Politics at Funerals

Here CNN discusses President Carter’s introduction of politics into his funeral speech for Corretta Scott King. Apparently this has been raising a fuss among some conservatives. As CNN says: “After the funeral yesterday, Kate O’Beirne, a prominent conservative writer, said liberals don’t know how to keep politics out of their funerals.”

Personally I find the fuss strange. Funerals are frequently a rallying point for the ideals of the deceased. When else do you have the attention of the country focused and thinking about a single set of values and issues? Nobody is claiming that President Carter said anything that would have gone contrary to the wishes of Correta King. On the contrary, she probably would have been very pleased at the attention those words have received.

Here is the portion President Carter’s speech which raised the fuss: “It was difficult for them personally with the civil liberties of both husband and wife violated as they became the targets of secret government wiretapping, other surveillance.” The video is here. Anyone who thinks that wiretaps without court supervision will always be used correctly, for the right purposes, and not to discredit legitimate causes, should think long and hard about our history.

Google and the China Syndrome

Here is my letter to Newsweek on the subject of Google censorship in China.

[Note from 2017: Google eventually gave up and pulled out of China rather than be censored and constrained. But American companies continue to work around restrictions and sell censorship tools to oppressive regimes.]


The question of whether to work within an oppressive regime, or hope that a boycott will force change, is always a hard one; and I’m not going to judge Google on their decision.  Keep in mind that such censorship requests don’t just come from China–even France and Germany wish to censor external web sites.  Nonetheless, there is no question in my mind that Yahoo overstepped the bounds when they turned over identifying information on a blogger.

However, in all this fuss we are missing an even more important example of censorship complicity by American companies.  At the same time that the United States is encouraging the people of countries like Iran to exercise their right to disagree with their government, American technology is being used to prevent freedom of speech in those countries. Iran, and other countries in the Middle East, use software from companies like Secure Computing to block their citizens from accessing everything from Iranian bloggers to the BBC Persian News Service.  While Secure Computing denies having sold the software to Iran, there is no question that they didn’t provide sufficient safeguards to prevent the dissemination of the software to such countries.  In a age when word processors get shipped with restrictions which require them to validate their license with a remote server, it seems to me that software which can be used to limit the liberties of people around the world should be locked down quite a bit tighter.  At least Google has the excuse that they are expanding access to some information.  This software is designed solely to provide censorship. It is a weapon against freedom of speech, and it should be regulated like any other weapon.

For more details on the use of American censorship software in other countries, see the OpenNet Initiative at http://www.opennetinitiative.net/.

“Iran’s Internet filtering system is one of the world’s most substantial censorship regimes. Iran has adopted this extensive filtering regime at a time of extraordinary growth in Internet usage among its citizens, as well as a tremendous increase in the number of its citizens who write online in Farsi…. The Internet has become an important information resource in Iran. Polls show that people trust the Internet more than any other media outlet, including domestic television and radio broadcasts. Beginning in 2000, Iranians began to create internal news sites to circumvent the state’s controls over traditional media sources. Blogs, both Iranian and from elsewhere, are increasingly popular, and Iranian servers host thousands of blogs.” – http://www.opennetinitiative.net/studies/iran/

Law Schools Against Free Speech – The Supreme Court considers military recruitment on campus. By Dahlia Lithwick

Law Schools Against Free Speech – The Supreme Court considers military recruitment on campus.Slate – Dahlia Lithwick

Chief Justice John Roberts instantly shuts him down, saying the Solomon Amendment “doesn’t insist that you do anything. … It says that if you want our money, you have to let our recruiters on campus.” Moreover, for Roberts, this is not about speech. “This is conduct.” Rosenkranz disagrees. “This is a refusal to send e-mail. This is conduct only in that they are moving molecules. … This is speech.”

