1. At 9:00 AM, I got notice that my dependents will lose their health insurance in 9 days if I don’t document that they are in fact my dependents. The state has launched an audit to hold down costs. Because I might be a cheater out to get health insurance for a bunch of children that don’t deserve it, I have to spend a bunch of time bowing and scraping before the auditor kings and hope they accept my papers. They set up a site where I can upload scanned images of the birth certificates, my marriage certificate, and my tax return. I hope they’ll enjoy looking at the extra images. How much are we paying for this audit?
2. At 11:00 AM I got a reminder about harassment training. The state has mandated that every single state employee undergo harassment training. 30,000 people will sit in conference rooms across the state to be told that it is NOT OK to move their fist back in forth in front of their mouths while pressing out against their cheek with their tongues. I don’t need to be told not to slowly circle my lips with my tongue while looking over my cube wall at my co-worker or make suggestive motions with grocery items. If I DID, a two hour meeting would not cure me! I skipped the training. Because I have work to do. I expect dire consequences.
3. When I got home after this long day of being bad, I was accused of eating a chocolate Gelato (whatever the THAT is) that someone gave my daughter for her birthday. This is fake drama about living with a male who can’t control his urges.
4. Finally, that same evening, the clerk at Target took my $20.00 and held it up to the light. Because I might be trying to pass funny money. I was like, “I’m outta here. Keep your Archer farms Smoked Ham”. How big of a problem is counterfeiting, really? Big enough to train all cashiers to spot bad bills? Big enough to make it worth while to subject all customers to this kind of treatment? Well, if the cost of insulting your customers is zero, then maybe it is worth while. I’d like to raise this cost.

One: Do I get bent when I walk by a bike that is locked up? Isn’t that treating me like I might steal a bike? No. I’m not having a transaction with that bike owner. It also addresses a real problem. I know from personal experience that all unlocked bicycles will be immediately stolen by a supernaturally efficient bike theft underworld.

Two: Don’t all those measures help keep crime at bay and benefit society? I don’t think so. We, as a society, have smashed the living shit out of crime, relatively speaking. New crime prevention measures are reaching the point where cost exceeds benefit. These measures are not going to solve some kind of huge costly problem. Kind of like a runaway train of virtue, well meaning bureaucrats are trying to engineer all slack out of the system and make sure nobody is ever ripped off, injured or even upset. The ultimate effect is to control and harass ordinary citizens to the point where we can’t think of anything else except how not to look suspicious.

this was a group project with some clay and a webcam

That guide goes deep and shows some new features, some of which allow for more privacy. For example,

• Make sublists of friends so you can control which groups of friends see which posts.
• Keep an eye on those Apps. With Application Access Logs, you can see a history of which Apps requested which personal information from you.
• Test your security settings by viewing your Facebook page as it would be seen by another user. To do this, go to privacy settings –> edit profile –> view as. Now type someone’s name in the box and you will see if that person sees only what you want them to see.

There was a good set of instructions going around more than a year ago. I followed those recommendations and like many people, I just assumed those would stick. Well, enough has changed in the account and privacy settings that that old “lockdown” is no longer complete. So, the first step to locking down Facebook is : Pay attention to changes. The graphic at the end of this article shows the changes over time to default Facebook privacy settings and they trend towards more exposure, not less. A good source of Facebook info is the ZDNet friending Facebook blog.

Here are notable facts from the article:

• Especially if you use Facebook with public wi-fi, you need to force HTTPS. It took a long time, much longer than it should have, but FB now allows you to use exclusively HTTPS. This means that your communication between your browser and Facebook will be scrambled so that nobody can read your traffic or hijack your session. HTTPS is not on by default, though. You have to turn it on. If you have any doubt about the need for this, watch this video.
• Customization for Apps has been upgraded. Facebook apps are things like Scrabble, Wordtwist, Mob wars, and whatever else you are adding into Facebook . These third-party applications are often poorly and insecurely written and can even be malicious. Note that the list of apps you see on your front page when you click “apps” is much shorter than the actual list of apps that are installed and silently monitoring your life. To view the full list go to Privacy Settings –> Apps –> Edit Settings. I was surprised to see several apps that I had forgotten about, silently working.
• I missed this in my first pass at checking account settings, but Facebook can also use your “Like” vote about a product or business as endorsement when they show an ad for that product to your friends. You can turn this off Account Settings –> Facebook Ads –> Edit Social Ads Settings.

