In Search of the Perfect Investment

The saddest video I’ve ever seen. At congressional hearings this week on the Gulf Oil disaster, Louisiana Rep. Charlie Melancon, who represents much of the coastal area being directly affected by the spill, broke down in tears while delivering his remarks.

He started his testimony with “Having been through Katrina, Rita, Gustav, Ike and now the oil spill, the last five years have not been fun in Louisiana. … Everything I know and love is at risk.”

His lip quivering as he tried to keep his composure, Melancon couldn’t finish his statement. He submitted it for the record and walked out of the hearing.

Watch the video here. I’ve watched it three times and cried three times.

I love this country. But I often despair of it. Every president for the past fifty years has talked about making us “energy independent.” But everyone has failed. Today we use more oil and import far more of what we use.

I read with sadness, this report:

More than 800 giant wind turbines spin off the coasts of Denmark, Britain and seven other European countries, generating enough electricity from strong ocean breezes to power hundreds of thousands of homes. China’s first offshore wind farm, a 102-megawatt venture near Shanghai, goes online this month, with more in the pipeline.

But despite a decade of efforts, not a single offshore turbine has been built in the United States.

Experts say progress has been slowed by a variety of factors, including poor economics, an uncertain regulatory framework and local opposition.

Fortunately, the Obama administration did recently approve the most prominent wind turbine project — Cape Wind, off the coast of Massachusetts. But it took the death of Senator Kennedy before the Kennedy family finally came around and dropped their objections.

As a country, we buy oil from people who hate us. We borrow money from people who take our manufacturing base. We fight two wars for no purpose and with no end in sight. We pay to have military bases in countries that don’t need us — including  Germany and Japan. We criminalize drugs with disastrous consequences — from the violence in Arizona, to the huge number of  prisoners in our jails for victimless crimes. And after giving all that “bailout” money  to those nice, but failed banks, we didn’t ask for one head to roll — no change in management. No change in directors. We rewarded our 13 biggest banks for their failure.  Too big to fail. I wonder what message this sends to small entrepreneurs who can’t get a loan?

On April 22, 2010 new EPA regulations came into force. If you’re a contractor who paints must get certified with the Environmental Protection Agency (EPA).

I know about all this because I’m losing the tenant in my son’s apartment. I have a new one coming in July 1. The apartment needs some painting. I’d do some of myself.

No way. Unless I’m “lead paint certified,” the building management won’t allow me to touch my walls.

For me to become lead paint certified involves taking an eight hour course, passing an examination and receiving a graduation certificate.

At much expense, I’ve found a local  contractor who is lead paint certified. He tells me that a new competitive tactic is to rat to the EPA that the man painting your apartment is not lead paint certified… And the ultra-great news? The EPA is reputedly hiring 18,200 lead paint inspectors to enforce the new rules.

Wait till you see the new government agencies being created by the HealthCare bill. You won’t get sick from bugs. You will get sick when you hear about the new agencies.

Conficker,  and the Enemy within. If this doesn’t convince you to junk your Windows machines, nothing will. This is from the June 2010 of the Atlantic magazine:

When the Conficker computer “worm” was unleashed on the world in November 2008, cyber-security experts didn’t know what to make of it. It infiltrated millions of computers around the globe. It constantly checks in with its unknown creators. It uses an encryption code so sophisticated that only a very few people could have deployed it. For the first time ever, the cyber-security elites of the world have joined forces in a high-tech game of cops and robbers, trying to find Conficker’s creators and defeat them. The cops are failing. And now the worm lies there, waiting …
THE FIRST SURPRISING thing about the worm that landed in Philip Porras’s digital petri dish 18 months ago was how fast it grew.

