terriko: (Default)
2012-07-12 02:46 pm

Web Insecurity: Should you really change your re-used passwords after a breach? Maybe not.

Cross-posted from my security blog, Web Insecurity.


Should you really change your re-used passwords after a breach? Maybe not.




The news is reporting that 453,000 credentials were allegedly taken from Yahoo, and current reports say that it was probably Yahoo Voice that was compromised. If you want to know whether yours is in there, the hacker website seems to be overwhelmed at the moment, but you can search for your username/email here on a sanitized list that doesn't include the passwords.

Probably unsurprisingly, the next bit of news is that people haven't changed their hacked passwords from previous breaches. To wit, 59% of people were re-using the passwords that had previously been hacked and released to the public in the Sony breach. Which seems a bit high given the publicity, but I'm not as surprised as I maybe should be.
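The "59% re-used" figure above comes from joining two leaked credential lists on the account email and comparing the passwords. As an added example (my code, not anything from the original post or the reports it cites), here is that comparison on two constructed dumps in the usual email:password line format. The earlier dump stands in for the Sony leak and the later one for the Yahoo Voice leak; every address and password in them is made up. It also shows how a sanitized lookup list (emails only, as described above) is produced and queried.

```python
"""Cross-breach password reuse, as an added example; all data below is constructed."""
from __future__ import annotations

# Constructed stand-in for the earlier (Sony-style) leak.
EARLIER_DUMP = """\
alice@example.com:hunter2
bob@example.com:Password1
carol@example.com:letmein
dave@example.com:qwerty123
erin@example.com:correcthorse
this line has no separator and is skipped
"""

# Constructed stand-in for the later (Yahoo Voice-style) leak.
LATER_DUMP = """\
Alice@Example.com:hunter2
bob@example.com:Password1
carol@example.com:letmein!
dave@example.com:qwerty123
frank@example.com:welcome1
"""


def parse_dump(text: str) -> dict[str, str]:
    """Parse email:password lines into {email: password}.

    Emails are lower-cased so the same account matches across dumps that
    differ only in case. Passwords may contain ':' themselves, so the line
    is split only at the first separator; lines without one are skipped.
    """
    creds: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        email, password = line.split(":", 1)
        creds[email.strip().lower()] = password
    return creds


def reuse_stats(earlier: dict[str, str], later: dict[str, str]) -> dict[str, int]:
    """Count accounts present in both dumps and how many kept the same password."""
    shared = [email for email in later if email in earlier]
    reused = [email for email in shared if earlier[email] == later[email]]
    return {"shared": len(shared), "reused": len(reused)}


def reuse_rate(earlier: dict[str, str], later: dict[str, str]) -> float:
    """Fraction of accounts seen in both dumps whose password did not change."""
    stats = reuse_stats(earlier, later)
    return stats["reused"] / stats["shared"] if stats["shared"] else 0.0


def sanitized_list(dump: dict[str, str]) -> list[str]:
    """Emails only, sorted, so people can check whether they are affected
    without the passwords being republished alongside."""
    return sorted(dump)


def is_listed(email: str, dump: dict[str, str]) -> bool:
    """Case-insensitive 'was my address in this leak?' lookup."""
    return email.strip().lower() in dump


if __name__ == "__main__":
    earlier = parse_dump(EARLIER_DUMP)
    later = parse_dump(LATER_DUMP)
    stats = reuse_stats(earlier, later)
    print(f"accounts in both dumps: {stats['shared']}, same password: {stats['reused']}")
    print(f"reuse rate: {reuse_rate(earlier, later):.0%}")
    print("sanitized later dump:", sanitized_list(later))
```

On the constructed data four accounts appear in both dumps and three of them kept the same password, so the reuse rate is 75%; with real dumps the only things that change are the two input files and the size of the numbers.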

What I'd really like to know is how many of those people actually suffered from this password re-use. Did anyone bother to try re-using their credentials?

I'm reminded of one of my favourite security papers, "So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users," by Cormac Herley. In it, he claims that many security "best" practices like changing passwords frequently are actually a waste of time for the average user, when you take into account the risks involved.

So, is changing a password after a breach one of those things that we can skip without much incident? Sadly, I don't have any definitive way to analyze how many folk were inconvenienced by their password reuse in the Sony and subsequent Yahoo breaches, but I can make a guess: If those accounts were compromised on Yahoo after the Sony breach, we'd be seeing a lot more people changing their passwords between the two. So probably at least those 59% were not inconvenienced enough to change their passwords subsequent to the breach.  That's a lot of people.

Of course, it's possible that the accounts were breached and used in a way that the owner never noticed. But if they're not noticing, are they really being inconvenienced? Probably in a global sense (i.e. spam) but maybe not in a short-term decision-making sense. Of course, we could assume that the alleged hack is a hoax using many of the previously hacked passwords from Sony, but given how easy it is to compromise web apps I'm currently assuming that the hack itself is a real thing.  In which case, that's a lot of no-change. It looks suspiciously like you're likely to be more inconvenienced taking the time to change your password than you would if you did nothing, statistically speaking.

So, should you change your password after a breach? It depends on how much you feel like rolling the dice. Failing to change their breached passwords doesn't seem to have hurt that many of the Yahoo Voice denizens, but with numbers on re-used passwords hitting the news today, it's possible we'll see more people trying this avenue of attack in the future.  Still, rather than assuming those 59% are foolish for keeping the same credentials, it's worth considering that they might have just been savvy gamblers, this time.
terriko: Evil Soup (evil soup)
2012-03-28 12:13 pm

Web Insecurity: Apparently consumers do care about privacy

Cross-posted from Web Insecurity

I often get into discussions about whether people really do care about privacy, given that they give away personal information regularly when they share with friends via Facebook or other services. A recent report suggests that people do care, at least when it comes to banking and shopping:


The Edelman study released in February 2012 shows that consumer concerns about data privacy and security are actively diminishing their trust in organizations. For instance, 92% listed data security and privacy as important considerations for financial institutions, but only 69% actually trusted financial institutions to adequately protect their personal information. An even sharper disconnect can be seen with online retailers, with 84% naming security of personal information as a priority but only 33% trusting online retailers to protect it.


The blog of the Office of the Canadian Privacy Commissioner (from which I drew this quote) sums it up in the title: Privacy: Not just good business, but good for business.

But I have to wonder, do these numbers indicate that privacy-preserving businesses will be winning customers, or will we simply see claims of privacy that aren't backed up by carefully constructed systems? Do consumers really care about privacy or do they just say they care? How will consumers evaluate potentially spurious privacy claims? In Canada we at least have the privacy commissioner who brings issues to light, and worldwide we have the Electronic Frontier Foundation, but while both organizations are astute and do their best, privacy claims are something that will need to be evaluated by organizations like Consumer Reports that are used by consumers when making decisions about where they spend and keep their money. Right now, by and large, we only hear about the relative privacy of an organization when a breach occurs.

I attended a talk on Internet voting yesterday and the speaker quoted an official in DC who claimed that, "voters like internet voting, so it must be secure," which is really quite a terrifying quote if you think about it. The speaker joked, "does this mean that because my kid likes cake, it must be healthy?" It really clearly demonstrates first that users of the system have very little understanding of its safety (despite strides in the area, internet voting as currently implemented is rarely secure) but also that officials who roll out such systems have little understanding of the flaws of the system and are much too willing to overlook them for convenience's sake. If this is the case with voting, it's hard to believe that business would avoid such cognitive mistakes.
terriko: (Default)
2012-03-02 04:13 pm

"[Being different] over a whole lifetime, adds up to an enormous amount of needless trouble."

I'm re-reading Richard Hamming's talk on You and Your Research because I felt like I needed the kick in the pants to do great work this month after some very busy months of doing necessary but not necessarily great things.

In this reading, I was struck by this anecdote:

John Tukey almost always dressed very casually. He would go into an important office and it would take a long time before the other fellow realized that this is a first-class man and he had better listen. For a long time John has had to overcome this kind of hostility. It's wasted effort! I didn't say you should conform; I said ``The appearance of conforming gets you a long way.'' If you chose to assert your ego in any number of ways, ``I am going to do it my way,'' you pay a small steady price throughout the whole of your professional career. And this, over a whole lifetime, adds up to an enormous amount of needless trouble.


On a surface level, I've long believed this is true. I've long been primed in the art of social hacking, first by my father and more recently as a security researcher/hacker. Anyone can watch the subtle variations on how I dress on teaching days or days when I'm going to the bank and you'll note that I pay attention to fitting in to the environment and manipulating the way in which I'm perceived. But as a child of the Internet, more or less, my experimentation hasn't been limited to physical presentation. Especially as a teenager, I spent a lot of time grossly mis-representing my age and gender as well and watching how that changed my interactions with folk.

But what gets me this time is the end of that quote: "[If you don't appear to conform,] you pay a small steady price throughout the whole of your professional career. And this, over a whole lifetime, adds up to an enormous amount of needless trouble." Sometimes it's important to change the system, but sometimes you just want to get stuff done.

I can dress the part, but I don't generally change my gender presentation in real life. Is my female-ness adding up to an enormous amount of needless trouble over my lifetime given that I work in a field where that's going to make me non-conforming? I suspect it is, although I'm fortunate enough that my gender presentation is often canceled out by my racial makeup (Asian girls are totally good at math, don'tcha know?) so I can console myself by saying maybe it's not as enormous as it might have been. But not every person who doesn't fit the norm for their field has that consolation prize. Are we all paying the price of being different?

It's easy to get a little saddened by this. All that time explaining that no, I really am a techie, has added up to a lot of time I'm not having amazing conversations and doing great work. But before you get too saddened about how your hard-to-hide features like race/age/gender are affecting your ability to Do Great Things, you should stop and listen to Duy Loan Le's excellent 2010 Grace Hopper Celebration Keynote. In it, she talks about what she does to fit in to environments where she felt that letting go of her ego made it possible for her to get more good work done. I think it's really worth a listen, especially if fitting in isn't just a choice of what suit to wear for you.

terriko: (Pi)
2011-11-15 12:24 am

Trying to use my post-GHC energy wisely

Honestly, I think I make more resolutions after GHC than I do at new year's. I'm always so inspired!

Thing 1: Pushing the development of the GNU Mailman UI



Two things came together for me at the conference:

1. One thing I heard frequently while working the free and open source software booth is that there are plenty of folk interested in getting involved with open source, but they're not sure where to start.

2. I came home with a suitcase full of paper prototypes and pictures from the Mailman 3.0 part of the codeathon for humanity on Saturday. I was looking at spending my evenings digitizing them and turning them into functional prototypes.

So... I asked for help! Transcribing paper prototypes isn't the most glamorous of work, but it's a great place for a beginner to start, and given that we're hoping to have a Mailman 3.0 release as soon as possible, new contributors would have a chance to ramp up to doing real code commits very quickly. Plus they'd be able to see their code go out and be used in the real world sooner rather than later!

I posted to the Systers list knowing I wasn't the only one feeling the post GHC rush, and I posted to the Mailman list knowing we had a would-be contributor who wanted to help.

What I wasn't expecting was that I'd have talked to NINE volunteers in less than 24 hours. How awesome is that? And most of them are women as well!

Now I have the problem of making sure I have enough for everyone to do, but with a variety of skill levels I'm sure we won't have any trouble finding stuff for everyone. I'm so excited, and I hope they are too!

Associated goals:
- Allocating more of my time to serious Mailman development.
- Getting more women involved in open source.
- Improving the usability of Mailman 3.0
- Speeding up development of the Mailman 3.0 UI.
- Doing some teaching/mentoring since I love it but won't be doing it at work this year.

Thing 2: e-textiles



The first thing I did after I got home from GHC11 was sleep. But when I woke up in the middle of the night, the second thing I did was order stuff from SparkFun. :)

I've ordered a couple of simple e-textiles kits and the goal will be to play with them. I made an awesome monster at the GHC e-textiles workshop and I was eager to do more. The end goal is to build a set of lights into my new coat that respond to my movement in some way (See the tentative wishlist), but for now I'm going to make a lit cuff/armband for walking at night and experiment with the neat little aniomagic chip 'cause it looks like so much fun!

Associated goals:
- meeting more people in the local community
- actually becoming a member of a hacklab to support my projects
- making it safer for me to walk home in my beautiful-but-not-visible new black coat
- experimenting with e-textiles
- doing some more hardware-oriented projects
- making sure I had a project that would take me away from the computer

Not-quite-a-Thing 3: Not biting off more than I can chew



A common theme at GHC is reminding people that we have to really be careful about time management so that we don't get overloaded, so I'm choosing those two things that cover lots of my personal goals, and I'll aim to do them well and save the other things I want to try for later. Wish me luck!

I'd love to hear how other people are using what they learned at GHC11!
terriko: (Default)
2011-10-08 02:33 am

In case you were wondering why you haven't seen an Ada Lovelace Day post from me...

In the past few days, I have wrapped up whatever I could, flown something like three thousand kilometers and changed countries and time zones, got woken up repeatedly by an alarm clock that appeared to be switched off (and thus couldn't be turned off, either), dealt with my insurance company and two banks, obtained new credit cards and a new driver's license, looked at some of my water-damaged stuff, failed to finish my thesis defense slides, caught up with half of my family who I haven't seen in a month...

Needless to say, I have not written a post for Ada Lovelace Day. But you can click on that link and read other people's posts, and you can still write your own post about someone awesome. I mean, you don't need a special day for that, you know?

I, meanwhile, have unplugged the haunted alarm clock and am going to try to actually get some sleep.
terriko: (Default)
2011-10-03 05:46 pm

How can we make electronic lending better for libraries?

I got an audiobook to play on my MP3 player today, and it was a chore and a half with around 5 hours worth of upgrades. I could write a post about the procedure, but that's been done.

Brad Colbow's comic pretty much sums up the DRM problem best, I think. Getting DRM-protected content sucks, but libraries often have such systems in place to allow lending. I hate DRM, but I like my library, and I really like the idea of libraries being able to lend electronic content in a way that makes sense.

What I want to know is "what we are doing about it?" I know plenty of folk interested in open technology/culture... do any of you know of alternative software available to libraries? Resources they could use that would be more awesome and still enable lending?

(Related reading: Across the Digital Divide talks about why the whole "print is dead" thing leaves a lot of people in the dust. If you think about it in that context, making it easier to lend electronic resources in the future could be a bigger deal than you'd think.)

Usually I see people recommend you donate to the EFF or somesuch. And that's a good idea in general, but... I mean, I know I'd like to just have a world that was DRM-free. But apparently this is not a solution that works for my library, or more to the point it's not a solution that works for the places where my library obtains content. I want DRM to be dead, but I also would like to be able to borrow electronic resources a little sooner than never, thanks. Surely there are folk out there who are willing to sideline the ideology for now and just try to make something that's actually good?

So... what *are* we doing to make it easier for libraries to lend us electronic stuff?
terriko: I am a serious academic (Twilight Sparkle looking confused) (Serious Academic)
2011-09-26 09:12 pm

Pseudonymity enables my creative relaxation

It is incredibly relaxing for me to be working on new art projects and posting them under a completely new identity.

I'm working in a style and media in which I'm not proficient, and it's kinda fun to do it risk-free. No one's going to search one of my existing ids and find my first tries at stuff. "She" can experiment and squee over pretty creations and no one will use it as leverage about how I'm not a Serious Academic or Real Programmer or whatever because I'm playing around with some art.

As an incredibly surprising bonus fun thing for me, My alternate identity's already got some fans! Complete strangers are actually excited about seeing more of what she can do!

There's a lot of good reasons to care about pseudonymity. Many of those apply to me; sometimes I use my "real name" or derivatives thereof anyhow. But I'm really digging this playful use of a pseudonymous account to gain access to some extra creative freedom without being totally introverted about it. Fun!
terriko: (Default)
2011-06-24 03:54 am

The Ada Initiative

One last blog post for today, I promise!

Donate to the Ada Initiative’s Seed 100 campaign to support women in open tech and culture!



I've been completely remiss in mentioning this. (I blame thesis, as usual.) My friends Mary and Valerie have started the Ada Initiative to support women in open technology and culture, and they're looking for a few more donors to round out their initial funding round.

I regret that right now I don't have money to support them financially or time to be a bigger part of what they're building, but what I can do right now is tell you why those of you who can donate should do so.

Some of you may already know one or both of them. If you don't, you should know that Valerie and Mary are both awesome at getting things done.

When Mary was running Linuxchix, not only did she keep things in basic working order, but she also had a great vision for driving things ahead and doing more. While the new coordinators have done a good job of keeping things going, I'm really sad that when she left we lost that extra push to go beyond our original mission. After a women-in-tech BoF Valerie organized (and I attended) at the Linux Symposium, she went on to write the HOWTO Encourage Women in Linux, making sure that the things we'd discussed could be brought to a wider audience. They go beyond the level of keeping afloat as non-stereotypical geek, and towards making things better.

There's a lot of frustrating things that come up as a geeky woman, some big, some small. I'm trying to do my part by writing for geek feminism and bringing attention both to the good and bad. But Valerie and Mary believe they could have an even bigger impact on the problems if they worked on this full time rather than relying on all of us already busy people to work that second shift.

These are women who can recruit teams of top-notch volunteers, build networks, and seriously make a difference in the world, so if you're interested in supporting women in open tech and culture and want to know your dollar's going to have an impact, The Ada Initiative is a great cause.
terriko: (Default)
2011-06-13 01:37 am

Why I don't like to be called docile

Some time ago, my sister and I raised a stink with my online gaming friends after one of the guys said that the Japanese were docile. Half Japanese ourselves, we reacted by being anything but docile, and in the end the dude left the group (permanently). Despite our attempts to educate, I doubt if he ever really understood why we were so upset by his casual racism or even that it was casual racism.

I read this article today that really resonated with me about the historical reasons why calling Asian women docile is so offensive, and I want to share this quote which puts the problem in some crude but clear focus.


Much of the concept of Asian women as sexually submissive comes from the victimized condition in which American soldiers found these women when they arrived in combat zones throughout the Pacific.

[...]

This particular form of racism has myriad consequences for Asian-American women. A significant amount of the attention we receive from non-Asian men is in the form of creepy, excessive enthusiasm… as if they grew up at Pappy’s knee listening to legends of how Asian women will do anything to your penis that you want them to. Then there is the offensive assumption that anyone who is half Asian is the product of an American GI and an Asian woman he met standing on the corner saying “me love you long time.”

-- "Asian Women, American GIs, and Modern Rape Culture"


I have other, more personal and Canadian-context-sensitive reasons for disliking the stereotype too. As if the reasons above weren't enough!

The saddest part of my online gaming story is that the guy is married to a Japanese woman and has kids. His daughter(s) will be exposed to this kind of crud regularly as she grows up. I certainly hit terrible variations of this stuff as a young teenager (amplified by the "geeks love Asian women" meme). I hope by then he's a little bit more understanding as to how an offhand generalization can be part of a pattern of internalized racism.
terriko: (Default)
2011-02-28 02:00 am

The advantage of being me

From The Advantage Of Dual-Identities (A Case Study of Nabokov), I bring you this quote:

It’s also important to note that the advantage of having a “dual-identity” – being both a novelist and a scientist, for instance – isn’t limited to Nabokov. According to a study led by Jeffrey Sanchez-Burks, a psychologist at the University of Michigan, people who describe themselves as both Asian and American, or see themselves as a female engineer (and not just an engineer), consistently display higher levels of creativity.


So as a female, half-Asian, all-Canadian researcher, I'm clearly better at creativity than all those boring white dude researchers?

I don't even know exactly where to begin on this. So I'm going to talk about Bones for a minute. I've been watching it with my sister lately while we do other things (crochet, do mending, wander around looking for things in an mmo, eat dinner, etc.) and the other day she pointed out that she loves how the show deals with Angela, or really, how it doesn't. See, Angela Montenegro is the team's artist: she does sketches of the victims. But she doesn't stop there: she also coaxes data off broken camcorders and swallowed flash drives doing digital forensic work. She's an adept computer programmer who writes software that helps visualize and model what happened during a crime. What's cool about Bones is that it's totally taken for granted that she can be an artist and a coder. (And really, pretty much whatever else she wants to be.)

So I guess while I fundamentally agree that having multiple "identities" is a huge asset to my work and creative abilities, I sort of feel like... why are they making such a big deal about this, as if it's some hugely abnormal thing. Why can't they just accept that Angela can draw and code? Why do people insist on compartmentalizing people into single skill sets? I can drive a car and code and no one thinks that's weird, but plenty of people have commented with surprise that I can edit a magazine (yes, I used to do this) and write code. Hello, world?

The article just makes me a little uncomfortable. The worst part is the paragraph about how the US will be overrun by mixed-race folk like me with superior creative skills -- awkward racial superiority with a different spin -- but even the study methodology doesn't quite sit right with me at a first reading. But maybe the article is simply a journalistic reflection of research into a real logical fallacy that people often employ: the assumption that one must specialize in only one skill to be the best person one can be. That's one of those things that might be true for programs, but I really haven't seen much evidence of it being true for people.

Despite my issues with the article, I think it's got a nice take-away message: it's a-ok, normal, and maybe even superior to have and use your multiple identities. And don't let incredulous folk tell you otherwise.
terriko: (Default)
2011-02-17 01:24 am

Jonathan Blow on why social games are evil

If you haven't read this interview with Jonathan Blow (creator of Braid), you really should.

Some choice quotes:
A game like World of Warcraft or Counter-Strike or whatever is way more social. Because you actually meet new people in clans or guilds. You go do activities together and help each other out, right?

[With certain social games] it’s about the game exploiting your friends list that you already made, so it’s not really about meeting people. And it’s not really about doing things with them because you’re never playing at the same time. It’s about using your friends as resources to progress in the game, which is the opposite of actual sociality or friendship.


I've always said the really addictive part of games, for me, was the people. Now I'm just disturbed by that interpretation of the use of people in fb games...

Designers know what they are doing. They know when they show up in the office – “My goal is to degrade the player’s quality of life”. They probably won’t think about that exact phrase. But [will think], “My goal is to get people to think about my game and to put more money into my game and get other friends to play my game to the exclusion of all other games and all other things that they might do with their free time.” That is the job description of those designers. And that’s evil. It’s not about giving people anything. It’s about taking from people.


Now go read the interview: Jonathan Blow interview: Do you believe social games are evil? “Yes. Absolutely.”
terriko: (Default)
2010-12-20 11:18 am

Wishmas list (aka things where I could use some help!)

A friend pointed out this sort of fun take on wishlists. I like especially that there's no need for the request to be physical items so much as help with something, so I've been thinking about things I want that maybe other people could help with...

1. A new web design for http://list.org. I've been promised near-complete creative control if and when I'd like to redo it, but haven't had the time, and if someone could hash out a design or two for me to start with it'd save a lot of trouble. Or you could do the whole thing including reorganizing the content -- that's even more time I don't need to spend! It'll have to be highly standards compliant, and preferably fairly simple/minimal/clean -- absolutely no flash, probably no JavaScript even. I can sit down with someone and explain my vision for this project and known issues with the existing site in more detail if necessary.

2. Beautiful demos and/or integration of my students' code into Mailman 3. I have some students who did some lovely work on the archives of Mailman (you can read their summer of code blogs here and here) but haven't had time to integrate it. I really want to do this myself, but if I wait for me to have time it may not get done 'till summer of code starts up again... The code is in python, and even if you're not a coder doing some nice web design for the UI to show off the functionality the students have built would also be amazing.

3. Someone to drive Now We Must Fight forwards. This means someone who can organize a location to start shooting with sufficient light and space, as well as coordinate the schedules of a handful of fighters, choreographers and crew. In a similar vein, someone to coordinate readers and recording for HL. I just haven't sat down to get people over for a recording session and could use someone to set a date in mid-January and possibly edit the resulting audio recordings. I have new project books and can host, I just need a nudge to set up a time (likely mid-january).

4. I *was* going to say find me the perfect job when I started writing this list, but since I currently have an offer in hand, I think perhaps that would not be a tactful request. However, I do have a few friends who are job hunting and would love leads. Three who might be able to find help here: a highly experienced DBA (esp. Oracle) who would like to stay in Ottawa, a (mostly windows) system admin who would prefer to stay in Ottawa (but might be more flexible for the perfect job), and finally a senior(?) software developer who is more mobile.

5. I'm looking for a miniature figure for my current role-playing character in our d&d 3.5 campaign. She's human, a favoured soul of Kord, and will probably be wearing heavy armour and wielding a greatsword. I hate stupid fantasy armour (e.g. must protect the boobs, not display them), and I don't like minis that look angry. Bonus if you can also find a mini for my sister's character, who is a rogue/swashbuckler who likes to use atypical weapons (I think she's currently using a halberd?). Again, no stupid armour. You don't have to buy said figure: pointing out models that might work would be awesome. :) Painted would be nice, since I haven't had much time for detail work myself. Sketches of the two characters adventuring together would also be fun for our (private) game website!

6. I could use some coding help with my thesis work (currently using webkit/chromium). I actually *can* delegate some of my code to someone else if you'd like to be an unpaid (but credited) research assistant, but what I really could use right now is pointers to good tutorials and documentation for my own edification. I'm currently interested in modifying CSS and co-opting the HTML5 iframe sandbox implementation. I'll likely be interested in creating chrome/chromium plugins too. By the time I get back to this from the theory work I'm doing now, I'll probably have forgotten all I know, so even lower-level tutorials would be awesome.

7. Recommendations of graphic novels/manga that are neither too dark nor too inane. Think of stuff like Girl Genius, Meridian, early Elfquest (wow, their site is irritating), even Ex Machina (which is actually somewhat dark, but with a lot of light shining through). I periodically get good recommendations for darker stuff, but I've been craving sweeter stories with happier endings and less angst and gore of late.

8. http://planeteria.org/wfs/ seems to be down, and I miss the aggregator of women in free/libre open source software that used to be there. Can someone tell me what happened? Anyone want to start a new one? I'd like it to use software that can do the aggregation and let users sign up and edit their own feeds, with a few folk having editorial control to keep spammers from taking over. I can volunteer to help with the editorial control if needed.

9. Help understanding US medical insurance and other minutiae about moving to the US as a foreign national. I have an offer that I'm really excited about, but I feel barely qualified to understand the benefits package, let alone what the conditions on my working in the US will likely be, or even how I go about paying taxes (and who gets what?). Are there good "immigrating to america as a tech worker" resources I should be perusing?

10. And just so there's one thing that fits the stereotypical consumerist mould for wish lists... I really want this necklace of pi to 35 decimals. Really really want it. Wouldn't turn down the excellent Fibonacci necklace either. ;)

If you can help with any of those, I would very much appreciate it! And I'd love to see your wishlists too!
terriko: (Default)
2010-12-14 01:14 am

Web Insecurity: A brutally honest privacy policy

Short post up on Web Insecurity about a hilariously, brutally honest privacy policy. An excerpt from the policy:


So just to recap: Your information is extremely valuable to us. Our business model would totally collapse without it. No IPO, no stock options; all those 80-hour weeks and bupkis to show for it. So we’ll do our very best to use it in as many potentially profitable ways as we can conjure, over and over, while attempting to convince you there’s nothing to worry about.


You can read the whole policy here or you can read my summary and commentary on Web Insecurity.
terriko: (Default)
2010-12-03 01:34 pm

6 reasons event organizers should adopt the Conference Anti-Harassment Policy

Valerie and a number of my feminist friends have been working on a generic Conference anti-harassment policy which can be adapted to suit specific events. This is a response to quite a number of incidents that seem to crop up in geekdom. (And those are just the ones we know about and have recorded -- many people prefer not to talk about problems publicly for various reasons.)

You can read about the conference anti-harassment policy on geek feminism, and even hacker news has picked it up with the free link to the article on LWN.

I want to urge conference organizers to take a look at the policy and consider adapting it, even if you don't know of any problems at your event. Here's a few reasons:


  1. It's a signal that you're serious about the safety of the folk at your event. How can that possibly be a bad thing?

  2. It helps your staff recognize when there may be a problem. This makes it easier for them to do their jobs!

  3. It gives your staff a starting point for what to do if something happens. That also makes it easier for them know how to respond appropriately.

  4. It makes it clearer to attendees what constitutes appropriate behaviour at your event. This is a courtesy since explicit rules are much easier to follow than implicit ones!

  5. Remember that a number of geeky folk have particular trouble sussing out unspoken rules, whether that's due to being non-neurotypical, just being so focussed on geekery that other more social rules get missed, or any other reason. It's easier if people don't have to guess the rules.

  6. The point of the policy is to prevent problems from occurring in the future. Implementing it isn't going to imply to anyone that you've been hiding incidents, and being asked to implement it doesn't mean that people think you've been inviting skeezy, scary folk to your events. It's probably just an explicit statement of rules that you thought were obvious.



Think of it like a seatbelt: hopefully you'll never need it, and maybe it'll make a few folk uncomfortable, but you'll be happy it was there if you have to slam on the brakes. Wearing your seatbelt isn't an admission that you're a bad driver, it's just an admission that you can't control the behaviour of other people, so you might as well do your best to stay safe.
terriko: (Default)
2010-11-03 12:22 pm

Web Insecurity: Security Costs vs Benefits: Should companies deploy SSL to deal with Firesheep?

Yesterday, I talked about why end-users don't care about security and how that actually makes a certain amount of sense for them since the cost of behaving more securely can overwhelm the cost of an actual breach.

However, what I didn't talk about is whether this is true for companies. A single security breach in a single user account maybe doesn't cost a company much, but if breaches get common enough that they start losing users, it could be a problem with a much higher cost.

While users trying to protect themselves from curious folk with Firesheep are counseled to use a VPN, website owners can choose to do encryption right from their end using SSL. But it was thought that SSL was computationally costly and even environmentally costly due to the supposed need for extra electricity and machines.

But who's been looking at what those costs actually are?


Read the rest at Web Insecurity
terriko: (Default)
2010-11-02 01:49 pm

Web Insecurity: Apathy or sensible risk evaluation: why don't people care about security?


Engineer Gary LosHuertos decided to try Herding Firesheep in New York City: he sat down in a Starbucks, opened up his laptop and started gathering profiles, then sent messages to people whose Facebook accounts he could access warning them of the security flaws. Some people closed up and left, but some just ignored his message and went on with their day. Confused, he sent another message, but they just didn't seem to care and continued using their accounts.




He was appalled that people, even when warned, would ignore a security flaw, but it's actually well known that people reject advice. The interesting part of the story comes with Cormac Herley's paper "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users" -- it turns out that it makes perfect sense that people refuse to do security things, and fixing the flaws that Firesheep draws attention to is just another example of where security advice just isn't worth following.

You can read the full version of this post on Web Insecurity: Apathy or sensible risk evaluation: why don't people care about security?
terriko: (Default)
2010-10-29 01:25 am

Web Insecurity: Apparently Facebook hates privacy so much that they pay lobbyists to stop privacy laws

Originally posted on Web Insecurity, but it's short so this is a full cross-post.

Apparently Facebook hates privacy so much that they pay lobbyists to stop privacy laws



This maybe shouldn't surprise anyone, but Mashable is reporting that Facebook Lobbied to Kill Social Networking Privacy Act in the USA.


It's one thing to believe that privacy isn't important, or to make mistakes that expose users, but paying people to lobby against privacy legislation that might protect your users seems like a big step further. It makes me concerned as a user of the service.


Incidentally, Facebook has already broken Canadian privacy law (they're not the only ones), and likely the laws of several other countries, so I guess it makes sense that they wouldn't want to run afoul of further laws... but I really wish they'd do this by handling privacy issues better rather than paying people to make sure the laws don't come into effect. Maybe the law was simply ill-conceived (I haven't read it) but this really doesn't sound like the actions of a socially-responsible company. Very disappointing.
terriko: (Default)
2010-10-10 12:24 am

Meritocracy? Might want to re-think how you define merit.

This has been cross-posted from Geek Feminism, but I found this research really fascinating so you're getting a full copy here too.

You might think if you put together a lot of smart people, you'd get a smart group, but new research into group intelligence shows that's not always the case. (For those of you who don't have access to online journal subscriptions through your local library or university, there are more details in the Carnegie Mellon University press release.)


What we found is that the intelligence of the team members was not significantly related to the collective intelligence, either positively or negatively.

[...]

Our first observation and the one that surprised us the most was that the proportion of females in the group seemed to be strongly predictive of the collective intelligence of the group.


However, when they looked more closely they realised that it wasn't the gender that mattered, but rather the social sensitivity of the group members (previous studies had shown that women tend to score more highly in social sensitivity).

It's not the intelligence of the group members that matters; it's their social sensitivity.

So the more your group members were socially sensitive, the better the group performed in measures of collective intelligence. The key here was that group members need to collaborate, and to do that they needed those social skills to help them work together. This includes some different conversational patterns: groups where one or two people dominated conversations exhibited low collective intelligence, while groups where more people contributed had higher collective intelligence.

This scientific research is potentially a big blow to the standard "meritocracy works" theory often espoused in open source and computing groups. Standard meritocracy rules say you do clever things and you get accepted, and this will make for perfectly good teams. But given that there's often bias that dismisses "soft skills," it turns out that folk may actually be using typical geek meritocracy rules to weed out some of the people we need to make the group most effective as a whole.


Some of my female colleagues would like to conclude that you simply just need to hire more women. While that might be easier, what it really suggests is that you need to pay attention to what people refer to as these "softer skills" and thinking about who's going to be a good team player, not necessarily focused solely on individual achievement, individual accomplishments.


So if you want to claim that the best way to build tech teams is meritocracy... you might want to think more carefully about how you define merit.


The quotes in this article are drawn from Bob McDonald's conversation with Dr. Anita Williams Woolley, the lead author, on the Quirks and Quarks interview aired October 9. You can download the podcast of the segment on collective intelligence here.
terriko: (Default)
2010-09-22 01:50 pm

CompSci Woman: How I Quit Computer Science (And What Drew Me Back)

I know, I know, I don't really need to be writing for another blog; I need to be writing my thesis. But my friend Cate and her friend Maggie started this cool project trying to make it easier for women to find real women in computer science when they hit up Google trying to get a sense for what things are like. Their subject for Sept/Oct is "how I got into computer science" and I joined the group by sending in my story.

I suspect many readers of this blog have heard this story (some of you lived through it with me!) but here's a teaser anyhow:

How I Quit Computer Science (And What Drew Me Back)

To explain how I ended up in computer science, you have to understand the story of how I quit.

(…)

First year computer science was geared towards students who had little to no experience with computers, and I realised that I'd be wasting several years of my life waiting for my peers to catch up. On top of that, it was boom times and CS was being viewed as a shorter path to a 6-figure salary than the more education-intensive med school or law school. The people who were there weren't really in love with the discipline; many were just in love with the idea of being rich. I wasn't interested in paying thousands of dollars per term to waste my time with peers I didn't respect in a program that was boring me to tears.

I was disappointed, disillusioned, and wanted a challenge that was clearly going to be a long time coming in CS. So I dropped out.

Read the rest here.


(Those of you who are women in computer science are also welcome to join! The bottom of this page has more details.)
terriko: (Default)
2010-06-23 12:37 pm

I am not...

I really enjoyed this post titled Manifesto: I Am Not a Brand.

It makes me sort of want to make a list of all the other things I'm not that I keep getting suggested to me.

#1. I am not an entrepreneur. Yes, I have great ideas. Yes, some of them could make money. No, I'm not interested in sacrificing my life and sanity to push them. Some people really get a kick out of that sort of thing, but the idea of doing that stuff makes me feel vaguely ill. I know, there's all these studies touting the awesomeness of women entrepreneurs, and that's lovely, but I'm Not One Of Them. Thank you very much.

#2. I am not Japanese. No matter how much you want me to be, no matter how small my eyes are and dark my hair is, no matter how much genetically came from that country if you go back far enough, it's just not true. When I tell you I'm Canadian, I mean it, and it's the only ethnicity that really tells you anything useful about me. Accept it and move on.

I'll bet I'll think of more throughout the day, but those are the two that get shoved in my face most often of late.