Dan Simmons on Poetry

I love this description of poetry by the famous science fiction author Dan Simmons:

I don’t think I’ve ever seen it commented on, but there’s a great affinity between writing poetry and SF. As with poetry, quality speculative fiction demands great skill with language and invites linguistic invention. As with poetry, good SF delves deep into metaphor while sliding lightly on the surface of its own joy of telling. As with poetry, quality SF demands a much greater collaboration on the part of the reader — a greater sensitivity to detail, word-meaning, texture, and nuance, as well as a greater involvement in ferreting out meaning.

My favorite commentator on things literary — Harold Bloom — has said that the common element to all great literature, from Homer and Shakespeare and Goethe through Emily Dickinson to Mark Twain — is an ineffable quality of “strangeness.” By that he doesn’t mean deliberate post-modern weirdness or Ken Kesey wonkiness, but rather an indescribable, out-of-its-own-time, deep-to-the-literary-marrow differentness that great prose and poetry carries in itself and conveys to successive generations. It tends to mix the sacred and the profane, the profound and the entertaining, in a way that helps us to redefine ourselves and our cultures. The most ambitious of speculative fiction has a taste of that delicious strangeness, for both the writer and the reader.

Yeah, Bloom is definitely an insightful thinker on things literary. I often wonder about his hypothesis that the Bible was just inspired writing and was never meant to be the basis for dogma.

OpenBSD hole

Number two has been discovered! Their main page now reads:

Only two remote holes in the default install, in more than 10 years!

According to Core, it seems you have to be on the same network or on IPv6 to exploit the hole, so the slow adoption of IPv6 actually works in their favor to mitigate the risk. A patch has been released already and there is also a workaround.

Hitchcock Automotive and Your Fingerprints

Lornamatic has posted a fabulously written story of a terrible customer experience at a car dealer run by Hitchcock Automotive. In a nutshell the dealer demanded a thumbprint to seal the sale of a car but did not provide any assurance to the customer about the safety or use of the thumbprint, and so the customer did the right thing and walked away.

I wonder if the dealer will soon run ads that say

Give us the finger and we’ll give you a car!

Good thing I never went into marketing, eh?

The story is really well done and definitely worth reading. I won’t give it away because I don’t think I can do it justice, but I will comment on a comment at the end of the story because it is rather funny and ironic. Someone who signed their comment as Andy wrote:

I’m assuming the good folks at that dealership are doing the best they can and are not interested in framing you

Right. First of all the risk is not being framed. The risk is losing your fingerprint to an identity thief. Then what? Get a new hand? Second, should someone really believe that gosh-darn kind-hearted car dealers are just good folks who have your best interests at heart? I suppose they also ride unicorns to work. But let’s dig a little deeper…

My point is simply that Andy’s point is really no point at all. It’s the equivalent of saying “trust the trustworthy and you’ll have no problems”. What makes dealers inherently good? Or what makes their information management practices worthy of you handing them identity information? I’ve worked on computers in some dealerships and let me tell you it is about as far from pretty as you can get.

Maybe customers should be fingerprinting the dealers. Literally. Who knows how long those shifty-eyed sweaty-palmed sales folks in plaid suits and shiny white shoes have been working or where they came from? A dealer might do their best to avoid hiring a grand-theft perpetrator (to protect their own assets), but do they care if someone has just been released after serving time for identity theft? Identity theft (especially of biometric data) is external to the dealer. Thus, someone other than the dealer HAS to put a burden upon them to prove they will do NO harm to things given to them for safekeeping that they do not personally value. And if they cannot provide the assurance, then they should be able to transfer the risk (e.g. to an insurance company or underwriter) or reduce the value of the asset, etc.

OK. Given all that usual risk assessment stuff I feel I should point out that a Regional Auto Theft Task Force (RATTF) does in fact exist. I tried posting this on Lornamatic’s site, but I failed the anti-spam math test. :) Lornamatic mentioned not being able to find a reference, but take for example the Santa Clara RATTF, which published this interesting report about an area close to Lornamatic’s dealer:

In most of the cases, the individual suspect presented false employment information on a credit application, reflecting a lengthy employment history and sufficient monthly income. In the majority of these cases, this information would be corroborated by what appeared to be legitimate paycheck stubs, later found to be completely counterfeit. In fact, the majority of the suspects had no legitimate source of income. The business addresses were more often than not determined to either be vacant properties, or in some cases, actual functioning businesses, which had no record of such persons ever being employed. Postal mail drop services were also utilized in this process; helping to provide what appeared to be a legitimate local address for several of these suspects.

