Observations Along the Road

Theatre Writeups, Musings on the News, Rants and Roadkill Along the Information Superhighway

Category Archive: 'rant'

Bleeding All Over The Place

Written By: cahwyguy - Sat Apr 12, 2014 @ 8:52 am PST

All this week, I’ve been following the news of the Heartbleed flaw. If you haven’t heard of it, or if you have heard and don’t understand it, XKCD gives a good explanation. Basically, the flaw was an “old-school” programming error: the heartbeat handler took the payload length the sender claimed, never checked it against the number of bytes that had actually arrived, and copied that many bytes into its reply. The extra bytes came from whatever happened to be sitting next to the request in memory, which is how leftover keys, passwords and session data got handed back to the sender. The result is what the Orange Book called an “Object Reuse” failure and what the Common Criteria call “Residual Information Protection”: memory that had held someone else’s data was handed out without being scrubbed. Problems like this were common in old MS-DOS, where you could create a file, move the file pointer to some far-out place, write a single character, and close the file. What was left in the middle was whatever was lying on the disk. Heartbleed was the same thing:

[Image: Heartbleed Explanation]

When Heartbleed was first reported, panic ensued. You probably remember this. This was the “Death of Commerce on the Internet!!!” Bruce Schneier (who I normally respect) said, “‘Catastrophic’ is the right word. On the scale of 1 to 10, this is an 11.” I, however, felt that panic wasn’t warranted. I’m pleased to see that, as time goes on, others are realizing that as well.

Does that mean this isn’t a serious problem? Au contraire! Rather, it is a problem on the system owners’ end. Because the server’s private key was among the things that could be read out, they need to do more than swap certificates: generate new private keys, reissue the potentially exposed certificates, and revoke the old ones (a new certificate over the same old key fixes nothing). It is a problem for all the hardware devices that embedded OpenSSL in firmware in an unchangeable and un-updatable way. All those devices have to be trashed and replaced. It’s a problem for all those who depend on others to maintain their web site. For example, I’m on Westhost. Here are their instructions to site owners regarding Heartbleed.

Why was this problem so great? OpenSSL was free code, so everyone thought it was good and used it. Forbes thinks this is indicative of a big problem with open source and its funding: there were about four people charged with maintaining this, all volunteers. Again, I disagree. The problem is not the funding or the maintenance, but the fact that the authors were not thinking about security from the get-go. They hadn’t been inculcated with secure programming practices that would have eliminated any object reuse issue. Being aware of how to write secure code eliminates many problems: boundary errors, object reuse errors, and mishandling of input. All three showed up here (an unchecked length, a copy past the end of the received data, and memory returned without being cleared), and all are mistakes any secure programmer worth their salt would know to avoid.
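To make the boundary error concrete, here is an added example of my own (not code from the OpenSSL project and not part of the original post) that reproduces the shape of the bug in C. The vulnerable handler trusts the 16-bit payload length inside the heartbeat message; the hardened handler checks that length against the bytes actually received, in the same order as the upstream fix (reject a record too short to hold a header, then reject a claimed payload that would run past the record). The record layout, the buffer sizes, and the “SECRET-KEY-MATERIAL” string placed after the request are constructed for the demo; the struct and function names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING  16

/* Constructed stand-in for what the record layer hands the heartbeat handler:
 * the message bytes and the number of bytes that were actually received. */
struct record {
    const unsigned char *data;
    size_t length;
};

/* Vulnerable form: the payload length inside the message is trusted and used
 * as the memcpy length, so a request that claims more payload than it carries
 * copies whatever follows the request in memory into the reply.
 * Returns the reply size, or 0 if no reply is sent. */
size_t heartbeat_vulnerable(const struct record *rec, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec->data;
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (hbtype != HB_REQUEST)
        return 0;
    size_t total = 1 + 2 + (size_t)payload + HB_PADDING;
    if (total > out_cap)              /* demo-only guard for our own reply buffer */
        return 0;
    unsigned char *bp = out;
    *bp++ = HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, p, payload);           /* BUG: payload is never compared to rec->length */
    bp += payload;
    memset(bp, 0, HB_PADDING);        /* padding (the real code used random bytes) */
    return total;
}

/* Hardened form: the two length checks the upstream fix added, before any copy. */
size_t heartbeat_fixed(const struct record *rec, unsigned char *out, size_t out_cap)
{
    if (1 + 2 + HB_PADDING > rec->length)
        return 0;                     /* too short to even hold a header: discard */
    const unsigned char *p = rec->data;
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (1 + 2 + (size_t)payload + HB_PADDING > rec->length)
        return 0;                     /* claimed payload exceeds received bytes: discard */
    if (hbtype != HB_REQUEST)
        return 0;
    size_t total = 1 + 2 + (size_t)payload + HB_PADDING;
    if (total > out_cap)
        return 0;
    unsigned char *bp = out;
    *bp++ = HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, p, payload);           /* now guaranteed to stay inside the record */
    bp += payload;
    memset(bp, 0, HB_PADDING);
    return total;
}

/* Constructed memory layout: a 21-byte request carrying a 2-byte payload ("hi")
 * plus padding, immediately followed by data that stands in for key material
 * living next to the request on the heap. Returns the bytes actually received. */
#define SECRET "SECRET-KEY-MATERIAL"

static size_t build_arena(unsigned char *arena, size_t cap, uint16_t claimed)
{
    memset(arena, 0, cap);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    arena[3] = 'h';
    arena[4] = 'i';                   /* arena[5..20] is the 16-byte padding */
    memcpy(arena + 21, SECRET, sizeof SECRET);
    return 1 + 2 + 2 + HB_PADDING;    /* 21 bytes really arrived */
}

static int contains_secret(const unsigned char *buf, size_t n)
{
    size_t k = strlen(SECRET);
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(buf + i, SECRET, k) == 0)
            return 1;
    return 0;
}

/* Request claims 48 bytes of payload but carries 2: returns 1 if the reply leaks the secret. */
int vulnerable_leaks_secret(void)
{
    unsigned char arena[64], out[256];
    struct record rec = { arena, build_arena(arena, sizeof arena, 48) };
    size_t n = heartbeat_vulnerable(&rec, out, sizeof out);
    return contains_secret(out, n);
}

/* Same oversized request through the fixed handler: reply size (0 means discarded). */
size_t fixed_reply_size_oversized(void)
{
    unsigned char arena[64], out[256];
    struct record rec = { arena, build_arena(arena, sizeof arena, 48) };
    return heartbeat_fixed(&rec, out, sizeof out);
}

/* Honest request (claims 2, carries 2) through the fixed handler: reply size. */
size_t fixed_reply_size_honest(void)
{
    unsigned char arena[64], out[256];
    struct record rec = { arena, build_arena(arena, sizeof arena, 2) };
    return heartbeat_fixed(&rec, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler leaked the secret: %d\n", vulnerable_leaks_secret());
    printf("fixed handler, oversized claim: %zu bytes\n", fixed_reply_size_oversized());
    printf("fixed handler, honest request:  %zu bytes\n", fixed_reply_size_honest());
    return 0;
}
```

The point of the arena is that the over-read is not a crash: the copy stays inside memory the process owns, so nothing fails loudly and the neighbouring bytes simply ride along in the reply. That is also why a memory-clearing discipline alone would not have been enough here; the copy has to be bounded by what was received, which is exactly the check the fixed handler adds before touching the data.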

So, again, should you worry about this? You certainly shouldn’t panic. If you have an account on an affected site, then you might change your password if you are really worried about your data (e.g., I don’t care about Yahoo; my mail account there is only for spam) or if you use that password elsewhere. If, by rare chance, you have exposure on a financial website or a government website, then do change your password. One caveat: wait until the site has patched OpenSSL and replaced its certificate before you do, because a new password sent to a still-vulnerable server can be read out just like the old one.

Most importantly, get a little perspective. Although this is a lot of work for site owners, this isn’t anywhere near the headache of a Target breach, or the breaches we hear about every day where this database or that database of credit card numbers is exposed, or major medical databases are exposed. Worry about those. And keep consciously thinking about cybersecurity in whatever you do, and whenever you authorize access to your information. For example, does the Facebook Android app really need all those permissions it asks for?


--- *** ---

STEM and Cybersecurity Education – A Monday Lunchtime Rant

Written By: cahwyguy - Mon Mar 24, 2014 @ 11:39 am PST

Yesterday, my RSS feeds highlighted a provocative article: “STEM Stinks for Cybersecurity” (Forbes Magazine). In this article, the author argues that we don’t need more people with university degrees in science, technology, engineering, or mathematics; what we need is more people with vocational training (he calls it VoTech) who are familiar with the security tools and know how to run them. I think this position misunderstands both STEM and cybersecurity.

Let’s start with STEM. The author seems to believe that the emphasis on STEM is at the university level, that we only want STEM degrees. That’s wrong and misguided. Emphasizing STEM is important much earlier, from the first days of education to the end of high school. We need to be raising students who are unafraid of (who perhaps even love) science, engineering, math, and technology. The ability to understand these disciplines is key to having adults who think critically, and who can recognize pseudo-science when they see it (and thus believe neither the creationists nor the climate-change deniers). Being familiar with these disciplines is also key if you are going to exist in the modern world, where technology is everywhere (and technical terms are everywhere). They are particularly important even if you are going into VoTech; just because you are working with tools doesn’t mean you don’t apply scientific principles or use mathematics. In fact, most CNC tool programmers use mathematics regularly. Familiarity with technology is required in almost every field today; even the soft fields are making extensive use of technology.

Let’s now turn to the question of whether VoTech is sufficient for Cybersecurity. I’ll start by saying that I have no problem with encouraging vocational technology — I think it was a disaster when shop classes were removed from schools, and I’ll support vocational training. Having trained machinists and technicians and repair support is vital to the success of most operations (and it should go without saying that all need to be familiar with STEM). But with respect to Cybersecurity, my opinion differs.

Technicians trained in using tools are only as good as the tools they use. While this is fine in manufacturing, it’s not in Cybersecurity. Cybersecurity tools can only find what they are programmed to find — which are signatures of yesterday’s attack. VoTech Cybersecurity experts, as a result, can typically only find what the best of their tools find. Perhaps, as they gain lots of experience, they will be able to go outside of that box and identify additional attacks. The basic trainee won’t; our systems won’t have time to wait.

Cybersecurity requires individuals who are familiar with technology, systems, mathematics, engineering… and who can think critically and present their thoughts and findings (which is where the arts come in, and why you see a movement from STEM to STEAM). Successful cybersecurity is much more than running vulnerability scans. It is getting in with the engineering team from day 0, identifying the security requirements and how they trade off against other engineering and mission requirements. These are skills you learn in engineering courses and software and system design courses, not vocational training. It is being able to recognize results and findings that just seem off, and having the ability to track down the root cause (and not just the symptom of the day). The ability to recognize that “this doesn’t smell right” is a critical thinking skill; I don’t believe a VoTech trainee will have that without significant experience. Successful cybersecurity is being able to assess your findings in the context of the larger system, mission, and business picture, a perspective that someone who is only familiar with tools will not have. Successful cybersecurity is looking at all aspects of the system, from the low-level hardware up through the design layers, from operational procedures and processes to suppliers. An emphasis on tools alone does not give that ability. Lastly, cybersecurity requires individuals who can think outside the box, because that’s what the adversaries do. Stopping the script kiddies is easy; VoTech can easily catch the low-hanging fruit. The real threat comes from the determined adversary, and they don’t do what you (or your tools) expect.

Don’t get me wrong — technicians are important. If that is the highest level of skill you can obtain, and you’ve had that K-12 STEM/STEAM education, go for it. Some people work best with their hands. But if you can go on and get that STEM/STEAM degree, you will be much more successful and much more useful in the field (plus, you’ll earn significantly more over your lifetime — enough, perhaps, to pay off your student loans :-)).

--- *** ---

Monday Rant: How To Get More People to the Theatre

Written By: cahwyguy - Mon Mar 03, 2014 @ 11:27 am PST

Mondays at lunch are my normal time to write rants. Today’s is based around an article a friend sent me entitled “Arts Education Won’t Save Us from Boring, Inaccessible Theater“. In it (and I recommend reading it), the author discusses why the audience for live theatre remains white and greying. He opines that it isn’t because of a lack of arts education; rather, it is because of the content of the shows, the nature of the edifices, and the policies they impose. Some of the ideas he discusses are ones that Ken Davenport has discussed before on his excellent Producers Perspective blog. I agree with the author somewhat, but disagree with him as well.

First, the goal of arts education is not to get people into the theatre. The goal of arts education is to encourage an appreciation of creativity in all of its forms: be it drama, comedy, dance, art, or music. The creative process in the individual informs other areas of life and produces more rounded individuals. Remember, what we call scientists today were philosophers in the past; their artistic side encouraged their scientific endeavors and vice versa.

Does having younger playwrights bring younger people in the theatre? Not necessarily, because one never sees the playwright. What brings people into the theatre are good stories that are relevant to them; stories that are well-written and engaging. What does this mean in practice? The playwright doesn’t need to be young, but needs to understand the sensibilities of the young. This can be helped with an appropriate dramaturg who can shape the story so it appeals to a younger audience. A critical player in this is the Artistic Director, who also has the young sensibility. The artistic director needs to not only program for the reliable older audience, but include in the season mix material to challenge the older audience and bring in the younger audience.

When plays speak to the audience, the audience comes. A good example of this is the Pasadena Playhouse: when it presents plays with African-American themes, the African-American audience comes out in droves (and, alas, the non-African-American audience often doesn’t). The problem is that when those themes go away, the audience doesn’t stick. Audiences come out for specific shows; they aren’t subscribing.

I posit the notion that audiences don’t subscribe because of cost. A vision might be interesting, but when you have to drop $800 or more for two seats in one shot — well, it is easier to buy the seats for individual shows. One of the reasons I like the Colony Theatre is that they allow me to split my payment; I believe that if more theatres offered split payments for seasons (2 or 4 payments), they would get more subscribers.

Another reason theatres have trouble getting subscribers is that they don’t cultivate relationships. Relationships between the theatre and the audience are vital. From the audience perspective, the relationship makes you care about the theatre — it makes you want to support them, it makes you want to donate, it makes you care about the existence of the organization. From the theatre’s perspective, it allows you to know the audience, and just how far you can challenge them. It also creates your best ambassadors, for what brings people into the theatre is word of mouth.

This is the other thing that is hurting the theatre community: we are losing the voice of the critics. Trained critics help audiences discover shows; they alert people to what might be of interest. Arts education might make you receptive to theatre, but unless you know what shows are out there you won’t go. For many theatres, especially small ones with no advertising budget, the only media are email and postcards, which tend to go only to audiences that already know you or know theatre. Critics are in major media outlets, and are seen much more broadly. Even if the critic doesn’t like the show, the description of the show might speak to you.

Lastly, the author blames theatre policies. I agree with him on some points — there should be an easier ability to obtain refunds if plans change or to reschedule tickets, but I can also see the problem that if tickets are returned too late, they can’t be easily resold. Other points he is off about — there is a certain etiquette that people must understand that is simple common courtesy: turn off your phones, don’t illuminate your face during a show, and arrive on time.

So what are your thoughts? How do we get more people to the theatre?


--- *** ---

My Dues Are Too High! (A Lunchtime Musing)

Written By: cahwyguy - Thu Feb 20, 2014 @ 11:36 am PST

Yesterday, I read a very interesting piece on Kveller titled “My Local Kosher Market is Closing & I’m Part of the Reason Why“, and I set it aside to write a post related to it. Yesterday evening, Rabbi Lutz posted a link to an article about why one should choose synagogue membership. Both are worth reading, so I’ll wait while you do so.

(taps feet, looks at watch, taps feet again, while the theme from Jeopardy plays in the background)

OK, so now you’ve read them. What both emphasize, in slightly different ways, is the importance of having the Jewish community, and by extension Jewish communal institutions, there when you need them. The value of these institutions cannot be viewed solely on what you get back in services over a given time period. In fact, looking at Jewish institutions (or any religious institution) in a fee-for-service manner just will not work. You can’t say: I pay $2000 a year to be a member, and that’s cheaper than buying the services à la carte.

The reason we join together in the groups we do (be that brotherhoods and sisterhoods, or the congregation as a whole) is to create a community, pure and simple. We want to create a community that will be there to support us — to help us and lift us when we are having trouble, to be there to share our joys. We build relationships within the community, and we help others in the community. We may not always like everyone in the community, but the community should have common values, goals, and mores. Most importantly, we want the community to be there when we need it.

In the past — at least in the progressive Jewish communities — we’ve been told that there is a price of admission to the community (boy, doesn’t it sound wrong when I put it that way?) This price: dues. There are dues for the synagogue, dues for brotherhood, dues for sisterhood. This notion of dues turns people off. It is one thing to have fees for specific services (such as a fee for religious school)… but being told by some entity that you must pay $X to be considered a part of the community seems wrong (although, to be fair, they do allow you to negotiate the value of $X depending on your circumstances).

How do Christian congregations handle this? Ever hear of something called “faith offerings”? Ever seen the basket passed? Congregational support is often done at the end of services with passed baskets, with people giving as the community moves them. This never took hold in Jewish communities because of the traditional prohibition of handling or carrying money on Shabbat. There is also tithing (giving 10% of your “income”) to the church, but (to my knowledge) this is unlike dues in that it is voluntary, not a price of admission.

Some Jewish institutions are exploring a different model. In $mens_club, we’ve done away with our dues system, and made all men in the congregation members. We ask them to send in support to the community, if they feel the community is valuable, in an amount they deem appropriate. If we do our job right and build a valuable community with strong relationships, then people will want the community to exist and will be willing to support it financially. Yes, it is a risk. However, it is a better level of feedback than robotic collection of dues for an organization that might no longer have a purpose.

What it boils down to is this: You need to support your communal groups if they are to survive and be around whenever you need them. You might not utilize them every day; you might not get back in services what you contribute in support. If you want them to survive, you contribute. This is true whether the organization is your congregation’s brotherhood or sisterhood, whether it is the congregation itself, or whether it is your local Kosher market or JCC. If an organization has value to you, support it.

--- *** ---

Monday Rant: Spy Agencies Spy. That’s a Surprise?

Written By: cahwyguy - Mon Jan 27, 2014 @ 11:47 am PST

Mondays seem to be my day to rant over something I saw while skimming the news at lunch. Today’s rant is prompted by the article “Report: Spy agencies collude to gather personal data from mobile apps” in PCWorld. Thanks to Snowden’s disclosures, the world appears to be up in arms that spy agencies are (heaven forfend) spying, and (heaven forfend again) spying quite possibly on them.

Guess what. That’s their job. It’s in their name. They are spy agencies.

Think about this: Imagine you are the head of a spy agency. Imagine you have been tasked to find enemies who are tasked with harming the country you are sworn to protect and defend. Wouldn’t you do anything you could think of to find them? In this quest, would you care at all about the other information gathered along the way that shows people who might be people? Probably not. That stuff is chaff, not the nuggets of grain you want. You have to sort through a hella lot of chaff to find the occasional grain.

So why is everyone up in arms about this? I opine there are two reasons.

First, there is a growing distrust of government and government agencies, egged on by the wackos and conspiracy theorists whose voices are amplified by the Internets. Read any newspaper during WWII. There were much much more flagrant violations of rights during those times than today, but they were swept under the rug. People no longer trust government, and no longer believe it is working in their interest. That’s why they are scared. It is also a significant concern independent of the spying — we need to restore the faith that the government is on the side of the people. [Or, as some might argue, we need to restore government that is on the side of the people. Both views beg the question of what “on the side of the people” means.]

Second, there is a growing surprise that the government can find out as much as they can. Part of that, my friends, is on all of our backs. We’ve been so eager to adopt new technology before it is mature, and before the security and privacy safeguards have been designed and are strong. Is it any surprise that designed-in weaknesses are exploited? Similarly, we have failed to keep our laws up to date with all the facets of technology. So is it any surprise that people are exploiting those laws?

So spy agencies spy. It’s the scorpion and the frog all over again. What should we do about it all?

First, work with lawmakers to enact updated laws that appropriately protect privacy while providing national security and dealing with current and future technology.

Second, vow not to adopt the latest and greatest until you know it provides you a level of protection that you want. Let companies know you’re willing to pay for security, not go cheap for compromises.

Third, understand where the threat lies. The government couldn’t care less about the chaff. Big business, on the other hand, loves the chaff. They mine it, research it, learn your habits, so that they can sell you more and more. Remember: if it is free, you are the product. Be careful who you give your information to.


--- *** ---

Hypocritical People

Written By: cahwyguy - Tue Jan 21, 2014 @ 6:05 pm PST

Two articles this week have caught my eye because they clearly elucidate some interesting positional tension.

The first, an opinion piece by the attorney for the McMath family (the parents of the brain-dead girl in Oakland), has the following paragraph:

Those who attack Nailah’s decision and who are “pro-choice” on the issue of abortion should think hard about the fallout from their insistence that the family’s personal and private decision about when life ends can and should be overridden by doctors or the state. The same rights that support the choice made by Nailah also support contraceptive rights and abortion rights.

The other is an article about the television series “2 Broke Girls“, and its pushing the boundary of propriety in the 8pm hour. That article contained the paragraph:

“CBS has no obligation to only create child-friendly programming so your kids aren’t subjected to sexual suggestion, especially at night – and the FCC isn’t here to raise your kids,” said L.A.-based pop culture expert Jenn Hoffman. “Ironically, the same values-obsessed people who want the FCC to swoop in with an iron fist and regulate our airwaves are often the same people who want the Federal government to leave their speech, guns, health care and churches alone. At some point you have to choose what type of country you want to live in and stick with it.”

Being consistent on your positions is not easy, from either side.

--- *** ---

Perpetuating Misconceptions

Written By: cahwyguy - Mon Jan 13, 2014 @ 11:23 am PST

Recently, a link has been going around the Interwebs that has been infuriating me. This link, likely based on this Slate article, purports to provide the basis for Jewish names. It provides a map and detailed explanations for many Ashkenazi (Eastern European) Jewish names. The information on the name origins in the article is essentially correct, so why am I mad enough to write a post over lunch ranting about it? Here’s why.

There is no such thing as a Jewish Name.

Perhaps I should explain. There are people who are Jewish. They have names. But the name in isolation from the person is not Jewish. People with Eastern European names (such as those in the article) may or may not be Jewish; to view them as Jewish on the basis of their name alone is stereotyping. Further, there are people with names not covered in the article who are Jewish. People convert to Judaism. People convert out of Judaism. People change their names. People get married. It is wrong to assume that everyone named Cohen or Levy or Goldberg is Jewish. It is wrong to assume that someone with the last name of Davis or Smith or Jones isn’t. It is also wrong to assume that the person of color sitting next to you isn’t Jewish; two years ago the Southern California Regional Man of the Year (from the Men of Reform Judaism) was a Chinese fellow who had converted to Judaism and was very active in the community.

There are black Jews, there are Asian Jews, there are African Jews, there are Hispanic Jews, and there are Jews from almost every country and ethnicity in the world. This is because Judaism is, at its heart, a religion. It is a belief system that people can adopt; when they do, they are just as Jewish as someone from birth. People can also choose to leave Judaism and move to other belief systems. The point of this is: You can’t determine someone is Jewish by name alone; to do so is succumbing to a stereotype.

If you circulate the article, don’t refer to “Jewish names”. The article discusses names common to Jewish people of Eastern European origin.

--- *** ---

Setting the Example for Women in Engineering

Written By: cahwyguy - Wed Jan 08, 2014 @ 7:50 pm PST

Sometimes, the stars align. Other times, it is the articles that come across my screen.

A few days ago, Gene Spafford wrote an excellent essay over at CERIAS on the need for more women in engineering, more particularly in Computer Science, and even more particularly in Computer Security. Even more importantly, he listed things in the article that both men and women should do to bring about this change. I’ll repeat the first five of his fourteen rules for men:

  1. Simple: be aware. Help others be aware. Don’t limit your involvement to this, but everything else flows from this.
  2. If you have children, encourage them and their friends to consider computing in school. Be supportive of anyone trying an IT profession. Be positive and not condescending.
  3. If you are a teacher/professor, don’t let the male students bully or harass the females. You are there to create a learning environment for everyone. Generally speaking, many women are less quick to respond to questions as they think about how to frame the answers, and they tend to let others speak without interruption; males generally are the opposite. Don’t let anyone be interrupted when speaking, and ensure that everyone gets a chance.
  4. At a conference or professional meeting? Don’t assume that the women are less important than the men there — especially if they look young! Address everyone equally. No one should be invisible. Would you want people to ignore you or trivialize what you had to say if you looked different than you do? Address the person, not the appearance.
  5. Don’t ever touch a woman, without her clear uncoerced permission, in any manner that you would not touch a male authority figure. That is, would you touch your boss/professor/policeman in the same manner — without getting slugged/fired/arrested? Thus, shaking hands, fine. Catching someone if they stumble, fine. A greeting hug? Let her initiate it. Grabbing their butts? Definitely no. Use the same rule of thumb for language. Would you proposition a male policeman you just met?

For the women, he gives specific pointers to resources (although he forgot the Scholarship for Women Studying Information Security sponsored by ACSA — contact me if you want information on that and I’ll get you to the right people). One thing that he surprisingly does not mention is the importance of role models. Many of the women I know in the field went in the field because a role model showed them it was possible. There are many such role models, from Sally Ride to Grace Hopper to Marilyn Jorgenson Reece, the engineer who designed the I-405/I-10 interchange. I’d like to mention two that were written up recently. The first is the President of my employer: Dr. Wanda Austin, who worked her way up as an engineer. The second I just read about: Mary Sherman Morgan, the first female rocket scientist.

The road isn’t easy. The LA Times just had an interesting article about the insidious effect of a sport on the climb: golf. It appears many female executives don’t feel at ease cutting out of work to do “business” on the golf course, and male executives (thinking they don’t play golf) aren’t inviting them. This is the same subtle segregation that occurred back in the old athletic clubs and fraternal societies, and served to exclude women from the business world. Battling the attitudes is part of the first step.

--- *** ---