Hey Boo-boo, look where they hid the picnic basket!

I came across this NY Times article about a small black bear named Yellow-Yellow that was able to defeat a well designed bear resistant food storage container.

The article includes some interesting lessons:

• The method usually recommended for protecting food by placing it in a bag hung from a tree is routinely being defeated by bears that have figured out that an easily cut/bitten rope is usually not far away from their goal.
• Never underestimate the power of perseverance, patience, and practice. Intelligent defenders can often be outwitted by the less brainy with an excess of spare time and focus. Or put another way, multi-taskers don't always win.
• The folks at Bear Vault clearly get it (vis-a-vis their adversary) whereas, sadly, the folks at software companies often do not.
• And a great quote attributed to a Yellowstone Park Ranger on bear-proof garbage cans was "Turns out there is considerable overlap between the stupidest human and the smartest bear."
• Never, ever, market anything as being [something]-proof.

Interestingly I didn't find this on a camping or scouting site but through an information security site Emergent Chaos under the topic "Penetration Testing Your Products."

BTW. If you don't know about penetration testing, basically it is the practice of testing the security of something (such as a computer or network) by breaking into it. While this sounds all very exciting, the key thing to remember above all is that any testing of this kind requires formal permission (i.e. contracts). Any testing without permission (and I mean the kind of permission that can hold up in a court of law) could find you charged with a felony, indictable offense, or similar serious criminal charge in many countries. For more information see Penetration Testing and Ethical Hacking.

Background Checks and Scouting

Like many organizations Scouting requires leaders and volunteers to go through regular background checks. This is part of Scouting's due diligence to protect our members.

From time to time I hear questions from parents and prospective volunteers about Scouting background checks, such as how well they work or what to expect from the process.

For the most part these processes operate behind the scenes and are invisible. However, when the processes don't work as expected they can create a lot of disruption or worse. Another problem is that they don't always work as people expect. This leads to perceived to failures.

Background checking is a tool with limitations. How well we understand these limitations will give us a realistic perspective and can help head off problems.

In general, there are a number of types of background checks and many of them are performed regularly:

• Governments use background checks for security clearances. These range from simple to very complex and the checks at higher levels can be very intense and intrusive.
  
• Businesses use a variety of background checks: employment history, credit, criminal, some even use checks for money laundering and financing terrorists. Criminal checks catch things like convictions. One disadvantage is that they are unlikely to turn up anything on someone who has never been caught.
• Organizations that work with youth or the elderly need something more. It's called a Vulnerable Sector Background Check. All Scouting personnel get one every few years. These checks go beyond the criminal background checks. Exactly how far, I don't know, but I am told that it includes things other than convictions. They specifically look for pardoned sex offenders, charges without convictions, and they may include information on mental health that may be in police records. With these you have a better chance of catching someone earlier even if they don't have a prior conviction.

While there are a number of companies that provide these background checking services, both Criminal and Vulnerable Sector checks can also be arranged easily through most police departments.

One thing to understand with any kind of test of this kind is that there are three possible outcomes:

• Accurate results.
• False negatives.
• False positives.
  

A false negative is when some gets a pass but shouldn't. Periodically checking raises the chances of correcting these. False negatives are both worrisome and hard to detect. In fact they get detected when someone gets caught and then it's discovered they were not picked up and should be. These aren't common or the media would be full of such stories. And it is important to remember this only has a chance of working if the person has had some previous problems.

A false positive is when someone gets flagged and shouldn't. These are more common. In fact you are reasonably likely to see one if you wait long enough. If it's you or even someone you know, it will be stressful. Careful handling, discretion, and sensitivity by everyone involved is required. The person flagged will have to step aside for a time until a followup check is made. That usually involves more information, a trip to a police station and possibly fingerprints. Once everything is checked out these are usually cleared up. And always, the information should be handled as extremely sensitive and rigorously protected.

I have seen a number people caught by false positives. In general, they have been caused by lack of accurate information, coincidence, or identity theft. And all worked out correctly.

There is a darker side to background checks which raises some privacy and human rights concerns. It's not always clear what other information can turn up and how that could affect both individuals and groups. When minor or unrelated history is turned up, taking a zero-tolerance policy may do more harm than good. Not only will an individual be affected, but an organization may loose a valuable person.

To sum up, Scouting background checks are going to make our youth members safer. Understanding the process and its limitations will help everyone involved to get these working as smoothly as possible and deal with the inevitable hiccups.

Top 10 excuses for not securing your computer

I came across a good blog article describing the top 10 excuses people use for failing to secure their computers, here. It's actually a repost of another article.

This is the first time I've actually read this persons blog and I can't say much about their style and content other than this was a good article worth pointing to. A quick look shows posts about malware, viruses, security, and cleaning up infected computers.

