Trust architecture

Inventing technologies that allow us to change behavior at scale in populations for the better - TED talk Nicholas Christakis

I've been working on an extension of the idea behind the PGP web of trust model for some time: we need to allow user control of anonymity while still allowing for reputation and differing levels of identity proofing. Our system of freedoms in speech and thought requires that identity not be centrally controlled and monitored by any single entity, not even a trusted government, but the social contract between human beings requires that people have reputation and face repercussions for unacceptable actions. In modern cities, as in modern online fora, severe negative behaviors occur because of relative anonymity and lack of repercussions. Some rating services and even some legal systems now encourage deletion of negative records, a "right to have sins forgotten". This is the opposite of the sort of social contract technology we need in order to change social behavior in a positive way. Immediate benefit could be seen for security researchers, exploit writers, systems crackers, white, grey, and black hats, users of online dating services, and those purporting to offer opportunities for artistic or professional careers. Benefits to society as a whole could be much greater, if it gains wide currency.

The other meaning of currency brings us around to bitcoin. Adi Shamir recently discussed which interactions absolutely require strong identity proofing for society to work, and which interactions require anonymity. The decision should not be driven by fear of bad actors. As Charlie Sorenson so aptly put it, "The only thing we can't make is something we can't think about," so we can build a system that drives bad actors out, whether they are criminals, attackers, or politicians... while not only allowing but encouraging freedom of thought, expression, and creativity. I'd like to go back to Steven Levy's definition of a hacker as a particularly gifted and creative programmer or maker, the pursuit of elegant hacks and the hacker ethic at MIT in the 50s; the goal is still no less than improving the world.

Travel advisories for Russia

Canada says: exercise a high degree of caution due to crime, explosions on the St Petersburg metro on 3 April 2017. Crime against foreigners is a serious problem. Some victims have died. Kidnapping for ransom is also common. Exercise extreme caution in crowds and places frequented by skinhead groups, including open markets. Violent crime is common. Pickpocketing, assaults and robberies occur frequently and are often committed by groups of children and teenagers. Criminals may also pose as police officers, particularly in St. Petersburg.

US State Dept says: High-profile armed robberies are an almost daily occurrence. Criminal gangs collude with the local police and operate with near impunity. Foreigners have become victims of harassment, mistreatment, and extortion by law enforcement. Anyone entering Russia who has a claim to Russian citizenship, regardless of any other citizenship held, is fully accountable to the Russian authorities for all obligations of a citizen, including the required military service.

Anyone have personal, recent experiences traveling there from US?

RSA Conference 2015

The RSA Security Conference has accepted my talk on Rapid Threat Modeling Techniques, April 20 - 24, 2015, in San Francisco! This will be my first time speaking at RSA, but I always enjoyed it back in the days when I used to go as an attendee.

Surveillance and Espionage in a Free Society

We are concerned with the survival of individual freedom in the United States. We are concerned with the freedom of the United States to survive. The problem we address is the maintenance of the two simultaneously and harmoniously, for a critical paradox can exist whereby the effort to maintain the one may jeopardize the other. Today’s threat, which may be tomorrow’s everlasting sorrow, is that there are within our nation, as outside it, those who are acting simultaneously to diminish both our individual freedom and our national security.
It is the purpose of this Report to offer proposals for the conduct of domestic security practices and the intelligence community. Our goal is explicit: to preserve and enhance the freedom of Americans and America by establishing policies and procedures that protect the citizen from the loss of his privacy, privileges, and constitutional rights through improper security practices at the hands of his own government.

These quotes are from Surveillance and Espionage in a Free Society, a Report by the Planning Group on Intelligence and Security to the Policy Council of the Democratic National Committee, 1972, by Richard H. Blum, with a foreword by Adlai Stevenson. This was an admittedly partisan issue, because the FBI under the Nixon administration was actively targeting his opponents. The Pentagon Papers, proving that LBJ and Nixon had lied about Vietnam, had come out the previous year, and then Nixon had his men break into the DNC Watergate offices.

We must be specific, however, in our attention because with burgeoning technology, bureaucracies, and budgets, it is now the case that methods devised for our protection - or claimed to be - threaten this land and us, the American people.

A group calling themselves The Citizens' Commission to Investigate the FBI (never caught) had just broken into an FBI office and discovered that era's version of the Snowden papers: proof that the FBI spent 40% of its effort on political surveillance of the DNC, attacks on Black Panthers, antiwar groups, and the like, 30% on bureaucratic and procedural work, 14% chasing draft dodgers, 1% on organized crime, and 15% on the real crime that the average citizen would have thought the FBI was working on.

Domestic security includes much of the work of the FBI... it includes the central computer files that hold information on millions of citizens. It affects the classification of governmental documents, including those which hold no information of use to a foreign power but can be useful to, but are denied to, U.S. citizens themselves... "no more than one half of one percent of the classified documents in the Department of Defense contain information requiring security protection."
Because the security cloak is cast so wide and embraces that vital stuff on which democracies depend for life - information by which citizens may make judgments about the world they live in and their government's work in that world - it is inevitable that the cost of any security system is a less well-informed press and public. The cost of the expanding apparatus which is now under development is a stifled press and citizens and political leaders unable to make reasoned decisions.

Marcus Ranum's take on Mein Kloudf

I asked you if it was SECURE! You told me we could save a lot of money but I asked if it was SECURE! You said, 'even Mussolini is going to the cloud with his MP3 collection'. Risk Assessment... your 'Risk Assessment' is toilet paper! Your 'compensating controls' couldn't even stop Stalin's script kiddies! You said there was a '.4 risk'!! What does that even mean?!

Cloud Computing killed the Reich. I wish we had kept the mainframe. Goering and I used to code in COBOL... we were good programmers, once. I could be coding this 'Web2.0' stuff in a weekend. I have to go update my Facebook page....
beware - trespassers will be sacrificed

Adventures in Contentment

Theology possesses a vain-gloriousness which places its faith in human theories; but science, at its best, is humble before nature herself. It has no thesis to defend: it is content to kneel upon the earth, in the way of my friend, the old professor, and ask the simplest questions, hoping for some true reply.

...[the professor quotes Job 11:7-8] "Canst thou by searching find God? Canst thou find out the Almighty unto perfection? It is as high as heaven: what canst thou do? deeper than hell, what canst thou know?"

I have been a botanist for fifty-four years. When I was a boy I believed implicitly in God. I prayed to him, having a vision of him—a person—before my eyes. As I grew older I concluded that there was no God. I dismissed him from the universe. I believed only in what I could see, or hear, or feel. I talked about Nature and Reality.
And now — it seems to me — there is nothing but God.

My son the chicken

Looking at the Detroit Science Center website to decide whether the dinosaur exhibit will be any good, I read: "Ask your young child what they want to be when they grow up. Although this may seem a silly question to ask a 3 year old, reinforcing the expression of individual interests helps your child develop a healthy sense of self."

So, what do you want to be when you grow up?

- A chicken.

Questions you can ask:
Do you know anyone right now who does this job?

- (silence)

What are some things you think a person who does this job has to do?

- Lay eggs!

What would you wear if you were going to do this job?

- (more silence)

Okay, this is just too good, I have to share this with the world... (type type type)

- What are you doing, daddy?

I'm telling everyone you want to be a chicken.

- Oh no no no I want to be a rooster!

Sears Grills for Cannibals

Last August Sears was using URL data to define categories on their website (explanation for web programmers and security geeks here), and some customers, who were probably trying to figure out ways to game the cart/checkout system and get cheap prices (a very common attack), figured out that they could get it to show a page with a funny category title. Whether the customers knew it or not, the Sears website cache was badly implemented: to speed up website response time it would serve that same page to other customers. Worse yet, if a large number of amused Internet geeks went to an example URL link to see a funny title, I'm guessing it would appear as a "top pick" for all customers to see.

The result: Baby-roasting BBQ pulled from Sears site

I wouldn't call the people who messed with the Sears website hackers, crackers, or even script kiddies; any curious user who edited the "address" line on their web browser could do it, whether accidentally or in the course of trying to do something malicious.
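As an added example (not Sears' code, and not from the linked explanation), here is a toy Python model of the two defects described above, a category title taken from the URL and a shared cache keyed by path alone, next to a hardened version that looks the title up server-side by category id; the catalog and URLs are constructed.

```python
# Added example (not Sears' code): a toy model of the category bug described
# above. The page title is taken straight from the URL query string and a
# shared server-side cache stores the rendered page keyed by path only, so
# the first visitor's title is served to every later visitor.
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed sample catalog, keyed by category id (not real Sears data).
CATALOG = {"bbq": "Gas Grills", "tv": "Televisions"}

def render(title: str) -> str:
    # Escape the title so it cannot carry markup into the page.
    return f"<h1>{escape(title)}</h1>"

class VulnerableSite:
    """Title comes from the URL; the cache key ignores the query string."""
    def __init__(self):
        self.cache = {}

    def get(self, url: str) -> str:
        parts = urlsplit(url)
        if parts.path in self.cache:       # shared cache hit: whoever
            return self.cache[parts.path]  # was cached first wins
        title = parse_qs(parts.query).get("title", ["Untitled"])[0]
        page = render(title)               # user-controlled title...
        self.cache[parts.path] = page      # ...stored for everyone
        return page

class HardenedSite:
    """Title is looked up server-side by category id; unknown ids are
    rejected and never cached, and the cache key covers every input."""
    def __init__(self):
        self.cache = {}

    def get(self, url: str) -> str:
        parts = urlsplit(url)
        cat = parse_qs(parts.query).get("cat", [""])[0]
        if cat not in CATALOG:
            return "<h1>404 Not Found</h1>"   # not cached
        key = (parts.path, cat)
        if key not in self.cache:
            self.cache[key] = render(CATALOG[cat])
        return self.cache[key]

if __name__ == "__main__":   # constructed walk-through: a joker, then a shopper
    v = VulnerableSite()
    print(v.get("/grills?title=Grills+for+Cannibals"))
    print(v.get("/grills?title=Gas+Grills"))   # shopper sees the joke
    h = HardenedSite()
    print(h.get("/grills?cat=bbq&title=Grills+for+Cannibals"))  # "Gas Grills"
```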

Manage sexy projects

- Seek out projects with any of the following words in their description:

o Multimedia, Worldwide, Advance, Strategic, Revenue, Market, Technology, Rapid, Competitive.

- Avoid projects with any of the following words in their description:

o Accounting, Operations, Reduction, Budget, Quality, Analysis.

The worth of any project is based on how it will sound on your resume. Don't get caught up in the propaganda about how important something is for the stockholders. The stockholders are people you'll never meet. And since most projects fail or turn into something you never intended, the only lasting impact of your work is the impact on your resume. Keep your priorities straight.

- Scott Adams