On the Assimilation Process

Three years and three days ago I announced that “I’m Joining Microsoft.” While I was interviewing, my final interviewer asked me “how long do you plan to stay?” I told him that I’d make a three year commitment, but I really didn’t know. We both knew that a lot of senior industry people have trouble finding a way to be effective in Microsoft’s culture.

So I wanted to pipe up and say I’m having a heck of a lot of fun, and have found places and ways to be effective. I’m getting to develop and share things like our SDL Threat Modeling Tool, and I get to be very transparent about the drivers and decisions that shape it. I’ve got some even cooler stuff in the pipeline, which I’m hoping will be public in the next year or so. My management (which has shifted a little) is supportive of me having two external blogs.

It’s been a heck of a ride so far. Dennis Fisher asked a great question to close this Hearsay Podcast, which is what surprised me the most? I was a little surprised by the question, but I’m going to stand by my answer, which is the intensity and openness of internal debate, and how it helps shape the perception that we’re all reading from the same script. It’s because we’ve seen the debate play out, with really well-informed participants, and remember which points were effective.

I can’t wait to see what happens in the next three years.

Emergent Traffic Chaos

Paul Kedrosky has an amazing video:

As described in the New Scientist:

Researchers from several Japanese universities managed the feat by putting 22 vehicles on a 230-metre single-lane circuit (see video).

They asked drivers to cruise steadily at 30 kilometres per hour, and at first the traffic moved freely. But small fluctuations soon appeared in distances between cars, breaking down the free flow, until finally a cluster of several vehicles was forced to stop completely for a moment.

The Cost of Anything is the Foregone Alternative

The New York Times reports:

At least six men suspected or convicted of crimes that threaten national security retained their federal aviation licenses, despite antiterrorism laws written after the attacks of Sept. 11, 2001, that required license revocation. Among them was a Libyan sentenced to 27 years in prison by a Scottish court for the 1988 bombing of Pan Am 103 over Lockerbie.

It’s long been a truism of economics that the cost of anything is the foregone alternative. In this case, a huge amount of our air travel security spending goes into ensuring that you can’t fly if your name and ID don’t quite match (looking at you, Jim), rather than preventing convicted terrorists from getting aviation licenses.

The emergent chaos of fingerprinting at airports

HONG KONG (Reuters) – A Singapore cancer patient was held for four hours by immigration officials in the United States when they could not detect his fingerprints — which had apparently disappeared because of a drug he was taking.

The incident, highlighted in the Annals of Oncology, was reported by the patient’s doctor, Tan Eng Huat, who advised cancer patients taking this drug to carry a doctor’s letter when traveling to the United States. (“Cancer patient held at airport for missing fingerprint“, Reuters, May 27 2009)

Reuters classifies this as “oddlyEnoughNews,” but in fact it’s not odd at all that over time, additional layers of “no” will expose conditions unimagined by their designers. Chaos will emerge. In a free society, that chaos is an accepted part of life. We stop only that which is explicitly denied, not that which the designer didn’t anticipate. In information security, we often default to deny, because we know our imaginations are limited. But the role of security in society used to be carefully limited, for precisely these reasons.

(Via Slashdot)

UnClear where the data will go

So Clear’s Verified Line Jumper service has shut down. Aviation Week has a blog post, “
Clear Shuts Down Registered Traveler Lanes

Clear collected a lot of data:

The information that TSA
requires us to request is full legal name, other names used, Social Security number (optional), citizenship, Alien Registration
Number (if applicable), current home address, primary and secondary telephone numbers, current email address, date of birth,
place of birth, gender and height. TSA also lists as optional, but helpful, the following personal information: home addresses,
driver’s license number and employer’s name and address…digital photo and digital images of all of your fingerprints and your irises…your credit card.

This raises a very serious problem with a company like Clear/Verified Identity Pass, Inc. The in-depth, validated customer data is likely to count amongst such a company’s most valuable assets. Their privacy policies make no mention of what would happen to it in the event that the company goes bust.

Does anyone know where Clear was incorporated? Maybe I’ll bid at the bankruptcy auction.

[Update: Tamzen points out that there’s an update on their site, promising that Clear will abide by the “Transportation Security Administration’s Security, Privacy and Compliance Standards” and “take appropriate steps to delete the information.” Google thinks that those standards might refer to “Transportation Security Administration’s Security, Privacy and Compliance Standards.” Me, I wonder why they say “take appropriate steps” rather than just promising to delete it. Back in the day, Brill’s Content might have taken them to task for that.]

Iran Links

Ron Paul supporter inadvertently gets iPhones banned from U.S. aircraft

Via CNN:

Steve Bierfeldt says the Transportation Security Administration pulled him aside for extra questioning in March. He was carrying a pocket edition of the U.S. Constitution and an iPhone capable of making audio recordings. And he used them.
On a recording a TSA agent can be heard berating Bierfeldt. One sample: “You want to play smartass, and I’m not going to play your f**king game.”
Bierfeldt is director of development for the Campaign for Liberty, an outgrowth of the Ron Paul presidential campaign.
Unbeknownst to the TSA agents, Bierfieldt had activated the record application on his phone and slipped it into his pocket. It captured the entire conversation.
An excerpt:
Officer: Why do you have this money? That’s the question, that’s the major question.
Bierfeldt: Yes, sir, and I’m asking whether I’m legally required to answer that question.
Officer: Answer that question first, why do you have this money.
Bierfeldt: Am I legally required to answer that question?
Officer: So you refuse to answer that question?
Bierfeldt: No, sir, I am not refusing.
Officer: Well, you’re not answering.
Bierfeldt: I’m simply asking my rights under the law.
The officers can be heard saying they will involve the Federal Bureau of Investigation and the Drug Enforcement Administration, and appear to threaten arrest, saying they are going to transport Bierfeldt to the local police station, in handcuffs if necessary.
Near the end of the recording an additional officer enters the situation and realizes the origins of the money.
Officer: So these are campaign contributions for Ron Paul?
Bierfeldt: Yes, sir.
Officer: You’re free to go.

Suffering for Art


Joseph Carnevale, 21, was nabbed Wednesday after a Raleigh Police Department investigation determined that he was responsible for the work (seen below) constructed May 31 on a roadway adjacent to North Carolina State University. Carnevale, pictured in the mug shot at right, was charged with misdemeanor larceny for allegedly building his orange monster from materials pilfered from a construction site. According to an arrest warrant, Carnevale “destroyed three road blocking barrels by cutting and screwing them together to form a statue.”

Via The Smoking Gun.

Posted in art

Privacy Enhancing Technologies 2009

The organizers of the 9th Privacy Enhancing Technologies Symposium invite you to participate in PETS 2009, to be held at the University of Washington, Seattle, WA, USA, on Aug 5-7, 2009.

PETS features leading research in a broad array of topics, with sessions
on network privacy, database privacy, anonymous communication, privacy
policies, and privacy offline. (The PETS 2009 program is here.)

Like last year, we also present the HotPETs workshop, which showcases hot new research in the field.

We will also be presenting the Award for Outstanding Research in Privacy
Enhancing Technologies to researchers who have made an outstanding
contribution to the theory, design, implementation, or deployment of
privacy enhancing technology.

Important dates:

Stipends deadline: July 2
Hotel group rate deadline: July 5
Earlybird registration deadline: July 9
Symposium: August 5-7

Venue and registration information, as well as the program, can be found
at the PETS 2009 website.

We hope to see you in Seattle!

– The PETS 2009 organizers