U.S. Government 101

Okay folks, it’s time for a government lesson. It’ll be short but sweet.

According to the U.S. Constitution, the President of the United States cannot declare war. Only the U.S. Congress can. In addition, Congress must approve all funding for said war, which must be justified every two years, as stated in Article 1, section 8:

The Congress shall have Power:

To declare War, grant Letters of Marque and Reprisal, and make Rules concerning Captures on Land and Water;

To raise and support Armies, but no Appropriation of Money to that Use shall be for a longer Term than two Years;

In matters of war, the President is merely the supreme commander of U.S. combat and support troops per Article 2, section 2:

ARTICLE II, SECTION 2

The President shall be Commander in Chief of the Army and Navy of the United States, and of the Militia of the several States….

I bring this up after reading Roland Martin’s article on CNN.com titled “Tune in to 2008 before its too late” in which he states (bold emphasis mine):

For three hours a day on WVON in Chicago, I host a daily radio show and try to give people as much information as possible. Why? Because in a year, we’ll be voting on the president of the United States! You know, the person who can decide whether our troops invade another country or not?

Sorry, Mr. Martin, but the President of the United States cannot decide whether our troops invade another country or not. That’s the job of the Congress. The President can request permission to invade another country, but the final decision rests with Congress.

Now I do wholeheartedly agree with Mr. Martin that Americans need to pay more attention to the Presidential race than to Britney Spears, the NFL, or their dream car. But in the process of doing so, they should also learn how our government works. And that goes for Mr. Martin as well.

Now I’m off to read my mil-blogs then check my fantasy football line-up. ;)

What’s a Bot? (the un-lazy definition)

Michael over at An Information Security Place has taken a bit of flak for calling out Douglas Schweitzer for a lazy and inaccurate (my words, not Michael’s) definition of what a ‘bot’ is.

I chimed in on Michael’s behalf to agree that saying a bot is “essentially just another term for an infected computer” is only half the picture.

Yes, what is referred to as a ‘bot’ is a compromised computer, but it’s much more than that. A bot can be controlled by a remote entity. Bots use sophisticated means of communication with the ‘bot herder’, another name for the hacker who can control the bots. Oftentimes they use IRC channels for command and control. Sometimes they leverage peer-to-peer networks for communication. And they are utilized for any number of nefarious acts such as spam relay, distributed denial of service (DDoS) attacks, click-through fraud, etc. They have become a key element in the economy of the hackers because they are rented out for cash-money. Because of that, they are a very large threat to the Internet as a whole, and something we’re going to be battling for some time.

Bots used to be called zombies and I like that term better for the nefarious bots, because as Michael pointed out, there are good bots out there too, like web-crawlers (aka spiders).

If you’re going to provide a service to the general public and attempt to define a technical term, at least do it some justice and be accurate.

</rant>

You speaka my language?

I’ve been working a problem for several weeks now between vendor X’s UTM device and vendor Y’s firewall device. To bring you up to speed: we recently started deploying UTM devices to our satellite offices. Since each of our offices has its own link to the Intarweb, we have a VPN mesh for inter-office connectivity. The VPNs all terminate at the firewalls and UTMs.

The rub comes when the devices need to work out a problem with the VPN connection. If one side doesn’t adhere to the RFC then the other side won’t know what it’s saying.

That’s exactly the problem I’m running into now. One side drops the IPsec tunnel but the other side doesn’t get properly notified. One side continues to send traffic encrypted with a now-dead SA and the other side discards the traffic. The problem gets worse because the ISAKMP tunnel remains up, so one device continues to try to set up ‘quickmode’ and gets itself worked into an infinite loop where it won’t remove the old tunnel nor can it establish a new tunnel, and lo and behold, we have a link down until we manually flush all SAs for the link.

This is one argument in favor of homogeneous layouts, but then you have the problem of complete exposure when your appliance model has a vulnerability.

Damned if you do, damned if you don’t.

‘Upgrade your firmware’ is support-speak for ‘I have no friggin’ clue’

I really do hate when I’m trying to troubleshoot a problem with vendor support and they say something like ‘there’s a new upgrade available that addresses several problems relating to the one you’re having and we’d like you to upgrade.’

I seriously have never had a situation where upgrading firmware solved a problem. Ever.

Radical Islam (OT)

I took a trip to Iran last summer and took this picture in one of their holy shrines. In my description of the picture I mentioned the gorgeous architecture of the shrine but then said it was desecrated when the cleric led the congregation through a chant of ‘death to Israel, death to England, death to America.’

Yesterday someone commented on the picture questioning whether the cleric did indeed say that and went on to talk about the ‘Pure & Wonderful Way of life’ of Islam. So I took a look at his pictures on flickr and found a picture of various assault rifles, sniper rifles, a grenade launcher, an inert hand grenade and flares. Just in case the picture mysteriously disappears, here’s a screeny.

Nothing like fitting the wrong stereotype.