Surveillance cameras don’t reduce crime

From BBC News’ “CCTV boom ‘failing to cut crime’” (6 May 2008):

Huge investment in closed-circuit TV technology has failed to cut UK crime, a senior police officer has warned.

Det Ch Insp Mick Neville said the system was an “utter fiasco” – with only 3% of London’s street robberies being solved using security cameras.

Although Britain had more cameras than any other European country, he said “no thought” had gone into how to use them.

Speaking at the Security Document World Conference in London, Det Ch Insp Neville, the head of the Met’s Visual Images, Identifications and Detections Office (Viido), said one of the problems was that criminals were not afraid of cameras.

He also said more training was needed for officers who often avoided trawling through CCTV images “because it’s hard work”.

One study suggests there may be more than 4.2 million CCTV cameras in the UK – the majority on private property – but until Viido was set up in September 2006 there had been no dedicated police unit to deal with the collection and dissemination of CCTV evidence.

From Owen Bowcott’s “CCTV boom has failed to slash crime, say police” (The Guardian: 6 May 2008):

Massive investment in CCTV cameras to prevent crime in the UK has failed to have a significant impact, despite billions of pounds spent on the new technology, a senior police officer piloting a new database has warned. Only 3% of street robberies in London were solved using CCTV images, despite the fact that Britain has more security cameras than any other country in Europe.

Virtual kidnappings a problem in Mexico

From Marc Lacey’s “Exploiting Real Fears With ‘Virtual Kidnappings’ ” (The New York Times: 29 April 2008):

MEXICO CITY — The phone call begins with the cries of an anguished child calling for a parent: “Mama! Papa!” The youngster’s sobs are quickly replaced by a husky male voice that means business.

“We’ve got your child,” he says in rapid-fire Spanish, usually adding an expletive for effect and then rattling off a list of demands that might include cash or jewels dropped off at a certain street corner or a sizable deposit made to a local bank.

The twist is that little Pablo or Teresa is safe and sound at school, not duct-taped to a chair in a rundown flophouse somewhere or stuffed in the back of a pirate taxi. But when the cellphone call comes in, that is not at all clear.

This is “virtual kidnapping,” the name being given to Mexico’s latest crime craze, one that has capitalized on the raw nerves of a country that has been terrorized by the real thing for years.

A new hot line set up to deal with the problem of kidnappings in which no one is actually kidnapped received more than 30,000 complaints from last December to the end of February, Joel Ortega, Mexico City’s police chief, announced recently. There have been eight arrests, and 3,415 telephone numbers have been identified as those used by extortionists, he said.

But identifying the phone numbers — they are now listed on a government Web site — has done little to slow the extortion calls. Nearly all the calls are from cellphones, most of them stolen, authorities say.

On top of that, many extortionists are believed to be pulling off the scams from prisons.

Authorities say hundreds of different criminal gangs are engaged in various telephone scams. Besides the false kidnappings, callers falsely tell people they have won cars or money. Sometimes, people are told to turn off their cellphones for an hour so the service can be repaired; then, relatives are called and told that the cellphone’s owner has been kidnapped. Ransom demands have even been made by text message.

No money changed hands in her case, but in many instances — as many as a third of the calls, one study showed — the criminals make off with some valuables. One estimate put the take from telephone scams in Mexico in the last six months at 186.6 million pesos, nearly $20 million.

Thinking like an engineer; thinking like a security pro

From Bruce Schneier’s “Inside the Twisted Mind of the Security Professional” (Wired: 20 March 2008):

This kind of thinking is not natural for most people. It’s not natural for engineers. Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail. It involves thinking like an attacker, an adversary or a criminal. You don’t have to exploit the vulnerabilities you find, but if you don’t see the world that way, you’ll never notice most security problems.

Why you should not run Windows as Admin

From Aaron Margosis’ “Why you shouldn’t run as admin…” (17 June 2004):

But if you’re running as admin [on Windows], an exploit can:

  • install kernel-mode rootkits and/or keyloggers (which can be close to impossible to detect)
  • install and start services
  • install ActiveX controls, including IE and shell add-ins (common with spyware and adware)
  • access data belonging to other users
  • cause code to run whenever anybody else logs on (including capturing passwords entered into the Ctrl-Alt-Del logon dialog)
  • replace OS and other program files with trojan horses
  • access LSA Secrets, including other sensitive account information, possibly including account info for domain accounts
  • disable/uninstall anti-virus
  • cover its tracks in the event log
  • render your machine unbootable
  • if your account is an administrator on other computers on the network, the malware gains admin control over those computers as well
  • and lots more

To solve a problem, you first have to figure out the problem

From Russell L. Ackoff & Daniel Greenberg’s Turning Learning Right Side Up: Putting Education Back on Track (2008):

A classic story illustrates very well the potential cost of placing a problem in a disciplinary box. It involves a multistoried office building in New York. Occupants began complaining about the poor elevator service provided in the building. Waiting times for elevators at peak hours, they said, were excessively long. Several of the tenants threatened to break their leases and move out of the building because of this…

Management authorized a study to determine what would be the best solution. The study revealed that because of the age of the building no engineering solution could be justified economically. The engineers said that management would just have to live with the problem permanently.

The desperate manager called a meeting of his staff, which included a young recently hired graduate in personnel psychology…The young man had not focused on elevator performance but on the fact that people complained about waiting only a few minutes. Why, he asked himself, were they complaining about waiting for only a very short time? He concluded that the complaints were a consequence of boredom. Therefore, he took the problem to be one of giving those waiting something to occupy their time pleasantly. He suggested installing mirrors in the elevator boarding areas so that those waiting could look at each other or themselves without appearing to do so. The manager took up his suggestion. The installation of mirrors was made quickly and at a relatively low cost. The complaints about waiting stopped.

Today, mirrors in elevator lobbies and even on elevators in tall buildings are commonplace.

After a stroke, he can write, but can’t read

From Oliver Sacks’ “The Case of Anna H.” (The New Yorker: 7 October 2002: 64):

I recently received a letter from Howard Engel, a Canadian novelist, who told me that he had a somewhat similar problem following a stroke: “The area affected,” he relates, “was my ability to read. I can write, but I can’t read what I’ve just written … So, I can write, but I can’t rewrite …”

How to delete stuck files on Amazon’s S3

I use Amazon’s S3 (Simple Storage Service) to back up files, and I also use OmniGraffle, a diagramming program, on my Mac. This is a letter I sent to OmniGraffle recently that explains a problem with the interaction of OmniGraffle and S3.

Start letter:

OmniGraffle (OG) is a great app, but it has a serious, showstopping incompatibility with Amazon’s S3 (Simple Storage Service).

S3 is an online backup service run by Amazon. Lots & lots of people use it, with more moving to it all the time. You can find out more about S3 here:

http://en.wikipedia.org/wiki/Amazon_S3

I created some documents in OmniGraffle and uploaded them to S3. When I tried to perform another backup, the command-line S3 app I was using crashed. I tried another. Crashed. I tried Interarchy, a GUI app, but while it appeared to work, in reality it simply silently failed. After much trial and error, I finally determined that it was a particular file generated by OG that was causing the problems. But I had no idea how to fix things.

After searching on the Amazon S3 forums, it turns out others are experiencing the exact same problem. I found two entries discussing how an invisible character in the name of the Icon file located in a .graffle folder was causing the crash. Here are those two entries:

http://developer.amazonwebservices.com/connect/thread.jspa?messageID=63273

http://developer.amazonwebservices.com/connect/thread.jspa?messageID=45488

Eventually, after over an hour of trying various combinations with the help of a friend, I was able to delete the offending file using this command.

./s3cmd.rb -v delete "granneclientele:clientele/images/omnigraffle/audacity-toolbar-tools.graffle/Icon"$'\r'

I show that command to you not because I expect you’ll understand it, but because it demonstrates that this is a bear of a problem that many of your customers will be unable to solve on their own. As more of your customers use S3, they’re going to run into this issue.

I understand this all may sound confusing, so please do not hesitate to call or email me for further details.

/End letter

An OmniGraffle support person wrote me back, saying that this issue had been fixed in version 4.2 of the software.
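As an added example (not part of the letter, and not OmniGraffle’s, Amazon’s or s3cmd’s own code), this small Python script finds names like the Icon file with a trailing carriage return before a backup trips over them, and prints each one in the bash $'...' quoting form used in the delete command above so the invisible character becomes visible. The sample names are constructed.

```python
"""Find file names containing control characters (such as the classic
Mac 'Icon\r' file inside a .graffle bundle) and render them in bash
ANSI-C quoting so they can be typed, deleted or renamed reliably."""
import os
import sys
import unicodedata

# Constructed sample names, not taken from a real backup set.
SAMPLE_NAMES = [
    "audacity-toolbar-tools.graffle/Icon\r",
    "audacity-toolbar-tools.graffle/data.plist",
    "notes\ttodo.txt",
    "README.md",
]


def has_control_char(name: str) -> bool:
    """True if any character is a Unicode control (category Cc), which
    covers CR, LF, TAB and the rest of the C0/C1 ranges."""
    return any(unicodedata.category(ch) == "Cc" for ch in name)


def ansi_c_quote(name: str) -> str:
    """Render a path as a bash $'...' literal: control characters become
    \\r, \\n, \\t or \\xHH (UTF-8 bytes), quotes and backslashes are escaped."""
    escapes = {"\\": "\\\\", "'": "\\'", "\r": "\\r", "\n": "\\n", "\t": "\\t"}
    out = []
    for ch in name:
        if ch in escapes:
            out.append(escapes[ch])
        elif unicodedata.category(ch) == "Cc":
            out.append("".join("\\x%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "$'" + "".join(out) + "'"


def find_suspect_names(names):
    """Return (name, quoted) pairs for every name that would confuse
    tools expecting printable paths."""
    return [(n, ansi_c_quote(n)) for n in names if has_control_char(n)]


def scan_tree(root):
    """Walk a directory and return relative paths whose final component
    contains a control character."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            if has_control_char(entry):
                found.append(os.path.relpath(os.path.join(dirpath, entry), root))
    return found


if __name__ == "__main__":
    # Scan a real tree if a path is given, otherwise use the constructed names.
    names = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_NAMES
    for _, quoted in find_suspect_names(names):
        print(quoted)
```

Run it over the folder you are about to upload; any name it prints is one to rename (or delete, as in the letter) before the backup tool sees it.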

Out now: Microsoft Vista for IT Security Professionals

Microsoft Vista for IT Security Professionals is designed for the professional system administrators who need to securely deploy Microsoft Vista in their networks. Readers will not only learn about the new security features of Vista, but they will learn how to safely integrate Vista with their existing wired and wireless network infrastructure and safely deploy with their existing applications and databases. The book begins with a discussion of Microsoft’s Trustworthy Computing Initiative and Vista’s development cycle, which was like none other in Microsoft’s history. Expert authors will separate the hype from the reality of Vista’s preparedness to withstand the 24 x 7 attacks it will face from malicious attackers as the world’s #1 desktop operating system. The book has a companion CD which contains hundreds of working scripts and utilities to help administrators secure their environments.

This book is written for intermediate to advanced system administrators managing Microsoft networks who are deploying Microsoft’s new flagship desktop operating system: Vista. This book is appropriate for system administrators managing small networks of fewer than 10 machines up to enterprise-class networks with tens of thousands of systems. This book is also appropriate for readers preparing for the Microsoft exam MCDST 70-620.

I contributed two appendices to this book:

  • Appendix A: Microsoft Vista: The International Community
  • Appendix B: Changes to the Vista EULA

Appendix A, “Microsoft Vista: The International Community”, was about Microsoft’s legal troubles in Europe and Asia, and the changes the company had to make to Vista to accommodate those governments. Appendix B, “Changes to the Vista EULA”, explained that the EULA in Vista is even worse than that found in XP, which was worse than any previous EULA. In other words, Vista has a problematic EULA that users need to know about before they buy the OS.

Read excerpts: Front Matter (350 KB PDF) and Chapter 1: Microsoft Vista: An Overview (760 KB PDF). You can flip through the entire book, although you’re limited to the total number of pages you can view (but it’s a pretty high number, like 50 or so).

Learn by working on hard problems

From Paul Graham’s “Undergraduation” (March 2005):

Thomas Huxley said “Try to learn something about everything and everything about something.” Most universities aim at this ideal.

But what’s everything? To me it means, all that people learn in the course of working honestly on hard problems. …

Working on hard problems is not, by itself, enough. Medieval alchemists were working on a hard problem, but their approach was so bogus that there was little to learn from studying it, except possibly about people’s ability to delude themselves.

Education teaches people how to solve problems, not choose the good ones

From Paul Graham’s “Why Smart People Have Bad Ideas” (April 2005):

Why did so few applicants really think about what customers want? I think the problem with many, as with people in their early twenties generally, is that they’ve been trained their whole lives to jump through predefined hoops. They’ve spent 15-20 years solving problems other people have set for them. And how much time deciding what problems would be good to solve? Two or three course projects? They’re good at solving problems, but bad at choosing them.

But that, I’m convinced, is just the effect of training. Or more precisely, the effect of grading. To make grading efficient, everyone has to solve the same problem, and that means it has to be decided in advance. It would be great if schools taught students how to choose problems as well as how to solve them, but I don’t know how you’d run such a class in practice.

A new way to steal from ATMs: blow ’em up

From Bruce Schneier’s “News” (Crypto-Gram Newsletter: 15 March 2006):

In the Netherlands, criminals are stealing money from ATM machines by blowing them up. First, they drill a hole in an ATM and fill it with some sort of gas. Then, they ignite the gas — from a safe distance — and clean up the money that flies all over the place after the ATM explodes. Sounds crazy, but apparently there has been an increase in this type of attack recently. The banks’ countermeasure is to install air vents so that gas can’t build up inside the ATMs.

Change the AMD K8 CPU without authentication checks

From Bruce Schneier’s Crypto-Gram Newsletter (15 August 2004):

Here’s an interesting hardware security vulnerability. Turns out that it’s possible to update the AMD K8 processor (Athlon64 or Opteron) microcode. And, get this, there’s no authentication check. So it’s possible that an attacker who has access to a machine can backdoor the CPU.

[See http://www.realworldtech.com/forums/index.cfm?action=detail&id=35446&threadid=35446&roomid=11]

Posse Comitatus Act

From Geoffrey Klingsporn’s “The Secret Posse” (Legal Affairs: March/April 2005):

What do these scenarios have in common? Under current military policy, both fall under the heading of “Information Operations,” officially defined as “actions taken to affect adversary information and information systems while defending one’s own information and information systems.” …

The law that, in effect, prevents the Army from acting as a national police force is the Posse Comitatus Act, an 1878 statute that prohibits law enforcement officers from using military personnel as a posse comitatus—Latin for “power of the county” or, in the vernacular of the Old West, a “posse”—to enforce domestic law, except with the express authorization of the president or Congress. …

“The use of military forces to seize civilians,” wrote the U.S. Court of Appeals for the Eighth Circuit, “can expose civilian government to the threat of military rule and the suspension of constitutional liberties,” and can chill free speech and other fundamental rights, creating the atmosphere of an enemy occupation. …

Since the 1980s, though, the statute has been weakened by laws that allow the military to help address the problems of drug trafficking, natural disasters, and terrorist attacks. It is now routine for soldiers and sailors to help state and local police with training, equipment, and logistics; to detect and monitor suspected smugglers; and to keep order in disaster areas. … But the courts generally have ruled that it is well within the discretion of the president and Congress to allow the military to help in nonmilitary situations, including cases of terrorism. In 1988, a federal district judge in Washington, D.C., ruled that the Posse Comitatus Act was not violated when the FBI used the Navy to help capture a suspected terrorist in international waters and transport him to the United States.

Problems with fingerprints for authentication

From lokedhs’ “There is much truth in what you say”:

The problem with fingerprints is that it’s inherently a very insecure way of authentication for two reasons:

Firstly, you can’t change it if it leaks out. A password or a credit card number can be easily changed and the damage minimised in case of an information leak. Doing this with a fingerprint is much harder.

Secondly, the fingerprint is very hard to keep secret. Your body has this annoying ability to leave copies of your identification token all over the place, very easy for anyone to pick up.

Fundamentalism as limited reading

From Douglas Rushkoff’s “Faith = Illness: Why I’ve had it with religious tolerance”:

When religions are practiced, as they are by a majority of those in developed nations, today, as a kind of nostalgic little ritual – a community event or an excuse to get together and not work – it doesn’t really screw anything up too badly. But when they radically alter our ability to contend with reality, cope with difference, or implement the most basic ethical provisions, they must be stopped. …

As I’ve always understood them, and as I try to convey them in my comic book, the stories in the Bible are less significant because they happened at some moment in history than because their underlying dynamics seem to be happening in all moments. We are all Cain, struggling with our feelings about a sibling who seems to be more blessed than we are. We are always escaping the enslaved mentality of Egypt and the idolatry we practiced there. We are all Mordechai, bristling against the pressure to bow in subservience to our bosses.

But true believers don’t have this freedom. Whether it’s because they need the Bible to prove a real estate claim in the Middle East, because they don’t know how to relate something that didn’t really happen, or because they require the threat of an angry super-being who sees all in order behave like good children, true believers – what we now call fundamentalists – are not in a position to appreciate the truth and beauty of the Holy Scriptures. No, the multi-dimensional document we call the Bible is not available to them because, for them, all those stories have to be accepted as historical truth.