Blog Archives

RSA, part 2: static analysis

A continuation of RSA: “It feels like something’s missing”

RSA’s a tough show for static analysis companies, but several were there. Ounce had the largest booth and an excellent message (“listen to your code”); Veracode, Armorize, and Fortify had smaller presence. However, I didn’t actually spend much time at the booths or looking at the details of any specific technology, instead talking with various folks I ran into about the strategic possibilities.

Continue Reading »

Professional

Comments (2)

Permalink

RSA: “It feels like something’s missing”

The last time I was at the RSA conference/expo in 2004, Bill Gates talked about PREfix and PREfast in his keynote — he even went off and started talking about Microsoft’s acquisition of PREfix! Hard to top that … but it’s a great place for shoozing and to get a feel for the market, so I spent a couple of days hanging out there last week. Unsurprisingly, I was largely thinking about strategies related to static analysis products and technologies, and I’ll cover those in my next post. First, though, I wanted to share my more general impressions.

Continue Reading »

Professional
social sciences

Comments (2)

Permalink

Asbestos underwear, fair information principles, and security

Tales from the Net co-author Deborah Pierce’s Into the Lion’s Den — a privacy advocate’s work is never done (on her tribe.net blog) talks about a panel she was just on at ere expo, “the nation’s leading recruiting conference.” She was there for a debate with the CEO of a company whose mission is “to map every business organization on the planet, contact by contact”:

The CEO started by asking how many in the audience had heard of Jigsaw or had used Jigsaw. About half of the people raised their hands. When my turn came, I asked how many people had heard of Fair Information Principles*. There were about a hundred people in the room and about three people raised their hands. With this crowd I wasn’t surprised.

Continue Reading »

privacy
Professional
Tales from the Net

Comments (3)

Permalink

Strategy, security, and static analysis: what’s next for me

Fourteen years ago today was my last day at Digital Equipment Corporation before leaving to work on the technology today became PREfix and the company I started with a few friends that became Intrinsa, so it seems especially appropriate to post about this today …

coverity logoI’m delighted to announce that I’m starting a part-time strategy consulting gig working with San Francisco-based software engineering startup Coverity. My initial focus will be exploring possibilities in the security space, and I’ll be using techniques like community-driven strategy and design, asset-based thinking, and social network analysis. So it’s a very natural followup to each of my last three professional incarnations: static analysis architect, computer security researcher, and grassroots strategist.

Continue Reading »

Personal
Professional

Comments (2)

Permalink

pwn2own: the stakes just got higher

pwn2own picture from CanSecWests site

Update, March 27: Macbook Air pwned and owned — in two minutes!

Update, March 28: Vista laptop pwned via an Adobe Flash vulnerability.

Update, April 16: Apple issues Safari patch.

Props to the winners — and to Ubuntu Linux, which emerged unpwned!

Continue Reading »

Professional
social sciences

Comments (12)

Permalink

Indeed! The Economist on “computer science as a social science”

bugs quaking in fear -- from the Economist's articleThe Economist’s Technology Quarterly has an excellent article on Software bugtraps: software that makes software better. This is something of a followup to an article they did a few years ago; most people quoted think that the situation is improving, although of course as Capers Jones points out it depends on your metrics. And why the improvement?

According to … the chairman of the Standish Group, most of this improvement is the result of better project management, including the use of new tools and techniques that help programmers work together. Indeed, there are those who argue that computer science is really a social science. Jonathan Pincus, an expert on software reliability who recently left Microsoft Research* to become an independent consultant, has observed that “the key issues [in programming] relate to people and the way they communicate and organise themselves.”

Indeed, I have argued that — in keynote talks Analysis is necessary but not sufficient at ISSTA 2000 and Steering the pyramids at ICSM 2002, and then more explicitly in the “BillG thinkweek paper” Computer science is really a social science (draft) from early 2005 and my 2006 Data Devolution keynote with Sarah Blankinship applying this lens to computer security.

Continue Reading »

Professional
social computing
social sciences

Comments (17)

Permalink

Cult of the Dead Cow releases ‘Goolag’ beta

Hactivists Cult of the Dead Cow (cDc) have released a Windows-only beta of Goolag, a rich client for the Google Hacking techniques pioneered by hacker J0hnny I Hack Stuff.

