Friday, May 30, 2003

Juxtaposition rockets to top of Google results

Juxtaposition has rocketed to the top of the Google search results for the word 'juxtaposition'! Strange, given that Juxtaposition is nary a few months old.

Sadly, a link search (for returns no hits though.

Interpreting 'Access' and 'Authorization' in Computer Misuse Statutes

The paper is 81 pages long but based on the abstract, it appears like important work. I hope that this will be taken to heart by policy shapers.

Cybercrime's Scope: Interpreting 'Access' and 'Authorization' in Computer Misuse Statutes

This Article presents a comprehensive inquiry into the meaning of unauthorized access statutes. It begins by explaining why legislatures enacted unauthorized access statutes, and why early beliefs that such statutes solved the problem of computer misuse have proved remarkably na�. Next, the Article explains how the courts have construed these statutes in an overly broad way that threatens to criminalize a surprising range of innocuous conduct involving computers. In the final section, the Article offers a normative proposal for interpreting "access" and "authorization." This section argues that courts should reject a contract theory of authorization, and should narrow the scope of unauthorized access statutes to circumvention of code-based restrictions on computer privileges.

Thursday, May 29, 2003

Reflections on DRM

Article on the restrictions imposed by the DRM inherent in Apple's AAC file format.

From my perspective, $1 per song is way too expensive, especially when the product you get is inferior to a track of a physical CD. A short list of the problems:

  1. It is in a lossy format. For most people this is not an issue from a quality perspective, but converting to another format is very likely to be necessary in the future and would either not be possible or would be suboptimal without the original. That is supposed to be the beauty of digital music--you can keep migrating it to the latest technology without having to pay for the "license" to listen again.
  2. It does not include liner notes or artwork. I point this out because from a value perspective, you are not getting the same deal as it is made out to be (you cannot simply divide the total CD cost by the average number of tracks to come up with the value of a single digital music file).
  3. It is encumbered by DRM. It is said that the real meaning of DRM is Digital Restriction Management. DRM-encumbered songs are surely not valued in the resale marketplace because many (these AAC files seem to be no exception) won't even let you resell them because of the platform restrictions. You can resell your CD just fine however.

None of these disadvantages appear to be reflected in the cost of much online music that I see.

I would think that the true value of a single digital, lossless-encoded, non-DRM-encumbered track to be more like $0.50/track. You do not have to pay for distribution costs or manufacturing costs or artwork costs, etc. The value of these new digital distribution models should lead to savings for the consumer, not less value for more money.

And don't get me started on how absurd paying $1-2 for monotonic ringtones is. Why don't labels give those away for free as a promotional tool, ala radio? They just don't get it.

TidBITS: Apple Changes the Face of Digital Music

e-voting interview reveals serious risks to election integrity

This scares me as a security professional. This especially scares me as a resident of Washington State.

Some gems from this interview with representatives from Sequoia systems:

Miller: "On the touch screen -- we do have the hand recounts of close races too."

Harris: "On a machine with no voter-verified paper trail?"

Miller: "Well, there's no way to do a hand recount on a DRE."


Harris: "But the positive, which can be proved, is that every election system that's ever been used in the USA has, at one time or another, been tampered with. And what we do know is that $800 million has gone toward contributions to candidates. So certainly we can predict that someone will try to tamper with a programmer. And therefore, what I'm asking, is what safeguards do we have in place to make sure that, if someone tampers with a program or a CD update --"

Miller: "I think we've gone as far as we can go."

Black Box Voting: Ballot - Tampering in the 21st Century - Interview with Paul Miller & Kathryn Ferguson (Sequoia)

Another ill-conceived set of tax refunds

1. Companies fraudulently overstate earnings
2. Companies pay tax on those fake earnings
3. Companies get caught, restate earnings
4. Companies want refunds of taxes paid on those earnings
5. Unbelievably, they get the refunds!

