| wiman.us | Home | Site Index | |
| The current rant about technology | |||
A new poem about Microsoft security and other oxymorons. This bit of doggerel came to mind as I thought about the new IIS vulnerability that is thought to be written by Russian professional hackers:
Microsoft's record on security issues
is so bad it beggars description
Consumers don't know, or they little suspect
how open we are to destruction
And deception, illusion, and adware intrusion,
and malware of every kind
We get viruses, hackers, and script kiddie slackers
as our work falls ever further behind
Thanks to Outlook, Explorer, and a shaky OS,
new vulnerability every day
IIS, RPC, and active X too,
continually open the fray
What to do about Windows, and the stuff that goes with it,
while we wait for the big one to hit?
Buy rubber boots, and a sturdy raincoat,
for the day when the fan hits the shit
Baffled by a simple vocabulary test
Ok, I will admit to not being the brightest bulb in the box, but this
one has me totally baffled. I am a network support person at a university,
and I had a problem with the university-supplied DSL connection to our
house. I called the university help desk for advice. When I do this, I'm
usually picking their brains so I can help other people in our department
so they won't call the help desk. I'm doing them a favor.
I described my situation to them, including the use of a firewall/router at my home. I was reflexively informed, "we don't support routers." They didn't want to hear any of the benefits to them of home users using firewalls - they just kept repeating the mantra, "there are too many routers out there, so we don't support them. You shouldn't use one at home."
So here's my problem: I'm trying to think of a charitable adjective for the practice of discouraging home DSL users from using firewalls and... I can't! Even with a reasonably wide command of the English language, the only words that come to mind are "asinine" and "moronic" and "myopic." It's like the last few months of network worms just didn't happen... or they didn't learn anything from it. With all the person-months they've spent fighting worms recently, they just don't get it.
True, a firewall won't keep a computer safe from user-initiated viruses like MyDoom. But network worms like Sasser go looking for computers to infect: the user doesn't have to click on anything. As a rule, they won't infect non-Windows computers like Macintosh or Linux. Nor will they infect a firewall... which is a computer, however simple. It just runs a small embedded operating system that is simply not vulnerable to the worm.
It is also true that a currently patched computer won't be vulnerable to most exploits. This is why I encourage people to go to Windows Update every week. But patches sometimes don't install properly and people do forget. Auto-patching often does not work. So wouldn't it be ideal to make sure the inquisitive network worm never even gets to talk to the vulnerable computer in the first place?
I finally pulled the answer out of them, which was preposterously simple... it took me all of 1 minute to fix it once they gave me a little clue. And now that I know it, if any of our staff call me with that problem, I'll be able to fix them right up without even bothering the help desk.
Desktop support isn't that hard . . . unless you go out of your way to make it difficult. Such as, folding your arms and saying, "We don't support the way things really are on the network."
It's high time we took a hardware approach to network security. The idea of a firewall is simple enough: place a simple computer between the network and the one you are trying to protect. The simple computer acts like a mean-spirited secretary: it only allows communication with the boss according to certain rules and across certain channels. You don't get to talk to the boss: you just talk to the secretary, and you only find out what she wants you to know.
Firewalls are very common. Almost every home DSL router has a simple firewall in it, but some are even quite sophisticated. If a hacker tries to query the line to that house, he only ends up communicating with the firewall, and it isn't much of a conversationalist.
Let's take that one step further: every network interface card (NIC)
should have a firewall computer built-in. It should really consist of
two network cards: one for the boss computer and one for the firewall
computer. The firewall computer should be logically separate from the
boss computer, as in an actual firewall situation. 
Building
them all on one card is simple enough and does not change this.
The firewall computer, just like any other, should only allow communication across certain pre-determined ports. Additional ports can be opened one-at-a-time by a skilled network administrator working through a web browser to the firewall computer. The firewall computer should be able to perform full network address translation. It should perform stateful packet filtering. In other words, it should compress all the external "stuff" of a firewall computer to a small part of the plug-in network card. (See my artist's conception at right. Yes, it's true that I really don't know what a machine gun looks like.)
