Computers

Not so RuggedCom… time to set up a blacklist

RuggedCom has sold mission critical routers to the US Gov’t, utilities, and others with an undocumented backdoor installed.  This is totally inexcusable and RuggedCom should be out of business as a result.  Under no circumstances should any IT company produce a product with a backdoor installed.  I can understand the need for an easy way for the company to work with the router’s internals, but having a default admin account password should be sufficient.  At least then the customers could change the default password and make the router secure.

I don’t know if RuggedCom’s leadership knew of this backdoor.  This could have been the result of a lazy engineer, or in response to a program manager putting pressure on the team to get things done quicker.  No matter what, there was a definite failure in both the technical leadership at the company and in their Quality Assurance team.

RuggedCom is a Siemens company.  This is the same Siemens that was targeted by Stuxnet, and the same Siemens with a long history of security issues in their industrial controllers.

If a company is caught doing this crap they should be publicly blacklisted, and they should lose all of their customers and as a result, go out of business.  Just the fear of a possible backdoor has caused Huawei serious problems in getting contracts with non-Chinese governments.  While there is no proof that I’m aware of, they still can’t get several of the big contracts that they want to.  There is also fear that when IT equipment is manufactured overseas, that the foreign companies may put backdoors into the systems.  This fear is so serious, that at least one IT company I know of only installs their firmware in the US after the systems are manufactured.  Talk about adding complications to your manufacturing and testing procedures, especially when you can’t test the equipment until it is shipped half way around the world.

RuggedCom got caught, and I applaud the researcher that found the backdoor.  Had this been just an accidental vulnerability, then this would be a very different story.  However, with an intentional backdoor… it is a much more serious story.  RuggedCom should pay to replace all of their compromised routers with equivalent non-RuggedCom routers and shut down.  If they sold compromised routers to the US Gov’t, then they should be investigated for treason or other applicable law violations.

I suspect RuggedCom will try to spin this as best as they can, and to update their routers to remove the known backdoor.  I give them credit for at least admitting that there is a factory backdoor.  It would have been interesting to see if there were any internal discussions on the approach of just denying it.  However, this isn’t a typical design flaw.  This is incompetence and a complete misrepresentation of their expertise.  Here’s what their webpage says about their products:

RuggedCom products are designed for use in harsh environments such as those found in electrical power substations, oil refineries, military applications, roadside traffic control cabinets and metals and minerals processing.

Now, I don’t think that any of their customers that are responsible for oil refineries, military, and so on will agree that a system with a factory backdoor is really designed for those harsh environments.  Farewell RuggedCom, and I hope that as each of your employees find new jobs that you’ll take security seriously and be an advocate for secure products in your new companies.

I hope that with the pending demise of RuggedCom and the need for a blacklist of incompetent manufacturers, that those that don’t take security seriously now, will start doing so.

Does it matter if VMware’s source code is released?

VMware has admitted that their source code for ESX has been found on a Chinese network.  Does it matter?

Yes: If the source code is poorly written and has inherent vulnerabilities, then the source code could be useful in developing tailored exploits to attack organizations using VMware.

No: If the source code is well written and secure, then it will not provide any insight that will help in developing exploits.

So, the answer could either be Yes or No… it all depends on the quality of the source code.  Now, this is only from a security perspective.  The accidental release of VMware’s source code could certainly provide a competitor insight into how to compete with VMware.  The theft of proprietary software is still theft and is a crime.

I hope that VMware wrote high quality and secure code.  I suspect they didn’t and there will be new exploits against VMware.

House approves CISPA… WTF?

The House voted on, and passed CISPA today.  I didn’t even know that it was up for vote, nor was there much if any debate on this.  CISPA is basically SOPA 2.0 with some changes.  I am disappointed in Congress for passing this bill.  I appreciate the need to share intelligence data between ISPs and the Government, but a bill isn’t required for that at all.  Nothing is preventing the NSA, FBI, or anyone else in the Gov’t from sharing data.  The data itself is owned by the people, and therefore should be shared by default.  It does make sense to share classified information that would put our intelligence sources and methods at risk.  I don’t advocate breaking the law by sharing classified information, but I do believe that there are plenty of legitimate ways for the Gov’t to share threat data with ISPs without the need for any new laws.

So, they have passed CISPA and now we will have to wait for the Senate to take up the vote.  I wonder if there will be an outcry such as we had with SOPA, and if those that run the internet will speak out.  Until legislation is written with those that use the internet in mind whatever they write will not work.