Among those businesses victimized by these criminals were Capitol Honda, Courtesy Chevrolet and Chris’ Dodge World. Lending institutions included American Honda Finance, San Jose Credit Union and Bank of America.

RATTF investigators determined that this group of suspects obtained at least 113 new vehicles in this fraudulent manner, valued at approximately $2.3 million. Of the 105 suspects eventually identified, Task Force detectives have thus far been successful in obtaining 85 criminal complaints, charging various felonies including Grand Theft, Making a False Financial Statement, Perjury and Insurance Fraud. In addition to warrants resulting from the vehicle scams, several of these suspects have been arrested for robbery, financial elder abuse and other theft related cases. At least a dozen more cases are pending complaints as of this writing. Approximately 80% of the vehicles have been recovered as a result of these investigations. Vehicles have been recovered in New Jersey, Texas, Arizona, California, Washington and Florida.

For some incredibly short-sighted reason the perpetrators are being described as “nomadic criminals”. This weighted reference to people who do not want to (or can’t) “own” land and stick to it is a topic for another day:

Somalis have long debated the merits of a nomadic, pastoral existence versus those of a settled agricultural community.

Perhaps from the dealer’s standpoint, the threat is potentially so high and the identity verification system so vulnerable that they really do not mind turning away the odd customer in order to avoid the risk of a stolen car. The sad thing is the way Hitchcock Automotive handled their security, and in particular how they handled Lornamatic’s genuine concerns.

Symantec measures identity value at $18

People used to ask for it for free, but now, thanks to Symantec, you can tell everyone that they must pay you $18 first. Based on some amazing analysis of “its offices in more than 180 countries and from some of the 120 million users of its security products”, Symantec has revealed the market value:

All of your personal banking and credit card information, your birth date and your social insurance data are worth about $18 US on the Internet, according to a study released today.

But wait, there’s more. Symantec has also announced that China is now part of Europe, and that these Sino-Europeans are to blame for a “surge” in hijacked computers world-wide. Why? Because they are so uneducated, of course. See for yourself:

Ollie Whitehouse, senior consulting services director at Symantec, said: “This rise in the number of infected computers can certainly be attributed to the rise in the online population of countries like China and Spain, in Europe [emphasis added].

“There is almost an educational curve that the users and service providers have to go through. Unfortunately when certain countries go through rapid increases in connectivity and availability of technology that curve is not always kept up.

Typo? I could not make this stuff up if I tried. Someone should tell the BBC there’s a mistake, or perhaps even whisper to Symantec that China is not in Europe. More importantly, bad software and improper default configuration, or perhaps even culture, probably have a lot more to do with the “spread” of hijacked operating systems than some measure of a user “educational curve”. Even more interesting might be the fact that the curve is reversed: the more educated the user population, the more they try to hijack computers! I might just have to do the analysis on this to figure out what’s really going on.

In the meantime, here’s the icing on the Symantec cake. Warning! Warning! They warn you that hijacked PCs are on a sharp rise in the world. They say a plague of targeted attacks is coming. Oh, thank you Symantec for sounding the clarion horn in such a distressed sea of information…all of which brings me to their clever Threat-O-Meter:

[Image: Symantec Threat-O-Meter, reading “Grassy Green”]

Green? We’re at code green?

Yahoo! has defined this as “Recommended action: None”

[Image: Yahoo! LERTCON alert level indicator]

Big difference, no?

Disclaimer: I was partly responsible for oversight of the new Yahoo! security site and argued extensively with the marketing folks. I would not allow the Threat-O-Meter to be on the page unless meaning was also provided (per the true intent of declaring an “alert condition” or LERTCON). I specifically fought to prohibit its use until some kind of specific action like “scan for virus x” was included for each color/number. Glad to see that this was taken to heart and is still there so I now can point to it when executive management (or anyone else, really) comes running and says “oh my goodness, have you seen the Symantec report…what do we need to do?”