Problems with ID cards

From Bruce Schneier’s Crypto-Gram of 15 April 2004:

My argument may not be obvious, but it’s not hard to follow, either. It centers around the notion that security must be evaluated not based on how it works, but on how it fails.

It doesn’t really matter how well an ID card works when used by the hundreds of millions of honest people that would carry it. What matters is how the system might fail when used by someone intent on subverting that system: how it fails naturally, how it can be made to fail, and how failures might be exploited.

The first problem is the card itself. No matter how unforgeable we make it, it will be forged. And even worse, people will get legitimate cards in fraudulent names. …

Not that there would ever be such thing as a single ID card. Currently about 20 percent of all identity documents are lost per year. An entirely separate security system would have to be developed for people who lost their card, a system that itself is capable of abuse. …

But the main problem with any ID system is that it requires the existence of a database. In this case it would have to be an immense database of private and sensitive information on every American—one widely and instantaneously accessible from airline check-in stations, police cars, schools, and so on.

The security risks are enormous. Such a database would be a kludge of existing databases; databases that are incompatible, full of erroneous data, and unreliable. …

What good would it have been to know the names of Timothy McVeigh, the Unabomber, or the DC snipers before they were arrested? Palestinian suicide bombers generally have no history of terrorism. The goal is here is to know someone’s intentions, and their identity has very little to do with that.

Errol Morris on film noir

From Errol Morris’s “Film Legend Errol Morris Salutes New Graduates At 2010 Commencement” (Berkeley Graduate School of Journalism: 10 May 2010):

There are many things I liked about noir. But in particular, there are images of one benighted character after another struggling to make sense of the world – and sometimes failing in the effort. [Their failure could be chalked up to many things. But most severe among the possibilities, was the thought that the world might be intractable. That you can never figure out how it works, what makes it tick. A terribly, sad thought. There has to be, there just has to be the presumption that you can figure things out.]

A story of failed biometrics at a gym

Creative Commons License photo credit: kevindooley

From Jake Vinson’s “Cracking your Fingers” (The Daily WTF: 28 April 2009):

A few days later, Ross stood proudly in the reception area, hands on his hips. A high-tech fingerprint scanner sat at the reception area near the turnstile and register, as the same scanner would be used for each, though the register system wasn’t quite ready for rollout yet. Another scanner sat on the opposite side of the turnstile, for gym members to sign out. … The receptionist looked almost as pleased as Ross that morning as well, excited that this meant they were working toward a system that necessitated less manual member ID lookups.

After signing a few people up, the new system was going swimmingly. Some users declined to use the new system, instead walking to the far side of the counter to use the old touchscreen system. Then Johnny tried to leave after his workout.

… He scanned his finger on his way out, but the turnstile wouldn’t budge.

“Uh, just a second,” the receptionist furiously typed and clicked, while Johnny removed one of his earbuds out and stared. “I’ll just have to manually override it…” but it was useless. There was no manual override option. Somehow, it was never considered that the scanner would malfunction. After several seconds of searching and having Johnny try to scan his finger again, the receptionist instructed him just to jump over the turnstile.

It was later discovered that the system required a “sign in” and a “sign out,” and if a member was recognized as someone else when attempting to sign out, the system rejected the input, and the turnstile remained locked in position. This was not good.

The scene repeated itself several times that day. Worse, the fingerprint scanner at the exit was getting kind of disgusting. Dozens of sweaty fingerprints required the scanner to be cleaned hourly, and even after it was freshly cleaned, it sometimes still couldn’t read fingerprints right. The latticed patterns on the barbell grips would leave indented patterns temporarily on the members’ fingers, there could be small cuts or folds on fingertips just from carrying weights or scrapes on the concrete coming out of the pool, fingers were wrinkly after a long swim, or sometimes the system just misidentified the person for no apparent reason.

Fingerprint Scanning

In much the same way that it’s not a good idea to store passwords in plaintext, it’s not a good idea to store raw fingerprint data. Instead, it should be hashed, so that the same input will consistently give the same output, but said output can’t be used to determine what the input was. In biometry, there are many complex algorithms that can analyze a fingerprint via several points on the finger. This system was set up to record seven points.

