Not Because It Is Easy, But Because We Can


Twelve barrels of the world’s most alcoholic whisky, or enough to wipe out a medium-size army, will be produced when the Bruichladdich distillery revives the ancient tradition of quadruple-distilling today. With an alcohol content of 92 per cent, the drink may not be the most delicate single malt ever produced but it is by far and away the world’s strongest. Malt whisky usually has an alcohol content of between 40 per cent and 63.5 per cent.

Mark Reynier, Bruichladdich’s managing director, said: “We are doing this because we have this ancient recipe and therefore we can. It is unlikely that we will ever produce any more quadruple distilled malt again, so we expect it to become much sought after.”

(From the Times Online, via DM. I wonder if they’re patenting the process?)

Patents and Innovation

dog-cakes.jpgIn responding to “New Products, Emerging from Chaos,” Albatross makes a good comment about how the RSA patent expiry didn’t lead to an immediate outpouring of new products. Albratross also mentions how transaction costs encourage people to look for new ways to solve a problem. Mordaxus says there has been an explosion in the use of cryptography since the RSA patent expired — it just took a while.

Even though neither commenter mentioned it, I want to start with the issue of language, which is the elephant in the room. The most trenchant critique of the system involves language. There are important disconnects between the words used to describe the patent system, and the reality of the system.

The way the courts interpret “new” and “non-obvious” has lost all relation to the plain language meaning of the words. That disconnect drives a great deal of anger at and disdain for the system. The form in which software patents have evolved means the original bargain, of disclosure for protection, does not work in my field. Software engineers don’t read patents. They are, almost without exception, incomprehensible. I recall being shocked to hear that chemists actually read each other’s patents.

Continue reading

On Computers and Irony

I’ve been saying for a while that destroying information has an ironic tendency: While it’s quite hard to really destroy data on a computer when you want to, (for example, “Hard-Disk Risk“) it’s quite easy to lose the data by accident.

Similarly, while it’s quite hard to make code that runs and does what you want, it seems to be quite hard to make code that does all that, and also doesn’t run when you don’t want it to. As is illustrated by “OSx86 10.4.4 Security Broken. (Guess Who Done It?).” In this case, the security they’re referring to is the ability of the OS to only run on Apple hardware.

Ironic. It feels like it ought to be easier.

How Much Does A Firewall Reduce Your Risk?

firewall-shirt.jpgIn a recent post, “The Future Belongs To The Quants,” Chris suggests that risk mitigations must be quantifiable. My post “In The Future, Everyone Will Be Audited for 20 Years,” lists what the FTC is requiring for risk mitigation. It seems none of it is quantifiable. Chris?




(Incidentally, I think this iptables shirt may be the single geekiest t-shirt I have ever seen, including the vendor room at probably 10 Defcons. From lilit’s photostream.)

Analysis of University of Texas, 4,000 encrypted SSNs, Laptop

admit-nothing.jpgThere is no such thing as perfect security. This week, Arthur commented on “40 Million Pounds Sterling Stolen from British Bank.” Mistakes do happen, and its nice to see that not only did the M.D. Anderson Cancer center ensure that their data was stored encrypted, they chose to notify people that it happened:

The private health information and Social Security numbers of nearly 4,000 patients of the University of Texas M.D. Anderson Cancer Center are at risk after a laptop containing their insurance claims was stolen.

Patients and patients’ families were notified this month of the theft, which occurred in November at the Atlanta home of an employee of PricewaterhouseCoopers…

“The laptop that was stolen does have sophisticated encryption software, so it will be very difficult for someone to access patient information,” Carrie Lyons, M.D. Anderson’s chief privacy officer, wrote in a Jan. 30 letter. “Even though it will be difficult for someone to access patient information, we feel you should be informed of this incident.”

Continue reading

Relentless Navel Gazing, Part 8

We made a few changes yesterday. There’s now a special archive page for the “Security Principles of Saltzer and Schroeder, illlustrated with scenes from Star Wars” series of posts. I’ve gotten more kudos for that series than anything else, so added a way for you to read them all in the order they were presented. Enjoy!

We’ve moved to a Creative Commons Non-Commercial, Attribution license, meaning (roughly) you’re free to take this all and mash it up as you see fit, as long as you credit us and aren’t doing it for money.

Perhaps less interesting, but also nice is a move from the numbered posts to more readble URLs, which I’d wanted to do for a while, but was worried about archival links. Thanks to the lovely and talented Lisa, we’re all set (with a lot of redirects). It makes it easier to work with the links.

