November 28, 2003
Spam increasing
I've been tracking the spam I receive on my personal account for a little over a year now (since October 2002).
During that time, the spam I receive has about doubled. Last October I received 1,390 spam messages. This October, 2,214. Last Sept, 798. This Sept, 1,597. This month, I'm on track for over 2,300, more than double the 935 spams received last November.
I've put several spam tools in place to help with this. That keeps down the number of spam messages I actually have to deal with (move into my spam folder) to about 10-20 per day.
Having to manually deal with 100-300 out of 2,000 spam messages each month isn't so bad, but it's getting to be a bother (up until 3 months ago, my spam was automatically filtered by SpamAssassin). I'm thinking very seriously about starting to implement some more spam-fighting mechanisms, such as disposable addresses and authenticated email senders. I may also need to implement Bayesian mail filtering, better than I am doing now. The spammers are getting better at circumventing the spam filters, so time to one-up them again.
Posted by pete at 10:18 AM
November 6, 2003
Chunk's back
Kelly Genessy started his journal-of-a-dieter back up again. I added him to my list of links again.
I hope he sticks with it (the blogging and the dieting) this time. I've enjoyed all of his blog entries (there have been only two, but it's still true). They're interesting, educational and usually motivating.
I just switched from my summer exercise routine (late-evening walks around the neighborhood) to my winter routine (Gene Fullmer gym). It's been a few years since it was feasible (convenient) to exercise at the gym, and I've been enjoying it (though it's been painful to get going a few days).
Posted by pete at 9:35 AM
November 5, 2003
Those incompetent "free-ware" laggards are everywhere
After reading Howard Strauss' The FREE, 0% APR, Better Sex, No Effort Diet article showing the open-source/free-software movement for what it really is, I did some research to see if this something-for-nothing mentality is a software phenomenon only, or if it may have infected other areas of society.
Boy was I surprised. It turns out that the "open source" disease is rampant and infectious. I found numerous examples of untrained, obviously marginally-competent individuals posing a threat to legitimate, qualified private-enterprise-employed professionals.
The professional automobile remote-hands business is under threat by thousands, maybe millions, of completely unqualified individuals who every day "help" other randomly-encountered people, with tasks such as "jump-starting" (electrically re-powering), "tire changes", "running out of gas", and even "getting stuck". Why someone would trust an unqualified, untrained, unknown and unpaid person to deliver these services is beyond me. Obviously these people are hoping that by providing the service without charge, they will gain the experience to get a high-paying job in the automotive remote-hands business, and develop a customer base in the process.
Even the fact that these "samaritans" (as they're sometimes called) refer to their customers as "strangers" clearly indicates the unprofessional, short-term, nature of the relationship, when clearly what people most want in these situations is to form a long-term mutually-beneficial relationship with the professional who shows up fully equipped to do the job.
I found similar infiltration rampant in our schools (untrained moms acting as wanna-be teachers in the classrooms, lunchrooms and libraries), hospitals and rest homes (thousands of unpaid people taking jobs from professional clowns, readers, nurses and counselors), "homeless" shelters (where unemployed chefs were being served "food" by unpaid untrained food servers), and various clubs where teenage children were being deliberately trained how to replace professional mentors, by unpaid, untrained mentors. "Neighbors" are taking jobs from the security industry by reporting (what they, in their unskilled minds, think is) suspicious activity at nearby houses. They regularly take jobs from lawyers, insurance agents, and money from innocent passers-by, by "clearing snow" (if you could call it that, you should see the "equipment" they use to do it) off sidewalks of other houses owned by equally incompetent people.
Something has to be done about this. But I pretty much gave up hope when I found out that Our President of these United States (who I also found out has no formal education or training as a United States President, and must have taken the job because he was unqualified for a much better-paying position in the private sector) has become the worst enemy of the hard-working professionally-trained ... professional. He is calling for "volunteers" to work for free and undermine and eliminate high-paid professional jobs. Check this out: http://www.usafreedomcorps.gov/
Obviously the future of our country, and the capitalism we all enjoy(ed), is at stake. Let's do all we can to eliminate the "free" labor movement, and get highly-paid, trained, competent professionals to do the work they're entitled to do.
Posted by pete at 10:14 AM
State of Security Psychosis
Last week I had the opportunity to teach a 2-day in-depth class on I.T. Security. Troy had written the presentations, but got sick at the last minute and I volunteered to help out with Patrick, Troy's security cohort. There were about 20-30 security and I.T. professionals from public and higher education around the state who attended the class.
It was an educational experience for me to hear what was interesting to the class, what issues they were struggling with, and what they were doing to solve the problem. Some of the things I learned:
Security is no longer hypothetical. Most of the people in the class were experiencing 1-5 security incidents per month that were seriously impacting their users (i.e. machine down, network down, server down). It sounded like several people were in the middle of a Nachi or Blaster incident, and most of the others had experienced one recently. The Security Summit is no longer about educating I.T. on what they're missing: they aren't missing it now.
