Thursday, November 27, 2008

A Connecticut Yankee in Kangaroo Court

Another Thanksgiving Day is upon us and before my wife and I head off to stuff ourselves at an Extended Family gathering, I'm taking a few moments to reflect on the things I'm thankful for.

I'm thankful for my lovely wife, for one thing. Also for our 130-year-old home, even if it is continually in rehab. I'm thankful that my 88-year-old mom can still drive up to our place to join us for dinner. And, of course, I'm really thankful that I don't live in Norwich, Connecticut.

That last one needs a bit of explaining.

Norwich is the small town where, four years ago, substitute teacher Julie Amero was charged with (and eventually convicted on) four counts of “risk of injury to a minor, or impairing the morals of a child”. Her crime? Between the time the regular teacher, Matthew Napp, left the classroom and the time Ms. Amero entered, one or more of the pupils got to Napp's computer. When Amero entered the room, the PC was displaying pornographic images. Her attempts to close the web browser only resulted in more porn being spewed across the screen. In desperation, she turned the screen away from the class and, during the class break, tried (without luck) to get assistance from other teachers.

Never mind that the computer was directly connected to the Internet without a firewall, that it lacked any anti-spyware software, or that the Symantec software that was installed had never been updated.

Never mind that, at the trial, Detective Mark Lounsbury testified that the computer had never been checked for malware.

Never mind that, as noted by Nancy Willard (M.S., J.D.) of the Center for Safe and Responsible Internet Use, Amero had clearly run into a “porn trap”, in which trying to close one browser window spawns others at the same site and effectively takes control of that browser.

Never mind that Amero had been specifically instructed not to turn the computer off and apparently didn't know how in any case.

No, somebody had to take the fall and a substitute teacher was clearly a more convenient victim than (say) Mr. Hartz, the school's technology director. Could that be why he didn't bother to tell the cops about the lack of a firewall or outdated software?

Indeed, the fact that Amero's lawyer was not permitted to present evidence about the computer's lack of proper security, coupled with testimony from a police expert that the images could only have appeared if Amero intentionally accessed the sites (testimony which Willard, in a masterpiece of understatement, labels “totally inaccurate”), inevitably suggests to me that a backroom deal was made somewhere to prevent Hartz and his superiors from facing the consequences of their own gross negligence and incompetence.

Computer security professionals were understandably outraged at this travesty of justice. Articles were written and lots of cyber-hell was raised. The case was appealed and the original conviction thrown out by a superior court judge (superior in more ways than one, in my view) in New London. The whole sorry mess finally came to an end on November 21st when Amero, obviously worn down by five years of repugnant legal harassment, pled guilty to a disorderly conduct charge (a misdemeanor, as opposed to the original outrageous felony charges), paid a $100 fine and, in a final disgusting act of injustice, had her Connecticut teaching credentials revoked.

So, yes, I'm thankful that I don't live in a town and state in which being the innocent victim of official ineptitude and malware malice is a felony. I wish only the best for Ms. Amero and her family and hope she's able to get on with her life. She might want to start by moving to a city and state where truth gets a little more respect than it does in Norwich, Connecticut.

Saturday, August 02, 2008

Partly Cloudy

I’ve looked at clouds from both sides now
From up and down, and still somehow
Its cloud illusions I recall
I really don’t know clouds at all

- Joni Mitchell, “Both Sides Now”

A lot of customers of amazon.com’s much-hyped Simple Storage Service (S3) were probably singing that song back on July 20th when (as reported by Information Week, among others) problems with “internal system communications” took S3 off line for eight hours. Worse yet, this was the third such outage in the company’s flagship “cloud computing” application.

What, you never heard of “cloud computing”? There's a respectable definition on Wikipedia, but essentially it's another form of outsourcing in which traditional corporate IT functions like data storage are made available by a third party as a service. The idea is that your company connects to the provider's network via the Internet - traditionally represented by a cloud graphic on network diagrams and PowerPoint sales presentations - and the provider takes care of all the nuts and bolts for you.

Launched in 2006, S3 was sold as a reliable alternative to big, power-hungry server farms. It was especially attractive to small businesses with big storage needs like SmugMug, ElephantDrive, Jungle Disk and others. Now some of them may be starting to wonder if trusting a critical business function to the vagaries of the Internet and Amazon's internal network was such a great idea after all.

This, of course, is the whole problem with cloud computing - to say nothing of Web 2.0, Software as a Service (SaaS), and all the other trends that involve sending your critical data off into a black box over which you have no control and about which you don't really know all that much. Sure, you've got a service level agreement. But how much does that mean when, as in the case of S3, the only way you can apply for a credit for the outage is via email? And how much is that credit worth, anyway, if your important data was unavailable for an entire business day? Are you really saving money if your storage isn't 100% reliable?

Sometimes you get what you pay for.

Tuesday, July 15, 2008

Four Minute Warning

If you're one of those rare individuals with sufficient taste and intellectual joie de vivre to read this blog on a regular basis, you're probably aware that when I'm not being a propeller beanie type for Really Big Company, I'm a writer, radio broadcaster, theatre critic and actor. This means that in the Green Room, I'm likely to be the only carbon-based life form who knows enough about PCs to troubleshoot them for my fellow thespians. Like the proverbial doctor at the cocktail party, I get a lot of requests for free diagnoses and advice, except that in my case the patient has only artificial intelligence.

One thing I've taken away from these backstage conversations is that - as I noted in a minor jeremiad last year - there are an awful lot of computer users out there who, if they maintained their cars the way they maintain their PCs, wouldn't be allowed out on the street, much less on the (information) highway.

Last month, for example, while appearing in Stray Dog Theatre's production of Paul Osborn's lovely comedy Morning's at Seven, one of the actors complained that her Windows laptop had become so slow that she could hardly stand to use it and was thinking of buying a new one. My first question was, “Do you have anti-virus and anti-spyware software installed and if so, are they up to date?” The blank stare I got was all the answer I needed.

I was reminded of this recently when I saw a post by Lorna Hutcheson on the SANS Institute's Internet Storm Center blog indicating that an unpatched Windows PC connected to the Internet can expect to survive around four minutes before it's probed by a worm or other attack bot.

Four minutes. That's less time than it would take for the PC to download the latest patches from Microsoft. In fact, as Daniel Wesemann noted in a comment on the blog:

“While the survival time measured varies quite a bit across methods used, pretty much all agree that placing an unpatched Windows computer directly onto the Internet in the hope that it downloads the patches faster than it gets exploited are odds that you wouldn't bet on in Vegas.”

I'm guessing that my fellow actor's PC had probably been on the 'net for years without proper protection. It's no wonder it was so slow; when your PC is busy pushing malware and spam to all and sundry, there aren't many processor cycles left for unimportant stuff like reading your email.

I offered to do a Spybot S&D scan on her PC for her but she had already decided to shell out for a new PC. A week or two later she had it connected to the unsecured wireless access point that was available backstage, cheerfully logging on to her email server and doing heaven only knows what else without the benefit of encryption. Any bets on how long it takes this one to come to a screeching halt?

Her four minutes are already up, after all.

Thursday, June 19, 2008

Influence Peddlers

I'm not normally a big fan of bumper stickers as a way of getting a message out; most are a waste of time and many are just plain obnoxious. Still there's one that might persuade me to change my mind: the “Hang Up and Drive” sticker that urges cell phone addicts to put the damn thing away and pay attention to the 2,000 pounds or so of metal and plastic they're supposed to be controlling.

I'm not the only person who feels this way. As reported in a recent Computerworld article, many states are taking action to ban cell phone use while driving and researchers are pointing out that other distractions - including MP3 players, internet access devices, GPS and even video players - have the potential to make the problem far worse. It's bad enough that we still have people hurtling down the freeway while intoxicated; now we've got to take into account jokers who are watching TV at the same time.

Unfortunately, legislation aimed at specific sources of distraction misses the main point. An automobile is a big, potentially dangerous machine. The operator of that machine needs to be focused on using it in a manner that is safe both for him/her as well as for other motorists. What really needs to be illegal is, for lack of a better phrase, Driving While Impaired.

Current drunk-driving laws address one form of DWI, but the explosion of technology-based forms of impairment clearly demands modernized legislation that penalizes any form of impairment, regardless of the source. Simply passing more laws targeted at specific sources of distraction (such as cell phones or GPS) is just playing "whack a mole" with the problem; as soon as you ban one, another one will pop up.

Operating a car isn't a right. It's a privilege that carries with it certain responsibilities. That's why we have tests on driving skills and laws as requirements for a license. That's also why we have periodic vision tests at license renewal time. Driving unimpaired is just another one of those responsibilities and, considering the loss of life and limb that results from failing to live up to that responsibility, it's probably the most important one.

Wednesday, June 11, 2008

Sound Bytes

Every now and then I come across an item that spans the divide between my technology blog and my performing arts blog - which is why I'm publishing this little essay in both. Case in point: this interesting item from the New York Times about the use of all-digital orchestras by small companies.

The technology is intended, supposedly, to supplement a small live orchestra. As the author points out, however, there's nothing to prevent it from replacing live musicians entirely.

On the one hand, it might be a boon to small, cash-strapped companies that can't afford to hire many (or any) musicians or community theatres with volunteer orchestras that leave something to be desired in terms of competence. On the other hand, it could make real musicians an endangered species, which is hardly a desirable outcome.

In any case, you'd think it would be an interesting topic for discussion. I expected, therefore, a flurry of responses when I posted the following question to two local theatre email lists: newlinetheatre and stlouistheatre: Would you use an all-digital orchestra for a production?

What I got was a whopping total of one response from New Line Theatre's founder and artistic director Scott Miller, who stated categorically that he would "never do a musical without live musicians". That was hardly surprising, by the way; I've known Scott for some years now and was well aware of his disdain for canned music.

I'm not sure what to make of that. There are a number of musical theatre producers on both lists. Surely at least one of them has an opinion on this. It's not an academic issue, after all. High schools are already using all-digital or mostly-digital orchestras. Surely it's only a matter of time before those small companies referred to above find themselves asking whether or not they should go digital.

So why the silence? Is it because they're all in agreement with Scott? That would be the happier explanation as far as I'm concerned. Or is it because, given the potential cost savings, they wouldn't even bother to think about it before going digital? Could commerce really have trumped art to that degree?

Scary thought, that. Are we facing a future like the one Walter Miller described in his Hugo Award-winning story The Darfsteller? Film extras have already been supplanted by digital animation in big-budget pictures. Could real, live performers of all kinds go the same way?

Will we eventually get to the point where we have made ourselves obsolete?

Monday, June 09, 2008

The Humanoid Boogie

[Thanks to The Bonzo Dog Band for the title.]

A couple of years ago, on an internal company blog, I commented on the ways in which the right hand of the information technology industry not only doesn't know what the left hand is doing but often seems unaware that there even is a left hand. Breathless dispatches in technology trades about mashups, Web 2.0 (or is it 2.1.0.5 SP 2 now?) and other ways for everyone to connect to everyone else sit cheek by virtual jowl with sober articles on how we're losing the cyberwar with spammers, malware distributors, identity thieves and other net.swine. Don't the people who write these things ever talk to each other? It's as though they live on different planets.

I had a similar When Worlds Collide experience the other day, albeit on a different technological front. It happened as I was listening to NPR's Science Friday talk show. The guest was “futurist” Ray Kurzweil expounding, as he usually does these days, on advances in computer and medical technology that will make us all cheerful cyborgs, living longer and happier lives through the integration of humans with computers. Listening to Kurzweil paint a rosy picture of the posthuman future, it's easy to forget to ask some fairly simple questions about it; questions that host Ira Flatow never thought to bring up.

Questions like: where are we going to get the power for the man/machine hybrid? Or: how much will this wonderful cutting-edge biomedical technology cost? Who's going to pay for it? And, for that matter, who's going to be able to afford it?

Given that in 2005 (the most recent year for which data are currently available), nearly 47 million Americans (just under 16% of the population) had no health insurance - and therefore no access to health care - those are hardly irrelevant questions. Indeed, even Americans with insurance are seeing their out-of-pocket costs increase. Add in the fact that employer-based health insurance is quickly turning into a luxury and you have to wonder how many of us really will get to be posthuman.

This was brought to my attention rather dramatically a few weeks ago when I got a new CPAP machine. A CPAP (Continuous Positive Airway Pressure) device is a fairly simple bit of technology that effectively eliminates snoring and sleep apnea. Those of us who suffer from those conditions know only too well how beneficial these little devices are. Not only are we less tired, but we're also less at risk for serious health conditions in later life, including stroke and cardiovascular disease.

Once the newer machine was delivered, of course, I had no use for the old one. As I'd had it for over six years, my insurance company had long since declared it my property. I therefore decided to give it away on freecycle.org.

What happened next was a stark illustration of the difference between Ray Kurzweil's future and everybody else's present. Within less than five minutes of making the offer on freecycle, I received well over a dozen replies - and kept getting them even after I posted a notice that the machine had been taken. All of them told essentially the same story: they had sleep apnea, they had insurance - and their insurance refused to pay for a CPAP machine.

Bear in mind that this is well-established and relatively inexpensive technology with a proven track record of correcting a condition which, left untreated, can lead to serious illnesses which are much more expensive to treat than sleep apnea. If insurers are so focused on short-term costs that they won't even cover something this basic, how likely are they to ever cover the kind of Buck Rogers stuff discussed on Kurzweil's web site?

Meanwhile, the millions without any insurance are lucky to get a flu shot.

That doesn't mean the posthuman future won't happen. It will just happen to the shrinking percentage of the population that can afford the latest and greatest nanotechnology. Without drastic reforms to America's health care system - which delivers less care for more money than that of any other first-world nation - Kurzweil's future will be a dystopia of nearly immortal elites governing the destinies of highly mortal masses.

On the other hand, maybe we commoners aren't supposed to have access to that stuff. Maybe we're just supposed to buy the high-priced nutritional supplements Kurzweil is hawking on another site.

Wednesday, May 28, 2008

Top Ten Vexes

[With apologies to Lewis Furey for the title.]

Like many of you, I expect, I get a lot of unwanted commercial email, a.k.a. spam. I haven’t taken a count, but I’d say something like 80% of the email sent to me is spam these days.

Only a tiny fraction of it ever makes it to my in box, of course, because I have two levels of spam filtering in place – one at the server level and one at the client level. Over the years I have fine-tuned them so that I get few false negatives (junk that eludes the filters) and even fewer false positives (legit email pegged as junk).

Still, I have to scan the subject lines of my junk mail weed patch daily to remove the occasional flower. When doing so, it’s hard not to notice the sheer idiocy – to say nothing of hallucinatory incoherence – of most of those subject lines. Many of them are random strings of words or letters apparently designed to defeat spam filters. Others, however, are so actively obnoxious that you’d think they’d defeat the entire reason for their existence. Would anyone with two neurons to rub together really open an email with some of these titles, much less follow a link contained therein and, even more incredibly, actually buy something at that link? Apparently P.T. Barnum was right.
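To make the two-level filtering and the false negative / false positive trade-off concrete, here is an added Python example (not the author's own filter setup, which the post doesn't describe beyond "server level" and "client level"). The server layer is a hard blocklist that rejects outright; the client layer is a soft score built from heuristics such as the fraction of vowelless "random string" tokens, exclamation marks, shouting and sales words. The sample subjects, the blocklist terms, the weights and the threshold are all constructed for the example; the labelled set includes one spam subject that reads like ordinary English (a false negative) and one terse legitimate subject full of abbreviations (a false positive), so `evaluate` shows both kinds of error.

```python
import re

VOWELS = set("aeiouy")

# Server level: hard rules, a hit rejects the message outright (constructed terms).
SERVER_BLOCKLIST = [
    re.compile(p, re.IGNORECASE) for p in (r"\bnarcotic", r"\bpenis\b", r"\bmeds\b")
]

# Client level: soft heuristics combined into a score (constructed weights/threshold).
CLIENT_KEYWORDS = re.compile(r"\b(price|sale|online|free)\b", re.IGNORECASE)
CLIENT_THRESHOLD = 1.5

# Constructed, labelled sample (True = spam); not the post's own top-ten list.
SAMPLES = [
    ("Quality Narcotic Support", True),           # caught by the server blocklist
    ("Update your Penis", True),                  # caught by the server blocklist
    ("xq zlrf wbbl nnt qvc", True),               # random tokens meant to evade filters
    ("Chuck Norris is looking for you", True),    # plain English: slips through (FN)
    ("Lowest price meds online!!!", True),        # caught by the server blocklist
    ("BUY NOW!!! best price online", True),       # caught by the client score
    ("Re: Thursday rehearsal schedule", False),
    ("Your electric bill is ready", False),
    ("Board minutes, April meeting", False),
    ("Morning's at Seven - props list", False),
    ("Lunch on Friday?", False),
    ("FYI: TBD re ASAP ppt", False),              # terse abbreviations look random (FP)
]


def server_filter(subject):
    """True if any blocklist pattern matches the subject line."""
    return any(p.search(subject) for p in SERVER_BLOCKLIST)


def gibberish_fraction(subject):
    """Fraction of alphabetic tokens (2+ letters) containing no vowel at all."""
    words = [w for w in re.findall(r"[a-z]+", subject.lower()) if len(w) >= 2]
    if not words:
        return 0.0
    return sum(1 for w in words if not (set(w) & VOWELS)) / len(words)


def client_score(subject):
    """Additive heuristic score; higher means more spam-like."""
    score = 3.0 * gibberish_fraction(subject)          # random-string evasion
    score += 0.5 * min(subject.count("!"), 3)           # exclamation marks, capped
    letters = [c for c in subject if c.isalpha()]
    if letters and sum(c.isupper() for c in letters) / len(letters) > 0.5:
        score += 1.0                                    # mostly upper case (shouting)
    if CLIENT_KEYWORDS.search(subject):
        score += 1.0                                    # sales vocabulary
    return score


def classify(subject):
    """Return 'server' or 'client' for the layer that flagged it, None if it passed."""
    if server_filter(subject):
        return "server"
    if client_score(subject) >= CLIENT_THRESHOLD:
        return "client"
    return None


def evaluate(samples):
    """Count true/false positives and negatives over a labelled sample set."""
    counts = {"tp": 0, "fn": 0, "tn": 0, "fp": 0}
    for subject, is_spam in samples:
        flagged = classify(subject) is not None
        if is_spam:
            counts["tp" if flagged else "fn"] += 1
        else:
            counts["fp" if flagged else "tn"] += 1
    return counts


if __name__ == "__main__":
    for subject, is_spam in SAMPLES:
        print(f"{'SPAM' if is_spam else 'ham ':5} {str(classify(subject)):7} {subject}")
    print(evaluate(SAMPLES))
```

Running the block lists which layer stopped each subject and then the confusion counts; the tuning problem the post describes is visible in the numbers: raising `CLIENT_THRESHOLD` removes the false positive on the abbreviation-heavy subject but cannot touch the plain-English false negative, which only a content- or sender-based rule would catch.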

So here, for your dining and dancing pleasure, are my (so far) top ten least appealing spam email subjects, in the style of David Letterman. I can’t imagine who is opening these emails. I just hope he or she doesn’t live in my neighborhood. Or in my city. Or on my planet.

Top Ten Least Appealing Spam Email Subjects

10. Top Rated Australians on Sale

9. What They Don't Want You to Know What it Does to Your Body!

8. With this medicine may lead to unconsciousness or death

7. Chuck Norris is looking for you

6. Jessica Alba stares at me

5. Update your Penis

4. Quality Narcotic Support

3. Pimp my ass

2. russian roulette games

And the number one least appealing spam email subject:

Nazi Chat Room

Friday, May 02, 2008

Miami Vice II

Well, dear friends, the latest installment of Mac Wars II: Attack of the Clones is now out. My earlier suspicion that Mac clone maker Psystar might be little more than a hustle notwithstanding, it appears that the Miami-based startup is actually producing a product - or at least a demo product that got a nice review on CNet. Their bottom line:

Its hardware isn't made by Apple's design team, it will likely never work as a full member of the greater Apple ecosystem, and one ill-intended software update could turn it into a $750 brick. Get past all of that, and you'll find Psystar's OS X-based Open Computer a fast and otherwise compelling lower midrange desktop.

Personally, I'd be a lot more concerned that Psystar is a startup, and one that's had a shaky history (see my previous blog post for a summary). The computer may come with a one-year warranty but if you ask me it's even odds as to whether these guys will still be around in one year.

Maybe we should wait for Mac Wars III: Revenge of the Apple.

Sunday, April 20, 2008

Miami Vice

Hey buddy - have you heard the one about the Mac clone?

There are times when it seems like every day is April Fool's Day in the technology news; times when some of the stories are strange enough to make you wonder whether or not somebody isn't having a big laugh at our expense.

Take, for example, the story of the Mac clone maker Psystar. At least, they say they're making Mac clones; so far, nobody has actually seen one despite what the Miami-based company claims is the “incredible response” to the offering of its Open Computer, pre-loaded with Apple's OS X. Shortly after announcing its product line early last week, Psystar's web site went down. In the days that followed, the web site went back up, but the company's business address changed repeatedly (“four times in the matter of a few hours” according to Adrian Kingsley-Hughes' Hardware 2.0 blog at ZDNet).

Then their credit card payment processor, Powerpay, dropped them. According to News.com's Tom Krazit, “Louisa Deluca, vice president of loss prevention for Powerpay, said on Thursday [April 17th, 2008] that her company dropped Psystar because it violated the terms of its agreement with Powerpay”. Psystar switched to Paypal, only to be given the virtual axe by them less than 48 hours later.

The punch line, however, is to be found in a Forbes piece by Brian Caulfield, wherein we learn that Psystar's founder “won't go on the record about his educational background, detail his professional history or name any previous ventures” (THAT'S certainly not suspicious) and acknowledges that the Open Computer “is based on a machine put together by his brother (whom he won't name). Nor will he say how the new computer works.”

“I'm not making this up, you know!” as Anna Russell used to say.

To be fair, it's always possible that Psystar, despite making every possible mistake a start-up can make, might actually cough up a product. They claim it takes around two weeks to turn one out, so by early May we should know whether or not the folks who managed to give them their credit card numbers before everything crashed have been taken to the cleaners. So far the only evidence we have that the machines even exist is some images from Psystar collected by ZDNet.

And that's assuming that Apple doesn't let loose the dogs of law. There's still the inconvenient truth, after all, that Apple's EULA prohibits the installation of OS X on non-Apple hardware. Psystar said they'll challenge that in court, but then Psystar is saying lots of things that raise one's virtual eyebrows.

Given that Open Computer prices start at $399, I'm skeptical. As Larry Dignan noted in his Between the Lines blog, "I’d rather let you trusting souls be the guinea pigs before I pay up for a Mac clone. If it sounds too good to be true it probably is". If I had to make a bet, I'd lay heavy odds that it's lawyers who will have the last laugh here.

Thursday, April 10, 2008

Safety Last

The title of the April 9th Computerworld article was interesting: "DHS chief says feds need help to defend Internet against cyberattacks". Given this administration's track record when it comes to power grabs, I expected this to be a sales job for Chertoff to claim even more authority.

Looks like I was wrong. Chertoff acknowledges that "[t]here is no question that one of the threats that continues to materialize again and again is the threat to our virtual world of cyberspace," and that a successful attack could have a world-wide "cascading effect". He just doesn't think government can do much about it. Check out this quote:

But defending cyberspace is different from protecting buildings and other physical targets, Chertoff said. The federal government doesn't own the Internet or much of the technical infrastructure on which it runs, he noted. As a result, he declared, it's the shared responsibility of the government and the private sector to guard against cyberattacks.

"We're operating in a domain where traditional military power or the power of government is insufficient to address the full nature of the threat," Chertoff said. "We need to have a networked response to deal with a networked attack."

Translation: "I need to make it look like I'm doing something but I don't want to force the administration's corporate cronies to do anything that would cost them money, so regulation is right out of the question."

Note that this is the same Michael Chertoff who, according to the April 8th New York Times, declares that he has the power to unilaterally invalidate dozens of laws in order to build a fence at the Mexican border (a boondoggle if ever there was one, but that’s another rant). Why not use this same constitutionally suspect dictatorial power to force corporations to secure their network? After all, declaring itself above the law is SOP for this lot.

The answer, of course, is that doing so would annoy the corporations that call the shots in this administration. They're perfectly happy to have Chertoff sweep away environmental laws that get in the way of the holy pursuit of a fast buck. Telling them to spend money on security, on the other hand, would be a quick way to an early retirement so he could "spend more time with his family".

Meanwhile, as reported on the very same day at news.com, security experts have demonstrated that gaining control of the systems at a power station via social engineering and malware is a no brainer. Don't hold your breath waiting for Chertoff to force the power industry to clean up its act. See above.

Thursday, January 24, 2008

Fakin' Care of Business

OK, you already know you can get infected with malware by visiting web sites in the Internet's red light district or by foolishly clicking on links in e-mails promising to decrease your mortgage payments or increase the size of various body parts. So you should be fairly safe, right?

Wrong.

It turns out that avoiding obviously shady web sites isn't enough. According to Websense's Second Half of 2007 review the majority (51%) of malware attacks in the last half of 2007 came from legitimate web sites that had been hacked.

How is this possible? Here's what Websense's vice president of security research, Don Hubbard, had to say in a January 23rd, 2008 article in Computerworld:

Sites are hacked in a variety of ways, said Hubbard, who noted that there is no one method that stands out. "[Compromises are] all over the place, unfortunately, [including] miss-configurations, no patches and so on."

In other words, the companies responsible for the compromised sites aren't taking security seriously. That's because making web sites and applications secure costs money without making any obvious contribution towards profits. Given the choice between making a web site more secure and sticking more bells and whistles on it, corporate America's empty suits will inevitably choose the latter.

And it's not just web sites you have to worry about. The Websense report also notes that 87% of email messages are spam and that 67% of those unwanted emails include links to malicious or spam-producing sites.

In fact, thanks to the proliferation of digital add-on devices, you can get infected without even opening an email or starting up your web browser. As reported in a January 19th product alert, digital picture frames made by Insignia (and sold at Best Buy) "were contaminated with a computer virus during the manufacturing process." When you use the frame's USB connector to download an image from your PC, the frame reciprocates by uploading an (unspecified) virus.

Insignia doesn't say where the infected frames were made, but given the low prices of their products and some comments in on-line forums, it seems likely that they're made in that hotbed of high product quality, China.

The fact that China is actively engaged in cyberwar with the USA is, of course, just a coincidence.