Sunday, July 10, 2011

Desert Air podcast

A group of Tucson atheists and skeptics have started the Desert Air podcast, available via iTunes.  Three episodes available so far.

Skeptics and "backward masking"

Below these two videos is a post I made (perhaps to the Kate Bush fans' "love-hounds" mailing list, I don't recall) back in 1986 regarding a 1985 Christian "rock music seminar" about alleged Satanic backwards messages in rock music.  I was familiar with the claims of supposed "backwards masking" where the sounds of ordinary lyrics were interpreted to have different messages when reversed, as well as actual examples of recordings that were put into songs in reverse.  The former seemed to me to be examples of subjective validation, and I tested it myself by closing my eyes and covering my ears when the presenter gave their claims about what we were supposed to hear prior to playing the samples.  Subsequently, this became one of the first tests the Phoenix Skeptics conducted as a student group at Arizona State University in October 1985.  We invited the speaker to give his demonstrations before our group, but required him to play the samples first without explanation and have everyone write down what they heard.  The result was that on the first pass, those unfamiliar with the samples had a wide variety of responses; on a second pass, once the expectation was set, everybody heard what they were supposed to hear.

It's interesting that this demonstration, the key example of which was a sample from Led Zeppelin's "Stairway to Heaven," made a comeback two decades later--being used by skeptics to show the power of suggestion and expectation, as these two videos from Simon Singh and Michael Shermer demonstrate.

Simon Singh, 2006:


Michael Shermer, 2006 TED Talk:


Date:  Wed, 5 Feb 86 15:35 MST
From: "James J. Lippard" 
Subject:  Christian Death/rock seminar
Reply-To:  Lippard@MIT-MULTICS.ARPA

Yes, I've heard of Christian Death, though I haven't heard much by them.  That
reminds me of an article I wrote in October for ASU's "Campus Weekly"
(alternative campus newspaper) about a rock seminar I went to, and here it is.
The article was never printed, as the newspaper folded.  (Note: There was
originally an additional paragraph about a fourth type of backwards
message--the kind that's at the end of the first side of "The Dreaming".)

      Druids were Satanists.
      Van Morrison reads Celtic literature.
      Therefore, Van Morrison's music is evil.

   I had hoped this kind of feeble guilt-by-association reasoning applied to
rock music by religious fanatics had died off.  No such luck.  The above was
typical of the reasoning presented at a seminar on rock music on October 21 by
Christian Life.  Not only is the first premise false, the conclusion is a non
sequitur.

   Things looked promising enough at first.  A quote from the Confucian
philosopher Mencius about how the multitudes "act without clear understanding"
was projected on the large screen in Neeb Hall before the presentation began.
When the show finally started, the speaker gave some facts about the size of
the music industry and its influence on society.

   For a while things were rational.  Since the seminar was focusing on the
seamy side of rock, it seemed reasonable to show slides of Lou Reed shooting
heroin on stage, Sid Vicious, Kiss, and so forth.  Still, the impression was
given that this was representative of the majority of rock music.  Obscure
groups such as Demon, Lucifer's Friend, and the Flesh Eaters say nothing about
rock in general.

   Apparently the writers of the seminar were aware of this, because it then
shifted to analyzing album covers of fairly popular groups.  But this analysis
was taken to a ridiculous extreme, pulling interpretations out of a hat.  If
an album cover had a cross on it, it was automatically blasphemous.  Any other
religious symbols on an album along with a cross were putting down
Christianity by calling it "just another religion."

   Other symbols also drew criticism.  From the following Bible verse, Luke
10:18, it was concluded that lightning bolts are a demonic symbol:
  And He said to them, "I was watching Satan fall from heaven
     like lightning."

   Since all lightning bolts are evil, the lightning bolts in the logos of
Kiss and AC/DC show that they are in league with the devil.  Interestingly, on
the backs of many electrical appliances is a symbol which serves as a warning
of potential shock hazard--a yellow triangle containing a lightning bolt
exactly like the one in AC/DC's logo.  Surely this is a more obvious source
than the Bible for AC/DC's lightning bolt, given the electrical symbolism in
their name and many of their album titles.

   As the Jesuits knew, if you teach a child your ways early, he will likely
follow them for the rest of his life.  But to conclude from this that Led
Zeppelin is trying to influence children because there are children on the
cover of their _Houses of the Holy_ album is absurd.

