Monday, April 18, 2005

What really happened in Oklahoma City?



Fox News is pursuing some interesting angles to the now decade-old Oklahoma City bombing. Was it strictly a case of domestic terrorism? What about Terry Nichols' phone records, indicating that multiple calls were placed to Star Glad Lumber in the Philippines? Star Glad is reportedly operated by a man whose brother and cousin were both well-known terrorists involved with groups tied to the Abu Sayyaf terror group.

On several occasions, Nichols also allegedly called a boarding house in Cebu City, which had been linked to the first WTC bombing in 1993 by Ramzi Yousef. Just to reconnect the dots, the same type of fertilizer-fuel bomb was used in that bombing and in Oklahoma City.

In a follow-up to the joust between CAIR’s Ibrahim Hooper and Rocky Mountain News columnist Vincent Carroll, additional evidence has been produced regarding who else may actually have been involved in the 1995 bombing of the Murrah Federal Building in Oklahoma City.

http://religion.upi.com/view.php?StoryID=20050412-124811-1156r
http://www.rockymountainnews.com/drmn/news_columnists/article/0,1299,DRMN_86_3697983,00.html

Were Timothy McVeigh and Terry Nichols the only perpetrators of this atrocity? For years, that’s what we’ve been told. However, with the nation marking the ten-year anniversary of this cowardly act, new or at least newly publicized evidence points out that these two America-hating domestic terrorists had some very unsavory associations with those who are tied to Islamic terrorism.

http://www.foxnews.com/story/0,2933,153635,00.html

There’s also the issue of John Doe number two, the all-elusive accomplice that more than two dozen witnesses say they saw in the Ryder truck with McVeigh. He has never been captured. There were two composite drawings made of this individual.

http://www.foxnews.com/story/0,2933,153644,00.html

The first composite was that of a thuggish looking man with a dark complexion.

http://www.greatdreams.com/john-doe-2.htm

The second composite, which has proven to be nearly as elusive as John Doe number two himself, was said to have been that of a white man, and looked absolutely nothing like the thug in the first composite.

On June 14, 1995, the Justice Department announced that it had all been a big mistake. One of the witnesses, Eldon Elliot of Elliot’s Body Shop, had been confused when he gave his description of John Doe Two. He had mixed him up with a completely innocent, burly army private who came to the office a day later.

Back to the first composite drawing -- which many have stated bears a strong resemblance to dirty bomb suspect and Muslim convert Jose "Ibrahim" Padilla.

http://www.rotten.com/library/bio/crime/terrorists/jose-padilla/
http://www.greatdreams.com/john-doe-2.htm

4/17/2005: Fox News ran a program involving the OKC bombing. The show detailed incriminating phone records, which included repeated calls from the home of Terry Nichols to a place called Star Glad Lumber in the Philippines.

Star Glad Lumber is operated by a man whose brother and cousin were both notorious terrorists, involved in "splinter groups of the Abu Sayyaf terror group in the Philippines."

Nichols also repeatedly called a boarding house in Cebu City, an establishment that has been linked to 1993 World Trade Center bombing mastermind Ramzi Yousef. For the record, the same kind of ANFO fertilizer fuel bomb was used in New York and in Oklahoma City.

This may or may not come as a shock: Mohammed Jamal Khalifa, a brother-in-law of Osama bin Laden, who has been named a co-defendant in a class action lawsuit filed on behalf of over 500 families of the 9/11 victims, also founded the Philippines branch of the International Islamic Relief Organization (IIRO), which has been designated a terrorist financing organization by the United States and other countries. There have also been some formerly classified Philippines investigative documents that have provided the basis for almost all major media reports concerning Khalifa's ties to al Qaeda and Abu Sayyaf...


 

Protecting Customer Data, Part II



The rumbling sound you hear -- after the identity theft debacles at ChoicePoint, LexisNexis, and Bank of America -- is Congress mobilizing to take some sort of legislative action to "protect consumers".

Don't get your hopes up, though. The firms involved are, if nothing else, deep-pocketed and possessed of legions of well-lubricated lobbyists. Any resulting legislation will almost certainly be watered down and likely won't pin financial responsibility for bogus identity transactions on the firms themselves.

And we're nowhere close to having a government-administered system (run by, say, DHS) that could serve as a central registrar for identity data -- and could broker merchant-specific IDs for each consumer that would mitigate the risk of theft.

Today's bottom line is that responsibility for protecting consumer data lies with each company holding that data. That said, what can companies do to better protect the data?

Process: processes for managing the data have to be explicitly documented and enforced. Who can create the data? Who can update it or delete it? Who can read it?

People: roles for data access and management must be mapped to the approved processes. For example, consider a hypothetical role called keymaster. The keymaster is responsible for generating, retaining, and monitoring key-pairs used to encrypt and decrypt the consumer data. In other words, a field like SSN is never stored in the clear. It is encrypted using a public-key provided by the keymaster.

Consider another role called application developer. The app-developer never has direct access to the private keys needed to decrypt sensitive fields. Instead, the app-developer calls documented interfaces (e.g., APIs) to code provided by the keymaster, which allow an application to decrypt a sensitive field without ever handling the key itself.

Further, a role called auditor could monitor the use of data provided by the keymaster and the app-developer. The auditor has no direct access to the data, but can closely monitor the detailed logs generated by the other roles. The auditor could use manual and automated techniques to discover misuse of data or anomalies in data access. Presumably an auditor would have discovered the anomalous behavior of the fake vendors who plugged into ChoicePoint's systems.

Technology: Firewalls, intrusion detection, intrusion prevention, network monitoring: in other words, all of the standard mechanisms for network security. But the processes and people that configure and monitor that technology are equally important. Logs, tools, APIs, clear delineation and separation of roles... all come together to provide a synergistic approach to protecting sensitive data.
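
The keymaster / app-developer / auditor split, as an added example that is not the post's own code. The "seal" here is a toy XOR keystream standing in for the public-key encryption the post describes; the function names (km_seal, km_reveal, auditor_scan), the per-app threshold and the sample key and SSN are all assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSN_LEN    11          /* "123-45-6789" without the terminator */
#define APP_ID_LEN 16
#define LOG_CAP    64

typedef enum { ROLE_KEYMASTER, ROLE_APP_DEVELOPER, ROLE_AUDITOR } role_t;

/* One audit-trail entry: who asked for which record, and whether it was allowed. */
struct access_event { char app_id[APP_ID_LEN]; int record_id; int allowed; };

/* The keymaster owns the key material and the log. Only the km_* functions
 * below ever read km->key; every other role goes through them. */
struct keymaster {
    uint8_t key[32];
    struct access_event log[LOG_CAP];
    size_t log_len;
};

/* Toy keystream (XOR with key bytes and the byte position): a stand-in for
 * the public-key encryption the post describes, NOT a real cipher. */
static void km_xor(const struct keymaster *km, const uint8_t *in, uint8_t *out, size_t n) {
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ km->key[i % sizeof km->key] ^ (uint8_t)i;
}

/* Raw key export is a keymaster-only operation; every other role is refused. */
int km_export_key(const struct keymaster *km, role_t caller, uint8_t dst[32]) {
    if (caller != ROLE_KEYMASTER) return 0;
    memcpy(dst, km->key, sizeof km->key);
    return 1;
}

/* Write path: the SSN is sealed before it is stored, so it is never in the clear. */
void km_seal(const struct keymaster *km, const char *ssn, uint8_t ct[SSN_LEN]) {
    km_xor(km, (const uint8_t *)ssn, ct, SSN_LEN);
}

/* The app developer's documented API: decrypt one field through the keymaster.
 * Every call is logged, refused or not. Returns 1 and fills `out` on success. */
int km_reveal(struct keymaster *km, role_t caller, const char *app_id,
              int record_id, const uint8_t ct[SSN_LEN], char out[SSN_LEN + 1]) {
    int allowed = (caller == ROLE_APP_DEVELOPER);
    if (km->log_len < LOG_CAP) {
        struct access_event *e = &km->log[km->log_len++];
        strncpy(e->app_id, app_id, APP_ID_LEN - 1);
        e->app_id[APP_ID_LEN - 1] = '\0';
        e->record_id = record_id;
        e->allowed = allowed;
    }
    if (!allowed) return 0;
    km_xor(km, ct, (uint8_t *)out, SSN_LEN);
    out[SSN_LEN] = '\0';
    return 1;
}

/* The auditor sees only the log, never the data: count successful decrypts
 * per app and flag any app above max_per_app (a bulk-pull anomaly of the
 * ChoicePoint kind). Returns the number of flagged apps, or -1 if the
 * caller is not an auditor. */
int auditor_scan(const struct keymaster *km, role_t caller, int max_per_app,
                 char flagged[][APP_ID_LEN], int flagged_cap) {
    if (caller != ROLE_AUDITOR) return -1;
    char seen[LOG_CAP][APP_ID_LEN];
    int counts[LOG_CAP], nseen = 0, nflag = 0;
    for (size_t i = 0; i < km->log_len; i++) {
        const struct access_event *e = &km->log[i];
        if (!e->allowed) continue;
        int j;
        for (j = 0; j < nseen; j++)
            if (strcmp(seen[j], e->app_id) == 0) break;
        if (j == nseen) { strcpy(seen[j], e->app_id); counts[j] = 0; nseen++; }
        counts[j]++;
    }
    for (int j = 0; j < nseen; j++)
        if (counts[j] > max_per_app && nflag < flagged_cap)
            strcpy(flagged[nflag++], seen[j]);
    return nflag;
}

int main(void) {
    struct keymaster km = {0};
    for (int i = 0; i < 32; i++) km.key[i] = (uint8_t)(i * 7 + 3);  /* constructed key */
    uint8_t ct[SSN_LEN]; char out[SSN_LEN + 1]; char flagged[4][APP_ID_LEN];
    km_seal(&km, "123-45-6789", ct);                                  /* constructed SSN */
    int ok = km_reveal(&km, ROLE_APP_DEVELOPER, "billing", 1, ct, out);
    printf("billing decrypt ok=%d value=%s\n", ok, ok ? out : "-");
    for (int r = 0; r < 5; r++) km_reveal(&km, ROLE_APP_DEVELOPER, "vendor42", r, ct, out);
    int n = auditor_scan(&km, ROLE_AUDITOR, 3, flagged, 4);
    printf("auditor flagged %d app(s): %s\n", n, n > 0 ? flagged[0] : "-");
    return 0;
}
```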

Tens or hundreds of millions of dollars in market capitalization hang in the balance.
 

Saturday, April 16, 2005

The Blauction Concept



In the vein of life-caching, which I discussed yesterday, how about my concept of blauctions? Yep, this is a word I just coined - a hybrid of blog and auction. This technology would support the operation of controlled auctions on blogs.

Let's say you have a blog. A simple control panel would give you the ability to publish your own auctions... or select from categories of auctions that you would like to promote on your blog. And say your blog covers Red Sox baseball. You could give precedence to auctions of baseball cards and baseball memorabilia.

Just like eBay, the blog owner would get a cut of every sale made on his or her site.
 

Friday, April 15, 2005

Protecting Customer Data



The Internet age's security guru, Bruce Schneier, has weighed in with his take on the recent spate of identity theft debacles (think ChoicePoint, LexisNexis, Bank of America). These high-profile incidents have resulted in Congressional rumblings for new legislation to protect privacy. In Mitigating identity theft, Schneier's take is that simply protecting identity data won't work.

The problem is not identity theft per se -- since you can't really steal someone's identity -- it is the proliferation of transactions that allow one person to impersonate another.

Proposed fixes tend to concentrate on... making personal data harder to steal--whereas the real problem is [the ease with which a criminal can use personal data to commit fraud]. If we're ever going to manage the risks and effects of electronic impersonation, we must concentrate on preventing and detecting fraudulent transactions.

...Financial intuitions [sic] need to be liable for fraudulent transactions... Credit card companies simply don't worry about verifying the cardholder or putting requirements on what he does. They concentrate on verifying the transaction. ...once financial institutions are liable for losses due to these types of fraud, they will find solutions.

Right now, the economic incentives result in financial institutions that are so eager to allow transactions--new credit cards, cash transfers, whatever--that they're not paying enough attention to fraudulent transactions. They've pushed the costs for fraud onto the merchants. But if they're liable for losses and damages to legitimate users, they'll pay more attention. And they'll mitigate the risks.


As usual, Schneier is spot on. But I'll attach a caveat: companies must do more to protect critical customer data. Until the time comes that institutions are responsible for the financial consequences of impersonation (and don't hold your breath, given their lobbyists), you'll still want to protect your SSN.

I'll post some thoughts about what companies can do to better protect customer data and to validate the transactions that use that information. Until then, suckle at the teat of wisdom and read the whole thing:

News.com: Mitigating identity theft
 

Thursday, April 14, 2005

Life-Caching



Trendwatching.com has identified a trend called life caching. What is "life-caching"? It's the emerging capabilities for...

...collecting, storing and displaying one's entire life, for private use, or for friends, family, even the entire world to peruse. ...[it] owes much to bloggers... millions of people have taken to digitally indexing their thoughts, rants and God knows what else; all online, disclosing the virtual caches of their daily lives, exciting or boring. Next came moblogging, connecting camera phones to online diaries, allowing not only for more visuals to be added to blogs, but also for real-time, on the go postings of experiences and events. And that's still just the beginning.


Trendwatching notes services like Nokia's Lifeblog, which uses the Nokia 6620 as the hub of a collection service for notes, videos, high-res (1.1 Megapixel) still photos, sound clips, etc. and is capable of delivering the life-cache to an Internet blog site.

Think Gmail's 2+ gigabyte limit and miniaturized high-density MP3 players that are worn on a lanyard (like the iPod Shuffle). Microsoft Research's Rick Rashid had a neat sound bite:

...you can store every conversation you've ever had in a terabyte. You can store every picture you've ever taken in another terabyte. And the Net Present Value of a terabyte is USD 200...


Three interesting ramifications to the life-caching trend that I see:

Security - if you're able to carry around a USB flash card that centralizes your music, photos, videos, documents, etc., then security will be a huge concern. You don't want to lose the equivalent of your entire life to a stranger. So... how can you protect your data?

Privacy - publishing an increasing percentage of your life-cache to the Internet raises a variety of privacy concerns. Will the bad guys (and it's difficult to even identify who the bad guys are these days) get hold of your data in such a way as to compromise your identity, subsume your credit or otherwise cause heartache? With life-caching, the ChoicePoints of the world aren't disclosing the data the bad guys require... you are.

Counter-googling - attendant with privacy issues is the one-to-one marketing trend called counter-googling, in which legitimate companies build up directories of useful information about customers and prospects based upon the public life-caches they've assembled. Companies will know more and more about you -- even without the ChoicePoints of the world -- and will use that data to target your whims, desires and weaknesses to extract additional dough from your wallet.
 

Wednesday, April 13, 2005

Firefox's SwitchProxy



News.com reports that RoundTwo -- formerly known as MozSource -- has re-dedicated itself to building Firefox extensions. Their contention is that the same users flocking to Firefox in droves will also be looking for safe and reliable products to enhance the Firefox experience.

They are thinking of products like SwitchProxy, which lets you choose from a list of web proxies. The proxies can provide (but certainly don't guarantee) a level of anonymity for surfers by adding a layer of indirection to your surfing. The web server you're visiting, for instance, will record the IP address of the proxy... and not your IP.

Ah, but where to find anonymous proxies? The MozMonkey Forum has a lengthy thread discussing this very topic. For your viewing pleasure, I've coalesced some of the lists mentioned.

In addition, there are tools like the ProxyTester, which will examine lists of proxies and let you know the ones that are still alive and kicking. And, of course there are tools to test the anonymity services provided by these proxies: ProxyJudge and Anonymizer's Privacy Tester may fit the bill.

In any event, use these lists at your own risk - they are culled from MozMonkey and have not been checked or examined in any depth. The onus is on you to determine suitability and applicability to your particular web surfing requirements. Nuff said.



News.com: Start-up wants to improve on Firefox
 

Tuesday, April 12, 2005

The Real Die-In



Marc Fencil is a senior majoring in political science at Ohio University. He also happens to be -- at the moment -- a Marine serving in Iraq. His eloquent and powerful letter-to-the-editor was printed in Ohio University's Post Online. It was a response to the recent "die-in" sponsored by the Leftist moonbats so typical of academe.

Yes, a handful of coddled wankers, whose most recent hardship consisted of having to wait ten minutes for a lukewarm mocha latte at the corner coffee klatch, continue to demonstrate their staggering and profound ignorance while siding with the Zarqawis of the world. Arrayed against freedom, arrayed against the forces of good, arrayed against History itself - the Leftist moonbats orbit the provably false hypotheses of "WMD lies", war-for-oil, and Halliburton. That's the extent of their brilliance: rehashed movie magic from the Leni Riefenstahl of the twenty-first century. Perhaps the moonbats are actually orbiting Michael Moore himself. Goodness knows, he's big enough to have his own gravitational field.

Just read the whole thing.

It’s a shame that I’m here in Iraq with the Marines right now and not back at Ohio University completing my senior year and joining in blissful ignorance with the enlightened, war-seasoned protesters who participated in the recent “die-in” at College Gate. It would appear that all the action is back home, but why don’t we make sure? That’s right, this is an open invitation for you to cut your hair, take a shower, get in shape and come on over! If Michael Moore can shave and lose enough weight to fit into a pair of camouflage utilities, then he can come too!

Make sure you all say your goodbyes to your loved ones though, because you won’t be seeing them for at least the next nine months. You need to get here quick because I don’t want you to miss a thing. You missed last month’s discovery of a basement full of suicide vests from the former regime (I’m sure Saddam’s henchmen just wore them because they were trendy though). You weren’t here for the opening of a brand new school we built either. You might also notice women exercising their new freedom of walking to the market unaccompanied by their husbands.

There is a man here, we just call him al-Zarqawi, but we think he’d be delighted to sit down and give you some advice on how you can further disrespect the victims of Sept. 11 and the 1,600 of America’s bravest who have laid down their lives for a safer world. Of course he’ll still call you “infidel” but since you already agree that there is no real evil in the world, I see no reason for you to be afraid. Besides, didn’t you say that radical Islam is a religion of peace and tolerance?

I’m warning you though - it’s not going to be all fun and games over here. You might have bad dreams for the next several nights after you zip up the body bag over a friend’s disfigured face. I know you think that nothing, even a world free of terror for one’s children, is worth dying for, but bear with me here. We’re going to live in conditions you’ve never dreamt about. You should get here soon though, because the temperatures are going to be over 130 degrees very soon and we will be carrying full combat loads (we’re still going to work though). When it’s all over, I promise you can go back to your coffee houses and preach about social justice and peace while you continue to live outside of reality.

If you decide to decline my offer, then at least you should sleep well tonight knowing that men wearing black facemasks and carrying AK-47s yelling “Allahu Akbar” over here are proud of you and are forever indebted to you for advancing their cause of terror. While you ponder this, I’ll get back to the real “die-in” over here. I don’t mind.


LGF: Marc Fencil's Letter-to-the-Editor
 

Will LAMP Eclipse Java?



The new software company ActiveGrid has introduced its application server, which is based upon LAMP technology. LAMP (Linux-Apache-MySQL-PHP/Perl/Python) is the open-source stack used so successfully by companies like Google and Yahoo to build massively scalable server-based applications. And, personally, I feel LAMP should be used in the majority of situations where Java/J2EE apps are used today: I've seen too many J2EE apps that went over-budget and too many similar LAMP budgets that went under-budget. And I'm comparing apples-to-apples, though corporate confidentiality agreements prevent me from elaborating upon project specifics.

All that being said, I'm highly skeptical about ActiveGrid's claims that J2EE app servers are no longer necessary. It's great marketing hype, but I would have to see how ActiveGrid stands up to true session-integrity requirements.

For example, consider when you're using your broker's website online. You're in the middle of specifying a stock transaction when the server on the back-end dies. Session-integrity would allow another server to pick up seamlessly where the first left off, without losing any of the information entered in the session up to the point where the first server died. Those are the kinds of systems J2EE was designed to handle.

An open-source software company called ActiveGrid is challenging the established thinking among builders of large-scale business applications.

The premise of ActiveGrid, which released an early version of its server software and tools on Monday, is that application servers based on the Java 2 Enterprise Edition (J2EE) specification are no longer required. Company Peter Yared was even handing out "No J2EE" pins at LinuxWorld earlier this year...

...In an essay, Yared argued that the day of powerful applications servers that centralize many functions, like database access and caching, are passé.

Instead, a distributed grid of back-end application servers will function more like a "text pump" moving text-based XML files around the network. And scripting languages, he says, are very good at handling text and easily building Web pages.


News.com: Will LAMP eclipse Java?
 

Monday, April 11, 2005

The Collaborators



The consistently brilliant Power Line has followed up on the bizarre story of AP photographers who won the Pulitzer Prize. Some of the photos appear to have been taken in collaboration with terrorist insurgents.

New York Times photographer D. Gorton analyzed the photos and weighed in with his take on this photo:

Leaving aside the ethical specifics of this situation, if I knew that an event was about to occur that included possible violence, I would do exactly what it appears the photographer did in making this picture:

(1) I would choose an elevated mobile platform where I had an unobstructed view of the scene, and where I had maneuverability to observe as well as rapid exit...such as a pick up truck

(2) I would be at enough distance to be somewhat protected and inconspicuous

(3) I would choose a medium telephoto lens that could be hand held in a moving vehicle, yet give me large enough images to be clearly recognizable.

So, the assassination picture has all the earmarks of a planned image, indicating that the photographer had taken most of the considerations that I have written about above.


Power Line: The AP
 

Sunday, April 10, 2005

When Software Kills



The Therac-25, a computer-based radiation therapy machine, massively overdosed patients at least six times between June 1985 and January 1987. Each overdose exposed a patient to several times the normal therapeutic dose and resulted in the patient's severe injury and, in some cases, death. The overdoses occurred primarily because of errors in the data validation routines contained within the Therac-25 software.

For example, a normal therapeutic dose of radiation might consist of exposure to around 200 rad. Physicists believe that the Therac-25 exposed patients to 15,000 rad... or more.

How could such a thing happen?



Poor design and implementation of a multi-tasking application was the primary culprit. If the operator of the Therac-25 performed data-entry under special circumstances, shared variables between the keyboard-handling routine and other tasks could become corrupted. These other tasks included verification that the machine's settings were correct.

The upper collimator, on the other hand, is set to the position dictated by the low-order byte of MEOS by another concurrently running task (Hand) and can therefore be inconsistent with the parameters set in accordance with the information in the high-order byte of MEOS. The software appears to include no checks to detect such an incompatibility.


Basically, aside from the poor design and implementation, there were no paranoia checks.

During machine setup, Set-Up Test will be executed several hundred times since it reschedules itself waiting for other events to occur. In the code, the Class3 variable is incremented by one in each pass through Set-Up Test. Since the Class3 variable is 1 byte, it can only contain a maximum value of 255 decimal. Thus, on every 256th pass through the Set-Up Test code, the variable overflows and has a zero value. That means that on every 256th pass through Set-Up Test, the upper collimator will not be checked and an upper collimator fault will not be detected.

The overexposure occurred when the operator hit the "set" button at the precise moment that Class3 rolled over to zero. Thus Chkcol was not executed, and F$mal was not set to indicate the upper collimator was still in field-light position. The software turned on the full 25 MeV without the target in place and without scanning.
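
The Class3 rollover quoted above, modeled as an added example; this is not code from the post or from the Therac-25 itself. The collimator model, the function names and the "assign instead of increment" variant offered as one possible fix are all assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the upper collimator: fault_present = 1 means it is
 * still in field-light position, which Chkcol is supposed to catch. */
typedef struct { int fault_present; } collimator_t;

/* Chkcol: returns 1 when it detects the fault (F$mal would be set). */
static int chkcol(const collimator_t *c) { return c->fault_present ? 1 : 0; }

/* One pass of the buggy Set-Up Test. Class3 is a 1-byte counter bumped on
 * every pass and Chkcol only runs while it is non-zero, so every 256th pass
 * the check is silently skipped. Returns 1 if the fault was detected. */
static int setup_pass_buggy(uint8_t *class3, const collimator_t *col) {
    *class3 += 1;                       /* 255 + 1 wraps to 0 */
    if (*class3 != 0) return chkcol(col);
    return 0;                           /* Chkcol not executed this pass */
}

/* Same pass with the increment replaced by an assignment, so Class3 can
 * never roll over (one possible fix; an assumption of this example). */
static int setup_pass_fixed(uint8_t *class3, const collimator_t *col) {
    *class3 = 1;
    if (*class3 != 0) return chkcol(col);
    return 0;
}

/* Run `passes` rounds of the Set-Up Test with a real fault present and
 * count the rounds in which the fault went undetected. */
int undetected_faults(int passes, int use_fix) {
    uint8_t class3 = 0;
    collimator_t col = {1};
    int missed = 0;
    for (int p = 1; p <= passes; p++) {
        int detected = use_fix ? setup_pass_fixed(&class3, &col)
                               : setup_pass_buggy(&class3, &col);
        if (!detected) missed++;
    }
    return missed;
}

/* The operator's "set" lands on pass `set_pass`. Returns 1 if the buggy code
 * would leave F$mal clear on that pass, i.e. the beam could be enabled with
 * the collimator still in field-light position. */
int beam_enabled_unsafely(int set_pass) {
    uint8_t class3 = 0;
    collimator_t col = {1};
    int detected = 0;
    for (int p = 1; p <= set_pass; p++) detected = setup_pass_buggy(&class3, &col);
    return detected ? 0 : 1;
}

int main(void) {
    printf("buggy: %d of 1000 passes miss the fault\n", undetected_faults(1000, 0));
    printf("fixed: %d of 1000 passes miss the fault\n", undetected_faults(1000, 1));
    printf("set on pass 255 -> unsafe=%d\n", beam_enabled_unsafely(255));
    printf("set on pass 256 -> unsafe=%d\n", beam_enabled_unsafely(256));
    return 0;
}
```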


Subsequent studies of the software and the processes around the events in question led to recommendations for basic "best practices". Most were obvious: documentation, processes, and standards should have been established - and never were. Even formal testing and rigorous stress tests never took place.

But one recommendation, in particular, is near and dear to my heart:

* Ways to get information about errors -- for example, software audit trails -- should be designed into the software from the beginning.


One of my personal heroes -- Dan Bricklin, the co-inventor of the spreadsheet -- made a similar point a while back. And I blogged about it last year. It's a point worth considering - again.

Because if you write software for a living, you have a responsibility to be dead serious about your code's quality. You never know when someone will borrow, reuse or transplant your code into another package, device, or system. And your code could end up in another system like a Therac-25, where lives hang in the balance.
 

Fortify Your Loops



This is another post in a continuing, yet oddly sporadic, series of entries on building reliable software. Here's another outrageous tenet of my philosophy:

Ban the While Loop

Yes, that's right: ban the while loop. Get rid of any while loops in your code. Today. Here's why.

Consider the following, oh-so-typical code:

myQuery.FetchFirst();
while (!myQuery.IsEndOfFile()) {
    ... processing steps ...
    myQuery.FetchNext();
}


What's wrong with that? Nothing you say? Au contraire, mon frere. Consider the jamoke who comes after you and adds some additional logic, like so:

myQuery.FetchFirst();
while (!myQuery.IsEndOfFile()) {
    ... processing steps ...
    if (bSkipRecord) {
        continue;
    }

    ... processing steps ...
    myQuery.FetchNext();
}


Guess what? If the boolean bSkipRecord ever gets set, you're in infinite-loop-land and you might as well go out for coffee and a cigarette -- indefinitely -- while this code runs and runs and runs... basically like the Energizer Bunny plugged into a 220-volt outlet.

So, what do we do in cases like this instead of a while loop? Basically, fortify all of your loops. Make them into for loops.

for (myQuery.FetchFirst(); !myQuery.IsEndOfFile(); myQuery.FetchNext()) {
    ... processing steps ...
    if (bSkipRecord) {
        continue;
    }

    ... processing steps ...
}


Now when Einstein adds his logic, we no longer have the catastrophic result of the system hanging (or an internal denial-of-service attack, as I like to call it).

Going a step further, we can fail-safe the loop. By "fail-safing", I mean assigning a maximum number of loop iterations and recording an error if we hit that maximum. This serves two purposes: to short-circuit a possible infinite loop and to detect the fact that the loop constraint did not work as intended.

for (ixCount = 0, myQuery.FetchFirst();
        !myQuery.IsEndOfFile() && ixCount < MAX_TBL_COUNT;
        myQuery.FetchNext(), ixCount++) {
    ... processing steps ...
    if (bSkipRecord) {
        continue;
    }
    ... processing steps ...
}
if (ixCount >= MAX_TBL_COUNT) {
    // Note that our loop did not work as intended!
}


So, I guess we can boil this lesson down to two tenets: (a) fortify your loops; and (b) fail-safe your loops.
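
The fortified, fail-safed loop above made runnable, as an added example that is not the post's own code. The query_t cursor (with a `stuck` flag that simulates a FetchNext that never advances), the function names and the sample table are assumptions of this example; the fail-safe check is also tightened so that a table of exactly MAX_TBL_COUNT rows is not reported as a failure.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_TBL_COUNT 1000

/* Constructed stand-in for the post's myQuery: a cursor over an int array.
 * `stuck` simulates a broken FetchNext that never advances the cursor. */
typedef struct { const int *rows; size_t n; size_t pos; int stuck; } query_t;

static void fetch_first(query_t *q)    { q->pos = 0; }
static void fetch_next(query_t *q)     { if (!q->stuck) q->pos++; }
static int  is_eof(const query_t *q)   { return q->pos >= q->n; }
static int  current(const query_t *q)  { return q->rows[q->pos]; }

/* Fortified and fail-safed loop: sums the non-negative rows and skips the
 * negative ones with `continue`. Because FetchNext lives in the for-header,
 * `continue` still advances the cursor. Returns the sum and sets
 * *loop_failed to 1 when the loop stopped on the iteration cap rather than
 * on end-of-file. */
long sum_non_negative(query_t *q, int *loop_failed) {
    long total = 0;
    int ix_count;
    for (ix_count = 0, fetch_first(q);
         !is_eof(q) && ix_count < MAX_TBL_COUNT;
         fetch_next(q), ix_count++) {
        int v = current(q);
        if (v < 0) {
            continue;               /* safe: the for-header runs fetch_next */
        }
        total += v;
    }
    /* Flag only if the cap is what stopped us: a table of exactly
     * MAX_TBL_COUNT rows reaches the cap with EOF true and is not an error. */
    *loop_failed = (!is_eof(q) && ix_count >= MAX_TBL_COUNT);
    return total;
}

int main(void) {
    static const int rows[] = {3, -1, 4, -1, 5};      /* constructed table */
    query_t ok = {rows, 5, 0, 0};
    query_t stuck = {rows, 5, 0, 1};
    int failed;
    long s = sum_non_negative(&ok, &failed);
    printf("healthy cursor: sum=%ld failed=%d\n", s, failed);
    s = sum_non_negative(&stuck, &failed);
    printf("stuck cursor:   sum=%ld failed=%d (loop capped, no hang)\n", s, failed);
    return 0;
}
```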
 

Friday, April 08, 2005

Oh, Those Perils of Outsourcing!



The Times of India reports that call-center employees of MSource, a financial services outsourcing arm of MphasiS, ripped off about $350,000 from Citibank account holders:

They allegedly transferred a total of Rs 1.5 crore (US $3.5 lakh) from a multinational bank into their own accounts, opened under fictitious names. The money was used to splurge on luxuries like cars and mobile phones.

Twelve people, including the alleged mastermind, have been arrested. The police are trying to determine the extent of the scam and whether the accused committed such crimes earlier...

...Asked to divulge the name of the bank, the accounts of which have been hacked into, Dayal said he could not reveal names of the company’s clients as they had signed a non-disclosure agreement. But, according to sources, the bank is Citibank.

According to the police, Thomas, who worked in the callcentre for six months before quitting the job in December 2004, had the secret pincodes of the customers’ e-mail IDs, which were used to transfer money. In January, he roped in his friends and transferred money from four accounts of the bank’s New York-based customers into their own accounts, opened under fictitious names.

The money was transferred to the accounts on February 22, March 23 and March 31. The amount was later withdrawn by cheques drawn in their (accused’s) names or on the names of other people. The customers, from whose accounts the money had been withdrawn, alerted the bank officials in the US, after which the crime was traced to Pune...


In other words, it appears from this report that Citibank's security operation never detected the fraud: the account-holders apparently were the outer edge of the security perimeter. If this holds true, it's potentially a bigger story than trusting outsourced BPO vendors with key corporate secrets.

Forrester Research is predicting that this incident, in combination with incredibly high attrition rates, will serve to dampen the market for BPO outsourcing by as much as 30%.

A couple of take-aways:

1) MphasiS' Pune centre was both BS-7799 security-certified and CMM Level 5-certified. Certifications are no panacea.

2) Citibank needs to examine whether their account-holders detected the fraud before they did... and, if so, how their security organization dropped the ball.

Times of India: BPO staffers hack bank A/Cs, steal Rs 1.5 cr
 

Moonbats on Parade



The irreplaceable LGF points us to ZombieTime's photo coverage of the Eyes Wide Open Anti-War Display, which occurred in San Francisco on March 25. The accompanying picture, which purported to illustrate the number of "Iraqi civilian" deaths is indicative of the lot:

So -- am I hard-hearted? What's wrong with mourning the "civilians"? As I looked at the placards honoring the Iraqis, it occurred to me that the vast majority were adult men. Hmmmm -- why would this be the case? Perhaps because most of them were combatants? While there undoubtedly have been innocent victims of the war (and yes, each of those deaths is a tragedy), not every single Iraqi who died was a "civilian," as the AFSC would want us to believe...

...I'd estimate 75% at least -- of the casualties were (in order, from the start of the war) soldiers in Saddam Hussein's army, Republican Guard troops, Ba'athist "insurgents," Sunni militia members, foreign jihadis, and all manner of thugs, fanatics and killers.

In other words, the enemy. Terrorists. The American military has gone to extremes to minimize civilian casualties, and the vast majority of the time if someone was killed by U.S. forces, that person was killed while actively engaged in the battle to kill Americans.


And be sure to scroll down to the last photo, where you'll find a clue as to the true agenda of the Left Bank Moonbats.

ZombieTime: Eyes Wide Open Anti-War Display
 

Thursday, April 07, 2005

The AP's Pulitzer Prize-winning Photos



The Cassandra Page posted a very popular blog entry entitled, "The Top 10 categories of MSM/DNC bias" on April 2nd. With excellent linkage to real (and, often, nearly unbelievable) incidents, it quickly became one of the most popular blog entries in the last few weeks. Well, it's now up to 20 categories... and counting. Read the whole thing.

I bring the Cassandra post up because of the recent Pulitzer Prize awards. Twenty news photos from the AP received awards.

Riding Sun (hat tip: LGF) and the Jawa Report have examined all of the photos... and what they found was more disturbing than the concept of "Governor Gary Coleman".

I looked at the twenty photographs and broke them into groups on the basis of content. Here are my results:

* U.S. troops injured, dead, or mourning: 3 (2, 3, 11)
* Iraqi civilians harmed by the war: 7 (4, 5, 8, 9, 10, 13, 18)
* Insurgents looking determined or deadly: 3 (6, 15, 20)
* US troops looking overwhelmed or uncertain: 3 (7, 12, 14)
* US troops controlling Iraqi prisoners: 2 (16, 17)
* Iraqis celebrating attacks on US forces: 2 (1, 19)

Equally telling is what the photos don’t show:

* US forces looking heroic: 0
* US forces helping Iraqi civilians: 0
* Iraqis expressing support for US forces: 0
* Iraqis expressing opposition to insurgents: 0


After analysis, Jawa states, " two... photos clearly show that the AP has ties to terrorists and insurgents fighting the U.S." The accompanying photo is a case-in-point. The AP just happened to be there when insurgents dragged some civilian innocents out of a vehicle and capped them in the middle of a busy road.

The AP - collaborating with the enemy? Who'da thunk it?

Riding Sun: Analyzing the AP's Pulitzer-prize-winning Photos
 

Bruce Schneier on the Publicity surrounding Quantum Cryptography



In an era where endpoint security (i.e., what is running on my workstation?) is the Achilles' heel of network security, the PR around quantum cryptography is, uhm, somewhat disturbing. Quantum key distribution hardens the one link that attackers almost never bother to break.

Bruce Schneier said it best:

Security is only as strong as its weakest link and cryptography is the best link we have... I break a lot of things for a living, but I almost never break the crypto.


Forbes: Building a hacker-proof network
 

Bench Press



Funny comment on Pete's blog regarding bench-press accidents (along with a link to a pretty scary drop of an 800-pound bench):

If you find me crushed to death by the weights, put a few more plates on before you get help.


Exactly. And take a few pictures. At least the farewell comments of the mourners would be, "damn, I didn't know he could bench 500!".

Pete also referenced my own frightening experience of benching while failing to use a spotter. That won't happen again.
 

Wednesday, April 06, 2005

The Wharton School on the Future of Blogging



I haven't read something quite as disappointing as the Wharton School's analysis of the "Future of Blogging" in some time.

The article's omissions -- whether through sheer inexperience with the blogosphere or willful neglect -- are almost shameful. The following are some excerpts that caught my eye - my comments are in bold.

"This is not a fad. It's the rise of amateur content, which is replacing the centralized, controlled content done by professionals." --Dan Hunter, Wharton legal studies professor

True, but I'd hardly term articles by Powerline's three high-powered attorneys, 'amateur content'. In most cases, bloggers like Hugh Hewitt and Powerline offer superior investigative, organizational, and writing skills -- along with advanced knowledge of the legal system. Contrast that sort of experience with, say, that of an AP stringer... and while there's a mismatch between amateur and professional - it's not the one that Wharton intended to highlight.

...In the future, Fader says, a technology may be created to rate credible bloggers. The system, which would operate like eBay's buyer and seller ratings, could create a blogger pecking order based on readers' opinions...

Uhmmm, well, there already are blogosphere rankings like TTLB's Blogosphere Ecosystem. And Technorati has been tracking blog popularity through link relationships for quite some time. Either system can be used to rate credibility.

...investigative journalism will still be the hallmark of the media. "First-hand reporting will be the distinction between blogging and journalism," Hunter adds.

You must be joking. Investigative journalism like Rathergate and the Eason Jordan affair? Or first-hand reporting from the frontlines of Democracy in Iraq or the tsunami-devastated towns of Banda Aceh and Phuket?

Bloggers do firsthand and investigative journalism better than the MSM - because bloggers are everywhere... and their credibility is at stake with every story, due to the inherently self-correcting nature of the blogosphere.


While corporations can chalk up blogging as a marketing expense, the story is a little different for individuals. Can blogging pay the bills? If you are lucky, you can pay the hosting fees, but that's about it, say Wharton experts.

Uhmm, better get some new experts. The major blogs are making serious coin. Drudge is reported to have made millions in advertising revenue from his site. Using the blogosphere's leading ad network, Blogads, I've calculated some ballpark revenues for the following sites:

$6000/week - Daily Kos
$4000/week - Instapundit
$4000/week - Eschaton
$3750/week - Little Green Footballs
$3000/week - Talking Points Memo
$1800/week - Hugh Hewitt
$1600/week - Wonkette

Of course, this doesn't count their ad revenue from GoogleAds, associates' revenue from Amazon, and other ad networks. So, even in my brief survey, there is some ca-ching occurring on the major blog sites.


The article was passably interesting, but certainly did not appear to have a good handle on the evolution of the blogosphere. In fact, if I said, "Haloscan" to the unnamed authors, I'm betting I'd get a "huh?" in return.

A disappointing effort, especially given the Wharton School's excellent track record.

News.com: Wharton on the Future of Blogging
 

The Future of Pay-per-Click



In a story that hasn't seen wide publicity, Google and Yahoo News have been sued by an online gift shop for allegedly overcharging on "pay-per-click" (PPC) advertising.

Lane's Gifts and Collectibles says in a Miller County lawsuit that the Internet companies charged it for advertising traffic not generated by bona fide customers... Lane's alleges a conspiracy in which the companies worked with one another to create an online environment that harms advertisers.

The companies, it says, "have grown the Internet PPC (pay per click) advertising market while failing to disclose that they have routinely and systematically overcharged and-or overcollected for PPC advertising revenue from their customers."


In the past, Google and Yahoo have both disclosed the risk of fraudulent click-throughs. After all, who can guarantee that someone clicking on your ad isn't your competitor (trying to drive your costs up) or a bot of some kind?

Here's another real risk I haven't seen publicized: distributed zombie attacks on the PPC model and specific customers.

If the crooks controlling zombie networks so decided, they could easily blow up the PPC market by randomly clicking on advertisements -- thousands a minute. It would be extremely difficult for the ad networks to detect, and then shield advertisers from, clicks that arrive one at a time from thousands of distributed source IP addresses: each zombie looks like an ordinary visitor clicking once, so per-IP rate limits and blacklists have nothing to catch.

Or the zombie networks could target a specific advertiser by driving up their specific CPC costs.

Either way, the CPC business could get ugly quick.
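To make the distributed case concrete, here is an added example (my own illustration, not code from this post or from any ad network): a constructed click log containing organic traffic, one abusive IP, and a 60-zombie burst against a single advertiser, run first through a conventional per-IP rate limit and then through per-advertiser signals (click velocity against the advertiser's own baseline, source-IP diversity, and conversions in the busiest window). The advertiser names, IP addresses, timestamps and thresholds are all made up for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import median


def _build_sample_log():
    """Constructed sample click log (made up for this example; not data from
    any ad network). Record format: ISO timestamp, source IP, advertiser id,
    converted flag (1 if the click led to a purchase)."""
    base = datetime(2005, 4, 6, 9, 0, 0)
    lines = []
    # Organic traffic: ~10 clicks/hour from distinct IPs, a third converting.
    for i in range(10):
        ts = base + timedelta(minutes=6 * i)
        conv = 1 if i % 3 == 0 else 0
        lines.append(f"{ts.isoformat()} 198.51.100.{i + 1} lanes-gifts {conv}")
    # Distributed attack: 60 clicks inside one minute, each from a different
    # zombie IP, none converting. Per-IP throttling sees nothing unusual.
    for i in range(60):
        ts = base + timedelta(hours=1, seconds=i)
        lines.append(f"{ts.isoformat()} 203.0.113.{i + 1} lanes-gifts 0")
    # The easy case: one abusive IP hammering another advertiser's ad.
    for i in range(12):
        ts = base + timedelta(minutes=30, seconds=2 * i)
        lines.append(f"{ts.isoformat()} 192.0.2.7 example-shop 0")
    return lines


SAMPLE_LOG = _build_sample_log()


def parse_log(lines):
    """Parse log records into dicts sorted by timestamp."""
    events = []
    for line in lines:
        ts, ip, advertiser, converted = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "advertiser": advertiser, "converted": converted == "1"})
    events.sort(key=lambda e: e["ts"])
    return events


def per_ip_rate_limit(events, max_per_minute=5):
    """The conventional control: flag any source IP that exceeds
    max_per_minute clicks within a sliding 60-second window."""
    recent = defaultdict(deque)
    flagged = set()
    for e in events:
        q = recent[e["ip"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > timedelta(seconds=60):
            q.popleft()
        if len(q) > max_per_minute:
            flagged.add(e["ip"])
    return flagged


def advertiser_stats(events, advertiser, window_seconds=60):
    """Per-advertiser signals that survive source-IP diversity: the busiest
    sliding window (click count, distinct IPs, conversions) compared with
    the advertiser's typical clicks per minute."""
    clicks = [e for e in events if e["advertiser"] == advertiser]
    if not clicks:
        return None
    # Baseline: median clicks per minute over minutes that saw any traffic,
    # so one burst minute cannot drag the baseline up with it.
    per_minute = defaultdict(int)
    for e in clicks:
        per_minute[e["ts"].replace(second=0, microsecond=0)] += 1
    baseline = median(per_minute.values())
    window, best = deque(), None
    for e in clicks:
        window.append(e)
        while (e["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
            window.popleft()
        if best is None or len(window) > best["clicks"]:
            best = {"clicks": len(window),
                    "distinct_ips": len({x["ip"] for x in window}),
                    "conversions": sum(1 for x in window if x["converted"])}
    best["baseline_per_minute"] = baseline
    best["burst_ratio"] = best["clicks"] / baseline
    return best


def flag_distributed_burst(events, factor=10, min_distinct_ips=20):
    """Flag advertisers whose busiest window is far above their own baseline,
    spread across many source IPs, and produced no conversions: the
    signature of a zombie network rather than one misbehaving client."""
    verdicts = {}
    for advertiser in sorted({e["advertiser"] for e in events}):
        s = advertiser_stats(events, advertiser)
        verdicts[advertiser] = (s["burst_ratio"] >= factor
                                and s["distinct_ips"] >= min_distinct_ips
                                and s["conversions"] == 0)
    return verdicts


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("per-IP limiter flagged:", per_ip_rate_limit(ev))
    for adv in ("lanes-gifts", "example-shop"):
        print(adv, advertiser_stats(ev, adv))
    print("distributed-burst verdicts:", flag_distributed_burst(ev))
```

The per-IP limiter flags 192.0.2.7 and nothing else; the zombie burst only shows up when you look at the advertiser's click velocity against its own baseline, the spread of source IPs, and the absence of conversions. A genuine flash crowd would also blow past the baseline, so in practice the conversion signal and the advertiser's history are what separate the two, and the thresholds need tuning per advertiser rather than the fixed numbers used here.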
 

Tuesday, April 05, 2005

Software Development Best Practices: Minimizing Nesting



I'm going to spend a little time blogging about my personal software development best practices. These posts will come in no particular order, but will outline the rules I like to follow when developing software. Reliability, maintainability and simplicity are my personal mantras for development.

Minimizing Nesting



Unnecessary nesting is, if not evil, pretty darn annoying. Whenever possible, developers should strive to minimize nesting. Why? Let's say I have the following code:

//
void CEventHandler::OnNew(const CString& strFileName) {
  //
  CString      strName = CleanFilename(strFileName);
  CString      strLog;
  //
  do {

    //  File-type valid? If not, quit.
    //
    if (!IsFileTypeValid(strName)) {
      break;
    }


    //  Mark file as added.
    //
    m_pPage->m_mapFileClassification.SetAt(strName, (LPVOID) XMP_FILE_ADD);
    m_pPage->ScheduleRefresh();

    //  Event handling.
    //
    strLog.Format("Added: '%s%s'", m_pPage->m_strPath, strName);
    if ((m_pPage->m_folderSettings.m_dwEvents & CFolderSettings::FileCreated) != 0) {
      if ((m_pPage->m_folderSettings.m_dwActions & CFolderSettings::ActionLog) != 0) {
        Log(strLog);
      }
      if ((m_pPage->m_folderSettings.m_dwActions & CFolderSettings::ActionRoute) != 0) {
        m_pPage->ScheduleRoute();
      }
      if ((m_pPage->m_folderSettings.m_dwActions & CFolderSettings::ActionEmail) != 0) {
        m_pPage->ScheduleEmail();
      }
    }

  //
  } while (0);
}


Note that I could have made the IsFileTypeValid check a nested IF clause: if the file type is valid, then do all the rest of the stuff. But I didn't. Because (and this really happened), I later realized that it was in the wrong place. The file-type validity check needed to occur after the scheduled (display) refresh embodied by ScheduleRefresh. So I simply moved those lines of code:

//
void CEventHandler::OnNew(const CString& strFileName) {
  //
  CString      strName = CleanFilename(strFileName);
  CString      strLog;
  //
  do {

    //  Mark file as added.
    //
    m_pPage->m_mapFileClassification.SetAt(strName, (LPVOID) XMP_FILE_ADD);
    m_pPage->ScheduleRefresh();

    //  File-type valid? If not, quit.
    //
    if (!IsFileTypeValid(strName)) {
      break;
    }


    //  Event handling.
    //
    strLog.Format("Added: '%s%s'", m_pPage->m_strPath, strName);
    if ((m_pPage->m_folderSettings.m_dwEvents & CFolderSettings::FileCreated) != 0) {
      if ((m_pPage->m_folderSettings.m_dwActions & CFolderSettings::ActionLog) != 0) {
        Log(strLog);
      }
      if ((m_pPage->m_folderSettings.m_dwActions & CFolderSettings::ActionRoute) != 0) {
        m_pPage->ScheduleRoute();
      }
      if ((m_pPage->m_folderSettings.m_dwActions & CFolderSettings::ActionEmail) != 0) {
        m_pPage->ScheduleEmail();
      }
    }

  //
  } while (0);
}


Now, if I'd originally nested the IF, I'd have to move a bunch more code around... shifting a lot of indentation... and, in general, opening the door to possible errors.

Minimizing nesting greatly aids readability and, thus, maintainability. Whenever possible, bail out of logic (break, throw an exception, whatever floats your boat) when you can cleanly exit a method or function. Don't nest when you don't have to.
 

Monday, April 04, 2005

A Mission for the Cybersecurity Folks at DHS?



If the cyber-security folks at the Department of Homeland Security are looking for something important to work on, I have an idea:

How about handling identity management for the citizenry?

Because, as Bruce Schneier says, the social-security number -- a relatively short and easily guessed identifier -- shouldn't be the keystone to a person's identity.

And after the various identity-theft debacles at ChoicePoint, Harvard, Lexis, et al., DHS could fill the void by providing a conceptually simple system for managing personal identity.

Here's the gist of the idea: DHS would create and maintain a web-site that would be used to manage and verify identity. Call it id.dhs.gov or something.

To create an individual account, a user would pick a 'handle' and a PIN, password, or pass-phrase. Upon account creation, an individual could verify their identity using the same sort of "shared secret" approach that the IRS employs when you e-File.

From the individual citizen's standpoint, the id.dhs.gov site exists to generate unique identifiers that not only designate individual identity, but are also tied to a specific merchant.

For example, say I fill out a credit application with Infiniti to finance a vehicle. Beforehand, I visit the id.dhs.gov site, login, lookup the merchant ("Infiniti Financial Services/IFS") and generate my unique identifier for IFS, which just appears to be a random bunch of alphanumeric characters. This ID is unique for me and is only useful to IFS, since it's tied to the IFS merchant account.

Thus, when IFS goes to look me up and perform a credit-check with Equifax, they would use DHS as a go-between.

DHS would provide web services to merchants to allow, say, Infiniti to go to EquiFax and ask for information on the ID I've given them. The DHS web service would broker the conversation between IFS and Equifax, translating my IFS ID to an equivalent Equifax ID that corresponds to my identity.

So instead of storing SSNs, Equifax, IFS and the other vendors now store DHS IDs. A DHS ID for an individual is different for each merchant.

Thus, if my IFS ID gets disclosed to some unauthorized third party, I don't care. What can they do with it? Unless they can impersonate IFS to the DHS broker, not a whole heck of a lot.
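A toy model of the scheme, added here as an illustration (example code, not anything from this post or from any real agency or credit bureau): the broker keeps a master secret per citizen and derives each merchant-specific ID as an HMAC of the merchant account ID, so IDs are unlinkable across merchants and resolve only when presented by the merchant they were issued to. The merchant names, the handle "alice", the 24-character truncation and the in-memory tables are assumptions for the example; the IRS-style shared-secret proofing at sign-up is left out.

```python
import hashlib
import hmac
import secrets


class IdentityBroker:
    """Toy model of the brokered, per-merchant identifier scheme sketched
    above. Hypothetical: not any real DHS, IRS or credit-bureau system."""

    def __init__(self):
        self._secrets = {}       # handle -> per-citizen master secret (never leaves the broker)
        self._merchants = set()  # registered merchant account ids
        self._issued = {}        # (merchant, merchant-specific id) -> handle

    def register_citizen(self, handle):
        # Identity proofing at account creation is out of scope for the example.
        self._secrets[handle] = secrets.token_bytes(32)

    def register_merchant(self, merchant_id):
        self._merchants.add(merchant_id)

    def identifier_for(self, handle, merchant_id):
        """What the citizen generates on the site before dealing with one
        merchant. HMAC keyed by the citizen's master secret over the merchant
        id: stable for that pair, different for every other merchant, and not
        reversible to the secret or linkable across merchants."""
        if merchant_id not in self._merchants:
            raise KeyError(f"unknown merchant {merchant_id!r}")
        tag = hmac.new(self._secrets[handle], merchant_id.encode(),
                       hashlib.sha256).hexdigest()[:24]
        self._issued[(merchant_id, tag)] = handle
        return tag

    def translate(self, requesting_merchant, presented_id, target_merchant):
        """The web service a merchant calls: IFS presents the id it holds and
        asks for the equivalent id at Equifax. The id resolves only when
        presented by the merchant it was issued to, and only to another
        registered merchant, so a leaked id is worthless to anyone else."""
        if (requesting_merchant not in self._merchants
                or target_merchant not in self._merchants):
            raise PermissionError("unregistered merchant")
        handle = self._issued.get((requesting_merchant, presented_id))
        if handle is None:
            raise PermissionError("identifier not issued to this merchant")
        return self.identifier_for(handle, target_merchant)


def demo():
    """Walk through the Infiniti / Equifax scenario from the post and return
    the outcomes so they can be checked."""
    broker = IdentityBroker()
    broker.register_merchant("IFS")
    broker.register_merchant("Equifax")
    broker.register_citizen("alice")
    ifs_id = broker.identifier_for("alice", "IFS")          # alice hands this to IFS
    equifax_id = broker.identifier_for("alice", "Equifax")  # what Equifax stores
    out = {"ifs_id": ifs_id, "equifax_id": equifax_id,
           "resolved": broker.translate("IFS", ifs_id, "Equifax")}
    # ifs_id leaks to an unregistered third party.
    try:
        broker.translate("Mallory Inc", ifs_id, "Equifax")
    except PermissionError as err:
        out["leaked_to_outsider"] = str(err)
    # ifs_id leaks to another registered merchant.
    try:
        broker.translate("Equifax", ifs_id, "IFS")
    except PermissionError as err:
        out["leaked_to_other_merchant"] = str(err)
    # Re-generating is stable: same citizen, same merchant, same id.
    out["stable"] = broker.identifier_for("alice", "IFS") == ifs_id
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things the model makes visible. First, the broker becomes the single place where every pairwise ID can be correlated back to a person, so it is both the high-value target and a surveillance point; this is the same trade-off that pairwise pseudonymous subject identifiers carry in federated login systems. Second, Equifax still needs one stable key to index a credit file, so the scheme moves the keystone from a short, guessable SSN to a registry an attacker has to compromise or impersonate a merchant against; it does not remove the keystone.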

Yes, it requires some DHS integration with the IRS. But if the idea is to eventually rid the world of SSNs, then a DHS-based identity management web site -- and attendant web services -- may make a heck of a lot of sense.