Security Cameras and the Obedience Imperative


“People are shocked when they hear the cameras talk, but when they see everyone else looking at them, they feel a twinge of conscience and comply,” said Mike Clark, a spokesman for Middlesbrough Council who recounted the incident. The city has placed speakers in its cameras, allowing operators to chastise miscreants who drop coffee cups, ride bicycles too fast or question the President. [Quote slightly edited for clarity.]

The quote is from Bloomberg, “George Orwell Was Right: Spy Cameras See Britons’ Every Move.”

I’m reminded of Milgram’s authority experiment, where he had men in white lab coats telling people that they needed to deliver electrical shocks.

(Via Slashdot, a ways back. Photo of Roxanne by L.N.L.)

Non-Tangible Security

eBay is stopping all sales of “virtual artifacts.” Maybe.

This story comes from a Slashdot article in which Zonk talks to Hani Durzy of eBay about it. They are handling this by merely enforcing an existing policy which says:

“The seller must be the owner of the underlying intellectual property, or authorized to distribute it by the intellectual property owner.”

This calls into question some virtual artifacts where the seller is the owner of the intellectual property, but the item is clearly a virtual artifact. Expect debate.

I can’t say as how I blame them. It’s disappointing, but there are headaches that I wouldn’t want either. Some virtual artifacts, like things in Second Life, arguably fall outside that rule. Nonetheless, what resembles an economy in Second Life is hard to understand. The media love affair with Second Life seems to be turning into a hangover. Valleywag is a great place to see some of the backlash. Subscription numbers may be overstated. What passes for an economy isn’t as efficient as people might like. It isn’t very fun. Maybe it’s too much fun.

Some virtual artifacts fall into the eBay ban rule, but might still be okay to sell. Some games permit the resale of objects, but you can claim the people aren’t authorized to distribute, because there’s no explicit authorization of them as a sales channel. It’s definitely a gray area, especially if we consider the first-sale doctrine, but stores are not obligated to sell things they don’t want, and if eBay wanted to stop the sale of used books and records, it would also be disappointing, but within their liberty.

Some other virtual artifacts are not supposed to be sold. World of Warcraft, for example, has it as part of their terms of service that you’re not supposed to sell the game’s virtual artifacts. I think that such bans are not only ineffective, but the best way to fight a black market is to set up your own that undercuts it. But it’s their concern.

The real problem that eBay has to deal with is that when you’re selling stuff, as opposed to merchandise, the major problem is that of provenance. You have to know where those jewels came from. Did those artifacts leave the country legally?

There are a number of cases where bad people have hacked into VR accounts and sold the virtual goods. I can understand eBay’s conundrum. If someone wants to sell five sheep, a gnome, and a staff of domination, how do you know they have the right to do that, whatever the heck that means? I don’t blame eBay for deciding that it’s just too hard and they opt out. It’s a pity that they aren’t stepping up to figure it out, but I don’t blame them. Pioneers are the ones with the arrows in their backs, and after being a pioneer for a while, farming looks good. Of course, the problem is that software is a virtual artifact, even when it comes on a CD. So this is far from settled.

Photo is Egyptian Temple, courtesy of iconolith.

Mordaxus, redux

We’ve enjoyed having Mordaxus with us for the last month or so, and are pleased that he’ll be sticking around as a permanent member of the Combo. A few quick comments on my pseudonymous cohorts.

First, why do I have pseudonymous co-bloggers? There’s a long history of artists appearing under names not their own, ranging from the obvious (Sting, Bono or The symbol usually pronounced as 'the artist formerly known as Prince') to the less obvious Joe Strummer or Bob Dylan. Less metaphorically, there’s “Publius,” who wasn’t always exactly one person. We’re proud to continue these traditions here at the Combo.

Second, I’ve had several people ask me if Mordaxus is a Microsoft employee. Neither Mordaxus nor Arthur is a Microsoft employee. If they were, you’d know it, to satisfy both my own and the corporate code of ethics.

Lastly, nyms are about privacy, and separation. They allow you to jazz things up, and not be always on message and in tune.

Photo “Jazz In Progress” is from Ivo Stad & Land.

Is this idea feasible?

With all the reports of lost backup tapes, I wonder if it would be technically feasible to keep an eye on them using RFID tags. If a tape “tries to leave” a facility without having been pre-authorized, bells go off. If a tape can’t be found, there’s a record of where it was last detected by an RFID reader. Hey, it works for babies, right?

(I am awaiting the comment about how this naive notion is fundamentally flawed. I know EC has some readers who have expertise with RFID. I am somewhat heartened, now that I Googled this brainstorm, that others have thought of it.)

Speaking of Secret Events You’re Not Invited To

There’s a blogger get together at the Foreign Cinema Wednesday night of RSA. 5PM – 8PM. We’ve been trying to coordinate via email, but I figured we should publicize our secret conference now.

Remember, this will be the most blogged event of RSA.

If you want in, blog about the event and trackback Martin McKeay.

Also covered in “Information Security Sell Out,” who comments:

Wow, the bloggers are almost outnumbering the vendors. Perhaps next year RSA will have a separate conference for Bloggers and another for those that actually matter to security.

Navel, for gazing, courtesy of mezone, and unlikely to appear at the party.

Secrecy is not Privacy

So, I’m really irked by headlines like “Microsoft’s ‘Secret’ Security Summit.”

  • First, it wasn’t Microsoft’s summit. It was an ISOTF meeting that had public web pages. Microsoft provided conference facilities and lunch. I don’t think we even bought the beer.
  • Second, it wasn’t a secret. It has web pages: “Internet Security Operations and Intelligence II – a DA Workshop.” Things with web pages are rarely secret.
  • Finally, it was a security summit, but hell, 50% is a rotten ratio for a headline.

