inside the man

Friday, October 28, 2005

A strong female voice for Islam

The International Conference on Islamic Feminism currently underway in Barcelona calls "gender jihad" to sexist readings of Islamic sacred texts. Here is an excerpt from Abdennur Prado's keynote call to arms:

"Opposing this internal criticism (deconstruction of the patriarchy based on the sources of Islam), we consider that Western culture's claim to superiority is not an effective adversary against fundamentalism, as this attack fails in his objective and tends to inflame even further these opposing stances. The more aggressive the pro-westernisation stance is and the more it relies on arguments based on a fear of Islam, the more strength is gained by the fundamentalist movements that present themselves as defenders of their religion in the face of these attacks 'from outside'.

Nor are attempts at 'social engineering' effective, such as that of Kemal Ataturk, put in practice in Turkey - banning the veil, closing the sufi associations, substituting the Arabic alphabet for the Latin alphabet, repressing all public expression of religious acts, etc. The failure of this policy could not be more spectacular. The social engineering and spread of anti-religious secularism carried out has not achieved its aim. In fact, Turkey has gone from being a region characterised by syncretism, the mixing of cultures and religious pluralism, to be a country in which traditional Islam is threatened by political Islam (Islamism).
"

Wednesday, October 26, 2005

Twins for Hitler? A fresh face for fascism?

While surfing some religious blogs this morning, the photo below caught my eye on a blog called doxology. Here is an excerpt from the underlying ABC story:

"They may remind you another famous pair of singers, the Olsen Twins, and the girls say they like that. But unlike the Olsens, who built a media empire on their fun-loving, squeaky-clean image, Lamb and Lynx are cultivating a much darker personna. They are white nationalists and use their talents to preach a message of hate."

Tuesday, October 25, 2005

Inside a penetration testing shop

Its one thing to build Nessus on your Linux box, click all tests on, enter a target IP, click go, and watch the test progress bar grow. After hundreds of thousands of Ethernet TX/RX LED flickers, Nessus will present you with a nicely formatted report of any and all vulnerabilities it discovers - including an inevitable rash of false positives. It is an entirely different thing to get a well trained and well equipped team of white hat hackers to try and bust into your critical web based systems. Do not get me wrong, Nessus is a spectacular information security tool, but just as people are better than computers at playing the game of go, people are better than automated tools at uncovering system vulnerabilities. This is especially true in the realm of web application vulnerabilities, an area where the available tools have not reached the level of sophistication that Nessus and its commercial counterparts have for general remote host audits.

Jeremiah Gossman has a column on BetaNews that gives an inside look into his web application security outfit, WhiteHat Security. Here is an excerpt.

"With the necessary paperwork signed and account credentials generated, we were ready to go. The URL and username/password were revealed to the racers and the symbolic green flag dropped. The next several seconds we heard nothing but mouse clicks and keyboard tapping.

From past experience we've learned that the fastest way to victory is to target the search boxes first and try for a speedy XSS win. Search boxes are notorious for such insecurities. It's a cheap trick, but it works. Next, it's best to look for input parameters and determine if any of them echo URL query data, indicating another potential spot for XSS.

The first 60 seconds of the race flew by. Nervousness set in because we knew that at any moment someone was going to claim speed-hack victory. Bill Pennington (WhiteHat's VP of Services), in what is becoming a trend, identified the first vulnerability (XSS) in about 1 minute 30 seconds. In classic style, we cried foul because he could arguably only exploit himself with XSS and represented no further risk.
"
Professional go player Fung Yun audio documentary

(RealAudio format)

"Even though it's been around for thousands of years, chances are you've never heard of the game, Go. Created in China, it's a board game that involves the placing of stones on a grid. One of the game's top players, Feng Yun, lives in New Jersey. But this week she's gone back to her homeland in China to participate in an international tournament. She sits down with independent producer Blake Eskin to talk about the game."
The joys of library blogs

