Monday, June 18, 2007

Lessons for the iPhone from browsing with an old version of Internet Explorer

Have you ever refreshed an old machine with XP? It's a very tedious process. You do the install, then hours of repeated updates to get the machine to a semi-modern state.

In the midst of all this tedium you may need to fetch some code from the net. The reasonable way to do this is to download and install Firefox and use that. The suicidal approach is to skip both the five minute Firefox install AND the 12 hour Windows update process, and browse to a slightly shady web site to download something using an antique copy of Internet Explorer.

Jeff Atwood, who definitely knows better, decided on impulse to use a non-updated version of IE to fetch some code. Essentially, he figured the risk of infection was low enough for a non-critical system to justify saving five minutes. He was wrong; one of the sites he used turned out to be far sleazier than he'd imagined. His misadventures led to a good essay, so it wasn't a total loss. It's a dramatic story of how quickly an old version of IE will be compromised when exposed to the wild*, but within it there's one sentence in particular I'll comment on (italics).

Coding Horror: How to Clean Up a Windows Spyware Infestation

... it's a wonder people don't just give up on computing altogether. Once the door is open, it seems the entire neighborhood of malware, spyware, and adware vendors take up residence in your machine. There should be a special circle of hell reserved for companies who make money doing this to people.

At first, I was mad at myself for letting this happen. I should know better, and I do know better. Then I channeled that anger into action: this is my machine, and I'll be damned if I will stand for any slimy, unwanted malware, adware, or spyware that takes up residence on it. I resolved to clean up my own machine and fix the mess I made. It's easier than you might think, and I'll show you exactly how I did it...

As Jeff probably knows, there's no "wonder" here because, in reality, people do "give up on computing altogether". They may still have a computer, but they don't use it very much because it's so unstable and unresponsive. Eventually it gathers dust.

The only reason my mother's computer still runs and works, despite having not been patched in the past six months ** is that she's running OS X and browsing with Safari. She's not a significant target and she mostly browses a few major news and weather sites. For most people in her situation, the computer just stops working and they don't go back.

Which may, despite all the conspiracy theories, be the real reason the iPhone is a closed system. In other words, Jobs was almost telling the truth (shocking, I know). Apple wants a closed iPhone not because a phone is a particularly bad thing to hack (though it may be), but because Apple is trying to produce a computing platform that will be relatively reliable for the average user.

--

* Web stories on old systems dying within minutes of net exposure are mostly baloney -- almost no-one ever runs a PC with a direct IP connection. We all have NAT redirectors and de facto firewalls, even if many users aren't aware they exist.

** I don't want her to deal with the patch process, and remote control and maintenance solutions for OS X have not been nearly good enough to be worth my using them. I've been betting we could get by with my maintaining the system every 6 months or so, and that's been working well.

Update 6/25: Coding Horror (Jeff Atwood) wrote a follow-up piece quoting a security expert, Adam McNeill, who analyzed how the attack occurred. Here's an excerpt:

...GameCopyWorld displays a "Find Your Love at Bride.Ru" advertisement. That advertisement "refers" to linktarget.com in order to display an advertisement for the DVD software produced by Slysoft.com. That advertisement "refers" to 39m.net which in turn creates an [iframe] to buyhitscheap.com. Buyhitscheap.com in turn calls fkdomain.info who attempts to deliver a series of exploits to a user's system in hopes of installing a trojan dropper. The fkdomain.info site attempts to exploit the following...

It's interesting to imagine the reaction of someone from 1994 reading that summary. The emergent sophistication of a modern security attack is fascinating and reminiscent of how prison exploits evolve. Atwood, who I think has been guilty of previously deprecating the importance of running as a non-administrator, admits that a non-admin user would not have been vulnerable. He manages not to mention that OS X defaults users to non-admin status and it works very well (except for a few Adobe applications, which is a good reason not to buy them).

Stop electing judges

The numbers are looking bad: The Best Judges Business Can Buy - New York Times. We can only fight corruption on so many fronts at once; popular election of judges simply opens another front. Let's concentrate on reducing corruption in the state legislature and return to a system of appointing judges.

Yes, we could move to public financing of judicial elections, but why only for judges?

In any case, I am rarely able to find any useful information to guide my judicial votes. I end up simply voting the MN DFL party line, so the whole process is a waste.

Sunday, June 17, 2007

Food labeling is being discussed now

The Feds are talking food labeling now. Lots of very wealthy and very interested parties don't want labels to describe where things come from. If you disagree, write your Elected and Appointed Officials.

If the label's not big enough, then require producers to include a URL with the details as well.