A card like this would cost about $100 retail, maybe $150 if it were fairly sophisticated with a lot of memory. And there'd be none of this trojans communicating across a bunch of non-essential network ports, PERIOD.
It's easy enough to do this now, but at the expense of wiring another box into the network connection, with attendent complexity and cost (most of which resides in the support, not in the gadget itself.) Granted my NIC-firewall card would require support, but it would eliminate several wires, possibly an extra monitor, and it would greatly simplify engaging firewall function.
How about it, 3COM?
Think gay marriage is wierd? Just you wait...
A British consultant named Jim Wightman has developed a software agent that engages in chat room conversations to look for pedophiles. The agent, called a "Nanniebot" poses as a child as it searches for adults posing as children. When it spots subtle incongruities and patterns characteristic of a pedophile "grooming" an online child contact, it copies the entire conversation to a human agent for review. It's amazing enough that a software agent can analyze chatroom conversation for pedophilia patterns, but ... this is the first example I know of where anyone has passed the so-called "Turing Test." The famous test is a thought experiment to answer the question: "can computers think?"
The basic idea is that if a computer can fool a human on the other end of a conversation, then it really doesn't make any sense to try to distinguish what it does from "thinking." The Nanniebots have reportedly fooled conversants in chatrooms for hours at a time. Notwithstanding that the subject matter is very limited (youth culture) it is an amazing feat. It heralds the day when you really won't know if you're conversing with a human or a computer online... or perhaps even on the telephone.
One cannot help wondering what would happen if two Nanniebots (in the employ of two different agencies, perhaps) got to chatting with each other...
Wightman wants to prevent anyone from profiting from his technology, though he's been offered "huge sums" by some companies. Ahh, Jim, you just don't understand capitalism - take the money, already! You can still use the technology to fight bad guys, and companies will get rich at the same time. They'll do it without you if you don't sell.
Another project is underway at the MIT Media Lab to create a program that responds to human emotions, acting as a surrogate coach, friend, or even lover; exhibiting "caring behavior" and looking out for the human on the other side of the screen. Some participants in the study find the software agent avatar so convincing they're ready to take it home and forsake actual humans. Sooner or later, someone is going to build that program into a robot, and some new legal ground will be tested as marriage is redefined once again...
21
February, '04: A running debate in tech circles is that
some tech people think Microsoft is just great, while others say the Redmond
giant produces terrible products propped up by marketing hype. People
who espouse the latter point of view are disparaged as "Microsoft Haters"
as if calling someone a name makes their point untrue.
The general public just doesn't realize HOW BAD Microsoft's products are, as they fret and fume at their computers and complain about "technology." But there is plenty of evidence that the corporate culture at Microsoft simply can't produce a good product. Microsoft keeps saying "We Get It Now" (which is a pretty clear admission that they didn't "get it" before,) then turning around and proving that they still don't "get it." Examples of this include their chairman's many pronouncements that MS Windows would become a secure operating system, followed by revelations of easy ways people can take over your MS-powered computer from outside.
One such irritation has always been the dismal quality of HTML code produced by Microsoft's website authoring tool, "FrontPage." FP has a well-deserved reputation for producing garbage, convoluted, difficult-to-maintain code. Web developers who want to avoid this problem use Macromedia Dreamweaver, or any number of free or cheap HTML editors that don't screw up their code.
Understandably this annoys Microsoft, which fancies itself a groovy web-hip company. So in FronPage2003, they really, really tried to produce the clean code everyone else has been producing all along. Here's an ad for FP2003:
For those who don't know HTML, line 28 in their clean-HTML-code advertisement ... is a serious HTML error. They started a paragraph with a "close-paragraph" tag. Oh, well...
14 February, '04: The New York Times' recent article, "Geeks put computer unsavvy on notice: learn or log off" has blown open a touchy topic in the world of tech-support: dealing with users who seem to cling to ignorance and devour all the geek's time as a result. The latest virus "MyDoom" can't infect computers by itself - the user has to click on it.
