<?xml version="1.0"?>
<rss version="2.0">
<channel>
  <title>Darwin&#039;s Theories - security tag</title>
  <link>http://theories.darwinsys.com:80/tags/security/</link>
  <description>Call it a Blog if you like -- Ian</description>
  <language>en</language>
  <copyright>Ian Darwin</copyright>
  <lastBuildDate>Sat, 19 Nov 2011 14:35:00 GMT</lastBuildDate>
  <generator>Pebble (http://pebble.sourceforge.net)</generator>
  <docs>http://backend.userland.com/rss</docs>
  
  
  <item>
    <title>Security Theatre, Part n</title>
    <link>http://theories.darwinsys.com:80/2009/12/31/1262291700000.html</link>
    
      
        <description>
          According to a &lt;a href=&#039;http://news.bbc.co.uk/2/hi/americas/8435285.stm&#039;&gt;BBC report&lt;/a&gt; on the latest security theatre, airline customers are now to be subject to the following indignities for in-flight entertainment:
&lt;ul&gt;
&lt;li&gt;Customers to remain seated during final hour of flight;&lt;/li&gt;
&lt;li&gt;No access to hand luggage and a ban on leaving possessions or blankets on laps during this hour.&lt;/li&gt;
&lt;/ul&gt;
Now I don&#039;t know about you, but I don&#039;t find this very comforting. The thought of being forced to sit still is inculcated in obedient citizens from kindergarten (a German word meaning roughly &#034;vegetable garden to grow kids&#034;). But at a certain point things like bladder pressure will win out. And what happens if you&#039;re in mid-whiz at the one-hour mark? Do you get shot by the air marshal while trying to return to your seat? (Watch the news for this one, folks). The entire process is utterly ridiculous. If the bomber had tried to light his fuse at the 45 minute mark into the flight, who can doubt that they&#039;d ban visiting the toilet between 37 and 52 minutes after takeoff?
&lt;p&gt;
Remember the shoe bomber and how airport security made everybody take their shoes off before flight? Didn&#039;t stop the next religious fanatic with a fuse to light, did it?
&lt;p&gt;
The notion of an allegedly civilized nation dancing its &#034;security&#034; policies in the wind every time there&#039;s a real or perceived threat, to so vastly inconvenience its population while at the same time making no difference to the actual terrorists, is so laughable it&#039;s earned the term &#034;security theater&#034; - putting on a big show, but doing nothing for actual security.
&lt;p&gt;
It&#039;s not just me saying so. See Bruce Schneier&#039;s many &lt;a href=&#039;http://www.schneier.com/blog/archives/2006/08/terrorism_secur.html&#039;&gt;writings on this topic&lt;/a&gt;, and his essay
&lt;a href=&#039;http://www.schneier.com/essay-155.html&#039;&gt;The Psychology of Security&lt;/a&gt;.
Bruce is a well-known cryptology and security researcher; he knows whereof he speaks.
TSA, not so much.

        </description>
      
      
    
    
    
    <category>Politics</category>
    
    <category>Security</category>
    
    <comments>http://theories.darwinsys.com:80/2009/12/31/1262291700000.html#comments</comments>
    <guid isPermaLink="true">http://theories.darwinsys.com:80/2009/12/31/1262291700000.html</guid>
    <pubDate>Thu, 31 Dec 2009 20:35:00 GMT</pubDate>
  </item>
  
  <item>
    <title>OpenMoko and Android</title>
    <link>http://theories.darwinsys.com:80/2009/04/21/1240335300000.html</link>
    