After a few hours of rollout, though, it became clear that the real world doesn’t conform to how it should’ve worked in theory. There were simply too many variables, too many activities in the gym that could cause fingerprints to become altered. As such, the installers did what they thought was the reasonable thing to do – reduce the precision from seven points down to something substantially lower.

The updated system was in place for a few days, and it seemed to be working better; no more people being held up trying to leave.


… [The monitor] showed Ray as coming in several times that week, often twice on the same day, just hours apart. For each day listed, Ray had only come the later of the two times.

Reducing the precision of the fingerprint scanning resulted in the system identifying two people as one person. Reviewing the log, they saw that some regulars weren’t showing up in the system, and many members had two or three people being identified by the scanner as them.

What happens to IP when it’s easy to copy anything?

From Bruce Sterling’s “2009 Will Be a Year of Panic” (Seed: 29 January 2009):

Let’s consider seven other massive reservoirs of potential popular dread. Any one of these could erupt, shattering the fragile social compact we maintain with one another in order to believe things contrary to fact.

2. Intellectual property. More specifically, the fiat declaration that properties that are easy to reproduce shouldn’t be reproduced.

Declaring that “information wants to be free” is an ideological stance. A real-world situation where information can’t be anything but free, where digital information cannot be monetized, is bizarre and deeply scary. No banker or economist anywhere has the ghost of clue what to do under such conditions.

Intellectual property made sense and used to work rather well when conditions of production favored it. Now they don’t. If it’s simple to copy just one single movie, some gray area of fair use can be tolerated. If it becomes easy to copy a million movies with one single button-push, this vast economic superstructure is reduced to rags. Our belief in this kind of “property” becomes absurd.

To imagine that real estate is worthless is strange, though we’ve somehow managed to do that. But our society is also built on the supposed monetary worth of unreal estate. In fact, the planet’s most advanced economies are optimized to create pretty much nothing else. The ultimate global consequences of this situation’s abject failure would rank with the collapse of Communism.

A single medium, with a single search engine, & a single info source

From Nicholas Carr’s “All hail the information triumvirate!” (Rough Type: 22 January 2009):

Today, another year having passed, I did the searches [on Google] again. And guess what:

World War II: #1
Israel: #1
George Washington: #1
Genome: #1
Agriculture: #1
Herman Melville: #1
Internet: #1
Magna Carta: #1
Evolution: #1
Epilepsy: #1

Yes, it’s a clean sweep for Wikipedia.

The first thing to be said is: Congratulations, Wikipedians. You rule. Seriously, it’s a remarkable achievement. Who would have thought that a rag-tag band of anonymous volunteers could achieve what amounts to hegemony over the results of the most popular search engine, at least when it comes to searches for common topics.

The next thing to be said is: what we seem to have here is evidence of a fundamental failure of the Web as an information-delivery service. Three things have happened, in a blink of history’s eye: (1) a single medium, the Web, has come to dominate the storage and supply of information, (2) a single search engine, Google, has come to dominate the navigation of that medium, and (3) a single information source, Wikipedia, has come to dominate the results served up by that search engine. Even if you adore the Web, Google, and Wikipedia – and I admit there’s much to adore – you have to wonder if the transformation of the Net from a radically heterogeneous information source to a radically homogeneous one is a good thing. Is culture best served by an information triumvirate?

It’s hard to imagine that Wikipedia articles are actually the very best source of information for all of the many thousands of topics on which they now appear as the top Google search result. What’s much more likely is that the Web, through its links, and Google, through its search algorithms, have inadvertently set into motion a very strong feedback loop that amplifies popularity and, in the end, leads us all, lemminglike, down the same well-trod path – the path of least resistance. You might call this the triumph of the wisdom of the crowd. I would suggest that it would be more accurately described as the triumph of the wisdom of the mob. The former sounds benign; the latter, less so.

Trusted insiders and how to protect against them

From Bruce Schneier’s “Basketball Referees and Single Points of Failure” (Crypto-Gram: 15 September 2007):

What sorts of systems — IT, financial, NBA games, or whatever — are most at risk of being manipulated? The ones where the smallest change can have the greatest impact, and the ones where trusted insiders can make that change.

It’s not just that basketball referees are single points of failure, it’s that they’re both trusted insiders and single points of catastrophic failure.

