More Satellites Than You Can Shake a Stick At

This video is really amazingly inspiring:

Not only does it show more satellites than I’ve ever seen in a single frame of video, but the rocket that took them up was launched by the Indian Space Research Organisation, who managed to launch not only the largest satellite constellation ever, but had room for a few more birds in the launch. It’s an impressive achievement, and it (visually) crystalizes a shift in how we approach space. Also, congratulations to the team at Planet, the ability to image all of Earth’s landmass every day.

Launching a micro satellite into low Earth orbit is now accessible to hobbyists. Many readers of this blog could do it. That’s astounding. Stop and think about that for a moment. Our failure to have exciting follow-on missions after Apollo can obscure the fascinating things which are happening in space, as it gets cheap and almost boring to get to low Earth orbit. The Economist has a good summary. That’s not to say that there aren’t things happening further out. This is the year that contestants in the Google Lunar XPrize competition must launch. Two tourists have paid a deposit to fly around the moon.

But what’s happening close to the planet is where the economic changes will be most visible soon. That’s not to say it’s the only thing to watch, but the same engines will enable more complex and daring missions.

For more on what’s happening in India around space exploration and commercialization, this is a fascinating interview with Susmita Mohanty.

Video link: ISRO PSLV-C37 onboard camera view of 104 satellites deployment

Journal of Terrorism and Cyber Insurance

At the RMS blog, we learn they are “Launching a New Journal for Terrorism and Cyber Insurance:”

Natural hazard science is commonly studied at college, and to some level in the insurance industry’s further education and training courses. But this is not the case with terrorism risk. Even if insurance professionals learn about terrorism in the course of their daily business, as they move into other positions, their successors may begin with hardly any technical familiarity with terrorism risk. It is not surprising therefore that, even fifteen years after 9/11, knowledge and understanding of terrorism insurance risk modeling across the industry is still relatively low.

There is no shortage of literature on terrorism, but much has a qualitative geopolitical and international relations focus, and little is directly relevant to terrorism insurance underwriting or risk management.

This is particularly exciting as Gordon Woo was recommended to me as the person to read on insurance math in new fields. His Calculating Catastrophe is comprehensive and deep.

It will be interesting to see who they bring aboard to complement the very strong terrorism risk team on the cyber side.

Open Letters to Security Vendors

John Masserini has a set of “open letters to security vendors” on Security Current.

Everyone involved in product or sales at a security startup should read them. John provides insight into what it’s like to be pitched by too many startups, and provides a level of transparency that’s sadly hard to find. Personally, I learned a great deal about what happens when you’re pitched while I was at a large company, and I can vouch for the realities he puts forth. The sooner you understand those realities and incorporate them into your thinking, the more successful we’ll all be.

After meeting with dozens of startups at Black Hat a few weeks ago, I’ve realized that the vast majority of the leaders of these new companies struggle to articulate the value their solutions bring to the enterprise.

Why does John’s advice make us all more successful? Because each organization that follows it moves towards a more efficient state, for themselves and for the folks who they’re pitching.

Getting more efficient means you waste less time per prospect. When you focus on qualified leads who care about the problem you’re working on, you get more sales per unit of time. What’s more, by not wasting the time of those who won’t buy, you free up their time for talking to those who might have something to provide them. (One banker I know said “I could hire someone full-time to reject startup pitches.” Think about what that means for your sales cycle for a moment.)

Go read “An Open Letter to Security Vendors” along with part 2 (why sales takes longer) and part 3 (the technology challenges most startups ignore).

What’s Copyright, Doc?

I blogged yesterday about all the new works that have entered the public domain as their copyright expired in the United States. If you missed it, that’s because exactly nothing entered the public domain yesterday.

Read more — but only commentary, because there’s no newly free work — at “What Could Have Entered the Public Domain on January 1, 2014?

It’s near-impossible to see how our insanely long copyright terms, or their never-ending extensions encourage Dr. Seuss, Ayn Rand, Jack Kerouac or Ian Fleming to keep producing new work. Those authors have been richly rewarded for their work. But it’s easy to see how keeping those works under copyright reduces creative re-use of our collective cultural heritage.

