Kalyan Varma's Friends
 

Below are the most recent 50 friends' journal entries.

    Monday, May 20th, 2013
    jwz
    2:13p
    Phrenology works. I can tell because of the pixels.
    Mike Pelletier: Lucy Skull

    The model of the skull was generated from a friend's dental tomography scan. The form of the object was created by creating an array of copies of the skull, where each successive copy of the skull is scaled, rotated, and moved. The skull starts at life size at the front and ends up rotated 180 degrees and two times larger than life at the back.

    Mirrored from jwz.org.

    bruce_schneier 11:34a
    Security Risks of Too Much Security

    http://www.schneier.com/blog/archives/2013/05/security_risks_8.html

    All of the anti-counterfeiting features of the new Canadian $100 bill are resulting in people not bothering to verify them.

    The fanfare about the security features on the bills may be part of the problem, said RCMP Sgt. Duncan Pound.

    "Because the polymer series' notes are so secure ... there's almost an overconfidence among retailers and the public in terms of when you sort of see the strip, the polymer looking materials, everybody says 'oh, this one's going to be good because you know it's impossible to counterfeit,'" he said.

    "So people don't actually check it."

    deponti
    5:16p
    Patting the...back
    At last, LJ opens up for a few minutes...let me rush to post.

    When it's bottoms up...

    1 pat behind 170513 stl photo DSC07161.jpg

    and there is a willingness to pat....

    2  pat behind 170513 stl photo DSC07162.jpg

    Happiness results!

    3  pat behind 170513 stl photo DSC07164.jpg

    But when I said I was going to put it up on the blog...


    what! 170513 stl photo DSC07159.jpg

    Current Mood: happy
    Sunday, May 19th, 2013
    Saturday, May 18th, 2013
    jwz
    5:54p
    Rasputin's daughter on a 1935 Wheaties box

    "Europe's Sensational Wild Animal Trainer, Fearless Daughter of Russia's Mad Monk."

    I learned about the existence of this wonderful artifact and wonderful kook from Bess Lovejoy's Atlas Obscura talk at DNA Lounge last week, which you should surely attend in the future.

    She also later co-authored a cookbook, which includes recipes for jellied fish heads and her father's favorite, cod soup. She also worked as a cabaret dancer in Bucharest, Romania, and then found work as a circus performer for Ringling Brothers Circus. During the 1930s she toured Europe and America as a lion tamer, billing herself as "the daughter of the famous mad monk whose feats in Russia astonished the world." She was mauled by a bear in Peru, Indiana, but stayed with the circus until it reached Miami, Florida, where she quit and began work as a riveter in a defense shipyard during World War II.

    Mirrored from jwz.org.

    jwz
    12:39p
    Fucking Zynga

    Dear Lazyweb, can anyone tell me how to disconnect my Words With Friends account from my Facebook account?

    I'm sick to death of it sending me push-notifications that someone I'm friends with on Facebook but have never played Scrabble with has played a word. There seems to be no way to turn this shit off.

    Things I have tried:

    1. De-authorizing the Words With Friends app on Facebook. This causes the iOS app to go into a loop demanding that you re-authorize it.

    2. Deleting and re-installing the iOS app. That stops the auth-loop, but does not stop the "notifications about non-friends" issue, and also makes it nag you daily saying "Hey, you used to log in with Facebook! Log in with Facebook okay??"

    So I guess I can't do this myself, since it's stuck in their DB. I'll just mail them and ask them to delete that. Ha ha ha.

    1. This joke appears to be the closest thing to a non-FAQ support page.
    2. So I go to their Facebook page hoping to message them. There's no option to message them. There's no option to post a question on the wall except as a reply to a previous post from them announcing a new feature in a different game. WTF.

    3. So I waste my time trying to strip my complaint down to 140 characters and ask them on Twitter. To the shock of nobody, I get no reply.

    4. Then on a completely different, unlinked web site, I find this page. I get a brush-off auto-reply saying "update to the latest version of the app, which will direct you to the FAQ instead of letting you actually contact us."

    The fact that they are still nagging me with updates about my Facebook friends when they no longer have authorization on my Facebook account means that they have stored an offline copy of my friends tree, which I'm pretty sure is against Facebook's application terms of service. I'm sure both parties care about this a lot.

    Yeah yeah, that's what I get for dealing with amoral scumbags like Zynga in the first place. I even paid them money to make the ads go away, so I'm part of the problem. But hey, I like playing scrabble on my phone.

    Remember when a paying customer could actually email support? Those were the days.

    Previously.

    Mirrored from jwz.org.

    jwz
    2:30a
    Picasa
    Dear Lazyweb:

    I face-tagged a zillion faces in desktop Picasa while "Store Name Tags in Photo" was unchecked. Now I have checked it and I want it to write all those tags back to the EXIF. How?

    Alternately: I just want to extract a map of filename → face-names, and then I can take care of business myself. Where's the API?

    Previously.

    Mirrored from jwz.org.

    Friday, May 17th, 2013
    bruce_schneier 9:57p
    Friday Squid Blogging: Striped Pyjama Squid Pet Sculpture

    http://www.schneier.com/blog/archives/2013/05/friday_squid_bl_376.html

    Technically, it's a cuttlefish and not a squid. But it's still nice art. I posted a photo of a real striped pyjama squid way back in 2006.

    As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

    bruce_schneier 7:59p
    Applied Cryptography on Elementary

    http://www.schneier.com/blog/archives/2013/05/applied_cryptog.html

    In the episode that aired on May 9th, about eight or nine minutes in, there's a scene with a copy of Applied Cryptography prominently displayed on the coffee table. This isn't the first time that my books have appeared on that TV show.

    Applied Crypto on Elementary.jpg

    freedomtotinker 4:49p
    Blocking of Google+ Hangouts Android App

    https://freedom-to-tinker.com/blog/jrex/blocking-of-google-hangouts-android-app/

    Earlier this week, online news sites started reporting the apparent blocking of Google’s Google+ Hangout video-chat application on Android over AT&T’s cellular network [SlashGear, Time, ArsTechnica].

