Fred Avolio's Musings


Sat, 24 Jul 2004
Book Review: The Day the World Came to Town, 9/11 in Gander, Newfoundland

Yes, I've got a thing for remembering 9/11/2001 (see the picture on the bottom of my home page). And I have always been intrigued by the closing of the US airspace that day and the days following. (See this photo from Gander International Airport.)

In NetSec Letter #13 from 23 October 2001, entitled "Afterthoughts and Lessons to Learn," I said, "How do we know the good guys from the bad? ... Get the good guys out of the sky. The principle demonstrated is important. The fewer potential attack agents, the fewer avenues of attack, the easier your task of protection and detection can be."

I got this book for my birthday from my darling wife. It is a book of wonderful individual stories describing the effects of that day on stranded travelers and the locals, and how a 10,000-person town doubled in size for a few days. Because of the subject matter, it cannot help but invoke tears in some (like me). Over and over again, my heart was touched with the stories of simple caring, one for another. This was a great birthday gift.

"... for I was hungry and you gave Me food; I was thirsty and you gave Me drink; I was a stranger and you took Me in; I was naked and you clothed Me ... Assuredly ... in as much as you did it to one of the least of these you did it to Me."
Matthew 25:35-40


Forgetting History

Well, I screwed up. I claimed to have found the source of the quote "He who forgets his own history is condemned to repeat it." I referenced this sort of problem in the blog entry Security Redux. I even said I got it from a "reputable source (i.e., not the Internet)."

Only that source was wrong. I wrongly credited Sir Walter Scott. When I failed to find the quote anywhere on the Internet, I started to figure I was wrong. (Ironic, eh?)

The quote was wrong, as was the author. According to the online version of The Columbia World of Quotations at http://www.bartleby.com/66/29/48129.html, the correct quote is, "Those who cannot remember the past are condemned to repeat it." The attribution is "George Santayana (1863–1952), U.S. philosopher, poet. Life of Reason, 'Reason in Common Sense,' ch. 12 (1905-6)." Measure twice, cut once. Or, in this case, don't believe everything you see on the Internet, but also do not believe everything you read on paper. And maybe Scott did say something along these lines, but I cannot find it.


Wed, 21 Jul 2004
The CISC versus RISC Debate

You may well wonder "What debate would that be?" Well, it was a big deal back in the olden days. Stan Kelly-Bootle reminded me of this in his April "Son of Devil's Advocate" at http://www.sarcheck.com/skb/. (His column used to appear on the very last page of UNIX Review magazine. It was usually the first thing to which I turned.)

His SODA column contains a "This column N years ago" section, padding the size of the column even though he is no longer paid by the word. Old habits die hard. It was in this section that a reference to the RISC vs. CISC question appeared under the heading "RISC vs. CISC Commotion." In it, Stan said,

I urge you to read Nick Tredennick's five page Viewpoint called "It's Not RISC vs. CISC -- It's New vs. Old" in the February issue of Microprocessor Report, Vol 3 Number 2 ...
No, no URL. There was no such thing as a URL in 1989! And in 2004... who is arguing about this stuff anymore?


Tue, 20 Jul 2004
Microsoft defaced

Okay, that's not new nor surprising. Guess they forgot to patch. See www.neowin.net/comments.php?id=20516&category=main.

The only reason I mention this is to use it as a vehicle to point to a new newsfeed from my friends at WatchGuard. That's where I read about it. (Disclosure: I used to be on their advisory board.) Called WatchGuard Wire, it is an RSS news feed. Even though I do not regularly write for them, they still have clue. (;-))

Check it out at the WatchGuard Wire Web page.


Mon, 19 Jul 2004
Push to talk -- what to do?

Recently, I ranted about PTT technology on mobile phones. (Find it here.) Someone named Saso called me to task:

... it seems to me that you left a bit too much as an exercise for the reader. What am I talking about? The Push to talk service provides people with a perfect eavesdropping device. TSCM industry will love this one.

All mobiles should already be banned from meeting rooms, but since they're not, often they get used as one party's way to let more people into the discussion than there are physically present parties. For that to work in the old days, you'd need an accomplice on the inside or physical access to the room. Now, all you need is the name of one of the parties attending a strictly confidential meeting and their direct call number. And you don't even have to be anywhere near the meeting place, like in the old times. Is the handset beeping loud enough when you establish a connection? Loud enough not to be drowned in the average office noise? Street noise?

