Posts filed under ‘Society’

Security Without Idiocy, Part 2.7

This is part of a series.  You may see earlier entries in this series:
»Part 1
»Part 2
»Part 2.5

Personal Responsibility

The message of part two was that users need to understand what is happening and take personal responsibility for their actions and the effects of their actions.  A good way to picture this is to imagine if people behind the wheel (that is, drivers of automobiles) could say "The security guy did not tell me that ignoring traffic signals could cause me to collide with a school bus!  They should make cars automatically stop when a school bus is coming."  Sounds stupid, doesn't it?  Most people understand that (1) actions have consequences, and (2) that ignoring traffic signals can cost someone's life.  Since computer networks can be just as powerful (and therefore dangerous) as motor vehicles, the same idea applies.

Today's Application

Have you ever seen that commercial for Southwest Airlines where someone opens an e-mail attachment and infects the entire company network?  That illustrates a potential effect of opening files that come from another computer.  Of course, reading this site is nothing more than reading files that come from another computer, so you have to make some decisions about which ones to trust.  Most of us have an uncle or friend that has never thought about restricting what kinds of messages he forwards.  We then have some people that seem to be over-paranoid about what they'll send or forward or even open, and the vast majority of people, who fall somewhere in the middle.

It does not make it easy, and that is the point.  There is no "quick and easy guide to computer security", just as there is no such guide for securing your home.  You have to use common sense to modify the suggestions of local law enforcement so that the result fits well with your lifestyle.  It is the same with the computer and the network.

You may have installed a front door that automatically locks when you leave. (If they do not already have those, I’ll file a patent on it–it is only a matter of time before they come out.)  If you frequently walk outside without your key, then that door does not fit your lifestyle.  You have two choices: modify your lifestyle by carrying your key with you at all times, or replace that lock with one that requires you to intentionally lock it.  Online security is no different.

One place where we can improve is on these automatic password remembering systems.  Note to the I.T. community: requiring thirty different passwords in order for users to do their daily business is idiotic.  It pretty well guarantees that the users will have to devise some way to reuse passwords across sites as well as encouraging the use of software password memory systems.

I was at the local library one day, using one of the public-access Internet computers.  I navigated over to one of the popular Web-based e-mail services, where a previous user had forgotten to uncheck the "remember logon info" box.  Taking that computer to the mail site immediately logged me into that user's account.  The purpose of a password is to restrict use of an account to someone who knows the password.  As soon as you start using this kind of checkbox (or the corresponding software, often built into your browser), you have defeated the purpose.  You will notice, however, that it is checked by default in at least one of the major services(*cough* Hotmail *cough*).  If you use this functionality in a public-access facility, you have signed up to have your account hijacked or taken over.  Fortunately for the user in question, I was able to log him / her out and turn off the memory function.

Apply Common Sense To Software Licensing

No one reads the legalese of software EULAs and service agreements, but we have to use some common sense.  If the price seems to be out of line with competitors, find out why that is.  Are you agreeing to accept spyware and adware?  Is it a trial that will require a full-price purchase later?  Is this an ISP that will hijack your connection to infest the pages you download with ads (in addition to or instead of the ads that support the content provider whose site you are visiting)?  Is this a limited-bandwidth or limited-use offer?

Does the legal agreement seem to be longer than usual?  Who are the parties to the agreement?  (This should be in the first few paragraphs.)  What legal system does it fall under?  Nearly all such agreements are designed to give all rights to the provider / vendor and take all rights from the purchaser / consumer, so if you get any feeling that the other party is malicious, refuse to agree or to use their product or service.  Otherwise, you may find that you are legally obliged to continue paying for the privilege of using something that you can not or will not use.

