Monday, November 29

A place for your ideas

While prowling Matt Blaze's crypto webpage I came across the Halfbakery, "a communal database of original, fictitious inventions". My favorite one so far is the Custard-Filled Speed Bump.

Apparently, you're welcome to add your own ideas, if you register. I just may do that — I've always wanted a place to publicize my improvements to the outdated Aluminum Foil Deflector Beanie.


Saturday, November 27

Bad Security = Bad UI?

While poking around on the website for CMU's Usable Privacy and Security Laboratory, I came across some interesting papers from July's DIMACS Workshop on Usable Privacy and Security Software. I enjoyed several of the papers, including:

  • Matt Blaze's Toward a Broader View of Security Protocols where he advocates attention towards what he calls "Human Scale Security". His agenda is twofold: 1) apply lessons from folk process design to computer systems, potentially aligning the security intuition of laypeople with future computer security systems; and 2) apply computer security protocol design and analysis to traditional manual processes and so discover flaws in them. A cute analysis of the restaurant-to-diner bill presentation protocol is included, where he suggests improving the protocol (reducing six round trips to five) by handing the credit card over to the waiter when asking for the bill. This "optimization" ignores the possibility that the diner's choice of payment mechanism may depend on the amount of the bill.
  • Simson Garfinkel's Best Practices for Usable Security In Desktop Software has a nice payoff slide: The Pure Software Act of 2006 which has truth-in-labeling icons for "self-installs", "monitors", "unremovable", and so on.
  • Chris Long's Chameleon: Towards Usable RBAC describes a role-oriented shell, which I think is only a half-measure, but absolutely nails the top-level problem statement: what permissions are reasonable to grant depends on the user's context. Long uses an example I've used myself for ten years — the disk format program, signed by Microsoft or not, is malware if it is sent to you in the guise of a (say) screensaver. I call this "obtaining informed consent" and I think it may be the final security frontier.
  • Angela Sasse's Usable Security: Beyond the Interface piles on the observations until you cry uncle: we know perfectly well people don't do what security people tell them to do. She has a few suggestions on what to do about this.

Workshops like these, emphasizing human factors and economics in security (rather than, say, cryptography) show the field is coming to grips with its manifold failures. Maybe there's hope!


Saturday, November 20

Catch them if you can; if not, file a 1099

Frank Abagnale, famously portrayed in Catch Me If You Can, has been a consultant and lecturer on fraud prevention ever since...well, you know. He's got a website where he sells products such as his $75 Document Verification & Currency Transaction Manual containing, among other things, "authentic full color specimens of all U.S. and Canadian driver's licenses and license plates".

Rob Rodin turned me on to a document Abagnale authored, sponsored by the Union Bank of California, imposingly titled Check Fraud, Identity Theft and Embezzlement. It's full of good, prosaic advice (interspersed with pitches for UCB services) on preventing the named frauds, such as to avoid using polymer film typewriter ribbon when writing manual checks — easily lifted by a forger with scotch tape.

Mostly prosaic advice, as I said. But there is one amusing suggestion:

If an embezzlement or check fraud loss does occur, whenever possible, file a 1099 on the perpetrators and let them deal with the IRS for the rest of their natural lives.

Sunday, November 14

I'd prefer not to.

I know I haven't been blogging. Sorry to disappoint you. I'll be back soon, I promise.

Wednesday, November 3

Top Ten Reasons to be Glad He Won

  1. No need for expensive wedding presents for gay friends.
  2. Impoverished elderly means cheaper domestic help.
  3. $4/gallon gas makes roads less crowded.
  4. Investment strategy a no-brainer: short the dollar.
  5. Heating bills should go down as globe warms.
  6. Ends sleepless nights worrying about IVF clinic zygotes.
  7. "Left Behind" will make a great mini-series.
  8. Islamic youth have something to be enthusiastic about.
  9. Fewer drug side-effects for millions of Americans.

...and the #1 reason to be glad he won:

  1. French more pissed-off at us than ever.

I figured out who to blame...

John McCain.

The people have spoken, goddamn them.

Charles Pierce quoting Mo Udall on Altercation.