Seattle in the Snow

Posted on January 19, 2012 by adam

It’s widely understood that Seattle needs a better way to measure snowfall. However, what’s lacking is a solid proposal for how to measure snowfall around here. And so I have a proposal.

We should create a new unit of measurement: The Nickels. Named after Greg Nickels, who lost the mayorship of Seattle because he couldn’t manage the snow.

Now, there’s a couple of ways we could define the Nickels. It could be:

The amount of snow needed to cost a Mayor 10 points of approval rating
The amount of snow needed to cause a bus to slide down Olive way and teeter over the highway
2 millimeters
Enough snow to reduce the coefficient of city road friction by 1%.

I’m not sure any of these are really right, so please suggest other ways we could define a Nickels in the comments.

Ulf Muller

Posted on January 17, 2012 by adam

Ulf Müller I am saddened to pass on the news that Ulf Müller, a colleague at Zero-Knowledge Systems, has died in tragic and violent circumstances.

I remember Ulf as quiet, gentle, kind and am tremendously saddened by his loss.

The most recent news story is “Computer-Experte in Transporter erschlagen“.

Nils Kammenhuber of the Technical University of Munich is acting as a representative for the family.

Chocolate Waffles

Posted on January 16, 2012 by arthur

Too good not to share (inspired by: Chocolate-Hazelnut Waffles with Frangelico-Brown-Butter Syrup)

Ingredients :
6 oz. (1-1/3 cups) fresh ground whole-wheat flour
2 oz. (2/3 cup) natural cocoa powder
1-1/2 tsp. baking powder
1/2 tsp. baking soda
1 tsp. kosher salt
3/4 cup granulated palm sugar
2 large eggs, at room temperature
3 oz. (6 Tbs.) unsalted butter, melted
1/3 cup yogurt
1/2 tsp. pure vanilla extract
3/4 cup warm water

Directions:
Pre-heat waffle maker.

Mix the flour, cocoa powder, baking powder, baking soda, and salt in a medium sized bowl and mix thoroughly.

In a large bowl, whisk the sugar and eggs until smooth. Stir in the butter, yogurt, and vanilla until smooth. Mix in the warm water until smooth. Add the dry ingredients to the wet and fold until just mixed. It should still have some lumps.

Cook in waffle maker and serve warm.

Twitter Weekly Updates for 2012-01-15

Posted on January 15, 2012 by adam

New blog: Shocking News of the Day: Social Security Numbers Suck http://t.co/VuMV3faO #
RT @PogoWasRight Does *any* federal govt agency actually respond to FOI requests within 20 days? << Send GAO a FOIA with that question? :) #
RT @Digital4rensics On Computer Security Incident Information Sharing: http://t.co/GhGYOOjP – New Post Up! #
New worst practice: blocking paste of passwords in a web site. Do you want to make it hard to use a tool to keep good passwords? #
MT @EPICprivacy "People frustrated by not having a meaningful way to respond to #privacy invasions" listen to @marcrote http://t.co/ber8xWnS #
New School Approaches to Passwords: http://t.co/1MbVSXhd #
RT @0xabad1dea "the United States Court of Appeals affirmed Glik's First A right to record the actions of the police." http://t.co/LPV2SuCq #
RT @WeldPond Asterisk Hack Post-mortem http://t.co/UXTGCbsm << See, it doesn't hurt! #
RT @WeldPond Asterisk Hack Post-mortem http://t.co/UXTGCbsm << See it doesn't hurt to disclose! #
New blog: "The New School of Software Engineering?" http://t.co/VzhpNzxQ (H/T @curphey) #
Quick blog: "Google+ is not a space for free expression" http://t.co/vYE6yHLq #
RT @cstross: Facebook outs teenage gay man, destroying his life, via behavioural advertising: https://t.co/d9IPw9yO #
RT @normative @techdirt: The TSA Posts Its 'Top Good Catches Of 2011' List, Not One Of Which Is An Actual Terrorist http://t.co/kkwRR2ys #
New blog: Please vote New School for security blogger awards. http://t.co/j5Wx1Xx8 (plus endorsments: @rmogull & co, @chriseng & @DennisF) #
RT @MSFTsdl New Blog Post: http://t.co/q0sOsWuS Trustworthy Computing’s 10 Year Milestone – Reflecting on Humble Beginnings #security #
RT @DarkReading Not even DoD's CAC cards are safe anymore: Sykipot malware steals their creds. http://t.co/UDaebXWk #
RT @RSAConference RT @delphiisCEO New blog "Security's Dark Little Secret" http://t.co/OaTqsOXC << maybe we should start learning? :) #
RT @EPICprivacy EPIC in the News: DHS' X-ray scanners could be cancer risk to border crossers http://t.co/kZZ7eZDA via @declanm #
RT @alexmImmunity Liked Cushman's keynote and I agree with his points about having a social eng. & tradecraft depts in a pen-testing shop #
RT @Privacyactivism Passively scanning passengers going through ferry turnstiles in NYC with out their knowledge? http://t.co/gLM8jPaS #
"Because the technology does not use whole body imaging, privacy issues will not be a concern." http://t.co/gLM8jPaS << I call bullshit. #
RT @451wendy Analyst note from yesterday: Microsoft may offer 'big security data' for free https://t.co/0h7NNoh8 #
I love it when a plan comes together. #
RT @alexvans "Good" advert explaining what my brother @nickovs does these days http://t.co/ZsMaM2ML << Reads other people's email? ;) #
Where's the best history of the @defcon CTF? #

