Oh wait, what about 26.5 million violations of the Privacy Act? Monumental…I think we need a new word to describe the stupidity level and the sheer scope of this breach. But if the breach itself wasn’t bad enough it was the mishandling of the initial response by the VA that really upsets me (and I am a disabled vet with benefits, so I am directly affected by the monumental security “breach”.)

Last Friday I got a letter from the VA via the IRS informing me of the incident affecting at least 26.5 million vets, guardsmen, reservists and active duty military. So nice of them to let us know (seriously).. except that the incident occurred over a month earlier — May 3rd — and it went unreported for two weeks! Hello! Don’t you think someone should call the FBI — data security violation, 26.5 million vets names, addresses, Date of birth, socials etc.. Oy vey!

Unreported for two weeks!

26.5 million VA “customers” personal information protected by the privacy act is compromised and they sat on it for two weeks. By the time they let the FBI and police know about it they were chasing a two week old trail of what was hopefully a simple smash and grab. Unbelievable. Even more so because the analyst told senior officials about the robbery within a few hours of it happening! After that it took an additional three weeks for the VA to coordinate with the IRS to contact all veterans with the letter.

So far two heads have rolled over this, but I’m sure more will follow (they had better!) and there will soon be a complete revamping of the security policy and IT systems in the VA. Recent GAO reports, released after a recently announced VA lockdown, have only strengthened the case of congressional calls for Nicholsons head on a platter, along with the termination or resignation of all VA officials involved in any way in delaying the reporting of the theft.

In our house we will continue to monitor events in Washington as well as keeping a very close eye on all transactions in our accounts, it’s all we can do because while they were so kind in providing me with a number to call for specific information in the letter, when a veteran or service member calls the number as I did, they can’t get any information regarding whether your name is one of the compromised.

Monumental indeed… monumental stupidity in the breach of security, breach of trust and monumental mishandling of the whole affair.

Hi again, I noticed that I didn’t get a response from my last email to you. I’m using a new tool called Plaxo to update my address book. Your information will not be shared with anyone else. You do not need to download any software from Plaxo or register with Plaxo to send me your information. Please take a moment to review the information below from Plaxo and click the button to correct or confirm your contact information with Plaxo. If you want to update your address book too, get Plaxo at…

P.S. I’ve attached my current information in a vcard. If you get Plaxo too, we’ll stay in touch automatically.

The person who keeps sending these is a nice guy, but…
most of the emails from him are the latest jokes from the net (many not so “latest“) and chain e-mails. We would like to stay in touch, to keep up with what he is up to and how he is doing. If he were to start a blog somewhere we would look in on it weekly or get the feed from it. But that’s not really the point of this…

This Plaxo thing. What a naming disaster. Plaxo hmmm. What does that make me think of…

Get Plaxo – the all new mouth wash and tooth whitener that works while you sleep. Plaxo also enhances your breasts and enlarges your penis – ALL at the SAME TIME.

But WAIT!
Plaxo also cures baldness, cold-sores and dysfunctional relationships! Get your Plaxo today!

Plaxo is not responsible for any of the hundreds of side-effects you will experience, including but not limited to baldness, violent spasms, erectile dysfuntion, heart failure and brain damage. In an inconclusive 83% of test cases Plaxo caused severe tooth decay, leading to complete emergency denture replacement.

Of course, Plaxo is not any of that, but if someone were to ask what I think of when I hear the word Plaxo, well there you go. Right up there with Viagra.

No, no, this is an online, contact management application for Outlook. Dont believe me? Google it.

I’m not providing a direct link because I view Plaxo as an evil little spam and spam harvester application.

While the bill is dead (thankfully) the Governor doesn’t seem to understand why there was such an uproar over it, and has promised to introduce a new bill this legislative session to provide heightened Homeland Security for Rhode Island. He has stated that he will seek input from interested and informed parties. So basically all Rhode Island citizens then?

