cards, but that doesn't concern me much.

I have been multiple people online, and still have mail from at least 6 domains coming to me at gmail and on Outlook (I'm leaving Eudora and GMail for Outlook (and Lookout & Google Desktop Search) and GMail). So I am accustomed to juggling multiple identities. I'm also an online gamer and none of those people fraternize with any of the other people. I need to be different things at different times, and I need different ways of presenting myself on different occasions.

This basic concept, a kind of extended code-switching, is something I think lots of people do. So our identities online need that multiplicity. Speaking of which, I have registered at Multiply (and Friendster, and Linked-In, and Orkut) and none of them really works for me. The best thing that works for me is my blog within my large, constantly evolving website. This is key to the concepts that interest me vis a vis virtual and extended self-representation.

In some ways, I am concerned that the online gamers I play with don't discover that I'm over 40. In other ways I am concerned that potential employers don't discover that I'm a political cartoonist. Most of the time I'm concerned that my blog readers don't discover the names of my kids, but in all those ways I know I'm not truly secure. Still, the illusion that I can hide parts of my life is satisfying. So with that in mind I wonder if we don't work a bit too hard in ensuring a kind of privacy that, with certain selected people, we actually want breached.

It makes me think about reality television. We have, in many ways, become the defensive, cocooned, SUV driving, stay at home people we forswore two decades ago. To that extent reality TV is a way for us to see that other people are as weird as we are - to confirm that our foibles are common ones, given that we cannot communicate them publicly. We want to be accepted for who we are, warts and all, but only to a select few.

As Shrek said, we're like onions. Wouldn't it be nice if I could decide how many layes to peel, on demand, without making anyone cry?

The North Korean Bomb

Q: If the DPRK did successfully explode a nuclear device on Thursday, why did we not hear about it until today?

Answer 1: It didn't happen.
Arrogant Analysis 1: Stupid fascists just blew up their own plant trying to stage a bogus test and make everyone fear them. Another escalation of rhetoric will ensue. The North Koreans are all hostages.

Answer 2: That's just how long it takes newspapers to find out because North Korea is so isolated.
Arrogant Analysis 2: Which only proves that the North Koreans are a threat to nobody but themselves. If they dared make a move against anyone, they would be crushed. Blowing up a remote part of their own country is all they can do. The North Koreans are all hostages.

Answer 3: That's just how long it takes newspapers to find out when the US Government wants the news suppressed.
Arrogant Analysis 3: Worry.

Richard Forno

Richard Forno is the coauthor of Incident Response (O'Reilly) and The Art of Information Warfare (Universal). He helped to establish the first incident response team for the U.S. House of Representatives, and is the former Chief Security Officer at Network Solutions. Richard is currently writing and consulting in the Washington, DC area.

Keep this man's name in mind when you start hearing discussions on security. I'm thinking these days of the amateur CT person who helped the FBI nail the latest domestic traitor to AQ.

Here's a few of Forno's wise words:

Let’s play devil’s advocate for a moment and see what the real consequences of a cyber-terror attack would be. Could someone shut down part of a power grid or water system via a remote dial-up connection? Perhaps, but the same could be accomplished if someone managed to gain physical access to such facilities to throw a few switches and turn a few knobs. Besides, we’ve proven during countless natural weather disasters that we can live without electricity for short periods of time. Should critical networks be compromised, we can still pay for groceries with cash.

Even if any of these scenarios were realized, life might be a bit inconvenient or slower than normal at times, but we will still be alive, and buildings won’t have toppled. Life will continue to go on, and soon return to normal, likely more quickly than if recovering from a physical type of terror attack. A potential compromise of the air traffic control system doesn’t necessarily mean that planes will start falling from the sky: airplanes have arcane backup systems known as “pilots” and “co-pilots” who can fly and land them safely.

I've recently signed up to Cryptogram and started perusing back issues. Great stuff. If you don't know Bruce Schneier, you should.

The New Security

This morning I sent out an invoice to one of my customers - an Adobe PDF file. Since GMail wasn't working, a periodic annoyance, I used my old Eudora client. As the mail went out, I noticed that there was a lack of an outbound virus scan. Usually when I send out a large document, it takes several extra seconds as Norton AV checks to make sure I'm not poisoning my email recipient unintentionally. This time, the little window didn't pop up.

