Releasing Criminals

My friend Sameer takes issue with my hoping for experimentation by criminals, on two grounds:

First, he believes I’m encouraging violence. This wasn’t my intent. I assume that there are all sorts of ways to non-violently behave badly, from calling a guard snookums to having a tattoo needle in your cell. However, I don’t know.

His second argument is that my criteria for release are orthogonal to being a menace to society: That this fellow could be a clever psychopath. This is true. I made the (again unstated) assumption that, like most people in jail, this fellow is in jail for a non-violent drug crime.

If he’s in jail for violence, or needs to commit violence to get out, that would temper my previous position.

How Much Is Risk Management Worth?

David Akin blogs that Fitch Ratings has purchased Toronto’s Algorithmics for $175M (the press release is datelined New York, so I’m guessing that’s a US dollar figure).

Algorithmics makes risk management software, focusing on market risks for banks, things like hedging strategies and BASEL II compliance (based on a quick read of their site.) So one answer is that better risk management is worth $175m.

But presume that you know a lot about other banks’ risk management strategy, because you make the software that drives it. Can you anticipate their actions and use that against them? (Fitch seems to be only in the ratings business, and so may not be positioned to do this.)

A good day for liberty

In its powerfully worded decision, the [UK Law Lords] said that the government’s “draconian” measures unjustly discriminate against foreigners since they do not apply to British citizens and constitute a lopsided response to the threat of a terrorist attack.

(From The New York Times, see also the BBC or Volokh.)

WASHINGTON (AP) — A [US] federal judge ruled Thursday that an American held in Saudi Arabia for suspected links to terrorism might be able to challenge his detention in a U.S. court because there is “considerable” evidence U.S. officials were behind the arrest.

(From the AP via the New York Times, or Volokh.)

The way to win a kulturkampf is by showing off the best parts of your kultur. Its a good thing we have the courts to do that, when our executives are deranged. Hey, that balance of power thing was a good idea. Maybe some others could adopt it?

Clever criminals

Over at Marginal Revolution, Alex Tabarrok quotes a letter from an inmate:

[Inmate:] A privately owned and publicly traded company like CCA has no incentive to rehabilitate criminals.  It is in the best interests of the company for even more criminals to exist.  Unfortunately, the same is true of government run prisons.  And contrary to what you may have been told, prisoners are not paroled because they have indicated by their actions or behaviors while inside that they are less likely to reoffend; they are let go because the Parole Boards believe that will commit another crime.  This way the prison lobbyists can then “prove” that parole doesn’t work.  The Department of Corrections gets less money from paroled prisoners than it does for those kept inside.  And also, “good” inmates are less trouble (less labor) than the trouble-makers, and so trouble-makers get released.

[Alex:] Good analysis.  I hope, however, that he does not test his theory on how to gain early release.

Alex did not elaborate, but it seems to me that this fellow is clever, insightful, and may well be a fine person to get released. Not knowing why he’s in prison, I hope he does test his theory, and that he shares with us the results. All in the name of science.

Quickies has an interesting article about taxes and your phone company. Any article that starts with an error about how long ago the Spanish American war took place is a little worrisome, but I love watching badly written law becoming irrelevant.

Stefan Geens has a great article taking a simple question and exploring the math required to answer it. And I love his format, and his commenters. Why don’t I get great comments like his?

Browser privacy from the server?

A friend writes and asks:

I’m working in NYC now, as the Web Admin for Safe Horizon. We’re the largest service agency in the
US for victims of violence, crime or abuse. We’re interested in
putting in some features into our site, but we have to protect our
visitor’s privacy, since they might be visiting our site from a
computer their abuser also uses.

We have instructions on our site detailing how to delete your history,
empty your cache, etc. And we don’t use cookies. But, I was wondering
if there might be an easier way for our visitors to stay safe. I know
there are proxy sites that allow you to surf anonymously, and telling
them to use those is certainly an option.

But, I was wondering if there was a better way. I found out about a
company called Apparently, they have a “click here once and
the rest of your session is not recorded” technology. But, it’s only
for IE 5+ for Windows. Granted, that takes care of 90% of our
visitors. But, if they’re doing it, maybe someone else is too.

I’m not familiar with Ponoi: Does it work? Is anyone familiar with something else that the site can do to help? Comments are open, and appreciated!

Signalling by Counting Low Hanging Fruit?

I’ve been thinking a lot about signaling software security quality. Recall that a good signal should be easy to send, and should be easier for a higher quality product.

I’d like to consider how running a tool like RATS (link) might work as a signal. RATS, the Rough Auditing Tool for Security, is a static source code analyzer. Would it work to provide a copy of the results of RATS, run across your code? Firstly, this is pretty easy to do. You run rats -R * > report.txt and you get a report. A company could give this report to customers, who could weigh it, and have more information than they have today. (Literally. A long report, taking more pages, means worse software. At least, it means worse software as seen through a RATS filter.)

That filter is imperfect. First, it rewards worthless behavior such as changing strcpy(dest, "foo") to strncopy(dest, "foo", 3) so that RATS won’t complain. Next, it rewards writing code in languages that RATS doesn’t scan. This is somewhat useful–code written in C will have more string management errors than code written in another language that doesn’t have string manipulation problems. Given the number of such errors, the added incentive to move away from C is not economically perverse.