My uncle, Ross Thrasher, who is also a librarian (although a blogless one), once said to me, "librarianship is the last bastion of the generalist". Perhaps this "intellectual diversity" (or "lack of focus"?) is why I enjoy reading library blogs - you never know what you are going to come across. One spectacular example is Peter Binkley's recent post about a delightful animated musical retelling of the great Hindu epic Ramayana entitled "Sita Sings the Blues". Check it out in QuickTime format here. Jaya Sita Rama!
Splog me

"Splogs are blogs set up for spamming purposes (Spam Blogs). By themselves they would probably go unnoticed since they have nothing to offer most readers, but through aggressive use of keywords they trick indexing services into sending out spam messages as links to the blogs."

Friday, October 21, 2005

Geek humor

"If I was going to make an evil programming language, I would not name it after a snake."
- Larry Wall

Thursday, October 20, 2005

German publishers warm to Google Print

In the wake of the news of a second American copyright suit over Google Print, Deutche Welle reports that German publishers kinda like the idea.

"An increased and more direct reach to the consumer is just one way Google is promoting its new project to skeptical publishers. The company also says that publishers will be able to monitor interest in titles through the search engine, and use the information in deciding whether to reprint certain books. Google has also promised publishers a cut of the advertising that will appear on the site."
Google Print lawsuit number two

A couple of weeks ago the Authors' Guild filed a copyright lawsuit against Google. Now the Association of American Publishers has joined in the fray with their own suit. Slashdot reports:

"The Association of American Publishers, an organization of book publishers including Pearson Plc's Penguin unit and McGraw-Hill sued Google over its plan to create a digital Web library of printed books. The Association of American Publishers sued Wednesday after talks broke down with Google over copyright issues raised by the Google Print Library Project. Publishers say Google will infringe copyrights unless it gets advance permission for the scanning. The suit is the second by the publishing industry against Google's library plans and underscores the worries sparked by Google's expansion beyond Web search."

Wednesday, October 19, 2005

IA pitches folksonomies to librarians

nform Information Architect Gene Smith faced an audience of professional librarians at the Access conference this week to let them know that folksonomies are a good idea. While this conference is being held in my home town of Edmonton, Alberta, I was, unfortunately unable to attend. Fortunately, Gene has made his slides available at his blog.

I can tell you, as a librarian, that the profession as a whole is not necessarily warm to the idea of folksonomies. Librarians have a long term professional stake in the notion of authoritative classification and description of documents using thesauri and other controlled vocabularies. The folksonomic or social tagging movement is the antithesis of this perspective focused on amateur classification unimpeded by formal vocabularies.

I do not know how Gene introduced Clay Sharky's opinions on this issue during his presentation - it would be interesting to know - but Sharky's name is mentioned a few times and his mug graces one slide. I wonder how the audience of librarians, most of whom would not be familiar with Sharky's views on the profession of cataloguing, would respond if Gene had read the following quote from the summary of one of Sharky's well known presentations?

"The LC scheme, when examined closely, is riddled with inconsistencies, bias, and gaps. Top level geographic categories, for example, include "The Balkan Peninsula" and "Asia." The primary medical categories don't include oncology, defaulting to the older and now discredited notion that cancers were more related to specific organs than to common processes. And the list of such oddities goes on... it enforces cookie-cutter categorization that doesn't reflect the polyphony of its contents--there is a literature of creativity, for example, made up of books about art, science, engineering, and so on, and yet those books are not categorized (which is to say shelved) together, because the LC scheme doesn't recognize creativity as an organizing principle. For a reader interested in creativity, the LC ontology destroys value rather than creating it."

[You can listen to Sharky's full presentation here.]

There is also a third approach mentioned in Gene's slides - machine indexing. For the sake of clarity, the three approaches to making documents (or items, data, or whatever) findable are:

  1. The traditional cataloguer's approach - authoritative classification with controlled vocabularies that may or may not fit into the categories of ontologies or thesauri
  2. The amateur post-facto approach - a community of users, which may be as small as one or as large as all Internet users, tags items with any word they want to use
  3. The Google approach - keyword index everything and use clever relevance sorting on search results


For the record, I support the view put forward in Gene's final slide, the ideal for most situations is a combination of approaches to describing items.

