Mac “Virus”

There’s an alarmist headline at MacSlash about a new mac virus. It’s been picked up in a bunch of places. The commenters correctly identify it as a rootkit, not a virus. A rootkit is a program you install, after a break-in, to hide your tracks.

It’s not even a sophisticated rootkit. It’s stunningly primitive. Reading it, I felt that I’d gone back to 1995 or so. It doesn’t even change ps or ls to hide itself.

It certainly doesn’t spam itself to other users, it doesn’t hide itself in documents so that it spreads when you send them, it doesn’t include any way to break into your computer. If someone adds it to one of those, a mac will still require that you enter a password before running most of those commands. (And there’s no code to prompt for a password.)

At some point, there will doubtless be viruses for the mac that deserve press. This doesn’t.

Organization in the way: how decentralization hobbles …

Another interesting article from Peter Merholz closes with:

Until now, user experience efforts have been focused on building teams that practice user-centered design (UCD). However, researchers at User Interface Engineering recently discovered that the size of an organization’s UCD practice is somewhat inversely proportional to the site’s usability. You read that right: Companies that invest in usability seem to be creating marginally worse products. If you consider the problem of design in modern organizations, there’s a clear explanation for this seeming oxymoron. The more a company invests in UCD, the more likely it is to create a separate UCD group or department. This group then plays the role of “interface cop,” reviewing everything before it goes out. Of course, this bottlenecks development processes; thus, the UCD department becomes a point of pain to route around.

You can just drop in “security” for “UCD” and I bet the same thing will hold. Too many security groups are in the role of gatekeeper, not collaborator. They are charged with poor goals such as “no break-ins,” which are hard to evaluate, hard to tie to ROI, and may miss larger issues, such as phishing.

One of the better groups I know has the title “Loss Prevention” on the org chart. Names are powerful things, as are goals. Choose them carefully.

“Metadata for the masses”

In “Metadata for the masses,” Peter Merholz presents an interesting idea, which is to build a classification scheme from free-form data that users apply. He points to Flickr’s “Cameraphone” category, which would probably not exist if there were only a pull-down list.

He also points out problems: many categories for one thing (nyc, NewYork, NewYorkCity), one category that means many things (“Flow, for instance, can either mean optimal creative experience, or the movement of a fluid”), and categorizations that are wrong.

I think there’s a tie here to memes, or ideas which encourage you to adopt them. If I see a tag which strikes me, is evocative to me, or I see as useful, I’m likely to use it myself. If I create a tag which I find evocative, but no one else does (say, “Bastiat-ic”), it’s unlikely to get picked up. I am a big fan of evolutionary, or memetic, systems like this, and am sorely tempted to try to include it in my project, but the goal of that project isn’t actually to create a taxonomy; it’s to create a useful naming scheme. I think a taxonomy is part of that, but others who get a say in the final analysis disagree, and so I’d like to focus on getting a taxonomic name space, rather than a cool evolutionary method for creating it.

(Via Nudecybot. Oh, and it’s too bad that there’s no RSS on Merholz’s page. I’d like to see their essays, but not their “appearance dates and other news.”)

What a Great Review

NudeCybot sent me a link to an interesting looking book on “Sorting Things Out.” I found this review resonated with how I often feel reading academic work:

This tragic book is full of important ideas and significant research, but it’s so poorly written you hardly notice. Other reviews kindly describe its style as “academic,” but it’s just bad writing. It’s really shocking that publishers still consider this kind of jargon-filled nonsense acceptable to publish outside of the UMI thesis-reprint circuit. (I write professionally, so I’m not unqualified to make this assertion.)

After making a cogent point with examples and internal references, the authors feel the need to bridge to the next section with this clotted delight:

“Leaking out of the freeze frame, comes the insertion of biography, negotiation, and struggles with a shifting infrastructure of classification and treatment. Turning now to other presentation and classification of tuberculosis by a novelist and a sociologist, we will see the complex dialectic of irrevocably local biography and of standard classification.”

Wha? What you mean to say is:

“This tension between personal experience and clinical priorities plays a large part in our current understanding of ‘tuberculosis.’ To further examine this tension, we will now examine the personal tuberculosis stories of a novelist and a sociologist.”

He’s spot on. I often find myself, when writing for academic conferences, adopting this sort of turgid, convoluted, overly wordy style, choosing to consistently refer to myself in the plural, and using too many commas to show you, tediously, how smart (and, parenthetically, how clever), I must be. If English isn’t your first language, you’re entirely forgiven for writing in German, and translating.

As the Economist likes to point out, short words are best. Their Style Guide takes a few more words, but has extra details.

2-Fingerprint Border ID System Called Inadequate (washingtonpost.com)

Rep. Jim Turner (D-Tex.) wrote that a study by researchers at Stanford University concluded the two-finger system “is no more than 53 percent effective in matching fingerprints with poor image quality against the government’s biometric terrorist watch-list.” Turner said the system falls far short of keeping the country secure.

It’s not clear to me why they use this system, which a great many people (correctly) feel treats all visitors to the US as criminals, and now turns out to be inaccurate. A hand-geometry system would be more accurate, harder to alter, and less offensive.

(From 2-Fingerprint Border ID System Called Inadequate (washington post).)

Efficient Markets and Prediction

In a post below, I quoted my friend Craig commenting on the differences between election sites and the IEM.

Steven Landsburg had previously commented privately that IEM together with TradeSports is inefficient. By playing one against the other you could make money on either likely outcome of the election.

So, if these markets were efficient, that wouldn’t be possible.

