http://www.mamohanraj.com/journal/show-entry.php?Entry_ID=5098

Story here -- thanks to Scalzi for the link.

http://notedinaninstant.blogspot.com/2009/07/xcountry-pt-1.html

http://www.indiegames.com/blog/2009/07/hasatan_the_last_shmup_on_eart.html

Note: Video contains flashing images which may cause photosensitive epileptic seizures.

This Something Awful GameDev Challenge IV competition entry isn't packing a lot of gameplay (only one level, tries to copy cactus a bit too much, ripped sprites etc.) but you can't beat an intro like that when it comes to cooking up a background story for your game under pressure.

Video quality is very poor and the text is hardly readable, although it doesn't matter anyway as the epilepsy-inducing Game Maker release is already available for download and play. (music by AA.Kurtz, screenshots)

http://www.janchipchase.com/blog/archives/2009/07/transaction-transparency.html

A tip-jar in our most excellent local pho restaurant - the Vietnamese proprietor takes credit cards but suggests to customers to tip in cash.

As an artifact this tip jar is so stacked with intrigue, playing off numerous cultural and contextual assumptions: whether tipping is socially acceptable; whether it's acceptable to show or hold money; the likely denominations of money that is used to tip and whether those denominations are considered too dirty to display on a counter; whether the amount of money in the jar should be revealed - is a paying customer more or less likely to tip/tip well if the jar is perceived to be empty/full; and particularly transaction transparency - whether the size of the tip can be seen by proprietor as it travels towards the jar, and once it is placed the jar? Is the covered jar an attempt by the Vietnamese proprietor to be particularly sensitive to his (mostly Asian) cliental? - tipping being less prevalent in Asia than the US.

Simply beautiful.

http://www.janchipchase.com/blog/archives/2009/07/targeted-signs.html

A remarkably detailed 'do not' sign, right down the detailing of the Swiss Army knife. With the ability to identify the person in real time the increasing personalisation of signage, advertising. Or in this future perfect context would taking out a knife bring on the nag-bot?

The future perfect of signs?

http://lifehacker.com/5306482/tips-projects-and-great-eats-for-your-fourth-of-july-weekend

http://www.facilitatingchange.org/2009/07/the-internet-of-things-a-critique-of-ambient-technology-and-the-all-seeing-network-of-rfid/

http://www.facilitatingchange.org/?p=710

Rob van Kranenburg has written a new report for the Institute of Network Cultures.

The Internet of Things is the second issue in the series of Network Notebooks. It’s a critique of ambient technology and the all-seeing network of RFID by Rob van Kranenburg. Rob examines what impact RFID and other systems, will have on our cities and our wider society. He currently works at Waag Society as program leader for the Public Domain and wrote earlier an article about this topic in the Waag magazine and is the co-founder of the DIFR Network. The notebook features an introduction by journalist and writer Sean Dodson.

… Rob van Kranenburg outlines his vision of the future. He tells of his early encounters with the kind of location-based technologies that will soon become commonplace, and what they may mean for us all. He explores the emergence of the “internet of things”, tracing us through its origins in the mundane back-end world of the international supply chain to the domestic applications that already exist in an embryonic stage. He also explains how the adoption of he technologies of the City Control is not inevitable, nor something that we must kindly accept nor sleepwalk into. In van Kranenburg’s account of the creation of the international network of Bricolabs, he also suggests how each of us can help contribute to building technologies of trust and empower ourselves in the age of mass surveillance and ambient technologies.

There’s a launch party in October, if you happen to be in Amsterdam. Kudos to Léon & Loes for the great design.

As you may imagine from my writing lately (here, here), the word “Bricolabs” caught my attention. From their site:

A distributed network for global and local development of generic infrastructures incrementally developed by communities.

A global platform to investigate the new loop of open content, software, and hardware for community applications, bringing people together with new technologies and distributed connectivity, unlike the dominant focus of IT industry on security, surveillance, and monopoly of information and infrastructures.

This reminds me of Mike’s work with Ile Sans Fil, and some of the stuff I’ve read on this ex-blog. See especially his infrastructure posts and interview with John Udell.

Once you look at it as a problem of infrastructure, you realize the problem isn’t going to be solved with everyone having their own server. It’s about having the connections between us (bridges and roads) being free and open.

Back to the book. You can go to the Institute of Network Cultures blog to download a copy and learn more about it.

Via Karl.

http://inoveryourhead.net/proving-your-worth/

The attitude of the average 9-to-5′er goes like this: If I do this boring job long enough and well enough, I’ll be promoted to the job that’s fast-paced and exciting. That’s the job I really want.

