Circuit Writer

Is John McCain good for Us?

Once again, please note that I define "us" as people using computers both professionally and for pleasure; in other words, DACS members like you and me. Last month we looked at Barack Obama. On the Obama website, technology is a major heading under issues. Technology does not make the top cut for issues on the McCain website. Once you navigate to the technology page (ok, it only took two clicks rather than one), the thing that struck me first was that I had to scroll half way down the page before I found anything that dealt with end users like us. 

The major technology bullets, followed by my comments, are:

• Encourage investment in innovation (this is part of McCain’s policies to lower taxes, particularly on business)
• Develop a skilled work force (by increasing H-1B visas, thus reducing opportunities and pay for Americans)
• Champion open and fair trade (deregulation and market-based)
• Reform intellectual property protection (more funding for the patent office, rather than patent reform)
• Keep the Internet and entrepreneurs free of unnecessary regulation (finally! But rather than ensuring net neutrality, McCain would leave it to the market place)
• Ensure a fully connected citizenry (the programs mentioned are mostly oriented to rural areas, where Internet and other digital services are poor)

The main difference between Barack Obama and John McCain from our perspective is emphasis. McCain policies seem oriented more toward business with little or nothing to actually protect your digital rights. Instead he relies on the availability of competition to preserve net neutrality. I urge you to read the technology pages of both candidates and judge for yourself. Final comments: John McCain admits he does not use email or the Internet, but he does have an official Facebook page. Anyone want to take bets on whether he has actually seen it himself?

The Is This For Real? Department

With airlines dropping flights and reducing service on all fronts, even removing the magazines from planes to save fuel, Delta Air Lines is actually launching a new service. Yes, soon you will be able to use Wi-Fi to surf the web and talk on Skype at 30,000 feet. The service is planned for the entire Delta domestic fleet by summer 2009. The service will cost $9.95, and lest you think that you might get a better deal on longer flights, it will cost $12.95 on flights longer than three hours. Now, haven’t we been warned for lo these many years, to turn off any device that might emit a radio signal lest we interfere with the plane’s navigation and electronics? I guess at least one airline can solve this sticky technical issue once the marketing guys develop a reason! The eWeek article mentions how the equipment provided by Aircell is “extremely light, requiring minimal space on the aircraft, and can be installed overnight” but says nothing about any testing or modifications to the plane’s avionics to ensure that the planes will not fall out of the sky the first time some guy in business class surfs to a porn site.

Comcast, the FCC and Net Neutrality

The FCC, in a 3-2 vote, found that Comcast violated net neutrality principles when it throttled BitTorrent traffic. While this appears to be a great victory for Internet freedom, we should not jump to conclusions. The vote was narrow to give Comcast a slap on the wrist. Meanwhile, Comcast says it is ready to change how it manages its network traffic and the ruling reduces pressure in Congress to codify net neutrality in legislation – something the large Internet providers do not want. Read the New York Times article.

The Could This Happen Here? Department

If I said that this could only happen in San Francisco, I’d be lying because I know that’s just not true. Even if I said that it could only happen in government, it would be far from honest. As you may have guessed, I refer to the situation in San Francisco where a consultant held the city’s network hostage when he set up the security so that he was the only one with access to the top-level administrative privileges.

Terry Childs, a network administrator (or network designer or security expert, depending on what you read) set up the city’s new FiberWAN so that he was the only one with top level security access and then refused to give the key (the password) to the city even when sitting in jail under $5 million bail. The standoff continued for several days while experts (presumably newly hired experts) tried to crack the passwords and other experts speculated that Childs had set up a “logic bomb” that would cripple the city. The network, which contains official city email, payroll, and law enforcement information, continued to function flawlessly while Childs sat in jail. Only a secret jailhouse visit from S.F. Mayor Gavin Newsom finally convinced Childs to give up the password.

Like so many stories, once the juicy parts are resolved, the coverage stops. After nine days of drama, the city regained administrative control of the network. I’m sure there is more to this story. Read this story on the New York Times and on Dark Reading and see for yourself. I cannot fathom how IT management at the City of San Francisco allowed the situation to reach this point.