Security Signaling

Signaling is a term from the study of lemons markets. A lemons market is a market, such as in used cars, where one party (the seller) knows more than the buyer. There are good cars (peaches) and bad ones (lemons). The buyer is willing to pay a fair price, but can’t distinguish between the cars. The buyer won’t pay a peach price for a lemon car; as a result, the price for used cars drops to the price of a lemon. The concept was introduced in 1970 by George Akerlof in “The Market for ‘Lemons’.”

A few years after the Lemons paper came out, Michael Spence wrote a set of papers in which he asked, why do students pay for education? The answer he came to was that it was a useful signal to employers that the student is the sort of person they’d like to hire.

How does all of this apply to security? This is long enough that it’s in an extended entry…


Notational Velocity

Andrew Stewart pointed me to Notational Velocity, an interesting little note taking app. It’s a little disconcerting at first, because you only have one note area, and the way to create a new note is to just overwrite the old title. (There’s a menu item to rename something.)

But worth checking out if you’re a mac user. And the photoshop on the page is pretty cute.

“Television cameras captured the moment the Cuban leader fell”

Unfortunately, the BBC is simply reporting on him falling over, not on his 45 year dictatorship being toppled, the Cuban people gaining a measure of self-determination, or the freedom to speak one’s mind:

A few blocks away, a 27-year-old man who didn’t want to give his real name had some advice for the only president either he, or his father, has ever known: “Take a break.”

He checked over his shoulder in case anyone was listening, before whispering: “It is about time Cuba had a new history.”

Secondary Screening: JetBlue FOIAs

Ryan Singel has a long and worthwhile post at Secondary Screening on the JetBlue FOIAs.

I have only one thing to add, which is that his closing line somewhat misses the mark:

But this issue is not going away as there is at least one report coming out soon that will further complicate the debate over how to keep terrorists off airplanes.

No, it will “complicate” the debate over if or how to best track all Americans and visitors as we travel around our country.

But I’m forced to forgive him after such a long and interesting post over the mechanics of it all: the newspeak does draw one in.

The Tree of Life, COI-ly

The September 30th issue of the Economist points to an article in PLoS Biology by Hebert, et al, discussing a new technique for identifying species. The technique relies on the mitochondrial gene for cytochrome c oxidase I (COI), a 648 base-pair gene. [1]

This technique helps settle the question of “Is Astraptes fulgerator one species or several?”[2]. The adult butterflies in question all look alike, but there are important variations in the caterpillar forms.

Which, as I struggle to create a taxonomy for a specific set of computer security issues, shows that I am doomed to fail, and that may just be ok.

[1] Who the heck told them they could throw a ‘c’ out in the midst of a protein name like that? Do these people have no respect for the English language?
[2] It was keeping me awake at night, too. (As many as 10 species in Costa Rica alone.)

So Cynical, I Wish I’d Thought of It.

My friend Craig Sauer wrote:

In the spirit of equal time, here’s what’s keeping me from being optimistic about Kerry’s chances: The Iowa Electronic Markets.

You’ll have to read on the site to get the real skinny, but basically, the IEM is a real-money futures market where people make informed “bets” about who is going to win. Its predictive power is very different from polls, because it asks its participants who is more likely to win rather than who the participants favor. For example, if the futures market was based on which presidential candidate will win California’s electoral votes, even Bush supporters would pay lots more for Kerry shares than Bush shares. The market relies on its participants having collective knowledge that predicts the outcome.

One would think, based on the recent trends in polls, and how nice things are looking at electoral-vote.com, that Bush shares would be dropping and Kerry shares on the rise. But this is not the case.

So what do the IEM traders know that the polls aren’t showing? Probably that the smart money assumes that Bush has Florida and Ohio fixed. The polls are showing how the voters will vote. They aren’t showing how the vote count will turn out.

Hackers sabotage Waikato (NZ) food company

Computer hackers have emailed 3000 of the company’s customers, saying a company product – lamb chips – is being recalled due to an infectious agent, and the warning has since been posted on internet message boards.

Sad as it is for Erik Arndt and Aria Farm that this has happened, I think this is interesting as a foretaste of what’s to come as more business happens mostly online, and there’s money to be made in hacking.

“Fine store you’ve got here — shame if your customers were to get email announcing that your credit card database had been stolen…We can help you with that…”

Protecting your revenue stream from this sort of disruption is a fine way to justify security spending. Compare and contrast with “trust,” as suggested in the Computerworld story below.

(From a story in STUFF.)

“What your CEO thinks about security”

Larry Ponemon writes:

Unfortunately, CEOs have persisted in focusing on four basic questions that too often stump the most savvy IT professionals:

  • What is the security return on investment?
  • What is the probability of a catastrophic security failure?
  • What is the cost of self-insuring against security risks?
  • What are the tangible benefits of being an industry leader for security?

Unfortunately? It sounds to me like tending to fiduciary duty before spending money.

There’s some great insight into CEO attitudes towards security in here. But the people who need attitude adjustment are the security experts who think that our discipline deserves special treatment and attention. We need to start answering those fundamental questions, then we can look to see budgets that are more to our liking.

(From What your CEO thinks about security (and how to change it) Computerworld, via Info Security News.)

Neal Stephenson at /.

In order to set her straight, I had to let her know that the reason she’d never heard of me was because I was famous.

Mind you, much of the authority and seniority in that world is benevolent, or at least well-intentioned. If you are trying to become a writer by taking expensive classes in that subject, you want your teacher to know more about it than you and to behave like a teacher. And so you might hear advice along the lines of “I don’t think you’re ready to tackle Y yet, you need to spend a few more years honing your skills with X” and the like. All perfectly reasonable. But people on the Beowulf side may never have taken a writing class in their life. They just tend to lunge at whatever looks interesting to them, write whatever they please, and let the chips fall where they may.

Slowly I gained the upper hand, for, on defense, [William Gibson’s] Praying Mantis style was no match for my Flying Cloud technique.

Go read it.