If
this were the first time a virus of this type had come along, geeks might
be more tolerant, but after rescuing the same people time after time,
the charm of being a hero wears a bit thin. Here's a cartoon from the
Illinois State University Vidette that sums up something that is apparently
a difficult point for computer users:
This cartoon doesn't cover all the technical points - for example, you can bet the little fish is using Microsoft Outlook as an email client - but it perfectly conveys the idea that the user's security is very much in their own hands. Or fins, as the case may be.
The New York Times article did expose the dilemma of the geek who is trying to keep good channels of communication with users, however. Coming on too strong is certain to cause the user to stop listening to the geek, which would be disastrous.
Alas, some users pretty much just act annoyed when it turns out that cutting-edge technology is a little bit complicated. They still do not understand that what they do on their little computers - especially if connected to a high-speed line - affects other users and even entire businesses. Once their computer is infected with the virus, it sends out millions of copies to other email addresses, and the infection exponentially.
(Thankfully, this is not all users. Many strive to be responsible citizens of the 'net, and our job would be impossible without them.)
The economic costs of just this one virus alone so far is in the neighborhood of $250 million. That translates into a lot of people who can't get their work done, and not all of them are office workers - some are police dispatchers, home care nurses, researchers trying to stay ahead of epidemics, probation officers, schoolteachers, and so on.
28 January, '04: I have an idea for a new reality TV show: "When Legislators Attack!" In the show, ordinary people would go about their everyday lives, and then state and federal legislators would screw it up for them...
The state of Illinois just joined the "techno-illiterate legislators" club with their new regulations for data security on discarded computer equipment. The basic idea is a good one, that discarded state-owned computer hardware should have all data removed. Computer technicians know how to do this efficiently and effectively, and the Department of Defense (DOD) has a standard that everyone uses. But that wasn't good enough for Illinois.
| "Hmm, it says the Pentagon requires erasing the drive 7 times - maybe we better make it 10 times just to be safe." | |
 |
The DOD standard requires using a drive-erasing software tool to overwrite the data on the hard drive 7 times. There is free software available that does exactly this, which should be good enough for you and me, and the state agency down the road.
But nooooo... the state of Illinois legislature, in PA93-0306, section 20, specifies that magnetic media shall be erased "at least ten times." Apparently Illinois' stuff is 1.43 times more secret than Pentagon stuff.
Mind you, this does not confer any additional security. After being erased 7 times, only the most advanced data recovery methods (such as at the NSA) would have any hope of getting any data back. When the data is gone, it's gone. The extra 3 passes don't make the data any "more goner." But it does make a big difference to strapped state agencies that have to cope with the regulation: the free software only erases 7 times or 30 times (which takes a lot longer). To specify erasing 10 times, you have to buy the professional version, which ain't cheap.
Why not just use the free software and erase 30 times? Erasing 10 times takes about 45 minutes per computer. So 30 times would be over two hours, and time is money. This is an unfunded mandate: no money is provided for compliance - only penalties for failure to comply.
So let's review: state agencies have to buy the more expensive erasing software, then pay technicians to use it. Plus, it takes about as long to fill out the sticker that has to be attached as it does to set up the computer to run the software: you have to fill out the agency name, the serial number of the computer (which makes no sense since the sticker is attached to the computer in question... and many white-box computers don't have serial numbers), the software used to do the erasing, who performed the erasing, the date, and then sign it. Then the sticker has to be placed on a certain place on the front of the computer, and the computer has to be stacked on the pallet in a certain way for shipping so the sticker is visible.
I believe that places us squarely in "onerous-regulation-land." It proves that legislators should be given soft toys to play with, and supervised when they cross the street. And it proves they should never, never be allowed to play with technology: it's just too much for them.
One other thing: the law states that computers must be erased if they are to be sold, disposed of, or "relinquished to a successor executive adminstration." Ahh, I get it now. Wouldn't want the new governor - or any special prosecutor - to read the old governor's email, eh?
14 January, '04: Most of what we need to know about space exploration policy, we can learn from old Warner Bros. cartoons. Just for example, take the famous cartoon in which Bugs Bunny is lured onto a Mars rocket by the promise of a carrot. The rocket takes off and he is told by radio that it's now his job to represent Earth on the red planet.
