http://www.daemonology.net/hn-daily/2013-0
http://taint.org/2013/05/24/235801a.html
Communication costs in real-world networks
Peter Bailis has generated some good real-world data about network performance and latency, measured using EC2 instances: between EC2 regions, between zones, and between hosts in a single AZ. Good data (particularly as I was looking for this data in a public source not too long ago).
I wasn’t aware of any datasets describing network behavior both within and across datacenters, so we launched m1.small Amazon EC2 instances in each of the eight geo-distributed “Regions,” across the three us-east “Availability Zones” (three co-located datacenters in Virginia), and within one datacenter (us-east-b). We measured RTTs between hosts for a week at a granularity of one ping per second.
Some of the high-percentile measurements are undoubtedly the impact of host and VM behaviour, but that is still good data for a typical service built in EC2.
(tags: networks performance measurements benchmarks ops ec2 networking internet az latency)
http://www.lightbluetouchpaper.org/2013/0
http://www.lightbluetouchpaper.org/?p=53
Today at W2SP I presented a new paper making the case for distributing security policy in hyperlinks. The basic idea is old, but I think the time is right to re-examine it. After the DigiNotar debacle, the community is getting serious about fixing PKI on the web. It was a hot topic at this week’s IEEE Security & Privacy (Oakland), highlighted by Jeremy Clark and Paul van Oorschot’s excellent survey paper. There are a slew of protocols under development like key pinning (HPKP), Certificate Transparency, TACK, and others. To these I add s-links, a complementary mechanism to declare support for new proposals in HTML links.
Though it’s unclear which proposals will take hold, deployment will probably be fragmented: some servers will require HTTPS (using HSTS), some may pin keys or use another new protocol, and many will continue to not support HTTPS at all. Clients must know what the server supports prior to initially connecting, or else a middleperson attacker can simulate a server which only supports insecure HTTP (often called a stripping attack). Thus hardening HTTPS includes an enormous policy distribution problem.
The consensus is that querying a new out-of-band trusted server to learn security policy is a non-starter. OCSP, a protocol to check if certificates are revoked, provides a painful example. It was never reliable enough for browsers to fail closed if OCSP servers couldn’t be reached, so it provided negligible security and Chrome eventually disabled it. This leaves very few channels to distribute security policy prior to initial connections. Browser preloads are great, but can’t scale indefinitely. DNSSEC (via extensions like DANE) is a promising approach, but many deployment issues remain.
This leaves secure introduction: if a user agent is referred to a new domain by an already-trusted domain, the referring domain can indicate a minimum security policy required for the initial connection. S-links are a proposal to enable secure introduction in HTML. A stricter HTTPS policy (such as key pins) can be declared in a new “link-security” attribute, which will apply only to requests caused by that element itself (for example, clicks on a link or loading a JavaScript library).
S-links aren’t a panacea: they can’t protect users who manually type a new URL. Still, compared to the alternatives s-links are an efficient and easy-to-deploy channel for security policy. An important lesson from past PKI failures is to build for robustness: multiple protocols will have to be supported and we should build multiple ways of advertising security upgrades. S-links is still a very early-stage project with important details to get right about the user experience and some subtle interactions with the browser’s same-origin policy. I would greatly appreciate feedback.
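To make the secure-introduction idea concrete, here is an added example (not code from the paper or from any s-links implementation) of how a user agent could enforce a per-link policy before following a link. The attribute grammar is an assumption made for this example, since the post names the "link-security" attribute but not its syntax: whitespace-separated directives, "https" to require TLS and "pin-sha256=<base64>" for a key pin.

```javascript
// Added illustration of per-link policy enforcement ("secure introduction").
// Assumed grammar for the link-security attribute (not from the post):
// whitespace-separated directives, "https" and "pin-sha256=<base64>".
// Unknown directives are ignored so that newer policies degrade gracefully.
function parseLinkSecurity(attrValue) {
  const policy = { requireHttps: false, pins: [] };
  if (!attrValue) return policy;
  for (const token of attrValue.trim().split(/\s+/)) {
    if (token === "https") {
      policy.requireHttps = true;
    } else if (token.startsWith("pin-sha256=")) {
      policy.pins.push(token.slice("pin-sha256=".length));
    }
  }
  // A key pin is only meaningful over TLS, so pinning implies HTTPS.
  if (policy.pins.length > 0) policy.requireHttps = true;
  return policy;
}

// `connection` models what the user agent observed when it actually
// connected: the scheme used and the base64 SPKI hashes of the certificates
// presented. A stripping attack shows up as scheme "http" although the
// referring page demanded TLS; a mis-issued certificate shows up as a chain
// that matches none of the pinned hashes. Either case is refused.
function checkNavigation(href, policy, connection) {
  const url = new URL(href);
  if (policy.requireHttps && url.protocol !== "https:") {
    return { allowed: false,
             reason: "policy requires https, link uses " + url.protocol.slice(0, -1) };
  }
  if (policy.requireHttps && connection.scheme !== "https") {
    return { allowed: false, reason: "downgrade to " + connection.scheme + " blocked" };
  }
  if (policy.pins.length > 0 &&
      !connection.spkiHashes.some((h) => policy.pins.includes(h))) {
    return { allowed: false, reason: "no presented key matches a pinned key" };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample: a page references a third-party script and declares
// the policy the referred-to host must meet. The base64 values are
// placeholders, not real key hashes.
const SAMPLE_ATTR = "https pin-sha256=AAAAexamplePinOne= pin-sha256=BBBBexamplePinTwo=";
const SAMPLE_HREF = "https://cdn.example/lib.js";

// Runs the three cases a practitioner cares about: the honest server,
// a stripping middleperson, and a TLS server with an unpinned key.
function demo() {
  const policy = parseLinkSecurity(SAMPLE_ATTR);
  return {
    honest: checkNavigation(SAMPLE_HREF, policy,
      { scheme: "https", spkiHashes: ["BBBBexamplePinTwo="] }),
    stripped: checkNavigation(SAMPLE_HREF, policy,
      { scheme: "http", spkiHashes: [] }),
    wrongKey: checkNavigation(SAMPLE_HREF, policy,
      { scheme: "https", spkiHashes: ["CCCCnotPinned="] }),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Note that the policy is scoped to requests caused by the element carrying the attribute, which is why the check takes the link's own href rather than a site-wide setting.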
How does he know this?
Chris Cosentino, the Bay Area’s "Offal Chef" at Incanto in San Francisco and PIGG at Umamicatessen in Los Angeles, opted for the most intimidating choice of all -- giant squid. "When it comes to underutilized fish, I wish the public wasn't so afraid of different shapes and sizes outside of the standard fillet," he said. "I think the giant squid is a perfect example of an undervalued ocean creature. Everyone isn't afraid of squid but the size and flavor of the giant squid scares people because it has a very intense flavor but it is quite delicious."
I am surprised he has tasted giant squid?
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
http://krebsonsecurity.com/2013/05/skype-b
http://krebsonsecurity.com/?p=20707
A few months ago, I warned readers that a glaring privacy weakness in voice-over-IP telephony service Skype allows anyone using the network to quickly learn the Internet address of any other Skype user. A new beta version of the popular Microsoft program appears to have nixed that privacy leak with a setting that restricts this capability to connections in your Skype contacts only.
As I wrote on March 21, 2013, a number of services have emerged to help snoops and ne’er-do-wells exploit this vulnerability to track and harass others online. For example, an online search for “skype resolver” returns dozens of results that point to services (of variable reliability) that allow users to look up the Internet address of any Skype user, just by supplying the target’s Skype account name.
The resolvers can look up the IP address of any Skype user — whether or not that user is in your contacts list or even online at the time of the lookup. What’s more, resolver services frequently are offered in tandem with “booter” or “stresser” services, essentially sites that will launch denial-of-service attacks against a target of your choosing.
Apparently in response to this problem, Microsoft has added a new option to its Skype 6.5 Beta, released April 30, that lets users allow direct connections from their contacts only. The information tab on this option, found under Skype->Options->Connection, says “When you call someone who isn’t a contact, we’ll keep your IP address hidden.”
I pinged Microsoft for an answer as to whether this feature was designed to plug the privacy leak exposed by resolver services. The company declined to say specifically what it may have changed about the Skype network and/or its software to address this problem, but it attributed the following emailed statement to a “Skype spokesperson”:
“Skype for Windows Beta 6.5 and Mac 6.4 now offer the option to prevent people not on your contact list from viewing your IP address. With this beta program, only your contacts will be able to access this information. We are allowing users to test this new security function and welcome any feedback as we continue to improve the communication experiences on Skype.”
I tested this beta version of Skype against a free Skype resolver service that has been reliable in the past at looking up IP addresses tied to specific Skype accounts. When I ran it against my everyday account using an older version of Skype, it successfully found my home IP. When I created a new Skype account with the Skype 6.5 beta on a separate machine, enabled the privacy feature and then tried the lookup again, it failed to locate my IP.
I should note that some Skype resolvers will cache previous lookups. That means if your Skype username has previously been looked up at a Skype resolver service, that service may show the correct IP for your Skype username if your IP address hasn’t changed since the last lookup.
https://freedom-to-tinker.com/blog/sjs/a
[Cross-posted on my blog, Managing Miracles]
On Monday, the Supreme Court handed down a decision in Arlington v. FCC. At issue was a very abstract legal question: whether the FCC has the right to interpret the scope of its own authority in cases in which Congress has left the contours of its jurisdiction ambiguous. In short, can the FCC decide to regulate a specific activity if the statute could reasonably be read to give it that authority? The so-called Chevron doctrine gives deference to administrative agencies’ interpretation of their statutory powers, and the court decided that this deference extends to interpretations of their own jurisdiction. It’s all very meta, but it turns out that it could be a very big deal indeed for one of those hot-button tech policy issues: net neutrality.
Scalia wrote the majority opinion, which is significant for reasons I will describe below. The opinion demonstrated a general skepticism of the telecom industry claims, and with classic Scalia snark, he couldn’t resist this footnote about the petitioners, “CTIA—The Wireless Association”:
This is not a typographical error. CTIA—The Wireless Association was the name of the petitioner. CTIA is presumably an (unpronounceable) acronym, but even the organization’s website does not say what it stands for. That secret, known only to wireless-service-provider insiders, we will not disclose here.
Ha. Ok, on to the merits of the case and why this matters for net neutrality.
Verizon v. FCC is a long-running case currently in DC Circuit court, arising out of Verizon’s challenge to the FCC’s “Open Internet Order.” It all started in 2010, but for a variety of reasons it has moved at a snail’s pace. They haven’t even scheduled oral arguments yet. On one side, Verizon claims that the FCC does not have the authority to implement the non-discrimination rules contained in the order, and that they as a company have a First Amendment right to discriminate. On the other side, the FCC has asserted a patchwork of statutory theories for why they can enforce the order. The Commission also claims that the free speech arguments by Verizon are bogus because the company is merely a carrier of speech and, if anything, the free speech obligations should counsel in favor of non-discrimination.
These arguments are largely untested ground for both sides. Although Verizon’s free speech argument may seem rather dubious, it might nevertheless turn out to be a legal winner in light of cases like Citizens United. The FCC’s “carrier of speech” argument fits a common-sense notion of what telecommunications companies do. Unfortunately for the Commission, it has already chosen to “deregulate” internet communications by stating that they are not “common carriers” — that is, entities that are traditionally obliged to deliver communications without discrimination. Instead, they articulated the patchwork of other statutory theories — the so-called “ancillary jurisdiction” approach.
As others have observed, the decision in Arlington gives the FCC a much better shot at winning the ancillary jurisdiction argument in the Verizon case. Tim Lee thinks that on balance this is a bad thing for public policy, because it contributes to regulatory jurisdiction creep. I can appreciate his position.
Let’s assume for a moment that the FCC loses the Verizon case in the DC Circuit. If the Supreme Court hears the case, it would be quite entertaining indeed. That’s because Scalia has some strong views on how broadband should be classified and what jurisdiction the FCC should have. This takes us back to a case in 2005, NCTA v. Brand X. In that case, a company named Brand X Internet Services claimed that cable-based broadband internet service was indeed a “common carrier” service. The FCC was at the time proceeding with its novel approach to “deregulating” broadband internet by stating that it was not a common carrier but instead subject to ancillary jurisdiction. The logical and legal acrobatics of this approach were quite impressive. The Supreme Court, in a 6-to-3 vote, applied Chevron deference to the FCC’s interpretation of the statute, and let it stand. Scalia dissented vociferously. He simply didn’t think that the statute was ambiguous. Broadband internet was a common carrier service, rather than some new “information service” under the FCC’s “deregulated” scheme (see his extended pizzeria metaphor). He also noted that the Court’s decision (and the other dissenting opinions) would permit the FCC to change its mind and reclassify broadband as a common carrier under the Chevron doctrine. As he said:
“In other words, what the Commission hath given, the Commission may well take away–unless it doesn’t.”
The FCC actually considered relying on this so-called “Title II” reclassification approach initially, but rejected it at the time because it was too politically sensitive (telcos/cablecos have friends in Congress). So, even if Verizon wins the case at the DC Circuit, and even if the Supreme Court does not reverse the DC Circuit, the FCC could take the significant (and, to Scalia, logical) approach of common-carrier classification.
Arlington supports this approach, and the FCC filed a letter with the court yesterday noting this fact. Verizon, for what it’s worth, filed a letter citing a recent DC Circuit opinion upholding the free speech rights of corporate conveyors of speech against control by others.
For Verizon, there is no going back now. They have staked out their position and will defend it to the hilt. Many other broadband internet providers (including the cable companies) decided not to take part in this battle. MetroPCS, the other appellant, pulled out last week. Intervenor “CTIA—The Wireless Association”, represented by Jonathan Nuechterlein of WilmerHale, pulled out last summer. I, for one, am looking forward to oral arguments.
http://www.circleid.com/posts/20130524_w
Do you know of a person or organization who has made a great contribution to the Internet community? If so, have you considered nominating that person or organization for the 2013 Jonathan B. Postel Service Award? The nomination deadline of May 31 is fast approaching! From the description of the award:
Each year, the Internet Society awards the Jonathan B. Postel Service Award. This award is presented to an individual or an organization that has made outstanding contributions in service to the data communications community. The award includes a presentation crystal and a prize of US$20,000.
The award is focused on sustained and substantial technical contributions, service to the community, and leadership. The committee places particular emphasis on candidates who have supported and enabled others in addition to their own specific actions.
The award includes a $20,000 USD prize and will be presented at the 87th meeting of the Internet Engineering Task Force (IETF) in Berlin, Germany, in July. Anyone can nominate a person or organization for consideration.
To understand more about the award, you can view the list of past Postel Service Award recipients and also read more about Jon Postel and his many contributions to the Internet.
Full disclosure: I am employed by the Internet Society but have nothing whatsoever to do with this award. I am posting this here on CircleID purely because I figure that people within the CircleID community of readers are highly likely to know of candidates who should be considered for the award.
Written by Dan York, Author and Speaker on Internet technologies
http://www.economist.com/blogs/babbage/2
A CYNIC might dismiss the "quantified self" movement, whose adherents use an array of gizmos to record all aspects of their physical existence, as gimmicky navel-gazing by geeky workout nuts, eager to gamify ever bigger chunks of life. That, as Babbage has recently come to realise, is unfair. Better information about your actual exertions makes for more informed decisions. This is as true of exercise as it is of personal spending, say. Little wonder that, as monitoring devices become smaller, cheaper and better integrated with smartphones, more people are embracing their quantified selves.

For your correspondent, the conversion began a year and a half ago, when he moved his office from rented space into his basement, purchased an adjustable standing desk and, shortly afterwards, a flat treadmill designed to work at low speeds underneath the desk while displaying miles walked. He has become, in other words, a walking worker of the sort described by Susan Orlean in a recent New Yorker story. (Standing turned out easy—and a nice change; learning to type and focus on two computer screens while trundling proved a bigger challenge.)
To keep himself motivated, Babbage recently purchased a self-tracker made by Fitbit, a Californian company. Fitbit's devices (similarly to the Nike Fuelband, the Jawbone UP and others) use an accelerometer to track steps. Fancier models include an altimeter to capture ascending stairs and inclines. Smartphone apps pair with these devices, naturally. (Software developers have also created software that relies on the built-in GPS and other sensors in mobiles, with varying accuracy.) Most of the standalone trackers are designed as wristbands, others (like Babbage's Fitbit One) are smaller than a pack of gum and can be slipped into a clip or strapped around a wrist inside a pouch.
As the data streams from the sensors to smartphones or computers and on to the device-makers' central servers, the associated apps offer feedback and encouragement based on targets set or reached. The Fitbit app, for example, tells you that a few more steps will take you past the daily target, or give you a pat on the back for exceeding a goal or setting a new all-time high. Small targets, reminders, stretch goals and awards all help nudge you towards personal betterment.
The systems increasingly welcome data from other hardware and software. Wi-Fi scales, popular a few years ago, can be linked up to some systems. (Babbage added his to a new Fitbit account.) Smartphone apps like Runkeeper, which use GPS to plot routes and measure distance and altitude changes, can be integrated, too. For a more detailed picture, you can enter food consumed and describe other activities that the devices are unable to capture.
Many of the gizmos link directly to an online social network, inviting you to compete with friends. Babbage's long-shinned chum regularly racks up over 125,000 steps in a week. (Your correspondent managed briefly to pass him with about 95,000 after the rival had spent a day away from his own treadmill and another day in transit to Australia; the advantage did not last long.)
Goaded, envious or proud—perhaps all three—Babbage has walked about 40 miles each of the past two weeks, a fourfold improvement on pre-tracking times by his reckoning. He has also shed a few pounds and, by slipping the Fitbit inside its wrist strap overnight, has learned how well, or poorly, he sleeps. The system responds to fidgeting and can thus tell deep slumber from light, or from waking. Your correspondent sleeps deeply, it turns out. But the data make one thing clear: he ought to hit the sack a bit earlier.
http://www.schneier.com/blog/archives/20
The research in G. Giguère and B.C. Love, "Limits in decision making arise from limits in memory retrieval," Proceedings of the National Academy of Sciences v. 19 (2013) has applications in training airport baggage screeners.
Abstract: Some decisions, such as predicting the winner of a baseball game, are challenging in part because outcomes are probabilistic. When making such decisions, one view is that humans stochastically and selectively retrieve a small set of relevant memories that provides evidence for competing options. We show that optimal performance at test is impossible when retrieving information in this fashion, no matter how extensive training is, because limited retrieval introduces noise into the decision process that cannot be overcome. One implication is that people should be more accurate in predicting future events when trained on idealized rather than on the actual distributions of items. In other words, we predict the best way to convey information to people is to present it in a distorted, idealized form. Idealization of training distributions is predicted to reduce the harmful noise induced by immutable bottlenecks in people’s memory retrieval processes. In contrast, machine learning systems that selectively weight (i.e., retrieve) all training examples at test should not benefit from idealization. These conjectures are strongly supported by several studies and supporting analyses. Unlike machine systems, people’s test performance on a target distribution is higher when they are trained on an idealized version of the distribution rather than on the actual target distribution. Optimal machine classifiers modified to selectively and stochastically sample from memory match the pattern of human performance. These results suggest firm limits on human rationality and have broad implications for how to train humans tasked with important classification decisions, such as radiologists, baggage screeners, intelligence analysts, and gamblers.
http://www.f-secure.com/weblog/archives/0
On 24/05/13 At 12:40 PM
http://www.economist.com/blogs/johnson/2
Inspired by a popular guide to Understanding the British, I've put together a few entries in a Foreigners' Guide to Understanding Brazilians. Portuguese speakers and Brazilianists are invited to add more in the comments. Hat tip to Brazil-based journalists Andrew Downie and Dom Phillips, who contributed items, and Olivier Teboul, a Frenchman living in Belo Horizonte whose list of "Brazilian curiosities" (in Portuguese) has generated a huge response from amused, and sometimes bemused, locals.
What Brazilians say: Yes (Sim)
What foreigners hear: Yes
What Brazilians mean: Anything from yes through perhaps to no
What Brazilians say: Perhaps (Talvez)
What foreigners hear: Perhaps
What Brazilians mean: No
What Brazilians say: No (Não)
What foreigners hear (on the very rare occasion a Brazilian says it): No
What Brazilians mean: Absolutely never, not in a million years, this is the craziest thing I've ever been asked
What Brazilians say: I'm nearly there (Tô chegando)
What foreigners hear: He's nearly here
What Brazilians mean: I've set out
What Brazilians say: I'll be there in ten minutes (Vou chegar em dez minutinhos)
What foreigners hear: He'll be here soon
What Brazilians mean: Some time in the next half-hour I'll get up off the sofa and start looking for my car keys
What Brazilians say: I'll show up later (Vou aparecer mais tarde)
What foreigners hear: He'll be here later
What Brazilians mean: I won't be coming
What Brazilians say: Let's stay in touch, ok? (A gente se vê, vamos combinar, ta?)
What foreigners hear: He'd like to stay in touch (though, puzzlingly, we don't seem to have swapped contact details)
What Brazilians mean: No more than a Briton means by: "Nice weather, isn't it?"
What Brazilians say: I'm going to tell you something/ Let me tell you something/ It's the following/ Just look and you'll see (Vou te falar uma coisa/ Deixa te falar uma coisa/ É o seguinte/ Olha só pra você ver)
What foreigners hear (especially after many repetitions): He thinks I'm totally inattentive or perhaps mentally deficient
What Brazilians mean: Ahem (it's just a verbal throat-clear)
What Brazilians say: A hug! A kiss! (Um abraço! Um beijo!)
What foreigners hear: I've clearly made quite an impression—we've just met but he/she really likes me!
What Brazilians mean: Take care, cheers, bye
What Brazilians say: You speak Portuguese really, really well! (Você fala português super-bem!)
What foreigners hear: How great! My grammar and accent must be coming on a lot better than I thought
What Brazilians mean: How great! A foreigner is trying to learn Portuguese! Admittedly, the grammar and accent are so awful I can barely understand a word... but anyway! A foreigner is trying to learn Portuguese!
http://www.schneier.com/blog/archives/20
Interesting report from the Pew Internet and American Life Project:
Teens are sharing more information about themselves on their social media profiles than they did when we last surveyed in 2006:
- 91% post a photo of themselves, up from 79% in 2006.
- 71% post their school name, up from 49%.
- 71% post the city or town where they live, up from 61%.
- 53% post their email address, up from 29%.
- 20% post their cell phone number, up from 2%.
60% of teen Facebook users set their Facebook profiles to private (friends only), and most report high levels of confidence in their ability to manage their settings.
danah boyd points out something interesting in the data:
My favorite finding of Pew's is that 58% of teens cloak their messages either through inside jokes or other obscure references, with more older teens (62%) engaging in this practice than younger teens (46%)....While adults are often anxious about shared data that might be used by government agencies, advertisers, or evil older men, teens are much more attentive to those who hold immediate power over them -- parents, teachers, college admissions officers, army recruiters, etc. To adults, services like Facebook may seem "private" because you can use privacy tools, but they don't feel that way to youth who feel like their privacy is invaded on a daily basis. (This, btw, is part of why teens feel like Twitter is more intimate than Facebook. And why you see data like Pew's that show that teens on Facebook have, on average, 300 friends while, on Twitter, they have 79 friends.) Most teens aren't worried about strangers; they're worried about getting in trouble.
Over the last few years, I've watched as teens have given up on controlling access to content. It's too hard, too frustrating, and technology simply can't fix the power issues. Instead, what they've been doing is focusing on controlling access to meaning. A comment might look like it means one thing, when in fact it means something quite different. By cloaking their accessible content, teens reclaim power over those who they know who are surveilling them. This practice is still only really emerging en masse, so I was delighted that Pew could put numbers to it. I should note that, as Instagram grows, I'm seeing more and more of this. A picture of a donut may not be about a donut. While adults worry about how teens' demographic data might be used, teens are becoming much more savvy at finding ways to encode their content and achieve privacy in public.