Monday, November 23, 2015

A few thoughts on OpenBSD 5.8

I've been using OpenBSD since way back at release 2.3 in 1998, so I've gone through upgrades that took a fair amount of work due to incompatible changes, like the switch from ipf to pf for host firewalling or the change to ELF binaries. The upgrade from 5.7 to 5.8 was a pretty smooth and easy one, for the most part. The two most painful changes for me were the replacement of sudo with doas and the dropping of support in the rc.conf for the pf_rules variable.  While sudo is still available as a package, I like the idea of reducing attack surface with a simpler program, so I made the switch. The two things I miss most about sudo are the ability to authenticate for a period of time and the ability to have a single config file across a whole set of servers. The former I'm just living with, the latter I've adjusted to by having a single config file that has lines commented out depending on which server it's on. I did have one moment of concern about the quality of doas when it incorrectly reported the line number on which I had a syntax error in the config file--fortunately, this was just a failure to increment the line count on continuation lines (ending with a "\") which is fixed in the -current release.

The removal of the pf_rules variable support from rc.conf was a bigger issue--I used to just put the default pf.conf rules file in place with each release and upgrade, and keep my changes in a pf.conf.local file that was specified in the pf_rules variable. The effect was that from the period after the upgrade until I noticed the change, my systems were using the default rules and thus more exposed than they were supposed to be. This wasn't the first time an incompatible change decreased my level of security--the removal of tcpwrappers support from SSH was another. I used to use a combination of pf rules and hosts.allow as additional layers of protection on my SSH access, and had a set of tools that allowed me to easily add IP addresses to or remove them from my hosts.allow files. This would have been a layer of defense still in place with the loss of my pf rules, had it still been in existence. Fortunately, I also have SSH on a non-standard port and only allow SSH key logins, not user/password logins, and most of my systems can't be reached on any port without first making a VPN connection, which requires two-factor authentication.
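The failure mode above is a silent one: a variable the rc scripts no longer read is simply ignored, and nothing in the upgrade tells you. The following script is an added example (not code from the original post) of the post-upgrade check I would want for it: it lists every variable set in rc.conf.local that the new stock /etc/rc.conf does not define, which is exactly how a dropped pf_rules would show up. The sample rc.conf and rc.conf.local contents are constructed for the demonstration, not copied from a real 5.8 system, and the file paths are only arguments.

```sh
#!/bin/sh
# Added example, not from the original post: after an OpenBSD upgrade, report
# variables set in rc.conf.local that the new /etc/rc.conf no longer defines.
# A hit means the setting is silently ignored, as pf_rules was after 5.8.

# Print the variable names assigned in a shell-style rc file, one per line.
# Comment lines and trailing comments are skipped by the pattern itself.
rc_vars() {
    sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$1" | sort -u
}

# Print every variable set in $2 (rc.conf.local) that $1 (rc.conf) does not
# define. Returns 0 if the local file is clean, 1 if stale variables exist.
stale_rc_vars() {
    known=$(mktemp) || return 2
    rc_vars "$1" > "$known"
    found=$(rc_vars "$2" | grep -F -x -v -f "$known" || true)
    rm -f "$known"
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed sample standing in for the stock /etc/rc.conf after the upgrade.
sample_rc_conf() {
    cat > "$1" <<'EOF'
# /etc/rc.conf (constructed sample): the variables the rc scripts still know.
pf=YES
pflogd_flags=
sshd_flags=
unbound_flags=NO
EOF
}

# Constructed sample standing in for an admin's pre-upgrade /etc/rc.conf.local.
sample_rc_conf_local() {
    cat > "$1" <<'EOF'
# /etc/rc.conf.local (constructed sample): local overrides carried forward.
pf_rules=/etc/pf.conf.local    # honoured before 5.8, silently ignored after
unbound_flags=
EOF
}

# Demonstration on the constructed files; on a real host you would pass
# /etc/rc.conf and /etc/rc.conf.local instead.
demo() {
    dir=$(mktemp -d)
    sample_rc_conf "$dir/rc.conf"
    sample_rc_conf_local "$dir/rc.conf.local"
    if stale_rc_vars "$dir/rc.conf" "$dir/rc.conf.local"; then
        echo "rc.conf.local is clean"
    else
        echo "the variables above are no longer honoured; move their settings elsewhere"
    fi
    rm -r "$dir"
}
demo
```

Run this as the last step of every upgrade, before trusting the firewall state; a non-empty report is the cue to reload the intended rules and to re-check `pfctl -sr` against what you expect, rather than discovering weeks later that the default ruleset has been in force.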

A minor annoying change that was made in 5.8 was putting the file /var/unbound/db/root.key into /etc/changelist, so that the file gets checked daily by the security script. The issue with this is that if you are actually using unbound with DNSSEC, this file changes daily, though only in the comments. My "reportnew" log monitoring tool has a feature that allows you to be notified if files that are expected to change on some periodic schedule do not change, and that would be more appropriate than getting daily notifications that yes, the autotrust anchor file has been updated yet again. But what would really be ideal here would be a check that the non-comment components have not changed. (Others have also complained about this.)
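The check the paragraph asks for, a comparison that ignores comments and flags only a change to the records themselves, is short to write. The script below is an added example (not code from the original post or from OpenBSD's security script): it strips the ";" headers and ";;" annotations from two copies of an autotrust anchor file, normalises whitespace, and compares what is left. The anchor file contents are constructed samples in the autotrust layout, with an obviously fake key string, not the real root trust anchor.

```sh
#!/bin/sh
# Added example, not from the original post: compare two copies of unbound's
# autotrust anchor file (/var/unbound/db/root.key) ignoring comments, so the
# daily refresh that only rewrites ";;lastchange"-style annotations is not
# reported as a change, while a changed or added DNSKEY record is.

# Print the records of an autotrust file with comments and blank lines
# removed and whitespace normalised. Lines beginning with ";" are headers
# written by unbound; trailing ";;..." annotations carry probe timestamps.
anchor_payload() {
    sed -e 's/;.*$//' -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' -e '/^$/d' "$1" | sort
}

# Return 0 if the record payload of the two files is identical, 1 if not.
anchor_unchanged() {
    a=$(anchor_payload "$1")
    b=$(anchor_payload "$2")
    [ "$a" = "$b" ]
}

# Write a constructed anchor file in autotrust layout.
# $1 = path, $2 = unix timestamp used for the probe annotations, $3 = key data.
sample_anchor() {
    cat > "$1" <<EOF
; autotrust trust anchor file
;;id: . 1
;;last_queried: $2 ;;constructed sample
;;last_success: $2 ;;constructed sample
;;next_probe_time: $(( $2 + 43200 )) ;;constructed sample
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
.   172800  IN  DNSKEY  257 3 8 $3  ;;state=2 ;;count=0 ;;lastchange=$2 ;;constructed sample
EOF
}

# Demonstration: yesterday's and today's files differ only in annotations;
# the third file carries a different key and must be reported.
demo() {
    dir=$(mktemp -d)
    key="AwEAAcONSTRUCTEDexamplekeyNOTtherealrootKSK="
    sample_anchor "$dir/root.key.yesterday" 1448208000 "$key"
    sample_anchor "$dir/root.key.today" 1448294400 "$key"
    sample_anchor "$dir/root.key.rolled" 1448294400 "AwEAAdifferentCONSTRUCTEDkeyNOTtherealrootKSK="
    if anchor_unchanged "$dir/root.key.yesterday" "$dir/root.key.today"; then
        echo "daily refresh: annotations only, trust anchor unchanged"
    fi
    if ! anchor_unchanged "$dir/root.key.yesterday" "$dir/root.key.rolled"; then
        echo "trust anchor record changed: investigate"
    fi
    rm -r "$dir"
}
demo
```

In use you would keep yesterday's copy (or the normalised payload of it) alongside the live file and run the comparison from the daily job instead of relying on the changelist entry; a report then means a DNSKEY record actually changed, which is the event worth a human's attention.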

A final issue I've run into with OpenBSD 5.8 is not a new issue, but it's one that still hasn't been fixed with pf. That is that pf logs certain traffic (IGMP in particular) when it matches a rule that does not call for logging. This appears to be the same issue that was fixed earlier this year in pfsense, which is derived from an older fork of pf.

Monday, July 20, 2015

Al Seckel exposed

"I believe that we are rapidly transitioning from an Age of Information to an Age of Misinformation, and in many cases, outright disinformation." -- Al Seckel, in an interview published on Jeffrey Epstein's website, "Jeffrey Epstein Talks Perception with Al Seckel"

Mark Oppenheimer's long-awaited exposé on Al Seckel, "The Illusionist," has now been published and I urge all skeptics to read it. Seckel, the former head of the Southern California Skeptics and a CSICOP Scientific and Technical Consultant who was listed as a "physicist" in every issue of the Skeptical Inquirer from vol. 11, no. 2 (Winter 1987-88) to vol. 15, no. 2 (Winter 1991) despite having no degree in physics, has long been known among skeptical insiders as a person who was misrepresenting himself and taking advantage of others. Most have remained silent over fear of litigation, which Seckel has engaged in successfully in the past.

An example of a legal threat from Seckel is this email he sent to me on May 27, 2014:
Dear Jim,
News has once again reached me that you are acting as Tom McIver's proxy in
spreading misinformation and disinformation about me. Please be aware that
I sued McIver in a Court of Law for Defamation and Slander, and after a
very lengthy discovery process, which involved showing that he fabricated
letters from my old professors (who provided notarized statements that they
did not ever state nor write the letters that McIver circulated, and the
various treasurers who were in control of the financial books of the
skeptics, also came forth and testified that no money was taken, and McIver
was unable to prove any of his allegations. The presiding Judge stated that
this was the "worst case of slander and defamation" that he had ever seen.
Nevertheless, even with such a Court Order he is persisting, and using (and
I mean the term "using") you to further propagate erroneous misinformation.
Lately, he has been making his defamatory comments against various people,
and posting links to a news release article by the Courthouse News (a press
release service) that reports the allegations set forth in complaints. Just
because something is "alleged" does not mean it is True. It has to be
proven in a Court of Law. In this case, after a lengthy discovery process
(and I keep excellent records) the opposite of what was alleged was
discovered, and the opposing counsel "amicably" dismissed their charges
against me. The case was officially dismissed. In fact, the opposing
counsel has been active in trying to get the Courthouse News to actively
remove the entire article, and not just add a footnote at the end.
I note that you have been trying to add this link to my wikipedia page. I
have never met you, and am not interested in fighting with you. I am
attaching the official Court document that this case was filed for
dismissal by the opposing counsel. You can verify yourself that this is an
accurate document with the Court. So, once again, McIver has used you.
My attorneys are now preparing a Criminal Complaint against McIver for so
openly violating the Court Order (it is now a criminal offense), and will
once again open the floodgates of a slander and defamation lawsuit against
him and his family, and anyone else, who aids him willingly in this process.
This time he will not have his insurance company cover his defense. This
time that axe will come down hard on him.
For now, I will just think you are a victim, but please remove any and all
references to me on any of your websites, and that will be the end of it.
You don't want to be caught in the crossfire.
Yours sincerely,
Al Seckel
--
Al Seckel
Cognitive neuroscientist, author, speaker
Contrary to what Seckel writes, we have, in fact, met--I believe it was during the CSICOP conference, April 3-4, 1987, in Pasadena, California.  I am not an agent of Tom McIver, the anthropologist, librarian, and author of the wonderful reference book cataloging anti-evolution materials, Anti-Evolution, who Seckel sued for defamation in 2007, in a case that was settled out of court (see Oppenheimer's article). I have never met Tom McIver, though I hope I will be able to do so someday--he seems to me to be a man of good character, integrity, and honesty.

The news release Seckel mentions is regarding a lawsuit filed by Ensign Consulting Ltd. in 2011 against Seckel charging him with fraud, which is summarized online on the Courthouse News Service website. I wrote a brief account of the case based on that news article on Seckel's Wikipedia page in an edit on March 13, 2011, but it was deleted by another editor in less than an hour.  Seckel is correct that just because something is alleged does not mean that it is true; my summary was clear that these were accusations made in a legal filing.

Seckel and his wife, Isabel Maxwell (daughter of the deceased British-Czech media mogul, Robert Maxwell), rather than fighting the suit or showing up for depositions, filed for bankruptcy.  Ensign filed a motion in their bankruptcy case on December 2, 2011, repeating the fraud allegations.  But as Seckel notes, Ensign did dismiss their case in 2014 prior to his sending me the above email.

So why should anyone care?  Who is Al Seckel, and what was he worried that I might be saying about him? This is mostly answered by the Oppenheimer article, but there is quite a bit more that could be said, and more than what I will say here to complement "The Illusionist."

Al Seckel was the founder and executive director of the Southern California Skeptics, a Los Angeles area skeptics group that met at Caltech.  This was one of the earliest local skeptical groups, with a large membership and prominent scientists on its advisory board.  Seckel has published numerous works including editing two collections of Bertrand Russell's writings for Prometheus Books (both reviewed negatively in the Journal of Bertrand Russell Studies, see here and here).  He has given a TED talk on optical illusions and authored a book with the interesting title, Masters of Deception, which has a foreword by Douglas R. Hofstadter.  Seckel was an undergraduate at Cornell University, and developed an association with a couple of cognitive psychology labs at Caltech--in 1998 the New York Times referred to him as a "research associate at the Shimojo Psychophysics Laboratory." His author bios have described him as author of the monthly Neuroquest column at Discover magazine ("About the Author" on Masters of Deception; Seckel has never written that column), as "a physicist and molecular biologist" (first page of Seckel's contribution, "A New Age of Obfuscation and Manipulation" in Robert Basil, editor, Not Necessarily the New Age, 1988, Prometheus Books, pp. 386-395; Seckel is neither a physicist nor a molecular biologist), and, in his TED talk bio, as having left Caltech to continue his work "in spatial imagery with psychology researchers at Harvard" (see Oppenheimer's exchanges with Kosslyn, who has never met or spoken with him, and Ganis, who says he has exchanged email with him but not worked with him).

At Cornell, Seckel associated with L. Pearce Williams, a professor of history of science, who had interesting things to say when McIver asked him about their relationship. While in at least one conference bio, Seckel is listed as having been Carl Sagan's teaching assistant, I do not believe that was the case. The Cornell registrar reported in 1991 in response to a query from Pat Linse that Seckel only attended for two semesters and a summer session, though a few places on the web list him as a Cornell alumnus.

Seckel used to hang out at Caltech with Richard Feynman. As the late Helen Tuck, Feynman's administrative assistant, wrote in 1991, Seckel "latched on to Feynman like a leach [sic]." Tuck wrote that she became suspicious of Seckel, and contacted Cornell to find that he did not have a degree from that institution. You can see her full letter, written in response to a query from Tom McIver, here.

As the head of the Southern California Skeptics, Seckel managed to get a column in the Los Angeles Times, titled "Skeptical Eye." Most of his columns were at least partially plagiarized from the work of others, including his column on Sunny the counting dalmatian (plagiarized from Robert Sheaffer), his column on tabloid psychics' predictions for 1987 (also plagiarized from Sheaffer), and his column about Martin Reiser's tests of psychic detectives (plagiarized directly from Reiser's work). When Seckel plagiarized Sheaffer, it was brought to the attention of Kent Harker, editor of the Bay Area Skeptics Information Sheet (BASIS), who contacted Seckel about it. Seckel apparently told Harker that Sheaffer had given his permission to allow publication of his work under Seckel's name, which Sheaffer denied when Harker asked. This led to Harker writing to Seckel in 1988 to tell him about Sheaffer's denial, and to inform him that he, Seckel, was no longer welcome to reprint any material from BASIS in LASER, the Southern California Skeptics' newsletter. While most skeptical groups gave each other blanket permission to reprint each other's material with attribution, Harker explicitly retracted this permission for Seckel.

This is, I think, a good case study in how the problem of "affiliate fraud"--being taken in by deception by a member of a group you self-identify with--can be possible for skeptics, scientists, and other educated people, just as it is for the more commonly publicized cases of affiliate fraud within religious organizations.

This just scratches the surface of the Seckel story. I hope that those who have been fearful of litigation from Seckel will realize that, given the Oppenheimer story, now is an opportune time for multiple people to come forward and offer each other mutual support that was unhappily unavailable for Tom McIver eight years ago.

(BTW, one apparent error in the Oppenheimer piece--I am unaware of Richard Feynman lending his name for use by a skeptical group. He was never, for example, a CSICOP Fellow, though I'm sure they asked him just as they asked Murray Gell-Mann, who has been listed as a CSICOP Fellow since Skeptical Inquirer vol. 9, no. 3, Spring 1985.)

"Oh, like everyone else, I used to parrot, and on occasion, still do." -- Al Seckel (interview with Jeffrey Epstein)

Corrected 22 July 2015--original mistakenly said Maxwell was Australian.

Update 22 September 2015--an obituary has been published for Al Seckel, stating that he died in France on an unspecified date earlier this year, but there are as yet no online French death records nor French news stories reporting his death. The obituary largely mirrors content put up on alseckel.net, a domain that was registered on September 18 by a user using Perfect Privacy LLC (domaindiscreet.com) to hide their information. (That in itself is not suspicious, it is generally a good practice for individuals who own domain names to protect their privacy with such mechanisms and I do it myself.)

Update 24 September 2015: French police, via the U.S. consulate, confirmed the death of Al Seckel on July 1, 2015. His body was found at the bottom of a cliff in the village of Saint-Cirq-Lapopie.

Update 21 December 2015: A timeline of Al Seckel's activities may be found here.

Thursday, January 01, 2015

Books read in 2014

Not much blogging going on here lately, but here's my annual list of books read for 2014:
  • James Altucher, The Choose Yourself Stories
  • Nate Anderson, The Internet Police: How Crime Went Online, and the Cops Followed
  • David V. Barrett, A Brief History of Secret Societies: An Unbiased History of Our Desire for Secret Knowledge
  • Peter Burke, A Social History of Knowledge, vol. 2, From the Encyclopedie to Wikipedia
  • Danielle Keats Citron, Hate Crimes in Cyberspace
  • Harry Collins, Are We All Scientific Experts Now?
  • Christopher Hitchens, Hitch 22
  • Christopher Hitchens, Mortality
  • Bruce E. Hunsberger and Bob Altemeyer, Atheists: A Groundbreaking Study of America's Nonbelievers
  • Walter Isaacson, Steve Jobs
  • Brian Krebs, Spam Nation: The Inside Story of Organized Cybercrime--From Global Epidemic to Your Front Door
  • Kembrew McLeod, Pranksters: Making Mischief in the Modern World
  • China Miéville, The City and the City
  • Roger Pielke, Jr., The Climate Fix: What Scientists and Politicians Won't Tell You About Global Warming
  • Michael Sacasas, The Tourist and the Pilgrim: Essays on Life and Technology in the Digital Age
  • Oliver Sacks, Uncle Tungsten: Memories of a Chemical Boyhood
  • James C. Scott, Seeing Like a State: How Certain Schemes to Improve the Human Condition Have Failed
  • Karen Stollznow, God Bless America: Strange and Unusual Religious Beliefs and Practices in the United States
  • Daniel Suarez, Daemon
  • Daniel Suarez, Freedom
  • Nassim Nicholas Taleb, Antifragile
  • Sabrina Verney, XTUL: An Experience of The Process
  • Timothy Wyllie, Love Sex Fear Death: The Inside Story of the Process Church of the Final Judgment
  • Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon
I made progress on a few other books (first five this year, next four from last year, last two still not finished from two years ago):
  • Gabriella Coleman, Hacker, Hoaxer, Whistleblower, Spy: The Many Faces of Anonymous
  • Peter Gutmann, Engineering Security
  • Andrew Jaquith, Security Metrics: Replacing Fear, Uncertainty, and Doubt
  • Massimo Pigliucci and Maarten Boudry, Philosophy of Pseudoscience: Reconsidering the Demarcation Problem
  • Steven Pinker, The Sense of Style: The Thinking Person's Guide to Writing in the 21st Century
  • Richard Bejtlich, The Practice of Network Security Monitoring
  • Mary Douglas and Aaron Wildavsky, Risk and Culture: An Essay on the Selection of Technological and Environmental Dangers
  • James Grimmelmann, Internet Law: Cases & Problems (v2; v3 is out now)
  • Douglas Hofstadter and Emmanuel Sander, Surfaces and Essences: Analogy as the Fuel and Fire of Thinking
  • Mark Dowd, John McDonald, and Justin Schuh, The Art of Software Security Assessment: Identifying and Avoiding Software Vulnerabilities
  • Michal Zalewski, The Tangled Web: A Guide to Securing Modern Web Applications
Top ten for 2014:  Sacks, Miéville, Isaacson, Hitchens (both), Wyllie, Zetter, Collins, Pielke Jr., Pigliucci and Boudry.

(Previously: 2013, 2012, 2011, 2010, 2009, 2008, 2007, 2006, 2005.)