After a recent hard drive failure on my Mac, I realized just how much I hate the web. No, that’s not really true. I don’t hate the web. I think the web is great. Advertising on the web, that drives me to distraction. And so I realized how much I appreciate Mike Solomon’s PithHelmet plug-in for Safari.

PithHelmet does a very good job as an ad blocker, but it’s more than that. It allows for per-site configuration of Safari. So I can turn on JavaScript for a small subset of websites, perhaps Flash for another. It’s fantastic.


Speaking of distributed innovation, the Open Source Vulnerability Database is a great project, dedicated to accumulating deep technical knowledge about computer security vulnerabilities, and making it freely available. And now it turns out, they have a blog! Mark Ward has an interesting article, “Predicting Vulnerabilities, Quotes and more.”

When the patch comes out, many people will reverse engineer it to figure out the vulnerability as most of us know. On the same note, like the exploits, IDS signatures follow the exploits that follow the patches. So if an unpatched ‘0-day vulnerability’ is being exploited, how do we know? There will be a significantly lower chance of detecting such an attack to know this statement is true.

(I’ve offered a way to test this in “Proof Of Concept Code, Boon or Bane,” and “Microsoft pre-warning of patches.”)

MBP On Impatience

Martin Pool, whose blog lacks a comment facility, quotes a history of Windows NT:

The first two weeks of development were fairly uneventful, with the NT team using Microsoft Word to create the original design documentation… Finally, it was time to start writing some code.

(I wish I’d seen this line a couple of days ago and could have quoted it in my bzr talk; I spent at least six full weeks writing and reviewing design documentation for that. 🙂

Martin, clearly your productivity would have been higher if you’d used Word to create your design documentation!

Distributed Innovation

In the New York Times, Virginia Postrel writes about the work of Eric von Hippel, head of the Innovation and Entrepreneurship Group at the Sloan School of Management at MIT, who has a new (academic) book, “Democratizing Innovation.”

But a lot of significant innovations do not come from people trying to figure out what customers may want. They come from the users themselves, who know exactly what they want but cannot get it in existing products.

One of the themes I’ve meant to explore is how interesting new things appear out of the froth. Emerging from the Chaos. Postrel discusses open source software, along with a variety of sports. She also covers restaurant recipes:

To help chefs create the final recipes themselves, Ernie Gum, director of food product development for the Nestlé FoodServices division of Nestlé USA, developed what Professor von Hippel called a “tool kit” of preprocessed food ingredients identical to those actually used in the factory – for example, a chili purée processed on industrial equipment. In field testing, Professor von Hippel found, the tool kit cut the time to develop new foods from 26 weeks to only 3.

I think recipes are a fascinating example, because they exist in a space that’s being squeezed. That is the area not covered by intellectual property rules. If I have, say, butter-poached lobster, or squash and goat cheese pizza, I can go make it, at home or in my restaurant. Both examples are generally acknowledged to have been created by particular chefs (Thomas Keller and Alice Waters, respectively). Some cookbook authors will acknowledge that, others don’t. But neither chef can come after you with a recipe patent, and that lack of threat is critical to innovation.

Great companies learn either to tap innovation directly, or to define ways for others to build an ecosystem around their new products. In the computer business, a good deal of the success of Microsoft Windows is attributed to how well Microsoft did at making it easy to program. They took steps to lower the cost of entry. Apple, traditionally, has not. But it offers beautifully designed products, like the iPod, that have a few well-defined interfaces, and those interfaces are being used in a host of innovative ways. Companies that neither make their products easy to enhance, nor make them stylishly desirable, end up like General Motors.

Back in the computer business, it took me all of 15 minutes to add the Technorati links to the bottom of my posts. Most of that was because I spent a few minutes trying to figure out how to make Movable Type encode links for Technorati. Then I said, hey, I bet they’ll do the right thing, even if I’m lazy. And they do. I then messed up the Movable Type syntax, and that took longer to fix. Technorati made it easy, MT made it harder. Hmmm.

