Unmeddle Housing More

Last month, I wrote:

But after 50 years of meddling in the market, reducing the support for housing is going to be exceptionally complex and chaotic. And the chaos isn’t going to be evenly distributed. It’s going to be a matter of long, complex laws whose outcomes are carefully and secretly influenced. Groups who aren’t photogenic or sympathetic will lose out. (I’m thinking “DINKs” in gentrified urban areas.) Groups who aren’t already well-organized with good lobbyists will lose out. (See previous parenthetical.) Those who believed that the government housing subsidy would go on forever will lose. (“Unmeddling Housing,” January )

Now, the New York Times reports on the administration’s plan, calling it “audacious:”

The Obama administration’s much-anticipated report on redesigning the government’s role in housing finance, published Friday, is not solely a proposal to dissolve the unpopular finance companies Fannie Mae and Freddie Mac. It is also a more audacious call for the federal government to cut back its broadly popular, long-running campaign to help Americans own homes. The three ideas that the report outlines for replacing Fannie and Freddie all would raise the cost of mortgage loans and push homeownership beyond the reach of some families. (“Administration Calls for Cutting Aid to Home Buyers,” New York Times)

Audacious would be to put the mortgage interest deductions on the table. This is a move in the right direction, but it’s not going to let people express their real preferences in a market. It will continue to distort the market, reducing people’s flexibility to move, and encouraging them to make their major asset a non-liquid one which is likely to decrease in value as the US population ages.

Police Officers should be able to speak out

I got this in email and wanted to amplify it:

Law Enforcement Against Prohibition prides itself on the willingness of our members to stand up and take action against drug prohibition. Last fall, LEAP member Joe Miller did exactly that. A California police officer for eight years before taking a position as a deputy probation officer in Arizona, Joe signed a letter in support of Proposition 19, California’s marijuana legalization initiative. He was fired for it. Now he needs your help, and so does LEAP.

Former deputy probation officer Joe Miller

As a retired police officer of 33 years who myself spoke out against drug prohibition as a private citizen while employed as a police officer, I am extremely disheartened by Joe’s termination and the bigger issue it represents. Firing law enforcement professionals for speaking out against policies they know are wrong is not only an unfair intimidation tactic but also a violation of First Amendment rights. I urge you to support their right to speak out by signing this petition now. Joe is not the first officer to face unfair termination for expressing his personal opinion. Former US border patrol agent Bryan Gonzalez’s case recently made headlines when he was fired after expressing his views on drug legalization to a fellow officer.

LEAP is always there to provide support to those ethical and courageous law enforcers who come forward and say that drug prohibition is a failed policy. Our speakers are law enforcement professionals who are as dedicated as they are distinguished. In the past month, our speakers have made 101 presentations and appeared in such prestigious publications as the Wall Street Journal, the San Francisco Chronicle, the Boston Globe, the Los Angeles Times, the Hartford Courant, the Village Voice and the Miami Herald. We even got President Obama’s attention. Our speakers have become the go-to source for the law enforcement perspective on drug policy reform, and in the past week alone, we have provided expert testimony for drug policy related bills in four states. [You should give LEAP some money to help – Adam]

The ability of law enforcers to criticize the policies they are responsible for upholding serves a vital public interest. It lays the groundwork for much-needed reform, supports harm reduction efforts and provides tangible evidence that these laws simply are not working.

Law enforcement officers have a unique position to comment on the efficacy of our laws. We need them to be able to speak freely as individuals about their experiences. Even if they’re being foolish and telling me to “Just Shut Up and Be a Good Little Socialist,” I support their right to speak their minds, and not be fired for it. (Even if, as in Officer Pomper’s case, I believe he would have been well advised to shut up.)

But civil liberties aren’t just for folks we agree with. I think Joe Miller deserves his job back, and I urge you to sign the petition and consider supporting LEAP.

Elevation of Privilege (Web Edition) Question

Someone wrote to me to ask:

A few cards are not straightforward to apply to a webapp situation (some seem to assume a proprietary client) – do you recommend discarding them or perhaps you thought of a way to rephrase them somehow?

For example:

“An attacker can make a client unavailable or unusable but the problem goes away when the attacker stops”

I don’t have a great answer, but I’m thinking someone else might have taken it on.

For Denial of Service attacks in the Microsoft SDL bug bar, we roughly break things down into a matrix of (server, client, persistent/temporary). That doesn’t seem right for web apps. Is there a better approach, and perhaps even one that can translate into some good threat cards?

What should a printer print?

Over at their blog, i.Materialise (a 3D printing shop) brags about not taking an order. The post is “ATTENTION: ATM skimming device.” It opens:

There is no doubt that 3D printing is a versatile tool for materializing your 3D ideas. Unfortunately, those who wish to break the law can also try to use our technology. We recently received an order which bore a strong resemblance to an ATM skimming device. Basically, the customer placed a 3D print order for a device similar to the one below which is inserted in an ATM machine.

The plastic part can be attached to an ATM machine and with the appropriate hardware and tapped keyboard can scan cards and get personal data. In most cases, such a device does not prevent the cardholder from withdrawing funds from their account, but as their card has been scanned, it can later be reproduced and funds can be stolen from their account.