The problem is, showing people you can only do boring work will only consist in more boring work.

When I was very young, I spent a lot of time on touch typing programs, and learned how to type over 100 words per minute. Proud of myself, I would tell my bosses this over the years. What would they inevitably do? Give me the most boring jobs ever, of course.

There has to be a path for those who want the fast-paced exciting job NOW. A different way to prove themselves. What do you think?

http://feedproxy.google.com/~r/Techcrunch/~3/bYpyCb0tGEc/

http://www.techcrunch.com/?p=79323

Recently, I’ve noticed something. If you send me an email, the likelihood that I’m going to respond is pretty small. But if you send me a message on Twitter, the likelihood that I’ll respond is much higher. Certainly, part of it is that I get fewer messages on Twitter. But you might be surprised at how close it’s getting in volume when you add @replies to direct messages. The bigger factor for me, is the length of the messages.

If I open up an email and see it filled with paragraphs of information, guaranteed my eyes are going to glaze over. Certainly sometimes it’s an important message that I do need to read, but most of the time it’s just a core message filled with paragraphs of bloat. I don’t want or need the bloat, I need the core message. And that’s why I love Twitter. You simply cannot go over 140 characters. And more often than you may imagine, that’s enough.

Now, on the face of it, plenty of people will disagree with me on that point. But think about it. In an age where we’re bombarded by tons of information, from multiple angles, all day long, there is something beautiful about brevity.

I used to read screenplays for a living. Trust me when I say that there is no shortage of people who can blather on about something to seemingly no end. But the skill in writing a screenplay often came down to if you could convey what you needed to convey in just a few lines. It’s not an easy thing to do — at all. And while it’s not quite the same because it’s even more compact, Twitter forces you do to a similar thing in its own way. And Twitter is hardly the only form of communication that has done this.

Most users know by now that the 140 character limit of Twitter is actually tied to the limits of text messaging. Text messages can only be 160 characters long (Twitter needed to reserve the extra 20 characters for usernames). But do you know where the 160 character limit comes from?

The LA Times ran an excellent piece a few months ago about Friedhelm Hillebrand, the father of the modern text message. He dreamed up the 160 character limit while working at a typewriter in the mid-1980s, trying to see how long sentences needed to be to convey something. He found 160 characters was the magic number he kept arriving at. But the deciding committee for SMS still wasn’t sure until they looked at postcards and found that most of those had messages of 150 characters or less.

And so you see, while you may think Twitter’s character limit is silly or frustrating, it’s actually born out of two other forms of communication that are widely accepted and used the world over. You may not think of Twitter being just like a postcard, but in some ways it is — one that you can instantaneously send to many friends or acquaintances at the same time. And minus the cost of a stamp.

Even with the rise of technology, the lure of the short message remains. And that was the key reason why I found Twitter compelling when I first started using it over two years ago. I never thought of the limitation in a negative sense, but rather as something that could inspire creativity in messages. And could even spur communication.

It’s liberating to know that you only have 140 characters or less to respond to something. For a lot of messages, that removes a huge burden of trying to say enough to the person you’re talking to so that they don’t think you’re being rude. With a 140 character limit, a correlation between briefness and rudeness doesn’t exist.

And that’s why more and more I’m finding myself telling people, “Just message me on Twitter.” It’s a two-way street. I don’t want to have to read you go on and on about something that could be said in one line, and you won’t have to listen to me go on and on about something in response. Again, it won’t work for all messages, which is why Twitter or something like it will never kill email, but for a lot of messages, it works just fine.

Characters and time are saved. It’s a limitation that is liberating.

[photos: flickr/pink sherbert photography & inlaterdays]

Crunch Network: CrunchBoard because it’s time for you to find a new Job2.0

http://survivingtheworld.net/Lesson382.html

http://www.urbanphoto.net/blog/2009/07/04/moving-day/

http://www.urbanphoto.net/blog/?p=4740

Another July 1st, another year I breathe a sigh of relief that I didn’t have to move on Moving Day. I must be exceptionally lucky: I’ve never had to move on the same day as more than 100,000 other Montrealers. Instead, I have been able to wander the streets and watch, with voyeuristic glee, as the curtain that normally hangs between us and our neighbours is ripped away.

That’s exactly what I told a journalist from La Presse when she called to ask what I thought of the odd way that Montrealers spend Canada’s national holiday. (Unfortunately, she somehow misspelled my name, adding a “v” and an “e” where they really shouldn’t exist.) As perplexing as it is to have most residential leases end on the same day, it’s also one of those charmingly illogical things that make Montreal such an admirably eccentric city.