All systems have trusted insiders. All systems have catastrophic points of failure. The key is recognizing them, and building monitoring and audit systems to secure them.

Do’s and don’ts for open source software development

From Jono DiCarlo’s “Ten Ways to Make More Humane Open Source Software” (5 October 2007):


  1. Get a Benevolent Dictator
    Someone who has a vision for the UI. Someone who can and will say “no” to features that don’t fit the vision.
  2. Make the Program Usable In Its Default State
    Don’t rely on configurable behavior. It adds complexity, solves little, and most users will never touch it anyway. Usable default behavior is required.
  3. Design Around Tasks
    Figure out the tasks that people want to do with your software. Make those tasks as easy as possible. Kill any feature that gets in the way.
  4. Write a Plug-In Architecture
    It’s the only good solution I’ve seen to the dilemma of providing a complete feature set without bloating the application.
  5. User Testing, User Testing, User Testing!!
    Without user testing, you are designing by guesswork and superstition.

Do Not

  1. Develop Without A Vision
    “When someone suggests another feature, we’ll find a place to cram it in!”
  2. Join the Clone Wars
    “Closed-source program X is popular. Let’s just duplicate its interface!”
  3. Leave the UI Design Up To The End User
    “I’m not sure how that should work. I’ll make it a check box on the preferences screen.”
  4. Make the Interface a Thin Veneer over the Underlying Implementation
    “But it’s got a GUI now! That makes it user-friendly, right?”
  5. Treat UI Design as Babysitting Idiots
    “They should all quit whining and read the manual already.”

More on Fordlandia

From Mary A. Dempsey’s “Fordlandia” (Michigan History: July/August 1994):

Screens were just one of the Yankee customs transported to Fordlandia and Belterra. Detroit physician L. S. Fallis, Sr., the first doctor sent from Henry Ford Hospital to run the Fordlandia medical center, attempted to eradicate malaria and hookworm among Brazilian seringueiros (rubber gatherers) by distributing quinine and shoes. The quinine was accepted but shoes were an unwelcome novelty. It is an exceptional photo that shows the shirtless seringueiros, machetes in hand, shod only with floppy rubber-soled sandals; their children went shoeless. The jungle dwellers also found Fordlandia’s two-family homes hopelessly hot and ugly and the idea of bathrooms repulsive. Even today, plumbing is a rarity in the jungle.

At the same time, Ford’s 6:00 A.M. to 3:00 P.M. work schedule was unpopular with plantation employees accustomed to slashing trees several hours before dawn, then resuming the work at sunset for piecemeal pay. But the promise of free housing and food, top-notch health care for the workers and their families, and a salary of thirty-seven cents a day—double the regular wage—kept the seringueiros on the job. …

Generally, the company-imposed routine met hit-and-miss compliance. Children wore uniforms to school and workers responded favorably to suggestions they grow their own vegetables. But most ignored Ford’s no liquor rule and, on paydays, boats filled with potent cachaca—the local sugar-can brew—pulled up at the dock. Poetry readings, weekend dances and English sing-alongs were among the disputed cultural activities. …

Former Kalamazoo sheriff Curtis Pringle, a manager at Belterra, boosted labor relations when he eased off the Dearborn-style routine and deferred to local customs, especially when it came to meals and entertainment. Under Pringle, Belterra buildings did not contain the glass that made the powerhouse at Fordlandia unbearably hot, and weekend square dancing was optional. Alexander said Henry Ford balked at building a Catholic church at Fordlandia—even though Catholicism was the predominant Christian religion in Brazil. The Catholic chapel was erected right away at Belterra. …

Alexander said of the long-closed but impeccably maintained facility that once boasted separate wards for men and women, thirty nurses, a dentist, three physicians and a pharmacist, who also administered anesthesia during surgery.

