The Blog of Harald

Schneier on Security: Security vs. Usability

bq. The more secure you make something, the less secure it becomes. Why? Because when security gets in the way, sensible, well-meaning, dedicated people develop hacks and workarounds that defeat the security. Hence the prevalence of doors propped open by bricks and wastebaskets, of passwords pasted on the fronts of monitors or hidden under the keyboard or in the drawer, of home keys hidden under the mat or above the doorframe or under fake rocks that can be purchased for this purpose.

Are kilts history? – The Globe and Mail

I’ve been hearing anecdotes about the battle between students and educators over kilts (and in particular, kilt length and related ‘tarty’ dress) since I was in private school, 20-mumble years ago. I don’t think the ’00s are that different from the ’80s, somehow…

Flickr Photo Download: Mythical Creatures.

– I’ve been at UHN for a month now. It’s been a bit of work coming up to speed on the projects, but I’m being effective, which is what counts. Besides, it’s fun!

– The kids have both been away to, and returned from, two week camp excursions, and both want to go on longer trips next year! They grow up so fast…

– Twitter and Facebook have pretty much replaced this weblog for day-to-day stuff, unfortunately. I’m not happy about that; I prefer having my “stuff” under my own control. Alas, they make it too easy to use, especially now that a) I have an iPhone, and b) I’m behind a nanny-state web filter during the day.

– I haven’t even picked up a camera in about 3 months, which makes it difficult to justify shopping for one. I think I’ve convinced myself to buy more glass instead of another body, anyway.

– Did I mention I have an iPhone now?

That’s it; see you in another month or so :)

The last few months have been a bit of a roller coaster ride; the next few will prove to be one also (although very different; wooden vs. steel, maybe? anyway…)

The Monday after the Century Cruise (back in February) my boss called to inform me that HP was placing me in their Work Force Redeployment program, which gave me four weeks to find another job, after which I would be placed in the Work Force Reduction program. There were no other useful jobs in Toronto (not even over at EDS), and so at the end of March I became an ex-employee of HP.

It took all of April for me to process this change. Rock Band 2 helped quite a bit! In May I started attending seminars and clinics at Knightsbridge, to work on my networking skills, update my resume, and so on. In the middle of that process (and before I actually finished polishing the resume), I found out about a 1-year contract position working for Irving at the University Health Network. I actually started yesterday, but my contract wasn’t completely signed until today, and somewhere in the last couple of weeks it became a 4-month engagement with a promise of an extension, but that’s Ontario politics that you can read all about in the media, so I won’t repeat it here.

Still, I have an income again, and I’m getting out of the house (which is the more important of the two; working at home for the long term isn’t healthy for me). The projects I’m going to be working on sound very interesting, and the people here are wonderful!

Apparently there are many secret cables buried in and around Washington, DC. The “call before you dig” guys don’t know about them, so if you dig one up, guys in suits driving black SUVs arrive. Which of course creates a social engineering attack:

bq. So if I want to stop a construction project in the DC area, all I need to do is drive up in a black SUV, wear a suit and sunglasses, and refuse to identify myself.

“Secret Government Communications Cables Buried Around Washington, DC”:http://www.schneier.com/blog/archives/2009/06/secret_govermen.html

Schneier on Security: Fear of Aerial Images

Yet another “refuse to be terrorized” article from Bruce Schneier, this time about satellite images in online mapping services…

bq. “It struck me that a person in a tent halfway around the world could target an attack like that with a laptop computer,” said Anderson, a Republican legislator who represents San Diego’s East County. Anderson said he doesn’t want to limit technology, but added, “There’s got to be some common sense.”

The usual rebuttal applies:

bq. Criminals have used telephones and mobile phones since they were invented. Drug smugglers use airplanes and boats, radios and satellite phones. Bank robbers have long used cars and motorcycles as getaway vehicles, and horses before then. I haven’t seen it talked about yet, but the Mumbai terrorists used boats as well. They also wore boots. They ate lunch at restaurants, drank bottled water, and breathed the air. Society survives all of this because the good uses of infrastructure far outweigh the bad uses, even though the good uses are — by and large — small and pedestrian and the bad uses are rare and spectacular. And while terrorism turns society’s very infrastructure against itself, we only harm ourselves by dismantling that infrastructure in response — just as we would if we banned cars because bank robbers used them too.

(the last quote is from http://www.schneier.com/blog/archives/2009/01/helping_the_ter.html).

In my random walk through the Internet this morning, I visited several news articles with comments sections.

Why are people so hateful, so judgmental, so prejudiced (in the classic sense, i.e. making up their minds without facts)? People write that they’ll hate a (good) TV show after reading an interview with one of the actors. People heaping vitriol on a woman they’ve never met, and don’t know anything about. It’s ugly. YouTube is awful for this, although at least people are talking about that.

Maybe most people are like me, and simply move on when the conversation degenerates (which it usually does), and so I’m only seeing the vocal minority…

After almost a week of pressure, “The Conference Board of Canada”:http://www.conferenceboard.ca/ finally recalled three reports supporting the lie that Canada is a haven for intellectual property thieves. I love the language:

bq. An internal review has determined that these reports did not follow the high quality research standards of The Conference Board of Canada.