What Price Privacy, Paying For Apps edition

There’s a new study on what people would pay for privacy in apps. As reported by Techflash:

A study by two University of Colorado Boulder economists, Scott Savage and Donald Waldman, found the average user would pay varying amounts for different kinds of privacy: $4.05 to conceal contact lists, $2.28 to keep their browser history private, $2.12 to eliminate advertising on apps, $1.19 to conceal personal locations, $1.75 to conceal the phone’s ID number and $3.58 to conceal the contents of text messages.

Those numbers seem small, but they’re in the context of app pricing, which is generally a few bucks. If those numbers combine linearly, people being willing to pay up to $10 more for a private version is a very high valuation. (Of course, the numbers will combine in ways that are not strictly rational. Consumers satisfice.

A quick skim of the article leads me to think that they didn’t estimate app maker benefit from these privacy changes. How much does a consumer contact list go for? (And how does that compare to the fines for improperly revealing it?) How much does an app maker make per person whose eyeballs they sell to show ads?

Lunar Oribter Image Recovery Project

The Lunar Orbiter Image Recovery Project needs help to recover data from the Lunar Orbiter spacecraft.

Frankly, it’s a bit of a disgrace that Congress funds, well, all sorts of things, over this element of our history, but that’s besides the point. Do I want to get angry, or do I want to see this data preserved? Yes to both.

First View of Earth from Moon
That’s why I’ve given the project some money on Rockethub, and I urge you to do the same.

Should I advertise on Twitter?

Apparently Twitter sent me some credits to use in their advertising program. Now, I really don’t like Twitter’s promoted tweets — I’d prefer to be the customer rather than the product. (That is, I’d like to be able to give Twitter money for an ad-free experience.)

At the same time, I’m curious to see how the advertising system works. I’d like to understand it and blog about it, but Twitter would like to maintain confidentiality around the program. They’re engaged in white-hot competition with Facebook and Google to be the new advertising platform of the future. At the same time, it’s less transparency than the exceptionally high bar that Twitter has generally aspired to.

That said with the launch of Control-Alt-Hack, my collaborators have stuff to sell and give away. (Not to mention maybe a sales bump for The New School of Information Security?) Or maybe I could promote other books that I think people should read, like “Thinking, Fast and Slow“). Does the nature of what I’m advertising change the calculus? Would advertising the giveaway make it different?

Then again, I do lots of “advertising” on Twitter already–I advertise the book, the game, blog posts, ideas I like. Does paying to bring them to more people dramatically change the equation?

Interestingly (and I think this is something that can be discussed, because it’s visible), I’m offered the chance to promote both tweets and myself.

I’d be really interested in hearing from readers about how I should take advantage of this, and if I should take advantage of it at all.

Taxpayers Stuck With Tab, but not in Seattle

In an article with absolutely no relevance for Seattle, the New York Times reports “With No Vote, Taxpayers Stuck With Tab on Bonds.” In another story to which Seattle residents should pay not attention, the city of Stockton is voting to declare bankruptcy, after risking taxpayer money on things like a … sports arena.

Of course, in Seattle, blah blah it’ll be so profitable, that it’ll make us a world class city while unlocking a stream of buzzwords and nonsense.

No, really. That seems to be the level of public discourse right now. The taxpayers of the region are being asked to pony up as much as 400 million bucks to help a hedge fund manager offload risk. That strikes me as doubly unwise. First, there’s lots of better ways we could allocate a possible $400 million dollars of spending. Second, when making a deal with a hedge fund manager to take risk, you should look for the sucker in the deal. It’s unlikely to be the hedge fund.

Washington State Frees Liquor Sales: some quick thoughts

I hate to let an increase in liberty go by without a little celebration.

For the past 78 years, Washington State has had a set of (effectively) state-operated liquor stores, with identical pricing and inventory. Today, that system is gone, replaced by private liquor sales. The law was overturned by a ballot initiative, heavily backed by Costco.

This is an interesting experiment in letting a little chaos emerge. Unfortunately, it’s not really a transition to a free market, since there are all sorts of licensing restrictions on who may trade in the demon rum. However, there will initially be about 5 times as many legal retailers as were previously present.