Henry Ford’s debacle in the jungle

From Alan Bellows’s “The Ruins of Fordlândia” (Damn Interesting: 3 August 2006):

On Villares’ advice, [Henry] Ford purchased a 25,000 square kilometer tract of land along the Amazon river, and immediately began to develop the area. …

Scores of Ford employees were relocated to the site, and over the first few months an American-as-apple-pie community sprung up from what was once a jungle wilderness. It included a power plant, a modern hospital, a library, a golf course, a hotel, and rows of white clapboard houses with wicker patio furniture. As the town’s population grew, all manner of businesses followed, including tailors, shops, bakeries, butcher shops, restaurants, and shoemakers. It grew into a thriving community with Model T Fords frequenting the neatly paved streets. …

But Ford’s effort to transplant America– what he called “the healthy lifestyle”– was not limited to American buildings, but also included mandatory “American” lifestyle and values. The plantation’s cafeterias were self-serve, which was not the local custom, and they provided only American fare such as hamburgers. Workers had to live in American-style houses, and they were each assigned a number which they had to wear on a badge– the cost of which was deducted from their first paycheck. Brazilian laborers were also required to attend squeaky-clean American festivities on weekends, such as poetry readings, square-dancing, and English-language sing-alongs.

One of the more jarring cultural differences was Henry Ford’s mini-prohibition. Alcohol was strictly forbidden inside Fordlândia, even within the workers’ homes, on pain of immediate termination. This led some industrious locals to establish businesses-of-ill-repute beyond the outskirts of town, allowing workers to exchange their generous pay for the comforts of rum and women. …

Workers’ discontent grew as the unproductive months passed. Brazilian workers – accustomed to working before sunrise and after sunset to avoid the heat of the day – were forced to work proper “American” nine-to-five shifts under the hot Amazon sun, using Ford’s assembly-line philosophies. And malaria became a serious problem due to the hilly terrain’s tendency to pool water, providing the perfect breeding ground for mosquitoes.

In December of 1930, after about a year of working in a harsh environment with a strict and disagreeable “healthy lifestyle”, the laborers’ agitation reached a critical mass in the workers’ cafeteria. Having suffered one too many episodes of indigestion and degradation, a Brazilian man stood and shouted that he would no longer tolerate the conditions. A chorus of voices joined his, and the cacophony was soon joined by an orchestra of banging cups and shattering dishes. Members of Fordlândia’s American management fled swiftly to their homes or into the woods, some of them chased by machete-wielding workers. A group of managers scrambled to the docks and boarded the boats there, which they moved to the center of the river and out of reach of the escalating riots.

By the time the Brazilian military arrived three days later, the rioters had spent most of their anger. Windows were broken and trucks were overturned, but Fordlândia survived. …

In 1933, after three years with no appreciable quantity of rubber to show for the investment, Henry Ford finally hired a botanist to assess the situation. The botanist tried to coax some fertile rubber trees from the pitiful soil, but he was ultimately forced to conclude that the land was simply unequal to the task. The damp, hilly terrain was terrible for the trees, but excellent for the blight. Unfortunately no one had paid attention to the fact that the land’s previous owner was a man named Villares– the same man Henry Ford had hired to choose the plantation’s site. Henry Ford had been sold a lame portion of land, and Fordlândia was an unadulterated failure. …

Be that as it may, Ford’s perseverance might have eventually paid off if it were not for the fact that scientists developed economical synthetic rubber just as Belterra was establishing itself. In 1945, Ford retired from the rubbering trade, having lost over $20 million in Brazil without ever having set foot there.

A coup in Equatorial Guinea for fun

From Laura Miller’s “Rent-a-coup” (Salon: 17 August 2006):

In March 2004, a group of men with a hired army of about 70 mercenary soldiers set out to topple the government of the tiny West African nation of Equatorial Guinea and install a new one. Ostensibly led by a political opposition leader but actually controlled by the white mercenary officers, this new regime would plunder the recently discovered oil wealth of Equatorial Guinea, enriching the coup’s architects by billions of dollars.

The Wonga Coup never came off, but not because of the kind of double-crossing anticipated in that early planning document. … One of the strangest aspects of the story is that the Wonga Coup nearly replicated an earlier failed attempt to take over Equatorial Guinea in 1973. And that coup had since been fictionalized in a bestselling book, popular with the mercenary crowd, by Frederick Forsyth, “The Dogs of War.” A case of life imitating art imitating life? The truth is even more bizarrely convoluted: Roberts has found evidence that Forsyth himself financed the 1973 coup. (And Forsyth has more or less admitted as much.)

