OpenOffice.org 3.2
OpenOffice.org 3.2 is now available, with a handful of new features and improved ODF compatibility.
If you haven’t migrated from MS Office to OpenOffice… what are you waiting for? Hello? It’s 2010!
The actual title of the article is “Six easy steps to make a super secure Linux server”, but I think that’s hyperbole. Even so, these are some basic steps that should be followed, and they do help make a server more secure.
(From Six easy steps to make a super secure Linux server, Technicant)
I have believed for a long while now that passwords need to go away. I have to wonder if this comically bad password policy is someone working within the system to get rid of them by making them even more absurd than they already are….
In “How does bad password policy like this even happen?” we addressed the deep question of what goes through someone’s head when he or she creates password policy that makes little or no sense and substantially damages security. The case in point was that of Nelnet, which had a comically bad password policy with restrictions that make no reasonable sense at all. For instance:
It can’t contain two separated numbers (i.e., Abc12ef34 would be invalid)
Perhaps the developers are deathly afraid that someone will have 4+7 in a password and somehow cause SQL to do something dangerous with it. If the database is so brittle as to be incapable of handling something like that, even when special characters such as plus signs are disallowed anyway (another golden example of bad policy at the same site), we can be reasonably certain that the offending organization should not be trusted with any private data anyway.
What can be worse than such ludicrous password policy?
How about a slightly less ludicrous policy that is almost as bad for security and comes with a completely absurd, even insane, explanation for why the password policy is so bad?
This is the case of American Express, evidently. A customer received a thoroughly crazy customer service email explaining the reasoning behind a password policy limited to eight characters, with special characters prohibited. The most unbelievable thing about this entire situation is that the email reads like it was written by a Nigerian scammer, but it came from the American Express “Email Servicing Team.”
Key phrases illustrating the lunacy of the explanation include:
- We discourage the use of special characters because hacking softwares can recognize them very easily. Presumably, this is meant to refer to keyloggers that might harvest passwords, but the fact of the matter is that detecting passwords is not dependent on the characters used. Key factors such as words (or non-word strings of characters) appearing out of context in the middle of other logged keypresses and time delays at either end of a single, relatively short string of characters are much more important for identifying passwords than whether an asterisk is typed.
- The length of the password is limited to 8 characters to reduce keyboard contact. Some softwares can decipher a password based on the information of “most common keys pressed.” For commonality of keypresses to be used to statistically identify passwords, your passwords will have to be incredibly long. Otherwise, every time you type Xerox, the date or time, or an emoticon, someone trying to parse a keypress log is going to have to check to see if it is a password. Sorry — this part of the explanation is even less reasonable than the first quote.
This little gem of an email from Saturday has already spread like wildfire amongst online communities populated by people with an inkling of what “security” means, and the consensus is that whoever this person is, he or she does not know what “security” is. One can only hope that this person is making things up to BS a customer, rather than actually expressing official American Express “security” policy.
The alternative is too horrible to imagine.
The FBI is pushing to require ISPs to keep records on every web site visited by every American, so that there will be plenty of evidence if they ever decide to persecute someone (and no, that is not a typo). Of course! Why not? It’s not like we have any right to privacy, or presumption of innocence, or protection against unreasonable searches. We are all just one stroke of a pen away from having our lives ruined: guilt and innocence are anachronistic relics.
I remember when you could tell the “bad guys” in movies because they demanded “papers” any time someone was traveling or was suspected of, well, anything. Now try traveling in your own “free” country, or earning an honest living, without showing “papers”.
I am glad that I was able to see the USA when it was at its best: votes for women, equal rights for (most) minorities, being able to earn an honest living without showing “papers” or being submitted to humiliating medical tests, being able to get on an airplane without worrying if there is a bottle of shampoo in your carry-on luggage…
I hope I die before this whole thing runs its course. I am glad that I do not have children.
This summer we saw the dangers of DRM on ebook readers, when Amazon deleted hundreds of copies of George Orwell’s 1984 from readers’ computers while they slept. Applying this control to a general purpose computer marketed especially for media distribution is a huge step backward for computing, and a blow to the media revolution that happened when the web let bloggers reach millions without asking for permission.
DRM and forced updates will give Apple and their corporate partners the power to disable features, restrict competition, censor news, and even delete books, videos, or news stories from users’ computers while they sleep – using the device’s “always on” network connection.
Apple can say they will not abuse this power, but their record of App Store rejections gives us no reason to trust them. The Apple Tablet’s unprecedented use of DRM to control all capabilities of a general purpose computer is a dangerous step backward for computing and for media distribution; we demand that Apple remove DRM from the device.
(from Defective By Design)
Oracle announced Wednesday it completed its acquisition of Sun Microsystems in a deal valued at more than $7 billion, a move that transforms the database and business-software giant into a hardware company as well.
As reported in “It was no joke at security gate”, passenger Rebecca Solomon had a terrifying 20 seconds while passing through airport security:
After pulling her laptop out of her carry-on bag, sliding the items through the scanning machines, and walking through a detector, she went to collect her things.
A TSA worker was staring at her. He motioned her toward him.
Then he pulled a small, clear plastic bag from her carry-on – the sort of baggie that a pair of earrings might come in. Inside the bag was fine, white powder.
Of course, the bag was not hers, and neither was the white powder. She had never seen it before, and the TSA screener knew it:
Put yourself in her place and count out 20 seconds. Her heart pounded. She started to sweat. She panicked at having to explain something she couldn’t.
Now picture her expression as the TSA employee started to smile.
Just kidding, he said. He waved the baggie. It was his.
It really does not get much worse than this for the image of a government agency whose image was already among the worst in the country.
It is time to abolish the TSA. Well past time, in fact.
In case I was wondering if my decision to get out of IT (eventually) was just an undigested bit of beef, a blot of mustard, a crumb of cheese, a fragment of an underdone potato… the fine folks at TechRepublic and ZDNet have put my mind at ease. The era of independent IT consulting is, indeed, over.
Even as little as five years ago, an IT consultant was an outside expert called in to solve problems, or to create value for a business who wanted to find an edge over the competition. As the holder of knowledge and skills few others possessed, we were respected, and clients listened.
This is no longer true. IT has become a commodity: widely available, aggressively priced, and valued as much as a business values its janitorial staff or the company that handles its payroll. IT is simply another necessary cost which provides no significant business benefit other than to keep the status quo in place.
A good friend of mine, who provides technology policy advice to the state of Virginia, put it this way: when there is a job that your business needs done in a way that no one else is doing, you want to hire the best you can find and make sure you keep them. When that job is something every business needs to have done, in pretty much the same way, it makes sense to outsource it at the lowest cost possible. IT is just overhead, like janitorial service, or building maintenance, and it is put in the same category in the business’ ledger.
There is nothing here to “ride out”. IT has become a commodity, as valuable and respected and as easily replaced as light bulbs and batteries. We had a good run while it lasted, but technology and society have moved on. One might as well try to open a boutique that sells paper towels.