March 2007 Archives

Thaaaaaank goodness it is indeed Friday. It's been a very busy week, and I'm just glad it's over. Ran a few times (mostly poorly). Lifted on Tuesday (very well). But, the theme, by-in-large, has been work, work, work!

Overall, it's been a good week. A good couple weeks, in fact. And this coming week, we're heading to Colorado for a little skiing/boarding and, more importantly, R&R. I do, however, have to confess to being a bit annoyed this evening...

Speaking of The Long Tail, here's a perfect example of a very successful niche band that's probably somewhere in the short head, but which doesn't fit the critics' model of a "blockbuster." If ever you needed proof that critics don't have nearly the collective intelligence as the crowd, here's a perfect example.

I'm not done with the book "The Long Tail" yet, but I had to post some thoughts before I lost them. I just finished chapter 9, "The Short Head", which talks about the importance of focusing on the head of the long tail, but also some of the misconceptions. In fact, here's a list of key misconceptions from p.167 of the book, after which I will tell you my two ideas for applying long tail thinking to traditional bricks-n-mortar businesses.

Al Gore's "An Inconvenient Truth" is now available on the premium cable channels, as I stumbled upon it this morning. I missed the first 15 minutes and the last 20-30 minutes, but overall I'm fairly impressed. Combine this with the Discover Channel's special on global warming, and the picture is pretty bleak. Even if they're only half right, we are not looking at a particularly good future.

Everybody, I think, will agree that global climate change is real. The weather this decade is different from the weather last decade, is different from the weather the decade before that. Where people get uppity is when the phrase "global warming" is used, as if to indicate that the planet is getting hotter. Which, it is, based on statistics, but that's not the point. But, I think there's a lot more to be said on this subject than even people like Gore have said.

I find myself increasingly in agreement with Lou Dobbs' commentaries. No, I'm not always in agreement, such as on the immigration "problem." However, this piece is dead on.

Dobbs: 'Showdown' really a battle of partisan buffoons

Choice quotes:

This could be alternatively subtitled "one guy's journey to a career in writing." I've been struck by the writing bug lately, and not just in the blog form. The fact of the matter is, I'm still expected to complete a journal article for my thesis work, to be submitted to a peer reviewed journal, such as IEEE S&P. On top of this, however, I've also had a couple opportunities crop up that are intriguing and driving me to plan (and begin executing on) other articles.

Prior to last week, I was planning a couple articles for Dan Swanson, who's recently become editor of EDPACS The EDP Audit, Control, and Security Newsletter. He had also suggested sending articles to Information Systems Security (ISS) and Information Systems Management (ISM). ISS is the official ISC2 journal (of the famous CISSP certification). ISS doesn't have a very good rep, but I figured writing is writing.

Fyodor has posted the latest Nmap News to the Nmap Hackers list. Check it out!

Quoting here one choice section, specifically to help raise awareness. If you are currently using GoDaddy, get off of it asap. Some whack job started flinging falsified accusations and DMCA requests around, which apparently resulted in the domain pull-downs, even though they weren't justified (see later in the newsletter, linked above).

I'm feeling hyper tonight, no idea why, just completely buzzed. No, I did not consume caffeine, thank you very much. I'm in a very random mood, though, and really have no idea why that may be. So, before I post my serious entry, I (*pause: switch to iTunes, queue music*) need to get some of this energy out, set a better mood, and just generally shake out all this hyperness. No, that's not a word, I made it up. Pretty common, actually. Just let it go. :)

Let's see, what else do I know? Oh, not much, so that's it. Junk post is out of the way, am feeling more betterer, can now get on with "other stuff."

*puts on serious, focused, concentrating face*
*walks away to do other things for a while*

:D

It's Monday and I'm back to work after my brief trip to Minnesota. Visited my parents, spoke to 3 groups of students at Concordia, had an excellent conversation with Dad's psychology prof colleague M about research I'm working on, hung out with my friend B for a while, and went for breakfast and a brisk walk with my (new-found?) friend R. Overall, aside from locking my keys in the rental car on Saturday while it was running, it was a pretty darned good trip.

Outline of thoughts...
* Speaking to audit class - tough!
* Speaking to comp sci majors class - fun! mythbusting!
* Speaking to comp sci 101 class - also fun!
* Good to see the 'rents
* Great chat with M about psychology and security
* Changing perspectives on driving times/distance
* Changing perspectives on my career

I had a rough morning today. "Why?" you may ask. Well, I locked my keys in a running car at my parents house. Dumb, eh? But here's my tirade and how it relates...

