Charles Curley's Weblog

Maturity may be recognized in the slowness with which a man believes.
Baltasar Gracián, Oraáulo manual y arte de prudencia (1653)
Quoted in Will and Ariel Durant, VII The Story of Civilization 296 (1961)

Come to think of it, a lot of people could afford to contemplate that observation.

Due to concerns about the future of Gnome 3 and Ubuntu's Unity, I installed Debian Squeeze version 6.0.3 with XFCE on my semi-retired Lenovo R51. Two installation gotchas are noted on that page.

According to Oxford University and McKinsey, "One in six big IT projects go over-budget by an average of 200%." The study also found that spending on technology was three times more likely to spiral out of control than construction or other major projects.

Apparently the problem stems from management failing to identify and plan for "black swans", negative events that hit rarely, but when they hit, they have a large impact.

Professor Flyvbjerg and his team are now looking to develop tools that help IT managers avoid out-of-control projects.

"Managers are very likely to run into black swans. They need to be able to identify them and prevent them."

Let's hope the good professor and his team don't hit any black swans.

Don't forget, Software Freedom Day 2011 is coming up on Saturday, September 17, 2011. Celebrate by contributing back to the community.

Rap superstars Jay-Z and Kanye West employed tight security and extreme tactics to ensure their album Watch The Throne did not fall victim to the curse that hits almost every other big release - the online leak.

When Watch The Throne, the hotly anticipated collaboration between the two hip-hop heavyweights, was released on iTunes last week, the music was not the only talking point.

Virtually every major artist - from Lady Gaga to U2 - has found their music being leaked. So how did Jay-Z and Kanye stop it happening to them?

Stars step up war on music leaks

What is interesting about this article is the efforts producers and others take to avoid having their product leaked. Fingerprint-protected hard drives? OK. Sleeping with the hard drives? Er, OK.

I think the most interesting statement is from John Giacobbi, founder of internet security company Web Sheriff. The company works for recording artists such as Lady Gaga, Beyonce and Adele. He believes that leaks are pretty close to inevitible. The question is, how do you deal with the leak after it has occurred. One approach is to ask the fans to help. "If you treat fans like fans, instead of treating them like criminals, it tends to work." Treating people like people instead of criminals almost always pays off. TSA, please note.

If you are going to run with the big dogs, you have to get off the porch.

— Old Southern Saying

If you are going to crack other people's systems, and then thumb your nose at them, you have better be sure your own security is good. Someone out there is waiting to prove it isn't. Oops!

Chocolate lovers may soon be able to print their own 3D creations thanks to work by UK scientists.

A 3D printer that uses chocolate has been developed by University of Exeter researchers - and it prints layers of chocolate instead of ink or plastic.

Although still a prototype, several retailers have already expressed interest in taking on the device.

I want one!

The U.S. Department of Homeland Security ran a test this year to see how hard it was for hackers to corrupt workers and gain access to computer systems. Not very, it turned out.

Staff secretly dropped computer discs and USB thumb drives in the parking lots of government buildings and private contractors. Of those who picked them up, 60 percent plugged the devices into office computers, curious to see what they contained. If the drive or CD case had an official logo, 90 percent were installed.

"There’s no device known to mankind that will prevent people from being idiots," said Mark Rasch, director of network security and privacy consulting for Falls Church, Virginia-based Computer Sciences Corp. (CSC)

— Human Errors Fuel Hacking as Test Shows Nothing Stops Idiocy

In short, the best defense against cyber attack includes user education.

These days, people tend to think of computer security in terms of network security. How strong are my firewall rules? Is the security good on my web application? Should I use this web site on an unsecured WiFi link? Etc. These are all valid concerns. As recent Anonymous and LulzSec efforts show, they are excellent concerns.

However, this does not mean one should ignore physical security concerns.

When hackers from penetration testing firm Netragard were hired to pierce the firewall of a customer, they knew they had their work cut out. The client specifically ruled out the use of social networks, telephones, and other social-engineering vectors, and gaining unauthorized physical access to computers was also off limits.

Deprived of the low-hanging fruit attackers typically rely on to get a toe-hold onto their target, Netragard CTO Adriel Desautels borrowed a technique straight out of a plot from Mission Impossible: He modified a popular, off-the-shelf computer mouse to include a flash drive and a powerful microcontroller that ran custom attack code that compromised whatever computer connected to it.

— Hackers pierce network with jerry-rigged mouse

It's amazing what you can fit into the empty volume in an off-the-shelf rodent.

One might wonder why the client disallowed the more obvious attacks such as social engineering. Maybe the client thought those guards were really good. But that misses the point. Precisely because they are obvious they are guarded. This attack bypassed all those guards, however good they were. Or weren't.

Having heard, so frequently, that the data underlying the current consensus was robustly supportive, I decided to take the time to find raw, unadjusted data and undertake some simple analyses. I was quite surprised by the results. I am posting those here for comments and suggestions, along with source code and links to the raw data.

The majority of climate researchers use the adjusted data in their work, because CRU, GISS, and NCDC make the adjusted data easily accessible and easy to use. Since evidence has surfaced which suggests those three entities are not independent, all three adjustment methods may be suspect. Let’s take a look.

The author, Eugene Zeien, lays it all out. What he did, where he got his raw data (and why he used that data instead of other data). He shows us the results. He tells us exactly what he did, starting with installing Sun's VirtualBox to create a virtual machine. And he gives us the source code, complete with wget command lines to acquire the data.

If you want to reproduce his efforts, you can. If you want to disagree with his analysis and the decisions he made along the way, you can. It's all laid out for you. He even tells you which flavor of Ubuntu he used.

Nor did he have to go spend a pile of money on expensive software. Thanks to the General Public License and other open source licenses and all that free software, you can duplicate his efforts at no charge other than the cost of your computer and your time.

Mind you, I have no idea if he is right or not. Is he wrong? Let us know if he is wrong, and where exactly he went wrong.

Science as it should be done.