andyblair.com

saving the world, one blog post at a time.


Detecting Deception in Conference Calls

This article abstract got me thinking.  It describes a method for detecting deception in conference calls - focusing on CEOs and CFOs holding financial conference calls and subsequent financial data.  As audiovisual recording devices become more pervasive in our daily lives as part of cell phones, iPads, and other gadgets, everything we do becomes a trail of data "breadcrumbs."  Those breadcrumbs may contain valuable indicators of truth or other tells.

This reminds me a bit of those cop shows where the detective knows a suspect is lying because he looks up and to the left, which indicates access to the creative parts of the brain rather than memories.  If these types of analysis have real scientific merit, it seems logical that cottage industries of analysts will spring up, offering services to both detect and counter detection of insincerity or indices of other valuable information.  Send them an audio or video recording and they'll tell you the probability that the subject is telling the truth.  Whether such techniques are snake oil or actually work certainly remains to be seen, but that won't stop people from trying to make a buck.

 

Social Steganography

This is cool.  It isn't really anything new or earth-shattering - friends have been using code speak to convey messages only they know for a very long time.  It is interesting to see it analyzed in the online social network setting though.

As technology changes, you often hear complaints from (usually older) people that "kids these days" are being "dumbed down" by the new brain-dead technologies or something similar.  This is one of those things that bubble up occasionally that weigh pretty substantially against such claims.  Kids are usually a lot smarter than given credit for.  Their intelligence isn't always focused in a direction likely to be understood by older generations, and therefore is easy to overlook.  Just because it isn't understood doesn't mean it isn't there and isn't valuable.

 

Anyone need some snake oil? I can get you a *great* deal...

The ABA tech law bulletin has a short article on companies claiming to have "impenetrable" products to protect sensitive data.  According to the article, the company InZero even offered a Harley Davidson to anyone that could break their product.

These sorts of stories come up pretty frequently, but are almost always a lot of marketing smoke and little security substance.  InZero's claim of 100,000 attacks in two months is not exactly proof of perfect security.  Most websites get tens of thousands of attacks a month just by virtue of being on the Internet.  Everyone from script kiddies to organized criminal gangs has constant scans going, looking for unpatched systems.

The major flaw in the claim, however, comes from the fact that even if their product is impenetrable, their marketing is assuming several things that are simply not true.  First, a system can only protect the data it is told to protect.  That means firms need to label and keep track of what information is sensitive and what is not.  That takes a lot of work and a lot of resources that many companies find not worth the effort over the long term.  Second, they assume that attacks will come through the system.  If this is some sort of device that sits on a firm's network, it doesn't work when attorneys are out of the office.  If it runs on each computer's browser, an attack could be successful through email, IM, or another attack vector not covered by the product.

The point is that security is multi-layered and multi-faceted.  It relies on people every bit as much or more than it relies on machines.  Making people believe they are "secure" by selling some guaranteed web product makes it much more likely that they will be lax in other areas of security and a breach will result.  Vigilance and good security policies are likely to be much cheaper and much more effective than any supposedly perfect web security product.

At the end of the day, the fact is that no product is 100% "secure" and no product can offer 100% security.  People who really know security know this, which is why whenever anyone makes such claims they should be taken with a healthy dose of skepticism.  

 

Real gives up on RealDVD

After a long-running legal battle with movie studios over the RealDVD product, RealNetworks has settled the suit on terms very favorable to Hollywood. The issue was over RealDVD's use of a CSS key to allow DVDs to be ripped to personal computers. A disappointing ending for RealNetworks, who lost several important motions including a preliminary injunction against the sale of RealDVD.
 
RealNetworks argued that RealDVD did not remove the CSS encryption - it copied the DVD, encryption and all, to the computer while limiting playback to the computer on which the digital copy was originally ripped. Therefore the copies would not contribute to piracy and would not end up on file sharing networks. The movie studios disagreed and argued that the software bypassed encryption in violation of the DMCA. The preliminary injunction was on appeal, but it appears that the battle will come to an end with Real admitting paying $4.5 million to the studios as well as refunding sales of RealDVD made prior to the injunction.
 
It will be interesting to see if this case results in the death of movie management or copying systems, especially after Kaleidescape lost on appeal after beating an infringement suit at the trial level. It is difficult to get behind suits like this. Real took steps to secure digital copies against piracy and provide consumers with a legitimate way to watch their legally purchased DVDs from a home server. Now consumers interested in creating a central digital library of their legitimately purchased DVDs pretty much have to turn to products that remove CSS and are much more likely to contribute to piracy.
 
The "my way or the highway" approach taken by content owners is not helping them out of the revenue pickle they are in. If you want people to buy DVDs, a good solution is encouraging solutions that add more value to a DVD purchase. There is a consumer need that is not being met by the legitimate market. Rather than giving consumers no legal option then complaining about piracy, movie studios could focus on providing legitimate solutions and providing value to their customers. I'm not holding my breath.
 

Ubisoft Ups the Ante on DRM

It is no secret that video games have long been intense digital rights management (DRM) battlefields, with game cracking groups engaging in an endless arms race with game developers. As soon as a new DRM scheme is released it is quickly cracked and released on P2P networks and "warez" group sites. 