The transition is going to be messy. There’s lots of licensed retailers who haven’t obtained inventory. There’s a thousand people who were voted out of their jobs. Change is often messy.

After the transition, I expect prices will be roughly the same because of taxes and fees. What I expect will be much better is the selection and variety, especially of locally produced products from folks like Oola and Pacific Distillery. Many of those businesses were seriously inhibited by the complex and chummy system that was present.

I also expect surprise and look forward to it.

So raise a toast to the slow unwinding of a very silly system of prohibition.

How to get my vote for the ACM Board

I’m concerned about issues of research being locked behind paywalls. The core of my reason is that research builds on other research, and wide availability helps science move forward. There’s also an issue that a great deal of science is funded by taxpayers, who are prevented from seeing their work. One of the organizations which locks science behind a paywall is the ACM. As it turns out, the ACM is having elections, and I’m a member, so I thought maybe I could usefully vote on this issue. So I went to the ACM website to see what’s being said on it. Here’s what I had to go through to find the answer:

  • Are the elections important enough to be listed on the home page? Apparently not.
  • Maybe it’s an issue of importance to the ACM Membership? Nah.
  • Maybe I can find something about it on ACM US? That’s actually the “public policy” arm.
  • So perhaps it’s a matter of who will be on Boards and Committess? No, that points to this page, which is highly informative.
  • Maybe it’s under MyACM? Nope
  • Ahhh! Finally, it’s under Membernet: here

And it turns out that there’s no one running for the board of the ACM who’s running on open access issues. That’s too bad.

So let me be very clear. I’m a one-issue voter for academic societies. I believe that open access to science is a key part of everything that these societies should be doing, and it’s the only part that involves change to the business, and thus controversey.

If you want my vote, run on an open access platform.

(If you’re not familiar with the arguments for open access, see The Open Access Pledge site, The Cost of Knowledge site, or this faculty memo from the library of a small college in Cambridge, Mass.)

[Update: Don’t miss the comment by Brighten Godfrey, who’s been reaching out to the candidates, and gathering their positions.]

It’s a Lie: Seattle Taxpayers Will Pay for a Staduim

The Seattle Times carries a press release: “Arena plan as solid as it looks?

The intricate plan offered for an NBA and NHL arena in Sodo hinges on the untested strategy of building a city-owned, self-supporting arena, without the aid of new taxes, and with team owners — not taxpayers — obligated to absorb any losses.

This not only a lie, it is a blatant lie, contradicted by statements later in the article:

…Seattle and King County would finance $200 million — likely in bonds — to cover construction costs. The city would recoup its money through lease payments and the taxes on everything from tickets to concessions from the arena.

Let me translate that into plain English. The taxpayers of Seattle and King County would sign a bond. We’d be obligated to pay it back if or when the Supersonics new team leaves town. Also, let me comment that the use of “would” is inaccurate. The word that the writers sought and were unable to come up with is “might”, as in: “the city might recoup its money…”

One more quote:

It’s hard to argue against the idea of an arena that pays for itself.

It’s even harder to guarantee it, though.

Actually, it’s easy to guarantee that the arena pays for itself, or at least that the taxpayers don’t pay for it. The builders finance the arena. See how easy that is? They issue the bonds, they reap the profits. Then the people of Seattle and King county are guaranteed to not be on the hook.

Pretty simple, if the Seattle Times would stop relaying lies about who’s on the hook for bonds issued by Seattle or King County.

Look, while I’m opposed to having to sit in traffic for yet more sporting events, I shouldn’t have a say in how these folks spend their money. The arena backers should feel free to spend their money, plus as much as anyone will loan them, to build a stadium, buy a team, or hold a parade. That’s what freedom is about. But the people of Seattle should not carry any of the risk. The money should be entirely private.

Maybe the plan can’t work without Seattle bearing some of the risk. If that’s the case, that’s because this isn’t the sure thing that its backers want us to think. It means that the bankers see this as a risky thing, and want to transfer that risk to some sucker. I don’t want to be the sucker who’s paying for a failed deal. Do you?

