Eliot Lear's Ramblings

Happy Independence Day!

fireworks Happy Fourth of July! 232 years ago, descendants of peopel seeking religious freedom declared that they would not be subjugated from afar by a tyrant and his parliament.

We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness.

Thomas Jefferson, The Declaration of Independence, July 4, 1776

Since then nearly every government in the world has recognized the basic right to have a say in how one is governed, excepting of course Iran, Libya, Saudi Arabia, Zimbabwe, North Korea, China, Russia, and the United States. Even as he wrote those words, Jefferson held slaves on his property. It would take another eighty-nine years for black people to be free, and another 92 years for their children to go to the same schools as white people, and another 51 years for them to have the first black national candidate for president on one of the major party tickets.

Put another way, Jefferson lied. He did not hold those truths to be self-evident. People had to fight for them every step of the way, starting with patriots in the American revolution, continuing for the rights of black people during the Civil War. When we do not stand up for their rights of others, we lose our ability to defend our own rights. The examples are shameful. In Germany, nobody stood for others’ rights and the result was a world war and a holocaust that afflicted all of Europe, while back in America we once again jailed our fellow Americans because of the color of their skin.

Now in America we see another group once again fighting for their rights. That a person is gay does not offend my rights as an individual. Even were I to find homosexuality offensive in some way (which I do not), we as Americans have the right to offend. And we do it as early and as often as we can. Only heaven help the person who does it to us. The tyranny of the majority part of human nature, and requires each of us to check ourselves about our beliefs. And so, when Californians go to the polls in November, they will have a choice: indulge their bigotries and impose their will on a minority of people who merely want to the same treatment as others, or stand up for a group who has always held fast that they too are Americans and can and should do their part as patriots.

The tyranny of the majority doesn’t stop at race or sexual orientation, but is rooted in America in religion. George W. Bush is President of the United States in large part because he galvanized a group of people who wished to impose their religious values on all of us, and he and they have been remarkably successful. The Office of Faith-Based and Community Initiatives, an organization that gives money to churches, has been held to be constitutional, while school vouchers have stripped away disparately needed money from improving public education. It is not Muslims who need to fear for their rights, but those of us who want nothing at all to do with religion. Can you imagine a presidential candidate, never mind a president, who did not end every speech with “God Bless America”? Our founders saw this fear and clearly placed freedom of religion in the First Amendment of the Bill of Rights.

Today is not also the anniversary of our founding, but also the 182nd anniversary of the deaths of Thomas Jefferson and John Adams. Those who believe that partisanship is an invention of the late 20th century should take the time to read John Adams, by David McCullough, in which he describes the bitter battle between then opponents in 1800. That particular bit of rivalry led to the historic decision of Marbury v. Madison in 1803. Our rivalries are as the framers intended, meant to spur good government. Whether that goal is met today is an open and fair question.

Good Fences Make Good Neighbors

A Fence When I was about 13 years old, my neighbors put a pool in their back yard. However, they failed to put a fence around it. My sister at the time was only four years old, and there were many people her age in the neighborhood. In our community there was an ordinance that required such fences, but the neighbors ignored it, as they did my parents’ pleas.

While you can question the wisdom of letting a four year old walk around on his or her own, at the time it was the norm for our community, and one day little Donald was on his own, dangling his feet in the neighbor’s unsupervised pool. After running out of our house as fast as she could and pulling Donald away from the pool, my mother filed a complaint, causing the neighbors to have to pay a fine. Donald’s parents could have sued.

Our neighbors created an attractive nuisance and needed to be held accountable. While not exactly the same, regularly updating your software with the latest versions does reduce a computer’s exposure to vulnerabilities. What’s more, there is a well known network effect of doing so. When you patch your software, not only do you protect your computer against attack by others, but you also prevent your computer from being used as a vehicle to attack others. Put another way, not patching your software makes your system a nuisance to others. The bad guys know this. One study by Jianwei Zhuge, et al, shows that exploits often appear in the wild before or very shortly after a patch is released. A position paper written by Ross Anderson, et al., for ENISA will tell you which vendors are better and which are worse at patching.

A new study released this week by people at the ETH, Google, and IBM shows that in the best case with Firefox, no more than 83% of users patch their browsers. The worst case is Internet Explorer, where you are more than likely not to have the latest patch.

What does all this say? First of all it says that Firefox is probably doing a pretty good job. One wonders what is going on with the 17% of individuals who do not patch their browsers. Perhaps we have another case of rational ignorance, as I discussed previously. The study also says that Microsoft could do a better job. Part of Microsoft’s problem is that they have previously released “security” patches that do more than fix security problems. Distribution of Windows Genuine Advantage, which has been called a form of spyware, degraded peoples’ trust in Microsoft.

