From All Directions

If you’re not a computer security professional, you may not be aware of the magnitude of the attacks on the computer systems on which we rely. Andrew Burt and Dan Geer on Lawfare can give you a taste:

Attack surfaces have expanded beyond any organization’s ability to understand, much less defend against, potential adverse events. Common interdependencies, once assumed secure, are not, rendering entire protocols, infrastructures, and even hardware devices susceptible to exploitation.

So large is the deluge of potential security threats that a new phrase has entered the lexicon for information security professionals: “alert fatigue.” One 2015 study, focused on malware triaging efforts at over 600 US organizations, found an average of 17,000 alerts generated per week, with only 4 percent of such alerts ever investigated. And that’s just malware alerts. The information we have at our disposal about our vulnerabilities does little in the way of mitigating them.

This serves as an intro to a paper they’ve written for the Hoover Institute. I’ve not read it, lacking free time. But this alert fatigue is a warning that our systems are too vulnerable. Long ago, I briefly worked for Siemens Energy Automation Systems (long enough ago that I’m not sure I have the name right and I don’t even know if that entity is still around), a division of Siemens that supplied computer systems for controlling electrical grids, and I know that, at the time, many of those installations were available via the Internet. I know because I found myself debugging systems on the fly in other states and countries, without ever leaving Minnesota.

In retrospect, that’s an amazing lapse. It’s like putting a webcam in your bathroom so people can watch you do your thing. (Yeah, yeah, I’m sure some people do that, too, but I’m making a point here.) Now, I do recall some of my colleagues traveling to do the same sort of work, indicating that at least some of our customers had the proper level of paranoia, but I suspect that was a minority.

But I really do wonder how many systems that are on the web really shouldn’t be.

Ummmm, No

Out at Rosedale (Roseville, MN) they’ve opened the most upscale food court I’ve ever seen. It’s called The Revolution and looked, at least in spots, delicious. Too bad I won’t be partaking. Why?

Only credit, debit, or gift cards? Really? This pronouncement, once you think about it, is mostly just garbage. Let’s do a quick dissection:

  1. Smoother service. Really, folks, we’ve all learned how to wait in line. Really. And, you know what? Your long, slow lines are going to be one hell of a lot longer and slower if you lose connections to the central credit servers. I’ve seen it happen and, if you’re lacking a cash option, your customers are not going to have a happy experience. They’ll have all those wonderful smells, cash in their pockets, and yet not be able to buy any of those products that smell so good. Ah, of course, you could equip your vendors with those big old credit card manual processors. Remember them? <klunk, klunk, scribble> They will be significantly slower than straight cash.
  2. Cashless terminals. Sure, of course it’s logical that the presence of cashless terminals requires your entire facility be cashless. Of course it does! (Why are you shouting?) Of course … Of … course. Oh, wait. Maybe not. Logic. So much for that point.
  3. Cleaner. This might possibly be true. But, given the lack of cries of calamity, I doubt it’s a major problem. How about just issuing latex gloves to the cashiers?
  4. Easier. No, just no. But I’ll defer this explanation.
  5. Safer [for customers]. No, not really. A stolen credit card means a big drain on your account, and while the issuer will cover [most] of it, that just means higher interest rates for everyone using credit. Cash is not open-ended like a credit card, and, depending on how it’s carried, can be more difficult than a card to subtly steal. And not nearly as attractive to thieves who know how to use a stolen credit card.
  6. Safer [for vendors]. Yes! You’re right! Cash must be moved physically, and many merchants prefer to take a discount on their profits to handling cash. It makes sense. BUT IT DOESN’T MATTER TO ME. Your problems are your problems. Don’t impose them on me.
  7. No-Cash. This policy is legal [although the informal reasoning presented in the link provided eludes me] but unfriendly to those of us who don’t care for plastic, whether their reasons are monetary or ecological. A little confused on that last point? Plastic is, after all, plastic. Consider this: Best Buy has stopped issuing plastic gift cards, because they’re, well, plastic. They’ve gone with paper, which is presumably recyclable. So you’ve lost those folks who think it’s more ecological to go with cash than credit cards. (I don’t actually know if that’s true or not.)

Now, back to the Easier point. In the short term, many customers find it easier to use credit cards. Some use them for acquiring more and more stuff, others for budgeting.

But I’m a software engineer, and I’ll tell you what – credit cards are now all about computers, and what we’re generating here is a data trail for consumption by the Big Data analysis centers. These are used for a variety of operational purposes, but functionally, they’re mostly the same – how to extract more money from your wallet. As a consumer, I might like that (no, I’m not kidding – think of how hard it is to find stuff you want if you have specialized needs), but then again I might not. Discipline can be a problem for some folks.

Other purposes are more sinister, and mostly center around acquiring other information about you, such as your habits, your acquisitions, your physical locations, all the sort of things that most people would prefer to be kept out of sight. Which is not to say that they aren’t anyways. We spray off data every time we go online, every time we cross the visual field of a surveillance camera, etc etc. But it takes a lot of effort to bring all those things together, because the databases are disparate.

Which is why I dislike this scheme. By forcing you to disgorge your data into their computers, they learn a whole lot about you in a way that doesn’t require cross-referencing schemes across multiple databases. This is basically a corporate grab of data that they can analyze and make more money off of.

Not to mention they’re forcing you OUT of the generally accepted monetary system of the United States, and into the corporate-controlled monetary system of credit & debit.

So, call me a crank if you will, and I’ll regret not sampling the pizza, but “Revolution” this is not. This is all about corporate profit and how to maximize it at your expense. And shitty, fallacious signage.

Belated Movie Reviews

Looking for a new residence, she’s just not sure this one’ll do for her thousands of offspring. Maybe something a little taller?

