The Technology Curmudgeon

Ghost Writer

2010-12-19T00:21:00.003-06:00

Say what you will about Facebook, there are times when it’s extraordinarily useful. If it weren’t for Mark Zuckerberg’s mammoth marketing machine, for example, I might never have found out about a recent Vanity Fair article by Teller (of Penn and…) about the late Harry Houdini. The piece made me sigh and wish that Harry Houdini had not died so young.

During his brief life – he died on Halloween, 1926, at the age of 52 – Houdini was many things: magician, historian, aviator and even (according to a recent biography by William Kalush and Larry Sloman), spy. Uncritical reports of hauntings, however, inevitably call to my mind the role that consumed most of his final decade: debunker of phony Spiritualist mediums.

An ostensibly Christian religious movement whose practitioners claimed the ability to communicate with the deceased and to act as living bridges between this world and The Other Side (usually for a price), Spiritualism included, by the 1920s, many of the rich and famous in its ranks. Séances, it was said, were even taking place in the Coolidge White House.

Against such formidable enemies, Houdini brought his legendary pugnacity, a fortune of his own, and an encyclopedic knowledge of all forms of illusion and deception. Try as they might, mediums generally discovered that when Houdini was in charge of the séance, the spirit voices, tapping tables, and ectoplasm were suddenly in short supply. Houdini relentlessly exposed their tricks on stage and, finally, in hearings before the US Congress.

Alas, it was a losing battle. The drain on his finances and health eventually became too much. Following assaults backstage at the Princess Theatre and again later in his hotel lobby by men who may or may not have been Spiritualist agents, Houdini suffered a ruptured appendix and died.

Today, Spiritualism is almost as dead as Houdini, but many its hustles and frauds have been picked up by mainstream culture. From the Psychic Friends Network to SciFi Channel’s Ghost Hunters to James Van Praagh and his fellow “ghost whisperers”, popular media seem chockablock with the same purveyors of the preternatural against whom Houdini fought so valiantly. The words may change, but the melody – or is that malady? – remains the same.

Really, you’d think we’d know better by now. It’s not like we don’t have contemporary hoax busters – the aforementioned Penn and Teller come immediately to mind, as does James Randi. Maybe the problem is that they’re just not as charismatic as Houdini was. Maybe we’re just not paying that much attention because having conversations with the loquacious deceased is no longer the idiocy of choice amongst the Rich and Infamous, its place having been taken by making pornographic videos or starting wars, as the case may be.

Or maybe our scientific illiteracy has reached the point where we can no longer tell fact from fiction or understand the difference between that which is strongly believed vs. that which can be empirically verified. If so, it does not bode well for our survival as a species. Many challenges await us, and we’ll need all the reason and real world knowledge we can summon to meet them.

Where’s Houdini when we really need him?

Too Much Monkey Business

2009-12-15T21:49:00.002-06:00

The lingo used by those of us who deal with computer security issues can be pretty opaque at times. Acronyms like CIAC, NAC, and RAT rub shoulders with neologisms like keylogger, phishing, and malware, and ominous-sounding phrases like “zero-day attack”. Their meanings are not always clear and most have little relevance to the daily lives of anyone who doesn’t have a propeller beanie or pocket protector.

There are, however, some terms for computer brain malfunctions that are similar to human brain malfunctions. Take, for example, the buffer overflow.

In computerese, a buffer is simply a short-term storage area for information. When I wrote this article, for example, it was stored in a buffer in my computer’s memory until I saved the file, when it was moved to long-term storage on the hard drive. There’s a limit to how much data the buffer can hold at one time, however, and if it gets flooded with too many bits too quickly it will overflow, the program will crash, and information will be lost. Viruses and other malicious programs use buffer overflows as an infection tactic.

Buffer overflows occur in the real world all the time. Have you ever gone to a party and been introduced to so many new people so quickly that you completely forgot most of them? Or attended a class that moved so quickly that you became completely lost? Buffer overflow. Like your computer, your brain has only so much short-term storage capacity.

Situations like the ones I just described are minor annoyances, but in the last couple of decades another, more troubling kind of human buffer overflow is starting to show up. It’s a function of the 24/7, “always on”, media-saturated environment in which we live – an environment that’s very new in human history and effectively unprecedented.

The problem is that we are simply bombarded by information every waking hour of our lives, from hundreds of cable, satellite and broadcast TV and radio channels, junk paper mail and email, and every possible type of media via the Internet.

Irrelevant trivia that, in an earlier age, simply wouldn’t have made the cut to publication is tossed into the mix along with genuinely critical political and economic information. There are so many outlets that the demand for material is staggering.

The result is that we in the Western world seem to be losing the ability to tell trash from truth, and are forgetting our own history, recent or distant. Our buffers are continually overflowing. We’re swamped in a flood of celebrity gossip, vacuous sound bites and, especially over the last several years, a constant drumbeat of fear — all of which makes us that much more susceptible to the latest corporate hustle or government propaganda campaign. The less we know about the real issues, the easier we are to manipulate.

There are, happily, some easy remedies:

Make “off” the default state for your TV. Turn it on only when there’s something that you particularly want to watch.
Do the same for your radio.
Get your news from a source that allows you to control what information you get and the speed at which you get it — a newspaper, news magazine, or news web site.

Finally, take time to think about what you’ve read and to discuss it with friends and family. Explaining a concept to others helps clarify your own thinking.

It might even prevent a mental system crash.

Absent Friends

2009-09-01T23:12:00.003-05:00

[This is an expanded version of an article originally published in a local newspaper in January of 2008.]

For many years now, my wife and I have been hosting a New Year's Eve party. At the stroke of midnight, we pop the Champagne, sing “Auld Lang Syne” and offer a series of toasts to “Absent Friends” - people of note who shuffled off this mortal coil during the dying year.

The honored dead are usually celebrities of varying degrees of renown along with, on a few sad occasions, folks who were part of what we refer to as our “Extended Family”. This year, though, was unique because the list included two celebrities who weren't people at all: Alex and Washoe.

Alex, an African Grey parrot, and Washoe, a chimpanzee, were notable for their abilities to use language in ways that most of us humans assume are unique to us. In doing so, they helped psychologists and linguists better understand how language works. They also reminded us Homo sapiens types that we may not be quite as special as we like to think we are.

Of the two, Alex presents the more remarkable history. Most parrots can mimic human speech and other sounds, but what set Alex apart was his apparent understanding of what his 150-word vocabulary meant. He could identify shapes and colors and, as noted in the bird's New York Times obit, “he could express frustration, or apparent boredom, and his cognitive and language skills appeared to be about as competent as those in trained primates.”

Alex's last words - spoken to his trainer/mentor Dr. Irene Pepperberg as she covered his cage the night before his death - were: “You be good, see you tomorrow. I love you.”

Washoe the chimp had been something of a celebrity for decades. I first heard of her accomplishments in a graduate school learning theory class. Adopted by psychologists Allen and Beatrix Gardner, Washoe was taught to communicate with the Gardners, their students and, later, with other chimps using American Sign Language (ASL), the dominant sign language used by the Deaf community in the USA.

The Gardners used ASL because they felt that chimps lacked the physical apparatus to produce human speech. If chimps could communicate via ASL, it would suggest (among other things) that Noam Chomsky's assertion that linguistic ability was “hard wired” into humans alone might not be accurate.

Washoe succeeded admirably. By the time of her death, she had a working vocabulary of 250 signs and had even begun to pass on her knowledge to her son Louis. She used them, moreover, in ways that suggested an understanding of the concepts underlying the words. She communicated, in short, in ways that were strikingly human.

Not all scientists agreed on the significance of the accomplishments of Washoe and Alex, of course. Skeptics included not only Chomsky but also the Canadian psychologist Steven Pinker and semiotician Thomas Sebeok. And that's as it should be. A single case, striking as it may be, is significant only if it can be replicated; that's how science works.

And yet: those final words from Alex are haunting, and fraught with possibilities. If chimps, apes and even parrots are capable of something approximating human thought and feeling, what does the way we treat them say about us? Even more to the point: what are the moral implications of destroying their habitat for nothing more profound than our convenience and profit? Is it merely another form of “ethnic cleansing”?

We are not the captains of Spaceship Earth, only passengers. If Alex and Washoe are any indication, we should start treating our fellow travelers with a little more respect.

Subway Night

2009-05-12T22:02:00.004-05:00

It was during the waning years of the Bush Reich that I decided my peace of mind would be enhanced if I just stopped listening to the news every day. Most of it was dire and almost none of it concerned events over which I exercised the slightest control, so I turned off the car radio and started stuffing the changer with selections from my classical CD collection.

Something resembling sanity may have returned, at least temporarily, to our nation's capital, but most of the news isn't significantly more encouraging and I still have no control over it.

All of which is just a roundabout way of explaining why I'm apparently the only one who didn't know about a subway collision in Boston that injured 49 people - including the nitwit operator of one of the trains who, it turns out, was texting his girlfriend when the crash occurred.

As reported in Computerworld, the agency that runs Boston's underground has, predictably, responded by calling for a ban on operators even carrying mobile devices - a response which largely missed the real problem.

That problem (as I noted here a little while ago) isn't that some lamebrain was texting while driving a multi-ton commuter vehicle. The problem is that he was giving his attention to something other than driving a multi-ton commuter vehicle. He was trying to multi-task despite the fact that human beings don't (indeed, can't) multi-task.

We can (and so) switch attention among different tasks, but that's not the same thing. If you're texting, smoking, drinking, eating, putting on makeup, or talking on a phone you are NOT attending to the rather demanding task of piloting a heavy vehicle at high speed. And it only takes a second of inattention to at the wrong time to create a disaster on the rails, the road - or in the sky.

Operating vehicles while impaired is what needs to be banned. Laws focused on specific sources of distraction (such as texting) miss the point and run the risk of becoming obsolete as soon as they are passed.

Sun Set?

2009-04-21T21:19:00.003-05:00

Well, it's Monday. The parking garage was nearly full, the new screen saver my employers installed on my PC over the weekend locked it up so badly I had to do a hard reboot (ouch!) and Sun is in merger talks again, this time with Oracle. To paraphrase a lyric from Li'l Abner, it's a typical day in IT USA.

Unless you're part of the propeller beanie crowd (or a stockholder), you probably haven't paid much attention to Sun Microsystems' ongoing attempts to stay afloat in the current roiling economic waters, so here's a little background.

For what seemed like years, Sun had been in increasingly troubled merger talks with IBM, much to the alarm of many in the IT community, who saw it as a threat to both Sun's Solaris operating system and its Sparc hardware line. The deal would also have given IBM control of a majority (65%) of the world's UNIX servers - also a cause of unease.

