Archive for March, 2005

KySOR – Bullet Dodged

Thursday, March 31st, 2005

Wednesday a student at Toliver Elementary in Danville reported

…she had been approached outside the school but on school grounds by an older, white male with gray hair, and she claimed (that the older, whte male) asked her to go with him,” Newell said. “The girl declined and immediately ran inside the school and told the principal of the incident.”

Remember earlier this week I posted about the Kentucky Sex Offender Database and the number of non-compliant folks? Take a look at this guy and tell me if the description isn’t abit too similiar(sadly the picture is only viewable in IE):

Charles Lyons

Perhaps the little girl could look at the picture and see if this is the man?

Wardriving made easy…

Wednesday, March 30th, 2005

I like to take my notebook out and drive around the various neighborhoods looking for open wireless access points. One of my favorite areas to wardrive is Centre College. All kinds of interesting things can be found there…not that I attempt to gain access or anything…just the number of access points out there.

Now comes this news . I’m wondering what my little strolls through the ether will show in June.

Kentucky’s Sex Offender Registry

Monday, March 28th, 2005

I was reading about the various abductions of little girls, including the alleged abduction this morning in Lexington, and feeling my blood pressure rise. I visited the Kentucky Sex Offenders Registry and saw something that troubled me. There are two offenders in Mercer county that are currently not compliant with their registrations. Where are these two guys?


Charles Lyons

Or…more importantly…where are the children of Mercer County?

I went on to look in some other counties with non-compliant sex offenders:

  • Jefferson: 49
  • Fayette: 8
  • Kenton: 7
  • McCracken: 3

and that’s where I stopped looking. What’s being done to find these people? Clerical error on the part of the State Police?

This information shouldn’t be difficult at all to find and these faces need to be made public…VERY public.

I listed 4 of the largest counties in Kentucky but these guys can travel like anyone else. A VERY brief look at the KySOR finds 67 people that are on the SOR but are not compliant. It only takes one.

And before someone goes down the road of, “You can’t harass these people!”, I’m not advocating that. I just want to know where they are. I want them to follow the law and register. You know…like what we DON’T do for illegal aliens?

Mercer Sheriff to get Tasers

Saturday, March 26th, 2005

It’s been talked about for a while but it looks like it’s going to happen thanks to the Hitachi plant in the community.

With the growing number of Meth labs in our community it’s a matter of time…no it isn’t…it’s necessary NOW to offer the Constabulary a way to drop attackers in a non-lethal manner. Of course it’s only a matter of time before someone gets zapped and they sue because of “police brutality”. *SIGH*.

Deputy Erick Barkman said:

They are becoming a necessary evil, It sure beats shooting them

I don’t know about that Deputy. I’d have to think about that long and hard for some…like these people who are on the Sex Offender Registery but are presently unaccounted for.

oh yeah…The Kentucky State Police are a Microsoft Only Shop…ya gotta use Internet *wretch* Explorer to view the pictures of these swine.

Half Horse – Half Gator

Friday, March 25th, 2005

Finally we’re getting somewhat unfiltered reports on the action earlier this week by some of our own Kentucky boys and girls against the barbarians.

What makes me particularly proud is the fact that the soldiers from Richmond are almost certainly descendants of members of the 8th Kentucky Volunteer Infantry like me. I’m sure that Col. Sidney Barnes and the rest of the lads were looking down on these people with pride. Bet they were talking about what happened at Chickamauga(Read the Brigade(Num 192) and Regimental(Num 194) after action reports) when the line broke but this time it was different. As my buddy EW might say, “There they were surrounded on all sides!”.

A 30-minute firefight ensued Sunday morning, pitting 10 guardsmen against dozens of insurgents. When the shooting ended, 26 guerrillas barbarians [edited for honesty] lay dead and another was mortally wounded, while six others were wounded and another was captured unharmed.

Read the above and thought of this song…complete with Midi file for the aural impaired.

Note to Barbarians: Don’t Mess with Kentuckians unless your odds are better than 3:1 in your favor and even then…no guarantees.

