Benlog

Thoughts on Technology & People

  • degrees of trust: software vs. data hosts

    Overjoyed by all the SSL goodness around me (Twitter offers SSL-only as an option, so does Facebook, Google offers 2-factor auth), I started dutifully upgrading my web browsing experience on Firefox, specifically installing the EFF Add-On that turns on HTTPS everywhere it can, in particular when using Google (it uses encrypted.google.com by default). I googled…

  • benadida@mozilla

    In a few days, I’ll be joining Mozilla. What started as a fun lunch with Sid and Alex quickly turned into passionate brainstorming with Mike, Pascal, and Lloyd on the Mozilla Labs team. I told them I wanted to deeply explore a few ideas I’ve written about and prototyped (here and here, for example) and…

  • Jumpstarting Health IT innovation

    Until last month, I was lead architect on the SMART Project at Harvard Medical School and Children’s Hospital Boston (now I’m an advisor). One key issue that all Health IT folks grapple with is how to make the Health IT ecosystem more dynamic and innovative, because technology in that space moves so slowly. The SMART…

  • everything I know about voting I learned from American Idol

    Tonight, American Idol began online voting. Yes, I’m a fan of American Idol, but don’t let that fool you: I’m still a bitchin’ cryptographer. I suspect that American Idol online voting will give rise to many questions such as “wow, awesome, now when can I vote in US Elections with my Facebook account?” and “Why…

  • a personal update

    Tomorrow (Jan 31st) is my last day on the Research Faculty at Harvard Medical School and Children’s Hospital Boston. It’s been a fantastic ride thanks entirely to the folks with whom I had the pleasure of working, in particular Zak Kohane and Ken Mandl. Ultimately, I finally noticed what was staring me in the face:…

  • the difference between privacy and security

    Facebook today rolled out new security features, both of which are awesome: SSL everywhere, and social re-authentication. True, SSL everywhere should probably be a default, even though I continue to believe that the cost is significantly underestimated by many privacy advocates. Regardless, this announcement is great news. The only nitpick I have, and I point…

  • Facebook, the Control Revolution, and the Failure of Applied Modern Cryptography

    In the late 1990s and early 2000s, it was widely assumed by most tech writers and thinkers, myself included, that the Internet was a “Control Revolution” (to use the words of Andrew Shapiro, author of a book with that very title in 1999). The Internet was going to put people in control, to enable buyers…

  • an answer to John Gruber: Google dropping H.264 is good for everyone

    Google just dropped support for H.264 in Chrome. John Gruber, among others, is not happy. Now, John Gruber is a very smart guy, but his Apple bias is too much even for me, and it’s preventing him from seeing what is fairly obvious. So, allow me to answer John’s questions, even though I have no…

  • privacy icons

    Aza Raskin has posted alpha 1 of the proposed Mozilla Privacy Icons. I was at the Mozilla-sponsored get-together where this was first discussed, and I’m really happy to see this moving forward. A few quick thoughts: the least useful of the icons is the “used only for intended use.” I don’t think that icon can…

  • Crisis in the Java Community… could they have used a secret-ballot election?

    There is a bit of a crisis in the Java community: the Apache Foundation just resigned its seat on the Java Executive Committee, as did two individual members, Doug Lea and Tim Peierls. From what I understand, the central issue appears to be that Oracle, the new Java “owner” since they acquired Sun Microsystems, is…

  • The Health IT report is very good; some opinionated suggestions

    “Oy,” I thought, when I received a copy of “REPORT TO THE PRESIDENT REALIZING THE FULL POTENTIAL OF HEALTH INFORMATION TECHNOLOGY TO IMPROVE HEALTHCARE FOR AMERICANS: THE PATH FORWARD” [PDF]. I worried this would be a lot of vague, easy-to-agree-with advice with little actionable material. I was wrong. Hats off to the team that wrote…

  • Wikileaks — not ideal, but a force for good in the end

    I’ve found myself quite conflicted over the latest Wikileaks “dump”, specifically the hundreds of thousands of US diplomatic cables. On the one hand, there is no doubt that the mainstream press is failing miserably in its role of investigating and breaking stories about illegal secret activities. We’ve seen numerous high-profile publications delay stories for fear…

  • airport privacy

    Today, I opted out of the TSA’s “advanced imaging” system at San Francisco International airport. To the TSA’s credit, they behaved very professionally. As soon as I said I was opting out, a manager came over and asked me why, wrote down my reason, and very politely directed me to a patdown. The TSA agent…

  • OK, let’s work to make SSL easier for everyone

    So in the wake of the FireSheep situation, which I described yesterday, the tech world is filled with people talking past each other on one important topic: should we just switch everything over to SSL? As I stated yesterday, I don’t think that’s going to happen anytime soon. I would love to be wrong, because…