Please vote New School

Posted on January 12, 2012 by adam

We’re honored to be nominated in three categories for the Security Bloggers Awards:

Most Educational
Most Entertaining
Hall of Fame

On behalf of all of us who blog here, we’re honored by the nomination, and would like to ask for your vote.

We’d also like to urge you to vote for our friends at Securosis for “Best Representing the Security Industry.” We don’t think Securosis actually is the best representative of the industry today. But I think they represent what we all ought to aspire to be, a empirical, business-aware industry. So please consider them as a part of the broad “New School” sort of slate. We’d also like to put a word in for the ThreatPost podcast as a great mix of technical and non-technical content, and for Veracode for best corporate blog. We’re suggesting Veracode in large part for Chris Eng’s empirical and side-splittingly funny thought leadership videos, but also for a general avoidance of FUD in their blogging.

But whomever you like, please take a moment to vote.

(Cross-posted from the New School blog.)

Google+ is not a space for free expression

Posted on January 11, 2012 by adam

Earlier today I noticed something funny. My Google profile picture — the picture associated with my Gmail account, my GChat account, my Google+ account, etc — had vanished. A bug? Nope.

It turns out, Google — without telling me — went into my account and deleted my profile picture.

See “Dear Google+” for the details of why MG Siegler’s picture looks like this:
Gmg3
Yet another reason that we, retro-style, run our own blogs.

Shocking News of the Day: Social Security Numbers Suck

Posted on January 9, 2012 by adam

The firm’s annual Banking Identity Safety Scorecard looked at the consumer-security practices of 25 large banks and credit unions. It found that far too many still rely on customers’ Social Security numbers for authentication purposes — for instance, to verify a customer’s identity when he or she wants to speak to a bank representative over the telephone or re-set a password.

All banks in the report used some version of the Social Security number as a means of authenticating the customer, Javelin found. The pervasive use of Social Security numbers was surprising, given the importance of Social Security numbers as a tool for identity theft, said Phil Blank, managing director of security, risk and fraud at Javelin. (“Banks Rely Too Heavily On Social Security Numbers, Report Finds“, Ann Carrns, New York Times)

Previously here: “Social Security Numbers are Worthless as Authenticators” (2009), or “Bad advice on SSNs” (2005).

