Monday, June 27, 2011

5-4 bad decision against Arizona Clean Elections law

The decision in Arizona Free Enterprise Club's Freedom Club PAC v. Bennett came out today (PDF), a 5-4 decision ruling Arizona's Clean Election laws unconstitutional.  The dissent, it seems to me, has a much better case than the majority:
the program does not discriminate against any candidate or point of view, and it does not restrict any person's ability to speak.  In fact, by providing resources to many candidates, the program creates more speech and thereby broadens public debate. ...
At every turn, the majority tries to convey the impression that Arizona's matching fund statute is of a piece with laws prohibiting electoral speech. The majority invokes the language of "limits," "bar[s]," and "restraints." ... It equates the law to a "restrictio[n] on the amount of money a person or group can spend on political communication during a campaign." ...

There is just one problem. Arizona's matching funds provision does not restrict, but instead subsidizes, speech. The law "impose[s] no ceiling on [speech] and do[es] not prevent anyone from speaking." ... The statute does not tell candidates or their supporters how much money they can spend to convey their message, when they can spend it, or what they can spend it on. ...

In the usual First Amendment subsidy case, a person complains that the government declined to finance his speech, while financing someone else's; we must then decide whether the government differentiated between these speakers on a prohibited basis--because it preferred one speaker's ideas to another's. ... But the speakers bringing this case do not make that claim--because they were never denied a subsidy. ... Petitioners have refused that assistance. So they are making a novel argument: that Arizona violated their First Amendment rights by disbursing funds to other speakers even though they could have received (but chose to spurn) the same financial assistance. Some people might call that chutzpah.

Indeed, what petitioners demand is essentially a right to quash others' speech through the prohibition of a (universally available) subsidy program. Petitioners are able to convey their ideas without public financing--and they would prefer the field to themselves, so that they can speak free from response. To attain that goal, they ask this court to prevent Arizona from funding electoral speech--even though that assistance is offered to every state candidate, on the same (entirely unobjectionable) basis. And this court gladly obliges.
(See my previous argument against the Institute for Justice's position on this, with some subsequent clarifications on other aspects of the law.)

The majority position on this issue is that the unconstitutionality arises from the way that the subsidy to clean elections candidates is tied to campaign spending by the non-clean-elections candidates; I take it that had the subsidy been a fixed amount the argument would not have worked at all.

There's a good overview of the issues at the SCOTUS blog.

Saturday, June 25, 2011

Arizona Department of Public Service's security breach

LulzSec breached the security of the Arizona Department of Public Service (DPS) at some point in the past, and on June 23 around 4 p.m. Arizona time, posted some or all of what they had acquired.  This included the names, email addresses, and passwords of several DPS officers as well as a number of internal documents which appeared to have been obtained from email attachments or perhaps from the compromise of end user systems.  The documents included a PowerPoint presentation on gang tattoos that purported to be a way of identifying Islamic radicals, which was reminiscent of similar ludicrous law enforcement presentations from the 1980s about identifying Satanic cult members by their black clothing and occult symbols. (Some police departments still promote such nonsense, citing exposed fraud "Lauren Stratford" as a source).  The documents also included a bulletin which expresses concern about the "Cop Recorder" iPhone application.

On June 24, DPS posted a press release responding to the attacks, accusing LulSec of being a "cyber terrorist group"--a term better reserved for the use of criminally disruptive activities intended to cause physical harm or disruption of critical infrastructure, not embarrassing organizations that haven't properly secured themselves.  In the press release, DPS enumerates the steps they've taken to secure themselves and the safeguards they've put in place. It's an embarrassing list which suggests they've had poor information security and continue to have poor information security.

First, their press release has a paragraph suggesting that the damage is limited, before they're probably had time to really determine that's the case.  They write:

There is no evidence the attack has breached the servers or computer systems of DPS, nor the larger state network. Likewise, there is no evidence that DPS records related to ongoing investigations or other sensitive matters have been compromised.

Just because they have "no evidence" of something doesn't mean it didn't happen--what records did they review to make this determination?  Were they doing appropriate logging?  Have logs been preserved, or were they deleted in the breach?  Do they have centralized logging that is still secure?  When did the compromise take place, and when did DPS detect it?  The appearance is that they didn't detect the breach until it was exposed by the perpetrators.  What was the nature of the vulnerability exploited, and why wasn't it detected by DPS in a penetration test or vulnerability assessment?  LulzSec has complained about the number of SQL injection vulnerabilities they've found--was there one in DPS's web mail application?