    Several of the articles noted the relationship to an earlier controversy concerning AT&T and Apple’s FaceTime application. Our Mobile Broadband Working Group at the FCC’s Open Internet Advisory Committee released a case study on AT&T’s handling of FaceTime in January of this year. Our report may help inform the new debate on the handling of the Google Hangout video app on cellular networks.

    freedomtotinker 1:01a
    CALEA II: Risks of wiretap modifications to endpoints

    https://freedom-to-tinker.com/blog/felten/calea-ii-risks-of-wiretap-modifications-to-endpoints/

    Today I joined a group of twenty computer scientists in issuing a report criticizing an FBI plan to require makers of secure communication tools to redesign their systems to make wiretapping easy. We argue that the plan would endanger the security of U.S. users and the competitiveness of U.S. companies, without making it much harder for criminals to evade wiretaps.

    The FBI argues that the Net is “going dark”—that they are losing their ability to carry out valid wiretap warrants. In fact, this seems to be a golden age of surveillance—more collectable communications are available than ever before, including whole new categories of information such as detailed location tracking. Regardless, the FBI wants Congress to require that voice, video, and text communication tools be (re-)designed so that lawful wiretap orders can be executed quickly and silently.

    Our report focuses in particular on the drawbacks of mandating wiretappability of endpoint tools—that is, tools that reside on the user’s computer or phone. Traditional wiretaps are executed on a provider’s equipment. That approach works for the traditional phone system (wiretap in the phone company’s switching facility) or a cloud service like GMail (get data from the service provider). But for P2P technologies such as Skype, information can only be captured on the user’s computer, which means that the Skype software would have to be changed to add a virtual “wiretap port” that could be activated remotely without the user’s knowledge.

    Our report argues that mandating a virtual wiretap port in endpoint systems is harmful. The port makes it easier for attackers to capture the very same data that law enforcement wants. Intruders want to capture everything that happens on a compromised computer. They will be happy to see a built-in tool for capturing and extracting large amounts of audio, video, and text traffic. Better yet (for the intruder), the capability will be stealthy by design, making it difficult for the user to tell that anything is amiss.

    Beyond this, the mandate would make it harder for users to understand, monitor, and fix their own systems—which is bad for security. If a system’s design is too simple or its operation too transparent or too easy to monitor, then wiretaps will be evident. So a wiretappability mandate will push providers toward complex, obfuscated designs that are harder to secure and raise the total cost of building and operating the system.

    Finally, our report argues that it will not be possible to block non-compliant implementations. Many of today’s communication tools are open source, and there is no way to hide a capability within an open source code base, nor to prevent people from simply removing or disabling an undesired feature. Even closed source systems are routinely modified by users—as with jailbreaking of phones—and users will find ways to disable features they don’t want. Criminals will want to disable these features. Ordinary users will also want to disable them, to mitigate their security risks.

    Our report discusses other issues, such as the impact of a wiretappability mandate on the ability of U.S. companies to compete in international markets. The bottom line is that harms that would result from the FBI’s plan vastly outweigh any benefits. The cybersecurity problem is bad enough as it is. Let’s not make it any worse.

    [Signers of the report are Ben Adida, Collin Anderson, Annie I. Anton (Georgia Institute of Technology), Matt Blaze (University of Pennsylvania), Roger Dingledine (The Tor Project), Edward W. Felten (Princeton University), Matthew D. Green (Johns Hopkins University), J. Alex Halderman (University of Michigan), David R. Jefferson (Lawrence Livermore National Laboratory), Cullen Jennings, Susan Landau (privacyink.org), Navroop Mitter, Peter G. Neumann (SRI International), Eric Rescorla (RTFM, Inc.), Fred B. Schneider (Cornell University), Bruce Schneier (BT Group), Hovav Shacham (University of California, San Diego), Micah Sherr (Georgetown University), David Wagner (University of California, Berkeley), and Philip Zimmermann (Silent Circle, LLC). Affiliations for identification purposes only. CDT coordinated the creation of the report.]

    Thursday, May 16th, 2013
    bruce_schneier 1:45p
    Bluetooth-Controlled Door Lock

    http://www.schneier.com/blog/archives/2013/05/bluetooth-contr.html

    Here is a new lock that you can control via Bluetooth and an iPhone app.

    That's pretty cool, and I can imagine all sorts of reasons to get one of those. But I'm sure there are all sorts of unforeseen security vulnerabilities in this system. And even worse, a single vulnerability can affect all the locks. Remember that vulnerability found last year in hotel electronic locks?

    Anyone care to guess how long before some researcher finds a way to hack this one? And how well the maker anticipated the need to update the firmware to fix the vulnerability once someone finds it?

    I'm not saying that you shouldn't use this lock, only that you understand that new technology brings new security risks, and electronic technology brings new kinds of security risks. Security is a trade-off, and the trade-off is particularly stark in this case.

    Wednesday, May 15th, 2013
    deponti
    7:51a
    Home birding
    When housebound, taking care of a little baby, one can still enjoy a fair amount of bird-watching!

    This morning, a family of

    KILLDEER

    delighted me. Here's the mother:

    12 kldr stl 140513 photo DSC06844.jpg


    It was great fun watching them.


    Killdeer

    are named that, apparently, after their call; but the calls I heard the mother and the babies making today didn't sound anything like it!

    While this was going on, some

    NORTHERN MOCKINGBIRDS

    flew around, and one settled on the Japanese Maple and started trying her various calls. Two

    COMMON GRACKLES

    flew in, green-blue feathers shining, and pecked at the worms in the grass. Two

    AMERICAN ROBINS

    had a massive, roll-over-each-other fight in our driveway, over some nesting material; they had separated before I could get my camera. And four

    HOUSEFINCHES

    came in to try and see if they could nest in the Arbor vitae bushes next to the front porch, and the

    NORTHERN CARDINAL

    couple also came visiting. So...quite a variety of visitors, I decided I'd photograph only the Killdeer...but photographing these fast-scuttling birds across the road wasn't easy!

    Current Mood: delighted
    deponti
    12:21a
    Every day is Daughter's Day
    I gave birth to my only child, a daughter, about thirty four and a half years ago. On that winter morning, of the second of November, the pain of childbirth made me a mother...it was Mother's Day for me.

