A Department of Brand and Integrated Marketing that is.
Over at Sysinternals, Mark posts "Sony, Rootkits and Digital Rights Management Gone Too Far." [Update: If that doesn't work, try Sysinternals Blog; when I checked, it was the first post.] If you're at all technical, read it closely. If you're not, you should at least skim it. The story is that Mark (who knows more about Windows internals than many people at Microsoft) finds evil software on his hard drive, and it turns out that Sony put it there. As you read, look at chunks like:
A look at the Services tab of its process properties dialog showed it contains a service named “Plug and Play Device Manager”, which is obviously an attempt to mislead the casual user that stumbles across it in the Services MMC snapin (services.msc) into thinking that it’s a core part of Windows.

Ask yourself, is this the way you want someone to be treating you? Is this the way you want to be treated, as a Sony customer?
Also, how could I have missed "Use Sony DRM, Format Your Hard Drive?"
There's a fascinating story at imedia connection, "Why Consumers Trust American Express:"
How has American Express retained its position? Kimberly Forde, an American Express spokesperson, told me that "American Express is very pleased to be recognized by consumers for its ongoing and strong commitment to privacy." Moreover, she felt that American Express had done a lot to build consumer trust: "Trust and security have been the hallmarks of the American Express brand for more than 150 years. Our privacy program is a robust one that addresses the landscape of consumer concerns."

I find this fascinating because it's a company that's using privacy to their advantage. I've expected that to happen for a while, and it's nice to see it being presented in the media. It's also fascinating because privacy here seems to be an assertion without data. Where are the supporting facts that show American Express cares about privacy?

American Express sees a return on promoting consumer privacy -- that is, in making "trust and security" a hallmark of the brand. What we can take away from this is that consumer privacy is becoming an added value for a company. This is to say that some organizations are starting to realize that they can build customer bases by saying "we protect you from identity theft."
But most interesting (to me) is that I see American Express as horribly anti-privacy. I remember when they bought Connection Machines to do data mining on their customers. I recall being turned down by Amex for a card because my address (a mail service) didn't match their database of acceptable residential addresses. They wanted to see utility bills, or other things that told them where I really lived. Nah. So my perception of Amex is quite different.
I'm guessing that this is another instance of different meanings of privacy: That consumers believe that Amex doesn't sell data about their purchasing habits, where I'm concerned about what they collect, and the shadows of me that they confuse with the real me in making judgments. My data shadow wasn't crisp enough for them, and so they wouldn't loan me money. (It was decidedly crisp enough for others to extend credit on fine terms.)
(Via Chapell.)
In "The endgame on Iraq began a long time ago," Thomas Barnett writes some shocking things:
This is Musab al-Zarqawi's worst nightmare: the Americans safe behind their compound walls and every day he's doing battle against Iraqis, or, more to the point, against Shiites increasingly backed by Iran, no friend to the global Salafi jihadist movement, being as it is exclusively Sunni in make-up. Meanwhile Kurdistan gets stronger and the 'failed state' scenario for Iraq is reduced to its irreducible one-fifth outcome: the 20% of the population that's Sunni live an existence you wouldn't wish upon your worst enemy.

How on earth is this Zarqawi's worst nightmare? Zarqawi will portray this as the US being unable to fight, unable to prevent chaos, and it's all because of his guys with improvised weapons. The US will be humbled, and al-Qaeda will have notched its second superpower.

And let's have pity for, and apologize to, that 20% of Iraqis, and think about, right or wrong, who they're going to blame. I think Zarqawi and company are to blame. I think the US had an obligation, after invading, to prevent the country from falling into civil war. George Bush knew that a civil war was likely. If only his son had listened to him. Continuing to quote Barnett:

Pretty it ain't, but realistic it was always. Bush's critics may crow about the 'failure' of 'Jeffersonian democracy,' but that asinine point won't be remembered by history. What will be remembered is that Saddam was taken down, the pretend state of Iraq returned to its constituent parts, and the Middle East was never the same again.

We got what we wanted in Iraq, and we triggered plenty of tumult and change in the region. Now that the endgame becomes obvious to critics and supporters alike, the real question we need to ask ourselves is, What do we seek to accomplish next in the region? Not, Who do we invade next? Or what do we seek to prevent? But what do we seek to accomplish? What better Middle East are we working toward?

Accomplish next? What did we accomplish? Iraq has been ripped apart, our allies in Turkey are focused on the Kurdish state we built next door, and the Sunnis "live an existence you wouldn't wish upon your worst enemy." It's true that Iraq was the product of Imperial Britain drawing lines on a map, but that doesn't justify Imperial America coming in and ripping it apart.

Now, Barnett has an interesting theory of a common set of perspectives which he calls "the core." (Everything else is "the gap.") Part of his theory is that the core should "perturb" the gap; that's always riled me. Now I know why. He has no goal. He's an imperialist, and, not liking the Baathist dictatorship, knocks it over, declares we've accomplished something, and thinks that more US meddling is a good idea?

Ummm, how about, and you know, just a thought... maybe we should have figured that out before "perturbing" things. Maybe we should fix what we broke before we go off and think "What better Middle East are we working toward?" Because with friends like this, I don't know that you need enemies.
Now, I do think that we need to be working towards a better middle east. Except, following our stellar "wouldn't wish upon your worst enemy" performance, maybe we don't get to imagine that. Unfortunately, the people of the region really don't get to either. Their dictators and clerics do.
Raw, naked exercise of power is not going to win friends for anyone. Perturbation for its own sake, with "the Americans safe behind their compound walls," is going to become the core answer to "why do they hate us?" It may become because we perturb their lives for our own purposes.
In "GE Puffer Stinks of Dr. Strangelove," Kim Cameron writes about his experiences with the new explosive detection machines:
People, I really hated the GE product. It is tiny, and closes around you. I felt seriously claustrophobic. Then it shot bursts of air at me so hard it actually hurt.

I have a number of quick thoughts and questions:

I had been told there would be "puffs of air", but these were not, by any definition, puffs.
"Puffs" make me think of cigar smoke. Or "Puff the magic dragon". Puffs of wind. But these were hurricane strength blasts.
Meanwhile the machine barks orders like a concentration camp commandant. Where did they get the voice? It speaks in a chilling metallic imperative borrowed from a really bad science fiction movie. In fact it was barely believable that adults would unleash this contraption on anyone.
(Thanks to Gunnar Peterson for the pointer.)
It's that time of year again, when Congress decrees that you shift your clock back an hour to save minuscule amounts of energy. The fine folks of Arizona and Indiana have noticed that Congress doesn't really have the power to regulate time, and don't like playing along.
But if you think about it, time is an essential part of measurement. The official definition of a meter is "length of the path traveled by light in vacuum during a time interval of 1/299,792,458 of a second." Congress actually does have the power (Article 1, section 8) to establish standards of weights and measures. So, given that time is an essential part of how things are measured, and that measurements need to be in alignment with other parts of the solar system, it is actually proper for Congress to muck with the clocks occasionally. They should remember that the computer systems that track time may not be as clever as they would like to be, and be careful.
Anyway, I hope you all enjoyed an extra hour of sleep, and dreamt of a world in which Congress stopped to ask if time is a proper subject of regulation.
From the lovely and talented Glimpse of A Grrl.
Well, I don't know that for sure. But I am pretty sure that Porsche owners overall are healthier than those who don't own Porsches. Maybe you have to control for age.
Similarly, it seems that being a customer of certain companies apparently somehow causes less nastiness to befall one's computing infrastructure.
Jaquith handily, yet unwittingly, summarizes my opinion, and is more polite about it than I am inclined to be at the moment.
If Nick Weaver and Jose Nazario are writing about it, it's probably way over my head, or interesting, or both. I am happy to say this is in the second category.
Posted by Adam

It seems that most everything that one could say about the President of Iran calling for Israel to be wiped off the map has been said. Good articles include Daniel Drezner's "How crazy is Mahmoud Ahmadi-Nejad?" (about the strategy behind the statement), Hossein (Hoder) Derakhshan's "The fundamentalist minority" (about how Iranians feel about the US, and perhaps also Israel), or even an extended discussion of "The Video Game War," by Jim MacDonald.
To what Hoder says, I'll add that a great many Israelis remember leaving Iran, including Israel's president, Moshe Katsav who was born in the same city as the former Iranian president Mohammad Khatami. (This detail from the New York Times story, "Iran's President Says Israel Must Be 'Wiped Off the Map'.")
In light of all of that, I'd like to compare and contrast the United States to Iran. As I explained in "Critical Map of Alaska Disappears," when we wipe something off the map, we're talking about maps and wildlife refuges, not people.
This may be day 45 and mile 76,000 for me, but for the Client it is D-Day for an Important Event (often their year's #1 event, for God's sake); hence my exhaustion and accompanying short temper must be thrust aside ... and downright cheeriness and spirited engagement must become the invariant orders of the day. Besides, such cheeriness, even if feigned, cheers me up first and foremost!

(Via Paul Kedrosky's Infectious Greed.)
Before I start on the Star Wars part of today's Friday Star Wars Security blogging, I need to explain who Saltzer and Schroeder are, and why I keep referring to them. Back when I was a baby in diapers, Jerome Saltzer and Michael Schroeder wrote a paper, "The Protection of Information in Computer Systems." That paper has been referred to as one of the most cited, least read works in computer security history. And look! I'm citing it, never having read it.
If you want to read it, the PDF version (484k) may be a good choice for printing. The bit that everyone knows about is the eight principles of design that they put forth. And it is these that I'll illustrate using Star Wars. Because let's face it, illustrating statements like "This kind of arrangement is accomplished by providing, at the higher level, a list-oriented guard whose only purpose is to hand out temporary tickets which the lower level (ticket-oriented) guards will honor" using Star Wars is a tricky proposition. (I'd use the escape from the Millennium Falcon with Storm Trooper uniforms as tickets as a starting point, but it's a bit of a stretch.)
On to the principle:
Keep the design as simple and small as possible.

This well-known principle applies to any aspect of a system, but it deserves emphasis for protection mechanisms for this reason: design and implementation errors that result in unwanted access paths will not be noticed during normal use (since normal use usually does not include attempts to exercise improper access paths). As a result, techniques such as line-by-line inspection of software and physical examination of hardware that implements protection mechanisms are necessary. For such techniques to be successful, a small and simple design is essential.

And so let's look at the energy shield which protects the new Death Star. It is, as Admiral Ackbar tells us, projected from a base on the nearby forest moon of Endor. And as you may recall, there were not only extra access paths which required reinforcement, but additional threats which hadn't been considered.
Firstly, why is it on the forest moon at all? Presuming that energy shields follow some sort of power-absorption law, the closer the shield is, the less power it will draw. But more importantly, being on the moon means that it is surrounded by forest, rather than cold, hard vacuum. The shield generator becomes harder to protect, meaning that additional protection mechanisms, each of which can fail, are needed.
Presumably, the Empire has power generation technology which drives the Death Star, and also the Star Destroyers. There's no need to rely on a ground-based station. The ideal placement for the energy shield is inside the Death Star, and traveling with it.
But instead, there's this bizarre and baroque arrangement. It probably comes from a fight between the Generals and the Admirals. The Generals wanted a bit of the construction process, and this was the bureaucratic bone thrown to them.
Expensive it was. mmm?
The October 26 on-line edition of American Banker (gotta pay to see it, so no link from me) discusses new technologies as possible enablers of check forging, in an article by Daniel Wolfe, "The Tech Scene: Check Images A New Frontier For Forgery?"
The overall point is that since banks store check images and provide them to customers (thanks in part to Check 21), bad guys can also get their hands on them, increasing the chances of forgery.
Avivah Litan, a vice president and research director at the Stamford, Conn., market research company Gartner Inc., said that an online archive of check images can be a treasure trove for criminals - potentially more valuable than a checkbook or a few cancelled checks. Criminals can see a months-long spending history that could help them use forgeries to emulate a person's spending habits or estimate what check number a victim would be using at a specific time, she said.

Banks have underestimated the potential of digital images as a forgery tool, Ms. Litan said. Banks are more focused on preventing criminals from using online payment services, such as wire transfers and bill payments, to steal money from a customer's account.

"They just haven't realized that online criminals would resort to check forgery," she said. "Crooks come in to look at your imaged checks to see what your signature's like. They study the checks, and then they copy the checks."
Maybe I'm not sufficiently old-school, but I'm more concerned about identity theft being facilitated here. After all, these images often contain exactly the kind of identity-related info crooks want, such as driver's license numbers, since these are often added to the checks by merchants at the time of purchase. Something tells me that these images aren't all encrypted as stored, so from a bank's point of view there's the reputational hit from having to send out breach notices.
For the last couple of weeks, peddlers have set up shop just outside Chicago's Union Station to sell White Sox paraphernalia. Once the Sox were in the Series, I noticed an interesting phenomenon.
Hats were selling for $10.00 after game two of the series. After game three, they were down to $5.00. After game 4 (the final game, thereby halving the Windy City's exposure to the terrorist threat), they were up to $20.00.
The jump to twenty bucks I understand, but what surprised me was the precipitous drop from $10.00 to $5.00 earlier in the week. Does this mean that the vendor expected a Sox loss, and the subsequent decline in the desirability of his merch? That's a mighty dismal view, for a guy whose team was up two games to none at the time.
Red Herring reports on a claim by Cybertrust that recovering from Zotob cost the average infected company $97,000.
Sounds moderately interesting, until you learn that the industry hardest hit, healthcare, had 74% of its respondents totally unaffected. For financial firms, 93% were totally unaffected. Overall, nearly 90% of firms had no impact. Nada.
Alternative headlines that aren't as spooky?
How about: "Hardest hit firms lose $25,000 to Zotob" or maybe "At $7K, typical finance firm's loss to Zotob barely noticeable".
Read Chris Beck's "CBC News: Flyers passing through U.S. have few rights, Arar judge told" for an analysis of how foreign citizens passing through American airports have almost no rights:

At most, Mary Mason told a hearing in Brooklyn, N.Y., passengers would have the right not to be subjected to "gross physical abuse."

It occurs to me that when a senior US government lawyer says that, they are in direct contradiction to the US Constitution.
I remember when I was in Tel Aviv, a strike shut down the airport. Our travel agent found us tickets from Amman to London to Boston. It was only when we had the tickets in hand that we saw a stop in 'DAM.' It turns out DAM is Damascus, Syria. One of our party was Israeli. We joked that it would be no problem: they'd take him off the plane, torture him for a month, and then let him go. No problem. We changed the tickets, because we didn't want to deal with crazy Syrian officials while in a transit lounge.
It's quite sad that the US is treating people in a way that we feared Syria might. There's no moral justification for forcing someone to enter the US, then denying they're legally in the US, while denying them the protection of law against the actions of the government:
If passengers are deemed to be inadmissible, they have no constitutional rights even if later taken to an American prison. Mason told Judge David Trager that's because they are deemed to be still outside the U.S., from a legal point of view.

"Someone who's inadmissible is in the same category as the people that the CIA snatches and grabs from other countries," said Barbara Olshansky, a lawyer for the U.S.-based Center for Constitutional Rights, which is suing a number of U.S. officials on Arar's behalf.

"You are fair game for however the executive branch wants to treat you."

Mason said the interpretation means travellers can be detained without charge, denied the right to consult a lawyer, and even refused necessities such as food and sleep.

To put it another way, once you give up the rule of law, as Ms. Mason has, it becomes challenging to explain how the actions of the United States differ from those of a kidnapper.
But beyond sad, this helps derail any hope we have left of being a positive force in the world. How can we tell the Iraqis that they should take our advice about how to build a society when we behave like this?
America's Finest News source reports, "Trick-Or-Treaters To Be Subject To Random Bag Searches:"
"Individuals concealing their identities through clever disguise, and under cover of night, may attempt to use the unspecified threat of 'tricks' to extort 'treats' from unsuspecting victims," Chertoff said. "Such scare tactics may have been tolerated in the past, but they will not be allowed to continue this Halloween."

While he would not elaborate on the specific threat, Chertoff said his office had "heard a couple spooky tales," and indicated that there was good reason to believe that Americans face "a very ghoulish scenario" this October.
The basic idea is that when opening a document, a program has to make a decision on how to treat various bits of it. When the bits are jumbled together, it's harder to make the right decisions. It's also harder to write security wrappers that will parse for things like JavaScript or Office document macros, when those can be scattered throughout the document. The parser needs to understand the whole document, in the way that the receiver will, rather than just the code parts.
So if we were to separate code and data the way we've separated presentation and data into CSS and HTML, we should give serious thought to breaking out an HTML 'script' section. Yes, this would be hard, involving standardization, and there's a huge backward-compatibility issue to be dealt with. But it seems to me that a separate script section would mostly or completely break cross-site scripting attacks.
Similarly, with MS Office moving to an XML data format, it would be great to have an explicit "macros" setting at the top of the document. (I haven't checked to see where macros can occur in the current definition, but my belief is they can be scattered through the file.) [Update: See Kevin Boske's comment, apparently Microsoft is doing this.]
Several years back, I had a conversation with the person responsible for macro security in Office. I really wanted "tell me more" to link, not to the help, but to either a static analysis of the macros, or their content. Through the conversation, I was convinced that that was a great idea for a few hundred, or maybe even a few thousand people, but I was unable to suggest a dialog box that would give a typical user useful decision-making context and data.
If macros were at the top of the XML, then I could do what I really wanted to do: Read the macro myself before opening the document. (I don't trust that "disable macros" is fool-proof.) If I were writing a document firewall, I could make it faster and more effective.
One final point: Separating code and data allows the parsers to be smaller and more modular, which means faster and more reliable.
By separating code and data, not only do you gain security, but you gain performance and reliability. The sooner we start dealing with the backward-compatibility issues, the better off we'll be.
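As an added example that is not part of the original post, the following Python script makes the "scattered code" problem concrete: a filter that understands only script elements misses the other places a browser will execute code (event-handler attributes, javascript: URLs), so a wrapper has to understand the markup the way the receiver does. The sample document, the function names and the set of code sites it looks for are this example's own assumptions, not a complete list of everything a browser treats as script.

```python
"""Added example: why code scattered through a document is hard to filter.

Scans a constructed HTML document for every place script can hide that this
example knows about (script elements, on* event-handler attributes,
javascript: URLs) and shows that a naive filter which only strips <script>
elements leaves the rest behind. Sample markup and names are invented here.
"""
import re
from html.parser import HTMLParser

# Constructed sample document (not from the original post). Three of the
# four code sites are outside any <script> element.
SAMPLE_HTML = """<html><body>
<h1>Quarterly report</h1>
<script>track("report");</script>
<p>See the <a href="javascript:leak(document.cookie)">attachment</a>.</p>
<img src="chart.png" onerror="leak(document.cookie)">
<form action="/submit" onsubmit="return leak(this)">...</form>
</body></html>"""


class CodeSiteFinder(HTMLParser):
    """Collects (kind, tag, snippet) for each place code can execute."""

    EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)
    # Browsers tolerate leading whitespace and mixed case in the scheme.
    JS_URL = re.compile(r"^\s*javascript\s*:", re.I)

    def __init__(self):
        super().__init__()
        self.sites = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            return
        for name, value in attrs:
            if self.EVENT_ATTR.match(name):
                self.sites.append(("event-handler", tag, f"{name}={value!r}"))
            elif name in ("href", "src", "action") and value and self.JS_URL.match(value):
                self.sites.append(("javascript-url", tag, f"{name}={value!r}"))

    def handle_data(self, data):
        # Script bodies arrive as raw text; buffer until the element closes.
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            text = "".join(self._script_buf).strip()
            if text:
                self.sites.append(("script-element", "script", text))
            self._script_buf = []
            self._in_script = False


def find_code_sites(html):
    """Return every place in `html` where script could run."""
    finder = CodeSiteFinder()
    finder.feed(html)
    finder.close()
    return finder.sites


# The naive filter this example argues against: it removes <script>
# elements and nothing else.
SCRIPT_ELEMENT = re.compile(r"<script\b.*?</script\s*>", re.I | re.S)


def strip_script_elements(html):
    """Remove <script>...</script> elements only."""
    return SCRIPT_ELEMENT.sub("", html)


if __name__ == "__main__":
    print("before filtering:", len(find_code_sites(SAMPLE_HTML)), "code sites")
    for site in find_code_sites(strip_script_elements(SAMPLE_HTML)):
        print("survived the naive filter:", site)
```

If the markup carried its code in one dedicated section instead, the firewall's job would reduce to reading that section, which is the point the post is making.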
You might have thought that the White House had enough on its plate late last month, what with its search for a new Supreme Court nominee, the continuing war in Iraq and the C.I.A. leak investigation. But it found time to add another item to its agenda - stopping The Onion, the satirical newspaper, from using the presidential seal.

The newspaper regularly produces a parody of President Bush's weekly radio address on its Web site (www.theonion.com/content/node/40121), where it has a picture of President Bush and the official insignia.

"It has come to my attention that The Onion is using the presidential seal on its Web site," Grant M. Dixton, associate counsel to the president, wrote to The Onion on Sept. 28. (At the time, Mr. Dixton's office was also helping Mr. Bush find a Supreme Court nominee; days later his boss, Harriet E. Miers, was nominated.)

Citing the United States Code, Mr. Dixton wrote that the seal "is not to be used in connection with commercial ventures or products in any way that suggests presidential support or endorsement." Exceptions may be made, he noted, but The Onion had never applied for such an exception.

From The New York Times, "Protecting the Presidential Seal. No Joke."

Silly Onion. Everyone knows the President reads and endorses Emergent Chaos, not the Onion. Who'd read anything with such a silly name?

PS: Dear Mr. Dixton, I'd like an exception for satirical use, but couldn't find a form on your web site.
Last week in "Notes from the Security Road," Mike Nash wrote:
My favorite moment on the trip -- which actually resulted in my circumnavigating the entire globe in just a week -- was when we illustrated the difference in the number of vulnerabilities in Windows Server 2003 compared to its competitive product, Red Hat Enterprise Linux 3. Steve held Red Hots candies for each vulnerability that he would have had to manage as a Red Hat customer in the last six months. Steve ended up dropping quite a few candies on the floor with 217 Red Hots (for 217 vulnerabilities in the last six months) to hold. In contrast, Windows Server 2003 only had 32 vulnerabilities for the same period.

I find this to be a fascinating statement on a whole bunch of levels. Firstly, because it's such a great visual. Red Hots slipping out of your hands, and bouncing around the floor.
But then I asked myself, what are those Red Hots? Are they just candy? As Red Hots they are discrete, countable bits of cinnamon goodness. But what is candy, but sugar (and in this case cinnamon)? The bag of sugar that goes into the Red Hots is just that, a bag of sugar which the Ferrara Pan Candy Company separates and crystallizes into Red Hots. But there are other ways to mix that sugar into candy. For example, when you take that same weight of sugar, melt it and add hot air, you get a big blob of cotton candy. (Unfortunately, I don't have a cotton-candy machine, or you'd have a picture of how big they get.) Or if you melt 217 Red Hots together into a lump, you get something more densely packed, and more manageable. Perhaps it's sad, but I'm spending a lot of time lately dealing with questions of taxonomies and atomic units in security configuration, and so I can barely help asking what they measured, and how they chose to divvy up the sweet mess that are vulnerabilities. It's also interesting because (as I'll explain) they happen to be slightly factually incorrect in the claim.
So, the statement: "Windows Server 2003 only had 32 vulnerabilities for the last 6 months." Sorry, that's almost certainly wrong. When Microsoft gets a private bug report, they go and look for related vulnerabilities in the code, and try to fix them all. This makes lots of sense, although it does increase the amount of change the patch introduces, which has reliability impacts. So because Microsoft does look for other issues and fixes them, then 32 patches implies more than 32 bugs, or vulnerabilities.
Had he said "patches," this would I think, be an accurate statement.
So I'm going to pretend that he did say that. I'm perfectly willing to believe that Microsoft counted patches, had 32 patches, and since patches fix vulns, the claim became that they fixed 32 vulns.
What's more, patches are a very good thing to measure. Patches, after all, have become a staple of the system administrator's job. Sometimes, patches even line up one-to-one with vulns. But patches are not the only thing you could measure. You might measure CVE entries. CVE entries sometimes line up one to one with patches (Microsoft's MS05-043, Red Hat's RHSA-2005-307), and sometimes not (Microsoft's MS05-042, Red Hat's RHSA-2005-365).
It may be interesting to look at vulnerabilities, rather than patches. It's not so interesting to the system administrator, but it's far more interesting to the security analyst. Vuln counts are approximated by CVEs, but again if a vendor fixes four stack smashes in a function at the same time, and issues one patch, it's likely to get one CVE. That's true of both open and closed source vendors. Now, with the source, it's possible, but time consuming, to examine each change, and see if it fixes a vuln. But that may not be complete or easily reproducible by a second analyst. Changing an int from signed to unsigned may fix several integer-related problems, exploitable in different places. It could be a one line fix to several exploits.
It might be interesting to count how many things are open to an unauthenticated attacker, versus someone local. It might be interesting to split things by code from the vendor, versus external code they've included. (Then again, it might not. I don't think Red Hat gives me that choice on install, and even if they do, they're still selecting packages and integrating them into a system. Shouldn't they be held responsible for the integrated system, which, after all, is what they sell?)
It could be interesting to count how many are rated critical by the vendor. (Thankfully, both Microsoft and Red Hat have moved to a Critical/Important/Moderate/Low scale.) It would be better to use an independent measure, like CVSS, or CERT metrics, but CERT's metric unfortunately includes a concept of scale, making it great for both people worried about the state of the infrastructure, and worthless to anyone else. I guess they know who's paying their salaries. (As an aside, I talked about the CVSS system, and there's some good links there.)
I thought, but have only anecdotes, that the one CVE:one patch is more common in open source projects. But in looking at a small data set of Red Hat patches, that theory is contradicted.
The only thing worse than doing analysis on your own prejudices and impressions is doing analysis on really small data sets. With the former, there's less risk of people misunderstanding what you've done. So perhaps at this point, some data would be helpful. So bear with me as I try to collect some data. The first thing I notice is that RHEL3 is the previous release. (Red Hat's Security Updates page is here.) The second thing is that there are 6 versions of the OS: Enterprise Linux AS, ES, and WS, along with Desktop, Cluster Suite, and Developer Suite. I started by looking at security advisories for RHEL 3 AS. There were 230. Which, incidentally, is not equal to 217. Aha! Last 6 months, they said. But, now I'm looking at 97, with a generous definition of "last 6 months" (namely, everything back to the end of February, 2005). I'm not actually hand counting, I pulled the HTML table of advisories from the web page, and have been editing it up. That was a good 15 minutes of work, so maybe I'll email someone at Microsoft and see if I can learn precisely what those Red Hots represented.
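To make the "what are you counting" question concrete, here is an added Python example that is not part of the original post and uses no real Red Hat or Microsoft data: a constructed advisory table in the shape one might scrape from a vendor's security-updates page, counted by patch, by distinct CVE, by vendor severity and by remote-unauthenticated reachability, under both a strict and a generous six-month window. Advisory ids, dates, CVE ids and ratings are all invented for the example.

```python
"""Added example: the same six months of (invented) advisory data counted
four ways, under two definitions of "the last six months"."""
import csv
import io
from datetime import date

# Constructed advisory table (invented ids, dates, CVEs and ratings). Note
# the one CVE fixed by two advisories (one per affected package) and the
# advisory that fixes four CVEs at once: both break any one-to-one
# patch:CVE assumption.
ADVISORY_TABLE = """\
advisory,issued,severity,remote_unauth,cves
VENDOR-2005-0101,2005-02-27,important,yes,CVE-2005-9001
VENDOR-2005-0102,2005-03-02,critical,yes,CVE-2005-9002
VENDOR-2005-0103,2005-03-20,important,no,CVE-2005-9003;CVE-2005-9004;CVE-2005-9005;CVE-2005-9006
VENDOR-2005-0104,2005-04-11,critical,yes,CVE-2005-9002
VENDOR-2005-0105,2005-06-30,low,no,CVE-2005-9007
VENDOR-2005-0106,2005-08-15,moderate,yes,CVE-2005-9008;CVE-2005-9009
"""


def load_advisories(text):
    """Parse the CSV into dicts with real dates and CVE lists."""
    advisories = []
    for row in csv.DictReader(io.StringIO(text)):
        advisories.append({
            "id": row["advisory"],
            "issued": date.fromisoformat(row["issued"]),
            "severity": row["severity"],
            "remote_unauth": row["remote_unauth"] == "yes",
            "cves": row["cves"].split(";"),
        })
    return advisories


def count_units(advisories, start_iso, end_iso):
    """Count one date window four ways.

    'vulnerabilities' is deliberately absent: without the source and a
    second analyst it is not a unit anyone can count reproducibly.
    """
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    hit = [a for a in advisories if start <= a["issued"] <= end]
    return {
        "patches": len(hit),
        # A set, so a CVE patched in two packages counts once.
        "cves": len({cve for a in hit for cve in a["cves"]}),
        "critical": sum(1 for a in hit if a["severity"] == "critical"),
        "remote_unauth": sum(1 for a in hit if a["remote_unauth"]),
    }


if __name__ == "__main__":
    advs = load_advisories(ADVISORY_TABLE)
    # "Last six months" is itself a choice: the strict window drops the
    # advisory issued on 27 February, the generous one keeps it.
    print("strict  ", count_units(advs, "2005-03-01", "2005-08-31"))
    print("generous", count_units(advs, "2005-02-27", "2005-08-31"))
```

Every column in the table is a choice someone made before any counting happened, which is why a single number like "217" says little without the definitions behind it.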
Having said all of that, readers paying close attention may have noticed that I haven't justified the act of counting. Counting (or measuring) is an important part of gathering data to answer questions. And I've left the questions implied. The first is "which system is easier to manage securely;" the second, "which system is more secure?" I don't actually gather enough data to answer either, because I really wanted to focus on the many different things you might count.
Rosa Parks passed away this evening. She was 92.
Various data protection bills to be consolidated?
[P]ressure to act isn’t coming from the public clamoring for protection of their private information, it is coming from the business community that fears 50 different state laws. In many ways this improves the chances for a new federal law, because while the onslaught of data breach stories has slowed, the pressure inside the Beltway for preemption of state laws from business groups isn’t likely to stop.

USACM Technology Policy Web Log
In my earlier post on this, I said these bills were interesting in ways that transcend information security. What I had in mind was the textbook illustration they provide of interest group politics.
The ACM's Tech Policy blog has had great coverage of all of this for a while. Highly recommended.
To provide the fastest access to our home page for all of our millions of customers and other visitors, we have made signing in to Online Banking secure without making the entire page secure. Again, please be assured that your ID and passcode are secure and that only Bank of America has access to them.

Read Peter Gutmann's "US Banks: Training the next generation of phishing victims" on the Cryptography mailing list.
As translation, "To save a buck, we're going to make it even harder to tell if you're at a real Bank of America site, or a fake. We care about your privacy."
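One way to check for the pattern Gutmann criticizes, as an added example that is not from the original post or from any bank: scan a page's HTML for forms that collect a password but are served from, or submit to, a non-HTTPS URL. The page URL, hostnames and HTML below are constructed for illustration.

```python
"""Flag sign-in forms that are not protected end to end.

Added example (not from the original post or from Bank of America): given the
URL a page was fetched from and its HTML, report every form that collects a
password but either lives on a non-HTTPS page or submits to a non-HTTPS URL.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormScanner(HTMLParser):
    """Collect the action and password-field presence of every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []        # one dict per completed form
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "password": False}
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None

    def close(self):
        # An unclosed <form> at end of input still counts.
        super().close()
        if self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_login_forms(page_url, html):
    """Return one finding per password form that is not fully HTTPS.

    'page_not_https' means the user has no way to verify who served the form
    (the problem in the quoted statement); 'submit_not_https' means the
    credentials themselves would travel in the clear.
    """
    scanner = _FormScanner()
    scanner.feed(html)
    scanner.close()
    page_scheme = urlparse(page_url).scheme.lower()
    findings = []
    for form in scanner.forms:
        if not form["password"]:
            continue  # not a credential form
        # Relative actions resolve against the page URL and inherit its scheme.
        submit_url = urljoin(page_url, form["action"])
        reasons = []
        if page_scheme != "https":
            reasons.append("page_not_https")
        if urlparse(submit_url).scheme.lower() != "https":
            reasons.append("submit_not_https")
        if reasons:
            findings.append({"submit_url": submit_url, "reasons": reasons})
    return findings


# Constructed sample: a plain-HTTP home page whose sign-in box posts to HTTPS,
# which is exactly the arrangement the quoted statement defends.
SAMPLE_HTML = """
<html><body>
<form action="/search" method="get"><input type="text" name="q"></form>
<form action="https://login.example.invalid/signin" method="post">
  <input type="text" name="id">
  <input type="password" name="passcode">
</form>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_login_forms("http://www.example.invalid/", SAMPLE_HTML):
        print(finding)
```

The sample page yields a single finding with reason `page_not_https`; serving the same page over HTTPS yields none.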
Bookmark this post:
Posted by Adam
Lots and lots of people are commenting on the first public release of flock. After I met Bart Decrem, he was nice enough to let me into the alpha, and so I'd like to offer a slightly different perspective, about what's changed, and the rate of change.
I think that examining what's changed in a few months is valuable, because it tells you about how agile and responsive a company will be.
First things first: The new home page. The explanations of how to use get started are new, and a great help.
Next, the blog editor in which I'm typing this. It's now a window, as opposed to a tab, which makes a lot of sense. Some old features which made things hard to use are gone, and I like the new editor a lot more. Tooltips would rock, as would a way to see what's being trackedback. It would also be nice to apply my blog's css to a post as I edit, but I can see how that might be tricky. (Let me also note that when I saved this blog post, quit Flock, and re-opened it, each period followed by anything other than a newline had a question mark after it.)
It now has an integrated history search. Browser history search is awesome, as I've talked about before, and integrating it into the browser makes lots of sense. Integrating it into the browser history is really a nice idea, although Retrospective's ability to display context is also cool.
Finally, it feels much more responsive than it did before.
I think it's solid progress, and I'm quite glad to see someone thinking about taking the browser to a new level.
Bookmark this post:
In 'honor' of the Sessions bill (see "The hand is quicker than the eye" and "Adding Silent Insult to Injury (Senator Sessions' 'privacy' act)"), we offer up stories about three breaches. Under Sessions' bad law, the state of Georgia would not be coming clean with its residents, nor would the California school system.
I think it's coincidence that two of the three breaches today are by government agencies, but this bill puts business ahead of the American citizenry.
Bookmark this post:
State officials on Friday began notifying 465,000 Georgians that they might be at risk of identity theft because of a government security breach detected in April.
From The Atlanta 'Bugmenot' Journal Constitution, "465,000 Georgians at risk for ID theft." I've mentioned this story before in "Georgia DMV, employee Asif Siddiqui, 'hundreds of thousands,'" and "Asif Siddiqui Update." Georgia population 2004 estimate (8,829,383) from US Census Bureau.
Joyce Goldberg, spokeswoman for the Georgia Technology Authority, emphasized that officials had no evidence that any personal data had been used for fraudulent purposes. But she said officials are alerting 244,000 motorists and 221,000 retired teachers, state employees, school employees and others who participated in the state Health Benefits Plan in 2002 that a former GTA employee downloaded their personal information to his home computers.
...Officials say they have yet to determine why Siddiqui wanted the information or why it appears not to have been used in three years.
...Since the breach was uncovered, the GTA has changed its policies on employee access to information, Goldberg said. GTA employees also are required to sign a form promising not to disclose or misuse any information they have access to through their jobs.
Bookmark this post:
The personal information of tens of thousands of California children -- including their names, state achievement test scores, identification numbers and status in gifted or special-needs programs -- is open to public view through a security loophole in dozens of school districts statewide that use a popular education software system.
From "Software glitch reveals private data for thousands of state's students S.F. administrators close program to update passwords." Reporter Nanette Asimov was good enough to respond to my email and clarify that the ID numbers in question are not SSNs, making this far less bad than it could have been.
...
The problem occurs when the districts issue a generic password to teachers using the system. Until the teacher changes to a unique password, anyone can type in a teacher's user name and generic password and gain access to information about students that is supposed to be guarded as closely as the gold in Fort Knox.
There's a lesson there for businesses that are still using SSNs as identifiers. There's also a lesson that some of the California privacy laws are having positive effects. I've discussed the positive effects of 1386 frequently, but also SB 168 (forbidding use of SSNs as identifiers in some places). California's legislature is doing a good job of shifting the legal rules surrounding capturing and relying on government-authenticated identification information. We're not where we ought to be, but we're getting there.
Bookmark this post:
Due to what Montclair State University officials are calling an "inadvertent error," the social security numbers of 9,100 Montclair State University students were made available online for nearly five months, putting each student at risk for identity theft and credit fraud.
Etc, etc, files found by a student ego-surfing on Google. Read "Negligence At MSU Exposes 9,100 Students to I.D. Theft" for more, and note the word "negligence" creeping into a story. Via InfoSecurity News
Bookmark this post:
Earlier this month, I posted "Archimedes' Death Ray," about the MIT team trying to replicate Archimedes' legendary defense of Syracuse, setting fire to ships with polished mirrors.
Now Mythbusters has brought MIT Professor David Wallace to San Francisco to:
...attempt to set fire to an 80-year-old fishing boat with a contraption made of 300 square feet of bronze and glass failed to prove or dispel the myth of the solar death ray.
(From "MIT team seeks to recreate Archimedes fabled death ray in SF.")
Now, as any fool knows, Sicily, where Syracuse is located, is at 37.5 degrees north, and 15 degrees east. Now, San Francisco is at umm, 37 degrees, 46 minutes north, which means that the sunlight is, well, just about equally intense. So claims that the sunlight would be more intense in Syracuse are going to depend on when the battle of Syracuse took place. And that, I wasn't able to find.
Bookmark this post:
Omid Sheikhan has been sentenced by the Iranian court to one year in prison and 124 lashes.
The Iranian leadership hates being laughed at. But most people can't have you whipped for laughing at them. Have a cartoon.
Omid was first arrested last year, confined for two months, including one in solitary confinement, and tortured, due to his blog which featured satire on the Iranian situation.
When he was brought to court on October 8 he faced different charges, due to the fact that even in the Iran judicial system it would have been difficult to convict him on charges relating to his blog. Instead, he faced, and was convicted on, charges stemming from "morals" violations, including "having unlawful relations, drinking wine, corruption of morals (for having a birthday party) and possessing satirical pictures of Iranian politicians."
Apparently, posting that cartoon could get you 124 lashes in Iran. There's a petition to have charges dropped. Please sign it. The Committee To Protect Bloggers has more.
Bookmark this post:
I just skimmed the Sessions' bill which Chris linked to. It has a great provision for allowing the fox to not only guard the henhouse, but also to control the alarm system:
3(b)(1)(A) IN GENERAL- If an agency or person that owns or licenses computerized data containing sensitive personal information, determines, after discovery and a reasonable investigation, or notification under paragraph (2), that a significant risk of identity theft exists as a result of a breach of security of the system of such agency or person containing such data, the agency or person shall notify any individual whose sensitive personal information was compromised if such individual is known to be a resident of the United States.
"Significant risk" is not defined, making a loophole large enough to drive a UPS truck through.
Bookmark this post:
Arlen Specter and Pat Leahy have proposed the "Personal Data Privacy and Security Act of 2005". This is a comprehensive proposal, and is opposed big-time by various industry lobbies. As reported in the October 21, 2005 American Banker, this bill has hit a snag, and is languishing in Committee.
Meanwhile, another bill, courtesy of Jeff Sessions (R, Alabama), which should be vastly more palatable to those objecting to the Specter-Leahy proposal, has been voted out of Committee. Presto, change-o!
A quick excerpt, for those living in states which already have laws providing better protection than that offered by the Sessions proposal:
The provisions of this Act shall supersede any law, rule, or regulation of any State or unit of local government that relates in any way to electronic information security standards or the notification of any resident of the United States of any breach of security pertaining to any collection of personal information about such resident.
These two proposals are interesting reading, and for reasons that go well beyond information security.
Bookmark this post:
'There is a Party slogan dealing with the control of the past,' [O'Brien] said. 'Repeat it, if you please.'
'"Who controls the past controls the future: who controls the present controls the past,"' repeated Winston obediently.
'"Who controls the present controls the past,"' said O'Brien, nodding his head with slow approval. 'Is it your opinion, Winston, that the past has real existence?'
Again the feeling of helplessness descended upon Winston. His eyes flitted towards the dial. He not only did not know whether 'yes' or 'no' was the answer that would save him from pain; he did not even know which answer he believed to be the true one.
Read the report in the Times, "Arctic Map Vanishes, and Oil Area Expands." And do note that whatever the fellow has been coached to say, when people accidentally dispose of things, like maps with legal standing which happen to be attached to foamboard, they don't replace those maps with foamboard of the same size. They simply dispose of them.
Feel free to click on the map for the original, undistorted version.
Bookmark this post:
Richard Bejtlich predicts that the Snort network monitoring tool will be hit with a worm shortly in "The Coming Snort Worm." He has some good qualitative analysis, and Tom Ptacek disagrees with him in "Opposition Research."
I find it fascinating that we know so little that two smart guys like Tom and Richard can disagree over something so apparently simple as "does source availability make a worm more likely?" (It makes debugging your worm generally easier, but it also means that the target is running on a greater variety of platforms, so the worm will fail to compromise some vulnerable systems.)
Bookmark this post:
Or, perhaps, in this instance, having a cow would be a perfectly fine response, as it is revealed that the average European cow gets a subsidy of $2.62 a day. About 3,000,000,000 people live on less than that.
Doubtless, if cows could call their representatives and vote, the subsidy would be higher.
(Research by Oxfam, reported by the Guardian "Subsidising cows while milking the poor," via Alex Singleton, via Johan Norberg.)
Bookmark this post:
Brilliant retelling of the Tell-tale Heart, by Poe, in the style of Dr. Seuss.
True, I've been shaken - and true, I've been bad.
But how can you say that this elephant's mad?
This Loopidy sickness has sharpened my brain!
My ears are quite large, and I hear things quite plain.
So before you pass judgment, please let me explain...
(Via boingboing.)
Bookmark this post:
As we now know courtesy of the Philippines' National Capital Regional Police Office, a typical terrorist is "a man aged 17 to 35, wearing a ball cap, carrying a backpack, clutching a cellular phone and acting uneasily" [manilatimes.net].
This critical piece of intelligence, I am sorry to report, seems to have taken a step closer to reality, now that the Chicago Police Department, in conjunction with various federal law-enforcement agencies, is establishing a "security bubble" around the ballpark colloquially (and now accurately) known as "the Cell" -- the Windy City's US Cellular Field. In order to get within a block of the stadium, you have to have a ticket, and the area will be patrolled by thousands of police. This purports to decrease the likelihood of a terrorist attack during the World Series.
(Personally, I'd prefer to see the risk exposure limited by having the Sox take it in four.)
Bookmark this post:
(Mixing from the front page and merchandise page of the very cool Openstreetmap project.) Steve Coast is willing to ship to the US; with fees and conversions, it's £18.69, or $32.68 ($38.60 with a signature requirement). Via Steve's Blog, but apparently this has shown up elsewhere. I'm glad I got my order in fast.
OpenStreetMap is a project aimed squarely at providing free geographic data such as street maps to anyone who wants them. This is because most maps you might think of as free actually have legal or technical restrictions on their use, holding back people from all walks of life who would like to use a map for one reason or another.
OpenStreetMap has put together all the GPS data it has in London and made a stunning poster from it. It's a limited edition A0 (841mm x 1189mm) high quality black and white print, signed and numbered by Tom Carden and Steve Coast. Available to you for 10 GBP plus postage and poster tube (contact steve-at-asklater-com, pickup available from dorkbot London or other events).
Bookmark this post:
I don't know how Ethan Zuckerman is finding time to enjoy the conference, but his series of posts from Pop!Tech make me jealous that I'm missing it.
Bookmark this post:
In Friday Star Wars Security blogging, I was planning to start on Saltzer and Schroeder this week. But I'm going to detour a bit into genetic privacy (and Star Wars, of course). I'm inspired in part by an interview over at GeneForum with bioethicist Insoo Hyun. Hyun is studying cloning with the South Korean team led by Dr Hwang. It's a fascinating issue, raising many questions of ethics, of liberty, and of how you fairly judge science when one line of research is hobbled. There was also Dan Solove's article on genetic testing in the workplace.
Now, we all know that the Republic's medical technology is wildly different from our own. They can make Anakin a new hand out of big ugly gold stuff, but they can't tell that Padme is carrying twins? And twenty years later, everything is falling apart, but they make Luke a natural looking replacement hand? Does war drive the Empire's medical profession that fast?
But really, I want to think about genetic privacy, Luke and Leia's ignorance of their heritage, and how unlikely it all really is.
The Republic was big on databases. We see several (and their limitations) in the course of the prequels. We see blood-testing technology which detects the midi-chlorians in Anakin's blood. It is nearly inconceivable that the Jedi, at least, didn't maintain a genetic database of their membership. I also can't see the Empire issuing identification without taking a genetic sample.
I'm not quite sure where all of this leads. But in a world of billboards advertising paternity tests, I do think it raises a fascinating set of questions.
Bookmark this post:
Chris talks about market failures, but I'd like to take a different direction and talk about organizational failures. Security flaws in product code come from defects in design and implementation, and are allowed to ship because they are not caught in the testing process (or because it's too late to fix them). There are also operational flaws, made worse if the product doesn't ship in a secure state, or if it lacks a security manual.
Notice how little of that has to do with 'bad code,' and how much of it has to do with security as part of the development lifecycle. Microsoft understands this. Not only have they trained all their developers (which I think is still unique in the industry), but they have trained all(?) their program managers and executive level training is in the works.
Dropping liability onto 'coders,' for 'code' they write ignores the reality that software production is an economic process involving a great many non-coders who influence the output.
If you're going to put liability around bad products, you need to put it onto those who can effect change in the products.
PS: I did a series last year on the value of signaling as a means to address information asymmetry in "Security Signaling," "Signalling by Counting Low Hanging Fruit," and "Ratty Signals."
Bookmark this post:
Recently, Howard Schmidt suggested that coders be held personally liable for damage caused by bugs in code they write. The boldness of this suggestion is exceeded only by its foolhardiness, but its motivation touches an important truth -- a lot of code stinks, and people are damaged by it.
The reason good programs (which means those with fewer bugs) do not drive poor programs from the market lies in the information asymmetry characterizing the software market. As discussed by Ross Anderson [PDF], the market for software is a "market for lemons": sellers know more about the quality of their product than do buyers, leading buyers to assume the worst, lest they (in their optimism) be taken to the cleaners. Higher-quality products are thus driven from the market, leaving a market of lemons.
Solutions to this suboptimality include the use of guarantees -- presumably, a car dealer willing to warranty a vehicle for many months has reason to believe it is not a lemon, and evaluation schemes: an automaker who can point to a "5-star rating" by an independent evaluator presumably can command a higher price.
Legal liability is also an appropriate remedy in that the possibility of getting hammered by a jury provides an incentive to be truthful about product quality, but my point is that it is only part of the mix.
In the case of software, guarantees are rare but not unheard of, and some evaluation schemes wind up being captured by vendors.
Independent researchers who identify SW vulnerabilities also act as evaluators of a sort -- if, that is, all SW is subject to the same amount of scrutiny. It isn't, of course, which is why rigorous research into methods of predicting software quality is critical. Andy Ozment is doing good stuff [PDF] on this.
Hopefully, continuing research and greater data availability will allow us to have a more compact version of this, tractable for non-geeks (from http://hissa.nist.gov/~black/softwareFacts.html), instead of a shrink-wrap license:
Software Facts
Name: InvadingAlienOS    Version: 1996.7.04    Expected number of users: 15
[remaining rows of the Software Facts label are not recoverable from this copy]
When vendors know we know what they know, they won't act so much like used car salesmen, particularly if it'd get them hauled into court.
Edited at 2342 CST 10/20/2005 to add author ID at top, and missing paragraph tag
Bookmark this post:
Via Alec Muffett's dropsafe, I learned of a British SF television program which eerily predicted a future Britain in which
a sinister governmental department that has abolished individual rights and introduced ID cards for all citizens, rationing and sophisticated electronic surveillance
I would have preferred to have gotten a transdimensional police box.
Bookmark this post:
The EFF has done some great work on how high resolution color printers are embedding tracers in every document they print. It's at "DocuColor Tracking Dot Decoding Guide." I'd call them high quality printers, but how could I? They intentionally distort every document they print on the off-chance it contains evidence of thoughtcrime.
The work was done by Robert Lee, Seth Schoen, Patrick Murphy, Joel Alwen, and Andrew "bunnie" Huang. Also, Hack-a-day has some good links in their story.
I'd really prefer not to live in a world which is built on the assumption that everyone is a criminal, and that we need to deploy tracking technologies to catch those dastardly people before they, umm, print again.
I was having trouble finding a concise way to say this, but Alex Tabarrok nails it in his post entitled "Goodbye Samizdat."
Bookmark this post:
I referenced Larry Ponemon's "After a privacy breach, how should you break the news?" months ago.
Now there's more data, in a survey sponsored by the law firm of White and Case. They have a press release, and you can download the full survey.
As Chris pointed out, knowledge is good. According to the survey, there's a four-fold difference in customer churn depending on whether you notify well or notify poorly. Best, of course, not to have the data, or if you have it, to keep it safe. But if you mess up, you do get one last chance for redemption.
(The dam is on Staples Mill Pond, in Richmond, VA.)
Bookmark this post:
During the final call he asked for the names of her six richest customers. When she revealed them, he said that one was involved in financing terrorism and was about to withdraw a large sum.
Gilbert then demanded all the cash at the bank so he could mark the notes with microchips and keep track of the terrorist. A total of €358,000 was to be put in a briefcase and slipped under the door of a brasserie lavatory. The manager did as she was told. The money disappeared.
Bookmark this post:
From New York's Information Security Breach and Notification Act:
7. (A) IN THE EVENT THAT ANY NEW YORK RESIDENTS ARE TO BE NOTIFIED AT ONE TIME, THE PERSON OR BUSINESS SHALL NOTIFY THE STATE ATTORNEY GENERAL, THE CONSUMER PROTECTION BOARD, AND THE STATE OFFICE OF CYBER SECURITY AND CRITICAL INFRASTRUCTURE COORDINATION AS TO THE TIMING, CONTENT AND DISTRIBUTION OF THE NOTICES AND APPROXIMATE NUMBER OF AFFECTED PERSONS. SUCH NOTICE SHALL BE MADE WITHOUT DELAYING NOTICE TO AFFECTED NEW YORK RESIDENTS.
(bold mine, caps in original)
Would that every state's breach disclosure law had such a central reporting requirement. As Emil Faber memorably put it, "Knowledge is good".
Bookmark this post:
The roundtable I did as part of the Security 360 (with Amy Roberts, Peter Cullen, and Gerry Gebel) is now archived at "Microsoft Executive Circle Webcast: Security360 with Mike Nash: Managing Privacy in Your Organization." Since I've been posting a lot recently, I'll repeat: after filming I participated in Microsoft's Blue Hat, you can read my "Blue Hat Report."
Bookmark this post:
Microsoft UK National Technology Officer Jerry Fishenden warns that the push for a national ID card in Great Britain could lead to identity fraud on a gigantic scale unlike anything that has been seen before. The Register reports...and
Charles Clarke confirms that ID cards will be a massive waste of both time and money - well, what else can he mean by guaranteeing that the personal details contained on ID cards won't go beyond those currently held on passports? If we've already got passports holding that information (with which we can, erm... prove our identities), why, precisely, do we need ID cards as well?
From CSO and Europhobia, respectively. Europhobia has some great analysis links, too.
[It turns out that Jerry Fishenden has a blog: NTO - UK, where he posted the full text of his article. I also enjoyed his perspective on the artificiality of the split between science and the arts.]
Bookmark this post:
In "Online Dirty Tricks at American Airlines" Gary Leff reports:
The Wikipedia entry on the Wright Amendment (the law which restricts destinations of flights taking off from Dallas' Love Field, which serves -- and was intended -- to protect American Airlines from Southwest) was edited by someone using an American Airlines domain.
Someone using an Internet service provider registered to American edited online encyclopedia Wikipedia last week to describe Southwest Airlines as "a notoriously litigious company constantly seeking to change laws to gain an advantage."
American dismisses the event as actions by rogue employees that it cannot identify.
I'd bet that American has a firewall, and probably even some net nanny software that controls where employees can go. I'd also bet that both log, as a matter of standard business practice.
Now, if Wikipedia were a, umm, "a notoriously litigious company," or even a litigious one, they might choose to sue American Airlines. Subpoena some logs. Maybe even request that the web browser caches of marketing department employees be examined.
There are lots of benefits to keeping great logs. It's important to remember that there may also be hidden costs, as I mentioned last week in "Businesses for privacy."
Bookmark this post:
I'll confess to some stage fright, since this blog's readership is probably two or three orders of magnitude larger than what my fortnightly rants over at my place probably garner.
Anyway, I hope to have posts forthcoming about a few things, among them CVSS, and research into estimating the impact of security events (variously defined) on firm valuations.
My thanks to Adam for his gracious hospitality, and to those reading this for their kind indulgence and, I anticipate, invigorating feedback.
Bookmark this post:
One of the things that happens as a blog takes on a personality is that readers start to send you links to things that are "more your blog than theirs." Over the last few months, Chris has fed me something between a third and a half of the breaches listed in my breaches archive. At one point, I looked at the third or fourth post that he'd sent me and said, "Would you like to guest blog?"
So in important ways, Chris has already been feeding content into Emergent Chaos, as well as his own blog at The Security Blanket. I'm excited, and please join me in welcoming him as our first guest blogger.
Bookmark this post:
As I experiment with bringing in guest bloggers, the old subtitle of the blog, 'Musings from Adam Shostack on security, privacy, and economics' is now inaccurate. Now I could simply declare this "Adam Shostack and friends," but that is both boring and, with no offense to my invitees, inaccurate. (I've never met the fellow who will likely be the first guest.)
Names and headlines have power. They shape perception, and interact with the reality of what people write.
As I thought about what I'd like to do here, the image that sprang to mind was a jazz combo. There's a selection of songs, even standards, that we might play here. How we play them is controlled by the song, the participants and the interplay between them, and the soloist at a given time. There's tension, straining against the beat, there's improvisation within a set of rules. (If you have to ask what they are, you ain't never gonna know.)
I hope that as we play, we're going to change what we play. We'll get bored playing the same tunes, and play them differently.
I look forward to seeing what emerges on the Emergent Chaos Jazz Combo, and I hope you enjoy participating.
Oh, and the picture is "Jazz at Loeb (Combo #4)," by Bernard Krigstein.
Bookmark this post:
Last week, I was in Redmond for a few days, filming a roundtable discussion with Amy Roberts of Microsoft, Gerry Gebel of the Burton Group and Peter Cullen, Microsoft's Chief Privacy Strategist.
I think we had a great discussion, the time went by really quickly. I hope that the good energy we had in the conversation comes through on the webcast. The webcast will be today, 18 October, at 9AM Pacific time, which is about an hour from now. The main event page is here.
Bookmark this post:
Shmoocon was a great get-together last year, and I look forward to being there this year, especially now that they've announced a first batch of speakers.
Via the Shmoocon RSS feed. No, just kidding, they don't have an RSS feed.
Bookmark this post:
The other thing I did at Microsoft last week was I participated in Blue Hat. Microsoft invites a selection of interesting researchers to come to Redmond and present a talk to a variety of people within the company. Blue Hat is organized by Kymberlee Price, who works with Andrew Cushman, and they did a great job as hosts.
Thursday was the executive session: speakers gave truncated versions of their talks, once in the morning and once in the afternoon. There was a very senior group of folks in the room, up to people like Jim Allchin, Brian Valentine, and a lot of other names that I recognized, but don't remember.
Andrew Cushman did a great job of framing the talks, explaining why they were selected, and the reasons that they were important. The audience was engaged, and a couple of times, people turned and asked "Why do we do that?" of the person responsible for a feature that was being (ahem) presented in a new light.
The speakers, myself, and Dan Kaminsky got to have a lunch session with Jim Allchin, and a few other Microsoft folks. Jim talked about new features in upcoming products, and got our thoughts on how Microsoft is doing, and how they could do better.
There's lots more after the break.
The speakers were:
Each of these talks was given in a longer version on Friday. Before we get there, I'll mention two other bits: tours of both the Windows build lab, and a really good presentation about the sustaining engineering lab and processes. I have an ongoing interest in patch quality, and got to meet the people who build and ship the hotfixes, and hear lots about their process. John, I hope you get to put that stuff on the web soon.
Friday, we were in what I understand is Microsoft's largest conference room, and the speakers gave longer, more detailed versions of their talks. Most of the speakers spent most of the day in the speaker lounge, so Microsoft's employees could discuss what they were hearing without worrying they were going to be quoted here. (Although only once or twice did anyone in earshot of me say that they weren't comfortable answering a question, and only once did someone get really worked up about an attack. Lots of Microsoft folks gave very deep explanations of why things work the way they do, and the tradeoffs they made.)
At the close of Friday's session, Dan Kaminsky and I joined the other speakers for a panel discussion with lots of audience questions. We had a lot of panelists, which made for somewhat challenging panel management, and a few of us ended up talking more than others. In a day or two, I'm going to reprise and expand on one of my answers, about separation of code and data.
That evening...well, let's just say, darling, you looked great in aluminum foil, and God Save the Queen!
PS: The New York Times has a report in "At Microsoft, Interlopers Sound Off on Security." Pete Lindstrom has some comments in "Microsoft's Blue Hat"
[Update: Slashdot has an article, "Microsoft Consults Ethical Hackers at Blue Hat," too.]
Bookmark this post:
Last week, I was in Redmond for a few days, filming a roundtable discussion with Amy Roberts of Microsoft, Gerry Gebel of the Burton Group and Peter Cullen, Microsoft's Chief Privacy Strategist.
I think we had a great discussion, the time went by really quickly. I hope that the good energy we had in the conversation comes through on the webcast. The webcast will be tomorrow, (Tuesday) 18 October, at 9AM Pacific time. You need to pre-register here.
As an aside, Microsoft Studios has awesome art on the walls: blueprints derived from a wide assortment of TV shows, from the Kramer's apartment in the Honeymooners to Gilligan's Island, to the Addams Family Mansion to the ship from Lost in Space. Very cool, I should have taken pictures.
Several folks have sent me a link to a Free Market News article, "HOMELAND SEC. SURVEIL ALL AOL FILES," with a suggestion that I link to it. I thought it was squirrelly, but when the normally high-quality Chief Security Officer Magazine picks it up, I feel a need to respond. And frankly, I call bull.
by staff reports The U.S. Department of Commerce (DOC) claims America OnLine is providing the U.S. Department of Homeland Security (DHS) "unlimited surveillance" of their members, according to the London-based Financial Reporter newspaper. According to a recently released DOC report, "AOL works 'closely' with the DHS to supply information on any AOL customer. It reportedly allows agents from these entities 'free and unfettered' access to AOL Hq. at Dulles, Va. for the purpose of 'watching over and keeping surveillance' … on the millions of AOL customers."
Ok, so my questions are:
I've slept in three different hotels in the last ten days or so, and noticed a number of things that (seemingly) could be done a lot better.
The panel is black data on an orange background. I'd guess that 80% or more of the screen was glowing. Which means, even at its dimmest, it was too bright. I threw a pillow over it, and used the alarm on my cell phone.
(There's an analog here to Tufte's data ink principle, and that is to minimize the number of pixels which glow. I want my room to be pitch-black until I want to be awake.)
If you have to educate people to not use the tools you have given them in a certain way to remain secure you have failed. Relying on security awareness training is an admission of failure.
So writes Rich Stiennon in "Dangerous meme." He's absolutely right. Training people to resist con men who say precisely the same thing as a business isn't going to work. This meme must be eradicated from the gene pool.
Over at the History News Network, Keith Halderman reports on medical marijuana. It seems that the cool kids don't want to be taking any drug that old geezers use:
“Nine years after the passage of the nation’s first state medical marijuana law, California’s Prop. 215, a considerable body of data shows that no state with a medical marijuana law has experienced an increase in youth marijuana use since their law’s enactment. All have reported overall decreases of more than the national average decrease — exceeding 50% in some age groups — strongly suggesting that enactment of state medical marijuana laws does not increase teen marijuana use.”
And in Slate, Jack Shafer reports on "Chief Justice Rehnquist's Drug Habit:"
for the nine years between 1972 and the end of 1981, William Rehnquist consumed great quantities of the potent sedative-hypnotic Placidyl. So great was Rehnquist's Placidyl habit, dependency, or addiction—depending on how you regard long-term drug use—that by the last quarter of 1981 he began slurring his speech in public, became tongue-tied while pronouncing long words, and sometimes had trouble finishing his thoughts.
Now, I'm not pointing this out to dishonor the dead: I believe that we all have the right to take drugs of our choice, as long as we're not hurting others. I just wish that those who made our drug policy agreed with me.
I was simply unaware of this bit of history, made all the more interesting by Rehnquist's role in crafting the war on drugs. (I'm remembering a bit in "Smoke and Mirrors" in which Rehnquist proposed measures which he said the Supreme Court would never uphold, but can't find my copy right now. It's hard for the youth of the nation to remember a time when the Supreme Court wouldn't uphold expansions of police power.)
We take a break from our regularly scheduled, deeply-movie-focused, Friday Star Wars security blogging to mention the Chewbacca defense, and its interplay with a story that's floating around.
First, if you're not familiar with it, "The 'Chewbacca Defense' is a satirical term for any legal strategy that seeks to overwhelm its audience with nonsensical arguments and thus confuse them into failing to take account of the opposing arguments and, ultimately, to reject them." (From Wikipedia.)
Second, the story going around about how a Daniel James Cuthbert used a web browser (lynx) to explore a web site:
Cuthbert clicked on a banner ad to donate £30 to the Disaster Emergency Committee (DEC) appeal. However, when he did not get a confirmation or thank you in response to his donation, he feared that he had fallen for a phishing site, and decided to test the site to make sure. Unfortunately, in doing so he set off the DEC protection systems, and the police were called in.
(From The Out-law.)
The story is often shortened to "Man jailed for using alternate web browser," or "It's official - doing due diligence is a criminal offence!" (Let me dismiss that by saying due diligence is done with permission.) Or "Daniel Cuthbert’s Travesty of Justice."
The trouble is, this makes no sense. It's a pure Chewbacca defense. If Cuthbert thought the site was a phishing site, why did he try to execute path traversal and SQL injection tests? That's not to say that I think those should be crimes; it's simply to say that the defense of "That was a perfectly innocent thing to do" would fit better with the facts.
It would make sense to use whois and traceroute to see where the site is. But those tests tell you nothing about the owner of the site, and precious little about its security. It may well be that he did this, and I haven't read about it.
Again, I couldn't tell you how often I do things like that. Especially now that it's a crime. It ought not be. But there is something fishy about the defense.
Alec Muffet has a good set of links in "'Regrettable' conviction under Computer Misuse Act." Next week, we'll be sure to get to Saltzer and Schroeder.
I'm at Microsoft's 'Blue Hat' event, and it's been fascinating. Very senior folks got briefed today while I sat in the back of the room and (mostly) listened. I'll blog some thoughts shortly, but I expect to continue to be mostly unresponsive through Sunday.
February 10-12, 2006, San Francisco, CA, USA.
CodeCon is the premier showcase of cutting edge software development. It is an excellent opportunity for programmers to demonstrate their work and keep abreast of what's going on in their community.
All presentations must include working demonstrations, ideally accompanied by source code. Presentations must be done by one of the active developers of the code in question. We emphasize that demonstrations be of *working* code.
We hereby solicit papers and demonstrations. Papers and proposals due: December 15, 2005, Authors notified: January 1, 2006
In "In the Classification Kingdom, Only the Fittest Survive," Carol Kaesuk Yoon writes about the profusion of naming schemes for animals:
Then there's uBio, which has sidestepped the question of codes and regulations altogether and instead aims to record every single name ever used for any organism, scientific or common, correct or incorrect, down to the last variation and misspelling, as a way of linking all information ever recorded about an organism together.
And I used to think this was simple. But as Clay Shirky has pointed out, vocabularies are most useful for a particular task, and different tasks, even in the same domain, may require slightly different "meta-data." (That is, the information about the data in the taxonomy.)
The All Species Foundation aims not only to record all names but also to find every species and describe it, all in 25 years. And then there's Wikispecies, Species 2000, the Electronic Catalogue of Names of Known Organisms and many more. Some have already come and gone, or nearly so, and others are expiring for lack of sustained funds.
So ZooBank finds itself born in the midst of a Cambrian explosion of initiatives, a proliferation not merely of Web sites and databases but of ideas about how to accomplish the task of naming and organizing all of life. And though disorder may be the most abhorrent thing to a tidy taxonomist, sometimes a little chaos can be healthy. [mmm, chaos!]
I'll note that uBio sounds a lot like the CVE, which is a computer vulnerability concordance (concordance at Wikipedia), even though not everyone agrees with that definition.
One of the things that I've meant to do here is have a little chaos now and then, and see what emerges. One type of chaos that I've been aiming for is carefully selected guest bloggers. In talking to someone about that, he asked:
What are the editorial parameters? Looking to avoid a possible "I let you babysit my kid, and you fill his mind with all sorts of insane ideas!" situation.
So, to be honest, I'm not really sure. So I'd like your thoughts.
My parameters are:
Some prominent business organizations are complaining to Congress that the Patriot Act makes it too easy for the government to get confidential business records. From the Lincoln, NE Journal Star, "Business heavyweights want to limit Patriot Act powers."
These groups endorsed proposed amendments that would require investigators to say how the information they seek is linked to individual suspected terrorists or spies. The changes also would allow businesses to challenge the requests in courts and speak publicly about those requests.
This is the first organized criticism from big business of the anti-terror law that was passed after the attacks of Sept. 11, 2001. It also comes as Congress heads toward a vote on whether to extend some disputed provisions that expire at year’s end.
...
The signers are the U.S. Chamber of Commerce, the National Association of Manufacturers and the National Association of Realtors, the Association of Corporate Counsel, Financial Services Roundtable and Business Civil Liberties Inc.
I suspect a lot of it has to do with the cost of compliance. After all, sending an administrative subpoena or 'national security letter' is free, or close to it. It's free of oversight, or close to it. Well, free to those making the requests.
So the real meaning of privacy here is not your privacy: It's the desire of the companies to be left alone.
A few weeks ago, I reported on PlayMobil's airport screening playset in "From The Mouths of Toymakers." Dan Solove shows his true commitment by buying one, and documenting his hours of fun in "The Airline Screening Playset: Hours of Fun!" Read it.
In Balkinization, Stephen Griffin writes about the efforts to get government and society functional again in New Orleans in "The Katrina Experiment." In a pair of posts that are, to me, closely related, Michael Froomkin writes about "My notes from the ‘The Great Debate’ at State of Play III" and "Summing Up 'The Great Debate' at State of Play III."
All three are about the interaction of society and government. In Froomkin's case, they're discussing virtual worlds: the multi-player, extended descendants of video games which are now meaningful enough to their players, and sufficiently interactive with the real world, that people have been selling items, and even murdering each other, over events that arise in the games.
I usually call my collections of links 'small bits,' rather than roundups, because I make no effort to round up all of what's interesting about a subject. But today's subject, especially the first items, I cannot call small.
Here is how the chilling account by the Guardian's Benjamin Joffe-Walt begins:
The last time I saw Lu Banglie, he was lying in a ditch on the side of the street - placid, numb and lifeless - the spit, snot and urine of about 20 men mixing with his blood, and running all over his body.
That the Guardian account is not pleasant reading should not be seen as an excuse for not reading it. China is seeking entry into the club of modern civilized nations. (It seems, since she wrote the first post, that Mr. Lu in fact survived.)
I was born in Tehran and it's enough for the US to treat me like a potential terrorist. That's mainly why I missed ConvergeSouth, the recent conference on blogging. What would you do if you were in our situation?
Hoder, I'm not in your situation. I'm in the situation of watching my government act like fools, and treat you like a suspected terrorist. At least in that, I can stand with you: Every time I go to the airport, I'm treated like a suspected terrorist. I speak out as best I know how, and try to learn to do better. My feelings are captured well by a quote that's been on my personal homepage for slightly over four years:
The freedom which we enjoy in our democratic government extends also to our ordinary life. We throw open our city to the world, and never by alien acts exclude foreigners from any opportunity of learning or observing although the eyes of an enemy may occasionally profit by our liberality. We live exactly as we please and yet are just as ready to encounter every legitimate danger...
It's from Pericles' funeral oration, 2400 years ago.
I think we gain a lot from having folks like Hossein in our country, and it makes me deeply sad that we treat him based on his accident of birth in Tehran, rather than as a Canadian, the passport he now carries.
In letters sent to Buxx [prepaid debit cards] users and dated Sept. 23, [Bank of America] warned that customers may have had their bank account numbers, routing transit numbers, names and credit card numbers compromised by the theft. Visa Buxx is a prepaid credit card for teenagers that the Bank of America (BofA) stopped selling in January.
The laptop, which belonged to an unnamed Bank of America "service provider" was stolen on Aug. 29, said Diane Wagner, a BofA spokeswoman. The bank was notified of the theft on Sept. 9, and began sending out the letters after a two-week investigation, she said.
From Infoworld, "Bank of America notifying customers after laptop theft," via Chris Walsh. Buxx seems to be an offering of Visa Debit Processing Service.
The New York Daily News reports that Malcolm Mitchell, 27, of the Bronx was arrested in "Man arrested in theft of computer with WTC hero info."
Letters have gone out to about 10,000 Ground Zero rescue and cleanup workers, notifying them that a computer containing Social Security numbers and health records was stolen, leaving them vulnerable to identity theft.
The letters were sent by the World Trade Center Medical Monitoring Program, which is providing free health-care services to the workers. Workers are being warned that "someone with sophisticated computer abilities might be able to access this information," even though there is no evidence anybody has done so, according to the correspondence that was dated Sept. 22.
Officials with the program told the New York Police Department of the theft, which occurred at an office on East 102nd Street on July 10 -- more than two months before the letters were sent.
The letter explained that the information contained no names, but did include "other potentially identifying information, including Social Security number, zip code and date of birth as well as limited health information, including findings from patient physical exams (lung and nose exams). There was no information from the mental health exam."
(Thanks to Chris Walsh.)
Congratulations to Thomas Schelling, who was awarded the Nobel Prize in economics (with Robert Aumann). Schelling, amongst many accomplishments which Tyler Cowen discusses here, put forth the notion that there are questions with answers which are correct because those are the answers everyone would choose. (The canonical example is: where do you meet in New York if your cell phone runs out of batteries before you can fix a place? Under the clock in Grand Central.)
He was not only insightful about economics, he was able to write about new and important ideas in an accessible and understandable way. I had the pleasure of sitting across from him at lunch at a conference once. He was funny, engaging, and had great stories. That storytelling ability figured into his writing in a way that many economists would do well to emulate.
Boeing and Airbus insist there was no immediate danger. The mechanic had to be standing in precise spots with a particular walkie-talkie tuned to a specific frequency and with a certain signal strength.
There's lots of stereotypical good detail: The vendor insisting it would be hard, an independent expert insisting it's easy...
There are some fascinating tidbits about how Federal Express plans for the unforeseen in a New York Times story, "Have Recessions Absolutely, Positively Become Less Painful?" I wonder what (if anything) information security could take away from this sort of approach?
It had been a busy day for Georgia businesses, and FedEx's regular nightly flights from Atlanta to the company's Memphis hub were overbooked with packages. So the local crew made a call to a sprawling, low-slung room here at headquarters, where people hunch over computer screens showing weather maps and flight plans, and asked for help from the five empty FedEx jets that roam over the United States every night.
Besides Las Vegas, the flying spares leave from Duluth, Minn.; Laredo, Tex.; Fort Myers, Fla.; and Portland, Me. All take circuitous paths to Memphis, passing near major cities like Dallas, Denver and St. Louis.
On a typical night, one of the five makes an unexpected stop to collect an overflow of packages, one lands to bail out a plane needing a repair, and three arrive in Memphis as empty as they were when they took off.
Via Marginal Revolution.
It couldn't happen to bluer people, with the possible exception of the Sneetches.
The people of Belgium have been left reeling by the first adult-only episode of the Smurfs, in which the blue-skinned cartoon characters' village is annihilated by warplanes.
The short but chilling film is the work of Unicef, the United Nations Children's Fund, and is to be broadcast on national television next week as a campaign advertisement.
From the Telegraph, "Unicef bombs the Smurfs in fund-raising campaign for ex-child soldiers," via It's All About Control.
Rob Sama IM'd me a link to some Mac launch rumors at "http://www.macpro.se/?p=3014." He then commented:
Rob: I was the one who pointed that out to Cringley, and Calzone had pointed it out to me
Adam: and you got no cred?
Rob: I guess. I mean, columnists like that often say "a reader told me..." and stuff like that
Adam: I think that's an MSMism that's going to go away
The MSM (MainStream Media) practice of taking a comment from "a reader" and running with it is old. As is the habit of trivializing them by calling them "a reader," or perhaps using 'reader' as a title, as in 'reader Rob Sama.' I mean, what's more passive than a reader, contrasted with the power of 'columnist?' After all, the columnist has opinions. They like sharing those opinions. And the editor has declared those opinions to be worth reading. By readers. You know, the little people. Like bloggers.
Or maybe not like bloggers. Because bloggers don't have editors, although many hope to make it into the big time of being linked to by Boingboing, or Nielsen Hayden, or heck, anyone with more readers than ourselves.
But more to the point, bloggers aim to give credit where it's due. Where did a link come from? Who said things that triggered a post? (Nominally, I should be linking my Friday Star Wars security blogging, but I figure its so well known I don't need to.) This is a part of the democratizing aspect of blogging that's so exciting: Anyone can do it. Anyone can set up a blog on a free service and see if they can collect some readers.
This is one of the reasons that some people are threatened by, and feel a need to trivialize bloggers and our pajamas. There's chaos out here, and there's no editor to protect you. What hierarchy there is comes from pre-blogging status, tenure as a blogger, and meritocracy. Taking each of those in turn: When Richard Posner or Mark Cuban start blogging, their prior achievements generate a readership for them. There's a set of folks who want to hear what these people have to say. Tenure as a blogger is pretty simple. There's probably 10 super-geniuses out there with blogs. Future Nobel prize winners. Oscar winners. Who haven't broken through yet, but are talking about their work in their blogs. Over time, people will notice and link to them. But it doesn't happen overnight. It happens, and here's point 3, to those who do well.
That's why I'm always genuinely happy to meet readers or get comments: It's really hard to do this in a vacuum. Thursday, I had a good chat with a gentleman from Ironport, and, not having gotten a card, don't want to mangle your name. But you mentioned liking the longer view bits.
And so over time, "a reader writes" is going to disappear, in favor of naming names. Because the writer will remember being the little fellow, hoping for the link from the widely-read.
Boingboing directs us to "Archimedes Death Ray: Idea Feasibility Testing," in which an MIT class decides to test Archimedes' ray: The use of mirrors to set warships on fire.
Mythbusters claimed it was a myth, that the idea couldn't be made to work. Well, the MIT class gave it a shot, and it turns out that, as pictured, you can light a bunch of wooden planks on fire with sunlight at a good distance (100 feet or so).
That's pretty darned cool.
Something's nagging at me.
So...that's a fascinating feasibility study, and was probably a lot of fun to do. But something struck me as I looked at the mocked-up boat, sitting high and dry on the MIT lawn, and then on the roof of a parking garage.
There's no water.
Now, that might be an acceptable oversight if this was a class at say, the University of the Sahara. But as people who have visited MIT are aware, MIT happens to be close to water. (I provide a map for easy reference. The first experiment, on the lawn, appears to have taken place across the street from the red push-pin at 77 Mass Ave.)
Now, you might think that the lack of water in the set up isn't a very big deal. After all, as the concentrated light hit the wood, the water would simply steam off. Of course, that steaming off would slow the process, and warn the sailors that pouring more water down the side on their boat would be a fine idea. Old sailors tend to be quite aware of the dangers of fire, and have a variety of methods for fighting it.
But more important than the lack of water as a fire retardant is that water is a liquid, and things floating on water are rarely stable. They bob. They bounce. They drift (even at anchor.) Each of those increases the difficulty of keeping the light focused on one spot. It also introduces a targeting trade-off: If you ignite near the water line, so that the fire rises through as large an area as possible, then you're igniting wetter wood, and have to heat the adjacent wood as well. (The MIT guys targeted right above the water line.) Your hot spot may also dip into the water, cooling it off. So your aim point needs to be higher up, causing less damage, and increasing the ability of those on the ship to fling water at it.
And so, when we ask ourselves, could Archimedes' Ray have worked, we need to take into account the water, the movement of the ship and the ability of the soldiers to keep light focused on a single spot.
VADER: Where is that shuttle going?
PIETT (into comlink): Shuttle Tydirium, what is your cargo and destination?
PILOT VOICE (HAN)(filtered): Parts and technical crew for the forest moon.
VADER: Do they have a code clearance?
PIETT: It's an older code, sir, but it checks out. I was about to clear them.
In modern cryptography, a system is designed so that even when the cryptosystem is fully known, it is hard to break. The only parts that must be kept secret are the keys used to encrypt the message. In many modern designs, the "bulk" or "symmetric" encryption keys used for each message are generated specifically for that message, and then discarded. The clever cryptosystems that allow us to do that are called "public key" or "asymmetric" systems. (I prefer "asymmetric," since the two participants each hold a different key.)
Changing keys is useful. An attacker who learns one key learns nothing that helps them break any message encrypted with a different key. That's the essence of Kerckhoffs's principle: that systems should be designed that way.
Even if you're using public key encryption systems (and I'll simply assume the Empire is), changing your keys now and again is helpful. If rebel scum steal your keys without you realizing it, then periodic re-keying ensures that the problem is bounded in time.
In a military situation, where your opponent will go to great lengths to steal keys, there's a logistics issue of how to distribute the new keys. You can't send them over a channel which is secured by the old keys. You need to use either a separate system (and how do you ensure those keys are secure?) or couriers. But when your units are dispersed across the planet or a galaxy, you can't have a daily courier service. You also have to plan for your courier service to fail, either because the courier is intercepted, or the rendezvous point is unavailable. So you need to send out a set of keys that will be used over the next N cycles.
In the Second World War, the Allies took advantage of this by attacking Nazi weather ships. (The plan may have originated with Ian Fleming, who went on to write the James Bond novels.) By capturing keys, the Allies were able to read Nazi traffic.
Regardless, Piett was about to authorize the shuttle's landing. The history of cryptography is littered with examples that didn't take place a long, long time ago, but whose pattern is the same: the desire to believe that everything is OK, the pressure of the routine, and the operator's belief that the slightly abnormal is close enough to normal combine to justify bending the rules a little bit.
In accepting an out-of-date key, Piett is making a decision which is militarily, cryptographically and psychologically probably sensible. The design of the process means that such anomalies are to be expected. That expectation is why stealing keys is worth heroic efforts. (Such efforts are the reason behind Jack Shaftoe's work in Stephenson's "Cryptonomicon.") Even with systems designed according to Kerckhoffs's principle, key management is a hard challenge.
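An added example, not part of the original post: a toy key schedule in Python in the spirit of the Empire's "older code" problem. It pre-distributes independent keys for the next N cycles as described above, authenticates messages with HMAC-SHA256 (a public algorithm, so only the per-cycle keys are secret, per Kerckhoffs's principle), and shows what a verifier can do when a clearance arrives under an older key: accept it inside a grace window but flag it for review, and refuse it past that window. The cycle count, the grace window, the shuttle message and the leaked-key scenario are all constructed for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed parameters for this example: keys for the next N cycles are
# pre-distributed, and the verifier tolerates a key that is at most GRACE
# cycles old (Piett's "older code").
N_CYCLES = 7
GRACE_CYCLES = 1


def make_key_schedule(n_cycles=N_CYCLES):
    """One independent random 256-bit key per cycle. Because the keys are
    independent, learning the key for one cycle says nothing about any other
    cycle: the damage from a stolen key is bounded in time."""
    return {cycle: secrets.token_bytes(32) for cycle in range(n_cycles)}


def seal(schedule, cycle, message):
    """Sender side: tag the message with the key for the cycle it believes is
    current. The algorithm (HMAC-SHA256) is public; only the key is secret."""
    tag = hmac.new(schedule[cycle], message, hashlib.sha256).digest()
    return cycle, tag


@dataclass
class Verdict:
    accepted: bool
    reason: str


def verify(schedule, current_cycle, message, key_cycle, tag, grace=GRACE_CYCLES):
    """Receiver side. The tag is checked first; only then does the key's age
    matter. A stale-but-valid key is accepted inside the grace window and
    flagged, so that 'it checks out' anomalies are visible to a reviewer."""
    if key_cycle not in schedule:
        return Verdict(False, "unknown key id")
    expected = hmac.new(schedule[key_cycle], message, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return Verdict(False, "bad tag")
    age = current_cycle - key_cycle
    if age < 0:
        return Verdict(False, "key from a future cycle")
    if age == 0:
        return Verdict(True, "current key")
    if age <= grace:
        return Verdict(True, f"stale key ({age} cycle old): accepted, log for review")
    return Verdict(False, f"expired key ({age} cycles old)")


def run_scenario():
    """Walk through the cases from the post with constructed messages."""
    schedule = make_key_schedule()
    shuttle = b"Shuttle Tydirium: parts and technical crew for the forest moon"
    results = {}

    # The fleet is in cycle 3. A shuttle sealed with the cycle-3 key is fine.
    cycle, tag = seal(schedule, 3, shuttle)
    results["current"] = verify(schedule, 3, shuttle, cycle, tag)

    # Piett's case: an older code that still checks out.
    cycle, tag = seal(schedule, 2, shuttle)
    results["older"] = verify(schedule, 3, shuttle, cycle, tag)

    # Two cycles old is past the grace window and is refused.
    cycle, tag = seal(schedule, 1, shuttle)
    results["expired"] = verify(schedule, 3, shuttle, cycle, tag)

    # A modified message fails the tag check before the age is even considered.
    results["tampered"] = verify(schedule, 3, shuttle + b"!", cycle, tag)

    # Re-keying bounds the damage: a key that leaked in cycle 1 is good for
    # cycle-1 traffic only, and useless once the fleet has moved on to cycle 3.
    leaked_key = schedule[1]
    forged = hmac.new(leaked_key, b"clearance granted", hashlib.sha256).digest()
    results["leak_same_cycle"] = verify(schedule, 1, b"clearance granted", 1, forged)
    results["leak_after_rekey"] = verify(schedule, 3, b"clearance granted", 1, forged)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        state = "ACCEPT" if verdict.accepted else "REJECT"
        print(f"{name:>17}: {state} ({verdict.reason})")
```

The grace window is the policy knob: setting it to zero turns Piett's "I was about to clear them" into a hard refusal, while a larger window trades that strictness for tolerance of courier delays.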
Incidentally, be sure to check out the Piett Gallery, from whom I borrowed today's image. Next Friday, we may detour back to Tatooine to answer a reader question, or I may start in on Saltzer and Schroeder's classic work. I'm still looking for a good web version that I can link to. Finally, thanks to DM for pointing out some flaws in the first draft.
As an aside in a longer article, Dan Markel writes:
As a matter of blogging ethics, I think the way to handle it is to post an apology and clarification and to remove the inaccurate material, with a followup email that clarified the situation.
This is dangerously wrong. The inaccurate material needs to stay, because other people will link to it, and look like crazy people. If my change is merely grammatical, spelling, or punctuation, and I find it, I'll slip it in. If someone else finds it, I'll usually use <strike> to
To be clear, I'm not accusing Dan of being dishonest or advocating dishonesty, but stating that I had a pretty strong reaction to his comments that the inaccurate material should be removed.
It's a blog. We make mistakes. Own up to it, and move on. Don't try to edit it out of the past.
[Irony of ironies, as Allan Friedman points out in a comment, I neglected to link to the original article. Dan Markel's article is here, and I've added the link in the natural place above.]
Daniel Solove and company have launched a new blog, "Concurring Opinions." Today, they posted their privacy policy.
I think they'll be sued shortly by Experian, for copyright infringement.
I should also mention that I had a good time at the Detroit IT Security Summit. I thought there was an interesting and broad selection of panelists, including some technical people and some senior managers. I didn't get to talk to as many folks as I might have liked, but that's always the case.
On the "Meet the Bloggers" panel at the Detroit IT Security Summit, I publicly heaped praise on Microsoft for their investment in security, the results of which include some really cool tools in Visual Studio 2005.
Also on the panel, Ed Vielmetti brought up a really good point that I hadn't heard recently, that of FAA after-incident reports, and how they contrast to the head-in-the-sand approach the computer industry takes. I think such after-incident reports are needed to help temper any liability system that might get built.