Tue, Jun. 21st, 2011, 05:54 pm
I ordered a number of books (around eight separate items) recently from a major book retailer that isn't Amazon. This was a single order, with the instructions to ship in as few packages as possible. Free shipping was available and taken.
The order was broken into four separate packages shipping out from three separate shipping companies.
A consultant could make a lot of money suggesting that maybe postponing an order by an hour or so on shipping to reduce the number of packages would be a good idea.
Wed, May. 4th, 2011, 10:15 pm
Sony and PCI
In looking online, I've seen numerous discussions about Sony and PCI. I've avoided talking too much about Sony, but I can't really keep my mouth shut. There's a few reasons for this. First, I work on PCI compliance, so I'm very familiar with the rules. But I also have nothing to do with Sony, so I don't have the potential for a conflict of interest.
Several reports about the incident have drawn my attention.
- The attack was against known vulnerabilities. Reports are now indicating it was an unpatched version of Apache (6.1)
- The security code for the credit card number may have been compromised according to numerous reports (3.2.2)
- Firewalls appear to not have covered several key parts of the network (1.2)
The numbers in parentheses are the requirements from the PCI DSS (the document that describes the IT security requirements for accepting credit card transactions) that would be violated by the reported information. It's important to note that very little has been confirmed by Sony.
Sony has sent emails indicating that credit card numbers may have been compromised and confirmed that the attack was based on vulnerabilities known to the security community. In their email, they explicitly state that the security code was not compromised. Given how little Sony is actually stating was not compromised, there is at least a reasonable chance that the second item above is incorrect, that the security code was not compromised.
I've seen questions about Sony's PCI compliance status. I do not know (and don't care to look up) what class of merchant they are. I do know that Sony would have to be certified at some level to even be able to take credit cards. Most small merchants actually don't take credit cards themselves; they rent equipment that does it for them. But Sony is storing those credit card numbers "encrypted", so they would be subject to PCI certification each year.
Section 6.1 (patch known security vulnerabilities) is a particularly worrisome item to me. I can actually understand a viable argument for not using firewalls on external facing systems (section 1.2). It's long and complex, but it boils down to this: that external box doesn't have to be used if you do it right on each and every host in your network. I cannot understand a viable argument for not patching. Patching is essential, and I don't mean patching when one feels like it, or months after the system is brought online.
I personally suspect that fines will be levied at some level, even if just to warn other merchants that the payment card industry is serious. I also don't think that managers at other companies will care for more than a month or two. Security is rarely taken seriously until after it is on the front page for at least two days.
So everyone out there reading this, go click that friendly icon to check if you are up to date on patching. Don't forget that Adobe products are often not patched by your operating system patching mechanism, so you have to check that separately. This is particularly important for Adobe Flash. Your system is a target, even if just to help hide the real attackers on their next attack against a large company.
"Always assume that the company [collecting your personal data] is incompetent..."
I guess the zeroth law of computer security is finally being realized.
There is a solicitor's licensing ordinance in this area. Those who wish to go door to door selling or pushing products must have a police department issued ID and present it prominently when they go door to door. The local police have told me in the past to call the police department on the first offense by any solicitor. I don't do it every time, but if they make me at all nervous, I will.
So why is it that for every thirty or so door to door solicitors, at most one or two actually have a license? Even people who clearly know better and have had time to obtain one refuse. In one example, they were stopped, told to get a license and left. Several days later, the person came back to the door to peddle their goods. As soon as they were asked, they apologized and left.
Maybe I'm prejudiced. But I can't seem to find a restaurant that offers the kind of meal that I had tonight at home. Start with a good salad: multiple types of green, several kinds of vegetables, etc. Then the bread which is a rich, strongly flavored bread made with yogurt, honey, etc. Then the real meal, bacon wrapped tenderloin, twice baked potatoes, and green beans with almonds.
I can usually find one of them, sometimes two at a restaurant, but certainly not all of them. Okay, maybe there is somewhere such a place, but even the fancy steakhouses don't seem to do good bread anymore.
It's the traditional advice given young children. Don't speak just to be saying something. If you don't have something to say, then don't say anything.
But today, that advice is ignored completely. Social networking tools like Twitter now encourage people to say nothing at all, constantly. Authors are told that they have to write one more story about the popular character, even if it doesn't make plot sense, or the author has nothing more to write on that subject. (This has resulted in numerous unsatisfying stories, or contrived methods of just killing off the character so that the author can move on.) Television shows are forced to continue long after the writers have run out of good ideas, or stories to tell with those characters. Today, we even give such a name, jumping the shark. We argue about when a television show "jumped the shark".