The fact that so many people live on the upper floors of buildings with winding outdoor staircases means that it’s a huge challenge to simply move furniture onto the street. The complications of parking make it a hassle to then move that stuff to a new apartment. On the few occasions when we had move over a distance larger than two blocks, my girlfriend and I paid some guys $50 to shove our stuff into the back of their old camping van and drive it uptown from the Latin Quarter to Mile End.

I’ve seen similarly precarious setups involving pickup trucks and even shopping carts, so I’m not surprised to hear that a moving company that schleps stuff by bike is getting a lot of attention. It’s reminiscent of cities in China, where bicycles are used for the same purpose. In Saigon and Seoul, I saw motorcycles employed for much the same purpose, including one that was being used to transport a fridge, without any kind of strap to secure it to the bike.

Even more intriguing that Moving Day itself are the days after, when piles of unwanted junk are left in the streets and laneways. This is usually seen as a big problem but, as I wrote last year, it turns the city into a giant flea market. People sift through the remnants of July 1st and often come up with enough good finds that they can furnish their own apartment. There’s an unspoken agreement among Montrealers that if you abandon something on the sidewalk or in a back alley, you’re inviting others to take it.

Here in Hong Kong, people move just as often as in Montreal, though not always on the same day — and nobody leaves anything in the street unless they intend to keep it there. To a large extent, the reason for this is cultural difference: Hong Kongers are much less enthusiastic than Montrealers about second-hand objects; they’re also a lot more entrepreneurial, so if they have something to get rid of, they’ll sell it a second-hand specialist who will resell it or dismantle it for scrap.

http://www.mamohanraj.com/journal/show-entry.php?Entry_ID=5097

Jarmila's on vacation, so no nanny for a few days. It would have been a week, but I coaxed Simone into coming Tues/Wed morning. I think I can survive until then. So yesterday morning was mostly hanging out with Kavi, although I did manage to get the writing workshops set up. My timing is perhaps not the best, though -- right before a holiday weekend means most people are offline 'til Monday, I think. Ah well. A few people registered already, and hopefully more to come next week. Mama wants furniture. :-) It'd be lovely to be able to put our guests on an actual bed instead of an air mattress! It'll be a sofa bed, since the room is going to do double duty as a hangout space most of the time, but still, that's a step up, I think. Kevin claims that sofa bed technology has significantly improved in the last decade, and it no longer means annoying springs poking you in the back in the middle of the night. We'll see.

In the afternoon I went to Target, because both Kavi and Kevin were in sad need of summer pyjamas. And then I sat in the Starbucks there and worked on reading stories and writing up critiques. If I'd had more time, I'd have tried to write some fiction, and I have to say, it's a little surreal in concept, writing at Target, but in practice, I think it'd work fine. At our Target, the Starbucks has a back area that's pretty sheltered from the rest of the store, so it just feels like you're in a coffeeshop, not a megastore. Odd, but works fine. Would probably work even better if I ever remembered to pack headphones. (To be fair to me, Kavi managed to smash one pair, and the other pair is in the storage unit at the moment. Ah well.)

Nothing firm on the housing front, but our realtor called and made reassuring noises from their realtor on the probability of their coming back with a counteroffer soon that we can accept. I'm giving up on being totally mysterious -- it's the Beautiful Gunderson we're negotiating for at the moment. We're currently about $30K apart, and it's their move, so we'll see what happens. Hopefully they get their new house super-cheap at some point this weekend! I am crossing my fingers for them! Kevin pointed out that it would be sort of funny if they were trying to buy the Mad Hatter house, and that's actually not so improbable, since I think they're planning to stay in Oak Park (again, according to realtor rumor) and they like to renovate. If we were skilled renovators, who knew contractors who were reliable and would give us good rates, the Mad Hatter house would totally be a great deal. Plus, they have three kids, so they could probably use the extra space in that house. But I don't know if they want to renovate Victorians, or if they're strictly Craftsman folk. Ah well -- no real point in speculating.

In the evening, I went to Lori and Greg's adorable house (also somewhat Arts and Crafts-ish, I think) for a holiday barbecue shindig. I love the way they renovated the kitchen -- dark cherry cabinets with a complementary medium wood (not sure what kind) for the countertops. I'm not sure I could be careful enough with my kitchen countertops to get away with wood, but it was surely beautiful. And I saw the Craftsman-style bookcase that Greg built for Lori -- totally gorgeous. I need to talk Kevin into learning woodworking. (I would say that I need to learn woodworking, which sounds totally cool, but I already have enough hobbies. :-) Also, I'd totally cut off a finger or two on the table saw. I almost did in college theatre, building sets.) Much fun was had by all, although when Scott (new director of creative writing at Roosevelt) and Tommi showed up with their three-year-old Ava, I felt guilty for not bringing Kevin and Kavi. Ah well. We'll have to have them over here sometime -- or over to the new place.

