World Summit foiled by Stallman

Bruce Perens noted in his blog on November 18th that Richard Stallman was causing quite a stir at the World Summit on the Information Society in Tunis because he wrapped his RFID badge in aluminum foil. I suppose that is about as good a publicity stunt as you could hope for if you are someone opposed to radio-based identification and tracking. Security would have been wise to have just left him alone, rather than making a fuss and trying to detain him between sessions.

You can’t give Richard a visible RF ID strip without expecting him to protest. Richard acquired an entire roll of aluminum foil and wore his foil-shielded pass prominently. He willingly unwrapped it to go through any of the visible check-points, he simply objected to the potential that people might be reading the RF ID without his knowledge and tracking him around the grounds. This, again, is a legitimate gripe, handled with Richard’s usual highly-visible, guile-less and absolutely un-subtle style of non-violent protest.

Happy Thanksgiving

One day I became curious how Lincoln’s Presidential Proclamation to reunify America turned into a feast of turkey legs, mashed potatoes, and pie.

I mean it seems fairly certain at first glance that the American holiday today was a result of President Lincoln’s third day of Thanksgiving, October 3, 1863, when he brought to national attention the cause for a November holiday to give thanks for “general causes” rather than “special providences” such as wartime victories. He thus declared a general and national Thanksgiving that year to be held on the last Thursday in November. Lincoln proclaimed:

Needful diversions of wealth and of strength from the fields of peaceful industry to the national defense have not arrested the plow, the shuttle, or the ship; the ax has enlarged the borders of our settlements, and the mines, as well as the iron and coal as of our precious metals, have yielded even more abundantly than heretofore. Population has steadily increased notwithstanding the waste that has been made in the camp, the siege, and the battlefield, and the country, rejoicing in the consciousness of augmented strength and vigor, is
permitted to expect continuance of years with large increase of freedom.

The actual origins appear to have been based in the observance of the bounty of peaceful industry and labor in-spite of ravages from a brutal civil war. And it was this particular Thanksgiving that was the first in the unbroken series of the national holiday tradition celebrated today. Unfortunately I never see this little bit of history brought to light during the holiday season.

Where did Lincoln get the idea from? It seems that the Thanksgiving holiday is evolved from a very routine English Puritan religious observation, which was irregularly declared and celebrated “in response to God’s favorable Providence”. Over time these observations by early settlers turned into a single, annual, quasi-secular New England autumnal celebration, but this was still a very small minority of Americans and it is not clear what Lincoln’s relationship with them might have been.

It is sometimes claimed that the first actual recorded “national” Thanksgiving was a formal declaration in 1777 by the Continental Congress. This event, however, had very little popularity outside a few peculiar and religious sects and “Thanksgivings” subsequently were only declared occaisonally and infrequently until 1815 when they apparently disappeared altogether.

The holiday thus was seen mainly as a regional observance until 1863 when President Lincoln declared three Thanksgiving days, two of which to celebrate Union military victories; the first following Shiloh on April 13 and the second a national day of thanks for the Gettysburg victory on August 6. The third day is the one described in the proclamation above. Perhaps Lincoln’s own family ties had some relevance to Thanksgiving, or perhaps he encountered it among his constituents and decided to expand the practice. Either way, today’s national holiday celebration was clearly founded at the end of the Civil War and not by the pilgrims or the Founding Fathers, as is often incorrectly claimed.

In fact, presidential declarations of Thanksgiving made absolutely no mention of the Plymouth Pilgrims or a “First Thanksgiving” until Herbert Hoover’s proclamation of 1931. This revision was apparently due to a change from how Pilgrims (and Indians) were perceived. Depictions of the settlers in America before the 19th century showed violent confrontation with people they encountered. As late as the 1910s a typical Thanksgiving “Pilgrim-puritan” image is more likely to have suggested settlers were fleeing a shower of arrows and running to safety than sitting down for a friendly meal with the “natives”.

The more modern imagery of Pilgrims and Indians sharing a communal and harmonious meal most likely found its place as an icon of American history in the early 1900s. The U.S. was concerned at that time with large numbers of immigrants and the related issues of integration into American culture. A Thanksgiving image of dissimilar ethnic communities co-existing amid peace and plenty was considered an effective message to help avoid confrontations. It was out of this school of thought that Jennie Brownscombe’s “First Thanksgiving” was painted in 1914 for Life magazine. Pilgrims were cast in a role to provide an example of the close-knit, religiously inspired American community. This also gained popularity as an image of American values and virtuosity to help boost morale during the dark days of the First World War.

Support for the holiday then unravelled a bit when President Roosevelt tried in 1936, against opposition, to move the day forward by a week to extend the Christmas shopping season. By 1941, during his administration, Congress declared the fourth Thursday in November to be the legal Holiday known today as Thanksgiving. However, since there are five Thursdays in November (two out of every seven years) several states continued to celebrate on the fifth Thursday for at least the next 15 years. Any guesses which states refused to comply?

Finally, in 1956 the fourth Thursday in November became the national holiday that Americans recognize today, observed similarly by every state in the Union.

