Monday, December 8, 2008

Ecto Sucks. A rant.

When I first bought my Mac I was looking for some blogging tools.  I read great things about the Ecto tool and how it plugged right into Mac OS X and had all sorts of nifty hooks.  It has all those things but it lacks one critical feature: the ability to provide reliable and expected rich text formatting. 

Every time I make a double space in a post, Ecto seems to think that I mean quadruple space. After some poking around on the forums, I have concluded that I am not the only one with these problems and that the Ecto support team does not seem very concerned with fixing the problem. 

Screw Ecto. I'm going back to ScribeFire. ScribeFire does everything Ecto does and does it reliably. I wish I had my $20 back.

Come See My Photos at the CNote Art Show

I've had five photos accepted to the CNote Art Show. The CNote Art Show is a showcase of independent artists in the Columbus, OH area. All works at the show are for sale at a price of just $100, hence the CNote Art Show. All proceeds go directly to the artists. There are currently over 300 artists showing their work and over 1000 pieces of work on display and for sale. The work runs the gamut of style and media.


The show takes place on December 12 and 13, 2008 at Junctionview Studios. You can get directions here: Map. Private showings are available by appointment. Please contact Junctionview Studios at 614.634.1415 or email them to set up an appointment.




Wednesday, October 22, 2008

Giant spider eating a bird caught on camera



I found this over on FriendFeed. I hate spiders and this creeps me the F#%k out.


According to the Telegraph, the spider in question is a Golden Orb Weaver and the unfortunate bird is a Chestnut-breasted Mannikin.


I lack words to describe how disturbing this is. Maybe you have some. Leave them in the comments.



Tuesday, July 29, 2008

Some Thoughts on the San Francisco Network Admin

I was going to ignore this, but I can't do it any longer. The short story is that a network administrator for the city of San Francisco changed the primary administrative password that controlled access to its fiber optic routing infrastructure. He didn't share the password with anyone else and refused to share it until recently.

Many people are approaching this incident from an information security perspective. This guy had the only administrative password to the fiber network, how could this not be a security issue? I'll agree that the symptoms of the problem fall into the information and network security realm. However, the root cause is something different.

The root cause is a human resources issue, specifically a first line supervisor issue. The accounts that I have read of this issue indicate that Terry Childs, the administrator in question, had been unhappy with his salary. I further understand that his management team knew that he was unhappy with it for some time.

As a manager, you need to have some insight into your team members. I can tell when the guys on my team are stressed out, tired, or distracted. I'm sure that Terry demonstrated similar behavior and I'm sure that his supervisor noticed it. As soon as the supervisor noticed the disgruntled behavior, he or she should have started taking some type of remedial action. If discussing the situation did not improve it and his behavior started to call his trustworthiness into question, he should have been removed from his position immediately.

By definition, system administrators are highly trusted individuals. They hold the keys to your electronic kingdom. The absolute instant you don't believe you can trust them, you need to get rid of them. I think that is the root cause of San Francisco's problem here. The HR management system did not work effectively.

Think I'm full of it? Let me know in the Comments.



Saturday, July 19, 2008

Amos Lee is Amazing

I was listening to NPR's Weekend Edition this morning and they had Amos Lee in the studio. This guy has an amazing voice. His live performance was powerful and authentic. The sound is a little bluesy and a little folksy, but generally kicks ass. If you can only listen to one track, I highly recommend Street Corner Preacher.

Friday, July 11, 2008

An Observation on the Recent iPocalypse

Below is a comment I left over at scobeliezer.com.




Pardon my cynicism, but I have to ask this question.

Could Apple have planned the iPocalypse on purpose?

I ask because Apple is full of smart people. They have to be or they would not have produced the consistently top rate products, marketing, and brand management we have observed to this point. Could this same organization really not foresee the capacity issues they might face during the release of iPhone 2.0?

Just count the number of iPhones you shipped to vendors and multiply by the resources required during the average activation process. That's the amount of resources you need. Plus 20%. This is simple planning. What happened to Apple's calculations?

That raises the question: Could this just be a deft marketing move on Apple's part?

Actually, what does Apple have to lose through such a marketing plan? They are essentially inconveniencing the hard core Mac Addicts that will buy Apple products regardless of the circumstance. These folks are in Apple's pocket and will take a little abuse for the privilege of being one of the first with the newest shiny Apple toy. (I mean that in the least offensive way possible.) Apple probably isn't risking the population of users that are considering a switch, which means more profits for Apple.

So now Apple has traded a little political capital with its hard core fans for the chance to say that iPhone 2.0 was so popular it crashed the iPhone activation infrastructure. That is actually a pretty powerful statement of popularity. Why not spend the political capital with its hard core users?

Now for the disclaimers. I'm a recent Mac convert and love my MBP. I'm currently strategizing a pitch to justify purchasing an iPhone 2.0 to my wife. If the iPocalypse is a planned marketing event, I think it's brilliant. I probably over-simplified things a little.

Now, if you'll excuse me, I'm going to put an Apple sticker on my tinfoil hat.

Have a great weekend!

Wednesday, July 2, 2008

Thoughts on Social Engineering

The article linked at the end of this post underlines a threat that a lot of people forget about: social engineering.

A social engineer is just another name for a con man. Social engineering takes advantage of the human element, which is the weakest part of any security plan. Since human beings are social critters, they have a tendency to be helpful because it's much easier to get along in society when you're helpful. It tends to be more difficult to get along in society if you have a reputation for being a road block. That's just the way the system works.

Just like hackers that exploit electronic systems, social engineers observe the normal behavior and protocols of their target social system. Once they have a solid understanding of the system, social engineers try to use the social system in an unexpected manner to get what they want. For example, they dress up as a tech support technician, drop a few senior executive names, walk into a building and start stealing laptops. This attack is analogous to a Trojan horse email attachment.

I think one of the biggest challenges we face in social engineering defense is that we take for granted the benefits civilization affords us all. Living in a community provides tremendous value to all its participants. When we fail to understand that value we don't afford the system sufficient protection. Additionally, a large portion of society's standard protocols are based on unverified trust, which makes a social engineer's job even easier. Furthermore, since we live this system every day, it is incredibly difficult to step back and make an objective analysis of the situation.

Given the combination of all these factors, there is little wonder why social engineering is so successful.

Now, if you'll excuse me, I'm going to crawl under my desk and whimper quietly to myself for a few minutes.


Cracking Physical Identity Theft - Desktop Security News Analysis - Dark Reading




Monday, June 30, 2008

Playing With New Blogging Tools

The switch to Mac has caused me some churn. I've been a very devout Firefox user forever but as I get more used to the way my Mac works, the more Safari grows on me. The problem is that ScribeFire doesn't work on Safari.


That brings me to Ecto, which seems to be a pretty popular blogging tool for the Mac. This is my first real post using Ecto. I tend not to do too many crazy things on my blog posts so I imagine that Ecto will work fine.


I'll be testing for a while to see what happens. Please excuse any strange posts in the mean time.



Friday, June 20, 2008

Some People Should Just Avoid Driving

We're getting ready to head out on vacation for a couple of days so I headed over to Barnes & Noble to pick up a book. I get there and see that the pull-through spot I had my eye on was partially double-parked. I've seen this before and it's usually a mammoth SUV with a driver that is incapable of parking the vehicle correctly. My thoughts whenever I see this are usually "If you can't park it, don't buy it". Today however, there was a small twist. The incompetent parker was driving a Toyota Yaris. Seriously, if you can't get a Yaris in between the lines, just stay home.

Wednesday, June 18, 2008

An Innovative Way to Prevent Credit Card Fraud

This is a great idea. Essentially, this new technology embeds something similar to RSA's SecurID into individual credit cards. For those not familiar with SecurID, it generates a one-time PIN that is used in combination with a username and password to log on to an information system. This way, even if a bad guy gets your username and password, they still need the fob that generates the one-time password.

Since the PIN these souped up credit cards generate would be valid for only a single transaction, thieves need to have the physical card in order to conduct a fraudulent transaction. This is like CAPTCHA on steroids.

The technical details are still sketchy. I can only assume that the technology requires some modified infrastructure. We'll probably just see the enhanced authentication used for high value transactions at first, but I bet it will spread to daily transactions as the infrastructure builds out.
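The article doesn't say how the card derives its PIN, so here is an added example of the best-known counter-based scheme, HOTP from RFC 4226, with the single-use property enforced on the issuer's side. This is illustration written for this post, not Visa's or RSA's code; the card identifier is made up, and the shared secret is the RFC's published test vector so the first codes can be checked against the spec. Once the issuer accepts a code it advances past that counter, so the same code can never be replayed and a code that was skipped is burned too.

```python
"""Counter-based one-time transaction codes (RFC 4226 HOTP) with
single-use enforcement on the issuer side. Added example, not the
scheme described in the article."""
import hashlib
import hmac
import struct

# RFC 4226 test secret (ASCII "12345678901234567890"), used here so the
# output is checkable. A real card would carry its own random secret.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Derive a one-time code from a shared secret and a transaction counter."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation (RFC 4226 s5.3)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class IssuerVerifier:
    """Issuer-side record: per-card secret plus the next counter it will accept.

    Accepting a code moves the counter past it, so that code can never be
    replayed and any lower counter that was skipped becomes invalid as well.
    """

    def __init__(self, card_secrets: dict, look_ahead: int = 5):
        self._secrets = dict(card_secrets)      # hypothetical card id -> secret
        self._next = {cid: 0 for cid in card_secrets}
        self.look_ahead = look_ahead            # tolerate a few codes the card generated but never sent

    def verify(self, card_id: str, code: str) -> bool:
        secret = self._secrets.get(card_id)
        if secret is None:
            return False
        start = self._next[card_id]
        for counter in range(start, start + self.look_ahead):
            # Constant-time comparison so timing does not leak matching digits.
            if hmac.compare_digest(hotp(secret, counter), code):
                self._next[card_id] = counter + 1   # burn this counter and all earlier ones
                return True
        return False


if __name__ == "__main__":
    issuer = IssuerVerifier({"card-0001": TEST_SECRET})
    first = hotp(TEST_SECRET, 0)
    print("card shows:", first)
    print("first use  ->", issuer.verify("card-0001", first))   # accepted
    print("replay     ->", issuer.verify("card-0001", first))   # rejected
```

The look-ahead window is what lets the issuer tolerate a card that generated a code for a transaction that never completed; keep it small, because every extra counter in the window is one more code an attacker holding a copy of the secret could try.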

This is one of the coolest anti-fraud technologies I've read about in a long time. Here's the article:

Visa plans credit card with onboard TAN generation - News - heise Security UK

Wednesday, May 28, 2008

Motorola RAZR Vulnerability

The folks over at Zero Day Initiative (ZDI) have discovered a vulnerability in the software that processes .jpg images on a Motorola RAZR mobile phone. The vulnerability allows an attacker to execute arbitrary code on the phone.

This illustrates how the area of mobile device security is evolving. The mere fact that people are researching ways to compromise mobile phones is a new development. Given the underground economy fueling the hacking community, someone must have come up with a business model for compromised mobile devices. In the case of a RAZR, it might not be much more than a platform for SMS or Bluetooth spam, but someone probably found a monetary driver for the research. Time will tell if they came up with something more interesting than spam.

Another interesting evolution is that the bad guys are aware of the value of the data on mobile devices. I'm not sure that the mobile device owners have the same insight. Most people probably fail to realize the value of the information stored in their cell phone.

I think that many people would be amazed at the information I could glean from their mobile phone. A few things I would check include:
  • Who is #2 on your speed dial? (#1 is usually 911)
  • Who is in your address book?
  • What are the numbers in your call logs?
  • Do you have any voice memos?
  • What pictures do you have in your cell phone?
  • Do you have a calendar and what items are listed?
These seem innocuous at first, but I bet I could gather enough information from one of these phones to impersonate the owner in some capacity. Maybe enough to open a credit card in their name? Could I log on to their banking site and determine their mother's maiden name, city of birth, or color of their first car? Maybe. It's not outside the realm of possibility.

Things get even more interesting if the compromised device is a smartphone. Now there is the possibility of using the smartphone as a point of entry into corporate networks. As smartphones become more powerful, they become just as dangerous as a PC or laptop. We need to start thinking about how much we trust these devices and what kinds of data are acceptable to store on them.

I don't think that this RAZR vulnerability will amount to much. F-Secure seems to agree with me. However, it is a signal that the bad guys are starting to consider our mobile devices as legitimate targets of value. We need to start considering them in the same manner.

ZDNet's Zero Day also has a discussion of this one. They're focusing on the screwed up process for updating and fixing the issue rather than the big-picture stuff, but it's still an interesting read.




Tuesday, May 27, 2008

TJX Whistle Blower

There are several stories running today that discuss the actions of Nick Benson, a former employee of TJX.  I say former because he was recently fired for disclosing, in the opinion of TJX management, too much information about their internal operations.  I read the posts and I'm not sure that the information disclosed was that sensitive.  Furthermore, Benson was essentially a cashier.  How would he know about the operational details of the TJX infrastructure?

Regardless of the value or accuracy of the disclosed information, the question I'm asking myself is this:

Why did Benson think that an external hacker site was the only way to report the problem and be taken seriously?

As security professionals, we need to provide our non-technical employees with tools to report their concerns.  More importantly, we need to make certain that non-technical people know that they can report security concerns.  If we give them the tools they need, they won't start looking to outside entities for help. 

How does your organization enable its employees to report security concerns?

Saturday, March 29, 2008

A Very Moving and Insightful Presentation

The TED Talks are always awesome. Every time I have watched one of them I've come away with some insight that I lacked before. This talk by Jill Bolte Taylor is no exception. Jill is a neuroanatomist who had the opportunity to observe a stroke from the inside out. She describes her experience here. I highly recommend taking the 20 minutes to watch this one.

Monday, March 24, 2008

Surfing the Web on a Mac

One of the big things that I struggled with as I started using the Mac was what web browser I should use. Safari is the default and it isn't a bad browser, but I have been a huge fan of Firefox since it was called Firebird. This left me in something of a dilemma.

The thing about Macs that I'm discovering is that a Mac is not just a piece of hardware and associated software. A Mac is a package deal. An experience. All the applications just fit together with Jobsian perfection and predictability. Picking a non-standard application to do something basic like surfing the web makes you fear that you might throw the planets out of alignment.

I was being open-minded about trying new things so I gave Safari a chance. Safari is a sound browser. It is fast and has a basic interface that works well. By far the coolest feature of Safari is the three-finger swipe to go back in the browsing history, which is incredibly useful and intuitive. Other than that, Safari is a decent browser but unremarkable.

One issue that I would like to point out is that the built in RSS reader is a little odd.


It works fine, but it's a stand alone application. My use of RSS has evolved into a means of sharing information with other people rather than just keeping it to myself. Safari did not provide any means of sharing the RSS posts that I have grown accustomed to while using Google Reader.

The other thing that I didn't like about Safari was its lack of extensibility. Having used Firefox for the last several years, I have grown to expect my browser to plug into the latest information sharing widgets. Safari just doesn't do this. I looked all over for some type of hook into del.icio.us and StumbleUpon and couldn't find anything. I thought that I could work around that, but as I surfed without the ability to share the cool stuff, I found that I really missed that part of web browsing. In short, the ability to share what I found with others was more important than the three finger swipe to move forward and backward in my web browser.

Suffice it to say, I'm back with Firefox and I am happy with the decision. I actually think that it enhances my experience with the Mac. I would recommend anyone switching to a Mac to try Safari, but seriously consider using Firefox as their primary browser.

Wednesday, March 19, 2008

I Have Switched

I've made the jump and switched to a Mac. I made the purchase last Friday at the Columbus Apple Store. I purchased a 15" MacBook Pro with the Multitouch pad. Overall I think that the hardware is awesome. The fit and finish is great and everything just flows together.

One thing that I noticed right off the bat was that Apple's old tag line "Think Different" is an incredibly accurate warning for switchers. Apple has a definite way of approaching the computer and computing tasks. It took me about three days of playing with the Mac to get a feel for the philosophy. Now that I grasp the basic concept Apple uses, getting things done is a little easier.

One of the biggest things that I had to get used to was how easy it is to install software. I was completely confused when I tried to install Firefox. There was no installer, no questions about where I wanted to install the program. I just double-clicked the .dmg file and dragged the icon to the Applications folder. Tada. Done. It was that easy. It was so easy that I was confused.

One other thing that I noticed was that Google seems to be working on an Apple-like experience for non-Apple users. I made extensive use of Google applications while I was using a Windows machine. All the Google services are designed to work together and the users are subtly herded into using Google services almost exclusively. Apple does the same thing, but maybe not so subtly.

I knew what I was getting myself into though. Buying a Mac is like buying an SLR camera. When you buy the camera, you're not just buying a camera, you're buying into a system. For example, I bought a Canon Digital Rebel XT and I am a member of the Canon club now. Had I purchased a Nikon D70, I would have been a member of the Nikon club. Moving from one club to another requires you not just to sell off your camera body but all the lenses you purchased along the way. Apple and PCs are kinda the same thing except instead of lenses, you have to buy all new software.

I'll post more observations as I make them.

Monday, February 18, 2008

Energy Independence is Cool


I am a big fan of the Green Energy movement. At first thought you might think that this is because I like to hug trees and eat tofu. I must admit, I do love trees. Some of my favorite furniture is made from them. Tofu, I can take or leave. However, the real reason I love the Green Energy movement is its elegance. It just impresses me how this technology can work to achieve our desired technological goals while still having a minimal impact on our environment. Engineered harmony. That's cool.

Monday, February 4, 2008

Today is a Technology Bonanza

The US Navy has just tested a new railgun. Here's what the Navy ultimately expects the weapon to do:
The big gun uses electromagnetic energy instead of explosive chemical propellants to fire a projectile farther and faster. The railgun, as it is called, will ultimately fire a projectile more than 230 miles (370 kilometers) with a muzzle velocity seven times the speed of sound (Mach 7) and a velocity of Mach 5 at impact.
Lots of boom. No reason to use high explosives. The best part of the article is the quote from Admiral Gary Roughead:
I never ever want to see a Sailor or Marine in a fair fight. I always want them to have the advantage. We should never lose sight of always looking for the next big thing, always looking to make our capability better, more effective than what anyone else can put on the battlefield.
Amen. He seems to be channeling George S. Patton, who said: "The object of war is not to die for your country but to make the other bastard die for his."



Navy Tests Incredible Sci-Fi Weapon | LiveScience


Powered by ScribeFire.

This is the Coolest Technology I've Seen in a Long Time


Dean Kamen, inventor of the Segway, has developed a new prosthesis that is controlled by thought just like a natural limb. This thing even provides the user with tactile feedback while in use. The prosthesis is called the "Luke Arm" after the Star Wars character who lost his hand during an unfortunate domestic dispute with his estranged father. Here is a brief description of the prosthesis' abilities:

(It) enables 18 degrees of freedom, a scant 4 degrees less than an actual arm. It enables the wearer "to pluck chocolate-covered coffee beans one by one, pick up a power drill, unlock a door, and shake a hand." It features six different grip settings, and fits a modular design so any level of amputee can use it. It weighs 3.6 kg and runs on lithium batteries.


This is awesome!

Dean Kamen's "Luke Arm" bionic prosthesis heads to clinical trials, is awesome - 60 Second Science



Thursday, January 31, 2008

I Disappoint Myself Sometimes

For some reason people love to gawk at train wrecks. Sometimes those train wrecks involve real rail cars and sometimes they are more metaphorical train wrecks. I know we all have the tendency to stop what we're doing and pay attention to these train wrecks, especially the metaphorical ones. In fact, I'd say the majority of the US media is dependent upon metaphorical train wrecks for their daily copy. For some reason, fascination with metaphorical train wrecks bugs me and I try to ignore them as much as possible. I failed in that effort this morning.

The Metaphorical Rail Car du Jour is Britney Spears being carted off to the hospital in the middle of the night. I saw the headline on CNN and clicked the link before I could do anything about it. DAMNIT!!!!

I hate when I do that.




Wednesday, January 30, 2008

A Novel Way to Test Passwords

I ran across an interesting way to check the strength of your passwords this morning. Put them into Google and see how many matches you get. If you get fewer than 10 results, you have a strong password.

I'm not sure if this is insanely stupid or utterly brilliant. The more I think about it, the more I lean toward the brilliant end of the spectrum. If a password candidate only gets 10 hits on Google, the chances of it being in a password dictionary are probably low. The biggest danger I see is if you have search history enabled. That could give a local attacker an edge, but then again, to see the search they would have to be logged on as the victim already anyway. If you're using the Google toolbar, your searches are recorded and that's a risk, but in that context your password search is a grain of sand on a beach. You would have to have access to the Google system storing that data and you'd have to be able to develop search terms to find what you're looking for. A good place to start might be searches returning 10 items or fewer. I suspect that is still a large number of searches in absolute terms.
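The same "count the hits" rule can be run locally, which removes the search-history worry entirely because the candidate never leaves the machine. The block below is an added example, not part of the original post or the Sunbelt blog; the corpus is a constructed stand-in for a search index (a leaked-password list or a large text dump would be the realistic input), and the 12-character floor is my addition, since a short string can score zero hits and still be trivial to brute-force.

```python
"""Offline version of the 'search for your password' check.
Added example; the corpus below is constructed, not real search data."""

# Constructed stand-in for a search index: a few document snippets, some
# repeated so that common words cross the ten-hit threshold.
CORPUS = (
    ["Forgot your password? Click here to reset it."] * 7
    + ["Common passwords like password and 123456 are banned."] * 4
    + ["Try letmein if you forgot the Wi-Fi key."] * 3
    + ["qwerty keyboards dominate the market."] * 2
    + ["The quick brown fox jumps over the lazy dog."]
)


def hit_count(candidate: str, corpus=CORPUS) -> int:
    """Number of documents that contain the candidate (case-insensitive)."""
    if not candidate:
        return len(corpus)          # an empty needle matches everything
    needle = candidate.lower()
    return sum(1 for doc in corpus if needle in doc.lower())


def assess(candidate: str, corpus=CORPUS, threshold: int = 10,
           min_length: int = 12) -> dict:
    """Apply the post's rule (fewer than `threshold` hits) plus a length floor.

    Returns the hit count, a verdict, and the reasons behind a weak verdict.
    """
    hits = hit_count(candidate, corpus)
    reasons = []
    if hits >= threshold:
        reasons.append(f"found in {hits} documents (limit {threshold})")
    if len(candidate) < min_length:
        reasons.append(f"only {len(candidate)} characters (minimum {min_length})")
    return {"hits": hits, "strong": not reasons, "reasons": reasons}


if __name__ == "__main__":
    for pw in ("password", "letmein", "correct-horse-battery"):
        print(pw, "->", assess(pw))
```

In the constructed corpus "password" fails on hit count, "letmein" passes the post's ten-hit rule but fails the length floor, and "correct-horse-battery" passes both, which is the distinction a hit count alone cannot make.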

The biggest challenge I find in the security business is making security easy for non-security people. I could give these instructions to my Mom and she would understand them and would probably have a decent password at the end of the day. I'm still leaning towards brilliant on this one. Are there any other thoughts?

Tip 'o the Hat to the Sunbelt BLOG for this idea.




Monday, January 28, 2008

I Knew I was on to Something

Here's a link to an article in Time Magazine documenting the fact that a half hour of exercise and a drink or two a day is good for you. Specifically, it will help your heart by increasing your good Cholesterol. Even better, if you don't want to exercise a drink or two a day can still increase your good cholesterol. The study found that moderate alcohol consumption and exercise had "an independent beneficial effect on the heart and a compounded effect when practiced together."

On the downside for me, the benefits don't really take effect until you hit 45 or 50. I figure it won't hurt to start good habits early though.


Work Out and Drink Up - TIME



Sunday, January 20, 2008

One Seriously Cool Coffee Pot

The Bialetti Moka Express coffee pot is awesome. There are three things that make it awesome. First, it doesn't just make coffee, it makes espresso. Second, it works on the stove top. You just put the water and coffee basket in the bottom and screw on the kettle top. Put it on the back burner and let the magic happen. The third and final reason this is cool is that it costs a mere $24.99. Find another espresso machine for that much.



Tuesday, January 8, 2008

Researching Apple in the Field

EDITOR'S NOTE: I originally published this over on my Photoblog by mistake. That's what I get for blogging while watching Ohio State get beat.



I've been looking into switching to a Mac for the past couple of months. Most of my research has been online but that will only go so far. With that in mind, I made a trip to the Apple Store to check out MacBook Pros in their natural habitat.

I poked around on a 15 inch MBP for about thirty minutes to see what it was like. Leopard seemed to be able to keep up with all the standard things and even performed reasonably well with Safari, iTunes, Photoshop, and iWork running simultaneously on different virtual desktops. I continued to poke around and discovered a shell prompt, which was really exciting. It looks just like a FreeBSD prompt so that should provide some additional flexibility.

The presence of the shell prompt was especially comforting considering the reports that the OS X firewall is not configured well by default and that it doesn't perform as expected when it runs. I would be able to configure PF or whatever BSD firewall lurks beneath the Leopard eye candy.

Just after I finished poking around with the shell prompt, a sales guy approached me and asked if I had any questions. I asked him if there was any difference between a Windows machine and an Apple machine when using Adobe Photoshop. The immediate answer was "Of course there is. All the artsy people use Macs." After reminding him that wasn't my question, he conceded that there wasn't much difference between the two platforms. However, he did point out that Macs are more secure than Windows machines.

I countered that Macs are not more secure, but rather are just more ignored than Windows machines. Essentially the hackers get more bang for their buck with Windows exploits and that Macs just were not worth their time. However, as Mac's market share increases that will change and they will be hacked more.

Imagine telling a born again Southern Baptist that reports of Jesus walking on water might have been exaggerated slightly to improve his public image. That is about how this Apple sales guy responded to the notion that Macs were not more secure than Windows, but rather not worth the effort. It was an interesting experience.

At the end of the day, my estimation of the situation is that Macs are not better or worse than Windows machines, they are just different. Some people say that Macs are more expensive than Windows machines. On the surface that is true, but as far as I can tell that extra cash gets you software that you would have to purchase separately on a Windows machine. Specifically, I'm talking about iLife. To purchase comparable software for a Windows machine you would probably spend somewhere around $400 to $500. That and iWork is $85 as compared to MS Office Basic, which runs around $250.

That and Macs are just pretty. I think that the minimalist style is awesome. Using two fingers to scroll on the touchpad is a great idea. The more I look at them, the more I like them.

Saturday, January 5, 2008

Drifting in a Half Million Dollar Car

It is downright impressive to watch this guy flog a Porsche Carrera GT up the side of a mountain. Even if you don't speak German, this is still impressive to watch.



Tip 'o the hat to Autoblog.