One of the ironic bits about the RSA conference was the wireless network. Your username was your email and the password was on your badge. However, I had trouble logging in, so they gave me this username and password. I’m pretty sure that they didn’t record who I was as they did it. Even once they gave me this, the folks running the system knew that they needed to power-cycle an access point to let Macs log in.
I only made it in that once. Several friends also report that they never made it onto the wireless network. I very much appreciate RSA showcasing wireless security vendors like this. I suspect that the vendors appreciate it a little less.
Hunter S. Thompson killed himself last night. While I enjoyed his books, for me, his ultimate work wasn’t reading about times I hadn’t experienced, but when his writing was live and raw, about the day, when he wrote the definitive obituary of Richard Nixon.
He’s gone, and I am poorer for it.
After RSA, some friends and I went up to Russian River. I was looking at some old maps at the Quivira Vineyard, and the caption under one said “The author of this map is believed to have had access to Drake’s secret maps.” Today, large-scale maps of everywhere are easily available. But there was a time when even large-scale geographic knowledge was kept secret, and was the source of substantial competitive advantage. How to travel the spice routes, where the locals were friendly along the shipping routes, the location of islands, were all secrets at one point. With satellite imagery cheaply available, it’s becoming very hard to keep maps a secret, at any scale.
Are we less secure for this? Was there a full disclosure movement for maps?
Max Dornseif asserts it’s easy to find bugs. (Perhaps even easier than figuring out trackbacks for his blog?)
In an article in ACM Queue, Ioannis Samoladas, Ioannis Stamelos, Lefteris Angelis, and Apostolos Oikonomou examine some measures of code quality between open and closed source apps.
Apple has made available a set of “Common Criteria” tools. The “evaluation” page is here. The evaluation criteria are “EAL 3, CAPP, version 1.d, October 8, 1999.” (The README is a bit better.)
If anyone would care to explain to me what I’ve just said, or, really, what the tools package does, I’d be much obliged.
PS: “Disatisfied? Help us improve!”
Jack Koziol has a long post on security issues with T-Mobile’s web site. (Via /.)
Did you know that Google’s “Dissatisfied? Help us improve” link only appears on the first page of a search? That’s fascinating: they expect their search to be so good that they get what you want on page 1, and you’ll complain if it’s not there. There’s a lot to be said for setting high standards for yourself.
Ian Grigg quotes an interesting article on passports.
Another good article on the economics of terrorism at Global Guerrillas.
Eric Rescorla discusses this account:
Officer Primiano expressed extreme frustration with me as soon as I began speaking of my rights to photograph in public places. She wanted to debate the wisdom of my taking pictures and asserted that in the wake of the Sept 11th attacks on our country, I should be more interested in aiding officials in their efforts to increase security than my rights as a citizen or journalist.
Peter Swire is thinking about these issues; he mentioned a very similar case to me recently. I’m encouraging him to write a mass market book on the questions and tradeoffs, because I’m impressed with the work he’s already done on disclosure, which I discussed in Swire on Disclosure.
See Taosecurity, on IDS and Choicepoint, and this choice excerpt from Reuters, relayed by Dave Evans at Corante’s Online Dating:
U.S. investigators notified the company of the breach in October, but ChoicePoint did not send out the consumer warnings until last week.
It’s fascinating that the company didn’t detect the breach, and that they seem to be unable to figure out all the records touched.
The Atlanta Journal Constitution (use Bugmenot) reports:
“We know that there is a national number that is much larger than that,” said Lt. Paul Denny of the [Los Angeles County] sheriff’s department. “We’ve used the number 400,000, but we’re speculating at this point.”
Executives at ChoicePoint, which maintains one of the largest databases of personal information in the country, acknowledged Wednesday that the number of potential victims is much larger than first thought. But they also suggested the actual number is lower than the law enforcement estimate.
The company said in a statement that “additional disclosures will be forthcoming to approximately 110,000 consumers outside of California whose information also may have been accessed.”