[UPDATE: And then I read this on Smash’s site…good news indeed…]

Schiavo: Death Watch

Thursday, March 24th, 2005

Looks like we as a society have reached the point where we are all willing to let our laws run right over the top of our morality. I’ve heard folks ask the question, “Would you want to live like that?”…but this isn’t about me…and it’s not about you dear reader unless you are Mike Schiavo or Mr. and Mrs. Schindler. Frankly, it has grown beyond even them now that Congress has gotten involved and got us all wrapped up in the mess because they felt the need to pass a terrible bill that ultimately had no impact.

Now it seems the whole discussion has moved to the judiciary and how they are really accountable to no one and seem to be doing whatever they wanna do. While the bill the Congress passed and President Bush signed into law is unconstitutional…until Rehnquist and the gang SAY it’s unconstitutional it remains the law. That law told the Judge James Whittemore to take a new look at the situation:

Section 2: Procedures of S686

In such a suit, the District Court shall determine de novo any claim of a violation of any right of Theresa Marie Schiavo within the scope of this Act, notwithstanding any prior State court determination and regardless of whether such a claim has previously been raised, considered, or decided in State court proceedings. The District Court shall entertain and determine the suit without any delay or abstention in favor of State court proceedings, and regardless of whether remedies available in the State courts have been exhausted.

Websters defines “de novo” as:

Main Entry: de no·vo
Pronunciation: dE-‘nO-vO, dA-
Function: adv or adj
Etymology: Medieval Latin, literally, from (the) new
: over again : as if for the first time: as a : allowing independent appellate determination of issues (as of fact or law) b : allowing complete retrial upon new evidence —compare ABUSE OF DISCRETION, CLEARLY ERRONEOUS
NOTE: A de novo review is an in-depth review. Decisions of federal administrative agencies are generally subject to de novo review in the U.S. District Courts, and some lower state court decisions are subject to de novo review at the next level.

Judge Whittemore flat out ignored this Congressional Act basing his opinion on prior court cases. This started an avalanche of court decisions leading right up to Rehnquist’s little party who essentially said “I hear ya knockin’ but ya can’t come in!”…and here we are.

We are at a crossroads here. We have a choice to make. Either we accept the legal process with maybe a harsh sneer at Judge Whittemore or we ignore the legal process and follow Ann Coultier’s approach. One choice means a woman lives while the other means a woman dies.

This is a hell of a place to be. I hate to see her die but we have her husband saying she didn’t want to be kept alive if she found herself in this position. Now, her husband is a real twit but the law gives him certain rights because he *IS* her husband. If we allow the law to reign here then she dies.

May God give you peace Terri because it seems that we as a nation just don’t care.

I pray that you have come to Faith in Christ while trapped in that shell.

Trouble in the park last night…

Thursday, March 24th, 2005

Last night police moved into the park to apprehend a trouble maker. The suspect has been causing trouble since he arrived in town last Sunday. Rumors swirl around town that the suspect was claiming to be a “King” insinuating an attempt to overthrow the government. Much wilder claims have been made about this man and his band of miscreants.

In the small hours this morning Court was opened and all the Judges came in to review the case against the suspect. In the unprecedented hearing witnesses stepped forward condemning the man as everything from a demon to heresy for claiming to be the Son of God. Rubbish. He’s clearly nuts. Judgement was passed and the penalty would be death. An automatic appeal will be heard by the Governor of all people tomorrow.

For now the suspect has been placed in Custody of the Governor’s guards.

Matthew 26

Michele get’s hit by the Bloodhound exploit

Tuesday, March 22nd, 2005

A friend’s blog was recently hit with a bug that caused some trouble for her. In her comments a reader asked how this could be possible. This page is for them and anyone else interested in the fun that can be had with Cross Site Scripting or XSS.

Consider this link:

When viewed in the browser it looks like this: Google

There’s all kinds of things we can put inside href=”HERE ” that can do fun things and…well…not so fun things.

We’ve all received the emails telling us that our bank wants to update certain information about us and requests that we go to their website. They are kind enough to include a link to the bank that might look like this:

But the real link sends you someplace else. By hovering your mouse over the link, right clicking, and selecting VIEW SOURCE or PROPERTIES or LINK PROPERTIES or whatever the equivalent is in your browser you would see something like this:

By clicking on the link you would end up on my site and not your bank. Typically this isn’t what you would want to happen but in this case it’s relatively safe. For those who are paranoid, we always check the source before we click unsolicited links…and most solicited links…and we would see that the actual target site isn’t the site where we want to go. There are ways around this as well. We’ll continue on with the example:

Looks the same but…where are you going this time. Here’s the source:

It’s the same thing just encoded as hexidecimal.