Just sent out invites to a combination housecooling / birthday party here on the 25th. May be a bit chaotic with boxes everywhere, but I think our friends can cope. I want to say goodbye to this place properly. Plus, birthday! On July 26th, I'll be thirty-eight years old and seven months pregnant. Eep.

Okay, now I have to go research moving companies. Hmm....there's some chance that we'll end up having to leave everything in storage for a few days or weeks. Is there some sort of mover/storage combo that would help with that? I'd like to avoid having them unload everything into a storage facility and then reload it, if possible -- just seems to be asking for expense and more breakages.

http://www.montrealfoodie.com/reviews-and-opinion/2009/7/2/la-maison-du-nord.html

LUNCH June 25, 2009

Like many Canadians, I find Canadian-Chinese food evocative: chow mein and pineapple chicken are as much a part of my childhood memories as burgers or pizza. Once in a while I really crave the classics of the Canadian-Chinese pantheon but I have to admit that while those plates of General Tao chicken and Singapore noodles can be immensely satisfying, they rarely impress when viewed critically. Although there are exceptions, there is rarely much finesse in this type of cooking. Sweetness and acidity are used with abandon and everything is deep fried and served with some sickeningly sweet bottled sauce.

Arriving in Taipei in 1998 was a huge eye opener for me. Heat, humidity, pollution, crowding and odd smells marked my first evening in the city along with a bowl of beef noodle soup eaten in a  makeshift shanty near my dorm. I didn't expect the food in Taiwan to be like Chinese food at home, but I was surprised that the two seemed to have almost nothing in common. I fell in love with the dumpling (boiled or panfried), with gao bao (a puffy mantou filled with braised pork belly, peanut and coriander), with real Kung Pao chicken (which is nothing like the Canadian dish of the same name) and with Cantonese fried noodles smothered with squid and shrimp. I ate a lot of vegetables I hadn't known existed, my first fish head, my first chicken feet, my first of many things. I discovered that tofu didn't need to taste like a brick of crap (although it could be OK if it smelled that way), that frogs cooked in a claypot are amazing, that all kinds of flowers are edible and that questionable hygiene can go hand in hand with great food.

http://aliceandkev.wordpress.com/2009/07/04/midnight/

http://aliceandkev.wordpress.com/?p=580

To be continued.
Check back tomorrow for the next update, subscribe to the RSS feed, or follow the twitter.

If you are tempted to buy The Sims 3 after reading this, consider supporting this blog by buying through these links to amazon.com or amazon.co.uk

If you’ve found this tale of homelessness affecting, you might want to consider helping a real-world charity.

http://blog.hamstu.com/2009/07/04/wp-typogrify-becomes-wp-typography/

http://blog.hamstu.com/?p=90

The wp-Typogrify plugin has merged with the wp-Hyphenate plugin to become wp-Typography! wp-Typography is now a one-stop-shop for improved WordPress typography. It features the following capabilities (including granular control):

• Hyphenation
• Spacing control, including: gluing values to units, widow protection, and forced internal wrapping of long URLs & email addresses.
• Intelligent character replacement, including smart handling of: quote marks, dashes, ellipses, trademarks, multiplication symbols, fractions, and ordinal suffixes (i.e. 1^st, 2^nd, 3^rd)
• CSS hooks for styling: ampersands (class “amp”), acronyms (class “caps”), numbers (class “numbers”), initial single quotes (class “quo”), and initial double quotes & guillemets (class “dquo”).

Please update your bookmarks.

http://www.schneier.com/blog/archives/2009/07/friday-squid-bl-186.html

Office squid.

http://www.schneier.com/blog/archives/2009/07/the-pros-and-co.html

Usability guru Jakob Nielsen opened up a can of worms when he made the case for unmasking passwords in his blog. I chimed in that I agreed. Almost 165 comments on my blog (and several articles, essays, and many other blog posts) later, the consensus is that we were wrong.

I was certainly too glib. Like any security countermeasure, password masking has value. But like any countermeasure, password masking is not a panacea. And the costs of password masking need to be balanced with the benefits.

The cost is accuracy. When users don't get visual feedback from what they're typing, they're more prone to make mistakes. This is especially true with character strings that have non-standard characters and capitalization. This has several ancillary costs:

• Users get pissed off.
• Users are more likely to choose easy-to-type passwords, reducing both mistakes and security. Removing password masking will make people more comfortable with complicated passwords: they'll become easier to memorize and easier to use.

