.Net demystified: What you must know
Privacy from Companies
3/20/2001; 8:52:06 AM

'Suppose, for a moment, that everything could talk to everything else. Your calendar could get information from and supply data to your documents, or your cell phone, or someone else's calendar and cell phone. Your computer's desktop could tell you that your dry cleaning is ready or your bank account is overdrawn....'

'To do this, Microsoft wants to know everything: the information in your user profile, address, and application settings; what devices you use; what's in all your documents; your favorite Web sites; where you are at any given moment; your credit card numbers and payment information; the contents of your personal calendar, contact list, and e-mail inbox; and probably a few things I've left out.'

The article discusses the possibility that somebody will hack this datastore because it's a tempting target. Do the basic analysis: "How hard is it to get into?" and "How tempting is the target?" Remember, security is never perfect, so this analysis is based on the idea that you need enough to make what's being protected not worth breaking the protection.

The answers aren't encouraging. "How hard is it to get into?" Not to bash Microsoft, but security has never been on their priority list. Granted, there are exploits for every system, but at least the BSDs care about security, and the Linux people do on some level as well. Microsoft does not really have a track record for caring. I'd guess security will be relatively easy to crack, at least at first. (Actually, this would be sort of fun. Maybe I should learn more and do some white-hat work for .Net. Then again, my plate's full as it is.) How good they can make it will be interesting to watch.

Also note that it's not just Microsoft's security that can be breached. Depending on the software being run against Microsoft's services, you might be able to crack that somehow. If enough people are using some third party solution, that third party solution could open holes, even if Microsoft does their job perfectly. It's an awfully large system, with an awful lot of ways into the primary datastore... surely one of those ways will end up being insecure.

"How tempting is the target?" Let me ask it another way. "Can you imagine a more tempting target?" I can... Microsoft's servers probably don't have your social security number... but that's about it! Credit cards, buying history (if you're going to commit credit card fraud, buying histories are a great help; you can try to fit into the pattern of spending on the card so nobody notices anything amiss), e-mail (which isn't always just saying hi to friends; think industrial spying), what more could you ask? With a target this tempting, .Net will be the target of every cracker worthy of the title. What are the odds Microsoft will stop every last one of them?

With a target this tempting, rock-solid security will be necessary, security to challenge the likes of the NSA and CIA. I for one definitely won't trust anything important to Microsoft.

I must admit I'm surprised at this centralization business. When you can buy a 40 GB hard drive for $100 and have it on site, with the extremely high bandwidth and great low latency that only a hard drive stuck in your actual computer can provide, why move the data off the desktop machine? It's great that you can, there's power and flexibility in this architecture, but there's nothing in the architecture that necessarily implies that the data has to be housed by a central repository. You should be able to set up a net-connected desktop as your data-store, and tell any .Net component to use it. Maybe you can and I just haven't heard about it. I sure hope so.

Human Justice for Human Beings
Essays
3/19/2001; 12:41:45 PM 'The 1950's science fiction authors were half-right. We will be enslaved to machines, but it won't be because they rose up and overthrew their creators. We will voluntarily enslave ourselves to the machines because it is cheaper in the short term.'

Glenn Fleishman on Gilmore and Censorship
Censorship
3/18/2001; 12:28:38 AM

Glenn Fleishman saves me the effort of writing that essay. Suffice it to say I agree wholeheartedly.

'Crying for a commercial contract violation is also ridiculous. Verio's not the government. They're not restricting your friggin' freedom of speech. They're preventing you from doing something that violates their commercial interests, as well, incidentally - just by the way - feeds into the ability of spammers worldwide to continue their hideous mission.'

Defeating E-mail bugs and Spyware on Windows
Protecting Yourself
3/17/2001; 7:28:09 PM

You can't quite eliminate spy-ware with these techniques, but you can make a massive dent in it.

About a year ago I found a product called Zone Alarm, which bills itself as a free personal computer firewall program. It's not quite what I'd call a firewall, though, in that it takes a decidedly non-traditional approach to the problem. Basically, it grants and denies permission to access the internet on a per-program basis, independently for home networks and the Internet. For instance, you can tell this program to allow your browser full access to the Internet, yet allow some internal corporate program access only to the local net. Or you can allow programs to go out to the net, but not accept connections (or vice versa).

Spam Laws, 107th Congress
Spam & E-Mail
3/17/2001; 6:50:55 PM Slashdot has an article today on yet another spam law proposed in Congress. Rather than make a news article out of that, I'd rather take this opportunity to point you at the Junk Email pages at the Center for Democracy and Technology.

