Category Archives: weblog

A plague of 3 things at the Malt House

Posted on by

And God send unto Cross – “WATER THREE TIMES”

Last Sunday the immerstion heater ballcock ball cocked it’s last.
Also followed by it’s Son the overflow pipe, which wasn’t connected to anything AT ALL!

So when we came in from visiting Mother (grass cut etc) the floor was starting to get wet. Good job we hadn’t got the new carpets yet.

Monday morning – “Mark the sink’s not going down”.
(Blocked waste disposal unit)

Tuesday washing machine leak appeared. The cold inlet piple leaking to the machine. The man who gets sent out to fix it says he’s never seen a new installation fail πŸ™‚ hmm….

Up shot of this week
Plumbing basics learnt “on the job”
Replacing ballcock system and plumbing plastic 3/4″ piping

I have my own views on how to stop days like September 11th 2001, they’ll be coming later – when I get more time!!!

Other news: last weekend Py finished painting the front room. So we now have two nice rooms in the flat.

Thanks Py

XXX

It may appear as though I am dead but …

Posted on by

Py and I have been a bit busy – Py especially.

Bedroom painted.
Kitchen and bathroom new flooring.
Front room stripped of three layers of wall paper. Plaster emulsion applied.

Photos to follow on all of the above.

Washing machine arrived today. Py’s first day back at Uni.

Py & Mx’s physical anniversary yesterday.

Please listen to Bruce and his friends, Mr Bush – ta MX

Posted on by
http://www.counterpane.com/crypto-gram-0109a.html[/url]

September 30, 2001

by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.

Copyright (c) 2001 by Counterpane Internet Security, Inc.

This is a special issue of Crypto-Gram, devoted to the September
11 terrorist attacks and their aftermath.

Please distribute this issue widely.

In this issue:

  • [url=#1]The Attacks[/url]
  • [url=#2]Airline Security Regulations[/url]
  • [url=#3]Biometrics in Airports[/url]
  • [url=#4]Diagnosing Intelligence Failures[/url]
  • [url=#5]Regulating Cryptography[/url]
  • [url=#6]Terrorists and Steganography[/url]
  • [url=#7]News[/url]
  • [url=#8]Protecting Privacy and Liberty[/url]
  • [url=#9]How to Help[/url]

The Attacks

Watching the television on September 11, my primary reaction was
amazement.

The attacks were amazing in their diabolicalness and audacity:
to hijack fuel-laden commercial airliners and fly them into buildings, killing
thousands of innocent civilians. We’ll probably never know if the attackers
realized that the heat from the jet fuel would melt the steel supports and collapse
the World Trade Center. It seems probable that they placed advantageous trades
on the world’s stock markets just before the attack. No one planned for an attack
like this. We like to think that human beings don’t make plans like this.

I was impressed when al-Qaeda simultaneously bombed two American
embassies in Africa. I was more impressed when they blew a 40-foot hole in an
American warship. This attack makes those look like minor operations.

The attacks were amazing in their complexity. Estimates are that
the plan required about 50 people, at least 19 of them willing to die. It required
training. It required logistical support. It required coordination. The sheer
scope of the attack seems beyond the capability of a terrorist organization.

The attacks rewrote the hijacking rule book. Responses to hijackings
are built around this premise: get the plane on the ground so negotiations can
begin. That’s obsolete now.

They rewrote the terrorism book, too. Al-Qaeda invented a new
type of attacker. Historically, suicide bombers are young, single, fanatical,
and have nothing to lose. These people were older and more experienced. They
had marketable job skills. They lived in the U.S.: watched television, ate fast
food, drank in bars. One left a wife and four children.

It was also a new type of attack. One of the most difficult things
about a terrorist operation is getting away. This attack neatly solved that
problem. It also solved the technological problem. The United States spends
billions of dollars on remote-controlled precision-guided munitions; al-Qaeda
just finds morons willing to fly planes into skyscrapers.

Finally, the attacks were amazing in their success. They weren’t
perfect. We know that 100% of the attempted hijackings were successful, and
75% of the hijacked planes successfully hit their targets. We don’t know how
many planned hijackings were aborted for one reason or another. What’s most
amazing is that the plan wasn’t leaked. No one successfully defected. No one
slipped up and gave the plan away. Al-Qaeda had assets in the U.S. for months,
and managed to keep the plan secret. Often law enforcement has been lucky here;
in this case we weren’t.

Rarely do you see an attack that changes the world’s conception
of attack, as these terrorist attacks changed the world’s conception of what
a terrorist attack can do. Nothing they did was novel, yet the attack was completely
new. And our conception of defense must change as well.

Airline Security Regulations

Computer security experts have a lot of expertise that can be
applied to the real world. First and foremost, we have well-developed senses
of what security looks like. We can tell the difference between real security
and snake oil. And the new airport security rules, put in place after September
11, look and smell a whole lot like snake oil.

All the warning signs are there: new and unproven security measures,
no real threat analysis, unsubstantiated security claims. The ban on cutting
instruments is a perfect example. It’s a knee-jerk reaction: the terrorists
used small knives and box cutters, so we must ban them. And nail clippers, nail
files, cigarette lighters, scissors (even small ones), tweezers, etc. But why
isn’t anyone asking the real questions: what is the threat, and how does turning
an airplane into a kindergarten classroom reduce the threat? If the threat is
hijacking, then the countermeasure doesn’t protect against all the myriad of
ways people can subdue the pilot and crew. Hasn’t anyone heard of karate? Or
broken bottles? Think about hiding small blades inside luggage. Or composite
knives that don’t show up on metal detectors.

Parked cars now must be 300 feet from airport gates. Why? What
security problem does this solve? Why doesn’t the same problem imply that passenger
drop-off and pick-up should also be that far away? Curbside check-in has been
eliminated. What’s the threat that this security measure has solved? Why, if
the new threat is hijacking, are we suddenly worried about bombs?

The rule limiting concourse access to ticketed passengers is another
one that confuses me. What exactly is the threat here? Hijackers have to be
on the planes they’re trying to hijack to carry out their attack, so they have
to have tickets. And anyone can call Priceline.com and “name their own price”
for concourse access.

Increased inspections — of luggage, airplanes, airports — seem
like a good idea, although it’s far from perfect. The biggest problem here is
that the inspectors are poorly paid and, for the most part, poorly educated
and trained. Other problems include the myriad ways to bypass the checkpoints
— numerous studies have found all sorts of violations — and the impossibility
of effectively inspecting everybody while maintaining the required throughput.
Unidentified armed guards on select flights is another mildly effective idea:
it’s a small deterrent, because you never know if one is on the flight you want
to hijack.

Positive bag matching — ensuring that a piece of luggage does
not get loaded on the plane unless its owner boards the plane — is actually
a good security measure, but assumes that bombers have self-preservation as
a guiding force. It is completely useless against suicide bombers.

The worst security measure of them all is the photo ID requirement.
This solves no security problem I can think of. It doesn’t even identify people;
any high school student can tell you how to get a fake ID. The requirement for
this invasive and ineffective security measure is secret; the FAA won’t send
you the written regulations if you ask. Airlines are actually more stringent
about this than the FAA requires, because the “security” measure solves a business
problem for them.

The real point of photo ID requirements is to prevent people from
reselling tickets. Nonrefundable tickets used to be regularly advertised in
the newspaper classifieds. Ads would read something like “Round trip, Boston
to Chicago, 11/22 – 11/30, female, $50.” Since the airlines didn’t check ID
but could notice gender, any female could buy the ticket and fly the route.
Now this doesn’t work. The airlines love this; they solved a problem of theirs,
and got to blame the solution on FAA security requirements.

Airline security measures are primarily designed to give the appearance
of good security rather than the actuality. This makes sense, once you realize
that the airlines’ goal isn’t so much to make the planes hard to hijack, as
to make the passengers willing to fly. Of course airlines would prefer it if
all their flights were perfectly safe, but actual hijackings and bombings are
rare events and they know it.

