I've realized recently that I have no real idea of what's happening in Iraq. On the one hand, we have bubbly optimists like Chrenkoff. On the other, people like Wall St Journal reporter Farnaz Fassihi, whose email is getting wide circulation.
The Iraqi bloggers I read (generally) sound more optimistic than despairing, which is good. It's clear to me that the US needs to stay the course, as bad as that may well become, because pulling out would be an unmitigated disaster. Al Qaeda got a huge boost from the (US backed) Islamist victory over the Soviet Union in Afghanistan. Withdrawing from Iraq would give them another huge boost, even if they've lost in Afghanistan to the US.
(From Editor and Publisher on Fassihi, via BoingBoing.)
[Update: several people have asked, how can you believe that "it's anything but *cked up over there?" My answer is reading the Iraqi blogs: it just doesn't seem that what they're witnessing is either the doom and gloom of the left-wing press, or the sunshine of the right-wing press. It's really hard for me to judge what's really going on at any sort of macro level.]
It's always good to see our best resources being applied to the most important things in society, like voting. The "independent" validation, paid for by the software creators, is closed to the public. But when the Nevada Gaming Commission gets into the act, it seems they know a scam when they see one. (Disclaimer: I voted in that Defcon study, but have no evidence my vote was counted.)
For more information, see the Black Box Voting book page, Avi Rubin's site, or Rebecca Mercuri's site. Dr. Mercuri was the first one I know of to start beating this drum, and we owe her a vote of thanks.
[Update: The story isn't actually new. I'd heard Nevada was requiring audit trails, but hadn't heard it was the NGC that was responsible until Randal Schwartz pointed it out to me. (I'd link to the message, but it hasn't been through moderation yet.)]
Bob Morris maps hurricanes Ivan, Charley, and Frances against voter maps. (No mention of Jeanne, which seems to have taken the same path as Frances.)
Enquiring minds want to know, is this that Bob Morris?
I'm speaking at the Atlanta Chapter of the High Tech Crime Investigative association, October 11th, on a "Privacy Industry View of Reducing Cybercrime." This is an extended version of Zero-Knowledge's talk we gave to law enforcement.
I'm speaking at the Inaugural Security Leadership conference, in Arlington, Texas on the 19th, on "Beyond Penetrate, Patch and Pray," which is a new talk that I haven't put online yet.
I'll be attending (but not speaking at) Phreaknic in Nashville, on the 22nd and 23rd.
Ed Felten has a great post over at Freedom To Tinker about Rather-Gate:
In the recent hooha about CBS and the forged National Guard memos, one important issue has somehow been overlooked -- the impact of the memo discussion on future forgery. There can be no doubt that all the talk about proportional typefaces, superscripts, and kerning will prove instructive to would-be amateur forgers, who will know not to repeat the mistakes of the CBS memos' forger. Who knows, some amateur forgers may even figure out that if you want a document to look like it came from a 1970s Selectric typewriter, you should type it on a 1970s Selectric typewriter. The discussion, in other words, provides a kind of roadmap for would-be forgers.

On top of educating forgers, the debate, at least for those who followed it, has provided an education in document authentication. So not only are the forgers smarter, but so is the general public. That's a very good thing.
Many security problems are built into products because the designers don't know about a problem, or become convinced that no one else will discover it. A better educated public helps to address both these issues: Designers are more likely to know about problems, and once they know them, management is less likely to dismiss them as improbable or obscure.
Abdul Hadi al-Khawaja is being detained for 45 days over charges of inciting hatred against the [Bahrain] regime. His Bahrain Centre for Human Rights (BCHR) ignored warnings it had contravened association laws, a government statement said. The centre had protested at the arrest, saying Mr Khawaja was just "practising his basic rights, namely free speech".

There are times I love cultural imperialism, and this is one of them. The idea that some rights are inalienable has spread around the world, and made the world a better place.
(Via BBC)
More than 120,000 hours of potentially valuable terrorism-related recordings have not yet been translated by linguists at the Federal Bureau of Investigation, and computer problems may have led the bureau to systematically erase some Qaeda recordings, according to a declassified summary of a Justice Department investigation that was released on Monday.

The problems, unsurprisingly, are managerial:

The F.B.I. "has not prioritized its workload nationwide to ensure a zero backlog in the F.B.I.'s highest priority cases - counterterrorism cases and, in particular, Al Qaeda cases," the report found.

The 9/11 Commission report found flaws with the "lead office" system that the FBI has, where the office where a case originates gets all the credit. I wonder if that plays in here?

Audio recordings that relate to Qaeda investigations are supposed to be reviewed within 12 hours of interception under F.B.I. policy. But the report found that deadline was missed in 36 percent of nearly 900 cases that the inspector general reviewed. In 50 Qaeda cases, it took at least a month for the F.B.I. to translate material.

Heads ought to be rolling at this point.
Quotes are from a New York Times story, see also what the BBC had to say. The title, incidentally, is from a September 10th intercept.
Overall, it doesn't make much difference that the Army kicked out nine linguists for being gay. That's less than 1% of the workforce at the FBI. But it does indicate that our national priorities remain somewhat skewed.
Maybe if we stopped insisting that security and liberty are always opposed, and started talking about how liberty and security can complement each other, we'd be doing better?
I've just finished the 9/11 commission's report. (Or use the Pdfhack version, a fine example of what can be done in the absence of copyrights.)
One of the things that stands out for me is the stark contrast between the history and the recommendations. The history is excellent. The recommendations, less so. My largest critique is that after the largest attack on American soil since the Civil War, they fail to think big. They spend time drawing lines on org charts.
Regular readers will note that I spend a lot of time looking at airline security. The recommendations there (around page 383) are clearly weak. More ID cards will not change things. We need to consider broader changes.
For example, they could have considered the drug war. The easiest way to smuggle weapons of mass destruction into the US would be to pack them in cocaine. Perhaps changes there are in order?
I'm not the first to notice this. Elizabeth Drew wrote a long article for the New York Review of Books, and the Center For Strategic and International Studies has an analysis (PDF) worth reading. An English professor at DeAnza college also caught my eye.
Recently, I found myself wondering why Hamlet had never gotten a proper treatment in Powerpoint. After another drink, I took it upon myself to remedy the situation.
I believe that if you are a low- to mid-skilled intruder physically located in the United States, you will eventually be caught. The days when hardly anyone cared about prosecuting digital crime are ending. The FBI has 13 Computer Hacking and Intellectual Property (CHIPS) units with plans to open more. The Computer Crime and Intellectual Property Section (CCIPS) are available to US Attorneys across the country. The Secret Service operates 15 Electronic Crimes Task Forces. There are 5 Regional Computer Forensic Laboratories operating now with 8 planned to open in the coming years. The Internet Fraud Complaint Center (IFCC) is taking reports from victims of cyber crime and the National White Collar Crime Center supports law enforcement efforts. All of this adds up to a lot of federal, state, and local police working to bust bad guys.

(From Richard Bejtlich's TaoSecurity.)
This feels wrong to me. Investigating computer crimes is still a very labor-intensive process. (I'm experimenting to see how MarsEdit handles extended entries.)
To be able to say that intruders will 'eventually be caught,' we need to know:
This analysis assumes that computer crime resources are tasked with tracking down the low level attackers. There are other computer crimes that require investigation, which drive the odds even lower.
To be fair, Richard makes no claim that you will be punished, only caught. But what about the odds that you'll be punished? Deterring crime by catching and punishing offenders is thought to work on something like an "expected punishment" model: Criminals guess how likely they are to be caught, and what the punishment will be, and then make a payoff decision. I don't have a good estimate of how many arrested computer criminals are convicted.
This changed recently -- spyware 'toolbars' started to appear for Firefox as well. It was quite a surprise to see a dialog pop up when accessing an otherwise normal-looking (though advertising-heavy) page, using my Linux desktop, prompting me to install some 'toolbar' .xpi file!

Justin Mason has a good bit on how Firefox reduces the chances that spyware will end up in your system. This is a nice start. I don't know that it will work long term. When SSL came out, there were all sorts of sites with directions for working around the security and interoperability warnings. Things like "Your browser will issue a warning. To use this site, click "please screw me."" Spyware sites will start to issue the same sort of message around installing new software to see their dancing bunnies.

Firefox 1.0PR now includes code to deal with this. Here's how it works.
Browsers have become big, complex technologies. That's not a slam at the browser folks -- users want them to do more and more. As the browser replaces one set of buggy device drivers with another, it may need to start offering an internal security model that controls which APIs different plug-ins can use, and so on. It may need to start controlling which modules can access which data, much like an operating system.
Do current security plans depend on no guns getting onto the planes? I hope not.
Covert government tests last November showed that screeners were still missing some knives, guns and explosives carried through airport checkpoints, and the reasons involve equipment, training, procedures and management, according to a report by the inspector general of the Homeland Security Department.

From The New York Times. Use BugMeNot if you need a login.
In other "guns on planes" news, John Miller, the head of the LAPD's counter-terror unit was detained Thursday after forgetting about a gun in his bag.
It's interesting that Miller got where he is via a PR and reporting background. The obvious charge is security as theater. However, reporters often end up knowing a huge amount about their subjects, and so I don't want to throw that charge without more research than I can do before dinner.
So Verisign has teamed up with I-safe to issue "USB tokens" to children. The ZDnet story states that it "will allow children to encrypt e-mail, to access kid-safe sites and to purchase items that require a digital signature, said George Schu [A Verisign VP]." To me that sounds a lot like an X.509 certificate, which Verisign has been trying, and failing, to flog to consumers for years. (It may be this.)
What's unclear are the privacy implications. If this is an X.509 cert on a USB token, then what this means is that children will not have privacy in these "kid only" spaces. They'll be subject to monitoring under their real name. This damages one of the best features of the internet, which is the ability of kids to go online and explore different identities fearlessly. Read their chatroom rules of use: Cyberdating is dangerous!
At least they're up front in their terms of service: You are being watched. Your name will follow you. Yeah, I wanna go play there.
"BRANSON, Mo. - A Branson man has put a face to the anonymous references people often make to "they" by changing his name to just that: "They."

How can you argue with messing with the entire English language?

"Not only is he making a statement about his name, but he's messing with the entire English language," friend Craig Erickson said.
(From AP via Languagehat.)
This - the damage done to individual psyche - and not just to the physical infrastructure and institutions of the country, is what we have to always keep in mind when assessing the progress of reconstruction and democratisation in places like Iraq. If things aren't moving ahead as fast as expected, if cooperation is lacking and trust hard to find, and if the population seems apathetic and disengaged, it's just the fallen regime having its final chuckle from beyond the grave.

That is from a fascinating piece in Chrenkoff (via Iraq The Model).
Coming home today from New York, I was a little more prepared. I still didn't have "government-issued i.d.," but at least I knew I was headed for trouble. I got to JFK several hours early. The young security guard wasn't sure what to do with me and asked a more senior guard. The elder guard sternly insisted that I must have a photo.

"This is a little weird," I said to the young guard, as I opened my bag and pulled out one of the extra paperbacks I'd snagged from my publisher. "I wrote this book, and here's my photo in it." He laughed and let me through. This time, they didn't even search my bags.

Below, I wrote about discretion for screeners. This is a great example of that discretion being used in a harmless and entertaining way. Of course, since anyone can get a book published, this can't last.
So when Google Mail started up, I managed to register "account.management@gmail.com." I didn't have any particular plan for this, I just figured that it was entertaining, and a good, harmless prank could be made of it. (I specifically emailed a friend who works for Google security about it, and mentioned it in person next time we saw each other.) Google has just closed the account.
The termination clause of their terms of use clearly allows this: "Google may at any time and for any reason terminate the Services, terminate this Agreement, or suspend or terminate your account."
So, I'm not really complaining. I do wish I'd gotten a good prank from it.
I do hope they don't terminate the accounts that were associated with it, because a bunch of family members are using their accounts more in line with the way Google wants you to. But this raises a real worry. The lack of consideration for your account, along with that clause, may allow them to shut you out of your email. I'm glad I'm not seriously using the service.
There's a great business in selling gmail appliances for corporate email, I think. Google's reconsideration of the use of email was well overdue, and I'd like to be able to use their work without such worries.
Happy Emancipation Proclamation Day!
On Sept 22, 1862, President Lincoln issued the Emancipation Proclamation:
"...all persons held as slaves within any State or designated part of a State the people whereof shall then be in rebellion against the United States shall be then, thenceforward, and forever free;"

Now, like many government proclamations, there was more to read in the fine print. This is a good summary, but essentially, Lincoln knew that his powers as President, even during wartime, were limited, and he was only able to free slaves in the Confederate (rebellious) states.
Regardless, a great day for human freedom. Raise a glass to Abe Lincoln tonight.
The New York Times reports that "The Transportation Security Administration said Tuesday that it planned to require all airlines to turn over records on every passenger carried domestically in June, so the agency could test a new system to match passenger names against lists of known or suspected terrorists."
The data will vary by airline. It will include each passenger's name, address and telephone number and the flight number. It may also include such information as the names of traveling companions, meal preference, whether the reservation was changed at any point, the method of ticket payment and any comment by airline employees, like whether a passenger was drunk or belligerent in encounters with airline personnel.

Now, I may have missed it, but it seems that no hijackings took place in the US in June. So what does a successful test look like? What's more, information about how belligerent a passenger is on the plane is clearly not available before they fly, unless there's a new database of belligerent passengers that will be maintained. I saw no mention of such in the PIA or Federal Register notice.
The question is partially answered: "What we're looking for is the people who are actually on that list," said Lisa Dean, of TSA. Does TSA need a month of real data to see if they can match names, addresses, and phone numbers from a database?
This whole article forces me to ask, does the current system work at all? If there's a list of people who are a threat to aviation, shouldn't we have arrested some of them when they tried to fly?
This system isn't ready for testing, never mind using real data.
Omar writes about
A group of Iraqi citizens in Al Karkh/ Khidr Al Yas arrested 6 Syrian terrorists after placing a land mine at the gate of Bab Al Mu’a dam bridge from Al Karkh side.
According to New Sabah newspaper, after a road side bomb exploded missing an American convoy that was patrolling in the area, a group of citizens who happened to be there noticed a bunch of young men who looked foreigners (turned out to be Syrians) that were gathering near the place and that looked suspicious. The citizens found their attitude very suspicious and they were not from the area, so they jumped on them and kicked them until some of them started to bleed and then turned them on to the American forces. Eyewitnesses said that the citizens were shouting “Terrorists. You are targeting our children and families. You are killing our youths”
I guess at least some Iraqis really don't like imperialists coming in and using their country as a proving ground for their theories of how the world should be. Incidentally, there seem to be a fair number of Iraqi bloggers out there, representing points of view that I don't see covered. Go find a bunch at random and read them.
PS: I make no claim that they're representative. And one or two might even be a fraud. But is that any worse than say, CBS?
Don't read this if you're easily annoyed.
Under CAPPS-2, the government would like the airlines to collect your name, home address, phone number, and date of birth. (Perhaps more, depending on the phase of the moon. Social security numbers have been mentioned.) The courts have already declared that airline privacy policies are meaningless. So, what will happen is that the airlines will get a very high quality data stream because you'll be under threat of arrest if you choose to creatively fill their database. They'll then be able to use this data for marketing purposes, a la their frequent flyer programs. They'll be able to pass it along to the credit agencies. They'll be able to do whatever they'd like to profit from data that they could never collect without a government program to back them.
Ed Hasbrouck has another pair of good posts (1, 2) on the "Free Wheelchairs" program. In the first one, he quotes from "Department of Homeland Security Appropriations Act, 2005", H.R. 4567:
(2) the underlying error rate of the government and private data bases that will be used both to establish identity and assign a risk level to a passenger will not produce a large number of false positives that will result in a significant number of passengers being treated mistakenly or security resources being diverted;

(3) the TSA has stress-tested and demonstrated the efficacy and accuracy of all search tools in CAPPS II or Secure Flight or other follow on/successor programs and has demonstrated that CAPPS II or Secure Flight or other follow on/successor programs can make an accurate predictive assessment of those passengers who may constitute a threat to aviation;

There's an analogy here to intrusion detection programs, which was first pointed out by TaoSecurity. That is, you may not have false positives, people mistakenly identified as terrorists, and you may not have false negatives, that is, missing those who "may constitute a threat to aviation." In the computer security world, Intrusion Detection Systems are notoriously hard to tune so that they get the attacks you want, and don't produce huge amounts of noise. Some companies are dumping their IDSs because of this. Can we learn something about what may happen to CAPPS-2?
Assuming for a moment that the meaning of "constituting a threat to aviation" is that someone imminently and demonstrably plans to hijack, blow up, or otherwise attack a plane, then you need to catch them with tools handy. That might work better if we concentrate on looking for the tools, rather than collecting home phone numbers. If the meaning is broader than that, it may mean that you need to arrest them, or risk exposing an intelligence operation. If you tip your hand and show that a suspect is on a watch list, then the terrorist pool can be adjusted to deal with that.
It seems that meeting subparagraphs (2) and (3), which are both good criteria, is going to be quite difficult. Perhaps airline security should start with a focus on people bringing dangerous things onto planes, rather than on who they are and trying to discern their motives. That's not to say that if intelligence agencies are watching someone, they should never share that with TSA for extra scrutiny. But this isn't about a watch-list, it's about behavioral profiling of the American people, in a manner that has never been shown to work.
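The false-positive problem in subparagraph (2) is the same base-rate arithmetic that makes IDS tuning so hard. The model below is an added illustration, not part of the original post or of any TSA or IDS product; the population size, threat rate and error rates are constructed assumptions chosen only to show the shape of the problem.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ScreeningOutcome:
    """Expected counts when a classifier is run over a population."""
    true_positives: float    # real threats that were flagged
    false_positives: float   # innocent passengers that were flagged
    false_negatives: float   # real threats that were missed
    precision: float         # share of flagged passengers who are real threats


def screening_outcome(passengers, threat_rate, false_positive_rate, false_negative_rate):
    """Expected outcome of screening `passengers` people.

    threat_rate is the base rate of real threats in the population;
    false_positive_rate is the share of innocents wrongly flagged;
    false_negative_rate is the share of real threats missed.
    """
    threats = passengers * threat_rate
    innocents = passengers - threats
    tp = threats * (1.0 - false_negative_rate)
    fn = threats * false_negative_rate
    fp = innocents * false_positive_rate
    flagged = tp + fp
    precision = tp / flagged if flagged else 0.0
    return ScreeningOutcome(tp, fp, fn, precision)


def max_false_positive_rate(passengers, threat_rate, false_negative_rate, target_precision):
    """Largest false-positive rate that still meets `target_precision`.

    Solves precision = tp / (tp + fp) for fp, then divides by the number
    of innocents to express it as a per-passenger rate.
    """
    threats = passengers * threat_rate
    innocents = passengers - threats
    tp = threats * (1.0 - false_negative_rate)
    fp_allowed = tp * (1.0 - target_precision) / target_precision
    return fp_allowed / innocents


if __name__ == "__main__":
    # Constructed scenario: one million passengers, 10 real threats,
    # a classifier that wrongly flags 0.1% of innocents and misses 10% of threats.
    out = screening_outcome(1_000_000, 1e-5, 0.001, 0.10)
    print(f"flagged threats:   {out.true_positives:.1f}")
    print(f"flagged innocents: {out.false_positives:.1f}")
    print(f"missed threats:    {out.false_negatives:.1f}")
    print(f"precision:         {out.precision:.4f}")
    # What would the false-positive rate have to be for half of the
    # flagged passengers to be real threats?
    print(f"FPR needed for 50% precision: {max_false_positive_rate(1_000_000, 1e-5, 0.10, 0.5):.2e}")
```

With the constructed numbers, roughly a thousand innocents are flagged for every nine real threats, and reaching even 50% precision would need a false-positive rate below one in a hundred thousand, which is the same tuning trap the IDS analogy describes.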
Eugene Volokh rightly criticizes a correspondent for his ad hominem attacks on NYC Mayor Bloomberg, who said (I'm quoting Volokh):
But Bloomberg insisted that there's no proof that the NYPD did anything wrong. "There is absolutely no evidence whatsoever that there was any intent by any law-enforcement official to hold people any longer than was absolutely necessary to process them," he said before marching in the Mexican Day Parade on Madison Avenue.

But Bloomberg should know that the city was found in contempt of court for its processing. See MSNBC: "Police carted Pincus to a holding cell topped with razor wire and held him for 25 hours without access to a lawyer." and "The first mass arrests came three days before the Aug. 30 to Sept. 2 convention, when police swooped down on Critical Mass, a loosely knit collective of bicyclists who periodically flood city streets and slow traffic. Police usually tolerate the disruption, but that night officers arrested more than 200. Kelly told New York magazine that he wanted to send protesters a message." (Emphasis mine.)

Bloomberg pointed out that many protesters who were arrested have already pleaded guilty. "I suspect that most of them [did so] because they know they don't have a case," he said. "They broke the law . . . They might as well just plead guilty and go on."
Newsday quotes Legal Aid attorney Michelle Maxian as saying "The mayor himself has admitted that in the pens, they caught both innocent and guilty people. Police will be unable to distinguish which was which. And most people were not actually violating the law."
So while invective may not be needed, it certainly seems that Bloomberg knows who doesn't have a case, and it's not the protesters.
The people who will pay for this aren't just the protesters and the innocent people caught in literal police drag-nets, but the taxpayers of New York, when the city is rightfully sued for the behavior of the police.
I have cell service with AT&T Wireless. One feature of the service is network time updates. It fortunately includes a confirmation. It's great when you land in a new city. It hasn't been so great last night or today. Last night, at 23.20, I got an update telling me that the new time was 21.15. Just now, I got one telling me that it's 10.15 (it's actually 10.30).
There are a whole bunch of security protocols which rely on having roughly correct time. I hope none of them are implemented with a reliance on the PCS network.
September 19th is National Talk Like a Pirate Day
"Dude, anyone got the new Metallica?"
Samablog points to the new nickel design, which will have either a buffalo or a depiction of the Pacific coast on the back. The buffalo refers to the Louisiana Purchase, while the Pacific coast refers to Lewis and Clark's expedition.
Despite his careers as a lawyer, diplomat, Secretary of State, and President of the United States, Jefferson considered three achievements to be his enduring legacy:
That's what he asked be engraved on his tombstone. The ideas in each of those are, in many ways, still revolutionary. In a much more religious age, Jefferson wrote "we hold these truths to be self-evident; that all men are endowed by their creator with certain inalienable rights..." (emphasis added). He wrote "their creator," rather than "God," in a document where every phrase was argued over. What would he have thought about gazing at the words "In God we Trust" on the currency of a country he did so much to shape?
I blame the Hamiltonians.
Over at BoingBoing, Cory points to a USA Today story at NewsIsFree about more screening. There seem to be four components:
As to the "groping," it was inevitable. If the goal is to keep all knives off planes, then you need to rub-frisk every passenger. Maybe they can at least hire better looking screeners to do it?
There's a brilliant post over at Orcinus about the 9/11 commission, whose (outstanding) report I'm just getting around to reading.
Really, if the Kerry campaign is serious about persuading the American public that Bush is a serious liability when it comes to securing the nation from the terrorist threat, this should be Exhibit A: Bush fought the formation of the 9/11 commission for a year, and continued to fight its work throughout.
This isn't about politics as it seems to be practiced today, with a storm of invective and attacks. It's about an honest look at what went wrong, and preventing it from happening again. That's a process that requires openness and honesty, not blind trust, and not requests for such.
During the fights over cryptography laws in the 90s, we spent a great deal of time on the claim from high-ranking government officials, "If you knew what we knew, you'd agree with us." This claim was put to rest by a dozen generals, admirals, ambassadors, and former spies who served on the National Research Council's report Cryptography's Role in Securing the Information Society. That report plainly stated that while details of operations needed to remain secret, the arguments themselves had all been discussed openly. In much the same way, those details that have come out have argued strongly against secrecy. Condoleezza Rice's description of the (then classified) "Bin Ladin determined to strike in US" Presidential Daily Brief as "purely historical" is exhibit A.
Ian Grigg has some very interesting comments on Verisign's certificate business and what it means for privacy, over at Financial Cryptography.
The New York Times reports:
The Central Intelligence Agency has fewer experienced case officers assigned to its headquarters unit dealing with Osama bin Laden than it did at the time of the attacks, despite repeated pleas from the unit's leaders for reinforcements, a senior C.I.A. officer with extensive counterterrorism experience has told Congress.
A senior official disputes this:
A senior intelligence official who asked not to be identified strenuously disputed Mr. Scheuer's criticism about the resources assigned to the war against Al Qaeda. "The assertions are off the mark," the official said. "There are far more D.O. officers working against the Al Qaeda target both at C.I.A. headquarters and overseas than there were before Sept. 11," the official said, using the abbreviation for the Directorate of Operations, the C.I.A.'s clandestine arm. "Our knowledge of and substantive expertise on Al Qaeda has increased enormously since 9/11. The overall size of the counterterrorism center has more than doubled, and its analytic capabilities have increased dramatically."
But are the claims really incompatible? One official refers to the Bin Laden unit, the other to Al Qaeda and counter-terrorism. It seems to me that all the claims may be true.
Bin Laden may be effectively isolated. His communications need to go through chains of couriers, and that's slow and difficult. So focusing on more active players may make some sense.
Then there's the question of what you do if you find him. If you kill him, you risk making him a martyr. If you capture him, do you bring him to trial? Recall that he's already been indicted over the first set of World Trade Center attacks.
(Ecto seems to be losing parts of posts on me. Feh!)
The Mozilla folks have awarded their first bug bounty payments for 14 security issues. Time to upgrade!
Microsoft has released a critical advisory (or, less-technical version) regarding a problem with the way JPEG files are parsed. Microsoft has released patches for their applications, and also a tool to scan for vulnerable apps.
I'm not sure what to think about the tool. On the one hand, good for them! Helping customers secure their systems by finding problems is a good thing, even if some people don't think so. On the other hand, Microsoft could have sent a note to all their MSDN (Developer Network) customers about the problem. So why the effort for a tool? A tool, I think, is in line with what John Pescatore was suggesting, which is customer pressure on vendors to release more secure code.
Microsoft has something of a head start on this, having trained their entire staff. Is this the start of an "Unbreakable" campaign from Microsoft, or perhaps something more subtle? Either way, nicely done. [Update: Fixed OIS link. Thanks, Max!]
Apple has released an updated Security Advisory, to fix two problems introduced in the previous rev. Not a big deal, unless you happened to be trying to deal with their ftpd. As we've pointed out (PDF) in the past, security updates are a race between attacks and defense, and there are trade-offs you can make.
I'm still trying to find out what's in the Apple Remote Desktop security update, to make a good decision about whether I should install it.
Britons seemed startled by the ease with which palace security was overrun by two men in super hero costumes carrying an extension ladder....Police used a crane to extract him from the ledge as his supporters chanted "free Batman" from behind a police cordon.
From the New York Times story. Or, Google News has more. The men were protesting for more father's visitation rights after divorces, and the right to carry ladders in public, which will shortly be banned in England. An exception will be made for those who have a builder's license, pass a background check, and pay an annual fee.
I started asking what are the odds, and then ended up at a back of the envelope, why are these so rare?
Gartner advises that for companies building their own software, developers should be pushed to put security at the head of their list. It's not just in-house tech makers that need a word in their ears - the analysts suggest end users should give vendors grief about tightening up their security procedures too.
John Pescatore, the analyst in question, nails it. If you want more security from your vendor, you've got to make it a buying criterion. If you want more security from your developers, you've got to make time for it in the schedule, and you've got to give them tools and training to know what to do. Better security isn't hard, it just costs some money. Do you prefer to spend that up front, or on operations later?
It has a General and Miscellaneous Topics section, too.
Articles must be given a primary classification, and may be given arbitrary additional classifications. The first article in the first volume I was published in was 54C40, 14E20 secondary 46E25, 20C20.
That's (54C40 Algebraic properties of function spaces), (14E20 Birational Geometry: Coverings), (46E25 Rings and algebras of continuous, differentiable or analytic functions {For Banach function algebras, see 46J10, 46J15})*, (20C20 Modular representations and characters).
Google doesn't seem to be specialized in searching these things. Those 4 numbers as a search don't return the specific paper, but then, the specific paper isn't online. There are search engines that are able to search by MSC (it's under "Class" in that link), or try to navigate in Norwegian. I did, before finding the English link.
UPDATE: The * after the {see 46J10, 46J15} was going to be a footnote, explaining that {braces} represent prioritization--you must check to see if 46J10 or 46J15 are better fits.
The basic problem is economic. Doctors are much better paid in the US than in Canada, and doctors can easily move. It's also harder for a doctor to be entrepreneurial in Canada, not only because of the extra paperwork, but some things that they may want to do are actually banned. For example, a doctor can't open a private surgery with the plan to sell overnight stays, even if people want to pay for it. The slur against that is it would 'create a two-tier system.' Similarly, the supplemental health insurance I had while working in Montreal would pay for a private hospital room, but there were either none or very few, reserved for senior politicians and the otherwise well-connected. Apparently a private room counts as two-tier.
Of course, there is a two-tier system now. A well-off friend once flew to the US for treatment he needed. It seems that Canada could do a better job of providing base care while still providing the base level of health care which they do. And another friend, just to balance the anecdotes, has gotten good long-term care for an unusual and life-threatening condition. He'd be long bankrupt in the US.
The great linguist Chao Yuen-Ren once wrote an essay in Chinese using only words which (in Mandarin) would be transliterated as shih (using Wade-Giles; shi in pinyin). You can see the text in characters and two transliterations, read the translation ("A poet by the name of Shih Shih living in a stone den was fond of lions..."), and hear both Mandarin and Cantonese readings here. Via LanguageHat, where you can see the reference chain.
The Webflyer points to a great David Rowell column, including:
An argument ensued. Ms O'Leary not unreasonably thought it unfair to be trapped on the delayed flight when there was another flight due to leave shortly that she could make if allowed to leave the United Express flight. The pilot called the police who arrested her for disorderly behavior. After some three hours of questioning by police and FBI, they eventually released her.
Now, while I agree that you can't trust those senior government officials on anything, I can't see three hours of questioning. The airlines are clearly using the police to threaten passengers who think their service stinks, and are speaking out.
Ms O'Leary is not only a former US Secretary of Energy, but also a current board member of United Airlines, and has been for almost five years.
Peter Swire has a new working draft, A Model For When Disclosure Helps Security. It's a great paper which lays out two main camps, which he calls open source and military, and explains why the underlying assumptions cause clashes over disclosure. That would be a useful paper, but he then extends it into a semi-mathematical model of the factors that contribute to the usefulness of hiding information. (Semi-mathematical because there are no numbers attached, but rather "high/low" rankings.)
There's a variable, "L", that Swire uses to refer to how much an attacker learns from each attack. He mentions in the context of surveillance that (III.4, page 24) secrecy helps the defender a great deal. It helps an eavesdropper to stay secret when listening to attackers plan. I think that estimating L is hard, harder than Swire gives credit for. And a good estimate of L is important, because if your estimate of what your attacker is learning is too low, you make bad decisions. "Oh, no, that'll take them weeks to figure out."
He then evaluates why computers are different, mainly in that attacks can be honed and perfected and then replicated. It then gets really interesting when he drags in a relationship to the Efficient Capital Markets Hypothesis (ECMH). "Efficiency in the Open Source paradigm also means that all relevant information is already known to outsiders -- disclosure of a vulnerability does not help attackers. The claim here is that the open source paradigm has implicitly assumed what is called the 'strong' form of the ECMH, that 'current security prices fully reflect all currently existing information, whether publicly available or not.'" (III.5.b, p 28). I think this is actually not correct.
We can look at information flows as being three markets: there's a public market, a restricted market, such as is created by official but controlled information sharing like ISACs, and an underground market. The best market is where information is factored in quickly, and the market has low transaction costs. So we might restate Swire's claim as "...sufficient relevant information is already known to attackers -- public disclosure of a vulnerability does not further help attackers." It's easy to see that a public market has much lower transaction costs than a restricted market, but it's hard to know how good the underground market actually is.
Over at American Spectator, Shawn Macomber writes about being arrested in New York this week, and suggests a reality TV show is in order:
It could be called POWDERKEG! Each week, I'll be arrested without my rights being read to me and held for 14 hours while police refuse to tell me what charges I'm being held on. Meanwhile, the kumbaya squad will talk politics nonstop to see if they can make my head explode.
Responding to my earlier comments about science being easier at a distance, both Nude Cybot and Justin Mason have offered up substantial and useful comments on the subjects of biological taxonomies. (Justin's have moved to email.)
"Classification in Biology, or phylogenetics, is fraught with issues that we typically do not face when creating our own systems of classification such as organization of content on a website." This is actually the exact opposite of my starting position as I learn about these. I thought that the 'underlying realities' of biology, that this descended from that, or in chemistry, there are this many electrons in a shell, lead to 'natural taxonomies.' Boy, was I ever wrong. (The periodic table can be read as a taxonomy, and the position of atoms in it predicts certain characteristics of those atoms. For example, the 'noble gases' are off to the far right, and their electron shells are filled.)
It turns out that even with such natural divisions, there are many good ways to classify the kingdoms of nature. Ironically, Nudecybot points to Six Degrees: The Science of a Connected Age as a possible answer. Six degrees is, of course, a reference to a classic Milgram study that I wrote about a few days ago, saying that Milgram was better at the experiments than at the theories around them.
So, there's no perfect taxonomy, only the question of is a taxonomy useful for the purpose at hand. And the purpose at hand needs a tighter definition than it has today.
If you ever saw Julia Child or Jacques Pepin take apart a chicken, you'll remember how easy they made it look. It's a level of skill that we can all aspire to.
Watching Ed Hasbrouck take apart the latest incarnation of free wheelchairs for paraplegic children is like watching Julia Child take apart a chicken. He does it so well that you don't even stop to marvel at his skill. Go read what he has to say about the utter lack of sense and lack of legal standing that the TSA has to be implementing these programs.
In Wikipedia vs. Britannica Smackdown, Ed Felten takes my challenge. In the meanwhile, I'd done some hypothesizing, here.
So how'd I do?
Hypothesis 1 is spot on.
#2 is more challenging to assess: The errors in Britannica are smaller, and I think I'll judge myself wrong.
#3 I think is accurate, if only because of the long entry on Microsoft.
#4 Ed did not assess, or comment on.
#5 Ed didn't check Encarta.
So, I think I get 2 out of 3 for the tested hypotheses.
A few days ago, I challenged Ed Felten to do some more comparison work. In the spirit of Milgram, I didn't propose a theory. (This was mostly because I was trying to make a good joke about assigning the professor homework, but couldn't come up with one.) However, on consideration, I think that I should propose some theories, and also not influence the experiment.
So, hypothesis 1:
Wikipedia will have 30-50% more entry coverage than the others. In particular, I don't expect Ed Felten will have an entry, and I expect one of his two computer science entries to not be in each comparison encyclopedia.
Hypothesis 2:
The quality of Wikipedia, measured by errors detected, will meet that of the others.
Building a large encyclopedia is a lot of work, and I don't expect that the quality assurance and fact checking will be great anywhere.
Hypothesis 3:
The quality of Wikipedia, measured by the depth of the entries, will be substantially greater than the comparison.
Techies aren't noted for brevity and conciseness, and the web doesn't have physical constraints holding down the size of the entries, whereas each DVD you ship may add $2 to the cost of a product. I expect that the difference would be largest against the print or CD versions.
Hypothesis 4:
The quality of Wikipedia, as measured by the accessibility of entries, will be lower.
By accessibility, I mean how good the basic introduction and contextualization are, and how well the entry takes you from no knowledge to some.
Hypothesis 5:
Ed will believe that Encarta's entry on the Microsoft trial is biased towards Microsoft.
Analysis:
An encyclopedia must be measured first on accuracy, and secondly on breadth. A roomful of monkeys writing entries does not get you a useful encyclopedia, but neither does one with one entry. (There are a great many useful topical encyclopedias which address this by constraining themselves to one subject.)
I expect that Wikipedia's accuracy will be roughly that of the others, and it will win, hands down, on breadth and depth. However, this test is biased by the selection of terms, where they are known to a computer science professor. If my hypotheses pan out, it would be fascinating to see if we could recruit from across the Princeton faculty, to see if the same tests hold true across wider disciplines.
(I did two short tests, on Rabbi Akiba, and Brillat-Savarin. Wikipedia spells it Akiva. But I don't have a comparison document to compare to.)
As part of a larger project on security configuration issues, I'm doing a lot of learning about taxonomies and typologies right now. (A taxonomy is a hierarchical typology.)
I am often jealous of the world of biology, where there are underlying realities that can be used for categorization purposes. (A taxonomy needs a decision tree. Any trained person using this tree should classify the same items the same way.)
A new type of shark has recently been discovered, in the Sea Star Aquarium, in Coburg, Germany. This is (at least) the second zoo that the shark has been in.
"We are not embarrassed," said [Schonbrunn Zoo] spokesman Dr Ekkehard Wolf. "We get thousands of exotic animals every year. It is not possible to categorize them all." (From The Telegraph.)
See a picture (and read the article) at Unterwasser.de or read Google's translation.
Even the lucky biologists run into difficulty classifying their species. I feel better trying to classify minimum time between password changes.
This post by Todd Zywicki clearly illustrates the difference between law professors and economics professors.
In Educated Guesswork, Eric Rescorla writes about one way tickets and the search criteria.
The CAPPS program was created by Northwest airlines, who set the criteria for inclusion. They included one way tickets to enforce their bizarre pricing schemes. This is the same reason they started asking for ID: to cut down on the resale of the other half of a round-trip ticket, which cost the same as a one-way.
CAPPS, incidentally, has been renamed the "free wheelchairs for paraplegic children" program, to make it harder to argue against, and to get around a congressional mandate that the program not be deployed until someone actually thinks it through.
In his comment, Kevin Dick gets it mostly right--there are other items that you want to keep off the planes (pepper spray, for example), but the right technique in a free society involves enabling passengers to fight for their lives, and fortifying the flight deck. There's a lot that could be done that hasn't been. For example, consider an "airlock" system, with two doors at the front of the plane, with a restroom inside. The doors open one at a time. There may be an air marshal inside. (A curtain prevents anyone from seeing.) Now hijackers need to get through two doors. They can't storm the cockpit while the pilots are being fed or using the restroom. This is very expensive. It would require a new bathroom for the high-revenue business travelers up front. It makes a section of plane unusable for revenue generation. But it is entirely free of civil liberties implications for fliers.
Over at Freedom To Tinker, Ed Felten writes about the Wikipedia quality debate.
He takes a sampling of six entries where he's competent to judge their quality, and assesses them. Two were excellent, one was slightly inaccurate, two were more in depth, but perhaps less accessible than a standard encyclopedia, and one (on the US Microsoft anti-trust case) was error-prone.
Ed writes: "Until I read the Microsoft-case page, I was ready to declare Wikipedia a clear success." However, I think his experiment is only one-third to one-half done. I think that Ed ought to look up the same 6 entries in another encyclopedia or two, and report back. I'd suggest the Britannica, which is usually considered the gold standard, and perhaps Microsoft's Encarta, which may be the most widely used.
I can't do this experiment the way Ed can, because firstly, I don't have an EB account, and second, because I don't know all the topics to the depth he does. I could pretend, and perhaps miss errors that he'd catch, or sample six other articles, and perhaps I will over the weekend.
Over at TaoSecurity, Richard writes:
Remember that one of the best ways to prevent intrusions is to help put criminals behind bars by collecting evidence and supporting the prosecution of offenders. The only way to ensure a specific Internet-based threat never bothers your organization is to separate him from his keyboard!
Firstly, I'm very glad that the second, qualifying sentence is there. It provides some context. However, I'm not sure that I care that a specific threat stops, what I care about is that the class of threats go away.
If the odds that a specific criminal hacker goes to jail are low, then the penalties need to be exceptionally severe and well publicised to create a deterrent effect. (This is roughly a criminal attack loss expectancy, which someone smart has done work on.)
We can see that the odds that an attacker goes to jail are relatively small because there is clearly a large attacker population, and very few criminal sentencings. I'm curious how many attacker convictions we'd need each year to change the economics of this and deter 15 year olds from bringing down CNN?
I've recently finished The Man Who Shocked the World, a biography of Stanley Milgram. The book's title refers to the "Authority Experiments," wherein a researcher pressured a subject to deliver shocks to a victim. The subjects of the experiments, despite expressing feelings that what they were doing was wrong, were generally willing to continue.
Other work Milgram did led to the "six degrees of separation" meme, insight into mental maps of cities, the "lost letter" technique of assessing public opinion, and the concept of the "familiar stranger." He was outstanding at creating illuminating experiments in social science.
I learned in reading this book that Milgram had enormous difficulty getting grants. The review committees who essentially gatekeep government grants wanted him to work from a theory. (It's not clear from the book if they thought research should support a theory, or correctly understood that great research involves undercutting a theory.)
There's an interesting tie to computer security here, in that there is a group of researchers who do nothing but interesting experiments, whose results and replicability are shared through what is variously called demonstration code, "POC" (proof-of-concept), or "sploit" (short for exploit) code. Many of these researchers use pseudonyms in their publication, and are considered annoying by the computer security establishment (both commercial and academic), whose work they poke holes in.
In contrast, I think these researchers do an important service by demonstrating how security can be broken. If you consider the hypothesis "This software is resistant to attack," a few bytes of exploit code is an elegant refutation.