This after “Michael Geist”:http://www.michaelgeist.ca/index.php accused them of plagiarising the text of one report, without attribution, from the International Intellectual Property Alliance, a major US lobby group representing Hollywood et al.

The details are on on Michael Geist’s weblog, starting with “The Conference Board of Canada’s Deceptive, Plagiarized Digital Economy Report”:http://www.michaelgeist.ca/content/view/4000/125/ . I’m particularly dismayed that they initially stood by the report, that it took three days of intense media coverage for them to back down. Call me a conspiracy theorist, but I believe that once the attention dies down, these reports will quietly resurface, they’ll circulate internally on Parliament Hill, and our lawmakers will pass draconian copyright legislation based on a lie.

In fact, Canada is a relatively low producer and consumer of stolen intellectual property. I’ll try to dig up the various references that support this (my browser history is acting up :-). For some reason factions within the US government have decided that they can win more votes, or collect more lobbyist dollars, by attacking their neighbour to the North.

I find this especially interested after a recent article from Eric S. Raymond: “Some Iron Laws of Political Economics”:http://esr.ibiblio.org/?p=984

bq. Mancur Olson, in his book The Logic Of Collective Action, highlighted the central problem of politics in a democracy. The benefits of political market-rigging can be concentrated to benefit particular special interest groups, while the costs (in higher taxes, slower economic growth, and many other second-order effects) are diffused through the entire population.

bq. The result is a scramble in which individual interest groups perpetually seek to corner more and more rent from the system, while the incremental costs of this behavior rise slowly enough that it is difficult to sustain broad political opposition to the overall system of political privilege and rent-seeking.

Worth a read.

My son had the fastest computer, with a PCI Express slot. I had the slightly slower computer, with an AGP slot. I needed to install a graphics card that would let me run two DVI-D displays, and the only AGP cards I could find were quite expensive, so I decided to swap computers. (The fast computer was originally supposed to replace the shared family computer, but I didn’t finish installing/upgrading it before my son took it over :).

To make matters more complicated, my desktop had IDE drives and his had SATA drives. A simple drive swap wasn’t going to work; his SATA motherboard only had one IDE connector, and it was already full with two CD/DVD drives. I was going to have to swap the OS images between the two harddrives. I had recently read about “Clonezilla”:http://clonezilla.org/, and decided to try it. I started by testing cloning to a “VirtualBox”:http://www.virtualbox.org/ VM, to make sure I could use the image after cloning. VirtualBox lets me attach disk images as either IDE or SATA, which definitely helped my testing.

My capsule review is that Clonezilla works well and is very flexible, but way too complicated. Fortunately I’m a sophisticated Linux guy, so the complexity wasn’t a barrier, but I wouldn’t recommend it to my father-in-law, for example. I’m loving VirtualBox, btw; I run it on a server, so I can’t use the fancy GUI for configuration, but the command line is adequate and the ability to use remote desktop to access the console is excellent.

The other item that saved me was “Changing a Motherboard or Moving a Hard Drive with XP Installed”:http://www.michaelstevenstech.com/moving_xp.html. There are three basic options described there: 1) use the Windows Upgrade procedure before swapping, 2) perform a Repair after the swap, and 3) fiddle with the disk controller drivers in the Device Manager before the swap. My Windows disks don’t have the Upgrade option, so that was out. I then tried the Repair option, but it took over 3 hours (after the 90 minutes of image copying); way too slow (and I would have needed to re-install SP3 and other patches later, too!).

Fortunately, option 3 worked perfectly for me. I’ve reproduced it here:

bq. Before you swap out the current motherboard go to device manager and select the IDE ATA/ATAPI Controller and select your current storage controller. Right click, select update driver and select install from a list or specific location. Click don’t search I will choose the driver to install and select the standard dual channel IDE controller.

bq. This will prevent the inaccessible boot device blue screen.

bq. With this method, booting the first time with the new motherboard should be done in Safe mode. XP will install the drivers it needs and you can install the new motherboard drivers. I would suggest accessing the motherboard web site to get the latest drivers and bios updates rather than use the CD media included with the MB. The CD is usually a couple of revisions behind the latest updates.

Both images worked perfectly (and quickly!) after this tweak. I was able to boot both OS images on the new systems, install all of the appropriate drivers for the new hardware, clean up the device manager, and now everything is as good as new. We’ve been running with swapped hardware for a couple of weeks now with no apparent problems.

Alas, after all this, we discovered that the on-board graphics on my old desktop were too slow to run a couple of his games; because that machine was originally intended as a business class machine, it had crappy graphics (worse than our other 5+ year old desktop!). So I’ve had to buy a graphics card for him anyway, but I was still able to save. I found him an older AGP card (with DVI-I, VGA, and TV-out instead of Dual DVI-I).