There is a certain irony here that both the liberals and conservatives have fallen into the same trap. Fundamentally the federal government has very little control of our lives. However, once you start accepting money from it–you are caught in a dependency trap. For religious conservatives, this means the eradication of support for any particular religion in schools. For anti-discrimination liberals, it means allowing military recruiters into the schools. I confess that I have little sympathy for either side. If you want to be free of federal restrictions–stay clear of federal money.

Interior Dept. Defends Its Keeping of Indian Books

Interior Dept. Defends Its Keeping of Indian Books

The Interior Department says its audits of accounts it manages for thousands of Native Americans have found few errors and little evidence that anyone tampered with the records.

The agency’s position, in a report sent to Congress on Monday, runs contrary to that of Native Americans who filed a 1996 class-action lawsuit saying that they were cheated out of more than $100 billion because of mismanagement of oil, gas, grazing, timber and other royalties from their lands.

The Post goes on to say that the Interior Department documented this in a “glossy 24-page brochure”. They weren’t kidding. Whatever the truth of the claims, there’s no question that someone blew a bunch of money on a significant bit of form over content. You can see for yourself at http://www.doi.gov/indiantrust/iimaccounting.pdf. Pure PR.

If You Can’t Fix It – Change the Judge

https://openclipart.org/detail/11125/judge-hammerSince a Blackfeet tribe leader named Eloise Cobell filed this lawsuit in 1996, several independent investigations found much evidence for Lamberth’s concerns. Although, the government initially said its existing Indian trust fund records were in good shape, Lamberth hired a hacker who found they could easily be accessed and altered from outside. Other reviews found that the Interior Department had never kept complete records, used unknown amounts of money to help balance the federal budget, and let the oil and gas industry use Indian lands at bargain rates. They also concluded that the Clinton and Bush administrations have repeatedly sidestepped initiating the required accounting because of the likely cost.

When they stand before a different bench tomorrow, government lawyers are expected to try to shift the discussion from the acknowledged failure of Interior to properly account for money held in trust and due 50,000 Indians, to the often assaulting words and actions of a powerful Reagan appointee who has made no secret of his disgust. Only three times before has this appeals court disqualified a trial judge from a case.

This case has been going on for years. Everyone agrees that the judge has been particularly pithy in his criticism of the government’s behavior. But fundamentally the problem is that the Interior Department has repeatedly been unable to clean up its act.

Words That Fall from Grace

World Wide Words newsletter is a fun read. The latest typos, odd words, and questions about where phrases come from. This time there’s a request for suggestions of words or phrases that have falling into disuse.

7 – Over To You
World Wide Words newsletter

This time it’s a personal request, aimed at British subscribers in particular, though others can also play. I’m writing a piece in my current book about words and phrases that were once common but that have fallen out of everyday use within the past 75 years or so. These will mostly be names for things, and I’m avoiding slang or colloquial terms. My aged brain is having trouble assembling an adequate selection.

Some already in my list will give you the idea of what I’m aiming at: emergency brake, running board, motoring holiday, antimacassar, career girl, wireless (a radio), gramophone, washboard, wringer, record player, double feature, liberty bodice, brassiere (as opposed to bra), inkwell, and pedal pushers.

Please send your suggestions to this special address oldwords@worldwidewords.org, not my usual e-mail address.

Protecting Property in New Orleans—The Law Looks the Other Way for Some

New York Times

ORLEANS, Sept. 8 – Waters were receding across this flood-beaten city today as police officers began confiscating weapons, including legally registered firearms, from civilians in preparation for a mass forced evacuation of the residents still living here.

No civilians in New Orleans will be allowed to carry pistols, shotguns or other firearms, said P. Edwin Compass III, the superintendent of police. “Only law enforcement are allowed to have weapons,” he said.

But that order apparently does not apply to hundreds of security guards hired by businesses and some wealthy individuals to protect property. The guards, employees of private security companies like Blackwater, openly carry M-16’s and other assault rifles. Mr. Compass said that he was aware of the private guards, but that the police had no plans to make them give up their weapons.

