I knew those Bratz were trouble

As if Barbie isn’t a bad enough role model, it seems that at least one Bratz doll came complete with actual marijuana as an after-market accessory.
The unlucky recipient’s mom quickly called 911 when she found the contraband packaged with the doll she received in the mail, having thought it was an identical doll she recently purchased via eBay.

Capt. John Sifford of the Rowan County Sheriff’s Dept., said that drugs are frequently sent through the mail and that this particular doll was “obviously meant for someone else.”

Well, whose name and address were on the package??
Did The Dealer accidentally send the “special” Bratz doll to one person, and another to somebody who expected a bit more under his tree? Something tells me there’s more to this, and that it’s funny.

Fingerprinting Visitors

In a scary story, the Christian Science Monitor reports “US creates terrorist fingerprint database:”

Last year, the Department of Homeland Security (DHS) announced the completion of a database system that collects electronic fingerprints of both the index and middle fingers of every noncitizen entering the US. The system now documents 64 million travelers. The Homeland Security database is being linked with the FBI’s database of more than 40 million subjects.

The effort prevented 1,300 convicted criminals and immigration law violators from entering the US, and blocked 1,000 others from gaining visas, according to Mr. Chertoff.

So, doing a little math, 38% of those blocked by the system were neither convicted criminals nor immigration law violators. I would think that the latter category would be a subset of the former: that all immigration law violators are convicted criminals. Perhaps immigration law is special, and doesn’t require a conviction to be considered a criminal. Perhaps the accusation is sufficient.

Regardless, it’s important to ask, why were those 38% of denied visitors denied? And would you be counted in that 38%?

In closely related news, DHS has apologized that Safana Jawad was stopped and strip searched for “being connected to a suspicious person.” Maybe they were concerned she was concealing the suspicious person under her clothes?

CSMonitor story via 27B stroke 6. Guard tower image from Puppet.org. Safana Jawad story via Flying Penguin.

The Price of Nothing and the Value of Everything

In the Christmas double issue of The Economist, there is an interesting article about Google’s new domain-level email services and their applicability to business. I’m traveling, so I listened to the podcast version.

I’m not going to criticize Google today. I think Gmail is a good service. I have several Gmail accounts. I am personally tempted by the service for some of my own domains.

The Economist also thinks it’s a good idea, so much so that they slur us in IT security:

IT bosses tend to argue that web-based software is not secure. Their real fear, probably, is that web-based software will mean fewer jobs in corporate IT. But the trend will be hard to resist. Trusting the web with your software is not so very different from trusting the bank with your money, instead of keeping under the mattress at home.

There are several things to object to here. The first is the smug attack on the professionalism of corporate IT people. I find it all the more obnoxious for hiding behind the word “probably” which is one of the oldest rogue’s tricks in journalism. I won’t dwell on that too much, because it is unusual for The Economist to have such a lapse, and this one is forgivable because it is probably caused by the onset of tertiary syphilis in the responsible editor. (I’ll apologize for my counter-slur if a paper supporting the claim that the probability that “security” concerns are actually about budgets is greater than 0.5 is accepted at WEIS this year.)

The next thing to object to is the confusion between software and data. Email, and any concerns with it, are not about the software, they’re about the data. Anyone who has qualms about outsourcing to Google most likely has them about the data, not about the software.

Another confusion The Economist makes is between money and information. There are a number of differences between money and information, but one that is relevant here is that if my bank is robbed, I still have my money (which is one of many reasons why banks are better than mattresses). This is not true with information. If information is stolen, you can’t pull it back. Furthermore, Google isn’t going to insure or indemnify against information loss the way that governments and banks indemnify depositors. If an outsourcer gets broken into, it’s still my breach, and breaches are not cheap.

Not only are emails information, but they are corporate documents. They can be subpoenaed or discovered. I have no idea what would happen if I were in a lawsuit and Google were asked to turn over my email that they host. I would hope that Google would refuse, but what happens if a judge disagrees? Let us also not forget that any such dispute would happen in the US courts. It would also be subject to US national security laws, and these laws not only require your service provider to turn over your emails, but require them not to tell you about it. Additionally, some assert that emails lose their status as protected communications after they’ve been aged for 180 days. My eyebrow is raised, as I am an equal-opportunity cynic, but that’s hardly tin-foil-hat territory.