Now…let’s get tricky. Some bloggers are relatively tech savvy. They know alittle about javascript and the power that can be had with it. Let’s include some javascript in a link and see what happens:

Again…looks fine in the browser but what about the source:

So now you have Javascript executing as a result of clicking a link. This can’t be good. But it’s visible in the source so we’re all good right? No.

Same link but encoded in hex:

I don’t know for certain as I didn’t do any analysis of the machine but I’m guessing a comment or trackback was left on the site that forced a malicious script on her blog. When people loaded the page the script was executed which forced some stuff to the readers computers…that stuff being a Compiled Windows Helpfile(*.CHM) which then executed beginning a big long nasty string of events ranging from antivirus programs being triggered to outright infections.

If you think you have been attacked by the bloodhound.exploit.6 exploit then you can find “cleanup” instructions here.

If you want to learn more about this exploit, the DShield list has a great writeup by Peter Stendahl-Juvonen.

Schiavo: Bills of Attainder

Sunday, March 20th, 2005

Greetings Wikipedia researcher!  Somehow this article got linked to the Bills of Attainder article in Wikipedia.   In early 2005 a case was thrust into the public eye of a woman with severe brain damage and no discernible cognitive capabilities.  Her husband said she didn’t want to live this way.  Her parents said she would’ve wanted to live on.  There was no living will.  There’s you update…  and now the article.

Tonight at 9pm the House is set to begin debate on an already passed Senate bill(S. 653) that specifically calls for the relief of the parents of Terri Schiavo.

I’m no constitutional scholar by any stretch but this sounds like a kind of Bill of Attainder. Bills of Attainder are defined as:

A legislative act that singles out an individual or group for punishment without a trial

While Mrs. Schiavo is not being punished by the government, she is singled out and at the moment of her death, whether that is in 2 weeks or 20 years from now, the legislation becomes moot. Since we have only her husband’s word on her thoughts regarding her treatment in the event she was left unable to make the decision herself, this bill may WELL be a Bill of Attainder since the bill would be forcing her to continue to be fed…thus extending her life.

The Senate’s bill has disaster written all over it. (more…)

Terri Schiavo

Friday, March 18th, 2005

UPDATE: Normally I update at the bottom but SingleMind, as usual, has done a much better job of summing up how I feel about this.

I’m more than alittle irritated about the fiasco going on in Florida. For along time I’ve watched this drama from afar without so much as a meaningful comment to others who shared their thoughts with me. Over the past couple weeks my attention has been drawn more to this and the more I think about it the angrier I get. At myself for not being more outspoken before. At Terri’s husband for being a murderous thug. At the so called “judicial system” in Florida and now at my representation in DC.

Peggy Noonan’s piece talks about the political fallout for Republicans if they don’t do something to stop Terri’s murder. Andrew McCarthy’s piece is far less political and really hits the nail on the head:

The right of the innocent to live isn’t contingent on the good will of governments and courts. — It derives from a higher law, as does the obligation to defend it.

We all have much to lose here and very little to gain by sitting on our hands and watching this woman starve to death. We can rant and scream about the legal situation and bitch and moan about the stunning lack of competence in our federal leadership but this situation is quickly spinning beyond those realms. What we are watching in Florida is on the same par as this, this, and this.

Prayers for Terri and her family.

There are days….

Wednesday, March 16th, 2005

Sometimes you just wanna end it all. No no silly, not suicide. There’s no honor in suicide regardless what the barbarians say.

No, I mean destroying the planet. According to the article at Sam’s Archive it won’t be easy…better start now.

Privacy Reform

Monday, March 14th, 2005

Stumbled across this on Crypto-god Bruce Schneier’s blog.

Daniel Solove(George Washington University, Assoc. Prof Law) and Chris Jay Hoofnagle(Dir. EPIC) released their A Model Regime of Privacy Protection on March 10th. It’s a very good layout of the challenges we face with regard to protecting our private information along with ideas as to how to handle the challenges.