Youth baseball, education and health care performance measures

Whether you're coaching youth baseball, running a school, or taking care of patients, there's one sure-fire way to improve your rankings.

Eliminate the weak.

Oh well, we'll just run the experiment again anyway. Just because it's failed every other time it's been done there's no reason it won't work this time. Right?

Charles Stross dismantles the High Frontier

I loved O'Neill's 1976 High Frontier; I still have two of the books. The orbital colonies came first, then came microwave beaming of solar power as an attempt to justify the beautiful tori. I even had a personal connection, an aunt worked for the O'Neill Foundation for years. Once I considered presenting at one of their meetings, but I couldn't make it fit my schedule.

There's not much left of the High Frontier now. The Wikipedia entry is about one paragraph, though the old visions live on in space operas (science fantasy). Charles Stross, a first rate writer and thinker, is old enough to have fallen in and out of love with the High Frontier, and today Stross dismantles it. It's harsh reading for folks who, like me, went to college hoping to join the astronaut program, but it's familiar stuff. It's been clear for some time that biological organisms are not going to travel to the stars.

Inorganics, yes, organics, no.

I think he's a bit pessimistic about the rest of the solar system however. If our civilization manages to survive a few hundred more years the energy and environmental challenges may seem pretty doable. It just won't happen as fast as Kennedy once imagined.

Dowd asks a good question, hell freezes

At the very end of one of her typically silly columns Dowd actually asks a good question:

Can He Crush Hillary? - New York Times

.... The Clinton financial disclosures raise a big question: Do we want the country run again by a couple who get so easily wrapped around the fingers of anyone who is rich? As long as a guy was willing to give them millions, would it matter if his name were Al Capone?

John Edwards. Al Gore. Maybe even Obama if he can get straight about his smoking habit and if he turns out to be relatively skeleton free...

The evolutionary biology of aging: Zimmer's links

In a quite brief post Carl (The Loom) Zimmer gives us a small set of brilliant links into the modern evolutionary biology of aging. Absolutely fascinating. I've long thought one of the most instructive examples of mammalian aging lived right by our feet, so I jumped right to the entry on Canis familiaris. It's weaker than it should be. It records the far end of canine longevity (at least 24 years, possibly 29) but misses the Great Dane -- old by six years. (One might argue breeding Danes is a crime despite their charm and beauty.)

That's a pretty impressive range for one species -- 400%. Should be some lessons there.

Wolves, by comparison, seem to live fairly readily to age 16-19 in captivity. This suggests we ought to be able to breed a mid-sized dog that would have at least 16 healthy years. That's much better than our genetically abused companions get these days. I'd like to see a derivation of the Australian cattle dog bred for long life but a more family friendly temperament.

Update: By the way. Delayed sexual maturation is a marker for longer lifespan. The age of menarche has fallen from about 16 to about 12 in the past forty years. Draw your own conclusions ...

Saturday, June 16, 2007

Sachs Reith 2007 - Lecture Four - Social engineering

From Jeffrey Sachs' 4th Reith Lecture on alleviating poverty in Africa ...
BBC Radio 4 - Reith Lectures 2007 - Lecture 4: Economic Solidarity for a Crowded Planet:

... The fourth challenge, excessive population growth, is similarly susceptible of practical and proven solutions. Fertility rates in rural Africa are still around 6 children or more. This is understandable, if disastrous. Poor families are worried about the high rates of child mortality, and compensate by having large families. Poor families lack access to contraception and family planning. Girls often are deprived of even a basic education, because the family cannot afford it, and are instead forced into early marriage rather than encouraged to stay in school. And the value placed on mothers' time is very low, in part because agricultural productivity is itself so low. With few opportunities to earn remunerative income, mothers are pushed - often by their husbands or the community - to have more children.

Yet, as shown by countless countries around the world, fertility rates will fall rapidly, and on a voluntary basis, if an orderly effort is led by government with adequate resources. Investments in child survival, contraceptive availability, schooling of children, especially girls, and higher farm productivity, can result in a voluntary decline in total fertility from around six to perhaps three or lower within a single decade. But these things will not happen by themselves. They require resources, which impoverished Africa lacks...

Ahhh. I have thought so much and so long about this very topic. The story of that would take far too long to tell, so instead I shall tell a story from the year 2015. It has been 3 years since the Zorgonians first landed their saucers at the UN ...

... No more disease. Our children shall live centuries. Zorgonian technologies will allow us unlimited energy production with no greenhouse gas emissions. It is all we have dreamed of, and yet ...