Firms Want Refunds Of Tax on Fake Profit (

Sunday, May 25, 2003

BMW 7 series WindowsCE crash traps driver inside

A post to the IP and Risks lists is a harbinger of things to come as more and more complexity and computer-controlled systems get added to everyday devices without ensuring the same kind of quality and safety engineering. We can only hope that Ford and other car companies will not be successful in overturning laws requiring mechanical connections for safety-critical systems like steering, braking, etc.


Date: Tue, 13 May 2003 17:31:11 -0700
From: "Robert J. Berger"
Subject: MS Windows crash traps Thai politician in car (From Dave
Farber's IP)

Crashed Computer Traps Thai Politician, 14 May 2003

Thailand's Finance Minister Suchart Jaovisidha had to be rescued today
inside his expensive BMW limousine after the onboard computer crashed,
leaving the vehicle immobilized.

Once the computer failed, neither the door locks, power windows nor air
conditioning systems would function, leaving the Minister and his driver
trapped inside the rapidly heating vehicle.

Despite the pair's best efforts, it took a full ten minutes before they
able to summon the attention of a nearby guard who freed the two men by
smashing one of the vehicle's windows with a sledgehammer.

A report (
published in the *Bangkok Post* indicates that the vehicle was Mr
Jaovisidha's own BMW 520 which was being used while his state-supplied
Mercedes, was being repaired.

BMW's more up-market 7-series range uses a computer system called
which has Microsoft's WindowsCE at its core.

Did Mr Jaovisidha narrowly miss being killed by the blue windscreen of

Robert J. Berger - Internet Bandwidth Development, LLC.
Voice: 408-882-4755 eFax: +1-408-490-2868

IP Archives at:

[At least 33 readers have noted this one thus far. TNX! PGN]

Making Telemarketers Cry

A great Telemarketer Suing HOWTO by attorney Mark Eckenwiler from Washington D.C.

How To Make A Telemarketer Cry (or, Suing Bozos for Fun & Profit)

"In November 2002, a telemarketer called my home in D.C. at 5:24 a.m. This is the story of how that call cost him $500."

Friday, May 23, 2003

"If You Want To Win An Election, Just Control The Voting Machines"

A couple more sites working against all-electronic voting machines:

Also, an article discussing a situation that, if true, is truly egregious:

The senator who won the election in Nebraska allegedly "was the head of, and continues to own part interest in, the company that owns the company that installed, programmed, and largely ran the voting machines that were used by most of the citizens of Nebraska."

The bigger issue, in my opinion, is not whether the senator had rigged his election but the fact that we are entirely unable to verify whether this occurred or not. With a voter verifiable and recountable audit trail, we could.

Can Microsoft Be Secure?

I sure hope so. I have high expectations for Windows 2003. We'll see how things progress.

I want to know who the companies are that were surveyed... I assure you mine wasn't one of them.

Commentary: Can Microsoft be secure? | CNET

Customers worry about Microsoft's security: Seventy-seven percent of respondents to a Forrester survey cited security as their top concern about deploying Windows. Despite those concerns, 89 percent of users are still deploying sensitive applications like financial transaction systems and medical records databases on Windows.

Horrible precedent: Guantanamo detainees have no US legal recourse

[IP] Stuart Taylor's column today --"Falsely Accused 'Enemies' Deserve Due Process

Couldn't say it better myself. And regarding those lists of "known or suspected terrorists", Bruce Schneier said it best, "there is an incentive for law enforcement to put people on this list, but no incentive for them to take people off. So the harrassment continues."

"It ought to be unnecessary to say this, but even *correctly* accused
enemies of the state deserve due process -- not least because due
process is the best way of determining whether they were, in fact,
correctly accused."

Facial recognition systems "improve"

[IP] NIST rates facial recognition systems

"The three top-rated systems verified identities correctly 87 percent to 90 percent of the time with a false-alarm rate of 1 percent. When NIST specified a false-alarm rate of 0.1 percent, the success rate dropped to between 79 percent and 82 percent."

