Archive for January, 2007

I’ve previously posted on the expensive and wretched performance of private security contractors currently engaged by the US government in Afghanistan. I’d like for a moment to take a look at what these contractors — in this case, essentially mercenaries — are up to in Iraq and what that means to us. I’d like to especially look at Blackwater USA. Never heard of them? Yes you have — you just weren’t paying attention. It was two Blackwater contractors who were ambushed and killed in Fallujah in 2004, the ones left hanging from the bridge. And just this week five more Blackwater contractors were killed when their helicopter (belonging to Blackwater, not to the Army) was shot down during the Baghdad operation.

In a recent article in the Los Angeles Times, Jeremy Scahill of the Nation Institute wrote:

“At last count, there were about 100,000 contractors in Iraq, of which 48,000 work as private soldiers, according to a Government Accountability Office report. These soldiers have operated with almost no oversight or effective legal constraints and are an undeclared expansion of the scope of the occupation. Many of these contractors make up to $1,000 a day, far more than active-duty soldiers. What’s more, these forces are politically expedient, as contractor deaths go uncounted in the official toll.”

Blackwater has, among many others, a contract worth $300,000,000 to provide “diplomatic security” in Iraq. Well, maybe today they were just a little far afield of their usual run. But there they were, in their private helicopter, right in the thick of it. Make no mistake, these aren’t “guards;” they are highly trained mercenaries with their own agenda and their own profit-and-loss ledger.

Now in fairness, it was Blackwater personnel who first moved into New Orleans to begin to provide policing and security in the aftermath of Katrina, when the New Orleans Police Department deserted like rats, and the pols in Baton Rouge sat around passing wind and looking for somebody else to come in and get their hands dirty, and the Feds had Brownie On The Job. But is this what we really want? Political and operational incompetence at all levels, so we bring in contractors? Have we privatized everything? We do have the National Guard, except — whoops — they’re mostly in Iraq, with their equipment, which isn’t coming back.

The problem here is one of scale and scope. Armored cars, OK; security guards at refineries and office buildings, OK; specialized police-operations trainers, OK. But then there’s Blackwater: a 7,000-acre private military base in North Carolina, 20 (well now maybe 19) aircraft (apparently not all corporate transports), and literally tens of thousands of soldiers (excuse me: security professionals) on the payroll. On our side, at least for right now. But that’s the real problem, isn’t it? Who will control this Frankenstein, if it starts going off on its own?

Remember, these guys don’t report to the Pentagon, not directly; they’re contractors. And unlike our Armed Forces, if they don’t like things, they can just walk off the job — how’s that for leverage?

Will our President be their master? I don’t know, these people are loaded pretty well into his head. At the Blackwater command center in rural North Carolina, there are some rooms that are pretty much just cubes and desks, ready for occupation in the event of an emergency, a carefully-planned framework for a sudden need for troops and coordination.

And what does Blackwater call such a sudden buildup? A surge.



To those who complain that I’m always pointing out problems and not providing solutions, I present for your edification some material to help you choose better passwords. This stuff follows my own practice, so make your own judgments about it and proceed. If it’s good enough for me, it’s good enough for you too.

First of all, download and use Password Safe, which is a highly secure vault that can record and cough up on demand your identities and authentications, as long as you’re on your own machine. It will also generate very random passwords according to the rules you give it for each site, a very cool feature.

Second, remember that all the security is in the password, none in your ID. Sites don’t blank out the ID when you’re entering it, just the password, and lots of sites require that you use your email account as your ID. So don’t for a minute think that some obscure ID will provide any security.

Reconcile yourself: you will need more than one ID and password, but you can limit the number of different ones you have to remember. All kinds of sites want you to register yourself, and lots of them have very low security implications, such as newspapers and vendor help-sites and the like. Make something up and use it consistently across all these sites, and don’t use it for anything else, certainly not anything important.

Then there are the mid-range-security sites, such as some email accounts, your airline flier account, your phone bill, etc., where you want to keep people out but the data and financial exposure isn’t severe. Use the guidelines below, make up a couple of passwords, and use them on the various sites.

Finally, there are the high-security sites such as your broker, your bank, PayPal, a really secure email site, etc. Think about these sites’ passwords carefully, and then make up and use a different one for each site. Note that changing them frequently isn’t really much help — have a strong one to begin with and you won’t have to change it.

So what makes a strong password? Read Bruce Schneier’s article, which can be summarized as:

  1. If you insist on using an English word, place a few numbers or symbols in the middle of it, not at the ends, put in a random capital letter, and don’t think that using $ for s, or ! for i, or 3 for e will help at all.
  2. Or use two words with symbols or numbers between them.
  3. Use a foreign word, say from Welsh or Serbian, with a couple of numbers (not at the beginning or end).
  4. Better yet, use the first letters of a sentence that means something to you, with random capitalization.
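As an added example (not code from the post, and not Password Safe’s own code), here are the per-site generator and the rules above in Python: generate_password draws a random password that meets a site’s character-class rules, and weaknesses reports which of the summarized rules a candidate breaks. The look-alike substitution table, the tiny word list and the 8-character minimum are my assumptions.

```python
"""Per-site password generation, plus the post's strong-password rules as checks."""
import secrets
import string

# Look-alike substitutions the post says add no strength; crackers try them
# routinely. This table is my own assumption, not part of the post.
LEET = str.maketrans({"$": "s", "5": "s", "!": "i", "1": "i", "3": "e",
                      "@": "a", "4": "a", "0": "o", "7": "t"})

# Constructed mini word list standing in for a real dictionary.
WORDS = {"password", "welcome", "dragon", "summer", "monkey", "letmein", "secret"}

# Character classes a site's password rule can demand.
CLASSES = {
    "upper": str.isupper,
    "lower": str.islower,
    "digit": str.isdigit,
    "symbol": lambda c: not c.isalnum(),
}
DEFAULT_ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def generate_password(length, alphabet=DEFAULT_ALPHABET,
                      require=("upper", "lower", "digit", "symbol")):
    """Random password from ALPHABET containing at least one of each REQUIRE class.

    This is the shape of a vault's per-site generator: the site's rules go in,
    a password satisfying them comes out. Uses secrets (CSPRNG), never random.
    """
    if length < len(require):
        raise ValueError("length too short to hold every required class")
    for name in require:
        if not any(CLASSES[name](c) for c in alphabet):
            raise ValueError(f"alphabet has no {name} characters")
    while True:  # rejection sampling keeps each character uniformly chosen
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(CLASSES[name](c) for c in pw) for name in require):
            return pw


def weaknesses(password, words=WORDS, min_len=8):
    """List the summarized rules that PASSWORD breaks; an empty list means none.

    min_len is my assumption; the post itself gives no minimum length.
    """
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    # Digits/symbols glued to the ends do nothing to disguise the word inside.
    inner = password.strip(string.digits + string.punctuation)
    if inner.lower() in words:
        problems.append("dictionary word")
    elif inner.translate(LEET).lower() in words:
        problems.append("dictionary word disguised with $/!/3-style substitutions")
    if any(not c.isalpha() for c in password) and inner.isalpha():
        problems.append("digits/symbols only at the beginning or end")
    if password.lower() == password:
        problems.append("no capital letter")
    return problems


if __name__ == "__main__":
    for sample in ("password123", "P@ssw0rd", "pass1word", "dra9on-mOnkey", "Tqbfjotld"):
        print(f"{sample:14} {weaknesses(sample) or 'passes the rules'}")
    print("generated for a 16-char site rule:", generate_password(16))
```

Passwords built from the first letters of a sentence (rule 4) or two words joined by a symbol (rule 2) pass cleanly; a dictionary word with $ and 0 swapped in does not.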

Remember, too, that if you use a public PC, say at an Internet cafe in Paris, or at your local coffee shop, it could have a keystroke logger on it that will capture what you type even if you can’t see it (e.g. in a blanked-out password field). So if you are traveling and have to use one of these, consider generating a new password for your important sites, and changing it when you come home (or are at a secure machine).

So there you have it: password sanity!


The Columbia Journalism Review, January 2007 issue, contains a thoughtful and interesting piece discussing blogging in the Arab world. Now of course I’m including it here because it supports one of my beliefs: that Muslim societies actually have more diversity of opinion than the West commonly believes, and most of these diverse viewpoints are calling for more self-criticism and reform of the existing societal and (especially) governmental institutions, and that it is these tentative steps toward (a) freer expression of opinions, and (b) reform, that we should be supporting with all our national might. Some extracts:

. . . And though he probably would not have appreciated being deployed as a weapon in Israel’s public-relations war, the presence of his independent voice, a counterintuitive opinion not filtered through any official source, said a lot about the power of Middle Eastern Web logs to expose a hidden trove of multiple perspectives in a world that the West often imagines as having only one perspective — that of the “Arab Street,” a place of conformity, of mass acquiescence to singular passions, be they blind support for a dictator or seething hatred of Israel.

Last summer was, in fact, a watershed moment for the Middle Eastern blogosphere. The conflict between Israel and Hezbollah not only brought attention to the many different Arab conversations that had taken place on homemade Web sites in the past two or three years, but also launched thousands more of them. And they were more than just a handful of aberrant voices. They reflected a new culture of openness, dialogue, and questioning. And unlike the neoconservative notion that these ideals can be dropped on a foreign population like so many bomblets, the push for change here is coming from within. Whether it is a Jordanian student discussing the taboo subject of the monarchy’s viability or a Saudi woman writing about her sexual experiences or an Egyptian commenting with sadness at an Israeli blogger’s description of a suicide bombing, each of these unprecedented acts is one small move toward opening up these societies.

Why should we support this movement? Because this blogging represents the best hope we have to have a safety-valve that will prevent some of the most repressive regimes in the region (read: our friends, mostly) from erupting in an Iranian-style revolution — the kind of thing that will make our lives here very much more difficult. If we think that Iraq is a problem, wait until half of the whole Middle East is drowning in the same acid.

And they write not without risk:

In the American blogosphere, opinions and life tales blossom a millionfold every day. But against the background of a largely party-line mainstream local Arab media, and the absence of avenues for national conversation, these Arab bloggers, most of whom are anonymous for their own safety, commit small acts of bravery simply by speaking their minds.


To hear the bloggers themselves describe it, blogging has taken off in the Arab world because it presents an opportunity to reclaim individuality. In a region where leaders, be they Hassan Nasrallah or Ismail Haniya, claim to speak on behalf of all Arabs, a blog is a chance to contradict, to undermine, and to assert. “Every leader thinks they represent everyone in these countries,” says Abu Kais. “And I think that’s something we challenge every day in our blogs. We challenge what they say, and we always show the politicians as hypocrites, really. We have documented what has happened over the past two years and are able to contrast statements that show the level of the hypocrisy. That’s something you don’t always find in Lebanese media.”

So however tentative, however groping, however repressed, this unofficial opinion-sharing IS there and IS growing and IS worth reading. Try it, you will find it both disturbing and interesting.

And, as usual, I recommend you take a listen to a great American Shia Muslim podcast, Qunoot, to get a handle on diversity of Muslim opinion in the US.


Here’s a little amplification on the issue of the overwhelming deluge of spam that I posted on earlier. If you have any doubt at all about the dimension of the problem, read on.

The problem is not that somebody’s generating spam, but that they’ve installed an intrusive little program on a few thousand personal computers and linked these drones into a network of parallel spam-hoses. A recent article in the New York Times by John Markoff points out that the problem is numerically very serious and so far is truly defeating us:

Although there is a wide range of estimates of the overall infection rate, the scale and the power of the botnet programs have clearly become immense. David Dagon, a Georgia Institute of Technology researcher who is a co-founder of Damballa, a start-up company focusing on controlling botnets, said the consensus among scientists is that botnet programs are present on about 11 percent of the more than 650 million computers attached to the Internet.


According to the annual intelligence report of MessageLabs, a New York-based computer security firm, more than 80 percent of all spam now originates from botnets. Last month, for the first time ever, a single Internet service provider generated more than one billion spam e-mail messages in a 24-hour period, according to a ranking system maintained by Trend Micro, the computer security firm. That indicated that machines of the service providers’ customers had been woven into a giant network, with a single control point using them to pump out spam.

Another source in the article states that they believe there are an average of 250,000 new bot infections per day. Now granted, each day some of these are caught and disabled, so the net growth is not at that level. Even so, it’s a very serious issue. And while mostly these penetrated machines are used to generate spam, the same technologies that can insert the bot-control software into a machine can also harvest a very much more dangerous crop:

Last spring, a program was discovered at a foreign coast guard agency that systematically searched for documents that had shipping schedules, then forwarded them to an e-mail address in China, according to David Rand, chief technology officer of Trend Micro, a Tokyo-based computer security firm. He declined to identify the agency because it is a customer.

The implications of this are really grim. One of the problems here is the Average User, who’s being marketed to the hilt by Dell, Best Buy, CompUSA, Hewlett-Packard, and others, to buy these ever-so-cool-and-powerful new machines, with the inherent promise that anyone can use them with no technical expertise. Can they?

Well, the final illustration in Markoff’s article was a description of an Average User who had turned off all the security features of her Windows 98 machine because they made the machine “slow to a crawl.” She was fat and happy until the police showed up and confiscated her machine, which was part of a botnet ordering stuff with stolen cards.

So, probably they can’t. But surely they can be expected to do better than this.

I’m sorry I don’t have a simple answer to all this — in fact, I have no real answer at all for now. The best you can do is keep your anti-virus and firewall subscription current, and hope that we start catching up with the bad guys. Right now, we’re not.


Don’t know if I’m happy or sad about the following, from an AP article:

Foreign-born entrepreneurs were behind one in four U.S. technology startups over the past decade, according to a study to be published Thursday. A team of researchers at Duke University estimated that 25 percent of technology and engineering companies started from 1995 to 2005 had at least one senior executive — a founder, chief executive, president or chief technology officer — born outside the United States. Immigrant entrepreneurs’ companies employed 450,000 workers and generated $52 billion in sales in 2005, according to the survey.

Their contributions to corporate coffers, employment and U.S. competitiveness in the global technology sector offer a counterpoint to the recent political debate over immigration and the economy, which largely centers on unskilled, illegal workers in low-wage jobs.

“It’s one thing if your gardener gets deported,” said the project’s Delhi-born lead researcher, Vivek Wadhwa. “But if these entrepreneurs leave, we’re really denting our intellectual property creation.”

I’m a firm believer that immigrants (and they should be legal ones, but that’s another issue) bring to us much more than they “cost,” so I’m glad to see this kind of analysis, but the counter-thought is: where are our native-born innovators? Gates and others have lamented that there aren’t enough computer science graduates here to fulfill their needs, so they go get them offshore. This isn’t being driven by cheap wages, it’s a question of whether or not these companies will be able to get enough workers to function in the future.

Yet, I also hear that US citizens aren’t going into Computer Science and MIS programs because they are afraid there won’t be any jobs for them, they’ll all be in India or China. I can attest to that choice — I haven’t taught at the University of Minnesota for two years because there aren’t enough business / MIS graduate students — they’re all going into Finance programs instead.

I hope this isn’t happening because our kids have lost the willpower to take on a hard major or graduate program in Computer Science, or that they’ve become fat and complacent and unwilling to take risks and create innovation. I don’t know, I see a lot of young people with a pretty high sense of entitlement: why take technology risks, I can make more money just flipping around other people’s money!

The best analytical document I have found on the challenges of developing an effective immigration policy is here.


So many people blog around New Year’s about the past year, but I’m going to post about the future. This has its downsides, of course; you run the risk of being wrong on something. But I’ll take that risk just to keep things focused on things we still have the opportunity to change. After all, the past is beyond correction, with current technologies!

First a personal note, about looking into the future. Over the last 18 months or so, several of my friends and relatives have retired. Retired, and they all seemed to be glad to be punched out of the work world for good. Man, I am so not in that bunch. Now, I’m not a workaholic, believe me. But I can’t imagine a more exciting time to be doing systems work, what with the Internet, new generations of web capabilities, Linux and other open-source software, wireless expansion seemingly without limit, challenges to personal privacy, and the integration of media through podcasts, video blogs . . . to be a part of it, what more could you ask for, personally or professionally? I can’t imagine.

Well, anyway, here’s my take on a few interesting things that I think will turn the cranks in 2007.

What the railroads were in the 1800s, what highways were in the 1900s, our digital and often wireless backbone will continue to be for the 2000s: a powerfully transformative medium that completely shifts our assumptions and our habits. Look at ordinary people (not technicians) and you see an increasingly fluid pattern of digital engagement, e.g. wifi internet delivery, cellular talk and data, broadband Internet access nearly everywhere, GPS that pinpoints our location anywhere on earth, SMS (text messaging to phones), and the ability of these services to work together. Now we have web on cell phones, SMS to email and vice-versa, GPS-based mashups of all kinds of data against, say, Google Earth. The list goes on and in fact is continually expanding.

Alas, 2007 will probably mark the effective end of pagers, as everyone’s got a text-capable cell phone. Here are the numbers: 45,000,000 pagers in 1999, 8,200,000 in 2005, to 7,400,000 in 2006 (numbers thanks to the Times, here). Yes, there will be niche applications for them, but they will soon be like people who play vinyl records: possible, yes, but why bother?

A very interesting hardware dichotomy is brewing for 2007. On the one hand, we have moderately-priced PCs stuffed with multi-core processor chips, gigabytes of memory, half-terabyte disk drives, and graphics processor boards with the power of yesterday’s mainframes. These truly put the power of the data center of 15 years ago on your desktop. But at the same time, there’s a rapid expansion in the sales of USB memory devices (pseudo-drives) loaded with a complete operating environment including programs and your own data, and similarly we see the availability of network-based programs (e.g. from Google) and remote-server-hosted data stores. Both of these latter items mean that you are potentially liberated from carrying even a laptop — you can transform your friend’s computer, or the one at the coffee shop, into your own computer. So one development makes the computer into a monster processing and data engine, while the other two make the desktop irrelevant. Which approach will win out, or will they just be one more set of alternatives?

I almost hesitate to point this one out, seeing as Time has made “all of us” the Personage of the Year because of user-generated content, but trite as it may seem, it’s real. But what’s interesting is not all this “user-generated” content per se, but the impact it’s having on existing media. It’s less about users generating content than it is about the ongoing integration not only of the different media but within the existing media. For example, right now I can go to a radio website for the local oldies station, see what’s playing right now, listen in via a streaming feed, and email the DJ with a request. I can download TV shows to my PC or my iPod, answer web-only quizzes for prizes, etc.

Even more interesting, I remember when a newspaper sued somebody for framing the paper’s content on the other site. Now, the New York Times has on-page links to post their articles to NewsVine, Digg, and Facebook — they not only allow it but give you the tools to send their content elsewhere. Their content, but you decide what to forward and then, on those sites, people can have their say on how important it is — vote it onto the front page, if you will.


This is the not-so-fun part of the tech explosion into popular life, the sudden washboard-road that tells us that lots of people aren’t really ready for all this stuff. So here are the challenges, or in some cases, actual threats, and unfortunately most of them are self-inflicted.

The tsunami of spam is threatening to make email nonfunctional, or at least a closed system, and this is really sad. Not only costly and network-clogging, but just plain sad that we can’t just send an email to a college friend that we haven’t seen for years, without first making contact and getting on their whitelist so we get past their spam filters. None of the solutions are very good, although SPF and related technologies show some promise. Licensing email servers might help, but the privacy implications of that move are really scary.

Going hand in hand with the colossal irritation of spam is the threat of phishing and other email-based fraud attacks. It’s getting almost dangerous to link from an email to a corporate site, for fear that somebody’s hijacked their domain and their logo. It’s hard for me to deal with this stuff; it’s impossible for my neighbors and my parents. At what point does the whole environment become too fraud-ridden for the average person? I don’t know.

Our personal privacy remains under assault by fraudsters, corporations, and especially our own government. Some people would counsel that “we have no privacy, get used to it” but I don’t buy this at all. Lots of people with no business having it want it, and I don’t like it. And, mind you, I have nothing to hide. But that is irrelevant for every reason on earth. At least one solution is staring us in the face, and I recommend it highly: TrueCrypt, which can encrypt large disk areas, or entire disks, with government-level encryption. Get it, use it, it’s free. And to encrypt and use your personal passwords, don’t write them down, use Password Safe, an easy and convenient utility. No excuses here, folks.

I’ve blogged earlier on the threats to our tradition of Net Neutrality, and for the moment we seem safe from the plundering of Congress in this matter; nonetheless, the monetary stakes are so high that you can bet the cable companies et al. will be back to the trough again this year.

And finally, the folks who brought you the Federal response to Hurricane Katrina and who maintain the exciting security theater at your local airport are also in charge of securing our digital infrastructure from the bad guys in China, Pakistan, Somalia, or wherever. To date there is no evidence whatsoever that they have actually done anything about this, and given history to date I wouldn’t be very confident about it if they had. Now, some people I’ve raised this to maintain that all this should be secret and so on so the bad guys don’t know what we’ve done. Sorry, don’t buy that. This security should be like encryption: protected by a hidden thing (the key), not by the process, which should be open to critique and thus improvement.

Just remember, all this cool VOIP phoning that everybody (including businesses) is getting is running on rails that the Pakistanis have access to. Feel better?