Greenwash, Security Theatre, and Skepticism - Critical Thinking

Critical thinking is an essential life skill. It lets us make good decisions and can protect us. People don't exercise it all the time, but people who exercise it more tend to be more successful. And people who fail to exercise it can become victims of one sort or another.

So I wanted to comment on some current examples where critical thinking helps.

Greenwash

The term "Greenwash" has been around for about 20 years but has only recently made it into the mainstream. Basically, Greenwashing is about companies exaggerating and overstating their environmental contribution. An advertising con-job carried out on the public. Often where companies spend more advertising their greenness than actually contributing to the environment.

• For a history and definition see Wikipedia, here.
• For a consumer index, see the Greenwashing Index, here.

Companies marketing products have a long history of spinning the benefits of their products even when the benefits are dubious. The spin can range from the relatively harmless, such as stating what a product already does, to deception, such as deflecting attention away from a problem area. Critical thinking can help you see through this.

Update: I saw a related survey on "What should we do about bogus ‘green’ technologies?" at another Scouters blog.

Security Theatre

The term "Security Theatre isn't as mainstream yet. It refers to security measures that give people the illusion of security rather than providing real and measurable security. A lot of the security measures put in place since 9/11 fall into this category.

Examples of this include no-fly-lists. While they seem like a good idea at first glance, they break down under scrutiny. The problem with the list is that it isn't properly maintained; it is subject to false alarms - it has been used to detain babies, children, well known public figures, politicians, sky-marshalls, and inconvenience many thousands of people; there is no visible oversight of its effectiveness; known terrorist suspects have been kept off it; and there is no evidence to support that it has ever stopped an attack. I won't get into more detail on this debate, but if you're interested you can find more by one of the leading critics of Security Theatre, Bruce Schneier, who has posted many articles on his widely read blog. A few are below:

• The No-Fly List
• Five-Year-Old Boy Detained by the TSA
• Sky Marshals on the No-Fly List
• No-Fly List to Be Scrubbed (cleaned up)
• Canadian Privacy Commissioner Comments on the No-Fly List
• In Praise of Security Theater

Security Theatre and it's mindset has been a healthy target for comedy:

• The Chaser, an Australian team has made fun of this with such episodes as "Airport Security" and the "Trojan Horse". Video clips are available on You-Tube here and here.
• The TV series "Boston Legal" dedicated part of an episode to the absurdities of the no-fly list. An audio clip can be found here (mild language warning).
  

Skepticism and extraordinary claims

The world is full of doomsday prophecies and other bunk. A healthy does of skepticism is useful for dealing with extraordinary claims. There are lots of people who will waste your time seeking attention, money, and fame. All of this they take from you without providing anything of value back.

Current examples include:

• The end of the Mayan calendar in 2012 predicts the end of civilization. This is no more true than suggesting the earth would end after December 31st, 999AD or 9999AD - the calendar is just a bit stranger. See here and here.
• Planet X is coming to destroy us. Planet X was originally an astronomical reference to a presumed missing planet or unknown planet beyond Neptune. Pluto didn't fit the bill and it took over 50 years to resolve the facts. Later the name was usurped by conspiracy theorists. The predictions aren't supported by facts and the date for doomsday has been revised. See articles, here, here and a series of articles here.

Update: The crop of bunk surrounding 2012 never seems to to end. Fear mongers and misguided folks keep reviving it and scaring people with these fabrications. Dr. Ian O'Neill at Astroengine has written a fine series of articles debunking these. Have a look at 2012 Doomsday Fabrication: Abusing Science and Making Money.

Some bunk that has passed their best before dates:

• Venus Transit (in 2004) Floods
• The Grand Alignment of Planets Disasters (2000 and many previous years)
• Asteroid 2007 TU24 near miss disasters. For a description of this rock see Wikipedia. For the debunking see this and this. For a told-ya-so, see this.
• Planet X (2003).
  

So exercise your critical thinking and save your time and money. Better don't let the fear mongers profit!

Wanting to believe

People are often predisposed to believe in a cause. The problem with this is that people often suspend their critical thinking and can be taken in. They can overreact to circumstances. Or they can mis-evaluate the situation.

To demonstrate this, a group took a petition to an environmental event. The petitioners (correctly) claimed that there was a substance associated with all major sources of water pollution and sought a ban on the chemical. What was it? Check out dhmo.org for a wealth of information of dihydrogen monoxide (dHmO, aka H2O). Sadly, a large number of people just listened to the spin and signed the petition to ban water!

While there is nothing wrong with wanting to believe or belong, we still need to be careful to apply some critical thinking.

Understanding Website Tracking

Most web sites track their visitors for any of a host of reasons. What the operators do with that information depends on their motives and intent. I track visitors to this site using a free service called Statcounter. My motives are to understand my audience better. One example of this is my article "Browser Wars part Deux". Others track for security, or ad revenue, or more sinister purposes. We as an audience may choose to agree or to disagree with how we are tracked and why.

