Archive for February, 2009

The Security Cynic, Episode 1

Posted in security on February 27th, 2009 by irv – 1 Comment

Once, when I was considering things like blog names and twitter-like user names, I considered calling myself the Security Cynic. I know, that sounds redundant. Anyone who knows much about security is likely to be highly skeptical of much of what is often said about security. And anyone who has worked for a living may be, um, less than impressed by the security practices of a lot of companies or departments, even when their managers claim that security is the most important thing on their minds.

It would be easy at this point to segue into a discussion of the monstrous Heartland data breach but that’s not where I’m going with this today. Still, it’s an interesting object lesson in security cluelessness and should be studied as such. Here are some links:

Now that that’s out of the way, back to today’s storyline. I laughed out loud (seriously enough to not even acronymize it!) when I saw this in the Twitter stream of dantheshive:

@pvponline Be sure to save that bad boy. I personally have a mail folder marked simply as “evidence”.

The Price of Knowledge

Posted in digital business, media on February 25th, 2009 by irv – Be the first to comment

Does anybody know if scientific journals are making money lately?

I don’t have any idea. A lot of commercial print information sources are having serious troubles. There are reports, for example, that the San Francisco Chronicle is in deep trouble [http://sfist.com/2009/02/24/sf_chronicle_for_sale.php] and even venerable (if you can imagine that word in this context) Playboy may be up for sale. [http://www.npr.org/templates/story/story.php?storyId=100906383&ft=1&f=1020] I’ve discussed before some of the troubles in journalism in general. But what I’m asking about today concerns the plethora of scientific and technical journals out there that seem to make up a huge industry.

The question came up because I came across a report that the International Journal of Technology Transfer and Commercialisation has a paper in an upcoming issue about how social networking could be used to discover prior art related to patent applications and thereby speed up the review process [http://esciencenews.com/articles/2009/02/23/social.patents]. It seems there’s an enormous backlog of patent applications and there isn’t much hope of reducing it with current procedures.

Please, Just Test Something, Okay?

Posted in intelligence, science on February 21st, 2009 by irv – Be the first to comment

At my job we encourage people to use Test Driven Development (TDD). The short explanation of that is that before you write a line of program code, write a test for what it is supposed to do. I confess I don’t always adhere to this. For me the rule would be more like, test early and test often. Testing is a skill and it can be hard. Testing first is also a skill. Like any skill it takes time to learn (and I’m getting better at it all the time!).

For years now, though, I’ve found that even my sloppy and less-than-perfectly skilled approach to testing seems to be too much effort for some people. At a previous job I routinely heard other people complaining that some system/server/software was broken when, in fact, their own code (or configuration or approach or whatever) was really broken. My colleagues and I would say something like, “Did you try it from a different computer?” And, as often as not, when tried on a different computer it worked fine. Reboot and try again. Don’t place blame before you’ve gathered the relevant information. Thank you kindly, call again soon.

See? It’s not just programming. Programming is just an environment where testing is measurable and has well developed tools.


What do you mean I forgot the security?

Posted in science, security on February 15th, 2009 by irv – 4 Comments

Is security a science? (I mean specifically computer/Internet security here.) Maybe the question is trivial but sometimes I wonder. The question occurred to me as I was reading a section on cross-site scripting attacks in Ed Skoudis’s excellent book Malware: Fighting Malicious Code, which is the textbook for a class I’m taking. Being a curious sort of guy, I tried it out. I took a prototype web site I had developed for my job and inserted some javascript into a text field, just to see if it would work. It did.

I had the advantage of knowing that I had not included defenses against such an attack in the code because it was a prototype intended to work through a problem, not an actual attempt to build a real live website. It was never going to see real life on the Internet. Well, it seems now that this may not be true. I’ve moved on to other things while that old prototype site has been handed to another programmer to build out into a more complete system. I guess I’d better warn the programmer that he has to include some kind of white listing or tag stripping in the data entry fields before it goes live.

Monday I guess I’ll add it to his backlog. It’s already on mine for the current project (at least, I hope it is!).

The Infection Meme

Posted in Internet on February 12th, 2009 by irv – 1 Comment

We commonly refer to computer programs that spread and cause trouble in terms of diseases; we call them viruses and we say that a computer that has one is infected. Lots of things spread, though. Butter. Ideas. Economic downturns. Clouds of nerve gas. But there are a more limited number of things that spread between people.

Twitter had a problem today. Not just today but that’s when it seemed to come to a head. (If you don’t know Twitter, all you need to know is that people send very short messages that will be seen by their friends who “follow” their posts, or by anyone who looks at the stream of all posts. More on Wikipedia at http://en.wikipedia.org/wiki/Twitter). This was both hilarious and disturbing. Hopefully that’s not a comment on life, the Internet, or Twitter itself.

