Bleg: Picture editor?

I used to use “Galerie” on my Mac to put nice pretty frames around pictures I posted here. (See some examples.) Galerie was dependent on … blah, blah, won’t work anymore without some components no longer installed by default. So I’m looking for a replacement that will, with little effort, put pictures in a nice frame for me as I post them.

I’m willing to spend a little money, but not a lot of time per photo.

Your advice please?

Malware reports? (A bleg)

I’m doing some work that involves seeing what people are saying about the state of malware in 2010, and search terms like “malware report” get a lot of results, but they don’t always help me find things like the Symantec ISTR, the McAfee threats report or the Microsoft SIR.

To date, I’ve found reports from Cisco, IBM/ISS, Kaspersky, McAfee, Microsoft, Sophos and Symantec. Are there others that cover malware? (I’m leaving off Verizon since it doesn’t cover what I need for this particular project.) Recent things like the Nocebo paper here are also interesting.

If you know of other reports that will help me gain insight into the state of the world, please leave a comment.

Elsewhere…

Things are busy and chaotic, but while I’m unable to blog, here’s some audio and video I’ve done recently that you might enjoy:

  • “Meeting of the Minds” with Andy Jaquith and myself in either text or audio.
  • Face-Off with Hugh Thompson “Has social networking changed data privacy forever?” Video

Saltzer, Schroeder, and Star Wars

When this blog was new, I did a series of posts on “The Security Principles of Saltzer and Schroeder,” illustrated with scenes from Star Wars.

When I migrated the blog, the archive page was re-ordered, and I’ve just taken a few minutes to clean that up. The easiest to read version is “Security Principles of Saltzer and Schroeder, illustrated with scenes from Star Wars.”

So if you’re not familiar with Saltzer and Schroeder:

Let me start by explaining who Saltzer and Schroeder are, and why I keep referring to them. Back when I was a baby in diapers, Jerome Saltzer and Michael Schroeder wrote a paper “The Protection of Information in Computer Systems.” That paper has been referred to as one of the most cited, least read works in computer security history. And look! I’m citing it, never having read it.

If you want to read it, the PDF version (484k) may be a good choice for printing. The bit that everyone knows about is the eight principles of design that they put forth. And it is these that I’ll illustrate using Star Wars. Because let’s face it, illustrating statements like “This kind of arrangement is accomplished by providing, at the higher level, a list-oriented guard whose only purpose is to hand out temporary tickets which the lower level (ticket-oriented) guards will honor” using Star Wars is a tricky proposition. (I’d use the escape from the Millennium Falcon with Storm Trooper uniforms as tickets as a starting point, but it’s a bit of a stretch.)

Security Blogger Awards

We’re honored to be nominated for “Most Entertaining Security Blog” at this year’s “2010 Social Security Blogger Awards.” Now, in a fair fight, we have no hope against Hoff’s BJJ, Mike Rothman’s incitefulness, Jack Daniel’s cynicism, or Erin’s sociability.

But, really, there’s no reason for this to be a fair fight.

So we’re asking our readers to help us cheat. For the next month, whenever you see any of the judges (Mike Fratton, Bill Brenner, Kelly Jackson-Higgins and Larry Walsh) buy them a drink, mention how entertaining our story of the day was, and send us the bill.

We thank you. And remember, as you drink to our success, you’re making America stronger, strengthening your community, reducing taxes and fighting terrorism. Future generations will thank you.

Comment Spam

We’ve been flooded with comment spam. I’ve added one of those annoying captcha things that don’t work, and a mandatory comment confirmation page. Please let me know if you have trouble. Blogname @ gmail.com, or adam @ blogname.com

I think comments are working, but most won’t show up immediately. I’m digging into more effective solutions.

The Presentation of Self and Everyday Photographs

With the kind help of our awesome readership, Amazon and Glazer’s, I’ve acquired a camera, some books, a tripod, a prime 50mm, a flash diffuser, a polarizing filter, a graduated neutral filter, and some other random photography toys tools. You might question this, but I can quit anytime. Really! I even offered to loan my 50mm to a friend for a few days so he could get hooked make an informed decision about buying one.

Now, I know there are lots of people in our communities who post up their photos, and that’s their choice. I like to maintain some privacy-control of how I’m presenting myself. I have posted photos from my trip to South Africa and from the Privacy Enhancing Technologies conference, but those are almost journalistic. There’s something tremendously revealing about what subjects people photograph and share. Go ahead. Look. Ask yourself, who takes pictures like that? Why did they share that? What does it say about them?

Me, I prefer that people focus on my photos for themselves, and not for who I am. And I prefer to present a professional image that’s a carefully cropped subset of the whole.

And what I’m re-discovering is that it’s tremendously hard. A few of the shots at the end of the PETS set are, if I do say so myself, very nice. I have some bald eagles that I shot on Lake Washington while boating with some co-workers. Which stream do those go in?

There’s also a technical hard: I dug into EXIF a fair bit with exiftool, and there are at least two serial numbers in each raw photo. (Camera body and lens. I don’t vouch for completeness, but for a Canon camera, start with exiftool -SerialNumber -InternalSerialNumber -CameraSerialNumber.) If you set IPTC data automatically, you have to remember to strip it. There are micro-variations from manufacture which (supposedly) can be used to fingerprint a lens, but my expectation is that’s complex and requires some reference images. I’m prepared to re-evaluate that exposure when Moore’s Law comes along for a conversation.
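For the “remember to strip it” step, exiftool is the practical tool, but it helps to see what is actually in the file. The script below is an added example, not code from the post or from exiftool: it walks the marker segments of a JPEG (the format you would post, not the raw file), lists which metadata-carrying segments are present, decodes the ASCII tags in the Exif IFD0 and Exif sub-IFD so a body serial number (standard tag 0xA431) shows up, and writes a copy with the APP1 (Exif/XMP), APP13 (IPTC/Photoshop) and COM segments removed. The sample JPEG is constructed inline with a made-up serial number and IPTC by-line, so the script runs offline; it is a container skeleton, not a decodable image. Serial numbers buried in a vendor MakerNote live inside the APP1 payload and are removed with it, but this code does not parse MakerNotes, so use the listing as a “did the whole segment go away?” check rather than a complete inventory.

```python
"""Added example: inspect and strip identifying metadata segments from a JPEG.

Only the JPEG container is handled (marker segments up to SOS; scan data is copied
through untouched).  Raw formats such as CR2 are TIFF-based and need a different walker.
"""
import struct

# Segments that carry identifying metadata.  APP0 (JFIF), DQT, SOF, DHT, DRI are kept.
STRIP_MARKERS = {0xE1: "APP1 (Exif/XMP)", 0xED: "APP13 (IPTC/Photoshop)", 0xFE: "COM"}
EXIF_IFD_POINTER = 0x8769
SERIAL_TAGS = {0xA431: "BodySerialNumber", 0xA435: "LensSerialNumber"}  # standard Exif 2.3 tags


def iter_segments(data):
    """Yield (marker, payload) for each segment; after SOS yield ("scan", rest_of_file)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        while data[pos + 1] == 0xFF:  # skip fill bytes
            pos += 1
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI before any scan
            yield ("EOI", b"")
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield (marker, data[pos + 4:pos + 2 + length])
        pos += 2 + length
        if marker == 0xDA:  # SOS: entropy-coded data (0xFF is byte-stuffed) runs to EOI
            yield ("scan", data[pos:])
            return


def metadata_segments(data):
    """Names of identifying-metadata segments present: the 'is it clean?' check."""
    return [STRIP_MARKERS[m] for m, _ in iter_segments(data) if m in STRIP_MARKERS]


def strip_metadata(data):
    """Return a copy of the JPEG without APP1, APP13 and COM segments."""
    out = bytearray(b"\xff\xd8")
    for marker, payload in iter_segments(data):
        if marker == "scan":
            out += payload
        elif marker == "EOI":
            out += b"\xff\xd9"
        elif marker not in STRIP_MARKERS:
            out += bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    return bytes(out)


def exif_tags(app1):
    """Map tag id -> decoded ASCII value (None for non-ASCII types) for IFD0 and the Exif sub-IFD."""
    if not app1.startswith(b"Exif\x00\x00"):
        return {}
    tiff = app1[6:]
    e = "<" if tiff[:2] == b"II" else ">"
    tags = {}

    def read_ifd(off):
        (n,) = struct.unpack(e + "H", tiff[off:off + 2])
        for i in range(n):
            ent = off + 2 + 12 * i
            tag, typ, count = struct.unpack(e + "HHI", tiff[ent:ent + 8])
            if typ == 2:  # ASCII; values longer than 4 bytes are stored at an offset
                if count > 4:
                    (voff,) = struct.unpack(e + "I", tiff[ent + 8:ent + 12])
                    val = tiff[voff:voff + count]
                else:
                    val = tiff[ent + 8:ent + 8 + count]
                tags[tag] = val.rstrip(b"\x00").decode("ascii", "replace")
            elif tag == EXIF_IFD_POINTER:
                read_ifd(struct.unpack(e + "I", tiff[ent + 8:ent + 12])[0])
            else:
                tags[tag] = None

    read_ifd(struct.unpack(e + "I", tiff[4:8])[0])
    return tags


def build_sample_jpeg():
    """Constructed test input (made-up values): Exif with Make and BodySerialNumber,
    an IPTC by-line, a comment, a placeholder DQT, then a minimal SOS and scan."""
    make, serial = b"Canon\x00", b"123456789012\x00"
    ifd0_off, exif_off = 8, 8 + 2 + 2 * 12 + 4          # IFD0 has 2 entries
    make_off = exif_off + 2 + 1 * 12 + 4                # Exif IFD has 1 entry
    tiff = b"II*\x00" + struct.pack("<I", ifd0_off) + struct.pack("<H", 2)
    tiff += struct.pack("<HHII", 0x010F, 2, len(make), make_off)          # Make
    tiff += struct.pack("<HHII", EXIF_IFD_POINTER, 4, 1, exif_off) + b"\0\0\0\0"
    tiff += struct.pack("<H", 1)
    tiff += struct.pack("<HHII", 0xA431, 2, len(serial), make_off + len(make)) + b"\0\0\0\0"
    tiff += make + serial
    iptc_data = b"\x1c\x02\x50" + struct.pack(">H", 10) + b"Adam Blogs"   # 2:80 By-line
    iptc = b"Photoshop 3.0\x008BIM\x04\x04\x00\x00" + struct.pack(">I", len(iptc_data)) + iptc_data

    def seg(marker, payload):
        return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

    return (b"\xff\xd8" + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + seg(0xE1, b"Exif\x00\x00" + tiff) + seg(0xED, iptc) + seg(0xFE, b"my comment")
            + seg(0xDB, bytes(65)) + seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
            + b"\x12\x34\x56" + b"\xff\xd9")


if __name__ == "__main__":
    original = build_sample_jpeg()
    print("before:", metadata_segments(original))
    app1 = next(p for m, p in iter_segments(original) if m == 0xE1)
    for tag, val in exif_tags(app1).items():
        print("  tag 0x%04X %s = %r" % (tag, SERIAL_TAGS.get(tag, ""), val))
    cleaned = strip_metadata(original)
    print("after:", metadata_segments(cleaned))
```

Run it on a real file by replacing `build_sample_jpeg()` with `open(path, "rb").read()`; then confirm the result with exiftool, since the listing above only proves the segments are gone, not that nothing else in the file identifies you.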

Then there’s wanting to be noticed. I remember being a new blogger, and obsessively watching the stats for new links. Compulsively linking to the big bloggers in the hopes of some love. Writing articles to bait some of the carnivals. Linking back whenever someone gave me a link. If I posted the photos (or even a link here), I’d presumably get a fair number of views. Does that do anything for me? Some folks have given me really great feedback and advice, but let’s face it, giving a new photographer advice is hard. There are so many things you could say, and which ones will help them improve? Does this person take feedback well?

Is there a technological approach which might help, with a crowd of photographers who commit to jointly telling the world their nicknames if there’s a decent anonymity set? But really, isn’t that just the old saw about the dancing bear all over again? (And doesn’t it go up against what Bob Blakley was saying? More on that shortly.) So for now, I’m interested: is there a better way to frame this?

What should the new czar do? (Tanji’s Security Survey)

Over at Haft of the Spear, Michael Tanji asks:

You are the nation’s new cyber czar/shogun/guru. You know you can’t force anyone to do jack, therefore you spend your time/energy trying to accomplish what three things via influence, persuasion, shame and force of will?

I think it’s a fascinating question, and posted my answer over at the New School blog.

Hearsay podcast: Shostack on Privacy

Dennis Fisher talks with Microsoft’s Adam Shostack about the Privacy Enhancing Technologies Symposium, the definition of privacy in today’s world and the role of technology in helping to enhance and protect that privacy.

As always, a fun conversation with Dennis Fisher. Ran longer than I think either of us expected at 41:15.

And speaking of PETS, I took a bunch of photos. Should I get permission before posting them to the net? None are embarrassing or compromising. Perhaps as the organizer of a privacy conference, I should hold to a higher standard?