There is a lot of misunderstanding out there about security and privacy on the Internet and during our browsing experience. Trying to understand the ins and outs of all of this is technical and a bit arcane. Most people don't have the time, patience or the background for it. I do. It's part of my job. Information security has been part of my job for most of my career.

With security and privacy, most of the time people get upset about the wrong things. It's not that their concern is misplaced, it just that people aren't that good at estimating risks.

Sometimes we choose to give up a bit of our privacy for things like free email accounts. Most people believe that companies like Google use their free email as vehicle to deliver ads. Automated analysis suggests something you might want. The most successful companies doing this will be the ones that are effective (suggesting something you really want or need) and not offensive or pushy.

Occasionally, these services get it wrong and the results can be quite funny. Because this blog is hosted by Google, I use a Google account just for it. A lot of the emails going through relate to scouting and astronomy. Google, through Gmail , displays a line at the top of my inbox informing me of interesting products and services. Sometimes it tells me about things relating to camping or astronomy. Regularly, it tells me about astrology, or doom and gloom sites (Nostradamus), and other weirdness. I don't mind it as it's not too pushy.

Website visitors are typically tracked by IP addresses and "cookies". Many people get upset about companies tracking their browsing habits. It's seen as an invasion of privacy and been the focus of a wide debate. The other part of the problem is their use by spammers and criminals.

As with most things, organizations that are the most aggressive in their use of technology tend to cross a line and become the focus of intense debates such as this. The debate then focuses on the use, abuse, and perceived abuse of the technology which then becomes a question of trust. This is no different from your real world business choices.

The first thing people need to know is that not all tracking is bad. In fact, some is necessary. To tell the difference, you need to understand how tracking works. There are several methods described below. If you don't want all the nitty-gritty read the italic paragraphs in each section.

People are tracked by means of IP addresses, Cookies, Web Bugs, and by coordinating the use of these things. Cookies and Web Bugs can even track you as you move a laptop from one place to another (e.g. home, work, hot spots).

IP addresses

Basically, IP addresses aren't all that good for tracking people by themselves because they can be shared and because they don't remain constant. If you want to see your IP go to What's my IP address.

That may change in the future as we change to a newer standard for IP addresses called IPv6 which is intended to allow every device to have its own unique IP.

If you want to know more about how this works read the points below. Otherwise skip a bit.

• IP stands for Internet Protocol. IP addresses are how are computers know to talk to each other. When you visit this blog, your browser needs an IP address. You type mangsbatpage.433rd.com and your browser asks the Internet's Domain Name System (DNS) to return an address. Today it sent back 72.14.207.121. Because this is a server at Google, it's unlikely to change too often. The computer I'm writing this on also has an IP address. It's dynamic and assigned by a home firewall/router. It's also private and can't be seen on the Internet. Finally there is the one that my firewall/router has. That one is assigned by my ISP dynamically and changes from time to time. It can be seen on the Internet. That one is also shared by other computers in my house.
  
• IP addresses were intended to be unique. In practice their aren't enough of them and they get shared and reused. As a result, they aren't in themselves all that good at tracking people.
• As I mentioned, some IP addresses are dynamic and change over time.
  
• Other IPs are fixed and represent many people. Large companies typically funnel all of their employee browsing through a few IP addresses. While most Internet Service Providers assign individual IP addresses to customers, AOL is (or was) a counter example and operated much like a large company.
• IP addresses in and of themselves aren't a great indicator of individual behaviour.
• There should be a healthy privacy debate around IPv6.

Cookies

Cookies are more commonly used for this tracking and as a result they are both abused and misunderstood. Cookies are essentially a way of associating information with a name to provide a memory for web servers. That's actually needed because in their basic form web servers can't tell one page request (or people) apart. Cookies that are very specific and restricted facilitate transactions. Cookies that are broad and unrestricted are open to abuse.

If you want to know more about cookies read the points below:

• Web servers are "stateless" which is just a fancy way of saying that they have no memory from one page to another. This is fine if the site is just only informational. If there is some kind of transaction happening the site must have a memory. You wouldn't want it any other way.
• Cookies can be restricted to specific sites. So-called secure cookies are generally a good thing. For example when you bank on the Internet, you most likely use cookies. When you sign on to a secure web site the server returns you a cookie called a secure session cookie. It's really just an enormous random number. Each time you click a new button or move to a new page withing that site, that number is how the web site knows how to connect the dots between the actions on each page. Of course the if someone were to get this number they could impersonate your session. There's a whole host of things done to prevent this.
• That's one reason why the banks encrypt their sessions.
  
