" /> net.wars: December 2007 Archives

« November 2007 | Main | January 2008 »

December 28, 2007

2007 by numbers

April: Month when DRM on music began to fall.

235: Number of patents Microsoft claimed it owns that Linux violates.

8,000: Number of "diggs" a Big Spring, teenager's detention letter got while hordes of angry Firefox defenders from all over the world phoned and emailed his school. The letter had been doctored to make it look as though he was given detention for using Firefox.

24: Number of days from the time Facebook announced Beacon, the advertising partnership that publishes users' purchases at 44 partner sites to their friends lists to the time it announced it had modified the program to allow users to opt out. Facebook planned to expand Beacon to allow users to publish their eBay listings to their friends network.

9: Number of days later that Coca-Cola, Overstock.com, and Travelocity were reported to have pulled out of the program.

7: Number of additional days it took Facebook to allow users to turn off the program entirely, amid speculation that Blockbusters involvement with Beacon may have contravened the US Video Privacy Protection Act, passed after a newspaper disclosed Robert Bork's video rental records when he was a Supreme Court nominee.

1: female winner of the Alan Turing award – Frances Allen.

6: Percentage of BCS Fellows who are female.

5: Upper bound of the percentage of music on the average iPod that was bought on iTunes.

8: Number of times digital preservation can be more expensive than paper (PDF, see p4).

17 per second: the rate at which Amazon.com sold Wiis.

74: Days it took Apple to sell 1 million iPhones. We still don't get it.

£100: Likely cost of the ID card to individuals if/when it is launched in 2009. Exactly as predicted in 2002.

29,000: Number of identified sex offenders whose profiles were deleted by MySpace.

$12 million: amount SCO spent in 2006 on its licensing program, whose revenues were $116,000.

$30 million: SCO's estimated liability to Novell et al after an August court judgment went against it.

September 27: Date on which Darl McBride, CEO of SCO, announced SCO was filing for Chapter 11 bankruptcy protection: "Other companies such as Delta Airlines, Texaco, Dow Corning, K-Mart, United Airlines, Toys R’ Us, Macy’s Department Stores and others have emerged from Chapter 11 protection after restructuring themselves for success. We intend to do the same."

December 27: Date SCO was officially delisted from the NASDAQ.

$3.1 billion: Cost of Google's takeover of DoubleClick, which received FTC approval last week. The merger will mean not only that Google gets a huge, new database of individuals' surfing habits but that two of the biggest ad platforms will now belong to the same company.

140,000: Votes discarded by electronic counting machines in Scotland during the May evoting trial. Reports attribute the problem to ballot design. But the key problem was the lack of comeback for voters whose ballots are marked spoiled by machines with no human oversight.

August 2: Date the UK Electoral Commission recommended against pursuing electronic voting any further until security can be improved. The bad news: the government seems unlikely to take this or any other sane advice.

September 29: Date on which Linden Labs advised EU users that VAT is being applied to Second Life bills, including premium registration, land ownership, and maintenance fees. Paying taxes? Sounds like my first life.

25 million: number of UK households whose personal details were contained in two CDs "lost in the post" on the way to the General Audit Office.

3 million: number of UK driving test candidates whose details have been lost on a hard disk in the US, now believed to be touring Iowa.

$1 billion: Amount the FBI has allocated for building a biometric database, to include iris scans, facial images, and other physical characteristics. "Bigger. Faster. Better." Have they learned nothing from Facebook, Google, and MySpace? The bigger the database, the greater the number of connections, the more of it is garbage.

September 4: Date of dissolution of MUSE, the company set up to commercialize the early MUD virtual gaming world. The big beneficiary of that effort: CompuServe. And the original CEO, who went mad, stole the money, and shot himself.

$1.43 billion: the amount eBay overpaid for Skype in 2005.

October 5: Date on which the Bragg v. Linden Labs lawsuit was settled, with terms remaining confidential. This was the court action that lawyers were watching eagerly to see what precedents it might set for the legal status of virtual property. Bragg's Second Life account has been reinstated, and the SL Terms of Service have been amended after a judge's decision in the case found them invalid.

