Enblogment, bias

Larry Lessig and Dave Winer have the very clever idea of a polling site based on blog links and click-throughs:

[Lessig] wrote a passioned essay about the Presidential election of 2004, and he wanted to tell people who agreed with his choice to click on a link to express their support. And if they really supported what he was saying, they could write their own essay and link to the same page.

And then of course we’d seek out supporters of Bush and Nader to point to pages indicating support for their candidate.

I have one one-word question: Badnarik? He’s on far more ballots than Nader.

Privacy Protectionism

This month the B.C. government passed a law to prevent the U.S. from examining information on British Columbians that is in possession of private U.S. companies.

The CBC reports on information about Canadians being sent to the US for processing, and the attendant legal risks. In Canada, they have strong-sounding data-protection laws that they don’t enforce, while the US has weak laws which give better protection to your video rentals than your medical history.

This doesn’t strike me as being about privacy, as much as protecting Canadian jobs. As Michael Geist points out, the new law only applies to data collected by the BC government, not data collected about the residents of that province. So the government can’t hire an American processing firm with possible economies of scale.

If the BC government really wanted to protect the privacy of its citizens, it might start by collecting less data, so that it wasn’t subject to these orders.

Paranoia is rampant

Neither, of course, is true. But these rumors testify to one of the most distinguishing — and disturbing — aspects about this election: Paranoia is rampant.

“I haven’t seen an election in which more people are worried about what’s going to happen to them on Election Day,” said Herb Asher, an Ohio State University political science professor. “This really is different this year. You have both sides who are absolutely suspicious of each other.”

So says a good story in the (Seattle) Olympian. Regardless of which candidate you support, what a bozo the other candidate is, or how Osama’s video was designed to support the other side, we’d all benefit greatly from a civil debate.

Ian Grigg on SSL

Ian Grigg has a great page on the SSL industry (really the “certification authority” industry.) Worth reading.

The topic reminds me of an essay, I think from Nick Szabo, on the use of language and terminology within the security industry to distort thinking. (The bit I remember discussed the use of “certification authorities,” self-declared.) I’m having trouble finding it. Can anyone help?

Regulate that Arbitrage!

An update on the Americans Stream to Canada For Flu Shots story:

In eight days 3,800 people have jumped on the ship and paid their $105. Victoria Clipper’s Managing Director said the company had not expected there would be such a massive take up.

The company says the day trips still continue, but the number of flu shot travellers is now limited to 150 per day – at least until the last week of November. [Adam adds: Down from an average of 475]

Many Canadian clinics around the US – Canada border say their stocks are running low. Canada is not experiencing a national flu vaccine shortage.

(From Flu cruise operator cuts back popular service to Canada.)

Canadian Charter of Rights And Freedoms

So let me get this straight…

Quebec Court Judge Danielle Cote handed down a 153-page ruling that found two sections of the federal Radiocommunication Act violate the Canadian Charter of Rights and Freedoms.

Cote extended a grace period of one year before her ruling would come into effect.

So the law is a violation of Canadians’ rights to watch the TV of their choice, but the government can keep violating those rights for a year?

I’d be a lot more impressed if the Canadian courts were willing to intentionally add little bits of chaos to society. When the courts struck down the pot laws, there were still arrests for a law that was off the books. There’s uncertainty in the law right now, even if Cote said her ruling doesn’t apply for a while. A year’s delay only makes it worse.

Canadian Charter, II

It seems a bizarre right to be allowed to watch TV, but not say insensitive things. (It’s sad that the car dealer felt ok insulting customers and turning away business. It’s sadder that the courts are intervening where the right answer would be more speech, publicizing intolerance and shaming the dealer.)

Johnnie Thomas again

On one occasion [Johnnie Thomas] was told that she had graduated to the exalted status labeled, ‘Not allowed to fly.’ She discovered that there was no method available for having ‘her’ name removed from the DNFL; indeed, one person from her local FBI office dismissively told her to hire a lawyer (although ironically, he refused to identify himself). An employee of the TSA informed her that ‘four other law-abiding John Thomases had called to complain.’

She ain’t got nothing on David Nelson. Every David Nelson in the country knows they’re on the no-fly list. And not being Senators or Congressmen, they have no hope of getting off. It even happens to the Chairman of the House Transportation and Infrastructure Committee.

(Inspired by Mark at BoingBoing.)

Online Extortion

There’s a long article by Joseph Menn in the LATimes about online extortion via DDOS attacks, and how much money it brings in. (Use Bugmenot for a login.)

The threat involved massive denial of service attacks on a gambling site, using thousands of “zombie” computers sending data to the site. It’s not clear how clever these zombies were. In theory, it’s possible to build a very clever zombie that pretends to be a customer, and tries to log in on a secure page. (Processing secure pages is slower than processing unsecured ones. It’s not really visible on the client side as much as on the server.)

There are three main ways to defend yourself against a DDOS:

  1. Build enough capacity that you don’t care.
  2. Distinguish real and fake traffic, block the fake.
  3. Go undercover and learn about the attackers. Have them arrested.

(1) is hard, even if you’re Google.

(3) is challenging for a bunch of reasons that are clear from Menn’s article.

Let me examine (#2) in more detail. Because these attacks are executed by programs, it’s usually possible to find differences between the attack streams and the real customer streams. It may be possible to throw away attack traffic, and let real traffic through, depending on how programmable your network gear is.

Throwing away attack traffic is procedurally expensive. You need to capture a bunch of baseline traffic, and then compare attack traffic, to see if you can distill out an actionable signature. You then need to test your signature against real traffic and see what it would discard. All of this expense makes DDOS defense an excellent area for a company to come along and do this for you. A company could invest in a collection of experts, custom software to do this, and a regular stream of customers so that they can learn what works and what doesn’t. All that means that for any given DDOS attack, they can defend you cheaper than you can defend yourself. Cool! It’s specialization in action.
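The baseline, compare, distill and test steps described above, sketched as an added example that is not from the original post. The request fields, the thresholds and all three traffic samples are constructed assumptions.

```python
from collections import Counter

FIELDS = ("path", "user_agent", "accept_language", "has_cookie")  # assumed features

def req(path, ua, lang, cookie):
    return dict(zip(FIELDS, (path, ua, lang, cookie)))

def distill_signature(baseline, attack, min_attack=0.9, max_baseline=0.05):
    """Return (field, value) pairs common in attack traffic and rare in baseline."""
    signature = []
    for field in FIELDS:
        base = Counter(r[field] for r in baseline)
        atk = Counter(r[field] for r in attack)
        for value, n in atk.items():
            if (n / len(attack) >= min_attack
                    and base[value] / len(baseline) <= max_baseline):
                signature.append((field, value))
    return signature

def matches(signature, request):
    """Discard a request only if it matches every pair; an empty signature drops nothing."""
    return bool(signature) and all(request[f] == v for f, v in signature)

def discard_rate(signature, traffic):
    """Fraction of a traffic sample the signature would throw away."""
    return sum(matches(signature, r) for r in traffic) / len(traffic)

# Constructed samples. The zombies copy a browser User-Agent and hit the
# login page, so neither of those fields separates them from customers.
BASELINE = ([req("/login", "Mozilla/5.0", "en-US", True)] * 30
            + [req("/odds", "Mozilla/5.0", "en-GB", True)] * 50
            + [req("/", "Mozilla/5.0", "en-US", False)] * 18
            + [req("/login", "Mozilla/5.0", "", False)] * 2)   # odd but genuine
ATTACK = ([req("/login", "Mozilla/5.0", "", False)] * 95
          + [req("/login", "Mozilla/5.0", "en-US", False)] * 5)
# Real traffic held back from the baseline, used only to price the signature.
HOLDOUT = ([req("/odds", "Mozilla/5.0", "en-US", True)] * 197
           + [req("/login", "Mozilla/5.0", "", False)] * 3)

if __name__ == "__main__":
    sig = distill_signature(BASELINE, ATTACK)
    print("signature:", sig)
    print("attack discarded: %.1f%%" % (100 * discard_rate(sig, ATTACK)))
    print("real customers discarded: %.1f%%" % (100 * discard_rate(sig, HOLDOUT)))
```

The held-out sample is the step that shows what the signature costs: here it drops most of the attack but also a small share of genuine customers who happen to send no Accept-Language header.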

Now, what happens when the ACME corp launches their DDOS Defender product line? (As I hope is clear, I’m talking theory. I have no idea if there’s such a product name out there.) Well, the attackers start trying to learn what it does to block traffic, so they can change their code and get around it. Then you’ve got a little arms race going.

Acme’s natural response is to try to hide details about their defenses. The more work they can make an attacker do, the better off Acme customers are. So now Acme’s prospective customers have a problem. How can they tell Acme’s product from a system with the same marketing which does absolutely nothing?

This is an ideal place for signaling, and warranties are an established form. So, does any DDOS prevention company offer a money-back guarantee, or otherwise send a strong signal of their self-confidence? (I don’t know, but I bet my readers do.)