Apple isn’t all that much better than Microsoft. For one, their patch rates are actually slower than that of Microsoft. For another, Safari 3 broke stuff, which is precisely why many people do not upgrade. Sun and HP are even worse.

Much as we like to blame vendors, in some cases we have nobody to blame but ourselves. Here is something to do. Check that you are running the latest version of the software you use. If you use anything more than the standard application suite for your computer, there is a very good chance you are out of date.

No Evidence That Data Breach Privacy Laws Work

Have you ever received a notice that your data privacy has been breached? What the heck does that mean anyway? Most of the time what it means is that some piece of information that you wouldn’t normally disclose to others, like a credit card or your social security number, has been released unintentionally, and perhaps maliciously (e.g., stolen). About five years ago states began passing data breach privacy laws that required authorized possessors of such information to report to victims when a breach occurred. There were basically two goals for such laws:

Provide individuals warning that they may have suffered identity theft, so that they can take some steps to prevent it, like blocking a credit card or monitoring their credit reports; and
Provide a more general deterrent by embarrassing companies into behaving better. “Sunlight as a disinfectant,” as Justice Brandeis wrote.[1]

A study conducted by Sasha Romanosky, Rahul Telang, and Alessandro Acquisti at CMU found that as of yet there can be no correlation found between these laws and identity theft rates. This could be for many reasons why the correlation isn’t there. First, actual usage of the stolen information seems to be only a small percentage. Second, it may be that just because a light has been shined doesn’t mean that there is anything the consumer will be capable or willing to do. For instance, suppose you buy something at your-local-favorite-website.com. They use a credit card or billing aggregation service that has its data stolen, and so that service reports to you that your data has been stolen. You might not even understand what that service has to do with you. Even if you do, what are the chances that you would be willing to not use your-local-favorite-website.com again? And if you hear about such a break-in from someone else, would it matter to you? Economists call that last one rational ignorance. In other words, hear no evil, see no evil.

Add to all of this that some people have said that there are huge loopholes in some of the laws. At WEIS and elsewhere several not-so-innovative approaches were discussed about how some firms are getting around the need to disclose.

This paper is not the final word on the subject, but clearly work needs to be done to improve these laws so that they have more impact. As longitudinal studies go, this one isn’t very long. It’s possible we’ll see benefits further down the road.

[1] The Brandeis quote could be found in the paper I cited (which is why I used it).

Time to Takedown: Successes and Failures

Takedown is a term used by Internet service providers and law enforcement officials that means the involuntary removal of a computer from the Internet. For instance, if a computer has been compromised and is attacking other computers, a takedown is seemingly appropriate. Tyler Moore and Richard Clayton have done some analysis on how long it takes to get a site off the net when it is doing something anti-social. They look at about six different circumstances: phishing, defamation, child pornography, copyright violation, spam and bot sites, and generally fraudulent web sites.

Not surprisingly, firms such as banks that actively defend their brand are able to expunge hosts serving bogus content the fastest, and service providers are the most cooperative (the numbers cross jurisdictional boundaries). Sites harboring material that exploit of children takes 10-100 times longer than banks. That’s an enormous difference. There are several likely reasons for this difference. First, banks are acting in their clear best interest and do not mind shouting at whoever they need to shout at to get rid of material. They’ve also likely developed strong relationships with service providers to speed the process.

The data on child protection is somewhat skewed by a single source, and that source had substantial jurisdictional issues, in as much as they did not feel empowered to deal directly with certain governments and service providers outside the UK, and in particular in the United States. Worse, images that were removed had a tendency to re-appear on the very same web sites, indicating that either the site was re-compromised or it was poorly managed or both.

The data points to a clear need for stronger coordination by service providers throughout the world to protect children. The fact that banks are able to be more successful in removing content that offends them demonstrates that it is possible when self-interest is a factor.

In the area of copyright violation, the RIAA has had success in removing sites that are clearly violating copyrights. By injecting themselves into P2P networks the RIAA has been able to determine many sources of copyright violation. The paper does not have a data source to analyze takedown periods.

Courting Disaster: Supreme Court lets guns into DC

I have yet to read the opinion of the Court as to the reasoning of this week’s 2nd amendment ruling, but let’s discuss just one point. Four justices earlier were upset that the court upheld Habeus Corpus, and the clear basis of their argument was not strict construction, but rather fear of attack. Those same four justices plus Justice Kennedy made use of strict construction in the DC opinion. That to me says that at least those four justices are perfectly comfortable with our government “defending” us against others, but they’re not comfortable with the government defending us against each other. Put another way, we can abuse others as much as we want, but heaven forbid we wish to assert government authority against our own citizenry.