Interesting Tidbits (Adam)

  • John Gruber has an interesting article on the economics of being a one-man software shop, “The Life.” He uses the case of Brent Simmons and NetNewsWire to shed light on why the life of a small software development shop is so hard.
  • Jeff Veen of Adaptive Path has announced “MeasureMap,” a new blog-focused log analysis program. I currently use AWStats, and it’s not great for blogs. It doesn’t help me see where links come from and go, and it doesn’t give me good indications of spikes, trends, or context. So I look forward to seeing MeasureMap.
  • Bruce Schneier pointed to a lovely story about a French fraudster with panache:

    During the final call he asked for the names of her six richest customers. When she revealed them, he said that one was involved in financing terrorism and was about to withdraw a large sum.

    Gilbert then demanded all the cash at the bank so he could mark the notes with microchips and keep track of the terrorist. A total of €358,000 was to be put in a briefcase and slipped under the door of a brasserie lavatory. The manager did as she was told. The money disappeared.

  • Tom Ptacek explains how Sarbox interacts with security vulnerability announcements in “Today’s Contribution To ‘Vulnerability Science.’”

  • Ian Grigg points out that Ben Laurie is blogging. Ben is taking issue with Kim Cameron’s “Laws of Identity.” It should be interesting to watch.

Small Bits: Alex Haislip, Chinese Censorship, TSA Xrays

  • Alex Haislip is blogging up a storm at VC Action. I love journalist bloggers; there’s so much interesting backstory that they talk about. And working at Red Herring, Alex has more dirt than he could dish and stay in business. 😉

  • Curt Hopkins points to a fascinating story about the folks who run the great firewall of China, translated from Chinese. I was going to comment on it, but Rebecca MacKinnon comes along and says not only what I was thinking, but a whole lot more, and more insightfully:

    But as with many Chinese news stories, the conclusion is less interesting than the debate raging within the body of the article. And what the article reveals is that there is a lot of pushing back and forth amongst the various players when it comes to the future of Chinese cyberspace. Internet entrepreneurs like the CEO of Fang Xingdong come out against proposals that Chinese internet users must register their real identities at all times. The internet portal sites conducted surveys showing that their customers (not surprisingly) favor online anonymity…

  • Bruce Schneier points to new research that may obviate any justification for the TSA to look through your clothes:

    Here’s a piece of interesting research out of Ohio State: it’s a passive sensor that could be cheaper, better, and less intrusive than technologies like backscatter X-rays:

    “Unlike X-ray machines or radar instruments, the sensor doesn’t have to generate a signal to detect objects – it spots them based on how brightly they reflect the natural radiation that is all around us every day.”

    “It’s basically just a really bad tunnel diode,” he explained. “I thought, heck, we can make a bad diode! We made lots of them back when we were figuring out how to make good ones.”

New Blog Pointers

Frequent commenter Allan Friedman has started Geek/Wonk. In “Speaking of duct tape,” he links to an interesting essay, “Duct Tape Risk Communication.”

And Mario’s comments on Tor vs. the Freedom Network are interesting:

Interestingly, the usability issues are _exactly_ the same as they were ~5 years ago! It’s sometimes s-l-o-w!

While I agree with this, I think there’s an interesting twist: Tor, having no visible user interface, is less likely to become associated with slowness. The Freedom client, in contrast, told you it was doing stuff, and, in hindsight, I think this may have been a problem.

(PS: Mario, you need an RSS feed.)

David Cowan Blogging

David Cowan (Hi David!) is the partner at Bessemer Ventures who is responsible for their security portfolio. So I’m hoping that he sticks with his new blog, “Who has time for this.”

His post, “Too Many Security Startups?”, is fascinating:

The night I closed our investment in my 12th data security deal, Cyota, my wife Nathalie took me to see the Bourne Supremacy in Mountain View. On the way, she asked why I seem to keep investing in what sounds like the same company over and over.

His answer goes beyond the obvious “Because people keep buying them!” and explains why that is, and why it will continue to be that way.

(Via Brad Feld.)

New Security Blogs

  • Jeff Moss takes blogging into thematically and visually new territory with The Black Pages, with Jeff posting on a theme, and then his speakers adding details. Now if only they had an RSS feed. Or my post. I wonder which they’ll get first?
  • I have a soft spot for the word “chaos.” I like the ‘K’ sound at the front. I like that it’s short. To the point. So how could I not like a blog titled “Kaos Theory?” Even if Tyler Taylor wasn’t a smart guy, I’d like the title. But he is smart. [And he can spell.] And you should check it out.

Small Bits of Chaos: Hal Stern, Lexis-Nexis Hackers, UK ID Cards, Bolton

  • Hal Stern has a blog! Hi, Hal!
  • Wired News has a long story, “Database Hackers Reveal Tactics,” about the kids who broke into Lexis-Nexis. There are some interesting bits. Most interesting to me is that none of these kids seem to have lawyers telling them to shut up.
  • The BBC has an article on British reactions to ID cards:

    A German diplomat told me: “Nobody thinks about it, nobody questions it… if you’re in trouble, you just show it… we don’t mind giving information if it’s necessary.”

    the independent Information Commissioner, Richard Thomas…said the phenomenon had “a strong continental European flavour”, citing the example of communist east Europe and fascist Spain in the 20th century.

    What is clear, though, is that for Tony Blair the introduction of identity cards is a key part of establishing his political legacy before he steps down as prime minister. Cynics might say that is the real business requirement.

