"In the end, the debate over TIA, if it comes, may hang on this point: Are the rules good enough? For some people, no number of safeguards may be OK. Lee Tien, of the Electronic Frontier Foundation, for example, says that "I can't possibly say yes based on what I know now. I'd have to be convinced there would be a commitment to privacy from the get-go, and we just don't see that now. This administration is known for its secrecy. They are as bad as Nixon, maybe worse. We certainly cannot trust them with this system."

He added that "one of my biggest fears is that they are working on this stuff and they have some breakthroughs, and then something happens -- an attack -- and all of a sudden TIA's riding the white horse to the rescue. And then it's, 'Gee we haven't worked out the privacy,' and 'We haven't had new legal protections, but the exigencies are such that we need it now.'"

That's probably a valid fear. But so is the fear of terrorism, says Ramakrishnan. "You know, not to make its sound grandiose, but I think there is a battle here, and we're facing the kinds of things the people who invented the atom bomb were thinking. It's probably not whether we should -- I don't think we have a choice. I would rather that we understood this and took the time to enforce reasonable safeguards. To the extent that we do this in the open and have in place an array of legal legislative guidelines, I'd be much happier with that." "

A very good article on Salon about the pro's and con's of Total Information Awareness. As a info security nerd, I understand the usefulness of mining databases to protect infrastructure and predict events, but the leftish libertarian in me doesn't trust the government, let alone the cops, to use such capabilities ethically. I'm honestly very conflicted on this matter.  People let supermarkets track everything they buy to save a few cents on a can of soup.  Amazon keeps track of everything you buy and in return we get very occasionally useful recommendations (what ever became of the Firefly Agent stuff from MIT, it was great!).  Is giving up some privacy for a potentially safer world tantamount to Ben Franklin's admonition against giving up liberty for security?  Does TIA really collect any information that isn't already collected by corporations, an entity that I tend to distrust as much as the government?  If the TIA data were held by the judicial branch, and only released after proper consideration, would this be satisfactory? 

Don't get me wrong, the whole thing makes me queasy.  But why is it that folks have no problems letting corporations track their information but not the government - when in the same breath they'll claim the government is being run by corporations?

"With all the activity, Hartford stands as a test case for America's "forgotten" cities - those that even the '90s boom couldn't resurrect. While many rust-belt cities - St. Louis, Cleveland, Detroit, even Gary, Ind. - made gains, some urban areas in the Northeast didn't. Now, with the economy weak, a revival here would be particularly poignant and symbolic."

A good article in the Christian Science Monitor about attempts to revitalize my childhood hometown, Hartford.

Permalink  comment []  

"The security of any computer system that is configured or operated by human beings critically depends on the information conveyed by the user interface, the decisions of the users, and the interpretation of their actions. This paper establishes some starting points for reasoning about security from a user-centred point of view: it proposes to model systems in terms of actors and actions, and introduces the concept of the subjective actor-ability state. Ten key principles for secure interaction design are identified; case studies illustrate and justify the principles, describing real-world problems and possible solutions. It is hoped that this work will help guide the design and evaluation of secure systems."

Its good to see someone thinking about these issues.  How many times have you been presented with a dialog-box telling you an SSL certificate is invalid?  How many times did you click yes on that dialog box, thereby acknowledging that you don't care if who you're talking to is who they say they are?  How many of you realize that was what you were acknowledging? 

The ten principles for secure interaction presented are:

"Path of Least Resistance. The most natural way to do any task should also be the most secure way.

Appropriate Boundaries. The interface should expose, and the system should enforce, distinctions between objects and between actions along boundaries that matter to the user.

Explicit Authorization. A user's authorities must only be provided to other actors as a result of an explicit user action that is understood to imply granting.

Visibility. The interface should allow the user to easily review any active actors and authority relationships that would affect security-relevant decisions.

Revocability. The interface should allow the user to easily revoke authorities that the user has granted, wherever revocation is possible.

Expected Ability. The interface must not give the user the impression that it is possible to do something that cannot actually be done.

Trusted Path. The interface must provide an unspoofable and faithful communication channel between the user and any entity trusted to manipulate authorities on the user's behalf.

Identifiability. The interface should enforce that distinct objects and distinct actions have unspoofably identifiable and distinguishable representations.

Expressiveness. The interface should provide enough expressive power (a) to describe a safe security policy without undue difficulty; and (b) to allow users to express security policies in terms that fit their goals.

Clarity. The effect of any security-relevant action must be clearly apparent to the user before the action is taken. "