The Unanimous Declaration of the Thirteen United States of America


In CONGRESS, July 4, 1776

The unanimous Declaration of the thirteen united States of America,

When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which the Laws of Nature and of Nature’s God entitle them, a decent respect to the opinions of mankind requires that they should declare the causes which impel them to the separation.

We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness. –That to secure these rights, Governments are instituted among Men, deriving their just powers from the consent of the governed, –That whenever any Form of Government becomes destructive of these ends, it is the Right of the People to alter or to abolish it, and to institute new Government, laying its foundation on such principles and organizing its powers in such form, as to them shall seem most likely to effect their Safety and Happiness. Prudence, indeed, will dictate that Governments long established should not be changed for light and transient causes; and accordingly all experience hath shewn, that mankind are more disposed to suffer, while evils are sufferable, than to right themselves by abolishing the forms to which they are accustomed. But when a long train of abuses and usurpations, pursuing invariably the same Object evinces a design to reduce them under absolute Despotism, it is their right, it is their duty, to throw off such Government, and to provide new Guards for their future security. —Such has been the patient sufferance of these Colonies; and such is now the necessity which constrains them to alter their former Systems of Government. The history of the present King of Great Britain [George III] is a history of repeated injuries and usurpations, all having in direct object the establishment of an absolute Tyranny over these States. To prove this, let Facts be submitted to a candid world.

Continue reading

RSA: Time for some cryptographic dogfood

One of the most effective ways to improve your software is to use it early and often.  This used to be called eating your own dogfood, which is far more evocative than the alternatives. The key is that you use the software you’re building. If it doesn’t taste good to you, it’s probably not customer-ready.  And so this week at RSA, I think more people should be eating the security community’s cryptographic dogfood.

As I evangelize the use of crypto to meet up at RSA, I’ve encountered many problems, such as choice of tool, availability of tool across a set of mobile platforms, cost of entry, etc.  Each of these is predictable, but with dogfooding — forcing myself to ask everyone why they want to use an easily wiretapped protocol — the issues stand out, and the companies that will be successful will start thinking about ways to overcome them.

So this week, as you prep for RSA, spend a few minutes to get some encrypted communications tool. The worst that can happen is you’re no more secure than you were before you read this post.

P0wned! Don’t make the same mistake I did

I fell victim to an interesting attack, which I am recounting here so that others may avoid it.

In a nutshell, I fell victim to a trojan, which the malefactor was able to place in a trusted location in my search path. A wrapper obscured the malicious payload. Additionally, a second line of defense did not catch the substitution. I believe the attackers were not out to harm me, but that this trojan was put in place partially for lulz, and partially to allow a more-important attack on the systems RBAC mechanisms to succeed.

Attack Details

I was attempting to purchase a six pack of New Belgium Rampant IPA, shown immediately below.


I obtained the six pack from the canonical location in the system – a reach-in refrigerator in the supermarket’s liquor aisle. I proceeded to the cashier, who rang up my purchase, bagged it, and accepted payment.

I realized upon arrival home, that this was a trojan six pack, as seen below:


Clearly, the attacker to care to make his payload look legitimate. What I noticed later, was the subtle difference I zoom in on below




Yes, the attacker had substituted root beer for real beer.

Needless to say, this was a devious denial of service, which the perpetrators undoubtedly laughed about. However, this was likely not just “for the lulz”. I think this was the work of juvenile attackers, whose motives were to defeat the RBAC (real beer access control) system. Knowing that a purchase of real beer would be scrutinized closely, I believe they exfiltrated the target beer by hiding it in a root beer package.

Mitigations put in place by the system did not catch this error – the cashier/reference monitor allowed the purchase (and likely, the offsetting real beer as root beer purchase).

Possible Countermeasures

The keys to this attack were that the trojan was in the right place in the search path, and that it appeared legitimate. Obviously, this location must be readable by all, since items need to be fetched from it. However, allowing items to be placed in it by untrusted users is a definite risk. Technical constraints make the obvious countermeasure — allowing only privileged stocking, while permitting “world” fetching — presents serious usability concerns, and increases system cost, since the privileged stocker must be paid.

Nonetheless, such countermeasures are in place for certain other items, notably where the cost to the system — as opposed to the user — of an illicit item substitution is quite high.

Lessons learned

Ultimately, system usability and cost tradeoffs put the onus on the end-user. Before taking a non-idempotent step, inspect the objects closely!

Please vote for the social security blogger awards!

Alan Shimmy has the nominations for the 2014 Social Security bloggers award!

New School has been nominated for most entertaining, while Emergent Chaos has been nominated for best representing the security industry and the hall of fame.

Now, I have no idea what it means that Emergent Chaos would represent the security industry. I’m hopeful that it’s intended as a complement.

What will the archaeologists think?

Over at the BBC, we read that the “home of Anakin Skywalker threatened by dune,” with awesome pictures:

So my question is, what will archaeologists think in 1,000 years when they dig this up? How many careers will be wasted trying to link the bizarre architecture to some real culture? How many anthropologists will be confused by the strange objects they find?

I hope someone has at least left them a note.

Which and That

Can we just agree that “which” and “that” are pretty much interchangable? If you’re relying on a modern audience to be able to perceive the difference in meaning between restrictive and non-restrictive clauses, you’ve pretty much already lost.

Which, as they say, makes a mockery of that rule.

Alternately, “That, as they say, makes a mockery of that rule.”

Alternately, “That, as they say, makes a mockery of which rule.”

I think we may be taking this too far.

2013 PET Award for Outstanding Research in Privacy Enhancing Technologies

You are invited to submit nominations to the 2013 PET Award.