Drupal vs WordPress

My wife is considering opening up her own small business, so I’ve been tasked with developing her website.  So, for the past couple of weeks I’ve been looking at Drupal.  I’d like to use Drupal to run her site.  This site is on WordPress.  I had considered using Drupal when I set up this site, but I found that it was too difficult for me to figure out in a short time.

After working with Drupal for a few weeks, my observations are:

  1. Drupal is not for the faint of heart.
  2. Incredibly capable yet incredibly complex.
  3. Lots of books on beginning Drupal and expert Drupal, very few in between.
  4. Will never replace WordPress from being the easy, yet capable solution.
  5. Has a huge potential for being a business “platform”.

Drupal is not for the faint of heart

Wow, they certainly make downloading Drupal and standing up the basic front page easy.  After that, it is a steep learning curve on nodes, modules, themes, menus, data architecture, and so on.  It isn’t a product, it is a lifestyle.  You have to drink the Kool-Aid and tough it out.  I’m in the middle of this now, and I hope that soon the light bulb will come on and the mental aerobics I’m going through will finally straighten out.

Incredibly capable yet incredibly complex.

When you read the list of sites that are on Drupal you can easily get impressed.  There are some big hitters there, and it is clear that Drupal can hold up to huge traffic and do almost anything you want it to.  The range of available modules, the ability to create your own type of content, and the extensibility of Drupal make it into a Swiss Army knife of web hosting.  It can do anything you want it to do… assuming you know how to make it do that.  With all of these capabilities come all of the possible options, configurations, and combinations of differing pieces and parts.  I feel like they dumped all of the parts for different makes of cars in the garage, and then said to put the different cars back together.  While the documentation is there, telling the difference between the Ford parts and the Chevy parts to begin with isn’t an easy task.  Eventually you will either figure it out or die in the process.

Lots of books on beginning Drupal and expert Drupal, very few in between

As I’ve been learning, I’ve been looking at the different books available on Drupal.  There are those introductory books on how to get a simple website up and running in only 145 steps, and there are those that help the intermediate experts become masters.  I’m not stupid, and I can figure out how to install Drupal and set up a basic site.  I’m looking at trying to go from the beginner (where I am now) to the intermediate guy.  So, if this was a class, I’d be past the first two lessons, and not quite ready for my Senior Project.  There just aren’t any books out there that I’ve found that address this class of student.  Maybe I’m missing it, and I am finding some great information within blogs and posts on Drupal.org, but I’m not finding the book.

Will never replace WordPress from being the easy, yet capable solution

I can’t imagine using Drupal for a simple blog.  If you already knew Drupal it might be doable, but definitely not for the folks that are just looking for a place to call home on the web (outside of Facebook).  It is easier to get a basic and functional site up and running.  I don’t know what the original inspiration for Drupal was, but for WordPress it appears to focus on making it capable, yet simple.  I suspect you can go quite wild in WordPress if you want to, but for Drupal I feel like you are thrown into the wilderness on day one.

Has a huge potential for being a business “platform”

My wife wants to run a business.  The business is service based, so each customer buys a day of service, and when they use that day, it is deducted from their account.  Pretty simple.  Also, what I expect is pretty common for small businesses.  So, my goal is to allow the customers to manage their account on-line (buy more days, see how many days are left, etc.), and for the business to be able to track all of the accounts.  Given that Drupal puts all of the data in a single database and can incorporate e-commerce, it seems like a good solution.  If this was anything larger than what we are considering, I’d throw in a DMZ, intranet, firewalls, and all of the big iron crap necessary to protect your main business systems from the externally facing systems.  However, that is not the case here and it is feasible to back off to paper processes and to back up the data via printing.

I get the feeling that leveraging the roles and rules within Drupal, this could be a powerful small business tool.  Not only can you interact with your clients, you can also conduct your internal business process.  Why have SharePoint when Drupal can do the same thing?  This would be a killer project for something like Acquia or another company to take on as a hosted service.  Make it simple to set up an on-line store and to manage inventory within the company.  Maybe even work with the major small business providers such as Quickbooks.  Drupal could become the dominant small business platform, especially for new small businesses that don’t have the resources to develop their own internal software.  I don’t think they will compete with SAP, Oracle, IBM, or in-house work in well established large businesses, but that is okay.