Next, they report what they've done in response, and again make statements about how "limited" the breach was:

Upon learning that a limited number of agency e-mails had been disclosed, DPS took action. In addition to contacting other law enforcement agencies, the Arizona Counter Terrorism Information Center (ACTIC) has been activated. Remote e-mail access for DPS employees remains frozen for the time-being. The security of the seven DPS officers in question remains the agency’s top priority and, since a limited amount of personal information was publicly disclosed as part of this breach. Steps are being taken to ensure the officers’ safety and that of their families. 

They've disabled the e-mail access that they believe was used in the breach--that's good.  Presumably the exposed officer passwords were discovered to be from this system.  Perhaps they will not re-enable the system until they have a more secure mechanism that requires VPN access and two-factor authentication--or at least intrusion prevention, a web application firewall, and effective security monitoring.  They've notified ACTIC--presumably in part because of their overblown claim that this breach constitutes "terrorism" and in part because there are some ACTIC personnel who have good knowledge of information security.  And they're doing something to protect the safety of officers whose personal information (including some home addresses) was exposed.


In the final paragraph of the press release, they list some of the safeguards they have in place:

- 24/7 monitoring of the state’s Internet gateway.
- Industry-standard firewalls, anti-virus software and other capabilities.
- IT security staff employed at each major state agency.
- Close coordination between the State of Arizona and state, federal and private-sector authorities regarding cyber-security issues.

This sounds like a less-than-minimal set of security controls.  Is that 24/7 monitoring just network monitoring for availability, or does it include security monitoring?  Do they have intrusion detection and prevention systems in place?  Do they have web application firewalls in front of web servers?  Do they have centralized logging and are those logs being monitored?  Are they doing event correlation?  How many full-time information security staff are there at DPS?  Are there any security incident response staff? Is there a CISO, and if so, why isn't that person being heard from?  Does DPS have an incident response plan?  Are they reviewing policy, process, and control gaps as part of their investigation of this incident?  Have they had any third-party assessments of their information security?  Have any past assessments, internal or external, recommended improvements that were not made?

These are questions journalists should be asking, which DPS should certainly be asking itself internally, and which organizations that haven't had a publicized breach yet should be asking themselves.  Breaches are becoming inevitable (a recent Ponemon Institute survey says 90% of surveyed businesses have had a security breach in the last 12 months; CNet charts the recent major publicly known breaches), so having in place the capacities to respond and recover quickly is key.

Here's how NOT to prepare:
Depth Security, "How to Get Properly Owned"

Here's how NOT to respond to a breach or vulnerability disclosure:
SANS ISC, "How Not to Respond to a Security Incident"

How to publicly disclose a breach:
Technologizer, "How to Tell Me You Let Somebody Steal My Personal Information"

Friday, June 24, 2011

Help Talk Origins bid for "Expelled"?

The assets of Premise Media, including rights to "Expelled," are going up for auction.  The Talk Origins Foundation plans to bid for the film, which includes production materials.  Their stated plan seems to be just to determine what interesting information might be in the production materials or raw footage and make that known, not, as I've suggested, make an "MST3K"-style version, or a version that points out and corrects the errors.

UPDATE (June 28, 2011): The winning bid for "Expelled" was $201,000.  My guess is that the film would only be worth that much to somebody who plans to promote it as-is without any significant re-editing, and thinks they can extract at least that much value out of it--perhaps via charitable deduction by giving it to a creationist organization.  There was a bidding war at the end between two bidders that drove the price up this morning from $43,000 (last night's high bid) to $201,000, which caused the bid to be extended 10 minutes beyond it's scheduled end time in one or two minute extension increments.  It was at $122,000 at the original auction end time, so that last $79,000 increase occurred in the last 10 minutes.

Monday, June 06, 2011

Expelled up for auction

Premise Media Holdings LP is in bankruptcy, and its assets are going up for auction online between June 23 and 28.  Those assets include the film "Expelled."  Perhaps a few of us should get together and buy it, and reissue it in a "Mystery Science Theatre 3000" format?

UPDATE:  As Damian Howard and Bob Vogel pointed out on Facebook, this adds financial bankruptcy to the moral and intellectual bankruptcy of the film.

Sunday, May 15, 2011

Challenge for Harold Camping followers

On May 22, 2011, we will either see that many Christians have disappeared and we've been left behind, or that the claims of billboards like this are completely false.  If any individual or group of Camping followers have a strong belief that the former is the case, I challenge you to sign an agreement to transfer to me $100,000, effective May 22, 2011, in return for one of two things.  In the case that you have, in fact, been raptured, I promise to use those funds to evangelize in support of your beliefs to try to save as many of those left behind as possible.  In the far more likely case that you remain behind, I promise not to engage in public ridicule and humiliation of your nonsense for a year.  So it's a win-win.  Any takers?

