Sunday, January 28, 2007

Clemons on Iran

Steven Clemons writes that Iran made a mistake in threatening to bar nuclear inspectors from the country since this provides an opening for the US to engage diplomatically with Russia and China to bring pressure to bear to end the nuclear program.

While I agree with his analysis I disagree with his description of this as a mistake. On the contrary, this is exactly the type of diplomatic engagement that Iran has been seeking for five years.

Whether you classify this as a mistake depends on what you consider the objectives of the Iranians to be. So far they have emerged stronger and more secure from each engagement they have initiated with the Bush administration. Since the Axis of Evil speech the constant aim of Iranian foreign policy has been to avoid a US attack on Iran. Obtaining nuclear weapons should be seen as a means to this end rather than an end in itself.

Speculation that the invasion of Iraq was directed by an AIPAC cabal misses the fact that the CIA identified the Iraqi National Congress and Chalabi himself as Iranian proxies in the 1990s. AIPAC was not the only agent of a foreign power with an interest in starting that particular war. Iran gained from the attack in three ways: first by eliminating Saddam as a threat, second by preventing the US attacking Iran for the duration, third because it was always likely to emerge from the conflict as the regional superpower.

For the past six months the story I have been hearing from everyone who might know is that the Bush Administration has already decided to invade Iran; the only question is how to justify the decision already taken.

Undoubtedly the Iranians believe something similar. In this context it makes perfect sense for them to deliberately re-enact the run up to the invasion of Iraq as closely as possible, including turning the international inspectors away before allowing them to enter the country under UN pressure.

The Bush administration would clearly prefer that Iran attack. If Iran does not respond to clear and deliberate provocation, such as the abduction of its consular staff, a Gulf of Tonkin stratagem will be attempted. As the credibility of the Bush administration crumbles the window of opportunity for such an attack narrows. The weakness of the administration increases rather than decreases the probability of another war.

The game the Iranians should be playing at this point is to make it appear that they are just crazy enough for the Bush administration to expect them to respond so as to make a Tonkin gambit unnecessary. Their current actions are entirely compatible with such a strategy, including reports of division within the leadership.

US political reaction to any attack will almost certainly be identical to the reaction to the invasion of Iraq which is to say that Congress will back whatever position turned out to be correct the last time. Democrats supported the 2002 Iraq resolution because hindsight considered that to be the right reaction to the 1991 Gulf War. This time round any Democratic candidate who does not oppose the attack should forget about their Presidential ambitions and worry about winning their next primary instead.

AIPAC is certainly beating the drums for a war with Iran, but they need not bother. Neither the Bush Administration nor the Democrats are going to listen. The Administration needs no encouragement. The Democrats know that another Bush war will inevitably be yet another fiasco that further weakens US power in the region and cripples the career of any politician who supported it. Attempting to make Democrats choose between AIPAC and the netroots is a foolish political choice. If they don't learn some sense quickly AIPAC will quickly be reduced to the level that the Christian Right is in the GOP, with successive Presidents arranging their schedule so that they can phone in their address rather than risk an embarrassing personal appearance.

A Paradox

The US has successfully argued for the extradition of a Dutch national to the US for crimes allegedly committed in Iraq.

How does this claim to extraterritorial jurisdiction of the US courts fit with the claim that there is no such jurisdiction of US law in Guantanamo and elsewhere?

Thursday, January 25, 2007

Black Ice

Pretty cool stuff.

The idea is that you spray the stuff on the ground surrounding a military base. Attackers who try to enter are left sliding around while the defenders have a special spray-on release agent on their boots.

My immediate reaction was 'what about wearing ice skates'. But getting from point A to point B on skates is rather easier than firing an automatic weapon while doing so.

Wednesday, January 24, 2007

Bogus Science

Slate weighs in on the State of the Union Skutnik to Aigner-Clark, founder of Baby Einstein.

All the usual attacks on baby education videos are trotted out: that they are based on junk science, that the American Association of Pediatrics recommends that children under 2 not watch TV, and so on.

What is striking about these attacks is that they utterly lack any evidence themselves. The evidence that the videos provide an educational benefit is not very good. But there is certainly no evidence that the videos cause harm.

The advice from the American Association of Pediatrics is similarly bogus:
'Until more research is done about the effects of TV on very young children, the American Academy of Pediatrics (AAP) does not recommend television for children younger than two years of age.'

In other words 'we don't have the slightest idea what we are talking about but we will give some advice because to not do so might attract criticism'.

Update: If one was to criticize the Baby Einstein gang for anything it should be for their rapacious pricing, $90 for a box of eight 30 minute DVDs. I know tots have short attention spans but that is no excuse for short changing them. A $14 DVD should have a minimum of 2 hours material, particularly material as cheap to produce as theirs.

The other criminal practice is their use of the DVD navigation lockout feature to force watching of a commercial for other Disney content. While the tots are screaming for their baby movie this is the last thing either of you wants.

Tuesday, January 23, 2007

Connecticut teacher jailed in pop-up porn miscarriage of justice.

Looks like a clear case of a miscarriage of justice. A substitute teacher was told to use a computer that had been infected with malware. A pop-up ads program bombarded the children with porn links.

Idiot prosecutor does not bother to talk to a competent forensic expert. Resulting sentence: 40 years.

Agenda Denial

The most effective tactic in politics is not to win the argument but instead stop opponents from making their case at all. This comes up frequently in standards discussions. When someone says 'it is too early to discuss X' they may mean it or they may mean 'I don't ever want to discuss X and when you attempt to raise the question later on I am going to say it is too late'.

So planting markers to ensure that the agenda denial fails becomes vital. When someone says 'now is not the time' the next question should be 'when will it be the time'.

Agenda denial strategies are routinely used in US politics, where the mainstream media has aggressively asserted its exclusive right to decide on what is news. The Web has challenged this claim. The political agenda is no longer set by the New York Times alone, it is set by Google News. A similar change took place in the UK in the 1980s in the wake of the year long Times newspapers strike. By the end of the strike the British establishment had discovered other newspapers. Many returned to The Times after the strike but the monopoly on agenda setting had been ceded to the BBC.

The blogosphere is active in the US precisely because of the widespread use of agenda denial tactics. When the Iraq war began the mainstream media accepted the administration claim that anti-war protests were marginal, not news and should be ignored. As a result the anti-war protesters created an alternative media infrastructure where the issues and points of view they thought important were the agenda.

When Bill Kristol states that anti-war protesters should simply stop protesting for six to nine months he is essentially employing an agenda denial tactic. What he is saying is in effect 'I don't have a case so I am going to criticize you for arguing against my position'. He has in effect been making the same argument for five years and he will continue to make it as long as he is allowed to.

This is why the recent question asked in a White House press briefing is so significant: 'what is an appropriate way to show dissent'. Predictably the Press Secretary had no answer.

Friday, January 19, 2007

Chip and no PIN?

In an announcement I missed last year Visa announced that they would be issuing Visa Cash cards in the chip and pin format. The idea is to support low value transactions, paying for a newspaper, coffee or the like.

The idea is not new of course, Mondex tried the same thing ten years ago. The big difference is that today there is a chip and pin terminal on every merchant's till.

The press release talks about 'wave and pay'. Presumably this means that there is some small value purchase that can be made without inputting the PIN.

If they could print the remaining balance on the card with electronic ink!

Now consider an OATH OTP token. It has a microprocessor, a display and in the future one would expect a bluetooth connection. I think we might be starting to see the emergence of the payment systems we will be using in the mid 2010s.

Tuesday, January 16, 2007

Obama files for Vice President

It is not of course possible to file to run for Vice President in the US system but when a one term or more precisely one Congress Senator files papers to run for President that is what they are in effect doing. Although Kennedy was technically a one term Senator in 1960 he had six years experience in the House before running for the Senate.

As such it is a risky move unless the idea is to put down a marker for 2012 or even 2016. The only notable success Obama has achieved so far is to get himself elected in what was otherwise a bad year for Democratic candidates.

The Obama candidacy is really a demonstration of the power of the media. A black man running for election is a good story for them so they build up his chances and overlook his lack of qualifications, at least until either he is nominated or he drops out of the race when they will gleefully seize upon the statement of the obvious.

The new vocabulary

One of the more irritating features of Identity 2.0 is the apparent determination to rename every concept in the field regardless of whether the existing nomenclature serves the intended purpose.

Specialized vocabulary plays an important part in any field, it serves as a shorthand for arguments that we do not wish to have to repeat every time. But specialized vocabulary is also potentially a trap, in particular it may contain assumptions which we need to examine.

I don't think we need to introduce nebulous terms such as 'Identity' into the mix. But some apparently minor changes in vocabulary represent a major change in viewpoint. For example:

User Experience, not User Interface. Despite sounding like an exercise in marketing the difference is important. Using the term user interface concentrates our attention on the code and implies that the user is just another machine for the computer to interact with. The term experience is much broader and includes code, documentation, graphical layout and installation. The term experience encourages us to think about psychology and whether the user's expectations from the product will be met.

Trustworthy not Trusted. As I pointed out at the first meeting of the Trusted Computing Group, almost every computer system we have today is trusted. The challenge we need to solve is that they are not trustworthy. Since then others (notably Microsoft) have made the same observation independently.

Least Risk not Least Privilege. As pointed out earlier today the Least Privilege 'principle' is really a mechanism rather than a governing principle. Talking about least privilege encourages us to think only in terms of setting ACLs on system resources. We need to think about reducing risk in other ways. The Default Deny principle is essentially another instance of least risk as is the idea of concentrating all security sensitive operations in a TCB.

Least Risk

Over the weekend I spent a good bit of time working on the 'Secure Platforms' chapter of my book The dotCrime Manifesto.

This chapter presents a particular challenge since I want to condense material that could easily fill another book into 5,000 words or so. Another problem is explaining that the security defects in current operating systems are not a failure of architecture so much as implementation compromises.

So we have a Trusted Computing Base where security decisions are concentrated, but the TCB can be bypassed because it runs in the same process space as device drivers, allowing a malicious device driver to clobber it. Once the TCB is compromised the least privilege principle is lost.

While working on these themes I realized that the least privilege principle is actually misstated. Least Privilege is a mechanism, not a principle. The principle is least risk. Once stated in these terms Least Risk becomes a unifying principle: Default Deny, Reference Monitor, TCB, Least Privilege all represent different ways to realize the least risk principle.

Turning to Google to find out if anyone else had made the connection I found a 1998 paper that I wrote on Key Escrow which may be of historical interest for those who followed the fight to legalize use of strong cryptography.

Saturday, January 13, 2007


I spent some time looking into the UNIX setuid scheme. Like null terminated strings I have always considered setuid to be an egregious hack, something that sensible people would avoid using at all costs. Unfortunately, like many egregious hacks, there are always people who see them as proof of genius rather than for what they really are.

The problem with setuid though is that it weakens your security foundation even if you try to avoid it. Setuid takes the reference monitor principle and throws it in the trash can. Every executable that has the setuid bit set and is owned by root has the ability to bypass the reference monitor, as can anyone who can mount a file system or, for that matter, the file system itself.

Instead of having the security sensitive code concentrated in one place, the reference monitor, it is diffused throughout the system. Instead of there being one piece of code to audit there are many.

It is often claimed that UNIX would achieve a B2 rating under the Orange Book. Like the claim that Jules Verne would have been the first person on the moon if he had managed to build a rocket such statements are complete nonsense. The setuid feature should certainly disqualify it.

Does anyone know of a UNIX build without this broken hack?
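Enumerating that audit surface is the practical first step. The script below is an added example, not code from the original post; it uses only the Python standard library, and the sample tree it builds under a temporary directory is constructed for illustration (names such as find_privileged and summarize are this example's own).

```python
import os
import stat
import tempfile


def classify(st_mode, st_uid):
    """Return the privilege-relevant properties of one file's mode bits.

    A regular file with the setuid bit that is owned by root runs as root for
    anyone who can execute it, so it sits outside the reference monitor's
    single decision point and has to be audited on its own."""
    return {
        "regular": stat.S_ISREG(st_mode),
        "setuid": bool(st_mode & stat.S_ISUID),
        "setgid": bool(st_mode & stat.S_ISGID),
        "root_owned": st_uid == 0,
        # A world-writable privileged binary lets anyone replace the code that
        # runs with elevated rights; this is the worst case in the listing.
        "world_writable": bool(st_mode & stat.S_IWOTH),
    }


def find_privileged(root):
    """Walk `root` and return (path, info) for every regular file that has the
    setuid or setgid bit set. lstat is used so symlinks are reported as
    links, not as the binaries they point to."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or removed while we were walking
            info = classify(st.st_mode, st.st_uid)
            if info["regular"] and (info["setuid"] or info["setgid"]):
                found.append((path, info))
    return found


def summarize(entries):
    """Count the audit surface: total privileged binaries, how many run as
    root, and how many are also world-writable."""
    return {
        "total": len(entries),
        "setuid_root": sum(1 for _p, i in entries if i["setuid"] and i["root_owned"]),
        "world_writable": sum(1 for _p, i in entries if i["world_writable"]),
    }


def make_sample_tree():
    """Constructed sample: a temp directory holding one plain file and one
    file with the setuid bit set. Returns (root, path_of_setuid_file)."""
    root = tempfile.mkdtemp(prefix="setuid-audit-")
    plain = os.path.join(root, "plain")
    with open(plain, "w") as f:
        f.write("#!/bin/sh\necho plain\n")
    privileged = os.path.join(root, "privileged")
    with open(privileged, "w") as f:
        f.write("#!/bin/sh\necho privileged\n")
    os.chmod(privileged, 0o4755)  # rwsr-xr-x
    return root, privileged


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"
    entries = find_privileged(root)
    for path, info in entries:
        flags = ("u" if info["setuid"] else "-") + ("g" if info["setgid"] else "-")
        flags += "W" if info["world_writable"] else "-"
        print(f"{flags} {'root' if info['root_owned'] else 'other':5} {path}")
    print(summarize(entries))
```

Run it with a directory argument to list the setuid and setgid binaries it contains; the summary line is the size of the audit job the post describes.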

Friday, January 12, 2007

An International Truth and Reconciliation Commission

It is clear from Wednesday's performance that few people believe that there is a plan, and of those who believe a plan exists most expect it to fail. Some, like myself and Steven Clemons, suspect that the administration's real plan is to try to cover up the mess in Iraq by provoking Iran to make an attack. While nobody would expect us to be greeted with flowers this time round they might hope to use air power to bomb Iran into a swift capitulation allowing them to declare victory. If Iran won't oblige, try Syria; if neither will oblige then use the Tonkin gambit and pretend that there was an attack.

The only argument left in favor of Congress continuing to fund the war is that unless the Iraq fiasco is seen as a Neo Conservative failure, a direct result of their foreign policy fantasies it will not be long till they start yet another war. Ford's pardon of Nixon did not as the Washington bobbleheads claim 'help the nation's healing', instead it allowed the neo-cons to live in denial for the next three decades and cook up their own version of the German officer corps 'stabbed in the back' theory.

It is clear that the mess in Iraq will not be solved by this administration. What should the next administration do?

The answer as I see it is a complete break with the past. Nixon was elected in 1968 offering to do just that. He made the mistake of listening to Kissinger tell him he could win the war instead.

The only interest that the US should attempt to secure in Iraq at this point is to stop the bloodshed. All and any plans to establish long term military bases, control exploitation of Iraqi oil or even to encourage the emergence of Western friendly democracies must be repudiated as dangerous Neo Con nonsense.

Stopping the bloodshed is the objective of most of the Iraqis and certainly all of Iraq's neighbors. The problem is that it is not their only objective. First the Shi'a have to make the point about how they have been horribly oppressed by the Sunnis, the Sunnis want to complain about the insults they have received since the fall of Saddam. Iran wants to complain about the US coup that overthrew their democracy in favor of the Shah. And so it goes on.

South Africa's Truth and Reconciliation Commission may be a model that could be adopted. If what the parties really want is for someone to listen to the long litany of injustices they have suffered then put it all out on display. Show the proceedings on cable, on the Internet. Let everyone have their say. Groups that perform new atrocities during the proceedings would hurt their own cause.

Such a commission might not bring a final peace to the region but it would certainly allow the US to forever bury the neo-con fiction that the US is somehow possessed of a unique moral virtue and thus a unique responsibility to dominate the rest of the world.

Wednesday, January 10, 2007

More home fab

Following on from the CarveWright, fab@home, described in New Scientist.

iPhone hype

The hype surrounding iPhone overlooks the fact that without exception all the phones produced by computer companies to date have sucked.

The original HP iPaq phone sucks. I have one and it's practically unusable as either a phone, a Web browser or a computer.

The Palm Treo sucks: the browser is crap, the reliability is terrible, the phone is mediocre at best. It is less bulky than the HP but it is still large.

So what are the prospects for the iPhone? Possibly better but to call this game over just because Apple has entered the market is more than a little premature.

Global Warming: The wrong debate

The media only has room for one thought at a time.

At the moment that thought is climate change. The fact that the planet is becoming warmer is indisputable. Virtually every credible expert believes that the cause is greenhouse gas emissions. The CEO of Exxon funds Potemkin 'research' institutes to dispute the claim. The media portrays Global Warming as a debate.

In the process the media pays almost no attention to its major concern in the 1970s and 1980s: that oil supplies are finite and at some point recoverable reserves will have been exhausted. Even if new reserves are found the increased demand for energy means that if current trends continue it is a question of when not if supply fails to meet demand.

We have to move away from fossil fuels regardless. So why have the wrong debate? We do not need to debate the need for change we need to debate what changes are to be made.

Tuesday, January 09, 2007

The Shorter Matrix

Morpheus: All I offer is the truth, you can take the Blue Pill and remain as you are or you can take the Red Pill and find truth.

George W. Bush: Blue

Morpheus: We are so screwed.


Sunday, January 07, 2007

Third Bush War

The appointment of a Navy Admiral to head CENTCOM is leading to speculation about an imminent attack on Iran.

Just for the record this would be yet another crass blunder by an administration that has shown no competence for winning wars to date. Afghanistan started well but the US pulled resources out too soon because Bush was more interested in starting a war of choice against Iraq. Now it appears that the solution being considered to the two separate unfinished wars either side of Iran is to launch a third war in the middle so that from now on there is only one war to worry about.

This is a very very bad idea. The Iranians control the Straits of Hormuz. Without the oil that flows through the straits the economy of the West grinds to a halt. Last time Iran closed the straits the West quickly told Saddam to offer peace terms.

This time is unlikely to be different. A supertanker is a slow, fragile beast that is not designed for military combat. The Iranians have surface to ship missiles. They have the means to retaliate. Any attempt to bomb Iran would be met in kind; Iran has the capability to take reprisals against civilians in Israel.

The rapid (initial) success of the Afghan and two gulf wars are probably unrepresentative of the cost of a campaign against Iran. In the first gulf war Iraq was fighting for territory it had only held for a few months. In the second the Iraqi army had been bled by a decade of sanctions. The Afghan campaign was won through politics and large sums of money rather than boots on the ground. A campaign against Iran would be very different, not least because the US land army is now the one that is stretched to the limit.

12 month government, 30 year contracts

The Independent reports that the Maliki government in Iraq is soliciting bids on '30 year' contracts to exploit Iraq's oil.

In doing so the government is almost certainly guaranteeing the fall of both the government and the constitution.

The long lease on the rights to exploit natural resources has long been the favored prize of colonial occupation. It has also been a prime casus belli. The UK and the US replaced the democratically elected government in Iran with the bloody dictatorship of the Shah, a tyrant who was despised by his people as much as Saddam, who eventually replaced him with the Mullahs. The dispute began when the democratically elected government demanded an audit of the oil royalties to determine whether they were being paid even the pittance due under the unequal contracts imposed during the colonial era.

The Maliki government is facing a civil war. It is a weak force both politically and militarily. Any bidders for the leases have to take into account a substantial probability that the leases will be repudiated by a future government. The terms of the deal will not be favorable.

The pressure on future governments to repudiate the deal will be enormous. But this would inevitably bring protest from the US as the US companies were robbed of their prize in the same way that French companies were after the fall of Saddam.

The justification given for the repudiation of the French contracts was force of arms. The US is creating an incentive for factions on both sides in the civil war to repudiate the constitution. Even if the terms of the deal are fair the opposite will be assumed by most Iraqis. Insurgents have a new incentive to fulminate.

This will not be seen as a sign of confidence in the Iraqi government, rather the reverse. At the beginning of the war it was widely assumed that the real war aims of the Bush administration were to control Iraq's oil, establish permanent military bases to protect Israeli and US interests and revenge. Signing a 30 year deal at this time looks like a last gasp attempt to grab the oil even if nobody seriously expects the attempt to succeed.

Saturday, January 06, 2007

Phishing and Countermeasures

Friday morning I ordered some Semantic Web books on Amazon. A few minutes after I clicked 'Buy' a UPS truck pulled up outside and delivered a package.

Turns out that Bezos has not managed to turbopower the Amazon supply chain, the package was a review copy of Phishing and Countermeasures, an edited volume on the topics in the title.

It's a big book with a lot of information in it. My main complaint is that the font size is way too small. It's an edited volume with many authors writing on the topic of their own specialties. So far I have only browsed through a few of the sections. The quality of the editing is certainly very high.

This is certainly a book that belongs on the shelf of any practitioner in the field. It is the best description of the state of the art in phishing countermeasures I have seen to date.

Friday, January 05, 2007

The 1Tb Disk Drive

Hot on the news of the 32Gb solid state drive, the 1 Tb magnetic drive.

Assuming Moore's Law holds that means we get to the drive holding a LOC (Library of Congress) in about 2015. Although at this point a LOC is rather less important perhaps than the ability to soak up all the content from those DVRs, Camcorders and so on.

Two weeks after Dish finally installed our new DVR we have only filled about 50 Gb of a 100 Gb disk. At $400 the 1 Tb drive would mean we could probably go for two years without changing our viewing habits or having to purge the disk (less if we went HD).

The price of the drive will come down but even today it is competitive with the $0.10 per Gb that DVD recordable discs cost.

Stopping blogspam

My corporate blog is getting hammered by blogspam. Fortunately for the readers I have moderation turned on. But this means that I end up reading all the linkspam.

98% of the blogspam I get is not trying to contact my readers, it is trying to manipulate the Google PageRank algorithm. At this point I don't know whether it is an attempt to boost or suppress rankings. One could easily imagine that if Google started to penalize for suspected blogspamming that people would start to look at ways they might use this to attack competitors and we have seen many examples of this in spam blacklists.

The key observation is that the spammers are attacking the search engine through my blog. I want the search engine to index my blog but not the comments.

So, solution #1 (a variation of a scheme I think was due to Dan Boneh):

<h1>The blogspam problem</h1>
<p>I get lots of blogspam</p>
<p>3 Comments</p>
<p>Alice says: Yeah me too</p>
<p>Bob says: And me!</p>
<p>Carol says: Nice post, have you considered how <a href=""></a> would solve your problem?</p>

More on this tomorrow.
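The post defers its own scheme to the next entry. As an added example (not the scheme alluded to above, nor code from the original post), one standard way to let the search engine index the post while giving it no reason to credit links in comments is to rewrite every comment link with rel="nofollow"; the helper names nofollow_links and render_page are assumptions of this example, and the comment text it feeds in is constructed.

```python
from html import escape
from html.parser import HTMLParser


class NofollowRewriter(HTMLParser):
    """Re-emits an HTML fragment unchanged except that every <a> gains
    rel="nofollow" (appended to any rel tokens already present)."""

    def __init__(self):
        # convert_charrefs=False so entities are passed through verbatim
        super().__init__(convert_charrefs=False)
        self.parts = []

    def _emit_tag(self, tag, attrs, self_closing):
        if tag == "a":
            tokens = (dict(attrs).get("rel") or "").split()
            if "nofollow" not in tokens:
                tokens.append("nofollow")
            attrs = [(k, v) for k, v in attrs if k != "rel"] + [("rel", " ".join(tokens))]
        rendered = "".join(
            f' {k}="{escape(v, quote=True)}"' if v is not None else f" {k}"
            for k, v in attrs
        )
        self.parts.append(f"<{tag}{rendered}{' /' if self_closing else ''}>")

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, True)

    def handle_endtag(self, tag):
        self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        self.parts.append(data)

    def handle_entityref(self, name):
        self.parts.append(f"&{name};")

    def handle_charref(self, name):
        self.parts.append(f"&#{name};")

    def handle_comment(self, data):
        self.parts.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.parts.append(f"<!{decl}>")


def nofollow_links(comment_html):
    """Return comment_html with rel="nofollow" on every anchor, so a crawler
    still indexes the page but is told not to pass rank through the link."""
    rewriter = NofollowRewriter()
    rewriter.feed(comment_html)
    rewriter.close()
    return "".join(rewriter.parts)


def render_page(post_html, comments):
    """Assemble the page: the post body is emitted as the author wrote it,
    each (author, html) comment goes through nofollow_links first."""
    n = len(comments)
    lines = [post_html, f"<p>{n} Comment{'s' if n != 1 else ''}</p>"]
    for author, html in comments:
        lines.append(f"<p>{escape(author)} says: {nofollow_links(html)}</p>")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample modelled on the fragment in the post.
    page = render_page(
        "<h1>The blogspam problem</h1>\n<p>I get lots of blogspam</p>",
        [("Alice", "Yeah me too"),
         ("Bob", "And me!"),
         ("Carol", 'Nice post, have you considered how <a href="http://spam.example/">this</a> would solve your problem?')],
    )
    print(page)
```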

Thursday, January 04, 2007

32Gb Flash Drive

SanDisk have launched a 32Gb solid state drive that is a direct replacement for a notebook drive.

The only thing that is currently worse than a hard drive is the price ($600 more) but that will soon come down.

32Gb is a pretty good size. More is better but it's more than a good enough start. Halving the cost would be a bigger priority for me than doubling the capacity.

In addition to laptops this drive could be used to create a solid state camcorder.

Dual format, too little, too late

So Toshiba has produced a dual format HD-DVD/Blu-Ray player in an attempt to bypass the format wars.

It's too little, too late. At this point the whole idea of next-generation DVD is obsolete. Consumers are unlikely to buy either until there is a supply of content, and the studios are unlikely to supply more than a token quantity of content until there is a sufficient market base, and they will charge super-premium prices for doing so.

Consumers want HD quality at the DVD price. The costs of doing the remastering right are significant. At this point a studio would probably lose money even bringing out content like the Star Wars collection in HD, where fans would buy it before they owned a player or an HD TV set.

Before critical mass is achieved the network effect is the chicken and egg problem.

The whole concept of physical distribution media is becoming obsolete. Online distribution has already made the CD single obsolete. It will not be long before Internet video on demand becomes routine. At that point the convenience factor of the Internet channel plus the lower overheads dominate.

Wednesday, January 03, 2007

MSNBC underestimates prospects for bipartisan Congress

Before the 110th Congress has even met MSNBC and others are already dismissing the chances of bipartisanship in Congress.

I think they underestimate the prospects of members working with each other. Open warfare with the White House is inevitable. Support for an unpopular lame duck President from Republican members of Congress is not.

In the wake of the disastrous 2006 midterms the attention of Republicans is firmly focused on 2008. The chances of regaining either house are slim. The 2002 election was a disaster for the Democrats, who were handed a 21 to 12 drubbing. As a result the Republicans have at most two serious chances of picking up a seat in the Senate while the Democrats have up to eight. When the conservative pundits rate the possibility of picking up John Kerry's seat in Massachusetts as being amongst their best chances they are blowing smoke that even the stupidest reader should spot.

Another reason to expect bipartisanship is that the Democrats now control the agenda. Nothing can pass Congress without them. Republicans who engage in trench warfare will return to their district with little or nothing to show for their efforts. Those who play ball get the goodies.

Conversely there is little for the Democrats to gain by engaging in open warfare with other members of Congress. They already have both houses; the less that is heard from the minority in either house the better as far as they are concerned. Oversight is going to be directed squarely at the White House.

You the Diet

As people who know me know for the past couple of months I have been on something of a diet. So far I have lost 17lbs in 49 days and at my current rate of progress I will reach my target weight at 8:28am on the 27th August this year.

The rather clever authors of You: The Owner's Manual have figured out that getting a diet book on the shelves of Costco in time for the New Year would be good for business. I only bought the book after losing the first 15 lbs, so at most 2 lbs of the loss are attributable to the book.

The good part about the book is that it provides a lot of useful information in a non faddish way. The bad part is that it is written in what Mrs dotFuture calls 'Attention Deficit Disorder style'. Every key point made has a 'You-reka' icon, the diagrams are cartoonish. This is fun at first but after a short time it is like watching a 24 hour South Park marathon from start to finish without a break.

The part of the book worth reading is the first part, where they explain the biology of dieting. You probably know why starvation diets don't work (our bodies sense a famine and shut down the metabolic furnace as much as possible). The bits that I have not seen in other books are the schemes to trick the body into thinking it's full when it isn't by eating foods which cause the right satiety hormones to be released at the right time.

There are also the obligatory pages with exercises and diet recipes. I skipped these; they are done better elsewhere. The recipes themselves tend to be of the nut cutlet, tofu and hummus variety. If you can eat that stuff you don't need the book.