From the report itself:

"Typically, the watch list task is more difficult than the identification or verification tasks
alone. Figure 8 shows detection and identification rates for varying watch list sizes at a false alarm rate of 1%. For the best system using a watch list of 25 people, the detection and identification rate is 77%. Increasing the size watch list to 3,000 people, decreases the detection and identification rate to 56%."

This means that such systems would still result in fingering plenty of innocent people as terrorists.

A practical, statistical look at the civil rights implications of this problem, endemic to the NCIC database as well, can be found in the April 2003 Crypto-Gram

In related news, from an earlier Crypto-Gram:

"The SmartGate facial recognition trial at Sydney Airport has suffered
an embarrassing setback, when two Japanese visitors fooled the system
simply by swapping passports."

Handset security flaws on the horizon

Software quality, especially data input filtering, is critical for mobile devices; especially devices that do not typically have user-updateable software.

News: Mobile phone hacking expected to spread

United States-based security company @stake has released a security advisory detailing a Denial of Service (DoS) vulnerability in the Nokia 6210 GSM mobile phone, and although the flaw isn't serious it could be a sign of worse things to come.

DRM threat analysis shows futility in DRM mechanisms

This analysis shows how DRM solutions are ineffective because they [attempt to] address the wrong threat model.

"Many DRM advocates make the classic mistake of refusing to choose a threat model. When they complain about the problem, they seem to be using the Napsterization model -- they talk about one infringing copy propagating across the world. But when they propose solutions they seem to be solving the casual-copying problem, asking only that the technology keep the majority of customers from ripping content. So naturally the systems they are building don�t solve the problem they complain about."

Freedom To Tinker: DRM, and the First Rule of Security Analysis

Catching up...

I've been so busy with work and other things that I have amassed a large queue of articles and little nuggets over the past few months. You'll probably see some old news come through that I still wanted to share or comment on.



Insider attack nails shut Janteknology's coffin

Evidence of the damage that insider attacks can wreak. Ironically, this was a security software distributor.

It's unbelievable how often I hear things like:

"Well you have to trust your employees/administrator/etc!"
"But we're behind the firewall!"

I even noticed Microsoft's STRIDE threat model does not include the threat:

Misuse of granted privileges.

Whoops. People all too often don't look inside their own organizations at the threats all around you. Insider attackers are a difficult, and perhaps not entirely solveable problem. It is much easier for someone to attack your network when they are already on it than through your firewall over the Internet. Your firewall rejects access, but then your HR department allows it. They will even give a potential adversary a computer, cubicle, network access, badge, etc.!

You have to consider this angle in designs and in how you manage privileges and maintain audit trails.

"Security software distributor, Janteknology, has shutdown amidst dramatic circumstances, its battle to survive tough market conditions ended by industrial sabotage."

News: Security firm shuttered by sabotage

Museum of Unworkable Devices

" This museum is a celebration of fascinating devices that don't work. It houses diverse examples of the perverse genius of inventors who refused to let their thinking be intimidated by the laws of nature, remaining optimistic in the face of repeated failures."

A truly fascinating site.

The Museum of Unworkable Devices RPC error fix

You may have seen this error crop up in your movabletype blog:

Ping '' failed: HTTP error: 500 read timeout

I found plenty of sites through google where people were asking about this but nobody offered a solution that I saw. Well, I found a solution that was posted on the MT support forum just an hour or so ago: : Support Forum

below is a unified diff so that you can patch your site. The patch seems to work most of the time, although I have had at least one of the same errors crop up. That could have been due to something else though.