So let me delve into the words “secrecy” and “privacy” just a little. The meeting was private: you had to know the secret handshake to get in. You had to agree not to talk about what was said. That’s about privacy. It also includes some secrecy about what, precisely, was said. As I’ve said before, privacy is a good way to build trust. It allows people to speak openly, because they can rely on anyone who blogs about it not being invited back.

I’m speaking for myself here.

From the “A Child Shall Lead Them” Desk

Response #24 in a discussion on FlyerTalk:

My 10-y.o. son, like many kids, believes that backpacks have to be overloaded to work.

Recently, at LAX T-6 (shoe carnival central), the TSA removed 2 partially full water bottles from his backpack after x-ray screening.

On the return flight, at JFK T-9, they found 2 more, both of which had been in there all along and been missed at LAX. As we rode the escalator down in T9, I told him that if this happened again, he would never get upgraded until he was 21 (it’s a harsh threat…) — and he reached into his backpack and took out another partially empty water bottle.

It’s a Flawless Plan for Making Money

First, you take a business away from legitimate enterprises, claiming only the state can run it without it sinking into a wretched hive of scum and villainy. Then, you ban competition. Then, you decide that you’re better off selling the monopoly rights to the highest bidder.

It’s what Illinois is doing with their state lottery.

I was going to talk about the history of corporations as monopolies, and the issues with government run business, but Larry Ribstein said almost everything I wanted to say in “Selling State Lotteries.”

Maybe the state could do the same with health care?

Image credit: Emergent Chaos.

There are three types of authentication

They are:

  1. Something you’ve lost,
  2. Something you’ve forgotten, and
  3. Something you used to be.

Here is a sad tale of a man who has a failure on (3), realizes he’s done (2), and of his solution to the problem. It’s a classic tale of how more is often less when it comes to security. Lest you think it, I am not making fun of his solution to the problem.

The sad part is that he thinks the problem is dependence on technology, when in fact it is the inappropriate use of technology, and the “ooo, shiny” technolust making you think that something is a good idea when it isn’t. Other cases include electronic voting machines, RFID passports, airport fast-track systems, and so on.

Photo courtesy of split-ends.

I’m Glad I’m a Beta!

27B Stroke 6 tells us of a story. The domain was removed from the net by GoDaddy, its registrar.

Why? Because MySpace complained. He’s got a mailing list archive and it has some stuff in it that pissed MySpace off — security information about phishing attacks. That’s well and good, but GoDaddy yanked the whole domain!

Now we find out that GoDaddy gave its owner an hour to respond, when the data had been there for nine days. Well, that makes everything much better. Their rationale? We have to ProTeCT tHe chILdrEN!!! And on top of it all, it turns out that it was actually about one minute, showing that GoDaddy went to the same math school that Verizon did.

I actually don’t care much about the details, which you can read here.

I’m willing to agree on the very little I know that the offending posts oughta go, but I think they massively over-reacted, and are compounding the over-reaction with more over-reaction.

I can tell you that never have I ever been so happy to be a lazy slug who has never gotten my domains off of Network Solutions! Many people have hectored me to change for years, but it’s a pain and I never really liked the GoDaddy Super Bowl ads, either. I always defended myself by saying that having your domains with NetSol is like having your long distance with AT&T. They’re the devil you know.

I’m so happy to find out I made the right decision. Thanks, GoDaddy! And to all you who have made fun of me for years — Hah! You alphas work so hard, I’ll bet it will be easy to switch.

Rely only on the secrecy of that which can be easily changed

The title is a statement of Kerckhoffs’ principle. A cryptographic system is only secure if its security doesn’t depend on the system itself being kept secret; the only thing that should need to stay secret is the key, which can be changed. And there’s an interesting lesson there for Diebold. You see, Diebold sells ATMs and voting machines. And they posted pictures of the key that allegedly opens every voting machine they sell.

Ross Kinard looked at the key (they’re for sale on Diebold’s web site) and, using some blank keys from Ace Hardware, made some keys and sent them to Alex Halderman, who blogs about it in “Diebold Shows How to Make Your Own Voting Machine Key.” Alex also reports that Diebold has removed the picture, now all over the internet, of their key.

I hope it can be easily changed, and I wonder if there’s a single key for ATM machines?

Also, thanks to the several friends who sent this to me!

When a 0% Success Rate is Worthwhile

There’s an article in, about “Turkish Hacker Depletes 10,000 Bank Accounts”:

A criminal enterprise comprised of 10 individuals who drained the accounts of 10,580 customers by sending virus-infected e-mails was busted in Istanbul.

The suspects reportedly sent virus-infected emails to 3,450,000 addresses, and subsequently drained 10,850 bank accounts.

That’s a hit rate of 0.314%. Which I’m not going to analyze today.

Additional resources, all in Turkish: “İnternet dolandırıcıları yakalandı,” “İnteraktif banka dolandırıcılığı” both seem to be “TSI” agency stories, and “10 bin müşteri hesabını boşalttılar” seems to be a site with additional details. Do any readers speak Turkish?

Funniest Spam of the Week

Hmmm, what to do, what to do? This is so funny on so many levels. How can you not like a phishing attack where the hook is a poll based on eBay being closed because of so many phishing attacks?

January 19, 2007

Dear eBay Community:

We have decided to close eBay on 27 February 2007 due to the repeatedly abuses on our company. We ask your opinion on this matter and we want to know if you agree with us or disagree .Below you can make your choice.

If you want eBay to stay open click YES otherwise click NO .Your opinion is very important to us. If 50% of the eBay members vote positive eBay stays open otherwise it will be closed.


eBay Team