The 2004 coup plotters made noises about installing a better leader, but their real motives were “wonga” — British slang for money — and something less tangible. “It’s fun,” said one observer. “Some of the guys did it for kicks, because life is boring.” …

Arrayed against rent-a-coup schemers like Mann is a breed that Roberts calls the “rag-and-bone intelligence dealer,” a kind of freelance spy who “darts about Africa with a laptop and satellite phone, lingering in hotel bars, picking up scraps of information where he can, selling them to willing buyers, whether corporate or government. The more sophisticated use electronic, online or other surveillance.”

How DVD encryption (CSS) works … or doesn’t

From Nate Anderson’s “Hacking Digital Rights Management” (Ars Technica: 18 July 2006):

DVD players are factory-built with a set of keys. When a DVD is inserted, the player runs through every key it knows until one unlocks the disc. Once this disc key is known, the player uses it to retrieve a title key from the disc. This title key actually allows the player to unscramble the disc’s contents.

The decryption process might have been formidable when first drawn up, but it had begun to look weak even by 1999. Frank Stevenson, who published a good breakdown of the technology, estimated at that time that a 450Mhz Pentium III could crack the code in only 18 seconds – and that’s without even having a player key in the first place. In other, words a simple brute force attack could crack the code at runtime, assuming that users were patient enough to wait up to 18 seconds. With today’s technology, of course, the same crack would be trivial.

Once the code was cracked, the genie was out of the bottle. CSS descramblers proliferated …

Because the CSS system could not be updated once in the field, the entire system was all but broken. Attempts to patch the system (such as Macrovision’s “RipGuard”) met with limited success, and DVDs today remain easy to copy using a multitude of freely available tools.

How to get 1 million MySpace friends

From Nate Mook’s “Cross-Site Scripting Worm Hits MySpace” (Beta News: 13 October 2005):

One clever MySpace user looking to expand his buddy list recently figured out how to force others to become his friend, and ended up creating the first self-propagating cross-site scripting (XSS) worm. In less than 24 hours, “Samy” had amassed over 1 million friends on the popular online community.

How did Samy transcend his humble beginnings of only 73 friends to become a veritable global celebrity? The answer is a combination of XSS tricks and lax security in certain Web browsers.

First, by examining the restrictions put into place by MySpace, Samy discovered how to insert raw HTML into his user profile page. But MySpace stripped out the word “javascript” from any text, which would be needed to execute code.

With the help of Internet Explorer, Samy was able to break the word JavaScript into two lines and place script code within a Cascading Style Sheet tag.

The next step was to simply instruct the Web browser to load a MySpace URL that would automatically invite Samy as a friend, and later add him as a “hero” to the visitor’s own profile page. To do this without a user’s knowledge, the code utilized XMLHTTPRequest – a JavaScript object used in AJAX, or Web 2.0, applications such as Google Maps.

Taking the hack even further, Samy realized that he could simply insert the entire script into the visiting user’s profile, creating a replicating worm. “So if 5 people viewed my profile, that’s 5 new friends. If 5 people viewed each of their profiles, that’s 25 more new friends,” Samy explained.

It didn’t take long for friend requests to start rolling in – first in the hundreds, then thousands. By 9:30pm that night, requests topped one million and continued arriving at a rate of 1,000 every few seconds. Less than an hour later, MySpace was taken offline while the worm was removed from all user profiles.

California’s wide-open educational software reveals personal info

From Nanette Asimov’s “Software glitch reveals private data for thousands of state’s students” (San Francisco Chronicle: 21 October 2005):

The personal information of tens of thousands of California children — including their names, state achievement test scores, identification numbers and status in gifted or special-needs programs — is open to public view through a security loophole in dozens of school districts statewide that use a popular education software system.

Teacher names and employee identification numbers are also visible to anyone logging onto the system, which is used locally by school districts including San Francisco, San Jose and Hayward.

The problem occurs when the districts issue a generic password to teachers using the system. Until the teacher changes to a unique password, anyone can type in a teacher’s user name and generic password and gain access to information about students that is supposed to be guarded as closely as the gold in Fort Knox. …

San Francisco administrators immediately shut down access to the service, called OARS — Online Assessment Reporting System — after a reporter phoned and said she had been able to access student information for all the children in two middle-school classes where the teachers had not yet changed their passwords. …

Most of the 96 districts statewide that use the system are in Southern California and the Central Valley. …

“We have confidence in the professionalism of our teachers” not to share their passwords, Bradshaw said.