There are so many “platforms” today, but they are primarily focused to host custom applications.  I can go buy computational power that will be my platform, but that assumes that I’m a software developer and software is my business.  I can’t imagine the ice cream place down the street really considering building custom applications on EC2.  But I can imagine them wanting to have a website, where folks can order ice cream cakes.  But the real seller is that from home they could figure out employees’ hours, their supplies, how the books look today, and help automate keeping their stock where it needs to be.  Allow them to make ice cream and to avoid having to worry about what it will take to run a small business.

There may be small business solutions out there now that fit this bill.  I really don’t know, and if they are out there, I doubt that they are based on a community model like Drupal.

Conclusion

Right now my goal is to create a simple site for my wife, and to see where we go from there.  I’m hoping to figure Drupal out at least enough to not have to fall back to WordPress or to make an attempt at Dreamweaver.  I doubt I’ll get the non-customer facing or e-commerce integrated in the first round.  I’m looking at Square on the iPad as our cash register since it takes a lower cut than most of their competitors.  I’m also concerned that I want to be able to conduct business when the internet is down, so a 3G iPad may be a more robust solution.

The more I get into Drupal the more I’m impressed and overwhelmed.  I would feel better if I was an HTML/CSS/PHP expert, but I’m not.  I just have a vision in my head as to what I want when I’m finished.  It really sucks having use-cases figured out and then to struggle with bringing them to life.  Hopefully soon.

 

Is Open Source Software a Threat?

I have recently gone through a governmental Information Assurance (IA) process to gain permission to connect a stand alone development network to a broader government network.  In the process, we got feedback on potential “threats” to our approach.  While none of these were serious enough to prevent getting permission, one of the comments made really irritated me.  It stated that the use of Open Source Software (OSS) posed a threat to the security of the network.

So, is OSS a threat?  I don’t believe so, and in fact, I believe that in most cases quality OSS poses less of a threat than its commercial counterparts.  All software, both OSS and commercial, may introduce vulnerabilities into a system.  Software has bugs, bugs can be exploited, and therefore all software may pose a threat (hint, don’t keep software on your system you don’t need).  But, is OSS more threatening than commercial software?

It will certainly depend on the software.  If the actual question is if there is someone that is actively updating and patching the software, then it depends.  For example, Firefox is an open source piece of software that is constantly being patched and improved.  However, Windows 2000 is commercial software that is no longer being patched.  So, which one is more secure?  Firefox.  However, if the roles are reversed and the open source software has been abandoned, and you are comparing it to a commercial piece of software that is being actively patched, then the commercial software is more secure.

However, what happens if everything is equal?  Let’s say that both the open source software and the commercial software are being actively patched.  Now, here’s where my opinion is that the open source software is actually more secure.  The key issue is that as a customer I can look at the code if I wish.  While that may be unlikely and I may not understand what I’m looking at, the fact that it is doable is a motivating factor for the open source developer to be more careful in writing the program.  Their success is based on being able to stand behind their source code, not just the application itself.  In a commercial application, it is about the program and not the source code.  It could be a good looking and capable piece of software but written by monkeys from a security perspective.

It is frustrating that the IA community isn’t filled with software developers, but instead a new breed of engineers that are groomed by the marketeers of commercial software.  Not many, if any, open source developers go out and sell their software to the government.  If you hear it enough, it must be true.  Well, here’s my challenge to the IA community.  Show me some actual facts to back up your claims.  If you can’t, then stop being biased towards commercial software.  I want you to do your job and to do it well, and that means that you have the trust of your customers.  With crap like this you lose all trust and so when you have something important to say, it is likely going to be received with doubt.

Again, all software has the potential to introduce security concerns into a network.  It doesn’t matter if it is open source or commercial.

Come to Jesus moment for SCADA developers

A couple of years ago, Firesheep created a come to Jesus moment for many of the most popular web sites on the internet.  It demonstrated for anyone interested (no skill needed) that not using SSL was bad, and that anyone’s account could be hacked.  All responsible websites have responded by increasing their security and the internet is a better place for it.

At the S4 Conference SCADA systems were put under the wire brush and found as insecure as those websites targeted by Firesheep.  Iran learned the hard way that SCADA isn’t secure with Stuxnet.

SCADA is designed by industrial engineers for industrial engineers, and not by computer security experts… and it shows.  At the conference flaw after flaw was exposed which if exploited could cost billions and even cost lives.  Unlike a Facebook account, SCADA controls physical processes and when something goes wrong, bad physical things can happen.  The conference attendees speculated that there will be a Firesheep moment for SCADA and that the industry will have to react.