Russian Gangs and Malware

Malware needs to be taken seriously. It’s not just an annoyance like the virus that deletes your music files but a product of organized crime. Many large businesses think that it’s ok if their network is penetrated once or twice a month as that level of infection is manageable. Now a security researcher has uncovered a Russian gang that is actually using the same enterprise tools used by the corporations themselves to distribute a program called Coreflood. Coreflood captures and transmits keystrokes (to capture passwords) and personal information to a central database.

Attacks can start with a single compromised machine on the network, possibly a laptop belonging to a visitor. Once the gang controls a machine with administrative privileges, they configure Microsoft System Center (an enterprise tool to manage networks with large numbers of servers and end user computers) or another tool to deliver and install the Coreflood program to every computer on the network. Note that this is not a flaw in System Center – it is doing exactly what it is told to do which is to install software. The fact that it is not the authorized network administrator who is in command is another matter. Read more on the New York Times.

This is not the only Russian Gang malware story by any means. Most of the gangs harvest and control botnets of thousands of malware-infected computers. The botnets are often used to send spam, notably phishing attacks which lead theft of credit card numbers at the low end and identity theft at the worst. The gangs do not use the credit cards themselves. Instead they sell the number to other criminals to manufacture fake cards and sell them to petty thieves on the Internet or even on the street. The person who gets caught with the fake card is so far down the food chain, there is no way to trace the transaction back to the gangs responsible.

While most of the database servers used by these gangs are overseas, the gang at the top of this article had a server in Wisconsin. When threatened, they moved it to Ukraine. Now there is new evidence they have relocated to IP blocks in China. If this is not global warfare, I don’t know what to call it. Read more at eWeek where there are links to even more.

Domain Name Tasting Will End, and other Fairy Tales

The practice of registering a domain name, setting up a trivial website and then monitoring the hits during the five day grace period is know as domain tasting. Often the domain names in question are ones that expire accidentally. If the real owner wants to recover his domain, the taster will ask an exorbitant ransom. While legal in the narrow sense, the practice is not ethical, especially when practiced by unscrupulous domain registrars – the very people charged with protecting those domain names for the registrant! ICANN, the quasi-governmental organization charged with managing the Internet infrastructure (domain name registration and IP addresses) has issued a couple of rules changes that may help – or may not, depending on who you ask. A full explanation is beyond our scope here so read more on eWeek and at The Coalition Against Domain Name Abuse (cadna.org).

Serious Security Flaw In Internet Infrastructure

Several months back Dan Kaminsky, the director of penetration testing for the security company IOActive, found an incredibly simple and thus incredibly serious flaw in DNS. The Domain Name System (DNS) is what translates the user friendly names we type into the address bar of our browser, like dacs.org, into the IP address of the server we want. The flaw, known as cache poisoning, tricks a DNS server into delivering the wrong IP address to a query. The user making the query then goes to the wrong server which could contain a phishing website. When this was first discovered, all DNS servers everywhere, even the root servers at the very top of the Internet infrastructure, were vulnerable because the flaw was part of the original design. Kaminsky acted quickly and privately alerted people at Cisco and other major infrastructure manufacturers. Quickly and quietly people worked to design a patch and to implement it throughout the Internet. The patch was released in early July. After the months of work, Kaminsky planned to give a paper at the Black Hat Conference in Las Vegas to announce the flaw and the work done to fix it.

As so often happens, the flaw was leaked early, apparently by mistake. Since then Kaminsky has become a celebrity with an interview on NPR’s All Things Considered. It’s really good to read a story once in a while about someone who acted responsibly when confronted with a problem that literally affected the world.

Is Barack Obama good for Us?

Please note that I define "us" in this case as people who use computers both professionally and for pleasure, in other words, DACS members like you and me.

Much of Senator Obama's success in the primaries has been attributed to his "use of the Internet". So if he, or really his campaign, is so technically savvy, will he make the best president for us as computer users and consumers of online media? Will an Obama administration make policy favorable to "us"? So far we have several ways to look at this question.

The Obama campaign was derided by a Clinton campaign official for "looking like Facebook". We know who won that battle, but many people feel that the social networking model has been a key factor in the Obama success. So let’s look at his Facebook page. You will need a Facebook account to view this. [Don’t lie when you sign up, it only causes problems later on. Use your real name and age.]

