Tuesday, November 26, 2002

Why the end of feminism is bad news for men (link via Instapundit). Halley even links to Powerpuff Girls stuff which I love for its feminine/feminist combination attitude. Salon did an article on those "demonic offspring of Shirley Temple and Japanese anime" back this summer. They didn't put such a fine point on why this is dangerous for men as Halley does, but they had some good lines: "Is Lara Croft powerful because she can take you down, or because you'd like her to go down on you?"

Thursday, November 21, 2002

Why do we have such bad security? In tonight's keynote, Bruce Schneier started by assuming that large companies have bad security (products or systems) because it makes business sense. It doesn't make sense to spend money on security until it becomes more expensive not to. There are few consequences for bad security. He suggests increasing liability, which has interesting implications for open source. If open source projects were immune to liability, that would be a killer advantage for open source code in some areas.

On the other hand, if everybody who wrote, shipped or administered insecure systems were liable including open source, you would think large institutions would have an advantage. It's surprising Microsoft doesn't support broad liability for security holes (or maybe this is the next phase after Palladium). Microsoft could just buy insurance against this liability anyway. And this gets to Bruce's real solution: that with insurance and liability for security holes, there will be a free market for security. Companies could sell secure products and agree to accept some liability (currently every software package you buy disclaims liability for anything, even problems they know about). This is a very free market approach. Akin to the carbon market which puts an actual price on pollution of a certain kind, liability and insurance put a price on insecurity.

More security notes from the IETF. A couple responsible people watched all the traffic from people's laptops onto the Internet, and had a couple algorithms looking for password leaks. They found 2223 unique passwords. Some details:

  • 1546 sniffed passwords were from HTTP

  • 183 were from telnet

  • One of the telnet sessions then opened an ssh (secure shell) connection, then used a root password which also got revealed

  • 496 passwords were from email (mostly POP)

  • 75 were from AOL IM

I'm sure many more would be found if a human were looking for passwords - the algorithms probably haven't had much work put into them to really find a lot of passwords.

Security is complicated. Systems are complicated. If IETF people can't get it right, how do we expect others to?

Den Beste lambastes a researcher for publishing a weakness in the American agriculture system. Poonwalla disagrees (and Instapundit reports on the debate). The debate is very familiar to me from experience in the computer industry.

When a security hole exists in a system, and a random person discovers this exploit, they have a few choices.

  • Publish the finding, even though some might use it to exploit the system before the hole is fixed

  • Keep quiet or even suppress the finding, hoping nobody else will discover it

  • Use it to hack into or damage the system.

For most people, the third option is ruled out pretty quickly, but there's a lot of attractiveness to number 2 (particularly in the military). Most of the security people I talk to believe that number 2 gives only a weak feeling of security. The usual damning phrase is to call it (with a sneer) "security through obscurity". Many people insist on number 1, publishing the exploit widely and loudly to make sure it gets fixed fast or else.

Poonawalla mostly explains it well, except he misses a subtle point. Many of the most responsible security experts, the guys who routinely discover holes in protocols or cryptographic algorithms, feel that the most responsible path is to give the information about the hole first to the people who can fix it. It *may* be possible to fix the hole even before a potential hacker discovers it. However, in order to pressure companies to actually fix the holes, the security expert will also publish the information on the exploit to the Internet in a week or a month or two.

This stuff gets discussed frequently here at the IETF, obviously in the security area. I've seen representatives of large software companies plead with the independent security experts to help keep security holes secret at least for a short while. My opinion is that it takes somebody with a certain amount of resentment against these large companies, and a certain amount of willingness to make trouble and cause chaos, not to agree to keep secrets for a short while.

Coincidentally, Bruce Schneier just discussed this tonight at the IESG plenary at the IETF. (It's the last day of the 55th IETF conference here in Atlanta, and I've been extremely busy, but it's been good.)

Sunday, November 17, 2002

Here's a graph from the Fraser Institute on how bad queues have gotten since 1993.

