Fab Feb Movie Watching: No faking

Just enjoyed a movie that you might not have come across before: Fakers. This is a small budget Brit movie that is a lot of fun, particularly if you like caper-style romantic comedy. There is a snappy sixties feel to the production and a treat for car fans: the first high speed chase in a Smart Car (as far as I know).

And there's plenty here for fans of Matthew Rhys, since he has the male lead (he's the guy we'll soon see playing Dylan Thomas in love with Keira Knightley in The Edge of Love, and also seen in Virgin Territory and Love and Other Disasters). And I must not forget the strong and amusing female lead, Kate Ashfield, seen in another, better known 2004 Brit comedy, Shaun of the Dead.

Fakers is distributed by Indican Pictures, an indie outfit that seems to be on the rise. Indican also distributes another under-exposed Brit gem, Pure, which, like Fakers, stars a very attractive British actress (although that is possibly a politically incorrect reference these days). Guess who? Keira Knightley.

(Full Disclosure: I'm the producer of Dare Not Walk Alone which is also distributed by Indican Pictures and yes, they gave me a complimentary copy of the film.)

What Profiteth It Google to Know Your IP Address

A couple of thoughts in light of Google's divergence from the norm as far as PII is concerned (see previous post On IP and PII: Merely the Location of a Computer? Non!). The debate over what exactly constitutes Personally Identifiable Information is not merely academic or a sidebar for policy wonks, it goes to the heart of how data about people should be handled, stored, shared, protected, etc.

To a certain extent I sympathize with Google in that the best definition of PII is a relative or functional one. Even my name, Stephen Cobb, has limited value in identifying me--it identifies me only in limited circumstances--even though "name" is included in most lists of PII identifiers. The reason for this is the popularity of Stephen as a name for Cobbs (you could say "the commonness of Stephen Cobb as a name," but hey, I'm trying to maintain some PPD here--personal pride and dignity).

My wife's name, Chey Cobb, is clearly going to be PII in most situations. The same is true of my friend Michael Miora (there's only one, AFAIK). But even something like "Stephen Cobb in ZIP Code 32084" does not identify me because there are several people who share these identifiers (I know because my friend Bruce Dufresne, who knows more about the history of the automobile than anyone else I know, knows two Stephen Cobbs and sometimes calls me by mistake when he wants a ride to the car auction). So, the extent to which any piece of data can be considered PII depends upon the context and the aggregate.

As for Google and your IP address, it seems like they may be putting too much store in its value. Consider what happened the last time I was visiting my brother in England and Googled a number of different pieces of hardware, some for him, some for me. Google was a mess. When I Googled from my hotel room, Google assumed I was in the Netherlands (the hotel's Internet service was provided by a Dutch company).

When I Googled from my brother's office in Surrey, Google really didn't want to tell me about product offerings in the US because I was Googling from a UK IP address. And when I am in America I cannot see the ads served up to UK visitors to his web site, School Sports Action TV, because Google is making assumptions based on my IP address.

In other words, my IP address might be of limited relevance with respect to what I want to see on the Internet. It seems like it would be better to have a "focus" option in Google that I could select to shape my results rather than let them be determined by my IP address. Of course, some folks in marketing are then going to want to know where the people live who select UK as their focus. My point is that my IP address does not reliably provide that data. So Google might want to think about how hard it wants to defend its collection and retention of that data.

Facebook Stickiness or Sticky Mess?

Sometimes I read something in the newspaper that makes me feel better, not because it is good news, but because it lets me know I am "not the only one" or "not imagining things." So it was with a recent New York Times article about Facebook focusing on the difficulty people have had deleting their data from Facebook's computers.

The article plays on the term "stickiness" as in "the amount of time users spend at a web site over a period of time." This can be a major factor in selling ad space on a web site or otherwise monetizing it. But the stickiness described in the article is the problem of closing a Facebook account, which basically you cannot do. I found this out when I realized I had two Facebook accounts. Not sure how that happened (but it would seem to be a flaw in the Facebook design that it could happen).

