Category Archives: Security

US continues double-standard on IP

Budweiser, Parmesan, Cheddar, Bologna, Gorgonzola…all these terms represent a small sample of ideas from Europe shamelessly taken and used indiscriminately throughout America without credit to their true origins.

In the case of Budweiser (pun intended), as I’ve mentioned before, the US brewing company had the nerve to not only copy the Czech beer, but to try and force a ban on the original from continuing to be sold in its own country. Likewise, Disney is infamous for taking public domain fairy tales like Cinderella and claiming them as original works of art to be globally protected under US law:

The tale’s origins appear to date back to a Chinese story from the ninth century, “Yeh-Shen.” Almost every culture seems to have its own version, and every storyteller his or her tale. Charles Perrault is believed to be the author, in the 1690s, of our “modern” 300-year-old Cinderella, the French Cendrillon.

Hard to say how accurate such a claim is, but it certainly gives a different perspective on the recent trade debate on IP and how the US feels it needs to protect its “innovation”:

US Trade Representative Susan Schwab said in a statement accompanying the report: “Innovation is the lifeblood of a dynamic economy here in the U.S. and around the world,

“We must defend ideas, inventions and creativity from rip-off artists and thieves.”

Wonder if the authors of Yeh-Shen were ever compensated appropriately by those who retold the story…

Of course the ability to duplicate a medium makes the issue more complicated, but perhaps the problem is in over-estimating value of a recording versus live performance? There must be some freakonomics at work here. I mean does a DVD really need to cost US$30, or are the prices and loss estimates inflated by fees paid to lawyers and lobbyists?

Breakable Oracle

Oracle security is a funny thing. Take this alert from red-database for example:

By specifying a special value for the parameter desname Oracle Reports can overwrite any file on the application server.

[…]

History

12-aug-2003 Oracle secalert was informed
26-sep-2003 Bug confirmed
15-apr-2005 Red-Database-Security informed Oracle secalert that this vulnerability will be published after CPU July 2005
Red-Database-Security offered Oracle more time if it is not possible to provide a fix ==> NO FEEDBACK.
12-jul-2005 Oracle published CPU July 2005 without fixing this issue
18-jul-2005 Red-Database-Security published this advisory
21-jul-2005 Cert VU# and affected products added
25-aug-2005 CVE number added
16-sep-2005 Workaround was incomplete and is now correct (Thanks to D. Nachbar for this information)
13-jan-2005 days since initial report updated
17-jan-2006 Oracle published the Critical Patch Update January 2006 (CPU January 2006)
19-jan-2006 Oracle Vuln# REP06

Note the almost three years between first notice and critical patch.
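The advisory’s point is that a caller-supplied output filename reached the filesystem without being confined, which is the general arbitrary-file-write pattern. As an added illustration (my own example, not Oracle’s code and not Red-Database-Security’s workaround), here is the kind of containment check a defender would want in front of any “write the output here” parameter: the requested name is resolved beneath a fixed output directory and rejected if it escapes that directory, carries path components, or has an unexpected extension. The directory path, extension allow-list and function name are assumptions made for the example.

```python
import os
from typing import Optional
from pathlib import Path

# Constructed example: the only place the server is ever allowed to write.
OUTPUT_DIR = "/tmp/reports_out"
# Constructed allow-list of report output types (an assumption for the example).
ALLOWED_SUFFIXES = {".pdf", ".html", ".txt"}


def resolve_output_path(base_dir: str, requested_name: str) -> Optional[str]:
    """Return an absolute path under base_dir for requested_name, or None if the
    request must be refused. Refusal cases: empty name, embedded NUL, absolute
    path, any directory component (including '..' traversal), or a suffix that
    is not on the allow-list."""
    if not requested_name or "\x00" in requested_name:
        return None

    base = Path(base_dir).resolve()
    # Path("/a") / "/etc/passwd" yields "/etc/passwd", so an absolute request
    # naturally fails the containment test below; '..' is collapsed by resolve().
    candidate = (base / requested_name).resolve()

    try:
        candidate.relative_to(base)  # raises ValueError when candidate escapes base
    except ValueError:
        return None

    # Require a flat filename: the target's parent must be exactly the output dir.
    if candidate.parent != base:
        return None

    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        return None

    return str(candidate)


def audit_requests(base_dir: str, names):
    """Classify a batch of requested names; returns [(name, accepted_path_or_None)]."""
    return [(n, resolve_output_path(base_dir, n)) for n in names]


if __name__ == "__main__":
    # Constructed sample of requested names, as a log reviewer might see them.
    sample = ["q3-summary.pdf", "../../etc/motd", "/etc/motd",
              "sub/q3.pdf", "q3.cgi", "q3\x00.pdf"]
    for name, accepted in audit_requests(OUTPUT_DIR, sample):
        print(f"{name!r:>20} -> {'OK  ' + accepted if accepted else 'REJECTED'}")
```

The check deliberately does two things: a containment test on the resolved path (which catches traversal and absolute paths together) and a flat-filename test, so that even a legitimately contained subdirectory is refused unless the application has a reason to allow it. The allow-list of suffixes is the cheapest extra guard against overwriting configuration or executable files that happen to live in the output directory.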

I ran into a problem recently, similar to this, which led to a conversation with an Oracle DBA about vulnerabilities. I am not exaggerating when I say I was asked “What is SSL?” and “How do I know if the system can access the Internet?” No, really.

Insecure products, combined with a lack of security awareness among their minions, make Oracle a real liability for many companies. The cost of fixing their software must be a lot to bear. On the other hand they seem to have the money to cut a 10-year deal with a sports stadium and co-sponsor a boat (team Oracle-BMW) in the America’s Cup. Here’s my favorite part of these high profile marketing stories:

The Oracle is the premier entertainment venue in Northern California…

With all the vulnerabilities I keep finding, I couldn’t agree more. Entertaining, but sad too.

Virginia restricts handgun sales

The BBC calls it a loophole. But at the end of the day a control on who can purchase a firearm is just that, and a really good idea:

An existing loophole meant Cho was not entered onto the database even when a Virginia judge ruled he was a danger to himself, because he was treated as an outpatient and never committed to hospital.

The Virginia State Police have now been directed to request copies of orders both for involuntary inpatient and involuntary outpatient care from district courts.

Of course, it still raises the question of how the federal controls play into things, as the NYT pointed out earlier:

Under federal law, the Virginia Tech gunman Seung-Hui Cho should have been prohibited from buying a gun after a Virginia court declared him to be a danger to himself in late 2005 and sent him for psychiatric treatment, a state official and several legal experts said Friday.

This apparently doesn’t faze the anti-regulation radicals who propound the theory that controls don’t stop crimes.

But Jacob Sullum of Reason magazine says gun-control laws “disarm the law-abiding people, but they leave the criminals free to attack their victims who have no defense.”

“It’s never been demonstrated in any conclusive way that gun control reduces crime,” he said.

Sad that CNN would choose a radical for perspective on the subject and leave such nonsense unanswered. The reason he said “in any conclusive way” is surely so he can control the debate on what is conclusive. Tricky.

Sullum wants you to believe that not enough guns are flowing through the halls of Virginia educational institutions. Here is his latest diatribe:

In shootings at other schools, armed students or employees have restrained gunmen, possibly preventing additional murders. Four years ago at Appalachian Law School in Grundy, Virginia, a man who had killed the dean, a professor, and a student was subdued by two students who ran to their cars and grabbed their guns. In 1997 an assistant principal at a public high school in Pearl, Mississippi, likewise retrieved a handgun from his car and used it to apprehend a student who had killed three people.

Utter nonsense. That contradicts his own analysis of the Cho incident, as presented in the prior paragraph in the same story:

If some students and faculty members had access to guns during the attack, there’s a good chance they could have cut it short. According to witnesses, the killer—identified by police as Cho Seung-Hui, a senior studying English—took his time and paused repeatedly for a minute or so to reload.

Paused for a minute or so while completing 100 rounds? Who could run to a truck and get a weapon in that time? The only thing that saved people was running and jumping to escape. That’s it. For Sullum’s theory to work, the classrooms would have to be filled with arms. Do you think a teacher would agree to teach in such an environment? Give an F, get a bullet? Or should the teacher be packing more heat than the students combined in order to enforce their position?

Cho clearly had planned to take out as many people as possible in a very short time by using a machine pistol (mpg of the Glock 18 here) with recently legalized large clips of ammunition. He checked the rooms before he attacked them and his planning indicated he would have anticipated a firefight if he had needed to, just like the heavily armored bank robbers have done in Los Angeles.

Wearing body armor and carrying a trunk full of weapons, the robbers were ready for a fight. And that’s exactly what they delivered, firing “multiple hundreds” of rounds, according to police.

Similar to the LA tragedy, what really happened was an awful mismatch between an armed and irrational assailant and a group that did not realize they were suddenly at risk from significant control gaps in their shared environment.

Citizens should not be tasked to individually close control gaps through expensive and dangerous weapons and training of their own any more than they should have to individually become masters of a subject through self-study instead of attending an educational institution.

Aside from the economics of distributed systems, rational and reasonable behavior is what people agree to in an organization, through negotiation of terms such as “unstable”, followed by controls to detect and prevent vulnerabilities and threats.

Saying that everyone should be on constant guard for every other person’s interpretation of what is right and wrong is a recipe for escalation into disaster. The Bush administration’s security policy in Iraq is a shining example of this as they flattened the existing control system and replaced it with an every-man-for-himself situation under the mistaken belief that their vision would easily dominate the vacuum through economic and military muscle. The last thing Virginia needs is a similarly flawed model to actually incite armed confrontation in the classroom as a means of settling disputes.

Is that rocket-fuel in your baby’s milk?

An MD named Anila Jacob recently testified in the US House about the impact on infants from perchlorate (solid rocket fuel used in explosives and rocket propellants) now found in drinking water and food in many U.S. cities.

The EPA has studied and been warned about this in the past:

Perchlorate, a powerful oxidant used in solid rocket fuels by the military and aerospace industry, has been detected in public drinking water supplies of over 11 million people at concentrations of at least 4 parts per billion (ppb).

Apparently Illinois Congressman John Shimkus challenged Dr. Jacob’s testimony by saying the financial burden of cleaning up America’s water would be too great for corporations like Lockheed Martin, and that the US should indefinitely delay definition of a contaminant level.

The Doctor’s response to Shimkus is notable:

Congress’s first concern ought to be the health of the nation’s children who are forced to drink rocket fuel in their tap water.

Is Shimkus really more concerned about the security of Lockheed Martin’s profits than the health and safety of US citizens? One would think he would realize that the security of the country is closely tied to a clean environment. I don’t buy the argument that more data is required before setting a limit, since the health risks are documented while the source data is intentionally obscured:

Production and use estimates of perchlorate are hard to come by: the military considers the numbers secret, and fertilizer producers won’t share them, saying they are proprietary information.

For what it is worth, it turns out Shimkus is not exactly the sort of man who carries a strong sense of ethics, or even stands by his own words:

Shimkus announced in September 2005 that he will run for reelection in 2008, despite making a pledge when first elected in 1996 not to stay in office for more than 12 years. He said he will run for a seventh term in 2008 if he wins re-election in 2006. “It was a mistake at the time,” he said about his 1996 campaign promises. “Unless everyone plays by the same rules, term limits don’t make sense.”

Uh, it’s ok to do the wrong thing if other people are doing it too? Maybe Shimkus will run a campaign on “I’ll allow toxins in every cup”. Or maybe he should continue his pro-life stance with “abortion is wrong, but intentionally poisoning your baby is ok if it keeps defense and aerospace companies profitable.” I can see my ethics professor rolling his eyes and pulling on his hair in frustration. Clearly US national security is most at risk from exactly this kind of malfeasance.