The new deal with database giant Oracle would appear to set some of those fears at rest while raising others - mostly regarding the popular open-source database MySQL, which Sun acquired just last January. As Computerworld columnist Sharon Michlis mused in her April 20th column:

As MySQL becomes more successful in pushing into the enterprise, can Oracle executives resist seeing the open-source database as a threat to its own high-performing, capable but more costly offering?

All of this may seem pretty abstract to anyone who isn't involved in corporate IT or database development and I suppose it is, if viewed in isolation. As yet another example of the trend towards corporate mergers, however, it's disturbing. Competition is what makes capitalism work. The fewer companies there are competing for business, the less concerned they have to be with offering a quality product at a fair price and the more likely they are to come to Capitol Hill, platinum cup in hand, begging for bailouts.

We've already seen what happens when companies become “too big to fail”. Isn't it about time Federal regulators started enforcing anti-trust laws that were created to keep our capitalist system healthy in the first place? The merged Oracle/Sun entity might look healthy now, but then so did AIG and Citicorp.

Mad Tea Party

2009-04-19T00:30:00.007-05:00

Well, tax time has come and gone, so one hopes that we've heard that last of this Astroturf “tea party” movement - unless Faux News decides to continue sponsoring it as aggressively as they have to date.

I won't bore you with the details or why it's all so stunningly hypocritical to see a bunch of middle-class white folks whining about paying the taxes that make their comfortable middle-class life possible. Besides, the picture accompanying this rant neatly labels some of the things taxes pay for and without which the protestors would have been, as they say, SOL. As they say in The Moon is a Harsh Mistress, there ain't no such thing as a free lunch.

What does this have to do with technology? Quite a bit, actually.

To begin with, the Internet - that world-wide network of networks that makes it possible for you to read this and for the tax protesters to organize and distribute their grievance lists - exists only because tax dollars were spent to create its foundation.

Yes, kids, the Internet - that Holy of Holies for the libertarian, “all government stinks” movement - began life as a government-funded project called ARPANet in the 1960s. Initially built by BBN with Defense Department funds, the nascent network had only four nodes, three of which were at public (as in “taxpayer funded”) universities. It would be decades before it grew robust enough to stand on its own and attract tons of venture capital.

There's nothing surprising about this. Basic research - the intellectual heavy lifting that must precede any big technological advance - is always expensive and rarely yields a short-term payoff. It's the sort of thing that governments do well and that business, with its myopic focus on the short-term bottom line, no longer does at all.

If the Tea Party crowd had its way, none of this would happen and we'd all be worse off for it. Heck, according to some analysts, we're already pretty far down that increasingly ill-paved road already thanks to eight years reckless spending on unnecessary foreign adventures coupled with a steady decrease in funding for research.

In his Principles of Economics Gregory Mankiw (former chairman, ironically, of Boy George's Council of Economic Advisors) notes: "To get one thing that we like, we usually have to give up another thing that we like. Making decisions requires trading off one goal against another."

You like having police and fire protection, roads, bridges, water and sewer service, a functioning court system, an ever-expanding prison system, disaster recovery assistance, a standing army, public education, libraries, and an entire regulatory infrastructure to discourage fraud and enforce contracts? Well, you can't have all that without giving up something else you also like (money) at tax time - especially when you combine all those things with multiple wars of invasion and occupation.

So the next time you get an email whining about taxes, remind the sender that taxes are what made it possible for the email to be sent in the first place. There's no free lunch. Deal with it.

Son of Chinese Rock

2009-04-08T22:37:00.007-05:00

He's baaack!

Yes, dear friends, the Technology Curmudgeon has returned from a long hiatus (largely due to activities centered in the other half of his brain) to once again remind you that inside of every InfoTech silver lining (or Silverlight, for that matter) is a big, dark cloud.

This time it's a cloud I warned you all about two years ago. Then it was an ominous thunderhead. Now it's starting to look more like Hurricane Katrina. And we're just about as well prepared for it.

I refer, of course, to the ongoing cyberwar between the USA and China.

No, you probably haven't read about it in the corporate media. Sure, you might have noticed, down around the third or fourth paragraph, a mention of the fact the recent conficker worm likely originated in China. But for the most part it's only infosec professionals who are aware of the fact that China-based attacks against domestic targets, public and private, have been going on for quite some time now.

That may be about to change. As reported in the April 8th Wall Street Journal and Computerworld: “[c]yperspies from China, Russia and elsewhere have gained access to the U.S. electrical grid and installed malware tools that could be used to shut down service”.

As the WSJ article states:

The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven't sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.

"The Chinese have attempted to map our infrastructure, such as the electrical grid," said a senior intelligence official. "So have the Russians."

The espionage appeared pervasive across the U.S. and doesn't target a particular company or region, said a former Department of Homeland Security official. "There are intrusions, and they are growing," the former official said, referring to electrical systems. "There were a lot last year."

Many of the intrusions were detected not by the companies in charge of the infrastructure but by U.S. intelligence agencies, [emphasis added] officials said. Intelligence officials worry about cyber attackers taking control of electrical facilities, a nuclear power plant or financial networks via the Internet.

Authorities investigating the intrusions have found software tools left behind that could be used to destroy infrastructure components, the senior intelligence official said. He added, "If we go to war with them, they will try to turn them on."

Officials said water, sewage and other infrastructure systems also were at risk.

Oh, frabjous day.

Let's see where we stand now. Pretty much all of our manufacturing is now done in Chinese sweatshops. China has been keeping our spendthrift economy afloat by buying dollars. US firms are shipping IT jobs and infrastructure to China as quickly as possible with, ironically, enthusiastic support from the likes of the WSJ. And now they might have a stranglehold on our power grid, thanks in part to lack of attention to security by power companies.

Or, as the WSJ puts it: “The growing reliance of utilities on Internet-based communication has increased the vulnerability of control systems to spies and hackers, according to government reports.”

This is madness. Anyone who knows anything about the Internet understands that it is an inherently insecure system. Why would utilities rely on something like that? Could it be because, in the aftermath of the deregulation mania of the last decade, power companies (like other corporations) don't want to spend money on anything that doesn't promise a quick profit?

Security costs money. Sure, not securing your cyber-assets could cost you the entire business but, as we have seen recently, companies that are “too big to fail” don't have to worry about that.

So - where will you be when the lights go out?

A Connecticut Yankee in Kangaroo Court

2008-11-27T12:37:00.002-06:00

Another Thanksgiving Day is upon us and before my wife and I head off to stuff ourselves at an Extended Family gathering, I'm taking a few moments to reflect on the things I'm thankful for.

I'm thankful for my lovely wife, for one thing. Also for our 130-year-old home, even if it is continually in rahab. I'm thankful that my 88-year-old mom can still drive up to our place to join us for dinner. And, of course, I'm really thankful that I don't live in Norwich, Connecticut.

That last one needs a bit of explaining.

Norwich is the small town where, four years ago, substitute teacher Julie Amero was charged with (and eventually convicted on) four counts of “four counts of risk of injury to a minor, or impairing the morals of a child”. Her crime? Between the time the regular teacher, Matthew Napp, left the classroom and the time Ms. Amero entered, one or more of the pupils got to Napp's computer. When Amero entered the room, the PC was displaying pornographic images. Her attempts to close the web browser only resulted in more porn being spewed across the screen. In desperation, she turned the screen away from the class and, during the class break, tried (without luck) to get assistance from other teachers.

Never mind that the computer was directly connected to the Internet without a firewall, that it lacked any anti-spyware software, or that the Symantec software that was installed had never been updated.

Never mind that, at the trial, Detective Mark Lounsbury testified that the computer had never been checked for malware.

Never mind that, as noted by Nancy Willard (M.S., J.D.) of the Center for Safe and Responsible Internet Use, the situation Amero had clearly run into a “porn trap” in which trying to close one browser window spawns others at the same site and effective takes control of that browser.

Never mind that Amero had been specifically instructed not to turn the computer off and apparently didn't know how in any case.

No, somebody had to take the fall and a substitute teacher was clearly a more convenient victim than (say) Mr. Hartz, the school's technology director. Could that be why he didn't bother to tell the cops about the lack of a firewall or outdated software?

Indeed, the fact that Amero's lawyer was not permitted to present evidence about the computer's lack of proper security, coupled with testimony from a police expert that the images could only have appeared if Amero intentionally accessed the sites (testimony which Willard, in masterpiece of understatement, labels “totally inaccurate”), inevitably suggest to me that a backroom deal was made somewhere to prevent Hartz and his superiors from facing the consequences of their own gross negligence and incompetence.

Computer security professionals were understandably outraged at this travesty of justice. Articles were written and lots of cyber-hell was raised. The case was appealed and the original conviction thrown out by a superior court judge (superior in more ways than one, in my view) in New London. The whole sorry mess finally came to an end on November 21st when Amero, obviously worn down by five years of repugnant legal harassment, pled guilty to a disorderly conduct charge (a misdemeanor, as opposed to the original outrageous felony charges), paid a $100 fine and, in a final disgusting act of injustice, had her Connecticut teaching credentials revoked.

So, yes, I'm thankful that I don't live in a town and state in which being the innocent victim of official ineptitude malware malice is a felony. I wish only the best of Ms. Amero and her family and hope she's able to get on which her life. She might want to start by moving to a city and state where truth gets a little more respect than it does in Norwich, Connecticut.

Partly Cloudy

2008-08-02T00:19:00.001-05:00

I’ve looked at clouds from both sides now
From up and down, and still somehow
Its cloud illusions I recall
I really don’t know clouds at all

- Joni Mitchell, “Both Sides Now”

A lot of customers of amazon.com’s much-hyped Simple Storage Service (S3) were probably singing that song back on July 20^th when (as reported by Information Week, among others) problems with “internal system communications” took S3 off line for eight hours. Worse yet, this was the third such outage in the company’s flagship “cloud computing” application.

What, you never heard of “cloud computing”? There's a respectable definition on Wikipedia, but essentially it's another form of outsourcing in which traditional corporate IT functions like data storage are made available by a third party as a service. The idea is that your company connects to the provider's network via the Internet - traditionally represented by a cloud graphic on network diagrams and PowerPoint sales presentations - and the provider takes care of all the nuts and bolts for you.

Launched in 2006, S3 was sold as a reliable alternative to big, power-hungry server farms.It was especially attractive to small businesses with big storage needs like SmugMug, ElephantDrive, Jungle Disk and others. Now some of them may be starting to wonder if trusting a critical business function to the vagaries of the Internet and Amazon's internal network was such a great idea after all.