I figured I would delete one account. I could not. I could close it down, somewhat, but the stuff, the data that was associated with it, remains in the Facebook server farm, ostensibly so I can revive that account at some point in the future. I assumed this difficulty in deleting an account was driven by security concerns, as in: make it hard for people to close accounts they are not authorized to close, i.e. ones belonging to other people. Apparently that might not be the case. Could it be they want to keep mining that data forever? Here are a few points to note, from the Times article:

  • Facebook’s terms of use state that “you may remove your user content from the site at any time,” but also that “you acknowledge that the company may retain archived copies of your user content.”

  • Its privacy policy says that after someone deactivates an account, “removed information may persist in backup copies for a reasonable period of time.”

  • Facebook’s Web site does not inform departing users that they must delete information from their account in order to close it fully—meaning that they may unwittingly leave anything from e-mail addresses to credit card numbers sitting on Facebook servers.


Seems to me Facebook is still growing up in terms of understanding data privacy issues. After all, the retention policy in the terms of use is pretty much in direct contravention of the basic principles of data privacy.

Business Continuity: ContingenZ calls it!

A few days ago I called my good friend Michael Miora, president of information assurance and business continuity specialists ContingenZ. I dialed his office number but reached him on his cell phone even though he was in the office. The reason? A system error at Verizon had disrupted voicemail services for Michael--and about 740,000 other land-line customers--for several days. He had diverted his office phone to his cell to avoid missed calls, which can translate into missed business.

Michael's an enterprising guy, so he decided to turn this problem into a lesson in incident management, putting a story on the wire and also offering a discount on ContingenZ's incident management product, IMCD. That was this morning. By this afternoon his words of advice were looking quite prophetic as the wires lit up with this story: a critical Blackberry outage.

The message was clear: even if you are a relatively small company you need plans in place for such contingencies. Furthermore, the greater your dependency on a particular service, product, or supplier, the greater the need to plan for its demise, damage, or disruption.

Now I would be the first to admit that preparing and documenting an incident management plan is far from exciting, but that is no reason to put it off. And if you want a reason to get on with it, consider the situation faced by one of the first companies to purchase IMCD, a small but growing shipping company that specialized in transporting artwork. A much bigger company was looking to sub-contract them, creating a great new source of revenue. However, the big company wanted to see the smaller company's incident management plan before it signed the contract, a simple matter of due diligence.

Not so simple for the smaller company. Although management had a clear idea of what they would do in a variety of disaster scenarios, and some good lists of people to call, assets to protect, and so on, they didn't have this stuff formally documented. Enter IMCD, which automates and facilitates the process of pulling all that documentation together. Result? Contract signed.

[Disclaimer: For a while I was involved in the development of IMCD. However, I do not have a financial stake in the product.]

Satellite Internet: When broadband isn't

For millions of Americans today the Internet is not what it could be, or should be. While they can watch television adverts depicting an Internet rich in video, streaming media, and cheap phone calls, the virtual reality for many rural Americans is virtually dead. They are still on dialup. They have no broadband.

Despite the fact that big, fat, high-speed pipes criss-cross rural America to deliver thick, juicy broadband to major metropolitan areas, the locals too often lack a steak in this pie (sorry about the twisted allusions, but these folks that are being short-changed raise the steaks and many of the ingredients for our pies).

Sadly, as urban Internet access speeds soar beyond 1 megabit per second on stable, 7x24 connections, for under $30 a month, too many country folk are still measuring their web page load times in minutes and their access speeds in baud rates. They can't telecommute over intranets. They can't get Vonage or any other VoIP.

Baud rates? You remember baud rates. Back in the eighties we went from 300 baud to 1200 and then we started talking bit rates, like 19,200 bits per second or 19.2Kbps (the difference between bauds and bit rates being somewhat symbolic, nudge, nudge). Then came the nineties. That's where a lot of people out in the country on dialup still reside, getting about 48Kbps. That's 125 times slower than the city dweller's 6 Mbps. You are not going to watch much video at 48Kbps.

So, why have our agrarian brethren been left behind, despite the fact that their stewardship of the land helps keep fiber optic lines alight? Greed, pure and simple. What profiteth it a communications company to install a switch in a valley or a village where only 300 souls reside? Apparently not enough. And whenever a state thinks about making "universal service" a prerequisite of doing communication business therein, the lobbyists come forth in great number.

