Shostack + Friends Blog Archive

 

Dear TSA, How Do We Contact Thee?

Phil Schwan, who was able to read to the end of “Homeland Security tracks travelers’ meals” without blowing a gasket, noticed that they said they’d only gotten 15 comments: I tried for 30 goddamn minutes to figure out how to comment. That’s why there are only 15 comments. All I could find was a Privacy […]

 

The New Transparency

Sometimes, we Americans forget how lucky we are to live in a country with 51 legislative bodies, all of which can pass laws which affect all of us. By sheer luck, some of those laws will not stink, and a few actually turn out to be useful, not jarringly out-of-tune with the gestalt, and not […]

 

Radiation

How’d you like to be the person at British Airways who has to write the letter to 30,000 people explaining that they might have been exposed to a radioactive poison while traveling on BA flights? Remarkably, authorities will not confirm that the substance detected was Polonium, yet passengers on the flights are being asked to […]

 

More on Godin and Tufte

There’s another good article on Juice Analytics, “Godin, Tufte, and Types of Infographics:” (hey, guys, where are the author names? Author names only show in RSS, not the web page?) Tufte frustrates on a number of levels. He is enormously influential in business. Businesses send people to his seminars and they come back energized with […]

 

The Two Minute Rule for Email and Slides?

So I’ve been discomfited by the thoughts expressed by Tom Ptacek and the Juice Analytics guys over what presentations are for, and a post over at Eric Mack’s blog, “A New Two Minute Rule for Email.” The thing that annoys me is the implicit assumption that all issues should be broken down into two minute […]

 

Fanning the flames, security metrics style

Amidst the to and fro over insider v. outsider threats, whether security metrics can be “gamed”, and so on, and in recognition of the best buddies that security geeks and economists have now become, I offer the following. The saying often quoted from Lord Kelvin (though the substance, I believe, is much older) that “where you […]

 

Halvar on Vulnerability Economics

Back in July, I wrote: If fewer outbreaks are evidence that things are getting worse, are more outbreaks evidence things are getting better? Now, I was actually tweaking F-Secure a little, in a post titled “It’s Getting Worse All The Time?” I didn’t expect Halvar Flake would demonstrate that the answer is yes. Attacks getting […]

 

Banksy Videos: Security Is Everyone’s Responsibility

Following on Arthur’s post about Banksy, and for your weekend amusement, videos of Banksy installing his artwork are at his site. I had to hand-enter URLs to get the videos to display; they’re of the form http://www.banksy.co.uk/films/video5.html, with the others being 1, 3, and 4. Via Alec Muffet.

 

Small Bits of Chaos

Michael Giest is covering Canadian Parliamentary hearings over that country’s privacy law in “PIPEDA Hearings – Day 01 (Industry Canada)” “PIPEDA Hearings – Day 02 (B.C. Privacy Experts)” Bakelblog vents about the petty tyranny of immigration bureaucrats in “Welcome to America, Fuckwads!” Alec Muffet has interesting and detailed comments about the broken security of the […]

 

Banksy Again

Or how museum security is like information security. Or as Sivacracy put it, “Involuntary Art Acquisitions”. Call it what you will, but in all cases it highlights the fact that most security programs, be they physical or information focused, tend to be unidirectionally focused. In the case of museums, it is to ensure that nothing […]

 

Happy Geeky Thanksgiving

Hey everyone, it’s time to celebrate Thanksgiving here in the U.S. Or in the words of Anya, engage in “ritual sacrifice with pie.” If pie isn’t your thing, perhaps cookies are. kung-foodie points us to Joseph Hall’s Ubuntu and

 

England and Wales to fingerprint motorists at traffic stops

Via the Beeb: Drivers who get stopped by the police could have their fingerprints taken at the roadside, under a new plan to help officers check people’s identities. A hand-held device being tested by 10 forces in England and Wales is linked to a database of 6.5m prints. Police say they will save time because […]

 

Selling Security?

Last week, Martin McKeay responded to RaviC’s thoughtful discussion of security as a core competence by saying: I don’t think any business is going to buy into security as a core competence unless you can demonstrate to management that they’ve lost business directly because of a lack of security. And even then, it’s an incident […]

 

On Awareness

Last week, Rich Bejtlich posted his common security mistakes to TaoSecurity. His points are all excellent and well thought out, however, I would add one more item to his list: Awareness. It is very in vogue to say that user education must be eradicated, will never work and is one of the dumbest ideas in […]

 

Carole King said it best

“It’s too late, baby” Yeah, I’m dating myself, but Tapestry was huge, and she and Goffin had some serious songwriting chops. Anyway, the “it” about which it’s too late is, yes, a relationship. An important relationship. A relationship which, while admittedly not exclusive, is “open” in a hopefully honest, fulfilling, respectful way. That relationship is […]

 

The Kristian Von Hornsleth of the Blogosphere?