Is Norton turned off? Yes, but only for outbound mail. Now I remember. When my buddy made his debut as a bassist in a reggae band, I spammed several hundred people on his behalf. In order to accomplish that, I turned off the outbound scanner.

It has been about 20 years since I first started using anti-virus software. I was getting McAfee updates even before Mitnick's famous worm. Back in those days, the threat level was nowhere near as consistent as it is today. Viruses are much more sophisticated, but ironically, they tend to be a lot less deadly. Back in those days, many virues just erased hard drives - they were just plain destructive. Today virus hackers seem to be more interested in owning fully functional machines. It's more like brainwashing than killing. We are a nation of potential Manchurian Candidates for today's crackers. I'm fairly safe however, but my safety has more to do with my own awareness than what any tools do for me. It was the fact that I know my outbound mail should be scanned rather that the fact that Norton does it for me, that adds to my security.

What I'm particularly pleased about this morning is that this consciousness is embedded in me after all these years. It doesn't hurt using it. I think about surgeons that I know, they'll drink themselves under a table, but they won't touch cigarettes. When you understand what the bad guys can do to you, it's not paranoia any longer, and after you've been practiced the safe regime for a long enough time, it starts to feel more like common sence than 'preparedness'.

I bring up this notion because I know that it's important for the future of our country, in the face of terrorism, that we all begin preparing ourselves. For what it's worth, I think people are getting accustomed to airport security. Whenever I have to go through a terminal, I know to wear my Oakleys. They come off in a second, they pop on in a second.

But I also know that, as a civil libertarian, I am particularly sensitive to this boiling frog effect on our important freedoms. The important thing to know is that once your security conciousness becomes elevated - when you begin to understand more about the threat against you, so does your understanding of the value of the tools in place (or not) to protect you. Again, it is the consciousness that is your strength, not the tool. Because as time goes forward, the nature of the threat will change in terms of its manifestations. Terrorists might want to blow up hard drives now, but next season they may want to brainwash us. The point is not to get overly dependent on one defensive tactic. We'll then have the options to trade-off. Maybe we want to spam for the sake of our friends, so we'll turn something off for a while. Maybe we'll want to encourage American students to study abroad, so we'll lift exit visa restrictions for a while.

In order for us to accomplish this kind of preparedness consciousness, we need to have some transparency from our government. Way back in the day, when I first loaded McAfee (or was it Norton?), I remember that the virus definitions all had names and descriptions. It gave me a great deal of comfort to know that any day I could look up the name of one of xhundred viruses and their variants to understand what kind of damage they might do and how likely it was that I would be infected by it. They still provide services like this today, even though I don't use them, I'm glad to know that they are there.

Twenty years ago, most Americans didn't even have PCs much less any knowledge of viruses or how to defend against them. But the fact that companies like McAffee and the Norton guys (who have been owned by several different entities) have been open about virus threat assessment and detection let a sizeable group of Americans operate securely. We've been able to internalize and maintain our preparedness consciousness because of that transparency. Now we would no more likely leave our machines unprotected than a cardiologist would smoke or an AIDS worker sleep around. But we know average Americans are not always so informed and disciplined.

When it comes to Homeland Security, some of us are going to know what's behind the big Orange Light, but most of us don't. Somebody somewhere is going to have to be our Surgeon General and start spreading some details and transparency. Even if she's going to be frank about masturbation like our old friend from Arkansas, Dr. Elders. Better safe and embarrassed than smug and in danger.

I'll vote for a president who does that.

Spy Geekery

I'm having a paranoid moment.

What if somebody came into my house, or better yet, what if somebody were eyeballing me as I type this? They'd have to notice the DVDs next to my flat panel: {Ronin, Enemy of the State, Spy Game, Swordfish, Heist, Heat}. They'd have to notice my bookshelf {Ludlum, Bamford, Littell, Clancy}. They'd notice all my books on hacking. And as I write this I'm desparately trying to find out what a TR105 is and how I could get one.