That’s an interesting distinction. One can understand the practical aspects. Those who can afford to hire armed security forces presumably can afford to keep them healthy and fed. And those forces (perhaps) are less likely to engage in illegal activities than non-incorporated forces. But fundamentally, this means that people with money can protect their property by means that violate the law, but people without money cannot. Whether the decision is valid or not, the result is that the poor will lose more than the rich.

Definition: Buffer Overflow

Buffer Overflow

If you read any press on computer security problems, at some point
you are likely to come across the phrase “Buffer Overflow”–it’s by
far the most common security error that programmers make. It’s common
for several reasons.

  • It has nothing to do (by itself) with security.
  • It’s an easy error to make, and a hard one to detect.
  • It’s human nature not to expect the unexpected.

So what is a buffer overflow? I’ll start off extremely non-technical
here, and gradually bump up the level until the final section, at
which point if you don’t understand programming and call stacks you
may want to stop reading, and if you do understand them, you may
decide to start reading.

First, here’s the non-technical explanation.

You need to tell a co-worker something important, you go to their
office, expecting a conversation something like this:

“Hello.”
“Hi.”
“I though you should know about this new thing.”
“Oh? What is it?”
You tell them the important thing.

Instead the conversation goes like this:

“Hello.”
“Hey! Just the person I wanted to see! Did you hear about this
crazy election thing,”…followed by five minutes of political
diatribe. By the end of the conversation, not only have you
forgotten what you came in to say, you’re on the way out the door
with a poster to protest something.

Your buffer just overflowed, and you were hijacked for a purpose
other than your original intent. You had an expectation of how the
conversation would go (the protocol) and it was violated, with the
result that you ended up doing something different. That’s exactly
what happens to a program when someone exploits a buffer-overflow
problem.

Now a slightly more technical explanation.

When a program is designed, it is designed with an interface to the
outside world. That interface is not just what you see on the
screen, but also how it communicates with other programs and the
operating system. The interface is typically defined in terms of
either an API (a set of programming conventions for direct
communication with another piece of code) or a protocol (a definition
of a set of data and commands to be passed between programs). Think
of the API as how your brain tells you arm to pick something up, the
protocol as how you ask someone to pass the salt. Of course the
protocols are not always executed directly. Your brain tends to use
the mouth API to tell someone to pass the salt, rather than using
telepathy directly, and many programs use standard sets of code
provided by the operating system when they want to use a protocol.

Now, these APIs and protcols specify the form of the information to
be passed back and forth. For instance, a specification might say
that the correct response to an initial communication is no more than
five letters long (e.g. “Hello”). In the days before people had to
worry about hostile programs, code was written assuming that the
program you were talking to was going to be following the rules of
the protocol. If the protocol said “five letters” then there wasn’t
a lot of point in leaving room for six. Sure, your program might
crash if there were six, but it wasn’t your bug, it was a bug in
the program talking to you–it should have sent five letters.

So that’s a buffer overflow. You expect one thing, and somebody
sends you something much bigger. The “buffer” that you had set aside
to store that information doesn’t have room for what you get, and you
end up writing those six (or six hundred) letters on top of other
things that you were trying to remember. Obviously that’s not going
to be a good thing for the continued functioning of your program, but
it turns out it’s also a major security problem.

And still a bit more technical.

Computers tend to think in terms of two things–code and data. Code
consists of the instructions for the computer, telling it what to do.
Data is what it does it to and with. When you run a program, it
loads into memory both the code and the data that code needs. When
that program communicates with some other program, it is receiving
data, and it will then use the code that it already has to figure out
what to do next. This makes remote communication relatively safe.
The remote program can only tell the local program to do within the
constraints of the original code. Assuming nobody has done anything
stupid (which is not generally a good assumption), the remote program
cannot tell the local program to do anything that wasn’t originally
intended.