His Facebook page is typical for a politician (one of the page types you can select when opening an account). There is little real information about policies and it appears that the page is really just an anchor for Facebook members to become “supporters” and a convenient place to read news and comments. Becoming a supporter sends a notice to your Facebook friends that you have done so, which is how social networking works. For information the Obama Facebook page has links to the official campaign Facebook group, to the campaign’s mySpace page, and to Michele Obama’s Facebook page. I suspect that all this is exactly what the typical obsessive Facebook user wants. To see more information in the form of news clips, videos, etc., you can add Barak Obama to your Facebook page. Without extensive experimentation, I have no idea what this might entail.

The “Barack Obama (One Million Strong for Barack)” Facebook Group has more information; however most of it is about how to volunteer for the campaign at several levels. Once again, this is what social networking is about but does not answer my question.

So back to the official campaign website we go for a quick dose of policy platitudes. There is a PDF, The Blueprint for Change, that has more detail than the website and I urge all of you to read it thoroughly.

From our standpoint he does address several issues:

• Net Neutrality – an open Internet. This is paramount and most of the right words are in the statement. As always, the devil is in the details, but at least he has it as the top technology issue.

• Patent Reform – Basically he suggests giving the Patient Office the resources needed to do a better job. Nice, but how about eliminating trivial software patents?

• Copyright protection at home and abroad – Here he does a nice job of defining some problems without much on the solutions side. He seems to be dancing on the fence here although at least he is not railing about digital downloads and trivial software piracy while ignoring the factories that pump out fakes in quantity.

• Protecting children versus the First Amendment – this has been a tricky issue since the nineties. The statement says Obama will “give parents the tools to prevent reception of programming that they find offensive on television and on digital media.” No on can be against this, but how to do it?!

• Broader broadband – This is interesting. He notes that the FCC “defines ‘broadband’ as an astonishingly low 200 kbps. This distorts federal policy and hamstrings efforts to broaden broadband access. Obama will define ‘broadband’ for purposes of national policy at speeds demanded by 21st century business and communications.”

This is a very narrow look at some of the computer user issues I’ve talked about here over the months. Obviously there are many, many more issues that touch all of us like voting machine technology and immigration reform (H1B visas), to name just two. There are position statements on these and more, so I urge you to take a really good look.

Next month we will look at Senator McCain.

WiMax is the Next Big Thing - maybe

You can think of WiMax as Wi-Fi on steroids with a potential range measured in miles rather than feet. As the market for Wi-Fi subscription services like T-Mobile and Boingo disintegrates (have you noticed?), WiMax is a new way for an ISP to get you on the Internet. There are two forms – fixed and mobile. The mobile version works like a cell phone as you move about, transferring your session from one tower to the next. I see no reason for anyone to offer the fixed version. Sprint, the only cell phone provider without a “high” speed data plan, planned to implement WiMax, then backed down, then did a deal with Clearwire and WiMax is back on. Intel is has been really pushing this for some time <pun>(they got the chips!)</pun> so it is bound to happen eventually, even here in the USofA.

Another Next Big Thing

The SSD or solid state drive will become standard for laptops any day now. An SSD is essentially a really big flash drive that replaces the hard drive. Battery life gains will drive the change as costs for such devices drop. Capacities are already there with Dell offering a 128GB SSD in selected notebooks. Much smaller SSDs have been standard in ultramobile notebooks like the OLPC XO-1, ASUS EeePC from the beginning. The XO-1 used a SSD for durability as well as battery life. Many pundits predicted the technology in the XO-1 would become mainstream. It has begun.

They Said It Couldn’t Be Done Department

Seagate has introduced a 1.5 terabyte hard drive. Just a few years ago, you bought this kind of capacity from one of the high-end enterprise storage specialists like EMC who sold you an cabinet full of drivers configured in an array. The new drive is the regular 3.5” size that has been standard now for about fifteen years. The new drive uses PMR (Perpendicular Magnetic Recording – not Pimp My Ride) to increase the areal density (bits per square inch) of the drive platter.

Equally amazing is a 500-gigabyte notebook drive. Yes, you can now walk around with one-half terabyte of whatever amuses you in your laptop. Soon it will be possible for one lost laptop to contain personal information about every person on earth.

