Aug. 16 - Last year a Chinese mathematician, Xiaoyun Wang, shook up the insular world of code breakers by exposing a new vulnerability in a crucial American standard for data encryption. On Monday, she was scheduled to explain her discovery in a keynote address to an international group of researchers meeting in California.

But a stand-in had to take her place, because she was not able to enter the country. Indeed, only one of nine Chinese researchers who sought to enter the country for the conference received a visa in time to attend.

"It's not a question of them stealing our jobs," said Stuart Haber, a Hewlett-Packard computer security expert who is program chairman for the meeting, Crypto 2005, being held this week in Santa Barbara. "We need to learn from them, but we are shooting ourselves in the foot."

A policy designed to protect national security by preventing technology transfer from the US to China has actually hurt national security by preventing technology transfer from China to the US. If you know someone at State tell them to read this article. This matter is very serious and they should have made an exception in this case and gotten the visas in time.

Chinese Cryptologists Get Invitations to a US Conference, but No Visas

It was all wormy over at CNN yesterday. Around 1:30pm EST, multiple Internet worms targeting recent vurnerabilities disclosed in Microsoft Operating Systems struck the CNN newsroom.

Wolf Blitzer was not quoted as saying "we get signal", as the remainder of his broadcast became dominated by the worm story. A stream of reports similar to "CNN Atlanta, NYC, and LA report being effected, as do ABC News, the New York Times, and corporations such as Caterpillar" were delivered by Blitzer in Breaking News tone from The Situation Room.

"He didn't look as nervous as that time when Jon Stewart was beating up the Crossfire team in the other studio," a random viewer pointed out, "he was in form."

Lou Dobbs, Arron Brown, and the rest of the CNN Staffers waged through the crisis in order to get important news about the Israeli Gaza pullout and a riot surrounding $50 used Apple laptops through to the people. Fox News appeared to be unaffected.

Shortly after the hand-over to Lou Dobbs, a representative from the DoD made the statement that both the FBI and CERT regarded the current worms as "low impact". Dobbs responded, "It seems high-impact from where I'm sitting."

The worm story was still in focus during prime-time as commentators such as Kevin Mitnick offered advice and and insight about computer viruses to the CNN audience, and CNN staffers who were still having problems logging into the TURNER windows domain. Mitnick accurately pointed out that viruses often find their way onto corporate networks not by bypassing firewalls, but by being brought into the protected network environment via laptops infected elsewhere.

"There are several technical approaches that could avoid CNN's current situation," said Industrial Memetics Acting CEO Nick Levay, a widely respected expert on security issues. "A good example would be to require all laptops brought in from the outside world to only use the wireless network, and to treat that has a hostile network." Levay continued, "A quarantine zone of sorts is necessary to determine if machines being brought onto the network are carrying dangerous worms and/or viruses."

Rumors are passing around that the worms had similar effects on Capitol Hill, but Help Desk representatives were unavailable for comment at press time.

Developing...

CNN.com - Somebody set us up the bomb

The following is from a transcript (via Cryptome) of Roscoe Bartlett (R-MA) speaking about the threats posed by nuclear weapons being used to create EMP pulses:

Iran has conducted tests with its Shahab-3 missile that have been
described as failures by the Western media because the missiles did not
complete their ballistic trajectories, but were deliberately exploded
at high altitude. This, of course, would be exactly what you would want
to do if you were going to use an EMP weapon.

Today we are very much concerned, Mr. Speaker, about asymmetric
weapons. We are a big, powerful country. Nobody can contend with us
shoulder-to-shoulder, face-to-face. So all of our potential adversaries
are looking for what we refer to as asymmetric weapons. That is a
weapon that overcomes our superior capabilities. There is no asymmetric
weapon that has anywhere near the potential of EMP.

Iran described these tests as successful. We said they were a failure
because they blew up in flight. They described them as successful. Of
course, they would be, if Iran's intent was practicing for an EMP
attack.

Iran's Shahab-3 is a medium-range mobile missile that could be driven
on to a freighter and transported to a point near the United States for
an EMP attack. I might state that an early use of EMP is a common
occurrence in Russia and Chinese war games.

The DPRK is also an entity we would have to worry about attempting an EMP attack, although the likely target would be Japan.

I found this speech very interesting. I have thought about EMP before, but I only considered it a threat that would come from the more advanced nuclear powers, such as Russia and China. Bartlett makes it expressly sound like that is not the case. I decided to do a little research, so I started flipping through the Industrial Memetics rolodex.