Basically, Goolag makes it easy to use Google to search out security vulnerabilities related to your web site — or, presumably, others.  From cDc’s blog:

SECURITY ADVISORY: The following program may screw a large Internet search engine and make the Web a safer place.

Continue Reading »

Professional

Comments (5)

Permalink

“Double Bubble Trouble”: Massive voter disenfranchisement in California — and Washington?

The LA Registrar of Voters says it may not be possible to determine voter intent! Please sign Courage Campaign’s “Count every vote” petition asking for a full recount! 25,000 signatures so far; latest update and some discussion about “intent” on Courage Campaign’s page here. PeteTV has a video and transcript at So this is what it feels like to be disenfranchised. Please help spread the word!Elsewhere: Brad Friedman has a detailed update on the Washington State Republican caucuses; they’ve once again been called for McCain with 96% reporting — the state party chair says they may not be able to count all 100%. TPM reports that the Huckabee campaign is threatening legal action. There were major problems in Louisiana; the New Mexico Democratic recount is proceeding with 2,800 provisional ballots qualified so far; John Gideon’s Daily Voting News has links.More details and updates in What democracy looks like in the US, February, 2008.

Update on March 4: democracy largely (albeit imperfectly) prevailed in the LA County mess; 47,153 “double bubble” votes were counted in Los Angeles County.

Update at 6:30 p.m., February 8: Possible issues with Santa Clara mail-in voters as well? And it seems like there’s a double-standard where some voters get second chances, and others might not. More in a comment …

Continue Reading »

political

Comments (21)

Permalink

How’d it get through QA — and why didn’t they fix it?

Over on Tales from the Net, I’ve been discussing Kevin Poulsen’s articles about a MySpace security bug that allowed access to photos in profiles that had been marked as “private”. It had been well known for months, but MySpace didn’t fix it until the day after Kevin’s first article. In the interim, somebody wrote an automated script to download photos, and released 500,000 of them on the BitTorrent p2p network.

Since it’s social network-related, I posted about over there, but it’s on topic here as well, so I figured I’d mention it …

Professional
social sciences

Comments (0)

Permalink

Privacy and civil liberties: showdown time on the “Protect” America Act

Update on February 12: Final votes were today. Barack Obama voted against telecom immunity — as did Harry Reid and 29 other Democrats. John McCain along with every single Republican Senator, Joe Lieberman, and 19 Democrats voted for. More here.

Update on Super Tuesday: Ari Melber’s Nation article gives the current snapshot; read the thread for more.

Russ Feingold’s video on YouTube sums it up perfectly:

Continue Reading »

political
Professional
social sciences

Comments (14)

Permalink

Is *that* why they make you wait till you’re at 10,000 feet to turn computers on?

Boeing just announced another delay for the 787, its second or third so far depending on who you believe, so I wanted to go back to a story Kim Zetter reported a few weeks ago on the Wired Threat Level blog:

Boeing’s new 787 Dreamliner passenger jet may have a serious security vulnerability in its onboard computer networks that could allow passengers to access the plane’s control systems, according to the U.S. Federal Aviation Administration.

The computer network in the Dreamliner’s passenger compartment, designed to give passengers in-flight internet access, is connected to the plane’s control, navigation and communication systems, an FAA report reveals.

Wow. This is a really basic mistake — and a great example of the kinds of risks we discuss in the National Academies/CSTB report Software for Dependable Systems: Sufficient Evidence? Of course one of the excellent things about the avionics certification process is that the FAA does an analysis of the “special conditions” for new designs and publishes its findings (in the Federal Register, no less; a good example of the transparency we call for). According to Kim’s article, they’ll deny certification to the 787 until this is fixed – and well they should.

Continue Reading »

Professional

Comments (7)

Permalink

Five-year olds as national security threats

Boing Boing has stories on not one but two five-year-olds whose names are on the no-fly list and so get treated by the TSA as a security threat.  Cory Doctorow comments

You know, if you wanted to systematically discredit the idea of a Department of Homeland Security, if you wanted to make an utter mockery of aviation safety, you could not do a better job than this.

although I think that’s not giving the TSA enough credit: DHS continuing to employ the company that wrote the TSA web site filled with vulnerabilities asking for traveller’s social security numbers and other personal information is equally effective at discrediting themselves.

political
privacy

Comments (1)

Permalink