Everything you need to know about Web/Tech.


Evernote Screencast

If any of you are wondering what I've been doing at Evernote these past few months, we're officially above the radar now!

YouTube quality is a little poor, so there's a high-rez version at www.evernote.com/video/. The line to get into the closed beta is already pretty long, but if you write in and say that you're one of the six or seven people that read this blog, I'll see if I can bump you up a bit.

Wish us luck!

February 21, 2008

Computer Talk with Dave Mason

I'll be Dr. Dave's guest on the radio and the interwebs in about ten minutes, leaking top secret details about the next major release of EverNote.


[Update: That was fun. Dr. Dave and "Evil" Steve had some very kind things to say and I hope I didn't scare away too many people. You can listen to the audio here. I'm on hour 2, segment 7 and segment 8.

If I sound muffled it's because I'm crouching on my stairs, trying to shield the phone from a horde (pinch? mass? lard?) of shrieking Rachel Ray fans right outside my window. I think she's signing her new book, "Cook 30-Minute Meals With No Talent, Taste or Flair". Was that bitter?]

December 15, 2007

Your Brain is Bigger Than Your Head

There have been a lot of changes in my life these past few months. Let's dive right in:

I stepped down from my day-to-day responsibilities at CoreStreet. After much soul-searching I decided that, while government-focused security and identity programs have their certain charms, I wanted to do something more mass-market focused. I'm still on the board of CoreStreet and involved as an advisor and general curmudgeon. CoreStreet was an awesome experience and I'm proud of the work we did. The company is in great hands now and I expect big things from it in the future. More on this later.

After nineteen years in Boston, I moved to California. One more year and I would have been officially "from" New England, so it was now or never. We're now living in San Jose in a giant outdoor mall. It's weird, but good. But weird. More on this later.

I became the CEO of EverNote. We make software that's going to let several zillion users capture, recall and share all their memories; basically a high-tech "external brain" that frees your normal brain up to do more interesting things.


There's a nice meme around this developing in the media in recent weeks. Clive Thompson wrote a good feature in last month's Wired and David Brooks picked up the theme in the New York Times a few days ago. Just this morning, Chris Morrison wrote about the "outside brain" in a nice VentureBeat article about us. EverNote is a great company that's been around for a few years and I'm thrilled to be on board for all the big changes coming in the next few months. Much more on this later.

October 29, 2007

Worst description of Apple TV ever

I snapped this picture from my TV screen on a recent JetBlue flight. Truly, The New York Times is a master of all new media.


Changing the quote thusly might make it more true, although no more informative:

"David Pogue reviews Apple TV, which cannot connect your computer to your TV and which includes several wires."

August 29, 2007

Unboxing the new iMac

[Image: Ti994a]

August 10, 2007

On not punting to the user

While I'm getting a bit sick of the new Mac ads, the one about security is exactly on target.  I'm not talking about the actual security characteristics of Vista vs. OS X (much of the advantage Macs have in this regard is doubtlessly due to their relative obscurity and will dissipate in direct proportion to the success of these ads), but about the security industry as a whole.

We need to find the right balance.  It's somewhere between:

"Off with your shoes because we said so!"

and

"lanpak32.dll is attempting to increment the CX register [allow/deny]?". 

I'm not sure exactly where the balance lies, but making the user experience the forefront of every design decision is probably the only reliable way to find it.

February 14, 2007

A Realistic Plan For Saving Air Travel

There's recently been a lot of hand-wringing that the air travel experience is on an irreversible spiral to unbearable levels of craptitude. Fear not! By thinking outside the box I have come up with a way to change the paradigm and simultaneously exploit win-win synergies between security and economic stakeholders. Here's how the brave new world of air travel is going to work:

1. RFID chips will be in everything - all your clothes, toiletries, electronics, underwear, etc.

2. When you show up at the airport, you'll walk through a scanner which will instantly compile a full catalog of everything you're wearing and carrying using the above mentioned RFID chips. This information will be stored in XML!

3. You'll take off your clothes and put on a stylish paper gown. All of your clothes and other possessions will be placed into a box and incinerated.

4. You'll board the plane in your gown. Since everyone on board will be similarly attired, you'll enjoy a relaxed, spa-like atmosphere. Business class seats will offer a complimentary electro-pneumatic massage ($12 in coach).

5. As you fly, the information about your possessions will be electronically sent (via XML!) to a new joint venture between Air Mall and Amazon.com. Assuming all your brand licenses are up to date, an exact duplicate of all your clothes and possessions will be just-in-timed to your final destination.

6. Once you arrive and clear security a second time, you'll be given new copies of all your stuff. An efficient waiting area will be provided for people whose new clothes haven't arrived yet.

Think about it: total security and a big boost to our RFID, XML, PPRM (Physical Possessions Rights Management) and logistics industries! Low cost off-shore manufacturing gets a hand as well and who cares about quality when that Hugo Boss suit only has to survive until your next flight?

As an alternative to incineration, I suppose that your items could be cataloged, sanitized and given out to people traveling in the opposite direction, but that sounds like defeatist tree-huggery to me. The other alternative, low cost air-taxi service using a new generation of affordable light planes that are convenient, efficient and too small to be interesting terrorist targets, is just rampant crazytalk.

XML!

August 11, 2006

Split the difference

I have a suggestion for how Google can atone for their free speech sin of agreeing to censor results in their Chinese version to comply with Chinese government web rules.  Since they'll have to implement algorithms to automatically determine which results to omit in the Chinese version, they can also make a version of the search engine that displays ONLY the stuff censored in China.  Of course this version will only be accessible outside of the PRC but, meh, it's a start.

Note to my Chinese business associates: Joke!

January 25, 2006

A better name

Microsoft announced today that its new operating system, formerly known by the codename Longhorn, will officially be called "Windows Vista".  Early reactions to the new name have been mixed.  I'm not sure how I feel about the name, but I do like the fact that Microsoft is finally playing off the whole "windows" theme in their branding while giving users a subtle hint at what to expect from the future OS.  Along those same lines, I might have suggested that they go with, "Windows Pane" instead.  Maybe there's still time.

[Update: Thank you, I'll be here all week.]

July 22, 2005

I've been podcasted

I've never listened to a podcast before; I'm too old, and back in my day we just called them mp3 files. Until today!

InfoWorld's Jon Udell has just podcast (is this the right tense?) an interview with me talking about the convergence of physical and IT security. Forty minutes of hard-rockin' talk on FIPS-201 standards is exactly what all the cool kids will be jamming to while waiting for the, um, ski lift.

Sorry, the air conditioning in our building is down today. I'm going to have words with my landlord about the convergence of sweaty programmers and the withholding of the rent.

July 20, 2005

New version of SpoofStick for Firefox

A new version of SpoofStick is out for Firefox.  Version 1.05 addresses two of the most common recent user comments:

  1. Addresses the recently discovered Mozilla "IDN" vulnerability described at http://www.shmoo.com/idn/.
  2. SpoofStick is now a draggable, resizable toolbar button.

As always, you can download the latest version from the SpoofStick home page.

February 10, 2005

Smart use of cell phones

Bruce Schneier reports on a good idea: using a cell phone to provide two factor authentication for secure websites.  For example, when you try to transfer more than $2,500 on an online banking site, the site can send your phone a random code via SMS which you then have to type into the site before the transaction can be processed. 

Of course, you have to register your cell phone number with the bank, which might be a slight privacy concern.  You also have to have your cell phone handy when browsing the site.  I don't usually keep my cell phone near my home computer, but I guess getting up off my ass whenever I want to pay someone a couple of grand is not wholly unreasonable. 

This is one of those elegant, clever and practical security ideas that I wish I'd thought of first.  It's not as secure or convenient as having a real smart-credential based system, but it doesn't require any new infrastructure and can easily be implemented right now.  Maybe someone that already knows your cell phone number (like the cellular carrier) can map customer numbers to some kind of blind ID and offer the two-factor service as a B2B service to secure website providers.  If this was 1999, I'd have a PowerPoint business plan around that idea by now.

Thanks to Dave Engberg for the link.
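The SMS step-up flow described above, written out as an added example (not from the post, and not any bank's code): transfers at or under the threshold are approved outright, anything larger is parked behind a freshly generated six-digit code that must be echoed back before it expires, and a short attempt limit keeps a six-digit code from being guessed. The `send_sms` gateway callback, the $2,500 threshold from the post, the five-minute lifetime and the three-attempt limit are assumptions of the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

STEP_UP_THRESHOLD = 2500.00   # transfers above this amount need an SMS code (the post's figure)
CODE_TTL_SECONDS = 300        # a code is only good for five minutes (assumed)
MAX_ATTEMPTS = 3              # wrong guesses before the code is thrown away (assumed)


@dataclass
class PendingTransfer:
    amount: float
    code: str
    issued_at: float
    attempts: int = 0


class StepUpAuthenticator:
    """Out-of-band SMS confirmation for large transfers (constructed example).

    send_sms is a hypothetical gateway callback, send_sms(phone_number, text);
    clock is injectable so that expiry can be exercised without waiting.
    """

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms
        self._clock = clock
        self._pending = {}  # transfer_id -> PendingTransfer

    def request_transfer(self, transfer_id, phone_number, amount):
        """Approve small transfers; park large ones behind a freshly generated code."""
        if amount <= STEP_UP_THRESHOLD:
            return "approved"
        # secrets, not random: the code must be unpredictable to anyone watching the site
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[transfer_id] = PendingTransfer(amount, code, self._clock())
        # the code goes only to the phone number the customer registered with the bank
        self._send_sms(phone_number, f"Code to confirm your ${amount:,.2f} transfer: {code}")
        return "code_required"

    def confirm_transfer(self, transfer_id, submitted_code):
        """Release the transfer only if the code from the phone is echoed back in time."""
        pending = self._pending.get(transfer_id)
        if pending is None:
            return "no_pending_transfer"
        if self._clock() - pending.issued_at > CODE_TTL_SECONDS:
            del self._pending[transfer_id]
            return "expired"
        pending.attempts += 1
        submitted = str(submitted_code).strip()
        # constant-time comparison; a six-digit code also needs the attempt limit below
        if not submitted.isascii() or not hmac.compare_digest(pending.code, submitted):
            if pending.attempts >= MAX_ATTEMPTS:
                del self._pending[transfer_id]
                return "locked"
            return "wrong_code"
        del self._pending[transfer_id]
        return "approved"


if __name__ == "__main__":
    # constructed walk-through with a fake SMS gateway that just prints the message
    auth = StepUpAuthenticator(lambda phone, text: print(f"SMS to {phone}: {text}"))
    print(auth.request_transfer("t-1", "+1-555-0100", 120.00))    # small: approved
    print(auth.request_transfer("t-2", "+1-555-0100", 3000.00))   # large: code_required
```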

November 24, 2004

Jakob Nielsen's Alertbox

Jakob Nielsen has posted a new alert entitled "User Education Is Not the Answer to Security Problems" (amen).  Among other recommendations, Jakob advocates that we:

Digitally sign all information to prevent tampering and develop a simple way to inform users whether something is from a trusted source. This might, say, replace current stupid security warnings that people don't understand because they expose the guts of the technology. ("The security certificate has expired or is not yet valid." Aha. And what does that mean to a normal person?)

I've been saying something like this for years.  I'll even go a bit further: there is no good reason, today, that any legitimate email sent out by a serious company should not be digitally signed.  A small number of consumers behind email-modifying proxies may get confusing error messages (companies can mitigate this by sending important mail without embedded HTML or JavaScript), but this can be quickly ironed out.

If you're a bank, hospital, or any other company that's worried about consumer confidence in your brand - you should be signing all of your outgoing email.  Period.

Jakob's whole article is very good.  Read it here.

October 25, 2004

No dripping!

There are machines outside of hotels and office buildings in Japan into which you stick your wet umbrella and get it instantly wrapped in plastic.  This prevents wet floors and makes it look like everyone just bought a new umbrella.

I'm reporting this fact to my loyal readers on a broadband wireless connection, while traveling at 270 kilometers per hour on the bullet train to Kyoto.

In my mind, this raises three fundamental questions about my own home country:

1. Why don't we have magic umbrella-wrapping machines? 

2. Why don't we have broadband wireless connections that work at 270 kilometers per hour?

3. Why don't we have trains that work at 270 kilometers per hour?

Write your congressman.  It's time for some pork barrel spending.

Mmmm pork barrel.

October 22, 2004

Back in Japan

I’m back in Japan this week.

The good news about Tokyo cab rides: there’s flawless, high-speed wireless Internet access even at 60 mph.

The bad news: You don’t get to go 60 mph very often and every trip takes an hour.

Net net: Lots of time for blogging.

October 19, 2004

Google Desktop Search is the best program ever

Ever wonder why you can search the entire World Wide Web instantly, but it takes 20 minutes to find a file on your Windows desktop?  Google has just fixed this glaring injustice with the public release of the free Google Desktop Search beta.  Once you download the program, it’ll take an hour or so to build a local index on your computer and then your life will be vastly improved.  You’ll be able to find any document, email or cached browser page on your computer by filename or internal text, instantly.  This is fantastically useful.

I'll never have to sort my email again.  Google continues to make good things.

October 14, 2004

Foo Camp roundup

I got back from O’Reilly’s Foo Camp a few days ago.  It was… what’s the expression the kids used to say…Insanely Great.  There were lots of impressive people and keen sessions.  Among other things, we figured out how to do electronic voting exactly right.  More on that later.

The picture, by James Duncan, is of a working 3D chocolate printer made out of Lego.  Click on the thumbnail for a larger view.

Just for the record, I “camped” in the Sebastopol Holiday Inn Express.  It didn’t make me any smarter, but at least I could snore without making any permanent enemies among the world’s Alpha Geeks.

Since I’m way late in blogging this event, I’ll take the path of least resistance and just provide a partial (!) list of other blog coverage.  This Internet thing is gonna be big some day.

Cameron Marlow (Overstated)
Chris Shiflett
Danyel Fisher (Made of People)
Dav Coleman (AkuAku)
Dave McClure (Master of 500 Hats)
David Hornik (VentureBlog)
David Weinberger (Joho the Blog)
Don MacAskill (onethumb)
Erik Hatcher
Furzundfeuerstein (Fart and Flintstone)
James Duncan (Whoot!)
Jeff Barr
Jim Winstead (trainedmonkey)
Mark Fletcher (Winged Pig)
Mark Frauenfelder (BoingBoing)
Mie (Kokochi)
Mike Clark
Nan Barber
Paul Jones
Robert Scoble (Scobleizer)
Russell Beattie
Tantek Çelik
Tim Bray
Zak Greant (Polymorph)
Ross Mayfield

September 17, 2004

Foo Camp

I’m off to Foo Camp, a two day geek-fest in Tim O’Reilly’s parking lot. If a WiFi access point fails in the woods but no one is using it at the time, does it leave an error message?

September 10, 2004

Best tech rumor ever

It’s possible that Netflix and Tivo are teaming up to allow electronic DVD downloads straight to your TV.  If true, this is the most important quality-of-life merger since that chocolate/peanut butter thing in the 1920s.

Of course it’s probably a lie; or worse – just a marketing ploy limited to Top 40 Hollywood hits.

September 7, 2004

I asked for a debate

There’s a pretty good and lengthy discussion brewing in the comments section on my last post about national IDs.  I say this as a service to my RSS and bloglines readers who, as far as I can tell, do not normally get to see comments (and who don’t show up on any of my page view stats).  Oh, you’re so smug.

August 23, 2004

SpoofStick Update

We’ve just released a new version of SpoofStick for Internet Explorer (v. 1.02) that addresses a newly discovered IE flaw described by this Secunia advisory.  As always, you can download the latest version at the CoreStreet SpoofStick homepage.

The flaw is not present in Firefox, so no update to the Firefox version of SpoofStick is necessary.

For those of you keeping count, we’ve had over 130,000 downloads of SpoofStick since the official release three months ago.

[Update: Oooh, that’s an average of about one download every minute.]

August 18, 2004

Sir Linksalot

Hearty congratulations to Tim Berners-Lee, the man most qualified to be called the inventor of the World Wide Web, on officially receiving his British knighthood yesterday.  If it wasn’t for Sir Tim's work, I’d be maintaining someone’s Foxpro database right now.

July 17, 2004

An illustrated Excel bug mystery

This is a pretty geeky and technical post.  If you don't find software engineering or bugs particularly interesting or funny, you're probably better off just scrolling right past this.  You've been warned.

Otherwise...

Ok, here I am working on an important spreadsheet for my board.  Typity Type.

Oh, look at that. I made the column headings hyperlinks – it’s so like me to pay attention to the fine details. Hmm, better check to make sure some of those links actually work. Click. Click.

Yup, the links work. Oh look, Excel changed the color of the “visited” links to remind me where I’ve been. How thoughtful, just like in IE. Ok, let’s print some copies on my color laser.

Ick, it printed the “visited” links in that reddish color. That’s annoying – I don’t want to give my board members printouts with some of the links a different color. That’s kind of dumb, why would Excel bother to print that? Ok, I’m sure there’s a perfectly intuitive way to fix this, but I’m a bit rushed today so I’ll just look for a shortcut.

Hmmm, I bet if I just change the font color of those column headers, Excel will get rid of the “visited” information. Let’s make them all red.

Yup, that worked. Now they’re all the same color. Hmmm, red looks a bit alarming. Let’s try green.

Ok, they’re all green. That’s better, but still a bit strange. I guess people are just used to seeing hyperlinks be blue, so I’ll just make them all blue. This is more work than I anticipated.

Hmmm, I think that’s the wrong shade of blue. Let me squint at the color picker and try to find the blue color that’s closest to the normal hyperlink color. I really wish I hadn’t started this in the first place, but if I can find the right color I'll be all done. Ah, I think this might be it...

AAAAARRRRGGGGGHHHHH!

So I ask: What’s going on under the hood of Excel on this one? Do you think there’s something hard coded to check for that particular hex color value and display “visited” colors only if you choose that particular shade of blue? Or maybe it detects the “default” link color and activates “visited” mode then.

Dave Engberg, our CTO, insists that style garbage collection is responsible - basically Excel realizes the back-to-where-you-started nature of my color changing operations and optimizes them right out of existence. I wonder if any of the Microsoft bloggers know the real story here. Anyone? Scoble? Anyway, I think the source of this bug might have some interesting architecture implications. I told you this post was geeky.

July 8, 2004

World Technology Digest 1 – Big and small

There’s an infinite number (well, I counted six before getting distracted) of on-line sources for gadget and technology news. How are you supposed to piece together all the information without being overwhelmed? How can you see the big picture? In this irregular new feature of Vastly Important Notes, I’ll pull together disparate technology trends into a cohesive vision of the future. I wouldn’t be a pundit otherwise.

Without further ado:

Miniaturization is a passing fad. I have proof. I forgot to snap this myself the last time I was in Tokyo, but the photo above is a picture of the world’s largest cell phone. Notice the antenna.

It’s so big, you have to stand inside it. Thanks to Anne Sullivan for taking the picture.

These cell phone booths are a great idea, but they will never succeed in the U.S. until we have an appropriate technical means to pay for the calls. Some say the answer is micropayments, but that may prove too complicated.  Luckily, Gizmodo reports that Toshiba, Hitachi and other Japanese manufacturers are quickly ramping up the production of giant quarters:

[Image: microdrive-coins]

You might recall that IBM invented giant quarters in the late nineties, but the Japanese are really pushing the envelope. It’s hard to be precise, but assuming that those reference hard drives are the same size, the Toshiba quarter (right) looks at least 33% bigger than the IBM quarter (left), and it probably costs less as well.

IBM is rumored to have a secret research program underway to engineer something even better than giant quarters, but I’m not sure that they’ve thought this through all the way.  Once again, the hard drive is shown for scale:

[Image: hamster-microdrive]

Giant cell phones? Check. Giant quarters? Check. Everything is adding up so far, but how do these really cool and tiny Sony Ericsson remote control Bluetooth cars (reported by Jonathan Schwartz) fit into the grand scheme of things?

Think of them as a pilot program; if an old fashioned pocket-sized cell phone can pump out enough Bluetooth to control one of these little cars, imagine what the walk-in type can control.  Defensetech might have the answer:

[Image: remote-copter]

Of course, remote control robot attack helicopters will cost more than giant quarters to operate.  That’s why I predict that we’ll see someone develop novelty giant sized million dollar bills sometime soon.

So there you have it.  Invest in big wallets and leave it to World Technology Digest to keep connecting the dots.

[Nonsense blogging is a surprisingly good way to unwind from a week of staring at contracts.  Note to the Peppercoin guys: just kidding, your solution is really much more elegant than the giant quarters.]

July 7, 2004

SpoofStick on TV

A few days ago, PC World columnist Steve Bass demoed SpoofStick on G4TechTV’s “The Screen Savers”.  Everyone who has come to my house since then has been forced to watch it on Tivo.

Other recent SpoofStick coverage is on the CoreStreet SpoofStick homepage.

June 27, 2004

Don’t [expletive deleted] where you eat, my friend

You’d think with corporate email becoming virtually useless as a customer communication medium due to spamming and phishing, serious companies would be a little more careful to preserve the customer-trust level of written letters.

You'd be wrong.

Here’s an important looking envelope from United (airlines) with one of those telegraph-delivery stickers attached to the outside.  Open it and... Oho!  It’s just a trick to get you to subscribe to another unwanted credit card.  The telegraph sticker is a printed-on fake.

How exceedingly clever of United!  Now I’ll be extra-certain to give their next piece of communication all the critical attention it deserves.  I’ll especially treasure their emails.  After all, if they’re so fastidious about keeping costly paper mailings honest just imagine the care they must put into their bulk email.

If anyone from the United marketing team is in the audience, I recommend two additional pieces of reading:  One and two.

And you wonder where the scammers learned their tricks.

[Update: Where do I send the bailout check?]

June 23, 2004

A better tomorrow


Remember how disappointed you were when the year 2001 came and went and we still didn’t have jetpacks or instant-turkey-dinner pills?  You’d be less disappointed if you lived in Japan.

The taxicabs in Tokyo have passenger doors that automatically open and close, and big GPS systems that display real time traffic levels on the map.  For all these years, I’ve been opening cab doors with my own hands.  Like a sucker. 

Carwashes are fully automated and only about the length of a single car.  You park under it, and the carwash moves back and forth over your car bristling with nozzles and brushes and wipers and other, less identifiable, cleaning apparatus.  At subway and garage exits, there are machines that suck up your paper tickets or cash at impressive speeds and regardless of the input angle; then they bow at you.  The forced-air hand driers in public bathrooms actually manage to dry your hands with a speed and efficiency that show severe disrespect to the ornamental driers found in American bathrooms.

Don’t even get me started on the unforgivable lack of heated water jets on our toilets. 

A Japanese visitor to the US must feel like I feel while walking through the Neanderthal man dioramas in the Museum of Natural History. 

[This blog entry was filed during a Tokyo cab ride where the ubiquity of wireless broadband doesn’t quite make up for the oppressive distance and traffic.]

June 17, 2004

Earning electric karma

The life of my average gadget is not a particularly dignified one.  Many of my electronic purchases lie neglected at the bottom of random home and office drawers, dinged through careless handling, with missing accessories and batteries slowly leaking in their springs.

This was the fate of a Garmin hand-held GPS unit that I bought three or four years ago.  When I first took it out of the UPS box and popped in a fresh set of batteries, it blinked awake and displayed a world map with the cursor centered on Japan. “How cute”, I remember thinking, “it thinks it’s still home.”  A few seconds later, as the Garmin started to receive satellite signals, it realized that it was somewhere else.  It took a minute or two for the precise truth to sink in:  It was far from its carefree birth and testing lab; it was on the other side of the world in Cambridge, Massachusetts.  It might have been quietly sad.

Over the next few years, the Garmin has been driven across the United States, left forgotten under stacks of paper, wearily fingered by airport security guards, dropped into puddles in Stockholm and down stairs in Hong Kong.  Throughout it all, the GPS carried out its duties with stoic honor and never mentioned home again.

Yesterday, I finally turned it on outside my hotel in Tokyo.  The Garmin took some time to catch up with the months and miles since it was last awake, but it soon displayed the exact same map that had never appeared since the first few seconds of its professional life.  There was no happy animation or other outward indication, but I’d like to think that somewhere inside, a fuzzy-logic chip grew warm for a while.

June 14, 2004

Washington Post reviews SpoofStick

Rebecca Rohan has written a quick and positive review of SpoofStick, CoreStreet’s free anti-phishing utility, for today’s Washington Post.  Her conclusion:

SpoofStick is reassuring to have around, but it can't replace common-sense skepticism.

This is exactly right.  We never intended SpoofStick to be a comprehensive solution for all the possible bad things that can happen while using your computer.  SpoofStick is a straightforward tool that does one thing well: it cuts through the clutter of confusing, malicious or mislabeled URLs to tell you what web site you’re actually on.  We were trying for simple and useful, and I think that’s what we got.

About 30,000 downloads so far.  If anyone’s got suggestions for improvements, I’m all ears.  All the other SpoofStick news can be found here.

June 7, 2004

Latest SpoofStick coverage and version

SpoofStick continues to make a mark on the net.  The latest mentions are from Network World, the Kansas City Star, the St. Petersburg Times (the one in Florida, not Russia, but see below) and the Newark Star Ledger.  PC World contributing editor Steve Bass gave SpoofStick a good mention in his June 2nd newsletter, but it’s not on-line yet.  Steve called me a “forthright” guy, which will have to do until I can upgrade my title to at least “honorable” by getting elected mayor of something.

International mentions of SpoofStick include IT Union in Russian and ITP Technology in Arabic.  I can’t read the Arabic article, but it has this screenshot of SpoofStick looking at the "it's only a flesh wound" scene from Monty Python and the Holy Grail.  I don’t find this strange at all.

We also released a minor upgrade to the IE version of SpoofStick today.  Version 1.01 has the following improvements:

  • The installer is signed by an official CoreStreet digital certificate.  This is one of those eat-our-own-dogfood type of features since we like to promote certificate use.
  • There is a new option in the configuration menu that lets you display the whole hostname of a site, rather than just the domain name.
  • The installer will now refuse to install on an operating system earlier than Win2k.  I expect this to take care of most of our support requests.  We’ll be adding Windows 95, 98 and ME support in an upcoming release.
  • SpoofStick will now pop up a warning (often more than one) if it encounters a URL trying to take advantage of the ‘@’ flaw found in unpatched versions of IE.  Since this is a well known (and corrected) Microsoft bug, SpoofStick will only issue a warning and reminder to install the latest IE patch.

As always, you can get the latest version of SpoofStick at the CoreStreet SpoofStick home page.
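An added example (not SpoofStick's code) of the two checks described in the Firefox 1.05 note earlier on this page and in the last bullet above: it reports the host a browser will really connect to, flags a decoy name placed before '@' in the authority, and expands punycode labels so an internationalized look-alike domain is shown in its decoded form beside the real one. The `whole_hostname` switch mirrors the hostname-vs-domain option from the second bullet; the two-label domain rule and the sample hosts are constructed for the example.

```python
from urllib.parse import urlsplit


def registrable_domain(host):
    """Collapse a hostname to its last two labels: 'login.bank.example' -> 'bank.example'.

    Simplification for this example: a real toolbar consults a public-suffix list so
    that 'shop.example.co.uk' is not reduced to 'co.uk'.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def describe_site(url, whole_hostname=False):
    """Report the site a browser will really talk to for a typed or clicked URL.

    Returns {'host': real host, 'shown': what the toolbar would display,
             'warnings': reasons the URL may be trying to mislead the reader}.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()   # hostname strips userinfo and port
    if parts.scheme not in ("http", "https") or not host:
        return {"host": host, "shown": host, "warnings": ["not an http(s) URL"]}

    warnings = []

    # The '@' trick: in http://bank.example@evil.example/ the browser treats
    # everything before '@' as a username and connects to evil.example.
    if "@" in parts.netloc:
        decoy = parts.netloc.rsplit("@", 1)[0]
        warnings.append(f"'{decoy}' before '@' is a username, not the site; real host is {host}")

    # The IDN trick: a punycode label (xn--...) hides non-ASCII look-alike letters,
    # so show the reader the decoded form next to the real label.
    if any(label.startswith("xn--") for label in host.split(".")):
        try:
            decoded = host.encode("ascii").decode("idna")
            warnings.append(f"internationalized domain {host} renders as {decoded}")
        except UnicodeError:
            warnings.append(f"malformed internationalized label in {host}")
    elif not host.isascii():
        warnings.append(f"non-ASCII characters in host {host!r}; check for look-alike letters")

    shown = host if whole_hostname else registrable_domain(host)
    return {"host": host, "shown": shown, "warnings": warnings}


if __name__ == "__main__":
    # constructed sample URLs; the look-alike host swaps the Latin 'a' for Cyrillic U+0430
    lookalike = "b\u0430nk".encode("idna").decode("ascii") + ".example"
    for url in ("https://login.bank.example/account",
                "http://www.bank.example@evil.example/login",
                "http://" + lookalike + "/signin"):
        info = describe_site(url)
        print(f"{url}\n  shows: {info['shown']}")
        for w in info["warnings"]:
            print(f"  warning: {w}")
```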

Finally, I have made a ‘SpoofStick’ category on Vastly Important Notes, so you can see all the posts about SpoofStick on one page.  Some of you have made snide insinuations about SpoofStick elbowing out all other topics on this blog (I’m looking at you, “gavin”), so I’d like to direct your attention to the diverse bounty of vastly important content in the archives.

June 4, 2004

First ISLAND inhabitants

Mark has taken ISLAND, my proposed rating system for deceptive software, and measured four popular software downloads: WinZip, the Google Toolbar, Yahoo! Messenger and AOL Instant Messenger.  The results are interesting.

Looks like I’ll have to recalibrate my prediction that “a fairly clean piece of shareware would come in at 94.”  Ouch.

June 2, 2004

A suboptimal use of default passwords

In his February 11th column, Bruce Blair from the Center for Defense Information gives a rather horrifying first-hand account of the traditionally framed conflict between safety and convenience. In this case, it's the convenience of being able to annihilate our geopolitical enemies on short notice versus the safety of not starting a nuclear war by accident.

In the 1960s, each of the thousand-odd Minuteman nuclear missiles was fitted with special locks which would prevent launch unless the "secret unlock code" was received from high authority - presumably the president or secretary of defense. The purpose of the locks was to prevent unauthorized launch either by accident or through a deliberate subversion of the chain of command. The problem was that this extra step was seen as a cumbersome process which had the potential to delay our nuclear response and thereby dampen the retaliation we could mete out in the case of an actual attack. The solution was the equivalent of writing your Windows password on a sticky-note attached to your monitor:

The Strategic Air Command (SAC) in Omaha quietly decided to set the "locks" to all zeros in order to circumvent this safeguard. During the early to mid-1970s, during my stint as a Minuteman launch officer, they still had not been changed. Our launch checklist in fact instructed us, the firing crew, to double-check the locking panel in our underground launch bunker to ensure that no digits other than zero had been inadvertently dialed into the panel. SAC remained far less concerned about unauthorized launches than about the potential of these safeguards to interfere with the implementation of wartime launch orders. And so the "secret unlock code" during the height of the nuclear crises of the Cold War remained constant at OOOOOOOO.

Nice.

What's worse, according to Blair, is that the civilian authorities from the president on down were not informed that this precaution was being completely ignored. Robert McNamara, the secretary of defense for Kennedy and Johnson, was apparently unaware until just this year!

I take away three lessons from this episode:

1. We are really, really, really lucky that the world didn't get all blown up before the end of the cold war. Sure, the professionalism and relative cool-headedness of many individuals on both sides of the conflict helped a lot, but there was a scary number of close calls. Let's try not to do this again.

2. Passwords suck. They're pretty much good for nothing. It’s not sufficient to lecture users on proper password etiquette – passwords must die. If Strategic Air Command couldn’t be bothered with passwords for world-shattering missiles, what hope is there that the average HR department will correctly use passwords for their Windows login or WiFi access? Finally moving away from passwords has got to be near the top of every IT organization's to-do list – or at the bottom, if they clicked twice and got it sorted backwards somehow.

3. Security vendors rarely have an interest in making sure that their products and recommendations are actually being used correctly. Proper use is often unpleasant and displeased customers usually mean fewer sales. Likewise, it's often psychologically easier for customers to seek out new technological solutions for security problems rather than admit that they may not be using their existing products to full capacity. Fixing this willful miscommunication is crucial to making security practical and affordable.

Ok, the third point is just a hobbyhorse of mine and not really derived at all from the preceding article. Also, I'd give up #2 if we could be promised #1. Deal?

[Thanks to Dave Engberg for the link.]

June 1, 2004 | Permalink | Comments (1) | TrackBack

The Phisher King

Proving the adage that the simple wheel get the worm (err, that’s not right), the past three days have seen SpoofStick featured in The New York Times, Business Week and The Boston Globe.  The Times even included a nice screenshot in the print version.  We’ve had to increase our server bandwidth to handle the demand – around 20,000 copies have been downloaded so far. 

I’m running dangerously low on “Phish” puns.  Do the tech-media community a favor and send some in.  Thanks to everyone who’s tried SpoofStick.

May 27, 2004 | Permalink | Comments (3)

Deceptive Software ISLAND

Last week, the Google Blog started soliciting comments on Google’s “Proposal to help fight deceptive Internet software.” The proposal is directed against spyware, adware and other annoying and/or dangerous practices often found in “free” programs. Google’s recommendations consist of basic standards of notification and behavior that vendors ought to implement when distributing software over the internet. I wholeheartedly agree.

I’d like to propose a rating system to help users identify dirty software.  It works like this:

Each program is given a score of “0” to “5” in six categories of annoying or deceptive practices.  A score of “0” in any category means that the program does not engage in the practice at all, a score of “1” indicates fairly benign activity, while “5” connotes significant perfidy.  To help you remember the six categories, I consulted the Internet Anagram Server and realized that they spell ISLAND.  Here are the six categories along with what installers would say in an honest world:

In the Walls
This software installs uninvited guests which will scurry around your system's innards to be only occasionally glimpsed when a program crashes or you move a window suddenly out of the way.
(1 = Installs a discreet shortcut for a helpful utility or company catalog in the main software's program menu.  5 = Installs multiple, unrelated programs that hook into the registry, run in the background, and are difficult to uninstall.)

Spy
This program watches your actions and sends them back to the mother ship.  It's just our way of looking out for you.
(1 = Actions directly related to software operations are anonymized, kept in aggregate form only and never shared with third parties.  5 = Wide ranging data, including personal information, is collected, linked to your identity and sold to third parties.)

Limited
We've removed some features from this free version of the software, so you won't get to where you want to go without buying the full version.  Don't think about this until you've already put in half the driving time.
(1 = Some advanced features, which only power-users would need have been eliminated.  5 = Fundamental features, such as the ability to save your work, are missing.)

Advertising
This software will display advertisements on your screen.  It may be "free", but you'll pay with your eyeballs and your attention span.
(1 = Displays a single, small, not-animated ad as part of the program UI.
5 = Pops up ads disguised to look like error messages in new windows all over the place with no indication of what's causing them.)

Nag
This free software will periodically nag you to spend money on the full commercial version.  If you were a good person, you'd send us money.
(1 = Discreet button in the UI that accepts a voluntary donation.  5 = Modal dialog box with an increasing delay that demands payment before you can continue with the program, eventually totally disabling all use.)

All Your Default Are Belong To Us
We know that you've been too busy to get around to changing your homepage, media player and download manager settings.  We'll take care of that for you.  You're welcome!
(1 = Program makes itself the default viewer for only the type of file it's primarily meant to handle.  5 = Any settings that can be changed to make you see more of the vendor's products will be changed.)

After scoring each category, the total points are added up, multiplied by three and subtracted from 100.  So the best possible score is 100 and a program that commits egregious acts in all ISLAND categories will score a 10.

For example, SpoofStick, which doesn’t have any ISLAND misfeatures, scores 100.

I’d guess that a fairly clean piece of shareware would come in at 94, and scores below 82 are pretty lousy.  Now all we need is for somebody to rate every single piece of Internet software and establish a trusted registry. 

Who's got free time next weekend?

[My friend Igor Rivilis recently wrote about his experience with software annoyances here.  I think there’s plenty of great free software out there, but the bad stuff seems to be getting out of hand.]


May 25, 2004 | Permalink | Comments (0)

I’ve been called strange things

In perhaps the most latitudinarian use of the word in recent memory, InfoWorld magazine has named me one of “This year’s heroes of IT.”

The award article, titled “CoreStreet targets massively scalable validation”, is a great description of our goals and work.  Surprisingly, it has nothing to do with SpoofStick or this blog.  The article points out the pioneering work done by Dr. Silvio Micali, but each member of the CoreStreet team has also made indivisible contributions to our accomplishments.  In particular our CTO, Dave Engberg, should be singled out for doing the work of ten men - ten men not entirely unaccustomed to work, either.

The other eleven winners are extremely impressive and, while thankful for the recognition, I’m trying to find a reason why I’m included in their company.  For example, Miguel de Icaza created Gnome; I once installed it.

Now if you’ll excuse me, I’m going to make a “Hero of IT” costume and maybe go wrestle a bear.

May 23, 2004 | Permalink | Comments (1)

Wireless Access Pointless

Mark Ayzenshtat has written about his adventures leeching wireless internet connectivity while driving through the pre-apocalyptic landscape of suburban California.  I'm not sure if this is a good or bad thing.

Setting up Wireless Access Point (WAP) security is pretty cumbersome and the results are brittle.  Wireless devices randomly stop working and need to have their encryption keys re-entered.  What's worse, different manufacturers seem to use different passphrase hashing algorithms, so you pretty much always wind up manually typing in hex strings.  To make the process extra-tragic, some confused product designers have tried to "add security" to the process by making the GUI key entry boxes display only blanks (like most password fields) and/or disabling cut-n-paste functionality.  This guarantees that you'll have to type in a long string of numbers and letters several times, and still never be exactly sure of why your WiFi doodad isn't working.  Whenever I see such design, I am tempted to violence.
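To show why a typed passphrase is not portable between vendors while a hex key is, here is an added example (not code from the post) that implements the two passphrase-to-WEP-key generators that were widely shipped around that time, as I recall them: a 40-bit scheme that XORs the passphrase into a 32-bit seed and runs a linear congruential generator, and a 104-bit scheme that MD5s the passphrase repeated to 64 bytes. The page itself names no algorithm, so treat the constants and the sample passphrase as assumptions made for this demonstration.

```python
"""Same passphrase, two vendors, two different WEP keys (added example)."""
import hashlib


def wep40_seed(passphrase: str) -> int:
    """XOR passphrase bytes into a 32-bit seed: byte i lands in seed byte i % 4.

    ASCII bytes always have the top bit clear, so the high bit of every seed
    byte is zero and far fewer than 32 bits of the seed actually vary. That
    weakness is one reason random hex keys were preferable to passphrases.
    """
    seed = 0
    for i, ch in enumerate(passphrase.encode("ascii")):
        seed ^= ch << ((i & 3) * 8)
    return seed & 0xFFFFFFFF


def wep40_keys(passphrase: str) -> list:
    """Derive the four 5-byte (40-bit) keys the 40-bit scheme produced.

    A linear congruential generator is stepped once per key byte and bits
    16..23 of each state are taken as the byte (constants as assumed here).
    """
    x = wep40_seed(passphrase)
    keys = []
    for _ in range(4):
        key = bytearray()
        for _ in range(5):
            x = (x * 0x343FD + 0x269EC3) & 0xFFFFFFFF
            key.append((x >> 16) & 0xFF)
        keys.append(bytes(key))
    return keys


def wep104_key(passphrase: str) -> bytes:
    """Derive the 13-byte (104-bit) key of the MD5 scheme.

    The passphrase is repeated to fill exactly 64 bytes, hashed with MD5,
    and the first 13 digest bytes become the key.
    """
    raw = passphrase.encode("ascii")
    if not raw:
        raise ValueError("empty passphrase")
    buf = (raw * (64 // len(raw) + 1))[:64]
    return hashlib.md5(buf).digest()[:13]


def compare(passphrase: str) -> dict:
    """What two different devices would each compute for one typed passphrase.

    Neither hex string matches the other, so only the hex key itself, not the
    passphrase, can be carried between vendors' configuration screens.
    """
    return {
        "wep40_key1": wep40_keys(passphrase)[0].hex(),
        "wep104": wep104_key(passphrase).hex(),
    }


if __name__ == "__main__":
    # Constructed sample passphrase, not a real network's.
    for name, value in compare("coffee shop").items():
        print(f"{name}: {value}")
```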

Not only is securing a wireless LAN difficult for most mortals, but there's very little motivation to actually make the attempt.  You probably won't notice the bandwidth drain of someone leeching from you, and virus and worms are best combated at the firewall and PC level.  You and your neighbor might actually be better off sharing the same access point and not having two separately encrypted networks fighting for the radio spectrum. 

When something is both difficult and unrewarding, the masses will eschew it.  That’s why most people don't read the fine print on medical forms and why they don't secure their wireless networks.  My own 802.11b access point recently gave up the ghost host, and I haven’t bothered to replace it because I can usually see three or four unprotected wireless networks just sitting in my living room.

Of course, if you keep your wireless network unsecured, you never know who might get on it.  That’s a little disconcerting, but the physical network has always been a weak security link because it’s hard to know who’s listening in; and that goes double for wireless.  You need to secure each computer and the important data regardless of whether you turn on encryption on your WAP or not.

Who suffers from this furtive air sharing?  I suppose the WAP manufacturers would sell more hardware if everyone had to buy their own access point, but that doesn’t seem like a good enough reason.  After all, the pump lobby doesn’t get to force all of us to dig our own water wells.  Internet Service Providers (ISPs) suffer some economic damage, because they typically charge a flat monthly fee for unlimited data usage and freeloaders, err, cause more load.  For free.  ISPs can try switching to a metered rate, but that approach hasn’t worked well in the U.S. market.  A couple of years ago most service providers solved this problem by restricting access to just one or two specific computers registered to each account.  That cost too much money in tech support calls when stymied customers tried to hook up new computers, so the practice has been mostly dropped.  Either way, economic damage to the ISPs is a business issue, not a security problem.  The companies should figure out how to fairly charge for their services, not lecture consumers on sloppy prevention.  There are enough real security issues vying for consumer attention as is.

I’m looking forward to the day where I can reliably get wireless data service everywhere, without having to build my own private piece of infrastructure.  A crisper understanding of who we’re trying to protect, better adherence to standards and some smart new technology will get us there.  A chicken in every pot, not a mini broadcast tower under every desk.

Mmmmmmm, potted chicken.

[Brant Chamberlain wins the impromptu "Quick, I need a geeky euphemism for a piece of hardware dying" office contest.  His first suggestion was even funnier but, alas, not suitable for general audiences.]

May 13, 2004 | Permalink | Comments (3)

Peek, Poke

If that title brings back squinty memories of typing in hex code from the back of a borrowed computer magazine, check out this little ditty.  [Thanks Gizmodo.]

For the rest of you, move along.  There’s nothing to see here.

May 11, 2004 | Permalink | Comments (0)

SpoofStick 1.0 is here

[Update June 04: If you came directly to this page from Brian’s Buzz, Brian Livingston’s newsletter, welcome!  Please see my quick reply to Brian’s comments here.  SpoofStick now has its own category where you can see all the latest news and coverage.  If you feel like browsing my other articles, here’s the front page.]

The general release version (1.0) of SpoofStick is now available for download for both Internet Explorer and Firefox.  The 1.0 version includes a standardized UI across both platforms and a much smaller installer for the IE version.

Many thanks to the over three thousand of you who tried out the beta versions, to the dozens that gave useful feedback, and to the handful of bottom-phishers that harvested the "spoofstick" email address and clogged up my mailbox with pr0n and important information about my eBay account.  This last category of people, in particular, reminds me of why we do this.

Thanks also to the bloggers and journalists – amateur and professional – who helped spread the word.  I'm especially gratified to see that some of them have screenshots of SpoofStick running on their browsers.  It's always good to see proof that your software actually installs.

Here’s some of what the web had to say:

Jon Udell -  InfoWorld (screenshot, great write-up and first external mention of SpoofStick!)
Chris Lindquist - CIO.com (nice article, and the title makes SpoofStick sound downright superheroic)
Adam Gaffin - NetworkWorldFusion
Mark Ayzenshtat - Marked for Dearth (also did the programming)
Asa Dotzler - Adot's Notblog* (Asa drives big traffic)
Under The Sun (first Bible quote associated with SpoofStick)
Tara Calishan - ResearchBuzz (helped debug the press release)
Robin Bloor - Bloor Research (SpoofStick made him switch to Firefox from IE)
Nick Codignotto - Primordial Ooze (screenshot)
Mozdev extension room
Mozilla News
Chris Walken - talkaboutshareware.com (I'm pretending it's Christopher Walken)
inetinfo (with phish stick joke!)
John Ludwig - a little ludwig goes a long way
ExecTechNews
beaglebot - linkfilter.net
kayodeok
[expletive deleted]happens

Of course, nothing can top the comment from Carol Baraoudi that I wrote about on May 3rd.

Download SpoofStick 1.0 for Microsoft Internet Explorer and Mozilla Firefox here.

May 10, 2004 | Permalink | Comments (7)

Companies on the verge of losing contact

Gartner has just published a report about the scope and effects of “phishing” scams.  The numbers are staggering.  Up to 92 million adults in the U.S. have received phishing attacks – malicious email pretending to be from a real company – in the past twelve months.  The real shocker is that out of the 57 million people who suspected that they had received such an email (the other 35 million in the 92 million total were not sure), 11 million followed a malicious link and 1.78 million self-reported giving the fake websites sensitive information such as credit card numbers.

Wow!

That's a “click through” rate of 19% and a “conversion” rate of 3%.  Legitimate (ahem) direct marketers would chew off their own fingers to get that kind of performance.  Whoever’s writing those emails has some serious social engineering skills.  They know how to push all the right buttons; well constructed phishing scams are way more clever than “Nigerian” spam and email attachment viruses.  It’s almost as if some cabal of unemployed psychology, literature and web-design majors is exacting their revenge on the post-bubble Internet industry that spurned them.

The potential impact of the phishing problem on consumer confidence, brand loyalty and identity security has been much discussed though not yet fully appreciated.  Another consequence is a bit more subtle: companies are rapidly losing all means of communicating important information to customers.

Think about it, how is Citibank going to *really* tell me if there’s a medium to high importance issue that requires my attention?  They can’t use email because I don’t trust it due to spoofing.  They can’t use snail mail because that’s 90% likely to go straight into the shredder.  Their web site can be spoofed.  They can try to call, but that’s expensive, inconvenient, and only marginally more likely to get my attention. 

Of course, this unsettling blackout of company to consumer communications is at least partly self-inflicted.  If private industry hadn’t been so eager to deluge consumers with promotional junk at every opportunity for the past twenty years (I never really needed shampoo coupons in my phone bills), people might now hold corporate communications in higher esteem and be more willing to put in the effort to discriminate between the real and the fake.  As it stands, there’s almost no incentive: an unsolicited email from American Airlines - or most other Big Brands - is pretty much either going to be phish or foul, so I may as well just delete it.  One percent of the time, it’s actually going to be important.  That’s the rub.

Let’s hope that once the worst of the current danger has passed (SpoofStick will help, as will accelerated adoption of digitally signed emails, mutual authentication, increased use of RSS for “real” announcements, etc), companies will use the temporary reprieve until the next malspelled crisis to reconsider how they maintain the attention-value of their customer communications.  Otherwise…

Sow. Reap. Repeat.

May 5, 2004 | Permalink | Comments (0)

If Wishes Were Phishes

CoreStreet has officially released SpoofStick, a free anti-phishing utility for IE and Firefox today.  Here’s the press release and previous discussion on this blog.  The quote from Carol Baraoudi, super-perceptive author of the multi-million selling Harry Potter The Internet for Dummies books says it all:

“I love SpoofStick,” said Carol Baraoudi, CEO of Baroudi Bloor International and author of the Internet for Dummies. “E-mail fraud is on the rise—innocent people are being duped every day— it makes me crazy. SpoofStick lets you see just where you're being taken - in every sense of the word. I want the world to be using SpoofStick. I want everybody using SpoofStick today!”

Some great press and blog coverage so far.  I’ll round up the best in the next few days.

There isn’t anything new, so if you’ve got the latest beta versions (0.06), you don’t need to reinstall.  Otherwise, download SpoofStick.

Enjoy.

May 3, 2004 | Permalink | Comments (2)

I get unexpected visitors

A couple of years ago my Chief Financial Officer and I found ourselves quite unintentionally stranded at 9773 feet on top of the Schilthorn mountain in Switzerland after the last cable car had descended for the evening.  The resulting five hour walk (him) and crawl (me) back to civilization contained many a humbling experience.  A lifetime flat-city dweller, I simply had no appreciation of the otherworldliness of high places until I found myself stuck on a mostly vertical plane, holding on to a stunted tree, being suspiciously eyed by a bearded goat.

I was reminded of this tonight when I checked the traffic graph for my blog.

traffic-spike

Glenn Reynolds of Instapundit.com linked to the second part of the post on my recent travels and observations about airline security, and in one sentence managed to drive over 1,100 visitors to this site in just a few hours.  That’s a lot of influence.  If the U.S. government is still unsure about the best organization to receive our June 30th transfer of authority in Iraq, perhaps we should consider Mr. Reynolds for the job.  He’d certainly be efficient at reading through the daily ministry reports.

Many of the readers who came here from Instapundit left insightful comments.  I thought I’d answer some of them here:

Nick points out that the hijacking risk is still real for cargo planes and that armed pilots would help for both types of flights.  I tentatively, but not wholeheartedly, agree.  Opposition to arming pilots seems to come in three flavors (1) placing a gun in the cockpit makes it more likely that that gun can be used by a terrorist, (2) pilots do not have adequate training/background checks to be trusted with a gun, and (3) pilots should focus on safely flying the airplane – especially in an emergency – not on fighting terrorists.

The first objection is fair – and hard to get around.  Training and procedures will help, but ultimately it’s a tradeoff.  I don’t honestly know if we’re better off with a controlled gun or no gun onboard.  I’m leaning toward controlled gun.  The solution to the second objection is easy: more training, better checks.

The third objection seems to stem from an action-movie view of a lone pilot in hand to hand combat with an assailant, with pauses in punching for just long enough to right the controls.  This may actually be close to the truth on both flight 93 and EgyptAir 900, but neither of those flights had a secure cockpit door.  I think the “shoot vs. fly” procedures for armed pilots would be pretty straightforward:  If there’s no terrorist smashing through the cockpit door, fly the plane.  If there is a terrorist smashing through the cockpit door, shoot the terrorist, then fly the plane.  Also, the vast majority of flights will have at least one co-pilot and autopilot.

Roosevelt, TomK and Dave wrote about the threat of shoulder-fired surface-to-air missiles, otherwise known as MANPADS.  I’ve written about MANPADS here and here.  The gist: we should invest in technology to limit the risk from existing, unsophisticated, designs and mandate smart “kill-switches” for new, much more lethal designs produced by the U.S. and cooperative allies.

Researcher pointed out that “the metal detector with gain cranked way up would pick up the metal wires and metal detonator components necessary for a hidden bomb?”  True, but I wouldn’t put any of that stuff through the metal detector.  Even the shoe-bomber got around that, and he’s not the swiftest Taliban on the monkey bars, if you know what I mean.  Also, as Stef comments, metal detector tolerances are pretty much random.

Finally, Toren says, “The overwhelming and useless airport security is here to stay, because of the very simple reason that government jobs never go away.”

I’ve finally met someone more cynical than myself.  It’s an honor to make your acquaintance, sir.

April 28, 2004 | Permalink | Comments (6)

SpoofStick for IE is out

SpoofStick for Microsoft Internet Explorer is now available.  SpoofStick is a simple, free browser plug-in that helps keep users safe from spoofed websites and “phishing” scams by prominently displaying the actual domain name of whatever site you’re on.

spoofstick-ie-screen

SpoofStick has been available for the Mozilla Firefox browser for the past few weeks and has made a splash in the community.  This version should work on IE 6 running on Microsoft Windows XP and 2000.  The Firefox version will run on Windows, OS X and Linux.

These are beta versions, and we’d love to get your feedback.  Please post your comments here, or send email to “spoofstick AT corestreet DOT com”.

See my introduction of SpoofStick: part 1 and part 2.

Download SpoofStick v. 0.06 BETA for Internet Explorer or Mozilla Firefox here.

April 23, 2004 | Permalink | Comments (0)

Why do we need electronic voting?

For a while, after the 2000 election mess, I remember being convinced that we needed electronic voting machines.  Then I remember being dismayed by the apparent lack of quality and security found in many new and existing designs.  Now that it’s almost time for the next big election, I can’t seem to remember why I thought we needed electronic voting in the first place.

The problems in Florida were mostly caused by poor ballot design and questionable adherence to procedure.  Do electronic voting machines fix either of those problems?  Can’t we just have less awkward paper ballots and better training for voting officials?

Total public transparency is absolutely crucial to election security, so any electronic machine that relies on obfuscation and secrecy for “security” should be automatically disqualified.  If I can’t know the exact path of every single electron or scrap of paper through the voting process, how am I supposed to have any confidence in the results?  Sure, there are plenty of ways to design a computerized voting system that doesn’t keep any secrets (although you wouldn’t know it by looking at the current crop) and real cryptographers have come up with some monstrously cool concepts for e-voting receipts and authentication, but is it really worth it?  If the machine is going to wind up printing out a paper trail anyway, why not start with the paper in the first place?  A good “old-fashioned” optical scan system with penciled-in bubbles seems to be good enough in just about every category that’s important for voting.  Hire someone with a design and layout sense to put the ballots together and invest a third of your new-machine budget on training the staff, and you’ve probably got a pretty good system for 2004.

I’m a big fan of unnecessary technology in every other aspect of life, so this realization comes as something of a shock to me; but I really can’t remember why I ever thought the country should invest in computerized voting gizmos.  Somebody please remind me before my geek self-image suffers irreparable harm.

[Thanks to Freedom to Tinker for keeping this fresh in my mind.]

April 22, 2004 | Permalink | Comments (4)

Too-Frequent Flyer Part 2 – Counting Threats

[See part one of this series on air travel and security.]

Let me propose a heuristic: it may be a good time to reevaluate the effectiveness of a national security institution when it becomes the subject of a Playmobil play set.
“Airport Security Check-in” has reached that point.

Don’t get me wrong, getting playmobiled isn’t an automatic demerit; there are plenty of realistic, practical things in play land.  Still, it's worth some hard thinking just to make certain that on the scale of practical reality, our airline security processes are closer to “Rescue Equipment Trailer” than to “Bunny with Wheelbarrow”.

I think we might be somewhere in the middle.
Please pardon the sudden shift from absurdist humor to serious and unpleasant realities in this post.  I think it mirrors the experience of modern air travel.

Before discussing the effectiveness or practicality of new security measures, it’s useful to understand what threats they’re designed to prevent.  There are basically four broad categories of attacks which can be directed against the air travel system:

1. Hijacking – to use the airplane as a weapon or for hostages or safe passage
2. Bombing – to blow up the plane with a stowed device or suicide attack
3. Infiltration – to transport dangerous individuals into or out of the country
4. Smuggling – to transport or disseminate hazardous materials such as chemical or biological agents using the air travel infrastructure

Each of these threats has important national security repercussions.  However, the vast majority of the new publicly visible security measures implemented at U.S. airports are focused on preventing only the first one.  This is an understandable political and psychological reaction, since preventing a 9/11 style hijacking is at the top of everyone’s immediate demands.  Unfortunately, anti-hijacking measures are some of the most costly and burdensome to implement.  They may also be the least necessary – maybe even counterproductive.

Only two changes were necessary to virtually guarantee that a hijacking intended to crash a passenger plane into a building could never happen again.  One of them - unbreachable cockpit doors – was relatively cheap and implemented within months of the attacks.  The other one was excruciatingly expensive, but the price was paid in full before the day ended and implementation was immediate and ubiquitous: everyone became painfully aware of the possible cost of losing control of an airplane.

Someone attempting an exact replay of the 9/11 attacks today would likely be beaten to within an inch of death - and I wouldn’t take that inch for granted - by passengers with nothing to lose.  Even if the terrorists managed to get to the cockpit, physical locks and airline policy would make it impossible to take control of the plane.  They could kill everyone on board and blow up the airplane, but that makes this kind of attack identical in effect to the “bombing” type.  The “hijacking” category, at least for commercial passenger flights, has been largely negated.  “Never again” is not just a solemn vow here.  It is a statement of fact.

Why, then, do I still have to surrender my nail clippers, take off my belt and wait three quarters of an hour to go through a metal detector honed to such a level of sensitivity that the steak taco I had for lunch sets it wailing?  What harm could I inflict with a one inch piece of flimsy metal on a hundred instant air marshals, a bank-vault quality door and pilots specifically trained to never give up control of the airplane?  Why is our still-recovering economy being subjected to this level of delay and inefficiency?  More importantly, why are our dramatically finite security dollars being spent here as opposed to on other, largely unsolved, problems - like the other three types of threats outlined above?  Are these measures effective security, or are they primarily meant to comfort us?  There's nothing wrong with comfort, as long as it's not the fuzzy, anthropomorphic-rabbit type.

Also, can I have my nail clippers back? 

Next Up: The Other Shoe

[Update: The Playmobil site is not very link friendly.  If you get errors following the links in IE, just ignore them and the pages should open fine.  Also, I just remembered where I saw the Playmobil link originally – thanks Boing Boing.

Update 2: I replaced the Playmobil links with direct links to the right product images.  That seems to be the only way their website wants me to do it.  Who doesn't love JavaScript?

Update 3: Yikes, this post got a link from Instapundit, lots of great comments here, and my answers in a new post.]

April 19, 2004 | Permalink | Comments (18)

If you insist security

It happened again.  An article on Active Security which I wrote for ZDNet last week got translated into Japanese and published on IT Media.  Here is the Babelfish reverse-translation back into English.  The results aren’t as funny as last time, but it does translate “Salman Rushdie” as “Monkey man.”

In at least one instance, the computer translation seems to cut right through my human attempt at suggestive obfuscation and says:

Example of the large-scale positive security program, Common Access Card by the American Defense Department (abbreviation CAC, is bad designation, but here will not touch) is.

The central point of the article comes through intact, if a little worse for wear:

Positive security, the villain is not is obstructed just simply. It means also the fact that direction it makes promote daily life of the good man.

I couldn’t have said it better myself.

[The original, uncut version of the article (with snide asides which didn’t survive the ZD editorial process) is here.]

April 13, 2004 | Permalink | Comments (0)

Google as muse

If I ever run out of ideas to write about (unlikely, time is the scarcer commodity), all I have to do is look at the search words people used to find my site.  This is also a good way to measure how well my posts are satisfying the world’s random information needs.  I think of it as an impromptu “reader’s request” mail bag, with an opportunity to fill gaps in my reporting.

Let’s see.  Two people searched for, "visitors interested in strengthening america".  Check, I wrote about that particular version of the VISA act here.

One person searched for, "golf boxers" funny.  Yup, golf boxers are funny.  That’s why I wrote about them in a strange little rant.  Although I originally used another clothing item which my PR instincts made me tone down.

Another accidental reader wanted to know, why is medicine important?  That’s a good question, um, Timmy.  Medicine is important because it keeps many people healthy - healthy enough to become grandparents.  Before Google, grandparents were the most efficient method of information storage and retrieval.  So a hundred years ago (in the age of “client/server”) you couldn’t have gotten your question answered without medicine.  Also medicine is important because it helps medical school graduates pay off their student loans.

Lastly, someone sat in front of a Google search box and typed in: explain why the internet is important to many businesses and discuss brie.  I probably shouldn’t do this, since it looks like someone is trying to cheat on their school assignment (third year at BU, if memory serves), but here goes:

The Internet is important to many businesses because it gives them a way to advertise their product, which, in the case of artisan brie makers is a delicious mold-ripened whole-milk cheese with a whitish rind and a soft, yellow center.  Also, the Internet can help businesses keep a watchful eye on their competitors.  Like those artless philistines in Wisconsin.

I guess with this domain name, comes a certain responsibility.  Want to know why other stuff is important?  Just search for it, stumble on to Vastly Important Notes and wait a month or two for me to remember to check my referrer logs.  Google is a muse as well as a beacon.

April 10, 2004 | Permalink | Comments (0)

More SpoofStick

A new version of the SpoofStick beta for FireFox has been released.  SpoofStick is a free utility that helps fight spoofed websites and identity “phishing”.  See the original post for more details.

This version (0.05) tweaks the size display settings to make the small size smaller, the large size larger and the medium size more medium.  It’s also smarter about handling multiple-name URLs (like https://web.da-us.citibank.com/signin/citifi/scripts/login2/user_setup.jsp) and international domains (like http://www.ox.ac.uk/).

We’ve gotten some good feedback on SpoofStick in the past couple of days.  To answer the most common question: yes, SpoofStick does work on a Mac with Firefox for OS X.  Here’s proof:

[screenshot: spoofstick-mac.jpg]

Although, I thought you Mac users had too many post graduate degrees to be fooled by fake websites.

Thanks for all the feedback, and keep it coming.

Download SpoofStick v. 0.05 BETA for Mozilla Firefox here.

April 8, 2004 | Permalink | Comments (3)

Getting the definition right

[Yesterday, ZDNet published a short commentary I wrote called “Getting the definition right”.  I’m very grateful to ZDNet for giving me a forum with a few orders of magnitude more readers than this fine blog.  In order to make the article suitable for the mainstream, the ZD editors stripped out most of the jokes from the original piece and altered the ending a bit.  They were probably right to do so – security is no laughing subject.  Still, for the “benefit” of my original reader(s), I’ve decided to post the “controversial”, err, “uncut”, um, “eXtreme” version here.]

Getting the Definition Right (the director's cut)

“Security”, like other vaguely defined segments stalked by industry analysts, is subjected to cyclical patterns of fashion and scorn.  Are we in a security-fueled investment bubble, or are organizations still sitting on their IT wallets?  Much of the answer depends on your assumptions and definitions.

In his now (in)famous January 2000 essay, “Terror Versus Security”, Salman Rushdie offers a working definition:

Security is, after all, the art of making sure certain things don’t happen: a thankless task, because when they don’t happen, there will always be someone to say the security was excessive and unnecessary.

This and other pieces are republished in Rushdie’s newish book, Step Across This Line: Collected Nonfiction 1992-2002.  Mr. Rushdie is something of an unwitting expert on security matters, at least at the receiving end.  Compelling snapshots throughout the book recall a decade of fighting (and dodging) the Iranian fatwa placed on his head after publication of The Satanic Verses.  While his insights are keen, this definition is part of the problem.

If you think of security in purely negative and restrictive terms – preventing attacks, denying access – it’s hard to be optimistic about the industry.  After all, restrictive security places a burden on the many legitimate transactions in an attempt to prevent the few unauthorized ones.  This is practically a Sisyphean undertaking (heh, “Sisyphean Undertakings for Dummies” – I’m gonna write that book).  Too much restrictive security and the economy grinds to a halt while people proclaim that “the terrorists have already won”.  Too little and you’re accused of being negligent.  Rushdie’s punch line is that any security you decide on is by definition the wrong amount.  What fun.

However, there’s a different way to look at the industry.  Instead of thinking about security as just negative and restrictive, think of it as active and enabling.  Active security is not just about stopping the bad guys; it’s about making the normal lives of the good guys better.  Instead of just intercepting a few illegal transactions, active security aims to make the vast majority of legal transactions faster and more efficient.  There are new security technologies that allow people to do more and to do it quicker.  Think of ATM machines, trusted traveler documents and digitally signed mortgage forms.  All of these applications make life easier for legal users and, by extension, make it easy to catch the illegal ones.  Also, since active security deployments focus on speeding legitimate transactions, they can have a net positive effect on the economy.  The more active security you have, the more it pays for itself.  This is the exact opposite of the negative feedback cycle of restrictive security economics.

A great example of a large active security program is the Common Access Card (CAC – bad name, different topic) of the U.S. Department of Defense.  The CAC is a smart card issued to every member of the DoD and is intended to be used for many applications including logical and physical access, secure email, document signing and payments.  These are applications that people want and that were largely unavailable before the CAC program.  Of course the system is built on cryptographically strong technology, so even though people will use their cards for convenience, they’ll be getting security.

I wrote a chapter on “Active Security” in Inside the Minds: Security Matters.  If you like this blog, but not the pesky attempts at humor, the chapter may be more your speed.  From what I’ve seen in the past two years, spending on active security technology is growing in both government and commercial sectors.

Towards the end of his essay, Salman Rushdie adds a cautionary note:

In the past, security didn’t save President Reagan, or the pope.  Luck did that.  So we need to understand that even maximum security guarantees nobody’s safety.

Certainly this conclusion is correct.  Security isn’t about guaranteeing absolute safety.  It’s about letting people undertake both important and pedestrian actions with a reasonable expectation of a speedy, safe and correct outcome.  Still, I can’t quite agree with the first two sentences.  If you watch the video of either assassination attempt, you’ll see that, even though security couldn’t prevent the initial shots, each attacker was frustrated in his attempt to finish the job by a massive bodyguard pile-on, while the injured principal was quickly and efficiently whisked away from danger and towards medical care.  So maybe it’s more accurate to say that President Reagan and the pope were saved by security and luck.  And by “luck” I mean eight hours of surgery.

It’s easy to make a case for security if you get the definition right.

April 6, 2004 | Permalink | Comments (2)

Smack web spoofers with SpoofStick

Identity “phishing” and spoofed websites are a big problem for IT security and brand management these days.  There are several heavyweight technical proposals to make it harder for attackers to steal identity information by faking websites and emails, but the problem will continue to grow until the industry coalesces around some standards.  CoreStreet has come up with a simple way for users to detect when they might be on a spoofed website, and we’re making it available for free.  We call it SpoofStick™.

SpoofStick is a small browser extension that prominently displays the domain name of the website you’re currently visiting.  That’s it.  Most current “spoofing” attacks entail tricking a user into following a mislabeled link (like this one to http://www.cnn.com/) and then hoping that some percentage of visitors won’t decipher the complex URL to figure out that they’re not in Kansas anymore.  SpoofStick makes it easy to foil this type of attack because it clearly shows you only the most important information about where you are.  Like this:

[screenshot: spoofstick-screen.jpg]

Instead of trying to figure out if this is a real eBay url:

http://signin.ebay.com/aw-cgi/eBayISAPI.dll?SignIn&UsingSSL=0&pUserId=&ru=http%3A%2F%2Fcontact.ebay.com%2Fws1%2FeBayISAPI.dll%3FShowCoreAskSellerQuestion%26requested%3Ddominicsmusic%26de%3Doff%26iid%3D3711129021%26frm%3D284%26acceptcookie%3D0%26loginconfirmed%3D0%26redirect%3D0%26pass%3D%7B_pass_%7D%26userid%3D&pp=pass&co_partnerid=2&pageType=711

Just let SpoofStick do the work for you.

SpoofStick isn’t a very high-tech, comprehensive solution, but it’s a good start.  The goal was to solve 50% of the problem.  I’m going to install it on my parents’ computer and sleep a bit easier at night.  Instead of learning how to pattern-match URL syntax, all they’ll have to do is check SpoofStick every time they enter any information into a website.
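To make the idea concrete, here is an added example (my own sketch, not SpoofStick’s code) of the two checks a SpoofStick-style extension boils down to: reduce a full URL to the domain a user should actually care about, and flag a link whose visible text names a different site than its real destination.  It also covers the multiple-name hosts and international domains mentioned in the 0.05 release note above; the short list of two-level suffixes (ac.uk, co.uk, …) is an assumption standing in for a real public-suffix list.

```javascript
// Added example, not SpoofStick's own code. Reduces a URL to the domain
// that should be shown to the user, ignoring the path and query where
// decoy names (e.g. "contact.ebay.com" inside a %-encoded parameter) live.
// ASSUMPTION: this tiny suffix set stands in for a full public-suffix list.
const TWO_LEVEL_SUFFIXES = new Set(["ac.uk", "co.uk", "com.au", "co.jp"]);

function displayDomain(urlString) {
  let url;
  try {
    url = new URL(urlString); // the parser decides what the host really is
  } catch (e) {
    return null; // not a URL at all
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  // Raw IP literals cannot be shortened; show them unchanged.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[")) return host;
  const labels = host.split(".");
  if (labels.length <= 2) return host;
  // Keep three labels for registries like .ac.uk, otherwise the last two.
  const keep = TWO_LEVEL_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// A "mislabeled link" is one whose visible text looks like a URL for a
// different domain than the href actually points at.
function linkLabelMismatch(visibleText, href) {
  const shown = displayDomain(visibleText.trim());
  if (shown === null) return false; // text is not a URL, nothing to compare
  const real = displayDomain(href);
  return real === null || shown !== real;
}

// Constructed samples mirroring the post: the long eBay sign-in URL, the
// multi-label Citibank host and the Oxford international domain.
const SAMPLES = [
  "http://signin.ebay.com/aw-cgi/eBayISAPI.dll?SignIn&ru=http%3A%2F%2Fcontact.ebay.com%2Fws1",
  "https://web.da-us.citibank.com/signin/citifi/scripts/login2/user_setup.jsp",
  "http://www.ox.ac.uk/",
];

for (const s of SAMPLES) console.log(`You're on: ${displayDomain(s)}`);
// Constructed decoy: link text says cnn.com, href goes to a placeholder host.
console.log(linkLabelMismatch("http://www.cnn.com/", "http://not-cnn.example/"));
```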

SpoofStick is currently available in BETA form, and only for Mozilla Firefox.  An IE version is around the corner.  SpoofStick is free and currently unsupported.  Nobody at CoreStreet is responsible if anything bad happens while you’re using SpoofStick – or at most other times, for that matter.  Please email comments or suggestions to spoofstick@corestreet.com.

Download SpoofStick v. 0.04 BETA for Firefox here.

[Thanks to my brother, Mark Ayzenshtat for doing most of the heavy lifting on this release.]

April 5, 2004 | Permalink | Comments (13)

Too-Frequent Flyer Part 1 – Intro

As I lowered my tray table to accommodate the proffered bag of mini pretzels on the last leg of my latest month-long travel circuit, an unexpected advance in airplane technology caught me by surprise.  The entire inside of the tray table was covered by a vivid, full-bleed photo advertisement of a ski-shod lower torso sitting on a chair lift.  The optical illusion was almost perfect: exactly where my real legs disappeared into the circulation stopping confines of a coach class seat, my new virtual legs dangled unencumbered over trees