Posts from September 2009.

We don’t care. We don’t have to. We’re the MBTA.

In the words of the late, great, Irving Snyder, WA1ETG SK, I have a “tale of woe.” As always, as an employee of the fantastic Commonwealth of Massachusetts, the opinions of this website are my own and not the view of my employer or anyone else.

Late in August, I was in a rush on a Wednesday and couldn’t change my five dollar bill for ones to pay for parking. With the MBTA, they have something called an “honor box” in which you pay your $4 parking fee into a small slot numbered with your space. “No worries…” I said to myself, “…since I am in a rush, I will eat the late fee and just pay them when I get a violation notice.” A brilliant plan, correct? It was, I’ve done it before. Also, since I knew I was likely going to face the same problem on Friday I was just going to pay $10 with the Friday violation notice. This plan crashed to earth when I got the Friday violation notice:

One of these things is not like the other...

Can you spot the key difference between these two notices? According to the 8/21 notice, I have 8 outstanding violations. This is impressive, as with every violation notice previous to this, including the 8/19 notice, hasn’t included a peep about any kind of outstanding violations. So, I place an e-mail to LAZ Parking, as they suggested on their voice mail greeting, to ask them how the heck this happened. They politely provided me a spreadsheet showing that I hadn’t paid my violations numerous times since they took over.

Slight problem: I did pay them.

I’m no angel. According to the spreadsheet I had 16 violations since December 1st. However, I have been extremely thorough in paying my violations since the parking fee increase, specifically because I knew that $5/pop could add up quick. While I cannot specifically say “Oh, hey, I paid that violation on June 23rd.” (Because really, who remembers that?) There were two violations that I was sure I had paid. Also, apparently, I did possibly owe them $2.75 from a violation in December. I won’t even attempt to remember that.

So, I ask them how I can contest it? Well, simple, I just tell them which spot I parked in during those dates and they can check.

Slight problem: There is not assigned parking at the MBTA.

With the MBTA commuter rail, each spot is numbered and that’s the number you pay for. However, it’s first come first serve. Most days I usually get a spot in the between 50 and 100. But really, I now have to keep track of which spot I park in on a daily basis just in case LAZ says I didn’t pay? What? I explained this to the CSR and after following up a week later asking them if there was any movement on this she reiterated she needed the numbers.

This brings us to today.

I give up.

That’s it MBTA, you win. You’ve created a system where you can tell people they owe money and they have little to no recourse. You have a cash system, someone can have no proof they paid on random dates and in order to contest it, you make them jump through nearly impossible hoops. I give up. I am bending over and taking it.

So, now, in order to cover my ass:

  • I will be paying my outstanding fee with a check, probably hand delivered, and I will get a receipt.
  • Further violations will be paid with via a check, as suggested by LAZ, and I will be keeping the canceled checks on record.
  • After I get the canceled check, I will be following up with LAZ to make sure they credited it to my account.

Plus, just to add insult into injury halfway through the back and forth with LAZ, I get this on my windshield:

Insult to Injury

A $15 ticket because I was parking in the lot with an “outstanding balance”

Thanks, MBTA.

Amateur Radio gets left in the dust again…

I’m surprised this completely missed my radar. While reading the Commonwealth’s Statewide Communications Interoperability Plan the other day, I noticed that they made a reference to a broadband initiative on Cape Cod and the islands called OpenCape. This idea is for pushing a fiber solution out across the Cape and islands along with a Microwave backbone for backup. This peaked my interest for two reasons:

  1. I love me some speedy Internet
  2. It shows how far Amateur Radio is behind the times

OpenCape states on their “About us” page that:

The Cape, Islands and South Coast are the most vulnerable region in Massachusetts to natural disaster, such as a hurricane. Additionally, the region’s proximity to the Plymouth nuclear power plant adds to the region’s overall disaster risk. One of the lessons from Katrina and other major disasters is that communication infrastructure is key to both response and recovery.

Cape Cod lacks the robust and redundant system of communications it will need to respond to and recover from a natural or man-made disaster. Not only will the OpenCape network perform a daily economic role, but it will also serve as the redundant communications backbone in times of emergency.

This is eerily familiar to me as a south coastal Massachusetts amateur radio operator, as I’ve heard this same exact statement time and time again from people involved in Emergency Communications out on the Cape. There is no real link back to the rest of the state from the Cape and Islands. However, lets compare and contrast:

Faced with the same problem two groups came up with different solutions:

  1. Establish a “robust, high capacity communications infrastructure” both wired and wireless across the Cape
  2. Establish a 1200 baud VHF connection with WinLink.

