Point Break, Live

The starring role of Johnny Utah is selected from the audience each night, and reads their entire script off of cue-cards. This method manages to capture the rawness of a Keanu Reeves performance even from those who generally think themselves incapable of acting. The fun starts immediately with the “screen test” wherein the volunteer Keanus (usually 5-15 men and women vie for the role) go through a grueling audition process. The part is then cast via applaus-o-meter.

Point Break Live. So very attitudinally mis-adjusted. Via JWZ.

Marty Lederman, on a roll

You see, the CIA apparently uses the less dangerous version of “waterboarding” — not the Spanish Inquisition method, but the technique popularized by the French in Algeria, and by the Khmer Rouge — involving the placing of a cloth or plastic wrap over or in the person’s mouth, and pouring or dripping water onto the person’s head. That’s the civilized version of waterboarding — the benign, anodyne, variant of the water treatment, the kind carefully administered by professionals. We would never dream of the barbaric practice of actually forcing the water into the nose and mouth.

Go read “The Underdeveloped Jurisprudence of the Forcing/Pouring Distinction” and wonder how the next President is going to avoid prosecution.

Microsoft Security Intelligence Report V4

Microsoft Security Intelligence Report (July – December 2007)

This volume of the SIR focuses on the second half of the 2007 calendar year (from July through December) and builds upon the data published in the previously released volumes of the SIR. Using data derived from several hundred million Windows users, and some of the busiest online services on the Internet, this report provides an in-depth perspective on trends in software vulnerability disclosures as well as trends in the malicious and potentially unwanted software landscape, and an update on trends in software vulnerability exploits. The scope of this fourth volume of the report has been expanded to include a focus on privacy and breach notifications, and a look at Microsoft’s work supporting law enforcement agencies worldwide in the fight against cyber criminals. [Emphasis added.]

Emergent Chaos readers are unlikely to learn new details in the analysis. What’s important to me is that this helps to establish a new normal baseline around the way we’re using information that’s disclosed and gathered by folks like Attrition.

Quantum Cryptography Broken and Fixed

Researchers at Linköping University in Sweden have found flaws in quantum cryptography. They also supply a fix. The announcement is here; a FAQ is here; full paper is at the IEEE here (but requires an IEEE membership).

The announcement says:

Jan-Åke Larsson, associate professor of applied mathematics at Linköping University, working with his student Jörgen Cederlöf, has shown that not even quantum cryptography is 100-percent secure. There is a theoretical possibility that an unauthorized person can extract the key without being discovered, by simultaneously manipulating both the quantum-mechanical and the regular communication needed in quantum cryptography.

Interestingly, the fix is to add some random bits into the channel. My understanding (I haven’t read the paper, just the announcement and the FAQ) is that this effectively adds a nonce to the protocol. I am amused that even an allegedly pure-physics security system needs a software patch.

This brings up an interesting question, though — if, with all its hype, quantum cryptography is not 100% secure, how secure is it? Is it 99.999999999999% secure? And why wouldn’t you just use 256-bit conventional crypto on a pair of IPsec routers you bought at Fry’s instead?

Reality imitates the Onion

I’m somewhat sure this is a real AP story, “Al-Qaida No. 2 says 9/11 theory propagated by Iran.” The Onion scooped them, with “9/11 Conspiracy Theories ‘Ridiculous,’ Al Qaeda Says.”

Unfortunately, no progress on the “fake tape” issue:

The authenticity of the two-hour audio recording posted on an Islamic Web site could not be independently confirmed. But the voice sounded like past audiotapes from the terror leader, and the posting where it was found bore the logo of Al-Sahab, al-Qaida’s official media arm.

(Via Orin Kerr at Volokh.)

Keynoting at ISSA tomorrow

I’ll be delivering the keynote at “The Fourth Annual ISSA Northwest Regional Security Conference” tomorrow in Olympia, Washington. I’m honored to have been selected, and really excited to be talking about “the crisis in information security.”

The topics will be somewhat familiar to readers of this blog, but in a longer, more coherent format than the emergent chaos which makes it here.

I should mention, I’m doing this wearing my own hat, not a Microsoft one, and will avoid most any mention of threat modeling or SDL.

