Should all locks have keys? Phones, Castles, Encryption, and You.

Passing a law that requires companies to build devices with digital keyholes that only good-guys can use is the same as passing a law that says the value of π (pi) must be exactly 3.

Here's an excellent short video about the literal impossibility of such laws, and the enormous risks of going ahead anyway.  Unlike real-world keyholes, where the bad-guy must be physically present at each keyhole they want to break through, in the digital world each bad-guy can simultaneously attack millions of digital keyholes from the other side of the world.  The end of the video says it best: "Anyone who says otherwise [that digital keyholes can be built which allow only angel good-guys while blocking demon bad-guys] is either ignorant of the mathematics, or less of an angel than they appear."

There's no math in the video, just really good explanation.

Eli Pariser: Beware online "filter bubbles"

Google, Facebook, and others are trying to be helpful, and show content that is customized just for you. But this can trap you in a "filter bubble". Information used to be filtered by mass-media gatekeepers like newspapers & television, and was also filtered by where you lived. Is the automatic personalization and customization by Google, Facebook, and others any better than the old filtering?

Kind of a close call

Heather & I are in Charleston, SC with Heather's family for the holidays.  We flew out of Denver on a 2:30pm Continental flight to Houston, then on to Charleston.  Later that day, Continental #1404 crashed on takeoff leaving Denver for Houston at 6:18pm, injuring around 40, but no deaths.  Continental regularly flies from Denver to Houston, so #1404 was probably not the next flight of the day.  Still, it feels a little like a "close call" for us.  On our flight they were asking for volunteers to take a later flight since they had overbooked.  I wonder how many of the passengers on #1404 had voluntarily taken it as a later flight?

Yellow Dots of Mystery: Is Your Printer Spying on You?

Did you know your color printer is probably spying on you?  Most pages printed in color include "secret" yellow dots.  Groups like EFF have "decoded" some of these, and found in every case that the dots include the serial number of the printer, and the time the document was printed.

Most likely, the US government secretly asked printer companies to include this tracking data in a misguided attempt to fight currency counterfeiting.  But the problem is that anyone, not just the US government, who knows the secret code can use it against others.  For example, the Chinese government could track dissidents who unknowingly print flyers on these printers, thinking they were anonymous.

The threat to anonymous free speech posed by these secret dots is too large to let the US government and the printer companies off the hook for their secret agreement.  Yes, there may be risks to currency counterfeiting, but the solution is not to put anonymous free speech at risk.  The solution is to design currency to resist copying.  In fact, most currency now cannot be copied due to watermarks and very, very tiny details.  So even if these yellow dots made sense 10 years ago, they no longer help reduce currency counterfeiting, but they continue to put at risk those who need anonymous free speech.

Harassment does not improve Security

Most of the changes you see at airports since 9/11 do very little to improve security, considering the cost and hassle.  Take for example having to show ID — most of the 9/11 hijackers had perfectly valid US-issued IDs, and were not on any list.  Or the futility of the TSA's belief that their watch list (which contains hundreds of thousands of names) will catch terrorists.  Once again, most of the 9/11 hijackers weren't on any watch list, and even if they were, they simply would have used different names.  All the watch list accomplishes is to delay a 4-year-old from boarding the plane with his parents.

Amos Shapir made a sad but true observation on the RISKS mailing list:

The newly formed U.S. TSA has a serious problem: they have to supply Security, but they have no idea how (and it seems that they are unaware that nobody else does, either). But they do know that Security causes Harassment, and they do know how to do Harassment. So the obvious logic is, the more Harassment they'd do, the more Security will be produced. QED

Spot the speeder

Automatic speeding cameras sound good on paper — automatically catch the speeders and send them a ticket via mail, without tying up police officers. But even with people in the loop, you get problems like this hatchback "driver" in South Africa who was ticketed for exceeding the 60 km/h limit:

One commenter said the "speeder" should consider himself lucky that he was not also ticketed for tailgating.

Electronic voting is much harder than electronic banking

A common misconception about the challenges of electronic voting goes like this:

If we can secure all-electronic financial transactions worth millions of dollars, why can't we secure all-electronic voting?

The problem with voting is that everything needs to be anonymous, but still fraud-proof. Electronic financial transactions are secure because names are attached to all transactions. If fraud is suspected, the banks can track down the customers. When customers use false IDs, the banks go after the merchants for not doing enough to verify the customer's name. Unless you are willing to give up anonymity when you vote, electronic voting will always be much harder than financial transactions.

Security guru Bruce Schneier talked about these differences in more depth in 2001.

Killed by his own golf club

Crazy, but true:

In 1994, 16-year-old Jeremy Brenno of Gloversville, New York, was killed when he struck a bench with a golf club, and the shaft broke, bounced back at him, and pierced his heart. Brenno had missed a shot on the sixth hole at the Kingsboro Golf Club and looked to vent his frustration by giving the nearby bench a good whack in retaliation. The fatal club was a No. 3 wood. specializes in debunking urban legends, so if they say it's true, then it probably is. The article also talks about 3 other known killed-by-own-club fatalities (in 1951, 2005, and 2005), but they are not quite as dramatic as poor Jeremy.