Not in Chicago anymore

Mundane life from rural Minnesota.

Friday, May 15, 2015

Discussion groups

This article on the Reddit blog discusses a topic that has been around since there were enough people with access to computers to support electronic discussion groups.  That happened back in the 1970s when Usenet and bulletin board systems became popular.  Both of these support an open discussion in which people type their comments rather than speaking them. Other than the mode of interjecting the material, these discussions are much like having a group of people together face to face.

But there are two big differences.

First is the scale.  In some of these large systems like Reddit, it's not unusual to have thousands of people involved in the discussion. This strains the analogy with a traditional in-person discussion.

But the most important difference is the element of being anonymous. People will say things when they can hide behind a computer screen that they would never consider saying to another human face to face. It's actually rather sad.

So you end up with a situation for which there is no perfect answer. Free speech versus an environment in which meaningful discussion isn't possible.

People have been wrestling with this since the beginning of the mode. In Usenet, one of the first large discussion forums, the situation was addressed by inventing moderated newsgroups where a human moderator examined each submission and approved it before it was seen by the group as a whole. This concept continues to be used by systems like Reddit in different forms – sometimes every submission is screened, or some members are whitelisted so that they can contribute directly, or articles are removed after submission.

Reddit has done a remarkably good job of handling this problem. The fact that they're still around testifies to that; PostSecret attempted an open discussion system that they finally shut down because they simply couldn't police it (or didn't want to). As you can see from the article above, Reddit continues to wrestle with the issue.

It's interesting to watch the reaction of different systems to this issue.

Sunday, May 3, 2015

Are these guys real?

The day is new and I'm already in awe of our fringe politicians.

There's this article that reports that a number of Republicans have formed a group to try to change the ownership of national park land into state hands. The article reports it as a move to seize land and turn it over to developers, and the actual statement is more of a states' rights "We can do it better than the Feds" theme. I suspect that the truth is somewhere in between. But please . . . the national park system in the US is one we can be proud of. It's not broken. Can we not try to fix it?

As an aside on that article . . .  this quote, "Earlier this week, Bishop attached a provision to a defense spending bill to delay the U.S. Fish and Wildlife Service from protecting the greater sage grouse under the Endangered Species Act for at least 10 years."  This technique of attaching riders to a bill that have nothing to do with the actual purpose of the bill is so sad. If you want to debate the merits of the greater sage grouse, fine . . . but debate it.

Then there's this NPR article about deploying the National Guard to keep Obama from taking over Texas. Really? Well, it is reported by more than NPR, including this article that includes a video of Ted Cruz pandering to this conspiracy theory. I understand that the sources I'm using, like NPR, have no credibility because they are controlled by raging liberals . . . but Ted Cruz is speaking for himself in the video, and what I hear scares me.

Sunday, April 26, 2015


I did a really stupid thing this morning. Using a web site, I made an anonymous donation.

My definition of "anonymous" is obviously outdated. Silly me; I thought that if I made an anonymous donation that "no one" would know where it came from. I am not naive enough to think that "no one" means "not a single human in the universe". It was made using a credit card, so obviously it is linked to me at some level.

Literally within seconds of my hitting the {donate} icon, my phone rang. The donation was earmarked for an individual in a team – one of these deals where the individuals compete to see who can garner the most donations – and the "recipient" was calling to thank me. I was kind of flabbergasted. To me, the whole idea of "anonymous" is that I don't want the recipient to feel somehow obligated to me because I made a donation to the team and she gets credit for it. But no, anonymous does not mean this.

I have subsequently found out that there are many people who know about the donation and exactly who made it. "Anonymous" in the sense used on the web site only meant that my name was not shown in the list of donors on the web site. It could well show up in material published by the organization, in public expressions of appreciation, or anywhere else.

It's not that I am ashamed of making the donation. But I said "anonymous" for a reason, and I am disappointed that my wishes are not being respected. So beware – in today's world, "anonymous" may not mean what you think.

Thursday, April 23, 2015

Stealing WiFi passwords via a web site

I remember when I was in the security biz and attended conferences and training events. Generally the kickoff session was a "What's New" and by the end I would be depressed and distressed based on what the black hats were up to. There was always new stuff, and I always wished that these people could use their huge intellect and imagination to create good instead of bad.

This morning I stumbled on this article that describes how to steal the password for someone's personal wireless network as they are innocently browsing sites on the web.  It took me a while to put it together because the article is not terribly well written, but the basic story is that there is a network-connected speaker that stores the network password in a file, and the instructions describe how to trick the person's browser into returning the contents of that file to the attacker.

This is, of course, just a specific example. It applies only to folks who have Bang & Olufsen speakers attached to their home network. But it's getting to the point that all of us have things connected to our home networks – printers, thermostats, even refrigerators. Is there a similar exploit that could grab my wireless network password from my network-connected printer? Maybe.

The general adage that you're only as strong as your weakest link applies to security. Many of these newfangled gadgets that connect to your home network were not designed with security in mind.

Wednesday, April 22, 2015

Firecall IDs

Were you [that would be about two people] beginning to wonder if there would ever be another post here?  So was I.

I received a huge compliment today and I felt the need to share it, so here I am.

There's this article on Cloudmark's blog.  It's by Andrew Conway, a co-worker from decades ago. It discusses an up and coming concept, JitJea: Just In Time, Just Enough Administration. And as Andrew points out, we were doing that in the 1980s on a mainframe.

The idea is simple. It's simple now; it was simple then. Basically if someone needs to do something that requires a lot of access, you provide them a way to do it for the period when they need it, revoke the access when they're done, and then very carefully review what they did. Even if you don't do that careful review, if the person using this extraordinary access knows that you can review exactly what they did, they're less likely to step out of bounds.

So what we did was invent something that we called a "firecall ID". If you needed to poke around - and there are perfectly valid reasons to need to do that to solve a problem - you requested a firecall ID.  It was linked to your normal login ID, so anything you did was easily traceable back to you. And everything that you touched was logged, so that after the fact an auditor could see what you did - things that exercised that extraordinary privileged access, and things that you could have done anyway. It created some overhead to generate all that audit data but since it was generated only in connection with these special firecall IDs it wasn't a big issue.
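As an added illustration, not code from the mainframe system described above and not Andrew's, here is a toy version of the firecall-ID scheme in Python: an ID is issued against a normal login ID with a reason and a time limit, every action (including refused ones) is logged under both IDs, and an auditor can pull everything linked to one person afterwards. The user names, incident reference, dataset names and times are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Firecall:
    firecall_id: str
    linked_user: str      # the requester's normal login ID
    reason: str
    expires_at: datetime
    revoked: bool = False

class FirecallService:
    def __init__(self):
        self._issued = {}     # firecall_id -> Firecall
        self.audit_log = []   # every event names the linked user, not just the ID

    def _log(self, now, fc, event, detail=""):
        self.audit_log.append({"time": now, "firecall_id": fc.firecall_id,
                               "user": fc.linked_user, "event": event, "detail": detail})

    def request(self, user, reason, ttl, now):
        fid = f"FC{len(self._issued) + 1:04d}"
        fc = self._issued[fid] = Firecall(fid, user, reason, now + ttl)
        self._log(now, fc, "issued", reason)
        return fid

    def act(self, fid, action, now):
        fc = self._issued[fid]
        if fc.revoked or now >= fc.expires_at:   # expired or revoked: refuse, but log it
            self._log(now, fc, "denied", action)
            raise PermissionError(f"{fid} is no longer active")
        self._log(now, fc, "action", action)

    def revoke(self, fid, now):
        self._issued[fid].revoked = True
        self._log(now, self._issued[fid], "revoked")

    def review(self, user):
        # What the auditor sees afterwards: every event under any ID linked to user
        return [e for e in self.audit_log if e["user"] == user]

def demo():
    # Constructed scenario: one hour of access, used once, revoked after 30 minutes
    svc = FirecallService()
    t0 = datetime(2015, 4, 22, 9, 0)
    fid = svc.request("jdoe", "INC-1234 batch job stuck", timedelta(hours=1), t0)
    svc.act(fid, "read PROD.PAYROLL.LOG", t0 + timedelta(minutes=5))
    svc.revoke(fid, t0 + timedelta(minutes=30))
    return svc, fid, t0
```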

I wonder if people still use this concept. It rather depends on having someone who has the time and motivation to examine the audit trail after the fact, so maybe not. I get the impression that there are many "administrators" out there these days, straight out of school, who can wander through data at will, pretty much unimpeded. The saving grace being that there's so much data to wander through that it's unlikely that mine will be the interesting and attractive part.

Yeah, we did some pretty innovative stuff back then.