The bill in question seeks to limit the right to assemble and the right of free speech. It could also limit the right to petition—all rights defined and guaranteed in the first amendment. The act is primarily modifications of existing, outdated and probably unconstitutional acts dating from the period immediately following World War I when many ant-anarchy laws were enacted across the country. Most states have long since overturned those laws either through court decisions or legislative action, but in Rhode Island (where they are still on the books) the Governor is seeking to expand those acts into a new and chilling Homeland Defense act: “§ 11-43-12…Any person teaching or advocating…opposition to organized government,…disbelief in or opposition to organized government…shall be guilty of a felony and, upon conviction, shall be punished by a fine of not more than ten thousand dollars ($10,000), or imprisonment not exceeding ten (10) years, or both. ”

Will this come to pass? Hopefully not, it is already being opposed by Constitutional scholars and—not too remarkably considering Rhode Island’s civil liberties heritage—many private citizens who are assembling and voicing their opposition. Even if it does come to pass, I doubt it could stand the scrutiny of the courts. But better to not let it reach that point at all. As obnoxious and insulting as the Patriot Act may be, this proposed bill is even more so. I hope the citizens and legislature of Rhode Island kill this proposed bill with prejudice and send a message to the lawmakers around the nation that the First Amendment must not b sacrificed to attempt to secure a small portion of a (false) sense of security. Whats more I hope the legislature of Rhode Island sees the danger of having the old (and arguably unconstitutional) anti-anarchy laws from World War I still on the books, even if they have not ever been challenged in the state courts (probably because prosecutors chose not to use the law because they perceived them as unconstitutional and knew they risked the successful conviction of a criminal by using a highly questionable law to prosecute them when other laws existed that could be used to obtain a conviction.)

So if you are using or administering any Windows NT / 2000 / XP machines, read the CERT warning and go get your injection of Microsoft’s mystical magic antibiotic updates (if you are using IE and a flavor of XP you can just go to the Windows Update Service). “Don’t worry… it works—trust us. We’ll keep you nice and safe…we take security very seriously, after all we studied this for six months to create these patches.” In all seriousness I hope Gates gets raked over the coals on this (especially the time issue) when he delivers a keynote speech in two weeks at a security conference.

Here’s the header of CERT’s Technical Cyber Security Alert TA04-041A:

Original issue date: February 10, 2004
Last revised: –
Source: US-CERT

A complete revision history is at the end of this document.

Systems Affected

* Microsoft Windows NT 4.0
* Microsoft Windows NT 4.0 TSE
* Microsoft Windows 2000
* Microsoft Windows XP
* Microsoft Windows Server 2003

Overview

Multiple integer overflow vulnerabilities in the Microsoft Windows ASN.1 parser library could allow an unauthenticated, remote attacker to execute arbitrary code with SYSTEM privileges.

…

Multiple Vulnerabilities in Microsoft Internet Explorer

   Original issue date: February 02, 2004
   Last revised: --
   Source: US-CERT

Systems Affected

   Microsoft Windows systems running

     * Internet Explorer 5.01
     * Internet Explorer 5.50
     * Internet Explorer 6

   Previous, unsupported, versions of Internet Explorer may also be
   affected.

Overview

   Microsoft Internet Explorer (IE) contains multiple vulnerabilities,
   the most serious of which could allow a remote attacker to execute
   arbitrary code with the privileges of the user running IE.

The good news is Microsoft has downloads available to patch the security holes. The bad news is one of the patches will break the ability for IE users to access some sites if the site uses authentication in the form username:password@www.example.com as the URL.

For a better patch I suggest getting a new browser such as Firebird.

Overview

The CERT/CC ® has been receiving reports of a new mass-mailing virus known as W32/Novarg.A, W32/Shimg, or W32/Mydoom that has been reported to open a backdoor to the compromised system and possibly launch a denial-of-service attack against a web site at a fixed time in the future.

Description

The virus arrives as an email message with a 22,528-byte attachment that has a random filename with a file extension of .cmd, .pif, .scr, .exe, or .bat. The attachment may also arrive as a ZIP archive.

Some messages containing the virus have had the following characteristics:

    Subject: 
    From: 
    To: 

    Body:
    (The body has been reported to contain one of the following three messages.)

    "The message cannot be represented in 7-bit ASCII encoding and has been
     sent as a binary attachment."

    "The message contains Unicode characters and has been sent as a binary
     attachment."

