I’m not comfortable with that

February 17th, 2010 by adam

The language of Facebook’s iPhone app is fascinating:

If you enable this feature, all contacts from your device will be sent to Facebook…Please make sure your friends are comfortable with any use you make of their information.

So first off, I don’t consent to you using that feature and providing my mobile phone number to Facebook. Not giving my cell phone to random web sites (including but not limited to Facebook) was implicit when that number was provided to you. Your continued compliance is appreciated.

What’s really interesting is the way in which this dialog deflects the moral culpability for Facebook’s choices to you. They didn’t have to create a feature that sucked in all the information in your phone book. They could have offered an option to exclude numbers. And why does Facebook even need phone numbers? Their language also implies that such transfers of third party data are not constrained by any law they have to worry about. Perhaps that’s correct in the United States.

But none of that is considered in the brief notice.

I don’t agree.

Screenshot by Dan Biddle.

Saltzer, Schroeder, and Star Wars

February 13th, 2010 by adam

When this blog was new, I did a series of posts on “The Security Principles of Saltzer and Schroeder,” illustrated with scenes from Star Wars.

When I migrated the blog, the archive page was re-ordered, and I’ve just taken a few minutes to clean that up. The easiest to read version is “Security Principles of Saltzer and Schroeder, illustrated with scenes from Star Wars.”

So if you’re not familiar with Saltzer and Schroeder:

Let me start by explaining who Saltzer and Schroeder are, and why I keep referring to them. Back when I was a baby in diapers, Jerome Saltzer and Michael Schroeder wrote a paper “The Protection of Information in Computer Systems.” That paper has been referred to as one of the most cited, least read works in computer security history. And look! I’m citing it, never having read it.

If you want to read it, the PDF version (484k) may be a good choice for printing. The bit that everyone knows about is the eight principles of design that they put forth. And it is these that I’ll illustrate using Star Wars. Because let’s face it, illustrating statements like “This kind of arrangement is accomplished by providing, at the higher level, a list-oriented guard whose only purpose is to hand out temporary tickets which the lower level (ticket-oriented) guards will honor” using Star Wars is a tricky proposition. (I’d use the escape from the Millennium Falcon with Storm Trooper uniforms as tickets as a starting point, but it’s a bit of a stretch.)

Nelson Mandela

February 11th, 2010 by adam


Twenty years ago today, Nelson Mandela was released from prison on Robben Island, where he was imprisoned for 27 years for considering violence after his rights to free speech and free association were revoked by the government.

I learned a lot about the stories when I visited South Africa, and then more when my mom sent me “The World that was Ours” by Hilda Bernstein. She was an activist and the wife of one of the accused in the “Rivonia Trial.” Her book is a highly readable account of what life was like, and how people who started out as reformers were radicalized by increasingly bizarre and ineffectual attempts by the government to exert control.

It also gives a good sense of how absurd the actions of the apartheid system became as time went on. I could make snarky comparisons to the TSA, and believe me, I’m tempted. But the simple truth is that as bad as things have gotten in the US, they generally don’t even approach the dysfunction which existed in South Africa.

Looking at South Africa today, it’s easy to forget that twenty years ago, the country was engaged in an active race war with government forces shooting into funeral crowds every weekend. The work that Mandela, Desmond Tutu, and F.W. De Klerk and others did to stop the violence and build the society which exists in South Africa today is one of the success stories of our time. Yes, it has deep imperfections, but so does the world.

Photo from the Apartheid Museum. On the left is a ballot box.

My Sweet Lord, this is a Melancholy story

February 9th, 2010 by adam

There’s an elephant of a story over at the New York Times, “Musician Apologizes for Advertising Track That Upset the White Stripes.” It’s all about this guy who wrote a song that ended up sounding an awful lot like a song that this other guy had written. And how this other guy (that being Mr. White) took offense to the work of Mr. Kraft, a subcontractor to the folks who were producing a soundtrack for an ad being made for the US Air Force.

The whole thing’s a bomb, but the fact pattern keeps irritating something in my brain. It must be something subconscious.

In case you missed it

February 8th, 2010 by adam

Water, water everywhere, and not a drop to drink.

Security Blogger Awards

February 3rd, 2010 by adam

We’re honored to be nominated for “Most Entertaining Security Blog” at this year’s “2010 Social Security Blogger Awards.” Now, in a fair fight, we have no hope against Hoff’s BJJ, Mike Rothman’s incitefulness, Jack Daniel’s cynicism, or Erin’s sociability.

But, really, there’s no reason for this to be a fair fight.

So we’re asking our readers to help us cheat. For the next month, whenever you see any of the judges (Mike Fratto, Bill Brenner, Kelly Jackson-Higgins and Larry Walsh) buy them a drink, mention how entertaining our story of the day was, and send us the bill.