    As has been every day, since then. The infant began to recognize me, to crawl, to toddle; she exhibited curiosity, got into several scrapes, went to school, got interested in various things....turned into a very independent-minded adolescent. When she was barely out of it, and just into young womanhood, she left home for a destination halfway across the world, at the age of seventeen.

    Being a stay-at-home mother, I did have a large part to play in her life until then...but the distances of the continents, however much we bridged it with phone calls and (recently introduced) email, made her become a person in her own right. She fought discrimination; worked very hard at both her studies, and in the college cafeteria, and baby-sat to make a few extra dollars. She earned two bachelor's degrees, and then moved to St.Louis, where she earned two master's degrees. Very soon after she landed in America, she met the young man who would become her husband.

    The process of accepting him, and life in the United States, when she was very keen on returning to her home country, was a difficult one; she brought great maturity to the budding relationship. She went off for a six-month stint to Denmark, and another to Spain, and evaluated how the relationship fared under the state of absence. When the young man in question gave up his job in his country, and came to live in India, taking up a job there, and found living in India quite easy, they decided to get married, and set up home in the States.

    She wanted a very traditional wedding, and she did get it...and enjoyed every bit of it. Her generous father provided the money, and I provided the organization, and to our great joy, 30 of DS' family and friends flew in for the event, making it one of the most memorable events of our lives.

    She's dealt, all her life, with health problems...from having a major acid burn at the age of two, surgery for adenoids at the age of 5, a bad fall, a pre-cancerous lump behind her knee, when there was a fear her leg would have to be amputated...with courage, determination, and positivity.

    She took up a job, then another; she dealt with difficulties at work, with being fired, and rose from the deep trauma of that, to find another one, where she was (and is) very happy, working for public transit in St.Louis.

    She's so generous with herself, her time, her effort, and her money. She's always volunteered for social causes; she always helps out people in trouble. She's a great runner...she's run several half-marathons, all to raise money for the education of poor children in India.

    She is a good citizen (even though she's not an American citizen); she takes an active part in the community that she lives in.

    She's become more than a daughter; I've depended on her so much for emotional support, which she has unstintingly, and unjudgmentally, given me.

    She's become a mother, too....and she's shared her children with me. The children of my child are very great sources of joy to me; she's done, and is doing, a great job as a mother.

    She's articulate, artistic, and a great achiever...very warm-hearted, and I just wish I could take credit for all that...but I think that's the way she's always been!

    Here's the Mother's Day card she made for me:

    mthr's day k stl 140513 photo DSC06856-1.jpg

    And the message inside:

    2 mthr's day k stl 140513 photo DSC06857.jpg

    Every day, for the rest of my life, will be Mother's Day...I give thanks for the wonderful child I have. I am the luckiest mother alive!

    Current Mood: happy
    Tuesday, May 14th, 2013
    deponti
    6:47p
    Punctuation of life
    As one grows up, one discovers the discovery power of the question mark, then the exciting power of the exclamation mark. Then...the slower power of the comma...the sedate power of the semi-colon...and finally, the restful power of the full stop.

    Current Mood: pensive
    bruce_schneier 10:48a
    Transparency and Accountability

    http://www.schneier.com/blog/archives/2013/05/transparency_an.html

    As part of the fallout of the Boston bombings, we're probably going to get some new laws that give the FBI additional investigative powers. As with the Patriot Act after 9/11, the debate over whether these new laws are helpful will be minimal, but the effects on civil liberties could be large. Even though most people are skeptical about sacrificing personal freedoms for security, it's hard for politicians to say no to the FBI right now, and it's politically expedient to demand that something be done.

    If our leaders can't say no -- and there's no reason to believe they can -- there are two concepts that need to be part of any new counterterrorism laws, and investigative laws in general: transparency and accountability.

    Long ago, we realized that simply trusting people and government agencies to always do the right thing doesn't work, so we need to check up on them. In a democracy, transparency and accountability are how we do that. It's how we ensure that we get both effective and cost-effective government. It's how we prevent those we trust from abusing that trust, and protect ourselves when they do. And it's especially important when security is concerned.

    First, we need to ensure that the stuff we're paying money for actually works and has a measurable impact. Law-enforcement organizations regularly invest in technologies that don't make us any safer. The TSA, for example, could devote an entire museum to expensive but ineffective systems: puffer machines, body scanners, FAST behavioral screening, and so on. Local police departments have been wasting lots of post-9/11 money on unnecessary high-tech weaponry and equipment. The occasional high-profile success aside, police surveillance cameras have been shown to be a largely ineffective police tool.

    Sometimes honest mistakes led organizations to invest in these technologies. Sometimes there's self-deception and mismanagement—and far too often lobbyists are involved. Given the enormous amount of security money post-9/11, you inevitably end up with an enormous amount of waste. Transparency and accountability are how we keep all of this in check.

    Second, we need to ensure that law enforcement does what we expect it to do and nothing more. Police powers are invariably abused. Mission creep is inevitable, and it results in laws designed to combat one particular type of crime being used for an ever-widening array of crimes. Transparency is the only way we have of knowing when this is going on.

    For example, that's how we learned that the FBI is abusing National Security Letters. Traditionally, we use the warrant process to protect ourselves from police overreach. It's not enough for the police to want to conduct a search; they also need to convince a neutral third party -- a judge -- that the search is in the public interest and will respect the rights of those searched. That's accountability, and it's the very mechanism that NSLs were exempted from.

    When laws are broken, accountability is how we punish those who abused their power. It's how, for example, we correct racial profiling by police departments. And it's a lack of accountability that permits the FBI to get away with massive data collection until exposed by a whistleblower or noticed by a judge.

    Third, transparency and accountability keep both law enforcement and politicians from lying to us. The Bush Administration lied about the extent of the NSA's warrantless wiretapping program. The TSA lied about the ability of full-body scanners to save naked images of people. We've been lied to about the lethality of tasers, when and how the FBI eavesdrops on cell-phone calls, and about the existence of surveillance records. Without transparency, we would never know.

    A decade ago, the FBI was heavily lobbying Congress for a law to give it new wiretapping powers: a law known as CALEA. One of its key justifications was that existing law didn't allow it to perform speedy wiretaps during kidnapping investigations. It sounded plausible -- and who wouldn't feel sympathy for kidnapping victims? -- but when civil-liberties organizations analyzed the actual data, they found that it was just a story; there were no instances of wiretapping in kidnapping investigations. Without transparency, we would never have known that the FBI was making up stories to scare Congress.