I need to get outside.

Pub Tagged

Silly me. I've been pub-tagged by PsychoDad.

I have a box on the web that I've kept a few ports open on in order to have a nice way to access files at home. I opened up the FTP port in order to handle a 3gig file I had to get from a customer site. Ordinarily I would just use one of my hosted domains for that kind of stuff, but I obviuosly didn't have 3 gig sitting around...

The symptoms are easy to spot. A whole tree of undeletable directories. MS can be somewhat helpful, and I've used solution number 3, to a certain extent. But I want to know exactly what my vulnerability is.

Of course there are utilities from people who are ready and willing to help me, for a fee. But I'm going to read the little doc on it and work my way out of the mess I stumbled into.

Beware.

Earthlink.biz

Somebody sure does hate Earthlink.

Spammers have created an ever more sophisticated set of ruses to get people to send them credit card information. They have been fairly sloppy enough in the past to leave the URLs in their new forms pointing to their bogus domains.

But today, they seem to have gotten control of Earthlink.biz and somehow a redirection for tr.earthlink.net. It didn't fool me because I'm in security awareness mode this week, but this latest was a pretty good spoof.

Be alert.

Unix Viruses &cetera

A Taste of Computer Security

Given the nature and scope of the field, it would require one or more books to even briefly touch upon all that is known about computer security. This document's goal is only to give you a taste of (a subset of) the subject. The various sections are not uniform in their depth or breadth, and the document's overall structure is not pedagogical. I could have titled it Thinking Aloud On Computer Security, if not for the somewhat pompous undertone.

Shoe Bombs

I've actually had enough free time to read a book. Although I'm not finished with 'The Man Who Warned America' I have read enough about Ramzi Yousef to be significantly impressed with this whole shoe bomb thing.

To put it briefly, Yousef got busted and they found his computer describing his elaborate plans to sneak explosives onto commercial aircraft. So while most of us were laughing at the British guy they arrested with the shoe bomb, Yousef showed that it could be a very capable weapon.

Coup

Mike Ruppert is at it again. I had almost forgot about this ex-LAPD officer who shouted down DCI Deutch when he came to Los Angeles' First AME Church to try and explain the CIA-Crack connection. This time Ruppert sees devilish doings in the resignation of Tenet having to do with the Plame investigation. His angle? It's part of a setup by the CIA to take W down.

If you have nothing better to do than stew in Ruppert's juices, take a peek. Of course there's more than a grain of truth. But who can tell which through his breathlessness?

For the record, I think Ruppert's not a loony, but he'll never get dignified. He's a muckraker whom any day might find himself in a politically engineered character assassination. In other words, he's pissed off the powers that be, and for that he has earned the title of lone wacko, whether or not he deserves it. He has been deep enough undercover in joint LAPD / intelligence community activities to understand how twisted our tactics can get, but he's betrayed the colors. He's always looking over his shoulder, poor blighter.

What the Hey @ CIA?

Trigger Fish shows scuffling and rumbling for a new head honcho at CIA. I don't know what the hell is going on over there. Is it just me or does it strike anyone strange that there have been too many DCIs over the past 20 years? After Casey came (Webster, Gates, Woolsey & Deutch) four in 10 years. Tenet seems to have stuck around longer than any, and 7 years is a good long time. But did he turn it around? Is the CIA over its shuffling at the top? Every time they have a new head of the CIA or FBI I get a very weird feeling.

I think something big and dirty has gone down, let's see if the insider gets it.

Chalabi Dropped

Today's news about Chalabi is especially juicy, and I think it points directly to the storms of intrigue and infighting between the White House, Pentagon, CIA and FBI. In particular, I think Richard Perle is looking especially egg-faced today.

Assuming you know the story and/or are vaguely familiar with basic spycraft and/or information theory, you were probably laughing out loud at this paragraph in today's NYT.

According to American officials, the Iranian official in Baghdad, possibly not believing Mr. Chalabi's account, sent a cable to Tehran detailing his conversation with Mr. Chalabi, using the broken code. That encrypted cable, intercepted and read by the United States, tipped off American officials to the fact that Mr. Chalabi had betrayed the code-breaking operation, the American officials said.

