February 22, 2008

Cat Le-Huy, Dubai and the moral high ground

(Posted by adam)

Cat Le-Huy is a friend of friends who has been "detained" entering Dubai. I put detained in quotes, because he's been thrown into prison, where he's now spent a few weeks.

He claims he was carrying melatonin, which is legal in Dubai, and the authorities have charged that there was .001 gram (1 milligram) of hashish, which is basically some specks of dust. The law firm representing him wants a £25,000 retainer.

It used to be that the United States, the United Kingdom (where Cat lives), and Germany had a certain moral high ground with regard to the arbitrary detention of their citizens. Unfortunately, the executives of our countries have tossed away that high ground with our own arbitrary detentions. In the US, we detain not only foreigners, but our own citizens.

So, what does this mean to you?

First, please donate to Cat's legal defense fund.

Second, don't go to Dubai. They're competing to be the next "Disneyland with the Death Penalty," and that should hurt their businesses and that should hurt their bizarre attempts to bring in tourists.

It might mean other things, but we'll leave that for future blog posts.

[Updated: fixed donation link.]

Posted by adam on February 22, 2008 at 11:40 AM in Air Travel, personal security.

October 25, 2007

What Would One Actually Do With A Persona?

(Posted by mordaxus)

I asked Bob Blakley and Mike Neuenschwander some questions about Limited Liability Personae. Rather than focusing on the implementation, I wanted to talk about the high level purposes, as well as concerns that most people have with the idea of a persona. Whenever I discuss personae, there are issues that frequently come up, for example:

Mordaxus: What do you have to hide? That's the obnoxious way to ask why one needs a persona. What problem does a persona solve? Is there another way to do this?

Bob Blakley: It has nothing fundamentally to do with "hiding". It has to do with compartmentalizing risk.

There's no good reason getting my social security number stolen should result in my bank account getting cleaned out and my credit record being polluted. This only happens because I have to "invest" my bank account in a transaction (and hence put it at risk) every time someone asks for my SSN. If I have a persona which has its own ID number and a separate bank account with a limited amount of my money in it, when I engage in a transaction I only have to put "as much of my resources and information as necessary" into the transaction. This means that my other resources (the ones I "hide") do not have to be exposed to thieves and other bad actors.

One can of course use a persona to adopt a personality other than the one used at work or socially. This can be destructive (as when it's used to perpetrate fraud or otherwise deceive) or constructive (as when one builds an interesting character in an online game, or constructs a persona as an artist, and so on).

Mordaxus: Won't this just let people run amok? Many people think that "anonymity" (which I put in quotes because it includes pseudonymity to these people) is the root of many evils. I disagree and think it is a lack of accountability. It doesn't really matter, though. How will personae make the situation better for anything from identity theft, to paying one's bills, to politically-motivated Wikipedia edits?

Bob Blakley: An LLP isn't anonymous, and it is accountable. The government agency which creates it requires a registration process. If something socially harmful is done using the LLP, the normal legal process can be used to associate the LLP with its owners (in fact ownership is usually public information). But as long as the law is followed, the liability incurred by the LLP does not transfer to the owners, and the owners can shield their "real" identities from transaction partners as long as they follow the law and the rules of LLC operation.

Regarding Wikipedia edits, assuming for the moment that there is actually a problem with them, an LLP is not designed to prevent politically-motivated activity of any kind including edits, and, as noted above, it's not designed to be a vehicle for unbreakable anonymity.

Mordaxus: How will it actually protect me? This comes back to asking what a persona is actually good for.

Bob Blakley: Liability limitation is what LLCs are all about. The fundamental notion of the corporation is that it allows individuals to invest some of their resources in an enterprise which might sustain significant losses, without putting at risk resources which are not invested in the corporation.

Today the liability-limitation (and taxation) benefits of incorporation are enjoyed by business enterprises and the wealthy, but mostly not by private citizens who are not wealthy. The LLP proposal is essentially intended to provide the risk-management benefits today enjoyed by the rich to everyone.

Mike Neuenschwander: Good questions. I know Bob already took the bait on this one, but I'll add a little more in the way of theoretical background. First, persona building is an important human activity. In everyday experience, it's easy to perceive the self as a unified, fixed, separable identity, but that's not the case at all. (The philosophical / scientific discussion of the topic can be found here.) When you probe the idea of self a bit deeper, you realize that people construct personas for nearly every relationship they engage in. They do this to fill a role that the relationship requires. Personas help set expectations among participants in a relation, provide protections for participants, and set parameters for behavior. Personas also "instruct" participants on how to behave. Role playing an archetypal character is an efficient method for humans to disseminate wisdom throughout society and across generations.

In the natural world (vs the online world), mechanisms exist to place costs on the creation of personas, so people can't create an indefinite number of them. The natural world also makes it costly to shed personas or to defect from relations and society. In other words, there are natural processes in the natural world for keeping the system in check. In the digital world, they're woefully sparse. We have "emoticons" (which emote individuals' feelings) but we need "social emoticons," which promote empathy, reciprocity, and trust among individuals.

Posted by mordaxus on October 25, 2007 at 6:30 PM in Privacy, personal security.

August 22, 2007

Trespass and Forgiveness

(Posted by mordaxus)

A man in the UK has been arrested somewhat dramatically for illegally using a WiFi connection. The BBC reports it here as "Man arrested over wi-fi 'theft'" and El Reg as "Broadbandit nabbed in Wi-Fi bust." Each is worth reading.

The police statement is worrying. El Reg says:

Despite not having secured a conviction yet or even charged the man, DC Mark Roberts of the computer crime unit said: "This arrest should act as a warning to anyone who thinks it is acceptable to illegally use other people's broadband connections."

The worry is that the police seem to have decided what the TOS of the connection is for themselves. Bruce Schneier has said somewhat famously that his home wireless system is unprotected because he feels it is "neighborly." Ross Anderson leaves his open because he feels it leaves doubt open as to who did what on his network. An RIAA fishing expedition, for example, would have a harder time sticking on either of them.

If, as DC Roberts seems to be saying, it is illegal to use any wireless that is not clearly marked as being open, how does someone declare their wireless as open? Do you need to put some statement in the SSID?

That is a fine answer, but it leads to a second question: would, then, having an open wireless system with a generic name be an attractive nuisance? It's a nuisance to have a swimming pool that is not fenced off, for example, because someone could stumble into it and fall in. In this case, an open wireless system is a nuisance because someone could stumble into it and commit a Computer Misuse without even realizing.

Could not then, there be civil or criminal penalties attached to putting up an unsecured wireless?

Or perhaps it would be better for the police to only respond to complaints? That response could even include asking the complainer, "Have you put a password on your network?"

Photo courtesy of sholden.

Posted by mordaxus on August 22, 2007 at 6:11 PM in Current Events, Legal, personal security.

August 9, 2007

Obscenities in Passwords

(Posted by mordaxus)

El Reg reports that "Pipex invites customer to get 'c**ted'" in which the generated passwords that the Pipex system suggested contained a rude word. A screenshot is available on the Register article.

There is, however, a second obscenity here that is far more subtle.

That obscenity is in the password selection advice and suggestions. The advice is:

We highly recommend you include at least one of each of the following to make your password more secure:

  • A capital letter
  • A lowercase letter
  • A number

In case you're having trouble thinking of a new password, here are three that might be suitable.

Of course there's the amusement factor of the rude one being described as "might be suitable." I will note that ages ago when the world was young, some operating systems allowed vetting of generated passwords to avoid precisely this issue.

But that brings us to the two obscenities in the three suggested passwords. As you, Clever Reader, have no doubt already noticed, all three of the suggestions are eight-character passwords that are a capital letter followed by six lowercase letters followed by a digit.

Naïvely, they thought that this would be more secure than just lower case. However, there are 80,318,101,760 total passwords using their scheme, and 208,827,064,576 total passwords if you just use lowercase. The latter number is 2.6 times as many passwords.

In case you're bored with math, eight lowercase letters is $26^8$ total possibilities. In Pipex's scheme, you are trading 26 lowercase possibilities for 26 uppercase possibilities in the first character, so there's no actual improvement. Combine this with replacing 26 lowercase possibilities with 10 digit possibilities in the last character. Thus you have $26^7 \times 10$. Dividing them out, a lot of 26s cancel, leaving you with a ratio of 26/10 or 2.6. (If you are not only bored with math but bored with people explaining math, skip this paragraph.)

Here, then, is the second obscenity. Pipex customers are less secure for taking Pipex's advice.

This is also the problem with trying to increase the number of characters people use in a password. If you tell them to use a capital letter, they will capitalize the first one. If you tell them to use a digit, it will usually be the last character and usually be a 1. If it's not a 1, it'll be (ooo, this is so cool) "4u" or equivalent.

In short, when you convince people that using their dog's name is a bad idea, at best they move from "fluffy" to "Fluffy14me".

Photo "#26 Power street" by jnoc.

Posted by mordaxus on August 9, 2007 at 7:01 PM in Amusements, awareness, personal security.

May 9, 2007

Food and Bacterial Risk Assessment

(Posted by arthur)

How clean is that piece of food that you dropped on the floor? Do you really want to eat it? Harold McGee explores the five-second rule in the New York Times. Personally, I always heard it as the thirty-second rule. I guess that it's a good thing I have a strong immune system.

Posted by arthur on May 9, 2007 at 7:53 AM in Amusements, personal security.

February 27, 2007

Rootkit on a Stick

(Posted by mordaxus)

The SnoopStick offers full realtime monitoring of another computer. It's Vista-ready, too, which perhaps says something about Vista security, or perhaps about people who have had trouble working with Vista, or both.

Any time you want to see what web sites your kids or employees are visiting, who they are chatting with, and what they are chatting about, simply plug in your SnoopStick to any Windows based computer with an Internet connection and a USB port. SnoopStick will automatically connect to the target computer.

There is other amusing information on the web site, such as:

All SnoopStick monitoring messages are sent through our data centers, and none of the information is stored here locally at any time. Additionally, all SnoopStick messages passing through our systems are encrypted with an industry standard encryption algorithm.

Solid Oak and its employees are not able to view any SnoopStick activity sent through our networks because of the encryption used by all components of the system. You can rest assured that the information gathered by SnoopStick is only accessible by the owner of that particular SnoopStick.

What a relief! An industry-standard encryption algorithm. Wanna bet it's in ECB mode, with known headers? And what about the IP addresses the messages are coming from, and so on. I'd love to see a security analysis of this thing. Even better would be to see what AV and anti-spyware systems will catch it, and if not then why not?

Picture of the SnoopStick shamelessly appropriated from their web site, because I didn't want their weblogs to get the information. It's bad enough to write about them at all.

Posted by mordaxus on February 27, 2007 at 7:37 PM in Jobs, Privacy, Security, information security, personal security.

February 24, 2007

Information Leaks

(Posted by mordaxus)

I was on the last flight back west on a Friday night, glad that it looked likely I was going to get home. Even better, I'd been upgraded. I flopped into my seat, pulling out the noise-canceling headphones, laptop power adapter, books, and all that other stuff that makes a long flight an oasis of irony.

The guy in the window seat was talking on the phone with the usual stuff you hear by people who are smart enough not to do business on the mobile. "Yeah, honey, I love you too." "Good to be home this weekend." That sort of washed over me as I thought, "Aww, that's sweet." (My SO and I text each other, and I was firing off a few equivalents, myself.) Then he said something that jolted me out of my hearing-yet-not-paying-attention.

The music of his voice shifted from rubato and legato to marcato and strict tempo. "You tell Connor," he said, "that when I get home, I don't want the first words out of his mouth to be, 'Where's my iPod?'" I suppressed staring, but my eyes bounced off of the end of their swivel pins.

I thought, "Dude, you stole your kid's iPod!" There was silence on his end, and I have no idea what she said. I just thought again, loudly, hoping his conscience might hear, "Guy! You stole your kid's iPod! I mean, jeez, I can see "borrowing" it once to see if you like this whole digital music stuff, but DFW's got a bleeding vending machine for the critters right at A19! Can't you at least bury a Shuffle in your expenses?"

So Connor, if you read this because we're 1337-ish, show this post to your dad. And if he's still being cheap, install Limewire on his laptop and start sharing Sinatra or something. Maybe the RIAA will notice.

photo courtesy of Michael P. Whelan.

Posted by mordaxus on February 24, 2007 at 11:59 PM in Air Travel, Security, personal security.

January 25, 2007

There are three types of authentication

(Posted by mordaxus)
They are:
  1. Something you've lost,
  2. Something you've forgotten, and
  3. Something you used to be.

Here is a sad tale of a man who has a failure on (3), realizes he's done (2), and his solution to the problem. It's a classic tale of how more is often less when it comes to security. Lest you think it, I am not making fun of his solution to the problem.

The sad part is that he thinks the problem is dependence on technology, when in fact it is the inappropriate use of technology, and the "ooo, shiny" technolust making you think that something is a good idea when it isn't. Other cases include electronic voting machines, RFID passports, airport fast-track systems, and so on.

photo courtesy of split-ends.

Posted by mordaxus on January 25, 2007 at 8:36 PM in Usability, personal security.

January 21, 2007

Information Security Needs

(Posted by mordaxus)

The NYT reports, "Rough Treatment for 2 Journalists in Pakistan" and indeed reporting is dangerous in countries where they do not respect the sort of basic rights we in the civilized world have championed for nigh 800 years.

However, a computer was seized, sources were roughed up and possibly jailed or killed:

Since then it has become clear that intelligence agents copied data from our computers, notebooks and cellphones and have tracked down contacts and acquaintances in Quetta.

All the people I interviewed were subsequently visited by intelligence agents, and local journalists who helped me were later questioned by Pakistan’s intelligence service, the Inter-Services Intelligence.

Come on. You don't have crypto? You've never heard of PGP (to name the obvious famous one)? That's so easy to find I won't even paste in the link. I hope when you get a new laptop you'll consider protecting your sources.

Posted by mordaxus on January 21, 2007 at 7:47 PM in Liberty, Privacy, information security, national security, personal security.

January 10, 2007

What Congress Can Do To Prevent Identity Theft

(Posted by mordaxus)
Seventy Percent of Americans think we need more laws to protect them from identity theft and all that.

I can think of a situation we need protection from. Here is a scenario. Let us take the case of a lender, Larry. We need a law to make it so that if Larry lends money to Alice, he cannot try to collect it from Bob. That's all we need. If we have that, we'll have all the legal protection we need to solve identity theft.

The threat of identity theft comes from Larry's business practices. Larry wanders around hawking credit. "Yo, Alice, Bob, either of you want to borrow some money for lunch? A car?" There are a lot of advantages to easy credit, but disadvantages as well. In addition to the usual ones of people amassing too much debt (whatever that means), identity theft is actually the result of easy credit.

Perhaps Larry is nearsighted, perhaps Larry is stupid. Perhaps Larry is dumb like a fox. However, what happens is that Alice borrows money from Larry and says, "I'm Bob." Larry marks that down, and then goes and hits up Bob for payment. Bob is understandably confused.

That's it, that's the security scenario of identity theft. We're going about solving it the wrong way, because the real cause of identity theft is Larry's business practices. I can (and probably will, in a future post) tell you how to reduce the chances of identity theft. These are actionable suggestions; they are things you can actually do. None of us can presently deal with the real problem, so we have to make do.

There is nothing in law, morality, or ethics that requires Bob to pay up when Larry lends to Alice. Unfortunately, we've all let Larry get away with it. We've made it be Bob's problem, when it isn't. Let's make no mistake here, Alice is committing fraud. But Larry is the enabler, and really not only owes Bob setting the record straight, but reimbursement for the trouble Bob had to go to because Larry is stupid (even if it's stupid like a fox).

If Congress wants to do something for consumers, it would be to require lenders to be responsible. Yes, this would crimp their style. For example, one bank sends my household mail for pre-approved credit cards at a rate of more than one per day. We used to shred them, but now we package everything up in the business reply envelope and send it back to them. Perhaps it would be part of the slow slide into tyranny for the nanny-state to effectively prevent banks from sending 400 credit-card offers to a single household per year, but the right to swing your arm stops at my nose, and the right to beg, plead, whine, and wheedle me to borrow more stops when you can't tell Alice from Bob.

An alternative solution would be for some ambulance-chaser to file a class action lawsuit. I think that it could be extremely successful, properly done. Contract law covers these cases, or at least it's mystifying to me why it doesn't.

Apparently, however, it seems that our current legal system does not support this intuitively obvious notion that bad business decisions do not create liability on some third party. If Congress wants to help people, it will do something simple and sane. It's not Bob's fault that Larry is stupid.

Photo of Larry The Lender courtesy of jonmc.

Posted by mordaxus on January 10, 2007 at 11:44 PM in ID Theft, Legal, Liberty, personal security.

December 29, 2006

Hey, Guys and Gals, Security is No Longer a Problem!

(Posted by mordaxus)
Here's the lead story in this week's CSO magazine. I'm sure glad we no longer have to worry about breaches or compliance and can focus on whether we're wearing the right things.

Posted by mordaxus on December 29, 2006 at 9:53 AM in Disaster Preparedness, Jobs, Liberty, personal security.

December 18, 2006

Gifts for the Cryptological Mind

(Posted by mordaxus)
Cryptological in this case meaning those who like thinking about the hidden.
Authorized Da Vinci Code Cryptex from The Noble Collection. It's very nice, made of good, solid brass. It avoids many combination lock issues. I tried some obvious ways you can cheat a letter from such a device and it was well-made enough that they didn't work. It's a nice bit of work.
Also, Japanese Hakone puzzle boxes from Pandora's Puzzle Boxes. These are beautiful inlaid wooden boxes that you have to open up by sliding pieces of the box around. They're rated by both size of the box and the number of moves needed to open it.

The puzzle box is both harder and easier than the Cryptex. You can brute-force the Cryptex in $26^5$ moves, but you know what the moves are. It's still a bit of a trick to know just how to slide the letters in place (that's a good thing) as well. I found that pleasing in the Cryptex. The sliders for each ring are analog with no wussy little ratchets.

If you have a 27-move Hakone box, it's only 27 moves, but you have to know what the moves are, and that's a challenge in and of itself. The boxes go all the way up to 78 moves. New boxes are a bit stiff, and so there's also a manual dexterity aspect to solving it, even if you know how to.

I recommend getting one of each. If the recipient has been naughty, put the solution for the Hakone box in the Cryptex and the Cryptex solution in the Hakone box. If the recipient has been very naughty, there are many opportunities for crypto-sadism. You can put a crib in the Cryptex's setting of the initials of some significant person or place. You can put a clue to the Cryptex solution rather than the solution itself in the Hakone box. Add more boxes for more fun.

Posted by mordaxus on December 18, 2006 at 5:23 PM in Amusements, art, personal security.

November 11, 2006

Two On Identity

(Posted by adam)
There's the Budapest Declaration on Machine Readable Travel Documents:
By failing to implement an appropriate security architecture, European governments have effectively forced citizens to adopt new international Machine Readable Travel Documents which dramatically decrease their security and privacy and increases risk of identity theft. Simply put, the current implementation of the European passport utilises technologies and standards that are poorly conceived for its purpose.
The Budapest declaration is via Bruce Schneier. Next up we have USA Today on "If it's really you, what color is your car?" via both Pogo Was Right and Dan Solove, who opines in "Verifying Identity: From One Foolish Way to Another"
The problem with using this method is that the information in public databases is often riddled with errors. Why do banks need to go behind your back to snoop out information about you? Banks and financial institutions already have a relationship with you -- after all, you established an account with them. They can use some of the information they gathered at that time to establish your identity and then ask you to supply additional information to help identify you. But going behind people's backs and trolling public records for data does not strike me as a particularly effective method given the possibility for errors in those records.
The disdain of banks for their actual customers, those pesky, diverse, demanding idiots, grows by the day, and grows with every regulation which distracts and drags down the level of "service" on which they might otherwise compete.

Photo: self-portrait by j_photo.

Posted by adam on November 11, 2006 at 1:06 PM in ID Management, Privacy, personal security.

September 1, 2006

Inconceivable Levels of Destruction

(Posted by adam)
There's been a great deal of talk around the London plot about the impact of the destruction of ten airliners. Senior US officials called it inconceivable.

Now, destroying 10 planes might be murder on the scale of 9/11. It would certainly be shocking and despicable. I'd like to point out that the Iraqi people can certainly conceive of that level of terrorist violence, because they underwent it in July, having lost 3,438 people.

Posted by adam on September 1, 2006 at 12:26 AM in Terrorism, national security, personal security.

August 26, 2006

Nasty, Poor, Brutish and Short: Somalia

(Posted by adam)
Life in Somalia seems truly awful, and, like Hobbes, many are willing to turn to a very powerful government to fix it. See Ethan Zuckerman's "Somalia Update," which points to "The Path to Ruin" in the Economist.

Posted by adam on August 26, 2006 at 12:44 PM in personal security.

August 15, 2006

Birthday paradox bites FEMA

(Posted by cwalsh)

Via the SacBee:

WASHINGTON (AP) - FEMA will replace locks on as many as 118,000 trailers used by Gulf Coast hurricane victims after discovering the same key could open many of the mobile homes.

One locksmith cut only 50 different kinds of keys for the trailers sold to FEMA, officials said Monday

The article continues:

That means, in an example of a worst-case scenario, one key could be used to unlock up to 10 mobile homes in a park of 500 trailers.

Uh, no. Actually, worst-case would be one key opens every trailer. Ten is the expected value (assuming randomly distributed locks).
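The arithmetic behind that correction, as an added example (not from the original post or the AP article). It assumes each trailer's lock is drawn uniformly at random from the 50 key types, the assumption the post states, and it also computes the birthday-style figure the title alludes to.

```python
"""Expected value vs. worst case for 50 key types in a 500-trailer park."""
import random
from collections import Counter

KEY_TYPES = 50     # distinct keys cut by the locksmith (from the article)
PARK_SIZE = 500    # trailers in the article's example park


def expected_trailers_per_key(trailers=PARK_SIZE, keys=KEY_TYPES):
    """Average number of trailers a single key opens: the article's 'ten'."""
    return trailers / keys


def prob_some_pair_shares_key(trailers, keys=KEY_TYPES):
    """Birthday bound: chance that at least two of `trailers` share a key."""
    if trailers > keys:
        return 1.0  # pigeonhole: a shared key is certain
    p_all_distinct = 1.0
    for i in range(trailers):
        p_all_distinct *= (keys - i) / keys
    return 1.0 - p_all_distinct


def smallest_group_with_likely_match(keys=KEY_TYPES, threshold=0.5):
    """Fewest trailers for which a shared key is more likely than not."""
    n = 1
    while prob_some_pair_shares_key(n, keys) < threshold:
        n += 1
    return n


def simulate_park(trailers=PARK_SIZE, keys=KEY_TYPES, seed=2006):
    """Assign keys at random; return (most, fewest) trailers any key opens."""
    rng = random.Random(seed)
    counts = Counter(rng.randrange(keys) for _ in range(trailers))
    per_key = [counts.get(k, 0) for k in range(keys)]
    return max(per_key), min(per_key)


if __name__ == "__main__":
    print("expected trailers per key:", expected_trailers_per_key())
    print("group size where a match is likely:",
          smallest_group_with_likely_match())
    most, fewest = simulate_park()
    print("one simulated park: most-shared key opens", most,
          "trailers, least-shared opens", fewest)
```

Even under random assignment, the most common key in a simulated park cannot open fewer than the average of ten trailers, so "up to 10" describes the mean and not an upper bound.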


There's already a single "key" that opens every trailer door. It's called a hammer. It isn't clear to me that replacing these lock cylinders is a smart way to spend money.

Would it be unreasonable to ask the users of these trailers to foot the bill for the new lock cylinders themselves? Seems that making this a FEMA-managed task will increase the total cost, and probably delay the fix.

What do others think?

Posted by cwalsh on August 15, 2006 at 10:20 AM in personal security.

August 9, 2006

RFID IED QED

(Posted by arthur)

Is that enough acronyms yet? In Adam's previous post, Justin Mason commented:

There's another danger of this -- even if the number is an opaque ID, the *presence* of the RFID chip means that an attacker can remotely detect the presence of an I-94, therefore a foreign passport, therefore a tourist ripe for a mugging (or whatever the attacker may have in mind).

This brings me back to my post from yesterday about RFIDs in passports. As our friends at Flexilis have shown us, this can get even more insidious. To wit:

Additionally, it may be possible to determine the nationality of a passport holder by “fingerprinting” the characteristics inherent in each country’s RFID chips. Taken to a logical extreme, this security vulnerability could make it possible for terrorists to craft explosives that detonate only when someone from the U.S. is nearby.

Check out their video of the risk of an unshielded RFID...

Posted by arthur on August 9, 2006 at 1:47 PM in Current Events, National ID, Privacy, Terrorism, national security, personal security.

August 8, 2006

Attack of the Clones?

(Posted by arthur)

EKR is the voice of reason when he points out that of course RFID passports are clonable, responding to all the press brouhaha about Lukas Grunwald's demonstration at Black Hat showing that an RFID passport can be duplicated using off-the-shelf parts. This outcome is hardly surprising; it is yet another side effect of using an inappropriate technology for an inappropriate situation.

This, combined with Flexilis's discovery that the shielding of the new RFID passports is completely inadequate, means that a passport could possibly even be cloned at a distance.


Posted by arthur on August 8, 2006 at 11:36 AM in information security, national security, personal security.

May 9, 2006

Breach Notification, the New Normal, and a New Metaphor

(Posted by adam)
Ever wonder if banks are required to tell customers when their systems are hacked? You may be shocked to learn that they are not.
Wow. Fifteen months since Choicepoint, and that's being written? There's a new set of expectations out there, and it hasn't taken long to set. Thank you, Choicepoint. The quote leads an article, "Are Banks Required To Give Notice of Database Hacks?" on