But told how simple it was to gain access to the student records of any teacher who had not yet changed to a unique password, the administrators said they planned to make sure teachers did so.

“We will definitely monitor that,” Quinn said. “We don’t want anyone getting into student information.”

It’s alright to fail at a startup when you’re young

From Paul Graham’s “Hiring is Obsolete” (May 2005):

The math is brutal. While perhaps 9 out of 10 startups fail, the one that succeeds will pay the founders more than 10 times what they would have made in an ordinary job. That’s the sense in which startups pay better “on average.”

Remember that. If you start a startup, you’ll probably fail. Most startups fail. It’s the nature of the business. But it’s not necessarily a mistake to try something that has a 90% chance of failing, if you can afford the risk. Failing at 40, when you have a family to support, could be serious. But if you fail at 22, so what? If you try to start a startup right out of college and it tanks, you’ll end up at 23 broke and a lot smarter. Which, if you think about it, is roughly what you hope to get from a graduate program.

Why airport security fails constantly

From Bruce Schneier’s “Airport Passenger Screening” (Crypto-Gram Newsletter: 15 April 2006):

It seems like every time someone tests airport security, airport security fails. In tests between November 2001 and February 2002, screeners missed 70 percent of knives, 30 percent of guns, and 60 percent of (fake) bombs. And recently, testers were able to smuggle bomb-making parts through airport security in 21 of 21 attempts. …

The failure to detect bomb-making parts is easier to understand. Break up something into small enough parts, and it’s going to slip past the screeners pretty easily. The explosive material won’t show up on the metal detector, and the associated electronics can look benign when disassembled. This isn’t even a new problem. It’s widely believed that the Chechen women who blew up the two Russian planes in August 2004 probably smuggled their bombs aboard the planes in pieces. …

Airport screeners have a difficult job, primarily because the human brain isn’t naturally adapted to the task. We’re wired for visual pattern matching, and are great at picking out something we know to look for — for example, a lion in a sea of tall grass.

But we’re much less adept at detecting random exceptions in uniform data. Faced with an endless stream of identical objects, the brain quickly concludes that everything is identical and there’s no point in paying attention. By the time the exception comes around, the brain simply doesn’t notice it. This psychological phenomenon isn’t just a problem in airport screening: It’s been identified in inspections of all kinds, and is why casinos move their dealers around so often. The tasks are simply mind-numbing.

Failure every 30 years produces better design

From The New York Times‘ “Form Follows Function. Now Go Out and Cut the Grass.“:

Failure, [Henry] Petroski shows, works. Or rather, engineers only learn from things that fail: bridges that collapse, software that crashes, spacecraft that explode. Everything that is designed fails, and everything that fails leads to better design. Next time at least that mistake won’t be made: Aleve won’t be packed in child-proof bottles so difficult to open that they stymie the arthritic patients seeking the pills inside; narrow suspension bridges won’t be built without “stay cables” like the ill-fated Tacoma Narrows Bridge, which was twisted to its destruction by strong winds in 1940.

Successes have fewer lessons to teach. This is one reason, Mr. Petroski points out, that there has been a major bridge disaster every 30 years. Gradually the techniques and knowledge of one generation become taken for granted; premises are no longer scrutinized. So they are re-applied in ambitious projects by creators who no longer recognize these hidden flaws and assumptions.

Mr. Petroski suggests that 30 years – an implicit marker of generational time – is the period between disasters in many specialized human enterprises, the period between, say, the beginning of manned space travel and the Challenger disaster, or the beginnings of nuclear energy and the 1979 accident at Three Mile Island. …

Mr. Petroski cites an epigram of Epictetus: “Everything has two handles – by one of which it ought to be carried and by the other not.”

Clay Shirky on why the Semantic Web will fail

From Clay Shirky’s “The Semantic Web, Syllogism, and Worldview“:

What is the Semantic Web good for?