This, of course, is the whole problem with cloud computing - to say nothing of Web 2.0, Software as a Service (SaaS), and all the other trends that involve sending your critical data off into a black box over which you have no control and about which you don't really know all that much. Sure, you've got a service level agreement. But how much does that mean when, as in the case of S3, the only way you can apply for a credit for the outage is via email? And how much is that credit worth, anyway, if your important data was unavailable for an entire business day? Are you really saving money if your storage isn't 100% reliable?

Sometimes you get what you pay for.

Four Minute Warning

2008-07-15T16:40:00.001-05:00

If you're one of those rare individuals with sufficient taste and intellectual joie de vivre to read this blog on a regular basis, you're probably aware that when I'm not being a propeller beanie type for Really Big Company, I'm a writer, radio broadcaster, theatre critic and actor. This means that in the Green Room, I'm likely to be the only carbon-based life form who knows enough about PCs to troubleshoot them for my fellow thespians. Like the proverbial doctor at the cocktail party, I get a lot of requests for free diagnoses and advice, except that in my case the patient has only artificial intelligence.

One thing I've taken away from these backstage conversations is that - as I noted in a minor jeremiad last year - there are an awful lot of computer users out there who, if they maintained their cars the way they maintain their PCs, wouldn't be allowed out on the street, much less on the (information) highway.

Last month, for example, while appearing in Stray Dog Theatre's production of Paul Osborn's lovely comedy Morning's at Seven, one of the actors complained that her Windows laptop had become so slow that she could hardly stand to use it and was thinking of buying a new one. My first question was, “Do you have anti-virus and anti-spyware software installed and if so, are they up to date?” The blank stare I got was all the answer I needed.

I was reminded of this recently when I saw a post by Lorna Hutcheson on the SANS Institute's Internet Storm Center blog indicating that an unpatched Windows PC connected to the Internet can expect to survive around four minutes before it's probed by a worm or other attack bot.

Four minutes. That's less time than it would take for the PC to download the latest patches from Microsoft. In fact, as Daniel Wesemann noted in a comment on the blog:

“While the survival time measured varies quite a bit across methods used, pretty much all agree that placing an unpatched Windows computer directly onto the Internet in the hope that it downloads the patches faster than it gets exploited are odds that you wouldn't bet on in Vegas.”

I'm guessing that my fellow actor's PC had probably been on the 'net for years without proper protection. It's no wonder it was so slow; when your PC is busy pushing malware and spam to all and sundry, there aren't many processor cycles left for unimportant stuff like reading your email.

I offered to do a Spybot S&D scan on her PC for her but she had already decided to shell out for new PC. A week or two later she had it connected to the unsecured wireless access point that was available backstage, cheerfully logging on to her email server and doing heaven only knows what else without the benefit of encryption. Any bets on how long it takes this one to come to a screeching halt?

Her four minutes are already up, after all.

Influence Peddlers

2008-06-19T12:44:00.002-05:00

I'm not normally a big fan of bumper stickers as a way of getting a message out; most are a waste of time and many are just plain obnoxious. Still there's one that might persuade me to change my mind: the “Hang Up and Drive” sticker that urges cell phone addicts to put the damn thing away and pay attention to the 2,000 pounds or so of metal and plastic they're supposed to be controlling.

I'm not the only person who feels this way. As reported in a recent Computerworld article, many states are taking action to ban cell phone use while driving and researchers are pointing out that other distractions - including MP3 players, internet access devices, GPS and even video players - have the potential to make the problem far worse. It's bad enough that we still have people hurtling down the freeway while intoxicated; now we've got to take into account jokers who are watching TV at the same time.

Unfortunately, legislation aimed at specific sources of distraction misses the main point. An automobile is a big, potentially dangerous machine. The operator of that machine needs to be focused on using it in a matter that is safe both for him/her as well as for other motorists. What really needs to be illegal is, for lack of a better phrase, Driving While Impaired.

Current drunk-driving laws address one form of DWI, but the explosion of technology-based forms of impairment clearly demands modernized legislation that penalizes any form of impairment, regardless of the source. Simply passing more laws targeted at specific sources of distraction (such as cell phones or GPS) is just playing "whack a mole" with the problem; as soon as you ban one, another one will pop up.

Operating a car isn't a right. It's a privilege that carries with it certain responsibilities. That's why we have tests on driving skills and laws as requirements for a license. That's also why we have periodic vision tests at license renewal time. Driving unimpaired is just another one of those responsibilities and, considering the loss of life and limb that results from failing to live up to that responsibility, it's probably the most important one.

Sound Bytes

2008-06-11T17:29:00.002-05:00

Every now and then I come across an item that spans the divide between my technology blog and my performing arts blog - which is why I'm publishing this little essay in both. Case in point: this interesting item from the New York Times about the use of all-digital orchestras by small companies.

The technology is intended, supposedly, to supplement a small live orchestra. As the author points out, however, there's nothing to prevent it from replacing live musicians entirely.

On the one hand, it might be a boon to small, cash-strapped companies that can't afford to hire many (or any) musicians or community theatres with volunteer orchestras that leave something to be desired in terms of competence. On the other hand, it could make real musicians an endangered species, which is hardly a desirable outcome.

In any case, you'd think it would be an interesting topic for discussion. I expected, therefore, a flurry of responses when I posted the following question to two local theatre email lists: newlinetheatre and stlouistheatre: Would you use an all-digital orchestra for a production?

What I got was a whopping total of one response from New Line Theatre's founder and artistic director Scott Miller, who stated categorically that he would "never do a musical without live musicians". That was hardly surprising, by the way; I've known Scott for some years now and was well aware of his disdain for canned music.

I'm not sure what to make of that. There are a number of musical theatre producers on both lists. Surely at least one of them has an opinion on this. It's not an academic issue, after all. High schools are already using all-digital or mostly-digital orchestras. Surely it's only a matter of time before those small companies referred to above find themselves asking whether or not they should go digital.

So why the silence? Is it because they're all in agreement with Scott? That would be the happier explanation as far as I'm concerned. Or is it because, given the potential cost savings, they wouldn't even bother to think about it before going digital? Could commerce really have trumped art to that degree?

Scary thought, that. Are we facing a future like the one Walter Miller described in his Hugo Award-winning story The Darfsteller? Film extras have already been supplanted by digital animation in big-budget pictures. Could real, live performers of all kinds go the same way?

Will we eventually get to the point where we have made ourselves obsolete?

The Humanoid Boogie

2008-06-09T23:34:00.001-05:00

[Thanks to The Bonzo Dog Band for the title.]

A couple years ago, on an internal company blog, I commented on the ways in which the right hand of the information technology industry not only doesn't know what the left hand is dong but often seems unaware that there even is a left hand. Breathless dispatches in technology trades about mashups, Web 2.0 (or is it 2.1.0.5 SP 2 now?) and other ways for everyone to connect to everyone else sit cheek by virtual jowl with sober articles on how we're losing the cyberwar with spammers, malware distributors, identity thieves and other net.swine. Don't the people who write these things ever talk to each other? It's as though they live on different planets.

I had similar When Worlds Collide experience the other day, albeit on a different technological front. It happened as I was listening to NPR's Science Friday talk show. The guest was “futurist” Ray Kurzweil expounding, as he usually does these days, on advances in computer and medical technology that will make us all cheerful cyborgs, living longer and happier lives through the integration of humans with computers. Listening to Kurzweil paint a rosy picture of the posthuman future, it's easy to forget to ask some fairly simple questions about it; questions that host Ira Flatow never thought to bring up.

Questions like: where are we going to get the power for the man/machine hybrid? Or: how much will this wonderful cutting-edge biomedical technology cost? Who's going to pay for it? And, for that matter, who's going to be able to afford it?

Given that in 2005 (the most recent year for which data are currently available), nearly 47 million Americans (just under 16% of the population) had no health insurance - and therefore no access to health care - those are hardly irrelevant questions. Indeed, even Americans with insurance are seeing their out-of-pocket costs increase. Add in the fact that employer-based health insurance is quickly turning into a luxury and you have to wonder how many of us really will get to be posthuman.

This was brought to my attention rather dramatically a few weeks ago when I got a new CPAP machine. A CPAP (Continuous Positive Airway Pressure) device is a fairly simple bit of technology that effectively eliminates snoring and sleep apnea. Those of us who suffer from those conditions know only too well how beneficial these little devices are. Not only are we less tired, but we're also less at risk for serious health conditions in later life, including stroke and cardiovascular disease.

Once the newer machine was delivered, of course, I had no use for the old one. As I'd had it for over six years, my insurance company had long since declared it my property. I therefore decided to give it away on freecycle.org.

What happened next was a stark illustration of the difference between Ray Kurzweil's future and everybody else's present. Within less than five minutes of making the offer on freecycle, I received well over a dozen replies - and kept getting them even after I posted a notice that the machine had been taken. All of them told essentially the same story: they had sleep apnea, they had insurance - and their insurance refused to pay for a CPAP machine.

Bear in mind that this is well-established and relatively inexpensive technology with a proven track record of correcting a condition which, left untreated, can lead to serious illnesses which are much more expensive to treat than sleep apnea. If insurers are so focused on short-tern costs that they won't even cover something this basic, how likely are they to ever cover the kind of Buck Rogers stuff discussed on Kurzweil's web site?

Meanwhile, the millions without any insurance are lucky to get a flu shot.

That doesn't mean the posthuman future won't happen. It will just happen to the shrinking percentage of the population that can afford the latest and greatest nanotechnology. Without drastic reforms to America's health care system - which delivers less care for more money than that of any other first-world nation - Kurzweil's future will be a dystopia of nearly immortal elites governing the destinies of highly mortal masses.

On the other hand, maybe we commoners aren't supposed to have acsess to that stuff. Maybe we're just supposed to buy the high-priced nutritional supplements Kurzweil is hawking on another site.

Top Ten Vexes

2008-05-28T21:51:00.009-05:00

[With apologies to Lewis Furey for the title.]

Like many of you, I expect, I get a lot of unwanted commercial email, a.k.a. spam. I haven’t taken a count, but I’d say something like 80% of the email sent to me is spam these days.

Only a tiny fraction of it ever makes it to my in box, of course, because I have two levels of spam filtering in place – one at the server level and one at the client level. Over the years I have fine-tuned them so that I get few false negatives (junk that eludes the filters) and even fewer false positives (legit email pegged as junk).