Tuesday, October 18, 2005

EFF outs government-industry collusion

The Electronic Frontier Foundation (EFF) has cracked the secret fingerprinting code that some color printer vendors use to watermark every printed page. The story has chilling reverberations for how technology "features" that are introduced to combat one problem, in this case counterfeiting, can be used to combat many others as well. EFF Senior Staff Attorney Lee Tien:

"'Even worse, it shows how the government and private industry make backroom deals to weaken our privacy by compromising everyday equipment like printers. The logical next question is: what other deals have been or are being made to ensure that our technology rats on us?'"

UPDATE: This story has now been picked up by slashdot, the wp, and others.
UPDATE: October 19, 2005: Mr. Schneier covers as well.

Thursday, October 13, 2005

Why spend on IT?

Students in my IT Strategic Planning class at the University of Alberta will be familiar with the message of John Thorp in a recent Computerworld article cleverly entitled, "Buyers addicted to gambling on IT investments".

"Business needs to take greater responsibility for technology investments as $800 billion is wasted on ill-conceived IT projects each year, according to the head of Fujitsu's global consulting centre for strategic leadership, John Thorp. Pointing the finger at companies for having 'a serious addiction to gambling on IT investments', Thorp said a huge amount of money is spent on IT that is creating no value. 'The minute you put IT in front of something, it's an IT problem. IT strategy, IT governance, it's not about IT, it's about enterprise value,' he said."
Uncertain future for snort under Check Point

Security Wire Perspectives on Check Point's recent acquisition of Sourcefire, the owners of the open source IDS, snort:

"'Snort is now and will continue to be free to end-users,' Roesch wrote. 'We will continue to develop and distribute the Snort engine under the GPL, improve and document the program to stay on the cutting edge and expand the Snort.org Web site.'

Still, industry observers are hardly optimistic. Martin McKeay, a CISSP and Snort user based in Santa Rosa, Calif., said he's hoping for the best, but expecting the worst.
"

Tuesday, October 11, 2005

IT security: dangerous professionals or dangerous legislation?

The Register ran a story today regarding the conviction of Daniel Cuthbert, a respected IT security expert, for attempting to bust into a tsunami relief donation site in order to determine if it was a phishing scam. Cuthbert was found guilty even though he did not gain access, and the judge accepted that his motives where not malicious. What is interesting about the Register's story is that it provides a little - and only a little - more detail about what exactly Cuthbert did to try and "test" the site in question.

"On December 31, 2004, Cuthbert, using an Apple laptop and Safari browser, became concerned that a website collecting credit card details for donations to the Tsunami appeal could be a phishing site. After making a donation, and not seeing a final confirmation or thank-you page, Cuthbert put ../../../ into the address line. If the site had been unprotected this would have allowed him to move up three directories. After running the two tests, at between 15.12 and 15.15 on New Year's Eve, Cuthbert took no further action. In fact his action set off an Intrusion Detection System at BT's offices in Edinburgh and the telco called the police. A witness for BT confirmed that the attack would have had no effect on its server, running Unix Solaris, even if it had not been detected by the IDS. The Crown also accepted that there was no malicious motive in Cuthbert's actions."

The story mentions "two tests" but only describes a pretty trivial directory traversal attempt. What was the other test, I wonder?

Saturday, October 08, 2005

Here's a good one

Thursday, October 06, 2005

Is there an open source security application crisis?

CheckPoint acquires Sourcefire, the makers of snort, and Nessus closes its source. What is going on!?!? Next fyodor will sell nmap!

Blog Archive

About Me

My photo
Edmonton, Alberta, Canada
Returned to working as a Management Consultant, specializing in risk, security, and regulatory compliance, with Fujitsu Canada after running the IT shop in the largest library in the South Pacific.

CC Developing Nations
This work is licensed under a Creative Commons Developing Nations license.

Site Meter