The relevance of turkey to the holiday celebration is even more unclear than the origins of the celebration. Perhaps it stems from an early description of “men out fowling” for ducks, geese, and turkey (e.g. as described in the Bradford document, “discovered” in 1854). Or perhaps it is due to sentiment expressed in Benjamin Franklin’s note that “The turkey is a much more respectable Bird and withal a true original Native of North America”. Franklin actually was so enamored of the bird that he was in favor of using the turkey as the national Bird, instead of the Bald Eagle. Thus, perhaps he is not the person to have suggested it as a centerpiece for the dinner-table.

And so, today, I have yet to meet an American who has any idea why Lincoln started the holiday, why they are asked to celebrate the image of Indians and Pilgrims, or even why they are eating a native bird.

Presidents as Poets

The US Library of Congress has launched an interesting site called “Presidents as Poets“, which has information about the following men:

  • George Washington
  • James Madison
  • John Quincy Adams
  • Abraham Lincoln
  • Jimmy Carter

The collection includes an infamous poem attributed to Lincoln:

    To ease me of this power to think,
    That through my bosom raves,
    I’ll headlong leap from hell’s high brink,
    And wallow in its waves.

Haiku for today

Dag Hammarskjold, Markings, p. 190-191 (Translated from Swedish by Leif Sjoberg and W. H. Auden)

    Congenial to other people?
    It it with yourself
    That you must live.

    Denied any outlet,
    The heat transmuted
    The coal into diamonds.

    Alone in his secret growth,
    He found a kinship
    With all growing things.

The manuscript for the book was left by Hammarskjold to be published after his death. He was Secretary-General of the United Nations (UN) when he died in an air crash on September 18, 1961 en route to negotiate a cease-fire between the UN and Katanya forces in Northern Rhodesia (now Zambia). I was introduced to his writings while studying the origins of the conflict.

Belief in evolution may prevent bird-flu

I was riding in an airplane not very long ago, seated next to a young woman who was on her way to visit a college. She was from somewhere in Oregon where everyone goes to a Christian school and practices strict rules of virtuous living. For example, she said, children are not allowed to carry bags or boxes in the school buildings in order to ensure that everyone can safely escape during a fire.

Makes sense, right? I didn’t think so either. But I wasn’t content to just nod blithely and let her discover reality on her own. No, I had to argue with her for several hours and try to help her arrive at a more logical conclusion about rules that ban kids from carrying bags.

One item in particular that really seemed to surprise her was that Darwin might have contributed something meaningful to the modern world. Believe it or not, this intelligent-seeming woman had been told that Darwin wrote a Theory of Evolution because his daughter died at a young age and so he became an athiest and just wanted to thumb his nose at God. I’m not making this up. She said they learned this in school, as well as bible camp. It’s amazing what passes for an education in America these days. Anyway, the story only became stranger when the woman said she was planning to study biology or chemistry in college. “How it doesn’t really exist?” I asked with glee.

To make a long story short, I don’t know if I made a positive impact on this woman, but I did my best to help her emphasize critical thinking and using the scientific method to arrive at conclusions in order to gradually help her debunk most of what she had probably been raised to believe as absolute gospel. And then today I read the amusing news that a NY museum has said that without Darwin’s theory we would be far less able to research and fight the bird flu:

“Without his insights, we would fail to appreciate the dangerous potentials of rapid evolution in the avian flu virus,” Michael Novacek, curator of paleontology at the museum, told a news conference on Tuesday.

To which the creationists replied “Obviously God created Darwin so that he could create the insights that would create the understanding that will create the ultimate vaccine for those who are chosen to survive. Isn’t that self evident? You say ‘proof’, I say banana.”

Auto-nomy no more

I’m a big fan of digital camera technology, and thus I usually am quick to support intelligent uses related to detective controls. Take for example a Bed & Breakfast that had issues with people loitering across the street dealing drugs. The B&B installed a camera, took some extracted video to the absent property owner and the next thing you know the neighborhood felt safe again. Here’s another example. Some well-intentioned system administrators were moving equipment in the racks when suddenly a core network device went off-line. Everyone started pointing fingers but a simple review of the video at the exact moment that the services were terminated shows who was in the cookie jar pulling power cables, and who was not.

Surveillance doesn’t happen in a vacuum, however, and there should be the same care and caution applied as with any other detective controls. Sadly, some investigators get so excited about the opportunity to nail every tiny infraction with uncontestably strong evidence that they start to sound like rabid dogs, ready to chase down every living thing and chew it to the bone.

Take for instance this proposal, recently captured in The Times:

BRITAIN’S top traffic policeman is pushing through plans to create a national network of roadside spy cameras that will be able to track the movements of motorists around the clock.

Meredydd Hughes wants the cameras to be installed every 400 yards on motorways, as well as at supermarkets, petrol stations and in town centres.

They are designed to crack down on uninsured driving, road tax evasion and stolen cars, but will also monitor millions of law-abiding drivers.

It sounds expensive and invasive with little return, if you ask me. One thing that surveillance camera projects should never do is start with an overly broad objective. It is similar to saying you want to write software to improve security every 400 yards on motorways…if you don’t start out with a good focus on the purpose of the system, then you will never end up with a clear picture of its usefulness.