The simple answer is this: The Semantic Web is a machine for creating syllogisms. A syllogism is a form of logic, first described by Aristotle, where “…certain things being stated, something other than what is stated follows of necessity from their being so.” [Organon]

The canonical syllogism is:

Humans are mortal
Greeks are human
Therefore, Greeks are mortal

with the third statement derived from the previous two.

The Semantic Web is made up of assertions, e.g. “The creator of is Clay Shirky.” Given the two statements

– Clay Shirky is the creator of
– The creator of lives in Brooklyn

you can conclude that I live in Brooklyn, something you couldn’t know from either statement on its own. From there, other expressions that include Clay Shirky,, or Brooklyn can be further coupled.

The Semantic Web specifies ways of exposing these kinds of assertions on the Web, so that third parties can combine them to discover things that are true but not specified directly. This is the promise of the Semantic Web — it will improve all the areas of your life where you currently use syllogisms.

Which is to say, almost nowhere. …

Despite their appealing simplicity, syllogisms don’t work well in the real world, because most of the data we use is not amenable to such effortless recombination. As a result, the Semantic Web will not be very useful either. …

In the real world, we are usually operating with partial, inconclusive or context-sensitive information. When we have to make a decision based on this information, we guess, extrapolate, intuit, we do what we did last time, we do what we think our friends would do or what Jesus or Joan Jett would have done, we do all of those things and more, but we almost never use actual deductive logic. …

Syllogisms sound stilted in part because they traffic in absurd absolutes. …

There is a list of technologies that are actually political philosophy masquerading as code, a list that includes Xanadu, Freenet, and now the Semantic Web. The Semantic Web’s philosophical argument — the world should make more sense than it does — is hard to argue with. The Semantic Web, with its neat ontologies and its syllogistic logic, is a nice vision. However, like many visions that project future benefits but ignore present costs, it requires too much coordination and too much energy to effect in the real world, where deductive logic is less effective and shared worldview is harder to create than we often want to admit.

The difficulty of recovering from identity theft

From TechWeb News’s “One In Four Identity-Theft Victims Never Fully Recover“:

Making things right after a stolen identity can take months and cost thousands, a survey of identity theft victims released Tuesday said. Worse, in more than one in four cases, victims haven’t been able to completely restore their good name.

The survey, conducted by Nationwide Mutual Insurance Co., found that 28 percent of identity thieves’ marks aren’t able to reconstruct their identities even after more than a year of work. On average, victims spent 81 hours trying to resolve their case.

According to the poll, the average amount of total charges made using a victim’s identity was $3,968. Fortunately, most were not held responsible for the fraudulent charges; 16 percent, however, reported that they had to pay for some or all of the bogus purchases.

Other results posted by the survey were just as dispiriting. More than half of the victims discovered the theft on their own by noticing unusual charges on credit cards or depleted bank accounts, but that took time: on average, five and a half months passed between when the theft occurred and when it was spotted.

Only 17 percent were notified by a creditor or financial institution of suspicious activity, a figure that’s certain to fuel federal lawmakers pondering legislation that would require public disclosure of large data breaches.

John the Ripper makes password cracking easy

From Federico Biancuzzi’s “John the Ripper 1.7, by Solar Designer“:

John the Ripper 1.7 also improves on the use of MMX on x86 and starts to use AltiVec on PowerPC processors when cracking DES-based hashes (that is, both Unix crypt(3) and Windows LM hashes). To my knowledge, John 1.7 (or rather, one of the development snapshots leading to this release) is the first program to cross the 1 million Unix crypts per second (c/s) boundary on a general-purpose CPU. Currently, John 1.7 achieves up to 1.6M c/s raw performance (that is, with no matching salts) on a PowerPC G5 at 2.7 GHz (or 1.1M c/s on a 1.8 GHz) and touches 1M c/s on the fastest AMD CPUs currently available. Intel P4s reach up to 800k c/s. (A non-public development version making use of SSE also reaches 1M c/s on an Intel P4 at 3.4 and 3.6 GHz. I intend to include that code into a post-1.7 version.)

Most expensive computer error ever

From Computerworld (13 October 1997), page 76:

A computer glitch at a New York brokerage causes a half-million customer accounts to be credited with $19 million each for a brief period. At $9.975 trillion ($19 million times 525,000 accounts), it’s a record for a computer error.