Unclear: which will cost more, the Galileo constellation of global navigation satellites being built by the EU, or the UK national ID card.

Happy New Year!

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

December 21, 2007

Enter password

Some things, you just can't fake.

A few years ago, a friend of mine got a letter from an old girlfriend of her son's bearing news: my friend had, unknown to both her and his father, a 15-year-old grandson in Australia. The mother had married someone else, that marriage had broken up, and now the son was asking questions about his biological father.

I saw the kid, visiting his grandparents, out playing tennis the other day. It wasn't just the resemblance of face, head shape, and hair; the entire way his body moved as he ran and hit the ball was eerily and precisely like his father.

"You wouldn't need a DNA test," I said, aside, to my friend. She laughed and nodded, and then said, "We did one, though."

Biology: the ultimate identifier.

A few weeks ago, I did a piece on the many problems with passwords. Briefly: there are too many of them. They're hard to think up (at least if they're good ones), remember, and manage, and even when you have those things right you can be screwed by a third-party software supplier who makes the mistakes for you. The immediate precipitating incident for the piece was the Cambridge computer security group's discovery that Google makes a fine password cracker if your software, like Wordpress, stores passwords as MD5 hashes

Some topics you write about draw Pavlovian responses. Anything involving even a tiny threat to Firefox, for example, gets a huge response, as some school officials near where I'm staying have just discovered (kid doctors a detention letter to say he's being punished for not using Firefox and posts it on Digg; school becomes the target of international outrage). Passwords draw PRs for companies with better ideas.

I think the last time I wrote about passwords, the company that called was selling the technology to do those picklists you see on, for example, the Barclaycard site. You don't type in the password; instead, you pick two letters from picklists offered to you. There are a couple of problems with this, as it turns out now. First of all, if your password is a dictionary word the system doesn't really protect all that well against attacks that capture the letters, because it's so easy to plug two letters into a crossword solving program. But the big thing, as usual, is the memory problem. We learn things by using them repeatedly. It's a lot harder to remember the password if you never type the whole thing. I say picklists make it even more likely the password gets written down.

This time round, I got a call from Biopassword, which depends on behavioral biometrics: your personal typing pattern, which is as distinctive to your computer as my friend's grandson's style of movement is to a human. You still don't get to lose the password entirely; the system records the way you type it and your user name and uses that extra identifier to verify that it's you. The technology runs on the server side for Internet applications and enterprise computer systems, so in theory it works no matter where you're logging in from.

Ever used a French keyboard?

"A dramatic change does affect its ability," Biopassword's vice-president of marketing, Doug Wheeler, admitted. "But there are ways to mitigate the risk of failing if you want to provide the capability." These include the usual suspects: asking the person questions no one else is likely to be able to answer correctly, issuing a one-time password (via, for example, a known personal device such as a mobile phone), and so on. But, as he says, the thing companies like about Biopassword is that it identifies you specifically, not your cell phone or your bank statement. "No technology is perfect."

Biopassword starts by collecting nine samples, either all at once or over time, from which it generates a template. Wheeler says the company is working on reducing the number of samples as well as the number of applications and clients the system works with. He also notes that you can have your login rejected for matching too perfectly – to avoid replay attacks.

It's an intriguing idea, certainly. A big selling point is that unlike other ideas in the general move to two-factor identification it doesn't require you to learn or remember anything – or carry anything extra.

But it doesn't solve the key issue: passwords are an intractable problem located at the nexus of security, privacy, human psychology, and computer usability. A password that's easy to remember is often easy to crack. A password that's hard to crack is usually impossible to remember. Authenticating who you are when you type it will help – but these systems still have to have a fallback for when users are grappling with unfamiliar keyboards, broken arms, or unpredictable illness. And no user-facing system will solve the kind of hack that was used against the Cambridge group's installation of Wordpress (though this hole is fixed, now), which involved running a stored password through an MD5 hash and presenting the results to the Web site as a cookie indicating a successful login..