    If we're going to give the government any new powers, we need to ensure that there's oversight. Sometimes this oversight is before action occurs. Warrants are a great example. Sometimes they're after action occurs: public reporting, audits by inspector generals, open hearings, notice to those affected, or some other mechanism. Too often, law enforcement tries to exempt itself from this principle by supporting laws that are specifically excused from oversight...or by establishing secret courts that just rubber-stamp government wiretapping requests.

    Furthermore, we need to ensure that mechanisms for accountability have teeth and are used.

    As we respond to the threat of terrorism, we must remember that there are other threats as well. A society without transparency and accountability is the very definition of a police state. And while a police state might have a low crime rate -- especially if you don't define police corruption and other abuses of power as crime -- and an even lower terrorism rate, it's not a society that most of us would willingly choose to live in.

    We already give law enforcement enormous power to intrude into our lives. We do this because we know they need this power to catch criminals, and we're all safer thereby. But because we recognize that a powerful police force is itself a danger to society, we must temper this power with transparency and accountability.

    This essay previously appeared on TheAtlantic.com.

    freedomtotinker 9:00a
    Who Owns the Future? Not the Middle Class

    https://freedom-to-tinker.com/blog/gneff/who-owns-the-future-not-the-middle-class/

    Jaron Lanier, in the latest contribution to the public conversation about how we live with technology, blames the Internet for the fall of the middle class.  Only the problem is he’s wrong.

    In his new book Who Owns the Future? Lanier–often described with the word visionary–argues that the information economy in general and network technologies in particular are to blame for the plight of the middle class. I haven’t read the entire book yet (that will have to wait until after my team puts in our proposal to NSF’s Smart and Connected Health). I suspect I will agree with the political spirit of much of what Lanier writes, but on this point I have to push back now, even at the risk of missing the subtlety of his full argument. We probably agree on many points, but this one is crucial to tease out because of its political implications.

    In Venture Labor I traced why seemingly rational, well-educated young people rushed to be a part of the first wave of dot-coms in the 1990s and early 2000s. My point was the entrepreneurial spirit of the dot-com era was a response to growing job insecurity, not the cause of it. Young graduates of the 1990s found that risky Internet startups offered the best options in an economy that increasingly felt (and was) closed off to them.  They acted as “venture labor,” risking layoffs in the hopes of a future stock payout because they had, relatively speaking, few other choices.

    Technology itself was not the cause for the disruption in the U.S. labor market that limited entry-level jobs and made work in general less secure and more contingent. Tech giants Kodak and IBM once offered stable long-term careers with the best benefits in America. The layoffs there and elsewhere that reshaped corporate America and eliminated hundreds of thousands of middle-class jobs began before there was even a commercial World Wide Web. The blustery rhetoric of Internet innovation saving a tired, weakened American economy was not possible without the tropes and metaphors that Ronald Reagan introduced into political speech in the 1980s. The challenges the middle class faced then and continue to struggle with are not the result of technological change but broad economic and political shifts that began well before html. Tom Streeter has called the spirit of the dot-com era “Romantic” (as in Henry David Thoreau, not Match.com; a dialogue on Streeter’s book edited by yours truly is over at Culture Digitally). The romantic individualism that pervades the culture of the Internet means that these responses to economic change were talked about in terms of rugged individualism and self-fulfillment, not in terms collective or social. That’s not accidental. A generation of layoffs, political rhetoric about the virtues of good ol’ American risk-taking, fatally weakened labor unions, and permanently slowed job growth. In other words, social responses to economic problems lost traction and a cultural vision of rugged individualism and entrepreneurial pluck saving the economy won.

    This brings us back to the point of Lanier’s book. We have many reasons to be politically suspicious of Big Data and Moore’s Law. But hanging the collapse of middle class wages on these phenomena, as Lanier does, hides the fact that the problem has been with us longer than the Internet has. Take this passage from Lanier in an interview in Salon with the very smart Scott Timberg who writes on jobs in cultural industries:

    The way society actually works is there’s some mechanism of basic stability so that the majority of people can outspend the elite so we can have a democracy. That’s the thing we’re destroying, and that’s really the thing I’m hoping to preserve. So we can look at musicians and artists and journalists as the canaries in the coal mine, and is this the precedent that we want to follow for our doctors and lawyers and nurses and everybody else? Because technology will get to everybody eventually.

    In the book, Lanier writes that because “Networks need a great number of people to participate in them to generate significant value. But then, when you have them only a small number of people get paid. That has the net effect of centralizing wealth and limiting overall economic growth” (p 2).

    I applaud Lanier for pointing us to the woes of the economy as a dark side of the Silicon economy. But his blame for it on technology is very much misplaced. As Janet Maslin pointed out in her New York Times review of Who Owns the Future?, the book “may not provide many answers, but it does articulate a desperate need for them.” I, for one, am glad to see we’re finally talking about them.

    Monday, May 13th, 2013
    jwz
    10:29p
    Vigilant Citizen was not immediately available for comment.

    Peaches Geldof has signed up to Aleister Crowley's sex cult Ordo Templi Orientis

    Is this, by any chance, a stupid cult? No, actually it's a respected school of academic thought known for its rigorous system of peer-reviewed publishing and many seminal contributions to the philosophy of mind, ethics and epistemology.

    Really? No, of course not. It's a stupid cult.

    Previously, previously, previously.

    Mirrored from jwz.org.

    jwz
    10:41a
    Dear Safari, what part of "reopen windows from last session" is so hard to understand?
    So I've got ten windows iconified, and another ten open on my desktop. Safari crashes, as it so often does.

    I re-launch it. I get back the two frontmost non-iconified windows, and the two oldest iconified windows. What the fucking fuck.

    Then I do "reopen windows from last session", and they all come back, including duplicates of the ones I already have open. Come on.

    And to insult my injury, the icons in the dock are all blank until after I wait for them all to load in the background, then uniconify and reiconify them, because updating the dock icon at the completion of the background page-load would apparently be too much effort.

