Security

David Himmelstein of Cambridge Hospital and Harvard Med School (with co-authors) recently published a paper on the effect of computerization of hospitals.

The results, as Computerworld put it: Computers don't save hospitals money.

This makes sense, especially when you look at the study. They focused on data collected reported by individual hospitals nationwide between 2003 and 2007. Computerization, especially at the clinical level, is incredibly disruptive. Thus, the efficiencies aren't likely to arise soon.

I've been looking at the evolution of electronic funds transfer (EFT) and payment systems recently. My research uncovered a gem: about two years ago, David Stearns completed a dissertation that looks at the early evolution of the Visa card (originally "Bank Americard") in the context of other evolving electronic payment systems. Stearns' work is both readable and filled with interesting information.

What I find most fascinating is that the card systems followed the same security trajectory as cell phones. The first cards, like the early analog cell phones, were  vulnerable to fraud. In fact, the cards were absurdly vulnerable to fraud.

However, the promoters believed that the long term benefits of electronic cash were worth the risks. They also assumed without evidence that they could fix the fraud problems eventually.

Here's a recent posting on "how the web makes money," focusing on the on-line gaming community.

The bottom line: successful game sites rely too much on questionable vendors. Game players like to acquire game currency to improve their experience, especially as new players. They can often either buy game money or they can "earn" it by clicking allegedly "free" links. These sometimes give them game currency for free, but too-often involve scams.

While this Cryptosmith site pays for itself through consulting leads, I've always been interested in  more direct methods (described here). I think it's fair to collect a commission if I directly encourage someone to buy something, and I gave them the link to buy it. The jury is still out on whether this is worth the effort of constructing the links. I'm also curious as to whether this opens me up to various forms of fraud.

When I do provide links with commissions, I limit myself to links that I might use myself. I hope that that provides adequate quality control for my visitors.

If it's public information on paper, is the electronic version also a public record?

As a techie, I tend to think so. The electronic version carries more information, is easier to work with, and is sometimes easier to authenticate.

The city of Phoenix, AZ, recently argued the opposite in court, and ultimately lost. Someone was suing the city and demanded some public records. The city provided paper copies, some of which appeared to be backdated. The plaintiff demanded the electronic copies so he could examine the metadata. The city refused, saying that the metadata was not public record. Two courts agreed, but the Arizona Supreme Court disagreed. So a court is on record saying that, if the document is a public record, the electronic form is also a public record.

Apparently someone in the UK has proposed a sort of "three strikes" law - if your household is accused by a copyright holder of illegal downloading multiple times, then the holder can demand removal of the househ0ld's Internet connection.

Cory Doctorow, the author, wrote a polemic about how this reflects on the big media firms it tries to help.

He notes how copyright owners now use "takedown notices" as an extrajudicial form of censorship.

I've always been a fan of graphic presentations. More people understand graphs and diagrams than understand equations. While this is a bad thing in some ways, it remains a fact. So it's always great to see a graphical representation of a really difficult set of concepts.

Jeff Moser Fisher has posted A Stick Figure Guide to the Advanced Encryption Standard (AES). He has wisely structured it in layers.

A SANS Handler Notebook entry by Toby Kohlenberg reports on data leakage in cloud computing, and links to a terrific paper from some UCSD/MIT people: Ristenpart, Tromer, Shacham, and Savage.

If we set the wayback machine to the early 1970s, we find a paper by Butler Lampson about something called the confinement problem. It's the same thing. Ristenpart et al pick up some of the threads (like noninterference) though their paper doesn't point all the way back to Lampson.

This is a hard problem to solve. The only defense right now is if attackers lack the motivation to exploit it.

Troy Davis posted info about a malware ad encountered on NYTimes.com. I always enjoy a good, basic forensic analysis. The location of the ad is disturbing, to say the least, though it reflects a problem with today's on-line commercial culture.

It's so easy to do on-line transactions (you send money, I do an on-line service) that vendors aren't inclined to vet their customers. Vetting costs money: it takes time and it puts the vendor in the position of turning down potential sales.

A reader, GregoryF, has proposed a solution to Boak's puzzle. Many years ago, David G. Boak of the NSA gave lectures to train employees on communications security matters. In one case he presented a written story about insufficiently burned crypto materials (keys, etc.), several tons' worth, that needed disposal.

Boak didn't quite explain how they disposed of the waste. Instead, he coded the answer using an innocent text system and challenged the readers to solve it.

GregoryF's solution is posted as a comment to the earlier article. He actually came up with two different solutions. The "system" behind the second solution gets somewhat complicated, which casts some doubt on its correctness. Also, I haven't quite recovered the same results.

Spoilers ahead!