He first spotted it on Thursday, November 20, 2008. Computer-security experts around the world who didn’t take notice of it that first day soon did. Porras is part of a loose community of high-level geeks who guard computer systems and monitor the health of the Internet by maintaining “honeypots,” unprotected computers irresistible to “malware,” or malicious software. A honeypot is either a real computer or a virtual one within a larger computer designed to snare malware. There are also “honeynets,” which are networks of honeypots. A worm is a cunningly efficient little packet of data in computer code, designed to slip inside a computer and set up shop without attracting attention, and to do what this one was so good at: replicate itself.

Most of what honeypots snare is routine, the viral annoyances that have bedeviled computer-users everywhere for the past 15 years or so, illustrating the principle that any new tool, no matter how useful to humankind, will eventually be used for harm. Viruses are responsible for such things as the spamming of your inbox with penis-enlargement come-ons or million-dollar investment opportunities in Nigeria. Some malware is designed to damage or destroy your computer, so once you get the infection, you quickly know it. More-sophisticated computer viruses, like the most successful biological viruses, and like this new worm, are designed for stealth. Only the most technically capable and vigilant computer-operators would ever notice that one had checked in.

Porras, who operates a large honeynet for SRI International in Menlo Park, California, noted the initial infection, and then an immediate reinfection. Then another and another and another. The worm, once nestled inside a computer, began automatically scanning for new computers to invade, so it spread exponentially. It exploited a flaw in Microsoft Windows, particularly Windows 2000, Windows XP, and Windows Server 2003—some of the most common operating systems in the world—so it readily found new hosts. As the volume increased, the rate of repeat infections in Porras’s honeynet accelerated. Within hours, duplicates of the worm were crowding in so rapidly that they began to push all the other malware, the ordinary daily fare, out of the way. If the typical inflow is like a stream from a faucet, this new strain seemed shot out of a fire hose. It came from computer addresses all over the world. Soon Porras began to hear from others in his field who were seeing the same thing. Given the instant and omnidirectional nature of the Internet, no one could tell where the worm had originated. Overnight, it was everywhere. And on closer inspection, it became clear that voracity was just the first of its remarkable traits.

Various labs assigned names to the worm. It was dubbed “Downadup” and “Kido,” but the name that stuck was “Conficker,” which it was given after it tried to contact a fake security Web site, trafficconverter.biz. Microsoft security programmers shuffled the letters and came up with Conficker, which stuck partly because ficker is German slang for “motherfucker,” and the worm was certainly that. At the same time that Conficker was spewing into honeypots, it was quietly slipping into personal computers worldwide—an estimated 500,000 in the first month.

Why? What was its purpose? What was it telling all those computers to do?

Imagine your computer to be a big spaceship, like the starship Enterprise on Star Trek. The ship is so complex and sophisticated that even an experienced commander like Captain James T. Kirk has only a general sense of how every facet of it works. From his wide swivel chair on the bridge, he can order it to fly, maneuver, and fight, but he cannot fully comprehend all its inner workings. The ship contains many complex, interrelated systems, each with its own function and history—systems for, say, guidance, maneuvers, power, air and water, communications, temperature control, weapons, defensive measures, etc. Each system has its own operator, performing routine maintenance, exchanging information, making fine adjustments, keeping it running or ready. When idling or cruising, the ship essentially runs itself without a word from Captain Kirk. It obeys when he issues a command, and then returns to its latent mode, busily doing its own thing until the next time it is needed.

Now imagine a clever invader, an enemy infiltrator, who does understand the inner workings of the ship. He knows it well enough to find a portal with a broken lock overlooked by the ship’s otherwise vigilant defenses—like, say, a flaw in Microsoft’s operating platform. So no one notices when he slips in. He trips no alarm, and then, to prevent another clever invader from exploiting the same weakness, he repairs the broken lock and seals the portal shut behind him. He improves the ship’s defenses. Ensconced securely inside, he silently sets himself up as the ship’s alternate commander. He enlists the various operating functions of the ship to do his bidding, careful to avoid tripping any alarms. Captain Kirk is still up on the bridge in his swivel chair with the magnificent instrument arrays, unaware that he now has a rival in the depths of his ship. The Enterprise continues to perform as it always has. Meanwhile, the invader begins surreptitiously communicating with his own distant commander, letting him know that he is in position and ready, waiting for instructions.

