Archive for the ‘Infrastructure’ Category

In my previous post I lamented the increasing loss of our personal privacy and anonymity due to the efforts of both malignant marketers and our own government.  Now I’ll propose some solutions to get a handle on how much of your communications and Internet behavior you want to expose to these vermin.

Selecting the appropriate approach is a function of perceived costs, including the cost of failure, that is, a breach of anonymity or privacy.  The penalties differ: Google figuring out who you are may be an irritation, but the secret police discovering who you are may have desperate consequences.

We’ll be looking at three general options: encrypting the traffic between you and the server you are accessing, using a commercial anonymizing Virtual Private Network (VPN), and finally using an anonymizing network such as Tor.  These are in increasing order of complexity, but they provide increasing levels of security, too.  This post focuses on network security; there are other security-related things you can do right in your own PC, and I’ll deal with them in a later post.

1.  SSL between the User and the Server

This is the standard “HTTPS” technology that encrypts everything between your computer and the website or server.   SSL (its successor is formally called TLS, but everyone still says SSL) is what your bank uses, or Amazon, when you are doing financial transactions.  You are using it when the web address bar starts out “https://”. Once the session is set up (which is completely invisible to the user), the data moving between the two ends in either direction is encrypted with a cipher that is, for all practical purposes, unbreakable, so nobody on the path between you and the server can read it.  A hostile party can try to insert itself between you and the server (a “man in the middle”) and capture the data; the defense is the server’s certificate, which your browser checks against a trusted certificate authority, so never click through a certificate warning.  This is good technology, and the following options in this discussion all assume the user is using SSL to talk through the network.

Most of the big email providers such as Gmail, Yahoo Mail, or Hotmail use SSL in all their activity.  If you are not sure, you can always try typing the “https://www. . .” at the beginning of the URL and see if the site takes it.

But if SSL is all you are using, the data is hidden but the identities of you and the server are not; in fact, they are completely in the open, because the actual network addresses need to be unencrypted so the data can be routed.  By capturing the packets that carry the messages between the user and the server, an adversary cannot read the data, but their sources and destinations are clearly visible, and usually so is the server’s hostname, since your DNS lookup and the server-name field at the start of the SSL handshake are sent in the clear.  And of course a government (or an ISP operating under a court order) can simply prevent you from reaching some websites at all.

So in this case, the data is private but your identity is not.
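To make the point concrete, here is an added example of my own, not from the original post: it constructs a minimal TLS ClientHello carrying a Server Name Indication (SNI) extension, as a browser does when it opens an HTTPS connection, and then parses the hostname back out of it the way a passive observer on the path would. The hostname, the cipher-suite values and the sample application-data record are constructed for the example.

```python
import os
import struct

SNI_EXTENSION = 0x0000   # extension type "server_name"
HOST_NAME = 0            # NameType host_name inside the SNI list


def build_client_hello(hostname: str, cipher_suites=(0x1301, 0x1302, 0xC02F)) -> bytes:
    """Builds a minimal, structurally valid TLS ClientHello record carrying an
    SNI extension. Real browsers send many more extensions; the suite values
    here are arbitrary sample values."""
    name = hostname.encode("idna")
    server_name_list = bytes([HOST_NAME]) + struct.pack("!H", len(name)) + name
    sni_data = struct.pack("!H", len(server_name_list)) + server_name_list
    extensions = struct.pack("!HH", SNI_EXTENSION, len(sni_data)) + sni_data
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        b"\x03\x03"                                    # legacy_version (TLS 1.2)
        + os.urandom(32)                               # client random
        + b"\x00"                                      # empty session id
        + struct.pack("!H", len(suites)) + suites      # cipher suites
        + b"\x01\x00"                                  # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type handshake


def extract_sni(record: bytes):
    """What a passive observer does with the first packet of a TLS session: walk
    the unencrypted ClientHello and pull the hostname out of the SNI extension.
    Returns None for anything that is not a ClientHello with SNI, including the
    encrypted application-data records (type 0x17) that follow the handshake."""
    try:
        if record[0] != 0x16:                           # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                               # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                    # skip version and random
        pos += 1 + body[pos]                            # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
        pos += 1 + body[pos]                            # compression methods
        if pos + 2 > len(body):
            return None                                 # no extensions at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != SNI_EXTENSION:
                continue
            lpos = 2                                    # skip server_name_list length
            while lpos + 3 <= len(data):
                name_type = data[lpos]
                name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                lpos += 3
                if name_type == HOST_NAME:
                    return data[lpos:lpos + name_len].decode("idna")
                lpos += name_len
        return None
    except (IndexError, struct.error, UnicodeError):
        return None                                     # truncated or malformed: say nothing


if __name__ == "__main__":
    hello = build_client_hello("mail.example.com")      # constructed hostname
    print("observer sees hostname:", extract_sni(hello))
    app_data = b"\x17\x03\x03\x00\x05" + b"\x00" * 5    # constructed encrypted record
    print("observer sees in application data:", extract_sni(app_data))
```

Run it and the observer prints the hostname from the handshake but nothing from the application-data record, which is the encrypted part. Everything past the handshake is opaque to the observer, but the handshake itself tells them which site you asked for.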

2.  An anonymizing Virtual Private Network (VPN)

Several services market themselves to users wishing to anonymize their Internet access.  You pay a subscription fee, which allows you to connect over an encrypted tunnel to the VPN company’s servers, of which there may be several in various locations around the world.  Your traffic then leaves the VPN server carrying that server’s IP address, and the provider forwards it to the destination website.  So the destination website in effect thinks that you are located at the VPN’s server, instead of where you actually are.  To use a VPN you have to install a piece of software on your machine that supports your end of the tunnel.

Once the tunnel to the VPN is set up, the conversations with the real destination websites may be encrypted as an additional SSL layer, or they may be unencrypted, in the clear.  In either case, an adversary who can see the user’s packets can see that they are talking to one of the VPN’s public IP addresses, but cannot decrypt the contents and so cannot see what the ultimate destination is.  This is the situation if, say, the user’s ISP has been compromised or ordered to hand the user’s packets to someone for analysis.

At the destination web server, they know that the user’s traffic is coming from one of the VPN’s public exit addresses, but they do not know where or who the originating user is (unless, of course, the user has logged in with a real identity, in which case the server knows exactly who you are whether or not it has been compromised).  So, in the main, privacy and anonymity have been preserved.  There are threats to this where a sufficiently powerful adversary (e.g. a government) is involved, see below.

The very weak link in this approach, though, is the VPN provider itself.  It sees every destination you visit, and if your conversation with the destination is not itself protected by SSL it sees the contents too.  If the provider keeps records of which user IPs were mapped to which exit-node IPs, and when, the link between user and server is suddenly available to subpoena or to malicious recording.  Even if the provider vows to keep no persistent records, a hacker could penetrate its systems and record this data anyway, or the provider could err in erasing the active-session data and it could suddenly become available.

This is a lot of protection compared to plain SSL, and it hides your data from anyone between you and the VPN server even if the site you are talking to is not encrypted (the provider itself, and anyone past its exit, can still see it).  You are also somewhat further obfuscated because the provider has a large pool of outbound IP addresses, so marketing schemes that capture your IP address as a way of identifying you will be at least partially foiled: you will likely have a new address every time you show up.  And because it is a single hop (you, through the tunnel, to the provider, to the destination) it is quite fast.

A good example of this is ProXPN (this is not an ad, they don’t know me from Adam). There are other good solutions, but this one has the imprimatur of security fussbudget Steve Gibson, for what that’s worth.

3.  A multi-stage anonymizing network, such as Tor

Now we start to get serious. Onion routing was invented at the US Naval Research Laboratory in the mid-1990s. The goal was a technology that would let government users visit whatever websites they wanted to without the access ever being traced back to the government.  Tor (The Onion Router) is the public, open-source implementation of that idea, maintained by a non-profit and still substantially funded by the US government. It’s called “onion routing” because it uses multiple layers of encryption and routing (like the layers of an onion) to obscure who is talking to whom. And the cool part is it’s free (your tax dollars at work). Right now Tor is extensively used by dissidents and journalists in the Middle East, China, and southeast Asia, as well as more mundane commercial users.

Tor operates a little like the VPN at the start: the Tor client on the user’s machine connects over an encrypted link to a Tor entry (“guard”) relay.  But instead of handing the packets to the destination right away, the client has first negotiated a separate key with each of three relays (guard, middle and exit) and wraps the user’s data in three layers of encryption, one per relay.  The guard peels off the outer layer, which tells it only which middle relay to forward to; the middle relay peels off the next layer, which names the exit; and the exit removes the last layer and sends the user’s traffic on to its destination.  The client picks these circuits from the thousands of volunteer relays and changes them periodically, so an adversary has a very hard time following them.  By design each relay knows only the previous hop and the next hop in the chain, never the whole path, so the compromise of one relay does not compromise the circuit; and because each layer is encrypted under a different key, no single relay can read what is inside the layers meant for the others.

Like the VPN service solution, your anonymity and privacy are protected, but because of the multiple layers of encryption and the lack of any centralized provider (the relays are run independently of each other and none of them knows the whole route to and from the user) there is no single party who can be served with a court order for the mapping between you and your destination.  Two caveats, though.  The exit relay sees your traffic as it leaves the network, so anything not protected by SSL is readable there, and a malicious exit can tamper with it; keep using HTTPS inside Tor.  And an adversary able to watch both ends of a circuit, such as a government tapping large parts of the network, can try to match up timing and volume; Tor is not designed to defeat that kind of global observer.
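The layering described above, as an added example (mine, not Tor’s code or anything from the original post): a client wraps a request in three layers, one per relay, and each relay strips exactly one. It assumes the per-hop keys are already shared (real Tor negotiates them with Diffie-Hellman as the circuit is built) and uses a toy HMAC-based stream cipher as a stand-in for the AES counter mode Tor actually uses, without the integrity checks real relay cells carry. The relay names and the client and destination addresses are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

HOP_LEN = 32  # fixed-width "next hop" field at the front of every layer


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with an HMAC-SHA256 counter-mode keystream.
    A stand-in for the AES-CTR Tor really uses; illustrative only."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap(key: bytes, next_hop: str, payload: bytes) -> bytes:
    """Adds one onion layer: encrypts (next_hop || payload) under `key`."""
    header = next_hop.encode().ljust(HOP_LEN, b"\0")
    nonce = os.urandom(16)
    return nonce + keystream_xor(key, nonce, header + payload)


def unwrap(key: bytes, cell: bytes):
    """Removes one layer; returns (next_hop, inner payload). With the wrong key
    the result is noise, which is all a relay learns about the inner layers."""
    nonce, body = cell[:16], cell[16:]
    plain = keystream_xor(key, nonce, body)
    next_hop = plain[:HOP_LEN].rstrip(b"\0").decode(errors="replace")
    return next_hop, plain[HOP_LEN:]


@dataclass
class Relay:
    name: str
    key: bytes = field(default_factory=lambda: os.urandom(32))   # assumed pre-shared with the client
    seen: list = field(default_factory=list)                       # (previous hop, next hop) it observed

    def forward(self, prev_hop: str, cell: bytes):
        next_hop, inner = unwrap(self.key, cell)
        self.seen.append((prev_hop, next_hop))
        return next_hop, inner


def build_onion(circuit, destination: str, request: bytes) -> bytes:
    """Client side. The innermost layer is the exit's and names the real
    destination; every earlier layer names only the following relay."""
    cell = wrap(circuit[-1].key, destination, request)
    for i in range(len(circuit) - 2, -1, -1):
        cell = wrap(circuit[i].key, circuit[i + 1].name, cell)
    return cell


def send_through(circuit, client: str, destination: str, request: bytes):
    """Walks the cell through the circuit; returns what the exit emits and to whom."""
    cell = build_onion(circuit, destination, request)
    prev = client
    for relay in circuit:
        next_hop, cell = relay.forward(prev, cell)
        prev = relay.name
    return next_hop, cell


if __name__ == "__main__":
    circuit = [Relay("guard"), Relay("middle"), Relay("exit")]        # constructed relays
    dest, plain = send_through(circuit, "198.51.100.7", "www.example.org:80", b"GET / HTTP/1.1\r\n")
    for relay in circuit:
        print(relay.name, "saw", relay.seen)
    print("exit sends", plain, "to", dest)
```

Run it and each relay reports only the hop before it and the hop after it: the guard sees the client but not the destination, the exit sees the destination and the plaintext request but not the client, and the middle relay sees neither. That is also the point of the exit caveat above: whatever leaves the exit is exactly what the client put inside the innermost layer.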

Tor does not use a VPN tunnel; the Tor client runs on your machine as a local proxy that your applications are pointed at, and the Tor Browser Bundle packages it with a customized version of Firefox that does not keep cookies or history between sessions.  Their website offers you the complete bundle; you just install it and you are on.

So there you have it: three network-based privacy solutions that will cause even the NSA some headaches.  Browse in peace!


I am hoping that now that we have brought about an abrupt end to Osama bin Laden’s involvement in the International Terror franchise, that cooler heads might prevail in fashioning our response to the actually-continuing threats from various domestic and international nut-cases.  I’m not optimistic.

Look, here’s the crux of it.  In the decade since 9/11/2001, we have spent roughly a trillion dollars on counter-terrorism activities.  A trillion dollars.  This is in response to Osama’s maniacs who killed just over 2,800 people on 9/11.  Of course, that’s awful, and a tragedy.  But at the same time, right around 3,000 people will be killed this month in traffic accidents, and another 3,000 will be killed next month, and the month after that.  We take reasonable precautions against being involved in traffic accidents, but it seems that the same standard of reasonableness is not applied to our (national) precautions against being the victim of a terrorist event.  Virtually all of this trillion-dollar expenditure has been made without any kind of cost-benefit or effectiveness analysis that would demonstrate that these were dollars well spent, or that they have made us safer.

(Incidentally, in researching this subject, I asked a number of people how many were killed in the 9/11 attacks.  The numbers I got ranged from 5,000 to 25,000, with most clustering around 15,000, or over 5 times the number who actually died.  So as a society we’ve already inflated the damage, and therefore the threat, quite a bit.)

Lots of the people involved with all this spending then say, “we know things you don’t, it’s all very secret, you just have to take our word for it that what we’re doing is right.”  Well, you know, after the firehose of government lying and exaggeration that went into the run-up to the Iraq invasion, I really don’t believe you.  And if the Transportation Security Administration is an example of the quality of your work, I want an immediate audit.

Just in case you’re in danger of falling asleep reading this, here’s the news, in condensed format:

  • Our responses to the threats of terrorist attacks on our country (both cyber-threats and regular ordinary terrorist threats) are grossly out of proportion to the actuarial likelihood of either the attack, or the economic or human losses from them;
  • Many of the things we do to protect ourselves are ineffective, costly, sometimes make us in fact less secure, and in the bargain threaten our civil liberties and the foundation of the Internet;
  • This does not mean that there are no threats to us, of course there are, and we need to prepare to face them;
  • But what we need is a measured, focused, risk-driven approach that scales our preventative measures to the realistic dimensions of the threats we face, not an overblown, spend-anything, corporate-greed-driven, go-nuts program.
  • Unfortunately, this is what we have going right now.

I’m a cyber kind of guy, and I spend a fair amount of time dealing with cyber-threats for my employer, so I’m going to focus this post on cyber-security; but basically the same criticisms hold for terrorist threats against physical targets, too.

Currently the American public is being force-fed a relentless barrage of nonsense in the press, and even in the halls of Congress.  This line of thinking holds that we are, as a nation, exposed to horrific attacks against our infrastructure by stateless jihadis or hostile governments via the Internet, that we are defenseless against these attacks, that our way of life will vanish, that millions will be killed or starve, and so on.

The best (or worst) example of this is the book Cyber War: The Next Threat to National Security and What to Do About It, by Richard A. Clarke (a former cyber-security adviser to the White House) and Robert K. Knake of the Council on Foreign Relations (2010).  This book serves up 300 pages of the most apocalyptic descriptions of cyber-catastrophe, including chemical plants and refineries exploding and spewing toxins, nationwide power failures, trains sent off the tracks, airliners colliding, networks rendered mute, food shortages, hospitals thrown into chaos, and societal breakdown with widespread looting and rioting.  All this, ” . . . without a single terrorist or soldier appearing in the country.”

Unfortunately, they never offer the slightest shred of evidence that such an attack has ever been tried, or is even technologically feasible, and as such the book is more a work of speculative fiction than a sober report on the state of our cyber-defenses, whatever they are.  That is typical of this whole discussion: it is driven by point-blank assertions, with no evidence to back them up.  Even when they, or others, allege that such attacks have indeed already taken place, they provide no specifics about the method or the actual losses we have sustained.

In Congress, we have had hearings and public pronouncements by all manner of worthies.  For just one example (I do give examples!) Senator Jay Rockefeller on 3/19/2009 made the following blanket statement:

It would be very easy to make train switches so that two trains collide, affect or disrupt water and electricity, or release water from dams, where the computers are involved.  How our money moves, they could stop that.  Any part of the country, all of the country, is vulnerable. How the Internet and telephone systems work, attackers could handle that rather easily.

If you take this at face value, it does seem pretty scary.  But believe me, as one whose whole career has been in software development and system implementation, just asserting that something is possible is a very long way from actually being able to do it.  Mostly, in all the Congressional hearings, and in Clarke and Knake, all we get is this kind of talk, with no empirical evidence of how these attacks would actually work.  And unfortunately, all this loose talk is treated as the foundation for hundreds of billions of dollars of public expenditures, and this is nuts.

I won’t bore you with further examples of this breathless hyperbole, the references at the end of this post contain many more, if you need further proof.

Why is it we in the public seem to be falling for such histrionics?  I think there are a couple of things at work here.  First, individual people, and people they know, feel vandalized by spam, identity theft, and Facebook account-hijacking by password theft or guessing.  They hear about the theft of corporate and governmental databases, which seem to continue unabated.  They don’t understand how to protect themselves, so they fear the worst, and extend that fear to the country and to the rest of the government.

Another thing at work here is a long-standing generalized fear of technology “moving too fast for us,” a fear that has reared its head in many guises during the last 150-200 years (in other words, since the invention of modern technology):

  • Frankenstein came out about the time when electricity was being explored and tamed, and explored the whole concept that somehow we might be able to create and animate soul-less beings through this mysterious power;
  • In the book Victorian Internet, there is a whole section devoted to the social and personal stresses brought about by the invention of the telegraph, and these stresses were not inconsiderable;
  • The early years of the 20th Century spawned lurid tales of “wire devils,” crooks and confidence men who people felt would exploit and victimize them via the telegraph, because they could not see who they were dealing with face to face;
  • After World War II there were large numbers of movies that featured Godzilla or other prehistoric monsters awakened from their unknown lairs by the explosions of atomic bombs, to come ashore and lay waste to humanity, in retribution, I guess, for being bothered.

So, we have a long history of fearing the impacts of technologies we don’t understand and attributing vastly unrealistic powers to them.  This is going on right now, re: the Internet and foreign hackers, in spades.  But as stated in Brito and Watkins (reference below):

Fear is not a basis for policymaking.

And yet, fear appears to be our driving stimulus in this situation.  That is not a good sign.


We have heard a lot lately about how much of the anti-dictatorship uprisings in the Middle East have been mediated by technology, including cell phones and social media such as Twitter and Facebook.  “Freedom of the Press” no longer means just the right to print and distribute newspapers, but to have digital freedom of access to internal and external news sources, free from governmental censorship or retaliation.  Oppressive regimes certainly have noticed this fact, witness the Egyptian government’s attempt to cut Egypt off from the Internet during their recent rebellion.

But using the Internet safely from inside a repressive regime is not necessarily an easy thing to do.  Likely, you would not use your own identity on your posts or in your emails, and even going to certain websites can either be blocked or at least noted for later retaliation.  How would someone go about this, then?  The answer is that there are organizations that provide anonymous proxy services that allow access through sites that are not blocked (yet!) by national firewalls (as in: China, among others).

I point out to you an organization that is working not just to advocate Internet freedom, but providing resources and information to help those trapped within these countries to use the Internet to forward their causes.  Take a look at Access, which describes themselves as:

. . . a global movement premised on the belief that political participation and the realization of human rights in the 21st century is increasingly dependent on access to the internet and other forms of technology. Founded in the wake of the 2009 Iranian post-election crackdown, Access teams with digital activists and civil society groups internationally to build their technical capacity and to help them advocate globally for their digital rights.

If you are proud to think that the technologies we use every day are playing a part overthrowing dictators and oppressive regimes, you might consider participating in or donating to Access or to a similar organization — put your money where your heart is.  Or consider participating in one of their proxy-anonymizer projects.  But get involved — make it happen.

And, if you’re interested in their how-to suggestions on preserving privacy in a repressive country, take a look at this.  Actually, these aren’t bad instructions for US, if you really want to be anonymous in the digital world — you can use these same techniques yourself here at home.


Regardless of which side of the aisle you sit on, the Republican sweep of the 2010 elections is going to presage some fundamental changes in the tech / science landscape, at least based on what the incoming set of pols say they are going to do.  Time now to take a look at some of these likely results, and of course decide if we like them or not.  One thing for sure, the Democrats have been very timid in advancing their causes during the last two years, and it’s equally sure the incoming Republicans probably will not be.  Whether or not they actually have a “mandate” from the voters to actually implement all these positions is not at all clear, but one can assume they’re going to try.

The background for this analysis is straightforward: broadly speaking, the incoming conservative Republicans are very strongly pro-big-business, believe that climate change is a hoax, and believe that Islam is a special global threat that requires extraordinary measures to combat it.  They also see government and its regulations and laws as the chief impediment to the national improvement.  And finally, they have a strong fundamentalist-Protestant ethos that is the most basic foundation of their worldview, and for many this ethos is hostile to science.

So, where does this leave us?  Like it or not, here’s what appears to be coming.

Dramatically less research funding, especially in areas not producing technologies leading directly to marketable products.  This article in the Times says it all: National Institutes of Health might drop by 9%, National Science Foundation, -19%, and NOAA,  -34%.  This is in contrast to the Obama administration’s projected reduction of about 5% overall in research funding for the next fiscal year.  One might ask why NSF and NOAA are taking such a hit, and the answer is what appears to be the Republican antipathy toward the whole concept of climate change, see below.  They don’t believe it, and they aren’t going to fund it.  Certainly our current economic situation requires belt-tightening, no question.  But these agencies take the brunt of political punishment for their positions: NIH refuses to promulgate the idea that abortion causes breast cancer and rampant depression, NSF keeps acting as if biological evolution were actually true, and NOAA — well, read on.  Opposing these agencies speaks right into the heart of the Republican / Tea-Party conservative core.  Nobody campaigned saying “we’ll cut emissions and promote greener living,” they campaigned on “drill, baby, drill.”  And obviously, that’s what the electorate wanted to hear.

There will likely be a concerted attack, and that’s not too strong a word for it, on the idea of doing anything about global warming / climate change.  For whatever reason, the Republican Party has embraced the position that climate change is a scientific hoax, or anyway, if it’s real, it really doesn’t matter.  Part of this is their pro-business slant, and anything that impacts quarterly profits is anathema.  Several incoming Congressmen have stated that they will hold hearings for the purpose of “putting the lie to all this global warming scare talk.”  Rick Perry, the newly re-elected Governor of Texas, intends to stop the EPA from regulating greenhouse gases in Texas and has filed seven lawsuits against the government to prove it, see here.

This position is partly based on the fact that curbing greenhouse gases and addressing climate change will require concerted Federal action, and the Tea-Party view is that this must therefore just be a big liberal power grab.  Others, and some of these I have personally talked to, take a very Christian-fundamentalist view that “the Earth was put here for our use” and it would be an affront to God if we fail to fully exploit it, and anyway the Rapture is coming very soon so it won’t matter if the Earth is left a gutted hulk because God is going to destroy the universe anyway.  And soon.

So given these, we can expect very little if any Congressional support for any green technology investment or research.

Net Neutrality will be threatened and probably eroded.  The Obama administration has taken a strong stand for “net neutrality,” the concept that Internet Service Providers (ISPs) must provide non-preferential routing to all Internet traffic.  In the US, there is an effective oligopoly on Internet service, unlike Europe where it is a competitive free-for-all and hence service is much better (in other words, faster) and the costs are lower.  The big ISPs are determined to not let all this competition happen here, and they intend to leverage their oligopoly position to create a set of tiered services where those content providers who can’t pay the extra tariff will be relegated to second-class service.  Since this is good for the providers’ business, the Republicans are going to fight any net neutrality regulations under the banner of “get the Federal government out of our private lives,” and of course, protect their oligopolistic profits.

Also, and especially in the Internet environment, there will be attempts to enact more intrusive laws that will reduce Internet anonymity and personal privacy.  The Obama administration has not been a shining light here either, having asked for legislation to require eavesdropping “backdoors” in telecommunication networks and hinting that data encryption might somehow be restricted.  But the more militant parts of the Republican / Tea Party, for all their table-pounding on personal and states’ rights, and freedom, and the Constitution, are considerably worked up about what they see as ubiquitous Muslim terrorists, and believe that if they can only curtail some of our freedoms and privacy they will be able to eliminate terrorism or terroristic threats.

How much of this can the new Republican majority enact in two years?  Probably not all that much but they can stall, de-fund, and in general make a mess of things.  And to date the Obama administration has not been an effective counterpoint to them.  My only editorial comment on all this: it’s not pretty if you think that science and technology investments are critically important to our economic and political future, that science should not be trumped by politics and religion, and that personal freedom and privacy are what after all we stand for in the world.


A few dismal statistics on the prevalence of dangerous email, from a post here in a security blog SearchSecurity, quoting a study by MessageLabs, a security software firm:

  • Based on their samples, MessageLabs believes that 90% of all emails globally are spam;
  • 1 in 200 emails contain a phishing attack;
  • 68% of all malicious emails they intercepted were phishing attacks.

As a personal note, I think they’re understating the proportion of spam — my own sample here at the office is that only 3% of our incoming email traffic was valid email, based on a study I did in mid-October.

So as usual, the bad guys are keeping one step ahead by devising new forms of attack when the old ones become less effective; nothing new there, online or offline. But phishing attacks are particularly worrisome because they aren’t as readily filtered out as other forms of spam that are just selling some kind of hokum. Phishing attacks work by getting the victim to disgorge their account numbers and passwords, which are then used to vacuum out bank accounts, open illegitimate credit cards, and all the rest of it.

A good proportion of the rest of all this spam is devoted to getting the victim to allow the spammer to download to the victim’s machine some hostile software, including keystroke loggers and the control software that will turn the victim’s machine into a spam-relaying robot.

And all it takes is one mistake, one visit to an apparently innocent but actually hostile website, and you’re nailed, and if the infection is a rootkit it’s likely that you won’t be able to either find it or fix it without a complete software rebuild on the machine.

Here is an excellent non-technical overview of one of the world’s largest phishing organizations, from the Seattle Times. It’s more than scary.

Now I’m not an alarmist, but at what point does the Internet become just too dangerous to be worth the trouble? Back about 15 years ago I used to go out to some of the Compuserve newsgroups pretty regularly for technical subjects, but gradually they became so filled up with spam messages that perhaps one in 50 was a valid message, the rest were all machine-generated junk. At that point, I just quit going there. At what point will the broader public come to the same conclusion, and become afraid to use the Internet?


As if we don’t have enough spam, viruses, phishing attacks, and other forms of network-mediated malware assailing us, now we have Storm. Storm is a kind of compound malware, not so clever in and of itself, since it infects like so much other malware, via a user getting suckered into clicking a link. What is especially insidious about it is that it enslaves vulnerable machines, like a regular bot does, but then rather than going on the attack, it tends to lie there for a time, waiting for instructions. And the instructions come not from a central command center, but over a distributed command-and-control (C2) pathway from a smaller group of command systems. In effect, the bot-herder can jack into the botnet at many points and from anywhere, making it exceptionally difficult to intercept and contain. The bot software is also reputed to self-modify when installed, so that it can further hide itself from anti-virus cleaners.

Probably the best and readable technical overview of the Storm worm is here in Bruce Schneier’s blog.

Several pundits are predicting nothing short of the end of the world over this thing, and I grant that it’s going to be a bear to deal with, but I’m quite confident that it will be dealt with successfully. OK, so the Storm developers are very clever, but the good guys aren’t dunces, either. No, it’s much more likely to become part of the Internet background noise, just more gunk we have to filter out.

I mean, right now in my current work environment, only 3% – 5% of the emails we get in a given day are actual valid communications to someone here, the rest are spam or worse (this is by my actual count). We just filter them out, some get through, we individually delete them, and we go back to work. It’s a large problem, but it’s more of a nuisance than a threat to the business. And we all just keep emailing.

Of course, it might be placed in the hands of any of the various political terrorists around the world who are continually assailing us; they have very little to lose if the Internet itself is rendered unusable. This I do worry about, but it still seems unlikely.

The more important issues revolve around what we might have to do to harden our defenses, and what this will lead to in terms of a “revised” Internet. We currently enjoy the Internet as an extremely free and borderless ecosystem, where data races back and forth with few restrictions, and people dream up and implement new services — and new kinds of services — that no one could have dreamed of a few years ago. Harden all this down too much, and suddenly everything turns into molasses. Not good!

So suppose something very bad happens. Will we have to license servers or individual PCs? Will there be qualifications to connect to the Internet? Will sysadmins need to be licensed? What about our ability to publish or participate in discussions anonymously?

I’ll address these and other related issues in a future post. But I encourage you to think about it now, because if the Internet takes a big hit from criminal or terrorist elements, the legislature won’t be far behind, and we all know what kind of technicians the lawyers are.


Yet another indication of the general lack of capability of the Department of Homeland Security surfaced this week, when the recipient of a relatively routine DHS counter-terrorism email newsletter attempted to have his delivery email address changed. His request, which he apparently thought was going to the mailing list administrator, in fact executed a “reply all” and shot off the request to all 7,500 subscribers. The humor of his simple request blasting the whole list resulted in an increasing number of recipients joining in with various sage and less than sage comments, and the initial wave of activity resulted in over 2.2 million emails being generated during the day.

Now so far, this is just a lighthearted little bungle; it does happen inside businesses or agencies, with no particular harm done except to the administrators of the email system. Once when I was at US Bank, some hapless low-level employee in the Proof and Transit department managed to “reply all” to a monthly-fluff-from-the-president email, thinking he was asking his supervisor if the vacation schedule was done yet. So everybody got this email too, and some of the recipients’ “I’m not here” notifications went to the whole “reply all” list, as did 200 or 300 emails back to him telling him what he had done; all of these copied everybody and ricocheted around the bank until by 11 AM the whole system croaked with overload.

So, as it turns out, it is possible to set a mailing list up so this does not happen: replies are directed to the administrator rather than to the list, and only the administrator is allowed to post to it; many mail systems can also flag individual messages as non-forwardable and/or non-replyable. That was new stuff about 5 or 6 years ago. And it was internal email in a bank.

But this is the organization in charge of protecting our critical infrastructure and us from terrorists! And, it’s 5 or 6 years later! The Times’ article points out,

The accident raised questions among cybersecurity experts about how well prepared the Homeland Security Department is to defend against a cyberattack because it had trouble dealing with this computer problem.

“It is a very simple fix,” said Marcus H. Sachs, a volunteer computer security expert at the SANS Internet Storm Center. “Do they not have anybody there that understands how to fix it?”

Actually, the worse problem is, don’t they have anybody who knows how to set it up in the first place? After all, this is not something that’s never happened before. Now they may argue, we’re so busy on the really big stuff, like setting standards for shampoo bottles when you fly, that we didn’t have time to do this right. To anyone who makes that argument with a straight face, I direct you to the parable of the talents in the Bible (Matthew 25:14 – 30). In the end, the master said, “Well done, good and faithful servant! You have been faithful with a few things; I will put you in charge of many things.”

I’d like to see DHS, and especially its cyber-security unit, do some small things right, so we would have a better feeling about their being able to do complex and critical things right, and right the first time.
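For what “setting it up in the first place” looks like, here is an added example (mine, not DHS’s configuration or anything from the original post) of the two standard controls on an announcement-only list: outgoing messages carry a Reply-To pointing at the administrator and the RFC 2369 List-Post: NO header, and the list server refuses to fan out anything not sent by the owner. Addresses and the subscriber roster are constructed; the delivery step is a simulation of what a list server does, not a real mail transfer agent.

```python
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

# Addresses and subscriber names are constructed for this example.
LIST_ADDRESS = "alerts@lists.example.gov"
LIST_OWNER = "alerts-owner@lists.example.gov"


def build_announcement(subject: str, body: str) -> EmailMessage:
    """An announcement-only list message. The headers steer mail clients away
    from answering the whole list; that is the first line of defence."""
    msg = EmailMessage()
    msg["From"] = LIST_OWNER
    msg["To"] = LIST_ADDRESS
    msg["Subject"] = subject
    msg["Reply-To"] = LIST_OWNER       # plain "reply" reaches the administrator only
    msg["List-Post"] = "NO"            # RFC 2369: this list does not accept posts
    msg["Precedence"] = "list"         # well-behaved auto-responders keep quiet
    msg.set_content(body)
    return msg


def reply_all(original: EmailMessage, replier: str, text: str) -> EmailMessage:
    """What a mail client does on 'reply all': answer Reply-To (or From) and copy
    everyone in To/Cc. The list address is still among the recipients, so the
    headers alone do not stop a storm; the server-side policy in deliver() does."""
    reply = EmailMessage()
    reply["From"] = replier
    reply["To"] = str(original.get("Reply-To") or original.get("From"))
    others = [addr for _, addr in getaddresses(original.get_all("To", []) + original.get_all("Cc", []))
              if addr.lower() != replier.lower()]
    if others:
        reply["Cc"] = ", ".join(others)
    reply["Subject"] = "Re: " + str(original.get("Subject", ""))
    reply.set_content(text)
    return reply


def deliver(msg: EmailMessage, subscribers, restricted: bool) -> set:
    """Simulated delivery. Mail to the list address fans out to every subscriber
    only if the posting policy admits the sender (restricted=True: owner only);
    mail to any other address is delivered directly."""
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    recipients = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    reached = set()
    for addr in recipients:
        if addr == LIST_ADDRESS:
            if not restricted or sender == LIST_OWNER:
                reached.update(s.lower() for s in subscribers)
        else:
            reached.add(addr)
    return reached


def storm_size(subscribers, restricted: bool) -> int:
    """How many mailboxes one subscriber's reply-all to an announcement reaches."""
    announcement = build_announcement("Daily infrastructure report", "Nothing to report today.")
    reply = reply_all(announcement, subscribers[0], "Please change my delivery address.")
    return len(deliver(reply, subscribers, restricted))


if __name__ == "__main__":
    subs = [f"subscriber{i}@example.org" for i in range(7500)]   # constructed roster
    print("open list, one reply-all reaches:", storm_size(subs, restricted=False))
    print("owner-only list, one reply-all reaches:", storm_size(subs, restricted=True))
```

The headers alone do not stop a reply-all, because the list address is still copied from the original To line; it is the server-side posting restriction that turns a 7,500-mailbox storm into a single message to the administrator.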