I seem to be busting this out a lot lately:

OK, this isn’t a strict apples-to-apples comparison. I understand that the projects here are slightly different. OpenCape’s projected cost it $40 million while I’m sure the WinLink connection cost probably well under 0.1% of that. However, it demonstrates a disconnect between Amateur Radio and what the current environment is like for data connections. Today, everything short of my toaster is IP based. Existing infrastructure using IP is everywhere. What is Amateur radio still continuing to focus on? Kludges that keep bolting things on top of an outdated protocol that isn’t suited for today’s networks and then additional kludges to connect it back to the rest of the world.

OpenCape says that “Letters of support have been received from every town… Cape Cod and the Islands, police and fire chiefs associations…” which makes me wonder what exactly is going on out there. Are we squandering a valuable opportunity for deploying HSMM links on an intra and inter-town basis? While I’m not a fan of the “EmComm for the sake of EmComm” that a lot of ARES and RACES folks fall into, this would be a great way to “sell” amateur radio. If someone said to a Cape Cod based fire/police/EMA “Hey, I think I can give you an IP link off cape for short money that would continue to work during a disaster” I’d be shocked if there were no interest. If that goes well, what about then start setting up a mesh network between towns? Part 97 gives us tremendous leeway on 2.4GHz and there is ways to upgrade consumer equipment for cheap money. For the love of pete, how can we not do this?

Instead of keeping up with the times we are focusing on our 1200 baud links and getting left in the dust while people are beating us with better designed data networks. Data networks that are designed to work during disasters. Then, we wonder why the hobby is suffering.

More Mobile Operation Madness

Mark, K6HX writes another good article regarding the NSC and ARRL letters and does some math on what we might expect to see if we tried to find evidence on Ham Radio operation while mobile:

There are only about 660,000 or so hams licensed in the U.S. The vast majority of these do not operate mobile. The vast majority of those do probably spend most of their time listening. In such a case, we’d expect that the number of accidents caused to be much lower than those caused by cell phones, even if mobile operation was every bit as dangerous as using a cell phone. The overall instance of accidents may be only 0.1% or less of the levels we see from cell phones. One study estimated that 6000 accidents might have been caused by cell phones in California in 2001. Even if ham radio were as dangerous, we might expect to see only six accidents in the entire year from ham radio operation.

Now, the are some other variables at work that would be interesting to toss around:

  • A lot of amateur radio operators are older, would cause the rates to trend upwards?
  • Are amateur radio operators more distracted when we have to fiddle around, find a mic, adjust the radio, etc?
  • Is a study done in 2001 going to accurately reflect numbers in 2009?

However, the kicker of this whole article is not the post by Mark, but a comment done by Schley Cox:

I operate mobile with amateur radio using Morse code. I copy in my head, my eyes never leave the road in front of me and my right hand (sending hand) is not more than 2 inches from the bottom of the steering wheel. I tune my radio by ear only. I work a narrow range of frequencies without ever looking at the radio. Compare all these situations with using a cell phone, or even a mobile radio using a microphone.

My right and left brain don’t have much to do with each other and it doesn’t seem distracting to me to both send and receive Morse code while driving on stretches of highway. If I need both hands on the wheel while sending I simply send AS and the other operator knows to wait for a while. I don’t have to explain to her (or him) why I am stopping sending.

I don’t operate at all on busy highways. Period. There’s not even time to send AS somewhere (like I-65) while careening between lanes at 80 mph trying to keep from getting rear ended by the rush behind.

Holy crap, where do I begin? Mark makes the statement in a later comment that “This is precisely the kind of argument that I think we should all view with skepticism.” and I wholeheartedly agree. I’m scared the Mr. Cox can think he can do CW in his head and fully concentrate on driving. I will give credit to him for at least realize that doing it on a busy highway is bad, but I hope he isn’t sharing the road with me while I commute. Mark is right to point out that distractions come in all different shapes and sizes while driving: people in the car, twiddling the A/C, and using a mobile phone. It’s foolhardy to think that we are somehow above all that.

ARRL asks the question and the NSC responds, but will the ARRL listen?