... The Zorgonians have not demanded any price, but already we can see that we must change to fit their complex world. We cannot interpret their alien emotions, but it is clear they have little patience or interest in our religious traditions. They are suggesting a program of aggressive eugenics; in their world there is no tolerance for the weak or the slow. Bleeding heart liberal or NASCAR fan -- neither win the favor of these alien peoples. To run with this pack, we must abandon all but the strong.

They offer us devices that will extend our mind and reason, but those who use them seem so different, so uninterested in the things we love and treasure ....

... Is their gift worth the price?

I trust the analogy is obvious. A wonderful prize offered, but a prize with a Faustian price. African peoples who accept Sachs' agenda will be transformed, and they know that well. To us the transformation is worth the prize -- we don't particularly care for genital mutilation anyway. The recipient's opinions will vary.

When I was a 1st year medical student in 1982, still reeling from the complex adventures of a year in Asia studying fertility programs, I wrote a long and garbled paper on social engineering for a McGill medical school elective course (my first use of a word processor by the way). It was clear, even back in 1982, that dramatic fertility transitions were associated with radical changes in social structures. Women, in particular, rose quickly. Many men saw their power base shrink. Mating preferences changed. Traditions were being destroyed, new social structures were emerging. Why not face this fact, I thought, and think about how to deliberately engineer the transition to technocentric modernity? There must be many ways to covertly destroy a social order and rebuild a new one....

My poor medical anthropology elective course supervisor nearly died, and my medical career almost ended before it began. I might as well have written a paper for Opus Dei advocating sainthood for Satan. I'm not quite sure how I survived.

I was a naive idiot. Also young. And yet, 25 years later, the reality has not changed. I hope and pray Africa will emerge from poverty, undergo a demographic transition, and flourish in a technocentric world. The price, however, will be high.

Expensive toxic toy trains from ...

Well, where do you think they come from?

Thomas the Tank Engine Toys Recalled Because of Lead Paint - New York Times

... The affected Thomas toys were manufactured in China, which has come under fire recently for exporting a variety of goods, from pet food to toothpaste, that may pose safety or health hazards. “These are not cheap, plastic McDonald’s toys,” said Marian Goldstein of Maplewood, N.J., who spent more than $1,000 on her son’s Thomas collection, for toys that can cost $10 to $70 apiece. “But these are what is supposed to be a high-quality children’s toy.”

Ms. Goldstein’s 4-year-old son owns more than 40 pieces from the Thomas series, and seven of them were on the recall list, including the Sodor deluxe fire station, a footlong piece that is a little heavier than the average train...

Yawn. No surprises here. Lead Christmas light wiring, toxic fake flour in dog food, poisoned toothpaste, counterfeit medicines that don't work, counterfeit surgical supplies, fake glycerine that kills, etc, etc.

Not that there's a trend or anything.

Oh, yeah, and the toasters and such.

This time around the toy company has plausible deniability. That's not true going forward. Manufacturers now know what they can expect; if they're not assuming rampant fraud in China's marketplace then they're criminally negligent. Emphasis on the criminal part ...

More whacko terrorists - is this why we're still standing?

Schneier is back. Actually, he was never gone. The feed I was using to track him had been abandoned; I finally decided to see why he was silent and found a new feed. That's a relief; I was worried when he didn't seem to be commenting on the routine incompetence of our guardians and government. This time he's reviewing the latest news of a terrible plot foiled, and putting it in the post-9/11 context ...

Schneier on Security: Portrait of the Modern Terrorist as an Idiot

... I don't think these nut jobs, with their movie-plot threats, even deserve the moniker "terrorist." But in this country, while you have to be competent to pull off a terrorist attack, you don't have to be competent to cause terror. All you need to do is start plotting an attack and -- regardless of whether or not you have a viable plan, weapons or even the faintest clue -- the media will aid you in terrorizing the entire population.

The most ridiculous JFK Airport-related story goes to the New York Daily News, with its interview with a waitress who served Defreitas salmon; the front-page headline blared, "Evil Ate at Table Eight."

Following one of these abortive terror misadventures, the administration invariably jumps on the news to trumpet whatever ineffective "security" measure they're trying to push, whether it be national ID cards, wholesale National Security Agency eavesdropping or massive data mining. Never mind that in all these cases, what caught the bad guys was old-fashioned police work -- the kind of thing you'd see in decades-old spy movies.

The administration repeatedly credited the apprehension of Faris to the NSA's warrantless eavesdropping programs, even though it's just not true. The 9/11 terrorists were no different; they succeeded partly because the FBI and CIA didn't follow the leads before the attacks.

Even the London liquid bombers were caught through traditional investigation and intelligence, but this doesn't stop Secretary of Homeland Security Michael Chertoff from using them to justify (.pdf) access to airline passenger data.