   In the interest of "fair play", quotes from several artists denying any
involvement with the occult were given.  But these were shrugged off,
including the disclaimer at the beginning of Michael Jackson's _Thriller_
video which says, in part, "this film in no way endorses belief in the
occult." Michael Jackson is a devout Seventh Day Adventist, so I seriously
doubt he had any more intent in promoting the occult through _Thriller_ than
the creators of Casper the Friendly Ghost.

   Finally, the seminar got to its most entertaining subject: backwards
messages on rock albums.  There are several types of messages commonly
referred to as "backmasking," most of which were covered.  The first is a
message recorded normally, then placed on an album in reverse.  The example
given was from ELO's Face the Music album, which says "The music is
reversible, but time is not.  Turn back, turn back..." There is little doubt
about the content of such messages.

   The second type of backwards message is where words are sung backwards,
phonetically.  On Black Oak Arkansas' live album _Raunch and Roll_, there is
no question about what they are trying to do when the singer shouts "Natas!"
The conference speaker seemed to imply that this message was unintentional,
however, when he gave an example of a song by Christian Death.  The words are
sung backwards (as seen on the lyrics sheet), but pronounced in reverse
letter-by-letter rather than phonetically.  He seemed surprised that this
resulted in nonsense when reversed.

   The third type of backwards message is where a perfectly ordinary record
album is played in reverse to produce gibberish and creative imaginations
supply the translations for supposed messages.  According to the speaker, this
must occur in one of three ways.  Either they are intentional, accidental, or
spiritual.  They can't be intentional, because creating such a message is
unimaginably complex.  They can't be accidental, otherwise we would hear
messages saying such things as "God is love" or "the elephant is on the back
burner" as often as we hear messages about Satan.  Therefore, the messages
must be spiritual (i.e., Satan caused them to occur).

   This completely ignores what has already been well-established as the
source of these messages.  Some person plays his records backwards,
listening for evil messages, and hears something that sounds like the word
"Satan".  He then tells his friends to listen for the message, and plays it
for them.  Since they have been told what to hear, their mind fills in the
difference between the noises on the album and the alleged message.

   This explanation was mentioned, but was dismissed out of hand because, the
speaker claimed, the backwards messages are as clear as most rock lyrics are
forwards.  He played the first message, in Queen's "Another One Bites the
Dust", without telling the audience what to hear.  I heard no message, but he
told us that we clearly heard "start to smoke marijuana".  When the tape was
played again, I could hear it.

   The rest of the messages of this type played at the seminar were
accompanied by text on the movie screen telling the audience what to listen
for.  I closed my eyes to ignore the hints, and was unable to hear anything
but gibberish.  The same method was used and the same results obtained by
several other audience members I questioned after the presentation.

   In addition, an anti-rock program aired a few years ago on the Trinity
Broadcasting Network stated that there were several messages on Led Zeppelin's
"Stairway to Heaven", including "here's to my sweet Satan" and "there is power
in Satan".  The rock conference, on the other hand, combined these two into
one large message which began "my sweet Satan" and ended "whose power is in
Satan".  Having heard the TBN version first, those were what I heard when they
were played at the conference.  If the words "there is" can be mistaken for
"whose", isn't it possible that the same is true for the rest of these
messages?

   Even the transcriber of the backwards messages had problems coming up with
words to fit the message.  The slide for Rush's live version of "Anthem"
played backwards read:
  Oh, Satan, you--you are the one who is shining, walls of Satan,
     walls of (sacrifice?)  I know.

   As any ventriloquist knows, many sounds can be mistaken for many other
sounds.  An m for an n, a t for a d, a c, a z, or a th for an s.  Given that
the most frequent letters in the English language are ETAOINSHRDLU, it is no
surprise that something sounding like "Satan" is quite common.

   With enough effort, evil symbolism and backwards messages can be found
anywhere.  Try visiting a record store and finding satanic symbols on
Christian album covers, or listening to some Christian albums backwards.  I'm
sure much can be found with little difficulty.

   It is true that most rock is not Christian.  It is even true that much of
it conflicts with the Christian faith in some way.  But to bury these points
in a mire of fuzzy logic and fanaticism by engaging in a witch hunt is
counter-productive.  Before the conference, I commented to a friend that if
"Stairway to Heaven" was played backwards, the presenters would have destroyed
any credibility they had.  That, unfortunately, was the case.


    Jim (Lippard at MIT-MULTICS.ARPA)

Additional information:

ReligiousTolerance.org has a good overview with scientific references on the subject.

