Pro-User Zealot!

Get the bumper sticker!

The background is that a Canadian MP, Sam Bulte, referred to people other than her film and music business corporate backers as “pro-user zealots” at an all-candidates meeting. (Michael Geist has a good summary in “The Bulte Video,” Boingboing has covered it extensively, and Technorati can help you find lots of posts on the issue, which seems to be the only reason anyone is blogging about her campaign.) Those backers should be free to back candidates that they like, but I do worry about Ms. Bulte not getting out enough and talking to her constituents with the right to vote. They might tell her that having a rootkit installed by Sony on their computers is bad, or complain that they can’t copy a recording they made of themselves with a MiniDisc player. Further, I am proud to be a pro-user zealot, although I do hate the term “user” as a derogatory synonym for customer.

[Update: Err, when saying, “get the bumper sticker” and expounding upon one’s pro-user zealotry, it might be helpful to actually link to the bumper sticker, such that users may act on the suggestion provided.]

Happy Birthday, CVE!


The sixth presentation was based on a paper titled “Towards a Common Enumeration of Vulnerabilities” by David E. Mann and Steven M. Christey from the MITRE Corporation. This presentation also generated considerable interest from the audience. They tackled the problem of dealing with several heterogeneous vulnerability databases and presented the Common Vulnerability Enumeration (CVE) mechanism for sharing of vulnerability data. They related the CVE to current practices on vulnerability data

From the “2nd Workshop on Research with Security Vulnerability Databases” writeup in IEEE Cipher. From a recent email to the CVE editorial board:

Our CVE compatibility evaluation program has continued to grow, with Bob Martin’s leadership. Now, over 230 products and services, from 140+ organizations, have at least declared their intentions for CVE compatibility. 53 products have obtained official “CVE Compatible” status, with another set of products to be announced soon.

All from one talk, seven years ago, and an awful lot of hard work along the way.

(Disclosure: I’m working with MITRE on a CVE related project.)

What Software Do I Like?

In a comment on “Software Usability Thoughts: Some Advice For Movable Type,” Beau Smith asks “What Mac software do you like?”

That’s a tough question for three reasons: First, there’s enough decent software (consistent, attractive, discoverable) that the bad stuff can generally be avoided. Secondly, I’d like to choose examples which are either free or cheap, because I think that’s more useful than, say, commenting on Excel. Thirdly, Apple has an excellent set of “Human Interface Guidelines,” which seemingly most developers have read. The HIG really create a floor for what Mac developers tend to do, and the Mac faithful crush anything that falls near or below that floor. As I’m writing this, I’m reminded of a vignette in the Ars Technica review of Delicious Library:

This is a splash screen for a beta—something that will never be seen by more than a handful of people. Note the bullet hole, the magic marker graffiti, the scratched-out slogan, the haphazardly placed logo sticker.

Linux users, think about this image the next time you download a release version of a product without a comprehensive sample configuration file or with “cosmetic” bugs. Windows users, think about this the next time you see a poorly drawn 16-color icon or toolbar graphic in a multi-hundred dollar commercial software package.

That said, I’d like to discuss two apps a little bit: iCal, which ships with the OS, and “Notational Velocity.”

I like iCal quite a bit. It took a little exploration to get used to, and some things didn’t work quite as I wanted. For example, I wanted recurring to-do items to help remember to pay bills. Almost as good, I use recurring “all day” appointments in a finance category. I use the same sort of thing to manage travel information. It works quite well for me.

Notational Velocity is useful because of how small and fast it is, and how well searching works. Now that I have a program that implements incremental search, I find not having it in other places to be a lack. It’s that useful.

More than any particular feature, I appreciate the effort that goes into making something look easy.

UK various breaches

  • Department for Work and Pensions, 8,800 identities
    Her Majesty’s Revenue and Customs (HMRC) was forced to close down the tax credits website at the start of December last year, after a spate of fraudulent claims came to light which exploited the stolen identities of Department for Work and Pensions staff.

  • Network Rail, 4,000 identities
    Primarolo divulged the information after it was also revealed that 4,000 Network Rail employees had their personal details stolen and bank accounts set up under false pretences…Brian Contos of security firm ArcSight said: “This incident has been described as one of Britain’s biggest benefit frauds – with one in seven staff at Network Rail falling victim to this identity theft. [Both quotes from “Tax Credit Fiasco.”]

It’s a good thing ~~the UK has a disclosure law~~ the rules have changed, or each of these victims would be struggling alone to explain what has happened to them. The EU should pass a disclosure law. It’s good for victims of these crimes, it’s good for preventing these crimes, and it will be good for industry as a whole and the computer security industry in particular. Only those who know they have rotten security would oppose such a thing.

Do no evil

As readers of this blog probably are already aware, Google has been subpoenaed. The United States government is demanding, in part, that they provide a list of all URLs they index. This is something I’d expect them, or any other search firm, to want to keep secret.
Imagine my surprise when I read this in their response to the subpoena:

Defendant has already received URLs from at least one other major search engine. It is unclear why Defendant believes it needs URLs from Google.

Google goes on to state that they object to providing the information. Inquiring minds, however, want to know which search engine(s) did provide it. If they were forthcoming with that information, perhaps they also provided the other item which the government demanded: every search query from a one-month period.
Update five minutes later: AOL, Yahoo, and MSN did comply, sayeth BoingBoing.

Reacting to Web Pages


Researchers led by Dr. Gitte Lindgaard at Carleton University in Ontario wanted to find out how fast people formed first impressions. They tested users by flashing web pages for 500 msec and 50 msec onto the screen, and had participants rate the pages on various scales. The results at both time intervals were consistent between participants, although the longer display produced more consistent results. Yet, in as little as 50 ms, participants formed judgments about images they glimpsed. The “halo effect” of that emotional first impression carries over to cognitive judgments of a web site’s other characteristics including usability and credibility. We talked to Dr. Lindgaard about her study…

From “First Impressions Count in Website Design.” I found out about this via Wired News, but they didn’t link to the article, so I won’t link to them. Sucky website via

More on “A Ping” Privacy Invasion

Before I’d had much in the way of coffee, I thought that the “Firefox Ping URLs” might offer a way to scan the web for sites to avoid. It would be simple. For each site mentioned in a ping URL, add it to a blacklist. The trouble with this is that the same set of people who won’t offer fast redirects will simply set their ping servers to be the same machines that serve their content.

Firefox Ping URLs

It’s all over the internet that Mozilla has added a “ping” attribute to links:

I’ve been meaning to blog about a new web platform feature that we’ve added to trunk builds of Firefox. It is now possible to define a ping attribute on anchor and area tags. When a user follows a link via one of these tags, the browser will send notification pings to the specified URLs after following the link.

I’m sure this may raise some eyebrows among privacy conscious folks, but please know that this change is being considered with the utmost regard for user privacy. The point of this feature is to enable link tracking mechanisms commonly employed on the web to get out of the critical path and thereby reduce the time required for users to see the page they clicked on. Many websites will employ redirects to have all link clicks on their site first go back to them so they can know what you are doing and then redirect your browser to the site you thought you were going to. The net result is that you end up waiting for the redirect to occur before your browser even begins to load the site that you want to go to. This can have a significant impact on page load performance.

So let me get this straight: privacy invasion was annoying not only the privacy-conscious but everyone else too, because it sucked. Your response was not to say, sorry, gosh, that sucks, try directing people through fewer slow forwarders, but to apply a technical fix to the problem? Hello? You could also help people fill out their social security numbers on phishing sites. Some things should not be optimized. Oh, and rather than implementing the feature with default off, and/or implementing the privacy UI before the feature, you just go ahead and build it as is?

The inverted flag is, of course, a classic marine distress signal.

Known unknowns?

Oracle has just released fixes for 82 vulnerabilities. After taking several paragraphs to say “Many experts external to Oracle feel that patches for critical vulnerabilities are too slow in coming from the esteemed database giant, and have criticized the company for its slowness in responding to reports originating with outsiders,” Brian Krebs notes that security researchers such as Alexander Kornbrust and David Litchfield have reported at least 137 Oracle vulns which remain unfixed. He then makes an excellent point:

If we consider that Oracle finds more than 75 percent of flaws in-house, and the total number of the unpatched bugs reported to Oracle just by the above-mentioned security researchers is 137, how many flaws has Oracle uncovered in-house that it still hasn’t fixed? Not sure I’ll get the answer from Oracle, but at least I have asked the question.

The 75% figure comes from Oracle, and nobody outside Oracle can check it. Its accuracy depends on how many Oracle zero-days are out there: every flaw being found and used by attackers without ever being reported shrinks Oracle’s real share of discoveries, and by definition nobody is counting those. As Krebs observes:

[I]f there are widespread attacks against Oracle database servers, it is unlikely most people will ever hear about them — that is, until an affected company is forced through various state data-breach notification laws to go public with a few details (none of which are likely to include the affected hardware or software.)

BSD Kernel Stack Overflow

An integer overflow in the handling of corrupt IEEE 802.11 beacon or probe response frames when scanning for existing wireless networks can result in the frame overflowing a buffer.

From the FreeBSD Advisory. Researcher advisory is at No word yet on if Macs are vulnerable. I think Richard at TaoSecurity sums it up well:

That’s cool. Insert wireless NIC, be 0wn3d. I’m glad I heard about this prior to Black Hat Federal next week.
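To make the bug class the advisory names concrete, here is an added illustration (a constructed example of my own, not FreeBSD’s code and not the researcher’s proof of concept): a walk over the information elements in a beacon or probe-response body, written first with the kind of length check that wraps around on a truncated frame, then hardened. The element layout (one-byte id, one-byte length, data; SSID is element id 0 with a 32-byte maximum) is the 802.11 one; the sample frames, the receive-buffer scenario and the function names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 802.11 information element (IE): id byte, length byte, then `len` bytes of data. */
#define IE_SSID     0
#define SSID_MAXLEN 32

/* Vulnerable walker. It reads the length byte before confirming that a
 * full two-byte IE header is left, and its bounds check is computed as
 * frame_len - off - 2 in size_t, which wraps to SIZE_MAX when exactly one
 * byte remains. A corrupt frame ending in a lone SSID id byte therefore
 * passes the check, and the caller goes on to copy up to 255 bytes taken
 * from beyond the frame into a 32-byte SSID buffer. */
int find_ssid_vuln(const uint8_t *frame, size_t frame_len,
                   size_t *ssid_off, size_t *ssid_len)
{
    size_t off = 0;
    while (off < frame_len) {
        uint8_t id  = frame[off];
        uint8_t len = frame[off + 1];      /* BUG: off + 1 may equal frame_len */
        if (len > frame_len - off - 2)      /* BUG: wraps when off == frame_len - 1 */
            return -1;
        if (id == IE_SSID) {
            *ssid_off = off + 2;
            *ssid_len = len;                /* BUG: never capped at SSID_MAXLEN */
            return 0;
        }
        off += 2 + len;
    }
    return -1;
}

/* Hardened walker: establish `remaining >= 2` before reading the header
 * (so the subtraction below cannot wrap), reject any IE whose body runs
 * past the frame, and cap the SSID at its defined maximum before anyone
 * copies it into a fixed-size buffer. */
int find_ssid_safe(const uint8_t *frame, size_t frame_len,
                   size_t *ssid_off, size_t *ssid_len)
{
    size_t off = 0;
    while (off < frame_len) {
        size_t remaining = frame_len - off;
        if (remaining < 2)
            return -1;                      /* truncated IE header */
        uint8_t id  = frame[off];
        uint8_t len = frame[off + 1];
        if (len > remaining - 2)
            return -1;                      /* IE body runs past the frame */
        if (id == IE_SSID) {
            if (len > SSID_MAXLEN)
                return -1;                  /* would overflow the SSID buffer */
            *ssid_off = off + 2;
            *ssid_len = len;
            return 0;
        }
        off += 2 + len;
    }
    return -1;
}

/* Constructed well-formed body: SSID "ab", then a one-byte supported-rates IE. */
static const uint8_t good_frame[] = { 0x00, 0x02, 'a', 'b', 0x01, 0x01, 0x82 };

/* Constructed corrupt body inside a larger receive buffer. The driver says
 * 5 bytes are valid: one complete IE (id 1, len 2) followed by a lone SSID
 * id byte. Everything after offset 5 is stale buffer contents. */
static const uint8_t recv_buf[] = { 0x01, 0x02, 0xAA, 0xBB, 0x00,
                                    0xFF, 0x41, 0x41, 0x41, 0x41 };
#define CORRUPT_LEN 5

/* Bytes the vulnerable walker would have the caller copy from beyond the
 * end of the frame (0 if it rejected the frame). */
size_t vuln_overread(void)
{
    size_t off = 0, len = 0;
    if (find_ssid_vuln(recv_buf, CORRUPT_LEN, &off, &len) != 0)
        return 0;
    return off + len > CORRUPT_LEN ? off + len - CORRUPT_LEN : 0;
}

int safe_result_corrupt(void)
{
    size_t off = 0, len = 0;
    return find_ssid_safe(recv_buf, CORRUPT_LEN, &off, &len);
}

size_t safe_good_ssid_len(void)
{
    size_t off = 0, len = 0;
    return find_ssid_safe(good_frame, sizeof good_frame, &off, &len) == 0 ? len : 0;
}

int main(void)
{
    printf("corrupt frame, vulnerable walker: caller would copy %zu bytes past the frame\n",
           vuln_overread());
    printf("corrupt frame, hardened walker: rc=%d\n", safe_result_corrupt());
    printf("good frame, hardened walker: ssid_len=%zu\n", safe_good_ssid_len());
    return 0;
}
```

The wrap is the whole story: the check `len > frame_len - off - 2` looks like a bounds check and is correct for every frame except the one an attacker sends. Walking the same corrupt frame under a fuzzer with AddressSanitizer catches the vulnerable version on the very first out-of-frame read, which is why parsers of untrusted radio input should be fuzzed before they ship in a kernel.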

Brokerage account zero liability

E*Trade is implementing a program under which it will reimburse on-line fraud victims for their losses, according to a New York Times report. This is an interesting step. Now the question is whether investors who prefer to use their pet’s name as a password will shift their accounts to E*Trade :^)

On the NSA Wiretaps

One of the noteworthy aspects of the ‘NSA Wiretap’ revelations is how they have galvanized a broad swath of people, far beyond the “usual suspects,” to state that the program was a mistake and that we need to function within the rule of law. For example, Suzanne Spaulding, former assistant general counsel at the CIA:

Before I worked on the intelligence committees, I was a lawyer at the CIA. We understood that congressional oversight was key to maintaining the trust of the American public, which is vital for a secret agency operating in a democracy. True oversight helps clarify the authority under which intelligence professionals operate. And when risky operations are revealed, it is important to have members of Congress reassure the public that they have been overseeing the operation. The briefings reportedly provided on the National Security Agency (NSA) surveillance program reflect, instead, a “check the box” mentality — allowing administration officials to claim that they had informed Congress without having really achieved the objectives of oversight. (From “Power Play” in the Washington Post.)

Victor Comras and Daveed Gartenstein-Ross discuss the wiretaps in “The President’s NSA Wiretaps: Unnecessary Problems in the War on Terrorism” and “Defense Challenges to NSA Wiretaps: Legal Issues” (respectively) at the Counterterror blog. This is interesting because CT is a collection of experts in the field, many with very long records of public service. By and large, they have seemed to favor more power, fewer restraints, and a “whatever it takes” approach to winning. They have also tended to believe that a wide variety of legal frameworks should be expanded to reflect this approach.

They will be raised, countered, considered and appealed in the context of numerous past, on-going and future terrorism-related cases. The same issues will be aired publicly, in the media and in Congressional hearings. And these issues, and the arguments in these cases, won’t go away anytime soon. In fact, they are likely to cause considerable complications and delays in prosecuting and winning these cases. So, the question must be asked: Was the President’s decision to authorize such NSA wiretaps on his own, arguably on the basis of his own constitutional authority, and without regard to FISA, a mistake? The answer to this question follows, in large part from the answer to another question. Was such unilateral action really necessary?

Dear Recruiter


My name is () and I am a recruiter for (). I came across your name on an internet search and wanted to tell you about our opportunities available within our NYC and Houston locations.

(), a key component of the firm’s () practice, provides the building blocks for a secure and protected business environment. Employing state-of-the-art technology, () security professionals deliver enterprise security and risk-based services enabling our clients to take advantage of the evolving electronic economy in a secure manner. STS professionals have extensive experience with information security protection, system security planning, information security assessments and implementation, security program development, business continuity planning, and strategic technology planning. These services help companies validate their infrastructure; design and implement business processes and technology solutions; address regulations; and educate and train management and employees.

If you are interested in exploring new employment opportunities, I would love to talk to you about…

Having read all that, I’m confident that you have a position that’s great for me. Thanks especially for taking the time to include my name in your email, and letting me know what caught your eye. I know, there’s only a little bit about me online, so I ought to be able to guess why you’d like to hire me.

Oh, I know, you’re a body shop! Thanks for the blog-fodder. If you don’t want to be treated like this, let me say a good word for my friends at Alta and Associates. They’ve never placed me, and never pressured me to take a job that wasn’t right. I’ve not yet hired through them, but we still talk, and I value that they treat me like a person. Let me also say a word for my friend ClueChick, who writes about online dating, and often encounters this pattern.

Roll Clouds


These rare long clouds may form near advancing cold fronts. In particular, a downdraft from an advancing storm front can cause moist warm air to rise, cool below its dew point, and so form a cloud. When this happens uniformly along an extended front, a roll cloud may form.

Image and text from “Astronomy Picture of the Day.”