Archive for January, 2005
Security Theatre reaches a new low
I’ve already seen a couple of references to this less-than brilliant plan to RFID-tag tourists, but I can’t let it slide any longer.
How does putting an RFID tag on people improve security? It does not. It’s not like the government is trying to track ducks or bears or other creatures who can’t take their tags off without human assistance. A tag the wearer can remove, or hand to someone else, doesn’t bind a person to a location, so this adds zero incremental security.
(more…)
Posted in Risk Management, Terrorism | No Comments »
Stats++ Update
A few weeks ago, since I felt like the available tools don’t really do it for me, I suggested I might develop my own traffic analyzer. I’ve been working slowly but steadily since then and have created something I’ve now titled “Stats++.”
Basically, what I discovered is that the most commonly-available tools such as awstats and Webalizer weren’t capable of answering the questions I have in a dynamic-page world. They aggregate by URL, which tells me little when every post is served by the same script and differs only in its query string. Unless I’m serving static html pages those tools can’t tell me things like:
- Which postings are people reading?
It’s a lot of work to write an article and while I do it primarily for my own enjoyment, I’d still like to prioritize which drafts get attention based on estimates of which articles people find the most interesting.
- Which links bring people in?
Most of my traffic comes when I link to sites with lots of readers, like BoingBoing or Bruce Schneier’s Weblog. If I’m building a readership, then I probably want to write on the topics which bring in not only the most readers, but the most readers who then return. Thus:
- Which articles do people return to?
If I write an article that produces a significant amount of return traffic, then I must have done something right the first time. This gives me a chance to look and see.
- Which articles do people mostly look at and never come back to?
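As an added illustration (this is not the Stats++ code, which the post doesn’t show), here is how a small analyzer can answer those four questions from an ordinary combined-format access log once it understands the query string. It assumes the blog is served from `blog.example.com` and that each post is reached as `?p=<id>`; both the host name and the log lines are constructed for the example.

```python
"""Answering post-level questions from a combined-format access log.

Added example, not the Stats++ code.  Assumptions: the blog lives at OWN_HOST
and each post is reached through a query string ?p=<id>.  The log lines are
constructed for the illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

OWN_HOST = "blog.example.com"   # assumed; a referrer on this host is internal navigation

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

# Constructed sample: two posts (42 and 17), three visitors, one of whom
# comes back to post 42 two days later.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jan/2005:08:01:10 -0500] "GET /?p=42 HTTP/1.1" 200 8123 "http://www.schneier.com/blog/" "Mozilla/5.0 (X11; Linux)"
203.0.113.5 - - [14/Jan/2005:19:22:03 -0500] "GET /?p=42 HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (X11; Linux)"
198.51.100.7 - - [12/Jan/2005:09:15:44 -0500] "GET /index.php?p=42 HTTP/1.0" 200 8123 "http://boingboing.net/" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [12/Jan/2005:09:16:01 -0500] "GET /?p=17 HTTP/1.0" 200 5010 "http://blog.example.com/?p=42" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.9 - - [13/Jan/2005:11:00:00 -0500] "GET /?p=17 HTTP/1.1" 200 5010 "http://boingboing.net/" "Mozilla/5.0 (Macintosh)"
192.0.2.9 - - [13/Jan/2005:11:00:02 -0500] "GET /wp-images/x.png HTTP/1.1" 200 900 "http://blog.example.com/?p=17" "Mozilla/5.0 (Macintosh)"
192.0.2.9 - - [13/Jan/2005:11:00:05 -0500] "GET /?p=99 HTTP/1.1" 404 300 "-" "Mozilla/5.0 (Macintosh)"
"""


def post_id(path):
    """Map a request path to a post id via its query string; None for anything else."""
    query = parse_qs(urlparse(path).query)
    return query["p"][0] if "p" in query else None


def parse_line(line):
    """Parse one combined-format line into a dict, adding the calendar day."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["day"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").date()
    return rec


def analyze(lines):
    """Return reads per post, external referrers per post, returning-visitor
    counts per post, and the posts nobody ever came back to."""
    reads = Counter()
    referrers = defaultdict(Counter)
    visits = defaultdict(lambda: defaultdict(set))   # post -> visitor -> {days}
    for line in lines:
        rec = parse_line(line)
        # Only successful page fetches count as a read; 404s, images and POSTs do not.
        if rec is None or rec["method"] != "GET" or rec["status"] != "200":
            continue
        pid = post_id(rec["path"])
        if pid is None:
            continue
        reads[pid] += 1
        ref_host = urlparse(rec["ref"]).hostname      # None for "-"
        if ref_host and ref_host != OWN_HOST:
            referrers[pid][ref_host] += 1
        # A "visitor" is the (address, user-agent) pair: crude, but log-only.
        visits[pid][(rec["ip"], rec["ua"])].add(rec["day"])
    returning = {pid: sum(1 for days in v.values() if len(days) > 1)
                 for pid, v in visits.items()}
    one_and_done = sorted(pid for pid, n in returning.items() if n == 0)
    return {"reads": reads, "referrers": referrers,
            "returning": returning, "one_and_done": one_and_done}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for pid, n in result["reads"].most_common():
        print(f"post {pid}: {n} reads, {result['returning'][pid]} returning visitor(s), "
              f"from {dict(result['referrers'][pid])}")
    print("read once and never revisited:", result["one_and_done"])
```

Counting a returning visitor as the same address and user agent on more than one day is deliberately conservative: it undercounts people behind shared proxies, but it never credits a post with return traffic it didn’t earn.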
I’m now getting pretty close to initial release. I’m pretty much feature-complete with a tool that can answer those questions pretty well. I don’t have as much time-series data display yet, but that may happen this weekend (I’ve got some serious waiting room time tomorrow, which means no Net-access procrastinating unless I decide to read a book; I’m currently reading L4yercake, which I highly recommend).
Maybe I’ll even post some sample pages if the mood strikes me.
Posted in General, Technology, Information Management | No Comments »
Dude, where’s my post?
There’s been a LOT going on at work and once I decide how much of it I can relate, I’ll probably have posting material for weeks. Bear with me–18-hour days and my style of blogging don’t really get along very well.
-the Bing
Posted in General | No Comments »
Spam…It’s not just for breakfast any more
This article about Carl Hutzler, Postmaster for AOL showed up on Slashdot yesterday and it brought back a lot of old memories about a time when I got to (had to?) deal personally with Carl. My employer at the time (to remain nameless) had a contractual right to send his employer (AOL) somewhere in the neighborhood of 1,000,000 emails per day. Needless to say, we weren’t his favorite folks, and there were several occasions where AOL’s email system blacklisted us for one reason or another. Eventually, we reached a sort of detente. I cleaned up our mailing practices, he accepted our mail. AOL definitely set the terms of the relationship, but had they not done so, my employer never would have cleaned up its act.
In some cases, the blacklisting was legitimate–when I started working there, the email operations group was a pair of corporate Exchange admins–amazing for a place that sends out well over 100,000,000 (that’s 100 million) emails/month using Linux servers. We made no efforts to filter bad addresses (i.e. remove bounces from our lists or process unsubscribe requests sent to the Postmaster), were bad about sending to old addresses, and generally failed to take any responsibility for our actions. About the only thing we weren’t doing wrong was that our relays weren’t open, but people still found plenty of ways to abuse our system.
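As an added illustration of the two hygiene steps named above (removing bounced addresses from the lists and honouring unsubscribe requests sent to the postmaster), here is a small bounce processor. It is not the author’s or AOL’s code; the messages, addresses and the three-soft-bounces policy are constructed for the example. It relies on the standard library’s parser for RFC 3464 delivery status notifications, which is what a receiving MTA sends back as a multipart/report carrying a message/delivery-status part.

```python
"""Bounce and unsubscribe processing for a bulk mailer's suppression list.

Added example, not the author's or AOL's code.  The DSN, the unsubscribe
request, the addresses and SOFT_BOUNCE_LIMIT are all constructed.
"""
import email
import email.utils
from email import policy

SOFT_BOUNCE_LIMIT = 3   # policy for the example: give up after three soft bounces

# Constructed RFC 3464 bounce: one permanent failure, one temporary one.
HARD_BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
To: bounces@lists.example.com
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="=_dsn"

--=_dsn
Content-Type: text/plain

Delivery to the following recipients failed or was delayed.

--=_dsn
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; gone@example.net
Action: failed
Status: 5.1.1

Final-Recipient: rfc822; full@example.net
Action: delayed
Status: 4.2.2

--=_dsn--
"""

# Constructed unsubscribe request sent to the postmaster mailbox.
UNSUBSCRIBE = """\
From: Jane Reader <jane@example.org>
To: postmaster@lists.example.com
Subject: unsubscribe

Please take me off your list.
"""


class SuppressionList:
    """Addresses we must never mail again, with the reason we stopped."""

    def __init__(self):
        self.suppressed = {}     # address -> reason
        self.soft_counts = {}    # address -> soft bounces seen so far

    def suppress(self, addr, reason):
        self.suppressed[addr.lower()] = reason

    def is_suppressed(self, addr):
        return addr.lower() in self.suppressed

    def note_soft_bounce(self, addr):
        n = self.soft_counts.get(addr.lower(), 0) + 1
        self.soft_counts[addr.lower()] = n
        if n >= SOFT_BOUNCE_LIMIT:
            self.suppress(addr, f"{n} soft bounces")
        return n


def dsn_recipients(msg):
    """Yield (address, action, status) from each per-recipient block of a DSN.
    The stdlib parses message/delivery-status into a list of header-only
    sub-messages; the first block (Reporting-MTA) has no recipient and is skipped."""
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        for block in part.get_payload():
            final = block.get("Final-Recipient")
            if not final:
                continue
            addr = str(final).split(";", 1)[-1].strip()      # "rfc822; addr" -> addr
            action = str(block.get("Action", "")).strip().lower()
            status = str(block.get("Status", "")).strip()
            yield addr, action, status


def process_message(raw, suppression):
    """Route one inbound message to the bounce or unsubscribe handler.
    Returns a list of (address, what-happened) for logging."""
    msg = email.message_from_string(raw, policy=policy.default)
    handled = []
    if msg.get_content_type() == "multipart/report":
        for addr, action, status in dsn_recipients(msg):
            if action == "failed" or status.startswith("5."):
                suppression.suppress(addr, f"hard bounce {status}")
                handled.append((addr, "hard"))
            elif action == "delayed" or status.startswith("4."):
                suppression.note_soft_bounce(addr)
                handled.append((addr, "soft"))
    elif "unsubscribe" in str(msg.get("Subject", "")).lower():
        sender = email.utils.parseaddr(str(msg.get("From", "")))[1]
        if sender:
            suppression.suppress(sender, "unsubscribe request")
            handled.append((sender, "unsubscribe"))
    return handled


if __name__ == "__main__":
    sl = SuppressionList()
    print(process_message(HARD_BOUNCE, sl))
    print(process_message(UNSUBSCRIBE, sl))
    print(sl.suppressed)
```

The one decision worth arguing over is the soft-bounce threshold: a single 4.x.x is usually a full mailbox or a greylisting MTA and should not cost you a subscriber, but an address that is still deferring after several sends is, for list-hygiene purposes, dead.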
(more…)
Posted in Security and Risk Management, Technology | No Comments »
It’s the Tools, Stupid!
There’s an article over at Many-To-Many, “The Innovator’s Lemma”, which caught my attention this morning.
There, Jay Fienberg wrote in a comment (emphasis mine):
I would argue that, ironically, the usefulness of the tagging systems in Flickr, del.icio.us, and Technorati is that these systems remove the “same freedom to classifying” already available on the web, and constrain tagging within a more traditionally controlled system.
Hmm…this sounds to me like maybe the problem isn’t that people can’t tag or otherwise describe their data accurately enough, but rather that for the Average User, the tools have been largely non-existent until now.
Even if Flickr, del.icio.us, et al. all eventually collapse under the weight of their own chaos, they will be remembered in much the same way that Lotus 1-2-3 is still remembered as the Original Spreadsheet–it wasn’t the first (that was VisiCalc), but it was still the first one to put an accessible accounting tool, and with it awareness of spreadsheets, in front of the masses.
Gopher may have been the first attempt at an Internet-scale hierarchical classification system, but these days, outside of fora like this no one has ever heard of it. The population of the Internet was only about 1% of what it is now when Gopher effectively died. Flickr, del.icio.us and even Wikipedia will have the honor of being remembered as the “first” in the public’s eyes, not because they were actually the first but because they were the first to offer it as a tool which was grok-able to the Average User.
The Average User doesn’t want a good tool–he probably lacks the sophistication to know if his tool is good or bad. What the Average User wants is the same tool as his friends are using. That way, when one of his friends figures out something clever, he can leverage that discovery with a minimum of effort.
So now that the tools are out of the box, the Kayak Metaphor is the only one that’s left (unless I want to come up with some lame metaphor about a car with a stuck accelerator, no brakes, and broken tie rods, and the only working feature being the Hi-Beam switch for the headlights, but I think that one’s been used too much already).
I tend to laugh at people who fret about people being able to Do As They Please with technology for two reasons. First, because I used to be one of them; and second, because if people didn’t keep creating new problems, no one would pay us to solve them.
Posted in Technology, Information Management | No Comments »
VOIP…The (next) killer app for crypto
“There are business solutions to technical problems, but there are no technical solutions to business problems.”
Clay Shirky, a very smart guy, predicted back in December, 2003 that Peer-to-Peer would be the killer app for crypto. Unfortunately, the “attacker” that crypto would protect the users from wasn’t scary enough–the RIAA and MPAA just can’t file enough lawsuits to make it a credible threat against 60 million users. If anything, by shifting their activities into encrypted and anonymized architectures, Peer-to-Peer developers and users would be playing into the RIAA’s and MPAA’s hands, effectively demonstrating intent to infringe. This is the “If you have nothing to hide, then why do you want to?” argument, which would hand a legislative win to the Content Industries.
As I already said, I firmly believe that Clay Shirky is a very smart guy, but he missed one key issue: the nature of the threat. In the case of P2P, the threat was a lawsuit–a business and legal problem–so the mitigation would need to be legal and business solutions. We’re seeing this play out now as the Grokster Case gets ready to go to the Supreme Court of the US. If the Supreme Court decides against Grokster, then Clay will be right. If, on the other hand, they side with Grokster (and I personally suspect they will), then I’m going to nominate Voice Over IP (VOIP) as the next Killer App for crypto.
Usually I just sit on the technology sidelines and throw rocks, attempt to connect dots or just try to summarize the risks in a given situation and how they are or aren’t being mitigated. This time, though, I’m going to go out on a limb and actually Make a Prediction: VOIP will be the killer app for bringing widespread awareness and acceptance of cryptographic tools to the end user.
(more…)
Posted in Security and Risk Management, Technology | 1 Comment »
It’s like, “Friendster for Terrorists”
So Cory Doctorow wants to know, after learning The Hard Way, why is American Airlines gathering written dossiers on fliers’ friends?
What’s the point of having passengers write down whom they’re visiting? And why is the Transportation Security Administration (Assuming this really was a TSA thing) outsourcing responsibility for collecting this information to an airline?
Is the TSA trying to build some sort of “Friendster-for-Terrorists?” Social networking for Bad Guys. We can call it “Badster.” It’s catchy, short enough to type, and you could probably turn it into an acronym. “Better Automated Detection System for Terrorists and Evil Ragamuffins,” anyone?
UPDATE: Now Bruce Schneier has picked this up in his blog
Posted in Security and Risk Management | No Comments »
What’s good for the goose…
It’s funny how companies like Apple and HP are only too happy to globalize when it benefits them, but don’t like it nearly so much when end users try to leverage global cost differences themselves.
This all began when the Wall Street Journal ran an article about how HP and other technology companies have begun implementing methods of preventing their products from being used in currency zones other than the one where they were sold. Some, such as HP, put explicit technological barriers such as “region coding,” similar to DVDs, into their printer cartridges. Others, such as Apple and Nintendo, simply ship their products with A/C adapters that only work on the “local” current of the intended country of sale, trying to drive up the effective cost of buying a “grey-market” device.
An unofficial, anonymous non-spokesperson for HP offers the explanation that their price-gouging policies are driven by fears of currency fluctuations impacting the profitability of overseas sales. If this is the case, then HP needs to fire their entire financial management team, since they obviously are not qualified to run a business with cross-currency operations. This has now shown up on Boing Boing a few times, most recently with a reader’s excellent explanation of why HP’s region-coding excuse is bogus.
Take a minute to go read the explanation, then I’ll tear it apart even more.
(more…)
Posted in Technology, Risk Management | No Comments »
When it comes to security, it’s always Amateur Hour in Redmond
So Microsoft has once again made an Amateur Hour Security Mistake at the tactical level. Bruce Schneier has a more detailed summary, but the key thing to know is that if you have two different revisions of an encrypted MS Office document, “you can easily recover the two plaintexts using letter frequency analysis and other basic techniques.” The underlying error is keystream reuse: both revisions are encrypted with the same RC4 keystream, so XORing the two ciphertexts strips the keystream out and leaves the XOR of the two plaintexts, which is the classic two-time-pad failure.
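To make the failure concrete, here is an added illustration (not Microsoft’s code, and not the analysis Schneier summarizes): a textbook RC4 stands in for the Office cipher, two constructed “revisions” of a document are encrypted under the same key, and the XOR of their ciphertexts is first used to locate exactly which bytes changed between saves, then crib-dragged with a guessed fragment of one revision to read the other. The key, the revisions and the crib are all made up for the example.

```python
"""Keystream reuse between two encrypted revisions of a document.

Added example: textbook RC4 stands in for the Office cipher; the key and the
two "revisions" are constructed for the illustration.
"""
import string


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream (key scheduling + PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stream encryption: plaintext XOR keystream.  Safe only if no two
    messages ever share a keystream; decryption is the same operation."""
    return xor_bytes(plaintext, rc4_keystream(key, len(plaintext)))


# Constructed data.  Using KEY for both saves is the flaw being demonstrated.
KEY = b"derived-from-document-password"
REV1 = b"Q3 forecast: revenue up 12%, headcount flat, merger talks on hold."
REV2 = b"Q3 forecast: revenue up 15%, headcount flat, merger talks resumed."


def plaintext_xor(c1: bytes, c2: bytes) -> bytes:
    """c1 XOR c2 == p1 XOR p2: the shared keystream cancels, no key needed."""
    return xor_bytes(c1, c2)


def changed_offsets(c1: bytes, c2: bytes) -> list:
    """Byte positions where the revisions differ, read straight off the ciphertexts."""
    return [i for i, b in enumerate(plaintext_xor(c1, c2)) if b]


TEXTY = set((string.ascii_letters + string.digits + " .,%:;'-").encode())


def crib_drag(p_xor: bytes, crib: bytes) -> list:
    """Slide a guessed fragment of one revision across p1 XOR p2.  Where the
    revisions agree the XOR is zero and there is nothing to learn, so those
    windows are skipped; elsewhere the result is what the *other* revision
    says at that offset.  Returns (offset, text) candidates that look like
    text; as with any crib drag, an analyst ranks the survivors."""
    hits = []
    for off in range(len(p_xor) - len(crib) + 1):
        window = p_xor[off:off + len(crib)]
        if not any(window):
            continue
        frag = xor_bytes(window, crib)
        if all(b in TEXTY for b in frag):
            hits.append((off, frag.decode("ascii")))
    return hits


if __name__ == "__main__":
    c1, c2 = encrypt(KEY, REV1), encrypt(KEY, REV2)
    x = plaintext_xor(c1, c2)
    print("revisions differ at byte offsets:", changed_offsets(c1, c2))
    for off, text in crib_drag(x, b"on hold."):
        print(f"if revision 1 says 'on hold.' at {off}, revision 2 says {text!r}")
```

Note that `changed_offsets` needs no guesswork at all: an attacker holding two saves of an encrypted file learns which bytes were edited before doing any cryptanalysis, and the crib drag then turns any known or guessable phrase in one revision into the corresponding text of the other.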
This comes out at almost the same time as some questions by Mark Rasch over at SecurityFocus about how committed Microsoft is to security at the strategic level, as well.
Early last month Microsoft announced that it would permit downloads of a beta version of its anti-spyware software from its website. However, users attempting to download the software are informed that “[t]his download is available to customers running genuine Microsoft Windows. Please click Continue to begin Windows validation.” The website then uploads an executable file called “GenuineCheck.exe” to the user’s computer.
The executable presumably scans the OS for the license key, and generates a key code that the user is directed to send to Microsoft. If the key code is for an unlicensed version of the OS, the user is directed to purchase the software online, and is denied the opportunity to download the anti-spyware software.
Now on some levels, this isn’t any different than what MS did by preventing XP Service Pack 1 from being applied to installations with certain Select license keys. They backed down from doing this for Service Pack 2, but I think that decision was based on the bad publicity and damage to their corporate image from having a large number of hosts reminding everyone on a regular basis about the Blaster Worm and various Outlook and Internet Explorer exploits.
The real shame here is that I know (via mailing lists, but that’s better than nothing) some former MS Security people, and they are all smart, dedicated, respected Information Security practitioners. They are, to a one, proud to be associated with Microsoft. It has to be painful for them to watch their company deliberately refusing to help its users with a problem that it created.
So does Microsoft have an obligation to implicitly provide support for a problem it created to people who have stolen its products? Honestly, I can’t fault them for not wanting to do so. I realize that companies, especially publicly traded companies, are in business to make money, and Microsoft has historically proven itself to be more focused on that than most. I also know that I would be hard-pressed to do it if I were in their boat.
Given that this is a solution to a serious problem that Microsoft was wholly responsible for creating, however, I think they need to realize that not supplying fixes to all of their users, legitimate or not, increases the risk to legitimate users as well. By denying security fixes to unlicensed users, they are creating a guaranteed population of vulnerable hosts. This, in turn, assures malware authors that there will continue to be a significant pool of victims for their software. So long as that number of vulnerable hosts remains above some threshold, the expected economic benefit from commercially malicious malware will remain high enough that people will take advantage of it.
Only by reducing the expected benefit to malware authors can MS hope to help their users’ plight, especially in the short-term, and the only way they can do that is to provide the band-aid free to as many of their users–not just “customers”–as possible.
Posted in Security and Risk Management, Technology | No Comments »
Outsourcing: When good business ideas go bad, Part II
In Part I, I talked about the general problem of outsourcing and why it often doesn’t make sense from an operational perspective.
Now, I’m going to outline two situations where I believe it does make sense to outsource an operation. The first scenario is when the need for the outsourced skillset is only occasional or if the need is only applicable in exceptional circumstances. For example, as an individual I would put my relationship with various specialized tradesmen such as plumbers, electricians, or locksmiths in this category. Depending on my relative capability in a particular area, I might take on the task myself. I can change a lightbulb and even hang a light fixture, but when I need a new circuit run, I’m calling a professional.
Most small (and even some medium) businesses run their IT in this same manner. There’s probably someone in-house who handles day-to-day IT issues such as changing the tape in the backup system (assuming they have a backup system) or installing a new workstation for an employee, but when it’s time to buy and configure a new server or recover from a major failure, it’s probably money well-spent to call a specialist. Even though the business is paying a premium for the specialist’s high-value time, they are still saving significant amounts of money compared to trying to maintain that skillset in-house.
The other scenario where outsourcing makes sense is when the function is so far outside the realm of expertise that the business doesn’t even want to “change the lightbulbs” themselves. The obvious functions I put in this area are Accounting, Legal, and Human Resources since the cost of a significant mistake in these areas could easily end in bankruptcy, civil liability or worse.
In these cases, the view of Outsourcing as risk insurance is quite valid. Outsourcing the function to a trained professional significantly reduces the risk of an audit, lawsuit, or even criminal investigation brought on by ignorance of the law. There still exist risks in this relationship–the business is at the mercy of the specialist and must trust them to be doing their job diligently. Nevertheless, I would say that the risk is still less than if the function were in-house since a credible outsourcer will typically carry some sort of bonding or Errors and Omissions Insurance of their own.
There is one final factor implicit in the nature of the relationships that I’ve described here–the relative lack of “friction” created by outsourcing the function. Yes, it may take longer to drive to the accountant’s office than if they were right across the hall, but that can be controlled to a certain extent by choosing an accountant (or lawyer or HR Agency, etc.) who’s in your neighborhood, whom you communicate well with, and who’s honest.
So when all is said and done, Outsourcing is still a business decision just like any other. There are costs and risks associated. The key is to not get so focused on any one aspect that the decisionmakers fail to see the forest for the trees.
Posted in Office Life, The Grand Scheme Of Things | No Comments »