2/24/04

Martinis, #2

Order a martini in Ukraine at your own risk. I've not been everywhere, but the places I've been don't seem to get it. This was confirmed by a friend who lives in Odessa. He said to me, "Hey, you like martinis! I had one the other day when visiting a prison. The director insisted I join her in a martini. I thought, 'Ugh.' But it was very good. I was surprised. She showed me the bottle. It said 'Martini' right on it."

Ummm. Yeah. I had to tell my friend he still didn't like martinis. He had a drink, in a cocktail glass, of dry vermouth. What's strange -- but not that strange -- is that the prison director thought it was a martini. I suppose it was false sophistication.

2/21/04

Basis for Salvation

In his weblog cataloging his thoughts and growth in the Orthodox Faith at http://confessio.blogspot.com/ my friend Steve Fallin muses on the question, "Are we even looking at the right thing?" This is a short response to that.

Most excellent Theophilus,

Well, the question that separates the men from the boys, as they say -- and in this context, I really mean denominations from each other -- is the answer to the question "What is the basis for our justification?" This is shorthand, of course, for 1) how and when are we saved from hell, 2) on what basis are we saved, 3) what is our standing now before God, and a bunch of others. Whose righteousness is this anyway?

The Reformed world (ah, how I am speaking for the whole of the Reformed faith... Not) is comfortable with the apparent tension between Paul and James. Both of them are canonical and the true word of God. The tension is in our minds, I think, because we like things neat and tidy. We want to be able to say, "Oh, okay -- gotcha. All I have to do is this, that, and a lot of the other." But it is not like that. We say, "I don't understand. How can salvation be 'sola fide,' 'sola gratia,' and still have James's epistle in the mix?" But what is the problem? There is no contradiction. God says, through Paul, "this not of yourself, it is the work of God so that no man can boast." And through James, "faith without works is dead." Where's the tension?

You bring up predestination, and write, "Some time ago, I discovered that this basic back and forth has been going on since Geneva and Wittenberg." Brother, try since the beginning of time. The underlying statement is, "it is not my fault!" See Adam's accusation of Eve. See Cain's reaction to God's challenge. Paul addresses this question, as I am sure you know, in Romans 9. People will always ask this question. (Talk about a straw man! :-)) And -- I am not sure that the Lutheran and Reformed views on this are as different as you imply, but I could be mistaken, not being a Lutheran. But your view of Calvinism is certainly wrong. I think you misunderstand irresistible grace. (I taught a class wherein we examined some of these from a Reformed perspective: http://www.avolio.com/~fred/ss/ddf/index.html. I only wish we had recorded them.)

Does the view of irresistible grace mean God forces a person -- "rapist to the elect" is the phrase you used? Well, no. But we have to take a step back. What is the state of man according to Scripture? Old and New Testament alike affirm what Paul says. Outside of Christ we are dead in our sins. We were spiritually dead. Not sick. Not misguided. Dead.

What can a dead person do to save himself? Nothing. Even if we think about someone who is nearly but not completely physically dead, the analogy still holds up. What can the comatose person do? Nothing. What can the unconscious person lying at the bottom of a pond do? Nothing. Someone who is able must resuscitate, if anyone is going to. Someone other than the person must do it. And that is what God does to those the Father chooses to give to the Son. Why? For His own glory. (See Ephesians 1.)

So, those God foreknew (Rom 8:29) he chose before creation to be given as a gift to the Son (Eph 1:4-5). He established that point in time when that person would be called by the gospel (Rom 8:28-30). In order to respond to that outside call, the person must be regenerated -- he who is spiritually dead is made alive (Titus 3:5, Eph 2:4-5). The Holy Spirit gives that person a new nature, one that sees his true condition and sees his need of a Savior. The Spirit gives the gifts of faith and repentance (Eph 2:8-9, Acts 20:21, Heb 6:1). The believer is justified (declared just or righteous) forensically (legally) on the basis of Christ's righteousness (Rom 3:24-26). Christ's payment saves us from the penalty of hell. He also took God's righteous wrath -- the Father's anger towards us -- on the cross, so we need no longer fear that. God gives us a righteousness not of ourselves. So, we can stand before God without fear. But wait, as they say. There's more.

Not satisfied with that, God adopts the believer into His family (Eph 1:5, Rom 8:15)! Not only as children, but given the full rights of the firstborn Son. He doesn't leave it at that. He puts His Holy Spirit inside of us, and the Spirit sanctifies us throughout the believer's life (Phil 2:12-13, Heb 12:14, Thes 4:7). (That's the process in all of this, in the Reformed view.) Our position is guaranteed by the Holy Spirit -- with the Holy Spirit Himself (Phil 1:6, Heb 12:2). We will not be cast aside. We were bought with the Blood of Christ. And some day, God promises, we will be with the Lord and we will be like the Lord (Rom 8:30, 9:23).

What about those He does not save, the objects of wrath Paul speaks of? They get what they deserve. And I write that with sadness. But the Bible clearly teaches this. And those who reject Christ are doing exactly what they want to do.

So, how should we then live? In communion with each other and with Father, through the Son, in the power of the Spirit. Amen.

2/20/04

Secure Security Products?

Quick -- What was the first commercial firewall product with an announced serious (as in, one could "get root") security vulnerability? No, not Check Point. It was Gauntlet. (Disclaimer: it was after NAI took over, and after I left. I.e., someone else's watch. :-)) That was a few years ago. This latest vulnerability is current. SearchSecurity's write-up is here. The US CERT's Alert -- sorry, the Technical Cyber Security Alert (is this stuff great, or what?) -- number TA04-036A is at TA04-036A.html. The sobering and predictable overview states, "Several versions of Check Point Firewall-1 contain a vulnerability that allows remote attackers to execute arbitrary code with administrative privileges. This allows the attacker to take control of the firewall and the server it runs on." Oh, this vulnerability is in the new Application Intelligence component of Firewall-1. ("Application Intelligence" is a marketing term for their application gateway technology, the stuff they called old technology in the late 90s. See my column "Debunking the Firewall Hype" here.)

I am not (anymore) going to kick Check Point when they are down. This is for two reasons. First, they are not down (though their stock is not tracking the market growth... oops, sorry... really now). Second, the problem is one shared by many other vendors: the lack of an overarching and pervasive security architecture. "Security architecture," as in how the product itself is developed and secured. "Security architecture" that is not a buzzword in a press release, naming an API, but is documented and periodically checked. Just as enterprises must have a network security policy that implements a security architecture -- with both periodically reviewed and validated -- security products must have a security architecture used with similar regularity. It is not just Check Point. All security vendors have to be much more careful. And what about you? When was the last time you asked a security vendor to describe its security architecture?

Secure Coding? Of Course.

Andy Briney, in his February Information Security Magazine [NOTE: Searchsecurity no longer keeps old archives. This takes you to iranscience.net.] column, called "Secure Coding? Bah!", makes the claim that while we may ask for secure software, it is "Not gonna happen." He sees pursuing secure programming as "totally impractical."

Of course, he's wrong, though not completely. He correctly talks about incentives. But then he makes a jump to suggest that there is no money to research how to accomplish this. Also, he says, this is a very complex and specialized problem.

Research is not needed. Use of proper tools and programming languages is. Tools exist to tighten up code and find possible problems. Also, it is not specialized. Poorly written software crashes all the time. We are used to it. But it is not unique to security. Sometimes a buffer overflow results in a system hang. Other times it allows an exploit.

While I disagree with his claim that "Secure coding is yet another silver bullet," I agree that "Risk reduction is all about reducing vulnerabilities, mitigating threats and lowering event costs." Andy doesn't believe that secure coding is part of the solution, except theoretically. I believe it can be.

Check out his column at the above-cited URL and look for discussions elsewhere on it at seclists.org, or by using your favorite search engine and looking for the title of his column.

Getting Rid of the Last Click for Secure E-mail

Check out a paper by Jon Callas. In it, Jon talks about solutions that he has proposed for making encryption more widely used. Download the PDF file.

I've written on this subject before. (See my "Secure E-mail collection" here.) The technology and related software to easily use encryption has been around for 15 years. Aside from our apparent lack of belief in the need for it, the use of cryptography and the need for some level of ubiquity have been speedbumps for its use. Rather than go through the details, I suggest you listen to the webcast. Also, you can see my review of PGP Universal by clicking on Painless PGP.

You Tried to Send a Virus... Or Did You?

In recent months I, probably along with many of you, received e-mail from an MX server informing me that the e-mail message I sent to someone (someone I did not know) contained a virus. In some cases the helpful mail server bounced the infected attachment back to me. And in all cases, the errors were in response to e-mail claiming to be from me, but not from me.

Brian Martin of Attrition.org discusses this and makes the charge that these anti-virus companies are committing spam. His interesting discussion is at attrition.org. There is only one statement in this article I must protest against (see if you can guess), but I found the discussion compelling. At the very least we should carefully consider how we set up our mail gateway antivirus systems.

2/18/04

Save your sanity -- Backup that PC!

As computer disks have gotten larger, we, their users, store more and more data on them. We store digital photos, voice and video, and e-mail messages. We store school and work projects, writing assignments, books-in-process, draft proposals, and our electronic bankbooks (remember those?) and address books. Additionally, we buy and install new software when required or desired.

So, what do you do when disaster strikes? By disaster, I mean any loss of data that cannot be handled by a simple "undo" function. (The Windows "Recycle bin" will save you from most accidental file deletions.) But what do you do if:
  • Your notebook PC is stolen
  • You mistakenly edited a file and need to recover a previous version.
  • You delete a file too large to store in the Recycle bin
  • You have to reformat your hard drive
  • Your hard drive has a "head crash" (which is as horrible as the name, and the event, sounds)
The last two won’t happen in a million years (notice, I wrote have to reformat), but what if they did? What would you do?

Why, you’d recover the data from your last back-up disk. Don’t have one? You need to. Here’s what to do.
  1. Get something on which to back your data up. I suppose Microsoft and others expect you to do that to another partition on your hard drive. That will help in some situations, but obviously not in the case of theft or disk failure. You might already have a CD recorder or writer. If one did not come standard with your PC, go out and buy one. If you are uncertain about opening up your computer to add the drive (or if you have a notebook PC), buy one that will plug into your computer’s USB port. Recall CDRs are "write-once" devices while CDRWs allow you to add, delete, and replace files.

    Recordable drives and media are less expensive. A few years ago, I spent $300 when I bought my first CDRW drive to do back-ups. Today, after rebates I can get one for $50. It is worth the expense.
  2. Get software to do back-ups and restores. If you use Windows, it has a program named "Backup." This will do just fine for basic backups and restores. (Find it under Accessories/System Tools. If it is not there, load it from your Windows disk.)
  3. Create a system recovery set. It should back up everything on your system, including programs you added since first getting your system.
  4. Create and schedule automatic backups of your system. Do not routinely back up your whole system, but do save the files that change. An easy way to get all of your data files is to select "My Documents" in your backup program. I also recommend you select individual user settings under "Documents and Settings" on the C drive. One thing you will decide here is where to save the backup sets. I recommend saving them to your CDRW drive. You can keep the disc in the drive (or put it back when you are finished using it), and have backups run at night. Or, if you don’t leave your computer on, make sure you remember to back it up daily. (This is so you might actually do it weekly.)
  5. Decide what type of backup you’ll do. I do incremental backups. This only backs up files that changed since the last backup. This takes less space in the backup, but recovery of files will require going through more backup files (maybe on multiple CDs).
  6. Finally, test the system by seeing if you can recover a file that you previously backed up. Come on! You know why.
I use "Backup MyPC" by Stomp, Inc. It does everything the program you got "free" with your computer does, but it also backs up systems on my home network as well as writes to CD-Rs. What I mean is, I can leave a CD-R (not CD-RW) in my drive and have backups run every night. When the CD-R is full, it automatically pops it out and waits for me to put in and label the next disk. I have very little to do. I like that part.

So, what should you use? Try the one that came with your computer first. See if it does what you want. But, you do have to use it for it to be effective.
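
An added example, not part of the original post or of any backup product: a small Python sketch of steps 5 and 6 above. It makes an incremental backup that copies only changed files into a new set, then does a test restore that checks the recovered file against its recorded hash. The manifest format, the set names, and the functions `incremental_backup` and `restore_and_verify` are assumptions made for illustration.

```python
import hashlib, json, shutil, tempfile
from pathlib import Path

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def incremental_backup(source, backup_root, set_name):
    """Copy only files whose content changed since the previous backup set."""
    source, backup_root = Path(source), Path(backup_root)
    backup_root.mkdir(parents=True, exist_ok=True)
    manifest_path = backup_root / "manifest.json"   # hypothetical manifest file
    manifest = json.loads(manifest_path.read_text()) if manifest_path.exists() else {}
    copied = []
    for f in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = f.relative_to(source).as_posix()
        digest = sha256(f)
        if manifest.get(rel, {}).get("sha256") != digest:   # new or changed file
            dest = backup_root / set_name / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(f, dest)
            # Record which set holds the latest copy: a restore may need any set.
            manifest[rel] = {"sha256": digest, "set": set_name}
            copied.append(rel)
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return copied

def restore_and_verify(backup_root, rel, dest):
    """Step 6: restore one file from the set holding it and check its hash."""
    backup_root = Path(backup_root)
    entry = json.loads((backup_root / "manifest.json").read_text())[rel]
    shutil.copy2(backup_root / entry["set"] / rel, dest)
    return sha256(dest) == entry["sha256"]

def demo():
    # Constructed sample data in a temporary directory; nothing real is touched.
    with tempfile.TemporaryDirectory() as tmp:
        docs, bak = Path(tmp) / "My Documents", Path(tmp) / "backup"
        docs.mkdir()
        (docs / "draft.txt").write_text("version 1")
        (docs / "photo.bin").write_bytes(b"\x00" * 16)
        first = incremental_backup(docs, bak, "set-001")    # everything is new
        (docs / "draft.txt").write_text("version 2")
        second = incremental_backup(docs, bak, "set-002")   # only the edited file
        restored = Path(tmp) / "restored.txt"
        ok = restore_and_verify(bak, "draft.txt", restored)
        return first, second, ok, restored.read_text()

if __name__ == "__main__":
    print(demo())
```

The unchanged file stays only in the first set, which is the trade-off described in step 5: less space per backup, but a full recovery has to read from more than one set.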

2/2/04

What Character Are You?

Okay, so why am I disappointed? I took this test. I saw it at a friend's weblog. I thought it would be fun to take. He was "rated" as "Yoda." Me? Well, you see: Galadriel. Should I be insulted? What's it say about me? Well, probably nothing. :-) No, I'm secure enough not to mind, and even to post this. And, anyway, when you look at the results of everyone who took the test, Galadriel is #1 with over 42,000 matches.

Ah, well... Click on the photo and take the test. (Note, this takes you off my web site.)
Which Fantasy/SciFi Character Are You?