That's rich. Echoes of Cryptonomicon huffduff.

My money says some spymaster at DIA who has been pissed at Chalabi for a long time put into motion this plot to discredit him once and for all, with the possible cooperation of State (or at least with the knowledge that Colin Powell could benefit from a discredited Chalabi who now becomes the 'source' of 'all' the 'bad intelligence' about Iraqi WMDs).

Sooner or later, Chalabi would become expendable especially given the way things have turned out in Iraq which make the PNAC crew look better than they deserved to. What career Pentagon intel officer could stomach Perle's pontifications and the general besmirching of CIA and other US intelligence organizations? Time to show what they can do.

So, suspecting as any spymaster should, that Chalabi is playing both sides of the fence, they set him up with a 'drunk' agent who 'inadvertantly' says that Iranian codes are broken. Chalabi falls into the honey pot and spills the beans.

The other possibility here, as suggested by Canistraro is that some guy really was drunk and no US intelligence agency knows any other Iranian codes. That would be incredibly stupid, in fact, unbelievably so. But in any case, Iranian agents in Iraq are going to have to be restrained considering that this news is all over the place and their codes and cyphers are going to be changed anyway.

I say this is a fairly interesting turn of events. The question now is, where are Chalabi's deadly enemies and what excuses are they going to find to wreck the Iraqi National Congress? Hmmm.

FBI Systems

Listening to Janet Reno this morning on CSPAN, one wonders exactly what kind of system is being built. This thing seems to be magical, because with it, they're going to be able to really catch the bad guys, and without it they seem to be lost without a clue.

At least we can be reasonably sure that this is an IT assignment that won't be outsourced.

AQ Kahn: International Goat

We know too much about this guy.

I have a strange feeling that AQ Kahn knows a great deal more than he is saying and that he is alive for very, very specific reasons. The last time I felt this way about somebody, it was when Skilling quit Enron 'to be with his family'. There is some massive conspiracy afoot.

Blackout Retrospective

I mentioned just after NYC went dark and I started sleuthing that there was a reasonable possibility that computer failure was at the heart of the problem. Bruce Schneier is looking closer and here's what he thinks.

The chain of events began at FirstEnergy, a power company in Ohio. There, a series of human and computer failures turned a small problem into a major one. And because critical alarm systems failed, workers at FirstEnergy did not stop the cascade because they did not know what was happening.

This is where I think Blaster may have been involved. The report gives a specific timeline for the failures. At 14:14 EDT, the "alarm and logging software" at FirstEnergy's control room failed. This alarm software "provided audible and visual indications when a significant piece of equipment changed from an acceptable to problematic condition." Of course, no one knew that it failed.

Six minutes later, "several" remote control consoles failed. At 14:41, the primary server computer that hosted the alarm function failed. Its functions were passed to a backup computer, which failed at 14:54.

Doesn't this sound like a computer worm wending its way through FirstEnergy's operational computers?

His speculation is backed up by some pretty unusual coincidences, such as the fact that FirstEnergy has been hit before by Slammer and the time that these alarm servers were failing was exactly the same time Blaster was knocking out machines nationwide.

I gave Gent the benefit of the doubt...

Courthouse Snipers

First, shoot all the lawyers.

Last night someone tried to kill a probate lawyer. I suspect this will not be the last time. Imagine the chilling effect if courthouses became danger zones, if the litigious types of our society began to fear their day in court because they would have to travel under armed guard.

What a thought!

The Outrage

Jim Marcinkowski lays down the hardline, Larry Johnson provides the outrage and Vince Cannistraro adds flavor to Daschle's hearings.

I'm looking for a transcript. C-SPAN has the full video, but there is a lot of quotable stuff.

Cringely Gets Tribal

Cringely puts another foot forward in advocating what I see as the feudal future:

My system is based on a registry of friends because we all participate in
virtual tribes that are geographically dispersed. Every person who wants to have
credit, to make a big purchase, or to board a 747 has to have a list of 10
friends -- people who can vouch for their identity and know how to test it if
needed. That takes us out of the realm of the mother's maiden name, replacing it
with, "What was the nickname I called you in the fourth grade?"
I am Bob, and these are my 10 friends.
They don't even have to be friends -- just people who know you. You don't have
to tell them they are on your list and you can change your list as often as you
like.