Sunday, July 03, 2011

TSA security loophole exploited

As this blog has reported on multiple prior occasions (in 2006, 2008, and 2009, at the very least), the fact that U.S. airport security separates the checking of the boarding pass by TSA from the use of a boarding pass to check in to board makes it easy to get through security with a boarding pass that matches your ID while flying under a boarding pass on a ticket purchased in a different name.

Now, as The Economist (July 2, 2011) reports, Olajide Oluwaseun Noibi, a 24-year-old Nigerian American, has been arrested after successfully doing something along these lines to fly around the country, apparently on multiple occasions.  Only Noibi wasn't even using boarding passes valid for the flights he was on--he was caught with a boarding pass in another person's name for a flight from a day prior.  And he wasn't caught because the boarding pass was detected at check-in--he had already successfully boarded the flight and was seated.  He was only caught because of his extreme body odor and a fellow passenger complained, which led to his boarding pass being checked and found to be invalid.

Saturday, July 02, 2011

Cory Maye to be released from prison

As a result of the investigative reporting of Radley Balko, Cory Maye is about to be released from prison after ten years of incarceration and seven years after being sentenced to death on the basis of a terrible defense and kooky testimony from a now discredited and removed medical examiner.  Maye shot and killed a police officer during a no-knock drug raid against a duplex property in which Maye resided, on the basis of a report of unusual traffic at the other unit of the duplex by an unreliable informant.  Maye was defending his daughter from an unknown intruder kicking his door in.

Through the efforts of Balko and a legal team from Covington & Burling, Maye was removed from death row in 2006.

Monday, June 27, 2011

5-4 bad decision against Arizona Clean Elections law

The decision in Arizona Free Enterprise Club's Freedom Club PAC v. Bennett came out today (PDF), a 5-4 decision ruling Arizona's Clean Election laws unconstitutional.  The dissent, it seems to me, has a much better case than the majority:
the program does not discriminate against any candidate or point of view, and it does not restrict any person's ability to speak.  In fact, by providing resources to many candidates, the program creates more speech and thereby broadens public debate. ...
At every turn, the majority tries to convey the impression that Arizona's matching fund statute is of a piece with laws prohibiting electoral speech. The majority invokes the language of "limits," "bar[s]," and "restraints." ... It equates the law to a "restrictio[n] on the amount of money a person or group can spend on political communication during a campaign." ...

There is just one problem. Arizona's matching funds provision does not restrict, but instead subsidizes, speech. The law "impose[s] no ceiling on [speech] and do[es] not prevent anyone from speaking." ... The statute does not tell candidates or their supporters how much money they can spend to convey their message, when they can spend it, or what they can spend it on. ...

In the usual First Amendment subsidy case, a person complains that the government declined to finance his speech, while financing someone else's; we must then decide whether the government differentiated between these speakers on a prohibited basis--because it preferred one speaker's ideas to another's. ... But the speakers bringing this case do not make that claim--because they were never denied a subsidy. ... Petitioners have refused that assistance. So they are making a novel argument: that Arizona violated their First Amendment rights by disbursing funds to other speakers even though they could have received (but chose to spurn) the same financial assistance. Some people might call that chutzpah.

Indeed, what petitioners demand is essentially a right to quash others' speech through the prohibition of a (universally available) subsidy program. Petitioners are able to convey their ideas without public financing--and they would prefer the field to themselves, so that they can speak free from response. To attain that goal, they ask this court to prevent Arizona from funding electoral speech--even though that assistance is offered to every state candidate, on the same (entirely unobjectionable) basis. And this court gladly obliges.
(See my previous argument against the Institute for Justice's position on this, with some subsequent clarifications on other aspects of the law.)

The majority position on this issue is that the unconstitutionality arises from the way that the subsidy to clean elections candidates is tied to campaign spending by the non-clean-elections candidates; I take it that had the subsidy been a fixed amount the argument would not have worked at all.

There's a good overview of the issues at the SCOTUS blog.

Saturday, June 25, 2011

Arizona Department of Public Service's security breach

LulzSec breached the security of the Arizona Department of Public Service (DPS) at some point in the past, and on June 23 around 4 p.m. Arizona time, posted some or all of what they had acquired.  This included the names, email addresses, and passwords of several DPS officers as well as a number of internal documents which appeared to have been obtained from email attachments or perhaps from the compromise of end user systems.  The documents included a PowerPoint presentation on gang tattoos that purported to be a way of identifying Islamic radicals, which was reminiscent of similar ludicrous law enforcement presentations from the 1980s about identifying Satanic cult members by their black clothing and occult symbols. (Some police departments still promote such nonsense, citing exposed fraud "Lauren Stratford" as a source).  The documents also included a bulletin which expresses concern about the "Cop Recorder" iPhone application.