UPDATE (May 20, 2011):  Via Tom McIver:  "Camping has a very idiosyncratic scheme: basically amillennial, and a hybrid of his own Bible numerology and a variant of the World Week (world lasts 6,000 yrs after Creation) framework. Camping puts Creation at 11,013 BC, Flood at 6,000 + 23 yrs later at 4,990 BC, Christ's birth 7 BC, and end of Church Age / beginning of Tribulation 13,000 yrs after Creation. 7,000 yrs after Flood (13,000 + 23 yrs after Creation) is 2011. 1988--13,000 yrs after Creation--was beginning of Tribulation (and also the year Camping left the established church, deciding it was heretical and that all churches had been taken over by Antichrist). 2011 is 23 yrs after 1988 (previously, Camping had predicted a shorter Tribulation ending in 1994). May 21 is Rapture and Judgment Day, world is destroyed Oct 21." And: "Camping also made much of 1948 (founding of Israel), with next Jubilee supposedly 1994. He has much more numerology as well. Interestingly, he doesn't focus on political leaders or natural disasters (although I think the news reports of catastrophes and wars has increased his following)."

Saturday, May 14, 2011

My lousy Android experience

I've been a holdout on upgrading to a smart phone, in part because I haven't paid over $100 for a mobile phone since they were the size of a brick.  But after finding that I could get a Droid 2 Global on Verizon for $20 via Amazon Wireless a couple of months ago, I made the leap.

My initial experience was negative--Amazon sent me a phone with instructions to go to Verizon's web site to activate.  Verizon's website wanted me to enter a code from a Verizon invoice.  No such invoice was included, and none of the numbers from the Amazon invoice worked.  So I had to talk get through to a human being, at which point activation was fairly simple.  But one more hurdle arose when I had to login to a Google account, which was an obstacle of my own creation--I use very long randomly generated passwords with special characters, and have independent Google accounts for different services, so I had to choose which one to use with the phone before I knew what all the implications would be.  (I chose my GMail account, which has worked out OK.)

I wanted to set the phone up to use my own email servers, and to connect over VPN to gain access.  This proved to be an obstacle that took a few days to resolve, due to inadequacies and bugs in Droid applications.  The default VPN client doesn't support OpenVPN, so I had to gain root access to install an OpenVPN client.  This turned out to be the only reason I needed root access on the phone, and I managed to get that working without much difficulty.

The Email application, however, refused to send outbound mail through my mail server, which allows outbound port 25 client connections from internal hosts with no authentication but requiring TLS.  This combination simply doesn't work--I ended up setting up port 587 (submission port) with username/password authentication via Dovecot.  Though I would have preferred using client certificate authentication, I couldn't get it to work.  I still run into periodic problems with Email refusing to send outbound messages for no apparent reason--and the server shows no attempts being made.  There doesn't seem to be a way to select an individual message in the outbox for an attempt to re-send.

I managed to get contact and calendar synchronization working with my Mac, but I ended up exporting my iCal calendars to Google Calendar and using them as my primary calendars.  Most of the correlation of contacts in the phone from multiple sources (e.g., Facebook, LinkedIn, and my Address Book) worked fairly well, but some contacts are duplicated due to name variations.  Synchronization with LinkedIn is somewhat buggy, with first and last names showing up in contacts as "null null."  The Calendar app is even more buggy--I've created events on the phone that disappear, I've seen error messages in Portuguese and events with names that appear to be leftover debugging messages. I was also surprised to see that spelling correction was performed, without any prompts, on events I imported into the Calendar app from GMail (it incorrectly turned an acronym, "JAD," into the word "HAD").

I've received an SMS text message from one person which was identified as being from another person--looking at the specific contact information showed that the telephone number of the sender was associated with the correct contact, yet the name and photo displayed on the phone was of a different contact that had no association with that telephone number.

The phone's camera capability is pretty good, but when I connect the phone to my Mac, it launches iPhoto but doesn't find any photographs.  I have to import them manually by pointing iPhoto to the correct location on the SD card.

