Tuesday, 04 July 2006

Thank goodness for The Crew. Having plenty of people around to help makes all the difference in the world. This year I can actually man a shovel (before my back surgery I was mostly just giving directions, which always feels stupid). We've run through some initial safety talks and talked about how the whole process works. After we get everything installed and ready we'll do some training. But there's much to do before then.

Setting up is a lot of work, but hey, it's worth it when you hear the crowd cheer at the end of the show. Besides, where else can you blow up several thousand dollars' worth of high explosives legally in someone's neighborhood and have everyone love you for it?

A mortar is a tube that basically acts as a cannon - the shell is loaded into the bottom of the tube and the lift charge sends it out of the tube into the sky. It's, well, pretty exciting when it happens.

But before you can shoot them off you have to install the mortars, in our case in the ground. That means people, shovels and hopefully a good breeze. We're lucky today - not hot and a breeze to make it bearable. Last year was sweltering hot.

Everyone installs mortars - 4 and 5 inchers:

Installing Mortars

Back-filling the trench (which was dug by a back-hoe):

Installing more mortars

Lots and lots of tubes - hundreds of 'em:

Lots of tubes

More to come later...

Random Stuff
Tuesday, 04 July 2006 14:19:49 (Pacific Standard Time, UTC-08:00)

Once again, I'm out setting up and preparing to fire off a fireworks show with a bunch of friends and helpers. I'll post a few updates here and hopefully be able to impart a little bit of what goes into setting up and executing a public display. EVDO rocks, by the way. A bit slow out in this neck of the woods, but still, it's the only way to be able to write this from a field.

First of all, there's a significant amount of hurry-up-and-wait involved. I arrived early this morning (before 9am) to meet the truck that delivered the explosive shells. All 1.3G commercial fireworks have to be delivered by someone with a commercial driver's license and a HAZMAT endorsement, and I have been too lazy to get mine. I really need to do that. I've read the book and just need to get my butt in gear.

Dave showed up early

Anyhow, since I had to get the shells at the early drop-off, that means a bunch of time before the crew shows up to help set up the show. Luckily, Dave (at left) showed up early, too. He got here at the same time as the delivery truck. Talk about a glutton for punishment. Heh. Nice to have someone else around in the intervening hours.

And it suddenly got cold out. Turns out there's a 30% chance of rain mid-day, but by late afternoon it should warm up and the chance of rain drops off to pretty much zero. That's always nice when you have to shoot fireworks. Wet is bad, dry is good. And as I type this, it starts to rain. Go figure.

The picture set is at Flickr.com so look there for everything. Here's a few to start. I will add more later:

We start with an empty trench. Into this trench we will install about 400 mortars (you'll see those later).

An empty trench

Dave showed up really early. So he gets trench inspection duty.

Dave inspects the trench

A truck full of mortars and boxes of shells. Nothing exciting really, and it doesn't look like much until it's out of the truck. But we do that part a bit later, after the crew shows up. Right now they're all stuck on the other end of town calling me on my cell phone while the massive three-hour parade goes on. For a relatively small town they sure have a huge parade! Heh.

Truck with equipment and shells

More later.

Random Stuff
Tuesday, 04 July 2006 11:35:32 (Pacific Standard Time, UTC-08:00)

Saturday, 01 July 2006

The headline reads: "Credit card security rules to get update."

I see that and I think to myself, "Hey, cool."

Then I read the story.

What it should have said: "Credit card security rules that make perfect sense and protect your identity are about to be flushed right down the toilet because companies say it's too hard."

Now, that's not so cool.

Why is that? Industry requirements that were put in place not too long ago, which required companies to encrypt sensitive information, are going to be removed. Yes, you read that right - removing the already established requirement to encrypt the data that is most sensitive and valuable. I'm not one who typically leans in the direction of government-mandated standards, but in the absence of private self-regulation, and in this particular case...

From CNET's News.com:

While security stands to benefit from a broader, another proposed change to the security rules may hurt security of consumer data, critics said. The new version of PCI will offer merchants more alternatives to encryption as a way to secure consumer data.

"Today, the requirement is to make all information unreadable wherever it is stored," Maxwell said. But this encryption requirement is causing so much trouble for merchants that credit card companies are having trouble dealing with requests for alternative measures, he said.

In response, changes to PCI will let companies replace encryption with other types of security technology, such as additional firewalls and access controls, Maxwell said. "There will be more-acceptable compensating and mitigating controls," he said.

The Payment Card Industry (PCI) security standard was developed to improve the security of applications processing credit card transactions. In the best-practices world of layered security, we deploy security in multiple locations and in different parts of the lifecycle. We even get redundant, especially in the areas that matter the most.

To think that more firewalls can protect data in a way that makes it unnecessary to encrypt is ridiculous. Encryption protects data from theft when other layers are compromised. It keeps data safe even from internal theft (and trust me, that's at least as common as external theft, often even more so). It means - if done correctly - that even if a server is stolen from a datacenter, the bad guys still cannot get at the information that's stored in a secured form on the machine. Keeping people out is important, but encryption is about the bad guys that already got in. So let's can the firewall argument, although perimeter security is still a critical thing to deploy.

Scanning software to make sure you cover the threats and reduce the chance of a successful attack is a good thing - but having people analyze it with eyeballs is significantly better. Scanning software only finds the low-hanging fruit that is exposed on the outside layers, and only finds the things we already know about. It provides no mechanism for creative scrutiny and under-layer analysis. It doesn't account for finding the new threats and vulnerabilities. Those things take active brains and connected eyeballs. It's what I don't know how to detect that will kill me in this case. It's the holes I can't see today, but which will be all too obvious tomorrow. So let's drop the "build secure software" argument as an alternative to encryption, although it's still an important thing to do.