Still, it's good to know they're still out there trying.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

December 14, 2007

Nativity plays

Last night I was involved in recording a segment of an edition of the regional ITV show London Calling that I'm told will be broadcast next week (by which time I will have avoided embarrassment by leaving the country). I was there as a skeptic, not an Internet commentator. But it was annoying enough that I'm going to pretend the experience is a suitable subject for net.wars.

I've said before now that in general the skeptics do not take a position on matters of faith: we think about things that can be tested and how to test them. If you want to tell me that you believe that a little pink cloud is up there guiding your way through life there really isn't much I can say. If, however, you tell me that every year that little pink cloud impregnates a virgin, we might start talking about how to test this phenomenon under proper observing conditions. The rise of the religious right in the US and the increasing fight over teaching creationism in the schools and Bush's disregard for science mean that many American skeptics are being forced to modify this long-held policy.

I was told the show would be a lively debate; it was more of a free-for-all, in which I, along with three humanists and the atheist stand-up comedian Robin Ince, found ourselves arguing about the threat to Christianity posed by the disappearance of school nativity plays. The show was fronted by a quintet of I guess bigger-league journalists and TV people: Vanessa Feltz, Eve Pollard, Nick Ferrari, a guy from the Evening Standard whose name I didn't catch. (They were all far too grand to consort in the green room with us lower-level invited guests, who were in turn kept away from the hoi polloi of the nondescript audience. Such is the role of hierarchy in television. I would point out that I, too, have a Wikipedia entry; so there.)

The bottom line of the discussion: almost everyone, be they Indian, Muslim, Christian, or Jew, loves Christmas. But – said Keith Porteous Wood, head of the National Secular Society – only 30 percent of the population celebrate it as a religious festival. For most of us, religious or agnostic, atheist or Jedi Knight, Christmas is about decorating trees, giving and receiving presents, organising travel schedules and accommodation for family members, and enjoying a lot of good food. The people who aren't doing the cooking and the airport runs may even have a pretty good time.

Of course, last night was primarily about whipping people into a frenzy. Ferrari, who does a show on LBC radio that I was previously unaware of, in particular fulminated at the moral injustice of "taking the Christ out of Christmas". Well, folks, this is the price you pay for success. Your holiday – which of course you largely stole from the pagans - has been adopted by a lot of people who do not care about your reasons for celebrating it. I'm sorry you don't get royalties for this the way Microsoft does on copies of Windows, but there it is.

One of the main guests' most important contentions: Christianity is under attack. Please. This is an idea you've imported from the US. You have not only a dominant religion but an established one. Granted, the planned reforms to the makeup of the House of Lords will remove some of the bishops. Granted, church attendance has been dropping for decades now. But a few schools deciding they live in a multicultural society is small beer. British Christians still have the Queen, the Parliament, and the country's entire structure of holidays on their side.

The claim that Christianity is the subject of attack isn't even all that sound in the US, where Christians are much shakier in their claim that "This is a Christian country". They may feel this way, sure – but so does every religious or non-religious group at one time or another. It's a good tactic, though, for fostering group bonding, a nice thing to have in an election year.

A lot of last night's complaints played on nostalgia for the way things were when they were children. Vanessa Feltz in particular hammered on this one: according to her the country is now awash in such ghastly characters as Christmas lobsters, apple pies, and so on. We're supposed to be horrified. (Apparently the apple pie character was to promote healthy eating, which sounds dire even for a school play.)

I'd bet that today's children themselves do not share their parents' horror at playing a lobster instead of a virgin miraculously impregnated by an invisible spirit. Probably Feltz was right that whatever that lobster is up to isn't as good a story or told in as attractive language as the story of the shepherds. My school didn't have nativity players that I remember, but the language of that story is engraved in my brain, too. Tempora mutantur, et nos mutamur in illis.

OK, OK, I know the show was trash. The next segment (in which I was mercifully not involved) is "Golddiggers: is marrying for money wrong – or just practical?" Faugh. I feel better now.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

December 7, 2007

Data hogs

If a data point falls in the forest and there's no database to pick it up, is it still private?