We thank you. And remember, as you drink to our success, you’re making America stronger, strengthening your community, reducing taxes and fighting terrorism. Future generations will thank you.

How to Make Your Dating Site Attractive

January 31st, 2010 by adam


There’s a huge profusion of dating sites out there. From those focused on casual encounters to Christian marriage, there’s a site for that.

So from product management and privacy perspectives I found this article very thought provoking:

Bookioo does not give men any way to learn about or contact the female members of the site. Men can join for free, if they have been invited—and if a current Bookioo member can vouch for their information. They can then post a profile for the perusal of the female—and paying—members of the site. It’s those paying women, however, who get to call the shots.

As interesting as the approach is, what’s more interesting is how they came to it. They focused on a set of female customers, and asked what is it that they worry about, and what do they want? Co-founder David Olmos:

We think that women don’t feel comfortable with the current dating sites. The latter are too masculine: they were designed by men and they fundamentally address men’s needs. We know that many women prefer a different approach: they’re eager to socialize, to meet new people, and we propose to do that through activities. It may lead them to find a partner, of course, but they may as well enjoy an afternoon in a museum with a new girl friend whom they met on Bookioo! So we propose to socialize through activities, common hobbies and common tastes.

As you can see, we actually want to revamp the “dating” concept, taking the perspective of women. The key issue for us is to make sure that women enjoy the level of privacy they wish and that the males’ profiles are fully validated. (“Bookioo: dating and social networking site gives women full control.”)

It’s also a very different approach to “creep management,” which we’ve covered in past posts like “Emerging dating paranoia,” “Dating and Background Checks in the UK” or “Dating & Background Checks in China.”

Today in Tyrannicide History

January 30th, 2010 by adam

On January 30th, 1649, Charles I was beheaded for treason. He refused to enter a defense, asserting that as monarch, he was the law, and no court could try him. That same defense is raised today by Milošević, Hussein and other tyrants.

The story of how John Cooke built his arguments against that claim is told in entertaining and accessible depth in “The Tyrannicide Brief” by Geoffrey Robertson.

As his website says, “Geoffrey Robertson QC has been counsel in many landmark cases in constitutional, criminal and media law in the courts of Britain and the commonwealth and he makes frequent appearances in the Privy Council and the European Court of Human Rights.” So he knows what he’s talking about, and he knows how to tell an engaging story.

The principle that no one is above the law is an important one. So today raise a glass and remember John Cooke.

Privacy and Security are Complimentary, Part MCIV

January 29th, 2010 by adam

Privacy and security often complement each other in ways that are hard to notice. It’s much easier to present privacy and security as “in tension” or as a dependency.

In this occasional series, we present ways in which they complement each other. In this issue, the Financial Times reports that “Hackers target friends of Google workers:”

Personal friends of employees at Google, Adobe and other companies were targeted by hackers in a string of recently disclosed cyberattacks…The most significant discovery is that the attackers had selected employees at the companies with access to proprietary data, then learnt who their friends were. The hackers compromised the social network accounts of those friends, hoping to enhance the probability that their final targets would click on the links they sent.

If friends lists were not being aggregated, this attack would have been harder to execute. How much harder is tricky to judge without more information about possible attack vectors.

Also, this is a nice example of the sort of externality that Facebook imposes on the networks of their users. Because Facebook exposes the fact that we’re friends, I have to treat communications from my friends with more suspicion.

The Lost Books of the Odyssey

January 28th, 2010 by adam

You should go read The Lost Books of the Odyssey. You’ll be glad you did.

I wrote this review in April of 2008, and failed to post it. Part of my reason is that I have little patience for, and less to say about most experimental fiction. I am in this somewhat like a luddite, unwilling to tolerate experiments which ought to have been kept confined to a laboratory. And so, knowing that this book won a prize worried me greatly, but for reasons which I’ll get to in a moment, I persevered, and I’m glad that I did.

The “lost books” consist of very short stories, usually of a few pages or so. The context is, of course, the Odyssey, and the actions of its heroes and villains.

It falls into that class of writing which is simply a delight to read. The stories are beautifully crafted, surprising, and cast new light on old stories.

The richness and character of the writing is exceptional and engaging, all the more so for the origin and nature of the work. As Zachary Mason explains in the introduction, “The Lost Books of the Odyssey” were in fact lost and recovered, in a feat perhaps nearly as impressive for its cryptanalytic acumen as for its literary importance.

It is entirely worth reading, and since I first read it, it has been winning substantial literary prizes, and the New York Times calls it “dazzling.”

Finally, I should mention that Zachary and I were roommates at Miss Hall’s School for Precocious Youth in Arkham, Mass. I would like to offer my most sincere apologies for anything he remembers.

[Updated, fixed a spelling error]