Jihad Watch: Muslims claim unfair treatment at Canadian border

I’ve been debating whether I should respond to this idea of unlimited searches of Muslims again, and realized that there’s a perhaps interesting analogy.

JihadWatch quotes an AP story:

BUFFALO, N.Y. — An Islamic civil rights group Wednesday accused U.S. border agents of religious profiling after dozens of American Muslims were searched, fingerprinted and photographed while returning from a religious conference in Toronto.

[DHS spokeswoman Clemens said:] “We have ongoing credible information that conferences such as the one that these 34 individuals just left in Toronto may be used by terrorist organizations to promote terrorist activities, which includes traveling and fund raising,” Clemens said. “As the front-line border agency, it is our duty to verify the identity of individuals, including U.S. citizens, and one way of doing that is fingerprinting.”

[Robert Spencer of JihadWatch closes:]
One easy way to do that would be to cooperate with such inconveniences without complaining about profiling. The bottom line is still that if you are not doing anything wrong, you have nothing to worry about. Americans must accept these irritations as an unavoidable price of living freely and securely in America today. I myself have been stopped and searched many times at airports, and have never complained about it, nor will I ever, even if I were held for hours somewhere and had to miss my flight.

I’ve responded to the claim that Muslims have nothing to fear (although perhaps not as eloquently as JihadWatch’s commenters; anyone who doubts that Muslim American citizens should be vigilant about their liberties should read the comments on these stories.)

However, let’s look at this specific action: fingerprinting 34 Americans for attending a conference. Now, I might say that this makes sense if there were agents at the conference who can say that yes, this conference was a collection of people advocating the violent overthrow of the government, and Americans there stood up and joined in.

However, to only stop and fingerprint in that case sends a signal that an agent was present, and you’ve got a mole. That’s bad. If Islamic terrorists are willing to murder Theo Van Gogh, they’re certainly willing to kill a mole. And such undercover agents deserve our protection and gratitude; they’re the best way to catch those who would otherwise kill Americans.

There’s an analogy here to the use of information gleaned from cryptanalysis. If you use the information you’ve gotten, you may reveal that you’ve broken the enemy’s codes. If you don’t use it, what good has it done? The best way to resolve this dilemma is either subtlety or dramatic victories, such as the Battle of Midway in the Second World War.

However, these are not foreigners we’re dealing with, they’re American citizens, who are (nominally) being treated differently because of their beliefs and their politics. There needs to be a 4th Amendment test of government intrusion into their lives. Some people might object that this is wooly liberalism, and that in these times we can’t afford as much liberty as we’ve had in the past. They are quite wrong. Liberty is the core enlightenment value over which we’re fighting. We need to embrace our values, and show that even under threat, we cherish them. To do anything less is to hand terrorists a moral victory.

Finally, I am reminded of the book, The Infernal Machine, which I reviewed on the cypherpunks list a while back.

Quick Links

Cory points to another example of anti-consumer activity, this time Apple disabling the high quality audio-in on the iPod. How to fix it at Hack-a-day. Also via Hack-a-day is the paper Enigma machine.

Scrivner discovers that Uncle Sam admits to cooking the books, in a way that the SEC would never tolerate from a public company. Too bad we accept it from the government, because all American citizens will be paying for this for a long time.

Cory vs DRM

Cory Doctorow posts a delicious rant against Wired’s review policy here. Unfortunately, he fails to stress what I think is the key point. Wired is writing reviews. Those reviews are supposed to be impartial. Whatever you may think about DRM, it is clearly an important mis-feature of a product which you may buy. Informed reviewers, such as those at Wired(?), ought to talk about it in every review they write. That they don’t, that they follow Chris Anderson’s “but nothing I care about that I can’t work around in one way or another” directive, convinces me to look elsewhere for reviews. To be fair, Chris also says “[Wired] Test and the rest of our reviews do take points off for intrusive DRM when we encounter it.” However, as Cory points out, DRM can be explicitly designed so that a reviewer does not encounter it. It can be a six or twelve month time bomb in a product. A reviewer ought to be investigating such things.

Cory’s rant closes:


PS: Does that “nothing I care about” line remind anyone else of a Potter Stewart-like failure to provide a crisp test?

[Update: Cory posts again, responding to the claim that the market will sort it out without reviewers mentioning DRM.]

Congratulations to Mozilla

I’ve always believed that my readers are smarter and better looking than average, and now I have proof. Yesterday, for the first time, over half (50.3%) of the visitors to this site were using Mozilla or Firefox. (As summarized by AWStats; Mozilla’s 31.4% plus Firefox’s 18.9%.)


Browsers               Grabber   Hits     Percent
Mozilla                No        10308    31.4 %
Unknown                ?          9786    29.8 %
Firefox                No         6204    18.9 %
MS Internet Explorer   No         2448     7.4 %
NetNewsWire            No         1711     5.2 %
Safari                 No          972     2.9 %
Opera                  No          589     1.7 %
Netscape               No          312     0.9 %
OmniWeb                No          171     0.5 %
Konqueror              No           74     0.2 %
Others                 -           231     0.7 %

Quick Links

John Robb has an article at Global Guerrillas about the cost of terrorist attacks and their impact on the economic equilibria at work in cities, based on a report by the NY Fed.

A terrorism tax is an accumulation of excess costs inflicted on a city’s stakeholders by acts of terrorism. These include direct costs inflicted on the city by terrorists (systems sabotage) and indirect costs due to the security/insurance/policy/etc. changes needed to protect against attacks. A terrorism tax above a certain level will force the city to transition to a lower market equilibrium (aka shrink). So, what is that level?

Next, Ian Grigg discusses an article on corporate espionage:

… against American companies, generally by their competitors. It’s good because it is real. The threats are validated by court filings, research and surveys. This is what real security is about, determining what threats are out there, validating them and constructing economic models of their costliness. Only then can security people proceed to design economic security systems to address the threats.

I’m generally skeptical of claims of industrial espionage, but the Baseline article has six examples. It’s not clear to me that’s enough to build a business case.

Finally, John Gruber has a long article at Daring Fireball on what to do before you patch your Mac, with some discussion of the superstitious, and potentially harmful advice that’s out there. Short answer: wait a day or three (gosh, where have I read that?), and backup first.

More on ROI

You can get ROI from security solutions by automating manual processes. Patch management and automated password resets are two solutions that don’t need “incidents” to gain a return.

says Pete Lindstrom, responding to my comments that:

Well, of course. ROI has enormous problems, including an assumption that technology works out, that there’s an infinite pool of free capital to draw on, etc. Techniques such as economic value add allow you to take some of these into account. But the biggest problem is that quantifying the cost of a breach is hard. Without knowing what the alternative is (to reserve or insure), its hard to justify much security spending. [Emphasis added.]

What I meant is not that ROI is impossible, but that there are better tools to use, even when you can quantify the costs. I’m in favor of quantifying costs and doing economic analysis. ROI, for example, doesn’t help you distinguish between two projects with an ROI of 100%. If one costs $1m and returns 20% a year for the 5 year expected life of the project, and another costs $300,000 and has a 1 year return of $300,000, then the ROI is the same, even though the second project ties up a third of the capital for a fifth of the time.
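To make the comparison concrete, here is an added worked example (my illustration, not part of the original post) that scores the two projects above with ROI as the post uses it, total undiscounted return divided by cost, and then with two measures that do tell them apart: net present value and payback period. The 8% discount rate is an assumed cost of capital, chosen only for illustration.

```python
"""Added example: why ROI alone cannot rank the two projects in the post.

ROI as used above (total return / cost) is 100% for both projects; NPV and
payback period, which account for timing and duration, are not.
"""
from typing import Dict, List

# Cash flows exactly as stated in the post:
#   Project A: $1m cost, returns 20% ($200k) a year for its 5 year life.
#   Project B: $300k cost, returns $300k after one year.
PROJECTS: Dict[str, Dict] = {
    "A": {"cost": 1_000_000, "returns": [200_000] * 5},
    "B": {"cost": 300_000, "returns": [300_000]},
}

DISCOUNT_RATE = 0.08  # assumed cost of capital (not from the post)


def roi(cost: float, returns: List[float]) -> float:
    """ROI in the post's sense: total undiscounted return divided by cost.

    It ignores both when the money comes back and for how long it is tied
    up, which is exactly why it cannot distinguish A from B.
    """
    return sum(returns) / cost


def npv(cost: float, returns: List[float], rate: float = DISCOUNT_RATE) -> float:
    """Net present value: each year's return discounted at `rate`, minus cost.

    returns[0] is received at the end of year 1, returns[1] at year 2, ...
    """
    present_value = sum(r / (1 + rate) ** (year + 1) for year, r in enumerate(returns))
    return present_value - cost


def payback_years(cost: float, returns: List[float]) -> float:
    """Years until cumulative undiscounted returns cover the cost; inf if never."""
    cumulative = 0.0
    for year, r in enumerate(returns, start=1):
        cumulative += r
        if cumulative >= cost:
            return float(year)
    return float("inf")


def compare(projects: Dict[str, Dict] = PROJECTS, rate: float = DISCOUNT_RATE) -> Dict[str, Dict]:
    """Score every project on all three measures."""
    return {
        name: {
            "roi": roi(p["cost"], p["returns"]),
            "npv": round(npv(p["cost"], p["returns"], rate), 2),
            "payback": payback_years(p["cost"], p["returns"]),
        }
        for name, p in projects.items()
    }


if __name__ == "__main__":
    for name, m in compare().items():
        print(f"{name}: ROI {m['roi']:.0%}  NPV ${m['npv']:,.2f}  payback {m['payback']:.0f} yr")
```

Both projects report the same 100% ROI, but at 8% project A has an NPV roughly $180,000 worse than B and takes five years to pay back against B’s one. Under the post’s definition a 100% ROI only means the capital is recovered, which is why both NPVs are negative once the time value of money is counted; that is the kind of thing ROI hides and NPV or economic value add exposes.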

So yes, patch management and better password management are probably rational investments, and there are better ways to show that than ROI.

[Updated: Pete Lindstrom said that, not Peter Swire. Sorry!]

Biased Reporting

News.com has an article entitled “Craigslist costing newspapers millions.” Which is nominally accurate, but a better title would be “Craigslist saving consumers millions.”

Craigslist, which generates more than 1 billion page-views each month, also has cost the newspapers millions more in merchandise and real estate advertising, and has damaged other traditional classified advertising businesses, according to a report published by Classified Intelligence.

Newspaper classifieds are horridly inefficient: they’re slow to publish, they’re hard to search, you can’t take down an ad when an item is sold, and because you’re putting ink on paper, you pay by the word, leading to a bizarre set of abbreviations. The shift to online classifieds will be a complete win as soon as someone figures out how to let you circle items onscreen.

Talking is Tough

Anyone who talks to journalists to provide background or commentary says things that they wish they hadn’t. This is in contrast to when you’re making news, and can plan what you want to say, and it’s easier to stay “on message.” Kudos to Bruce for owning up to it.

I’m sure I said that, but I wish the reporter hadn’t used it. It’s just the sort of fear-mongering that I object to when others do it.


With Yushchenko at 52% of the votes to Yanukovich’s 44%, it seems likely that Yushchenko will be the next leader of Ukraine. Congratulations to all who stood up for a fair and honest vote.

Oh, and it means I can get a nicer stylesheet in place, too.

The Intent of a Tank

“We used to talk about the intent of a tank,” Colonel Thomas explained in an interview. “If you saw one, you knew what it was for. But the intent of electrons – to deliver a message, deliver a virus, or pass covert information – is much harder to figure.”

Ian Grigg points out an interesting article in the New York Times on the difficulty of gathering data to monitor the net.

The article mentions spammimic and draft messages and how to use an ATM to send messages. (The article doesn’t mention that you can create a reasonable codebook of up to about a thousand messages by using deposits, or 100,000 messages if you deposit coins as well as bills.) And as long as we’re discussing clever steganography, has anyone investigated how many spare bits are in those Hallmark musical cards? It should be possible to add a little data in there, or even replace the chip with a smarter one. Who could tell the difference?

All reasons why bulk surveillance is going to have to be replaced by messy, difficult, targeted infiltration. Of course, if John Walker Lindh can do it, the CIA and FBI should be able to, too.

Database Flaws More Risky Than Discussed

Rob Lemos has an article in CNET about NGSSoftware. On Thursday, they released exploit code for flaws NGS had discovered 3 months ago. Now, it turns out that the problems may be more risky than thought. Alternately, the release of the exploit code may have caused SecurityFocus to raise its threat estimate.

Now, on the one hand, these issues, and their patches, have been known for a while. Anyone really interested could use binary diffing tools, by folks like Halvar Flake (400k PDF) or Todd Sabin, to compare the patched and unpatched binaries and locate the fixed code. So a company attempting to use risk management techniques for patching has had quite a bit of time to test, wait for a patching window, and then apply the patches. In the meanwhile, they’ve been vulnerable to a small number of competent attackers and their associates who’ve known since the patches came out how to exploit them. Anyone who waits for an exploit to become public in a case like this is likely to become a victim.

However, it’s also possible that the vendor’s choice of how to characterize the risk was either incorrect, or chosen to put them in the best light. Without the technical data about the exploit being easily available, there’s no check on the vendor’s assessment. So the risk management numbers may well have given the wrong result: A ‘high’ risk vulnerability that should have been patched may have been labeled ‘medium,’ and a customer with a low cost of downtime may have decided to accept the risk of being attacked, rather than the risk of system change.

On a closely related note, folks who release a fully automated compromise of XP SP2, or IE overflows on Christmas eve are being poor sports. Whatever you think of Microsoft’s security practices or of full disclosure, there’s little reason to put millions of people at risk by releasing an advisory when people who would write the fix are presumably on vacation, as are the people who would install a fix.

[Update: Put in link to Todd Sabin’s work.]

Keynote can’t Export to Web?!?

I was just playing with Keynote, working on some slides for Shmoocon, when I realized that I couldn’t get my slides onto the web! Now, I’ve griped about how Powerpoint makes its slides for the web, but at least it makes them.

It seems that Tim Bray figured this out a while ago, but I missed it. Others comment that it should be possible to move from XML to HTML, but it’s still just a wishlist item.

Do any of the free software packages have a solid presentation creator, with good export to powerpoint and web?

Winning the Battles, Losing the War

A historian, Isaiah (Ike) Wilson III, Ph.D., gave a talk a few months ago at Cornell, entitled “Thinking Beyond War: Civil-Military Operational Planning in Northern Iraq.” His basic thesis seems to be that, in contrast to a carefully planned and executed war campaign, there were no definitive plans for what to do after the Iraqi army collapsed. “In short, there was no operational plan for the post-offensive because the post-offensive phases were viewed as someone else’s mission” is how he summarizes his thesis. This is all made more interesting because he’s not some bleeding-heart peacenik, but a Major in the US Army:

From April to June 2003, this author chronicled the war effort as a researcher and a primary writer for the Chief of Staff of the Army’s (CSA’s) Operation Iraqi Freedom (OIF) Study Group. This assignment offered great opportunity to view the execution of combat operations from a frontline vantage point, to conduct formal interviews with soldiers of every ground unit (US Army, US Marine Corps, and UK Forces) engaged in the march up country to Baghdad and record their experiences and lessons gathered. From July 2003 to March 2004, this author participated more intimately in the war effort, serving as the chief of plans (chief war planner) for the 101st Airborne Division (Air Assault). In this capacity, this author participated in and led the planning of combat (offense), support, and civil reconstruction efforts in northern Iraq.

He characterizes the state of affairs on the ground today:

The lack of an endstate-driven campaign plan prior to the commitment of combat forces in Iraq has contributed to the present state of civil-military affairs in Iraq: a Coalition Provisional Authority (and now a “sovereign” interim Iraqi government) lacking long-range vision and the know-how to put into action those goals and objectives it has figured out thus far, and a combined and joint military force with the expertise in getting things done – be it destruction or reconstruction – yet hobbled by a lack of resources, a lack of a winning plan and strategy, and an over-abundance of misdirected bureaucratic “assistance.”

His report is in two major parts: the pre-war planning, and the experience of the 101st Airborne Division in Northern Iraq. That Northern Iraq hasn’t fallen into disarray is actually impressive: the Kurds would like nothing more than to secede and start their own country, there’s a substantial Baathist region, and Turkish special forces were scattered throughout. He explains why, and proposes ways to improve things, both in the rest of the country and in US military doctrine and training.

I feel a little bad in that he asks we not cite his work without permission. But these are important policy questions, and the document was on a public web site. The entire report is worth reading if you care about why we are where we are.

Now all of this was drawn to my attention by an article in the Washington Post, Army Historian Cites Lack of Postwar Plan:

Army Gen. Tommy R. Franks, who as chief of the Central Command led the war planning in 2002 and 2003, states in his recent memoir, “American Soldier,” that throughout the planning for the invasion of Iraq, Phase IV stability operations were discussed. Occupation problems “commanded hours and days of discussion and debate among CENTCOM planners and Washington officials,” he adds. At another point, he states, “I was confident in the Phase IV plan.”

A rank amateur in the art of reading statements written by media consultants would think that the Major and the General are contradicting each other. But they’re not. Wilson argues that the planning was insufficient, chaotic, and missed important factors for organizational reasons. Of course Franks, as a participant in the system, didn’t see these flaws at the time. Of course he was confident: If he wasn’t, the plans would be revised until he was. But were the plans critiqued, and did those critiques reach his ears? Wilson says no.

[Update: James Fallows has a long piece in the Atlantic on the war, and the post-war planning process.]