Locking the keys in one's car is not an uncommon occurrence. However, since buying a Honda Civic, I have not had to worry about this problem. This is because Japanese designers think about the smallest of details when designing new cars and they consider that people might accidentally do something that could result in a "bad event" such as locking keys in the car. Here are some distinguishing features between my Civic and the Jeep Liberty that I have as a rental car:

I recently completed reading Freud's The Future of an Illusion, which is essentially a diatribe against religion in society, on the premise that we've evolved beyond the point of needing it. He makes some interesting points, such as that rules that frame civilization should be couched in a context of bettering society, not based on a religious epithet. Nonetheless, his own self-arguments in the book (he plays devil's advocate with himself) end up being as dissuasive of his point of view as anything. Ultimately, I think the question is from whence we derive our concept of "good for society"? It needs to be based on some sense of right and wrong. Anyway...

He also accuses himself of essentially positing an alternative belief system (religion) when he's advocating to remove religion. This is somewhat true, depending on when "philosophy" becomes "religion."

Well, I'm in Moorhead with the 'rents. Spoke to a group of future accountants at Concordia. Lesson #1: do not try to speak (or type, apparently - having issues here) extemporaneously on too little sleep. Lesson #2: failing #1, make speaker notes!

I had thought ahead of speaking about org structure, the role of audit in the enterprise, and so on, with some integration of controls. Instead I blathered on endlessly about random things that I can't even recall. Finally someone asked a question about org structure ("what's your title and where do you fit in?"). I of course didn't end up answering the question. These things always go so much better in my mind ahead of time. Anywho...

Tomorrow I'm meeting with a couple different groups of students. The first group will be primarily Comp Sci students - juniors or seniors - and some English majors aspiring to be tech writers. Should be good, will get to geek out a bit, talk about how this is an exciting time in info systems evolution. In the afternoon I then meet with another group of students - mostly freshman, I believe - and get to try to upsell Comp Sci to them. Am looking forward to both sessions and am browbeating myself into being better prepared. As Nike says, "Just do it!"

It's currently 75F here in NoVa today. So, logically, I'm hopping a plane at 5pm and flying to Minnesota - ostensibly to visit my parents - where the current temp is 39F with a chance of snow tonight. Makes perfect sense to me! :)

Actually, I'm looking forward to the trip. Will be good to visit with my parents for a couple days. I also have had an offer to speak to some classes taken up, so will be meeting with 3 groups over the next two days. The first group, Thursday mid-day, will be more audit focused and interested in discussing controls. Friday I then get to speak with a group of Comp Sci juniors and seniors, perhaps getting more technical and geeky and stuff. Should be good. And then, lastly, I'll get to speak to a group of first years who are take an intro Comp Sci class, try to pump them up about the opportunities associated with working after completing a Comp Sci degree.

Beyond this, I have a stack of reading I hope to get through, such as supplementing my "psychology of security" research. We'll see how things turns out.

Well, need to cut this off now, have a string of meetings then a mad dash to the airport to catch my flight. Tally ho!

Ok, just a quick entry as it's 1am and I need to get my butt in bed asap. We went to the Josh Groban concert tonight at Verizon Center - it was phenomenal. Hanna says it's the best concert she's ever been to. The staging was amazing, the special effects were outstanding (LCD/plasma screens used creatively all over), and the music was, of course, top notch. I have a couple cheesy pictures that I'll post to photos in a few days (after I get back from MN - will hopefully post about tomorrow).

On a side-note, Angelique Kidjo was the opening act for Groban. She was excellent, too. Ran out (to the souvenir stand) and bought one of her albums. Good stuff.

Much, much, much more to post... but not tonight...

This sounded so much funnier in my head today:

My brain uses a hash function to compress memories. This is great for speedy comparisons, but makes recovery of the original memory impossible. And don't even get me started on birthday attacks and collisions...

Like I said... seemed... so... much... funnier... *sigh*

For something funnier, check out XKCD.

Time for another miscellaneous entry in ye olde blog. Today I thought I'd focus on a few quicks hits on personal cultural exploration. Later this week: posts on upcoming travel, meeting with bright young minds of the future, and the "joys" of airline travel and the brilliant minds of airport security. Anywho...

First up, if you haven't checked out Last.fm or Lulu.com, then I highly encourage it. Last.fm is a music socialization site where you download a plugin for your mainstream media player and it "scrobbles" what you're listening to, sending the notes back to your profile and - the really interesting/cool part - it compares you profile to other profiles and defines your "neighborhood" based on listening preferences. The more you listen, the better the profile match. Kind of nifty.

Lulu.com is something that's apparently been around for a while. If you've ever thought about writing and self-publishing a book, this is the site for you. Apparently known well to writers already. Check it out!

Now onto the random entries... today's topic: books that I'm currently reading and that I have queued for reading.