      
        <description>
          A few people have asked me at various times for a comparison of the&amp;nbsp;  &lt;a href=&#034;http://www.openmoko.org/&#034;&gt;OpenMoko&lt;/a&gt; and  &lt;a href=&#034;http://developer.android.com/&#034;&gt;Android&lt;/a&gt; cell phone projects. Given that I advocate for the former, and also for  &lt;a href=&#034;http://java.com/&#034;&gt;Java&lt;/a&gt; which is (and is not) the base language of the latter, I am expected to be able to say something intelligible by way of comparison. So here goes.&lt;br /&gt;
&lt;br /&gt;
Android is a project spearheaded by Google to make an open-source phone. It uses Linux and its own Dalvik virtual machine, and applications are written in Java against the Android API and compiled down to Dalvik bytecode. Android does not expose the rest of the Linux services and does not support other programming languages. Android phones are available from a few carriers.&lt;br /&gt;
&lt;br /&gt;
Openmoko, funded by Openmoko.com, is at the other end of the spectrum: it also uses Linux, but exposes all of it to the developer. The &amp;quot;main&amp;quot; stack of phone apps has been re-written several times, using various X-based toolkits. The &amp;quot;official&amp;quot; OM2009 stack is in large part written in Python. C/C++, Java and Perl are all available. Openmoko phones are available from  &lt;a href=&#034;http://www.openmoko.com/&#034;&gt;Openmoko.com&lt;/a&gt;. However, because it is all open source:&lt;br /&gt;
&lt;ul&gt;
    &lt;li&gt;you can &lt;a href=&#034;http://wiki.openmoko.org/wiki/Android&#034;&gt;run Android on Openmoko hardware&lt;/a&gt;;&lt;/li&gt;
    &lt;li&gt;you could (people have) run Openmoko software on other devices, including Palm PDAs, other Linux phones, and software emulators;&lt;/li&gt;
    &lt;li&gt;you can probably run Openmoko software on Android hardware;&lt;/li&gt;
    &lt;li&gt;you can run QTopia on Openmoko hardware;&lt;/li&gt;
	&lt;li&gt;you can run one of half a dozen Linux distributions on your Openmoko hardware;&lt;/li&gt;
    &lt;li&gt;you can (eventually) run other OSes such as OpenBSD on Openmoko hardware;&lt;/li&gt;
    &lt;li&gt;etc.&lt;/li&gt;
&lt;/ul&gt;
From one point of view, they are not enemies. Both support the open source model. But as Openmoko developers have pointed out some time back, Android sits on top of Linux, abandoning most of the open source world and reinventing its own universe. Openmoko embraces all existing open source projects and any new open source comers.
As a single example, communicating to your Openmoko phone from a desktop/laptop computer
consists merely of running the
industry-standard &lt;em&gt;ssh&lt;/em&gt; and &lt;em&gt;scp&lt;/em&gt; programs, included with every *Nix and
readily available for those other OSes that need them.
Talking to your Android phone requires finding, installing, and figuring out how to use
an ad-hoc program called &#034;adb&#034; (at least the third use of this name, after Unix&#039; Algol/Another DeBugger and
Apple&#039;s Desktop Bus).
&lt;br /&gt;
&lt;br /&gt;
From another point of view, of course, they are competing. Competing for market share (neither has made many inroads in the consumer space). Competing for developer mindshare. Android tends to get a lot more press, partly because of the &amp;quot;big G&amp;quot; lineage.&lt;br /&gt;
&lt;br /&gt;
People sometimes ask if I think Openmoko should just fold up and go on to something different, given how far ahead Android has moved? I&#039;ve never been a fan of quitting while you&#039;re behind. Imagine if Linus Torvalds had quit while Unix was ahead; his then-little school project would never have seen the light of day, and we&#039;d all be running BSD and System V. Nothing wrong with those - BSD was already on its way to becoming a full open source *Nix, as represented today by OpenBSD, FreeBSD and NetBSD - but things would be rather different in what is now the Linux community, to say the least. Or if Bill Gates had quit while IBM was ahead. Or if Steve Jobs had quit while MS-Windows was ahead. Or if the U.S. had quit the space race when the Russians launched Sputnik. You get the idea. Don&#039;t quit while you&#039;re behind, nor when you&#039;re ahead. As Nathaniel Branden once put it, &amp;quot;a beating heart is a living heart&amp;quot; - so keep on pumping!&lt;br /&gt;
&lt;br /&gt;
And, at any rate, the &amp;quot;real&amp;quot; release of Openmoko software, &lt;a href=&#034;http://wiki.openmoko.org/wiki/Om2009&#034;&gt;OM.2009&lt;/a&gt;, is almost upon us; I am running a beta of it on my Freerunner (GTA02), and it&#039;s actually usable as a cell phone. Butt-ugly compared to some of the earlier releases, but it &amp;quot;just works&amp;quot;. Formal release is expected this summer.
        </description>
      
      
    
    
    
    <category>Software Industry</category>
    
    <category>Open Source Software</category>
    
    <category>Java</category>
    
    <category>OpenBSD</category>
    
    <category>Telephony</category>
    
    <comments>http://theories.darwinsys.com:80/2009/04/21/1240335300000.html#comments</comments>
    <guid isPermaLink="true">http://theories.darwinsys.com:80/2009/04/21/1240335300000.html</guid>
    <pubDate>Tue, 21 Apr 2009 17:35:00 GMT</pubDate>
  </item>
  
  <item>
    <title>JavaFX: Late to the gate, but sweet</title>
    <link>http://theories.darwinsys.com:80/2008/12/27/1230396568312.html</link>
    
      
        <description>
          &lt;a href=&#034;http://www.javafx.com/&#034;&gt;JavaFX&lt;/a&gt; is &lt;a href=&#034;http://www.sun.com/&#034;&gt;Sun&lt;/a&gt;&#039;s new Rich Client strategy for Java. If you haven&#039;t seen it yet, check out the demos on the &lt;a href=&#034;http://www.javafx.com/&#034;&gt;JavaFX home page&lt;/a&gt;. Unlike Adobe Flash and unlike M$ Silverlight, this technology actually works on &amp;quot;minority&amp;quot; OSes - my &lt;a href=&#034;http://www.openbsd.org/&#034;&gt;OpenBSD&lt;/a&gt; laptop with Java 1.6.0 is officially way behind the requirements, but the demos mostly work in FireFox 3 (except you can&#039;t tear off the tear-off applet, that requires Update 10). Despite &lt;em&gt;significant&lt;/em&gt; glitches on the web site - Sun should know better - on the day of the announcement (December 4, 2008), &lt;strong&gt;I&#039;m impressed&lt;/strong&gt;.&lt;br /&gt;
&lt;br /&gt;
So much so that I&#039;ve already added &lt;a href=&#034;http://www.darwinsys.com/java/javaResources.jsp#javafx&#034;&gt;this JavaFX section to my Java Resources page&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
&lt;img height=&#034;400&#034; width=&#034;600&#034; alt=&#034;JavaFX Effect Playground in action&#034; src=&#034;http://theories.darwinsys.com:80/images/javafx-effect-playground.png&#034; /&gt;
        </description>
      