    I tried an extension that purported to auto-save sessions, but it did some confusing and complicated thing that was not even remotely what I wanted.

    Is there a sane solution to this?

    (No, I don't want to switch browsers, STFU. No I don't use tabs, STFU.)

    Mirrored from jwz.org.

    freedomtotinker 1:51p
    Design is a poor guide to authorization

    https://freedom-to-tinker.com/blog/felten/design-is-a-poor-guide-to-authorization/

    James Grimmelmann has a great post on the ambiguity of the concept of “circumvention” in the law. He writes about the Computer Fraud and Abuse Act (CFAA) language banning “exceeding authorized access” to a system.

    There are, broadly speaking, two ways that a computer user could “exceed[] authorized access.” The computer’s owner could use words to define the limits of authorization, using terms of service or a cease-and-desist letter to say, “You may do this, but not that.” Or she could use code, by programming the computer to allow certain uses and prohibit others.

    The conventional wisdom is that word-based restrictions are more problematic.

    He goes on to explain the conventional wisdom that basing CFAA liability on word-based restrictions such as website Terms of Use is indeed problematic. But the alternative, as James points out, is perhaps even worse: defining authorization in terms of the technical functioning of the system. The problem is that everything that the attacker gets the system to do will be something that the system as actually constructed could do.

    What this means, in other words, is that the “authorization” conferred by a computer program—and the limits to that “authorization”—cannot be defined solely by looking at what the program actually does. In every interesting case, the defendant will have been able to make the program do something objectionable. If a program conveys authorization whenever it lets a user do something, there would be no such thing as “exceeding authorized access.” Every use of a computer would be authorized.

    The only way out of this trap—short of giving up altogether the notion of “authorization” by technology—is to say that it is the designer’s intent that matters.

    [This approach] requires us to ask what a person in the defendant’s position would have understood the computer’s programmers as intending to authorize. What the program does matters, not because of what it consents to, but of what it communicates about the programmer’s consent.

    But even this underestimates the difficulty of relying on behavior. To see why, consider one of James’s examples: an ATM that was programmed so that when it did not have a network connection, it would dispense $200 cash to anyone, whether or not they even had an account at the bank. An Australian court convicted a Mr. Kennison who withdrew money without having a valid account. Notice that everything about the system’s behavior conveys the message that cash should be dispensed to anyone when there is not a network connection. This behavior of the system was pretty clearly not an error but a deliberate choice by the designers. If the system’s behavior conveyed anything to Kennison, it was that cash was supposed to be dispensed, and that the designers had chosen to make it behave that way. If you conclude Kennison’s use was unauthorized, then you have to get there by arguing that there was an understanding, not expressed in any words or behavior, that spoke more loudly than the system’s behavior. The lack of authorization did not stem from code, and it did not stem from words. Kennison was just supposed to know that the act was unauthorized. This seems plausible for ATM withdrawals, but it can’t extend very far into less settled technical areas.

    Why did the ATM’s designers choose to make it dispense money? Presumably they figured that almost all of the users who asked for $200 would in fact have valid accounts of at least $200, and they wanted to serve those customers even at the risk of dispensing some cash that they wouldn’t have dispensed under normal circumstances. But this design decision seems to assume that people won’t do what Kennison did—that people will not take advantage of the behavior. It’s tempting to argue, then, that it is precisely the lack of technical barriers to Kennison’s act that conveys the designers’ belief that acts of that type were not authorized. But this argument would prove too much—if the existence of a fence conveys lack of authorization, then the non-existence of a fence cannot also prove lack of authorization. The conclusion must be that a system’s behavior is not a very reliable signpost for authorization.

    Is there any case where a system’s behavior is a reliable guide to authorization? One possibility is where the system is clearly designed with a particular behavior in mind, but there was an obvious engineering error that created a loophole. For example, a system might require passwords for account access, but the implementation treats a zero-length password as valid to access every account. Contentious CFAA cases are rarely like this. Text-based definitions of authorization may be problematic; but behavior-based restrictions are often worse.

    jwz
    10:12a
    I resemble this remark

    @shyhoof: An ode to the journey of ó on a shipping label.

    Converting the whole poem to pixels was probably the right move.

    Previously.

    Mirrored from jwz.org.

    bruce_schneier 1:15p
    deponti
    5:44p
    In memory of Akash
    My friends Sujata and Ravi Dube's son Akash passed away exactly a year ago, to leukemia. Akash had fought back spiritedly, and even organized a Terry Fox Run in Chennai. I think he conquered the illness with his outlook.

    I made friends with Sharbari Lahiri through Facebook, as a mutual friend. She lives in Ontario, Canada. We've become firm friends now..and I've been enjoying getting to know her family as well.

    In memory of Akash Dube, Daniel Presta, her 16-year-old son, has written this:

    AKASH

    I am the morning
    The sunrise at dawn
    A calming reminder
    All dark skies are gone

    I am a tulip
    On a snow-covered hill
    A symbol of nature
    My presence there still

    I am an eagle
    Soaring over the fields
    My spirit held tightly
    My smile it does wield

    I am the ocean
    So vast and composed
    Yet bold and courageous
    No fear will I show

    I am the watchman
    The guardian of dreams
    An unafraid leader
    With a kind-hearted gleam

    I am bright laughter
    Pure pleasure and joy
    An uplifting man
    An inspiring boy

    I am the reason
    The sun burns so bright
    That sadness is shattered
    That darkness is light

    I am a dreamer
    Tears I do not cry
    I am a champion
    I am the sky

    -Daniel Presta

    Current Mood: tears
    Sunday, May 12th, 2013
    jwz
    11:46p
    jwz
    7:38p
    jwz
    4:10p
    jwz
    3:54p
    [Citation Needed]
    [Citation Needed] - Citation needed

    "Citation needed", most commonly rendered as [citation needed], is a common editorial remark on Wikipedia, which has become used to refer to Wikipedia in wider popular culture. [citation needed]

    Link

    Previously, previously, previously.

    Mirrored from jwz.org.

    jwz
    2:18p
    Today in Killdozer news
    Four homes were demolished and thousands were left without power after Barry Swegle started smashing homes with his bulldozer.

    Neighbor Keith Haynes said that the man "just went nuts." "He took a skidder and took out two houses," Haynes told the Peninsula Daily News. "I mean demolished. It was like a war zone."