The benefits of password masking are more obvious:

• Security from shoulder surfing. If people can't look over your shoulder and see what you're typing, they're much less likely to be able to steal your password. Yes, they can look at your fingers instead, but that's much harder than looking at the screen. Surveillance cameras are also an issue: it's easier to watch someone's fingers on recorded video, but reading a cleartext password off a screen is trivial.

  In some situations, there is a trust dynamic involved. Do you type your password while your boss is standing over your shoulder watching? How about your spouse or partner? Your parent or child? Your teacher or students? At ATMs, there's a social convention of standing away from someone using the machine, but that convention doesn't apply to computers. You might not trust the person standing next to you enough to let him see your password, but don't feel comfortable telling him to look away. Password masking solves that social awkwardness.

• Security from screen scraping malware. This is less of an issue; keyboard loggers are more common and unaffected by password masking. And if you have that kind of malware on your computer, you've got all sorts of problems.

• A security "signal." Password masking alerts users, and I'm thinking users who aren't particularly security savvy, that passwords are a secret.

I believe that shoulder surfing isn't nearly the problem it's made out to be. One, lots of people use their computers in private, with no one looking over their shoulders. Two, personal handheld devices are used very close to the body, making shoulder surfing all that much harder. Three, it's hard to quickly and accurately memorize a random non-alphanumeric string that flashes on the screen for a second or so.

This is not to say that shoulder surfing isn't a threat. It is. And, as many readers pointed out, password masking is one of the reasons it isn't more of a threat. And the threat is greater for those who are not fluent computer users: slow typists and people who are likely to choose bad passwords. But I believe that the risks are overstated.

Password masking is definitely important on public terminals with short PINs. (I'm thinking of ATMs.) The value of the PIN is large, shoulder surfing is more common, and a four-digit PIN is easy to remember in any case.

And lastly, this problem largely disappears on the Internet on your personal computer. Most browsers include the ability to save and then automatically populate password fields, making the usability problem go away at the expense of another security problem (the security of the password becomes the security of the computer). There's a Firefox plugin that gets rid of password masking. And programs like my own Password Safe allow passwords to be cut and pasted into applications, also eliminating the usability problem.

One approach is to make it a configurable option. High-risk banking applications could turn password masking on by default; other applications could turn it off by default. Browsers in public locations could turn it on by default. I like this, but it complicates the user interface.

A reader mentioned BlackBerry's solution, which is to display each character briefly before masking it; that seems like an excellent compromise.

I, for one, would like the option. I cannot type complicated WEP keys into Windows -- twice! what's the deal with that? -- without making mistakes. I cannot type my rarely used and very complicated PGP keys without making a mistake unless I turn off password masking. That's what I was reacting to when I said "I agree."

So was I wrong? Maybe. Okay, probably. Password masking definitely improves security; many readers pointed out that they regularly use their computer in crowded environments, and rely on password masking to protect their passwords. On the other hand, password masking reduces accuracy and makes it less likely that users will choose secure and hard-to-remember passwords, I will concede that the password masking trade-off is more beneficial than I thought in my snap reaction, but also that the answer is not nearly as obvious as we have historically assumed.

http://www.schneier.com/blog/archives/2009/07/the-insecurity.html

Good essay -- "The Staggering Cost of Playing it 'Safe'" -- about the political motivations for terrorist security policy.

Senator Barbara Boxer has led an effort to at least put together a public database of ash storage sites so that people can judge the risk to the areas where they live. However, even this effort has been blocked not by coal companies or utilities, but by the DHS. How could it possibly be a national security interest to cover up the location of material that's "not toxic or anything?" It's not. In fact, even if the ash turns out to be as bad as its worst critics fear, blocking the database is far more dangerous than revealing the location of these sites. Not only has there not been any threat against these sites by terrorists, and no workable scenario by which they might cause a problem, coal slurry impoundments are already failing with regularity, dousing parts of America with millions of gallons of this material. It doesn't take terrorists to make this happen.

Blocking the release of this information doesn't protect the citizens of the United States in any way. It's just another example of the same creeping secrecy that makes cities more difficult to manage because of secrecy over facilities. The same creeping secrecy that "blurs" national monuments from images and puts intentional gaps in public information. The same creeping secrecy that increasingly elevates the most unlikely attack -- the shoe bombers of the world -- above our right to know what's going on around us so that we can make informed decisions. The same secrecy that defends torturers.

http://www.schneier.com/blog/archives/2009/07/information-lea-1.html

Can anyone guess the entry codes for these door locks?