As you can see from the version number in the title, this begins my seventh year writing monthly for DACS.

As I write this on Sunday morning, NBC is paying tribute to Tim Russert, the longtime host of Meet the Press. There is no way to tie this into DACS or computing so I won’t try, but Tim has been an important part of my Sunday mornings for many years. In this column, I often try to associate tech issues with the political players who make or influence those decisions. Each week Tim brought those players into our homes in a way that made issues understandable. He got answers to tough but fair questions while holding his guests accountable for past statements. Two things made Tim a standout: his humility, the show was always about politics – not him, and his loyalty to all things Buffalo. Sunday mornings will never be the same. 

The Browser War Returns 

The best evidence that Microsoft intended to kill Netscape is how the intervals between versions of Internet Explorer got longer and longer once there was no Netscape Navigator with which to compete. Would there be an IE 7 if there were no Firefox? I think not. 

There is some evidence that the next browser war will be over JavaScript, the scripting language (tinyurl.com/6f9uea), however I think the issue of the moment is standards compliance. Microsoft trumpeted IE 7 for better performance against HTML standards. Unfortunately IE 7 retains most of the “quirks” that have driven web developers nuts. The quirks (some would call them bugs) have remained in the product so long as Microsoft thought that developers would code to the quirks rather than the standards. The ever growing market share of Firefox has changed all that. So, once again, Microsoft is promising “interoperability and compatibility” in IE 8. 

Digital Rights in Canada 

While our Congress does whatever it has been doing (nothing productive lately), the Canadian Parliament is addressing copyrights in the digital age (tinyurl.com/5ca23k). A new bill introduced by Industry Minister Jim Prentice would allow Canadians to copy legally acquired music to a computer or iPod but they must not circumvent any DRM applied by the copyright owner. The new bill continues existing protections for ISPs from liability for their customer’s transgressions and does not require that an accused violating website be taken down immediately as in the U.S.

An interesting provision allows consumers to time-shift radio and television broadcasts but prohibits retaining the recordings in a permanent personal library. So basically, the proposed law gives consumers a few ‘privileges’ with the copyrighted materials they purchase and then takes everything away if the content happens to be digital. From the eWeek article: 

In drafting the new legislation, the government said it faced the delicate task of balancing the rights of content creators with the realities and needs of everyday life in a digital world, and also realizing the difficulty of policing possible personal infringements.

Prentice said of the issue: "It touches each and every one of us, and it is no surprise to find so many different points of view with respect to copyright."

My reaction is “Ha!” The bill gives everything to any business entity involved and screws the consumer. Another group compares this new bill to the DMCA in the U.S.

Reaction to the bill has come from an online group called Fair Copyright for Canada (www.faircopyrightforcanada.ca – many, many fascinating links) which seems to have most of its activity in a Facebook group (tinyurl.com/2r6z6q – you must have a Facebook account to view this page). The social networking model seems to work quite well for this issue. The Facebook group has over 61,000 members and there are many more Facebook groups for local chapters presumably to concentrate lobbying on a particular MP (Member of Parliament). 

Canadians take pride in being different from their neighbors south of the border (that would be us). They are certainly to be commended for the activity they have generated over this issue.

Truly Interesting Department 

Did you know that on June 17^th and 18^th there is (was as you read this) a conference in Seoul, Korea, on the “Future of the Internet”? Well, I didn’t either. Several organizations have requested input to this process via YouTube. You can begin your YouTube surfing at the video channel (www.youtube.com/futureinternet) created by the Organization for Economic Co-operation and Development (OECD.org), the organization sponsoring the event. No matter what I try to write here, everything seems trite. What is the future of the Internet? I haven’t found anything from John Patrick, yet. 

The Could This Work Department 

This morning at breakfast (where I read eWeek and Information Week), I came across an article on Open Source Hardware – yes, hardware (tinyurl.com/55ejw9). Actually this concept is not new and I’ll tell you why in a moment. The article talks about how the OpenMoko Project (openmoko.org) and VIA Technologies have released CAD files for several products. OpenMoko released CAD files for all of its mobile phones. You really need to go to the OpenMoko websites to understand what it is all about. The VIA Technologies release is easier to grasp as the product involved is a prototype ultra-mobile notebook computer. VIA did not release everything needed to make the entire computer but just the design for the outer shell. The idea is that OEM manufacturers can customize the outside to produce a unique version. 

