Sunday, 30 July 2006

This could be very bad... In an article published Friday, a couple of security companies (it's the good guys this time, at least - but they are planning to present it at Black Hat this week...) discuss how they've discovered a way to use your web browser and its built-in JavaScript engine to access information and resources inside the network where the browser resides and send it off to someone else or to launch attacks that appear to come from inside the network. This may be the next big wave of attacks.

SPI Dynamics is one of the companies mentioned in the article. They're discussing the results of their research at the Black Hat event this week, but they have also posted the article and a sample ("proof of concept" as they say) web page that does some of what they've discovered for all to see, use... and copy for that matter.

SPI Dynamics, by the way, has a quality set of expert articles, white papers, webcasts, and more on their web site.

Not sure how I feel about publishing this kind of stuff, but in the real world the bad guys will figure it out quickly enough anyhow, and I imagine they already have. The key to keeping this from becoming a major security event will be making sure cross-site scripting attacks cannot happen on web servers and using protective systems that catch malicious script on client machines before it gets run. Ultimately, JavaScript really needs to be revisited, but to do that probably means changing the way web sites work and coming up with a whole new standard.

JavaScript opens doors to browser-based attacks, by Joris Evers

Malicious JavaScript embedded in a Web site can let a miscreant map a home or corporate network and attack connected devices ...

... "We have discovered a technique to scan a network, fingerprint all the Web-enabled devices found and send attacks or commands to those devices," said Billy Hoffman, lead engineer at Web security specialist SPI Dynamics. "This technique can scan networks protected behind firewalls such as corporate networks" ...

... Both SPI Dynamics and WhiteHat Security came up with the JavaScript-based network scanner at about the same time, he said. The companies plan to talk about their findings at next week's Black Hat security event in Las Vegas.

IT Security | Tech
Sunday, 30 July 2006 07:06:54 (Pacific Standard Time, UTC-08:00)

Friday, 28 July 2006

Tell me what you think, share what you know... In large part, I help catch bad guys for a living. So I have my own perspective and base of experience, but please share yours.

You may already be familiar with the term "phishing" and possibly you have a good idea of what it means. If you're not familiar with the term, you should be. Essentially, bad guys set up fake "phishing" web sites, typically by copying an online banking or other e-commerce site. The bad guys then send out emails or use other means to try to get you to visit the fraudulent web site they've set up, in hopes you'll think it's legitimate and "update" your banking or other private information there. In reality you're not communicating with the actual bank or e-commerce company at all, and you're not really updating anything - rather, you are providing confidential identity and financial information to cyber-criminals. The bad guys then use that information to steal money, defraud you and others, and to create a new identity or leverage yours for their own gain. They're good at what they do, and the fact of the matter is, it works well enough for those who are the best in their "industry" (and it is its own micro-industry, as we'll discuss) to be motivated to make a career of it.

The general technique of convincing you via trickery to give up your private and sensitive information is called "social engineering." Bad guys act in ways that cause you to think you're communicating with a legitimate business, but in reality you're being defrauded of information and - in turn - your financial and identity assets. More recently even and similar sites have been faked, so we know these criminals are creative and go after us where we live. Whether it's a phone call from someone who sounds like a legitimate business person or a web site that looks like it's the real thing, it's all social engineering - tricking you into believing you're communicating information to a legitimate person or business when you're not.

You've likely seen emails show up in your in-box that pretend to be from ABC Bank or XYZ Credit Union. Beware any email that requests information from you. The emails typically say something has happened to your account or that they're verifying information, and you need to update your information by clicking a link to go to the bank's web site. But those emails are fakes, and so are the sites that load when you click the link. They're sent (well, spammed really) to anywhere from a few thousand to millions of people at once. Even when only a very small percentage of victims actually take the bait (hence the term phishing, eh?), the bad guys win and come out ahead - big time.

Unfortunately, people do take the bait. I see it every single day in my work. Just the other day I dealt with a situation in which someone who provided their information to a phishing site fraudster was ripped off for $19,000. We're talking about serious stuff here... Now, when you lose money it's sometimes recoverable (but not always - you can sometimes be held responsible for giving away security secrets, after all). But if someone steals your private identifying information - things like driver's license numbers, dates of birth, social security numbers and the like - it's bad news. You're in trouble. Recovering from a stolen identity can be nearly - and oftentimes completely - impossible. You can get a couple thousand dollars back if you get tricked into giving up a password, but you can't take back your social security number once someone knows it.

You get the picture.

So, phishing is when someone sends an email and tries to get you to provide your secret information on a web site that looks like a legitimate one, but which is really just a fake copy that some bad guy controls. A lot like walking into what you think is your favorite coffee chain and walking out with a Strychnine latte, really. And on top of that, you paid the bad guy who you thought was your friendly barista $5 for it - and left a tip.

We've covered some of the basics of phishing fraud - just the first thin layer of the problem, actually. Over the course of some future posts, we'll dig a bit deeper into the details of what makes up a phishing campaign and what can be done about it. We'll also discuss pharming, spear-phishing and other cute terms that start with "ph" but which are really just about the farthest thing from cute you can imagine.

There are solid reasons for this madness that plagues the financial service and e-commerce industries. But truly understanding the problem means more than just knowing what phishing emails look like and avoiding fake sites. The fact that the sites are even there in the first place, that the email actually reaches your in-box, that you can't tell a fake site from the real one - all of these things are problems in and of themselves. To truly prevent the problem - and let's face it, prevention is the golden key here - we need to know and understand much, much more.

For instance, do you know why certain banks, credit unions and online retailers are targeted over others? Here's a hint: It's not always about how many customers they have to target or how big a name the bank is, although that can be a factor. Many of the biggest targets are credit unions with just a few thousand customers. And do you know what the phishers actually do with the information they fraudulently trick you into providing?

Do you have any idea who the bad guys are?

That's a taste of what we'll be discussing here over the next few weeks. I'll publish some of my thoughts on these topics and more. Not the secret stuff that lets us catch them, but the information consumers and institutions can use to help combat the problem. It's an opportunity to learn and share information. If you have ideas, thoughts or comments about the phishing problem, or online fraud in general, please leave a comment on this entry, or write about it on your own blog, or alternatively you can email me (but please use the comments if it's safe and reasonable to do so in order to provide the benefit to others - I tend to get a lot of emails that would be much better from a community standpoint if they were posted instead as comments). I'll leverage my own thoughts as well as the thoughts of others like you to help build parts of the future discussion. With hat tips all along the way, of course.

IT Security | Safe Computing | Tech | Things that Suck
Friday, 28 July 2006 22:04:12 (Pacific Standard Time, UTC-08:00)

Lots of people get credit card applications in the mail. Recently (possibly as a result of increasing interest rates and therefore the potential to make more and more money) it seems like the number and frequency of credit card applications arriving in my mailbox has gone through the roof. Last week alone I received over 20 of these pre-approved applications. It's just nuts.

Another crazy thing is, one credit card company will send several each week. They're spending lots of money mailing me fancy color-printed paper to try to get me to sign up for a credit card at an interest rate (and a variable one at that) which I'd never touch. The ones with the low fixed rates are more appealing, but I really don't want or need more credit cards.

There are a lot better deals out there. What's the best credit card deal these days? Is there such a thing?

Random Stuff
Friday, 28 July 2006 21:59:17 (Pacific Standard Time, UTC-08:00)

Internet phone service is bad and getting worse, according to a new survey released last week. That's interesting, since I have been using Vonage at home for quite a while now and my experience has been that it's improved significantly over time. These days it's much better than the local "classic" wired telephone service. But apparently my VOIP experience might not be the norm, at least if you believe the people doing the testing:

Nearly one in five Internet phone calls are “unacceptable” in quality - with annoying woes ranging from echoes to clicking sounds. The problem is lines clogged with video, audio and other data that interfere with service, said the study by Brix Networks, which makes products that test the quality of so-called Voice Over Internet Protocol...

...Brix arrived at its conclusion after almost one million Internet phone tests were conducted by users at the company’s web site. The tests, started in late 2004, immediately revealed quality problems and Brix continued with the tests through early this year, before compiling and releasing its results...

All I can say is I really like Vonage. Between the call quality I get (very good) and the extra features, not to mention the lower price relative to POTS service, there's no way I'd go back.

(story via the Boston Herald)

Thursday, 27 July 2006 23:59:50 (Pacific Standard Time, UTC-08:00)
Wednesday, 26 July 2006

Forget "Hello, World." More like "Look Out, World!" Greg's gonna learn how to program. Just enough to be dangerous, I am sure... I mentioned this more than a year ago, but have yet to take advantage of it. And at the time all the content was not yet available.

Microsoft has more than 10 hours of online video training geared toward beginners (that would be me) on how to program using Visual C# 2005 Express. Woah, cool. Dubbed the Absolute Beginner's Video Series, it takes you from "Hello, world" to an RSS reader app. This is totally for me. Not only that, you can choose to stream the video or download it, and the project files are right there to download, as well. Nice - I can spend some airplane time learning how to program!

There's also a C# Windows Forms Controls video series and for those wanting instead of C#, the same series is also available for that language.

I'm glad to see this kind of content available - it's exactly what getting-old management types like me who wish they'd learned to program a modern language need.

The content of the C# and tutorials was provided by, which has a whole slew of great looking content available for people wanting to learn programming, from absolute beginner to more advanced level programmers, as well as people in-between.

Random Stuff | Tech
Wednesday, 26 July 2006 19:11:49 (Pacific Standard Time, UTC-08:00)

Tuesday, 25 July 2006

Jay Rosen at PRESSthink has an idea, and one that is certainly quite interesting. In his post "Introducing NewAssignment.Net," Rosen describes his idea, which would meld the best of what the Internet mob has to offer with the typically careful approach of professional journalism, into a new hybrid type of news gathering and creation process.

What can "networked journalism" do in the real world? What does news without the media look like? Check out Rosen's thought provoking and interesting post for that and more:

Alright, what is it?

In simplest terms, a way to fund high-quality, original reporting, in any medium, through donations to a non-profit called NewAssignment.Net.

The site uses open source methods to develop good assignments and help bring them to completion; it employs professional journalists to carry the project home and set high standards so the work holds up. There are accountability and reputation systems built in that should make the system reliable. The betting is that (some) people will donate to works they can see are going to be great because the open source methods allow for that glimpse ahead.

In this sense it’s not like donating to your local NPR station, because your local NPR station says, “thank you very much, our professionals will take it from here.” And they do that very well. New Assignment says: here’s the story so far. We’ve collected a lot of good information. Add your knowledge and make it better. Add money and make it happen. Work with us if you know things we don’t.

But I should add: NewAssignment.Net doesn’t exist yet. I’m starting with the idea.

Random Stuff
Tuesday, 25 July 2006 16:25:24 (Pacific Standard Time, UTC-08:00)

Sunday, 23 July 2006

Everyone and their brother has already written about Zune, Microsoft's planned new digital music player, service and whatever else comes of it (rumors and facts abound).

But have you seen the latest MS marketing virus? As in Zune viral marketing?

So, yeah... There ya go. Not sure the whole petting-rabbits thing is all that comfortable for me, but it's weird enough to get me to post this, so I guess it worked. Heh.

Oh, and if you are interested the background music is by Regina Spektor - visit her myspace if ya like.

Check out the Zune Insider blog (authored by - yes- a MS employee working on Zune):

"So what’s Zune? It’s Microsoft’s new, holistic approach to music and entertainment. And yes, this year, we’ll be releasing a device as part of the project. Under the Zune brand, we’re looking to build a community for connecting with folks, all to discover new music and entertainment."

The device (and service) better kick some serious butt - it will have to in order to beat the iPod, and let's face it... There's no goal worth Microsoft's time other than doing just that - in the long run. After all, iPods will eventually break (or get scratched into oblivion). What will you be buying when that happens?

Adding in WiFi to the portable device is cool, and so are some of the related ideas. One has to wonder about power consumption though - what will that look like? I especially like the "connected entertainment" ultimate goal - not just music, but video and other stuff, too.

This will truly be interesting to watch.

Random Stuff | Tech
Sunday, 23 July 2006 10:13:50 (Pacific Standard Time, UTC-08:00)

Friday, 21 July 2006

Honestly, I can't tell you how tired of the typical, average, mundane, same-old PowerPoint presentation I have become. 99 percent of the time, as soon as any given PowerPoint presentation starts, I can feel the bile and boredom start to slosh and boil in my gut - in part because I sit through so darn many presentations, but even more so because most presentations - well - they just suck.

There's nothing quite like a slide deck with all the bulleted words that will be coming right out of the speaker's mouth, if your intent is to say to your audience, "Hey, you're an idiot, so let me read this to you." Who's the idiot, really? There's nothing more redundant than reading and listening to the same thing. Or even worse, a zillion words on the screen while the speaker is talking about something else entirely. You lost me at "Hello."

So more and more I feel like I'm wasting my time. "Read to me, speak at me, bore me with bullets ad nauseam." Please, don't.

Don't get me wrong - I know people don't do this on purpose, they're trying hard and - well - it's the way everyone else does it, right? I also know I'm being a bit harsh (in order to make a point, really). It's just that for most every presentation anymore it doesn't matter all that much what it's actually about, because it's so much like everyone else's. PowerPoint is PowerPoint is PowerPoint, and it's tiring.

If you sell a product, or an idea, or something, you don't want it to be just like everyone else's, do you? Apply that rule to your presentation style - how do you differentiate yourself from the crowd?

We actually love the crowd, of course, because it's easy to stand out when everyone else is doing the same thing. But it's worth risking having to work harder at it if a few people will revisit their presentations and get out of the common PowerPoint traps.

Anyhow, I got to a point where I was also hating giving presentations with PowerPoint (which I do quite often), not because of the PowerPoint application itself, but because of the fact that all my presentations seemed to be basically the same, and all the templates out there seem to encourage it: Long bulleted lists, points to read aloud, graphs and charts and nasty nasty nasty clip-art. Seriously, using clip-art should be a felony. No, really. Seriously. Like as in prison.

So, a couple weeks ago I took a chance on a presentation I gave at a conference, and went all Lessig-ish with it. A couple words on each screen to punctuate the salient points, a plain white background with big, readable black letters centered on the screen, and the rest was all talk. No handouts (and believe me that was a real surprise for the attendees - but it's not like they walked out or rioted or anything). It took some concentrated effort to create the new presentation. Not rocket-science level effort, mind you - but extra work it was. Time well spent.

And - get this - it worked. The audience was engaged and the conversation (which is what it's all about - exchanging thoughts and ideas, as opposed to making a speech, right?) was interesting, for everyone including me. You could tell the format and style was something new for the audience, for sure, but the looks on people's faces were certainly fun to watch. And the thing is, they actually had looks on their faces. Gone was the blank gaze. Everyone in the room was looking at me as I spoke, and that means making a connection. They'd glance at the screen momentarily and then look back to me for the information, not the other way around. We actually looked in each others' eyes. Now, it's not that I have some kind of problem where I desperately need that kind of attention - it's just that it's clear as day that direct, personal communication is noticeably more effective and meaningful.

The questions from the crowd at the session were good - They were thoughtful, and the audience was obviously tuned in. Not that my audiences aren't tuned in in general - quite the opposite. But in this presentation you could sense the difference - One could feel the connection and involvement noticeably more.

After the conference, we sent my spartan slides, along with the relatively detailed speaker notes printed on the page below each slide, in PDF form to anyone who attended and wanted it. Gotta provide those handouts at some point, you know... Unless it's caught on video or something.

One of the best and most effective presenters I know personally, Scott Hanselman (it's my week to link to Scott, heh), called it "Existential Presentation." I assume by that he means free, individual, unique, possibly even rebellious. I can see that. 

Personally, being the practical and somewhat-less-eloquent guy I am, I see it as a kind of resurrection of some form of miraculous goodness from the hell of a bloated and obese PowerPoint existence. Ah, existence. I get it, Scott!

Anyhow -- What do you think?

P.S.  Great resources for presenters and presentation authors (hey - you do write your own presentations, right???):

  • Presentation Zen Blog (which has been subscribed in my aggregator for quite some time)
  • Garr Reynolds presentation tips
  • Scott Hanselman's Tips for a Successful Microsoft Presentation (great stuff)

From the comments, Jim Holmes points out a couple more great ones:

and Shane Perran also has some excellent suggestions:

  • Steve Jobs - Simply brilliant when it comes to presentation. That goes for most of the Apple design/marketing team
  • Guy Kawasaki - A one time Apple guy turned VC and absolute master of presentation
  • Seth Godin - Author of the ever popular Purple Cow and another master presenter and storyteller
  • Jakob Nielsen - While wildly hard-nosed about design, he knows content usability like no other - mostly web oriented, there is a lot of carry over

Those are all good ones, and most all those blogs I subscribe to (and the rest I just did, heh). Presentation is about content, style, design, personality, conversation... All important components.

Random Stuff | Tech | Things that Suck
Friday, 21 July 2006 14:51:58 (Pacific Standard Time, UTC-08:00)

Tuesday, 18 July 2006

Last week it was Toronto, and this week I am headed to Atlanta. I'll leave Portland in the early morning Wednesday and fly across the country and then back, once again. This time I decided to use a couple of those 500-mile class upgrade vouchers I've been earning and hoarding, since this is the last flight I have scheduled for at least the next few weeks (I have over 100,000 total miles accrued on my frequent flier account, including about 70,000 real, actual miles flown since February and 45 flight segments flown since the beginning of the year - sheez). I've been flying my body into a deep, dark pit of cramps and generalized pain. So, I figure I might as well try to make this trip a nice one, eh? Then when I get home and spend a couple or few weeks in my own bed maybe I'll eventually get back to "normal." Whatever that is, heh.

So... I'll be in the Columbus and Atlanta, Georgia areas Wednesday night plus all day Thursday and Friday. Then it's back home again. If I am lucky, my travel calendar will remain fairly close to what it looks like today and I won't have to fly again til sometime in August. Fingers crossed!

The travel can get in the way of fun. My friend Norm called me tonight to see if I could help shoot a big fireworks show (on a river barge) this Saturday but I had to say I'd better not unless he gets in a bad bind for crew members, since I don't get back home til late on Friday night. All this travel really takes a lot out of me, and I'd hate to only be partially effective while everyone else on the crew was out there working their butts off. At any rate, I do wish I could work this fireworks show - it will be a fun one, and with a good crew of people. Oh well - next time!

I think maybe United Airlines owes me something more than a few upgrade coupons and some miles that can only cash in on a limited set of flights/seats. What do you think airlines should do for their customers that travel a zillion miles a year on their flights?

At least they aren't charging to use pillows and blankets like Canada Air was on my last trip. Wow, talk about penny-pinching. It's not very attractive.

Personal Stories | Random Stuff
Tuesday, 18 July 2006 20:59:46 (Pacific Standard Time, UTC-08:00)

A colleague from Australia IMed me tonight asking for help with a pesky error he was running into when trying to use SMIGRATE for Windows SharePoint Services 2003 to back up a SharePoint site.

The error was "ERROR: 6553609 You are not authorized to perform the current operation."

There's a KB article that addressed that error, but even after following the instructions in the KB article, the problem persisted. So we kept trying to figure it out. Permissions on the machine were fine, IE settings were fine, everything else checked out...

Greg Hughes says:
send me exactly what you typed on the command line pls

Greg Hughes says:
for your smigrate command?

< Jason /> says:
C:\Program Files\Common Files\Microsoft Shared\web server extensions\60\BIN>smigrate -u domain\Administrator -pw **** -w http://siteserver/clients/ -f c:\backup.fwp

< Jason /> says:
yea even with that tool still says im not authorised to do it

Greg Hughes says:
just for grins try this...

Greg Hughes says:
smigrate -w http://siteserver/clients -f c:\backup.fwp -u domain\Administrator -pw ****

< Jason /> says:
o ur good ur really good

< Jason /> says:
lol its working

Greg Hughes says:
two differences - not sure which mattered but I have a guess

Greg Hughes says:
so try it this way next:

Greg Hughes says:
smigrate -w http://point/clients/ -f c:\backup.fwp -u sydney\Administrator -pw *

< Jason /> says:
rofl yea that breaks it

Greg Hughes says:
you see the difference?

< Jason /> says:
the slash interesting

Greg Hughes says:
non fault-tolerant tool

< Jason /> says:
lol yea

Greg Hughes says:
yep it doesnt like that

So apparently it's important to remove the trailing slash from the site URL you specify with SMIGRATE on the command line if you want it to behave correctly. Also note that the error you get when running the tool is the same one covered in the KB article I mentioned above (which addresses a different problem that's also related to backing up or restoring a SharePoint web):

"ERROR: 6553609 You are not authorized to perform the current operation."

The same error occurs when the trailing slash is applied in the site URL, at least in our case. So if you do everything in the KB article and still get the same persistent error, look for evil slashes...

For reference...

The syntax for SMIGRATE is:

smigrate -r -w <website URL> -f <backup file> [-e] [-y][-x]

-r performs a restore rather than a backup (optional)

-w signifies the start of the Web site URL for a site (no trailing slashes!)

-f is the backup filename with an FWP extension

-e is an option to exclude subsites during backup

-y confirms that any existing backup files will be overwritten

-x is an option to exclude security during restore

-u specifies an administrator username

-pw specifies an administrator password

Also, when it's time to restore, it's important to know that you have to restore to an empty subsite that you create in the SharePoint admin web tool - no template, no nothing - just an empty SharePoint enabled subweb site.

You can do this with the STSADM.exe tool, leaving out the extra syntax for specifying templates, titles, etc - all the stuff that makes it not blank...

stsadm.exe -o createweb -url http://server_name/sites/site1/subsite1

or, if you're creating a top-level site on the server that you want to restore to, you create it like this:

stsadm.exe -o createsite -url http://server_name/sites/site1 -ownerlogin <DOMAIN\user> -owneremail <email address> -ownername <display name>
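To make the trailing-slash lesson and the restore steps repeatable, here is an added example (my own, not code from the post or from Microsoft's tools) in Python that assembles the SMIGRATE and STSADM command lines and strips any trailing slash from the -w URL before it ever reaches the tool. It assumes smigrate and stsadm.exe are on the PATH (they live under the "web server extensions\60\BIN" folder); the server names, file names and accounts in it are constructed placeholders.

```python
"""Build SMIGRATE / STSADM command lines for a WSS 2003 site backup or restore,
guarding against the trailing-slash pitfall from the IM session above.

Added example for this post, not part of the original. Assumes smigrate and
stsadm.exe are on PATH; all site URLs, paths and accounts below are constructed.
"""
from __future__ import annotations

import subprocess
from urllib.parse import urlsplit, urlunsplit

SMIGRATE = "smigrate"   # assumption: on PATH
STSADM = "stsadm.exe"   # assumption: on PATH


def normalize_site_url(url: str) -> str:
    """Return the site URL without a trailing slash.

    SMIGRATE answers 'ERROR: 6553609 You are not authorized to perform the
    current operation' when the -w URL ends in '/', so the slash is removed here.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    return urlunsplit((parts.scheme, parts.netloc, parts.path.rstrip("/"), "", ""))


def build_smigrate_cmd(site_url: str, backup_file: str, user: str, password: str, *,
                       restore: bool = False, exclude_subsites: bool = False,
                       overwrite: bool = False, exclude_security: bool = False) -> list[str]:
    """Assemble the argument list in the order that worked in the session:
    -w and -f first, credentials last. -e is backup-only, -x is restore-only."""
    if not backup_file.lower().endswith(".fwp"):
        raise ValueError("backup file needs an .fwp extension")
    if exclude_subsites and restore:
        raise ValueError("-e (exclude subsites) only applies to a backup")
    if exclude_security and not restore:
        raise ValueError("-x (exclude security) only applies to a restore")
    cmd = [SMIGRATE]
    if restore:
        cmd.append("-r")
    cmd += ["-w", normalize_site_url(site_url), "-f", backup_file]
    if exclude_subsites:
        cmd.append("-e")
    if overwrite:
        cmd.append("-y")
    if exclude_security:
        cmd.append("-x")
    cmd += ["-u", user, "-pw", password]
    return cmd


def build_createweb_cmd(subsite_url: str) -> list[str]:
    """Create the empty subweb a restore needs: no template, no title, nothing."""
    return [STSADM, "-o", "createweb", "-url", normalize_site_url(subsite_url)]


def build_createsite_cmd(site_url: str, owner_login: str, owner_email: str,
                         owner_name: str) -> list[str]:
    """Create an empty top-level site to restore into."""
    return [STSADM, "-o", "createsite", "-url", normalize_site_url(site_url),
            "-ownerlogin", owner_login, "-owneremail", owner_email,
            "-ownername", owner_name]


def redacted(cmd: list[str]) -> list[str]:
    """Copy of a command with the -pw value masked, safe to log or paste."""
    out = list(cmd)
    if "-pw" in out:
        out[out.index("-pw") + 1] = "****"
    return out


def run(cmd: list[str]) -> int:
    """Run a built command, printing only the redacted form; returns the exit code."""
    print("running:", " ".join(redacted(cmd)))
    return subprocess.run(cmd, check=False).returncode


if __name__ == "__main__":
    # Constructed values; the trailing slash on the URL is stripped automatically.
    backup = build_smigrate_cmd("http://siteserver/clients/", r"c:\backup.fwp",
                                r"domain\Administrator", "secret")
    print(" ".join(redacted(backup)))
    # run(backup)  # uncomment on a machine that actually has SMIGRATE installed
```

Keeping the argument list as a Python list (rather than one string) also avoids quoting trouble with spaces in paths, and the redacted form is what belongs in any log or ticket.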

Also - remember that especially when it comes time to back up and restore sites, the patch levels and versions of the WSS servers you're dealing with might make or break your ability to get done what you want - so make sure the versions of your servers match if you keep running up against errors when you go to do your restore. Not a silver bullet, but it can be an elusive problem to troubleshoot.

SharePoint | Tech
Monday, 17 July 2006 23:31:58 (Pacific Standard Time, UTC-08:00)

Monday, 17 July 2006

There I was going to go and write up a big ol' post comparing the new IE7 beta 3 and Firefox 2.0 beta 1 releases, and it turns out Scott Hanselman already did a great job of it.

For lots of detail and good review, see Scott's post. He covers RSS capabilities, the anti-phishing/anti-fraud capabilities (yay Scott! heh), usability, download functionality, and more. Well worth the read.

Monday, 17 July 2006 21:53:15 (Pacific Standard Time, UTC-08:00)

Amanda Murphy's got a whole slew of great blog posts and screen shots from Office 2007 and SharePoint 2007, which is looking more and more to be a great collaboration platform. Lots and lots of new features and significant improvements over the 2003 versions.

Check out the list of posts here. Keep on posting more, Amanda!

Monday, 17 July 2006 20:52:17 (Pacific Standard Time, UTC-08:00)

Yeah, it's cliche and random, but the truth is Oregon's a great place to live. Heck, the whole Pacific Northwest is terrific. Here are just three among many reasons I say this...

Sunrise Mount Hood

Wild Iris

Photography | Random Stuff
Monday, 17 July 2006 20:16:08 (Pacific Standard Time, UTC-08:00)

Sunday, 16 July 2006

My lab, Buddy, died today. He was one of my oldest and best friends and lived more than 13 years, which they say is old for a lab.

He was a good dog, and a true friend. I'll miss him more than I can say.

People always commented about how well behaved he was. I trained him to do all sorts of things and he was very smart. One of his favorite things was to hold some sort of snack or food on his nose, balanced for as long as it took until you told him it was okay to toss it in the air off his nose and catch it mid-air. He practically always caught it, and would always wait for the okay, no matter how long it took. One time my son had him waiting, and got engrossed in a TV show and forgot Buddy was standing there, patiently and neurotically waiting for someone to give him the okay. A huge puddle of drool soaked the carpet under his feet. He always aimed to please, even if he couldn't control his drool.

Buddy came into my life one afternoon when my first foster son and I went to the local animal shelter and there he was, a tiny little black furball exactly eight weeks old. I could hold him in one hand, he was so tiny.

At any rate, I think everyone that ever met him over the past 13 years truly liked him, and when all is said and done, that says a lot. He'd been getting and appearing older and quite tired and worn out, and it was becoming obvious that time was catching up with him. People who met him before know that's unusual. He'd been almost like a puppy until about a year ago, and in recent weeks his breathing had become quite labored and he had slowed down a lot.

Now he's gone. Tonight I'll take him down to be cremated. My friend Tyson, whom I've known as long as Buddy, is going to meet me. I'll miss him. I'm glad he was my friend.

Add/Read: Comments [21]
Personal Stories
Sunday, 16 July 2006 17:58:13 (Pacific Standard Time, UTC-08:00)

There's an interesting story over at the Times of London online that describes the need for, and the future of, IPv6, a new addressing scheme for the Internet that takes the finite IP addressing scheme used today (which is quickly running out of addresses) and replaces it with something vastly larger. The story explains the new addressing scheme without getting all geeky, so it's good for non-technical types. It also does an effective job of explaining the massive difference between the old and new systems.

Only one problem - the math appears to be wrong in the article. IPv6 addresses are 128 bits long. IPv4 addresses are 32 bits long. So, I am not sure where the author's numbers came from...

"When the Internet was developed in the 1980s, programmers had no idea how big it would become. They gave each address a “16-bit” number, which meant that the total number of available addresses worked out at about four billion (2 to the power of 32).

"But as use grew, it became clear that the old protocol, IPv4, wasn’t big enough, so a new one was written based on '32-bit numbers.' That increased the number of available addresses to 340 undecillion, 282 decillion, 366 nonillion, 920 octillion, 938 septillion — enough for the foreseeable future, Mr Kessens said."

Well, the math is off but the article does get the point across that the change is significant. Too bad it's not more accurate, though. Read the story here.
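Since the point of the post is that the article's bit widths don't match its numbers, here is a quick check you can run yourself. It is an added example in Go, not part of the original post or the Times article: it computes 2^bits for 16, 32 and 128 bits and spells the leading digit groups in the short-scale names the article used, so you can see which bit width actually produces "about four billion" and which produces "340 undecillion, 282 decillion, ...".

```go
package main

import (
	"fmt"
	"math/big"
	"strings"
)

// Short-scale names for 10^(3*i); index 12 is "undecillion" (10^36), enough for 2^128.
var shortScale = []string{
	"", "thousand", "million", "billion", "trillion", "quadrillion",
	"quintillion", "sextillion", "septillion", "octillion", "nonillion",
	"decillion", "undecillion",
}

// AddressCount returns 2^bits, the number of distinct values an address field
// of the given width can hold (2^32 for IPv4, 2^128 for IPv6).
func AddressCount(bits uint) *big.Int {
	return new(big.Int).Lsh(big.NewInt(1), bits)
}

// Groups splits n into base-1000 digit groups, most significant group first,
// so 4294967296 becomes [4 294 967 296].
func Groups(n *big.Int) []int {
	s := n.String()
	for len(s)%3 != 0 {
		s = "0" + s
	}
	groups := make([]int, 0, len(s)/3)
	for i := 0; i < len(s); i += 3 {
		v := 0
		for _, c := range s[i : i+3] {
			v = v*10 + int(c-'0')
		}
		groups = append(groups, v)
	}
	return groups
}

// SpellLeading writes the `count` most significant groups of n in words, the
// way the article did ("340 undecillion, 282 decillion, ...").
func SpellLeading(n *big.Int, count int) string {
	groups := Groups(n)
	if count > len(groups) {
		count = len(groups)
	}
	parts := make([]string, 0, count)
	for i := 0; i < count; i++ {
		scale := len(groups) - 1 - i // which power of 1000 this group represents
		name := "?"
		if scale < len(shortScale) {
			name = shortScale[scale]
		}
		if name == "" {
			parts = append(parts, fmt.Sprintf("%d", groups[i]))
		} else {
			parts = append(parts, fmt.Sprintf("%d %s", groups[i], name))
		}
	}
	return strings.Join(parts, ", ")
}

func main() {
	for _, bits := range []uint{16, 32, 128} {
		n := AddressCount(bits)
		fmt.Printf("%3d-bit: %s = %s\n", bits, n, SpellLeading(n, 5))
	}
}
```

Run it and the 16-bit line comes out at 65 thousand, 536 (the old article's "16-bit" claim), the 32-bit line is the roughly four billion IPv4 actually has, and only the 128-bit line reproduces the article's 340 undecillion figure, so the big number is right and the bit widths attached to it are what's wrong.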

Sunday, 16 July 2006 07:53:23 (Pacific Standard Time, UTC-08:00)
 Friday, 14 July 2006

I'm in the Toronto airport waiting for my flight home this afternoon, and so I decided to check out what's happening in the world. Wow.

In my cybertravels here, I ran across photo stories depicting what's happening in the Middle East, and from there stumbled upon the Year in Pictures 2005. I used to work in photojournalism, for about 8 years. I have long since stopped doing professional photography, but I often long to be at it again, especially these days. Pictures can change a world. They can matter so much.

And the pictures in the Year in Pictures 2005 essay are powerful. Check them out.

Friday, 14 July 2006 11:58:04 (Pacific Standard Time, UTC-08:00)
 Wednesday, 12 July 2006

Microsoft and Yahoo! have announced they are releasing a combined, interoperable network for beta testing, which will allow users of each network to communicate with users of the other network. This is a great step toward creating an IM infrastructure without (or at least with fewer) borders.

"Windows Live Messenger and Yahoo! Messenger with Voice users in the U.S. and more than 15 international markets can register to participate in the IM interoperability beta by visiting Yahoo! at or Microsoft at"

See the press release here.

Wednesday, 12 July 2006 19:34:52 (Pacific Standard Time, UTC-08:00)
 Tuesday, 11 July 2006

Google introduced zooming in their maps interface. I went to check it out and in the process discovered the area that includes my home now has hi-res images and that my house, which was built about three years ago, now appears on the map. That's cool. Not that big of deal in the grand scheme of things, but still cool. And I found it by double clicking to step through the maps and visually found my rural home, level by level.


The new zooming feature is a nice addition to the interface. To see how it works, just go to Google Maps and double click on the map and you'll zoom on in. I found I was also able to zoom in and out with my scroll-wheel-like function on my ThinkPad's little eraser pointer control thingie - point the mouse on the spot you want to zoom in on and zoom away. Cool. What's that red eraser thing called, anyhow?

The Google Maps API official blog has the zooming details.

Tuesday, 11 July 2006 22:38:41 (Pacific Standard Time, UTC-08:00)

Microsoft made this announcement today in their Security Newsletter for Home Users. An interesting email headline, since the web site actually says Windows XP SP1 support is supposed to stop on October 10th; support for Windows 98 and ME was set to end today. At any rate, if you're running Windows 98 or ME, it's well past time to pack it in:

Effective today, Microsoft no longer provides support for Windows 98, Windows Millennium Edition (Windows Me), and Windows XP Service Pack 1. Customers can access existing support documents through the Microsoft Support Product Solution Center, but telephone and e-mail support and security updates are not available.

IT Security | Tech
Tuesday, 11 July 2006 20:52:05 (Pacific Standard Time, UTC-08:00)

Yesterday at work, I had the privilege of spending a couple hours with this cool kid named Connor. He's the son of a friend and coworker, and is an all-around good kid. Every now and then he'll come to work with his mom for a day and we'll hang out for a bit. It sure beats back-to-back meetings, heh.

Sidebar: For what it's worth, I'd kill to be eleven years old again (if I could stay that age, that is - no point in going through all those intervening years again, heh...).

True to form, he asked if we still have an XBOX. People kind of freak out when I tell them I bought an XBOX 360 for work. We actually have a couple of them on campus. "Video games at work??" they ask me. Heck yeah - it's a great way for creative minds to take an occasional and much-needed brain break (as long as it doesn't become something that's overdone), and some of the best idea-generating conversations happen when you're kicking someone else's butt in DOA4 or some other game. It's also of great interest, it turns out, to eleven-year-old kids. Yeah, go figure.

But most of the time we spent hanging out on Monday was occupied with trying to find a clean whiteboard somewhere in the building that didn't say "SAVE" on it (what the heck is up with THAT anyhow?) and then talking about computers and networks and how they work. Teaching kids something they have yet to learn about is really a lot of fun. I explained the underlying technology basics of how web browsers and web servers work, using analogies like phone books (for DNS), mapquest data (for routes) and phone numbers (for IP addresses) to try to describe some pretty complicated, intangible and abstract stuff in a way that makes some sort of sense. You know - looking up a name in a phone book and finding the phone number is like looking up a URL in DNS and getting an IP address, and using mapquest to figure out how to get from one place to another one step at a time is a lot like finding the route to a web server... We got a little more detailed than that, but you get the idea. His face really lit up when - all of a sudden - he "got it."

Next thing I knew, he was explaining how it works to me. Which was really cool. :)

I used to teach middle school kids back in the day, and there's something about those "getting it" moments that are a lot of fun to watch. Seeing reality expanding itself in a kid's mind is a pretty amazing thing. They sure do learn quickly.

At any rate, Connor will be back again sometime soon, and we'll see who's teaching whom whenever that day comes. For my part, I'm betting on the kid.

Personal Stories | Tech
Tuesday, 11 July 2006 15:44:02 (Pacific Standard Time, UTC-08:00)
 Monday, 10 July 2006

I'll be on the road (well, in the air actually) Wednesday through Friday this week, as I am traveling to Toronto, Ontario (Canada, of course), where I'll be speaking at a conference this Friday on the topic of strong authentication for web sites and the role of web site users in the security process. They say there will be somewhere around 2,000 attendees, so it should be an interesting conference. I've been doing a lot of this kind of presentation recently - there are many changes in the works in the financial services industry for performing strong authentication of people who access online banking and other secure web sites. That's pretty much everything I've been doing for the past year or so, in fact.

It's been several years since I have visited Toronto, so I am looking forward to the time there. It's always been one of my favorite cities - clean and attractive.

If anyone happens to be in the Toronto area later this week and wants to try to catch up, be sure to let me know. Email and phone info are in the menu bar on the right side of the page on this site.

Personal Stories | Random Stuff
Monday, 10 July 2006 20:06:34 (Pacific Standard Time, UTC-08:00)
 Sunday, 09 July 2006

The Firefox 2 Beta 1 release candidate I mentioned last night includes a new feature that I just noticed (after using it practically all day), and it's simply terrific. It may seem small, but often it's the little things that make a real difference.

As-you-type spell checking is built right in. Just right-click on anything Firefox doesn't recognize and you'll get just what you'd expect. Looks like it's a basic English dictionary that's used, so you'll have to add some commonly typed terms - even Firefox isn't in the dictionary.


In Internet Explorer I have used IESpell for a couple of years and it's always been very useful. But it doesn't do the red-underline thing to show me what's out of whack as I type, so this is another case where the Firefox team is again raising the bar.

Nice stuff.

NOTE: The Beta 1 release is set to hit the streets this week. Also, I confirmed that this weekend's binary release is definitely a pre-beta-1 release candidate (one of the nightly builds) and so it's likely (even probable) that it's not the same code that will ship as the actual Beta 1 this week. So, as mentioned last night, downloader beware. You'll probably want to wait. Sorry to anyone reading for gun-jumping, but hey we're all geeks around here, and it's in my nature to test early and test often.

Sunday, 09 July 2006 14:31:01 (Pacific Standard Time, UTC-08:00)

Note: Sometimes bleeding-edge is fun, but it's not for everyone. I mention that so you'll know that this blog post is not for average computer users. But for those that like to try the latest, greatest things the second they become available and don't mind installing pre-release software...

UPDATE 7/10/2006: Since this post was originally authored the RC2 binaries for FF2B1 have been released earlier today in the nightly builds area. I've removed the old links.

You know Firefox is a great browser, and if you're one of the hard-core, gotta-have-it types (like I am), you'll be glad to know binaries for Firefox v2 Beta 1 are available on the FTP server. It won't be formally released, they say, 'til Tuesday, and the files could certainly change between now and then (this looks like it's labeled RC1 of Beta 1), but as you can see from the image at right the 2.0b1 English binaries are there. You can grab it now:

Download binaries for:

You know you want it. There are some nifty and subtle updates in the release, like close buttons on browser tabs and friendly, clean feed display in the browser window.

And by the way... Really, you should know how this stuff works, it's not magic, you know. People are organized and work hard to give you something you can download for free and which makes your life better. Have you said thank you yet?

So, why don't you go and get to know the project a little bit? Find out what goes into the software you use. It is a community thing, after all. Here, I will help you with starter links and a few facts:

The codebase was frozen on July 5th in preparation for release this week. The latest status meeting notes are viewable here. The code name for the release up 'til now has been "Bon Echo." From the Firefox 2 section of the MozillaWiki (where you can get lots of geeky details for yourself, by the way - so go learn and amaze your friends) here's a touch of high-level Firefox 2 trivia:

Theme of Firefox 2

Firefox 2 will aim to build on the success of Firefox by addressing issues related to the problem of managing the vast amounts of information available on the Internet. Our goal is to provide a browser that helps users manage and organize their online information channels.

About Bon Echo

Continuing the tradition, Firefox 2 will use a pre-release code name taken from a public park. Bon Echo Provincial Park is located in Ontario, Canada. The name literally translates to "good echo", and reflects how our goal echoes that of Firefox 1, once again focusing on improving the browsing experience for our users, making it simple, effective, fast and useful.

While the release notes are not yet up as of this writing, and while the binaries you see on the FTP site certainly may change before they're formally released, you might also be interested in taking a look at the changes that were made up through the latest Alpha release (Alpha 3).

Sunday, 09 July 2006 01:35:06 (Pacific Standard Time, UTC-08:00)
 Saturday, 08 July 2006

Looks like a new variant of an old virus is making the rounds.

I got an email tonight in my personal email account that pretended to be from Microsoft and which contained a virus in an attached ZIP file. The attachment was called "Microsoft SMS" and contained two files, packaged as a .JPG file and a .HTA file. The JPG file is actually the infected binary (the extension is a disguise), and the HTA file is a real HTA with malicious content that calls the binary and performs some other actions. The email came from an IP at an ISP located in Asia.

Of course I didn't get infected, because I saw it as obviously fake. Microsoft will never send software or updates via email, but in the social engineering department this one is bound to fool a number of people (despite the bad grammar), so it's a good idea to get the word out. I confirmed the virus infection with Symantec's AV software client on the local machine.

Here is the info about the infected contents of the ZIP file (specifically the JPG file):

Scan type:  Auto-Protect Scan
Event:  Threat Found!
Threat: W32.Gavgent.A
File:  C:\DOCUME~1\*********\Temp\Temporary Directory 1 for Microsoft SMS\Product.jpg
Location:  C:\DOCUME~1\*********\Temp\Temporary Directory 1 for Microsoft SMS
Computer:  *******
User:  *******
Action taken:  Delete succeeded : Access denied
Date found: Saturday, July 08, 2006  11:22:31 PM

If the AV software is correct and it's actually a W32.Gavgent.A virus in this file, this is an older worm (1995) that was not too prevalent at the time. The dates on the files in the ZIP are 8/2005, so it's entirely possible this is a reuse of an older virus. The HTA file in the package is an actual HTA file, and it references "Gavgent.B" in its contents, so it's likely this is a repackaging of the Gavgent.A variant. At this time, there is no reference to Gavgent.B at Symantec Security Response. Luckily the old Gavgent.A variant is what trips the Symantec software, so detection seems to be easy enough. Below is the header from the HTA file. The executable section contains a lot of obfuscated VBScript and an IFRAME that loads the site with some extra arguments on the query string.

    CAPTION="Microsoft SMS Manager"

This virus does the classic network worm thing and collects email addresses and spreads via the common methods. It tends to restart the computer it infects and is generally an annoying dude. It will also try to kill AV and other security processes upon execution. Details are available here.
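The two tricks in this package, a Windows executable renamed to .jpg and an .hta launcher riding alongside it, are both visible without running anything: a real JPEG starts with the bytes FF D8 FF, a Windows executable starts with "MZ", and .hta is a type Windows hands straight to a script host. The Go program below is an added example (mine, not the post's or Symantec's): it opens a ZIP in memory and flags members whose content contradicts their extension or whose extension is an active type. The sample archive it builds is constructed for the demo (the member names, the fake MZ header and the one-line HTA are assumptions), not the real attachment.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"log"
	"path"
	"strings"
)

// Finding is one reason a member of the archive deserves a closer look.
type Finding struct {
	Name   string
	Reason string
}

// Leading bytes a file with these "harmless" extensions is expected to start with.
var magicByExt = map[string][]byte{
	".jpg":  {0xFF, 0xD8, 0xFF},
	".jpeg": {0xFF, 0xD8, 0xFF},
	".gif":  []byte("GIF8"),
	".png":  {0x89, 'P', 'N', 'G'},
	".pdf":  []byte("%PDF"),
}

// Extensions Windows hands to a script host or the loader on double-click.
var activeExts = map[string]bool{
	".hta": true, ".exe": true, ".scr": true, ".pif": true, ".com": true,
	".vbs": true, ".vbe": true, ".js": true, ".jse": true, ".wsf": true,
	".bat": true, ".cmd": true,
}

// Triage opens a ZIP held in memory and flags members whose first bytes say
// "Windows executable" while the name says otherwise, members whose content
// does not match a known image/document extension, and active script types.
func Triage(archive []byte) ([]Finding, error) {
	r, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, f := range r.File {
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		head := make([]byte, 8)
		n, _ := io.ReadFull(rc, head) // a short read just means a tiny file; still inspect it
		rc.Close()
		head = head[:n]
		ext := strings.ToLower(path.Ext(f.Name))

		switch {
		case bytes.HasPrefix(head, []byte("MZ")) && !activeExts[ext] && ext != ".dll":
			findings = append(findings, Finding{f.Name, "Windows executable (MZ header) disguised as " + ext})
		case magicByExt[ext] != nil && !bytes.HasPrefix(head, magicByExt[ext]):
			findings = append(findings, Finding{f.Name, "content does not match extension " + ext})
		}
		if activeExts[ext] {
			findings = append(findings, Finding{f.Name, "active content type " + ext})
		}
	}
	return findings, nil
}

// BuildSample constructs, in memory, an archive shaped like the one in the post:
// a PE image renamed to .jpg, an .hta launcher, and a benign text file. The
// contents are made up for the demo, not taken from the real attachment.
func BuildSample() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	members := map[string][]byte{
		"Product.jpg": append([]byte("MZ\x90\x00\x03\x00\x00\x00"), bytes.Repeat([]byte{0}, 64)...),
		"Setup.hta":   []byte("<HTA:APPLICATION CAPTION=\"Microsoft SMS Manager\">"),
		"readme.txt":  []byte("plain text"),
	}
	for _, name := range []string{"Product.jpg", "Setup.hta", "readme.txt"} {
		fw, _ := w.Create(name)
		fw.Write(members[name])
	}
	w.Close()
	return buf.Bytes()
}

func main() {
	findings, err := Triage(BuildSample())
	if err != nil {
		log.Fatal(err)
	}
	for _, f := range findings {
		fmt.Printf("%-12s %s\n", f.Name, f.Reason)
	}
}
```

The check is deliberately dumb: it only reads the first eight bytes of each member, so it costs nothing on mail gateways and catches exactly the extension games this sample plays. It will not catch a genuinely new binary hiding under a real .exe name, which is where the AV signature still earns its keep.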

The original email I received is below. The subject line was "SMS Manager from Microsoft." The sender wrote:

Dear Customer,
This email provides you information about new product from Microsoft
Corporation, called Microsoft SMS Manager.
These product would help your activities, you can send and receive SMS
messages through your PC with no charge before December 31, 2005 (trial
It's compatible with most of GSM and CDMA operators.
The Installation's document is attached (Microsoft SMS

For further informations, please contact

Best Regards,

Microsoft Corporation

IT Security | Safe Computing | Tech
Saturday, 08 July 2006 22:58:17 (Pacific Standard Time, UTC-08:00)

Remember that guy who decided last year to start with one red paperclip and trade it up for a house?

Well guess what?

He succeeded.

Kyle MacDonald will soon be moving into a house in the small town of Kipling in Saskatchewan.

The two-storey house in Kipling was built in the 1920s and has undergone renovations in recent years. Roach admits some touchups and yard work are needed before turning the keys over to MacDonald, and a work party is scheduled for Saturday, July 8 to do just that. He is hoping residents will jump on the bandwagon and that there will be lots of help that day, in preparation for welcoming Kyle and Dom to Kipling.

Here is the progression of trades (with a link to the details of each item):

one red paperclip → fish pen → knob → Coleman → generator → one instant party → skidoo → Yahk → Cintas cube truck → one recording contract → Phoenix → one afternoon with Alice Cooper → one KISS snow globe → one movie role → one house

Tenacity and a blog. Wow.

Random Stuff
Saturday, 08 July 2006 14:03:03 (Pacific Standard Time, UTC-08:00)

I'm feeling rather thoughtful and somewhat random today. I even cleaned the island counter in my kitchen. Well, sort of. How's that for unusual? It's nice to have a "down" day, for sure.

So anyhow, this morning I took this Jung personality type test online after surfing around on Portland craigslist for random stuff and finding a not-where-you'd expect link to the test on there somewhere (no idea where, craigslist is this infinitely random web of always changing complex stuff where one can always go to see how much more screwed up than oneself people really are). I took the profile test for kicks, and basically just because I like those sorts of things. They make me think. I ended up classified as type INFJ, which it seems is pretty much spot on when I read the description. I don't especially like everything about the fact that it's right on the mark, but hey - what can ya do? Heh.


Then I took the short version of another online profiler that assesses your entrepreneurial business type. The results of that were also interesting. I'm fascinated with the questions these profile systems use, especially the whole group of them in combination. Depending on how the answers pattern out, I can see how one could accurately draw certain conclusions. Not sure how accurate these are in reality (they sure seem to hit the mark), but they are fun to run through nonetheless. It makes me think.


Hmmm, always interesting to see what the robots think of you, eh?

So that got me thinking about something else that always seems to be on my mind: What do I want to be when I grow up? Sure, I'm 39 and turning bald and grey (prematurely, by the way; I really don't feel this old). But there's a part of me that wants to do things that matter, to somehow change the world, if you will. So, I have to indulge that part of me from time to time, if for no other reason than just to stay happy and sane. To make me think.

Earlier this week we did a big ol' fireworks display for the Clatskanie (Oregon) Heritage Days on July 4th, which was a lot of fun and quite successful. One of my friends from the pyro crew, Brad, brought along a friend of his who had not worked a fireworks show. Jake is his name and he works for a non-profit called Action Without Borders, and they have an interesting and cool web site that is basically a clearing house for, well, non-profits and idealists. Check it out, it's cool. It makes me think.

Anyhow, I enjoy what I do today because there are parts of it that "matter," and that drives me to do more. There are many other things I'd like to do someday - other things that might in some way change the world, or something like that. But I'll leave the descriptions of those things for another time.

Ask yourself this: How can you change the world? What will you do? What makes you think?

Personal Stories | Random Stuff
Saturday, 08 July 2006 11:33:25 (Pacific Standard Time, UTC-08:00)
 Thursday, 06 July 2006

Just when you thought you'd seen it all, well - you'll just have to check this one out for yourself (from

Straight from the Portland Bureau of Ridiculousness...

A Northeast Portland man is suing basketball superstar Michael Jordan and Nike founder Phil Knight for a combined $832 million. Allen Heckard filed the suit himself, June 29th in Washington County Court. Heckard says he’s been mistaken as Michael Jordan nearly every day over the past 15 years and he’s tired of it.

“I'm constantly being accused of looking like Michael and it makes it very uncomfortable for me,” said Heckard.

Heckard is suing Jordan for defamation and permanent injury and emotional pain and suffering. He’s suing Knight for defamation and permanent injury for promoting Jordan and making him one of the most recognized men in the world.

Uhhh... Yeah, right. You can read the whole story here. And roll your eyes like me. Rolling eyes is so much fun. What an idiot.

My favorite quote from the story:

Some might wonder how he decided to sue Knight and Jordan for $416-million each. "Well, you figure with my age and you multiply that times seven and ah, then I turn around and ah I figure that's what it all boils down to."

Wow. Scary thing is he might get a few bucks tossed at him to go away. Or if we're lucky he'll lose hard and get stuck with the defendants' attorney's fees. You think he considered that possibility?

What an idiot. Sorry, but there are times when you just have to come out and say it.

Random Stuff | Things that Suck
Thursday, 06 July 2006 22:41:02 (Pacific Standard Time, UTC-08:00)
 Wednesday, 05 July 2006

Today was a good day - more so than most. I realized this a few minutes ago as I stood in my freshly-mowed front lawn and surveyed my work.

First of all, the fact that the sun was still out and I was actually standing in my front yard (heck, the fact that I was even on my own property at 6pm on a weekday) was a minor miracle. Between extensive travel and the time spent at work catching up on all the stuff I miss while traveling, time spent at home has been very little. So a better-looking lawn and the fact that it's still plenty light out as I type this are both great things.

On top of that, an old friend from back when I lived in New Mexico - John Turner - called me today out of the blue. Seems he'd been searching for "Redneck Yard of the Week" and found my blog. Hmmm, interesting psychological questions about that search come to mind, heh. But anyhow, JT's one of my all-time favorite people and it was great to hear from him after a few years of disconnect and to catch up on the phone. People ask me why I put my cell phone number on this blog - now you know. JT mentored me (whether he knew it or not) and was a big factor in convincing me back in '98 and '99 to leave law enforcement and move into computers and technology. Mostly he helped me get past the risk/fear part and into the take-action part. Plus he believed I could do it and make it work when I was not so sure. He was also there for me during some very difficult times, and I will always appreciate that. He's an awesome dude and all around good people, and it's great to be back in touch.

Finally, I had a day where my schedule at work wasn't meeting after meeting after meeting. I am realizing more and more just how much endless meetings rob from your soul. So it was very nice to be able to sit still and catch up with the people I work with and to close a few loops.

And to top it all off, I am at home and done with yard work in time to catch a full hour of South Park on Comedy Central. The dogs were shocked to see me and to get a chance to play around, and the crazy cat is trying to get me to play fetch (what a weirdo). Ahhhh, the life!

Personal Stories | Random Stuff
Wednesday, 05 July 2006 18:03:20 (Pacific Standard Time, UTC-08:00)

Update: Both Rich and Travis have posted blog entries about our fireworks show, check 'em out.

Once mortars (the tubes that the shells are launched out of) are installed (which takes a while and represents the bulk of the manual labor that goes into a show), it's time to load the shells. This is the last fireworks show post until I can get some video or images of the show itself from others, since during the display I have to watch the line crew and supervise for safety and light some shells myself - no time for taking pictures, so I rely on others.

(Update: Crew-member Erik Dake shot the picture at left, which shows us from a distance lighting off the shells that are launching into the night sky. Note that it's a long exposure - so you're seeing several shots worth of flame and lit up smoke. It gives you an inkling of an idea of what it's like, though.)

After installing the mortars, the remainder of the afternoon was spent loading the show, doing some walk-through training to show how we light the shells, lots of redundant safety training all afternoon, and finally getting some dinner before blowing the whole thing up. Several new crew members that were here for their first show had the chance to light the show and experience the smoke and noise. There's really nothing quite like it.

The show was terrific (lots of extended cheers from the crowd, which is pretty much the only real litmus test) and the crew did a great job from beginning to end. Here are some pictures of the crew members setting up and loading shells in the evening, in preparation for the show. Note that we spend about 6-7 hours setting up a show that took 22 minutes to completely destroy. It was worth it.

Here's the pics...

Travis (who got his pyrotechnician license from the state recently - congrats!) loads some of the mortars that will be used to fire the finale:

Travis loads the finale shells

Rich and Desann - first-timers - load a five-inch shell:

Loading more shells

The "other" Scoble (Alex, that is, also a first-timer) loading five-inch shells:

Alex loading

Jake (another first-timer, lots of those today) loads more shells:

Drop a shell

The crew loads the line:

Loading the line

Dave loading another mortar:

Dave drops a shell in

Jake, Jenn (also recently got her pyro license!), Brad and Erik (both repeat offenders) loading mortars with shells:

Crew loading

Thanks to a great crew for putting on a great show. I'll be glad to work with any and all of these people again.

Random Stuff
Wednesday, 05 July 2006 00:22:14 (Pacific Standard Time, UTC-08:00)
 Tuesday, 04 July 2006

Thank goodness for The Crew. Having plenty of people around to help makes all the difference in the world. This year I can actually man a shovel (before my back surgery I was mostly just giving directions, which always feels stupid). We've run through some initial safety talks and talked about how the whole process works. After we get everything installed and ready we'll do some training. But much to do before then.

Setting up is a lot of work, but hey, it's worth it when you hear the crowd cheer at the end of the show. Besides, where else can you blow up several thousand dollars worth of high explosives legally in someone's neighborhood and have everyone love you for it?

A mortar is a tube that basically acts as a cannon: the shell is loaded into the bottom of the tube and the lift charge sends it out of the tube into the sky. It's, well, pretty exciting when it happens.

But before you can shoot them off you have to install the mortars, in our case in the ground. That means people, shovels and hopefully a good breeze. We're lucky today - not hot and a breeze to make it bearable. Last year was sweltering hot.

Everyone installs mortars - 4 and 5 inchers:

Installing Mortars

Back-filling the trench (which was dug by a back-hoe):

Installing more mortars

Lots and lots of tubes - hundreds of 'em:

Lots of tubes

More to come later...

Random Stuff
Tuesday, 04 July 2006 14:19:49 (Pacific Standard Time, UTC-08:00)

Once again, I'm out setting up and preparing to fire off a fireworks show with a bunch of friends and helpers. I'll post a few updates here and hopefully be able to impart a little bit of what goes into setting up and executing a public display. EVDO rocks, by the way. A bit slow out in this neck of the woods, but still it's the only way to be able to write this from a field.

First of all, there's a significant amount of hurry-up-and-wait involved. I arrived early this morning (before 9am) to meet the truck that delivered the explosive shells. All 1.3G commercial fireworks have to be delivered by someone with a commercial driver's license and a HAZMAT endorsement, and I have been too lazy to get mine. I really need to do that. I've read the book and just need to get my butt in gear.

Anyhow, since I had to get the shells at the early drop off, that means a bunch of time before the crew shows up to help set up the show. Luckily, Dave (at left) showed up early, too. He got here at the same time as the delivery truck. Talk about a glutton for punishment. Heh. Nice to have someone else around in the intervening hours.

And it suddenly got cold out. Turns out there's a 30% chance of rain mid-day, but by late afternoon it should warm up and the chance of rain drops off to pretty much zero. That's always nice when you have to shoot fireworks. Wet is bad, dry is good. And as I type this, it starts to rain. Go figure.

The picture set is at so look there for everything. Here's a few to start. I will add more later:

We start with an empty trench. Into this trench we will install about 400 mortars (you'll see those later).

An empty trench

Dave showed up really early. So he gets trench inspection duty.

Dave inspects the trench

A truck full of mortars and boxes of shells. Nothing exciting really, and it doesn't look like much until it's out of the truck. But we do that part a bit later, after the crew shows up. Right now they're all stuck on the other end of town calling me on my cell phone while the massive three hour parade goes on. For a relatively small town they sure have a huge parade! Heh.

Truck with equipment and shells

More later.

Random Stuff
Tuesday, 04 July 2006 11:35:32 (Pacific Standard Time, UTC-08:00)
 Saturday, 01 July 2006

The headline reads: "Credit card security rules to get update."

I see that and I think to myself, "Hey, cool."

Then I read the story.

What it should have said: "Credit card security rules that make perfect sense and protect your identity are about to be flushed right down the toilet because companies say it's too hard."

Now, that's not so cool.

Why is that? Industry requirements that were put in place not too long ago that required companies to encrypt sensitive information are going to be removed. Yes, you read that right - Removing the already established requirement to encrypt the data that is most sensitive and valuable. I'm not one who typically leans in the direction of government mandated standards, but in the absence of private self-regulation and in this particular case...

From CNET's

While security stands to benefit from a broader, another proposed change to the security rules may hurt security of consumer data, critics said. The new version of PCI will offer merchants more alternatives to encryption as a way to secure consumer data.

"Today, the requirement is to make all information unreadable wherever it is stored," Maxwell said. But this encryption requirement is causing so much trouble for merchants that credit card companies are having trouble dealing with requests for alternative measures, he said.

In response, changes to PCI will let companies replace encryption with other types of security technology, such as additional firewalls and access controls, Maxwell said. "There will be more-acceptable compensating and mitigating controls," he said.

The Payment Card Industry (PCI) security standard was developed to improve the security of applications processing credit card transactions. In the best-practices world of layered security, we deploy security in multiple locations and in different parts of the lifecycle. We even get redundant, especially in areas that matter the most.

To think that more firewalls can protect data in a way that makes it unnecessary to encrypt is ridiculous. Encryption protects data from theft when other layers are compromised. It keeps data safe even from internal theft (and trust me, that's at least as common as external theft, often even more so). It means - if done correctly - that even if a server is stolen from a datacenter, the bad guys still cannot get at the information that's stored in a secured form on the machine. Keeping people out is important, but encryption is about the bad guys that already got in. So let's can the firewall arguments, although perimeter security is still a critical thing to deploy.
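To make the "encryption is about the bad guys that already got in" point concrete, here is an added example (my own illustration, not code from this post, from CNET, or from any PCI document). It stores a card number the way the encryption requirement intends: the database row holds only a display mask and AES-GCM ciphertext, and the data-encryption key is handed to the application at runtime from a separate key store (simulated here by a constructed in-memory key). The record layout and the function names (`StoreCard`, `RecoverPAN`, `Exposed`) are assumptions for this example, and the card number is a constructed test value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// CardRecord is the only thing written to the merchant's database: a display
// mask plus AES-GCM ciphertext. The key that unlocks it is never stored here.
// (Hypothetical layout for this example.)
type CardRecord struct {
	Last4      string // for receipts and customer-facing display
	Nonce      string // hex-encoded GCM nonce, unique per record
	Ciphertext string // hex-encoded ciphertext with the GCM tag appended
}

// normalizePAN strips spaces and rejects lengths outside the usual 13..19 digits.
func normalizePAN(pan string) (string, error) {
	digits := strings.ReplaceAll(pan, " ", "")
	if len(digits) < 13 || len(digits) > 19 {
		return "", errors.New("PAN length out of range")
	}
	return digits, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// StoreCard encrypts the PAN under a data-encryption key fetched at runtime
// from a separate key store; the key never lands on the same disk as the
// record, which is what makes a stolen server or copied table useless.
func StoreCard(pan string, key []byte) (CardRecord, error) {
	digits, err := normalizePAN(pan)
	if err != nil {
		return CardRecord{}, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return CardRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return CardRecord{}, err
	}
	last4 := digits[len(digits)-4:]
	// The mask is passed as associated data: authenticated but not encrypted,
	// so moving this ciphertext onto a record with another Last4 is detected.
	ct := gcm.Seal(nil, nonce, []byte(digits), []byte(last4))
	return CardRecord{Last4: last4, Nonce: hex.EncodeToString(nonce), Ciphertext: hex.EncodeToString(ct)}, nil
}

// RecoverPAN is the only path back to the full number and needs the key;
// a wrong key or a tampered record fails the GCM tag check.
func RecoverPAN(rec CardRecord, key []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce, err := hex.DecodeString(rec.Nonce)
	if err != nil {
		return "", err
	}
	ct, err := hex.DecodeString(rec.Ciphertext)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, nonce, ct, []byte(rec.Last4))
	if err != nil {
		return "", errors.New("decryption failed: wrong key or tampered record")
	}
	return string(pt), nil
}

// Exposed models someone who walked off with the server or copied the table:
// do the stored fields, taken together, contain the full PAN?
func Exposed(rec CardRecord, pan string) bool {
	digits, err := normalizePAN(pan)
	if err != nil {
		return false
	}
	return strings.Contains(rec.Last4+rec.Nonce+rec.Ciphertext, digits)
}

func main() {
	key := make([]byte, 32) // constructed demo key; production fetches it from the key store
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	const pan = "4111 1111 1111 1111" // constructed test number
	rec, err := StoreCard(pan, key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: last4=%s nonce=%s ct=%s\n", rec.Last4, rec.Nonce, rec.Ciphertext)
	fmt.Println("stolen row reveals PAN:", Exposed(rec, pan))
	full, err := RecoverPAN(rec, key)
	fmt.Println("with key:", full, err)
	_, err = RecoverPAN(rec, make([]byte, 32))
	fmt.Println("without key:", err)
}
```

The firewall-versus-encryption trade-off shows up in `Exposed`: a firewall changes nothing about what is in the row once the row has been copied, whereas the ciphertext stays opaque until someone also obtains the key from the separate store. That separation is the hard part in practice, and it is exactly the part the "compensating controls" language lets merchants skip.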

Scanning software to make sure you cover the threats and reduce the chance of successful attack is a good thing - but having people analyze it with eyeballs is significantly better. Scanning software only finds the low hanging fruit that is exposed on the outside layers and only finds the things we already know about. It provides no mechanism for creative scrutiny and under-layer analysis. It doesn't account for finding the new threats and vulnerabilities. Those things take active brains and connected eyeballs. It's what I don't know how to detect that will kill me in this case. It's the holes I can't see today, but which will be all too obvious tomorrow. So let's drop the "build secure software" argument as an alternative to encryption, although it's still an important thing to do.

Ultimately, cutting out the data encryption requirements will make it easier for companies that do transactions - by trading off the security of sensitive, personal information. It comes at our expense. It's a bad idea. And you should do something about it.

It's not easy to do 99% of what makes up my job, and it's not always fun. Security is hard. It's not really supposed to be easy. But I do it because it's necessary and right. The identity of users is the proverbial gold and crown jewels of this real-life game. It's not about protecting institutional assets - it's all about protecting individual people's identities.

To be concise: Removing the encryption requirement is a fundamentally bad idea that will hurt real people in the real world. Especially in this day and age of identity theft and with the endless news stories covering data loss and theft where the data is vulnerable specifically because it's not encrypted, I'm rather shocked by the decision. It's another example of where doing what's right falls victim to doing what costs less and reduces complaints.

It's time to stand up for what's right for security. First of all, as a business you should not be storing any personal information that's not absolutely necessary and that I have not specifically told you I want you to store for me. Protection of the personal information you do store is your responsibility, but I own it. Encryption of my sensitive information in your systems should be a requirement, not a nice-to-have or a convenience-based suggestion.


IT Security | Safe Computing | Things that Suck
Saturday, 01 July 2006 16:05:10 (Pacific Standard Time, UTC-08:00)

Winners are not determined by who gets the last word or who attacks whom.

Or as one common user just said: "What I see here is ego overcoming ego." Could not be better said. The ego in this room is suffocating. The thought leadership is suffering as a result.

Typical of me, I didn't realize the first day of Gnomedex that the guy sitting on the floor behind me was oh, one of the co-founders of Firefox. I figured that out pretty quickly when I did the "okay so that name sounds familiar, ummm, uhhhhh.... Oh!"

Yeah. So I'm getting old. Hey, at least I figured it out.

At any rate, I enjoyed the few quick chats over the past couple days while sitting with Blake Ross, who as it turns out is a nice guy and is obviously wicked smart. He also cares about what he builds and the people who use it, and it shows.

Unfortunately, what I will call "the predictable regulars" here at the conference apparently seem to think they have a monopoly on caring. Unless you agree with these people, you lose. They scream and bitch and moan if they can't finish a sentence, and they complain about one person controlling the conversation, yet they cut others off when they try to participate in the conversation or when they - God forbid - try to defend themselves.

At any rate, Blake stepped on the stage today to talk about how Firefox went from zero market share to millions of downloads without a marketing budget and almost exclusively through community driven effort. It's a success effort worthy of review and notice. But the conversation - predictably - was dragged off by the predictable few into a pattern of argument and conflict. Blake tried to steer the conversation back to the topic at hand (which is what discussion leaders were supposed to do, let's be clear on that point) and was attacked for doing that, too.

What it specifically wasn't intended to be: A talk about features, bugs, roadmap or the future of Firefox.

And as Jeremy Zawodny said at the start of his presentation, which followed Blake's, the participants in this room sure do like to bitch. And so it goes.

So let me say this to Blake: Thanks for a great browser, and keep it up. Winners are not determined by who gets the last word or who attacks whom or how loud our little tiny echo chamber is. We all know that when it comes down to it.

And next year, maybe we should suggest they rename this conference if this is the way it's going to be. BitchCon maybe. Or give each person two comment tickets at the door, and when you've used 'em up you can listen but not bloviate. I dunno - I love GnomeDex but I also long for the days of the enthusiasts and the practical, even while enjoying the debate that Gnomedex has brought us this year. But the change has been fundamental, core and pervasive. It's a whole different show. Not a bad thing necessarily, just very different.

GnomeDex | Random Stuff
Saturday, 01 July 2006 14:34:45 (Pacific Standard Time, UTC-08:00)

A Gnomedex discussion took place earlier in the conference about sharing intimately personal things on weblogs and in public forums. There was a lot of other stuff in the conversation, too - but what I took away from it was the "what do you write about, why, and is it a good idea?" theme.

Some people are a truly and completely open book (crime, sex and all) on the Internet, while others who used to be quite open in their blogging have since changed and have pulled all the personal stuff back in, only writing about things that are not descriptive of real life. Kids these days (that's my old dude comment for the week) seem to post all kinds of things that some find both shocking and concerning.

For my part, I write both. I would never write about certain things that are definitely best kept private, and there are a number of specific things that happen in my life which I choose not to post here. But people do sometimes comment about things I write that are quite personal. It really doesn't take courage (people often say "I wish I had the courage to..."), just some common sense and a desire to think things through sometimes, which I find works out well by writing.

I often write (both the personal and the tech stuff) to clear my plugged up brain so I can sleep better. So I guess whatever comes out just comes out. With a filter. Like it or not. Good or bad.

Blogging | GnomeDex | Personal Stories | Random Stuff
Saturday, 01 July 2006 08:59:30 (Pacific Standard Time, UTC-08:00)