Modern computer architectures have an unfortunate design, however.
They don’t really no the difference between data and code. If
somebody can convince your program to try running the data that it
has in memory, it will do so quite happily. So a malicious program
has two goals. First it wants to get some code to your machine, and
then it wants to persuade somebody to run it. This is of course, no
different than an email virus writer’s goal. In that case, they
expect you to run it, in the case of a buffer overflow, they expect
the broken program to run it. Email viruses are so successful
because users often don’t know the difference between data and code
either (and some operating systems helpfully try to hide the
difference so as no to confuse them).

It turns out that if a malicious programmer can find a target program
that didn’t check for a buffer overflow, it can be very trivial to
get that program to execute code provided by the remote program. So
easy, in fact, that there are standard packages out there that
provide the entire payload for the overflow–all the script kiddie
(we’ll define that sometime, but suffice to say it isn’t a compliment
of someone’s hacking prowess) has to do is find the write length for
the buffer overflow and bang–they have control of your computer.

Before you panic, remember that doing this requires that they have
remote access to a program on your computer already, and that that
program have a buffer overflow problem. That means (for an internet
exploit) that your computer has to have some program that is
listening to external connections (e.g. print server, file
sharing…) or that you have a malicious user at your computer (or
you helpfully downloaded and ran their software).

Now let’s get completely technical.

How does a buffer overflow exploit work from a programmer’s perspective?

First you find some place in that program where it’s reading data and
assuming that it’s going to be reading something rational. E.g.

        char    buf[4];      /* Store 4 characters */
        gets(buf)               /* Read any number of characters from the input
                                                and put them in buf */

where the input turns out to be more than 4 characters long.

Now the question is, where is the data stored in “buf” located?

If “buf” is a global variable, then that data is probably allocated
in a data segment somewhere, and you’re going to try and overwrite
some other piece of data which will result in something useful (e.g.
a place where the program was going to execute one program, now
executes another). That’s tricky and hard to do without source code.

However “buf” is probably a local variable, allocated on the stack.
So instead of overwriting data, your goal is to overwrite the stack
itself. So you are going to put in buf some amount of padding (that
will overwrite the rest of the data stored on the stack), followed by
some machine code that overwrites the part of the stack that had code
on it. You’ll set things up so that your code will be executed
(possibly when this particular function returns) instead of the code
that normally would have been executed. Now you’re home free. Since
there are plenty of examples of sample exploit machine code, all you
need to do when you find a new buffer overflow is figure out the
appropriate offset–the rest of the work has been done already. You
don’t need to transfer very much data, just enough to run something
that connects you to the remote machine–from there you can transfer
the rest of the software you want to install remotely.

This is where security-by-obscurity comes in handy. Want to lessen
the chance of buffer-overflow attacks? Just run some obscure piece
of hardware. Run a Mac, or even Linux on the PowerPC1Of course with Apple switching to an Intel platform, some of that obscurity goes away, but exploits still have to vary from operating system to operating system, even if the underlying processor is the same.. It’s not that
there aren’t buffer-overflow problems, but their are less handy
examples of how to exploit them running around. Less examples, less
successful attacks. It’s not a solution of course (especially if
everyone does it :-), but it is one way to slightly increase your
odds of remaining secure.

There are machine/OS architectures that would make buffer overflows
much harder to exploit. Disable dynamic creation and execution of
code on the stack for one. Or keep a separate data stack. And there
are tools out there which will put watchdog data on the stack, and
then watch it to make sure it doesn’t get overwritten (effective, but
rather painful from a performance standpoint). But fundamentally,
where there are bugs, there are exploits. And modern software, with
it’s layers and layers of abstraction that no one person can fully
grok, has a hell of a lot of bugs.

700 ISPs?

Recently Scott McNealy, predicting consolidation in the ISP market, was quoted
as saying that we no more needed 700 ISPs than we needed 700 electric power
companies. That’s an interesting analogy when you consider that the electric
power industry, now approaching deregulation, is probably approaching 700 companies
itself, many of whom don’t even own power facilities.

