September 29, 2009

Send In The Clowns (RIAA's Embarrassing Pursuits)

Have you ever sat yourself down and wondered: Hey, just how lame is RIAA's ability to do technical detection of 'copyright infringement' or whatever it is they're calling it these days?

Well, it turns out there is good evidence that the lameness goes even deeper than the already low expectations we have become accustomed to from this group.

It's not like RIAA's lameness is any news, really... Some of the most sober and respected leaders of the information security community have called RIAA out for their wayward ways. No less than Dr. Eugene Schultz, not known for being overly hyperbolic in his word choice, spoke of the RIAA:

"Clearly, clowns rule the circus when it comes to at least some of the RIAA’s witch hunts."

How can I top that kind of piledriver-by-blog? I'm nowhere near as smart nor eloquent as Dr. Schultz.

So why do I add to this criticism of RIAA, after all these years of silence?

Because, dear readers, the technical evidence is really starting to get to me (I know it's almost 2010... ok, ok...)

Previously, I posted about ridiculous RIAA letters coming to University of Washington researchers.

The last straw came recently, when I sat through a lecture at a Dartmouth infosec conference and had to keep picking my jaw up off the floor, time after time, as a computer science professor and law professor described in detail how they toiled to save a poor soul from the cold, unrelenting wrath of RIAA's legal attack dogs.

The poor soul in question had no computer in her home at the time of the alleged infringement...

Here it is, the evidence (as if we needed more of it), just so you too can say "Now I know" the answer to the question above (the one about the depths of RIAA's lameness):

Summary of victory against RIAA by Professor Embree from Franklin Pierce Law School:

The letter from Ms. Mavis Roy, the would-be-victim of RIAA's ridiculous behavior, thanking the staff of the law clinic run by Professor Embree:

The expert report by Professor Bratus (techies, get a snack and a comfy chair, this is good stuff):

Bio of the heroic Professor Embree

And so, in the tradition of legislating from the blog bench (yes I can do that)...

Previously, I brought you Shpantzer's Law of Endpoint Security.

Today, I bring you Shpantzer's Law of RIAA Law(suits):

I propose that from now on, anytime you post anything about RIAA going after obviously innocent people, then you must type/sing/hum a legally correct snippet of Send In The Clowns. Maybe just a bar or two, check with your favorite entertainment lawyer.

It'll be like our little inside joke. Only you and the eight people who read this blog will know! It's like being a part of an elite secret society, just without the hazing!

My personal favorite is Grace Jones' disco version, cuz hey, go cheesy or go home! Streisand, Judi Dench, Mel Torme, Frank Sinatra, or any such personality will do in a pinch. It's all there on the intertubes to enjoy.

For now.

Send In The Clowns...

Or SEND IN ZEE CLOWNS! (Frau Farbissina from Austin Powers style)

PS MediaSentry, whose technical failures are described in the technical report, is not doing RIAA's dirty work any longer, last time I checked.

PPS For a list of many people who performed and recorded this song:

(Krusty The Klown, shoulda known)

September 16, 2009

DRM Watch now CopyrightandTechnology Blog

The DRMWatch website is now (for some time)

Bill Rosenblatt compiles stories and commentary about Copyright, Digital Rights Management, Watermarking and other copyright-related technology, and the strategic moves made by tech companies, copyright holders and enforcers, congresscritters, ISPs and other players in the crazy copyright scene.

June 01, 2009

Word of the Day: Life Password

Help your friends and family avoid using a Life Password...

Life Password
May 19, 2009 Urban Word of the Day from

The password that you use for every website, email account, facebook, twitter, everything. Having a 'life password' is not a good idea, but everyone does it.

My friend found out my life password and wrecked my facebook account, stole all my paypal money and emailed offensive images to my mother.

April 17, 2009

Professionalism in the Security Community, Part Deux (Clever Talkers)

In this post, I will try to be clever and use the word 'clever' and its variations as much as reasonably possible. It might make me seem clever, or just obviously annoyed at the would-be clever cynics, you decide... As I've posted before, in the first installment of Professionalism, there are people (Marcus Ranum being one) who are both clever AND have a framework in which they discuss and enumerate specific arguments, definitions, etc.

This post is aimed not at them, as I don't have an issue with being clever, in fact I love to laugh and humor gets me through the day. I just have an issue with being clever as a complete substitute for real thinking. I mention no names and link to no specific articles, to avoid flame wars and to protect the guilty. :-) Here goes...