Does the product contain TUR (technological usage restrictions, often euphemized as "digital rights management"), removing control of your equipment from your hands and giving that control to a content provider whose interests are opposed to yours?  Have you had to purchase multiple copies of the same song because you listen on different devices?  The unskippable previews and warnings at the beginning of DVDs and things like region-coding are only the beginning of what is possible with TUR techniques, while the Sony rootkit scandal of a few years ago is an example of the security risks associated with TUR.ౘ If I was a bad guy in Russia or China, for example, I would be working on misusing the TUR of HD-DVD and BlueRay so that users would have to e-mail credit card info in order to watch a movie.  Of course, I would claim to be Microsoft, since their "activation" process appears to be much the same thing anyway.

Health Risks

We know from surveys that a significant number of people do not wash their hands after visiting the "facilities".  We also know that this can pass disease organisms from person to person.  You may be the one who does your business and gets up and leaves, while someone else may wash vigorously under painfully hot water for a minute or more, followed by putting on latex gloves before he or she opens the door.  It is all about what level of risk is acceptable to you and how much contact you have with other people.  Please, if you do have much contact with other people, go ahead and wash your hands.  The gloves are unnecessary, but I recommend a good thirty-second wash as a courtesy to others.

Wrap Up

Ultimately, there is no such thing as perfect security or safety.  Instead, we have a range of perceptions of riskiness and different people perceive riskiness differently.  The key is for each user and each organization to decide on the acceptable amount of risk and act to contain riskiness within that level.

Mandatory disclaimer: I am not a security guru, nor a lawyer.  This is not security advice.  This is not legal advice.  This is not medical advice.  This is not accounting or bookkeeping advice.  Your mileage may vary.  Consult dealer for details.  Taxes, registration fees, and dealer preparation fees extra.  Consult a doctor before beginning any diet or exercise program.  On approved credit.  Not all buyers will qualify. 

Tuesday, 2007-July-17 at 15:27 1 comment

Security Without Idiocy, Part 2.5

This is part of a series.  Older posts are here and here.

I was trying to look up my pay rate on an internal site at work.  I had not logged in recently, so I could not recall my password.  No problem, there's a "send me my password" link.  Only, it takes three to four weeks and sends it by snail mail to my home address.  I recognized this as a so-called security feature.

Now, I am presently over 2700 miles away from home, on the other side of the country.  If I was home, I could just read it off of my pay stub.  But that isn't what bothers me the most: what happens each year in March and April?  Thieves steal tax refund checks from mailboxes.  What is one of the ways identity thieves get your information?  They steal those unsolicited credit card approval offers from your mailbox.

What are some alternatives?  Send it to my internal e-mail address, where only I can pick it up.  Call my telephone number (in my personnel records).  Call my next-of-kin (in my personnel records) to find out how to get it to me.  Tie it into the login name & password I already have.  Call the office nearest my home and ask someone there where I am.  Just do not send supposedly secret information in a way that may or may not arrive and then once it arrives, may or may not be stolen before I collect it.

Monday, 2007-July-16 at 20:22

Independence Day Greetings

Today is Independence Day, the anniversary of when the Continental Congress approved the Declaration of Independence, which is the foundation for the freedoms that are enumerated in the Constitution.  In a society based around individual freedoms, we have to recognize that our freedoms are constantly threatened from within and without.  If you view our freedoms as coming from the Supreme Court, then those freedoms will be subject to removal at any time by that court.  Watching the Court's back-and-forth movement on any contentious social issue (e.g., Guantanamo) does not inspire the greatest confidence that they will continue to uphold our freedoms.

We face threats to our freedoms from external sources, but many of those threats have arisen as reactions to decisions our own leaders have made.  Here in the Western Hemisphere, for example, there were multiple military actions where our forces invaded to stabilize a banana republic.  It just happened that those revolts threatened the control American businesses corporations had over those nations' economies.  A nation's economic assets must be managed for the good of its citizens.  One of the big reasons we are an independent country is because our national assets were being managed to benefit the British East India Company rather than the local citizenry.