    Neighbor Barbara Porter isn't too surprised. When she heard the bulldozer start to rumble, she knew that Barry was about to get feisty.

    "We all said one of these days Barry is going to take that dang CAT and he's going to start tearing up people's property and that's what he did."

    And that article contained this sidebar:

    RELATED: NAKED, HIGH DALLAS MAN DRIVES THROUGH A SHOPPING MALL AND STEALS CLOTHES

    "Normally, when we deal with people that are," Dallas Police Sgt. Elliot Forge told the station as he took a long pause and tried not to laugh. He continued "naked, they're usually under the influence of some kind of narcotics."

    Yes. Highly relevant.

    Previously.

    Mirrored from jwz.org.

    jwz
    11:30a
    Friday, May 10th, 2013
    jwz
    3:30p
    jwz
    3:16p
    jwz
    2:53p
    bruce_schneier 9:26p
    Friday Squid Blogging: Squid Festival in Monterey

    http://www.schneier.com/blog/archives/2013/05/friday_squid_bl_375.html

    It's at the end of May. Note that it's being put on by the Calamari Entertainment Group.

    As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

    jwz
    2:41p
    Wine tasting is bullshit.

    Fuck io9 a lot, but this is funny:

    It bears repeating that the judges Hodgson surveyed were no ordinary taste-testers. These were judges at California State Fair wine competition -- the oldest and most prestigious in North America. If you think you can consistently rate the "quality" of wine, it means two things:

    1: No. You can't.

    2. Wine-tasting is bullshit.

    [...]

    A 2006 study, published by the American Association of Wine Economists, found that most people can't distinguish between paté and dog food.

    My personal wine Venn Diagram consists of a large outer circle labelled "something my companions thought was a good idea" enclosing smaller almost-equally-sized circles labelled "something that gives me a headache before a buzz" and "something that would be better with bubbles and OJ in it".

    Also, liver-flavored butter? Who eats that on purpose?

    Mirrored from jwz.org.

    jwz
    2:26p
    I was swallowed by a hippo

    There was no transition at all, no sense of approaching danger. It was as if I had suddenly gone blind and deaf.

    I was aware that my legs were surrounded by water, but my top half was almost dry. I seemed to be trapped in something slimy. There was a terrible, sulphurous smell, like rotten eggs, and a tremendous pressure against my chest. My arms were trapped but I managed to free one hand and felt around -- my palm passed through the wiry bristles of the hippo's snout. It was only then that I realised I was underwater, trapped up to my waist in his mouth.

    I wriggled as hard as I could, and in the few seconds for which he opened his jaws, I managed to escape. I swam towards Evans, but the hippo struck again, dragging me back under the surface. I'd never heard of a hippo attacking repeatedly like this, but he clearly wanted me dead.

    Hippos' mouths have huge tusks, slicing incisors and a bunch of smaller chewing teeth. It felt as if the bull was making full use of the whole lot as he mauled me -- a doctor later counted almost 40 puncture wounds and bite marks on my body. The bull simply went berserk, throwing me into the air and catching me again, shaking me like a dog with a doll.

    Then down we went again, right to the bottom, and everything went still. I remember looking up through 10 feet of water at the green and yellow light playing on the surface, and wondering which of us could hold his breath the longest. Blood rose from my body in clouds, and a sense of resignation overwhelmed me. I've no idea how long we stayed under -- time passes very slowly when you're in a hippo's mouth.

    The hippo lurched suddenly for the surface, spitting me out as it rose. Mike was still waiting for me in his kayak and managed to paddle me to safety. I was a mess. My left arm was crushed to a pulp, blood poured from the wounds in my chest and when he examined my back, Mike discovered a wound so savage that my lung was visible.

    Previously, previously, previously.

    Mirrored from jwz.org.

    bruce_schneier 6:49p
    The Onion on Browser Security

    http://www.schneier.com/blog/archives/2013/05/the_onion_on_br.html

    Wise advice:

    At Chase Bank, we recognize the value of online banking -- it’s quick, convenient, and available any time you need it. Unfortunately, though, the threats posed by malware and identity theft are very real and all too common nowadays. That’s why, when you’re finished with your online banking session, we recommend three simple steps to protect your personal information: log out of your account, close your web browser, and then charter a seafaring vessel to take you 30 miles out into the open ocean and throw your computer overboard.

    And while we're talking about the Onion, they were recently hacked by Syria (either the government or someone on their side). They responded in their own way.

    EDITED TO ADD (5/11): How The Onion got hacked.

    bruce_schneier 11:47a
    Mail Cover

    http://www.schneier.com/blog/archives/2013/05/mail_cover.html

    From a FOIAed Department of Transportation document on investigative techniques:

    A "mail cover" is the process by which the U.S. Postal Service records any data appearing on the outside cover of any class of mail, sealed or unsealed, or by which a record is made of the contents of unsealed (second-, third-, or fourth-class) mail matter as allowed by law. This "mail cover" is done to obtain information in the interest of protecting national security, locating a fugitive, or obtaining evidence of commission or attempted commission of a felony crime, or assist in the identification of property, proceeds, or assets forfeitable under law.

    Seems to be the paper mail equivalent of a pen register. I'd never heard of the term before.

    EDITED TO ADD (5/11): Here is a 2002 NPR interview on mail cover, based on these two articles.
    Thursday, May 9th, 2013
    bruce_schneier 10:16a
    The Economist on Guantanamo

    http://www.schneier.com/blog/archives/2013/05/the_economist_o_4.html

    Maybe the tide is turning:

    America is in a hole. The last response of the blowhards and cowards who have put it there is always: "So what would you do: set them free?" Our answer remains, yes. There is clearly a risk that some of them would then commit some act of violence -- in Yemen, elsewhere in the Middle East or even in America itself. That risk can be lessened by surveillance. But even if another outrage were to happen, the evil of "Gitmo" has recruited far more people to terrorism than a mere 166. Mr Obama should think about America's founding principles, take out his pen and end this stain on its history.

    I agree 100%.

    This isn't the first time people have pointed out that our politics are creating more terrorists than they're killing -- especially our drone strikes -- but I don't expect this sort of security trade-off analysis from the Economist.