Two things I would add to that guide:

1. If you haven’t changed your password recently (or ever), do that now. Breaches in the past year make it somewhat likely that your password has leaked out somewhere.
2. This might be more paranoid than you wanna be, but photographs uploaded to Facebook may leak personal information. This information may include the make and model of your camera, time of day and location. If you do not want this information known, consider scrubbing the photograph’s exif data before posting

This is from Facebook itself (link):

Applications your friends use can also access information from your profile

Not much has been written this, but your friends’ poor security choices could affect you. It happens when they post on your wall advertising a funny video that is really a virus.

1. Seeing more ads while wondering where Laura Frisian went? A current Facebook clickjacking attack will fill your browser with ads and infect your wall after you click on a bogus video posted by an infected friend. NoScript makes this impossible. In NoScript, you can still allow facebook to run scripts but deny attempts from other domains to run scripts. NoScript will totally shut this one down
2. Mac Defender. Recently some Mac Users have been falling for a ruse that Windows users have become enured to: The popups that warn us that our system is infected and then proceed to infect when installed. Recently, a group of Google Images were crafted to run the “Mac Defender” or “Mac Protector” warnings and infect users. The Mac Defender popups look like Mac system messages. A user of NoScript would never see them.
3. Cross Tab attacks. A new kind of attack that uses javascript to modify open tabs to resemble web sites you trust. Totally shut down by NoScript.
4. Scripting in the browser is not limited to javascript. CNET describes an attack that uses Scalable Vector Graphics libraries act as a keylogger. NoScript stops this as well. This vulnerability is patched in the latest browsers, but if you run NoScript, you don’t have to wait for the software to get fixed.
5. Banker Rootkit. The Banker Rootkit exploited a hole in Java that has since been fixed. A user gets infected by navigating to a malicious website which then loads java and through the hole in java, installs a program on your computer that changes your hosts file and installs fake certificates in your browser. The attackers can then gather your bank credentials and empty your account. NoScript turns off Java as well by default and protects against this attack.
6. Oh, you never go to malicious sites? Perfectly legitimate sites might be infected with either malicious ads or SQL injected files that in turn attempt to run malicious scripts when you visit. A recent SQL Injection campaign infected tens of thousands of sites with javascript based malware that NoScript handily prevented from running.

The author posts ongoing NoScript development news on his excellent blog.

I think I’ve been made much safer by NoScript and I’ve grown used to the extra step of allowing scripting at sites I trust. But don’t trust me. Even the National Security Agency recommends NoScript in their recent security Best Practices datasheet.

Syria did not do a very good job. While they were able to set up a Man in The Middle (MITM) they didn’t bother to issue a realistic fake certificate. A browser will warn the user that an unknown certificate is presented by a web server (the fake one wasn’t found in that user’s list of certificates). Unfortunately, many users just click past whatever warnings they need to click to get to the site they want.

Much more effective and scary is the recent attack by Iran doing almost the same thing but issuing a real certificate through an authority that browsers trust. In this case, the browser will NOT warn the user that the certificate is bogus.

A security company named psyced sought to address this problem. According to them:

Your web browser trusts a lot of certification authorities and chained sub-authority, and it does so blindly. Subordinate or intermediate certification authorities are a little known device: The root CAs in your browser can delegate permission to issue certificates to an unlimited amount of subordinate CAs just by signing their certificate, not by borrowing their precious private key to them. It is unclear how many intermediate certification authorities really exist, and yet each of them has God-like power to impersonate any https site.