I agree and disagree.  I do think that if I were to buy a new SCADA system, I’d be able to find a wide range of improved security offered.  I also think that I’d find systems that were upgradable and that could be easily patched in the future against evolving threats.  What I don’t see is any reasonable expectation that the existing fielded systems will ever be fixed.  The flaws extend beyond the server farm and into small control boxes scattered around power plants and industrial sites.  This is more like IE 6 than Firesheep.  No matter how much Microsoft has tried, IE 6 still lives on.  It will take touching every single flawed box and potentially redesigning every single system to secure them.  Firesheep was countered by using SSL at the servers.  If countering required each user to replace their laptop, we would still hear about Firesheep.

I don’t know if there will ever be an event that causes industry to touch all of those boxes and to upgrade them.  Those boxes are a sunk cost and they just work… so why change them?  It will be easier for industry to implement procedural changes to reduce (but not eliminate) the risk.  Some industries such as nuclear power plants may make the effort, but will the dairy farm?  Additionally, I doubt that any warranty associated with these boxes included this.  They work as designed, so therefore the fact that they were designed without sufficient security isn’t something likely covered under warranty.

The people that wrote Stuxnet were targeting a specific set of SCADA controllers and intentionally prevented their software from attacking outside of a narrow set of parameters.  They were unable to prevent collateral damage, but they did go out of their way to do so.  The worst case scenario for the SCADA industry (both manufacturers and users) is someone releasing a variant of Stuxnet that is as discriminating as a nuclear weapon.  Remember the Conficker virus?  You know, the one that infected 15 million Windows computers.  It didn’t care who you were.  Now, put the Stuxnet payload on something as nondescript as that, and you’ll get the world’s attention.  You will also cause physical damage across a wide range of industries.

It is unlikely that the industry will recall their boxes and replace them for free.  It is also unlikely that most industries will pay to replace their SCADA systems with newer secure ones.  The best we can hope for is that industries start building response plans for when their SCADA systems are compromised.  At some point some virus is going to be released into the wild that does impact SCADA.  It may be something that was designed to target a small population, but whose controls were poorly designed.  It may be something designed to show off the skills of some 15 year old hacker… I don’t know… but it will happen.  The question isn’t if or when, but how will industries respond and how well are those contingency plans written.

LightSquared vs GPS

There have been several experiments showing that LightSquared’s systems interfere with GPS frequencies.  LightSquared is now seeking a ruling to put the blame on the GPS manufacturers and therefore be permitted to roll out its system while forcing the GPS manufacturers to fix their systems.  If this goes through it will be a disaster.  First of all, the GPS systems in question are already out in the market, and LightSquared’s isn’t.  Even if this was the fault of the GPS equipment, there is no economical or technical way to update every GPS device, especially those that are securely embedded inside of systems.

But, this is not the GPS manufacturers’ fault as LightSquared will have you believe.  GPS receivers are just that, receivers.  They only listen for the GPS signal that is broadcasted from the satellites above.  The GPS signal is very weak, and therefore the receivers must be sensitive to pick up the signal.  If LightSquared is broadcasting too close to the GPS frequencies, or on the GPS frequencies, of course these sensitive receivers will pick it up.  Welcome to basic radio theory.  GPS receivers have been around for many years, and have evolved.  In the beginning it took a long time to pick up a satellite and only a few could be picked up at a time.  That wasn’t good enough for either military or commercial use (no good if your GPS only starts working after you arrived at your destination), so they pushed up the sensitivity and improved the processing.  Now they have GPS receivers that can find your location quickly, just like we want it.  The outcome of this is that a small buffer is needed around the frequencies to ensure that they aren’t accidentally interfered with.  That is the price we pay to have a GPS system that works, and those are the frequencies that LightSquared wants to use.

Sorry LightSquared.  Much of our civil infrastructure, consumer electronics, and military systems rely on GPS.  If your systems are going to interfere with them then you lose.  If your system was already deployed and GPS was new, then the roles would be reversed.  You are the one coming late to the frequency party and therefore get stuck dealing with the outcome of several years of evolution of GPS.

I like what LightSquared is trying to do, and I do hope that they can find some frequency band that will work for them.  However, the GPS bands must remain off-limits.  It is unfortunate for any company that has a good idea, and believes that they have a right to develop systems that border on the GPS, that their plans get screwed.  The Government did a poor job of laying down a foundation for frequency management.  There was no way to do it well, given that no one had any idea as to how wireless technology would evolve.  The FCC has done its best with what it has, but it is stuck with many legacy decisions and systems that abuse the frequencies they are given.  At some point we’ll have to make the same transition as we did with standard to digital televisions, but this time with military radios, satellite communications, and commercial wireless devices.  It will be a challenge and will likely take several hundred years to complete.  Until then, LightSquared and others like them are stuck with what we have, no matter how unfair it may seem.