Ultimately, cutting out the data encryption requirements will make it easier for companies that do transactions - by trading off the security of sensitive, personal information. It comes at our expense. It's a bad idea. And you should do something about it.

It's not easy to do 99% of what makes up my job, and it's not always fun. Security is hard. It's not really supposed to be easy. But I do it because it's necessary and right. The identity of users is the proverbial gold and crown jewels of this real-life game. It's not about protecting institutional assets - it's all about protecting individual people's identities.

To be concise: Removing the encryption requirement is a fundamentally bad idea that will hurt real people in the real world. Especially in this day and age of identity theft and with the endless news stories covering data loss and theft where the data is vulnerable specifically because it's not encrypted, I'm rather shocked by the decision. It's another example of where doing what's right falls victim to doing what costs less and reduces complaints.

It's time to stand up for what's right for security. First of all, as a business you should not be storing any personal information that's not absolutely necessary and that I have not specifically told you I want you to store for me. Protection of the personal information you do store is your responsibility, but I own it. Encryption of my sensitive information in your systems should be a requirement, not a nice-to-have or a convenience-based suggestion.

IT Security | Safe Computing | Things that Suck
Saturday, 01 July 2006 16:05:10 (Pacific Standard Time, UTC-08:00)

Winners are not determined by who gets the last word or who attacks whom.

Or as one common user just said: "What I see here is ego overcoming ego." Could not be better said. The ego in this room is suffocating. The thought leadership is suffering as a result.

Typical of me, I didn't realize the first day of Gnomedex that the guy sitting on the floor behind me was, oh, one of the co-founders of Firefox. I figured that out pretty quickly when I did the "okay so that name sounds familiar, ummm, uhhhhh.... Oh!"

Yeah. So I'm getting old. Hey, at least I figured it out.

At any rate, I enjoyed the few quick chats over the past couple of days while sitting with Blake Ross, who as it turns out is a nice guy and is obviously wicked smart. He also cares about what he builds and the people who use it, and it shows.

Unfortunately, what I will call "the predictable regulars" here at the conference apparently seem to think they have a monopoly on caring. Unless you agree with these people, you lose. They scream and bitch and moan if they can't finish a sentence, and they complain about one person controlling the conversation, yet they cut others off when they try to participate in the conversation or when they - God forbid - try to defend themselves.

At any rate, Blake stepped on the stage today to talk about how Firefox went from zero market share to millions of downloads without a marketing budget and almost exclusively through community-driven effort. It's a success story worthy of review and notice. But the conversation - predictably - was dragged off by the predictable few into a pattern of argument and conflict. Blake tried to steer the conversation back to the topic at hand (which is what discussion leaders were supposed to do, let's be clear on that point) and was attacked for doing that, too.

What it specifically wasn't intended to be: A talk about features, bugs, roadmap or the future of Firefox.

And as Jeremy Zawodny said at the start of his presentation, which followed Blake's, the participants in this room sure do like to bitch. And so it goes.

So let me say this to Blake: Thanks for a great browser, and keep it up. Winners are not determined by who gets the last word or who attacks whom or how loud our little tiny echo chamber is. We all know that when it comes down to it.

And next year, maybe we should suggest they rename this conference if this is the way it's going to be. BitchCon, maybe. Or give each person two comment tickets at the door, and when you've used 'em up you can listen but not bloviate. I dunno - I love Gnomedex, but I also long for the days of the enthusiasts and the practical, even while enjoying the debate that Gnomedex has brought us this year. But the change has been fundamental, core and pervasive. It's a whole different show. Not a bad thing necessarily, just very different.

GnomeDex | Random Stuff
Saturday, 01 July 2006 14:34:45 (Pacific Standard Time, UTC-08:00)

A Gnomedex discussion took place earlier in the conference about sharing intimately personal things on weblogs and in public forums. There was a lot of other stuff in the conversation, too - but what I took away from it was the "what do you write about, why, and is it a good idea?" theme.

Some people are a truly and completely open book (crime, sex and all) on the Internet, while others who used to be quite open in their blogging have since changed and have pulled all the personal stuff back in, only writing about things that are not descriptive of real life. Kids these days (that's my old dude comment for the week) seem to post all kinds of things that some find both shocking and concerning.

For my part, I write both. I would never write about certain things that are definitely best kept private, and there are a number of specific things that happen in my life which I choose not to post here. But people do sometimes comment about things I write that are quite personal. It really doesn't take courage (people often say "I wish I had the courage to..."), just some common sense and a desire to think things through sometimes, which I find works out well by writing.

I often write (both the personal and the tech stuff) to clear my plugged up brain so I can sleep better. So I guess whatever comes out just comes out. With a filter. Like it or not. Good or bad.

Blogging | GnomeDex | Personal Stories | Random Stuff
Saturday, 01 July 2006 08:59:30 (Pacific Standard Time, UTC-08:00)

Friday, 30 June 2006

Chris Pirillo just mentioned onstage (at Gnomedex) that he wrote: TechMeme Hacked!!

Also - noted the launch of blaugh.com. Cool. The un-official comic of the blogosphere.

GnomeDex | Random Stuff
Friday, 30 June 2006 08:48:18 (Pacific Standard Time, UTC-08:00)