On June 24, DPS posted a press release responding to the attacks, accusing LulzSec of being a "cyber terrorist group"--a term better reserved for the use of criminally disruptive activities intended to cause physical harm or disruption of critical infrastructure, not embarrassing organizations that haven't properly secured themselves.  In the press release, DPS enumerates the steps they've taken to secure themselves and the safeguards they've put in place. It's an embarrassing list which suggests they've had poor information security and continue to have poor information security.

First, their press release has a paragraph suggesting that the damage is limited, before they've probably had time to really determine that's the case.  They write:

There is no evidence the attack has breached the servers or computer systems of DPS, nor the larger state network. Likewise, there is no evidence that DPS records related to ongoing investigations or other sensitive matters have been compromised.

Just because they have "no evidence" of something doesn't mean it didn't happen--what records did they review to make this determination?  Were they doing appropriate logging?  Have logs been preserved, or were they deleted in the breach?  Do they have centralized logging that is still secure?  When did the compromise take place, and when did DPS detect it?  The appearance is that they didn't detect the breach until it was exposed by the perpetrators.  What was the nature of the vulnerability exploited, and why wasn't it detected by DPS in a penetration test or vulnerability assessment?  LulzSec has complained about the number of SQL injection vulnerabilities they've found--was there one in DPS's web mail application?

Next, they report what they've done in response, and again make statements about how "limited" the breach was:

Upon learning that a limited number of agency e-mails had been disclosed, DPS took action. In addition to contacting other law enforcement agencies, the Arizona Counter Terrorism Information Center (ACTIC) has been activated. Remote e-mail access for DPS employees remains frozen for the time-being. The security of the seven DPS officers in question remains the agency’s top priority and, since a limited amount of personal information was publicly disclosed as part of this breach. Steps are being taken to ensure the officers’ safety and that of their families. 

They've disabled the e-mail access that they believe was used in the breach--that's good.  Presumably the exposed officer passwords were discovered to be from this system.  Perhaps they will not re-enable the system until they have a more secure mechanism that requires VPN access and two-factor authentication--or at least intrusion prevention, a web application firewall, and effective security monitoring.  They've notified ACTIC--presumably in part because of their overblown claim that this breach constitutes "terrorism" and in part because there are some ACTIC personnel who have good knowledge of information security.  And they're doing something to protect the safety of officers whose personal information (including some home addresses) was exposed.


In the final paragraph of the press release, they list some of the safeguards they have in place:

- 24/7 monitoring of the state’s Internet gateway.
- Industry-standard firewalls, anti-virus software and other capabilities.
- IT security staff employed at each major state agency.
- Close coordination between the State of Arizona and state, federal and private-sector authorities regarding cyber-security issues.

This sounds like a less-than-minimal set of security controls.  Is that 24/7 monitoring just network monitoring for availability, or does it include security monitoring?  Do they have intrusion detection and prevention systems in place?  Do they have web application firewalls in front of web servers?  Do they have centralized logging and are those logs being monitored?  Are they doing event correlation?  How many full-time information security staff are there at DPS?  Are there any security incident response staff? Is there a CISO, and if so, why isn't that person being heard from?  Does DPS have an incident response plan?  Are they reviewing policy, process, and control gaps as part of their investigation of this incident?  Have they had any third-party assessments of their information security?  Have any past assessments, internal or external, recommended improvements that were not made?

These are questions journalists should be asking, which DPS should certainly be asking itself internally, and which organizations that haven't had a publicized breach yet should be asking themselves.  Breaches are becoming inevitable (a recent Ponemon Institute survey says 90% of surveyed businesses have had a security breach in the last 12 months; CNet charts the recent major publicly known breaches), so having in place the capacities to respond and recover quickly is key.

Here's how NOT to prepare:
Depth Security, "How to Get Properly Owned"

Here's how NOT to respond to a breach or vulnerability disclosure:
SANS ISC, "How Not to Respond to a Security Incident"

How to publicly disclose a breach:
Technologizer, "How to Tell Me You Let Somebody Steal My Personal Information"

Friday, June 24, 2011

Help Talk Origins bid for "Expelled"?