Fortunately, our engineers were quick to react, and after communication with the customer, the decision was made to decline the order. We do not support criminal activity and will do everything in our power to prevent possible crimes.

The choice that i.Materialise has made is their business. And I appreciate the impulse to protect people from the potentially negative side effects of their awesome business. At the same time, I think it’s a thought provoking and questionable decision for a whole slew of reasons:

  • There are legitimate uses for an ATM skimmer part. For example, as a security expert, I might want such a thing to wave around at conferences. Bank employees might want some for training people on what to look out for. (This is somewhat mitigated by their reaching out, but do I want a business that makes judgement calls about what I print? Maybe I’ll take my adult toy business elsewhere, rather than thinking about what it means for their engineers to be “quick to react.”)
  • The public needs to start to understand that physical objects like this are coming. As 3D printing becomes common, many things will become easier to spoof and fake. Caveat emptor will return. I expect we’ll see a race between high and low volume manufacturers where the high volume folks will specialize in things that are hard to make at home, perhaps using things like translucent plastics, toxic ingredients and/or aluminum and titanium, both of which require high temperatures.
  • The banking industry needs to understand that skimmers are getting insanely realistic, and they would be fools to rely on the good graces of 3D printing firms. Skimmers are already so realistic that they’re being installed on in-bank ATMs. Banks are going to need to figure out what to do about that. I figure they can go seamless curvy metal, settle on a single card slot design and roll it out, or start hiring mural painters to customize each ATM machine. Banks will also find it increasingly expensive to stay with magstripe + PIN.
  • This may set a precedent for i.Materialise to not be a “common printer” but a co-conspirator in production. (I believe the company is in Belgium, so their mileage will vary.) In the US, we have a concept of a common carrier, that is, one that will take all customers who can pay. You can choose to discriminate, but if you do, you’re answerable for it. If i.Materialise produces a part that’s used in a future crime, they’ve set a precedent that their engineers should have prevented it. I certainly wouldn’t want to have to answer in court for the statement that we’d “do everything in our power to prevent possible crimes.”

But, it’s their business, and their choice to make. It’s important to understand that 3D printing is getting faster, cheaper and more exciting every year, and that’s going to lead to a lot of chaos emerging.

I’m not aware of anything that makes it unlikely that there will be commercial, inexpensive home 3D printers in 5-10 years. Many of those will be based on open source software like RepRap, just as many inexpensive home routers either ship with or advertise support for dd-wrt. Those home devices will print ATM skimmer covers because it will be easy to remove code that tries to censor what can be printed. They’ll also print bomb parts, “drug paraphernalia,” and print-at-home Star Wars toys. Sorry, Kenner! And Pottery Barn, your days of selling glazed clay may be coming to an end. Later on, we’ll be able to print with easily worked metals like copper, silver or zinc, and those patented cables will be conspicuous consumption.

What’s happening to music and books will happen to physical things. The experience (the concert, the cruise with the band) becomes part of the artist’s revenue stream. Etsy will replace WalMart, because it will be cheaper to print plastics at home than to print them in China, ship them and warehouse them. And you’ll be able to buy plastic and clay that you know are BPA-free, or whatever the latest fad is. You’ll get your circuits or other harder things at shops like Metrix:Create Space. What you’ll pay for, and what Etsy is set up to deliver, is artistry and uniqueness.

Most of us in what’s left of the first world will be able to print the things we want, in the colors, designs and customizations we want. We’ll be better off for it. GDP will likely go down while our standard of living goes up.

Whichever way all this goes, lots of chaos is going to emerge, and we’re going to live in interesting times.

(Thanks to Boing Boing for catching the story.)

Egypt and Information Security

Yesterday, I said on Twitter that “If you work in information security, what’s happening in Egypt is a trove of metaphors and lessons for your work. Please pay attention.” My goal is not to say that what’s happening in Egypt is about information security, but rather to say that we can be both professional and engaged with the historic events going on there. Further, I think it’s important to be engaged.

A number of folks challenged me, for example, “Care to enumerate some of those lessons? The big ones I see are risks of centralized bandwidth control, lack of redundant connections.”

There are a number of ways that information security professionals can engage with what’s happening.

A first is to use what’s happening to engage with their co-workers and management on security issues like employee safety, disaster recovery, and communications redundancy and security. This level of engagement is easy, it’s not political, but it uses a story in the news to open important discussions.

A second way is to use Egypt as a source of what-if scenarios to test those sorts of plans and issues. This gives strong work justification to tracking and understanding what’s happening in Egypt in detail.

A third way is to use Egypt as a way to open discussions of how our technologies can be used in ways which we don’t intend. Oftentimes, security technologies overlap with the ability to impose control on communications. Sometimes, for example with Tor, they can be used to protect people. Other times, they can be used to cut off communications. These are difficult conversations, fraught with emotion and exposing our deep values. But they are difficult because they are important and meaningful. Oftentimes, we as technologists want to focus in on the technology, and leave the societal impact to others. I think Egypt offers us an opportunity to which we can rise, and a lens for us to engage with these questions in the technologies we build or operate.

There are probably other ways as well, and I’d love to hear how others are engaging.