Sunday, February 13, 2005

Iraq: worse than you think?

The Counterterrorism Blog: Iran's Great Victory

I've been following this counterterrorism blog for a while. It's not a left/democrat/liberal site, but neither is it pro-Bush. Mostly it's professional military and, as the name goes, counterterrorism journalists and hobbyists. It's rationalist/secular, so it's something I can relate to even when I may disagree.

This post includes an alleged statement by a "senior military commander". The claim is that religious Shia dominance of the new legislature may be virtually complete, with no balancing Kurdish block of significance and no significant secular block. The alleged author also describes very effective insurgent military action and implies Iraqi forces are completely penetrated by insurgent intelligence.

We'll know in a few days if the claims of the political outcome are correct.

At around the same time I read reports that the US training of Iraqi forces is failing dismally. I also see reports that the new Saudi education minister is a Wahhabi zealot who could have been appointed by bin Laden, and that the Saudis are backpedalling on their counter-terrorism initiatives.

I am very interested in what the Sunni/Wahhabi Saudis make of the rise of Shia Iraq, the rise of Shia Iran, and the fall of the Iraqi Sunni elite.

I'm also curious as to whether bin Laden is all that keen on how this is turning out; does he truly favor Iran? I'd thought the Wahhabi were always suspicious that Iran was a bit too civilized (not to mention that Zoroastrian skeleton in the closet).

The hypothesis that Iran has completely outplayed the US, and bin Laden, has not yet been disproved.

Who knows, maybe a truly dominant Iran will turn out to be a good thing. If anyone but me repeats that statement we'll know that the crisis of Iraq is plumbing new depths.

Each household borrows $3000 a year to run America

The New York Times > Week in Review > Cut Short: The Revolution That Wasn't

This is a helpful analogy.
...To most Americans, the federal budget, more than 2,000 pages of fine print, is hard to grasp; it isn't easy to summon a mental image of $2.57 trillion. One way to look at it is to consider how much the government spends per household. In the 1990's, the figure held steady at about $18,000, according to Brian M. Riedl, a budget analyst for the Heritage Foundation. But last year, it exceeded $20,000, adjusted for inflation, the highest amount since World War II. But the government only takes in $17,000 for each household. 'So right there,' Mr. Riedl said, 'we're borrowing $3,000 per household.'
We borrow from other countries, but mostly we borrow from the future. This is not necessarily irrational -- assuming the money is used wisely and that our future selves can afford the cost. Unfortunately we are borrowing more than the near future will likely repay.

I used to belong to the Concord Coalition. Then I switched to organizations fighting corruption in government. Lastly I made a very strong effort for Kerry. All of these failed.

I figure all I can do now is buckle our life jackets and wait for the ship to run aground.

Arranged marriages for the wealthy unmarried

The New York Times > Magazine > The New Arranged Marriage

Janis Spindel arranges mergers and acquisitions for wealthy unmarried men:
... Janis Spindel Serious Matchmaking Incorporated's fees begin -- begin! -- at $20,000 for an initiation fee, plus $1,000 for a one-year membership that includes 12 dates.... An out-of-town client must fly Janis and an assistant first class and put them up in a hotel for the home visit. Additionally, a marriage bonus is expected -- sometimes it's a car or extravagant jewelry; other times it's cash. She has received gifts in the $75,000-to-$250,000 range.

Gorgeous [the prospect] tries to negotiate the price, but Janis flatly refuses. Then he says he's uncomfortable with the general idea of paying for dates and wonders what kind of women would date a man who needs to pay to find her. He doesn't want to be set up with "shrews" or women who are interested in him because he owns a successful business.

This strikes me as an extremely realistic concern. How else to describe the women who, Janis says, pay $750 for a 30-minute meeting to audition for her databank of women (6,800 of them, Janis claims) who want to marry a man rich enough to pay for her services?
As a young man I traveled the world as a Watson Fellow. I spent about 8 months in Bangkok in 1981; I've not been back since, but I'm told it's a different city now. In those days mergers and acquisitions were a common arrangement for visiting executives, executed with a mercenary understanding of power, advantage, and mutual benefit. To paraphrase Churchill, only the price has changed.

Dean as National Democratic Committee Chairman

The New York Times > Washington > Democrats Elect Dean as Committee Chairman

I'm glad Dr. Dean was chosen. He was widely smeared during the campaign, not only by the usual suspects but also by the NYT. I'm looking forward to his next steps.

Rural suicide - anything to do about it?

The New York Times > Health > Social Isolation, Guns and a 'Culture of Suicide'
When Professor Branas examined data from the federal Centers for Disease Control and Prevention, he found that the risk of dying by gunshot was the same in rural and urban areas from 1989 to 1999, findings that were published in The American Journal of Public Health. He has also concluded that in the most rural counties, the incidence of suicide with guns is greater than the incidence of murder with guns in major cities.
The article doesn't say which of the three alleged factors is the larger contributor to the high suicide rates. Suicide rates are also high in many Scandinavian nations; I think guns are less accessible there. Isolation is not only a part of most rural areas, it's a feature. Would more mental health workers really drop the suicide rate? It would be useful to have some data.

Maybe we could do something about the romanticization of suicide. In 20 years I've walked out of one movie -- The Dead Poets' Society. The romantic portrayal of the senseless suicide of the teen protagonist was infuriating. That's an uphill battle however.

We know there's a problem worth studying, but we've got a lot of work to figure out if there's anything to do about it.

Who will defend freedom? It's not illegal to take pictures of subways.

Shooter.net: Attack of the SF Muni Fare Inspectors

It's commonly believed that after 9/11 it became illegal to take pictures in subways and of public transit structures. This is an urban myth, but it's a myth accepted by many transit workers and some police. This post tells the story of a San Francisco photographer who persists in taking pictures and is first threatened by transit workers, then harassed by police.

This is how freedom goes away, one step at a time.

Once upon a time this story would have brought a mass of Americans to the subway to snap pictures. I now fear that most of us lack the energy even for such a minor defense. I know many of my friends, post-Nov 2nd, have withdrawn from the world of politics and discourse.

Saturday, February 12, 2005

Passphrases? Nice try.

Why you shouldn't be using passwords of any kind on your Windows networks . . .

A Microsoft security guru starts blogging, and gets attention for advocating passphrases as memorable alternatives to passwords.

I don't see passphrases as workable. I have hundreds of passwords to manage -- would hundreds of passphrases be any easier to manage? In any case it's not like people would choose passphrases randomly -- popular songs, famed bible quotes, historic expressions would all be over-represented.

The blog did mention a few minor details that are probably not known to the average person:
  1. Passwords of under 10 characters are completely vulnerable. Software using "Sarca rainbow tables" is used to create all "possible LM or NT password hashes of a given length with a given character set". The "pre-computed password-hash-to-password-mappings" are then burned to DVD. The DVDs are used to crack systems using passwords under 10 characters.
  2. All dialects of Windows default to storing an "LM hash" for passwords below a certain (nn characters?) length. "The LM hash is no longer cryptographically secure and takes only seconds to crack with most tools".
  3. Password length may be more important than password complexity given current cracking tools. A good length is something like 42 characters or more.
This is all interesting, but it's pointless. It's fighting a lost war. We need biometric identifiers and/or physical tokens. This passphrase/password stuff is for the boids. (Let's not even mention the "secret question" madness.)
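
As an added illustration (not from this post or the Microsoft blog it discusses) of why the three points above hold, the script below estimates the work needed to exhaust an LM hash versus an NT hash under a few password policies. It relies on two properties of the LM format the page does not spell out (the password is upper-cased and hashed as two independent 7-byte halves, and no LM hash is stored for passwords over 14 characters); the 1e9 hashes/second rate and the one-million-line phrase list are assumptions made for the comparison.

```python
import string
from typing import Dict, Optional, Tuple

# Character-set sizes for the policies compared below (stdlib constants).
LOWER_ONLY = len(string.ascii_lowercase)                  # 26
PRINTABLE = 95                                            # printable ASCII incl. space


def _case_folded(charset_size: int) -> int:
    """Charset size left after LM's upper-casing.

    Assumption: a charset larger than 26 contains both a-z and A-Z, so folding
    drops the 26 lower-case letters; a 26-letter set is one case, unchanged."""
    return charset_size - 26 if charset_size > 26 else charset_size


def lm_search_space(length: int, charset_size: int) -> Optional[int]:
    """Candidates to try against the LM hash of a `length`-character password.

    LM upper-cases the password, pads it to 14 bytes and hashes each 7-byte
    half independently (a property of the LM format, not taken from the page),
    so the attacker cracks two short halves rather than one long string.
    No LM hash is stored for passwords over 14 characters, hence None."""
    if length > 14:
        return None
    folded = _case_folded(charset_size)
    halves = (min(length, 7), max(0, length - 7))
    # Each half is attacked on its own; an empty half is a fixed constant.
    return sum(folded ** n for n in halves if n)


def nt_search_space(length: int, charset_size: int) -> int:
    """Brute-force bound for an NT hash: one case-sensitive string, no split."""
    return charset_size ** length


def seconds_to_exhaust(space: int, hashes_per_second: float) -> float:
    """Wall-clock time to try every candidate at an assumed hash rate."""
    return space / hashes_per_second


def compare(hashes_per_second: float = 1e9) -> Dict[str, Tuple[Optional[float], float]]:
    """(LM seconds, NT seconds) per policy; None where no LM hash exists.

    The 1e9 hashes/second rate is an assumed round figure. The last row models
    the post's objection to passphrases: a 42-character line taken from a
    well-known song or quotation is only as strong as the attacker's phrase
    list, assumed here to hold one million lines."""
    policies = {
        "8 chars, printable ASCII": (8, PRINTABLE),
        "14 chars, printable ASCII": (14, PRINTABLE),
        "42 chars, lower-case letters": (42, LOWER_ONLY),
    }
    out: Dict[str, Tuple[Optional[float], float]] = {}
    for label, (length, cs) in policies.items():
        lm = lm_search_space(length, cs)
        out[label] = (
            None if lm is None else seconds_to_exhaust(lm, hashes_per_second),
            seconds_to_exhaust(nt_search_space(length, cs), hashes_per_second),
        )
    out["42-char line from a 1,000,000-phrase list"] = (
        None, seconds_to_exhaust(10**6, hashes_per_second))
    return out


if __name__ == "__main__":
    for label, (lm, nt) in compare().items():
        lm_text = "no LM hash" if lm is None else f"{lm:.3g} s"
        print(f"{label:44} LM: {lm_text:>12}  NT: {nt:.3g} s")
```

The 42-character lower-case row dwarfs the 14-character printable row, which is the "length over complexity" point; the phrase-list row is what happens when the 42 characters are a line everybody knows.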

Firefox is 20% of bloglines access; The Firefox Center

Bloglines | Firefox Center

The Firefox browser now generates 20% of bloglines (dominant web-based blog monitoring and reading software) traffic. I'd call this an impressive leading indicator of future growth. Bloglines represents a "leading edge" clientele, but where the geeks go others will follow.

They've added a Firefox-centric page to support this growing user base.

The stupidity of the Secret Question and the death of passwords

Schneier on Security: The Curse of the Secret Question

I'm going to take some credit for this post by Schneier, the god of modern security. I wrote him a few weeks ago asking him to address the use of these inane "secret questions". Here he's done it, and in fine form. The stupidity behind these "secret questions" is breathtaking, but Schneier correctly points out (hey, it was in my email to him!) that this is yet another sign that passwords have passed their prime.
It's happened to all of us: We sign up for some online account, choose a difficult-to-remember and hard-to-guess password, and are then presented with a 'secret question' to answer. Twenty years ago, there was just one secret question: 'What's your mother's maiden name?' Today, there are more: 'What street did you grow up on?' 'What's the name of your first pet?' 'What's your favorite color?' And so on.

The point of all these questions is the same: a backup password. If you forget your password, the secret question can verify your identity so you can choose another password or have the site e-mail your current password to you. It's a great idea from a customer service perspective -- a user is less likely to forget his first pet's name than some random password -- but terrible for security. The answer to the secret question is much easier to guess than a good password, and the information is much more public. (I'll bet the name of my family's first pet is in some database somewhere.) And even worse, everybody seems to use the same series of secret questions.

The result is the normal security protocol (passwords) falls back to a much less secure protocol (secret questions). And the security of the entire system suffers.

What can one do? My usual technique is to type a completely random answer -- I madly slap at my keyboard for a few seconds -- and then forget about it. This ensures that some attacker can't bypass my password and try to guess the answer to my secret question, but is pretty unpleasant if I forget my password. The one time this happened to me, I had to call the company to get my password and question reset. (Honestly, I don't remember how I authenticated myself to the customer service rep at the other end of the phone line.)

Which is maybe what should have happened in the first place. I like to think that if I forget my password, it should be really hard to gain access to my account. I want it to be so hard that an attacker can't possibly do it. I know this is a customer service issue, but it's a security issue too. And if the password is controlling access to something important -- like my bank account -- then the bypass mechanism should be harder, not easier.

Passwords have reached the end of their useful life. Today, they only work for low-security applications. The secret question is just one manifestation of that fact.
In my case I wrote Schneier when a corporate system asked me for both my password and my secret question. Of course I knew the password (I use my generic ultra-low-security password for unimportant internal systems), but my "secret answer", like Schneier's, was a string of flailing keystrokes. I had to spend some days fighting with a mailbot to get both the secret answer and password reset. (BTW, corporate systems are usually far less service-oriented than public systems; after all, the users have no power and no choice. Senior execs have power of course, but their admins deal with the software.)

CIA rebels not done yet

The New York Times > Washington > '01 Memo to Rice Warned of Qaeda and Offered Plan

We've known for some time that Clarke gave Condoleezza Rice specific warnings about al Qaeda -- which she ignored (she thought China and Russia were our big threats). The interesting news here is the role of the CIA in releasing a document:
A strategy document outlining proposals for eliminating the threat from Al Qaeda, given to Condoleezza Rice as she assumed the post of national security adviser in January 2001, warned that the terror network had cells in the United States and 40 other countries and sought unconventional weapons, according to a declassified version of the document.

The 13-page proposal presented to Dr. Rice by her top counterterrorism adviser, Richard A. Clarke, laid out ways to step up the fight against Al Qaeda, focusing on Osama bin Laden's headquarters in Afghanistan...

... The proposal and an accompanying three-page memorandum given to Dr. Rice by Mr. Clarke on Jan. 25, 2001, were discussed and quoted in brief by the independent commission studying the Sept. 11 attacks and in news reports and books last year. They were obtained by the private National Security Archive, which published the full versions, with minor deletions at the request of the Central Intelligence Agency, on its Web site late Thursday.
This is old news, but it's interesting that the CIA surrendered the document. These days it's generally pretty easy to refuse such requests. I wonder if the director of the CIA (a Bush loyalist) knew of this release.

Trash company, earn $42 million

The New York Times > Business > Fiorina Exiting Hewlett-Packard With More Than $42 Million

This wouldn't be so bad if she were getting the $42 million from Dell. But to get it from her own employers?

Can someone please sue the HP board?

Microsoft rot?

ABC News: Silicon Insider: R.I.P. Microsoft?

A Silicon Valley guy prophesies hard times for Microsoft:
Great, healthy companies not only dominate the market, but share of mind. Look at Apple these days. But when was the last time you thought about Microsoft, except in frustration or anger? The company just announced a powerful new search engine, designed to take on Google -- but did anybody notice? Meanwhile, the open systems world -- created largely in response to Microsoft's heavy-handed hegemony -- is slowly carving away market share from Gates & Co.: Linux and Firefox hold the world's imagination these days, not Windows and Explorer. The only thing Microsoft seems busy at these days is patching and plugging holes...

... Microsoft has always had trouble with stand-alone applications, but in its core business it has been as relentless as the Borg. Now the company seems to have trouble executing even the one task that should take precedence over everything else: getting "Longhorn," its Windows replacement, to market. Longhorn is now two years late. That would be disastrous for a beloved product like the Macintosh, but for a product that is universally reviled as a necessary, but foul-tasting, medicine, this verges on criminal insanity. Or, more likely, organizational paralysis.

... And do college kids still dream of going to work at MS? Five years ago it was a source of pride to go to work for the Evil Empire -- now, who cares? It's just Motorola with wetter winters.
Of course, you say, he would say that. The death of Microsoft is dear to the heart of the Valley. This guy gets a bit of credibility though; he claims he also rang the bell for Carly/HP and for Silicon Graphics. (He doesn't mention the other 55 companies he said were going down ... :-)

On the other hand, the usual rules of capitalism don't apply to monopolies. And then there's the patent weapon. Microsoft hasn't even begun their scorched earth patent attack. They can't "go nuclear" until the EU accepts software patents, but that will probably happen within a month or so. Yet even then Microsoft must worry that India and China might rebel. Microsoft has an incredible weapon at hand, but like all doomsday weapons it can also destroy its master.

And even the monopoly isn't a perfect weapon. Microsoft bought the Bush administration, but the Bushies prize loyalty above all else -- and they suspect that deep down Gates despises them. The Bushies won't stay bought, and the EU is an even tougher case.

Beyond monopoly and patents, what does Microsoft have? Incredible numbers of brilliant people yes, but many of their best innovations are likely disruptive threats to Microsoft's cash stream (Office, XP). Their "nasty" innovations can further the monopoly; but that risks the delicate game Microsoft plays with corrupt governments. (Ok, so they also have more wealth than most nations and they can specify cash flow on demand -- but they're addicted to that cash flow.)

The fear of cash flow disruption, or of losing control of key governments, means Microsoft's biggest innovations rarely get to market. Meanwhile Longhorn, a festering mass of complexity, recedes into the future, while historic legacies and worldwide dislike breed an endless horde of software attacks.

Years ago a judge who wouldn't be bought decided to split up Microsoft. He was overruled. Gates decided the empire must stay whole, and he made his Faustian deal with the Bushies. That might have been the right decision for a company that can mint money, but I suspect if Microsoft had been broken up its component parts wouldn't be in any way paralyzed today. Instead Microsoft is turning into the pre-breakup AT&T of the 21st century.

Friday, February 11, 2005

Advanced warning of 9/11 -- by about 25 years

In October of 2001 I wrote
Over the past century technology has increased destructive power more than it has increased defensive capabilities. Technology, including communication networks and knowledge distribution, has brought to individuals and small groups (micro-powers) the capabilities once limited to nation states; the cost of acquiring and deploying nuclear and particularly biological weapons has decreased substantially. It has increased the harm potential of individuals and small groups. I sometimes call this the AIM problem, a pseudo-acronym for Affordable, Anonymous Instruments of Mass Murder. Our technologies are lowering the cost of the havoc, and the new weapons can be deployed anonymously. Anonymity means invulnerability. We cannot be anonymous, so we are at an enormous disadvantage -- eventually contending against an invulnerable opponent with irresistible weapons.
In 1978, at a Berlin conference, Brian Michael James of the RAND Corporation said
We are approaching an age in which national governments may no longer monopolize the instruments of major destruction. The instruments of warfare once possessed only by armies will be available to gangs...
1978. Fallows, writing in the Jan 05 Atlantic (paywall), says James first wrote about this even a few years earlier, in 1975.

The Fallows article is essential reading. When will we start to talk about this new world like adults? I see no sign that we're ready to begin.

How fast could YOU spend 25 billion dollars?

PBS | I, Cringely . Archived Column

Why is it that only Robert X. Cringely ever writes about this stuff? It would be less peculiar if he were usually wrong, but he's most often right. Cringely says the VCs are going to spend some change fast ...
In 1999-2000 -- at the very peak of the dot-com boom -- venture capital firms were not only taking companies public at a furious pace, they were just as furiously raising new venture funds -- funds that will shortly be coming to the end of their lives. Throughout the fixed lifespan of these funds venture capitalists are typically paid 1-2 percent of the total fund per year as a management fee. If a VC raises $100 million for a fund with a six-year life, they'll take $2 million every year as a management fee, whether the money is actually invested or not. Any money that remains uninvested at the end of the fund must be returned to the investors ALONG WITH THE ASSOCIATED MANAGEMENT FEE.

Right now, there is in the U.S. venture capital community about $25 billion that remains uninvested from funds that will end their lifespans in the next 12-18 months. If the VCs return those funds to investors they'll also have to return $3 billion in already-spent management fees. Alternately, they can invest the money -- even if they invest it in bad deals -- and NOT have to cough-up that $3 billion. So the VCs have to find in the next few months places to throw that $25 billion. They waited this long in hopes that the economy would improve and that technical trends would become clear so they could do their typical lemming-like jump off the same investment cliff as all the other VCs. Well, we're at the edge of the cliff, so get ready for the most furious venture investing cycle in history.

The national identification card and database

Slashdot | House Approves Electronic ID Cards

The US House has approved a de facto national identification card and database that will aggregate data across all citizens.

Ten years ago this would have caused a great fuss. Now the comments on Slashdot (ok, so Slashdot is pretty vapid these days) are tepid and confused.

Resistance is indeed futile. Let's get our chips implanted and get this over with.