Of course, even incompetent terrorists can cause damage. This has been repeatedly proven in Israel, and if shoe-bomber Richard Reid had been just a little less stupid and ignited his shoes in the lavatory, he might have taken out an airplane....

It's a great review; I encourage everyone to read the entire essay. Schneier has put a lot of related material in one place. So what lessons can we draw from this history?

Well, we already know our leadership is incompetent and that they inflate threats in order to further their political agendas. That's not a useful lesson. The more interesting trend is the matching incompetence of our terrorists.

The 9/11 crew had engineers among them. Engineers are dangerous. Since then we've had schizophrenics, cognitively disabled persons, people with personality disorders, and no real engineers that I know of. It's been a very unimpressive crowd. The only times they seem to get inventive is when undercover FBI agents give them ideas.

Imagine if Bruce Schneier were a terrorist. We wouldn't stand a chance. We're still standing because, as near as we can tell, our enemies have been unable to recruit geeks, intellectuals, and the nerdy special forces types that work for us. Maybe there's something about al Qaeda's 14th century agenda that doesn't appeal to anyone with insight.

I think George Bush has been (unintentionally) working very hard to recruit higher quality terrorists. I only hope he's been as unsuccessful with that effort as he's been with everything else he's touched, because the alternate theory is that we're only catching the idiots ...

Friday, June 15, 2007

Krugman again, this time syndicated

Krugman was recently caught posting on TPM Cafe. Nice, but no feed.

Today DeLong pointed to a DeLong post on a European econ site, but this site has a Paul Krugman feed. I'll track it and see what happens.

Fall of The Economist - resting with Al Jazeera?

The Economist has fallen a long way in the past ten years:

Transparency for thee but not for me | FP Passport:

... A new study out from the International Center for Media and the Public Agenda measures just how candid media are about what they do and how they do it. ICMPA's newest study looks at 25 of the world's top news sites to see which ones correct their errors, are open about their journalistic standards, and welcome reader comments and criticism.

Which were the best?

* The Guardian
* The New York Times
* The Christian Science Monitor
* National Public Radio

Which were among the worst?

* Time magazine
* Al Jazeera
* CNN
* The Economist

Back when I was a happy subscriber The Economist seemed quite able to admit a mistake. That was about ten years ago. It's been a nasty tumble ever since ...

verschärfte Vernehmung and George W. Bush

Not much gives me chills in these waning days of Cheney/Bush rule. All the outrage seems to have been spilled. What more can be said? This, though, gave me chills (via DeLong).

Scott Horton, writing in a Harper's blog ...

"Defending Enhanced Interrogation Techniques" by Scott Horton (Harper's Magazine)

Before there were “enhanced interrogation techniques,” there was verschärfte Vernehmung, (which means “enhanced interrogation techniques”) developed by the Gestapo and the Sicherheitsdienst in 1937 and subject to a series of stringent rules. Now, as we have seen previously, there were extremely important differences between the Gestapo’s interrogation rules and those approved by the Bush Administration. That’s right—the Bush Administration rules are generally more severe, and include a number of practices that the Gestapo expressly forbade...

and here Horton quotes Sullivan:

... In cross-examination BEST was shown a document which stated that the commander of the security police and SD was authorized to use verschärfte Vernehmung in Kracow. He said it was his impression that this type of interrogation was adopted in order to discover the underground movements in Poland, which had come into being at that time. Describing the use of verschärfte Vernehmung in Denmark, the witness HOFFMANN reiterated that third degree methods were based on a legal decree which authorized them. Disciplinary action was always taken against those concerned with excesses. In general, third degree was applied only when the saving of German lives required it. In this connection he instanced the use of such methods in order to find the whereabouts of arms and explosives belonging to the underground movement. The GESTAPO in general believed that other methods of interrogation, such as playing off political factions against each other, were much more effective than third degree methods. Verschärfte Vernehmung had to be approved by his head office and approximately 20 were allowed for Copenhagen (see reference to the case of Colonel TIMROTH).

and Horton concludes ...

... what was the sentence the Norwegian war crimes court deemed appropriate for those convicted of the use of verschärfte Vernehmung? Death.

This is why CIA interrogators needed Bush's legal shelters. They expect that with them they, Cheney, and Bush will all escape unscathed. They're probably right.

Still.

One day, this may be seen as a very dark time. A darker time than those who live in it now realize. We've grown accustomed to it, but our children and grandchildren may see things differently (and yes, in part I protest here in hopes it will lessen their scorn).

One day Bush, Cheney, and many others may find it difficult to fly places. There may be many nations they cannot visit with confidence. One day, they may even find a future American government is no longer willing to shelter them ...