Yet another example of government abuse of access to information, also in the name of "national security" in the wake of 9/11. CNN.com is featuring a story that the Inspector General (IG) for the Justice Dept. has identified "serious misuse" of national security letters, which are used to retrieve information without formal issuance of subpoena or warrant. This capability was designed to allow for secret investigations that would not tip off, in particular, terrorists (though I believe I read somewhere that organized crime and drug cartels have been the primary targets of these investigations).

The main problem here, folks, is that we want formal paper to be issued for searches and seizures. This is the whole principle of the 3-way check-n-balance system designed into the Constitution. The Executive branch (of which Justice is a component -- don't confuse Justice Dept with the Judicial Branch) has made a tremendous power grab since 2001, and only to the detriment of the citizenry. Your rights, your privacy, your freedoms are being violated -- and all in secret, because the current administration believes that security through obscurity is better than open, transparent, robust, resilient systems. This is a misconception that has been widely debunked, but which has been arrogantly disregarded by those in charge. If you've ever tried to reason with a drunk, then you'll understand why explanations seem to fail. These so-called leaders, who have consistently lied about just about everything over the past 6-7 years, appear to be drunk on power. Rational thought does not apply. Anyway, enough ranting... call or write your Representatives and Senators today!

Source: http://www.cnn.com/2007/LAW/03/09/security.letters/index.html

Well, the dummies in Washington are at it again. You might recall a few years ago that a certain discredited DoD politician by the name of Poindexter (see Iran-Contra Affair) was found to be at the helm of a project called "Total Information Awareness" (TIA). Once the media caught wind of this program they raised red flags, the citizenry got upset, and Congress investigated. DoD appeared to relent and shut it down. Over the last few years, we've seen it come back in multiple forms. Well, now it's back again, this time hosted by the Department of Homeland (in)Security, and it's called ADVISE -- Analysis, Dissemination, Visualization, Insight and Semantic Enhancement.

This is, hands-down, one of the most egregious ongoing violations of privacy and common sense that I have seen in government since 9/11. It has been demonstrated over and over and over and over and over again that collecting information on law-abiding citizens DOES NOT solve crimes. Know why? BECAUSE THE ACTIVITIES REVIEWED ARE NOT ILLEGAL!!! Statistically, I would be shocked if even 1% of the data collected could be tied to an actual crime.

Our friends at AOL, riding the wave of Web 2.0 innovation, have come up with a very interesting idea called "ficlets". According to the site:

A ficlet is a short story that enables you to collaborate with the world.

Once you’ve written and shared your ficlet, any other user can pick up the narrative thread by adding a prequel or sequel. In this manner, you may know where the story begins, but you’ll never guess where (or even if!) it ends.

I encourage everybody to check it out. This is brand new, cool, cutting edge. Ever wanted to be a writer and thought "it's just too much work"? Not any more! Give it a go!

According to the iceberg FAQ, "About 7/8ths of an iceberg is below the water line." That's about 87%. Thus, the iceberg principle is that you only see a very small portion of the iceberg, potentially missing the vast majority of it.

Working in security assurance (which in this context means internal consulting and attestation, injecting security requirements in projects and then performing technical security testing as the project nears completion), we are constantly dealing with the iceberg principle. We typically see projects when they follow procedure and come to us. We review the portion of the overall application or system being developed, issue our findings, and then move on. In the background, however, is the rest of the project, hidden just below the water line. Because of the large number of projects we're expected to clear, this prevents us (usually) from probing deeper and perhaps finding those hidden concerns.

Nothing much to tell, just had a very productive day, for once in a long while. Was up at 6am for tennis with the wife at 7am. Didn't hit very well, can't move freely with the hamstring and hip bugging me (Monday makes it a week since I pulled it). Doc says it'll be fine, just give it time. Anyway...

Funny, I was just blogging about emerging threats in Web 2.0. Well, here's an example of an attack on a stalwart of the Web 2.0 concept, live and all: WordPress 2.1.1 has been declared dangerous after an attacker broke into the servers and modified the code base, inserting malicious code that allowed for remote code execution. This does not appear to be a "web as platform" class attack so much as a server-side code abuse attack. Really, the attack itself seems mundane. However, given the popularity of blog software, with huge growth due to social networking, this attack is amplified because of the Web 2.0 movement. fwiw. :)

I've previously blogged about how I don't think, fundamentally, Web 2.0 represents a change in information security. It represents some new challenges, but the base goals are still the same -- Confidentiality, Integrity, Availability. I was able to attend a couple excellent internal conferences this week on Web 2.0, which has helped me further refine some of my thinking. One conclusion I've drawn over the past couple weeks is that the Web 2.0 "web as platform" principle is fairly significant, and is going to represent the new class of major self-propagating malware threats. And it gets worse.