Our nation is not doing so well right now.  By giving corporate organizations rights as though they were individuals (albeit very wealthy and long-lived individuals), we have given them super-citizen status.  This also gives corporate leaders the idea that they are immune from the laws that apply to the rest of us.  It then spreads to those involved in financing (through stocks and bonds) and those involved in regulating (that is, politicians and the heads of regulatory agencies) corporate activities.  Examples abound, but the way that Microsoft is manipulating the political process to force our state governments (and their citizens) into economic slavery (using Not-so-open XML to lock out competition in the office software space) is going to be taught in our B-schools for many years.  As a California resident, I am really disappointed in our Legislature for caving in so easily.  Similarly, the big telephone and cable monopolies are fighting Net Neutrality, trying to force the small businesses that provide most of America's jobs out of the online market ("e-commerce").

The gravest threats we face come not from foreign attackers hiding in caves, but from internal groups that seek to protect us from some perceived "threat".  These range from law enforcement and other agencies that wish to monitor every move Americans make to watch for the slightest sign of unpatriotic thought or criminal intent to those who suppress individual expression in the name of protecting someone from exposure to someone else's beliefs, to those who believe that schoolkids lose their constitutional rights to freedom of belief and freedom of expression as soon as they enter the schoolyard that they cannot legally refuse to enter.  This even happens to college employees.  Some even want to censor or at least edit the Declaration of Independence, because it mentions that our rights come from our Creator.

MJ and I discussed freedoms and patriotism today.  My view is that it is patriotic to talk about why you think high schoolers should be able to wear shirts that say "Bong Hits For Jesus", even though I have never used drugs and am very Christian in my outlook.  I also believe that someone who legitimately wishes to express himself by burning a flag should be allowed to do so.  Why?  Because you are not free to honor and respect a flag that you cannot likewise dishonor and disrespect.  I don't like it, just as I wouldn't like that T-shirt.  But we have far more serious problems in this country than someone who wants to express an ungrateful viewpoint.  Why don't we skip the speck in the eye and deal with the log in the eye, as a very famous person once phrased it?

Wednesday, 2007-July-04 at 16:24

Security Without Idiocy, Part 2

Second in a series.  The first part is here.

I'm not a security consultant.  Far from it.  Much of what I know about security comes from books and magazine articles.  When I want to know more about security, I read Bruce Schneier's writings, such as this blog article.

However, when we think that security is suddenly different once we are talking about computers and networks, we are being foolish.  We already know what it takes to be acceptably secure in real life.  Why would we think that IT security would be much different?

Arms Race

When I was in junior high, I had a combination lock with the three numbers and the "turn all the way past zero to the number" method of opening it.  It took too long to get the lock unlocked in the crowded halls between classes, so I could either lug all my stuff with me all day or find a faster way to unlock the combination lock.

My solution was to go ahead and dial in the first two numbers and then set it at zero, so that I could quickly turn to the third number.  Before the school year ended, someone else had discovered my secret.

After that, I discovered that it was better to be slightly late to a class than it was to suddenly have all your gym clothes, school supplies, and even some of your text books stolen.  That is, shortcuts are not always acceptable if they increase the likelihood of an unacceptable cost.

I was in high school when I first saw a new kind of lock, based upon a magnetic code in a rectangular piece of metal that was placed against the lock in a particular location.  Over the years, there have been numerous new locking devices invented, and with each one, people have found ways to defeat them.

Even without getting into the history of military weaponry and armor, it is still clear to anyone who cares to look that any time there is a new and effective defense, work immediately commences on finding ways to overcome it.  Likewise, any new and effective offense spurs opponents and potential opponents to seek ways to defeat it.

When Ug and Og stood 20 paces apart and threw rocks at one another, one of them recognized that he could hold something up in front of him so that his opponent's ballistic projectiles would be less likely to strike him and hurt him.  It is likely that the other one then tried throwing two rocks at once or perhaps running up to his opponent and striking him with the rock or maybe even imitating his opponent's tactic, evening out his advantage.