    Wednesday, May 8th, 2013
    bruce_schneier 6:54p
    Reidentifying Anonymous Data

    http://www.schneier.com/blog/archives/2013/05/reidentifying_a.html

    Latanya Sweeney has demonstrated how easy it can be to identify people from their birth date, gender, and zip code. The anonymous data she reidentified happened to be DNA data, but that's not relevant to her methods or results.

    Of the 1,130 volunteers Sweeney and her team reviewed, about 579 provided zip code, date of birth and gender, the three key pieces of information she needs to identify anonymous people combined with information from voter rolls or other public records. Of these, Sweeney succeeded in naming 241, or 42% of the total. The Personal Genome Project confirmed that 97% of the names matched those in its database if nicknames and first name variations were included.

    Her results are described here.

    bruce_schneier 11:32a
    Evacuation Alerts at the Airport

    http://www.schneier.com/blog/archives/2013/05/evacuation_aler.html

    Last week, an employee error caused the monitors at LAX to display a building evacuation order:

    At a little before 9:47 p.m., the message read: "An emergency has been declared in the terminal. Please evacuate." An airport police source said officers responded to the scene at the Tom Bradley International Terminal, believing the system had been hacked. But an airport spokeswoman said it was an honest mistake.

    I think the real news has nothing to do with how susceptible those systems are to hacking. It's this line:

    Castles said there were no reports of passengers evacuating the terminal and the problem was fixed within about 10 minutes.

    So now we know: building evacuation announcements on computer screens are ineffective.

    She said airport officials are looking into ways to ensure a similar problem does not occur again.

    That probably means that they're going to make sure an erroneous evacuation message doesn't appear on the computer screens again, not that everyone doesn't ignore the evacuation message when there is an actual emergency.

    Tuesday, May 7th, 2013
    jwz
    10:43p
    301 Moved Permanently


    This blog has moved to jwz.org.
    This post has been archived here.
    Please update your links.



    freedomtotinker 9:38p
    A Response to Jerry: Craig Should Still Dismiss

    https://freedom-to-tinker.com/blog/sjs/a-response-to-jerry-craig-should-still-dismiss/

    [Cross-posted on my blog, Managing Miracles]

    Jerry Brito, a sometimes contributor to this blog, has a new post on the Reason blog arguing that I and others have been too harsh on Craigslist for their recent lawsuit. As I wrote in my earlier post, Craigslist should give up the lawsuit not just because it’s unlikely to prevail, but also because it risks setting bad precedents and is downright distasteful. Jerry argues that what the startups that scrape Craigslist data are doing doesn’t “sit well,” and that there are several reasons to temper criticism of Craigslist.

    I remain unconvinced.

    To begin with, the notion that something doesn’t “sit well” is not necessarily a good indicator that one can or should prevail in legal action. To be sure, tort law (and common law more generally) develops in part out of our collective notion of what does or doesn’t seem right. Jerry concedes that the copyright claims are bogus, and that the CFAA claims are ill-advised, so we’re left with doctrines like misappropriation and trespass to chattels. I’ll get to those in a moment.

    First, there is a bit of confusion around the copyright claims, so it’s worth revisiting them. The court held that Craigslist unambiguously does not hold copyright in user-created postings, except for those three ill-fated weeks last summer when they instituted that horrible terms of service. At all other times, they do not own the posts. However, Jerry’s claim–which has been made by others–that no copyright exists in these posts whatsoever, seems weak. As the court noted, at this stage of the proceedings it portrays Craigslist’s claim of copyrightability in the “most favorable light” and concludes that the claim:

    sufficiently alleges that users’ posts on the Craigslist site have a level of creativity that is not “so trivial as to be virtually nonexistent,” and thus are sufficiently “original” to fall within the scope of copyright protection.

    It seems likely that the court will ultimately hold that these are not Feist-style facts, but instead creative works. I don’t necessarily think that this is a great policy outcome, but it is consistent with copyright jurisprudence generally (as ill-founded as that may be). It’s just that (other than during those three weeks) the copyright resided with the poster, not Craigslist.

    The court did not dismiss Craigslist’s claim of copyright over the compilation of posts. The way in which Craigslist organizes and presents posts may well be copyrightable. I didn’t see that the order specifically spoke to the complaint’s allegation that the 3taps “craiggers” site imitated the “visual fashion” of the Craigslist posts, but perhaps this survives. It is somewhere between a copyright and trademark claim (maybe “trade dress”?). This is all to say that the copyright claims are not entirely dead, although the strongest claims are indeed thrown out.

    On the CFAA claims, Jerry says that, “one can understand why it might have thrown the kitchen sink into its lawsuit.” Well yes, I can understand why one might do that, particularly if one were a litigator interested solely in winning the case. However, the lawyers are not adequately representing the interests of their client here–I think that the client includes Craig, and the Craig I’ve met would not have agreed. If that’s the case, the “kitchen sink” approach is wildly inappropriate. It has the potential to do collateral damage to internet-related jurisprudence, and goes against principles of tolerance and freedom.

    Jerry then argues that maybe this is the right case to test out some novel approaches to applying physical-world torts to online things that feel kinda like property. The tort of Misappropriation is about property. The tort of trespass to chattels is about property (“chattels” are, roughly speaking, “your stuff”). Jerry is suggesting that this case is a good opportunity to further propertize the digital world.

    First of all, this is not the right case. It’s a messy fact pattern, and the conflicting interests of the Craigslist ethos and intellectual property make it more ugly. Second, moving law in this direction is bad policy. Jerry has written extensively about the problems with propertization creep, so I don’t know why he would think that this makes sense.

    Jerry also turns to the economics of network effects to support his “it doesn’t feel right” hypothesis. As his argument goes, Craigslist built the network effects that it now enjoys, so competitors should have to do the same. I suppose that this satisfies a visceral sense of fairness, but it doesn’t say much about what is optimal for the market and for innovation. Jerry says that what Craigslist did was to disrupt the newspaper market for classifieds via, “true innovation: taking command of the network effect by offering a superior product.”