Still, I have to scan the subject lines of my junk mail weed patch daily to remove the occasional flower. When doing so, it’s hard not to notice the sheer idiocy – to say nothing of hallucinatory incoherence - of most of those subject lines. Many of them are random strings of words or letters apparently designed to defeat spam filters. Others, however, are so actively obnoxious that you’d think they’d defeat the entire reason for their existence. Would anyone with two neurons to rub together really open an email with some of these titles, much less follow a link contained therein and, even more incredibly, actually buy something at that link? Apparently P.T. Barnum was right.

So here, for your dining and dancing pleasure, are my (so far) top ten least appealing spam email subjects, in the style of David Letterman. I can’t imagine who is opening these emails. I just hope he or she doesn’t live in my neighborhood. Or in my city. Or on my planet.

Top Ten Least Appealing Spam Email Subjects

10. Top Rated Australians on Sale

9. What They Don't Want You to Know What it Does to Your Body!

8. With this medicine may lead to unconsciousness or death

7. Chuck Norris is looking for you

6. Jessica Alba stares at me

5. Update your Penis

4. Quality Narcotic Support

3. Pimp my ass

2. russian roulette games

And the number one least appealing spam email subject:

Nazi Chat Room

Miami Vice II

2008-05-02T20:35:00.000-05:00

Well, dear friends, the latest installment of Mac Wars II: Attack of the Clones is now out. My earlier suspicion that Mac clone maker Psystar might be little more than a hustle notwithstanding, it appears that the Miami-based startup is actually producing a product - or at least a demo product that got a nice review on CNet. Their bottom line:

Its hardware isn't made by Apple's design team, it will likely never work as a full member of the greater Apple ecosystem, and one ill-intended software update could turn it into a $750 brick. Get past all of that, and you'll find Psystar's OS X-based Open Computer a fast and otherwise compelling lower midrange desktop.

Personally, I'd be a lot more concerned that Psystar is a startup, and one that's had a shaky history (see my previous blog post for a summary). The computer may come with a one-year warranty but if you ask me it's even odds as to whether these guys will still be around in one year.

Maybe we should wait for Mac Wars III: Revenge of the Apple.

Miami Vice

2008-04-20T23:22:00.000-05:00

Hey buddy - have you heard the one about the Mac clone?

There are times when it seems like every day is April Fool's Day in the technology news; times when some of the stories are strange enough to make you wonder whether or not somebody isn't having a big laugh at our expense.

Take, for example, the story of the Mac clone maker Psystar. At least, they say they're making Mac clones; so far, nobody has actually seen one despite what the Miami-based company claims is the “incredible response” to the offering of its Open Computer, pre-loaded with Apple's OS X. Shortly after announcing its product line early last week, Psystar's web site went down. In the days that followed, the web site went back up, but the company's business address changed repeatedly (“four times in the matter of a few hours” according to Adrian Kingsley-Hughes' Hardware 2.0 blog at ZDNet).

Then their credit card payment processer, Powerpay, dropped them. According to News.com's Tom Krazit, “Louisa Deluca, vice president of loss prevention for Powerpay, said on Thursday [April 17th, 2008] that her company dropped Psystar because it violated the terms of its agreement with Powerpay”. Psystar switched to Paypal, only to be given the virtual axe by them less than 48 hours later.

The punch line, however, is to be found in a Forbes piece by Brian Caulfield, wherein we learn that Psystar's founder “won't go on the record about his educational background, detail his professional history or name any previous ventures” (THAT'S certainly not suspicious) and acknowledges that the Open Computer “is based on a machine put together by his brother (whom he won't name). Nor will he say how the new computer works.”

“I'm not making this up, you know!” as Anna Russell used to say.

To be fair, it's always possible that Psystar, despite making every possible mistake a start-up can make, might actually cough up a product. They claim it takes around two weeks to turn one out, so by early May we should know whether or not the folks who managed to give them their credit card numbers before everything crashed have been taken to the cleaners. So far the only evidence we have that the machines even exist is some images from Psystar collected by ZDNet.

And that's assuming that Apple doesn't let loose the dogs of law. There's still the inconvenient truth, after all, that Apple's EULA prohibits the installation of OS X on non-Apple hardware. Psystar said they'll challenge that in court, but then Psystar is saying lots of things that raise one's virtual eyebrows.

Given that Open Computer prices start at $399, I'm skeptical. As Larry Dignan noted in his Between the Lines blog, "I’d rather let you trusting souls be the guinea pigs before I pay up for a Mac clone. If it sounds too good to be true it probably is". If I had to make a bet, I'd lay heavy odds that its lawyers who will have the last laugh here.

Safety Last

2008-04-10T17:08:00.002-05:00

The title of the April 9th Computerworld article was interesting: "DHS chief says feds need help to defend Internet against cyberattacks". Given this administration's track record when it come to power grabs, I expected this to be a sales job for Chertoff to claim even more authority.

Looks like I was wrong. Chertoff acknowledges that "[t]here is no question that one of the threats that continues to materialize again and again is the threat to our virtual world of cyberspace," and that a successful attack could have a world-wide "cascading effect". He just doesn't think government can do much about it. Check out this quote:

But defending cyberspace is different from protecting buildings and other physical targets, Chertoff said. The federal government doesn't own the Internet or much of the technical infrastructure on which it runs, he noted. As a result, he declared, it's the shared responsibility of the government and the private sector to guard against cyberattacks.

"We're operating in a domain where traditional military power or the power of government is insufficient to address the full nature of the threat," Chertoff said. "We need to have a networked response to deal with a networked attack."

Translation: "I need to make it look like I'm doing something but I don't want to force the administration's corporate cronies to do anything that would cost them money, so regulation is right out of the question."

Note that this is the same Michael Chertoff who, according to the April 8th New York Times, declares that he has the power to unilaterally invalidate dozens of laws in order to build a fence at the Mexican border (a boondoggle if ever there was one, but that’s another rant). Why not use this same constitutionally suspect dictatorial power to force corporations to secure their network? After all, declaring itself above the law is SOP for this lot.

The answer, of course, is that doing so would annoy the corporations that call the shots in this administration. They're perfectly happy to have Chertoff sweep away environmental laws that get in the way of the holy pursuit of a fast buck. Telling them to spend money on security, on the other hand, would be a quick way to an early retirement so he could "spend more time with his family".

Meanwhile, as reported on the very same day at news.com, security experts have demonstrated that gaining control of the systems at a power station via social engineering and malware is a no brainer. Don't hold your breath waiting for Chertoff to force the power industry to clean up its act. See above.

Fakin' Care of Business

2008-01-24T16:50:00.000-06:00

OK, you already know you can get infected with malware by visiting web sites in the Internet's red light district or by foolishly clicking on links in e-mails promising to decrease your mortgage payments or increase the size of various body parts. So you should be fairly safe, right?

Wrong.

It turns out that avoiding obviously shady web sites isn't enough. According to Websense's Second Half of 2007 review the majority (51%) of malware attacks in the last half of 2007 came from legitimate web sites that had been hacked.

How is this possible? Here's what Websense's vice president of security research, Don Hubbard, had to say in a January 23rd, 2008 article in Computerworld:

Sites are hacked in a variety of ways, said Hubbard, who noted that there is no one method that stands out. "[Compromises are] all over the place, unfortunately, [including] miss-configurations, no patches and so on."

In other words, the companies responsible for the compromised sites aren't taking security seriously. That's because making web sites and applications secure costs money without making any obvious contribution towards profits. Given the choice between making a web site more secure and sticking more bells and whistles on it, corporate America's empty suits will inevitably choose the latter.

And it's not just web sites you have to worry about. The Websense report also notes that 87% of email messages are spam and that 67% of those unwanted emails include links to malicious or spam-producing sites.

In fact, thanks to the proliferation of digital add-on devices, you can get infected without even opening an email or starting up your web browser. As reported in a January 19th product alert, digital picture frames made by Insignia (and sold at Best Buy) "were contaminated with a computer virus during the manufacturing process." When you use the frame's USB connector to download an image from your PC, the frame reciprocates by uploading an (unspecified) virus.

Insignia doesn't say where the infected frames were made, but given the low prices of their products and some comments in on-line forums, it seems likely that they're made in that hotbed of high product quality, China.

The fact that China is actively engaged in cyberwar with the USA is, of course, just a coincidence.

Can't Stop the Music

2007-12-12T18:10:00.001-06:00

Sometimes, you've just got to wonder.

In a recent posting on his Recording Industry Vs. the People blog, lawyer Ray Beckerman maintained that the RIAA is now, in the case of Atlantic v. Howell, labeling any copying of music files as copyright violations, whether you share and/or re-sell them or not. ZDNet's Adrian Kingsley-Hughes immediately took issue with him, claiming that the RIAA said the defendant was in violation only when he copied the MP3 files to a shared drive.

In this particular case, Kingsley-Hughes may be right, but it hardly matters. The hostility of both the RIAA the the industries it represents to any copying of music and video files for any purpose at all has a long and shameful history (remember the Sony rootkit fiasco?). For that matter, the RIAA web site (as one of the Talkback responses to the article points out) explicitly states that any copying is unauthorized. And, of course, there are the clueless comments from chairman and CEO of Universal Music Group, Doug Morris, in the latest issue of Wired.

Let's be clear on what this means.

That mix CD you made for your wife's birthday? Bad.

The sound design you did for your local no-budget community theatre? Bad.

The customized Christmas CD you made for your car? Bad.

Let's get real, folks; the RIAA and the industries it represents know they haven't got a snowball's chance in hades of stopping the actual pirates. The entire intent of the various DRM schemes is to force law-abiding consumers to purchase the same material over and over - or to eliminate purchases entirely and make everything a rental. Their model is the software EULA, which basically says that your don't own zip.

So while the RIAA may not be saying all copying is illegal in this particular case, make no mistake: that is their ultimate goal, and they'll pursue it with all the lawyers and lobbyists at their command.

I Fought the Law and the Law Won

2007-12-07T22:00:00.000-06:00

Urban Legend has it that when the late Willie Sutton was asked why he robbed banks he replied "because that's where the money is".

If he were around today he'd probably scoff at bank robbery. These days the real money is clearly in spyware.

It shouldn't be news to anyone, of course, that cybercrooks are using spyware to generate big bucks, primarily by stealing credit card and banking information and reselling it to other swine on the 'net. What may be news, however, is the fact that many of the tools used by these characters are completely legal and available at "crazy low prices", if not for free.

The bust of a couple dubbed "the Bonnie and Clyde of identity theft" illustrates the problem. As described in a recent article in Digital Journal (among other places):

Jocelyn Kirsch, 22, and Edward K. Anderton, 25, were living a lavish lifestyle: trips to Paris and London; salon visits costing $1,700 each; a $3,000-a-month apartment in upscale Philadelphia. Kirsch and Anderton didn't earn any of these luxuries – they stole money using a complex identity theft scam.

