CF2 TechNotes Blog (http://www.cf2group.com/technotes)
News and Opinions on Emerging Technologies and Products
Sat, 30 Aug 2008 10:19:30 +0000

A Critical Security Post for an Election Year
http://www.cf2group.com/technotes/2008/01/27/a-critical-security-post-for-an-election-year/
Mon, 28 Jan 2008 04:38:55 +0000, curtis_franklin

There never seems to be a shortage of bureaucrats eager to take away our freedom by invoking security. In most cases, their proposed actions do absolutely nothing to promote real security, but do a great deal to make it easier to control and oppress the public.

I cover security, but it takes a real expert to make a convincing case against the proponents of fake security. Bruce Schneier has made a powerful case in his latest Wired blog post. The most important point he makes — and this is critical — is that the "choice" so often offered between security and privacy is not a choice that need be made. In most cases, the acts and systems that provide security don’t impinge on freedom and privacy.

We haven’t seen candidates asked questions about this in any meaningful way, but perhaps it’s past time for that to change. The way the next administration views privacy and security will have a significant impact on our lives for years to come.

Security from Another Angle
http://www.cf2group.com/technotes/2007/08/21/security-from-another-angle/
Tue, 21 Aug 2007 17:08:55 +0000, curtis_franklin

I had a long conversation about the Storm Worm this morning, and it’s certainly having an impact on various organizations around the Internet. In talking about Internet security, though, we missed an obvious threat: guns. Apparently, someone shot up a fiber-optic cable near Cleveland, causing a major disruption that cascaded across Internet backbones. I can hardly wait to see how the security vendors react to this one…


Another PCMag.com Article
http://www.cf2group.com/technotes/2007/07/03/another-pcmagcom-article/
Tue, 03 Jul 2007 20:48:49 +0000, curtis_franklin

The second article for PCMag.com is on Voice over IP (VoIP) security. Like most technologies, there are risks that go along with the benefits. Head over to the article to check out what some of the experts are saying about what you should do to protect your network if you’re deploying VoIP.

How Not to Protect Your Code
http://www.cf2group.com/technotes/2007/03/30/how-not-to-protect-your-code/
Sat, 31 Mar 2007 04:03:09 +0000, curtis_franklin

I’ve written about copy-protected software before. In general, I think it’s a bad idea. I’ve yet to meet a scheme that can’t be defeated (albeit some require a bit of knowledge and some uncommon tools), and virtually all impose at least some burden on legitimate customers. Recently, my dear wife had a run-in with software protections that had to be the most intrusive, “you paid us and we still don’t care about you” copy protection I’ve seen this side of Sony.

Now, before I get too far into this, let me say that the system she ran into is several years old: it’s entirely possible that the company has come to its senses in subsequent releases. If so, and if the company contacts me to tell me about it, I’ll post information here. Until then, on with a cautionary tale…

You need to know that Carol is superb with all things having to do with fiber, fabric, and sewing. A friend purchased a sewing machine with embroidery attachments many years ago, but had never really used the attachments. She asked Carol to see if it could be figured out and put to use. The sewing machine and attachments were made by Husqvarna — a top brand. When Carol began installing the software, she found that it required a printer-port dongle as part of its copy-protection scheme. Fortunately, her laptop has a printer port, so she installed the dongle and proceeded with the install. She next found that the application she was installing (one of three separate applications required in order to do the sort of embroidery she wanted to try) also required a special key for the dongle–a key shaped roughly like a large watch battery. She installed the key and moved on. Each of the applications, in turn, required its own key to be placed in the dongle during the software installation process. Now, things get really fun.

Once the programs are installed, they each must be used if you want to make custom designs. Each time a program is invoked, its key must be inserted into the dongle. Since creating and saving a custom design isn’t a straight-through-the-applications sequence, there are more than three key changes required for the creation of each design. Get this image in your head: The process of creating an embroidered design isn’t just an exercise in graphical design–it’s now part of your aerobic exercise program as you get up and down, twist around to the back of the computer, stretch your arms to the dongle, reverse and repeat.

I don’t know whether the Husqvarna folks had “irritate the living daylights out of legitimate users” as an item on their design criteria list, but they nailed this feature. It’s hard to imagine a more annoying system that doesn’t involve physical mutilation.