This is not to say that all airport security is useless, and that
we’d be better off doing nothing. All security measures have benefits, and all
have costs: money, inconvenience, etc. I would like to see some rational analysis
of the costs and benefits, so we can get the most security for the resources
we have.

One basic snake-oil warning sign is the use of self-invented security
measures, instead of expert-analyzed and time-tested ones. The closest the airlines
have to experienced and expert analysis is El Al. Since 1948 they have been
operating in and out of the most heavily terroristic areas of the planet, with
phenomenal success. They implement some pretty heavy security measures. One
thing they do is have reinforced, locked doors between their airplanes’ cockpit
and the passenger section. (Notice that this security measure is 1) expensive,
and 2) not immediately perceptible to the passenger.) Another thing they do
is place all cargo in decompression chambers before takeoff, to trigger bombs
set to sense altitude. (Again, this is 1) expensive, and 2) imperceptible, so
unattractive to American airlines.) Some of the things El Al does are so intrusive
as to be unconstitutional in the U.S., but they let you take your pocketknife
on board with you.

Airline security:
< [url=http://www.time.com/time/covers/1101010924/bsecurity.html]http://www.time.com/time/covers/1101010924/bsecurity.html[/url]>

< [url=http://www.accessatlanta.com/ajc/terrorism/atlanta/0925gun.html]http://www.accessatlanta.com/ajc/terrorism/atlanta/0925gun.html[/url]>

FAA on new security rules:
< [url=http://www.faa.gov/apa/faq/pr_faq.htm]http://www.faa.gov/apa/faq/pr_faq.htm[/url]>

A report on the rules’ effectiveness:
< [url=http://www.boston.com/dailyglobe2/266/nation/Passengers_say_banned_items_have_eluded_airport_monitors+.shtml]http://www.boston.com/dailyglobe2/266/nation/Passengers_say_banned_items_have_eluded_airport_monitors+.shtml[/url]>

El Al’s security measures:
< [url=http://news.excite.com/news/ap/010912/18/israel-safe-aviation]http://news.excite.com/news/ap/010912/18/israel-safe-aviation[/url]>

< [url=http://news.excite.com/news/r/010914/07/international-attack-israel-elal-dc]http://news.excite.com/news/r/010914/07/international-attack-israel-elal-dc[/url]>

More thoughts on this topic:
< [url=http://slate.msn.com/HeyWait/01-09-17/HeyWait.asp]http://slate.msn.com/HeyWait/01-09-17/HeyWait.asp[/url]>

< [url=http://www.tnr.com/100101/easterbrook100101.html]http://www.tnr.com/100101/easterbrook100101.html[/url]>

< [url=http://www.tisc2001.com/newsletters/317.html]http://www.tisc2001.com/newsletters/317.html[/url]>

Two secret FAA documents on photo ID requirement, in text and
GIF:
< [url=http://www.cs.berkeley.edu/~daw/faa/guid/guid.txt]http://www.cs.berkeley.edu/~daw/faa/guid/guid.txt[/url]>

< [url=http://www.cs.berkeley.edu/~daw/faa/guid/guid.html]http://www.cs.berkeley.edu/~daw/faa/guid/guid.html[/url]>

< [url=http://www.cs.berkeley.edu/~daw/faa/id/id.txt]http://www.cs.berkeley.edu/~daw/faa/id/id.txt[/url]>

< [url=http://www.cs.berkeley.edu/~daw/faa/id/id.html]http://www.cs.berkeley.edu/~daw/faa/id/id.html[/url]>

Passenger profiling:
< [url=http://www.latimes.com/news/nationworld/nation/la-091501profile.story]http://www.latimes.com/news/nationworld/nation/la-091501profile.story[/url]>

A CATO Institute report: “The Cost of Antiterrorist Rhetoric,”
written well before September 11:
< [url=http://www.cato.org/pubs/regulation/reg19n4e.html]http://www.cato.org/pubs/regulation/reg19n4e.html[/url]>

I don’t know if this is a good idea, but at least someone is thinking
about the problem:
< [url=http://www.zdnet.com/anchordesk/stories/story/0,10738,2812283,00.html]http://www.zdnet.com/anchordesk/stories/story/0,10738,2812283,00.html[/url]>

Biometrics in Airports

You have to admit, it sounds like a good idea. Put cameras throughout
airports and other public congregation areas, and have automatic face-recognition
software continuously scan the crowd for suspected terrorists. When the software
finds one, it alerts the authorities, who swoop down and arrest the bastards.
Voila, we’re safe once again.

Reality is a lot more complicated; it always is. Biometrics is
an effective authentication tool, and I’ve written about it before. There are
three basic kinds of authentication: something you know (password, PIN code,
secret handshake), something you have (door key, physical ticket into a concert,
signet ring), and something you are (biometrics). Good security uses at least
two different authentication types: an ATM card and a PIN code, computer access
using both a password and a fingerprint reader, a security badge that includes
a picture that a guard looks at. Implemented properly, biometrics can be an
effective part of an access control system.

I think it would be a great addition to airport security: identifying
airline and airport personnel such as pilots, maintenance workers, etc. That’s
a problem biometrics can help solve. Using biometrics to pick terrorists out
of crowds is a different kettle of fish.

In the first case (employee identification), the biometric system
has a straightforward problem: does this biometric belong to the person it claims
to belong to? In the latter case (picking terrorists out of crowds), the system
needs to solve a much harder problem: does this biometric belong to anyone in
this large database of people? The difficulty of the latter problem increases
the complexity of the identification, and leads to identification failures.

Setting up the system is different for the two applications. In
the first case, you can unambiguously know the reference biometric belongs to
the correct person. In the latter case, you need to continually worry about
the integrity of the biometric database. What happens if someone is wrongfully
included in the database? What kind of right of appeal does he have?

Getting reference biometrics is different, too. In the first case,
you can initialize the system with a known, good biometric. If the biometric
is face recognition, you can take good pictures of new employees when they are
hired and enter them into the system. Terrorists are unlikely to pose for photo
shoots. You might have a grainy picture of a terrorist, taken five years ago
from 1000 yards away when he had a beard. Not nearly as useful.

But even if all these technical problems were magically solved,
it’s still very difficult to make this kind of system work. The hardest problem
is the false alarms. To explain why, I’m going to have to digress into statistics
and explain the base rate fallacy.

Suppose this magically effective face-recognition software is
99.99 percent accurate. That is, if someone is a terrorist, there is a 99.99
percent chance that the software indicates “terrorist,” and if someone is not
a terrorist, there is a 99.99 percent chance that the software indicates “non-terrorist.”
Assume that one in ten million flyers, on average, is a terrorist. Is the software
any good?

No. The software will generate 1000 false alarms for every one
real terrorist. And every false alarm still means that all the security people
go through all of their security procedures. Because the population of non-terrorists
is so much larger than the number of terrorists, the test is useless. This result
is counterintuitive and surprising, but it is correct. The false alarms in this
kind of system render it mostly useless. It’s “The Boy Who Cried Wolf” increased
1000-fold.

I say mostly useless, because it would have some positive effect.
Once in a while, the system would correctly finger a frequent-flyer terrorist.
But it’s a system that has enormous costs: money to install, manpower to run,
inconvenience to the millions of people incorrectly identified, successful lawsuits
by some of those people, and a continued erosion of our civil liberties. And
all the false alarms will inevitably lead those managing the system to distrust
its results, leading to sloppiness and potentially costly mistakes. Ubiquitous
harvesting of biometrics might sound like a good idea, but I just don’t think
it’s worth it.

Phil Agre on face-recognition biometrics:
< [url=http://dlis.gseis.ucla.edu/people/pagre/bar-code.html]http://dlis.gseis.ucla.edu/people/pagre/bar-code.html[/url]>

My original essay on biometrics:
< [url=http://www.counterpane.com/crypto-gram-9808.html#biometrics]http://www.counterpane.com/crypto-gram-9808.html#biometrics[/url]>

Face recognition useless in airports:
< [url=http://www.theregister.co.uk/content/4/21916.html]http://www.theregister.co.uk/content/4/21916.html[/url]>

According to a DARPA study, to detect 90 per cent of terrorists we’d need to
raise an alarm for one in every three people passing through the airport.

