“Not the Blitz”

So says SteveC, and he’s right: It’s a relatively small group of criminals. At the same time, I can’t agree with his feeling that “These bombings occurred in all probability because of our unprovoked invasion.” The United States was attacked before we invaded Iraq or Afghanistan. People who will kill civilians on the tube are evil, and will look for excuses for their evil. We ought to challenge those reasons, and not accept their evil, or the twisted logic they put forth to justify it.

[update: In a comment, Jim Horning pointed out that Iraq did not attack the United States. And while I could bob and weave, I’ll simply say “thanks Jim!” and my apologies for the inaccuracy.]

Small Bits: Privacy for Infringers, IEEE Cipher, Oracle, Footnotes, and a Mug


  • Michael Geist continues to take the Privacy Commissioner’s office to task for protecting the privacy of infringers:

    Moreover, the Commissioner canvassed other banks and found that at least two others did allow their customers to opt-out of such marketing. Now if only the Commissioner would reveal which banks respected their customers’ privacy and which decided to fight its customer in order to continue to market to them against their wishes.

  • The Volubis Infosec News blog mentions that “The latest Cipher newsletter” (July) was just brought online.

  • At SecurityFocus, Rob Lemos has an article, “Oracle taken to task for time to fix vulnerabilities.” I think it’s clear that the threat of uncoordinated disclosure is valuable: it has made such long gaps between the report of a bug and the release of a fix rare.
  • Josh Gruber presents a view of footnotes on the web at “About the Footnotes.” Stefan Geens has another, which I think is gorgeous, and I look forward to re-designing my site so I can use his marginalia design. (That requires, I think, getting rid of all that sidebar stuff, which should be somewhere. I’d like that somewhere to be pop-open lists, but that seems to require JavaScript. I prefer to design without JavaScript, so I’m stuck until I have time to figure it out.)
  • Start the day off wrong: Drink from the Disappearing Civil Liberties Mug.

These cruel, wanton, indiscriminate bombings

With London being attacked again, I am heartened to see that the attacks were (apparently) less effective, and otherwise defer to the wisdom of Sir Winston Churchill:

These cruel, wanton, indiscriminate bombings of London are, of course, a part of Hitler’s invasion plans. He hopes by killing a large number of civilians, women and children, that he will terrorize and cow the people of this mighty imperial city and make them a burden and an anxiety to the government and thus distract our attention unduly from the ferocious onslaught he is preparing.

Little does he know the spirit of the British nation or tough fibre of the Londoners whose forebears played a leading part in the establishment of the parliamentary institutions and who have been bred to value freedom far above their lives.

This wicked man, the repository and embodiment of many forms of soul-destroying hatred, this monstrous product of former wrongs and shame, has now resolved to try to break our famous Island race by a process of indiscriminate slaughter and destruction.

What he has done is to kindle a fire in British hearts, here and all over the world, which will glow long after all traces of the conflagration he has caused in London have been removed.

He has lighted a fire which will burn with a steady and consuming flame until the last vestiges of Nazi tyranny have been burnt out of Europe, until the Old World – and the New – can join hands to rebuild the temples of man’s freedom and man’s honour, upon foundations which will not soon or easily be overthrown.

Winston Churchill, Sept 11, 1940

(The version above is taken from Mike Campbell.net, and is the most complete version I can find.)

Elizabeth Blodgett Hall, 1909-2005

Elizabeth Blodgett Hall, 95, founder of Simon’s Rock College, died July 18 at Geer Nursing and Rehabilitation Center in Canaan, Conn.

In 1964, with 200 acres of her family’s land and a grant of $3 million from the Margaret Kendrick Blodgett Foundation — a charitable educational trust established by her mother — she founded America’s first “early college.”

The idea for Simon’s Rock grew out of her conviction that the American secondary school was failing to adapt to the changing nature of adolescents, who were maturing earlier and who were anxious to accept academic and personal challenges and responsibilities that their high schools did not provide.

She believed that many bright young people can do college work before the normal age of high school graduation, and she defined the mission of her college as providing such students with the opportunity to begin college after the 10th or 11th grade. The college was chartered by the state in 1964.

(From the Berkshire Eagle obituary. In closely related news, Saturday’s New York Times had a story, “Students Say High Schools Let Them Down.”)

Who Has Time For This, Indeed?

David Cowan has a nice post on technologies he won’t fund, and why. It’s a great post. More investors should be up front about what they’re not interested in.

Bessemer has funded 16 security startups–more than any other traditional VC firm–but there are some areas of security that even we have never funded, despite the large number of these projects getting funded elsewhere. These opportunities fall into my Anti Road Map (without which I could never focus on my real road map)…

Cardsystems Death Penalty?

“CardSystems has not corrected, and cannot at this point correct, the failure to provide proper data security for those accounts,” said Tim Murphy, Visa’s senior vice president for operations in a memorandum sent to several banks. “Visa USA has decided that CardSystems should not continue to participate as an agent in the Visa system.”

So reports the New York Times in “Visa to Bar Transactions by Processor,” via ISN.

This is sad for Cardsystems, and annoying for their customers, but an extreme response every now and then can help focus the mind wonderfully.

More on the FBI and ACLU

Over at Volokh, Orin Kerr writes “The New York Times ACLU Story Begins to Look A Bit Fishy.” The essence of Kerr’s argument is that with the ACLU’s request for any document mentioning the ACLU, of course they’re going to get a lot of documents:

I should point out that it is at least theoretically possible that all of the documents that “refer” to the ACLU are actually “on” the ACLU. At the same time, my tentative sense is that Lichtblau’s story may have a significant error.

So this seems to be plausible. The way that Federal agencies interpret the Freedom of Information Act compels citizens to make broad requests. Naturally, the FBI has lots of documents that mention the ACLU. There are doubtless over 1,200 pages of lawsuit memoranda alone.

But if this is the case, why are there over twice as many documents about Greenpeace? (2,383 Greenpeace, 1,173 ACLU.) It would seem reasonable that the ACLU would be mentioned all over the place. So, for now, I’ll stay with the “on” hypothesis: That whatever spin may be in the press release, the FBI has been compiling dossiers on the ACLU.

Also, Daniel Solove has a good update to his article discussing the trust aspects of the FBI and the ACLU.

Oh, That’s Why


Last week, I asked,

Now, if Evan Kohlmann can get to this gathering, and if John Walker-Lindh can meet bin Ladin, why haven’t we penetrated and shut down more groups which are openly calling for murder?

Today’s New York Times has the answer in “Large Volume of F.B.I. Files Alarms U.S. Activist Groups:”

WASHINGTON, July 17 – The Federal Bureau of Investigation has collected at least 3,500 pages of internal documents in the last several years on a handful of civil rights and antiwar protest groups in what the groups charge is an attempt to stifle political opposition to the Bush administration.

The F.B.I. has in its files 1,173 pages of internal documents on the American Civil Liberties Union, the leading critic of the Bush administration’s antiterrorism policies, and 2,383 pages on Greenpeace, an environmental group that has led acts of civil disobedience in protest over the administration’s policies, the Justice Department disclosed in a court filing this month in a federal court in Washington.

Way to allocate resources, guys. As the Economist once said, “we now accept unreservedly that we should have always known the Bureau was bound to cock it up in the end.”

Acxiom, 8.2 GB of love, Bad Password

In “Acxiom’s High Tech Hacker,” Ryan Singel describes how Scott Levine downloaded 8.2 GB of data that customers had uploaded to an Acxiom FTP server. The server was misconfigured, and anyone who could log in could see other customers’ data.

“According to law enforcement, the individual arrested was a known sophisticated hacker. He evidentially gained access through hacking of encrypted passwords.”

“Evidentially,” indeed. Do you really want to let these people decide when a breach is a threat to their customers? What if they’d accidentally configured their IDS with the same password?

Fingerprints at Disney: The Desensitization Imperative

The Walt Disney Corporation has started fingerprinting all visitors to their parks. They claim, incorrectly, that the fingerprint scans can’t be turned into pictures of fingerprints.

True Americans understand that fingerprinting is for criminals. A presumption of guilt — of criminality — underlies a company taking your fingerprints. In “Welcome to Disney World, please let us scan your fingers,” Eric Rescorla lays out that Disney’s motivation is to “price discriminate.” Being at a Disney park for 3 days is $171, 10 days is $208. So a neighborly thing to do is sell or give away the second half of your 10 day ticket. This is very similar to why airlines check your ID: Not for security, but to allow them to maintain high prices on one-way tickets. Closely related is Andrew Odlyzko’s work, which I’ve discussed in “Economics of Price Discrimination.”

If I were Disney management, famed for customer service and stinginess, I might realize that the deterrence value of the system is high enough to achieve the effect that I want, even if I don’t turn the system on. I don’t need to actually use the fingerprints, deal with the errors (what the biometric industry cutely calls the “insult factor”), or worry about speed.

This could be security theater at its most useful. You deploy a bunch of fingerprint readers. Then you watch ticket scalping fall through the floor. It’s a cheap way to protect their revenue stream. Too bad about the unfortunate societal side effects.

So let me talk about the societal impact of treating your customers like criminals.

The first impact is that you’ll raise a lot of people’s blood pressure, and get them to swear they’ll never go to Disneyworld again. That’s ok, I haven’t been in twenty years anyway. So that’s probably small.

Second, and more important, is the creeping normalization of fingerprinting. We’ve already seen that such systems, even in tightly controlled conditions, produce some problems. (I’m actually surprised at how few problems are reported, but if a US visitor’s fingerprints don’t match the computer, the problem is a large one.) This normalization is probably intended. There are alternate systems, such as hand geometry, which do as well or better, are less stigmatizing, and are harder to cheat. So why don’t we see more of them?

Some people might ask, what’s the problem with using fingerprints?

There are several. The first is that fingerprints carry a mystique and stigma which interferes with reasoning about them. That your fingerprint is unique does not mean that a computerized fingerprint reader will properly and uniquely identify you: the reader compares a noisy scan against a stored template, and every such comparison has a false-reject and a false-accept rate. You leave your fingerprints everywhere. This is what makes them useful to law enforcement. But it also makes them easy to forge. Fingerprints are also hard to change. And finally, fingerprints are easy to steal…well, sometimes a picture is worth a thousand words.
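To make the error-rate point concrete, here is an added example (mine, not code from the original post, from Disney, or from any biometric vendor) that works through how false rejects and false accepts scale with traffic. The visitor counts, impostor counts and error rates are constructed assumptions for illustration, not published figures for any deployed system. The third function goes slightly beyond the Disney turnstile case: it shows the 1:N identification problem (a watch-list check of the US-VISIT kind), where a per-comparison false-match rate that looks tiny becomes near-certain once the gallery is large.

```python
"""Added example: how biometric error rates turn into "insults" and
missed impostors at scale. All numbers below are constructed assumptions."""

import math


def expected_false_rejections(visitors: int, frr: float) -> float:
    """1:1 verification (ticket template vs. live finger).

    Expected number of legitimate ticket holders turned away per period:
    the biometric industry's "insult factor", as a headcount.
    """
    if not 0.0 <= frr <= 1.0:
        raise ValueError("frr must be a probability")
    return visitors * frr


def expected_false_accepts(impostors: int, far: float) -> float:
    """1:1 verification: expected number of borrowed or scalped tickets
    that pass because the impostor's finger happens to match the template."""
    if not 0.0 <= far <= 1.0:
        raise ValueError("far must be a probability")
    return impostors * far


def identification_false_match_probability(far: float, gallery_size: int) -> float:
    """1:N identification (probe finger vs. every enrolled template).

    Assuming each comparison is an independent trial with false-match
    probability `far`, the probability that the probe falsely matches at
    least one of N enrolled people is 1 - (1 - far)**N. This is why a
    "unique" fingerprint does not imply unique identification by a machine.
    """
    if not 0.0 <= far <= 1.0:
        raise ValueError("far must be a probability")
    if gallery_size < 0:
        raise ValueError("gallery_size must be non-negative")
    return 1.0 - (1.0 - far) ** gallery_size


def gallery_size_for_false_match_probability(far: float, target: float) -> int:
    """Smallest gallery size N at which the 1:N false-match probability
    reaches `target`. Solves 1 - (1-far)**N >= target for N."""
    if not 0.0 < far < 1.0 or not 0.0 < target < 1.0:
        raise ValueError("far and target must be strictly between 0 and 1")
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - far))


if __name__ == "__main__":
    # Constructed scenario: a park with 50,000 guests a day, 500 of whom
    # are using someone else's multi-day ticket, and a reader with a
    # 2% false-reject rate and a 0.1% false-accept rate.
    visitors, impostors = 50_000, 500
    frr, far = 0.02, 0.001
    print(f"insulted legitimate guests/day: {expected_false_rejections(visitors, frr):.0f}")
    print(f"scalped tickets waved through/day: {expected_false_accepts(impostors, far):.1f}")

    # Constructed identification scenario: a watch-list check with a
    # per-comparison false-match rate of 1 in 100,000.
    for n in (100, 10_000, 1_000_000):
        p = identification_false_match_probability(1e-5, n)
        print(f"gallery of {n:>9,}: P(false match to someone) = {p:.4f}")
    print("gallery size at which a false match becomes a coin flip:",
          gallery_size_for_false_match_probability(1e-5, 0.5))
```

With the constructed 2% false-reject rate, a park that really turns the readers on insults about a thousand paying guests a day, which is the cost Disney avoids if deterrence alone does the job. The identification figures show the other half of the argument: at a false-match rate of one in a hundred thousand, a gallery of a million people makes a spurious match to someone almost certain.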

Dear Adium People…

You make a very nice client. But the “Remove Contact” menu item in the Contact menu is fucking broken. It is not clear that “Remove Contact” means “Blow away this entire group of contacts.” How about (1) making the item name plural, and (2) adding the list of contacts to be deleted to the warning dialog?


Finally, private to a bunch of folks: if I don’t IM you for a while, please don’t take it personally.

David Cowan Blogging

David Cowan (Hi David!) is the partner at Bessemer Ventures who is responsible for their security portfolio. So I’m hoping that he sticks with his new blog, “Who has time for this.”

His post about Too Many Security Startups? is fascinating:

The night I closed our investment in my 12th data security deal, Cyota, my wife Nathalie took me to see the Bourne Supremacy in Mountain View. On the way, she asked why I seem to keep investing in what sounds like the same company over and over.

His answer goes beyond the obvious “Because people keep buying them!” and explains why that is, and why it will continue to be that way.

(Via Brad Feld.)

A New Birth of Freedom in Iraq?

The Committee to Protect Bloggers reports that prominent Iraqi blogger Khalid Jarrar has been taken into custody by the Iraqi mokhabarat, or secret service. Jarrar is author of Secrets in Baghdad and is the brother of Raed from Raed in the Middle.

B.L. Ochman has the scoop. Raed has more.

If the United States is serious about “building the institutions of a free society, a society based on freedom of speech, freedom of assembly, freedom of religion, and equal justice under law,” then the United States will doubtless object, loudly, to secret arrest and detention. (Quote from President Bush, June 28 address.)

I’m with Curt Hopkins, who says “If Khalid is being charged with something, charge him, and do so in the light of day.”

Small Bits of Irony