Category Archives: Distributed Participation

Web Panopticons: China and U.S.

Fergie points out a university project investigating censorship:

The "Great Firewall of China," used by the government of the People’s Republic of China to block users from reaching content it finds objectionable, is actually a "panopticon" that encourages self-censorship through the perception that users are being watched, rather than a true firewall, according to researchers at UC Davis and the University of New Mexico.

The researchers are developing an automated tool, called ConceptDoppler, to act as a weather report on changes in Internet censorship in China. ConceptDoppler uses mathematical techniques to cluster words by meaning and identify keywords that are likely to be blacklisted.

University Researchers Analyze China’s Internet Censorship System, News Report, Government Technology News, Sep 11, 2007

So the Great Firewall of China watches what users are doing by actively intercepting their traffic. Meanwhile, back in the U.S. of A., how about a passive web panopticon?
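The "cluster words by meaning" step in the report above, shown as an added illustration that is not ConceptDoppler's code: given a seed word already observed to trigger filtering, rank other candidate words by how similar their co-occurrence contexts are, so that the most probable blacklist members get probed first. The corpus, the seed word and the candidate words are constructed placeholders, and cosine similarity over raw co-occurrence counts is a simple stand-in for whatever "mathematical techniques" the researchers actually use; the point is the ranking, not the particular measure.

```python
"""Rank candidate keywords by distributional similarity to seed words known to be filtered.

Added example, not ConceptDoppler's code. Corpus, seeds and candidates are constructed
placeholders; cosine similarity over raw co-occurrence counts stands in for the
researchers' "mathematical techniques" for clustering words by meaning.
"""
import math
from collections import defaultdict

# Constructed toy corpus: one bag of words per "document".
CORPUS = [
    "protest march downtown crowd police",
    "demonstration march crowd police banners",
    "rally crowd banners downtown",
    "weather forecast rain sunny",
    "recipe flour sugar butter",
    "rain forecast weather cloudy",
]


def cooccurrence_vectors(docs):
    """Map each word to {context_word: number of documents in which both occur}."""
    vectors = defaultdict(lambda: defaultdict(int))
    for doc in docs:
        words = set(doc.split())
        for w in words:
            for c in words:
                if c != w:
                    vectors[w][c] += 1
    return vectors


def cosine(a, b):
    """Cosine similarity of two sparse count vectors; 0.0 if either is empty."""
    dot = sum(v * b.get(k, 0) for k, v in a.items())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def rank_candidates(docs, seeds, candidates):
    """Score each candidate by its mean similarity to the seed words, highest first.

    A candidate absent from the corpus has an empty vector and therefore scores 0.0.
    """
    vectors = cooccurrence_vectors(docs)
    scored = []
    for cand in candidates:
        sims = [cosine(vectors[cand], vectors[s]) for s in seeds]
        scored.append((cand, sum(sims) / len(sims)))
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    # "protest" plays the role of a term already observed to trigger filtering.
    for word, score in rank_candidates(CORPUS, ["protest"],
                                       ["demonstration", "rally", "weather", "recipe"]):
        print("%-14s %.3f" % (word, score))
```

With this corpus "demonstration" scores 0.75 against the seed and "rally" about 0.58, while "weather" and "recipe" score 0; a probing tool would spend its requests on the top of that list first.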


What It Will Take to Win

IT and Internet security people and companies act mostly as an aftermarket. Meanwhile, the black hats are a well-integrated economy of coders, bot herders, and entrepreneurs. This is what it will take for the white hats to win:
It can seem overwhelming for security people, who are typically housed in a separate organization, to begin to engage with software developers and architects to implement secure coding practices in an enterprise. While the security team may know that there are security vulnerabilities in the systems, they have to be able to articulate the specific issues and communicate some ideas on resolutions. This can be a daunting task, especially if the security team does not have a prior working relationship with the development staff or understand their environment.

The task seems daunting also because there are so many developers compared to security people. I am here to tell you though that you don’t have to win over every last developer to make some major improvements. In my experience a small percentage of developers write the majority of code that actually goes live. The lead developers (who may be buried deep in the org charts) are the ones you need to engage; in many cases they really don’t want to write insecure code, they just lack the knowledge of how to build better. Once you have a relationship (i.e. that you are not just there to audit and report on them, but are there to help *build* more secure code) it is surprisingly easy to get security improvements into a system, especially if the design is well thought out and clearly articulated. You don’t have to get the proverbial stardotstar, each and every developer, on board to make positive improvements; it can be incremental. See some more specific ideas on phasing security into the SDLC here. In the meantime, with security budgets increasing 20% a year, use some of that money to take your top developers out to lunch.

Secure Coding – Getting Buy In, Gunnar Peterson, 1Raindrop, 17 Sep 2007

The start of what it will take.

-jsq

Online Crime Pays

Why Internet security professionals are losing:

Today, few malware developers use their own code. They write it for the same reason commercial software developers do: to sell it for a healthy profit. If you’ve ever bought anything online, buying from them may be disconcertingly familiar. If you want to break into a computer or steal credit card numbers, you can buy the necessary software online, just like almost anything else. More than that, you can find user friendly, point-and-click attack applications that have been pre-tested and reviewed by experts, and read through customer feedback before making your purchase.

You might even be able to buy technical support or get a money back guarantee. Some developers offer their malware through a software-as-a-service model. If you prefer an even more hands-off approach, you can simply buy pre-screened credit card numbers and identity information itself, or sign a services agreement with someone who will do the dirty work for you. As in many other industries, money has given rise to professionalism.

Online crime and malware development has become a full-blown and extremely profitable commercial enterprise that in many ways mirrors the legitimate software market. "We’re in a world where these guys might as well just incorporate," says David Parry, Trend Micro’s Global Director of Security Education. "There’s certainly more money in the cybercrime market than the antivirus market. The internet security industry is a drop in the bucket; we’re talking about hundreds of billions of dollars."

Computer crime is slicker than you think, By David Raikow, CRN, 16 August 2007 08:04AM

Makes you wonder how long until traditional security companies get bought out by newly-IPOed offshore malware corps.

-jsq

Brass Leaks

We already observed that military information security is a bit of an oxymoron and over in Peerflow that the U.S. military thinks its soldiers in Iraq are likely leaks.

Well, it turns out that:

For years, members of the military brass have been warning that soldiers’ blogs could pose a security threat by leaking sensitive wartime information. But a series of online audits, conducted by the Army, suggests that official Defense Department websites post far more potentially-harmful information than blogs do.

Army Audits: Official Sites, Not Blogs, Breach Security, By Noah Shachtman, Danger Room, August 17, 2007, 12:29:00 PM

Is there a psychologist in the house? Is the military blaming its own incompetent leaks on the troops (projection), or is it just plain old CYA?

I’m pretty sure hiding this report until the EFF filed a FOI lawsuit to get it is CYA.

I don’t think it’s good risk management for the troops, or the Iraqis, or even for the brass.

-jsq

Interactive Fact

William Gibson talking about a shoe that appears in his latest novel, Spook Country:
Wired: One of the details that leaped out at me was the Adidas GSG9, named for the German counterterrorism squad. I felt certain you’d invented the shoe, but then I Googled it.

Gibson: The Adidas GSG9s were the obvious choice for the thinking man’s ninja. Nothing I could make up could resonate in the same way. There’s code in name-checking the GSG9 history — esoteric meaning. Something that started with Pattern Recognition was that I discovered I could Google the world of the novel. I began to regard it as a sort of extended text — hypertext pages hovering just outside the printed page. There have been threads on my Web site — readers Googling and finding my footprints. I still get people asking me about “the possibilities of interactive fiction,” and they seem to have no clue how we’re already so there.

Q&A: William Gibson Discusses Spook Country and Interactive Fiction, Warren Ellis, Wired, 07.24.07 | 2:00 AM

So true.

And not just for fiction. As blogs and the Daily Show have made clear, it’s silly for any political candidate or appointee to think any longer that they can lie on video or on the witness stand about documented facts, because it’s getting easier all the time to just google them. As YouTube has already demonstrated, such interactive reality can tip elections.

I wonder if this has anything to do with why some big companies are working on suppressing the Internet and Google has put its money where its mouth is in promoting open access.

-jsq

Bill Gates Considered as Evil Primitive Bacterium

Has Freeman Dyson become an evolution denier?

Whatever Carl Woese writes, even in a speculative vein, needs to be taken seriously. In his "New Biology" article, he is postulating a golden age of pre-Darwinian life, when horizontal gene transfer was universal and separate species did not yet exist. Life was then a community of cells of various kinds, sharing their genetic information so that clever chemical tricks and catalytic processes invented by one creature could be inherited by all of them. Evolution was a communal affair, the whole community advancing in metabolic and reproductive efficiency as the genes of the most efficient cells were shared. Evolution could be rapid, as new chemical devices could be evolved simultaneously by cells of different kinds working in parallel and then reassembled in a single cell by horizontal gene transfer.

But then, one evil day, a cell resembling a primitive bacterium happened to find itself one jump ahead of its neighbors in efficiency. That cell, anticipating Bill Gates by three billion years, separated itself from the community and refused to share. Its offspring became the first species of bacteria—and the first species of any kind—reserving their intellectual property for their own private use. With their superior efficiency, the bacteria continued to prosper and to evolve separately, while the rest of the community continued its communal life. Some millions of years later, another cell separated itself from the community and became the ancestor of the archaea. Some time after that, a third cell separated itself and became the ancestor of the eukaryotes. And so it went on, until nothing was left of the community and all life was divided into species. The Darwinian interlude had begun.

Our Biotech Future, By Freeman Dyson, New York Review of Books, Volume 54, Number 12 · July 19, 2007

Has he sold out for an admittedly very fetching simile?


Connectivity: Engulf or Participate?

Can’t pass up an article with “Peril” in its title:
“I don’t think it’s a good thing, because it’s a threat to our culture,” said Tsereptse, who carries a bow and arrow with him at all times as a symbol of his position.

Some of the tribe’s younger members have been trying to convince Tsereptse that computers will have the exact opposite effect — that they can be tools to record and preserve Xavante folklore and traditions, and to disseminate them all over the world.

Awaiting Internet Access, Remote Brazilian Tribes Debate Its Promise, Peril, By Monte Reel, Washington Post Foreign Service, Friday, July 6, 2007; Page A08

These are members of the Xavante tribe in Mato Grosso state in Brazil. They don’t have electricity yet, but they’ve decided to get Internet access. Why?

WS-Anasazi

Gunnar usually says it better than I did:
Coordinated detection and response is the logical conclusion to defense in depth security architecture. I think the reason that we have standards for authentication, authorization, and encryption is because these are the things that people typically focus on at design time. Monitoring and auditing are seen as runtime operational activities, but if there were standards based ways to communicate security information and events, then there would be an opportunity for the tooling and processes to improve, which is ultimately what we need.

Building Coordinated Response In – Learning from the Anasazis, Gunnar Peterson, 1 Raindrop, 14 June 2007

Security shouldn’t be a bag of uncoordinated aftermarket tricks. It should be a process that starts with design and continues through operations.
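What a "standards based way to communicate security information and events" buys you, as an added example that is neither Gunnar's code nor any product's: two tools that do not share a format (a firewall emitting syslog-style lines and an application emitting JSON audit events) are normalized into one common event schema, and only then can a single piece of correlation logic notice that the same actor is being refused by both and raise a coordinated finding. The schema is a hypothetical one made up for this illustration, not an existing standard, and all the log lines are constructed sample input.

```python
"""Normalize two unrelated event formats into one schema and correlate them by actor.

Added example, not Gunnar Peterson's or any product's code. The common schema is a
hypothetical one made up for this illustration (not an existing standard), and the
firewall lines and application events are constructed sample input.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample input from two tools that do not share a format.
FIREWALL_LINES = [
    "2007-06-14T10:00:01Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2007-06-14T10:00:03Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=3306",
    "2007-06-14T10:00:09Z fw01 ALLOW src=198.51.100.2 dst=10.0.0.5 dport=443",
]
APP_EVENTS = [
    '{"ts": "2007-06-14T10:00:20Z", "app": "portal", "event": "login_failed", "user": "admin", "client": "203.0.113.7"}',
    '{"ts": "2007-06-14T10:00:25Z", "app": "portal", "event": "login_failed", "user": "admin", "client": "203.0.113.7"}',
    '{"ts": "2007-06-14T10:00:31Z", "app": "portal", "event": "login_ok", "user": "alice", "client": "198.51.100.2"}',
]

FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_firewall(line):
    """Firewall syslog line -> hypothetical common event schema."""
    m = FW_RE.match(line)
    if not m:
        raise ValueError("unparsable firewall line: %r" % line)
    d = m.groupdict()
    return {
        "time": parse_ts(d["ts"]),
        "source": "firewall:" + d["host"],
        "category": "network.connection",
        "actor": d["src"],                          # who did it
        "target": "%s:%s" % (d["dst"], d["dport"]),  # what they went for
        "outcome": "blocked" if d["action"] == "DENY" else "allowed",
    }


def normalize_app(line):
    """Application JSON audit event -> the same common schema."""
    d = json.loads(line)
    return {
        "time": parse_ts(d["ts"]),
        "source": "app:" + d["app"],
        "category": "auth.login",
        "actor": d["client"],
        "target": d["user"],
        "outcome": "failure" if d["event"] == "login_failed" else "success",
    }


NEGATIVE = {"blocked", "failure"}


def correlate(events, window_seconds=60, min_sources=2):
    """Flag actors with negative outcomes reported by >= min_sources distinct
    sources inside a sliding time window.

    Returns {actor: {"sources": [...], "count": n}} for the first window that qualifies.
    """
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["outcome"] in NEGATIVE:
            by_actor[e["actor"]].append(e)
    findings = {}
    for actor, evs in by_actor.items():
        for i, first in enumerate(evs):
            window = [e for e in evs[i:]
                      if (e["time"] - first["time"]).total_seconds() <= window_seconds]
            sources = {e["source"] for e in window}
            if len(sources) >= min_sources:
                findings[actor] = {"sources": sorted(sources), "count": len(window)}
                break
    return findings


def run_example():
    events = [normalize_firewall(l) for l in FIREWALL_LINES]
    events += [normalize_app(l) for l in APP_EVENTS]
    return correlate(events)


if __name__ == "__main__":
    for actor, info in run_example().items():
        print("%s: %d negative events from %s"
              % (actor, info["count"], ", ".join(info["sources"])))
```

The correlation rule never looks at the raw formats; it only sees actor, source and outcome, which is the whole point. Neither tool alone would have flagged 203.0.113.7: two denied ports is routine firewall noise and two failed logins is routine application noise. Only the normalized view shows the same address being refused by both within a minute.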

-jsq

Public Public Domain

Photo: James Duncan Davidson/O’Reilly Media

In March, Carl Malamud finished organizing the release on the Internet of videos of Congressional subcommittee hearings. Back in November 2006 Malamud was lobbying the Smithsonian Institution to rescind its exclusive contract with Showtime. Now he’s teamed up with others to multiplex such projects and get more done:

When you buy content, we get the material from the U.S. government and then upload the data to places like the Internet Archive, Google Video, and other fine content sources. Because this data is public domain, anybody can use the material without restriction!

How Do We Do It? public.resource.org, accessed 9 June 2007

Already he says:

Per Lessig’s agreement with CNN, we’ve uploaded both Presidential Debates to the Internet Archive:


Long Tail Field

Why long tail graphs are usually shown on a log scale:

Unfortunately, the illustration works only as a large graph, because graphed out on small paper it gives us only two discernible lines, one on each axis.

A practical model for analyzing long tails, by Kalevi Kilkki, First Monday, volume 12, number 5 (May 2007)

The sports field graph is a clever way of showing how the fat head of a long tail distribution can be vastly higher than the long tail; this is normally not so clear on log scale graphs.
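Kilkki's "two discernible lines, one on each axis" can be put in numbers. The added example below is not from the paper: it takes a Zipf distribution (frequency proportional to 1/rank, the usual long-tail shape) over 1000 ranks, rasterizes it onto a 100 by 100 grid of cells the way a small plot would, once with linear axes and once log-log, and counts how many of the 1000 points land on the bottom row or the leftmost column. The grid size and rank count are assumptions chosen for illustration.

```python
"""Why a Zipf-style long tail collapses to 'two lines on the axes' on a small linear plot.

Added example, not from Kilkki's paper. It rasterizes the same ranked frequencies onto
a width x height grid of cells, once with linear axes and once log-log, and counts how
many of the points land on the bottom row or the leftmost column.
"""
import math
from fractions import Fraction


def zipf_freqs(n_ranks, s=1):
    """Frequencies proportional to 1/r^s for ranks r = 1..n_ranks, as exact rationals."""
    return [Fraction(1, r ** s) for r in range(1, n_ranks + 1)]


def rasterize(freqs, width, height, loglog=False):
    """Map point i (rank i+1) to a (column, row) cell; row 0 is the bottom, column 0 the left."""
    n = len(freqs)
    points = []
    if loglog:
        logs = [math.log(float(f)) for f in freqs]
        lo, hi = min(logs), max(logs)
        for i, v in enumerate(logs):
            col = int(math.log(i + 1) / math.log(n) * (width - 1))
            row = int((v - lo) / (hi - lo) * (height - 1))
            points.append((col, row))
    else:
        fmax = max(freqs)
        for i, f in enumerate(freqs):
            col = (i * (width - 1)) // (n - 1)    # exact integer arithmetic
            row = int(f / fmax * (height - 1))    # exact: Fraction truncates cleanly
            points.append((col, row))
    return points


def axis_summary(points):
    """How many points sit on the two axis lines, and how many distinct cells are lit."""
    bottom = sum(1 for _, row in points if row == 0)
    left = sum(1 for col, _ in points if col == 0)
    on_axes = sum(1 for col, row in points if row == 0 or col == 0)
    return {"bottom_row": bottom, "left_column": left,
            "on_axes": on_axes, "cells": len(set(points))}


def compare(n_ranks=1000, width=100, height=100):
    """Summaries for the same distribution drawn linearly and log-log."""
    freqs = zipf_freqs(n_ranks)
    return {"linear": axis_summary(rasterize(freqs, width, height)),
            "loglog": axis_summary(rasterize(freqs, width, height, loglog=True))}


if __name__ == "__main__":
    for name, summary in compare().items():
        print(name, summary)
```

With linear axes 901 of the 1000 points share the bottom row and 11 share the leftmost column, so 912 points, over nine tenths of the data, are drawn on the two axis lines and the shape of the curve is invisible; with log-log axes only 69 points touch an axis and the rest spread along the diagonal. That is the trade Kilkki describes: the log plot is readable, but it also flattens away just how much taller the head is than the tail.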
