Category Archives: Security

70% of Dell Users Want Linux

I thought Dell made this commitment years ago (around the time I gave up on them for taking too long to support Linux) but I guess upper management is still not convinced and has only just realized they should have been pre-installing Linux all these years. A survey cited by the BBC shows just how far things have come:

Earlier this year, 100,000 people took part in a Dell survey. More than 70% of respondents said they would use Linux.

That is a lot of penguins!

Sad that it takes such a vast majority before Dell is comfortable announcing that they have “heard” their users. Wonder what percentage cited quality or security as their primary reason for the switch?

Speaking of ignoring reality, remember when Steve Ballmer compared open source to Communism and said Linux will never make it to the desktop? I find him to be an annoyingly ignorant fool when it comes to history and politics. Anyone who has used open source software must know that they are in the hands of not only the most brilliant minds but some of the most modest and caring hands in the world. Even Microsoft has to play catch-up by copying the ideas generated outside their halls. Vista is probably their closest attempt yet to copy Unix.

Good to hear Dell is finally trying to escape the choke-hold and embrace the free-thinking alternative to the Microsoft OS. So many years wasted, but at least Gates never succeeded in his plan to crush anyone who thought they could give something away for free. Let us not forget his ironically “open letter” from 1976, explaining the pogrom he was about to wage against American software developers that thought too openly or tried to share ideas without monetizing them:

One thing you do do is prevent good software from being written. Who can afford to do professional work for nothing? What hobbyist can put 3-man years into programming, finding all bugs, documenting his product and distribute for free? The fact is, no one besides us has invested a lot of money in hobby software. […] Most directly, the thing you do is theft.

I guess we can just say it is a good thing he only hated software “hobbyists” instead of turning his taunts towards some race or religion? And isn’t it funny how the Gates method has produced some of the worst software and most liabilities for the users while amazingly high quality software continues to grow from an open and free source. All the more reason why it is strange for Harvard to suddenly decide to give the guy a degree in their name, especially just after his philanthropy has been accused of ulterior motives:

After the LA Times reported that the Gates Foundation often invests in companies hurting the very communities Bill and Melinda want to help, the Seattle Times reported the foundation planned ‘a systematic review of its investments to determine whether it should pull its money out of companies that are doing harm to society’. Shortly after that interview, the Gates Foundation took down their public statement on this and replaced it with a significantly altered version which seems to say that investing responsibly would just be too complex for them and that they need to focus on their core mission

According to some friends in the investment community, this core mission could be to find a place their wealth can continue to grow without risk of consumer resentment, government regulation or taxes. Just like Gates’ aim to “help” the software industry, his aim to fix ailments could really just be another strategic money and power-grab that could have serious long-term negative effects (e.g. bolstering harmful business practices) on those who believe his story.

Meanwhile, back to the real world of philanthropy:

Captain Ronnie Young of the United States Air Force says that Craigslist and Google Earth, both popular freebies, saved lives during the Hurricane Katrina disaster. “Just because it’s free, that doesn’t mean it’s not up to the task of doing great things,” Young says.

Tobacco and Ethanol Death

A comment by someone on my post about the death of the Armenian PM got me thinking about export death and tobacco. I did a little reading and searching and ran into a Trade and Environment Database (TED) report called Zimbabwe Tobacco Exports (ZIMTOBAC Case). I think it’s from 1994 and it has some interesting claims. Consider, for example, this little nugget in the Description section:

Tobacco smoke is the most widespread of known pollutants. In developed countries, ethanol and tobacco are the two principal causes of avoidable death.

Based on what? More than lead? More than mercury? And what’s that about ethanol?

A little more reading and it appears it has been flagged by the EPA. Here is a revealing story from 2002:

Factories that convert corn into the gasoline additive ethanol are releasing carbon monoxide, methanol and some carcinogens at levels “many times greater” than they promised, the government says.

[…]

States started measuring VOC emissions at ethanol plants about a year ago following complaints of foul odors. One small facility in St. Paul, Minn., had to install $1 million in pollution control equipment to reduce the emissions.

“To the extent that this new test procedure is identifying new VOC emissions, the industry has certainly agreed to address those,” said Bob Dinneen, president of the Renewable Fuels Association, the recipient of EPA’s letter.

Is that ethanol pollution or ethanol plant pollution? A study from 1997 speaks directly of pollution from ethanol fuel:

A recent field study in Albuquerque, N.M., published this month in Environmental Science & Technology, showed that use of ethanol fuels leads to increased levels of toxins called aldehydes and peroxyacyl nitrates (PAN).

[…]

PAN is highly toxic to plants and is a powerful eye irritant. It has been measured in many areas of the world, indicating that it can be carried by winds throughout the globe.

“Although these pollutants are not currently regulated,” said Argonne chemist Jeff Gaffney, “their potential health and environmental effects should be considered in determining the impact of alternative fuels on air quality.”

Incidentally, Dinneen’s comment reminds me of a discussion I had recently with a guy in charge of thousands of servers running all over the world. He had the classic “tell me what’s wrong, but don’t tell me anything I don’t want to know” approach to risk management. Yes, it’s contradictory. Or maybe I should say he did not seem to fully appreciate the opportunity to review a comprehensive list of issues in order to prioritize risks to his environment. Even my basic tests revealed important risks, but he slipped into denial and then anger when a messenger brought the message. Eventually he agreed to a Dinneen-like position — to address things brought to his attention. More on that later.

Back to the ethanol: it turns out that a million dollars spent on emission controls is just the beginning of the story on the Minnesota plant. Data released by the Minnesota Pollution Control Agency and the US Department of Justice showed that the expected results were impressive:

The agreements announced today will ensure each plant installs air pollution control equipment to greatly reduce air emissions such as volatile organic compounds (VOCs) by 2,400-4,000 tons per year and carbon monoxide (CO) emissions by 2,000 tons per year. In addition to contributing to ground-level ozone (smog), VOCs can cause serious health problems such as cancer and other effects; CO is harmful because it reduces oxygen delivery to the body’s organs and tissues. The settlement also will result in annual reductions of nitrogen oxides (NOx) by 180 tons, particulate matter (PM) by 450 tons and hazardous air pollutants by 250 tons.

This of course was the tail end of the Clinton EPA and the start of the Bush and Cheney policies to remove regulation of harmful emissions, as a Washington Post story explains with regard to coal:

The case against Duke Energy was one of many initiated by the EPA across the country in the waning days of the Clinton administration.

The Clinton crackdown was bitterly opposed by utilities, and the Bush administration promised to change EPA enforcement policy.

But the EPA continued to press cases that were already pending when the administration took office in 2001, so the Bush EPA and Environmental Defense had been on the same side of the Duke Energy case until the 4th Circuit’s ruling.

That soon changed. I’m certain Cheney or one of his minions thinks it is best for the industry to shoot messengers who bring the wrong messages instead of spending efforts on innovation and research to solve the actual problems. Solving problems requires that he acknowledge they exist and address them.

So, with the high profile of this coal case and the number of deaths cited, I am curious whether ethanol actually carries a higher risk.

Environmental Defense says that about 17,000 facilities are covered by the rules, and it cites studies that show 20,000 premature deaths per year traceable to pollution from coal-fired plants.

The decision on coal is apparently due this July. Wonder if it will set a precedent for other energy companies, especially as the Bush administration appears to want to pander to the corn lobby with bold invitations into the fuel industry.

Still looking for data on ethanol-related deaths in industrialized countries…

Max Microchip

While doing research on how to deal with the awful proprietary AVID RFID chips implanted in American pets, I came across a brilliant site called Max Microchip. Here’s my favorite part:

Your reaction to the rec.pets-2005a standard might be something like this, and I would say understandably so: “I bought the Encrypted readers and tags for my operation years ago because the Kennel Club accepts it for identification requirements, it was readily available, friends recommended it, and it works great. Now you tell me that each dog has a different number that’s the real number? It looks like a Bogus Code to me.” That’s one point of view. But consider the point of view of the pet rescuer, (meaning, anyone who tries to find the owner of a stray pet) who may find one of the dogs from the Puppy Farm after it has been adopted and then has run away from home. He might say, “You didn’t ask me if encryption was a good idea. I can easily read what this dog’s chip is transmitting, but if the pet registry requires me to make my report with the result of a secret algorithm that only certain reader manufacturers know, that’s like asking me to translate a collar tag into an obscure ancient dialect of Chinese. The open technology reading is the animal’s true identifying characteristic. Anything else is a Bogus Code.” The pet rescuer’s point of view is the one that deserves to carry the day, because he’s always been the volunteer who makes the whole system work. (I would suggest that if you have a pet with an “Encrypted”-type transponder, you might want to check with your registry to find out if they will be accepting found pet reports by open technology such as rec.pets-2005a, or continue to accept only the proprietary codes.)

Max really raises the question of whether the encryption was meant to protect the system from losing market share or to help protect the pets/owners.

Massive TJX encrypted (or not) data theft

The BBC does not give much detail in its story, but it does at least mention that the data in question may have been encrypted:

In its filing to the Securities and Exchange Commission (SEC) the group said it believed “the intruder had access to the decryption tool for the encryption software utilized by TJX”.

Interesting. I’ve seen several people miss this fact in their analysis of the incident. Key management is often mentioned as a vague concept in the emerging regulations. Will we see sudden interest in tightening up the audit requirements for this crucial aspect of encryption? We’re working hard to refine and publish EKMI audit guidelines. The BBC continues…

It also admitted it did not know who, or how many people, were behind the attack, or whether there had been one breach or many.

The papers also said that a further 455,000 customers who returned merchandise without receipts had personal data stolen – including driver’s license numbers.

[…]

Hackers managed to access information from its TJ Maxx, Marshalls and HomeGoods shops in the US and Puerto Rico; Bob’s Stores in the US; as well as Winners and HomeSense shops in Canada.

It’s all so vague, but at least they’re trying to warn people/companies who might be affected. One might gather that times really have changed when reading a SF Gate article that (over?) emphasizes how little is apparently known about the incident:

“It’s not clear when information was deleted, it’s not clear who had access to what, and it’s not clear whether the data kept in all these files was encrypted, so it’s very hard to know how big this was,” said Deepak Taneja, chief executive of Aveska, a Waltham, Mass.-based firm that advises companies on information security.

Funny quote, eh? Maybe it is just not clear to Deepak? Wonder what he considers “easy to know” in investigations.

TJX also remains uncertain of the theft’s size because it deleted much of the transaction data in the normal course of business between the time of the breach and the time TJX detected it.

“There is a lot of information we don’t know, and may never be able to know, which is why this investigation has been so laborious,” TJX spokeswoman Sherry Lang said.

Oops. I always wonder what people are thinking when I come across data retention practices that keep sensitive consumer identity/card data around longer than necessary but that delete transaction and log data.

The PCI DSS has helped me significantly in the face of VPs and C-level folks who insist that they absolutely need to keep consumer data around for “convenience” or some other arguably lopsided (is it really in the consumer’s interest?) value proposition. I can’t reveal names/places but I’ve certainly had some heated confrontations where I get to try and convince a highly-successful and profitable business person that their practices have generated a “weaponized” data repository that could blow up and things must change immediately.
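To make the retention point concrete, here is an added example (not code from the post, TJX, or the PCI Council) of the policy the post argues for: purge the full card number and driver’s license data soon after they are no longer needed, but keep the masked transaction records for a longer forensic window so an investigation can still reconstruct what happened. The 30-day and 365-day windows are hypothetical assumptions, and the account numbers are well-known test numbers, not real card data; the records below are constructed.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class TransactionRecord:
    """One retail transaction as a processor might store it (constructed shape)."""
    txn_id: str
    timestamp: datetime
    store: str
    amount_cents: int
    pan: Optional[str]               # full primary account number, while still held
    drivers_license: Optional[str]   # identity data from a no-receipt return
    masked_pan: Optional[str] = None  # what remains after the card data is purged


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, the masking PCI DSS permits for display."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def apply_retention(records: List[TransactionRecord], now: datetime,
                    card_retention_days: int = 30,
                    log_retention_days: int = 365) -> List[TransactionRecord]:
    """Apply a two-tier retention policy (hypothetical windows).

    - Older than log_retention_days: drop the record entirely.
    - Older than card_retention_days: strip the PAN and licence number but keep the
      transaction itself (time, store, amount, masked PAN) for investigations.
    - Younger than both: keep as-is (still needed for settlement/chargebacks).
    """
    kept = []
    for rec in records:
        age = now - rec.timestamp
        if age > timedelta(days=log_retention_days):
            continue
        if age > timedelta(days=card_retention_days):
            masked = rec.masked_pan or (mask_pan(rec.pan) if rec.pan else None)
            rec = replace(rec, pan=None, drivers_license=None, masked_pan=masked)
        kept.append(rec)
    return kept


def retention_report(records: List[TransactionRecord]) -> dict:
    """Count how many records still expose a full PAN versus only a masked one."""
    full = sum(1 for r in records if r.pan is not None)
    masked = sum(1 for r in records if r.pan is None and r.masked_pan is not None)
    return {"total": len(records), "full_pan": full, "masked_only": masked}


# Constructed sample data. "Now" is fixed so the example is deterministic.
NOW = datetime(2007, 3, 30, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    TransactionRecord("T-1001", datetime(2007, 3, 25, tzinfo=timezone.utc), "store-17",
                      4999, "4111111111111111", None),                 # 5 days old
    TransactionRecord("T-1002", datetime(2007, 1, 15, tzinfo=timezone.utc), "store-02",
                      12050, "5500000000000004", "D1234567"),          # 74 days old
    TransactionRecord("T-1003", datetime(2005, 12, 1, tzinfo=timezone.utc), "store-09",
                      899, "4111111111111111", None),                  # over a year old
    TransactionRecord("T-1004", datetime(2006, 11, 1, tzinfo=timezone.utc), "store-02",
                      2599, "5500000000000004", "D7654321"),           # 149 days old
]


if __name__ == "__main__":
    before = retention_report(SAMPLE_RECORDS)
    after_records = apply_retention(SAMPLE_RECORDS, NOW)
    after = retention_report(after_records)
    print("before:", before)
    print("after: ", after)
    for r in after_records:
        print(r.txn_id, r.timestamp.date(), r.store, r.amount_cents,
              r.pan or r.masked_pan, r.drivers_license)
```

The point of the split windows is the one the post makes: the data that creates liability (full PAN, licence numbers) is the data with the shortest legitimate business use, while the transaction and log records that an incident responder needs are cheap to keep and are not themselves sensitive once the card number is masked.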