Late in July, the ARRL wrote a letter to the National Safety Council regarding the operation of amateur radio while mobile. Joel Harrison, W5ZN, president of the ARRL wrote lobbied (lets not kid ourselves, that what the ARRL does) the NSC to help them ensure that Amateur Radio is not caught up in no-cell-phones-while-driving laws by waving the bloody shirt of public service.

Amateur radio operators provide essential emergency communications when regular communications channels are disrupted by disaster. Through formal agreements with federal agencies… Amateur Radio volunteers protect lives using their own equipment without compensation. The ability of Hams to communicate and help protect the lives of those in danger would be seriously hindered if… governments do not ensure that Amateur Radio operators can continue the use of their mobile radios while on the road.

Now, don’t get me wrong. I use my FT-7800 in my car on an almost daily basis. I am by no means innocent and I did write my representatives when Massachusetts tried to pass a cell phone ban in 2008. It’s my hobby, I enjoy it, and in the car is the only time I get the “play radio” for the most part. I enjoy talking to my friends via it. I try to be responsible, however, I think that if anyone tells you that they are 100% concentrated on driving while they are playing radio, they’re a bold-faced liar.

President Janet Froetscher of the NSC’s response is very political and does a great job at walking right down the middle by giving a response without giving a response. While everyone is touting the NSC’s statement saying that “NSC does not support legislative bans or prohibition on [amateur radio] use” and counting it as a victory, however, the letter from the NSC says some very different things:

We are not aware of evidence that using amateur radios while driving has significant crash risks. We also have no evidence that using two-way radios while driving poses significant crash risks. Until such a time as compelling, peer-reviewed scientific research is presented that denotes significant risks associated with the use of amatuer radios, two-way radios or other communication devices, the NSC does not support legislative bans or prohibition on their use.

Sounds like we’re in the clear, right? Well, kind of. Indeed, there is no evidence that using two-way radios while driving poses significant crash risks, but what evidence are we citing that shows there isn’t a link? From the ARRL policy statement on mobile operation:

is aware of no evidence that [mobile] operation contributes to driver inattention. Quite the contrary: Radio amateurs are public service-minded individuals who
utilize their radio-equipped motor vehicles to assist others, and they are focused on driving in the execution of that function.

Hmmm… That doesn’t sound like compelling, peer-reviewed scientific research to me. What did the ARRL present in their letter to the NSC?

As ARRL Chief Executive Officer David Sumner has observed based on more than 40 years of experience, “Simplex, two-way radio operation is simply different than duplex, cell phone use. Two-way radio operation in moving vehicles has been going on for decades without highway safety being an issue. The fact that cell phones have come along does not change that.”

This is, by definition, anecdotal evidence. Plus, would you really trust this if the National Association for Juggling president state that, after 40 years of experience, he observed that juggling is completely different from cell phone use and has been going on for decades without highway safety being an issue? I wouldn’t and neither should you. When I read this back in August, I did find this a bit amusing as the first thing that popped into my head is the final scene in the movie Thank You for Smoking. The protagonist, who used to lobby for the Tobacco industry, is talking to clients in a meeting regarding cell phone usage:

Gentlemen, practice these words in front of the mirror: Although we are constantly exploring the subject, currently there is no direct evidence that links cellphone usage to brain cancer.

Amateur Radio is in the same position. There is currently no direct evidence that links mobile operation with accidents. The kicker is that there is no evidence that mobile operation is safe either. From what I can tell, there have been no studies regarding the issue. I think that if the ARRL was really interested in safety concerns, they would commission a third party study on this. However, like any special interest group (again, this is exactly what they are and I have no problem with it) their primary interest is promoting their interests.

Froetscher also made a statement to the ARRL that I have not seen mentioned in any coverage of the letter either:

I appreciate your focus on the use of amateur radios for emergency communications during disasters. I encourage ARRL to adopt best practices for the safe operation of vehicles that confines use of amateur radios while driving only to disaster emergencies. You may want to consider documenting this through a formal policy for all of your members.

This is the political equivalent of the NSC saying “…and the horse you rode in on.” By the ARRL using Amateur Radio’s disaster communications as a shield to hide behind in order to avoid being banned under distracted driving laws, the NSC called them out on it. If we, as amateurs,  “provide essential emergency communications when regular communications channels are disrupted by disaster”, why is the ARRL telling its members to avoid using their radios while mobile unless there is an emergency? While the obvious answer is “because we want to play radio” I don’t think the ARRL is going to say that. So, instead, since the ARRL is touting the response, I look forward to them working with the NSC to re-draft their policy to limit mobile Amateur Radio use to only emergency and disaster situations.