A company that is pushing this idea:
< [url=http://www.theregister.co.uk/content/6/21882.html]http://www.theregister.co.uk/content/6/21882.html[/url]>

A version of this article was published here:
< [url=http://www.extremetech.com/article/0,3396,s%253D1024%2526a%253D15070,00.asp]http://www.extremetech.com/article/0,3396,s%253D1024%2526a%253D15070,00.asp[/url]>

Diagnosing Intelligence
Failures

It’s clear that U.S. intelligence failed to provide adequate warning
of the September 11 terrorist attacks, and that the FBI failed to prevent the
attacks. It’s also clear that there were all sorts of indications that the attacks
were going to happen, and that there were all sorts of things that we could
have noticed but didn’t. Some have claimed that this was a massive intelligence
failure, and that we should have known about and prevented the attacks. I am
not convinced.

There’s a world of difference between intelligence data and intelligence
information. In what I am sure is the mother of all investigations, the CIA,
NSA, and FBI have uncovered all sorts of data from their files, data that clearly
indicates that an attack was being planned. Maybe it even clearly indicates
the nature of the attack, or the date. I’m sure lots of information is there,
in files, intercepts, computer memory.

Armed with the clarity of hindsight, it’s easy to look at all
the data and point to what’s important and relevant. It’s even easy to take
all that important and relevant data and turn it into information. And it’s
real easy to take that information and construct a picture of what’s going on.

It’s a lot harder to do before the fact. Most data is irrelevant,
and most leads are false ones. How does anyone know which is the important one,
that effort should be spent on this specific threat and not the thousands of
others?

So much data is collected — the NSA sucks up an almost unimaginable
quantity of electronic communications, the FBI gets innumerable leads and tips,
and our allies pass all sorts of information to us — that we can’t possibly
analyze it all. Imagine terrorists are hiding plans for attacks in the text
of books in a large university library; you have no idea how many plans there
are or where they are, and the library expands faster than you can possibly
read it. Deciding what to look at is an impossible task, so a lot of good intelligence
goes unlearned.

We also don’t have any context to judge the intelligence effort.
How many terrorist attempts have been thwarted in the past year? How many groups
are being tracked? If the CIA, NSA, and FBI succeed, no one ever knows. It’s
only in failure that they get any recognition.

And it was a failure. Over the past couple of decades, the U.S.
has relied more and more on high-tech electronic eavesdropping (SIGINT and COMINT)
and less and less on old fashioned human intelligence (HUMINT). This only makes
the analysis problem worse: too much data to look at, and not enough real-world
context. Look at the intelligence failures of the past few years: failing to
predict India’s nuclear test, or the attack on the USS Cole, or the bombing
of the two American embassies in Africa; concentrating on Wen Ho Lee to the
exclusion of the real spies, like Robert Hanssen.

But whatever the reason, we failed to prevent this terrorist attack.
In the post mortem, I’m sure there will be changes in the way we collect and
(most importantly) analyze anti-terrorist data. But calling this a massive intelligence
failure is a disservice to those who are working to keep our country secure.

Intelligence failure is an overreliance on eavesdropping and not
enough on human intelligence:
< [url=http://www.sunspot.net/bal-te.intelligence13sep13.story]http://www.sunspot.net/bal-te.intelligence13sep13.story[/url]>

< [url=http://www.newscientist.com/news/news.jsp?id=ns99991297]http://www.newscientist.com/news/news.jsp?id=ns99991297[/url]>

Another view:
< [url=http://www.wired.com/news/politics/0,1283,46746,00.html]http://www.wired.com/news/politics/0,1283,46746,00.html[/url]>

Too much electronic eavesdropping only makes things harder:
< [url=http://www.wired.com/news/business/0,1367,46817,00.html]http://www.wired.com/news/business/0,1367,46817,00.html[/url]>

Israel alerted the U.S. about attacks:
< [url=http://www.latimes.com/news/nationworld/nation/la-092001probe.story]http://www.latimes.com/news/nationworld/nation/la-092001probe.story[/url]>

Mostly retracted:
< [url=http://www.latimes.com/news/nationworld/nation/la-092101mossad.story]http://www.latimes.com/news/nationworld/nation/la-092101mossad.story[/url]>

Regulating Cryptography

In the wake of the devastating attacks on New York’s World Trade
Center and the Pentagon, Senator Judd Gregg and other high-ranking government
officials quickly seized on the opportunity to resurrect limits on strong encryption
and key escrow systems that ensure government access to encrypted messages.

I think this is a bad move. It will do little to thwart terrorist
activities, while at the same time significantly reducing the security of our
own critical infrastructure. We’ve been through these arguments before, but
legislators seem to have short memories. Here’s why trying to limit cryptography
is bad for Internet security.

One, you can’t limit the spread of cryptography. Cryptography
is mathematics, and you can’t ban mathematics. All you can ban is a set of products
that use that mathematics, but that is something quite different. Years ago,
during the cryptography debates, an international crypto survey was completed;
it listed almost a thousand products with strong cryptography from over a hundred
countries. You might be able to control cryptography products in a handful of
industrial countries, but that won’t prevent criminals from importing them.
You’d have to ban them in every country, and even then it won’t be enough. Any
terrorist organization with a modicum of skill can write its own cryptography
software. And besides, what terrorist is going to pay attention to a legal ban?

Two, any controls on the spread of cryptography hurt more than
they help. Cryptography is one of the best security tools we have to protect
our electronic world from harm: eavesdropping, unauthorized access, meddling,
denial of service. Sure, by controlling the spread of cryptography you might
be able to prevent some terrorist groups from using cryptography, but you’ll
also prevent bankers, hospitals, and air-traffic controllers from using it.
(And, remember, the terrorists can always get the stuff elsewhere: see my first
point.) We’ve got a lot of electronic infrastructure to protect, and we need
all the cryptography we can get our hands on. If anything, we need to make strong
cryptography more prevalent if companies continue to put our planet’s critical
infrastructure online.

Three, key escrow doesn’t work. Short refresher: this is the notion
that companies should be forced to implement back doors in crypto products such
that law enforcement, and only law enforcement, can peek in and eavesdrop on
encrypted messages. Terrorists and criminals wonÒ€ℒt use it. (Again, see my first
point.)

Key escrow also makes it harder for the good guys to secure the
important stuff. All key-escrow systems require the existence of a highly sensitive
and highly available secret key or collection of keys that must be maintained
in a secure manner over an extended time period. These systems must make decryption
information quickly accessible to law enforcement agencies without notice to
the key owners. Does anyone really think that we can build this kind of system
securely? It would be a security engineering task of unbelievable magnitude,
and I don’t think we have a prayer of getting it right. We can’t build a secure
operating system, let alone a secure computer and secure network.

Stockpiling keys in one place is a huge risk just waiting for
attack or abuse. Whose digital security do you trust absolutely and without
question, to protect every major secret of the nation? Which operating system
would you use? Which firewall? Which applications? As attractive as it may sound,
building a workable key-escrow system is beyond the current capabilities of
computer engineering.

Years ago, a group of colleagues and I wrote a paper outlining
why key escrow is a bad idea. The arguments in the paper still stand, and I
urge everyone to read it. It’s not a particularly technical paper, but it lays
out all the problems with building a secure, effective, scalable key-escrow
infrastructure.

The events of September 11 have convinced a lot of people that
we live in dangerous times, and that we need more security than ever before.
They’re right; security has been dangerously lax in many areas of our society,
including cyberspace. As more and more of our nation’s critical infrastructure
goes digital, we need to recognize cryptography as part of the solution and
not as part of the problem.