What's especially interesting about this is that the couple didn't need to invest huge amounts of money or technical expertise to do this. All they had to do was buy a $100 spyware program called Spector Pro (from Spectorsoft). Although widely identified as malware by major anti-virus vendors such as Symantec and Safernetworking.org (the makers of Spybot Search and Destroy, one of the better anti-spyware products around), Spector Pro is also a PC Magazine Editor's Choice award winner and touts itself as a tool for enhancing corporate security by allowing employers to monitor employees' internet activity.

The thing is, the behavior of the program itself is indistinguishable from that of other forms of malware. Here's how Symantec describes it:

Spyware.Spector functions in a manner that is similar to a Backdoor Trojan Horse. When it is installed, it logs all the activity on the system. The person who installed it can then watch all the logged activity.

Spectorsoft president Doug Fowler, of course, disclaims any responsibility for the nefarious use of the product. According to ABC News (where this story originally broke):

"SpectorSoft has never marketed its software as a way to steal from people, to assume another's identity," Fowler wrote in an e-mail. "Any piece of software has the potential to be abused."

If this sounds familiar, it might be because the same justification is offered by anyone who profits from the sale of dangerous and/or deadly items. Be it agribusiness, Big Tobacco, or the NRA, they all insist that it's not their fault if the folks to whom they have aggressively and expensively marketed their products wind up morbidly obese, coughing up a lung, or mowing down a few dozen family members, friends or acquaintances.

Legally, of course, they may be right. Attempts to hold the "Merchants of Death" accountable have largely failed thanks to flotillas of high-priced lawyers and a federal government that never met a corporate lobbyist it didn't like.

Legality and morality are hardly identical, however, and the ethical situation is far less clear. My take on this is that if you are selling a product that you know, beyond a doubt, is going to be used for a moral wrong, you better be certain that said product isn't designed primarily for that purpose and/or that you're serving a greater moral good by offering it.

For example: a hammer can certainly be used to commit murder, but that's not even remotely what it's designed to do. And in any case you're helping someone build something by selling it. Weapons, on the other hand, face a far higher hurdle since their principal purpose is to kill.

By that standard, Spectorsoft is treading on potentially thin ice. Yes, their software can be used by businesses to prevent unethical behavior by their employees, but Spectorsoft doesn't just market to businesses. Indeed, two of their products (the aforementioned Spector Pro and eBlaster) are targeted at individuals who want to spy on each other, including parents who want to spy on their children.

If it walks like a duck, quacks like a duck, and gobbles up your keystrokes like a duck, shouldn't we conclude that it's fair game during Duck Season?

Money (That's What I Want)

2007-12-05T21:39:00.000-06:00

What would you call a business that secretly spies on its customers, threatens them with massive lawsuits if they refuse to re-purchase a product they've already bought, and generally assumes that they're all crooks out to steal merchandise?

Apparently, you'd call it the music business.

Many of you may already know about Sony's infamous rootkit scandal from 2005, in which the media giant was caught installing spyware on the PCs of everyone who bought their CDs - without, of course, bothering to ask permission first. Cybercrooks quickly figured out how to exploit the malware and Sony was faced with a raft of lawsuits, which are still wending their way through the legal system.

That was bad enough. Around the same time, however, the industry trade group The Recording Industry Association of America, began launching thousands of lawsuits against individuals who had shared songs they had already bought via Peer to Peer (P2P) networks such as Napster. The claim was that this was an effort to combat piracy and claims were made (wildly inflated, in my view) of the amount of revenue lost by the industry - despite the fact that industry profits remained spectacular.

It's an odd claim, considering that the victims of these lawsuits weren't actually making any money from their infringement. If piracy of copyrighted material is an issue why not go after the big international pirates who are selling the stuff for a profit, largely overseas?

The answer - if a recent “Justice” Department ruling is any indication - is that it's cheaper to take every last cent of song sharers here in the USA than it is to go after the big-time international crooks who are really eating your lunch. Taking a couple hundred grand from some poor schlemiel who shared tunes with his buddies is easy money when you already have an army of lawyers on retainer.

Will this have a deterrent effect of P2P music sharing? Probably. Will it have a deterrent effect on the big-money pirates? Almost certainly not. But if you've already decided that suing your customers is a valid business model, maybe you don't want the pirates to stop selling your stuff for $4.00 in Beijing. You've already given up on that, and having them around allows you to continue to make exaggerated claims about how much money you're losing.

Pay no attention to those massive profits behind the curtain. Government of the corporation, by the corporation, and for the corporation shall not perish from this earth.

Blue Christmas

2007-11-29T22:39:00.000-06:00

'Tis the season to be generous. That means lots folks are logging on to the web sites of non-profits like CARE and the Red Cross to make donations, either for themselves or as gifts to friends and family who already have all the electronic gizmos and consumer crud they need.

Unfortunately, some of those good-hearted souls are going to find a lump of coal in their Christmas stockings in the form of stolen email addresses and passwords. As reported in Computerworld on November 28th the FBI is investigating a data breach at Convio Inc., a firm that specializes in recruitment and fund raising software and services for the non-profit sector. According to the report, criminal hackers managed to lift information on 92 non-profit organizations (including The Red Cross and CARE) and were preparing to help themselves to data on another 62 when Convio discovered the leak in their data dike and plugged it.

How did this happen? Here's a Convio spokesperson, as quoted in Computerworld:

The intruder obtained a log-in and password belonging to a Convio employee," wrote Dave Crooke, a company staffer, on a mailing list used by nonprofit professionals. "It appears that their PC was compromised, but we are still investigating".

Those of you who read my earlier blog entry on the importance of keeping your PCs secure will not be surprised to discover that I rolled my eyes as I read that. A chain is only as strong as it weakest link. A company's data is only as secure as its most clueless employee's PC. Your personal data is only as secure as your own PC. Why is it so hard for some people to comprehend this?

The situation isn't going to get any better. Cybercrooks are getting smarter as operating systems become more secure. Windows and OS X are too locked-down to be easily exploited? No problem - there are plenty of individual applications (like QuickTime, Windows Media Player, Firefox and - of course - Internet Explorer) with vulnerabilities. The corporate love affair with outsourcing application development to countries (such as China, Brazil and Russia) that are havens for cyberthieves, combined with the tendency for developers to consider security as less important than bells and whistles, provides fertile ground for a bumper crop of exploits. And, of course, good old-fashioned social engineering, phishing, and other techniques based on the notion that there's a sucker born every nanosecond will continue to be useful to what The Saint referred to as “The Ungodly”.

But don't take my word for it. Take a look at the SANS Institute's Top 20 2007 Security Risks report. According to them, “[t]he number of attempted attacks for some of the large web hosting farms range from hundreds of thousands to even millions every day.” If computer security is an arms race (which it is), the Bad Guys are 'way out in front.

With apologies to The King: You'll be doin' all right with your Christmas of white, but security pros will have a blue, blue Christmas.

Absolutely Free

2007-11-01T17:50:00.001-05:00

Well, it's now official: there will be no free wireless Internet access for the city of St. Louis. Originally conceived as a city-wide service, municipal Wi-Fi (wide-are wireless service) will now be confined to a downtown-only “pilot project”.

In the technology business, “pilot project” is often a euphemism for “consolation prize” - although in this case it might just be a realistic alternative for the near term. Condo developments are sprouting like dandelions in downtown St. Louis right now (see the Urban St. Louis site for some examples ), so a municipal Wi-Fi network there might actually be profitable.

There's no need to go into the gory details behind the failure of the original plan as they're available on line, although it is rather surprising that it took so long for somebody to notice that there's no power running to city street lights in the daytime - thereby killing the plan to mount Wi-Fi antennas on them. Anyone who has spent any time in the city after dark has surely noticed that lights go on or off in blocks rather than individually.

St. Louisans need not feel stigmatized by the evaporation of this particular techno-mirage, though. As The Economist magazine noted in an August 30th article, “many municipal Wi-Fi projects have since been hit by mounting costs, poor coverage and weak demand”. Chicago has killed its muni Wi-Fi project, as has Springfield (IL) and even San Francisco. Meanwhile, existing networks, from Tempe (AZ) to Taipei, have failed to fully live up to expectations.

Some of the problems are technological. The outdoor transmitters don't generally have the power to penetrate walls effectively, or examples, so indoor coverage is spotty. But the main barriers to the spread of municipal Wi-Fi networks appear to be economic.

Building the basic infrastructure that would provide seamless, wireless Internet access is expensive. A 2005 Jupiter Research paper estimated that price at $150,000 per square mile. An October 27th, 2007, article in the St. Louis Post-Dispatch estimated the cost at closer to $200,000. Even in a relatively small geographic area like the city of St. Louis (62 square miles), that's a lot of money invested up front with no real guarantee of a profitable return.

One solution, as municipal WiFi advocate Esme Vos suggests in a recent interview, might be for cities to provide the basic network access infrastructure - the wireless transmitters and related back-end hardware and software - in much the same way they now provide physical infrastructure such as roads and sewer systems. They could open up these networks to the Internet service providers, who would sell the actual Internet access to subscribers just as they do now over existing telephone lines. Cities could pay for the network investment via a combination of taxes and payments from the Internet carriers.

This might also have the advantage of making the hurdles lower for ISPs who might want to sell to the folks connecting to the municipal network. As Vos points out, this is what has happened in “Nordic countries” where this “socalist” approach has actually resulted in more consumer choice than here in the USA, where our options are usually limited to either the cable monopoly or the telecom monopoly.

That's because free-for-all capitalism tends to devolve into a small group of non-competing monopolies. But that, I suppose, is another blog post.

Hey Bartender

2007-08-14T18:14:00.000-05:00

I'm still not dead yet!

See, there are two ways you can approach this whole blog thing. Way 1 is to write something every day or thereabouts regardless of whether you have anything to say or not. Way 2 is just to write something whenever the mood strikes you.

Way 1 probably gets you more readers, but Way 2 produces better articles. Given that there are already too many bloggers gassing on about too many things, I have chosen Way 2.

Besides, I'm lazy.

So: what vital concern moved me to get off my virtual duff and compose this entry? Is it a dire new threat to the Internet like the latest attack by the "Storm" worm? A cool new technology like the Linux-based iPhone killer? An egregious bit of stupidity like the Wall Street Journal's "Ten Things Your IT Department Won't Tell You" article (a.k.a. "How to Get Yourself Fired and Break the Law in Ten Easy Lessons")?