      
    
    
    
    <category>Open Source Software</category>
    
    <category>OpenBSD</category>
    
    <category>Java</category>
    
    <category>Web</category>
    
    <category>Internet</category>
    
    <comments>http://theories.darwinsys.com:80/2008/12/27/1230396568312.html#comments</comments>
    <guid isPermaLink="true">http://theories.darwinsys.com:80/2008/12/27/1230396568312.html</guid>
    <pubDate>Sat, 27 Dec 2008 16:49:28 GMT</pubDate>
  </item>
  
  <item>
    <title>Protecting Your Castle</title>
    <link>http://theories.darwinsys.com:80/2008/12/21/1229877300000.html</link>
    
      
        <description>
          SANS.org has a nice white paper showing how to protect your home network using OpenBSD and other free software. According to the abstract:&lt;br /&gt;
&lt;hr width=&#034;100%&#034; size=&#034;2&#034; /&gt;
&amp;quot;It is possible to clean up the back yard with Free Open Source Software and a little design. Using off the shelf components and Open Source software the family geek can deploy a more multilayered security stance that will provide far more visibility and control over the network. This is not to say that large swaths of the Internet can be cleaned up just by plugging in a box, but to say that if anything should be a safe haven on the internet, it should be the family network, the backyard. It makes sense to clean up the backyard before taking on the world&amp;rsquo;s trash.&amp;quot;&lt;hr width=&#034;100%&#034; size=&#034;2&#034; /&gt;
Presumably the same techniques would apply to the average small business. Check it out at &lt;a href=&#034;http://www.sans.org/reading_room/whitepapers/firewalls/32933.php&#034;&gt;http://www.sans.org/reading_room/whitepapers/firewalls/32933.php&lt;/a&gt; [PDF].&lt;br /&gt;
&lt;br /&gt;
P.S. According to &lt;a href=&#034;http://www.bartleby.com/73/861.html&#034;&gt;Bartleby&lt;/a&gt;, the quotation in my subtitle, while commonly attributed to William Pitt, comes to us in its present wording from a pr&amp;eacute;cis done by Lord Henry Peter Brougham some sixty years later.
        </description>
      
      
    
    
    
    <category>Open Source Software</category>
    
    <category>OpenBSD</category>
    
    <category>Internet</category>
    
    <category>Security</category>
    
    <comments>http://theories.darwinsys.com:80/2008/12/21/1229877300000.html#comments</comments>
    <guid isPermaLink="true">http://theories.darwinsys.com:80/2008/12/21/1229877300000.html</guid>
    <pubDate>Sun, 21 Dec 2008 16:35:00 GMT</pubDate>
  </item>
  
  <item>
    <title>Less Is More: OpenBSD on the Acer Aspire One</title>
    <link>http://theories.darwinsys.com:80/2008/10/19/1224444180000.html</link>
    
      
        <description>
          My writeup of the new Acer Aspire One is up on www.undeadly.org.&lt;br /&gt;
&lt;br /&gt;
&amp;quot;We are certainly entering an era of &amp;quot;small is beautiful&amp;quot;, at least when it comes to sub-notebooks. Numerous manufacturers are producing these now, as witness &lt;a href=&#034;http://www.t3.com/news/netbook-spec-showdown-acer-aspire-one-asus-eee-pc-901-dell-inspiron-mini-9-hp-mini-note-msi-wind-and-lg-x110?=36605&#034;&gt; this comparison&lt;/a&gt;. The Asus EeePC (some models), the Acer Aspire One reviewed here, and the rumoured Lenovo U8 all use the Intel Atom CPU, which is &amp;quot;dual threaded&amp;quot;. This looks like a dual-core, and runs GENERIC.MP. Although it&#039;s not as powerful as a dual-core, it&#039;s close enough that it&#039;s faster than many a few-years-old full size laptop. I&#039;ve been using the Acer for a few weeks, including on a trans-atlantic flight, after several years with a much-heavier full-size industrial-strength notebook....&amp;quot;&lt;br /&gt;
&lt;br /&gt;
Read the full story &lt;a href=&#034;http://www.undeadly.org/cgi?action=article&amp;amp;sid=20081019040000&#034;&gt;here&lt;/a&gt;.
        </description>
      
      
    
    
    
    <category>OpenBSD</category>
    
    <comments>http://theories.darwinsys.com:80/2008/10/19/1224444180000.html#comments</comments>
    <guid isPermaLink="true">http://theories.darwinsys.com:80/2008/10/19/1224444180000.html</guid>
    <pubDate>Sun, 19 Oct 2008 19:23:00 GMT</pubDate>
  </item>
  
  </channel>
</rss>