There are 10,000 possible four-digit codes, but you only have to try 24 on these keypads. The first is most likely 1986 or 1968. The second is almost certainly 1234.

http://www.schneier.com/blog/archives/2009/07/more-security-c.html

The plant caladium steudneriifolium pretends to be ill so mining moths won't eat it.

She believes that the plant essentially fakes being ill, producing variegated leaves that mimic those that have already been damaged by mining moth larvae. That deters the moths from laying any further larvae on the leaves, as the insects assume the previous caterpillars have already eaten most of the leaves' nutrients.

Cabbage aphids arm themselves with chemical bombs:

Its body carries two reactive chemicals that only mix when a predator attacks it. The injured aphid dies. But in the process, the chemicals in its body react and trigger an explosion that delivers lethal amounts of poison to the predator, saving the rest of the colony.

The dark-footed ant spider mimics an ant so that it's not eaten by other spiders, and so it can eat spiders itself:

M.melanotarsa is a jumping spider that protects itself from predators (like other jumping spiders) by resembling an ant. Earlier this month, Ximena Nelson and Robert Jackson showed that they bolster this illusion by living in silken apartment complexes and travelling in groups, mimicking not just the bodies of ants but their social lives too.

Now Nelson and Robert are back with another side to the ant-spider's tale - it also uses its impersonation for attack as well as defence. It also feasts on the eggs and youngsters of the very same spiders that its ant-like form protects it from. It is, essentially, a spider that looks like an ant to avoid being eaten by spiders so that it itself can eat spiders.

My previous post about security stories from the insect world.

http://www.schneier.com/blog/2009/07/friday_squid_bl_186.html

Office squid.

http://www.schneier.com/blog/2009/07/the_pros_and_co.html

Usability guru Jakob Nielsen opened up a can of worms when he made the case for unmasking passwords in his blog. I chimed in that I agreed. Almost 165 comments on my blog (and several articles, essays, and many other blog posts) later, the consensus is that we were wrong.

I was certainly too glib. Like any security countermeasure, password masking has value. But like any countermeasure, password masking is not a panacea. And the costs of password masking need to be balanced with the benefits.

The cost is accuracy. When users don't get visual feedback from what they're typing, they're more prone to make mistakes. This is especially true with character strings that have non-standard characters and capitalization. This has several ancillary costs:

• Users get pissed off.
• Users are more likely to choose easy-to-type passwords, reducing both mistakes and security. Removing password masking will make people more comfortable with complicated passwords: they'll become easier to memorize and easier to use.

The benefits of password masking are more obvious:

• Security from shoulder surfing. If people can't look over your shoulder and see what you're typing, they're much less likely to be able to steal your password. Yes, they can look at your fingers instead, but that's much harder than looking at the screen. Surveillance cameras are also an issue: it's easier to watch someone's fingers on recorded video, but reading a cleartext password off a screen is trivial.

  In some situations, there is a trust dynamic involved. Do you type your password while your boss is standing over your shoulder watching? How about your spouse or partner? Your parent or child? Your teacher or students? At ATMs, there's a social convention of standing away from someone using the machine, but that convention doesn't apply to computers. You might not trust the person standing next to you enough to let him see your password, but don't feel comfortable telling him to look away. Password masking solves that social awkwardness.

• Security from screen scraping malware. This is less of an issue; keyboard loggers are more common and unaffected by password masking. And if you have that kind of malware on your computer, you've got all sorts of problems.

• A security "signal." Password masking alerts users, and I'm thinking users who aren't particularly security savvy, that passwords are a secret.

I believe that shoulder surfing isn't nearly the problem it's made out to be. One, lots of people use their computers in private, with no one looking over their shoulders. Two, personal handheld devices are used very close to the body, making shoulder surfing all that much harder. Three, it's hard to quickly and accurately memorize a random non-alphanumeric string that flashes on the screen for a second or so.

This is not to say that shoulder surfing isn't a threat. It is. And, as many readers pointed out, password masking is one of the reasons it isn't more of a threat. And the threat is greater for those who are not fluent computer users: slow typists and people who are likely to choose bad passwords. But I believe that the risks are overstated.

Password masking is definitely important on public terminals with short PINs. (I'm thinking of ATMs.) The value of the PIN is large, shoulder surfing is more common, and a four-digit PIN is easy to remember in any case.

And lastly, this problem largely disappears on the Internet on your personal computer. Most browsers include the ability to save and then automatically populate password fields, making the usability problem go away at the expense of another security problem (the security of the password becomes the security of the computer). There's a Firefox plugin that gets rid of password masking. And programs like my own Password Safe allow passwords to be cut and pasted into applications, also eliminating the usability problem.