Rant Mode ON:

Dear Readers, Cyberwarriors, Those-Who-Follow-The-Cyberwar-on-"What-Is-Cyberwar," and of course Those-Who-Just-Like-Clever-Articles-About-Cyberwar:

There is a lot of discussion about cyberwar these days, which is probably a good thing, because we STILL need to figure out exactly what it is and isn't. Perhaps parallel to that effort (sigh...) we might be able to formulate a (reasonably) realistic strategy that will mitigate the effects of cyberwar on our side, allow our cyberwar practitioners to exploit the other side's networked weaknesses (war is about sides at some point, sorry) and be nimble enough to change with the speed of the network.

Cyberwar discussions are difficult for many reasons. One of them is the notion that we must not only prosecute said cyberwar properly on the strategic and tactical levels, to achieve certain results and avoid others, we must also strictly adhere, of course, to the laws of war (which ones again?) and we must be highly pundit-and-lawyer aware.

According to some, the tools and rules of cyberwar must be approved by multiple and conflicting interests, including, but not limited to: The Red Cross, John Yoo, the ACLU, Karl Rove, Katrina vanden Heuvel, EFF, current DoJ lawyers, EPIC, former DoJ lawyers (did I mention Yoo yet?), Pat Buchanan, Arianna Huffington, Ms. XXXXXXXXXXXXXX, General Jack D. Ripper, the ghost of General Curtis LeMay (via the Ouija board) and of course, the highly esteemed and indefatigable cyberwarrior, Dr. XXXXXXXXXXXXXXXXX.

See, I wasn't being TOO clever in that last paragraph, was I? OK, maybe too clever, but perhaps, and sadly so, not clever enough to qualify for the bevy of (cleverly) sarcastic and cynical articles about the supposed exploitation of the cyberwar issue by the various powers that be (are these powers 'the gummint' or 'the mainstream media' or are they think-tank thinker types?)

Apparently, some people think it's good enough to just be clever (or better yet, cynically clever), about the "cynical exploitation" alleged in their articles. These cynical mentions of cynical exploitation of cyberwar as a topic are sometimes explicit and sometimes more implicit (which is always more clever than actually being explicit).

For some people, being clever seems to be the main thing to strive for. Interestingly, some of these same people are the ones who deride FUD in the vendor space and yet fail to see the irony of their wayward ways. Are they falling into that trap of logical fallacy, you know the one that makes people think that making fun of someone or something (or both) is in and of itself the argument, or boosts the argument? Sorry folks, you can't just be clever and create an argument that's that implicit, not well articulated, or at times not even mentioned at all, strictly by means of making fun of people and concepts.

Argue by argument, not just cleverness. Derision is not discussion.

Are we trying to audition for the Daily Show correspondent position or are we talking about strategic warfare in cyberspace? Oh, both, I see...

Allow me to throw this thought-grenade onto the tinderbox of the cyberwar ABOUT cyberwar:

Being clever is great, and perhaps necessary, when discussing such amorphous topics. It is not helpful, however, to stop at being clever, to fail to continue with what you actually think cyberwar is, what it is not, and what you think is a good way to advance the discussion.

I will cleverly, but not cynically, stop now, having pointed out the clever fact that being clever about cyberwar is necessary but not sufficient to advance the discussion about cyberwar.

It is just the beginning. It might even be good to end with being clever. It is not, however, the end and should not even be the sole means to that end.

Read that as a promise that I'll discuss it further, and not rest on my clever laurels.

Rant Mode Off. Clever hammer back in toolbox. For now.

April 07, 2009

Shpantzer's Law of Endpoint Security (Grand Belated Unveiling!)

Just going through some old emails this morning and I found this little unpublished gem. Revealed to the public for the first time, right here, right now (drumroll please...)

Title: Shpantzer's Law of Endpoint Security

Body: "The security of your endpoint (hence your network) is inversely proportional to the square of the number of applications installed on the endpoint."


This was from April 28, 2007. Hey, that's two years ago! Why didn't I publish this? I guess I'm just kinda shy that way sometimes...

Basically the issue emphasized here (did I mention this was two years ago, all the way back in April of 2007?) is that application security matters, on the client side too, and not just the OS.

Browsers, PDF readers, media players, apps for presentation, email, spreadsheets, you name it. They're all individually dangerous and can add vulnerabilities really quickly when combined. I surmised that the relationship between the number of apps and security is most likely nonlinear. Inverse square sounded good at the time!

I wonder what other buried treasure is in those old emails...


April 05, 2009

Correlation is not Causation

Clever post by blogger Megan McArdle:

"I'm forced to conclude that (the import of) Mexican lemons have improved highway safety a great deal. The vitamin C, maybe? The fragrance? Bioflavanoids?"

