The Kristian Von Hornsleth of the Blogosphere?

Apparently, artist Kristian Von Hornsleth has been paying Ugandans to rename themselves Hornsleth, as a way of drawing attention to aid failures. His exhibit is sub-titled “We want to help you, but we want to own you.”

I think it’s brilliant. Regular readers know that we talk a lot about identity, id cards, and economics. So this is an art project that really touches me, and I’d like to participate. Mr. Hornsleth, will you donate one extra animal if I rename this blog the Kristian Von Hornsleth of the blogosphere for a week?

Via the BBC, “Storm over ‘pig-for-name’ artist.” To the racism question that leads the beeb story, I think that the racial overtones are cleverly used by the artist to draw attention to a very real problem of ineffective aid.

Frito-Lay’s New Snack Line


Frito-Lay spokeswoman Lisa Greeley, who said that the company made a commitment in 2004 to develop a healthier line of snacks but “never thought it would actually come to this,” described the Flat Earth brand as “tailor-made for the small, vocal minority of health-conscious consumers who apparently can’t just be content with salads, bananas, apples, or any of the literally thousands of fruits and vegetables already widely available.”

“Frito-Lay Angrily Introduces Line of Healthy Snacks,” in America’s Finest News Source.

Guidance Software, Evidence and Software Provenance

So Chris beat me to the mocking of Guidance Software. I was going to do that, and then ask about the software that they produce, and its heavy use in legal proceedings. If your corporate network is full of hackers, what does that say about the admissibility of the output of your software?

There’s also a concept floating around out there in executive suites of “software provenance.” The idea is that you should be able to track and understand who’s checked software in. I don’t know of any software that would really do that effectively.

Let’s assume that there’s some awesome, hard to hack, SDL’d version control software out there with integrated three-factor authentication that logs every check-in to paper and cryptographizes it out the wazoo. It hash-trees, it signs, it timestamps and publishes the good news in the newspaper. Let’s even say that it was installed at Guidance. I should mention that I have no knowledge of what’s happened at Guidance and this is all hypothetical.

Alice the hacker wants to install a backdoor in EnCase that will cause it to not see any file starting with the string “$sys$” and Alice can write code to do that. Let’s next say that Alice pwns Bob the developer’s workstation. She waits until he’s checking in a large set of files, and adds her back door. Bob does the chicken dance with his smartcard, swipes his fingerprint, and types his 19 character password. And checks in Alice’s code.
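To make the point concrete, here is an added illustration of the hypothetical check-in log described above (it is not Guidance’s code, nor any real version control system). It builds a hash tree over each check-in, chains the records, and signs each record; the signature is an HMAC with a constructed per-developer key standing in for the smartcard signature, and the developer name, timestamps, file paths and file contents are all constructed. The example shows what such a log does prove (after-the-fact tampering with a stored record is detected) and what it cannot (a file injected on Bob’s workstation before he signed is indistinguishable from his own work), which is why the “which files did the developer actually intend” check has to come from somewhere other than the workstation, such as a reviewer.

```python
"""Hash-chained, signed check-in log: what it proves and what it cannot.

Added illustration, not any real VCS. The HMAC signature and the
developer key are constructed stand-ins for a smartcard signature.
"""
import copy
import hashlib
import hmac
import json

# Constructed per-developer signing key (stand-in for a smartcard-held key).
DEV_KEYS = {"bob": b"constructed-bob-smartcard-key"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def merkle_root(files: dict) -> str:
    """Hash tree over the checked-in files; leaf = H(path || NUL || content)."""
    layer = [sha256(p.encode() + b"\0" + c) for p, c in sorted(files.items())]
    if not layer:
        return sha256(b"")
    while len(layer) > 1:
        if len(layer) % 2:
            layer.append(layer[-1])  # duplicate the odd leaf
        layer = [sha256((layer[i] + layer[i + 1]).encode())
                 for i in range(0, len(layer), 2)]
    return layer[0]


def append_checkin(log: list, developer: str, files: dict, timestamp: str) -> dict:
    """Append one check-in: chain to the previous record, sign the record."""
    prev = log[-1]["record_hash"] if log else sha256(b"genesis")
    record = {"developer": developer, "timestamp": timestamp,
              "prev": prev, "root": merkle_root(files)}
    body = json.dumps(record, sort_keys=True).encode()
    record["signature"] = hmac.new(DEV_KEYS[developer], body, hashlib.sha256).hexdigest()
    record["record_hash"] = sha256(body)
    entry = {**record, "files": dict(files)}
    log.append(entry)
    return entry


def verify_log(log: list):
    """Check chaining, stored file contents and signatures. Returns (ok, reason)."""
    prev = sha256(b"genesis")
    for i, e in enumerate(log):
        if e["prev"] != prev:
            return False, f"entry {i}: chain break"
        if merkle_root(e["files"]) != e["root"]:
            return False, f"entry {i}: stored files do not match signed root"
        record = {k: e[k] for k in ("developer", "timestamp", "prev", "root")}
        body = json.dumps(record, sort_keys=True).encode()
        expected = hmac.new(DEV_KEYS[e["developer"]], body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, e["signature"]):
            return False, f"entry {i}: bad signature"
        if e["record_hash"] != sha256(body):
            return False, f"entry {i}: record hash mismatch"
        prev = e["record_hash"]
    return True, "ok"


def unexpected_paths(entry: dict, intended: set) -> list:
    """Review-side check: files in the check-in the developer did not intend.

    The log cannot supply 'intended'; it has to come from outside the
    workstation (a reviewer, a work item, a pairing partner)."""
    return sorted(set(entry["files"]) - intended)


def scenario():
    """Returns (log verifies, paths Bob did not intend, tampered log verifies)."""
    log = []
    append_checkin(log, "bob", {"src/scan.c": b"int scan(void) { return 0; }"},
                   "2006-11-01T09:00Z")
    # Bob's large check-in. The extra file was added on the compromised
    # workstation before the smartcard ever saw the record (constructed content).
    bob_intended = {"src/scan.c", "src/parse.c", "docs/README"}
    submitted = {"src/scan.c": b"int scan(void) { return 1; }",
                 "src/parse.c": b"int parse(void) { return 0; }",
                 "docs/README": b"release notes (constructed)",
                 "src/filter.c": b"/* injected on compromised workstation (constructed) */"}
    big = append_checkin(log, "bob", submitted, "2006-11-02T17:30Z")
    ok, _ = verify_log(log)                       # True: every signature is genuine
    extra = unexpected_paths(big, bob_intended)   # ['src/filter.c']: only a reviewer sees this
    tampered = copy.deepcopy(log)
    tampered[0]["files"]["src/scan.c"] = b"edited after the fact"
    return ok, extra, verify_log(tampered)[0]     # tampering after signing is caught


if __name__ == "__main__":
    print(scenario())
```

The log verifies cleanly for the poisoned check-in because everything it attests to is true: Bob, with his smartcard, really did sign that tree at that time. Provenance of this kind answers “who submitted this and was it altered afterwards”, not “did the submitter mean to include every file”; only an out-of-band comparison against what Bob intended (the `unexpected_paths` step) surfaces the injected file.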

I don’t know what it will cost Guidance to ensure its software makes it through the next court case.

SANS Top 20 has competition!

SANS has just released their annual Top 20. I won’t bother linking to it — Google knows where to find it, and if you’re reading this blog, you probably do too.
Anyway, it seems like the SANS people have a bit of competition.
Check out this list:

  1. Failing to assess adequately the vulnerability of its network to commonly known or reasonably foreseeable Web-based attacks, such as structured query language injection attacks;

  2. Failing to implement simple, low-cost, and readily available defenses to such attacks;

  3. Storing in clear, readable text network administrator credentials, such as user name and password, that facilitated access to credit card information stored on the network;

  4. Failing to use readily available security measures to monitor and limit access from the corporate network to the Internet; and

  5. Failing to employ measures to detect unauthorized access to consumers’ credit card information.

Ooops! My bad.
This isn’t a list of the top five security bonehead moves. This is a list of the things the Federal Trade Commission says Guidance Software did, resulting in the loss of thousands of customers’ credit card information, in violation of federal law.
Guidance, of course, are the makers of EnCase, the market-leading computer forensics tool. The company admits no wrongdoing, and has entered a consent decree with the FTC.

Tufte, Godin, Juice Analytics

Juice Analytics comments on “Godin’s take on Tufte:”

(Godin) I think this is one of the worst graphs ever made.

He’s very happy because it shows five different pieces of information on three axes and if you study it for 15 minutes it really is worth 1000 words.

I don’t think that is what graphs are for. I think you are trying to make a point in two seconds for people who are too lazy to read the forty words underneath.

I think Seth has it just right. Personally, I can hardly resist a well-constructed infographic, but I have an unnatural interest in data. For the many business users, better to construct information displays that are simple and to the point.

So, Seth’s points are good. They’re made in this video presentation at GEL 2006 (Google video, worth watching).

I’m really irritated by Juice’s words. It is never better to construct information displays that are simple and to the point, absent an understanding of why you’re constructing a display. If your point is “Napoleon lost a lot of lives attacking Russia” maybe a bar graph would do. Sometimes complex reasoning requires complex data. The question is not “Should your graphics be simple and to the point,” but rather “do my graphics help present the data and help people reason about it?”

To put it another way, start from the user story, use case, or scenario, and construct your information presentations to help that story along. Then, and only then, should you make it as simple and to the point as possible, but no simpler.

Privacy and “Required, not used”

So, I was commenting over on Econlog, and noticed this:

“Email Address (Required. Your email address will not display to the public or be used for any other purpose.)”

So, umm, what is it being used for?

This is both snarky (obviously) and serious (less obviously). The less obvious part is that information is being collected for no apparent reason, because some developer thought it would be good as an anti-spam measure or something. The lack of clarity is in violation of the basic privacy precepts of notice and purpose-specification, as well as minimization. Those are sometimes hard concepts for developers to grasp. We have a team of people to help developers through them, and get to the right results.

Maybe Microsoft Privacy Guidelines for Developing Software Products and Services should be required reading?

“Signs of our times” photo by Thomas23.

Bag Matching and Lost Bags

Every now and then, it seems like TSA can do something right. I’ll let you know. In the meantime, the New York Times tells us that “Frustration Grows at Carousel as More Baggage Goes Astray:”

The Transportation Department reported that 107,731 more fliers had their bags go missing in August than they did a year earlier, a 33 percent increase. It got worse in September, with 183,234 more passengers suffering mishandled bags than a year earlier, up 92 percent.

Globally, about 30 million bags are mishandled each year, according to SITA, a company that sells software to airlines and airports for baggage and other systems. Airlines spend about $2.5 billion to find those bags and deliver them to waiting, often angry, passengers.

So does that mean that they lost 350,000 bags in September?

Now, I never check bags if I have a stop-over, because if you check bags, there is no way they’ll allow you to hop onto a new flight. It’s a “security measure.” No, I take that back. Bag matching is a real security measure, designed to ensure that you’re on the same flight as your bag. The assumption is that there are more people willing to commit murder than suicide. But given that it’s an actual security measure, shouldn’t they not be letting 350,000 bags go astray every month?

Before you say it’s an economics issue, maybe they should assign those people making you take off your shoes and checking your ID to doing something useful.

Vulnerability Game Theory

So a few days ago, I attended the Vista RTM party. I spent time hanging out with some of the pen testers, and they were surprised that no one had dropped 0day on us yet. These folks did a great job, but we all know that software is never perfect, and that there are things we missed. I hope that the defense in depth tools (/GS, SafeSEH, ASLR, UAC) help control the customer impact.

So, that said, I’d like to think about this from the researcher point of view. If you’re a clever researcher who’s finding Vista issues, what do you do with them? I think there are three different answers.

First, if you have one, you publish it immediately. Ideally, you do that in a responsible way, but you don’t want to risk your one vuln being found independently and fixed.

Next, if you have a few vulns, you sit on them all, and try to measure the independent find rate, so you know how long they last. When you have that estimate, you decide what to do with what’s left.

Finally, if you have a lot of vulns, and are hoping to sell them, you drop 0day on us as a marketing and advertising ploy. Whoever releases the first working exploit against Vista is going to bring themselves a lot of notoriety, and bring our customers a lot of pain. It’s sorta cool that no one’s done this yet. Maybe they’re waiting on the release to business or consumers? That’s an interesting gamble–you’ll get more attention, but you’re also making a bet that you expect no one will take the “first vuln” credit between now and then. So the longer it takes, the larger the implied compliment on waiting: It’s hard to find vulns, and I expect to be able to wait.

Implied compliments aren’t all that interesting. Someone will have the first issue.

What matters isn’t the first day, it’s the first year. I think we’re pleased with the work done, know that it’s never-ending, and are optimistic that Vista’s first year is going to look substantially better than XP’s first year. That’s the first real test: do we see fewer vulns, and are the vulns of lower average severity? The second real test is what happens to real customer impacts? That’s the test that matters most, and is far harder to measure.

All Non-Trivial Privacy Fears Come True

A few months back, I said “Ironically, privacy advocates warned that the number would become a de facto national ID, and their concerns were belittled, then proven right, setting a pattern that still goes on today.” In thinking about Alec Jeffreys’s come-to-Jesus moment, I realized that we can state that another way: All non-trivial privacy fears come true.

There are no reasoned and thought through warnings of invasions of privacy which have not come to pass. They don’t always come true in precisely the form which people anticipate, but that makes them no less true or prescient. I’d thought that Orwell’s viewscreens in homes haven’t quite come true, but the police chiefs of Chicago and Houston are hard at work on fixing that. (Search on mandatory cameras in homes.)

I’m excluding random drunken rants, or paranoia about orbital mind-control lasers. By non-trivial, I mean thought-through discussions of how new technology will, at best, creep past its stated mission. More likely, it will bound past it as we make systems which are more flexible, better interconnected, and cheaper.

(There’s a physicist who asserted that all non-trivial theorems are true, but I can’t recall his name.)

Reason #2453 Not To Mug Magicians

On Friday, BoingBoing linked to a great story about some kids mugging magician David Copperfield. Copperfield used sleight-of-hand to hide the items in his pockets:

The assistants handed over money and a cellphone, but the illusionist turned his pockets inside out to reveal nothing, although he was carrying his passport, wallet and cell phone.

So I guess sometimes obscurity can be security.
[Photo from the cnn article.]
[Edit: fixed a typo: thanks acr0nym]

Two On Identity

There’s the Budapest Declaration on Machine Readable Travel Documents:

By failing to implement an appropriate security architecture, European governments have effectively forced citizens to adopt new international Machine Readable Travel Documents which dramatically decrease their security and privacy and increases risk of identity theft. Simply put, the current implementation of the European passport utilises technologies and standards that are poorly conceived for its purpose.

The Budapest declaration is via Bruce Schneier. Next up we have USA Today on “If it’s really you, what color is your car?” via both Pogo Was Right and Dan Solove, who opines in “Verifying Identity: From One Foolish Way to Another:”

The problem with using this method is that the information in public databases is often riddled with errors. Why do banks need to go behind your back to snoop out information about you? Banks and financial institutions already have a relationship with you — after all, you established an account with them. They can use some of the information they gathered at that time to establish your identity and then ask you to supply additional information to help identify you. But going behind people’s backs and trolling public records for data does not strike me as a particularly effective method given the possibility for errors in those records.

The disdain of banks for their actual customers, those pesky, diverse, demanding idiots, grows by the day, and grows with every regulation which distracts and drags down the level of “service” on which they might otherwise compete.

Photo: self-portrait by j_photo.

New Zealand to literacy: “l8r!”

Via CNN:

WELLINGTON, New Zealand (AP) — New Zealand’s high school students will be able to use “text-speak” — the mobile phone text message language beloved of teenagers — in national exams this year, officials said.
Text-speak, a second language for thousands of teens, uses abbreviated words and phrases such as “txt” for “text”, “lol” for “laughing out loud” or “lots of love,” and “CU” for “see you.”

Image of a ‘u’ is from Brenda Anderson.

Better Dead than Red?

Via the Beeb, writing about a county board election in South Dakota:

Marie Steichen, who died of cancer in September, beat a Republican rival by 100 votes to 64 and became a county commissioner posthumously.
The election list closed on 1 August, but Ms Steichen’s name was kept on the list for Tuesday’s election.
Voters knew she was dead but wanted to make a point, a local official said.
“They just had a chance to make a change, and we respect their opinion,” Jerauld County Auditor Cindy Peterson told the Associated Press news agency.

Ms. Steichen’s victory increments the counter of Republicans vanquished by deceased opponents, the best known example likely being John Ashcroft, defeated by the deceased Mel Carnahan (D) in a 2000 senatorial contest.
[Comments now turned on. My bad. cw]