Yep.

And We Thought Teller Was Dead

With any luck, Carl Collins and his scientist pals in Texas will be proven wrong. If not, then we are on our way to a new age of destruction which will have us looking back fondly to the Cold War.

Here's my advice. Sell all your biotech stocks and find out where you can drop some ducats on Hafnium. For this is the stuff of the atomic grenades of the future. You may as well hedge the bet by putting some chips down on Thorium and Niobium as well. Actually, that may not work because it will become nationalized, but you're a smart investor, you'll figure out how to corner the market.

Apparently, these elements have isotopes that are nuclear isomers. That means that they can be excited to certain states at which they release great amounts of energy as gamma rays. It's something like nuclear fission without the ugly byproducts. Sounds appetizing? You betcha.

According to the New Scientist:

Scientists have known for many years that the nuclei of some elements, such as hafnium, can exist in a high-energy state, or nuclear isomer, that slowly decays to a low-energy state by emitting gamma rays. For example, hafnium178m2, the excited, isomeric form of hafnium-178, has a half-life of 31 years.

The possibility that this process could be explosive was discovered when Carl Collins and colleagues at the University of Texas at Dallas demonstrated that they could artificially trigger the decay of the hafnium isomer by bombarding it with low-energy Xrays (New Scientist, 3 July 1999, p42). The experiment released 60 times as much energy as was put in, and in theory a much greater energy release could be achieved

The fine fellows at SRS are trying to find ways to manufacture mass quantities of this very rare element, which will be quite expensive. But dig this, there's no such thing as a critical mass. You can make really tiny weapons. Maybe you can flatten a block with a suitcase bomb. Exciting mad scientist stuff, that is if you can get it to explode. If it just fizzles, it will have the same ethical nastiness as neutron weapons do now, but if it goes boom, it's likely to get used.

Well, the controversy is just getting started.

"In my opinion, this matter is worse than cold fusion," said panel member Bill Herrmannsfeldt, referring to unconfirmed claims by scientists in the 1980s that they had generated nuclear fusion energy at low temperatures. Herrmannsfeldt, a physicist at the Stanford Linear Accelerator Center, is leading a revolt against hafnium-178 weapons work within HIPP itself.

Although Herrmannsfeldt regards claims for hafnium-178's super-energy powers as nonsense, he fears that other nations will take them seriously, triggering a new arms race. Recently, he successfully urged numerous top scientists to co-sign a letter to Washington officials citing experts' reservations about the scientific credibility of hafnium-178 claims and asking for a review of those claims by independent experts.

FAS has nothing on it yet. Keep your eyes open.

Who Do You Think You Are?

Bryonn Bain thinks he's an intelligent civilized man. The System knows better.

I was interrogated about "terrorist activity"—whether I was involved with a terrorist group or knew anyone else who was—without an attorney present. My Legal Aid lawyer claimed she was also a medical professional and diagnosed me as mentally ill when I told her I teach poetry at New York University. After my bail was posted, I was held behind bars another night because central booking ran out of the receipts required for my release. On my third day in jail, accused of two misdemeanors and a felony I knew nothing about, I was finally found innocent, and allowed to go home.

What's ironic about this whole deal is that computer systems are the way out. People forget something about excellently done computer systems, the mistakes they make are minimal and the speed with which they do things right is phenomenal. Now there are certain to be exceptions, but I challenge anyone to suggest that Citibank's ATMs are routinely making mistakes that cost the bank or its customers any money. When Walter Wriston put his money where his mouth was on electronic banking, an entire new era in finance was begun. Investments in the billions paid off and changed the way we behave when it comes to getting a little cash for the weekend.

Until such time as there is such a trusted and reliable system for identity, we are going to be subject to travesties of justice which are far more consequential than bounced checks.