Falling into the same category as Terrordactyl (2016) is Big Ass Spider! (2013), which concerns the Army losing track of a corpse of someone killed by a mutant spider. When the corpse shows up in the morgue of a local hospital, and the spider escapes into the ventilation system, pest exterminator Alex offers to go after “it,” whatever it is, in exchange for voiding his hospital bill.

By the time he and his informal partner track it down to the physical plant of the hospital, the Army has arrived and boggles up his attempts to take down the spider, which is only a foot or two across.

Things go rapidly downhill after that, as the spider escapes the building and rapidly begins harvesting “food” (that would be humans) in preparation for reproducing (although it’s not clear what it might have mated with in order to fertilize the eggs), with Alex in dogged pursuit, and one might say in competition with the Army, in particular the second-in-command, a lovely Lieutenant Karly. Their firearms are useless against the carapace of the spider, and Alex is having problems applying poison to the spider. By the time the spider spawns, Karly is another item on the menu. And the spider?

Well, it’s big ass.

This is another entry in the evolution of the role of mythical monsters in the psyche of Western Civ. Representative of the divine in the early centuries, they exchanged those responsibilities for the role of being the devilish offspring of scientists, but now they’re becoming the creatures we must overcome to assert our dominance in the local neighborhood, even as they are a result of our own miscues. For all this may be played for horrific laughs, it can be seen as societal training for future treatment of monsters, extra-terrestrial or domestic, political or physical.

As a movie, it’s not bad, but not great. We had more fun with it than we expected, to be honest, and there are minor names in the cast as well, which may explain why it didn’t descend into that layer of movies known as cultishly bad. It was competently acted.

But, still, it was silly.

R.I.P., GHWB

I wasn’t paying much attention when our late President, George H. W. Bush, served his one and only term as President. He ran the Gulf War, and I do remember friends in the Reserves going off to serve in the war. He served as a pilot in World War II, shot down and rescued after completing a dangerous mission; went on to a private career in the oil industry; his government service included a stint as a Representative, director of the CIA, and Vice President to Ronald Reagan, before his election to the Presidency. I suspect he was limited to a single term as President because the extremist wing of the party, which had gotten started in earnest under Reagan, couldn’t abide Bush’s vision of an honorable and sober approach to governance, and while he won the nomination, he lost the general election.

Rest in Peace, President Bush. Whatever the blemishes of which I’m not aware, I think they’re more than balanced by dedication to good.

It’s A Trifle Disingenuous, Ctd

With regard to ranked-choice voting in Maine, a reader writes:

Preaching to the choir, of course, but his lawsuit is complete bullshit. RCS [RCV] is effectively like holding actual multiple rounds of voting until someone gets a majority, but does it all in one go, saving a ton of money and time.

But it’s true that most American elections are not majority victory, but simple plurality victory. Incidentally, Minneapolis is using RCV, with the most recent race resulting in the election of Jacob Frey after four rounds. I recall no complaints regarding the use of RCV.

Since the Maine electorate chose through referendum to change to RCV (twice!), I don’t think his lawsuit has a chance of succeeding, but we shall see.

Is He Just A Human Smoke Screen?

The acting Attorney General, Matthew Whitaker, is attracting scandals like rotting meat attracts flies. Steve Benen provides a helpful summary:

The sheer volume of controversies surrounding acting Attorney General Matt Whitaker – who was only appointed to the job three weeks ago – is extraordinary. New reports, each of which are deeply embarrassing to the nation’s top law enforcement official, seem to pop up with alarming frequency.

Just over the last week or so, Whitaker has faced credible allegations of having violated the Hatch Act and having run a dubious child-care facility in Iowa. Today, the news went from bad to worse.

The Washington Post, pointing to Federal Trade Commission documents released in response to a public records request, reports that Whitaker not only helped lead a scam operation called World Patent Marketing, but he was well aware of complaints from defrauded customers.

Despite the complaints, Whitaker “remained an active champion of World Patent Marketing for three years – even expressing willingness to star in national television ads promoting the firm, the records show.”

A Bloomberg News report twisted the knife.

And I’ll just stop there. There’s so much more, but it makes me nauseous.

Matthew Whitaker, tough guy and wannabe AG.

So after I stopped laughing at this zero-peg on the morality scale, and the lying liar who keeps on stocking the swamp with the largest alligators ever seen in the Federal government – much bigger than Obama’s alligators, one might envision Trump saying – I’ve begun to wonder about misdirection.

Whitaker’s ludicrous. Whitaker’s a joke. I’m not a lawyer, and even I can tell he’s a joke. Even if I take into account Trump’s predilection for selecting candidates to fill roles based on physical appearance, and willingly grant that Whitaker looks like an AG, his record still makes him a joke.

So while the reporters and the pundits and the basset hounds (those of us venting pressure) run around penning pieces on this pathetic joke, I have to wonder what the hell Trump thinks he’s up to behind the smoke and mirrors. This entire AG thing makes so little sense that it’s as if Trump were suffering from dementia.

All I can think is maybe, just maybe, his preferred nominee is being kept in the wings until the new Senate convenes, where he’ll have a more substantial majority, and can nominate someone who won’t be blocked by any two GOP Senators by the name of Flake (retired), Corker (retired and utterly irrelevant even when he wasn’t), Murkowski (erratic), or Collins (easily fooled anyways). With a 53-47 majority, Trump can lose three Senators and still have his selection confirmed, since Vice President Pence will always do his bidding.

Will it be Whitaker? Or will he pick some other tough guy, like Clint Eastwood, instead?

Our new Attorney General Eastwood attends every hearing in Congress with a six-shooter on his hip, by command of President Trump. He’s also not permitted to wash his hair.

Or is there something deeper going on? Or is it just that he can’t unglue himself from the TV to pursue this very serious matter any further?