On the other hand, when someone actually reveals that not only is there no intended benefit to the public but the real purpose of the surveillance (detective control) system is to become a source of revenue/taxation for the police, well, that should ring some alarm bells under the category of “clear conflict of interest”:

An Acpo strategy document, seen by The Sunday Times, makes the controversial suggestion that every ANPR “intercept officer� should aim to issue at least 310 fixed-penalty notices a year.

Blog riot

Fascinating article in the Guardian by Jeff Jarvis about online communication as a tool in the French riots:

the arrest last week of at least three young bloggers for allegedly using their sites to incite violence precisely highlights the confusion this new medium brings

I am surprised to hear that the French government is trying to control the debate by spending advertising money on Google. That just seems unsettling on so many levels, it’s hard to know where to begin.

UK Trains to get Airport Security

The Guardian reports today that train stations in the UK are considering passenger security to be implemented in a similar fashion to airports. The problem with train stations today, which they rightly identify, is that they are not “closed”, especially compared to the sealed-off nature of airport terminals. Trains also are regularly accessible, unlike planes at 30,000 ft.

When you get right down to it, train security actually does not have much in common with planes other than the movement of large numbers of passengers on a schedule (e.g. “public transportation”).

The airport screening model seems to be increasingly considered high-cost and largely biased in some odd control areas, especially if you consider the lack of relevance to other forms of public transportation, so let’s hope the upcoming conference gets back to the basics like preventive and detective controls, defense-in-depth, etc.

FTP pubstro

An increase in attacks meant to setup high speed, public, distribution networks (pubstro) seems to be spreading. In a nutshell, this means vulnerable servers are being used as hosts for hidden ftp servers with little impact on other data that might be exposed on the host. Nothing especially new here other than the amazing efficiency of the attacks, which leads to robust “networks” of compromised systems, as well as the fact that breach laws are now in effect. The odd situation with market forces in this scenario is that attackers seem better at writing code to remotely install agents to generate revenue than many of the companies that are actually supposed to be in charge of the servers themselves. If this rate of change goes unchecked, my guess is that developers may see a more lucrative future in stealing resources than in being tasked to try and prevent them from being stolen. But who should bear the cost of the disincentives?

Some discussion on Educause suggests even fully-patched Windows 2000 systems are at risk.

Microsoft labels Sony DRM as spyware

Jason Garms finally stepped up to the plate on Saturday, November 12th, 2005 and announced that Microsoft’s internal Anti-Malware Engineering Team formally acknowledges Mark Russinovich’s October 31st, 2005 blog entry and will now add Sony’s DRM software into its anti-malware software. That’s right, twelve days after the news broke and two full days after exploits were documented in the wild, Microsoft has quietly announced on a blog that they are going to update their signatures.

Here is Microsoft’s criteria for determining what is spyware, and here are some comments I made earlier.

Quite frankly, we all know that people dumped Microsoft’s anti-spyware software once it was revealed that they cave to companies for odd reasons (which begs the question of what spyware company wouldn’t apply pressure if they know they can — hello, spyware is all about being annoying and persistent, no?).

But even so, I am really disappointed that Microsoft continues to show that they are not the kind of company that a user or company can bank on if they need security. Sony has had to eat so much publicity about this issue that just about everyone and their dog is aware of the issue (contrary to what Thomas Hesse, President of Sony BMG, suggested in an NPR interview, that people don’t know enough to care about root-kits). Just take a look at an anti-virus company who started addressing the issue the very day the news of the root-kit broke. F-secure claims that they were even working on it prior to Mark’s announcement because they were fielding reports about the same suspicious behavior.

The Inquirer responded to Microsoft’s blog announcement on Sunday, November 13th, 2005, with an excellent write-up on why this giant company, yet again, seems to entirely miss the point on what it means to establish trust with users. In brief, one might summarize their point as something similar to the old adage “it’s not the crime, it’s the cover-up”:

So, what do we end the day with? Microsoft dipping a toe in the water and saying it will remove a solitary DRM infection. No future pledges, no strong stand. I was honestly hoping MS would stand up and plant a stake in the ground about things like this. A week later with a murmur in a blog is not the response of a market leader.

Mark has an excellent summary himself today, called “Sony: No More Rootkit – For Now”, regarding the Microsoft announcement as well as the Sony soundbite from NPR. Most importantly, he clarifies that the viruses are just a symptom of bad security:

The viruses simply take advantage of the Sony rootkit if it’s present, but could just as easily install their own rootkit to hide their presence on the system. If a user activating the virus, which is transmitted as an email attachment, is running with administrator privileges, the virus can install a kernel-mode rootkit just as powerful as Sony’s. But even if the virus is activated from a non-administrator account it can install a less powerful, though still effective, user-mode rootkit. The bottom line is that it’s not rootkits themselves that are the problem; it’s the inability to manage the objects that they hide that creates security, reliability and manageability problems.

His point that Sony owns the IP not the computer just reminds me of the story about people who “own” their cars and want the error codes under the Right to Repair Act. Transparency of technology and the ability to protect oneself from predatory corporations are gearing up to be tough issues for the next few years.

the poetry of information security