Apparently, artist Kristian Von Hornsleth has been paying Ugandans to rename themselves Hornsleth, as a way of drawing attention to aid failures. His exhibit is sub-titled “We want to help you, but we want to own you.” I think it’s brilliant. Regular readers know that we talk a lot about identity, id cards, and economics. […]

 

Frito-Lay’s New Snack Line

Frito-Lay spokeswoman Lisa Greeley, who said that the company made a commitment in 2004 to develop a healthier line of snacks but “never thought it would actually come to this,” described the Flat Earth brand as “tailor-made for the small, vocal minority of health-conscious consumers who apparently can’t just be content with salads, bananas, apples, […]

 

Guidance Software, Evidence and Software Provenance

So Chris beat me to the mocking of Guidance Software. I was going to do that, and then ask about the software that they produce, and its heavy use in legal proceedings. If your corporate network is full of hackers, what does that say about the admissibility of the output of your software? There’s also […]

 

SANS Top 20 has competition!

SANS has just released their annual Top 20. I won’t bother linking to it — Google knows where to find it, and if you’re reading this blog, you probably do too. Anyway, it seems like the SANS people have a bit of competition. Check out this list: Failing to assess adequately the vulnerability of its […]

 

Tufte, Godin, Juice Analytics

Juice Analytics comments on “Godin’s take on Tufte:” (Godin) I think this is one of the worst graphs ever made. He’s very happy because it shows five different pieces of information on three axes and if you study it for 15 minutes it really is worth 1000 words. I don’t think that is what graphs […]

 

Privacy and "Required, not used"

So, I was commenting over on Econlog, and noticed this: “Email Address (Required. Your email address will not display to the public or be used for any other purpose.)” So, umm, what is it being used for? This is both snarky (obviously) and serious (less obviously). The less obvious part is that information is being […]

 

Bag Matching and Lost Bags

Every now and then, it seems like TSA can do something right. I’ll let you know. In the meantime, the New York Times tells us that “Frustration Grows at Carousel as More Baggage Goes Astray:” The Transportation Department reported that 107,731 more fliers had their bags go missing in August than they did a year […]

 

Vulnerability Game Theory

So a few days ago, I attended the Vista RTM party. I spent time hanging out with some of the pen testers, and they were surprised that no one had dropped 0day on us yet. These folks did a great job, but we all know that software is never perfect, and that there are things […]

 

All Non-Trivial Privacy Fears Come True

A few months back, I said “Ironically, privacy advocates warned that the number would become a de facto national ID, and their concerns were belittled, then proven right, setting a pattern that still goes on today.” In thinking about Alec Jeffreys’ come-to-Jesus moment, I realized that we can state that another way: All non-trivial privacy […]

 

Cypherpunks, Sameer make the Oxford English Dictionary

cypherpunk, n. Computing slang. A person who uses encryption when sending emails in order to ensure privacy, esp. from government authorities. For the full text, see his post, The OED. Me, I’m disappointed that they didn’t quote the Forbes article.

 

Reason #2453 Not To Mug Magicians

On Friday, BoingBoing linked to a great story about some kids mugging magician David Copperfield. Copperfield used sleight-of-hand to hide the items in his pockets: The assistants handed over money and a cellphone, but the illusionist turned his pockets inside out to reveal nothing, although he was carrying his passport, wallet and cell phone. So […]

 

Two On Identity

There’s the Budapest Declaration on Machine Readable Travel Documents: By failing to implement an appropriate security architecture, European governments have effectively forced citizens to adopt new international Machine Readable Travel Documents which dramatically decrease their security and privacy and increase the risk of identity theft. Simply put, the current implementation of the European passport utilises technologies […]

 

New Zealand to literacy: "l8r!"

Via CNN: WELLINGTON, New Zealand (AP) — New Zealand’s high school students will be able to use “text-speak” — the mobile phone text message language beloved of teenagers — in national exams this year, officials said. Text-speak, a second language for thousands of teens, uses abbreviated words and phrases such as “txt” for “text”, “lol” […]

 

Better Dead than Red?

