Periodic Spiral

periodic-spiral.jpgThe periodic table is under-appreciated as a design masterpiece, and as an iconic representation of science. The table works as a taxonomy, showing someone who knows how to read it a great deal of information about the elements based on their arrangement in space.

So it’s pretty audacious to come out with a re-design:
The Periodic Spiral envisions a remedy to the flaws in conventional periodic tables by illustrating hydrogen’s ambiguous relationship to the noble gases and halogens while recognizing its relationship to the alkali metals; it also fully integrates the lanthanons and actinons into the design.

Via Information Esthetics.

No soup for you!

Harkening back to Adam’s post a while back concerning EC being blocked or miscategorized by various “security” products, tk of nCircle posts that has been blocked from some security vendor sites.

This reads to me like the equivalent (speaking of analogies) of Toyota blocking, rather than the categorization of as evil in some more general sense.  Still, it makes no sense to me, at all.

Certification Shmertification

So it seems that certifications are again in the press. This time over at SC Magazine. Last month, SC ran “Does testing matter?“. I say ran as opposed to ask, because really the article was a page long advertisement for the various certifications with most of the quotes being from the various organizations who sponsor them talking about how great they were. Though they do discuss some of the downsides, it comes across as an afterthought as opposed to a balanced discussion over whether they actually matter or not. Fortunately, we have folks like Martin McKeay and Rich Mogull with other viewpoints.
Six years ago or so, I got my CISSP and it has yet to make a difference to my career aside from getting one of those silly little ribbons for my badge at the RSA conference. Though at one point, my entire team had their CISSP certifications and it was great for taunting vendors. Neither really justifies the existence of the certification though.

Do Kings Play Chess on Folding Glass Stools?

butterflies.jpgOver at the OSVDB blog, blogauthor writes:

On September 29, Stefan Esser posted an advisory in which he said “While searching for applications that are vulnerable to a new class of vulnerabilities inside PHP applications we took a quick look…“. This lead me to remember an article last year titled Microsoft unveils details of software security process in which Window Snyder (former Microsoft security strategist) said “These are entire classes of vulnerabilities that I haven’t seen externally. When they found these, (the developers) went on a mission, found them in all parts of the system, and got rid of them.” referring to vulnerabilities that were proactively removed. The article goes on to say “Moreover, the company found and fixed two classes of vulnerabilities that have not been discovered elsewhere, she said.”

Anyone else curious about these? Less than a year, and three new classes of vulnerabilities? Come on Window, you left Microsoft, you can speak up now! Steffan, spill the beans, give us details!

So, here are the details. No, just kidding. I can’t talk about the details, but what I can talk about are taxonomies. I can talk about taxonomies for hours. I think, by analogy, that stack smashing may be an order. Perhaps a family. Closely related are the integer overflow and format string. Each places code in the expected path of execution, overwriting it. More distant are command stuffing (my term for the classic “; echo $stuff > /etc/passwd”) or sql injection. Cross site scripting belongs to the phyla of code/data separation, or perhaps the family of output validation.

I’m not sure if there’s a taxonomy here at all. By taxonomy I mean a repeatable, exclusive, reproducible system of questions that a variety of experts can ask of a sample and classify it in the same way. To be a taxonomy, you need exclusivity. You can’t be both a person and a penguin. Not all data fits neatly into taxonomies because of that exclusivity requirement. You can, for example, be both a Mac and Windows user. Thus, being a Mac or PC user isn’t a good taxonomic classification.

What’s the natural ordering of relations of emergent phenomenon?

Oh, the title? It’s a memonic for the Linean taxonomy of life: kingdom, phyla, class, order, family, genus, species. And the photo is Drawers of Curiosities, by smalleyta.


There are a bunch of ways to estimate how many people have died in the Iraq war.  One is to keep track of news stories and official reports of combatant and civilian deaths, and add them up.

Another is to employ the tools of epidemiology and demography.  Until now, we’ve had essentially only the former to rely on.  That has changed with the release of a report [pdf] from the Bloomberg School of Public Health at Johns Hopkins and the School of Medicine at Baghdad’s Al Mustansiriya University, in cooperation with the Center for International Studies at MIT.

The headline-making conclusion is that the excess death toll from violent causes is estimated to be approximately 600,000 since the start of the war.  This is ten times higher than other estimates, such as those by

I predict that the authors of this work, their motives, and especially their conclusions, will be the subject of much uninformed debate, and more than a little derision.  It has happened before, when a demographer had the temerity to contradict the US government over the death toll in the Gulf War.  Her job was saved thanks to the efforts of the ACLU and the American Statistical Association.  Those inclined to criticize this latest work would do well to remember their history.

Update:  I neglected to provide a link to the methodological appendix (“full report” means something different to CNN than it does to me!)

Update: The Social Science Stats Blog provides further reading on the methodology.

The Crap in Credit Reports


On August 10, after his family was refused a home loan, an Arcata man was mortified to find the phrase “son of Saddam Hussein” included on his credit report. “I looked at it and couldn’t believe my eyes!” Said the Arcata man who asked that only his middle name, Hassan, be divulged.