Threat Modeling and Risk Assessment

Yesterday, I got into a bit of a back and forth with Wendy Nather on threat modeling and the role of risk management, and I wanted to respond more fully.

So first, what was said:

(Wendy) As much as I love Elevation of Privilege, I don’t think any threat modeling is complete without considering probability too.
(me) Thanks! I’m not advocating against risk, but asking when. Do you evaluate bugs 2x? Once in threat model & once in bug triage?
(Wendy) Yes, because I see TM as being important in design, when the bugs haven’t been written in yet. 🙂

I think Wendy and I are in agreement that threat modeling should happen early, and that probability is important. My issue is that I think issues discovered by threat modeling are, in reality, dealt with by only a few of Gunnar’s top 5 influencers.

I think there are two good reasons to consider threat modeling as an activity that produces a bug list, rather than a prioritized list. First is that bugs are a great exit point for the activity, and second, bugs are going to get triaged again anyway.

First, bugs are a great end point. An important part of my perspective on threat modeling is that it works best when there’s a clear entry and exit point, that is, when developers know when the threat modeling activity is done. (Window Snyder, who knows a thing or two about threat modeling, raised this as the first thing that needed fixing when I took my job at Microsoft to improve threat modeling.) Developers are familiar with bugs. If you end a strange activity, such as threat modeling, with a familiar one, such as filing bugs, developers feel empowered to take a next step. They know what they need to do next.

And that’s my second point: developers and development organizations triage bugs. Any good development organization has a way to deal with bugs. The only two real outputs I’ve ever seen from threat modeling are bugs and threat model documents. I’ve seen bugs work far better than documents in almost every case.

So if you expect that bugs will work better then you’re left with the important question that Wendy is raising: when do you consider probability? That’s going to happen in bug triage anyway, so why bother including it in threat modeling? You might prune the list and avoid entering silly bugs. That’s a win. But if you capture your risk assessment process and expertise within threat modeling, then what happens in bug triage? Will the security expert be in the room? Do you have a process for comparing security priority to other priorities? (At Microsoft, we use security bug bars for this, and a sample is here.)

My concern, and the reason I got into a back and forth, is I suspect that putting risk assessment into threat modeling keeps organizations from ensuring that expertise is in bug triage, and that’s risky.

(As usual, these opinions are mine, and may differ from those of my employer.)

[Updated to correct editing issues.]

“Pirate my books, please”

Science fiction author Walter John Williams wants to get his out of print work online so you can read it:

To this end, I embarked upon a Cunning Plan. I discovered that my work had been pirated, and was available for free on BitTorrent sites located in the many outlaw server dens of former Marxist countries. So I downloaded my own work from thence with the intention of saving the work of scanning my books— I figured I’d let the pirates do the work, and steal from them. While this seemed karmically sound, there proved a couple problems.

Read more in “Crowdsource, Please.”

I’d like some of that advertising action

Several weeks back, I was listening to the Technometria podcast on “Personal Data Ecosystems,” and they talked a lot about putting the consumer in the center of various markets. I wrote this post then, and held off posting it in light of the tragic events in Japan.

One element of this is the “VRM” or “vendor relationship management” space, where we let people proxy for ads to us.

As I was listening, I realized, I’m in the market for another nice camera. And rather than doing more research, I would like to sell the right to advertise to me. There’s a huge ($59B?) advertising market. I am ready to buy, and if Fuji had shipped their #$^&%^ X100, I was about ready to buy it. But even before the earthquake, they were behind in production, and I’m ready to buy. So I could go do research, or the advertisers could advertise to me. But before they do, I want a piece of that $59B action.

I don’t want to start a blog. (Sorry, Nick!). I don’t want to sell personal information about me. I want another nice camera. How do I go about accepting ads into this market?

I’m willing, by the way, to share additional information about my criteria, but I figure that those have value to advertisers. Please send in your bids for the answers to specific questions. Please specify if your bids are for exclusive, private, or public answers. (Public answers prevent others from gathering exclusive market intelligence, and are thus a great strategic investment.)

So, dear readers, how do I get a piece of the action? How do I cash in on this micro-market?

If I get a highly actionable answer, I’ll share 25% of the proceeds of the advertising with whomever points me the right way.