Good Points:
1) Meaningful Informed Consent. They reference the fact that Gramm-Leach-Bliley is ineffective with regards to opting out of data sharing(Section 2-a) . They go on to recommend a notification procedure when policies are changed at companies like ChoicePoint.

2) One-Step Exercise of Rights. Ever tried opting out of spam? Sure, they log the fact that your email is active but they also put you through 7 layers of hell before they say, “Oh alright”. With ChoicePoint Et al keeping “cradle to grave” records on virtually everyone and selling them to the highest bidder it becomes critically important that we, the creators of those records, have a way telling them to get bent. Solove and Hoofnagle recommend a central mechanism for folks to use similar to the DO NOT CALL list operated by the FTC.

3) Secure Identification. Social Security Numbers are a big NO NO. They are used everywhere from your movie rental place to the…well…the Social Security Administration. Solove and Hoofnagle recommend the use of passwords. Biometrics are wonderful but if they are stolen the resulting damage is practically unstoppable short of killing the victim. This opens up a whole other can of worms with the likes of Paris Hilton and her cell phone woes.

Not So Good Points

Won’t list them chapter and verse because I really like the ideas they talk about overall and don’t want my own political leanings to cloud that fact. The big problem I have with alot of their recommendations is that they, Solove and Hoofnagle, drop the responsibility of protecting this information primarilly in the lap of the FTC. There is passing mention of implementing fines for companies that break the laws but the oversite of those laws is left to the FTC.

Dunno…this is an EXCELLENT starting point but I think there’s still work to be done. I am going to try and make sure this finds its way to a desk at Kentucky’s Legislative Research Commission.


Sunday, March 13th, 2005

SANS/GIAC is dropping the practical assignments for their certifications.

I hold two SANS certs, the GSEC and the GCIH. You can click on the buttons on the left hand column to learn about them. For both of these I had to complete a practical assignment which was a paper on a particular topic. Under the PAPERS section on the left column you can find mine. These practicals are what set SANS apart from the rest of the certification world. They required practicals for every certification…not just the more senior certs like Cisco and others do. A SANS Certified professional could be considered a DEMONSTRATED PROFESSIONAL in the security world because of the practical. But no more.

I sent the following letter to SANS regarding the issue:
While I bow to the vision of the SANS/GIAC leadership, I can’t help but think this is a bad idea. The practicals are what has set SANS/GIAC apart from the other certs. Has there been any thought given to keeping the practicals as an option for certification? This would effectively allow what you want while providing those who want the additional challenge, and recognition, to move ahead of the rest of the pack.

I could whine about the many hours I put into both of my GIAC certs and the pride I take in attaining them but that would only serve to demonstrate my love of whining. What I can say is that the lack of available time to complete these certs is simply a cop out. My day job regularly requires 80hr weeks. My consulting business also takes a substantial amount of my time. I still managed to complete both certs…didn’t sleep much but I completed them. The point is holding a GIAC cert demonstrates not only a certian level of expertise but also a committment to a goal. Passing the exams was a CAKE WALK compared to fulfilling the requirements of the practical assignments. No matter how difficult you make the exams nothing will replace the challenge and the required mastery of the material that the practical assignments held.

Count me in the “Respectfully Dissenting” column.
I’m profoundly saddened by this…okay…”profound” may be a strong word but the thought of the SANS certs becoming anything close to the MCSE as far as overall reputation just sickens me.

I still believe there is only one REAL certification track for serious security professionals and that is SANS/GIAC.

Italy to stop paying ransoms

Saturday, March 12th, 2005

The London Times Online is reporting that PM Berlusconi has promised President Bush that he will stop paying ransoms for his countrymen.

Fancy that. I’m sure that Fabrizio Quattrocchi appreciates that as he looks down on his former countrymen. As you may remember this is the man that faced his death with a National Pride that I only pray that I could muster under the same circumstances.

And from the “sublime to ridiculous” department:

Gustavo Selva, chairman of the standing committee for foreign affairs in the lower house of parliament says, “The Italian team should have known what to expect, but it appears they didn’t realise how sophisticated the American military are.”

Oh please…come on Chairman Selva, our abilities are well known and if your Intel guy didn’t understand this perhaps he should have been in another line of work. Of course…now he is. Prices are high in the Intel and War business and when you screw up you simply must pay them.