The routine credit check, pulled by the Arcata family’s prospective mortgage company, lists the alleged alias under the section titled “Borrower Bureau Alert Information:” “HASSAN ALIASES: AL-TIKRITI, ALI SADDAM HU.S.SEIN DOB: 1980 ALT (ALTERNATE) DOB: 1983; POB: IRAQ; NATL: IRAQI; SON OF SADDAM HU.S.SEIN AL-TIKRITI…”

A partial name match to the individual listed on the Arcata man’s credit report, “Hassan” is the man’s middle name, but any likeness to the description of Hussein’s son ends there.

There’s a really good in-depth article in the Acarta Eye on this Kafka-esque nonsense. The only thing I really want to add is that the problem is that OFAC issues a list, and then whacks people for not “complying.” Then naturally, everyone trips over themselves, because, after all, what’s this Hassan person and his ability to live his life versus COMPLIANCE! and FINES! and TERRORISTS!

If people could hold the credit agencies responsible for their libels, this sort of thing would be a lot more rare.

Via BoingBoing. Speaking of which, boingboing had more.

Pictured, Saddam Hussein’s son.

Real ID Will Waste $11 Billion

What could you do with $11 billion? How many ways could we make the world a better place with that money? I know! Let’s spend it on a national ID card! The $11 billion figure comes from the National Conference of State Legislatures, and doesn’t include wasted time by productive members of society.

On the bright side, that’s a lot less per-capita than the British National ID scheme, which reports will cost 10.8 billion USD.

Maybe the British scheme is more fully specified, and their cost estimates are more accurate.

New, Non-Obvious, and umm, Useful?

Orin Kerr has an interesting post over at Volokh Conspiracy, “Government Responds in United States v. Ziegler,” which contains this interesting bit:

But that’s simply not how the Fourth Amendment works. The “reasonable expectation of privacy” test is actually a system of localized rules: the phrase is simply a label, and what it actually means depends on the specific context as determined by the Supreme Court’s cases. The Supreme Court has decided dozens of cases interpreting the reasonable expectation of privacy test, and those cases offer specific interpretations for lower courts to use. As a result, the actual meaning of the Fourth Amendment is highly localized: “reasonable expectation of privacy” means different things in different contexts, and usually has nothing to do with the probability that a reasonable person would expect something to remain private.

It reminds me of the patent system, wherein the words “new,” “useful” and “non-obvious” have so deviated from their English meanings that the non-expert is helpless to engage.

“Reservoirs of Data”

Danielle K. Citron has put a new paper on SSRN,
Reservoirs of Danger: The Evolution of Public and Private Law at the Dawn of the Information Age.” It is highly readable for the lay audience, and lays out (what I think is) a strong case for strict liability in personal data breaches. The abstract of the paper reads:

A defining problem at the dawn of the Information Age will be securing computer databases of ultra-sensitive personal information. These reservoirs of data fuel our Internet economy but endanger individuals when their information escapes into the hands of cyber-criminals. This juxtaposition of opportunities for rapid economic growth and novel dangers recalls similar challenges society and law faced at the outset of the Industrial Age. Then, reservoirs collected water to power textile mills: the water was harmless in repose but wrought havoc when it escaped. After initially resisting Rylands v. Fletcher’s strict liability standard as undermining economic development, American courts and scholars embraced it once the economy matured and catastrophes such as the Johnstown Flood made those hazards impossible to ignore.

Public choice analysis suggests that a meaningful public law response to insecure databases is as unlikely now as it was in the early Industrial Age. The Industrial Age’s experience can, however, help guide us to an appropriate private law remedy for the new risks and new types of harm of the early Information Age. Just as the Industrial Revolution’s maturation tipped the balance in favor of early tort theorists arguing that America needed, and could afford, a Rylands solution, so too the Information Revolution’s deep roots in American society and many strains of contemporary tort theory support strict liability for bursting cyber-reservoirs of personal data instead of a negligence regime overmatched by fast-changing technology. More broadly, the early Industrial Age offers valuable lessons for addressing other important Information Age problems.

Via Prawfsblog

More on RFID Zappers

bug_zapper_frame.jpgThis seems to be the weekend of redux posts and back tracking to earlier in the year. Way back in January, Adam wrote about the RFID Zapper created by the folks at the annual Chaos Computer Club conference. Along a similar vein, Julian of, has also produced an RFID Zapper made from a disposable camera with built in flash. I love seeing hacks like this. It just makes me so happy. I’d love to see someone build something like this into an old ipod case since that would be even more innocuous looking.
[Image from: RFID-Weblog]
[Via: FIRST Security News]

Google Code Search

Back in July, I posted about online code searching and static analysis in “Meet The Bugles“. Google has now seriously upped the ante and released Google Code Search which I am constitutionally required to mention includes full regular expression support. Now I was going to post an analysis of the cool things that one could do with this, but then I saw that Aaron Campbell had done a far better of job over on Arbor’s blog with “Static Code Analysis Using Google Code Search”. Check it out…

No Expectation of Privacy

Here in the U.S., one of our Old Order Amish communities has recently suffered an infamous crime — the murder of several schoolchildren.  Interest in this case has been high.  Naturally, the public’s right to know has been ably served, as journalists took plenty of funeral photographs, despite the fact that the Amish, on strict religious grounds, object to being photographed. 

 I don’t think I’ve ever seen someone publicly mock a dead child’s religion at her funeral before.

The last sentence of a Canadian Press story says more than I ever could:

At the behest of Amish leaders, a fund was also set up for the killer’s widow and children.