I've seen the phone crash repeatedly, especially when using location services (Google Navigation, Maps, and Yelp have been repeat offenders).  There also seems to be some caching of location information that gets out of sync with other location information.  For example, I saw Yelp correctly show me nearby restaurants, but refuse to allow me to check in to the one I was sitting in because I was "too far away"--and Maps showed my location being somewhere else I had been earlier.  In one case, thousands of miles away--an attempted Yelp check-in after returning from a vacation in Hawaii showed my location on the map as still being in Hawaii.  In at least one case, I was unable to get my location to update for Yelp until I rebooted the phone.

I've had issues doing things as simple as copying and pasting a URL from Firefox to Facebook or Twitter.  I copy the URL, verify that it's in the clipboard correctly, but when I go into Facebook or Twitter to paste it, it is truncated.

The number of bugs I run into seems awfully high for very basic applications.  The problem is no doubt in part due to the way development occurs between Google, Motorola, and Verizon, and Linux development, which also seems to be an obstacle to fixing security vulnerabilities.  The May 2011 issue of CSO magazine reports that Coverity has done two scans of Android source code for the HTC Incredible, finding 359 defects (88 critical) on the first scan last November and 149 defects (106 unfixed from the previous scan) on a more recent scan.  Accountability for the code is distributed across the aforementioned groups.  (Also see this CNet story, or the Coverity report itself.)

I wonder if I would run into problems like this with an iPhone.

UPDATE (May 19, 2011): And now there's a security vulnerability identified in version 2.3.3 of Android and earlier (I'm on 2.2, and can't update until Verizon pushes an update), which potentially exposes contacts, calendar events, pictures, and other items stored in Google-hosted services, if users access those services via unencrypted WiFi.  Although the connections to those services are over SSL-encrypted HTTP, there is a returned authToken that can be intercepted and used for subsequent logins to those services.  I've never used my Droid on unencrypted WiFi networks, but I'll now take extra care to make sure that I don't.  Version 2.3.4 fixes the problem for contacts and calendars but not for Picasa photos.

UPDATE (November 16, 2011): It's still been a horrible experience, and I still see regular crashes, particularly when using map and location-related applications.  A new discovery today while traveling is that the World Clock widget does not know when Daylight Saving Time occurs--the option labeled "Daylight Savings[sic] Time: Adjust displayed time for Daylight Savings" appears to just set the clock forward one hour, not display the correct current time taking into account the date and whether Daylight Saving Time is in effect in the given location.  I traveled to the east coast and saw that my World Clock widget time for New York was one hour ahead of the actual time in New York.  It's utterly ridiculous that this widget requires the user to check and uncheck this option manually when Daylight Saving Time is in effect or not--that's exactly sort of simple task that computers are equipped to do on our behalf.

Sunday, May 08, 2011

Chris Rodda's Liars for Jesus available free online

After witnessing the despicable pseudo-historian David Barton on "The Daily Show," inadequately rebutted by Jon Stewart, author Chris Rodda decided to take action.  She's giving away her book, Liars for Jesus, which carefully documents the historical revisionism of Barton and others, online as a PDF.

You can download Rodda's book here.  You can also purchase a paper or Kindle copy of the book from Amazon.com.

Rodda depends on income from her book, but felt it was important enough to give it away.  I suspect she'll see an increase in sales along with the free distribution.

UPDATE:
Rodda's book seems to be selling well:

Paperback:

Kindle:

Friday, April 29, 2011

Salt therapy: Where's the evidence?

Today there was a Groupon offer for salt therapy from the "Salt Chalet Arizona."  Sufferers of respiratory illnesses are offered the chance to sit in a room containing salt for claimed relief of symptoms.  I posted the following at the Salt Chalet Arizona's blog, which is awaiting moderation:
“Although there have been few clinical studies” — are there any that provide any empirical support for the claims made on this site? It seems to me that solid empirical support for safety and efficacy are absolutely essential requirements for any medical claim. What is the mechanism of relief, is that relief more than would be expected from a placebo effect, does it last, and are there any harmful short or long term consequences?
To its credit, the blog's repost of a newspaper article about a similar service offered via a Pakistani salt mine includes the following skeptical passage:
But Shahid Abbas, a doctor who runs the private Allergy and Asthma Centre in Islamabad, said that although an asthma or allergy sufferer may get temporary relief, there is no quick-fix cure.

“There is no scientific proof that a person can permanently get rid of asthma by breathing in a salt mine or in a particular environment,” he said.

