The Market Ticker ®
Commentary on The Capital Markets
Legal Disclaimer

The content on this site is provided without any warranty, express or implied. All opinions expressed on this site are those of the author and may contain errors or omissions. For investment, legal or other professional advice specific to your situation contact a licensed professional in your jurisdiction.

NO MATERIAL HERE CONSTITUTES "INVESTMENT ADVICE" NOR IS IT A RECOMMENDATION TO BUY OR SELL ANY FINANCIAL INSTRUMENT, INCLUDING BUT NOT LIMITED TO STOCKS, OPTIONS, BONDS OR FUTURES.

Actions you undertake as a consequence of any analysis, opinion or advertisement on this site are your sole responsibility; author(s) may have positions in securities or firms mentioned and have no duty to disclose same.

The Market Ticker content may be sent unmodified to lawmakers via print or electronic means or excerpted online for non-commercial purposes provided full attribution is given and the original article source is linked to. Please contact Karl Denninger for reprint permission in other media, to republish full articles, or for any commercial use (which includes any site where advertising is displayed.)

Submissions or tips on matters of economic or political interest may be sent "over the transom" to The Editor at any time. To be considered for publication your submission must be complete (NOT a "pitch"; those get you blocked as a spammer), include full and correct contact information and be related to an economic or political matter of the day. All submissions become the property of The Market Ticker.


2025-03-27 07:00 by Karl Denninger
in Federal Government , 162 references

Oh boy....

President Donald Trump revealed that a staffer with national security advisor Mike Waltz's office included the editor-in-chief of the Atlantic in a Signal group chat with senior Trump officials who were discussing plans for an upcoming strike on Houthi rebels in Yemen.

"It was one of Michael’s people on the phone. A staffer had his number on there," Trump told NBC in a phone interview when asked how Jeffrey Goldberg, the Atlantic's editor-in-chief, was added to the high-profile chat.

Who was the person with zero IT security expertise that had people in the DOD and NatSec part of the government using anything other than their own infrastructure for such things?

There's utterly no reason to ever trust any external system for sensitive information internal to the government.

Ever.

Let's say, for example, I send you an email.  I typically "sign" them.  By doing this the email has included both an attestation that it has not been altered, as otherwise the signature will not validate, and my public key.

Now if your computer has a trust chain to verify that -- and I publish that, by the way (so it can validate that public key is good) then you can now send me an encrypted message.  Once you do so not even you can read it -- only I can, because I'm the only one with the other half of the key.

With me so far?

Now let's say we start up a conversation and we have ten people in there.  I send an encrypted message to all ten.  What I actually send is ten messages because each person's public key is different and, again, each of them is the only one with the other half of it.  So far so good.  They each get it, they can decode it, but not the copy sent to anyone else -- and since I signed it, if that signature verifies they know it hasn't been tampered with in transit.

But in this case, since you care about the integrity of who can be a part of conversations generally, all transmissions go through the government's infrastructure.  The government, incidentally, already has the PKI infrastructure (issuing certificates, attesting to them, etc. -- this is part of, but not all of, how a CAC card works) to do all this.

Thus when you send the message the server -- which is a DOD/NatSec server -- is the machine that processes it.  Because a public key is in fact public it knows who the message is going to (all of the recipients) and whether the DOD/NatSec servers issued the certificates involved and to whom.

The server cannot see the unencrypted contents of the message as only the recipient of each transmission has the private key required to decode it -- but it knows who it's going to and their public certificate.  This means it can be set up to look at same and refuse to deliver a message if it is to someone who doesn't have a DOD-issued certificate and, for example, the other people in the communication do; it could either embargo it (after all, there might be circumstances where this is legitimate) or alert someone that something hinky may be going on, throw it in the trash summarily, or some combination.

It can't see the contents, but it can interdict the message before it ever leaves the DOD and identify who transmitted it because the machine that sent it is known.

In other words if you set things up properly, and run them properly, what happened can't happen and if it is attempted, either by accident or malice, not only does it not work the person who did it gets busted if the transmission was not legitimate.
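The gateway check described above, sketched as an added example (not code from this site or from any government system). The certificates and ciphertexts are constructed placeholder bytes, and the registry of issued certificates stands in for the CA's own records; class and field names are hypothetical.

```python
# Added example: gateway-side recipient vetting using only public metadata.
# Certificates and ciphertexts are constructed placeholders, not real X.509.
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Copy:
    recipient_cert: bytes   # public certificate: readable by the gateway
    ciphertext: bytes       # encrypted to that certificate: opaque to the gateway


@dataclass(frozen=True)
class Envelope:
    sender_device: str      # the submitting machine is known to the gateway
    copies: tuple           # one Copy per recipient


def fingerprint(cert: bytes) -> str:
    return hashlib.sha256(cert).hexdigest()


class Gateway:
    """Routes envelopes by recipient certificate; never reads ciphertext."""

    def __init__(self, issued):
        # issued: fingerprint -> subject, i.e. what the internal CA issued and to whom.
        self.issued = dict(issued)
        self.embargoed = []   # held for review, delivered to nobody
        self.alerts = []      # (sender_device, [unvetted fingerprints])

    def route(self, env: Envelope):
        vetted, unvetted = [], []
        for copy in env.copies:
            fp = fingerprint(copy.recipient_cert)
            if fp in self.issued:
                vetted.append(self.issued[fp])
            else:
                unvetted.append(fp)
        if unvetted:
            # One unvetted recipient holds the whole message and names the sender.
            self.embargoed.append(env)
            self.alerts.append((env.sender_device, unvetted))
            return ("embargo", [])
        return ("deliver", vetted)


# Constructed sample data.
ALICE, BOB, OUTSIDER = b"cert:alice", b"cert:bob", b"cert:outsider"
CA_RECORDS = {fingerprint(ALICE): "alice", fingerprint(BOB): "bob"}


def demo():
    gw = Gateway(CA_RECORDS)
    ok = gw.route(Envelope("ws-0417", (Copy(ALICE, b"\x01"), Copy(BOB, b"\x02"))))
    bad = gw.route(Envelope("ws-0417", (Copy(ALICE, b"\x03"), Copy(OUTSIDER, b"\x04"))))
    return gw, ok, bad


if __name__ == "__main__":
    gw, ok, bad = demo()
    print(ok, bad, gw.alerts)
```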

Yeah.

That.

Security of communications is supposed to be important.... right?

So why did CISA, which is an official government agency, recommend Signal specifically when it has no nexus within the government?  While it may be end-to-end encrypted (and not full of holes, which I can't speak to since I've never looked at it in sufficient detail to have a valid opinion), it has no means of controlling who is in a chat, nor of preventing anyone who might, whether through accident or malice, add someone unauthorized to a new or existing one, and there is no means for the participants or the organization to which they belong to vet who is in said chat.

You can have the best encryption on the planet -- absolutely impossible to break -- but if someone involved is either foolish or malicious it is meaningless, exactly as a fortified home or business matters not if you leave the front door unlocked.

The entire reason you use a chain of trust and only allow entities known to have been authorized through that chain to be included in any sort of access regime is precisely this.  Humans are both fallible and, from time to time, corrupt.

Either is fatal to a security scheme and thus you must design in and insist on a control process to mitigate that risk.

We do not, at present, know if the breach here was due to stupidity (accident counts) or malice but what we do know is that CISA -- an official government source -- made a recommendation during the last Administration (so no, you can't lay this one on Trump) to use infrastructure for allegedly "secure" communications that lacked any measure of control over human accident or malice in terms of recipient (and group) management.

This incident, beyond the actual person who added (or changed) the recipient so that reporter was in the list, is directly chargeable against CISA and their recommendation.  Since it is their job to put forward such standards for the government this is a fatal failure and every individual involved in that process, no matter how small their involvement, must be both publicly identified and expelled.  As there was apparently no classified data breached as a result of this, criminal sanction is not appropriate -- but permanent severance from any government employment now and in the future, along with summary and permanent revocation of any clearance held by said persons, is not just advisable -- it is mandatory.

Security is a process, not a product.


2025-03-23 07:45 by Karl Denninger
in Education , 90 references

I happen to be one of the people who believes it's worse than worthless as are all of the Federal regulations on same -- including Title I, IDEA (Individuals with Disabilities Education Act) and more.

Why?

Because all I look at in judging whether something works is results, and if you do something and don't get forward progress almost immediately whatever you did is at best worthless and might be harmful.

Like, for example, this instance:

An appellate court judge recently sided with Tennessee student William A., ruling that the student was denied the free public education to which he is entitled under the Individuals with Disabilities Education Act (IDEA).

"William graduated from high school without being able to read or even to spell his own name," Circuit Judge Raymond Kethledge wrote in his judgment. "That was because, per the terms of his IEPs, he relied on a host of accommodations that masked his inability to read."

But exactly what are you entitled to under the various State Constitutional protections to which IDEA (at a federal level) applies?

The premise of an IEP is that it is individual (thus the name) and serves to attempt to equalize outcomes.

There's a basic problem with that premise, which is that there are two real ways to equalize outcomes and only one of them is good.

The first is to improve the outcome for the person who is behind.

The second is to damage the outcome for all the other people, thus all are now equal but you harmed everyone else in pursuit of the goal.

"The Trees", a song by Rush, points out what happens if you try to address such an issue the bad way.

Back when I was in school we had a "short bus"; kids being kids yes, there was plenty of ridicule for anyone who rode it.  Those who couldn't keep up in a regular classroom went to different classrooms where the pace of learning was different, usually much slower.  In addition those who were bored out of their skulls were often skipped a grade (or sometimes even two.)  The latter was frequently a disaster not on academics but rather on the social aspects of things because schools then, as today, were either incapable, unwilling or both to remove disruptive kids from class and thus the bullying was horrid and, being younger and smaller, those skipped often had no chance of defense (and yeah, the bullying was often physical to the point of what any fair-minded person would consider criminal assault and battery.)

But the former recognized that many of these kids simply couldn't hack the work in a regular classroom.  IDEA, passed in 1975, effectively tried to make this illegal; instead any kid who was unable was put on an "IEP" and all attempts were made to keep that kid in a regular classroom with various supplemental assistance.

This sounds superior -- but it didn't work and when those kids were disruptive the school did not remove them to a different place, often because such was ruled illegal since it was "discrimination" to do so.

This cannot be laid just on administrators, by the way -- although teachers will often try to do exactly that.  This is one of the challenges with teacher unions and government employees generally; in the private sector if your boss is a jerk and screwing up your progress the obvious and best course of action is to quit and go work somewhere else.  If you don't, and the job doesn't get done, it's still on you because you got paid and yet failed to produce the expected functional product or service.

This is true in teaching as in all other endeavors from sweeping floors to literal rocket science but of course we never hold anyone accountable that way in schools because as a government-funded institution the money flow doesn't come from voluntary contributions by customers who come in the door and buy things -- and who can go somewhere else, removing said funds and thus cause the firm to fail.

The extreme examples of failure of this policy show up all the time -- like here:

Two students were arrested after allegedly violently beating a teacher at a high school in Fort Lauderdale, Florida, on Thursday, according to the Fort Lauderdale Police Department.

The altercation, captured on video, shows Jayvis L. McClover, 19, and Roddrick McQueen, 19, approach a teacher at Dillard High School at approximately 2 p.m. on Thursday, "verbally threatening to attack him," police said.

The two, who are both enrolled at Dillard High School, then "intentionally launched a synchronized physical attack" on the teacher. McClover and McQueen "repeatedly punched the teacher in the face and head with closed fists," causing the educator to fall to the ground, police said.

What are two 19 year old boys doing in High School at all?  There are reports these two are freshmen, meaning they're more than four years behind where they should be -- and this presumes they were actually doing work at the grade level they were in which, given the amount of time they were behind, is unlikely.

I don't have conclusive answers on this issue -- but what I do know, and it cannot be disputed, is that fifty years after IDEA was passed into law it has utterly failed and no successful attempts at reform have been made and implemented.  That these cases continue, and they're not rare by any means (there's another who assaulted a teacher in Florida - and drew prison time - with the "cause" being the teacher confiscating his Nintendo.  He's suing the school claiming they're responsible for his violence!) can be found with even the most-cursory search in virtually every school district across America.

A school that graduates someone with a credential representing a given level of proficiency when that person cannot even read or write has no excuse for said act.  That's fraud, both upon the person with the alleged diploma and every employee of said school, along with all of them in all the previous schools along the way from the point where said kid was identified as unable to perform to grade level and passed anyway has defrauded those spending the money -- in other words, all the taxpayers in that state and locality.  Worse, the harm is both permanent and severe in that you can't get the 12 years or more back that was expended by the kid and thus there is no money remedy that makes the former child whole.

There are multiple schools in various areas in this nation where zero of the students are proficient at grade level, per standardized testing.  Not one employee of said school earned their salaries by honest employment when measured by results.  Yes, the janitor who swabs the floors did in fact clean the floors but the reason the janitor has a job at all is so the school can produce competent graduates.  A restaurant that failed 100% of the time to produce edible food for sale would be out of business in a week, including the janitor who in fact cleaned the floors and tables, yet these entities continue to forcibly extract funds from the taxpayer and their employees, by expending said funds while not returning anything of value to society in the final product of their effort, contribute demand in the local economy and thus drive up the price of all goods and services in said area.

This has to be fixed -- and what's clear, after five decades of both Republican and Democrat Administrations is that it can't be fixed within and under the Department of Education.

That which all political entities with a voice have had sway and control over, through five decades of time, and have entirely failed at said mission, is not reformable; if it were possible, given the various divergence of political opinion and capacity to execute on same, it would have happened.

Therefore all you can do in such a situation is to delete it -- and thus return to the States the full, unbridled authority to regulate same.

Some states will continue to fail, but others will not.

This was the "magic" of the original design of America -- with 50 States, all independently making decisions such as this, you have fifty times the number of potential answers to a given issue under test and while some or even most will fail the odds go up that one or more will succeed, and those that do will be rewarded by the people (via people moving there) while the failing ones will be punished (via people fleeing with their families and tax revenue.)


2025-03-21 02:19 by Karl Denninger
in POTD , 41 references
 

 

View this entry with comments (opens new window)
 



An interesting pattern was noted here recently -- crawlers that didn't look to be search-engine related.

"Crawlers" request data from your web server "as a person - sort of."  They're robots, and the usual use of them historically is to populate search engines, which if done in a respectful way is of benefit to the site owner.  Respectful robots do this with time and rate limits because they're not paying you anything, they are imposing load, and thus your incentive to let them is that they cause people to visit your site when they query the search engine.  That is, there's value both ways.

There is also a "robots.txt" file you can populate that tells a robot (or all robots) what places it should not index.  There are plenty of reasons to do that; you might have, for example, static content that is in a file but isn't useful to a user as a search term, but is something you display (e.g. your copyright data.)  Those lookups are entirely wasted on both ends, so you tell the robots not to do that.  You can also list specific robot "identifiers" as "don't index at all" but that's not an enforcement, it's a request.

Of course the problem here is that since it's a request a robot might ignore it.  That's not very nice, but again, it's an "ask."

Of late there has been quite-significant growth in "crawlers" that aren't indexing for public benefit and they are ignoring directives in the robots.txt file.  That is, they're crawling not to populate a search engine but for other purposes, including using the data for AI training or even to market against your site, and because they're acting maliciously they also ignore your directives in robots.txt.  This is a gross violation of the premise of the web, which is that you scratch my back and I scratch yours: I let you crawl my site because you're going to direct readers to my pages with the results of doing so (either in a search engine or in advertising bidding.)

Leaving aside the legal issue (copyright) of taking material for other than its published use and for commercial gain of the taker without agreement on compensation (or an explicit exemption) to the publisher, which is unlawful by the way, there is the fact that traffic and processing is not free and if you're going to take without any sort of colorable claim that the person you take it from will benefit why should they let you do it?

Well, I decided not to, and thus identified a bunch of these aggressive robots that as near as I could tell by investigation were either (1) training AIs or (2) collecting data they were then selling to other competing properties as "search optimization" bids, that is, they're using my data to market directly against me.

Not anymore they're not -- I altered my blog software so that if you're a crawler and get identified as one of those that is either presumed to be acting maliciously or for training AI type things, including specifically ignoring the robots.txt file, you get a nice pink screen that says "Robot identified and rejected; go away" instead of whatever you were trying to access.

What was the impact of this?

Zero in terms of unique actual users.

But a 30% decrease, roughly, in terms of bytes passed!

If you run a web property you need to look into this.  From the data roughly one third of the data you are processing and transmitting, and thus one third of your operating cost for said processing and transmission, may be consumed by robotic actors who are using that data to deliberately harm your operation, either by training AIs against your material or marketing directly against your operation to others, including if you sell physical or digital products, your direct competitors!

Nobody in their right mind would permit this sort of abuse if they knew about it but I'll bet not one web operator in a hundred knows the scope of this -- until I collected the data, analyzed it in full and then implemented the block, which does take a bit of work, it was certainly not clear to me that one third of the traffic volume was in fact these aggressive and harmful (to me) robotic "readers."
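One way to collect the numbers described above, as an added example (not the blog software's own code): parse combined-format access log lines, flag self-identified robots that request paths robots.txt disallows, and report their share of bytes sent. The log lines, bot names and the "bot|crawl|spider" robot heuristic are constructed assumptions; only the rejection text comes from the post.

```python
# Added example: byte share of robots that ignore robots.txt.
# Log lines, IPs and bot names below are constructed sample data.
import re
from collections import defaultdict
from urllib.robotparser import RobotFileParser

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-) "[^"]*" "([^"]*)"$'
)
# Assumption: a client counts as a robot only if its User-Agent says so.
ROBOT_HINT = re.compile(r"bot|crawl|spider", re.I)
REJECT_BODY = "Robot identified and rejected; go away"

ROBOTS_TXT = """\
User-agent: ExampleTrainerBot
Disallow: /

User-agent: *
Disallow: /archive/
"""


def analyze(log_lines, robots_txt):
    """Return (bytes per User-Agent, violating User-Agents, violators' byte share)."""
    rules = RobotFileParser()
    rules.parse(robots_txt.splitlines())
    bytes_by_ua = defaultdict(int)
    violators = set()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: ignore rather than guess
        _ip, _method, path, _status, size, ua = m.groups()
        bytes_by_ua[ua] += 0 if size == "-" else int(size)
        # Humans may browse disallowed paths; only robots are bound by the file.
        if ROBOT_HINT.search(ua) and not rules.can_fetch(ua, path):
            violators.add(ua)
    total = sum(bytes_by_ua.values())
    wasted = sum(bytes_by_ua[ua] for ua in violators)
    return dict(bytes_by_ua), violators, (wasted / total if total else 0.0)


def respond(ua, violators, page_body):
    """Serve the rejection text to flagged robots, the page to everyone else."""
    return REJECT_BODY if ua in violators else page_body


def _line(ip, path, size, ua):
    return (f'{ip} - - [17/Mar/2025:07:00:00 +0000] '
            f'"GET {path} HTTP/1.1" 200 {size} "-" "{ua}"')


BROWSER = "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
SAMPLE_LOG = [
    _line("192.0.2.10", "/blog/1", 5000, BROWSER),
    _line("192.0.2.10", "/archive/a", 4000, BROWSER),       # human, not flagged
    _line("198.51.100.7", "/blog/1", 5000, "ExampleSearchBot/2.1"),
    _line("203.0.113.9", "/blog/1", 3000, "ExampleTrainerBot/1.0"),
    _line("203.0.113.9", "/archive/a", 3000, "ExampleTrainerBot/1.0"),
    "garbage line that does not parse",
]

if __name__ == "__main__":
    by_ua, bad, share = analyze(SAMPLE_LOG, ROBOTS_TXT)
    print(sorted(bad), f"{share:.0%} of bytes")
```

A robot that lies about its User-Agent passes this check; matching on the header only catches the ones that identify themselves.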


2025-03-17 07:00 by Karl Denninger
in Editorial , 148 references

As some of you who've followed me know the Tennessee Smokies (Cubs AA affiliate here) had their last games in Sevier County's stadium right off I-40 this last fall, moving to a newly-built stadium in Knoxville.  The irony is that the club used to be in Knoxville before moving here.

Being that I used to go somewhat regularly and often bought my tickets online an hour or two before the game, and they were very nicely priced (as was the beer and parking) they've been spamming me with season ticket solicitations.  Naw, but what I was very interested in was their single-game pricing -- which they had not yet disclosed.

Until now, with a "flash sale" they sent me Sunday morning.

It's double -- literally -- what it was at the other park.

Best of luck to the Smokies at that price.

You priced yourself out for me, and there's no way to come back from it when you insult someone who's really liked you folks, and spent money and evenings in your ballpark, when you do something like that -- especially when you're all gushing about how "it's good for the team and the local business environment."  There wasn't anything wrong with the existing park, by the way -- it was extremely friendly, the sightlines were excellent and there was literally not a single bad seat in the place.

I'm sure it's good for the construction company, the condo/apartment place going up right there, and similar.  However, in addition Knoxville has doubled street parking "meter" prices, removed all free street parking in the general vicinity (including during times there is no game, like this last weekend), and then to make it worse also has removed physical meters with the capacity to accept quarters or a card at said meter, so now you must use their "app vendor" on your phone which surcharges your parking by a dollar a crack on top of per-hour price doubling.  Thus for an hour-long period of time your cost has basically tripled to park on the street, funneling some of the money to their "preferred" private vendor who they gave the street parking contract to on top of it.

I hope Knoxville and all the eateries and bars in the vicinity love what that does to all the nice places I used to go and spend money at in Old City, especially during the week when they typically ran "happy hour" deals -- which has now gone to zero for me as well since the formerly-available option to park for free is now limited to the two lots behind Mill and Mine under I-40 which are a half-mile or so walk to said establishments -- and who knows how long that will persist before the city decides to put those on the mandatory "you must pay through our preferred vendor and let them ****** you" game as well should you choose not to park on the street.  It won't kill my weekend visits to a couple of my favored downtown establishments at this point because, at least so far, the city lots remain free to park in on weekends.

Perhaps the people of Knoxville will actually flock to a ball game at double the price it used to be 15 minutes up the road (or perhaps none of them have cars and thus now will go where before they would not) and perhaps all those who don't live within walking distance will not care about the screwing they take with the parking situation.  I'm sure the beer at said stadium is likewise double the price but I'll never find out by stepping foot in there, never mind the impossibility of a reasonable parking option -- where it was $5 at the old stadium and no shortage of spaces to park right there at the stadium, ever, even during major busy games where they were nicely filled which did occasionally occur.

Someone's gotta pay for that nice shiny new stadium "development" -- but it won't be me, and unfortunately since the local businesses either didn't oppose this or failed to put a stop to the collateral screwing of anyone coming into that general part of the city by car I won't be visiting them and spending money there nearly as often either.