Via the Beeb, writing about a county board election in South Dakota: Marie Steichen, who died of cancer in September, beat a Republican rival by 100 votes to 64 and became a county commissioner posthumously. The election list closed on 1 August, but Ms Steichen’s name was kept on the list for Tuesday’s election. Voters […]

 

Popping pills

Breach disclosure foes say that notifying those whose personal information may have been revealed in many breaches is costly, and often not commensurate with actual risk to consumers. A well-written example [pdf] can be had from the Political and Economic Research Council, which reports that direct notification costs are about $2.00 per notified person. So, […]

 

Mike Howard beats me to the punch

His posts on “Microsoft hosts OEM partners for a crash-course in SDL (Day Two)” and “Microsoft hosts OEM partners for a crash-course in SDL (Day Three)” cover much of what I wanted to say: My biggest observation was these guys were utterly engaged, and by that I mean writing copious notes and asking some very […]

 

One Graph, Zero Credibility

Let’s see... we’ve got shadows, random colors, and the colors are graduated, and so is the background. Displaying 13 digits takes 109,341 bytes (in the original), for a remarkable data density of .0001 digit per byte. Anti-phishing working group? You can, I hope, do better. Via the F-Secure blog, who don’t have per-post links.

 

Talking to OEMs

My co-worker Mike Howard posted “Microsoft hosts OEM partners for a crash-course in SDL (Day One)” As part of our ongoing SDL efforts, we are hosting a 2.5 day event here in Redmond for our OEM partners – over 50 senior technical experts from the biggest names in the computer industry. Out of respect for […]

 

"Mission Accomplished"

The White House has been gloriously editing history for the edification of the people. Or, as Roger Bakel points out: Remember Bush’s speech on the aircraft carrier three and a half years ago, in which he declared an end to major combat in Iraq while standing under that instantly notorious ‘Mission Accomplished’ banner? Well, the […]

 

On Elections

I heard on the radio last night that these are the most expensive elections in US history. (It was not clear if that was accounting for inflation, or considering Presidential elections as well.) They also said that only about 50 of the 454 Congressional seats are considered to be in play. This, years after McCain-Feingold […]

 

Invade Privacy in Haste, Repent at Leisure

A pioneer of Britain’s DNA database said on Wednesday it may have grown so far beyond its original purpose that it now risks undermining civil rights. Professor Alec Jeffreys told BBC radio that hundreds of thousands of innocent people’s DNA was now held on the database, a disproportionate number of them young black men. … […]

 

Participatory Security

Cutaway, over at Security Ripcord provides us with an alternate take on the fact that security needs to understand the business constraints and goals of the organization. He (She?) quite rightly points out that security is a part of the “Service and Support” Group. He has two essential points: I have been hearing a lot […]

 

Giant Elephants in London, Redux

I found this beautiful set of photos of the Sultan’s Elephant show in London. (Mentioned previously.) Photos by Simon Crubellier. Found while searching for a photo to go with “If you’d seen the things I’ve seen with these eyes of yours…” Since we’re being slightly political, can you imagine this show being put on anywhere […]

 

More things to Do With the "Last 4"

Apparently, in Ohio, you’ll be able to vote if you know the last 4 digits of an SSN. As the Cleveland Plain Dealer reports: Voters who don’t have identification will be able to vote at next week’s election by presenting the last four digits of their Social Security number and casting a provisional ballot. Will […]

 

"Keep Defect Data Public"

The National Highway Traffic Safety Administration (NHTSA) is again bending to the will of the auto industry as the agency is proposing to restrict access to information about consumer complaints, warranty claims and service reports. NHTSA was ordered by Congress to make information about problems with vehicles public after it withheld information about the blowout […]

 

What a Sad Waste

Someone who likes his privacy sent me this link to an “Encyclopedia of Privacy.” It’s 672 pages, for $199. How many people are going to read that? How many copies are they going to sell? It’s sad that they’ve chosen to lock up all that work that way, rather than putting it somewhere where the […]

 

Topology Editors Resign En Masse

The New York Sun reports, “A Rebellion Erupts over Journals of Academia:” “Elsevier’s prices are very high,” said an emerita mathematics professor at Barnard College, Joan Birman, who resigned a few years ago from the board of an Elsevier journal, Topology and Its Applications. She said her feeling was, “We do the work, we check […]

 

Public Library of Science and The Journal System

Dave Weinstien has a really interesting article, “PLOS – Open Access science:” PLoS has an “intrinsic tension” [Hemai Parthasarathy] says because most of the people who started the journal don’t believe in elite publishing. “We think it’s wrong for tenure committees to pass the buck” to the editors of the top-tier journals. That’s why they’ve […]

 

How to Treat Customers

My friend Austin Hill has a new blog, Billions With Zero Knowledge. He’s got a really good post up “Crowdsourcing or Community Production – An Interview with Hugh McGuire from Librivox.” What’s most interesting to me is how new companies are trying to tap into customer enthusiasm to build not only value for their customers, […]