My old “Risks of Key Recovery” paper:
< [url=http://www.counterpane.com/key-escrow.html]http://www.counterpane.com/key-escrow.html[/url]>

Articles on this topic:
< [url=http://cgi.zdnet.com/slink?140437:8469234]http://cgi.zdnet.com/slink?140437:8469234[/url]>

< [url=http://www.wired.com/news/politics/0,1283,46816,00.html]http://www.wired.com/news/politics/0,1283,46816,00.html[/url]>

< [url=http://www.pcworld.com/news/article/0,aid,62267,00.asp]http://www.pcworld.com/news/article/0,aid,62267,00.asp[/url]>

< [url=http://www.newscientist.com/news/news.jsp?id=ns99991309]http://www.newscientist.com/news/news.jsp?id=ns99991309[/url]>

< [url=http://www.zdnet.com/zdnn/stories/news/0,4586,2814833,00.html]http://www.zdnet.com/zdnn/stories/news/0,4586,2814833,00.html[/url]>

Al-Qaeda did not use encryption to plan these attacks:
< [url=http://dailynews.yahoo.com/h/nm/20010918/ts/attack_investigation_dc_23.html]http://dailynews.yahoo.com/h/nm/20010918/ts/attack_investigation_dc_23.html[/url]>

Poll indicates that 72 percent of Americans believe that anti-encryption
laws would be “somewhat” or “very” helpful in preventing a repeat of last week’s
terrorist attacks on New York’s World Trade Center and the Pentagon in Washington,
D.C. No indication of what percentage actually understood the question.
< [url=http://news.cnet.com/news/0-1005-200-7215723.html?tag=mn_hd]http://news.cnet.com/news/0-1005-200-7215723.html?tag=mn_hd[/url]>

Terrorists and Steganography

Guess what? Al-Qaeda may use steganography. According to nameless
“U.S. officials and experts” and “U.S. and foreign officials,” terrorist groups
are “hiding maps and photographs of terrorist targets and posting instructions
for terrorist activities on sports chat rooms, pornographic bulletin boards
and other Web sites.”

I’ve written about steganography in the past, and I don’t want
to spend much time retracing old ground. Simply, steganography is the science
of hiding messages in messages. Typically, a message (either plaintext or, more
cleverly, ciphertext) is encoded as tiny changes to the color of the pixels
of a digital photograph. Or in imperceptible noise in an audio file. To the
uninitiated observer, it’s just a picture. But to the sender and receiver, there’s
a message hiding in there.

It doesn’t surprise me that terrorists are using this trick. The
very aspects of steganography that make it unsuitable for normal corporate use
make it ideally suited for terrorist use. Most importantly, it can be used in
an electronic dead drop.

If you read the FBI affidavit against Robert Hanssen, you learn
how Hanssen communicated with his Russian handlers. They never met, but would
leave messages, money, and documents for one another in plastic bags under a
bridge. Hanssen’s handler would leave a signal in a public place — a chalk
mark on a signpost — to indicate a waiting package. Hanssen would later collect
the package.

That’s a dead drop. It has many advantages over a face-to-face
meeting. One, the two parties are never seen together. Two, the two parties
don’t have to coordinate a rendezvous. Three, and most importantly, one party
doesn’t even have to know who the other one is (a definite advantage if one
of them is arrested). Dead drops can be used to facilitate completely anonymous,
asynchronous communications.

Using steganography to embed a message in a pornographic image
and posting it to a Usenet newsgroup is the cyberspace equivalent of a dead
drop. To everyone else, it’s just a picture. But to the receiver, there’s a
message in there waiting to be extracted.

To make it work in practice, the terrorists would need to set
up some sort of code. Just as Hanssen knew to collect his package when he saw
the chalk mark, a virtual terrorist will need to know to look for his message.
(He can’t be expected to search every picture.) There are lots of ways to communicate
a signal: timestamp on the message, an uncommon word in the subject line, etc.
Use your imagination here; the possibilities are limitless.

The effect is that the sender can transmit a message without ever
communicating directly with the receiver. There is no e-mail between them, no
remote logins, no instant messages. All that exists is a picture posted to a
public forum, and then downloaded by anyone sufficiently enticed by the subject
line (both third parties and the intended receiver of the secret message).

So, what’s a counter-espionage agency to do? There are the standard
ways of finding steganographic messages, most of which involve looking for changes
in traffic patterns. If Bin Laden is using pornographic images to embed his
secret messages, it is unlikely these pictures are being taken in Afghanistan.
They’re probably downloaded from the Web. If the NSA can keep a database of
images (wouldn’t that be something?), then they can find ones with subtle changes
in the low-order bits. If Bin Laden uses the same image to transmit multiple
messages, the NSA could notice that. Otherwise, there’s probably nothing the
NSA can do. Dead drops, both real and virtual, can’t be prevented.

Why can’t businesses use this? The primary reason is that legitimate
businesses don’t need dead drops. I remember hearing one company talk about
a corporation embedding a steganographic message to its salespeople in a photo
on the corporate Web page. Why not just send an encrypted e-mail? Because someone
might notice the e-mail and know that the salespeople all got an encrypted message.
So send a message every day: a real message when you need to, and a dummy message
otherwise. This is a traffic analysis problem, and there are other techniques
to solve it. Steganography just doesn’t apply here.

Steganography is good way for terrorist cells to communicate,
allowing communication without any group knowing the identity of the other.
There are other ways to build a dead drop in cyberspace. A spy can sign up for
a free, anonymous e-mail account, for example. Bin Laden probably uses those
too.

News articles:
< [url=http://www.wired.com/news/print/0,1294,41658,00.html]http://www.wired.com/news/print/0,1294,41658,00.html[/url]>

< [url=http://www.usatoday.com/life/cyber/tech/2001-02-05-binladen.htm]http://www.usatoday.com/life/cyber/tech/2001-02-05-binladen.htm[/url]>

< [url=http://www.sfgate.com/cgi-bin/article.cgi?file=/gate/archive/2001/09/20/sigintell.DTL]http://www.sfgate.com/cgi-bin/article.cgi?file=/gate/archive/2001/09/20/sigintell.DTL[/url]>

< [url=http://www.cnn.com/2001/US/09/20/inv.terrorist.search/]http://www.cnn.com/2001/US/09/20/inv.terrorist.search/[/url]>

< [url=http://www.washingtonpost.com/wp-dyn/articles/A52687-2001Sep18.html]http://www.washingtonpost.com/wp-dyn/articles/A52687-2001Sep18.html[/url]>

My old essay on steganography:
< [url=http://www.counterpane.com/crypto-gram-9810.html#steganography]http://www.counterpane.com/crypto-gram-9810.html#steganography[/url]>

Study claims no steganography on eBay:
< [url=http://www.theregister.co.uk/content/4/21829.html]http://www.theregister.co.uk/content/4/21829.html[/url]>

Detecting steganography on the Internet:
< [url=http://www.citi.umich.edu/techreports/reports/citi-tr-01-11.pdf]http://www.citi.umich.edu/techreports/reports/citi-tr-01-11.pdf[/url]>

A version of this essay appeared on ZDnet:
< [url=http://www.zdnet.com/zdnn/stories/comment/0,5859,2814256,00.html]http://www.zdnet.com/zdnn/stories/comment/0,5859,2814256,00.html[/url]>

< [url=http://www.msnbc.com/news/633709.asp?0dm=B12MT]http://www.msnbc.com/news/633709.asp?0dm=B12MT[/url]>

News

I am not opposed to using force against the terrorists. I am not
opposed to going to war — for retribution, deterrence, and the restoration
of the social contract — assuming a suitable enemy can be identified. Occasionally,
peace is something you have to fight for. But I think the use of force is far
more complicated than most people realize. Our actions are important; messing
this up will only make things worse.

Written before September 11: A former CIA operative explains why
the terrorist Usama bin Laden has little to fear from American intelligence.

< [url=http://www.theatlantic.com/issues/2001/07/gerecht.htm]http://www.theatlantic.com/issues/2001/07/gerecht.htm[/url]>

And a Russian soldier discusses why war in Afghanistan will be a nightmare.