A fraud victim's false victory and the high tech industry that supports identity theft

SFGate, a San Francisco news site, puts an optimistic spin on the chance capture of a woman who did very well as an identity thief. Alas, the reality is not at all encouraging (emphases mine)...

How victim snared ID thief / She chased down woman who had given her 6 months of hell

... Nelson took off again. In front of West Coast Growers, she dropped a wallet into an abandoned shopping cart. Lodrick, still after her, picked up the wallet -- also Prada -- and found an entire set of identification, including credit cards, a Social Security card and a debit card all in the name of Karen Lodrick. Later, when she returned to the bank that had been her original destination that morning and took possession of the lost driver's license, it was a perfect forgery -- with a hologram and a California seal -- and it had Lodrick's name but Nelson's photo and physical characteristics.

"You can buy the technology (to add marks and holograms) on your computer from companies that have legitimate government contracts and then make a lot of money selling the technology to people they must know are not legitimate," Fairbairn said. "Millions and millions of dollars." The black market, he said, is "a growth industry."

... In November 2006, her postal carrier told Lodrick that master keys to the neighborhood's mailboxes had been stolen. Soon afterward, Wells Fargo informed her that there was suspicious activity in her accounts.

Using the stolen keys, Lodrick believes, Nelson made off with an unsolicited mailing from the bank. Lodrick said it contained two debit/credit cards she had not requested and, worse, a statement for a certificate of deposit that included her Social Security number. Personal identification numbers for the cards were in a separate envelope.

It took only three days for Nelson to raid the accounts for about $9,000 through withdrawals and purchases, bank records show....

Dealing with the consequences of somebody pretending to be her and ringing up purchases of computers, jewelry, clothing, groceries, cigarettes and liquor took a day or two of Lodrick's time every week. There were the credit card companies to hassle with and credit agencies and banks, especially her own bank.

Lodrick calculates that as a self-employed consultant, she lost $30,000 in unearned income between November and Nelson's apprehension in late April. Wells Fargo eventually restored to her accounts all the money Nelson had withdrawn.

... "the bank was horrible. I felt they thought I was comical. I kept dealing with different people. Three different times they told me I'd have to come in and ID the (security camera) photo, that I hadn't done it."

... Lodrick changed bank accounts and identification numbers, only to find that Nelson had again broken into her mail and stolen the new information and was still after her accounts.

...What Lodrick didn't know is that they were neighbors, living only three blocks apart.

In the end, that photo of Nelson in her distinctive coat was her undoing. On June 6, she pleaded guilty to one felony count of using another person's identification fraudulently. She was sentenced by Superior Court Judge Harold Kahn to the 44 days she had already served in county jail and three years' probation...

Lodrick, who made a statement at sentencing, was dissatisfied. "I can't believe it," she said. "I went through six months of hell, and she's going to get probation? She was on probation when she victimized me. Obviously, probation's not helping."

Nor did Nelson, 31, appear to be remorseful. When she entered the courtroom in her orange jail jumpsuit and saw Lodrick, she smirked and waved at her. Judge Kahn chastised her for her attitude...

To summarize the obvious:

  • The banks (Wells Fargo in this case) don't care all that much. They'd care a lot more if they were liable for a victim's pain, suffering, and lost income.
  • The justice system isn't set up to deal with this kind of crime. Identity theft is a pretty good profession for someone who doesn't mind having a criminal record. It's the same story for stealing checks, by the way; offenders are usually put on probation - again and again. What's new is that income opportunities are now much greater.
  • The thief was not particularly bright or inventive, but she was able to plug into a "franchise model".
  • Above all, high technology vendors are, at a minimum, closing their eyes to the crooked intermediaries who buy their products. In the case of InfoUSA, they went so far as to develop products that were primarily designed for crooks. Arms dealers in general, and gun manufacturers in particular, of course, have made an art form of this over the centuries.

It's part of this meme.

So what do we do?

  1. Make the banks liable for more than the money lost. Maybe ten times more. That would incent them to change their behavior.
  2. Go after the legitimate suppliers. That means going after companies like InfoUSA and whoever supplied the ID manufacturing equipment that was used in this case. These are companies with deep pockets and a business to protect. This may require changes to laws. The arms dealer industry may provide some good lessons.

Thursday, June 14, 2007

Dyer - four new essays

Dyer has four new essays up. Enjoy.

Articles 2007

May 31 The War of Six Days and Forty Years
June 4 Don't Mention the Warming (G8 and Climate Change)
June 8 Calling the BMD Bluff
June 11 India: The Price of Choice

He takes PayPal donations, but needs to adopt Amazon instead. I don't do PayPal.