ENISA issues “Golden ATM Rules” – A good idea? Too little too late? Or both?

OK, this floated across Twitter over the weekend:

With the annual cost of ATM crime in Europe approaching half a billion Euros, ENISA, the European Network and Information Security Agency, is urging consumers to be more aware of the risks and take precautions to avoid personal loss. The rapid growth in the number of ATMs, combined with more sophisticated attacks and fraud has resulted in an alarming 149% rise in ATM attacks in 2008.

For those of you who don’t know what ENISA is, they’re kind of the EU equivalent to US CERT. While I think that the “Golden Rules” are mostly fluff, I’ve always felt that Europe is more of the FEBA of ATM based attacks. This is a good start at trying to address issues with ATMs and I applaud it. However, with more and more sophisticated attacks coming out against ATMs, is ENISA trying  formulate battle plans against horse cavalry when the bad guys are deploying armored tanks? Could the effort of creating these be better used to start pushing banks to start reevaluating ATM security? ENISA seems to be aiming for “low hanging fruit” in this case, however,  this strategy could backfire. It’s possible that they’re setting themselves up for failure if these malware based attacks start to prevalent. If people, by some strange miracle, start taking these recommendations to heart, follow them, and still get owned, ENISA is going to have a tough time explaining themselves.

There are a lot of issues with it, but I’ll be the first to say that the perfect is the enemy of the good. This is a step in the right direction. I would love to see this start being pushed in the United States. ATM skimming scams are starting to become increasingly common across various regions in the United States. Various European gangs are starting to export attacks, sending them to other countries to steal data, so this is rapidly becoming a global problem. Ideally, in the United States at least, it would be great if some of the big banks started pushing PSAs to their customers regarding skimming and shoulder surfing. This could be sticky as I think we’d see “third party” ATM vendors scream bloody murder if the big banks say “Look out for sketchy ATMs!” I also know for a fact that Bank Of America has “free standing” ATMs (like the one at the MA-24/I-495 rest stop, complete with a Cisco router visible inside the machine, *shudder*) in some spots and I doubt they would want to drive people away from them. But still, could you picture a bank embracing ATM security? I’d certainly consider moving my business to them. The more evil side of me would love to see technology advocacy groups start pushing this as well. It be interesting to start seeing stickers on ATM proclaiming them possibly unsafe to use similar to the circa-2005 “This phone is tapped” stickers that were placed on pay phones across the US. I am sure that the banking industry would be in a tizzy if these started showing up on numerous ATMs overnight.

So, this has become a bit of a rambling post with no clear point to tie it all together. So, I’ll guess I’ll just give kudos to ENISA and tell everyone to read the Golden Rules and follow them. You’ll be glad you did.

5 Things You Might Not Know About Ben Jackson

I don’t know why this appealed to me, considering that I can’t stand these things on Facebook/e-Mail/etc, but since Andrew Hay did it, and since he started it, I felt like I should play along.

  1. I was the host of a weekly “hacker” podcast for about a year. It was a lot of work, but I do miss it. It was fun to rant and rave for a few hours a week.
  2. I did not go to any dances or proms in High School
  3. I am a published author. Another one of those things that was a lot of work but it was a lot of fun at the same time.
  4. My wife and I met on the Internet before it was “trendy”. For a long time we would skirt the question “How did you meet?” because of the looks we would get. During our wedding, the priest mentioned it in his sermon and we were sure that this was the first time a few people in the audience found out.
  5. I flunked out of Computer Science in college (Calculus) and transferred to Computer Engineering Technology (“Computer Engineering lite” as I called it) which I graduated from.

I will not, however, “tag” anyone else. I can’t stand being “tagged” and therefore will not “tag” anyone myself.

Why corporate IT chains your computers

Farhad Manjoo over at Slate recently did his best Moses imitation and cried out “Let My Office PC Go!” and railed against restrictive IT policies in the Office environment. While I understand his pain, it illustrates the disconnect between users, IT, and Information Security.