And now imagine a vast fleet, in which the Enterprise is only one ship among millions, all of them infiltrated in exactly the same way, each ship with its hidden pilot, ever alert to an outside command. In the real world, this infiltrated fleet is called a “botnet,” a network of infected, “robot” computers. The first job of a worm like Conficker is to infect and link together as many computers as possible—the phenomenon witnessed by Porras and other security geeks in their honeypots. Thousands of botnets exist, most of them relatively small—a few thousand or a few tens of thousands of infected computers. More than a billion computers are in use around the world, and by some estimates, a fourth of them have been surreptitiously linked to a botnet. But few botnets approach the size and menace of the one created by Conficker, which has stealthily linked between 6 million and 7 million computers.

Once created, botnets are valuable tools for criminal enterprise. Among other things, they can be used to efficiently distribute malware, to steal private information from otherwise secure Web sites or computers, to assist in fraudulent schemes, or to launch denial-of-service attacks—overwhelming a target computer with a flood of requests for response. The creator of an effective botnet, one with a wide range and the staying power to defeat security measures, can use it himself for one of the above scams, or he can sell or lease it to people who specialize in exploiting botnets. (Botnets can be bought or leased in underground markets online.)

Beyond criminal enterprise, botnets are also potentially dangerous weapons. If the right order were given, and all these computers worked together in one concerted effort, a botnet with that much computing power could crack many codes, break into and plunder just about any protected database in the world, and potentially hobble or even destroy almost any computer network, including those that make up a country’s vital modern infrastructure: systems that control banking, telephones, energy flow, air traffic, health-care information—even the Internet itself.

The key word there is could, because so far Conficker has done none of those things. It has been activated only once, to perform a relatively mundane spamming operation—enough to demonstrate that it is not benign. No one knows who created it. No one yet fully understands how it works. No one knows how to stop it or kill it. And no one even knows for sure why it exists.

If yours is one of the infected machines, you are like Captain Kirk, seemingly in full command of your ship, unaware that you have a hidden rival, or that you are part of this vast robot fleet. The worm inside your machine is not idle. It is stealthily running, issuing small maintenance commands, working to protect itself from being discovered and removed, biding its time, and periodically checking in with its command-and-control center. Conficker has taken over a large part of our digital world, and so far most people haven’t even noticed.

The struggle against this remarkable worm is a sort of chess match unfolding in the esoteric world of computer security. It pits the cleverest attackers in the world, the bad guys, against the cleverest defenders in the world, the good guys (who have been dubbed the “Conficker Cabal”). It has prompted the first truly concerted global effort to kill a computer virus, extraordinary feats of international cooperation, and the deployment of state-of-the-art decryption techniques—moves and countermoves at the highest level of programming. The good guys have gone to unprecedented lengths, and have had successes beyond anything they would have thought possible when they started. But a year and a half into the battle, here’s the bottom line:

The worm is winning.

What does all this Conficker stuff mean? One of the many reader comments on the article came from someone called Stephenc28. It’s harsh and long, but worth reading:

Interesting story in a Chicken Little kind of way, but I think it really missed the point.

What Bowden (the author) wrote was the cops and burglars story. The burglars are smarter than the cops and better equipped at the moment – think of the narcos and the Mexican police. And if the point of the story is for us all to be good and scared and feel helpless, then that’s OK. Mission Accomplished, as they say.

But if we take a slightly closer look at this situation, it looks a lot different. It’s not just this police story, but something bigger. The real story is that the police and the news media have been letting everyone know that there are bad burglars wandering around the neighborhood and the good citizens have been refusing to get locks for their doors and windows and refusing to use the ones they have because it’s too expensive or too inconvenient.

