
Wednesday, September 27, 2006

Did I remember to...

A lengthy checklist of things to check when completing an application, particularly suited to Windows GUI apps, but a lot of the ideas are generally applicable.


Wednesday, September 20, 2006

Risks to privacy of using pseudonyms in public

Frankowski et al. have performed an interesting investigation into the Privacy Risks of Public Mentions in which they examine means of determining whether a user in one context is the same person as a user in another context by comparing what they choose to talk about in the two contexts (what movies they rate in a ratings database and mention in a public forum, in this case). The entire paper is worth a read if you're interested in this sort of thing, but I took away in particular that:
  • there is a substantial re-identification risk to users who mention items that few others mention (you're more likely to identify yourself if you talk about Manual of Arms than if you talk about Titanic); so acting to maintain privacy will mean not talking about non-mainstream topics both in your own name and under an alias; here is another means by which surveillance will tend to chill speech, even if it's anonymous/pseudonymous,
  • in a particularly sparse relation space, you'll have to suppress an awful lot of what you might otherwise talk about (88% of mentions in this case!) to remain free from identification,
  • misdirection (inserting red herrings) is somewhat effective, but may require many red herrings (an anonymous blogger wishing to remain anonymous may need to weave in mentions of lots of irrelevant stuff, perhaps turning off his/her audience) and/or co-ordination.
The corollary of the increasingly unusual subject matter leading to an increasing risk of re-identification strikes me as being particularly interesting. It means that people who want/need to communicate about something that they can't/don't-wish-to be caught discussing need not only hide their trails with great care, but they also need to very carefully segment what they talk about in such a situation, and/or not talk about it at all.
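To make the first bullet concrete, here is a small added example (not from the paper or the post) on a constructed toy ratings database: it counts how many users remain consistent with a pseudonym's mentions, so you can see that a mention of a rarely rated item collapses the candidate set while a mainstream one barely narrows it, and it flags which mentions would need suppressing. The user names, titles and the 50% share threshold are all invented for the demo.

```python
from collections import defaultdict

# Constructed demo data: which users in the (private) ratings database
# rated which items. Titanic is mainstream; Manual of Arms is rare.
RATINGS = {
    "alice": {"Titanic", "Manual of Arms", "Heat"},
    "bob":   {"Titanic", "Heat", "Alien"},
    "carol": {"Titanic", "Alien"},
    "dave":  {"Titanic", "Heat"},
}

def item_index(ratings):
    """Invert the ratings: item -> set of users who rated it."""
    idx = defaultdict(set)
    for user, items in ratings.items():
        for item in items:
            idx[item].add(user)
    return idx

def reidentification_exposure(ratings, mentions):
    """Return (remaining candidate users, trail) after each public mention.

    trail holds (item, how many users rated it, candidates left) so the
    narrowing effect of each mention is visible item by item.
    """
    idx = item_index(ratings)
    candidates = set(ratings)
    trail = []
    for item in mentions:
        candidates &= idx.get(item, set())
        trail.append((item, len(idx.get(item, ())), len(candidates)))
    return candidates, trail

def mentions_to_suppress(ratings, mentions, max_share=0.5):
    """Mentions of items rated by at most max_share of users: the risky ones."""
    idx = item_index(ratings)
    n = len(ratings)
    return [m for m in mentions if len(idx.get(m, ())) / n <= max_share]
```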

I don't see that there's any fault here, it's just a little sad. I believe that anonymous/pseudonymous public communication ("speech") has value; such communication is difficult and becoming more so.

(via Schneier on Security)

On-Card displays

A problem that has bothered me for a long time with smart cards is what I refer to as the "trusted terminal problem"; that you (the card-holder) must trust that a terminal owned and largely controlled by a merchant is doing what it claims to be doing; that the merchant has not subverted the device. One solution is to have a UI (display and buttons) on the card/token in your possession. Several vendors now appear to be offering exactly this on credit cards.

I first encountered a variant of this problem a little over twenty years ago when I was doing work experience at a Burroughs (now Unisys) warehouse in Sydney. Most of my time that week was spent preparing French-made EFTPOS machines for delivery to Australian customers (supermarkets, I think). The task was to unpack each machine, fit an Australian power plug, perform basic functional tests and, assuming that all of that passed, set the machine up in the soak-test shelves for a day or two. Some fraction of the machines had problems that needed corrective actions (screens damaged in transit and screens mis-fitted were the most common, although occasionally EPROMs were fried and we had to replace them). This was generally pretty routine electronics, but there was a special consideration in the design of the keypad on which a customer would enter their PIN. The DES key used by the settlement provider was stored in SRAM in the keypad itself (so the PIN crossed the wire to the body of the terminal already encrypted); the SRAM was powered by a supercap so it could hold the key for months on end without external power and there was a normally-closed pushbutton connected inside the casing such that as soon as the casing started to open, the power pins on the SRAM would be shorted out and the key thereby destroyed. For any machines on which we had to replace the screen on the keypad, we had to re-enter the DES key into the keypad at first power up. The theory was that while the manufacturer did have access to the key, the merchants did not, so even if someone in a supermarket spent some time fitting an electronic surveillance device to the terminal, it wouldn't get them the PINs because (a) the PIN was only ever available unencrypted in the keypad and (b) the keypad couldn't be opened without destroying the key, thereby at least exposing any tampering merchant to investigation by the banks. 
(Clearly there remains an issue with a merchant's use of surveillance cameras in its own premises to gather the same information, but at least an alert customer has a reasonable chance of dealing with that possibility himself.)

I assume (well, I hope) that other manufacturers have incorporated such measures into their terminals but, of course, like any customer I have no way of knowing whether or not this is the case for any particular merchant, and even whether or not there has been collusion between a technician working for the manufacturer and a merchant.

While there's a "hey what's this on my statement?" recovery path for EFTPOS cheating, there's no such recourse for stored value cards. This has bothered me ever since stored value cards became available. Clearly, the system's greatest risk is to the card provider from card-holders tampering with the cards, but in situations where third-party merchants can accept payment and then bill the system-provider, there is a strong incentive for the merchant to tamper with the machine as it would be very difficult to prove after the fact that a merchant was cheating. Indeed, it would often be difficult even to notice; bear in mind that existing stored-value card systems work much like a blind person paying for groceries at the checkout by handing their wallet to the checkout operator and hoping that they remove the right money.

The solution has always seemed to me to be that the card-holder should not have to trust the merchant's terminal, but this would essentially require that the card-holder lug about his own secure terminal and that the merchant be able to cope with that. Interestingly, I've seen a Vasco device about the size of a small calculator which purports to do exactly this. Suppose that you're buying on the web something which won't be delivered to you physically (e.g. you're buying an e-book), so the merchant doesn't need to know your address.
  • you enter your order
  • the merchant website generates a "challenge" number
  • you slip your card into the device and enter the number
  • the device tells you how much money the transaction is for
  • perhaps you select which of your several accounts to pay from
  • you press "yes"
  • the device gives you a "response" code for this one transaction
  • you enter it into the merchant website
  • the merchant's website forwards the transaction details plus the challenge and your response to the payment processor
  • the payment processor gives the OK
  • the merchant website makes the download available
The nett result is that
  • the merchant and payment processor know for certain (and the latter can prove) that whoever entered the transaction was in possession of the actual card at the time, even though you weren't in the same room as the merchant['s employee]
  • you've not disclosed your credit card number to the merchant, so there is no risk of a leak of the merchant's database, or compromise of their webserver, leading to subsequent fraudulent use of your credit card number
  • you know, for certain, how much money has been debited to your account (note that with web merchants this is not a huge risk; any merchant who was regularly telling customers one price and the bank a higher price would quickly generate enough complaints to get shut down)
  • you've not disclosed your address, nor even necessarily your name, to the merchant, thus enhancing your own privacy. (Note the qualifier at the beginning "so the merchant doesn't need to know your address". If you're buying a washing machine they have to know, at least, where to deliver it. This degree of privacy protection is, in principle, only available for transactions that don't require a courier or service provider to visit your home.)
So, Bruce Schneier has spotted an article announcing that displays and keypads are now available for credit cards! The article deals primarily with the bank's half of the problem (proof that you have the card at the time that a transaction occurs) so they're talking about implementing two-factor authentication à la SecurID in which a "random" number which has to be provided as a part of the transaction is displayed on the card, but Bruce points out, and the manufacturer's samples suggest, that more involved "terminal on the card" applications (e.g. electronic wallet) are already being developed.
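The challenge/response purchase above, worked through as an added example (my own sketch, not the Vasco device's actual protocol). It assumes the challenge digits pack the amount and a fresh nonce (so the device can show the amount before you press "yes"), that the card key is shared only with the payment processor, and that the response carries a public card reference rather than the card number; the key, reference and amounts are constructed demo values.

```python
import hmac
import hashlib
import secrets

# Constructed demo: the card's secret key lives only on the card and at the
# processor. The merchant only ever sees the public reference "ref-0001".
CARD_KEY = {"ref-0001": bytes.fromhex("00112233445566778899aabbccddeeff")}

def merchant_challenge(amount_cents: int) -> str:
    """Merchant site: 8 digits of amount + 8-digit nonce, typed into the device."""
    return f"{amount_cents:08d}{secrets.randbelow(10**8):08d}"

def card_display_amount(challenge: str) -> int:
    """Card device: decode and show the amount before asking for 'yes'."""
    return int(challenge[:8])

def _code(ref: str, challenge: str, account: str) -> str:
    """Shared computation: MAC over (challenge, chosen account), cut to 8 digits."""
    mac = hmac.new(CARD_KEY[ref], f"{challenge}|{account}".encode(),
                   hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

def card_response(ref: str, challenge: str, account: str) -> str:
    """Card device after 'yes': reference plus one-transaction code, no card number."""
    return f"{ref}:{_code(ref, challenge, account)}"

class Processor:
    """Payment processor: verifies the response the merchant forwards."""
    def __init__(self):
        self.seen = set()  # challenges already spent, to refuse replays

    def approve(self, challenge: str, response: str,
                amount_cents: int, account: str) -> bool:
        ref, code = response.split(":")
        if ref not in CARD_KEY or challenge in self.seen:
            return False
        if int(challenge[:8]) != amount_cents:   # merchant altered the amount
            return False
        if not hmac.compare_digest(_code(ref, challenge, account), code):
            return False
        self.seen.add(challenge)
        return True
```

Because the code is bound to the challenge (and so to the amount the holder saw) and to the chosen account, a merchant forwarding a different amount or account, or resubmitting an old response, is refused.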

(Note that the "Subscribe to access articles more than sixty days old" at the bottom of the article suggests that the article will quickly expire, so for reference, the named manufacturers are InCard with their OTP DisplayCard, SmartDisplayer with their Display IC Card, and Aveso with their Display-enabled Smart Cards.)

Thursday, September 07, 2006

The Joel Test: Rating your development process/environment in 60 seconds

Most things in life can't be adequately evaluated with a checklist. Some things, however, can be subjected to a quick litmus test with a few well-chosen questions. Joel provides such a "how well are you doing?" checklist for software development processes in The Joel Test: 12 Steps to Better Code which, as he points out, is no CMM replacement but, it seems to me, is of more use to most small-scale development efforts, where "which ball park are we in?" is a more interesting question than "was that three sigmas, or four?".

UPDATE 2006-09-08: (chuckle) On re-reading it appears that I dashed the article out too quickly and even appeared to be saying that his test was not useful, which is the reverse of what I meant. I've now corrected and expanded on that.

Why is Blair still PM?

Despite living in the UK for a few years, I still have difficulty making sense of some of the ins and outs of what goes on here. I do suspect that I now have a slightly better theory than the one I had yesterday to explain why Blair is still PM: that Brown wishes to avoid giving the electorate time to see him for what he is.

{{ Advance warning to the strong supporters of one party or another: I'm not advocating Blair's removal, nor his not being removed, I don't have a strong preference either way. This analysis is merely an attempt to make sense of what is actually happening. The analysis would be the same if the UK had a Conservative government with a PM who was increasingly unpopular, even amongst fellow Conservative MPs who were saying so in public, but who was being allowed to continue serving. }}

For some time it has seemed peculiar to me that sitting Labour MPs have publicly voiced opposition to Blair's continuing as PM, but that there has been no attempt to force him out. Instead the talk appears to be along the lines of politely waiting until Blair gets around to stepping down and, perhaps, if it's not too inconvenient, perhaps he could consider doing so sometime soon. This is something of a stereotype of British behaviour, and yet it appears to be exactly how many local pundits are portraying the situation.

I tried thinking this through from the perspective of dissenting MPs. In their situation, my decision tree would be simple:
  • If I were one of a group of like-minded MPs with a plausible contender and the numbers to make it happen, I'd participate in forcing Blair out, through whatever procedural means are available. A further refinement that might be of interest if a resignation and endorsement from the outed leader were seen to be of value in smoothing a transition would be to prepare the procedural means quietly and then offer Blair, at an hour's notice, the opportunity to resign and endorse, rather than be forced out.
  • Alternately, lacking a plausible contender, the numbers or both, I'd quietly bide my time in order to avoid diminishing support for the party as a whole.
Is my surprise an Australian thing? I don't know. Perhaps it is unthinkable for UK Labour MPs to engage in power-plays, or to use their powers as elected representatives without the explicit consent of the wider party machine. This might perhaps suggest a third option:
  • Express public dissent in the hope that, if enough others do it often enough, it'll become a self-fulfilling prophecy, without having to get my hands "dirty" with the exercise of political power.
Although I'm not entirely happy with that third option, that's pretty much where I'd let my thinking settle until earlier today when I read Labour MP Gerald Kaufman's letter to the Guardian in which he provides, unintentionally, a far better explanation. What he actually says is:
If Brown takes over too soon, or in an atmosphere of turmoil, he is in danger of becoming shopworn goods before an election several years away. He needs to be fresh, innovatory, ...
Well, yes, nothing worsens a candidate's appeal more than not having appealing ideas, but Kaufman structures his words to suggest that lack of appeal is an unavoidable consequence of long exposure, in the sense that inventory sitting on a shop's shelf for too long becomes "shopworn". This seems an inappropriate metaphor for ideas which tend to gain more regard over time, not less, except when they are poor ideas, of course. Perhaps Kaufman is unaware of the relevance to appeal of how good an idea actually is? Apparently not, the rest of the quoted paragraph is:
... ready to call an election pretty soon after reaching No 10, and fighting a campaign against a Cameron by then exposed for what he is: as someone once put it about another Tory, "Don't be deceived; beneath his superficial tinsel lies the real tinsel". Such a strategy points to a later Blair departure from Downing Street.
In other words, Kaufman is all too aware of the risk of allowing poor ideas to be exposed to the public for too long, Brown's or Cameron's. Kaufman has unwittingly answered my question for me; those who support Brown's replacing Blair are keeping their mouths firmly shut until somewhat closer to election time in order to avoid Brown's having time to be "exposed for what he is" (Kaufman's exact words, if not his intent), which also explains Brown's resolute silence in the face of the events of the last few days.

This also allows the occasional public voices of dissent from Labour MPs to be explained as frustrated expressions from those who feel that they have no input in shaping events.

I wonder what UK politics might look like if any of the players actually believed that their ideas were good ones?

Friday, September 01, 2006

Using the home directory as Nautilus' desktop

This is apparently in the "too hard to get consensus on" category, so it's a hidden option for Nautilus.

gconftool-2 -s /apps/nautilus/preferences/desktop_is_home_dir true -t bool

UPDATE 2006-09-27: Hmm, this was still showing as a draft, now published...