Resources for National Opt Out Day

Wednesday, November 24, is National Opt Out Day. We Won’t Fly, a grassroots organization that’s taken the lead in organizing, describes the goals

The goal of National Opt Out Day is (1) to educate the traveling public about airport naked-body scanners and the new “enhanced” TSA groping so they can make an informed decision; (2) force positive change on the TSA by slowing down their security theater with creative protest; and (3) show the airlines our consumer power so that they will lobby the government on our behalf to get the naked-body scanners removed and the TSA abolished. The government has failed us. We’re taking our message of real security, dignity and privacy to the airlines until they get on our side.

An important clarification on point #2: the goal is not to interfere with other passengers getting to their destinations. As AP’s Ray Henry describes in TSA chief: Resisting scanners just means delays, the government is trying to convince travelers not to exercise their rights. But as We Won’t Fly’s George Donnelly discusses, Opt Out Day could make security lines move faster by reducing the number of people flying and giving travelers better information than the TSA is providing.

Whether or not you’re planning on opting out, it’s important to know your rights — and to know what your options are if something goes wrong. Fortunately, there are a lot of great resources out there. Here’s a quick guide:
Continue Reading »

political

Comments (2)

Permalink

Security alert: bots using Facebook chat

If somebody starts chatting with you and asks you to try a link, be wary …

2010-11-22_0905

No, I didn’t click on the link. I do my best to keep up with security patches, but why take the chance of visiting a site that’s likely to be filled with malware?

Uncategorized

Comments (2)

Permalink

What can Diaspora learn about security from Microsoft? (REVISED DRAFT)

See the final version here

Thanks to Adam, Jason, and Alem for the initial list; Sarah, tptacek, Locke1689, mahmud, Wayne, PeterH, Steve, and SonyaLynn for comments on the previous draft, and Damon for the wording on #7.

Continue Reading »

privacy
Professional

Comments (6)

Permalink

What can Diaspora learn about security from Microsoft? (FIRST DRAFT)

It’s counter-intuitive to think of Microsoft as a poster child for security.  But the progress they’ve made since 2001 along with the challenges they continue to face have a lot of lessons for anybody in this space — including Diaspora, the “privacy-aware, personally-controlled, open-source, do-it-all social network”.

Several of the comments on my previous post Diaspora: what next? were from former colleagues at Microsoft, and they made excellent points.  Here’s my attempt to build on the list that Adam, Jason, and Alem started off.
Continue Reading »

Uncategorized

Comments (6)

Permalink

Is Facebook subject to breach notification laws for revealing phone numbers?

Security warning: If you don’t intend to share your phone number on Facebook, ask a friend to check their Phonebookand see if it’s there.  And it’s a good time to check to your privacy settings — my brother Greg has instructions on The Happy Accident.

Update, October 7: See the Twitter discussion in the first comment.

Continue Reading »

Uncategorized

Comments (1)

Permalink

Packing and the friendly skies: Deviant Ollam on how to be able to really lock your luggage and avoid those horrible “TSA-approved locks”

Another Shakacon presentation, this one from Deviant Ollam.  The short answer: fly with firearms.

Continue Reading »

social sciences

Comments (7)

Permalink

Pyr0 on “the art of espionage” at Shakacon

Sarah Blankinship and I are presented Securing with the Enemy: Social strategy and team of rivals at Shakacon today.  More about our talk later; this post has notes from the keynote presentation on The Art of Espionage, by Luke McOmie (aka Pyr0) of British Telecom.

Luke’s consulting includes “real world risk assessments”, which sometimes involves breaking into his clients’ companies to test their security.  So it’s a great opportunity to hear about the kinds of techniques the real bad guys use.  Fascinating stuff!

Continue Reading »

entertainment
meta
Professional
Tales from the Net
Uncategorized

Comments Off on Pyr0 on “the art of espionage” at Shakacon

Permalink

A proposal for Obama’s new CTO: Require independent review by technical experts

Yesterday my former Microsoft colleague Matt Lerner, now at FrontSeat (“software for civic life”) sent out mail about the new ObamaCTO.org site, a user-powered forum for gathering and prioritizing ideas for Obama’s new CTO.  Anybody can register, vote on ideas, or submit your own; in a twist from digg-style rating, each person is limited to ten votes, and you can apply up to three on any given topic.  Unsurprisingly, I immediately voted for Ensure reliable & trustworthy election technologies.🙂

The site’s very well done, powered by UserVoice, with a straighforward interface.  Micah Sifry’s Never Mind Who; What Should S/he Do? on techPresident has more details on this site (as well as a new report on the role of the CTO from the 21st Century Right to Know Project).