The author, Serdar Yegulalp, speculates that hardware design could increasingly move to the open source model which would lead to whole market segments based on common, open designs. This could really simplify finding a part for your washing machine and it could lower production and repair costs for many products, both electronic and not.

Open source hardware has been around for many years, primarily in sports. My first thought was one-design sailboats. There is a standard basic design. How you implement that design could give you an edge in a race or allow for a lower sales price. Sit for a minute and you’ll think of others.

Water Cooling is New?! 

Once again we start with IBM and the headline, “IBM Ships First Water-Cooled Supercomputer”. I remember when all “serious” computers were water cooled. That’s still true, but now its serious gamers who use water cooling to keep their over-clocked chips cool. The new supercomputer in the article is called Bluefire and will replace three older systems that are no longer quite so super. Remember when we talked about computer performance in terms of MIPS, or millions of instructions per second? The new Bluefire is claimed to offer 76 teraflops, or 76 trillion floating point operations per second. Keep in mind that each floating point operation requires several instructions to execute. 

The customer is the National Center for Atmospheric Research (NCAR - www.ncar.ucar.edu/) which reminds me of an interesting factoid. Weather prediction was the application that first got John Mauchly interested in building an electronic computer. That was in the late 1930’s and he went on to co-invent ENIAC, the first all electronic digital computer. The Bluefire will be used to study the effects of climate change. 

Net Neutrality 

Our Congresspeople in the House of Representatives have taken up the issue of Network Neutrality (See eWeek article) once again. Representatives Ed Markey (D-MA), and Chip Pickering (R-MS) have introduced the Internet Freedom Preservation Act of 2008. The act seeks to enshrine the principals of net neutrality into law as national policy. Email your Congressperson today and tell him you want him to support this bill. 

HealthVault 

Could Microsoft have its heart in the right place here? I mentioned HealthVault here several months ago when it was first announced by Microsoft. I created an account immediately. An eWeek article suggests that the healthcare industry has been focusing on the needs of providers and payors (insurance companies) rather than consumers (you). Duh! Microsoft seeks to change the way we access our healthcare records by giving us a place to store (and control) those records. As this resource builds, Microsoft hopes that if they build it, consumers will come with their data and developers will come with applications to analyze the data and make possible collaboration between patients and their healthcare providers. The idea is to give you the same access to healthcare records that you get to your financial records at the bank. Only this time, you don’t need to get all your services from one provider to centralize your data. What happens then is anybody’s guess, but the key is that you will be involved in the decision. 

Desktop Virtualization

Before the main presentation at the May General Meeting, I tried to get the presenters to start with the very basics and explain everything. Instead we got a time-compressed version of their regular sales presentation. I was disappointed. Well there is a nice eWeek article that explains what we missed. 

While they totally missed explaining it, Citrix has a product called ZenApp. It used to be called Presentation Server which at least gives a clue to its function. Like Microsoft Terminal Services (aka: Remote Desktop), Presentation Server runs on a big central box that is shared by many users. Both Terminal Services and Presentation Server turn Windows into a multi-user system by creating virtual desktops in the central server that you view remotely using client software on your local PC. Since you don’t need a full PC to run the client software, a thin client device can replace the local PC. This is the Windows version of the old mainframe model with the OS and applications running on a shared server with the user sitting at a terminal device. There is only one OS and one installation of the applications to maintain. This technology has been around since the days of NT 3.5 and thus is pretty mature. Presentation Server (ZenApp) adds the ability to make an application running on the central server look like an application running on your normal PC. In other words, the application on the remote server appears in a window on your local PC. This middle ground offers central management of major applications like SAP. Network managers use Remote Desktop to remotely manage servers. I use it eliminate travel to client sites to fix most problems. 

The next stage of desktop virtualization is a different way to share that big central box. Rather than many virtual desktops within one OS, this time many virtual machines run in a hypervisor on the big central box. The user views the desktop using a remote desktop technology like VNC (Virtual Network Computing) or Microsoft’s RDP (Remote Desktop Protocol). Now each user gets his own, separate OS that he can reboot as needed – something that is not so easy when rebooting means closing down every user on the central box. The tricky part to this plan is to store and save each user’s personal settings while still centrally managing the application environment. Much newer, this technology is much less mature.