As usually, Scott is being quotable. Realistically, as more detailed comments
have indicated, it’s the medium sized ISPs that are likely to consolidate. Smaller
ISPs serve niche markets and personalized service that are not likely to be
attacked by the larger players. I don’t believe the numbers of small ISPs are
likely to decrease, in fact, as I sit here after just having driven through
the sparsely settled high-plains of Utah, I suspect that the market for small
ISPs is far from saturated.

It’s dangerous to judge the progression of the internet by the progression
of businesses past. While it’s true that in areas of high competition, the service
and hardware requirements for an ISP are high. It is also true that in many
areas, anyone with a leased line and a couple of modems can still become an
ISP. While all eyes are turned towards the big IPOs, it’s the small businesses
that will keep the internet alive.

[2017: I was wrong. In fact McNealy was wrong, it’s more like 50.]

Why I do *not* support Family PC’s Parent’s Bill of Rights

When was it that everyone started to talk about
rights, and forgot all about responsibilities?

[A note from the future, in 2017. I was right. I didn’t get more conservative, and they grew up safe and awesome. One’s editing movies. The other’s working QA at a robotics company. Let’s hear it for sensible parenting.]

Kee's kids--A long time ago
Before I begin, let me set
some context. I’m a parent, I have two terminally cute daughters; one six, the
other four. I’ve heard that the number one correlation between sexual conservatism
and other factors is whether a person has daughters. Maybe things will be different
when they reach adolescence, but so far my values haven’t changed.

So now we have had a
summit,
and
everyone’s talking about how to protect the rights of
parents on the internet.
This is apparently something that greatly concerns many parents,
although
from a reading of the statistics,
I can only assume that it’s primarily a concern of parents who are
not
on the internet, since those that are, aren’t even using the available
tools. But I don’t mean to belittle the core desire–parents
want to make sure that children’s exposure to new concepts and people is
consistent with their beliefs, whether that exposure is on the internet, the
street, or the corner store.

And that’s the fundamental issue I have with all this ruckus. The
internet doesn’t exist as a thing, it isn’t something that’s safe or not
safe. The internet is a community of people, and the things you
have to teach your kids in this community are the same as the things you teach
them in your own. Be polite, don’t interrupt, don’t speak unless
you have something to say, stay away from the seamier parts of town, and of
course, don’t go off alone with strangers. Those are values I try and teach my
kids. If I haven’t gotten them across by the time they learn to
send email, it’s probably too late anyway. But these values are not
specific to
the internet–I expect them to be applied online, and down at the
coffee shop.

I think I know where things went wrong. Some parents thought that if
their kid was staying home in front of the computer, that they were safe
and could be left alone–just like when they were sitting in front
of the television. They were wrong of course, the two mediums are not
comparible–there is far more violence and sex on television.

But on the internet, no one knows you’re a dog. What good does it do to teach
your kids right from wrong, if someone can pretend to be a teenage soulmate,
when they are actually a lecherous old man? There is some validity in this,
but frankly, anyone who has spent much time in online communities very quickly
learns that identity is both central to, and yet completely apart from, the
online experience. I spent my freshman year in college hooked on “the con”,
as it was called by those of us with access to
Dartmouth’s
Time Sharing System
years before AOL’s forums and IRC. We all knew
the story of the guy that gets all excited about this great girl he’s been chatting
with for hours, only to walk over to his roommate’s cubby to tell him the news–and
find out he’s been chatting with him all this time. The notion of an
online identity, or identities, that is separate from your physical one is fundamental
to the system–our children will understand that long before their parents.
This isn’t the dark side of the internet, this is one of the liberating things
about the internet. (Note that having multiple identities is not the same as
being anonymous, I’ll talk more about that some other time–if you want some
mandatory reading on that subject, check out “The Transparent Society : Will Technology Force Us to Choose Between
Privacy and Freedom”
by David Brin.)

