The Daily Parker

Politics, Weather, Photography, and the Dog

About this blog (v. 4.1.6)

I'm David Braverman, this is my blog, and Parker is my 5-year-old mutt. I last updated this About... page in February, but some things have changed. In the interest of enlightened laziness I'm starting with the most powerful keystroke combination in the universe: Ctrl-C, Ctrl-V.

Twice. Thus, the "point one" in the title.

The Daily Parker is about:

  • Parker, my dog, whom I adopted on 1 September 2006.
  • Politics. I'm a moderate-lefty by international standards, which makes me a radical left-winger in today's United States.
  • Photography. I took tens of thousands of photos as a kid, then drifted away from making art until a few months ago when I got the first digital camera I've ever had that rivals a film camera. That got me reading more, practicing more, and throwing more photos on the blog. In my initial burst of enthusiasm I posted a photo every day. I've pulled back from that a bit—it takes about 30 minutes to prep and post one of those puppies—but I'm still shooting and still learning.
  • The weather. I've operated a weather website for more than ten years. That site deals with raw data and objective observations. Many weather posts also touch politics, given the political implications of addressing climate change, though happily we no longer have to do so under a president beholden to the oil industry.
  • Chicago, the greatest city in North America, and the other ones I visit whenever I can.

I've deprecated the Software category, but only because I don't post much about it here. That said, I write a lot of software. I work for 10th Magnitude, a startup software consultancy in Chicago, I've got about 20 years experience writing the stuff, and I continue to own a micro-sized software company. (I have an online resume, if you're curious.) I see a lot of code, and since I often get called in to projects in crisis, I see a lot of bad code, some of which may appear here.

I strive to write about these and other things with fluency and concision. "Fast, good, cheap: pick two" applies to writing as much as to any other creative process (cf: software). I hope to find an appropriate balance between the three, as streams of consciousness and literacy have always struggled against each other since the first blog twenty years ago.

If you like what you see here, you'll probably also like Andrew Sullivan, James Fallows, Josh Marshall, and Bruce Schneier. Even if you don't like my politics, you probably agree that everyone ought to read Strunk and White, and you probably have an opinion about the Oxford comma—punctuation de rigueur in my opinion.

Another, non-trivial point. Facebook reads the blog's RSS feed, so many people reading this may think I'm just posting notes on Facebook. Facebook's lawyers would like you to believe this, too. Now, I've reconnected with tons of old friends and classmates through Facebook, I play Scrabble on Facebook, and I eagerly read every advertisement that appears next to its relevant content. But Facebook's terms of use assert ownership of everything that appears on their site, regardless of prior claims, which contravenes four centuries of law.

Everything that shows up on my Facebook profile gets published on The Daily Parker first, and I own the copyrights to all of it (unless otherwise disclosed). I publish the blog's text under a Creative Commons attribution-nonderivative-noncommercial license; republication is usually OK for non-commercial purposes, as long as you don't change what I write and you attribute it to me. My photos, however, are published under strict copyright, with no republication license, even if I upload them to other public websites. If you want to republish one of my photos, just let me know and we'll work something out.

Anyway, thanks for reading, and I hope you continue to enjoy The Daily Parker.

Significant data disclosure at Stanford Hospital

I don't have all the details, but it looks like an employee at one of the hospital's vendors did something really stupid:

A medical privacy breach led to the public posting on a commercial Web site of data for 20,000 emergency room patients at Stanford Hospital in Palo Alto, Calif., including names and diagnosis codes, the hospital has confirmed. The information stayed online for nearly a year.

Since discovering the breach last month, the hospital has been investigating how a detailed spreadsheet made its way from one of its vendors, a billing contractor identified as Multi-Specialty Collection Services, to a Web site called Student of Fortune, which allows students to solicit paid assistance with their schoolwork.

Gary Migdol, a spokesman for Stanford Hospital and Clinics, said the spreadsheet first appeared on the site on Sept. 9, 2010, as an attachment to a question about how to convert the data into a bar graph.

One can easily see how this happened: someone on the billing contractor's staff was taking a class of some kind and decided to use real, live, HIPAA-protected data for a project. My law-school Wills instructor, Jerry Leitner, would explain this by the "omnibus explanation," the thing that explains nearly every human endeavor that ends badly: stupidity.
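The fix for this class of stupidity is mechanical: a billing export should never leave the building with direct identifiers in it, and a homework dataset needs none of them anyway. Below is an added example of that control, not Stanford's or the contractor's code. The column names, the sample rows, the pseudonymisation key and the reference date are all constructed assumptions; the page only says the spreadsheet held names and diagnosis codes.

```python
"""De-identify a patient billing export before it goes anywhere.

Added example, not Stanford's or the contractor's code. Column names, sample
rows, the HMAC key and the reference date are constructed assumptions.
"""
import csv
import hashlib
import hmac
import io
from datetime import date

# Constructed sample of the kind of export the page describes (not real data).
SAMPLE_CSV = """name,mrn,dob,admit_date,diagnosis_code,charge
Jane Doe,00012345,1954-03-02,2010-06-17,786.50,1250.00
John Roe,00098765,1987-11-30,2010-06-18,845.00,410.25
"""

# Header names that mark a file as containing direct identifiers (assumed list).
DIRECT_IDENTIFIERS = {"name", "mrn", "dob", "ssn", "address", "phone", "email"}


def has_direct_identifiers(fieldnames):
    """Gate to run before a file is attached or uploaded anywhere.

    Returns the sorted list of offending column names; empty means clean.
    """
    present = {f.strip().lower() for f in fieldnames}
    return sorted(DIRECT_IDENTIFIERS & present)


def pseudonym(value, key):
    """Keyed hash (HMAC-SHA256) of a record number.

    Rows about one patient stay linkable for whoever holds the key, but the
    value cannot be reversed or re-joined to the real MRN by anyone else.
    An unkeyed hash would not do: MRNs are short enough to enumerate.
    """
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def age_band(dob, on):
    """Generalise a date of birth to a ten-year age band as of date `on`.

    HIPAA's Safe Harbor method drops all date elements except the year and
    lumps every age over 89 together, so ages 90 and up become one bucket.
    """
    born = date.fromisoformat(dob)
    age = on.year - born.year - ((on.month, on.day) < (born.month, born.day))
    if age >= 90:
        return "90+"
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def deidentify(csv_text, key, on):
    """Return rows that keep what a billing analysis needs and nothing that
    names a person: pseudonymous id, age band, admission year, code, charge."""
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = []
    for row in reader:
        rows.append({
            "patient_id": pseudonym(row["mrn"], key),
            "age_band": age_band(row["dob"], on),
            "admit_year": row["admit_date"][:4],  # year only, per Safe Harbor
            "diagnosis_code": row["diagnosis_code"],
            "charge": row["charge"],
        })
    return rows


if __name__ == "__main__":
    header = SAMPLE_CSV.splitlines()[0].split(",")
    print("direct identifiers in export:", has_direct_identifiers(header))
    for r in deidentify(SAMPLE_CSV, b"constructed-demo-key", date(2011, 9, 1)):
        print(r)
```

The header check is the cheap part: it is the kind of test a mail gateway or a file-share hook can run on every outbound spreadsheet without understanding the data. The de-identification step is what the contractor's employee should have run before asking strangers on a homework site to make a bar graph out of the file.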

The article mentions Stanford was fined $250,000 over the breach. I wonder if they'll be able to get a contribution award from the contractor?

Costs and benefits of anti-terror spending

Gulliver this afternoon examines whether we might want to examine them:

A new academic paper [PDF] from John Mueller (of The Ohio State University) and Mark Stewart (of the University of Newcastle in Australia) attempts to determine whether the return on investment justified those huge expenditures. ... [T]he findings in this paper are truly remarkable. By 2008, according to the authors, America's spending on counterterrorism outpaced all anti-crime spending by some $15 billion. Messrs Mueller and Stewart do not even include things like the wars in Iraq and Afghanistan (which they call "certainly terrorism-determined") in their trillion-plus tally.

"[A] most common misjudgment has been to embrace extreme events as harbingers presaging a dire departure from historical patterns. In the months and then years after 9/11, as noted at the outset, it was almost universally assumed that the terrorist event was a harbinger rather than an aberration. There were similar reactions to Timothy McVeigh’s 1995 truck bomb attack in Oklahoma City as concerns about a repetition soared. And in 1996, shortly after the terrorist group Aum Shinrikyo set off deadly gas in a Tokyo subway station, one of terrorism studies' top gurus, Walter Laqueur, assured the world that some terrorist groups 'almost certainly' will use weapons of mass destruction 'in the foreseeable future.' Presumably any future foreseeable in 1996 is now history, and Laqueur’s near 'certainty' has yet to occur."

The paper also found that anti-terror spending has outpaced anti-crime spending by some $15 bn, despite crime costing society significantly more. The paper doesn't go into the politics of why this might be so, but I'll hazard a guess that cutting crime benefits more people a little while spending on anti-terror measures benefits a few people quite a bit. Lowering the likelihood that my car will suffer $300 in damage from a break-in has less immediacy than a $30m contract for a new security gadget would were I in that line of business.

Who authenticates the authentication?

Via Bruce Schneier, the author of How the End Begins describes how no one can ever be absolutely certain an order to destroy civilization is authentic:

Can the president start a nuclear war on his own authority—his own whim or will—alone? The way Brigadier Gen. Jack D. Ripper did in Dr. Strangelove? What if a president went off his meds, as we'd say today, and decided to pull a Ripper himself? Or what if a Ripper-type madman succeeded in sending a falsely authenticated launch order? You're about to kill 10 million people, after all.

Anyway, back down there in your launch capsule you might allow yourself to wonder: "This launch order, is this for real or for Nixon's indigestion?"

If you were asking yourself that question, you wouldn't be the only one. James Schlesinger, secretary of defense at that time, No. 2 in the nuclear chain of command, was reported to be so concerned about Nixon's behavior that he sent word down the chain of command that if anyone received any "unusual orders" from the president they should double-check with him before carrying them out.

So there you are, having just received the order to launch nuclear genocide. Should you suppress any doubts, twist your launch key in the slot simultaneously with your fellow crewman and send death hurtling toward millions of civilians halfway around the world? Without asking questions? That's what you're trained to do, not ask questions. Trainees who asked questions were supposed to be weeded out by the Air Force's "psychiatric consideration of human reliability" requirement. I've read this absurd Strangelovian document, which defined sane and reliable as being willing to kill 10 or 20 million people with the twist of a wrist, no questions asked.

Oh, yeah, I'll sleep well tonight.

Friday miscellany

In no particular order:

  • Today is the 100th anniversary of the deadly Triangle Shirtwaist factory fire in New York, in which 146 workers died. If you want to know why we have unions in the U.S., read the story. This is the world to which the radical right are happy to return us.
  • I have to hand it to Citibank and their crack team of fraud preventatives. Last week I bought a plane ticket from Chicago to London for about $700. A few hours later I attempted to put down a £100 deposit on a hotel room in London. Citibank declined the smaller charge, because it was an international purchase without card-in-hand, as they say. Note I bought the airline ticket online also.
    A 10-minute phone call to them, followed by an apologetic phone call to the hotel, and it went through fine. This morning, I bought a £58 round trip rail ticket from London to York on a day within both the air ticket and hotel reservation (both of which Citibank knows about), and their computer called me within seconds to warn me of yet more fraud. Fifteen minutes later they have finally—finally!—acknowledged that I might be in the UK for a couple of days, and possibly will be using my credit card to make reservations ahead of the trip. Note to people outside the US: They're not trying to protect me; they're trying to protect themselves. In the US, card holders have a $50 liability limit for fraudulent transactions; the bank's liability is essentially limitless. But still, guys?
  • Microsoft's Raymond Chen has a funny anecdote about the Seattle Symphony Orchestra's front office getting confused between Paul Cézanne and Camille Saint-Saëns, complete with a handy chart to tell the difference.

That is all.

148 years too late

Via Bruce Schneier, a retired CIA codebreaker recently decoded a message sent to Confederate Lt. Gen. John Pemberton in July 1863:

The encrypted, 6-line message was dated July 4, 1863, the date of Pemberton's surrender to Union forces led by Ulysses S. Grant, ending the Siege of Vicksburg in what historians say was a turning point midway into the Civil War.

The message is from a Confederate commander on the west side of the Mississippi River across from Pemberton.

"He's saying, 'I can't help you. I have no troops, I have no supplies, I have no way to get over there,'" Museum of the Confederacy collections manager Catherine M. Wright said of the author of the dispiriting message. "It was just another punctuation mark to just how desperate and dire everything was."

That day, 4 July 1863, the Union not only captured Vicksburg but also prevailed at Gettysburg. Historians generally agree the two victories effectively ended any possibility of the Confederacy winning the war, though they would continue to fight for another 20 months.

The full text of the message to Pemberton reads:

"Gen'l Pemberton:

You can expect no help from this side of the river. Let Gen'l Johnston know, if possible, when you can attack the same point on the enemy's lines. Inform me also and I will endeavor to make a diversion. I have sent some caps (explosive devices). I subjoin a despatch from General Johnston."

The last line, Wright said, seems to suggest a separate delivery to Pemberton would be the code to break the message.

The news story has more details about how they found the message, and how they broke the code.
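The page doesn't say what cipher the dispatch used or how it was broken, so what follows is an added illustration rather than the museum's or the codebreaker's method. The Confederate armies are known to have used the Vigenère cipher (a repeating-key shift) with short key phrases, and that cipher is assumed here. The key "GRANT", the filler sentences after the dispatch and the resulting ciphertext are all constructed for the example; the only text from the page is the decoded message itself.

```python
"""Breaking a repeating-key (Vigenere-type) cipher by statistics alone.

Added illustration, not the Museum of the Confederacy's or the codebreaker's
method: the page does not say what cipher the Vicksburg dispatch used. The
Vigenere cipher, the key "GRANT", the filler text and the ciphertext below
are all constructed for the example.
"""
from collections import Counter
import string

ALPHABET = string.ascii_uppercase

# Letter frequencies (percent) of ordinary English, for the chi-squared test.
ENGLISH_FREQ = {
    "A": 8.167, "B": 1.492, "C": 2.782, "D": 4.253, "E": 12.702, "F": 2.228,
    "G": 2.015, "H": 6.094, "I": 6.966, "J": 0.153, "K": 0.772, "L": 4.025,
    "M": 2.406, "N": 6.749, "O": 7.507, "P": 1.929, "Q": 0.095, "R": 5.987,
    "S": 6.327, "T": 9.056, "U": 2.758, "V": 0.978, "W": 2.360, "X": 0.150,
    "Y": 1.974, "Z": 0.074,
}

# Plaintext: the decoded dispatch quoted on the page, plus constructed filler
# so that every key position has about a hundred letters to work with.
PLAINTEXT = (
    "Gen'l Pemberton: You can expect no help from this side of the river. "
    "Let Gen'l Johnston know, if possible, when you can attack the same point "
    "on the enemy's lines. Inform me also and I will endeavor to make a "
    "diversion. I have sent some caps. I subjoin a despatch from General "
    "Johnston. "
    # constructed filler, not part of the dispatch
    "Any cipher that shifts each letter by a fixed amount keeps the shape of "
    "the language underneath it, and a long enough sample of the text will "
    "betray the shift to anyone who counts letters and compares the counts "
    "with ordinary English. The same is true of a repeating key once the "
    "period is known, because each position of the key is just a separate shift."
)
KEY = "GRANT"  # constructed; no real Confederate key phrase is assumed


def normalize(text):
    """Keep only A-Z, as a field cipher clerk would."""
    return "".join(c for c in text.upper() if c in ALPHABET)


def vigenere(text, key, decrypt=False):
    """Shift letter i by key[i mod len(key)]; the inverse shift decrypts."""
    letters, key = normalize(text), normalize(key)
    out = []
    for i, c in enumerate(letters):
        k = ALPHABET.index(key[i % len(key)])
        out.append(ALPHABET[(ALPHABET.index(c) + (-k if decrypt else k)) % 26])
    return "".join(out)


def index_of_coincidence(text):
    """Probability two random letters match: ~0.066 for English, ~0.038 random.
    A single Caesar shift leaves it unchanged; mixing shifts drives it down."""
    n = len(text)
    counts = Counter(text)
    return sum(v * (v - 1) for v in counts.values()) / (n * (n - 1))


def guess_key_length(cipher, max_len=12, threshold=0.055):
    """Smallest period whose columns (every L-th letter) look like English."""
    for length in range(1, max_len + 1):
        columns = [cipher[i::length] for i in range(length)]
        if sum(index_of_coincidence(c) for c in columns) / length >= threshold:
            return length
    return None


def chi_squared(text):
    """Distance between observed letter counts and English expectation."""
    n = len(text)
    counts = Counter(text)
    return sum((counts.get(c, 0) - ENGLISH_FREQ[c] * n / 100) ** 2
               / (ENGLISH_FREQ[c] * n / 100) for c in ALPHABET)


def best_shift(column):
    """Each column is a plain Caesar cipher: try all 26 shifts, keep the most
    English-looking one. Returns the key letter index for that column."""
    return min(range(26),
               key=lambda s: chi_squared(vigenere(column, ALPHABET[s], decrypt=True)))


def recover_key(cipher, key_length):
    return "".join(ALPHABET[best_shift(cipher[i::key_length])]
                   for i in range(key_length))


def break_vigenere(cipher):
    """Return (recovered key, plaintext) using only the ciphertext."""
    key = recover_key(cipher, guess_key_length(cipher))
    return key, vigenere(cipher, key, decrypt=True)


CIPHERTEXT = vigenere(PLAINTEXT, KEY)  # constructed ciphertext for the demo

if __name__ == "__main__":
    key, plain = break_vigenere(CIPHERTEXT)
    print("recovered key:", key)
    print("plaintext starts:", plain[:60])
```

Two statistics do all the work. The index of coincidence finds the period without knowing any plaintext, because letters enciphered under the same shift keep English's lumpy distribution while letters under mixed shifts flatten toward random. Once the period is known, each column is an ordinary Caesar cipher, and a chi-squared fit against English frequencies picks the shift. About a hundred letters per column is plenty; with the original six-line dispatch alone the columns would be thin, which is one reason guessing a probable word (the addressee's name, say) is the usual shortcut on short military traffic.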

Never ascribe to malice...

I've recently had the opportunity to work on-site with a client who has a strong interest in protecting its customers' privacy. They have understandably strict policies regarding who can see what network data, who can get what access to which applications, etc. And they're interested in the physical security of their buildings.

At some point, however, process can stymie progress, and this client recently added a physical security measure that can stand as a proxy for everything else about how they function. Not content with having a full-time security guard at each lobby entrance, and with doors that require an ID to open, they now have a man-trap-style revolving door system. Only one person can enter the door at a time, or alarms sound. The doors move slowly enough that even the slowest walkers—and this is far Suburbistan, so there are many—can get through without hurrying. And to make extra-special-certain, these doors require a second ID badge.

Now, the client building is 30 km from the nearest city of any size, and that city doesn't even rank in the top 50 by population. In order to get to the building you have to drive some distance from anyplace you'd ever want to be, then cross a parking lot whose area, according to Google Maps, is four times greater than the building's footprint. In other words, they're protecting the building from...nobody. Nobody will ever lay siege to this place.

This aptly demonstrates the philosophy throughout the organization: they have immense barriers that have no purpose except to prevent any actual work from happening. My effort for this particular client lasted several long weeks and produced, in the end, about fifteen lines of code. They brought 60 developers onto the project to speed it up, with the result that 60 developers tripped over procedures and project management at immense cost to the company to produce something four guys in a garage could have done in the same length of time.

There's a punchline, a poignant one for the day after Elizabeth Edwards died: the client is a major health-insurance company.

Do you want to know why the U.S. spends more on health care than any other country? I think I have the answer.

N.B.: The title of this post comes from one of my favorite quotes, usually ascribed to Napoleon Bonaparte but probably coined by Robert Heinlein: "Never attribute to malice that which is adequately explained by stupidity."

The threat condition level is colorless

Via Schneier, the Department of Homeland Security will soon get rid of color-coded warnings:

In an interview on “The Daily Show” last year, the homeland security chief, Janet Napolitano, said the department was “revisiting the whole issue of color codes and schemes as to whether, you know, these things really communicate anything to the American people any more.”

The answer, apparently, is no.

The Homeland Security Department said the colors would be replaced with a new system — recommendations are still under review — that should provide more clarity and guidance. The change was first reported by The Associated Press.

I wonder what that guy at O'Hare—the one who says "The current threat advisory level is orange" all day—I wonder what he'll do now?

When to change passwords

Security guru Bruce Schneier has great advice about when to change your passwords:

The primary reason to give an authentication credential -- not just a password, but any authentication credential -- an expiration date is to limit the amount of time a lost, stolen, or forged credential can be used by someone else. If a membership card expires after a year, then if someone steals that card he can at most get a year's worth of benefit out of it. After that, it's useless.

... An attacker who gets the password to your bank account by guessing or stealing it isn't going to eavesdrop. He's going to transfer money out of your account -- and then you're going to notice. In this case, it doesn't make a lot of sense to change your password regularly -- but it's vital to change it immediately after the fraud occurs.

... So in general: you don't need to regularly change the password to your computer or online financial accounts (including the accounts at retail sites); definitely not for low-security accounts. You should change your corporate login password occasionally, and you need to take a good hard look at your friends, relatives, and paparazzi before deciding how often to change your Facebook password. But if you break up with someone you've shared a computer with, change them all.

Note to phishers

A good friend woke up this morning to find her email and Facebook accounts hacked, with a message sent out to everyone in her address book that she'd been robbed at gunpoint while visiting London and desperately needed a credit card to get on the plane back home.

Other than the story's baseline implausibility (a gun robbery in London being about as likely as getting trampled by a moose in Atlanta), there were other clues it was a phisher. For one thing, my friend is an American lawyer, not a Nigerian criminal, so she has a direct, concise, and moreover punctuated writing style not immediately in evidence in the phishing message.

The take-away, to all the would-be phishers reading this: you'll get farther with your frauds if you learn better English. Next time, instead of asking for credit-card numbers, write this: "Help! I am being held captive unless I can draft a 500-word essay on epistemology, and they'll only allow me one reference book! Please, I'm desperate, send me Strunk and White before I use unnecessary words!"

Oh, and also try hacking your victim's spouse's account, which will make it harder for people to verify the dodge.