--- Tue Feb 11 16:15:03 2003
+++ lib/MT/ Fri May 23 16:29:04 2003
@@ -68,8 +68,12 @@
"HTTP error: [_1]", $res->status_line ));
my $content = $res->content;
- my($error, $msg) = $content =~
- m!flerror.*?(\d+).*message.*?(.+?)!s;
+# quick fix to RPC error in activity log. See blog entry for details.
+# my($error, $msg) = $content =~
+# m!flerror.*?(\d+).*message.*?(.+?)!s;
+ my($error) = $content =~ m!flerror.*?(d+)!s;
+ my($msg) = $content =~ m!message.*?(.+?)!s;
if ($error) {
return $class->error(MT->translate(
"Ping error: [_1]", $msg ));

Creationist debunking at your fingertips

An Index to Creationist Claims

An online Index to Creationist Claims that debunks many of them, with references.

ACM Testimony to Congress against DMCA's chilling effect

USACM co-chair Barbara Simons spoke out against sections of the DMCA during recent Congressional review of the DMCA's anti-circumvention provisions.

ACM MemberNet

You can also read the transcript of Simons' testimony

"During a time when our nation is devoting unprecedented resources to homeland security, we should be eliminating laws such as the DMCA that encourage insecurity,"

Voter Confidence and Increased Accessibility Act

Voter Verification Newsletter -- Vol 1, Number 3

"Federal Legislation Introduced!

Rep. Rush Holt of New Jersey has introduced a bill requiring a voter-verifiable paper trail.

The Voter Confidence and Increased Accessibility Act of 2003.

"We cannot afford nor can we permit another major assault on the integrity of the American electoral process," said Rep. Rush Holt. "Imagine it's Election Day 2004. You enter your local polling place and go to cast your vote on a brand new 'touch screen' voting machine. The screen says your vote has been counted. As you exit the voting booth, however, you begin to wonder. How do I know if the machine actually recorded my vote? The fact is, you don't."

Folks, this is what we've been waiting for! Please contact your U.S. Representative ASAP and ask them to support this bill and consider co-sponsoring it.

Let everyone know about this pending legislation."

Thursday, May 22, 2003

'E-mail-wrap' license

Like 'click-through' or 'clickwrap' licenses before, Lawrence Lessig publishes what may be described as an 'e-mail through' or 'e-mail wrap' license:

welcome spammers

Illogical rantings on "under God" issue

I couldn't pass this one up.

Miami News-Record - Gerald Stone Column

" At a time when we need God and religion in our lives more than ever, the U.S. Supreme Court is poised to strike down the words �under God� from the Pledge of Allegiance."

I'll add some clarification to this statement:

"we" = you and those who believe as you do
"our lives" = the lives of you and those who believe as you do.

It was a bit unclear. It sounded like you are representing non-Judeo-Christians.

And more God in your life requires "under God" in the national pledge of allegiance? Does not follow...

"This poor excuse for a human must have been off his medication for a long time."

I can hardly begin to respond to this fallaciousness. Now I really know that you never read the court decision text.

"the Supreme Court will probably hear the case sometime this year and you can expect �under God� to be taken out of the pledge.

The Bush administration, in its petition to the high court, argues that the Pledge is not like a prayer or invocation. They're the only ones making sense. But, the atheist-inclined liberals will probably get their way."

So, anyone who agrees with the court's decision, for whatever reason, is painted as "atheist-inclined" and a "liberal". That is such an enlightened viewpoint.

And why is it that many Republicans want the government to be involved in actively furthering a particular faith but in most other aspects of life (e.g. gun control) they want to be left alone?

Logic error in Texas DPS record destruction "rationale"

Talking Points Memo: by Joshua Micah Marshall

"The DPS [Department of Public Safety] appears to have violated Texas state law by destroying the records. To justify this, they point to a federal regulation which a legal expert says is plainly inapplicable. And the very regulation they're trying to hang their hat on seems to bar the original conduct itself."

This whole story is unbelievable. I'm still waiting for what assistance they requested and perhaps received from the department of Homeland Security... There is a possible criminal investigation ensuing.

Taxed logic...