There is a general view that people do not care about privacy, particularly younger people. They blog the names of all their favorite bands and best friends, post their drunken photographs on Facebook, and tell all of MySpace who they slept with last night. No one, the argument goes – actually 22 percent – reads the privacy policies Web sites pay their lawyers to draw up so unreadably.

And yet the perception is wrong. People do, clearly, care about privacy – when the issues are made visible to them. Unfortunately, the privacy-invasiveness of a service, policy, or Web site usually only becomes visible after the horse has escaped and is comfortably grazing in the field of three-leaf clover.

A lot of this is, as Charles Arthur blogged recently in relation to the loss of the HMRC discs holding the Child Benefit database, an education issue: if we taught kids important principles of computer science, like security, privacy, and the value of data, instead of boring things like how to format an Excel spreadsheet, some of the most casual data violations wouldn't happen.

A lot of recent privacy failures seem to have happened in just this same unconscious way. Google's various privacy invasions, for example, seem to be a peculiarly geeky failure to connect with the general public's view of things. You can just imagine the techies at the Googleplex saying, "Oh, cool! Look, you can see right into the windows of those houses!" and utterly failing at simple empathy.

The continuing Facebook privacy meltdown seems to include the worst aspects of both the HMRC incident and Google's blind spot. If you haven't been following it, the story in brief is that Facebook created a new advertising program it calls Beacon, which collects tracking data from a variety of partner sites such as Blockbuster.com. Beacon then uses the data to display your latest purchases so your friends can see them.

The blind spot is, of course, the utter surprise with which the company greeted the discovery that people have all sorts of reasons why they don't want their purchase history displayed to their friends. They might be gifts for said friends. The friends, as so often on Facebook and the other social networks, may not be really friends but acquaintances chosen to make you look well-connected, or relatives you assiduously avoid in real life. And even your closest real friends may prefer not to know too much about the porn DVDs you rent. American librarians are militant about protecting the reading lists of library patrons; but Facebook would gleefully expose the books you buy. Are you kidding me? Facebook CEO Mark Zuckerberg can apologize all he wants, but his apparent surprise at the size of the fuss suggests that he's as inexperienced at shopping as those women in front of you in the grocery checkout who seem not to know they'll need to pay until after everything's been bagged up.

What Facebook shares with HMRC, though, is the underlying principle that it's cheaper to send the full set of data and let the recipients delete what they don't want than to be selective. And so, as the story has developed, it turns out that all sorts of data is being sent to Facebook, some of it even relating to non-users. They just delete what they don't want, so they say.

Facebook was briefly defensive, then allowed users to opt out, and then finally allowed users to delete the thing entirely. But the whole thing highlights one of the very real problems with social network sites that net.wars first wrote about in connection with (the now more responsibly designed) Plaxo: they grow by getting people to invade their own and their friends' privacy. The Australian computer scientist and privacy advocate Roger Clarke, whose paper Very Black "Little Black Boooks" is the seminal work in this area, predicted in 2003 that the social networks' business models would force them to become extremely invasive. And so it has proved.

How do we make privacy a choice? We know people care about privacy when they can see its loss: the reactions to the Facebook and HMRC incidents have made this plain. We know theyRecent research by Lorrie Cranor at Carnegie-Mellon (PDF) suggests, for example, that people's purchasing habits will change if you give them an easy-to-understand graphical representation of how well an ecommerce site's practices match their privacy preferences.

But visibility to users, helpful though it would be, is not the root of the problem. What privacy advocates need going forward is a way to persuade companies and governments to make privacy choices easy and visible when their mindset is to collect and keep all data, all the time? These organisations do not perceive giving users control over their privacy as being in their own best interests. Maybe plummeting stock prices and forced resignations, however brief, will get through to them. But to keep their attention focused on building better systems that put the user in control, we need to make the consequences of getting it wrong constantly visible and easily interpretable to the data hogs themselves.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).