Ben Laurie blathering

31 Mar 2007

One Laptop Per Adult

Filed under: General — Ben @ 5:02

I recently attended the security summit for the XO laptop, and one of the things that concerned us was that the dogged insistence that only children, and only in the targeted countries, would get XO laptops is going to create a market for stolen laptops in wealthier countries.

So, I read with great pleasure that Quanta are planning to sell an XO-alike.

29 Mar 2007

Paypal Show How Not To Fight Phishing

Filed under: Crypto,Security — Ben @ 12:07

Apparently, Paypal want mail providers to block mail that is not signed by them, in order to fight phishing. This just makes me tired: why go to all the effort of getting people to sign up to this when it patently isn’t going to help?

So, why doesn’t it help? Because you clearly have to link the signatures to the purported origin of the email – there’s no other handle to bind the key to. But why would the scammer use a Paypal domain in their email? Obviously users don’t check with great care where their email comes from, or phishing wouldn’t be a problem in the first place. In fact, Paypal don’t even own (amazingly), so it’s not like it’s hard for phishers to find a plausible domain to send their mail from.

So, if Paypal succeed in this massive waste of time and energy, what will be the result? Yep, Paypal phishing will no longer have “” in the email address of the sender. I can hardly wait.

28 Mar 2007

CO2 and Global Warming Part II

Filed under: Climate — Ben @ 17:46

Somewhat to my surprise, I didn’t get my ass totally handed to me when I posted on this subject last. But there were a couple of things I should respond to. Firstly, Ti’ (hi, Ti’!) rightly takes me to task for poor phrasing

“Causal links are one way”, indeed! Ha! If my house burns down, I shall have that as my epitaph. Ben says there are no chain reactions!

What I was trying to say was that the ice core evidence supports the hypothesis that warming causes an increase in CO2, and it does not support the hypothesis that CO2 increase causes warming. That doesn’t mean that CO2 increase doesn’t cause warming, it just means that you can’t use ice cores to prove it.

So, on that note, Danny points me at an explanation of the ice core data, which appears to explain that I’m right. So, my understanding is that we believe CO2 causes warming because climate models say so. Should I be cynical about climate models on the basis that the models I interact with on a daily basis (weather forecasts) appear to have almost no predictive power? Or is there evidence that climate forecasting is different from weather forecasting?

Dilemmas of Privacy and Surveillance

The Royal Academy of Engineering has published an almost sensible paper on privacy and surveillance. They get off to a good start

There is a challenge to engineers to design products and services which can be enjoyed whilst
their users’ privacy is protected. Just as security features have been incorporated into car design, privacy protecting
features should be incorporated into the design of products and services that rely on divulging personal information.

but then wander off into cuckooland

sensitive personal information stored electronically could potentially be protected from theft or misuse by using digital
rights management technology.

Obviously this is even more loony than trying to protect music with DRM. Another example

Another issue is whether people would wish others to have privacy in this arena – for example, the concern might arise
that anonymous digital cash was used by money launderers or terrorists seeking to hide their identity. Thus this
technology represents another dilemma – should anonymous payment be allowed for those who wish to protect their
privacy, or should it be strictly limited so that it is not available to criminals?

Riiight – because we have these infallible methods for figuring out who is a criminal.

Also, as usual, no mention whatever of zero-knowledge or selective disclosure proofs. But even so, better than most of the policy papers out there. Perhaps next time they might consider consulting engineers with relevant knowledge?

(via ORG)

18 Mar 2007

Statistics Porn

Filed under: General — Ben @ 12:52

It’s one of those ideas that seems obvious once you’ve seen it – plot data on a graph, add size and colour, and then animate over time. That’s five dimensions, folks!

So, here’s an example application – income vs. life expectancy vs. population vs. location vs time. Notice the blue dot where life expectancy drops sharply whilst income stays roughly level. That’s South Africa – interesting. And a cool feature I just discovered is you can click on the dot, make sure “Trails” is ticked, and then run the animation…

Here are some more examples.

ObDisclaimer: yes, this is now Google’s. No, that’s not why I blogged it.

15 Mar 2007

CO2 and Global Warming

Filed under: General — Ben @ 14:36

I do not claim to be an expert on the subject, but it has long concerned me that there seems to be entirely too much politics and not enough science around the whole “man causes global warming” theory. Every conversation I’ve had with a zealot has centred around the idea that I must be some crazed, irresponsible loon if I don’t want to reduce CO2 emissions, because clearly I’m risking the future of the world. And, obviously, every responsible person will act to avoid that risk by doing their bit to cut down CO2.

But am I risking the world? How do we know that, say, the extra CO2 we put in the atmosphere is not saving us from the ice age that would otherwise be upon us?
So, in that vein, I am grateful to my dad for pointing me to research into the link between CO2 and temperature. The rather startling conclusion is that, yes, CO2 and temperature are linked, but the CO2 rise lags the temperature rise by 4-800 years. The scientists out there will need no further explanation.
I know I’m going to regret posting this, but what the hell – bring on the flames.

12 Mar 2007

Tor Executive Director Loses The Plot?

Filed under: Crypto,Open Source,Security — Ben @ 13:35

HD Moore wrote a gadget to track down incautious Tor users. Of course, if you don’t anonymise your DNS and you enable Java/Javascript in your browser, then you deserve to get tracked down. So, no news there, really, except that HD has actually gone to the trouble to implement a tool that exploits this foolishness.

More disturbing is the apparent attitude of Tor’s Executive Director, Shava Nerad:

“Mr. Moore’s solution will not solve the problem he is trying to solve, and in the process, he will hurt a lot of people that he should be helping,” Nerad said.

Moreover, Moore’s reliance on keywords to identify potential illegal transactions would likely have a high false positive rate, Nerad said.

The problem he’s trying to solve is, apparently, paedophiles using Tor to cover their tracks. But what is Ms. Nerad on about? Why does she think that HD exploiting this problem and making it public is bad? Surely alerting users to the issue is the important thing? We have to assume the tool exists whether we know about it or not.

Also, if it isn’t going to solve HD’s problem, how’s it going to damage users he should be helping? It either works or it doesn’t!

Furthermore, the “reliance on keywords” attack is lame – clearly false positives can be eliminated by examining the records after the fact.

I am not impressed.

BTW, if anyone finds a link to Torment (for that is what it’s called), let me know. Oh, and my advice: if you really want to be safe from Tor operators, make sure you use encrypted protocols over Tor; plaintext is clearly going to bite you.

9 Mar 2007

Teriyaki/Ginger/Lime Salmon

Filed under: Food,Recipes — Ben @ 23:44

Faced by conflicting desires this evening, I invented this dish.

Cover a baking dish with enough salmon to feed you (I used 150g per head and I was cooking for 4). Finely chop a bunch of spring onion (3 medium in my case) and cover the salmon with it. Thinly slice ginger and add a layer of that, widely spaced. Add a layer of thin lime slices, also widely spaced. Cover with teriyaki and dark soy, then liberally sprinkle with sesame seeds. Bake at gas mark 6 for about 20 minutes.

I had this with rice and purple sprouting broccoli.

8 Mar 2007

Translation, Please?

Filed under: General,If You Really Loved Me — Ben @ 22:39

I love BoingBoing, but occasionally it gives me indigestion:

my own personal thoughts on postmodernism concerns the fact that it is inches away from finally bridging the gap between western analytical thought and romanticism. postmodernists come to question the fabric of reality enough to allow for a mckenna style archaic revival to be the solution to our ills, entheogens cleansing the doors of perception from all hyper-real simulacra, resurrecting culture and language as the sacred entities they used to be.

Can someone tell me what that means?

7 Mar 2007


Filed under: Open Source — Ben @ 10:55

After a bit of a hiatus, Google is hosting the third Open Source Jam at our offices in Victoria. Anyone with an interest in open source, particularly those wanting to hack, or wanting assistance on their PotM (Project of the Month) should turn up. Here’s the official invite:

Everyone is invited to Google London Open Source Jam 2, which is
actually the third event because we’re zero-based.

This time, we’re going to focus on a specific theme – Linux. Because
we live, love and breathe it.

Linux topics that we’re interested in hearing about include:

* One Laptop Per Child (
* Linux TV (e.g. MythTV, Freevo, DemocracyTV)
* Virtualization (e.g. Xen, KVM)
* Wibbly Window Managers (e.g. XGL, AIGLX, Compiz, Beryl)
* Linux Telephony (e.g. Asterisk)


———————

* What is it?

In a nutshell, it’s a pretty informal evening, we ask developers who
have ideas or are already working on them to come and engage others to
collaborate and code for your open source project. In a way, it will
be like what goes on in the corridors, between sessions at a
conference, except without the sessions. So you get to tell others
about your idea and get new interested folks to work on your projects.

* Who is it for?

Anyone who wants to work on a fun project. You may have an idea and
need more help or are already working on an open source project and
want to work with others, or you’d like to get involved in a new open
source project and meet like minded developers. Or perhaps you’ve got
nothing better to be doing on a Thursday night than hanging around
with a flock of opensourcerers and hack.

* What will be there?

Other interesting people to code with. A space to hang around in.
Computers and wifi. Oh, and lots of delicious pizza.

* What will happen?

Some people may choose to present a 5 minute lightning talk on what
they’re doing. Then little groups will form and people will work
together on code! We’ll encourage contributing good things back to
open source projects, or maybe the launch of new projects.

* What shall I bring?

The only thing you really need to bring is yourself. If you have a
laptop you like to develop on, please bring that too.

* Why is it in the evening?

It’s intentionally on a school-night as that allows many people to
attend who would struggle during the day because of their job.

* What kind of talk should I give?

Five mins lightning talk. If you want to bring slides or a demo, please
do, but don’t feel you need to – talking and/or whiteboards is just as
good. Remember your audience are techy open source geeks. If you
feel like giving a talk (and we’d love you if you did), please let us know.


Important details :

* If you want to come, please RSVP by signing up on the Wiki at:

* We have a LIMITED number of spaces available. We’ll be closing reservations as
soon as we hit that limit – sign up now!

* Please let us know if you’ve signed up but can no longer attend as
this will free up your space for someone else.

* If you know of someone else you think we should be inviting in the
London area, please email us at

When : Thursday 15th March 2007. 6pm – 9:30pm.
Where: Google, Belgrave House 76, Buckingham Palace, Victoria, London SW1W 9TQ

See you then!

5 Mar 2007

Delegation and Identity Management

Filed under: Capabilities,Crypto,Identity Management,Security — Ben @ 9:27

Kim Cameron has written two pieces about delegation. The only thing I have to add is when you delegate authority, in an ideal world you should also be able to restrict what you delegate – I’ll agree that we could have a long discussion about that, but the only thing I have to say right now is “capabilities“.

2 Mar 2007

Scalable Internet Architectures

Filed under: Distributed stuff,Open Source — Ben @ 15:22

My friend Theo Schlossnagle has for many years run one of the most popular tutorials at ApacheCon, Scalable Internet Architectures. In this tutorial he covers the ways he has built successful, resilient and very large-scale server farms.

Theo doesn’t believe in the traditional big-iron, expensive-database scheme for making these things, preferring tools like Spread, Backhand and Wackamole. Anyway, to cut to the chase, he has, at long last, written a book about it – which I’ve just finished reading. If you’ve ever built a server farm, you’ll find the first few chapters easy going, but after that he dives into the technical details rapidly and lucidly. I recommend it highly.

1 Mar 2007

Government Consultation on Information Assurance

The government is running a consultation on its e–Government framework for Information Assurance. The thing I find most disappointing about it is the complete inability to see beyond identification as a means of access control. I believe it was at PET 2005 that someone claimed that an analysis of citizens’ interactions with government in Australia showed that in over 90% of cases there was no need for the individual to be identified – all that was needed was a proof of entitlement. This can be achieved quite easily even using the kind of conventional cryptography the framework advocates, though this will still allow a citizen’s interactions to be linked with each other – which we all know is not desirable. Even better to use zero knowledge or selective disclosure proofs, as discussed ad nauseam in this blog. Yet, despite this, there is not a single mention of any access control method other than complete identification.
If you do nothing else, I encourage you to make this point in any submission you make.
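
The proof-of-entitlement approach described in the post above, built from conventional signatures, as an added example (not code from this blog or from the framework it discusses). The `Credential` layout, the function names and the `over-60-bus-pass` label are assumptions made for illustration; Ed25519 stands in for "conventional cryptography".

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Credential names an entitlement and a holder key, but no person.
type Credential struct {
	HolderKey   ed25519.PublicKey
	Entitlement string
	IssuerSig   []byte
}

func signedBytes(k ed25519.PublicKey, entitlement string) []byte {
	return append(append([]byte{}, k...), entitlement...)
}

// Issue is run once by the authority, after checking eligibility out of band.
func Issue(issuer ed25519.PrivateKey, holder ed25519.PublicKey, entitlement string) Credential {
	return Credential{holder, entitlement, ed25519.Sign(issuer, signedBytes(holder, entitlement))}
}

// Verify is the service's access check. It returns the decision and the
// holder key (hex) that the service unavoidably sees along the way.
func Verify(issuerPub ed25519.PublicKey, c Credential, want string, challenge, proof []byte) (bool, string) {
	ok := len(c.HolderKey) == ed25519.PublicKeySize && c.Entitlement == want &&
		ed25519.Verify(issuerPub, signedBytes(c.HolderKey, c.Entitlement), c.IssuerSig) &&
		ed25519.Verify(c.HolderKey, challenge, proof)
	return ok, hex.EncodeToString(c.HolderKey)
}

// Demo runs two visits with constructed keys and a constructed entitlement label.
func Demo() (granted, staleRejected, linkable bool) {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	cred := Issue(issuerPriv, holderPub, "over-60-bus-pass")
	c1, c2 := make([]byte, 32), make([]byte, 32) // fresh challenge per visit
	rand.Read(c1)
	rand.Read(c2)
	ok1, tag1 := Verify(issuerPub, cred, "over-60-bus-pass", c1, ed25519.Sign(holderPriv, c1))
	ok2, tag2 := Verify(issuerPub, cred, "over-60-bus-pass", c2, ed25519.Sign(holderPriv, c2))
	stale, _ := Verify(issuerPub, cred, "over-60-bus-pass", c2, ed25519.Sign(holderPriv, c1))
	return ok1 && ok2, !stale, tag1 == tag2 // same key every visit: linkable
}

func main() { fmt.Println(Demo()) }
```

Both visits are granted without any name changing hands, yet the service sees the same holder key each time, which is the linkability the post says zero knowledge or selective disclosure proofs would remove.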