< [url=http://www.latimes.com/news/printedition/asection/la-000075191sep19.story]http://www.latimes.com/news/printedition/asection/la-000075191sep19.story[/url]>

A British soldier explains the same:
< [url=http://www.sunday-times.co.uk/news/pages/sti/2001/09/23/stiusausa02023.html?]http://www.sunday-times.co.uk/news/pages/sti/2001/09/23/stiusausa02023.html?[/url]>

Lessons from Britain on fighting terrorism:
< [url=http://www.salon.com/news/feature/2001/09/19/fighting_terror/index.html]http://www.salon.com/news/feature/2001/09/19/fighting_terror/index.html[/url]>

1998 Esquire interview with Bin Ladin:
< [url=http://www.esquire.com/features/articles/2001/010913_mfe_binladen_1.html]http://www.esquire.com/features/articles/2001/010913_mfe_binladen_1.html[/url]>

Phil Agre’s comments on these issues:
< [url=http://commons.somewhere.com/rre/2001/RRE.War.in.a.World.Witho.html]http://commons.somewhere.com/rre/2001/RRE.War.in.a.World.Witho.html[/url]>

< [url=http://commons.somewhere.com/rre/2001/RRE.Imagining.the.Next.W.html]http://commons.somewhere.com/rre/2001/RRE.Imagining.the.Next.W.html[/url]>

Why technology can’t save us:
< [url=http://www.osopinion.com/perl/story/13535.html]http://www.osopinion.com/perl/story/13535.html[/url]>

Hactivism exacts revenge for terrorist attacks:
< [url=http://news.cnet.com/news/0-1003-201-7214703-0.html?tag=owv]http://news.cnet.com/news/0-1003-201-7214703-0.html?tag=owv[/url]>

FBI reminds everyone that it’s illegal:
< [url=http://www.nipc.gov/warnings/advisories/2001/01-020.htm]http://www.nipc.gov/warnings/advisories/2001/01-020.htm[/url]>

< [url=http://www.ananova.com/news/story/sm_400565.html?menu=]http://www.ananova.com/news/story/sm_400565.html?menu=[/url]>

Hackers face life imprisonment under anti-terrorism act:
< [url=http://www.securityfocus.com/news/257]http://www.securityfocus.com/news/257[/url]>

Especially scary are the “advice or assistance” components. A security consultant
could face life imprisonment, without parole, if he discovered and publicized
a security hole that was later exploited by someone else. After all, without
his “advice” about what the hole was, the attacker never would have accomplished
his hack.

Companies fear cyberterrorism:
< [url=http://cgi.zdnet.com/slink?140433:8469234]http://cgi.zdnet.com/slink?140433:8469234[/url]>

< [url=http://computerworld.com/nlt/1%2C3590%2CNAV65-663_STO63965_NLTSEC%2C00.html]http://computerworld.com/nlt/1%2C3590%2CNAV65-663_STO63965_NLTSEC%2C00.html[/url]>

They’re investing in security:
< [url=http://www.washtech.com/news/software/12514-1.html]http://www.washtech.com/news/software/12514-1.html[/url]>

< [url=http://www.theregister.co.uk/content/55/21814.html]http://www.theregister.co.uk/content/55/21814.html[/url]>

Upgrading government computers to fight terrorism:
< [url=http://www.zdnet.com/zdnn/stories/news/0,4586,5096868,00.html]http://www.zdnet.com/zdnn/stories/news/0,4586,5096868,00.html[/url]>

Risks of cyberterrorism attacks against our electronic infrastructure:

< [url=http://www.businessweek.com/bwdaily/dnflash/sep2001/nf20010918_8931.htm?&_ref=1732900718]http://www.businessweek.com/bwdaily/dnflash/sep2001/nf20010918_8931.htm?&_ref=1732900718[/url]>

< [url=http://cgi.zdnet.com/slink?143569:8469234]http://cgi.zdnet.com/slink?143569:8469234[/url]>

Now the complaint is that Bin Laden is NOT using high-tech communications:

< [url=http://www.theregister.co.uk/content/57/21790.html]http://www.theregister.co.uk/content/57/21790.html[/url]>

Larry Ellison is willing to give away the software to implement
a national ID card.
< [url=http://www.siliconvalley.com/docs/news/svfront/ellsn092301.htm]http://www.siliconvalley.com/docs/news/svfront/ellsn092301.htm[/url]>

Security problems include: inaccurate information, insiders issuing fake cards
(this happens with state drivers’ licenses), vulnerability of the large database,
potential privacy abuses, etc. And, of course, no trans-national terrorists
would be listed in such a system, because they wouldn’t be U.S. citizens. What
do you expect from a company whose origins are intertwined with the CIA?

Protecting Privacy and Liberty

Appalled by the recent hijackings, many Americans have declared
themselves willing to give up civil liberties in the name of security. They’ve
declared it so loudly that this trade-off seems to be a fait accompli. Article
after article talks about the balance between privacy and security, discussing
whether various increases of security are worth the privacy and civil-liberty
losses. Rarely do I see a discussion about whether this linkage is a valid one.

Security and privacy are not two sides of a teeter-totter. This
association is simplistic and largely fallacious. It’s easy and fast, but less
effective, to increase security by taking away liberty. However, the best ways
to increase security are not at the expense of privacy and liberty.

It’s easy to refute the notion that all security comes at the
expense of liberty. Arming pilots, reinforcing cockpit doors, and teaching flight
attendants karate are all examples of security measures that have no effect
on individual privacy or liberties. So are better authentication of airport
maintenance workers, or dead-man switches that force planes to automatically
land at the closest airport, or armed air marshals traveling on flights.

Liberty-depriving security measures are most often found when
system designers failed to take security into account from the beginning. They’re
Band-aids, and evidence of bad security planning. When security is designed
into a system, it can work without forcing people to give up their freedoms.

Here’s an example: securing a room. Option one: convert the room
into an impregnable vault. Option two: put locks on the door, bars on the windows,
and alarm everything. Option three: don’t bother securing the room; instead,
post a guard in the room who records the ID of everyone entering and makes sure
they should be allowed in.

Option one is the best, but is unrealistic. Impregnable vaults
just don’t exist, getting close is prohibitively expensive, and turning a room
into a vault greatly lessens its usefulness as a room. Option two is the realistic
best; combine the strengths of prevention, detection, and response to achieve
resilient security. Option three is the worst. It’s far more expensive than
option two, and the most invasive and easiest to defeat of all three options.
It’s also a sure sign of bad planning; designers built the room, and only then
realized that they needed security. Rather then spend the effort installing
door locks and alarms, they took the easy way out and invaded people’s privacy.

A more complex example is Internet security. Preventive countermeasures
help significantly against script kiddies, but fail against smart attackers.
For a couple of years I have advocated detection and response to provide security
on the Internet. This works; my company catches attackers — both outside hackers
and insiders — all the time. We do it by monitoring the audit logs of network
products: firewalls, IDSs, routers, servers, and applications. We don’t eavesdrop
on legitimate users or read traffic. We don’t invade privacy. We monitor data
about data, and find abuse that way. No civil liberties are violated. It’s not
perfect, but nothing is. Still, combined with preventive security products it
is more effective, and more cost-effective, than anything else.

The parallels between Internet security and global security are
strong. All criminal investigation looks at surveillance records. The lowest-tech
version of this is questioning witnesses. In this current investigation, the
FBI is looking at airport videotapes, airline passenger records, flight school
class records, financial records, etc. And the better job they can do examining
these records, the more effective their investigation will be.

There are copycat criminals and terrorists, who do what they’ve
seen done before. To a large extent, this is what the hastily implemented security
measures have tried to prevent. And there are the clever attackers, who invent
new ways to attack people. This is what we saw on September 11. It’s expensive,
but we can build security to protect against yesterday’s attacks. But we can’t
guarantee protection against tomorrow’s attacks: the hacker attack that hasn’t
been invented, or the terrorist attack yet to be conceived.

