Incite 8/24/2011: Living Binary
By Mike Rothman
The Boss constantly reminds me I have no middle ground. On/Off. Black/White. No dimmer. No gray (besides on my head). Moderation is non-existent, which is why I never tried hard drugs. I knew myself well enough (even at a young age) to know it wouldn’t end well. Sure I’d be the best presenter in the crack den, but that would have impeded my plans for world domination.
It’s not just the mind-altering stuff where I don’t do moderation. Let’s talk food. I became a vegetarian about 3 years ago, mostly because I couldn’t eat just five chicken wings. I’d eat 20 and then feel like crap. As much as my logical brain would say ‘STOP’, my monkey brain would plow through the tray of wings. I want to live to be 90, so my kids can change my diapers. So I needed to figure out a method to deal with this lack of control. I figured it would be easier to go cold turkey. No red meat, no chicken (or turkey), no pork. Done. I can shut it off. I just can’t moderate.
A few weeks ago I needed to take some action. My weight was creeping up, mostly because I couldn’t work out with the intensity that used to keep things under control, because of injuries. I don’t eat terribly, but when we run out of veggies and fruit, I’ve been known to knock back some chips. OK, a bag of chips. Or a couple bowls of cereal. Or a few mini-bagels. It’s that moderation thing again.
I’ve been hearing many of my friends talk about this Primal thing for a while. Stories of how they feel a lot better. They certainly look better. I’m used to eating a big ass salad most days, and a lot of fruit/veggies. It can’t be that hard, right? Best of all, it plays into my binary nature. If I just stop eating bread and most starchy carbs, that can work. Now I don’t have to worry about digging into the bag of chips or grabbing 3-4 mini-bagels. That switch is off. Binary.
It’s actually gone pretty well. I haven’t dropped a ton of weight, but I adjusted pretty well. No headaches, no severe hunger pains. I’m not as draconian as I am with the meat. I don’t go nuts (no pun intended) if there are breaded do-dads on a salad. And I’ll eat potatoes, just not frequently. Maybe twice a week. Mostly with an omelet when I’m on the road (instead of 3 bagels).
Living binary may not be for everyone, but it works for me. I know I have little control. Rather than trying to figure out how to gain control, I put myself in situations where I can be successful. Is this forever? Who knows? But it’s OK for now, so I’ll go with it.
Photo credits: “Binary cupcakes” originally uploaded by alicetragedy
Incite 4 U
Slowing down your denial: I’m not sure where it came from, but I love the idea of slowing down to speed up. Many times when things feel out of control, if I just take a step back and focus, I start moving things forward. It seems denial of service attackers take a similar approach. Kick ass post here from Rybolov about slow denial of service (SDoS). Of course, our friend RSnake was one of the first (if not the first) guys to talk about slow HTTP attacks, so I’m glad he’s on our side. The post tells you what you need to know about this attack, delving into its devastating nature, the challenges of detecting it, and how to defend against it. It’s much harder to track, compared to brute force DDoS, so it seems likely we’ll see a lot more SDoS. Good thing Rybolov doesn’t miss the opportunity to reiterate that throwing a bunch of servers and bandwidth at SDoS may be one of the only mitigations we have. And good thing Akamai has a lot of both, eh? – MR
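The detection difficulty mentioned above comes from the fact that a slow HTTP attack looks like a handful of unremarkable clients, not a flood. As an added example (not from Rybolov’s post or this page), here is one defender-side heuristic: walk a snapshot of a web server’s open connections and flag clients that hold several long-lived connections whose request headers are still incomplete and whose byte rate is a trickle. The snapshot, thresholds and field names are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    """One open server-side connection (constructed record, not real data)."""
    client: str        # client IP
    age_s: float       # seconds since the TCP connection was accepted
    bytes_in: int      # request bytes received so far
    headers_done: bool # True once a full request header block arrived


# Constructed snapshot of a connection table. 198.51.100.7 holds four
# old, header-incomplete connections that trickle bytes (slow DoS shape);
# 203.0.113.5 is a normal client; 203.0.113.9 is a single slow link;
# 192.0.2.44 is simply a fresh connection that has not finished yet.
SNAPSHOT = [
    Conn("198.51.100.7", 95.0, 120, False),
    Conn("198.51.100.7", 80.0, 100, False),
    Conn("198.51.100.7", 60.0, 90, False),
    Conn("198.51.100.7", 45.0, 70, False),
    Conn("203.0.113.5", 0.4, 600, True),
    Conn("203.0.113.5", 1.2, 900, True),
    Conn("203.0.113.9", 40.0, 300, False),
    Conn("192.0.2.44", 12.0, 200, False),
]


def slow_clients(conns, min_rate_bps=50.0, min_age_s=30.0, min_conns=3):
    """Return {client: count} for clients holding at least min_conns
    connections that are older than min_age_s, still lack complete
    headers, and deliver fewer than min_rate_bps bytes per second.
    Thresholds are hypothetical starting points; tune them per site
    so that slow but legitimate mobile clients are not flagged."""
    suspects = defaultdict(int)
    for c in conns:
        if c.headers_done or c.age_s < min_age_s:
            continue  # completed requests and young connections are fine
        if c.bytes_in / c.age_s < min_rate_bps:
            suspects[c.client] += 1
    return {ip: n for ip, n in suspects.items() if n >= min_conns}


if __name__ == "__main__":
    for ip, n in slow_clients(SNAPSHOT).items():
        print(f"slow-connection suspect {ip}: {n} stalled requests")
```

The per-client count is what separates an attacker from one user on a bad link; the flagged clients are candidates for header/body read timeouts or a connection cap, not automatic blocking.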
Blood Donation: Having been to China a few times I’m pretty sure they have some of my biometric information. Just like in the US, they take a photo and fingerprint on entry to the country. While I don’t consider China evil by any means, they are definitely a bit more of a rival to most Western nations (and pretty much any democracy). So I’m amused at this project to collect DNA sequences for people with high intelligence. Now I think this is a real research project, but they do report to the government in the end. Is anything at risk? Probably not for any of us. Is it amusing, in light of everything else going on these days? Certainly! – RM
You get the check… Cellarix is creating a mobile payment system. All you have to do is provide Cellarix (or more likely their credit card processing partner) with your credit card number – the merchant’s POS system essentially calls your phone to confirm payment. Think of it as a reverse Point-of-Sale system. I saw something almost identical to this demonstrated by Ericsson in 1997 – payment was handled simply by dialing the phone number on the front of a vending machine, in order to get train tickets or a pack of cigarettes. The idea was that you could leverage your phone provider’s existing payment relationships – at the end of the month, your phone bill would include your purchases. The obvious vulnerability is the device itself. If you lose your phone, you could have your bank account or credit card drained almost instantly, which is awesome. The Cellarix model is not much different, with the merchant calling you for verification. But nowadays losing the phone is just one of many threats – MITM and rogue apps could just as easily fake authorization by controlling that second factor. Most people can’t help leaking email credentials at Starbucks – is there any reason to believe your payment data would be more secure? I can’t think of one. – AL
Obscurity is not the answer: We all should know this, but it seems we all too often forget that security by obscurity is not the answer. Sure, we don’t want to be stupid (like publishing the home addresses of law enforcement), but sharing new attack vectors and other techniques makes everyone smarter. This definitely raises the low bar for stupidity and pwnage, but that’s going to happen anyway. As soon as a new exploit shows up in Metasploit, the low bar is reset. Schuyler Towne applies this mentality to lock picking (his expertise). The good guys need to abide by a code of ethics, but ultimately that means just doing the right thing. With the easy availability of information nowadays, it’s naive and dangerous to think that you’ll be able to hide a fundamental flaw. – MR
Hacking or just crap security? In an effort to leverage the negative perception of hackers that often gives big companies a mulligan on doing stupid things, AT&T is claiming two men ‘hacked’ their system to harvest names associated with AT&T users. Allegedly the defendants programmed predictive dialers to send AT&T phone numbers as the source of a ‘call’, with the phone system returning user names associated with the dialed numbers. The defendants then called every possible AT&T number they could, scraping AT&T’s database. While it’s technically hacking, it’s not clear they broke any laws. What’s more alarming to me is that the name lookup is a service AT&T charges users for – clearly exposing client information due to poor authentication protocols and non-existent monitoring. Maybe the defendants are guilty of illegal sales calls, but if anyone is fined for exposing data, it should be AT&T. – AL
Science Fiction: Years ago I had the opportunity to hang out and drink beers with Bruce Sterling (author and futurist) for a few hours. It was a great experience and I learned a lot about how a top-selling author (both fiction and non-fiction) sees the world. One thing that stood out was when he said his job is to look out past a 7 year horizon. You can make informed predictions (with decreasing accuracy) up to about 7 years, but after that all bets are off and the futurist needs to step in. Charlie Stross has become one of my favorite SF/future authors lately (with Halting State up there with Vernor Vinge and Rainbows End). He has an honest-to-goodness tech background and it shows – especially in pieces like his USENIX keynote on network security. Read it. (Thanks to BoingBoing for the link.) – RM
Don’t fear the cloud, but don’t be stupid either: Having just gotten back from teaching our cloud security class, one key point is making sure you understand what security you need to handle and what your provider does. Chris Burton talks about how he uses the cloud for almost everything and is perfectly comfortable with it. He gets it – he’s encrypting his volumes and not making any assumptions about what the cloud does or does not provide. He’s also very clear about the downside, which is basically that he’s as much in control to screw things up as with his own equipment. At least in an IaaS (infrastructure as a service) context. That’s the point. The cloud changes the architecture, sure, which means the control points necessarily change. But it doesn’t give you a pass on your own responsibility to protect your stuff. Remember: you can’t outsource thinking. Actually, you can, but it never works out very well. – MR