Ben Laurie blathering

27 Feb 2006

Stefan Brands Podcast

Filed under: Identity Management — Ben @ 13:08

Aldo Castañeda interviews Stefan Brands about digital identity. Informative.

Act Your Avatar

Filed under: Brain Function — Ben @ 11:47

New Scientist, 25th Feb 2006, reports a study by Yee and Bailenson of Stanford University – what they did was get students to negotiate, in VR, with experimenters. If their avatar was taller, then they behaved more aggressively. If it was better-looking, they stood closer – the ugly ones averaged a metre further away.


24 Feb 2006

eBay Scams

Filed under: If You Really Loved Me,Security — Ben @ 13:41

I want an X41 Tablet (if you really loved me, you’d give me one). I bought my wife an X40 last year and got a great price on eBay. So, naturally, I’ve been looking there again.

The prices aren’t so great this time around, but what I am finding is a rather interesting trend. Yesterday there were lots of 1-day auctions for X41s. The sellers had good feedback, but if you investigated you’d find that all of a sudden they were selling a metric fuckload of stuff, all posted at the same time, all 1-day, all relatively expensive stuff (like TVs and computers) – and all not at all like what they usually sell.

Today I’m seeing 10-day auctions, but instead of huge diversity, they’re all laptops. I can’t figure out the 10 day thing, unless they’re after direct email contact (a feature of all of these things is they say “contact me by email”, surprise, surprise).

Anyway, I’m curious – does this go on all the time and I haven’t noticed, or is this a new attack?

(In case it isn’t obvious, I’m assuming the real eBayers have been owned, and this is an attempt by the attacker to make money)

20 Feb 2006

Paypal Weirdness

Filed under: Rants,Security — Ben @ 16:58

Today Paypal won’t let me log in. Because I’ve forgotten my password. Now, I’m damn sure I haven’t but after several attempts I give up and go through the “forgotten password” procedure. One of the features of this procedure is that you must change your password – re-using the existing one is not allowed. Naturally, I can’t set the password I want because it’s the same as the existing one, thus proving I have not forgotten it.


And this is not the first time it’s done this to me.

Terminology for Identity Management

Filed under: Anonymity/Privacy,Identity Management — Ben @ 12:17

One of the seemingly endless debates in identity management is exactly what everything is called. Today an update to “Anonymity, Unlinkability, Unobservability, Pseudonymity, and Identity Management – A Consolidated Proposal for Terminology” reminded me that people who think about anonymity have been trying to thrash this out for a long time. This document has been evolving for more than 5 years, and I rather like it. Here’s an example:

An identity is any subset of attributes of an individual which identifies this individual within any set of individuals. So usually there is no such thing as “the identity”, but several of them.

Not only does it have well thought out definitions, it also translates them into several languages, currently Czech, French, German, Greek and Italian. What, no Spanish?

19 Feb 2006

Distributed Hash Tables Revisited

Filed under: Anonymity/Privacy,Distributed stuff — Ben @ 22:47

I said it probably wasn’t original, and I was right. Beehive from Cornell is a concrete implementation of something very like the technique I described. It’s been used for various interesting projects, including P2P DNS, something that’s made possible, or even plausible, by DNSSEC.

The cool thing about using P2P for DNS is that it’s DoS resistant. And, apparently, you can get acceptable response speeds out of a P2P system.

I’d like to see more experimentation with P2P for infrastructure. It’s certainly one way to improve the preservation of our privacy.

Sleepycat Revisited

Filed under: Open Source — Ben @ 14:38

I hadn’t noticed that Sleepycat’s “open source” license applies to “any accompanying software that uses the DB software”. This is not open in any sense I recognise, and so perhaps Oracle will actually maintain it, since no doubt the most revenue comes from people wanting to use BDB as part of a closed source product – and they’ll have to pay for a commercial license for that.

So, don’t hold your breath for the fork. I certainly wouldn’t be all that likely to work on it with a license like that.

16 Feb 2006

Astonishing Bullshit from the British Video Association

Filed under: Digital Rights,Rants — Ben @ 12:53

I have no idea who the British Video Association are, but the BBC think they are good people to answer questions about DRM, errr, I mean “movies in the digital age”. Their answers are worth a read, if you like a good laugh. Here’s a few selected gems.

Q4. Why do the movie companies still insist on region encoding their DVD offerings?

Lavinia Carey: “…regional coding is still the way the British classification system is implemented to protect children from unsuitable material…”

Yeah, right. You can’t even buy a region-locked DVD player in the UK, as far as I know. Certainly I can’t even remember the last time I saw one. If they are region-locked, do they (somehow?) enforce certificates or is this complete nonsense? I’m genuinely curious.

Q1. Can you envisage a time when there is almost simultaneous release of product in the cinema, through rental outlets, in the high street and online, leaving the customer to choose his preferred way of viewing?

Dan Glickman, MPAA: Maybe.

Lavinia Carey, BVA: Yes.

John Fithian, NATO (I couldn’t resist, but actually it’s the National Association of Theatre Owners): No.

Gotta work on that messaging, dudes.

Q7. What’s the point of DRM?

Dan Glickman, MPAA: “Without the use of DRMs, honest consumers would have no guidelines and might eventually come to totally disregard copyright and therefore become a pirate”

Right, because honest consumers are incapable of reading and have no sources of information other than that graciously provided by the entertainment industry. I do hope they’re going to figure out how to apply this technology to other laws, or we’ll all become murderers, terrorists and child pornographers. We’ll know no better.

Curt Marvis, CinemaNow: “As far as I know, no CinemaNow movies have appeared on P2P networks … so I would say that DRM is actually working”

I did try to check on this unlikely assertion, but their website is “down for maintenance”. Rocking. I suspect, however, that we can conclude that Curt doesn’t know much.

Here’s my favourite, though:

Q8. Was the video recorder damaging? At the time of its release, it was declared to be the death toll for the movie industry. Would you say that declaration was accurate?

Dan Glickman: No.

Lavinia Carey: No.

John Fithian: No.

OK, so we’re all on-message here, it seems. What a shame they didn’t follow this up with the obvious question. But I can predict the response:

Q9. Given that the VCR actually turned out to be beneficial despite the lack of protection against illegal copying, wouldn’t you agree that DRM is a pointless burden on users?

DG: “I’m not listening”

LC: “La la la la la”

JF: “What’s that over there? Look!”

Oracle and Sleepycat

Filed under: Open Source — Ben @ 12:16

As everyone knows, Oracle bought Sleepycat. I was a little surprised by Sleepycat taking expo space at ApacheCon – now all is explained.

But the interesting question for me is this: will Oracle close BDB or just drop it? Because I find it impossible to believe that Oracle’s business model includes “give away high quality embeddable database software for free”.

In either case there will be a fork, of course – and luckily BDB has a license that is pretty good for forking: it is essentially BSD with a clause added requiring that source is made available if redistributed. Unlike the GPL it isn’t viral – but unfortunately the source requirement makes it incompatible with the Apache License. Somehow I can’t quite see Oracle fixing that!

I wonder how long before the fork happens?

12 Feb 2006

Distributed Hash Tables and the Long Tail

Filed under: Distributed stuff — Ben @ 18:04

I spent some time with my friend Ben Hyde recently, and we got talking about distributed hash tables, and his favourite topic, power law distributions. Apparently if you are part of, say, a file-sharing network, and you happen to be the node that has the hash for some fantastically popular file, then you suffer a lot of pain: everyone requesting that file has to talk to you to find out where to get it from and this kills your ‘net connection.

So, I had this idea, which was probably not original, but since Ben thought it might work and the blogosphere is the new peer-reviewed journal, here it is.

At each node that is “responsible” for a hash, measure the traffic to that hash (i.e. number of requests). Take the log of the traffic and combine it with the hash, giving a new hash. Then the nodes that serve that hash should be determined by the new hash. The higher the log of the traffic, the more nodes should serve it. When participating nodes detect that the traffic has changed sufficiently, they should (obviously) hand off to the resulting new hash.

To search for a hash in this scheme, clients should start with the highest possible traffic and pick a random node (or two or three) to query that would serve the hash at that traffic level. If this fails, decrease the log and try again.

This should (at the cost of more global load) reduce local load.

It adds some complication, of course, and probably increases the chances of a false negative.
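A small simulation of the scheme described in this post, added here as an illustration (it is not code from the original post or from Beehive). The ring placement by SHA-256, the choice of 2**level replicas per traffic level, the cap `MAX_LEVEL` and all class and function names are assumptions made for the example.

```python
import hashlib, math, random
from bisect import bisect_left
from collections import Counter

MAX_LEVEL = 6  # assumed cap on log2(traffic); clients start searching here

def h(*parts):
    """Combine the parts (e.g. hash, traffic level, replica index) into a new hash."""
    data = "|".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")

class Ring:
    def __init__(self, n_nodes):
        self.points = sorted((h("node", i), i) for i in range(n_nodes))
        self.store = {i: set() for i in range(n_nodes)}  # node -> {(key, level)}
        self.load = Counter()                            # queries seen per node

    def owner(self, point):
        # First node clockwise from the point, wrapping around the ring.
        idx = bisect_left(self.points, (point, -1)) % len(self.points)
        return self.points[idx][1]

    def replicas(self, key, level):
        # Assumption: 2**level serving nodes, each placed by hashing (key, level, i).
        return [self.owner(h(key, level, i)) for i in range(2 ** level)]

    def publish(self, key, requests_per_interval):
        level = min(MAX_LEVEL, int(math.log2(max(1, requests_per_interval))))
        for node in self.replicas(key, level):
            self.store[node].add((key, level))
        return level

    def lookup(self, key, rng):
        # Start at the highest traffic level, ask one random node, then step down.
        for level in range(MAX_LEVEL, -1, -1):
            node = rng.choice(self.replicas(key, level))
            self.load[node] += 1
            if (key, level) in self.store[node]:
                return node, MAX_LEVEL - level + 1       # (node, queries used)
        return None, MAX_LEVEL + 1

def simulate(traffic, lookups=2000, n_nodes=200, seed=1):
    """Publish one key at the level implied by `traffic`, then run lookups."""
    ring, rng = Ring(n_nodes), random.Random(seed)
    level = ring.publish("popular-file", traffic)
    hits = sum(ring.lookup("popular-file", rng)[0] is not None for _ in range(lookups))
    return level, hits, max(ring.load.values())
```

Comparing `simulate(1)` with `simulate(64)` shows the trade-off the post mentions: at level 0 every lookup costs seven queries and ends at a single node, while at level 6 a lookup succeeds on the first query and the load is spread over the replicas.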

3 Feb 2006

Abuse Resistant Publishing

Filed under: Anonymity/Privacy,Crypto — Ben @ 14:38

George Danezis and I wrote a paper describing a technique for private, yet abuse-resistant, publishing. Here’s the abstract:

We present the problem of abusive, off-topic or repetitive postings on open publishing websites, and the difficulties associated with filtering them out. We propose a scheme that extracts enough information to allow for filtering, based on users being embedded in a social network. Our system maintains the privacy of the poster, and does not require full identification to work well. We present a concrete realization using constructions based on discrete logarithms, and a sketch of how our scheme could be implemented in a centralized fashion.

In the good old days we’d have tried to get this published somewhere peer-reviewed, but the blogosphere is the new peer-reviewed journal, right?

1 Feb 2006

Boston and San Francisco

Filed under: Where I'm At — Ben @ 14:33

I’ll be in Boston from Tuesday the 7th Feb to Friday the 10th, for an “identity summit” at the Berkman Center for Internet and Society, then in San Francisco for Codecon, until Monday the 13th.

I really must travel less.