Ever-changing landscape. We had several discussions about new types of attacks, motivated by recent changes in the spamming and miscreant communities (mostly that there's now a revenue stream for miscreants). At times this conversation got downright depressing. Coupled with that is the resurgence of user-carried worms/viruses (virii?): many, if not most of the Nachi/Blaster incidents happening now are caused by users who picked up the worm someplace else and carried it in on their laptop or over a VPN. How do you balance mobility and security?
Tech was easy--now we gotta deal with people. The strongest message I got from the discussion was that we're reaching the upper limit of the technology-based solution, and the next major advances in securing networks and systems will be achieved only through active, informed participation from the end-user. This will take a long time, though. In part, it's because I.T. has created (and/or been relegated to) a perspective that I.T. is solely responsible for (and capable of) managing networks and systems. Engaging end-users as an integral part of securing those networks and systems is a significant (non-intuitive, uncomfortable) change for I.T. and the users they support. I.T. professionals are much more comfortable (and usually better at) implementing a technology solution than they are at understanding, educating and involving less-/non-technical end-users. But until that happens, I.T. will have to invest more and more financial/time/political resources to achieve fewer and fewer improvements in security.
I got the distinct impression that while everyone in the class was willing, even excited, to install firewalls, VPNs, IDS's, IPS's, sniffers, and any other technology that may come along in the future, there was generally cold reception to the ideas of developing and implementing security policy, educating end-users, and engaging the executive and end-user communities in the next level of security improvements. This goes beyond the typical role of I.T., and Security needs to be more than just technology people (as it usually is): Security has to be adept at diplomacy, politics, human relations, empathizing with end-users, thinking strategically with executives. But I don't think Security is unique in that regard--I.T. in general has to make that transition as well.
It was an enjoyable and educational experience to teach this class.
Posted by pete at 12:17 AM
November 4, 2003
Not at NGN
I've attended NGN the last two years. This year I decided not to go (it costs a lot of money, and I have other stuff I want to spend my "professional development" budget on). So I am trying to get as much as I can without attending. We'll see how effective it is to read the daily posts and listen to the CD's (I hope Jim will buy them while he's there) and talk to Jim (who is attending).
From yesterday's daily update, I found this interesting:
We checked out Fred Avolio’s tutorial on network security, “Introduction to Network Security Warfare.” Despite innovations like Voltage’s, Mr. Avolio pointed out that security is, in some respects, not a next-generation network problem—the best security won’t come from “whiz-bang” new technologies, but from more diligent application of technologies and practices that we mostly already know. “Practically speaking, there are no real new problems and no real new solutions, only new ways of doing things,” Avolio said.
Avolio asked his audience, “Why is the threat rate significantly higher than eight years ago?” A few answers came back right away—more people on the Internet, the greater ease of launching attacks today, seemingly ever-increasing software vulnerabilities.
But Avolio added another interesting point: It’s become much easier over the years to send and launch executable files. Eight years ago, to send someone an executable file over the Internet meant trying to squeeze a big file down a very small connection. So you broke it up into multiple files and sent them individually. That meant the recipient had a lot more work to do just to launch that executable file. It was not a routine that people went through casually, as they do today.
Another article I saw yesterday addressed this topic from a different perspective.
We're coming to the realization (after years of searching, purchasing, implementing and failing at finding the right security product) that, as someone has said so well, security really is a process, not a product.
Posted by pete at 10:59 AM
Anticipating the new model OS's
Long before I was born (so I'm a bit hazy on this), when America had fallen in puppy love with cars, a "wonderful" tradition happened each fall. Auto makers would unveil, in the most dramatic fashion possible, the new models for next year. The local auto dealer would cover up their big plate glass windows for weeks in advance, with the new cars under heavy covers in the showroom, and a huge crowd would gather around the day/evening the car was unveiled with fanfare (probably bands and dancing and free hot dogs).
Most people don't care about new model cars like that anymore (we are interested, but it's not the highlight of the season).
When I started in The Industry (I.T.), Microsoft picked up on this tradition. Windows95 was as big as any rock concert that summer. Windows2000 out-did Win95. WindowsXP was even better. Rah Rah.
But Microsoft out-did Detroit. They didn't just unveil something we could immediately buy after weeks of excited anticipation. They started talking about Win95 in 1993 or so. And Win2000 was Win1998, Win1999, and Win2000 (and almost became Win2001 if I remember right). By the time we got to Win2000, the excitement was more of a sigh of relief, knowing that finally we'd stop reading about what we would eventually get, and we could finally get down to the business of running it. Microsoft was vicious with this, too, destroying all opportunities for competing products and even companies by showing customers what they would get in "just" another 6-12-18-24-30-36-... months, if they waited for Microsoft instead of buying a competing product that works now, but obviously has a dim future.
That was then. Things are different now. Not at Microsoft, who is doing the same thing with LoooooooooongHorn (was 2002, then 2003, then 2004, then 2005, now 2006). But with the competition.
Microsoft started a few months ago showing the world what they'd get in LongHorn. In 2006. Which based on past history, we know is probably 2-3x what will actually end up in the product. Get the developers jazzed, get a bunch of press, start telling customers that they'll regret going to OS X or Linux because LongHorn will be so much better, so stick to Microsoft even if the competition looks better now.