    "Mail transaction failed. Partial message is available."

In addition to the backdoor capabilities, the virus is also believed to have the capability to launch a distributed denial-of-service attack against a specific web site beginning on February 1, 2004. As with other malicious code having mass-mailing capabilities, W32/Novarg.A may cause “collateral” denial-of-service conditions in networks where either (a) multiple systems are infected, or (b) large volumes of infected mail are received.

Another one out in the wild…
For more information — not much more is available right now — check in with CERT/CC’s Incident IN-2004-01 page, which has links to updated virus database’s for the major AV packages out there. They also have the normal recommendations (which still go unheeded!) for limiting exposure.

So everyone be sure to keep your digital prophylactics fresh and ready.

Julie, an Air Force Reserves pilot, wanted to get a non-combat oriented flight simulator to give as a gift to her son, so he could get a feel for what his parents do for a living. (Julie’s husband is also a pilot in the Air Force (active duty)) Some moron at the Staples store she visited freaked out when she inquired if they had a non-combat oriented flight sim—like say, oh, maybe Microsoft’s Flight Simulator 2004 available both online and at your local Staples store for $49.99 ) Unfortunately the clerk apparently replied that no one made such a thing as it would be “illegal”. Julie left, obviously knowing this would get nowhere. After Julie left however, the clerk reported the incident to his manager who called the State Troopers, who sent a plainclothes trooper to the Olearcek house to investigate potential terrorist activity!

I’m really hoping that this story is a hoax of some sort–this type of idiocy coupled with paranoia is scary.

I spent the better part of this afternoon fussing with IPCOP 1.4(alpha5) to get it set up the way I want it. IPCOP is an excellent firewall/router package based on Linux. The newer 1.4 offers many improvements over the 1.3 version, and hopefully will go beta soon. There are a number of small bugs in this alpha, none that appear to be major, just a small pain for me getting things set up because of my particular wants and needs.

I installed IPCOP on my temporary host for it — really way over powered for the job and needed for other uses — an Athlon 1.2GHz machine. Eventually I want to get one of the EPIA CL series of low power mini-itx boards and build it into the router/gateway/firewall. The installation and basic configuration of IPCOP was smooth and the new web interface is much more useful than the current 1.3 version interface. I was disappointed by the limited QoS configuration options that the web interface allows – only based on ports. I need QoS mainly for the Vonage system, and it is easy enough to give high priority to it based on IP or mac address, then give varying levels of priority to other traffic based on port and traffic type.

I started with a fairly standard setup for IPCOP — an external ethernet (RED) connect to the Comcast cable modem, an internal (GREEN) ethernet to my computer network, and an ORANGE DMZ(De Militarized Zone) ethernet connection that I planned to use for both the Vonage ATA(Analog Telephone Adapter) and a development /testing web server. Unfortunately IPCOP is not configured to allow DHCP serving on the ORANGE network and the Vonage ATA is not set up to allow forcing it to use a fixed IP. The stock Cisco 186 (without the custom Vonage firmware) will allow you to set it to a fixed IP, but the Vonage installed firmware locks out that option. I understand not allowing DHCP on the DMZ, but for my purposes it presents a problem. So I switched the ORANGE network to be what IPCOP calls a BLUE network, designed to be used for wireless connectivity and such. It supports DHCP across the BLUE interface and from what I understand it should have provided me with almost exactly what I was looking for. Unfortunately the Vonage, and for that matter my sister-in-law’s new laptop, could not complete the DHCP process to get an IP assigned. I added the mac address from the Vonage ATA as a fixed assignment with no luck either. Every time the ATA (and the laptop) would end up with a partially completed DHCP assignment, and the IP range was from the GREEN interface not the BLUE.

At this point I gave up using the IPCOP web interface to get the job done, as I said there are still a few bugs to work out, and SSH’d into the IPCOP box. After about 20 minutes of vim’ing through all the files to see how they were — generally speaking — making IPCOP tick, I hacked the DHCP web interface cgi and added my own subnet assignments, along with changing the firewall rules to create, in essence two separate, isolated GREEN networks. I can add some pinholes to allow essential communication between the networks that I want. So the BLUE net is now not quite a DMZ, but an isolated network from the main internal net (on GREEN).

