Welcome, Crispin!

Michael Howard has broken the news in “Crispin Cowan joins Windows Security”:

I am delighted to announce that Crispin Cowan has joined the core Windows Security Team!

For those of you who don’t know Crispin, Crispin is responsible for a number of very well respected Linux-based security technologies such as StackGuard, the Immunix Linux distro, SubDomain and AppArmor. I’ve known Crispin for many years, and have nothing but the utmost respect for the guy. He’s well published, wicked smart, a non-zealot and brutally pragmatic. In my opinion, AppArmor is a shining example of his pragmatism; it’s simple and it works. What excites me the most is he’ll bring a different perspective to the Windows team, and I’m a big believer in stirring the pot!

Let me add my own welcome. Crispin and I have collaborated on a couple of projects, and I look forward to working with him more, and seeing what happens when he applies himself to Windows security.

[A clarification: Crispin is joining Microsoft, not Emergent Chaos (today, anyway). I remain the only MS employee blogging here, and my comments do not represent my employer. I was simply excited and wanted to share the news.]

Microsoft Has Trouble Programming the Intel Architecture


Microsoft Office 2008 for the Macintosh is out, and, as with any software release from anyone, there’s a lot of whining from people who don’t like change. (This is not a criticism of those people; I am often in their ranks.)

Most of the whining comes because Office 2008 does not include Visual Basic. In some respects, this is a welcome change, because Office never should have had Visual Basic. VBA is what enabled the macro virus. Furthermore, Office 2009 (for Windows) is not going to have VBA, either.

However, not shipping VBA in Office 2008 means that people who want cross-platform documents that are pseudo-applications have to deal with it in 2008, not 2009. That’s worth complaining about.

The reason, according to El Reg, is blink-inducing:

Microsoft argued that the technical problems involved in porting Visual Basic at the same time as revamping Mac Office to work on Apple’s Intel platform would have meant further delays.

I have demonstrated the absurdity of that argument in my headline. Please, I’m a technologist. I can imagine the real reasons. It was a pain in the butt; it would have required hiring another person or two; it seemed futile to port it when Office 2009 is going to get rid of it. I understand. Don’t insult my intelligence. Don’t lie to me.

The truth is that you didn’t want to, because it would suck. And what are we customers going to do, anyway? So that means you don’t have to do it because you don’t want to.

OpenOffice sucks. No, really, it does. I have co-workers that use it and watching them always brings a smile of schadenfreude to my lips. When trying to bend Word or PowerPoint to my will makes me want to put my fist through the screen, nothing makes me feel better faster than strolling into someone’s office and saying, “I dunno, maybe I ought to switch. How do you do XXXX in OpenOffice?” It’s cruel; it is the equivalent of seeking out someone with no feet because you have no shoes. But hey. I admit and argue the necessity of using Office, but I am Mordaxus, not Pangloss.

Pages is cute and nice for new work, but people don’t send me Pages documents, they send me Word documents. Keynote rocks — it got Al Gore both an Oscar and the Nobel Prize — but when someone says, “Would you look at this deck” it’s a ppt.

There will be those who are scrolling for the reply button to tell me that Pages and Keynote can import Office documents. They can. I still need Office, because they import Office documents; they don’t interoperate with them.

Longer work is another issue. Over the last couple of years, I’ve become a LaTeX expert again. The irony is that I stopped doing most of my work in LaTeX because Word 3 was better for so many things. Nonetheless, nothing is as drop-dead gorgeous as a TeX document.

This weekend, a friend who writes books recommended Scrivener to me as an alternative for long documents. Scrivener is more or less a project manager for large documents. I’m going through the tutorials, which are amusing. It reminds me in other ways of the wonderful Notebook by Circus Ponies.

Nonetheless, the friend who pointed me there uses Word.

This brings us back to the matter at hand. As painful as it is for Microsoft, they are a monopoly. Not using Office is not an option. Sure, I can screw around with beautifully designed, fun to use productivity managers, but you have to use Office. (Or LaTeX.)

The plus side of being a monopoly is that you are ubiquitous, and money doesn’t do anything as plebeian as grow on trees for you. The minus side is that when a tree falls in the forest on some power lines, you hear it, and you have to fix it!

Forget duty, let’s talk self-preservation. Microsoft, if you don’t want to go the way of Western Union, AT&T, IBM, Bessemer Steel, or The Railroads, you have to at least pretend you like us, your customers. Getting rid of VBA is a great idea. It was an abomination in the first place, breaking the data/code separation that security needs. But if you’re going to can it in 2009, you have to can it in 2009, not 2008. The result is that we’re going to get more hair-pulling for another year.

How taxing is it to read a tape?