And far be it from me to pass an opportunity for grassroots activism by.  Here’s my submission:

Require independent review of projects by technical experts

Over the last 8 years, many governmental projects have failed to take into account basic principles of systems and software engineering, design, computer security, and privacy.  The REAL ID proposal, for example, stored personal data in unencrypted form, relied on databases which didn’t yet exist, and ignored the questions of false positives due to inaccurate data.  Independent review by experts can detect these issues early in the process, which either gives time for them to be addressed or allows the project to be rethought far more cheaply.

If you think it’s reasonable, please vote it up!

jon

political
Professional
Uncategorized

Comments Off on A proposal for Obama’s new CTO: Require independent review by technical experts

Permalink

Obama’s YouTube video page hacked!?!?!!?

Just saw this in a thread in the One Million Strong for Barack Facebook group: the Barack Obama Keating Economics page on YouTube appears to have been hacked. It’s fixed now … but here’s a screenshot:

Snapshot of Obama YouTube page

The Part of: link at the bottom apparently went to the McCain ad “The One.” (No, I didn’t click on it myself.)

political
Professional

Comments Off on Obama’s YouTube video page hacked!?!?!!?

Permalink

Vegas, baby! Iron Chef Black Hat

Draft posted August 14. Substantially revised August 17.

The second of a two-part series on the Black Hat USA 2008 security conference.

Image of Caeser's Palace from Black Hat site

Back when we lived in San Francisco in the 1990s, we were huge fans of Fuji TV’s Iron Chef, then shown with subtitles on a local cable station. When local chef Ron Siegel repeated his winning “lobster confront” menu at Charles Nob Hill, word got leaked to the Iron Chef mailing list and we managed to get seats … wow! And I’ll never forget the time that Bobby Flay in his exuberance jumped on the sushi board; so of course when I was at Caesar’s I had to have lunch at his Mesa Grill.

Iron Chef is also a good lens to looking at Black Hat from the perspective of the consulting I’m doing for San Francisco-based startup Coverity. This gives a completely different picture of the conference than the political and front-page-news of Vegas Baby! Black Hat, glitter, and pwnies. It’s just as interesting though, thanks in no small part to Fortify’s Iron Chef Black Hat.

Continue Reading »

Professional
social sciences

Comments (4)

Permalink

Vegas, baby! Black Hat, glitter, and pwnies

The first of a two-part series on the Black Hat USA 2008 security conference.

Image of Caeser's Palace from Black Hat site

Vegas, baby!

Continuing my tradition, I was in Las Vegas for Black Hat but didn’t attend the conference proper. My brother was able to come up from LA to meet me, so I decided to hang out with him instead — Vegas, baby!

This meant my Black Hat “attendance” was mostly networking at a couple of parties. Which certainly gives an interesting perspective on the conference ... in these more social settings, discussions are wide-ranging and informal, and there are opportunities for all kinds of different connections. Sites like Infoworld, Wired’sThreat Level , and Microsoft’s Ecostrat blog have great coverage of what happened during the sessions at Black Hat and Defcon, and are well worth checking out. Here’s my idiosyncratic view.

Kevin McLaughlin’s Learn From Lincoln, Says U.S. Cyber Chief on ChannelWeb is a particularly interesting lens for Black Hat, describing a talk by Rod Beckstrom (Director of the National Cyber Security Center in the U.S. Department of Homeland Security).

Continue Reading »

political
Professional
social computing
social sciences

Comments (2)

Permalink

A bumper crop o’ Slashdot security threads

In RSA: “It feels like something’s missing” earlier this week, I mentioned that I found myself wondering whether what I was seeing at the show responded to security problems as experienced by users. Coincidentally enough, when I checked Slashdot today there were several of interesting security-related threads. So while it’s far from a statistically-valid sample, it’s still agreat chance to ask: is the industry successfully addressing these kinds of problems?

Let’s start with Oklahoma Leaks 10,000 Social Security Numbers, which is by far the most serious single issue:

“By putting SQL queries in the URLs, they not only leaked the personal data of tens of thousands of people, but enabled literally anyone with basic SQL knowledge to put his neighbor/boss/enemies on the sexual offender list.”

Continue Reading »

Professional

Comments Off on A bumper crop o’ Slashdot security threads

Permalink