The last thing to remember is that despite what The Economist seems to think, rarely does one find a free lunch. Google does not offer email services for free. It sells them to you, and you pay by letting them use your data to sell adverts. Google’s payment is exactly the advertising value of scanning all your email. You may think it’s worth it, but you may not. I think this is something about which gentlebeings can disagree.

There are situations in which outsourcing one’s documents may make sense. If, for example, you’re a state university and your documents are ultimately the property of the taxpayers, then some of the security concerns go away. But not all of them. To get rid of the risks, an outsourcer would have to secure the data so that they can’t lose it or be compelled to release it. Unfortunately, that would most likely change the economics of the bargain and make it so that the outsourcer would be giving out a free lunch.

None of this means that outsourcing your domains to Google is a bad idea, it just means that there are costs, benefits, and risks. The cost of a Gmail-hosted domain is the value of the use of your information. This might be analogous to letting the bank use your money, and may be worth it. However, implying that managing your own information is like keeping your money in a mattress is wrong. It’s more like buying your own shares rather than letting a fund manager do it. It’s a tradeoff of many things: time, money, effort, etc. Surely an economist can understand the difference between saving and investing.

Trusting Privacy Promises

Michael Arrington writes at Techcrunch about a former law firm, all of whose records are going to be opened to the public:

Brobeck, Pleger & Harrison LLP was a well known law firm in silicon valley during the first Internet boom. They had thousands of startup and public company clients and handled all aspects of their legal needs. Their client list included Cisco. None of that mattered in the end though – the law firm dissolved in 2003 due to financial mismanagement after the downturn.

But now the nightmare could be beginning for Brobeck’s former clients. In a bizarre story, the bankruptcy court handling the Brobeck case, citing the historical value of the records, has given permission to turn over all confidential client documents to the Library of Congress and put on display in a new public archive. The project even has its own website and will have advertisements published in the Wall Street Journal and the San Francisco Chronicle.

This is one of the stupidest things I’ve seen in a while. First of all, these documents remain the property of the clients, not the law firm or anyone else. Those rights are being completely ignored by the court. Many of these documents will also contain extremely confidential information of third parties that were not clients to Brobeck and will therefore not be getting notice.

See “Somebody Needs to Stop this.”

There’s a reason we prefer to trust our privacy to the laws of mathematics over those of man.

OCR and License Plate Cameras

In “The Vehicular Thomas Crowne Affair: how to creatively defeat photo radar,” Scrollin On Dubs points out that:

I just got my plate from AZ DMV and happily installed it this morning. It can still be read by the keen eye but from one of those crappy photo radar pictures it will be a non-trivial task to make out the characters.

He has other comments about how traffic cameras have made a stretch of road more dangerous–read the post.

Via Thurston at “Not Bad for a Cubicle.”

All Privacy Invasion Fears Come True: Thanks, Alec

In March of 2005, Alec Muffett predicted “National loyalty cards,” and I mocked him for it. Since then, I’ve decided that all non-trivial privacy fears come true. And since then, Alec’s plan has taken another step.

The BBC reports about a new “Blair plan for ‘people’s panels’.” No, I didn’t make that up, Comrade. He really called them people’s panels, and the BBC tells us:

They will look at how retailers, such as supermarket giant Tesco, use loyalty cards to create databases of their clients and tailor-make services for them based on the information gathered.

That’s one of the three ‘major ideas’ they’re looking at. Apparently Parliament isn’t sufficiently obsequious any more.

Photo of urinals at the Las Vegas Hilton from Ann-Rocco.com.

Chip, Pin and Tetris

Saar Drimer and Steven Murdoch will be getting lumps of coal from the banking industry, and amused laughter from the rest of us:

It is important to remember, however, that even perfect tamper resistance only ensures that the terminal will no longer be able to communicate with the bank once opened. It does not prevent anyone from replacing most of the terminal’s hardware and presenting it to customers as legitimate, so freely collecting card details and PINs.

See “Chip & PIN terminal playing Tetris” at Light blue touchpaper, along with the video link.