(As a funny coincidence, someone just walked by the office I am sitting in today, talking on this annoying walkie-talkie mobile phone. :-) Or maybe they are really ubiquitous.)

These are all good points, and yes, I should have made some observations and recommendations instead of just grumping. First, the open questions to answer:

  • Is it possible to turn off this feature? Almost certainly, "yes."
  • Can someone else connect with you without your knowledge? "Yes," if you miss the BEEP.
  • Can someone else listen in without you (the owner of the phone) knowing it? "No," you have to hold a button down when talking, just like a real walkie-talkie.
  • But, can an insider broadcast a meeting to an outsider without anyone else knowing it? Sure. But, this is the case with all mobile phones. This is one reason they are prohibited in certain secure facilities. (That and the cameras that come with them. See Dave Piscitello's comments here.)

So, probably this feature on mobile phones is more of an annoyance than a security risk. But, there is a similar feature in some office telephone systems: the intercom.

To my left is a "COMDIAL Impact" telephone set connected to the office phone system where I sit today as I type this. Anyone here can "Intercom" to my phone set. There is a beep and they are expected to speak, such as, "Fred? Call from your wife." Or, "Fred? Would you stop by?" Now, the important part is the notification BEEP. What if someone does this when I am out getting a cup of coffee? What if a bad guy did something to my phone so that it did not beep? Would I know someone was listening? There is a visual indication that the phone is connected to someone else's, but would I notice it? (No, I would not.) In an office environment, that would concern me more than Push to Talk. But, PTT is still more annoying.


Sat, 17 Jul 2004
But, is it Actionable?

Is it me, or is the word "actionable" finding its way into conversation? Don't get me wrong. I think it is a terrifically useful word. But, did anyone use it before the "9-11 Commission" (The National Commission on Terrorist Attacks Upon the United States) hearings? Apparently, yes. A Google search turns up "about 500,000" hits. Limiting the search to "past year" gets it down to "about 196,000," but it is close to that when I crank it down to "past 3 months."

So, I know that it has always been a word, especially used in the law. But, it strikes me that it is similar to the word "overzealous" as used during the Watergate hearings. ("A long time ago, in a galaxy far, far away..." for you youngsters.) The word was always there but never so often used until after Watergate.


Paranoia: How Much is Too Much?

We in computer and network security, and those who claim to be, find ourselves talking about paranoia. Now, the definition we are talking about is the second one we find on dictionary.reference.com, "Extreme, irrational distrust of others." In computer and network security, the "extreme" part is alright, as is the "distrust of others." Of course, it is the "irrational" part that doesn't belong.

Rational distrust versus irrational is often what separates the grownups from the youngsters (darn, that is the second time I wrote that word on this blog today, and it is still a year before I turn 50!) -- in Internet parlance, the wizards from the newbies. It does not separate those who have certifications from those who do not have them (not in the direction you might think, anyway). It takes experience, and it takes a risk assessment that takes all controls into account, to know what to be afraid of and what not to.

Yeah I might be a little bit loco
But it keeps me from losin' my mind
Oh but half insane that's ok
Babe a little bit crazy's alright.
-- From "Loco," by David Lee Murphy


Push to talk

Who thought that this is a good idea? In case you are not familiar with this, Nextel, Verizon, and other mobile phone companies offer this "walkie-talkie" mode for making an instant connection to another phone. Nextel's demo explains that 1) you look up the user's number, 2) push the button to "instantly connect" to him, and 3) you will hear a chirp: JUST START TALKING AND HE WILL HEAR YOU. Some of us must need this. I'm thinking firefighters, police. But then, oh yeah, they have radios already. Most of us probably don't. I'm thinking surgeons, doctors, lawyers, tinkers, tailors, soldiers, sailors... me. Can I turn that sort of thing off? I suppose so. But I can't turn it off on someone else's phone. I have to listen to the other side of the conversation shouting out of the phone held 5 inches in front of the intended listener's face, and to his response, spoken loudly and clearly. Do we really need instant connections? Do we need instant access to each other?

Don't get me started on Blackberrys... Soon I may have to carry one.