[Image: Twitter without Don't Click]

What happened was that Twitter was hit by a piece of program code that used a simple social engineering trick to fool people into activating it, so it could reproduce. It showed a link that said “Don’t click this link.” Of course people did click the link, allowing the code to insert itself into their feed, where all their followers would see it – and passive-aggressively do what they knew they shouldn’t and replicate the link still farther.

Improving Young Minds

Posted in intelligence on February 10th, 2009 by irv – Be the first to comment

Maybe it’s some kind of law of nature that immediately after I write a blog post about a subject, the next day there will be new stories related to the same subject. Last week I wrote something about critical thinking and, shortly thereafter, there was an interesting story in Science Daily claiming that tests show that college freshmen majoring in science have terrible reasoning skills whether they were educated in the U.S. or in China.

My first reaction was, “Duh!” Young people in general have terrible reasoning skills. That’s why those of us who are older call them idiots. At this point it would be polite of me to explain that I’m just kidding but, in fact, I’m not much. Face it, how many people look back on their younger selves and think, “Wow! I was sure smart then! I wish I was that smart now!”? I have my glasses on and I still can’t see any raised hands. But, believe it or not, this is not intended to trash the thinking capacity of young people. I was trashing a study about them, actually.

The article about the study mentioned that Chinese students knew many more facts than American students (but please don’t get me started on the state of science education in America!) but performed just as poorly on tests of scientific reasoning. That is, even the ones who knew many scientific facts were unable to solve many of the problems they were given.

From this, the researchers (Or maybe it was the reporters. It’s so hard to tell sometimes. But don’t get me started on the state of science journalism in America either!) concluded “that educators must go beyond teaching science facts if they hope to boost students’ reasoning ability.” I found this to be a very poorly reasoned conclusion based, as it was, on the strange assumption that it’s even possible to teach reasoning or that it’s possible to teach it to children. Talk about a triumph of optimism over experience!

Wars of Ideas

Posted in innovation on February 6th, 2009 by irv – Be the first to comment

I work for someone who often talks about “disruptive technology” and how hard it is to keep it alive. He believes that not only is the project we are building disruptive in the context of the technology world but also in the company itself. One definition of disruptive technology is found at the old standby, Wikipedia: “A disruptive technology or disruptive innovation is a technological innovation that improves a product or service in ways that the market does not expect, typically by being lower priced or designed for a different set of consumers.”

The term came to my mind in a completely different context, though, when I was reading an article [at DefenseTech] about the U.S. Army and the developing – and struggling – doctrine of hybrid war. I was already familiar with the somewhat different concept of asymmetric warfare, in which a very weak opponent (such as Al Qaeda in Iraq) uses guerrilla or terrorist tactics to go after a much more powerful foe (such as the United States) [See http://en.wikipedia.org/wiki/Asynchronous_warfare for more on asymmetric warfare]. But the term hybrid war was new to me.

According to the article, hybrid war is fought against (surprise!) hybrid enemies who “come equipped with high-end, precision guided weapons, yet fight in distributed networks of small units and cells more akin to guerrillas.” This put me in mind of the Afghani Mujahideen of the 1980s, who used U.S. supplied stinger missiles against the invading Soviets. This kind of warfare is not fought with the traditional tank columns and carrier groups but can still do terrible damage. It is made possible both by modern weaponry and by the cleverness and determination of small group leaders.

Legend of the Bats published

Posted in literature, publications on February 1st, 2009 by irv – Be the first to comment

One of my short stories, a fantasy about a bard who gets in a lot of trouble, is now available for reading in the current issue of Sorcerous Signals. The story itself is at http://www.sorceroussignals.com/LegendofBats.html and is also included in their first ever print anthology Mystic Signals. You can buy Mystic Signals at https://www.createspace.com/3370204 or from Amazon at http://www.amazon.com/Mystic-Signals-1-Carol-Hightshoe/dp/1441453474/ref=sr_1_18?ie=UTF8&s=books&qid=1232557841&sr=8-18

I sell a lot more poetry than short stories, even though I’ve been writing stories a lot longer, so it’s a big kick for me to actually see a story make it to print. The stories pay a little better too, though I’m not exactly getting rich off of any of them. Incidentally, this story is one of a sort of loose series of them I’ve been writing (and failing to sell), all taking place at around the same time. For some reason, they are all written in the first person, too. Don’t ask me what order they go in. This is the first one to be published, so it must be first! Did I mention it was a loose series?

Anyway, I hope people will read the story, buy the anthology, and leave comments here telling me what they think.

What do you think?