Consider New York state, a prime example of a state that is essentially rural, apart from a huge population center in the lower right. Despite Manhattan, New York State is, for the most part, farm country and timber country (and also hunting country, home to over a million deer and more than 4,000 black bears). And despite the fact that the state is criss-crossed by broadband infrastructure to feed Manhattan and the other high density population centers, a lot of farms and rural residences do not have broadband.

Or do they? There is one technology that can claim to deliver broadband to just about anywhere, without wires: satellite. But let me tell you folks, satellite is not broadband. It is more like broad bucket. (Note: opinions expressed herein are derived from my ongoing experience with HughesNet in upstate New York, dating back to when it was DirecPC).

Wachovia the Wicked? Yikes what a stunningly bad way to run a bank

Okay, this post will probably reduce to nil my chances of getting hired as a computer security or data privacy consultant to Wachovia Bank, but it's hard to let this story pass without comment. According to a report in the New York Times, Wachovia Bank kept doing business with rip-off artists long after it was clear that doing so was aiding and abetting them. In short, Wachovia:
"solicited business from companies it knew had been accused of telemarketing crimes....high-ranking employees at the nation’s fourth-largest bank frequently warned colleagues about telemarketing frauds routed through its accounts.... Documents also show that Wachovia was alerted by other banks and federal agencies about ongoing deceptions, but that it continued to provide banking services to multiple companies that helped steal as much as $400 million from unsuspecting victims."

Now, obviously I don't have the time and resources to watch all the news that appears on television, but I haven't seen this latest development in the story on either CNN or NBC. True, it doesn't have the same urgency as an election or a killer storm. But right now the blogosphere is the only place it seems to be kept alive, by bloggers who are making sure it doesn't get swept under the rug (along with some good old-fashioned, old-media legwork).

Consider the words I italicised. A major American bank, a Main Street retail bank, provided banking services to multiple companies that helped steal as much as $400 million from unsuspecting victims.

Shouldn't that be a major, ongoing news story until justice is served? The fourth largest US bank deeply entangled in a $400 million consumer rip-off?

3 Smart Choices in One Cute Picture

As some of my friends already know, we are in beta mode at our place in the hills between the Adirondacks and the Catskills, testing the feasibility of year-round residence.

The Arctic Cat ATV you see here was an early purchase, mainly for pleasure, but also for utility (the miniature pickup-bed behind the driver actually tilts--very useful for hauling and dumping firewood, dirt, etc.). The rack on the front is a handy place to strap tools, axe, chainsaw, shotgun, and so on.

We have had great use of this 4x4 on the trails around the property, but in terms of mileage the main use has been dog walking: our Springer Spaniel loves to run ahead of it.

But we don't just drive the ATV around to exercise the dog while we conserve human calories sitting in the driver's seat. No-o-o. We drive to previously unexplored locations, park, then head off on our own two feet, weather permitting.

And speaking of weather, smart choice number two in this picture is the Warn snow plow. Installed by Dan Beebe, a.k.a. "Dan the ATV Man," of Performance Recreation, this plow really gets the job done. Following Dan's advice, we installed chains on the rear tires and we always plow in Low gear with 4-wheel drive engaged. Haven't got stuck yet. Raising and lowering the plow is handled by the Warn winch (barely visible just above the plow). The winch came pre-installed on the ATV and the fingertip controls are fully integrated on the handlebar.

Thanks to a simple but effective design the winch can still be used with the plow installed, like when I had to haul a fallen tree off the trail to get back to base camp (in fact the plow worked well as an anchor when the winch started to exert serious tension on the dead weight of the tree trunk).

And of course the third smart choice in the picture is the lady at the controls, my amazing partner Chey (as in: I chose her and she, thankfully, chose me). Who knew she would be a talented and enthusiastic plower of snow? That simply wasn't on my radar when I spotted her, over twenty years ago, amid San Francisco's ultra-cool coffee-house scene.

The Happiness Life Cycle: An Open Letter to NBC's Brian Williams

Dude...I just wanted to have a few words with you about the Happiness Life Cycle that you featured on NBC Nightly News last night.

(I'm assuming you're cool with the whole "Dude" salutation, what with you being a frequent and much applauded guest on The Daily Show and now heading up a very slick, video-rich, blog-enabled web site.)

[Chart: average happiness by age and sex]

And the first word I want to have is Dude! As in Dude! Did you look at this thing? It's going to drive people crazy.