Twitter Weekly Updates for 2012-01-08

Posted on January 8, 2012 by adam

RT @RegoftheDay Happy new year! 40,000 new laws take effect starting today. http://t.co/EOVyRya9 #
RT @StevenLevy Always suspected those xray "backscatter" machines will kill more of us than terrorists will. Now this. http://t.co/ag2lFWWc #
New podcast with @dgwbirch: http://t.co/HKeKOVyW #
New short blog: "The irony overfloweth" http://t.co/6VsrF9JO #
Wow. The Wikipedia article on Infosec certifications currently lacks any dissent on the value of certs. http://t.co/SzdJZHAp #
RT @jayjacobs I've taken a job with the Verizon Risk Intelligence team! << Congratulations to Jay, @wadebaker & the rest of the DBIR team! #
Reflections on trusting "Verified" http://t.co/2FgkajVz #
RT @gbullard The first correction listed is the greatest I've ever seen:
http://t.co/6aRN9uK6 #
New School blog: "Comments on Steve Bellovin's Lessons from Suppressing Research" http://t.co/W2wEUMDB #
RT @tgoetz glad to see the FDA issue some sort of restriction on antibiotics in animals, even if a watered-down version http://t.co/kCI5fZzo #
RT @DanielSolove I will be speaking at Microsoft (DC) tomorrow: about my PII article. Event description here: http://t.co/iMrPChQf #
Some additional comments on the password change paper: http://t.co/oYDhY0EA #
RT @hypatiadotca For all the Sous Vide geeks: Open Source PID (via @3ricj) http://t.co/zYFZ6DVA #
RT @thisisparker Very cool: @Schneier auctioning off galley copies of new book "Liars and Outliers"; proceeds to @EFF and @EPICPrivacy #
RT @ErrataRob Vint Cerf is profoundly wrong in saying that the Internet is not a human right http://t.co/wrfyIzA1 #
RT @Jim_Harper @adamshostack @thisisparker I think you mean @schneierblog #
RT @csoandy Ahhh, one hour, second trick of Elevation of Privilege. Good game, @adamshostack. << glad it helps! #
RT @csoandy Lots of trash talking. "I don't see how that's possible here!" "Can't you see how easy this is!" Good framework. #
RT @SecWonk CPEs 4Free: @adamshostack on @Kaspersky Podcast, Methods of Compromise+ New School & Learning http://t.co/uqRH3iBG #CPEs4Free #
RT @Ellen_CK Keynoting BSides PHX http://t.co/NgIIzh7F :) << Cool! #
RT @DanaEpp Get to introduce threat modeling via "Elevation of Privilege" game to new members of the dev team. Good way to end the week! #

The Irony Overfloweth

Posted on January 3, 2012 by adam

@RobArnold tweeted: “Someone thinks targeted Facebook ads are an effective way to ask for Firefox features. Any other Mozillians see this?”

The irony of using a targeted ad, on Facebook, to ask for more privacy protection…

Twitter Weekly Updates for 2012-01-01

Posted on January 1, 2012 by adam

RT @timoreilly Amazon patents inferring religion from choice of wrapping paper http://t.co/MmCMx2OO << Over the "creepy" line #
RT @kevinmitnick Did you ever want a blue box to make free calls? Now you can in the Apple app store. Search for "blue box". EPIC!!! #
I wonder what Woz thinks of being able to get a blue box on his apple phone? (cc @kevinmitnick) #
I'm super-happy to see @rmogull, @Beaker, @nselby & more arguing over quality & speed of breach disclosure. #AVeryNewSchoolChristmas :) #
It's cool that Skype's preferences uses a segment of 1984 as the sample chat when showing that logs are kept. #
Very interesting history of names at #28c3 http://t.co/dL1ztjmL /cc @_nomap @privacyint #
RT @doctorow Adversarial stylometry data-set/research https://t.co/SPtQ72XX #28C3 < Totally rad! #
RT @jeremiahg New blog post: "Terrified" http://t.co/AlorWtcd << Kudos on speaking up! #
RT @Beaker Easy, because "outcomes" require analysis, modeling & understanding. Controls can be bought, installed & checked off #
So has anyone written up an analysis of the GoD dump? (mm.txt) #
RT @evilcyber I can probably narrow the GOOG stuff down to about a 6 month window in 2003. :) << There's stuff when Aleph1 was at SFocus #
RT @argvee @evilcyber @adamshostack we got it down to 3. #

Emergent Chaos

The Emergent Chaos Jazz Combo