Read the short article, featuring a great graph, with near perfect correlation of increasing lemon imports and a reduction in US highway fatalities.

A great reminder to ask the right questions about some of those problematic security surveys and studies that are being churned out at high rates with low integrity.

"What's the mechanism?" is one good question to ask.

PS I'm not partisan when it comes to information security, so McArdle's political spin is her own.

March 11, 2009

Professionalism in the Security Community

Marcus Ranum recently started discussing CyberWar and its basis in reality (or lack thereof). He first presented the Cyberwar is BS talk at HackInTheBox in Singapore and more recently at DojoSec in Columbia, MD.

The talk was naturally controversial because, hey, that's Ranum's style and it's also the subject matter itself. Some people have resorted to delighting in Ranum's alleged '0wn@ge' since his talk supposedly got some nasty feedback, including some people calling him an idiot or saying that he doesn't know what he's talking about, etc. (more on that later...)

I welcome a sober discussion on cyberwar (what it is, why it's real or not, etc) and while I don't agree with everything he said at DojoSec, I would never call Marcus Ranum an idiot. Why not?

A few reasons just off the top of my head:

1. He is clearly not "an idiot." He's been around the infosec block for a long time, on both the technical and business side and he has the experience and technical skills to match any young ankle-biter I know who wants to take Ranum down a notch by calling him names.

2. Even if I thought he was wrong about some, most or even ALL of his points, he'd still not be "an idiot," he'd just be wrong. It would be my responsibility to say why I thought so, privately and/or publicly, but in a respectful manner.

3. He owns a very accurate rifle and knows how to use it...

But seriously... Let's stop calling each other names and trying to take people down in order to make ourselves look good... and let's get back to contributing CONSTRUCTIVELY to the community.

A community where, I might add, Marcus Ranum is a longstanding, honorable member and leader. There are plenty of people who disagree with some of the content in the "Cyberwar is BS" talk, but there are those in our community who can disagree with someone and still display professionalism and respect.

Like, say, Richard Bejtlich, who blogs at TaoSecurity and himself is fully qualified to discuss cyberwar and its implications:

Guess what? I too disagree with some of Ranum's points in the "Cyberwar is BS" talk and I found myself occasionally squirming in my seat at DojoSec during his talk. I emailed him to tell him so instead of calling him names, telling him that I'd try to formulate a cogent argument for modifying some of these points (coming soon). Ranum will take good points and revise his thinking and presentation if it makes sense to him.

With that said, I couldn't agree more with what Ranum asked of his audience at DojoSec on March 5th:

"I am totally OK with people who say I don't know what I'm talking about, but what really makes me happy is if you tell me WHY I don't know what I'm talking about.

You can sit there until you're purple in the face and say 'ah he's an idiot' but if you tell me WHY I'm an idiot, you've got my undivided attention. So if you wanna argue with me about this, I am yours until hell freezes over, but don't just say I'm stupid, cuz I'll just say you're stupid back"

Please, people, don't fall into the cynicism/namecalling trap: It's counterproductive, unprofessional and makes you look disrespectful to fellow security people and possibly others outside the community. It will never elevate your status long-term, even if you happen to be right about a certain part of an argument. Keep it cool and calm: We're expected to be graceful under fire, after all.

BTW, if you think I'm an idiot for saying this, re-read the above quotes and let me know WHY...

February 23, 2009

How terrorist groups end (RAND)

This has some interesting implications for hacking groups, both financially and politically motivated. While sending a Hellfire-equipped Predator drone after hacktivists is typically regarded in polite society as "a bit much," the lessons learned here can be grafted onto the online world with some modification.

The list is certainly not exhaustive in terms of case studies, but it is valuable for the framework of tracking a tango group from cradle-to-grave, with time and cause of death available.

project site at UMaryland

This is an interesting project that seeks to exploit the capabilities of the web to enable better communications between citizens and government during a crisis (ideally a two-way street...)

This is rife with possibilities and of course security challenges, well worth a look.

RAND on the prospect of a Domestic Intelligence Agency for the US

RAND studies western European experience with domestic intelligence agencies and gives US policymakers some pointers.

(relevant to infosec since a lot of surveillance/prosecution these days is digital...)

Vulnerabilities in the Terrorist Attack Cycle (Stratfor)

DHS, Infragard and other such organizations that work to mitigate infrastructure threats have constituents that seek their advice on where to spend scarce resources on preventing attacks.

Where are the best places for defenders to disrupt the attacks before it's too late?

Some thoughts here (still relevant from 2005):

It's official, I'm a twit...

As if you didn't know THAT.

But seriously, I'm on Twitter now... Sad but true.