After speaking to a friend who is an expert in Nuclear Physics, it doesn't look like this is something we would have to worry about coming from Iran, DPRK, or Al-Queda. In the situation Bartlett used as an example, a nuclear weapon detonated 400-600km over the United States, the EMP charge released would be measured in the millivolts-per-meter range, assuming the weapon had a yield of around 30 kilotons. That yield is a best guess for what we could expect of a first generation weapon from an entity like Iran, the DPRK, or Al-Queda. That's a far cry from the type of weapon that created the 5 kilovolts-per-meter pulse experienced in Hawaii during the Fishbowl Series of tests in 1962. Its safe to assume that Iran and the DPRK do not have tritium production and are not working with thermonuclear bomb designs yet.

I did not think to ask what the EMP strength would be like for a 30kt device detonated at 100km. Enough to take out civil communications/power somewhere like NYC or Washington? Given the discussion I had, I'm assuming the EPM created would still be of negligible strength. At that point, nukes start to look more useful in the context of traditional style tactical delivery.

Bartlett on EMP

"It's all about the 'memes,' " says Stan Jonas, head of interest rate strategy at Fimat USA in New York... "Those guys say it and about a week or two later, the guys on Wall Street pick it up."

The Big Picture: WSJ: Economists Join Blogging Frontier

FOR IMMEDIATE RELEASE - 8/13/2005

The Industrial Memetics Institute is proud to announce that Zachary Patten has been added to its ranks as a Resident Engineer. Patten's addition continues Industrial Memetics mission of assembling a staff with extensive expertise in its two primary areas of focus, Internet Communities and Security Research.

Patten and Industrial Memetics founder Tom Cross have past experience working with each other dating back to the 1990's when they developed the Sentry Inc. flagship product CyberAngel, which was designed to facilitate the tracking and recovery of stolen laptops. Patten's work in the security space also includes the development of Encryption Software, Intrusion Detection Systems, and Border Network Security Management Platforms for Silicon Valley companies such as OneSecure and Dataway.

Patten's Internet Community work currently includes the development and administration of VinylBeats.net, an online community focused on DJ turntable beat mastery. VinylBeats is a central point for getting news, reviews, and information about upcoming events. VinylBeats hosts a live stream every Thursday night, and past streams can be accessed in their mixes section.

Patten's induction follows a recent decision by the Industrial Memetics BoD to only induct new residents in person. "We have taken the virtual office environment thing a little too far," stated Acting CEO Nick Levay. "From this point on, we need to start treating elements of how [our team structure] works much more seriously, it should mean something to be a part of this."

When asked how he felt about the Industrial Memetics Induction Process, Patten responded, "Wow, that was hard! I wasn't expecting that."

"I'm happy with where VinylBeats is going," Patten said in discussion before his induction, "but I would rather be building my own [codebase] than using someone else's."

"In my past experience working with Zach, he has always shown a remarkable ability to lay things out in a way that makes logical sense," stated Tom Cross, who is currently 'on sabbatical' from Industrial Memetics, but was present for Patten's induction, "he may be exactly what we need to bring a new level of functionality to MemeStreams UI."

There are no plans to merge MemeStreams and VinylBeats, which slightly resembles a certain News Corporation web property. VinylBeats will remain under the control and direction of Patten.

"This may present an excellent situation to experiment with protocols like OpenID," said Nick Levay. "Once folksonomy style tagging goes into MemeStreams, it will be possible to easily syndicate focused news, reviews, and other content to sites such as VinylBeats." Nick rattled on, "We are more interested in creating an environment to work on that type of thing then we are in merging web properties."

Patten will be maintaining a presence in the MemeStreams Community at: http://www.memestreams.net/users/infinite/

Direct all inquiries to Acting CEO Nick Levay by email at nick @at@ nicklevay.net.

These hackers did not have this target before; if Lynn hadn't
presented his findings, many, or most of them would likely not even
know about it. (All indications are that it will be an exceptionally
difficult flaw to exploit, and took Lynn years of research to find. On
the other hand, a large group of hackers working in concert could
substantially reduce that time). But now that Lynn's blown the lid off
of it, every hacker from Boise to Shanghai knows about it. That's
simply not smart.

It does not surprise me that the independent voice of the Microsoft IT community doesn't get the reality of Lynn's disclosure. If the theme of this all is broken security culture, this a yelp from the center of the black hole.

If Mike had discovered a new vulnerability in BIND that Vixie already had a patch out for, no one would be making the arguments this guy is. The whole point is that Mike exposed a type of attack that people had not been considering a present threat. Of course all the hackers are working on it. That's the type of eternal vigilance we practice in our craft. We now see a space in which problems can and will occur, we must know the extent of it, and fully engage the problem. Anything else is the wrong approach.

Redmond, Thanks for Nothing...

Friedman checks in on the Energy Bill:

Sorry to be so cynical, but an energy bill that doesn't enjoin our auto companies to sharply improve their mileage standards is just not serious. This bill is what the energy expert Gal Luft calls "the sum of all lobbies." While it contains some useful provisions, it also contains massive pork slabs dished out to the vested interests who need them least - like oil companies - and has no overarching strategy to deal with the new world.

