Ben Laurie blathering

25 Jun 2006

ApacheCon and PET

Filed under: Where I'm At — Ben @ 12:52

I’m at ApacheCon in Dublin for Monday and Tuesday, followed by PET in Cambridge for the rest of the week.

Why Johnny Can’t Authenticate

Filed under: Crypto,Identity Management,Security — Ben @ 11:17

Lately I’ve been thinking a fair amount about authentication, both because of identity management and the related problem of phishing. Eric Rescorla has written a really good taxonomy of web authentication functionality, which I recommend reading.

But this is only half the problem, and in many ways it is the easy half. So long as people (or their computers) can be fooled into giving away their personal information, no amount of cunningness at the protocol level is going to help.

I often hear it argued that using something better than passwords will fix the problem, for example, public/private key pairs. There’s actually two fundamental reasons why this ain’t so…

  • So long as its possible for users to recover from losing their keys (or passwords, or whatever it is they use to authenticate) in a way that can be imitated by phishers, they will not be helped by these protocols. Phishers currently concentrate on getting people’s passwords simply because that’s the low-hanging fruit. Pluck that fruit and they’ll move on to recovery (which obviously cannot use anything the user can’t hold in their head).
  • Computers aren’t secure and users can’t be trusted to make good decisions about what to run. Start using public/private key pairs and they’ll be stolen by viruses and worms instead of fake websites and spam. Indeed, trojans that log keys in order to steal passwords already exist.

(The title of this post, in case it ain’t obvious, is stolen from Alma Whitten, who I work with at Google.)

21 Jun 2006

Wendy Seltzer Kicks MPAA Arse

Filed under: Digital Rights,Rants — Ben @ 16:46

My friend Wendy Seltzer recently debated Fritz Attaway of the MPAA on DRM. She argues very coherently against DRM, perhaps best summarised by this quote

Along with the broader doctrine of noninfringing use, fair use also leaves room for unanticipated uses — the “time-shifting” of the VCR, the “pause” button on a TiVo video recorder, the “time-stretch” function of my home-built MythTV. None of those innovators needed to ask permission before offering their products. Under DMCA and proposed legislation, they would need to ask before working with DVDs, digital television, or digital radio broadcasts.

Fritz, on the other hand, demonstrates that he totally doesn’t get it

…the DMCA has been an incredible stimulus to both technology and marketing innovation. Just look at some of the new viewing opportunities that have become available to consumers in the past few months:

• Warner Brothers partners with Free Record Shop using P2P distribution

• Disney offers feature length film on iTunes

• CBS delivers college basketball “March Madness” online

• ABC offers free downloads at

• Google Video beta launched — essentially going with a wholesale reseller model — creating an iTunes-like store.

I might buy marketing innovation (though even that’s a stretch – ooo, innovative, sell stuff online, wow!), but technology? What’s technologically innovative in any of these things?

20 Jun 2006

The Shape of Things to Come

Filed under: Anonymity/Privacy,Civil Liberties,Security — Ben @ 9:24

The Times has an article about Operation Ore, a huge child porn investigation which turns out to be based on lies. This investigation has led to thousands of arrests and dozens of suicides, at least one of whom was innocent.

Just think how much more efficiently the justice system will be able to abuse innocent people if we continue to permit the erosion of our privacy that is so popular with politicians at the moment.

14 Jun 2006


Filed under: Open Source — Ben @ 19:51

My friends David Reid and Rich Bowen have started Feathercast, a podcast about Apache.

I’m interview #3. As always, I can’t quite bring myself to listen to it, but I’m told its OK.

9 Jun 2006

More Chip & PIN Insecurity

Filed under: Security — Ben @ 12:21

The Daily Mail has an article about how easy it is to clone Chip & PIN cards.

The £1.1billion switch to chip and pin – the biggest change on the high street since decimalisation in 1971 – was billed as the answer to Britain’s card fraud crisis.

But last month, at a secret meeting, card experts showed the big bank’s security experts just how easy it is to clone the new cards.

What a surprise.

7 Jun 2006

DRM Is A Crime!

Filed under: Digital Rights,Security — Ben @ 10:24

One of the first things I did for the Open Rights Group was to help write evidence on DRM for the All Party Internet Group (APIG). APIG released their report yesterday. Although I think it doesn’t go far enough, it certainly has taken into account many of the concerns that we, and others, have raised.

I particularly like this bullet point from their summary:

A recommendation that OFCOM publish guidance to make it clear that companies distributing Technical Protection Measures systems in the UK would, if they have features such as those in Sony-BMG’s MediaMax and XCP systems, run a significant risk of being prosecuted for criminal actions.

6 Jun 2006

Just a Touch of Criminal Behaviour

Filed under: Security — Ben @ 12:10

Oracle’s CSO, Mary Ann Davidson, said

… that the British are particularly good at hacking as they have “the perfect temperament to be hackers–technically skilled, slightly disrespectful of authority, and just a touch of criminal behavior.”

I love that. Somebody needs to make a t-shirt.

5 Jun 2006

A Trivial DRM Example

Filed under: Digital Rights — Ben @ 18:51

Andrew Hearst writes about oddities with the clock in 24. It occurred to me that if the DRM loonies had their way, he would have had a much harder time illustrating his story with graphics like:

Annotated Clock.

Instead of being able to frame-grab them, he’d have had to have drawn them himself. This is clearly silly, and entirely negates the advantages of using computers to handle media.

4 Jun 2006

Computing Want Big Brother

Sarah Arnott writes

Computing has argued consistently that a government-centred, crime-focused who-goes-there scheme would be to miss an opportunity so gargantuan as to make the Millennium Dome look like Disney World. That view remains.

The government has a choice. It can spend vast sums on a public sector ID card scheme that promises little beyond a civil liberties row, an extremely nebulous impression of improved security, and a large white elephant joining the troupe at the media circus.

Or it can pursue a broader concept with infinitely broader benefits: a government-endorsed identity management scheme, for use by everyone – citizens, businesses and government.

The anonymity of cyberspace is holding back the internet’s revolutionary potential. Imagine a world with a guaranteed electronic identification. No more passwords to forget, no more phishing, no more grooming in chatrooms. And what about online payment methods, personalised content, computing on demand?

Seems to me she missed a bit

no more privacy, no more whistleblowers. And what about the rise of the police state?

Back in London

Filed under: Where I'm At — Ben @ 16:18

Finally back from Mountain View.

Buy me beer!

Powered by WordPress