In “Athenian Economy and Society: a banking perspective,” Edward Cohen uses the fascinating technique of trusting in offhand comments. He uses the technique to analyze court records to reconstruct banking. You might not be able to trust the main testimony in a trial, but no one will offhandedly say something shocking and strange, because it will undermine their credibility. (For example, “it’s snowing in Jamaica” makes no sense as a parenthetical, and would undermine my credibility if I said it.)

So I found an offhand comment reported by Beth Pariseau in “IRS sent tax database on unencrypted tapes” to be fascinating:

The IRS confirmed to SearchStorage.com that copies of its tax database were distributed to state agencies on unencrypted tapes before Sept. 30, 2007. A source at one state agency said the tapes were also sent using common carriers, such as FedEx.

The source, whose agency received the database information on a regular basis, said the IRS had formal guidelines for agencies to place the tapes behind three layers of physical security — inside a locked box, for example — and restrict access to “need-to-know” personnel. He added a fourth layer of physical security, but that still didn’t make him feel comfortable. “These were standard IBM mainframe tapes,” he said. “It didn’t take anything special to read them.”

I found this really interesting because our anonymous source tosses off the idea that reading a tape is easy. This is in stark contrast to everyone who reports breaches, who goes on and on about how hard it would be to read their DLTs.

This expert didn’t give that nonsense a second thought. Journalists should be more skeptical, and so should you.

Interestingly, there’s a second tie to Cohen’s book. In it, he lays out how the Athenians, worried about the taxman, created private banking. The taxman has rarely worried about the welfare of the taxed.

[Update: An anonymous correspondent points to "Who Must File Magnetically," which points to IRS publication 1220. Encryption is specifically forbidden ("Do not send encrypted data."), and the tape format is clearly documented. See part C.05 on page 35 of the PDF, or printed page #29.]

Photo: IBM 3410 tape system. Image courtesy of IBM. Story via PogoWasRight.

Reporting on breaches

It started with Mark Jewell of the AP, “Groups: Record data breaches in 2007.” Dissent responded to that in “Looking at 2007’s data breaches in perspective”:

The following table depicts the number of U.S. incidents reported and the corresponding number of records reported exposed by the three main sites that track such data: Attrition.org, the Privacy Rights Clearinghouse (PRC), and the Identity Theft Resource Center (ITRC).

Then Thomas Claburn writes “Data Breaches: Getting Worse Or Better?” in Information Week:

The year 2007 may or may not have been a record-setting year in terms of data breaches. Whether it was or wasn’t depends on how one counts.

Then Dissent followed up again, in “Second look: What kind of year was 2007 in terms of data breaches?”:

Perhaps it would be more conservative to conclude that we simply don’t know whether the total number of incidents rose, fell, or remained the same (because of the lack of a national disclosure law), but with media sources claiming that it was “record year” in terms of number of incidents, I thought it important to point out where the data do not support that assertion.
[lots of analysis elided]
The bottom line is that if we want to make any sense out of data, we need more transparency and mandatory disclosure so that we can get ALL of the numbers on ALL of the incidents.

I’m so eager to jump into this conversation, but have other writing that I need to finish. So go read what Dissent wrote, and I’ll just comment on how excited I am to see the emergence of all of this analysis around breach notices.

One man’s vulgarity is another’s lyric

DOYLESTOWN, Pennsylvania (AP) — A man who wrote a vulgar message on the memo line of a check he used to pay a $5 parking ticket has apologized in writing, leading police to drop a disorderly conduct charge against him.
David Binner sent the check after receiving a $5 parking ticket. He calls it “a temporary lapse of judgment.”
Clerks were offended by the message, and the disorderly conduct charge was filed because the comment was obscene, police Chief James Donnelly said.
“He was contrite enough to offer an apology, and I think that satisfies the people who were insulted by it,” he said.

Associated Press, via CNN
So what vulgarity was so “obscene” the police had to step in?

“The F-word isn’t what it used to be,” attorney [for the check-writer] Keith Williams said. It doesn’t have a sexual connotation anymore and so can’t be considered obscene, he said.

I guess that about says it. Meanwhile, the local police Chief explains that clerks were “insulted” when they saw this naughty, naughty expression while they were being paid from the public purse.
As an idealistic youth, I read Cohen v. California. So should the Chief:

The ability of government, consonant with the Constitution, to shut off discourse solely to protect others from hearing it is, in other words, dependent upon a showing that substantial privacy interests are being invaded in an essentially intolerable manner. Any broader view of this authority would effectively empower a majority to silence dissidents simply as a matter of personal predilections.