  • keep your hands off my session cookies

    For years, security folks — myself included — have warned about the risk of personalized web sites such as Google, Facebook, Twitter, etc. being served over plain HTTP, as opposed to the more secure HTTPS, especially given the proliferation of open wifi networks. But warnings from security freaks rarely get people’s attention. A demonstration is…

  • Facebook can and should do more to proactively protect users

    A few days ago, the Wall Street Journal revealed that Facebook apps were leaking user information to ad networks. Today, Facebook proposed a scheme to address this issue. This is good news, but I’m concerned that Facebook’s proposal doesn’t address the underlying issue fully. Facebook could be doing a lot more to protect its users,…

  • faulty logic, even for good, is still faulty

    So Alex Halderman and team hacked the DC Internet Voting pilot. The voting system they attacked was not particularly well secured, and the type of attack used is a fairly simple web input corruption attack with little novelty. This hack, however, performs a very useful task: educating election officials and the public about what hacks…

  • Fort Knox vs. the Barking Dog

    Over the last few days, Alex Halderman and his team at the University of Michigan hacked an Internet Voting System being field-tested by the DC Board of Elections. First, we need to commend both Alex’s team for their dutiful analysis of this system, and, more importantly, the DC Board of Elections for running an open…

  • defending against your own stupidity

    When thinking about security, it is tempting to determine the worst-case attacker and focus defenses against it. (Of course, by worst-case, I mean within the bounds of a reasonable threat model: the NSA is not a reasonable worst-case attacker for every problem.) A corollary to this reasoning goes something like this: well, I’ve already implemented…

  • an unwarranted bashing of Twitter’s oAuth

    Ryan Paul over at ArsTechnica claims a compromise of Twitter’s oAuth system, but fails to demonstrate such a compromise. It’s unfortunate, because some of his comments are indeed worthwhile, and there are a few interesting recommendations that Twitter should follow (hah, no pun intended). But what we have here is not a “compromise”, and the…

  • Usenix Security, voting and health security

    I’m at Usenix Security 2010 in DC, starting with the EVT/WOTE Workshop on voting where I’ll be presenting an update on Helios, then the HealthSec workshop where I’ll be on a panel discussing my paper with Zak Kohane and Ken Mandl on using a Personally Controlled Health Record for health-information exchange [PDF]. The voting crowd…

  • Hello world!

    Welcome to WordPress.com. This is your first post. Edit or delete it and start blogging!

  • browser extensions = user freedom

    The web browser has become the universal trusted client. That can be good: users can mostly rely on their browsers to isolate their banking site from the other web sites they visit. It can also be bad for users’ freedom: Facebook can encourage the world to add “Like” buttons everywhere, and suddenly users are being…

  • devices, payload data, and why Kim is (in part) right.

    A few days ago, I wrote about privacy advocacy theater and lamented how some folks, including EPIC and Kim Cameron, are attacking Google in a needlessly harsh way for what was an accidental collection of data. Kim Cameron responded, and he is right to point out that my argument, in the Google case, missed an…

  • Privacy Advocacy Theater

    Ed Felten recently used the very nice term Privacy Theater in describing the insanity of 6,000-word privacy agreements that we pretend to understand. The term, inspired by Bruce Schneier’s “security theater” description of US airport security, may have been introduced by Rohit Khare in December 2009 on TechCrunch, where he described how “social networks only…

  • if you’re outraged by accidental breaches, you’d better sit down

    A few days ago, a security bug was discovered on Facebook, whereby users could see the chat transcripts of their friends talking to other friends. Then, another security hole was discovered where a problem at Yelp revealed email addresses of Facebook users. And today, Google realized that they accidentally collected network traffic from open wi-fi…

  • the genius of Steve Jobs: he makes you want the lock-in

    Steve Jobs is a genius for many reasons, but one reason that may be under-appreciated is his unparalleled ability to convince users that he’s locking them into his platforms for their own good. Consider Jobs’s latest letter explaining why he won’t accept Flash on the iPhone/iPad. Most of the letter is right on: Adobe’s Flash…

  • distributed innovation

    A few years ago, a small group of folks (Mark Birbeck, Steven Pemberton, Ralph Swick, Shane McCarron, me, and more recently Ivan Herman, Manu Sporny, and a lot of great new folks) started with the simple idea that, if web pages contained a bit of structured data in addition to their haphazard content, we could…

  • What Nick Carr doesn’t get: hobbyists are the canary in the coal mine

    I told myself I wouldn’t write about the iPad anymore, but I have to. Nick Carr has joined the John Gruber club, by calling us Luddites: What these folks are ranting against, or at least gnashing their teeth over, is progress – or, more precisely, progress that goes down a path they don’t approve of.…

  • Myth: the app store will protect you and prevent user confusion

    An interesting thing happened with the Apple AppStore this weekend: This weekend, as hundreds of thousands of people explored their iPads […] they found […] an application called Facebook Ultimate, featuring a sleek version of the familiar ‘f’ logo. The application quickly rose through the ranks to become one of the App Store’s top selling…