Thus, you should not expect any particular tool or tactic to remain effective over a long period of time.  Just as con artists develop new ways to hook victims as people learn to avoid the old ways, in any sphere of endeavor, your opponents will seek to alter their approaches in order to gain advantage.  It should be expected, just as invaders led to walled cities, which led to catapults and siege engines, which led to moats and castles, which led to ….

Just as it is effective to give people realistic facts about potential dangers they may face in this life and tactics that may be used if said situation arises, it is likewise effective to do the same in the computer and network world.  I disagree with those who think that we should teach users to push all their security concerns onto someone else.  Instead, we need to help users to accurately understand what behaviors are more likely to lead to undesirable results.

The most insecure part of a system is its users.  It is sheer idiocy to think that putting all security-related concerns in the hands of "experts" will fix the problem.  Instead, involve users in the process of protecting the system against malicious activity.  Explain to them how unsecured computers on high-speed connections are taken over to spew out spam and how they can help avoid becoming an unknowing part of the problem.  This includes explaining that what worked last year may not be good enough this year, as new attacks and countermeasures are continually being developed.

Saturday, 2007-June-23 at 16:56

Security Without Idiocy, Part 1

This is, I believe, going to be a series.

Let us begin this way.  When I was in high school back when cave men still walked the earth, there was some creep that killed some girl scouts at a camp.  Their reaction was appropriate for the situation—they shipped the survivors home and canceled all scheduled camping in that state for the rest of the Summer.  I believe they evaluated the environment and made a few changes.  Ultimately, I think they recognized that there are not thousands of these guys out there waiting to attack teenage girls in their sleep, and so it would have been extreme (and costly) to hire armed guards to patrol the outskirts of the camp in order to prevent such an occurrence.

Fast-forward to this century.  We are so extreme about preventing the slightest risk that we have people who want to force children who wear those wheeled shoes to wear pads and helmets.  Of course, pads and helmets are not foolproof, so when someone gets hurt wearing a helmet, we will then force helmet-making companies to make their products bigger, thicker, and heavier.  Eventually, our children will be armored like the Star Wars StormTroopers.  At some point, we have to decide what levels of risk are acceptable, because even in full armor, people will still get hurt or killed.

In the meantime, we are afraid to allow our middle schoolers to walk a mile home from school or to play outside, so we are creating a generation of overweight, fearful, risk-averse people.  Without putting risks and dangers into perspective, any harmful event results in new restrictions on what is allowed, without any real improvement in security.  There are some dangers that you can lessen or prevent, but there are many more that you can not affect at all.  A few years back, a local teen died (and two others were injured) when the spoon he was using to eat ramen noodles was hit by lightning.  Should we then require that all youth eat from plasticware to protect against this kind of event?

Now let's consider this in the context of Web browser security.  I was on a Linux laptop (not my usual laptop) a few years ago, using Konqueror to visit a Webmail site that was not one of the big three.  I moved the mouse pointer across a banner ad on the way to the "Log Out" button when it popped up a JavaScript box: "Install IE Toolbar?" and of course, I immediately hit the enter button, since I was so used to getting these pop-up security messages that I instinctively hit enter before I considered what they said.  Fortunately, it responded, "Unable to find Internet Explorer" and quit.  The point is, rather than giving us modal dialogs for trivial events, we need visible but non-intrusive indicators to tell us (for example) that we are entering or leaving a secured site.  Save modal dialogs for real dangers, such as phishing or malware sites.

Computer security can never be perfect, because at some level, we have to depend upon humans that are imperfect.  We can overreact, making everyone that goes through airports remove their shoes and dump out their shampoo (except for a tiny quantity in a plastic bag), but this reactive strategy puts us at a disadvantage and only serves to make us more and more paranoid.