You ask your IT manager to let you use something that seems pretty safe and run-of-the-mill, and you’re given an outlandish stock answer about administrative costs and unseen dangers lurking on the Web. Like TSA guards at the airport, workplace IT wardens are rarely amenable to rational argument. That’s because, in theory, their mission seems reasonable. Computers, like airplanes, can be dangerous things—they can breed viruses and other malware, they can consume enormous resources meant for other tasks, and they’re portals to great expanses of procrastination. So why not lock down workplace computers?

Here’s why: The restrictions infantilize workers—they foster resentment, reduce morale, lock people into inefficient routines, and, worst of all, they kill our incentives to work productively. In the information age, most companies’ success depends entirely on the creativity and drive of their workers. IT restrictions are corrosive to that creativity—they keep everyone under the thumb of people who have no idea which tools we need to do our jobs but who are charged with deciding anyway.

Productivity and Morale are two very important things and I understand where Farhad is coming from. I agree that draconian restrictions can kill productivity. In my career (2001-ish) upper management decided to install web monitoring software at my place of work unannounced and came down hard on people who spent “too much” time on the web (including yours truly). It didn’t matter that my work was getting done, or I got glowing reviews from the users I supported, or that I spent my time on technology sites,  I was spending “too much” time on the web. The “solution” to this was to have me sit there and stare at my e-mail folder waiting for a support ticket. Loads of fun.

While Farhad does a great job illustrating that productivity can go up when users are given more control over their desktops, he inadvertently provides and example of exactly why users shouldn’t be given free reign over their desktops:

When I worked in an office not long ago, though, a new man in IT decided that forwarding company mail to my Gmail account might violate the Sarbanes-Oxley Act. I tried to explain that was ridiculous—Sarbanes-Oxley proscribes deleting mail, which I wasn’t doing, and, anyway, the IT department had no problem forwarding mail to people’s BlackBerries and iPhones.

Uhhh… Hey what now? While the only SOX I know in detail are the red ones, this, as a “security guy” makes me cringe. SOX aside, this is very much a BadThing™, and while yes, this might make it incredibly easy to access your work e-mail from home and give you all kind of options that your work e-mail environment may not provide it’s a bad move from a security viewpoint. How is it bad? This can be illustrated by the massive Twitter document leak this past July. A combination of bad passwords and Google Apps absolutely reamed Twitter. By putting your e-mail to a non company controlled system you are bypassing any kind of security that your company provides. Internally your IT department may have firewalls, anti-virus, intrusion detection systems, strong password policies, etc. Google, Hotmail, Yahoo, etc provides none of this for your account. If your IT department is smart, they’ll notice your account being accessed by someone who shouldn’t have access to it, while if you use GMail, how do you know that your account isn’t compromised? More importantly, how can you prove it isn’t?

As a side note, Blackberrys and iPhones are their own beast within themselves. Thankfully, RIM and Apple as of the iPhone 3GS provide pretty good restrictions on enforcing secure usage. For example: we can require you to enter a complex password if you haven’t used your device for 15 minutes. This provides us with a reasonable assurance that if you leave your device in the back of a Taxi while you’re sloshed on a Friday night, it limits the exposure of the information it contains to 15 minutes. While it’s not perfect, it does give us a bit of breathing room. If you set up some kind of Rube Goldberg system where your device checks into GMail which you sync your device to, you’re torpedoing this.

Farhad compares IT workers to the TSA, and while I’m not going to suggest that all IT workers are helpful and flowery, I can make the counter point that many times a “rational argument” boils down to “I want to use this because I want to use it” rather then providing justification. More often then not when someone “wants something” for their PC, they can rarely provide reasoning equating to “Look! Shiny!” and when pressed to answer some fairly basic questions on why they need it, it suddenly becomes the IT department standing in the way of progress. That’s not to say that there are cases when users provide an actual business justification on why they need a product and said business justification has outweighed the risk, it’s just that it seems to be the exception rather then the rule.

I’m not saying that IT needs to lock down PCs into some kind of 1984-esque environment (Although, quite frankly, it would make my job a hell of a lot easier), nor am I agreeing that everything would be sunshine and puppies if we allowed users to completely control their PCs. What I’m saying is that both IT and users need to meet each other halfway on this issue; while IT needs to understand that certain products and websites can help users do their jobs better, users need to understand that certain products are not allowed for a reason.

The entire discussion really can be reduced to a single question. IT departments face this question regularly and if we follow Farhad’s advice I think it should be passed on to the user.

As a user, are you ready to accept personal responsibility if something you want affects the security of the network?

Keep that in mind the next time you want to use Facebook at work.