Record Industry Plays Both Sides
Music & MP3
3/17/2001; 6:35:59 PM '...Record labels are poised to conquer cyberspace with their own streaming and downloading services.

'Ironically, only one thing stands in the way: copyright.

'Record companies aren't the only ones that hold copyright on music recordings. Music publishers, who represent lyricists and composers, do too -- owning the rights to the piece of music itself. For every copy a record company distributes, the publisher gets a small cut. That's how the people who write the songs get paid....'

Better Business Bureau tries to stop Web links
Free Speech
3/14/2001; 9:09:35 PM 'The Better Business Bureau is demanding that an Israeli company's Web site take down its link to the consumer protection organization.

'The demand raises new intellectual property questions about how companies protect their names and logos online. A trademark expert said that the group has little chance to enforce its demand in court....'

'Zialcita said the bureau allows links from the news media, government agencies, schools and bureau members. She said the organization also allows links to search engine sites because "we can't stop them."'

High-tech titans put the squeeze on privacy regs
Privacy from Companies
3/14/2001; 11:45:29 AM

'Aiming to halt the advance of dozens of privacy bills in Congress and in state legislatures across the country, the group Monday went public with four industry-funded studies asserting that privacy legislation would cost consumers billions of dollars annually.'

'Led by the Online Privacy Alliance in Washington, the loosely organized campaign is attacking legislative proposals on three fronts: identifying expensive regulatory burdens, raising questions about how any U.S. Internet law would apply to non-Internet industries, and assuring lawmakers that privacy is best guarded by new technology, not new laws.'

I won't simply claim these studies are fallacious (though the people conducting the study clearly said they had not considered all factors (specifically, the increase in spending due to increase in confidence, though who knows what else they left out?)), but I can't imagine taking them at face value. Aside from the fact that these studies were bought (why does anyone bother reporting on studies that reflect exactly what the people buying them wanted them to say? Only the opposite would be newsworthy), the results may still not mean anything.

Regulation is always expensive. Cars would be thousands of dollars cheaper without regulation. This is not speculation, this is an observation; I've seen a car being produced for China that can be made and sold for a few hundred dollars. It's made out of wood and canvas and has the cheapest imaginable engine in it. The windshield wipers are used by hand. In a crash at any significant speed, it would provide no protection whatsoever. You can even make a case that the majority of a car's price is due to regulation (though it depends a lot on how you draw the lines). So... should we deregulate cars just because it's expensive? No, because the benefits of safe cars outweigh the costs.

The argument that "Privacy is too expensive" assumes that there is some definition of "too" expensive. Simply tossing about billions of dollars in expenses (chump change, really) is not sufficient to prove "too-expensiveness", especially in a study that doesn't consider all the variables. The real question is, "Is privacy worth the cost?", and I personally would say yes (assuming there is a cost, which I do not necessarily concede). (Granted, privacy isn't as directly a life-or-death matter as car safety... nevertheless we are talking about real harm to people.)

Oh, and of course, to look at it another way, "If we aren't allowed to abuse our customers' sensibilities and privacy, then we may not be able to make as much money" is an extraordinarily greedy and childish argument.

Banner Ads Now Themselves Have Banner Ads
Humor/Amusing
3/13/2001; 11:28:50 AM '"The basic problem," says Marcos, "is that banner ads are expensive to run. Organizations like DoubleClick whose business is to provide the public with banner ads are hemorrhaging cash. It just can't be done by hobbyists anymore. That's why we're stepping in and providing commercial sponsorship for banner ads, in the form of banner ads."'

Copy This! Can 'Military' Technology Beat Digital Piracy?
Misc.
3/13/2001; 11:05:44 AM

'A small Austin start-up run by intelligence community alums is parachuting into the burgeoning, post-Napster, copy-protection market with a remarkably thin, invisible software product that claims to offer nearly invincible armor for music, video, film and e-books alike....'

'The InTether system consists of a packager, used by the originator of a file, and a receiver, used by the recipient. The packager enables a publisher, record label, movie studio -- or, for that matter, a law firm, doctor's office, bank or anyone else who wants information security -- to impose a set of restrictions on almost any digital file. InTether, Friedman says, works equally well with, for instance, Word, Adobe Acrobat, Lotus or Excel documents, e-books, music, video or photographic files....'