Windows, the near-universal operating system, is vulnerable to all kinds of cyber attacks. Some of this was because when it was first built, security thinking was less sophisticated than it later became (though Unix-based operating systems like Apple’s OS X and Linux reach back to the same era of development and were built in ways that made them much safer), some of it is because Microsoft is in a difficult spot. To make its OS as tamper-resistant as OS X, for example, the system would have to be rebuilt from the ground up. While MS (Microsoft) has the capital and human talent to rebuild, it has a huge user base hugely invested in existing hardware and programs and that has demanded backward compatibility from MS (more or less successfully) for the life of Windows.

This means that MS must patch and build incrementally rather than redo from the ground up. If going to the new, virus-resistant Windows means that the end user will have to get new hardware and new programs to run on it, the inertia holding the user in the Windows world vanishes. The user could go forward into brave new Windows. But there’s no special reason for him or her to do this. New Windows becomes one of a number of alternatives in a post-Windows world and has no special advantages (and some obvious disadvantages) in the commercial world compared with OS X or some other form of Unix. The Microsoft management that launched that kind of change would have a lot of explaining to shareholders ahead of it.

The situation here is similar to that of the dependency of the industrialized world on petroleum. Everyone thoughtful knows that this creates problems. It’s a non-renewable resource controlled by unstable governments who (mostly) do not wish us well and the use of it is causing environmental changes with obvious health and probable more general bad results. Yet, there’s no easy way to break out of it. The existing commercial world is financially anchored in petroleum and governments, even if they have the vision and political will to do something about the issue, have to proceed slowly.

The cyber-world problem is a more immediate crisis-in-the-making than the petroleum dependency one. As the industrialized world gains in computing power and controls more and more of what it does (financial transactions, power grids, weapons) with computers, it becomes more and more vulnerable to criminal or warlike attacks on computers, as both Jim Fallows and Richard Clark have recently written. It is foolish to control a warship or a power grid or a financial network with an operating system that is permeable to outsiders.

The relatively low barriers to entry into the computer superpower world, thanks to the vulnerabilities of Windows, puts large parts of the infrastructure at the mercy of criminals or hostile foreign powers.

Everyone who thinks about this issue knows this, but nothing is being done. Microsoft can’t do more than create patches and improvements and no government has the power to make it, or the computer user base, do anything more.

So we are living in a state of emergency created by flaws in how we run our economy and how our commercial and political worlds interact. It’s as if the Mafia or a drug cartel acquired nuclear weapons. And we know what should be done but can’t figure out a way to make it happen.

As things stand now, it appears that things like our financial system or power grid or who knows what continue to exist at the sufferance of thugs in Ukraine or Belorussia or Israel or East Asia and of a handful of foreign governments. In fact, Google (if it decided to stop Doing No Evil) could probably shut down the entire Western world.

Sign for Cycle Oregon. On the weekend of July 16-18, I’ll be in Oregon with my son and his fiance  riding Cycle Oregon.

There’ll be about 1,700 of us admiring and riding Oregon’s beautiful hills. Join us. Click here.

The French Tennis Open is on. It’s playing on ESPN2 or The Tennis Channel. The published timetable is useless, since it’s been raining in Paris. That’s delayed matches and forced playing them at non-scheduled times. You can also watch it on the Internet. Click Tennis Channel. Make sure you download the high-def plug-in. It really works.

Harry Newton, who’s happy BHP and EWA rose strongly yesterday. Apple is now selling iPads in Australia and Japan. The crowds buying the iPad have been extraodinary, lining up through the night. Everybody, their uncle and their uncle’s wife wants an iPad. I have never seen such excitement over a  high-tech product. Nice thing for Apple, it sells stuff and stuff and more stuff to go on the iPad — from songs to software, from movies to games. Apple gets a cut. In contrast, what does Microsoft sell — Windows and Office and then what? Nothing! I hear Steve Ballmer’s being kicked out of Microsoft. Couldn’t happen to a nicer guy. Since he took over ten years ago, Microsoft’s market capitalization has more than halved.  He missed the iPod, the iPhone, the iPad, etc. What a arrogant nebisch.