Demands for even more surveillance miss the point. The problem
is not obtaining data, it’s deciding which data is worth analyzing and then
interpreting it. Everyone already leaves a wide audit trail as we go through
life, and law enforcement can already access those records with search warrants.
The FBI quickly pieced together the terrorists’ identities and the last few
months of their lives, once they knew where to look. If they had thrown up their
hands and said that they couldn’t figure out who did it or how, they might have
a case for needing more surveillance data. But they didn’t, and they don’t.

More data can even be counterproductive. The NSA and the CIA have
been criticized for relying too much on signals intelligence, and not enough
on human intelligence. The East German police collected data on four million
East Germans, roughly a quarter of their population. Yet they did not foresee
the peaceful overthrow of the Communist government because they invested heavily
in data collection instead of data interpretation. We need more intelligence
agents squatting on the ground in the Middle East arguing the Koran, not sitting
in Washington arguing about wiretapping laws.

People are willing to give up liberties for vague promises of
security because they think they have no choice. What they’re not being told
is that they can have both. It would require people to say no to the FBI’s power
grab. It would require us to discard the easy answers in favor of thoughtful
answers. It would require structuring incentives to improve overall security
rather than simply decreasing its costs. Designing security into systems from
the beginning, instead of tacking it on at the end, would give us the security
we need, while preserving the civil liberties we hold dear.

Some broad surveillance, in limited circumstances, might be warranted
as a temporary measure. But we need to be careful that it remain temporary,
and that we do not design surveillance into our electronic infrastructure. Thomas
Jefferson once said: “Eternal vigilance is the price of liberty.” Historically,
liberties have always been a casualty of war, but a temporary casualty. This
war — a war without a clear enemy or end condition — has the potential to
turn into a permanent state of society. We need to design our security accordingly.

The events of September 11th demonstrated the need for America
to redesign our public infrastructures for security. Ignoring this need would
be an additional tragedy.

Quotes from U.S. government officials on the need to preserve
liberty during this crisis:
< [url=http://www.epic.org/alert/EPIC_Alert_8.17.html]http://www.epic.org/alert/EPIC_Alert_8.17.html[/url]>

Quotes from editorial pages on the same need:
< [url=http://www.epic.org/alert/EPIC_Alert_8.18.html]http://www.epic.org/alert/EPIC_Alert_8.18.html[/url]>

Selected editorials:
< [url=http://www.nytimes.com/2001/09/16/weekinreview/16GREE.html]http://www.nytimes.com/2001/09/16/weekinreview/16GREE.html[/url]>

< [url=http://www.nytimes.com/2001/09/23/opinion/23SUN1.html]http://www.nytimes.com/2001/09/23/opinion/23SUN1.html[/url]>

< [url=http://www.freedomforum.org/templates/document.asp?documentID=14924]http://www.freedomforum.org/templates/document.asp?documentID=14924[/url]>

Schneier’s comments in the UK:
< [url=http://www.theregister.co.uk/content/55/21892.html]http://www.theregister.co.uk/content/55/21892.html[/url]>

War and liberties:
< [url=http://www.salon.com/tech/feature/2001/09/22/end_of_liberty/index.html]http://www.salon.com/tech/feature/2001/09/22/end_of_liberty/index.html[/url]>

< [url=http://www.washingtonpost.com/wp-dyn/articles/A21207-2001Sep12.html]http://www.washingtonpost.com/wp-dyn/articles/A21207-2001Sep12.html[/url]>

< [url=http://www.wired.com/news/politics/0,1283,47051,00.html]http://www.wired.com/news/politics/0,1283,47051,00.html[/url]>

More on Ashcroft’s anti-privacy initiatives:
< [url=http://www.theregister.co.uk/content/6/21854.html]http://www.theregister.co.uk/content/6/21854.html[/url]>

Editorial cartoon:
< [url=http://www.claybennett.com/pages/latest_08.html]http://www.claybennett.com/pages/latest_08.html[/url]>

Terrorists leave a broad electronic trail:
< [url=http://www.wired.com/news/politics/0,1283,46991,00.html]http://www.wired.com/news/politics/0,1283,46991,00.html[/url]>

National Review article from 1998: “Know nothings: U.S. intelligence
failures stem from too much information, not enough understanding”
< [url=http://www.findarticles.com/m1282/n14_v50/21102283/p1/article.jhtml]http://www.findarticles.com/m1282/n14_v50/21102283/p1/article.jhtml[/url]>

A previous version of this essay appeared in the San Jose Mercury
News:
< [url=http://www0.mercurycenter.com/premium/opinion/columns/security27.htm]http://www0.mercurycenter.com/premium/opinion/columns/security27.htm[/url]>

How to Help

How can you help? Speak about the issues. Write to your elected
officials. Contribute to organizations working on these issues.

This week the United States Congress will act on the most sweeping
proposal to extend the surveillance authority of the government since the end
of the Cold War. If you value privacy and live in the U.S., there are three
steps you should take before you open your next email message:

1. Urge your representatives in Congress to protect privacy.
– Call the Capitol switchboard at 202-224-3121.
– Ask to be connected to the office of your Congressional representative.
– When you are put through, say “May I please speak to the staff member who
is working on the anti-terrorism legislation?” If that person is not available
to speak with you, say “May I please leave a message?”
– Briefly explain that you appreciate the efforts of your representative to
address the challenges brought about by the September 11th tragedy, but it is
your view that it would be a mistake to make any changes in the federal wiretap
statute that do not respond to “the immediate threat of investigating or preventing
terrorist acts.”

2. Go to the In Defense of Freedom web site and endorse the statement:
< [url=http://www.indefenseoffreedom.org]http://www.indefenseoffreedom.org[/url]>

3. Forward this message to at least five other people.

We have less than 100 hours before Congress acts on legislation
that will (a) significantly expand the use of Carnivore, (b) make computer hacking
a form of terrorism, (c) expand electronic surveillance in routine criminal
investigations, and (d) reduce government accountability.

Please act now.

More generally, I expect to see many pieces of legislation that
will address these matters. Visit the following Web sites for up-to-date information
on what is happening and what you can do to help.

The Electronic Privacy Information Center:
< [url=http://www.epic.org]http://www.epic.org[/url]>

The Center for Democracy and Technology:
< [url=http://www.cdt.org]http://www.cdt.org[/url]>

The American Civil Liberties Union:
< [url=http://www.aclu.org]http://www.aclu.org[/url]>

Electronic Frontier Foundation:
< [url=http://www.eff.org]http://www.eff.org[/url]>

CRYPTO-GRAM is a free monthly newsletter providing summaries,
analyses, insights, and commentaries on computer security and cryptography.
Back issues are available on < [url=http://www.counterpane.com/crypto-gram.html]http://www.counterpane.com/crypto-gram.html[/url]>.

http://www.counterpane.com/crypto-gram.html[/url]>
or send a blank message to [email]crypto-gram-subscribe@chaparraltree.com[/email] To unsubscribe,
visit < [url=http://www.counterpane.com/unsubform.html]http://www.counterpane.com/unsubform.html[/url]>.

Please feel free to forward CRYPTO-GRAM to colleagues and friends
who will find it valuable. Permission is granted to reprint CRYPTO-GRAM, as
long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is founder
and CTO of Counterpane Internet Security Inc., the author of “Secrets and Lies”
and “Applied Cryptography,” and an inventor of the Blowfish, Twofish, and Yarrow
algorithms. He is a member of the Advisory Board of the Electronic Privacy Information
Center (EPIC). He is a frequent writer and lecturer on computer security and
cryptography.

Counterpane Internet Security, Inc. is the world leader in Managed
Security Monitoring. Counterpane’s expert security analysts protect networks
for Fortune 1000 companies world-wide.

http://www.counterpane.com/[/url]

Copyright (c) 2001 by Counterpane Internet Security, Inc.