The assets of Premise Media, including rights to "Expelled," are going up for auction.  The Talk Origins Foundation plans to bid for the film, which includes production materials.  Their stated plan seems to be just to determine what interesting information might be in the production materials or raw footage and make that known, not, as I've suggested, make an "MST3K"-style version, or a version that points out and corrects the errors.

UPDATE (June 28, 2011): The winning bid for "Expelled" was $201,000.  My guess is that the film would only be worth that much to somebody who plans to promote it as-is without any significant re-editing, and thinks they can extract at least that much value out of it--perhaps via charitable deduction by giving it to a creationist organization.  There was a bidding war at the end between two bidders that drove the price up this morning from $43,000 (last night's high bid) to $201,000, which caused the bid to be extended 10 minutes beyond its scheduled end time in one or two minute extension increments.  It was at $122,000 at the original auction end time, so that last $79,000 increase occurred in the last 10 minutes.

Monday, June 06, 2011

Expelled up for auction

Premise Media Holdings LP is in bankruptcy, and its assets are going up for auction online between June 23 and 28.  Those assets include the film "Expelled."  Perhaps a few of us should get together and buy it, and reissue it in a "Mystery Science Theatre 3000" format?

UPDATE:  As Damian Howard and Bob Vogel pointed out on Facebook, this adds financial bankruptcy to the moral and intellectual bankruptcy of the film.

Sunday, May 15, 2011

Challenge for Harold Camping followers

On May 22, 2011, we will either see that many Christians have disappeared and we've been left behind, or that the claims of billboards like this are completely false.  If any individual or group of Camping followers have a strong belief that the former is the case, I challenge you to sign an agreement to transfer to me $100,000, effective May 22, 2011, in return for one of two things.  In the case that you have, in fact, been raptured, I promise to use those funds to evangelize in support of your beliefs to try to save as many of those left behind as possible.  In the far more likely case that you remain behind, I promise not to engage in public ridicule and humiliation of your nonsense for a year.  So it's a win-win.  Any takers?

UPDATE (May 20, 2011):  Via Tom McIver:  "Camping has a very idiosyncratic scheme: basically amillennial, and a hybrid of his own Bible numerology and a variant of the World Week (world lasts 6,000 yrs after Creation) framework. Camping puts Creation at 11,013 BC, Flood at 6,000 + 23 yrs later at 4,990 BC, Christ's birth 7 BC, and end of Church Age / beginning of Tribulation 13,000 yrs after Creation. 7,000 yrs after Flood (13,000 + 23 yrs after Creation) is 2011. 1988--13,000 yrs after Creation--was beginning of Tribulation (and also the year Camping left the established church, deciding it was heretical and that all churches had been taken over by Antichrist). 2011 is 23 yrs after 1988 (previously, Camping had predicted a shorter Tribulation ending in 1994). May 21 is Rapture and Judgment Day, world is destroyed Oct 21." And: "Camping also made much of 1948 (founding of Israel), with next Jubilee supposedly 1994. He has much more numerology as well. Interestingly, he doesn't focus on political leaders or natural disasters (although I think the news reports of catastrophes and wars has increased his following)."

Saturday, May 14, 2011

My lousy Android experience

I've been a holdout on upgrading to a smart phone, in part because I haven't paid over $100 for a mobile phone since they were the size of a brick.  But after finding that I could get a Droid 2 Global on Verizon for $20 via Amazon Wireless a couple of months ago, I made the leap.

My initial experience was negative--Amazon sent me a phone with instructions to go to Verizon's web site to activate.  Verizon's website wanted me to enter a code from a Verizon invoice.  No such invoice was included, and none of the numbers from the Amazon invoice worked.  So I had to get through to a human being, at which point activation was fairly simple.  But one more hurdle arose when I had to login to a Google account, which was an obstacle of my own creation--I use very long randomly generated passwords with special characters, and have independent Google accounts for different services, so I had to choose which one to use with the phone before I knew what all the implications would be.  (I chose my GMail account, which has worked out OK.)

I wanted to set the phone up to use my own email servers, and to connect over VPN to gain access.  This proved to be an obstacle that took a few days to resolve, due to inadequacies and bugs in Droid applications.  The default VPN client doesn't support OpenVPN, so I had to gain root access to install an OpenVPN client.  This turned out to be the only reason I needed root access on the phone, and I managed to get that working without much difficulty.

