Security Cameras and the Obedience Imperative

“People are shocked when they hear the cameras talk, but when they see everyone else looking at them, they feel a twinge of conscience and comply,” said Mike Clark, a spokesman for Middlesbrough Council who recounted the incident. The city has placed speakers in its cameras, allowing operators to chastise miscreants who drop coffee cups, ride bicycles too fast or question the President. [Quote slightly edited for clarity.]

The quote is from Bloomberg, “George Orwell Was Right: Spy Cameras See Britons’ Every Move.”

I’m reminded of Milgram’s authority experiment, where he had men in white lab coats telling people that they needed to deliver electrical shocks.

(Via Slashdot, a ways back. Photo of Roxanne by L.N.L.)

Non-Tangible Security

eBay is stopping all sales of “virtual artifacts.” Maybe.

This story comes from a Slashdot article in which Zonk talks to Hani Durzy of eBay about it. They are handling this by merely enforcing an existing policy which says:

“The seller must be the owner of the underlying intellectual property, or authorized to distribute it by the intellectual property owner.”

This leaves in question some virtual artifacts where the seller is the owner of the intellectual property, but the item is clearly a virtual artifact. Expect debate.

I can’t say as how I blame them. It’s disappointing, but there are headaches that I wouldn’t want either. Some virtual artifacts, like things in Second Life, arguably fall outside that rule. Nonetheless, what resembles an economy in Second Life is hard to understand. The media love affair with Second Life seems to be turning into a hangover. Valleywag is a great place to see some of the backlash. Subscription numbers may be overstated. What passes for an economy isn’t as efficient as people might like. It isn’t very fun. Maybe it’s too much fun.

Some virtual artifacts fall into the eBay ban rule, but might still be okay to sell. Some games permit the resale of objects, but you can claim the people aren’t authorized to distribute, because there’s no explicit authorization of them as a sales channel. It’s definitely a gray area, especially if we consider the first-sale doctrine, but stores are not obligated to sell things they don’t want, and if eBay wanted to stop the sale of used books and records, it would also be disappointing, but within their liberty.

Some other virtual artifacts are not supposed to be sold. World of Warcraft, for example, has it as part of their terms of service that you’re not supposed to sell the game’s virtual artifacts. I think that such bans are not only ineffective, but the best way to fight a black market is to set up your own that undercuts it. But it’s their concern.

The real problem that eBay has to deal with is that when you’re selling stuff, as opposed to merchandise, the major problem is that of provenance. You have to know where those jewels came from. Did those artifacts leave the country legally?

There are a number of cases where bad people have hacked into VR accounts and sold the virtual goods. I can understand eBay’s conundrum. If someone wants to sell five sheep, a gnome, and a staff of domination, how do you know they have the right to do that, whatever the heck that means? I don’t blame eBay for deciding that it’s just too hard and they opt out. It’s a pity that they aren’t stepping up to figure it out, but I don’t blame them. Pioneers are the ones with the arrows in their backs, and after being a pioneer for a while, farming looks good. Of course, the problem is that software is a virtual artifact, even when it comes on a CD. So this is far from settled.

Photo is Egyptian Temple, courtesy of iconolith.

Mordaxus, redux

We’ve enjoyed having Mordaxus with us for the last month or so, and are pleased that he’ll be sticking around as a permanent member of the Combo. A few quick comments on my pseudonymous cohorts.

First, why do I have pseudonymous co-bloggers? There’s a long history of artists appearing under names not their own, ranging from the obvious (Sting, Bono or The symbol usually pronounced as 'the artist formerly known as Prince') to the less obvious Joe Strummer or Bob Dylan. Less metaphorically, there’s “Publius,” who wasn’t always exactly one person. We’re proud to continue these traditions here at the Combo.

Second, I’ve had several people ask me if Mordaxus is a Microsoft employee. Neither Mordaxus nor Arthur is a Microsoft employee. If they were, you’d know it, to satisfy both my own and the corporate code of ethics.