One final note. I think the name of Professor von Hippel’s book, “Democratizing Innovation,” is unfortunate. It’s not a matter of democratization. People have always voted (with their wallets) for products that help them solve problems. What the tool-kit approach really does is drive down the costs of bringing a new product to market. Bringing down costs reduces risk. It accelerates the innovation cycle. Democracies are about picking winners that everyone can live with. In stark contrast, most people have no idea about most of the new innovations. They’re emerging too quickly to track.

“£155,000 per instance of fraud”

Bruce Schneier writes:

The UK government tried, and failed, to get a national ID. Now they’re adding biometrics to their passports.

Financing for the Passport Office is planned to rise from £182 million a year to £415 million a year by 2008 to cope with the introduction of biometric information such as fingerprints.

A Home Office spokesman said the aim was to cut out the 1,500 fraudulent applications found through the postal system last year alone.

Okay, let’s do the math. Eliminating 1,500 instances of fraud will cost £233 million a year. That comes to £155,000 per instance of fraud.

… assuming that the new measure prevents all 1,500 instances, of course.

Small Bits: Airport Security, Tax Web Bugs

  • Stupid Security covers an AP story:

    Security at U.S. airports is no better under federal control than it was before the Sept. 11 attacks, a key House member says two government reports will conclude.

    None of us here [at Stupidsecurity] are surprised. The real fun begins with the second paragraph:

    “A lot of people will be shocked at the billions of dollars we’ve spent and the results they’re going to see, which confirm previous examinations of the Soviet-style screening system we’ve put in place,” Rep. John Mica, R-Fla., told The Associated Press on Friday.

  • AFSCME 3357-HOF reports:

    While trying to discover if I was going to have to pay a penalty because Turbotax notified me too late that my income tax return was rejected, I discovered what appears to be a massive privacy breach that might (or might not) be Turbotax related. While searching for information regarding penalties for rejected returns, I found that hundreds of complete rejected tax returns, including names, addresses, social security numbers, the whole 9 yards, are completely accessible on the web.

Small Bits: Ameritrade, Tax & web privacy, revolution, medicine

  • It turned out someone I had dinner with last night had gotten an Ameritrade letter. According to her, Ameritrade is not offering credit monitoring service.* “Lotus, Surviving A Dark Time,” has some good analysis:

    Well, duh with a PR stamp. How could they have heard of any such “misuse?” If customers had any bad experiences, how would they know it had anything to do with their Ameritrade account, since they weren’t told of the problem? And why did it take the company over two months to notify those potentially affected?

    [Update: This story at Computerworld says that Ameritrade is offering monitoring.]

  • At BoingBoing, Xeni reports on an SF Chron story, Intuit & HRBlock’s “Web bugs may break law:”

    “The law states that it’s a misdemeanor for any company ‘to disclose any information obtained in the business of preparing federal or state income tax returns or assisting taxpayers in preparing those returns, including any instance in which this information is obtained through an electronic medium.'”

  • GetLuky comments on “Social” Services as an Inversion of Traditional Privacy. Interesting read, I’d love to hear more of his thoughts on privacy as autonomy, and the value of actual or apparent control. That is, del.icio.us offers access, correction, and other bits that Choicepoint does not.

    As an aside, what a nice trackback link. Why does MT insist on a new, complex link, instead of just appending /trackback/?

  • Mutualist Blog, specializing in “Free Market Anti-Capitalism,” has an interesting article on “The Revolution is Not Being Televised.”

    The alternative model that Holloway presents (according to Ross), centered on such decentralized grass-roots movements as the Zapatistas and the post-Seattle movement, has been analyzed under various names since the ’90s. The Zapatistas were taken as the leading example of this kind of “netwar” back in the ’90s, in a Rand study by David Ronfeldt and others. The idea was, by using the internet as an organizing tool, to put together ad hoc coalitions with little advance notice, and either to put together mass demonstrations in support of the Zapatistas or overwhelm (or “swarm”) government with more phone calls, emails, letters, and generalized public pressure than it could possibly cope with. Ronfeldt et al expressed their dismay in language quite similar to that used by Samuel Huntington in his 1970s lamentation over the “excess of democracy” and “crisis of governability.”