Best of luck LightSquared, but stay away from my GPS… it is often the only thing that knows where I’m going… and I’d like to get there someday.

How the Government Goes About Creating a Crappy App

Rich Jones posted a wonderful piece on gun.io on this horrible mobile application that the Occupational Safety and Health Administration (OSHA) created.  He estimated that he could have done it for about $600, so he submitted a Freedom of Information Act (FOIA) request to find out how much this piece of crap cost for the Taxpayers.  In total, the Android App, iOS App, and the Blackberry App (which was never released) cost slightly over $200,000.  That’s right, a $600 app for $200,000.  On top of the $200,000 for the applications, the source code isn’t publicly available as it is considered a trade secret by the contractor Eastern Research Group.

Rich goes on asking how this could happen.  Well, I don’t have any inside information on how OSHA did this application but I can hypothesize how this happened.  Rich goes on how he’d like the system to work, and I applaud him for that vision.  Now, let me work through the likely steps that resulted in this piece of crap.

  1. Somewhere near the top of OSHA a Senior Executive Service (SES) manager decided that OSHA “needed an App”.  Everyone in Government is doing Apps, and OSHA is not going to let everyone have one but themselves.
  2. The poor manager assigned to this task has no technical or coding background.  He or she is a mid-level manager, just trying to put food on the table.  When he asks the Boss “What do you want the App to do?”, the answer is something like “I don’t care, just make an App and leave me alone about it.”  Here’s the first major problem… there is no actual reason for the App, and no one has thought this through.
  3. The manager must now write a Request for Proposal (RFP) for the development of the App.  This process takes about six months if you are lucky, and you must go through multiple legal and contracting reviews.  Any creativity or vision will be stripped out of the RFP as too risky or unusual.  The RFP will have language such as “The Contractor shall produce an App that provides users information about OSHA”.  There won’t be any mock-ups, diagrams, or use-cases… it is all just words.
  4. The RFP will be a Firm Fixed Price (FFP) contract which keeps the Government from taking any risk, or requiring constant management of the contract to ensure that everything is going according to plan.  A FFP contract means that the Government provides the contractor (ERG in this case) a flat fee for the App.  If it costs ERG $600 to make the App, then the rest is profit.
  5. The RFP “goes out on the street” for proposal.  The Government waits for about thirty or sixty days for responses.  Contractors will write a proposal and the proposal that is “technically acceptable, lowest costs” wins.  Now, there are two poison pills for new and smaller companies.  The first is that they are judged on “past performance”.  So, if you don’t have any, it counts against you.  In reality no past performance equals a neutral score, but you can’t take biases out of the people reviewing the proposals.  Secondly, the RFP contains a lot of boiler-plate requirements which are very costly to satisfy.  Only companies that have made it their business to get Government contracts get Government contracts.  It is just too difficult for others to break into the business, but occasionally it does happen.  Most often a company will leverage one type of contract for another.  So, if a company runs an IT Help Desk, they will suddenly consider themselves a software development house, with the often predicted bad results.
  6. The contractor will take as much time to do the work as possible, even if they aren’t really working on it.  For a FFP contract, you don’t want to deliver too early.  That would give the Government the chance to complain and force changes.  But if you wait until just before the end of the “period of performance”, there isn’t enough time for the Government to react, so they just accept what was delivered.
  7. Finally, by the time the App is actually delivered the SES has moved on to another job, and the new SES’s response is “we have an App, why?, okay… might as well publish it”.

There you go, from poorly defined requirements to a somewhat functional App.  This is not how it can happen, but this is how the system is designed to work.  It could be redesigned and changed, but that requires an act of congress, and they haven’t really demonstrated their capabilities to pass well thought out and written laws lately.

Rich also goes into the inability to gain the source code.  The default data rights for such a contract are Government Purpose Rights (GPR).  GPR is kind of like open source, but only within Government channels.  This assumes that the mid-level manager understands something about data rights.  If not, the contractors will likely try to slip in even more restrictive data rights in their proposals.  If the manager is a rebel, they could push for “unlimited rights” which would allow OSHA to release the code, but that really takes a lot of effort, and assumes that one of these companies is even willing to accept that contract clause.