One approach is to make it a configurable option. High-risk banking applications could turn password masking on by default; other applications could turn it off by default. Browsers in public locations could turn it on by default. I like this, but it complicates the user interface.

A reader mentioned BlackBerry's solution, which is to display each character briefly before masking it; that seems like an excellent compromise.

I, for one, would like the option. I cannot type complicated WEP keys into Windows -- twice! what's the deal with that? -- without making mistakes. I cannot type my rarely used and very complicated PGP keys without making a mistake unless I turn off password masking. That's what I was reacting to when I said "I agree."

So was I wrong? Maybe. Okay, probably. Password masking definitely improves security; many readers pointed out that they regularly use their computer in crowded environments, and rely on password masking to protect their passwords. On the other hand, password masking reduces accuracy and makes it less likely that users will choose secure and hard-to-remember passwords, I will concede that the password masking trade-off is more beneficial than I thought in my snap reaction, but also that the answer is not nearly as obvious as we have historically assumed.

http://www.schneier.com/blog/2009/07/the_insecurity.html

Good essay -- "The Staggering Cost of Playing it 'Safe'" -- about the political motivations for terrorist security policy.

Senator Barbara Boxer has led an effort to at least put together a public database of ash storage sites so that people can judge the risk to the areas where they live. However, even this effort has been blocked not by coal companies or utilities, but by the DHS. How could it possibly be a national security interest to cover up the location of material that's "not toxic or anything?" It's not. In fact, even if the ash turns out to be as bad as its worst critics fear, blocking the database is far more dangerous than revealing the location of these sites. Not only has there not been any threat against these sites by terrorists, and no workable scenario by which they might cause a problem, coal slurry impoundments are already failing with regularity, dousing parts of America with millions of gallons of this material. It doesn't take terrorists to make this happen.

Blocking the release of this information doesn't protect the citizens of the United States in any way. It's just another example of the same creeping secrecy that makes cities more difficult to manage because of secrecy over facilities. The same creeping secrecy that "blurs" national monuments from images and puts intentional gaps in public information. The same creeping secrecy that increasingly elevates the most unlikely attack -- the shoe bombers of the world -- above our right to know what's going on around us so that we can make informed decisions. The same secrecy that defends torturers.

http://www.schneier.com/blog/2009/07/information_lea_1.html

Can anyone guess the entry codes for these door locks?

There are 10,000 possible four-digit codes, but you only have to try 24 on these keypads. The first is most likely 1986 or 1968. The second is almost certainly 1234.

http://www.schneier.com/blog/2009/07/more_security_c.html

The plant caladium steudneriifolium pretends to be ill so mining moths won't eat it.

She believes that the plant essentially fakes being ill, producing variegated leaves that mimic those that have already been damaged by mining moth larvae. That deters the moths from laying any further larvae on the leaves, as the insects assume the previous caterpillars have already eaten most of the leaves' nutrients.

Cabbage aphids arm themselves with chemical bombs:

Its body carries two reactive chemicals that only mix when a predator attacks it. The injured aphid dies. But in the process, the chemicals in its body react and trigger an explosion that delivers lethal amounts of poison to the predator, saving the rest of the colony.

The dark-footed ant spider mimics an ant so that it's not eaten by other spiders, and so it can eat spiders itself:

M.melanotarsa is a jumping spider that protects itself from predators (like other jumping spiders) by resembling an ant. Earlier this month, Ximena Nelson and Robert Jackson showed that they bolster this illusion by living in silken apartment complexes and travelling in groups, mimicking not just the bodies of ants but their social lives too.

Now Nelson and Robert are back with another side to the ant-spider's tale - it also uses its impersonation for attack as well as defence. It also feasts on the eggs and youngsters of the very same spiders that its ant-like form protects it from. It is, essentially, a spider that looks like an ant to avoid being eaten by spiders so that it itself can eat spiders.

My previous post about security stories from the insect world.

http://feedproxy.google.com/~r/Techcrunch/~3/L8BNfXcYfPY/

http://www.techcrunch.com/?p=79191

Like most things on the Internet, there’s a good side and a dark side to where the media business is headed.

The good side is very good: thousands of layers of mostly needless middlemen and processes are being eliminated as journalists get a direct channel to their readers. And, because it’s a two way medium, readers get that channel right back. And in the cases where the subject of an article has been wronged, the Web gives them powerful megaphones to fight back. In short, the more everyone has a voice, the more reporters are challenged to make sure they are right, because they will be called out.