  • Thoughtcriminal Scrivner objects to medical experts reversing their advice as IngSoc is refined to greater heights of knowledge. TC Scrivner suggests that experts should explain themselves, leading to confusion on the part of the people. Room 101, Michael Moore.

CMU, 5,000+, Hacker

A hacker who tapped into business school computers at Carnegie Mellon University may have compromised sensitive personal data belonging to 5,000 to 6,000 graduate students, staff, alumni and others, officials said yesterday.

There is no evidence that any data, including Social Security and credit card numbers, have been misused, officials said. But they have begun sending e-mails and letters alerting those affected.

They include graduate students and graduate degree alumni from 1997 to 2004, master’s of business administration applicants from September 2002 through May 2004, doctoral applicants from 2003 to this year, and participants in a conference that was being arranged by the school’s staff.

The intrusion occurred April 10 but was not disclosed until late yesterday so Tepper could notify potential victims, school spokesman Mike Laffin said.

Kudos to CMU for investigating and notifying inside of two weeks, rather than dragging it out for months. The quotes are from “CMU says hacker broke into computers” in the Pittsburgh Post-Gazette, via Dave Farber’s IP list.

Choicepoint Earnings

ChoicePoint Inc. (NYSE: CPS), today reported first quarter total revenue growth of 19 percent compared to 2004. First quarter total revenue for 2005 was $259.3 million.

These expenses included approximately $2.0 million for communications to, and credit reports and credit monitoring services for, individuals receiving notice of the fraudulent data access and approximately $3.4 million for legal expenses and other professional

ChoicePoint’s first quarter results will be discussed in more detail on April 21, 2005, at 8:30 a.m. EDT via teleconference. The live audio Webcast of the call will be available on ChoicePoint’s Web site at http://www.choicepoint.com. There will also be a replay of the call available beginning at approximately 10:00 a.m. EDT at the same Web address.

From the press release “ChoicePoint(R) Reports Record Revenue in the First Quarter of 2005.”

Small Bits of Security Chaos: Airports (2), Bastille Linux adds metrics

  • The Department of Homeland Security Office of Inspector General has written a report on TSA security:

    Improvements are still needed in the screening process to ensure that dangerous prohibited items are not being carried into the sterile areas of airports, or do not enter the checked baggage system. In our report on the results of our first round of testing (OIG-04-036), which we issued in September 2004, we made several recommendations for improvements in the areas of training, equipment, policies and procedures, and management practices. For the most part, TSA agreed with our recommendations and is taking action to implement them. However, despite the fact that the majority of screeners with whom our testers came in contact were diligent in the performance of their duties and conscious of the responsibility those duties carry, the lack of improvement since our last audit indicates that significant improvement in performance may not be possible without greater use of new technology.

    But it doesn’t ask: do we need to screen better? Is the current system good enough?

  • ABC News reports “Private Screeners Outdo Public:”

    A congressional investigation found airport screeners employed by private companies do a better job detecting dangerous objects than government screeners, according to a House member who has seen the classified report.

    The Government Accountability Office found statistically significant evidence that passenger screeners, who work at five airports under a pilot program, perform better than their federal counterparts at some 450 airports, Rep. John Mica, R-Fla. and chairman of the House aviation subcommittee, said on Tuesday.

    And we haven’t had a repeat of 9/11? Maybe we don’t need a new program to invade the privacy of people world-round to secure aircraft? (Maybe we do; I think we need a re-think.)

    Via InfoSecNews, who have additional Keystone Koppery.

  • Cryptome (offsite) points to two more DHS reports from the DHS Inspector General: DHS on TSA Security Operations Irregularities, and DHS on TSA Passenger Baggage Thefts. Both big PDFs. [Added in an update.]