Security Breach Resources

I’ve put together a small set of web pages containing links to current and pending legislation, breach listings, various on-line resources, and so on.
There is probably not much there that is new to most readers of these words, but the fact that it is in one place may be helpful.
The URL is
I am clearly not web designer (nor do I play one on TV!), but I wanted to play around with iWeb, so there you have it. I’d be happy to hear any feedback.
BTW — I already know the images are too large. Apple took my 40K JPGs and made them nice fat PNGs. I’ll fix it soonish.

Dear Lazyweb

I’m looking for code that will parse the emails sent by online travel agencies and airlines. Ideally, it would be Python code that allows me invoke something like itinerary.get_next_flight(msg) and get a dictionary of (to, from, airline, flight #, date), etc. Does such a library exist?


Consulting firms are interesting beasts. Often, they are able to make great changes in their clients’ organizations, perhaps not so much because their people are smarter, or even more knowledgable, but because they aren’t subject to the same incentives (pecuniary and otherwise) that client employees face.

Continue reading

“Illegal Political Activity”

handcuffs.jpgSomething is seriously wrong when the New York Times has an article “I.R.S. Finds Sharp Increase in Illegal Political Activity,” and fails to mention the free speech issues associated with the claptrap coming out of Congress:

While pointing out the extent of the problem, the agency published more guidance for nonprofit organizations, including examples of what is permissible and what is not. Mr. Everson warned that the agency would be more aggressive in addressing illegal political activity as election campaigns moved into full swing.

I don’t need guidance about what is permissible if I have freedom.

The future belongs to the quants

The title is of course stolen from Dan Geer.
By now, many readers of these words will be familiar with the recent finding in Guin v. Brazos Higher Education Services [pdf] that a financial Institution has no duty to encrypt a customer database.
In dismissing the case with prejudice, the court took note of an earlier case:

The facts of this case are closely analogous to Stollenwerk v. Tri-West Healthcare
Alliance, No. Civ. 03-0185, 2005 WL 2465906 (D. Ariz. Sept. 6, 2005). In Stollenwerk,
the defendant’s corporate office was burglarized and a number of items stolen, including
computer hard drives containing the personal information of defendant’s customers.
In support of their negligence claim, two plaintiffs relied on the opinion of an expert who
described their injury as “an increased risk of experiencing identity fraud for the next seven
The district court expressly rejected the expert testimony because
“the affidavit of plaintiffs’ expert conclusorily posits that plaintiff’s risk of identity fraud is
significantly increased without quantifying the risk.???

(emphasis mine)
IANAL, and I apologize to any lawyers reading this for my selective quotation and elision of case citations and footnotes. I have no opinion on the merits of this case because I do not know the law, particularly the case law.
That having been said, the juicy part is the part I emphasized — you want to say you were harmed because you were put at increased risk? You need to quantify that risk. I may be reading too much into this, but this looks to me like the judge in Stollenwerk was saying “Don’t bring me experts who draw conclusions they don’t back with data. Don’t give me a ‘red-yellow-green’ dashboard. I want to see how much additional risk you now are burdened with”.

New Products, Emerging From Chaos

impressionist-london.jpgIn a trenchant comment on “Secretly Admiring,” Victor Lighthill writes:

Not to disrespect Ron Rivest or Credentica’s Stefan Brands, but patenting your ideas in crypto is, historically, a great way to ensure that it takes them 15 years to go from concept to use.

While there may be important grains of truth in this, and while I’ve railed against patents, and think the system is substantially flawed, I don’t think patents are the mainstay of what holds back new products.

Continue reading

Subject: Attention! Several VISA Credit Card bases have been LOST!

You know breaches are reaching the public consciousness when spammers use them to make money. I got this in email yesterday, along with a URL that I don’t feel like linking. Banks would do really well to send less email with the words “click here,” and more saying “visit our site using a bookmark.”

Good afternoon, unfortunately some processings have been cracked by hackers, so
a new secure code to protect your data has been introduced by Visa. You should
check your card balance and in case of suspicious transactions immediately
contact your card issuing bank. If you don’t see any suspicious transactions,
it doesn’t mean that the card is not lost and cannot be used. Probably, your
card issuers have not updated information yet. That is why we strongly
recommend you to visit our website and update your profile, otherwise we cannot
guarantee stolen money repayment. Thank you for your attention. Click here and
update your profile.

(I added the logo.)