In business even, this advice would be useful. Many people, from managers to techies feel they have to attend meetings, to speak up on them even though they have nothing of interest to say. This isn't the person who comes to the meeting to listen quietly and only speaks up when they actually have something to say. This has caused numerous meetings to get confused or go overly long.
Probably the most extreme case of following this advice was Sir Isaac Newton. As I understand, through many years in parliament, his only statement of record was a point of order, requesting the windows be opened on a particularly warm day.
One of the hazards of continuing to take violin lessons and sticking with it. I have more than a couple years of experience. This means that I no longer mesh well with the adult ensemble groups that can be assembled through where I take lessons, but I'm not a professional player by any means and thus cannot join a real orchestra, certainly not without a huge time commitment that I'm not ready to make right away.
Sun, Jan. 23rd, 2011, 07:30 pm
Bread and salt
For many years, I've been told that bread must have salt in it to cook right. It will not develop the right flavor, it won't rise correctly, over rising, etc.
A cookbook I've come to trust on breads said one doesn't need salt, but one should slow down the rising slightly. "Cut it out, or leave it out entirely" was the advice given.
So we tried it. I decided that a recipe with a fair amount of whole wheat flour would be ideal for such purposes. For me, it rises slower anyway, and I often need to add gluten to ensure it rises nicely. Decided to do pretzels. The texture was different, actually a bit heartier than I would expect, but that could also be the fact that I've never done a whole wheat dough for a pretzel recipe. One of my first thoughts was actually to compare it to a whole wheat bagel, which means it isn't for everyone.
But the cookbook vindicated itself. The entire recipe had only trace salt and was more than just edible.
Fri, Dec. 10th, 2010, 09:18 am
Many years ago, I got a headset to use for working at home. It was a very nice unit, with speakers for both ears (binaural) and a good noise canceling microphone that has been proven effective time after time. Recently, the ear pads finished wearing out for the second time (the first set of pads lasted me about four or so years.) But the unit is so old now that I couldn't even identify the unit readily. Nothing I could find easily online would tell me even the model that I had anymore.
Amazingly, a call to the technical support of the original vendor (that no longer markets end user products under their own name), and they were able to identify the unit and give me a parts supplier in my overall area. There was only one problem. The parts vendor had a ten dollar minimum order. We had to talk about what duplicates to order in order to get to that minimum amount. I should be good for another ten years with this thing.
Admittedly, it was a very expensive unit when I got it, but lasting this long already, and no sign of breaking made the unit a good deal. Unfortunately, I can't anticipate any electronic devices I buy lasting that long anymore.
Wed, Nov. 3rd, 2010, 08:54 am
Once again, I'm noticing some physical limitations that once were not so obvious, even if they were there before. For most day to day life activities twenty years ago, most of these issues weren't a problem. Now, with changes to society and technology, at least one of them is more of a problem today than it was before.
On the flip side, one problem that I have is much less limiting today than it would be in society twenty years ago, and that one issue is far more serious.
This has led me to look more at the accessibility features of various technologies, how far they have come and how they have gone backwards in some cases.
Movie theaters are pretty much gone from feasibility today. They shove a giant screen in front of you, try and destroy your hearing with volume levels completely unacceptable, and often use techniques that are designed to induce at a minimum headaches, and have been known to induce seizures.
Restaurants are now much more accessible than ever before. It isn't just the food, but the environment. Smoking is now routinely prohibited in many restaurants, meaning I can at least walk in and not have to leave within five minutes. Nutrition information may finally be required to be available (assuming that isn't something that the new Congress attempts to repeal). I remember in the past the servers had no idea of if milk was even used in a dish. On the negative side, restaurants seem to think no one minds an alcohol based sauce where the alcohol flavor is so strong that you wonder if they even stood near the dish for five seconds.
Office buildings are not exactly doing well. Basic janitorial service seems to be getting rarer rather than more common. Little things like vacuuming common areas is no longer standard where I work. Instead of replacing old and worn out furniture, I've repeatedly been asked to continue to use chairs that were partially broken. The one time I could get a replacement chair, the chair completely fell apart (multiple pieces). Using simple air filters seems to be rare now.
My biggest gripe, though, is strobe lights, because they are done in the name of improving safety while reducing it. It used to be standard practice: no bright lights aimed above the road if other drivers may be nearby, and no strobe lights allowed at all. Now, school buses have mandatory strobe lights aimed to blind any nearby driver. What happened to the practice of warning people that strobe lights are believed to induce seizures in some percentage of the population and that exposure should be limited? Switching police car lights to strobe lights doesn't improve visibility of the vehicle over older style emergency lights.
We as a society have a long way to go in basic accessibility.