Copyright Counterpane Internet Security, Inc., 2001
Reprint Permission

“The future is wireless for PCs” – yes indeed it is

Posted on by

… ‘Last week Jim Allchin, group vice-president of Microsoft, was talking up Windows XP, the new version of Windows for consumers (that will, by the way, make Windows95 obsolete; no more new device drivers for you, Mr Stopped-Paying-Microsoft-Six-Years-Ago-Win95 user!).

Allchin said XP will have lots of new features that will persuade people (like you, Mr SPMSYAW95 user) to upgrade their operating system, and presumably their computer. “We should have a very good next year, and when I say we, I mean the industry,” he told the Intel Developer Forum. “There are 140 million computers out there that haven’t been upgraded in three years; the operating systems and applications haven’t changed enough Γ’β‚¬β€œ haven’t added enough value Γ’β‚¬β€œ to get people to upgrade.”

Developers, or “software writers” to you and me, like such talk. Intel loves such talk, since it wants to shift some of those gigahertz-plus chips out the door.’ …

http://news.independent.co.uk/digital/reviews/story.jsp?story=91932

Help my head is hurting – but life is complete, Py is back :-)

Posted on by

Saturday 17:13pm Py arrived at Totnes in remarkably fine shape :-), much better then when I landed back the other month.
Pizza in. Chilled out / bath.

Sunday croissant run & real coffee from Py’s perculator, untouched for three months. Wow that stuff tastes good.
Py studied ALL day and I made Chicken Casserole in the evening. Earlyish night.

Monday – 7.30 started, shower – YES I had a shower… I normally hate them but it seems a lethal method of forcing yourself up. 8.10 Safeways again, groceries for Monday night and sandwich material for tommorrow. Make sandwiches for us both today.

YES I want Py to study all day!!

9.30 off to work. Arrive 10am – Christ I’m shattered and the day hasn’t started.

and finally

Posted on by

James arrives from Futon World and delivers are guest bed for the front room.

Peter from Burford’s puts a high-spec mortice lock on the door. The mickey mouse one could have been raided by a credit card shoved down it and window locks all round. Window locks apparently reduce burglary by windows in the UK to 0.6% of attempted break ins!

Day ends with crappy non-conclusive work meeting which pissed me off.

Computers are not hard to use – fact, PERIOD

Posted on by

“Computers are really hard to use, they’re not intuitive. they’re not obvious, they complicated and clunky and tend to do the wrong things at the wrong time,” said new media consultant Bill Thompson.

Bollocks
http://news.bbc.co.uk/hi/english/sci/tech/newsid_1502000/1502820.stm

Some people have just decided they like getting OLD. Well *uck you out there, I’m going to hang on to my youth as long as possible.

I believe age is just a STATE of mind.

More of the same

Posted on by

Monday, popped into work to set up a cron jobs I urgently need the results on, plus I want to take some time out of work Tuesday, so I thought a bit of time shifting was in order.

There was a bit of a rumble in Camp Cross today, so I just bundled all my hifi into the car.
Grandma was apparently very upset, tuff, I didn’t start the shit this morning.

Flat duty brought clean bottom cupboards. Kitchen stuff for 907 slowing going in. (907 was Py’s old Uni room number.) The top of the cupboards still need cleaning, but I needed to get the pots and pans inside. The tops I don’t think have been cleaned since the flats were rebuilt from what I can suss.

I’ve discovered the only way to crack the tops will be Jif cleaner (Unilever product) and a pan scourer.

ALL My finger tips are now sore!

Bank Holiday weekend

Posted on by

Saturday, we took “Brummer” to the crap yard.
MX, HW, Leona, Fred and Ros.

My mechanic very kindly lent me a fixed bar, but sadly Helga wasn’t up to it, so we used Fred’s Cavilier, Ros towed with HW driving and Ros did a cracking job.

The brakes on the Brummer went at Totnes Cross on the way to Nick Wayes. Good job it was a fixed towing bar.

Steam Packet for lunch – photos here.
4pm back home, changed, started the day in jeans and then roasted.

6pm back at the flat, cleaned the bedroom cupboards, 3 Jay clothes later. Clean and smelling good.
It took till 23:30 to do this operation. “major” Tim visited me from next door and he’s a little chatty. More on the major another time I guess.

Sunday, mowed all the lawns, strimmed the back banks.
3:30 leave for the council rubbish tip to drop the garden rubbish off. Going through town, steam out of bonnet, it had been raining, so I thought some that just dropped on to the radiator. hmm temperature needle isn’t moving down. Dump rubbish, bonnet up – oh shit, plug (temperature sensor) jump out of the cooling system. Water drained out of system. Pooh.

4:30 call AA, 5:15 “Steve” up, looks like O ring perished, unfortunately I didn’t loose a clip, but I did loose a washer which I suspect was knackered. Get it back to my mechanics, AA guy traveling behind. Someone who works there is working on their own car, raid the place for a washer, temporary fix till after the Bank Holiday.

6ish back at the flat, unpack all Py’s clothes.

Start on the kitchen cupboards….

10pm leave for late dinner – achievement, all the top cupboards are clean inside now. Bottom ones tommorrow.

Database Nation – a damned good read

Posted on by

I’m just squeezing in some tech light reading Database Nation in between the Nancy Kress Beggars in Spain trilogy.

I have learnt, that in the US, if you default on any sort of loan / credit card is the IRS screw up and even if it’s there fault it stays on file. It only goes off file after 7 years because of the Fair Credit Reporting Act of 1971. In some cases, people get refuse a mortgage and jobs because of their credit status, but the real problem is that as at time of the books writing, once in the system, the three main credit agency sub-sell their data to 117 other companies down the food chain.

The book narrates a real life horror story where one couple were reduced to one credit card company because of moving house twice, paying their IRS billing, the next two IRS offices loosing track of this. IRS serve $10,000 lien (reposs order), the renting tennant of one property is in shit with the IRS, so he’s doesn’t forward the letter. Next Position please, credit rating shafted and nobody actually calls and speaks to the people involved – they were abroad, they paid their tax, the IRS received it, the IRS had fucked up. Family doesn’t get to buy a new house for seven years. It could have cost them their jobs!

When the seven years were up the credit card offers came through like confetti.

They only seem to pass laws when a US politicans get there personal data abused. Example given Judge Bork, because a journalist got hold of Blockbuster records, but he didn’t find him renting any porn – so he was quite disappointed the judge was clean! So when somebody important gets shat on – que the Video Privacy Protection Act of 1988.

Other than that, carry on allowing credit card companies to send out pre-approved credit cards. It all seems a good money making racquet to cc companies, but the misery identity theft is causing there by their completely half baked dependence on the SSN number. Social Security number – completely beggars common sense.

I’ve learnt that DNA matching is only a science – it is not fact, we all share 99% of the same genome. The data set frequencies which determine a false positive could still be in dispute.

1% of the population share exactly the same DNA – identical twins. And in the US, that’s 1 million people. (In year 2000).

Fingerprints are good. So are Iris prints, they are fixed in utero.
Retina prints suck – for women they vary with pregnancy. New arteries and veins branch out.

Why is British Telecom in joint venture with IriScan, who have developed an iris scanner which can “capture an iris print of a person in a car driving at 50 miles per hour”?

Presumably this was pre-privatisation and done on behalf of DERA / GCHQ? I mean, it’s got shed loads to do with making telephone calls hasn’t it!

I’m a quarter way through – but I’ve got a feeling that the mobile phone is going to be the cool state tracking device.

60% of all phones sold in the US by 2001 have to give 911 a position accurate to 150 metres. So if you are Nokia and Motorola, you’re hardly like to leave this out of the chip set and Iraq, China and those other nice friendly regimes will want’em down 1 metre not 150!

It’s easy to work out A to B. And the world ahead looks grim.

Although Simon’s Garfinkel’s book is excellent it is very US, but with not enough rest of the world observations, I had the UK’s one and only photograph encapuslated credit card issued by the National and Provision Building Society. He seemed to think this would help with fraud, the Abbey National purchased the N&P then stopped the scheme, I wrote complaining, they said that credit card fraud represented so little lossage – the photo card wasn’t worth it. This is because in Britain we have a radio based system which distubutes stolen card information on a 3 minute turnaround, even my local petrol (gas) station has one.