Today, I can go online, call on my cell phone, or use a magnetic stripe card and a pin and know what my bank balance is, 24/7/365.25 It's not a problem. That is because the infrastructure is right. Sooner or later there is going to be a trusted identity net, and we in the chatting and privileged classes are going to be the first beneficiaries. I'll be speaking about it here in Cobb as time goes by.

Who do you think you are? And who knows you well enough to prove it? Do not doubt that I consider my existence in the blogosphere and your recognition of it as insurance against dark days to come. I'm down with the Negrophile among others. What's your phile?

Ammonium What?

I am currently reading Dick Marcinko's 'Violence of Action', a literary action movie about some terrorist organization that threatens Portland with a suitcase nuke. It's a great guide for recognizing the tools of the trade, that is if you are a field operative in CT.

I've learned a lot about tactical goodies like H&K USP 45 Compacts and Leupold & Stevens Mark 4s. Having read Red Cell as well as several others in the Rogue Warrior series, I find Marcinko a credible and pleasant alternative to Littel and Ludlum. Marcinko is all first person expletive narrative instead third person geopolitical omnicient. He gets you inside the bones of a warrior who has to do the moderately impossible at the behest of Pentagon 'puss-nuts', which is much better for the suspension of disbelief than following a Jason Bourne around the globe. When 'Demo Dick' gets his hand on a weapon, or outfits his crew, you really get a feel for how important skills and alertness and exasperating, excruciating discipline is necessary in this, the most dangerous work you're glad you never have to do. So when he starts talking about suitcase nukes, SADMs, you really start to believe they exist in reality.

So let us consider the probability that suitcase nukes exist in reality in significant numbers. Let's imagine further that 3 are loose.

If Saddam Hussein had one, how would we know? How could we know? And what of Al Qaeda?

OK so now we've taken two steps away from proveable reality. Let's go all the way across the gap to Bali. This gap will never be bridged for the civilian public.

Tattling Tags

The LATimes offers a clue to RIAA tactics against the defense of copying your own MP3s. ID3 tags.

OCW

It's time to remember that MIT has Open Course Ware. Which means that if you really are interested in learning something online, you have every opportunity to do so. Ever since I got bored out of my mind at university, went broke and dropped out, I've been having nightmares about missed exams. Well, to be honest, the nightmares mutated right about the time my first child was born. Still, like all those who shoulda, coulda, woulda, I periodically lament my lack of degrees, especially when I have to explain things to the sort of people who barely achieved their own.

Nevertheless, I have determined that at this stage in my life, if I were suddenly to have enough money to stop working, I would go for an economics degree. That an network security are two things I only vaguely understand and feel guilty that I don't know more about. Well, those two and how to play Liszt on the piano; fat chance on the latter.

Meanwhile, I can structure up some of my free time ignoring my family and learning macroeconomics thanks to MIT. There's hope for the world after all.

SCADA Hacks

I hate to admit it, but as soon as the words 'modernize' came out of our President's mouth in regards to what needs to be done about the power grid, I wondered which energy companies he had been talking to this morning. This is not a technology problem. This is a process problem. We'll know more details in time.

Nevertheless my curiosity tends toward the infrastructural difference between power grids and peer networks. The internet works if you blow up any piece of it, but the power grid can have cascading failures. Why? I'm looking to find out soon.

What's clear is that the internet, which is more robust than the power grid can be hacked. Isn't the power grid then even more vulnerable to hacks? Probably so. It's not clear that they are as susceptible, however.

Meanwhile, here are some interesting links:

SCADA Hack One

To destroy a dam physically would require "tons of explosives," Assistant Attorney General Michael Chertoff said a year ago. To breach it from cyberspace is not out of the question. In 1998, a 12-year-old hacker, exploring on a lark, broke into the computer system that runs Arizona's Roosevelt Dam. He did not know or care, but federal authorities said he had complete command of the SCADA system controlling the dam's massive floodgates.

Roosevelt Dam holds back as much as 1.5 million acre-feet of water, or 489 trillion gallons. That volume could theoretically cover the city of Phoenix, down river, to a height of five feet. In practice, that could not happen. Before the water reached the Arizona capital, the rampant Salt River would spend most of itself in a flood plain encompassing the cities of Mesa and Tempe -- with a combined population of nearly a million.