Nah, none of the above. The Storm worm is just an old threat in a new package, Linux has a long way to go to match iPhone's cachet, and intellectual dishonesty is just business as usual at the Journal.

What got me to finally update this blog is the demonstration, by the folks over at Tom's Hardware, of the value of beer (Molson Canadian, to be exact) as a CPU coolant. According to their test protocol (which, in all fairness, seems to have been devised after imbibing some of the coolant), the only thing that out-performs a brewski is SilverStone Thermal Fluid - and then only by a fraction of a degree.

There's no mention of how Silverstone performs against Molson in a taste test, alas.

Such are the thoughts of an IT geek's fevered brain after three weeks of a killer heat wave.

The Dark End of the Street

2007-06-19T18:00:00.000-05:00

"I'm not dead yet!"

Yes, despite the fact that I haven't written anything in this blog for a couple of months, I'd not dead yet. I feel happy! I feel like - dancing!

Besides, I haven't been silent. Stage Left, the blog from the other half of my brain, has been pretty lively lately because of all the shows I reviewed in June. And I'm working on a new op-ed piece for the St. Louis Post-Dispatch. It'll be published on July 8th and I'll have a link to it here by the 9tth or thereabouts. My May musings for that publication can be found here. There's a March column as well, but it has been moved to their paid archives. Killjoys.

Still, the main reason there's been nothing here for a while is that there's been so much technology news lately that it's hard to keep up: Apple's iPhone and new MacBook Pros, Microsoft's coffee table computer (which looks suspiciously like the open-source ReacTable, not that I'm suggesting anything) and, of course, the daily flood of malware news.

I'll leave comments on the latest Bright Spaklies for another column. This time I want to expand on some advice from my ten-point Internet safety check. At the time, I advised you to "think before you click" on a link in an e-mail or at a web site. The idea was to avoid sites that were clearly dangerous or which might mimic legitimate sites.

Now, it seems, things have got even more complicated. According to a June 18th article in Computerworld a "phenomenal" number of web sites - mostly in Italy, so far - have been compromised by a gang using a Russian-made exploit kit called MPack. The hacked sites are used to download malware - mostly keyloggers, designed to grab user names and passwords - to unprotected computers that visit these otherwise legitimate web sites.

This is bad news, to say the least. It means that even if you're careful to avoid the dark end of the virtual street, you can still get mugged. Trend Micro network architect Paul Ferguson, quoted in the Computerworld article, puts it this way: "The usual advice we give, 'Avoid the bad neighborhoods of the Web,' just doesn't hold water anymore. Everywhere could be a bad neighborhood now."

Oh, joy.

Could be worse, of course. If you followed my advice back in February and installed multiple anti-virus and anti-spyware products, you're still likely to be protected from hacked sites. But this does ratchet up the paranoia level and raises an unpleasant question: just how risky does doing business on the Internet have to become before large numbers of computer owners decide it's not worth the trouble? And what will the economic impact be if that happens?

When Will They Ever Learn?

2007-04-26T09:06:00.000-05:00

Well, folks, don't say I didn't warn you. In July of 2006, when the Fedabobble Gummint started work on anti-spyware legislation, I expressed my usual curmudgeonly cynicism over the likely results. Among other things, I noted that the FTC had already told Congress it didn't need any additional legislation (a fact reinforced by recent successful actions against spyware offenders) and that at least one major spyware vendor was backing the effort, making it all of questionable value at best.

Comes now blogger Ed Foster at InfoWorld with evidence that my crystal ball was, at least in this case, in good working order. H.R. 964, the so-called Spy Act, carves out major exceptions for ISPs, software vendors, and pretty much anybody else who can claim you're doing business with them. Worse yet, the bill preempts stricter state laws and states that "no person other than the Attorney General of a State may bring a civil action" in such cases.

Had this bill been law when Sony installed its infamous rootkit on the PCs of unsuspecting consumers, there would have been no legal remedy available to individuals. Only a state AG could have taken action, and s/he wouldn't have in any case because the law would have made that rootkit legal.

Time to notify your Congresscritters that they should be spending more time cleaning up Bush Jr'.s mess in Iraq and less time pushing special interest legislation for their corporate cronies.

Chinese Rock

2007-04-18T21:58:00.000-05:00

When it comes to technology issues, does this country's right hand know what the left hand is doing? Reading the on-line IT trade journals, the only possible answer I can come up with is a resounding “no”.

The latest example: a U.S. House of Representatives probe into hack attacks on government servers that appear to have originated in China.

To anyone following computer security issues, this is about as surprising as the discovery that the sun appeared to rise in the East this morning.

In America's corporate board rooms, however, the sun must be rising somewhere else, because, by an amazing coincidence, the hot new place to which corporate America is shipping IT jobs and company data as fast as it can is - China.

Maybe I'm just old-fashioned, but it strikes me as just a wee bit suicidal to be cheerfully sending confidential data to a country which:

Is run by an autocracy that hasn't changed its hostility toward human rights since the Tiananmen Square massacre
Has an attitude towards intellectual property protection that is (to say the least) indifferent, and
Now appears to be hosting criminal attacks against our infrastructure.

But, hey: why let a little thing like homeland security stand in the way of a quick boost in corporate profits and the resulting hike in executive bonuses? We need to keep our priorities straight, after all!

Of course, the fact that attacks have originated from servers that appear to be in China doesn't necessarily mean that those attacks are orchestrated or condoned by the Chinese government. Indeed, why bother to attack American assets at all when American corporations are giving them away in return for cheap, obedient labor and a political system that makes independent trade unions impossible?

Spies in the Night

2007-04-09T21:40:00.000-05:00

In my last post, I went on at some length about that alarming tools available to criminal hackers as revealed at the March 2007 Black Hat Conference.

Shortly after that, I came across something even more alarming, if that's possible: a pre-publication draft of a study by Phil Howard and Kris Erickson of the University of Washington entitled A Case of Mistaken Identity? News Accounts of Hacker and Organizational Responsibility for Compromised Digital Records, 1980–2006. The paper reviews major media reports of 550 security breaches that took place during the period in question and it seems that 60% of them were the result of corporate incompetence. To quote from their abstract: "in terms of incidents, 9 percent were an unspecified type of breach, 31 percent of the incidents involved hackers, and 60 percent of the incidents involved organizational mismanagement: personally identifiable information accidentally placed online, missing equipment, lost backup tapes, or other administrative errors."

So it turns out that, even if you do implement my 10-point security check, your personal information could still end up in the hands of the Russian Mafia because corporations simply don't adequately safeguard their customers' data.

That's no reason to give up the security fight, but it's a darned good reason to insist on more accountability by the companies that hold our personal information. So far, most legislation and public policy has been driven by the companies themselves, and we can see where that has gotten us.

"I think", said Howard in an interview for Computerworld, " it is easier when your company loses a lot of client data to put an immediate spin on it and blame it on a hacker or some external guy using some ingenious hacking technique."

Besides, that money you saved by not investing in proper safeguards in the first place has been earning you some nice interest in the meantime. It's always easier to shell out for PR and spin afterwards.

The Monster Mash

2007-03-05T18:04:00.000-06:00

There's some pretty scary stuff on the screens at your local googleplex cinema these days. You've got you choice of serial killers (Zodiac, Hannibal Rising), a nutter with numerical obsessions (The Number 23), and a super-anti-hero in touch with his Inner Satan (Ghost Rider) to name just a few.

But if you're a propeller beanie type who has to deal with computer security issues, you don't need supernatural pyromaniacs or cannibalistic mass murders to keep you awake at night. No, in this business all you need are reports from the Black Hat security conference.

For the benefit of those of you who don't spend your days worrying about things like rootkits and Remote Access Trojans, Black Hat is a company that provides briefings and training on security issues to both private and public sector clients of all sizes. It brings together, according to its web site, “the best minds from government agencies and global corporations with the most respected independent researchers and hackers” to provide state of the art information on how to defend your company from criminal hackers, identity thieves, and related virtual outlaws. The Black Hat conferences, which take place four times a year, provide an opportunity for security professionals to meet, greet, and compare notes.

They also provide the rest of us with fodder for digital nightmares. The latest conference, which concluded March 1st, included briefings on the threat of rootkits, the risks posed by the widespread use of RFID tags, vulnerabilities in the ways databases communicate with each other, various ways that web applications can be hacked (and how to stop those hacks), and a presentation on what's referred to as “data seepage”.

This last one was of particular interest to me, since it touches on an issue I referred to in an earlier blog entry: the foolish and often reckless ways in which the average computer user cruises along the Information Superhighway. Data seepage refers to the little bits of personal information our laptops, handhelds and even smartphones are broadcasting to the world at large – and therefore to criminal hackers – when we use those nifty free wireless networks at the local coffee shop or airport.

The problem, you see, is that those networks are unsecured. That means that anything you do at your laptop can be picked up by others on the same network using “packet sniffers” or other network monitoring applications. They can determine what type of hardware and operating system you're using, what other wireless hotspots you've connected to in the past, what web sites you're visiting and any personal information you've been foolish enough to enter. At the very least, the bad guys can pick up enough information to make you and/or your employer the target of a “spear phishing” attack. At the worst, they might gain the ability to read your e-mail, steal your on-line identity, and even plant spyware on your computer.

This isn't just theoretical. Even at Black Hat conferences – where you'd assume everybody is pretty cyber-savvy – there's a Wall of Shame (actually a large video monitor) displaying, in real time, personal information being sent unencrypted on the conference wireless network. During their presentation on data seepage last week, in fact, experts from Errata Security “were able to use [their network monitoring application] Ferret to intercept an e-mail sent to a reporter working in another conference session. The message included one of her applications' passwords”, according to ComputerWorld columnist Matt Hines' report from the conference.

Fortunately for her, Hines doesn't sniff and tell.

There are ways you can protect yourself from this kind of exposure, of course. You can make sure your laptop is as secure as possible (I refer you to my ten-point safety check for details) and you can subscribe to a VPN (virtual private network) service for those times when you really need to use one of those “free” wireless networks. That old saying “there's no such thing as a free lunch” applies in cyberspace as well, you know.

Look for this data seepage issue to get worse before it gets better, especially with towns and cities rushing to implement municipal WiFi networks. For the well-equipped cybercrook, the only thing more attractive than an airport full of laptops cheerfully leaking personal information is an entire city full of them. It's like shooting phish in a barrel.

Now THAT'S scary!