I am greating looking forward to the other three quarters to go, because it looks like Britain has been too state regulated to make the same mistakes with it’s citizens data. Or a least just doesn’t flog it off to the private sector for direct mail profiling. Anti-terrorism and fraud I can cope with, but state organisations flogging the data to private companies is just plain bollocks.

In Februrary 1999 the South Carolina Public Safety Department (like DVLC in the UK) sold it’s entire 3.5 million photograph database to Image Data LLC Nashua, New Hampshire. For … $5,000.

The Washington Post subsequently discovered that Image Data LLC had received a $1.46M grant and technical assistance from the US Secret Service in 1998.

They appear not to have been the only other state to have done this either.

In you are into information security and social hacking/engineering – READ THIS BOOK!

Linen and pans

Posted on by

Busy shopping day

Popped into work to back up my email, then of to wet Plymouth.

Stop off at MFI – wow found this great shelving just like the Lunida/Skandia stuff Py & I like and it’s on clearance. MFI are stopping manufacture. Now if I take the 1m high end and cut them to 60cms I can put a TV on a corner section. Excellent. Grab brochue and prices. Offer probably end Sept 5th.

Arrive – Plymouth roasting hot. Rain gone away.

Bought from the co-op in a genuine British sale, none of the Value City nonsense (US), where nothing
has ever actually been that price, in the UK it must have been actually on sale for 30 days
at the inflated price before they can mark it down and call it a “sale” price :

Super King Size Duvet (for 6 ft bed πŸ™‚
Included two free pillows πŸ™‚
Duvet case + Two matching pillow cases
2 Egyptian plain cotton sheets and pillow cases for other pillows – non sale πŸ™
Underblanket – non sale πŸ™

We have bedding.

Then what do I discover – it’s Plymouth’s first French day.
20 or so French Market trades have stalls in the street.

One old guy owns and runs a French enamelling factory :-

http://www.region-normande.com/artisanat/region6/h6/emaillerie.htm

We now have :

A wok
Two frying pans – one very large for a Steve & Lee invasion, fry Sunday morning + a small one for us.
A steamer pan set
A plain source pan
A chip pan
+ couple of lids

Funny to think our market traders couldn’t do the same – our command of French is too crap.
Their English was excellent.

The Washer is down to three (all German of course, I love nearly all things German especially their cars) :

Miele £1,200 – expected lifetime 20,000 hours
Bosch £779 – expected lifetime 10,000 hours
Whirlpool £559 – expected lifetime 10,000 hours

Whirlpool 5 years parts guarantee extra £19!
So if it breaks down in the first five years – you only pay for labour.
3 day repair guarantee – if they don’t fix it in 3 days – you get the whole repair free.

Back to MFI – me thinks I best pop in an order for this stuff.
Go through order with “Kelly” – the computer says, out of stock.
So can’t I buy the display. / Neogiate with the Manager.
Oh no – Head Office have to approve that and he’s only covering.
They’ll sell of the display at the end of the clearance sale.
Ah – so you’re going to continue to let people look at the display and then try to order the basic components to find there out of stock?
I’m sorry I only work here.
“Kelly” promises to call round the other branches next with my shopping list of components. I on the other hand hold out ZERO hope.
She’s not in Tuesday and Wednesday, but doesn’t expect a reply from their Intranet before that anyway!
Now that’s confidence in your company.
It has a fully computerised EPOS with central warehousing and it’s going to take them 3+ working days to do an SQL query on 6 line items.
Me thinks MFI ripe for takeover – must check out moneywhispers.com and the Fool.

Half an hour wasted driving around working out how to get back to MF *cuking I, only to find their management couldn’t escape out of a wet paper bag.

Dinner
Dog walk – that was funny, Abi slipped her lead on Mother and tried to leg it back home
Watched BBC2 – 1990 in music and pop videos documentary – God I feel old
Stella Artois
Bath
Chat to friend in Canada
Chat with Py
This blogging
Time to brush teeth
Bed

Mr Baseball

Posted on by

Friday night unwound watching – Tom Selleck in Mr Baseball good light hearted flick. US and American/European cultural aspects of team and individualism.

Good because it shows a top sportsman going out on a good note then…. (You’ll have to see it)
And it true Hollywood fashion he just gets to keep the girl. (But that’s not giving anything away)

“Steven Spielberg wanted him to play Indiana Jones in Raiders of the Lost Ark (1981), but he was still under contract for the “Magnum, P.I.” (1980) TV-series. ” – I bet you didn’t know that “pop pickers” – “not ‘half”.

MX

god this is funny and VERY pythonesque

Posted on by

“Dave is a 27-year-old artist who works a night shift in a press clippings agency in London. He’s been getting into Flash recently, and Jada is his first effort. He has taken a large rabbit and combined it with a load of images that people had made on the Tsluts mailing list. Plus some fish. The result is, well, weird.”

Jada

Check out the egroup for B3TA

Somebody get this guy a NEW day job. Wake up Channel 4 and let him have a spot. He needs help fast!

Cooling beer in New Zealand, X on the PS2

Posted on by

http://www.asciimation.co.nz/beer/

X on the PS2

Spy Satellites? What Spy Satellites? Posted by michael on Sunday August 12, @05:59AM
from the no-see-ums dept.
mutantcamel writes: “This story at Yahoo says that the actual orbits of US spy satellites are not the same as the ones that the UN thinks that they are. The errors include a launch of a satellite that was never registered, and only two of the last ten satellites have been correctly registered. The errors are bound to cast doubts on what will really happen with the Son of Star Wars programme.” Heh, “errors”.

Looks silly but looks like fun (US only Oct 27th & Nov 245h 2001)

Posted on by

The Idea:

Inexpensive, yet surprisingly powerful laser pointing devices have become ubiquitous in America. Millions of people own such a device. Laser light stays coherent over vast distances, the beams spreading very little. In theory, even a single laser pointer could reach the Moon. The idea behind Paint the Moon is to organize millions of people in North America to try and shine their laser pointers on one area of the Moon at one time, to see if we can create a temporary visible field of color on our nearest celestial neighbor.

On October 27th at 11:00 P.M. EDT (10:00 P.M. CDT, 9:00 P.M. MDT, 8:00 P.M. PDT) and again on November 24th at 11:00 P.M. EST (10:00 P.M. CST, 9:00 P.M. MST, 8:00 P.M. PST), everyone who has a laser pointer and a clear view of the first-quarter Moon should turn on their pointers and aim them at the moon, just behind (to the left, or East) of the terminator (the line where the sunlight stops). The illustration at the top of this page shows approximately where you should aim. Continue to shine your pointer at this spot for five minutes. That’s it.

http://www.paintthemoon.org/

I *think* this really is a .com to *watch* – keen.com

Posted on by

http://www.keen.co.uk/
or in the US
http://www.keen.com/

MSN back it July 2001
As do AOL Aug 2001

Fortunately, some entrepreneurs haven’t checked out of the asylum yet. Take Karl Jacob, CEO of the online-advice service Keen.com Inc. After a short stint as an entrepreneur-in-residence at Silicon Valley VC firm Benchmark Capital–where he admits he didn’t believe in eBay at first–Jacob started Keen. His aim was to get people to log on to the Web to locate experts on everything from astrological readings to computer repairs–and then pay to consult with them over the phone. Weird as it sounds, it’s working so far: Sales at the privately-held company have jumped from almost zero a year ago to more than $5 million in the first quarter. Says Jacob: “You can’t create lasting companies and great value by following everybody else.”
Business Week June 2001

“Keen’s revenues from the first quarter of this year are more than the total from all of 2000. Using the first quarter as a guide, the company projects that the total transactional revenue for 2001 will be about $25 million, which will be split between Keen and the speakers.”
Red Herring give Jacob thumbs up June 2001

Keen’s Press Release page