Tuesday, November 26, 2002
Thursday, November 21, 2002
On the other hand, if everybody who wrote, shipped or administered insecure systems were liable including open source, you would think large institutions would have an advantage. It's surprising Microsoft doesn't support broad liability for security holes (or maybe this is the next phase after Palladium). Microsoft could just buy insurance against this liability anyway. And this gets to Bruce's real solution: that with insurance and liability for security holes, there will be a free market for security. Companies could sell secure products and agree to accept some liability (currently every software package you buy disclaims liability for anything, even problems they know about). This is a very free market approach. Akin to the carbon market which puts an actual price on pollution of a certain kind, liability and insurance put a price on insecurity.
- 1546 sniffed passwords were from HTTP
- 183 were from telnet
- One of the telnet sessions then opened a ssh (secure shell) connection, then used a root password which also got revealed
- 496 passwords were from email (mostly POP)
- 75 were from AOL IM
I'm sure many more would be found if a human were looking for passwords - the algorithms probably haven't had much work put into them to really find a lot of passwords.
Security is complicated. Systems are complicated. If IETF people can't get it right, how do we expect others to?
When a security hole exists in a system, and a random person discovers this exploit, they have a few choices.
For most people, the third option is ruled out pretty quickly, but there's a lot of attractiveness to number 2 (particularly in the military). Most of the security people I talk to believe that number 2 gives only a weak feeling of security. The usual damning phrase is to call it (with a sneer) "security through obscurity". Many people insist on number 1, publishing the exploit widely and loudly to make sure it gets fixed fast or else.
Poonawalla mostly explains it well, except he misses a subtle point. Many of the most responsible security experts, the guys who routinely discover holes in protocols or cryptographic algorithms, feel that the most responsible path is to give the information about the hole first to the people who can fix it. It *may* be possible to fix the hole even before a potential hacker discovers it. However, in order to pressure companies to actually fix the holes, the security expert will also publish the information on the exploit to the Internet in a week or a month or two.
This stuff gets discussed frequently here at the IETF, obviously in the security area. I've seen representatives of large software companies plead with the independent security experts to help keep security holes secret at least for a short while. My opinion is that it takes somebody with a certain amount of resentment against these large companies, and a certain amount of willingness to make trouble and cause chaos, not to agree to keep secrets for a short while.
Coincidentally, Bruce Schneier just discussed this tonight at the IESG plenary at the IETF. (It's the last day of the 55th IETF conference here in Atlanta, and I've been extremely busy, but it's been good.)
Sunday, November 17, 2002
Queuing is one of only a few ways of rationing a scarce resource. Assuming the supply of angioplastys is not infinite, then a public health care system can ration angioplastys in only a few ways:
- Market pricing
- Central planning
It seems that Canada uses queuing and favoritism (as Frum alleges), and central planning of course was the original idea of a single-payer health care system. But bribery and market pricing are illegal. Of course if queuing becomes bad enough, it becomes impossible to prevent bribery, as shown in any centrally-planned country after enough years. That leaves market pricing as the only tool not used -- which seems vastly unfair.
But as Frum says, as long as I was healthy I was perfectly happy living in the Canadian system.
Thursday, November 14, 2002
Appreciating minimalist art seems to me to be a very intellectualized endeavor -- if you know how one artist influenced another, you can compare a canvas painted all over in a single colour to a canvas painted in two colours and see the sheer extravagance of the second.
Terence Spies is the guy who started to introduce me to this extremely intellectualized appreciation of art, and sometimes I can grok it. In his not-recently-updated blog, you can see this tendency in a different realm -- a greater appreciation of certain food from an intellectual understanding of the processes and ingredients that go into it.
Monday, November 11, 2002
Thursday, November 07, 2002
"CNN has bought the show, I really don't know why. I'm not sure they realize that we're actually making fun of them.".
Monday, November 04, 2002
XMPP grew out of the Jabber work but many people are now trying to bring it to more formal status as an IETF standard.
Friday, November 01, 2002
This morning on the jitney in San Francisco, two obvious tourists got on. I offered directions & public transportation advice to the couple, who turned out to be from BC. I said I was also Canadian, but had been living in the US for seven years. The woman replied sympathetically "Oh, that must be hard."
I blinked. I hadn't put any negative emotional spin on my statement. What did she mean? Did this random Canadian believe that, living in the US, I must be a victom of vast amounts of crime? Subjected to poor and expensive health care? Suffering from racism? Or simply subjugated by the heavy yoke of capitalism?
I've never thought of living in the US as "hard". Amusing, yes, especially when elections come around. It's a little extra effort deciding to pronounce Z as 'zee' or 'zed', or choosing to write "colour" or "color". But the office jokes about Canadians are so mild they make me feel like one of the team rather than an outsider. The health care system is mysterious used to at times, but I managed to schedule my regular physical with my regular doctor less than one month away from when I called (that's much easier than scheduling an electrician). I have never been a victim of a crime in this country.
The benefits of living in the US are nothing to sneeze at either. I get lower taxes and higher wages (which together offset the higher living cost), and most of all I get to work at an exciting small high-tech company that has a chance of success because of the business laws here.
This isn't intended to try to convince Canadians (or Americans) that living in the US is superior to living in Canada. Canada is cool too, and I'd live there if it worked out that way with my job and my boyfriend. All I want to point out is that it's not so different. If that Canadian tourist has swallowed the demonization of the US and Americans that I've been hearing from north of the border recently, it's from a lack of critical thinking, not because its true.
- ► 2011 (15)
- ► 2008 (53)
- ► 2007 (15)
- ► 2006 (34)
- ► 2005 (38)
- ► 2004 (65)
- ► 2003 (163)
- Why the end of feminism is bad news for men (link ...
- Why do we have such bad security? In tonight's ke...
- More security notes from the IETF. A couple respon...
- Den Beste lambastes a researcher for publishing a ...
- Here's a graph from the Fraser Institute on how ba...
- "Canada has the best healthcare system on earth – ...
- Dave Barry published a mildly funny rant on Modern...
- Emotionally I prefer national health care, but int...
- It's not often I see or hear something that makes ...
- I'm now co-chair of a new IETF working group calle...
- This morning on the jitney in San Francisco, two o...
- ▼ November (11)