SCADA Hack Two:

Paul Blomgren, manager of sales engineering at cyber-
security firm Rainbow Mykotronx in Torrance, Calif., measures control system vulnerabilities. Last year, his company assessed a large southwestern utility that serves about four million customers.

"Our people drove to a remote substation," he recalled. "Without leaving their vehicle, they noticed a wireless network antenna. They plugged in their wireless LAN cards, fired up their notebook computers, and connected to the system within five minutes because it wasn't using passwords.

"Within 10 minutes, they had mapped every piece of equipment in the facility," Blomgren said. "Within 15 minutes, they mapped every piece of equipment in the operational control network. Within 20 minutes, they were talking to the business network and had pulled off several business reports. They never even left the vehicle."

SCADA Hack Three

Snake Eats Tail

So let me understand this. The Bush White House refuses to declassify the identity of Saudis that have been revealed have links to Al Qeada. How are we to determine whether this secrecy is to protect an ongoing investigation which, or a coverup of links between such Saudi money and American money?

All we know is that the Senate has asked for names of terrorist links and the Treasury Department is withholding information it knows to be true about terrorist funding operations. That sounds like some kind of violation of Ashcroftian proportions. Or is it that the Executive Branch is just being high handed with the rest of the government?

Somewhere, there is something deeply embarrassing about Saudi money and American money. I can't prove it. Nor can it be disproven at the moment. What kills me is that somebody knows and we can't. This is very frustrating for me.

We know who was funding Al Qaeda now. What are we doing about it? We knew when some poor slob in Cleveland who ran a check cashing agency got arrested, why can't we know this?

EFF & Recovered Memory

This morning as I watched Cory Doctorow gesticulate wildly with Leo Laporte on The Screen Savers about AB 1143, I suddenly remembered that I have met Bruce Sterling.

I met him at a meeting of the CPSR a very long time ago at UCLA, probably around 1987. Everything he was saying was so far over my head that I never showed my face at such a meeting again. At that point in my life I had just read my first Chomsky, gotten my first understanding of what was going on in Afghanistan regarding shiny kiddie bomblets and learned that there was a nation on the planet called Namibia, and of course fallen out completely with the USG over Iran-Contra. In other words, I was becoming overwhelmed by the duplicity of the world and trying to adjust myself in this new light. But as of yet I had still not read Toni Morrison, so I was still above ground and un-repurposed.

But of course the thing that shocked me about this Sterling character was how smart and paranoid he was. He looked as though he belonged in a cube down in aerospaceville (El Segundo) and not standing in front of people exhorting them to refuse and resist. It was this incongruity among other things that made people have to shush me. I simply couldn't believe all the things I was hearing, especially from this dinky looking outfit.

There is a chance that the person who impressed me that evening was not Bruce Sterling, there are a lot of manuscript diaries I'd have to troll to find out, but something about the level of detail and energy he brought to the forum was memorable, and seeing Doctorow brought that moment back.

A Nation of Stooges

It occurred to me as I disabled my file sharing software this afternoon, that the RIAA could be a bit more bloodthirsty and effective if they wanted to. Don't credit me, credit Disney's hot flick Pirates of the Caribbean. OK don't credit Disney, credit real pirates. Real pirates attract real bounty hunters. So why not use peer networks to rat out peer networks?

How? Let the RIAA pay for individuals to crack the network by licensing a free version of say, this tool. If every subpoena served is worth about $20,000 the RIAA could afford to post a $10,000 reward for each successful prosecution. Then people would be motivated to snitch on others.

The RIAA would, of course, be considered very much like a gun dealer in the Old West, not caring whether their arms arm bandits or posses. But if they were seriously concerned about their appearance, they wouldn't bother chilling the P2P industry with their phlegmatic legal actions.

Foucault's Panopticon Reviewed

For us thoughtful paranoids, at Surveillance & Society.

Spooky

For the second time in a year and a half, a conservatively dressed clean cut young man has come to my door, flashed a badge and inquired about the man next door. The first time, the young guy said he was from the FBI. The other day, the guy said he was from some Air Force outfit.