More Sunday Driving

2007-03-02T17:41:00.000-06:00

Lest you think that nobody could be clueless enough to do some of the things I warned you about in my last blog posting, allow me to direct your attention to this recent entry at Shark Bait, Computerworld’s discussion forum focusing on Stupid User Tricks.

Yes, I know, we techie types can lack people skills and come off as a bit arrogant at times, but when faced with behavior this foolish, it’s difficult to by diplomatic.

Shark Bait is well worth reading on a regular basis, by the way. Even the relative beginner in the computer world will find many of the stories reported therein highly amusing, and you technorati will really get a kick out of it.

Sunday Driving

2007-02-25T23:20:00.001-06:00

Are you cruising along the Information Superhighway sober, sane and safe - or drunk, deranged and dangerous? Following these steps won't guarantee you complete immunity from the digital equivalent of a 50-car pileup - the only way to do that is to disconnect your computer from the network and turn it off - but it will make disasters less likely and recovery much easier.

Unless otherwise indicated, all software recommended here is either part of the basic operating system (Windows or Macintosh OS X) or is open source and/or freeware. I'm trying to make this as painless as possible.

I have no association of any kind with any of the web sites or products I'm referring you to here; I've just found them very useful and/or reputable. Think of this as a ten-point safety check for your virtual car.

Use smart passwords
- Never use the default password that comes with any piece of hardware or software; always create your own.
- Use passwords that aren't obvious; Cornell University has a guide on creating strong passwords that's worth reading.
- If you have trouble remembering your various passwords, store them in a secure, encrypted file or program. Macintosh users can use Keychain Access, which is part of Mac OS X. Windows users should check out Password Safe.
Keep your system software updated
- Windows: make sure Windows Update runs automatically.
- Macintosh: Set your Software Update utility to check on a daily basis. You'll find it under Preferences - System - Software Update.
Use anti-virus software
- Windows: Free anti-virus options include ClamWin and AVG. Commercial products are available from McAfee, Norton and Trend Micro, among others.
- Macintosh: Viruses for OS X are relatively rare, as are free anti-virus programs. ClamXav is the Macintosh version of ClamWin. Commercial products are available from McAfee, Norton, and Intego.
- No matter what product you use, make sure you have it set to automatically update your virus definition files. Out of date anti-virus software is as bad as none at all.
Use anti-spyware software - Anti-virus packages won't necessarily catch all the bad stuff out there
- Windows: Spybot Search and Destroy, Ad-Aware SE Personal Edition, and Windows Defender are all worth having and all free.
- Macintosh: OS X has, so far, been largely ignored by the spyware creators, so there's not much in the way of anti-spyware software out there. MacScan is one of the few available, but it's not free.
Practice e-mail safety
- Don't open a file attached to e-mail unless it's one you're expecting from a trusted sender. Hostile program are often disguised as apparently innocuous documents.
- Don't reply to or click on links in unsolicited e-mails asking you to verify personal data at financial institutions or on-line merchants. These are likely to be fraudulent.
- See this article at wiredsafety.org for more solid recommendations on e-mail safety.
Practice safe browsing
- Think before you click on a link! Hackers will try to sucker you into visiting web sites that will download viruses and spyware to your computer without your knowledge, or con you into entering personal information at a web site that looks (but isn't) legitimate.
- Secure your web browser. The US Computer Emergency Readiness Team (CERT®) has some good practical advice for both Windows and Macintosh users.
- Use Mozilla Firefox instead of Microsoft Internet Explorer. We propeller beanie types can debate the reasons why until everyone's eyes glaze over, but the bottom line is that Internet Explorer is the preferred target of the network's bad guys. Download Firefox and make it your default browser.
Use a personal firewall
- A personal firewall program provides an additional layer of protection from Internet threats, and can alert you if a spyware program is trying to "phone home".
- Windows: Windows XP has a built-in firewall. See this article from Microsoft on how to make the best use of it.
- Macintosh: OS X has as built-in firewall. See this article from Apple on how to make the best use of it.
Avoid peer-to-peer file sharing programs
- Programs such a Kazaa, Grokster, and Limewire are major distribution channels for viruses, worms and spyware - to say nothing of copyright violations.
- If you must use one of these programs, disable file sharing. Here's an article on how to do that.
Lock your car. Take your keys.
- Limit access to your computer. Unless you really need to share your files and programs with others, turn off file sharing. Here's information on how to do that in Windows XP, Macintosh OS 8 or 9, and Macintosh OS X.
- Windows has a guest account enabled by default. Who needs it? Here's how to disable it.
Think before you download
- Avoid web sites or e-mails offering "cracked" versions of commercial products such as Microsoft Office. You might or might not wind up with the product in question (and if you did, you'd be breaking the law), but you'll almost certainly wind up with a mother lode of spyware, viruses and worms.
- Freeware downloads are OK (as is shareware IF you do the right thing and pay the shareware fee), but make sure you get them from reputable sites such as download.com.
- Bottom line: downloading files from questionable web sites is the 'net equivalent of trying to beat a veteran card sharp at three-card Monte - a sucker bet.

Want to know more? Here are some useful web sites:

So You Think You've Got Spyware? - a good primer on detecting and removing spyware from PC Week
10 things you should do to a new PC before connecting it to the Internet, from TechRepublic
10 things you should know about securing wireless connections, from TechRepublic
CERT® on Home Network Security
Top 10 Tips for Wireless Home Network Security
CERT® on Home Computer Security
Dark Reading is an on-line publication pitched more at the techie crowd, but many of the articles are jargon-free and the writing style is lively. Besides, any site that has a column by someone called Tim the Enchanter (a.k.a. site editor Tim Wilson) has definitely got my vote.
Security Watch in an on-line division of eWeek magazine that will keep you up to date on the latest security news as well.
Spywareinfo.com is a great source for news about spyware/malware threats and how to defend yourself from them.

Yakety-Yak (Don't Talk Back)

2006-09-21T22:02:00.000-05:00

Not long ago, I noted how the IT world, in general, seems to be far more interested in the latest cool new feature than in the risks that often accompany that feature.

You'd have thought that the September 11th attacks here in the US of A and subsequent warnings about our continuing vulnerability to cyber-attacks would have acted as wake-up calls to the IT community. Unfortunately, governments in the USA and elsewhere have simply used the attacks as a pretext for increased surveillance of ordinary citizens while doing little or nothing to actually improve security.

Meanwhile, businesses and consumers continue to gaze at the latest sparkly trinket.

Which brings me to IP telephony, a.k.a.Voice Over IP or VoIP. Gartner says IP phone shipments have jumped 53 percent from last year and I, personally, know folks who now do all their voice communications via Skype or similar products. Never mind that, according to a presentation at the latest Hack in a Box conference, VoIP systems are easily hackable and could be used for identity theft or that hackers can already download tools to attack the protocol used by VoIP handsets.

In fact, as a recent Business Week article bluntly states, "VoIP calling systems are just as susceptible to hacking and digital mischief as any other Internet-based application". That includes worms, viruses, DDOS attacks, and phishing.

That last one is especially scary. Most of you out there are probably familiar with how e-mail phishing works (the rest of you can click here). The VoIP version of this would direct you to a phone number - very possibly the actual phone number of your bank - where you would give your personal information to someone who is allegedly on your bank's customer service staff but who is, in reality, working for someone else entirely. Like, for example, the Russian Mafia. That's because your bank's VoIP system has been hacked in much the same way web sites are hijacked now.

Worse yet, the security tools for VoIP systems are far less well-developed than those for PCs and servers. In this area, unfortunately, the Bad Guys are way out in front.

(My)Space Cowboy

2006-09-08T21:53:00.000-05:00

I've been hangin' around the IT Corral fer nigh on to thirty years, pardner, an' I've seen some pretty darn dumb ideas come down the Ol' Checksum Trail. You prob'ly even remember some of 'em, even if y'are jes' a whippersnapper:

Microsoft's "Bob" operatin' system (and they weren't talkin' J.R. "Bob" Dobbs, neither)
Apple's Newton ('nuff said)
IBM's OS/2 "Warp" (not enough Trekkies to keep that one afloat, I reckon)
Pointcast, Backweb and all them other "information push" and "webcasting" technologies that were a-gonna to ree-vo-lutionize content delivery a while back
Internet-enabled ever'thin' (what kinda durn fool wants ta surf the web from a refrigerator?)

Dead, ever' one of 'em, and planted up thar on Reboot Hill. Nights, some of the real old-timers - them UNIX guys with the suspenders and the beards, y'know - they claim they can see their ghosts a-walkin' 'round up thar, tryin' to sell ya stock options. Freeze the blood in yer veins, by cracky!

OK, that's enough of channeling old Gunsmoke re-runs, but you get the picture. In technology, as in any other field of human endeavor, the mediocre or outright stinky ideas always out-number the real winners. My nominee for the latest bad idea: social networking web sites in general and myspace.com in particular.

You've probably heard about myspace.com by now, although what you've heard probably depends on whether you're getting your information from technology news outlets like ZDNet or InformationWeek vs. mainstream media sources or propaganda services like Faux (a.k.a. Fox) News. To hear the latter two tell it, myspace is a hotbed of sexual perverts, child molesters and, for all I know, Yetis and Martians. To most of the Propeller Beanie crowd, on the other hand, it appears to be the Next Big Thing.

You know - like information push.

It's not that the idea of the Internet as a social network is inherently bad. Back before there was even a single web site, like-minded folks exchanged information and opinions and formed various types of personal relationships via e-mail and usenet newsgroups. Social networking sites have just made it easier to do so and therefore more accessible to a wider range of people.

"Aye, there's the rub."

Because the easier it becomes to create something - like, say, a web site on myspace.com - the more likely you are to have incompetent people creating it. Myspace has taken this to its logical extreme, allowing members to stick pretty much anything they want on their pages in any way they want, resulting in some of the worst web sites since the early days of Microsoft FrontPage.

I experienced this on a personal level this past weekend when, in a fit of unaccustomed leisure time, I decided to visit the myspace page of a close friend. She had recently gone through a rather nasty relationship break-up and I was curious to see how she was doing. We hadn't talked in a while and her insane work schedule make phone conversations highly unlikely.

We may have to have that phone call yet, though, since I never was able to locate her page - it seems she's using a nom de net that I didn't know about. I did, however, slog through a number of other myspace pages in the process and, to paraphrase the late Warren Zevon, they ain't that pretty at all. Most were so chaotic and so filled with junk media that they were effectively useless. Huge image files there were in abundance, along with automatic slide shows and, that most obnoxious of all features, music that began playing as soon as the page loaded. I decided that the game was not worth the virtual candle and hit the "close" box.

And let 's not even start on the abusive pop-up and pop-under ad boxes!

