Category Archives: Technology

Remembering the Old Ways

Or: Making sure you know what to do if technology fails.

The Daily Telegraph in London has a very interesting story today about how the US Navy is reinstituting celestial navigation as part of its training for recruits: http://www.telegraph.co.uk/news/worldnews/northamerica/usa/11931403/US-navy-returns-to-celestial-navigation-amid-fears-of-computer-hack.html.

The reason for this is simple and sound: they want to make sure that if computer-based navigation is crippled or compromised, navigators can still navigate.

In my mind this is a brilliant piece of realistic forethought. The fact is that we have become so reliant on the Internet and apps, and have been for long enough now, that people are growing up without some of the critical skills they would need if those went away.

Just two years ago we read about how many people under 25 can’t read maps.

Like many security people, my favorite SciFi TV show is Battlestar Galactica because it outlines a very realistic scenario that can come about with too much networking and technological reliance and too little backup and offline capability.

It’s good to see the US Navy watched the series and got the memo.

Comments on the Stratos Digital Wallet Card

I got to talk with KIRO Radio here in Seattle recently about some of the risks with new, untested digital wallet cards like the new offering from Stratos. Plus, my comments on how cash may make a comeback.

http://mynorthwest.com/11/2723041/Digital-payment-is-waiting-in-line-for-when-credit-cards-die

Why Books, CDs, and DVDs are STILL Better

I get some grief from some friends about why I still prefer books and DVDs to subscription and streaming services.

In my inbox I got another reminder why this is the case.

I bought a movie through Target’s streaming service a couple of years ago, to try them out. And now I have a notification that they’re canceling the service.

They’re semi-helpfully providing the option of migrating your purchases to another service when they’re available. But it’s not guaranteed that they’ll have what you bought. In which case, you’ll get a credit (for the full amount you paid, I wonder?).

This highlights why I like books over e-books in particular. E-anything can go away for good. And unless you have your own copy (as I do with my digital music library), you’re at the mercy of someone else who may, or may not, be there tomorrow.

It’s why I have my own copies of all my digital pictures too.

This relates to security and privacy because this is really about trust and control of your information. And being a good security person, I have low levels of trust.

Vint Cerf recently highlighted another very real concern with e-everything: the real possibility of a dark age where all information and knowledge is lost in one fell swoop. Likely? Not necessarily. But not impossible. And security is always about thinking in worst case scenarios.

Someone put out what amounts to a handbook on how to rebuild civilization recently: The Knowledge: How to Rebuild Our World from Scratch. Ironically, though, there’s a Kindle version of the book, which would seem to totally defeat the purpose.

Ten Years After Bill Gates’ Trustworthy Computing Memo

Ten years ago yesterday, Bill Gates sent out his Trustworthy Computing memo that marked a significant change in the culture at Microsoft and put security, privacy and reliability at the center of the company as ideals.

I was at Microsoft as part of the Microsoft Security Response Center when that came out. And until I left Microsoft in December 2010, I was involved in security and privacy. So I have a former insider’s long-term view of what that was all like.

As my former colleagues are marking the occasion I’m sharing my own thoughts on what it meant then and what it means for the future.

Here are my comments in Robert X. Cringely’s article “PC security: We’ve come a long way, baby”. And a longer write-up by me over at Betanews: “10 years after Bill Gates’ Trustworthy Computing memo: What it meant for Microsoft and why every tech company needs one”.

It was something to be a part of, but the world is different today. Part of my take on it is how this is still relevant in this different world.

Tellme Siri it ain’t so: the do-it-yourself Pepsi Challenge

Some of the tech press are writing about Jason Cartwright of TechAU’s YouTube video, in which he does a side-by-side test of the voice recognition features in Windows Phone 7 (Tellme) and the iPhone 4S (Siri).

Anthony James over at TechFlash today notes that some folks are saying the test may not be a fair one, while the folks at geek.com write that the test is fair and fault Microsoft’s Craig Mundie for setting himself up.

Regardless of whether you think the test is fair or not, there is an important lesson here around social media and competitive claims that anyone who’s a public face or counsels them needs to be mindful of. With things like YouTube now, it’s quite easy for third parties to go ahead and conduct their own trials of your claims on video and post them for all to see. Basically, anyone can do their own “Pepsi Challenge” now.