Ubisoft has taken this battle to the next level, starting with Assassin's Creed 2 and affecting all future Ubisoft titles. The new DRM scheme requires a constant internet connection in order to play Ubisoft's games on a PC. Yep, you heard that right. If you travel and enjoy playing Ubisoft games on your laptop in-flight you are out of luck. Or in a hotel where you don't want to pay $14.95 for 24 hours of Internet. Or if your Internet connection goes out. Or if their servers go down. Out of luck. 

The new DRM system checks in with a central Ubisoft server when started, preventing the game from running if it cannot connect to the server. Not enough for Ubisoft, the DRM continues to check in during game play. If at any time the DRM system cannot reach Ubisoft's central servers, you are booted out of the game and lose any progress since your last checkpoint. So if your wireless router reboots or for any of a thousand reasons your game can't connect to Ubisoft when it checks in, you lose everything you have done since your last checkpoint and cannot play again until that connection is restored. Ubisoft was asked about the details of this system by CVG, and responded in a nutshell that piracy is "a huge problem" that "all serious companies need to address."

CVG had some legitimate questions for Ubisoft, which were addressed, but not particularly well. If a gamer wants to play back through Assassin's Creed 2 in five years, will the DRM servers still be up? What about maintenance of the update servers? Ubisoft claims that down the road they will "patch-out" the DRM and no longer require the check-in on older games, but if the servers are not available five years after the last time the game was played, how would it patch-out the DRM? Ubisoft essentially says "we plan to keep the servers up and available for a long time." Gamers have no more assurances that the $50-$60 they spend on games is well-spent than "we plan to make it work." Hm.

More after the break.

 

FCC to require AT&T and Verizon to Lease Lines?

Bloomberg is reporting that the FCC is considering requiring Verizon and AT&T to lease fast internet to rival ISPs. The proposal is backed by Cbeyond, a provider of Internet and data services to small businesses, and has the support of the Small Business Administration as a job creation tool.

This is interesting given the recent trend at the FCC to move away from common carrier-type regulation of telecommunications providers. The data services are indistinguishable from those of the cable TV companies, so it seems sort of silly to only require phone companies and not cable providers to share their lines. Cable and telcos are subject to separate regulation regimes because of their differing history and technological evolution, but both are becoming just data service providers with different legacy expertise. Hopefully the FCC starts to regulate them more consistently.

Allowing other companies access to the physical lines is a good idea. Telcos and cable companies insist that they will not have incentives to invest in the lines if they have to share. There is not a lot of evidence either way, but a system where consumers have one or at most two or three choices between effectively identical companies is not competition and is not good for consumers.

 

The Buzz Debacle - Thoughts on Online Privacy

Google's release of Buzz earlier this week has turned into quite the hot topic. As very brief background, Google released a Twitter-like addition to Gmail which automatically connects to your frequent contacts, linking in Picasa, Reader, and other Google applications that are tied in with Gmail accounts. Essentially, Buzz exposes your "Google life" to everyone you communicate with whether you intended those links to be seen by everyone or not.

Here is an example of the problem. A woman had information exposed to her abusive ex-husband that she did not want to be shared. Before Buzz, that information was segregated within Google and the ex-husband had no way of seeing it. No longer. There is no indication that this has led to real-life harm coming upon the poster, but this is the scary type of situation that causes privacy advocates to break out in hives and makes you want to say "Hey Google: What the hell?"

There were three things that, when combined, make Buzz the worst move Google has made in a long time, hands-down.

 

  • First, there is the lack of any notice as to what Buzz is and exactly what it shares with other people. This ad, for example, gives no indication that once turned on, Buzz will automagically share pretty much every connection in your Google life with everyone else you communicate with in Google. This includes Picasa, Reader, etc... 
  • Second, Google set the default to "share everything with everyone" and auto-added frequent contacts. The Buzz ad above says you can "share privately," which certainly doesn't suggest that you are opening Pandora's Box by default. And with the lack of notice, people who activate Buzz have to find that out the hard way. Google took a page out of Facebook's "how to piss off users" strategy guide for this one. Start with opt-in and go from there.
  • Third, it is hard to kill once it is enabled. There is a tiny little link at the bottom of the Gmail screen that says "turn Buzz off" but by some accounts it is not that easy. You may have to go through and un-follow each person in your Google Profile (even if you didn't set one up before), then unfollow in Buzz, then turn it off. Way too much work to opt-out.

 

Put together no notice, wide-open default settings, and a difficult and kludgy opt-out procedure and you have a recipe for disaster. Google should know better than enabling something like this when so many people put so much sensitive information into Gmail. People expect to be able to control their list of email contacts.

Expect Google to release some sort of management tool that helps users see what is shared and who can see it. It also wouldn't be surprising to see at least one lawsuit pop up out of this. Especially if someone like the woman in the post above gets hurt. What a mess.

Update: Didn't take long for Google to make changes. The big disconnect seems to be for people (like me) that already had Google profiles. No checkbox or notification that follower lists would be made public was presented. When you automatically add contacts from Gmail as followers/followees, there needs to be some notice for people who already had profiles.

Update2: Google has made additional changes to Buzz. They have addressed the second and third problems described above by not automatically adding frequent contacts to your "follow" list (instead suggesting people to follow) and making it much easier to control who sees things and shut it off. Very responsive of Google, but they really should have known better.

 

About this Blog

I am a second-year law student at The George Washington University Law School. My undergraduate degree, from the University of Minnesota, is in Computer Science; after earning it, I put it to use for just over four years working in information security and financial application development at a Fortune 200 company.

My legal interests lie primarily in cyberlaw and Internet/software-related intellectual property.