I don't know my neighbor. In fact, I really don't even know the name of the street one block over that parallels mine. I just live here, inside. I wouldn't know the name of the young lady who lives behind my house if the mailman didn't put her stuff in our box periodically. So I was really no help, and probably won't be any time soon.

It's disturbing to know that the guy next door is being investigated. Or is he? I wouldn't know an FBI credential from a fake, and I sure as hell wouldn't know an Air Force investigator's credential. So who is the man next door? Or, who are these fresh faced kids pretending to be government officials?

This is too creepy.

I'm going to see if I can find somewhere on the net that tells me what real FBI credentials look like, because I really don't like the idea of people playing Agent Smith on my front porch.

Plame Blamed

In yet another bracing slap of a revelation, the Bush administration has shown itself to be venal and vindictive. GWBush must think he's running a kingdom.

Valerie Plame, a woman who acted on behalf of the CIA and was involved in finding out exactly how [in]accurate the Niger connection to Iraq was, has been outed by Bush Administration officials. She was a spy and the administration deliberatly blew her cover. It's a rather complicated story but it is very important to understand this: GWBush wants everybody who has told the truth about the weakness of the African uranium connection to pay dearly.

If that's compassionate conservatism, you can have it. This is really sickening. This is like leaving a wounded soldier on the battlefield. There's no excuse. I do hope the American call GWBush on this dastardly deed.

Old News: CALEA Hacked

Cringely, ever informative and better than most bloggers, gives us a fright with his news.

That's what led me to this story. In the Lacie Peterson murder case in California, thousands of Scott Peterson's phone conversations were recorded using CALEA technology. Some of those conversations were between Peterson and his lawyer, some between Peterson and the press. None of them were with me. I have no idea whether Scott Peterson is guilty or innocent, and it doesn't matter at all to this column. What matters is that a few days ago 176 new phone conversations were "discovered."

How do you "discover" a recorded phone conversation in a totally automated system? If you can discover a conversation, then you can also lose one a la Rosemary Woods and the famous 17-minute gap in that Watergate tape. The whole system becomes suspect and subject to abuse.

I never wanted to give a phat gnat about Lacie Peterson's murder, but clearly every man's death diminishes me.

The Case for Open Source Intelligence

If you are a congressman on some special committee, chances are there are few things more annoying than a leak of a critical memo to the press. If you are a staffer who sees that something is going terribly wrong on a committee, chances are you have no more powerful weapon than to leak a critical memo.

I gather that this kind of cloak & dagger intelligence game is played all the time inside the Beltway. As much as it is insider pool, it is a part of the power struggle. When the public knows, it makes a big difference. In fact, some of this pool is played with the public, and when the press insiders know the effects they develop a great expertise. It doesn't seem beyond belief that Washington bureau chiefs know a real memo from a fake one and understand exactly what the presence or absence of a good leak means.

Today we hear that GWBush is recanting an inflammatory statement including the words Iraq, Uranium and Africa in no less than his State of the Union Address. Apparently, a lot of people knew better, but not us in the American public. Of course it is incumbent upon us to find out, to trust but verify, but what are the chances that we will get our hands on the kind of intelligence necessary to debunk such a claim? Slim, I think. What's worse is that the intelligence services themselves cannot seem to get their best thinking past the ideological blinders of this President. This has happened before.. How many DCIs have we been through in the past dozen years? Webster, Gates, Woolsey, Deutch.

My radical position here is that if there is not going to be military or economic pressure directly brought to bear on a 'rogue state' then it does the United States very little benefit to keep most secrets secret. If the Administration policy is to remain disengaged from say, Chile, why not declassify whatever dirt we have on Chile?

It seems to me that the first invitation into any coalition of the willing involves sharing intelligence with the new ally. The most important ally of American policy is the American public, so share already.

20MBPS on Copper

If you know a guy named Jess Posey, you may be friends with a very wealthy man soon. That is if telcos do what's best for guys like me, which is offer me HDTV quality signals through my phone lines. According to Cringely, it can be done.

Telepulse is going to get slashdotted.

Update: Hmm, how do you hack this?