Now, as I said at the top, it’s possible I’m ranting about a system that’s no longer sold. Lordy, I hope so. Whether it’s been relegated to the waste-bin of history or not, this is a product of the thinking that’s typical of copy-protection schemes. The thinking? Our customers don’t matter at all. The appropriate response? A decision to buy someone else’s product. I absolutely believe that developers (and all those who work in creative endeavours) should be compensated for their work. I’m not advocating intellectual property theft or a system in which no one is allowed to profit from their work. I am saying that these creative folks should respect their customers enough to figure out how to profit by making their legitimate products desirable–not by abusing the people who keep them in business by actually buying their wares.

OK, the lecture is over, and a tough week is done. More regular posting next week and news from a regional SPJ conference over the weekend…

Stupid Extortion Attempts
http://www.cf2group.com/technotes/2007/03/23/stupid-extortion-attempts/
Fri, 23 Mar 2007 22:20:22 +0000, curtis_franklin

I’ve known for a while that criminals had moved into extortion for their nasty cyber games. Today, though, I got my first extortion e-mail. It had all the grace and cunning of your average Nigerian scam letter, but with humorous mis-spellings and grammar manglings thrown in for flavor. It read:

hello friend

    first,i am sorry i am not a good man,I am a computer hacker,so when you seeing this email,your computer Already infected my virus.

    i want nothing,i just want a few money,so you must send 150 US dollar to my e-gold  (http://www.e-gold.com) account.

    if you dont do this, I will activate my virus in a week, then your computer will be able to be paralysed and to appear the pornographic procedure.

    this is not a joke,think about it.

    check this link to send money to me:   http://XXXXXXXXX.com

    i just can only wait you 5 days

          when you send money to me,call me at: jznglskq@gmail.com

              see you very soon

I’ve redacted the link to send money, but I’ve left the poor schmuck’s e-mail address. This sort of e-mail should forever put to rest the “all computer criminals are geniuses” meme. Needless to say, there was no malicious payload (unless you count bad grammar), and no one should ever respond to something like this.

I have left a message for the eGold security team–it should be interesting to see if they get back in touch with me. If they do, I’ll let you know.

What do You Know?
http://www.cf2group.com/technotes/2007/03/22/what-do-you-know/
Fri, 23 Mar 2007 03:12:04 +0000, curtis_franklin

Fellow journalists have pointed to an interesting issue for those writing about security. In a NY Times story about shoplifters the writer talks about a “boost bag” used by shoplifters, and describes in broad terms what the bag is. The issue: Has the journalist damaged security by including information in the story? Those of us writing about IT security face this question every day, as do journalists who focus on law enforcement, military, or homeland security issues. It’s one of those issues that can bear honest disagreement because judgement is involved.

I tend to come down on the side of “more information is better” in most cases. The information on how to build bombs, put together a boost bag, defeat an alarm system, or construct an SQL injection attack is out there anyway–none of this involves a deep, dark secret. Trying to keep citizens from understanding these things is not only self-defeating, it diminishes the opportunity to enlist the help of thousands (or millions) of intelligent men and women of good will.

Are there exceptions? Of course there are. I think you have to give serious consideration to publishing the details of an on-going operation, and if the subject of the article might endanger human life then a writer must weigh the consequences very, very carefully before proceeding. I don’t write details like IP addresses in my articles, and I’ll tend to fuzz out the details of an individual’s vulnerabilities when writing about case studies. It’s not that I won’t write about the issues, including details of what’s possible–I just won’t put the key into the lock for someone who might be trying to decide which network will host their next cyber-joyride.

Some of the folks who operate in the political blogosphere talk about groups of citizens as “a pack, not a herd.” I like that. I think that most groups will form themselves into a pack and not a herd if given the opportunity. Part of that opportunity consists in being informed about what the Bad Guys are doing, or are capable of doing. Security Through Obscurity is, in the long run, an unsuccessful strategy, and I don’t feel I violate my responsibilities either as a journalist or as a citizen when I make a security issue a bit less obscure. I strongly believe that a well-educated citizenry (whether of a nation or of the world) is best able to defend itself and help defend other citizens.

Gear up–get educated.

More Dark Reading
http://www.cf2group.com/technotes/2007/03/07/more-dark-reading/
Thu, 08 Mar 2007 03:46:12 +0000, curtis_franklin

Today’s Dark Reading column is up, and it’s on an interesting topic; it seems that spammers have decided that there are more important things than porn to use in flooding our in-boxes. The column brought with it an even more interesting situation; Kelly Jackson-Higgins wrote her blog entry on the same subject.