The upshot of this is that you don’t want to make competitive claims unless you’re sure you can win. The better move is to steer clear of these sorts of claims, since someone can always rig the competition against you.

Hacking the Press: What the bogus “IE users are dumb” story tells us

It is a rare thing to have my background in online security and dealing with “hackers” and my work in PR and communications come together outside of online security and privacy incidents.

But the “Are Internet Explorer (IE) users dumb” story that broke late last week really brings those two worlds together in very interesting, and enlightening ways.

To recap, late last week we saw a spike in stories claiming that a Canadian company had done research that they believed showed a correlation between IE usage and lower IQ scores. They wrote about it on their blog and managed to get broad, mainstream press pickup pretty quickly. This CNN story is a good example of the coverage we saw.

I’m not surprised at how broadly the story went. It had a nice mixture of scientific authority and average-reader comprehensibility, and it tapped into a pervasive, latent anti-Microsoft sentiment (I should know about that; I dealt with it when working there).

We have found out now that the “study” that formed the lynchpin of this whole story was bogus. How do we know this? Well, the people that made the fake helpfully came clean and admitted it on their site. To add insult to injury for all those reporters who now have to explain why front page and “most viewed” stories on the CNN and BBC sites (among others) were bogus, the folks behind the fake “helpfully” detail eight reasons why people should have known this was a hoax.

This is hardly the first time people have gotten hoaxes into the news pipeline. But this is one of the more audacious examples I’ve seen. It’s also one of the more egregious failures on the part of the press to detect fraud. And the authors of this “study” listing eight reasons we should have known it was fake really raises the question of how something as fake as this could get out there so widely.

First, it looks to me like a variation of what an online security expert, Rob Rosenberger, termed “False Authority Syndrome” back in 1997. That is when someone gives an “expert” a degree of authority that they shouldn’t be entitled to. In the case of this issue, the people creating the fake made it plausible enough to seem like they had the authority that they claimed. They borrowed text from legitimate websites, and gave the site enough depth that it looked like it had been up for a while (you could only figure out it was new if you dug into the internet registration records).

Next, the challenges around time pressures in the press arena really come into play. Reporters often don’t have the time to contact other known, credible sources when they’re dealing with an unknown “expert”. In the case of this story, the time element was exacerbated by the natural sensationalism of the piece, the clear simplicity of the message and the catchiness of the narrative. Any reporter or editor worth his or her salt could see this was a story that would get a lot of immediate pickup. And in the age of “viral” sharing, if you don’t get your story out first, your competition will. That makes it even harder to take the time to get it right and do deep and thorough checking. In an era of easy updating with corrections, it’s often OK to just go with what you’ve got now to land the eyeballs, and worry about tidying up any errors later.

Another piece of this, which the authors may or may not be aware of, is that they posted later in the week, when we start to see major news cycles wrapping up in a way that opens up space for late-in-the-week new stories. That the news in the US had been inundated with debt ceiling stories all week also created a pent-up demand for something, anything, different. And with the heavy diet of debt ceiling stories that week, a lighter, snarky story like this was a welcome counterbalance for readers.

A final piece of why this happened is perhaps the most maddening of all. It happened just ’cos. I say you can only assess part of the factors that make a story interesting. There’s always a host of unknown and unknowable factors that come together to set in motion a huge story (or fail to, and the story disappears without a trace). Everything from the time of day the post’s RSS entry hits, to which reporter is at his or her desk, to whether that reporter still has a story to file for that day: all of these and more play a role. Ultimately, I lump all of these unknowns under the title “luck” and accept the reality of that, frustrating though it is.

Taking all this and putting it together: why did this fake story succeed in getting bigger and broader coverage than most legitimate stories? Because it was a well-crafted hoax that told an interesting and amusing story, that successfully exploited weaknesses in the press “system” related to time pressures, and that ultimately got lucky.

Any of you with a background in online security will recognize that I’ve essentially outlined there a successful “hack”. They found vulnerabilities in a system (time pressures and susceptibility to catchy stories), built a good exploit (the hoax) and got lucky.

Unfortunately, those vulnerabilities aren’t going away anytime soon. Which means we may see more of these in the future.

[Updated to reflect that there were eight reasons why the hoax should have been caught and not five as I originally posted. Because, well, I can’t count.]