An example of this idiocy would be requiring passwords like A5!n%G94d.  In theory, this makes a better password, because it does not spell any words.  In reality, this password will force users to write their passwords down (with the likelihood of losing or leaving said password in a place where another person might find it).  I was logging into my mobile phone carrier's site to check my balance, when they prompted me to enter additional "security" information, such as my first pet's name and grandmother's maiden name.  Since I do not know all of this information, I opened another browser tab to search for it.  You guessed it—most of this security information was publicly available on the Web.  I fired off an e-mail message to the company's technology support staff, but I have not received any response.

Have you ever discussed your hobbies, your children, your pets, or your genealogy on any online forum or message board?  Have you been registered with and participated in one of those school / college / military / employment reunion sites?  If the answer is 'yes', anyone can find all of the information necessary to answer those supposedly secret questions.

In general, I think we have to accept the fact that some risk is built into life.  You can cage your daughter up in her room until she is 18, but then she will walk out the door with no ability to decide for herself which situations present unacceptable risks.  Either she will lock herself in her apartment without human contact, or she will travel to Hollywood to sell her body on the streets.  If you think either or both of those are unacceptable, you’d better start giving her a realistic perspective (and exposure to real life) now.

Sunday, 2007-June-10 at 09:55 4 comments

Coded URLs Patented!

Just when I thought the U.S. Patent and Trademark Office might be turning around, they go and surprise me with this one.  Patent number 7,197,478 uses coded URLs to automate single-click reordering.

I know what you are thinking.  You are thinking about all of your e-mail newsletter subscriptions that have user IDs embedded so that they can personalize the newsletter to your habits and preferences and track whether you actually read what they send you.  But that does not count, because it doesn’t insert your credit card into an order form.

Initial ordering information including payment by credit card, PayPal or other payment mechanism, delivery or pickup information and product data is encapsulated in a coded URL. An icon representing the order can be inserted on the desktop, as a favorite browser setting or on the quick launch bar. After that, one click submits any repeat order.

Now isn't that innovative?  Please join me in standing and saluting QuikOrder for their bright engineering staff, who must have spent many months working around the clock to create and perfect this concept.  Like you, I can feel America becoming more prosperous at this very moment.  Surely, with inventive companies like this at the forefront of American business, we will soon see foreign companies volunteering to become subsidiaries to our great and innovative elite companies.  We beam with pride as we contemplate the possibilities.

Sunday, 2007-May-20 at 16:14

Small Businesses Are The Inner Cities’ Only Hope

It is already well-known that one of the major problems in our inner cities is the astonishingly low income levels of local residents. This more or less forces many residents into the underground economy (deriving income from illegal activities), as it is not possible for them to support themselves otherwise.

Yes, there are serious drug, gang, and other crime issues. Some of these are effects of pervasive social issues. A study published by the Upjohn Institute for Employment Research [PDF] in 2000 found that a part of the problem with inner-city economies is a “spatial mismatch.” This is the idea that most of the economic development occurs around the periphery of cities, causing “environmental damage, congestion, and labor shortages at the periphery, and poverty and neighborhood deterioration in the central city.”

However, the study’s solution does not really solve much. At least in Southern California, many residents already spend two to four hours each day getting to and from work. Many residents of areas like the Inland Empire and High Desert are already seeking local opportunities before their vehicles wear out.

Regional solutions are needed, but those solutions must encourage business development to occur closer to residential communities, and encourage employers to seek nearby residents for their workforces.

Milwaukee’s Journal-Sentinel has an editorial that puts this into a more practical perspective. While trying to recover from the loss of industrial firms, the city must still cope with its economically stagnant inner city. “Income per taxpayer, adjusted for inflation, in one ZIP code alone on the city’s increasingly troubled northwest side, was down 7.7% in one year. Meanwhile, the gap between city and suburban incomes continued to grow.”

When I was driving to a federal office in the Los Angeles area every day, I was leaving at 4:45 AM in order to arrive by 7:00 AM. Why? Because around 5:50 AM, a place I needed to pass where another freeway met the one I was on suddenly jammed up. At that point, it took more than an hour to travel the last 17 miles of my 90+ mile journey. It took longer to travel the last 17 miles than it did to cover the first 78 miles.