Yet another example of the premise that if you want to understand the world around you, look for the incentives…

Schneier on Security: Perverse Security Incentives

bq. Incentives explain much that is perplexing about security trade-offs. Why does King County, Washington, require one form of ID to get a concealed-carry permit, but two forms of ID to pay for the permit by check? Making a mistake on a gun permit is an abstract problem, but a bad check actually costs some department money.

bq. In the decades before 9/11, why did the airlines fight every security measure except the photo-ID check? Increased security annoys their customers, but the photo-ID check solved a security problem of a different kind: the resale of nonrefundable tickets. So the airlines were on board for that one.

And so on…

“A Mom Lets Her Son Walk to Soccer…And The Police Come Calling”:http://freerangekids.wordpress.com/2009/03/18/a-mom-lets-her-son-walk-to-soccerand-the-police-come-calling/

bq. From the Free Range Kids blog, the story of Lori from a small town in Mississippi, who sent her 10-year-old on foot to soccer practice, only to have him picked up by the cops, who reported “hundreds” of 911 calls by curtain-twitchers who were horrified at the thought of a 10-year-old walking a third of a mile to a local school. The cops told her she could be charged with child endangerment After she complained to the cops, the local police chief called her to apologize and to reassure her that she lived in a safe neighborhood. The moral of the story: stand your ground when crazy people tell you that your kid needs to be swaddled in bubblewrap until she’s 22.

From the article:

bq. My 10-year-old son wanted the chance to walk from our house to soccer practice behind an elementary school about 1/3 mile from our house. He had walked in our neighborhood a number of times with the family and we have driven the route to practice who knows how many times. It was broad daylight – 5:00 pm. I had to be at the field myself 15 minutes after practice started, so I gave him my cell phone and told him I would be there to check that he made it and sent him off. He got 3 blocks and a police car intercepted him. The police came to my house — after I had left — and spoke with my younger children who were home with Grandma. They then found me at the soccer field and proceeded to tell me how I could be charged with child endangerment. They said they had gotten “hundreds” of calls to 911 about him walking. Now, I know bad things can happen and I wasn’t flippant about letting him go and not checking up, but come on. I live in a small town in Mississippi. To be perfectly honest, I’m much more concerned about letting him attend a birthday party sleepover next Friday, but I’m guessing the police wouldn’t be at my house if I chose to let him go which I probably won’t.

via Boing Boing

Schneier on Security: The Kindness of Strangers

h3. The Kindness of Strangers

bq. When I was growing up, children were commonly taught: “dont talk to strangers.” Strangers might be bad, we were told, so its prudent to steer clear of them.

bq. As it turns out, this is profoundly bad advice. Most people are honest, kind, and generous, especially when someone asks them for help. If a small child is in trouble, the smartest thing he can do is find a nice-looking stranger and talk to him.

bq. The advice in each of these paragraphs may seem to contradict each other, but they dont. The difference is that in the second instance, the child is choosing which stranger to talk to. Given that the overwhelming majority of people will help, the child is likely to get help if he chooses a random stranger. But if a stranger comes up to a child and talks to him or her, its not a random choice. Its more likely, although still unlikely, that the stranger is up to no good.

(I’ve ranted about this before, in “talk to strangers”:http://blog.cfrq.net/chk/archives/2005/06/24/talk-to-strangers/ and “strangers”:http://blog.cfrq.net/chk/archives/2005/06/24/strangers/)

“The World’s Biggest Diamond Heist”:http://www.wired.com/politics/law/magazine/17-04/ff_diamonds

These guys managed to blow through many layers of hi-tech security with careful planning and some low-tech tricks, and one huge security gaff: the “unduplicatable” key for the vault was hung on the wall in a storeroom next door.

My favorite bit, I think, was how they disabled a magnetic sensor on the vault door, that would detect the door being opened; they brought a piece of aluminum covered in double-sided tape, stuck it over the sensor pieces, unscrewed the pieces from the vault door and door frame, and swung them out of the way. The sensor was never triggered because the two pieces remained in contact…

The article is a bit long, but it’s worth reading both for how they got through all of the security, and the one stupid mistake they made that led to them all getting caught…

Charlotte has a Facebook account.

I’m still trying to decide if this is a sign of the Apocalypse or not…

Tomorrow is the first day of “nerdigras”:http://nedbatchelder.com/blog/200903/square_root_of_christmas.html ; let the festivities begin!

(I wonder what the pancake-equivalent is? :-)

http://biggeekdaddy.com/miscvideos/everythingsamazing.html

It’s true. We live in amazing times, and everyone is as grumpy as ever!

February seems to have vanished completely, as my last post was on January 29th. Ah well, it’s a deformed month, with the missing three days bit; February don’t get no respect!

Oh ya, I went on a cruise with 16 other people; planning, packing, and executing ate my brain. Then I came back to news that most of you have heard by now, and now it’s March…

* “No Heroics”:http://heywriterboy.blogspot.com/2009/01/no-heroics.html – A UK sitcom about a bunch of second-tier superheroes hanging out in a bar.

* “Being Human”:http://heywriterboy.blogspot.com/2009/01/being-human-and-building-anticipation.html – A vampire, a ghost, and a werewolf share a flat. “Trailer on YouTube”:http://ca.youtube.com/watch?v=v_sRd2spBo0