Taxpayers Stuck With Tab, but not in Seattle

In an article with absolutely no relevance for Seattle, the New York Times reports “With No Vote, Taxpayers Stuck With Tab on Bonds.” In another story to which Seattle residents should pay no attention, the city of Stockton is voting to declare bankruptcy, after risking taxpayer money on things like a … sports arena.

Of course, in Seattle, blah blah it’ll be so profitable, that it’ll make us a world class city while unlocking a stream of buzzwords and nonsense.

No, really. That seems to be the level of public discourse right now. The taxpayers of the region are being asked to pony up as much as 400 million bucks to help a hedge fund manager offload risk. That strikes me as doubly unwise. First, there are lots of better ways we could allocate a possible $400 million of spending. Second, when making a deal with a hedge fund manager to take risk, you should look for the sucker in the deal. It’s unlikely to be the hedge fund.

A flame about flame

CNET ran a truly ridiculous article last week titled “Flame can sabotage computers by deleting files, says Symantec”. And if that’s not goofy enough, the post opens with

The virus can not only steal data but disrupt computers by removing critical files, says a Symantec researcher.

ZOMG! A virus that deletes files! Now that is cutting edge technology! It’s shit articles like this that reify the belief that the security industry in general, and the AV industry in particular, is filled with people who are completely out of touch with the rest of the world.

“These guys have the capability to delete everything on the computer,” Thakur said, according to Reuters. “This is not something that is theoretical. It is absolutely there.”

ProTip to Symantec and Reuters: viruses have been doing this since at least the 80s. Are you really that desperate for yet another story that this is the sort of thing you feel is worthy of a press release and news article? How about you save that time and effort and instead focus on making a product that works better.

Age and Perversity in Computer Security

I’ve observed a phenomenon in computer security: when you want something to be easy, it’s hard, and when you want the same thing to be hard, it’s easy. For example, hard drives fail seemingly at random, and it’s hard to recover the data. But when you want to destroy the data, it’s surprisingly hard.

I call this my law of perversity in computer security.

Today, Kashmir Hill brings a great example in “So which is it?”

Privacy online

Contradiction much? When it comes to the state of online privacy, the media tend to send mixed messages, but this is one of the more extreme examples I’ve seen.

It’s just perverse: it’s hard to be sure when someone wants to rely on the data to protect kids, but it’s easy (for marketing firms) when we prefer to remain private.

Future of Privacy Seeks Input

The Future of Privacy Forum (FPF) is an interesting mix of folks trying to help shape, well, the future of privacy. They have an interesting mix of academic and industry support, and a fair amount of influence. They’re inviting authors with an interest in privacy issues to submit papers to be considered for FPF’s third edition of Privacy Papers for Policy Makers.

The selected papers will be distributed to policy makers in Congress, federal agencies and data protection authorities internationally.

PRIVACY PAPERS FOR POLICY MAKERS 2012
The Future of Privacy Forum (FPF) invites privacy scholars and authors with an interest in privacy issues to submit papers to be considered for FPF’s third edition of “Privacy Papers for Policy Makers.”

PURPOSE
• To highlight important research and analytical work on a variety of privacy topics for policy makers
• Specifically, to showcase papers that analyze current and emerging privacy issues and either propose achievable short-term solutions, or propose new means of analysis that could lead to solutions.

For more info, http://www.futureofprivacy.org/issues/fpf-advisory-board/.

Mozilla’s Vegan BBQ

The fine folks at Mozilla have announced that they’ll be hosting a BBQ in Dallas to thank all their supporters. And the cool thing about that BBQ is it’s gonna be vegan by default. You know, vegan. No animal products. It’s good for you. It’s the right default. They’ll have dead cow burgers, but you’ll have to find the special line.

Obviously, I’m just kidding. Mozilla isn’t hosting a vegan BBQ in Dallas, but they are hosting one for your browsing privacy, by their choice for the “Do Not Track” (DNT) setting.

Poll after poll shows that people around the world prefer privacy, in the same sort of way they prefer cow burgers. This preference is stable, extending back decades, and being shown in nearly every poll. So why is Mozilla defaulting to not setting DNT?

Meanwhile, [some participants in] the W3C [working group are] suggesting that the best we can possibly do is, whenever you install a new browser, to put you through an Eliza-like process of interviewing you about weird technical settings, rather than having a great first-run experience.