  • Jay Beale has this to say about the new release of Bastille Linux, a tool that hardens your operating system against attack:

    The score idea is actually pretty central here. When I first heard about it, I thought it was overly simplistic, but people really do get motivated and sometimes even jazzed up about improving the score on a system. They’ll get a lower score than their ego tells them they should and will turn around and harden a few items on the box just to achieve a more encouraging score.

Choicepoint, April 20

  • Presto Vivace reports that:

    During the April NCC AIIM meeting, a member of the audience asked how the IRS’ Free-File could avoid becoming another ChoicePoint, clearly a reference to recent security breaches. Everyone in the room immediately understood the reference; no explanation was needed.

  • CBS Marketwatch reports “For now, little way to halt firms’ leaks of consumer data,” with lots of Choicepoint. Also, this gem from Lexis Nexis spokesperson Steve Edwards demonstrates how far we have to go:

    “We’re setting up [new guidelines] to help them administer and protect their IDs and passwords. I won’t get into too much detail there because then we’re giving away the secrets to the bad guys,” Edwards said.

    Let me guess, 7 or more characters, mixed letters and numbers, change regularly, and don’t share it? Did I give something away to the bad guys?

  • Kim Zetter at Wired reports “ChoicePoint Division Changes Tack:”

    Rapsheets, a Tennessee company purchased by ChoicePoint last year, provides instant criminal background checks to employers and organizations to help them screen workers and volunteers.

    The move brings the company into compliance with the Fair Credit Reporting Act, or FCRA, which requires background-checking services to either provide employers with the most-current information available from public records or to notify workers and job applicants when they are providing an employer with damaging information about them that is likely to affect their job prospects.

    “The high road would be for them to say, ‘We’re going to verify anything before we deliver a record to an employer,'” [Mike Coffey, president of Texas investigation firm Imperative Information Group] said. “They’re still going to put the onus back on the consumer to make sure that everything is correct.”

Trackbacks vs. Technorati?

Kip Esquire points to WILLisms, who wants to “Save the trackback.”

I think I’m running about 10-to-1 spam trackbacks to real ones. It’s clearly because I talk about nothing but poker and viagra.

I have to say, I love getting real trackbacks. I like it when people take what I’ve said and expand on it. I hate getting semi-trackbacks, where a poster sort-of refers to what I’ve said, doesn’t link to me, and throws in a trackback. I hate, hate, hate, spam trackbacks. MT’s interface for dealing with them, frankly, stinks. It stinks even with MT Blacklist. I accidentally delete real trackbacks all the time because of how stinky it is. It should show more of the post. It should go through the last 15 minutes of trackbacks and say “Do you want this one, too?”

So all that said, what WILLisms doesn’t cover is “Are trackbacks better for blog readers than Technorati?” Is it better to have a trackback mechanism, or rely on search engines? Search engines are harder for me to fix. If someone throws in a fake link, or a link that only shows up when the search spider arrives, I can’t easily fix that. Is that sufficient to make trackback spam worthwhile?

PS: I’ve added Technorati links to all my posts.

[Update: Michael Froomkin asks a very similar question in ““]

Ameritrade, 200,000 SSNs, Backup Tape

Some days I feel like I’m playing Clue… It was Mr. Mustard, in the study with the lead pipe.

Ameritrade Inc. has advised 200,000 current and former customers that a computer backup tape containing their personal information has been lost, MSNBC.com has learned. The tape contained information spanning the years 2000-2003, and included both current and past consumers of the online broker, according to spokeswoman Donna Kush.

Bob Sullivan reports at MSNBC. Via Volubis.

Removing Excel Macros?

I have a document where I started to create a macro, then realized that some clever search and replace would work. So I stopped creating the macro. But now, the document (which I share with others) has a macro in it. Sure, it’s possible to open it with macros disabled, but I’d like to remove the thing, so that I don’t contribute to dialog-box numbness and errors.

Is there a way to remove a macro from a document using Excel X for Mac?