Archive for the ‘Jobs’ Category

Punditry: Better Security Through Diversity Of Thinking

Tuesday, October 6th, 2009 by Richard

I am honored that the kind folks at Threatpost have asked me to write for them occasionally. My first post is about better security through diversity of thinking, which was inspired by pastry chef Shuna Fish Lydon.
From her post (which I quoted in mine as well):

It is my experience that unless you push yourself really hard to stay away from your sweet spot comfort zone of I-Know-All-I-Need-To-Know-And-I-Feel-Very-Comfy-In-This-Job/Kitchen-Thank-You-Very-Much, and move kitchens or chefs or hire people who are much closer to your level than you feel comfortable having them, you will become stagnant in your baking skill and knowledge.

True for security as well. See my post for more.

Ten Years Ago: Reminiscing about Zero-Knowledge

Wednesday, September 2nd, 2009 by adam

Ten years ago, I left Boston to go work at an exciting startup called Zero-Knowledge Systems. Zero-Knowledge was all about putting the consumer in control of their privacy. Even looking back, I have no regrets. I’m proud of what I was working towards during the internet bubble, and I know a lot of people who can’t say that.

We struggled with the tremendously hard problem of privacy. We did it for something bigger and more important than ordering your groceries online. We didn’t succeed at the first business plan, or the second, but we plugged away at it, listened to prospective customers and partners, and the company is still in business and going strong as RadialPoint.

We learned an awful lot. We learned that people are awfully passionate about privacy. Hundreds of thousands of people signed up to try our software. We had a guy who called support after buying a new computer to get privacy. I remember the woman who took his call telling me how sad she was she had to get off the phone and take other calls. And we learned that what we meant when we said privacy wasn’t what other people meant.

I think too much of today’s privacy debate is wrapped up in a similarly nebulous term, identity theft. It’s hard to address a problem that’s so vague. But that’s a post about today, not about ten years ago.

We hired a lot of great people who I knew. I met a lot of great people, too. I went to work with one of them, Dave Clauson, at another startup, Reflective. I work with some of them again (Hi Christian! Hi Stefan!).

For me, the key lesson was to really drink deep of your prospective customer’s pain. To accept that they may have a label that you really understand better than them (“privacy”) and that it doesn’t matter. What matters is how they see it, and how they understand your solution. Zero-Knowledge made me skeptical of great technology as a problem solver, when the customer is asked to understand it or care. Your customers never care about your technology anymore. They care about what pain it solves.

I’d love to go back and tell myself ten years ago to love the customer better. There are other lessons. I’d love to have seized the day and some of its opportunities better. But in the end, that flight to Montreal put me on the path to where I am today.

So a huge thank you to all of our customers and prospective customers. Thank you to Ian for introducing me to Austin. Thank you, Austin and Hamnett for offering me the job. Thank you to all of my co-workers, employees and friends of the company.

Double-take Department, Madoff Division

Saturday, March 21st, 2009 by arthur

The Daily Beast has a fascinating article that is a tell-all from a Madoff employee. I blinked as I read:

The employee learned the salaries of his colleagues when he secretly obtained a document listing them. “A senior computer programmer would make $350,000, where in most comparable firms they would be getting $200,000 to $250,000….”

Senior programmers getting a quarter-mil in “comparable firms”? Comparable in what way? Other multi-billion Ponzi schemes that stole from rich suckers and charities alike? Is this another thing to be angry at AIG for? (Cue rimshot.)

I know it’s a tell-all, but tell more, tell more. Another intriguing morsel can be found in:

The employee was part of a trading group, which was able to break a security code that he says led them to a site that was supposed to be seen only by the Madoff family. It showed the profits and losses of the legitimate businesses.

The group broke the code? The person broke the code? And do tell more. Perhaps the author, Lucinda Franks, has some more details for us. Or maybe she’s saving them for a second Pulitzer.

The Twain Meeting

Friday, November 14th, 2008 by arthur


Some time ago, I was on an extended stay in Tokyo for work. When one is living there, there are things one must do, like make an effort to live up to being a henna gaijin.

I must disagree with those who translate that as “strange foreigner.” The proper translation is “crazy foreigner.” I’d never heard henna softened to strange before visiting Maiyim-Baron-sama’s web site.

One of my co-workers there was an American chap who spent at least part of his childhood on Okinawa, married a Japanese woman, and was living permanently there. He helped greatly in my craziness.

The term isn’t precisely an insult, and it isn’t precisely a compliment. If you came to lunch and two Japanese on extended stay were discussing Marlowe, Sheridan, and The Great Vowel Shift in their comic stereotypically bad accents, you’d see a bit of what henna gaijin means. Being a henna gaijin is a bit like being a dancing bear. The people watching you throw yourself into their culture are amused, a bit admiring, a bit repulsed, and a bit piteous that you might think you could succeed at any degree of assimilation.

It’s harder for a Brit to be a henna gaijin than an American because part of the craziness is the things you get wrong. Brits won’t get into the wrong side of the car or look the wrong way when crossing a street. Having to do a right-left shift along with everything else adds to the dancing-bear-ness of being a henna gaijin. Having to re-learn to read and write is also a lot of it.

However, I knew my place and threw myself into the craziness aspects. Since it’s impossible to blend in, I dressed to stand out. It was winter, so I wore a long black coat and a white silk aviator’s scarf. I came in to work in the morning with a breakfast of sushi rolls and heated cans of oolong tea (which I used as hand-warmers in my coat pockets, having left my gloves back in New England). I’d go do traditional things natives never did, such as go to the Kabuki theatre. I’d sign my name in a mix of kanji and (shock horror) hiragana.

Most importantly, I’d point out other things that were crazy. I would playfully suggest that actually “gaijin” means “barbarian.” No, no, no, no, they’d insist. I’d be amused, because it isn’t true, but the disdain gaijin get makes it closer to barbarian than a culture that has no irony is comfortable with. Brits will find themselves asking forgiveness for ever suggesting Yanks don’t do irony. Japan is an irony-free zone and when you forget this you must follow through or cause your hosts to lose face. Do not say anything like, “Oh, that sounds like the perfect way to spend a Sunday” because you will be spending your Sunday in precisely that way. If you mix irony and natto, you will get a side-splitting tale you can use for the rest of your life.

My fellow henna gaijin and I would refer to each other as firstname-kun and our colleagues as lastname-san, partially for effect (the ostentatious use of -kun) but also because gaijin call each other by their given names rather than surnames. How henna.

I also insisted that *I* was the Easterner, and they were the Westerners. My proof was simple. What direction did I go in when I came to Tokyo? East. And what direction did they go in when they went to Boston? West. Therefore, while Japan may be the land of the rising sun, that’s because it’s in the far west rather than the far east. If it weren’t in the west, the sun couldn’t rise in the east. If it were in the far east, the sun would rise overhead. QED. (And yes, the sun does rise overhead in Boston. If you don’t believe me, come find out for yourself.)

Henna gaijin.

Write Keyloggers Professionally!

Wednesday, August 20th, 2008 by mordaxus


GetAFreelancer.com has a job for you if you need some high-paid work — write a remote keylogger.

Here are the project requirements:

We need a keylogger that can be installed remotely.

Description:
The main purpose is that the user A can send an email with a program to install (example: a game or a funny program) to the person B. When the person B install the program on his computer, he is installing at the same time an invisible keylogger on his computer. Then the person A is receiving the report by email of every keystrokes that the person B is doing on his computer.

They only want to pay $250 to $750, which seems fair given that the requirements don’t include undetectability. For that low a contract price, it seems only fair to give the victim a fighting chance.

Photo “Keylogger 1.0 Beta” by soulrift.

Make Good Money Making Fake IDs

Tuesday, March 25th, 2008 by mordaxus


Or something like that. You have to know how to use a Mac and be British. Her Majesty needs you.

Welcome, Crispin!

Friday, January 18th, 2008 by adam

Michael Howard has broken the news in “Crispin Cowan joins Windows Security”:

I am delighted to announce that Crispin Cowan has joined the core Windows Security Team!

For those of you who don’t know Crispin, Crispin is responsible for a number of very well respected Linux-based security technologies such as StackGuard, the Immunix Linux distro, SubDomain and AppArmor. I’ve known Crispin for many years, and have nothing but the utmost respect for the guy. He’s well published, wicked smart, a non-zealot and brutally pragmatic. In my opinion, AppArmor is a shining example of his pragmatism: it’s simple and it works. What excites me the most is he’ll bring a different perspective to the Windows team, and I’m a big believer in stirring the pot!

Let me add my own welcome. Crispin and I have collaborated on a couple of projects, and I look forward to working with him more, and seeing what happens when he applies himself to Windows security.

[A clarification: Crispin is joining Microsoft, not Emergent Chaos (today, anyway). I remain the only MS employee blogging here, and my comments do not represent my employer. I was simply excited and wanted to share the news.]

Looking for a challenge? Life dull?

Wednesday, October 3rd, 2007 by mordaxus

If you need a change in your life, consider this job posting:

Title: IT Security Architecture Manager Needed

Company: TJX Companies

Location: Framingham, MA

Skills: Very strong technical security background in both the mainframe and distributed environments.

Term: Full Time

Pay: DOE

Length: Full Time

Detail:

TJX Companies is seeking an IT Security Architecture Manager who has at least 6 years’ experience in Information Technology; certification related to the security profession (CISSP, CISA, CISM) preferred.

Read on. If you like being the sheriff who cleans up town, this could be for you!

Movie Plot Threat No Longer a Metaphor

Wednesday, May 30th, 2007 by mordaxus


Director Mike Figgis flew into LAX airport and was detained for five hours because he oopsed. He said, “I’m here to shoot a pilot.”

On the one hand, yes indeed, on the list of things you shouldn’t say while in Immigration, “I’m here to shoot a pilot” is right up there with being careful how you greet your friend John.

But on the other hand, is the US government really filled with so many beady-eyed mouth-breathers with brains the size of cashews that it takes five hours to clear this up? And in Los Angeles, of all places? Dear God, click on the link above. It’s a Google search for “Mike Figgis.” All ten links on the first page point to the director, celebrity, and film maker Mike Figgis. Link #1 (IMDB), link #3 (filmbug.com), and link #5 (mooviees.com) all have pictures of him.

Admittedly, IMDB says he was born in Cumbria, England, and hollywood.com (link #4) says he was “Kenyan-born.” Hmmm. Highly suspicious. But filmbug says,

Born in Carlisle, England, Figgis moved to Nairobi, Kenya as a baby. He lived there until his family relocated to Newcastle in the north of England when he was eight.

And that seems to clear it up a bit. Mooviees tells us: Born: Saturday, February 28, 1948 (Carlisle, Cumbria, England, UK), and that seems to let us know that Carlisle is in Cumbria, and hey, there’s a date that might be on his passport! Wikipedia (link #2) agrees with that date, but says “Cumberland” instead of “Cumbria” and unless you’ve taken Latin, that might look suspicious as well.

So what happened? Did the dates not match properly? Did he cut the curls and go all Bruce Willis? Surely there must be some reasonable explanation. Maybe they really hated Leaving Las Vegas. Or perhaps it was that Sopranos episode. Maybe he called the Immigration agent “Sugartits.”

Tip of the hat to 27 B Stroke 6. Original article from The Guardian. Photo of the perp along with Saffron Burrows shamelessly stolen from IMDB, whom I would have linked to if they’d made it easy.

Update on 31 May 2007: This story is apparently too good to be true. Boing Boing got told by people in the know that it’s not true.

Rootkit on a Stick

Tuesday, February 27th, 2007 by mordaxus


The SnoopStick offers full realtime monitoring of another computer. It’s Vista-ready, too, which perhaps says something about Vista security, or perhaps about people who have had trouble working with Vista, or both.

Any time you want to see what web sites your kids or employees are visiting, who they are chatting with, and what they are chatting about, simply plug in your SnoopStick to any Windows based computer with an Internet connection and a USB port. SnoopStick will automatically connect to the target computer.

There is other amusing information on the web site, such as:

All SnoopStick monitoring messages are sent through our data centers, and none of the information is stored here locally at any time. Additionally, all SnoopStick messages passing through our systems are encrypted with an industry standard encryption algorithm.

Solid Oak and its employees are not able to view any SnoopStick activity sent through our networks because of the encryption used by all components of the system. You can rest assured that the information gathered by SnoopStick is only accessible by the owner of that particular SnoopStick.

What a relief! An industry-standard encryption algorithm. Wanna bet it’s in ECB mode, with known headers? And what about the IP addresses the messages are coming from, and so on? I’d love to see a security analysis of this thing. Even better would be to see what AV and anti-spyware systems will catch it, and if not, then why not?
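The point behind the ECB jab is that naming an “industry standard algorithm” says nothing about the mode of operation, and the mode is where the leak would be. The following Go program is an added illustration and not SnoopStick’s protocol or Solid Oak’s code: it uses real AES-128 from the standard library, but the key, the fixed 16-byte report header and the captured text are all constructed here. It encrypts the same monitoring-style message under ECB and under CBC with a fresh IV, then counts repeated ciphertext blocks and checks whether two reports share a recognisable first block. Under ECB the repeated keystrokes show up as repeated blocks and the known header becomes a fingerprint for every report; under CBC neither is visible without the key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed sample values for this example only (not from any real product).
var sampleKey = []byte("0123456789abcdef")   // 16-byte AES-128 key, constructed
var sampleHeader = []byte("SNOOP-REPORT-v1 ") // exactly one AES block, constructed

// pkcs7Pad pads msg to a whole number of blocks, as both modes need.
func pkcs7Pad(msg []byte, bs int) []byte {
	n := bs - len(msg)%bs
	return append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// encryptECB encrypts every block independently and with no IV, so equal
// plaintext blocks under one key always produce equal ciphertext blocks.
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	pt := pkcs7Pad(plaintext, bs)
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += bs {
		block.Encrypt(ct[i:i+bs], pt[i:i+bs])
	}
	return ct, nil
}

// encryptCBC chains the blocks under a fresh random IV; the IV is prepended
// to the ciphertext so a decryptor could recover it.
func encryptCBC(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	pt := pkcs7Pad(plaintext, bs)
	iv := make([]byte, bs)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return append(iv, ct...), nil
}

// duplicateBlocks counts how many ciphertext blocks are repeats of an
// earlier block; anything above zero leaks plaintext structure.
func duplicateBlocks(ct []byte, bs int) int {
	seen := map[string]int{}
	for i := 0; i+bs <= len(ct); i += bs {
		seen[string(ct[i:i+bs])]++
	}
	dups := 0
	for _, c := range seen {
		if c > 1 {
			dups += c - 1
		}
	}
	return dups
}

// sharesFirstBlock reports whether two ciphertexts begin identically, i.e.
// whether a fixed header makes the traffic recognisable without the key.
func sharesFirstBlock(a, b []byte, bs int) bool {
	return len(a) >= bs && len(b) >= bs && bytes.Equal(a[:bs], b[:bs])
}

func main() {
	// Constructed report: header + the same 16-byte keystroke run three times.
	report := append(append([]byte{}, sampleHeader...), bytes.Repeat([]byte("password1234567!"), 3)...)
	other := append(append([]byte{}, sampleHeader...), []byte("different keystrokes")...)

	e1, _ := encryptECB(sampleKey, report)
	e2, _ := encryptECB(sampleKey, other)
	c1, _ := encryptCBC(sampleKey, report)
	c2, _ := encryptCBC(sampleKey, other)

	fmt.Printf("ECB: %d repeated blocks, header fingerprint shared: %v\n",
		duplicateBlocks(e1, aes.BlockSize), sharesFirstBlock(e1, e2, aes.BlockSize))
	fmt.Printf("CBC: %d repeated blocks, header fingerprint shared: %v\n",
		duplicateBlocks(c1, aes.BlockSize), sharesFirstBlock(c1, c2, aes.BlockSize))
}
```

Run it and the ECB line reports two repeated blocks and a shared first block, while the CBC line reports zero and false. That is the check a reviewer would ask for before accepting “encrypted with an industry standard algorithm” as a privacy claim: not which cipher, but which mode, how IVs are chosen, and whether fixed framing is visible on the wire.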

Picture of the SnoopStick shamelessly appropriated from their web site, because I didn’t want their weblogs to get the information. It’s bad enough to write about them at all.