Back to normal in Colorado

But am I here? It’s kind of hard to tell
I do a good impression of myself
But what’s normal now anyhow?
from “Normal” by Porcupine Tree

Since the great weirdness last month things are getting pretty much back to normal in Colorado. The Balloon Boy’s parents have fessed up, but not before the Larimer County Sheriff posted an item to his blog attacking [the father], calling him “clever and manipulative” and comparing him to the Joker character from “Batman.” But sadly, if you were looking forward to the Balloon family reality show, that idea is a non-starter according to at least one New York-based production company.

“It’s just too poisonous,” said Irad Eyal, vice president of development at True Entertainment. “I don’t think anyone is going to want to meet with a man who shamed his family and children that way. In reality TV, there’s a definite line you don’t cross, and that’s tormenting children.”

I’m just going to leave that quote alone – as nothing I could possibly add would make it any more hilariously absurd than it already is. But I digress. Balloon Boy saga done.

The insurance companies that thought they could get away with denying coverage to healthy children are backpedaling and spinning their respective ways back to sanity. The Denver Post reports that the insurer changed its course on the chubby baby.

Rocky Mountain Health Plans announced Monday that it found a flaw in its underwriting system and now will provide coverage to healthy infants, regardless of their weight.

“As a small company we were able to act quickly and decisively,” said Rocky Mountain spokeswoman Kayla Arnesen. “We are really pleased we are going to be covering Alex and other healthy babies.”

A “flaw in its underwriting system”? Dude, I can’t make up stuff this good. But again I digress. And the Denver Post also reports that the insurance company changed its mind on the skinny tot as well.

The Golden Rule Insurance Co. said Wednesday that it has changed its mind on a 2-year-old from northern Colorado rejected for coverage because she’s so skinny.

The insurer announced the change after [the parents] brought their story to television stations.

Golden Rule said in a statement that it changed its mind on Aislin’s case after a routine appeals process.

“I won’t tell you we’ve never made a mistake, because we have. But our reviews process is open to all,” said company spokeswoman Ellen Laden.

And the mistake was that they thought they could get away with it? At least the reviews process is open to all.

Westword is close to hiring that medical-marijuana dispensary reviewer. Although apparently I’m not the only one who found it humorous. According to Westword, their hunt for a pot critic made international news and the talk-show circuit.

“A newspaper in Denver is planning to hire a critic to write reviews of all the medical marijuana clinics in the state,” Conan O’Brien joked on his show last week. “My one suggestion for the editors: Give the guy a deadline.”

Thanks, Conan: We have. Westword stopped accepting applications for our medical-marijuana dispensary reviewer in mid-October. Now if comics and reporters alike would just stay off the story for a while (Westword’s job opening has been the punchline on both NPR’s Wait Wait Don’t Tell Me and a BBC quiz show, and we just logged mentions in newspapers in Russia, Israel and China), we might be able to actually finish the hiring process. For the record, we’ve gone through the more than 250 formal applications we received, contacted a dozen semi-finalists, and hope to have our new critic in place within the week.

That’s right, then it’s back to the same old, same old. But seriously, wouldn’t this be the best job ever?

The Denver Broncos are behaving more like expected now: with a 6-3 record, having lost the last 3 games straight, it is altogether possible (yea, even probable) that they might only win 6 games total this season. Hey, you can only push the Almighty so far.

And finally, the Windows 7 juggernaut continues unabated. Well, except that according to J. Nicholas Hoover at InformationWeek, the U.S. Government isn’t jumping on the bandwagon until the Federal Desktop Core Configuration (FDCC) is finalized for Windows 7.

It may be another six months before agencies can move ahead with Windows 7 deployment because a government-mandated security standard hasn’t been finalized.

The Federal Desktop Core Configuration spells out 300 settings for Windows PCs and laptops, with a goal of making them less vulnerable to hackers and data breaches. FDCC settings exist for Windows XP and Windows Vista, but not yet for Windows 7.

“It will take until spring 2010, at least,” said Ken Page, Microsoft’s FDCC program manager, in a presentation today at Microsoft’s Washington, D.C., office. “This process does not happen fast.”

Oh, and there was that little brouhaha over Microsoft snagging some open source code for use in a semi-proprietary licensed tool, as reported by Mary Jo Foley at ZDNet. But they’ve now fessed up and made it right. Or at least made it GPL 2.

From a November 13 blog posting by Microsoft Open Source Community Manager Peter Galli:

“After looking at the code (within the USB tool) in question, we are now able to confirm this (inclusion of improperly licensed GPL v2 code) was indeed the case, although it was not intentional on our part. While we had contracted with a third party to create the tool, we share responsibility as we did not catch it as part of our code review process. We have furthermore conducted a review of other code provided through the Microsoft Store and this was the only incident of this sort we could find.”

Galli said Microsoft plans to make the source code and binaries for the Microsoft tool available the week of November 16 under the terms of the General Public License v2 “and are also taking measures to apply what we have learned from this experience for future code reviews we perform.”

So like I said, things are getting back to normal. At least as normal as things ever get.

Open source and patents

Matt Asay over at The Open Road has this intriguing article wherein the following is asserted.

Patents are short-term monopolies (20 years) designed to give inventors sufficient time in which to recoup their R&D costs and turn a profit. Open source turns the 20-year patent term into two years, if that. As a relentless, ever-growing competitor, open source keeps the proprietary world in check and on its toes to a degree that the industry has never before seen.

Today, nearly every software vendor faces increasingly stiff open-source competition. Had this been the case 20 years ago when Microsoft Office was developed, we would likely have far more innovation in office productivity technology than we do today. Ditto for Windows desktop, SAP’s ERP system, etc.

I’m a hard-core open source aficionado and inveterate penguin head. And I will freely admit that I personally use Open Office (actually a derivative thereof) instead of Microsoft Office. And I am gravely skeptical of IT security software, in particular crypto, that is not based on open source. While I certainly relish the image of the Microsoft executives running scared from open source, or businesses abandoning SAP in droves for Sugar Suite ERP, I don’t see this happening in the immediate future. And if anything, the pressure being put on development teams at these places to “innovate faster” is probably mitigated by the larger pool of existing source code from which to ah… take inspiration. And seriously, do we really need more “innovation” in bloated-to-the-point-of-unusability office suites?

I’m not suggesting that commercial vendors who obtain patents are not being dramatically and substantially affected by open source. It’s just in more subtle yet profound ways. For example, Microsoft has been notorious in the past for presenting technology to a standards body while holding back a critical, patented portion. Nowadays they have trouble getting any serious traction pushing standards, which are, appropriately, almost exclusively an open source bailiwick. And they (Microsoft) know that any desirable technology that they want to patent, particularly network technology, will be reverse engineered, improved and released under a GPL license.

I also suspect, although actual numbers on this are hard to come by, that the number of software patent applications is declining. It’s expensive to file a patent, and by the time you actually receive it (minimum 2 years in the US) the technology will have already been reverse engineered and widely distributed via open source. That is assuming that your potentially patentable technology is worth being patented in the first place.

So maybe open source is the new patent regime as Matt suggests. Or maybe software patents were just a dumb idea in the first place and are moving towards their rightful place of irrelevancy.

DRM is a security threat

For my entire career I’ve designed, developed, maintained and secured commercial software products. So it is definitely not lost on me that the revenue generated by sales of those software products is what pays my bills. If customers don’t pony up then my employers quit paying me. So believe me, I’m certainly not advocating that all software should be free (“as in free beer” to quote Mark Shuttleworth).

But at the same time I’m a software user. I use both open source software (free as in speech because I like to tweak it, and free as in beer because I’m cheap and I like beer) and commercial software that my wife thinks I spend too much money on. And I hate Digital Rights Management (DRM) software. Hate it. It’s inconvenient, intrusive and hey – I paid for the product and I don’t want DRM. For me that is reason enough.

Okay, I think most of us can agree that DRM is annoying and intrusive, but how is that a threat to information security? Glad you asked. From a recent article on the Harvard Law Zeroday blog:

EA could help end DRM

The backlash over DRM has finally started to gather serious momentum. Everyday consumers started a campaign to give the highly anticipated game Spore one-star ratings on Amazon. Thousands of Amazon users labeled Spore a poor choice because of the SecuROM DRM system that is forced onto the machines of PC users that purchase the game. EA has backpedaled a bit and eased the restrictions on the number of installs per machine. They have even made a verbal (but unenforceable) promise to disable the DRM system by patch should they ever end of life the product. But so far EA refuses to give in to consumer demand that they simply get rid of the DRM system. They hold on to the claim that DRM helps reduce piracy. Yet 30 seconds of searching on a popular torrent site shows not only Spore but a cracked copy that totally removes all DRM from the game.

This is possibly the most insulting bit for consumers. People who are pirating the game actually enjoy more freedom in the sense that their system does not have SecuROM permanently installed onto the hard drive. In the recent class action suit the defendants publicly document how the DRM used in Spore remains installed even after the game has been removed from the user’s computer. SecuROM also operates at “Ring 0”, which is to say the core of the kernel layer, which is clever in that it is hard to bypass the program yet dangerous because anything that goes wrong will completely destroy the user’s session. All of these facts are not made plain to consumers before purchasing the game. Only after they have purchased the game and start installation will they have the chance to read about the DRM system in the EULA. Retailers almost never allow returns on software once opened, which leaves consumers who don’t agree with the surprise DRM in a very bad position.

I see, it’s that nasty malware that they foist on users’ machines that is the security threat. Sorry, good guess, but no cigar. That’s nasty for sure, but there is a very real and significant threat that is inherent to all intrusive DRM. To illustrate this I will defer to someone familiar with Electronic Arts (EA) software and who has way more gamer cred than me, my son Nick Webster. He reviewed the article above and responded thusly:

Atari implemented the same sort of system on Alone in the Dark. AITD didn’t get any cracks and remained untorrentable largely due to the suckiness of the game, crackers didn’t waste their time on such a poor excuse for a game.
That MIGHT be why EA is claiming DRM works, cuz no one stole Atari’s AITD. You can clearly see their logic, “They had this really BAD game that no one wants to play, but it had DRM so no one stole it. DRM MUST WORK!!!”. Assuming you haven’t suffered brain damage you can obviously see where their logic is wrong. The REAL solution to keep people from stealing your game WAS hit upon in AITD, though, just make the game BAD and have Yahtzee FLAME it that seems to help.
My general tactic with all of this is to just NOT EVER buy EA games. So far the only game I’ve seen with any sort of REASONABLE DRM is UT3. They let you install it on as many comps as you want, you just can’t have more than 15 people logged ONLINE with your code at ONCE. Seems fair, right?
Or if you MUST be nasty about your DRM the BEST tactic is the old school one, leave some music on the CD that will be needed to load the game. Then the no-cd-cracks will hinder game play and frustrate the player, as Daemon Tools requires lots of work to get it to actually let you play games OFF the ISO.
Anyway… as a side note I DID go rate Spore a 1 on Amazon; the current rating for the game is like 1.5 stars… glad to see there are a lot of us out there.

Note: apparently Yahtzee doesn’t like Spore much either – so Nick could be on to something here!

Still don’t see it? I’m not surprised. It’s because Nick and the Zeroday author were both vague yet obvious in suggesting how to deal with intrusive DRM: they don’t; they torrent a cracked version of the software. This is where the very real and present security threat lies. Not only are warez sites notorious for purveying malware, but there are companies like MediaDefender that actually inject “spoof files into the [torrent distributors] network without permission … as part of its antipiracy efforts to dilute the pool of pirated content online”. Yikes! In fact this particular “antipiracy” effort caused a serious Denial of Service (DoS) attack on the popular – and completely legitimate – Revision3 network. So what happens when an employee decides to download a Spore crack from a warez site on your corporate network? Or what happens when your kid decides to grab it on your home network (note to self – check those firewall and IDS logs!)?

The bottom line is this – at best DRM is ineffective and is counterproductive to the vendor’s antipiracy efforts. It is ineffective because people who want to steal your software and bypass the DRM can do it quite easily, and it is counterproductive to your antipiracy efforts because it’s easier for users to deal with the pirates than it is to deal with the DRM. And what about the real sales lost due to DRM? Not the bogus sales lost to piracy (I posit that people who steal your software would not have paid for it, ergo they cannot be counted as lost sales), but the real sales. Some are due in part to the free advertising you get from piracy. That’s right, I can’t count the number of software packages I have purchased after trying a “borrowed” copy. Nowadays I rarely have to resort to anything as nefarious as “borrowing” software, since most shareware (I’m partial to small independent software developers) now employs a “try before you buy” model where I can try the full unencumbered program for several weeks before buying it. Just ask my wife how effective this model is – based on my software spending habits. But even though I can easily “borrow” a copy of Spore to try it out before I pony up $50 American, I absolutely will not consider it as long as EA insists on forcing the DRM on me. I may, however, go to Amazon and give Spore a 1-star rating.

But the point of this rant is: when your company implements a strictly self-serving mechanism that not only is ineffective in accomplishing its intended purpose, but has the (presumably) unintended consequence of promoting risky and (potentially) illegal behavior that increases the threat exposure on the network, I have a real problem with that. Sure, we can disallow all P2P activity on our business networks – but what about users who need access to legitimate groups that rely on torrents to distribute their software, like the Fedora project? Or we can teach our children that stealing software is wrong and they should always pay for it – but what about software that forcibly installs malware like EA’s SecuROM? I think the better lesson is “vote with your wallet” – don’t buy bad stuff that you don’t want – especially if it’s bundled with something you do want.

So how about it, EA? Why not do everyone a service and just say “no!” to stupid ideas like DRM? You won’t have to pay for it, and we won’t have to put up with it. Sounds like a win-win to me. And maybe I’ll consider buying your software instead of flaming you. Hey, fifty bucks is fifty bucks. Or do you really need to suck up to Sony that badly? Whoa, I better stop here – I feel a great conspiracy theory coming on.

Keys to the kingdom

You’d think we’d have gotten past this by now. After all the research and all the mathematical and technological advancement, almost all of our most valuable digital – and ultimately real – assets are protected by one little word. Usually something lame like our dog’s name or favorite team mascot. That’s right, I’m talking about passwords. In spite of efforts by the Payment Card Industry (PCI) Security Standards Council and others to promote multi-factor authentication – i.e. some combination of

  • something you know (like a password)
  • something you have (like an access card)
  • something you are (biometrics like fingerprints or retinal scan)

– even most financial institutions can only manage a password and some personal questions (which incidentally is not really multi-factor; it’s multiple single-factor, i.e. several things that you know) to authenticate us for the most sensitive and important transactions. And forget about web sites. Everybody wants you to have a password. Presumably a good – and unique – one for each.

By now most people have heard about the guidelines for good passwords. For example, Wikipedia lists the following common guidelines.

Guidelines for strong passwords

Common guidelines for choosing good passwords are designed to make passwords less easily discovered by intelligent guessing:

  • Include numbers, symbols, upper and lowercase letters in passwords
  • Password length should be around 12 to 14 characters
  • Avoid passwords based on repetition, dictionary words, letter or number sequences, usernames, or biographical information like names or dates.

I can see heads start spinning! How in the world can I remember even one 12-14 character password that contains nothing I can remember and is more or less random? Much less the 50 or so passwords I need for all my web sites and financial stuff? Yeah – that’s a problem. And it’s exacerbated by the fact that as the need for passwords has proliferated, the practicality (i.e. horsepower) of password crackers has improved exponentially. Oh, and by the way, to really achieve decent security (i.e. mitigate the threat of exposure) you should change your passwords at least annually and preferably more often.

Yikes! So how exactly can a person possibly memorize 50 pseudo-random character strings that all change every year? Well, in a nutshell – you can’t. No one can. Well, maybe someone with an eidetic memory, but not you or me. There is, however, hope. SecurePuter has a great post on “How to Create and Remember Multiple Secure Passwords” wherein an easy-to-remember but hard-to-guess formula is presented that lets you calculate what your password is, so it removes the randomness and the requirement to memorize many different things. It’s a great idea, and be sure to read all of the comments, as further refinements are suggested.

Still, if you’re like me and make an actual effort to forget things as soon as possible, this might not be an optimal solution. So how do I manage to remember 50 (or in my case more like 150) dynamic random character strings? It’s easy – I don’t even try. I use a password generator and storage system. There are quite a few good packages out there. The one I use is the open source package Password Safe, partly because Bruce Schneier started the project, partly because it runs on all of the platforms I use, partly because it has great encryption, but mostly because I’m cheap and it’s free (as in free speech and free beer). I keep my fully encrypted Password Safe database file on a USB thumb drive so all of my passwords are available on whatever device I’m using – except my iPhone (which is a rant for another time). Basically the way it works is that I make an entry for whatever web site or computer I need a password for and then let it generate one for me. There are all sorts of policy options, so you can get insanely long and complex passwords. When I save the new password, it is encrypted using the one and only password I need to remember. That’s it. So not only do I not remember my 150 different passwords, I never knew what they were to begin with.

Now there are situations where this kind of password safe mechanism will have an issue. Specifically, you can run into a race condition with computer logons that require a regularly changing password (e.g. most corporate networks), whereby you must be able to type in the password to log in so that you can get access to the password safe. I get around this by generating a random 12-character password that I can remember for the 90 days that it will be valid. So I guess I really have to remember 2 passwords. But even I can do that. And so can you.
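To show what the “policy options” of a generator like the one described above amount to in practice, here is an added example (not code from this blog, nor from the Password Safe project): a small Python generator that draws characters from the operating system’s CSPRNG via the `secrets` module and rejects candidates that violate the Wikipedia guidelines quoted earlier (length, mixed character classes, no repetition, no letter or number sequences, no dictionary words, no personal information). The `DICTIONARY` word list and the `personal` tuple are constructed placeholders for illustration; a real checker would load a full word list. The `SYMBOLS` alphabet and the function names are my choices, not anything the page specifies.

```python
import math
import secrets
import string

# Character classes the guidelines ask you to mix.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"   # assumption: a printable, shell-safe symbol set
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS

# Constructed, deliberately tiny word list for illustration only; load a real
# dictionary (e.g. /usr/share/dict/words) for production use.
DICTIONARY = {"password", "dragon", "welcome", "letmein", "football", "monkey", "summer"}


def _has_repetition(pw, n=3):
    """True if some character is repeated n or more times in a row (e.g. 'aaa')."""
    return any(len(set(pw[i:i + n])) == 1 for i in range(len(pw) - n + 1))


def _has_sequence(pw, n=3):
    """True if pw contains n characters that ascend or descend by exactly one
    code point, which catches 'abc', 'CBA' and '123'-style sequences."""
    for i in range(len(pw) - n + 1):
        codes = [ord(c) for c in pw[i:i + n]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_policy(pw, min_len=12, max_len=14, personal=()):
    """Return a list of guideline violations for pw; an empty list means it passes.
    `personal` is a tuple of strings (names, dates, usernames) that must not appear."""
    problems = []
    if not min_len <= len(pw) <= max_len:
        problems.append(f"length {len(pw)} not in {min_len}..{max_len}")
    for chars, name in ((LOWER, "lowercase"), (UPPER, "uppercase"),
                        (DIGITS, "digit"), (SYMBOLS, "symbol")):
        if not any(c in chars for c in pw):
            problems.append(f"missing {name}")
    if _has_repetition(pw):
        problems.append("repeated character run")
    if _has_sequence(pw):
        problems.append("letter/number sequence")
    low = pw.lower()
    for word in sorted(DICTIONARY):
        if word in low:
            problems.append(f"contains dictionary word {word!r}")
    for item in personal:
        if item and item.lower() in low:
            problems.append(f"contains personal info {item!r}")
    return problems


def estimated_entropy_bits(length, alphabet=ALPHABET):
    """Upper bound on entropy for a uniformly random password of this length;
    the rejection step below discards a few candidates, so the true figure is
    marginally lower."""
    return length * math.log2(len(alphabet))


def generate_password(length=14, personal=(), attempts=1000):
    """Generate a password from the OS CSPRNG and keep drawing until it satisfies
    check_policy for exactly this length."""
    if length < 4:
        raise ValueError("need at least one character from each of the four classes")
    rng = secrets.SystemRandom()
    for _ in range(attempts):
        # One character from each class guarantees the class rule; the rest is
        # drawn from the whole alphabet, then the order is shuffled.
        chars = [secrets.choice(LOWER), secrets.choice(UPPER),
                 secrets.choice(DIGITS), secrets.choice(SYMBOLS)]
        chars += [secrets.choice(ALPHABET) for _ in range(length - 4)]
        rng.shuffle(chars)
        pw = "".join(chars)
        if not check_policy(pw, min_len=length, max_len=length, personal=personal):
            return pw
    raise RuntimeError("could not generate a compliant password")


if __name__ == "__main__":
    print("violations for 'password123':", check_policy("password123"))
    candidate = generate_password(14, personal=("fido", "1999"))
    print("generated:", candidate, "entropy <= %.1f bits" % estimated_entropy_bits(14))
```

The generator never has to be trusted to be clever: every candidate goes through the same `check_policy` function you would use to audit a human-chosen password, so the policy lives in one place. Note that a 14-character draw from an 86-symbol alphabet tops out near 90 bits, which is the reason the author’s “insanely long and complex” generated passwords are only practical when something like a password safe remembers them for you.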