It would be fascinating to know if the items that RATS detects are predictive of other bug density. On the one hand, much research into quality assurance and testing indicates that bugs do cluster. On the other, the use of a library call that sometimes has security problems may be disjunct from other types of bugs in how concentrated it is. Knowing if RATS is predictive would allow us to judge how useful a signal it is. There may be other useful things to do with the data, too.

If RATS output became accepted in the marketplace, would it be easy to forge the signals? Unfortunately, it would be. Generating a report that is 2 pages shorter than the competitions is easy. Just cut lines from the file. Simple inspection won’t reveal that. There are ways to examine binaries, but they require skill and a little time. I don’t think this is likely behavior. A company that certifies that it ran a test, and alters the results of the test is engaging in deceptive trade practices. And yes, there may well be used car dealers who offer fake warranties, but they’re few and far between. The downside is too large.

Finally, I’d like to run this through a 5 step process proposed by Schneier in the April, 2002 Crypto-gram, to see what we learn. (Read the article for clarification on why this is a fine evaluation framework. I’m abusing it slightly, by looking at a signal, rather than at a security measure.)

  1. What problem does the security measure solve?
  2. How well does the security measure solve the problem?
  3. What other security problems does the measure cause?
  4. What are the costs of the security measure?
  5. Given the answers to steps two through four, is the security measure worth it?

Distributing RATS output helps to solve the question of how a customer should evaluate software. The question of how well it does this, as noted is open. There are some clear problems. There’s no security problem caused by the technique. It’s cheap to do. And so, even though its not a great signal, its probably worthwhile.

Referrer spam: The end is ROI

The first two claim to be UNDER CONSTRUCTION, and this makes my hypothesise that they are honeypots of a sort, respectively researching whether Deep-URLs (“/friendslinks.php”) or merely Root-URLs (“/”) are most effective methods of Referrer-Spamming, plus also providing a check to see which blogs are the most valuable ones to be worth spamming.

In short: I hypothesise that the referrer-spammers are now doing ROI (“Return On Investment”) calculations.

writes Alec Muffett. Go read it.

Welcome, Carnival readers!

My friend Rob Sama is hosting this week’s Carnival of the Capitalists, and was kind enough to give me a shout out. So, welcome if you’re coming in from there. I’m traveling on business, so blogging will be a little slow, but please, have a look around! I try to apply economics to security problems here, and there’s also a lot on personal liberty, which any good reader of Hayek knows is linked to economic freedom. So enjoy! Comment!

State Failure 101

Global Guerrillas has a great post on how US efforts in Iraq are broken:

Unfortunately, the US effort to rebuild Iraq is out of synch (a full 180 degrees) with what is really needed.  If we map US efforts to Maslow’s hierarchy we see something quite unsettling. 

Two on Liberty

Ed Hasbrouck has a long post on the impact of the new “intelligence reform” bill on privacy and liberty.

The CBC has an article on Australia imposing random drug tests on its consumer-units, or citizens, or something.

Strictly Off The Record…

Nikita Borisov and Ian Goldberg have released Off-the-Record Messaging, an IM plugin for private communication providing not only the usual encryption and authentication, but also deniability and perfect forward secrecy. Deniability avoids digital signatures on messages (while preserving authenticity and integrity), so there is no hard-to-deny proof you wrote anything in particular; in fact, there is a toolkit to help people forge messages, making it extra-hard to pin things on you. Perfect forward secrecy means that your past messages and conversations remain protected even if your keys are compromised.

You can read the OTR protocol description, download the source code for the gaim-otr plugin, or grab a gaim-otr binary package for Debian or Fedora Core.

(Stolen from Paul W)

Be Careful What You Wish For, Air Force

Federal Computer Week has a story about the Air Force’s efforts to patch faster:

Officials’ ultimate goal is to have software patches implemented
across the Air Force in minutes. During the next few months, they hope
to cut the time from tens of days to just days, said Col. Ronnie
Hawkins, director of communications operations in the Office of the
Deputy Chief of Staff for Installation and Logistics.

Also in recent news, Microsoft will be providing Air Force specific windows builds. Also recently, EDS took down between 40,000 and 80,000 computers in the UK’s Department for Work and Pensions, in an attempt to roll out a patch. That’s the downside to a monoculture.

The upside is that you have far fewer configurations to test on when your builds and configurations are tightly locked down, and that saves a lot of money. If your MTTR is low because you can roll out images to an affected system, then you may be willing to take that risk. At the DWP, clearly, the MTTR was not low.

Low MTTR and fast patching shouldn’t be your only goal. Systems hardening, either by your local experts, or from companies like PiVX, Sana, or Immunix can reduce the need to patch against various attacks. I hope these companies start publishing a running list of what patches you need to install if you have their systems. (And warranting that the list is correct.)

So a low time to patch isn’t what the Air Force should be chasing: Its a low exposure time. But then, they need to balance that with expected downtime for patching. And from here, I’d just be repeating myself with what we’ve already said in the time to patch paper (PDF).

(Via ISN.)

Mac toys has a nice page of software for techies switching to a Mac. Speaking of techie Mac use, I’m playing with subversion and the sweet looking SCPlugin. To make it see my ssh keys, I’ve added SSHkeychain. That required logging out and back in. After I did, I was getting lots of Keychain errors. It turns out that by default, SSHkeychain locks your keychain on when the screensaver activates. There’s a “custom” security setting to make this work the (less secure, more convenient) way I want it to work.