Take me, for example. I'm a 55-year old guy and the chart is right! I am unhappy. Very unhappy. About rock bottom in fact, just like the chart says I should be. The thing is, Dude, I thought it was because the real estate crash just wiped out most of my net worth.

So much that I worked for has gone, poof, disappeared! Talk about depressing! But no, the real reason I'm unhappy, according to the chart, is because I'm at the bottom of the happiness curve.

Furthermore it looks like I'm about to start heading back up to happiness. This is great news, but so confusing. Does it mean I'm going to come to terms with being poorer than I was eight years ago? Eight years of hard toil, all for nought, yet I'm going to be happy? Maybe I am going to win the lottery just like the lady with the crystal ball said. Or perhaps an up-turn in the housing market is just around the corner (maybe you could start talking about it, pretty much like you talked us into bursting the bubble?). The thing is...

On IP and PII: Merely the Location of a Computer? Non!

A recent AP article entitled "EU Official: IP Is Personal" shows that some people still don't understand, or are prepared to willfully misconstrue, one of the basic privacy concepts: personally identifiable information or PII.

On the one hand you have the head of the European Union's group of data privacy regulators stating that "IP addresses, strings of numbers that identify computers on the Internet, should generally be regarded as personal information." He is correct.

On the other hand you have Google insisting that "an IP address merely identifies the location of a computer, not who the individual user is." Google is incorrect.

An IP address does not merely identify the location of a computer, just as your street address does not merely identify a physical location and your year of birth does not merely identify a year. All someone needs is a few 'mere' facts about you and your identity can be established. That's why it is called personally identifiable information.

There are plenty of simple experiments you can conduct to prove this.

Once More Unto the Breach Dear Friends?

I think that I speak for a number of my colleagues in the information security and data privacy communities when I say that "breach burn-out" is a recurring occupational hazard.

Here's how it goes. After some period of time spent working on projects to improve security and privacy you hear about a rash of incidents, a string of security breaches, that elicit weary groans. You find yourself asking, "Why do I bother?"

Sometimes the still small voice of calm will answer, "For the money." You remind yourself of the payments that are due, the mortgage, the doctor bills and the health insurance (which may well be bigger than the mortgage). And you decide to keep going.

Sometimes you find yourself in a position to ease back on the earnings and take some time to smell the roses, and you say to yourself "Them roses, they sure smell good." But then you hear about a rash of breaches that elicit groans of a different kind, groans of anger and frustration, tinged with regret. And sometimes you decide it's time to rejoin the fray.

Speaking for myself, I've been groaning a lot lately. There was Facebook, valued at billions, either failing to get a clue about privacy or arrogantly flaunting privacy conventions to see if it could make a buck. There was the year-end count of private data exposures that topped 160 million records. There was Boeing and its hackable Dreamliner (after the FAA intimated the 787 could be hacked because "it allows new kinds of passenger connectivity to previously isolated data networks," Boeing said that "the plane's networks don't completely connect" as though partial connection was somehow not connection). Now we have CIA statements at SANS about hacking utilities and other SCADA systems, reminding everyone that folks in several sectors have continued to develop and deploy mission critical systems under various false assumptions about security.


(Which part of War Games did these people sleep through? BTW, there is a good primer on SCADA on Wikipedia and here is a well-balanced set of slides--in .pdf--put together by D. Maynor and R. Graham at ISS. Their experience parallels what my colleagues found in the nineties: zero systems they could not penetrate, and many that could be hacked with skills rated 3 or less on a scale of 1 to 5.)


Even cool companies like Aptera seem to be forgetting simple things, like not letting other people sign you up for their email. Hardly on the same scale as diddling with the spent fuel rods at a nuclear power plant, but one more reminder that when it comes to security and privacy, most people just forget this stuff. Which is not so much a criticism of "most people" but a reminder that most people don't have an innate talent for "security-think."


Indeed, this truism is so well-established that the folks in charge should have put well-established mechanisms in place to compensate some time ago, like security input at the design stage and security review during development and deployment. With all the other problems the world faces, it would be nice to think that by now we had routed the insecurity dragon or at least chained it up in its cave. Apparently we have not. Darn it!


[Exeunt. Alarum, and chambers go off]