Wednesday, March 30, 2011

Information security threat models, folk & expert

I've written a pair of blog posts for Global Crossing's "Defense in Depth Security" blog based on recent work by Rick Wash and by multiple people at Intel including Timothy Casey about modeling the agents behind information security threats. The first post is about non-expert home computer users' "folk models" of the threats from viruses and hackers,which makes the point that seemingly irrational decisions about security may in fact be completely rational based on their conceptual understanding of the threat they believe they are combatting.  Only by changing their understanding of the threat, which requires not just information but appropriately salient information and the right incentives, are we likely to see changes in user behavior.  I point out an example of a recent news story that might help provide both elements with regard to one type of vulnerability, open wireless access points.

The second blog post, which will appear tomorrow, is about expert models of threat agents--the Intel Threat Agent Library.  Intel created a large set of attacker personas and identified their attributes, for use in matching against vulnerabilities and prioritizing controls as part of a broader risk assessment process.

I'm happy to discuss these further either here or at the Global Crossing blogs.

Saturday, January 08, 2011

Rep. Gabrielle Giffords shot at Tucson grocery store event

Rep. Gabrielle Giffords (D-AZ CD8) was shot this morning at an event at a Tucson grocery store, along with several other people.  The Tucson Citizen reports that she was "shot point blank in the head."  This brings to mind a previous gun incident at another Tucson event at a grocery store in August 2009.

The image below is from Sarah Palin's website, "Take Back the 20."  The lower right target sight image on Arizona is Congressional District 8, which was one of the "targets" for candidates who supported the Health Care Reform bill to be defeated.


UPDATE: CNN reports that an employee of a nearby business reported "15 to 20 gunshots" and 12 victims.

UPDATE: The Arizona Republic reports that at least four of the victims are dead.

UPDATE: NPR reports that Rep. Giffords is one of the dead and that the killer, a male in his teens or twenties, was apprehended at the scene.  The death toll is up to seven.

UPDATE: KOLD News-13 in Tucson says Giffords is not dead but is in surgery at University Medical Center.

UPDATE: Another version of Palin's "target map" explicitly called out Giffords as a target:


UPDATE (1 p.m. Arizona time): The Palin takebackthe20.com gunsight map has been removed.

UPDATE: In an MSNBC interview after her office was vandalized after her vote for Health Care Reform, Rep. Giffords said:
We need to realize that the rhetoric, and the firing people up and … for example, we’re on Sarah Palin’s ‘targeted’ list, but the thing is, the way she has it depicted, we’re in the crosshairs of a gun sight over our district. When people do that, they’ve gotta realize that there are consequences to that action.

UPDATE (1:29 p.m.): Talking Points Memo reports that a federal judge was also one of the shooting victims. There will be a UMC press briefing at 1:30 p.m.

UPDATE: NBC reports that the federal judge is one of the dead.  That judge, John Roll, was chief judge  of the U.S. District Court for Arizona and received death threats last year over an immigration case.

Sarah Palin has deleted her tweet from March, below:


UPDATE: Correction, the tweet above has NOT been deleted from Sarah Palin's tweetstream.

UPDATE (1:54 p.m.): The shooter suspect in custody is named Jared Loughner. The Pima County Sheriff's Office reports 6 dead, 18 wounded.

UPDATE: A YouTube video from Jared Lee Loughner.  He was a student at Pima Community College and apparently a disturbed individual.  Here's an apparent sample of his writing:

