Shostack + Friends Blog Archive


Small Bits of Chaos

Simson Garfinkel announces a new article analyzing the security of Skype.

JihadWatch comments on a story on NPR yesterday, bemoaning the descriptivist reality that Jihad is now used to describe violent acts of terror. I heard this story on the radio, and the commentator’s prescriptivist bias of “Darn it, this is what the word means!” really annoyed me.

Schneier has a short bit on the damage done by false positives in security. I think it’s worse than this: because terrorism is so rare in the US, our systems don’t need to evolve to effectiveness. Anyone who has been to Israel, the UK or France can observe measures which evolved through a long period of active terror. French trash cans, designed to direct the force of a bomb upwards and not produce shrapnel, are a great, subtle example of this. In the US, we get driver’s license checks.

CIO Today has a story about the Yankee Group claiming that the total cost of owning open source software may be higher than that of software you pay for. The costs show up in programming, maintenance, and lack of good support. Given the (fairly standard) claim that upfront hardware and software costs are 20-30% of the five-year outlays in a project, this makes some sense. I do think that the highest performing organizations out there are on redundant arrays of cheap Linux boxes, but they’re a thin tail, not the norm.

6 comments on "Small Bits of Chaos"

  • Hey, man, you should skype me sometime!

  • adam says:

    I don’t use that shit. It’s insecure. 😉

  • Pete says:

    re: descriptivist vs. prescriptivist – reminds me of the concern over the word “hacker”. Where do you come out on that?

  • adam says:

    I’m fond of the old meaning of the word hacker. It’s useful and descriptive, and we need a word with that meaning. Clearly, it’s been adopted to have other meanings, and I can’t well espouse emergent chaos and then declare the results suck. I prefer to use the more descriptive ‘script kiddie,’ the compound ‘malicious hacker,’ or other terms when describing attackers of various stripes. It’s my hope that doing so enhances clarity and makes everyone happy.
    Incidentally, script kiddie was about the 50th coined term for, you know, script kiddies, but the first that stuck. I think if you want to argue over a definition, the best way to do so is to out-compete those who want to corrupt your word.

  • quietpc3400 says:

    US airport security driver’s license checks are really much more about legally enforcing airlines’ business models (variable pricing based on user and short-term travel); TSA knows they are useless for security purposes.

  • adam says:

    Thanks for your comments. I have to say, I’m not sure I agree with either of your points. We don’t know who’s putting DL checks in place (Gilmore v Ashcroft), and we know that some airlines don’t price that way, but still require ID.
    If TSA knew license checks are worthless, why are they spending money on their “secure flight” program?
