Shostack + Friends Blog Archive



Jihad Watch: Muslims claim unfair treatment at Canadian border

I’ve been debating if I should respond to this idea of unlimited searches of Muslims again, and realized that there’s a perhaps interesting analogy. JihadWatch quotes an AP story BUFFALO, N.Y. — An Islamic civil rights group Wednesday accused U.S. border agents of religious profiling after dozens of American Muslims were searched, fingerprinted and photographed […]


Quick Links

Cory points to another example of anti-consumer activity, this time Apple disabling the high quality audio-in on the iPod. How to fix it at Hack-a-day. Also via Hack-a-day is the paper Enigma machine. Scrivner discovers that Uncle Sam admits to cooking the books, in a way that the SEC would never tolerate from a public […]


Cory vs DRM

Cory Doctorow posts a delicious rant against Wired’s review policy here. Unfortunately, he fails to stress what I think is the point. Wired is writing reviews. Those reviews are supposed to be impartial. Whatever you may think about DRM, it is clearly an important mis-feature of a product which you may buy. Informed reviewers, […]


Congratulations to Mozilla

I’ve always believed that my readers are smarter and better looking than average, and now I have proof. Yesterday, for the first time, over half (50.3%) of the visitors to this site were using Mozilla or Firefox. (As summarized by AWStats.)     Browsers Grabber Hits Percent Mozilla No 10308 31.4 % Unknown ? 9786 […]


Quick Links

John Robb has an article at Global Guerrillas about the cost of terrorist attacks and their impact on the economic equilibria at work in cities, based on a report by the NY Fed. A terrorism tax is an accumulation of excess costs inflicted on a city’s stakeholders by acts of terrorism.  These include direct costs […]


More on ROI

You can get ROI from security solutions by automating manual processes. Patch management and automated password resets are two solutions that don’t need “incidents” to gain a return. says Pete Lindstrom, responding to my comments that: Well, of course. ROI has enormous problems, including an assumption that technology works out, that there’s an infinite pool […]


Biased Reporting has an article entitled “Craigslist costing newspapers millions.” Which is nominally accurate, but a better title would be “Craigslist saving consumers millions.” Craigslist, which generates more than 1 billion page-views each month, also has cost the newspapers millions more in merchandise and real estate advertising, and has damaged other traditional classified advertising businesses, according […]


Talking is Tough

Anyone who talks to journalists to provide background or commentary says things that they wish they hadn’t. This is in contrast to when you’re making news, and can plan what you want to say, and it’s easier to stay “on message.” Kudos to Bruce for owning up to it. I’m sure I said that, but […]



With Yushchenko at 52% of the votes to Yanukovich’s 44%, it seems likely that Yushchenko will be the next leader of the Ukraine. Congratulations to all who stood up for a fair and honest vote. Oh, and it means I can get a nicer stylesheet in place, too.


Froomkin 1, Treasury 0

Michael Froomkin sees the idea of the secretary of the treasury investing the social security trust fund, and finds it wanting.


The Intent of a Tank

“We used to talk about the intent of a tank,” Colonel Thomas explained in an interview. “If you saw one, you knew what it was for. But the intent of electrons – to deliver a message, deliver a virus, or pass covert information – is much harder to figure.” Ian Grigg points out an interesting […]


Database Flaws More Risky Than Discussed

Rob Lemos has an article in CNET about NGSSoftware. On Thursday, they released a slew of advisories about Oracle products with flaws NGS had discovered 3 months ago. Now, it turns out that the problems may be more risky than thought. Alternately, the release of the exploit code may have caused SecurityFocus to raise its […]


Keynote can't Export to Web?!?

I was just playing with Keynote, working on some slides for Shmoocon, when I realized that I couldn’t get my slides onto the web! Now, I’ve griped about how Powerpoint makes its slides for the web, but at least it makes them. It seems that Tim Bray figured this out a while ago, but I […]


Good Luck To Ukraine!

I hope that your elections go smoothly, fairly, and peacefully, and that when they’re done, the people’s will is respected.


Winning the Battles, Losing the War

A historian, Isaiah (Ike) Wilson III, Ph.D, gave a talk a few months ago at Cornell, entitled “Thinking Beyond War: Civil-Military Operational Planning in Northern Iraq.” His basic thesis seems to be that, in contrast to a carefully planned and executed war campaign, there were no definitive plans for what to do after the Iraqi […]


Banks issue 2 factor auth

There’s a story in today’s CNET about banks issuing authentication tokens (like SecurID cards) to customers to address customer authentication issues. While these are useful, insofar as they will make phishing harder, they won’t stop it. Phishing will transform into an online, at the moment crime, which will be easier to catch, but work by […]


More on SSNs and Risk

In writing about Delta Blood Bank earlier today, one of the issues I was thinking about was the unnecessary use of social security numbers, and how it’s an industry standard. One area where this is particularly evident is in the bifurcated market for cell phones. At one end are providers like Virgin and MetroPCS, who […]


Delta Blood bank

Delta Blood Bank sent a letter Friday to donors, warning them a computer that held their personal information had been stolen and advising them to take steps against identity theft and credit card fraud. … In addition to the letter…The blood bank will no longer require Social Security numbers from its donors… No longer require […]


TSA Backs Down

Starting today, the federal Transportation Security Administration is telling its screeners to keep their hands to the “chest perimeters” of women unless handheld metal detectors beep when waved over their breasts. I’ve mentioned outrage at TSA intrusiveness in the past. (From, via CSO Online.)


Ripping into ROI

Over at TaoSecurity, Richard Bejtlich writes: ‘ROI is no longer effective terminology to use in most security justifications,’ says Paul Proctor, VP of security and risk strategies for META Group… Executives, he says, interpret ROI as ‘quantifiable financial return following investment.’ Security professionals view it more like an insurance premium. The C-suite is also wary […]


Anti-American Nuts Unfairly Accuse Military of Torture

[DOD interrogators presented themselves as FBI agents and…] These tactics have produced no intelligence of a threat neutralization nature to date and CITF believes that techniques have destroyed any chance of prosecuting this detainee. If this detainee is ever released or his story made public in any way, DOD interrogators will not be held accountable […]


The problem(s) with ID cards

Europhobia nails the link between privacy and economics in the UK imposes national ID cards stupidity: But usually what gets them is “what? I’ll have to pay eighty-five quid for this thing?” No, Europhobia, they’ll have to pay 85 quid for the card, and another 10 quid in taxes for the backend database. (Figuring 60% […]


Mac Sysadmining: Find missing man pages

After upgrading to Panther and installing X-Tools, several people complained that some unix man pages, specifically section 3 (standard library), are missing. For example, if you try: % man 3 strcmp and get no man page, you need to follow the procedure below: Remove /Library/Receipts/BSD.pkg/ (rename or delete) Insert Panther CD 1 Install BSD package from […]


Effects of democracy on health

The British Medical Journal has just published a study showing either that democracy makes you live longer, or living in a dictatorship kills you, by three Spanish professors.


Not Just A Good Defense

Michael Froomkin comments: We vastly overestimated the speed with which non-techies would take up the toys; the growing and enduring dominance of one software platform that didn’t take up the toys; and especially the ability of the empire to strike back via both tech (trusted user) and law (DMCA and worse). Some time about four […]


What Did Fox TV Know and When Did They Know It?

Scrivener has an interesting post about an episode of ‘Family Guy’ that shows Osama bin Laden bypassing airport security with a song and dance routine. “This was all quite amusing in 2000. Does it mean anything in retrospect? You decide.”


Econ and Security papers

Ross Anderson has added three papers to his Economics and Security Resource page: Fetscherin and Vlietstra’s DRM and music: How do rights affect the download price? shows that the prices of music tracks sold online are mostly determined by the rights granted to the purchaser – including the right to burn, copy or export the […]


Three By Froomkin

Michael Froomkin has three nice posts today. First, Inside The TSA, we learn that power tends to corrupt: This account of the goings-on at the MIA TSA branch, brought to you by the feisty local Miami New Times, is worse than not pretty. It’s pretty ugly: allegations of theft from passengers’ bags, sexual harassment (of […]


Good Old Fashioned Cooking

Julie, formerly of the Julie/Julia project, has an article in Archaeology on how to cook like the ancients. There are also recipes. Unfortunately, Mongolian Lamb Liquor is (as presented) less interesting than it sounds. (Via Samablog.)


First They Came For The Jews

The normally insightful JihadWatch writes: It sounds terrible: restricting their civil liberties. Until you read into the story and find that they’re talking about registration, profiling, and monitoring of mosques and Islamic organizations. Horrors! Registration may inconvenience some people, but after all, a lot of people were inconvenienced on 9/11; as with all these measures, […]


People Will Sign Anything

Doug Barnes has a great receipt on You Must Be Present To Win. [Update: Gosh, I wish I’d said something insightful here. Stay a minute, read the rest of my ramblings!]


Releasing Criminals

My friend Sameer takes issue with my hoping for experimentation by criminals, on two grounds: First, he believes I’m encouraging violence. This wasn’t my intent. I assume that there are all sorts of ways to non-violently behave badly, from calling a guard snookums to having a tattoo needle in your cell. However, I don’t know. […]


How Much Is Risk Management Worth?

David Akin blogs that Fitch Ratings has purchased Toronto’s Algorithmics for $175M (the press release is datelined New York, so I’m guessing that’s a US dollar figure). Algorithmics makes risk management software, focusing on market risks for banks, things like hedging strategies and Basel II compliance (based on a quick read of their site.) So […]


A good day for liberty

In its powerfully worded decision, the [UK Law Lords] said that the government’s “draconian” measures unjustly discriminate against foreigners since they do not apply to British citizens and constitute a lopsided response to the threat of a terrorist attack. (From The New York Times, see also the BBC or Volokh.) WASHINGTON (AP) — A [US] […]


Clever criminals

Over at Marginal Revolution, Alex Tabarrok quotes a letter from an inmate: [Inmate:] A privately owned and publicly traded company like CCA has no incentive to rehabilitate criminals.  It is in the best interests of the company for even more criminals to exist.  Unfortunately, the same is true of government run prisons.  And contrary to […]


Quickies has an interesting article about taxes and your phone company. Any article that starts with an error about how long ago the Spanish American war took place is a little worrisome, but I love watching badly written law becoming irrelevant. Stefan Geens has a great article taking a simple question and exploring the math […]


Browser privacy from the server?

A friend writes and asks: I’m working in NYC now, as the Web Admin for Safe Horizon. We’re the largest service agency in the US for victims of violence, crime or abuse. We’re interested in putting in some features into our site, but we have to protect our visitors’ privacy, since they might be visiting […]


Signalling by Counting Low Hanging Fruit?

I’ve been thinking a lot about signaling software security quality. Recall that a good signal should be easy to send, and should be easier for a higher quality product. I’d like to consider how running a tool like RATS (link) might work as a signal. RATS, the Rough Auditing Tool for Security, is a static […]


Referrer spam: The end is ROI

The first two claim to be UNDER CONSTRUCTION, and this makes me hypothesise that they are honeypots of a sort, respectively researching whether Deep-URLs (“/friendslinks.php”) or merely Root-URLs (“/”) are most effective methods of Referrer-Spamming, plus also providing a check to see which blogs are the most valuable ones to be worth spamming. In short: […]


Welcome, Carnival readers!

My friend Rob Sama is hosting this week’s Carnival of the Capitalists, and was kind enough to give me a shout out. So, welcome if you’re coming in from there. I’m traveling on business, so blogging will be a little slow, but please, have a look around! I try to apply economics to security problems […]


State Failure 101

Global Guerrillas has a great post on how US efforts in Iraq are broken: Unfortunately, the US effort to rebuild Iraq is out of synch (a full 180 degrees) with what is really needed.  If we map US efforts to Maslow’s hierarchy we see something quite unsettling. 


Two on Liberty

Ed Hasbrouck has a long post on the impact of the new “intelligence reform” bill on privacy and liberty. The CBC has an article on Australia imposing random drug tests on its consumer-units, or citizens, or something.


Strictly Off The Record…

Nikita Borisov and Ian Goldberg have released Off-the-Record Messaging, an IM plugin for private communication providing not only the usual encryption and authentication, but also deniability and perfect forward secrecy. Deniability avoids digital signatures on messages (while preserving authenticity and integrity), so there is no hard-to-deny proof you wrote anything in particular; in fact, there […]
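The two properties the post singles out, deniability and perfect forward secrecy, come from two design choices: authenticate with an HMAC under a key both parties hold rather than with a signature, and derive that key from ephemeral Diffie-Hellman values that are thrown away afterwards. The block below is an added illustration of those two choices, not OTR’s wire protocol or code. It uses the 2048-bit MODP group from RFC 3526 (group 14), a SHA-256 counter-mode keystream as a stand-in for a real cipher, and a 320-bit DH exponent; the exponent size and the key-derivation labels are assumptions made for the demonstration.

```python
"""Added illustration of OTR's two headline properties: forward secrecy from
ephemeral Diffie-Hellman and deniability from HMAC (not signature)
authentication.  Not OTR's protocol or code; the SHA-256 counter-mode
keystream stands in for a real cipher and the exponent size is assumed."""
import hashlib
import hmac
import secrets

# 2048-bit MODP group (RFC 3526, group 14), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
P_LEN = (P.bit_length() + 7) // 8


def dh_keypair():
    """Fresh ephemeral pair; the private exponent is discarded after the handshake."""
    priv = secrets.randbits(320)
    return priv, pow(G, priv, P)


def shared_secret(priv: int, peer_pub: int) -> bytes:
    if not 2 <= peer_pub <= P - 2:          # reject 0, 1, p-1 and out-of-range values
        raise ValueError("bad peer public value")
    return pow(peer_pub, priv, P).to_bytes(P_LEN, "big")


def derive_keys(shared: bytes):
    """Separate encryption and MAC keys from the DH output."""
    return (hashlib.sha256(b"enc" + shared).digest(),
            hashlib.sha256(b"mac" + shared).digest())


def keystream_xor(key: bytes, counter: int, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); stands in for AES-CTR."""
    out = b""
    block = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + counter.to_bytes(8, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))


def seal(enc_key: bytes, mac_key: bytes, counter: int, plaintext: bytes):
    """Encrypt-then-MAC.  Anyone holding mac_key could have produced this tag,
    which is exactly what makes the authentication deniable."""
    ct = keystream_xor(enc_key, counter, plaintext)
    tag = hmac.new(mac_key, counter.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    return counter, ct, tag


def open_msg(enc_key: bytes, mac_key: bytes, counter: int, ct: bytes, tag: bytes):
    """Return the plaintext, or None if the tag does not verify."""
    want = hmac.new(mac_key, counter.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(want, tag):
        return None
    return keystream_xor(enc_key, counter, ct)


def session_keys():
    """One ephemeral DH handshake; both private exponents die with this frame."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    keys_a = derive_keys(shared_secret(a_priv, b_pub))
    keys_b = derive_keys(shared_secret(b_priv, a_pub))
    assert keys_a == keys_b
    return keys_a


def demo():
    """Walk one session and report the facts the two properties rest on."""
    enc, mac = session_keys()
    ctr, ct, tag = seal(enc, mac, 1, b"meet at the bar, thursday")
    read_ok = open_msg(enc, mac, ctr, ct, tag) == b"meet at the bar, thursday"
    # Deniability: the receiver, holding the same mac_key, mints a valid tag
    # on a line the sender never wrote, so a tag proves nothing to a third party.
    f_ctr, f_ct, f_tag = seal(enc, mac, 2, b"a line Alice never wrote")
    forgery_verifies = open_msg(enc, mac, f_ctr, f_ct, f_tag) is not None
    # Forward secrecy: the next session rekeys and nothing left over opens the old text.
    enc2, mac2 = session_keys()
    return {"read_ok": read_ok, "forgery_verifies": forgery_verifies,
            "rekeyed": enc2 != enc,
            "old_ct_opens_later": open_msg(enc2, mac2, ctr, ct, tag) is not None}
```

Two things the toy leaves out but OTR does: it publishes old MAC keys once they are retired, so that forging past transcripts is not merely possible but easy for anyone, and it verifies the peer’s long-term identity with a signature only inside the initial key exchange, never over message contents. The missing range check on a received public value is the kind of mistake that quietly destroys both properties, so it is kept even in a toy.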


Be Careful What You Wish For, Air Force

Federal Computer Week has a story about the Air Force’s efforts to patch faster: Officials’ ultimate goal is to have software patches implemented across the Air Force in minutes. During the next few months, they hope to cut the time from tens of days to just days, said Col. Ronnie Hawkins, director of communications operations […]


Mac toys has a nice page of software for techies switching to a Mac. Speaking of techie Mac use, I’m playing with subversion and the sweet looking SCPlugin. To make it see my ssh keys, I’ve added SSHkeychain. That required logging out and back in. After I did, I was getting lots of Keychain errors. It […]


CIBC & SB136

CIBC is a Canadian bank, who has recently been sued by a West Virginia scrapyard operator for faxing their customer’s private data to him. I’ve blogged about them here and here. (It turns out that other banks are doing the same thing, as David Akin blogs.) SB 1386 is a California law that requires companies […]


BarlowFriendz: A Taste of the System

John Perry Barlow writes about the apparently limitless suspension of the Constitution that’s already happened in airports. But randomly searching people’s homes against the possibility that someone might have a bio-warfare lab in his basement would reveal a lot of criminal activity. And it is certainly true that such searches would reduce the possibility of […]


Thoughts on Kerik's withdrawal

Kerik issued a statement saying: “In the course of completing documents required for Senate confirmation, I uncovered information that now leads me to question the immigration status of a person who had been in my employ as a housekeeper and nanny,” he said. “It has also been brought to my attention that for a period […]


Kerik Withdraws

The BBC is reporting that Kerik has withdrawn, citing personal reasons. The BBC also mentions controversy over his link to Taser, Inc, and a possible nannygate issue.


Regulating Private Spaceflight

Doug Barnes writes: There is a clear basis for regulation of objects that, with great force, fling themselves into the sky and have an opportunity to subsequently land on random people and property. Even from a purely selfish point of view, it’s not going to be good for the development of a commercial spaceflight industry […]


Google Groups, Privacy and Spam

Writing to Farber’s Interesting People list, Lauren Weinstein writes: Their new system is obscuring *all* e-mail addresses in *all* netnews messages in the archive (including the vast numbers of messages that do not originate within the Google environment and/or that predate the existence of Google Groups). This includes not only the addresses of individual netnews […]


Optimizing acceptable bugs?

In a recent comment, Pete Lindstrom asks: So do you think this can be modeled using a version of the El Farol’s Bar you post about in the future? Maybe we can optimize the number of acceptable bugs… How does/should the policies of Microsoft and Oracle affect this model? I’ve been thinking about this, and […]


Nice point

…it’s pretty scary when the only Asian leader taking your side is the allegedly former crony-capitalist-in-chief of an island police state best known for its canings and outlawing of bubblegum. Says Doug, and who am I to argue with him?


To sleep, perchance to sleep?

After installing Apple’s latest security update, my laptop no longer goes to sleep when I close it. Is anyone else with more time experiencing this? I am using Bernhard Baehr’s excellent Sleepwatcher, a daemon that allows you to add sleep and wakeup actions, but that hasn’t changed in a while. (If I had more time, […]


What Sci/Tech books are worthwhile?

Ed Felten writes about a library survey in which few tech books, and none worthwhile, made the top-1000 list. He concludes: It’s the technology books that really disappoint. These books are useful, to be sure, and it’s not surprising that libraries have them. What’s really sad is that no book about the intellectual content or […]


What cost security?

For traditional financial services alone, compliance with the PATRIOT anti-money laundering provisions is projected to cost $10.9 billion by the end of 2005, according to the research firm Celent Communications. No wonder that the champions of forced business spying didn’t want to present even this watered down procedure for congressional review, says banking industry consultant […]


Mac debugging

Daring Fireball points to a new Apple technote full of ways to debug programs under MacOS X.


Nobody goes there anymore, it's too crowded

In 1994, Brian Arthur introduced the `El Farol Bar’ problem as a paradigm of complex economic systems. In this model a population of agents have to decide whether to go to the bar each Thursday night. All agents like to go to the bar unless it is too crowded (i.e. when more than 60% of […]


Destroying the airlines in order to save them

My friend Dave writes about trains vs. planes: On that topic, it’s not hard to make a point that train travel is really not far behind airline travel. For me, it was 45 minutes to the station, only 10 minutes to checkin and board, 7.5 hours to DC in a comfy seat (with 120v power […]


Code analysis and safe languages

Ekr writes: These tools aren’t perfect and it certainly would be nice to have better tooling, but it’s worth noting that a lot of the bugs they find are the kind of thing that could be entirely eliminated if people would just program in safer languages. For instance, the buffer overflow vulnerabilities which have been […]
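Both the RATS-as-signal idea above (“Signalling by Counting Low Hanging Fruit?”) and Ekr’s point that these tools mostly find bugs a safer language would have removed come down to the same operation: count the calls a rough auditing tool flags, before and after a fix. The block below is an added example, not RATS itself and not code from either post. It scans C source for a small hand-picked subset of the calls RATS reports, blanks out comments and string literals first so that a mention of `strcpy` in a comment is not counted, and reduces the result to one number a buyer could compare. Both C snippets are constructed for the demonstration; the rule table and severities are assumptions, not RATS’s database.

```python
"""Added example (not RATS, not from the posts): a miniature RATS-style scan
over C source.  RULES is a hand-picked subset with assumed severities; the
two C snippets are constructed inputs."""
import re

# function -> (severity, why); a small subset of what RATS reports.
RULES = {
    "gets":    ("High", "no length limit at all; use fgets"),
    "strcpy":  ("High", "unbounded copy into a fixed buffer"),
    "strcat":  ("High", "unbounded append into a fixed buffer"),
    "sprintf": ("High", "unbounded formatted write; use snprintf"),
    "system":  ("High", "shell invocation; check for injected input"),
    "strncpy": ("Low",  "bounded but may leave the buffer without a NUL"),
}

# Block comments, line comments and string literals, in that order.
_NOISE = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"', re.S)


def _blank_noise(src: str) -> str:
    """Replace comments and string literals with spaces, keeping line numbers."""
    return _NOISE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)


def scan(src: str):
    """Return [(line, function, severity, why)] for every risky call in src."""
    code = _blank_noise(src)
    hits = []
    for name, (sev, why) in RULES.items():
        for m in re.finditer(r"\b%s\s*\(" % name, code):
            hits.append((code.count("\n", 0, m.start()) + 1, name, sev, why))
    return sorted(hits)


def signal(src: str):
    """The number a buyer could compare: high-severity hits per 1000 lines."""
    loc = sum(1 for line in src.splitlines() if line.strip())
    high = sum(1 for h in scan(src) if h[2] == "High")
    return {"loc": loc, "high": high, "per_kloc": round(1000 * high / loc, 1)}


# Constructed input: the classic C bugs, plus two decoys that must not count.
BEFORE = r'''#include <stdio.h>
#include <string.h>
/* strcpy mentioned in a comment must not count */
void greet(char *name) {
    char buf[32];
    strcpy(buf, name);            /* unbounded copy */
    sprintf(buf, "hi %s", name);  /* unbounded format */
    puts("never call gets()");    /* string literal: not a call */
    puts(buf);
}
int main(void) {
    char line[64];
    gets(line);
    greet(line);
    return 0;
}
'''

# Constructed input: the same program with bounded calls.
AFTER = r'''#include <stdio.h>
#include <string.h>
void greet(const char *name) {
    char buf[32];
    snprintf(buf, sizeof buf, "hi %s", name);
    puts(buf);
}
int main(void) {
    char line[64];
    if (fgets(line, sizeof line, stdin) == NULL) return 1;
    line[strcspn(line, "\n")] = '\0';
    greet(line);
    return 0;
}
'''

if __name__ == "__main__":
    for label, src in (("before", BEFORE), ("after", AFTER)):
        print(label, signal(src))
        for line, name, sev, why in scan(src):
            print("  line %d: %s() [%s] %s" % (line, name, sev, why))
```

A count like this is cheap to send, and cheaper for a product that never had the calls (or was written in a language without them), which is the shape a good signal needs; the obvious weakness is that it measures the presence of a name, not the presence of a bug, so a vendor can drive it to zero with wrappers without fixing anything.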


Privacy lessons from CIBC

The disaster over at CIBC is telling, and bears a little exploration. The real victims, whose details were faxed to never saw the violation of their privacy. It was CIBC tossing data around incompetently, all the while publicly proclaiming their commitment to privacy. Wade Peer, a scrapyard operator in West Virginia brought the three years […]


Eating their own dogfood

In a move that surprises no one, the screensaver that Lycos created to target spammers has been used to target Lycos. The screensaver was designed to launch a DoS attack against sites that are known for their spamming techniques. (From Chris Richardson at SecurityProNews via Mort. See the ZDNet UK article for more details.)


Cool bug!

I believe this is a bug in Netnewswire, and will be reporting it there in just a second, but it’s so pretty I wanted to share it. Note the menubar has gone transparent, but is still readable. It looks way cool this way. Maybe someone will find a hook in the OS to allow us […]


Canadian privacy law & CIBC

Businesses can avoid potential public relations and legal nightmares by developing privacy policies, authentication processes and using cutting-edge technology. The Canadian Imperial Bank of Commerce learned this the hard way last week when U.S. scrapyard operator Wade Peer went public with his story about how one of Canada’s largest banks was flooding his fax machine […]


oooh, look an unscientific poll!

Go tell the pollsters that we’ve had enough government sponsored groping. [Update: You may use BugMeNot for a login, or you might want to create a new one for the poll, and feed the bugmenot database.]


Kerik for DHS?

The New York Times is reporting that Bernard Kerik, formerly of the NYPD, has been tapped for homeland security secretary. [Update: VikingZen has an alternate suggestion that shouldn’t be missed!] [Update 2: Declan has found a more relevant set of links than I did. Thanks to Secondary Screening.]


The metrics quest

There’s an interesting article on metrics over at CSO Online. The comments are great, too. Now if you’ll excuse me, I need to go ring a gong.


Freedom to travel in Ukraine

This information has been confirmed by another listener. She said that in ticket sales offices on Hnatyuk street in Lviv the cashier was extremely friendly to those who were traveling to Kiev, but she did record the passport data into some sort of catalogue. Maidan-INFORM has been stressing, that such practice of registering movement of […]


Training is not the answer

Florence Olsen writes in Federal Computer Week about security training: Last year, for example, officials at a federal financial institution tested employees’ adherence to the agency’s computer security policy against opening e-mail attachments from unknown sources. About half of the employees failed the test, Coe said. [Kathy Coe, regional director of educational services at Symantec] […]


The death of marketing…

John Lebkowsky comments that he’s being paid to blog by “Marqui.” The first two headlines on their web site sum it all up: MARKETING IS IN A STATE OF CRISIS! Watch the demo (5 minutes) I have to spend 5 minutes figuring out how you distinguish yourselves as a marketing company? Sheesh.


Financial Cryptography: 2005 – The Year of the Snail

Ian Grigg is on a roll with good posts. See this 2005 – The Year of the Snail Since he’s doing the thinking, and I haven’t had my coffee yet, I’ll just ask, what happens when this gets 10x worse? Is there anything acting as a serious brake to that? Also, Ian says “serious money” […]


Amateurs study cryptography; professionals study economics.

Ian has a fine post over at financial cryptography: The only thing I’m unsure of is whether it should be economics or risk. But as I roll it around my mind, I keep coming back to the conclusion that in the public’s mind, the popular definition of economics is closer to the image that we […]


Worms swamp security

Security experts take it as a truism that you can’t defend everything. So you have to make choices about what attacks to worry about, and which ones to ignore. A study released today claims that unprotected hosts are attacked once per second. (USA Today reports on the study, and is utterly swamped. So I […]


Lycos' attack spammers@home

I’d like to add one bit about Lycos’ new attack spammers screensaver. Ed Felten writes most of what needs to be said about it: This is a serious lapse of judgment by Lycos. For one thing, this kind of vigilante attack erodes the line between the good guys and the bad guys. Spammers are bad […]


Paralyzed woman walks again

A SOUTH Korean woman paralysed for 20 years is walking again after scientists say they repaired her damaged spine using stem cells derived from umbilical cord blood. Hwang Mi-Soon, 37, had been bedridden since damaging her back in an accident two decades ago. Last week her eyes glistened with tears as she walked again with […]



SteveC, whose comments are broken, says: “wikinews is demoing here. When you have a hammer, everything looks like a nail. I can’t wait for wiki… wiki… wikigovernment. Or something. We could all edit the laws. yay!” Me, I want WikiAirlineSchedules.


CIA funded overthrows?

Cryptome points to a fascinating article in The Guardian about how the US is training young activists to undermine corrupt regimes: Funded and organised by the US government, deploying US consultancies, pollsters, diplomats, the two big American parties and US non-government organisations, the campaign was first used in Europe in Belgrade in 2000 to beat […]


Bad Security = Bad UI?

Allan Schiffman has sorted through the papers from the DIMACS Workshop on Usable Privacy and Security Software, and has summaries and recommendations in “Bad Security = Bad UI?.” [Update: Oh, the irony of a conference on usability naming all their files things like “blaze.pdf” or “garfinkel.ppt”– how about “blaze-usable-privsec.pdf,” so I can easily archive the […]


Music economics

Naxos is a classical music company. They bill themselves as the world’s leading classical label. They have a fascinating business model, which is that they find great ensembles, often in eastern Europe, have them record interesting music, and then sell it cheaply. I’ll often buy 2 or 3 Naxos CDs as experimentation. When they’re 7 […]



America’s Secret War, by George Friedman, is reviewed in the Australian: The Americans had established and then strengthened a military presence in countries surrounding Saudi Arabia – Yemen, Oman, Qatar, Bahrain and Kuwait. Invasion of Iraq would complete the encirclement. “From a purely military view,” Friedman adds, “Iraq is the most strategic single country in […]



The CBC reports on documents that the US tried to bury by releasing the day after Thanksgiving, admitting that “…Canada, Germany, the Netherlands and Britain share the suspicion that the international standard set for the electronic passports inadequately protects privacy and security.” These chips can be read from 30 feet away, today. That’s the opinion […]


New look

For Yushchenko, and fair elections. It’s a small thing, but show your support. Turn your blog orange.


The revolutions are being blogged

From Iraq, the start of a new political party, and the jitters that come from living under totalitarianism. From Ukraine, people continue to rally and demonstrate against the hijacking of their democracy: The past four days have taught me something valuable: when I’m watching the situation unfold on television, I grow tense, fearful that it’s […]


Bush & Putin

Will President George W. Bush now stand up to Russia’s blatant imperial overreach in Ukraine? Will Mr. Bush protect America’s interest in the spread of democracy and free markets? While the President has touted good relations with his Russian counterpart, it is clear that Vladimir Putin financed and actively campaigned on behalf of an authoritarian […]


Evidence based…cooking

The curiosity that fueled the experiments in Mr. McGee’s first book is undiminished after 20 years, and his approach to cooking is still skeptical. He tries to take as little as possible for granted, asking at each step: Why am I doing this? Is there a better way? All this questioning has yielded conclusions, some […]


The democracy meme

“I will not accept the results of the presidential election until it is proved to me and the Ukrainian people that they are legitimate and credible in accordance with conditions set down by the constitution,” [Yanukovych] said in a statement. “I need no fictitious victory, a result which could lead to violence and victims. No […]


A market for journal articles, again

George Akerlof shared the 2001 Nobel prize in economics for his paper on “Lemon markets.” While reading Akerlof’s Nobel Prize essay, I was struck by the comment: I submitted “Lemons” there, which was again rejected on the grounds that The Review did not publish papers on topics of such triviality. It seems to me […]


A lemons market for … anti-spyware

Anti-spyware software has many of the issues that other privacy software has had.* It’s hard to understand the technical means by which privacy is invaded. It’s hard to see that you have (some) spyware. And it’s hard to evaluate what anti-spyware software works, and what doesn’t. Well, it was. Eric Howes has started testing anti-spyware, […]


Travel Plans: Shmoocon

Crispin Cowan and I will be running a BOF at Shmoocon, on Evidence Based Security. Shmoocon is in DC, Feb 4-6 of next year.



These women and a good many others, both frequent and occasional travelers, say they are furious about recent changes in airport security that have increased both the number and the intensity of pat-downs at the nation’s 450 commercial airports. And they are not keeping quiet. … Most of the women interviewed said they did not […]


No fly list

A man with an expired passport got onto Air France flight 26 on Saturday, November 19th: Flight 026 from Paris to Washington Dulles International Airport was diverted to Bangor, Maine, after U.S. officials discovered that the man was listed on the government’s no-fly list. The man’s name also was on the State Department’s terrorist watch […]


Security and diplomacy

…Mr. Bush had to wade into a group of security agents to pull his lead Secret Service agent out of a shoving match with the Chilean police. The tape showing the president assuring the Chileans that his agent could come with him played over and over on television screens in the region this weekend. By […]


What I'd like from a social software web site

There are lots of so-called ‘social software’ web sites that help you umm stay in touch with friends, or make new ones or something (Friendster, Tribe, Orkut, etc). Some are more socially oriented, others are more about business. What I’d really like is one that supports my travel habits. I fly to lots of places. […]


Informed? comment

Experts tend to know that when journalists report on their subject, things get twisted up and wrong. You start to evaluate a publication by looking at how it does on subjects you know, and assume that its work is consistently at the same level. I’ve been (cautiously) reading Informed Comment, by Juan Cole. He tends […]


What's Google Worth?

I opened this blog, exactly three months and 250 posts ago, asking, “Why Did Google Pop?” (with a second post on the topic as well.) Nudecybot has two fascinating posts on Google today. The first is on Google bias, the second on gmail, and the fact that it now actually secures your email (way to […]


So who likes them?

Ryan Singel catches an AP article on RFID passports: On the latest passports, the agency has “taken a ‘keep it simple’ approach, which, unfortunately, really disregards a basic privacy approach and leaves out the basic security methods we would have expected to have been incorporated for the security of the documents,” said Neville Pattinson, an […]


Cost, Value of government

After the election, I asked “What’s a Free Election worth?” John Robb over at Global Guerrillas has a partial answer, which is what the 2nd intifada has cost both sides over 4 years: 10% of Israel’s GDP (roughly 2.5% of GDP per year), and a stunning 300% of GDP over 4 years for the Palestinians. […]



There’s a 3 page article in the Washington Post on phishing, the use of fake email and web sites to capture usernames and passwords. The phishers often target financial institutions. Marcus Sachs, a former White House cyber-security adviser and current director of the SANS Internet Storm Center, said marketing departments at many banks do not […]


Deworming the Internet

The always engaging Doug Barnes has a new paper out, “Deworming the Internet“. The paper is more interesting because Doug is technically and legally savvy. (Always a dangerous combination.) The paper evaluates regulations, markets, government intervention, litigation, and finally, a set of suggestions for what is most likely to work. It’s perhaps the most comprehensive […]


Secretly admired blogs

Discovered a bunch of friends’ blogs today: You Must Be Present to Win (Doug Barnes), Creative Destruction (Sameer), Evil Geniuses For A Better Tomorrow (Jim McCoy, from whom I stole the “Most Evil Genius” gag title I used while at Zero-Knowledge).


Stolen EFF docs at WIPO negotiations

The EFF is doing a great job trying to prevent bad law from being created at a global level. There’s a bizarre story of EFF docs being stolen and trashed to prevent their message getting out. Cory writes: We ended up posting a guard over the table — thanks to Rufus Pollock from the Campaign […]


Big mother is watching

Great cartoon at Ok/Cancel. [Update: The image doesn’t fit on a lot of browsers with my CSS so it’s now just a link.]


Security & Outsourcing

[Inland Revenue] learned a lesson after one incident, during the previous EDS contract, when its security department found out about cost-saving plans to shut a data centre and move sensitive information to a shared site only after an internal memo was circulated. Computing has a good basic article on security issues in outsourcing of IT […]


A Market for Journal Articles?

In A Market for Journal Articles, Alex Tabarrok refers to a paper by David Zetland on A Market for journal articles. Zetland suggests that journal publishers should buy manuscripts in an auction. You probably already have some objections: Where would the money come from? Why would journal editors buy what they can get for free? […]


The height of logic

“The question was, why do I support a strong dollar policy? The answer is because it is our policy,” [US Treasury secretary John] Snow said. “Our dollar policy remains unchanged because a strong dollar is in both the national and international interest.” He pledged to curb the US massive budget deficit – but said the […]


TSA's identity obsession

US Homeland Security undersecretary Asa Hutchinson said the current practice of airlines giving the names of passengers to US officials 15 minutes after take-off did not make sense. … “If we have to have information 60 or 45 minutes before, you’ve got to close off the passengers that come in at the last second,” he […]


Glad to be a perfect straight man

In his response to my comments on vulnerability hunting, Pete Lindstrom discusses four ways to make things better: (1) legislate/enforce the law, (2) buy exploits now and then, (3) create software security data sheets, (4) more honeypots. I don’t think that (1) actually helps. More laws against finding vulns make life harder for the good guys, by moving information […]


TSA ignores the public

As I and others predicted, the TSA has chosen to run roughshod over our concerns. Interestingly, they claim that we have implicitly consented to the data being used this way. That’s interesting, because in the comments which I sent to them, I explicitly stated that I don’t consent. (Search this document for the words “do […]


Comments on the TSA’s dissing of America

Thanks to Ed Hasbrouck for catching the TSA’s disdainful response to the American people. Quotes are from the TSA’s Notice of Final Order for Secure Flight Test Phase and Response to Public Comments. Because the document is apparently a scan of a printout, I can’t copy text, and thus chose which words I bother to […]


Blog changes

Thanks to Dave and Lisa, I’ve moved to a new host. Things may have unsettled during the move. We’ve also added a feature that closes comments after a bit, because old posts are getting nothing but blogspam.


A downside to data warehousing

A long story in the New York Times ends: Still, as Wal-Mart recently discovered, there can be such a thing as too much information. Six women brought a sex-discrimination lawsuit against the company in 2001 that was broadened this year to a class of about 1.6 million current and former female employees. Lawyers for the […]


How not to find vulnerabilities (2)

Pete Lindstrom has argued that we need to end the bug-hunt: Once evaluated, neither reason provides a good foundation for continuing the practice of vulnerability seeking, but it gets much worse when we consider the consequences. There is a rarely mentioned upside to all this bugfinding, which is that researchers use the exploit code to […]


How not to report vulnerabilities

This week Finjan announced that it has told Microsoft of 3, or 10, or maybe 19 issues with SP2. Robert Lemos at CNET writes: “We don’t want to argue with Microsoft about these things,” he said. “We found the 19 vulnerabilities, and we showed that you could take remote control of a computer.” However, Microsoft’s […]


Kaspersky Labs switches to a new naming scheme

Kaspersky Labs makes some of the best anti-virus software out there, as analyzed by the Virus Test Center at the University of Hamburg. They recently announced a new naming scheme. I’ve been thinking a lot about naming schemes recently, and I think this one could be better. Let me take it apart, and explain why. […]


Selling Security

The poll of IT network and security administrators in SMEs to determine how they persuade management to change security practice found that almost half of respondents admit to advocating the fear factor. Many respondents indicated that they have to present worst case scenarios involving confidentiality breaches, lost customers or liability charges to justify investments in […]


"An abundance of caution"

Hundreds of passengers were evacuated briefly Thursday from the main terminal at Dulles International Airport outside Washington after airport screeners thought a suspicious image on an X-ray monitor might be a gun. Screeners spotted the image about 4:40 p.m. EST Thursday and the terminal reopened about an hour later. Passengers went through security checkpoints again, […]


Mac 10.3.6

Macworld excerpts a very detailed analysis of the MacOS 10.3.6 update. It’s too bad that Apple chooses to give us a 22 item change description when they’ve changed upwards of 1,000 files.


Two on Risk

There’s a nice interview with Kathleen Hagerty over at CSO. She’s a finance professor, talking about risk. (Speaking of business school professors, work by Martin Loeb and Lawrence Gordon on the Economics of Information security investment is outstanding, and unfortunately, not online as an html or pdf file.) Second, I just got around to reading […]


WTO, Bastion of liberty?

Antigua and Barbuda have won a case at the World Trade Organization, claiming that US laws against internet gambling are a violation of the WTO rules.


More on 700 Arrests

Yesterday, I mentioned the 700 arrests [in the United States] in an attempt to deter terrorist activity. Also yesterday, several residents of The Hague violently objected when the police showed up to arrest them. This is a pattern in the arrest of Al Qaeda suspects: Some of them decide that shooting the police is the […]


DETER testbed

There’s a coalition of universities working on a security testbed, called DETER. It’s an excellent idea, and apparently, they’re up and running. I look forward to the output from the conference. I hope they’ll ensure that all papers are online and available to the public.


Rushed Security

Samablog, irked that Rush has stolen his joke, explains that you can get at all of Rush’s $7 a month content, just by turning off all the scripting stuff in your browser. He then goes on to say: “What it says that a celebrity of Limbaugh’s stature keeps his site so insecure, I don’t know.” […]


9th Circuit limits police privacy

The chief warned Anthony Johnson to point his video camera elsewhere, then wrestled the camera away and put Johnson in jail for recording communication without permission, court records say. … A 9th Circuit U.S. Court of Appeals panel last week reinstated Johnson’s suit, which had been thrown out by a federal magistrate in Tacoma, and […]


Easier to get forgiveness than permission

So when will the public be able to easily and cheaply adopt useful security technologies that cost next to nothing? Asks Nudecybot. And the answer is…NOW! Why wait? Generate some keys and use them!


"Better Than Nothing Security"

Eric Rescorla has a great post reporting from the IETF on the “Better Than Nothing Security BOF.” As I see it, this boils down to an understanding that paying for digital signatures is very expensive, while we’ve known for ten years that “keys are cheap.” (Thanks, Eric!) The SSH folks got this very right: You […]
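As an added example of the SSH model this post and the “Easier to get forgiveness than permission” entry above both point to (code written for this archive, not taken from Eric Rescorla’s post, the BOF, or OpenSSH): trust-on-first-use pinning of a host key, with no certification authority in the loop. The first connection is a leap of faith; every later connection is authenticated against the pinned key, and a changed key is refused rather than silently re-pinned. The host name `host.example` and the key bytes are constructed for the demonstration and are not a real key pair; the known_hosts parsing covers only the plain, unhashed `host keytype base64` line format.

```python
"""Trust-on-first-use (TOFU) host-key pinning, modelled on OpenSSH known_hosts.

Added example for this archive; not code from the posts, the IETF BOF or OpenSSH.
All key material below is constructed for illustration, not a real key pair.
"""
import base64
import hashlib


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length prefix, then the bytes."""
    return len(data).to_bytes(4, "big") + data


def ssh_ed25519_blob(pubkey: bytes) -> bytes:
    """Encode a 32-byte Ed25519 public key as an OpenSSH public-key blob.

    This is the structure OpenSSH base64-encodes in known_hosts: the algorithm
    name "ssh-ed25519" followed by the raw key, each as a length-prefixed string.
    """
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return _ssh_string(b"ssh-ed25519") + _ssh_string(pubkey)


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


class KnownHosts:
    """Pin each host's key the first time it is seen; refuse later changes.

    No certification authority is involved: the first sighting is a leap of
    faith, and every connection after that is checked against the pin.
    """

    def __init__(self) -> None:
        self._pins = {}  # host -> (key_type, key_blob)

    @classmethod
    def from_lines(cls, lines) -> "KnownHosts":
        """Parse the plain (unhashed) known_hosts format: host keytype base64."""
        kh = cls()
        for raw in lines:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            host, key_type, b64 = line.split()[:3]
            kh._pins[host] = (key_type, base64.b64decode(b64))
        return kh

    def to_lines(self) -> list:
        """Serialise the pins back into known_hosts lines."""
        return [f"{host} {key_type} {base64.b64encode(blob).decode('ascii')}"
                for host, (key_type, blob) in sorted(self._pins.items())]

    def check(self, host: str, key_type: str, key_blob: bytes) -> str:
        """Return 'new' (pinned now), 'ok' (matches pin) or 'mismatch' (refuse).

        A mismatch deliberately leaves the old pin in place: the caller must
        decide whether the host was re-keyed or the session is being intercepted.
        """
        pinned = self._pins.get(host)
        if pinned is None:
            self._pins[host] = (key_type, key_blob)
            return "new"
        if pinned == (key_type, key_blob):
            return "ok"
        return "mismatch"


def demo() -> list:
    """Three connections to a hypothetical host: first sight, repeat, key change."""
    kh = KnownHosts()
    genuine = ssh_ed25519_blob(bytes(range(32)))       # constructed key bytes
    impostor = ssh_ed25519_blob(bytes(range(32, 64)))  # constructed key bytes
    return [
        kh.check("host.example", "ssh-ed25519", genuine),
        kh.check("host.example", "ssh-ed25519", genuine),
        kh.check("host.example", "ssh-ed25519", impostor),
    ]


if __name__ == "__main__":
    print(demo())  # ['new', 'ok', 'mismatch']
    print(fingerprint(ssh_ed25519_blob(bytes(range(32)))))
```

The design choice worth noticing is in `check`: a key that differs from the pin is reported, never overwritten, because the client cannot tell a legitimate re-key from a man in the middle. That is exactly the cost of the “keys are cheap” trade: the first contact is unauthenticated, and out-of-band fingerprint comparison (or a signed key, where someone will pay for one) is what closes that gap.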


Vonage, FCC

U.S. regulators ruled Tuesday that providers of Internet-based phone call services fall under the jurisdiction of the federal government and cannot be regulated by states. … Vonage has been battling public utilities officials in Minnesota who want the company to register in the state as a telecommunications service, subjecting it to rate regulation and other […]


Garbage In…

There’s a post over at BoingBoing, laughing at some poor software transcription of Jabberwocky. Hello? What do you expect? The poem is full of nonsense words. If my speech recognition program started putting brillig and slithy toves in my text, I’d be pissed off. So of course it gets this wrong. C’mon, folks, you want […]


NC Voting Issues Could Lead To Special Election

“The bottom line that we have heard from the manufacturer is that these votes are not missing. They’re lost,” county commissioner-elect Tom Steepy said. “It’s very disheartening. It really is.” Damn right it is. Voting machines should produce paper ballots, or their CEOs should offer to commit seppuku over any failures. (From Carteret Voting […]


Chinese Flee Formal Banking

The friends often lend each other large amounts on the strength of a handshake and a handwritten i.o.u. Both sides then go to an automated teller machine or bank branch to transfer the money, which is then withdrawn from the bank. Or sometimes they do it the old-fashioned way: exchanging burlap sacks stuffed with cash. […]


700 arrests made to avert election terrorist attack

Jihad Watch points to an AP story: More than 700 people were arrested on immigration violations and thousands more subjected to FBI interviews in an intense government effort to avert a terrorist attack aimed at disrupting the election. As with past unrealized al Qaeda threats, law-enforcement officials said yesterday they don’t know for sure whether […]


Happy Berlin Wall Day!

We need more holidays that celebrate liberty. The fall of the Berlin Wall is as good a day as you can find. However, Wikipedia points out that: Some believe November 9 would have made a good German National Holiday, since November 9 is also the date of the declaration of the Weimar Republic in 1918. […]


Hamdan vs Rumsfeld

The only three facts that are necessary to my disposition of the petition for habeas corpus and of the cross-motion to dismiss are that Hamdan was captured in Afghanistan during hostilities after the 9/11 attacks, that he has asserted his entitlement to prisoner-of-war status under the Third Geneva Convention, and that the government has not […]


Richard Clarke says get over 'cyberterror'

Overuse of the term ‘cyber-terrorism’ is confusing board directors and preventing much needed investment in IT security, says former White House security advisor Richard Clarke. Now if we could just get rid of the term “cyber,” we’d be all set to have a mature discussion. (From VNUnet, via InfoSecNews.)


Computer Security and The Human Factor

Nudecybot has a thoughtful post on Computer security and the human factor. He takes a discussion we had, and organizes it well. He talks about airline safety vs computer safety, and how an anonymous reporting system has helped in the airline case. I think there are two bits that he misses that make the airline safety […]


Mac Trivia: Zero Byte resource error

You can probably skip this post. I wanted to blog it to help people with this problem solve it faster. It involves the Mac System update tool throwing up a dialog that says: A networking error has occurred: zero byte resource (-1014). Make sure you can connect to the Internet, then try again. [Update, 20 […]


Mac Trivia: Zero Byte resource error

You can probably skip this post. I wanted to blog it to help people with this problem solve it faster. It involves the Mac System update tool throwing up a dialog that says: A networking error has occurred: zero byte resource (-1014). Make sure you can connect to the Internet, then try again. I was […]


Corporate governance goals impossible

There’s a fascinating article in the Register about the impact of new rules: In some cases, the law has made IT managers legally responsible for adherence to corporate governance rules. Colao says that this may not necessarily be a good thing. “CIOs are now relying on convoluted processes rather than using sound business judgement based […]


Corporate governance goals impossible (II)

Further quoting from that same article in the Register about the impact of new rules: Business managers becoming fed up with FUD In a separate study, more than a third of the 30 delegates to the Axis Action Forum admitted that their Board had never asked for an update on security or implications of security […]


New Software

Thanks to our industrious sysadmin, we have a new rev of MT in place. It’s much more aggressive about weeding comments, so what you say won’t show up instantly. If your real comment doesn’t show up, please drop me a note. And please, do leave comments. Even if it’s against your better judgement. (Yes, I’m […]


Al Qaeda's use of cryptography – scant evidence

Not too long ago, I gave a talk on privacy technology to the Atlanta chapter of the High Tech Crime Investigators Association. It was a talk that several of us at Zero-Knowledge had learned to give. The basic method for talking to police about privacy is to start from the need to reduce and prevent […]


"Good thing there's a monopoly"

“Unionized employees at the SAQ are launching a four day strike that will shut down Quebec liquor board stores for the weekend.” Says the Montreal CBC site. The SAQ is Quebec’s government owned liquor monopoly. Non-SAQ stores can sell only bad wine and some beer. (No, really, there’s a list of approved wines that others […]


More maps

Bigpicture has put up 11 map links, some of which are very cool. I really like the parallel maps of 2000 vs 2004. (If you use Safari, with its transparent drag, you can produce your own overlay maps!) I also like the county-by-county maps, they’re elegant. Not so good is the chartjunk map from the […]


Return Addresses

Canada Post has apparently told the world that they’ll only deliver mail with a return address. This is clearly silly; phone books are full of valid return addresses for your city. Over at StupidSecurity, nrh asks: Part of the reason I delayed was that I was trying to find out if this was even legal. […]


Obfuscated Voting Redux

No, not the elections, silly, the contest! And now the results are up, and it seems that Michal Zalewski is in the lead.


British Petition

There’s a petition to stop ID cards in the U.K. Alas, there’s nowhere for residents of Clark county, Ohio, to express opinions. (Via Steve at Fractalus.)


Microsoft pre-warning of patches

[Microsoft] will publish a general summary of planned security bulletin releases three business days before each regularly scheduled monthly bulletin release… The advance notifications will include the number of bulletins that might be released, the anticipated severity ratings, and the products that might be affected. This has been available to select customers for a while. […]


Morris Worm is Sweet 16

Sixteen years ago, the first worm spread across the Internet. It used password cracking, a buffer overflow in fingerd, and a flaw in sendmail to spread. At least today, sendmail seems more secure. Passwords and buffer overflows, check back in sixteen more.


Symposium on Usable Privacy and Security (CFP)

The Symposium on Usable Privacy and Security (SOUPS) will be held July 6-8, 2005 at Carnegie Mellon University in Pittsburgh, PA. This symposium will bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy. The program will feature refereed papers, tutorials, a poster session, panels and invited talks, and […]


"Stop … Hurting … America"

Sure, the Electoral college is mostly winner-take-all, but America isn’t. The “red/blue” divide nonsense on TV is all about polarizing the country. See the map bigger here. It’s like Jon Stewart said to the boys at Crossfire: Stop hurting America. (Via BoingBoing.)


No Right To Be Free of Airport Searches?

Ed Hasbrouck writes: For the first time ever, lawyers for the USA Transportation Security Administration (TSA) will appear in court tomorrow in Seattle to try to defend their (still largely secret) procedures for the compilation and use by the TSA, law enforcement agencies, and airlines of “No-Fly” and “selectee” watch lists. … I got word […]


Liberties Eroded

On three occasions over the past five months, Tubiana said, outside judges assigned to review the vendor’s case have set deadlines for investigating magistrates to either indict or release him. The deadlines have passed, but his client remains locked up, court documents show. “There is in fact no control” over these magistrates, he said. “They […]


Reliability and Security

However, Engler thinks the security explanation should be taken with a grain of salt. His research in the late 1990s aimed to improve the reliability of software. Security analysis was part of the story, he says, but “basically, we just didn’t want stuff to crash.” (writes Jon Udell in Infoworld.) But Crispin Cowan has a […]


What's a Free Election worth?

As we go into the 54th Presidential elections under the US Constitution, two things, possibly related, have struck me. The first is the elections in Afghanistan. Millions of people ignored threats and went out to vote. Millions of them were women, given a say in their country’s government for the first time. The other […]


"I am searching for the truth as long as I can"

I recently blogged about Ted Taylor, and the book he inspired. He passed away recently: Thirty-one years ago, The New Yorker published a profile of nuclear weapon designer Ted Taylor, written by John McPhee. Published in book form as “The Curve of Binding Energy,” this was the first time the prospect of nuclear terrorism was […]


Rehnquist's Health

The announcement suggests that Rehnquist is suffering from anaplastic thyroid cancer, a rare and aggressive form of the disease, said Herman Kattlove, an oncologist and medical editor for the American Cancer Society. The anaplastic variety is the only type of thyroid cancer that is treated with chemotherapy. “It’s not treatable by surgery, only by chemotherapy […]


Hello? Earth to Justice Dept…

The New York Times reports: Lawyers for many of the detainees, including the ones named in the Supreme Court ruling, say the Bush administration is purposely ignoring the justices’ mandate and stalling. They cite the government’s refusal to acknowledge that detainees are entitled to free access to lawyers to make their cases before federal judges. […]


Enblogment, bias

Larry Lessig and Dave Winer have the very clever idea of a polling site based on blog links and click-throughs: [Lessig] wrote an impassioned essay about the Presidential election of 2004, and he wanted to tell people who agreed with his choice to click on a link to express their support. And if they really […]


Canadian Privacy Law again

Last week, I commented on Michael Geist’s column. In part 2, he took an excellent direction. He suggests not only economics, but a legal structure that forbids Canadian companies’ compliance with US orders. Read it.


Privacy Protectionism

This month the B.C. government passed a law to prevent the U.S. from examining information on British Columbians that is in possession of private U.S. companies. The CBC reports on information about Canadians being sent to the US for processing, and the attendant legal risks. In Canada, they have strong-sounding data-protection laws that they don’t […]


Paranoia is rampant

Neither, of course, is true. But these rumors testify to one of the most distinguishing — and disturbing — aspects about this election: Paranoia is rampant. “I haven’t seen an election in which more people are worried about what’s going to happen to them on Election Day,” said Herb Asher, an Ohio State University political […]


Ian Grigg on SSL

Ian Grigg has a great page on the SSL industry (really the “certification authority” industry.) Worth reading. The topic reminds me of an essay, I think from Nick Szabo, on the use of language and terminology within the security industry to distort thinking. (The bit I remember discussed the use of “certification authorities,” self-declared.) I’m […]


Regulate that Arbitrage!

An update on the Americans Stream to Canada For Flu Shots story: In eight days 3,800 people have jumped on the ship and paid their $105. Victoria Clipper’s Managing Director said the company had not expected there would be such a massive take up. The company says the day trips still continue, but the number […]


Canadian Charter of Rights And Freedoms

So let me get this straight… Quebec Court Judge Danielle Cote handed down a 153-page ruling that found two sections of the federal Radiocommunication Act violate the Canadian Charter of Rights and Freedoms. … Cote extended a grace period of one year before her ruling would come into effect. So the law is a violation […]


Canadian Charter, II

It seems a bizarre right to be allowed to watch TV, but not say insensitive things. (It’s sad that the car dealer felt ok insulting customers and turning away business. It’s sadder that the courts are intervening where the right answer would be more speech, publicizing intolerance and shaming the dealer.)


Johnnie Thomas again

On one occasion [Johnnie Thomas] was told that she had graduated to the exalted status labeled, ‘Not allowed to fly.’ She discovered that there was no method available for having ‘her’ name removed from the DNFL; indeed, one person from her local FBI office dismissively told her to hire a lawyer (although ironically, he refused […]


Online Extortion

There’s a long article by Joseph Menn in the LATimes about online extortion via DDOS attacks, and how much money it brings in. (Use Bugmenot for a login.) The threat involved massive denial of service attacks on a gambling site, using thousands of “zombie” computers sending data to the site. It’s not clear how clever […]


Amazon (3 Comments on SteveC)

Something about a post by Steve got to me… Whenever amazon comes up in conversation I tell people how particularly behind they are but I don’t think I get the point across. Who does better? I find that it always works better to say who does well, rather than who does poorly. Let people figure […]


"Getting nothing wrong is for the uninspired"

Nat has a typically insightful post inspired by Muine, a radical re-think of what a music player on your computer should do. Why would those things be there? Because every other music app has those features, and if you’re building a music tool, you’ve got to have them too. Only, somehow, you’ve got to do […]


Bejtlich on Intrusion Data

Richard Bejtlich posts on “Will Compromises at Universities Aid Security Research?: Several recent events may give security researchers the data they need. For example, UC Berkeley suffered an intrusion on 1 Aug 04 which jeopardized a database containing names, addresses, telephone and Social Security numbers collected by the California Department of Social Services (CDSS). According […]


Common Criteria

Statistics gleaned from the labs’ Common Criteria work indicate that the testing is improving security, said Jean Schaffer, director of NIAP. Schaffer spoke during a session at a Federal Information Assurance Conference held this week at the University of Maryland. So far, 100 percent of the products evaluated have been approved, she said. The testing […]


DHS Inspector Report

According to a new report from the Department of Homeland Security’s inspector general, airport screeners still Need Improvement. That will not come as a surprise to anyone who travels, but some of the details, as reported by A.P., are still disturbing: -Screeners aren’t tested on when they should pat down passengers and what the passengers’ […]


"Americans stream to Canada for flu shots"

With a US shortage caused by contaminated vaccine and flu season approaching, business has been brisk at Canadian clinics and doctors’ offices along the border from British Columbia to as far east as New Brunswick. A Canadian Internet pharmacy is working with a half-dozen physicians in Montreal to offer weekend flu-shot tours to New Yorkers. […]


Piscitello on Bugtraq

My frustration level with bug-traq increases in direct proportion to the frequency at which wannabes report vulnerabilities on software that has limited consumption and little business on a business network. I finally contacted some of the wannabes. I probed each for more specifics than the original bug disclosure: I think that Dave has a valid […]


Query Address

The Little Brother’s Database, an addressbook program, includes a tool, ABQuery, that allows you to look inside the Mac’s address book from the command line. (Via


IPod, so?

Apple announced a new iPod that shows pictures. What I want to know is, where’s the 8-in-1 media reader to take photos directly from your camera?


Howard Stern vs. Michael Powell

Michael Powell was on the Ronn Owens show. 15 minutes into the show, Howard Stern calls in. Listen here. As Sama says, Stern is an unfortunate advocate for free speech. But it’s nice to hear someone directly challenge America’s censor. (Via BoingBoing.)


The Curve of Binding Energy

Is the story of Ted Taylor, one of the cleverest of the very clever men who designed nuclear bombs. He designed the largest bomb ever set off by the US, and the smallest. He once used a nuclear bomb to light a cigarette. And in the early 1970s, he was very concerned that terrorists could […]


Sixth Circuit Reverses Lexmark

One of the worst bits of law to come out of the Clinton years was the “Digital Millennium Copyright Act,” (DMCA). The law made it a crime to break any copy protection scheme, even if the data it was protecting was subject to some form of fair use. The law had lots of nasty chilling […]


Some explosives links

But the real issue is that the explosives can be used against civilians and soldiers in Iraq and around the world. Consider that only five grams of RDX, for example, is enough to kill a person when used in an anti-personnel land mine. When 1,000 pounds of explosives were set off by a suicide bomber […]


Mistakes, Incompetence, and Coverup Beyond Fevered Imaginings

Michael Froomkin has a long post on the 350 tons of stolen high explosives, which I’m excerpting at length: If all that matters is our safety and security, then today’s news makes it clear beyond peradventure that the Bush administration is horribly dangerous to our national security. Josh Marshall’s blog today runs an extensive quote […]


Marginal Revolution: Democracy: Theory and Practice

Steven Landsburg makes a very entertaining point about democracy: …It is worth observing that if you really believe in democracy, and if the election is close, then it doesn’t much matter who wins. The theory of democracy (stripped down to bare essentials, and omitting all sorts of caveats that I could list but won’t) is […]


The Security/Security Tradeoff

People trying to infringe our privacy often claim that they’re making a tradeoff between security and privacy. Sometimes they’re even right. But I think today, we’re trading security for “security,” giving up real protection for an illusion. For example, the TSA is spending lots of money to build and connect databases all about travelers. For […]


I wonder what this means?

I’m trying to submit my comments on Secure Flight. When I try to upload my file to, I’m told: An error occured while attempting to upload your comment [Microsoft][ODBC driver for Oracle][Oracle]ORA-01401: inserted value too large for column I’ve submitted a request for help via the provided link.


TSA Wastes More of Your Money

WASHINGTON — The Transportation Security Administration was lax in overseeing a $1.2 billion contract to install and maintain explosives-detection machines at U.S. airports, resulting in excess profit of about $49 million for Boeing Co., a Department of Homeland Security review found. (From a Wall St Journal article, October 19th. Sorry, subscriber-only link.)


Nielsen on Security

Jacob Nielsen has a very good analysis of security, followed by a not-so-great set of suggestions. He is spot on in saying that 1) it doesn’t work, 2) it puts the burden in the wrong place, and 3) this has nasty side effects. (I’d reverse 1 & 2, as the economics predict #1, but that’s […]


Mac "Virus"

There’s an alarmist headline at MacSlash about a new mac virus. It’s been picked up in a bunch of places. The commenters correctly identify it as a rootkit, not a virus. A rootkit is a program you install, after breaking in, to hide your tracks. It’s not even a sophisticated rootkit. It’s stunningly primitive. Reading […]


Organization in the way: how decentralization hobbles …

Another interesting article from Peter Merholz closes with: Until now, user experience efforts have been focused on building teams that practice user-centered design (UCD). However, researchers at User Interface Engineering recently discovered that the size of an organization’s UCD practice is somewhat inversely proportional to the site’s usability. You read that right: Companies that invest […]


"Metadata for the masses"

In “Metadata for the masses,” Peter Merholz presents an interesting idea, which is to build a classification scheme from free-form data that users apply. He points to Flickr’s “Cameraphone” category, which would probably not exist if there was only a pull-down list. He also points up problems: Many categories for one thing (nyc, NewYork, NewYorkCity), one […]


What a Great Review

NudeCybot sent me a link to an interesting looking book on “Sorting Things Out.” I found this review resonated with how I often feel reading academic work: This tragic book is full of important ideas and significant research, but it’s so poorly written you hardly notice. Other reviews kindly describe its style as “academic,” but […]


2-Fingerprint Border ID System Called Inadequate (

Rep. Jim Turner (D-Tex.) wrote that a study by researchers at Stanford University concluded the two-finger system “is no more than 53 percent effective in matching fingerprints with poor image quality against the government’s biometric terrorist watch-list.” Turner said the system falls far short of keeping the country secure. It’s not clear to me why […]


Efficient Markets and Prediction

In a post below, I quoted my friend Craig commenting on the differences between election sites and the IEM. Steven Landsburg had previously commented privately that IEM together with TradeSports is inefficient. By playing one against the other you could make money on either likely outcome of the election. So, if these markets were efficient, […]


Security Signaling

Signaling is a term from the study of lemons markets. A lemons market is a market, such as in used cars, where one party (the seller) knows more than the buyer. There are good cars (peaches) and bad ones (lemons). The buyer is willing to pay a fair price, but can’t distinguish between the cars. […]


Notational Velocity

Andrew Stewart pointed me to Notational Velocity, an interesting little note taking app. It’s a little disconcerting at first, because you only have one note area, and the way to create a new note is to just overwrite the old title. (There’s a menu item to rename something.) But worth checking out if you’re a […]


"Television cameras captured the moment the Cuban leader fell"

Unfortunately, the BBC is simply reporting on him falling over, not on his 45 year dictatorship being toppled, the Cuban people gaining a measure of self-determination, or the freedom to speak one’s mind: A few blocks away, a 27-year-old man who didn’t want to give his real name, had some advice for the only president […]


Secondary Screening: JetBlue FOIAs

Ryan Singel has a long and worthwhile post at Secondary Screening on the JetBlue FOIAs. I have only one thing to add, which is that his closing line somewhat misses the mark: But this issue is not going away as there is at least one report coming out soon that will further complicate the debate […]


The Tree of Life, COI-ly

The September 30th issue of the Economist points to an article in PLoS Biology by Hebert et al., discussing a new technique for identifying species. The technique relies on the mitochondrial gene for cytochrome c oxidase I (COI), which is a 648 pair gene. [1] This technique helps settle the question of “Is Astraptes fulgerator […]


So Cynical, I Wish I'd Thought of It.

My friend Craig Sauer wrote: In the spirit of the equal time, here’s what’s keeping me from being optimistic about Kerry’s chances: The Iowa Electronic Markets. You’ll have to read on the site to get the real skinny, but basically, the IEM is a real-money futures market where people make informed “bets” about who is […]


Hackers sabotage Waikato (NZ) food company

Computer hackers have emailed 3000 of the company’s customers, saying a company product – lamb chips – are being recalled due to an infectious agent, and the warning has since been posted on internet message boards. Sad as it is for Erik Arndt and Aria Farm that this has happened, I think this is interesting […]


"What your CEO thinks about security"

Larry Ponemon writes: Unfortunately, CEOs have persisted in focusing on four basic questions that too often stump the most savvy IT professionals: What is the security return on investment? What is the probability of a catastrophic security failure? What is the cost of self-insuring against security risks? What are the tangible benefits of being an […]


Neal Stephenson at /.

In order to set her straight, I had to let her know that the reason she’d never heard of me was because I was famous. … Mind you, much of the authority and seniority in that world is benevolent, or at least well-intentioned. If you are trying to become a writer by taking expensive classes […]


Powerpoint, usability

I’ve put slides and a pdf from a talk yesterday on my homepage. Making pdf is easy on the mac, making html less so. Since this is the web, I’d like to put up html of the slides, and I think that the HTML that PPT produces is poor. In particular, I’d like smaller files, […]


Must … extend … grasp!

Each aircraft operation … with a MTOW of more than 12,500 pounds, must conduct a search of the aircraft before departure and screen passengers, crew members and other persons, and all accessible property before boarding in accordance with security standards and procedures approved by TSA. … [Separately, charter aircraft run as clubs…] These clubs transport […]


Thoughts on SB 1386

Looking for a link to SB 1386, I noticed that of the first 10 Google hits, 2 are legislative, 2 are law firms, 3 are information security portals, and 3 are for security companies. Three of the security companies, (Verisign, Threatfocus and Watchfire) are simply adding “SB 1386” to existing products, and claiming to provide […]


1.4 Million Californians Exposed

A computer hacker accessed names and Social Security numbers of about 1.4 million Californians after breaking into a University of California, Berkeley, computer system in perhaps the worst attack of its kind ever suffered by the school, officials said Tuesday. (This is all over the web, I found a version at A few questions […]


"I do not approve"

Alex Tabarrok writes: The headline in the Washington Post yesterday read “FDA Approves Artificial Heart for Those Awaiting Transplant.” The language annoys me – it sounds as if the FDA gave a Good Housekeeping Seal of Approval to the artificial heart. Consider how much clearer the tradeoffs of medical policy would be if instead the […]


Polite Technology

Michael Froomkin points to Wired’s article Inventor Rejoices as TVs Go Dark, which is enough to make me want a TV-B-Gone. It fits on your keychain, “looks like an automobile remote, has just one button. When activated, it spends over a minute flashing out 209 different codes to turn off televisions, the most popular brands first.” […]


Canadian Privacy Law

Michael Geist’s recent … Toronto Star Law Bytes column focuses on a recent Canadian privacy finding involving an inadvertent email disclosure. The column contrasts the finding with a similar incident in the United States and argues that for Canadian privacy law to garner the respect it needs to achieve widespread compliance, the Privacy Commissioner’s office […]


$103 Million

To date, the government has wasted over $100 million in a flawed effort to improve airport security by identifying passengers and, well, doing something to the naughty ones. Meanwhile, the reality is that airport screeners continue to miss items like knives, guns and bombs. Meanwhile, there’s lots of good work in computer vision systems, which […]


Security and Economics

Household Finance, a unit of HSBC, has sent me a $5,000 check out of the blue. Big verbiage on the front indicates that “Signing this check will result in a loan…” at 23%, which over 5 years comes to an estimated $3,500 in finance charges. Most attractive. Now, ignoring Household’s record of fraud, and ignoring […]


Unsecure Flight, Because TSA is Asking For It

The ever-energetic Bill Scannell has set up for you to politely but forcefully register your comments with the TSA on what they’re doing to our privacy. Why use Unsecure Flight over the TSA’s site? It’s easier! There is a public record of your comment, the TSA can’t silently discard it. There’s a plethora of […]


OMB, TSA asking for it.

Ed Hasbrouck points out that Public comments are open through Monday, 25 October 2004, on the Secure Flight airline passenger identification, selection, and surveillance system proposed by the USA Transportation Security Administration (TSA) and its Office of National Risk Assessment (ONRA). My draft comments are here, and I’d love feedback before sending them. [Update: Fixed […]


More on Patches & EULAs

In a comment below, Nudecybot mentions Mark Rasch’s “You Need A Cyber-Lawyer” article in Wired News. I don’t buy this line of reasoning. Making a decent auto-lawyer requires being able to parse legalese, which is a hard problem. Now, legalese is a subset of English, so you might think that the weather parsers, or similar […]


Why Profiling Won't Work

WVLT VOLUNTEER TV Knoxville, TN reports: “Accused Domestic Terrorist Arrested In Knox County.” According to the criminal complaint, the FBI says that Ivan Braden was planning to enter this Armory Friday, armed with guns and bombs. … The feds say the former 278th soldier planned to take people hostage at the Lenoir City Armory and […]


Obfuscated Voting Contest

There’s a long running contest to write C code that’s hard to understand. Daniel Horn has taken it one step further–the goal is to write a program that looks right, but actually produces bogus counts in one of several ways. It’s brilliant!


Good News from the Courts

“We cannot simply suspend or restrict civil liberties until the War of Terror is over, because the War on Terror is unlikely ever to be truly over,” Judge Gerald Tjoflat wrote for the panel. “Sept. 11, 2001, already a day of immeasurable tragedy, cannot be the day liberty perished in this country.” A three judge […]


Tied With Alec M.

This site has a Wankometer rating of .58, which is exactly the same level that Alec Muffet got. The white house (1.40) is apparently more wanky than the BBC, but less wanky than Sun. The George Bush and John Kerry for President sites score .63 and 1.83, respectively. I can’t believe Alec is nearly as […]


Bush's Certainty

A few days ago, I commented on Bush’s lack of self doubt. Now Ron Suskind takes on the theme in a 10 page article in The New York Times, entitled “Without A Doubt.”


Google's Imperfections

The ever-entertaining Nat talks about Google’s desktop search (for Windows), and says “Google shocked the world by releasing something highly imperfect.” Really? Google’s been imperfect a lot lately. Have you tried using Gmail with Safari? It pops up three windows every time you click a link. Orkut? Bad server, no donut. (Actually, the issues seem […]


Google and "Privacy"

There’s a critique of Google’s new Desktop Search that it…wait for it…searches your computer! No, really, it does. And so it finds things that are … on your computer! Some of these things, like your email, your spouse’s email, your IM logs, which Microsoft hides from other users, are exposed. This is probably a bad […]


RFID passport data won’t be encrypted

Ed Hasbrouck, who in a more perfect world would be paid to be the TSA’s chief privacy officer, writes RFID passport data won’t be encrypted: So an identity thief, using only the data secretly and remotely obtainable from your passport, will be able — without ever having actually seen you or your passport — to […]


Counter-point On ID Cards

The always insightful Michael Froomkin has an article called The Uneasy Case For National ID Cards, which I wanted to link to earlier. I don’t like his arguments, being a believer that privacy invasion is a slippery slope. I expect that laws put in place to protect privacy around a national ID card will be […]


John Gilmore, you have a fan

I was flying home recently from a very quick jaunt out to do a customer install. I went to the back of the plane to stretch, and noticed that (horror of horrors) there were people congregating and talking! Fortunately, they were white Americans, so they weren’t scary. Anyway, I got to talking with them, and […]


Social Software

Chris Allen has a typically long, thoughtful essay on the history of social software, going back to Vannevar Bush and Memex. I think one of the more interesting transformations was that of collaboration to introduction, with services like LinkedIn or Spoke trying to add practical applications to Milgram’s work on connectedness, and I’m surprised that […]


Patches & EULAs

Security patches should not have licenses. There’s no fair re-negotiation under threat. If I bought your software, and am using it, then you find a bug, you should not be allowed to put new terms on the software in order for me to be safe using it. Imagine a hotel which lost a master key […]


Department of Justice to Focus On Key Problems!

Attorney General John Ashcroft has announced a major new effort to crack down on intellectual property theft, by which he apparently means illegally-copied DVDs, CDs, and software. (I refuse to use the term piracy to refer to illegal copying. Piracy is the violent boarding and theft of property on ships, and is a major problem […]


Financial Cryptography: The Medici Effect

Gramme has a long interview with the author of the Medici Effect over at Financial Cryptography. The book focuses on how the Medicis helped drive the Renaissance by bringing together a slew of people from different cultures and backgrounds. Far too often people become narrowly focused on issues that their peers agree are important. They […]


Perverse Cooperation

A new technique has won the 20th anniversary competition in iterated prisoner’s dilemma. The technique involves a sequence of moves designed to signal other players that they are competing with one of the great many other Southampton university submissions. When they discover that, one entry will self-sacrifice such that the other can rack up a […]


Perverse Incentives

“It’s O.K. to spend $85 on a hotel, $15 for parking and another $15 for breakfast, but if you spend $90 for a hotel where parking and breakfast are included, you’re over budget,” he said. “And it’s O.K. to drive 400 miles in your own car and to get reimbursed at 34 cents per mile, […]


"A Sign Of The Times?"

A woman said she drove home to San Diego from Denver rather than submit to what she viewed as an intrusive search by airport security screeners. Ava Kingsford, 36, of San Diego said she was flagged down for a pat-down search at Denver International Airport last month as she prepared to board a flight home […]


Federal Anti-terror Money Well Spent

Ok, you know I’m being sarcastic with the title. The New York Times titles its article “Security Grants Still Streaming To Rural States.” And the message is politics remains more important than ensuring that those cities likely to be hit next are well prepared. The article goes on to cite politics as usual as the […]



So it seems that Apple installs /bin/ps setuid root. (Scare #1). It seems also that the last bits emitted by a ‘strings /bin/ps’ is J8 RUSITH? . I have no idea what that is or what it means, but I think it belongs on a t-shirt. (Thanks to Dave and Ted for validating those for […]


Bush, Socrates, and Information Security

“Wherein links between a number of disparate ideas are put forth for the amusement of our readers” Orcinus talks about one of Bush’s answers to a question in last night’s debate.* (I thought Bush did surprisingly well, but think that Kerry still came out slightly ahead. Both, depressingly, still want to spend my money on […]


Secondary Screening

Ryan Singel has a couple of good posts up: Why Privacy Laws and Advocates Matter and Trusty Logo Not Worth The Pixels It Is Printed On. The latter explains in detail what economics predicts: Trusty won’t shaft its paying customers to make them actually enforce privacy policies, when people who rely on the trusty seal […]


Afghan Elections

The elections in Afghanistan have apparently gone off with fewer problems than expected, which is outstanding. (And hey, the ink I mentioned to Sama makes an appearance!) I am slightly worried by a line in The New York Times article, “International organizations, which spent $200 million to finance the election, indicated that they had […]



I listen to a lot of music. When I visit friends, I often invite them to drop random discs they think I’d like into iTunes for a rip. Combine that with my cd habit (“I can quit anytime!”), and I have a fair bit of music that I don’t recognize quickly. So I just found […]


Want to Save American Lives?

Do you want to save American lives? Stop senseless deaths? Here’s some ideas: Require real driver training, and enforce traffic laws. Ration the sale of alcohol to prevent the nasty diseases over-indulgence causes. Ban tobacco. Ban firearms. Require calisthenics in the morning, by neighborhood, and in the afternoon, at work. Ban the use of corn […]


Can Prayers Heal?

There’s an article in today’s The New York Times asking, Can Prayers Heal? (Critics Say Studies Go Past Science’s Reach). The article talks about a number of studies that apparently show a correlation between being prayed for and better medical results. The article also talks about how flawed some of the studies are, once you […]


Apple Security UI

I just got a fascinating email. No, not really. It was a simple little email, from someone who’s being very helpful on a project that I’ll speak of in excruciating detail later. What was fascinating about it was that it was PKCS 7 signed, and Apple’s told me so. It told me so with […]


ACLU vs. Ashcroft

The ACLU has made the TSA explain to the American people some subset of the faulty reasoning, faulty processes, and broken systems behind the so-called “No fly” lists, which have now snared, along with Johnnie Thomas and David Nelson (all of them), 3 members of Congress. Read the articles, Faulty ‘No-Fly’ System Detailed (Washington Post) […]


The FBI and Library Subpoenas

Orin Kerr discusses (deep breath!) Michael Froomkin links (via Proof Through the Night) to this story from a Seattle TV station about a local library that has fought off an FBI subpoena for a list of names and addresses of who took out a book on Osama bin Laden. Kerr does a good job of […]


Virginia Misses Point, Over-reacts

In response to 9 hijackers getting fraudulently issued ID cards from the state DMV, Virginia is considering issuing harder-to-fake ID cards that will broadcast your identity. As long as the value of an id card keeps going up, the reward for breaking the system will go up as well. If you want to rely on […]


Use Blogger, Be Ignored

Every now and then, I come across a blog I want to skim regularly. When it’s easy to do so, I add it to my list. Which is to say I drop the RSS feed at NetNewswire, and I then at least see the headlines. Blogspot/Blogger doesn’t make it easy to add RSS to your […]


How Banning Wireless Reduces Security

IDC’s research director, Lars Vestergaard, said their research found interest by businesses in WLAN usage was widespread, but not many of them were particularly interested. “Unfortunately IT managers are being uncertain about using this technology, but they use a lot of bad excuses,” he said. “This is because they often fear a lack of security […]


Electronic Voting Machines Will Destroy American Democracy

If you somehow missed it, AP released a “test article” claiming Bush had won re-election. BoingBoing has the story, and screen captures of a web site that carried it. We all know that computers don’t make mistakes, and that software is bug-free. More seriously, we need to take a lesson from Florida, and understand that […]


Taxonomic Software

A small window into a large world, with its own software: biological software, including DELTA, a DEscription Language for TAxonomy, database software, ecology software, morphometric, paleontologic, and phylogenetics software. (Hey, I need a taxonomy just to keep the breakdowns straight!) Or DMOZ has a page, but it doesn’t seem as comprehensive. What I want to […]



Biological taxonomy is not fixed, and opinions about the correct status of taxa at all levels, and their correct placement, are constantly revised as a result of new research, and many aspects of classification will always remain a matter of judgement. The ITIS database is updated to take account of new research as it becomes […], the story

As anyone who takes advice from the Vice President now knows, he didn’t really mean to tell you to go to, but, whose article still doesn’t fully support his point. This little glitch lead the owners of, a small site that lists sellers of dictionaries and encyclopedias, to suffer a massive denial […]


Editing MacOS X menus

There are useful instructions here as to how to add a “Paste as Plaintext” option to iChat. If you’re reasonably technical, you can go off and do all sorts of neat stuff here.


Cool maps

Christopher Allen has a cool post about a map mash up, along with some analysis of what makes it work.


Calls for Papers

There’s a set of interesting conferences looking for papers: Privacy Enhancing Technologies, Economics of Information Security, and Codecon. [update: closed html list tag]


Ranum on the root of the problem

Marcus Ranum writes a good article for ACM Queue, in which he points out that better tools to improve languages can help. I take issue with his claim that better languages can’t help. Java, because of its string representation, is harder to mess up with than C. It’s not perfect, and no useful language can […]


Economics of Information Security

Jean Camp and Stephen Lewis have done a great job of bringing together papers on Economics of Information Security in a new volume from Kluwer Academic press. (It’s even better because it has my first book chapter, which is What Price Privacy, joint work with Paul Syverson. We’ll put it online as soon as the […]


Schneier blogging

Bruce Schneier has a blog:


How about "Align with the business?"

I normally have a lot of respect for CIO Magazine. Their journalists cover the topics that matter to CIOs, they remain focused on how to make the technology support the business, etc. That’s why I was surprised to see this CIO’s Guide To Safe Computing, which starts: Ellyn believes that companies should strive for a […]


0wned in 60 seconds

0:56 – A student system in Founders scanned victim on TCP port 445 (file sharing). Victim responded. Student system immediately closed connection and opened a new connection on victim port 445. Following LAN Manager protocol negotiation and MS/DCE RPC Bind, student system attacked victim with buffer overflow to exploit Microsoft LSASS vulnerability. Less than 60 […]


"What's The Cybersecurity Czar's Job?"

But while we consider whether the position should be upgraded, we should also ask what the cybersecurity czar should be doing in the first place. says Ed Felten, and he’s right. He suggests two main jobs: Securing the fed’s infrastructures (and in doing so, pulling for more secure product), and imposing liability rules. Ed correctly […]


Spaceship One Lands!

Watching the NASA video, SpaceshipOne just won the X-Prize, having made space twice in under 14 days. Congratulations to Burt Rutan and his whole team.


Cherishing the Customer, Redmond Style

My 12-year-old at home doesn’t want to hear that he can’t put all the music that he wants in all of the places that he would like … says Steve Ballmer. It’s good to see Microsoft, like the health care industry, catering to people other than end-users. If they were as smart collectively as they […]


Cool Mac Utility

That said: my home directory is now encrypted which should make any further hardware maintenance a doddle (no more erase/flood before mailing) and I’ve blown-away the old UFS partition which although useful was tying up a few too many Gb. Alas the rebuild doesn’t seem to have fixed the lack-of-sleep-on-lid-closure problem. One more for Applecare. […]


Why Is Private Health Insurance Such A Disaster?

Why cannot markets allocate this function to the least cost decider? Why does the usual solution — intermediation — appear to be working so badly? Asks Tyler Cowen over at Marginal Revolution. I believe that a large part of the problem comes from a side effect of the employer subsidy. Because health insurers are selling […]


More on Amit Yoran

The House will propose moving cybersecurity offices from the Department of Homeland Security to the White House as part of the intelligence reorganization, according to draft legislation obtained Wednesday by The Associated Press. The bill, expected to be introduced Thursday, would place cybersecurity into the White House budget office. … The new proposal would create […]


The Blog That Broke the Bank of England

You have to respect a man who can take on a central bank and win. The Motley Fool did a nice bio piece with background. And now, he’s blogging. [Update: Oops! Via BoingBoing]


Secondary Screening

Ryan Singel has a great post on the watch lists, and the keystone-cops fumbling behind the scenes.


A Million Deaths Is A Statistic

Matt Cordes modified the Zombie simulators to give humans a chance to fight back. It’s fascinating, because with some small mods to the source, you get a much more interesting simulation. (Unfortunately, I don’t see Matt’s source anywhere, so I can’t say how long it might have taken.) The simulation makes viscerally clear how chains […]


Shaun of the Dead

I saw the excellent Shaun of The Dead last night. (Or see Quicktime trailers or the official site. Or heck, just buy it from where it’s already available on DVD, but only if you have a free-world DVD player. Ok, really this post is an excuse to link to the Zombie Infection Simulation in […]


That settles it

One of the best signs that things are going down the tubes is that officialdom tries to control information flow. I now know that things in Iraq are officially going to hell, because the security situation is bad enough that they’re trying to prevent people from learning about it. Kroll, a large physical and investigative […]


Amit Yoran resigns

Amit Yoran, a former software executive from Symantec Corp., informed the White House about his plans to quit as director of the National Cyber Security Division and made his resignation effective at the end of Thursday, effectively giving a single day’s notice of his intentions to leave. Yoran said Friday he ”felt the timing was […]


Why Is Air Travel So Cheap?

The cost of a last-minute ticket doesn’t seem to be enough for airlines to break even. How much of this is due to a lingering fear of flying? How much of it is the extra cost to travelers, in inconvenience and hassle, of being bit players on the security stage? As long as a carrier […]


"TSA cannot be trusted"

Writes Bill Scannell in a piece for USA Today. Not new, but a good intro as to why.



I’ve realized recently that I have no real idea of what’s happening in Iraq. On the one hand, we have bubbly optimists like Chrenkoff. On the other, people like Wall St Journal reporter Farnaz Fassihi, whose email is getting wide circulation. The Iraqi bloggers I read (generally) sound more optimistic than despairing, which is good. […]


Nevada Gaming Commission vs. Diebold

It’s always good to see our best resources being applied to the most important things in society, like voting. The “independent” validation, paid for by the software creators, is closed to the public. But when the Nevada Gaming Commission gets into the act, it seems they know a scam when they see one. (Disclaimer: I […]


A message from God?

Bob Morris maps hurricanes Ivan, Charley, and Frances against voter maps. (No mention of Jeanne, which seems to have taken the same path as Frances.) Enquiring minds want to know, is this that Bob Morris?


Travel, Speaking Plans in October

I’m speaking at the Atlanta Chapter of the High Tech Crime Investigative association, October 11th, on a “Privacy Industry View of Reducing Cybercrime.” This is an extended version of Zero-Knowledge’s talk we gave to law enforcement. I’m speaking at the Inaugural Security Leadership conference, in Arlington, Texas on the 19th, on “Beyond Penetrate, Patch and […]


"A Roadmap for Forgers"

Ed Felten has a great post over at Freedom To Tinker about Rather-Gate: In the recent hooha about CBS and the forged National Guard memos, one important issue has somehow been overlooked — the impact of the memo discussion on future forgery. There can be no doubt that all the talk about proportional typefaces, superscripts, […]


Cultural Imperialism At Its Best

Abdul Hadi al-Khawaja is being detained for 45 days over charges of inciting hatred against the [Bahrain] regime. His Bahrain Centre for Human Rights (BCHR) ignored warnings it had contravened association laws, a government statement said. The centre had protested at the arrest, saying Mr Khawaja was just “practising his basic rights, namely free speech”. […]


"Tomorrow is Zero Hour"

More than 120,000 hours of potentially valuable terrorism-related recordings have not yet been translated by linguists at the Federal Bureau of Investigation, and computer problems may have led the bureau to systematically erase some Qaeda recordings, according to a declassified summary of a Justice Department investigation that was released on Monday. The problems, unsurprisingly, are […]


The Two 9/11 Commission Reports

I’ve just finished the 9/11 commission’s report. (Or use the Pdfhack version, a fine example of what can be done in the absence of copyrights.) One of the things that stands out for me is the stark contrast between the history and the recommendations. The history is excellent. The recommendations, less so. My largest critique […]


Appreciating Shakespeare

Recently, I found myself wondering why Hamlet had never gotten a proper treatment in Powerpoint. After another drink, I took it upon myself to remedy the situation.


"You will eventually be caught"

I believe that if you are a low- to mid-skilled intruder physically located in the United States, you will eventually be caught. The days when hardly anyone cared about prosecuting digital crime are ending. The FBI has 13 Computer Hacking and Intellectual Property (CHIPS) units with plans to open more. The Computer Crime and Intellectual […]


Firefox Software Install UI

This changed recently — spyware ‘toolbars’ started to appear for Firefox as well. It was quite a surprise to see a dialog pop up when accessing an otherwise normal-looking (though advertising-heavy) page, using my Linux desktop, prompting me to install some ‘toolbar’ .xpi file! Firefox 1.0PR now includes code to deal with this. Here’s how […]


Airport Screening Still Fails Tests

Do current security plans depend on no guns getting onto the planes? I hope not. Covert government tests last November showed that screeners were still missing some knives, guns and explosives carried through airport checkpoints, and the reasons involve equipment, training, procedures and management, according to a report by the inspector general of the Homeland […]


Verisign's Kid Credentials

So Verisign has teamed up with I-safe to issue “USB tokens” to children. The ZDnet story states that it “will allow children to encrypt e-mail, to access kid-safe sites and to purchase items that require a digital signature, said George Schu [A Verisign VP].” To me that sounds a lot like an X.509 certificate, which […]


What's In A Name?

“BRANSON, Mo. – A Branson man has put a face to the anonymous references people often make to “they” by changing his name to just that: “They.” Not only is he making a statement about his name, but he’s messing with the entire English language,” friend Craig Erickson said. How can you argue with messing […]


"Post-Totalitarian Stress Disorder"

This – the damage done to individual psyche – and not just to the physical infrastructure and institutions of the country, is what we have to always keep in mind when assessing the progress of reconstruction and democratisation in places like Iraq. If things aren’t moving ahead as fast as expected, if cooperation is lacking […]


Acceptable ID

Virginia Postrel writes about flying without ID: Coming home today from New York, I was a little more prepared. I still didn’t have “government-issued i.d.,” but at least I knew I was headed for trouble. I got to JFK several hours early. The young security guard wasn’t sure what to do with me and asked […]

So when Google Mail started up, I managed to register “” I didn’t have any particular plan for this, I just figured that it was entertaining, and a good, harmless prank could be made of it. (I specifically emailed a friend who works for Google security about it, and mentioned it in person next time […]


"All Persons Held As Slaves Shall Be Forever Free"

Happy Emancipation Proclamation Day! On Sept 22, 1862, President Lincoln issued the Emancipation Proclamation: “…all persons held as slaves within any State or designated part of a State the people whereof shall then be in rebellion against the United States shall be then, thenceforward, and forever free; Now, like many government proclamations, there was more […]


Testing Airline Data for …what?

The New York Times reports that “The Transportation Security Administration said Tuesday that it planned to require all airlines to turn over records on every passenger carried domestically in June, so the agency could test a new system to match passenger names against lists of known or suspected terrorists.” The data will vary by airline. […]


Iraqis Target Foreigners

Omar writes about A group of Iraqi citizens in Al Karkh/ Khidr Al Yas arrested 6 Syrian terrorists after placing a land mine at the gate of Bab Al Mu’a dam bridge from Al Karkh side. According to New Sabah newspaper, after a road side bomb exploded missing an American convoy that was patrolling in […]


CAPPS as Corporate Welfare

I’ve written in the past about how government-validated ID acts as a subsidy to privacy invasion. In the absence of such a card, I can give you whatever name I want, protecting my privacy. With such a card, it becomes easy to invade people’s privacy. Under CAPPS-2, the government would like the airlines to collect […]


Testing Airline Customers

Ed Hasbrouck has another pair of good posts (1, 2) on the “Free Wheelchairs” program. In the first one, he quotes from “Department of Homeland Security Appropriations Act, 2005”, H.R. 4567: (2) the underlying error rate of the government and private data bases that will be used both to establish identity and assign a risk […]


New York Protests

Eugene Volokh rightly criticizes a correspondent for his ad hominem attacks on NYC Mayor Bloomberg, who said (I’m quoting Volokh): But Bloomberg insisted that there’s no proof that the NYPD did anything wrong. “There is absolutely no evidence whatsoever that there was any intent by any law-enforcement official to hold people any longer than was absolutely […]


AT&T Wireless time service

I have cell service with AT&T wireless. One feature of the service is network time updates. It fortunately includes a confirmation. It’s great when you land in a new city. It hasn’t been so great last night or today. Last night, at 23.20, I got an update telling me that the new time was 21.15. […]


Jefferson Nickels

Samablog points to the new nickel design which will have either a buffalo or a depiction of the pacific coast on the back. The buffalo refers to the Louisiana Purchase, while the pacific coast refers to Lewis and Clark’s expedition. Despite his careers as a lawyer, diplomat, Secretary of State, and President of the […]


Free gropes for travellers

Over at BoingBoing, Cory points to a USA Today story at NewsIsFree about more screening. There seem to be four components: Explosives Detection Secondary screening will now always include nitrate detection swabbing. This is a fine step, but why has it taken 3 years to come in? (In fact, every time I’ve been thrown into […]


Qui Custodes Custodiat?

There’s a brilliant post over at Orcinus about the 9/11 commission, whose (outstanding) report I’m just getting around to reading. Really, if the Kerry campaign is serious about persuading the American public that Bush is a serious liability when it comes to securing the nation from the terrorist threat, this should be Exhibit A: Bush […]


Ian Grigg on Verisign

Ian Grigg has some very interesting comments on Verisign’s certificate business and what it means for privacy, over at Financial Cryptography


Bin Laden Unit downsized?

The New York Times reports: The Central Intelligence Agency has fewer experienced case officers assigned to its headquarters unit dealing with Osama bin Laden than it did at the time of the attacks, despite repeated pleas from the unit’s leaders for reinforcements, a senior C.I.A. officer with extensive counterterrorism experience has told Congress. A senior […]


Mozilla Patches

The Mozilla folks have awarded their first bug bounty payments for 14 security issues. Time to upgrade!


Microsoft JPG Bug, Patch, Tool

Microsoft has released a critical advisory (or, less-technical version) regarding a problem with the way JPEG files are parsed. Microsoft has released patches for their applications, and also a tool to scan for vulnerable apps. I’m not sure what to think about the tool. On the one hand, good for them! Helping customers secure their […]


Apple Security Updates

Apple has released an updated Security Advisory, to fix two problems introduced in the previous rev. Not a big deal, unless you happened to be trying to deal with their ftpd. As we’ve pointed out (PDF) in the past, security updates are a race between attacks and defense, and there are trade-offs you can make. […]


Holy Lousy Security, Batman!

Britons seemed startled by the ease with which palace security was overrun by two men in super hero costumes carrying an extension ladder….Police used a crane to extract him from the ledge as his supporters chanted “free Batman” from behind a police cordon. From the New York Times story. Or, Google News has more. The […]


With so many planes, it had to happen

This is a remarkably cool shot, which SteveC asserts is a plane flying in front of “The ULO telescope as it observes the transit of Venus.” I started asking what are the odds, and then ended up at a back of the envelope, why are these so rare?


"Want more Secure Software?"

SecurityFocus points to a nice short article over at suggests that Gartner advises that for companies building their own software, developers should be pushed to put security at the head of their list. It’s not just in-house tech makers that need a word in their ears – the analysts suggest end users should give […]


Mathematical Classifications

Mathematicians use a scheme called the Mathematics Subject Classification, (MSC) which includes a “how to use”, as well as a long history of being revised to reflect changes in the field, and I would guess, practice in how to effectively classify things. It has a General and Miscellaneous Topics section, too. Articles must be given […]


Canadian Health Care

The New York Times reports on a lack of doctors in Canada, along with a rise in Canadians using emergency rooms to replace family doctors. (Use BugMeNot if you don’t want to register.) The basic problem is economic. Doctors are much better paid in the US than in Canada, and doctors can easily move. Its […]


Shih shih…

The great linguist Chao Yuen-Ren once wrote an essay in Chinese using only words which (in Mandarin) would be transliterated as shih (using Wade-Giles; shi in pinyin). You can see the text in characters and two transliterations, read the translation (“A poet by the name of Shih Shih living in a stone den was fond […]


Bluetooth and phone security

Some Singaporean students have figured out how to use Bluetooth to turn off the cameras in Nokia’s phones, according to an article in Gizmodo, via a long chain to a now deleted newspaper article. I wonder if they turn it back on when you leave the area? However, Loosewire, the earliest still working link, implies […]


Airline "security"

The Webflyer points to a great David Rowell column, including: An argument ensued. Ms O’Leary not unreasonably thought it unfair to be trapped on the delayed flight when there was another flight due to leave shortly that she could make if allowed to leave the United Express flight. The pilot called the police who arrested […]


Swire on Disclosure

Peter Swire has a new working draft A Model For When Disclosure Helps Security. It’s a great paper which lays out two main camps, which he calls open source and military, and explains why the underlying assumptions cause clashes over disclosure. That would be a useful paper, but he then extends it into a semi-mathematical […]


"Four More Pretzels?"

Over at American Spectator, Shawn Macomber writes about being arrested in New York this week, and suggests a reality TV show is in order: It could be called POWDERKEG! Each week, I’ll be arrested without my rights being read to me and held for 14 hours while police refuse to tell me what charges I’m […]


Taxonomies are hard

Responding to my earlier comments about science being easier at a distance, both Nude Cybot and Justin Mason have offered up substantial and useful comments on the subjects of biological taxonomies. (Justin’s have moved to email.) “Classification in Biology, or phylogenetics, is fraught with issues that we typically do not face when creating our own […]


Free Wheelchairs for Paraplegic Children

If you ever saw Julia Child or Jacques Pepin take apart a chicken, you’ll remember how easy they made it look. It’s a level of skill that we can all aspire to. Watching Ed Hasbrouck take apart the latest incarnation of free wheelchairs for paraplegic children is like watching Julia Child take apart a chicken. […]


Wikipedia vs Britannica tested

In Wikipedia vs. Britannica Smackdown, Ed Felten takes my challenge. In the meanwhile, I’d done some hypothesizing, here. So how’d I do? Hypothesis 1 is spot on. #2 is more challenging to assess: The errors in Britannica are smaller, and I think I’ll judge myself wrong. #3 I think is accurate, if only because of […]


Wikipedia vs Britannica

A few days ago, I challenged Ed Felten to do some more comparison work. In the spirit of Milgram, I didn’t propose a theory. (This was mostly because I was trying to make a good joke about assigning the professor homework, but couldn’t come up with one.) However, on consideration, I think that I should […]


Science is easier from the outside

As part of a larger project on security configuration issues, I’m doing a lot of learning about taxonomies and typographies right now. (A taxonomy is a hierarchical typography.) I am often jealous of the world of biology, where there are underlying realities that can be used for categorization purposes. (A taxonomy needs a decision tree. […]


Volokh commentary

This post by Todd Zywicki clearly illustrates the difference between law professors and economics professors.


Airline Security

In Educated Guesswork, Eric Rescorla writes about one way tickets and the search criteria. The CAPPS program was created by Northwest airlines, who set the criteria for inclusion. They included one way tickets to enforce their bizarre pricing schemes. This is the same reason they started asking for ID: to cut down on the resale […]



Over at Freedom To Tinker, Ed Felten writes about the Wikipedia quality debate. He takes a sampling of six entries where he’s competent to judge their quality, and assesses them. Two were excellent, one was slightly inaccurate, two were more in depth, but perhaps less accessible than a standard encyclopedia, and one (on the US […]


Lock 'em up!

Over at TaoSecurity, Richard writes: Remember that one of the best ways to prevent intrusions is to help put criminals behind bars by collecting evidence and supporting the prosecution of offenders. The only way to ensure a specific Internet-based threat never bothers your organization is to separate him from his keyboard! Firstly, I’m very glad […]


The Man Who Shocked the World

I’ve recently finished The Man Who Shocked the World, a biography of Stanley Milgram. The book’s title refers to the “Authority Experiments,” wherein a researcher pressured a subject to deliver shocks to a victim. The subjects of the experiments, despite expressing feelings that what they were doing was wrong, were generally willing to continue. Other […]


Unrecoverable Damage?

I’m reading through NIST SP-800-70 (pdf), the NIST guide to producing security configuration guides. Let me get more coffee before I continue. Thanks for waiting. “If home users and other users without deep security expertise attempt to apply High Security checklists to their systems, they would typically experience unwanted limitations on system functionality and possibly […]


Lewis Carroll

Or, if you prefer, the original can be found elsewhere. It’s always nice when things I want to abuse like that are in the public domain. (Obligatory Lessig link.) But beyond that, think how much poorer literature in the computer science field would be if we didn’t have Alice In Wonderland to freely quote from, […]


Self-referential nonsense

“The time has come,” the Walrus said, “To talk of many things: Of shoes–and ships–and sealing-wax– Of cabbages–and kings– And why the sea is boiling hot– And whether pigs have wings.” “But wait a bit,” the Oysters cried, “Before we have our chat; For some of us are out of breath, And all of us […]


Olympic Security

Bruce Schneier has written insightfully about Olympic security. They’ve spent $1.5 billion, and today’s marathon race was marred by some idiot leaping into the path of the front-runner, and dragging him into the crowd. It’s always tempting, and usually wrong, to say that any failure of security could be prevented. However, this Olympics has seen […]


In memory of Frank Sanache

Frank Sanache was one of eight Meskwaki code talkers. He served in North Africa, and was captured by the Germans. I’m fairly interested in the history of code talkers, and had missed the Army’s use of them. It turns out that there were code talkers in the First World War, that German civilians had travelled to […]


Bea Arthur, Terrorist

Beatrice Arthur, who apparently enjoys a little politics along with her fame, got irked at the airport police: “She started yelling that it wasn’t hers and said ‘The terrorists put it there,’ ” a fellow passenger said. “She kept yelling about the ‘terrorists, the terrorists, the terrorists.’ ” After the blade was confiscated, Arthur took […]


About those insiders

Over at TaoSecurity, Richard writes about a new report from CERT/CC and the Secret Service, studying “23 incidents carried out by 26 insiders in the banking and finance sector between 1996 and 2002.” I’m very glad that they’re doing this. I think that actually studying how bad guys carry out attacks is critical for defending […]


Hands off my bag!

The fine folks at have the first set of their tote bags emblazoned with the 4th amendment, and are shipping! Get yours before they’re outlawed!


Is Disabling Javascript a Win?

(Dave asked in a comment.) Yes, disabling Javascript is a win. Here’s an IE issue, and here’s one for Mozilla. Now, using Javascript, when it’s on, to reduce the number of clicks a user needs to make is a fine thing. I’m in favor of it. (Although I often find myself in misselect hell, when […]


Shut down these shadowy groups?

“The president said he wanted to work together (with McCain) to pursue court action to shut down all the ads and activity by the shadowy … groups,” White House spokesman Scott McClellan told reporters Shadowy? What’s shadowy about free speech? There’s a very bad law in place which restricts your ability to spend your money […]



So Microsoft has released XP2 on a CD. I’m not currently running any Windows machines, but I figure hey, this is an important patch, and I should be able to foist it on people. So I go to Microsoft’s Order a CD site. I am curious to see what else the CD might contain. A […]


Patch Management

Alec Muffet comments on sysadmin resistance to applying patches. As Steve Beattie and a bunch of others of us wrote about, the issue is that there’s a tradeoff to be made to find the optimal uptime for a system. It’s a tradeoff between a security risk and an operational risk. Organizationally, different teams are often […]


That exalted state

“The Central Intelligence Agency is committed to protecting your privacy and will collect no personal information about you unless you choose to provide that information to us.” Of course, this just goes to show that “We’re committed to protecting your privacy” has finally made it to the exalted and hard-to-reach level of “Of course I’ll […]


Secret Laws Work So Well

So it seems that two members of Congress have now been added to “watch lists.” “[Representative John] Lewis contacted the Department of Transportation, the Department of Homeland Security and executives at various airlines in a so-far fruitless effort to get his name off the list, said spokeswoman Brenda Jones.” It seems that this sort of […]


Time for DES to go?

In 1977, the government certified the Data Encryption Standard (DES), with a planned lifetime of 15 years. It has now been in use for nearly 30, and no longer offers even decent security. Over 6 years ago, the EFF built Deep Crack, a supercomputer for breaking DES, which cracked keys in under a day. NIST […]


Why did Google pop? (II)

According to David Garrity, a technology analyst in New York with Caris & Co.: It was supposed to democratize the process and let people buy in at just a few shares, but it was a miserable failure because the organizers didn’t realize the securities regulations that require people who bid to have a certain net […]


Why did Google pop?

So Google popped 18% today. That shouldn’t have happened. The goal of their much-discussed auction was to ensure that they made money. The typical bubble IPO involved a “pop” of as much as 100-300% on opening day. This put huge sums in the hands of bankers and the bankers’ friends, sometimes illegally. Ideally, Google’s trading […]