• The random number must be extremely strong to prevent guessing.
• The random number is only good for a short while. When it expires, you must login again.
• Some web sites change the random number from page to page.
• Shopping cart sites use cookies to keep track of what's in your cart. They are similar to what the bank does but you might not need to log in.
• Wikipedia has an article on Cookies here.
  

Web Bugs

Another way you can be tracked is by the use of so-called "web bugs". These are references to invisible files hidden in a web page that are associated with a unique number. By embedding the same bug in emails and different web pages along with additional reference information, you can be tracked. Unlike cookies and IP addresses, I'm not aware of a clear need for web bugs beyond tracking. In fact there are lots of examples of abuses using this technology.

If you want to know more about cookies read the points below:

• Web bugs are often image files such as JPEGs that are drawn with a 1 pixel x 1 pixel size. There are other methods and a broader description can be found on Wikipedia.
  
• The references number is usually an argument to the file name (after the ? in the URL)
• The bug is really the reference and not the file.
  
• Tracking is possible because the name of the file and the unique number appear in the logs of servers you visit.
• Several email products can disable web bugs.
  

Tips

• If you are doing transactions like banking, you might want to shut down your browser and start it up from scratch to do your banking and shopping. When done the shut down and restart again. This will minimize the possibility of information accidentally leaking between different web sites.
• Most browsers allow you to select which cookies you'll allow to be set. You can also block entire sites and networks. The down side is that the frequent interactions when the browser asks you about each cookie can be highly annoying. There are also cookie managers that allow you to remove and block unwanted cookies.
• Browsers often allow you to control the loading of offsite image files
• Java script can be even more dangerous in what it can steal from your computer. I strongly recommend people use tools like Firefox's NoScript Add-on. This allows you to permit specific sites to use scripts.
  

Browser wars part deux!

Most people take browsers for granted and think of the browser wars as ancient history. Well they're back.

Some of this diversity is a good thing. But the problems of security and compatibility lurk beneath the surface.

Browser diversity

There are a surprising number of browsers out there and even a small site will get a fair spread of visitors. Judging from the visitors to this site (and discounting my own activity), we have:

• Internet Explorer or IE (50%) with 3 versions
  
• Firefox (36%) with 6 versions
  
• Safari (7%) with 1 version
  
• Opera (1.3%) with 5 versions
• Others (5%) including Konqueror, Camino, Netscape, Mozilla (pre firefox), and the ever popular blank or noname.

I have yet to see a visit by a Flock user.

Recently Apple has been trying to make a big splash with Safari. They got themselves into a bit of hot water by being aggressive and misleading using the iTunes updater to install Safari on Windows, here. And looked a bit silly because the click through license disallowed installs on Windows, here.

Security

Older browsers are vulnerable to all kinds of security problems and are actually unsafe on many pages.

Unpatched security vulnerabilities make it possible for criminals to easily infect computers by planting malicious code on web sites and waiting users to visit. It's been called "drive by downloading". It's not just reserved for fake websites and spam blogs, many legitimate web sites have been laced with nasty malware.

Security studies in 2005 and 2006 comparing IE with Firefox found that IE (v6) was unsafe 98% of the time! In fact, about 30% of our visitors are running unpatched browsers.

• About 20% of the visitors to this site are running the insecure IE v6!
• Also about 2.5% of visitors to this site are running insecure versions of Firefox.
  

Of course, not all vulnerabilities are equal and if you want to do some research, vulnerability information can be found at Secunia.com as well as numerous other websites. Click on one of these links for a vulnerability summary for IE7, IE6, IE5.5, IE 5.0, Firefox 2, Firefox 1, Netscape 7, Camino, Opera 9, Opera 8, Safari 1, and Flock 1.

Firefox can be supplemented by a variety of Add-ons which can improve both functionality and security. A few of my favorites are NoScript and Adblock Plus.

Compatibility

Older browsers are also functionally problematic. It goes beyond not supporting newer web functionality, some of them don't follow standards and require web developers to go through all kinds of quirky hoops to get even simple web pages to display properly in all browsers. IE6 and earlier were notorious for being non-standard. Developers even have a name for one of the problems, it's called Quirks Mode. It's been argued that Microsoft likes this because it promotes their lock-in. Developers by and large hate it because it destroys interoperability and promotes lock-in.

By way of example, when our web developer put together the "Forest Friends" page for the 433rd website the animals originally lined up properly only in IE. The site looked nasty in every other browser. Some experimentation and adjustment was required to get it working for standards based browsers like Firefox and Opera. If you look in the page source, you will see comments describing the gory details of how the page was adjusted.

End6!

One web developer has been so miffed by these problems, he started a campaign called End6! to get rid of IE6 (and earlier) non-conforming browsers. This was picked up by another group, here, and caused some controversy, here. Just to be clear, he's not trying to get rid of IE. Just old non-conforming IE.

Take the End6! test, here. Of course it requires JavaScript to be enabled.