Once a subordinate gains this trust, it can issue any “valid” certificate it can think of, even for a domain they have no business signing. This means that these subordinates can change the country of the cert and change the domain, becoming the trusted certificate authority for, say, Bank of America.

Firefox Certificate Patrol to the Rescue. This neat little add-on warns you when a certificate trusted by your browser changes. This extension would warn you if a subordinate certificate authority suddenly got delusions of grandeur and decided it was a major US bank. It keeps a database of all the https certificates it knows about, and if one changes, it warns you.

Installing this product into Firefox, I don’t find it very intrusive or confusing. When it finds a certificate it hasn’t encountered before, it positions a yellow notice in the top of your browser that disappears after a short time. Now that It has shown me one for Twitter, for example, it won’t show me one again until it changes, indicating that either Twitter has changed its provider (unlikely) or that a subordinate certificate authority has been compromised and made to look like Twitter.

Here is an academic-looking paper about such attacks. The paper does a nice job of describing the problem and plausible scenarios where a CA is “compelled” by a government to issue subordinate certificates that may be easily falsified. It promotes a way of warning users only when the country of the certificate authority changes. This is helpful because it can let the user know if their bank’s certificate authority suddenly switched to being issued in Russia. The paper’s promised product, CertLock seems to have never been released, though.

The paper says,

We also believe that there is little reason to warn users if a website switches CAs within the same country. As our threat model is focused on a government adversary with the power to compel any domestic CA into issuing certificates at will, we consider CAs within a country to be equals. That is, a government agency able to compel a new CA into issuing a certificate could just as easily compel the original CA into issuing a new certificate for the same site. Since we have already opted to not warn users in that scenario (described above), there is no need to warn users in the event of a same-country CA change.

Fortunately, Certificate Patrol has opted to warn users in that scenario and many others. Even if the government compels the same CA into issuing a new certificate, you will be warned. It may not be possible in all cases for you to figure out if something funny is going on, but you will be warned. You may wish to combine this warning with a search in the EFF’s SSL Observatory for further research.

While Security Patrol is a great product, it is kind of a band-aid. It seems like we need a new approach to the CA system and I don’t know what that is.

They say that Firefox security patrol is for users that will not be befuddled by more alerts in their browsers. They also say that “only by getting familiar with this will really help you get in control.” I say that our privacy and security depends on understanding this stuff.

A great real-life example how this works is related in this forum post. The browser in question there is Google Chrome and Google has a slightly different approach to this problem., but the warning would be similar.

Here is the light rail station going up in front of my office building

I’m glad I read this book because I gained insight into the world of late antiquity. Augustine’s personality and the events of his life come alive. He became a real person instead of a ghostly figure in a Russian icon. I was struck by how easy it was to relate to the attitudes and activities of these people. Augustine ran around as a youth in Carthage with a gang of hipsters vandalizing stuff and having all-night bull sessions.

I gained less understanding about why Augustine was so important and why Augustine was attracted to Christianity out of all the competing ideologies he experimented with (Paganism and Manicheanism).

I needed something like “Augustine came up with X and this influenced all Christian thought as evidenced by A,B, and C.” If I had to come up with the X after reading this book, I guess it would be his insights about the will or the concept of the church as a “City of God”. I would not be able to give you the A, B, and C. It may be right in there, but I missed it. I suspect that Wills assumes some pre-existing knowledge on the part of the reader. I didn’t always find it easy to read the philosophical explanations. When he discussed a theory of time and brought in Karl Popper and Bertrand Russell, wow, I was lost (and I consider myself a time-travel expert).

Gary Wills has this way of lurching from one subject to another. Traditional demarcations of subjects such as chapters or transitional paragraphs are missing.



View all my reviews

I like the rhythm of the library. Request, borrow, read, return.

For someone of my height, shopping at Goodwill isn’t always the best use of my time. I do better at Lutheran church rummage sales. I pretty much need a “long” and those are few and far between (and often monogrammed).