
greg hughes - dot net

Security, IT and anything else that matters... to me, that is



Tuesday, July 11, 2006 11:38:41 PM (Pacific Daylight Time, UTC-07:00) ( Tech )

Google introduced zooming in their maps interface. I went to check it out and in the process discovered the area that includes my home now has hi-res images and that my house, which was built about three years ago, now appears on the map. That's cool. Not that big of a deal in the grand scheme of things, but still cool. And I found it by double clicking to step through the maps and visually found my rural home, level by level.

Home-google-sat

The new zooming feature is a nice addition to the interface. To see how it works, just go to Google Maps and double click on the map and you'll zoom on in. I found I was also able to zoom in and out with my scroll-wheel-like function on my ThinkPad's little eraser pointer control thingie - point the mouse on the spot you want to zoom in on and zoom away. Cool. What's that red eraser thing called, anyhow?

The Google Maps API official blog has the zooming details.


Tuesday, July 11, 2006 9:52:05 PM (Pacific Daylight Time, UTC-07:00) ( IT Security | Tech )

Microsoft made this announcement today in their Security Newsletter for Home Users. The email headline they used is interesting, since the web site actually says Win XP SP1 support is supposed to stop on October 10th. Support for Win 98 and ME was set to end today. At any rate, if you're running Windows 98 or ME, it's well past time to pack it in:

Effective today, Microsoft no longer provides support for Windows 98, Windows Millennium Edition (Windows Me), and Windows XP Service Pack 1. Customers can access existing support documents through the Microsoft Support Product Solution Center, but telephone and e-mail support and security updates are not available.

Tuesday, July 11, 2006 4:44:02 PM (Pacific Daylight Time, UTC-07:00) ( Personal Stories | Tech )

Yesterday at work, I had the privilege of spending a couple hours with this cool kid named Connor. He's the son of a friend and coworker, and is an all-around good kid. Every now and then he'll come to work with his mom for a day and we'll hang out for a bit. It sure beats back-to-back meetings, heh.

Sidebar: For what it's worth, I'd kill to be eleven years old again (if I could stay that age, that is - no point in going through all those intervening years again, heh...).

True to form, he asked if we still have an XBOX. People kind of freak out when I tell them I bought an XBOX 360 for work. We actually have a couple of them on campus. "Video games at work??" they ask me. Heck yeah - it's a great way for creative minds to take an occasional and much-needed brain break (as long as it doesn't become something that's overdone), and some of the best idea-generating conversations happen when you're kicking someone else's butt in DOA4 or some other game. It's also of great interest, it turns out, to eleven-year-old kids. Yeah, go figure.

But most of the time we spent hanging out on Monday was occupied with trying to find a clean whiteboard somewhere in the building that didn't say "SAVE" on it (what the heck is up with THAT anyhow?) and then talking about computers and networks and how they work. Teaching kids something they have yet to learn about is really a lot of fun. I explained the underlying technology basics of how web browsers and web servers work, using analogies like phone books (for DNS), mapquest data (for routes) and phone numbers (for IP addresses) to try to describe some pretty complicated, intangible and abstract stuff in a way that makes some sort of sense. You know - looking up a name in a phone book and finding the phone number is like looking up a URL in DNS and getting an IP address, and using mapquest to figure out how to get from one place to another one step at a time is a lot like finding the route to a web server... We got a little more detailed than that, but you get the idea. His face really lit up when - all of a sudden - he "got it."

Next thing I knew, he was explaining how it works to me. Which was really cool. :)

I used to teach middle school kids back in the day, and there's something about those "getting it" moments that are a lot of fun to watch. Seeing reality expanding itself in a kid's mind is a pretty amazing thing. They sure do learn quickly.

At any rate, Connor will be back again sometime soon, and we'll see who's teaching whom whenever that day comes. For my part, I'm betting on the kid.


Monday, July 10, 2006 9:06:34 PM (Pacific Daylight Time, UTC-07:00) ( Personal Stories | Random Stuff )

I'll be on the road (well, in the air actually) Wednesday through Friday this week, as I am traveling to Toronto, Ontario (Canada, of course), where I'll be speaking at a conference this Friday on the topic of strong authentication for web sites and the role of web site users in the security process. They say there will be somewhere around 2,000 attendees, so it should be an interesting conference. I've been doing a lot of this kind of presentation recently - there are many changes in the works in the financial services industry for performing strong authentication of people who access online banking and other secure web sites. That's pretty much everything I've been doing for the past year or so, in fact.

It's been several years since I have visited Toronto, so I am looking forward to the time there. It's always been one of my favorite cities - clean and attractive.

If anyone happens to be in the Toronto area later this week and wants to try to catch up, be sure to let me know. Email and phone info are in the menu bar on the right side of the page on this site.


Sunday, July 09, 2006 3:31:01 PM (Pacific Daylight Time, UTC-07:00) ( Tech )

The Firefox 2 Beta 1 release candidate I mentioned last night includes a new feature that I just noticed (after using it practically all day), and it's simply terrific. It may seem small, but often it's the little things that make a real difference.

As-you-type spell checking is built right in. Just right-click on anything Firefox doesn't recognize and you'll get just what you'd expect. Looks like it's a basic English dictionary that's used, so you'll have to add some commonly typed terms - even Firefox isn't in the dictionary.

Firefox2-spelling

In Internet Explorer I have used IESpell for a couple years and it's always been very useful. But it doesn't do the red-underline thing to show me what's out of whack as I type, so this is another case where the Firefox team is again raising the bar.

Nice stuff.

NOTE: The Beta 1 release is set to hit the streets this week. Also, I confirmed that this weekend's binary release is definitely a pre-beta-1 release candidate (one of the nightly builds) and so it's likely (even probable) that it's not the same code that will ship as the actual Beta 1 this week. So, as mentioned last night, downloader beware. You'll probably want to wait. Sorry to anyone reading for gun-jumping, but hey we're all geeks around here, and it's in my nature to test early and test often.


Sunday, July 09, 2006 2:35:06 AM (Pacific Daylight Time, UTC-07:00) ( Tech )

Note: Sometimes bleeding-edge is fun, but it's not for everyone. I mention that so you'll know that this blog post is not for average computer users. But for those that like to try the latest, greatest things the second they become available and don't mind installing pre-release software...

UPDATE 7/10/2006: Since this post was originally authored the RC2 binaries for FF2B1 have been released earlier today in the nightly builds area. I've removed the old links.

Firefox v2 beta 1 about dialog

You know Firefox is a great browser, and if you're one of the hard-core, gotta-have-it types (like I am), you'll be glad to know binaries for Firefox v2 Beta 1 are available on the Mozilla.org FTP server. They say it won't be formally released 'til Tuesday, and the files could certainly change between now and then (this looks like it's labeled RC1 of Beta 1), but as you can see from the image at right the 2.0b1 English binaries are there. You can grab it now:

Download binaries for:

You know you want it. There are some nifty and subtle updates in the release, like close buttons on browser tabs and friendly, clean feed display in the browser window.

And by the way... Really, you should know how this stuff works, it's not magic, you know. People are organized and work hard to give you something you can download for free and which makes your life better. Have you said thank you yet?

So, why don't you go and get to know the project a little bit? Find out what goes into the software you use. It is a community thing, after all. Here, I will help you with starter links and a few facts:

The codebase was frozen on July 5th in preparation for release this week. The latest status meeting notes are viewable here. The code name for the release up 'til now has been "Bon Echo." From the Firefox 2 section of the MozillaWiki (where you can get lots of geeky details for yourself, by the way - so go learn and amaze your friends) here's a touch of high-level Firefox 2 trivia:

Theme of Firefox 2

Firefox 2 will aim to build on the success of Firefox by addressing issues related to the problem of managing the vast amounts of information available on the Internet. Our goal is to provide a browser that helps users manage and organize their online information channels.

About Bon Echo

Continuing the tradition, Firefox 2 will use a pre-release code name taken from a public park. Bon Echo Provincial Park is located in Ontario, Canada. The name literally translates to "good echo", and reflects how it is our goal echoes that of Firefox 1, once again focusing on improving the browsing experience for our users, making it simple, effective, fast and useful.

While the release notes are not yet up as of this writing, and while the binaries you see on the FTP site certainly may change before they're formally released, you might also be interested in taking a look at the changes that were made up through the latest Alpha release (Alpha 3).


Saturday, July 08, 2006 11:58:17 PM (Pacific Daylight Time, UTC-07:00) ( IT Security | Safe Computing | Tech )

Looks like a new variant of an old virus is making the rounds.

I got an email tonight in my personal email account that pretended to be from Microsoft and which contained a virus in an attached ZIP file. The attachment was called "Microsoft SMS Manager.zip" and contains two files - which are packaged as a .JPG file and a .HTA file. The JPG file is actually the infected binary and the HTA file is a real HTA with malicious content to call the binary and perform some other actions. The email came from an IP at an ISP located in Asia.

Of course I didn't get infected, because I saw it as obviously fake. Microsoft will never send software or updates via email, but in the social engineering department this one is bound to fool a number of people (despite the bad grammar), so it's a good idea to get the word out. I confirmed the virus infection with Symantec's AV software client on the local machine.

Here is the info about the infected contents of the ZIP file (specifically the JPG file):

Scan type:  Auto-Protect Scan
Event:  Threat Found!
Threat: W32.Gavgent.A
File:  C:\DOCUME~1\*********\Temp\Temporary Directory 1 for Microsoft SMS Manager.zip\Product.jpg
Location:  C:\DOCUME~1\*********\Temp\Temporary Directory 1 for Microsoft SMS Manager.zip
Computer:  *******
User:  *******
Action taken:  Delete succeeded : Access denied
Date found: Saturday, July 08, 2006  11:22:31 PM

If the AV software is correct and it's actually a W32.Gavgent.A virus in this file, this is an older worm (1995) that was not too prevalent at the time. The dates on the files in the ZIP are 8/2005, so it's entirely possible this is a reuse of an older virus. The HTA file in the package is an actual HTA file, and it references "Gavgent.B" in its contents, so it's likely this is a repackaging of the Gavgent.A variant. At this time, there is no reference to Gavgent.B at Symantec Security Response. Luckily the old Gavgent.A variant is what trips the Symantec software, so detection seems to be easy enough. Below is the header from the HTA file. The executable section contains a lot of obfuscated VBScript and an IFRAME that loads the microsoft.com site with some extra arguments on the query string.

<HTA:APPLICATION ID="GavGent.B-ID"
    APPLICATIONNAME="GavGent.B"
    CAPTION="Microsoft SMS Manager"
    SHOWINTASKBAR="yes"
    SYSMENU="yes"
    WINDOWSTATE="maximize">

This virus does the classic network worm thing and collects email addresses and spreads via the common methods. It tends to restart the computer it infects and is generally an annoying dude. It will also try to kill AV and other security processes upon execution. Details are available here.
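A defender's triage of an attachment like the one described above, as an added example that is not part of the original post: it compares each ZIP member's leading bytes with its extension and flags script-application members such as HTA files. The sample archive is constructed from harmless placeholder bytes; only the Product.jpg name comes from the scan log, while Setup.hta, photo.jpg and every function name are assumptions.

```python
import io
import os
import zipfile

# Leading bytes that identify what a file really is, whatever its name says.
MAGIC = (
    (b"MZ", "windows-executable"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF8", "gif"),
)
# Content type each image extension is expected to carry.
EXPECTED = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}
# Extensions Windows treats as programs or scripts when opened.
EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".com", ".pif"}
SCRIPT_EXT = {".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd"}
HEAD_BYTES = 4096  # only the start of each member is needed for triage


def sniff(head):
    """Return the content type implied by the member's first bytes."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"


def triage_zip(zip_bytes):
    """Return (member name, reason) pairs for suspicious archive members."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [("<archive>", "unreadable-archive")]
    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = os.path.splitext(name)[1].lower()
            if ext in SCRIPT_EXT:
                findings.append((name, "active-extension"))
            if info.flag_bits & 0x1:
                # Password-protected members cannot be inspected; report that.
                findings.append((name, "encrypted"))
                continue
            with archive.open(info) as member:
                head = member.read(HEAD_BYTES)
            kind = sniff(head)
            if kind == "windows-executable" and ext not in EXECUTABLE_EXT:
                # The case from the post: a binary shipped under an image name.
                findings.append((name, "exe-masquerade"))
            elif ext in EXPECTED and kind != EXPECTED[ext]:
                findings.append((name, "type-mismatch"))
            if b"<hta:application" in head.lower():
                findings.append((name, "hta-header"))
    return findings


def build_sample():
    """Constructed sample archive; the payloads are inert placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        # "MZ" plus padding: looks like an executable header, runs nothing.
        archive.writestr("Product.jpg", b"MZ" + b"\x00" * 62)
        # Hypothetical HTA member name with an empty application header.
        archive.writestr("Setup.hta", '<HTA:APPLICATION ID="example">')
        # A member whose content really does start like a JPEG.
        archive.writestr("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in triage_zip(build_sample()):
        print(f"{member}: {reason}")
```
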

The original email I received is below. The subject line was "SMS Manager from Microsoft."

Developer@microsoft.com wrote:

Dear Customer,
This email provides you information about new product from Microsoft
Corporation, called Microsoft SMS Manager.
These product would help your activities, you can send and receive SMS
messages through your PC with no charge before December 31, 2005 (trial
period).
It's compatible with most of GSM and CDMA operators.
The Installation's document is attached (Microsoft SMS Manager.zip).

For further informations, please contact support@microsoft.com

Best Regards,
---------------------------------------------------------------------

Microsoft Corporation
http://www.microsoft.com

Saturday, July 08, 2006 3:03:03 PM (Pacific Daylight Time, UTC-07:00) ( Random Stuff )

Remember that guy who decided last year to start with one red paperclip and trade it up for a house?

Well guess what?

He succeeded.

Kyle MacDonald will soon be moving into a house in the small town of Kipling in Saskatchewan.

The two-storey house in Kipling was built in the 1920s and has undergone renovations in recent years. Roach admits some touchups and yard work are needed before turning the keys over to MacDonald, and a work party is scheduled for Saturday, July 8 to do just that. He is hoping residents will jump on the bandwagon and that there will be lots of help that day, in preparation for welcoming Kyle and Dom to Kipling.

Here is the progression of trades (with a link to the details of each item):

one red paperclip; fishpen.JPG; knobt.JPG; coleman.JPG; generator.JPG; one instant party; skidoo2; yahk2; Cintas Cube Truck1995; one recording contract; phoenix; one afternoon with Alice Cooper; one KISS snow globe; one movie role; one house

Tenacity and a blog. Wow.


Saturday, July 08, 2006 12:33:25 PM (Pacific Daylight Time, UTC-07:00) ( Personal Stories | Random Stuff )

I'm feeling rather thoughtful and somewhat random today. I even cleaned the island counter in my kitchen. Well, sort of. How's that for unusual? It's nice to have a "down" day, for sure.

So anyhow, this morning I took this Jung personality type test online after surfing around on Portland craigslist for random stuff and finding a not-where-you'd expect link to the test on there somewhere (no idea where, craigslist is this infinitely random web of always changing complex stuff where one can always go to see how much more screwed up than oneself people really are). I took the profile test for kicks, and basically just because I like those sorts of things. They make me think. I ended up classified as type INFJ, which it seems is pretty much spot on when I read the description. I don't especially like everything about the fact that it's right on the mark, but hey - what can ya do? Heh.

Infj-profile-results

Then I took the short version of another online profiler that assesses your entrepreneurial business type. The results of that were also interesting. I'm fascinated with the questions these profile systems use, especially the whole group of them in combination. Depending on how the answers pattern out, I can see how one could accurately draw certain conclusions. Not sure how accurate these are in reality (they sure seem to hit the mark), but they are fun to run through nonetheless. It makes me think.

Biz-type-profile

Hmmm, always interesting to see what the robots think of you, eh?

So that got me thinking about something else that always seems to be on my mind: What do I want to be when I grow up? Sure I'm 39 and turning bald and grey (prematurely by the way, I really don't feel this old). But there's a part of me that wants to do things that matter - to somehow change the world, if you will. So, I have to indulge that part of me from time to time, if for no other reason than just to stay happy and sane. To make me think.

Earlier this week we did a big ol' fireworks display for the Clatskanie (Oregon) Heritage Days on July 4th, which was a lot of fun and quite successful. One of my friends from the pyro crew - Brad - brought along a friend of his who had not worked a fireworks show. Jake is his name and he works for a non-profit called Action Without Borders, and they have this interesting and cool web site at idealist.org that is basically a clearing house for, well, non-profits and idealists. Check it out, it's cool. It makes me think.

Anyhow, I enjoy what I do today because there are parts of it that "matter," and that drives me to do more. There are many other things I'd like to do someday - other things that might in some way change the world, or something like that. But I'll leave the descriptions of those things for another time.

Ask yourself this: How can you change the world? What will you do? What makes you think?


Thursday, July 06, 2006 11:41:02 PM (Pacific Daylight Time, UTC-07:00) ( Random Stuff | Things that Suck )

Just when you thought you'd seen it all, well - you'll just have to check this one out for yourself (from KGW.com).

Straight from the Portland Bureau of Ridiculousness...

A Northeast Portland man is suing basketball superstar Michael Jordan and Nike founder Phil Knight for a combined $832 million. Allen Heckard filed the suit himself, June 29th in Washington County Court. Heckard says he’s been mistaken as Michael Jordan nearly every day over the past 15 years and he’s tired of it.

“I'm constantly being accused of looking like Michael and it makes it very uncomfortable for me,” said Heckard.

Heckard is suing Jordan for defamation and permanent injury and emotional pain and suffering. He’s suing Knight for defamation and permanent injury for promoting Jordan and making him one of the most recognized men in the world.

Uhhh... Yeah, right. You can read the whole story here. And roll your eyes like me. Rolling eyes is so much fun. What an idiot.

My favorite quote from the story:

Some might wonder how he decided to sue Knight and Jordan for $416-million each. "Well, you figure with my age and you multiply that times seven and ah, then I turn around and ah I figure that's what it all boils down to."

Wow. Scary thing is he might get a few bucks tossed at him to go away. Or if we're lucky he'll lose hard and get stuck with the defendants' attorney's fees. You think he considered that possibility?

What an idiot. Sorry, but there are times when you just have to come out and say it.


Wednesday, July 05, 2006 7:03:20 PM (Pacific Daylight Time, UTC-07:00) ( Personal Stories | Random Stuff )

Today was a good day - more so than most. I realized this a few minutes ago as I stood in my freshly-mowed front lawn and surveyed my work.

First of all, the fact that the sun was still out and I was actually standing in my front yard (heck, the fact that I was even on my own property at 6pm on a weekday) was a minor miracle. Between extensive travel and the time spent at work catching up on all the stuff I miss while traveling, time spent at home has been very little. So a better-looking lawn and the fact that it's still plenty light out as I type this are both great things.

On top of that, an old friend from back when I lived in New Mexico - John Turner - called me today out of the blue. Seems he'd been searching for "Redneck Yard of the Week" and found my blog. Hmmm, interesting psychological questions about that search come to mind, heh. But anyhow, JT's one of my all-time favorite people and it was great to hear from him after a few years of disconnect and to catch up on the phone. People ask me why I put my cell phone number on this blog - now you know. JT mentored me (whether he knew it or not) and was a big factor in convincing me back in '98 and '99 to leave law enforcement and move into computers and technology. Mostly he helped me get past the risk/fear part and into the take-action part. Plus he believed I could do it and make it work when I was not so sure. He was also there for me during some very difficult times, and I will always appreciate that. He's an awesome dude and all around good people, and it's great to be back in touch.

Finally, I had a day where my schedule at work wasn't meeting after meeting after meeting. I am realizing more and more just how much endless meetings rob from your soul. So it was very nice to be able to sit still and catch up with the people I work with and to close a few loops.

And to top it all off, I am at home and done with yard work in time to catch a full hour of South Park on Comedy Central. The dogs were shocked to see me and to get a chance to play around, and the crazy cat is trying to get me to play fetch (what a weirdo). Ahhhh, the life!


Wednesday, July 05, 2006 1:22:14 AM (Pacific Daylight Time, UTC-07:00) ( Random Stuff )

Lighting the show

Update: Both Rich and Travis have posted blog entries about our fireworks show, check 'em out.

Once mortars (the tubes that the shells are launched out of) are installed (which takes a while and represents the bulk of the manual labor that goes into a show), it's time to load the shells. This is the last fireworks show post until I can get some video or images of the show itself from others, since during the display I have to watch the line crew and supervise for safety and light some shells myself - no time for taking pictures, so I rely on others.

(Update: Crew-member Erik Dake shot the picture at left, which shows us from a distance lighting off the shells that are launching into the night sky. Note that it's a long exposure - so you're seeing several shots worth of flame and lit up smoke. It gives you an inkling of an idea of what it's like, though.)

After installing the mortars, the remainder of the afternoon was spent loading the show, doing some walk-through training to show how we light the shells, lots of redundant safety training all afternoon, and finally getting some dinner before blowing the whole thing up. Several new crew members that were here for their first show had the chance to light the show and experience the smoke and noise. There's really nothing quite like it.

The show was terrific (lots of extended cheers from the crowd, which is pretty much the only real litmus test) and the crew did a great job from beginning to end. Here are some pictures of the crew members setting up and loading shells in the evening, in preparation for the show. Note that we spend about 6-7 hours setting up a show that took 22 minutes to completely destroy. It was worth it.

Here's the pics...

Travis (who got his pyrotechnician license from the state recently - congrats!) loads some of the mortars that will be used to fire the finale:

Travis loads the finale shells

Rich and Desann - first-timers - load a five-inch shell:

Loading more shells

The "other" Scoble (Alex, that is, also a first-timer) loading five-inch shells:

Alex loading

Jake (another first-timer, lots of those today) loads more shells:

Drop a shell

The crew loads the line:

Loading the line

Dave loading another mortar:

Dave drops a shell in

Jake, Jenn (also recently got her pyro license!), Brad and Erik (both repeat offenders) loading mortars with shells:

Crew loading

Thanks to a great crew for putting on a great show. I'll be glad to work with any and all of these people again.


Tuesday, July 04, 2006 3:19:49 PM (Pacific Daylight Time, UTC-07:00) ( Random Stuff )

Thank goodness for The Crew. Having plenty of people around to help makes all the difference in the world. This year I can actually man a shovel (before my back surgery I was mostly just giving directions, which always feels stupid). We've run through some initial safety talks and talked about how the whole process works. After we get everything installed and ready we'll do some training. But much to do before then.

Setting up is a lot of work, but hey it's worth it when you hear the crowd cheer at the end of the show. Besides, where else can you blow up several thousand dollars worth of high explosives legally in someone's neighborhood and have everyone love you for it?

A mortar is a tube that basically acts as a cannon - the shell is loaded into the bottom of the tube and the lift charge sends it out of the tube into the sky. It's, well, pretty exciting when it happens.

But before you can shoot them off you have to install the mortars, in our case in the ground. That means people, shovels and hopefully a good breeze. We're lucky today - not hot and a breeze to make it bearable. Last year was sweltering hot.

Everyone installs mortars - 4 and 5 inchers:

Installing Mortars

Back-filling the trench (which was dug by a back-hoe):

Installing more mortars

Lots and lots of tubes - hundreds of 'em:

Lots of tubes

More to come later...


Tuesday, July 04, 2006 12:35:32 PM (Pacific Daylight Time, UTC-07:00) ( Random Stuff )

Once again, I'm out setting up and preparing to fire off a fireworks show with a bunch of friends and helpers. I'll post a few updates here and hopefully be able to impart a little bit of what goes into setting up and executing a public display. EVDO rocks, by the way. A bit slow out in this neck of the woods, but still it's the only way to be able to write this from a field.

First of all, there's a significant amount of hurry-up-and-wait involved. I arrived early this morning (before 9am) to meet the truck that delivered the explosive shells. All 1.3G commercial fireworks have to be delivered by someone with a commercial driver's license and a HAZMAT endorsement, and I have been too lazy to get mine. I really need to do that. I've read the book and just need to get my butt in gear.

Dave showed up early

Anyhow, so since I had to get the shells at the early drop off, that means a bunch of time before the crew shows up to help set up the show. Luckily, Dave (at left) showed up early, too. He got here at the same time as the delivery truck. Talk about a glutton for punishment. Heh. Nice to have someone else around in the intervening hours.

And it suddenly got cold out. Turns out there's a 30% chance of rain mid-day, but by late afternoon it should warm up and the chance of rain drops off to pretty much zero. That's always nice when you have to shoot fireworks. Wet is bad, dry is good. And as I type this, it starts to rain. Go figure.

The picture set is at Flickr.com so look there for everything. Here's a few to start. I will add more later:

We start with an empty trench. Into this trench we will install about 400 mortars (you'll see those later).

An empty trench

Dave showed up really early. So he gets trench inspection duty.

Dave inspects the trench

A truck full of mortars and boxes of shells. Nothing exciting really, and it doesn't look like much until it's out of the truck. But we do that part a bit later, after the crew shows up. Right now they're all stuck on the other end of town calling me on my cell phone while the massive three hour parade goes on. For a relatively small town they sure have a huge parade! Heh.

Truck with equipment and shells

More later.


Saturday, July 01, 2006 5:05:10 PM (Pacific Daylight Time, UTC-07:00) ( IT Security | Safe Computing | Things that Suck )

The headline reads: "Credit card security rules to get update."

I see that and I think to myself, "Hey, cool."

Then I read the story.

What it should have said: "Credit card security rules that make perfect sense and protect your identity are about to be flushed right down the toilet because companies say it's too hard."

Now, that's not so cool.

Why is that? Industry requirements that were put in place not too long ago that required companies to encrypt sensitive information are going to be removed. Yes, you read that right - Removing the already established requirement to encrypt the data that is most sensitive and valuable. I'm not one who typically leans in the direction of government mandated standards, but in the absence of private self-regulation and in this particular case...

From CNET's News.com:

While security stands to benefit from a broader, another proposed change to the security rules may hurt security of consumer data, critics said. The new version of PCI will offer merchants more alternatives to encryption as a way to secure consumer data.

"Today, the requirement is to make all information unreadable wherever it is stored," Maxwell said. But this encryption requirement is causing so much trouble for merchants that credit card companies are having trouble dealing with requests for alternative measures, he said.

In response, changes to PCI will let companies replace encryption with other types of security technology, such as additional firewalls and access controls, Maxwell said. "There will be more-acceptable compensating and mitigating controls," he said.

The Payment Card Industry (PCI) security standard was developed to improve the security of applications processing credit card transactions. In the best-practices world of layered security, we deploy security in multiple locations and in different parts of the lifecycle. We even get redundant, especially in areas that matter the most.

To think that more firewalls can protect data in a way that makes it unnecessary to encrypt is ridiculous. Encryption protects data from theft when other layers are compromised. It keeps data safe even from internal theft (and trust me, that's at least as common as external theft, often even more so). It means - if done correctly - that even if a server is stolen from a datacenter, the bad guys still cannot get at the information that's stored in a secured form on the machine. Keeping people out is important, but encryption is about the bad guys that already got in. So let's can the firewall arguments, although perimeter security is still a critical thing to deploy.

Scanning software to make sure you cover the threats and reduce the chance of successful attack is a good thing - but having people analyze it with eyeballs is significantly better. Scanning software only finds the low hanging fruit that is exposed on the outside layers and only finds the things we already know about. It provides no mechanism for creative scrutiny and under-layer analysis. It doesn't account for finding the new threats and vulnerabilities. Those things take active brains and connected eyeballs. It's what I don't know how to detect that will kill me in this case. It's the holes I can't see today, but which will be all too obvious tomorrow. So let's drop the "build secure software" argument as an alternative to encryption, although it's still an important thing to do.

Ultimately, cu