Monday, July 7, 2008

Spliced feed for Security Bloggers Network

Security Catalyst Community: discussion forum activity for July 7, 2008 [The Security Catalyst]

Posted: 07 Jul 2008 05:00 AM CDT

As we roll into Monday (and after a holiday weekend in the US), there are several interesting posts ready for your comments, and plenty of insight to make your week even easier! Take a look at:

 

Join in the Discussion!

Your participation is your currency (means no charge to join) - the more you contribute the more you learn and the more valuable the community becomes to everyone (so dive in and share). If you have not yet registered, please remember to use firstname.lastname as the standard.

The Evolution of Penetration Testing [spylogic.net]

Posted: 07 Jul 2008 05:00 AM CDT

Evolution

Last week GNUCITIZEN posted an article entitled "Tiger Team Operations vs. Penetration Testing". I personally feel this is a spot-on article and a must-read for anyone involved in either tiger team operations or penetration testing. The article focused on three areas in regards to these two types of assessments: quality, pricing and time frames. While these three areas are quite different when comparing a tiger team operation vs. a penetration test, I see something more when it comes to penetration testing. I see the penetration test as we know it eventually evolving into tiger team operations.

While we will always need to conduct traditional network and web application penetration tests, clients and employers are asking us to conduct more "unique" assessments. These unique types of assessments include things like social engineering, client-side phishing, physical security reviews, user security awareness, or testing the overall security of a specific facility or business unit. These unique individual assessments are addressing the changing threat landscape and new ways information systems and people are being exploited.

A tiger team can address many of these different types in one unique assessment of its own (including network and web application penetration when appropriate). Keep in mind, a tiger team operation is very different than a penetration test in terms of quality and quantity, as GNUCITIZEN mentions. A tiger team requires multiple unique skill sets (for example a physical security specialist) and always requires multiple high-performance team members. Let's also not forget about timing and preparation. A tiger team operation and a penetration test should always be conducted unannounced, and to conduct the operation properly the team must be held to strict confidentiality. In regards to preparation, a tiger team operation may take many weeks and/or months to prepare. Why so long? The longer the preparation time (meaning the reconnaissance phase), the closer you will get to simulating an actual attack on the targets selected. The real bad guys that want to do harm to your organization have the advantage of time...a tiger team must try to replicate this as closely as possible. There may also be variations of a tiger team operation as well. Some methods may or may not need to be used depending on the scope and the target(s).

I am currently putting together a presentation for a conference later this year on how tiger team assessments work in a large corporate environment and how you can take these same concepts and use them either with an internal penetration testing program or for clients. More on this in the coming weeks. In the meantime, if you want to know what a tiger team operation/assessment is like...I recommend you check out the Tiger Team series that was on TruTV last year. You can find torrents and also view one of the episodes on the TruTV web site.

Mind the Storefront! [Branden Williams' Security Convergence Blog]

Posted: 06 Jul 2008 06:30 PM CDT

Dave Taylor has another guest post on StoreFrontBackTalk, this one alluding to a lack of audit resources to mind the storefront (like Minding the Gap!).

Storefront security continues to be an issue for retailers even outside of PCI. Take physical security for example. Realize that a major retailer's data center tends to be a hardened facility that is not easily accessed (with the exception of a few notable ones that are for another post). There are security guards, badged access, and sometimes even mantraps. Now visit that same retailer's storefront. You might find accessible Ethernet jacks, or worse, a system room door that is unlocked or left wide open. Walk in there with an official-looking ID and you might just jack into that same VLAN or security level as if you had jumped through all the hoops at the data center!

The point that Dave makes is the same one I'll make here. There are two things that will greatly mitigate the risks associated with weak physical security in the stores.

  1. Remove all card data from the store (How about most of it? Or just unencrypted data?)
  2. Deploy end-to-end encryption from the POS Terminal to the data center.

Companies that treat their store networks as trusted are fooling themselves. Those networks are either already hacked, or could easily be hacked (even if you ignored the obvious insider threat!). End-to-end encryption is a best practice for PCI (and in my opinion, it should stay that way for now), but it is definitely an example of layered security on top of compliance that will greatly increase a company's resistance to a breach.

Security Catalyst Community Blogrolling [The Security Catalyst]

Posted: 06 Jul 2008 05:51 PM CDT

I took some time today to validate the blog and podcast members of the Security Catalyst Community (SCC). The SCC was established to serve the needs of all bloggers, podcasters and professionals to have a common place to come together and share ideas. As the community grows, more voices representing different experiences and perspectives work to enhance the benefit for those who participate.

Here is the list of voices, active in the community (more than 5 posts), that work to enhance the overall community experience. We have over 30 members who are bloggers and podcasters! You can view the full list here: What Security Blogs and Podcasts are represented in this community? This explains the growing quality of the discussions, ideas, insights and solutions being shared on a daily basis!

Note: if you are a current community member and are not listed, please send me an email or private message and I’ll be certain to get you included.

The Security Catalyst (Michael Santarcangelo) | http://www.securitycatalyst.com
The Network Security Blog and Podcast (Martin McKeay) | http://www.mckeay.net
Security Ripcord Blog and Podcast | http://blog.cutawaysecurity.com
Education Security Incidents (Adam Dodge) | http://www.adamdodge.com/esi
An Information Security Place (Michael Farnum) | http://infosecplace.com/blog
Andy, IT Guy (Andy Willingham) | http://andyitguy.blogspot.com/
Andrew Hay | http://www.andrewhay.ca/
Scott Wright (Security Views) | http://www.securityviews.com
Security Renaissance | http://securityrenaissance.com/
Marcin Wielgoszewski | http://www.tssci-security.com
John Biasi | http://www.john-biasi.com
Chris Hoff | http://rationalsecurity.typepad.com
RioSec Security WebLog (Chris Byrd) | http://www.riosec.com
James Costello | http://genesyswave.bloggerteam.com/
Harlan Carvey, CISSP | http://windowsir.blogspot.com
Jon Robinson | www.jonsnetwork.com
Chris Harrington | www.infosecpodcast.com
John Gerber | http://www.securitymonks.com
Rebecca Herold | http://www.realtime-itcompliance.com & podcasts at http://www.realtime-itcompliance.com/podcast/
Randy Armknecht | http://www.rarmknecht.net
Didier Stevens, CISSP | https://DidierStevens.com
Amrit Williams | http://techbuddha.wordpress.com
David D Bergert, CISSP, CISA | http://www.infosecblurb.com
Justin Clarke | http://www.justinclarke.com
Lori MacVittie | http://devcentral.f5.com/weblogs/macvittie/
Andy Steingruebl | http://securityretentive.blogspot.com/
Security Thoughts (Allen Baranov) | http://securethink.blogspot.com
Brad on Security (Brad Andrews) | http://bradonsecurity.blogspot.com
Anton Chuvakin | www.securitywarrior.org
Keith Kilroy | http://blog.securitynow.us
Walt Conway | http://treasuryinstitute.org/blog/

Please take a moment to visit some of these resources to read their thoughts, and then come participate in the discussion at the Security Catalyst Community.

Join Us!

Your participation is your currency (means no charge to join) - the more you contribute the more you learn and the more valuable the community becomes to everyone (so dive in and share). If you have not yet registered, please remember to use firstname.lastname as the standard.

Article Review: Security Features on Switches [Security Karma]

Posted: 06 Jul 2008 10:08 AM CDT

InformIT: Security Features on Switches > Securing Layer 2

If you are a switch jockey you know the difficulties in applying security down the stack past layers 3 & 4 and into layer 2.
There are many layer-2 security features available, but unfortunately in a large dynamic environment they are typically difficult to deploy. Chapter 2 from the Network Security Technologies and Solutions (CCIE Professional Development Series) book by Cisco Publishing gives the reader a rundown of all the technologies at your disposal (when using a Cisco Catalyst switch, of course!).

What did I learn?
Being a former switch jockey myself (and being security conscious, of course) I was pretty familiar with most of the topics covered in this chapter. However, that isn't to say I know everything, and there were definitely topics that I was either unfamiliar with or learned more about while reading.

The port-level controls are standard fare with a new twist (for me): I hadn't heard of the Protected Ports (PVLAN Edge) feature, which basically prevents ports within the same VLAN from communicating with each other. This feature would allow you to forgo VLAN ACLs if you didn't want any communication between ports to occur.

The section on ACLs was extremely straightforward, with a few nice diagrams explaining the concepts thrown in for us visual-learner types. If you don't know ACLs yet I would recommend starting with a book geared toward the CCNA level and not the CCIE, as this chapter explores a few advanced concepts (layer 2 and VLAN ACLs being a few).

The rest of the chapter is spent on some of the lesser-known security controls available to network and security professionals. DHCP Snooping, Dynamic ARP Inspection, and Control Plane Policing (CoPP) are just a few of the subjects covered. Pretty paranoid stuff and most likely not deployed in most of your larger, non-ISP shops (in my experience, YMMV).

The article also gives us a list of best practices to follow for effective L2 security. I will list a few of these best practices but I recommend you click on the link above and read the article yourself as you will most likely learn something interesting and useful.

  • Always use a dedicated VLAN ID for all trunk ports.
  • Be skeptical; avoid using VLAN 1 for anything.
  • Disable DTP on all non-trunking access ports.
  • Use MD5 authentication where applicable.
  • Disable CDP where possible.
  • Shut down or disable all unused ports on the switch, and put them in a VLAN that is not used for normal operations.
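As an added example (not code from the article or the book under review), the following Python script audits a constructed Cisco IOS-style running configuration against four of the best practices listed above: a dedicated native VLAN on trunks, no ports left in VLAN 1, DTP disabled on access ports (`switchport nonegotiate`) and CDP disabled on access ports (`no cdp enable`); shut-down ports are only checked for their parking VLAN. The interface names and the configuration are made up; the defaults the checks assume (VLAN 1 when no access or native VLAN is configured, DTP active unless `nonegotiate` is set) are standard IOS behaviour.

```python
"""Audit a Cisco IOS-style running configuration against the layer-2
best practices listed in the reviewed chapter: dedicated native VLAN on
trunks, nothing left in VLAN 1, DTP and CDP disabled on access ports, and
unused ports shut down and parked in a non-production VLAN.  Added example;
the sample configuration below is constructed, not taken from a real device."""
import re
from typing import Dict, List

# Constructed 'show running-config' excerpt.  IOS indents interface
# sub-commands with one space and separates sections with '!'.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 description uplink to core (trunk, native VLAN left at default)
 switchport mode trunk
!
interface GigabitEthernet0/2
 description hardened user port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 no cdp enable
!
interface GigabitEthernet0/3
 description user port with DTP and CDP still on
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/4
 description unused port, shut down and parked
 switchport access vlan 999
 shutdown
!
interface GigabitEthernet0/5
 description unused port left at factory defaults
!
"""

INTERFACE_RE = re.compile(r"^interface (\S+)$")
ACCESS_VLAN_RE = re.compile(r"^switchport access vlan (\d+)$")
NATIVE_VLAN_RE = re.compile(r"^switchport trunk native vlan (\d+)$")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [sub-command lines]} for every interface block.
    A block runs from its 'interface' line until the next non-indented line
    (a '!' separator or a global command)."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        match = INTERFACE_RE.match(raw)
        if match:
            current = match.group(1)
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks


def configured_vlan(lines: List[str], pattern: re.Pattern) -> int:
    """VLAN ID set by the first line matching pattern.  IOS falls back to
    VLAN 1 when no access VLAN or trunk native VLAN is configured."""
    for line in lines:
        match = pattern.match(line)
        if match:
            return int(match.group(1))
    return 1


def audit_interface(lines: List[str]) -> List[str]:
    """Findings for one interface, as human-readable strings."""
    findings: List[str] = []
    if "switchport mode trunk" in lines:
        if configured_vlan(lines, NATIVE_VLAN_RE) == 1:
            findings.append("trunk native VLAN is 1; assign a dedicated, otherwise unused VLAN ID")
        return findings
    # Non-trunking port (explicit access mode or the dynamic default).
    if configured_vlan(lines, ACCESS_VLAN_RE) == 1:
        findings.append("port is in VLAN 1; move it to a purpose-specific or parking VLAN")
    if "shutdown" in lines:
        return findings  # an administratively down port cannot negotiate or advertise
    if "switchport nonegotiate" not in lines:
        findings.append("DTP still active; set 'switchport mode access' and 'switchport nonegotiate'")
    if "no cdp enable" not in lines:
        findings.append("CDP still enabled on an access port; add 'no cdp enable'")
    return findings


def audit(config: str) -> Dict[str, List[str]]:
    """Map every interface in the configuration to its list of findings."""
    return {name: audit_interface(lines) for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

Run against the sample, only GigabitEthernet0/2 (hardened) and GigabitEthernet0/4 (shut down and parked) come back clean; the defaulted GigabitEthernet0/5 collects all three access-port findings.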

Grave Robbers Hit Montgomery Ward For Up To 200K Credit Card Numbers [Security Karma]

Posted: 06 Jul 2008 09:08 AM CDT

The AP is reporting that the online retail store Montgomery Ward was breached back in December, with between 51,000 and 200,000 credit card numbers, expiration dates, and CVV2 numbers exposed. Details of the breach aren't widely known, and it wasn't reported whether Direct Marketing Services [DMS], the company that purchased the Montgomery Ward name out of bankruptcy, was PCI DSS compliant.

None of that information is that troubling to me, however. Breaches happen. We learn from them (hopefully) and move on. What irks me about this one is that DMS didn't notify their customers after the breach occurred. Since the penalties for non-disclosure are far less (non-existent in some cases) than the costs associated with replacing credit cards and monitoring up to 200,000 credit reports, DMS did what companies do best: act in their own self-interest, watch the bottom line, and hope nobody finds out.

Obviously there is no easy solution to this problem. DMS followed guidelines and notified banks of the breach. However, it is not mandated that the bank notify a customer that their information was potentially compromised. Disclosure is left up to the merchant that was originally hit and will ultimately pay for any and all costs associated with replacement of cards and monitoring of accounts.

Unfortunately, this is a case where the private market will not lead to an efficient outcome. Legislation is needed in order to hold companies accountable for the non-disclosure of private and financial information breaches. We will see proper disclosure of breaches when we start walking CIO's and CEO's out of headquarters in handcuffs and making the fines high enough to make full disclosure seem like a bargain. I hope companies start doing the right thing by their customers but I, for one, will hold my breath.

Do Not Mobilize My Personal Data [ImperViews]

Posted: 06 Jul 2008 05:23 AM CDT

At least not to an unencrypted laptop device...

The 2nd quarter of 2008 demonstrates the absurdity of a few lost/stolen laptops affecting thousands of people. Laptops stolen from hospitals, banks, schools, and government organizations contained unencrypted private data of thousands of people (employees, former employees, students, clients, patients).

"The computer is password protected" is no longer an acceptable argument to relieve the affected people.  Organizations still are not stepping up to their responsibility to govern the data, and to minimize the damage caused by the loss of laptops.

Take the Stanford University case as an example: 62,000 current and former Stanford employees are affected by this theft. The laptop contained their name, address, phone number, and SSN. Why? Well, according to Stanford's announcement the relevant table was erroneously copied to the laptop.  The University mentioned that its information security policies and guidelines disallow storing unencrypted sensitive data on any unprotected system. This is a pretty restricted policy, but obviously its implementation is not audited.

With today's database activity monitoring and security solutions, it is possible to restrict the types of activities users perform with sensitive data without completely denying access to this data. After all, it is not enough to have a policy that forbids storing unencrypted data on laptops but cannot prevent it, or at least issue an alert when data is jeopardized. Effective controls can actually detect the move of sensitive records or entire tables across the enterprise and in particular onto end-stations (not to mention mobile ones), giving the organization a heads-up before mishaps take place.

The AT&T stolen laptop is the same story, different organization. Again the data on the stolen laptop included names and SSNs of AT&T employees. The data was not encrypted, and AT&T declares that this is a violation of its policy. But why are they aware of this violation only after the laptop was stolen?

In both incidents the organizations claim to have detailed, accurate information about the data that was on the laptop, so we can assume that they do have some auditing on their databases. Unfortunately, their audit trail does not give them a real ability to govern the database in real time and enforce their security policy. It is only a damage control system that functions after the damage has been done.

- Gal

What To Buy? [securosis.com]

Posted: 05 Jul 2008 10:36 PM CDT

This is a non-security post… I did not get a lot of work done Thursday afternoon. I was shopping. Specifically, I am shopping for a new laptop. I have a four year old Fujitsu running XP. The MTBF on this machine is about 20 months, so I am a little beyond laptop shelf life. A friend lent me a nice laptop with Vista for a week, and I must say, I really do not like it. Don’t like the performance. Don’t like the DRM. Don’t like the new arrangement of the UI. Don’t like the lowest-common-denominator approach to design. Don’t like an OS that thinks it knows what I want and shoves the wrong things at me. The entire direction it’s heading seems to be the antithesis of fast, efficient, & friendly. So what to buy? If you do not choose Windows, there really are not a lot of options for business laptops. Do you really have a choice?

I was reading this story that said Intel had no plans to adopt Windows Vista for their employees. Interesting that this comes out now. Technically speaking, the Microsoft “End of Life” date for Windows XP was June 30th. I sympathize with IT departments, as this makes things difficult for them. I am just curious what departments such as Intel’s will be buying employees as their laptops croak? With some 80,000 employees, I am assuming this is a daily occurrence, so I wonder how closely their decision-making process resembles mine. I wonder what they are going to do. Reuse XP keys?

I have used, and continue to use, a lot of OSes. I started my career with CTOS, and I worked on and with UNIX for more than a decade. I have used various flavors of Linux & BSD since 1995. I have had Microsoft’s OSes and Linux dual booting on my home machines for the last decade. I am really not an OS bigot, as there are things about each that I like. For example, I like Ubuntu and the context cube desktop interface, but I am not sure I want that for my primary operating system. I could buy a basic box and install XP with an older key, but worry I might have trouble finding XP drivers and updates.

Being an engineer, I figured I would approach this logically. I sat down and wrote down all the applications, features, and services I use on a weekly basis and mapped out what I needed. Several Linux variants would work, and I could put XP in a virtual partition to catch anything that was not available, but the more I look, the more I like the MacBook. While I have never owned a Mac, I am beginning to think it is time to buy one. And really, the engineer in me got thrown under the bus when I visited the Mac store http://store.apple.com/. %!&$! logic, now I just kind of want one.

If I am going through this thought process, I just wonder how many companies are as well. MS has a serious problem.

Chinese hacker soap opera [The Dark Visitor]

Posted: 05 Jul 2008 10:11 AM CDT

On the 21st of June, we told you about SKSgod selling a trojan downloader called “Chinese Hacker Vampire” and the online controversy that ensued when another hacker took credit for it.  The end? No, fresh drama has been introduced into this saga.

Author of Chinese Hacker Vampire Program JAILED!

On 4 July, News.cn reported that an 18-year-old hacker surnamed Zhou had been arrested in connection with selling the trojan downloader program. Police from Chongqing City launched an investigation into the case after receiving a phone call from an anonymous source who reported that there was a website selling the Chinese Hacker Vampire downloader. According to the report, Zhou's website even threatened to shut down the anti-virus software industry.

On July 1st,  Chongqing police captured Zhou while still asleep in his apartment and he later made a full confession to the crime.  The end? No.

Silly police, you can’t arrest a vampire

Decided to visit SKSgod’s website and see when he last posted and surprise…it was 5 July.  Wait, wasn’t he jailed on July 1st?  Nope.  SKSgod is just having a real run of bad luck with people stealing his program and identity.

On 5 July, he posts an apology to all the people who lost money purchasing the Chinese Vampire downloader and promised to use his energy to create a better program.  One person in the comments section suggested that his time and energy could be put to better use. So, that was funny.

On 4 July, when the story was breaking about the arrest, he posted three separate articles dealing with the rumor.  All three postings had the same theme, complaining about how all this news was hurting his reputation.

Is he at all concerned about the poor schmuck shown getting arrested? Nope, this is all about him and his online creds.  The end? Who knows.


Passport-peeking probably pervasive [Emergent Chaos]

Posted: 04 Jul 2008 04:56 PM CDT

Back in March, we wrote about unauthorized access to Barack Obama's passport file.

At the time, a Washington Post article quoted a State Department spokesman:

"The State Department has strict policies and controls on access to passport records by government and contract employees"

The idea was that, while snooping might occur, it would be caught by controls put in place specifically to detect accesses to the records of high-profile people.

Well, as it turns out the State Department may not be quite as good at detecting such accesses, or at following up (shocking, I know).

In a July 4 article, the Los Angeles Times reports:

A federal investigation of unauthorized snooping into government passport files has found evidence that such breaches may be far more common than previously disclosed, and the State Department inspector general is calling for an overhaul of the program's management.

In a report issued Thursday, the inspector general found "many control weaknesses" in the department's administration program, including what investigators said was a lack of sound policies on training staff, accessing electronic records and disciplining workers who break privacy rules.

According to the article, passport files may be viewed by over 20,000 government workers and contractors. In a sample of 150 celebrities chosen for examination by investigators, 85% had been accessed at least once. One was accessed over 100 times (!) in the last six years.

Amusingly, at a press conference held on July 4, State said that half of those who had access in March no longer have it. They also were unable to say whether spot-checks on detected accesses were taking place in the past. Put those together and you have a system where at least twice as many people have access as need it, and privileged operations are recorded but the folks in charge do not know if the audit trail is used.

The redacted report is available at the C-SPAN web site, but not at the State Department's near as I can tell. Draw your own conclusions.

Whathehuhnammm…heh, heh. [The Dark Visitor]

Posted: 04 Jul 2008 07:06 AM CDT

That was the actual sound that came out of my mouth when I first viewed this picture from Xinhuanet of People’s Armed Police officers demonstrating new Olympic counter-terrorism equipment:

Eastwood, if you can bring me back one of these Segways-of-Death…man, we are buds for life!


Dataloss via Stupidity. [.:Computer Defense:.]

Posted: 04 Jul 2008 01:43 AM CDT

Sometimes we hear about dataloss via theft or loss of a computer. For the most part (assuming I don't hear about it happening to a company on a weekly basis), I can (eventually) forgive the company (even if my personal data has been lost). After all accidents (losing a computer) and burglaries are a fact of life. Does this excuse the practice of not encrypting data? Nope... but as I said... eventually I forgive the company, after all years ago when these were paper files, they weren't encrypted. At the same time, I do feel that there should be serious government fines handed out to companies that lose sensitive customer data (my forgiveness doesn't exclude the requirement for punishment of some sort).

What I can't forgive though is dataloss via stupidity... That is, throwing away sensitive data without making an effort to destroy it. I shred pretty much everything that comes to me in the mail at home... (everything I don't save anyways). I've worked in places where DBAN was utilized religiously before laptops were assigned from one individual to another or old desktops were sold off. I even took a bench grinder to a hard drive one time (although that was more for fun... but it did destroy the data).

I just read this blog post (via Consumerist) and it reminded me once again of the stupidity that sometimes happens. I can get replacing old computers... I even get throwing out the computer (although I'd think that there are plenty of places to donate the machine). I can't get leaving your employee and customer databases, along with letters to customers in place (screenshots on the original blog). This really does come down to Dataloss via Stupidity and I think that's how we need to start defining it.

Someone needs to go and put a big notice on the door of the offending Curves that mentions how poorly they treat customer data. We should start doing this to all companies that fall victim to Dataloss via Stupidity. This is a prime example of one of those unforgivable acts.

Now I know someone is saying, "But you just said you can forgive accidents... maybe this was an accident." This isn't an accident... Throwing away a letter to a single customer without shredding it that contains personal information... That's an accident. Turning around to grab a drink from the vending machine and having your laptop stolen... That's an accident. Taking a used computer and just tossing it in the trash... that's not an accident... that's stupidity.

In Texas they've got a law requiring those that service computers to have a PI license. Perhaps it's time that we start thinking about licensing to use a computer... We could even have stages of licensing:

  • Stage 1: Allowed use of a computer
  • Stage 2: Allowed access to the internet
  • Stage 3: Allowed use of a computer for business purposes
  • Stage 4: Allowed to repair a computer
  • Stage 5: Allowed to dispose of or destroy used computer equipment.

In reality that's going way overboard (just like the Texas law), but something needs to be done to prevent the stupid from using computers... and something really needs to be done to prevent Dataloss via Stupidity. Perhaps Curves should be slapped with a nice, big fine just to remind people to think first.

In Congress Assembled, July 4, 1776 [Emergent Chaos]

Posted: 04 Jul 2008 01:18 AM CDT


In CONGRESS, July 4, 1776

The unanimous Declaration of the thirteen united States of America,

When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which the Laws of Nature and of Nature’s God entitle them, a decent respect to the opinions of mankind requires that they should declare the causes which impel them to the separation.

We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness. –That to secure these rights, Governments are instituted among Men, deriving their just powers from the consent of the governed, –That whenever any Form of Government becomes destructive of these ends, it is the Right of the People to alter or to abolish it, and to institute new Government, laying its foundation on such principles and organizing its powers in such form, as to them shall seem most likely to effect their Safety and Happiness. Prudence, indeed, will dictate that Governments long established should not be changed for light and transient causes; and accordingly all experience hath shewn, that mankind are more disposed to suffer, while evils are sufferable, than to right themselves by abolishing the forms to which they are accustomed. But when a long train of abuses and usurpations, pursuing invariably the same Object evinces a design to reduce them under absolute Despotism, it is their right, it is their duty, to throw off such Government, and to provide new Guards for their future security. —Such has been the patient sufferance of these Colonies; and such is now the necessity which constrains them to alter their former Systems of Government. The history of the present King of Great Britain [George III] is a history of repeated injuries and usurpations, all having in direct object the establishment of an absolute Tyranny over these States. To prove this, let Facts be submitted to a candid world.

He has refused his Assent to Laws, the most wholesome and necessary for the public good.

He has forbidden his Governors to pass Laws of immediate and pressing importance, unless suspended in their operation till his Assent should be obtained; and when so suspended, he has utterly neglected to attend to them.

He has refused to pass other Laws for the accommodation of large districts of people, unless those people would relinquish the right of Representation in the Legislature, a right inestimable to them and formidable to tyrants only.

He has called together legislative bodies at places unusual, uncomfortable, and distant from the depository of their public Records, for the sole purpose of fatiguing them into compliance with his measures.

He has dissolved Representative Houses repeatedly, for opposing with manly firmness his invasions on the rights of the people.

He has refused for a long time, after such dissolutions, to cause others to be elected; whereby the Legislative powers, incapable of Annihilation, have returned to the People at large for their exercise; the State remaining in the mean time exposed to all the dangers of invasion from without, and convulsions within.

He has endeavoured to prevent the population of these States; for that purpose obstructing the Laws for Naturalization of Foreigners; refusing to pass others to encourage their migrations hither, and raising the conditions of new Appropriations of Lands.

He has obstructed the Administration of Justice, by refusing his Assent to Laws for establishing Judiciary powers.

He has made Judges dependent on his Will alone, for the tenure of their offices, and the amount and payment of their salaries.

He has erected a multitude of New Offices, and sent hither swarms of Officers to harass our people, and eat out their substance.

He has kept among us, in times of peace, Standing Armies without the consent of our legislatures.

He has affected to render the Military independent of and superior to the Civil power.

He has combined with others to subject us to a jurisdiction foreign to our constitution and unacknowledged by our laws; giving his Assent to their Acts of pretended Legislation:

For Quartering large bodies of armed troops among us:

For protecting them, by a mock Trial, from punishment for any Murders which they should commit on the Inhabitants of these States:

For cutting off our Trade with all parts of the world:

For imposing Taxes on us without our Consent:

For depriving us, in many cases, of the benefits of Trial by Jury:

For transporting us beyond Seas to be tried for pretended offences:

For abolishing the free System of English Laws in a neighbouring Province, establishing therein an Arbitrary government, and enlarging its Boundaries so as to render it at once an example and fit instrument for introducing the same absolute rule into these Colonies:

For taking away our Charters, abolishing our most valuable Laws, and altering fundamentally the Forms of our Governments:

For suspending our own Legislatures, and declaring themselves invested with power to legislate for us in all cases whatsoever.

He has abdicated Government here, by declaring us out of his Protection and waging War against us.

He has plundered our seas, ravaged our Coasts, burnt our towns, and destroyed the lives of our people.

He is at this time transporting large Armies of foreign Mercenaries to compleat the works of death, desolation and tyranny, already begun with circumstances of Cruelty and perfidy scarcely paralleled in the most barbarous ages, and totally unworthy the Head of a civilized nation.

He has constrained our fellow Citizens taken Captive on the high Seas to bear Arms against their Country, to become the executioners of their friends and Brethren, or to fall themselves by their Hands.

He has excited domestic insurrections amongst us, and has endeavoured to bring on the inhabitants of our frontiers, the merciless Indian Savages, whose known rule of warfare, is an undistinguished destruction of all ages, sexes and conditions.

In every stage of these Oppressions We have Petitioned for Redress in the most humble terms: Our repeated Petitions have been answered only by repeated injury. A Prince whose character is thus marked by every act which may define a Tyrant, is unfit to be the ruler of a free people.

Nor have We been wanting in attentions to our British brethren. We have warned them from time to time of attempts by their legislature to extend an unwarrantable jurisdiction over us. We have reminded them of the circumstances of our emigration and settlement here. We have appealed to their native justice and magnanimity, and we have conjured them by the ties of our common kindred to disavow these usurpations, which, would inevitably interrupt our connections and correspondence. They too have been deaf to the voice of justice and of consanguinity. We must, therefore, acquiesce in the necessity, which denounces our Separation, and hold them, as we hold the rest of mankind, Enemies in War, in Peace Friends.

We, therefore, the Representatives of the united States of America, in General Congress, Assembled, appealing to the Supreme Judge of the world for the rectitude of our intentions, do, in the Name, and by the Authority of the good People of these Colonies, solemnly publish and declare, That these United Colonies are, and of Right ought to be Free and Independent States; that they are Absolved from all Allegiance to the British Crown, and that all political connection between them and the State of Great Britain, is and ought to be totally dissolved; and that as Free and Independent States, they have full Power to levy War, conclude Peace, contract Alliances, establish Commerce, and to do all other Acts and Things which Independent States may of right do. And for the support of this Declaration, with a firm reliance on the protection of divine Providence, we mutually pledge to each other our Lives, our Fortunes and our sacred Honor.

The signers of the Declaration represented the new states as follows:

New Hampshire

Josiah Bartlett, William Whipple, Matthew Thornton

Massachusetts

John Hancock, Samuel Adams, John Adams, Robert Treat Paine, Elbridge Gerry

Rhode Island

Stephen Hopkins, William Ellery

Connecticut

Roger Sherman, Samuel Huntington, William Williams, Oliver Wolcott

New York

William Floyd, Philip Livingston, Francis Lewis, Lewis Morris

New Jersey

Richard Stockton, John Witherspoon, Francis Hopkinson, John Hart, Abraham Clark

Pennsylvania

Robert Morris, Benjamin Rush, Benjamin Franklin, John Morton, George Clymer, James Smith, George Taylor, James Wilson, George Ross

Delaware

Caesar Rodney, George Read, Thomas McKean

Maryland

Samuel Chase, William Paca, Thomas Stone, Charles Carroll of Carrollton

Virginia

George Wythe, Richard Henry Lee, Thomas Jefferson, Benjamin Harrison, Thomas Nelson, Jr., Francis Lightfoot Lee, Carter Braxton

North Carolina

William Hooper, Joseph Hewes, John Penn

South Carolina

Edward Rutledge, Thomas Heyward, Jr., Thomas Lynch, Jr., Arthur Middleton

Georgia

Button Gwinnett, Lyman Hall, George Walton

Image: Washington's copy of the Declaration of Independence, from the Library of Congress.

It’s the End of the World as We Know It… [.:Computer Defense:.]

Posted: 04 Jul 2008 12:54 AM CDT

And I feel fine...

By morning most likely everyone will have blogged about the recent court ruling that Google hand over the YouTube logs to Viacom (MTV & Paramount Pictures parent company).

Oddly enough I saw a clip on BBC News that was mentioning popular articles on their website. The first thing my wife said was, "Does this mean I should stop going to YouTube?" My immediate response was, "Why?" To which she responded, "If I watch something that's copyrighted, can't I be sued or something?"

Now this was the way the short little news clip presented itself, and I'm definitely not a lawyer but my answer was, "No." Now maybe I'm wrong, and I'll probably be the only one to say this, but I don't see how this is a big deal. Viacom wants to compare the viewing habits on their copyrighted material vs non-copyrighted material. I actually think they have a right to do that. It comes down to this... find a way to keep the copyrighted material off the site or give people whose copyrights are violated access to statistics.

Based on the article, that's all Viacom wanted... statistics. Well at one point they wanted the YouTube source code but that's a ridiculous request. Google probably should have just granted them access to the statistics right away. I honestly don't care if Viacom figures out who I am and what I've watched on YouTube.

I do hope that Google gets the right to anonymize the logs before passing them on, but they should have been doing that all along... there was no real reason to store IP Addresses for any length of time.

Anyways... it'll be interesting to see what Viacom gets in the end, and how many people cry that this really is the end of the world.

Let Freedom Ring [The Dark Visitor]

Posted: 03 Jul 2008 09:36 PM CDT

US Declaration of Independence

When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which the Laws of Nature and of Nature’s God entitle them, a decent respect to the opinions of mankind requires that they should declare the causes which impel them to the separation.

We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness. –That to secure these rights, Governments are instituted among Men, deriving their just powers from the consent of the governed, –That whenever any Form of Government becomes destructive of these ends, it is the Right of the People to alter or to abolish it, and to institute new Government, laying its foundation on such principles and organizing its powers in such form, as to them shall seem most likely to effect their Safety and Happiness. Prudence, indeed, will dictate that Governments long established should not be changed for light and transient causes; and accordingly all experience hath shewn, that mankind are more disposed to suffer, while evils are sufferable, than to right themselves by abolishing the forms to which they are accustomed. But when a long train of abuses and usurpations, pursuing invariably the same Object evinces a design to reduce them under absolute Despotism, it is their right, it is their duty, to throw off such Government, and to provide new Guards for their future security. —Such has been the patient sufferance of these Colonies; and such is now the necessity which constrains them to alter their former Systems of Government. The history of the present King of Great Britain [George III] is a history of repeated injuries and usurpations, all having in direct object the establishment of an absolute Tyranny over these States. To prove this, let Facts be submitted to a candid world.

He has refused his Assent to Laws, the most wholesome and necessary for the public good.

He has forbidden his Governors to pass Laws of immediate and pressing importance, unless suspended in their operation till his Assent should be obtained; and when so suspended, he has utterly neglected to attend to them.

He has refused to pass other Laws for the accommodation of large districts of people, unless those people would relinquish the right of Representation in the Legislature, a right inestimable to them and formidable to tyrants only.

He has called together legislative bodies at places unusual, uncomfortable, and distant from the depository of their public Records, for the sole purpose of fatiguing them into compliance with his measures.

He has dissolved Representative Houses repeatedly, for opposing with manly firmness his invasions on the rights of the people.

He has refused for a long time, after such dissolutions, to cause others to be elected; whereby the Legislative powers, incapable of Annihilation, have returned to the People at large for their exercise; the State remaining in the mean time exposed to all the dangers of invasion from without, and convulsions within.

He has endeavoured to prevent the population of these States; for that purpose obstructing the Laws for Naturalization of Foreigners; refusing to pass others to encourage their migrations hither, and raising the conditions of new Appropriations of Lands.

He has obstructed the Administration of Justice, by refusing his Assent to Laws for establishing Judiciary powers.

He has made Judges dependent on his Will alone, for the tenure of their offices, and the amount and payment of their salaries.

He has erected a multitude of New Offices, and sent hither swarms of Officers to harass our people, and eat out their substance.

He has kept among us, in times of peace, Standing Armies without the consent of our legislatures.

He has affected to render the Military independent of and superior to the Civil power.

He has combined with others to subject us to a jurisdiction foreign to our constitution and unacknowledged by our laws; giving his Assent to their Acts of pretended Legislation:

For Quartering large bodies of armed troops among us:

For protecting them, by a mock Trial, from punishment for any Murders which they should commit on the Inhabitants of these States:

For cutting off our Trade with all parts of the world:

For imposing Taxes on us without our Consent:

For depriving us, in many cases, of the benefits of Trial by Jury:

For transporting us beyond Seas to be tried for pretended offences:

For abolishing the free System of English Laws in a neighbouring Province, establishing therein an Arbitrary government, and enlarging its Boundaries so as to render it at once an example and fit instrument for introducing the same absolute rule into these Colonies:

For taking away our Charters, abolishing our most valuable Laws, and altering fundamentally the Forms of our Governments:

For suspending our own Legislatures, and declaring themselves invested with power to legislate for us in all cases whatsoever.

He has abdicated Government here, by declaring us out of his Protection and waging War against us.

He has plundered our seas, ravaged our Coasts, burnt our towns, and destroyed the lives of our people.

He is at this time transporting large Armies of foreign Mercenaries to compleat the works of death, desolation and tyranny, already begun with circumstances of Cruelty and perfidy scarcely paralleled in the most barbarous ages, and totally unworthy the Head of a civilized nation.

He has constrained our fellow Citizens taken Captive on the high Seas to bear Arms against their Country, to become the executioners of their friends and Brethren, or to fall themselves by their Hands.

He has excited domestic insurrections amongst us, and has endeavoured to bring on the inhabitants of our frontiers, the merciless Indian Savages, whose known rule of warfare, is an undistinguished destruction of all ages, sexes and conditions.

In every stage of these Oppressions We have Petitioned for Redress in the most humble terms: Our repeated Petitions have been answered only by repeated injury. A Prince whose character is thus marked by every act which may define a Tyrant, is unfit to be the ruler of a free people.

Nor have We been wanting in attentions to our British brethren. We have warned them from time to time of attempts by their legislature to extend an unwarrantable jurisdiction over us. We have reminded them of the circumstances of our emigration and settlement here. We have appealed to their native justice and magnanimity, and we have conjured them by the ties of our common kindred to disavow these usurpations, which, would inevitably interrupt our connections and correspondence. They too have been deaf to the voice of justice and of consanguinity. We must, therefore, acquiesce in the necessity, which denounces our Separation, and hold them, as we hold the rest of mankind, Enemies in War, in Peace Friends.

We, therefore, the Representatives of the united States of America, in General Congress, Assembled, appealing to the Supreme Judge of the world for the rectitude of our intentions, do, in the Name, and by the Authority of the good People of these Colonies, solemnly publish and declare, That these United Colonies are, and of Right ought to be Free and Independent States; that they are Absolved from all Allegiance to the British Crown, and that all political connection between them and the State of Great Britain, is and ought to be totally dissolved; and that as Free and Independent States, they have full Power to levy War, conclude Peace, contract Alliances, establish Commerce, and to do all other Acts and Things which Independent States may of right do. And for the support of this Declaration, with a firm reliance on the protection of divine Providence, we mutually pledge to each other our Lives, our Fortunes and our sacred Honor.

Posted under US attacks…for those men and women who sacrificed so much for our freedom.


On Gaming Security [Emergent Chaos]

Posted: 03 Jul 2008 05:21 PM CDT

Adam comments on Dave Maynor commenting on Blizzard selling authentication tokens.

Since I have the ability to comment here, I shall.

This isn't the case of a game having better security than most banks (as Maynor says). This is a game company leaping ahead of some banks, because they realize they have bank-like security issues.

It's been a year or so since I read on El Reg that on the black market, a credit card number sells for (as I remember) £5, but a WoW account sells for £7. I would look up the exact reference, but I'm not in the mood. Your search skills are likely as good as mine.

The exact reasons for this are a bit of a mystery, but there are some non-mysterious ones. There is a black market for WoW gold and (to a lesser extent) artifacts. That black market is shuddering because Blizzard has done a lot to crack down on it. (Blizzard's countermeasures are one main reason that the artifact market is low. Most artifacts become bound to one character when used, and so are not transferable and so are not salable.) Nonetheless, many WoW players have gold in their pockets that would sell for hundreds to thousands of dollars on this black market.

(If you think from this, that WoW can be a profitable hobby, think again. That many players have gold worth some real change says more about the time they have spent playing than anything else. If you live in a first-world country, you can earn far more flipping burgers than playing WoW. It is only if you are in a third-world country that WoW is a reasonable career choice.)

This means that by putting a keylogger on someone's system, you can steal a pretty penny from them and sell it on the black market. A not-insignificant number of WoW players have logged into their accounts to find their characters naked and penniless. However, there's an interesting twist on this. Blizzard can and does restore the lost gold and items.

Presumably, Blizzard has a transaction log and can rewind it. However, this is work for them and annoyance for the victim. Two-factor authentication will lower Blizzard's costs but fear of robbery is high enough among the players that they're snapping these things up and are willing to pay for them.

Bank customers rightly think that increased security is something that the bank should pay for. So in the banking world, the cost-benefit calculation of two-factor authentication is complex. In the gaming world, it's pretty straightforward. Since Blizzard can shift the cost of the device to the customer base, it's easier to justify.

netcast for this week: I was the (surprise) guest host on the Netsec Podcast [The Security Catalyst]

Posted: 03 Jul 2008 03:02 PM CDT

One of the true benefits of sharing thoughts through spoken and written word is the ability to meet quality people. I thrive on conversation - especially discourse that leads to new understanding. I am a firm believer that through purposeful conversation, honest intentions and open minds we can solve a lot of challenges we face.

So when Martin McKeay and I were “chatting” online Tuesday night, he popped in with “Hey - no pressure, but do you want to cohost tonight?” It took about a minute to decide. He shared some links to stories to talk about and I took 30 minutes to read them and write down some ideas - and then boom - we recorded.

I really enjoyed the conversation and was really amped at the end. It took me a while to get ready for bed - my mind was still engaged. I hope you have a similar experience when listening!

Find the show notes here: http://netsecpodcast.com/?p=48

And the direct link to the program here: http://media.libsyn.com/media/mckeay/nsp-070108-ep110.mp3

 

(PS: I hope you still choose to listen to the programming on The Security Catalyst; however, somewhere in the feed change, we seem to have confused iTunes. If it doesn’t look like we have new shows - you may want to unsubscribe and resubscribe.)


The Mozilla Metrics Project [securosis.com]

Posted: 03 Jul 2008 12:31 PM CDT

Ryan Naraine just posted an article over at ZDNet about a project I’m extremely excited to be involved with.

Just before RSA I was invited by Window Snyder over at Mozilla to work with them on a project to take a new look at software security metrics. Window has posted the details of the project over on the Mozilla security blog, and here’s an excerpt:

Mozilla has been working with security researcher and analyst Rich Mogull for a few months now on a project to develop a metrics model to measure the relative security of Firefox over time. We are trying to develop a model that goes beyond simple bug counts and more accurately reflects both the effectiveness of secure development efforts, and the relative risk to users over time. Our goal in this first phase of the project is to build a baseline model we can evolve over time as we learn what works, and what does not. We do not think any model can define an absolute level of security, so we decided to take the approach of tracking metrics over time so we can track relative improvements (or declines), and identify any problem spots. This information will support the development of Mozilla projects including future versions of Firefox.

Below is a summary of the project goals, and the xls of the model is posted at http://securosis.com/publications/MozillaProject2.xls. The same content as a set of .csvs is available here: http://securosis.com/publications/MozillaProject.zip

This is a preliminary version and we are currently looking for feedback. The final version will be a far more descriptive document, but for now we are using a spreadsheet to refine the approach. Feel free to download it, rip it apart, and post your comments. This is an open project and process. Eventually we will release this to the community at large with the hope that other organizations can adapt it to their own needs.

Although I love my job, it’s not often I get to develop original research like this with an organization like Mozilla. We really think we have the opportunity to contribute to the security and development communities in an impactful way.

If you’d like to contribute, please comment over at the Mozilla blog, or email me directly. I’d like to keep the conversation over there, rather than in comments here.

This is just the spreadsheet version (and a csv version); the final product will be more of a research note, describing the metrics, process, and so on.

I’m totally psyched about this.

Want Real Homeland Security? [Emergent Chaos]

Posted: 03 Jul 2008 11:32 AM CDT

All around cool guy, and former provost of the University of Chicago, Geoffrey Stone (the Edward H. Levi Distinguished Service Professor at the University of Chicago Law School), proposed in a post earlier this week that "The next president should create a brand new position, which should become a permanent part of the Executive Branch in the future: a Civil Liberties Advisor".

Given past posts here, regular Emergent Chaos readers will hardly be surprised that I am a supporter of this proposal. While I encourage everyone to read the entire post, it's the closing paragraph that really sums why I think this is so important:

Of course, Civil Liberties Advisors may often lose the debate, or even be shunted aside. But sometimes they will win, and sometimes they will raise consciousness and help frame the discussion. Moreover, an administration without such a voice is much more likely to short-change civil liberties than one with such an advocate. The stakes for our nation are simply too high for us to continue to muddle along without someone in this critical position. Indeed, this idea might well give rise to a whole new meaning to the notion of Homeland Security.

And actually if you replace administration with corporation and civil liberties with customer privacy, you pretty much have the argument for why companies need (and have) privacy evangelists....

[Image is 'Real' Homeland Security by richdrogpa.]

On Banking Security [Emergent Chaos]

Posted: 03 Jul 2008 11:11 AM CDT

Dave Maynor comments:

Blizzard is going to sell a One Time Password device...Isn't it kind of funny when an online game has better security than most banks?

Blizzard Entertainment, Inc. today introduced an optional extra layer of security for World of Warcraft®, its award-winning massively multiplayer online role-playing game. Designed to attach to a keychain, the lightweight and waterproof Blizzard® Authenticator is an electronic device that generates a six-digit security code at the press of a button. This code is unique, valid only once, and active for a limited time; it must be provided along with the account name and password when signing in to the World of Warcraft account linked to it.

Damnit, Dave, I have nothing to add to that analysis!
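The press release above describes the three properties a token like this must give the login check: the code is derived from a per-account secret, it expires with a short time window, and it is accepted only once. The "On Gaming Security" post earlier in this feed makes the same point from the other side (a keylogged static password is enough to empty an account, so a one-time code is what actually raises the bar). The following is an added example, not code from Blizzard, from either blog, or from any product: a minimal RFC 4226 HOTP / RFC 6238 TOTP generator and a server-side verifier that enforces expiry and single use. The secret is the published RFC test-vector key (ASCII "12345678901234567890"), used only so the output can be checked against the RFC tables; the `window` of one time step for clock skew is an assumption, not something the page states.

```python
import hashlib
import hmac
import struct
import time

# Published RFC 4226 / RFC 6238 test-vector key, not a secret from any real product.
DEMO_SECRET = b"12345678901234567890"
DIGITS = 6           # six-digit code, as in the press release
STEP_SECONDS = 30    # RFC 6238 default time step (assumed; the page gives no value)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


class AuthenticatorVerifier:
    """Server-side check with the three properties the token promises:
    per-account secret, limited lifetime (time step plus a small skew window),
    and single use (the highest consumed counter is remembered per account)."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window        # tolerated clock skew, in time steps (assumed)
        self.last_counter = -1      # highest counter already accepted for this account

    def verify(self, code: str, unix_time: int) -> bool:
        if len(code) != DIGITS or not code.isdigit():
            return False
        now = unix_time // STEP_SECONDS
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue            # code at or before an accepted step: replay, reject
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


def demo() -> dict:
    """Walk through first use, replay and expiry; returns the outcomes."""
    t = 1111111111                                   # fixed instant from the RFC 6238 table
    verifier = AuthenticatorVerifier(DEMO_SECRET)
    fresh = totp(DEMO_SECRET, t)
    return {
        "first_use": verifier.verify(fresh, t),      # True
        "replay": verifier.verify(fresh, t),         # False: same code a second time
        "expired": verifier.verify(totp(DEMO_SECRET, 59), t),  # False: code from 1970
        "current_code": totp(DEMO_SECRET, int(time.time())),
    }


if __name__ == "__main__":
    print(demo())
```

The six-digit values are the last six digits of the eight-digit SHA-1 rows in the RFC 6238 test table (for example, time 59 gives 287082), so the generator can be checked without any device in hand. Remembering `last_counter` per account is what turns "valid only once" from a marketing claim into an enforced property; a verifier that only checks the time window still accepts a code captured by a keylogger and replayed within the same step.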

YouTube, Viacom, And Why You Should Fear Google More Than The Government [securosis.com]

Posted: 03 Jul 2008 10:57 AM CDT

Reading Wired this morning (and a bunch of other blogs), I learned that a judge ordered Google/YouTube to turn over ALL records of who watched what on YouTube. To Viacom of all organizations, as part of their lawsuit against Google for hosting copyrighted content. The data transferred over includes IP address and what was watched.

Gee, think that might leak at some point? Ever watch YouTube porn from an IP address that can be tied to you? No porn? How about singing cats? Yeah, I thought so you sick bastard.

But wait, what are the odds of tracing an IP address back to an individual? Really damn high if you use any other Google service that requires a login, since they basically never delete data. Even old emails can tie you back to an IP, never mind a plethora of other services. Ever comment on a blog?

The government has a plethora of mechanisms to track our activity, but even with recent degradations in their limits for online monitoring, we still have a heck of a lot of rights and laws protecting us. Even the recent warrantless wiretapping issue doesn’t let a government agency monitor totally domestic conversations without court approval.

But Google? (And other services). There’s no restriction on what they can track (short of reading emails, or listening in on VoIP calls). They keep more damn information on you than the government has the infrastructure to support. Searches, videos you’ve watched, emails, sites you visit, calendar entries, and more. Per their privacy policies some of this is deleted over time, but even if you put in a request to purge your data it doesn’t extend to tape archives. It’s all there, waiting to be mined. Feedburner, Google Analytics. You name it.

Essentially none of this information is protected by law. Google can change their privacy policies at any time, or sell the content to anyone else.

Think it’s secure? Not really - I heard of multiple XSS 0days on Google services this week. I’ve seen some of their email responses to security researchers; needless to say, they really need a CSO.

I’m picking on Google here, but most online services collect all sorts of information, including Securosis. In some cases, it’s hard not to collect it. For example, all comments on this blog come with an IP address. The problem isn’t just that we collect all sorts of information, but that we have a capacity to correlate it that’s never been seen before.

Our laws aren’t even close to addressing these privacy issues.

On that note, I’m disabling Google Analytics for the site (I still have server logs, but at least I have more control over those). I’d drop Feedburner, but that’s a much more invasive process right now that would screw up the site badly.

Glad I have fairly tame online habits, although I highly suspect my niece has watched more than a few singing cat videos on my laptop. It was her, I swear!

IT and Infosec Insourcing: Could You Do It If You Wanted To? [BlogInfoSec.com]

Posted: 03 Jul 2008 06:00 AM CDT

There was an article by Timothy Aeppel on the front page of the June 13, 2008 issue of The Wall Street Journal with the title “Stung by Soaring Transport Cost, Factories Bring Jobs Home Again” (subscription required). The article is about manufacturers bringing back some of their production from China to domestic plants because the rapidly increasing costs of shipping, labor and raw materials exceeded cost savings. A company president related that his company was fortunate to have held on to its manufacturing machinery, saying: “What looked like an albatross a year and a half ago … today looks like a pretty good asset.”

There is an analogy with IT and information security outsourcing. The rationale is not based upon transportation - indeed the cost of electronic message transmissions is going down, not up. No, it is the high inflation, particularly in the compensation of technical and operational staff in countries such as India, which is beginning to shift the balance. But if the economics tip in favor of bringing back IT and business processes and their commensurate security onshore, would we be as fortunate as the manufacturer in still having individuals with the requisite skills and experience to do the task? Or have we already rid ourselves of these former albatrosses?

There are several issues in this regard, many of which I address in my book Outsourcing Information Security. Let me repeat some of them here. They are:

  • Retaining the appropriate staff to oversee the outsourcing relationship
  • Including an exit (or extrication) strategy in the service agreement, and
  • Having in place a dynamic examination process, which regularly evaluates all outsourcing arrangements from a cost-benefit perspective

I also discuss risks related to planned changes, which include outsourcing and insourcing, in an earlier column, Security and Change (pt. 3) - White Knights.

You can overcome aspects of the above areas after the fact, but it can be considerably less expensive if you anticipate the ending of relationships and potential insourcing when you are negotiating the service agreement.

Let’s look at each of these factors in more detail.

(...)
Read the rest of IT and Infosec Insourcing: Could You Do It If You Wanted To? (588 words)


© C. Warren Axelrod for BlogInfoSec.com, 2008. | Permalink | No comment

Is There a Good 0day? [ImperViews]

Posted: 03 Jul 2008 03:44 AM CDT

There's an unusual story in the July issue of FastCompany.com that lets us peek into the world and life of a zero-day trader, who is actually a security researcher developing 0days in his free time in order to found a new security start-up.

The "concept" of selling zero-days is not new. Some might argue that there's a lot of benefit. Others will claim that it only plays to the hands of the bad guys, legitimizing some of their actions. At any rate, I believe that there is a consensus (IMO :-) within the community that the bad guys have changed their business model. It's not about the fun, fame or glory. They are after corporate assets, live credit card numbers and soon-to-be-victims' identities, not to mention the role of foreign governments and agencies.

The article describes several zero-day exploits in database systems and ERP applications. Scary. Over the years, Imperva's Application Defense Center (the ADC) discovered many vulnerabilities in various systems. Some were very critical and yet we are still waiting for the vendors to patch all the vulnerabilities (as listed on our ADC's page, there are several more vulnerabilities that are waiting for the vendor's patches to be released).

So is there a good 0day?

I like to say that "there is always one more bug" and as long as code exists, someone will find a way to break it. Nothing should be considered immune, and zero-days in general (without notifying the vendors that issue the remedy) should be considered bad, as they expose a weakness without providing a protection.

Click on the picture to see the good and bad O'Day. From left to right: Aubrey O'Day, Hank O'Day, Tom O'Day

The *aaS Alphabet Soup [ImperViews]

Posted: 03 Jul 2008 01:52 AM CDT

One of the merits of living in the Silicon Valley is being able to exchange ideas, meet the guys that make it happen and live the buzz (or buzz life). In the past year or so, the frequency of the small talks we have around services in the cloud has increased significantly. Take a look at TechCrunchIT and all you see is pictures of clouds. Looking back a few years, I was part of a failed attempt to build Exchange as a service and backup as a service in 1998 (Publicom alumni, step up:-) so it was fun to read Rich Tehrani's article yesterday, about the hosted application market, pointing more to the database as a service or platform as a service or application as a service (PaaS, DaaS, AaaS or, in short, *aaS) but unfortunately he wrote only a few words regarding security.

As enterprises try to reduce their cost and align computing requirements with actual use, and need to cost-effectively provision database infrastructure to support real time usage, the new *aaS technology and market emerges. Googling for "database as a service" or "platform as a service" returns many results. Some of the behemoths (Google, Amazon) as well as less established companies such as LongJump offer services that will allow you to leverage the benefits of a database in the cloud.

Most offerings lack the same maturity level of security and activity monitoring that in house database deployment offers. The growing adoption of *aaS platforms still does not include many applications that store private data or sensitive information in the cloud. As the demand grows, organizations should pay attention to the level of security and auditing capabilities that they have from the "cloud."