Hello, and welcome my classified leak of information that's of the United States Military to the student body and you. Firstly, I want you to understand this from the start. Did you know grammar is double blind, listener? Secondly, if you want to understand the start of revelatory thoughts then listen to this video. I'll look at you mother fuckin Anarchists who have a problem with them illegal illiterate pigs. :-D If you're a citizen in the United States as of now, then your constitution is the United States. You're a citizen in the United States as of now. Thus, your constitution is the United States. Laugh. I'll let you in on their little cruel joke that's genocidal. They're argument is appeal to force on their jurisdiction with lack of proof of evidence. Each subject is in question for the location! The police don't quite get paid correctly with them dirty front runners under section 10? Their country's alliances are able to make illegal trades under section 10. Eh! I'm a Nihilist, not someone who put who put trust in god! What is section 10 you ask? If you make a purchase then it's illegal under section 10 and amendment 1 of the United States constitution. You make a purchase. Therefore, it's illegal under section 10 and amendment 1 of the United States constitution. We need a drum roll for those front runners in the election; those illegal teachers, pigs, and politicians of yours are under illegal authority of their constitution. Those dirty pigs think they know the damn year. Thirdly, tell them mother fuckers to count from 0 to whenever they feel a threat to stop their count. We can all hope they add new numbers and letters to their count down. Did you run out of breath around the trillions, listener? Well, B.C.E is yet to start for Ad to begin! What does this mean for a citizen in any country? Those illegal military personal are able to sign into a country that they can't find with an impossible date! How did you trust your child with them fraud teachers and front runners, listener? Did you now know that the teachers, pigs, and front runners are treasonous! You shouldn't jump to conclusion with your education plan. The constitution as of now, which is in use by the current power pigs, aren't able to protect the bill of rights! Do you now have enough information to know the two wars are illegal! What is your date of time, listener? Fourthly, those applications that are with background checks break the United States constitution! What's your riot name? I'll catch you! Top secret: Why don't people control the money system? Their Current Currency(1/1) / Your new infinite currency (1/~infinte) This is a selcte information of revoluntary thoughts! Section 10 - Powers prohibited of States No State shall enter into any Treaty, Alliance, or Confederation; grant Letters of Marque and Reprisal; coin Money; emit Bills of Credit; make any Thing but gold and silver Coin a Tender in Payment of Debts; pass any Bill of Attainder, ex post facto Law, or Law impairing the Obligation of Contracts, or grant any Title of Nobility. No State shall, without the Consent of the Congress, lay any Imposts or Duties on Imports or Exports, except what may be absolutely necessary for executing it's inspection Laws: and the net Produce of all Duties and Imposts, laid by any State on Imports or Exports, shall be for the Use of the Treasury of the United States; and all such Laws shall be subject to the Revision and Controul of the Congress. No State shall, without the Consent of Congress, lay any duty of Tonnage, keep Troops, or Ships of War in time of Peace, enter into any Agreement or Compact with another State, or with a foreign Power, or engage in War, unless actually invaded, or in such imminent Danger as will not admit of delay. Each subject is unlocatible!

UPDATE: Another video shows someone, apparently Loughner, burning a U.S. flag.  His YouTube profile says:

Name: Jared Lee Loughner
Channel Views: 271
Joined: October 25, 2010
Website: http://Myspace.com/fallenasleep
Hometown: Tucson
Country: United States
Schools: I attended school: Thornydale elementary,Tortolita Middle School, Mountain View Highschool, Northwest Aztec Middle College, and Pima Community College.Interests: My favorite interest was reading, and I studied grammar. Conscience dreams were a great study in college!
Movies: (*My idiom: I could coin the moment!*)
Music: Pass me the strings!
Books:
I had favorite books: Animal Farm, Brave New World, The Wizard Of OZ, Aesop Fables, The Odyssey, Alice Adventures Into Wonderland, Fahrenheit 451, Peter Pan, To Kill A Mockingbird, We The Living, Phantom Toll Booth, One Flew Over The Cuckoo's Nest, Pulp,Through The Looking Glass, The Communist Manifesto, Siddhartha, The Old Man And The Sea, Gulliver's Travels, Mein Kampf, The Republic, and Meno.

UPDATE: Someone who knew him in 2007 says his politics then were left-wing.  Looks like a flag-burning nihilist kook, perhaps schizophrenic.

UPDATE: The Arizona Daily Star has fairly detailed background on Loughner, who would interrupt his pre-algebra class with "nonsensical outbursts" and was barred from class.

UPDATE: A New York Times profile of Rep. Gabrielle Giffords, titled "A Passionate Politician with a Long List of Friends."

UPDATE (January 9): The federal complaint against Loughner.  Loughner was good enough to leave clear evidence of premeditation at his home.

UPDATE: A "second suspect" turned out to be the cab driver who drove Loughner to the Safeway, who came inside as Loughner had to get change to pay him.  He has been cleared as to any involvement in the shooting.

UPDATE (January 10): The Daily Beast points out, via the Southern Poverty Law Center, that Loughner's rants closely resemble the writings of Milwaukee-based David Wynn Miller, in talk about grammar and mind control--which brings us back to right-wing nutcases.

UPDATE (January 11): CNN is still saying it can find no link between Loughner and any groups, while Boingboing has posted further comparison to the insanity of David Wynn Miller.  It's amazing that this guy has people buying into his nonsense and trying to use it in court (always unsuccessfully, of course).

UPDATE: The DC points out that Loughner was a commenter at the UFO/conspiracy website AboveTopSecret--where his fellow commenters found him difficult to understand, considered him to be crazy, and asked him to get help before he hurt himself or someone else.  Despite mental health programs in Arizona that allowed anyone in contact with him to report him, and Pima Community College's recognition that he had mental problems, no one reported him to the state for evaluation.