The IPCOP machine is truly the weak link in this scheme, but then it is fairly small and well vetted code base, with the main firewall rules on the RED interface still pretty tight. The good news is that both networks work independently as they should and the Vonage ATA grabbed the proper IP right off the bat. I still have to add some QoS rules to the system, and as I said before I was slightly disappointed that the QoS web interface only allows port based rules, but that should be easy enough to implement in rc.d files through SSH. Overall IPCOP is an excellent firewall/gateway system that will run on just about any legacy machine out there. For most purposes it will set up in about 5–10 minutes and does not need much by way of tech experience. I knew going in that this was an alpha code base — I knew there would probably be issues. The issues were all in all minor, and should be fixed well before the release version comes out, well except probably the QoS issue, but that is really a design and implementation choice, not a bug.

All through this I was working from both my Toshiba (5205-S703) laptop and my sister-in-law’s new Toshiba Satellite A15-S129 laptop. I really do like Toshiba’s laptops. This one was on sale for about $800 after rebates and Niki desperately wanted to replace the aging Micron GoBook that I got helped her get when I worked for MicronPC — what, 5 years ago. So she ordered it online and had it delivered to me so I could go over it and add a few apps and such that she wants. The Satellite is larger than what she is used to but this $800 laptop offers quite a bit of power and features — 40GB hard drive, DVD/CDRW, 10/100 NIC, 256MB DDR (max 1GB), 15" XGA display, decent speakers built in and powered by a 2.4GHz Celeron. Obviously for me this isn’t the best notebook for processing photo’s and doing 3D work, but for her it will be a lightspeed jump from the old 300MHz GoBook! It would also make an excellent system for my wife and my son to use, as they mainly want it for Quicken, web and email but they don’t want a full blown desktop or even a hidden desktop with a flat panel. Temporarily, if it will handle the load of modern flash and director based games, the GoBook will be their laptop, I doubt it would sell on eBay or similar places as it is a 4-5 year old notebook.

Update:

The whole purpose of updating IPCOP to 1.4, adding QoS rules and putting the Vonage ATA on it’s own network interface was to maximize the quality of the Vonage phone “line”. We have been getting too many drop-outs in the line if the computer was accessing the net at all. Being served by cable modem, we have plenty of bandwidth (checked often and at various times) to handle both the Vonage and light to moderate net use simultaneously. So far the new configuration and the QoS rules have made a dramatic improvement in the line quality (sorry, reverting back to telco speak for what is essentially a pure TCP/IP device). I’ll have to bug my folks or someone with a standard landline phone to do more comprehensive tests. I figure I can ramp slowly up to two or three downloads of the latest Fedora from a fast mirror and a large upload to my server to really see how well the Vonage holds up with the QoS rules I put in place.

Available from Amazon:

• The Telecom Riot Act of 2004 — 29 Reasons To Not Celebrate The 20th Anniversary Of The Baby Bells
• The State of the Economy as seen through eBay auctions and trends — summary: If there’s a recovery on, we’re not seeing it…
• According to my 2004 Farmer’s Almanac, sunrise will be at 7:14am here with the tide still high, and the FBI will now be eying me more suspiciously. Yes they actually released a warning brief to their offices and police nation wide that almanacs are a probable terrorism tools and to “watch for suspects carrying almanacs, especially if they include suspicious notations or marks.” Add all that to the fact that I am a library card carrying, scuba-certified veteran….
• WikiPedia the excellent online open encyclopedia –along with it’s spin-off projects are in financial need. There have been some outages recently caused mainly by the fact that they have no spare hardware to cope with routine failures. As with any similar system, when a failure occurs the load on the rest of the system increases and as their system is already heavily taxed, results in cascading failures. WikiMedia is looking to raise at least $20,000 to get new hardware so they can continue their growth and provide redundancy in the system. This is a great resource that I use on average every other day. WikiMedia is a Non-Profit organization and appears to qualify any donation as tax deductible, although of course IANALFAOTABSOMFAFA(I Am Not A Lawyer, Financial Adviser or Tax Adviser But Some Of My Friends And Family Are)