
Monday, August 16, 2010

Hanson Blues Brothers tribute

Huh. Knowing diddly about Hanson beyond the name and the ubiquity of their early hit "Mmm-Bop," I never figured they'd make a video for one of their songs, "Thinkin' 'Bout Somethin'," that would tip its and their hat to Ray Charles' cameo in The Blues Brothers. It's not quite a cut-for-cut homage, but it's as close a visual tribute as they could probably get within time and budget constraints to Charles' rendition of "Shake a Tail Feather." A couple of shots from Hanson's video even feature the well-known elevated rail crossing background from the film (via green-screen, I assume).

How's the music? I'm the wrong one to ask, since I really believe in my own advice. Allmusic's Stephen Thomas Erlewine has an opinion, though. I can say that the songs themselves are not especially alike, though there are deliberate hints of the earlier performance in the electric piano line of Hanson's.

Sunday, August 15, 2010

Thought on certificate authorities

An article warning of "a weak link in secure Web sites" notes that the Electronic Frontier Foundation has expressed concerns about the trustworthiness of some of the certificate authorities, or CAs, on the Internet.

This does not represent a new threat. The trustworthiness of CAs has always been a requirement of the SSL (secure sockets layer) security protocol, which is what lies behind so-called secure Web sites. What's new is that the New York Times is bringing it to everyone's attention.

Now the question is whether people are going to have to accommodate another area of complexity in their lives.

First, let's lay a little groundwork. SSL (actually TLS, but let's skip lightly over that) is not itself at the root of the problem. Rather, it relies explicitly and heavily on earlier work from the Telecommunication Standardization Sector (ITU-T), specifically on a standard the ITU-T defined called X.509. X.509 is the standard that introduced the world to CAs.

X.509 envisions a world of trusted authorities, godlike institutions that certify identity over a network. If a person presents this certification to a computer, the computer consults the CA and verifies that the presenter is who he claims to be.

That explanation is grossly oversimplified, but it gets to the heart of the aforementioned brouhaha over CAs. You might be wondering why anyone would trust the certification issued by the CA. It's a perfectly reasonable question, and the answer has two parts.

Let's start with the second of those parts. There must be a way to tie together the CA's certification to the entity (a person or an organization, like a company) claiming to hold that identity. That's where cryptography comes in: the certification is only regarded as valid if the presenter successfully meets a cryptographic challenge, part of which is inextricably tied to the certification itself. That's what happens, under the hood of your computer, whenever you visit a secure Web site. The complexity of the cryptography, or rather, the complexity of getting it right, is where most of the security community's time, energy and attention has been focused for a couple of decades.

Again, this is a gross and incomplete simplification, but that doesn't matter because the current problem is with the other part of the answer to "why should we trust CA certifications?" Quite simply, we trust the certifications because we trust the CAs. That has always been an explicit and bedrock assumption underlying X.509.

And that brings us back to the expressed concerns about the trustworthiness of CAs. What do we do when we can't trust one of them?

Fifteen years ago I attended a conference at which one of the presenters proclaimed, "Let a thousand CAs bloom." His point was that in our daily lives, we encounter many different levels of required trust, and thus many different ways of attesting to identity have evolved. Your local coffee shop may be willing to give you a free cup if you're short on cash one day because the staff recognizes your face. Your bank is going to require a government-issued photo ID if you want to do anything more than get change. The source of trust is different for each situation.

Online, however, there is primarily one source of trust: the CA. (Technically minded folks, leave aside PGP and the critical role of DNS for the sake of this discussion.) If a CA attests to the identity of Macy's online, that has to be good enough for us, because we have no other way of determining identity.

However, an untrustworthy CA can certify that some other entity is Macy's. The only way to discern whether or not you're dealing with the real Macy's is to do cryptographically secure checks of the certification chain back to the CA. Your browser can (and usually does) perform those checks, but you still need to know which CA the real Macy's registered with. How many of us know that? And intermediate CAs complicate the situation further, since you have to know which of them should be part of the certification chain, too.

The only reason rogue CAs haven't flourished is that only a few CAs at the top of the certification chain matter. Verisign, for instance, will not risk its reputation by certifying anything other than the "real" Macy's. It also will decertify any intermediate CA (that is, any CA whose own identity is verified by Verisign) that, by certifying bogus identities, abuses the trust placed in it.

However, other CAs can and do operate at the top, and it's not clear which of them can be trusted. Some of them might have an incentive to issue bogus certifications, on behalf of criminal organizations, for instance. Others might just be sloppy.

You can, if you wish, look at the certification chain by which your browser verified a secure Web site. The information is presented in a highly technical way, however, and likely won't mean much to you. This view also doesn't answer the fundamental questions: are the CAs attesting to the site's validity all trustworthy? Are they the ones that the real business actually requested to certify that business's identity?

Unfortunately, there's no automatic and straightforward way to answer those questions. At the moment, the best we can do is to ask the real vendor to announce which CA(s) it uses to certify its identity. That's a highly unsatisfactory answer, of course, but it is, sadly, the best we can do.
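To make "checks of the certification chain back to the CA" concrete, here is an added example in Python; it is mine, not part of the original post. It is a toy public-key infrastructure: textbook RSA with deliberately tiny keys stands in for the real signature algorithms, and the CA names and the site name "www.macys.example" are constructed for the demonstration (no real CA or real Macy's certificate is involved). It shows the browser's side of the story: a site certificate chains through an intermediate to a root in the trust store and verifies; a certificate whose fields were altered after signing does not; and a certificate for the same site name issued by a second, sloppier root in the trust store also verifies, because generic chain checking only asks whether some trusted root stands behind the certificate. The last function turns the post's remedy, asking the vendor which CA it uses, into a check that the chain ends at that root and no other.

```python
import hashlib
import random
from dataclasses import dataclass

# Added example: toy X.509-style chain of trust. Textbook RSA with tiny keys stands in
# for real signature algorithms; every CA and site name here is constructed, not real.

def _is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin test; callers only pass odd n > 3."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_keypair(rng, bits=80):
    """Toy RSA key pair ((n, e), (n, d)); 80-bit primes keep it instant and insecure."""
    def prime():
        while True:
            cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, full width
            if _is_probable_prime(cand, rng):
                return cand
    e = 65537
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e must be invertible mod phi
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(_digest_int(data, n), d, n)

def verify_signature(pub, data, sig):
    n, e = pub
    return 0 <= sig < n and pow(sig, e, n) == _digest_int(data, n)

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pubkey: tuple   # (n, e)
    signature: int  # issuer's signature over tbs()
    def tbs(self):  # the to-be-signed fields; altering any of them breaks the signature
        return f"{self.subject}|{self.issuer}|{self.pubkey[0]}|{self.pubkey[1]}".encode()

def issue(issuer, issuer_priv, subject, subject_pub):
    """The issuer vouches for (subject, public key) by signing them."""
    tbs = Cert(subject, issuer, subject_pub, 0).tbs()
    return Cert(subject, issuer, subject_pub, sign(issuer_priv, tbs))

def find_anchor(leaf, intermediates, trust_store, max_depth=5):
    """Generic browser check: follow issuer links until a trust-store root signs the
    current cert; return that root's name, or None. It asks whether SOME trusted root
    stands behind the cert, never whether it is the RIGHT one."""
    pool = {c.subject: c for c in intermediates}
    current = leaf
    for _ in range(max_depth):
        root = trust_store.get(current.issuer)
        if root and verify_signature(root.pubkey, current.tbs(), current.signature):
            return root.subject
        parent = pool.get(current.issuer)
        if parent is None or not verify_signature(parent.pubkey, current.tbs(), current.signature):
            return None
        current = parent
    return None

def verify_pinned(leaf, intermediates, trust_store, expected_root):
    """The post's remedy: the vendor announces its CA; accept that root and no other."""
    return find_anchor(leaf, intermediates, trust_store) == expected_root

def build_scenario(seed=2010):
    """Trust store with a careful root and a sloppy root that certifies an impostor."""
    rng = random.Random(seed)
    honest_pub, honest_priv = make_keypair(rng)
    inter_pub, inter_priv = make_keypair(rng)
    sloppy_pub, sloppy_priv = make_keypair(rng)
    site_pub, impostor_pub = make_keypair(rng)[0], make_keypair(rng)[0]
    honest_root = issue("Honest Root CA", honest_priv, "Honest Root CA", honest_pub)
    sloppy_root = issue("Sloppy Root CA", sloppy_priv, "Sloppy Root CA", sloppy_pub)
    intermediate = issue("Honest Root CA", honest_priv, "Honest Intermediate CA", inter_pub)
    real_site = issue("Honest Intermediate CA", inter_priv, "www.macys.example", site_pub)
    impostor = issue("Sloppy Root CA", sloppy_priv, "www.macys.example", impostor_pub)
    return {c.subject: c for c in (honest_root, sloppy_root)}, intermediate, real_site, impostor

if __name__ == "__main__":
    store, inter, real_site, impostor = build_scenario()
    print("real site chains to:", find_anchor(real_site, [inter], store))  # Honest Root CA
    print("impostor chains to: ", find_anchor(impostor, [], store))        # Sloppy Root CA
    print("pinned, impostor:   ", verify_pinned(impostor, [], store, "Honest Root CA"))  # False
```

Both certificates for "www.macys.example" pass `find_anchor`, each ending at a different root, which is exactly the post's complaint: the browser's trust store contains many roots, any of which can vouch for any name. Only `verify_pinned`, armed with the vendor's announcement of which root it uses, tells the two apart. The same idea in real deployments is certificate or key pinning, and it carries a practical caveat the post hints at: the moment the vendor changes CAs or rotates keys, a pin that nobody updated turns the real site into an apparent impostor.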

Wednesday, August 11, 2010

Steven Slater vs. the passenger

The reaction to JetBlue flight attendant Steven Slater's profane tirade to a planeload of passengers and subsequent bail-out via an emergency-hatch slide has been pretty much what I would have expected. Most people are understanding, ruefully citing the lousy conditions that everyone on planes must endure nowadays. Some--and I count myself among their number--wonder why the passenger whose willful disregard of the flight crew's instructions ignited this fiasco hasn't suffered any adverse consequences for her abusive and unsafe behavior.

A few, however, made comments similar to this one, although this was the most strident wording I found in a cursory scan. (Typos and poor grammar are as in the original.)


We know the airline industry games, and we don't like them. Flight attendants just like mortgage servicing operators, like Cops in Compton know who and what they represent. If you don't like your job, go do something else. We as Americans have the right to express any emotion, any sentient, in any time or place (beside obscenity) even at 30,000 feet.


I wonder if this was written by the passenger in question. It certainly reeks of the same self-centered sense of entitlement and lack of civility she demonstrated.

AV vs. text

In case the absence of "multimedia" in the form of pictures, embedded video, and embedded audio in this blog wasn't a clear enough sign, I'm biased toward plain old text.

I can cite all kinds of reasons, most of uncertain validity to normal people. However, the bottom line is that for the most part, the material I would find most compelling to mention, news footage, is just as readily communicable in plain text. I can gloss text far more readily than I can scan audio or video, too, which means I don't have to spend a lot of time to hit the highlights of a piece. This turns out to be incredibly important if, like me, you tend to lose hours in dictionaries and encyclopedias because you're endlessly fascinated by nearby or related items. It requires a good deal of willpower, and the aforementioned skimming ability, to prevent myself from losing even more hours on the Web. (I will not lightly sojourn to TV Tropes again, having been unable to tear myself away for the better part of twelve hours during my first visit.)

So I tailor this blog to suit myself as a visitor, which is a little weird, but there it is. Oh, and did I mention it's a hell of a lot easier to manage a blog whose contents can be represented as text files rather than multimedia presentations?

Krugman on "going dark"

Paul Krugman's column entitled "America Goes Dark" perfectly sums up what I think is wrong with this country. Read the whole thing, but if you're looking for a quick overview, his own words do the job well:

Everything we know about economic growth says that a well-educated population and high-quality infrastructure are crucial. Emerging nations are making huge efforts to upgrade their roads, their ports and their schools. Yet in America we’re going backward.

How did we get to this point? It’s the logical consequence of three decades of antigovernment rhetoric, rhetoric that has convinced many voters that a dollar collected in taxes is always a dollar wasted, that the public sector can’t do anything right.

Libertarians like Ron Paul and his son Rand spew this bogus rhetoric, but I can respect them at least for (more or less) walking the walk. Mainstream Republican politicians, on the other hand, have fed ill-informed voters' desire to pay less than they should for government services they don't realize they're getting (Medicare is a government program, dummies), while at the same time lacking the courage to make meaningful cuts to those services. Those politicians know how much effective government really costs. They know they've contributed as much or more to the national debt in the last decade as the much-reviled Democrats, only their priority has been defense- and national security-related programs, some of dubious utility (keeping my shampoo off the plane is not, I aver, greatly helpful to aviation safety). Even with their much-ballyhooed devotion to our collective safety, Republicans have made some terrible decisions: for instance, the security screening at our major ports is still all but nonexistent due to the G. W. Bush administration's preoccupation with passenger air travel, a more visible, hence more politically important, element of the transportation security puzzle. (I'll admit, I don't know whether the Obama administration has put forth any greater effort to screen incoming cargo shipments.)

Oh, and there was the totally unnecessary invasion of Iraq, too. That Republican-led boondoggle has bled hundreds of billions of dollars from our national coffers and ballooned the debt to obese levels. Democrats weren't guiltless in the rush to war, but they weren't in power, either.

As usual in this benighted country, we're eager to embrace the simplistic because it keeps us from having to think. "Government is bad, it's wasteful, it's incompetent" -- once you make that your credo, you don't have to wonder whether it's just possible government does anything good, much less investigate how well it actually performs.

Wake up, dummies, before we do more damage to ourselves than we can repair.

Saturday, August 7, 2010

Old 97's live and for free

It was flat-out wonderful that the state of Texas, seeking to boost tourism, decided to have the Old 97's play free shows in conjunction with a traveling exhibit. In San Francisco's Justin Herman Plaza, the boys played for over an hour, including an encore. The main set included a rendition of R.E.M.'s "Driver 8," one of four to be featured on an upcoming EP of covers; they also performed a couple of songs from their new album, due in October. For my part, I was delighted beyond words that a couple of Murry's songs made it onto the set list: the theme-appropriate "W. TX Teardrops" and the absolutely lovely "Color of a Lonely Heart is Blue." It must be said that both Rhett Miller's and Murry Hammond's singing sounded rusty, but Miller in particular was energetic enough to compensate for any vocal shortcomings. And, um, this was a free show!

Classic toons on demand

Should have mentioned this before, but if you have Comcast cable TV, take a look in On Demand / Kids / Kids WB / Looney Tunes. There you'll find several Golden Age Warner Bros. cartoon shorts. The highlights currently include Along Came Daffy and Bugs Bunny and the Three Bears, both ending 10 Aug 2010; other classics include Duck! Rabbit, Duck!, Little Red Riding Rabbit (one of the best Bugs Bunny cartoons ever, courtesy of the underappreciated Friz Freleng, and featuring an uncredited Billy Bletcher and Bea Benadaret sharing vocal chores with Mel Blanc), and an entirely unexpected but welcome Merrie Melodie from 1938, Katnip Kollege.

If you have time for only one, check out the latter: like most '30s cartoons it is rarely, if ever, shown on television because of its relatively antique look and feel compared to the better-known shorts from the '40s and '50s, yet it boasts a terrific soundtrack. Stalling was still hewing closer to sweet rather than hot jazz, and the recording loses much of the higher-frequency sound that would give later cartoons, especially those of the '40s, their distinctively brassy tone. As was common in his '30s work, there was not much in the way of abstract orchestral accompaniment: rather, the music consists almost entirely of brief quotations of well-known themes, including a verse or two, plus the chorus, of Let That Be a Lesson to You, better known to later audiences from 1951's Hare We Go (remember Bugs singing, "Oh, Columbus was the discoverer of America"?). Lots of singing by male tenors, solo and choral, is another characteristically '30s-ish touch that disappeared when the Merrie Melodies were no longer required to plug Warners songs.

Katnip Kollege is a delightful trip back to a time before Warners had perfected its house style and it was still acceptable to make a cartoon that served as our great-grandparents' version of a music video.