As problems go, this one isn’t earth-shattering, and in many instances it wouldn’t even be a problem. It’s the sort of thing that’s easily corrected in the editing and production work-flow of a print publication, but “web time” tends to leave publications open to these little issues. The question, of course, is how to solve the problem without invoking a process that will make everyone long for the days when we could all file different takes on the same story and just laugh about it.

The whole work-process issue is fascinating. I’ve been on the team starting at least three magazines, and work flow discussions tended to involve minor tweaks to a system that apparently originated with Gutenberg. The web changed things in dramatic fashion because of the speed that has come to be associated with web publishing, the differences in the understanding of article length, and the very basic differences in how readers experience the material. The staff size is also a huge factor.

A blog like this is, generally, a one-person operation. Right now, I’m the only one posting here so the process is whatever lets me get something onto the web. I’ve had discussions with colleagues about their participation, and when they begin contributing we’ll have to work out a more significant process. If you have 20 editors, 36 writers, and an art department, you’re in a different world of process altogether.

You’ll notice that I haven’t said anything about the whole editorial oversight that’s supposed to be such a huge differentiator between Real Publications and blogs. There’s a reason I haven’t talked about it–there’s no standard to talk about on either side. I’ve written for huge print publications where my articles ran exactly as I submitted them, and I’ve written for blogs and on-line pubs where editors went over every word. Here? You, my friends, are my editorial review and so far you’re doing a good job. I liken this most to a good newsletter–there’s an on-going relationship between writer and reader that keeps things vital.

New Dark Reading Column is Up
http://www.cf2group.com/technotes/2007/03/05/new-dark-reading-column-is-up/
Tue, 06 Mar 2007 03:04:22 +0000, curtis_franklin

You can read my latest security column at Dark Reading. I manage to say good things about the Department of Homeland Security. So far, no porcine aviators have been seen.

The broader point around the column is that there are times and places to be on the bleeding edge of technology. Projects that involve securing the lives and personal information of, oh, everyone are in neither. I love new stuff as much as the next guy, but there have been far too many utter disasters around big projects built on new technology for me to suggest that Real ID should have anything that isn’t highly secure and thoroughly experienced as part of the spec.

My Latest Column…
http://www.cf2group.com/technotes/2007/03/02/my-latest-column/
Sat, 03 Mar 2007 00:57:11 +0000, curtis_franklin

…is up at Dark Reading. It’s a rant on the “20 worst…” lists that have become so popular. It’s not that the lists aren’t good, it’s that so many of the items on the list can be boiled down into a few basic problems. In the column I, you guessed it, bile them collards down, as the old song has it. I’ll take the pot likker and stop this string of analogies before I’m compelled to bring anything like chitlins to the table.

You know, though, a lot of the very complicated things we worry about can be broken down into very simple rules. I’ve had to mandate–and take–sexual harassment classes in various jobs. All the words, examples, and legal precedents can be summed up very neatly: Be a gentleman; be a lady; don’t be an ass. There–I’ve just saved you thousands of dollars on harassment training. In the same way, I run across so many IT problems that could have been solved if someone–anyone, actually–had applied Thomas Watson’s famous word: Think.

We’ve built such a cult around speed that thinking about the problem we’re trying to solve and the consequences of our solution gets short shrift. I’m sure you can supply your own example here; anyone who’s been in business for more than 38 minutes can. It’s time to bring thinking back into fashion. Security is a good place to start, but it’s starting that’s the key.

Think.

Ostrich Security
http://www.cf2group.com/technotes/2007/03/01/ostrich-security/
Thu, 01 Mar 2007 13:53:46 +0000, curtis_franklin

My latest column is up at Dark Reading. I’m afraid I got up on one of my favorite soapboxes–companies trying to silence those who find flaws with their products. It’s not just security companies; take a look at the license you agree to when you use any of the major databases, for example, and you’ll find that you’ve agreed never to tell a soul if you build a test and get results.

I’m not excited about a culture built on cowardice and secrecy. This kind of thing makes no one more secure, and contributes to an atmosphere that leads to more bad surprises, rather than fewer. Let sales reps know that you don’t like this sort of thing, and that it will figure into future purchasing decisions. It’s the only real way to get the attention of the execs who think they’re doing their company a favor.