Besides, even with a less-cluttered interface, fewer ads, and no spyware cookies, a social networking web site is no substitute for - well - social networking. In person.

Jes' lak in the ol' days, by cracky!

Leavin' on a Jet Plane, Part Two: The Laptop Strikes Back

2006-08-17T21:33:00.000-05:00

In my last post on the future (or lack of it) of air travel, I noted that all personal electronics - including laptops - are being banned from carry-on luggage on the premise that they can be used to remotely trigger bombs. What I didn't mention, since it would have amounted to a major (if not augmented) digression, was the way in which this method of reducing risks on the plane is likely to lead to increase risks after landing.

And no, I'm not talking about the Air Rage likely to result from being stuck, with no form of diversion, on a transatlantic flight in the center seat between a colicky baby with the lungs of a Wagnerian soprano and a chatty insurance salesman from Topeka. What I'm talking about is the risk of damage to or theft of those laptops in the checked baggage.

I'm hardly the first person to think of this (or anything else, for that matter). Computerworld ran an article on the problem back on August 10th, along with some very common-sense advice on how to minimize the fallout from breakage (such as backing up data on a regular basis) and theft (encryption and password protection).

That advice is also, I'm afriad, very timely.

A new survey of 500 information security professionals by Ponemon Institute LLC (reported in Computerworld once again) informs us that "eighty-one percent of companies surveyed reported the loss of one or more laptops containing sensitive information during the past 12 months". Eighty-one percent. Worse yet, 97% of stolen laptops are never recovered.

And this happened before the new restrictions went into force. Anyone care to guess what's going to happen in the next twelve months? Corporate spin machines are probably being primed with a fresh load of excuses, diversions, fabrications, obfuscations and some good old-fashioned hooey even as this is written.

It makes the recent flap over recent laptop losses at the Veterans Administration and the Navy look less like an aberration and more like business as usual - especially when you add in the recent loss of two laptops containing "names, addresses, birthdates and Social Security numbers of about 133,000 Florida residents" as well "fraud case files involving government contracts and grants" by the Department of Transportation. Is it any wonder that identity theft "remains the #1 concern among consumers contacting the Federal Trade Commission", according to the Identity Theft Resource Center?

What we have here, in short, is another instance of the law of unintended consequences. In attempting to reduce the risk of terrorist attacks, we increase the risk of laptop theft. That increases the risk of stolen identities, which can, in turn, be used by terrorists and other criminals to achieve their nefarious ends.

Are there steps we can take to minimize those unintended consequences? Certainly. Are we here in the USA likely to take them? Probably not. But that's a subject for a future blog entry.

Leavin' on a Jet Plane

2006-08-14T22:59:00.000-05:00

We put up with the long security check-in lines. We sighed as we surrendered our nail clippers and penknives. We took off every possible metallic item except our fillings and shuffled through metal detectors in our stocking feet.

But we grinned and bore it because we understood the need for security and air travel was still bearable, even if it was coming to increasingly resemble the Greyhound bus experience of thirty years ago.

But now the technological sophistication of the Bad Guys has advanced, as it always does, and the bar has been raised substantially for the rest of us.

No liquids, gels, or anything remotely resembling them. Those Dr. Scholls gel insoles are right out; ditto any child's toy with gel components. Also, no books, laptops, MP3 players, cell phones, or pretty much anything else that might make a transatlantic flight bearable. Even electronic key fobs are banned in Britain.

Has long-distance air travel finally jumped the shark? History suggests that this just might be the case.

Consider: Until the spread of mass, mechanized transit in the last century or so, long-distance travel was, for the vast majority of people, a dangerous and expensive proposition. International travel was even more so, and usually, therefore, the exclusive privilege of the very rich.

Think about it. Before the advent of the ocean liner and then the airplane, overseas travel was risky business, indeed. If the weather or scurvy didn't get you, pirates (we'd call them terrorists now) would. Even on the ground, travel via coach for any distance was slow, unpleasant and, of course, there was always the risk of highwaymen.

For a while we lived in a bubble of relatively safe and inexpensive long-distance travel. As the gap between the technology of travel and the technology of travel disruption closes, that bubble may be about to burst. Safe air travel may soon become so expensive that only the wealthy - with private jets and private security personnel - will be able to afford it. Mass air transit will simply be too dangerous.

We live, alas, in interesting times.

Who Are the Brain Police?

2006-08-03T21:05:00.000-05:00

[With apologies to the late Mr. Zappa]

Who are they? Well, to hear some folks over at Slashdot talk, you'd think that they were the managers of the posh Canoa Ranch Resort condominium/hotel in Tucson. It seems that, along with all the other upscale amenities (salon and spa, resort pool, fitness center and “Village Center” - does No. 6 know about this?) the owners are going to provide you with wireless Internet access as well.

Oh, yeah: they're also going to require you to encrypt access to that wireless access point (WAP).

Well, once the Slashdotters got on to that one, you'd think that Jackooted Thugs were just around the corner. As Paul McNamara relates in his July 24th Buzzblog at Network World, “Silly was the least of the insults tossed at this idea.” The technorati were in High Dudgeon (just down the road from Low Dudgeon) and waxed wroth.

Then Roth waxed them for a while, but that's a topic for another blog - probably the one where I defend stealing jokes from Julius Marx.

Anyway, when asked why all the fuss, Sales Manager Bryan Welch said “We just don't want to see anybody hurt with their wireless system. If someone (unauthorized) were accessing it and an owner's information, there could be damage and a potential lawsuit.”

To which The Technology Curmudgeon can only add: “Well, DUH!”

Despite the fact that one Slashdot poster (as quoted by McNamara) took the position that the decision to provide encryption on your WAP was no different from the decision on whether or not to lock your door, the stakes here are clearly higher. Failure to secure your home can result in loss and misery for you and your family, but that's about as far as it's going to go.

Failure to secure your WAP, on the other hand, is more like driving under the influence in that you create a public nuisance, if not an outright menace. An unsecured WAP is an invitation for war drivers to use that access point for a variety of nefarious purposes, including the dissemenation of spam, worms and viruses - all of which cause damage to the community as a whole.

Cruising the Information Superhighway unsecured, in short, is not that different from cruising the Interstate with a fifth of Jack Daniels in your bloodstream.

So, while nobody is seriously suggesting (yet) that There Oughta Be a Law, I don't think you can say of wireless security (to quote “Fats” Waller in a totally different context) “'tain't nobody's business if I do”.

I Can See Clearly Now

2006-08-02T22:23:00.000-05:00

Or not. Being a dissertation on the process of making lousy decisions.

Ever wonder how some big-time decision-makers wind up making such lousy decisions? It's easy (and not necessarily wrong) to chalk some of them up to a combination of arrogance, greed, and simple immorality. The Vioxx and FEMA debacles come immediately to mind as examples. In an article in the Harvard Business Review earlier this year, however, Max H. Bazerman and Dolly Chugh suggest that there may be another factor operating. They call it "bounded awareness"; most of the rest of us would probably call it "tunnel vision".

According to the authors, "bounded awareness" happens "when cognitive blinders prevent a person from seeing, seeking, using, or sharing highly relevant, easily accessible, and readily perceivable information during the decision-making process". This can cause decision-makers to miss important information just because it's not readily available or because they don't appreciate its significance. It can also result in a failure to share that information because, again, someone has failed to notice that it is, in fact, important.

In a January 9th interview for Computerworld, Bazerman elaborates on these ideas and offers examples of the phenomenon from the lab of Cornell's Ulric Neisser (a key figure in the study of human perception and the guy who coined the term "cognitive psychology" back in 1967, for those of you keeping score) that involve the use of visual illusions. In one study, subjects asked to focus on one particular aspect of a video - how many times a soccer ball is passed among the players - completely miss another aspect that would be obvious to anyone not focused on that first aspect. In this case, it was a woman holding an umbrella walking right through the middle of the game.

Now, this sort of stuff is fascinating to me because, before I became a Technology Professional (and got my official Propellor Beanie, complete with MP3 player, webcam, 1 gigabyte of VRAM and Windows Beanie Edition), I was, among other things, a psychology grad student specializing in visual and auditory perception and statistics. I was also an amateur magician. Findings like this, therefore, are no big surprise to me. What was a bit of an eye-opener was this quote from the Bazerman interview: "In Neisser's study, only 21% saw her. My experience with executives is closer to 3%".

Yup, that's right: according to Bazerman, the guys making the big decisions at the big corporations/governments/whatever are roughly seven times more likely to succumb to tunnel vision than us ordinary mortals.

Of course, anybody can fall prey to this. I have found myself doing it more than once. Unfortunately, the skill to focus and concentrate on a single task - a vital one, especially in IT - is at war with the ability to step back, take a look at the larger picture, and ask yourself whether or not you might be missing something that's right under your nose.

So we all need to make sure we're not missing the woman with the umbrella. She might be trying to tell us that it's going to rain.

There ain't nobody here but us chickens

2006-07-31T11:28:00.000-05:00

There ain't nobody here at all. Honest. Now just look the other way while we write anti-spyware legislation.

Everybody remember the Federal "CAN SPAM" law (official title: Controlling the Assault of Non-Solicited Pornography and Marketing Act) from 2003? It was supposed to stop Evil Spammers dead in their tracks and was signed with much hoo-rah.

Unfortunately, not even the Feds really believed it would help. FTC chairman Tim Muris, in fact, opposed it. Why? Because it would make it easier for the companies who hire spammers to claim ignorance of the spammers' business practices. According to Muris, "the FTC would have to prove that the seller (who hires a spammer to advertise a product or service) knew, or consciously avoided knowing, that the third-party ailer intended to violate the law. This standard requires proof of both the seller's and spammer's level of knowledge...These requirements to prove intent pose a serious hurdle that we do not have to meet to obtain an injunction under our current jurisdiction". It also negated existing state anti-spam laws, many of which were more restrictive.

And, of course, we all know what a significant effect the law had on spam, right?

Never content to let well-enough alone, however, Congress is now out to follow up on its anti-spam success with anti-spyware laws. Never mind that, once again, the FTC told Congress over two years ago that it already has the laws it needs, thanks very much. A new law means new photo ops. Let the games begin!

Cynicism aside, there are good reasons to be more than a little wary of this effort. For one thing, major adware and spyware vendors such as WhenU think Federal legislation a good idea - strongly suggesting that this particular chicken coop will have foxes on the no-bid contractor list. CAN-SPAM overrode stricter state laws. Any bets as to what effect new anti-spyware regulations might have on often-stricter state laws like those in Utah?

Ain't nobody here but us chickens.