Bugs asks ground control; "Eh, why send a rabbit, doc?" The speaker jumps out from the wall of the rocket cabin and yells at him; "BECAUSE RABBITS ARE EXPENDABLE!"
I bring this up in the vain hope that George Bush has ever seen the Bugs Bunny cartoon in question, and might remember that in times of record deficits, ROBOTS ARE EXPENDABLE! It's much, much cheaper to send robots than humans to Mars because a robot needs none of the life-supporting amenities that human astronauts need.
It isn't that humans aren't expendable: we are. We expend human life all the time for lots of reasons: to fight wars, study volcanoes, cover news stories, or even to enforce the law. We often trade human lives in the realization that perfect safety costs hundreds or even thousands of times as much as pretty good safety. Besides, there are plenty of brave people who would accept the risk in exchange for the adventure of going to Mars. Loss of life in space exploration is no problem.
Loss of money is another matter, however. As one wag observed, "Space probe reveals existence of rocks and dirt on other planets!" We're unlikely to find anything on Mars that would materially affect life on Earth in any way. Eventually it will get cheaper to go to Mars, but what's the hurry? Kitty Hawk was just 100 years ago, and we can a lready study it while improving our (very economically useful) robotic technology in the bargain.
A good argument can be made that the Apollo moon missions paid off manyfold in technology transfers to the civilian economy, establishing a principle that can be use to analyze the cost-effectiveness of space missions. But the trip to Mars will use mostly technologies that already exist and have already transformed the world economy. The unsolved problems for the Mars mission include: propulsion, closed-system food production, and closed-system psychology. The first two can be studied much closer to our planet (if we have any reason to study them) and the third is one hell of an expensive psychology experiment.
Mars isn't going anywhere. It's been up there since before the human race arrived at the notion that the Earth's curvature might suggest a universe that is gravitationally strung together, and it will still be there tomorrow. This leaves us with the question of George Bush's motives in proclaiming his "bold vision" of a moon base and mars mission. Nothing in Bush's history suggests an abiding love of science, but everything he's done in office suggests he's more adept at grand gestures than at grasping consequences. Send the robots, mr. president!
Postscript: Due to reallocation of NASA funding towards the Mars mission, planned shuttle missions for future maintenance of the Hubble Space Telescope have been cancelled. The Hubble will be allowed to die instead of going on for another decade as the steller scientific performer that it is. Thanks a LOT, Mr. President.
29 December '03 Rats against landmines: In Mozambique, GIANT RATS (3 lbs) are being trained to find landmines in exchange for a bit of banana. They're easier to train and handle than dogs, and crucially, too light to set off landmines. In Tanzania, the same rats can sniff 2,000 medical samples in a day to find tuberculosis (against 20 for a trained lab technician with expensive equipment.)
African pouch rats are banned from the United States because they have been shown to be capable of spreading monkey pox. But it seems a simple quarantine procedure would answer that concern. As bomb-sniffing dogs are in short supply, and bomb-sniffing machines costing around a $quarter-mil apiece, maybe we ought to make friends with these bright little rodents. But could Americans be trained to let a giant rat sniff them?
Maybe we could train cute American squirrels to do the same job. But that may not be any good either. Americans might like the squirrels too much, and try to pet them (no danger of that with an African pouch rat). Have you ever looked at a squirrel's teeth?
Alas, the biggest barrier would be the American religion of "Technology is the answer to EVERYTHING." Somehow, maybe in the process of conquering the vast prairie from all those buffalo and 'injuns, we got it in our little heads that animals are only a solution to problems until we can figure out how to address it with something made in a factory. The thought that our lives could be saved by little rodents in exchange for a bit of banana . . . humbles us somehow.
Tech-Rant archive page 1:
-
Net Fridge and other dumb innovations
Stealth Goodies
Word Rage
Super Technology Powers
___________________________________________________________
[Home]
... [Site
Index] ©1997-2003 George Wiman, All Rights Reserved
This page created in Macromedia Dreamweaver. Please email
george@wiman.us if you have any problems viewing this page.