The third type of desktop virtualization is called client-side virtualization. One of the presenters talked briefly about this technology when he described a scenario where a bare-metal PC can boot to a copy of Windows that is passed down to the PC on an as-needed basis. What he didn’t mention is the possibility to put the virtual desktop on a USB key that the user can carry from PC to PC as they move about during their workday. Your personal computing environment becomes a sort of personality module that you can plug into any PC.

It is truly a sorry state of affairs that network neutrality is still an issue. Back in 2005, the FCC issued some net neutrality rules that allowed carriers some exceptions for “reasonable network management”.  In a recent Senate hearing, FCC Chairman Kevin Martin gave some guidance on what the agency considers appropriate broadband network management practices. He also told the assembled Senators that the FCC can enforce net neutrality without the help of Congress. Even while the FCC investigation of Comcast continues, he said that throttling specific applications like BitTorrent is not likely to be among acceptable management practices. You can read the eWeek article at tinyurl.com/6dxchx. 

When Congress or any part of the government is involved, the devil is always in the details. These details begin with the very definition of "Network Neutrality" - who and what is neutral and to whom? Is this an issue with charging certain users extra, throttling BitTorrent, or applying a surcharge for selected content like video? And, of course the biggie, who decides? No matter what your opinion on the looming election (is it over yet?), our Congresspeople need to be reminded that net neutrality is an issue we care about. [See also the WikiPedia article on net neutrality.]

Security thru Obscurity

Before I jump into this, allow me to point out that this article comes from something called “Dark Reading”, a website under the TechWeb (techweb.com) umbrella which bills itself as “the industry's most comprehensive security site for IT pros”. The articles include all sides of computer and network security. There are even some videos for a change of pace, but this article caught my eye. “Proprietary Security Through Obscurity” is a short article about pacemakers – yes, those things that keep some people’s heart beating properly. This started in a New York Times report about an article on an obscure website about how a heart device was found to be vulnerable to hacker attacks. It seems that a team of researchers was able to reverse engineer the wireless interface for a combination pacemaker and defibrillator. Using this knowledge they were able to change the programming in the device to adjust it’s “pace”, shut it down, read patient data, and even to give a potentially lethal jolt. 

Certainly patients (including Dick Cheney) with these devices are under no imminent threat; however, newer devices are being developed that can connect to the Internet to allow doctors to monitor a patient remotely. This could mean better, more frequent monitoring with fewer trips to the doctor’s office – a win-win, except for what should be obvious. Of course, we (you and me) understand the need for security on the Internet. In the type of statement we hear all too often, the manufacturer of the “hacked” device said, “To our knowledge there has not been a single reported incident of such an event in more than 30 years of device telemetry use, which includes millions of implants worldwide.” Obviously if they don’t know about it, it doesn’t exist. 

One manufacturer said that it used “proprietary techniques” to protect the security of its implants – and here is where we get to what I call the “head in the sand” approach to security, or security thru obscurity. Back in the day, Ma Bell used obscurity to secure its long distance trunk lines from unauthorized use. John Draper, aka Captain Crunch, demonstrated that this is not a good approach with the 2600 Hertz tone produced by a whistle packed in breakfast cereal. His discovery led to a cottage industry making “blue boxes”, “red boxes” and devices of other colors to make free long distance calls. According to legend, Apple Computer may have been funded from such sales. 

So which is better, proprietary security or security based on published protocols? The Open Source community argues that only when the source code is published for peer review can we be reasonably assured that any protocol works as advertised. The Internet protocols are the best example. Openness is especially required for encryption. Proprietary or “secret” encryption algorithms cannot be verified by the community of experts. How do you know that a proprietary encryption program doesn’t have a hidden key or back door that lets the author or manufacturer – or some other organization or government – read the encrypted data? For an in-depth look at this issue, I recommend the book “crypto” by Steven Levy (2001, Viking Penguin). See my review in January, 2002, DACS.doc (dacs.org/archive/0201/feature3.htm). Read the articles and see what you think.