Cohen v. California, 403 U.S. 15 (1971)

TSA’s insecure “Traveller Identity Verification” site slammed by Oversight Committee

First exposed nearly a year ago, by DIY boarding pass mastermind Chris Soghoian, a TSA web site intended to help travelers improperly recorded on watch lists has been slammed by a House Oversight and Government Reform Committee report:

TSA awarded the website contract without competition. TSA gave a small, Virginia-based contractor called Desyne Web Services a no-bid contract to design and operate the redress website. According to an internal TSA investigation, the “Statement of Work” for the contract was “written such that Desyne Web was the only vendor that could meet program requirements.”
The TSA official in charge of the project was a former employee of the contractor. The TSA official who was the “Technical Lead” on the website project and acted as the point of contact with the contractor had an apparent conflict of interest. He was a former employee of Desyne Web Services and regularly socialized with Desyne’s owner.
TSA did not detect the website’s security weaknesses for months. The redress website was launched on October 6, 2006, and was not taken down until after February 13, 2007, when an internet blogger exposed the security vulnerabilities. During this period, TSA Administrator Hawley testified before Congress that the agency had assured “the privacy of users and the security of the system” before its launch. Thousands of individuals used the insecure website, including at least 247 travelers who submitted large amounts of personal information through an insecure webpage.
TSA did not provide sufficient oversight of the website and the contractor. The internal TSA investigation found that there were problems with the “planning, development, and operation” of the website and that the program managers were “overly reliant on contractors for information technology expertise” and had failed to properly oversee the contractor, which as a result, “made TSA vulnerable to non-performance and poor quality work by the contractor.”

House Oversight and Government Reform Committee
As for accountability,

Neither Desyne nor the Technical Lead on the traveler redress website has been sanctioned by TSA for their roles in the deployment of an insecure website. TSA continues to pay Desyne to host and maintain two major web-based information systems: TSA’s claims management system and a governmentwide traveler redress program. TSA has taken no steps to discipline the Technical Lead, who still holds a senior program management position at TSA.

Risk Assessment is Hard

The BBC reports “Clarkson stung after bank prank,” in which the TV personality published his bank account numbers in the newspaper:

The Top Gear host revealed his account numbers after rubbishing the furore over the loss of 25 million people’s personal details on two computer discs.

He wanted to prove the story was a fuss about nothing.

But Clarkson admitted he was “wrong” after he discovered a reader had used the details to create a £500 direct debit to the charity Diabetes UK.

Clarkson published details of his Barclays account in the Sun newspaper, including his account number and sort code. He even told people how to find out his address.

“All you’ll be able to do with them is put money into my account. Not take it out. Honestly, I’ve never known such a palaver about nothing,” he told readers.

It’s easy to mock (fun too!), but I’m not sure it’s the right response. Risk assessment is hard. Our instincts about how hard these things might be are often wrong. Criminals often live in places where it’s worth weeks or a month of their time to steal £500. That’s twice the average income in some places. Each risk assessment takes time and energy to perform.

As chaos is all around us, our ability to reasonably and quickly assess risk is stuck in another time.

Thanks to Phil Hallam-Baker and Ryan Singel for pointing this out. Phil has a great video on his blog.

The Laboratories of Democracy in Action

Chris emailed me a bit before Christmas with a link to the new “New York State Security Breach Reporting Form.” How could we withhold this exciting news? I wanted to wait until people were back from vacation, so they didn’t miss it. The form is important because it’s starting to ask for more data. There’s a section to describe the breach:

Description of Breach (please select all that apply):
[ ] Hacking incident
[ ] Inadvertent disclosure
[ ] Stolen computer, CD, tape, etc.
[ ] Lost computer, CD, tape, etc.
[ ] Insider wrongdoing
[ ] Other (specify): _______________________________________________
[Attach additional description if necessary]

Mmm, “attach additional description if necessary.” It’s a far cry from the earlier “a general description of what happened,” which is what Ontario was asking for at the start of this year. New York’s “if necessary” could go, making additional descriptions mandatory. I’d love to read those, and I look forward to it.

I can be optimistic because States, and their attorneys general, are going to compete to best protect their citizens. As they’ve competed, the sky hasn’t fallen. Even at TJX, with the biggest disclosed commercial breach in the US so far, sales were up.

I love the emergent chaos of breach laws, and I look forward to lots more in the New Year.

How about a little fire?


At WD-50 I saw something done to the potatoes that makes a cook scream, “yes!”: a method of cooking the potatoes with an explanation using true understanding of the molecules inside the potatoes and the effects of heat on them.

The potatoes are peeled, sliced, and cooked in a water bath at 65 degrees Celsius for 30 minutes. The potatoes are transferred to an ice bath to cool completely. At this point the potatoes are still crisp, seemingly unchanged. Once cooled, the potatoes are cooked just as you would have had you just peeled them. If the potatoes are seemingly unchanged, you might ask what on earth did they just do?

For the answer, you’ll have to read Today’s Secret Ingredient…Heat at TastingMenu.

And the McGee article she refers to is “The Invisible Ingredient in Every Kitchen.”
There are few things more chaotic than fire, and few emergent results more yummy than a nice pizza cooked in a brick and wood oven.

Photo: January 6th by Lili’s One-a-Day.