Lastly, nyms are about privacy, and separation. They allow you to jazz things up, and not be always on message and in tune.

Photo “Jazz In Progress” is from Ivo Stad & Land.

Is this idea feasible?

With all the reports of lost backup tapes, I wonder if it would be technically feasible to keep an eye on them using RFID tags. If a tape “tries to leave” a facility without having been pre-authorized, bells go off. If a tape can’t be found, there’s a record of where it was last detected by an RFID reader. Hey, it works for babies, right?

(I am awaiting the comment about how this naive notion is fundamentally flawed. I know EC has some readers who have expertise with RFID. I am somewhat heartened, now that I Googled this brainstorm, that others have thought of it.)

Speaking of Secret Events You’re Not Invited To

There’s a blogger get-together at the Foreign Cinema Wednesday night of RSA. 5PM – 8PM. We’ve been trying to coordinate via email, but I figured we should publicize our secret conference now.

Remember, this will be the most blogged event of RSA.

If you want in, blog about the event and trackback Martin McKeay.

Also covered in “Information Security Sell Out,” who comments:

Wow, the bloggers are almost outnumbering the vendors. Perhaps next year RSA will have a separate conference for Bloggers and another for those that actually matter to security.

Navel, for gazing, courtesy of mezone, and unlikely to appear at the party.

Secrecy is not Privacy

So, I’m really irked by headlines like “Microsoft’s ‘Secret’ Security Summit.”

  • First, it wasn’t Microsoft’s summit. It was an ISOTF meeting that had public web pages. Microsoft provided conference facilities and lunch. I don’t think we even bought the beer.
  • Second, it wasn’t a secret. It has web pages: “Internet Security Operations and Intelligence II – a DA Workshop.” Things with web pages are rarely secret.
  • Finally, it was a security summit, but hell, 50% is a rotten ratio for a headline.

So let me delve into the words “secrecy” and “privacy” just a little. The meeting was private: you had to know the secret handshake to get in. You had to agree not to talk about what was said. That’s about privacy. It also includes some secrecy about what, precisely, was said. As I’ve said before, privacy is a good way to build trust. It allows people to speak openly, because they can rely on anyone who blogs about it not being invited back.

I’m speaking for myself here.

From the “A Child Shall Lead Them” Desk

Response #24 in a discussion on FlyerTalk:

My 10-y.o. son, like many kids, believes that backpacks have to be overloaded to work.

Recently, at LAX T-6 (shoe carnival central), the TSA removed 2 partially full water bottles from his backpack after x-ray screening.

On the return flight, at JFK T-9, they found 2 more, both of which had been in there all along and been missed at LAX. As we rode the escalator down in T9, I told him that if this happened again, he would never get upgraded until he was 21 (it’s a harsh threat…) — and he reached in to his backpack and took out another partially empty water bottle.

It’s a Flawless Plan for Making Money

First, you take a business away from legitimate enterprises, claiming only the state can run it without it sinking into a wretched hive of scum and villainy. Then, you ban competition. Then, you decide that you’re better off selling the monopoly rights to the highest bidder.

It’s what Illinois is doing with their state lottery.

I was going to talk about the history of corporations as monopolies, and the issues with government-run business, but Larry Ribstein said almost everything I wanted to say in “Selling State Lotteries.”

Maybe the state could do the same with health care?

Image credit: Emergent Chaos.

There are three types of authentication

They are:

  1. Something you’ve lost,
  2. Something you’ve forgotten, and
  3. Something you used to be.

Here is a sad tale of a man who has a failure on (3), realizes he’s done (2), and his solution to the problem. It’s a classic tale of how more is often less when it comes to security. Lest you think it, I am not making fun of his solution to the problem.

The sad part is that he thinks the problem is dependence on technology, when in fact it is the inappropriate use of technology, and the “ooo, shiny” technolust making you think that something is a good idea when it isn’t. Other cases include electronic voting machines, RFID passports, airport fast-track systems, and so on.

Photo courtesy of split-ends.