Monthly Archives: November 2006

Elastigirl’s Seven Powers

Kim Cameron has posted seven very sensible Laws of Identity. Numbers 2 and 3 add up to more or less Need to Know:

2. Limited Disclosure for Limited Use

    The solution which discloses the least identifying information and best limits its use is the most stable, long-term solution.

3. The Law of Fewest Parties

    Digital identity systems must limit disclosure of identifying information to parties having a necessary and justifiable place in a given identity relationship.

Kim Cameron’s Laws of Identity

But user identities have aspects that go beyond traditional spook security.


IT vs. Big Pharma

It’s IT vs. Big Pharma in the patent arena:

Canada-based KSR manufactures gas pedals for General Motors Corp. It made a pedal that can be adjusted for the height of the driver and uses electronic signals rather than a mechanical cable to accelerate when the pedal is pushed.

Both features were developed separately (the adjustable pedal over 25 years ago), but Teleflex, a manufacturer based in Limerick, Pa., sued KSR in 2002, claiming that KSR’s combination of the two features infringed on a patent it was issued in May 2001.

KSR argued that the patent should be invalidated because the combination of the two features is obvious.

Businesses Split on Patent Case, By Christopher S. Rugaber, The Associated Press, Friday, November 24, 2006; 8:29 PM

In the patent reform corner, Microsoft, Cisco, Intel and others. In the no-reform corner: Johnson & Johnson, GE, DuPont, etc.

This case is expected by many parties to produce some sort of landmark ruling, probably with some sort of change to existing patent law. We’ll see.

PS: Thanks, Johnny.

Outsourced Blog Spam

After outsourcing call centers, rote financial work, and programming, why not comment spam? This reporter’s blog comment filter was working, yet:

…so far it’s stopped 10,000 spams while allowing 377 human comments. So why had this got through? The electronic trail explained: the “captcha” (Completely Automated Public Turing test to tell Computers and Humans Apart) had been filled in.

The captcha is the junk filter’s last resort. Because it’s easy and cheap to program machines to post any sort of junk on blogs, a captcha (which puts numbers or letters in an image, which a machine in theory can’t read) shows whether you’ve got a real live person giving their thoughts, or just a dumb machine trying to up some spammer’s search-engine ranking.

If the captcha was filled in, it must have been done by a person; if it had been done by a machine, the spammers would have cracked the problem of solving captchas and would be busily spamming every blog they could find.

The price of humans who’ll spam blogs is falling to zero, Charles Arthur, The Guardian Thursday November 23, 2006

Who dunnit?

Evolving Risk

Gunnar has a good post about evolving risk. A small startup company has high business risk (easy to fail) and low security risk (not much to steal), while a big successful company has low business risk and high security risk. Pretending those different kinds of risk don’t change, or that they change in the same direction, leads to problems:

When the business reality is dynamic and the security model is static, then errors creep in.

Paul Madsen on Evolving Risk, Gunnar Peterson, 1 Raindrop, 20 Nov 2006


SOX Redux

What do U.S. Treasury Secretary Henry Paulson and Barney Frank, D-Mass., the incoming chair of the House Financial Services Committee, agree on?

U.S. Treasury Secretary Henry Paulson said the implementation of Sarbanes-Oxley corporate-governance regulations may pose a risk to the U.S. economy, advocating changes that fall short of introducing legislative adjustments.

"While necessary," the Sarbanes-Oxley accounting rules "are being implemented in a way that may be creating unnecessary costs and introducing new risks to our economy," Paulson, former head of Goldman Sachs Group Inc., said in a speech Monday to the Economic Club of New York.

Share sales have declined since the introduction of the law in 2002, and a "significant" amount of the time and cost taken complying with Sarbanes-Oxley might better have been spent creating jobs and rewarding shareholders, Paulson said.

Sarbanes-Oxley costs of compliance may threaten economy, official says BLOOMBERG NEWS, 11/21/2006

Paulson seems to be speaking largely in euphemisms.


Pro Status Quo Ante

About the new UK RFID passports:

Fatally, however, the ICAO suggested that the key needed to access the data on the chips should be comprised of, in the following order, the passport number, the holder’s date of birth and the passport expiry date, all of which are contained on the printed page of the passport on a “machine readable zone.”

Cracked it! Steve Boggan, The Guardian, Friday November 17, 2006

The UK Home Office says not to worry.

Telephone Monoculture Considered Harmful

Kevin Hogan of Symantec says:

“If Windows CE is taken up in a big way in a large market we may see some increased malware activity,” he warned.

“There is not a lot of functionality built in that will stop attacks on that platform, so there could be a problem if it takes off. As for other operating systems there has been very little new activity.”

Windows use could boost mobile malware: Increasing use of Windows CE could leave mobile users vulnerable, Iain Thomson, 15 Nov 2006



Thursday and Friday I spent at the APWG 2006 eCrime Researchers Summit at the National Center for Forensic Science, Orlando, Florida. It was a fascinating mix of law enforcement from a local sheriff to the National Institute of Justice, of researchers from academic grant-funded to big-company in-house, and of commercial from tiny startups to the biggest banks.

Security Clerks

Bruce Schneier reports on a report:

Most C-level executives view security as an operational issue — kind of like facilities management — and not as a strategic review. As such, they don’t have direct responsibility for security

Why Management Doesn’t Get IT Security, Bruce Schneier, 8 Nov 2006

Such attitudes about security have caused many organizations to distance their security teams from other parts of the business as well. “Security directors appear to be politically isolated within their companies,” Cavanagh says. Security pros often do not talk to business managers or other departments, he notes, so they don’t have many allies in getting their message across to upper management.

Kicking Some Brass, Tim Wilson, DarkReading, NOVEMBER 2, 2006

Why should executives get involved with directly managing a bunch of clerks over a bunch of stuff?