Monday, May 16, 2005

The Iterative Phishing Scam


(Picture credit Microsoft Corporation)
The crooks known as phishers have a brand new scam, according to News.com:

...the phishing e-mails arrive at bank customers' in-boxes featuring accurate account information, including the customer's name, e-mail address and full account number. The messages are crafted to appear as if they have been sent by the banks in order to verify other account information, such as an ATM personal-identification number or a credit card CVD code, a series of digits printed on the back of most cards as an extra form of identification.


This is an especially dangerous scam because it leverages real consumer data that the bad guys may have already collected through other means. Consider the ChoicePoint debacle, for example, or any one of the other recent mass-disclosures of consumer data.

One hypothetical scenario: a bogus merchant who has already collected consumer data from ChoicePoint is now mass-mailing these phishing messages. The intent would be to collect even more data from victims. This time, perhaps they'll get an ATM PIN to augment the bank account number they've already stolen.

Just a reminder: if you're interested in seeing how to detect phishing and fight back against the phishers themselves, check out this previous blog entry.

In the meantime, I'd double-check every email from a supposed financial institution by voice-calling the firm.

News.com: New phishing attack uses real ID hooks
 

Really, really bad idea: REAL ID


Picture credit: EU Politix
The invaluable Bruce Schneier led his most recent Crypto-Gram newsletter with a piece on REAL ID. The REAL ID act creates a set of uniform rules for how the states issue driver's licenses. The rules go into effect within three years. What's really strange is that the bill passed with little fanfare, virtually no debate in Congress, and was attached to completely unrelated legislation (military funding in Iraq).

Aside from creating a virtual national ID card, Bruce points out that it will make identity theft easier, not harder. Unlike many European countries with strong legal penalties for disclosure of privacy data, the US has no laws that protect consumers' privacy data.

The incentive for companies like ChoicePoint to broker information about your national ID card will be immense. Many businesses will want to scan your national ID card (say, to prove age in a restaurant serving alcoholic beverages) and they'll also want to sell that information to aggregators like ChoicePoint. Without any legal framework for protecting consumer data, it's certain that identity theft will rise -- not fall -- with REAL ID.

And the unintended consequences of the law will be devastating.

If, for instance, an illegal alien can't get a driver's license, that person will simply drive without a driver's license. And therefore without any automobile insurance. The result will be a higher number of uninsured motorists and a resulting increase in accidents in which one or multiple motorists have no insurance. The repercussions will be costly and painful: dramatically higher insurance premiums and all sorts of litigation.

If you haven't heard much about REAL ID in the newspapers, that's not an accident. The politics of REAL ID was almost surreal. It was voted down last fall, but was reintroduced and attached to legislation that funds military actions in Iraq. This was a "must-pass" piece of legislation, which means that there was no debate on REAL ID. No hearings, no debates in committees, no debates on the floor. Nothing. And it's now law.

We're not defeated, though. REAL ID can be fought in other ways: via funding, in the courts, etc. Those seriously interested in this issue are invited to attend an EPIC-sponsored event in Washington, DC, on the topic on June 6th. I'll be there.

Resources:

http://www.epic.org/privacy/id_cards/
http://www.unrealid.com/

EPIC's Washington DC event:
http://www.epic.org/events/id/savethedate.html

 

Sunday, May 15, 2005

Jihad Jane


Picture credit: Jane T. Christensen
Frontpage Magazine's Mike Adams points us to an especially egregious case of academic moonbatitis at North Carolina Wesleyan College. Jane Christensen is a Political Science prof there and the heir apparent to nutjob Ward Churchill.

If you want to take a gander at her official, faculty web page, make sure you're sitting down. Yes, the picture that accompanies this story came straight from her faculty web site. Other gems from her web site include:

  • "Government Prior Knowledge and Involvement in the September 11th Attacks Archive"

  • "Iraqi Resistance Report 4/23/05"

  • "NWO PLANS TO DEPOPULATE THE EARTH"

  • "Mossad Planning Another Attack in US"

  • "THE ISRAELI CONNECTION TO 9/11"

  • "Israelis Planning Targetted Kills in US"

    Can't the Left make up its mind: was Bush shocked into inaction while reading 'My Pet Goat'... or calmly awaiting the attacks because he knew about them?

    How about calling the Iraqi terrorists, the murderers of untold numbers of men, women, and children, "the resistance"? Resisting what? A democratic government?

    Oh, and blaming the Israelis for 9/11? Lots of evidence for that has turned up, right?

    If Jihad Jane is at all typical of liberal arts poli sci professors, I'm truly frightened for the future of our country.

    Feel like doing something? Here's the contact information for the president of the college. Politely call or email him. Ask him to reconsider Jane's role at the college. Perhaps she should be teaching science fiction, for instance. It appears she's already really good at that.

    Contact University President Ian D.C. Newbould
    Telephone: 252-985-5140
    Fax: 252-985-5199
    Address: 3400 N Wesleyan Blvd., Rocky Mount, NC 27804-9906
    Email address: INewbould@ncwc.edu


    Contrast Jihad Jane with fired Depaul University instructor Thomas Klocek. Why was Klocek terminated? He argued with pro-Palestinian students at a campus activities fair last fall. Let me repeat that. He argued with some pro-Palestinian students.

    It's worth asking why Klocek lost his position while other "instructors" like Jihad Jane remain.

    Frontpage: Jihad Jane
     

    Saturday, May 14, 2005

    Detecting and Fighting Phishers


    Picture credit: Stern
    Here's another wonderful phishing email I just received. Not familiar with the term phisher?

    Key Bank defines it as, "a fraudster [who] spams the Internet with email claiming to be from a reputable financial institution or e-commerce site. The email message urges the recipient to click on a link to update their personal profile or carry out some transaction. The link takes the victim to a fake website designed to look like the real thing. However, any personal or financial information entered is routed directly to the scammer."

    The scary thing is that, according to the Houston Chronicle, about 5% of adults receiving a phishing email provided some sort of personal information to the phisher.

    Want to fight back? We'll break this phishing scheme down, show you how to trace back a phishing email, and -- in some cases -- alert the parties who, wittingly or unwittingly, provide phishing infrastructure.

    First, let's look at the email I received as it appeared in my email client:


    PayPal User,

    PLEASE READ THIS NOTICE CAREFULLY.

    You have received this Notice because the records of PayPal, Inc. indicate you are a current or former PayPal account holder who has been deemed eligible to receive a payment from the class action settlement in accordance with PayPal Litigation, Case No. 02 1227 JF PVT, pending in the United States District Court for the Northern District of California in San Jose.

    In your specific case you have been found to be eligible for a payment of $252.99 USD.

    The aforementioned settlement funds may be transferred directly to your bank account providing you have a linked card. The funds may not be credited directly to your PayPal account as this would render Paypal to be accumulating interest and thus profiting on litigation settlement funds which contravenes Federal law.

    Your bank account will be credited within 7 days upon submission of account details.

    To credit your bank account please click here*...

    *Hyperlink and additional legal-sounding mumbo jumbo removed


    Step 1 - click the "view source", "show original message" or equivalent button that exposes the original, underlying message text. This will allow us to see the message header, which tells us how the email got to our inbox.

    Received: from clust05-www02.powweb.com ([66.152.98.52])
    by ***.att.net (***) with ESMTP
    id <***>; Sat, 14 May 2005 05:30:01 +0000
    X-Originating-IP: [66.152.98.52]
    Received: by clust05-www02.powweb.com (Postfix, from userid 10775)
    id **********; Fri, 13 May 2005 21:58:46 -0700 (PDT)
    To: ***@att.net
    Subject: Award Notification
    From: PayPal-Awards
    Reply-To: costumer@award.paypal.com...


    Aside from the comical misspelling of the reply-to address ("costumer"?), note how the spam arrived at our door. The topmost Received line was written by the recipient's own mail server (att.net), so the address it records, 66.152.98.52, is the one hop we can trust; anything below it could have been typed in by the sender. Here it tells us the mail was sent through one of PowWeb's mail servers. So, our first action item is to email or call PowWeb. (For contact information, I simply went to their web site and found a toll-free number, 1-877-476-9932, and two support email addresses, sales@powweb.com and support@powweb.com.) You can forward the phishing email to them and lodge a complaint with both the sales and support departments.

    Step 2 - let's see where the information collected by someone naive enough to fall for this scam really goes. While we're still viewing the email source (the raw text of the mail message), let's look for suspicious URLs or form submission actions.

    <BR><BR>

    <B>To credit your bank account please <a href="http://140.135.9.161:443/">click here</a>.</B>

    <BR><BR>


    Hmmm... why the address 140.135.9.161, if this is a message from PayPal? Well, obviously, it's not from PayPal. Let's find out where this phishing site is hosted. Instead of tracing the route from our own PC (a "trace-route"), which would show the site's operator where we are, we'll do it from a web site built for exactly this purpose. One I particularly like is called DNS Stuff. We'll go there and use its tracert tool to figure out the location of the phishing site.

    Here's what we come up with: ecad.el.cycu.edu.tw [140.135.9.161]. So, somewhere in Chung Li, Taiwan (I just surfed to their central web site at http://www.cycu.edu.tw/), a bad guy has taken over at least one of the University machines for nefarious purposes. Maybe it's just an "entrepreneurial" student. Or maybe it's a remote user who's co-opted one or more of their machines.

    Let's take a look at the phishing site (I went through an anonymous proxy to disguise my real location).


    Phishing Site: PayPal


    This looks so good, no wonder 5% of the general public falls for it.

    Second action-item: let's contact the University and get their IT staff on the case. From their web site, we can find phone and fax numbers (886-3-265-9999 and 886-3-265-8888, respectively). Since I can't read Taiwanese, I use a Google search to find some email addresses. I come up with a couple: shhuang@cycu.edu.tw and eitc@cycu.edu.tw. Let's email them.

    What should our message be? A forwarded version of the phishing email with a polite introduction. Subject heading: Phishing Scam at cycu.edu.tw.

    Please be advised that at least one computer on your network appears to be part of a phishing scam, which may indicate significant criminal activity. The machine in question is:

    ecad.el.cycu.edu.tw [140.135.9.161]

    Also, please be advised that the authorities are being notified.


    Hopefully, that gets their attention. Last action-item? Don't forget to delete this scum from your inbox.
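    Steps 1 and 2 above, done in code rather than by eye. This is an added example, not part of the original post: it parses a message modelled on the one quoted (the ids masked with *** are replaced with placeholders and the recipient address is invented), walks the Received chain to the earliest relay address that was recorded for us, and flags links whose host is a bare IP or whose port disagrees with the scheme.

```python
import email
import ipaddress
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample modelled on the headers and HTML fragment quoted in the post.
# Values masked with *** in the original are replaced with obvious placeholders.
SAMPLE_RAW = """\
Received: from clust05-www02.powweb.com ([66.152.98.52])
\tby mx.example.invalid (placeholder) with ESMTP
\tid PLACEHOLDER; Sat, 14 May 2005 05:30:01 +0000
X-Originating-IP: [66.152.98.52]
Received: by clust05-www02.powweb.com (Postfix, from userid 10775)
\tid PLACEHOLDER; Fri, 13 May 2005 21:58:46 -0700 (PDT)
To: victim@example.invalid
Subject: Award Notification
From: PayPal-Awards
Reply-To: costumer@award.paypal.com
Content-Type: text/html

<BR><BR>
<B>To credit your bank account please <a href="http://140.135.9.161:443/">click here</a>.</B>
<BR><BR>
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
HREF_RE = re.compile(r"""href\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def parse_received(msg):
    """One (claimed host, bracketed IP) tuple per Received header, top first.
    Each relay prepends its own line, so the top entry was written by the server
    nearest us and the bottom entry by the server nearest the sender."""
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        host = FROM_RE.match(value)
        ip = IP_RE.search(value)
        hops.append((host.group(1) if host else None, ip.group(1) if ip else None))
    return hops


def origin_ip(hops):
    """Lowest hop that still carries a bracketed IP: the earliest relay whose
    connecting address was recorded by a server other than the sender's own."""
    for _host, ip in reversed(hops):
        if ip:
            return ip
    return None


def link_flags(url):
    """Cheap tells for a phishing link: a bare IP host, or a port that does not
    match the scheme (http on 443 is what the quoted message used)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    flags = []
    try:
        ipaddress.ip_address(host)
        flags.append("bare-ip-host")
    except ValueError:
        pass
    if parts.scheme == "http" and parts.port == 443:
        flags.append("http-on-port-443")
    elif parts.scheme == "https" and parts.port == 80:
        flags.append("https-on-port-80")
    return host, flags


def triage(raw):
    msg = email.message_from_string(raw)
    hops = parse_received(msg)
    body = msg.get_payload(decode=True) or b""
    body = body.decode(msg.get_content_charset() or "utf-8", "replace")
    links = []
    for url in HREF_RE.findall(body):
        host, flags = link_flags(url)
        links.append({"url": url, "host": host, "flags": flags})
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    x_orig = IP_RE.search(msg.get("X-Originating-IP", "") or "")
    return {
        "hops": hops,
        "origin_ip": origin_ip(hops),
        "x_originating_ip": x_orig.group(1) if x_orig else None,
        "reply_to_domain": reply_to.rpartition("@")[2],
        "links": links,
        "suspicious_links": [link for link in links if link["flags"]],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_RAW)
    print("relay chain:", report["hops"])
    print("earliest recorded relay:", report["origin_ip"])
    for link in report["suspicious_links"]:
        print("suspicious link:", link["url"], link["flags"])
```

    Reverse-resolving the origin and link hosts (the tracert step) is left to socket.gethostbyaddr or an external lookup service so that the block runs offline.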
     

    Thursday, May 12, 2005

    Exceptions vs. Return Codes, part 912


    Picture credit: Congreve
    Hee hee. Joel's at it again, raising Cain in the age-old return-codes versus exceptions argument. Personally, I think it's case-closed for return codes when both Raymond Chen and Joel Spolsky weigh in that exceptions are hazardous, to say the least. But, hey, I'll throw in my two cents (*sigh*, again).

    First, let's see what Joel has to say in his latest missive.

    Here’s the thing with exceptions... Your eyes learn to see wrong things, as long as there is something to see, and this prevents bugs. In order to make code really, really robust, when you code-review it, you need to have coding conventions that allow collocation. In other words, the more information about what code is doing is located right in front of your eyes, the better a job you’ll do at finding the mistakes. When you have code that says

    dosomething();
    cleanup();

    ...your eyes tell you, what’s wrong with that? We always clean up! But the possibility that dosomething might throw an exception means that cleanup might not get called. And that’s easily fixable, using finally or whatnot, but that’s not my point: my point is that the only way to know that cleanup is definitely called is to investigate the entire call tree of dosomething to see if there’s anything in there, anywhere, which can throw an exception, and that’s ok, and there are things like checked exceptions to make it less painful, but the real point is that exceptions eliminate collocation. You have to look somewhere else to answer a question of whether code is doing the right thing, so you’re not able to take advantage of your eye’s built-in ability to learn to see wrong code, because there’s nothing to see.


    It's worth repeating the highlighted sentence, because it's true no matter what the pro-exception crowd says: You have to look somewhere else to answer a question of whether code is doing the right thing. Because there's nothing to see.

    And that is why you will never be permitted to rely on an exception-based infrastructure if you write mission-critical code. There's no argument about that. None. If you write code for an OS, the FAA, NASA, a database engine, or a nuclear reactor, or any other sphincter-clenching application*, you will not be permitted to rely upon exceptions. Period.

    * Defined as any application that, the first time you run it in a production environment, causes: (a) your blood pressure to soar to double its normal levels, (b) you to break out in a cold sweat, or (c) under extreme circumstances, forces you to exert conscious control over certain bodily orifices.


    Quick summary: we won't be able to use exceptions if we're writing code for Joel's proverbial open-heart-surgery circular saw. By the way, if you don't agree with this contention, please take a close look at mission-critical software certification specs like DO-178B. Then get back to me.

    The reason exceptions are verboten is simple: the code can't be reviewed and validated in any contained fashion.

    And now that we've established that exceptions are forbidden in the adult world, I have a question for exception aficionados:

    Where do you draw the line between mission-critical and non-mission-critical software?

    I'd just like some guidance here: when is it okay to go for anything less than bullet-proof code? What are the rules for delineating between mission-critical and non-mission-critical?

    Update: In the comments area, Gil wrote the following. I thought it was worth calling out, for obvious reasons:

    I think you've already provided the most useful definition possible of mission-critical software: any software for which it's required to meet an existing standard of mission-critical reliability, like DO-178B or an equivalent. It wouldn't surprise me at all to find that most, if not all, such standards, don't mention or explicitly reject exceptions. This isn't surprising since such standards tend to be very conservative and to rely on time-tested best practices, for the same reason that the chips in the space shuttle are 486s.

    The point I think you're getting at is that even pro-exception coders won't use exceptions in life-threatening situations; by getting them to draw a line, they're implicitly accepting that exceptions are not a good coding practice, to be followed by the 2 in the 1-2 punch of "if they're not a good coding practice when lives are at stake, why would they be considered good when the software is less than life-threatening? Exceptions are generally bad, and should never be used. QED."

    The reason no one's drawing the line you're asking them to draw is because they recognize the dilemma you're presenting and are refusing to accept the initial premise.


    Exactly.

    Joel: Raising cain
     

    Google, DNS Cache Poisoning, and Phishers


    (Picture credit Quantrimang)
    InformationWeek reports that Google was knocked offline on Saturday. The cause: DNS cache poisoning. In a nutshell, bad guys can take advantage of weaknesses in the DNS protocol (e.g., guessing the transaction IDs of outstanding queries and spoofing the answering server's IP address) to pollute the caches of legitimate name servers with bogus records. A good explanation of the history of DNS cache poisoning was published a while back on the SecurityFocus site.

    In addition, TechWeb reports that Phishers are also starting to use DNS weaknesses to their advantage. Phishers are the persons or organizations running bogus websites that mimic, say, Citibank... and try to capture authentication and identity data from legitimate customers. Having captured that information, the Phishers attempt to use it for financial gain.

    Aside from simply hosting bogus DNS servers on co-opted machines, they can also attempt nasty tricks like polluting hosts files on client machines. The effect? You think you're logging into Citibank, but you're really authenticating to a zombie Dell PC in Skokie, Illinois.

    Here's hoping that a robust generation of DNS software and browsers, sufficiently inoculated against these sorts of attacks, comes sooner rather than later.

    The Dailydave mailing list laid out the process.

    "The hostname that is hosting the phishing site is served up by five different name servers. Those five name servers are on home computers residing on networks such as Comcast, Charter, etc.

    "The name servers are using some sort of round-robin DNS to serve up five different IP addresses for the phishing site, and the five IP addresses used are changing every ten to fifteen minutes.

    "All of this seems to be a distributed phishing scam controlled by some sort of bot network. This type of phishing site organization is virtually impossible to get shut down, other than having the registrar of the domain deactivate the domain. Anyone that has ever worked with a registrar on something like this knows that it's like speaking to a wall."

    "These DNS servers can change the IP address of the fake site over and over again," said Hubbard. "Say the fake site is hosted in China, but is quickly shut down. The phisher just has to change the bogus DNS server and anyone clicking on a phishing link would get sent to another machine, maybe now in the U.S., that's hosting the phony site."
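    The infrastructure quoted above (answers rotating through five addresses on scattered home networks every ten to fifteen minutes) leaves a signature in a resolver's own logs. As an added example that is not from the post or the mailing list, this scores each queried name on address churn, network spread (a /16 count standing in for the ASN lookup a real deployment would use) and TTL, over a constructed log with invented names and addresses; the thresholds are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta, timezone


def _at(minutes):
    """Observation time: constructed offsets from an arbitrary start."""
    return datetime(2005, 5, 14, 12, 0, tzinfo=timezone.utc) + timedelta(minutes=minutes)


# Constructed resolver log: (observed_at, query name, TTL seconds, A records).
# 10.0.0.0/8 stands in for "many different consumer networks": each distinct
# second octet lands in a different /16.
OBSERVATIONS = []
# 1) The behaviour described on the list: five addresses per answer, rotated
#    every twelve minutes, every address on a different network.
for i in range(5):
    OBSERVATIONS.append((_at(12 * i), "secure-login.example.invalid", 300,
                         [f"10.{10 * i + j}.{i + 1}.{j + 1}" for j in range(5)]))
# 2) An ordinary site: two stable addresses, hour-long TTL.
for i in range(5):
    OBSERVATIONS.append((_at(12 * i), "www.example.invalid", 3600,
                         ["10.200.0.10", "10.200.0.11"]))
# 3) A CDN-like site: short TTL and rotating addresses, but all inside one /16.
for i in range(5):
    OBSERVATIONS.append((_at(12 * i), "cdn.example.invalid", 60,
                         [f"10.250.{i}.{j}" for j in range(1, 5)]))


def summarise(observations):
    """Aggregate what the resolver saw for each name over the whole log."""
    per_name = {}
    for when, name, ttl, rdata in observations:
        s = per_name.setdefault(name, {"answers": 0, "ips": set(), "nets": set(),
                                       "min_ttl": ttl, "first": when, "last": when})
        s["answers"] += 1
        s["ips"].update(rdata)
        s["nets"].update(str(ipaddress.ip_network(f"{ip}/16", strict=False))
                         for ip in rdata)
        s["min_ttl"] = min(s["min_ttl"], ttl)
        s["first"], s["last"] = min(s["first"], when), max(s["last"], when)
    return per_name


def flux_verdicts(summary, min_ips=10, min_nets=5, max_ttl=900):
    """Flag names whose answers churn through many addresses on many networks
    with TTLs short enough for the churn to matter. Thresholds are assumed;
    the /16 proxy is also why the CDN-like name, which churns within one
    network, is left alone."""
    verdicts = {}
    for name, s in summary.items():
        window_min = (s["last"] - s["first"]).total_seconds() / 60
        verdicts[name] = {
            "distinct_ips": len(s["ips"]),
            "distinct_nets": len(s["nets"]),
            "min_ttl": s["min_ttl"],
            "window_minutes": window_min,
            "flagged": (len(s["ips"]) >= min_ips and len(s["nets"]) >= min_nets
                        and s["min_ttl"] <= max_ttl),
        }
    return verdicts


if __name__ == "__main__":
    for name, v in flux_verdicts(summarise(OBSERVATIONS)).items():
        print(f"{name:30} ips={v['distinct_ips']:2} nets={v['distinct_nets']:2} "
              f"ttl={v['min_ttl']:4} flagged={v['flagged']}")
```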


    p.s., Did you know Google offers a H4x0r search engine?

    p.p.s., On an unrelated topic, Google just bought the mobile social networking service Dodgeball. Combined with Google maps, the possibilities are amazing.
     

    Could the Saudis Blow Up Their Own Oil Infrastructure?


    (Picture credit BBC News)
    Frontpage Magazine features a fascinating article by Daniel Pipes. The topic: the possibility that the Saudis have booby-trapped their oil infrastructure to prevent anyone else from taking control.

    In what sounds like the far-fetched plot of a Bond film, Pipes describes Gerald Posner's new book about US-Saudi relations. Posner, the investigative reporter and author of ten books, reportedly based this assessment on a variety of "intelligence intercepts". Supposedly spurred on by veiled threats from the US State Department during the oil crisis of the 1970s, the Saudis came up with their own plan to repel any would-be takeover.

    This became a top-priority project for the kingdom. Posner provides considerable detail about the mechanics of the sabotage system, how it relied on unmarked Semtex from Czechoslovakia for explosives and on radiation dispersal devices (RDDs) to contaminate the sites and make the oil unusable for a generation. The latter possibilities included one or more radioactive elements such as rubidium, cesium 137, and strontium 90.

    Collecting the latter materials, Posner explains, was not difficult for they are not useable in a nuclear weapon and no one had the creativity to anticipate Saudi intentions:

    It is almost impossible to imagine that anyone could have thought a country might obtain such material … and then divert small amounts internally into explosive devices that could render large swaths of their own country uninhabitable for years.


    Saudi engineers apparently then placed explosives and RDDs throughout their oil and gas infrastructure, secretly, redundantly, and exhaustively.

    The oil fields themselves, the lifeline for future production, are wired … to eliminate not only significant wells, but also trained personnel, the computerized systems that seemingly rival NASA’s at times, the pipelines that carry the oil from the fields …, the state-of-the-art water facilities (water is injected into the fields to push out oil), power operations, and even power transmission in the region.


    Nor is that all; the Saudis also sabotaged their pipelines, pumping stations, generators, refineries, storage containers, and export facilities, including the ports and off-shore oil-loading facilities...


    Pipes: Will the Saudis Blow Up Their Own Oil Infrastructure?
     

    Wednesday, May 11, 2005

    The Five Most Shocking Things About the ChoicePoint Debacle



    A senior editor at CSO Online, Sarah Scalet, shreds ChoicePoint in impressive fashion, highlighting some of the concerns I mentioned in several earlier blog-missives.

    One of the most amazing aspects of the aftermath of the incident was a statement made by ChoicePoint's CISO, Rich Baich, who claimed that it really wasn't his concern:

    "Look, I'm the chief information security officer. Fraud doesn't relate to me."

    Wow.

    So, Rich, who would this sort of incident relate to, if not the CISO? Wouldn't some CISOs have established processes for analyzing access to the crown jewels? Say, detecting anomalous activity, or creatively discerning whether customer activities match up with their claimed size and role in the market? Or is the data held in the various repositories really not that crucial to ChoicePoint's business?

    ...The security community seems skeptical of Baich's argument too. CISOs have long asserted that their responsibilities ought to encompass all aspects of information protection -- whether a vulnerability stems from insider misuse, an outside hack or (in ChoicePoint's case) a social engineering scam. It seemed an especially convenient moment for Baich to argue, uncharacteristically, that his job description is actually narrower than one would assume...


    It all really does translate back to process. You could have orchestrated a series of stellar vulnerability assessments, indicating that you'd closed all the holes known to exist... and then, only a week later, be utterly exposed to a catastrophic crime through a zero-day exploit. Good processes, creative and committed people, and -- least of all -- technologies together need alignment under the management of a CISO willing to take responsibility for all of IT. Not just firewalls and network monitoring - but application development, databases and other repositories, remote access, the gamut of offerings that make up today's IT world.

    ...It would also behoove companies to review their use and/or implementation of IT security best practices, such as the ISO 17799:2000 framework, as well as the NIST 800 series practices for sound IT security management. It's one thing to have the "CISO of the year in the State of Georgia" at the helm of your security function, but it's far better to have "state of the art" security best practice processes integrated into your business. Which would you prefer? I prefer the latter...


    An "award-winning" CISO unwilling to tackle the tough problems of information security is like a brand new Mercedes convertible... without an engine. On paper, it looks great. It just won't get you from point A to point B.

    CSO Online: The Five Most Shocking Things About the ChoicePoint Debacle
     

    The Political Influence of the Blogosphere



    If you've wondered what impact the blogosphere made on presidential politics in 2004, wonder no more. The analysts at Blogpulse have dissected the topography of the blogosphere -- both left and right -- and have come to some interesting conclusions.

    Coverage by political leaning was fairly balanced. Of 1,494 blogs that met the researchers' definition of influence, 759 were liberal and 735 were conservative... Even though numbers of blogs were fairly balanced, conservative blogs showed a greater tendency to link to other blogs (84% linked to other blogs, 82% received a link) compared to liberal blogs (74% linked to other blogs, 67% received a link). That behavior is captured in the [accompanying] graphic...


    Blogpulse: Political Influence of the Blogosphere
     

    Fending off a DDOS Attack


    (Picture credit SIGgraph)
    I usually don't link to Slashdot articles simply because they're so widely read. But this one is well worth the ten to twenty minutes in case you happened to miss it. It describes how an owner of a gambling website, faced with an extortionist, went through hell and back attempting to fend off a massive distributed denial-of-service (DDOS) attack.

    Slashdot: Taking on an online extortionist
     

    Eight Gigs


    (Picture credit IBsys and AP)
    Hitachi recently introduced its 8 gigabyte "Mikey" hard-drive. Shown here -- with dominos for perspective -- it can store several thousand MP3's in a tiny form-factor. Hitachi is basically saying to its competition (with apologies to Boyz in the Hood): "Domino, m*********r."
     

    Book Review: Frederick Forsyth's Icon



    Though it was published in 1996, Icon is especially relevant today, given Russia's wavering stance on democracy. Icon looks several years into the future, to a day where Russian crime syndicates, a teetering economy, and an American-style public relations campaign conspire to carry a man named Komarov to the office of president.

    The British embassy in Moscow, however, accidentally acquires a document Komarov never meant to make public. Called The Black Manifesto, it describes his plans to consolidate power, recapture the breakaway Soviet Republics, and launch a program of genocide against any religious group that could oppose him: Christians, Jews, and Muslims alike. In this effort, he is funded by a major mafia syndicate and has the support of a para-military organization not unlike Hitler's brown-shirts.

    While the manifesto alone is not enough to stir official Western government action against Komarov, it is sufficiently worrying that senior officials feel they must act. Retired British spymaster Sir Nigel Irvine, a hero of the Cold War, is brought back into the fold. And spyrunner Jason Monk, formerly of the CIA, is unretired.

    Like chessmasters, Irvine and Komarov move their pieces across the board in this brilliant, complex and wide-ranging novel. With the fate of Russian fascism -- and a Nazi-style genocide -- hanging in the balance, Irvine and Monk are the last, best hopes for a democratic Russia.
     

    Tuesday, May 10, 2005

    Judicial Filibusters: a Brief History


    (Picture credit US Senate Committee on the Judiciary)
    I'd heard rumblings from the MSM/DNC that the idea of the judicial filibuster wasn't truly a Democratic party invention. That the GOP had effectively stonewalled some of President Clinton's nominees using procedural nastiness, albeit not filibusters themselves. I'd wondered about this issue. Was it correct? Was the GOP just as guilty as the Democrats in refusing to let Clinton's nominees come to a vote?

    I hadn't seen a detailed explanation of these "procedural" methods until I came across this explanation on El Rushbo's site.

    ...Hagel said, "What we did with Clinton's nominees about 62 of them, we just didn't give them votes in committee or we didn't bring them up." In the first place, Bill Clinton had a large percentage (71%) of his nominees confirmed. George W. Bush has the lowest percentage (50%) of his nominees confirmed of any recent president, going back to Truman (over 90%).

    Now, in this case the filibuster was not used. There was no violation of Senate rules in what the Republicans did. They didn't pass some of these nominees out of committee. Some of Bush's nominees haven't come out of committee. But none of the senators that came out of the judiciary committee when Clinton was president and the Republicans are running the committee, none of them were filibustered. Those that got out of committee got votes on the floor. That is not what's happening now.

    The Democrats are the ones trying to change the age-old traditions of the Senate...


    In other words, the majority used the Judiciary committee for its intended purpose: to determine the fitness of the nominee, stamping approval on those nominees deemed acceptable and forestalling others. This has occurred for many decades and is considered standard practice.

    What has not been standard practice, at least for the last 215 years, is the judicial filibuster. Over that period, there has not been a single sustained filibuster of any judicial nominee.

    Hugh Hewitt distills its history and ramifications a bit further:

    The fact is that Senate Democrats want to enshrine a new rule -- a 60 vote rule -- for judicial confirmations.

    If they want that rule, they should win some elections on the issue, rather than lose them.

    It is clear that there will be no "compromise" worth having, just a vote on whether the Senate will abide by the design of the Framers and its practices of 215 years, or the desires of Patrick Leahy, Barbara Boxer, Chuck Schumer, Ted Kennedy, and Harry Reid to ignore that design and throw out those practices.


    Piling on, Patterico reveals a beautifully laid out exposé (shades of windiff for journalists) of the LA Dog-Trainer Times. Their apparent selective editing of Professor Greenberg's article on the history of the judicial filibuster compares with the best efforts of Pravda circa 1960 - and is just as relevant to today's news consumers.

    If the MSM really stoops to these lows -- slashing op-ed pieces in chainsaw-massacre fashion to reach the conclusions they desire -- it simply indicates their rising panic. Heaven forbid they actually staunch subscription bleedout with op-ed balance or a sense of fair play. It's crystal clear from these tactics just how wrong they are... and how out of touch with their readers they remain. From all appearances, they can't trust their readers to read Greenberg's real op-ed piece... so they've created their own version, hoping to swing some opinions with adulterated bile.
     

    Sharkfish's experiences interviewing techies


    Picture credit: Boston College
    Through a link on the JOS discussion board, Sharkfish discusses his takeaways from a long series of technical interviews. Here are some of the salient details:

  • DO NOT send a resume with misspellings. You would be surprised how many of these we saw.

  • I do not hammer people and I give them all sorts of leeway to relax. If a tense moment comes up (couldn't answer a technical question), I fall back and ask something more general. If you do not know the answer, just say you don't know. Hemming and hawing makes interviewers nervous. Yes, we interviewers are nervous, too.

  • I was surprised at the number of people who out and out LIED on their resume. In addition to the usual Indian name with the resume of SuperMan (how in hell can you be great at EVERYTHING?). How DOES one get a skillset that includes mainframe, mini, PC, web apps, network admin, Unix, windows, database, programming EXPERT? Why is it that people with these mythical SuperResumes never seem to attach the skill with the employer, leaving me to guess that all this stuff was accomplished in India where it can never be verified?

  • Don't put a web site on your resume that is supposed to be an example of your work if it is going to give a 404! We had at least two of these....


    My experience interviewing techies
     

    Monday, May 09, 2005

    Meet the Fockers


    Picture credit: RH Sager
    The endlessly disappointing Bob Herbert reprised the Iraq war in a Times Op-Ed piece this morning. I'll save you the time and effort of reading his diatribe, which can only be characterized as a complete waste of fourteen column-inches. Here are the key sound-bites, which I'm pretty sure were stolen from John Kerry's dustbin sometime in October:

  • ...war in Iraq has been an exercise in extreme madness...

  • ...amateurs and incompetents have run the war from the start...

  • ...Abu Ghraib was not an aberration. It was a symptom...

  • ...clownish, disastrous war...

    Even putting aside his vicious, unwarranted insults of the US Military, it's stunning that Herbert has neither the eloquence nor the intellectual honesty of even, say, the virulent Barbra Streisand.

    Here's what Herbert fails to mention: 9/11. The innocents slaughtered in the Madrid Train Bombings. The promises by terrorists to kill three million Americans through any means possible. The Global War on Terror. The elections frenzy sweeping the Mideast.

    Think about it: even the senseless Barbra Streisand, in the recent open letter posted on her site, was willing to mention 9/11 and the implication of WMDs on American soil.

    Of course, her statement likening President Bush to Nazi Germany's Hermann Goering was rendered unintentionally comic through its record-setting levels of irony.

    Consider the analogy: an immensely wealthy, ultra-liberal entertainer criticizes the Third Reich in, say, 1936. The outcome? She is either deported, executed, or sent to a concentration camp. Streisand's willingness to minimize the horrors of Nazi Germany would truly be ludicrous were the implications not so tragic.

    That Herbert could attempt a Reader's Digest version of the Iraq War without mentioning the war on terror, the lives lost on 9/11, Afghanistan, the elections sweeping the region, and the general topography of life in the early 21st century is proof of either utter bias or stupefying ignorance. I'm betting on the latter.
     

    Saturday, May 07, 2005

    Zarqawi's Morale Problem - Exclusive Memo



    Iraqi and US counter-terror operators recently captured a computer owned by insurgent COO Musab al-Zarqawi. Among the documents found on the hard-drive: a memo from Zarqawi to the insurgent rank-and-file related to wavering morale.

    Through an exclusive sharing agreement with a source inside the New York Times (hat tip: MoDo), I'm pleased to offer the only translated copy of the Zarqawi memo addressing the insurgency's morale problems:

    To: The Mujahaddin
    From: The Sheikh
    Subject: Morale

    I am greatly disappointed to hear reports of low morale among the mujahaddin. To address these problems, our Vice-President of Human Resources has promoted Sheikh Abdul Hassan al-Bharbouti to Director of Organizational Development.

    Sheikh al-Bharbouti will be responsible for training programs, martyrdom operations, and selected special missions against the American and Iraqi devils.

    To that end, he will be tasked with quantitatively addressing morale problems with our fighters:

    - Training programs: each fighter will be required to attend at least one week of training in any of the following areas: explosives preparation, bomb-belt construction, car-bomb wiring, fuses (beginning and advanced), and suicide-bombing methods
    - Martyrdom operations: to improve morale, the Sheikh will be selecting certain fighters to participate in martyrdom operations within the coming few days and weeks
    - Special missions: each fighter will be required to participate in special missions against the American devils including night operations and small-arms attacks against armored vehicles

    Please give the Sheikh your full cooperation in these efforts - they are certain to result in high morale as we dismantle the devil occupiers.

    Sheikh

     

    Thursday, May 05, 2005

    Can Bill Gates Slow Google Down?


    Picture credit: ZDnet Korea
    Fortune Magazine features a great article on the challenges Microsoft faces from Google's juggernaut. The amazing list of innovations -- think Google Maps, Google Mail, Blogger, and the nearly omniscient Google search engine -- is jaw-droppingly good.

    Okay, let me sidetrack my narrative for a moment. If you haven't experimented heavily with Google's search engine (and only a few serious geek losers like me have), you'll find that it is:

  • A calculator (type in 5250 * 1818 into the search box)

  • A dictionary (type in define staid)

  • An address and phone book (type in David Smith, Boston Mass)

  • A patent lookup engine (type in patent followed by a patent number)

  • A UPS/Fedex tracking system (type in a tracking number)

  • A stock-quotation device (type in GOOG)

  • An airport traffic checker (type in sfo airport)

  • An airline flight status system (type in a flight number like ual 134)

  • A spell-checker

  • A VIN -- vehicle identification number -- tracker (type in a VIN number)

  • An FAA airplane registration system

  • A UPC code lookup engine

  • An area-code cheat sheet (type in 404)

  • and so forth


    Think it's hard for the other search engines to match up? One word: ayup.

    Google's method is to overwhelm the competition with technical innovation, giving the lie to academic poseurs like Nicholas Carr, who claim that 'IT doesn't matter.' Google's IT innovation -- I mean order-of-magnitude leaps like Google Maps' use of AJAX -- has resulted in billions in market capitalization. And the same can be said for other IT innovators, even staid insurance companies like Progressive.

    Google spurs its innovation by encouraging scientists and engineers to devote 20% of their time to pet projects. Gems like Google News and Orkut sprang from 'hobby' sites created by creative entrepreneur-employees at G-ville.

    The latest? A downloadable tool that speeds up web surfing using Google's outrageously scalable (and - uhmm - Linux-based) infrastructure.

    This is where things get real, real risky for Microsoft (NASDAQ:MSFT).

    The desktop has always been Microsoft's to control. But small inroads -- like the acceleration engine and the desktop search product -- are encroaching on Gates' turf. And they're as welcome there as the Bloods are twelve blocks into Crips territory.

    To add to this ominous (well, ominous as far as Microsoft's shareholders are concerned) behavior, Google's rumblings towards the Mozilla/Firefox browser are -- at best -- worrisome. Because the browser has, for many classes of application, become the de facto desktop, the sonar pings are coming louder and faster at Gates' lakefront manse.

    Firefox's usage rates are already skyrocketing due to the pandemic of security issues with Internet Explorer: the unfortunately named IE trojan-hiders called Browser Helper Objects (or BHOs, for short) are an example of the egregious shortcomings in IE's security architecture.
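As an added, defender-side example that is not part of the original post: a PowerShell script that inventories the BHOs registered on a Windows machine, the DLL each one loads, and whether that DLL is present and carries a valid Authenticode signature, so that an add-on nobody installed on purpose stands out. It assumes the standard BHO registration layout (one CLSID subkey per BHO under the Explorer\Browser Helper Objects key, DLL path in the CLSID's InprocServer32 default value); the function and variable names are mine.

```powershell
# Added example (not from the original post): inventory the Browser Helper
# Objects registered on this machine. Assumes the standard registration layout:
# one CLSID subkey per BHO under ...\Explorer\Browser Helper Objects, with the
# DLL path stored in that CLSID's InprocServer32 default value.

$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$classRoots = @('HKLM:\SOFTWARE\Classes', 'HKLM:\SOFTWARE\Wow6432Node\Classes')

function Get-BrowserHelperObject {
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $clsid = $key.PSChildName          # the {GUID} that names the BHO
            $name  = $null
            $dll   = $null
            # Resolve the CLSID to its friendly name and in-process DLL.
            foreach ($classRoot in $classRoots) {
                $clsKey = "$classRoot\CLSID\$clsid"
                if (Test-Path "$clsKey\InprocServer32") {
                    $name = (Get-ItemProperty $clsKey).'(default)'
                    $dll  = (Get-ItemProperty "$clsKey\InprocServer32").'(default)'
                    break
                }
            }
            $path   = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
            $exists = [bool]($path -and (Test-Path -LiteralPath $path))
            $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
            [pscustomobject]@{
                CLSID     = $clsid
                Name      = $name
                DLL       = $path
                OnDisk    = $exists
                Signature = $sig
            }
        }
    }
}

# A BHO with no friendly name, a DLL outside Program Files, a missing file, or a
# Signature other than Valid is the one to investigate first.
Get-BrowserHelperObject | Sort-Object Signature | Format-Table -AutoSize
```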

    Now imagine Firefox tightly integrated with all of Google's offerings. And here's the kicker:

    A lightweight plug-in installer that instantly adds browser support for any of Google's newly hatched research projects

    I'll give you an example. Say you're starving - you were in meetings all day and missed lunch. You do a Google search (from the integrated Firefox/Google search bar) for pizza topeka. The browser gives you a list of pizza places and their phone-numbers... and also adds a Dial Now button that places the call for you. And it'll make a VoIP call if your computer is so equipped. And, yes, you need to place a voice-call to see if they have the jalapeno and banana special that you used to order in LA. Cool, eh?

    Imagine a browser that is tightly integrated with Google. A browser that is multi-platform: Linux, Windows, PocketPC, Symbian, Blackberry, etc. A browser that... becomes your operating system.

    No wonder MSFT's market cap hasn't budged since Google rose to prominence.

    In my estimation, Microsoft has to concentrate on one thing -- and one thing alone. And it's not security, though heaven knows that remains a concern. Microsoft needs:

    Ease-of-use

    I'm not talking about making Outlook or Access or Excel easier to use (though products such as Access routinely get their asses kicked by products like Alpha Five, from tiny companies, due mostly to learning curve). No, I'm specifically focusing on IT ease-of-use. Reducing complexity. Making IT simple.

    Seen the Visual Studio .NET interface lately? If there were more windows -- all purportedly there to make life easier -- you'd have a skyscraper.

    Tried to deploy a .NET thick-client (WinForms) app? Talk about bringing on the pain. Yeah, I really want to make 80% of my users download the 25 Mb .NET runtime -- to get my 1 Mb app to run -- and hope the install takes. This is what Mark Lucovsky talked about when he said Microsoft no longer knew how to ship software.

    Seen a great piece of software out of MSFT lately? Maybe, just maybe, MSN search makes the grade. But that's a catch-up play... copying Google, which is no way to play offense.

    The bottom line is that Microsoft has to make their software idiot-proof. I know, I know, when you build more idiot-proof software, the world will catch up and build better idiots. But I think you get the flavor.

    When we tune a SQL Server installation, it shouldn't require a week and a gaggle of Avanade consultants. When we configure SharePoint, it should be so dead-nuts simple that a business analyst can handle it... easily. When we want to share an Excel spreadsheet over the web, it shouldn't require six different technologies and a project plan.

    These are simple concepts. Useful concepts. Concepts that translate to real dollars for organizations spending major moolah on IT. And it's a place that Microsoft had better start innovating... before Google takes a serious look at corporate IT.

    Fortune: Search and Destroy - Bill Gates is on a mission to build a Google killer
     

    Baseball Trivia



    Picture credit: Boston Red Sox
    Here's a bit of baseball trivia: eight managers in the history of the game have won three or more World Championships. Can you name them? Hint: four of the eight managed the Yankees.

    For the answer, position your mouse cursor over the picture of the trophy.

    (Trophy picture hover text: J McGraw, C Mack, M Huggins, C Stengel, J McCarthy, W Alston, S Anderson, J Torre)
     

    Wednesday, May 04, 2005

    CBS' Bob Schieffer: Unfair and unbalanced


    (Picture credit Tcho.ch - results of an image search for 'Schieffer'!)
    If you thought CBS' talking heads would at least make an effort at a little political balance, you'd be wrong. And if you thought CBS would lighten up on the Bush administration -- and the GOP in general -- you'd be wrong. Dead wrong.

    Let me give you a few sound bites from CBS anchor Bob Schieffer's appearance on the Don Imus show this morning:

    WMD. Iraq. Things getting worse, not better. Vietnam. Bodybags.

    That's the gist. Put simply, phrases pitched straight from John Kerry's talking points memo distributed in, what, October? Can't someone change Schieffer's teleprompter?

    Of course, Schieffer neglected any mention that another senior Al Qaeda leader was just captured. And he couldn't find time to report that Saddam's nephew was nabbed: a major financier and director of insurgent operations, according to reports. Nephew Hussein was discovered in the briar patch of a giant weapons cache, but I suppose that's not newsworthy.

    Things are getting bad for CBS when even the Guardian, yes, the staunch, leftmost bastion of Europe, states that "perhaps the neocons got it right in the Middle East."

    You'd think even Schieffer -- or at least his pointy-headed bosses at CBS -- would be coming around. A little balance might improve the ratings. And, heaven knows, it might attract some of those middle-of-the-road viewers who departed in droves when disgraced ex-anchor Dan Rather drowned in a sea of blinking GIF files.

    But, no, Schieffer went on to predict that Rep. DeLay was going to go down in flames. Though it now appears that fat-cat lobbyists like Abramoff were paying travel expenses for both Democrats and Republicans.

    And Schieffer couldn't find time to discuss Ms. Hypocrisy '05, Nancy Pelosi, who is now utterly silent about said travel issues. "She demanded an investigation into [Majority Leader] Tom DeLay, but hasn't said a word about these Democrats who have done the same thing," said Rep. Patrick McHenry (R-NC).

    Maybe someday Schieffer can ask his staff to look into all Congressional travel expenses, so the public could determine just how frequently these jaunts are practiced. But that would require exposing Democrats, and not just Republicans, so I wouldn't hold your breath.

    Until then, CBS has all the relevance of Leonard Nimoy at the Grammys.
     

    Despair


    Picture credit: Despair.com
    The inimitable Despair.com is back in the news again, albeit through a mention on CNet's blog. I don't mean to demean media outlets that have turned to blogging -- least of all CNet, because they do a good job -- but they exude a slight odor of late-comer to the whole blogging party.

    Despair is the firm who markets "de-motivational" posters - the bizarro-universe version of those classic posters so prevalent in cube farms. Here are a couple of Despair's good ones:

  • Motivation - If a pretty poster and a cute saying are all it takes to motivate you, you probably have a very easy job. The kind robots will be doing soon.

  • Get to work - You aren't being paid to believe in the power of your dreams.

  • Achievement - You can do anything you can set your mind to when you have vision, determination and an endless supply of expendable labor.

    Sounds like Carly was working on some of this material. Anyhow, here's a few I just came up with:

  • Losing - Because your best will, frankly, never be good enough.

  • Effort - If, at the end of the day, you can say you gave it your best shot, you will be - a liar.

  • Focus - Don't concern yourself with "goals". The obstacles in your way are insurmountable.

  • Innovation - Creativity is easiest when you can steal ideas from underlings.

    Anyhow, the funniest thing on Despair's site relates to the frowny emoticon :-( . They set off a firestorm of controversy in '01 when they (really) trademarked the frowny and claimed that everyone who used it had to pay royalties. Of course, the whole royalty thing was tongue-in-cheek... but some didn't get it.

    DALLAS, TX - February 5th, 2001 - Individuals across the globe have registered their outrage and despair at the recent announcement by Despair, Inc. that they had been awarded a registered trademark for the 'frowny' emoticon by the United States Patent and Trademark Office (USPTO) and that the company intended to sue anyone who used the trademarked symbol in email.

    The firestorm of controversy even led to an entire newsthread discussing the lawsuit on the highly respected tech-news site Slashdot, which in turn inspired a subsequent story by the Gray Lady herself, The New York Times.

    But the outrage wasn't limited to the English speaking world. Newspapers and websites across the globe voiced all manner of bemusement, confusion, disdain and disgust over the trademark and lawsuit.

    In the face of international public outcry, company founder and COO Dr. E.L. Kersten announced today that he was prepared to offer a compromise to the global Internet community -- one that would allow for the continued legal use of the symbol in email.

    Kersten explained both a change of heart and of policy in a press release...


    And some poor, gullible losers (oops, I mean "L" is for "Love") even assumed that Despair was scanning all Internet email traffic for trademark violations. Some of the letters they received were classic.

    From: Mark (removed) <(removed)@(removed).com>
    To: media@despair.com
    Subject: Frowny Face suit
    Date: Mon, 29 Jan 2001 09:15:50

    To whom it may concern,

    If you have searched any of my mail, send me confirmation of that fact immediately. Under consumer protection laws, and the Freedom of Information Act, you are required to confirm or deny that you have a record of searching my mail. My two addresses are (removed)@(removed).com and mark@(removed).

    Failure to comply is punishable by law.

    If you have searched any of my mail, you have illegally searched me and are in violation of civil rights laws.

    Sincerely,
    Mark (removed)
    -------
    From: "Dr. E.L. Kersten"
    To: Mark (removed) <(removed)@(removed).com>
    Subject: Re: Frowny Face suit
    Date: Tue, 30 Jan 2001 11:34:23

    Mr. (removed):

    While we did not find either of your referenced email addresses in our list of 7,000,000 some odd citizens who have violated our trademark via email, we'll take your panicked entreaty as a confession of probable guilt and make sure to keep an eye on your future communications.

    Attentively yours,

    E.L. Kersten, Ph.D.

    -------

    From: Paul (removed)
    To: feedback@despair.com
    Subject:
    Date: Wed, 31 Jan 2001 14:40:27

    Best site I've enjoyed in some time. I was alerted to it by a bulletin board discussion about the frowning emoticon lawsuit. Out of 31 posts, one person "got it."

    Thanks!
    -------
    From: "Dr. E.L. Kersten"
    To: Paul (removed)
    Subject: Re:
    Date: Wed, 31 Jan 2001 19:01:47

    No offense intended- but it may be time to start hanging around in smarter bulletin boards.

    Regards,
    E.L.


    News.blog: Despair in the Air