The PET Award is presented annually to researchers who have made an outstanding contribution to the theory, design, implementation, or deployment of privacy enhancing technology. It is awarded at the annual Privacy Enhancing Technologies Symposium (PETS).

The PET Award carries a prize of 3000 USD thanks to the generous support of Microsoft. The crystal prize itself is offered by the Office of the Information and Privacy Commissioner of Ontario, Canada.

Any paper by any author written in the area of privacy enhancing technologies is eligible for nomination. However, the paper must have appeared in a refereed journal, conference, or workshop with proceedings published in the period from April 16, 2011 until March 31, 2013.

The complete Award rules including eligibility requirements can be found at

Anyone can nominate a paper by sending an email message containing the following to

  • Paper title
  • Author(s)
  • Author(s) contact information
  • Publication venue and full reference
  • Link to an available online version of the paper
  • A nomination statement of no more than 500 words.

Thoughts on the Tragedies of December 14th

I started this post on December 14th, and couldn’t finish it. I’m going to leave the opening as I wrote it then: By now, everyone has heard of the tragic school shooting in Connecticut. My heart goes out to everyone touched by the events. But this isn’t the first school shooting on a December 14th. I went to a tiny school, Simon’s Rock, and on December 14, 1992, Wayne Lo murdered my friend Galen Gibson and Professor Ñacuñán Sáez. He also shot my friend Tom McElderry. I can still remember the phone call from my friend Chi, telling me that Tommy had been shot and was in the hospital. I remember being up all night, spreading what little information we had by phone, and wondering what the hell was going on. I remember that weeks later, I’d get emails from co-workers whose local papers in places like Japan finally carried the story. For years after, I took December 14th as a day off, because it was hard to handle life with that weighing on you.

It’s a sad reality that we now have enough school shootings that one of them was going to fall on an anniversary of another. (Statisticians call this the birthday problem.) It’s also a sad reality that we have enough of them that schools, police and emergency responders have plans for them.

What a fucking world.

Some people like to say things like “time heals all wounds,” but you know? Greg Gibson isn’t going to get his son back. Ñacuñán’s family isn’t going to get him back. And twenty or more families in Sandy Hook will never again be the same. I’m having trouble editing this more than a month later because of how the memories flood back.

All that to say that I have some understanding of these events, and I think I can talk about them differently than a random observer.

A lot of people are using this tragedy to say we need gun control. I understand where they’re coming from, and I disagree. We’ve had a lifetime of marijuana control, and it didn’t work. We suffered under crypto controls, and they didn’t work. Assholes who want a gun will likely to be able to get a gun whatever regime we put in place. There’s some truth to the claim that if guns are outlawed, only outlaws will have guns. Maybe we’d gain some ability to catch these nuts early, but maybe not. Those who say that easy availability of guns drives murder rates must do better than simply cherry picking data. What makes the US worse than Switzerland or Israel?

Yesterday, the President outlined a set of proposals including expanded background checks, and signed executive actions including one to “encourage federal agencies and state governments to share more information.” And now I find it hard to speak, and hard to remain silent.

Infringing privacy would not have stopped the events at Sandy Hook, and I worry that reducing privacy around mental health care is going to deter people who need health care from getting it. That may mean that more people will end up hurt or dead. I’m confident that no one wants that, and we need to rationally consider the tradeoff.

I also see a lot of people who are worried about gun control being so strident that they’re undercutting their own case. I agree that gun control is a poor response, and I think the NRA are coming off like a bunch of idiots. I’m trying not to be strident, just add a voice to say that even from a position of grief, it’s possible to see that what’s proposed probably will not meet the goals.

I don’t know what we should do. I do think that taking the entire TSA budget and moving it to mental health care would be a fine start.

Another fine way to proceed would be to threat model and try to judge the efficacy of the mitigation techniques. (For those who don’t know me, I spent a few years designing threat modeling tools and techniques which you can read about here.) Perhaps that starts from data on how people who use guns to hurt themselves or others get them. There’s an easy trope of “buys a gun and shoots someone.” Is that because it’s common, or because the stories are highly “available” and spring to mind? I don’t know, and in that vein, more studies of gun ownership and gun violence are probably going to help. Whatever approach to threat modeling we take should also include the hundreds of millions of guns owned by hundreds of millions of people and not misused.

We can and should do better than bringing back ideas that didn’t pass muster in calmer times. We should be cautious about trading a little liberty for a little safety. And whatever we do, we should do so respectful of the victims.

Comments are closed.

Test post

Over the summer, Adam and I were talking and I said that I’d like a place to do some personal blogging as opposed to things I normally do, which are targeted at one place or another.

I’d like to be able to blither about security, but also about whatever. Photography, cooking, you know, things that most people who blog blog about.

We set this up and I have finally gotten around to making a test post.

So thank you, Adam and the rest of the jazz combo. I’m Jon Callas, and I’m on bari sax and english horn.

An Argument Against Jargon

Lately I’ve been savoring Kahneman’s “Thinking, Fast and Slow”. Kahneman is one of the originators of behavioral economics and a Nobel prize winner. The book is tremendously thought provoking, insanely well written, jargon-minimizing, and just comes together beautifully. It’s a book where you struggle with the ideas and their implications, rather than struggle through the prose to get to the ideas.

One of the little things that made me squee with delight was where he said:

Why call them System 1 and System 2 rather than the more descriptive “automatic system” and “effortful system”? The reason is simple: “Automatic system” takes longer to say than “System 1” and therefore takes more space in your working memory. This matters, because anything that occupies your working memory reduces your ability to think.

I am totally dropping that on the next person who uses “novel” where they mean “new”. (And yes, you can make the argument that novel means “not really new but not publishied in some peer-reviewed place, and you can take that argument, fold it until it’s all nice and sharp, and then store it as appropriate.)