WEIS 2008: Register now

Registration is under way for the seventh Workshop on the Economics of Information Security, hosted by the Center for Digital Strategies at Dartmouth’s Tuck School of Business, June 25-28, 2008.
The call for papers and the archives of past workshops give a good sense of what you’ll find (and it is awesome and well worth your time).
Unfortunately, the complete program for this year is not up yet on the site, although hotel discounts end on April 24.
I’m going, and may show up 2-3 days early. EC readers who will also be in town early and want to do some hiking, drop me a line and maybe we can arrange something.

More New School Reviews

Gary McGraw says buy it for the cover:

The New School of Information Security is a book worth buying for the cover alone. I know of no other computer security book with a Kandinski on the front. Even though I know Adam Shostack from way back (and never could have predicted that he would become a Microsoft guy), I saw his book at RSA, bought it for the cover, and only then discovered that he was the author! My plan was to give the book to a good friend who I know is a huge Kandinski fan. On the way to complete that errand, I had a chance to look through the book and now I need a copy of my own! If you’re a follower of the economics of security school (which Ross and Bruce Schneier have helped spearhead), you’ll like this book. (Gary McGraw)

while Ben Rothke says buy it for what’s in between:

The New School of Information Security is a ground-breaking text in that it attempts to remove the reader from the hype of information security, and enables the reader to focus on the realities of security. The fact that such a book needs to be written in 2008 shows the sorry state of information security.

Let’s hope The New School of Information Security is indeed a new start for information security. The book is practical and pragmatic, and one of the most important security books of the last few years. Those serious about information security should definitely read it, and encourage others to do the same.
(Ben Rothke’s review on Slashdot)

Thanks very much for the awesome review, Ben!

Why Aren’t there More Paul Grahams?

Paul Graham has an interesting essay, “Why There Aren’t More Googles.” In it, he talks about how VCs are shying away from doing lots of little deals, and how the bold ideas are the ones that are hardest to fund:

And yet it’s the bold ideas that generate the biggest returns. Any really good new idea will seem bad to most people; otherwise someone would already be doing it. And yet most VCs are driven by consensus, not just within their firms, but within the VC community. The biggest factor determining how a VC will feel about your startup is how other VCs feel about it. I doubt they realize it, but this algorithm guarantees they’ll miss all the very best ideas. The more people who have to like a new idea, the more outliers you lose.

Paul is absolutely right. The more people who have to like a new idea, the more outliers you miss. However, any really good new idea is likely a combination of one really good insight and several bad ones. It’s hard to disentangle them until you engage with the market, and there’s a real question of how expensive that will be. There’s also the question of whether a really bold new inventor will listen enough to make the idea successful.

When I was at Zero-Knowledge, we spent a lot of time exploring ideas which have now come to fruition. Zero-Knowledge, under the name RadialPoint, is thriving. Selling security and privacy to consumers makes sense as part of an ISP package. Making it work, and figuring out what people were ready for, took a while. Some of the bits that consumers weren’t ready for, and which perhaps weren’t ready for the market, include IP-level privacy, a problem that the Tor Project is hard at work on. We also worked hard on ‘private credentials’, which Credentica launched as U-Prove, and which has since been acquired by Microsoft.

We had lots of new ideas at Zero-Knowledge, and a set of happy outcomes (as shareholders know).

But Zero-Knowledge, while bold, wasn’t even absolutely new. It was built on the ideas of the cypherpunks, and we even had a Chief Cypherpunk. Similarly, Google wasn’t the first of the search engines. It was innovative in how it worked, but it was several years after Yahoo!, AltaVista, and Ask. The bold ideas took a while to become profitable ideas.

So I think that it’s absolutely wonderful that we have a creative, chaotic froth of very little companies, and that Paul helps make that happen. I wish there were more. I love seeing what emerges from that chaotic experimentation. But that experimentation can be tremendously expensive, with people chasing many variations of the ideas.

Paul is chasing a variation on how funding happens. He believes passionately in that vision, and is putting his money where his mouth is. Will it work? Who knows? I’m glad there’s chaotic experimentation, and if Paul succeeds, I’m sure he’ll have many imitators.