Warren Buffet writes:

Dividend Voodoo (

Putting $1,000 in the pockets of 310,000 families with urgent needs is going to provide far more stimulus to the economy than putting the same $310 million in my pockets.

When you listen to tax-cut rhetoric, remember that giving one class of taxpayer a "break" requires -- now or down the line -- that an equivalent burden be imposed on other parties. In other words, if I get a break, someone else pays. Government can't deliver a free lunch to the country as a whole. It can, however, determine who pays for lunch. And last week the Senate handed the bill to the wrong party.

Supporters of making dividends tax-free like to paint critics as promoters of class warfare. The fact is, however, that their proposal promotes class welfare. For my class.

Questions of Mass Distruction

"Look, if there are no WMDs in Iraq, it means either our government lied us to us in order to get us into an unnecessary war, or the government itself was disastrously misinformed by an incompetent intelligence apparatus. In either case, it's a terribly serious situation." - Questions Of Mass Destruction

Monday, May 19, 2003

RHP livejournal web board

Check out a new place to discuss the Red House Painters and get news.

a red house painters & mark kozelek community's Journal


Here is a 176-page PDF paper on the fallacy of polygraph exams (a.k.a. "lie" detectors). I have not read up on this subject in some time but this looks to be a good read.

Lie Behind the Lie Detector

Stupid Security

Found out about this great site through this month's Crypto-Gram newsletter. It posts articles on -- you guessed it -- all the stupid security measures people come across.

Stupid Security: Exposing Fake Security Since 2003

Tuesday, May 6, 2003

e-voting systems assailed

A great article with some perfect quotes from leading advocates and experts for voter verifiable audit trails. Also, there are some documented cases of voting machine errors in the article.

New Voting Systems Assailed

New Voting Systems Assailed
Computer Experts Cite Fraud Potential

By Dan Keating
Washington Post Staff Writer
Friday, March 28, 2003; Page A12

As election officials rush to spend billions to update the country's
voting machines with electronic systems, computer scientists are
mounting a challenge to the new devices, saying they are less reliable
and less secure from fraud than the equipment they are replacing.


"These systems, because of the level of testing they go through, are
the most reliable systems available," said Michael Barnes, who oversaw
Georgia's statewide upgrade. "People were happy with how they


But the scientists' campaign, which began in California's Silicon
Valley in January, has gathered signatures from more than 300 experts,
and the pressure has induced the industry to begin changing course.


Critics of such systems say that they are vulnerable to tampering, to
human error and to computer malfunctions -- and that they lack the
most obvious protection, a separate, paper receipt that a voter can
confirm after voting and that can be recounted if problems are

Officials who have worked with touch-screen systems say these concerns
are unfounded and, in certain cases, somewhat paranoid.

David Dill, the Stanford University professor of computer science who
launched the petition drive, said, "What people have learned
repeatedly, the hard way, is that the prudent practice -- if you want
to escape with your data intact -- is what other people would perceive
as paranoia."

Other computer scientists, including Rebecca Mercuri of Bryn Mawr
College, say that problems are so likely that they are virtually
guaranteed to occur -- and already have.


"If the only way you know that it's working incorrectly is when
there's four votes instead of 1,200 votes, then how do you know that
if it's 1,100 votes instead of 1,200 votes? You'll never know," said

Because humans are imperfect and computers are complicated, said Ben
Bederson, a professor of computer science at the University of
Maryland, mistakes will always be made. With no backup to test, the
scientists say, mistakes will go undetected.

"I'm not concerned about elections that are a mess," Dill said. "I'm
concerned about elections that appear to go smoothly, and no one knows
that it was all messed up inside the machine."

"We're not paranoid," said Mercuri. "They're avoiding computational
realities. That's the computer science part of it. We can't avoid it
any more than physical scientists can avoid gravity."

Seattle-area volleyball site

Scott Marlow maintains a very cool site on Seattle-area Volleyball programs, gyms, groups.