“But…,” (says my wife), “it is different, you think they
are safe because they are in the house. With other communities, you know where
they are.” Well, one can hope, but the teen
pregnancy
rate in the U.S. would seem to argue otherwise. The fact of the
matter is that, the older your kids get, the less control you have over them.
That’s why I see this whole thing very differently. This isn’t an issue of parent’s
rights, it’s a question of parent’s responsibilities, and that’s
a word that seems to be very much out of favor recently. All the internet is
doing is bringing home that our job as parents is not to control, but to guide.

Here is FamilyPC’s “Internet Bill of Rights” proposal, with my responses. They asked if they
could publish by responses, so if you see it in a physical copy, let me
know which issue.

  1. Parental blocking software should be integrated into every Internet
    browser.


    Including experimental
    ones? Ones meant for developer use only? Ones running on PDAs that
    don’t
    have the necessary memory or CPU? No. If the demand is there, the
    industry
    will provide it. Protection of children is the responsibility of
    the parent,
    not something that can be regulated.
  2. Web site creators must
    rate their
    sites in an industry-standard way that is recognizable by the browser
    (for now this means using RSACi or SafeSurf or PICS).


    Aside from being
    unenforcable, there is no need to do this. If people stop going to
    unrated
    sites, then sites will rate themselves. The fact of the matter is the
    majority of sites that rate themselves are adult sites–they don’t
    want
    minors on their sites. The rest of sites don’t have the time or
    interest
    to rate themselves.
  3. An arbitration board should be created to
    arbitrate
    discrepancies in site ratings.


    That implies that ratings have the
    force
    of law. Ratings are going to be relative my definition. An independent
    board cannot be created to legislate free speech. If we were
    talking about
    signs on a front yard, this wouldn’t stand up in court for a
    second.

  4. Webmasters who do not comply with voluntary ratings should not be
    listed
    on the major search services.


    Absolutely not. This restricts adult
    access
    to sites, never mind access to sites outside of the United States.
    Search
    engines are already beginning to offer alternative, rated-only search
    facilities. There is no need to legislate this.
  5. Children’s chat
    rooms
    will be monitored to keep them safe; monitoring can be human or
    electronic.


    If you are worried about what your children say to whom, then
    monitor
    them. Don’t forget to tape phone conversations and follow them to the
    school bathroom as well. Chat room monitoring is neither practical or
    workable.
  6. Web sites must fully disclose what they do with
    information
    collected from people who register at their sites.


    This is a
    general issue
    that has nothing to do with the specific issue you are addressing
    here.
  7. Advertising must be clearly labeled as advertising and kept
    separate
    from editorial content.


    Ditto.
  8. If online shopping is involved,
    advertisers
    must require parental permission prior to purchase. Parents will be
    able
    to cancel an order mistakenly sent by a minor at no charge to the
    parent.


    The standards here should be the same as they are anywhere else.
    Use of
    a credit card is deemed to be an indication of adult status.
  9. If an
    advertiser communicates with a child by e-mail, the parent should
    be notified
    and should have the option, with each mailing, to discontinue
    mailings.


    If you want to disallow communications with children by advertisers, I
    might consider that a good goal. However, “on the internet no one
    knows
    your a dog”. It’s impossible to tell whether you are communicating
    with
    a child on the internet. As for the ability to remove yourself from
    commercial
    mailings–go for it, but this is a general issue, not one specific to
    children’s/parent’s rights.
    Frankly I find the whole concept of a
    “Parent’s
    Bill of Rights” to be misguided. First we need to construct a Parent’s
    Bill of Responsibilities. For the past 15 years my closing email
    signature
    has been the same. And every year I feel it is more and more
    appropriate.
    “I’m not sure which upsets me more; that people are so unwilling to
    accept
    responsibility for their actions, or that they are so eager to
    regulate
    everyone else’s.”