The Upjohn study suggests:

These problems are distinct because neighborhoods are not job markets. Most Americans do not work in the neighborhood they live in. Research suggests that relatively few of the jobs created by inner-city economic development are likely to go to inner-city residents. Rather, these jobs will go to workers living throughout the metropolitan area.

This is one of the problems with being dependent upon larger companies as the foundation of the regional economy. A vibrant community is likely to have a proliferation of smaller businesses, many of which will be owner-managed businesses, along with some medium-sized and larger businesses among the mix. These locally-owned businesses are much more likely to hire nearby residents. Now there is definitely something positive about having a certain percentage of the people who work in the area coming from outside–these people are going to spend money in the area’s restaurants, for example. Yet, if that percentage rises too high, then neighborhoods become ghost towns after 5:00 PM, with no businesses or services remaining available in the evenings for those who do continue to live in that community.

We have to find a balance. I suggest that the balance is for communities to encourage, support, and even finance locally-owned small businesses. This, of course, should not be a blank check or given without strings. For a certain amount of loan guarantees, a certain number of locally-resident employees should be maintained for a particular time period (which should be at least one to two years). In order to qualify for a larger guarantee amount, both the number and the time period should increase. Perhaps percentage targets are more appropriate: 50% for the first guarantee level, 75% for the second, and 85% for the third, with some numerical “floor” to qualify.

[This would also be helpful in areas such as the Victor Valley and Barstow areas (in the High Desert of Southern California), where there are miles of housing areas, but employment is usually obtained by commuting to other communities.]

If inner-city economic development won’t help the central-city poor much, should the government encourage inner-city economic development? Yes, because business development in the central city vs. the periphery causes different community spillover effects. On the periphery, new business development causes environmental problems and congestion and may require costly infrastructure. In the center city, business development may help improve amenities and safety in inner-city neighborhoods and also the city’s tax base. Private investors do not take account of these 2 spillovers. Government can encourage business to take account of these spillovers by providing central-city business development with public subsidies.

By placing smaller businesses at the center of economic development and ensuring that these job sources are in proximity to employee pools, we can do more than that, especially if we provide employment training that is directly tied to a particular employers requirements. If company X needs 15 employees that can operate a particular type of lathe, we train 15 local residents and they go directly into company X’s workforce. Now, there will have to be social programs in those areas, including financing, so that local residents can become owners of their homes (perhaps turning housing projects into resident-owned condominiums) and begin to experience the “pride of ownership” that will lead them to help prevent graffiti and other property damage.

A more recent study, from the US Small Business Administration, claims that “Small Business Drives Inner City Growth And Jobs.” We should not be surprised, as larger businesses have to consider locations that can pull in employees from a wide area. They choose freeway crossroads, for example, if they are retail-based, so that employees and customers can drive from all over the metropolitan area.

“This report demonstrates that local entrepreneurs are not only the backbone of inner city economies but their strongest source of new jobs,” said Steve Adams Region I Advocate for the Office of Advocacy and formerly the Director of the Center for Urban Entrepreneurship at the Pioneer Institute. “Policy makers should take note of these findings showing that supporting new and established entrepreneurs in inner cities should take priority in their urban development strategies.”

Again, not surprising, except to those who have been lured by the siren song of the large corporation. Local business, local employees, local tax revenues–what is so hard to understand about that? It is a “slam dunk,” a win for all concerned.

technorati tags:

Blogged with Flock

Monday, 2007-March-19 at 23:45 1 comment

Older Posts Newer Posts


RSS Unknown Feed

  • An error has occurred; the feed is probably down. Try again later.

RSS Unknown Feed

  • An error has occurred; the feed is probably down. Try again later.

RSS Owner Managed Business

Archives

Recent Posts

Blog Stats

  • 586,650 hits

SUBSCRIBE


Follow

Get every new post delivered to your Inbox.

Join 149 other followers