"Canada has the best healthcare system on earth – so long as you don’t get sick!" That quote is from David Frum (link thanks to Rob again), who is so right-wing as to have been a speech writer for Bush. Not surprising this article is as much about belittling Gore as about health care. But I did follow his links to the Fraser Institute's study on queues in the Canadian Health Care system.

Queuing is one of only a few ways of rationing a scarce resource. Assuming the supply of angioplasties is not infinite, then a public health care system can ration angioplasties in only a few ways:

  • Queuing
  • Favoritism
  • Bribery
  • Market pricing
  • Central planning

It seems that Canada uses queuing and favoritism (as Frum alleges), and central planning of course was the original idea of a single-payer health care system. But bribery and market pricing are illegal. Of course if queuing becomes bad enough, it becomes impossible to prevent bribery, as shown in any centrally-planned country after enough years. That leaves market pricing as the only tool not used -- which seems vastly unfair.

But as Frum says, as long as I was healthy I was perfectly happy living in the Canadian system.

Thursday, November 14, 2002

Dave Barry published a mildly funny rant on Modern Art a month and a half ago (but I just got the link last night from my karate instructor). Basically, it's "the emperor has no clothes" -- this art that professional art appreciators pay so much money for, Barry claims, is shit, is nothing, is empty and sterile (or not). What is the public value of a work that can only be appreciated by somebody immersed in the social and historical context of the art world?

Appreciating minimalist art seems to me to be a very intellectualized endeavor -- if you know how one artist influenced another, you can compare a canvas painted all over in a single colour to a canvas painted in two colours and see the sheer extravagance of the second.

Terence Spies is the guy who started to introduce me to this extremely intellectualized appreciation of art, and sometimes I can grok it. In his not-recently-updated blog, you can see this tendency in a different realm -- a greater appreciation of certain food from an intellectual understanding of the processes and ingredients that go into it.

Monday, November 11, 2002

Emotionally I prefer national health care, but intellectually I have problems with it. Here's one problem: when the government runs out of money as prices go up, they pull the rug out from underneath. Grandmothers wondering if they can buy Christmas presents!

Thursday, November 07, 2002

It's not often I see or hear something that makes me wish I had television channels. But now I wish I could see the Daily Show, which this article is mostly about (link found via Volokh). I love the quote from Jon Stewart:

"CNN has bought the show, I really don't know why. I'm not sure they realize that we're actually making fun of them."

Monday, November 04, 2002

I'm now co-chair of a new IETF working group called XMPP: Extensible Messaging and Presence Protocol. To my surprise, there's already news coverage of this working group.

XMPP grew out of the Jabber work but many people are now trying to bring it to more formal status as an IETF standard.

Friday, November 01, 2002

This morning on the jitney in San Francisco, two obvious tourists got on. I offered directions & public transportation advice to the couple, who turned out to be from BC. I said I was also Canadian, but had been living in the US for seven years. The woman replied sympathetically "Oh, that must be hard."

I blinked. I hadn't put any negative emotional spin on my statement. What did she mean? Did this random Canadian believe that, living in the US, I must be a victim of vast amounts of crime? Subjected to poor and expensive health care? Suffering from racism? Or simply subjugated by the heavy yoke of capitalism?

I've never thought of living in the US as "hard". Amusing, yes, especially when elections come around. It's a little extra effort deciding to pronounce Z as 'zee' or 'zed', or choosing to write "colour" or "color". But the office jokes about Canadians are so mild they make me feel like one of the team rather than an outsider. The health care system is mysterious and takes some getting used to at times, but I managed to schedule my regular physical with my regular doctor less than one month away from when I called (that's much easier than scheduling an electrician). I have never been a victim of a crime in this country.

The benefits of living in the US are nothing to sneeze at either. I get lower taxes and higher wages (which together offset the higher living cost), and most of all I get to work at an exciting small high-tech company that has a chance of success because of the business laws here.

This isn't intended to try to convince Canadians (or Americans) that living in the US is superior to living in Canada. Canada is cool too, and I'd live there if it worked out that way with my job and my boyfriend. All I want to point out is that it's not so different. If that Canadian tourist has swallowed the demonization of the US and Americans that I've been hearing from north of the border recently, it's from a lack of critical thinking, not because it's true.


Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License.