Your Brain is Bigger Than Your Head
There have been a lot of changes in my life these past few months. Let's dive right in:
I stepped down from my day-to-day responsibilities at CoreStreet. After much soul-searching I decided that, while government-focused security and identity programs have their certain charms, I wanted to do something more mass-market focused. I'm still on the board of CoreStreet and involved as an advisor and general curmudgeon. CoreStreet was an awesome experience and I'm proud of the work we did. The company is in great hands now and I expect big things from it in the future. More on this later.
After nineteen years in Boston, I moved to California. One more year and I would have been officially "from" New England, so it was now or never. We're now living in San Jose in a giant outdoor mall. It's weird, but good. But weird. More on this later.
I became the CEO of EverNote. We make software that's going to let several zillion users capture, recall and share all their memories; basically a high-tech "external brain" that frees your normal brain up to do more interesting things.
There's a nice meme around this developing in the media in recent weeks. Clive Thompson wrote a good feature in last month's Wired and David Brooks picked up the theme in the New York Times a few days ago. Just this morning, Chris Morrison wrote about the "outside brain" in a nice VentureBeat article about us. EverNote is a great company that's been around for a few years and I'm thrilled to be on board for all the big changes coming in the next few months. Much more on this later.
October 29, 2007
I mumble about Real ID
Jon Udell has posted a podcast interview with me about Real ID. We've both written briefly about it recently. I just listened to the podcast again and must say that Jon is really good at asking the right questions. His questions in the interview are a lot better than my answers.
Plus I don't really sound like that in real life. How do radio people ever get used to hearing their own voice?
April 2, 2007
Thinking about Real ID
DHS has published the proposed details of the Real ID act and criticism is starting to pour in from all sides. The Real ID act is supposed to standardize the driver's licenses issued by the states. Supporters say that this is necessary to improve security. Critics usually focus on the weakening of privacy protections. The arguments and counter-arguments usually don't bother to address each other and, lofted on volume not substance, quickly grow heated and dim.
There's a way to have a meaningful debate on this. Any new security proposal must be compared to the status quo on four dimensions: Security, Privacy, Convenience and Cost. If the new proposal is clearly better at all four, then it's a no-brainer. If the new program is worse on all four, then, well, it has no brains. What if the new program is better on some dimensions but not on others? Should we weigh the relative merits and compromise? Yes, eventually, but not right away! Since the new proposal enjoys the airy freedom of not actually existing yet, we should go back and rework the proposal until it is overwhelmingly better than the status quo.
What is the status quo that Real ID is aiming to replace? Basically, each state has its own standards for driver's licenses, which differ on many of the important details. The status quo sucks in terms of security and privacy and is lackluster in convenience and cost. Is Real ID overwhelmingly better? Not yet, but it can be made so.
Let's.
March 5, 2007
Best. Organization. Ever.
I've said it before, and I'll say it for the next 10,000 years: The Long Now Foundation is the most awesomely cool thing ever conceived.
When I grow up, I want to work there.
February 25, 2007
What I don't know about privacy
A post on Steve Hunt's blog has me thinking about privacy again.
A couple of years ago, I was speaking on an international identity and security panel in Rome. At the end of my remarks, a French journalist asked me a long question that seemed to have something to do with privacy but a lot more to do with trying to bait me to agree or disagree with his stated distaste for some aspect of Bush's foreign policy. I say "seemed to" because neither my French nor his English was up to the task at hand. Unfortunately, this kind of game has become routine for traveling Americans and I almost always choose not to play. So instead of answering directly or, the horror, asking him to clarify his question, I decided to use up my time with an impromptu digression on the nature of privacy. I wasn't sure what I was going to say and, when it was said, I wasn't sure if I actually agreed with it. I'm still not sure. It sounded good at the time though and sent the audience a-nodding. Here's more or less what I said, [with my simultaneous inner monologue in brackets].
---
When our founding fathers wrote the Declaration of Independence [good, always start with the Founding Fathers when talking to a French reporter], they put in a curious sentence, "We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights," [Uh oh, is that in the Declaration or the Preamble to the Constitution? Crap! Ok, just act confident and the audience won't know.] "...that among these are Life, Liberty and the pursuit of Happiness."
Now there's an interesting thing here: the three rights specified are mentioned in order of decreasing specificity and ease of measurement. The first one, Life, is pretty easy to measure; most people will agree on whether someone is alive or dead. Well, not right now in Washington, but most of the time. [Polite laughter, good, they've heard about the Schiavo thing over here.] The second one, Liberty, is a bit harder to define but still pretty good. You can usually get a pretty good consensus on whether someone is free or a slave.
Now the third one is tough. Happiness? How can you really define it? Or measure it? It seems like a really personal quality that's really hard to pin down. Some people don't even seem to want to be happy. I mean I've seen French movies. [Better laugh line, but have I actually ever seen a French movie? I must have.] Aren't standards of happiness based heavily on the ideas of the time? Plus what if my happiness makes you unhappy? Or vice versa? Don't the Germans even have a word for this? Schadenschnitzel or something? [Big laugh, Europeans love the 'dumb American tries to say something important but gets comically confused with a food item' bit. JFK knew this as well.]
That's why the Declaration doesn't give you a right to happiness, only to the pursuit of happiness. We can't guarantee you happiness, but we can make sure that you can do whatever you think may make you happy - as long as you don't get in the way of the other two rights for others. And this is the real genius of the document: you have a right to pursue. You may never get there, or I may beat you to it, but you can pursue happiness if you want and we won't stand in your way.
[Now here's the part that I'm really not sure about, but it's such a smooth transition.]
So what about Privacy? Is it like Life? Is it like Liberty? [Yes, come to think of it, it probably is like liberty, should have thought this through better before starting.] Or is it more like Happiness? I think privacy is a personal thing. Some people want to be very private, other people post pictures of their vasectomy on their blog. Don't google for this! [Really, don't.] Some people want to hide every step they make on the web, others don't care at all. And is there a corresponding right to know? If I really want to know how much my customers earn, is it really wrong for me to try to find out? What if I want to find out who's giving money to a politician? Does your right to privacy trump my right to happiness?
I think maybe privacy is like happiness, and the "right to privacy" should really be "the right to the pursuit of privacy". If you want to keep certain information private, you should have access to all the tools you need to make that happen. If you choose not to use those tools, either because you don't care or because you agree to some kind of business or social proposition in return, then I have the right to get whatever information about you that I want. And the default setting on your web browser shouldn't be "private" any more than the default setting on your life should be "happy". If you want privacy or happiness, you have the absolute right to work at it, but it's not our responsibility as representatives of government or industry to hand you either one. [Big applause line from the audience, but it's a very business- and government- centric crowd.] Companies should be free to track their customers' actions and people should be free to hide whichever of those actions they want. Each person gets to choose where they want to stand in that marketplace.
---
This got a very good reaction at the conference, but the "privacy" guys were pretty severely outnumbered so it wasn't a balanced field. I'm still not sure how I feel about this analogy. The biggest danger seems to be the potential arms race between privacy-seeking individuals and information-seeking businesses or governments. For instance, is it OK for Google's default search behavior to be set to log your search history? (Nelson Minar and my brother had an interesting discussion about this a couple of weeks ago). If so, would it be OK for Google to change the opt-out settings randomly every few months to force people to "really" care about their privacy? Would it be OK for Google to just lie to you and keep records even if you've opted out, claiming that you should be using some third-party anonymizer if you really cared? (I think the answers are "yes", "no" and "no", but where do you draw the line?) Also, are the implications significantly different for government/citizen interactions?
I'm not sure about any of this. I told myself that I'd sort it out before posting, but my little talk was almost two years ago and I still haven't decided. Is "privacy" like "happiness"? Maybe it's not a very useful question. What do you think?
Oh, the picture at the top of this post is a still from "Fireworks", the School House Rock episode on the Declaration of Independence. It's how they chose to illustrate "pursuit of happiness". Note that this kind of pursuit, deemed appropriate educational programming for children in the 1970s, would now land you in jail.
February 23, 2007
A Realistic Plan For Saving Air Travel
There's recently been a lot of hand-wringing that the air travel experience is on an irreversible spiral to unbearable levels of craptitude. Fear not! By thinking outside the box I have come up with a way to change the paradigm and simultaneously exploit win-win synergies between security and economic stakeholders. Here's how the brave new world of air travel is going to work:
1. RFID chips will be in everything - all your clothes, toiletries, electronics, underwear, etc.
2. When you show up at the airport, you'll walk through a scanner which will instantly compile a full catalog of everything you're wearing and carrying using the above-mentioned RFID chips. This information will be stored in XML!
3. You'll take off your clothes and put on a stylish paper gown. All of your clothes and other possessions will be placed into a box and incinerated.
4. You'll board the plane in your gown. Since everyone on board will be similarly attired, you'll enjoy a relaxed, spa-like atmosphere. Business class seats will offer a complimentary electro-pneumatic massage ($12 in coach).
5. As you fly, the information about your possessions will be electronically sent (via XML!) to a new joint venture between Air Mall and Amazon.com. Assuming all your brand licenses are up to date, an exact duplicate of all your clothes and possessions will be just-in-timed to your final destination.
6. Once you arrive and clear security a second time, you'll be given new copies of all your stuff. An efficient waiting area will be provided for people whose new clothes haven't arrived yet.
Think about it: total security and a big boost to our RFID, XML, PPRM (Physical Possessions Rights Management) and logistics industries! Low cost off-shore manufacturing gets a hand as well and who cares about quality when that Hugo Boss suit only has to survive until your next flight?
As an alternative to incineration, I suppose that your items could be cataloged, sanitized and given out to people traveling in the opposite direction, but that sounds like defeatist tree-huggery to me. The other alternative, low cost air-taxi service using a new generation of affordable light planes that are convenient, efficient and too small to be interesting terrorist targets, is just rampant crazytalk.
XML!
August 11, 2006
Vienna
I had a hankering to start up the blog again. Who knows how long it'll last but here goes.
I'm in Vienna for a couple of days. They're really into some guy (? - hard to tell for sure from the portraits) named Mozart here. You literally can't walk a block without running into something Mozart related. It's like with Starbucks in the US, except they have just as many Starbucks (Starboxen?) here as we do at home, so there's really not much room for anything else. The "anything else" is quite beautiful though. Walking around old European capitals always reminds me that the most historically-significant building in my neighborhood is the art deco Sears-Roebuck store from the 1930s. Apparently it's the 250th anniversary of Mozart founding the city or something, so they're really going all out. Mozart must be some sort of mythical city-creating hero in Vienna, like Paul Bunyan in Brainerd or Benjamin Franklin in Philadelphia.
I'm here to moderate a panel at the Global Security Forum. It's been a worthwhile experience. One of my panelists, Aldo Agostini from Venice, made a fascinating point about the different meanings of "privacy" between the U.S. and Europe. According to Mr. Agostini, the American concept of privacy is rooted in the goal of "freedom", while the European definition centers around "dignity". I'm not entirely sure what "dignity" is, but the Europeans seem quite attached to it. It might somehow be related to the Japanese word, "shame", but that's a concept as strange to Americans as anthropomorphic panda bears riding in giant-panda-shaped fighting robots. Except less cool, like Brainerd.
Anyway, I'll take freedom over dignity any day. I'd take happiness over dignity. I've even been known to take a nice big steak over dignity.
Speaking of which, I've yet to eat any of the famous Viennese meat products so when the conference was over I headed back to the Radisson with the plan of changing clothes and then hitting a restaurant. Once in my room I flipped open the hotel-provided Vienna guide book and read the very first sentence in the "sightseeing" section:
"Even though we are facing an economic slump, terror threats and cost reduction measures: Vienna is still one of the most popular places for outings and holidays."
Way to go for the hard sell! Now I see why our idea of marketing isn't centered around "dignity", either.
Under the guidebook was a brochure for the fancy hotel restaurant. The pictures looked appetizing until I saw this one in the corner:
Ok, seriously, I'm thinking of calling the cops.
Back to the guidebook, randomly flipped open to page 41:
"Would you like to discover Vienna in a special way? Would you like to discover Vienna in a very-special way?"
No. I'm going to bed hungry.
[Update: Two people have already accused me of "name dropping" Brainerd. Yes, I've been there. Any place that has Jello in the all-you-can-eat salad bar is OK in my book.]
July 7, 2006
Split the difference
I have a suggestion for how Google can atone for their free speech sin of agreeing to censor results in their Chinese version to comply with Chinese government web rules. Since they'll have to implement algorithms to automatically determine which results to omit in the Chinese version, they can also make a version of the search engine that displays ONLY the stuff censored in China. Of course this version will only be accessible outside of the PRC but, meh, it's a start.
Note to my Chinese business associates: Joke!
January 25, 2006
Important reminder
September 19th is International Talk Like a Pirate Day. That is all.
August 30, 2005
9-11 brand laser toner
I found this box in the office. Apparently we were returning it to the manufacturer because it was defective. There is no indication of where this product was made, but I kind of hope that it was outside of the U.S. Click on the thumbnails for a bigger image so you can read the text. I don't really have anything else to say.
On second thought, horrible bad taste and shameless marketing aside, asking snarky questions about this kind of thing is my patriotic duty, so here goes:
1. The box claims that this is an "American Spirit Compatible Laser Toner Cartridge". Does this mean that it's compatible with the American spirit or with "American Spirit" brand printers? I've got an HP, so the latter would be a problem for me.
2. The globe cradled in the American flag on the front of the box is centered on the south pole. Why?
3. The back of the box has "9-11-01" written in a very large font, but the numbers are slightly grayed out. Is this a subliminal message or a problem with your box printer toner?
4. The text starts with, "We can never forget the tragedy of September 11, 2001, with the terrorist attacks upon our nation." Is that because we keep being reminded of it by our laser toner boxes? Also, does that sentence helpfully include the year and a brief synopsis of what actually happened on 9-11 just in case someone was beginning to forget?
5. The hyper-cursive text at the bottom says, "Box Design & Concept is an Inspiration and Tribute to all our heroes of 9-11." How many people do you feel were inspired to heroism by your box design? Also, how do you decide which words to capitalize?
6. The box has three direct mentions of 9-11, three American flags, two flag ribbons and one bald eagle. Did you forget to add more bald eagles?
7. The side panel points out that, "Every cartridge that is thrown away adds more waste to our already overburdened landfills." Do you think that this is part of the overall terrorist plan, or is environmentalism a completely separate worthy cause that you aim to inspire and trivially tributize?
August 24, 2005
Belated update
I think I've figured out the "DHS smartcards using Bluetooth" flap. Near as I can tell, there was never any plan to make Bluetooth-enabled cards (which doesn't make any technical sense anyway) or Bluetooth-enabled badge holders (which would be just strange). There was speculation at a public forum about making Bluetooth-connected card readers so that you could read DHS smartcards with, say, a Blackberry. This is actually not a bad idea. I think you could overcome the security issues in this use case because Bluetooth would basically be an unsecured conduit between two secure participants (much like the Internet is with SSL). Either way, I don't think it ever got much past the "wouldn't it be neat if we could..." public-musing phase.
Bottom line: Bluetooth panic around DHS cards is uninformed and unjustified.
July 6, 2005
EPIC responds
Bruce Schneier, writing on behalf of the Electronic Privacy Information Center, has put out a well-written refutation of my recent criticisms of EPIC's report on the DHS smart card program. (Links to EPIC's report, my original blog entry, the much-shortened C|net article and EPIC's response).
I'll post a more thorough response when I have a bit of time, but here's where I'm leaning:
1. I'll mostly concede the "ISO/14443 is RFID" point. ISO/14443 clearly is "RFID" in the broad sense of the word, but much scare-hay has been made by applying non-ISO/14443 aspects of RFID to discussions about smart cards. There's more to talk about here, but I was wrong and apologize for it. The word "RFID" has taken on many meanings and I should have been more precise. As I said in the original article, the only real answer is to move to strong, active cryptography on RFID cards which (among other benefits) would make it virtually impossible for an unauthorized third party to snoop a conversation.
2. I'm glad that EPIC admits their mistake on calling the DAC cards "Bluetooth". However, I'm very puzzled by this "Bluetooth-enabled card holder" business. If, as Bruce suggests, it's a way to rebroadcast card data over Bluetooth... that's just strange. Not necessarily bad, but strange. Ok, probably bad. Maybe he means Bluetooth card readers. That would make a bit more sense. I've never heard any talk at DHS about these things, so I'm going to do a bit more research before commenting further. Still, the cards themselves have nothing to do with Bluetooth and the card program should not be unjustly criticized because some hypothetical peripherals that use the card might be poorly thought out. There will eventually be thousands of hardware and software products that work with government smart cards. Some of them are bound to be dumb. I could make a machine that sucks in your dollar bill and then punches you in the stomach, but my talking about such a machine should not subject the entire system of U.S. Currency to ridicule. Come to think of it, the Vend-o-Punch™ might not be such a bad idea.
3. I do not agree at all with EPIC's response on the biometrics points. There's still a lot of confusion over the issues. More on this later.
4. We've met about half-way on the PIN discussion. A global and mandatory-override short (4- or 6-digit) PIN is probably a bad idea, although not for the reasons stated in the original report. I think the DAC use of PINs is mostly fine.
5. The disclaimer about my indirect involvement with DHS appears on my blog but not on the C|net article because the editors at C|Net asked me to cut the originally submitted 1,700 words down to 700. The blog is linked to from the article.
As an aside, Bruce Schneier is a demigod of sorts in the security industry. His Crypto-Gram newsletter has been worth reading for a long time now. I'm glad to see him engaged in this discussion.
May 30, 2005
I buy a jelly doughnut
Here’s a blurry camera phone picture of me in front of “Snack Point Charlie” - which is about fifteen feet away from Check Point Charlie - in Berlin. The city is now so seamlessly integrated, that it took me a minute to puzzle out east from west. May this be the fate of all divided countries.
May 21, 2005
I don't write my own headlines on News.com
A few weeks back, C|Net's News.com asked me to shorten my previous post about the faulty EPIC report for publication on their site. I pretty much rewrote it from scratch to condense the same points into 700 words. They published it yesterday in the "Perspectives" section. There are already some great, substantive comments at the bottom of the story. My flippant answers are forthcoming in place.
The photo at the head of the story is kind of creeping me out. I must have been thinking of pie when it was taken.
May 18, 2005
Security makes me hungry
From the Associated Press: School Mistakes Huge Burrito for a Weapon
The drama ended two hours later when the suspicious item was identified as a 30-inch burrito filled with steak, guacamole, lettuce, salsa and jalapenos and wrapped inside tin foil and a white T-shirt.
April 29, 2005
EPIC report is not so good
A couple of days ago, the Electronic Privacy Information Center (EPIC) issued a scathing analysis of the Department of Homeland Security's upcoming smart card program. Our country (indeed, much of the world) is currently struggling with the concepts of secure identity documents, and watchdog organizations such as the EFF, the ACLU and EPIC play a vital role shaping the debate. I am completely in favor of holding every government security program to unyielding standards of efficiency, effectiveness and privacy (see here and here, especially in the comments). Unfortunately, this particular report is muddled in many places and simply wrong in others.
Full disclosure: although I am not directly involved in the DHS card program, DHS is a customer of ours and we are working on several products that will make use of the card. In other words, I may be biased but I kind of know what I'm talking about.
Even the first sentence of the report is inauspicious for a security document:
President Bush's proposed $2.57 trillion federal budget for Fiscal Year 2006 greatly increases the amount of money spent on surveillance technology and programs while cutting about 150 programs—most of them from the Department of Education.
Why is the source of the funding relevant to the security analysis of the program? Would the technology be better if it were funded by, say, increased taxes on oil company profits?
EPIC quickly launched into the heart of their grievances:
The Department of Homeland Security Access Card (DAC) has vulnerabilities associated with its use of radio frequency identification (RFID) and Bluetooth technologies, biometric identifiers and PIN backup system. But there are also risks that come from the DAC's "mission creep"; the Department also wants the card to be used as a payment device for everyday items.
This is a good executive summary - five specific identified problems. Unfortunately the analysis of each one is pretty weak. I'm going to leave the "mission creep" stuff aside because there are legitimate policy and design questions there that have nothing to do with technology. The other four claims are fair game. Let's look at them in order:
"RFID"
Here's an easy defense against the RFID claim: The DAC does not use RFID. The DAC uses a standard called ISO/14443 for contactless (wireless) communication between the card and a reader. RFID is designed for tracking physical items. It has a long read range (about four feet) and is not encrypted. ISO/14443 is designed to identify people. It has a much shorter read range (about 5 inches) and weak encryption. The two standards are very different but they're frequently confused even by allegedly authoritative speakers. I don't get too worked up about this mistake because even though it's much harder to snoop ISO/14443 than RFID, the vulnerabilities are of the same type. Still, it doesn't help EPIC's credibility to conflate the two standards, especially since exactly this mistake was the center of much teeth-gnashing last month. The real answer is to eventually move to contactless cards with strong cryptography. Such cards are currently available but are not yet in common use.
Bluetooth??
The vulnerabilities of Bluetooth technology have also been well documented. Bluetooth technology enables wireless communication among electronic devices in close proximity. For example, a Bluetooth-enabled computer could work with a wireless keyboard or mouse. In August, security flaws in Bluetooth-enabled mobile phones allowed criminals to access the information in the phones including contact information and text messages.
This would be damning stuff, if it wasn't crazytalk. The DHS card has nothing to do with Bluetooth. Unlike the "RFID" claim in the paragraph above, there isn't even anything close to Bluetooth that the DAC uses. Nothing. No Bluetooth. Nuh-uh. Bluetooth has nothing to do with identity cards. I don't even think you could put Bluetooth onto a card if you tried; I believe (though I could be wrong) that Bluetooth requires an active power source and contactless cards are all passive. I have no idea what EPIC is talking about, other than maybe DHS said that they would test Bluetooth as a way to hook up computers to phones or something. Also, all the "Bluetooth flaws" that are so breathlessly reported in the EPIC report aren't really flaws with Bluetooth at all, but with specific phones and devices that happen to use Bluetooth. This is an important distinction but I don't want to dwell on it here because THE DHS CARDS DO NOT USE BLUETOOTH.
Biometrics
The DAC identifies the cardholder and her level of access through the use of a biometric identifier—a fingerprint. A recent report by National Institute of Standards and Technology (NIST) showed that one-fingerprint identification systems had an accuracy rate of 98.6 percent, while the accuracy rate rose to 99.6 when two fingerprints were used and 99.9 when four, eight and ten fingerprints were used.
This makes it sound like unauthorized individuals will be getting in all the time while legitimate users will often be locked out of their doors and computers! Fortunately, it doesn't work like that. The accuracy of most biometrics systems can be tuned by balancing two competing types of errors: false positives and false negatives. A false positive error occurs when a bad guy's fingerprint gets mistakenly matched for a good guy's fingerprint. A false negative error occurs when a good guy's fingerprint doesn't get recognized at all. Since fingerprint scanning produces slightly different results each time, the system must be configured with a certain tolerance level. If the tolerance level is very loose, you can virtually eliminate false negatives at the cost of greatly increasing false positives. The system basically says, "Meh, it looks kindda like a fingerprint - go on in." If the tolerance level is very strict, you get the opposite effect: "Your fingerprint is off by 0.00001 millimeters - no access for you!"
The accuracy rate is also heavily influenced by how many possible fingerprint matches the system has to consider. If the system has to match your scan against a large database of enrolled fingerprints (called a "one-to-many" match), it's far more likely to come up with a false positive ("hmmm, it kindda looks like user #7654231") and somewhat more likely to come up with a false negative ("it could be this guy or that guy, I better just punt"). The DHS card avoids this problem by matching your fingerprint against only one possible user - the user stored in the card - so the chances of a false positive are very low because someone trying to trick the system can't just match *anyone's* fingerprint, they have to match *your* fingerprint. Also, the match tolerance can be set very high thereby further reducing the chances of a false positive but increasing the chances of a false negative.
So you can virtually eliminate the false positives (and therefore security risks associated with biometric access), but doesn't the relatively high false negative rate still mean that legitimate users will be locked out? Not really. If you get a false negative, you just have to scan your finger a second time. Let's say it takes you 2 seconds to scan your finger and the false negative error rate is 5%. Most of the time (95%) you'll get access in two seconds. Most of the rest of the time (4.75%) you'll get in with two swipes and four seconds. Every 400 tries or so, you'll have to wait six seconds. If you stay at your job for 20 years, you might have a chance of waiting eight seconds for access once. I use a biometric reader to log onto my laptop and (once I figured out how to hold my finger) it takes me about two seconds to get a good match.
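To make the three points above concrete (tolerance trades false positives against false negatives, one-to-one matching against the card is much safer than searching a big database, and a modest false-negative rate just costs a second swipe now and then), here is a small Python model. It is an added example, not code from this post or from the DHS program, and the score distributions and every number in it are constructed for illustration rather than taken from NIST or DHS data.

```python
# Added example (not from the blog post): a model of the biometric error
# trade-offs described above. GENUINE and IMPOSTOR are constructed
# matcher-score distributions; nothing here is real NIST or DHS data.
from statistics import NormalDist

# Constructed matcher-score model: a higher score means a closer match.
GENUINE = NormalDist(mu=70.0, sigma=10.0)   # comparisons against the real owner's finger
IMPOSTOR = NormalDist(mu=30.0, sigma=10.0)  # comparisons against someone else's finger


def error_rates(threshold):
    """Return (false_accept_rate, false_reject_rate) for a decision threshold.

    A loose (low) threshold lets more impostors through; a strict (high)
    threshold turns more legitimate users away. The two rates move in
    opposite directions, which is the tuning trade-off the post describes.
    """
    far = 1.0 - IMPOSTOR.cdf(threshold)  # impostor scored at or above the threshold
    frr = GENUINE.cdf(threshold)         # genuine user scored below the threshold
    return far, frr


def threshold_for_far(target_far):
    """Threshold at which the one-to-one false accept rate equals target_far."""
    return IMPOSTOR.inv_cdf(1.0 - target_far)


def one_to_many_far(far_single, enrolled):
    """False accept rate when one scan is compared against `enrolled` templates.

    In a one-to-many search an impostor only has to match *anyone*, so the
    chance of at least one false accept grows with the database size.
    Matching against the single template on the card is the enrolled=1 case.
    """
    return 1.0 - (1.0 - far_single) ** enrolled


def attempts_distribution(frr, max_attempts):
    """P(access granted on exactly the k-th scan) for k = 1..max_attempts.

    Each scan is treated as an independent trial that fails with probability frr.
    """
    return [(frr ** (k - 1)) * (1.0 - frr) for k in range(1, max_attempts + 1)]


def expected_access_seconds(frr, seconds_per_scan=2.0):
    """Mean time to get in when retries are allowed (geometric distribution)."""
    return seconds_per_scan / (1.0 - frr)


if __name__ == "__main__":
    for t in (40.0, 50.0, 60.0):
        far, frr = error_rates(t)
        print(f"threshold {t:>4}: FAR={far:.5f}  FRR={frr:.5f}")
    strict = threshold_for_far(1e-4)
    print(f"threshold for FAR 1e-4: {strict:.2f}, FRR there = {error_rates(strict)[1]:.3f}")
    print("same matcher, 1:N over 10,000 enrolled:", round(one_to_many_far(1e-4, 10_000), 3))
    print("scans needed at 5% FRR:", [round(p, 5) for p in attempts_distribution(0.05, 4)])
    print("expected seconds at 5% FRR:", round(expected_access_seconds(0.05), 2))
```

Running it shows the shape of the argument rather than any real figure: tightening the threshold far enough to hold the one-to-one false accept rate at one in ten thousand pushes the false reject rate well up, yet at a 5% reject rate the third scan is needed only about once in 420 tries and the average wait is barely over two seconds. The same per-comparison rate applied one-to-many across ten thousand enrolled users would let an impostor in most of the time, which is why matching against the template on the card matters.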
EPIC then proceeds to quote out of context one of their own (earlier, better) reports:
Once a biometric identifier has been compromised, there can be severe consequences for the individual whose identity has been affected. It is possible to replace a credit card or Social Security numbers, but how does one replace a fingerprint, voiceprint, or retina scan?
Err. That's exactly why you need to link the biometric identifier to a card - just like DHS is doing. You can't revoke a fingerprint, but you can revoke a card. The fingerprint itself doesn't do you any good and, if you lose your card, you can always re-scan your finger and associate it with the replacement card. The criticism quoted above is perfectly legitimate when levied against ill-conceived attempts to use biometrics as identifiers by themselves, but is ironically inappropriate in discussing the DHS program.
PIN
The Department has a backup system built into the card—if the fingerprint identification fails, then the employee can gain access by using a 6- to 8-digit PIN. By allowing alternate access through the PIN, Homeland Security creates all of the vulnerabilities associated with allowing complete access to secure areas and information through one password.
The PIN is not inherently a way to bypass the biometrics, it's just another factor of authentication. The DHS card provides applications with three factors to choose from: physical possession of the card (which is always required), fingerprint biometrics and a PIN. Each door lock or computer program that uses the card can be set to use one, two or all three of these factors depending on the level of authentication security required. For example, getting into the front door of a busy, low-security area may require only the physical possession of the card. Logging into a computer may require the card and either the biometric or the PIN. Accessing a very high-security file may require all three. Giving application designers more options does not reduce security. Of course, some designers may make dumb choices about authentication, but that's not the fault of the card program. Also, keep in mind that the lambasted "card and second factor" system is much better in almost every security and convenience regard than the "password only" systems it's designed to replace.
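The per-application choice described above, as an added example (not part of the original post or of any DHS system): a small policy check in which the card is never optional and each application declares how many of the other two factors it needs. The application names and their settings are assumptions.

```python
# Added example: per-application factor policy for a card with three factors.
# The card is mandatory; each application chooses how many of the optional
# factors (fingerprint, PIN) must also be present. Names are constructed.
from enum import Enum


class Factor(Enum):
    CARD = "card"              # physical possession, always required
    FINGERPRINT = "fingerprint"
    PIN = "pin"


OPTIONAL = {Factor.FINGERPRINT, Factor.PIN}

# Number of optional factors required on top of the card (assumed values):
#   0 = busy, low-security door; 1 = desktop login (fingerprint OR PIN);
#   2 = very high-security file (fingerprint AND PIN).
POLICY = {
    "front-door": 0,
    "desktop-login": 1,
    "high-security-file": 2,
}


def authorize(application: str, verified: set[Factor]) -> bool:
    """Decide access given the set of factors the reader has already verified
    (card authenticated, fingerprint matched, PIN checked). Unknown
    applications fail closed, and nothing is ever granted without the card."""
    required_extra = POLICY.get(application)
    if required_extra is None:
        return False
    if Factor.CARD not in verified:
        return False
    return len(verified & OPTIONAL) >= required_extra


if __name__ == "__main__":
    print(authorize("desktop-login", {Factor.CARD, Factor.PIN}))          # True
    print(authorize("desktop-login", {Factor.PIN, Factor.FINGERPRINT}))   # False: no card
    print(authorize("high-security-file", {Factor.CARD, Factor.PIN}))     # False: needs both
```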
Wrapping it up
In the fall, hundreds of thousands of personnel will have access cards equipped with personal information, biometric and wireless technologies, and the security risks associated with their use.
Exactly. That's why we need coherent debate to distill some clarity about the risks and rewards. This EPIC report - by combining one part gross technology misidentification (RFID), one part random gibberish (Bluetooth), two parts common misunderstanding (biometric accuracy and PINs) and stewing in politics thinly-disguised as security analysis - just makes mud.
April 11, 2005 | Permalink | Comments (3)
Mr. Driver's License
I've used the phrase "security theatre" a few times in this blog. It's a term, usually credited to Bruce Schneier, that describes highly visible but ineffectual security measures designed to placate the public that "something is being done". The taking-off-your-shoes ceremony performed at most U.S. airports is a prime example. Security theatre is usually tedious and unenlightening (it shares these characteristics with regular theatre), but occasionally a certain mixture of rules-following and stupidity can make for fine absurdist entertainment.
Example:
A colleague of mine is a high-level officer at a multi-billion dollar Swedish public company. On a recent investor/analyst tour through New York City, he had a meeting with one of the top U.S. financial services firms in their Manhattan headquarters. Security being high, all visitors were required to show a picture ID before being admitted through the lobby. My friend offered a Swedish driver's license to the uniformed desk guard. All EU driver's licenses are pretty much the same, with the main difference being the bold-lettered title at the very top of the card. This particular card read, "KÖRKORT SVERIGE", which (in the charming way that written Swedish has of being more or less comprehensible to an English-speaker if you squint long enough), means "Swedish Driver's License". All the other information (name, issue date, etc.) was clearly written in the same predetermined and obvious sequence followed by every other European license.
The guard took the license, checked the photograph and typed the name into a computer to (presumably) check for prior warnings. Then he solemnly printed a name badge for "Mr. Sverige Korkort". Mr. Driver's License.
This is funny and sad, but mostly just embarrassing for us American security types. The problems with such broken security are obvious and manifold. Keep in mind that there are tens (soon, quite possibly hundreds) of millions of EU driver's licenses in the world. Even if only 2,000 people go in and out of such a building every day and only 1% are non-UK Europeans, that still leaves 20 "Mr. Driver's Licenses" walking around at any given time. I'm sure that this wasn't the first such card that this guard saw.
It gets better. Later in the day, my friend went to a second meeting with another large Manhattan financial services company and exactly the same thing happened again. At least he didn't get mixed up with the infamous criminal mastermind "Carte D. Identite". I hear that guy is on all sorts of watch lists.
February 9, 2005 | Permalink | Comments (2)
Bad Idea Jeans
A few weeks ago I bought a green laser pointer from ThinkGeek for no good reason. It's really very impressive and I played with it intently for 45 minutes before losing it in a desk drawer somewhere. During that time, I performed a little thought experiment: "I wonder what would happen", I thought, "if I pointed it at a passing airplane?"
It seems that somebody has actually run the experiment and the results are exactly as I'd imagined.
January 5, 2005 | Permalink | Comments (2)
411 is a joke in this town
Yesterday I experienced what must surely be one of the minor signs of the apocalypse.
Needful of the phone number to a local pizza place and finding myself uncharacteristically removed from any networked device, I dialed 411 on my Verizon phone to get directory assistance. It had been years since I last dialed 411 and my hopes for an efficient transaction were low. James Earl Jones came on the line and artfully asked me for the city and state. So far, so good. I told him "Cambridge, Massachusetts" at which point he transferred me (busy man, I understand) to someone else who inquired about the name of the listing. I said, "Harvard House of Pizza." Then some hold music. Then a mechanical, "we are connecting your call..."
Then the horrible thing happened: I was subjected to a recorded advertisement before my call went through. I don't remember the exact nature or length of the ad because my eyes had caught on fire and started to boil at the sheer audacity of 411 charging me money, wasting my time and making me sit through an unwanted ad. To the best of my memory, it was a movie ad and it lasted for 18 minutes.
Oh, then it said, "We're sorry, your call cannot be connected as dialed" and hung up. Also, I probably paid $2.50 for this experience.
Questions:
1. When did 411 get this screwed up? I've heard bad things about the state of the industry, but never thought it'd come to this. I bet "outsourcing" is the standard excuse, but there's something more sinister going on.
2. Do advertisers really get their money's worth generating this much ill will with the public?
3. Since this is clearly the most evil thing James Earl Jones has headed up since that giant-snake worshiping death cult in Conan the Barbarian, and that movie ends with Arnold Schwarzenegger becoming a head of state (look it up) after defeating Earl's minions, wouldn't it be cool if - stay with me now - as the real-life governor of the largest state, Arnold did battle with the evil Earl-headed 411 cult and restored honor and decency to directory assistance? At least in California? I urge my west coast readers to start a ballot initiative. The witty campaign posters would Photoshop themselves!
December 13, 2004 | Permalink | Comments (0)
More cool cartograms
This is not a squished butterfly or a rampaging elephant. It's a cartogram by Michael Gastner and colleagues from the University of Michigan showing a county-level election map of the United States where the relative sizes of the counties are based on population, not geographic area. Check out the entire page which starts with the familiar red/blue election map and iteratively deforms it to show the voting patterns of individual voters.
Are these types of cartograms useful, other than for making democrats feel slightly better? Probably not, but they're neat to look at and they represent the continuum of political belief in this country far better than geographic maps.
I guess it really is a rampaging elephant, after all.
Thanks to Lee Wright for the link.
November 12, 2004 | Permalink | Comments (3)
Election day

The top headline on every single major US news site right now is something to the effect of, "LONG LINES AT THE POLLS - Voters Wait for Hours to Cast Ballots". Reading the stories, I half-expected to see a callout quote such as:
"It wasn't worth it", said a thirsty and dispirited voter.
Nice job, mainstream media. Way to keep people at home. For what it's worth, my wait to vote was exactly 45 seconds.
November 2, 2004 | Permalink | Comments (4)
What's taking so long in that voting booth?
Edward Felten over at Freedom to Tinker has two amazing posts (one, two) about bugs in popular electronic voting machines that, if true, make it possible for just about anyone with a $50 smart card kit to vote multiple times and otherwise seriously tamper with the election. Actually “bugs” is not the right word. The problems stem from a design so stupid that it’s hard to spot the specific error. Like someone once said, “This is so far off it’s not even wrong.” Google thinks that someone was Wolfgang Pauli.
I’ve put together the following technical illustration to explain the problem:

Here’s a slight variation on the “conversation” from Edward’s first post. It won’t make sense until you’ve read the original.
terminal to card: "My password is 1234"
card to terminal: "la la la la la la la la la la"
terminal to card: "Are you a valid card?"
card to terminal: "No. I mean yes!"
terminal to card: "Please deactivate yourself."
card to terminal: "Whatever you say, spaceman."
For the record, I cannot verify that Edward’s description of the problem in Diebold machines is accurate. However, the allegations are well documented and wholly consistent with the track record of electronic voting machines in this country. I can verify that “programming” smart cards is as easy as claimed; we do it all the time. Of course you can make smart cards (or, more accurately, smart card based systems) that don’t have such flaws (again, we do it all the time), but just because something could be done correctly, doesn’t mean that it has been done correctly.
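The "conversation" above, as an added example (not from Edward's posts or this entry): a Python model of a terminal that trusts whatever the card says about itself next to one that makes the card prove it holds a key and keeps the "already voted" record on the terminal side. The card classes, serials and key are constructed for illustration.

```python
# Added example: self-reporting card vs. challenge-response with terminal-side
# state. Everything here (cards, serials, key) is constructed for illustration.
import hashlib
import hmac
import secrets

ELECTION_KEY = secrets.token_bytes(32)  # constructed; shared by issuer and terminal


class GenuineCard:
    """A properly issued card. It also carries an 'active' flag, but the
    hardened terminal below never relies on that flag."""

    def __init__(self, serial: str, key: bytes):
        self.serial, self._key, self._active = serial, key, True

    def is_valid(self) -> bool:
        return self._active

    def deactivate(self) -> None:
        self._active = False

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, self.serial.encode() + challenge, hashlib.sha256).digest()


class ForgedCard:
    """The card from the conversation above: answers 'yes' to 'are you valid?',
    ignores 'deactivate yourself', and holds no key at all."""

    def __init__(self, serial: str):
        self.serial = serial

    def is_valid(self) -> bool:
        return True

    def deactivate(self) -> None:
        pass

    def respond(self, challenge: bytes) -> bytes:
        return bytes(32)  # it cannot compute the real answer


class SelfReportingTerminal:
    """Broken design: believes the card's own answer and asks the card to
    disable itself afterwards."""

    def admit(self, card) -> bool:
        if not card.is_valid():
            return False
        card.deactivate()
        return True


class ChallengeTerminal:
    """Hardened design: a fresh random challenge must be answered with the
    election key, and 'already used' is recorded by the terminal."""

    def __init__(self, key: bytes):
        self._key = key
        self._used: set[str] = set()

    def admit(self, card) -> bool:
        if card.serial in self._used:
            return False
        challenge = secrets.token_bytes(16)
        expected = hmac.new(self._key, card.serial.encode() + challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(card.respond(challenge), expected):
            return False
        self._used.add(card.serial)  # recorded here no matter what the card does
        return True


def run_scenario(terminal, key: bytes) -> dict:
    """Present one genuine and one forged card twice each; return the decisions."""
    genuine, forged = GenuineCard("G-0001", key), ForgedCard("F-0001")
    return {
        "genuine": [terminal.admit(genuine), terminal.admit(genuine)],
        "forged": [terminal.admit(forged), terminal.admit(forged)],
    }


if __name__ == "__main__":
    print(run_scenario(SelfReportingTerminal(), ELECTION_KEY))
    print(run_scenario(ChallengeTerminal(ELECTION_KEY), ELECTION_KEY))
```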
The problems with electronic voting machines should be front page news. These aren’t slight theoretical flaws. They’re a clear and present danger to the foundations of our democracy. Note that I don’t believe the allegations that these flaws are deliberately engineered to throw the election. Occam’s razor digs up carelessness and incompetence long before it gets to malice. Either way, the problems are inexcusable. Secure electronic systems are a well-known field. For example, Diebold also makes perfectly good ATM machines. They should know how to build a secure box.
October 16, 2004 | Permalink | Comments (5)
e-Passport problems

There’s a good write-up in the EETimes about recently discovered flaws with the Department of Homeland Security’s proposed electronic passports. The new passports have an embedded contactless (ISO 14443) “smart-card” chip that stores personal information and (sometimes) a biometric template. The problems come in two flavors: reliability and privacy.
The reliability issues are what you’d expect from a fairly new technology with mandated cross-vendor interoperability: some readers were not able to properly read some passports placed on them. I have no reason to believe that this is a serious problem. Like other standards before it, ISO 14443 will take a few generations to work out the kinks. We at CoreStreet work with many cards and readers and I expect that the number we have to smash (run over, shoot, microwave) out of frustration will decline over the coming months. Remember how hard it was to get Ethernet cards to work correctly in the late eighties? No? Sometimes I think I missed out on some fun in that decade.
The privacy issues are more serious. Basically, since the current standards don’t call for any encryption between the passports and the readers, it’s possible to build a clandestine reader and read passports from a distance:
Using a reader equipped with an antenna, NIST testers were able to lift "an exact copy of digitally signed private data" from a contactless e-passport chip 30 feet away, said Neville Pattinson, director of business development technology and government affairs for smart-card provider Axalto Americas.
Two government officials are quoted with reassurances:
An ICAO spokesman said the organization specifies a contactless "proximity" chip that can be read only within a distance of a few inches. He said he didn't know which chips had been used in the tests but called it "extremely unlikely" that proximity chips could read information from more than 4 inches away.
Unfortunately, the distance limitation on the read has more to do with the antenna on the reader than with the chip on the passport. Four inches is the maximum range for a regular antenna and a fast read time, but significantly greater distance can be achieved with larger antennas and multiple attempts. Radio wave stuff is a black art to me, so I can’t say for certain whether or not it’s possible to restrict the read range on the actual chip, but I doubt it.
Another misleading quote follows:
A Homeland Security spokeswoman confirmed the tests had "demonstrated that if the readers are not designed with appropriate shielding, the data transmitted from the chip to the reader could be detected several feet away."
Once again, the problem has nothing to do with the legitimate readers. You can shield the readers in the finest dwarven mithril, but that won’t stop a rogue reader from getting at your passport data.
The only long-term solution is to add encryption to the cards. This can’t be done in any meaningful way with most current ISO 14443 chips because those cards are not capable of storing a secure private key. The finer points of public key cryptography are beyond the scope of this blog entry, but suffice it to say that the only way you can have meaningful encryption for tens of millions of individual passports is to have individual private keys. There are cards that can do real public/private key stuff on a proximity interface, but this “dual interface” technology (so called because the cards can typically be used in contact or contactless mode) is probably a year or two away from widespread use. Maybe these kinds of findings can spur the industry forward.
In the meantime, the article suggests that it would be extremely impractical for bad guys to build giant covert readers, and that metal-lined passport wallets can minimize opportunities for unauthorized reading. Both statements are true, so there’s no cause for near-term concern. The chips are good enough for now, and “dual interface” cards will clean up the remaining problems over the next few years.
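An added example (not from the EETimes article or this entry) of the distinction the privacy discussion above turns on: a signature on the passport data proves the issuer wrote it, but does nothing to stop anyone from reading it or replaying an exact copy, whereas a chip holding its own private key can answer a fresh challenge that a copy cannot. It goes a little beyond the text by showing that chip authentication step. The RSA is textbook and toy-sized, and the issuer key, chip key and passport record are all constructed.

```python
# Added example: signed-but-readable passive chip vs. a chip with its own private
# key. Toy RSA with tiny primes, purely for illustration; all data is constructed.
import hashlib
import secrets


def toy_rsa_keypair(p: int, q: int, e: int):
    """Textbook RSA from two small primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data: bytes) -> int:
    n, d = private
    return pow(_digest(data, n), d, n)


def verify(public, data: bytes, sig: int) -> bool:
    n, e = public
    return pow(sig, e, n) == _digest(data, n)


ISSUER_PUB, ISSUER_PRIV = toy_rsa_keypair(61, 53, 17)          # constructed issuer key
RECORD = b"surname=EXAMPLE;given=CITIZEN;number=X0000000;dob=1970-01-01"  # constructed


class PassiveChip:
    """The chip the article describes: stores the record plus the issuer's
    signature and returns both, in the clear, to any reader that asks."""

    def __init__(self, record: bytes, sig: int):
        self.record, self.sig = record, sig

    def read(self):
        return self.record, self.sig


class KeyedChip(PassiveChip):
    """A chip that also holds a private key. The issuer signs the chip's public
    key together with the record, binding that key to this passport."""

    def __init__(self, record: bytes, sig: int, pub, priv, cert: int):
        super().__init__(record, sig)
        self.pub, self._priv, self.cert = pub, priv, cert

    def prove(self, challenge: int) -> int:
        n, d = self._priv
        return pow(challenge, d, n)


class CopiedChip(KeyedChip):
    """Everything an eavesdropper can capture (record, signatures, public key)
    but not the private key, which the chip never transmits."""

    def prove(self, challenge: int) -> int:
        return 0  # cannot compute challenge^d without d


def cert_payload(record: bytes, pub) -> bytes:
    n, e = pub
    return record + n.to_bytes(4, "big") + e.to_bytes(4, "big")


def issue_passive() -> PassiveChip:
    return PassiveChip(RECORD, sign(ISSUER_PRIV, RECORD))


def issue_keyed() -> KeyedChip:
    pub, priv = toy_rsa_keypair(101, 113, 3)                    # constructed chip key
    return KeyedChip(RECORD, sign(ISSUER_PRIV, RECORD), pub, priv,
                     sign(ISSUER_PRIV, cert_payload(RECORD, pub)))


def copy_of(chip: KeyedChip) -> CopiedChip:
    return CopiedChip(chip.record, chip.sig, chip.pub, None, chip.cert)


def signature_only_reader(chip) -> bool:
    """Checks only the issuer signature: the genuine chip and a copy look identical."""
    record, sig = chip.read()
    return verify(ISSUER_PUB, record, sig)


def challenge_reader(chip) -> bool:
    """Checks the record signature, the issuer's certificate on the chip key, and
    then a fresh random challenge that only the private-key holder can answer."""
    record, sig = chip.read()
    if not verify(ISSUER_PUB, record, sig):
        return False
    if not verify(ISSUER_PUB, cert_payload(record, chip.pub), chip.cert):
        return False
    n, e = chip.pub
    challenge = secrets.randbelow(n - 2) + 2
    return pow(chip.prove(challenge), e, n) == challenge


if __name__ == "__main__":
    genuine = issue_keyed()
    print(signature_only_reader(copy_of(genuine)), challenge_reader(copy_of(genuine)))
```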
One quote near the end really caught my attention:
Kefauver also speculated that at some point, the contactless chip and passport could be eliminated altogether. Instead, a person's biometric data would be measured at the point of contact and compared with information stored in a central database. That would shift the security concerns from the chip to the network.
Now that seems like a really dangerous idea. The privacy, reliability, performance, cost and security implications of a central database approach are all potentially catastrophic at the scale we’re talking about. Proving this is left as an exercise to the reader.
(But if you have the answers and want a job, drop me a note.)
October 12, 2004 | Permalink | Comments (4)
A suggestion for either candidate
There’s one presidential debate left, but the space I’ve set aside in my head for repetitive bumperstickerism is all filled up and no more spin will fit through my ears. I’d like to see something new. Therefore, even though I’ve otherwise made up my mind, I promise to vote for whichever candidate looks directly into the camera and, punctuated by the loose-fist-with-semi-extended-thumb gesture, delivers the following closing statement:
My fellow Americans,
I like pie.
I like cherry pie.
I like apple pie.
I even like...
Strawberry-rhubarb pie.
But my fellow Americans,
Let me tell you:
Shepherd’s pie.
Is. Not. A. Pie.
Thank you and god bless.
I’ve timed myself doing this speech, and it can be forcefully delivered in thirty-seven seconds. A strong appeal to deep-rooted values and no worries about the two-minute blinkenlights; how could you go wrong?
October 9, 2004 | Permalink | Comments (5)
I register to vote
I’ve been putting off updating my voter registration until just a few minutes ago, when I decided to put off an even more boring task by updating my voter registration.
First stop, www.chooseorlose.com. Flash animations, cheering teens, techno music. “Drew Barrymore Hunts the Elusive Young Voter.” Forget voting, I wouldn’t register to receive free ringtones from this site.
Next stop, www.rockthevote.com. This is even worse. The scrolling banners are making me nauseous and every flash-animated screen has photos of painfully cool youth emoting what I can only assume is a mixture of ridicule and resentment towards my out-of-the-demographic, insufficiently-eXtreme self. I’ve never been so depressed about voting. Someone must have an online “register to vote” site for people who don’t know what a Lil’ Kim is.
Thank the boring gods for the Electronic Frontier Foundation. The EFF’s voter registration page is quick and painless; you put your name and address into a web page and it gives you a filled-in, pre-addressed PDF form that you can print out and stick in the mail. Many thanks to Wendy Seltzer for providing the link. Oh, you can win $200,000 or something.
Done and done, and with ten whole days to go, I can be proud of not having waited till literally the last possible minute. Democracy is just that important! Well, I live in Massachusetts, so my vote has no real meaning anyway. Still, it’s better to be depressed about Electoral College inequity than about being too old for MTV.
September 21, 2004 | Permalink | Comments (1)
Important reminder!
Tomorrow, Sunday September 19th is International Talk Like a Pirate Day. Savvy?
September 18, 2004 | Permalink | Comments (0)
You can so fight that
You know what I hate? Besides people who doubt my robot-reviewing integrity? I hate quasi-profound philosophical arguments that are just plain wrong on their face. This year’s commonly seen example is used as an argument against the “War on Terror” and usually attributed to Michael Moore or Gore Vidal (although I’ve heard this particular chestnut for at least a decade): “You can’t fight a noun.”
You can so.
You can fight an addiction. You can fight a war. You can fight a dog. You can fight a fat man.
You can’t fight City Hall, but that’s just a bad example.
Here’s video proof of me fighting a noun.
Sometimes, the phrase is rendered, “You can’t fight an abstract noun.” That’s a little better, but still incorrect, because you can fight, say, depression. I think “depression” is an abstract noun by this definition:
An abstract noun refers to states, events, concepts, feelings, qualities, etc., that have no physical existence. e.g.: Freedom; happiness; idea; music are all Abstract Nouns that have no physical existence.
Now, maybe Mr. Moore or Mr. Vidal mean that you can’t *physically* fight an abstract noun. As in, “you can’t fight depression by punching.” Even this doesn’t seem to be right because (1) it’s such an obviously narrow statement that it’s not worth making, and (2) if you punch a depressed person, you probably could snap him out of depression at least for a bit. Or maybe you could punch a mime in front of a depressed person. That would probably cheer him up (the depressed person, not the mime), and if your goal was to get rid of the depression then you can’t really be said to be “fighting the mime.”
Occasionally, the person using this argument starts to feel the linguistic thin ice cracking under their mixed-metaphorical feet, so they try to button up the phraseology: “You can’t fight a war against an abstract noun.”
Better still, but gibberish nonetheless. The accuracy of that phrase hangs on your definition of “war”. If you only mean literally blowing things up with tanks, then I guess that statement could be technically correct. On the other hand, we did pretty well fighting a war against the abstract nouniness of “fascism” in WWII and I believe that blowing things up with tanks was a cornerstone of our persuasive arguments. More recently, a “cold war” against hyper-abstract “communism” also produced some results. Then there’s always the expression, “war of words”. What do we make of that?
Anyhoo, the point is that while you may be able to find plenty of arguments against the specifics or generalities of the “War on Terror”, you ain’t gonna find them in your Strunk and White.
Please don’t write in to explain what these people meant to say. I’m not making a political statement here, only pointing out that what they did say is stupid. Social debate would be better served if both sides stayed away from this kind of bumper-sticker sloganeering in the first place. This is not Mr. Moore’s first warning, either.
And don’t get me started on the current right-wing and pseudo-scientific favorite, “You can’t prove a negative!”
You can so!
September 8, 2004 | Permalink | Comments (12)
Balanced ticket
Everyone knows that “one person, one vote” is both the bedrock principle of democracy and totally inapplicable to US presidential elections. That’s common knowledge, but I was curious about just how uneven the process is, so I did a bit of Electoral College arithmetic to figure out the difference in “voting power” between voters in different states. (For my international readers, here is the official FEC explanation of how US presidential elections really work - and I’m glad to see that not too many tax dollars are being spent on web design there.)
To find the “voting power” of each voter by state, I divided the total number of eligible voters in each state by the number of that state’s electoral votes. By this (admittedly flawed – see the disclaimer) math, the Bush/Cheney ticket represents both sides of the electoral power spectrum. Somehow, I don’t think we’ll see any bragging.
The most “powerful” voters are in Vice President Cheney’s home state of Wyoming (123,473 eligible voters per electoral vote). President Bush’s state of Texas has the third “weakest” voters (467,091 eligible voters per electoral vote). The only two states with weaker ratios are more-populous California (469,040:1) and more-geriatric Florida (486,619:1).
This means that George Bush would have to vote 3.78 times to get the same electoral effect as one vote cast by Dick Cheney. This just might be possible with them newfangled closed-source, paperless e-voting machines.
By contrast, John Edwards’ vote is only worth 1.03 Kerry votes. Here’s a quick spreadsheet I made of all the states: (HTML or .xls, .csv) All data is from the US Census Bureau.
I’m not sure how to feel about all this. On the one hand, the Electoral College bias in favor of small states seems statistically unfair. On the other hand, it encourages particularly politically active people to move to less populated areas – and away from me.
This brings us to our next Vastly Important Poll:
[Disclaimer: This analysis is flawed for at least three reasons.
1. Population data is from the latest July 2003 estimate, but demographic data for 18+ percentages is from the 2000 census. This is probably a very small error.
2. Immigration data is not included. Non-naturalized immigrants (legal and illegal) count towards the population total but are not eligible to vote and will therefore skew the given ratios. This is probably a small error.
3. The “winner takes all” nature of most state electoral delegations is probably a bigger contributing factor to voter influence than the ratios presented here.]
September 1, 2004 | Permalink | Comments (7)
Common ID mandate
Last Friday, the White House issued a presidential directive calling for a “Policy for a Common Identification Standard for Federal Employees and Contractors”. The policy is mandated to be completed by March 2005, and by November 2005:

“… the heads of executive departments and agencies shall, to the maximum extent practicable, require the use of identification by Federal employees and contractors that meets the Standard in gaining physical access to Federally controlled facilities and logical access to Federally controlled information systems.”
This is big news: a common standard for identification credentials to be used for both physical and logical access for the roughly 60 million US government employees and contractors. The contractors have a very important role to play. Once big contractors like Boeing, SAIC, Raytheon, etc. start giving smart cards to all their employees for use on government work, they’ll naturally want to leverage the investment on the commercial side as well. I’ve often said that real credentials and validation are the only ways to solve common problems such as phishing and identity theft. Just as with the development of the Internet, the federal government is once again the main initial catalyst for new technology that’s going to change the foundations of mainstream business transactions in the near future.
The big question: If this grows past government employees, can we do it without infringing on people’s rights? I think we can.
[The small question: Is the “near future” near enough for my investors to make a healthy return? I think it is.]
August 30, 2004 | Permalink | Comments (0)
I asked for a debate
There’s a pretty good and lengthy discussion brewing in the comments section on my last post about national IDs. I say this as a service to my RSS and bloglines readers who, as far as I can tell, do not normally get to see comments (and who don’t show up on any of my page view stats). Oh, you’re so smug.
August 23, 2004 | Permalink | Comments (0)
E-Voting radio link
The Viewpoints Radio e-voting interview I did last month is up on the web. Here’s the audio clip (Windows Media, 2:32 minutes) and my blog entry from when it happened.
Viewpoints Radio bills itself as, “Compliancy-based public affairs” and runs weekly on 250 radio stations. According to my calculations, that means there’s a 6% chance that my rambling about public disclosure of voting machine innards is interrupting somebody’s smooth-jazz marathon right now.
August 21, 2004 | Permalink | Comments (0)
Report or publish or shut up?
I saw a CNN reporter make a nontrivial on-air security flub while making small talk at the start of last week’s Democratic convention. The reporter and morning anchor were speculating whether or not John Edwards would run for president in 2008 or 2012, and the reporter said something like, “Elizabeth Edwards refused to say if her husband was considering a run, but she told me that she just found out that the two of them were staying in hotel room 2012 during the convention and she thought that that room number was a good omen.” “Har har”, said the anchor, “and now for these messages.”
Broadcasting the vice presidential candidate’s room number on live TV is an innocent mistake, but a pretty bad idea. Of course knowing the room number by itself is not sufficient to mount an attack, but it’s a sensitive part of the multi-layered security policy. There are certain conditions, for example a terrorist having infiltrated the hotel maintenance staff and having access to the VIP floor, where the room number might be the last piece of the puzzle. It may be far-fetched, but there’s a good reason that hotels don’t disclose this kind of information. Elizabeth Edwards should know better, but so should CNN.
I wasn’t sure what to do after seeing the broadcast. Eventually, and rather sheepishly, I decided to send an email to the Secret Service and the FBI and to hold off writing about it in the blog until after the convention was over. The odds that this slip could have had an impact on convention security were very small, and I suspect that the authorities picked it up before hearing from me. Still, it didn’t seem right to publicize it at the time. I never heard back from either agency.
Speaking of security flaws, I think I spotted a fairly big procedural one at an airport just now. I’ll go through my list of TSA contacts before posting it here, but I wonder if that’s the best approach. Is the increased chance of corrective action due to a public airing of the problem worth the tiny chance that some attacker will learn about and exploit the flaw from the publicity?
August 5, 2004 | Permalink | Comments (1)
Convention Eve
If somebody had told me four years ago that all protesters at the Democratic convention in 2004 would be corralled into a razor-wire enclosed holding pen un-ironically called the “Free Speech Zone”, well, I would have probably thought that they were more or less correct. It’s still mighty creepy though. I’m no student of architecture, but from seeing the place a couple of days ago I’m pretty sure it’s done up in early Camp X-Ray style. The design seems to be as much intended to keep potential protesters at home as to keep the people who actually manage to show up well behaved. This might all be necessary – it’s hard to know right now.
I think I’ll try to get down to the convention site in the next day or two just to see what the scene is like live and in person. I’m especially curious if the “free speech” area is only for protesters or for all demonstrators (pro and anti-convention alike). Some of the security arguments seem to get pretty weak if mobs of supporters are subjected to less supervision than mobs of protesters. Will a “Kerry / Edwards” sign really get someone closer to the action? We’ll see.
July 25, 2004 | Permalink | Comments (0)
Planning ahead
“When I was a child, people used to talk about what would happen by the year 2000. For the next thirty years they kept talking about what would happen by the year 2000, and now no one mentions a future date at all. The future has been shrinking by one year per year for my entire life. I think it is time for us to start a long-term project that gets people thinking past the mental barrier of an ever-shortening future.”
Daniel Hillis, The Long Now Foundation
With plans to build a 10,000 year clock, a site for placing centuries-long bets and other keen long-term projects, the Long Now Foundation is worth a look.
July 18, 2004 | Permalink | Comments (2)
Sir Linksalot
Hearty congratulations to Tim Berners-Lee, the man most qualified to be called the inventor of the World Wide Web, on officially receiving his British knighthood yesterday. If it wasn’t for Sir Tim’s work, I’d be maintaining someone’s FoxPro database right now.
July 17, 2004 | Permalink | Comments (0)
E-Voting interview
I did a pre-taped radio interview on the topic of electronic voting today. It should air in the next few weeks. My two main points were:
1. Full public disclosure and strong auditing of the source code and all other details of an electronic voting system are necessary for public trust. No voting system that relies on obfuscation for security should be placed into service.
2. A paper trail is absolutely necessary, for now, to validate election results. In a few years, it may be possible to phase out paper completely once a strong digital-certificate based credential (like the U.S. Military’s Common Access Card) makes it into the hands of voters.
Many of my views on electronic voting have been informed by Edward Felten over at Freedom to Tinker.
July 12, 2004 | Permalink | Comments (2)
Let's put some science into the terror alert debate
Is the U.S. government playing politics with recent terror warnings? I don’t really care. What I care about a lot more is: are those warnings effective? Fortunately, while people arguing the first question are probably not really interested in finding an answer, the second question should yield fairly well to dispassionate analysis.
Hype and political considerations aside, the two most frequently heard arguments in the debate over the value of periodic but vague terror alerts by the U.S. government are:
Con: The alerts make people apprehensive and afraid. This hurts our society (the “terrorists have already won” argument) and diminishes the impact of future alerts (the “boy who cried wolf” argument).
Pro: Even though the alerts may make people nervous, they also remind people to be vigilant. Since information is the most important weapon in the fight against terrorism, an attentive citizenry is worth some disruption to daily life (the “price of freedom is eternal vigilance” argument).
Both points are plausible, but are they true? I’m not sure, but there’s probably some useful behavioral data out there that could be used to evaluate the competing claims.
For example, is the “boy who cried wolf” phenomenon measurable in the real world? Surprisingly, not everything named after a fairy tale is completely reliable. In other words, are people who are repeatedly subjected to false alarms actually less likely to react effectively to a real emergency situation? After all, most military and emergency workers are constantly drilling with “false” alarms and no one seems to feel that this compromises their readiness. Of course these teams are repetitively practicing specific skills, not just being repetitively told to be anxious. Maybe that’s the difference.
Similarly, is the “vigilance” claim accurate? Are people who are repeatedly told to be on guard actually better able to identify and respond to emergency threats than people who are more relaxed? Many skydiving or SCUBA instructors go to great lengths to teach their students how to be physically relaxed in dangerous situations; the justification being that an attentive but at-ease mind is more effective at coping with unexpected circumstances. Does this logic apply to national terror alerts?
These are fairly narrow questions which are well suited to scientific investigation. Much of this investigation has almost certainly already been carried out in the past half-century. I’d like to see the media focus on reviewing relevant data from commercial, government and academic sources before bringing on the next set of political experts to fling unverifiable mud at each other. Ain’t my naïve idealism cute?
July 10, 2004 | Permalink | Comments (0)
Ask a softball question…
My brother Mark pointed me to a recent New York Times interview with Arnold Schwarzenegger. When asked to describe his governing philosophy after unseating Gray Davis in the California recall, Schwarzenegger reached back for a quote from his days in the arts:
"Crush your enemies, see them driven before you and hear the lamentations of their women." (Conan the Barbarian, 1982)
That’s funny!
Of course, I’m jealous because my governor doesn’t say anything cool. Also because the fine state of California can look forward to an endless supply of such answers. For example, here are some other ways that question could have played out:
NYT: Governor, what is your governing philosophy seven months after toppling Gray Davis in the California recall election?
A.S.: "You should not drink and bake!" (Raw Deal, 1986)
NYT: Governor, what is your governing philosophy seven months after toppling Gray Davis in the California recall election?
A.S.: "I'm not into politics. I'm into survival." (The Running Man, 1987)
NYT: Governor, what is your governing philosophy seven months after toppling Gray Davis in the California recall election?
A.S.: "I don't know what the problem is, but I'm sure it can be solved without resorting to violence." (Twins, 1988)
NYT: Governor, what is your governing philosophy seven months after toppling Gray Davis in the California recall election?
A.S.: "I just had a terrible thought: what if this is a dream?" (Total Recall, 1990)
NYT: Governor, what is your governing philosophy seven months after toppling Gray Davis in the California recall election?
A.S.: "I'm the party pooper." (Kindergarten Cop, 1990)
NYT: Governor, what is your governing philosophy seven months after toppling Gray Davis in the California recall election?
A.S.: "My mission is to protect you." (Terminator 2, 1991)
NYT: Governor, what is your governing philosophy seven months after toppling Gray Davis in the California recall election?
A.S.: "If I break it, they can take it outta my pay." (True Lies, 1994)
NYT: Governor, what is your governing philosophy seven months after toppling Gray Davis in the California recall election?
A.S.: "That's enough philosophy for now." (The 6th Day, 2000)
It’s a speechwriter’s dream. As a side note, I just noticed that “Schwarzenegger” is a built-in word in the standard Microsoft Office spellchecker. That may be his most impressive achievement yet.
[All the quotes are from IMDB. How much work did you think I was going to put into this?]
July 1, 2004 | Permalink | Comments (5)
The other shoe
[This is the third, and longest (yikes) part of my “Too Frequent Traveler” series. See parts one and two.]
Many flight attendants are so practiced at constantly repeating the same things at the same times that their body language subtly changes when they’re about to say something new. I saw this happen a few days ago while struggling to simultaneously tie my shoe and buckle my seatbelt after a clumsy sprint from airport security to the gate. At the conclusion of a stiffly rendered pre-flight safety video, the lead flight attendant paused oddly before announcing:
“What our new safety video didn’t mention is that if you have to put on your life jacket in the event of a water landing, please inflate only one side inside the cabin and wait until you’re outside to inflate the other side. That’s not going to happen today since we’re going to have a great, landlocked, flight from Chicago to San Jose.”
This must be a fairly new policy since I distinctly remember snickering at past safety brochures and videos that clearly depicted eerily calm people dutifully blowing into their air vests while the voice-over admonished real-life passengers NOT to inflate their vests inside the plane. Here’s my completely uneducated guess about how this happened: Once there were two panels of industry experts. One panel argued that obese people with inflated vests might get stuck in the emergency doors. The other panel argued that poor swimmers might panic upon hitting the water and lack the presence of mind to inflate their vests. They commissioned a study to determine the ratio of obese people to poor swimmers on domestic and international flights. After much debate, a compromise was reached: tell passengers to inflate only half the vest. A number of routes were selected to participate in a pilot study of the newly revised announcements. Naturally, to minimize risk, they were all completely over-land routes. The follow-up study to determine the optimal half to inflate first is still in progress.
Perhaps I’m being unfairly pessimistic about this new “half-full” policy, but common sense is not the strong suit of the American air travel security system. Neither is openness to questions. This is a shame because arbitrary, opaque and confusing procedures are exactly what’s wrong with flying today. Opaque security slows down the process, strains already overworked personnel and leads to passenger resentment and disenfranchisement. This last side effect blunts the industry’s best anti-terror weapon: The vast majority of travelers would be more than willing to help with security if they only understood the reasons behind the policies. There is a big difference between actual help and the type of passive-aggressive “cooperation” that we’re habitually being thanked for when subjected to inconveniences and delays. Passengers can’t help the system if they’re kept in a perpetual state of surreal resentment and confusion. Who even knows what’s normal in airports these days? That guy running around with no pants? Maybe he just had to remove his belt for the metal detector and is about to miss his plane.
Let’s get rid of the arbitrary stuff, the confusing stuff, the misleading stuff and the silly stuff. Instead of fear and bemusement, let’s earn the useful respect of the public. What do I mean by arbitrary and misleading? Everyone’s got their favorite illustrations:
I was once granted an extra-thorough search for simply asking why my flimsy cardboard poster tube couldn’t be brought as a carry-on (it was “club-like”), and I’m nearly paralyzed with fear at the sight of those “No Joking!” signs present at many screening checkpoints. What if I only look funny? When I asked a high-ranking member of the TSA why my friend was subjected to extra searching on each of his last dozen flights, I was assured that it was purely “random.” There’s “flips a coin” random and then there’s “moves in mysterious ways” random. The government is not an institution that ought to be permitted the latter definition.
Another problem with arbitrary policies is that security personnel don’t understand them either. Poor understanding often leads to poor execution, which often leads to funny results. Unfortunately, funny isn’t the goal.
For example, when my wife and I were returning from Alaska, we brought four suitcases to the check-in counter. The ticket agent punched in some numbers and told us that while my bags were cleared for check-in, my wife’s had been selected for a random hand-inspection. The agent wanted to know which bags were my wife’s. I tried, “Um, they’re all mine”, but she dutifully informed me that we were allowed only two bags per person and so would I please select which two were mine – and would therefore go straight on the plane, and which two were my spouse’s – which we would have to take back and carry to another line for hand-searching. Had I hypothetically stashed a box of Cuban cigars in one of the bags, that would have been a hypothetically good time to remember which one. At least I didn’t make a joke!
This is making us safe?
Ralph “Where’s” Waldo Emerson famously wrote, “A foolish consistency is the hobgoblin of little minds…” I used to love that quote in junior high school because (1) it justified the state of my room and (2) I knew what a hobgoblin was. Thing is, I didn’t do a lot of business travel in junior high. Now I think a bit of consistency is just what good and lawful security should have.
Take the selection of cutlery that gets served with in-flight meals. On domestic flights, I always get plastic butter knives, but in international business class I often get metal ones – even when departing from a U.S. airport. The dull two-inch blades are completely non-threatening and someone attempting to wield one in a melee would find themselves at a severe tactical disadvantage against any sufficiently blunt object. But why allow the knives on some flights and not on others? Why make such a transparent mockery of security procedures? Much of the time, the plastic knife comes with a sharp metal fork. Did someone decide that it was less dangerous to get forked than buttered? I smell a committee compromise.
On a recent flight from Japan I was actually given five knives – three for dinner and two for breakfast. By TSA logic, that would have been enough to fight off a whole ninja clan, should one have stowed onboard. Also, do they allow women’s stiletto heels on-board? Hang on while I look… they do!
Which brings me full circle to my favorite example of pseudoscientific and counterproductive airport security: the shoe removal ceremony. This started immediately after the “shoebomber” incident and many people think it’s done so the shoes can be checked for explosives. This is patently not true – the shoes are simply run through the x-ray machine so they don’t set off the main metal detector. The fact that shoes don’t set off metal detectors in any other country just proves that the sensitivity on US metal detectors is jacked up to 11. A couple of times, I’ve seen a TSA employee walk up and down the security line and scan shoes with a wand so as to warn people in advance if their shoes had metal in them. I’m fairly certain that the wand was set to detect homeopathic amounts of metal, because it went off on literally every single shoe he scanned – including the “airport friendly: contains no metal” shoes I had just purchased for the trip. Of course everybody knows that sneakers don’t have metal, so he didn’t bother scanning those.
Taking off shoes and belts is not just frustrating. It actively hurts security by creating a mass of disorderly, irritable and partially disrobed passengers clogging up the line. That kind of confusion is exactly what a patient terrorist needs to better his chances of exploiting the system. Some expert panel really ought to study this carefully. Of course should it come to that, I’ve got the perfect compromise: hold your pants up with one hand and hop through on only one shoe.
[The TSA and airline security folks have a very tough job. Despite my criticism in the last two parts, there's a lot that they're doing right. The next and final part will be about the stuff that works today, the stuff that'll work soon, and how to get there from here.]
June 28, 2004 | Permalink | Comments (1)
Don’t [expletive deleted] where you eat, my friend
You’d think with corporate email becoming virtually useless as a customer communication medium due to spamming and phishing, serious companies would be a little more careful to preserve the customer-trust level of written letters.
You'd be wrong.
Here’s an important looking envelope from United (airlines) with one of those telegraph-delivery stickers attached to the outside. Open it and... Oho! It’s just a trick to get you to subscribe to another unwanted credit card. The telegraph sticker is a printed-on fake.
How exceedingly clever of United! Now I’ll be extra-certain to give their next piece of communication all the critical attention it deserves. I’ll especially treasure their emails. After all, if they’re so fastidious about keeping costly paper mailings honest just imagine the care they must put into their bulk email.
If anyone from the United marketing team is in the audience, I recommend two additional pieces of reading: One and two.
And you wonder where the scammers learned their tricks.
[Update: Where do I send the bailout check?]
June 23, 2004 | Permalink | Comments (1)
The law won
Looking out for the disadvantaged is a longstanding, if somewhat unevenly applied, veneer on the American legal tradition. Even our symbol of justice is a blind lady (I know she's only pretending - just go with it). While much of the time, this outlook is a welcome assurance that we live in a civilized society, sometimes it’s a bit too earnest and silly. While doing some research into European commercial office regulations (as a service to my readers, I will not provide the link), I was reminded of an interesting run-in with the corresponding U.S. rules.
About two years ago, when CoreStreet was just over a dozen people, our offices were two adjacent rooms in a (not very recently) renovated 19th century commercial horse stable. It was an inconvenient setup because even though the two rooms shared an interior wall, to walk from one to the other required going out one door, down the long hallway and in through the other door. This added a couple of hundred feet to the walk and required fumbling with keys two times per trip. Among our neighbors on the floor was some sort of “training” center. We never figured out what they taught, but judging by the condition of the single common bathroom, it may well have been toilet training. We kept our doors locked at all times.
When I finally got tired of the constant locking and unlocking, I asked the landlord if we could just punch an opening through the interior wall and connect the two rooms. We would even be willing to prolong our lease. The landlord agreed.
A few days later, we ran into a snag. The floor layout permitted only a single place where an opening could be constructed, and the space would be a tad too narrow to comply with ADA (Americans with Disabilities Act) standards. The landlord couldn’t put in the door because it would not be wheelchair accessible. I proposed that we leave off the door and just make it a hole. That wasn’t good enough. I pointed out that the new plan would actually improve wheelchair accessibility because it’s easier to drive a wheelchair through a narrow doorframe than through the current configuration which, I reminded the landlord, was a SOLID WALL. Plus, anyone who couldn’t get through the new opening could always use the existing hallway doors. The landlord agreed that this was plausible, but upon consulting with the experts decided that it was still not legal to punch a hole through an interior wall of his own building.
In the end, everything worked out for the best. We were forced to relocate to our current and much swankier digs. Now, in addition to wide open spaces, big doors and spotless bathrooms, we actually pay less rent per square foot due to the drop in prices from when we signed our first lease to when we signed our second.
Who says that government regulation hurts small business? Well, our first landlord does, but what does he know?
May 31, 2004 | Permalink | Comments (1)
Lame Name
There are many security related bills, acts, resolutions and laws being bandied around on Capitol Hill. The serious implications of most of them have been debated at length. I’d like to pick up the slack on discussing the least-serious aspect of lawmaking in America. The dumb names. I hate bill names that are obtuse, strained acronyms – especially ones that are blatant attempts to influence support by sounding patriotic, cute, catchy, innocuous or self-praising. Here is a brief selection of recent bill names which show the level of respect our lawmakers have for our reasoning skills:
USA PATRIOT (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001)
The undisputed champion of bloated, unnecessary names. Apparently there was no existing adequate expansion of “U.S.A.”, so a new one had to be invented. Also, due to a failure of linguistic dexterity on the part of some congressional staffer, the US (“United, Strengthened”) government is not authorized to Stop or Prevent terrorism, only to Intercept and Obstruct. While the law itself is a complex issue, the name is clearly mock-worthy.
SAFE (The Security and Freedom Ensured Act of 2003)
This is supposed to be a way to “rein in” the USA PATRIOT Act, but the name is even more Orwellian.
VISA (Visa Information Security Act of 2001)
An early forerunner of the current VISA act, mostly focused on biometrics. Gets bonus points for being a recursive acronym. Good job!
VISA (Visitor Information and Security Accountability Act of 2003)
Generally makes it harder for certain classes of foreign visitors to enter the U.S. Some of the proposed ideas are clever. Some are too clever. Then there’s the stuff about the bounty hunters.
VISA (Visitors Interested in Strengthening America Act of 2003)
Generally makes it easier for certain classes of foreign visitors (Mexican children and accompanying adults) to enter the U.S. Pretty much the opposite of the other VISA acts. Take that already apathetic and confused American voting public!
CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003)
Least. Effective. Act. Ever. Plus, wouldn’t it have been better to call it CAN’T-SPAM?
---
Now is the time on "Vastly Important Notes" where we help the reader(s) with their careers. Answer this interview question for a shot at a job with a high-power Washington lobbyist firm:
We want to advocate a bill which calls for unbridled evil to be loosed upon the land. We want to call it the KITTENS Act of 2004, because no one will be against KITTENS in an election year. Think of what KITTENS can stand for.
Bonus interview question for a geek job at CoreStreet (we’re hiring):
What is the word for these kinds of bill names anyway? They’re not really acronyms or backronyms (because it isn't unintentional) or bacronyms (because I don’t think the staffers try to get to a particular word, just a general theme). Perhaps we need a new word. How about "Crapronym”?
February 6, 2004 | Permalink | Comments (0)
Patent Medicine
Apparently IBM has patented a method of paying programmers to work on open source software. This is a fantastic development for those of us under doctor’s orders to get more irony in our diet. The new patent is U.S. No. 6,658,642. Actually, I’m willing to give IBM the benefit of the doubt on this one. The idea itself seems reasonably novel. Maybe they intend to offer free licenses to this patent to all open source software workers as a way of protecting the community. That would be swell.
Now, I’m the last person on the planet who should be complaining about U.S. patent law, but sometimes an application gets through that seems - bear with me while I search for the right word… ah, here we go – unsound. As a service to my readers, I’d like to offer a guaranteed (“guarantee not guaranteed”) way of protecting yourself from being unreasonably sued for patent infringement in the future:
Step 1: Obtain a business process patent on the idea of “Making Money by Suing Other Companies and/or Individuals for Patent Infringement.” (You’re thinking this won’t work because only one person can own such a patent – you’re overestimating my audience.)
Step 2: Wait until someone sues you for patent infringement, then BAM! You got ‘em for violating your patent from step 1.
Legal scholars and fans of recursion may note that many currently litigious companies may claim “prior art” on your patent since they’ve been suing people for years before you filed your application. You’d probably settle out of court long before this comes up, but if you insist on even more devious protection…
Step 3 (advanced): After obtaining the patent from step 1, obtain another patent called, “Defending Against the Patent From Step 1 By Claiming to Have Prior Art Based On Having Sued People in the Past.” Aha! Now you've got ‘em coming and going.
NB: Before following any legal advice from me, please remember that I am not a licensed attorney and may not always place your best interests above having a good laugh.
January 27, 2004 | Permalink | Comments (0)