Thursday, August 27, 2015

Thursday Truths - Han Shot First

Welcome to Thursday Truths. My goal is to write about one obvious truth each week.

Tonight the truth is "Han shot first". This is no surprise to anyone who saw Star Wars when it was released as the director originally envisioned it. Han Solo was (is) a scoundrel. And a hero. And a man who is not a sociopath.

He shoots first not because he couldn't give a damn, but because he is threatened. Very pointedly threatened. He knew his assailant. He knew he would suffer horrific pain if brought to Jabba. He did the math and came to the conclusion there was only one way out alive.

I cannot emphasize that enough. Knowing the threat completely is the only thing which absolves him. For him it was a decisive act of self-defense. To kill without comprehending the threat reduces a person to the mindlessness of a George Zimmerman. This is the key point. Without knowledge and understanding, you cannot wield extreme force.

Our society does not like subtle points like this. So, we have the Disney-fied remix of the movie. Here Han was just lucky. He happened to not get hit with a shot at point blank range, then managed to retaliate. I believe the term is dice-liced. This reduces him to someone who simply has reasonably good reflexes. Or worse, someone who has no comprehension and just reacts.

I'll take my Han Solo as I found him. A scoundrel yes. But a thinking man's one.

Tuesday, July 21, 2015

Could Hollywood improve cyber security?

The digerati know that vehicles using Chrysler's Uconnect can be compromised remotely. You can read more in the Wired article (Hackers Remotely Kill Jeep). The problem is that neither the general public nor their elected representatives know or care much about it. If they did, they might understand how this is a threat to both our nation's economy and security.

Q: How do you raise awareness?
A: Motion Pictures.

The basic idea: Standard fare action adventure movie. Someone pretending to be a valet at a car park slaps a device into the OBD port of the target's car. They drive away and are remotely executed in what looks like a plausible car crash.

Now you need a few reviewers to point out that this is not fiction, and possible today. With that you might generate some justified public concern. Make the movie target an elected representative and you might get some actual movement in our laws.

Senators Markey and Blumenthal have introduced a bill which addresses these issues. (http://www.markey.senate.gov/news/press-releases/sens-markey-blumenthal-introduce-legislation-to-protect-drivers-from-auto-security-privacy-risks-with-standards-and-cyber-dashboard-rating-system, http://www.markey.senate.gov/imo/media/doc/SPY%20Car%20legislation.pdf). It is a great start, but it misses one point. It should not simply say "such as penetration testing". It should require "penetration testing by multiple independent third parties".

Well, I seem to have gotten a little off topic here, but I do think it would make a great plot element in a film. I'm claiming copyright on that idea. I won't require much in residuals.


Tuesday, July 14, 2015

Online banking password fun

Security teams that do not test UI flows deserve a special place in hell....

  • I bank with Chase.
  • My current password is long enough and not made of any known words, but it has no digits in it.
  • www.chase.com recognizes machines you sign in from (cookie or browser fingerprint, I do not know).
  • When I use a new machine or browser installation, they redirect to a page where I can get a verification code sent to me via text or email.
  • When I click Send, they direct me to a page where I must enter the access code and my current password.

Nothing that special so far, simple two-factor authentication. But wait for it.......

When I enter my access code and password, it rejects the password in browser-side code because it does not have a number in it. They have implemented the new password policy in the UI without first making sure existing customers' passwords comply with it. I can certainly work around this, but they are going to have some unhappy people over the next few months.

Monday, June 1, 2015

Bubble Wrap Day

Baseball teams have traditionally had give-away nights a few times a season. From childhood, we all know of bat day (which, surprisingly, does not seem to cause more trauma than usual: http://www.ncbi.nlm.nih.gov/pubmed/8135433), and cap day. Over the years they have added BBQ aprons, bobbleheads, gym bags, sunglasses, jerseys, beer cups, pins, and some sorry gift cards.

Toss it all in the dumpster. I want Bubble Wrap Day™.

Every attendee gets a square yard of bubble wrap. The organist pumps up the music. We all pop it in unison. Or... taunt the opposing pitcher. I challenge anyone to keep their composure with 15,000 people popping bubbles at them.

Friday, May 22, 2015

Let's hear it for taxpayer-supported rule of law.

My daughter's pocket was picked the other day. It turns out you can get your driver's license replaced for free if you file a police report. We asked if she was going to do that and she said "That depends on how much it costs."

Huh?

"Well, yeah. It depends on how much it costs to file a report with the police."

"What do you mean? It's free."

After a bit of back and forth, we realized that she spent some college summers in the Dominican Republic and Tanzania. There, it seems, the police serve only those who can afford them. If you want service, you pay directly.

We might have some issues with who the police serve in the USA, but I am happy to live in a country where the presumption is that anyone who is wronged has a chance at justice.

Sunday, January 11, 2015

Performance Sheets

Last week, we purchased a Sleep Number mattress. It was grotesquely expensive, but I'm willing to try it so that my wife and I can have different softnesses on our respective sides. Marriage is a lifetime of compromises, but one person sacrificing sleep for the other is not a sustainable situation.

The salesperson (unsuccessfully) tried to sell us their "Performance Sheets" - at roughly $300 a set. I cut my losses there. Performance Sheets. Really? I've been sleeping every day of my life for years, but I'm not sure I have advanced beyond amateur status. I have had some critical acclaim in the non-sleeping arena, but still, performance sounds too theatrical. Miles Monroe said it best: "Uh, uh, I don't think I'm up to a performance, but I'll rehearse with you, if you like."