Zabbo Blogs (again!)

I’m very excited to discover that my friend Zach Brown is blogging again. Zach was one of a group of friends who introduced me to blogs in, maybe late ’99? Early 2000? He’d been on hiatus, and I’m glad he’s back. But I realized that my excitement felt a little odd, and so I’ve been thinking about it.

About a year ago, I actually read Alvin Toffler’s Future Shock, which is a classic in the sense that everyone pretends to have read it. One of the themes that resonates with me is the psychological impact of repeatedly changing jobs and cities, leaving people with no grounding in the place they live. Toffler discusses professionals who are more in touch with, and at home with, a distributed network of professional colleagues whom they see at conferences than they are with their neighbors.

He also discusses the difficulty of staying in touch with increasingly scattered groups of friends: the things we do to stay friends become harder to accomplish when it is hard to get a group of friends into the same place at the same time.

I suspect that deep down, the psychological benefits of physical proximity for relationship management help people trump the awful commutes, taxes, and other disadvantages of living in Silicon Valley.

I can’t help but mention that Chris Allen has been writing quite insightfully about these issues in posts like “Dunbar Triage: Too Many Connections.”

Arriving here, I’m forced to examine my excitement that Zach is blogging again. On the one hand, I am genuinely happy to have insight, however small, into his life. At the same time, I miss having dinner with him and others whose company I enjoyed in Montreal.

PS: I’ve discovered that an acquaintance has set up an Amazon Associates account to contribute to my Alma Mater. Does anyone know how I can construct book URLs so that they take advantage of that account?

Small Bits of Chaos all Starting with Names

  • Mike Solomon, of PithHelmet fame, comments on RSS spam, and promises to do something about it. (Incidentally, I’ve been wondering about NetNewswire’s cookie behavior when you load pages, but some rummaging in its files didn’t seem to turn up cookies, and I needed to go blog, er, earn money.)
  • Alan Chapell (whose blog is looking much nicer, but still needs RSS and individual post links) discusses (Thurs, April 28 entry):

    When I confirmed that I’d been enrolled as a result of a purchase I’d made on the travel web site, I decided to end my relationship with the travel web site. Here’s where the fun started…

    I sent an email to the travel web site’s CS group – asking them to remove all my personal information from their records. One would figure that this isn’t a very big deal as their web site privacy policy states:

    “If a visitor’s personally identifiable information (for example, their zip code, phone, email or postal address) changes or if a user no longer desires our service, we provide a way to correct, update or delete/deactivate visitor’s personally identifiable information.” ([Chapell] paraphrased this to protect the company)

    [Frustration, frustration elided.]
    As a consumer, this is beyond frustrating. Btw, this is not some tiny website – it is a nationally advertised site owned by a fairly large company.

    Perhaps it’s time to involve their seal program…

    No, sir, it’s time to name names. Why are you protecting them? Shame them. Call them out. Use them as an example when you speak. Tell them that you’ll continue doing so until you believe that they comply with the terms and conditions they had on display when you signed up.

  • Kurt Voelker has an insightful post about “Lessons for Online Community in ChoicePoint Failures:”

    Think about credit agencies. When it comes to our digital reputations, systems like ChoicePoint and Equifax are reviled, while ranking and endorsing systems like eBay’s thrive. Why? Transparency. The eBay community incents its members to participate because they can see exactly who is saying what about whom. And interestingly, this transparency lets my digital reputation be as much about what I say of others, as it is about what others say about me.

  • Zach Brown (hi Zach!) has a great post in which he goes from C code to the philosophy of programming, entitled: Sloppy Systems Programming:

    It wasn’t that stat() failed, it was that suEXEC saw that it had just performed stat() on a link. It apparently decides that this is fatal, because it knows more about the security trade-offs of your environment than you do, and that when it sees this policy violation it will fail and lie to you about why it failed.

    Now, I’ll be the first to admit that this in itself is a very minor detail. The rub is that this sort of misleading behaviour isn’t rare at all. I think this struck a chord with me because it made me focus on my changing thoughts about what it is that I do. There was a time when I loved having a catalogue of this kind of behaviour in my head so that I could use all kinds of software and predict the ways in which I would have to work around its behaviour. It was super-fun to be an expert in so many details.

    But these days, and I won’t admit to a decade having passed, it all seems like so much wasted time. People who use this software should be focusing on solving their problems instead of spending time discovering that “cannot stat program:” can sometimes mean “I refuse to work with this file because it is a link.”

    It seems like after a few decades of building these kinds of software systems we could be doing a better job of it.

    The profusion of such issues, along with the social awareness that they’re ok, helped drive me to a Mac. On the Mac, they are distinctly not ok, and once you adjust your pain threshold downwards, it’s hard to remember why you put up with them.
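The behaviour Zach describes, a policy refusal (the program is a symlink) reported as “cannot stat program:”, is easy to avoid. The C program below is an added example, not Zach’s code and not suEXEC’s: it inspects a path with lstat(), reserves “cannot stat” for the case where the system call actually failed, and reports a link as the policy refusal it is. The check_program/classify_path API and the scratch fixture under /tmp are assumptions made for the demo.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcomes of checking a program path. Distinguishing "the system call
 * failed" from "the file exists but policy forbids it" is the whole point. */
enum prog_status {
    PROG_OK = 0,
    PROG_STAT_FAILED,   /* lstat() failed; errno explains why */
    PROG_IS_SYMLINK,    /* policy refusal: links are not accepted */
    PROG_NOT_REGULAR    /* policy refusal: directories, devices, etc. */
};

/* Inspect 'path' without following links (lstat, not stat) and write a
 * message that names the real reason for the verdict. */
enum prog_status check_program(const char *path, char *msg, size_t msglen)
{
    struct stat st;

    if (lstat(path, &st) != 0) {
        /* Only here is "cannot stat" an honest description. */
        snprintf(msg, msglen, "cannot stat program %s: %s", path, strerror(errno));
        return PROG_STAT_FAILED;
    }
    if (S_ISLNK(st.st_mode)) {
        snprintf(msg, msglen, "refusing %s: it is a symbolic link (policy)", path);
        return PROG_IS_SYMLINK;
    }
    if (!S_ISREG(st.st_mode)) {
        snprintf(msg, msglen, "refusing %s: not a regular file (policy)", path);
        return PROG_NOT_REGULAR;
    }
    snprintf(msg, msglen, "ok: %s is a regular file", path);
    return PROG_OK;
}

/* Convenience wrapper: verdict only, last message kept for inspection. */
static char g_last_msg[512];

enum prog_status classify_path(const char *path)
{
    return check_program(path, g_last_msg, sizeof g_last_msg);
}

const char *last_message(void) { return g_last_msg; }

/* Constructed fixture (hypothetical paths): a scratch directory holding a
 * regular file and a symlink pointing at it, so the demo runs offline. */
static char g_dir[] = "/tmp/statdemo.XXXXXX";
static char g_regular[128];
static char g_link[128];

int demo_setup(void)
{
    if (mkdtemp(g_dir) == NULL)
        return -1;
    snprintf(g_regular, sizeof g_regular, "%s/cgi.real", g_dir);
    snprintf(g_link, sizeof g_link, "%s/cgi.link", g_dir);

    FILE *f = fopen(g_regular, "w");
    if (f == NULL)
        return -1;
    fputs("#!/bin/sh\necho hello\n", f);
    fclose(f);

    return symlink(g_regular, g_link);
}

int demo_teardown(void)
{
    unlink(g_link);
    unlink(g_regular);
    return rmdir(g_dir);
}

const char *demo_regular_path(void) { return g_regular; }
const char *demo_link_path(void) { return g_link; }

int main(void)
{
    if (demo_setup() != 0) {
        perror("demo_setup");
        return 1;
    }
    const char *paths[] = { demo_regular_path(), demo_link_path(), "/nonexistent/cgi" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        classify_path(paths[i]);
        puts(last_message());
    }
    return demo_teardown() == 0 ? 0 : 1;
}
```

Run as is, it prints one line per path: an “ok” for the regular file, a “refusing … symbolic link (policy)” for the link, and a “cannot stat … No such file or directory” only for the path that really does not exist. The design choice is simply that every branch names its own reason, so a user never has to keep a catalogue of what “cannot stat” secretly means.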

Portland Withdraws Support from Terror Task Force

Mayor Potter, a former Portland police chief, earlier this year requested that the federal government grant him, the police chief and the city attorney top-secret security clearance — the same as task force officers — so that city leaders could have access to case files and more frequent updates. Potter said he wanted the ability to monitor investigative activities involving the city’s officers in order to make sure they obeyed state laws barring them from monitoring people solely because of their religious or political beliefs.

This case raises major issues of democracy. If the people of Portland have seen fit to elect Mr. Potter Mayor, what gives the FBI the right to say he can’t do his job, which includes overseeing his employees?

(“Portland, FBI Unit to Part Ways” in the LA Times, Via CSO Magazine “Security Feed.” Badge from the impressive police badges collection at )

Drivers License Fraud

As the trust and reliance people place in drivers licenses grows, so does the incentive to get fraudulently issued ones. FoxNews reports on “Workers Charged With Taking Payoffs for IDs” (via JihadWatch.)

“With a valid driver’s license, you establish an identity,” said Michael Garcia, assistant secretary of the Homeland Security Department.

The three Florida driver’s license examiners charged between $100 and $200 to falsely certify U.S. citizenship for the illegal immigrants, authorities said. Five accomplices recruited immigrants for up to $3,000 per license, officials said.

I have three comments: Firstly, I have an identity. Mr. Garcia demonstrates the stunningly introverted view of too many in law enforcement, that my identity stems from my documents, my existence in their databases, or the ability of those we used to call ‘civil servants’ to check my papers. My identity stems from me, not my papers.

Secondly, at $100 per false certification, it seems that there’s quite a supply of folks willing to wink and nod.

Finally, when the facilitators are making $3,000 and $200 is going to the fellow behind the counter, it becomes clearer why some people work for the state and others are entrepreneurs.

I’ve previously touched on this in posts like “Economics of Fake IDs”, “More on Nevada DMV” (about the truck crashing through the wall), or “SSNs and Drivers Licenses,” as well as a talk I gave at the Blackhat briefings, “Identity and Economics: Terrorism and Privacy.”

Way To Debate!

Since Choicepoint demonstrated that screening is hard, they’ve been repeating the phrase “We look forward to a national debate.” But at yesterday’s annual meeting, they once again failed to engage in that debate. The LA Times has an AP story “No Answers for ChoicePoint Shareholders” (Bugmenot, because no other paper has picked up the story, according to Google News.)
Or, The Atlanta Journal Constitution, “ChoicePoint boss deflects scam queries.” (Bugmenot)

In a quick and scripted annual shareholder meeting, ChoicePoint executives turned away any questions about the invasion of the company’s database by fraud artists.

But Smith said that because of investigations into the database scam, “we will not be taking questions relating to those matters in this annual meeting.”

It seems to me that understanding how management is handling these issues would be important to a shareholder.

Choicepoint Annual Meeting

But today, the chairman and chief executive of Alpharetta-based ChoicePoint is likely to get a feel for his standing on a smaller stage: whether he is held in esteem by ChoicePoint shareholders.

Lauren Waits, who oversaw ChoicePoint’s charitable giving program before leaving earlier this year, describes her former boss as a visionary who also can be intense and “quite hard on other people.” He has been impatient for government to act on ideas, such as storing DNA profiles on all felons in a central database that could be used to catch repeat offenders.

But the most difficult thing for ChoicePoint’s CEO hasn’t been the criticism or a grilling before Congress, said Rod Dowling, an investment banker who has worked with ChoicePoint. What Dowling said got to Smith most in the wake of the scam was that an Atlanta publication, Creative Loafing, published his home phone number and address.

That’s just a smidgen of the kind of information ChoicePoint supplies to clients every day. But Smith worried about his family’s safety and quickly changed his phone number, said Dowling, CEO of SunTrust Robinson Humphrey.

If only we could do the same when our data gets into untrustworthy hands.

From the Atlanta Journal Constitution, “Embattled CEO must take stage.”

Hofmeyr on Legislation

1386 provides a huge incentive for companies to secure their systems, without restricting or constraining the way in which they should do so, leaving companies to choose the most effective way. This encourages innovation in defense, because should new, more effective defense strategies become available, companies are more likely to adopt them, whereas if they are restricted to using specific technologies and practices, they won’t be able to take advantage of new developments.

So, having said all that, my suggestion to the credit card companies would be to impose heavy penalties on merchants that get compromised, but not to specify what exactly those merchants should do to make themselves secure. And to offset the impact of losses, they should continue to incorporate the notion of quarterly scans by independent assessors, which is one of the few good things about the PCI Data Security Standard.

So writes Steven Hofmeyr in “The effect of legislation.” I’m in general agreement. I suspect that the 12 step programs being promoted by Visa and Mastercard are there because of demands from their smaller customers. Even larger customers would like to constrain their investment, by being told when they can stop spending on security to avoid fines from Visa or Mastercard.

Blockbuster, 65, Employee Miles N. Holloman

A former employee of a Blockbuster video store in Washington, D.C., has been indicted on charges of stealing customers’ identities, then using them to buy more than $117,000 in trips, electronics and other goods. Miles N. Holloman is charged with stealing credit card numbers, Social Security numbers and other private financial information from the application files of 65 customers, then using the data to open retail store and credit card accounts.

(From The Washington Post, via

Victory Against RFID Passports is Near

“The State Department seems to be putting down the purple Kool-Aid and looking at the serious problem this technology presents,” said Mr. Scannell, who runs an Internet site called; the first part of the name stands for radio frequency identification chips. “But no matter how much stuff you layer on the technology, it is still inappropriate.”

So says the New York Times, in “Bowing to Critics, U.S. to Alter Design of Electronic Passports.” So raise a glass and celebrate victory!

(Of course, these programs have a bad habit of coming back if we stop watching closely.)