  • The Counterterrorism Blog has a fascinating post on “BOLTON AND THE ART OF COOKING INTELLIGENCE:”

    No one really appreciates what Bolton tried to do to the NIO for Latin America (NIO/LA). I have been privileged to know the NIO/LA for almost 19 years. He was my predecessor as the Honduran analyst and helped me learn the ropes and set the standard for doing good analysis. He is one of the best and brightest within the analytical community. Yet he has been vilified by some. I never cease to be amazed that a man like the NIO/LA, who started off in Washington working for a Republican Congressman, can be vilified by Republicans as some sort of liberal, Democratic activist.

Small Bits of Chaos: Airports, Junk Mail and Employment Law (Context-free)

  • Scared Monkeys asks “Could Iris Scanning be Coming To an Airport Near You?” (As if the TSA hadn’t wasted enough money on machines that don’t work, or seizing Zippo lighter cameras.) Maybe the camera in their iris scanner was busted?
  • New blog “The Dunning Letter” claims to be from a long-time junk mailer, now repentant.

    So, how do we solve the problem? I’ll tell you how. Congress must pass federal legislation, giving consumers 100% control over the use of their name and personal information. Don’t you think your own privacy is something that should be solidly under your jurisdiction? And don’t you believe you should share in the $4 billion junk mailers make annually from the sale of your name and private data? Your answer should be a resounding YES to both questions.

  • Corporate Counsel lists “The 10 Most Bizarre Employment Cases of 2004.”
  • TK at NCircle blogs about “Context is Mandatory.” (Hi, TK!) While I was reading that, in another window, I was searching for a good definition of Chartjunk. Tufte discusses context as key to explaining data, and there’s this great quote:

    “Lurking behind chartjunk is contempt both for information and for the audience. Clarity and simplicity are the complete opposite of simple-mindedness. Data-thin, forgetful displays move viewers toward ignorance and passivity.”

Well, Hello Nurse!

The fine folks over at NCircle seem to have been given a directive from on high: Let there be blogs! And there were. And ncircle saw, and they were good. And someone said, let the bloggers be prolific, and behold, they were, with 18 or more posts in 5 days.

Great coverage of CanSecWest, and oooh, look, mmurray was in my talk at Security Leadership. (I agree with his summary. I was trying to deliver common sense, not anything earth-shattering. I’d love your thoughts on the second half, about pushing for more secure code, mmurray? Again, I was aiming for common-sensical, but was it effective?)

And where’s my man TK? If I don’t get some TK blogging, the little clock man gets it.

Zabbo Blogs (again!)

I’m very excited to discover that my friend Zach Brown is blogging again. Zach was one of a group of friends who introduced me to blogs in, maybe, late ’99? Early 2000? He’d been on hiatus, and I’m glad he’s back. But I realized that my excitement felt a little odd, and so I’ve been thinking about it.

About a year ago, I actually read Alvin Toffler’s Future Shock, which is a classic in the sense that everyone pretends to have read it. One of the themes that resonates with me is the psychological impact of repeatedly changing jobs and cities, which leaves people with a lack of grounding in the place they live. Toffler discusses professionals who are more in touch with, and at home with, a distributed network of professional colleagues whom they see at conferences than they are with their neighbors.

He also discusses the difficulty of staying in touch with increasingly scattered groups of friends: the things we do to stay friends become harder to accomplish as it becomes hard to coordinate a group of friends to be in the same place at the same time.

I suspect that deep down, the psychological benefits of physical proximity for relationship management help people trump the awful commutes, taxes, and other disadvantages of living in Silicon Valley.

I can’t help but mention that Chris Allen has been writing quite insightfully about these issues in posts like “Dunbar Triage: Too Many Connections.”

Arriving here, I’m forced to examine my excitement that Zach is blogging again. On the one hand, I am genuinely happy to have insight, however small, into his life. At the same time, I miss having dinner with him and others whose company I enjoyed in Montreal.

PS: I’ve discovered that an acquaintance has set up an Amazon Associates account to contribute to my Alma Mater. Does anyone know how I can construct book URLs so that they take advantage of that account?


Speaking of distributed innovation, the Open Source Vulnerability Database is a great project, dedicated to accumulating deep technical knowledge about computer security vulnerabilities, and making it freely available. And now it turns out, they have a blog! Mark Ward has an interesting article, “Predicting Vulnerabilities, Quotes and more.”

When the patch comes out, many people will reverse engineer it to figure out the vulnerability as most of us know. On the same note, like the exploits, IDS signatures follow the exploits that follow the patches. So if an unpatched ‘0-day vulnerability’ is being exploited, how do we know? There will be a significantly lower chance of detecting such an attack to know this statement is true.

(I’ve offered a way to test this in “Proof Of Concept Code, Boon or Bane,” and “Microsoft pre-warning of patches.”)


I’ve added Screendiscussion to the blogroll. I don’t always agree with Geoff, but he seems insightful, interesting, and genuinely willing to grapple with the questions that his profession raises. He also writes actual posts, rather than running a clipblog.

For example, this morning’s post is “Background Checks Must Be Relevant,” and points out a case where people’s medical background was dug into so that they could rent space at an airport.

They also say the checks went above and beyond federal security requirements, and they admit the county had no written guidelines for what information would disqualify a person from doing business at the airport.

Also, I’ve removed Abusable Tech, for inactivity. I think I’m going to aim to emulate Kip Esquire’s Elite Eleven. I like the idea of a short blogroll. Maybe the security score?