Cyberwar or Cyberhype?

Over the past week, the security blogosphere has been flooded with serious discussion about whether all of the talk in the nation about the threat of cyberwar is nothing more than hype. Some argue it is being used as a scare tactic to push political and agency agendas, while others argue that it is a valid and prevalent issue. In the world of information technology this happens often: important concepts, ideas, or issues are over-hyped and then dismissed. In some cases dismissing technology hype completely is valid (see NoSQL), while in others it could be very dangerous.

Richard Bejtlich over at TaoSecurity summarizes the argument of those that believe it’s all just cyberhype nicely:

Their argument is simple.

  1. The government wants to control the people, or obtain a resource, or pursue some objective that could not be reasonably achieved if transparently presented to the citizenry.

  2. The government “propaganda machine,” sometimes in coordination with “the media” and “big business,” “manufactures” a “crisis” whose only solution is increased government power.

  3. The people acquiesce in order to preserve their safety, and the government achieves its objective.

It’s not too far-fetched to believe that politicians and intelligence agencies have agendas of their own. It is also not too far-fetched to believe that the government uses propaganda and scare tactics to push those agendas, but that does not mean a threat does not in fact exist. Bejtlich goes on in his article to state that cyberwar is in fact real, regardless of whether it follows the traditional definition of “war”. In a follow-up article, he continues to support his argument by using a variety of political frameworks for defining what actually constitutes war.

While Bejtlich obviously believes that cyberwar is real, others such as renowned security professional Bruce Schneier have a different take on it all. In one of his recent articles, Schneier argues that the threat has been exaggerated. A number of government officials have been quoted as saying that cyberwar is a real and prevalent threat. According to Schneier, “…the entire national debate on cyberwar is plagued with exaggerations and hyperbole.” Schneier goes on to give several examples of the overuse and misuse of the term cyberwar and states that we are in fact not in a cyberwar. He believes that we should have a Cyber Command and be prepared for war by improving cybersecurity, but says that there is no more of a threat of a cyberwar than there is of a ground invasion.

While Schneier presents a few valid and convincing points, I largely agree with Bejtlich that cyberwar is a real and important threat that most certainly needs to be addressed. Yes, politicians use rhetoric to sell the public on the need for changes in policy. And yes, agencies do oversell threats to push their own agendas. With no real definition of who has power in the case of cyber attacks, it is no surprise that everyone wants control. Even if the threats are somewhat exaggerated, it does not mean the threats do not exist.

Attacks on classified networks, whether denial-of-service attacks or attacks used purely to obtain information, are real threats. If it is known that our networks are vulnerable and undefended, a foreign agency can use this to its benefit to cut off communications when we need them most. It is surprising that Schneier would dismiss the attack on Estonian websites in 2007 as “simple hacking”. A denial-of-service attack, while simple in execution, can cause a tremendous amount of damage when mission-critical services are interrupted. Even if networks are being attacked only as proofs of concept, that poses a real threat: reconnaissance is the first step in covert warfare, and that fact does not change in the cyber arena.

I feel it is hard to argue, knowing that our networks are being attacked on a regular basis (regardless of where the attacks originate), that there is no cyberwar going on. It is imperative that we defend our networks, and imperative that we understand the consequences of failure. This is not to say I fully agree with the media and politicians who exaggerate the actual threat. There is no question that the threat has been exaggerated, but that does not mean we should dismiss the threat entirely or deny that a cyberwar does in fact exist.


Are We Witnessing The Death Of Privacy?

While the death of privacy may seem like a far-fetched concept, particularly in the United States, it really is an idea that we should be paying attention to. To be perfectly honest, it was an idea that even I dismissed just a few months ago, but it has slowly begun to scare me a little more as I pay closer attention to the generational differences.

What really sparked this shift in my thinking about privacy was a conversation I had with my good friend John a few months ago. We were walking through our local Kroger late at night, as college students tend to do, discussing the uselessness (or usefulness, as my friend argued) of Facebook Chat. (Since then you can integrate FB Chat with desktop clients, so I use it all the time… they were listening to my complaints.) I was explaining how I never used it because it required me to be locked in the browser, and there was no way of really being notified of a new message if I happened to be on another desktop or window. I’ve always been a big fan of clients for services.

My friend responded that younger generations find tremendous value in it because they do not see any reason anyone would ever use a “screen name” to talk to their friends. For those of you wondering what I’m talking about, it was a trend made popular by AOL’s chat service back in the 90s. I brought up the anonymity-on-the-net argument, and his response was a simple one that caught me off guard: “People don’t care about that anymore.” I was unable to respond, mostly because after thinking about it for a few minutes I realized it was true. Even back in my high school days, I had friends who would post everything about their lives on the internet without thinking about the potential repercussions.

The Social Networking Problem

The whole idea bothers me, really. With social networking sites like MySpace and Facebook and blogging on the rise, people have a tendency to share everything. Then there is Twitter, and now you have people constantly posting about their lives. Don’t get me wrong, these tools are great, but is it really okay… is it really safe for us to be so willing to share everything about ourselves with the world?

I personally hide myself as much as possible on these sites. I use them for keeping in touch with people that I know, not for meeting random people on the internet. You still can’t trust that the person on the other end is who they say they are. Even though I only add or share information with my friends, I still limit that for several reasons: 1) my prior statement remains true: I can’t verify that my friend’s account hasn’t been hacked, or that it isn’t being used by someone they shared a password with (a point we’ll come back to); 2) by putting information on these sites, I’m putting a lot of trust in the site that is hosting the information. Facebook openly sells information. At one point, any Facebook employee had access to the information of ANY user. That’s too much trust.

Another little-known fact about Facebook: they track and keep a history of everything you do while on the site. Every page view, picture view, wall post, message sent, event attended, group started, ad clicked, and chat conversation is logged and stored. With the right kind of analysis of this information, you could generate a pretty accurate profile of a person. To be honest, I wouldn’t be surprised if federal agencies are already doing such things. Big Brother isn’t the government, it’s Facebook.

Location Based Services

Facebook isn’t the only criminal here though… let’s talk about Twitter, Google, and the iPhone for a minute. Perhaps it’s just me, but location-based services seem like the most unsafe idea ever. Yes, they provide a level of convenience and context, but there is one major problem with the implementations we’ve seen so far: they give people the ability to stalk you. Think about it. Google Latitude is built for broadcasting your location to your friends (or the world if you want). Twitter has location-based services so that when you tweet, your location can also be sent along (don’t worry, it’s an opt-in system… which is even scarier considering the number of people who use it). The biggest criminal, however, has got to be Foursquare.

Foursquare, for those of you who don’t know, is an application that asks users to share their location. The real crime is the way in which they convince users to do this. Every time you go back to a particular store or spot, you “check in”. If you check in at a particular location more times than anyone else, you become the “Mayor” of that location! How fun! Except that now you’re broadcasting your location and where you spend most of your time, so if I want to I can build a nice profile of when you’re not at home, and rob you or stalk you without ever having to leave my own. Grats!
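To make that profile-building concrete, here is an added example (not part of the original post, and not Foursquare’s code) that takes a constructed list of public check-ins and pulls out the recurring weekday/hour slots in which the account holder is reliably away from home. The venue names, the timestamps and the three-week threshold are all made up for the illustration; nothing here needs network access.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed check-ins (venue, ISO timestamp) for one fictional account.
# Not real data: three weeks of March 2010, a month that starts on a Monday.
CHECKINS = [
    ("Coffee Corner", "2010-03-01T08:05:00"),  # Mon morning
    ("Campus Gym",    "2010-03-01T18:30:00"),  # Mon evening
    ("Kroger",        "2010-03-06T22:15:00"),  # Sat night
    ("Coffee Corner", "2010-03-08T08:10:00"),
    ("Campus Gym",    "2010-03-08T18:40:00"),
    ("Dentist",       "2010-03-10T14:00:00"),  # one-off visit, must not count
    ("Kroger",        "2010-03-13T22:40:00"),
    ("Coffee Corner", "2010-03-15T08:00:00"),
    ("Campus Gym",    "2010-03-15T18:20:00"),
    ("Kroger",        "2010-03-20T22:05:00"),
]

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def mayor_candidates(checkins):
    """Venues ranked by check-in count: the same leaderboard the 'Mayor'
    game publishes, read as a list of where the user can be found."""
    return Counter(venue for venue, _ in checkins).most_common()


def recurring_away_slots(checkins, min_weeks=3):
    """Return (weekday, hour) slots that carry a check-in in at least
    min_weeks distinct ISO weeks. Each is a time the user is predictably
    not at home; one-off visits fall below the threshold."""
    weeks_by_slot = defaultdict(set)
    for _venue, stamp in checkins:
        when = datetime.fromisoformat(stamp)
        weeks_by_slot[(when.weekday(), when.hour)].add(when.isocalendar()[1])
    return sorted(slot for slot, weeks in weeks_by_slot.items()
                  if len(weeks) >= min_weeks)


def away_schedule(checkins, min_weeks=3):
    """Human-readable form of recurring_away_slots."""
    return [f"{WEEKDAYS[day]} {hour:02d}:00"
            for day, hour in recurring_away_slots(checkins, min_weeks)]


if __name__ == "__main__":
    for venue, count in mayor_candidates(CHECKINS):
        print(f"{count}x {venue}")
    print("reliably away from home:", away_schedule(CHECKINS))
```

Ten check-ins are enough to recover three weekly windows (Monday morning, Monday evening, Saturday night) while the single dentist visit is filtered out. Bucketing by the hour is deliberately coarse; a real analysis would widen the windows and add travel time, which only makes the schedule more useful to someone who should not have it.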

Grocery Stores

Grocery stores are also adding to the privacy problem. Particularly in the current economy, it is really easy for grocery stores to get you to sign up for those free cards that give you great discounts on items you buy in the store. It is very uncommon to find a grocery store that doesn’t offer one. It wasn’t apparent to me what implications this had for privacy, however, until about a year ago. I received a phone call from my local Kroger informing me that Nestle Toll House had recalled a number of its products (cookies) due to some issue with them (I don’t remember the specifics) and that I was receiving the phone call because I had purchased these products in the past few months. My train of thought went something like this: “Oh wow, that’s awesome that they called me to let me know… I hope I don’t get sick… wait a second, how did they know I bought those cookies, and how did they know how to get in touch with me…”

Then it hit me. I signed up for one of those cards when I moved into the area because I wanted those discounts. Part of signing up is providing your phone number (which they say is so you can still receive the discounts when you don’t have the card on you), but it actually serves multiple purposes. They want to be able to contact you. You receive ads in the mail because you also provided your address. They’re also selling your information to advertisers. We don’t care, though, because we get those discounts.

Generation Z

For starters, this isn’t my label. This is the label you were given based on when you were born. Generation Z refers to everyone born from the mid-1990s through 2009. There’s a reason the theme at last year’s Defcon was blame the 90s. It’s funny… I have younger siblings who were born during this time frame and who (at least for the moment) seem to know better than to share everything about themselves on the internet, and who know better than to give a boyfriend or girlfriend their passwords. That could also be due to the fact that I shove security down their throats on a regular basis, but that can’t be proven.

The fact of the matter is, a lot of these Gen-Zers are out there doing exactly the things I mentioned. They do so without thinking about the repercussions of sharing everything about themselves with the world, without thinking about the damage that can be done by a disgruntled friend or ex. They are being led by bad models of privacy and accepting them because they simply do not know any better. Is this due to a lack of education by my generation? Generation Z is following along with these bad models of privacy, which are slowly but surely killing the concept.

CEOs and Privacy

Know what’s really scary? When CEOs don’t think privacy matters, especially CEOs who run companies that hold pretty much every piece of data shared on the internet. I’m looking at you, Eric Schmidt and Mark Zuckerberg. Let’s start with Zuckerberg… Mark is a twenty-something CEO who started the most used social networking site ever. The site has exploded since its inception and now gets more traffic than even Google. The site I’m referring to, of course, is Facebook. Facebook has been under a lot of heat in the past (and even today) about its privacy policies. They keep changing the policy so that information is shared and can be sold. As I said in another post, this is nothing we shouldn’t expect from Facebook as a company, because it is just that: a company. My issue comes when CEOs such as Zuckerberg say things like “We view it as our role in the system to constantly be innovating and be updating what our system is to reflect what the current social norms are” when his view of those social norms is slanted towards the benefit of his company.

Perhaps that is a little harsh. Let me phrase it differently. Zuckerberg claims that the social norms of what people will share, and with whom, have changed, but the fact of the matter is that Facebook has led that change. Over the years, every time Facebook updated its privacy policy there was an uproar of sorts from its users (or at least the ones who cared to pay attention). Leading the masses of sheep who aren’t paying attention into a dark hole and then calling it the social norm is a tad twisted.

Even worse than Zuckerberg, however, would have to be Eric Schmidt. Schmidt is Google’s CEO, and in a recent interview, in response to a question about whether people should trust Google as much as they do, he said: “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.” Now, that would almost be a valid statement, except for the fact that it just isn’t. There are a million and one ways I could blow that statement out of the water, but we’ll save time and skip that. [Insert your own example here]. I gotta give Schmidt credit though: at least he doesn’t lie. “But if you really need that kind of privacy, the reality is that search engines – including Google – do retain this information for some time.” When the CEO of the company that holds practically every piece of your life (think about it: maps, e-mail, chat, code, everything…) is bold enough to just tell you, “we keep your information, your privacy doesn’t exist as far as we’re concerned”, maybe this whole notion of privacy is becoming a novelty.

Is Privacy Dying Before Our Eyes?

I would like to think that at some point people will begin to realize how much they are really exposing to the world and how dangerous it is. I would like to think that in the future we will look back at these past few years as a quick slip. What scares me the most is that I know what I personally could do with the information people share out there on these sites… and I’m no Kevin Mitnick. I’m just some guy who happens to think about things from a security standpoint. If I were a worse person, lives could be destroyed and identities stolen very easily.

By all accounts, privacy does seem to be slowly dying. I hope, for all our sakes, that there is some major awakening that reminds people why privacy has existed in the past, and why it is not always best to share everything about your life with the world. I am not saying we need to “fight the power” and destroy Facebook, Google, Twitter and the like. They are all great tools, but only when used safely. If privacy dies, we’re welcoming a world of chaos with open arms.


NoSQL – Not The End Of RDBMS

There has been a lot of noise on the web recently about the death of relational database management systems. This is not the first time there has been such sacrilegious chatter, but it is the first time that developers as a whole are really starting to pay attention. There is good reason for everyone to start paying attention to the NoSQL movement, but it is not the end of relational database management systems. That being said, in this article we are going to take a look at what exactly NoSQL is all about and how it can be beneficial.

Before we jump into NoSQL, let’s talk about relational database management systems (RDBMSes) and why they are, and have been, used. In an RDBMS a database is comprised of tables, which are comprised of rows and columns. Each row of a table is a record with a value for each of the columns (though some of those values may be blank or NULL), and rows in different tables are linked to each other by keys. Relational databases currently run the world, whether you are talking about an online e-commerce site, the next big Web 2.0 social networking fling, or major enterprise applications. They are a great way to keep unrelated information separate while preserving the ability to link related information, such as everything pertaining to a specific user. In short, relational databases are great for structured data. There is of course one major caveat to that… your data has to be structured.

Anyone who has spent more than five minutes designing a database knows the pain of building a schema that is efficient for the task at hand. Data modeling, despite what many may think, is a non-trivial task. If you are handed a large set of data about customers, products, and sales for an online retailer, with a relational database you do not want to store all of that information in the same table. You want to keep your product information separate from your customer information, and both separate from the sales transactions. There are a number of reasons to do this: avoiding duplicate data, giving data context, scalability, and security of information, to name a few.

So what’s the problem?

One of the major problems with relational databases is their limited ability to scale. You typically have to scale “up” instead of “out” to get better performance from a database that is hit constantly. That is to say, you throw more RAM, faster processors, and disks with better I/O at the database server to get optimal performance, rather than spreading the load across multiple servers. Granted, there are read replicas, application-level sharding, and things like Memcached to take load off the database, but those are bolted on and are not always going to be the optimal solution.

Performance is another big one that needs to be addressed. Just about every relational database out there is stored on disk, and as everyone knows, disk I/O operations (unless you’re using SSDs) are really expensive. With transactions occurring constantly, random disk I/O becomes the bottleneck, and the database will at the very least be slow under a large concurrent user base.

There is also, of course, the issue of the relational model not always being the right model for the job. Think business intelligence and reporting tools. These tools just want a view of the data for analytical purposes. In order to get the information they want, large queries that run across multiple tables are written with various joins and specific rules for missing data, etc. At the end of the day this is a cumbersome process that puts a large load on the database just to feed an analytics tool.

Enter “NoSQL”

I want to start by saying NoSQL is a terrible name for this movement. To be honest, this movement is not really anything new; it’s a rehashing of old ideas that is making leaps and bounds thanks to the current tech buzz: cloud computing. The idea is to move away from relational databases toward schemaless databases. For a lot of DBAs out there this is going to sound excessively sacrilegious and you may want to hang yourselves while reading it, but give me a few minutes and I promise you’ll regain your bearings.

Here goes: schemaless databases lack the concept of tables in the relational sense. In fact, they lack the concept of columns, or a schema in any sense. There is no data modeling up front. In the simplest of them you have one collection filled with records, with the number and names of the fields varying from record to record. (I told you: give me a few minutes, keep breathing, you can get through this.) The idea is that data does not always need a fixed structure. There is no point in having fields in a record that have no value; that’s just taking up space (in many relational engines a fixed-width column costs space in every row whether or not it holds a value).

Indexing essentially becomes a hash map: key/value pairs. You give it a key, and it returns a record (or document) that has whatever fields it has and nothing more. Again, this is all in one collection. Think about this from a large-dataset perspective. I need the information in a single record, and I know exactly where that record is thanks to my key, so fetching it is a trivial task: a hash lookup is O(1) on average rather than the O(log n) descent through a B-tree, which is how most relational database indexes are built. The trade-off is that a hash index cannot answer range queries or searches on fields other than the key; for those you either maintain a secondary index or scan every document.

“NoSQL” databases are being designed to reside on multiple servers. Think Amazon’s EC2: large datasets in the “cloud” for processing. Replication and partitioning are built into these systems rather than bolted on, though many of them still elect a primary node rather than doing away with the master/slave arrangement entirely. Several of these NoSQL databases are built to run in memory with the ability to persist to disk. That means fewer disk I/O operations, thus saving you money in the long run. Virtual servers with shared data on a SAN, anyone?

Another big benefit that I see with NoSQL is from an application design perspective. When designing applications, you can be a bit more generic. There is no need to know the schema of the database up front; you build the application based on the data you receive from a particular record. Some app developers might be bothered by this concept, but if you really think about it, it saves you time in the long run: reusable code for varying datasets. Be aware, though, that the schema has not gone away; it has moved into your application code, and every field you read from a record now has to be validated there, because the database will no longer reject a record that is missing one or carries an unexpected one.
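As an added example (not code from the original article or from any NoSQL product), the same three retailer records loaded into a minimal schemaless store built on a Python dict and into a SQLite table. The record contents, the required-field list and the identifier check are assumptions for the illustration. It shows the O(1) key lookup, the full scan you pay for any other query, the NULL cells the relational layout has to carry, and the field validation that now has to live in the application.

```python
import sqlite3

# Constructed product records for an online retailer; each record carries
# only the fields that apply to it. Not data from any real system.
DOCUMENTS = {
    "prod-1": {"name": "Laptop", "price": 999.00, "cpu": "2.4GHz", "ram_gb": 4},
    "prod-2": {"name": "Cookie Tin", "price": 4.99, "weight_oz": 16},
    "prod-3": {"name": "E-book", "price": 9.99, "format": "epub"},
}


class DocumentStore:
    """Minimal schemaless store: one collection, a hash map from key to document."""

    def __init__(self):
        self._docs = {}

    def put(self, key, doc):
        self._docs[key] = dict(doc)          # any fields, no schema to satisfy

    def get(self, key):
        return self._docs.get(key)           # hash lookup, O(1) on average

    def scan(self, predicate):
        # No index on arbitrary fields: filtering means touching every document.
        return {k: d for k, d in self._docs.items() if predicate(d)}

    def field_count(self):
        return sum(len(d) for d in self._docs.values())


def validate_document(doc, required=("name", "price")):
    """The schema lives in the application now: return the required fields
    this document is missing so the caller can reject it."""
    return [field for field in required if field not in doc]


def relational_equivalent(documents):
    """Load the same records into SQLite: one table whose columns are the
    union of every field, so each row carries NULLs for fields it lacks."""
    columns = sorted({field for d in documents.values() for field in d})
    # Field names become SQL identifiers; never let names taken from data
    # reach the DDL unchecked (sqlite3 cannot parameterize identifiers).
    for col in columns:
        if not col.isidentifier():
            raise ValueError(f"unsafe column name: {col!r}")
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE product (id TEXT PRIMARY KEY, {', '.join(columns)})")
    placeholders = ", ".join("?" for _ in range(len(columns) + 1))
    for key, doc in documents.items():
        conn.execute(
            f"INSERT INTO product (id, {', '.join(columns)}) VALUES ({placeholders})",
            [key] + [doc.get(col) for col in columns],
        )
    return conn, columns


def null_cells(conn, columns):
    """Count the NULL cells the relational layout has to carry."""
    return sum(
        conn.execute(f"SELECT COUNT(*) FROM product WHERE {col} IS NULL").fetchone()[0]
        for col in columns
    )


def build_store(documents):
    """Validate each record in the application, then store it schemaless."""
    store = DocumentStore()
    for key, doc in documents.items():
        missing = validate_document(doc)
        if missing:
            raise ValueError(f"{key} is missing {missing}")
        store.put(key, doc)
    return store


if __name__ == "__main__":
    store = build_store(DOCUMENTS)
    conn, columns = relational_equivalent(DOCUMENTS)
    print("document fields stored:", store.field_count())
    print("relational NULL cells:", null_cells(conn, columns), "across", columns)
    print("under $10:", sorted(store.scan(lambda d: d["price"] < 10)))
```

For these three records the document store holds 10 fields while the relational copy carries 8 NULL cells across 6 columns. The `isidentifier` check is the security point of the exercise: once field names come from the data, they also become the identifiers in your DDL, and placeholders cannot protect those.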

This is not the end of RDBMS

All that said, this is not the end for relational databases. Not even by a long shot. What we have here is an opportunity to look at a different way to handle large datasets, a way to really take advantage of cloud computing. Should people be paying attention to the “NoSQL” movement? Yes, but let us make sure we are paying attention to it for the right reasons. From a development standpoint, this is another tool we can add to our arsenal. It is a powerful tool, but one that comes with a huge responsibility.

That responsibility is knowing when to use it. “NoSQL” databases are not always the answer. Relational databases will more often than not solve the problems you are looking to solve. It happens a little too often that we hop on the bandwagon of a technology just to be early adopters. I don’t want to see a ton of “NoSQL” fanboys out there throwing it at everything they see. Be aware that “NoSQL” exists, and that it can be very useful in the right situations.


Can Policy and Power Be Mutually Exclusive?

Two nights ago while snowed in, one of my roommates and I got into one of those political discussions you always seem to have in college. It started off as a simple enough debate about whether or not capitalism is fair and, if not, what type of economic system would work better. As is the case with every political discussion, it did not end with the discussion of economic systems. At some point we found ourselves discussing the United Nations and its authority to enforce any agreements made among the nations involved. My roommate made an interesting point: while the UN may have authority, it has no real power. The UN itself does not have a body that it can use to enforce its policies; it requires the participation of UN members to actually enforce them, and those members can elect not to participate in enforcing certain policies. Without the participation of the major members, the UN has virtually no power. The question then becomes: can you have the authority to create policy without the power to enforce it?

The question itself is not a new one at all, and it is in fact one I have considered in other scopes (particularly in the security policy arena), but this discussion got me thinking about the issue in a different way. I want to start by briefly discussing authority and power as completely separate ideas.

Authority implies having the right, or authorization, to do something, whether that is the authorization to grant someone else permission to do something or the authorization to actually perform a task yourself. This can be seen in a wide range of examples, but to give a specific one, consider a DBA working with a group that requires limited access to information. That DBA may have the authority to grant CRUD permissions on specific tables, but may lack the authority to perform those CRUD operations themselves.

Power, on the other hand, is about someone having the ability to do something, with or without the appropriate authorization. For instance, continuing with the prior example, a data analyst may have the ability to perform those CRUD operations once granted the authorization by the DBA; however, a hacker may also have the ability to perform these very same actions without having the authorization to do so. To be clear, power has nothing to do with how the ability was obtained, just the fact that the ability exists. Instead of a hacker, we could have used the DBA, who may have the power to perform those CRUD operations while lacking the authority to use it.

With a better understanding of authority and power, let’s take a look at policy. A non-technical manager decides to implement a security policy for data access which restricts the DBA to granting permissions to users approved by the manager, and nothing else. The manager is implementing this policy because any unauthorized access to the information could be detrimental to the organization. Bear in mind that, being non-technical, the manager has no way of enforcing this policy other than entrusting the DBA with the job of ensuring that only authorized users have access to the information. The DBA has the power and the authority to grant permissions. The DBA also has the power to access the information, but according to the security policy he does not have the authority to access it. How does the non-technical manager go about enforcing the policy effectively without simply trusting the DBA?

An old saying is heard time and time again in the security world: “Trust, but verify.” So the manager decides that he will do regular audits of who has accessed the data and requires the DBA to provide the access logs on a weekly basis to ensure that the policy is indeed being enforced. The DBA has the ability to alter these audit logs before sending the report, so this becomes an ineffective strategy very quickly. The only other option the manager has is to hire someone whose job is to monitor access to the data by all users, including the DBA. This will allow the manager to be informed of any unauthorized access and handle each case, but it only does so after the breach has occurred. If this were mission-critical or otherwise highly sensitive data, the damage would already be done before the manager could take administrative action.
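One way to narrow the gap in the weekly-report idea, offered here as an added example rather than anything from the original post: write the access log as a hash chain, where every entry commits to the one before it, and have the manager file the current chain head somewhere the DBA cannot write to (a printout, his own mailbox) each week. The DBA still controls what gets appended, so this only catches edits or deletions of entries already covered by a head the manager holds; it does nothing about an access that was never logged, which is exactly the point about where the power lies. The log entries below are constructed.

```python
import copy
import hashlib
import json

GENESIS = hashlib.sha256(b"access-log-genesis").hexdigest()


def _digest(record):
    """Canonical SHA-256 of a record; sorted keys keep digests stable."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


class HashChainedLog:
    """Append-only log where every record carries the digest of its predecessor."""

    def __init__(self):
        self.records = []
        self.head = GENESIS

    def append(self, entry):
        record = {"prev": self.head, "entry": entry}
        self.head = _digest(record)
        self.records.append(record)
        return self.head          # the value the manager files out of band


def verify(records, expected_head):
    """Recompute the chain from genesis; an edited, removed or reordered
    record changes every digest after it and therefore the final head."""
    head = GENESIS
    for record in records:
        if record.get("prev") != head:
            return False
        head = _digest(record)
    return head == expected_head


def policy_violations(records):
    """What the manager looks for: the DBA doing anything other than granting."""
    return [r["entry"] for r in records
            if r["entry"]["user"] == "dba" and r["entry"]["action"] != "GRANT"]


# Constructed week of activity. The third entry is the DBA reading data
# he is authorised to grant access to but not to read himself.
WEEK = [
    {"user": "dba", "action": "GRANT", "object": "salaries", "grantee": "analyst"},
    {"user": "analyst", "action": "SELECT", "object": "salaries"},
    {"user": "dba", "action": "SELECT", "object": "salaries"},
]


def scenario():
    """Returns (honest_ok, tampered_ok, truncated_ok, violations_seen)."""
    log = HashChainedLog()
    manager_head = GENESIS
    for entry in WEEK:
        manager_head = log.append(entry)       # manager files the latest head

    honest_ok = verify(log.records, manager_head)

    # The DBA rewrites the incriminating entry before sending the report...
    tampered = copy.deepcopy(log.records)
    tampered[2]["entry"]["user"] = "analyst"
    tampered_ok = verify(tampered, manager_head)

    # ...or simply drops it from the end of the log.
    truncated_ok = verify(log.records[:-1], manager_head)

    return honest_ok, tampered_ok, truncated_ok, policy_violations(log.records)


if __name__ == "__main__":
    print(scenario())
```

The honest log verifies against the filed head; the rewritten and the truncated copies both fail, and the violation is visible in the honest copy. The design choice worth noting is that the head, not the log, is the thing the manager has to keep; it is small enough to hold out of band, and holding it is the only part of “verify” the DBA cannot do for him.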

In this example, the real power to enforce the policy actually lies with the DBA, not the manager. The manager must trust some third party to ensure that his policy is enforced. Now, this example has a solution, though it may not always be a feasible one: the manager should only hire a DBA that he trusts absolutely to enforce the policy the way he sees fit. What if the issue were instead that users had a way to circumvent a policy? A perfect example would be an organization that restricts users from loading executable files onto their machines from external media. The policy is enforced by including, in the mandatory set of programs installed on every machine, an antivirus program that scans any attached media and quarantines any file that meets a specific set of criteria. A user intent on loading a certain executable onto their machine circumvents the policy by turning off the antivirus software until they can get the program loaded (real example). The obvious solution is to prevent the user from being able to turn the antivirus software off, but the user needs to have the ability to do this in special cases without jumping through hoops, so you cannot include that in your policy. This is the Catch-22 that many policy makers find themselves in on a daily basis: having to give users power without authorization, or denying access without the power to prevent it.

I want to close the discussion from a technical standpoint with a few thoughts on how the issue can be addressed. As technologists, we should be creating technology that allows policy makers to enforce whatever policies they want to make. If that means getting as granular as the technology will allow, then that is what needs to be done. There is no reason, from a technical standpoint, that policy makers should be unable to enforce the policies they make due to a lack of technical knowledge. That being said, we must also be wary of allowing non-technical policy makers to make uninformed policy decisions in regards to technology.

More generally, it is still difficult to find a solution. If an organization has no direct power to enforce a policy, does the policy actually matter? At that point does it become a mere suggestion? If there is no consequence, because there is no power to enforce the policy, then what stops the members affected by it from breaking it? The technical issue can be solved by giving policy makers the power in a way that makes sense to them, but you cannot create power from thin air. If the power to enforce a policy does not exist, the policy is nothing more than words.

This conversation can be taken somewhat literally, so I want to be clear on a few things. I do not advocate breaking policy just because policy can be broken. To do so would be to support the breaking of laws that cannot be enforced and to promote illegal actions such as piracy. What I am suggesting, however, is that policy makers take a harder look at the policies they are trying to implement and only implement those which can be enforced. This does not mean laws and policies have to be thrown out, just that they must adapt to the powers that exist.

I’m interested to hear your thoughts on power and policy. Let me know what you think.


Whose Responsibility Is Privacy?

The one thing that Facebook has consistently pissed users off about over the years is privacy. The Electronic Privacy Information Center (EPIC) filed a 29-page complaint with the Federal Trade Commission (FTC), claiming that Facebook misled its users with its recent privacy updates. The complaint pretty much says that the changes are confusing to users, so instead of keeping their information safe, users end up losing jobs, being embarrassed, etc. While the social media giant has made some tremendous screw-ups in the past in the realm of privacy, I think it’s about time we cut Facebook some slack (just a little, though…).

I read through the complaint, which goes over the history of Facebook’s privacy changes fairly accurately (albeit with a pretty heavy bias). I encourage you to read it on your own. I’m going to skip over all of that and go straight to the basis on which EPIC is filing this complaint (towards the bottom of page 23):

98. Facebook is engaging in unfair and deceptive acts and practices. Such practices are prohibited by the FTC Act, and the Commission is empowered to enforce the Act’s prohibitions. These powers are described in FTC Policy Statements on Deception and Unfairness.

99. A trade practice is unfair if it “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”

One of the major complaints has been that Facebook’s new privacy settings reveal too much of a user’s personal information without giving them adequate controls to manage the security of that information effectively. This is one point I have to immediately disagree with. Facebook has always given some very granular controls over who can access every piece of information you post. In fact, it gives you the ability to set specific settings for specific friends… So if you want to allow your college friends to see certain pictures, but not your boss, you can do that. The argument has been made that these settings are too confusing or too hard for users to find or modify… To that I say: No, not really… And if they are, then too bad.

Alright, that may have been a little harsh, but hear me out. I’ve been using Facebook for a good four years, and one of the first things I did when I started was modify my privacy settings so that I was pretty much invisible. My friends hated it because they couldn’t find me easily, and if they somehow could, they couldn’t even add me as a friend, let alone see any of my information. This also meant that no one I didn’t want to find me or see my information could do so either. So, to be perfectly honest, when this recent migration occurred, I was fine. The system prompted me to “share my information with everyone” or keep my old settings. I kept my old settings and I was fine.

What I’m getting at is that if users are going to get on the Internet and share their information with websites such as Facebook, they should understand how to control such tools. Facebook is a company. Companies exist to make money. This particular company makes money by selling information (or advertising to you). While they haven’t made the best decisions in the past in regard to privacy, they’ve done a pretty good job of giving you control over who can actually access this information. So if you want to post pictures of yourself getting plastered on the company dollar, or engaging in illicit activities, then it is your job to make sure you control who has access to that information. If you decide to post on a friend’s wall about some illicit activity you engaged in, and they don’t have their information blocked, then you’re the one that’s really at fault… not Facebook.

I really do not see this complaint going too far, because the amount of benefit this site provides (as many users will attest) outweighs the injuries its users incur from it. Additionally, the injuries are self-inflicted. The argument comes up about the API and what it can access… If you have your controls set right, the most the API can obtain about you is your name, profile picture, gender, current city, networks, friend list, and pages. Keep your profile picture clean. Other than that, the rest of that information is publicly available anyway. Any quick Google search could give me most of that and more “damaging” information.

The fact of the matter is that the responsibility for personal privacy resides with the user. If you have a problem with the way a site operates, then do not post your information on it. If you cannot read the FAQs posted on a site that tell you how to protect your information, do not post it. Social networking sites were not built for privacy. They were built to allow users to network, and they do the best they can to facilitate this… Okay, while trying to make money on the side, but can you really blame them? Here’s a thought. If you have such an issue with how Facebook handles privacy, stop using the site and build your own that handles privacy in the most effective way.

I am not writing this because I firmly agree with all of Facebook’s privacy policies (or their other policies, for that matter), nor do I work for Facebook or support it 100%. I’m writing this because users need to start taking responsibility for the privacy of their own information on the Internet. You can expect a bank not to release your current balance to public sources, or a hospital not to release your medical records, but when you post information on a social networking website that has specific terms and agreements about what can and cannot be done with the information you post, and how you control it, the responsibility lies with you.

Posted in Privacy, security, social networking

The Importance of Engineering in Undergraduate Computer Science Programs

Recently I’ve been thinking heavily about the Computer Science program at Tech due to a number of changes that are quickly making their way into the curriculum. One of the more interesting decisions the Computer Science Department at Virginia Tech made for changing the program was moving the Department into the College of Engineering. While the full potential of this move has not yet been realized, it is a move with tremendous advantages not only for the department and its students, but also for industry and academia as a whole.

The advantages gained from such a move primarily surround the principles of Software Engineering. Software Engineering is a term that unjustly gets little to no credit among academics in the field. A large number consider it to be an abomination of sorts with no real meaning or value. They take it to be just one of those buzzwords that gets thrown about these days, as “Web 2.0” and the like have been in the past. The fact of the matter is that Software Engineering is a term that is far too often overlooked, particularly in academia, which is a trend that needs to stop if we would like to see growth in the field of Computer Science as a whole.

The industry has changed substantially since the early 1960s. We are no longer in an era where the field of Computer Science is completely dissociated from the rest of the world. Every business and organization out there sees the tremendous value in having technology available to make jobs more efficient by increasing productivity through the elimination of complex or tedious tasks from workers’ agendas. It has thus become more important that the gurus of the Computer Science field fall into professions that require them to understand business and customer needs. The backbone of our economy rests on the efficiency and productivity of our businesses, and, by the transitive property, at the fingertips of those gurus.

All this being said, it is a wonder that members of academia refuse to accept software engineering as a part (let alone a major component) of the Computer Science discipline. In fact, a number of papers and articles have written off Software Engineering as a “pseudo science”. In his article titled “What Is Software Engineering”[1], William Curran, an Associate Professor of Computer Science at Southeastern Louisiana University, states, “A software engineer is no more an engineer than a novelist is a word engineer.” This statement is wildly false. An explanation of this claim requires an answer to the fundamental question that Curran asks in the title of his article: what is software engineering?

Providing an answer to the question of what Software Engineering actually is requires a firm definition of what engineering is in its broadest terms. Engineering is a multifaceted discipline in which science and mathematics are applied to practical problems. This definition states in a fairly explicit manner that engineering is applied science. As software is a product of Computer Science, Software Engineering is unquestionably the application of Computer Science to practical problems. It is important to define Software Engineering deliberately in terms of Computer Science in order to establish Software Engineering as a subset of Computer Science. Establishing this hierarchy prevents the “tainting” of the field that some believe occurs when using the term Software Engineering.

This structure leaves us with two branches of Computer Science. One branch is for those who focus on theory and dive into research developing the foundation that is Computer Science, while the other branch focuses on the more practical side of the field. A more complete understanding of this requires a more in-depth look at what a Software Engineer actually does. A Software Engineer is one who develops software to make something more efficient or to solve a particular problem that could not feasibly be solved by a human in a reasonable amount of time. It would be a false assumption to say that the Software Engineer just jumps straight into developing this software. That is what “code monkeys” are for. The engineering part of the Software Engineer’s job is to define and solve a problem. This is done through standard engineering methods, which include defining the problem, designing a potential solution to the problem (without actually implementing it), considering the implications, and redesigning the solution until the best possible solution is reached.

A Software Engineer does all of these things the same way any other engineer would: by reaching back to the science. There are of course factors beyond the pure science that the Software Engineer has to consider, such as risk management and human interaction, but this is no different from a chemist designing a vaccine to cure a particular disease. At the end of the day all of these products are meant to benefit people, and if there is more loss than gain, then the engineer has failed to solve the problem they sought to tackle. Software Engineering is therefore not a pseudo science, but a practical science. Every technique that a Software Engineer employs to actually develop the software and solve the problem at hand reaches back to the science. It does not cheapen the work of those in the field of Computer Science or the field itself, but in fact enhances both. Knowledge without application is useless. This is not to cheapen the value of the Science by any means. Software Engineering depends on the Science, but the Science also requires some form of application to be beneficial.

The flaw in most Computer Science programs is that they produce two types of students: students who can code until their fingers come off, and students who appreciate the value of theory and research and decide to continue developing the field. There is absolutely nothing wrong with these two products, but the fault is that these programs fail to create a third type of student. That is to say, they do not create Software Engineers. The value of a Software Engineer is that they can efficiently solve problems and implement the solutions. You can give a developer any specification for a product and they can churn out code and produce a product that works, but it is the Software Engineers whom you can hand a problem and leave it to them to develop a specification for a product and implement a solution that not only works, but works in the most efficient manner.

A significant number of undergraduates who receive their Bachelor’s Degree in Computer Science head straight into industry. Currently, the industry is flooded with developers who write brilliant code but lack the ability to solve the problems that industry hands to them. The System Architect and similar positions are reserved for those who have gone on to higher education and received their Master’s or Doctorate Degrees in Computer Science, because they are the ones who know how to solve problems. Computer Science programs at universities need to shy away from this trend. Every single Computer Science graduate, whether from an undergraduate program or a graduate program, should leave with the ability not only to develop software, but also to solve problems. This is achieved by teaching engineering methods in CS programs.

Some would argue that this would flood the market with a number of engineers who disagree on ideas, or cheapen the value of a graduate degree. What it actually does is provide greater opportunity for advancement in the field of Computer Science. The more challenges that are solved, the harder the remaining challenges become. Having great minds in the industry creates the potential for these challenges to be solved. Additionally, facilitating an engineering mindset throughout a Computer Science curriculum will also increase the number of students who remain on the side of academia due to their commitment to tackling the most challenging problems that the field faces at any given time.

Simple changes can be made to Computer Science programs to focus more on the practical application of the knowledge gained through analysis and research. Furthermore, an engineering approach to research and analysis enhances the value of the knowledge obtained. If members of academia remove the mindset that applying engineering methodology to Computer Science devalues the Science, the programs will begin to produce better engineers to face not only the problems of today, but the problems of tomorrow as well. The Computer Science Department at Virginia Tech has made a great first step in this direction, but there needs to be more of a movement by the entire academic community for the benefits to truly be realized.

[1] –

Posted in Programming, Tech Ed, VT

That Nasty Firefox Extension

So there has been a lot of noise on the interwebs about this new “malware”/“virus”/“worm” that apparently no anti-virus software has been able to detect or remove. Last week I was infected with this nasty little thing and it was really starting to piss me off. I had been searching madly across the Internet (using cached search pages, a small workaround for this bug) to try to find the solution to this little issue. I also ran every piece of anti-malware and anti-virus software I have… which, by the way, is a lot.

After my holy trinity of virus-killing software (Malwarebytes, Avira, and CCleaner) found nothing numerous times, I was starting to get excessively frustrated. Then I came across forum posts from Firefox users who all had the same issue… It turned out this was a Firefox-specific problem (which of course I wouldn’t have known, because I never use IE and assumed everything was infected).

One user (bless him) said that this was an extension-related issue: just find the extension folder that was modified around the date you noticed the infection and remove it. Restart Firefox and it works without the problems. Me and my curious self… decided that I wanted to look at the code of this little thing.

So I dug in, copied the XUL (XML User Interface Language) file and opened it to see the code. These files, as an aside, are used to change the user interface of Firefox, and are the reason some extensions can make web pages change and do all the weird and cool things we all seem to love… They are also the reason for my frustration over the past week.

So I opened the file and looked at the code, and it’s actually very simple… Here are a few lines:

// loc holds the current page URL; keyword and engine are filled in for the redirect code that follows
if (loc.match(/google\..+\/search.*[&\?]q=([^&]*)/)) {
    keyword = RegExp.$1;
    engine = 'google';
//    } else if (loc.match(/search\.ua.+[&\?]q=([^&]*)/)) {
//        keyword = RegExp.$1;
} else if (loc.match(/search\.yahoo.*search.*[&\?]p=([^&]*)/)) {
    keyword = RegExp.$1;
    engine = 'yahoo';
}

There are actually a number of blocks like this, one for every search engine. Simple regular expressions check which search engine the current URL belongs to and pull out the search keyword. If one matches, then you are going to see these random redirects to some ad server, then to a page of their choosing… I also found this little variable, which is apparently the server your requests are redirected to (I have changed the value):

var __d = "";

I love the Internet, but I hate stuff like this being out there. Anyway, the removal instructions are simple:

1.) Go to: %Mozilla Firefox%\extensions\

2.) Delete folder xxxxx where xxxxx is something like {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} and has a modified date around the time you got infected.

3.) Restart Firefox, problem solved.

And if you’re anything like me, look at the code for yourself and see exactly what it was doing… While nasty, it’s actually a pretty neat trick. Useful if you want to, say… spy on someone using your internets. Oh, and change your passwords if you’ve used any while infected. Can never be too safe.
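Step 2 above boils down to "find the extension folder that changed around the infection date and see what is in it". As an added example (this is not code from the original post or from the extension itself), here is a small Python triage script that automates exactly that from a defender's side: it lists the extension folders whose modification time falls in a window around the suspected infection date and reads their XUL/JS files for the fragments quoted above (the `q=`/`p=` capture groups, the `engine = 'google'` labels and the `__d` redirect-host variable). Nothing from the extension is loaded or executed. The directory layout, the infection date and the benign folder's id are constructed for the demo; the only name taken from the post is the `{CAFEEFAC-…}` placeholder used as the suspect folder.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta

# Text fragments from the extension code quoted above. Files are only read,
# never loaded into the browser or executed.
INDICATORS = {
    "search_query_capture": lambda t: "q=([^&]*)" in t or "p=([^&]*)" in t,
    "engine_label": lambda t: re.search(r"engine\s*=\s*['\"](google|yahoo)['\"]", t) is not None,
    "redirect_host_variable": lambda t: re.search(r"var\s+__d\s*=", t) is not None,
}
CODE_SUFFIXES = (".xul", ".js", ".jsm")


def folder_mtime(path):
    """Newest modification time of the folder or anything inside it."""
    newest = os.path.getmtime(path)
    for root, _dirs, files in os.walk(path):
        for name in files:
            newest = max(newest, os.path.getmtime(os.path.join(root, name)))
    return datetime.fromtimestamp(newest)


def match_indicators(path):
    """Names of the indicators found in the code files of one extension folder."""
    hits = set()
    for root, _dirs, files in os.walk(path):
        for name in files:
            if not name.lower().endswith(CODE_SUFFIXES):
                continue
            with open(os.path.join(root, name), encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            hits.update(label for label, check in INDICATORS.items() if check(text))
    return sorted(hits)


def scan_extensions(ext_dir, suspected_date, window_days=3):
    """Extension folders modified within +/- window_days of suspected_date,
    each with the indicators found inside (an empty list means none)."""
    lo = suspected_date - timedelta(days=window_days)
    hi = suspected_date + timedelta(days=window_days)
    findings = []
    for entry in sorted(os.listdir(ext_dir)):
        path = os.path.join(ext_dir, entry)
        if os.path.isdir(path):
            modified = folder_mtime(path)
            if lo <= modified <= hi:
                findings.append({"folder": entry,
                                 "modified": modified.isoformat(timespec="seconds"),
                                 "indicators": match_indicators(path)})
    return findings


def build_demo_profile(root, infection_date):
    """Constructed extensions directory: one long-installed benign extension and
    one folder dropped on the infection date with the kind of overlay described."""
    ext_dir = os.path.join(root, "extensions")
    benign = os.path.join(ext_dir, "{benign-example-id}")  # constructed id
    suspect = os.path.join(ext_dir, "{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}")  # placeholder id from the post
    os.makedirs(benign)
    os.makedirs(suspect)
    with open(os.path.join(benign, "overlay.xul"), "w") as fh:
        fh.write("<overlay><script>/* adds a toolbar button */</script></overlay>\n")
    with open(os.path.join(suspect, "overlay.xul"), "w") as fh:
        fh.write('var __d = "";\n'
                 "if (loc.match(/google\\..+\\/search.*[&\\?]q=([^&]*)/)) {\n"
                 "  keyword = RegExp.$1; engine = 'google';\n}\n")
    # Back-date the benign extension; stamp the suspect with the infection date.
    for folder, when in ((benign, infection_date - timedelta(days=400)), (suspect, infection_date)):
        stamp = when.timestamp()
        for root_dir, _dirs, files in os.walk(folder):
            for name in files:
                os.utime(os.path.join(root_dir, name), (stamp, stamp))
        os.utime(folder, (stamp, stamp))
    return ext_dir


def demo():
    """Build the constructed profile and scan it; returns the findings list."""
    infection_date = datetime(2009, 7, 14, 20, 30)  # constructed date
    with tempfile.TemporaryDirectory() as tmp:
        return scan_extensions(build_demo_profile(tmp, infection_date), infection_date)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real machine you would point `scan_extensions` at the extensions folder from step 1 (or the one inside your Firefox profile) and pass the date you first noticed the redirects; a folder that is both freshly modified and matches the indicators is the one to remove. The date window matters because a legitimate extension update can land in the same week, which is why the script reports the indicators separately instead of deleting anything.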

Posted in Tech Ed

Installing phpMyAdmin and PHP 5.2.* on a CentOS 5.2 Server (updated)

So I spent the better part of last night (12-3:30am) trying to figure out just exactly how to get phpMyAdmin installed on my CentOS 5.2 server. Now, I’m no dummy when it comes to Linux, package management, etc… But this was a task that apparently many other people have had trouble with. I finally gave up on it and went to bed, woke up this morning and went back to it… At which point I actually figured everything out and now have PHP 5.2.8 installed and working with phpMyAdmin 3.1.2 (which, to date, is all the most recent stuff) using mysql-server 5.1.31.

So here’s how I did it. Apparently the repositories that CentOS 5.2 uses by default still have PHP 5.1.*, so you can’t just do a yum update or yum install php. The first step is to set up the Remi repository. Remi maintains a repository that has the most up-to-date version of PHP and all of its extensions. You can set this up by doing the following:

$ wget

$ wget

$ rpm -Uvh remi-release-5-7.el5.remi.noarch.rpm epel-release-5.3.noarch.rpm

This will set up the Remi repository for yum. By default it is disabled, so you’ll have to use the --enablerepo option with yum whenever you use it to install or update anything. So in order to update to PHP 5.2.* you just say:

$ yum --enablerepo=remi install php

To verify that you have PHP 5.2.8 installed, issue:

$ php -v

And you’ll get a response like:

PHP 5.2.8 (cli) (built: Dec  9 2008 14:11:33)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies

At this point I assume you already have mysql and mysql-server installed and configured. If not just issue:

$ yum --enablerepo=remi install mysql-server

It will install all of the necessary dependencies including mysql. Configuring mysql server using mysqladmin is actually out of the scope of this but there are plenty of tutorials online for that. Make sure you set up your   and passwords for accessing it otherwise you’ll have issues later.

Now you’ll want to install php-mysql. Again, use the Remi repository for this; otherwise you’ll end up with tons and tons of dependency issues. Trust me, I learned this the hard way…

$ yum --enablerepo=remi install php-mysql

This will install the module for you and add it to php.ini so you don’t need to add the It does the same for mysqli.

So now you’ve got everything you need set up properly, so install phpMyAdmin. Get the tarball from the server, extract it somewhere in your htdocs folder, and create a symbolic link to it called phpmyadmin. Go into the phpmyadmin directory and create a folder called config. Issue:

$ chmod o+rw config

Now, because you’ve already set everything else up, you won’t receive the errors I got on my first attempts. Now go to http:/ and follow the steps there. It’s a very nice little graphical interface that helps you set up the configuration file. After this is done, move the file in the config directory to the top of the phpmyadmin directory. Then remove the permissions you set before:

$ chmod o-rw config

That’s it. Now you can go to and log in using your credentials for mysql-server.
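The chmod o+rw / o-rw dance above is the step people forget to finish: while config/ is world-writable, any local account (or anything running as the web server user) can rewrite the generated config.inc.php and with it the MySQL host and credentials phpMyAdmin connects with. As an added example (not part of the original post and not phpMyAdmin's own tooling), here is a small Python audit that checks the end state the steps above should leave behind: config.inc.php moved to the top of the phpmyadmin directory and not world-readable, and the temporary config/ directory no longer world-writable or holding generated files. The directory layouts and the `$cfg['Servers'][1]['host']` stub inside the generated file are constructed for the demo; the paths are the ones the post uses.

```python
import os
import stat
import tempfile


def audit_phpmyadmin_dir(pma_dir):
    """Return a list of problems with the phpMyAdmin directory layout; empty means clean."""
    problems = []
    config_file = os.path.join(pma_dir, "config.inc.php")
    config_dir = os.path.join(pma_dir, "config")

    if not os.path.isfile(config_file):
        problems.append("config.inc.php is missing from the phpMyAdmin root")
    elif stat.S_IMODE(os.stat(config_file).st_mode) & stat.S_IROTH:
        problems.append("config.inc.php is world-readable; it holds the MySQL credentials")

    if os.path.isdir(config_dir):
        if stat.S_IMODE(os.stat(config_dir).st_mode) & stat.S_IWOTH:
            problems.append("config/ is still world-writable; run chmod o-rw config (or remove it)")
        leftover = sorted(n for n in os.listdir(config_dir) if n.endswith(".php"))
        if leftover:
            problems.append("config/ still holds generated files: " + ", ".join(leftover))
    return problems


def build_demo_layout(root, finished):
    """Constructed phpMyAdmin tree: mid-setup (finished=False), i.e. right after
    chmod o+rw config with the generated file still inside, or after the final
    steps above (file moved up, extra permissions removed)."""
    pma = os.path.join(root, "phpmyadmin")
    config_dir = os.path.join(pma, "config")
    os.makedirs(config_dir)
    stub = "<?php\n$cfg['Servers'][1]['host'] = 'localhost';\n"  # constructed stand-in for the generated file
    if finished:
        target = os.path.join(pma, "config.inc.php")
        with open(target, "w") as fh:
            fh.write(stub)
        os.chmod(target, 0o640)      # owner rw, group r (the web server's group), nothing for others
        os.chmod(config_dir, 0o750)  # world bits removed again, as in chmod o-rw config
    else:
        with open(os.path.join(config_dir, "config.inc.php"), "w") as fh:
            fh.write(stub)
        os.chmod(config_dir, 0o777)  # the state chmod o+rw config leaves behind
    return pma


def demo():
    """Audit both layouts; returns {"mid_setup": [...problems...], "finished": []}."""
    with tempfile.TemporaryDirectory() as tmp:
        return {
            "mid_setup": audit_phpmyadmin_dir(build_demo_layout(os.path.join(tmp, "a"), False)),
            "finished": audit_phpmyadmin_dir(build_demo_layout(os.path.join(tmp, "b"), True)),
        }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "clean")
```

Run `audit_phpmyadmin_dir` against the real phpmyadmin directory once you have finished the steps; an empty list is what you want to see. If you prefer not to grant world write access at all, chgrp the config/ directory to the web server's group and use g+w instead of o+rw, then delete config/ entirely once config.inc.php has been moved.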

Hope this saves everyone from running into all of the issues I had.

Posted in Programming, Server Setup, Tech Ed, Web Development

DRM and the Future of Digital Media Distribution

I have to start off by giving credit for this entry to my co-worker Red ( It started off as a discussion of what exactly DRM is, but got me to thinking about a few other things as well – particularly the future of how media will be distributed.

Before I get into this whole thing, I do want to note that my opinions are strongly influenced by being a CS major and the whole Open Source concept. I believe that copyright laws in the US need to be reformed drastically, and that the major media industries need to hop on board and prepare for the huge change that seems somewhat inevitable. What I suggest here may not be the exact way that things need to happen, but I feel I can safely say I provide a proposal that would be a step in the right direction.

The distribution of media has certainly changed over the years.  There was a time when the only way people could hear music was if they were in the presence of the source.  From the radio to records to cassette tapes to CDs and MP3 players, we have seen a drastic change over time in how people listen to their music. We have also seen changes in how movies, and television shows are watched. From antenna, to cable, to Direct TV, VHS, DVRs, TiVo, DVDs and Blu-Ray.

Advancements in technology have made all forms of media readily available to anyone with an Internet connection. Peer-to-peer file sharing programs like LimeWire and BitTorrent have made this access even more widespread. Within minutes, a user can have access to a high-definition DVD or Blu-ray rip of a movie that hasn’t even hit the shelves yet (for free).

Years ago, in order to prevent this “unauthorized” copying and distribution, many publishers, hardware manufacturers, and copyright holders began implementing various forms of DRM. DRM stands for Digital Rights Management but is essentially a generic term for access control. It is implemented at various levels to prevent people from being able to copy, modify, or redistribute media.

Now, basically the way this works is by using an encryption scheme to control access to content. In ’96 the Content Scrambling System (CSS) scheme was introduced for DVDs. It required hardware manufacturers such as Sony, Samsung, etc… to sign an agreement saying they would restrict access to the output devices on their hardware while the media is playing, and in return they got the key to decrypt the discs. There’s an unwritten rule when it comes to computers… No system is safe. Anything can and will be cracked; it’s just a matter of time. CSS was cracked, and so was every other scheme that came out, including the new Blu-ray schemes.

Technical Note (you can skip this if you want; it is just additional info for those curious): the way these schemes are gotten around is a little thing called the analog hole. The idea is that at some point the digital media has to be decrypted and is eventually played in analog form. There is no DRM controlling analog signals, so at that point the content is susceptible to being copied by some other program or hardware device.

We clearly stated earlier that everything can and will be cracked, so how do you stop this duplication and distribution? You make it expressly illegal. In 1998, the US passed the Digital Millennium Copyright Act, which makes it illegal to produce or provide any technology that circumvents DRM. Now would be a good time to note that the government aims to protect the copyright holder (the creator of the work). What also happens, however, is the complete disregard for those who purchase the media.

It was once believed that when you purchase a CD or movie, you own it. Meaning you have the right to do as you please with it, including making digital copies because, as we all know, hard copies degrade over time. With DRM, this is impossible… In fact, it is illegal, because in order to make digital copies I would need to strip the DRM from my legally purchased media. The way the industry defends this is by saying that once you purchase the media, you don’t own the media, you only own a license to use it.

Does anyone else see a problem with this? Let’s take a moment and talk copyrights. The copyright system in this country is tremendously flawed. It is impossible for someone to create derivative works (regardless of their improvements) without violating a copyright unless permission was previously obtained. Remixing music together into some very nice composition, or using scenes from various movies to create a new one, is essentially illegal.

The copyright system is designed to give the originator of the work “God-rights” to it. They can in effect stop progress because no one else can even attempt to make improvements. The Harry Potter novels are a perfect example of this. The stories of Potter and his crew cannot legally be continued by another author without permission from the originator.

The same is true of software applications. It is illegal to reverse-engineer applications and expand or modify them, even if it is for the better. Your everyday software imposes these restrictions: MS Office, Internet Explorer, AIM, etc… The Open Source community thinks a little differently and provides a model that should be followed in everyday US copyright law. When you obtain Open Source software (freely available*) you get access to the code, so you can modify and change it, and even provide your changes to the rest of the world. Most Open Source licenses merely say: give credit where credit is due.

That model of course could not work for the music and movie industries… Hell, it barely works for the software industry, as there is still a battle against open source… but Open Source is winning. The problem with this model is that too many in-between people lose out on money. So the producers and advertisers, and all the unnecessary minions, lose out on the big bucks they don’t deserve in the first place. A CD sells for about $16.00. Artists see a very small percentage of that money. Maybe about $2.00 actually makes it to the artist.

Let’s move on just a little bit to movies. This is something that really bothers me. Well, maybe not as much as TV shows, but we’ll get there… If I purchase a movie, I want a digital copy. Discs are annoying, and with devices like the WD TV HD Media Player coming out, unnecessary. But it’s illegal for me to rip these things to a hard drive, even though I bought them. I want to watch my movies anywhere. Just like I want to play my music anywhere. Why should copyright holders be able to dictate what I do with my media?

TV shows… Now this is a bit ridiculous that I’m even writing about it at all. When I watch cable television, I get to watch shows for free… I can store them on my DVR, and watch them over and over, and whatever. For some reason, though, people are sued over downloading television shows in digital format… Television shows that are also freely available on the Internet from the producers’ websites. What is the harm in letting someone watch something that is otherwise free, at their convenience (like when they don’t have an Internet connection)? Why are content providers fighting so hard to make sure that I can’t copy things from my DVR to a hard drive to clear up space and save things I want to watch later?

The war on “digital piracy” is excessive, to say the least. It is also one that the media industries and the government are losing and will continue to lose. Within the next decade, it will be very uncommon to find anyone who actually purchases CDs (especially when they can download single tracks DRM-free now for so little). No one will go out and buy a $30 Blu-ray disc when they can have the digital content fast and unrestricted. The media industry needs to pay attention to trends and jump on board fast.

Here’s my proposal for the future of digital media distribution. Audio tracks should be available to download, DRM-free, for a much lower cost. At $1.29/track a person has almost no benefit in downloading music. DRM-free music is a necessity, as people have a large variety of mediums they use to play their music and they like to share it among each of those mediums without having to pay for it twice. You can’t give people a million devices, tell them to buy them all, and then make them buy the same data for each individual device. More people would legally obtain their music were it not for DRM restrictions and excessive costs. This, by the way, also takes out all the middlemen. The artist will be the sole person to benefit from the sale of these tracks, and that’s all that matters.

And so what if people do still share music on P2P programs. The music industry should work like the software industry. Software companies don’t make their money from selling software, they make it in consulting fees, and configuration with big businesses. Artists will make their money through endorsements by companies, concerts, and tours.

Movies – I envision a future where all movies are distributed in HD digital formats via the Internet. No need to waste money producing the disc; people want to store the media on hard drives. When you can buy a terabyte drive for under $200, there is no reason not to store your media. Sell the DRM-free digital formats for prices well below that of a disc. Most of the money made on movies comes from the time they were in theaters and from endorsements by companies looking for advertisements in the movies.

If the media industries would stop being greedy, they would see that they don’t lose as much as they think they will by providing a fair and acceptable means of obtaining media. The government also needs to take a step back from this battle and revamp the way we do copyrights. It’s old and outdated… We’re moving into a new age very quickly, and certain laws should be adjusted to align with that.

That’s my rant. Maybe someone will actually pay attention to how we do these things and fix it for the better… Or sooner or later, the media industries won’t be making any money at all.

Posted in Tech Ed

Movies, iPods, and Evil Apple

So I recently ran into a bit of a technology issue in regards to video encoding which initially looked like it was heading towards a solution which required $$$… I don’t like spending money on technology issues.  Like all issues, however, there was an open source solution! Yay for the Open Source community…

Before I get into the solution let me give you a little back story on the issue I was having: For every person that hates Microsoft (in general), there is a half a person that hates Apple and Steve Jobs. For every CS Major that hates Microsoft, there are at least 2 that hate Apple. My point here… Both are evil, but I’m beginning to feel like Apple is even more evil than Microsoft.

A few months ago I decided I wanted an iPod. I avoided it for years, but I was tired of CDs, tired of listening to the same music over and over again… And with no MP3 playback in the car it was just frustrating. Of course when I buy things, I buy the most expensive thing out there so I got a Black 6th generation 120 GB iPod Classic. Great iPod, I love it, video playback, podcast, the whole nine yards.

Now anyone that has an iPod knows that the only efficient way of managing the stuff you put on the iPod is iTunes… Enter Evil #1: iTunes is good for two things: 1) organizing your media and 2) keeping you all locked down, because Apple hates you…

(Side note: This is from the actual iTunes License Agreement
“..You also agree that you will not use these products for any purposes prohibited by United States law, including, without limitation, the development, design, manufacture or production of missiles, or nuclear, chemical or biological weapons.”)

So initially I had the issue of putting songs on there, because for whatever reason when I was younger I ripped my CDs using Windows Media Player… Apple, your iPod, and iTunes hate *.wma so you must convert. Typically iTunes will try to convert to AAC which is Apple’s crappy proprietary format for songs, but I prefer mp3 which is universal. Conversion tools for songs are out there, but in general you have to pay for anything good. It sucks. (If anyone knows of any GOOD conversion tools, let me know)

So I got past that and I was happy, tons of music, good stuff, iPod is great. Started downloading podcasts and that was great… Then I decided I wanted to put some of my movies on my iPod. Various comedy shows etc… Now in general, most movies you have on your computer are in the standard universal AVI format, correct? So obviously when you try to add those to your iPod, it will be able to play them back, right?

WRONG! Turns out you can’t even add *.avi files to your iTunes Library. You have to convert to mp4 or m4v. Ah, but beware, not both formats can be played back on your iPod. So I, having purchased QuickTime Pro for some random reason a while ago, decided to use the export tool that it had to convert to the correct format… But QuickTime doesn’t even support AVI! Apple is horrible. So I go out and find some crappy tool that converts from avi to mp4. It does its magic, it plays in QuickTime and even adds to iTunes… But can’t be added to my damn iPod! So I take this new file and try to export to the iPod format… The export tool that QuickTime Pro has failed 4 times. It sucks… As does its father Steve Jobs.

So at this point I’m fairly pissed off, and I keep searching for ways to do this and I find this beautiful tool called HandBrake. It converts pretty much all formats and fairly quickly… I went from avi to m4v for my iPod, no problem, in under 30 minutes for a movie that was 1 GB in size. I now enjoy movies on my iPod. I recommend this tool to everyone… It’s free and can be gotten from

Now one more thing that I must add that I found during this whole process… Apparently it is illegal, thanks to the Digital Millennium Copyright Act, to override any DRM that’s been put into DVDs etc… Now, I thought that once you bought and owned a DVD you could do as you wish with it… Just not make copies and sell them for profit. I thought you could make copies for yourself, including conversion so you can watch them on whatever medium you choose… I thought wrong. When you buy a DVD, you are merely buying a license to watch that movie.

This is just a tad confusing because if I bought a license to a movie… and destroyed my physical copy, I should easily be able to go back and get another physical copy, correct? Nope… I hate legislation on technology… It fails because the Government knows nothing about technology… I hope Obama actually fixes some of this stuff with the new CTO of the Country…

That’s all for now.