The White House? It blocked an amendment that would have required the president to find ways to cut oil use by one million barrels a day by 2015 - on the grounds that it might have required imposing better fuel economy on our carmakers.

Many technologies that could make a difference are already here - from hybrid engines to ethanol. All that is needed is a gasoline tax of $2 a gallon to get consumers and Detroit to change their behavior and adopt them. As Representative Edward Markey noted, auto fuel economy peaked at 26.5 miles per gallon in 1986, and "we've been going backward every since" - even though we have the technology to change that right now. "This is not rocket science," he rightly noted. "It's auto mechanics."

We do need to hold the auto manufactures' asses to the fire to get any change in this area. I can easily demonstrate why:

I am a typical American. I want a black Dodge Charger SRT8 with a 6.1L Hemi V-8 and all its massive crushing horsepower and torque. I want to pass traffic at 125-Mph in the right lane. I want people to hear the lyrics to Hang on St. Christopher, Highway Chile, Crosstown Traffic, Bad Habit, Novacane, and Search and Destroy spiking through their minds as my rumbling jet black road warrior speed machine glides by them at a pace all men both fear and lust after deep inside. When I hit the highway, I am the American Mad Max, and you best obey the golden rule of the highway, "Get the fuck out of the way".

I am more than willing to admit that I am part of "the problem" as I leave a trail of earth polluting fumes, shattered nerves, and glowing asphalt along the many links of the most wonderful Eisenhower Highway System. On this highway system, I am the worlds forgotten boy, the run away son of the nuclear a-bomb. The one who has already decided where they are going to be in 45 seconds and exactly how they are going to get there. Somebody has got to save my soul.

So look out honey, we best start using technology. My road-warror tendency is not a thing that can be defeated. It must be met head on and subverted with something other than high gas prices and speeding tickets. Where the hell is the HEV I'll settle for? Given gas prices and insurance costs, its clear a battle is already being waged against me, specifically. I must be pacified, I cannot be defeated. The United States must negotiate with my kind of terrorist. Its up to the auto industry to do it. With the right kind of economic concession, I might be willing to change my ways.

Too Much Pork and Too Little Sugar - New York Times

Cringley's got a great columns about some possible dangerous usage of our regulation law:

Here's an example of how it will work. Imagine your bank is a medium-sized publicly traded bank headquartered in the U.S. midwest with a national charter (that is, regulated by federal, rather than state, banking authorities). Now imagine your bank is not in compliance with Section 404 of Sarbanes Oxley. Section 404 requires as part of the regular audit process that the bank's accounting firm (generally one of the Big 4) certify whether or not the bank is Section 404 compliant. Accounting firms, having paid billions in penalties recently for overlooking accounting errors at companies like Enron and Tyco, aren't going to be lax about this provision. If the bank isn't Section 404 compliant, which means they haven't applied sufficient internal controls to data, the auditors will report that.

Now what?

Well, if your bank isn't in compliance (many won't be), they'll have to very quickly get in compliance. They'll also have to pay a fine and perhaps one or more officers of the bank will do some time in prison. Really.

But there is a funny thing about banks, and that's the way they are regulated and controlled, which makes possible a very different outcome in the case of a Section 404 violation. Technically, the bank can't even continue to operate, because the legal definition of a bank is as a compliant organization. So a very real possibility is that your bank will be forced to merge with another bank that IS in compliance.

That's the new scam. Big banks with sophisticated IT operations are going to appear at the doors of smaller, less sophisticated, banks literally demanding the keys. They'll take over the building, the tellers, and of course the deposits for a price tag that may well be zero.

That's a heck of a deal for everyone except the bank's current shareholders.

PBS | I, Cringely . August 4, 2005 - The New Robber Barons

A minor update was just pushed out to the site that fixes a bug in the user searching / find people page. It had been skipping users between the first and second page of results.

Some changes have been made to the titles on pages. This should have the effect of our results in search engines being more clear. We may continue to tweak titles for awhile.

Note: I've gotten several emails from users who have forgotten their password. There is a way to automatically reset your password built into the system. After an incorrect login, it provides you with a link to click. A new password will be sent to you in email. If you need your email address changed, be sure to include what you want it changed to in your initial email to MemeStreams Support. This speeds things up.

John Jay Hooker, a Nashville lawyer and two-time Democratic nominee for governor, plans to challenge Gov. Phil Bredesen in the party primary next year.

His fellow Democrat has been "awful" in his handling of TennCare and ethics, Hooker said, citing instances when Bredesen's staff shredded sexual harassment files and handed out honorary trooper badges. And he faults the governor for accepting campaign funds from out-of-state donors and political action committees, a common fundraising practice.

John Jay Hooker to run for TN Governor