Now it’s true, some people are ok with a tradeoff between what advertisers want (to trade content for ads) and what they want (privacy). Some advertisers go so far as to claim that there would be no content without ads, and they are, simply, flatly wrong. There is, and will continue to be, content like this, which I hope you’re enjoying. I’ll draw to your attention that this blog is ad-free. We write because we have ideas we want to share. I’m sure that with fewer ads, we’d see less Paris Hilton ‘content’. But more importantly, the advertising industry is good at spreading messages. If they need DNT “off”, perhaps they could spread the message of why that’s a good thing for people, and, as is their wont and charter, convince people to make that change.

But the simple truth, known to the ad industry, the W3C and to Mozilla, is that most people prefer not to be tracked, in the same way most people prefer beef burgers. The “please let us track you” people have a hard message to spread, which is why they prefer to fight in relative obscurity over defaults.

Some additional background links: “Ad industry whines while privacy wonks waffle,” “Could the W3C stop IE 10’s Do Not Track plans?”

I should be clear that my distaste at the idea of a vegan BBQ is mine. Even if my employer and I both prefer beef burgers, my opinions are mine, theirs are theirs, and I didn’t cook this blog up with them.

[Update: Clarified that I didn't mean to imply the decision was that of the W3C as a whole.]

Twitter Weekly Updates for 2012-06-10

  • RT @DeathStarPR Easy way to feel like Darth Vader: stand over a heap of dirty laundry and imagine you've just killed a Jedi. #StarWars
  • RT @runasand We have managed to determine exactly how Ethiopia blocks #Tor and we have developed a workaround: https://t.co/snTjeVbN
  • RT @derekcslater What I learned when I left security http://t.co/AexcK8NN Advice on exec communication – great story, valuable perspectives
  • RT @hellNbak_ @adamshostack @derekcslater anything with Scott Blake has to be worth reading.
  • Imma let you finish @asus, but if you get past how sexist & asinine @asus was, you realize it's so bad it's hard to satirize
  • RT @jeremiahg "Samsung Bug Bounty Program is under maintenance." ooops, did linking to just kill the site? << & will you get bounty?
  • RT @jeremiahg Interesting twist on CloudFlare breach "..involved breach of AT&Ts systems that compromised oob auth" http://t.co/4nDDAxtB
  • This Cloudflare blog http://t.co/KeUHAfoR shows how much we can learn when we talk about attacks, rather than hiding them.
  • RT @netik OH: Of course you need extra gorilla suits. You can't wear a white gorilla suit after labor day. Geesh.
  • http://t.co/On6Vcws7 doesn't make it easy to opt out (and if you're an AT&T customer, you should). Why not work from a phone #?
  • New Blog: "On @Cloudflare's post-mortem" http://t.co/quXhyd3z
  • RT @joshcorman follow for DM? << You know, there are email tools that give you 150+ characters, subject lines? :)
  • RT @451wendy RT @rachelchalmers: There's a little black spot on the sun today. < It's the same old thing as yesterday.
  • RT @thedarktangent Secretary says Cyber and Aviation security consume more of her time than ever before. #DHS < This juxtaposition scares me
  • RT @thedarktangent honored to co-chair new task force on #cyber workforce development to develop a long term strategy for #DHS < Congrats!
  • RT @Beaker Updated BYOD security profile/policy pushed to my iPhone this morning. String passwords on phone unlock (really?) = PiTA.
  • Intrusive password policies spend compliance
  • Bad password policies give no benefit while absorbing your people's willingness to help with security. #Fail (cc @beaker)
  • RT @moxie If LinkedIn hasn't confirmed the breach, they haven't fixed it either. You can change your PW, but attackers can just get it again
  • MT @amrittsering Too bad there've been so few data breaches to help folks deal with the linkedin breach, if only we had a more learning opps
  • RT @aloria Another password breach, another round of "how to create strong passwords" lectures. THEY'LL TOTALLY LISTEN THIS TIME! #adorable
  • MT @jeremiahg Instincts telling me these incidents are connected. Wondering if all 3 using the same DEV framework. << or same PR checklist?
  • I'll bet we see 10-20 announcements of password breaches hoping to be in the LinkedIn PR shadow. Reminds me a bit of Heartland/inauguration
  • RT @451wendy @securityninja That would be fantastic. We need more security card games besides Elevation of Privilege.
  • There's a fascinating difference between security people & normal folks when there's a guy on the bus with a test LTE wifi gateway.
  • RT @AngryBFlay A dash of granola is a great way to add excitement to a dish if you have zero grasp of what the fuck excitement means.
  • RT @MSFTnews To track or not to track? Not just a question, a choice for consumers and industry http://t.co/906dY7D4
  • RT @philvenables More new school thinking from the Feynman archives. Listen to this while thinking of InfoSec. http://t.co/SiFpDkxT
  • RT @3ricj Now everybody but me has my linked in password. This can only lead to future job offers.

Powered by Twitter Tools