Rich makes some good points in his rant.  Unfortunately, the established government contracting process has been established to maximize profit while minimizing productivity.  In many ways it is a works program.  Now, I’m sure that isn’t the true stated purpose of it, but it is how it ends up.  I would like to see the system change, but I’m not sure writing my congressman will help in this case.

Virus Takes Down AF Drones…WTF

Wired has an article on a computer virus that has infected the Predator and Reaper control stations at Creech AFB.  Someone screwed up big here.  First off, why was infected media introduced to the classified system?  Secondly, why wasn’t there a clean backup that they could use to restore to?

These systems operate on a classified network. So, either the bad guy has access to the classified network and introduced the malware there (not a happy thought), or someone broke the rules and transferred media from the internet to the classified network (another no-no).  Now, there are always exceptions to the rules, but in those cases all media should have been scanned prior to connecting them to the classified network.  So, what happened here?  Someone screwed up.  Someone didn’t follow the rules assuming that they didn’t apply to them, or that what they were doing at the moment was too critical to slow down and follow the rules.  Maybe the system they use to scan media was broken, or perhaps it wasn’t loaded with the right virus signatures.  Either way, something went wrong.

Secondly, why don’t they have a clean system to backup from?  This is a weapon system, not a video game.  In the article they go on about how they had to build the system from scratch again and again, always resulting in the same re-infection?  Why?  Doesn’t the system have a clean backup?  With the advent of virtual machines, snapshots, backup tapes, replication, and so on… you’d think they should be able to backup without a problem.  Now, the exception would be if the virus is hiding in some firmware and if that is the case, they are in more trouble than they realize.

I guess the real last question is why are they using Windows at all?  Why is the military using a commercial grade operating system that is the largest target on the planet for viruses to run a critical weapon system?  Shouldn’t this be on SELinux?  I bet the decision was made in the name of convenience and cost savings… so, how convenient is it now?  Saving money?  We need to realize that if IT systems are weapon systems, then we need to treat them as such.  This isn’t the same as my PC at home.  People generally don’t die if my PC goes up in smoke at home, but what happens if someone through the virus learns how to insert commands to a Reaper.  How does it look when the Reaper fires a missile at friendly troops… and we learn that it was the result of someone hijacking the system.  If they can hijack people using their bank’s website, they could certainly do this… and learning the system through a keylogger is the first step in that direction.

The Predator program has been an insane success.  It went from a science project to a major weapon system overnight.  Had it gone through the traditional acquisition cycle, it would have likely failed.  However, in its rush to be fielded, they took shortcuts such as their selection of operating systems.  It might be time now to rethink this.  If you are going to go with Windows, then you need to secure it correctly.  If you are a critical system, then you need to be able to boot from a clean backup.  Yes, this means more engineering and more costs, without any obvious operational value… but it also means that you can continue to operate through these types of issues.  Mission availability and robustness should be a valued operational characteristic.  I doubt that this incident will cause anything to be changed.  I just hope that it won’t take one of our UAVs to be hijacked and the death of friendly troops to finally make us change how the system is designed and used.

Thanks Steve

As everyone on this planet probably knows by now, Steve Jobs has died.  I came late to the Cult of Mac and it wasn’t until not only was I ready to spend that kind of money, but also that they had developed an ecosystem worthy of me paying so much for a computer.  Up to then I had been a Windows guy, and I always had an arsenal of utilities just to keep the machine working.

Steve was very lucky.  Not only did he have a vision, but he also had the tenacity and resources to make his vision into reality.  I think most importantly, he learned from his mistakes.  It must have been something for him to see Apple take off based on his vision.  How proud he must have felt for himself and his team, when the world’s shoppers embraced his vision with their checkbooks.  I would guess it would be like being the head of NASA as the first man stepped on the Moon.

I don’t know if anyone else could duplicate Steve’s success.  There are certainly many people out there with great visions, but few are as lucky to be surrounded by just the right opportunities and resources as Steve was.  I would like to think that we will see more like Steve come out into the open.

Steve was a Buddhist, and if he is correct, he will be likely reincarnated.  I like the concept and believe it myself.  There may be a newborn somewhere with Steve’s soul, wailing away in his Mother’s arms.  I have to wonder what such a baby will grow up to be like.  Maybe someday in a few years we’ll see this rising star of a man and realize him for what he is, Steve 2.0.  Until then, the world will mourn his loss, as well as the loss of all who have passed.

Thanks Steve for the vision you brought to this world, and all of your hard work.  Best of luck in the new life, and enjoy your iPad in your iCrib.
