Observations Along the Road

Theatre Writeups, Musings on the News, Rants and Roadkill Along the Information Superhighway

Category Archive: 'security'

Password Managers and Understanding Risk

Written By: cahwyguy - Thu Mar 23, 2017 @ 11:29 am PDT

If you’ve been following the technical news the last few days, I’m sure you’ve seen the articles about the vulnerabilities discovered in Lastpass (a popular password manager, and one that I use). You may have even seen people complaining that Lastpass was slow to fix vulnerabilities and that one shouldn’t use browser extensions and such. To me (someone who works in cybersecurity), this demonstrates yet again that most people have no idea at all how to assess risk.

This episode is a great example. The vulnerabilities announced above depend on visiting a malicious website. Think about the websites you visit on any given day. The vast majority are probably from some small set of the same sites: social media, news sites, banks, well-known shopping sites, perhaps well-known games. All with low odds of being malicious. Your only exposure might be if you click on an ad (most of us don’t do that) or click on an unknown link in an email (your mother taught you better). So, for the vast majority of people, the odds of going to a malicious website that has a newly released vulnerability that targets a specific password manager are low. Although you may see FUD (fear, uncertainty, distrust) otherwise, such as this statement on the Lastpass forums:

You mentioned exposure. There is always the possibility that someone discovered the bug previously, harvested the information and is sitting on it. Due to the nature of LastPass the level of the compromise is greater than any other tool or device as it would provide information to all passwords (as I understand it), not merely a matter of changing the password to your email or facebook account but could consist of updating 100’s of passwords. That 2FA appears to have been side stepped by this compromise is a large worry.

(2FA refers to two-factor authentication.) Let’s assume, as this author did, that someone discovered the bug previously, harvested the info, and is sitting on it. Exploitation still requires visiting a malicious website, and that site having a targeted attack in place. From the Lastpass blog on the subject:

To exploit the reported vulnerabilities, an attacker would first lure a user to a malicious website. Once on a malicious website, Tavis demonstrated how an attacker could make calls into LastPass APIs, or in some cases run arbitrary code, while appearing as a trusted party. Doing so would allow the attacker to potentially retrieve and expose information from the LastPass account, such as user’s login credentials.

Based on this description, they wouldn’t even be obtaining all passwords. They would have to do so one at a time. If you practice good security hygiene and enable 2FA wherever you can (not just Lastpass), even if you did visit a malicious website, and even if they had a targeted attack, and even if they guessed one account right, 2FA would defeat them on that account, or you would have noticed something. In other words, low odds of it being exploited.

As for the time to correct the problem, Lastpass had updated extensions in place (which auto-update) within 24 hours. The researcher that identified the vulnerability even acknowledged as much in this updated article (scroll to the bottom). We’ve gotten used to reported Windows vulnerabilities — which might be in the wild — being corrected in a month if we’re lucky. Similarly for Flash vulnerabilities. Both see much greater use, and much greater exposure. Here you had reasonably rapid correction of a bug.

Tavis Ormandy @taviso : Two more LastPass bugs fixed today https://bugs.chromium.org/p/project-zero/issues/detail?id=1188 … and https://bugs.chromium.org/p/project-zero/issues/detail?id=1217 …. Very quick response from LastPass, < 24hr.

Tavis Ormandy @taviso : Very impressed with how fast @LastPass responds to vulnerability reports. If only all vendors were this responsive

Lastly, there are folks out there that believe software should be bug-free. Programmers believe that as well, but recognize it is an impossibility. Turing Award Winner C.A.R. Hoare said it best:

There are two ways of constructing a software design: One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies. The first method is far more difficult. It demands the same skill, devotion, insight, and even inspiration as the discovery of the simple physical laws which underlie the complex phenomena of nature.

Dahl, Dijkstra, and Hoare, back in 1972, also noted that provably bug-free software is impossible: “Program testing can be used to show the presence of bugs, but never to show their absence.” We should expect our software to continue to have bugs, perhaps becoming more esoteric and harder to exploit as time goes on, but there nonetheless. All we can ask then is rapid patching.


--- *** ---

Things You Should Know

Written By: cahwyguy - Tue Mar 14, 2017 @ 11:18 am PDT

Amongst the political and transitional news chum I’ve been collecting of late, there are a number of articles that are more informational — that is, they provide some really useful tidbits and insights. I’d like to share them with you:


--- *** ---

Useful Security Site

Written By: cahwyguy - Tue Feb 21, 2017 @ 7:00 pm PDT

Password. The security mechanism we love to hate. Or hate to love. Or grudgingly tolerate. In any case, if you use passwords, you know you are encouraged to (a) enable dual-factor authentication whenever and wherever possible; (b) use the strongest passwords possible; and (c) use a unique password on every site. For (b) and (c), the easiest way to do this is to use a password manager (I use Lastpass), and have it generate strong passwords for sites (I have it generate long pronounceable passwords, and then modify them with digits and special characters). That still, of course, means you need a strong password for the password manager.

Many years ago, in the days of Dockmaster, there was a generator that would generate strong, pronounceable passwords. For a few years I used those, then I went to grabbing words from various places and combining them to create master passwords. Yesterday, I found another solution. Here is a site that generates nonsense words based on a frequency list of phonemes as they occur in legitimate English words. You should be able to get strong master passwords by combining words and making permutations to add special characters, digits, capitalization, etc.

Here is an example of some generated words: minating ocrates exishering hophish diuraggramely tilized middly apissong moratierencess antinumeted fances vaultanewns gunfins ineake snaphypong misplake quarout hightfulus ansprubblet midweir objecta steton lishep ratinessy mententes.
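As an added example (this is not the site’s generator, and the weight tables are constructed for illustration), the Python script below builds nonsense words from frequency-weighted onset/vowel/coda tables in the way the site describes, and goes one step further than the text by measuring what that weighting costs: for the same tables, the min-entropy and Shannon figures come out below the uniform figure, because an attacker guessing common phonemes first faces less uncertainty than the raw alphabet size suggests.

```python
import math
import secrets

# Constructed, illustrative weights (not the site's real phoneme list): how often
# each syllable onset, vowel and coda is assumed to occur in English words.
ONSETS = {"": 8, "b": 3, "d": 3, "f": 2, "g": 2, "h": 2, "k": 3, "l": 4, "m": 4,
          "n": 4, "p": 3, "r": 4, "s": 5, "t": 5, "v": 1, "w": 2, "sh": 2,
          "st": 2, "tr": 2}
VOWELS = {"a": 8, "e": 9, "i": 7, "o": 6, "u": 3, "ee": 1, "ou": 1, "ai": 1}
CODAS = {"": 6, "n": 5, "t": 4, "s": 4, "r": 3, "l": 3, "m": 2, "ng": 2,
         "sh": 1, "ck": 1}


def weighted_choice(table):
    """Draw one key with probability proportional to its weight, from the OS CSPRNG."""
    r = secrets.randbelow(sum(table.values()))
    for key, weight in table.items():
        if r < weight:
            return key
        r -= weight
    raise RuntimeError("unreachable: randbelow is bounded by the weight total")


def nonsense_word(syllables=3):
    """Onset + vowel + coda per syllable gives a pronounceable, non-dictionary word."""
    return "".join(weighted_choice(ONSETS) + weighted_choice(VOWELS) +
                   weighted_choice(CODAS) for _ in range(syllables))


def passphrase(words=4, syllables=3, sep="-"):
    """Several generated words joined; add digits/symbols of your own afterwards."""
    return sep.join(nonsense_word(syllables) for _ in range(words))


def shannon_bits(table):
    """Average information per weighted draw."""
    total = sum(table.values())
    return -sum(w / total * math.log2(w / total) for w in table.values())


def min_entropy_bits(table):
    """Worst-case information per draw: what an attacker who tries the most
    common phoneme first is actually up against."""
    return -math.log2(max(table.values()) / sum(table.values()))


def uniform_bits(table):
    """What the same table would give if every entry were equally likely."""
    return math.log2(len(table))


def strength_bits(words=4, syllables=3, measure=shannon_bits):
    """Entropy estimate for a whole passphrase under the chosen per-draw measure."""
    per_syllable = sum(measure(t) for t in (ONSETS, VOWELS, CODAS))
    return per_syllable * syllables * words


if __name__ == "__main__":
    print(passphrase())
    for name, m in (("uniform", uniform_bits), ("shannon", shannon_bits),
                    ("min-entropy", min_entropy_bits)):
        print(f"{name:12s} {strength_bits(measure=m):6.1f} bits for 4 words x 3 syllables")
```

Use the min-entropy figure when deciding how many words you need; it is the one that stays honest against a guesser who knows the frequency table.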

Hopefully, you’ll find this useful.

--- *** ---

Security Chumbits – Tidbits to Raise Security Awareness

Written By: cahwyguy - Tue Jan 24, 2017 @ 12:39 pm PDT

This is a quickie collection of news chum items related to security that have caught my eye:

  • Weaponized Narratives. I did a whole separate blog entry on this, but I wanted to highlight the original article again in light of the emergence of “alternate facts”. Remember: A weaponized narrative “seeks to undermine an opponent’s civilization, identity, and will by generating complexity, confusion, and political and social schisms. It can be used tactically, as part of explicit military or geopolitical conflict; or strategically, as a way to reduce, neutralize, and defeat a civilization, state, or organization. Done well, it limits or even eliminates the need for armed force to achieve political and military aims.” Alternative facts? Excuuuuuuuse me. They are yet another weaponized narrative.
  • Ransomware. eWeek had an interesting article on some free software that claims to help fight off ransomware. This software is called RansomFree, from security company Cybereason. Once it’s installed (Windows-only), it does three things. First, it can detect the ransomware malware when it arrives on a computer if it has a signature it recognizes. But because ransomware families rapidly evolve, it also watches the activity of the ransomware, looking for attempts to encrypt files. Finally, it deceives the ransomware into thinking it’s working, when in reality all that it’s doing is operating in a secure honeypot of a container. Think about that last point for a moment: a ransomware honeypot. Cool.
  • Infrastructure Security. A number of recent incidents in Las Vegas highlighted the Strip’s vulnerability in terms of infrastructure. In November, Paris Las Vegas was evacuated after an errant drilling severed its main power line; customers were not cleared to return for nearly a day. Shortly before New Year’s Eve, an unfortunate series of events that began with an overflowing sink sparked an outage that darkened the Rio’s Masquerade Tower (the tall one). The tower wasn’t fully reopened for a week, straddling both the New Year’s holiday and the start of CES, two peak occupancy periods. Earlier this month, Palace Station fell victim to an interruption in Nevada Power service that darkened the property for about 90 minutes. A similar outage had affected power at Palace Station—also for 90 minutes—in July. The MGM/New York-New York outage this month, reportedly caused by a windstorm blowing debris into a substation, lasted just over an hour. These all demonstrate inadequate contingency planning or, more importantly, inadequate resiliency in the design of the buildings.
  • Phishing Attacks. There’s a new Gmail phishing attack going around, and it is one that can fool the best users. The phishers start by compromising a Gmail account, then they rifle through the emails the user has recently received. After finding one with an attachment, they create an image (screenshot) of it and include it in a reply to the sender. They use the same or similar subject line for the email, to invoke recognition and automatic trust. “You click on the image, expecting Gmail to give you a preview of the attachment. Instead, a new tab opens up and you are prompted by Gmail to sign in again,” WordFence CEO Mark Maunder warns. The phishing page is a good copy of Gmail’s login page, and its URL contains the accounts.google.com subdomain, which is enough to fool many into believing that they are on a legitimate Google page. You can take it from there. Even the smartest people, with the right page, will click on a link in an email without examining it. I’m sure you’ve done it; I know I have.
  • Automotive Security. If you have a relatively new vehicle, you are driving an increasingly sophisticated computer that can be easily attacked. But fear not… or fear more. A consortium of researchers announced the development of a universal, free, and open source framework to protect wireless software updates in vehicles. The team issued a challenge to security experts everywhere to try to find vulnerabilities before it is adopted by the automotive industry.
  • Password / Form Security. Passwords are often stored in places you least expect, or obscure places that you do expect because you stored them there. One way around that mess is to use a good password manager. But you need to remember to get rid of the passwords stored outside the manager when you do. Did you? Further, form completion can also get you into trouble by completing saved personal information into fields you don’t expect. Again: use a password manager with form completion.
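The phishing item above turns on one point: the trusted name appears somewhere in the URL, but it is not the host the browser actually talks to. As an added example (not from the article or from WordFence), this Python check extracts the real host of a sign-in URL and compares it to the expected one, run over constructed sample URLs that each contain “accounts.google.com” without being Google; the expected host and the samples are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Assumed for this example: the one legitimate Google sign-in host.
EXPECTED_LOGIN_HOST = "accounts.google.com"


def actual_host(url):
    """Host the browser really connects to, or None for non-web schemes.

    urlsplit().hostname drops userinfo ('name@'), port and path, so a URL that
    merely contains the trusted name somewhere else gets no credit for it.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None  # data:, javascript:, etc. have no host at all
    return parts.hostname.lower() if parts.hostname else None


def check_login_url(url, expected=EXPECTED_LOGIN_HOST):
    """Return (trusted, reason) for a URL seen in the address bar of a login page."""
    scheme = urlsplit(url.strip()).scheme.lower()
    host = actual_host(url)
    if host is None:
        return False, "not an http(s) URL, so there is no real host to trust"
    if host != expected:
        if expected in url.lower():
            return False, f"'{expected}' appears in the URL but the real host is {host}"
        return False, f"real host is {host}, not {expected}"
    if scheme != "https":
        return False, "correct host but no TLS; a genuine sign-in page is HTTPS"
    return True, "host and scheme match"


# Constructed sample URLs (not real phishing infrastructure). Every untrusted
# one contains the string 'accounts.google.com' somewhere, as in the attack.
SAMPLES = [
    "https://accounts.google.com/signin/v2/identifier",        # the real thing
    "https://accounts.google.com.example-login.net/signin",    # lookalike subdomain
    "https://example.net/accounts.google.com/ServiceLogin",    # name in the path
    "https://accounts.google.com@example.net/signin",          # name as userinfo
    "data:text/html,<title>accounts.google.com</title>",       # no host at all
    "http://accounts.google.com/signin",                       # right host, no TLS
]


def audit(urls=SAMPLES):
    """Map each URL to its verdict; only the first sample should pass."""
    return {u: check_login_url(u) for u in urls}


if __name__ == "__main__":
    for url, (ok, why) in audit().items():
        print(f"{'TRUSTED' if ok else 'SUSPECT'}  {url}\n         {why}")
```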


--- *** ---

Being Safe Online

Written By: cahwyguy - Wed Jan 11, 2017 @ 6:24 pm PDT

As you have probably figured out by now, I accumulate articles of interest as I wander the web, and periodically collect them into themed articles. Today is no exception, and our topic for today is cybersecurity — specifically, whether anyone is safe online (or is it just an illusion), and how to really make the situation better.

  • Foreign Actors. In recent weeks, a big question has been whether Russia hacked the US — particularly, the DNC and RNC. Donald Trump, in his news conference today, finally admitted that it was likely Russia did, but that other countries could as well. What is the basis for the belief that Russia was behind things? Brian Krebs, in an article written before the CIA report was released, has a very good analysis. Krebs notes, “It probably doesn’t matter how many indicators of compromise and digital fingerprints the Obama administration releases on this incident: Chances are decent that if you asked a panel of security experts a year from now whether the march of time and additional data points released or leaked in the interim have influenced their opinion, you’ll find them just as evenly divided as they are today.” This is because providing strong attribution is difficult, short of your hacker being stupid, just because of the nature of Internet communications. The article points out that there are specific breadcrumbs that lead to the conclusion, and notes why the public has become skeptical. Of everything. I suggest you read that analysis, and then think about it in light of the BBC disclosure that there are unconfirmed reports that Russia has something on Trump. Ask yourself: If the Russians hacked the DNC, why did they want Trump to win (this is not to say they manipulated the election to do so)? Could it be that they didn’t need to worry about him for other reasons?
  • Data Breaches. Brian also has a really good article on data breaches, and in particular, some immutable truths about such breaches. He explains them in more detail in the article, but here they are in a nutshell: “(•) If you connect it to the Internet, someone will try to hack it. (•) If what you put on the Internet has value, someone will invest time and effort to steal it. (•) Even if what is stolen does not have immediate value to the thief, he can easily find buyers for it. (•) The price he secures for it will almost certainly be a tiny slice of its true worth to the victim. (•) Organizations and individuals unwilling to spend a small fraction of what those assets are worth to secure them against cybercrooks can expect to eventually be relieved of said assets.” First, think about this with respect to the above. Both the DNC and RNC had servers on the Internet. Were they hacked? Most certainly. What was that information worth? Ask Hillary Clinton. Now, you deal with banks and businesses that put your information on the Internet. Now think about the truisms above. Which organizations should you deal with? How much do they value your information?
  • Online Shopping. Dovetailing with all of this is an article from my web hosting service, Webhost, on what to be aware of when you shop online. They, too, go into a bit of detail, but their tips boil down to: (•) Shop online at home (or on a secure connection); (•) Make sure you have text, email, and/or phone security alerts set up with your financial institutions; (•) Always look for HTTPS when shopping; (•) If you’re shopping through a retailer’s mobile app, make sure it is an official version with a reputable company or developer behind it; (•) Use the ‘too good to be true’ rule and trust your gut. I’d add to this the adage to stay in a well-lit well populated part of the Internet. By that I mean: use companies that have a reputation to uphold — they are more likely to do things right.
  • Solving the Problem. The underlying problem for all of the above is that we are using a system that was never meant to be secure. That’s right: the basic and original protocols didn’t think about security because they believed everyone was trustworthy. The corollary to this is: if you want a secure system, you must engineer the security in from the start. Related to this, NIST has just announced a system security engineering website, based on their work with NIST SP 800-160. I’ve been doing a lot of close work with 800-160, and am working on gaining a deep understanding of it, as well as how all of the related processes (assessment, acquisition, and lifecycle) can work together. But 800-160 is a good start.


--- *** ---

How To Be Smarter Than a Democrat?

Written By: cahwyguy - Mon Dec 19, 2016 @ 6:14 pm PDT

Well, sorry to say (from my point of view), but it looks like Donald Trump has won the electoral college vote. We won’t know for sure until the votes are counted by the House in January, but I’m sure that election won’t be hacked.

Yup, sure.

Unlike, say, how the election that got us Trump was hacked. We may never know whether what the Russians did was sufficient to change votes, but we know how they did it, and some of the ways the influence occurred. So, let’s see if you can be smarter than a Democrat. Note that I’m not saying “Democrats” in general, but some specific Democrats in Hillary’s organization.

How did they basically do it? Social engineering. Read the New York Times account of the hack. Podesta was phished, and the starting place was a purported message from Google indicating an account had been hacked, and a password needed to be changed. That, combined with a warning message that mistyped “illegitimate” as “legitimate”, and the damage was done.

See, what people forget is that the weakest link in the security chain is the human link. It is incredibly easy to do a social engineering attack. Our nature is such that we want to be helpful, and we fall for it. Here’s an example: During our recent security conference, one of the banquet staff found a USB drive that someone left behind, and he asked us to return it to its owner. We promptly tossed it. What would you do? Many people would put it in their computer to find the owner — and potentially be hacked. Or they would just announce it and hand it to the owner, letting them be hacked. One never knows what changes were made to that drive when it was out of your sight (this, by the way, is a good reason to use encrypted USB drives).

What about other attacks? Those ads you see on webpages? They can insert malware into your router without you knowing it. They could bring in ransomware. My malware detector has frequently intercepted malicious ads on non-malicious sites. Sites you go to every day. These sites often don’t have control of their ad networks.

By the way, you do have regular backups, right? Not always connected to your computer? Not in the cloud? Could you survive the sudden loss of your data?

As they say, fool me once, shame on you. Fool me twice, and…. well, we’ve just seen the fool get elected. Let’s not be fooled again.

P.S.: And what should you do about the fool? The answer is not to use your computer to sign a petition or send an email. The answer is to take time and write your congresscritters and senators, and as many other congressional people as you can, a hand-written letter. Legibly. This shows that the issue is important enough for you to take the time. Send it to their local office, or call. Insist that Congress hold Trump to the exact same standards of ethics, no conflicts of interest, and highest quality of minimally-partisan appointments to which they held Obama. Different Presidents should not have different standards. And, just like with Obama and Bill Clinton, they should investigate the littlest impropriety or questionable action by the President or any member of his administration. All Presidents and their staff should be held to the same standards.

PS: And if you don’t hold with that position, then please explain why Trump should not be held to the same standard. Party shouldn’t make a difference in how we expect the President to behave, so you must have some other reason. Our President should be the role model for the country, someone that our children can look up to see how a leader behaves.

--- *** ---

Decision 2016: Understanding Email and Related Concerns

Written By: cahwyguy - Fri Oct 21, 2016 @ 6:08 pm PDT

A number of people I know refuse to vote for Hillary because they believe she mishandled classified information, and that the FBI was wrong in not prosecuting her. I’d like to convince them otherwise. So let’s do some reasoning, shall we?

We are talking about email here. What is a unique characteristic of email? It has a sender and a receiver. Suppose you are friends with Jared Fogle, the Subway guy. He decides to send you an email with one of his favorite pictures of children attached. It arrives in your server, unsolicited. Are you guilty of possession of child pornography? Even if you delete it when you receive it? It’s a serious question. I was once at a security conference where someone said one of the best attacks in the world is to go to a conference room computer, load child porn from a thumb drive onto that computer, and then delete it… and then report the person for possessing child porn. Look, he even knew he was guilty when he deleted it, right?

Wrong. The criminal is the person that loaded the illegal material, not the recipient.

The same rules apply with classified information. If someone emails you a classified document over an unclassified system, the person who is in big trouble is the person who originated that document (i.e., took content they knew was classified and entered it into an unclassified system) in the first place. The person who receives it is supposed to recognize and report it (although that doesn’t always happen), and their computer is appropriately cleaned (often with only a minor warning to them, because it wasn’t their fault).

Think about what you know about Hillary’s server. The messages that were found were sent to her; she didn’t originate them. At worst (and this is a supposition), she inadvertently forwarded them because they were not marked properly (plus who would send her classified info on a public computer).

But, you say, people have been prosecuted for having classified information on unclassified computers. Yup. But look at those cases closely: they put that information on those systems, often with the intent to exfiltrate it to an unauthorized party. In fact, espionage laws require that intent to be present, and provably present. I have not seen any articles that demonstrated that Secretary Clinton took a document she knew was classified, put it on her email server, and sent it to someone else with the explicit intent to exfiltrate it. That is why the FBI did not prosecute her, even though there was classified information found.

But, you say, she sent messages with classified information. Other than possibly inadvertent forwarding, my understanding of those incidents is that the information was not classified at the time it was sent; it was classified sometime later. In these cases, what matters is the classification at the time it was sent. Subsequent classification does not expose anything because there is nothing that indicates the original message was confirmed as classified information. It has the same status of classified information published by Wikileaks in the New York Times — if you don’t know it is classified, it has no authority.

Again, there is no evidence (and remember: one is innocent until proven guilty) that Secretary Clinton took information from a marked, classified document, and then entered that information onto her server with the intent to exfiltrate it. That is the crime.

If your sole reason for voting against Hillary is that you believe she mishandled classified information, then I suggest you change your mind. Secretary Clinton — as demonstrated by her debate behavior — is someone who always thinks before she speaks and is always prepared. She knows what is classified, and does not discuss it publicly (unlike Donald Trump, who has disclosed some of his intelligence briefings). She is cautious in how she words things and says things (again, a behavior we have not seen in Mr. Trump). Secretary Clinton cannot control what people send her, and whether they mark it correctly. Her only infraction here is not recognizing mis-marked information and reporting it (for she has already acknowledged the mistake of having the private server in the first place, and indicated she would not do it again… and at the time she did it, private servers were permitted for unclassified information).

ETA 10/25/16: My friend Rick Smith over at Cryptosmith has a great article on this subject. Reading it, another cybersecurity colleague, Dave Bell, wrote: “This is a nice exegesis of the laws and regulations surrounding classified information in general and classified email in particular. Lapses in following Department rules on disclosure are not ILLEGAL (in the sense of violating laws) unless the information is covered by the Espionage Act (circa WWI) or the Atomic Energy Act of 1946. The article points to a more detailed, lawyerly article.”

Lastly, you’ll say, she deleted all this email. That makes her guilty of something, right? Nope. In America, absence of evidence does not imply guilt. The courts require that guilt be proven beyond a reasonable doubt, and there is a presumption of innocence. Just as Mr. Trump is not guilty of all the sexual assault claims until he has his day in court, and the actual evidence presented and a jury convinced, Secretary Clinton is innocent until there is actual evidence of a crime with a conviction. One cannot have the standards be different for some citizens.

So, let’s drop the whole canard about Hillary’s emails. It is up there in the meaningless category with the canard that she is responsible for her husband’s infidelities. Ah, but you say, if that’s a canard then Trump’s behavior is a canard. Potentially, you’re right. Nothing has been proven yet in court. He is only accused, and not proven guilty. He’s as pure as Bill Cosby. Yet words do demonstrate attitude, and he is on record for what he has said, and has not (a) apologized for the words, and (b) changed the behavior. Contrast this with Bill Clinton — there has been no evidence that his behavior has been repeated since the incidents in the 1990s.

--- *** ---

A Sweet Circular News Chum, with Raisins

Written By: cahwyguy - Mon Oct 03, 2016 @ 5:22 pm PDT

It’s Rosh Hashanah afternoon (L’Shana Tovah to all), and I’m exhausted from the morning. Yet I have a bunch of news chum to post. Let’s see if we can braid it into something sweet and circular, coming back by the end to where I started. This time, we’ll just give headlines and a few comments.

  • The O shaped iPod? On Rosh Hashanah, you dip Apples in Honey, so where else to start but with a circular Apple product. This article describes a new circular design for the iPod Shuffle that is quite cool, if a Shuffle has enough storage for your needs.
  • The Taxonomy of Tech Holdouts. As we’re talking about iPods, here are the nine archetypes of planned non-obsolescence, from the Anachronist to the Careful Curator. I think I’m the latter.
  • Navy scuttles sailors’ enlisted rating titles in huge career shake-up. Moving from holdouts to non-holdouts. The Navy is holding on to specialist ratings no more. Effective immediately, sailors will no longer be identified by their job title, say, Fire Controlman 1st Class Joe Sailor. Instead, that would be Petty Officer 1st Class Joe Sailor.
  • New college at Onizuka Station pays homage to the ‘Blue Cube’. Moving from the Navy to their sister service, the Air Force. Those in the Bay Area might remember the blue cube, the former Onizuka AFS. It has been converted into a local college, but still plays homage to its history. The walkways leading from the parking lot to the campus are speckled with flecks of blue paint harvested from the cube. Once inside, there is the Onizuka Cafe for hungry students and the Satellite Lounge next door for relaxation and study. Two murals that previously had been inside the cube are now hung in campus hallways. One features the Challenger shuttle with a memorial poem. The other is signed by many former employees of the Onizuka Air Force Station and coincidentally features a large owl—Foothill’s mascot—with a lightning bolt in its talons.
  • An Abandoned Hospital in West Adams Has Been Filled With Fine Art. Moving from an abandoned Air Station to an abandoned hospital, although this one is still abandoned. The LA Metropolitan Hospital was one of the first black hospitals, but it closed a few years ago and is pending redevelopment. However, for the next month, there is an interesting art exhibit in the abandoned hospital.
  • Texas prisons ban books by Langston Hughes and Bob Dole – but ‘Mein Kampf’ is OK. A hospital is a public service building, and so is a prison. So here’s an interesting prison story: prisons in Texas have banned books by Bob Dole, Harriet Beecher Stowe or Sojourner Truth. But inmates are more than welcome to dig into Adolf Hitler’s “Mein Kampf” or David Duke’s “My Awakening.” The rationale: they ban offensive language or violence or sex, but not offensive ideas.
  • Palestinians’ Abbas seeks British apology for 1917 Jewish homeland declaration. Moving from Hitler to another group that doesn’t like the Jews: the Palestinians. According to the Palestinian President, Britain should apologize for its 1917 declaration endorsing the founding of a Jewish homeland in Palestine and should recognize Palestine as a state.
  • Your Samsung washing machine might be about to explode. Moving from explosive ideas to explosive washers. The problem, it appears, is a defective support rod that is causing washer tubs to separate, potentially launching wires, nuts and other parts. Boom!
  • The one step you shouldn’t skip when cooking with your cast iron pan. Moving from the Laundry Room to the kitchen, here are some tips regarding use of cast iron pans.
  • Fat Flora? Gut Bacteria Differ in Obese Kids. What do you cook in a cast iron pan? Food. And what happens if you eat too much food? You get fat. Researchers have found that obese children have a different population of microorganisms living in their intestinal tracts, compared with lean children. These microorganisms appear to accelerate the conversion of carbohydrates into fat, which then accumulates throughout the body, the researchers said.
  • Attack of the plastic eaters: Can mushrooms, bacteria and mealworms save the planet from pollution? Speaking of bacteria, it turns out they may be the solution to accumulating plastic. As it turns out, nature might offer us the solution to our man-made problems. Scientists around the world are harnessing — in test tubes, under glass domes, and within large bioreactors — the power of living things that can digest plastic without suffering harm.
  • Inside Arizona’s Pump Skimmer Scourge. Of course, if you’re in Arizona, you should keep a close eye on your plastic — not due to bacteria, but criminals that are doing a lot of skimming of gas and other credit cards.
  • Why the Hallmark Card Company Owns Thousands of Priceless Artworks. Plastic, of course, refers to a credit card, and who is one of the largest purveyors of greeting cards? Hallmark. Here’s the history of Hallmark, and why the company owns a lot of priceless art.
  • UC Berkeley mascot Oski celebrates 75th birthday. Of course, you send greeting cards on an anniversary, and it just so happens that Oski, the mascot of UC Berkeley, is celebrating an anniversary — his birthday.
  • Horses can communicate with people using symbols. Oski is a bear, and another type of animal is a horse. It turns out that twenty-three horses learned to tell trainers if they wanted to wear a blanket or not. Subjects were shown three symbols: a horizontal bar to say “I want a blanket”, a blank square for “No change”, and a vertical bar for “I don’t need a blanket”. They learned the meanings in a day or two and used them to convey if they were too warm or too cold, building the case for self-awareness.

Of course, a square is a simple polygon, and if you keep adding sides to a polygon infinitely, you end up with a circle. And a circle, of course, is the shape of the new iPod Shuffle, which permits us to spiral back to where this post began. Of course, circles and spirals are the shape of a round Challah, which we dip in honey as we wish EVERYONE a happy and healthy new year. May you all be written and inscribed for the happiest of years.

--- *** ---