Archive for the ‘ESSAYS’ Category.

NY STAR: An accident waiting to happen

The New York State School Tax Relief (STAR) program is an identity theft “accident” waiting to happen. Homeowners apply for property exemptions on their primary residence, and file with their local tax assessors. (In the first year or so of this program, total chaos ensued in assessor’s offices all over the state.) Extra tax exemptions for senior citizens are means-tested, and require homeowners to submit their SSN or a copy of their income tax returns to the local assessor.

  • In New York City, they want SSNs from everybody. Just because it’s authorized by law (in the NYC Administrative Code) doesn’t mean it’s a good idea. Everywhere else, they’re only collecting SSNs or income tax returns from low-income seniors.
  • It’s hard to justify leaving so much personal financial information sloshing around assessor’s offices all over the state. And which is worse: copies of tax returns in piles in sleepy small-town assessor’s messy offices, or huge indifferent big-city assessor’s chaotic offices? Need to know? Mind your own business.
  • As their normal traffic is public information, assessors are not necessarily tuned to protecting private personal information. For a recent example of a public record agency handling private data, see the story of how the Suffolk County (NY) clerk’s normal processes put a few thousand SSNs in the public record [via Emergent Chaos].
  • Perhaps all these violations of “don’t ask for information you don’t need” and “don’t store information you don’t need again” were less serious even a few years ago, but the consequences of these old ways are getting worse every day.
  • Though it’s hard to patch the process perfectly, one simple fix would be to direct the flow of sensitive information away from local offices, e.g. create a state tax return checkoff that allows the income tax people to inform the assessors about eligibility and primary residence status without revealing any income information.
  • Well, the politics is irritating too. Creating yet another “take with one hand, give back with another” program is inefficient, and clearly its primary purpose is to create an opportunity for attaching a politician’s name to a tax cut, with extra discrimination making the program harder to kill.

Update 3/7/2006 see also: The public servants at the Ohio secretary of state insist on treating documents that pass through their hands as public despite embedded SSNs.

Update 4/11/2006 see also: Broward County (FL).


Here are two books that I’m enjoying right now. Neither of them is hot off the presses, but I thought I’d put a good word for each nonetheless.

Astronomical nonce sense

Ed Felten discusses an interesting dispute among astronomers regarding how long scholars should withhold discoveries so they can retain exclusive access and get credit for more original papers. (Aside: As I note in his comments, while this is largely self-governing because everybody has incentives to publish, there are occasional extreme examples of scholarly hoarding, such as the decades-long embargo on publication of some Dead Sea Scroll materials.)

The security angle on this is that the dispute is about whether the Spaniards scooped the Americans by reverse-engineering a temporary name published in an advance abstract of a paper. The temporary name contained a date that could have served as an index into a telescope activity log, revealing the position of the newly-discovered object.

The lesson is that cookies or nonces (temporary data values to be used only once) should usually, in security applications, be content-free (long, random, unpredictable, and generated with a random number generator not prone to reverse engineering itself). Structured or predictable nonces can lead to information leaks or to vulnerability to forgery. Short nonces fall to brute-force search.
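As an added example (not from the original post), a constructed provisional-name scheme modelled on the dispute above, beside a content-free nonce: the name format, the activity log and its values are hypothetical.

```python
"""A constructed provisional-name scheme beside a content-free nonce, to show
the leak the post describes: a date embedded in the name indexes a public log."""
import math
import re
import secrets
from datetime import date

# Constructed telescope activity log (hypothetical values): night -> field observed.
ACTIVITY_LOG = {
    date(2005, 3, 8): "field A",
    date(2005, 3, 9): "field B",
}

def structured_nonce(observed: date, seq: int) -> str:
    """Hypothetical provisional name: observation date plus a per-night counter.
    Every part of it is derivable from public facts, so it carries content."""
    return f"K{observed:%y%m%d}{seq:02d}"

def parse_structured_nonce(nonce: str):
    """Recover the observation date from a structured name, or None."""
    m = re.fullmatch(r"K(\d{6})(\d{2})", nonce)
    if not m:
        return None
    yymmdd = m.group(1)
    try:
        return date(2000 + int(yymmdd[:2]), int(yymmdd[2:4]), int(yymmdd[4:]))
    except ValueError:
        return None

def index_from_structured_nonce(nonce: str):
    """What a reader of the abstract can do with such a name: use the date
    as an index into the activity log."""
    night = parse_structured_nonce(nonce)
    return ACTIVITY_LOG.get(night) if night else None

def structured_search_bits(nights: int, per_night: int) -> float:
    """Effective entropy of the structured scheme: log2 of how many names exist."""
    return math.log2(nights * per_night)

def random_nonce(nbytes: int = 16) -> str:
    """Content-free nonce: nbytes from the OS CSPRNG, so 8*nbytes bits of
    entropy and nothing to parse."""
    return secrets.token_hex(nbytes)

def is_content_free(nonce: str, min_bits: int = 128) -> bool:
    """Acceptance check for the post's criteria: lowercase hex and long enough
    (a structured name like 'K05030801' fails on both counts)."""
    if not re.fullmatch(r"[0-9a-f]+", nonce):
        return False
    return len(nonce) * 4 >= min_bits
```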

GMail fronts for other domains

I just happily discovered that GMail settings support non-GMail “From:” addresses. It’s a welcome feature for me, as I had no intention of binding to a vendor domain name ever again.

Perhaps it has been a feature for quite some time, and I just wasn’t aware of it. GMail is predisposed toward pleasant surprises without fanfare (e.g. “plus addresses” are supported too).

Linear combinations are not just for obfuscation any more

Network coding applied to P2P content distribution, as seen in Microsoft’s Avalanche research paper, is motivated by network performance improvement: it makes good use of available network throughput by filling the pipes with data that is useful to others, while avoiding the difficult problem of selecting what your downstream peers will need. Nodes send linear combinations of everything they’ve got, and receivers can reconstruct what they need from that.

There are interesting implications for content filterers. Previously one could argue that transmitting combined blocks (e.g. XOR a file with the U.S. Declaration of Independence, the Constitution, and today’s Dilbert) is purely an obfuscation technique for easily evading content recognizers. Now those techniques will be a basic component of efficiently using available bandwidth, with a side effect of making content recognition and filtering more dynamic and more difficult.
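The mechanism described above, as an added example that is not Avalanche's code or from the original post: random XOR combinations of constructed blocks, a decoder that recovers the originals once it holds enough independent packets, and a recognizer that knows only the original blocks.

```python
"""Network coding over GF(2) (XOR), as the post describes: senders transmit
random linear combinations of the blocks they hold, and a receiver with enough
independent combinations recovers every original block. Inputs are constructed."""
import random

# Constructed content: four equal-size blocks of one "file".
BLOCKS = [b"INDEPEND", b"CONSTITU", b"DILBERT!", b"PAYLOAD0"]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encode(blocks, coeff: int):
    """One coded packet: coefficient vector (bit i set => block i included)
    and the XOR of the selected blocks."""
    data = bytes(len(blocks[0]))
    for i, blk in enumerate(blocks):
        if coeff >> i & 1:
            data = xor_bytes(data, blk)
    return coeff, data

def random_coeff(n: int, rng: random.Random) -> int:
    """A random non-zero coefficient vector, as a node would pick per packet."""
    c = 0
    while c == 0:
        c = rng.getrandbits(n)
    return c

def decode(packets, n: int):
    """Gaussian elimination over GF(2). Returns the n original blocks in order,
    or None if the packets do not span the space (keep downloading)."""
    rows = [[c, d] for c, d in packets]
    used, pivot = set(), {}
    for bit in range(n):
        idx = next((i for i in range(len(rows))
                    if i not in used and rows[i][0] >> bit & 1), None)
        if idx is None:
            return None
        used.add(idx)
        pivot[bit] = idx
        for j in range(len(rows)):  # clear this bit from every other row
            if j != idx and rows[j][0] >> bit & 1:
                rows[j][0] ^= rows[idx][0]
                rows[j][1] = xor_bytes(rows[j][1], rows[idx][1])
    return [rows[pivot[b]][1] for b in range(n)]

def matches_original(data: bytes, blocks) -> bool:
    """A content recognizer that only knows the original blocks: a coded packet
    with two or more terms never matches, which is the filtering side effect."""
    return data in blocks
```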

Blog moved

My blog and all of its content have moved from to RSS. Now the world can stop making fun of my URL.

It looks like BlogLines subscribers will get carried along for the ride automatically, though possibly continuing to use the old redirected feed URL. I don’t know if other RSS aggregators will need to be manually updated to follow the permanent redirects from the old site.

The move from MovableType to WordPress was even easier than my previous move from Userland Radio to MovableType.

Policy Metaphors

  • Do not open the thermostat. Call Facilities to adjust. A mechanic will visit twice a year to adjust it, to secure the Allen screws, and to scold you about opening it. (Note: those unsolicited visits don’t happen any more.)
  • Wave arms periodically to turn lights back on. (Note: Many creative mobiles and lightweight origami figures have been invented, with the common feature of being light enough to catch ambient airflow.)

Raw, rare, or well-done?

I haven’t posted a blog entry here in four months. Here is my revised blogging strategy:

  • Raw:
    My personal link-blogging has shifted to
    my Furl archive
    which continues to be my frequently-updated repository of interesting links, annotated with clips, tags, and brief remarks.
    Though I dislike Furl’s default rendering into both HTML and RSS ( is much more pleasant), its archiving feature is indispensable to me, and the Furl folks have listened to some of my suggestions, so I see hope for improvement.

  • Rare, and well-done:
    Stay tuned, I am still planning to post occasional articles to this site. I am saving up links to content that is overlooked and deserves more attention. In other cases I’m chewing on my own thoughts and will have something original to say.

I’ve noticed that quite a few sites that I read have followed a similar trend, toward less frequent but meatier posting. There are only two high-volume bloggers that I read, plus I follow the Furl / / DashLog blogs of two esteemed colleagues. Everyone else gets my attention only with low quantity and high quality.

GMail implements “plus addresses”

I had the opportunity to join GMail [beta]. My first piece of feedback to them was a request for user-defined recipient sub-addresses (e.g. using the sendmail “username+anything@domain” convention). Having that available for recipient filtering is more reliable than trying to parse numerous styles of correspondence (some list software inserts List-ID, some doesn’t, etc).

It turns out that GMail already implements the sendmail ‘+’ convention.
It works, but as far as I can tell, it’s not documented anywhere — or at least I didn’t think of the right search terms for it.

I hope that this creates new incentives for web sites and other email addressing processing software to stop violating RFC2822 by excessively restricting the character set of email addresses.
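As an added example (not from the original post or from GMail), the over-strict address check that rejects sub-addresses beside one that accepts the RFC2822 local-part characters, plus the split a recipient filter needs; the addresses and routing rules are constructed.

```python
"""Sub-address ('plus address') handling: the over-strict validator many sites
use beside one that accepts the RFC 2822 local-part character set, and the split
a recipient filter needs. Addresses below are constructed examples."""
import re

# Characters RFC 2822 permits in an unquoted local part (atext); dots join atoms.
ATEXT = r"A-Za-z0-9!#$%&'*+/=?^_`{|}~-"
STRICT_RE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+$")  # common, rejects '+'
RFC_RE = re.compile(rf"^[{ATEXT}]+(\.[{ATEXT}]+)*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

def strict_valid(addr: str) -> bool:
    """What many sign-up forms do: silently refuse every sub-address."""
    return STRICT_RE.match(addr) is not None

def rfc_valid(addr: str) -> bool:
    """Dot-atom local part per RFC 2822 (quoted-string forms omitted) and a
    dotted domain; '+' and the other atext symbols are allowed."""
    return RFC_RE.match(addr) is not None

def split_subaddress(addr: str):
    """Sendmail convention: 'user+tag@domain' -> ('user@domain', 'tag');
    only the first '+' in the local part separates the tag."""
    local, _, domain = addr.rpartition("@")
    user, sep, tag = local.partition("+")
    return f"{user}@{domain}", (tag if sep else None)

def route_by_tag(addr: str, rules: dict) -> str:
    """Recipient-side filtering the post prefers over parsing List-ID headers:
    the folder is chosen by the tag the sender was given."""
    _, tag = split_subaddress(addr)
    return rules.get(tag, "INBOX")
```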

P.S. If anyone else wants to try GMail [beta] also, let me know; I now have a ration of invitations too.

Infernal spyware redux

My home PC running Windows 2000 is finally free of Look2Me spyware.
It’s very aggressive at staying alive.
It creates an ever-changing series of DLL files.
Removing or changing its registry entries causes it to immediately rewrite them.

As I noted last week, my first symptom was unwanted outgoing “phone home” connections caught by ZoneAlarm, resulting in eventual loss of TCP connectivity within about 20 minutes.

The tools at sysinternals were very helpful in seeing exactly what was going on, specifically the process monitor, registry monitor, and network connection monitor.

The removal instructions that finally worked were found at the bottom of
Removal required VX2Finder, regedit/regedt32 (significant key has name along the lines of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian*), and Windows Safe Mode.
Once you search for the right things it looks like there are a few ways to skin this cat.

I know, I’ve been “rooted” on a weak platform, and I should stop whining and do something about being less vulnerable.

The purveyors of this are as criminal as the virus-releasers. Their damage is diffuse so they are under the radar for now.

The fact that the present solution to this is cottage-industry homegrown hacks surprises me; I’d think that the anti-virus industry would be on this. It’s evidence that they’re running further behind than ever before.

Along the way I ran across the funny remark by Rob Leathern (one of the comments attached to a John Battelle article):

Looking at the top downloads at is always interesting – typically two-thirds are adware/spyware-bundling music/video download programs, the other third are spyware removers.

I think the proportions are reversed now.