Twitter Weekly Updates for 2012-05-20

  • RT @votescannell Mother of 3 Arrested for Taking Pictures of Tourist Attraction at Airport http://t.co/Id8TKH9r // I feel safer already. #
  • Freedom gropes for all @seatac! /cc @tsastatus. #
  • RT @ashk4n WiFi Pineapple lets anyone with $90 to "compromise the sh*t out of anyone using WiFi in the area" http://t.co/TnR3n56k #armsrace #
  • Great question for @beaker: why has innovation in sanitation exceeded innovation in security? #
  • RT @DanaEpp In DC @ the security dev conference. Missing you both. Adam, I taught some people EoP at the reception tonight 😉 << cool! #
  • RT @jeremiahg it really is stunning how silly infosec's historical list of "best-practices" look when contrasted with data. #
  • RT @JohnLaTwC Nice job @adamshostack for your work on the Autorun update. Dropping infections by 60+% #
  • RT @jeremiahg RT @adamshostack: @jeremiahg Is that clueless, or cynical that the assessments are assessing the right things? < C) Both #
  • For those at AusCERT, quick pointer to additional Star Wars & Information security content: http://t.co/yfY6F9nl #

Powered by Twitter Tools

My AusCert Gala talk

At AusCert, I had the privilege to share a the gala dinner stage with LaserMan and Axis of Awesome, and talk about a few security lessons from Star Wars.

I forgot to mention onstage that I’ve actually illustrated all eight of the Saltzer and Schroeder principles, and collected them up as a single page. That is “The Security Principles of Salzter and Schroeder, Illustrated with Scenes from Star Wars“. Enjoy!

What Kip Hawley Doesn’t Understand About Terrorism

Former TSA Administrator Kip Hawley was on NPR a few minutes ago, opining on the 2nd panty bomber. He said two remarkable things. First, that the operators of nudatrons, who see thousands of naked people per day, would notice the bomb. Second, he didn’t understand why Al Qaeda would continue to focus on underwear bombs.

Once again, Kip’s wrong.

First, Kip is wrong, and ought to know he’s wrong about those operators. Those operators are likely to get bored and be unable to focus on the images after a while. That’s why the TSA inserts fake images of weapons in its XRays. Detecting these anomalies is hard. (Perhaps TSA inserts fake images in the nudatron images, but I didn’t see any mention of such functionality in the system requirements that EPIC forced TSA to release.

Second, he doesn’t understand why Al Qaeda would focus on underwear bombs. Really? You don’t get that for a failed attempt, millions of people will be photographed naked, groped and humiliated? They focus on the things that make the bureaucracy that Hawley built convulse. That bomb didn’t even make it onto the plane, and we’re all expecting the next shoe to drop.

Study: More than 90% of Americans Take Action on Privacy

That’s my takeaway from a new study of 2,000 households by Consumer Reports:

There are more than 150 million Americans using Facebook at this point, and that number is growing. … a new exhaustive study from Consumer Reports on social networking privacy found that 13 million American Facebook users have never touched their privacy settings. (“Study: 13 Million People Haven’t Touched Facebook Privacy Settings“, Consumerist)

Consumerist’s headline focused on the small portion who haven’t touched their privacy settings. I think much more interesting is that based on the Consumer Report numbers, 91% of Americans have taken the time to dig into Facebook’s privacy controls. Also, 72% lock down their wall posts. Those are privacy protective actions, and we regularly hear how those privacy controls are hard to use, and how frequently Facebook changes them.

We often hear privacy-invaders making claims that Americans don’t care about privacy, or won’t do anything about it. Those claims are demonstrated to be false, and false amongst even those least likely to be privacy-concerned (young, willing to be on Facebook).

So next time you hear someone make one of those claims, ask them why 91% of Americans change their privacy settings.

As an aside, the article has a really clear summary of the many privacy problems around Facebook.

Please Kickstart Elevation of Privilege

Jan-Tilo Kirchhoff asked on Twitter for a printer (ideally in Germany) to print up some Elevation of Privilege card sets. Deb Richardson then suggested Kickstarter.

I wanted to comment, but this doesn’t fit in a tweet, so I’ll do it here.

I would be totally excited for someone to Kickstarter production of Elevation of Privilege. Letting other people make it, and make money on it, was an explicit goal of the Creative Commons license (CC-BY-3.0) that we selected when we released the game.

So why don’t I just set up a Kickstarter? In short, I think it’s a caesar’s wife issue. I think there’s a risk that it looks bad for me to decide to release things that Microsoft paid me to do, and then make money off of them.

Now, that impacts me. It doesn’t impact anyone else. I would be totally excited for someone else to go make some cards and sell them. I would promote such a thing, and help people find whatever lovely capitalist is doing it. I would be happy to support a Kickstarter campaign, and would be willing to donate some of my time and energy with things like signing decks, doing a training sessions, or whatnot. I even have some joker cards that you could produce as a special bonus item.

So, if you think Elevation of Privilege is cool, please, go take advantage of the license we released it under, and go make money with it.

[Update: I don’t have exact numbers, but have seen quotes for quantities around 5,000 decks, production might be around $2-3 a deck. At smaller quantities, you might end up around $5-7 a deck. YMMV. So a Kickstarter in the range of $5-10K would probably be workable, although you’d certainly want to think about shipping and handling costs.]