    I agree that Craigslist innovated. However, their innovation contributed to their network effect, which then (as network effects tend to do) fed itself. Once you have a network effect in a market, your incentives to innovate decrease because of lock-in. Others, however, are strongly motivated to try to break into that market. Padmapper and others innovated–in a way that is no less “true” than Craigslist’s original innovation. Craigslist saw the value of that innovation and even tried to imitate it by creating its own mapping tool (arguably innovation in and of itself).

    No doubt, some Paleo-Schumpeterian will argue that these incentives are necessary in order to motivate innovation. They will argue that without them, creative destruction will be halted and all of us will trade in our riding boots for birkenstocks. Of course, I’m not sure that Craig ever had the incentive to become the greatest horseman in San Francisco. He had a different incentive.

    It all sounds more like a shift from incentive to excess to me.

    bruce_schneier 5:57p
    Is the U.S. Government Recording and Saving All Domestic Telephone Calls?

    http://www.schneier.com/blog/archives/2013/05/is_the_us_gover.html

    I have no idea if "former counterterrorism agent for the FBI" Tom Clemente knows what he's talking about, but that's certainly what he implies here:

    More recently, two sources familiar with the investigation told CNN that Russell had spoken with Tamerlan after his picture appeared on national television April 18.

    What exactly the two said remains under investigation, the sources said.

    Investigators may be able to recover the conversation, said Tom Clemente, a former counterterrorism agent for the FBI.

    "We certainly have ways in national security investigations to find out exactly what was said in that conversation," he told CNN's Erin Burnett on Monday, adding that "all of that stuff is being captured as we speak whether we know it or like it or not."

    "It's not necessarily something that the FBI is going to want to present in court, but it may help lead the investigation and/or lead to questioning of her," he said.

    I'm very skeptical about Clemente's comments. He left the FBI shortly after 9/11, and he didn't have any special security clearances. My guess is that he is speaking more about what the NSA and FBI could potentially do, and not about what they are doing right now. And I don't believe that the NSA could save every domestic phone call, not at this time. Possibly after the Utah data center is finished, but not now. They could be saving all the metadata now, but I'm skeptical about that too.

    Other commentary.

    EDITED TO ADD (5/7): Interesting comments. I think it's worth going through the math. There are two possible ways to do this. The first is to collect, compress, transport, and store. The second is to collect, convert to text, transport, and store. So, what data rates, processing requirements, and storage sizes are we talking about?

    bruce_schneier 11:10a
    Intelligence Analysis and the Connect-the-Dots Metaphor

    http://www.schneier.com/blog/archives/2013/05/intelligence_an.html

    The FBI and the CIA are being criticized for not keeping better track of Tamerlan Tsarnaev in the months before the Boston Marathon bombings. How could they have ignored such a dangerous person? How do we reform the intelligence community to ensure this kind of failure doesn't happen again?

    It's an old song by now, one we heard after the 9/11 attacks in 2001 and after the Underwear Bomber's failed attack in 2009. The problem is that connecting the dots is a bad metaphor, and focusing on it makes us more likely to implement useless reforms.

    Connecting the dots in a coloring book is easy and fun. They're right there on the page, and they're all numbered. All you have to do is move your pencil from one dot to the next, and when you're done, you've drawn a sailboat. Or a tiger. It's so simple that 5-year-olds can do it.

    But in real life, the dots can only be numbered after the fact. With the benefit of hindsight, it's easy to draw lines from a Russian request for information to a foreign visit to some other piece of information that might have been collected.

    In hindsight, we know who the bad guys are. Before the fact, there are an enormous number of potential bad guys.

    How many? We don't know. But we know that the no-fly list had 21,000 people on it last year. The Terrorist Identities Datamart Environment, also known as the watch list, has 700,000 names on it.

    We have no idea how many potential "dots" the FBI, CIA, NSA and other agencies collect, but it's easily in the millions. It's easy to work backwards through the data and see all the obvious warning signs. But before a terrorist attack, when there are millions of dots -- some important but the vast majority unimportant -- uncovering plots is a lot harder.

    Rather than thinking of intelligence as a simple connect-the-dots picture, think of it as a million unnumbered pictures superimposed on top of each other. Or a random-dot stereogram. Is it a sailboat, a puppy, two guys with pressure-cooker bombs, or just an unintelligible mess of dots? You try to figure it out.

    It's not a matter of not enough data, either.

    Piling more data onto the mix makes it harder, not easier. The best way to think of it is a needle-in-a-haystack problem; the last thing you want to do is increase the amount of hay you have to search through. The television show Person of Interest is fiction, not fact.

    There's a name for this sort of logical fallacy: hindsight bias. First explained by psychologists Daniel Kahneman and Amos Tversky, it's surprisingly common. Since what actually happened is so obvious once it happens, we overestimate how obvious it was before it happened.

    We actually misremember what we once thought, believing that we knew all along that what happened would happen. It's a surprisingly strong tendency, one that has been observed in countless laboratory experiments and real-world examples of behavior. And it's what all the post-Boston-Marathon bombing dot-connectors are doing.

    Before we start blaming agencies for failing to stop the Boston bombers, and before we push "intelligence reforms" that will shred civil liberties without making us any safer, we need to stop seeing the past as a bunch of obvious dots that need connecting.

    Kahneman, a Nobel prize winner, wisely noted: "Actions that seemed prudent in foresight can look irresponsibly negligent in hindsight." Kahneman calls it "the illusion of understanding," explaining that the past is only so understandable because we have cast it as simple inevitable stories and leave out the rest.

    Nassim Taleb, an expert on risk engineering, calls this tendency the "narrative fallacy." We humans are natural storytellers, and the world of stories is much more tidy, predictable and coherent than the real world.

    Millions of people behave strangely enough to warrant the FBI's notice, and almost all of them are harmless. It is simply not possible to find every plot beforehand, especially when the perpetrators act alone and on impulse.

    We have to accept that there always will be a risk of terrorism, and that when the occasional plot succeeds, it's not necessarily because our law enforcement systems have failed.

    This essay previously appeared on CNN.

    EDITED TO ADD (5/7): The hindsight bias was actually first discovered by Baruch Fischhoff: "Hindsight is not equal to foresight: The effect of outcome knowledge on judgment under uncertainty," Journal of Experimental Psychology: Human Perception and Performance, 1(3), 1975, pp. 288-299.