Look at what happened with the plagiarism scandal around Chris Anderson’s new book. Anderson says it was a mistake around a change in how they were going to use citations, and I take him at his word. But it’s safe to say any author who’d considered borrowing heavily from Wikipedia won’t now. We like to think that we act virtuously because of personal or professional pride, but nothing enforces those ethics like the real possibility of getting caught and hugely embarrassed.

But the bad side is also very bad. The elimination of those layers – typically fact checkers, editors, lawyers and just time to make sure a work is fully baked—also allows mistakes, lazy reporting, a dependence on rumors, and hot-headed, unfair treatment to subjects. Worse: The metrics around the Web make it crystal clear which kinds of stories drive the most traffic. That leads to salacious reporting for the sake of clicks and comments.

It’s easy to point the finger at blogs, especially by certain members of old media losing money quarter-after-quarter. (Cough, cough.) But this is not just a technology change as most corners of media are fighting for survival, it’s become a cultural change. And this week, I’ve been struck by two non-blog examples that reflect the tension.

Right about now most people reading this probably have guessed the example of salacious reporting and unfair treatment I’m driving at is Ben Mezrich’s new book on Facebook. I’ll say upfront I haven’t read it. Galleys have been very closely guarded. Once I do read it, if everything everyone who has read it has told me is wrong, I’ll apologize for what I’m about to say. But, on a professional level, I find the ethics behind this project disgusting.

It’s essentially a book based on talking to one source who had a falling out with the company just as it was moving to California and becoming more than a dorm room project. That’s like someone writing a book about you based solely on what your old college ex-girlfriend or ex-boyfriend said.

Mezrich has been clear to say he’s never met or talked to Mark Zuckerberg in the intro and in interviews, but that doesn’t stop him from drawing potentially damaging conclusions about his character and selling it as a non-fiction book that’s getting made into a movie that people will take as fact.

In contrast, I spent years and hundreds of hours interviewing and following the subjects of my last book, which as most people know, included Zuckerberg amid other Web 2.0 figures. And I’m about one-third of the way through research for my next book, which includes spending 40 weeks in other countries following entrepreneurs. It’d be a lot easier to write a narrative without that whole burden of actual reporting. If I could sit in Silicon Valley and make up what I think entrepreneurs in Africa are like, that’d sure help out on my bank account, my health and my neglected personal relationships.

To be clear, I have no doubt Mezrich’s book will sell better than mine and make a juicier movie. But I wouldn’t swap the karma points. I don’t know how you call yourself a non-fiction writer and publish a book about a living person that’s based on you “imagining” what they are like. And let me tell you, having first interviewed him when he was 19 and spent countless hours with him since, the idea that Zuckerberg is some kind of sexed-up lethario is laughable fiction.

Why didn’t Mezrich write a novel or a different non-fiction book that he actually knew something about? It just seems like a cheap way to get a film deal and sales since the “imagined” subject is also leading the hottest private tech company in the world right now. (Indeed, the film rights were reportedly sold before the book was written.)

Even Mezrich’s publicist admits as much, according to a New York Times Blog post where he said, “The book isn’t reportage. It’s big juicy fun.” I’m guessing it’s not fun for the people trying to build a company who Mezrich essentially calls womanizers, drug addicts and backstabbers. Probably not fun for their families, employees and investors either. If this is where media is going on a book level, magazine level or blog level—I want out.

Contrast that to what’s playing out with another hot non-fiction book that was also optioned for a film: Moneyball. Some people accuse Michael Lewis of taking some liberties with facts here or there, but I’ve never met one of his subjects who felt he was treated unfairly, including the subject of Moneyball, Billy Beane. Like his style or not, Lewis did his job: He invested countless hours reporting and wrote a book that told a dramatic story that also happened to be true.

Recently, that book was also being made into a movie, to star Brad Pitt and be directed by Steven Soderbergh. The plug unexpectedly got pulled. It seemed Soderbergh reworked the script to be less a feature film version of things and more a real-life reenactment with some of the actual people playing themselves. Quippy anecdotes and funny lines were cut because they weren’t actually said in real life.

I’ve not been a huge fan of some of Soderbergh’s more experimental work, and I don’t know if his treatment would have made a better movie. But imagine: The people who are allowed to take the most liberties with a “true story”—the filmmakers—hewing more to the truth than an author who ostensibly gets paid to write the truth.

The media world is upside down these days, and I hope when all the volatility is done we wind up on the Soderbergh side of things.

Crunch Network: CrunchGear drool over the sexiest new gadgets and hardware.

http://feedproxy.google.com/~r/Techcrunch/~3/Ua1lrWMMD1w/

http://www.techcrunch.com/?p=79332