Consider how much has happened with Linux and OS X in the last 3 years. Consider that there are no fewer than a dozen competing products that are indistinguishable from the functionality that Windows provides, in many cases superior (Open/Star Office, AbiWord, Koffice, KDE, Gnome, iLife, OS X, Red Hat, Sun Java Desktop, SuSe, etc). Many of these are not much older than 3 years.
Consider that most of these projects issue major releases, with substantial improvements both in usability and underlying functionality, at least once per year.
Microsoft will probably include many new features in LongHorn. Some of those will be improvements on what's already available. Many competing products/projects will be able to implement those features as quickly as Microsoft releases them. This in addition to the progress they will already make on their own in catching up to and surpassing Microsoft (and each other). Most of the competing products (contrary to what Microsoft often says) do not compete feature-for-feature, but take a dramatically different (and often better) approach to solving the problem (compare OpenOffice vs. Office, or GIMP vs. Photoshop).
Microsoft also can't adequately address many of their customers' most serious problems with WindowsXP/.NET, until LongHorn is available (how many people are dreading the next 3 years of patching XP before LongHorn provides a different method). In fact, they will focus more effort on encouraging customers to wait for LongHorn, and developing LongHorn, while focusing as few resources as possible on existing maintenance (because that just sets LongHorn back further--all of the security issues in Win95/98/Me/2000/XP have to really be causing havoc for LongHorn).
All the while competing OSS and OSS-based projects (like OS X) are picking up steam. By the time LongHorn is released, the software (and I.T.) industry is going to be very different. Microsoft isn't going to go out of business, but they have/are going to have some very serious competition and more threats to their success than they've had since the early 1990's.
The anticipation is delicious.
Posted by pete at 9:18 AM
November 3, 2003
Fooey on mutual funds
I became a Very Engaged Investor in June 1999 when I sold my ISP. I started on a traditional route, meeting with a professional investor (Salomon Smith Barney, I think). Shortly after, I read The Motley Fool Investment Guide (and several other books from the Fool and other authors), and began my education as an Individual Investor (I didn't end up using a professional investment manager, in part due to The Fool).
One of the most interesting discoveries I found was that professional managers don't seem to do better than the market very frequently. In fact, I got the distinct impression (and a few authors said as much) that the primary purpose of the professional investment industry is self-preservation (watch CNBC for an afternoon or so with that in mind and see what you think). The Fool advocates that an individual investor (apparently with a lot of time) can do as well as professional managers. I tried this for a couple of years, with mixed results. It's a lot of work, and I just don't have that kind of time.
Earlier this year, I came across Rational Investing in Irrational Times. This book delves at length into the tricks that mutual fund managers use to make their funds look like they are performing better than they actually are, and again, how professional managers rarely out-perform the market. It also addresses the many foibles investors commit that undermine the investment performance they could otherwise achieve. The vehement recommendation of the author is to stick to index funds (not surprising, since he is a researcher for one of the major index fund companies). But it's hard to dispute (or disbelieve) the facts he presents to back his position (and they are even more credible to someone who has experience as an investor).
That was just so much information to factor then. Apparently Mr. Swedroe wasn't the only one who was noticing these inconsistencies. The Mutual Fund Industry has come under intense scrutiny recently by Congress, and not ended up looking good.
In March I began investing strictly in index funds, and I plan to use that strategy indefinitely (index funds have the benefit that they are the market--they represent what professional managers are always trying to out-perform, and rarely do). Here's the balanced, diversified portfolio I plan to use for at least the next 10-15 years (rebalancing annually):
Hypothetically, some people, some of the time, could outperform the market using any number of hypothetical investment strategies (or professional managers using those same hypothetical strategies). I'm more interested in real results, and am confident that 90+% of the time, my simple strategy will outperform those hypothetical strategies.
Posted by pete at 11:07 AM
November 1, 2003
Making the switch
About a month ago (well, I guess two now), I got fed up with the now almost daily routine of Windows patching. This happened while I was on vacation and had to immediately apply the first of what would end up being four patches for RPC vulnerabilities. I got to download the patch via dial-up (1 hour), and I guess that gave me plenty of time to think about how frustrating it is to try to be a secure Microsoft customer.
A few weeks later, I was in possession of a brand-new 15" Powerbook laptop. I've spent the last several weeks getting to know and appreciate being an Apple customer.
Yesterday was one of several days I've had to just immerse myself in OS X. I had hoped to do that Wednesday and Thursday, but ended up teaching a class at the UEN Tech Summit instead. I spent the day fixing a few things that had broken with my Panther upgrade (Emacs on Aqua for example) and playing around getting to know applications like iSync, Mail, XCode, OmniGraffle, and iCal.
It's been a long time since switching to a new laptop kept me up late at night. I'm glad trick-or-treating was kind of slow last night, because I was having a lot of fun just getting to know this new environment.
I've spent enough time getting to know OS X that I can start migrating from Windows now. Hopefully next week I will be able to complete The Switch.
Posted by pete at 10:18 AM