The Email application, however, refused to send outbound mail through my mail server, which allows outbound port 25 client connections from internal hosts with no authentication but requiring TLS.  This combination simply doesn't work--I ended up setting up port 587 (submission port) with username/password authentication via Dovecot.  Though I would have preferred using client certificate authentication, I couldn't get it to work.  I still run into periodic problems with Email refusing to send outbound messages for no apparent reason--and the server shows no attempts being made.  There doesn't seem to be a way to select an individual message in the outbox for an attempt to re-send.

I managed to get contact and calendar synchronization working with my Mac, but I ended up exporting my iCal calendars to Google Calendar and using them as my primary calendars.  Most of the correlation of contacts in the phone from multiple sources (e.g., Facebook, LinkedIn, and my Address Book) worked fairly well, but some contacts are duplicated due to name variations.  Synchronization with LinkedIn is somewhat buggy, with first and last names showing up in contacts as "null null."  The Calendar app is even more buggy--I've created events on the phone that disappear, I've seen error messages in Portuguese and events with names that appear to be leftover debugging messages. I was also surprised to see that spelling correction was performed, without any prompts, on events I imported into the Calendar app from GMail (it incorrectly turned an acronym, "JAD," into the word "HAD").

I've received an SMS text message from one person which was identified as being from another person--looking at the specific contact information showed that the telephone number of the sender was associated with the correct contact, yet the name and photo displayed on the phone was of a different contact that had no association with that telephone number.

The phone's camera capability is pretty good, but when I connect the phone to my Mac, it launches iPhoto but doesn't find any photographs.  I have to import them manually by pointing iPhoto to the correct location on the SD card.

I've seen the phone crash repeatedly, especially when using location services (Google Navigation, Maps, and Yelp have been repeat offenders).  There also seems to be some caching of location information that gets out of sync with other location information.  For example, I saw Yelp correctly show me nearby restaurants, but refuse to allow me to check in to the one I was sitting in because I was "too far away"--and Maps showed my location being somewhere else I had been earlier.  In one case, thousands of miles away--an attempted Yelp check-in after returning from a vacation in Hawaii showed my location on the map as still being in Hawaii.  In at least one case, I was unable to get my location to update for Yelp until I rebooted the phone.

I've had issues doing things as simple as copying and pasting a URL from Firefox to Facebook or Twitter.  I copy the URL, verify that it's in the clipboard correctly, but when I go into Facebook or Twitter to paste it, it is truncated.

The number of bugs I run into seems awfully high for very basic applications.  The problem is no doubt in part due to the way development occurs between Google, Motorola, and Verizon, and Linux development, which also seems to be an obstacle to fixing security vulnerabilities.  The May 2011 issue of CSO magazine reports that Coverity has done two scans of Android source code for the HTC Incredible, finding 359 defects (88 critical) on the first scan last November and 149 defects (106 unfixed from the previous scan) on a more recent scan.  Accountability for the code is distributed across the aforementioned groups.  (Also see this CNet story, or the Coverity report itself.)

I wonder if I would run into problems like this with an iPhone.

UPDATE (May 19, 2011): And now there's a security vulnerability identified in version 2.3.3 of Android and earlier (I'm on 2.2, and can't update until Verizon pushes an update), which potentially exposes contacts, calendar events, pictures, and other items stored in Google-hosted services, if users access those services via unencrypted WiFi.  Although the connections to those services are over SSL-encrypted HTTP, there is a returned authToken that can be intercepted and used for subsequent logins to those services.  I've never used my Droid on unencrypted WiFi networks, but I'll now take extra care to make sure that I don't.  Version 2.3.4 fixes the problem for contacts and calendars but not for Picasa photos.

UPDATE (November 16, 2011): It's still been a horrible experience, and I still see regular crashes, particularly when using map and location-related applications.  A new discovery today while traveling is that the World Clock widget does not know when Daylight Saving Time occurs--the option labeled "Daylight Savings[sic] Time: Adjust displayed time for Daylight Savings" appears to just set the clock forward one hour, not display the correct current time taking into account the date and whether Daylight Saving Time is in effect in the given location.  I traveled to the east coast and saw that my World Clock widget time for New York was one hour ahead of the actual time in New York.  It's utterly ridiculous that this widget requires the user to check and uncheck this option manually when Daylight Saving Time is in effect or not--that's exactly the sort of simple task that computers are equipped to do on our behalf.