Enblogment, bias

Larry Lessig and Dave Winer have the very clever idea of a polling site based on blog links and click-throughs:

[Lessig] wrote a passionate essay about the Presidential election of 2004, and he wanted to tell people who agreed with his choice to click on a link to express their support. And if they really supported what he was saying, they could write their own essay and link to the same page.

And then of course we’d seek out supporters of Bush and Nader to point to pages indicating support for their candidate.

I have a one-word question: Badnarik? He’s on far more ballots than Nader.

Privacy Protectionism

This month the B.C. government passed a law to prevent the U.S. from examining information on British Columbians that is in the possession of private U.S. companies.

The CBC reports on information about Canadians being sent to the US for processing, and the attendant legal risks. In Canada, they have strong-sounding data-protection laws that they don’t enforce, while the US has weak laws which give better protection to your video rentals than your medical history.

This doesn’t strike me as being about privacy so much as about protecting Canadian jobs. As Michael Geist points out, the new law only applies to data collected by the BC government, not to data collected about the residents of that province. So the practical effect is that the government can’t hire an American processing firm with possible economies of scale.

If the BC government really wanted to protect the privacy of its citizens, it might start by collecting less data, so that it wasn’t subject to these orders.

Paranoia is rampant

Neither, of course, is true. But these rumors testify to one of the most distinguishing — and disturbing — aspects about this election: Paranoia is rampant.

“I haven’t seen an election in which more people are worried about what’s going to happen to them on Election Day,” said Herb Asher, an Ohio State University political science professor. “This really is different this year. You have both sides who are absolutely suspicious of each other.”

So says a good story in the (Seattle) Olympian. Regardless of which candidate you support, what a bozo the other candidate is, or how Osama’s video was designed to support the other side, we’d all benefit greatly from a civil debate.

Ian Grigg on SSL

Ian Grigg has a great page on the SSL industry (really the “certification authority” industry). Worth reading.

The topic reminds me of an essay, I think from Nick Szabo, on the use of language and terminology within the security industry to distort thinking. (The bit I remember discussed the use of “certification authorities,” self-declared.) I’m having trouble finding it. Can anyone help?

Regulate that Arbitrage!

An update on the Americans Stream to Canada For Flu Shots story:

In eight days 3,800 people have jumped on the ship and paid their $105. Victoria Clipper’s Managing Director said the company had not expected there would be such a massive take up.

The company says the day trips still continue, but the number of flu shot travellers is now limited to 150 per day – at least until the last week of November. [Adam adds: Down from an average of 475]

Many Canadian clinics around the US – Canada border say their stocks are running low. Canada is not experiencing a national flu vaccine shortage.

(From Flu cruise operator cuts back popular service to Canada.)

Canadian Charter of Rights And Freedoms

So let me get this straight…

Quebec Court Judge Danielle Cote handed down a 153-page ruling that found two sections of the federal Radiocommunication Act violate the Canadian Charter of Rights and Freedoms.

Cote extended a grace period of one year before her ruling would come into effect.

So the law is a violation of Canadians’ rights to watch the TV of their choice, but the government can keep violating those rights for a year?

I’d be a lot more impressed if the Canadian courts were willing to intentionally add little bits of chaos to society. When the courts struck down the pot laws, there were still arrests for a law that was off the books. There’s uncertainty in the law right now, even if Cote said her ruling doesn’t apply for a while. A year’s delay only makes it worse.

Canadian Charter, II

It seems a bizarre right to be allowed to watch TV, but not say insensitive things. (It’s sad that the car dealer felt ok insulting customers and turning away business. It’s sadder that the courts are intervening where the right answer would be more speech, publicizing intolerance and shaming the dealer.)

Johnnie Thomas again

On one occasion [Johnnie Thomas] was told that she had graduated to the exalted status labeled, ‘Not allowed to fly.’ She discovered that there was no method available for having ‘her’ name removed from the DNFL; indeed, one person from her local FBI office dismissively told her to hire a lawyer (although ironically, he refused to identify himself). An employee of the TSA informed her that ‘four other law-abiding John Thomases had called to complain.’

She ain’t got nothing on David Nelson. Every David Nelson in the country knows they’re on the no-fly list. And not being Senators or Congressmen, they have no hope of getting off. It even happens to the Chairman of the House Transportation and Infrastructure Committee.

(Inspired by Mark at BoingBoing.)

Online Extortion

There’s a long article by Joseph Menn in the LATimes about online extortion via DDOS attacks, and how much money it brings in. (Use Bugmenot for a login.)

The threat involved massive denial of service attacks on a gambling site, using thousands of “zombie” computers sending data to the site. It’s not clear how clever these zombies were. In theory, it’s possible to build a very clever zombie that pretends to be a customer and tries to log in on a secure page. (Serving a secure page costs more than serving an unsecured one, and the cost lands mostly on the server, which does the expensive private-key operation in the SSL handshake, rather than on the client. A bot can open handshakes cheaply while the server pays full price for each one.)

There are three main ways to defend yourself against a DDOS:

  1. Build enough capacity that you don’t care.
  2. Distinguish real and fake traffic, block the fake.
  3. Go undercover and learn about the attackers. Have them arrested.

(1) is hard, even if you’re Google.

(3) is challenging for a bunch of reasons that are clear from Menn’s article.

Let me examine (2) in more detail. Because these attacks are executed by programs, it’s usually possible to find differences between the attack streams and the real customer streams. It may be possible to throw away attack traffic and let real traffic through, depending on how programmable your network gear is.

Throwing away attack traffic is procedurally expensive. You need to capture a bunch of baseline traffic, then compare it with attack traffic to see if you can distill out an actionable signature. You then need to test your signature against real traffic and see what it would discard. All of this expense makes DDOS defense an excellent area for a company to come along and do it for you. A company could invest in a collection of experts, custom software, and a regular stream of customers, so that it learns what works and what doesn’t. All of that means that for any given DDOS attack, they can defend you more cheaply than you can defend yourself. Cool! It’s specialization in action.
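Here is what that distill-then-test step looks like in code. This is an added example, not part of the original post and not any vendor’s product: the log format, the feature set, the per-IP rate threshold and the two traffic samples are all constructed for illustration. The attack sample is the “clever zombie” case from above, a swarm of bots posting to the login page. The signature is the set of feature values that cover nearly all attack requests while matching almost none of the baseline, and it is scored against the baseline so you can see what real traffic it would throw away.

```python
"""Distill a DDoS signature from baseline vs. attack logs, then measure what it
would discard from real traffic. Added example; log format and data are constructed."""
from collections import Counter
import re

# Cut-down log format (constructed):  client_ip method path status "user-agent"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
RATE_THRESHOLD = 5  # requests from one IP in the window; an assumed value

# Constructed baseline: a handful of real-looking customers, mixed browsers and paths.
BASELINE_LOG = """\
203.0.113.10 GET /sports/odds 200 "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.10 POST /login 200 "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.11 GET / 200 "Mozilla/5.0 (X11; Linux) Firefox/1.0"
203.0.113.12 GET /poker/table/7 200 "Mozilla/5.0 (Macintosh) Safari/125"
203.0.113.12 POST /login 401 "Mozilla/5.0 (Macintosh) Safari/125"
203.0.113.13 GET /sports/odds 200 "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.14 GET /account 302 "Opera/7.54 (Windows NT 5.1)"
203.0.113.15 POST /login 200 "Mozilla/5.0 (X11; Linux) Firefox/1.0"
"""

# Constructed attack: 40 zombies, 10 failed logins each, all with one bare user-agent.
ATTACK_LOG = "".join(
    f'198.51.100.{i % 40} POST /login 401 "Mozilla/4.0"\n' for i in range(400)
)


def parse_log(text):
    """Parse the constructed log format into dicts; lines that don't match are skipped."""
    reqs = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, method, path, status, ua = m.groups()
            reqs.append({"ip": ip, "method": method, "path": path,
                         "status": status, "ua": ua})
    return reqs


def features(reqs):
    """One feature set per request. The rate feature depends on the whole window,
    so it is computed over the set passed in rather than per line."""
    per_ip = Counter(r["ip"] for r in reqs)
    return [
        {("method", r["method"]), ("path", r["path"]), ("status", r["status"]),
         ("ua", r["ua"]),
         ("rate", "high" if per_ip[r["ip"]] >= RATE_THRESHOLD else "low")}
        for r in reqs
    ]


def distill_signature(baseline, attack, min_coverage=0.9, max_cost=0.05):
    """Keep feature values that cover most attack requests (coverage) while
    matching few baseline requests (cost). Returns rules best-first as
    (feature, value, attack_coverage, baseline_cost)."""
    base_f, atk_f = features(baseline), features(attack)
    base_cnt = Counter(fv for f in base_f for fv in f)
    atk_cnt = Counter(fv for f in atk_f for fv in f)
    rules = []
    for fv, n in atk_cnt.items():
        coverage = n / len(atk_f)
        cost = base_cnt[fv] / len(base_f)
        if coverage >= min_coverage and cost <= max_cost:
            rules.append((fv[0], fv[1], coverage, cost))
    rules.sort(key=lambda r: (r[3], -r[2], r[0], r[1]))
    return rules


def evaluate(rules, traffic):
    """Apply the signature to a traffic window: a request is dropped if any rule
    matches. Returns (dropped, total), which is the number you check on real traffic."""
    wanted = {(r[0], r[1]) for r in rules}
    dropped = sum(1 for f in features(traffic) if f & wanted)
    return dropped, len(traffic)


if __name__ == "__main__":
    base, atk = parse_log(BASELINE_LOG), parse_log(ATTACK_LOG)
    sig = distill_signature(base, atk)
    for feat, val, cov, cost in sig:
        print(f"drop if {feat}={val!r}: covers {cov:.0%} of attack, costs {cost:.0%} of baseline")
    print("baseline dropped:", evaluate(sig, base))
    print("attack dropped:  ", evaluate(sig, atk))
    print("mixed dropped:   ", evaluate(sig, base + atk))
    # Loosening the cost bound admits "status=401", which also discards a real
    # customer's mistyped password. That is exactly what the test-against-baseline step catches.
    loose = distill_signature(base, atk, max_cost=0.2)
    print("loose signature drops from baseline:", evaluate(loose, base))
```

With the tight cost bound the signature comes out as two rules, the bare user-agent and the per-IP rate, and discards none of the baseline; loosening the bound lets a rule on the 401 status through, and the baseline check immediately shows it would throw away a legitimate failed login. The exact matching on user-agent is also where the arms race discussed next begins: once the attacker learns that rule, the next zombie copies a browser string, and the rate feature has to carry the signature alone.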

Now, what happens when the ACME corp launches their DDOS Defender product line? (As I hope is clear, I’m talking theory. I have no idea if there’s such a product name out there.) Well, the attackers start trying to learn what it does to block traffic, so they can change their code and get around it. Then you’ve got a little arms race going.

Acme’s natural response is to try to hide details about their defenses. The more work they can make an attacker do, the better off Acme customers are. So now Acme’s prospective customers have a problem. How can they tell Acme’s product from a system with the same marketing which does absolutely nothing?

This is an ideal place for signaling, and warranties are an established form. So, does any DDOS prevention company offer a money-back guarantee, or otherwise send a strong signal of their self-confidence? (I don’t know, but I bet my readers do.)

Amazon (3 Comments on SteveC)

Something about a post by Steve got to me…

Whenever amazon comes up in conversation I tell people how particularly behind they are but I don’t think I get the point across.

Who does better? I find that it always works better to say who does well, rather than who does poorly. Let people figure out the latter on their own.

Take a design perspective on amazon. Their website is basically crap. It has accreted so much it’s like a ship covered in barnacles with the hull removed – you can use the shell of barnacles itself to sail upon. Consider the simple task of finding recommendations of items to buy. You’d think they’d subtract items you have bought from them or items already on your wishlist from that, but no. It’s such a simple thing, the kind of thing you don’t want them to miss. The kind of thing Apple would pick up on but Microsoft not.

Do they not have that? For a while the US site had an “I already have this” checkbox…I never checked it because it’s none of their business. I mind telling them what I own, and I mind their assumption that if I own it I like it, more than I mind seeing extra items in the suggestion box.

And finally, with regard to the “smell of desperation,” if I can sell you a credit card at 12%, borrow money from the Fed at 2%, and pay someone else 5% to manage the accounts, then I’m making a risk-free 5% on my money. (I don’t know if I can offload management and non-payment risk at the same time.) Now, that’s not a brilliant return, but given that Amazon has chosen to hold onto a lot of cash, making a low-risk 5% seems like a fine bit of financial engineering.

“Getting nothing wrong is for the uninspired”

Nat has a typically insightful post inspired by Muine, a radical re-think of what a music player on your computer should do.

Why would those things be there? Because every other music app has those features, and if you’re building a music tool, you’ve got to have them too. Only, somehow, you’ve got to do them better than everyone else. How could you possibly put out a music player without the ability to burn CDs from a playlist? Or without a five-star rating system like Windows Media Player? Are you paying any attention to what’s going on?

Now, if only his blog had labels on posts, (instead of days), comments, and maybe some sort of trackback feature…

Bejtlich on Intrusion Data

Richard Bejtlich posts on “Will Compromises at Universities Aid Security Research?”:

Several recent events may give security researchers the data they need. For example, UC Berkeley suffered an intrusion on 1 Aug 04 which jeopardized a database containing names, addresses, telephone and Social Security numbers collected by the California Department of Social Services (CDSS). According to Carlos Ramos, assistant secretary at CDSS, the compromise “was discovered on Aug. 30 by Berkeley IT staff using intrusion detection software.” I wonder if the IDS was Vern Paxson’s Bro, developed in the International Computer Science Institute and featured in chapter 9 of The Tao of Network Security Monitoring? As I mention in the book, Vern previously used Bro to track intruders at UC Berkeley.

The three events that he mentions are clearly a source of data that should be studied. But the data I need is on hundreds, or thousands, of intrusions. Enough to do statistical analysis. Enough to analyze defensive postures and test hypotheses about what goes wrong often enough to allow a break-in. For example, a question that a sample of three doesn’t answer is: “Were these events typical, or extraordinary?”

Common Criteria

Statistics gleaned from the labs’ Common Criteria work indicate that the testing is improving security, said Jean Schaffer, director of NIAP. Schaffer spoke during a session at a Federal Information Assurance Conference held this week at the University of Maryland.

So far, 100 percent of the products evaluated have been approved, she said. The testing directly improved 30 percent of the products tested by eliminating security flaws that could have been exploited by attackers. About 40 percent of the products evaluated were improved by the addition or extension of security features, Schaffer said.

Critics say Common Criteria testing costs too much and takes too long, but Schaffer argued that these claims are made by those who do not have firsthand knowledge about the testing. Feedback from the labs shows that testing for Evaluation Assurance Level (EAL) 2 — the minimum level of security, which includes products such as firewalls, intrusion-detection systems, routers and switches — costs $100,000 to $170,000 and takes four to six months. The highest level of security — EAL 4, which includes operating systems that support peer-to-peer communications — costs $300,000 to $750,000 and takes one year to two years.

So let me get this straight:

  • Spend $100,000 and have a 30% chance of finding a flaw, and a 40% chance of adding features?
    Have I got a deal for you! Give me $50,000, I’ll run gcc -W on your code, and give you a trademarked “Adam seal of approval.” No issues? No charge.
  • Spend half a million dollars to get to EAL 4?
    As I said before, too easy, and too expensive. (And “highest level” oversells it: the Common Criteria define EAL 1 through EAL 7; EAL 4 is simply the highest that commercial products routinely reach.)
  • No product has failed evaluation.

No product fails evaluation because you get to keep coming back for more, secretly. That you had to do so is very useful information. But only the final certification report is published; what you did to get there is not. That’s hard to change. I’d sure want a dry run before I got a real report.

But let’s look at this from the seller’s perspective. If you’re developing a product, what do you get for your $100,000? You could get 3-6 months of high quality security review by an expert. Or you could send a signal that you’re interested in the government market. A signal, you’ll recall, is something that’s hard to fake, and communicates useful information in the situation where the seller knows more than the buyer reasonably can. A signal should be easier for an honest player to send than for one who is misrepresenting themselves. The other thing that the CC signals is that you have large piles of documentation. Unfortunately, it doesn’t really imply that your product is any more secure.

(See the original story at Federal Computer Week.)

DHS Inspector Report

According to a new report from the Department of Homeland Security’s inspector general, airport screeners still Need Improvement. That will not come as a surprise to anyone who travels, but some of the details, as reported by A.P., are still disturbing:

-Screeners aren’t tested on when they should pat down passengers and what the passengers’ legal rights are.

Well, duh, no one knows what the passengers’ legal rights are. Can’t expect the screeners to.

(From Washington Post, by way of Hit and Run.)