At AusCert, I had the privilege to share a the gala dinner stage with LaserMan and Axis of Awesome, and talk about a few security lessons from Star Wars.
I forgot to mention onstage that I’ve actually illustrated all eight of the Saltzer and Schroeder principles, and collected them up as a single page. That is “The Security Principles of Salzter and Schroeder, Illustrated with Scenes from Star Wars“. Enjoy!
Bob Rudis has a nice post up “Off By One : The Importance Of Fact Checking Breach Reports,” in which he points out some apparent errors in the Massachusetts 2011 breach report, and also provides some graphs.
Issues like this are why it’s important to release data. It enables independent error checking, but also allows people to slice and dice the issues in ways that otherwise are only accessible to a privileged few with the raw numbers.
Former TSA Administrator Kip Hawley was on NPR a few minutes ago, opining on the 2nd panty bomber. He said two remarkable things. First, that the operators of nudatrons, who see thousands of naked people per day, would notice the bomb. Second, he didn’t understand why Al Qaeda would continue to focus on underwear bombs.
Once again, Kip’s wrong.
First, Kip is wrong, and ought to know he’s wrong about those operators. Those operators are likely to get bored and be unable to focus on the images after a while. That’s why the TSA inserts fake images of weapons in its XRays. Detecting these anomalies is hard. (Perhaps TSA inserts fake images in the nudatron images, but I didn’t see any mention of such functionality in the system requirements that EPIC forced TSA to release.
Second, he doesn’t understand why Al Qaeda would focus on underwear bombs. Really? You don’t get that for a failed attempt, millions of people will be photographed naked, groped and humiliated? They focus on the things that make the bureaucracy that Hawley built convulse. That bomb didn’t even make it onto the plane, and we’re all expecting the next shoe to drop.
That’s my takeaway from a new study of 2,000 households by Consumer Reports:
There are more than 150 million Americans using Facebook at this point, and that number is growing. … a new exhaustive study from Consumer Reports on social networking privacy found that 13 million American Facebook users have never touched their privacy settings. (“Study: 13 Million People Haven’t Touched Facebook Privacy Settings“, Consumerist)
Consumerist’s headline focused on the small portion who haven’t touched their privacy settings. I think much more interesting is that based on the Consumer Report numbers, 91% of Americans have taken the time to dig into Facebook’s privacy controls. Also, 72% lock down their wall posts. Those are privacy protective actions, and we regularly hear how those privacy controls are hard to use, and how frequently Facebook changes them.
We often hear privacy-invaders making claims that Americans don’t care about privacy, or won’t do anything about it. Those claims are demonstrated to be false, and false amongst even those least likely to be privacy-concerned (young, willing to be on Facebook).
So next time you hear someone make one of those claims, ask them why 91% of Americans change their privacy settings.
As an aside, the article has a really clear summary of the many privacy problems around Facebook.
Jan-Tilo Kirchhoff asked on Twitter for a printer (ideally in Germany) to print up some Elevation of Privilege card sets. Deb Richardson then suggested Kickstarter.
I wanted to comment, but this doesn’t fit in a tweet, so I’ll do it here.
I would be totally excited for someone to Kickstarter production of Elevation of Privilege. Letting other people make it, and make money on it, was an explicit goal of the Creative Commons license (CC-BY-3.0) that we selected when we released the game.
So why don’t I just set up a Kickstarter? In short, I think it’s a caesar’s wife issue. I think there’s a risk that it looks bad for me to decide to release things that Microsoft paid me to do, and then make money off of them.
Now, that impacts me. It doesn’t impact anyone else. I would be totally excited for someone else to go make some cards and sell them. I would promote such a thing, and help people find whatever lovely capitalist is doing it. I would be happy to support a Kickstarter campaign, and would be willing to donate some of my time and energy with things like signing decks, doing a training sessions, or whatnot. I even have some joker cards that you could produce as a special bonus item.
So, if you think Elevation of Privilege is cool, please, go take advantage of the license we released it under, and go make money with it.
[Update: I don’t have exact numbers, but have seen quotes for quantities around 5,000 decks, production might be around $2-3 a deck. At smaller quantities, you might end up around $5-7 a deck. YMMV. So a Kickstarter in the range of $5-10K would probably be workable, although you’d certainly want to think about shipping and handling costs.]