Lee said finding the criminals is complicated because ChoicePoint could not in all cases track the data requests to the accounts making the request.
I hope Richard, at TaoSecurity, takes Choicepoint to IDS kindergarten.
Ed Felten has a great post today, asking “How Competitive Is the Record Industry?”
How can we tell whether the record industry is responding competitively to DRM? An interesting natural experiment is about to start. MP3Tunes, a new startup headed by serial entrepreneur Michael Robertson, is launching a new music service that sells songs in MP3 format. Will the major record companies license their catalogs for sale on MP3Tunes?
In a competitive market, they would license to MP3Tunes. There are surely some customers who are willing to pay for music but don’t want to accept the hassles of other online music services. MP3Tunes will extract revenue from these customers.
I liked how my previous post on this subject read. It was very positive, and I like being positive about the future. (I’m not very good at it.)
However, there’s a contrast which needs to be drawn, between the way Yemen (Yemen? Yemen!?!) is handling some prisoners and the way the US is handling some prisoners. I do not intend an apologia for Yemen’s abuses. However, the contrast with Abu Ghraib and Guantanamo is pretty striking.
Choicepoint is a large credit bureau that denies being one. Yesterday, MSNBC reported that “more than 30,000 Californians” had been notified of problems. Now, no one opts in to Choicepoint. No one can opt out. They maintain files on you without your knowledge or permission. Now we know that at least 30,000 people were put at risk by criminal enterprises gathering data. But outside of California, we have no way of knowing how many.
In yesterday’s Toronto Star, Michael Geist makes the case that Canada should adopt a similar law. (Use Bugmenot for a login.) Perhaps it’s time for the US to do so as well.
[See also Chris Walsh’s comment which he wrote as I was working on this post.]
The “Real ID” act is likely to get written into law, in two ways. First, it will pass the Senate, and be signed into law. Second, it will be one of the best examples of the law of unintended consequences in a long time.
The bill would force states* to fingerprint people, and do various gimmicky things to improve the quality of theatre surrounding the cards. When these things happen, everyone will need an ID card, and reliance on the cards will increase.
The 10 million Mexicans living illegally in the US will need to get real cards. To do so will require them, not to create fake identities and get cards issued in them, but to adopt the identities of Americans in the databases. Which is to say, mine.
Some might object that “fingerprinting will protect us,” but they’re wrong. Producing fake fingerprints is understood technology, and a little nudge, nudge from the folks at the DMV will be all that’s needed.
A story that Ian Grigg picked up pointed to the 1986 immigration act as the start of the ID Theft epidemic.
You ain’t seen nothing yet.
* De facto, not de jure.
Michael Froomkin applauds those “Military lawyers at the Guantanamo Bay terrorist prison tried to stop inhumane interrogations, but were ignored by senior Pentagon officials.”
Over at POSIWID, Richard comments on airline security, with some economic analysis of bad security and why it stays around. (I think I don’t like his title, preferring ‘systems are maintained for what they do,’ which gives more credit to the emergent qualities of systems, but I digress.) He accurately assesses some positives of the airline “security” system:
- People spend longer in airports and spend more money in the retail outlets. The airport ecosystem becomes more profitable.
- Fast-track procedures for business class travellers encourage more business class travel. Self-service procedures reduce airline costs. The airlines become more profitable.
- People become accustomed to (and therefore more tolerant of) queues and delays. This allows for more flexible utilization of staff, aeroplanes and landing slots by airlines and airports.
The downside of all of this is that none of these things are economic benefits. They are costs imposed by the security regime, from which some folks are profiting. They are costs because people are not spending their money in ways that they would choose, if they could choose freely. They are instead spending money in less efficient ways. Because the costs are dispersed, and the beneficiaries are few, the beneficiaries are able to ossify the system. (See Olson’s Logic of Collective Action, or Demosclerosis, by Jonathan Rauch for more on this idea.) There are additional costs and risks borne by those who don’t fly.