Rogue One Sequel already being filmed!
There’s some really interesting leaked photos and analysis by Charles Goodman. “Leaked photos from the Rogue One sequel (Mainly Speculation – Possible Spoilers).”
Someone once asked me why I like Star Wars more than Star Trek. I was a bit taken aback, and he assumed that since I use it so much, I obviously prefer it. The real reason I use Star Wars is not that it’s better, but that there’s a small canon, and I don’t have […]
Image credit: Bill Anders, Apollo 8, launched this day, Dec 21, 1968.
[Dec 20 update: The first draft of this post ended up with both consumer and enterprise advice, which made it complex. The enterprise half is now on the IANS blog: Never Waste a Good Crisis: Yahoo Edition.] Yesterday, Yahoo disclosed that attackers broke into Yahoo in 2013 and stole details on a billion accounts. Brian […]
This quote from Bob Iger, head of Disney, is quite interesting for his perspective as a leader of a big company: There is a human side to it that I try to apply and consider. [But] the harder thing is to balance with the reality that not everything is perfect. In the normal course of […]
There’s a new paper from Mark Thompson and Hassan Takabi of the University of North Texas. The title captures the question: Effectiveness Of Using Card Games To Teach Threat Modeling For Secure Web Application Developments Gamification of classroom assignments and online tools has grown significantly in recent years. There have been a number of card […]
Over the decade or so since The New School book came out, there’s been a sea change in how we talk about breaches, and how we talk about those who got breached. We agree that understanding what’s going wrong should be a bigger part of how we learn. I’m pleased to have played some part […]
There’s a really interesting podcast with Robert Hurlbut, Chris Romeo, and Tony UcedaVelez on the PASTA approach to threat modeling. The whole podcast is interesting, especially hearing Chris and Tony discuss how an organization went from STRIDE to CAPEC and back again. There’s a section where they discuss the idea of “think like an attacker,” […]
[Dec 15: Note that there are 4 updates to the post with additional links after writing.] The Green Party is driving a set of recounts that might change the outcome in one or more swing states. Simultaneously, there is a growing movement to ask the Electoral College to choose a candidate other than Donald Trump […]
In September, we shared the news that for its 50th year, the people of Gävle paid an extra $100,000 to secure the goat. Sadly, it seems to have not helped. Today, the goat tweeted: Oh no, such a short amount of time with you my friends. The obvious lesson is that the Swedes have a […]
I moved to MacOS X because it offers both a unix command line and graphical interfaces, and I almost exclusively use the command line as I switch between tasks. If you use a terminal and aren’t familiar with the open command, I urge you to take a look. I tend to open documents with open […]
This election has been hard to take on all sorts of levels, and I’m not going to write about the crap. Everything to be said has been said, along with much that never should have been said, and much that should disqualify those who said it from running for President. I thought about endorsing Jill […]
One of the themes of The New School of Information Security is how other fields learn from their experiences, and how information security’s culture of hiding our incidents prevents us from learning. Today I found yet another field where they are looking to learn from previous incidents and mistakes: zombies. From “The Zombie Survival Guide: […]
Much of what Andrew and I wrote about in the New School has come to pass. Disclosing breaches is no longer as scary, nor as shocking, as it was. But one thing we expected to happen was the emergence of a robust market of services for breach victims. That’s not happened, and I’ve been thinking […]
In “Threat Modeling Crypto Back Doors,” I wrote: In the same vein, the requests and implementations for such back-doors may be confidential or classified. If that’s the case, the features may not go through normal tracking for implementation, testing, or review, again reducing the odds that they are secure. Of course, because such a system […]
[Update, Feb 20 2017: More reading: Trump and the ‘Society of the Spectacle’.]
“We’ll have more guards. We’re going to try to have a ‘goat guarantee’ the first weekend,” deputy council chief Helene Åkerlind, representing the local branch of the Liberal Party, told newspaper Gefle Dagblad. “It is really important that it stays standing in its 50th year,” she added to Arbetarbladet. Gävle Council has decided to allocate […]
There is a frequent claim that stock markets are somehow irrational and unable to properly value the impact of cyber incidents in pricing. (That’s not usually precisely how people phrase it.) I like this chart of one of the largest credit card breaches in history: It provides useful context as we consider this quote: On […]
Steve Bellovin and I provided some “Input to the Commission on Enhancing National Cybersecurity.” It opens: We are writing after 25 years of calls for a “NTSB for Security” have failed to result in action. As early as 1991, a National Research Council report called for “build[ing] a repository of incident data” and said “one […]
When I think about how to threat model well, one of the elements that is most important is how much people need to keep in their heads, the cognitive load if you will. In reading Charlie Stross’s blog post, “Writer, Interrupted” this paragraph really jumped out at me: One thing that coding and writing fiction […]
At the RMS blog, we learn they are “Launching a New Journal for Terrorism and Cyber Insurance:” Natural hazard science is commonly studied at college, and to some level in the insurance industry’s further education and training courses. But this is not the case with terrorism risk. Even if insurance professionals learn about terrorism in […]
Recently, some of my friends were talking about a report by Bay Dynamics, “How Boards of Directors Really Feel About Cyber Security Reports.” In that report, we see things like: More than three in five board members say they are both significantly or very “satisfied” (64%) and “inspired”(65%) after the typical presentation by IT and […]
There’s two major parts to the DNC/FBI/Russia story. The first part is the really fascinating evolution of public disclosures over the DNC hack. We know the DNC was hacked, that someone gave a set of emails to Wikileaks. There are accusations that it was Russia, and then someone leaked an NSA toolkit and threatened to […]
Nothing. No, seriously. Articles like “Microsoft Secure Boot key debacle causes security panic” and “Bungling Microsoft singlehandedly proves that golden backdoor keys are a terrible idea” draw on words in an advisory to say that this is all about golden keys and secure boot. This post is not intended to attack anyone; researchers, journalists or […]
Back in October, 2014, I discussed a pattern of “Employees Say Company Left Data Vulnerable,” and it’s a pattern that we’ve seen often since. Today, I want to discuss the consultant’s variation on the story. This is less common, because generally smart consultants don’t comment on the security of their consultees. In this case, it […]
“Better safe than sorry” are the closing words in a NYT story, “A Colorado Town Tests Positive for Marijuana (in Its Water).” Now, I’m in favor of safety, and there’s a tradeoff being made. Shutting down a well reduces safety by limiting the supply of water, and in this case, they closed a pool, which […]
U.S. President Barack Obama says he’s ”concerned” about the country’s cyber security and adds, ”we have to learn from our mistakes.” Dear Mr. President, what actions are we taking to learn from our mistakes? Do we have a repository of mistakes that have been made? Do we have a “capability” for analysis of these mistakes? […]
I always get a little frisson of engineering joy when I drive over the Tacoma Narrows bridge. For the non-engineers in the audience, the first Tacoma Narrows bridge famously twisted itself to destruction in a 42-mph wind. The bridge was obviously unstable even during initial construction (as documented in “Catastrophe to Triumph: Bridges of the […]
“My father likes to keep some anonymity. It’s who he is. It’s who he is as a person,” Eric Trump said. It should have been obvious. (Quote from Washington Post, July 6, 2016).
So I have a very specific question about the “classified emails”, and it seems not to be answered by “Statement by FBI Director James B. Comey on the Investigation of Secretary Hillary Clinton’s Use of a Personal E-Mail System.” A few quotes: From the group of 30,000 e-mails returned to the State Department, 110 […]
Since 2005, this blog has had a holiday tradition of posting “The unanimous Declaration of the thirteen united States of America.” Never in our wildest, most chaotic dreams, did we imagine that the British would one day quote these opening words: When in the Course of human events, it becomes necessary for one people to […]
I’m excited to see the call for papers for Passwords 2016. There are a few exciting elements. First, passwords are in a category of problems that someone recently called “garbage problems.” They’re smelly, messy, and no one really wants to get their hands dirty on them. Second, they’re important. Despite their very well-known disadvantages, and […]
As security professionals, sometimes the advice we get is to think about the security controls we deploy as some mix of “cloud access security brokerage” and “user and entity behavioral analytics” and “next generation endpoint protection.” We’re also supposed to “hunt”, “comply,” and ensure people have had their “awareness” raised. Or perhaps they mean “training,” […]
Bruce Schneier comments on “Apple’s Differential Privacy:” So while I applaud Apple for trying to improve privacy within its business models, I would like some more transparency and some more public scrutiny. Do we know enough about what’s being done? No, and my bet is that Apple doesn’t know precisely what they’ll ship, and aren’t […]
C-3PO: Sir, the possibility of successfully navigating an asteroid field is approximately 3,720 to 1. Han Solo: Never tell me the odds. I was planning to start this with a C-3PO quote, and then move to a discussion of risk and risk taking. But I had forgotten just how rich a vein George Lucas tapped […]
There is a spectre haunting the internet, the spectre of drama. All the powers of the social media have banded together to not fight it, because drama increases engagement statistics like nothing else: Twitter and Facebook, Gawker and TMZ, BlackLivesMatter and GamerGate, Donald Trump and Donald Trump, the list goes on and on. Where is […]
I’ve repeatedly spoken out against “think like an attacker.” Now I’m going to argue from authority. In this long article, “The Obama Doctrine,” the President of the United States says “The degree of tribal division in Libya was greater than our analysts had expected.” So let’s think about that statement and what it means. First, […]
This is a brief response to Steve Christey Coley, who wrote on Twitter, “but BH CFP reads mostly pure-tech, yet infosec’s more human-driven?” I can’t respond in 140, and so a few of my thoughts, badly organized: BlackHat started life as a technical conference, and there’s certain expectations about topics, content and quality, which have […]
Have a survival kit: ricola, Purell, gatorade, advil and antacids can be brought or bought on site. Favorite talk (not by me): I look forward to Sounil Yu’s talk on “Understanding the Security Vendor Landscape Using the Cyber Defense Matrix.” I’ve seen an earlier version of this, and like the model he’s building a great […]
I was confused about why Dan Kaminsky would say CVE-2015-7547 (a bug in glibc’s DNS handling) creates network attack surface for sudo. Chris Rohlf kindly sorted me out by mentioning that there’s now a -host option to sudo, of which I was unaware. I had not looked at sudo in depth for probably 20 years, […]
Many executives have been trying to solve the problem of connecting security to the business, and we’re excited about what we’re building to serve this important and unmet need. If you present security with an image like the one above, we may be able to help. My new startup is getting ready to show our […]
According to the CBC: “McDonald’s kale salad has more calories than a Double Big Mac” In a quest to reinvent its image, McDonald’s is on a health kick. But some of its nutrient-enhanced meals are actually comparable to junk food, say some health experts. One of new kale salads has more calories, fat and sodium […]
This is a superb owl, but its feathers are ruffled. It is certainly not a metaphor. Speaking of ruffled feathers, apparently there’s a kerfuffle about Super Bowl 1, where the only extant tape is in private hands, and there’s conflict over what to do with it. One aspect I haven’t seen covered is that 50 […]
I’m excited to say that Threat Modeling: Designing for Security is now available in Chinese. This is a pretty exciting milestone for me — it’s my first book translation, and it joins Elevation of Privilege as my second translation into Chinese. You can buy it from Amazon.cn.
Voting for the 2016 Security Blogger Awards is now open, and this blog is nominated for most entertaining. Please don’t vote for us. Along with our sister blog, we’re aiming to dominate a new category next year, “most nominations without a win.”
Offered up without comment: Star Wars Episode IV.1.d: The Pentesters Strike Back from CyberPoint International on Vimeo.
Happy New Year! The Pogues are Launching their own brand of whiskey, and whatever you think of the band or of drinking, it’s hard to think of a more “on brand” product creation than this.
In “The Galactic Empire Has Terrible Cybersecurity,” Alex Grigsby looks at a number of high-profile failures, covered in “A New Hope” and the rest of the Star Wars canon. Unfortunately, the approach he takes to the Galactic Empire obscures the larger, more dangerous issue, which is its cybersecurity culture. There are two errors in Grigsby’s analysis, […]
I had not seen this excellent presentation by the engineer who built the Death Star’s exhaust system. In it, he discusses the need to disperse energy from a battle station with the power draw to destroy planets, and the engineering goals he had to balance. I’m reminded again of “The Evolution of Useful Things” and […]
John Masserini has a set of “open letters to security vendors” on Security Current. Everyone involved in product or sales at a security startup should read them. John provides insight into what it’s like to be pitched by too many startups, and provides a level of transparency that’s sadly hard to find. Personally, I learned […]
One of the most interesting security books I’ve read in a while barely mentions computers or security. The book is Petroski’s The Evolution of Useful Things. As the subtitle explains, the book discusses “How Everyday Artifacts – From Forks and Pins to Paper Clips and Zippers – Came to be as They are.” The chapter […]
Apparently, the CISO of US Homeland Security, a Paul Beckman, said that: “Someone who fails every single phishing campaign in the world should not be holding a TS SCI [top secret, sensitive compartmentalized information—the highest level of security clearance] with the federal government” (Paul Beckman, quoted in Ars Technica) Now, I’m sure being in the […]
This is a survey from Doug Hubbard, author of How To Measure Anything and he is currently writing another book with Richard Seiersen (GM of Cyber Security at GE Healthcare) titled How to Measure Anything in Cybersecurity Risk. As part of the research for this book, they are asking for your assistance as an information […]
As you may be aware, I’m a fan of using Star Wars for security lessons, such as threat modeling or Saltzer and Schroeder. So I was pretty excited to see Wade Baker post “Luke in the Sky with Diamonds,” talking about threat intelligence, and he gets bonus points for crossover title. And I think it’s […]
One of the values of models is they can help us engage in areas where otherwise the detail is overwhelming. For example, C is a model of how a CPU works that allows engineers to defer certain details to the compiler, rather than writing in assembler. It empowers software developers to write for many CPU […]
A conversation with an old friend reminded me that there may be folks who follow this blog, but not the New School blog. Over there, I’ve posted “Improving Security Effectiveness” about leaving Microsoft to work on my new company: For the last few months, I’ve been working full time and talking with colleagues about a […]
We have a new way to measure security effectiveness, and want someone who’ll drive to delivering the technology to customers, while building a great place for developers to ship and deploy important technology. We are very early in the building of the company. The right person will understand such a “green field” represents both opportunity […]
As we head into summer conference season, drama is as predictable as vulnerabilities. I’m really not fond of either. What I am fond of, (other than Star Wars), as someone who spends a lot of time thinking about models, is the model of the “drama triangle.” First discussed by Stephen Karpman, the triangle has three […]
There’s a great “long read” at CIO, “6 Software Development Lessons From Healthcare.gov’s Failed Launch.” It opens: This article tries to go further than the typical coverage of Healthcare.gov. The amazing thing about this story isn’t the failure. That was fairly obvious. No, the strange thing is the manner in which often conflicting information is […]
I was irked to see a tweet “Learned a new word! Pseudoarboricity: the number of pseudoforests needed to cover a graph. Yes, it is actually a word and so is pseudoforest.” The idea that some letter combinations are “actual words” implies that others are “not actual words,” and thus, that there is some authority who […]
Hossein Derakhshan was recently released from jail in Iran. He’s written a long and thoughtful article “The Web We Have to Save.” It’s worth reading in full, but here’s an excerpt: Some of it is visual. Yes, it is true that all my posts on Twitter and Facebook look something similar to a personal blog: […]
For the last few months, I’ve been working full time and talking with colleagues about a new way for security executives to measure the effectiveness of security programs. In very important ways, the ideas are new and non-obvious, and at the same time, they’re an evolution of the ideas that Andrew and I wrote about […]
I want to discuss some elements of the OPM breach and what we know and what we don’t. Before I do, I want to acknowledge the tremendous and justified distress that those who’ve filled out the SF-86 form are experiencing. I also want to acknowledge the tremendous concern that those who employ those with clearances […]
In CONGRESS, July 4, 1776 The unanimous Declaration of the thirteen united States of America, When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which […]
This was a story back around RSA, but I missed it until RSnake brought it up on Twitter: “[A default password] can hack nearly every credit card machine in the country.” The simple version is that Charles Henderson of Trustwave found that “90% of the terminals of this brand we test for the first time […]
[There are broader critiques by Katie Moussouris of HackerOne at “Legally Blind and Deaf – How Computer Crime Laws Silence Helpful Hackers” and Halvar Flake at “Why changes to Wassenaar make oppression and surveillance easier, not harder.” This post addresses the free speech issue.] During the first crypto wars, cryptography was regulated under the US […]
Today, the Open Technology Institute released an open letter to the President of the United States from a broad set of organizations and experts, and I’m pleased to be a signer, and agree wholeheartedly with the text of the letter. (Some press coverage.) I did want to pile on with an excerpt from chapter 9 […]
So Bill Brenner has a great article on “How to survive security conferences: 4 tips for the socially anxious.” I’d like to stand by my 2010 guide to “Black Hat Best Practices,” and augment it with something new: a word on etiquette. Etiquette is not about what fork you use (start from the outside, […]
John Boyd’s ideas have had a deep impact on the world. He created the concept of the OODA Loop, and talked about the importance of speed (“getting inside your opponent’s loop”) and orientation, and how we determine what’s important. A lot of people who know about the work of John Boyd also know that he […]
The Washington Post reports that there will be a “New agency to sniff out threats in cyberspace.” This is my first analysis of what’s been made public. Details are not fully released, but there are some obvious problems, which include: “The quality of the threat analysis will depend on a steady stream of data from […]
If you listen to the security echo chamber, after an embarrassing failure like a data breach, you lose your job, right? Let’s look at Seahawks Coach Pete Carroll, who made what the home town paper called the “Worst Play Call Ever.” With less than a minute to go in the Super Bowl, and the game hanging […]
It didn’t take long for the Seahawk’s game-losing pass to get a label. But as Ed Felten explains, there’s actually some logic to it, and one of his commenters (Chris) points out that Marshawn Lynch scored in only one of his 5 runs from the one yard line this season. So, perhaps in a game […]
Paul Gowder has an interesting post over at Prawfblog, “In Defense of Facebook Copyright Disclaimer Status Updates (!!!).” He presents the facts: …People then decide that, hey, goose, gander, if Facebook can unilaterally change the terms of our agreement by presenting new ones where, theoretically, a user might see them, then a user can unilaterally […]
Lately I’ve noted a lot of people quoted in the media after breaches saying “X was Security 101. I can’t believe they didn’t do X!” For example, “I can’t believe that LinkedIn wasn’t salting passwords! That’s security 101!” Now, I’m unsure if that’s “security 101” or not. I think security 101 for passwords is “don’t […]
I’m having a problem where the “key identifier” displayed on my ios device does not match the key fingerprint on my server. In particular, I run: % openssl x509 -in keyfile.pem -fingerprint -sha1 and I get a 20 byte hash. I also have a 20 byte hash in my phone, but it is not that […]
Looking for something festive, holiday-like and chaotic for the blog, I came across color-changing cats. The history of color-changing cats is a fascinating one, involving Carl Sagan and accurate predictions of unfathomable chaos over the next ten thousand years. Because while we don’t know what life will be like that far in the future, consider […]
Today’s “the future is cool” entry is the cliffs of insanity: Actually, I’m lying to you, they’re the Cliffs of Comet Churyumov–Gerasimenko, as photographed by the Rosetta spacecraft. I just think it’s cool how similar they look, and how the physical processes which created the Cliffs of Moher may also have been at work on a […]
When you were growing up, 2014 was the future. And it’s become cliche to bemoan that we don’t have the flying cars we were promised, but did get early delivery on a dystopian surveillance state. So living here in the future, I just wanted to point out how cool it is that you can detect […]
When people don’t take their drugs as prescribed, it’s for very human reasons. Typically they can’t tolerate the side effects, the cost is too high, they don’t perceive any benefit, or they’re just too much hassle. Put these very human (and very subjective) reasons together, and they create a problem that medicine refers to as […]
Listening to the radio, there was a discussion of how the folks at NBC were worried that people were going to “hatewatch” their new version of Peter Pan. Hatewatch. Like it’s a word. It’s fascinating. They discussed how people wanted to watch it to tweet cynically at its expense. The builder/breaker split isn’t just present […]
At BruCon 0x06, I was awoken from a nap to the sound of cannons, and looked out my window to see soldiers marching through the streets. It turns out they were celebrating the 200th anniversary of the Treaty of Ghent. As I’m sure you’ll recall from history class Wikipedia, the Treaty of Ghent ended the […]
I’ve been threat modeling for a long time, and at Microsoft, had the lovely opportunity to put some rigor into not only threat modeling, but into threat modeling in a consistent, predictable, repeatable way. Because I did that work at Microsoft, sometimes people question how it would work for a startup, and I want to […]
Simson Garfinkel and Heather Lipford’s Usable Security: History, Themes, and Challenges should be on the shelf of anyone who is developing software that asks people to make decisions about computer security. We have to ask people to make decisions because they have information that the computer doesn’t. My favorite example is the Windows “new network” […]
For many years, I have been saying that “think like an attacker” is bad advice for most people. For example: Here’s what’s wrong with think like an attacker: most people have no clue how to do it. They don’t know what matters to an attacker. They don’t know how an attacker spends their day. They […]
There are a number of reports out recently, breathlessly presenting their analysis of one threatening group of baddies or another. You should look at the reports for facts you can use to assess your systems, such as filenames, hashes and IP addresses. Most readers should, at most, skim their analysis of the perpetrators. Read on […]
This is a lovely little story about pay phones on Whidbey Island. Warning: those who spent too much time with phone systems in their youth may feel inexplicable nostalgia.
Bruce Schneier says nice things about my latest book.
There’s a recurring theme in data breach stories: The risks were clear to computer experts inside $organization: The organization, they warned for years, might be easy prey for hackers. But despite alarms as far back as 2008, $organization was slow to raise its defenses, according to former employees. The particular quote is from “Ex-Employees Say […]
I am super-pleased to report that Threat Modeling: Designing for Security has been named a Jolt Finalist, the first security-centered book to make that list since Schneier’s Secrets and Lies in 2001. My thanks to the judges, most especially to Gastón Hillar for the constructive criticism that “Unluckily, the author has chosen to focus on […]
All through the week of BSides/BlackHat/Defcon, people came up to me to tell me that they enjoyed my BSides Las Vegas talk. (Slides, video). It got some press coverage, including an article by Jon Evans of TechCrunch, “Notes From Crazytown, Day One: The Business Of Fear.” Mr. Evans raises an interesting point: “the computer security […]
There’s been a lot said in security circles about a talk on Tor being pulled from Blackhat. (Tor’s comments are also worth noting.) While that story is interesting, I think the bigger story is the lack of infrastructure for disclosure coordination. Coordinating information about vulnerabilities is a socially important function. Coordination makes it possible for […]
July 20, 1969. I’ve blogged about it before. There are people who can write eloquently about events of such significance. I am not one of them. I hope that doesn’t stand in the way of folks remembering the amazing accomplishment that the Apollo program was.
Gabrielle Gianelli has pulled back the curtain on how Etsy threat modeled a new marketing campaign. (“Threat Modeling for Marketing Campaigns.”) I’m really happy to see this post, and the approach that they’ve taken: First, we wanted to make our program sustainable through proactive defenses. When we designed the program we tried to bake in […]
The mail system I’ve been using for the last 19 years is experiencing what one might call an accumulation of chaos, and so I’m migrating to a new domain, shostack.org. You can email me at my firstname@shostack.org, and my web site is now at http://adam.shostack.org I am sorry for any inconvenience this may cause. [Update: […]
Stefan Larson talks about “What doctors can learn from each other:” Different hospitals produce different results on different procedures. Only, patients don’t know that data, making choosing a surgeon a high-stakes guessing game. Stefan Larsson looks at what happens when doctors measure and share their outcomes on hip replacement surgery, for example, to see which […]
For Star Wars day, I’m happy to share this event poster for my talk at Ada’s Books in Seattle Technical Presentation: Adam Shostack shares Threat Modeling Lessons with Star Wars. This will be a less technical talk with plenty of discussion and interactivity, drawing on some of the content from “Security Lessons from Star Wars,” […]
I’m planning to be on the East Coast from June 16-27, giving threat modeling book talks. (My very popular “Threat Modeling Lessons from Star Wars.”) I’m reaching out to find venues which would like me to come by and speak. My plan is to arrive in Washington DC on the 16th, and end in Boston, […]
Today, most presentations on threat modeling talk about each phase of the process. They talk about how to model what you’re building, what can go wrong, and what to do about it. Those tightly coupled processes can be great if you’ve never heard of an approach to threat modeling. But they can add to the […]
It has to be said that no one in the Princess Bride is great at threat modeling. But one scene in particular stands out. It’s while they’re planning to attack the castle and rescue Buttercup: Westley: I mean, if we only had a wheelbarrow, that would be something. Inigo: Where did we put that […]
I’m getting ready to announce an East coast book tour. In planning my Silicon Valley tour, I learned that between scheduling, getting the details needed out, making sure I knew where I was sleeping, there was a large amount of administrative work involved. So I’d like to hire someone to take care of all that […]
George Hulme interviewed me for Devops.com, and the article is at “Q&A: Speaking DevOps and Threat Modeling.” It’s obvious that devops is an important trend, and it’s important to understand how to align threat modeling to that world.
A couple of reviewers have commented that they have a different perspective on assets. For example, in a review I very much appreciated, Gunnar Peterson says: I have a slightly different perspective on Shostack’s view on assets. The book goes into different views that launch the threat model, the approach advocated for in the book is […]
Via Poynter, we learn that the word “massive” has been banned on Gawker. We want to sound like regular adult human beings, not Buzzfeed writers or Reddit commenters,” new Gawker Editor Max Read says in a memo to the publication’s writers. Words like “epic,” “pwn” and “derp” are no longer welcome on the site. Read […]
“Please note that your password will be stored in clear text in our database which will allow us to send it back to you in case you lost it. Try avoid using the same password as accounts you may have in other systems.” — a security conference’s speaker website This is a silly pattern. At […]
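The alternative to the pattern quoted above, as an added example that is not part of the original post: store only a salted, iterated hash, verify by recomputing it, and send a one-time reset token instead of the password. The record format, the PBKDF2 parameters and the iteration count are assumptions chosen for this illustration, not figures from the post.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Illustrative parameters (assumptions for this example, not from the post).
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt_hex$hash_hex'.

    Nothing in the record lets the site recover the password, so the
    "stored in clear text so we can send it back" pattern is not possible.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # per-user random salt from the OS CSPRNG
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown record format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(digest.hex(), hash_hex)


def reset_token() -> str:
    """What a 'lost password' flow sends instead of the password: an unguessable,
    single-use token the server stores (hashed) with a short expiry."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong", rec))  # False
```

Two users who pick the same password get different records because the salt is random per user, which also defeats precomputed tables.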
One of the most effective ways to improve your software is to use it early and often. This used to be called eating your own dogfood, which is far more evocative than the alternatives. The key is that you use the software you’re building. If it doesn’t taste good to you, it’s probably not customer-ready. […]
One very important question that’s frequently asked is “what about threat modeling for operations?” I wanted to ensure that Threat Modeling: Designing for Security focused on both development and operations. To do that, I got help from Russ McRee. For those who don’t know Russ, he’s a SANS incident handler as well as a colleague […]
When Wiley asked me about a technical editor for Threat Modeling: Designing for Security, I had a long list of requirements. I wanted someone who could consider the various scenarios where threat modeling is important, including software development and operations. I wanted someone who understood the topic deeply, and had the experience of teaching threat […]
I am super-excited to announce that my new book, Threat Modeling: Designing for Security (Wiley, 2014) is now available wherever fine books are sold! The official description: If you’re a software developer, systems manager, or security professional, this book will show you how to use threat modeling in the security development lifecycle and the overall […]
I fell victim to an interesting attack, which I am recounting here so that others may avoid it. In a nutshell, I fell victim to a trojan, which the malefactor was able to place in a trusted location in my search path. A wrapper obscured the malicious payload. Additionally, a second line of defense did […]
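A check for the class of problem described above (a trojan dropped into a directory on your search path, hiding behind a wrapper with a familiar name), as an added example that is not code from the post. The PATH strings and the `writable` / `exists` predicates are injectable so the checks run offline on constructed input; by default they consult the real filesystem.

```python
import os
import stat
from typing import Callable, List, Tuple


def _world_writable(path: str) -> bool:
    """True if 'others' can write to the directory (anyone could plant a binary)."""
    try:
        return bool(os.stat(path).st_mode & stat.S_IWOTH)
    except FileNotFoundError:
        return False


def _has_executable(directory: str, name: str) -> bool:
    return os.access(os.path.join(directory, name), os.X_OK)


def audit_path(path_value: str,
               writable: Callable[[str], bool] = _world_writable) -> List[Tuple[str, str]]:
    """Return (entry, problem) pairs for risky search-path entries:
    the current directory ('' or '.'), relative entries, duplicates, and
    world-writable directories where anyone can drop an 'ls' wrapper."""
    findings = []
    seen = set()
    for entry in path_value.split(os.pathsep):
        if entry in ("", "."):
            findings.append((entry, "current directory is on the search path"))
            continue
        if not os.path.isabs(entry):
            findings.append((entry, "relative entry resolves differently per working directory"))
            continue
        if entry in seen:
            findings.append((entry, "duplicate entry"))
            continue
        seen.add(entry)
        if writable(entry):
            findings.append((entry, "world-writable directory on the search path"))
    return findings


def find_command(path_value: str, name: str,
                 exists: Callable[[str, str], bool] = _has_executable) -> List[str]:
    """Every search-path location holding an executable called `name`, in the
    order the shell would try them. More than one hit means the first one wins
    and the later (usually the real) binary is shadowed."""
    return [os.path.join(d, name)
            for d in path_value.split(os.pathsep)
            if d and exists(d, name)]


if __name__ == "__main__":
    current = os.environ.get("PATH", "")
    for entry, problem in audit_path(current):
        print(f"{problem}: {entry!r}")
    for cmd in ("ls", "sudo", "ssh", "git"):
        hits = find_command(current, cmd)
        if len(hits) > 1:
            print(f"{cmd} is shadowed: {hits}")
```

Running it as a script audits your own PATH; the functions are what you would wire into a login-time check or an endpoint baseline.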
There’s an absolutely fascinating interview with Adam Back: “Let’s Talk Bitcoin Adam Back interview.” For those of you who don’t know Adam, he created Hashcash, which is at the core of Bitcoin proof of work. Two elements I’d like to call attention to in particular are: First, there’s an interesting contrast between Adam’s opinions and […]
Yesterday, I announced that I’ve set up a mailing list. You may have noticed an unusual feature to the announcement: a public commitment to it being low volume, with a defined penalty ($1,000 to charity) for each time I break the rule. You might even be wondering why I did that. In the New School, […]
I’m getting ready to announce a new project that I’ve been working on for quite a while. As I get ready, I was talking to friends in PR and marketing, and they were shocked and appalled that I don’t have a mailing list. It was a little like telling people in security that you […]
Alan Shimmy has the nominations for the 2014 Social Security bloggers award! New School has been nominated for most entertaining, while Emergent Chaos has been nominated for best representing the security industry and the hall of fame. Now, I have no idea what it means that Emergent Chaos would represent the security industry. I’m hopeful […]
I’d like to nominate Xfinity’s “walled garden” for the worst user experience in computer security. For those not familiar, Xfinity has a “feature” called “Constant Guard” in which they monitor your internet for (I believe) DNS and IP connections for known botnet command and control services. When they think you have a bot, you see […]
The 13th annual Workshop on the Economic of Information Security will be held at Penn State June 23-24, and the call for papers is now open. I’m on the program committee this year, and am looking forward to great submissions.
Rich Mogul over at Securosis (N.B. I’m a contributing analyst there) has a great post on how, due to human error, some of his AWS credentials got nabbed by some miscreants and abused. We here at the New School love it when folks share how they were compromised and what they did about it. It […]
I blogged yesterday about all the new works that have entered the public domain as their copyright expired in the United States. If you missed it, that’s because exactly nothing entered the public domain yesterday. Read more — but only commentary, because there’s no newly free work — at “What Could Have Entered the Public […]
In light of recent news, such as “FreeBSD washing Intel-chip randomness” and “alleged NSA-RSA scheming,” what advice should we give engineers who want to use randomness in their designs? My advice for software engineers building things used to be to rely on the OS to get it right. That defers the problem to a small […]
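To make the “rely on the OS” advice concrete, an added example (not from the post) contrasting a token drawn from a clock-seeded user-space PRNG with one drawn from the OS CSPRNG via `secrets`. The timestamp and the one-hour search window are constructed for the illustration.

```python
import random
import secrets
from typing import Optional


def weak_token(seed: int) -> str:
    """A 128-bit token from Python's Mersenne Twister seeded with `seed`.
    Every output is a deterministic function of the seed, so a seed taken from
    the clock (a common mistake) leaves the token guessable."""
    return f"{random.Random(seed).getrandbits(128):032x}"


def strong_token() -> str:
    """A 128-bit token from the OS CSPRNG (secrets reads os.urandom/getrandom)."""
    return secrets.token_hex(16)


def recover_seed(token: str, approx_time: int, window: int = 3600) -> Optional[int]:
    """Attacker's side: if the seed was a Unix timestamp within `window` seconds of
    approx_time, enumerate the candidates until one reproduces the token. Knowing
    the seed also yields every other value that generator has produced."""
    for seed in range(approx_time - window, approx_time + window + 1):
        if weak_token(seed) == token:
            return seed
    return None


if __name__ == "__main__":
    issued_at = 1_700_000_000  # constructed timestamp for the example
    token = weak_token(issued_at)
    print("weak token recovered from seed:", recover_seed(token, issued_at + 120))
    print("strong token, seed search fails:", recover_seed(strong_token(), issued_at))
```

The same reasoning applies to salts, session IDs and nonces: anything an attacker must not predict should come from the OS generator, and the application should not try to seed or stretch it itself.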
The Gavle Goat has burned again, according to The Local.Se, and of course, its Twitter account (yet one more way in which real name policies inhibit natural behavior). Two quick comments. First, the goat survived longer this year than usual. Second, I think it illustrates something. I’m not sure what. But my yule would be […]
There’s a new study on what people would pay for privacy in apps. As reported by Techflash: A study by two University of Colorado Boulder economists, Scott Savage and Donald Waldman, found the average user would pay varying amounts for different kinds of privacy: $4.05 to conceal contact lists, $2.28 to keep their browser history […]
Emergent Chaos has migrated. It’s a long story, and perhaps better left untold. Please let us know if you see issues with the new site.
Recently the kind folks at No Starch Press sent me a review copy of Rich Bejtlich’s newest book The Practice of Network Security Monitoring and I can’t recommend it enough. It is well worth reading from a theory perspective, but where it really shines is digging into the nuts and bolts of building an NSM […]
Over at the BBC, we read that the “home of Anakin Skywalker threatened by dune,” with awesome pictures: So my question is, what will archaeologists think in 1,000 years when they dig this up? How many careers will be wasted trying to link the bizarre architecture to some real culture? How many anthropologists will be […]
At Light Blue Touchpaper, Ross Anderson says “We have a vacancy for a postdoc to work on the psychology of cybercrime and deception for two years from October.” I think this role has all sorts of fascinating potential, and wanted to help get the word out in my own small way.
Can we just agree that “which” and “that” are pretty much interchangeable? If you’re relying on a modern audience to be able to perceive the difference in meaning between restrictive and non-restrictive clauses, you’ve pretty much already lost. Which, as they say, makes a mockery of that rule. Alternately, “That, as they say, makes a […]
I just re-read “A few words on Doug Engelbart.” If you’ve been reading the news lately, you’ve probably seen a headline like “Douglas C. Engelbart, Inventor of the Computer Mouse, Dies at 88,” or seen him referred to as the fellow who gave the “mother of all demos.” But as Bret Victor points out, to […]
I have to start off by apologizing for how very late this review is; an embarrassingly long time ago, the kind folks at No Starch Press very kindly gave me a copy of “Super Scratch Programming Adventure” to review. Scratch, for those that aren’t familiar, is a kids oriented programming language designed by Mitchel Resnick […]
Remarkably, some software that people host on your behalf, where you have no contract or just a contract of adhesion, can change at any time. This isn’t surprising to those who study economics, as all good New School readers try to do. However, this is a reminder/request that when you move, please resubscribe to New […]
Well, the world is full of chaos, some good and some bad, and today’s bad for those of you reading via Google Reader is that it’s going the way of Altavista (can you believe it was still around?) So as you migrate away, please consider including Emergent Chaos in your migration–we’ll have new content here […]
Please let us know if you see anything strange
I’ve updated to the latest WordPress for security fixes. Please let me know if you notice problems (blogname-at-gmail-com)
The program for the 2013 Privacy Enhancing Technologies Symposium is up, and there’s a lot of fascinating looking papers and talks. If you’re interested, registration is also open. PETS is one of my favorite conferences of the year.
So Flickr has launched a new redesign, and it’s crowded, jumbled and slow. Now on Flickr with its overlays, its fade-ins and loads, its unmoving side and top bars, Flickr’s design takes center stage, elbowing aside the photos that I’m there to see. So I’m looking for a new community site where the photo I […]
The next Workshop on the Economics of Information Security will be held June 11-12 at Georgetown University, Washington, D.C. Many of the papers look fascinating, including “On the Viability of Using Liability to Incentivise Internet Security”, “A Behavioral Investigation of the FlipIt Game”, and “Are They Actually Any Different? Comparing 3,422 Financial Institutions’ Privacy Practices.” […]
Cem Paya has a really thought-provoking set of blog posts on “TrustZone, TEE and the delusion of security indicators” (part 1, part 2). Cem makes the point that all the crypto and execution protection magic that ARM is building is limited by the question of what the human holding the phone thinks is going on. […]
So there’s a working set of plans for the “Liberator.” It’s a working firearm you can print on a 3d printer. You can no longer get the files from the authors, whose site states: “DEFCAD files are being removed from public access at the request of the US Department of Defense Trade Controls. Until further […]
There’s an important and interesting new breach disclosure that came out yesterday. It demonstrates leadership by clearly explaining what happened and offering up lessons learned. In particular: It shows the actual phishing emails It talks about how the attackers persisted their takeover by sending a fake “reset your password” email (more on this below) It […]
To celebrate Star Wars Day, I want to talk about the central information security failure that drives Episode IV: the theft of the plans. First, we’re talking about really persistent threats. Not like this persistence, but the “many Bothans died to bring us this information” sort of persistence. Until members of Comment Crew are going […]
The Plateau Effect is a powerful law of nature that affects everyone. Learn to identify plateaus and break through any stagnancy in your life— from diet and exercise, to work, to relationships. The Plateau Effect shows how athletes, scientists, therapists, companies, and musicians around the world are learning to break through their plateaus—to turn off […]
It’s common to hear that Facebook use means that privacy is over, or no longer matters. I think that perception is deeply wrong. It’s based in the superficial notion that people making different or perhaps surprising privacy tradeoffs are never aware of what they’re doing, or that they have no regrets. Some recent stories that […]
An amazing shot by Philipp Schmidli of a cyclist in front of the moon. PetaPixel explains the work involved in getting that shot in “Silhouettes in a Giant Moonrise, Captured Using a 1200mm Lens.” (Thanks to Bob Blakely). Also in the realm of impressive tool use is this: Orangutan from Borneo photographed using a spear […]
As I think more about the way people are likely to use a password manager, I think there’s real problems with the way master passwords are set up. As I write this, I’m deeply aware that I’m risking going into a space of “it’s logical that” without proper evidence. Let’s start from the way most […]
We’ve been hearing for several years that we should assume breach. Many people have taken this to heart (although today’s DBIR still says it’s still months to detect those breaches). I’d like to propose (predict?) that breach as a central concept will move through phases. Each of these phases will go through a hype cycle, […]
Following up on my post on exploit kit statistics (no data? really folks?), I wanted to share a bit of a head-shaker for a Friday with way too much serious stuff going on. Sometimes, researchers obscure all the information, such as this screenshot. I have no idea who these folks think they’re protecting by destroying […]
The folks at Hashcat have some interesting observations about 1Password. The folks at 1Password have a response, and I think there’s all sorts of fascinating lessons here. The crypto conversations are interesting, but at the end of the day, a lot of security is unavoidably contributed by the master password strength. I’d like to offer […]
On a fairly regular basis, I come across pages like this one from SANS, which contain fascinating information taken from exploit kit control panels: There’s all sorts of interesting numbers in that picture. For example, the success rate for owning XP machines (19.61%) is three times that of Windows 7. (As an aside, the XP […]
Thanks to Addison Wesley, who are offering 40% off the book. Apply code NEWSCHOOL40 to get your discounted copy. (You apply the code after proceeding to checkout.)
As it happens, both the US Government and the UK government are leading “cyber security standards framework” initiatives right now. The US is using a consensus process to “incorporate existing consensus-based standards to the fullest extent possible”, including “cybersecurity standards, guidelines, frameworks, and best practices” and “conformity assessment programs”. In contrast, the UK is asking […]
Five years ago Friday was the official publication date of The New School of Information Security. I want to take this opportunity to look back a little and look forward to the next few years. Five years ago, fear of a breach and its consequences was nearly universal, and few people thought anything but pain […]
Apparently, Playboy (possibly NSFW) has an app on iTunes. However, to get an app through the censors prudes “appropriate content” editors, there’s none of Playboy’s trademark nudes. There hasn’t been such good news for their writers since the braille edition. I’ll leave the jokes to you. It’s worth thinking about this as the sanitized future […]
According to Wired, “Army Practices Poor Data Hygiene on Its New Smartphones, Tablets.” And I think that’s awesome. No, really, not the ironic sort of awesome, but the awesome sort of awesome, because what the Army is doing is a large scale natural experiment in “does it matter?” Over the next n months, the Pentagon’s […]
(Posted for friends) AdaCamp is a conference dedicated to increasing women’s participation in open technology and culture: open source software, Wikipedia-related projects, open data, open geo, fan fiction, remix culture, and more. The conference will be held June 8 and 9th in San Francisco. There will be two tracks at the conference: one for people […]
Hacking humans is an important step in today’s exploitation chains. From “2011 Recruitment plan.xls” to instant messenger URL delivery at the start of Aurora, the human in the loop is being exploited just as much as the machine. In fact, with the right story, you might not even need an exploit at all. So I’m […]
While everyone else is talking about APT, I want to talk about risk thinking versus outcome thinking. I have a lot of colleagues who I respect who like to think about risk in some fascinating ways. For example, there’s the Risk Hose and SIRA folks. I’m inspired by To Encourage Biking, Cities Lose the Helmets: […]
So I was listening to the Shmoocon presentation on information sharing, and there was a great deal of discussion of how sharing too much information could reveal to an attacker that they’d been detected. I’ve discussed this problem a bit in “The High Price of the Silence of Cyberwar,” but wanted to talk more about […]
This week I have experienced an echo of this pattern at the 2013 WEF meeting. But this time my unease does not revolve around any financial threats, but another issue – cyber security. … [The] crucial point is this: even if some companies are on top of the issue, others are not, and without more […]
Here’s a Friday Star Wars video for you. As Austin Hill tweeted, “Conspiracy revealed! 7 min video that will change the way you think about one of the important events of our lifetime”
It would not be surprising if an article like “Firefox Cookie-Block Is The First Step Toward A Better Tomorrow” was written by a privacy advocate. And it may well have been. But this privacy advocate is also a former chairman of the Internet Advertising Bureau. (For their current position, see “Randall Rothenberg’s Statement Opposing Mozilla’s […]
One big problem with existing methods for estimating breach impact is the lack of credibility and reliability of the evidence behind the numbers. This is especially true if the breach is recent or if most of the information is not available publicly. What if we had solid evidence to use in breach impact estimation? This […]
Adam just posted a question about CEO “willingness to pay” (WTP) to avoid bad publicity regarding a breach event. As it happens, we just submitted a paper to Workshop on the Economics of Information Security (WEIS) that proposes a breach impact estimation method that might apply to Adam’s question. We use the WTP approach in a […]
We all know how companies don’t want to be named after a breach. Here’s a random question: how much is that worth to a CEO? What would a given organization be willing to pay to keep its name out of the press? (A-priori, with at best a prediction of how the press will react.) Please […]
The Lunar Orbiter Image Recovery Project needs help to recover data from the Lunar Orbiter spacecraft. Frankly, it’s a bit of a disgrace that Congress funds, well, all sorts of things, over this element of our history, but that’s besides the point. Do I want to get angry, or do I want to see this […]
Allan Calhamer, the inventor of the game Diplomacy, has passed away. The NYTimes has an obituary.
…the new points system rates the driver’s ability to pilot the MINI with a sporty yet steady hand. Praise is given to particularly sprightly sprints, precise gear changes, controlled braking, smooth cornering and U-turns executed at well-judged speeds. For example, the system awards maximum Experience Points for upshifts carried out within the ideal rev range […]
The Security Bloggers Awards were this week at RSA! Congratulations to Naked Security (best corporate blog), Paul DotCom (best podcast), Krebs on Security (Most educational, best represents the security industry), J4VV4D’s blog (most entertaining), Andy Greenberg’s “Meet The Hackers Who Sell Spies The Tools To Crack Your PC (And Get Paid Six-Figure Fees)” and Jack […]
You are invited to submit nominations to the 2013 PET Award. The PET Award is presented annually to researchers who have made an outstanding contribution to the theory, design, implementation, or deployment of privacy enhancing technology. It is awarded at the annual Privacy Enhancing Technologies Symposium (PETS). The PET Award carries a prize of 3000 […]
So this week is RSA, and I wanted to offer up some advice on how to engage. I’ve already posted my “BlackHat Best Practices/Survival kit.” First, if you want to ask great questions, pay attention. There are things more annoying than a question that was answered while the questioner was tweeting, but you still don’t […]
The New York Times has a “Room for Debate” on “Should Companies Tell Us When They Get Hacked?” It currently has 4 entries, 3 of which are dramatically in favor of more disclosure. I’m personally fond of Lee Tien’s “We Need Better Notification Laws.” My personal preference is of course (ahem) fascinating to you, […]
Law firm Proskauer has published a client alert that “HHS Issues HIPAA/HITECH Omnibus Final Rule Ushering in Significant Changes to Existing Regulations.” Most interesting to me was the breach notice section: Section 13402 of the HITECH Act requires covered entities to provide notification to affected individuals and to the Secretary of HHS following the discovery […]
We were hacked again. The vuln used was 0day, and has now been patched, thanks to David Mortman and Matt Johansen, and the theme has also been updated, thanks to Rodrigo Galindez. Since we believe in practicing the transparency we preach, I wanted to discuss what happened and some options we considered. Let me dispense […]
I came across a fascinating post at Jon Udell’s blog, “Homicide rates in context ,” which starts out with this graph of 2007 data: Jon’s post says more than I care to on this subject right now, and points out questions worth asking. As I said in my post on “Thoughts on the Tragedies of […]
Facebook’s new Graph search is a fascinating product, and I want to use it. (In fact, I wanted to use it way back when I wrote about “Single Serving Friend” in 2005.) Facebook’s Graph Search will incent Facebook users to “dress” themselves in better meta-data, so as to be properly represented in all those new […]
There’s good analysis at “HHS breach investigations badly backlogged, leaving us in the dark” To say that I am frequently frustrated by HHS’s “breach tool” would be an understatement. Their reporting form and coding often makes it impossible to know – simply by looking at their entries – what type of breach occurred. Consider this […]
So there’s a New York Times front page story on how “Hackers in China Attacked The Times for Last 4 Months.” I just listened to the NPR story with Nicole Perlroth, who closed out saying: “Of course, no company wants to come forward and voluntarily say `hey we were hacked by China, here’s how it […]
Bob Rudis has a fascinating and important post “Once More Into The [PRC Aggregated] Breaches.” In it, he delves into the various data sources that the Privacy Rights Clearinghouse is tracking. In doing so, he makes a strong case that data source matters, or as Obi-Wan said, “Luke, you’re going to find that many of […]
It’s Data Privacy Day, and there may be a profusion of platitudes. But I think what we need on data privacy day are more tools to let people take control of their privacy. One way to do that is to check your privacy settings. Of course, the way settings are arranged changes over time, and […]
It is a truism that the Star Wars prequels sucked. (Elsewhere, I’ve commented that the franchise being sold to Disney means someone can finally tell the tragic story of Anakin Skywalker’s seduction by the dark side.) But the issue of exactly why they sucked is complex and layered, and most of us prefer not to […]
In my post on gun control and schools, I asserted that “I worry that reducing privacy around mental health care is going to deter people who need health care from getting it.” However, I didn’t offer up any evidence for that claim. So I’d like to follow up with some details from a report that […]
There’s a fascinating article on PropertyCasualty360 “ As Cyber Coverage Soars, Opportunity Clicks” (thanks to Jake Kouns and Chris Walsh for the pointer). I don’t have a huge amount to add, but wanted to draw attention to some excerpts that drew my attention: Parisi observes that pricing has also become more consistent over the past […]
I started this post on December 14th, and couldn’t finish it. I’m going to leave the opening as I wrote it then: By now, everyone has heard of the tragic school shooting in Connecticut. My heart goes out to everyone touched by the events. But this isn’t the first school shooting on a December 14th. […]
The Phoenix Project is an important new novel, and it’s worth reading if you work in technology. As I read it, I was awfully uncomfortable with one of the characters, John. John is the information security officer in the company, and, to be frank, John does not come off well at the start of the […]
[This guest article is by thegruq. I’ve taken the liberty of HTML-ifying it from his original, http://pastie.org/5673568.] On Disclosure of Intrusion Events in a Cyberwar The Nation State’s guide to STFU In a cyberwar (such as the ongoing events on the Internet), all actors are motivated to remain silent about incidents that they detect. However, […]
There’s a giant rubber duck in Sydney Harbor right now: It’s apparently by Florentijn Hofman, who does this sort of thing. My only other comment? Seattle, you’re doing it wrong. Where’s our rubber duckie? Via “Sydney Festival Launches Giant Rubber Duck in the Harbor“, Pedestrian TV. (I believe there’s a typo, and the duck is […]
A little ways back, I was arguing [discussing cyberwar] with thegrugq, who said “[Cyberwar] by its very nature is defined by acts of espionage, where all sides are motivated to keep incidents secret.” I don’t agree that all sides are obviously motivated to keep incidents secret, and I think that it’s worth asking, is there […]
Absolute zero is often thought to be the coldest temperature possible. But now researchers show they can achieve even lower temperatures for a strange realm of “negative temperatures.” Oddly, another way to look at these negative temperatures is to consider them hotter than infinity, researchers added. (“Atoms Reach Record Temperature, Colder than Absolute Zero“, Charles […]
I was pretty excited to see this: An EU official said the aim of the report was to get companies to be more open about cyber attacks and help them fend off such disruption. “We want to change the culture around cyber security from one where people are sometimes afraid or ashamed to admit a […]
What more do you want on a Friday? Ok, here’s details.
In the holiday spirit I wanted to share an academic-style paper on the Elevation of Privilege Threat Modeling card game (EoP_Whitepaper.pdf) The paper describes the motivation, experience and lessons learned in creating the game. As we’ve shared the game at conferences, we’ve seen people’s eyes light up at the idea of a game. We think […]
Earlier this month, I spoke with Derek Slater: In early 2008, Adam Shostack and Andrew Stewart released the book The New School of Information Security. And they launched a blog in support of the book and its message. I wondered about how Shostack perceives the state of IT risk management now, and whether he thinks […]
The Gävle goat has burned: webcam images showed how the goat quickly caught fire all over and was completely destroyed before the fire brigade arrived. Or you can check the webcam: http://www.merjuligavle.se/Bocken/Bockenkamera/
There’s a fascinating set of claims in Foreign Affairs’ “The Fog of Cyberwar”: Our research shows that although warnings about cyberwarfare have become more severe, the actual magnitude and pace of attacks do not match popular perception. Only 20 of 124 active rivals — defined as the most conflict-prone pairs of states in the system […]
As I’ve read Kahneman’s “Thinking, Fast and Slow,” I’ve been thinking a lot about “what you see is all there is” and the difference between someone’s state of mind when they’re trying to decide on an action, and once they’ve selected and are executing a plan. I think that as you’re trying to figure out […]
My friend Raquell Holmes is doing some really interesting work at using improv to unlock creativity. There’s some really interesting ties between the use of games and the use of improv to get people to approach problems in a new light, and I’m bummed that I won’t be able to make this event: Monday Dec […]
Apparently Twitter sent me some credits to use in their advertising program. Now, I really don’t like Twitter’s promoted tweets — I’d prefer to be the customer rather than the product. (That is, I’d like to be able to give Twitter money for an ad-free experience.) At the same time, I’m curious to see how […]
There was a story recently on NPR about kitchen waste, “No Simple Recipe For Weighing Food Waste At Mario Batali’s Lupa.” Now, normally, you’d think that a story on kitchen waste has nothing to do with information security, and you’d be right. But as I half listened to the story, I realized that it in […]
Hoff’s blog post “Why Amazon Web Services (AWS) Is the Best Thing To Happen To Security & Why I Desperately Want It To Succeed” is great on a whole bunch of levels. If you haven’t read it, go do that. The first thing I appreciated is that he directly confronts the possibility of his own […]
The Telegraph reports that the Gavle Goat for 2012 is up, and surrounded by guards, cameras, flame retardants, and arsonists. Emergent Chaos has reporters on the ground internet, ready to report on this holiday story of a town, a goat, and an international conspiracy of drunken arsonists. Stay tuned! This year’s goat is shown in […]
It’s easy to feel sympathy for the many folks impacted by the hacking of South Carolina’s Department of Revenue. With 3.6 million taxpayer social security numbers stolen, those people are the biggest victims, and I’ll come back to them. It’s also easy to feel sympathy for the folks in IT and IT management, all the […]
Amazon now has copies of Control Alt Hack, the card game that I helped Tammy Denning and Yoshi Kohno create. Complimentary copies for academics and those who won copies at Blackhat are en route. From the website: Control-Alt-Hack™ is a tabletop card game about white hat hacking, based on game mechanics by gaming powerhouse Steve […]
My buddy Curt Hopkins is writing about the Petraeus case, and asked: I wonder, in addition to ‘it’s safe if it’s in the draft folder,’ how many additional technically- and legally-useless bits of sympathetic magic that people regularly use in the belief that it will save them from intrusion or discovery, either based on the […]
So there’s a pair of stories on choosing good passwords on the New York Times. The first is (as I write this) the most emailed story on the site, “How to Devise Passwords That Drive Hackers Away.” It quotes both Paul Kocher and Jeremiah Grossman, both of whom I respect. There’s also a follow-on story, […]
Several commenters on my post yesterday have put forth some form of the argument that hackers are humans, humans are unpredictable, and therefore, information security cannot have a Nate Silver. This is a distraction, as a moment’s reflection will show. Muggings, rapes and murders all depend on the actions of unpredictable humans, and we can, […]
So by now everyone knows that Nate Silver predicted 50 out of 50 states in the 2012 election. Michael Cosentino has a great picture: Actually, he was one of many quants who predicted what was going to happen via meta-analysis of the data that was available. So here’s my question. Who’s making testable predictions of […]
Many times when computers are compromised, the compromise is stealthy. Take a moment to compare that to being attacked by a lion. There, the failure to notice the lion is right there, in your face. Assuming you survive, you’re going to relive that experience, and think about what you can learn from it. But in […]
I’m having a camera issue that’s become more and more noticeable with recent software changes. The raw previews coming out of the camera appear substantially more exposed than when Aperture is finished processing them. The difference is hard to measure (there’s no easy undo for raw processing), but appears to be about a full stop […]
Over the summer, Adam and I were talking and I said that I’d like a place to do some personal blogging as opposed to things I normally do, which are targeted at one place or another. I’d like to be able to blither about security, but also about whatever. Photography, cooking, you know, things that […]
There’s a story over at Bloomberg, “Experian Customers Unsafe as Hackers Steal Credit Report Data.” And much as I enjoy picking on the credit reporting agencies, what I really want to talk about is how the story came to light. The cyberthieves broke into an employee’s computer in September 2011 and stole the password for […]
Sebastian Deterding’s Microsoft research talk is now online: “9.5 Theses on the Power and Efficacy of Gamification”. You may recall that this talk inspired me to blog about “Running a game at work.” It’s worth an hour if you’re interested in serious games, persuasive games, or playful design.
Ben Goldacre talks about how physicians are only getting data on tests that come out positive: I look forward to the day when infosec standards are set based on some tests or evidence, and we have to fight to extract more data. The talk is here.
Not too long ago, I blogged about “Compliance Lessons from Lance.” And now, there seems to be dramatic evidence of a massive program to fool the compliance system. For example: Team doctors would “provide false declarations of medical need” to use cortisone, a steroid. When Armstrong had a positive corticosteroid test during the 1999 Tour […]
It’s often said that the TSA’s approach to threat modeling is to just prevent yesterday’s threats. Well, on Friday it came out that: So, here you see my flight information for my United flight from PHX to EWR. It is my understanding that this is similar to digital boarding passes issued by all U.S. Airlines; […]
Something about this story just grabs me. I want to hear him saying “I am the dread pirate Roberts! I am here, but soon you will not be here!” Also, I’m sad that he wasn’t in Galve-ston. Photo by GreyChr
There’s a really interesting article by Toby Stevens at Computer Weekly, “Proof of age comes of age:” It’s therefore been fascinating to be part of a new initiative that seeks to address proof of age using a Privacy by Design approach to biometric technologies. Touch2id is an anonymous proof of age system that uses fingerprint […]
Friday, I had the pleasure of seeing Sebastian Deterding speak on ‘9.5 Theses About Gamification.’ I don’t want to blog his entire talk, but one of his theses relates to “playful reframing”, and I think it says a lot to how to run a game at work, or a game tournament at a conference. In […]
There is, yet again, someone in the news talking about a cyber Pearl Harbor. I wanted to offer a few points of perspective. First, on December 6th, 1941, the United States was at peace. There were worries about the future, but no belief that a major attack was imminent, and certainly not a sneak attack. […]
In “New System for Patients to Report Medical Mistakes” the New York Times reports: The Obama administration wants consumers to report medical mistakes and unsafe practices by doctors, hospitals, pharmacists and others who provide treatment. Hospitals say they are receptive to the idea, despite concerns about malpractice liability and possible financial penalties for poor performance. […]
Stamford Police said Jevene Wright, 29, created a fictitious company called “Choice Point Screening” and submitted false invoices for background checks that were submitted to Noble Americas Corporation, an energy retailer firm located in Stamford. (Patrick Barnard, “The Stamford (CT) Patch“) I don’t want to minimize the issue here. Assuming the allegations are correct, the […]
Growing up, we were told by guidance counselors, career advice books, the news media and others to “follow our passion.” This advice assumes that we all have a pre-existing passion waiting to be discovered. If we have the courage to discover this calling and to match it to our livelihood, the thinking goes, we’ll end […]
There’s a fascinating interview with Mark Templeton of Citrix in the New York Times. It closes with the question of advice he gives to business students: There are two strategies for your life and career. One is paint-by-numbers and the other is connect-the-dots. I think most people remember their aunt who brought them a gift […]
I got an email recently asking if I had experience running an Elevation of Privilege tournament. I haven’t, and wanted to ask if anyone out there has done so; please share your experiences and suggestions. One element that I thought about is a scoring system to help with the tournament’s goals. For example, you […]
In Star Wars, the Empire is presented as a monolith. Storm Troopers, TIE Fighters and even Star Destroyers are supposedly just indistinguishable cogs in a massive military machine, single-mindedly pursuing a common goal. This is, of course, a façade – like all humans, the soldiers and Officers of the Imperial Military will each have their […]
At SOURCE Seattle, I had the pleasure of seeing Jeff Lowder and Patrick Florer present on “The Base Rate Fallacy.” The talk was excellent, lining up the idea of the base rate fallacy, how and why it matters to infosec. What really struck me about this talk was that about a week before, I had […]
So as Facebook continues to trade at a little over half of their market capitalization of 3 months ago, I think we can learn a few very interesting things. My goal here is not to pick on Facebook, but rather to see what we can take away and perhaps apply elsewhere. I think there are […]
I was struck by the lead of Kelly Jackson Higgins’ article on the Defcon Social Engineering Contest: Walmart was the toughest nut to crack in last year’s social engineering competition at the DefCon hacker conference in Las Vegas, but what a difference a year makes: this year, the mega retailer scored the worst among the […]
Recently, Lance Armstrong decided to forgo arbitration in his fight against the USADA over allegations of his use of certain performance enhancing drugs. His statement is “Full text of Armstrong statement regarding USADA arbitration.” What I found interesting about the story is the contrast between what might be termed a “compliance” mindset and a “you’re […]
I’ll be at SOURCE Seattle this week. I’m really excited to be speaking on “Security Lessons from Star Wars” at 10AM today.
I’d meant to post this at BlackHat. I think it’s worth sharing, even a bit later on: I’m excited to have been a part of a discussion with others who spoke at the first Blackhat: Bruce Schneier, Marcus Ranum, Jeff Moss, and Jennifer Granick. We’ve been asked to think about what the future holds, and […]
I am the very model of an amateur grammarian I have a little knowledge and I am authoritarian But I make no apology for being doctrinarian We must not plummet to the verbal depths of the barbarian I’d sooner break my heart in two than sunder an infinitive And I’d disown my closest family within […]
If someone could suggest a specific way to make the blog title image work to bring you to the home page, that’d be most appreciated. Update, I think I fixed most of it. Thanks in particular to commenter “M”, who got me on the path to the fix, removing the inline CSS that the theme […]
The blog header image is repeating because of something in the stylesheets. I can’t see where the bug is. If someone can help out, I’d be much obliged. Expanded to add: It appears that there’s a computed “repeat” on the bg img which is the header, but why that repeat is being computed is unclear […]
We here at Emergent Chaos have long been frustrated with the Obama Administration. Their failure to close Guantanamo, their failure to prosecute war crimes including torture, their choice to murder American citizens (never mind without due process), their invocation of the state secrets privilege, their persecution of whistleblowers, their TSA running rampant, the list of […]
I’d like to offer up a thought with regards to the latest swirl of discussion around ‘information sharing’ in security: Don’t share, publish. I want to talk about this because more and more folks are starting to question the value of information sharing frameworks and forums. Andrew and I share that skepticism in The New […]
Neil Armstrong died August 25, aged 82. It’s difficult to properly memorialize this man, because, to a degree almost unheard of in our media-saturated times, he avoided the limelight. A statement by his family notes: As much as Neil cherished his privacy, he always appreciated the expressions of good will from people around the world […]
A friend is trying to track down a science fiction story in which the president had a death sentence at the end of their term. I know you’re all smart and good looking and at least one of you will know the exact author and title.
Over at Lexology.com, there’s a story which starts: Medical-data blackmail is becoming more common as more health care providers adopt electronic health records systems and store patient data digitally. (“Hackers demand ransom to keep medical records private“) The trouble with this opening sentence is that it has nothing to do with the story. It’s a […]
There’s a fascinating story in the New York Times, “Profits on Carbon Credits Drive Output of a Harmful Gas“: [W]here the United Nations envisioned environmental reform, some manufacturers of gases used in air-conditioning and refrigeration saw a lucrative business opportunity. They quickly figured out that they could earn one carbon credit by eliminating one ton […]
There’s a very cool story on NPR about “A New Species Discovered … On Flickr“. An entomologist was looking at some photos, and saw a bug he’d never seen. Check out the photographer’s site or Flickr pages. The paper is “A charismatic new species of green lacewing discovered in Malaysia (Neuroptera, Chrysopidae): the confluence of […]
Oh, what the heck, it hasn’t been chaotic enough around here. So, I’ll give you a topic: Paul Ryan. Commentary from The Economist starts: IN THE polarised world of American politics, achieving bipartisan agreement on any topic is a rare feat nowadays. So perhaps it’s worth celebrating the fact that, had it been put to […]
National Geographic reports “Caffeinated Seas Found off U.S. Pacific Northwest.” The problem, of course, is salinity. They should totally be pumping that caffeine into somewhere we can make good use of it.
I’m a big fan of learning from our experiences around breaches. Claims like “your stock will fall”, or “your customers will flee” are shown to be false by statistical analysis, and I expect we’d see the same if we looked at people losing their jobs over breaches. (We could do this, for example, via LinkedIn […]
Someone reached out to me about a job that looks really interesting: The Director of Security Experience, Education & Research (SEER) will be responsible for defining the customer-facing security strategy for PayPal, define product roadmaps to enhance feature security and usability, drive customer security best practices adoption throughout our industry, and drive customer security […]
Lately I’ve been savoring Kahneman’s “Thinking, Fast and Slow”. Kahneman is one of the originators of behavioral economics and a Nobel prize winner. The book is tremendously thought provoking, insanely well written, jargon-minimizing, and just comes together beautifully. It’s a book where you struggle with the ideas and their implications, rather than struggle through the […]
I’ll be speaking twice at BlackHat. First on the “Smashing the Future” panel with Bruce Schneier, Marcus Ranum, Jeff Moss and Jennifer Granick (10AM Wednesday, main hall). My second talk is also on Wednesday, on a new game, Control-Alt-Hack. I’ve been helping Tamara Denning and Yoshi Kohno create Control-Alt-Hack, and we’ll be speaking Wednesday at […]
Yesterday, Dave Aitel wrote a fascinating article “Why you shouldn’t train employees for security awareness,” arguing that money spent on training employees about awareness is wasted. While I don’t agree with everything he wrote, I submit that your opinion on this (and mine) are irrelevant. The key question is “Is money spent on security awareness […]
Around the 4th of July, some smart, public minded folks put forth a “Declaration of Internet Freedom“. And while it’s good in a motherhood and apple pie sense of good, wholesome fun for the whole family, it lacks the punch and panache of the Declaration of Independence to which men pledged their lives, fortunes and […]
So following up on our tradition of posting the Declaration of Independence from Great Britain on the 4th, I wanted to use one of those facts submitted to a candid world to comment on goings on in…Great Britain. There, the government has decided to place anti-aircraft missiles on the roof of a residential building near […]
A little while back, a colleague at the NSA reached out to me for an article for their “Next Wave” journal, with a special topic of the science of information security. I’m pleased with the way the article and the entire issue came out, and so I’m glad that the NSA has decided to release […]
In CONGRESS, July 4, 1776 The unanimous Declaration of the thirteen united States of America, When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which […]
In an article with absolutely no relevance for Seattle, the New York Times reports “With No Vote, Taxpayers Stuck With Tab on Bonds.” In another story to which Seattle residents should pay no attention, the city of Stockton is voting to declare bankruptcy, after risking taxpayer money on things like a … sports arena. Of […]
Every now and then, a headline helps us see the answer to the question “Will people ever pay for Privacy?” Quoth the Paper of record: The seclusion may be the biggest selling point of the estate belonging to Robert Hurst, a former executive at Goldman Sachs, which was just listed by Debbie Loeffler of the […]
CNET ran a truly ridiculous article last week titled “Flame can sabotage computers by deleting files, says Symantec”. And if that’s not goofy enough, the post opens with The virus can not only steal data but disrupt computers by removing critical files, says a Symantec researcher. ZOMG! A virus that deletes files! Now that is […]
Over at the Proskauer blog, Cecile Martin writes “Is data breach notification compulsory under French law?” On May 28th, the Commission nationale de l’informatique et des libertés (“CNIL”), the French authority responsible for data privacy, published guidance on breach notification law affecting electronic communications service providers. The guidance was issued with reference to European Directive […]
Over the last few days, there’s been a lot of folks in my twitter feed talking about “active defense.” Since I can’t compress this into 140 characters, I wanted to comment quickly: show me the money. And if you can’t show me the money, show me the data. First, I’m unsure what’s actually meant by […]
I’ve observed a phenomenon in computer security: when you want something to be easy, it’s hard, and when you want the same thing to be hard, it’s easy. For example, hard drives fail at seemingly random, and it’s hard to recover data. When you want to destroy the data, it’s surprisingly hard. I call this […]
The Future of Privacy Forum (FPF) is an interesting mix of folks trying to help shape, well, the future of privacy. They have an interesting mix of academic and industry support, and a fair amount of influence. They’re inviting authors with an interest in privacy issues to submit papers to be considered for FPF’s third […]
Did you notice exactly how much of my post on Cloudflare was confirmation bias? Here, let me walk you through it. In our continuing series of disclosure doesn’t hurt, Continuing series are always dangerous, doubly so on blogs. I wanted to point out Cloudflare’s “Post Mortem: Today’s Attack; Apparent Google Apps/Gmail Vulnerability; and How to […]
The fine folks at Mozilla have announced that they’ll be hosting a BBQ in Dallas to thank all their supporters. And the cool thing about that BBQ is it’s gonna be vegan by default. You know, vegan. No animal products. It’s good for you. It’s the right default. They’ll have dead cow burgers, but you’ll […]
On Twitter, Phil Venables said “More new school thinking from the Feynman archives. Listen to this while thinking of InfoSec.” During the Middle Ages there were all kinds of crazy ideas, such as that a piece of rhinoceros horn would increase potency. Then a method was discovered for separating the ideas–which was to try one […]
RT @DeathStarPR Easy way to feel like Darth Vader: stand over a heap of dirty laundry and imagine you've just killed a Jedi. #StarWars # RT @runasand We have managed to determine exactly how Ethiopia blocks #Tor and we have developed a workaround: https://t.co/snTjeVbN # RT @derekcslater What I learned when I left security http://t.co/AexcK8NN […]
RT @hellNbak_ @adamshostack @derekcslater anything with Scott Blake has to be worth reading. # RT @Beaker Updated BYOD security profile/policy pushed to my iPhone this morning. String passwords on phone unlock (really?) = PiTA. # Bad password policies give no benefit while absorbing your people's willingness to help with security. #Fail (cc @beaker) # RT […]
Maybe we could just edit attorneys’ memories of copyright laws?
In our continuing series of disclosure doesn’t hurt, I wanted to point out Cloudflare’s “Post Mortem: Today’s Attack; Apparent Google Apps/Gmail Vulnerability; and How to Protect Yourself.” Go take a look, it’s worth reading, especially the updates. I take three lessons from this: Disclosing an attack allows you to control the story, and is better […]
Cool Stuff RT @SPACEdotcom SPLASHDOWN! @SpaceX #Dragon Space Capsule Ends Historic Mission with Pacific Ocean Splash http://t.co/3H3J1cXz Cool! IE10 in Win8 Release Preview has "Do Not Track" on by default! http://t.co/HHZv8cBw #privacy # RT @gabrielgironda WE ENCOURAGED PEOPLE TO LEARN TO PROGRAM AND JUST LOOK AT WHAT HAPPENED http://t.co/IE9HeNt3 # New blog: "Washington State Frees […]
I hate to let an increase in liberty go by without a little celebration. For the past 78 years, Washington State has had a set of (effectively) state-operated liquor stores, with identical pricing and inventory. Today, that system is gone, replaced by private liquor sales. The law was overturned by a ballot initiative, heavily backed […]
Congratulations to the Egyptian people for claiming the right to vote for their President! # The ACLU of WA is looking for a technology & liberty director http://t.co/sUAFuDq7 # Things that should not surprise me: Koalas smell like eucalyptus. #
RT @votescannell Mother of 3 Arrested for Taking Pictures of Tourist Attraction at Airport http://t.co/Id8TKH9r // I feel safer already. # Freedom gropes for all @seatac! /cc @tsastatus. # RT @ashk4n WiFi Pineapple lets anyone with $90 to "compromise the sh*t out of anyone using WiFi in the area" http://t.co/TnR3n56k #armsrace # Great question for […]
At AusCert, I had the privilege to share the gala dinner stage with LaserMan and Axis of Awesome, and talk about a few security lessons from Star Wars. I forgot to mention onstage that I’ve actually illustrated all eight of the Saltzer and Schroeder principles, and collected them up as a single page. That […]
RT @Ellen_CK It appears that putting a contest in one's internal newsletter leads to people actually reading it #SEingmycoworkers # RT @bfist I like my risk like I like my steak << with blue cheese sauce? # RT @451wendy "Q: How many of the Fortune 500 are hacked right now? A: 500." http://t.co/I090fJmp <- Lovely […]
Bob Rudis has a nice post up “Off By One : The Importance Of Fact Checking Breach Reports,” in which he points out some apparent errors in the Massachusetts 2011 breach report, and also provides some graphs. Issues like this are why it’s important to release data. It enables independent error checking, but also allows […]
Former TSA Administrator Kip Hawley was on NPR a few minutes ago, opining on the 2nd panty bomber. He said two remarkable things. First, that the operators of nudatrons, who see thousands of naked people per day, would notice the bomb. Second, he didn’t understand why Al Qaeda would continue to focus on underwear bombs. […]
RT @netik You program in Rails? Check out Brakeman from our security team & make your code safer. http://t.co/nFPQ3cxx (go @presidentbeef!) # RT @KimZetter Equipment Maker Caught Installing Backdoor Vows to Fix After Public Pressure – http://t.co/EZfe7s27 # Pro tip: "Blackhat talks get lots of publicity" is not a reason *your* submission will make a […]
That’s my takeaway from a new study of 2,000 households by Consumer Reports: There are more than 150 million Americans using Facebook at this point, and that number is growing. … a new exhaustive study from Consumer Reports on social networking privacy found that 13 million American Facebook users have never touched their privacy settings. […]
Jan-Tilo Kirchhoff asked on Twitter for a printer (ideally in Germany) to print up some Elevation of Privilege card sets. Deb Richardson then suggested Kickstarter. I wanted to comment, but this doesn’t fit in a tweet, so I’ll do it here. I would be totally excited for someone to Kickstarter production of Elevation of Privilege. […]
So it’s cool that this “S.M.A.R.T” stuff tells the computer when the hard drive is failing. The next step in user interface is to take the message out of /Applications/Utilities/Disk Utility and into an interruptive UI, so that I don’t discover this problem when I happen to get an extra drive for backup. I know […]
So the announcement for Toorcamp is out, and it looks like an exciting few days. A few talks already announced look very new school, including “How you can be an ally to us females” by Danielle Hulton and Leigh Honeywell, and “Cognitive Psychology for Hackers.” It’s in the far northwestern corner of the US, and […]
I’m concerned about issues of research being locked behind paywalls. The core of my reason is that research builds on other research, and wide availability helps science move forward. There’s also an issue that a great deal of science is funded by taxpayers, who are prevented from seeing their work. One of the organizations which […]
RT @calyxinstitute We've reached over $50,000 in donations and are 44 donors shy of breaking 1,000! Help us keep the momentum going. # RT @deviantollam "It's a sad day in America when you're driving down the road one of these pulls up next to you: http://t.co/1Ksxn5ja " # RT @markrussinovich Debunking of exaggerated cybercrime stats […]
Hey! Jam Jarr has a new album and its free today. They asked for a Facebook link, and since I can’t do that, I figured a blog was in the right spirit. So go check it out: Jam Jarr: Suck My Underground. It’s free. Why not take a listen? PS: When I say free, I […]
You probably know Dennis Fisher because of his writings on Threatpost or his Digital Underground podcast, where I’ve appeared several times. I wanted to help him spread the news that his first novel “Motherless Children” is now available. You should check it out. I’ll get my review done shortly, but I wanted to help spread […]
So there’s a new startup in town, The Calyx Institute, which is raising money to create a privacy-protecting ISP and phone company. I think that’s cool, and have kicked in a little cash, and I wanted to offer up some perspective on the market for privacy, having tried to do this before. From 1999 until […]
RT @bruces http://t.co/7BfPuW40 *TSA really keen on putting the electronics border-crunch on dissidents << Worse, add http://t.co/3qTkucub # RT @justintroutman @csoghoian If there's one thing that will identify the right privacy expert, it's the urinalysis and one-year probation. # I bet Facebook is going to start auto-sepia toning everyone's pictures as they age. # New […]
First, congratulations to the folks at Instagram, who built something that was so valuable to Facebook and managed to get a great exit. Me, I suspect that Facebook did it so they can gradually sepia-tone all your photos, but that’s not important right now. I was struck by the nature of this article by the […]
I’ve never been a fan of checklists. Too often, checklists replace thinking and consideration. In the book, Andrew and I wrote: CardSystems had the required security certification, but its security was compromised, so where did things go wrong? Frameworks such as PCI are built around checklists. Checklists compress complex issues into a list of simple […]
Things I said: Google continues to hobble their services, push accounts/wallet names, now w/ Scholar http://t.co/IIQ7xk15 (cc @rileycrane @tgoetz @skud) # In other words, why not create timelines for every scholar who's published? That would be organizing the worlds info & making it useful. # You need a Google account to get that citation history, […]
On the off chance that you’ve been hiding under a rock, there’s been a stack of news stories about organizations (both private and governmental) demanding people’s Facebook passwords as part of the process of applying for jobs, with much associated hand-wringing. In “I hereby Resign“, Raganwald discusses the downside to employers of demanding to look […]
In a widely discussed op-ed, Richard Clarke wrote: It’s not hard to imagine what happens when an American company pays for research and a Chinese firm gets the results free; it destroys our competitive edge. Shawn Henry, who retired last Friday as the executive assistant director of the F.B.I. (and its lead agent on cybercrime), […]
Back in October, I posted on “Maria Klawe on increasing Women in Technology.” Now the New York Times has a story, “Giving Women The Access Code:” “Most of the female students were unwilling to go on in computer science because of the stereotypes they had grown up with,” said Zachary Dodds, a computer scientist at […]
That’s what I said: Photographers should check out these awesome lens physics simulations from Stanford http://t.co/hlNrqQT3 # Good article by @elinormills "Why data breach isn't a dirty word anymore" http://t.co/JXtTOTbT # New blog with a TED talk, "Doctors Make Mistakes, can we talk about that?" http://t.co/c00zcvMr # .@RSAConference can we go so far as "highly […]
From “Warned of an Attack on the Internet, and Getting Ready”
Congratulations to Visa and Mastercard, the latest companies to not notify consumers in a prompt and clear manner, thus inspiring a shrug and a sigh from consumers. No, wait, there isn’t a clear statement, but there is rampant speculation and breathless commentary. It’s always nice to see clear reminders that the way to get people […]
Photographers should check out Flash applets on some technical aspects of photography at Stanford. The apps help you understand things like “Variables that Affect Exposure” (the aperture/time/ISO tradeoffs) as well as how lenses work, create depth of field, or how a telephoto lens bends the light. Very cool.
That’s the title of this TED Talk, “Doctors Make Mistakes. Can we talk about that?” When was the last time you heard somebody talk about failure after failure after failure? Oh yeah, you go to a cocktail party and you might hear about some other doctor, but you’re not going to hear somebody talking about […]
I’m continuing to tweak in the hopes of balancing useful & overwhelming. This week I’m not only cutting down the chaos a bit, but adding the emergent categories. Also, my tweets precede the Re-Tweets. Comments welcome. Where can I send people new to infosec for security mentoring, confident that they'll get broad, data-centered advice? (#newschool) […]
BSides LV 2012 tickets sold out in under 30 hours last week. I have acquired five tickets to give away. More details later, but the tickets will go to the person or people who have the best story of how they applied the principles of the New School in a real life situation. Start planning […]
In ““Secure Password Managers” and “Military-Grade Encryption” on Smartphones: Oh, Really?” Andrey Belenko and Dmitry Sklyarov write quite a bit about a lot of password management tools. This is admirable work, and I’m glad BlackHat provided a forum for it. However, as a user of 1Password, I was concerned to read the following about that […]
RT @curphey amazing how many serial entrepreneurs, visionaries & thought leaders in security are wanting to contract @ $75/hour # MT @GammaCounter Chinese spies impersonated US Navy admiral on Facebook, friended NATO officials: http://t.co/FFnpdJ9p via @adam_orbit # I really want @robinsage to RT this: Chinese spies impersonated US Navy admiral on Facebook, friended NATO officials: […]
At BSides San Francisco, I met David Sparks, whose blog post on 25 security professionals admit their mistakes I commented on here. And in the department of putting my money where my mouth is, I talked him through the story on camera. The video is here: “Security Guru Tells Tale of How His Blog Became […]
I really like what Adrian Lane had to say about the cars at RSA: I know several other bloggers have mentioned the exotic cars this year in vendor booths on the conference floor. What’s the connection with security? Nothing. Absolutely nothing. But they sure pulled in the crowds. Cars and booth babes with matching attire. […]
This Week in Law is a fascinating podcast on technology law issues, although I’m way behind on listening. Recently, I was listening to Episode #124, and they had a discussion of Kind of Bloop, “An 8-Bit Tribute to Miles Davis’ Kind of Blue.” There was a lawsuit against artist Andy Baio, which he discusses in […]
Photo: "Barcelino Per Donna Welcomes RSA Conference 2012" somehow I perceive a mismatch http://t.co/qlKZIdId # RT @mikko Sony said that they lost Michael Jackson's entire unreleased back catalog in one of the 2011 breaches: http://t.co/KeYM9VyD # I sorta like this print, but I'm not sure I'd pay $12 Trillion for it. http://t.co/dzW8iEEl # RT @normative […]
Ivan Szekely writes in email: A team of young researchers – my colleagues – at the Budapest University of Technology and Economics developed a cross-browser fingerprinting system in order to demonstrate the weaknesses of the most popular browsers. Taking Panopticlick’s idea as a starting point, they developed a new, browser-independent fingerprinting algorithm and started to […]
See more at How anyone can get anything past the TSA’s Nude body Scanners.
Last week at RSA, I was talking to some folks who have reasons to deeply understand a big and publicly discussed breach. I asked them why we didn’t know more about the breach, given that they’d been fairly publicly named and shamed. The story seems to be that after the initial (legal-department-driven) clampdown on talking, […]
Someone respected wrote on a private mailing list: “If you spend more on coffee than on IT security, then you will be hacked. What’s more, you deserve to be hacked.” — Richard Clarke, keynote address, RSA 2002 To which, verily I say: Doom! Doom! You commit the sin of false comparison! You have angered Furlongeous, […]
RT @tedfrank If you're having trouble getting Sudafed, here's how to make it with more readily available crystal meth. http://t.co/THaQZzov # RT @digiphile "Privacy breaches keep getting worse. Facebook admits reading txt msgs of users who installed phone app" http://t.co/v8CMM222 # RT @threatpost #Microsoft partners w/ Good Technology to bring encrypted email to Windows Phone. […]
Our sincere congratulations to all the winners of the Social Security Blogger awards.
So it’s early Sunday AM, and I’m getting my RSA Schedule together finally. So here’s what I’m looking forward to this week, leave us stuff in the comments if you’ve identified other cool stuff: =============== Monday: 8 freaking AM – I’m talking with Rich Mogull of @securosis about Risk Management. Fun! Monday is also Metricon, […]
RT @internetlibre Twitter Censors Accounts Unfavorable To Nicolas Sarkozy http://t.co/wMGMuifY #netfreedom #internetlibre #sarkoCensure # RT @Dakami Pretty cool: @joncallas looked at all public keys signed by Entrust; none of them had reused RSA primes http://t.co/8JOsYQ9e # New blog: "It's a Lie: Seattle Taxpayers Will Pay for a Stadium" http://t.co/tkg3JxZi (cc @seattletimes) # Help Find the […]
Tripwire’s blog has “25 Infosec Gurus Admit to their Mistakes…and What They Learned from Them.” I’m glad to see attention paid to the simple reality that we all make mistakes. Extra points to Bill Brenner, Pete Lindstrom, Andrew Hay, Chris Wysopal, Rob Ton and Larry Ponemon for being willing to talk about mistakes that had […]
I’ve noticed a couple of times lately that as people discuss talking about security incidents, they don’t only default to the idea of anonymization, they often insert an “of course” after it. But today I want to talk about the phrase “anonymized, of course”, what it means, why people might say it, and how members […]
The family of Ulf Möller are asking for help in finding the people who murdered him, and asking for help spreading the word: They have a web site with details in English, German, Polish and Lithuanian: The two men are described as slim, both about 1.75 m to 1.80 m tall, between 20 and 30 […]
The Seattle Times carries a press release: “Arena plan as solid as it looks?” The intricate plan offered for an NBA and NHL arena in Sodo hinges on the untested strategy of building a city-owned, self-supporting arena, without the aid of new taxes, and with team owners — not taxpayers — obligated to absorb any […]
RT @csoghoian If Path-like apps that pilfered user contact data suffered a data breach, existing laws wouldn't require disclosure to users. # New quickie blog: Bismark's Voice http://t.co/zk01Biec # RT @paulmadsen Sharingfreude, n. – pleasure derived from inadvertent sharing of personal information on social media by friends & colleagues # .@dakami @jeremiahg @tqbf see also […]
A lot of people I trust are suggesting that the “Collins-Lieberman” bill has a substantial chance of passing. I have some really interesting (and time-consuming) work tasks right now, and so I’m even more curious than usual what you all think, especially how this According to the press release, the “Collins-Lieberman” bill would: The Department […]
Wh1t3Rabbit has a great post “Understanding the apathetic response to a cyber attack:” Look, Dana’s right. His business is the organizing and promotion of the UFC fights. Secondary to that business is the merchandising and other aspects of the UFC – but that probably is a significantly smaller portion of the overall company revenue. Now […]
Tucked away for decades in a cabinet in Thomas Edison’s laboratory, just behind the cot in which the great inventor napped, a trove of wax cylinder phonograph records has been brought back to life after more than a century of silence. The cylinders, from 1889 and 1890, include the only known recording of the voice […]
RT @tkeanini Overcoming the fear of disclosure http://t.co/DZdkeyNh << TK is spot on. Our fear blocks feedback loops. # MT @qld_oic ..empowering young people to establish good cyber safety behaviour #oicprivacycomp http://t.co/vkr3VZ3A [$1000 prize for video] # RT @mortman Yet More On Threat Modeling: A Mini-Rant http://t.co/ZPxVa9HE cc @adamshostack @alexhutton #newschool # RT @securityskeptic @mortman […]
A while back, Kai Roer graciously sent me an electronic copy of the book Cloud Security Rules that he co-authored with an all-star cast including luminaries Wendy Nather and our very own New School’s Alex Hutton. All in all, it’s a solid read covering the gamut of topics from Risk and Compliance to technology versus […]
Apparently, the project manager who found a vendor for the Vermont State Police car decals failed to consider a few things. Such as the risk that prisoners might want to have a little fun at the expense of the police. You can see the fun if you study the image carefully here, or in a […]
Mr. Tripathi went to work assembling a crisis team of lawyers and customers and a chief security officer. They hired a private investigator to scour local pawnshops and Craigslist for the stolen laptop. The biggest headache, he says, was deciphering how much about the breach his nonprofit needed to disclose…Mr. Tripathi said he quickly discovered […]
Yesterday Adam responded to Alex’s question on what people thought about IanG’s claim that threat modeling fails in practice and I wanted to reiterate what I said on twitter about it: It’s a tool! No one claimed it was a silver bullet! Threat modeling is yet another input into an over all risk analysis. And […]
Alex recently asked for thoughts on Ian Grigg’s “Why Threat Modeling Fails in Practice.” I’m having trouble responding to Ian, and have come to think that how Ian frames the problem is part of my problem in responding to him. So, as another Adam likes to say, “
RT @Entropologist Passwords should be a mix of letters, numbers, special characters and longer than 8 characters… like "' or 1=1;–" # RT @ioerror Researchers taking a stand against Elsevier: http://t.co/TMZqj2E9 # RT @ashk4n Even experts are having a hard time differentiating between android malware & mobile ads these days http://t.co/t5qAQANP # Tinker, Tailor is […]
On their blog, Verisign made the following statement, which I’ll quote in full: As disclosed in an SEC filing in October 2011, parts of Verisign’s non-production corporate network were penetrated. After a thorough analysis of the attacks, Verisign stated in 2011, and reaffirms, that we do not believe that the operational integrity of the Domain […]
Found on that other bastion of privacy .
Would be interested in readers thoughts on Ian G’s post here: https://financialcryptography.com/mt/archives/001357.html
Calling something in the cloud a DMZ is just weird. Realistically, everything is a DMZ. After all, you are sharing data center space, and if your provider is using virtualization, hardware with all of their other customers. As such, each and every network segment you have is (or should be) isolated and have only a […]
Yesterday, Dan Kaminsky said “There should be a yearly award for Best Security Data, for the best collection and disbursement of hard data and cogent analysis in infosec.” I think it’s a fascinating idea, but think that a yearly award may be premature. However, what I think is sorta irrelevant, absent data. So I’m looking […]
There were a couple of excellent posts about Google+ which I wanted to link in, but the post took a different path: “Google+ and The Trouble With Tribbles” The trouble with social is that it is social – with all the norms, behaviors and expectations that come with that. You cannot re-engineer that overnight (Facebook […]
I wanted to share an article from the November issue of the Public Library of Science, both because it’s interesting reading and because of what it tells us about the state of security research. The paper is “Willingness to Share Research Data Is Related to the Strength of the Evidence and the Quality of Reporting […]
One of the most common bits of feedback about my post “Google+ Failed Because of Real Names” is that Google+ is now a huge service, and that the word failed is an exaggeration, or a trick of the rhetorician. Some folks might advise me to stop digging a hole, put down the shovel and walk […]
I wrote a blog post regarding the BSidesSF/RSA conf dust-up. (If I knew how to work Adam’s twitter integration thingy, you’d have been spared this)
Vincent Brown (@politico_ie) should be given an uninterrupted hour with the ECB execs: https://t.co/SZYOtveo # RT @marciahofmann Supreme Court: government installation & use of a GPS device to monitor a vehicle's movements is a 4th Amendment search. # RT @normative RT @thinkprogress: BREAKING: Rand Paul is being detained by TSA in Nashville (via @moirabagley) < […]
The past 10 years have been the best in the country’s aviation history with 153 fatalities. That’s two deaths for every 100 million passengers on commercial flights, according to an Associated Press analysis of government accident data. The improvement is remarkable. Just a decade earlier, at the time the safest, passengers were 10 times as […]
It’s now been a few months since the launch of Google+, and it’s now fairly clear that it’s not a mortal threat to Facebook, or even Orkut. I think it’s worth thinking a bit about why Google+ isn’t doing better, despite its many advantages. Obviously, Google wants to link Google+ profiles to things in the […]
For @weldpond: Please turn off JavaScript. We don’t require it and it only increases your vulnerability.
You know those random parts of kitchen appliances that break, and the manufacturer is no longer making, and so you buy a new one that breaks after 4 months? Yeah, you know what I’m talking about. Next time, look to Gourmet Depot and see if they have replacement parts. It was easy to find their […]
In the past, we have had some decidedly critical words for the Ponemon Institute reports, such as “A critique of Ponemon Institute methodology for “churn”” or “Another critique of Ponemon’s method for estimating ‘cost of data breach’“. And to be honest, I’d become sufficiently frustrated that I’d focused my time on other things. So I’d […]
What's the best history of @Defcon Capture the Flag? (cc @rileycaezar @thedarktangent ) # RT @thedarktangent What's the best history of #DEFCON Capture the Flag? @adamshostack asks, & we need to update the site. Send your links! # RT @jccannon7 My sci fi book launches today. More info at http://t.co/bVd8mUSg # RT @mortman New posts: […]
(Available here.)
There’s been a lot of noise of late because Oracle just released their latest round of patches and there are a total of 78 of them. There’s no doubt that that is a lot of patches. But in and of itself the number of patches is a terrible metric for how secure a product is. […]
(From The Oatmeal.) It’s widely understood that Seattle needs a better way to measure snowfall. However, what’s lacking is a solid proposal for how to measure snowfall around here. And so I have a proposal. We should create a new unit of measurement: The Nickels. Named after Greg Nickels, who lost the mayorship of Seattle […]
I am saddened to pass on the news that Ulf Müller, a colleague at Zero-Knowledge Systems, has died in tragic and violent circumstances. I remember Ulf as quiet, gentle, kind and am tremendously saddened by his loss. The most recent news story is “Computer-Experte in Transporter erschlagen“. Nils Kammenhuber of the Technical University of Munich […]
I got an email from my friend John Johnson who is doing a survey about metrics. If you have some time, please respond… ———————————————————————————————————————————————— I am seeking feedback from others who may have experience developing and presenting security metrics to various stakeholders at their organization. I have a number of questions I’ve thought of, and […]
From an operations and security perspective, continuous deployment is either the best idea since sliced bread or the worst idea since organic spray pancakes in a can. It’s all a matter of execution. Continuous deployment is the logical extension of the Agile development methodology. Adam recently linked to a study that showed that a 25% […]
Too good not to share (inspired by: Chocolate-Hazelnut Waffles with Frangelico-Brown-Butter Syrup) Ingredients : 6 oz. (1-1/3 cups) fresh ground whole-wheat flour 2 oz. (2/3 cup) natural cocoa powder 1-1/2 tsp. baking powder 1/2 tsp. baking soda 1 tsp. kosher salt 3/4 cup granulated palm sugar 2 large eggs, at room temperature 3 oz. (6 […]
New blog: Shocking News of the Day: Social Security Numbers Suck http://t.co/VuMV3faO # RT @PogoWasRight Does *any* federal govt agency actually respond to FOI requests within 20 days? << Send GAO a FOIA with that question? 🙂 # RT @Digital4rensics On Computer Security Incident Information Sharing: http://t.co/GhGYOOjP – New Post Up! # New worst practice: […]
We’re honored to be nominated in three categories for the Security Bloggers Awards: Most Educational Most Entertaining Hall of Fame On behalf of all of us who blog here, we’re honored by the nomination, and would like to ask for your vote. We’d also like to urge you to vote for our friends at Securosis […]
This is a great video about how much of software engineering runs on folk knowledge about how software is built: “Greg Wilson – What We Actually Know About Software Development, and Why We Believe It’s True” There’s a very strong New School tie here. We need to study what’s being done and how well it […]
Earlier today I noticed something funny. My Google profile picture — the picture associated with my Gmail account, my GChat account, my Google+ account, etc — had vanished. A bug? Nope. It turns out, Google — without telling me — went into my account and deleted my profile picture. See “Dear Google+” for the details […]
Adam Montville left a comment on my post, “Paper: The Security of Password Expiration“, and I wanted to expand on his question: Passwords suck when they’re not properly cared for. We know this. Any other known form of authentication we have is difficult because of the infrastructure required to pull it off. That sucks too. […]
Via Nathan Yau’s awesome Flowing Data blog.
The firm’s annual Banking Identity Safety Scorecard looked at the consumer-security practices of 25 large banks and credit unions. It found that far too many still rely on customers’ Social Security numbers for authentication purposes — for instance, to verify a customer’s identity when he or she wants to speak to a bank representative over […]
RT @RegoftheDay Happy new year! 40,000 new laws take effect starting today. http://t.co/EOVyRya9 # RT @StevenLevy Always suspected those xray "backscatter" machines will kill more of us than terrorists will. Now this. http://t.co/ag2lFWWc # New podcast with @dgwbirch: http://t.co/HKeKOVyW # New short blog: "The irony overfloweth" http://t.co/6VsrF9JO # Wow. The Wikipedia article on Infosec certifications […]
The security of modern password expiration: an algorithmic framework and empirical analysis, by Yinqian Zhang, Fabian Monrose and Michael Reiter. (ACM DOI link) This paper presents the first large-scale study of the success of password expiration in meeting its intended purpose, namely revoking access to an account by an attacker who has captured the account’s […]
Steve Bellovin has a good deal of very useful analysis and context about “an experiment that showed that the avian flu strain A(H5N1) could be changed to permit direct ferret-to-ferret spread. While the problem the government is trying to solve is obvious, it’s far from clear that suppression is the right answer, especially in this […]
I really enjoyed a conversation with Dave Birch for Consult Hyperion’s “Tomorrow’s Transactions” podcast series. The episode is here. We covered the New School, lessons learned from Zero-Knowledge Systems, and games for security and privacy.
@RobArnold tweeted: “Someone thinks targeted Facebook ads are an effective way to ask for Firefox features. Any other Mozillians see this?” The irony of using a targeted ad, on Facebook, to ask for more privacy protection…
RT @timoreilly Amazon patents inferring religion from choice of wrapping paper http://t.co/MmCMx2OO << Over the "creepy" line # RT @kevinmitnick Did you ever want a blue box to make free calls? Now you can in the Apple app store. Search for "blue box". EPIC!!! # I wonder what Woz thinks of being able to get […]
For your holiday amusement: Thanks, Jeff!
Check out this amazing house by Arquitectura Organica:
Weekend NewSchool blog: "APT Didn't Eat our Theme. Adam Did." http://t.co/JDvLTayG (cc @RealGeneKim, @alexhutton ) # Really, TSA? The airline isn't allowed to auto-enter my freakin' date of birth? Has anyone calculated lifetimes wasted on red tape? # RT @BillBrenner70 Stop them before they predict again! http://t.co/7qzuTchU # I predict 90% of 2012 infosec predictions […]
Norm Marks of the famous Marks On Governance blog has posted his 2012 wishlist. His blog limits the characters you can leave in a reply, so I thought I’d post mine here. 1. Norm Wishes for “A globally-accepted organizational governance code, encompassing both risk management and internal control” Norm, if you mean encompassing both so […]
There’s been much talk of predictions lately, for some reason. Since I don’t sell anything, I almost never make them, but I did offer two predictions early in 2010, during the germination phase of a project a colleague was working on. Since these sort of meet Adam’s criteria by having both numbers and dates, I […]
Bill Brenner started it with “Stop them before they predict again!:” My inbox has been getting hammered with 2012 vendor security predictions since Halloween. They all pretty much state the obvious: Mobile malware is gonna be a big deal Social networking will continue to be riddled with security holes Technologies A, B and C will […]
Not my headline, but the New York Times: Beyond the effort was the challenge of getting different families to work together. When matters as personal as education, values and children are at stake, intense emotions are sure to follow, whether the issue is snacks (organic or not?), paint (machine washable?) or what religious holidays, if […]
On Saturday, I discussed how “I bolluxed our blog theme.” “More to the point, we here at the New School talk a good game about how we need to talk about problems, rather than cover them up. So here’s our money where our mouths are. I, Adam Shostack, screwed up the blog presentation by not […]
RT @jeremiahg "HBGary not only didn't lose biz customers in the past year, but "got additional business" -Hoglund http://t.co/ap9pP39F # RT @bobblakley @Judgenap "Timid men prefer the calm of despotism to the tempestuous sea of liberty." Thomas Jefferson # Weekend blog "Threat Modeling & Risk Assessment" follows up on conversation with @451wendy http://t.co/iFCRCJW3 # RT […]
If you read this blog with a web-reader, you’ll note our (ahem) excellent new theme, and may be saying, wow, guys, “nice job” Yeah. Ooops. I upgraded to WordPress 3.3, and upgraded our theme, and in so doing, overwrote some of the CSS that Alex had tweaked. I didn’t test, and so things were wonky. […]
Last week I did a podcast with Dennis Fisher. In it, we touched on what I might change in the book. Take a listen at: “Adam Shostack on Methods of Compromise, the New School and Learning“
Imagine if the US government, with no notice or warning, raided a small but popular magazine’s offices over a Thanksgiving weekend, seized the company’s printing presses, and told the world that the magazine was a criminal enterprise with a giant banner on their building. Then imagine that it never arrested anyone, never let a trial […]
Wendy Nather has continued the twitter conversation which is now a set of blog posts. (My comments are threat modeling and risk assessment, and hers: “That’s not a bug, it’s a creature. “) I think we agree on most things, but I sense a little semantic disconnect in some things that he says: The only […]
I really like Gunnar Peterson’s post on “Top 5 Security Influencers:” It’s December and so it’s the season for lists. Here is my list of Top 5 Security Influencers, this is the list with the people who have the biggest (good and/or bad) influence on your company and user’s security: My list is slightly different: […]
There are semi-regular suggestions to allow people to copyright facts about themselves as a way to fix privacy problems. At Prawfsblog, Brooklyn Law School Associate Professor Derek Bambauer responds in “Copyright and your face.” Key quote: One proposal raised was to provide people with copyright in their faceprints or facial features. This idea has two […]
RT @daveaitel Tests Show Most Store Honey Isn't Honey http://t.co/2oI3O6RK << Will anyone go to jail for fraud? # RT @jdp23 Look at the list of the FTC complaints — huge issues. And basically no consequences to FB. So why should they change? #privchat # RT @threatpost $56 Billion Later and Airport #Security Is Still […]
Yesterday, I got into a bit of a back and forth with Wendy Nather on threat modeling and the role of risk management, and I wanted to respond more fully. So first, what was said: (Wendy) As much as I love Elevation of Privilege, I don’t think any threat modeling is complete without considering probability […]
When the LAPD finally began arresting those of us interlocked around the symbolic tent, we were all ordered by the LAPD to unlink from each other (in order to facilitate the arrests). Each seated, nonviolent protester beside me who refused to cooperate by unlinking his arms had the following done to him: an LAPD officer […]
From Keith Weinbaum, Director of Information Security of Quicken Loans Inc. https://www.quickenloanscareers.com/web/ApplyNow.aspx?ReqID=53545 From the job posting: WARNING: If you believe in implementing security only for the sake of security or only for the sake of checking a box, then this is not the job for you. ALSO, if your primary method of justifying security solutions […]
It turns out that it’s very hard to subscribe to many podcasts without talking to Podtrac.com servers. (Technical details in the full post, below.) So I took a look at their privacy statement: Podtrac provides free services to podcasters whereby Podtrac gathers data specific to individual podcasts (e.g. audience survey data, content ratings, measurement data, […]
from Biostatistics Ryan Gosling Including my favorite: Thanks to my friend Bob Rudis for the headsup.
New School blog "'Its Time to Learn Like Experts' by @jayjacobs" http://t.co/lnXTqyp8 # RT @dmolnar Help me shop for furniture http://t.co/rXxLrB4O # RT @moxie__ WhisperSystems has been acquired! http://t.co/M5i1g6D0 < Congratulations! I hope it leads to great things for Twitter privacy # RT @tsastatus A few new features, and a bunch of status updates, at […]
It’s a bit of a Christmas tradition here at Emergent Chaos to keep you informed about the Gävle Goat. Ok, technically, our traditions seem hit and miss, but whaddaya want from a site with Chaos in the name? You want precision, read a project management blog. Project management blogs probably set calendar reminders to kick […]
My colleague Ross Smith has just presented an important new paper, “The Future of Work is Play” at the IEEE International Games Innovation Conference. There’s a couple of very useful lessons in this paper. One is the title, and the mega-trends driving games into the workplace. Another is Ross’s lessons of when games work: Over […]
Over at the Office of Inadequate Security, Dissent says everything you need to know about a new report from the UK’s Big Brother Watch: Extrapolating from what we have seen in this country, what the ICO learns about is clearly only the tip of the iceberg there. I view the numbers in the BBW report […]
This looks like it has the potential to be a very interesting event: The University of Miami School of Law seeks submissions for “We Robot” – an inaugural conference on legal and policy issues relating to robotics to be held in Coral Gables, Florida on April 21 & 22, 2012. We invite contributions by academics, […]
Three stories, related by the telephone, and their impact on privacy: CNN reports that your cell phone is being tracked in malls: Starting on Black Friday and running through New Year’s Day, two U.S. malls — Promenade Temecula in southern California and Short Pump Town Center in Richmond, Va. — will track guests’ movements by […]
I want to call attention to a new, important and short article by Jay Jacobs. This article is a call to action to break the reliance on unvalidated expert opinions by raising awareness of our decision environment and the development of context-specific feedback loops. Everyone in the New School is a fan of feedback loops […]
MT @attractr Bejtlich: SEC Guidance Emphasizes Materiality for disclosing sec incidents: "new audience: shareholders" http://t.co/mlMts2Wd # RT @doctorow Just got to Occupy New School http://t.co/VjfVhFcN << I think Cory means something other than I would mean by this statement 🙂 # NYTimes reports man bites dog, I mean "Screening Still a Pain at Airports, Fliers […]
Two changes here at Emergent Chaos this weekend: first, a new, variable width theme which is a little tighter, so there’s more on a screen. Second, I’ve moved the twitter summary to weekly, as comments were running about 50-50 on the post asking for opinion. I think that may be a better balance. And a […]
In possibly the worst article on risk assessment I’ve seen in a while, David Lacey of Computerworld gives us the “Six Myth’s Of Risk Assessment.” This article is so patently bad, so heinously wrong, that it stuck in my craw enough to write this blog post. So let’s discuss why Mr. Lacey has no clue […]
Let me start with an extended quote from “Why I Feel Bad for the Pepper-Spraying Policeman, Lt. John Pike“: They are described in one July 2011 paper by sociologist Patrick Gillham called, “Securitizing America.” During the 1960s, police used what was called “escalated force” to stop protesters. “Police sought to maintain law and order often […]
RT @marciahofmann Carrier IQ backpedals on bogus legal threat, apologizes to security researcher. http://t.co/yY5o6JJk < Nice work Marcia! # Powered by Twitter Tools
RT @risktical #riskhose podcast, Episode 14 http://t.co/5hF9YKlZ @adamshostack & 'feedback loops' – great content! @jayjacobs @alexhutton # New "blog" points to Risk Hose podcast #14 with me, @alexhutton, @risktical @jayjacobs http://t.co/8zaBLD8x # RT @CYBERLAWRADIO About to go live on CLBR with CMU Proff @lorrietweet on Why Johnny Can't Opt Out – on webmasterradio.fm # RT […]
I’m on episode 14 of the Risk Hose podcast, with co-blogger Alex. Chris, Jay and Alex are joined by Adam Shostack and we dig into the topic of feedback loops within Information Security. You should check it out! Episode 14: Feedback Loops
NYTimes reports man bites dog, I mean "Screening Still a Pain at Airports, Fliers Say" http://t.co/vlPAH1n0 # New School blog post, "AT&T Hack Attempt" I'm looking for polling software http://t.co/d4YooBv9 # I missed a great opportunity in a recent podcast to say "controls implemented in a way that makes both auditors & attackers happy" # […]
First, good on AT&T for telling people that there’s been an attempt to hack their account. (My copy of the letter that was sent is after the break.) I’m curious what we can learn by discussing the attack. An AT&T spokesperson told Fox News that “Fewer than 1 percent of customers were targeted.” I’m currently […]
RT @doctorow Just got to Occupy New School http://t.co/VjfVhFcN << I think Cory means something other than I would mean by this statement 🙂
MT @attractr Bejtlich: SEC Guidance Emphasizes Materiality for disclosing sec incidents: "new audience: shareholders" http://t.co/mlMts2Wd
New School blog post "Privacy is Security, Part LXII: The Steakhouse" http://t.co/cEjWix7N # MT @_nomap More on [obvious] Saudi airport fingerprint fail. It was mostly immigrant workers stranded for 12 hours. http://t.co/g3ih69Sk # MT @dgwbirch Heard on BBC that poor people use cash, end up paying up to £185 per annum more for utilities << […]
But in the last year and a half, at least 50 diners at restaurants like the Capital Grille, Smith & Wollensky, JoJo and Wolfgang’s Steakhouse ended up paying for more than just a fine piece of meat. Their card information — and, in effect, their identities [sic] — had been stolen by waiters in a […]
RT @alexhutton @adamshostack @bobblakley @threatpost I thought blogging was dead? << apparently! # RT @dostlund: NYPD has sidewalk checkpoints requiring ID to pass down Broadway. Iranian-born co-worker said "they used to do that in Tehran" # New Blog: Emergent Chaos endorses @wimremes for ISC(2) Board http://t.co/oAWTljcC # This post by Steve Bellovin reminded me of […]
Wade Baker has a quick response to my “Thoughts on the 2011 DBIR and APT,” including the data that I was unable to extract. Thanks!
Today, we are sticking our noses in a place about which we know fairly little: the ISC(2) elections. We’re endorsing a guy we don’t know, Wim Remes, to shake stuff up. Because, really, we ought to care about the biggest and oldest certification in security, but hey, we don’t. And really, that’s a bit of […]
MT @ashk4n Most [Android?] Phones Ship w/ CarrierIQ "Rootkit" that allows carrier to keylog & record browser history http://t.co/90vYRCHR # MT @bobblakley @threatpost Orgs that ban social networks on company PCs ++more likely to be hacked http://t.co/z7oy4rYF http://t.co/9iIb4BBg # New School blog, "Block Social Media, Get Pwned" http://t.co/dWzuCyzz quick comments on @TELUSBusiness report. (Thanks @bobblakley!) […]
At least, that’s the conclusion of a study from Telus and Rotman. (You might need this link instead) A report in IT security issued jointly by Telus and the Rotman School of Management surveyed 649 firms and found companies that ban employees from using social media suffer 30 percent more computer security breaches than ones […]
RT @timoreilly TSA Puts Off Safety Study of X-ray Body Scanners http://t.co/GO4uHLN0 Meanwhile, Europe has banned them http://t.co/rmK3ZSTc
Three newly discovered elements were given names on Friday by the General Assembly of the International Union of Pure and Applied Physics at a meeting in London. They are Darmstadtium, or Ds, which has 110 protons in its nucleus and was named after the town in which it was discovered; Roentgenium, or Rg, with 111 […]
New School blog post "Breach disclosure and Moxie’s Convergence" http://t.co/mu5iLU2n (cc @moxie__ ) # New School blog post "Breach disclosure and Moxie’s Convergence" http://t.co/mu5iLU2n
Two weeks ago I finally got a chance to see Moxie’s Convergence/Trust Agility talk in person. (Since this was at work, let me just re-iterate that this blog is my personal opinions about what I saw.) It’s very good stuff, and Moxie and I had a good side chat about enhancing the usability of Convergence […]
RT @exiledsurfer @KforKallisti: Dan Siegel, Mayor Jean Quan's legal adviser quits over #OccupyOakland police raid http://t.co/c5brsq5u #ows # MT @mikko Somebody forgot a vacuum cleaner in a Swedish nuke plant, causing $267M in damages: http://t.co/kLRbV90h << someone tell stuxnet! # RT @dgwbirch was it a Freeman Dyson? (retires to cheers for making first ever physicist/vacuum […]
RT @WC2A_2AE Indian Communist Party General Sectry 'Let's fingerprint all Americans entering the country, like Brazil' http://t.co/GRBoQfYC
Nice of Apple to fix CVE-2011-0997, published in April (http://t.co/kOh6kTvs) # RT @jeremiahg "Steam Web sites hacked, gamer data exposed" http://t.co/daqkExWj < anyone see an attack vector? << Probably social eng 🙂 # RT @josephmenn @daveweigel The winner. RT @KagroX: Why didn't we just make 10/10/10 louder? # RT @WC2A_2AE Anyone interested in border security […]
So about a month ago, I started flowing my tweets over here. I’d love your thoughts on if it’s helpful, hurtful, or you just ignore it in your reader. [Update: currently arguments run 3:2 against continuing Twitter in the main feed. More (and civil) debate is invited.]
MT @normative How Far Will the Government Go in Collecting and Storing Data about us? New FBI Documents Shed Light http://t.co/zylCo3ES # RT @tqbf If the infosec community was a real influencer in crypto, we'd all be using Twofish instead of AES because of http://t.co/e21kDcwM # .@tqbf has the crypto or vuln community given us […]
MT @samablog More States Accept [fail to arrest?] TSA VIPR Teams at Transportation Hubs http://t.co/h3wdaQ3N via @zite # Are others seeing ICMP timeouts for http://t.co/y2uU0Qvt? /cc @moxie__ # RT @arj: @chenxiwang busts out her dog-eared copy of the Orange Book … < I've never seen a dog-eared copy of the Orange Book! # RT @dakami […]
RT @Fiona: Go watch The Muppets hang out on Google+. Me: Thank you: http://t.co/HacZWzBA << Is "Cookie Monster" an approved name? # RT @Jim_Harper When I describe @Cato's argument–"reasonable expectation of #privacy" FAIL–lawyers steeped in doctrine get confused. #Jones # New blog: "Slow thoughts on Occupy Seattle" http://t.co/13RTo5NE # RT @csoghoian Jones oral argument […]
I headed down to Occupy Seattle before a recent vacation, and have been mulling a bit on what I saw, because the lack of a coherent message or leadership or press make it easy to project our own opinions or simply mis-understand what the “Occupy” protests mean, and I wanted to avoid making that mistake. […]
New blog: "Thoughts on the 2011 DBIR and APT (Authorization Preservation Threats)" http://t.co/yXdAPMqv # New School blog: "Thoughts on the 2011 DBIR and APT (Authorization Preservation Threats)" http://t.co/yXdAPMqv
So Verizon has recently released their 2011 DBIR. Or perhaps more accurately, I’ve managed to pop enough documents off my stack that my scribbled-on notes are at the top, and I wanted to share some with you. A lot have gone to the authors, in the spirit of questions only they can answer. Here, I […]
RT @moxie__ Sarah's reflections on solitary confinement: http://t.co/z46aZjgM # RT @marcan42 RSA keys generated by Ruby didn't actually encrypt anything (e=1). "Oops". http://t.co/9vYNFVlI << I Ruby-encrypted this tweet # RT @ioerror We demand a vapid, condescending, meaningless, politically safe response to this petition: http://t.co/ndtf8tI4 # RT @bratling @mrkoot @adamshostack @ioerror Broken URL, not site. Here's […]
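The retweet above about Ruby-generated RSA keys with e=1 is a one-liner, so here is a worked illustration of why such a key "encrypts nothing". This is an added example, not code from the original post and not Ruby's key generator; it uses textbook RSA (no padding) with small, constructed primes so the arithmetic is visible, and the `public_exponent_is_sane` check is an assumed, illustrative helper, not a real library API.

```python
"""Why an RSA public exponent of e = 1 encrypts nothing.

Textbook RSA computes c = m^e mod n. With e = 1 the "ciphertext" is m
itself, and the private exponent d = e^-1 mod phi(n) is also 1, so both
operations are the identity. The primes below are constructed toy values
(real keys use 2048-bit moduli); the sanity check is an assumed helper.
"""
from math import gcd


def rsa_keypair(p, q, e):
    """Return (n, e, d) for primes p, q and public exponent e.

    Raises ValueError if e is not invertible modulo phi(n), which is the
    only check textbook key generation performs; note that e = 1 passes it.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return n, e, d


def encrypt(m, n, e):
    return pow(m, e, n)


def decrypt(c, n, d):
    return pow(c, d, n)


def encryption_is_identity(n, e, samples):
    """True if every sample message comes back unchanged from encrypt()."""
    return all(encrypt(m, n, e) == m for m in samples)


def public_exponent_is_sane(e):
    """Assumed helper: reject exponents that make RSA trivially broken.

    e = 1 is the identity; an even e can never be coprime to the (even)
    value of phi(n); anything else below 3 is equally useless.
    """
    return e >= 3 and e % 2 == 1


if __name__ == "__main__":
    # Constructed toy primes; 65 is the sample plaintext.
    n, e, d = rsa_keypair(61, 53, 17)
    print("e=17:", encrypt(65, n, e), "->", decrypt(encrypt(65, n, e), n, d))
    n1, e1, d1 = rsa_keypair(61, 53, 1)
    print("e=1 leaves plaintext untouched:",
          encryption_is_identity(n1, e1, range(2, 3233)))
    print("e=1 sane?", public_exponent_is_sane(e1))
```

Nothing in the key-generation arithmetic rejects e=1, which is the point: a key can be internally consistent (encrypt and decrypt round-trip perfectly) while providing no confidentiality at all, so the exponent has to be validated explicitly, both when generating keys and when accepting someone else's public key.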
RT @k8em0 Thanks to speakers, attendees, organizers & volunteers for a fantastic & memorable #bluehat ! # RT @bengoldacre I'm leaving journalism for 6 months. Here's what I've learnt from writing about nonsense for 8 years http://t.co/GZlDnQ18 # RT @AdasBooks Book signing with @johncsh tomorrow at 1pm! http://t.co/pHqhbTv3 # RT @normative Profoundly depressed this is […]
RT @StephieShaver They say there's no rest for the wicked but at least there's espresso! FridayWHAT? << friday at BlueHat! # RT @Beaker: Congrats to @mortman on joining @enstratus! First @jamesurquhart then @botchagalupe and now Dave! All good friends together # As I watch @moxie__ give his trust talk at BlueHat, I realize how valuable […]
RT @at1as: Instead of useless Presidential Debates, how about a #wargame where we get to see how candidates respond to crisis situations? # RT @wikidsystems @adamshostack @at1as Kobayashi Maru! << Cyberyashi Maru! # Getting ready to give my #BlueHat talk on "How Computers Are Compromised." # Oooh, @jeremiahg wants us to play a game at […]
MT @samablog TSA Ignored Cancer Risks from TSA Scanners http://t.co/r72RAw2d via @zite # RT @k8em0 This year's #bluehat should be exciting, check out the lineup – http://t.co/Ee1LoHVK # RT @k8em0 #bluehat is on! Andrew Cushman reflects on past and future threats. http://t.co/w0GpjTQC # What do the comments from ISS World(http://t.co/51Z5ULNQ) mean for surveillance law in […]
RT @ioerror IEEE Global Humanitarian Technology Conference in Seattle http://t.co/VefGa4yy < Looks very exciting, wish I'd known sooner # Follow @ioerror for reporting of Patrick Ball, @alexvans for London Cyber-security event # New blog because my main email is down: "Email chaos: How to reach Adam Shostack" http://t.co/to9lKHKK # RT @GamingPrivacy reflecting on game design […]
The servers that host my personal email have been taken offline by a surprise attack by the evil forces of snow and ice, and my email is likely to start bouncing soon. If you need to reach me, you can use nameofthisblog @ google, or first.last @ microsoft. You can also ask me to follow […]
Short blog: "McWrap Chevre" http://t.co/K1LkXnFU # RT @lorrietweet Why Johnny Can’t Opt Out: A Usability Evaluation of Tools to Limit Online Behavioral Advertising http://t.co/5DDWfhVd # My personal email server is down because of the snow on the east coast. # RT @STRATFOR If #Anonymous does #OpCartel it will almost certainly lead to deaths for members: […]
The Electronic Frontier Foundation has published a report on the State of HTTPS Security that promises to be the first in a series and is well worth reading on its own. The TL;DR version: HTTPS adoption is growing rapidly, but the current system, especially the Certificate Authorities, has much room for improvement before it actually […]
Normally, I like the overlap of cultures, the boundaries of exploration and what comes from that exploration. But this three-way Frankenstein’s combination of French cheese, wraps (not sure where to attribute those–I think the US version is mostly from burritos, but there’s also Arabic pita wraps) and American is somehow best posted on Halloween:
RT @alexhutton Seriously? DHS doesn't *do* threat modeling? My rage is like a 1000 TSA exposed to cancer causing back scatter devices. # RT @ACLU FBI issued 143,074 National Security Letters '03-05 & reported 0 terrorism prosecutions as a result. Zilch. http://t.co/JM8FBFyf # RT @EthanZ Background on @alaa's detention for refusal to accept legitimacy of […]
"Plankytronixx" has a nice blog post on Elevation of Privilege at http://t.co/CFFrWAfF # RT @mattblaze Attention NYPD sign makers: "Just following orders" is not a great slogan. http://t.co/LHBOvQ8f # I'd missed @BillBrenner70 on Security Horror Show http://t.co/5nS0KHOH What can we do to stop the madness? # RT @AudryT Police confirmed: Pepper spray & rubber bullets […]
RT @attackresearch Occupy EIP << occupy system 1! 🙂
RT @dgwbirch I'm sure talks will be fun, but am looking forward to playing the new version of "Privacy" the card game http://t.co/PZGcFf9l # I accidentally clicked allow Firefox to share my location. Where the hell is the undo and why isn't it in privacy preferences? # ("Location" doesn't bring up anything in help) # […]
RT @PogoWasRight Congressman: Secret Report On #TSA Pat Downs, Body Scanner Failures Will “Knock Your Socks Off” http://t.co/pjFmd0Zz # RT @peterhoneyman i fly DTW where they are testing chat down. i opt out and clam up. they get all dour and nasty. # RT @e3i5: Every picture ULed to Facebook is examined for possible matches […]
RT @georgevhulme RT @msksecurity: The Dark Side Of Biometrics: 9 Million Israelis' Hacked Info Hits The Web http://t.co/817TMklU # Actually, @danphilpott, the best line is "Crews determined the land mines were benign and removed them from the bag." http://t.co/KobPO94k # RT @k8em0 This year's #bluehat should be exciting, check out the lineup – http://t.co/Ee1LoHVK # […]
Very short version: Finding a DLNA player that supported the Mac and my new Oppo player was time consuming. Twonky is ok, but I would like something prettier, more reliable, and reasonably secure. I wanted to blog my experience in case it helps other folks. Also, as I posted this, I came across Ed Bott’s […]
New School blog: "Maria Klawe on increasing Women in Technology" http://t.co/NDugVafW # RT @Jim_Harper How Much Homeland Security is Enough? Live now at: http://t.co/XtUXmzp1 << Right question is "how much is too much?" 🙂 # RT @TheOnion American Voices: Should bikers have to register their trips with the government? Tell us #whatdoyouthink http://t.co/1NbLi5Rb # RT […]
I talk a lot about the importance of data in enabling us to bring the scientific method to bear on information security. There’s a reason for that: more data will let us know the falsehoods, and knowing the falsehoods will set us free. But discovering what claims don’t stand up to scrutiny is a matter […]
Ben Sapiro showed off his Binary Risk Assessment (BRA) at SecTor recently. While I didn’t see the presentation, I’ve taken some time and reviewed the slides and read through the documentation. I thought I’d quickly give my thoughts on this: It’s awesome and it sucks. IT’S AWESOME That’s not damning with faint praise, rather, it’s […]
New blog chaos: "CIA Reveals Identity of Bin Laden Hunter" http://t.co/m4oNTyl8
Reportedly, Seattle police have begun issuing tickets to drivers who honk their horns after 10 PM in support of the Occupy protest there. To the extent that the police are only doing this to those expressing a specific point of view, there seems to be a legitimate issue. I am certain that the police would […]
In the Atlantic Wire, Uri Friedman writes “Did the CIA Do Enough to Protect Bin Laden’s Hunter?” The angle Friedman chose quickly turns to outrage that John Young of Cryptome, paying close attention, was able to figure out from public statements made by the CIA, what the fellow looks like. After you’re done being outraged, […]
RT @stuxnet420 #twitter oh, yeah, it's on now. I'll see your Stuxnet and raise u a predator with an irc server. 🙂 http://t.co/hKpfDMBt # RT @drunkenpredator Phew. Think I kicked that software virus. Was really messing with my DEAR SIR I HAVE FOR YOU LUCRATIVE PROPOSAL # RT @runasand The CCC has reverse engineered, analyzed […]
Thanks to the announcement of Apple’s iCloud, I’ve been forced to answer several inquiries about The Cloud this week. Now, I’m coming out of hiding to subject all of you to some of it… The thing that you must never forget about The Cloud is that once information moves to The Cloud, you’ve inherently ceded […]
RT @ethicalhack3r @floatingatoll: The UNIX time zone database has been destroyed by its authors due to a legal threat. http://t.co/1zQIKZm8 # RT @radleybalko Unreal. CA appeals court upholds warrantless cell phone searches during traffic stops. http://t.co/KnklNSat # If you haven't seen it, @ErrataRob "Independent reporting of #OccupyWallStreet" http://t.co/qDYxPdFx is a long thoughtful engagement # […]
I’ve decided to experiment with pushing my Twitter feed onto the blog. What do you think? For non-Twitter users, the RT means “re-tweet,” amplifying things that others have said and MT means modified tweet, where the RT plus comment don’t quite fit. If someone has php code to resolve t.co URLs into real URLs, that […]
Sad to say I can find nothing to say beyond thanks, Steve. # Hey @beaker, if you support http://t.co/ObdJFd79 they have Squirrel t-shirts! # I think that @asteingruebl raises some really good questions in http://t.co/nnbdDNBe # Eric Rachner continues to need to sue for accountability from Seattle police & their videos http://t.co/S3fHkcSM # RT @jilliancyork […]
(I saw this here, would appreciate the right attribution.)
Last Sunday, I did a book reading at Ada’s Technical Books. As I say in the video, I was excited because while I’ve talked about the New School, and I’ve given talks about the New School, I hadn’t done a book reading, in part because of the nature of the book, and my personal comfort […]
Go read this excellent article by Ed Bellis.
I often say that breaches don’t drive companies out of business. Some people are asking me to eat crow because Vasco is closing its subsidiary Diginotar after the subsidiary was severely breached, failed to notify its relying parties, misled people when it did, and then allowed perhaps hundreds of thousands of people to fall victim […]
This Sunday I’ll be reading from the New School at 4PM on Sunday at Ada’s Technical Books in Capitol Hill. If you’re in the area, you should come!
On Friday, I watched Eric Ries talk about his new Lean Startup book, and wanted to talk about how it might relate to security. Ries conceives of startups as businesses operating under conditions of high uncertainty, which includes things you might not think of as startups. In fact, he thinks that startups are everywhere, even […]
For more than a decade, California and other states have kept their newest teen drivers on a tight leash, restricting the hours when they can get behind the wheel and whom they can bring along as passengers. Public officials were confident that their get-tough policies were saving lives. Now, though, a nationwide analysis of crash […]
Following the Diginotar breach, FOX-IT has released analysis and a nifty video showing OCSP requests. As a result, lots of people are quoting a number of “300,000”. Cem Paya has a good analysis of what the OCSP numbers mean, what biases might be introduced at “DigiNotar: surveying the damage with OCSP.” To their credit, FoxIt […]
There’s an interesting article over at CIO Insight: The disclosure of an email-only data theft may have changed the rules of the game forever. A number of substantial companies may have inadvertently taken legislating out of the hands of the federal and state governments. New industry pressure will be applied going forward for the loss […]
Governor Brown of California has signed a strengthened breach notification bill, which amends Sections 1798.29 and 1798.82 of the California Civil Code in important ways. Previous versions had been repeatedly vetoed by Arnold Schwarzenegger. As described[.DOC] by its sponsor’s office, this law: Establishes standard, core content — such as the type of information breached, time […]
As Brad Feld says, this is the best auto-responder in a long time: I am currently out of the office on vacation. I know I’m supposed to say that I’ll have limited access to email and won’t be able to respond until I return — but that’s not true. My blackberry will be with me […]
Fifteen years ago, I posted a copy of “Source Code Review Guidelines” to the web. I’d created them for a large bank, because at the time, there was no single document on writing or reviewing for security that was broadly available. (This was a about four years before Michael Howard and Dave LeBlanc published Writing […]
I’ve left Verizon. A lot of folks have come up to me and asked, so I thought I’d indulge in a rather self-important blog-post and explain something: It wasn’t about Verizon, but about the opportunity I’ve taken. Wade, Chris, Hylender, Marc, Joe, Dave, Dr. Tippett & all the rest – they were all really, really […]
There’s something important happening around Google+. It’s the start of a rebellion against the idea of “government authorized names.” (A lot of folks foolishly allow the other side to name this as “real names,” but a real name is a name someone calls you.) Let’s start with “Why Facebook and Google’s Concept of ‘Real Names’ […]
The fine folks at Securosis are starting a blog series on “Fact-based Network Security: Metrics and the Pursuit of Prioritization“, starting in a couple of weeks. Sounds pretty New School to me! I suggest that you all check it out and participate in the dialog. Should be interesting and thought provoking. [Edit — fixed my […]
From the app store: I hope this doesn’t cause Apple to ban snarky update messages.
It’s occurring to me this morning that in terms of benefit/cost, purely in “damage to society” terms, the decision to put html in emails could be one of the worst ideas in the past 25 years. But that’s just me. Your thoughts on others in the comments?
This is really cool. All Streets is a map of the United States made of nothing but roads. A surprisingly accurate map of the country emerges from the chaos of our roads: All Streets consists of 240 million individual road segments. No other features — no outlines, cities, or types of terrain — are marked, […]
Dear Apple, In the software update, you tell us that we should see http://support.apple.com/kb/HT1222 for the security content of this update: However, on visiting http://support.apple.com/kb/HT1222, and searching for “10.3”, the phrase doesn’t appear. Does that imply that there’s no security content? Does it mean there is security content but you’re not telling us about it? […]
Emergent Chaos has a long tradition of posting the American Declaration of Independence here to celebrate the holiday. It’s a good document in many ways. It’s still moving, more than two centuries after it was written. It’s clearly written, and many people can learn from its structured approach to presenting a case. And last but […]
So MySpace sold for $35 million, which is nice for a startup, and pretty poor for a company on which Rupert Murdoch spent a billion dollars. I think this is the way of centralized social network software. The best of them learn from their predecessors, but inevitably end up overcrowded. Social spaces change. You don’t […]
Over at the Office of Inadequate Security, Pogo was writing about the Lulzsec hacking of Arizona State Police. Her article is “A breach that crosses the line?” I’ve been blogging for years about the dangers of breaches. I am concerned about dissidents who might be jailed or killed for their political views, abortion doctors whose […]
On Tuesday in a ceremony in Rome, the United Nations is officially declaring that for only the second time in history, a disease has been wiped off the face of the earth. The disease is rinderpest. Everyone has heard of smallpox. Very few have heard of the runner-up. That’s because rinderpest is an epizootic, an […]
My colleagues Dinei Florencio and Cormac Herley have a new paper out, “Sex, Lies and Cyber-crime Surveys.” Our assessment of the quality of cyber-crime surveys is harsh: they are so compromised and biased that no faith whatever can be placed in their findings. We are not alone in this judgement. Most research teams who have […]
On Friday, I ranted a bit about “Are Lulz our best practice?” The biggest pushback I heard was that management doesn’t listen, or doesn’t make decisions in the best interests of the company. I think there’s a lot going on there, and want to unpack it. First, a quick model of getting executives to do […]
Over at Risky.biz, Patrick Grey has an entertaining and thought-provoking article, “Why we secretly love LulzSec:” LulzSec is running around pummelling some of the world’s most powerful organisations into the ground… for laughs! For lulz! For shits and giggles! Surely that tells you what you need to know about computer security: there isn’t any. And […]
Yesterday, Epsilon and Sony testified before Congress about their recent security troubles. There was a predictable hue and cry that the Epsilon breach didn’t really hurt anyone, and there was no reason for them to have to disclose it. Much of that came from otherwise respectable security experts. Before I go on, let me give […]
In “It’s Time to Start Sharing Attack Details,” Dennis Fisher says: With not even half of the year gone, 2011 is becoming perhaps the ugliest year on record for major attacks, breaches and incidents. Lockheed Martin, one of the larger suppliers of technology and weapons systems to the federal government, has become the latest high-profile […]
Eric Fischer is doing work on comparing locals and tourists and where they photograph based on big Flickr data. It’s fascinating to try to identify cities from the thumbnails in his “Locals and Tourists” set. (I admit, I got very few right, either from “one at a time” or by looking for cities I know.) […]
After I wrote “The future of education is chaotic and fun“, I came across “The Montessori Mafia” about the unusual level of success that Montessori produces. In my post, I opened discussing how our current system of funding education in the US is to force everything through a government department. That department is constrained by […]
In honor of rapture day, the Flying Spaghetti Monster has chosen to manifest his tentacly goodness in Stanley Park in Vancouver:
I wanted to let people know that Microsoft is making the source files for the Elevation of Privilege game available. They are Adobe Illustrator and InDesign files, and are now on the EoP download site. They’re the 85mb of zipped goodness. They can be used under the same Creative Commons Attribution 3.0 US license under […]
Science fiction author Walter John Williams wants to get his out of print work online so you can read it: To this end, I embarked upon a Cunning Plan. I discovered that my work had been pirated, and was available for free on BitTorrent sites located in the many outlaw server dens of former Marxist […]
First, for those who might have missed it, Google has released Google Refine, a free tool for cleaning dirty data sets. It allows you to pull in disparate data, then organize and clean it for consistency. Next, some interesting thoughts on how “anonymized” data sets aren’t, and some thoughts on the implications of this from […]
Last week, I had the pleasure of attending the ACM conference on Computer Human Interaction, CHI. As I mentioned in a work blog post, “Adding Usable Security to the SDL,” I’m now focused on usable security issues at work. I’m planning to say more about the conference in a little bit, but for right now, […]
In “Is Your Religion Your Financial Destiny?,” the New York Times presents the following chart of income versus religion: Note that it doesn’t include the non-religious, which one might think an interesting group as a control. Now, you might think that’s because the non-religious aren’t in the data set. But you’d be wrong. In the […]
There’s a very interesting discussion on C-SPAN about the consumer’s right to know about breaches and how the individual is best positioned to decide how to react. “Representative Bono Mack Gives Details on Proposed Data Theft Bill.” I’m glad to see how the debate is maturing, and how no one bothered with some of the […]
Lately, I’ve seen three interesting bits on the future of education, and I wanted to share some thoughts on what they mean. The first is a quickie by Don Boudreaux at Cafe Hayek, titled “Grocery School.” It starts “Suppose that we were supplied with groceries in same way that we are supplied with K-12 education.” […]
There’s an excellent column in the old liberal tradition of celebrating liberty in this week’s New Yorker. It’s Memorials by Adam Gopnik, and includes a quote from John Stuart Mill at his rhetorical peak.
Here’s your Friday dose of Star Wars. Leave the volume on, even if you don’t speak French. That way your over-achieving cube neighbors will be distracted, too.
From Krugman (commentary is his): “Without metrics, you’re just another guy with an opinion. — Stephan Leschka, Hewlett Packard When I hear words from almost anyone about how their approach is better than some other approach, I think of this quote. And as Daniel Patrick Moynihan said: Every man is entitled to his own opinion, […]
So I haven’t had a chance to really digest the new DBIR yet, but one bit jumped out at me: “86% were discovered by a third party.” I’d like to offer up an explanatory story of why might that be, and muse a little on what it might mean for the deployment of intrusion detection […]
So I’m listening to the “Larry, Larry, Larry” episode of the Risk Hose podcast, and Alex is talking about data-driven pen tests. I want to posit that pen tests are already empirical. Pen testers know what techniques work for them, and start with those techniques. What we could use are data-driven pen test reports. “We […]
Seriously. Interesting. Go check this out: http://securityblog.verizonbusiness.com/2011/04/12/veris-community-project-update/ Take a look, impact information!
Hey Kids, Reader Mark Wallace wrote in a comment to the blog yesterday, and I wanted to answer the comment in an actual blog post. So here goes: — Mark, Thanks for reading! There’s a point where publicly writing forces me to answer a few questions that I’m not ready to make a quick decision […]
Today, April 12, 2011 is the 50th Anniversary of Yuri Gagarin’s historic first flight. Why not join a celebration? Invite to the Kremlin event via Xeni Jardin.
The thread “What is Risk?” came up on a linkedin Group. Thought you might enjoy my answer: ———————- Risk != uncertainty (unless you’re a Knightian frequentist, and then you don’t believe in measurement anyway), though if you were to account for risk in an equation, the amount of uncertainty would be a factor. risk != […]
There’s a story in the New York Times, “To Get In, Push Buttons, or Maybe Swipe a Magnet” which makes interesting allusions to the meaning of fair trade in locks, implied warranties and the need for empiricism in security: In court filings, Kaba argued that it had “never advertised or warranted in any way that […]
Via Investors.com
In “Why The New School Is Important,” Alex writes: Being New School won’t solve your problems. What a New School mindset will do for you is help you begin to understand what your problems actually are. So without arguing with the rest of Alex’s post, I’m forced to beg to differ. The New School is […]
I participated in another security metrics and risk discussion yesterday (yeah, me talk about metrics & risk – you don’t say). As part of this discussion someone echoed a sentiment I’ve been hearing more and more of recently. A casual acceptance of the logic of metrics and data followed quickly by a dismissive, skeptical statement […]
Hey! Tomorrow at 1pm ET reg now: @joshcorman & I redux our (in)famous ‘Metrics are Bunk!?’ debate from RSAC 2011: http://bit.ly/i6z1BL
Not crazy like Sammy-Hagar-has-clearly-abused-his-brain-and-it’s-giving-him-bad-information-to-come-out-of-his-mouth crazy, but crazy like, there-are-so-many-good-talks-you-can’t-possibly-not-get-value-out-of-the-conference crazy. For example, I’ll be talking twice. Once with Dan Geer and Greg Shannon about Prediction Markets in InfoSec. Then I’ll be giving one of THE FIRST EVER (!) debriefings of the 2011 DBIR (which is going to be crazy like both of the above). I’m […]
According to Groklaw, Microsoft is backing laws that forbid the use of Windows outside of the US. Groklaw doesn’t say that directly. Actually, they pose charmingly with the back of the hand to the forehead, bending backwards dramatically and asking, “Why Is Microsoft Seeking New State Laws That Allow it to Sue Competitors For […]
Several weeks back, I was listening to the Technometria podcast on “Personal Data Ecosystems,” and they talked a lot about putting the consumer in the center of various markets. I wrote this post then, and held off posting it in light of the tragic events in Japan. One element of this is the “VRM” or […]
“Maine Town Declares Food Sovereignty, Nullifies Conflicting Laws.” So reads the headline at the 10th Amendment center blog: The Maine town of Sedgwick took an interesting step that brings a new dynamic to the movement to maintain sovereignty: Town-level nullification. Last Friday, the town passed a proposed ordinance that would empower the local level to […]
Rob is apparently confused about what risk management means. I tried to leave this as a comment, but apparently there are limitations in commenting. So here goes: Rob, Nowhere did I imply you were a bad pen tester. I just said that you should have a salient view of failure in complex systems (which […]
OR – RISK ANALYSIS POST-INCIDENT, HOW TO DO IT RIGHT Rob Graham called me out on something I retweeted here (seriously, who calls someone out on a retweet? Who does that?): http://erratasec.blogspot.com/2011/03/fukushima-too-soon-for-hindsight.html And that’s cool, I’m a big boy, I can take it. And Twitter doesn’t really give you a means to explain why you […]
After spending a while crowing about the ChoicePoint breach, I decided that laughing about breaches doesn’t help us as much as analyzing them. In the wake of RSA’s recent breach, we should give them time to figure out what happened, and look forward to them fulfilling their commitment to share their experiences. Right now we […]
With the crisis in Japan, attention to the plight of those trying to remove Colonel Kaddafi from power in Libya has waned, but there are still calls, including ones from the Arab League, to impose a no-fly zone. Such a zone would “even the fight” between the rebels and Kaddafi’s forces. There are strong calls […]
In “Shaking Down Science,” Matt Blaze takes issue with academic copyright policies. This is something I’ve been meaning to write about since Elsevier, a “reputable scientific publisher,” was caught publishing a full line of fake journals. Matt concludes: So from now on, I’m adopting my own copyright policies. In a perfect world, I’d simply refuse […]
THURSDAY, THURSDAY, THURSDAY!!!!!!! Hi everyone! SIRA’s March monthly webinar is this Thursday, March 10th from 12-1 PM EST. We are excited to have Mr. Nicholas Percoco, Head of SpiderLabs at Trustwave, talk to us about the 2011 Trustwave Global Security Report. Block off your calendars now! Hello, Alexander Hutton invites you to attend this […]
In watching this TEDMed talk by Thomas Goetz, I was struck by what a great lesson it holds for information security. You should watch at least the first 7 minutes or so. (The next 9 minutes are interesting, but less instructive for information security.) The key lesson that I’d like you to take from this […]
Seth Godin asks an excellent question: Is something important because you measure it, or is it measured because it’s important? I find that we tend to measure what we can, rather than working toward being able to measure what we should, in large part because some variation of this question is not asked. I’m going […]
In two recent blog posts (here and here), Chris Wysopal (CTO of Veracode) proposed a metric called “Application Security Debt”. I like the general idea, but I have found some problems in his method. In this post, I suggest corrections that will be both more credible and more accurate, at least for half of the […]
Mike Rothman’s “Firestarter” on “Risk Metrics are Crap“. It’s very difficult to argue with a poorly constructed argument. Especially when I have no idea what a “risk metric” is. But best as I can tell, Mike’s position is that unless you are smart and/or have strong resources allocated to your InfoSec team, things like metrics, […]
Last month, I wrote: But after 50 years of meddling in the market, reducing the support for housing is going to be exceptionally complex and chaotic. And the chaos isn’t going to be evenly distributed. It’s going to be a matter of long, complex laws whose outcomes are carefully and secretly influenced. Groups who aren’t […]
The New School blog will shortly be publishing a stunning expose of Anonymous, and before we do, we’re looking for security advice we should follow to ensure our cloud-hosted blog platform isn’t pwned out the wazoo. So, where’s the checklist of all best practices we should be following? What’s that you say? There isn’t a […]
Symantec’s new Norton Cybercrime Index looks like it is mostly a marketing tool. They present it as though there is solid science, data, and methods behind it, but an initial analysis shows that this is probably not the case. The only way to have confidence in it is if Symantec opens up about its algorithms and data.
I got this in email and wanted to amplify it: Law Enforcement Against Prohibition prides itself on the willingness of our members to stand up and take action against drug prohibition. Last fall, LEAP member Joe Miller did exactly that. A California police officer for eight years before taking a position as a deputy probation […]
HEY Y’ALL @securosis’ own @rmogull for today’s “al desco” SIRA meeting. Details, details: SIRA’s February monthly online meeting is TODAY; February 10th from 12-1 PM EST. We are excited to have Mr. Rich Mogull from Securosis talk to us with a behind-the-scene look at Securosis’ “2010 Data Security Survey”. Block off your calendars now! The […]
If a CISO is expected to be an executive officer (esp. for a large, complex technology- or information-centered organization), then he/she will need MBA-level knowledge and skill. An MBA is one path to getting those skills, at least if you are thoughtful and selective about the school you choose. Other paths are available, so it’s not just about an MBA credential.
Otherwise, if a CISO is essentially the Most Senior Information Security Manager, then MBA education wouldn’t be of much value.
Someone wrote to me to ask: A few cards are not straightforward to apply to a webapp situation (some seem assume a proprietary client) – do you recommend discarding them or perhaps you thought of a way to rephrase them somehow? For example: “An attacker can make a client unavailable or unusable but the problem […]
Over at their blog, i.Materialise (a 3D printing shop) brags about not taking an order. The post is “ATTENTION: ATM skimming device.” It opens: There is no doubt that 3D printing is a versatile tool for materializing your 3D ideas. Unfortunately, those who wish to break the law can also try to use our technology. […]
In “Close Look at a Flu Outbreak Upends Some Common Wisdom,” Nicholas Bakalar writes: If you or your child came down with influenza during the H1N1, or swine flu, outbreak in 2009, it may not have happened the way you thought it did. A new study of a 2009 epidemic at a school in Pennsylvania […]
Hey, I know it’s late notice, but I’ll be speaking at 10:30 EST today on EBRM and the Verizon DBIR: https://www.techwebonlineevents.com/ars/eventregistration.do?mode=eventreg&F=1002809&K=CAA1BC&tab=agenda Alex
Yesterday, I said on Twitter that “If you work in information security, what’s happening in Egypt is a trove of metaphors and lessons for your work. Please pay attention.” My goal is not to say that what’s happening in Egypt is about information security, but rather to say that we can be both professional and […]
Self Promotion time, sorry for the spam, but I think the stuff I’ll be participating in at RSA is pretty NewSchool. Here’s an interview that talks about both of the things I’ll be doing and you can see if they’ll be interesting: http://itacidentityblog.com/rsa-podcast-alex-hutton-principal-in-research-and-risk-intelligence-verizon-business
In “TSA shuts door on private airport screening program,” CNN reports that “TSA chief John Pistole said Friday he has decided not to expand the program beyond the current 16 airports, saying he does not see any advantage to it.” The advantage, of course, is that it generates pressure on his agency to do better. […]
I have fundamental objections to Ponemon’s methods used to estimate ‘indirect costs’ due to lost customers (‘abnormal churn’) and the cost of replacing them (‘customer acquisition costs’). These include sloppy use of terminology, mixing accounting and economic costs, and omitting the most serious cost categories.
Both Dissent and George Hulme took issue with my post Thursday, and pointed to the Ponemon U.S. Cost of a Data Breach Study, which says: Average abnormal churn rates across all incidents in the study were slightly higher than last year (from 3.6 percent in 2008 to 3.7 percent in 2009), which was measured by […]
So before I respond to some of the questions that my “A day of reckoning” post raises, let me say a few things. First, proving that a breach has no impact on brand is impossible, in the same way that proving the non-existence of god or black swans is impossible. It will always be possible […]
Analysis of Heartland’s business as a going concern by @oneraindrop. Especially interesting after comments on the CMO video.
Over at The CMO Site, Terry Sweeney explains that “Hacker Attacks Won’t Hurt Your Company Brand.” Take a couple of minutes to watch this. Let me call your attention to this as a turning point for a trend. Those of us in the New School have been saying this for several years, but the idea […]
The people of Tunisia have long been living under an oppressive dictator who’s an ally of the US in our ‘war on terror.’ Yesterday, after substantial loss of life, street protests drove the dictator to abdicate. There’s lots of silly technologists claiming it was twitter. A slightly more nuanced comment is in “Sans URL” Others, […]
It’s MLK Day. Here’s a pdf of the speech. Or watch it online:
Hey everybody! I was just reading Gunnar Peterson’s fun little back of the napkin security spending exercise, in which he references his post on a security budget “flat tax” (Three Steps To A Rational Security Budget). This got me to thinking a bit – What if, instead of in the world of compliance where we […]
The visual metaphor of a dashboard is a dumb idea for management-oriented information security metrics. It doesn’t fit the use cases and therefore doesn’t support effective user action based on the information. Dashboards work when the user has proportional controllers or switches that correspond to each of the ‘meters’ and the user can observe the effect of using those controllers and switches in real time by observing the ‘meters’. Dashboards don’t work when there is a loose or ambiguous connection between the information conveyed in the ‘meters’ and the actions that users might take. Other visual metaphors should work better.
For a great many years, US taxpayers have been able to deduct interest paid on a home mortgage from their taxes. That made owning property cost roughly 20% less than it otherwise would have (estimating a 25% tax rate on interest on 80% of a property). So everyone could afford 20% “more” house, which meant […]
You might argue that insiders are dangerous. They’re dangerous because they’re authorized to do things, and so monitoring throws up a great many false positives, and raises privacy concerns. (As if anyone cared about those.) And everyone in information security loves to point to insiders as the ultimate threat. I’m tempted to claim this as […]
Event: The Carnegie Institute for Science will be hosting “The Stripping of Freedom: A Careful Scan of TSA Security Procedures” Outrage: “SFO pilot exposes airport security flaws.” Apparently, pilots allowed to carry guns give up their free speech rights “causes the loss of public confidence in TSA…” (does anyone have a copy of the letter?) […]
No doubt my “Why I Don’t Like CRISC” blog post has created a ton of traffic and comments. Unfortunately, I’m not a very good writer because the majority of readers miss the point. Let me try again more succinctly: Just because you can codify a standard or practice doesn’t mean that this practice is sane. […]
There’s just something about skinny girls in pouffy skirts…and stormtrooper helmets. More at http://redandjonny.tumblr.com/
Back in September, a group of Czech artists called EPOS 257 camouflaged themselves as city-workers, went to the Palackeho square in Prague and installed a fence. The fence was left on the square with no apparent intent or explanation. At first, the city council didn’t know about it, and when they were told, they didn’t […]
Over at We Won’t Fly, George Donnelly writes: I was about to delete an offensive comment on this blog – one of the very few we get – and thought, hmm, I wonder where this guy is posting from? Because, really, it is quite unusual for us to get nasty comments. Lo and behold, the […]
Lately there has been quite a bit of noise about the concept of “trust” in information security. This has always confused me, because I tend towards @bobblakley when he says: “trust is for suckers.” But security is keen on having trendy new memes, things to sell you, and I thought that I might as well […]
Act: Get this 2-page Passenger’s Rights Sheet: http://saizai.com/tsa_rights.pdf Outrage: “Gaping Holes in Airline Security: Loaded Gun Slips Past TSA Screeners” (Matthew Mosk, Angela Hill and Timothy Fleming, ABC News) “TSA + Police + JetBlue Conspire Against Peaceful Individual at JFK” (George Donnelly, WeWontFly.org) “TSA Lies Again Over Capture, Storage Of Body Scanner Images” (Steve Watson, […]
This is a fascinating visualization of 10MM Facebook Friends™ as described in Visualizing Friendships by Paul Butler. A couple of things jump out at me in this emergent look at geography. The first is that Canada is a figment of our imaginations. Sorry to my Canadian friends (at least the anglophones!) The second is that […]
We at the New School blog use WordPress with some plugins. Recently, Alex brought up the question of how we manage to stay up to date. It doesn’t seem that WordPress has a security announcements list, nor do any of our plugins. So I asked Twitter “What’s the best way to track security updates for […]
Paul Kedrosky writes: Most of us have heard the story of armoring British bombers, as it’s too good not to share, not to mention being straight from the David Brent school of management motivation. Here is the Wikipedia version: Bomber Command’s Operational Research Section (BC-ORS), analysed a report of a survey carried out by RAF […]
From The Fine Article: Under these circumstances, then, it becomes more likely that the charges are indeed weak (or false) ones made to seem as though they are strong. Conversely, if there were no political motivation, then the merits of the charges would be more closely related to authorities’ zealousness in pursuing them, and we […]
But you can still evaluate the quality of the effort. Likewise, there’s a lot that you can’t measure about security and risk, but you can still infer something from how the effort is pursued.
Intrusiveness and outrage: “Homeland Security Is Also Monitoring Your Tweets” “‘Baywatch’ Beauty Feels Overexposed After TSA Scan” (David Moye, AOLnews) “the agent responded, ‘Because you caught my eye, and they’ — pointing to the other passengers — ‘didn’t.’” “POLICE STATE – TSA, Homeland Security & Tampa Police Set Up Nazi Checkpoints At Bus Stations” […]
A couple of things caught Stuart Schechter’s eye about the spam to which this image was attached, but what jumped out at me was the name on the criminal’s passport: Frank Moss, former deputy assistant secretary of state for passport services, now of Identity Matters, LLC. And poor Frank was working so hard to claim […]
Hey, remember when blogging was new and people would sometimes post links instead of making “the $variable Daily” out of tweets? Well even though I’m newschool with the security doesn’t mean I can’t kick it oldschool every so often. So here are some links I thought you might enjoy, probably worth discussion and review even […]
“I understand people’s frustrations, and what I’ve said to the TSA is that you have to constantly refine and measure whether what we’re doing is the only way to assure the American people’s safety. And you also have to think through are there other ways of doing it that are less intrusive,” Obama said. “But […]
National Institute of Standards and Technology Gaithersburg, MD USA April 5-6, 2011 Call for Participation The field of usable security has gained significant traction in recent years, evidenced by the annual presentation of usability papers at the top security conferences, and security papers at the top human-computer interaction (HCI) conferences. Evidence is growing that significant […]
I really enjoyed District 9. Thought I understood some of it. But that was before I read “becoming the alien: apartheid, racism and district 9” by Andries du Toit. Now I need to watch the movie again.
I’d like some feedback on my data analysis, below, from anyone who is an expert on spam or anti-spam technologies. I’ve analyzed data from John Graham-Cumming’s “Spammers’ Compendium” to estimate the technical capabilities of spammers and the evolution path of innovations.
Rachel Tayse over at Hounds In The Kitchen, has an awesome Repeal Day Rant on why repeal day isn’t as good as it sounds. Yet again I feel a lot less free.
Thanks to Chris Eng for making this!
HEY! – At 3pm today Alex (@alexhutton) will be doing an interview over the twitters with Dark Reading’s (@DarkReading) Kelly Jackson Higgins (@kjhiggins). Follow along with the hashtag #verizonDR! We’ll be talking risk, metrics, data, – you know, the new school-y stuff.
“Towards Better Usability, Security and Privacy of Information Technology” is a great survey of the state of usable security and privacy: Usability has emerged as a significant issue in ensuring the security and privacy of computer systems. More-usable security can help avoid the inadvertent (or even deliberate) undermining of security by users. Indeed, without sufficient […]
Outrage “Adam Savage: TSA saw my junk, missed 12″ razor blades” (Ben Kuchera, Ars Technica with video) “DHS & TSA: Making a list, checking it twice” (Doug Hadmann, Canada Free Press) claims that DHS has an internal memo calling those 59% of Americans who oppose pat downs “domestic extremists.” No copies of the memo have […]
Recently, I’ve heard some bits and pieces about how Information Security (InfoSec) can be “threat-centric” or “vulnerability-centric”. This struck me as funny for a number of reasons, mainly because it showed a basic bias towards what InfoSec *is*. And to me, InfoSec is too complex to be described as “threat-centric” or “vulnerability-centric” and yet still simple enough […]
A senior officer said they had found examples of young women who had declared themselves exempt posting photographs of themselves on Facebook in immodest clothing, or eating in non-kosher restaurants. Others were caught by responding to party invitations on Friday nights – the Jewish Sabbath. (“Israeli army uses Facebook to expose draft dodgers,” Wyre Davies, […]
Hey y’all, Please think about getting on twitter and joining Dark Reading on Mon., Nov. 29@2:30pm ET for a twitterview ME! (Verizon’s @alexhutton). The hashtag you wanna use and track is: #VerizonDR
“baseball’s rich in wonderful statistics, but it’s hard to find one more beautiful than Stan Musial’s hitting record.” – George Will “When you first hear about this guy, you say, ‘it can’t be true.’ When you first meet him you say, ‘It must be an act.’ But as you watch him and watch him and […]
I’ll be contributing to a new group blog, “I will opt out“. I think that concentrating and combining resources will help the people who care find all the news they want. My first post is at “More news from around the web”
It’s been hard to miss the story on cat tongues (“For Cats, a Big Gulp With a Touch of the Tongue:)” Writing in the Thursday issue of Science, the four engineers report that the cat’s lapping method depends on its instinctive ability to calculate the balance between opposing gravitational and inertial forces. …After calculating things […]
On my work (“Microsoft Security Development Lifecycle”) blog, I’ve posted “Make Your Own Game! (My BlueHat lightning talk).”
Analysis: “‘Strip-or-Grope’ vs. Risk Management” Jim Harper, Cato@Liberty blog. Really solid thinking, although I usually don’t like asset-centric approaches, I think that for the physical world they make more sense than they do in software threat modeling. TSA more likely to kill you than a terrorist. thread at Flyertalk (thanks Doug!) “Has Airport Security Gone […]
Outrage: Transcript: Senate hearing on TSA, full-body scanners (yesterday, not one Senator cared.) Today’s hearing: http://www.c-span.org/Watch/C-SPAN3.aspx TSA Success Story (You can win in line.) If someone had done that to me at a nightclub I’d call the cops. Violated Traveling with scars Search this one for “pump” to learn about a diabetic’s experience. What would […]
In this instance, it’s for science, helping a friend do some work on analyzing web traffic. If you don’t like it, please install software that blocks these 1 pixel images from tracking you. Edit: removed the web bug
You may have heard me say in the past that one of the more interesting aspects of security breaches, for me at least, is the concept of reputation damage. Maybe that’s because I heard so many sales tactics tied to defacement in the 90’s, maybe because it’s so hard to actually quantify brand equity and […]
There’s no news roundup today, the stories are flying, unlike people, who are sick and tired of the indignities, the nudeatrons and the groping. If you want to see them, you can follow me on twitter or National Opt Out day Tomorrow, there’s a Transportation Security Administration Oversight Hearing whose only witness is TSA Administrator […]
“‘Naked’ scanners at U.S. airports may be dangerous: scientists” (National Post) The head of the X-ray lab at Johns Hopkins says “statistically, someone is going to get skin cancer from these X-rays.” “DHS chief tells pilot, tourism reps scans and patdowns will continue” (Infowars.com) includes link to a CNN story “Growing backlash against TSA […]
Earlier this week, the White House responded to the UC San Francisco faculty letter on nudatrons. (We mentioned that here.) National Academy of Sciences member John Sedat says “many misconceptions, and we will write a careful answer pointing out their errors.” TSA has claimed that pictures will have blurred genital areas to “protect privacy.” Except […]
PEOPLE OF EARTH – The VERIS Community Application is out: Announcement here: http://bit.ly/cDAUhy Website here: http://bit.ly/9dZwEJ From Wade’s announcement: If the VERIS framework describes what information should be shared, the VERIS application provides how to actually share it. Anyone wishing to classify and report an incident can do so responsibly and anonymously using the application. In taking […]
“Terror chief tries to board plane with banned liquids” (Mirror, UK) Obviously, the UK needs to get with the TSA program and exempt Ministers from search. Flight attendants union upset over new pat-down procedures “Airport security reaches new levels of absurdity” (Salon’s Ask the Pilot blog) “Know Your Options at the Airport” (ACLU of Massachusetts) […]
Facebook Changes Photo Memories to No Longer Show Your Ex-Boyfriends or Ex-Girlfriends: In response to numerous complaints, Facebook has changed its Photo Memories sidebar module to no longer display friends who a user was formally listed as in a relationship with. [Sic] But it’s not just about selective remembering because “Your Memories Will Be Rewritten.” […]
Another friendly reminder: Alexander Hutton invites you to attend this online meeting. Topic: RISK ANALYST MEETING Date: Thursday, November 11, 2010 Time: 12:00 pm, Eastern Standard Time (New York, GMT-05:00) Meeting Number: 749 697 377 Meeting Password: riskisswell ——————————————————- To join the online meeting (Now from iPhones and other Smartphones too!) ——————————————————- 1. Go to […]
Via Boing Boing, where Maggie Koerth-Baker gave a delightful pointer to this film of Feynman explaining for seven-and-a-half minutes why he can’t really explain why magnets repel each other. Or attract, either. And trumping him in time and space, Bierce gave us this in 1906: MAGNET, n. Something acted upon by magnetism. MAGNETISM, n. Something […]
Body scanners that the TSA is basically encouraging use of by threatening to otherwise grope, fondle, or molest you or your children are basically perfectly safe. Well, unless you happen to be any one of the following: a woman at risk to breast cancer a pregnant woman an immunocompromised individual (HIV and cancer patients) a […]
Hey everyone. The Society of Information Risk Analysts (SIRA) would like to invite you to our November meeting this Thursday at 12 noon EST. Here’s a link to a meeting invite: http://bit.ly/d7IHn7 This month, we’ll have Sam Savage, author of the excellent book, The Flaw Of Averages join us. He’ll be talking about the book […]
A number of faculty at UCSF have a letter to John Holdren, the President’s advisor on science and technology. There’s a related story on NPR.org, but I’d missed the letter. It appears the concerns of 3 members of the National Academy of Sciences have been completely ignored.
Thanks, N! (Added link)
Dissent reports “State Department official admits looking at passport files for more than 500 celebrities.” A passport specialist curious about celebrities has admitted she looked into the confidential files of more than 500 famous Americans without authorization. This got me thinking: how does someone peep at 500 files before anyone notices? What’s wrong with the […]
A reminder for those of you who haven’t read or watched “V for Vendetta” one time too many, it’s Guy Fawkes Day today: The plan was to blow up the House of Lords during the State Opening of Parliament on 5 November 1605… …Fawkes, who had 10 years of military experience fighting in the Spanish Netherlands in […]
UPDATE: Should have known Chris Hoff would have been all over this already. From the Twitter Conversation I missed last night: Chris, I award you an honorary NewSchool diploma for that one. ——————————————————————————- From: Amazon Says Cloud Beats Data Center Security where Steve Riley says, “in no uncertain terms: it’s more secure there than in […]
First, a quick news roundup: EPIC is suing DHS for improper rulemaking, violations of the fourth amendment, the privacy act, the religious freedom restoration act, and the video voyeurism prevention act. The ACLU has a news roundup and a form to report on TSA behavior. The Airline Pilots Association advises pilots to show resistance. So […]
See what happened when Portishead, England turned off their traffic lights in September 2009 in this video. And don’t miss “Portishead traffic lights set to stay out after trial” in the Bristol Evening Post.
I’m a nerd, yes.
Apparently, the TSA is now protecting us so well that they make women cry by touching them inappropriately. According to (CNN Employee Rosemary) Fitzpatrick, a female screener ran her hands around her breasts, over her stomach, buttocks and her inner thighs, and briefly touched her crotch. “I felt helpless, I felt violated, and I felt […]
Very entertaining video: I love it because curtains are privacy people will pay for, but even more, because, ironically for a privacy-enhancing technology, it generates more attention than not using it.
October 18th’s bad news for the TSA includes a pilot declining the choice between aggressive frisking and a nudatron. He blogs about it in “Well, today was the day:” On the other side I was stopped by another agent and informed that because I had “opted out” of AIT screening, I would have to go […]
Researchers in the United States have found that putting individual geniuses together into a team doesn’t add up to one intelligent whole. Instead, they found, group intelligence is linked to social skills, taking turns, and the proportion of women in the group. […] “We didn’t expect that the proportion of women would be a significant […]
In the comments to “Why I Don’t Like CRISC” where I challenge ISACA to show us in valid scale and in publicly available models, the risk reduction of COBIT adoption, reader Sid starts to get it, but then kinda devolves into a defense of COBIT or something. But it’s a great comment, and I wanted […]
These days I’m giving a DBIR presentation that highlights the fact that SQLi is 10 years old, and yet is still one of the favorite vectors for data breaches. And while CISOs love it when I bring this fact up in front of their dev. teams, in all deference to software developers and any ignorance […]
Information Security.com reports that: [Richard Clarke] controversially declared “that spending more money on technology like anti-virus and IPS is not going to stop us losing cyber-command. Instead, we need to re-architect our networks to create a fortress. Let’s spend money on research to create a whole new architecture, which will cost just a fraction of […]
Just about anything a database might store about a person can change. People’s birthdays change (often because they’re incorrectly reported or recorded). People’s gender can change. One thing I thought didn’t change was blood type, but David Molnar pointed out to me that I’m wrong: Donors for allogeneic stem-cell transplantation are selected based on their […]
In the general case, you are not anonymous on the interweb, but economically-anonymous, which I propose to label “enonymous”, and that’s not the same thing at all. If you threaten to kill the President, you will be tracked down, and the state will spend the money it takes on it. But if you call Lily […]
Hey everyone. I wanted to mention that Josh Corman of the 451 Group has graciously decided to make a webinar with me on the Data Breach Investigations Report, and has even made the webinar open to the public. So as such, Josh is collecting questions ahead of time. If you want to submit some […]
Brian Krebs has an interesting article on “Java: A Gift to Exploit Pack Makers.” What makes it interesting is that since information security professionals share data so well, Brian was able to go to the top IDS makers and get practical advice on what really works to secure a system. Sorry, dreaming there for a […]
HEY! SIRA Meeting on Thursday – click here for a calendar invite/reminder thingy/.ics file -> http://bit.ly/b5RKl9 In long format: Topic: SIRA RISK OCT – SANS! Date: Thursday, October 14, 2010 Time: 10:30 am, Eastern Daylight Time (New York, GMT-04:00) Meeting Number: 745 433 825 Meeting Password: sira ——————————————————- To join the online meeting (Now from […]
PHIPrivacy asks “do the HHS breach reports offer any surprises?” It’s now been a full year since the new breach reporting requirements went into effect for HIPAA-covered entities. Although I’ve regularly updated this blog with new incidents revealed on HHS’s web site, it might be useful to look at some statistics for the first year’s […]
[via PunditKitchen]
Yesterday, AT&T announced an Encrypted Mobile Voice. As CNet summarizes: AT&T is using One Vault Voice to provide users with an application to control their security. The app integrates into a device’s address book and “standard operation” to give users the option to encrypt any call. AT&T said that when encryption is used, the call […]
Apparently, the Iranian Government has sentenced Hossein “Hoder” Derakhshan to 19.5 years in jail for “collaborating with enemy states, creating propaganda against the Islamic regime, insulting religious sanctity, and creating propaganda for anti-revolutionary groups.” If you think putting bloggers or journalists in jail is wrong, please, please take a moment to sign the petition to […]
Via the Miami Herald: An underwire bra stopped a Miami attorney from seeing her client held at the Miami Federal Detention Center, setting off controversy over the inmate facility’s dress code. The issue here isn’t so much the dress code (though it is problematic) but inconsistent enforcement of previously agreed upon rules. It’s hard to […]
NASA claims that: At least four distinct plumes of water ice spew out from the south polar region of Saturn’s moon Enceladus in this dramatically illuminated image. Light reflected off Saturn is illuminating the surface of the moon while the sun, almost directly behind Enceladus, is backlighting the plumes. See Bursting at the Seams to […]
Over at the Office of Inadequate Security, Dissent does excellent work digging into several perspectives on Discover Card breaches: Discover’s reports, and the (apparent) silence of breached entities. I’m concerned that for many of the breaches they report, we have never seen breach reports filed by the entities themselves nor media reports on the incidents. […]
There seems to be no notification that these files are publicly available and no web page listing all the submissions. Therefore, unless you know they are there, you won’t find them. But you can find them all through Google using this search string “NOI site:http://www.nist.gov/itl/upload/”
In the past, I’ve been opposed to calling impersonation frauds “identity theft.” I’ve wondered why the term impersonation isn’t good enough. As anyone who’s read the ID Theft Resource Center’s ‘ID Theft Aftermath’ reports (2009 report) knows, a lot of the problem with long-term impersonation problems is the psychological impact of disassociation from your […]
The New York Times has a story, “Fatal Crashes of Airplanes Decline 65% Over 10 Years:” …part of the explanation certainly lies in the payoff from sustained efforts by American and many foreign airlines to identify and eliminate small problems that are common precursors to accidents. If only we did the same for security. This […]
James Reason’s entire career was full of mistakes. Most of them were other people’s. And while we all feel that way, in his case, it was really true. As a professor of psychology, he made a career of studying human errors and how to prevent them. He has a list of awards that’s a full […]
In 6502 visual simulator, Bunnie Huang writes: It makes my head spin to think that the CPU from the first real computer I used, the Apple II, is now simulateable at the mask level as a browser plug-in. Nothing to install, and it’s Open-licensed. How far we have come…a little more than a decade ago, […]
Hear it at “Adam Shostack on User-Centric Privacy and the Need for Smarter Regulation.”
@pogowasright pointed to “HOW many patient privacy breaches per month?:” As regular readers know, I tend to avoid blogging about commercial products and am leery about reporting results from studies that might be self-serving, but a new paper from FairWarning has some data that I think are worth mentioning here. In their report, they provide […]
NPR is talking about fraudulent ID cards and people voting multiple times. What happened to the purple ink solution? How did we end up exporting bad thinking about security to Afghanistan?
The Securosis 2010 Data Security Survey results are out! http://bit.ly/aR4MuY Go, go and be NewSchool! Seriously, don’t spend any more time here, click the link!
A little ways back, Gunnar Peterson said “passwords are like hamburgers, taste great but kill us in long run wean off password now or colonoscopy later.” I responded: “Use crypto. Not too confusing. Mostly asymmetric.” I’d like to expand on that a little. Not quite so much as Michael Pollan, but a little. The first […]
Some guy recently posted a strangely self-defeating link/troll/flame in an attempt to (I think) argue with Alex and/or myself regarding the relevance or lack thereof of ISACA’s CRISC certification. Now given that I think he might have been doing it to drive traffic to his CRISC training site, I won’t show him any link love […]
@GeorgeResse pointed out this article http://www.infoworld.com/d/cloud-computing/five-facts-every-cloud-computing-pro-should-know-174 from @DavidLinthicum today. And from a Cloud advocate point of view I like four of the assertions. But his point about Cloud Security is off: “While many are pushing back on cloud computing due to security concerns, cloud computing is, in fact, as safe as or better than most […]
Richard Bejtlich has a post responding to an InformationWeek article written by Michael Healey, ostensibly about end user security. Richard upbraids Michael for writing the following: Too many IT teams think of security as their trump card to stop any discussion of emerging tech deemed too risky… Are we really less secure than we were […]
CSO Online has an article based on an unlinked Forrester study that claims: The survey of 2,803 IT decision-makers worldwide found improving business continuity and disaster recovery capabilities is the number one priority for small and medium businesses and the second highest priority for enterprises. (emphasis mine). The WTF Pie Chart Says:
You never cease to amaze me with your specialness. You’ve defined a way to send MMS on a network you own, with message content you control, and there’s no way to see the full message: In particular, I can’t see the password that I need to see the message.
Hey everyone! Pete Lindstrom will be giving us his “Risk 2.0” presentation tomorrow via webex at 10:30 EST. I’ve seen the deck, and it will be a great preso. Topic: Risk Analysis Date: Thursday, September 9, 2010 Time: 10:30 am, Eastern Daylight Time (New York, GMT-04:00) Meeting Number: 748 861 569 Meeting Password: risk?whatrisk? […]
The UK’s Financial Services Authority has imposed a £2.28 million fine for losing a disk containing the information about 46,000 customers. (Who was fined is besides the point here.) I agree heartily with John Dunn’s “Data breach fines will not stop the rot,” but I’d like to go further: Data breach fines will prolong the […]
Gideon Rasmussen, CISSP, CISA, CISM, CIPP, writes in his latest blog post (http://www.gideonrasmussen.com/article-22.html) about the BP Oil spill and operational risk, and the damages the spill is causing BP. Ignoring the hindsight bias of the article here… “This oil spill is a classic example of a black swan (events with the potential for severe impact […]
Well, following on Arthur’s post on baking bread, I wanted to follow up with “how to bake corn:” Please go read “Baked Buttered Corn” A way to bring some happiness to the end of summer is to take this corn and simply bake it with butter. It’s fabulous. The starchy corn juices create a virtual […]
A few folks have asked, so here’s my general bread recipe in bakers percentages. In bakers percentages everything is based on a ratio compared to the weight of the flour. The formula for my bread is: 100% Whole wheat flour (I’m a geek, I grind my own) 72% Water (or whey) 2% Salt 1% Yeast […]
As I was reading the (very enjoyable) “To Engineer is Human,” I was struck by this quote, in which Petroski first quotes Victorian-era engineer Robert Stephenson, and then comments: …he hoped that all the casualties and accidents, which had occurred during their progress, would be noticed in revising the Paper; for nothing was so instructive […]
Nature reports that Quantum Cryptography has been completely broken in “Hackers blind quantum cryptographers.” Researcher Vadim Makarov of the Norwegian University of Science and Technology constructed an attack on a quantum cryptography system that “gave 100% knowledge of the key, with zero disturbance to the system,” as Makarov put it. There have been other attacks […]
“I was actually woken up with a flashlight in my face,” recalled Mike Santomauro, 27, a law student who encountered the [Border Patrol] in April, at 2 a.m. on a train in Rochester. Across the aisle, he said, six agents grilled a student with a computer who had only an electronic version of his immigration […]
The folks running the Open Security Foundation’s DataLossDB are asking for some fully tax-deductible help meeting expenses. I’ve blogged repeatedly about the value of this work, and hope that interested EC readers can assist in supporting it. With new FOIA-able sources of information becoming available, now seems to be a great time to help out.
India’s EVMs are Vulnerable to Fraud. And for pointing that out, Hari Prasad has been arrested by the police in India, who wanted to threaten and intimidate him question him about where he got the machine that he studied. That’s a shame. The correct response is to fund Hari Prasad’s work, not use the police […]
Friday night an arrest warrant went out, and was then rescinded, for Wikileaks founder Julian Assange. He commented “We were warned to expect “dirty tricks”. Now we have the first one.” Even the New York Times was forced to call it “strange.” I think that was the wrong warning. Wikileaks is poking at a very […]
These came across the SIRA mailing list. They were so good, I had to share: https://eight2late.wordpress.com/2009/07/01/cox%E2%80%99s-risk-matrix-theorem-and-its-implications-for-project-risk-management/ http://eight2late.wordpress.com/2009/12/18/visualising-content-and-context-using-issue-maps-an-example-based-on-a-discussion-of-coxs-risk-matrix-theorem/ http://eight2late.wordpress.com/2009/10/06/on-the-limitations-of-scoring-methods-for-risk-analysis/ Thanks to Kevin Riggins for finding them and pointing them out.
There’s been a lot of discussion about the paper written by mathematician Vinay Deolalikar on this interesting problem. The P!=NP problem is so interesting that there’s a million-dollar prize for solving it. It might even be interesting because there’s a million-dollar prize for solving it. It might also have some applicability to computer science and […]
From Dan Froomkin, “FBI Lab’s Forensic Testing Backlog Traced To Controversial DNA Database,” we see this example of the mis-direction of key funds: The pressure to feed results into a controversial, expansive DNA database has bogged down the FBI’s DNA lab so badly that there is now a two-year-and-growing backlog for forensic DNA testing needed […]
(San Diego, CA) Since the 1980’s, children in the US have been issued Social Security numbers (SSN) at birth. However, by law, they cannot be offered credit until they reach the age of 18. A child’s SSN is therefore dormant for credit purposes for 18 years. Opportunists have found novel ways to abuse these “dormant” […]
So if you don’t follow the folks over at OKCupid, you are missing out on some hot data. In case you’re not aware of it, OKCupid is: the best dating site on earth. Compiling our observations and statistics from the hundreds of millions of user interactions we’ve logged, we use this outlet to explore the […]
I used to use “Galerie” on my Mac to put nice pretty frames around pictures I posted here. (See some examples.) Galerie was dependent on … blah, blah, won’t work anymore without some components no longer installed by default. So I’m looking for a replacement that will, with little effort, put pictures in a nice […]
If you don’t have time to develop a data-driven, business focused security strategy, we sympathize. It’s a lot of hard work. So here to help you is “What the fuck is my information security ‘strategy?’ “: Thanks, N!
Prompted by Peter Gutmann: [0] I’ve never understood why this is a comedy of errors, it seems more like a tragedy of errors to me. Jon Callas of PGP fame wrote the following for the cryptography mail list, which I’m posting in full with his permission: That is because a tragedy involves someone dying. Strictly […]
It’s not just a 3d pie chart with lighting effects and reflection. Those are common. This one has been squished. It’s wider than it is tall. While I’m looking closely, isn’t “input validation” a superset of “buffer errors” “code injection” and “command injection?” You can get the “Application Security Trends report for Q1-Q2 2010” from […]
In “Feds Save Thousands of Body Scan Images,” EPIC reports: In an open government lawsuit against the United States Marshals Service, EPIC has obtained more than one hundred images of undressed individuals entering federal courthouses. The images, which are routinely captured by the federal agency, prove that body scanning devices store and record images of […]
Last we learned, Peter Coffee was Director of Platform Research for salesforce.com. He also blogs on their corporate weblog, CloudBlog, a blog that promises “Insights on the Future of Cloud Computing”. He has a post up from last week called “Private Clouds, Flat Earths, and Unicorns” within which he tries to “bust some myths” […]
Interesting interactive data app from the Wall Street Journal about your privacy online and what various websites track/know about you. http://blogs.wsj.com/wtk/ Full disclosure, our site uses Mint for traffic analytics.
My talk at Black Hat this year was “Elevation of Privilege, the Easy Way to Get Started Threat Modeling.” I covered the game, why it works and where games work. The link will take you to the PPTX deck.
Frank Pasquale follows a Joe Nocera article on credit scores with a great roundup of issues that the credit system imposes on American citizens, including arbitrariness, discriminatory effects and self-fulfilling prophecies. His article is worth a look even if you think you understand credit scores. I’d like to add one more danger of credit scores: […]
Breath mints Ricola Purell Advil Gatorade.
Cisco has their security report up – find it here. My favorite part? “The Artichoke of Attack”
Core Security’s Ariel Waissbein has been building security games for a while now. He was They were kind enough to send a copy of his their “Exploit” game after I released Elevation of Privilege. [Update: I had confused Ariel Futoransky and Ariel Waissbein, because Waissbein wrote the blog post. Sorry!] At Defcon, he and his […]
This week, the annual Symposium on Usable Privacy and Security (SOUPS) is being held on the Microsoft campus. I delivered a keynote, entitled “Engineers Are People Too:” In “Engineers Are People, Too” Adam Shostack will address an often invisible link in the chain between research on usable security and privacy and delivering that usability: the […]
Hey, just so you all know, SOIRA is having our lunch (or breakfast) Al-Desko Webex. This month we have the pleasure of watching Chris Hayes show how to use quantitative risk analysis for real, pragmatic business purposes. It’s going to be seriously useful. Join SOIRA here: http://groups.google.com/group/InfoRiskSociety?hl=en for the invite.
First, thanks to everyone who took the unscientific, perhaps poorly worded survey. I appreciate you taking time to help out. I especially appreciate the feedback from the person who took the time to write in: “Learn the proper definition of “Control Systems” as in, Distributed Control Systems or Industrial Control systems. These are the places […]
Over the last week, there’s been a set of entertaining stories around Blizzard’s World of Warcraft games and forums. First, “World of Warcraft maker to end anonymous forum logins,” in a bid to make the forums less vitriolic: Mr Brand said that one Blizzard employee posted his real name on the forums, saying that there […]
Hi, I’m very interested right now in finding the quality of risk analysis as it relates to operational security. If you’re a risk analyst, a security executive, or operational security analyst, would you mind taking a one question survey? It’s on SurveyMonkey, here: http://www.surveymonkey.com/s/GCSXZ2Q
Back when I commented on David Cameron apologizing for Bloody Sunday, someone said “It’s important to remember that it’s much easier to make magnanimous apologise about the behaviour of government agents when none of those responsible are still in their jobs.” Which was fine, but now Mr. Cameron is setting up an investigation into torture […]
adapted from the t-shirt seen in the Anton Corbijn work here. With all apologies to both Paul Morley and Katharine Hamnett. And that’s about all I have to say on the subject.
In looking at Frank Pasquale’s very interesting blog post “Secrecy & the Spill,” a phrase jumped out at me: I have tried to give the Obama Administration the benefit of the doubt during the Gulf/BP oil disaster. There was a “grand ole party” at Interior for at least eight years. Many Republicans in Congress would […]
This GAO Report is a good overall summary of the state of Federal cyber security R&D and why it’s not getting more traction. Their recommendations (p22) aren’t earth-shaking: “…we are recommending that the Director of the Office of Science and Technology Policy, in conjunction with the national Cybersecurity Coordinator, direct the Subcommittee on Networking and […]
In CONGRESS, July 4, 1776 The unanimous Declaration of the thirteen united States of America, When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which […]
In comments to my “Why I Don’t Like CRISC” article, Oliver writes: CobIT allows one to segregate what is called IT into analysable parts. Different Risk models apply to those parts, e.g. Information Security, Architecture, Project management. In certain areas the risk models are more mature (Infosec / Project Management) and in certain they are not […]
[The ACLU has a new] report, Policing Free Speech: Police Surveillance and Obstruction of First Amendment-Protected Activity (.pdf), surveys news accounts and studies of questionable snooping and arrests in 33 states and the District of Columbia over the past decade. The survey provides an outline of, and links to, dozens of examples of Cold War-era […]
When opining on security in “the cloud” we, as an industry, speak very much in terms of real and imagined threat actions. And that’s a good thing: trying to anticipate security issues is a natural, prudent task. In Lori McVittie’s blog article, “Risk is not a Synonym for “Lack of Security”, she brings up an […]
It’s hard not to be impressed by an ad like this.
Just to pile on a bit…. You ever hear someone say something, and all of the sudden you realize that you’ve been trying to say exactly that, in exactly that manner, but hadn’t been so succinct or elegant at it? That someone much smarter than you had already thought about the subject a whole lot […]
Alex’s posts on Posts on CRISC are, according to Google, is more authoritative than the CRISC site itself: Not that it matters. CRISC is proving itself irrelevant by failing to make anyone care. By way of comparison, I googled a few other certifications for the audit and security world, then threw in the Certified Public […]
PREFACE: You might interpret this blog post as being negative about risk management here, dear readers. Don’t. This isn’t a diatribe against IRM, only why “certification” around information risk is a really, really silly idea. Apparently, my blog about why I don’t like the idea of CRISC has long-term stickiness. Just today, Philip writes in […]
So the news is all over the web about Apple changing their privacy policy. For example, Consumerist says “Apple Knows Where Your Phone Is And Is Telling People:” Apple updated its privacy policy today, with an important, and dare we say creepy new paragraph about location information. If you agree to the changes, (which you […]
Lurene Grenier has a post up on the Google/Microsoft vulnerability disclosure topic. I commented on the SourceFire blog (couldn’t get the reminder from Zdnet about my password, and frankly I’m kind of surprised I already had an account – so I didn’t post there), but thought it was worth discussing my comments here a bit […]
Using a dish full of marshmallows. We’re doing this with my oldest kids, and while I was reading up on it, I had to laugh out loud at the following: …now you have what you need to measure the speed of light. You just need to know a very fundamental equation of physics: Speed of […]
Alex Hutton has an excellent post on his work blog: Jim Tiller of British Telecom has published a blog post called “Risk Appetite, Counting Security Calories Won’t Help”. I’d like to discuss Jim’s blog post because I think it shows a difference in perspectives between our organizations. I’d also like to counter a few of […]
Perry Metzger recently drew this to my attention: The title of my talk is, “You and Your Research.” It is not about managing research, it is about how you individually do your research. I could give a talk on the other subject – but it’s not, it’s about you. I’m not talking about ordinary run-of-the-mill […]
In “Jon Stewart on Obama’s executive power record” Glenn Greenwald writes: When ACLU Executive Director Anthony Romero last week addressed the progressive conference America’s Future Now, he began by saying: “I’m going to start provocatively . . . I’m disgusted with this president.” Last night, after Obama’s Oval Office speech, Jon Stewart began his show […]
Well, Amazon has a new update for Kindle (with folders! OMG!), and I’m planning to apply it. However, last time I installed an update, I noticed that it lost the “wireless off” setting, and was apparently contacting Amazon. I don’t want it to do so, and leave wireless off. It’s safer that way, whatever promises […]
Ireland has proposed a new Data Breach Code of Practice, and Brian Honan provides useful analysis: The proposed code strives to reach a balance whereby organisations that have taken appropriate measures to protect sensitive data, e.g. encryption etc., need not notify anybody about the breach, nor if the breach affects non-sensitive personal data or small […]
I like this one a lot. Go vote for your favorite at BP Logo Redesign contest.
This is cool: The Bill & Melinda Gates Foundation is using its financial clout to push the Haitian marketplace toward change by offering $10 million in prizes to the first companies to help Haitians send and receive money with their cell phones… The fund will offer cash awards to companies that initiate mobile financial services […]
http://raffy.ch/blog/2010/06/07/maturity-scale-for-log-management-and-analysis/ Raffael Marty’s great post on how to measure the maturity level for your log management program. Excellent as always.
Ada’s Technical Books is Seattle’s only technical book store located in the Capitol Hill neighborhood of Seattle, Washington. Ada’s specifically carries new, used, & rare books on Computers, Electronics, Physics, Math, and Science as well as hand-picked inspirational and leisure reading, puzzles, brain teasers, and gadgets geared toward the technically minded customer. From the store’s […]
Andrew and I want to say thank you to Dave Marsh. His review of our book includes this: I’d have to say that the first few pages of this book had more of an impact on me than the sum of all the pages of any other security-related book I had ever read It’s really […]
There’s been a lot of pushback against using Risk Management in Information Security because we don’t have enough information to make a good decision. Yet every security professional makes decisions despite a lack of information. If we didn’t we’d never get anything done. Hell we’d never get out of bed in the morning. There’s a […]
Some worthwhile reads on Facebook and privacy: Facebook’s Privacy Reboot: Is That all You’ve Got for Us? “The devil is in the defaults” Entire Facebook Staff Laughs As Man Tightens Privacy Settings
For your consideration, two articles in today’s New York Times. First, “How to Remind a Parent of the Baby in the Car?:” INFANTS or young children left inside a vehicle can die of hyperthermia in a few hours, even when the temperature outside is not especially hot. It is a tragedy that kills about 30 […]
Friend of the blog and TV’s own <grin> Chris Nickerson has firmed up B-Sides for Las Vegas and is looking for a few good people to submit a few good presos. I spoke last year with David Mortman and it was awesome. Chris put on some real good event/space for us all. I encourage you […]
I was talking with (the now nationally famous) Rich Mogull at Secure360 last week in St. Paul (fabulous security gathering, btw, I highly recommend it), and he reiterated his position that we had too much “echo chamber” and not enough engagement with everyone – especially our peers who are down in the trenches and too […]
Today will be remembered along with the landing on the moon and the creation of the internet: Researchers at the J. Craig Venter Institute (JCVI), a not-for-profit genomic research organization, published results today describing the successful construction of the first self-replicating, synthetic bacterial cell. The team synthesized the 1.08 million base pair chromosome of a […]
Waitress Is Fired for Her Complaint on Facebook: Lesson Learned for Employers? From [German Consumer Protection] Minister Aigner to Mark Zuckerberg: the importance of privacy Farewell, Facebook “Why one super-connected internet enthusiast decided it was time to pull the plug” 5 WTFs: I quit Facebook Today Quit Facebook Day versus 10 Reasons You’ll Never Quit […]
The last week and a bit has been bad to Facebook. It’s hard to recall what it was that triggered the avalanche of stories. Maybe it was the flower diagram we mentioned. Maybe it was the New York Times interactive graphic of just how complex it is to set privacy settings on Facebook: Maybe it […]
In “The Quest for French Fry Supremacy 2: Blanching Armageddon,” Dave Arnold of the French Culinary Institute writes: Blanching fries does a lot for you – such as: killing the enzymes that make the potatoes turn purpley-brown. Blanching is always necessary if the potatoes will be air-dried before frying. gelatinizing the starch. During frying, pre-cooked […]
[Update: See Barry’s comments, I seem to misunderstand the proposal.] The New York Times headlines “ Britain’s New Leaders Aim to Set Parliament Term at 5 Years.” Unlike the US, where we have an executive branch of government, the UK’s executive is the Prime Minister, selected by and from Parliament. As I understand things, the […]
I’m doing some work that involves seeing what people are saying about the state of malware in 2010, and while search terms like “malware report” get a lot of results, they don’t always help me find things like the Symantec ISTR, the McAfee threats report or the Microsoft SIR. To date, I’ve found reports from Cisco, […]
As EC readers may know, I’ve been sort of a collector of breach notices, and an enthusiastic supporter of the Open Security Foundation’s DataLossDB project. Recently, I had an opportunity to further support DataLossDB, by making an additional contribution to their Primary Sources archive – a resource I find particularly valuable. Unfortunately, that contribution was […]
If you haven’t seen the graphic at http://mattmckeon.com/facebook-privacy/ of how Facebook’s default privacy settings have evolved, it’s worth a look:
If you are developing or using security metrics, it’s inevitable that you’ll have to deal with the dimension of time. “Data” tells you about the past. “Security” is a judgement about the present. “Risk” is a cost of the future, brought to the present. The way to marry these three is through social learning processes.
We show that malicious TeX, BibTeX, and METAPOST files can lead to arbitrary code execution, viral infection, denial of service, and data exfiltration, through the file I/O capabilities exposed by TeX’s Turing-complete macro language. This calls into doubt the conventional wisdom view that text-only data formats that do not access the network are likely safe. […]
Let me tell you how it will be There’s one for you, nineteen for me Chorus: If privacy appear too small Be grateful I don’t take it all Thanks to Jim Harper for the link.
This event will be the first discussion of these Federal cybersecurity R&D objectives and will provide insights into the priorities that are shaping the direction of Federal research activities. One of the three themes is “Cyber economic incentives — foundations for cyber security markets, to establish meaningful metrics, and to promote economically sound secure practices.”
Back in October, I endorsed Pete Holmes for Seattle City Attorney, because of slimy conduct by his opponent. It turns out that his opponent was not the only one mis-conducting themselves. The Seattle PD hid evidence from him, and then claimed it was destroyed. They have since changed their story to (apparent) lies about “computer […]
I really love these redesigns of the US Dollar: There’s a contest, and I like these designs by Michael Tyznik the most. On a graphical level, they look like money. He’s integrated micro-printing, aligned printing (that $5 in the upper left corner, it’s really hard to print so it works when you look at light) […]
I will be entering the PhD program in Computational Social Science (with certificates in InfoSec and Economic Systems Design) at George Mason University, Fairfax VA, starting in the Fall of 2010.
There’s a notion that government can ‘nudge’ people to do the right thing. Big examples include letting people opt-out of organ donorship, rather than opting in (rates of organ donorship go from 10-20% to 80-90%, which is pretty clearly a better thing than putting those organs in the ground or crematoria). Another classic example was […]
This is the first image ever taken of Earth from the surface of a planet beyond the Moon. It was taken by the Mars Exploration Rover Spirit one hour before sunrise on the 63rd Martian day, or sol, of its mission. (March 8, 2004) Credit: NASA Goddard’s flickr stream.
There have been a spate of articles lately with titles like “The First Steps to a Career in Information Security” and “How young upstarts can get their big security break in 6 steps.” Now, neither Bill Brenner nor Marisa Fagan are dumb, but both of their articles miss the very first step. And it’s important […]
Thomas Ricks wrote a blog on Foreign Policy titled “Another reason to support Obamacare.” In it, he cited a Stars & Stripes report that one out of five veterans under the age of 24 is out of work. However, Stars and Stripes compares total unemployment to 18-24 male vet unemployment. It took me less than […]
According to new research at Duke University, identifying an easy-to-spot prohibited item such as a water bottle may hinder the discovery of other, harder-to-spot items in the same scan. Missing items in a complex visual search is not a new idea: in the medical field, it has been known since the 1960s that radiologists tend […]
…a Bad Homburg business man won millions in damages in a suit against the [Liechtenstein] bank for failing to reveal that his information was stolen along with hundreds of other account holders and sold to German authorities for a criminal investigation. He argued that if the bank had informed those on the list that their […]
Dominic Deville stalks young victims for a week, sending chilling texts, making prank phone calls and setting traps in letterboxes. He posts notes warning children they are being watched, telling them they will be attacked. But Deville is not an escaped lunatic or some demonic monster. He is a birthday treat, hired by mum and […]
I could pretend to tie this to information security, talking about risk and information sharing, but really, it’s just beautiful to watch these folks learn to play:
In the “things you don’t want said of your work” department, Ars Technica finds these gems in a GAO report: This estimate was contained in a 2002 FBI press release, but FBI officials told us that it has no record of source data or methodology for generating the estimate and that it cannot be corroborated…when […]
The New York Times reports that “As a Hiring Filter, Credit Checks Draw Questions:” In defending employers’ use of credit checks as part of the hiring process, Eric Rosenberg of the TransUnion credit bureau paints a sobering picture. […] Screening the backgrounds of employees “is critical to protect the safety of Connecticut residents in their […]
JC Penney, Wet Seal: Gonzalez Mystery Merchants JCPenney and Wet Seal were both officially added to the list of retail victims of Albert Gonzalez on Friday (March 26) when U.S. District Court Judge Douglas P. Woodlock refused to continue their cloak of secrecy and removed the seal from their names. StorefrontBacktalk had reported last August […]
Please check back, we may have sarcasm available in the future. Emergent Chaos apologizes for any inconvenience.
I’ve seen some cool Walmart visualizations before, and this one at FlowingData is no exception. The one thing I wondered about as I watched was if it captured store closings–despite the seemingly inevitable march in the visualization, there have been more than a few.
Things are busy and chaotic, but while I’m unable to blog, here’s some audio and video I’ve done recently that you might enjoy: “Meeting of the Minds” with Andy Jaquith and myself in either text or audio. Face-Off with Hugh Thompson “Has social networking changed data privacy forever?” Video
One of the reasons I like climate studies is because the world of the climate scientist is not dissimilar to ours. Their data is fraught with uncertainty, it has gaps, and it might be kind of important (regardless of your stance on anthropogenic global warming, I think we can all agree that when the climate […]
Adam Harvey is investigating responses to the growing ubiquity of surveillance cameras with facial recognition capabilities. He writes: My thesis at ITP, is to research and develop privacy enhancing counter technology. The aim of my thesis is not to aid criminals, but since artists sometimes look like criminals and vice versa, it is important to […]
For you football fans, from Advanced NFL Stats we get the equation for Surplus Coach Value! That couldn’t be more brilliant if it tried.
This just came past my inbox: The National Research Council (NRC) is undertaking a project entitled “Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy.” The project is aimed at fostering a broad, multidisciplinary examination of strategies for deterring cyberattacks on the United States and the possible utility of these strategies for the U.S. […]
Since it seems like I spent all of last week pronouncing that ZOMG! SSL and Certificate Authorities is Teh Doomed!, I guess that this week I should consider the alternatives. Fortunately, from the Tor Project Blog, we learn what life is like without CAs: Browse to a secure website, like https://torproject.org/. You should get the intentionally […]
The European Digital Rights Initiative mentions that “Bits of Freedom starts campaign for data breach notification law:” A data breach notification obligation on telecom providers is already to be implemented on the basis of the ePrivacy Directive, but Bits of Freedom insisted that this obligation should be extended also to other corporations and organisations. It […]
…so important that we didn’t even proofread our rivacy policy. I’m hopeful that they apply more due care to how they administer their policy, but fear it’s like a dirty restaurant bathroom. If they don’t bother to take care of what the public sees, what are they doing in the kitchen? From “Commercial Terms of […]
I haven’t read the paper yet, but Schneier has a post up which points to a paper, “Side-Channel Leaks in Web Applications: a Reality Today, a Challenge Tomorrow,” by Shuo Chen, Rui Wang, XiaoFeng Wang, and Kehuan Zhang, about a new side-channel attack which allows an eavesdropper to infer information about the contents of an SSL […]
There’s a bunch of folks out there who are advocating for publishing all SSNs, and so wanted to point out (courtesy of Michael Froomkin’s new article on Government Data Breaches ) that it would be illegal to do so. 42 USC § 405(c)(2)(C)(viii) reads: (viii)(I) Social security account numbers and related records that are obtained […]
Where there’s smoke, there’s fire, goes the adage. And in the case of an allegedly-theoretical exploit outlined in a new paper by Chris Soghoian and Sid Stamm (the compelled certificate creation attack), the presence of a product whose only use is to exploit it probably indicates that there’s more going on than one would like […]
The Guardian has reported the first official incident of misuse of full-body scanner information: The police have issued a warning for harassment against an airport worker after he allegedly took a photo of a female colleague as she went through a full-body scanner at Heathrow airport. The incident, which occurred at terminal 5 on 10 […]
Today is Ada Lovelace Day, an international day of blogging to celebrate the achievements of women in technology and science. For Lady Ada Day, Andrew and I want to thank Jessica Goldstein, our editor at Addison Wesley. Without her encouragement, feedback and championing, we never would have published the New School. The first proposal we […]
The sweet interactive version is here: http://www.weforum.org/documents/riskbrowser2010/risks/# Beyond the cool visualization, I’m really interested in the likelihood/impact of data fraud/data loss over on the left there…
Today is Ada Lovelace Day, an international day of blogging to celebrate the achievements of women in technology and science. For Lady Ada Day, I wanted to call out the inspiring work of Aleecia McDonald. In a privacy world full of platonic talk of the value of notice and consent, Aleecia did something very simple: […]
Over in the Securosis blog, Rich Mogull wrote a post “There is No Market for Security Innovation.” Rich is right that there’s currently no market, but that doesn’t mean there’s no demand. I think there are a couple of inhibitors to the market, but the key one is that transaction costs are kept high by […]
In “White House Cyber Czar: ‘There Is No Cyberwar’,” Ryan Singel writes: As for his priorities, Schmidt says education, information sharing and better defense systems rank high. That includes efforts to train more security professionals and have the government share more information with the private sector — including the NSA’s defensive side. “One thing we […]
Passage of this bill is too big for my little brain, and therefore I’ll share some small comments. I’m going to leave out the many anecdotes which orient me around stupid red tape conflicts in the US, how much better my health care was in Canada (and how some Canadian friends flew to the US […]
A bit over a week ago, it came out that “Pennsylvania fires CISO over RSA talk.” Yesterday Jaikumar Vijayan continued his coverage with an interview, “Fired CISO says his comments never put Penn.’s data at risk.” Now, before I get into the lessons here, I want to point out that Maley is the sort of […]
A burglar who spent about five hours on a store’s computer after breaking into the business gave police all the clues they needed to track him down. Investigators said the 17-year-old logged into his MySpace account while at Bella Office Furniture and that made it easy for them to find him. He also spent time […]
Pretty much how my last NCUA 748 pre-audit went.
Some time back, a friend of mine said “Alex, I like the concept of Risk Management, but it’s a little like the United Nations – Good in concept, horrible in execution”. Recently, a couple of folks have been talking about how security should just be a “diligence” function, that is, we should just prove that […]
I know that reading the new 376 page US “National Broadband Plan” is high on all your priority lists, but section 14 actually has some interestingly New School bits. In particular: Recommendation 14.9: The Executive Branch, in collaboration with relevant regulatory authorities, should develop machine-readable repositories of actionable real-time information concerning cybersecurity threats in a […]
Industry ‘experts’ misfired when they criticized Microsoft’s Scott Charney’s “Internet Security Tax” idea. Q: How many of these ‘experts’ know anything about information economics and public policy responses to negative externalities? A: Zero. Thus, they aren’t really qualified to comment. This is just one small case in the ongoing public policy discussions regarding economics of information security, but given the reaction of the ‘experts’, this was a step backward.
Schneier points me to lightbluetouchpaper, who note a paper analyzing the potential strength of name-based account security questions, even ignoring research-based attacks, and the findings are good: Analysing our data for security, though, shows that essentially all human-generated names provide poor resistance to guessing. For an attacker looking to make three guesses per personal knowledge […]
In “Social networking: Your key to easy credit?,” Eric Sandberg writes: In their quest to identify creditworthy customers, some are tapping into the information you and your friends reveal in the virtual stratosphere. Before calling the privacy police, though, understand how it’s really being used. … To be clear, creditors aren’t accessing the credit reports […]
Dennis Fisher wrote “Why Bob Maley’s Firing is Bad for All of Us:” The news that Pennsylvania CISO Bob Maley lost his job for publicly discussing a security incident at last week’s RSA Conference really shouldn’t come as a surprise, but it does. Even for a government agency, this kind of lack of understanding of […]
In the eight months that I was the head of security under the Andolino administration, the commissioner of the busiest airport of the world, depending on who’s taking the survey, the busiest airport in the world, never once had a meeting with the head of security for the busiest airport in the world. Never once. […]
A Gartner blog post points out the lack of data reported by vendors or customers regarding the false positive rates for anti-spam solutions. This is part of a general problem in the security industry that is a major obstacle to rational analysis of effectiveness, cost-effectiveness, risk, and the rest.
Previously, Russell wrote “Everybody complains about lack of information security research, but nobody does anything about it.” In that post, he argues for a model where Ideally, this program should be “idea capitalists”, knowing some people and ideas won’t payoff but others will be huge winners. One thing for sure — we shouldn’t focus this […]
In addition, while traditional bank robbers are limited to the amount of money they can physically carry from the scene of the crime, cyber thieves have a seemingly limitless supply of accomplices to help them haul the loot, by hiring so-called money mules to carry the cash for them. I can’t help but notice one […]
There has been a disconnect between the primary research sectors, and a lack of appropriate funding in each is leading to decreased technological progress, exposing a huge gap in security that is happily being exploited by cybercriminals. No one seems to be able to mobilize any significant research into breakthrough cyber security solutions. It’s been very frustrating to see so much talk and so little action. This post proposes one possible solution: Information Security Pioneers Fellowship Program (ISPFP), similar to Gene Spafford’s proposal for an Information Security and Privacy Extended Grant (ISPEG) for academic researchers.
David Bratzer is a police officer in Victoria, British Columbia. He’s a member of “Law Enforcement Against Prohibition,” and was going to address a conference this week. There’s a news video at “VicPD Officer Ordered to Stay Quiet.” In an article in the Huffington Post, “The Muzzling of a Cop” former Seattle Police Chief Norm […]
Via a tweet from @WeldPond, I was led to a Daily Mail article which discusses allegations that Facebook founder Mark Zuckerberg “hacked into the accounts of [Harvard] Crimson staff”. Now, I have no idea what happened or didn’t, and I will never have a FB account thanks to my concerns about their approach to privacy, […]
In my work blog: “Announcing Elevation of Privilege: The Threat Modeling Game.” After RSA, I’ll have more to say about how it came about, how it helps you and how very new school it is. But if you’re here, you should come get a deck at the Microsoft booth (1500 row).
In my work blog: “Announcing Elevation of Privilege: The Threat Modeling Game.” After RSA, I’ll have more to say about how it came about, how it helps you and how it helps more chaos emerge. But if you’re here, you should come get a deck at the Microsoft booth (1500 row).
I’ll be in the RSA bookstore today at noon, signing books. Please drop on by. PS: I’m now signing Kindles, too.
In “U-Prove Minimal Disclosure availability,” Kim Cameron says: This blog is about technology issues, problems, plans for the future, speculative possibilities, long term ideas – all things that should make any self-respecting product marketer with concrete goals and metrics run for the hills! But today, just for once, I’m going to pick up an actual […]
The New York Times has a short article by Markoff, “U.S. to Reveal Rules on Internet Security.” The article focuses first on declassification, and goes on to say: In his first public speaking engagement at the RSA Conference, which is scheduled to open Tuesday, Mr. Schmidt said he would focus on two themes: partnerships and […]
In “New rules for big data,” the Economist seems to advocate for more disclosure of security problems: The benefits of information security—protecting computer systems and networks—are inherently invisible: if threats have been averted, things work as normal. That means it often gets neglected. One way to deal with that is to disclose more information. A […]
Apparently, the government of Puerto Rico has stolen the identities of something between 1.7 and 4.1 million people: Native Puerto Ricans living outside the island territory are reacting with surprise and confusion after learning their birth certificates will become no good this summer. A law enacted by Puerto Rico in December mainly to combat identity […]
As something of a follow-up to my last post on Aviation Safety, I heard this story about Toyota’s now very public quality concerns on NPR while driving my not-Prius to work last week. Driving a Toyota may seem like a pretty risky idea these days. For weeks now, we’ve been hearing scary stories about sudden […]
That’s the key message of Ethan Zuckerman’s post “Internet Freedom: Beyond Circumvention.” I’ll repeat it: “We can’t circumvent our way around internet censorship.” It’s a long, complex post, and very much worth reading. It starts from the economics of running an ISP that can provide circumvention to all of China, goes to the side effects […]
In his ongoing role of “person who finds things that I will find interesting,” Adam recently sent me a link to a paper titled “THE HUMAN FACTORS ANALYSIS AND CLASSIFICATION SYSTEM–HFACS,” which discusses the role of people in aviation accidents. From the abstract: Human error has been implicated in 70 to 80% of all civil […]
In a comment, Wade says “I’ll be the contrarian here and take the position that using pie charts is not always bad.” And he’s right. Pie charts are not always bad. There are times when they’re ok. As Wade says “If you have 3-4 datapoints, a pie can effectively convey what one is intending to […]
http://www.symantec.com/content/en/us/about/presskits/SES_report_Feb2010.pdf Thanks to big yellow for not making us register! Oh, and Adam thanks you for not using pie charts…
Nasty psychiatrissstss! Hates them, my precious! They locks uss up in padded cell! They makes uss look at inkblotsss! Tricksy, sly inkblotsss! Nasty Elvish pills burnsss our throat! … Yesss We Hatesss themsss Evil oness yess my preciousss we hatess themsss But They Helpsss us! No they hurtsss usss, hurtsss usss sore! NCBI ROFL: Did […]
Or, Security and Privacy are Complimentary, Part MCVII: Later, I met one executive who told me that at the same time of my incident at another restaurant owned by the corporation, a server was using stolen credit card numbers by wearing a small camera on him. He would always check ID’s and would quickly flash […]
In Verizon’s post, “A Comparison of [Verizon’s] DBIR with UK breach report,” we see: Quick: which is larger, the grey slice on top, or the grey slice on the bottom? And ought grey be used for “sophisticated” or “moderate”? I’m confident that both organizations are focused on accurate reporting. I am optimistic that this small […]
The language of Facebook’s iPhone app is fascinating: If you enable this feature, all contacts from your device will be sent to Facebook…Please make sure your friends are comfortable with any use you make of their information. So first off, I don’t consent to you using that feature and providing my mobile phone number to […]
In December, Andy Jaquith and I had a fun conversation about info security with Bill Brenner listening in. The transcript is at “Meeting of the Minds,” and the audio is here.
The New School approach to information security promotes the idea that we can make better security decisions if we can measure the effectiveness of alternatives. Critics argue that so much of information security is unmeasurable, especially factors that shape risk, that quantitative approaches are futile. In my opinion, that is just a critique of our current methods […]
They say that Y equals m-x plus b (well, when you remove the uncertainty). So let me reveal a secret confession: You’re the solution to my least squares obsession. stolen from the applied statistics blog
Open Security Foundation – Advisory Board – Call for Nominations: The Open Security Foundation (OSF) is an internationally recognized 501(c)(3) non-profit public organization seeking senior leaders capable of providing broad-based perspective on information security, business management and fundraising to volunteer for an Advisory Board. The Advisory Board will provide insight and guidance when developing future […]
When this blog was new, I did a series of posts on “The Security Principles of Saltzer and Schroeder,” illustrated with scenes from Star Wars. When I migrated the blog, the archive page was re-ordered, and I’ve just taken a few minutes to clean that up. The easiest to read version is “Security Principles of […]
I don’t like the term “Best Practices.” Andrew and I railed against it in the book (pages 36-38). I’ve made comments like “torture is a best practice,” “New best practice: think” and Alex has asked “Are Security “Best Practices” Unethical?” But people keep using it. Worse, my co-workers are now using it just to watch […]
Twenty years ago today, Nelson Mandela was released from prison on Robben Island, where he was imprisoned for 27 years for considering violence after his rights to free speech and free association were revoked by the government. I learned a lot about the stories when I visited South Africa, and then more when my mom […]
There’s an elephant of a story over at the New York Times, “Musician Apologizes for Advertising Track That Upset the White Stripes.” It’s all about this guy who wrote a song that ended up sounding an awful lot like a song that this other guy had written. And how this other guy (that being Mr. […]
Last week, I spoke at the Open Group meeting here in Seattle, and then recorded a podcast with Dana Gardner, Jim Hietala and Vicente Aceituno about ISM3 Brings Greater Standardization to Security Measurement Across Enterprise IT (audio) or you can read the transcript. It was fun, and the podcast is short and to the point. […]
Water, water everywhere, and not a drop to drink.
As best as I can describe the characteristics of the threat agents that would fit the label of APT, that threat community is very, very real. It’s been around forever (someone mentioned first use of the term being 1993 or something) – we dealt with threat agents you would describe as “APT” at MicroSolved when […]
From Less Wrong: http://lesswrong.com/lw/1qk/applying_utility_functions_to_humans_considered/ I’m at The Open Group Security Forum this week in Seattle, speaking about risk and stuff. Adam gave a great talk about Security: From Art to Science. One recurring theme all week was the need to borrow from disciplines outside of Comp Sci and Engineering. When we think about the […]
In a private conversation, someone said “has anyone in company‘s IT staff been fired for letting people use that software?” I did some searching for “firing offenses” and I found a bunch of interesting random things. I’d like to quote one, “How can I fire a non-performer in today’s environment:” You may have some […]
Metrics seem to be yet another way in which Angry Bear noticed that the V-22 Osprey program has hidden from its failure to deliver on its promises: Generally, mission capability runs 20% higher than availability, but availability is hidden on new stuff, while shouted about on older stuff, because there would be severe embarrassment if you […]
We’re honored to be nominated for “Most Entertaining Security Blog” at this year’s “2010 Social Security Blogger Awards.” Now, in a fair fight, we have no hope against Hoff’s BJJ, Mike Rothman’s incitefulness, Jack Daniel’s cynicism, or Erin’s sociability. But, really, there’s no reason for this to be a fair fight. So we’re asking our […]
Ian Grigg seems to have kicked off a micro-trend with “The most magical question of all — why are so many bright people fooling themselves about the science in information security?.” Gunnar Peterson followed up with “Most Important Security Question: Cui Bono?” Both of these are really good questions, but I’m going to take issue […]
There is no better illustration of the institutional and social taboos surrounding data breach reporting and information security in general than the Google-Adobe-China affair. While the Big Thinkers at the World Economic Forum discussed every other idea under the sun, this one was taboo.
There’s a huge profusion of dating sites out there. From those focused on casual encounters to christian marriage, there’s a site for that. So from a product management and privacy perspectives I found this article very thought provoking: Bookioo does not give men any way to learn about or contact the female members of the […]
So last night the family and I sat down and watched a little TV together for the first time in ages. We happened to settle on the X-Games on ESPN, purely because they were showing a sport that I can only describe as Artistic Snowmobile Jumping. Basically, these guys get on snowmobiles, jump them in […]
On January 30th, 1649, Charles I was beheaded for treason. He refused to enter a defense, asserting that as monarch, he was the law, and no court could try him. That same defense is raised today by Milošević, Hussein and other tyrants. The story of how John Cooke built his arguments against that claim is […]
Privacy and security often complement each other in ways that are hard to notice. It’s much easier to present privacy and security as “in tension” or as a dependency. In this occasional series, we present ways in which they complement each other. In this issue, the Financial Times reports that “Hackers target friends of Google […]
Their judgment was based on wishful thinking rather than on sound calculation of probabilities; for the usual thing among men, is when they want something, they will, without any reflection, leave that to hope; which they will employ the full force of reasoning in rejecting what they find unpalatable. — Thucydides
You should go read The Lost Books of the Odyssey. You’ll be glad you did. I wrote this review in April of 2008, and failed to post it. Part of my reason is that I have little patience for, and less to say about most experimental fiction. I am in this somewhat like a luddite, […]
The EFF is doing some measurement of browser uniqueness and privacy. It takes ten seconds. Before you go, why not estimate what fraction of users have the same transmitted/discoverable browser settings as you, and then check your accuracy at https://panopticlick.eff.org. Or start at http://www.eff.org/deeplinks/2010/01/help-eff-research-web-browser-tracking for a bit more detail.
Thank you for all the feedback in email & comments. Testing a new font size, feedback is again invited and welcome.
Tried to embed, didn’t work. Here’s the link: http://www.brighttalk.com/webcasts/8093/attend
Hi, If you like risk, risk management, and metrics, I’ll be giving an online presentation you might want to see tomorrow at 2 EST: Gleaning Risk Management Data From Incidents http://www.brighttalk.com/webcasts/8093/attend
After more than 5 years, nearly 3,300 posts, and 6,300 comments on Movable Type, we’re migrating the blog to WordPress on a new host. Please let us know if I broke something. This is the new machine. Photo: Face the World with a Peaceful Mind, by Ting Hay.
The CBC Quirks and Quarks podcast on “The 10% Solar System Solution” is a really interesting 9 minutes with Scott Gaudi on how to find small planets far away: We have to rely on nature to give us the microlensing events. That means we can’t actually pick and choose which stars to look at, and […]
Apparently, corporations and unions can now spend unlimited funds on campaign advertisements. I’m hopeful that soon the Supreme Court will recognize that people are people too, and have the same free speech rights as corporations. Maybe, too, the Court will recognize that Congress may not limit the right of people to freely associate, and perhaps […]
A vivid image of Fear, Uncertainty, and Doubt (FUD), from an email promotion by NetWitness.
Yesterday, I offered up a little challenge to suggest that we aren’t ready for a certification around understanding information risk. Today I want to mention why I think this CRISCy stuff is dangerous. What if how we’re approaching the subject is wrong? What if it’s mostly wrong and horribly expensive? I’m going to offer that […]
Recently, ISACA announced the CRISC certification. There are many reasons I don’t like this, but to avoid ranting and in the interest of getting to the point, I’ll start with the main reason I’m uneasy about the CRISC certification: We’re not mature enough for a certification in risk management. Don’t believe me? Good for you, […]
To improve threat intelligence, it’s most important to address the flaws in how we interpret and use the intelligence that we already gather. Intelligence analysts are human beings, and many of their failures follow from intuitive ways of thinking that, while allowing the human mind to cut through reams of confusing information, often end up misleading us.
So it’s been all over everywhere that “uber-sophisticated” hackers walked all over Google’s internal network. Took their source, looked at email interception tools, etc. What’s most fascinating to me is that: Google’s customers don’t seem to be fleeing. Google stock fell approximately 4% on the news they were hacked, while the market was down 2% […]
The New York Times is reporting that there’s a “Deep Discount on Space Shuttles ,” they’re down to $28.8 million. But even more exciting than getting one of the 3 surviving monstrosities is that the main engines are free: As for the space shuttle main engines, those are now free. NASA advertised them in December […]
Yesterday, Russell posted in our amusements category about the avoidance of data sharing. He gives an anecdote about “you,” presumably a security professional, talking to executives about sharing security information. I’d like to offer an alternate anecdote. Executive: “So we got the audit report in, and it doesn’t look great. I was talking to some […]
“Meta-taboo”: The topic itself is not taboo, but any discussion about how to actually get there or deal with the topic is taboo.
Dan Lohrmann’s “Why Do Security Professionals Fail?” So what works and what doesn’t seem to make much difference in getting consistently positive results? My answers will probably surprise you. I’m not the first person to ask this question. Conventional wisdom says we need more training and staff with more security certifications. Others say we need […]
Ed Hasbrouck on “Lessons from the case of the man who set his underpants on fire” A Canadian woman who’s been through the new process is too scared to fly. “Woman, 85, ‘terrified’ after airport search.” Peter Arnett reported “‘It became necessary to destroy the town to save it,’ a TSA major said today. He […]
Orr Dunkelman, Nathan Keller, and Adi Shamir have released a paper showing that they’ve broken KASUMI, the cipher used in encrypting 3G GSM communications. KASUMI is also known as A5/3, which is confusing because it’s only been a week since breaks on A5/1, a completely different cipher, were publicized. So if you’re wondering if this […]
The lead of this story caught my eye: (CNN) — Legislatures in all 50 states, the District of Columbia, Guam, the Virgin Islands and Puerto Rico met in 2009, leading to the enactment of 40,697 laws, many of which take effect January 1. That’s an average of 753 laws passed in each of those jurisdictions. […]
Courtesy of the BBC.
I’ve recently read “Quantified Security is a Weak Hypothesis,” a paper which Vilhelm Verendel published at NSPW09. We’re discussing it in email, and I think it deserves some broader attention. My initial note was along these lines: I think the paper’s key hypothesis “security can be correctly represented with quantitative information” is overly broad. Can […]
The paper is here. The very sane opening paragraph is: On December 12, 2009, we factored the 768-bit, 232-digit number RSA-768 by the number field sieve (NFS, [19]). The number RSA-768 was taken from the now obsolete RSA Challenge list [37] as a representative 768-bit RSA modulus (cf. [36]). This result is a record for […]
On December 9th, Verizon released a supplement to their 2009 Data Breach Investigations Report. One might optimistically think of this as volume 2, #2 in the series. A good deal of praise has already been forthcoming, and I’m generally impressed with the report, and very glad it’s available and free. But in this post, I’m […]
There’s a great line attributed to Darwin: “It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is most adaptable to change.” The trouble is, he never said it. Background here. Original sources are important and fun.
Welcome to WordPress. This is your first post. Edit or delete it, then start blogging!
This is probably considered to be “old news” by many, but I’m high-latency in my news at the moment. Much was made of the fact that the US Military’s enemies are now eavesdropping on the video feeds from US Drones on the battlefield using cheaply available commercial technology. But it’s OK, because according to the […]
Since writing the New School, I’ve been thinking a lot about why it seems so hard to get there. There are two elements which Andrew and I didn’t explicitly write about which I think are tremendously important. Both of them have to do with the psychology of information security. The first is that security experts are […]
A few weeks ago, I joined the SearchSecurity team (Mike Mimoso, Rob Westervelt and Eric Parizo) to discuss the top cybersecurity stories of 2009. It was fun, and part 1 is now available for a listen: part 1 (22:58); part 2 is still to come.
Street with a View is an art project in Google Street View, with a variety of scenes enacted for the camera, either to be discovered in Street View, or discovered via the project web site. via David Fraser.
We’ve been flooded with comment spam. I’ve added one of those annoying captcha things that don’t work, and a mandatory comment confirmation page. Please let me know if you have trouble. Blogname @ gmail.com, or adam @ blogname.com I think comments are working, but most won’t show up immediately. I’m digging into more effective solutions.
That is all.
I expect that there will be senseless acts of violence, planes destroyed and perhaps a city attacked with effective biological weapons. There will be crazy people with more power than we want to comprehend. There will be a billion malnourished, undereducated folks whose lives don’t improve. The first world will continue to be saddled with […]
I’m just off a flight from London back to the United States and I’m hesitant to attempt to think while jet-lagged. I’ll have some more thoughts and first-hand observations once my head clears, however. In the meantime, Nate Silver has broken down the risk of terror attacks on airplanes so I don’t have to. Summarizing […]
As I simmer with anger over how TSA is subpoenaing bloggers, it occurs to me that the state of airline security is very similar to that of information security in some important ways: Failures are rare; partial failures are generally secret; actual failures are analyzed in secret; procedures are secret; procedures seem bizarre and arbitrary […]
This is unfair, but I can’t resist. Nine days before we found out again that PETN is hard to detonate, the FBI was keeping us safe: FBI FINALLY MAKES AN ARREST OVER ‘WOLVERINE’ LEAK The FBI has announced the capture of an individual connected with the leak of 20th Century Fox’s “X-Men Origins: Wolverine.” … […]
Air Canada is canceling US flights because of security. (Thanks, @nselby!) The New York Times reports that “Britain Rejected Visa Renewal for Suspect.” NPR reported that the State Department may have raised some sort of flag, but I don’t have a link. ABC is reporting that two of the “al Qaeda Leaders Behind Northwest Flight […]
Since there’s been so much discussion about the Christmas Bomber, I want to avoid going over the same ground everyone else is. So as much as I can, I’m going to try to stick to lightly-treaded ground. This is a failure for the terrorists. A big one. Think about it; put yourself on the other […]
The Economist “The latest on Northwest flight 253:” “the people who run America’s airport security apparatus appear to have gone insane” and “This is the absolute worst sort of security theatre: inconvenient, absurd, and, crucially, ineffective.” Business Travel Coalition, via Dave Farber and Esther Dyson, “Aviation Security After Detroit:” “It is welcome news that President […]
The back does explain that it’s 76% organic petite sirah, and 24% non-organic grapes. I just thought it was a pretty funny thing to put on the front label, and wonder which consumers are going to be more likely to buy it, knowing that it’s 76% organic.
@Stepto has asked to make #tsaslogans a trending topic. I know you won’t let me down.
Apparently, in the wake of thousands of deaths from idiots paying more attention to GPS, cell phones, GameBoys, iPods and other such electronic devices, TSA has announced a ban on all use of such devices for the last hour of your commute. No, just kidding. Apparently, they may be imposing new secret restrictions on use […]
I never heard of C Recursion till the day before I saw it for the first and– so far– last time. They told me the steam train was the thing to take to Arkham; and it was only at the station ticket-office, when I demurred at the high fare, that I learned about C Recursion. […]
41 years ago: Story: BBC Photo: NASA/Bill Anders
USA Today informs us that: Despite surveillance cameras and heavy security, vandals in a small Swedish town have burned down a giant Yuletide straw goat for the 24th time since 1966, the Associated Press reports. Here at Emergent Chaos, we’re deeply concerned that the goat ended up with neither privacy nor even temporary safety. Photo: […]
Dear Howard, Congratulations on the new job! Even as a cynic, I’m surprised at just how fast the knives have come out, declaring that you’ll get nothing done. I suppose that low expectations are easy to exceed. We both know you didn’t take this job because you expected it to be easy or fun, but […]
Is over on the New School blog. “An open Letter to the New Cyber-Security Czar.”
Precision blogging gets the scoop: You’re probably talking about this terrible security disaster already: the largest database leak ever. Arweena, a spokes-elf for Santa Claus, admitted a few hours ago that the database posted at WikiLeaks yesterday is indeed the comprehensive 2009 list of which kids have been naughty, and which were nice. The source […]
I posted this also to the securitymetrics.org mailing list. Sorry if discussing in multiple venues ticks you off. The Not Obvious blog has an interesting write up on the Heartland Breach and impact. From the blog post: “Heartland has had to pay other fines to Visa and MasterCard, but the total of $12.6 million they […]
I’ll give you a topic, eh, no I won’t. Have at it, but not at each other.
Longtime readers know that I’m not the biggest fan of GRC as it is “practiced” today. I believe G & C are subservient to risk management. So let me offer you this statement to chew on: “A metric for Governance is only useful inasmuch as it describes an ability to manage risk” True or False, […]
Secretly stolen from Joy of Tech.
For some time, I’ve watched the War on Bottled Water with amusement. I don’t disagree with figuring out how to reduce waste, and so on and so forth, but the railing against bottled water per se struck me as not thought out very well. The major reason for my thinking is that I never heard […]
On Wednesday, I’ll be joining a podcast to discuss “top security stories of the year.” I have a couple in mind, but I’d love to hear your nominations. What are the most important things which have happened in information security in the last year? (I posted this on Emergent Chaos, but forgot to post it […]
So after BNY Mellon dropped a tape with my social security number and those of millions of my closest neighbors, they bought me a one year subscription to Experian’s “Triple Alert” credit monitoring service. Today, I got email telling me that there was new information, and so I went to login. Boy, am I glad […]
There have already been a ton of posts out there about the Verizon DBIR Supplement that came out yesterday, so I’m not going to dive into the details, but I wanted to highlight this quick discussion from twitter yesterday that really sums up the value of the supplement and similar reports: georgevhulme: I’m glad we […]
We have a comments feed. I suppose we should add that to somewhere sane. In the meanwhile, you should click here. We have smart commenters, and what they say is usually worthwhile.
We think of botnets as networks of computing devices slaved to some command & control system. But what about human-in-the-loop botnets, where humans are either participants or prime actors? I’m coining this label: “social botnets”. Recent example: “Health Insurers Caught Paying Facebook Gamers To Oppose Reform Bill”.
Next week, I’ll be joining a podcast to discuss “top security stories of the year.” I have a couple in mind, but I’d love to hear your nominations. What are the most important things which have happened in information security in the last year?
The supplement provides case studies, involving anonymous Verizon clients, that detail some of the tools and methods hackers used to compromise the more than 285 million sensitive records that were breached in 90 forensic cases Verizon handled last year.
According to “Campbell’s Monkeys Use Affixation to Alter Call Meaning:” We found that male alarm calls are composed of an acoustically variable stem, which can be followed by an acoustically invariable suffix. Using long-term observations and predator simulation experiments, we show that suffixation in this species functions to broaden the calls’ meaning by transforming a […]
(quietly, wistfully singing “Yesterday” by the Beatles) From my favorite Swedish Infosec Blog, Crowmoor.se. I don’t speak Swedish, so I couldn’t really read the fine article they linked to. Do go read their blog post, I’ll wait here. Back? Great. Here are my thoughts on those numbers: SWEDISH FRAUD STATISTICS RELEASED The World Bank estimates […]
The widespread and often mandatory use of client scripts in websites (e.g., JavaScript) is like CDOs [Collateralized Debt Obligations]. They both are designed by others with little interest in your security, they leverage your resources for their benefit, they are opaque, complex, nearly impossible to audit, and therefore untrustworthy.
If you work in InfoSec outside of the military, you may be thinking that “offensive cyber capability” doesn’t apply to you. Don’t be so sure. I think it’s worth adding to the threat model for every organization. New “hacking gadgets” could be put in the hands of ordinary soldiers, turning them into the equivalent of “script kiddies”. But what if the potential target knows that such attacks may be coming? They could set up a deceptive defense and redirect the attack to another network.
Via Gary Leff, we learn that “The TSA Puts Their Sensitive Security Screening Procedures Online For All To See (oops).” It’s another “we blacked out the doc without blacking out the data” story. The doc is 93 pages, and I don’t have time to more than skim it right now. I think that the redactions […]
America’s Finest News Source teaches an excellent lesson on how to spin data: Labor Dept: Available Labor Rate Increases To 10.2% WASHINGTON—In what is being touted by the Labor Department as extremely positive news, the nation’s available labor rate has reached double digits for the first time in 26 years, bringing the total number of […]
Adam recently sent me a link to a paper titled, “Understanding scam victims: seven principles for systems security.” The paper examines a number of real-world (i.e. face-to-face) frauds and then extrapolates security principles which can be applied generically to both face-to-face and information or IT security problems. By illustrating these principles with examples taken from […]
So, Adam retweets a hysterical reference to a viral email about an absolute genius of a Xmas light display made to look like an accident with a ladder, and the hapless homeowner left hanging from the gutter of his house. The email explains that the display was taken down after two days in large part […]
A methodology is presented for guiding individual policy decisions from a risk management perspective, using a form of “abduction validation”. An example is presented using the case of password change policy, drawing from recent blog discussions.
From the awesome Understanding Uncertainty blog: 2845 ways to spin the Risk
According to the Wall St Journal, “Iranian Crackdown Goes Global,” Iran is monitoring Facebook, and in a move reminiscent of the Soviets, arresting people whose relatives criticize the regime online. That trend is part of a disturbing tendency to criminalize thoughts, intents, and violations of social norms, those things which are bad because they […]
A while back I wrote an article on reusable code for ThreatPost. Today’s Dilbert has an alternate, equally useful take on reusable code.
George Hulme nominates this as the stupidest blog post of the year. I’m tempted to vote, although we have 30 more days. Business leaders need to understand there is no more need for proper security to justify itself over and over again. It saves you time and money (period). My take? Anytime someone says that […]
A lesson in miscommunication of risk from “abstinence only” sex education aimed at teenagers. The educators emphasize the failure rate of condoms, but never mention the failure rate of abstinence-only policies when implemented by teenagers.
From BoingBoing: Somali nautical pirates have established a stock-market where guns and cash are invested in upcoming hijackings, with shares of the proceeds returned to investors Emergent Chaos strikes again…
But in New York, a city that has become almost synonymous with high security, where office employees wear picture IDs and surveillance cameras are on the rise, some officers don’t wear their badges on patrol. Instead, they wear fakes. Called “dupes,” these phony badges are often just a trifle smaller than real ones but otherwise […]
I received an unsolicited (I’ve tried to unsubscribe several times there, techtarget) email today, that I actually happened to open because it advertised an “integrated maturity model for governance and security”. Yeah, I’m a sucker like that. This is what I read: …a practical maturity model with illustrative use cases that can be […]
I also posted about this on Emergent Chaos, but since our readership doesn’t fully overlap, I’m commenting on it here as well. Chris Soghoian, has just posted some of his new research into government electronic surveillance here in the US. The numbers are truly astounding (Sprint for instance provided geo-location data on customers eight million […]
Chris Soghoian, who we’ve mentioned here extensively in the past, has posted some new research around just how much electronic surveillance is really going on here in the US. Sprint Nextel provided law enforcement agencies with its customers’ (GPS) location information over 8 million times between September 2008 and October 2009. This massive disclosure of […]
This is cool. Visualization of relative storage capacities in terms of media and format. Notice that it goes all the way back into pre-digital forms, a subtle tweak that I’ll bet a lot of people miss on first inspection. Too bad, too, since the ability to seamlessly compare seemingly-different things is a valuable skill when […]
Just saw where Symantec has released their 2010 Security Trends to watch. Now not to pick on Symantec (I’m guilty of the same mess in the past myself over on my old blog) but usually these sorts of prognostication lists are full of the same horse@!@#$. For example: 8. Mac and Mobile Malware Will Increase […]
“Of the thousands of cases that we’ve investigated, the public knows about a handful,” said Shawn Henry, assistant director for the Federal Bureau of Investigation’s Cyber Division. “There are million-dollar cases that nobody knows about.” … “Keeping your head in the sand on filing a report means that the bad guys are out there hitting […]
The BBC reports that “Indonesia minister says immorality causes disasters:” A government minister has blamed Indonesia’s recent string of natural disasters on people’s immorality. Communication and Information Minister Tifatul Sembiring said that there were many television programmes that destroyed morals. Therefore, the minister said, natural disasters would continue to occur. His comments came as he […]
Thanks, Nicko!
I’d like to wish US readers a happy Thanksgiving. For those outside of the US, I thought this would be a nice little post for today: A pointer to an article in the Financial Times, “Baseball’s love of statistics is taking over football“ Those who indulge my passion for analysis and for sport know that […]
Today on Thanksgiving, I’m thankful that the European Parliament has adopted what may be the first useful statement about the balance between security and privacy since Franklin: “… stresses that the EU is rooted in the principle of freedom. Security, in support of freedom, must be pursued through the rule of law and subject to […]
Great post today over on SecureThinking about a customer who used a very limited signature set for their IDS. Truth of the matter was that our customer knew exactly what he was doing. He only wanted to see a handful of signatures that were generic and could indicate that “something” was amiss that REALLY needed […]
There’s a fascinating article in the NYTimes magazine, “Who Knew I Was Not the Father?” It’s all about the impact of cheap paternity testing on conceptions of fatherhood. Men now have a cheap and easy way of discovering that children they thought were theirs really carry someone else’s genes. This raises the question, what is fatherhood? […]
This past Friday, Baltimore resident, Michelle Courtney Johnson, was sentenced to 18 months in jail and a $200K fine for theft and use of PHI. According to her plea agreement and court documents, from August 2005 to April 2007, Johnson provided a conspirator with names, Social Security numbers and other identifying information of more than […]
I’m starting on an academic-oriented research project on the arms race between attackers and defenders from the perspective of innovation rates and “evolutionary success” – The Red Queen problem. I’m looking for collaborators, contributors, reviewers, etc.
It’s been a bad couple of weeks for residents of Connecticut and their personal health information. First Blue Cross Blue Shield had a laptop stolen with enough PHI that over 800K doctors were notified that their patients were at risk, including almost 19K in Connecticut. Connecticut’s attorney general said Monday that he’s investigating insurer Blue […]
Contrary to popular belief, hackers are not credible sources of information that they themselves have stolen and leaked. Maybe they weren’t “hackers” at all. News organizations and bloggers should think more critically and do more investigation before they add to the “echo chamber effect” for such reports.
In “An Unstoppable Force Meets…” Haseeb writes about “we have just witnessed a monumental event in the history of online poker – the entrance of Isildur into our world of online poker.” Huh? Really? The post is jargon packed, and I’m not a poker player, but apparently this Isildur character has slaughtered all the best […]
Lessons for information security from recent public health pronouncements on mammograms and Pap tests.
Cormac Herley at Microsoft Research has done us all a favor and released a paper So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users which opens its abstract with: It is often suggested that users are hopelessly lazy and unmotivated on security questions. They chose weak passwords, ignore […]
According to BoingBoing, “Leaked UK government plan to create “Pirate Finder General” with power to appoint militias, create laws:” What that means is that an unelected official would have the power to do anything without Parliamentary oversight or debate, provided it was done in the name of protecting copyright. Mandelson elaborates on this, giving three […]
Threatlevel (aka 27B/6) reported yesterday that Richard Schaeffer, the NSA’s information assurance director, testified to the Senate Judiciary Subcommittee on Terrorism, Technology and Homeland Security on the issue of computer based attacks. If network administrators simply instituted proper configuration policies and conducted good network monitoring, about 80 percent of commonly known cyber attacks could […]
According to Kim Zetter at Wired, in Senate testimony, Richard Schaeffer, the information assurance director at NSA, claimed that “If network administrators simply instituted proper configuration policies and conducted good network monitoring, about 80 percent of commonly known cyber attacks could be prevented.” I’m trying to find if that’s the FDCC (Federal Desktop Core Configuration), […]
I missed this when it hit the newswires two weeks ago, but the FTC has delayed enforcement of the Red Flags Rule. This change was in response to the American Bar Association successfully suing the FTC and being granted an injunction to prevent the Red Flags Rule being applied to lawyers. Similarly, the American Institute […]
In the book, Andrew and I wrote about trading data for credibility. If Verizon’s enthusiasm for sharing their learning is any indication, the approach seems to be paying off in spades. At the Verizon Business blog, Wade Baker writes: Today ICSA Labs (an independent division of Verizon Business) released a report based on testing results […]
You can’t tell the good guys from the bad guys without knowing the color of their hat. I wish there were some sort of map of the Black Hat ecosystem because it’s hard for non-specialists to tell. Case in point: Virscan.org. Looks like a nice, simple service that scans uploaded files using multiple AV software with latest signatures. But it seems *much* more useful to bad guys (malware writers and distributors) than for good guys. Who does it serve?
The Royal Fleet Auxiliary ship Wave Knight watched a yacht be hijacked for fear of harming its passengers. All stand for a rousing round of “Ain’t gonna study war no more.”
Our friend Rich Mogull has an interesting post up on his blog called “Always Assume“. In it, he offers that “assumption” is part of a normal scenario building process, something that is fairly inescapable when making business decisions. And he offers a simple, pragmatic process for assumptions which is mainly scenario development, justification, and action. […]
What’s on your mind?
Someone sent me a link to “How to Audit-Proof Your Tax Return: Don’t e-File,” by Paul Caron. In it he quotes a plausible theory that “you are giving the IRS easy electronic access to information it would otherwise have to enter, enabling the agency to examine your return and mine the data more easily than […]
The Workshop on the Economics of Information Security (WEIS) is the leading forum for interdisciplinary scholarship on information security, combining expertise from the fields of economics, social science, business, law, policy and computer science.
In comments yesterday, both Kyle Maxwell and Nicko suggested that “standard” is a better adjective than “proven:” I like Kyle’s “standard” practice, since it makes it clear that you are just following the flock for safety by sticking to them. Perhaps we should call them “flocking standard practice” I do think there’s an important difference, […]
After I posted the new Best Practice: Think, Dennis Fisher tweeted “Never catch on. Nothing for vendors (or Gartner) to sell.” Which is true, but that’s not the point. The point is to be able to ju-jitsu your best-practice cargo-culter into submission. For example: Cargo-culter: We don’t need a review, this project complied with all […]
I spent yesterday in a workshop learning about and practicing scenario planning. It’s a really great tool for planning for (as opposed to predicting) the future. It feels like it’s a great addition to the risk assessment/management process. Check it out.
I’m a big fan of the book “Back of the Napkin” which is all about using pictures to help with problem solving. Yesterday, I was introduced to a related concept “visual notetaking” where you use images to support other notes you are taking during a meeting. I’m at a two day workshop and we have […]
Asked about the timing, the unbriefed propaganda minister mumbled: “As far as I know, effective immediately.” When that was reported on television, the Berliners were off. Baffled border guards who would have shot their “comrades” a week earlier let the crowd through—and a barrier that had divided the world was soon being gleefully dismantled. West […]
[Posting this here to help get the word out – Chris ] Mini MetriCon 4.5 will be a one-day event, Monday, March 1, 2010, in San Francisco, California. Through the cooperation of RSA, the workshop will be held at the University of San Francisco, within walking distance of the Moscone Center, the location of the […]
Margret Ann Hutton: Congratulations to Alex & Ms. Alex!
See George Hulme, “National Data Breach Law Steps Closer To Reality ” and Dennis Fisher “http://threatpost.com/en_us/blogs/two-data-breach-notification-bills-advance-senate-110609.” Dennis flags this awe-inspiring exception language: “rendered indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms, that are widely accepted as an effective industry practice, or an effective industry standard.” […]
Unicorns (of some sort) are not impossible in principle, only non-existent in recent times. As evidence, I offer Tsintaosaurus spinorhinus, a real dinosaur found in China. Though we may be comfortable with our current “smelly, ugly goat” practices, including the ethically questionable FUD tactic, they only perpetuate the problems and, at worst, are like peeing in the swimming pool.
The previous blog post, “Just say ‘no’ to FUD”, described Richard Bejtlich’s post at Tao of Security as “FUD in other clothing”. That was over-reaching. I apologize. There was an element of FUD, but my main objection to Richard’s post was due to other reasons.
Mini MetriCon 4.5 will be a one-day event, Monday, March 1, 2010, in San Francisco, California. Through the cooperation of RSA, the workshop will be held at the University of San Francisco, within walking distance of the Moscone Center, the location of the RSA Conference, to be held during the same week. Mini MetriCon attendees […]
Via Schneier: From the Open Access Journal of Forensic Psychology, by a large group of authors: “A Call for Evidence-Based Security Tools“: Abstract: Since the 2001 attacks on the twin towers, policies on security have changed drastically, bringing about an increased need for tools that allow for the detection of deception. Many of the solutions […]
At Microsoft, there’s a very long history of ‘eating your own dogfood’ or using the latest and greatest daily builds. Although today, people seem to use the term “self-host,” which seems evidence that they don’t do either. Eating your own dogfood gives you a decent idea of when it starts to taste ok, which is […]
For the opportunity to do this:
I just finished reading RSnake’s new book Detecting Malice and I can say without a doubt that it is one of the best technical books I have ever read. Furthermore, I can tell you that it is, without a doubt, the best web security book I have ever had the pleasure to read. Imagine a […]
Mordaxus emailed some of us and said “I hope this doesn’t mean MG has jumped the shark.” What was he talking about? Apparently, ThinkGeek now has a “Molecular Gastronomy Starter Kit.” For those of you who’ve been hiding in a Cheesecake Factory for the past few years, molecular gastronomy is the art of using science […]
I don’t usually say a lot about local issues, but as readers know, I’m concerned about how arbitrary ID checking is seeping into our society. It turns out my friend Eric Rachner is also concerned about this, and was excited when a Washington “Judge said showing ID to cops not required.” So when Eric was […]
“Fear, uncertainty, and doubt” (FUD) is a distortion tactic to manipulate decision-makers. You may think it’s good because it can be successful in getting the outcomes you desire. But it’s unethical. FUD is also anti-data and anti-analysis. Don’t do it. It’s the opposite of what we need.
Those of you who’ve heard me speak about the New School with slides have probably heard me refer to this as an astrolabe: Brett Miller just emailed me and asked (as part of a very nice email) “isn’t that an orrery, not an astrolabe?” It appears that I’m going to have to update my commentary. […]
Ross Anderson has a new Psychology and Security Resource Page. His abstract: A fascinating dialogue is developing between psychologists and security engineers. At the macro scale, societal overreactions to terrorism are founded on the misperception of risk and uncertainty, which has deep psychological roots. At the micro scale, more and more crimes involve deception; as […]
Following the No Child Left Behind mandate to improve school quality, there has been a growing trend among state departments of education to establish statewide longitudinal databases of personally identifiable information for all K-12 children within a state in order to track progress and change over time. This trend is accompanied by a movement to […]
Bob Blakley has a very thought provoking piece, “Gartner Gets Privacy Dead Wrong.” I really, really like a lot of what he has to say about the technical frame versus the social frame. It’s a very useful perspective, and I went back and forth for a while with titles for my post (The runner up […]
Jeremiah Grossman has an article in SC Magazine, “Businesses must realize that full disclosure is dead.” On Twitter, I asked for evidence, and Jeremiah responded “Evidence of what exactly?” I think the key assertion that I take issue with is bolded in the context below: Unquestionably, zero-day vulnerabilities have an increasing real-world value to many […]
Apparently, in a sovereign-in-cheek move, the Florida Keys have withdrawn from the United States, and declared themselves to be “The Conch Republic.” Their motto is “We seceded where others failed.” Perhaps you haven’t heard of them because they make all the good jokes, making writing about them hard. I heard about them because of […]
What good is it to know the economic value of a digital asset for the purposes of making information security decisions? If you can’t make better decisions with this information, then the metric doesn’t have any value. This post discusses alternative uses, especially threshold or sanity checks on security spending. For these purposes, it functions better as a “spotlight” than as a “razor”. Digital Asset Value has other uses, not the least to get InfoSec people to understand Business people and their priorities and vice versa.
It’s the probabilistic decision making tool for baseball managers. On the iPhone. It’s like a business intelligence application in the palm of your hand 🙂 Basically, it takes the probabilistic models of either Win Expectancy or Run Expectancy (any given action has some probability of contributing a run or a win) and given a situation, […]
There are apparently many people being held without charges by Iranian government. But as far as I know, I’ve only ever met one of them, and so wanted to draw attention to his case: During this entire time, our son has had just two short meetings with us for only a few minutes. Please imagine […]
Bruce Schneier points in his blog to an article in The Telegraph in which Steve Ballmer blames the failure of Vista on security. Every security person around should clear their throat loudly. Security is not what made Vista unpalatable. Many people liked Vista. My tech reporter friends not only adored it, but flat couldn’t understand […]
ChoicePoint was supposed to take steps to protect consumer data. But the FTC alleged that in April 2008 the company switched off an internal electronic monitoring system designed to watch customer accounts for signs of unauthorized or suspicious activity. According to the FTC, that safety system remained inactive for four months, during which time unauthorized […]
If you need to do financial justification or economic analysis for information security, especially risk analysis, then you need to value digital assets to some degree of precision and accuracy. There is no universally applicable and acceptable method. This article presents a method that will assist line-of-business managers to make economically rational decisions consistent with overall enterprise goals and values.
or why RSnake will never be allowed to play video blackjack or poker at Blackhat ever again. RSnake’s exploits with the game system on a recent flight are a fabulous read. Makes me wonder just how integrated these systems are with the regular flight systems though. Btw, RSnake, I expect a demo as part of […]
Josh Corman had an awesome post over on Fudsec on Friday. It’s so awesomely appropriate to this blog, that I’m sharing it with you. My only complaint is that I wish that I had written it instead. Go read it right now.
In a lawsuit filed Sept. 28 in Los Angeles Superior Court, Amber Duick claims she had difficulty eating, sleeping and going to work during March and April of last year after she received e-mails for five days from a fictitious man called Sebastian Bowler, from England, who said he was on the run from the […]
Wired has a First Look: Dyson’s Blade-Free Wonder Fan Blows Our Minds: Future generations will have no idea why the shit hitting the fan is any worse than it hitting anything else.
Andrew Stewart and I will be speaking at the University of Michigan SUMIT_09 on Tuesday. We’re on 10:30-11:25. If you’re in the area, please come by.
Anton Chuvakin’s been going old school. Raising the specter of “risk-less” security via best practices and haunting me like the ghost of blog posts past. Now my position around best practices in the past has been that they are, to use Jack Jones’ phrase, Infosec “shamanism”. We do these things because our forefathers do them, […]
Apparently, at the SecTor security conference, someone tapped into the network and posted passwords to a Wall of Sheep. At the SecTor speakers dinner, several attendees were approached by colleagues and informed that their credentials appeared on the “Wall of Shame” for all to see. When questioned about how the encrypted and unencrypted traffic was […]
Since anyone can declare anything a best practice in information security, I’d like to add my favorite to your list. Think. Thank you.
Yesterday, Luis Armando Peña Soltren was arrested after forty years on the run for hijacking a plane to Cuba. Soltren “will finally face the American justice system that he has been evading for more than four decades,” said U.S. Attorney Preet Bharara. I understand that Woody Allen, Martin Scorsese and David Lynch are already circulating a […]
With the kind help of our awesome readership, Amazon and Glazer’s, I’ve acquired a camera, some books, a tripod, a prime 50mm, a flash diffuser, a polarizing filter, a graduated neutral filter, and some other random photography toys tools. You might question this, but I can quit anytime. Really! I even offered to loan my […]
VisualComplexity.com intends to be a unified resource space for anyone interested in the visualization of complex networks. While it may not contain any examples specific to information security, there may be some methods and ideas that can be adapted to InfoSec.
Have at it. Please stay civil to the other commenters.
So the Lunar Crater Observation and Sensing Satellite has one last sensing task which it will carry out tomorrow morning at 4:30 AM Pacific. That is to dig a big hole in Cabeus (proper) and see if there’s water there. Unfortunately for LCROSS, it doesn’t really have landing jets, which means it will dig a […]
Hal Finney has posted some news to LessWrong: A man goes in to see his doctor, and after some tests, the doctor says, “I’m sorry, but you have a fatal disease.” Man: “That’s terrible! How long have I got?” Doctor: “Ten.” Man: “Ten? What kind of answer is that? Ten months? Ten years? Ten what?” […]
I’ve been remiss in not posting a review of Tetraktys, by Ari Juels. Short review: It’s better written and has better cryptographers than the ones in any Dan Brown novel, but that’s really damning it with faint praise, which it doesn’t deserve. It’s a highly readable first novel by Ari Juels, who is Chief Scientist […]
I want to congratulate the folks at the FTC, who’ve decided we all need to follow some rules about what bloggers can say. See for example, “ Epicenter The Business of Tech FTC Tells Amateur Bloggers to Disclose Freebies or Be Fined” at Wired. These new rules are documented in an easy to read 81 […]
Near misses are very valuable signals regarding future losses. If we ignore them in our cost metrics, we might make some very poor decisions. This example shows that there is a qualitative difference between “ground truth data” (in this case, historical cash flow for data breach events) and overall security metrics, which need to reflect our estimates about the future, a.k.a. risk.
Rob Lemos has a new article up on the MIT Technology Review, about some researchers from UC Santa Barbara who spent several months studying the Mebroot Botnet. They found some fascinating stuff and I’m looking forward to reading the paper when it’s finally published. While the vast majority of infected machines were Windows based (64% […]
I am honored that the kind folks at Threatpost have asked me to write for them occasionally. My first post is about better security through diversity of thinking which was inspired by pastry chef Shuna Fish Lydon. From her post (which I quoted in mine as well) It is my experience that unless you push […]
Earlier this month, the Department of Health and Human Services imposed a “risk of harm” standard on health care providers who lose control of your medical records. See, for example, “Health IT Data Breaches: No Harm, No Foul:” According to HHS’ harm standard, the question is whether access, use or disclosure of the data poses […]
Jennifer Granick reports that in Massachusetts, Cops Can’t Convert Car Into Tracking Device Without Court’s OK. Connolly decided that the installation of the GPS device was a seizure of the suspect’s vehicle. “When an electronic surveillance device is installed in a motor vehicle, be it a beeper, radio transmitter, or GPS device, the government’s control […]
Click for the original.
So the 2016 Olympics will be in Rio de Janeiro. Some people think this was a loss for Obama, but Obama was in a no-win situation. His ability to devote time to trying to influence the Olympics is strongly curtailed by other, more appropriate priorities. If he hadn’t gone to Copenhagen, he would have been […]
So Dave Mortman wrote: I don’t disagree with Adam that we need raw data. He’s absolutely right that without it, you can’t test models. What I was trying to get at was that, even though I would absolutely love to have access to more raw data to test my own theories, it just isn’t realistic […]
Over at the US Government IT Dashboard blog, Vivek Kundra (Federal CIO), Robert Carey (Navy CIO) and Vance Hitch (DOJ CIO) write: the evolving challenges we now face, Federal Information Security Management Act (FISMA) metrics need to be rationalized to focus on outcomes over compliance. Doing so will enable new and actionable insight into agencies’ […]
So awhile back, I posted the following to twitter: Thought of the Day: We don’t need to share raw data if we can share meta-data generated using uniform analytical methodologies. Adam, disagreed: @mortman You can’t test & refine models without raw data, & you can’t ask people with the same orientation to bring diverse perspectives. […]
There was a lot of news when Henry Louis Gates was arrested back in July, essentially for mouthing off to a cop. What happened was a shame, but what is more of a shame is that this sort of thing isn’t that rare. Time magazine had a recent article about this, Do You Have the […]
Quoting Michael Zimmer: [Yesterday was] the start of Banned Books Week 2009, the 28th annual celebration of the freedom to choose what we read, as well as the freedom to select from a full array of possibilities. Hundreds of books are challenged in schools and libraries in the United States each year. Here’s a great […]
I had fun recording Beyond the Perimeter Episode 48 and 49 with Amrit. I think Amrit asked some of the broadest, most complex questions I’ve been asked, and it was hard to keep the episodes short. Go have a listen!
We can all learn from this great role model, aimed at personal nutrition awareness and education: Nutritiondata.com. If only security awareness web sites were this good.
So I saw this ad on the back of the Economist. (Click for a larger PDF). In reading it, I noticed this exhortation to “support the STANDUP act of 2009:” The STANDUP Act* (H.R. 1895) creates a National Graduated Driver Licensing (GDL) law that [limits nighttime driving, reduces in-car distractions, puts a cap on the […]
Politics and power can manipulate the “ground truth data” we depend upon. Case in point: the VP residence image on Google Earth is still blurred, even though VP Dick Cheney has been out of office for almost a year. Could similar things happen in InfoSec data if it were more visible and public? You bet.
Statistically speaking, 6 out of 7 dwarves are not happy. [via zem42]
I believe these are the final deliverables: National Cyber Leap Year Summit 2009 Co-Chairs Report — main discussion of metrics is p 26-28 National Cyber Leap Year Summit 2009 Participants’ Ideas Report – main discussion of metrics is p 44-46, p 50-51, and p 106; with related discussion on p 53-54. Also worth noting is […]
That on the first day of January in the year of our Lord, one thousand eight hundred and sixty-three, all persons held as slaves within any state, or designated part of a state, the people whereof thenceforward, and forever free; and the executive government of the United States [including the military and naval authority thereof] […]
The SANS Top Cyber Security Risks report has received a lot of positive publicity. I applaud the effort and goals of the study and it may have some useful conclusions. We should have more of this. Unfortunately, the report has some major problems. The main conclusions may be valid but the supporting analysis is either confusing or weak. It would also be good if this study could be extended by adding data from other vendors and service providers.
So I’m sitting on the plane home from* Seattle, and I had a really interesting conversation on race with the woman next to me. We were talking, and she asked me, why is it so hard to have conversations like this. I thought that the answer we came to was interesting, and insofar as it […]
We can learn from bad visualization examples by correcting them. This example is from the newly released SANS “Top Cyber Security Risks” report. Their first graphic has a simple message, but due to various misleading visual cues, it’s confusing. A simplified graphic works much better, but they probably don’t need a graphic at all — a bulleted list works just as well. Moral of this story: don’t simply hand your graphics to a designer with the instructions to “make this pretty”. Yes, the resulting graphic may be pretty, but it may lose its essential meaning or it might just be more confusing than enlightening. Someone has to take responsibility for picking the right visualization metaphor and structures.
If you try searching the App store for photo apps, you find all sorts of things to make your photos sepia. Or blurry. Or to draw on them. Which is great, but if you want apps to help you take photographs, they’re sorta hard to find. So here are some links: First up, a reference […]
Over on their blog, the law firm announces yet another class action suit over a breach letter has been dismissed. Unfortunately, that firm is doing a fine business in getting rid of such suits. I say it’s unfortunate for two reasons: first, the sued business has to lay out a lot of money (not as […]
Over on his Guerilla CISO blog, Rybolov suggests that we ask the Data.gov folks for infosec data using their Suggest a data set page. It sounds like a good idea to me! I took his request and built on it. Rather than breaking the flow with quotes and edit marks, I’ll simply say the requests […]
The pictures, soon to be published in the journal Physical Review B, show the detailed images of a single carbon atom’s electron cloud, taken by Ukrainian researchers at the Kharkov Institute for Physics and Technology in Kharkov, Ukraine….To create these images, the researchers used a field-emission electron microscope, or FEEM. They placed a rigid chain […]
An “InfoSec risk scorecard” attempts to include all the factors that drive information security risk – threats, vulnerabilities, controls, mitigations, assets, etc. But for the sake of simplicity, InfoSec risk scorecards don’t include any probabilistic models, causal models, or the like. They can only roughly approximate risk under simplifying assumptions. This leaves the designer open to all sorts of problems. Here are 12 tips that can help you navigate these difficulties. It’s harder than it looks.
The BBC has some really scary video “Detonation of Liquid Explosives.” However, as I thought about it, I grow increasingly confused by what it purports to show, and the implications. At the end of the day, I think there are two possibilities: It’s a fair representation, or it’s not. I’m leaning slightly towards the second. […]
We need more cross-disciplinary research and collaboration in InfoSec. We start on a small scale, starting with people in our professional network. One fertile area of research and collaboration is to apply the latest research in non-standard logic and formal reasoning (a.k.a. AI) to InfoSec risk management problems. The problem is that most of that research reads like Sanskrit unless you are a specialist. Rather than simply post links to academic papers and ask you to read them, let’s use these papers as a vehicle to start a dialog with an academic friend, or a friend-of-friends. Maybe there are some breakthrough ideas in here. Maybe not. Either way, you will have an interesting experience in cross-discipline collaboration on a small scale.
Luther Martin, blogger with Voltage Security, has advised caution about using risk management methods for information security, saying it’s “too complicated and subtle” and may lead decision-makers astray. To back up his point, he uses the example of the Two Envelopes Problem in Bayesian (subjectivist) probability, which can lead to paradoxes. Then he posed an analogous problem in information security, with the claim that probabilistic analysis would show that new security investments are unjustified. However, Luther made some mistakes in formulating the InfoSec problem and thus the lessons from the Two Envelopes Problem don’t apply. Either way, a reframing into a “possible worlds” analysis resolves the paradoxes and accurately evaluates the decision alternatives for both problems. Conclusion: risk management for InfoSec is complicated and subtle, but that only means it should be done with care and with the appropriate tools, methods, and frameworks. Unsolved research problems remain, but the Two Envelopes Problem and similar are not among them.
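The “possible worlds” reframing in the summary above can be carried out in a few lines, so here is an added worked example (not code from the post or from Luther Martin’s article). It assumes a small, proper prior over the smaller amount (uniform over 1, 2, 4, 8, 16); that prior is an assumption chosen for illustration, not something the post specifies. Each possible world is a pair (amount you hold, amount in the other envelope) with its probability; the naive “the other envelope is worth 1.25 times mine” argument is kept alongside so the two can be compared.

```python
from fractions import Fraction


def two_envelope_worlds(max_power=4):
    """Enumerate possible worlds for the Two Envelopes Problem.

    Assumed prior: the smaller amount is 2**k for k in 0..max_power, each
    equally likely. You hold the smaller or the larger amount with probability
    1/2. Returns a list of (probability, amount_held, amount_in_other).
    """
    worlds = []
    p_k = Fraction(1, max_power + 1)
    for k in range(max_power + 1):
        small = 2 ** k
        for held, other in ((small, 2 * small), (2 * small, small)):
            worlds.append((p_k * Fraction(1, 2), held, other))
    return worlds


def naive_switch_gain(amount):
    """The paradoxical argument: 'the other envelope holds 2a or a/2 with
    equal probability, so switching is worth 1.25a', i.e. a gain of a/4."""
    return Fraction(amount, 4)


def expected_gain_given_amount(worlds, amount):
    """E[other - held | held == amount], computed over the worlds in which
    you actually could be holding that amount."""
    matching = [(p, h, o) for p, h, o in worlds if h == amount]
    total = sum(p for p, _, _ in matching)
    return sum(p * (o - h) for p, h, o in matching) / total


def unconditional_gain(worlds):
    """E[other - held] before opening the envelope: the two worlds for each
    k contribute +small and -small, so this is exactly zero."""
    return sum(p * (o - h) for p, h, o in worlds)


def switching_table(worlds):
    """Per observed amount: (naive gain, actual gain) so the divergence is visible."""
    amounts = sorted({h for _, h, _ in worlds})
    return {a: (naive_switch_gain(a), expected_gain_given_amount(worlds, a)) for a in amounts}


if __name__ == "__main__":
    w = two_envelope_worlds()
    for a, (naive, actual) in switching_table(w).items():
        print(f"hold {a:3d}: naive gain {naive!s:>5}  actual gain {actual!s:>5}")
    print("unconditional gain from switching:", unconditional_gain(w))
```

Under a proper prior the conditional gain is positive for small observed amounts, exactly zero in the middle of the range, and sharply negative at the top (you cannot be holding the smaller amount if you hold the maximum), and it sums to zero overall; the naive argument goes wrong by silently assuming an improper prior in which every amount is equally likely to be the smaller one. That is the sense in which an explicit enumeration of worlds, rather than a shortcut, is what a risk decision should rest on.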
South African runner Caster Semenya won the women’s 800-meter, and the attention raised questions about her gender. Most of us tend to think of gender as pretty simple. You’re male or you’re female, and that’s all there is to it. The issue is black and white, if you’ll excuse the irony. There are reports that: […]
The National Cyber Leap Year (NCLY) report coming out in a few weeks might lead to more US government research funding for security metrics in coming years. But that depends on whether the report is compelling to the Feds and Congress. Given the flawed process leading up to the Summit, I have my doubts. Clearly, this NCLY process is not a good model for public-private collaboration going forward.
Once upon a time, I was uunet!harvard!bwnmr4!adam. Oh, harvard was probably enough, it was a pretty well known host in the uucp network which carried our email before smtp. I was also harvard!bwnmr4!postmaster which meant that at the end of an era, I moved the lab from copied hosts files to dns, when I became […]
The Telegraph reports: More than half of all Britons have been injured by biscuits ranging from scalding from hot tea or coffee while dunking or breaking a tooth eating during a morning tea break, a survey has revealed. Who knew that cookies could be so dangerous? So forget worrying about AV or even seat belts, […]
IT’S A TAB DUMP Hey, because of the holiday, I missed posting some stuff for you all about security & visualization last week. So I thought I’d make it up to you today (plus, I’m about to declare Firefox tab bankruptcy, as I tend to find things to mention on the blog here and then […]
He said the criteria used by the Smart Choices™ Program™ were seriously flawed, allowing less healthy products, like sweet cereals and heavily salted packaged meals, to win its seal of approval. “It’s a blatant failure of this system and it makes it, I’m afraid, not credible,” Mr. Willett said. […] Eileen T. Kennedy, president of […]
Andrew Koppelman has a post on lawprof blog Balkinization, titled “You have no idea:” This data sits uneasily beside a recent study in the American Journal of Medicine of personal bankruptcies in the United States. In 2007, 62% of all personal bankruptcies were driven by medical costs. “Nationally, a quarter of firms cancel coverage immediately […]
If you haven’t listened to Larry Lessig’s 23C3 talk, it’s worthwhile to listen to the argument he makes. As I was listening to it, I was struck by the term non-commercial, and, having given it some thought, think that we need a better word to describe the goals Creative Commons is pursuing. The term non-commercial […]
There’s an interesting story at Computerworld, “Court allows suit against bank for lax security.” What jumped out at me was Citizens also had claimed that its online banking services were being provided and protected by a highly reputable company. In addition to the third-party security services, Citizens said it had its own measures for protecting […]
Ten years ago, I left Boston to go work at an exciting startup called Zero-Knowledge Systems. Zero-Knowledge was all about putting the consumer in control of their privacy. Even looking back, I have no regrets. I’m proud of what I was working towards during the internet bubble, and I know a lot of people who […]
Quarter of a million Welsh profiles added to DNA database since 2000. [I forget who linked to this one.] CCTV in the spotlight: one crime solved for every 1,000 cameras [Via the security metrics mailing list.]
Which I’m not — but if I were, now would be the time. ‘Unbreakable’ quantum cryptography hacked without detection using lasers
A relevant tale of medical survival over at The Reality-Based Community: Three years ago a 39-year-old American man arrived at the haematology clinic of Berlin’s sprawling Charité hospital. (The venerable Charité, one of the great names in the history of medicine, used to be in East Berlin, but it’s now the brand for the merged […]
——————————— UPDATE: @lbhuston gives us the dirty low down here: http://stateofsecurity.com/?p=766 ——————————— This was a test of the emergency broadcast system. This was only a test, had this been a real change in the Threat Landscape….. You may have read in various media outlets about a little incident that happened yesterday concerning the mailing of […]
Hey all, sorry it’s been so long since I put up some eye candy. Today’s posts come from the usual sources (flowing data and other various information design blogs) but I also wanted to point you to a new source of cool: http://www.informationisbeautiful.net/ So without further ado, your Visualization Friday Posts (some pertinent to the […]
It’s opening in New York this weekend, and the New York Times has a review.
So I’m having a conversation with a friend about caller ID blocking. And it occurs to me that my old phone with AT&T, before Cingular bought them, had this nifty feature, “show my caller-ID to people in my phone book.” Unfortunately, my current phone doesn’t have that, because Steve Jobs has declared that “Apple’s goal […]
So I was thinking about the question of the value of privacy, and it occurred to me that there may be an interesting natural experiment we can observe, and that is national security clearances in the US. For this post, I’ll assume that security clearances work for their primary purpose, which is to keep foreign […]
And I couldn’t agree more. Capability and Maturity Model Creation in Information Security — PS – sorry for using “NewSchool” as a verb.
Quick follow up to Adam’s Monday post New on SSRN. Rob Westervelt over at SearchSecurity.com tells us about a social network privacy study finds identity link to cookies. Turns out that passing unique identifiers in referring URLs isn’t such a smart idea after all. Color me shocked. The full paper is linked to from Rob’s […]
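To make the finding concrete, here is an added example (not code from the post or from the study it links) of what a third-party tracker can do when a page passes a unique identifier in its URL and the browser forwards that URL as the Referer. The log lines, host names and the `id` parameter are constructed for illustration; the mitigation shown at the end, sending only the origin as the referrer, corresponds to the modern `Referrer-Policy` header, which is assumed here and postdates the post.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed tracker-side log: one line per embedded-content request, with the
# tracker's own cookie and the Referer the browser sent. Not real data.
TRACKER_LOG = """\
tid=abc123 referer=https://social.example/profile.php?id=1001
tid=abc123 referer=https://social.example/photos.php?id=1001&album=7
tid=zzz999 referer=https://social.example/profile.php?id=2002
tid=qqq111 referer=https://news.example/story/42
"""

LINE_RE = re.compile(r"tid=(\S+) referer=(\S+)")
# Query parameters that, on the assumed site, name the logged-in or viewed user.
ID_PARAMS = ("id", "uid", "user")


def identifier_from_referer(url):
    """Return (host, identifier) if the referring URL carries a user id, else None."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    for key in ID_PARAMS:
        if key in query:
            return parts.hostname, query[key][0]
    return None


def link_cookies_to_identities(log_text):
    """The leak: join the tracker's cookie to every site identity seen behind it.

    Returns {tracker_cookie: {(host, identifier), ...}}. Cookies whose referers
    never carried an identifier do not appear.
    """
    links = {}
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        tid, referer = match.groups()
        identity = identifier_from_referer(referer)
        if identity:
            links.setdefault(tid, set()).add(identity)
    return links


def origin_only(url):
    """What the tracker would see if the page sent only its origin as the
    referrer (Referrer-Policy: strict-origin or origin): no path, no query."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}/"


if __name__ == "__main__":
    for tid, identities in link_cookies_to_identities(TRACKER_LOG).items():
        print(tid, "->", sorted(identities))
    print("with origin-only referrer:", origin_only("https://social.example/profile.php?id=1001"))
```

The join is the whole attack: the tracker already recognises the browser by its cookie across unrelated sites, and the leaked identifier turns that anonymous profile into a named one. Stripping the query from outgoing referrers (or not putting identifiers in URLs at all) leaves the tracker with nothing to join on.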
I remember when Derek Atkins was sending mail to the cypherpunks list, looking for hosts to dedicate to cracking RSA-129. I remember when they announced that “The Magic Words are Squeamish Ossifrage.” How it took 600 people with 1,600 machines months of work and then a Bell Labs supercomputer to work through the data. I […]
A little more seriously, the identity of a blog is constructed between the authors, commenters and readers, and I’m continually amazed by what emerges here. At the same time, what’s emerging is currently not very chaotic, and I’m wondering if it’s time for some mixing it up. Suggestions welcome.
In 2007, Artist Kristin Sue Lucas went before a judge to get a name change to…Kristin Sue Lucas. She’s put together a show called “Refresh” and one called “Before and After.” My favorite part is where the judge wrestles with the question “what happens when you change a thing to itself:” JR: And I don’t […]
There’s new papers by two law professors whose work I enjoy. I haven’t finished the first or started the second, but I figured I’d post pointers, so you’ll have something to read as we here at the Combo improvise around Cage’s 2:33. Paul Ohm has written “Broken Promises of Privacy: Responding to the Surprising Failure […]
Todays New York Times has an interesting article “A Lawsuit Tries to Get at Hackers Through the Banks They Attack” about the folks over at Unspam who are suing under the Can-Spam Act in an attempt to get the names of miscreants who have been attacking banks. More interestingly, they are hoping to force the […]
Today is amazingly enough the fifth anniversary of Adam starting this blog. It’s amazing how fast time flies when things are chaotic. Seems like just yesterday Adam was doing the initial Star Wars posts. Appropriately enough the most recent in the category was just this past Saturday. Thank you to all of our readers for […]
Over at Haft of the Spear, Michael Tanji asks: You are the nation’s new cyber czar/shogun/guru. You know you can’t _force _anyone to do jack, therefore you spend your time/energy trying to accomplish what three things via influence, persuasion, shame and force of will? I think it’s a fascinating question, and posted my answer over […]
Over at Haft of the Spear, Michael Tanji asks: You are the nation’s new cyber czar/shogun/guru. You know you can’t _force _anyone to do jack, therefore you spend your time/energy trying to accomplish what three things via influence, persuasion, shame and force of will? My three: De-stigmatize failure. Today, we see the same failures we […]
I’ve been busy and haven’t had a lot of time to dig in, but Rich Mogull has some really good articles, “Heartland Hackers Caught; Answers and Questions,” and “Recent Breaches- We May Have All the Answers.” I have two questions: Were these custom attacks, or a failure to patch? Reading what’s not in the USSS/FBI […]
Hey y’all, happy Monday morning. I’ve put Dave & my presentation for Security BSides up on slideshare: http://www.slideshare.net/alexhutton/mortmanhutton-security-bsides-presentation Mortman/Hutton Security B-Sides Presentation View more presentations from alexhutton. Also note that this includes the Black Hat presentation we gave on the Mortman/Hutton Vulnerability/Exploit model. I hope you will enjoy! PS – There’s probably audio available for […]
One of the best ways to upset someone who cares about privacy is to trot out the “nothing to hide, nothing to worry about” line. It upsets me on two levels. First because it’s so very wrong, and second, because it’s hard to refute in a short quip. I think what I like most about […]
There’s a cute little story in the NYTimes, “Lego Rejects a Bit Part in a Spinal Tap DVD.” I read it as I was listening to a podcast on Shepard Fairey vs The Associated Press that Dan Solove pointed out. In that podcast, Dale Cendali (the attorney representing the AP) asserts that licensing is easy, […]
Click for JWZ’s image. Not sure of origin.
Dennis Fisher talks with Microsoft’s Adam Shostack about the Privacy Enhancing Technologies Symposium, the definition of privacy in today’s world and the role of technology in helping to enhance and protect that privacy. As always, a fun conversation with Dennis Fisher. Ran longer than I think either of us expected at 41:15. And speaking of […]
There’s been lots of discussion here and elsewhere about what’s wrong with GRC as a market and that discussion is pretty spot on. However, last week, I was chatting with Alex and it suddenly hit me that while GRC doesn’t work, the very concept is even more broken than we had previously thought. I briefly […]
Bill Brenner has an interview with Robert Carr, the CEO of Heartland. It’s headlined “Heartland CEO on Data Breach: QSAs Let Us Down.” Some smart security folks are outraged, asserting that Carr should know the difference between compliance and security, and audit and assessment. Examples include Rich Mogull’s “Open Letter to Robert Carr” and Alan […]
Missouri adds a law with a “risk of harm trigger” aka the full-employment provision for lawyers and consultants. Texas adds health data to their notification list. Most importantly, North Carolina requires notice to their attorney general for breaches smaller than 1,000 people. I think Proskauer here is being a little inaccurate when they characterize this […]
So-called clinical-strength antiperspirants …come with instructions that they be applied before bed for “maximum” protection from wetness and odor. … Even regular-strength antiperspirants work best when applied to underarms at night, experts told us. Bedtime application “really is the best way to use an antiperspirant,” says David Pariser, M.D., president of the American Academy of […]
Brian Jones Tamanaha has an interesting post about our database-driven society. The core of it is that English is bad at recording some names. The solution? Force people to change their official names for the convenience of the database: During public hearings on the voter identification legislation in the House, state Rep. Betty Brown, R-Terrell, […]
RSA 2010 Call for Speaking Proposals. You know you want to.
John Viega recently published a new book: The Myths of Security: What the Computer Security Industry Doesn’t Want You to Know. It’s a great read, especially if you are new to or are interested in the security industry as a whole. However, even if you are a long term security veteran, you will find it […]
Keeping a database of all of your ATM PINs in a clear (or possibly encrypted but easily reversible) text database is not a good idea. I honestly can’t see any use value for this, especially when they won’t tell you what your PIN is even if you have multiple forms of government issued identification. No […]
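As an added illustration of why a PIN database is a liability even when it is hashed or “encrypted” (this is example code, not anything from the post or the bank it refers to): a four-digit PIN has only 10,000 possible values, so a salted hash of it is recoverable offline in a fraction of a second. What actually keeps a stored verifier from being reversible is a secret key that is never in the database (in banking, PIN verification happens inside an HSM) together with a limit on online guesses. The account names, key and attempt limit below are assumptions for the demo.

```python
import hashlib
import hmac
import os

PIN_SPACE = [f"{n:04d}" for n in range(10_000)]
KDF_ITERATIONS = 100  # deliberately low so the demo runs quickly; more does not help a 10^4 space


def store_pin_hashed(pin):
    """The 'we hashed it, so it is safe' approach: returns (salt, digest)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS)
    return salt, digest


def recover_pin_offline(salt, digest):
    """Offline attack against a stolen hashed record: try all 10,000 PINs.
    Salting and iteration count only multiply a tiny constant."""
    for candidate in PIN_SPACE:
        trial = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, KDF_ITERATIONS)
        if hmac.compare_digest(trial, digest):
            return candidate
    return None


class PinVerifier:
    """Keyed verification with online attempt limiting.

    The key is held by the verifier (assumed: an HSM or separate service), so a
    copy of the stored values alone cannot be brute-forced, and the account name
    is bound into the MAC so values cannot be compared across accounts.
    """

    def __init__(self, key, max_attempts=3):
        self._key = key
        self.max_attempts = max_attempts
        self.attempts = {}

    def enroll(self, account, pin):
        return hmac.new(self._key, f"{account}:{pin}".encode(), hashlib.sha256).digest()

    def verify(self, account, pin, stored):
        failures = self.attempts.get(account, 0)
        if failures >= self.max_attempts:
            return False  # locked: no further guesses accepted
        ok = hmac.compare_digest(self.enroll(account, pin), stored)
        self.attempts[account] = 0 if ok else failures + 1
        return ok


if __name__ == "__main__":
    salt, digest = store_pin_hashed("0137")
    print("hashed PIN recovered offline:", recover_pin_offline(salt, digest))
    verifier = PinVerifier(key=os.urandom(32))
    stored = verifier.enroll("acct-1", "0137")
    print("correct PIN accepted:", verifier.verify("acct-1", "0137", stored))
```

The point of the two halves is the contrast: the first store is cleartext with extra steps, while the second has nothing worth stealing unless the key goes with it, which is exactly why the answer to “why can’t you tell me my PIN?” should be “because we do not have it.”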
The amazing (in both quality and quantity of blog post production) Lori MacVittie of f5 has a blog post up on their corporate blog called, “A Formula for Quantifying Productivity of Web Applications.” Basically, Lori proposes that we study web server processes and the time to complete them over a period of time rather than […]
So I’m not sure if Michael Pollan’s “Out of the Kitchen, Onto the Couch” is supposed to be a movie review, but it’s definitely worth reading if you think about what you eat. I really like this line: The historical drift of cooking programs — from a genuine interest in producing food yourself to the […]
It might seem, to the average person, that the “Birthers” must have a tough time proving their case. After all, Barack Obama has released his Certification of Live Birth (pictured above), which meets all the requirements for proving one’s citizenship to the State Department. The authenticity of the certificate has been verified by Hawaii state […]
Information anyone gives to Facebook can be used by Facebook to do things Facebook wants to do. Like use your face in a personals ad. Even if Facebook knows you’re married. Facebook used Cheryl Smith’s face this way in an ad that it showed her husband. (“oops”) So go read more in Wife’s face used […]
A bunch of widely read people are blogging about “MyIDscore.com Offers Free ID Theft Risk Score.” That’s Brian Krebs at the Washington Post. See also Jim Harper, “My ID Score.” First, there’s little explanation of how it’s working. I got a 240 when I didn’t give them my SSN, and my score dropped to 40 […]
The last post on the Mortman/Hutton model today is the most important. You see, the primary idea (to me) behind the Mortman/Hutton model was never really to come to a strict or broadly accepted model for discussing what factors drive the creation and adoption of exploit code. That was and is a vehicle for what […]
One of the really fascinating things about listening to the streaming audio of the first moon landing is how much time was spent debugging the spacecraft, resetting this and that. As the memory fades away, Charlie Stross wrote about the difficulties in going back to the moon: Not only does the cost of putting a […]
Remember: identity theft isn’t getting your credit card stolen; that’s fraud. Having the records that define who you are to an entire country and determine whether you can get a relatively high paying job get stolen. That’s identity theft…
It was built to be impenetrable, from its “super rugged transparent polycarbonate housing” to its intricate double-tabbed lid… Just go read the story. Anything else I say will spoil the punchline.
I hate the overuse of URL shorteners like tinyurl. I like to be able to see what a link is before I click on it. I don’t like that these companies get to be yet another point of surveillance. (To be fair, tinyurl doesn’t seem to be taking advantage of that. I have cookies from […]
A couple of good articles are John McWhorter’s “Gates is Right–and We’re Not Post-Racial Until He’s Wrong,” and Lowry Heussler’s “Nightmare on Ware Street.” The full police report is at “Gates police report.” I think PHB’s comment on Michael Froomkin’s post is quite interesting: You are all missing a rather significant fact, this is the […]
Demonstrating that no one’s data is safe, the names, pay records, and other personal information of 90,000 English soldiers was placed on the Internet. These soldiers, who served with King Henry V at Agincourt now have their information listed at www.medievalsoldier.org, exposing them to the chance of identity theft after nearly 500 years. These soldiers […]
So Dave Mortman and Alex Hutton have a talk submitted to Security BSides entitled “Challenging the Epistemological Anarchist to Escape our Dark Age.” Now, it would certainly be nice if we could all use the same words to mean the same things. It would make communication so much easier! It would let us build the […]
The Apollo program took place at just about the right time for me. I was six (or, as I would quickly have pointed out at the time, six *and a half*) when the first lunar landing occurred, and barely ten when Apollo 17 splashed down. This was old enough to be fascinated by the technology […]
New things resemble old things at first. Moreover, people interpret new things in terms of old things. Such it is with the new Google Chrome OS. Very little I’ve seen on it seems to understand it. The main stream of commentary is comparisons to Windows and how this means that Google is in the OS […]
In “Kindling a Consumer Revolt,” I quoted the New York Times: But no, apparently the publisher changed its mind about offering an electronic edition, and apparently Amazon, whose business lives and dies by publisher happiness, caved. It electronically deleted all books by this author from people’s Kindles and credited their accounts for the price.” What […]
In case you haven’t heard about it, there is a brouhaha about Amazon un-selling copies of two Orwell books, 1984 and Animal Farm. There has been much hand-wringing, particularly since it’s deliciously amusing that that it’s Orwell. The root cause of the issue is that the version of the Orwell novels available on the Kindle […]
Well, by now it’s all over the blogo/twitter spheres, and everything that might be said has already been said about Eric Blair, a publisher and Amazon: This morning, hundreds of Amazon Kindle owners awoke to discover that books by a certain famous author had mysteriously disappeared from their e-book readers. These were books that they […]
We had some expected downtime this morning. Thanks for your notes and IMs. If you’re reading this, things are now working again.
Following up on my previous post, here’s Part 2, “The Factors that Drive Probable Use”. This is the meat of our model. Follow up posts will dig deeper into Parts 1 and 2. At Black Hat we’ll be applying this model to the vulnerabilities that are going to be released at the show. But before […]
Forty years ago today, Apollo 11 lifted off for the moon, carrying Buzz Aldrin, Neil Armstrong and Michael Collins. The Boston Globe has a great selection of photos, “Remembering Apollo 11.” (Thanks to Deb for the link.)
It’s hard not to like a holiday which celebrates the storming of a prison and the end of a monarchy. Photo: Vytenis Benetis .
I wanted to throw it out here as an example of how you would use the model from my earlier post in real life. So let’s take the recently released Internet Explorer security vulnerability and see how it fits. Now this is a pretty brain-dead example and hardly requires a special tool, but I think it […]
Iang’s posts are, as a rule, really thought provoking, and his latest series is no exception. In his most recent post, How many rotten apples will spoil the barrel, he asks: So we are somewhere in-between the extremes. Some good, some bad. The question then further develops into whether the ones that are good are […]
You can’t expect a bank that is dumb enough to sue itself to know why it is suing itself. Yet I could not resist asking Wells Fargo Bank NA why it filed a civil complaint against itself in a mortgage foreclosure case in Hillsborough County, Fla. “Due to state foreclosure laws, lenders are obligated to […]
Robin Hanson has an interesting article, “Desert Errors:” His findings stayed secret until 1947, when he was allowed to publish his pioneering Physiology of Man in the Desert. It went almost entirely unnoticed. In the late 1960s, marathon runners were still advised not to drink during races and until 1977, runners in international competitions were […]
Not much to add, but a good article in Business Week on Lessons from the Data Breach at Heartland. Well worth reading…
In “Who Watches the Watchman” there’s an interesting history of watchclocks: An elegant solution, designed and patented in 1901 by the German engineer A.A. Newman, is called the “watchclock”. It’s an ingenious mechanical device, slung over the shoulder like a canteen and powered by a simple wind-up spring mechanism. It precisely tracks and records a […]
The nation’s Social Security numbering system has left millions of citizens vulnerable to privacy breaches, according to researchers at Carnegie Mellon University, who for the first time have used statistical techniques to predict Social Security numbers solely from an individual’s date and location of birth. The findings, published Monday in The Proceedings of the National […]
Alex and I will be on a panel, A Black Hat Vulnerability Risk Assessment, at this year’s Black Hat. We’ll be discussing the need to perform a risk assessment of vulnerabilities as you become aware of them in a deeper context than just looking at the CVSS scores. Things to consider are what compensating controls […]
Bob Blakely has a thought-provoking blog post which starts: The Cyberspace Policy Review says “The national dialog on cyber-security must begin today.” I agree. Let’s start the dialog with a conversation about what sacrifices we’re willing to make to get to an acceptable worst-case performance. Here are four questions to get the ball rolling: Question […]
My usual celebration of Independence day is to post, in its entirety, the Declaration of Independence. It’s very much worth reading, but this year, there’s a little twist, from a delightful story starring Lawren Smithline and Robert Patterson, with a cameo by Thomas Jefferson. Patterson sent Jefferson a letter which read, in part: “I shall […]
Our love affair with the Iranian Tweetolution has worn off. The thugs declared their election valid, told their armed representatives to Sorry, next tweet: go impose some law or order or something, and it was done. Well, as it often turns out, there was more to it than fits in 140 characters, and the real […]
The Black Hat conference in Las Vegas always has its share of drama. This year, it’s happened a month before the conference opens. The researcher Barnaby Jack had to cancel his talk. Risky.biz gives an account of this; his talk was to make an Automated Teller Machine spit out a “jackpot” of cash, in the […]
What they were emphatically not doing, said Jay Platt, the third-generation proprietor of the ranch, was abiding by a federally recommended livestock identification plan, intended to speed the tracing of animal diseases, that has caused an uproar among ranchers. They were not attaching the recommended tags with microchips that would allow the computerized recording of […]
“Flying from Los Angeles to New York for a signing at Jim Hanley’s Universe Wednesday (May 13th), I was flagged at the gate for ‘extra screening’. I was subjected to not one, but two invasive searches of my person and belongings. TSA agents then ‘discovered’ the script for Unthinkable #3. They sat and read the […]
It’s easy to critique the recent Voltage report on breaches. (For example, “2009 started out to be a good year for hackers; in the first three months alone, there were already 132 data breaches reported.” That there were 132 breaches does not mean that hackers are having a good year; most breaches are not caused […]
Three years and three days ago I announced that “I’m Joining Microsoft.” While I was interviewing, my final interviewer asked me “how long do you plan to stay?” I told him that I’d make a three year commitment, but I really didn’t know. We both knew that a lot of senior industry people have trouble […]
In “Books that should be in a security manager’s library,” Jeffrey Bennett says nice things about The New School (the book) and suggests that it’s one of eight that “no professional library is complete without.” Thanks!
Paul Kedrosky has an amazing video: As described in the New Scientist: Researchers from several Japanese universities managed the feat by putting 22 vehicles on a 230-metre single-lane circuit (see video). They asked drivers to cruise steadily at 30 kilometres per hour, and at first the traffic moved freely. But small fluctuations soon appeared in […]
Since Adam started it, I’ll add a link to a nice YouTube video about how to be a good skeptic h/t BoingBoing
I’m cleaning out my pending link list with a couple of morbidly-thematic links. Old-but-interesting (2007 vintage) list of relative likelihoods of death compared to dying in a terrorist attack. For example… You are 1048 times more likely to die from a car accident than from a terrorist attack You are 12 times more likely to die from […]
OK, so this week for Visualization Friday, I’m going to point you to just one thing: At Last, a Scientific Approach to Infographics A blog post by the awesome visualization expert Stephen Few that praises: Visual Language for Designers: Principles for Creating Graphics that People Understand by Connie Malamed OK, I’ll also mention that I […]
Rich Mogull has a great post on “Science, Skepticism and Security” In the security industry we never lack for theories or statistics, but very few of them are based on sound scientific principles, and often they cannot withstand scientific scrutiny. For example, the historic claim that 70% of security attacks were from the “insider threat” […]
The New York Times reports: At least six men suspected or convicted of crimes that threaten national security retained their federal aviation licenses, despite antiterrorism laws written after the attacks of Sept. 11, 2001, that required license revocation. Among them was a Libyan sentenced to 27 years in prison by a Scottish court for the […]
Ross Anderson is liveblogging the 2009 Workshop on Economics of Information Security. I’m in Seattle, and thus following eagerly. It seems Bruce isn’t liveblogging this time. I know I found it challenging to be a stenographer and a participant at SHB.
HONG KONG (Reuters) – A Singapore cancer patient was held for four hours by immigration officials in the United States when they could not detect his fingerprints — which had apparently disappeared because of a drug he was taking. The incident, highlighted in the Annals of Oncology, was reported by the patient’s doctor, Tan Eng […]
So Clear’s Verified Line Jumper service has shut down. Aviation Week has a blog post, “Clear Shuts Down Registered Traveler Lanes.” Clear collected a lot of data: The information that TSA requires us to request is full legal name, other names used, Social Security number (optional), citizenship, Alien Registration Number (if applicable), current home […]
The Economist’s Bagehot writes about his idea of “The chemistry of revolution,” while admitting he’s generalizing from two. Ethan Zuckerman on “Iran, citizen media and media attention.” “Unfortunately, unlike positive online gestures of solidarity (retweeting reports from Iran, turning Twitter or Facebook pictures green), this one does little more than piss off sysadmins, helps Iranian […]
Via CNN: Steve Bierfeldt says the Transportation Security Administration pulled him aside for extra questioning in March. He was carrying a pocket edition of the U.S. Constitution and an iPhone capable of making audio recordings. And he used them. On a recording a TSA agent can be heard berating Bierfeldt. One sample: “You want to […]
Joseph Carnevale, 21, was nabbed Wednesday after a Raleigh Police Department investigation determined that he was responsible for the work (seen below) constructed May 31 on a roadway adjacent to North Carolina State University. Carnevale, pictured in the mug shot at right, was charged with misdemeanor larceny for allegedly building his orange monster from materials […]
Yesterday I got to see what might have been one of the most amazing(ly bad) security dashboards I’ve ever seen. And those who have read my posts on visualization know that I find the visualization of risk & security to be a pretty fascinating field of study. So given the quality of the GRC apps […]
Celebrate Juneteenth, but remember that we have not eliminated the scourge of slavery.
Is that they can be gamed. See “Terror law used to stop thousands ‘just to balance racial statistics’” in the Guardian: Thousands of people are being stopped and searched by the police under their counter-terrorism powers – simply to provide a racial balance in official statistics, the government’s official anti-terror law watchdog has revealed. […]
The organizers of the 9th Privacy Enhancing Technologies Symposium invite you to participate in PETS 2009, to be held at the University of Washington, Seattle, WA, USA, on Aug 5-7, 2009. PETS features leading research in a broad array of topics, with sessions on network privacy, database privacy, anonymous communication, privacy policies, and privacy offline. […]
Millions of people in Iran are in the streets, protesting a stolen election. Nate Silver, who did a great job on US election statistics has this: However, given the absolutely bizarre figures that have been given for several provinces, given qualitative knowledge – for example, that Mahdi Karroubi earned almost negligible vote totals in his […]
Paul Nylander has some amazingly beautiful mathematical constructs which he’s ray-tracing. Via Aleks Jakulin.
Update 26 June 2009: The status of Green Dam’s optionality is still up in the air. See, for example, this news story on PC makers’ efforts to comply, which points out that Under the order, which was given to manufacturers in May and publicly released in early June, producers are required to pre-install Green Dam […]
(Bruce Schneier has been running a successful prediction attack on my URLs, but the final session breaks his algorithm. More content to follow.) So as it turns out, I was in the last session, and didn’t blog it. Bruce Schneier and Ross Anderson did. Matt Blaze has the audio. I’ll turn my comments into an […]
Tyler Moore chaired the privacy session. Alessandro Acquisti, CMU. (Suggested reading: What Can Behavioral Economics Teach Us About Privacy?; Privacy in Electronic Commerce and the Economics of Immediate Gratification.) It’s not that people act irrationally, it’s that we need deeper models of their privacy choices. Illusion of control, over-confidence, in privacy people seek ambiguity, people […]
Bill Burns (Suggested reading Decision Research: The Diffusion of Fear: Modeling Community Response to a Terrorist Strike) Response to Crisis: Perceptions, Emotions and Behaviors. Examining a set of scenarios of threats in downtown LA. Earthquake, chlorine release, dirty bomb. Earthquake: likely 100-200 casualties. Dirty bomb, expected casualties: 100 at most. Chlorine may be thousands to […]
Rachel Greenstadt chaired. I’m going to try to be a little less literal in my capture, and a little more interpretive. My comments in italic. Terence Taylor, ICLS (Suggested reading: Darwinian Security; Natural Security (A Darwinian Approach to a Dangerous World)). Thinks about living with risks, rather than managing them. There are lessons from biology, […]
David Livingstone Smith chaired. Angela Sasse “If you only remember one thing: write down everything the user needs to do and then write down everything the user needs to know to make the system work. Results of failure are large, hard to measure. (Errors, frustration, annoyance, impact on processes and performance, coloring user perception of […]
Caspar Bowden chaired session 3, on usability. Andrew Patrick NRC Canada (until Tuesday), spoke about there being two users of biometric systems: the purchaser or system operator and the subject. Argues that biometrics are being rolled out without a lot of thought for why they’re being used, when they make sense and when not. Canada […]
The pseudonymous blogger, Publius, has been outed. Ed Whelan of the National Review outed him in what appears to be nothing more than a fit of pique at a third blogger, Ed Volokh, and Publius commented on Volokh’s criticism of Whelan, so Whelan lashed out at Publius. Or so it seems from the nosebleed bleachers […]
Julie Downs studied users who were going through an email inbox full of phishing emails, while doing a talk-aloud. They also did interviews afterwards. People with incidents get very sensitive to risks, but don’t get any better at identifying phishing emails. What really helps is contextualized understanding. Do they know what a URL is? Do […]
Frank Stajano Understanding Victims Six principles for systems security Real systems don’t follow logic that we think about. Fraudsters understand victims really well. Working with UK TV show, “the real hustle.” Draft paper on SHB site. Principles: Distraction, social compliance, herd principle, deception, greed, dishonesty David Livingstone Smith What are we talking about? Theoretical definitions: […]
I’m at the Security & Human Behavior workshop, and will be trying to blog notes as we go. I should be clear: these notes aren’t intended to be perfect or complete. Update: Bruce Schneier is also liveblogging. intro. Ross Anderson is blogging in comments to this post.
I’m blogging the Security & Human Behavior Workshop at the New School blog. Bruce Schneier is also blogging it, as is Ross Anderson.
From Chandler, who is in China: Adam sent along to the authors of this blog a link to the New York Times obituary for Peter Bernstein (http://www.nytimes.com/2009/06/08/business/08bernstein.html?_r=1&hpw) yesterday: Peter L. Bernstein, an economic historian and a widely read popularizer of the efficient market theory, which changed trading behavior on Wall Street, died Friday at NewYork-Presbyterian/Weill […]
“Together, we have today changed the landscape of European politics. No matter how this night ends, we have changed it,” Falkvinge said. “This feels wonderful. The citizens have understood it’s time to make a difference. The older politicians have taken apart young peoples’ lifestyle, bit by bit. We do not accept that the authorities’ mass-surveillance,” […]
I have a ton of tabs open in Firefox about stuff I thought would be some sweet newschool-esque reading for everybody out there. 1.) Threat and Risk Mapping Analysis in Sudan Not really about measurement and progress, but a fascinating look at “physical risk management” nonetheless: http://irevolution.wordpress.com/2009/04/09/threat-and-risk-mapping-analysis-in-sudan/ 2.) I thought Gunnar did a great job […]
As I’ve said before, all non-trivial privacy warnings are mocked and then come true. Sixty years ago today, George Orwell published 1984. He unfortunately failed to include a note that the book was intended as a warning, not a manual. Today, in England, there are an unknown number of surveillance cameras, including many around Orwell’s […]
The crowd for the premiere seemed pleased. It wasn’t your typical Broadway musical audience, to judge from the number of smart-looking young people with interesting haircuts. A “lively counterpoint to Hollywood productions like ‘Valkyrie’ and ‘Defiance,’ with their impeccable Resistance heroes and clichés,” decided the reviewer for Spiegel Online. “The New York triumph was repeated […]
There was an interesting segment on NPR this morning, “Economy Got You Down? Many Blame Rating Firms,” that covered, amongst other things, the risk model that Standard and Poors used to rate bonds, specifically mortgage-backed ones. There are a few choice quotes in the story about how the organizations approached the models […]
I haven’t had a chance to read it, but I’ll probably pick up “Absinthe and Flamethrowers: Projects and Ruminations on the Art of Living Dangerously” at some point, if only because of the author’s writing on the relationship between risk and happiness says something I’ve always suspected, that risk takers are happier than risk avoiders […]
I found this short documentary about piracy around the Straits of Malacca, an interesting view of the reality of pirate life as a last refuge of the unemployed fisherman, to be an interesting counterpoint to the NPR story, “Behind the Business Plan of Pirates, Inc.,” which provides an altogether different view of the […]
From Gelman’s blog: U.K. Sheriff Cites Officials for Serious Statistical Violations I don’t know if we need an “office” of information assurance in the government sector, but it would be nice to have some penalty on the books for folks who abuse basic common sense statistical principles. Of course, the *real* answer lies in education […]
Hey everyone. I wanted to let you know that Rich, Adrian & Co. at Securosis are spearheading a research project called “Quant”. They currently have a survey up on survey monkey about Patch Management that they’d like participation in. If you can, please give thoughtful contribution to the survey. http://www.surveymonkey.com/s.aspx?sm=SjehgbiAl3mR_2b1gauMibQw_3d_3d There’s something about a registration […]
I just saw a link to someone who had broken Wolfram Alpha. Their breaking question was, “when is 5 trillion days from now?” The broken result is: {DateString[{13689537044,5,13,16,57,18.5796},Hour12Short],:,DateString[{13689537044,5,13,16,57,18.5796},Minute],:,DateString[{13689537044,5,13,16,57,18.5796},Second], ,DateString[{13689537044,5,13,16,57,18.5796},AMPMLowerCase]} | {DateString[{13689537044,5,13,16,57,18.5796},DayName],, ,DateString[{13689537044,5,13,16,57,18.5796},MonthName], ,DateString[{13689537044,5,13,16,57,18.5796},DayShort],, ,13689537044} Which is certainly amusing. A quick check shows that even one trillion days gives a similar error. A bit of the […]
Just for Adam, because I know he’ll *love* this. Was reading the “How to transform your ETL tool into a data quality toolkit” post on the data quality blog when I noticed something. In the graphic they’re presenting there: The.Pie.Chart.Spins. Which could be one of the most awesome data visualization abuses. ever.
The folks over at Voltage have released a really cool interactive map of breaches from around the world. Tools like this show how important having data is, just imagine how much more impressive and useful something like this could be if more people were willing to share data about breaches or other information security issues […]
What’s on your mind? Extra points for mocking other members of the combo for not posting. Me? I’m wondering why the opening of the Parliament of South Africa involves so many bagpipes.
Check out Richard Bejtlich’s Information Security Incident Rating post. In it, he establishes qualitative, color-based scales for various asset-states in relation to the aggregate threat community. As Richard states, he’s not modeling risk, but rather he’s somewhat modeling half of risk (in FAIR terms, an attempt at TEF/LEF/TCap information, just not the loss magnitude side). […]
In an important sense, privacy is a modern invention. Medieval people had no concept of privacy. They also had no actual privacy. Nobody was ever alone. No ordinary person had private space. Houses were tiny and crowded. Everyone was embedded in a face-to-face community. Privacy, as idea and reality, is the creation of a modern […]
“He had set his features into the expression of quiet optimism which it was advisable to wear when facing the telescreen…” Photo: “Under surveillance,” Toban Black, in the 1984 Flickr pool.
As I get ready to go to South Africa, I’m thinking a lot about presentations. I’ll be delivering a keynote and a technical/managerial talk at the ITWeb Security Summit. The keynote will be on ‘The Crisis in Information Security’ and the technical talk on Microsoft’s Security Development Lifecycle. As I think about how to deliver […]
The government is scrapping a post-Sept. 11, 2001, airport screening program because the machines did not operate as intended and cost too much to maintain. The so-called puffer machines were deployed to airports in 2004 to screen randomly selected passengers for bombs after they cleared the standard metal detectors. The machines take 17 seconds to […]
This looks interesting, especially in light of the launch of data.gov: The Obama campaign—and now the Obama administration—blazed new trail in the use of Web 2.0 technology, featuring videos, social networking tools, and new forms of participatory and interactive technology. This event will feature government, technology, and new media leaders in addressing the special challenges […]
There was an interesting story on NPR the other day about “giving circles.” It’s about groups of people getting together, pooling their money, investigating charities together, and then giving money. The story mentions how the increasing bureaucratization* of fund-raising leads to groups whose involvement is “I write them a cheque each year.” It also mentions […]
Congratulations to Stuart Schechter, A. J. Bernheim Brush (Microsoft Research), Serge Egelman (Carnegie Mellon University). Their paper, “It’s No Secret. Measuring the Security and Reliability of Authentication via ‘Secret’ Questions” has been Slashdotted. It’s really good research, which Rob Lemos covered in “Are Your “Secret Questions” Too Easily Answered?”
We were surprised last week to see that the GAO has issued a report certifying that, “As of April 2009, TSA had generally achieved 9 of the 10 statutory conditions related to the development of the Secure Flight program and had conditionally achieved 1 condition (TSA had defined plans, but had not completed all activities […]
Just Landed: Processing, Twitter, MetaCarta & Hidden Data: This got me thinking about the data that is hidden in various social network information streams – Facebook & Twitter updates in particular. People share a lot of information in their tweets – some of it shared intentionally, and some of it which could be uncovered with […]
A bunch of folks sent me links to this Photography License, which also found its way to BoingBoing: Now, bizarrely, if you visit that page, Yahoo wants you to show your (Yahoo-issued) ID to see (Matt’s self-issued) ID. It’s probably a bad idea to present a novelty version of a DHS document to law enforcement. […]
cloudenfreude — Feeling of happiness at watching the discomfort of others, especially senior management, as they accept in aggregate for *aaS the same risks which were easily accepted piecemeal over time for the analogous service internally.
Thinking security can not be done without adopting a preferential mode of thought of the attacker. A system cannot be defended if we do not know how to attack it. If the theory is still an interesting approach to formalize things, the operational approach must be the ultimate goal: to talk about security is meaningless […]
Interesting information was made available today from VISA about PCI Compliance status for Level 1, 2, and 3 merchants. Find it as a .pdf >>here<< (thanks to Mike Dahn for bringing it to our notice). **UPDATE** You may want to check out what Pete Lindstrom has done with that data, in his Blog Post, “Is […]
Is Statistically Mixed? Richard Bejtlich (whom I do admire greatly in most all of his work) just dug up a dead horse and started beating it with the shovel, and I just happen to have this baseball bat in my hands, and we seem to be entangled together on this subject, so here goes: I […]
If you’re not familiar with the term email bankruptcy, it’s admitting publicly that you can’t handle your email, and people should just send it to you again. A few weeks ago, I had to declare twitter bankruptcy. It just became too, too much. I’ve been meaning to blog about it since, but things have just […]
I hadn’t seen this article by Peter Hustinix when it came out, but it’s important. He says that “All data breaches must be made public:” The good news is that Europe’s lawmakers want to make it obligatory to disclose data breaches. The bad news is that the law will not apply to everyone. Those exemptions […]
An enormous thank you to everyone who offered advice on what camera to get. I ended up with a Canon Rebel after heading to a local camera store and having a chance to play with the stabilization features. It may end up on ebay, but I’m confident I’ll get high quality pictures. If they’re great, […]
There’s a piece of software out there trying to cut down on blog spam, and it behaves annoyingly badly. It’s bad in a particular way that drives me up the wall. It prevents reasonable behavior, and barely blocks bad behavior of spammers. In particular, it stops all requests that lack an HTTP Referer: header. All […]
I got the opportunity a couple days ago to get a demo of Wolfram Alpha from Stephen Wolfram himself. It’s an impressive thing, and I can sympathize a bit with them on the overblown publicity. Wolfram said that they didn’t expect the press reaction, which I both empathize with and cast a raised eyebrow at. […]
I’m thinking about maybe getting a new camera. Before I say anything else let me say that I understand that sensor size and lens rule all else, and that size does matter, except when it’s megapixel count, which is a glamour for the foolish. That said, I’m off to South Africa in a few weeks, […]
OR TEXAS HB1830S IS SWINEFLU LEGISLATION, IT’S BEEN INFECTED BY PORK! **UPDATE: It looks like the “vendor language” around Section Six has been struck! Given Bejtlich’s recent promises, I thought we’d take a quick but pragmatic look at why risk assessments, even dumb, back-of-the-envelope assessments, might just be a beneficial thing. As you probably know, […]
Congressman Jason Chaffetz has introduced legislation seeking a ban on Whole-Body Imaging machines installed by the Transportation Security Administration in various airports across America. Describing the method as unnecessary to securing an airplane, Congressman Chaffetz stated that the new law was to “balance the dual virtues of safety and privacy.” The TSA recently announced plans […]
Seattle’s King5 TV reports on “Parking enforcement’s powerful new weapon:” An unassuming white sedan is the Seattle Police Department’s new weapon against parking violators. Just by driving down the street, George Murray, supervisor of SPD’s parking enforcement unit, can make a record of every parked car he passes. “What we’re doing here is we’re actually […]
Recently, a quote from Qualys CTO Wolfgang Kandek struck me kind of weird when I was reading Chris Hoff yet again push our hot buttons on cloud definitions and the concepts of information security survivability. Wolfgang says (and IIRC, this was presented at Jericho in SF a couple of weeks ago, too): In five years, […]
As you probably know by now, the pattern of 1s and 0s on the cover of the 2009 Verizon Data Breach Investigations Report contains a hidden message. I decided to give it a whirl and eventually figured it out. No doubt plenty of people managed to beat me to it, as evidenced by the fact […]
Many at RSA commented on the lack of content in Melissa Hathaway’s RSA keynote. The Wall St Journal has an interesting article which may explain why, “Cybersecurity Review Sets Turf Battle:” President Barack Obama’s cybersecurity review has ignited turf battles inside the White House, with economic adviser Lawrence Summers weighing in to prevent what he […]
aka it’s not nearly as funny when you are the subject of the probe. At a recent conference Justice Scalia said “Every single datum about my life is private? That’s silly,” Well, a professor at Fordham University decided to take Mr Scalia at his word, and had one of his classes collect a dossier on […]
According to ZDNet, “Coleman donor data breached in January, but donors alerted by Wikileaks not campaign:” Donors to Minnesota Senator Norm Coleman’s campaign got a rude awakening this week, thanks to an email from Wikileaks. Coleman’s campaign was keeping donor information in an unprotected database that contained names, addresses, emails, credit card numbers and those […]
I’ll go ahead and promote David. He’s interviewed over at Threat Post. Pod/Talk cast it up! In this episode of the Digital Underground podcast, Dennis Fisher talks with David Mortman, CSO-in-residence at Echelon One and longtime security executive, about whether we’ve become too reliant on compliance, the changing nature of the CSO’s job and how […]
So last week I asked what people wanted to get out of RSA, and the answer was mostly silence and snark. There are some good summaries of RSA at securosis and Stiennon’s network world blog, so I won’t try to do that. But I did promise to tell you what I wanted to get […]
I received some excellent comments on my previous breach visualization post, which I wanted to highlight for EC readers and take a stab at addressing.
I took the latest DataLossDB.org breach database and extracted all breaches involving a third party, omitting all columns other than the reporting entity and the third party. I then ran the resulting two-column CSV file through afterglow, and finally made pretty (3MB) picture with graphviz. This was done more for fun than for insight, but […]
In 1999 Syse Data was converted to a limited liability company, and has since been trading under the name Syse Data AS[1]. As the names are so similar, searches for our company in the official Norwegian registry of just-about-anything (Brønnøysundregistrene) often resulted in potential customers looking up the wrong company. To prevent this confusion we […]
In no particular order, your friendly neighborhood Dept. of Pre-blogging hereby predictively reports on: Increased speculation, coupled with a spike in Twitter activity. Politicization of the event from the Right (blame Mexico and/or Big Government), the Left (if we spent money in the right places, this would not happen), and out in left field (this […]
The Open Security Foundation, creators of OSVDB and DataLossDB have won SC Magazine’s Editor’s Choice award for 2009. It’s well deserved. In other Open Security Foundation News, about a dozen people asked me how to get a stylin’ DataLossDB t-shirt. It’s pretty easy-donate. I think you get one at the $100 level.
A huge congratulations to the winners of the Social Security Awards [on Wednesday] PaulDotCom won the Best Podcast Award, the crew at the SANS Internet Storm Center won the best Technical Blog award, the best Non-Technical Blog went to Richard Bejtlich of the TaoSecurity Blog, Sunbelt Security won the Best Corporate Blog and Mike Rothman […]
Registration for The Eighth Workshop on the Economics of Information Security (WEIS 2009) is now open. The deadline for the Early Bird registration is 1 June 2009. We’ve written here often (and favorably) about WEIS, and about papers delivered there.
Following up on Ben’s comment to s/green/secure/g, infosec generally makes life /harder/ for people (at least in the short-term), all to keep bad things from happening. I’ll argue it’s even worse than that. Since “secure” is neither achievable nor a static state, it can never be done and standing still means falling behind. One of […]
So I’m getting ready to head over to RSA, and I’m curious. If you believe that “security is about outcomes, not about process,” what outcomes do you want from RSA? How will you judge if the conference was worthwhile?
Don’t miss this fascinating article in the New York Times, “Why Isn’t the Brain Green?” You can read it for itself, but then you hit paragraphs like this: It isn’t immediately obvious why such studies are necessary or even valuable. Indeed, in the United States scientific community, where nearly all dollars for climate investigation are […]
“Data Breach Notification Law Across the World from California to Australia” by Alana Maurushat. From the abstract: The following article and table examine the specifics of data breach notification frameworks in multiple jurisdictions. Over the year of 2008, Alana Maurushat of the Cyberspace Law and Policy Centre, with research assistance from David Vaile and student […]
Normally, I try to post funny bits over the weekend, but I can’t let this week’s news slip by. I have deeply mixed feelings about how to handle those who tortured. On the one hand, they were only following orders. On the other hand, they were following orders which clearly required contortions to see as […]
Rich Mogull, Adrian Lane, (of Securosis) and Jeff Jones (of Microsoft) have started a “transparent” metrics project “to help build an independent model to measure the costs and effectiveness of patch management.” They’re calling it (for now) Project Quant. As you can probably guess, I’m all for transparent metrics projects, and I hope you’ll at […]
Every year around this time, thousands of people converge on the Moscone Center in San Francisco for RSA. I had never given much thought to who Moscone was–some local politician I figured. I first heard about Harvey Milk in the context of the Dead Kennedys cover of I Fought The Law: The law don’t mean […]
Real briefly, something that came to me reading Marcus Ranum over at Tenable’s Blog. Marcus writes: Usually, when I attack pseudo-science in computer security, someone replies, “Yes, but some data is better than none at all!” Absolutely not true! Deceptive, inaccurate, and misleading data is worse than none at all, because it can encourage you […]
I came across an interesting take on Nassim Taleb’s “Black Swan” article for the Financial Times via JP Rangaswami‘s blog “Confused in Calcutta“. Friends and folks who know me are probably tired of my rants about what I think of Taleb’s work and what I think he’s gotten wrong. But really, I find his FT […]
I’ve given Vz’s DBIR a quick perusal. The data are interesting indeed and the recommendations are obvious. There is little new here in the way of recommendations – I guess nobody is listening or the controls are ineffective (or a bit of both). Regardless, I have a few items that confuse and irritate me a […]
Back in March, the Berkeley Center for Law and Technology put on a great conference, the “Security Breach Notification Symposium.” It was a fascinating day, and the audio is now online.
Last night, the fine folks at Verizon posted the 2009 version of the DBIR. I haven’t had time to do a full deep dive yet, but I thought I’d share my initial notes in the meantime. Stuff in italics is from the DBIR, regular text is me: 81 percent of organizations subject to PCI DSS […]
The intersection of crime and technology is a fascinating place. Innovation of fraud, theft, and industrial espionage is occurring at a phenomenal pace and is producing no shortage of real problems that Information Risk and Security professionals need to be learning about and addressing. Unfortunately, the noise coming from journalists in this space is so […]
Several commenters on yesterday’s post brought up the excellent point that it’s hard to talk about outcomes when you think you haven’t had any incidents. (“Consider the bank that had no attempted robberies this year”) Are you right? With a bank, it’s pretty easy to see most robberies. What’s more, we have the FBI showing […]
I’m really excited to announce NewSchoolSecurity.com, the blog inspired by the book. I’ll be blogging with Alex Hutton, Chandler Howell and Brooke Paul. And who knows, maybe we’ll even get a post or two from Andrew? Emergent Chaos will continue. My posts here will be a little more on the privacy, liberty and economics end […]
In some migration or another, this post was duplicated; the real post is at https://adam.shostack.org/blog/2009/04/security-is-about-outcomes-not-about-process/. Editing to avoid linkrot
Nearly a decade ago Bruce Schneier wrote “Security is a process, not a product.” His statement helped us advance as a profession, but with the benefit of hindsight, we can see he’s only half right. Security isn’t about technology. Security is about outcomes, and our perceptions, beliefs and assurance about those outcomes. Here’s a quick […]
So while Statebook is a pretty entertaining demo, “Database State” is a disturbing look at how real the underlying data collection is in the U.K. Via Boingboing.
This is quite possibly the DEA’s greatest success in disrupting the supply of a major illicit substance. The focus on disrupting the supply of inputs rather than of the drug itself proved extremely successful. This success was the result of a highly concentrated input supply market and consequently may be difficult to replicate for drugs […]
Make your own at http://jamesholden.net/billboard/. I was gonna wait for the weekend, but…via @alecmuffet
The Microsoft SIR was released 4/8 and is available for download here. Some of the interesting stuff they put in graphs is from the Open Security Foundation’s OSF Data Loss Database (http://datalossdb.org). Among the interesting things in the Microsoft SIR: Good old theft and losing equipment, when combined, still beats the sexier categories hands down. […]
“Freeway Drivers Grab Money as Suspects Toss Thousands During Police Chase:” Thousands of dollars worth of hundred dollar bills brought rush hour to an abrupt halt on two San Diego freeways. Drug suspects tossed the money from their car as they were chased by police. Other drivers saw the money and stopped their cars on […]
So I apologize for short notice. Hopefully the webmaster will get in gear and put up an event calendar or something, but here are a couple of events you might want to attend today that New School Bloggers are speaking at. First, David Mortman is giving “The Mortman Briefing: Metrics for the Real World” over at […]
The WSJ has an article up today about how the Russians and Chinese are mapping the US electrical grid. What I thought was more interesting was the graph they used (which is only mildly related to the article itself). If I’m reading this correctly, the DHS is claiming that there were just under 70,000 breaches […]
Thanks for stopping by The New School of Information Security Blog. We’re very “beta” right now, and anticipate having everything ready by the RSA conference (the week of the 17th). If you’d like to see some recent content by our authors, I had a recent post on the Verizon/Cybertrust blog about the PCI DSS and […]
For the past few months, I’ve been working with the folks at the RSA Conference to put together a track entitled “Research Revealed.” Our idea is that security needs to advance by getting empirical, and bringing in a wide variety of analytic techniques. (Regular readers understand that Andrew Stewart and I brought these ideas together […]
While I was running around between the Berkeley Data Breaches conference and SOURCE Boston, Gary McGraw and Brian Chess were releasing the Building Security In Maturity Model. Lots has been said, so I’d just like to quote one little bit: One could build a maturity model for software security theoretically (by pondering what organizations should […]
This year’s Computers, Freedom and Privacy Conference will feature a research showcase in the form of a research poster session as well as a research panel that includes the authors of the best research posters. CFP is the leading policy conference exploring the impact of the Internet, computers, and communications technologies on society. For more […]
Effects shop fulfills amputee’s mermaid dream:
and I’ll sing what he said. Ethan Zuckerman has two great posts lately: “From protest to collaboration: Paul Simon’s “Graceland” and lessons for xenophiles” and “Argentine economics and maker culture.” The Paul Simon post talks about the deep history of the Apartheid boycott, Paul Simon’s approach to creating Graceland. Graceland was a collaboration of the […]
A Missouri state bill requiring notification of the state attorney general as well as of individuals whose records have been exposed just took a step closer to becoming law. As reported in the St. Louis Business Journal on April 1: Missouri businesses would be required to notify consumers when their personal or financial information is […]
I was going to title this “Painful Mistakes: Torture, Boyd and Lessons for Infosec,” but then decided that I wanted to talk about torture in a slightly different way. The Washington Post reports that “Detainee’s Harsh Treatment Foiled No Plots” and [UK Foreign & Commonwealth Office] Finally Admits To Receiving Intelligence From Torture. From the […]
British newspaper announces all-tweet format. Hilarity ensues.
Ben Laurie has a nice little post up “More Banking Stupidity: Phished by Visa:” Not content with destroying the world’s economies, the banking industry is also bent on ruining us individually, it seems. Take a look at Verified By Visa. Allegedly this protects cardholders – by training them to expect a process in which there’s […]
This picture was taken by 4 high school kids with no budget: The Telegraph has the story at Teens capture images of space with £56 camera and balloon. You can click the photo for their amazing Flickr page. It’s a good thing they were in Spain. In the UK, they’d probably have been arrested for […]
I suspect at least some EC readers will be interested in the Call for Papers for Metricon 4.0, to be held in Montreal, August 11. Metricon 4 – The Importance of Context MetriCon 4.0 is intended as a forum for lively, practical discussion in the area of security metrics. It is a forum for quantifiable […]
A few weeks back, Dave Birch asked me if I’d publish my next book myself. I don’t think I would. I’m really happy with Karen Gettman and Jessica Goldstein at Addison Wesley, and I’ve convinced my co-authors for my next book that we should have a discussion about publishers. So why am I happy with […]
Brad DeLong has a FAQ up about Geithner’s plan to purchase toxic assets on the theory that the market has undervalued them, and will in time price them properly. Among the items: Q: What if markets never recover, the assets are not fundamentally undervalued, and even when held to maturity the government doesn’t make back […]
The BBC reports that the UK Local Government Association has a new banned words list, including our favorite, “best practices.” Andrew asked me in email if this was a best practice, and I wrote back: Does it pass the seven whys test? Why did they ban the phrase? Because it’s meaningless business speak Why is […]
The Daily Beast has a fascinating article that is a tell-all from a Madoff employee. I blinked as I read: The employee learned the salaries of his colleagues when he secretly obtained a document listing them. “A senior computer programmer would make $350,000, where in most comparable firms they would be getting $200,000 to $250,000….” […]
So when someone sent me a link to “The Mother of all Funk Chords,” they didn’t explain it, and I didn’t quite get what I was watching. What I was watching: …is a mash up of videos found on YouTube, turned into an entire album by an Israeli artist, Kutiman.
I posted last month about Bob Blakely’s podcast with Phil Windley. Now (by which I really mean last month, wow I’m running behind!) Bob posts that the “Relationship Paper Now Freely Available,” and I’m embarrassed to say I stole Bob’s opening sentence. Now that I’ve actually read the paper, I’d like to remix the ideas […]
March 15-21 is “Sunshine Week“, a government transparency initiative described by its main proponents as a national initiative to open a dialogue about the importance of open government and freedom of information. Participants include print, broadcast and online news media, civic groups, libraries, non-profits, schools and others interested in the public’s right to know. The […]
Joseph Ratzinger (a/k/a Benedict XVI) recently made some comments that got some press. In particular, as Reuters reports: “Pope in Africa reaffirms ‘no condoms’ against AIDS.” Quoting the story, “The Church teaches that fidelity within heterosexual marriage, chastity and abstinence are the best ways to stop AIDS.” Many of you are likely […]
According to ZDNet, “Coleman donor data breached in January, but donors alerted by Wikileaks not campaign:” Donors to Minnesota Senator Norm Coleman’s campaign got a rude awakening this week, thanks to an email from Wikileaks. Coleman’s campaign was keeping donor information in an unprotected database that contained names, addresses, emails, credit card numbers and those […]
My smart friend James Thomson of TLA Systems has created a new benchmark in iPhone applications, Twitkitteh. Not only is it the first Twitter client for cats, but it might also be the first iPhone app for cats, as well. I’ve always accused my cats of playing the stereo when I’m not there, and it […]
Paul Graham has a great article in “Startups in 13 Sentences:” Having gotten it down to 13 sentences, I asked myself which I’d choose if I could only keep one. Understand your users. That’s the key. The essential task in a startup is to create wealth; the dimension of wealth you have most control over […]
In re-reading my blog post on twittering during a conference I realized it sounded a lot more negative than I’d meant it to. I’d like to talk about why I see it as a tremendous positive, and will be doing it again. First, it engages the audience. There’s a motive to pay close attention and […]
The 110-story Sears Tower, tallest office building in the Western Hemisphere, will be renamed the Willis Tower, global insurance broker Willis Group Holdings said on Thursday. Willis said it was leasing multiple floors in the 1,451-foot (442-meter) structure in downtown Chicago to consolidate offices. As part of the deal, it will become the Willis Tower […]
A few weeks back, Pistachio twittered about How to Present While People are Twittering. I picked it up, and with the help of Quine, was getting comments from Twitter as I spoke. It was a fun experiment, and it’s pretty cool to be able to go back and look at the back channel. [Update: I […]
The Get FISA Right group is publicizing our need to re-think the laws. They have discussion going on on their site, as well as on The Daily Kos. I recommend catching up there, or reading Adam’s recent post here. I have to ask what was wrong with the old FISA? It wasn’t a bad system, […]
If you like books, if you like to read, you need a copy of Anne Fadiman’s “Ex Libris: Confessions of a Common Reader.” You especially need to read it if you care an iota about identity management, because the major themes in her essays are not only about books, but about identity. (In case you’re […]
I’d give you a topic, but I’m taking Hilzoy’s advice and going Galt. I’ve taken ads off the blog, given up my lucrative contract for Harry Potter and the Half-Baked Firewall, and so turn this thread over to you with but a single request: civility. So what’s on your mind?
Jim Burrows is working to kick off a conversation about what good reform of US telecom law would be. He kicks it off with “What does it mean to “get FISA right”?” and also here. To “get it right”, let me suggest that we need: One law that covers all spying Require warrants when the […]
So it’s now roughly confirmed, except for a few denials from Visa. First there was CardSystems, then Heartland, and maybe there’s at least one more known-to-some criminal breach at a payments processor. A lot of security bloggers have been talking about this, but I figure another day, another breach. Can’t we just get some facts? […]
CSO Online has a good article on data destruction, “Why Information Must Be Destroyed.” It’s mostly about physical documents, not data, but I can still make a few quibbles. The author, Ben Rothke, gives an example of a financial institution that did not live up to its regulatory requirements for properly disposing documents, and was […]
If you can read this, you are now reading Emergent Chaos on its new server. We’ve also upgraded to the 4.x train of MovableType. Let us know what you think. We’re also considering a site redesign, so let us know any feature requests or design suggestions. Thanks!
This and other less subtle Star Wars/classical art mashups are at Star Wars as Classic Art. (Originally.) Thanks, Stepto!
A few years back, I gave a talk titled “Will People Ever Pay for Privacy.” As they say, a picture is worth a thousand words: Tiger Woods’s Boat, Privacy, Attracts Plenty of Onlookers. Photo: Tiger Woods’ Yacht, TheLastMinute.
Robert Scoble, discussing Facebook founder Mark Zuckerberg: He also said that his system looks for “outlying” behavior. He said if you behave like an average user you should never trigger the algorithms that will get you kicked off. Let’s be specific here: if you behave like the system’s Harvard undergraduate founders and primarily-male engineering staff […]
On my work blog, I wrote: We’re pleased to announce version 3.1.4 of the SDL Threat Modeling Tool. A big thanks to all our beta testers who reported issues in the forum! In this release, we fixed many bugs, learned that we needed a little more flexibility in how we handled bug tracking systems (we’ve […]
Next Friday (March 6th) I’ll be speaking at the “Security Breach Notification Symposium:” A one-day symposium on identity theft and security breaches. Experts from law, government, computer science, and economics will discuss laws that protect personal information and suggest reforms to strengthen them. Although most agree that reforms are needed, leading thinkers clash on what […]
Law Prof Dan Solove took the A-Rod question I posted, and blogged much more in depth in A-Rod, Rihanna, and Confidentiality: Shostack suggests that A-Rod might have an action for breach of contract. He might also have an action for the breach of confidentiality tort. Professor Neil Richards and I have written extensively about breach […]
Justin Mason has won the 2009 Irish Blog Award for Best Technology Blog/Blogger. I don’t know how Justin manages to stay engaged with his blog and others while getting so much work done. When I say others, I mean this blog. Justin found Emergent Chaos back when it was a solo gig and I was […]
Peter Fleischer is Google’s chief privacy counsel. I met Peter once at an IAPP event, and spoke pretty briefly. We have a lot of friends and colleagues in common. He’s now threatened with three years of jail in Italy. Google took under 24 hours to remove a video which invaded the privacy of someone with […]
In this week’s CSO Online, Bill Brenner writes about the recent breaks at Kaspersky Labs and F-Secure. You can tell his opinion from the title alone, “Security Vendor Breach Fallout Justified” in his ironically named “FUD watch” column. Brenner watches the FUD as he spreads it. He moans histrionically, When security is your company’s business, […]
The BBC tells the tale of a Polish immigrant flouting traffic regulations across the emerald isle: He had been wanted from counties Cork to Cavan after racking up scores of speeding tickets and parking fines. However, each time the serial offender was stopped he managed to evade justice by giving a different address. As it […]
In 2003 the deal was simple: The players would submit to anonymous steroid testing, and if more than 5 percent tested positive, real testing with real penalties would begin in 2004. But in 2003, the tests were going to be (A) anonymous and then (B) destroyed. Those were the rules of engagement, and in any […]
First, the Economist, “Everybody Does It:” WHY is a beer better than a woman? Because a beer won’t complain if you buy a second beer. Oops. There go your correspondent’s chances of working for Barack Obama, America’s president-elect. (Ironically, the Economist’s articles are all anonymous.) Second, Fraser Speirs, “On the Flickr support in iPhoto ‘09:” […]
The BBC reports: A former head of MI5 has accused the government of exploiting the fear of terrorism to restrict civil liberties. Dame Stella Rimington, 73, stood down as the director general of the security service in 1996…”Furthermore it has achieved the opposite effect – there are more and more suicide terrorists finding a greater […]
Salon reports “Identity theft up, but costs fall sharply:” In 2008, the number of identity theft cases jumped 22 percent to 9.9 million, according to a study released Monday by Javelin Strategy & Research. The good news is that the cost per incident — including unrecovered losses and legal fees — fell 31 percent to […]
There’s a very interesting annotated presentation at “Closing the ‘Collapse Gap’: the USSR was better prepared for collapse than the US.” In it, Dmitry Orlov lays out his comparison between the USSR and the USA of 2006. Posting this now because a talk he gave at Long Now is getting lots of attention. In closely […]
Lernert Engelberts and Sander Plug have taken the AOL search data which AOL released “anonymously,” and made a movie with the searches of user #711391. I Love Alaska, via Guerrilla Innovation. Worth checking out, but be warned, it’s a little on the languid side, using pacing and the voice to build the story. Also, note […]
Okay, this is a rant. Cut and paste is broken in most apps today. More specifically, it is paste that is broken. There are two choices in just about every application: “Paste” and “Paste correctly.” Sometimes the latter one is labeled “Paste and Match Style” (Apple) and sometimes “Paste Special” (Microsoft). However, they have it […]
Happy 200th Birthday, Charles Darwin.
(h/t to Concurring Opinions) The Daily Show With Jon Stewart: “Bill O’Reilly’s Right to Privacy.”
Iang recently indicted the entire audit industry with “Two Scary Words: Sarbanes-Oxley”. I’ve excerpted several chunks below: Let’s check the record: did any audit since Sarbanes-Oxley pick up any of the problems seen in the last 18 months to do with the financial crisis? No. Not one, not even a single one! Yet, the basic […]
So there’s a claim going around, which is that I believe that a breach costs $450 per account. That claim is not accurate. What was said (and the interview was in email, so I can quote exactly): (Interviewer) The Hannaford breach resulted in more than $318,000 in gross fraud losses, according to data reported by […]
Charlie Catlett, CIO of Argonne National Labs has released a report on “A Scientific R&D Approach to Cyber Security” (Powerpoint summary, community wiki). It’s a very interesting report. There’s a lot to agree with in terms of a research agenda. They’re looking to compose trustworthy systems from untrusted components, to create self-protective data and software, […]
The Washington Technology Industry Association has released a very cool map of the Puget Sound Tech Universe. Here’s an excerpt:
The 9th Privacy Enhancing Technologies Symposium will be in Seattle August 5-7. Papers are due March 2nd. The call for papers is here.
So the US Consulate in Jerusalem sold a file cabinet full of secret documents. What I found interesting about the story is the perception of the finder: Hundreds of files — with social security numbers, bank account numbers and other sensitive U.S. government information — were found in a filing cabinet purchased from the U.S. […]
So the 2008 Ponemon breach survey is out and I’m reading through it, but I wanted to expand on the headline: “Ponemon Study Shows Data Breach Costs Continue to Rise.” This is the report’s figure 3: Left to right, those are “detection and escalation,” notification, “ex-post response” and “lost business.” I note that 2 fell, […]
Ethnomethodologists talk a lot about communities of practice. Groups of people who share some set of work that they do similarly, and where they’ll co-evolve ways of working and communicating. When everyone is part of a given community, this works really well. When we talk about “think like an attacker” within a community of security […]
I’m listening to this really interesting podcast by Bob Blakley and Phil Windley. What really struck me was where Bob said “thinking of identity as an artifact all by itself is unsatisfactory because we can talk about an identity and the attributes of an identity leaves out important details about how identities are created and […]
Jackson Pollock.org. [Update: Click the picture. It’s only funny if you click the picture with Flash enabled. The site requires Flash.]
I just wanted to draw attention to the comments in Michael Froomkin’s blog post on “Cabinet Confirmation Mechanics.” I am delighted to have had ‘Jim’ concur with my Constitutional analysis by quoting the closing lines of Ulysses. I’m in awe of your commenters, Michael.
(Or, the presentation of self in everyday donations) So I’ve had a series of fairly political posts about election finance, and in one of them, I said “I’d prefer that the rules avoidance be minimized, and I think transparency is the most promising approach there.” Well, in the interests of transparency, I need to comment […]
In the Cryptography mailing list, John Gilmore recently brought up an interesting point. One of the oft-debated ways to fight spam is to put a form of proof-of-work postage on it. Spam is an emergent property of the very low cost of email combined with the effect that most of the cost is pushed to […]
I just finished an interesting paper, K. Koscher, A. Juels, T. Kohno, and V. Brajkovic. “EPC RFID Tags in Security Applications: Passport Cards, Enhanced Drivers Licenses, and Beyond.” In the paper, they analyze issues of cloning (easy), read ranges (longer than the government would have you believe) and ‘design drift’ (a nice way of saying […]
They’ve added a blotter to add news that isn’t quite breaches, and they’re looking for funds to help with their FOIA requests. Please join me in donating.
Speaking of how you’re presented and perceived…”How to request your travel records,” by Ed Hasbrouck. By popular demand, I’m posting updated forms to request your PNR’s and other records of your international travel that are being kept by the U.S. Customs and Border Protection (CBP) division of the Department of Homeland Security (DHS)… If you […]
Chris Hoff pointed to an interesting blog post from Peter Shankman. Someone* tweeted “True confession but I’m in one of those towns where I scratch my head and say ‘I would die if I had to live here!’” Well it turns out that… Not only did an employee find it, they were totally offended by […]
So what do you do with the million photos everyone took of the inauguration? Here at Emergent Chaos, we believe that we should throw them all in a massive blender, and see what emerges. A massive blender isn’t a very technical description of Photosynth, but it’s not a bad analogy. The project cleverly figures out […]
I am surprised I hadn’t heard about the book Nudge, by Cass Sunstein and Richard Thaler. I haven’t read it yet, but from the web page it seems to be about how policymakers can take into account the heuristics and biases characteristic of human decision-makers and create a choice architecture which yields “proper” decision-making. I […]
The Globe and Mail and the CBC each report that Canada’s Do Not Call list is being used by telemarketers both good and bad (where each term is relative). This is a bit sad for Canada. The US’s DNC list has been very successful, and one of the very few places where the US has […]
This photograph was taken at 11:19 AM on January 20th. It’s very cool that we can get 1 meter resolution photographs from space. What really struck me about this photo was.. well, take a look as you scroll down… What really struck me about this is the open space. What’s up with that? Reports were […]
Quoting first from Obama’s inaugural address: The question we ask today is not whether our government is too big or too small, but whether it works — whether it helps families find jobs at a decent wage, care they can afford, a retirement that is dignified. Where the answer is yes, we intend to move […]
The Freedom of Information Act should be administered with a clear presumption: In the face of doubt, openness prevails. The Government should not keep information confidential merely because public officials might be embarrassed by disclosure, because errors and failures might be revealed, or because of speculative or abstract fears. Nondisclosure should never be based on […]
Well, Mordaxus got the story, but I’ll add some links I found interesting or relevant. StoreFront BackTalk has From The Heartland Breach To Second Guessing Service Providers. Dave G at Matasano added “Heartland’s PCI certification.” The Emergent Chaos time travel team already covered that angle in “Massachusetts Analyzes its Breach Reports:” What’s exciting about this […]
While we were all paying attention to the Inauguration and having merry debates about how many Justices can deliver the Oath of Office on a pin, what may be the biggest breach ever tried to tiptoe past. Heartland Payment Systems may have lost 100 million credit card details, surpassing the 94 million that was lost […]
Now it’s no secret to those of you who know me that I’m a big believer in using risk management in the security space. Iang over at Financial Cryptography thinks it is “a dead duck”: The only business that does risk management as a core or essence is banking and insurance (and, banking is debatable […]
During a chat I had this afternoon, someone brought up an interesting situation to contemplate. The Presidency of George Bush fils ended today at noon EST, but Mr. Obama wasn’t sworn in until 12:10. Who then, the question was, was President during those ten minutes? One mildly unsatisfactory answer is Ms. Pelosi. If there is neither […]
From (the new) Whitehouse.gov: Except where otherwise noted, third-party content on this site is licensed under a Creative Commons Attribution 3.0 License. Visitors to this website agree to grant a non-exclusive, irrevocable, royalty-free license to the rest of the world for their submissions to Whitehouse.gov under the Creative Commons Attribution 3.0 License. http://www.whitehouse.gov/copyright/
The reality that a black man is about to become President of the United States is both momentous and moving. It’s hard to say anything further on the subject that hasn’t been said and re-said, but I am simply proud that the pendulum has swung to someone like Obama. I’m excited to have an educated, […]
There’s an interesting (and long!) “Final Report of the Internet Safety Technical Task Force to the Multi-State Working Group on Social Networking of State Attorneys General of the United States.” Michael Froomkin summarizes the summary.” Adam Thierer was a member of the task force, and has extensive commentary on the primary online safety issue today […]
Moving Forest is a park on wheels. The park is made of trees in shopping carts that allow the public to rearrange their own little park. The forest is created by Dutch architect firm NL architects in response to the lack of green nature in contemporary urban environments – which in the case of the […]
It’s appetizing news for anyone who’s ever wanted the savory taste of meats and cheeses without actually having to eat them: chemists have identified molecular mechanisms underlying the sensation of umami, also known as the fifth taste. … The umami receptor’s shape is similar to that of sweetness receptors, he said, and his team’s research […]
One of the dirty little secrets of bad privacy law is that it kills. People who are not comfortable with the privacy of their medical care may avoid getting needed care. That’s why privacy features in the Hippocratic oath. But few people want to study this issue, and studying it is hard–people are likely to […]
[Update: This got to #5 on change.org’s list, and they’re now working to draw attention to the issue on change.gov.] Jon Pincus has asked me for help in drawing attention to his “Get FISA Right” campaign to get votes on change.org. When I’ve tried to look at this, it’s crashed my browser. YMMV–I use a […]
In “Report On The M.G.L. Chapter 93H Notifications,” the Office of Consumer Affairs analyzes the breach notices which have come in. The report is a lot shorter than the “Maine Breach Study,” coming in at a mere four pages. There are many interesting bits in those four pages, but the two that really jumped out […]
In “The Social Security Blogger Awards,” Alan Shimel asks for nominations for blogs. Ironically, to even see the site at http://www.socialsecurityawards.com/, you need to accept Javascript. I think we should have an award for “best vuln in the voting system.” But anyway, please take a minute to go vote. I’ll ask for your vote for […]
…or, Spaf‘s DVD players get bricked. In which, lies a tale…
Listening to Gary McGraw’s Silver Bullet #33, Laurie Williams mentioned protection poker. Protection poker, like planning poker, isn’t really poker. Planning poker is a planning exercise, designed to avoid certain common pitfalls of other approaches to planning. The idea behind protection poker is to be an “informal form of misuse case development and threat modeling […]
Normally, this would be something for Twitter, but…well…. Officiating at the NY v. Philadelphia game has been poor. Not biased, I don’t think, but poor.
Chris Anderson via Paul Kedrosky.
All from the Strange Maps blog. You could click on the pictures, but this blog is perfect Saturday afternoon “hey look at this” material.
Gary McGraw has a new podcast, “Reality Check” about software security practitioners. The first episode features Steve Lipner. It’s some good insight into how Microsoft is approaching software security. I’d say more, but as Steve says two or three good things about my threat modeling tool, you might think it some form of conspiracy. You […]
Larry Lessig has a very interesting article in Newsweek, “Reboot the FCC.” The essence is that the FCC is inevitably bound by regulatory capture. He proposes a new agency with three tasks: “The iEPA’s first task would thus be to reverse the unrestrained growth of these monopolies.” “The iEPA’s second task should be to assure […]
Stooges guitarist Ron Asheton, dead at 60.
The Identity Theft Resource Center (ITRC) released their year-end breach report: Reports of data breaches increased dramatically in 2008. The Identity Theft Resource Center’s 2008 breach report reached 656 reported breaches at the end of 2008, reflecting an increase of 47% over last year’s total of 446. Dissent of PogoWasRight has some analysis. I’ll take […]
Galois has announced “” Cryptol is a domain specific language for the design, implementation and verification of cryptographic algorithms, developed over the past decade by Galois for the United States National Security Agency. It has been used successfully in a number of projects, and is also in use at Rockwell Collins, Inc. … Cryptol allows […]
(I’d meant to post this in June. Oops! Chaos reigns!) Peter Swire and Cassandra Butts have a fascinating new article, “The ID Divide.” It contains a tremendous amount of interesting information that I wasn’t aware of, about how infused with non-driving purposes the drivers license is. I mean, I know that the ID infrastructure, is, […]
Silver has devised a pair of glasses which rely on the principle that the fatter a lens the more powerful it becomes. Inside the device’s tough plastic lenses are two clear circular sacs filled with fluid, each of which is connected to a small syringe attached to either arm of the spectacles. The wearer adjusts […]
…or, antique car collectors are an honest lot. According to the Times (of London, dear chap), a recently-deceased British surgeon has left his heirs a rather significant bequest: a super-rare, super-fast, antique Bugatti which hasn’t been driven since 1960 and is expected to fetch several million at auction. This is the fabled “Imagine their surprise, […]
A South Korean woman entered Japan on a fake passport in April 2008 by slipping through a state-of-the-art biometric immigration control system using special tape on her fingers to alter her fingerprints, it was learned Wednesday… During questioning, the woman allegedly told the immigration bureau that she had bought a forged passport from a South […]
Our new year’s resolution is to show a sense of childlike wonder at and acceptance of everything we come across, especially this year’s leap second. Incidentally, this post is scheduled to go live at 2008-12-31 23:59:60. Let’s see what happens! Update: Movable Type complained when I tried to save the post: “Invalid date ‘2008-12-31 23:59:60’; […]
I’m just sitting here blinking, having a Brecht moment in which I am laughing at those who are crying and crying at those who are laughing. At the CCC congress, a number of people did something dramatic — they created a forged SSL certificate. It’s dramatic, but nothing special. We’ve known that MD5 is broken […]
In honor of Newton’s Birthday festival, I therefore propose the following song, to be sung to the tune of “The Twelve Days of Christmas.” For brevity, I include only the final verse. All together now! On the tenth day of Newton, My true love gave to me, Ten drops of genius, Nine silver co-oins, Eight […]
The Gavle goat survived until the 27th this year, but as the BBC reports, “Festive goat up in flames again.” Previously: “Goat Security,” “13 Meter Straw Goat Met His Match.”
When Seattle is covered in snow, it’s easy to miss Montreal. Now, folks in areas that get lots of snow like to make fun of Seattlites for being unable to handle a little snow, but it turns out that there’s another reason (beyond the steep hills) the city has a (ahem) unique approach: “Seattle refuses […]
Originating from Wootton High School, the parent said, students duplicate the license plates by printing plate numbers on glossy photo paper, using fonts from certain websites that “mimic” those on Maryland license plates. They tape the duplicate plate over the existing plate on the back of their car and purposefully speed through a speed […]
40 years ago, NASA released this first [human-taken] photo of the Earth from far away: [Update: The BBC has a nice story.]
“There are no hot segments,” said George Pipas, Ford’s market analyst. “And there really are no hot products.” So closes an article, “Automakers Report Grim October Sales.” GM, sales down 45%. Ford, -30%. Chrysler, -34.9%. Toyota, -23%. Honda -25%, Nissan -33%. MINI Cooper: Up 56.4%. Soon, Ford will be caring about MINI’s market of “only” […]
I was struck by this quote in “Edgy, Yet Still Aerodynamic,” an article in the New York Times about how new cars are being designed and tested: To his surprise, in hundreds of tests at Ford’s Wind Tunnel 8 southwest of Detroit the original edges produced less drag than curved substitutes, Mr. Koester said. […]
It was even more exciting on a black and white Zenith. Image: Nasa photo 6871798
Bloomberg is reporting that “Shoe Hurled at Bush Flies Off Turkish Maker’s Shelves : Baydan has received orders for 300,000 pairs of the shoes since the attack, more than four times the number his company sold each year since the model was introduced in 1999. The company plans to employ 100 more staff to meet […]
Stratfor’s podcast on the seizure of that Saudi oil tanker contained a fascinating tidbit: merchant ships are no longer allowed to carry arms at all, which, of course, makes piracy far easier. This is a dramatic transformation of the rights of merchant ships. Historically, private ships carried weapons when sailing far out of their own […]
Following on my post on Parliaments, Dukes and Queens, I’d like to talk about other checks on the power of government, besides throwing tea into the harbor. In Britain, “a jury has failed to clear police in the death of Jean Charles de Menezes.” The jury is the first group who, frankly, has not whitewashed […]
According to Ananova, a Swiss watch-ring has been found covered in dirt in a four-hundred year old Ming dynasty tomb. The watch was found, covered in dirt. It was stopped at the time 10:06 and has the word, “Swiss” engraved on the back. The archaeologists on the dig have requested archaeologists from Beijing to help […]
It was 235 years ago today that the Sons of Liberty threw tea into Boston harbor, and they still haven’t been able to clean the place up. Please join me in celebrating this most American response to taxation.
Four interesting stories recently, all having to do with the ancient relationship between a sovereign and a parliament, or the relationship of hereditary rulership to democracy. I secretly admire the emergent forms of government which have proven stable despite their chaotic origins. I’m fascinated by these imperfectly republican nations like Canada and the United Kingdom, […]
People often make the claim that something is “as intuitive as dialing the phone.” As I was listening to “Dave Birch interviewing Ben Laurie,” I was reminded of this 1927 silent film: Ben commented on people having difficulty with the CardSpace user interface, and it not being as intuitive as having your email address being […]
Jacob Burghardt has a very interesting new ebook, “Working Through Screens.” If one was to summarize the status quo, it might sound something like this: when it comes to interactive applications for knowledge work, products that are considered essential are not always satisfactory. In fact, they may be deeply flawed in ways that we commonly […]
Adam Dodge, building on research by Ponemon and Debix, says “Breaches Cost Companies Customers,” and Alan Shimel dissents in “Do data breaches really cost companies customers?” Me, I think it’s time we get deeper into what this means. First, the customers. Should they abandon a relationship because the organization has a security problem? To answer […]
First, the European Court of Human Rights has ruled that the UK’s “DNA database ‘breach of rights’:” The judges ruled the retention of the men’s DNA “failed to strike a fair balance between the competing public and private interests,” and that the UK government “had overstepped any acceptable margin of appreciation in this regard”. The […]
So the New York Times is breathless that “Obama Hauls in Record $750 Million for Campaign.” A lot of people are astounded at the scale of the money, and I am too. In a long, hard campaign, he raised roughly $2.50 per American, and spent slightly less than that. Unusually, he ended his campaign not […]
At Metamodern.com. Way cool. I look forward to what he has to say. Unfortunately, one of his early posts falls into the trap of believing that “Computation and Mathematical Proof” will dramatically improve computer security: Because proof methods can be applied to digital systems, and in particular, will be able to verify the correctness (with […]
The Data Loss Database, run by the Open Security Foundation, now has a significant new feature: the inclusion of scanned primary source documents. This means that in addition to being able to determine “the numbers” on an incident, one can also see the exact notification letter used, the reporting form submitted to state government, cover […]
Today is the 75th anniversary of the repeal of the blanket prohibition of alcohol sales in the United States. Go pour some Champagne, Cava, or fine California bubbly and read Radley Balko’s excellent “Lessons of Prohibition.” Photo: Jensen.Pernille. Thanks to Sama.
The employer has been posting them at a prodigious rate. There’s: “Threat Modeling at EMC and Microsoft,” Danny Dhillon of EMC and myself at BlueHat. Part of the BlueHat SDL Sessions. Also on threat modeling, Michael Howard and I discuss the new SDL Threat Modeling Tool Michael Howard and I also discussed the new SDL […]
I enjoyed reading Heather Gerkin’s article: “The Invisible Election.” I am one of the few people to have gotten a pretty good view of the invisible election, and the reality does not match the reports of a smooth, problem-free election that have dominated the national media. As part of Obama’s election protection team, I spent […]
In “Cloud Providers Are Better At Securing Your Data Than You Are…” Chris Hoff presents the idea that it’s foolish to think that a cloud computing provider is going to secure your data better. I think there’s some complex tradeoffs to be made. Since I sort of recoiled at the idea, let me start with […]
I flew Virgin Atlantic for the first time recently, for a day trip to San Francisco. I enjoyed it. I can’t remember the last time I actually enjoyed getting on a plane. The first really standout bit was when the Seattle ground folks put on music and a name that song contest. They handed out […]
Via Paul Kedrosky. Feel free to use this as an open thread.
Some days the snark just writes itself: The group that created Smokey Bear and McGruff the Crime Dog has a new potential icon: Stephanie the airport screener. A $1.3 million ad campaign launched this month teams the Ad Council and the Transportation Security Administration trying to change behavior of passengers who no longer automatically accept […]
NARA (National Archives) published notice in the Federal Register on October 27, 2008, of TSA’s submission to them (see Schedule Pending #3) of a proposed Records Schedule for Secure Flight Program. The actual Proposed Schedule was not published in the Register, only notice that you can request it and file comments on whether NARA should […]
While having a wonderful time in Barcelona, I took the metro a fair amount. Over the course of 8 days, I saw 2 turnstile jumpers, (40€ fine) 3 smokers (30€ fine) and didn’t see as one friend got pick-pocketed (reported fine, one beating). So which crime annoyed me most? The apparently worthless invasion of privacy. […]
There have been a couple of interesting stories over the last week that I wanted to link together. Verizon Employees Snoop on Obama’s Cellphone Records (followed shortly by “Verizon fires workers over Obama cell phone records breach“) and “4 more Ohio officials punished in ‘Joe’ data search.” There’s a couple of things happening here. The […]
In “Tidying up Art” Ursus Wehrli tells the TED audience about not only how to tidy up art, but has a great example of how apparently simple instructions can very quickly lead chaos to emerge. And it’s pretty darn funny after the audience doesn’t know how to respond to his first couple of jokes.
There’s a list, maintained by the UN security council, of people who can’t have their money. Once you’re on the list, there’s no way to get off. The global blacklisting system for financiers of al-Qaeda and other terrorist groups is at risk of collapse, undermined by legal challenges and waning political support in many countries, […]
Yesterday, Nov 17, was the sesquicentenary of the zero-date of the American Ephemeris. I meant to write, but got distracted. Astronomical ephemeris counts forward from this date. That particular date was picked because it was (approximately) Julian Day 1,000,000, but given calendar shifts and all, one could argue for other zero dates as well. The […]
A Wide Diversity of Consumer Attitudes about Online Privacy shows this picture of Flickr users setting privacy preferences: green is public (default) and red is private. I hope Flickr shares some of the underlying data. I don’t know what anyone would do with it, and there’s two ways to find out. One is to talk, […]
Some time ago, I was on an extended stay in Tokyo for work. When one is living there, there are things one must do, like make an effort to live up to being a henna gaijin. I must disagree with those who translate that as “strange foreigner.” The proper translation is “crazy foreigner.” I’d never heard […]
And the reason it doesn’t work is that just because you’re allowed to own something doesn’t mean you’re allowed to export it. The use, ownership, production, etc. of crypto was never restricted, only its export. In an Internet-enabled world, export control brings lots of hair with it, which is why it was important to fight […]
I’m in Barcelona, where my employer has made three announcements about our Security Development Lifecycle, which you can read about here: “SDL Announcements at TechEd EMEA.” I’m really excited about all three announcements: they represent an important step forward in helping organizations develop more secure code. But I’m most excited about the public availability of […]
…Armed with my favorite govie (who is actually the lead on this, I’m just a straphanger), The New School of Information Security (Hi Adam and Andrew), some government policy directives, and the National Strategy to Secure Cyberspace, I am teaching an Information Security Management and Public Policy class for Carnegie Mellon’s Heinz School. The more […]
Obama gave his first press conference as President-elect last Saturday. Pundits have noted his humor in responding to the urgent canine matter, but I was struck by a particular phrase used in response to a question regarding whether he’d be moving quickly to fill key cabinet positions: When we have an announcement about cabinet appointments, […]
So Obama wants a CTO for the United States. The job description: Obama will appoint the nation’s first Chief Technology Officer (CTO) to ensure that our government and all its agencies have the right infrastructure, policies and services for the 21st century. The CTO will ensure the safety of our networks and will lead an […]
The Wall St Journal covers the latest management fad in “Neatness Counts at Kyocera and at Others in the 5S Club:” 5S is a key concept of the lean manufacturing techniques that have made makers of everything from cars to candy bars more efficient. The S’s stand for sort, straighten, shine, standardize and sustain. Lately, […]
Okay so for a long time now, I’ve been blogging as Arthur. It all started as an excuse to blog without the company I worked for at the time having to worry about anything I said being a reflection on them. Almost three years ago they were acquired by Oracle and I have long since […]
We’ve been talking a lot lately about confirmation bias. It turns out that newspaper endorsements are more influential when they are unexpected. The degree of this influence, however, depends upon the credibility of the endorsement. In this way, endorsements for the Democratic candidate from left-leaning newspapers are less influential than are endorsements from neutral or […]
I remember a conversation back in 1995 or 1996 with someone who described to me how the Automated ClearingHouse (ACH) for checking worked. He explained that once you had an ACH merchant account, you sent in a message of roughly the form (src, dest, amount, reason) and money got moved. I argued with him that […]
It’s hard to know what to say after an election that feels so momentous in so many different ways. So, I’ll start from the simple: congratulations to Obama on being elected the 44th President of the United States. Next, let’s add some chaos here and see what emerges. So what’s on your mind? And please, […]
MSNBC’s live streaming internet election coverage looks like it was filmed from within Second Life. Yuck.
As we go into what may well be another very long day of elections for the Presidency of the United States, I wanted to reprise two images from 2004: Click on either for more details and the context four years ago. Despite the electoral college, America isn’t a red country or a blue country, and […]
This is interesting. Not sure how robust the finding is, but according to an analysis of LendingClub data on all past loans, including descriptions of the use for the money, applicants using certain words in their descriptions are much more likely to default. For our purposes define a Delinquency as either being late in your […]
There’s a place in de Tocqueville where he talks about America’s civic strength coming from the way we organize: those voluntary organizations which come together to solve a problem as a community. He pointed out that what we got from that was not merely that particular problem solved, but a sense of community and a […]
It was twenty years ago today Sgt. Morris taught the worms to play They’ve been going in and out of style But they’re guaranteed to last a while So may I introduce to you… the bug you’ve known for all these years Sgt. Morris Lonely worm club band We’re Sgt. Morris’ lonely worm club band, […]
You forget all the bits in the old one. Via JWZ, who has links which will explain the irony if you don’t remember Exodus.
The night of September 29th, I had a room at the Renaissance Amsterdam hotel on Kattengat street. Actually I had two rooms, not that I slept in either of them. The first had too much street noise, and windows that didn’t block out the sound. The second, well, I woke up at 7.30 AM from […]
From Dissent. Click for full size.
A cheetah traveling from Oregon to Memphis, Tennessee escaped from its cage on a Delta flight from Portland to Atlanta. Luggage was delayed, a baggage worker got a good fright (oh, yeah, imagine finding a cheetah on Halloween), but no baggage was destroyed. I would like to be able to link to the full story, […]
No Chicagoan stood up for the common man like Studs Terkel, although Nelson Algren was probably in the running. A security-related anecdote, courtesy of the Chicago Tribune: In 1997 he went to the White House to receive the National Humanities Medal and the National Medal of Arts with a group including Jason Robards, Angela Lansbury, […]
Following on our satirical endorsement of McCain-Palin yesterday, I’d like to talk a little about the experience argument, that is, that Obama lacks the experience to be President. This may well be true. I’d prefer someone with extensive executive experience, ideally running a state. Experience matters in one very specific way: it may help you […]
As we come to the close of the longest campaign in American history, it is time to make a call on who to vote for. In these turbulent and chaotic times, America needs a candidate who will cause more chaos to emerge. Now is not the time for calm and reasoned leadership. Now is not […]
An Israeli teenager has been arrested after he donned a mask and prowled the streets of his town with a big rucksack and toy gun for a school project. The boy, 15, was seized by police in the southern town of Ashdod suspecting he was a Palestinian militant. The student was quoted as saying he […]
In “The product manager’s lament,” Eric Ries writes about his view of product managers: Let’s start with what the product manager does. He’s supposed to be the person who specifies what the product will do. He writes detailed specs which lay out exactly what features the team should build in its next iteration. These specs […]
Adam and I have discussed Debix several times in the past, so it will come as no surprise that I am again posting about them. Debix now has a blog, which will be covering issues around identity theft, breaches and privacy. Debix also released a new research study examining child identity theft. The most recent […]
Government agents should not have the right to stop and question Americans anywhere without suspicion within 100 miles of the border, the American Civil Liberties Union said Wednesday, pointing attention to the little known power of the federal government to set up immigration checkpoints far from the nation’s border lines. The government has long been […]
A group of soldiers with the US Army’s 304th Military Intelligence Battalion have managed to top previous military research on terrorist use of World of Warcraft. Realizing that mentioning the word “terrorist” can allow researchers to acquire funding to play the popular MMOG, they turned attention to the popular, if architecturally unscalable micro-blogging system, Twitter. […]
“It’s been in the back of my mind since you first came in: How do you get the missile on the trailer into Manhattan?” federal Judge William Pauley III asked. Sachs, from West Babylon, said cops just laughed as he passed through the Queens Midtown Tunnel on his way into the city Sept. 8. Sachs […]
There was a very interesting article in the New York Times, “Fish Tale has DNA Hook,” in which two high school students used DNA testing to discover that nearly 1/4 of the sushi they tested and identified was mis-labeled. The article only identifies one of the vendors: Dr. Stoeckle was willing to divulge the name […]
We welcome the Bush administration’s continuing dedication to excellence and security in developing clear and appropriate rules to prevent terrorists from flying: In this respect, there are major discrepancies between the (nonbinding) description at the start of the regulatory notice issued today, and the actual regulations that follow it (the last 20 pages of the […]
In reading Arthur’s post on “Canadian PM FAIL,” I was thinking of the odds that this would be investigated and dealt with under Canadian privacy law. Now, I’m not an expert on that, but my recollection is that the main private sector law, PIPEDA, complements a Federal Privacy Act which would likely be the relevant […]
One of my long-term interests in security is the ongoing cost of secrecy. My current favorite example is the stack smashing buffer overflow. These were known and understood no later than 1972, and clearly documented in James P. Anderson’s Computer Security Technology Planning Study: The code performing this function does not check the source and […]
Stephan Bugaj has a fascinating article up, “Steve Kurtz: Tactical Art.” I wanted to tie this to my post “The Discipline of ‘think like an attacker’” Kurtz only briefly mentioned his four year ordeal with the Department of Justice (this is also a good article about it), and only as a single exemplar of his […]
By ZevoPhoto on photobucket.
I was listening to Joseph Stiglitz on NPR this morning, and he had a very interesting comparison. (Quoting from an op-ed in the Guardian): For all the show of toughness, the details suggest the US taxpayer got a raw deal. There is no comparison with the terms that Warren Buffett secured when he provided capital […]
Security continues to be crippled by a conspiracy of silence. The ongoing costs of not talking about what’s going wrong are absolutely huge, and today, we got insight into just how huge. Richard Clayton and Tyler Moore of Cambridge University have a new paper on phishing, “The consequence of non-cooperation in the fight against phishing.” […]
The Wall Street domino has toppled just about everything in sight: U.S. stocks large and small, within the financial industry and outside of it; foreign stocks; oil and other commodities; real-estate investment trusts; formerly booming emerging markets like India and China. Even gold, although it has inched up lately, has lost 10% from its highs […]
Forty Percent of California voters are “permanent absentee” voters. Oregon runs entirely by mail-in votes. Other US states have some sort of mail-in or absentee status that people can assign themselves to. For those people, including me, elections are a slice of time that ends on election day. This isn’t new, until relatively recently, it […]
In reading Mordaxus’ post “Quantum Crypto Broken Again,” I was struck by his comment: It is a serious flaw because one of the main arguments about quantum cryptography is that because it is “physics” based as opposed to “computer” based, that it is more secure than software cryptography. Firstly, security is almost always an outcome […]
What’s on your mind in October?
Metal plates send messages to airport x-ray screeners. I want one with the 4th amendment on it.
This paper, “More Really is Different,” may be one of the most important papers of the last half-millennium. It argues that P.W. Anderson’s concept of “emergence” is provable. It may have even proved it. The idea of emergence, from whence this blog gets its name, is the opposite of reductionism. It is the idea that […]
The Washington Post reports upon the further cheapening of the word “terrorism” in, “Md. Police Put Activists’ Names On Terror Lists.” The fifty-three people with “no evidence whatsoever of any involvement in violent crime” who were put on a list of terrorists include anti-death-penalty protestors. It’s really hard to keep from laughing about this. Are […]
It was Dopplr that drove me over the edge on this rant. I almost feel bad for starting off with them, because as you will see, they’re just the bale of hay that broke the camel’s back. I was updating my travel schedule, which included a trip to St. Louis. It told me that by […]
A little bit of cross-pollination between blogs: Adam Shostack here. Last weekend, I was at a Security Modeling Workshop, where I presented a paper on “Experiences Threat Modeling at Microsoft,” which readers of [the Microsoft Security Development Lifecycle] blog might enjoy. So please, enjoy!
The next time you read a statement that a breached entity has found no evidence of data misuse, remember this: data may have been misused even though entities are unaware of it. Tim Wilson of Dark Reading provides a current example of why entities should inform customers, this one involving the T-Mobile breach that affected […]
[Update: Michael Zimmer points out that it wasn’t Facebook, but outside researchers who released the data.] I wanted to comment quickly on an interesting post by Michael Zimmer, “On the “Anonymity” of the Facebook Dataset.” He discusses how A group of researchers have released a dataset of Facebook profile information from a group of […]
Me! I had a great time in a conversation with Dennis Fisher which is now up on his nameless security podcast: Adam Shostack on privacy, data breaches and “The New School of Information Security” Check it out. Update: Amazon seems to be having trouble keeping The New School in stock. (Thank you!!!) Addison Wesley has […]
The New Scientist reports that researchers Vadim Makarov, Andrey Anisimov, and Sebastien Sauge have broken quantum key distribution. The attack is described in their paper, “Can Eve control PerkinElmer actively-quenched single-photon detector?” Spoiler Warning: Yes. She can. The attack is brilliant in its elegance. They essentially jam the receiver. A bright pulse of laser light […]
…team to be renamed Manila Folders. (I’m here all week. Go Sox!)
This is the window of a Louis Vuitton store. I found it tremendously striking, and so took some pictures. Setting aside the direct message of “everyone will look at this bag,” I thought what’s interesting is the technological replacement of self with avatar. As if the designer is saying “we no longer want to be […]
GraphJam, via Information Aesthetics
Works for me. (Image via cs.colorado.edu, who sell T-shirts)
According to The New York Times in, “Surveillance of Skype Messages Found in China,” the Chinese provider TOM has software in place that reads Skype text messages, and blocks ones that use naughty words and terms, like “Falun Gong,” “Independent Taiwan,” and so on. A group of security people and human rights workers not only […]
For those who haven’t been listening closely to their NPR, it turns out that there are at least eight Barack Obamas running for election in Brazil this year. Yes, you heard that right. Under Brazilian law, it turns out, candidates are allowed to run for office under any name, as long as it’s not offensive. […]
I added Bank Lawyer’s Blog to my set of RSS feeds some time ago, after I came across a decent post about ID theft there. I provide — without comment — the following quotation from a banking industry lawyer, as posted yesterday: Near the end of the Oscar-winning movie “Unforgiven,” the young assassin who calls […]
There are obviously a large set of political questions around the 700+ billion dollars of distressed assets Uncle Sam plans to hold. If you care about the politics, you’re already following in more detail than I’m going to bother providing. I do think that we need to act to stem the crisis, and that we […]
I did a podcast with Eric and Josh at CS Techcast. It was lots of fun, and is available now: link to the show Welcome to another CSTechcast.com podcast for IT professionals. This week we interview Adam Shostack, author of The New School of Information Security about the essentials IT organizations need to establish to […]
While Babs’ vocal stylings may be an “acquired taste”, today I have a new appreciation for the Streisand Effect. Thanks to Slashdot, I learned that Thomson Reuters is suing the Commonwealth of Virginia alleging that Zotero, an open-source reference-management add-on for Firefox, contains features resulting from the reverse-engineering of Endnote, a competing commercial reference management […]
John Timmer of Ars Technica writes about how we ignore dialog boxes in, “Fake popup study sadly confirms most users are idiots.” The article reports that researchers at the Psychology Department of North Carolina State University created a number of fake dialog boxes that had varying sorts of clues that they were not real dialog boxes, […]
Dissent has some good coverage of an announcement from the ID Theft Resource Center, “ITRC: Breaches Blast ’07 Record:” With slightly more than four months left to go for 2008, the Identity Theft Resource Center (ITRC) has sent out a press release saying that it has already compiled 449 breaches – more than its total for […]
John Kelsey had some great things to say in a comment on “Think Like An Attacker.” I’ve excerpted some key bits to respond to them here. Perhaps the most important is to get the designer to stop looking for reasons attacks are impossible, and start looking for reasons they’re possible. That’s a pattern I’ve seen over […]
9Wants to Know has uncovered a new policy that allows airport screeners at Denver International Airport to bypass the same security screening checkpoints that passengers have to go through. … The new policy says screeners can arrive for work and walk behind security lines without any of their belongings examined or X-rayed. … At DIA, […]
If you are the sort of person who looks at odd legal rulings and opinions, you may remember that a few years ago the US DOJ issued an opinion that stored emails are not protected under the Stored Communications Act. The DOJ reasoning is that when you leave read email on your server, it’s not […]
Spaf has an excellent post up about Purdue’s decision to no longer be an NSA Center of Academic Excellence. He makes a number of thought-provoking points, among them that “excellence” loses its meaning if the bar is set too low, and that being an academic center and having a training (as opposed to educating) curriculum […]
You might not be able to think like one, but today you should certainly talk like a pirate. Yo ho ho, shiver me timbers, etc. etc. Image credit: charliekwalker
One of the problems with being quoted in the press is that even your mom writes to you with questions like “And what’s wrong with ‘think like an attacker?’ I think it’s good advice!” Thanks for the confidence, mom! Here’s what’s wrong with think like an attacker: most people have no clue how to do […]
Steve Lipner and I were on the road for a press tour last week. In our work blog, he writes: Last week I participated in a “press tour” talking to press and analysts about the evolution of the SDL. Most of our past discussions with press and analysts have centered on folks who follow security, […]
Our publisher sent me a copy of Raffael Marty’s Applied Security Visualization. This book is absolutely worth getting if you’re designing information visualizations. The first and third chapters are a great short intro into how to construct information visualization, and by themselves are probably worth the price of the book. They’re useful far beyond security. […]
Devan Desai has a really interesting post, Baffled By Community Organizing: First, it appears that hardcore left-wing and hardcore right-wing folks don’t process new data. An fMRI study found that confirmation bias — “whereby we seek and find confirmatory evidence in support of already existing beliefs and ignore or reinterpret disconfirmatory evidence” — is real. […]
Bletchley Park, the site in the UK where WWII code-breaking was done, has a computing museum. The showpiece of that museum is Colossus, one of the world’s first computers. (If you pick the right set of adjectives, you can say “first.” Those adjectives are apparently, “electronic” and “programmable.”) It has been rebuilt over the last fourteen […]
Dear Mr Harper, In general people do not care for the government to be tracking their religious affiliation. In particular however, there are few groups who care less for this sort of tracking than Jews. Seriously, you’re not going to get votes by sending Rosh Hashanah cards to your Jewish constituents. It freaks us out, […]
Or is that vice-versa? A few weeks ago, Security Retentive posted about an article in the Economist: “Confessions of a Risk Manager”. Both his analysis and the original story are quite interesting and I encourage you to read them as well as a letter to the editor that was published in last week’s print edition […]
Over at the Burton Identity and Privacy Strategies blog, there’s a post from Ian Glazer, “Trip report from the Privacy Symposium,” in which he repeats claims from Jeff Rosen: I got to hear Jeffery Rosen share his thoughts on potential privacy “Chernobyls,” events and trends that will fundamentally alter our privacy in the next 3 […]
There’s a really funny post on a blog titled “Affordable Indian Astrology & Vedic Horoscope Provider:” Such a choice of excellent Muhurta with Chrome release time may be coincidental, but it makes us strongly believe that Google may not have hesitated to utilize the valuable knowledge available in Vedic Astrology in decision making. This is […]
Via Alex Hutton.
Zimran links to an excellent long article on Hans Monderman and then says: When thinking about human behavior, it makes sense to understand what people perceive, which may be different from how things are, and will almost certainly be very different from how a removed third party thinks them to be. Traffic accidents are predominantly […]
File this under “Posts I Wish I’d Written”. Amrit Williams’ “The 7 Greatest Ideas in Security,” really highlights a lot of my basic thoughts on how security should work. His conclusion sums things up cogently, but go read the entire post: Some may argue that something has been forgotten or that the order is […]
Passing through Portland’s PDX Airport, I was struck by this ad for SeaPort Airlines: Things are pretty bad for TSA when right after “faster travel,” a company lists “No TSA” as its second value proposition. (Bottom left corner.) It’s actually sort of impressive how much hate and resentment the TSA has built in the few […]
Mary Dudziak posted the testimony of Fannie Lou Hamer before the credentials committee of the 1964 Democratic convention. It’s worth reading in full: Mr. Chairman, and to the Credentials Committee, my name is Mrs. Fannie Lou Hamer, and I live at 626 East Lafayette Street, Ruleville, Mississippi, Sunflower County, the home of Senator James O. […]
RFC 1918 is a best-current-practices RFC that describes network address ranges that we all agree we won’t use globally. They get used for private networks, NAT ranges and so on. There are three ranges: 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255. They are thus the Internet equivalent of the American phone system not […]
There are a couple of blog posts that I’ve read lately that link together for me, and I’m still working through the reasons why. I’d love your feedback or thoughts. A blogger by the name of Lhooqtius ov Borg has a long screed on why he doesn’t like the “Social Futilities.” Tyler Cowen has a […]
Wonderful graffiti art by Mau Mau at the Cans Festival II. Photo taken by Alan Bee.
Aero News Network has a fascinating story, “ANN Special Report: TSA Memo Suggests That Agency ‘Encourages’ Damaging Behavior.” It covers how a TSA goon climbed up a plane using equipment marked “not a handhold,” damaging it and putting the flying public at risk. It continues: While this may be terrifying on a number of levels, […]
Alan Shimel got hacked, and he’s blogging about it, in posts like “I’m back.” It sounds like an awful experience, and I want to use it to look at authentication and certificates. None of this is intended to attack Alan in any way: it could happen to any of us. One of the themes of […]
A voting system used in 34 states contains a critical programming error that can cause votes to be dropped while being electronically transferred from memory cards to a central tallying point, the manufacturer acknowledges. The problem was identified after complaints from Ohio elections officials following the March primary there, but the logic error that is […]
GetAFreelancer.com has a job for you if you need some high-paid work — write a remote keylogger. Here are the project requirements: We need a keylogger that can be installed remotely. Description: The main purpose is that the user A can send an email with a program to install (example: a game or a funny […]
I find it interesting that security people and foodies are strongly correlated. Or at least are strongly correlated among the ones I know. Very Good Taste has a list of things called The Omnivore’s Hundred, a list of things worth trying, modulo this and that. You mark things you have tried, and mark things you […]
The Economist has a short but great overview on crisis management. The article is well worth reading completely, but there is one section that bears highlighting: Be well prepared in advance. Potential members of a crisis management “team” should rehearse how they would manage the impact of an incident. It is a bit like learning […]
A Christian Science church near the White House filed suit against the city on Thursday, accusing it of trammeling religious freedom by declaring the church a historic landmark and refusing to allow church leaders to tear it down. The building, a stark structure with walls that soar toward the sky, is an eyesore or a […]
Ryan Singel reports at 27B/6: The TSA was keeping the names of people who lost their wallets and needed to fly — even after ascertaining their identity and determining they were not a threat and could board a plane. It stored these names in a shared threat database. Then it decided that it won’t store […]
So there’s some great discussion going on in the comments to “Certifiably Silly,” and I’d urge you to read them all. I wanted to respond to several, and I’ll start with Frank Hecker: Could we take the cost issue out of this equation please … [Adam: I’m willing to set it aside, because the conversation […]
Over at “The Security Practice,” Michael Barrett writes about “Firefox 3.0 and self-signed certificates.” Neither he nor I am representing our respective employers. …almost everyone who wants to communicate securely using a browser can afford an SSL certificate from CAs such as GoDaddy, Thawte, etc. The cost of single certificates from these sources can only […]
His book, Applied Security Visualization, is now out: Last Tuesday when I arrived at BlackHat, I walked straight up to the book store. And there it was! I held it in my hands for the first time. I have to say, it was a really emotional moment. Seeing the product of 1.5 years of work […]
Well, I got a letter from BNY Mellon, explaining that they lost my data. The most interesting thing about it, I think, is where it was sent, which is to my mom. (Hi Mom!) I had thought that I’d moved all of my financial statements to an address of my own more than a decade […]
Former South African President Nelson Mandela is to be removed from U.S. terrorism watch lists under a bill President Bush signed Tuesday… The bill gives the State Department and the Homeland Security Department the authority to waive restrictions against ANC members. This demonstrates that greater scrutiny must be placed on the decisions about who gets […]
The Paper of Record has a hilarious article, “Literacy Debate: Online, R U Really Reading?” which asks important questions about what Those Darn Kids are doing — spending their time using a mixture of hot media and cold media delivered to them over the internets. I’ll get right to the point before I start ridiculing […]
The German Bundespolizei have announced what the BBC are calling a “bullet-proof bra”. It may sound like a joke, but this is a serious matter – the policewoman who came up with the idea said normal bras can be dangerous when worn in combination with a bullet-proof vest. “The impact of a bullet can push […]
Science reports in, “The Year the World Froze Over:” It sounds like the stuff of science fiction, but nearly 13 millennia ago Europe was plunged suddenly into a deep freeze that lasted 1300 years–and the change happened in little more than a year, according to new data. The evidence also suggests that strong winds, not […]
Ian Angell from the London School of Economics gave a great keynote on complexity in systems and how the desire to categorize, enumerate, and add technology can break things in interesting ways. An example of his: there’s an increasing desire among politicians and law enforcement to create huge DNA databases for forensic purposes, to aid […]
According to The Daily Telegraph, the Knights Templar are suing the Vatican for all that money they lost in 1307. (The Telegraph has a companion article here as well.) This adds up to a nice round €100 billion. The Telegraph didn’t say whether that is American billions (thousand million, 10^9) or English billions (million million, […]
Verified Identity Pass, Inc., who run the Clear service have lost a laptop containing information of 33,000 customers. According to KPIX in “Laptop Discovery May End SFO Security Scare” the “alleged theft of the unencrypted laptop” lost information including names, addresses, birth dates and some applicants’ driver’s license numbers and passport information, but does not […]
Steven Murdoch and Robert Watson have some really interesting results about how to model the Tor network in Metrics for Security and Performance in Low-Latency Anonymity Systems (or slides). This is a really good paper, but what jumped out at me was their result, which is that the right security tradeoff is dependent on how […]
Dan Solove sent me a review copy of his new book, “Understanding Privacy.” If you work in privacy or data protection either from a technology or policy perspective, you need to read this book and understand Solove’s approach. That’s not to say it’s perfect or complete, but I think it’s an important intellectual step forward, […]
The author of The Gulag Archipelago and other important works on the barbarity of the Soviet Union passed away today. Aleksandr Solzhenitsyn was 89. My sympathies to his family and friends.
Via JWZ.
I really appreciate the way that Richard Conlan has in-depth blogged all of the sessions from the 2008 Symposium on Usable Privacy and Security. The descriptions of the talks are really helpful in deciding which papers I want to dig into. More conferences should do this. There’s only one request I’d make: There’s no single […]
Over on my work blog, I asked: I’m working on a paper about “Experiences Threat Modeling at Microsoft” for an academic workshop on security modeling. I have some content that I think is pretty good, but I realize that I don’t know all the questions that readers might have. So, what questions should I try […]
There’s an article in “destination CRM,” Who’s Really Calling Your Contact Center? …the identity questions are “based on harder-to-steal information” than public records and credit reports. “This is much closer to the chest than a lot of the public data being used in other authentication systems,” she says, adding that some companies using public data […]
I know there are a lot of people who prefer text to audio. You can skim text much faster. But there are also places where paper or screens are a pain (like on a bus, or while driving). So I’m excited that the Silver Bullet Podcast does both. It’s a huge investment in addressing a variety […]
Congratulations to Arvind Narayanan and Vitaly Shmatikov! Their paper, “Robust De-Anonymization of Large Sparse Datasets,” has been awarded the 2008 Award for Outstanding Research in Privacy Enhancing Technologies. My employer has a press release which explains how they re-identified data which had been stripped of identifiers in the Netflix dataset. In their acceptance remarks, they […]
Transport for London is trying to get as many people as possible to use Oyster Cards. They are cheaper — and theoretically easier to use — than traditional tube / bus tickets. However, using one means that TfL has a record of your journeys on the transport system, which is something that not everybody is […]
What made this particular work different was that the packets we captured came through a Tor node. Because of this difference, we took extreme caution in managing these traces and have not and will not plan to share them with other researchers. Response to Tor Study I won’t get into parsing what “have not and […]
Several weeks ago, in “A Question of Ethics“, I asked EC readers whether it would be ethical “to deliberately seek out files containing PII as made available via P2P networks”. I had recently read an academic research paper that did just that, and was left conflicted. Part of me wondered whether a review board would […]
Vox Libertas, a blogger at the Daily Kos has written an analysis of the new US FISA law in his article, “I think I understand the FISA bill. Do I?” Vox Libertas has taken an approach that I can appreciate. On the one hand, many people are unhappy with the telecom immunity. I’m one of […]
What’s on your mind?
The European Court of Human Rights has ordered the Finnish government to pay out €34,000 because it failed to protect a citizen’s personal data. One data protection expert said that the case creates a vital link between data security and human rights. The Court made its ruling based on Article 8 of the European Convention […]
I’m getting ready to leave for the 2008 Privacy Enhancing Technologies Symposium. I love this event, and I’m proud to have been involved since Hannes Federrath kicked it off as a workshop on design issues in anonymity and unobservability. I’m also happy that Microsoft has continued to sponsor an award for outstanding research in Privacy Enhancing […]
I have an article in the latest MSDN magazine, “Reinvigorate your threat modeling process:” My colleague Ellen likes to say that everyone threat models all the time. We all threat model airport security. We all threat model our homes. We think about threats against our assets: our families, our jewelry, and our sentimental and irreplaceable […]
To start from the obvious, book publishers are companies, hoping to make money from the books they publish. If you’d like your book to be on this illustrious list, you need an idea for a book that will sell. This post isn’t about how to come up with the idea, it’s about how to sell […]
Today on the Dataloss mailing list, a contributor asked whether states in addition to New Hampshire and Maryland make breach notification letters available on-line. I responded thusly (links added for this blog post): I know only of NH and MD. NY and NC have been asked to do it, but have no plans to. NJ […]
There’s a huge amount of interesting stuff from a recent workshop on “Security & Human Behavior.” Matt Blaze has audio, and Ross Anderson has text summaries in the comments on his blog post. Also, see Bob Sullivan, “How magic might finally fix your computer”
The New York Times has in an editorial, “The Government and Your Laptop” a plea for Congress to pass a law to ensure that laptops (along with phones, etc.) are not seized at borders without reasonable suspicion. They have the interesting statistic that in a survey by the Association of Corporate Travel Executives, 7 of […]
TechCrunch, via Jim Harper.
Via Michael Froomkin
The Freakonomics blog pretty much says it all: The latest: importgenius.com, the brainchild of brothers Ryan and David Petersen, with Michael Kanko. They exploit customs reporting obligations and Freedom of Information requests to organize and publish — in real-time — the contents of every shipping container entering the United States. From importgenius.com. There’s a neat […]
Dave Birch has a really interesting post about The future of the future of cash: The report also identifies three key attributes of cash that make it — still — the dominant payment system. Universality, trust and anonymity. I’m curious about the location of anonymity in the customer mindset and I’m going to post some […]
There’s a fascinating article at The Long Now Foundation, “Richard Feynman and The Connection Machine,” by Danny Hillis. It’s a fun look into the interactions of two of the most interesting scientist/engineers of the last 40 years.
Dan “Doxpara” Kaminsky today released information about a fundamental design flaw in the architecture of DNS which if properly exploited would allow a malicious party to impersonate any website they wanted to. This issue affects every single version of DNS. The flaw primarily affects the DNS server but it can also affect clients as well […]
When Andrew and I started writing The New School, we both lived in Atlanta, only a few miles apart. We regularly met for beer or coffee to review drafts. After I moved to Seattle, our working process changed a lot. I wanted to talk both about the tools we used, and our writing process. We […]
Case Number: 153504; Date Received: 06/09/08; Business Name: Argosy University; No. of MD residents: (not given); Total breach size: (not given); Information breached: name, social security number, addresses; How breach occurred: Laptop computer stolen from employee of SunGard Higher Education. Maryland Information Security Breach Notices are put online by the most forward-looking Douglas F. Gansler, attorney general. I’m glad […]
There’s a really interesting article in the New Republic, “Freaks and Geeks:” In 2000, a Harvard professor named Caroline Hoxby discovered that streams had often formed boundaries to nineteenth-century school districts, so that cities with more streams historically had more school districts, even if some districts had later merged. The discovery allowed Hoxby to show […]
Back in March, we wrote about unauthorized access to Barack Obama’s passport file. At the time, a Washington Post article quoted a State Department spokesman: “The State Department has strict policies and controls on access to passport records by government and contract employees” The idea was that, while snooping might occur, it would be caught […]
In CONGRESS, July 4, 1776 The unanimous Declaration of the thirteen united States of America, When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which […]
Adam comments on Dave Maynor commenting on Blizzard selling authentication tokens. Since I have the ability to comment here, I shall. This isn’t the case of a game having better security than most banks (as Maynor says). This is a game company leaping ahead of some banks, because they realize they have bank-like security issues. […]
All around cool guy, and former provost of the University of Chicago, Geoffrey Stone (the Edward H. Levi Distinguished Service Professor at the University of Chicago Law School), earlier this week proposed that “The next president should create a brand new position, which should become a permanent part of the Executive Branch in the […]
Dave Maynor comments: Blizzard is going to sell a One Time Password device…Isn’t it kind of funny when an online game has better security than most banks? Blizzard Entertainment, Inc. today introduced an optional extra layer of security for World of Warcraft®, its award-winning massively multiplayer online role-playing game. Designed to attach to a keychain, […]
The New Scientist reports that “Charades reveals a universal sentence structure.” Susan Goldin-Meadow, a linguistic psychologist at the University of Chicago, led a team that found that speakers of most languages use the same simple sentence structure when miming, regardless of the structure of the language they speak. A demonstration movie is here. That structure […]
A new technical report out of ETH Zurich, Understanding the Web browser threat, should appeal to EC readers. The authors were granted access to the USER-AGENT information recorded globally by Google between January 2007 and June 2008. By examining the first visit per day by each browser, the authors are able to determine which clients were […]
After having seen some footage of Amy Winehouse’s performance at Glastonbury, I think she needs to immediately marry Shane Macgowan, preferably as part of a reality TV show.
2008 and UK passport photos now have the left eye ‘removed’ to be stored on a biometric database by the government. It’s a photo that seems to say more to me about invasion of human rights and privacy than any political speech ever could. Really? This is a really creepy image. Does anyone know if […]
I love these boots, via “BoingBoing gadgets.” They’re transgressive on so many levels. Star Wars geek versus fashion. Military versus sexy. I’m glad George Lucas isn’t an obsessive control freak who hunts down anyone who adopts the visual language that he created.
What do you listen to and why?
I’m the guest on the latest episode of Martin McKeay and Rich Mogull’s Network Security podcast. It was a lot of fun to record, I hope you enjoy listening to it. [Link fixed.]
Julie Rehmeyer of Science News writes in, “The Tell-Tale Anecdote: An Edgar Allan Poe story reveals a flaw in game theory” about a paper by Kfir Eliaz and Ariel Rubinstein called, “Edgar Allan Poe’s Riddle: Do Guessers Outperform Misleaders in a Repeated Matching Pennies Game? The paper discusses a game that Poe describes in The Purloined […]
In his own blog, Michael Cloppert writes: Adam, and readers from Emergent Chaos, provided some good feedback on this idea. Even though the general response is that this wouldn’t be a supportable approach, I appreciate the input! This helps me focus my research intentions on the most promising theories and technologies. I’m glad my readers […]
Slyck News has a story, “SSL Encryption Coming to The Pirate Bay” a good summary of which is in the headline. However, it may not help, and may hurt. Slyck says: The level of protection offered likely varies on the individual’s geographical location. Since The Pirate Bay isn’t actually situated in Sweden, a user in the […]
An amusing comic from POPsickleSTRIP.
Over at Zero in a Bit, Chris Eng has a post, “Art vs. Science“: A client chastised me once for making a statement that penetration testing is a mixture of art and science. He wanted to believe that it was completely scientific and could be distilled down to a checklist type approach. I explained that […]
Mars Phoenix Tweets: “We Have ICE!” And yes, they really did announce on Twitter and a press release.
Two days ago, Marc Weber Tobias pointed out that Medeco, the 800 pound gorilla in the high-security lock market, recently published an open letter to the locksport community, welcoming it to the physical security industry: While we have worked with many locksmiths and security specialists in the past to improve our cylinders, this is the […]
The TSA apparently is issuing itself badges in its continuing search for authority. The attire aims to convey an image of authority to passengers, who have harassed, pushed and in a few instances punched screeners. “Some of our officers aren’t respected,” TSA spokeswoman Ellen Howe said. … A.J. Castilla, a screener at Boston’s Logan Airport […]
In “The Pros and Cons of LifeLock,” Bruce Schneier writes: In reality, forcing lenders to verify identity before issuing credit is exactly the sort of thing we need to do to fight identity theft. Basically, there are two ways to deal with identity theft: Make personal information harder to steal, and make stolen personal information […]
There’s a great (long) post by Baron Schwartz, “What is it like to write a technical book?” by the lead author of “High Performance MySQL.” There’s a lot of great content about the process and all the but I wanted to respond to this one bit: I can’t tell you how many times I asked […]
On May 10, Iowa became the 42nd U.S. state (counting D.C. as a state) with a breach notification law. The law itself is not remarkable. If anything, it is notably weaker than many other states’ laws. When can we expect to see the last stragglers finally pass their laws? Here’s a plot of each state’s […]
Kim Zetter on Threat Level has written about Larry Lessig’s comments about Judge Alex Kozinski’s problems with having files on a personal server made public. Zetter has asked to hear people’s opinions about the issue. I thought I’d just blog about mine. Basically, I agree with Lessig. The major place that I disagree with Lessig […]
One of the curious features of Quantum Cryptographers is the way they harrumph at mathematics. “Don’t trust that math stuff, you should trust physics.” It’s easy to sneer at this attitude because physics has traditionally gotten its cred because of its foundations in math. Physicists are just mathematicians who don’t squick at canceling dxes. Quantum […]
Debix, Verizon, the ID Theft Research Center and the Department of Justice have all released really interesting reports in the last few days, and what makes them interesting is their data about what’s going wrong in security. This is new. We don’t have equivalents of the National Crime Victimization Surveys for cyberspace. We don’t have […]
There’s an important new report out from the Department of Justice, “Data Breaches: What the Underground World of ‘Carding’ Reveals.” It’s an analysis of several cases and the trends in carding and the markets which exist. I want to focus in on one area, which is recommendations around breach notification: Several bills now before Congress […]
What’s the biggest problem with quantum cryptography? That it’s too expensive, of course. Quantum anything is inherently cool, just as certain things are inherently funny. Ducks, for example. However, it’s hard to justify a point-to-point quantum crypto link that starts at one-hundred grand just for the encryptors (fiber link not included, some assembly required), when […]
The BBC reports in “Secret terror files left on train” that an … unnamed Cabinet Office employee apparently breached strict security rules when he left the papers on the seat of a train. A fellow passenger spotted the envelope containing the files and gave it to the BBC, who handed them to the police. We […]
So having a book out, you start to notice all sorts of stuff about how Amazon works. (I’ve confirmed this with other first time authors.) One of the things that I just can’t figure out is the pricing people have for The New School. There’s a new copy for 46.43. A mere 54% premium over […]
Finally, we have some real hard data on how often identity theft occurs. Today, Debix (full disclosure, I have a small financial interest) published the largest study ever on identity theft. Debix combed through the 2007 Q4 data on over 250 thousand of their subscribers and found that there was approximately a 1% attempted fraud […]
The Telegraph reports in “Hats banned from Yorkshire pubs over CCTV fears” that Pubs in Yorkshire have been ordered to ban people from wearing flat caps or other hats so troublemakers can be more easily recognised. And in other news this weekend, MPs have stamped their little feet insisting that Britain is not a surveillance […]
There are a lot of great comments on the “Security Prediction Markets” post. There’s a tremendous amount of theorizing going on here, and no one has any data. Why don’t we experiment and get some? What would it take to create a market in breach notification prediction? Dan Guido said in a comment, “In security, […]
We join our glorious Soviet brothers of the TSA in rejoicing at the final overthrow of the bourgeoisie conception of “liberty” and “freedom of expression” at the Homeland’s airports. The People’s Anonymous Commissar announced: This change will apply exclusively to individuals that simply refuse to provide any identification or assist transportation security officers in ascertaining […]
Some very smart people at the University of Washington figured out how to leverage the bittorrent protocol to cause the RIAA and MPAA to generate takedown notices. From the website: * Practically any Internet user can be framed for copyright infringement today. By profiling copyright enforcement in the popular BitTorrent file sharing system, we were […]
Some time ago, I wrote about the absurdity of email disclaimers. It is therefore with great amusement I pass on the “Terms & conditions for acceptance of email messages by Andrews & Arnold Ltd” by a small ISP and IT company in Bracknell. The best part of it is the last term. Check out their […]
In our first open thread, Michael Cloppert asked: Considering the contributors to this blog often discuss security in terms of economics, I’m curious what you (and any readers educated on the topic) think about the utility of using prediction markets to forecast compromises. So I’m generally a big fan of markets. I think markets are, […]
First, congratulations to Barack Obama. His organization and victory were impressive. Competing with a former President and First Lady who was the shoo-in candidate is an impressive feat. I’d like to talk about the Obama strategies and a long chaotic campaign in two ways. First in fund-raising and second, on the effects of a long […]
The Supreme Court narrowed the application of the federal money-laundering statute on Monday, ruling for criminal defendants in two cases in which prosecutors had employed broad definitions of two of the law’s major provisions. The two rulings are likely to crimp the government’s ability to bring money-laundering cases, although not necessarily to the degree that […]
Fifteen people have escaped unharmed in the US state of Indiana after a sky-diving plane lost power 7,000ft (2,100m) from the ground. The pilot told the 14 skydivers on board to jump to safety, then crash-landed the plane. And the pilot was uninjured, according to the AP story. From Skydiving plane fails at 7,000ft, BBC. […]
We kindly invite you to attend the next PET Symposium, that will take place in Leuven (Belgium) on July 23-25, 2008. The PET Symposium is the leading international event for the latest research on privacy and anonymity technologies. This year, four other events are co-located with PETS 2008, including the Workshop On Trustworthy Elections (WOTE […]
What the heck. Let’s see what happens. Comment on what you will.
Chris’s beach reading recommendations John Maynard Smith, Evolution and the Theory of Games James S. Coleman, Foundations of Social Theory Ken Binmore, Natural Justice
I was on a business commuter flight the other day, which was also the maiden voyage of my MacBook Air. I had it out before takeoff. This was an international flight and I was in bulkhead. On international flights, they’re not as strict about not having your laptop on your lap during takeoff. This flight […]
“Introducing FUD Watch:” Most mornings, I start the work day with an inbox full of emails from security vendors or their PR reps about some new malware attack, software flaw or data breach. After some digging, about half turn out to be legitimate issues while the rest – usually the most alarming in tone – […]
El Reg writes that the India Times writes that RIM has “blackballed” (El Reg’s words) the Indian Government’s requests to get BB keys, saying what we suspected, that there are no keys to give. The India Times says: BlackBerry vendor Research-In-Motion (RIM) said it cannot hand over the message encryption key to the government as […]
Chris Pounder has an article on the subject: In summary, most of the important features of USA-style, security breach notification law are now embedded into the guiding Principles of the Data Protection Act. Organisations risk being fined if they carelessly lose personal data or fail to encrypt personal data when they should have done. Individuals […]
I really like this picture from Jack Jones, “Communicating about risk – part 2:” Using frequency, we can account for events that occur many times within the defined timeframe as well as those that occur fewer than once in the timeframe (e.g., .01 times per year, or once in one hundred years). Of course, this […]
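As an added illustration of Jones’s point (example code written for this page, not taken from his post or from the FAIR materials): a frequency such as 0.01 events per year can be carried straight into an expected count over any window, and converted into a probability only when you fix the window, whereas a probability alone cannot express “twelve times a year”. The block assumes a Poisson process for event arrivals and, going a step beyond the quoted text, a lognormal loss magnitude so that frequency and magnitude can be combined into an annual loss distribution by Monte Carlo. The rate, median loss and sigma values in the test are constructed inputs, not figures from the post.

```python
import math
import random


def prob_at_least_one(rate_per_year, years=1.0):
    """Frequency -> probability for a fixed window, assuming Poisson arrivals:
    P(N >= 1) = 1 - exp(-rate * years). Saturates near 1 for frequent events."""
    return 1.0 - math.exp(-rate_per_year * years)


def expected_events(rate_per_year, years=1.0):
    """Frequency scales linearly with the window (0.01/yr -> 1 event per 100 yr);
    this is what probability alone cannot represent for multi-occurrence events."""
    return rate_per_year * years


def poisson_draw(rate, rng):
    """Knuth's multiplicative algorithm; the random module has no poisson()."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(rate_per_year, median_loss, sigma, trials=20000, seed=1):
    """Monte Carlo over a one-year window (assumed model, not from the post):
    Poisson number of events, each with a lognormal magnitude whose median is
    median_loss and whose log-standard-deviation is sigma. Returns the sorted
    list of simulated annual losses, so percentiles can be read off directly."""
    rng = random.Random(seed)
    mu = math.log(median_loss)
    losses = []
    for _ in range(trials):
        n = poisson_draw(rate_per_year, rng)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    losses.sort()
    return losses


def percentile(sorted_values, q):
    """q in [0, 1]; nearest-rank percentile of an already sorted list."""
    idx = min(len(sorted_values) - 1, int(q * len(sorted_values)))
    return sorted_values[idx]


def mean(values):
    return sum(values) / len(values)


if __name__ == "__main__":
    for rate in (0.01, 1.0, 12.0):
        print(f"rate {rate:>5}/yr: expected {expected_events(rate):>5} events, "
              f"P(>=1 in a year) = {prob_at_least_one(rate):.4f}")
    annual = simulate_annual_loss(rate_per_year=2.0, median_loss=50_000, sigma=1.0)
    print(f"mean annual loss {mean(annual):,.0f}, "
          f"median {percentile(annual, 0.5):,.0f}, "
          f"95th percentile {percentile(annual, 0.95):,.0f}")
```

The compound distribution is strongly right-skewed (in roughly one year in seven no event occurs at all, while a few years carry several large losses), which is why a single “likelihood” number hides most of what a decision maker needs.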
Walkscore.com. Calculates a location’s “walkability” by using Google Maps to figure out how close various amenities (such as grocery stores, public transit, parks, etc.) are. Not a perfect service, but a great idea.
A paper by Sasha Romanosky, Rahul Telang, and Alessandro Acquisti to be presented at the upcoming WEIS workshop examines the impact of breach disclosure laws on identity theft. The authors find no statistically [significant] evidence that laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce The folks at Bank […]
Over at Layer8, shrdlu lays it out there and tells us what it takes to appear to be effective: In all the initiatives I’ve rolled out in my (checkered) career, the ones that have gotten the most acclaim from my management have always been the ones that were most visible to the users. They turned […]
You may have seen this article from the India Times, “Govt may get keys to your BlackBerry mailbox soon.” Many people have been commenting on it, and the hand-wringing should build up to a good storm in a few days. The gist of the article is that the Indian Government has told RIM that if […]
I was struck by this quote in the Economist special report on international banking: There were navigational aids to help investors but they often gave false comfort. FICO scores, the most widely used credit score in America, were designed to assess the creditworthiness of individual borrowers, not the quality of pools of mortgages. “’Know your […]
Don Morrill, IT Toolbox: If you want to read a book that will have an influence on your information security career, or if you just want to read something that points out that we do need to do information security differently, then you need to go pick up a copy of “The new school of […]
A number of people have sent me links to “Black Hat Tariffs – The Black Hat Taxes on consumer Internet companies are on the rise:” In May 2006, I made mention of the Black Hat Tax, in which most consumer Internet sites have an inherent time, resource, and mindshare tax of roughly 25% due to […]
In name only, but NASA will be sending a database of names to the moon on the forthcoming Lunar Reconnaissance Orbiter. You can add yours. Oh, the name? seemed right when I wanted one with a quote in it. [Update: Securology posted “Sending Bobby Tables to the Moon,” which is funnier, if more likely […]
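For readers who do not get the Bobby Tables reference: a name with a quote in it is how an attacker discovers whether an application splices user input into its SQL text. The following is an added example written for this page (not NASA’s form, nor code from Securology’s post), using an in-memory SQLite table named `names` as a constructed stand-in for whatever NASA actually used. The hostile string is the classic xkcd payload; the benign one is an ordinary surname with an apostrophe.

```python
import sqlite3

# Constructed inputs: the xkcd payload, and a legitimate name containing a quote.
BOBBY = "Robert'); DROP TABLE names;--"
PLAIN = "O'Brien"


def new_db():
    """Fresh in-memory database with a single-column table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE names (name TEXT)")
    return conn


def insert_unsafe(conn, name):
    """Vulnerable: the name is spliced into the SQL text. executescript is used
    here because, unlike execute(), it runs every statement in the string, which
    is exactly what a hand-rolled multi-statement driver or shell pipeline does."""
    conn.executescript(f"INSERT INTO names (name) VALUES ('{name}');")


def insert_safe(conn, name):
    """Hardened: the name is passed as a bound parameter and never parsed as SQL."""
    conn.execute("INSERT INTO names (name) VALUES (?)", (name,))
    conn.commit()


def table_exists(conn):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='names'"
    ).fetchone()
    return row[0] == 1


def stored_names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM names ORDER BY rowid")]


def demo_unsafe(name):
    """Returns ('error', msg) when the quote breaks the statement,
    ('table dropped', None) when the payload executed, or ('ok', rows)."""
    conn = new_db()
    try:
        insert_unsafe(conn, name)
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))
    if not table_exists(conn):
        return ("table dropped", None)
    return ("ok", stored_names(conn))


def demo_safe(name):
    """With parameters, both inputs are stored verbatim and nothing else runs."""
    conn = new_db()
    insert_safe(conn, name)
    return ("ok", stored_names(conn))


if __name__ == "__main__":
    for label, name in (("benign", PLAIN), ("hostile", BOBBY)):
        print(f"{label:>7} unsafe -> {demo_unsafe(name)}")
        print(f"{label:>7}   safe -> {demo_safe(name)}")
```

The benign name is the more useful probe in practice: a syntax error on `O'Brien` tells you the application is concatenating, long before anyone tries dropping a table.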
The Washington Times reports that the State Department is going to be producing “passport cards” for people who regularly travel by car or boat to/from Canada, Mexico and the Caribbean. About the size of a credit card, the electronic-passport card displays a photo of the user and a radio frequency identification (RFID) chip containing data about […]
The 26th episode of The Silver Bullet Security Podcast features Adam Shostack, a security expert on Microsoft’s Secure Development Lifecycle team who has also worked for Zero Knowledge and Reflective. Gary and Adam discuss how Adam got started in computer security, how art/literature informs Adam’s current work, and the main ideas behind Adam’s new book […]
Delightful!
Can Sips at Home Prevent Binges? is a fascinating article in the New York Times. It turns out there’s very solid evidence about this: “The best evidence shows that teaching kids to drink responsibly is better than shutting them off entirely from it,” he told me. “You want to introduce your kids to it, and […]
Uncle Harold (not his real name, not our real relationship, and I never even called him “Uncle”) was a cool guy who always fixed his own cars. Most of my life, Uncle Harold has been complaining. It used to be you could actually fix a car. You could put things in, take them out, adjust […]
I’m excited and grateful to the Industry Standard for including us in their “Top 25 B-to-Z list blogs.” There’s some great stuff in there which I read, like “Information Aesthetics
If you haven’t heard about this, you need to. All Debian-based Linux systems, including Ubuntu, have a horrible problem in their crypto. This is so important that if you have a Debian-based system, stop reading this and go fix it, then come back to finish reading. In fact, unless you know you’re safe, I’d take […]
A hacker in Chile calling himself the ‘Anonymous Coward’ published confidential data belonging to six million people on the internet. Authorities are investigating the theft of the leaked data, which includes identity card numbers, addresses, telephone numbers, emails and academic records. Chile has a population of about 16 million, so that’s 3/8ths of the country. […]
From the article: The Criminal Justice and Immigration Act has received Royal Assent creating tough new sanctions for the privacy watchdog, the Information Commissioner’s Office (ICO). This new legislation gives the ICO the power to impose substantial fines on organisations that deliberately or recklessly commit serious breaches of the Data Protection Act. It’s about time […]
I really enjoyed watching the podcast version of a talk that Jack Jones gave at Purdue, “Shifting focus: Aligning security with risk management.” I liked the opener, about what it’s like for executives to talk to security professionals, and the difference between what might happen and what’s likely to happen. The screenshot is from a […]
There’s an article in the New York Times, “‘Mad Pride’ Fights a Stigma” “It used to be you were labeled with your diagnosis and that was it; you were marginalized,” said Molly Sprengelmeyer, an organizer for the Asheville Radical Mental Health Collective, a mad pride group in North Carolina. “If people found out, it was […]
The “I’ve Been Mugged” blog has a great three part series on outsourcing by credit bureaus: “Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms? (Part 1),” “part 2” and “part 3.” He digs deep into how extensively TransUnion outsources, and where. I went looking, and was surprised to see that […]
Use of CCTV images for court evidence has so far been very poor, according to Detective Chief Inspector Mick Neville, the officer in charge of the Metropolitan police unit. “CCTV was originally seen as a preventative measure,” Neville told the Security Document World Conference in London. “Billions of pounds has been spent on kit, but […]
PARIS — Jérôme Kerviel, the Société Générale trader who used his knowledge of the French bank’s electronic risk controls to conceal billions in unauthorized bets, has a new job — at a computer consulting firm. Mr. Kerviel, who was given a provisional release from prison on March 18, started work last week as a trainee […]
There’s a story in the New York Times about a bike rental program in Washington DC. It’s targeted at residents, not tourists, and has a subscription-based model. Improved technology allows programs to better protect bicycles. In Washington, SmartBike subscribers who keep bicycles longer than the three-hour maximum will receive demerits and could eventually lose renting […]
Various estimates have been made regarding the quantity of personal identifying information which has been exposed by various mechanisms. Obviously, though, we only know about what we can see, so seeing more would make such estimates better. One way to see more would be to look in more places, for example on peer-to-peer file sharing […]
Dear Mr. Banks, Much as I enjoy your work, it is entirely dis-congruous to your readers to insert words known to neither the Oxford English Dictionary or the internet (as indexed here, here or here) whose meanings are not rapidly comprehensible. Thank you for your future attention to this matter. I remain, etc, etc.
I would estimate that 2/3 of the calls I get are from people trying to sell me things I neither need nor want. Of those, over half are outsourcing services. Of the remainder, recruiters are over half. There are also people who call me for their services once a week. There’s one particular outsourcing firm […]
How much do you make? How surprised would you be to learn that your magic number had been posted on the Internet by the government? And that it was not by mistake, as in other recent breaches of privacy. How Much Do You Make? The Nation Already Knows. The data has already been removed from […]
The debate about Shor’s Algorithm (which I blogged about a couple days ago) continues. Rod Van Meter has a good blog post about it here. While there are plenty of people who have just wholesale dismissed the Hill/Viamontes paper outright, apparently because they know Shor’s algorithm works and that building a working quantum computer is […]
I’d like to review two recent books on the war on terror: “Bush’s Law: The Remaking of American Justice” by by Eric Lichtblau, and “Less Safe, Less Free: Why America Is Losing the War on Terror” by David Cole and Jules Lobel. Both are well written assaults on the way in which the Bush administration […]
My buddy, collaborator and co-worker Crispin Cowan has started a blog. The first post is “Security Is Simple: Only Use Perfect Software.” [Update: Added a link to Crispin’s home page, because some readers apparently have trouble with a search engine.]
Technology Review has a pair of articles on D-Wave‘s adiabatic quantum computer. Quantum pioneer Seth Lloyd writes in “Riding D-Wave” about quantum computing in general, adiabatic quantum computing, and D-Wave’s efforts to show that they’ve actually built a quantum computer. Linked to that is Scott Aaronson’s article, “Desultory D-Wave,” in which Lloyd’s nail-biting is made […]
In a blog post entitled “Lending Tree A Little Late In Cutting Off Network Access?“, I read that in the recent Lending Tree breach: several former employees may have helped a handful of mortgage lenders gain access to Lending Tree’s customer information by sharing confidential passwords with the lenders. Later, the author describes “an obvious […]
The idea of “watchlists” has proliferated as part of the War on Terror. There are now more than 63 of them: As part of its regular “risk management” service, which provides screening, tracing, and identity and background checks on potential clients or trading partners, MicroBilt will now offer a “watch list” service that checks these […]
The ACM has a list of classic computer science works put together based on responses to a survey of the membership. I’m no computer scientist (though I’ve lived with my share…) but I’m shocked that none of Knuth’s works is on this list, even if it is basically a beauty contest.
Ross Anderson has made PDF versions of several chapters of his Security Engineering (second edition) available on-line. The entire first edition has been available for some time. I am sure this second edition will be outstanding. I would rank the first edition as one of the top three technical books I’ve read. It would likely […]
You don’t have much credibility looking for a publisher for a book on rum when you’re sailing in the Caribbean drinking the best rums you can find in the name of research. Most people just didn’t take me seriously that there was even a need for a book on rum. It took quite a while […]
The University of Miami has chosen to notify 41,000 out of 2.1 million patients whose personal information was exposed when thieves stole backup tapes. The other 2.1 million people, apparently, should be reassured, that their personal medical data was stolen, but the University feels it would be hard to read, and well, there’s no financial […]
The starring role of Johnny Utah is selected from the audience each night, and reads their entire script off of cue-cards. This method manages to capture the rawness of a Keanu Reeves performance even from those who generally think themselves incapable of acting. The fun starts immediately with the “screen test” wherein the volunteer Keanus […]
You see, the CIA apparently uses the less dangerous version of “waterboarding” — not the Spanish Inquisition method, but the technique popularized by the French in Algeria, and by the Khmer Rouge — involving the placing of a cloth or plastic wrap over or in the person’s mouth, and pouring or dripping water onto the […]
Microsoft Security Intelligence Report (July – December 2007) This volume of the SIR focuses on the second half of the 2007 calendar year (from July through December) and builds upon the data published in the previously released volumes of the SIR. Using data derived from several hundred million Windows users, and some of the busiest […]
Researchers at Linköping University in Sweden have found flaws in quantum cryptography. They also supply a fix. The announcement is here; a FAQ is here; full paper is at the IEEE here (but requires an IEEE membership). The announcement says: Jan-Åke Larsson, associate professor of applied mathematics at Linköping University, working with his student Jörgen […]
I’m somewhat sure this is a real AP story, “Al-Qaida No. 2 says 9/11 theory propagated by Iran.” The Onion scooped them, with “9/11 Conspiracy Theories ‘Ridiculous,’ Al Qaeda Says.” Unfortunately, no progress on the “fake tape” issue: The authenticity of the two-hour audio recording posted on an Islamic Web site could not be independently […]
I’ll be delivering the keynote at “The Fourth Annual ISSA Northwest Regional Security Conference” tomorrow in Olympia, Washington. I’m honored to have been selected, and really excited to be talking about “the crisis in information security.” The topics will be somewhat familiar to readers of this blog, but in a longer, more coherent format […]
Registration is under way for the seventh Workshop on the Economics of Information Security, hosted by the Center for Digital Strategies at Dartmouth’s Tuck School of Business June 25-28, 2008 The call for papers, and archives of past workshops give a good sense of what you’ll find (and it is awesome and well worth […]
Gary McGraw says buy it for the cover: The New School of Information Security is a book worth buying for the cover alone. I know of no other computer security book with a Kandinski on the front. Even though I know Adam Shostack from way back (and never could have predicted that he would become […]
Paul Graham has an interesting essay “Why There Aren’t More Googles.” In it, he talks about how VC are shying away from doing lots of little deals, and how the bold ideas are the ones that are hardest to fund: And yet it’s the bold ideas that generate the biggest returns. Any really good new […]
Edward Lorenz, most famous for research concerning the sensitivity of high-level outcomes to seemingly insubstantial variations in initial conditions (the so-called “butterfly effect“), died April 16 in Cambridge, Massachusetts. Much more information concerning Lorenz’s life and work is available via Wikipedia.
The CVE Web site now contains 30,000 unique information security issues with publicly known names. CVE, which began in 1999 with just 321 common names on the CVE List, is considered the international standard for public software vulnerability names. Information security professionals and product vendors from around the world use CVE Identifiers (CVE-IDs) as a […]
Congratulations to Berkeley on setting up a “Center for Innovative Financial Technology“, but I wonder why their mission is so conservative? The mission of the Center is to conduct and facilitate innovative research and teaching on how new technologies impact global electronic markets, investment strategies, and the stability of the financial system. The information people […]
In his inimitable way, Illiad has highlighted that the miscreants have moved from the operating system to the applications.
[…]an individual or entity that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to the Office of the Attorney General and any affected resident of the Commonwealth without unreasonable delay. Virginia’s […]
Banksy has done a wonderful service. The well-known artist has given us delightful commentary on surveillance. Better than that, he did it in a site above a Post Office yard in London (Newman Street, near Oxford Circus), behind a security fence and under surveillance by CCTV. His team erected three stories of scaffolding on Saturday, […]
We all know that ID theft and extortion bots are ubiquitous. Perhaps it is some consolation that a modicum of technical skill is needed to construct such things. That has changed. I (a complete non-programmer) have just built not one but two “bots” using materials available here and here! With these templates, any 8 year-old […]
Jonathan Zittrain, a professor at Oxford, has a new book, “The Future of The Internet.” He’s adapted some of the ideas into a long and worthwhile essay, “Protecting the Internet Without Wrecking It.” In that essay, he uses the term “generativity” to refer to a system which has what I would call ’emergent chaos.’ A […]
Taken while in San Francisco: What more needs to be said?
Lauren Gelman writes: I’m breaking blog silence to report on an amazing decision out of the DC Circuit holding that the federal Privacy Act’s requirement that Plaintiffs show actual damages does not require pecuniary harm but can be met by a showing of emotional distress. Am. Fed’n of Gov’t Employees v. Hawley, D.D.C., No. 07-00855, […]
UPDATE: This was a belated April Fools’ from the Attrition people, which clearly suckered me in. Attrition.org’s Lyger has announced the end of Attrition’s Dataloss project (presumably including both the DLDOS and Dataloss mailing list). In the past few weeks, it has come to our attention that too many people are more concerned with making […]
Schneier is probably busy at RSA, so I’ll handle this one, which comes courtesy of the Manitowoc Herald Times Reporter of April 9: About 450 employees of Point Beach Nuclear Plant were evacuated Tuesday morning after a convenience store clerk reported a man had asked for directions to Nuclear Road, where the plant is located, […]
Virginia, West Virginia, and South Carolina are the latest states to pass data breach notification laws, bringing to 42 the total number of states with such laws on the books (including the one state with a law that applies only to public entities, Oklahoma) See More Breach Notification Laws — 42 States and Counting at […]
I’m sorry blogging has been light, but RSA has been really busy. I did want to post a quick reminder, I’ll be doing a book singing at 2.30 at the RSA bookstore. PS: I know, that should really say “signing,” not “singing” but I decided I like the typo. If enough people show up and […]
Several of you have mailed or commented about the New School being “delayed” from Amazon. I apologize, this was a surprise to me. What our publisher says: Because of their set-up, Amazon has been taking longer to get a book available for shipping. As you can see this causes problems when they list the pub […]
I’ll be at RSA next week, and have a book signing scheduled for 2:30 PM Wednesday (April 9) at the RSA bookstore. To be more clear: The RSA bookstore will have copies for sale. I know many of you are waiting for copies. Many of our reviewers emailed me in the last day or two […]
The FDIC’s Division of Supervision and Consumer Protection didn’t release a report titled “Cyber Fraud and Financial Crime” on November 9, 2007. That release was left to Brian Krebs, a reporter with the Washington Post, in early March, who blogged about it in “Banks: Losses From Computer Intrusions Up in 2007” and “The FDIC Computer […]
“LOCAL SURVEY SHOWS: Private sector wants breach of information systems reported :” MANILA, Philippines — Local organizations want the breach of information systems and theft of personal information reported, a survey conducted by the Cyberspace Policy Center for Asia Pacific (CPCAP) showed. “A surprising 94 percent favored the imposition by law of [an] obligation upon […]
As many EC readers realize, press reports about data breaches involving lost or stolen computers often contain statements something like “The actual risk is thought to be minimal, since a password is required to login to the missing computer”. Such statements are sufficiently numerous that the pre-eminent source of breach data, Attrition.org, have issued a […]
…straining upon the start. The game’s afoot! Follow your spirit; and upon this charge Cry ‘God for Harry, England, and Saint George!’ So closes the speech before battle which Shakespeare wrote for Henry V. You know, the one which opens, “Once more into the breach:” (Thoughts on the cumulative effects of notification letters).” I seem […]
Black Hat USA News: We’re very proud to announce a new feature for paid Black Hat attendees starting with the USA show in August – delegate access to our CFP system! Paid delegates can now log into our CFP database, read and review our proposed presentations and share their ratings and comments with Black Hat. […]
At the International Association of Privacy Professionals meeting last week, I had the pleasure of meeting Wendy Richmond. Richmond is intrigued with the ways in which we share our public space. Some of us create invisible buffer zones for quiet reverie; others enhance or negate reverie through portable technology like iPods, cell phones and laptops. […]
There’s a fascinating article in the New York Times, “Report Sketches Crime Costing Billions: Theft From Charities.” “I gave a talk to a group of nonprofit executives a few weeks ago, and every single one of them had a fraud story to tell,” said one of the report’s authors, Janet S. Greenlee, an associate professor […]
Dan Solove has put his two current books, “The Future of Reputation” and “The Digital Person” online for free. I’ve felt bad in not reviewing The Future of Reputation, because I really enjoyed it, and have been trying to figure out what to say. Solove does a great job of surveying reputation in its many […]
The Washington Times reports, “Outsourced passports netting govt. profits, risking national security.” It is the first of a three-parter. Interesting comments: The United States has outsourced the manufacturing of its electronic passports to overseas companies — including one in Thailand that was victimized by Chinese espionage — raising concerns that cost savings are being put […]
The New Scientist reports in, “Have peacock tails lost their sexual allure?” A controversial study has found no evidence for the traditional view – practically enshrined in evolutionary lore – that peahens choose their partners depending on the quality of the peacocks’ tails. Obviously, traditionalists have many things to say about the quality of the […]
Thanks to infosec expert (and Indiana resident) Chris Soghoian, and a receptive state legislator who listened to an informed constituent, Indiana now has a much improved breach notification law, closing a loophole we discussed previously. We’ve written about expert involvement in crafting improved state laws before, most recently here. BTW, the loophole Indiana has […]
There’s a fascinating article in the New York Times, “At Bear Stearns, Meet the New Boss.” What makes it fascinating is the human emotion displayed: “In this room are people who have built this firm and lost a lot, our fortunes,” one Bear executive said to Mr. Dimon with anger in his voice. “What will […]
Or something like that. You have to know how to use a Mac and be British. Her Majesty needs you.
I’ve noticed that every time there’s a new message from Osama bin Laden, the press very carefully calls into question its authenticity. For example, CNN’s article “Purported bin Laden message: Iraq is ‘perfect base’” opens: Al-Jazeera broadcast on Thursday an audiotape on which a voice identified as Osama bin Laden declares “Iraq is the perfect […]
A year ago, I discussed stupid email disclaimers in, “If I Screw Up, It’s Your Fault!” This week, Brian Krebs of the Washington Post comes over the same issue, indirectly, in his “They Told You Not To Reply.” Krebs tells the story of Chet Faliszek, who owns the domain donotreply.com, which he bought in 2000 […]
The Washington Post reports: The State Department said last night that it had fired two contract employees and disciplined a third for accessing Sen. Barack Obama’s passport file. Obama’s presidential campaign immediately called for a “complete investigation.” State Department spokesman Tom Casey said the employees had individually looked into Obama’s passport file on Jan. 9, […]
Andre Gironda writes “Implications of The New School:” Additionally, the authors immediately begin the book with how they are going to write it — how they don’t reference anything in great detail, but that the endnotes should suffice. This also put me off a bit… that is — until I got to the endnotes! Certainly […]
Technology Review has an article, “The Technology That Toppled Eliot Spitzer.” What jumped out at me was the explicit statement that strange is bad, scary and in need of investigation. Bruce Schneier is talking a lot about the war on the unexpected, and this fits right into that. Each category is analyzed to determine patterns […]
Chess masters will sometimes play chess against a dozen or more competitors at once, walking from board to board and making a move. The way they do this isn’t to remember the games, but to look at the board, and make a decent (to a master) move each time. They look at the board, get […]
Hannaford says the security breach affects all of its 165 stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products. The company puts the number of unique credit and debit card numbers that were potentially exposed to fraud at 4.2 million. The company is currently […]
Our editor says that the Safari e-book edition of The New School is now available. Hardcopies should be out in a week or so. Jon Pincus gives us a mention in his long article “Indeed! The Economist on “computer science as a social science”” and comments that we “explicitly include discussions of diversity in the […]
Dan Geer is fond of saying that financial risk management works because everyone knows who owns what risks. Reports are that JPMorgan just bought Bear Stearns for $236MM, a 93% discount to Friday’s closing price, with $30BB of US taxpayer money thrown in (as guarantees) for good measure. Bloomberg also reports that the Bear Stearns […]
Is the recent wave of reporting on British data breaches similar to what we’ve been seeing in the US? A couple of things seem true: the US has way more reported breaches per capita, but both locations have seen greatly accelerated reporting. Here’s a plot of all US (Country = ‘US’) and British (Country = […]
The New York Times had a story, “Tax Inquiry? Principality Is Offended:” After weathering days of criticism from Germany over a spectacular tax evasion case, Liechtenstein — sometimes seen as the inspiration for the satirical novel from the 1950s about a tiny Alpine principality that declared war on the United States — is digging in […]
I was dismayed to learn that footage of Spitzer’s (alleged) rent-a-babe “Kristin” performing in a class play while in elementary school has been featured at various web sites — among them serious sites that should know better. One could argue that this woman made her bed, and now she can lie in it (puns intended). […]
Eliot Spitzer made a name for himself attacking banks. Setting aside the legitimacy of those attacks, I find it shocking that he didn’t realize how much banks know about each one of us. It’s doubly shocking that he didn’t expect revenge. The New York Times claimed that the “Revelations Began in [a] Routine Tax Inquiry.” […]
After showing that “encrypted” disk drives only encrypted the password you use, not the data, Heise-Online now shows that fingerprint-access is often bunk: Manufacturers of USB sticks and cards with fingerprint readers promise us that their data safes can only be opened with the right fingerprint. It turns out that an easy-to-find tool allows nosy […]
I’m delighted to report that USENIX, probably the most important technical society at which I publish (and on whose board I serve), has taken a long-overdue lead toward openly disseminating scientific research. Effective immediately, all USENIX proceedings and papers will be freely available on the USENIX web site as soon as they are published. (Previously, […]
What is it about the word “quantum” that sucks the brains out of otherwise reasonable people? There has to be some sort of Heisenberg-Schrödinger Credulity Principle that makes all the ideons in their brains go spin-up at the same time, and I’m quite sure that the Many Worlds Interpretation of it has the most merit. […]
By now, you’ve probably seen the news that “A Heart Device Is Found Vulnerable to Hacker Attacks.” Bruce Schneier has some good analysis, “Hacking Medical Devices.” I just wanted to shock Jerry Lee Lewis fans.
Speaking of books: This book explores the dramatic shift from infrastructure protection to information protection, explaining why data security is critical to business today. It describes how implementing successful data security solutions across sophisticated global organizations requires a new data-centric, risk based and strategic approach, and defines the concepts and economics of a sound data […]
A big thank you to those of you who picked up the New School in your blogs and mailing lists. Ryan Hurst says: This is a concept I know I believe in, one I have discussed numerous times with folks over beer; with that being said I can’t wait to get my copy to see […]
Ken Belva has a new blog at http://www.bloginfosec.com/. Looks like it is more “formal” and magazine-like than the typical blog, which many people will appreciate. There seems to be a pretty solid collection of contributors, and the hunt is on for additional qualified writers. There’s even a raffle for an iPod (but I already have […]
A few days ago, we turned in the very last edits to The New School of Information Security to Addison-Wesley. My co-author, Andrew Stewart, and I are both really excited. The New School is a systemic look at dysfunction within information security, and a look at some of the ways people are looking to make […]
One of the reasons that airline passengers sit on the tarmac for hours before takeoff is how the Department of Transportation measures “on time departures.” The on time departure is measured by push-back from the gate, not wheels leaving the tarmac. (Airlines argue that the former is in their control.) If you measure the […]
Progress in the field of computer security is driven by a symbiotic relationship between our understandings of attack and of defense. The USENIX Workshop on Offensive Technologies aims to bring together researchers and practitioners in system security to present research advancing the understanding of attacks on operating systems, networks, and applications. 2nd USENIX Workshop on […]
I forgot exactly where I saw the link to Ben Neumann’s Views from the Trenches, but the opening lines of his post “Network Outage” are great, doubly for what he’s just gone through: Today was a NIGHTMARE-DAY! Globat.com just emerged from a major outage – the worst in company history and everybody – customers and […]
The New York Times has a great story about Cai Guo-Qiang, an artist who works in gunpowder. “The Pyrotechnic Imagination.” It’s pretty cool stuff for a lazy weekend afternoon read. [I forgot to mention, he has a show at the Guggenheim, and their press release states, “For publicity images go to http://www.guggenheim.org/press_office.html User ID = […]
I saw the Pogues’ show at Chicago’s Riviera Theatre last night, exactly 22 years minus one day since the last time I saw them. Spider Stacy seems to have fared a tad better than Shane :^). The show was good, but of course nothing can compare to nostalgia. A particularly enjoyable feature for me was […]
I am tremendously pleased to say that Microsoft has closed an acquisition of Credentica‘s U-Prove technology. This technology adds a new and important set of choices in how we as a society deal with identity and properties of people. Kim Cameron has the official announcement, “Microsoft to adopt Stefan Brands’ Technology” and Stefan Brands has […]
In Things Are Looking Up For TJX, or, Javelin Research – Credibility Issues?, Alex takes a look at research released by Javelin, and compares it to some SEC filings. Javelin is making the argument that companies that suffer massive breaches will lose market share. As do these folks at Response Source: “LATEST NATIONAL RESEARCH REVEALS […]
Last week, I talked about consumer credit in “The real problem in ID theft.” Yesterday, the New York Times had a story, “States and Cities Start Rebelling on Bond Ratings:” A complex system of credit ratings and insurance policies that Wall Street uses to set prices for municipal bonds makes borrowing needlessly expensive for many […]
The report, Educational Security Incidents (ESI) Year in Review, spotlights institutions worldwide, and Penn State was included in the report with one data breach last year. … “My goal with ESI is to, hopefully, increase awareness within higher education that not only is information security a concern, but that the threats to college and university […]
[via DocBug]
In “Reckoning day for ChoicePoint, “Rich Stiennon writes: The real culprit is actually ChoicePoint itself and the three bureaus. By creating what is supposedly a superior solution than the old fashioned way of granting credit (knowing your customer, personal references, bank references, like they do it in most of the rest of the world) they […]
Yesterday Hoff blogged about McGovern’s “Ten Mistakes That CIOs Consistently Make That Weaken Enterprise Security” and added ten more of his own. I’m particularly annoyed at him for #4: Awareness initiatives are good for sexual harassment and copier training, not security. Why? Because, damn that really sums it up. I wish that I had thought […]
Chris Hoofnagle has completed a paper which ranks US financial institutions according to their relative incidence of ID theft, based on reports to the FTC by consumers who named an institution. Chris (like another Chris I know) would like to see more complete information on ID theft available to consumers, so they can make informed […]
Over on my work blog, I just wrapped up a series on threat modeling. Because blogs display the content backwards, I’ve put the entire series up as a Word doc: The Trouble With Threat Modeling. [Update: If you want to see all the threat modeling posts, they’re at Threat Modeling SDL blog posts. They’re displayed […]
Diebold Accidentally Leaks Results Of 2008 Election Early
Kim Cameron not only admits what Ben Laurie has said here, here, and here, but he says it succinctly: OpenID provides convenience and power but suffers the problem of all the Single Sign On technologies – the more it succeeds, the more dramatically phishable it will become. There you have it. It has long been […]
Dan Solove has an interesting article up, “Coming Back from the Dead.” It’s about people who are marked dead by the Social Security Administration and the living hell their lives become: Dan starts with quotes from the WSMV News story, “Government Still Declares Living Woman Dead” According to government paperwork, Laura Todd has been dead […]
“Let’s play ‘airport security’,” says Foreign Policy. It’s like playing Doctor, only with latex gloves and inappropriate touching. In an effort to help children understand and be comfortable and confident in the need and process of higher security protocols we’ve developed a new play and learning toy and resource web site to promote and educate […]
Dubai, as Adam pointed out, is in something of a branding quandary. A hard line – some would say a retrograde and counterproductive line – on victimless crime doesn’t mix well with an image as a fun spot for the well-heeled. Meanwhile, there’s this (from Emirates Business 24-7, retrieved 2/21/2008): Dubai-based banks are recruiting former […]
Explanation and more pictures here.
Cat Le-Huy is a friend of friends who has been “detained” entering Dubai. I put detained in quotes, because he’s been thrown into prison, where he’s now spent a few weeks. He claims he was carrying melatonin, which is legal in Dubai, and the authorities have charged that there was .001 gram (1 milligram) of […]
As we love to say, if you have physical access to a machine, then you have access to all the data on it. Today Ed Felten et al. proved that yet again when they released a paper describing cold boot attacks on encryption keys. In it, they show that DRAM can be stripped (even after a full […]
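The practical half of a cold boot attack is finding the key inside a captured memory image. An AES-128 key is followed in RAM by the 160 bytes of round keys derived from it, so a scanner can treat every 16-byte window as a candidate key, expand it, and check whether the expansion sits right behind it; tolerating a few flipped bits in the derived round keys covers the partial decay the paper describes. The block below is an added example written for this page, not the authors’ released tooling, and it runs on a constructed memory image (random filler with the FIPS-197 sample key schedule embedded at a chosen offset) rather than a real dump.

```python
import random

SCHEDULE_LEN = 176  # AES-128: 11 round keys of 16 bytes


def _gen_sbox():
    """Build the AES S-box from GF(2^8) inverses plus the affine map (FIPS-197)."""
    def rotl(v, n):
        return ((v << n) | (v >> (8 - n))) & 0xFF
    sbox = [0] * 256
    p = q = 1
    while True:
        p = p ^ ((p << 1) & 0xFF) ^ (0x1B if p & 0x80 else 0)  # p *= 3 in GF(2^8)
        q ^= (q << 1) & 0xFF                                    # q /= 3 in GF(2^8)
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4)
        sbox[p] = x ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _gen_sbox()


def expand_key(key, nwords=44):
    """FIPS-197 key expansion for a 16-byte key; returns nwords*4 bytes of schedule."""
    w = list(key)
    rcon = 1
    for i in range(4, nwords):
        t = w[4 * i - 4:4 * i]
        if i % 4 == 0:  # RotWord, SubWord, then xor the round constant
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = ((rcon << 1) ^ 0x11B) if rcon & 0x80 else rcon << 1
        w += [w[4 * i - 16 + j] ^ t[j] for j in range(4)]
    return bytes(w)


def bit_errors(a, b):
    """Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def find_aes128_keys(image, max_bit_errors=0):
    """Return (offset, key, errors) for every window whose AES-128 key schedule
    follows it in `image`, allowing up to max_bit_errors flipped bits in the
    derived round keys (the candidate key bytes themselves must be intact)."""
    hits = []
    for off in range(len(image) - SCHEDULE_LEN + 1):
        cand = image[off:off + 16]
        # Cheap pre-filter: derive only round key 1 and compare 16 bytes.
        first = expand_key(cand, nwords=8)[16:32]
        if bit_errors(first, image[off + 16:off + 32]) > max_bit_errors:
            continue
        errs = bit_errors(expand_key(cand), image[off:off + SCHEDULE_LEN])
        if errs <= max_bit_errors:
            hits.append((off, cand, errs))
    return hits


# Constructed test image: 4 KiB of pseudo-random filler with a real key
# schedule dropped in at a fixed offset. The key is the FIPS-197 sample key.
SAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
SAMPLE_OFFSET = 1234


def build_sample_image(bit_flips=0):
    """Return (image, offset, key); bit_flips > 0 damages bits in the derived
    round keys to mimic DRAM decay after the machine lost power."""
    rng = random.Random(2008)
    buf = bytearray(rng.getrandbits(8) for _ in range(4096))
    buf[SAMPLE_OFFSET:SAMPLE_OFFSET + SCHEDULE_LEN] = expand_key(SAMPLE_KEY)
    # Flip one bit each in up to three distinct bytes past the raw key.
    for pos, mask in list(zip((20, 90, 170), (0x01, 0x08, 0x80)))[:bit_flips]:
        buf[SAMPLE_OFFSET + pos] ^= mask
    return bytes(buf), SAMPLE_OFFSET, SAMPLE_KEY


if __name__ == "__main__":
    img, _, _ = build_sample_image(bit_flips=3)
    for off, key, errs in find_aes128_keys(img, max_bit_errors=4):
        print(f"AES-128 key at offset {off}: {key.hex()} ({errs} decayed bits)")
```

With no tolerance the damaged image yields nothing; raising `max_bit_errors` to a few bits recovers the key with its decayed-bit count, which is the property that makes the attack work on memory that has been cooling for seconds rather than microseconds. The real tooling also reconstructs keys whose own bytes decayed, which this example leaves out.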
Via Kable’s Government Computing, comes news that the British House of Lords “Science and Technology Committee has announced a follow-up inquiry to its ‘Personal Internet Security’ report”. Chair of the committee Lord Sutherland said: “The committee was disappointed with the government’s response to its report. We felt they had failed to address some of our […]
Experian sues Lifelock. I think I can hear the champagne corks popping at ID Analytics from here. They, arguably, provide a service which is similar enough (a detective control against new account fraud, rather than a preventative control), but theirs operates through a different mechanism. I’d like to see some numbers showing the efficacy of […]
Last week, Siva Vaidhyanathan, of Sivacracy, released a new column in the Chronicle of Higher Education, “Naked in the ‘Nonopticon’,” which has some refreshing thoughts on privacy and surveillance that I wish more of us on the security side understood better. His main themes are (in his own words): 1) Anyone who claims “young people don’t […]
In “Crowd control at eBay,” Nick Carr writes: EBay has been struggling for some time with growing discontent among its members, and it has rolled out a series of new controls and regulations to try to stem the erosion of trust in its market. At the end of last month, it announced sweeping changes to […]
As I was driving home, listening to the radio, I heard this: We’ve been really astonished by how some of the most high-profile situations actually resulted in increased consumer confidence, because sometimes high-profile issues give us an opportunity to talk about what we do, and that has actually encouraged consumers. No, it’s not a TJX […]
We’ve made frequent calls here at EC for improved breach reporting. In particular, we’ve said that governments (be they state, provincial, national, whatever) should provide standardized reporting forms, should collect a basic set of facts in each report, should require precision in reporting rather than accepting weasel-words, and should mandate centralized reporting, so that […]
Because Baltimore police officer Salvatore Rivieri seemingly was unable to tell he was being filmed. Pity. There’s some infosec relevance to obsessing and overreacting to one thing, while being oblivious to another that could prove far more damaging.
Via Michael Froomkin.
As he was winning contests in Iowa and South Carolina, Senator Barack Obama raised $32 million in January for his presidential bid, tapping 170,000 new contributors to rake in nearly double the highest previous one-month total for any candidate in this election cycle. The New York Times, “Enlisting New Donors, Obama Reaped $32 Million in […]
Unfortunately, this was easy to see coming.
A while back, I posted a list of breach laws. I’ve now added the CSO map, which is pretty cool. Scott and Scott, one page reference chart Perkins, Coie summary of laws Proskauer Rose listing of laws (Updated 1 December 2007) Julie Brill, Assistant Attorney General, Vermont (not online). CSO Magazine has an interactive chart […]
Apparently we need not one, but two national ID cards. Illinois Reps. Mark Kirk and Peter Roskam (may they not get re-elected in November) are introducing legislation that would mandate that Social Security cards have “a photograph and fingerprint, as well as a computer chip, bar code and magnetic strip.” The cards would be modeled […]
A lot of people think of calls for diversity as fuzzy headed liberalism at its worst. If you’re one of them, please keep reading. Or you could click here and just
First, I’d like to thank everyone for keeping the comments civil and constructive. Second, I’d like to respond to Philll’s comment, “You sure do pick the strangest issues to make non-negotiable.” I picked this because it struck me that the rules in question were being accepted and treated in the various discussions as fixed and […]
Raymond Chen has an amusing blog post, “When computer programmers dabble in economics: Paying parking tickets.” This is further dabbling in economics, and I hope you find it amusing. I believe that parking meters–the old fashioned kind where you put coins in and hope to not get a ticket–are precisely the opposite of slot machines. […]
I was listening to the radio yesterday, a show about Super Tuesday. First, a big thank you to all the Democrats who voted
The Economist emails: Our second series of three debates kicks off today and the first proposition raises important questions about civil rights and the trade-off between Privacy vs. Security. As a blogger and member of the community that The Economist aims to serve with this lively debate, we wanted to extend an invitation to you […]
Recently, a group of passengers on the London Underground performed the dance from Michael Jackson’s “Thriller” in front of an unsuspecting audience. Shockingly, no one panicked. You can see one passenger move out of the way, but people otherwise just sat there and watched. When the performance was done, the fellow-passengers applauded. Security was not […]
Well, Super Tuesday is here in the United States, and some millions of people will stand up and vote or caucus for the candidate of their choice. We here at Emergent Chaos have spent tremendous amounts of time watching the election, and we wanted to offer up some of the least-awaited endorsements in the blogosphere. […]
The Macquarie Dictionary of Australia has an annual contest for Word of the Year. The People’s Choice Award goes to the term that is the title of this post: password fatigue noun a level of frustration reached by having too many different passwords to remember, resulting in an inability to remember even those most commonly […]
We’re coming up on the 30th anniversary of the publication of “Computer Capers: Tales of electronic thievery, embezzlement, and fraud,” by Thomas Whiteside. What, might you ask, can we learn from a 30 year old text? Nothing has changed. Except, for some of the names. Donn Parker is in there, as are a melange of […]
Giants. 17-14.
Those geeks and their crazy jargon. Context here.
And in closely related news, “US Office of Personnel Management says not to use SSN as primary identifier.”
Yahoo news recently reported the story of Charleston, West Virginia Mayor Danny Jones who used a photo of himself in a magazine to prove his identity. In brief, he was flying out of John Wayne Airport and his drivers license was expired so he wasn’t going to be allowed to get past security. The Charleston […]
On the beaches of Mexico, they’re talking about Copacabana, a new cipher-cracker that works on DES and other ciphers with a 64-bit key. Yes, this has been done before, but this is interesting for a number of reasons. First is the price. About €9,000. Second, there’s the performance. A complete DES keyspace sweep in a […]
Tomorrow at 2 Eastern, ANSI will be hosting a Identity Theft Prevention and Identity Management Standards Panel. Key analysts, industry leaders, and members of the Identity Theft Prevention and Identity Management Standards Panel (IDSP) will lead an online discussion of a new report that promotes access to and implementation of tools and processes that can […]
Rybolov had an interesting comment on my post, “How taxing is it to read a tape?” He wrote about how hard it can be, and closed: I think the key is that it’s hard for the average person to read tapes if they found/stole them, but for a moderately-large organization/attacker, it’s possible. I think this […]
Hence, we imprison and deport American citizens for immigration violations. Thomas Warziniack was born in Minnesota and grew up in Georgia, but immigration authorities pronounced him an illegal immigrant from Russia. Immigration and Customs Enforcement has held Warziniack for weeks in an Arizona detention facility with the aim of deporting him to a country he’s […]
Why is it we easily admit that spammers are people smart enough to run massive botnets, design custom malware, create rootkits, and adapt to changing protection technologies but we still think that they’re unable to write a pattern to match “user at domain dot com”? Kudos to the first person who puts such a […]
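The pattern the post dares someone to write, as an added example that is not from the post or its commenters. It treats “@” and “.” as connectors that may also appear as a bare word (“at”, “dot”) or a bracketed one (“[at]”, “(dot)”, “<at>”), in either case, and normalizes each match back to a plain address. The sample text is constructed for the example; the only real-world assumption is that a harvester happily trades a few false positives for recall.

```python
import re

# Connector forms a harvester should accept. The literal "." is taken only
# when it is not surrounded by whitespace, so a sentence-ending period does
# not glue the next word onto a domain.
_TOKEN = r"[A-Za-z0-9_%+-]+"
_LABEL = r"[A-Za-z0-9-]+"
_AT = r"(?:\s*@\s*|\s*[\[(<]\s*at\s*[\])>]\s*|\s+at\s+)"
_DOT = r"(?:\.|\s*[\[(<]\s*dot\s*[\])>]\s*|\s+dot\s+)"

# local part: tokens joined by DOT; domain: at least two labels joined by DOT.
ADDRESS_RE = re.compile(
    r"\b(" + _TOKEN + r"(?:" + _DOT + _TOKEN + r")*)"
    + _AT
    + r"(" + _LABEL + r"(?:" + _DOT + _LABEL + r")+)\b",
    re.IGNORECASE,
)
_DOT_RE = re.compile(_DOT, re.IGNORECASE)


def normalize(local, domain):
    """Collapse every DOT spelling to "." and lower-case the result."""
    return (_DOT_RE.sub(".", local) + "@" + _DOT_RE.sub(".", domain)).lower()


def harvest(text):
    """Return every address in `text`, obfuscated or not, in canonical form."""
    return [normalize(m.group(1), m.group(2)) for m in ADDRESS_RE.finditer(text)]


# Constructed sample: three differently obfuscated addresses plus a sentence
# that uses the word "at" without being an address.
SAMPLE = (
    "Reach me at user at domain dot com, or first dot last [at] mail (dot) "
    "example (dot) org; the list is announce@lists.example.net. "
    "Keep data at rest encrypted."
)

if __name__ == "__main__":
    for addr in harvest(SAMPLE):
        print(addr)
```

Running it on `SAMPLE` prints `user@domain.com`, `first.last@mail.example.org` and `announce@lists.example.net`, and nothing for “data at rest encrypted”, because a domain needs a second label joined by some spelling of a dot. That single constraint is what separates this from matching every “x at y” in English, and it is the kind of heuristic a spammer writes in an afternoon.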
The inclusion of Emergent Chaos among the blogs featured at Security Focus happened, one might say, “on Internet time”. Specifically, it was a cool idea that people talked about for a while, and then it got implemented very quickly and surprised us. Quite apropos, given this blog’s title. Anyway, Adam, EC’s bandleader, is away from […]
Ekinoderm writes in “Who did Kill the Software Engineer?” that schools today are ruining software engineering by teaching people Java. He references Joel Spolsky’s rant on the same. I agree completely, except neither went far enough! Java is just the replacement for Pascal, a pedagogical language designed because it was more fun and understandable than […]
Dark Reading reported that “Data on 3M UK Drivers ‘Lost in Iowa’.” “In May this year, Pearson Driving Assessments Ltd, a private contractor to the Driving Standards Agency, informed the agency that a hard disk drive had gone missing from its secure facility in Iowa City, Iowa,” Kelly said. “The hard disk drive contained the […]
2008, for us, is a big change because up to now we have been more like a terrorist group, threatening to do something and making big claims. Nicholas Negroponte, of the One Laptop Per Child program, speaking on his own web site. Wow. There’s a stunning analogy for you. Maybe “we’ve been more like a […]
Michael Howard has broken the news: “Crispin Cowan joins Windows Security: I am delighted to announce that Crispin Cowan has joined the core Windows Security Team! For those of you who don’t know Crispin, Crispin is responsible for a number of very well respected Linux-based security technologies such as StackGuard, the Immunix Linux distro, SubDomain […]
Microsoft Office 2008 for the Macintosh is out, and as there is in any software release from anyone there’s a lot of whining from people who don’t like change. (This is not a criticism of those people; I am often in their ranks.) Most of the whining comes because Office 2008 does not include Visual […]
In “Athenian Economy and Society: a banking perspective,” Edward Cohen uses the fascinating technique of trusting in offhand comments. He uses the technique to analyze court records to reconstruct banking. You might not be able to trust the main testimony in a trial, but no one will offhandedly say something shocking and strange, because it […]
It started with Mark Jewell of the AP, “Groups: Record data breaches in 2007.” Dissent responded to that in “Looking at 2007’s data breaches in perspective:” The following table depicts the number of U.S. incidents reported and the corresponding number of records reported exposed by the three main sites that track such data: Attrition.org, the […]
DOYLESTOWN, Pennsylvania (AP) — A man who wrote a vulgar message on the memo line of a check he used to pay a $5 parking ticket has apologized in writing, leading police to drop a disorderly conduct charge against him. David Binner sent the check after receiving a $5 parking ticket. He calls it “a […]
Every now and then, an “Astronomy Picture of the Day” is just breathtaking. Today’s is Hurricane Ivan from the Space Station. Click for the larger view.
First exposed nearly a year ago, by DIY boarding pass mastermind Chris Soghoian, a TSA web site intended to help travelers improperly recorded on watch lists has been slammed by a House Oversight and Government Reform Committee report: TSA awarded the website contract without competition. TSA gave a small, Virginia-based contractor called Desyne Web Services […]
The BBC reports (TV personality) “Clarkson stung after bank prank” in which he published his bank account numbers in the newspaper: The Top Gear host revealed his account numbers after rubbishing the furore over the loss of 25 million people’s personal details on two computer discs. He wanted to prove the story was a fuss […]
Chris emailed me a bit before Christmas with a link to the new “New York State Security Breach Reporting Form.” How could we withhold this exciting news? I wanted to wait until people were back from vacation, so they didn’t miss it. The form is important because it’s starting to ask for more data. There’s […]
At WD-50 I saw something done to the potatoes that makes a cook scream, “yes!” A method of cooking the potatoes with an explanation using true understanding of the molecules inside the potatoes and the effects of heat on them. The potatoes are peeled, sliced, and cooked in a water bath at 65 degrees celsius […]
Andy Olmsted, who posted as G’Kar on Obsidian Wings, was killed yesterday in Iraq. I always enjoyed his posts, especially when I disagreed with them, because he was so clearly thoughtful. I find myself terribly sad for the death of a man who I only knew through his words. He asked that we not politicize […]
Ohio Secretary of State Jennifer Brunner announced yesterday that paper ballots must be provided on request. Poll workers won’t be told to offer the option to voters but must provide a ballot if requested to help “avoid any loss of confidence by voters that their ballot has been accurately cast or recorded,” a directive from […]
Title: Citibank limits ATM cash in city. Author: Kerry Burke and Larry McShane. Source: Daily News. Date published: January 3rd, 2008. Excerpt: The New York-based Daily News reported today that Citibank has limited the cash amount its customers can take out of ATM machines. It is being reported that the security of Citibank’s ATM machines in […]
In “Data breach officials could be sent to the big house,” we learn: In his update on the HMRC data loss to MPs yesterday, Alistair Darling said: “There will now also be new sanctions under the Data Protection Act for the most serious breaches of its principles. “These will take account of the need not […]
Evan Francen is maintaining a breach blog with more structure and commentary than either PogoWasRight or Attrition. As I looked at it, I had a couple of thoughts. The first is that he doesn’t reference Attrition DLDOS numbers. (Then again, Pogo doesn’t either.) I think this is a mistake. When we founded CVE, it was […]
Opponents of Australia’s controversial Access Card received an early Christmas present earlier this month when the incoming Rudd Labor Government finally axed the controversial ID program. Had it been implemented, the Access Card program would have required Australians to present the smart card anytime they dealt with certain federal departments, including Medicare, Centrelink, the Child […]
My co-workers in SWI have a new blog up, “Security Vulnerability Research & Defense.” They’re planning to…well, I’ll let them speak for themselves: …share more in-depth technical information about vulnerabilities serviced by MSRC security updates and ways you can protect your organization from security vulnerabilities… The two posts below are examples of the type of […]
On December 19th, Denebola, the student run newspaper of Newton South High School, broke the news that video cameras had been secretly installed in their school. Not only were students and parents not notified of the cameras but apparently neither were any of the teachers. From the student article: According to Salzer, only he, Superintendent […]
Orin Kerr has a fascinating tidbit at Volokh, “Encryption, the Fifth Amendment, and Aaron Burr:” Following my posts last week on encryption and the Fifth Amendment, a few readers asked about how courts have dealt with such issues before. As far as I know, there is only one other judicial decision specifically addressing the Fifth […]
A surgeon who allegedly took a photo of a patient’s penis during an operation at a US hospital is no longer working there, it has been announced. Dr Adam Hansen, of Arizona’s Mayo Clinic Hospital, is accused of taking the snap while conducting gallbladder surgery earlier in December. (BBC, “US ‘penis photo doctor’ loses job.”) […]
Not much naughtier than other retailers: I’d say yes to coal for most of the major retailers for dropping the ball on security. Bigger chunks of coal need to go to state legislators and the U.S. House and Senate for failing to pass any laws protecting consumer data (although Minnesota got quite close). But to […]
“Anger as NHS patient records lost” “Patient data loss affects 168,000” “Post Office sends wrong details” “Discs ‘worth £1.5bn’ to criminals” “£20,000 reward offered for discs”* “More firms ‘admit disc failings’” * Readers are invited to comment on the contrast. Thanks to Ant, Cat and Steven Murdoch for links. Image: Teton dam, Wikipedia.
A pint of the black stuff a day may work as well as an aspirin to prevent heart clots that raise the risk of heart attacks. Drinking lager does not yield the same benefits, experts from University of Wisconsin told a conference in the US. … The researchers told a meeting of the American Heart […]
Here at Emergent Chaos, we’re big fans of large objects hitting other large objects at high speed. Which is why it’s important to tell you that 2007-WD5 is a 50 meter asteroid that’s set to pass within 48,000 kilometers of Mars next month. “We estimate such impacts occur on Mars every thousand years or so,” […]
It becomes a tree pub. See “Fancy a pint in the world’s only bar that’s INSIDE a tree?” in the Daily Mail for more. Thanks, C!
Check out this amazing video from TED.
In Dissent’s weekly roundup of breaches, there were six breaches reported for the UK, versus nine in the US. It seems that the duty of care approach is really taking off. Newly reported incidents in the U.K. and Ireland: In Ireland, the Driver and Vehicle Licensing Agency has lost the personal details of 6,000 people. […]
I think the NFL’s handling of spying by the New England Patriots is poor. Of course, I expect retrograde, authoritarian, clumsy behavior from the NFL, and I haven’t been disappointed in the few decades I’ve been paying attention. The New York Times covered this issue (the spying, not the decades). In their December 16 article, […]
My eyes feel better now. Calla Lily macro 3, by Edwin Bartlett.
I’m way too lazy to take the time in Photoshop to make this look good, so just use your imagination and pretend I put Beaker’s head on this. Y’all should just be grateful that I didn’t use this animated gif instead….
There’s an article in the Washington Post, “In the Course of Human Events, Still Unpublished.” It’s about how the papers of the founding fathers of the United States are still not available except in physical form, and the scholarly practice that keeps them there. Many of the founding fathers’ letters have been transcribed and made […]
According to Dark Reading, “Study: Breaches of Personal Data Now Prevalent in Enterprises:” According to a study released yesterday by the Ponemon Institute and Deloitte & Touche, 85 percent of the security or privacy executives surveyed — some 800 individuals — claimed at least one reportable security incident in the past 12 months. Sixty-three percent […]
Normally, it’s not news when someone takes aim at TSA policies like this: If you are someone who suspects that what is billed as “aviation security” is often more show than substance, you are not alone. In fact, you are part of what Nixon aides used to call the “silent majority.” The security bureaucracy seems […]
There’s a bunch of press around Ask.com’s marketing of their new privacy service. I applaud them for thinking about this, and for drawing attention to the issue of search privacy. The New York Times had a story, “Ask.com Puts a Bet on Privacy” and now Slashdot jumps in with “Will Privacy Sell?” This is the […]
‘Good Times Bad Times’ ‘Ramble On’ ‘Black Dog’ ‘In My Time Of Dying’ (full version) ‘For Your Life’ ‘Trampled Under Foot’ ‘Nobody’s Fault But Mine’ ‘No Quarter’ ‘Since I’ve Been Loving You’ ‘Dazed And Confused’ ‘Stairway To Heaven’ ‘The Song Remains The Same’ ‘Misty Mountain Hop’ ‘Kashmir’ ‘Whole Lotta Love’ ‘Rock And Roll’ Playlist via: […]
So says USA Today, in “Theft of personal data more than triples this year.” A few small quibbles: I’d prefer if Byron Acohido had said “reported” thefts. It’s not clear if thefts or reports tripled; I suspect the reports, but proving that would be tough. Both of those things said, it’s a good article, and […]
This New York Times article really is interesting. It’s all about how candidates are losing control of their campaigns, and they’re in a new relationship with emergent phenomena on the internet. Now, as we come to the end of a tumultuous political year, it seems clear that the candidates and their advisers absorbed the wrong lessons […]
In the new book [Paddington] bear, who arrived in the country as a stowaway, is interviewed about his right to stay in England. He has no papers to prove his identity as his Aunt Lucy arranged for him to hide on a ship’s lifeboat from Peru when she went to live in the Home for […]
I love my Prius. It’s fun to drive, eco-friendly and even has lots of geek appeal. However it has one incredibly moronic safety feature which I was reminded of while driving through the snow the other day. Now I have the base model which means I don’t have fancy features like the automatic skid prevention. […]
Life is about to get a lot more complicated for companies that do business in California. I completely missed this getting signed back in October, but on 10/14, the Governator signed AB1298 which updates CA1386 to mandate that medical and health insurance policy information also are to be treated as PII. To say that this […]
If you travel a lot, you’re used to dealing with many network difficulties. For a while now, I’ve been traveling with an Airport Express, which has made life a lot easier. I set it up to use DHCP, plug it into the hotel Ethernet, and go. At the very least, it means I can work […]
I’ve been thinking about Franklin, Perrig, Paxson, and Savage’s “An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants” for about three weeks now. This is a very good paper. For the infosec empiricist, the dataset itself is noteworthy. It consists of 13 million public IRC messages (that is, in-channel stuff, not […]
Today marks the 74th anniversary of the repeal of Prohibition in the United States. For 14 years, Americans were unable to legally have a drink. This led to a dramatic growth in the acceptance of organized crime and violence. Al Capone made his money in the demon rum, and was willing to fight for […]
This in reference to the recent HMRC breach… However, [Gartner VP Avivah] Litan warned that the chance of identity theft was actually small, at just 1%. Digitaltrends.com The probability of this estimate being scientifically defensible is 0.00%. I’ll have something to say about learning (for real) from the HMRC breach in a soon-to-come post.
Frans Osinga’s book on Boyd, “Science, Strategy and War: The Strategic Theory of John Boyd” has been issued in paperback. Previously, it was $90 for a copy. The new paperback edition is $35.95, and is easily worthwhile at that price. Science, Strategy and War is an academic analysis of John Boyd’s thinking and its […]
OK. So while researching the stock tout scam noted in another post, I came across a blog which discussed a similar mechanism, but one using text messages. An obvious variant, but the part I absolutely adored was when they linked to this August 31, 2007 article from MaineToday.com (emphases added to save your time): An […]
Dear Chris: I think you’re a smart person who cares about honesty and the rule of law. I also think your e-mail fundraising campaign is undermining that message by sending what I believe to be deliberately deceptive emails. To be clear, I am not referring to deception in the political message — spinning words, being […]
Ian Brown writes, “Biometrics are not a panacea for data loss:” “What we must ensure is that identity fraud is avoided, and the way to avoid identity fraud is to say that for passport information we will have the biometric support that is necessary, so that people can feel confident that their identity is protected.” […]
I believe that I follow breach notification pretty closely. So I was surprised to learn that I had missed the passage of a law in Japan. Bird & Bird, Notification of data security breaches explains: In Japan, the Personal Information Protection Act (Law No. 57 of 2003; chapters 1 to 3 effective May 30 2003 […]
I’ve been in the hotel I am in for over a week now. It is a European hotel that has wireless, and you have to get an access card and type a six-character string into an access web page. That authenticates you, and you can go. The problem I have today is that I can […]
In a feat that would make Banksy proud, members of Untergunther, who the Guardian calls “cultural guerrillas“, restored the antique clock at the Panthéon. They spent about a year, beginning in September of 2005, in a hidden workshop, dismantling and rebuilding the entire clockwork which had been abandoned in the 1960s. They were never discovered […]
There’s a story in the Yorkshire Post, “2,111 data disasters blamed on disc row bunglers.” At first blush, that’s an awful lot of errors: THE bungling Government department responsible for losing 25 million people’s personal details in the post was hit by more than 2,100 reported breaches of security in the past year alone. And […]
Quite possibly the funniest infosec joke seen in 2007. Here we have two CD-R’s for auction. They are not blank, but seem to have some sort of database written to them. I found them in my local courier firm’s sorting office, addressed to “Her Majesties Audit Office – Child Benefits Section” and marked “Sensitive HM […]
Thanks to all the readers who have written to tell me about the HM Revenue and Customs breach in the UK. I’m on vacation at the moment, and haven’t had a chance to read in depth. However, example stories include the BBC’s “Pressure on Darling over records:” Alistair Darling has apologised for the “extremely serious […]
The BBC reports the whereabouts of the legendary cave where Romulus and Remus, founders of Rome, were nursed by a she-wolf, Lupa, as foundlings. The eight-meter-high cave was found buried sixteen meters under a previously-unexplored area of Palatine hill in Rome. Although their home address has been made public, it is unclear if the […]
Recently Dave G of Matasano (and smoked salt) fame posted two interesting articles on Vulnerability Disclosure Markets. In the second one, he reposted a user’s comment: Based on the failing (due to agenda) of (particular) Researchers, Coordinators (i.e. FIRST Members) and Vendors – Which “trusted person or organization” is left “that can represent vulnerability researchers whose […]
It’s become common for people thinking about security economics to call for liability around security failures. The idea is that software creators who ship insecure products could be held liable, because they’re well positioned to address the problems. I don’t think this is a trouble-free idea. There are lots of complexities. As one example, […]
The Telegraph is concerned that The most senior British intelligence official, appointed yesterday to oversee MI5, MI6 and GCHQ, has a website revealing his home address, phone numbers and private photographs of himself, family and friends. www.telegraph.co.uk The upshot seems to be that the gent in question, Alex Allan, lacks the circumspection one would demand […]
In Controlling Water, Dana writes: …Alex Stupak, […] dropped this bombshell in my ear with the casual effect of a little bird chirping their daily song. With no prompt, he said simply, “You know, it’s really just about controlling water,” and walked away. This simple phrase had the power of a plot changing hollywood one […]
I’ve always been concerned about biometric systems for payment. I don’t want my fingerprint to be able to access my bank account: I leave fingerprints all over the place. I’m glad to see that biometrics pioneer Pay-By-Touch is shifting focus: Pay By Touch, which has made a major push in POS biometric payments, is backing […]
Blogging about your own presentations is tough. Some people post their slides, but slides are not essays, and often make little sense without the speaker. I really like what Chris Hoff did in his blog post, “Security and Disruptive Innovation Part I: The Setup.” I did something similar after “Security Breaches Are Good for You: […]
Privacy in the EU has been hugely in the news in the last week. Check these out: European Union justice ministers Friday agreed on a minimum set of rules protecting the cross-border exchange of personal data by law-enforcement agencies in the 27 member states. There were lots of other proposals discussed, including ones that mimic […]
I have been playing with Splunk, for about 45 minutes. So far, I like it. I’ve previously been exposed to Arcsight, but what I have more of an affinity for psychologically is not so much a correlation engine, but a great visualization tool that automagically can grok log formats without making me write a hairy […]
In “How Can Government Improve Cyber-Security?” Ed Felten says: Wednesday was the kickoff meeting of the Commission on Cyber Security for the 44th Presidency, of which I am a member. The commission has thirty-four members and has four co-chairs: Congressmen Jim Langevin and Michael McCaul, Admiral Bobby Inman, and Scott Charney. It was organized by the […]
There’s a story in the Wall St Journal, “London’s Congestion Fee Begets Pinched Plates:” This city’s congestion pricing for drivers is heralded around the world for reducing traffic and pollution. It’s also causing an unintended effect: a sharp jump in thieves stealing or counterfeiting license plates. Thieves are pinching plates by the dozens every day […]
In a May, 2006 post entitled Codename: Miranda, I joked about having my grocery purchases linked to another Chicagoan due to poor schema design. There, I joked about buying: … granola, yogurt, hummus — the healthy stuff which probably alerts Admiral Poindexter’s Bayesian classifier to my fifth-column status. Maybe this wasn’t jocular after all, as […]
There’s a great deal of discussion out there about security metrics. There’s a belief that better measurement will improve things. And while I don’t disagree, there are substantial risks from measuring the wrong things: Because the grades are based largely on improvement, not simply meeting state standards, some high-performing schools received low grades. The Clove […]
Some people have objected to my repeated claims that a new normal is emerging. Those people don’t include Her Majesty’s Revenue and Customs, who, after losing a disk in the mail, said: “There was a thorough search for the item, which went missing at the end of September, but it has not been found. We […]
The “gPhone” was announced today. I put gPhone in quotes, because there was no actual phone announcement. What was announced was the “Open Handset Alliance” and their toolkit, Android. They are “…committed to commercially deploy handsets and services using the Android Platform in the second half of 2008.” and “An early look at the Android […]
While this great tradition can be traced back to the Magna Carta, it was the rise of the modern state with all the new powers at its disposal that made the 17th century the pivotal period in the struggle against arbitrary and unaccountable government — as Britain led the way in the battle for freedom […]
Via Michael Froomkin, who points out that if this were an intellectual property license, people would seriously argue that parking there gave the owners the right to spraypaint your car.
David Litchfield examines some public breach data and concludes that Word documents and spreadsheets mistakenly left on a web server or indexed by a search engine account for 20.6% of the 276 breaches, both physical and digital, recorded up to the 23rd of October. He further surmises that the proportion may be even higher, since […]
The call for papers for the 2008 Workshop on Economics and Information Security, to be held at Dartmouth’s Tuck School of Business in late June, has just been issued. […] The 2008 Workshop on the Economics of Information Security invites original research papers focused on the economics of information security and the economics of privacy. […]
Just because you can’t see it, doesn’t mean it’s not there. Also it doesn’t mean you can’t figure out what it is…. Much like traffic analysis what you show and how you show it, can reveal a lot about what is going on behind the scenes.
Yesterday, Sammy Migues talked about the risk of too much risk management. The only problem is that he completely misused the term Risk Management. I was all set to post a rant about that here, and in fact spent far too much time last night writing up a response. In the meantime, the Hoff and […]
Adam’s comment to my previous post prompted me to think about breach reporting rates again. Above, there’s a slide (click for a larger image) from the presentation I delivered at FIRST 2007. It shows the breach reporting rate for different time periods, from different sources. I think the results are pretty interesting when combined with […]
Mini-me guest posting on The Guerilla CISO tells us all some hard learned lessons in Data Centers and Hair Driers. In it we learn (yet again!) that Disaster Recovery/Emergency Response/Business Continuity rely heavily on documentation, process being followed and above all regular testing. Regular testing is more than just practicing via drills or table top […]
The Office of Management and Budget issued a memo in July 2006 requiring agencies to report security incidents that expose personally identifiable information to the U.S. Computer Emergency Readiness Team within one hour of the incident. By June 2007, 40 agencies reported almost 4,000 incidents, an average of about 14 per day. As of this […]
When I started blogging about breaches and breach notices way back in early 2005, a number of friends wrote to say I was sounding like a broken record. They were right, and at the same time, I felt there was something really big going on, and I wanted to push it and shape it. Over […]
A New Zealand company is offering a lifetime supply of beer if someone gives them their lost laptop. See the BBC, “NZ brewery offers beer for laptop.” Thanks to Phillip Hallam-Baker for the pointer. We are indeed happy, and would analyze the clever marketing, ROI on investment, and emergent chaos of the barter system, but […]
In light of FEMA using our tax dollars to stage a fake news conference, I’d like to take a moment to assure you that none of the Emergent Chaos combo works for the Burton Group, and any softball questions in our interviews are just because we like them. Photo: FEMA news conference, AP. [Update: We […]
Alan Shimel writes: My friend Ilena Armstrong, Editor-in-Chief over at SC Magazine is conducting a survey on how news of breaches, thefts and exposures are affecting organizations’ info sec plans. Below is a note from Ilena inviting you to participate. If you have a moment please take the time to fill out the survey. Everyone […]
I asked Bob Blakley and Mike Neuenschwander some questions about Limited Liability Personae. Rather than focusing on the implementation, I wanted to talk about the high level purposes, as well as concerns that most people have with the idea of a persona. Whenever I discuss personae, there are issues that frequently come up, for example: […]
Brian Krebs raises the issue in his column in the Washington Post, “Should E-Mail Addresses Be Considered Private Data?” The question raises some fascinating economics questions and a possibly unique opportunity for interesting information security signals: A database of e-mail addresses and other contact information stolen from business software provider Salesforce.com is being used in […]
“Although TJX suggests that the breach only affected approximately 45.7 million accounts, in fact the breach during a period of 17 months affected more than 94 million separate accounts. To date, Visa has calculated the fraud losses experienced by issuers as a result of the breach to be between $68 million and $83 million on […]
Carl Ellison has been doing some really interesting work on what he calls Ceremonies: The concept of ceremony is introduced as an extension of the concept of network protocol, with human nodes alongside computer nodes and with communication links that include UI, human-to-human communication and transfers of physical objects that carry data. What is out-of-band […]
Thanks, Nicko!
There’s an article over on Tekrati, “Cost of a sensitive data breach will increase 20 percent per year through 2009, says Gartner.” Near as I can tell, this is the sort of half-thought through analysis which Gartner sometimes spews, to the great detriment of their reputation. (To be fair, I can only see what other […]
Thanks Les!
What an amazing show. Shane MacGowan slurred a lot, but I just couldn’t care when he sang ‘Brown Eyes’ or ‘The Greenland’ or ‘The Sick Bed Of Cuchulainn.’ They’re touring the western states. Photo: “The Pogues in Seattle on October 17, 2007 – first show of US tour” by Dan10Things.
There’s a story in USA Today, “Most fake bombs missed by screeners.” It describes how screeners at LAX find only 25% of bombs, at ORD, they find 40%, and at SFO, 80%: At Chicago O’Hare International Airport, screeners missed about 60% of hidden bomb materials that were packed in everyday carry-ons — including toiletry kits, […]
There’s an interesting case of breach non-disclosure documented in the Edmonton Sun, “Privacy breach at MacEwan.” It’s interesting for a few reasons. First, the breach wasn’t disclosed: MacEwan College was cited in the auditor general’s report this week after a tipster told the AG’s office about the security breach in 2006. It mirrored access problems […]
Adam: So you say “my oracle.” Who is that? Is it an entity which I control? To be cynical, how does ‘my identity oracle’ differ from Choicepoint? Bob Blakley: My oracle most assuredly does not belong to me. It’s a commercial enterprise. It differs from Choicepoint in that it has contracts with its data subjects which […]
Via BoingBoing, we learn that the NIH has a guide to citing blogs. Cool! Respectworthy! And a little lacking as a citation format. Here’s their first sample: Bernstein M. Bioethics Discussion Blog [Internet]. Los Angeles: Maurice Bernstein. 2004 Jul – [cited 2007 May 16]. Available from: http://bioethicsdiscussion.blogspot.com/. There are at least two major problems with […]
I, for one, salute our entropy-increasing overlords….but I must confess to being mystified by this press release.
Adam: But applying for a job is exactly what you describe, “organizations with whom you don’t have a lot of history and interaction.” For an awful lot of people, they apply for jobs broadly. One cashiership is as good as another. And there are a lot of places where I’d like to protect my privacy. […]
There’s a story in InformationWeek about the latest TSA privacy violation, “TSA Promises Privacy For Subjects Of Clothing-Penetrating Scans:” “We are committed to testing technologies that improve security while protecting passenger privacy,” said TSA administrator Kip Hawley in a statement. “Privacy is ensured through the anonymity of the image: It will never be stored, transmitted, […]
Adam: I have some cost questions, but I think more importantly, this can limit my exposure to, say, a credit card, but I can get most of this without paying Delaware a couple of hundred bucks. I get a PO box, a limited credit card, and a voice mail service. What’s the advantage that’s worth […]
Adam: The LLP is a great analogy because that’s exactly what the Limited Liability Partnership was, and is, for: controlling liability in transactions. The growth of the limited liability corporation allows me, as an investor, to invest a set amount of money, and know the limits of my exposure to management errors. But I can’t do […]
I was deeply intrigued when I read an article in the New York Times, “Securing Very Important Data: Your Own.” Mike Neuenschwander of the Burton Group proposed an idea of “limited liability personas.” I thought this was so cool that I emailed him, proposing we interview him for the blog. He’s agreed, and here’s part […]
At The Privacy Symposium that Harvard Law just held, I had a fascinating conversation with Julie Machal-Fulks of the law firm of Scott & Scott. Scott and Scott have published a one page breach laws chart, with just five variables. Julie Brill of the Vermont Attorney General’s office also mentioned that she maintains a chart. […]
Who knew there’s an International Bank Note Society? Or that they have a prize for best bank note of the year? This year’s winner is the “1,000-franc note issued by the Banque Centrale des Comores, the central bank of the Comoros, an archipelago located between Madagascar and the east coast of southern Africa.” Don’t miss […]
Yesterday CNN reported that Ohio State Representative Matthew Barrett was giving a presentation to a group of high school students when a photo of a naked woman appeared instead of the expected graphic. The State Highway Patrol seized the USB drive containing the presentation and in less than 24 hours determined that the image had been […]
Lisa Vaas has a great article in eWeek, “Let’s Demand Names in Data Fumbles” That unnamed vendor should indeed be taken to task. The Gap is now in the process of contacting an enormous number of people in the United States and Canada whose information may have been compromised, and it’s providing credit reporting services […]
Those of you who don’t know Sameer Parekh can ignore this message. For those of you who do, he’s joined the Marines and is attending Officer Candidate School, and would appreciate your letters: He does not have access to email or phone. Please send him snail mail (US mail) as often as you can. He […]
If you need a change in your life, consider this job posting: Title: IT Security Architecture Manager Needed Company: TJX Companies Location: Framingham, MA Skills: Very strong technical security background in both the mainframe and distributed environments. Term: Full Time Pay: DOE Length: Full Time Detail: TJX Companies is seeking an IT Security Architecture Manager […]
BlueHat 6 was a great event. I had a really good time listening and talking with the attendees and speakers. The team is also looking to share a lot more about what’s happening, and one way they’ve done that is to open up their blog to speakers. There are posts from Rain Forest Puppy, Halvar […]
As reported in the Scott and Scott Business and Technology law blog: Connecticut hired Accenture to develop network systems that would allow it to consolidate payroll, accounting, personnel and other functions. Information related to Connecticut’s employees was contained on a data tape stolen from the car of an Accenture intern working on an unrelated, though […]
Ian Rae comments “I think Apple demonstrated quite convincingly their inability to compete with their own proprietary hardware and software platforms.”
On Saturday I was going to a party at an apartment building. The buzzer wasn’t working, and I took out my shiny new iphone to call and get in. As I was dialing, a few young teenagers were coming out. They wanted to see the iPhone, and so I demo’d it in exchange for entry […]
The BBC reports that in Yorkshire, crafty sheep conquer cattle grids: Hungry sheep on the Yorkshire moors have taught themselves to roll 8ft (3m) across hoof-proof metal cattle grids – and raid villagers’ valley gardens. … A National Farmers’ Union spokeswoman in York said: “We have never seen anything like it. We have looked at […]
You can find out, by making a request under the privacy act. “Read Your Own DHS Travel Dossier.” Good commentary and context at Threat Level, “Howto: Check Your Homeland Security Travel File.”
Have you ever wondered how banks make so much money in the mortgage business? If you stop to think about it, mortgages are the ultimate commodity product these days. The bank collects information from you, gives you a loan, outsources the customer service to a loan servicing company, and securitizes your loan. So how do […]
Larry Hughes has a great post over on Riskbloggers with tips on how to demonstrate that security is invested in the success of the business. There’s some really good stuff here. Especially these two: Say “no” by saying “yes.” Somebody wants to uncork that remote access bottle, and let a thousand new contractors VPN into […]
According to court papers referenced in this VOA report, U.S. sniper teams in Iraq are using an interesting tactic: [A] so-called baiting program developed at the Pentagon by the Asymmetrical Warfare Group….the baiting was described as putting items, including plastic explosives, ammunition and detonation cords on the battlefield then killing suspected insurgents who picked up […]
Last week, I wrote: It appears that Ameritrade is getting ahead of the story. Rather than have it dribble out by accident, they’re shaping the news by sending out a press release. On further reading, both from readers commenting on that article, and things like Network World, “Ameritrade customers vent about data breach:” The Ameritrade […]
If you’re not hidden under a rock, you know about the latest bomb scare in Boston. Some MIT kid forgot that Boston cops think anything with an LED on it is a bomb. A lot of people are saying she got what she deserved, or that she’s lucky to be alive. These people probably think […]
A funny clip for Saturday. I can’t figure out how to embed the video here, so click on the picture to be taken to Gizmodo.
Like most EC readers, I have been following the story of the MIT student with the breadboard and Duracell fashion accessory who nearly got ventilated at Logan airport in the most LED-hostile city in the US, Boston. The Associated Press was quick to repeat the claim that the student was wearing a “fake bomb”, when […]
The Privacy Commissioner of Canada is blogging. Welcome to the blogosphere! In unrelated news, the Canadian dollar reached parity with the US dollar for the first time in thirty years. See the Canadian Broadcasting Company, “$1 Cdn = $1 US.”
Privacy advocates obtained database records showing that the government routinely records the race of people pulled aside for extra screening as they enter the country, along with cursory answers given to U.S. border inspectors about their purpose in traveling. In one case, the records note Electronic Frontier Foundation co-founder John Gilmore’s choice of reading material, […]
What the hell are the idiots at Facebook thinking? If there’s anything stupider than banning a woman from breastfeeding in public, it is banning a picture of a woman breastfeeding on the grounds that it is “obscene”, which is what the morons at Facebook have done, as reported (for example) by the Toronto Star. Attention […]
The scurvy dogs at TD Ameritrade may have tricked us! Well, maybe. The comments on “Analyzing the TD Ameritrade Disclosure” and articles like “Lawsuit Raises Questions on TD Ameritrade Breach” and “Ameritrade Customers’ contact information hacked” have been demanding a re-think of what I want to think on the subject. But less importantly, today is […]
Case in point: SAIC confessed in July that “information … stored on a single, SAIC-owned, non-secure server at a small SAIC location, and in some cases … transmitted over the Internet in an unencrypted form … was placed at risk for potential compromise.” In the context of other firms having actual knowledge of miscreants accessing […]
Adam mentioned the recently-announced Ameritrade incident. One thing I found interesting is their decision to hire ID Analytics to determine whether ID theft follows this data breach. According to an ID Analytics press release, the US Veterans’ Administration did something similar when several million veterans’ information was revealed. At a cost of $25,000 (according to […]
In a press release, TD Ameritrade this morning confirmed reports that it has been informing customers of a potential security breach. The release does not confirm the figure of 6.3 million customers, but a company spokesperson did give that number to reporters in interviews. (Dark Reading, “TD Ameritrade Breach Affects 6.3M Customers.”) It appeared that […]
NSW Police are investigating the possible compromise of an online florist’s database and theft of customers’ credit card details. The Fraud Squad has set up Strike Force Parkview to investigate the case that involves the retailer Roses Only. There are unconfirmed reports that the details were used to make a string of luxury purchases in […]
If you don’t follow sports news, the New England Patriots and their coach have been fined about three quarters of a million dollars and a draft pick. This is reported in articles like “Belichick given record fine for video cheating.” (Times Online, UK) That may seem like a lot, until you realize that that’s less […]
As I’ve mentioned in the past my wife is a linguistics professor. Yesterday she came home from work with the following poster. A little research revealed that it and several others were originally commissioned in 2005 by Indiana University as part of their security awareness program that they assembled for national cyber security awareness month. […]
Today the New York Times asks us: “Who Needs Hackers?” The article itself which discusses the recent outages at LAX and with Skype is fairly fluffy but has some great quotes which really cover the issues that we should be looking at as an industry. Security isn’t just about hackers, but about managing threats and […]
Adam writes about the brouhaha at NASA over HSPD-12 background checks. A friend of a friend who is in the business of implementing HSPD-12 sent me a tidbit about it, along with a link so that you can read the primary source — something always needed when you get emails from FOAFs. In paragraph 3, […]
There’s a fascinating court fight, being run by people at the Jet Propulsion Lab. See “JPL Employees File Suit to End Background Investigations” From the press release: The plaintiffs include highly placed engineers and research scientists at JPL who have been involved in critical roles in NASA’s most successful recent programs, including leading engineers and […]
Another in the occasional EC weekend series highlighting awesome covers. I’d like this video even if it was silent. That stage is perfect for a Big Star tune, and the sound is right on. [If only they also performed “Thirteen“…Chilton and friends are too old (or indifferent) to play it properly now].
“Burglars nabbed after stealing from video surveillance firm.” (Thanks, David Fraser.)
For the third straight month, the pharmaceutical giant is reporting a serious security breach that may have resulted in the loss of personal data belonging to current and/or former employees. The most recent breach, reported last week, involves the potential theft of personal data on some 34,000 current and former workers at the company. … […]
I had occasion to park at a rather large parking garage attached to a rather larger complex of hospitals in downtown Chicago today. The company that runs this garage does something smart — in addition to numbering the floors of the garage and giving them a characteristic color, they also play a well-known musician’s tunes […]
I wrote this post sitting on a plane to Montreal. There were all sorts of announcements about how you had to be on international flights thirty minutes before takeoff, to make Congress happy: Congress mandated that DHS’ Customs and Border Protection (CBP) establish a requirement to receive advance information on international passengers traveling by air […]
The Beeb reports, “Goats sacrificed to fix Nepal jet,” in which we learn that two goats were slaughtered in sacrifice to the Hindu god of sky protection, Akash Bhairab, in front of a Boeing 757. Airline official Raju KC said to Reuters, “The snag in the plane has now been fixed and the aircraft has […]
[Via FIRST’s Global Security News Feed]
…from Chicago. (May 1st was jettisoned as a date for reasons near and dear to EC — it was too political.)
http://plato.stanford.edu/entries/economics/ http://faculty.fuqua.duke.edu/~rnau/choice/whoswho.htm (Also useful as a reading list for a possible upcoming cage match between Hutton and Bejtlich ;^))
Ryan Singel has a long article in Wired: “Point, Click … Eavesdrop: How the FBI Wiretap Net Operates.” I was pretty stunned at some of the numbers: FBI endpoints on DCSNet have swelled over the years, from 20 “central monitoring plants” at the program’s inception, to 57 in 2005, according to undated pages in the […]
Riffing on Adam’s last post, it has been amusing to watch the whole problem with Senator Craig. However, as I’ve chomped my popcorn, there’s been one thing I keep thinking: what if the guy’s telling the truth? What if he was stupidly caught for not doing much of anything, and then stupidly pleaded guilty in […]
…airport police Sgt. Dave Karsnia, who was investigating allegations of sexual conduct in airport restrooms, went into a stall shortly after noon on June 11 and closed the door. Minutes later, the officer said he saw Craig gazing into his stall through the crack between the door and the frame. After a man in the […]
Or at least become more vulnerable. I’ve recently been helping a client with their secure coding initiative and as a result I’ve been reading Mike Howard and Dave LeBlanc’s Writing Secure Code which reminded me of an important aspect of maintaining a secure code base which often gets overlooked: That is that as code ages […]
Via Chris Hoff, “Harvard Business Review: Excellent Data Breach Case Study…” we learn that the Harvard Business Review has a case study, “Boss, I Think Someone Stole Our Customer Data.” The fictitious company profiled is Flayton Electronics, a regional electronics chain with 32 stores across six states. The premise of the fictitious data breach focuses […]
As quoted in Ken Belva’s blog, Larry Gordon writes: However, the above is not the end of the information security story from an economics perspective. If an organization can distinguish itself as having much better information security than its competitors, then that organization may well derive a “competitive advantage” (at least in short-run, until competing […]
There’s this idea out there that consumers don’t need to be told when their products are broken. Not for things like lead paint on toys, mind you. No one would believe that. It’s when their personal data goes missing. If the company doesn’t think it’s a problem, they should be able to keep it a […]
A man in the UK has been arrested somewhat dramatically for illegally using a WiFi connection. The BBC reports it here as “Man arrested over wi-fi ‘theft’” and El Reg as “Broadbandit nabbed in Wi-Fi bust.” Each is worth reading. The police statement is worrying. El Reg says: Despite not having secured a conviction yet […]
Over at Dark Reading, there’s a story about First Advantage Membership Services launching a breach notification service. Andrew Conry-Murray starts out: You know data security breaches are way too common when a company builds a business around customer notification of stolen information. and he ends: I applaud companies that comply with notification requirements. It’s the […]
In light of well-publicized failures to maintain appropriate controls by the ‘final four’ audit firms, giving data to auditors without a clear and compelling business purpose is a bad idea. It’s such a bad idea, even an auto body shop objects: Auto body repair shops in British Columbia are complaining to the province’s privacy commissioner […]
In Australia, Jeffrey Ismail has been convicted of “using a carriage service to menace, harass or offend” meaning using his mobile to coördinate reprisal attacks against a rival gang. Despite registering his phone under the name “John Gotti” and being careful enough to tell his “clerics” to “bring ‘ankshays’ and ‘atbays’” police recorded his calls […]
Kim Cameron has a very interesting article on the distinction between accounts and credentials, “Grab them eyeballs! Any cred at all!:” Is this logical? It all escapes me. Suppose I start to log in to Dare’s blog using an AOL OpenID. Does that make money for AOL? No. I don’t have to give AOL two […]
I saw a BBC headline, “Huge payout in US stuttering case“, and figured that somebody who stutters must have been harassed at work or something, and got a settlement of $5 mil. WRONG. What happened is this: Six US citizens who, as children, were used in an experiment that tried to induce stuttering have been […]
I’ve been fond of saying that no company goes under because of a breach. It used to be there was one exception, CardSystems Solutions. There now appears to be a second, Verus, Inc, a medical information processor that revealed information on customers of at least five hospitals. “Medical IT Contractor Folds After Breaches.” So that […]
Or perhaps more correctly, did not internalize Descartes when he heard of him. In “Our Lives, Controlled From Some Guy’s Couch,” John Tierney writes: Until I talked to Nick Bostrom, a philosopher at Oxford University, it never occurred to me that our universe might be somebody else’s hobby. I hadn’t imagined that the omniscient, omnipotent […]
So TJX recently announced a $118m setaside to deal with the loss of control of 45 million records. Now, I’m not very good at math (if I was, I’d say $2.62, not $3), but it seems to me that the setaside is less than $3 per record. That doesn’t line up with the $187 per […]
It’s recently been amusing to look at where Wikipedia’s anonymous edits come from. There have been many self-serving edits from obvious places, as well as selfless ones from unexpected sources. I am most amused by this selfless edit which came from IP address 132.185.240.120, which translates to webgw0.thls.bbc.co.uk. I can only think that had the […]
The Associated Press reports that “TJX profit plunges on costs from massive data breach:” FRAMINGHAM, Mass. (AP) – TJX’s second-quarter profit was cut by more than a half as the discount store owner recorded a $118 million charge due to costs from a massive breach of customer data….About one-tenth of the charge from the data […]
So with the small, literal men at the New York Times poking through the veil of anonymity that allowed Fake Steve to produce the best blog since “The Darth Side,” we have a serious threat to the stability of the republic, which is the false hope that by assigning people names, we can control them. […]
There’s a fascinating little sidebar article in the Economist (4 August 2007), “Misconceived:” Now that anonymity is no longer possible, there has been a huge decline in the number willing to donate. So more patients travel for treatment to countries where anonymity is still legal. If this new proposal is implemented, it may give such […]
From a report published August 10 by the House of Lords select committee on science and technology: 5.55. We further believe that a data security breach notification law would be among the most important advances that the United Kingdom could make in promoting personal Internet security. We recommend that the Government, without waiting for action at […]
In a comment, Tom Lyons asked: I have two clients who are asking me to investigate matters with Choice Point as it relates to inaccurate employment records provide to prospective employers. I am seeking persons who have similar experiences to determine a “pattern and practice” on the part of Choice Point. I don’t know Mr. […]
[Updated: see below] Over at Storefront backtalk, Evan Schuman writes “TJX Kiosk Rumors Re-Emerge:” Reports that the attack began using a wireless entry point have been confirmed by multiple investigators, but reports that circulated in March that the attacks began via an in-store employment kiosk have re-emerged. Could both be true? It’s unlikely, as both […]
Brad Stone of the New York Times is a killjoy. Geez. Part of the joy of reading The Secret Diary of Steve Jobs was thinking of him as Fake Steve Jobs, and nothing more. Sure, it’s all good that his employer was so delighted that FSJ is going to be hosted by them, now, […]
I’ve been too busy with travel to Blackhat, WOOT and Metricon to really cover the new wiretap law, or the very encouraging results of de-certifying electronic voting machines. I hope to be less buried soon. In the meanwhile, Photo is “Dan Perjovschi´s installation at the Moma, NYC” by Tibau1.
El Reg reports that “Pipex invites customer to get ‘c**ted’” in which the generated passwords that the Pipex system suggested contained a rude word. A screenshot is available on the Register article. There is, however, a second obscenity here that is far more subtle. That obscenity is in the password selection advice and suggestions. The […]
Ben Laurie has shown time and again that OpenID is Phishing Heaven. It’s also a huge boon for anyone who wants to start tracking on the web. I firmly agree that if you want to steal from people or invade their privacy, OpenID is for you. I also know that there are people I respect […]
Chronicles of Dissent has a good article on this topic, “If you don’t secure your data, it’s not unauthorized access.” A court in Pennsylvania ruled that it’s not illegal to get information you really shouldn’t have if you got it from a search engine or the search engine’s caches. This is important because there have […]
The assessment of the Federal Criminal Police Office (BKA) according to which biometric visual-image search systems are not advanced enough to be used by the police to search for persons has led to mixed reactions. The Federal Criminal Police Office presented the fairly sobering research results of its visual-image search systems project on Wednesday in […]
A number of commenters on yesterday’s post, “Noh Entry: Halvar’s experience and American Legalisms” are taking me to task for being idealistic about rule of law. I agree strongly with what Nicko wrote in the comments: [C]ountries are at liberty to apply “complex, stupid, and complete arbitrary” rules but one of the fundamental tenets of […]
He writes: It appears I can’t attend Blackhat this year. I was denied entry to the US for carrying training materials for the Blackhat trainings, and intending to hold these trainings as a private citizen instead of as a company. A little background: For the last 7 years, I have attended / presented at the […]
Tourists visiting the White House must now adhere to a dress code which bans jeans, sneakers, shorts, miniskirts, T-shirts, tank tops, and flip-flops. Since this is an extremely important rule, signs were posted and emails sent White House staff (writes Al Kamen in the Washington Post). A telling detail, per the WaPo: The e-mail reminder […]
This is a new twist on an old trick. SFGate reports in, “‘I didn’t eat and I didn’t sleep’ — Coin dealer flies dime worth $1.9 million to NYC’” that coin dealer John Feigenbaum transported a $1.9M rare coin (an 1894-S dime) from its previous owner, Daniel Rosenthal, who lives in the Bay Area to […]
…is today, July 27. Pizza and beer retailers are standing by, much as florists do on Valentine’s Day. You know what to do.
In “Help EFF Examine Once-Secret FBI Docs,” the folks at EFF ask for your help doing what Congress won’t. Engaging in oversight of our civil servants: We’ve already started scouring newly-released documents relating to the misuse of National Security Letters to collect Americans’ private information. But don’t let us have all fun — you, too, […]
Metricon 2.0 looks to be a great set of papers. I’d tell you what I’m looking forward to, but really, I’m looking forward to the whole day. And it’s only $225, but you have to register by Friday.
A poor choice of names (I guess “best UNIX editor” was their second choice), but Silicon.com is doing something that seems worthwhile by launching their Full Disclosure Campaign. Silicon.com wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors. We are calling […]
A salami attack is when you take a very small amount of money from an awful lot of accounts. The canonical example is a bank programmer depositing sub-cent amounts of interest in a special account. These rounding errors add up. I’m trying to find the first actual documented theft or attempted theft using this attack. […]
In the Times Online article, “Digital DNA could finger Harry Potter leaker,” we learn that the person who leaked photos of the last Harry Potter novel has yielded up the serial number of their camera, which was in the metadata of the pictures they took. From this, we learn that it was a Canon, likely […]
In “Stop with the fake phish data,” Justin Mason quotes an anonymous friend complaining about people dumping crap into phishing sites: Is there any way you can get the word out that dropping a couple hundred fake logins on a phishing site is NOT appreciated?? It creates havoc for those monitoring the drop since it’s […]
So, the USDA messes up and, in response to FOIA requests directed to them about tobacco subsidies, sends records containing taxpayer ID numbers (along, one presumes, with names) to the several FOIA requestors. Meanwhile, an enterprising lad sends a FOIA request about data breaches to North Carolina — a state known for tobacco production. That […]
The New York Times reports, “U.S. Will Allow Most Types of Lighters on Planes” Federal aviation authorities have decided to stop enforcing a two-year-old rule against taking cigarette lighters on airplanes, concluding that it was a waste of time to search for them before passengers boarded. The ban was imposed at the insistence of Congress […]
Rich Bejtlich, with whom I do not want to argue about definitions unless I have a much thicker dictionary than he, has taken aim at the (mis?)use of ROI by security people. EC readers may be interested in a blog post by Ken Belva, in which the guy who literally (co)wrote the book on establishing […]
[Added July 21] Roger Grimes, “Identity theft? What identity theft:” Here’s my long-held feeling: If even one customer record is compromised, it should be immediately disclosed to the consumer. None of this, “You need 10,000 or more records stolen before it is reported” or “Only report if likely to be used in financial theft.” Forget […]
(Excerpts from a letter to Mr. David Wood of the GAO. The complete letter is here.) I am writing to you today to comment on your recent report, “Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited, However, the Full Extent Is Unknown” I found GAO’s report and its implied […]
This is a peeve I learned from the great Donn Parker. The term “Best Practice” should be avoided. It is inaccurate, misleading, and self-defeating. Here’s why: Best is a superlative. By using it, one implies that there is a single choice that surpasses all others. Rarely is this the case in real life. Security gurus are […]
… pirate ships limited the power of captains and guaranteed crew members a say in the ship’s affairs. The surprising thing is that, even with this untraditional power structure, pirates were, in Leeson’s words, among “the most sophisticated and successful criminal organizations in history.” Leeson is fascinated by pirates because they flourished outside the state—and, […]
One of the most useful things you can do to protect your passwords is to change them regularly. This bounds the effect of many attacks which obtain your password, by various cracking techniques or by mistakenly entering it in the wrong place. After you’ve changed your password, the old one doesn’t do any good. This […]
I’ve always thought that folks in operations security and product security had a whole lot to learn from each other. Unfortunately for the product security people, they now also get to learn about the pain of vendors swooping down on them trying to sell them the latest and greatest crap. Last night, Mary Ann Davidson […]
The Wall Street Journal reports that the CEO of Whole Foods, John Mackey, posted on the Yahoo! Finance board for Whole Foods under the pseudonym Rahodeb, which is an anagram of Mackey’s wife’s given name. (It’s also an anagram of “A Bread Ho,” but since the WSJ doesn’t stoop to that sort of cheap joke, […]
The word “killer” gets used in two wretched ways. The first is Killer Application, and the second is product-killer. They’re each wretched in their own special way. It’s not only cliché to use each term, but in using it, you are nearly guaranteed to be wrong. The original killer application was Lotus 1, 2, 3. […]
“The Athens Affair” is the story all the cool security bloggers are talking about. Now, when Matt Blaze, Bruce Schneier and Steve Bellovin all chime in, it makes life hard for us little guys. I mean, what can I say that they haven’t? Building facilities for wiretapping is dangerous? Covered. Logging is important? Covered. Hah-ha! […]
For quite a while now, I’ve been claiming that in order for InfoSec to do its job properly, it needs to understand the business. Yesterday, Jack Jones again showed that he’s in the same camp when he asked us: “Risk Decision Making: Whose call is it?” There he shares his thoughts on how to decide whether […]
Over at his blog, Alex Hutton responds to my claim that data breaches are not meaningful because of identity theft, saying that “Compliance to External Risk Tolerances (PCI) and Government Breach Reporting Laws *DO* make it significantly about Identity Theft.” (“The ‘Insider Statistic’, Good Data, & Risk.”) Alex’s main point is that it’s not insiders, […]
The headline, and warning, of a story about how data formats change, “Warning of data ticking time bomb,” BBC web site, 3 July 2007.
The New York Times Magazine with a long article about swimming the Hudson River. Image:Clearwater.org
Mike Rothman has the unmitigated temerity to go on vacation and deprive me of his daily rant^H^H^H^Hincite, but not before remarking on the Certegy data loss incident: So Certegy (a big check processor) loses a couple million records with information like bank accounts and credit card numbers. And Certegy’s president gets interviewed and says because […]
In CONGRESS, July 4, 1776 The unanimous Declaration of the thirteen united States of America, When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which […]
For the last several years, Microsoft has worked with the Privacy Enhancing Technologies community to support a prize for the best work done in the field. I’ve been involved as a member of the selection committee, but when I joined Microsoft, stepped away from that. It’s important to us that the prize is independent. This […]
As governor of Texas, George Bush didn’t see fit to commute any of the 152 death sentences brought before him. (Wikipedia) Good thing Scooter Libby ain’t no poor Texan, because if he was, Bush wouldn’t have ruined his law and order record. (Noted at Discourse.net.) Update: 6 days later, the New York Times notes that […]
Over at his excellent blog, Chandler Howell referenced an interesting risk analysis performed by a home inspector: “The power switch for the garbage disposal in the sink could be accidentally turned on by a person standing at the sink while their hand was in the disposal.” That is to say, the switch is right next […]
Last week, the CIA released a document they called ‘The Family Jewels.’ This compendium of shameful acts has gotten a lot of press, and I have not a lot to add. I did like this bit, mentioned in the Washington Post, “Trying to Kill Fidel Castro:” Maheu made the pitch on Sept. 14, 1960, at […]
I think I just watched someone pick up a girl with an iPhone. Photo courtesy of maliavale.
There’s a fascinating conversation going on between Chris and Andy Steingruebl in the comments to Data on Data Breaches. In it, Chris writes: If what we care about is reducing ID theft, then maybe all this effort about analyzing breach reports is a sideshow, since for all we know 80% of the revealed PII never […]
At the FIRST conference in Seville, Spain, I delivered a presentation about “Data on Data Breaches” that Adam and I put together. The slides, with the notes I made to act as “cue cards” for me, are available as a large PDF file on a slow web server. The main points I tried to make […]
(Adds psychiatrist interview, industry comment, paragraphs 4, 7-17) CHICAGO, June 27 (EmergentChaos)- The American Medical Association called for more research into the public health risks of books and reading on Wednesday but stopped short of declaring them addictive. The AMA, which recommended a review of the current publishing system, also said it would leave it […]
Apparently, the forces of evil have inserted themselves a national ID clause into the immigration bill (two bad bills, risen from the dead together?) Please go to Unreal ID’s action page to send a fax. It only takes a minute.
At the Privacy Enhancing Technologies workshop, there is a ‘rump’ session, designed for work that’s not of sufficient quality to make it into the workshop. (And given that the workshop now has a 20% acceptance rate, there’s some pretty interesting stuff that doesn’t make it in.) I didn’t use it for that, I used it […]
The article to which Adam linked in his post about Dark Side of the Moon mentioned derivative versions of the album as performed by other artists. That got me thinking of memorable covers, such as Senor Coconut’s classic renditions of Kraftwerk tunes (like The Robots and Autobahn). Ultimately, I just gotta throw in a quick […]
This is from Non Sequitur by Wiley. Since I’ve shrunk it to fit, the guard says to the other: Accept the security breach, or clean a litter box. Take your pick. Click the picture for the full-size one.
Let’s face it. There hasn’t been a better pressing of Dark Side (with the possible exception of the original vinyl, which I haven’t heard) than the Mobile Fidelity gold disk. Which doesn’t prevent EMI from releasing it over and over again. That makes perfect sense, it keeps selling like mad. As bbum points out in […]
Last Friday, Amrit again said that no wars are won through awareness and although he repeatedly claims that he’s not against user awareness training, he doesn’t really tell us where he thinks it should fit in. Instead he shows his bias as a former product manager and Gartner analyst and focuses purely on tools by […]
Yesterday, I attacked metrics, claiming that the way they are being used today, they were useless to upper management and didn’t relate the value of the InfoSec team to the business. While I stand behind that claim, I also believe that a lot of metrics being performed today are very useful to technical management, especially those […]
Last week I had the pleasure of having lunch with Alex Hutton from RMI and we got to talking about metrics. Specifically, we talked about how most metrics that we security folks come up with are, well, boring and effectively useless to upper management. At best they are focused on technical management such as the […]
I currently love my mortgage company. Those that know me in real life, know that I recently bought a house. Yesterday, I received a privacy notice in the mail from them. I figured it was the standard template that everyone uses saying that if I didn’t want my information shared, I should call them up/email […]
Reading Dale Carpenter’s post on Volokh,”Big win for SSM in Massachusetts,” I was struck by how similar his narrative is to my thinking around breach notice. He writes (and I emphasize): What’s so striking about the vote today is how dramatically support for SSM has grown in the legislature (and in state public opinion polls) […]
At Law.com, “Hospitals Fear Privacy Claims Over Medical Records:” The Health Insurance Portability and Accountability Act is raising new legal fears for health care providers in light of tougher government enforcement and recent court rulings that could trigger private lawsuits. Labor and employment attorneys who represent health care providers are especially concerned about the prospect […]
Having the unfortunate luck to be in National Public Radio’s target demographic, I occasionally wind up hearing stories that clearly are pandering to what I will with all due sarcasm refer to as “my generation”. Actually, I’m in the one after that, but I recognize the pandering. Lately, not just on NPR but on my […]
New Hampshire’s requirement to clue in the AG’s office or your primary regulator took effect 1/31/2007. I have info from NH and NC (but not NY, yet) covering the period since 1/17, so we can see how much overlap there is: New Hampshire 40, North Carolina 41, with 11 breaches reported to both. I am eager to […]
It’s the new normal in the English speaking world. See: “Hard drive stolen from Concordia” hospital in Winnipeg. The Bank of Scotland lost a DVD or CD in the mail, “Bank loses details on 62,000 customers in post.” “Personal banking info goes missing” regarding 120,000 Coastal Community Credit Union in Nanaimo, British Columbia. “Personal information […]
We had some downtime after a failure at our hosting facility. We would like to address the power loss which occurred in our Virginia Datacenter on Wednesday, June 13th. We are still investigating the root cause, but in the interest of full disclosure, here are the facts as we know them today. A more complete […]
Via Lyger at Attrition.org, comes word that New Hampshire, one of a handful of U.S. states that require breaches involving personal information to be reported to the state as well as to affected individuals, has made at least some breach notices it has received available on the net. I haven’t had any time to read […]
Zero-Knowledge Systems was one of the hottest startups of the internet bubble. Unlike internet companies selling pet food or delivering snacks to stoners, Zero-Knowledge was focused on bringing privacy to all internet users. We had some fantastic technology which was years ahead of its time. And people often ask me “whatever happened to them?” The […]
Raiders News Network quotes an Interpol press release, “G8 Give Green Light For Global Biometric Database:” MUNICH, Germany – G8 Justice and Interior Ministers today endorsed a range of vital policing tools proposed by Interpol Secretary General Ronald K. Noble aimed at enhancing global security. Secretary General Noble exposed the global problem of prison escapes […]
There was a great interview on the local NPR station yesterday with Chris Salewicz, who has a new biography out. It’s “Redemption Song: The Ballad of Joe Strummer.” The interview was really well done–the music was well and cleverly integrated into the conversation. If you’re taking it easy, why not listen to the KUOW Weekday […]
The FBI runs what they call “Fusion Centers” for intelligence sharing. There’s a fascinating quote in the Washington Technology article, “Boeing to staff FBI Fusion Center:” “As a police chief of the 19th largest city in the nation, and in possession of a top secret clearance, by law I cannot set foot unescorted in the […]
Here’s detail from an InformationWeek story, “Hackers Blamed For Data Breach That Compromised 300,000:” A hacker broke into the computer network at the Illinois Department of Financial and Professional Regulation this past January and accessed a server that held information on about 1,200,000 people who have licenses or applied for licenses with the department. Susan […]
There’s a fascinating exchange going on between Ben Laurie, Kim Cameron, and Stefan Brands. This is utterly fascinating if you have any interest at all in online identity, but haven’t had the time to compare systems. I’d try to contribute, but I’ve been in the midst of a large project at work. Archival links: Stefan: […]
I’m not throwing out a whole iPod just because the headphone jack is hosed. If you have a dead mini iPod (maybe with a smashed display, say?), and you don’t want to take up precious landfill space, leave a comment or send me an email.
There’s an article in Federal Computer Week explaining that “Agencies face SSN scrubdown.” We mentioned this last week in “White House Data Breach Prevention Guidelines.” I am pleasantly surprised to learn that some data actually will be declared ‘unnecessary:’ Agencies can eliminate some SSN uses by asking employees not to write their SSNs on […]
…but encasing a skull in millions of bucks worth of diamonds and thinking you’ve made some kind of statement strikes me as uninspired in the extreme. Of course, this matters not, because this is “the work with the highest intrinsic value in modern and contemporary art” according to a guy who works for an insurance […]
[Substantially more than] a week ago, I asked what DVD player I should get. I didn’t get the answer, but I did get a lot of “I’d like to know.” I wanted to share that I ended up with a Philips DVP-5140. It was cheap, there’s an easy fix for the region bug explained in […]
Luc Wathieu and Allan Friedman have an article in Harvard Business School’s ‘working knowledge,’ titled “An Empirical Approach to Understanding Privacy Valuation.” In it, they present the results of a survey of 647 people with regard to a number of privacy hypotheses. Their results include: Contrary to some research, the chief privacy concern appears based […]
USA Today tells us, “Sci-fi writers join war on terror,” in which, “the Homeland Security Department [sic] is tapping into the wild imaginations of a group of self-described “deviant” thinkers….” There are many available cheap shots as well as fish to shoot in that barrel. I’m going to take a cheap shot at one not […]
The iTunes Plus music store opened up today, which sells non-DRM, 256kbit AAC recordings. In case you have missed the financial details, the new tracks are $1.29 per, but albums are still $9.99. You can upgrade your old tracks to high-quality, non-DRM, but you have to do it en masse and it’s only for the […]
Director Mike Figgis flew into LAX airport and was detained for five hours because he oopsed. He said, “I’m here to shoot a pilot.” On the one hand, yes indeed, on the list of things you shouldn’t say while in Immigration, “I’m here to shoot a pilot” is right up there with being careful how […]
As EC readers may recall, I have made various Freedom of Information requests to state governments in order to obtain data regarding breaches reported to them under their various notification laws. This week, I received responses to the latest request I made to New York and North Carolina. New York has 822 pages to send […]
My friend Jeff Herrold has a new production company, Pure Evil Entertainment. Jeff is one of the best storytellers I know, and he’s put a short he made a few years back up on YouTube. It’s DEADLINE, and it’s a pretty entertaining bit of twistedness.
So the Office of Management and Budget sent a memo this week, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information.” The cool bit is that the memo directs agencies to act within 120 days, including evaluating their data collection, and continuing collection of personal information only if it’s necessary. Unfortunately, what I […]
The BBC reports that “Ministers set out plan for waste.”…Usually, they at least claim they’re spending our money wisely.
Woo hoo! I feel so much safer! The TSA reports, “Transportation Security Officers SPOT Passenger in Fake Military Uniform at Florida Airport.” Picture at right is my foofification of the picture on the TSA site. Our brave protectors write: A TSA behavior detection team at a Florida airport helped catch a passenger allegedly impersonating a […]
In asking why customers don’t leave after a breach, there are two theories that people have put forth that are interestingly contradictory. The first is that they don’t know about the breaches. This was suggested by a questioner at Toorcon Seattle. The second is that customers are overwhelmed with notices. This is popular amongst bankers, […]
This via Salon’s “The man who made Gordon Ramsay cry” — and let’s face it, making Gordon Ramsay cry is a great place to start. Alex Koppelman asks: …. Do you think a chef’s recipes should be protected as intellectual property? White replies: You can’t reinvent the wheel. Everyone takes from everybody. How many people […]
United States congressman Tim Ryan is interested in bringing attention to the meager allotment the U.S. food stamp program provides. This program, for those who don’t know, provides what amounts to scrip which can be used for qualified food purchases to persons who meet a certain needs test. The average food stamp recipient receives $21.00 […]
The Cutty Sark, perhaps the last sailing clipper, has burned in Greenwich. It was undergoing a £25M restoration. Details from the BBC as well as CNN. Photo courtesy yours truly. I visited it last summer. I’m going to pour myself a strong drink.
The observation is no less true of legislation than it is of code.
Case in point is the debate over whether to trigger breach notifications when a “reasonable” risk of harm or a “significant” risk of harm exists. Everybody is quick to cite California’s breach law, so I’m going to cite New York’s:
The European Commission has done an “E-Communications Household Survey,” and found that overwhelmingly, “UK internet users want to be informed of data losses:” Most UK residents want to be informed if their personal data is lost or stolen after a corporate security breach, the latest E-Communications Household Survey from the European Commission (EC) has revealed. […]
I’ve been encountering some really silly software lately. I was trying to visit the homeland stupidity blog, with Safari and the most-excellent pithhelmet, and I get this message: We’re sorry, but we could not fulfill your request for /2007/04/21/astroglide-data-breach-exposes-customer-information/ on this server. An invalid request was received from your browser. This may be caused by […]
In 27 B Stroke 6 Threat Level, Kevin Poulsen writes, “News from Bizzaro World: Ashcroft Opposed Taps.” Kevin, your reality tunnel is showing. There are many things that Ashcroft was (I apologize for using the past tense), starting with prig and prude. I’m not particularly a fan of his, but the Venn diagram of what […]
What, indeed, was the nature of the “program” before Goldsmith, Comey and Ashcroft — those notorious civil libertarian extremists — called a halt to it, and threatened to resign if the President continued to break the law? And what was the nature and breadth of its legal justification? I am hardly alone in realizing that […]
♫Another DHS network, and we’re not sharing yet.♫ So reports Haft of the Spear, in “You’ll Share and You’ll Like It!” The Homeland Security and Justice departments have spent $893 million on information-sharing networks in the last two years but still do not have effective networks in place, according to a report from the Government […]
There’s a war on cash? Who knew? Dave Birch uses the phrase in “More from the war on cash” without a whole lot of surprise. Here he’s quoting a McKinsey study. (Unsurprisingly, you need to login to read it.) I liked this gem: Cash needs to be priced appropriately. The fact is that, today, the […]
Adam has made several posts about it being ‘good for you’ to open up about data breaches. Unfortunately, keeping a lid on the info is a stable equilibrium. This situation is what economists would call an Assurance Game. A quick pointer to a post I made reviewing a very good book on how to get […]
In a comment on “Why Customers Don’t Flee,” Chris adds “too much work.” I’ll add “too hard to evaluate alternatives.” But before we go much further, I’ll ask, is this the right question? Given that few customers leave after most breaches, is it useful to ask why they’re not leaving, or are there other questions […]
At Toorcon Seattle yesterday, I presented “Security Breaches are Good for You (like a root canal).” It’s similar to “Security Breaches Are Good for you” (my shmoocon talk) but added a number of points about people agreeing, but not wanting to change. “Psychology & Security & Breaches (Oh My!?)” and “When Do Customers Flee.” I […]
Where’s Waldo? Have you ever been “playing” Where’s Waldo? and after finding him on a particular page needed to prove that you actually found him but didn’t want to reveal his actual location? Personally, I haven’t, but Applied Kid Cryptography recently referenced on the cryptography mailing list was too much fun to pass up.
Aaron Koblin of UCLA has an amazing website of animations he’s done using FAA flight data. It’s well worth a look.
TJX sales up, again. Via StorefrontBacktalk: …TJX reported Thursday that its April sales increased another 2 percent, to $1.28 billion…. More importantly, for the thirteen weeks ended May 5, 2007, sales reached $4.2 billion, a 7 percent increase over last year’s $3.9 billion.
Last week, the Senate Judiciary committee passed the “The Personal Data Privacy and Security Act of 2007” (See more in Security Fix, Federal Data Breach Bills Clear Senate Panel: Much of the debate over the relative strength of the various data-breach notification proposals currently circulating on Capitol Hill centers around the precise trigger for notification. […]
Scotsman.com reports “Standard Life customers are hit by breach in security,” and Computerworld.uk reports that a “Laptop containing Southend children’s social services case notes bought on eBay.” In the US, neither of these would even be news. They’re both small, first-time mistakes. Both would probably require notice under state law. However, it’s anarchy in […]
How clean is that piece of food that you dropped on the floor? Do you really want to eat it? Harold McGee explores the five-second rule in the New York Times. Personally, I always heard it as the thirty-second rule. I guess that it’s a good thing I have a strong immune system.
Mikko Hypponen suggests in an article that’s getting a lot of press (“Masters of Their Domain“) that banks get their own domain space, ‘.bank.’ He argues that this would make phishing harder, and suggests we could charge banks a lot of money for the domains. I have three problems with this: Crooks are already investing […]
On Dave Farber’s list, Brock Meeks pointed us to a delightful Facebook Smackdown. Brock says, What do Facebook, the CIA and your magazine subscription list have in common? Maybe more than you think… http://www.albumoftheday.com/facebook/ Trust me, it’s worth the look. And indeed it is worth looking at, along with Patrick Schitt’s contribution of the background […]
Longtime geek author Annalee Newitz and Charlie Anders published She’s Such A Geek last year. I’ve been meaning to blog about this for a while. It’s a collection of over 20 essays by women geeks. These essays cover the trials, tribulations and joys of being a female geek. At times entertaining and other times depressing, […]
Alternate title: “If schadenfreude is wrong, I don’t want to be right.” Ryan Singel reports that the “TSA Lost Sensitive Data on 100,000 Employees.” This is the same agency which wants to collect all your personal data so they can deny you the right to get on a plane without any sort of legal proceedings. […]
My colleague Dave Ladd has a post “Security Education v. Security Training:” Unfortunately, there’s an assumption held by many in our (IT) community that the road to better security leads to “drinking from the fire hose” – that is to say, employees are rocketed through week long training classes, then drilled and tested on security […]
Today’s xkcd, just seems apropos
Last night I was talking with a certain analyst from a large company that we’ve all heard from and we got into a discussion about most security people not understanding encryption at all, to the point that it is assumed to be a cure-all. In fact, with the exception of encrypting data at rest (and […]
Gregory Fleischer saw my Shmoo talk, and was kind enough to tell me when he found breaches in SEC reports: At your Shmoocon talk you mentioned that you had difficulty finding SEC filings related to security breaches. I was doing some research and came across several SEC filings that discuss security breaches. Generally, these items […]
So I was a little curt in my bloviation the other day about the REAL ID forum. There’s good people doing real work to stop this thing, and they deserve your help and support. Over 40 organizations representing transpartisan, nonpartisan, privacy, consumer, civil liberty, civil rights, and immigrant organizations have joined to launch a national […]
Via StorefrontBacktalk comes news that Following lawsuits in February against some of the nation’s largest retailers for illegally revealing too much credit card information on printed receipts, two of those retailers are now suing their POS vendors. In the last couple of weeks, two of those retail defendants—Charlotte Russe and Shoe Pavillion—have sued their POS […]
The Hartford Courant reports that a Lockheed employee dropped a USB flash drive at a gas station that contained Joint Strike Fighter information. A truck driver found it and “took it home for a 20-minute look-see, then turned it over to authorities.” I have three words of advice: full disk encryption. Photo courtesy of POONDOG.
So DHS has managed to cancel all but one “Town Hall Meeting” about REAL ID. They’re sending a “Richard Barth, Assistant Secretary, Office of Policy Development” to talk to the fine people of San Francisco about the travesty of a national ID card which is REAL ID. We’ll waste $20 billion dollars on this nonsense, […]
Nature reports that, “Simulation proves it’s possible to eavesdrop on super-secure encrypted messages.” A summary of the attack is that the attacker instigates a quantum entanglement of properties of the photons so that they can infer the information (encoded in polarization) by measuring the entangled property (like momentum). It isn’t a real attack, but as […]
I’ve often talked about how people will pay for privacy when they understand the threat. In that light, the New York Times article “Phone Taps in Italy Spur Rush Toward Encryption” is fascinating: Drumming up business would seem to be an easy task for those who sell encrypted cellphones in Italy. All they have to […]
Via Nate, “WOOT = Usenix + Blackhat:” The call for papers is now up for a new Usenix workshop, WOOT (Workshop On Offensive Technologies, but don’t think the name came before the acronym.) The workshop will be co-hosted with Usenix Security and will focus on new practical attacks. I was recently saying that vulnerability research […]
My team at work announced the launch of “The Security Development Lifecycle” blog today. After the intro post, Michael Howard leads off with “Lessons Learned from the Animated Cursor Security Bug.” I’m pretty excited. We’re focused on transparency around what we’re learning as we continue to develop the SDL.
In my last post on security, I promised a tale, and I ought to deliver on that before it becomes nothing more than a good intention. Some time ago, so long ago that it no longer matters, I bought a piece of network stereo equipment. It was one of these little boxes that lets you […]
According to CIO Forum, Gartner has discovered some amazing things. There’s offshoring to India, and it’s growing at a “staggering” 16% per year. And lots of manufacturing is being done in China now. And the US better wake up ASAP because it is “in imminent danger of becoming an industry of failure.” This is a […]
So reports Sharon Gaudin in Information Week. Actually, I think she picked up the story as McAfee spun it: “Companies Say Security Breach Could Destroy Their Business:” One-third of companies said in a recent poll that a major security breach could put their company out of business, according to a report from McAfee. The security […]
“Don’t Mess With Our Chocolate,” says Guittard. Summary: the FDA is considering changing the definitions of “chocolate” and “chocolate flavored” and “chocolaty” so that they don’t have to put as much cocoa solids in it to make it be “chocolate.” The FDA is soliciting comments, and the cutoff is April 25, so that’s not much […]
So I’ve long thought that consumers treat breaches as mistakes, and generally don’t care. In reading the Ponemon reports, it seems that the average customer churn is 2%. (I’ll come back to that number.) But it gets worse when you have repeated breaches. In the CSO blog, “What, When and How to Respond to a […]
Emergent Chaos, indeed.
One of the very interesting things about mandatory disclosure of breaches is that it adds a layer of legitimacy to the data. If all we have are self-selected reporters, we must investigate what bias that adds. This makes the FBI-CSI report and many others even less useful. New laws that require disclosure give us not […]
The BBC reports “Motorists hit by card clone scam:” Thousands of motorists who use a bank card to buy petrol are thought to have lost millions of pounds in an international criminal operation. It is believed cards are being skimmed at petrol stations, where the card details and pin numbers are retrieved and money withdrawn […]
Wired’s Danger Room blog has an interesting quote from the inventor of a liquid explosive in “‘Liquid Landmine,’ Qaeda Tool?:” My advice would be to stick with PETN [a high explosive] and rattlesnakes.
Scott Blake has a really interesting 3-part podcast interview with Mike Murray. See Mike’s post, “it never ceases to amaze me what security people won’t share with each other,” and go understand why you should give Scott a demerit. (I’d meant to post this months ago, when Scott did the interview. Oops!)
The Beeb reports. This means that if you want to start speculating in copies of XP, you probably have even longer to wait.
The 2007 Underhanded C Contest has a marvelous theme — weak crypto. The object of this year’s contest: write a short, simple C program that encrypts/decrypts a file, given a password on the command line. Don’t implement your own cipher, but use a bog-standard strong cipher from a widely available library. […] Your challenge: write […]
The title of Stefan Brands’ blog post, “New Credentica white paper and other materials,” pretty much says it all. If you think about identity management, you should go check these out. Our white paper discusses all of the features of the U-Prove SDK without going into technical detail. The basic features are: transient ID Tokens; […]
Howard Schmidt made a glib suggestion that made me laugh, but he has a point. He asked why don’t we just take names, social security numbers, and everyone’s mother’s maiden name and put it in a huge searchable database, so everyone knows that it’s not security information and we can once and for all stop […]
In October, 2006, I commented on the story of a man in Acarta, California whose credit report bizarrely includes a claim he’s the son of Saddam Hussein. (“The Crap in Credit Reports“) Now, via Educated Guesswork, “If OBL can buy a used car, the terrorists have won” we learn of a fellow who can’t buy […]
Richard Bejtlich points to a very dangerous trend in his TaoSecurity blog, the “Month of Owned Corporations“: Thanks to Gadi Evron for pointing me towards the 30 Days of Bots project happening at Support Intelligence. SI monitors various data sources to identify systems conducting attacks and other malicious activity. Last fall they introduced their Digest […]
Micropayments company Peppercoin, started with technology by Rivest and Shamir, has been bought by Chockstone, a company doing loyalty programs. Supposedly, they bought Peppercoin because it will “increase consumer ‘stickiness’ and brand affinity” and “increase average ticket price more than 12%.” Okay…. I thought that the reason for bearer-level micropayments was the opposite. Right here […]
I’ve been talking about disclosure, and how it has the potential to change the way we work. Before it does that, it needs to change the way we think. Change is hard. There’s a decent argument that many things are the way they are because they’ve emerged that way. There existed a froth of competing […]
When he mentioned my post he cited a new paper titled A Case of Mistaken Identity? News Accounts of Hacker and Organizational Responsibility for Compromised Digital Records, 1980–2006 by Phil Howard and Kris Erickson. Adam highlighted this excerpt 60 percent of the incidents involved organizational mismanagement as a way to question my assertion that insiders […]
So the Boston Globe has this chart of who’s suing whom over failures in the “Big Dig:” (Click for a bigger version) What I find most fascinating is that it’s both pretty and pretty useless. Since just about everyone is suing everyone else, what would be perhaps more interesting is a representation of who’s not […]
Techdirt carries marvelous coverage of the increasing devolution of our intellectual property system. However there is some bad advice in “Be Careful Not To Use Any Patented Tax Shelters This Tax Season.” The bad advice is in the last sentence: So as we get to tax day, besides going over all your tax forms and […]
Today I spent nine (9) (no, that’s not a typo) hours in line to apply for a passport. What happened was, since the U.S. changed the rules to say everyone’s gotta have a passport, a lot of Americans and Canadians who were used to going back and forth between the countries suddenly needed passports, and […]
El Reg reports that Microsoft claims to be sticking to its timetable for shutting down XP. No fewer than three people told me yesterday, “This means I have to buy that Mac Book Pro this year.” They can’t be alone. I have several co-workers running Vista on laptops, and even without the overhead of […]
In the secret language of corruption in India, an official expecting a bribe will ask for Mahatma Gandhi to “smile” at him. The revered leader of the independence movement is on all denominations of rupee notes. With rampant dishonesty ingrained in the bureaucratic culture, an anticorruption group has decided to interpret the euphemism literally by […]
Gunnar (as usual) has a great post highlighting the lack of a real cohesive strategy in the security products arena and IT security teams losing sight of the big picture. In particular, he highlights a comment from Andrew van der Stock about using SMS as an out-of-band authentication mechanism. Man I wish I’d […]
Just a quick note–you’ve convinced me that my thoughts on credit cards were wrong. (“The Cost of Disclosures, and a Proposal.”) Iang, rG0d and Nick are right. I should have remembered that disclosure is a moral imperative. I’ve also enjoyed the debate with Ken Belva, and will have one final closing post to respond to […]
Kurt Vonnegut, dead at 84.
The Granite State requires that security breaches involving PII be reported to the Attorney General: Any person engaged in trade or commerce that is subject to RSA 358-A:3, I shall also notify the regulator which has primary regulatory authority over such trade or commerce. All other persons shall notify the New Hampshire attorney general’s office. […]
IT Week in the UK writes, “Companies keep silent on data breaches.” There are a couple of interesting quotes: Jonathan Coad, a media specialist at law firm Swan Turton, said newsworthy breaches are often leaked to the press. “Reporting crime to the police is a double-edged sword as invariably the press has found out about […]
Tim O’Reilly with the help of others has posted a “Draft Blogger’s Code of Conduct” in reaction to l’affaire Sierra. Forgive me the pedantry, but I’ve corrected the plural in my derivative topic line above. There have been other comments about this in many other places. I’m not a friend of Sierra’s, but I have […]
Philip Alexander writes in Intelligent Enterprise about “Data Breach Notification Laws: A State-by-State Perspective.” The article is short and readable, and points to his new book, which is likely a good read.
So there’s a spectre haunting my arguments for disclosure, the spectre of cost. I’m surprised none of my critics have brought it up yet. Mailing notices to people, and handling their questions can be expensive. When the personal data being lost is a credit card number, I don’t care that much. When it’s medical data, […]
I’ll keep this short since you should all be reading Mordaxus’ latest, not this, but speaking of data… This breach report [pdf] from Community National Bank wasn’t sent to consumers, but you can’t say it was short on details.
If you haven’t read Steven Johnson’s The Ghost Map, you should. It’s perhaps the most important book in print today about the next decade of computer security. John Snow was a physician who was a pioneer in anaesthesia who turned his attention to cholera when the worst epidemic hit the London where he lived in […]
So I hate Evite, even when it brings me to cool parties. You know who you are. Encouraging my friends to enter social network information, and then using it to contact me feels tremendously invasive. Failing to understand that annoys me. Their lame privacy policy infuriates me. Their success at co-opting my friends to sucking […]
The New York Times has a story, “Teaching the Police to Stay a Step Ahead of Car Theft:” The police have traditionally kept such conversations quiet, fearing they could tip off aspiring thieves. Mr. Bender’s mission is to bring investigators into the digital age and get them to share information, just as their adversaries are […]
One of the things I really appreciate about phishing is that we pay people to discover the zeitgeist and share it with us. There’s little spam advertising fallout shelters or other ways to deal with the Red Menace. I rarely see advocacy about bimetallism in the currency in my inbox. We see what we see […]
So Ken Belva suggests that we should cordially agree to disagree. (“My Response to Adam Shostack’s Reply on Transparency & Breaches“) I’m happy to be cordial, but I feel compelled to comment on his response. Before I do, I should be clear that I have respect for Ken as a professional, and as someone willing […]
These days when you read an article about copyright that involves students, it also involves the RIAA or the MPAA. This article in the Chronicle of Higher Education, on the other hand, is about two high-school students taking on Turnitin. The students specifically asked that certain papers of theirs not be included in Turnitin’s database […]
The other day, I wrote: I also don’t buy the bad management argument. Allocating resources to security is an art, not a science. I’ll offer up a simple experiment to illustrate that shortly. So here’s the experiment. It works better in person than in blog comments. Ask two experts to write down how they’d allocate […]
From Silicon.com, “Pressure grows for UK data loss disclosure:” As a spokeswoman for the Information Commissioner’s Office told silicon.com last year: “There is nothing in the Data Protection Act that legally obliges companies to inform customers when these things occur.” But, from the BBC, “Children’s details taken in theft:” Health bosses in Nottinghamshire have issued […]
Welcome to the Stop Real ID Now blog. Not surprisingly, we’ll be talking a lot here about the Real ID Act of 2005… and more specifically about an activism campaign that will use the power of blogs, social networks and art as well as creating partnerships and using media outreach to, we hope, stop the […]
Over at bloginfosec, Ken Belva takes issue with my claim that “security breaches are good for you,” in the aptly titled “Why security breaches are still bad for you…” His summary and response are well thought out, and I’d like to respond to a few of his points. This is a long post because I […]
I keep trying to avoid commenting on TJX, and keep getting drawn back in. The amount of news and analysis out there is large, and I’m selecting islands in the clickstream. (Any advice on who’s covering it well would be appreciated.) In “TJX Lawsuits — 45 Million Credit Cards,” Pete Lindstrom mentions that there are […]
Prof. R. H. Anssen of the University of Florence, Colorado working under a Department of Homeland Security Advanced Research Projects grant has released a new paper discussing improvements to SecureFlight that make it much more scalable, while adding in grid-computing and privacy-friendly aspects as well. Expanding upon the ideas of K. P. Hilby and J. […]
“Among other changes, the revisions to our Privacy Policy may have changed your preferences for receiving postal mailings from Alaska Airlines and its partners.” Now that’s the power of policy! Photo, text from “Privacy policy update from Alaska Airlines, received March 24, 2007” by JasonJT, on Flickr. He has great outraged commentary.
There are a lot of headlines about how the TJX “Data Theft Grows To Biggest Ever” (Washington Post). The trouble is, that claim is wrong, and it’s wrong even amended to “Biggest reported ever.” The biggest reported theft of personal data is Scott Levine’s theft of over a billion records from Acxiom. As the Department of […]
I’d like to respond to two questions posted to my “Security Breaches Are Good For You” post. Antonomasia writes “there are security events other than customer data disclosure – any thoughts on how those can be subjected to evidence-based assessment?” Blivious writes: “What about other kinds of breaches? The apparent moral standard only applies to […]
Riffing on what Arthur has said, I’ll take a slightly different exception to Mike Rothman’s rant on anonymity. Kathy Sierra’s been treated pretty shabbily. The problem isn’t anonymity, it’s a lack of accountability. These people are behaving unacceptably, and we don’t know who they are. However, there are cases where people have acted in similarly […]
At Shmoocon, I talked about how “Security Breaches are Good for You.” The talk deviated a little from the proposed outline. I blame emergent chaos. Since California’s SB 1386 came into effect, we have recorded public notice of over 500 security breaches. There is a new legal and moral norm emerging: breaches should be disclosed. […]
So Mike Rothman thinks that anonymity is for cowards: During the discussion last night, one guy pointed out that sometimes things are too sensitive or controversial or unpopular to say, so anonymity allows folks to do that. I call bullshit on that. Anonymity is the tool of a coward. And while I agree with Mike […]
Portuguese seafarer Christopher de Mendonca led a fleet of four ships into Botany Bay in 1522. No one noticed before because the map was oriented wrong when it was copied. This is a nice article from news.com.au.
Adam comments on some breach commentary, and quotes Nick Owen saying that breaches are a sign of incompetence. I can’t let this stand un-commented-upon. I believe that that is a dangerous comment, and one that needs to be squashed early. It’s like saying that a bug tracking system with lots of bugs in it is […]
Tim Erlin runs some numbers in “Is Brand Damage a Myth” at Ncircle, and Nick Owen follows on with some diplomatically presented thoughts in “Brand Damage, Stock Price and Cockroaches:” My theory is that information security breaches are an indicator of a lack of management competence. Moreover, as discussed previously, information security breaches are […]
Dan Solove writes: Professor Neil Richards (Washington University School of Law) and I have posted on SSRN our new article, Privacy’s Other Path: Recovering the Law of Confidentiality, 96 Georgetown Law Journal __ (forthcoming 2007). The article engages in an historical and comparative discussion of American and English privacy law, a topic that has been […]
The DailyBreeze tells us about how Lorna Herf discovered South Bay BMW in Torrance’s sales policy of “No fingerprint, no car.” The dealership claims that this is an effort to prevent identity theft, though how this would help the customer is unclear. Additionally, this effort is being actively supported by the sheriff’s office. I think […]
Back in the day, I was a member of FIRST. (Btw, rumor has it Chris and Adam are presenting at their annual conference this summer). At the time, one of the more prolific posters to the mailing list was Robert Hensing from Microsoft (Adam, if you haven’t met Rob, you should look him up). Anyways, […]
I think that a Denial of Service condition is a vulnerability, but lots of other people don’t. Last week Dave G. over at Matasano posted a seemingly very simple explanation that nicely sums up the way I’d always been taught to think about these sorts of issues: The ability to halt or shutdown most modern […]
Where I’ll be explaining that “Security Breaches are good for you.” Come see me speak at 5 PM on Friday. It’ll be … entertaining.
A couple of weeks ago, Mike Rothman linked to an article by George Ou about using EFS and BitLocker under Vista. There he made an extraordinary claim: Since BitLocker won’t encrypt additional hard drive volumes, whether they’re logical partitions on the same physical disk or additional disks, you must use EFS to encrypt those volumes […]
Before Bruce Schneier started using the term, “Security Theatre” was a term I heard from what I call Real Security People. I was designing a security-oriented NOC, and I interviewed people who built secure sites for a couple of governments, banks, and others. They said that what The Adversary thinks you can do is more […]
Via Silicon Strategy, we learn that “Pressure grows for UK data loss disclosure:” The UK is in desperate need of revisions to laws that govern the disclosure of information relating to data loss or theft, according to security experts. Currently UK organisations that lose sensitive customer or employee data, or expose it to others, do […]
Matasano’s Thomas Ptacek had a Groucho-like reaction to being included as a “Top 59” infosec influencer in ITSecurity.com’s recent list. EC’s Pre-Blogging Department was initially caught flat-footed on this, but predicted in an update that Tom’s view would gain traction. And it has. Meanwhile, Mark Curphey has stirred the pot by leaving the Security Bloggers’ […]
John Backus, leader of the Fortran team has died at the age of 82, according to The New York Times. Fortran itself celebrates its fiftieth birthday this year, and you can still write it in any other language, even Haskell. Even Lisp. Back in the days when I would rather have died than work for […]
I never really thought much of Hamilton, either. I’m glad this wasn’t done on one of the New Ten Dollar bills. If it was, the Constellation EURion might have prevented me from scanning it for your amusement. (Today, that “feature” is mostly in copiers, but expect it to spread.) In other looking at money news, […]
I can’t help but wonder how many bits have died to hold disclaimers like this one: This message is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure. If you are not the intended recipient you are […]
Well, here we are, on a list of top influencers in information security, and we’ve barely said welcome to any new readers! Welcome! If you’re just showing up, we’d like to influence you to understand that identification rarely solves security problems by itself. I posted “You Don’t Need to See His Identification,” using a famous […]
Adam (or perhaps EC?) is one of the top 59 infosec influencers, sayeth itsecurity.com Cool. 18. Adam Shostack http://www.emergentchaos.com/ Emergent Chaos is a group blog on security, privacy, liberty and economics – a self-declared “Emergent Chaos jazz combo of the blogosphere. ” While the EC bloggers tend to drift off topic with political posts, they […]
Shimrit sends in this Shanghai Daily story, “Matchmaking site works to cut down deception:” A leading Chinese matchmaking Website is to check the age, marital status and other personal details of prospective cyber daters against an official database to prevent deception. Beginning today, Baihe.com will screen its eight million online daters against an ID authentication […]
University of Washington researchers Kris Erickson and Philip Howard have an interesting new paper out, “A Case of Mistaken Identity? News Accounts of Hacker and Organizational Responsibility for Compromised Digital Records, 1980–2006.” This is a great survey of the dramatic explosion in reports of breaches. A couple of great quotes: One important outcome of […]
At first blush, it seems that an emergency bill in Texas that exempts clerks from state and Federal law about data breaches is a bad thing. However, with closer reading, it looks more like a correction for that pesky old law of unintended consequences. On 23 Feb, the Texas Attorney General ruled that disclosing Social […]
Via a Stitch in Haste, we learn about more members of the ‘sweep it under the rug’ club: David Oliver Burleson, 49, an anesthesiologist whose license was suspended for two years in October 2005 … acknowledged to the Oregon Board of Medical Examiners that he inappropriately touched women whom he had sedated before surgery. The […]
…terrorism suspects from atypical backgrounds are becoming increasingly common in Western Europe. With new plots surfacing every month, police across Europe are arresting significant numbers of women, teenagers, white-skinned suspects and people baptized as Christians — groups that in the past were considered among the least likely to embrace Islamic radicalism. The demographics of those […]
My friend Shimrit saw Cluechick’s post on dating (“Emerging Dating Paranoia“) and wanted to add a bit herself. She works for the UK’s biggest online dating provider. She has a new book coming out, and a blog at “Everyone’s Guide to Online Dating.” She writes: With all the current craziness surrounding online dating background […]
Anybody who objects to their personal details going on the new “Big Brother” ID cards database will be banned from having a passport. James Hall, the official in charge of the supposedly-voluntary scheme, said the Government would allow people to opt out – but in return they must “forgo the ability” to have a travel […]
So we had some random DNS trouble recently. I believe everything should be back to normal, but DNS issues can take a while to propagate and be fixed. So apologies for the non-availability. We’ve made procedural changes to make these less likely in the future. Oh, and we lost the SSNs of everyone who had […]
In a post at the Counter-terrorism blog, “National Security Letters…An Important Investigative Tool for the FBI” Dennis Lormel writes: The Inspector General (IG), U.S. Department of Justice, has issued a report delineating audit findings identifying significant deficiencies in NSL recordkeeping and reporting processes. This determination is quite troubling and inexcusable. Troubling and inexcusable? Well, you’d […]
The Justice Department’s inspector general has prepared a scathing report criticizing how the F.B.I. uses a form of administrative subpoena to obtain thousands of telephone, business and financial records without prior judicial approval. The report, expected to be issued on Friday, says that the bureau lacks sufficient controls to make sure the subpoenas, which do […]
Emacs users get addicted to the standard key bindings (which are also available in Cocoa apps). Microsoft Word doesn’t support these by default, but you can add them through customization. Here are the ones I find most useful: StartOfLine: Control-A EndOfLine: Control-E To set these up in Word… …you’ll have to read “Add emacs key […]
Choicepoint regularly claims a very low rate of errors in their reports. In the Consumer Affairs story, “Choicepoint gets a Makeover,” Choicepoint President Doug “Curling claims his company has a less than 1/10th of 1 percent error rate.” Now WATE in Knoxville, TN, reports that “Anderson Co. man finds credit report error:” At his insurance […]
Two reports in the New York Times: “Driver’s License Emerges as Crime-Fighting Tool, but Privacy Advocates Worry” and “Warnings Over Privacy of U.S. Health Network.” Naturally, we’ll have that sorted out by the time the system ships. No reason for you to be worried that your health records will be automatically scanned to see if […]
I had promised myself that I wasn’t going to post about any of the Month of Bugs projects and that everything that needed saying had been said by people far more eloquent than I. But then Michael over at MCW Research came at it from a different angle saying: I whole-heartedly back these projects as […]
When Adam asked me to guest blog on “Dinner, Movie — and a Background Check — for Online Daters“, I promised him I would do it. And then I read the article and couldn’t think of what to say about it. I’m something of a self-proclaimed expert of internet hookups (as anyone who reads ClueChick, […]
Or so “Shipcompliant” would have us believe, with a blog post entitled “Free the Grapes! Updates Wine Industry Code for Direct Shipping Practices.” The new addition to the Code is step 4, which specifies that wineries should verify the age of the purchaser of the wine at the time of transaction for all off-site transactions […]
“This repo man drives off with ocean freighters” “I’m sure there are those who would like to add me to a list of modern pirates of the Caribbean, but I do whatever I can to protect the legal rights of my clients,” said Hardberger, whose company, Vessel Extractions in New Orleans, has negotiated the releases […]
[Iggy] wouldn’t tell me who he was talking about specifically, he said, but he believes that the rock business is too big, run by people who know nothing about it. Wasn’t that always the case? “No,” he said, decisively. “The people I met at the top in 1972 tended to be crackpots from the fringes […]
In a week, the US and Canada are changing when they go to Daylight Savings Time. It must also be a slow news time, as well, because I’ve read several articles like this, “Daylight-Saving Time Change: Bigger than Y2K?” When Y2K came around, a number of us quoted Marvin the Martian (now of the Boston […]
So DHS finally released the proposed new standard for drivers licenses as mandated under the Real ID Act. It’s a rather long document (over 150 pages) so I haven’t had a chance to read the whole thing but 27B Stroke 6 has some highlights, including: While some expected Homeland Security to require the licenses to […]
Continuing our tradition of bringing you the news before it’s fit to print, Chris covered “The Emperor’s New Security Indicators” in “Why Johnny Can’t Bank Safely.” Don’t miss Andrew Patrick’s “Commentary on Research on New Security Indicators,” Alan Schiffman’s “Not The Emperor’s New Security Studies,” or Alex’s “Bad Studies, Bad!” As an aside, Chris used […]
Imagine if, in the 1970s, the tobacco companies had patented devices to measure the health effects of smoking, then threatened lawsuits against anyone who researched their products. I’ve never heard such a clear explanation of why threats to security research are bad. From “Patently Bad Move Gags Critics,” in Wired. The same can be said […]
Now HID is claiming that they did not demand that Chris or IOActive cancel their talk. As a result the talk is now back on, but with the details about the device and the demo expurgated. As Chris has repeatedly said, this attack is completely generic and works against any passive RFID tag. Additionally, Nicole […]
There’s a great editorial about how your prescriptions are bought and sold all over the place, “Electronic prescribing is no panacea” by Dr. Deborah Peel, in Government Health IT. Also, Health Care IT news reports that “Federal privacy panel leader resigns, raps standards:” The leader of a federal panel charged with providing privacy recommendations for […]
Somebody — I want to say Rich Mogull, but I cannot find the reference — wrote sarcastically about breach notices almost always saying “At $COMPANY we take security seriously….” as they report how, well…you know. I just finished scanning 183 notice letters I got from New York, covering the last half of 2006. Using an […]
The SnoopStick offers full realtime monitoring of another computer. It’s Vista-ready, too, which perhaps says something about Vista security, or perhaps about people who have had trouble working with Vista, or both. Any time you want to see what web sites your kids or employees are visiting, who they are chatting with, and what they […]
Adam Frucci at Gizmodo is calling for action, “Putting Our Money Where Our Mouths Are: Boycott the RIAA in March.” I don’t disagree with him on the basics. I believe that consumer revolt is a misunderstood power. If you don’t believe me, I can prove it with one TLA: DAT. If your response to that […]
Looks like HID hasn’t learned anything from Cisco’s experience two years ago. One of these years more vendors will learn how to manage vulnerability disclosure and follow the lead of companies like Microsoft and Cisco rather than sticking their foot in it. Chris Paget a well respected researcher is going to present at Blackhat Federal […]
The Canadian Privacy Commissioner has issued a number of new rulings, essentially ruling that anyone in Canada can request an ID card whenever they want. The first, summarized by Michael Geist in “Privacy Commissioner on Domain Name Registrant ID Requirements” says: requirements of personal identification, such as a driver’s license, in order to change the […]
There’s a really fascinating article in New York Magazine, “Say Everything:” And after all, there is another way to look at this shift. Younger people, one could point out, are the only ones for whom it seems to have sunk in that the idea of a truly private life is already an illusion. Every street […]
In the “inconvenient coincidences” category, it seems that Al Sharpton’s great-grandfather was a slave owned by relatives of the late segregationist US senator Strom Thurmond. Thurmond’s niece, Ellen Senter (via an AP report) provides an interesting perspective: I doubt you can find many native South Carolinians today whose family, if you traced them back far […]
[Via kungfoodie]
I was on the last flight back west on a Friday night, glad that it looked likely I was going to get home. Even better, I’d been upgraded. I flopped into my seat, pulling out the noise-canceling headphones, laptop power adapter, books, and all that other stuff that makes a long flight an oasis of […]
So there’s been a stack of news stories on TJX and the issues with their database. I want to comment on an aspect of the story not getting a lot of coverage. In the Cincinnati Enquirer story, “Fifth Third has role in TJX hole,” Mike Cook is quoted as saying “If you are a consumer […]
At Balkinization, Scott Horton discusses how “Two Hundred Years Ago Today, the Global Campaign for Human Rights Achieved Its First Victory:” “As soon as ever I had arrived thus far in my investigation of the slave trade, I confess to you sir, so enormous, so dreadful, so irremediable did its wickedness appear that my own […]
Back in September, we covered how Pakistan and Waziristan had a peace deal, essentially, a deal with al Qaeda. In it, I commented on how people would get medals for “convincing al Qaeda to get a territorial base which we can bomb.” Now, in “Al Qaeda Chiefs are seen to regain power,” the Times reports: […]
As promised last week, I have more to say on selling security. Well, sort of. Actually, I’m going to try a new approach. I’m increasingly convinced that to get real attention on security, we need to stop thinking about selling, awareness or even training users. We need to be marketing security, more specifically we need […]
TJX appears to have suffered little financial fallout. Its stock fell just 2 percent yesterday after the company disclosed the new problems, along with its fourth-quarter earnings. For the three months ended Jan. 27, TJX said, profit fell to $205 million from $288 million in the same period a year earlier. Store closings led TJX […]
Where to start on this one? Trust as we use it means so many things. Then there’s the word trusted. Beyond that, there is trustworthy. A bullet point on a slide I recently saw said, “Trusted computing is not trustworthy computing.” Oh, how nice. Even better, “Trusted Computing does not mean trustworthy or secure.” I […]
In “Once a data loss report, always a data loss report?” Dissent asks about what we should be collecting and analyzing. Scenario 1: “We thought we had lost a computer with sensitive customer records, but it turns out we didn’t lose it.” Should that entry in a breach list be removed? I think that the […]
The New York Times writes about “The Higher Power of Lucky“, a children’s book which recently won the Newbery Medal. As someone who has purchased his share of kids’ books, I assure you that the Newbery — and its companion the Caldecott Medal — signal quality to buyers. In this case, though, some parents and […]
Using IBM’s cool “Many Eyes” service (now in alpha), I played for a few minutes with some breach data. Nothing more than the size of each entry in Attrition’s database, and its date. Looks kinda cool, I think.
I received the following in the mail the other week and while I was initially amused that I was getting this without asking for it, it took my wife pointing out the irony of there being an actual directory at all:
Chandler says that he “would rather be understood than perfect” in response to Mordax’s call to stop cutesy names for attacks. In doing so, he says: Second (and I know this has been mentioned elsewhere in the world), instead of talking about vulnerabilities within the Software Development Lifecycle, I just talk generically about them as a […]
A little bird reports that at the Usable Security Conference they handed out conference proceedings in PDF form on a flash drive. I’m told that the flash drive was cheaper than printing on paper. I hope this trend spreads, as I’m always lugging back paper from conferences along with the inevitable bag or t-shirt. Flash […]
I’d like to buy a cheap DVD player, and bet someone reading can tell me: Who’s the Apex of 2007? That is, who’s making cheap, consumer-friendly DVD players? I’d like one that’s: region-free; fully controllable (none of that “we’re sorry, you have to watch the ads” crap); good at error-correcting for scratched up DVDs.
Orwell said it best in “Politics and the English Language,” and if you haven’t read him recently, you should. Abuse of the language has adverse effects on thought, and it’s true in security as well as politics. He gives some wretched examples and says of them: Each of these passages has faults of its own, […]
Cutaway’s post about ethics at RSA reminded me that I wanted to post about this as well. Like Cutaway, I attended “Professional Ethics in the Security Disciplines,” which was chaired by Howard Schmidt; the panelists were representatives of SANS, (ISC)², ASIS and ISACA. All in all, despite Howard’s expert moderation, I remain under-whelmed […]
Montreal, QC (PRWEB) February 13, 2007 — Credentica, a Montreal-based provider of innovative security software for identity and access management, today announced the immediate availability of its U-Prove product for user-centric identity management. The U-Prove product enables organizations to protect identity-related information with unprecedented security throughout its lifecycle, wherever it may travel. It is […]
I attended Ignite Seattle last night. It was awful. Don’t attend next time. No, just kidding. It was great, and very crowded. There were some really awesome talks. I’m inspired to put a talk together for next time. My favorites from last night were: Elisabeth Freeman gave a great talk on how the Head First […]
So there was a bunch of press last week from a company (Javelin) claiming that ID theft was falling. Consumer Affairs has a long article contrasting Javelin and FTC numbers, well summarized by the claim that “FTC Findings Undercut Industry Claims that Identity Theft Is Declining.” I think that there’s an interesting possibility which isn’t […]
A bit of background. Sun recently got hit with a 0-day that was 13 years in the making, by seemingly repeating a coding worst practice that bit AIX back in 1994 — trusting environment variables under the control of an attacker. A slightly more complex variant bit Solaris’ telnetd in 1995. From the advisory (NSFW) […]
I’ve been inspired by Christopher Soghoian’s efforts to fly without having to show ID. I figured that my return flight from RSA was the perfect time to try it for myself. I was flying without my family and had lots of time to spare. Chris has previously reported on fun flying out of SFO, I […]
The New York Times has an article “U.S. Presents Evidence of Iranian Weapons in Iraq.” It contains this gem: They said that at least one shipment of E.F.P.’s was captured as it was being smuggled across the border from Iran into southern Iraq in 2005. The precise machining, the officials said, is another feature that […]
A 0-day in Solaris {10,11} telnetd is reported. SANS has some details. Anyone who remembers the AIX “rlogin -froot” vuln will appreciate this one. (h/t to KK on this one)
Following up on the issue of astronaut screening, there’s an article at MSNBC, “Former NASA doctor says agency must do more,” in which “NASA flight surgeon and professional psychiatrist Patricia Santy” discusses the screening which takes place. It’s an interesting article, in which she discusses the tension between NASA’s organizational culture and psychological screening. What […]
According to Courtney Manzel, Counsel – Office of Privacy, Sprint Nextel Corporation, reporting a breach pursuant to NY’s notification law: A laptop computer was stolen from the human resources department of Velocita Wireless during a rash of office burglaries in the Woodbridge, New Jersey area. The laptop computer was one of many items stolen. It […]
Ryan Russell shows his loyalty by claiming this is only the second-best ad at RSA. The words beneath the sign read “Beware of false positives:” Incidentally, this is an advertisement, trafficking in stolen property, referring to another ad campaign which caused mass hysteria, and flipping off its audience. What’s not to love? Kudos to Cyberdefender […]
So we here at Emergent Chaos have carefully refrained from using the phrase “astronaut in diapers” not because we think that it is now incumbent upon the blogosphere to maintain what little dignity remains in American journalism, but because, within about nine minutes of the arrest of Lisa Nowak, the blogosphere had thoroughly digested the […]
This is in Harper’s, “The Ecstasy of Influence.” It is an interesting meditation on the nature of art itself and how art is composed of other art. However, not only must you read this, you must read it all the way through to understand it and why it is important.
Okay, that’s not precisely what he said. What he said was that in “two to three years” there will be no more “standalone security solutions.” Meanwhile, the tradeshow floor of the RSA conference seems to be enjoying something of a renaissance, which is good to know, as the theme of the conference is, well, The […]
Privacy, being the right to be left alone, is hard to get with a telephone. Two interesting stories make a trend, and we report on trends here. Or something. I think that the profusion of new services around telephone privacy are the start of an interesting market backlash against the cell phone’s effect of making […]
So there’s a video of how to “Unlock A Car With a Tennis Ball.” I advise turning the sound off, as there’s no value to a bad pseudo-rock soundtrack, and no information in it (all the narration is in text in the video). There’s also precious little information in the video. It’s not clear what make or […]
Stuart E. Schechter, Rachna Dhamija, Andy Ozment, and Ian Fischer have written a paper which examines the behavior of persons doing on-line banking under various experimentally-manipulated conditions. The paper is getting some attention, for example in the New York Times and at Slashdot. What Schechter et al. find is that despite increasingly alarming indicators that […]
I’ve had a conversation recently with a CSO about breach disclosure. His shop had screwed up and exposed, well, an awful lot of social security numbers. They feel really bad about it, and they don’t think anyone will really be hurt. Gosh darn it, he was really sincere. So I take it back. We should […]
The Washington Defense of Marriage Alliance seeks to defend equal marriage in this state by challenging the Washington Supreme Court’s ruling on Andersen v. King County. This decision, given in July 2006, declared that a “legitimate state interest” allows the Legislature to limit marriage to those couples able to have and raise children together. Because […]
Arthur wrote recently about an NYT article about dangers of the iPhone. The NYT has a bizarre policy about articles which makes them available for only a few days, so likely you’ll have to take my word about that article. I liked this article a lot because it mentions eMusic. I’m an eMusic customer and […]
[Updated: This has somehow come to #3 on Google. The best place for up to date news is the Tenacious Search blog.] On Sunday, January 28th, 2007, Jim Gray, a renowned computer scientist was reported missing at sea. As of Thursday, Feb. 1st, the US Coast Guard has called off the search, having found no […]
Today’s Friday Phish blogging comes to you pretending to be from Bank of America: It appears here in our system that you or a wrong person is usually trying to log into your account, in nine differnt occasions have you or (person) provided us a nearly correct answer to your site-key challenging question, of which […]
Dave Molnar has some good comments on ‘Stolen ID Search.’ He writes, starting with a quote from “ben:” “I can’t believe you are advocating typing your ssn or credit card into a mystery box.” That’s “ben”, commenting at TechCrunch on Stolen ID Search, a service from Trusted ID that will tell you if your social […]
Make sure to check out the blog posts Bruce Schneier and a host of others will soon make regarding the paralyzing effect that silly Blinkenlights ads for Aqua Teen Hunger Force had in Boston. The coordinated response by all departments proves the system we have in place works. Boston Mayor Thomas Menino Behold the power […]
“People are shocked when they hear the cameras talk, but when they see everyone else looking at them, they feel a twinge of conscience and comply,” said Mike Clark, a spokesman for Middlesbrough Council who recounted the incident. The city has placed speakers in its cameras, allowing operators to chastise miscreants who drop coffee cups, […]
eBay is stopping all sales of “virtual artifacts.” Maybe. This story comes from a Slashdot article in which Zonk talks to Hani Durzy, of eBay about it. They are handling this by merely enforcing an existing policy which says: “The seller must be the owner of the underlying intellectual property, or authorized to distribute it […]
We’ve enjoyed having Mordaxus with us for the last month or so, and are pleased that he’ll be sticking around as a permanent member of the Combo. A few quick comments on my pseudonymous cohorts. First, why do I have pseudonymous co-bloggers? There’s a long history of artists appearing under names not their own, […]
With all the reports of lost backup tapes, I wonder if it would be technically feasible to keep an eye on them using RFID tags. If a tape “tries to leave” a facility without having been pre-authorized, bells go off. If a tape can’t be found, there’s a record of where it was last detected […]
There’s a blogger get together at the Foreign Cinema on the Wednesday night of RSA, 5PM – 8PM. We’ve been trying to coordinate via email, but I figured we should publicize our secret conference now. Remember, this will be the most blogged event of RSA. If you want in, blog about the event and trackback Martin McKeay. […]
So, I’m really irked by headlines like “Microsoft’s ‘Secret’ Security Summit.” First, it wasn’t Microsoft’s summit. It was an ISOTF meeting that had public web pages. Microsoft provided conference facilities and lunch. I don’t think we even bought the beer. Second, it wasn’t a secret. It has web pages: “Internet Security Operations and Intelligence II […]
Response #24 in a discussion on FlyerTalk: My 10-y.o. son, like many kids, believes that backpacks have to be overloaded to work. Recently, at LAX T-6 (shoe carnival central), the TSA removed 2 partially full water bottles from his backpack after x-ray screening. On the return flight, at JFK T-9, they found 2 more, both […]
First, you take a business away from legitimate enterprises, claiming only the state can run it without it sinking into a wretched hive of scum and villainy. Then, you ban competition. Then, you decide that you’re better off selling the monopoly rights to the highest bidder. It’s what Illinois is doing with their state lottery. […]
They are: Something you’ve lost, Something you’ve forgotten, and Something you used to be. Here is a sad tale of a man who has a failure on (3), realizes he’s done (2), and his solution to the problem. It’s a classic tale of how more is often less when it comes to security. Lest you […]
27B Stroke 6 tells us of a story. The domain SecLists.org was removed from the net by GoDaddy, its registrar. Why? Because MySpace complained. He’s got a mailing list archive and it has some stuff in it that pissed MySpace off — security information about phishing attacks. That’s well and good, but GoDaddy yanked the […]
The title is a statement of Kerckhoffs’ principle. A cryptographic system is only secure if the security of the system doesn’t depend on the whole system being secret. And there’s an interesting lesson there for Diebold. You see, Diebold sells ATMs and voting machines. And they posted pictures of the key that allegedly opens every […]
There’s an article in Zaman.com, about “Turkish Hacker Depletes 10,000 Bank Accounts ” A criminal enterprise comprised of 10 individuals who drained the accounts of 10,580 customers by sending virus-infected e-mails was busted in Istanbul. … The suspects reportedly sent virus-infected emails to 3,450,000 addresses, and subsequently drained 10,850 bank accounts. That’s a hit rate […]
This is probably the most important minute of video you’ll see this week, but on a better week, it won’t be. Thanks to manfromlaramie for finding this.
Hmmm, what to do, what to do? This is so funny on so many levels. How can you not like a phishing attack where the hook is a poll based on eBay being closed because of so many phishing attacks? January 19, 2007 Dear eBay Community: We have decided to close eBay on 27 February […]
“The spread of the credit check as civil rights issue,” in the Christian Science Monitor: Bailey, with her lawyer, has lodged a complaint against Harvard charging racial discrimination. The reason: Studies show that minorities are more likely to have bad credit, but credit problems have not been shown to negatively affect job performance. and “Insurers […]
The NYT reports, “Rough Treatment for 2 Journalists in Pakistan” and indeed reporting is dangerous in countries where they do not respect the sort of basic rights we in the civilized world have championed for nigh 800 years. However, a computer was seized, sources were roughed up and possibly jailed or killed: Since then it […]
“They are a handful of miserable resuscitators of a degenerate dead religion who wish to return to the monstrous dark delusions of the past,” said Father Efstathios Kollas, the President of Greek Clergymen. Hundreds of followers of Zeus, Hera, Poseidon, Artemis, Aphrodite and Hermes stood in a circle, a mile from the Acropolis, in what […]
On January 18th, Attorney General Alberto Gonzales testified in front of the Senate Judiciary Committee. As part of the hearings, there was a discussion of habeas corpus. As part of that discussion, Gonzales said: There is no express grant of habeas in the Constitution. Yes that’s right, our own Attorney General thinks that there is […]
Does Pete Lindstrom need to buy a dictionary? You make the call. In a recent post at Spire Security Viewpoint, he suggests that the folks at Privacyrights.org might be liars: I am starting to see (and hear) this “100 million records lost since February, 2005” figure referenced in a number of places such that it […]
Phil offers up some thoughts on Liberty Bags, named in the tradition of patriot bins and freedom tables. Phil, I think you need to wrap your items in bacon.
Ben Laurie (of Apache-SSL fame) posted a great analysis of a major design problem with OpenID calling it a “Phishing Heaven“. So, I can steal login credentials on a massive basis without any tailoring or pretence at all! All I need is good photos of kittens. I had hoped that by constantly bringing this up […]
A few days ago, Chris covered the release of a report from the Canadian Internet Policy and Public Interest Clinic, “Approaches to Security Breach Notification” (PDF). This is highly readable and important analysis. If you care about breaches, read it. I’d like to add some notes from my reading of it. First, the report talks […]
I’d attribute our knowledge that “CIBC loses info on 470,000 Canadians” (reported in the Globe and Mail) to the new transparency imperative, but as the CIPPIC survey makes clear, privacy regulators are finding notice requirements in extant laws. (More on that excellent survey soon.) Also note that the Globe and Mail seems to think that […]
Two in the Washington Post today: “Secret [FISA] Court to Govern Warrantless Taps” and “Vast Data Collection Plan Faces Big Delay:” In a report to Congress to be released today, the Treasury Department concluded that the program was technologically feasible and has value, but said it needs to determine whether the counterterrorism benefit outweighs banks’ […]
There’s a fascinating article in Sunday’s New York Times, “Money Doesn’t Talk.” The money quote: Through her store, Pesca, Ms. Azizian has earned her financial independence, but to avoid the disapproval of her husband of 27 years, she adopts a low profile by using cash. “His tastes aren’t as expensive as mine, and he doesn’t […]
PCMesh, a Canadian company, has something Better Than Encryption. Encrypted files are still visible on the hard drive. This makes them vulnerable to attack from anyone who is interested enough in the content of the files to spend time trying to decipher them. And with more and more hackers intent on defeating modern encryption algorithms, […]
It’s the MLK Day holiday weekend. That means that one’s headache has subsided to the point that one can no longer hear one’s nose hair growing, and the cat is padding rather than stomping. It also means that it’s time for New Year’s Resolutions! If yours is to get better control over your information privacy, […]
The Canadian Internet Policy and Public Interest Clinic at the University of Ottawa has published a report entitled Approaches to Security Breach Notification[pdf]. From the Introduction: This White Paper considers the need for an explicit obligation in Canadian privacy law to notify affected individuals of a breach in an organization’s security that places those individuals’ […]
“Want an iPhone? Beware the iHandcuffs” says The New York Times in today’s edition of “Your Money”. Unfortunately it doesn’t really say much about the iPhone and crippleware beyond saying that it will be limited in music playing in effectively the iPod. However the article does a very nice job of covering the state of […]
As a control against identity theft, firms operating on-line often send snail mail confirmations to their customers when such things as site passwords, beneficiaries, or customer addresses have been changed. This allows the customer to review such changes and catch any that may have been unauthorized. I was the recipient of two such pieces of […]
From the files of “too good to make up”, DavidJ.org reports a story from a couple of years ago about his credit card data being sent over AOL Instant Messenger. Essentially he bought some merchandise at a shop which didn’t have a point of sale terminal, so the clerk was IMing all credit card data […]
Or so says the Mogull over at Securosis. This particular section sums up my own feelings about the necessity of full disclosure quite well. I think we need full disclosure as a tool in our arsenal, and that most of the researchers dropping these vulnerabilities think they’re doing good, but full disclosure needs to be […]
Robert Anton Wilson Defies Medical Experts and leaves his body @4:50 AM on binary date 01/11. All Hail Eris! On behalf of his children and those who cared for him, deepest love and gratitude for the tremendous support and lovingness bestowed upon us. (that’s it from Bob’s bedside at his fnord by the sea) RAW […]
The BBC reports that the United Kingdom’s 1945 war debt to US [is] ‘almost paid’ and [was] paid off at the end of last year: The final payment of £45m will be made by the 31 December, meeting a 1945 obligation to repay the debt in full. In unrelated news, I’m told that neither the […]
Seventy Percent of Americans think we need more laws to protect them from identity theft and all that. I can think of a situation we need protection from. Here is a scenario. Let us take the case of a lender, Larry. We need a law to make it so that if Larry lends money to […]
For those who are located in the SF Bay Area (or will be there on February 21st), the Silicon Valley ISSA Chapter is hosting a one day mock security incident exercise. The goal of the exercise is to explore how different organizations and industries must work together to respond to events based on their organizational […]
The President’s Identity Theft Task Force announced that it is seeking public comment on various possible recommendations to improve the effectiveness and efficiency of the federal government’s efforts to reduce identity theft. The Task Force is chaired by Attorney General Alberto R. Gonzales and co-chaired by Federal Trade Commission Chairman Deborah Platt Majoras and participants […]
First, from 27B/6, we learn that “Supremes Won’t Hear Secret Law Challenge,” and that administrative agencies such as TSA are free to propagate laws and regulations we can’t see or challenge. Second, via Kansas City Newzine, we learn about the totally screwed up set of rules which are ‘REAL ID,’ featuring this chilling quote: […]
The Atlanta Business Chronicle reports that “ChoicePoint tumbles to third-quarter loss:” ChoicePoint Inc. went into the red in the third quarter, hurt by about $50 million in charges related to asset impairment, stock expenses and legal fees from a data breach in 2005. ChoicePoint’s losses are a severe outlier. As I said in March, 2005, […]
Over the last week, I’ve read several things involving poor Lind Weaver. In case you missed it, she’s a 57-year-old owner of a horse farm. She got a bill for the amputation of her right foot. As you should expect if you’re a regular reader here, it wasn’t her. Comic hijinks ensue which conclude with […]
Late on Friday night, Mike Rothman finally posted a response to some of my questions from last week. Most notably he reveals who the Mike in his “Ad” is: The answers are pretty straightforward. Mike, the Pragmatic CSO, is a fictional character. For those of you a little slow on the uptake, that means he […]
See also Verizon math.
Having thought about my previous post, “On airport advertising,” I’d like to see what content-based restrictions are in place. If the ACLU applies and is accepted, I’ll donate $500 for the ACLU to buy bins that advise people of their rights when passing through airport screening. [Update/clarification: I’ll pay for the ACLU to inform travellers […]
Via Eric Rescorla, who has insightful comments, and Boingboing, we learn that “TSA Pilot Would Offer Ads at Airport Security Checkpoints.” A few chaotic comments: What authority does TSA have to sell advertising? Isn’t Congress supposed to fund their operations? The advertisers will “who will provide divestiture bins, divestiture and composure tables, and metal-free bin […]
I was wondering what United Airlines customer service did. This screen capture seems to make it all clear. United Airlines has been featured before, in “Dear United.” To be fair, I met a very nice and human supervisor while I was stuck in Denver due to their crew change, but he maintained the claim that […]
Matt Hines reports on a growing market for corporate insurance, responding to concerns about breach laws, in “Dark Day Planning: Insuring Against Data Loss:” As a result of the widening impact of data losses, AIG has seen its business of providing insurance for potential corporate security failures shift increasingly toward protection for privacy-related risks. Another […]
Joanna Rutkowska of Blue Pill fame, gave a presentation at the recent Chaos Communication Congress on “Stealth malware – can good guys win?“. Unfortunately, I couldn’t make it to the presentation in person, but the powerpoint slides are a great read. I highly recommend it. Definitely food for thought. [Image is Hypervisorus Blue Pillus from […]
My latest request for documents under New York State’s freedom of information law was just responded to. There are 1289 pages of documents covering the period 6/2006 to 12/2006. By way of comparison, my two previous requests covered the period 12/2005 to 5/2006, and yielded 400 pages or so. The nice folks in NY made […]
So there’s an article in ZDNet Australia, “Establish a strategy for security breach notification.” All well and good, but Australia doesn’t have a breach notice law. (As far as I know.) So all you ‘new normal’ skeptics, who don’t believe me that standards are changing ahead of laws…why did a competent journalist writing for editor […]
It seems that the Gavle goat survived the holiday this year. Giant goats in Gavle seem to have about a 20% survival rate, with this year’s being only the 11th to survive the holiday season since 1966. No word on what fire-retardant was used, which is too bad. How are other 13 meter straw goats […]
Today Mike Rothman launched his new book “The Pragmatic CSO” at the astounding price of $97. I took the plunge and downloaded the introduction and it isn’t half bad, but aside from a cute dialogue at the beginning it doesn’t really read differently than any number of other security books I have on my shelf. […]
The excellent ‘Notes from the Technology Underground’ has some personal recollections of “when planes fell from the sky:” In the 1950s, planes crashed with alarming frequency into city neighborhoods near the Minneapolis-St. Paul airport. At least one devoured a house near where I now live, in Southwest Minneapolis. I heard from older neighbors about the […]
Dear Bob, You may think I’ve been ignoring your post, but I’ve been trying to decide how to approach it. This morning, courtesy of Scoble, I found Hugh MacLeod’s post on the subject: I dislike you intensely. I love it when bad things happen to you. When your name is mentioned I immediately try to […]
Paul Murphy has made some predictions for 2007. EC readers can judge their value.
Mr. Murphy makes one comment on data breaches that I can’t resist reacting to (after the jump), however.
(Via Kip Esquire.)
As if Barbie isn’t a bad enough role model, it seems that at least one Bratz doll came complete with actual marijuana as an after-market accessory. The unlucky recipient’s mom quickly called 911 when she found the contraband packaged with the doll she received in the mail, having thought it was an identical doll she […]
In a scary story, the Christian Science Monitor reports “US creates terrorist fingerprint database:” Last year, the Department of Homeland Security (DHS) announced the completion of a database system that collects electronic fingerprints of both the index and middle fingers of every noncitizen entering the US. The system now documents 64 million travelers. The Homeland […]
In the Christmas double issue of The Economist, there is an interesting article about Google’s new domain-level email services and their applicability to business. I’m traveling, so I listened to the podcast version. I’m not going to criticize Google today. I think Gmail is a good service. I have several Gmail accounts. I am personally […]
Here’s the lead story in this week’s CSO magazine. I’m sure glad we no longer have to worry about breaches or compliance and can focus on whether we’re wearing the right things.
The BBC reports that Modern measuring methods proved that Liechtenstein’s borders are 1.9km (1.2 miles) longer than previously thought. The border has been changed in some of the more remote corners of the mainly mountainous state, which has now grown in size by 0.5sq km (123 acres). Black Unicorn tattoo by Monique’s Euro Tattoo and […]
Michael Arrington writes at Techcrunch about a former law firm, all of whose records are going to be opened to the public: Brobeck, Pleger & Harrison LLP was a well known law firm in silicon valley during the first Internet boom. They had thousands of startup and public company clients and handled all aspects of […]
Nick Owen posts his favorite blog posts of the year. I have my favorites, but I’m curious. What are yours? What do you remember? We’d love to know.
In “The Vehicular Thomas Crowne Affair: how to creatively defeat photo radar,” Scrollin On Dubs points out that: I just got my plate from AZ DMV and happily installed it this morning. It can still be read by the keen eye but from one of those crappy photo radar pictures it will be a non-trivial […]
In March of 2005, Alec Muffett predicted “National loyalty cards,” and I mocked him for it. Since then, I’ve decided that all non-trivial privacy fears come true. And since then, Alec’s plan has taken another step. The BBC reports about a new “Blair plan for ‘people’s panels’.” No, I didn’t make that up, Comrade. He […]
Blaugh.com via Canadian Privacy Law blog (who’s had a good series of privacy and liberty cartoons up lately).
Saar Drimer and Steven Murdoch will be getting lumps of coal from the banking industry, and amused laughter from the rest of us: It is important to remember, however, that even perfect tamper resistance only ensures that the terminal will no longer be able to communicate with the bank once opened. It does not prevent […]
James Brown (May 3, 1933 – December 25, 2006)
I’ve made explicit that email addresses are optional when commenting. I’ve added easy links to Del.icio.us, Digg, Reddit, Furl, YahooMyWeb and NewsVine. If you have a bookmark system you’d like me to add, let me know. [Update: More navel gazing: added dates to post footers, and fixed underlining for links in the […]
The Department of Homeland Security (DHS) Privacy Office conducted a review of the Transportation Security Administration’s (TSA) collection and use of commercial data during initial testing for the Secure Flight program that occurred in the fall 2004 through spring 2005. The Privacy Office review was undertaken following notice by the TSA Privacy Officer of preliminary […]
In “Radical Transparency to improve resilience,” John Robb posts about Chris Anderson’s ‘radical transparency:’ Think about how these tactics can be applied to societal resilience: Show who we are. Show what we are working on. “Process as Content.” Privilege the crowd. Let readers decide what is best (aka: wisdom of the crowd) Wikify (this another […]
If you’re coming here on a holiday weekend, you might be bored. So why not take advantage of this list of online video of 46 of “The 50 Greatest Cartoons?” PS: I can’t believe they put Gertie the Dinosaur above the Rabbit of Seville. Critics.
There’s an article in Wall Street and Technology, “When Risk Managers Cry Wolf.” It opens: Avoiding “reputation risk” is a common justification for increasing security measures, protecting customers’ financial information and reporting security breaches in a timely manner. But now more than 18 months after the big ChoicePoint incident when 163,000 bogus accounts were created […]
Daniel Akaka and John Sununu have introduced a bill to repeal title II of the Real ID Act. From the press release: The Identification Security Enhancement Act (S. 4117) replaces REAL ID with language from the Intelligence Reform and Terrorism Prevention Act of 2004 (P.L. 108-458), which took a more measured approach in mandating tougher […]
In “Stellar Lavarand,” Ben Laurie writes: Some crazy people think they can make a business of this, only using the solar wind, the clouds of Venus, the Northern Lights, Jupiter’s shortwave emissions and other cosmic events as their random source. Just like lavarand, this causes a moment of “oooo, shiny”, rapidly followed by “but why […]
The Wall Street Journal reported yesterday that “Stars Find Privacy Breached In Aspen by Phone Book” (behind paywall, sorry). According to the Journal: When the Yellow Book directory for Aspen, Colo. came out recently, residents of this ultra-chic ski town found it contained more than the usual list of local bars, hair salons and ski […]
Topping the list, Vodafone has been fined $100M (€76M) for failing to protect 106 mobile accounts. “Greek Scandal Sees Vodafone fined” at the BBC, via Flying Penguin. On this side of the Atlantic, ChoicePoint, Experian and Reed-Elsevier are looking to pay $25 million to settle claims that they invaded the privacy of 200 million drivers […]
Mike Rothman writes: On the Wikid blog, they tackle the mess of incentive plans in this post (h/t to Emergent Chaos). I can see the underlying thought process, but I have a fundamental issue with the idea of capping information security expenses to about 1/3 of the expected loss. Now I haven’t read Gordon & […]
My friend Austin Hill has put up the Million Dollar Blog Post. They, and their sponsors, will donate up to a million dollars to charity, at $1 per comment. I think charity is tremendously important. I’ve been lucky enough to have a set of skills that are well rewarded in today’s world. (I’m reminded of […]
Do share your opinions and suggestions. Personally, I don’t read enough, and I stay within a too-narrow comfort zone of UNIX geek material. Help me, and other EC readers similarly situated. It’d be nice if the techie side of infosec was not the subject (Rich Bejtlich has that covered anyway) I wrote up a review […]
Cryptological in this case meaning those who like thinking about the hidden. Authorized Da Vinci Code Cryptex from The Noble Collection. It’s very nice, made of good, solid brass. It avoids many combination lock issues. I tried some obvious ways you can cheat a letter from such a device and it was well-made enough that […]
In Grant Gross’s IDG article, “VA Security Breach Bill Criticized by Cybersecurity Group,” CyberSecurity Industry Alliance General Counsel Liz Gasster is quoted extensively: The Veterans Benefits, Health Care, and Information Technology Act, largely focused on veterans’ health-care programs, includes a section on information security requiring the VA to report data breaches of any “sensitive” personal […]
The BBC reports that “Prozac ‘found in drinking water’” in Britain, and that: In the decade leading up to 2001, the number of prescriptions for antidepressants went up from nine million per year to 24 million per year, says the paper. They point to a Observer story, “Stay calm everyone, there’s Prozac in the drinking […]
Have a happy one. And thanks to TaranRampersad for the picture.
Someone sent me this picture. I thought I’d share.
In “Threatening Winds Likely to Close Major Bridges,” the Washington State department of transportation declares: WSDOT has never closed Tacoma Narrows Bridge for high winds. I don’t know that I’d be braggin’ about that. Picture from Wikipedia. [Update: They did in fact close the bridge. And I’m fine. Never lost power, no trees fell on […]
Ahmet Ertegun has passed away. Ertegun founded Atlantic Records because he loved music, and at 83, the BBC reports: He suffered a head injury when he fell at a Rolling Stones concert at New York’s Beacon Theatre in October, and died after slipping into a coma. (Emphasis added.) His book “What I’d Say: The Atlantic […]
So there’s been discussion here recently of how to motivate security professionals to do better on security. I think it’s also worthwhile to look at normal people. And conveniently, Bruce Schneier does so in his Wired column this month, “MySpace Passwords Aren’t So Dumb.” He looks at how MySpace users do in their passwords versus […]
hold the RFID. I just got my US passport renewed, and I was pleasantly surprised when it came back Old Skool — no RFID. I’m happy…until 2016 anyway.
Stefan Esser announced earlier this week that he was retiring from security@php.net citing irreconcilable differences with the PHP group on how to respond to security issues within PHP. Of particular interest is that he will be making changes to how he handles security advisories for PHP (emphasis mine): For the ordinary PHP user this means […]
Adam quoted some interesting thinking about infosec incentives. However, I’m not sure it’s that simple. Gordon and Loeb say that you shouldn’t spend more than 37% of an expected loss. However, at last summer’s WEIS (Workshop on the Economics of Information Security), Jan Willemson published a paper, “On the Gordon & Loeb Model for Information […]
Mordaxus is a longtime former cypherpunk with interests in anonymity, security and usability. He’s been involved in some of the biggest brands in security, and has entertaining stories about some of the most interesting events in information security history. He can’t tell those without giving away his secret identity, and so will focus on adding […]
First, assume that you believe, as discussed in Gordon & Loeb’s book Managing Cybersecurity Resources: A Cost-Benefit Analysis and discussed here that an organization should spend no more than 37% of their expected loss on information security. Second, assume that you agree with the Ponemon Institute on the cost of business data breaches: $182 per […]
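The 37% figure that the Gordon & Loeb discussion above keeps returning to is 1/e, and it is a theorem about the particular breach-probability functions Gordon & Loeb analysed, not a law of nature. The block below is an added worked example, not code from this blog, from Gordon & Loeb or from Willemson. It uses Gordon & Loeb’s class-I function S(z, v) = v / (αz + 1)^β, their closed-form optimum, and a grid search so any breach function can be compared; the second breach function is constructed here purely to show that a decreasing, convex, differentiable function can still push the optimal spend well past v·L/e. The $1,000,000 loss and 50% breach probability are constructed inputs.

```python
"""Gordon & Loeb optimal security investment, worked numerically.

Added example, not code from the original post. v is the probability of a
breach with no extra spending, L the loss if one happens, so v*L is the
expected loss. S(z) is the breach probability after investing z.
"""
import math

ONE_OVER_E = 1.0 / math.e  # Gordon & Loeb's cap: at most ~36.8% of v*L


def breach_prob_gl(z, v, alpha, beta):
    """Gordon & Loeb class-I breach probability function S(z, v)."""
    return v / (alpha * z + 1.0) ** beta


def enbis(z, v, L, S):
    """Expected net benefit of investing z: reduction in expected loss minus cost."""
    return (v - S(z)) * L - z


def optimal_gl(v, L, alpha, beta):
    """Closed-form maximiser of ENBIS for the class-I function, clipped at 0."""
    root = (v * L * alpha * beta) ** (1.0 / (beta + 1.0))
    return max(0.0, (root - 1.0) / alpha)


def optimal_numeric(v, L, S, steps=20000):
    """Grid-search maximiser over [0, v*L], usable with any breach function."""
    best_z, best_val = 0.0, enbis(0.0, v, L, S)
    for i in range(1, steps + 1):
        z = v * L * i / steps
        val = enbis(z, v, L, S)
        if val > best_val:
            best_z, best_val = z, val
    return best_z


def breach_prob_constructed(z, v, L, eps=0.1):
    """Constructed for this example (not one of G&L's classes): decreasing,
    convex and differentiable on [0, v*L], yet its optimum lies well above v*L/e."""
    x = max(0.0, 1.0 - z / (v * L))
    return v * x ** (1.0 + eps)


def fraction_of_expected_loss(z, v, L):
    """Spend z expressed as a fraction of the expected loss v*L."""
    return z / (v * L)


def gl_bound_holds(v, L, alphas, betas):
    """True if every class-I optimum in the parameter sweep stays under v*L/e."""
    return all(optimal_gl(v, L, a, b) <= v * L * ONE_OVER_E
               for a in alphas for b in betas)


if __name__ == "__main__":
    # Constructed inputs: 50% chance of a breach costing $1,000,000.
    v, L = 0.5, 1_000_000.0
    alpha, beta = 1e-5, 1.0
    z_gl = optimal_gl(v, L, alpha, beta)
    print(f"G&L class I: spend ${z_gl:,.0f} = "
          f"{fraction_of_expected_loss(z_gl, v, L):.1%} of expected loss")
    z_c = optimal_numeric(v, L, lambda z: breach_prob_constructed(z, v, L))
    print(f"constructed S: spend ${z_c:,.0f} = "
          f"{fraction_of_expected_loss(z_c, v, L):.1%} of expected loss")
```

For the class-I function the closed form and the grid search agree, and a sweep over α and β never crosses the 1/e line; the constructed function, which satisfies the same shape assumptions, puts the optimum near 61% of expected loss. The 37% number is therefore only as good as the assumption that your breach-probability curve looks like Gordon & Loeb’s.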
Apparently it’s Identity Theft Tuesday here on Emergent Chaos. CNN reports that a “Hacker attack at UCLA affects 800,000 people”, which includes current and former faculty, students and staff. The initial break-in was apparently in October of 2005 and access continued to be available until November 21st of this year. I am stunned that it […]
“Protectors, Too, Gather Profits From ID Theft” in today’s New York Times tells the tale of woe of Melody Millett and her husband Steven, who despite a subscription to Equifax’s identity theft protection service still had Steven’s SSN readily abused. Privacy consultant Robert Gellman summed up one of the problems with these services nicely: Identity […]
There’s a new blog, “Corruption-free Anguilla.” Long time cypherpunks will remember the joys of the Cable and Wireless contract with Anguilla. From the blog’s inaugural post: The need for such a site is based on the perception that there is much discussion in hushed tones about corruption. No one discusses the matter publicly. The press […]
History teaches you that dictators never end up well. Augusto Pinochet, November 25, 1915 – December 10, 2006
Ferran Adria, Heston Blumenthal, Thomas Keller and Harold McGee have issued a statement on the New Cookery: In the past, cooks and their dishes were constrained by many factors: the limited availability of ingredients and ways of transforming them, limited understanding of cooking processes, and the necessarily narrow definitions and expectations embodied in local tradition. […]
So it was a busy week, and I was behind everyone and their brother blogging about the Antikythera mechanism. Most of the articles only gave a few pictures. The one shown here is from Philip Coppens, who has great background. Also, courtesy of Stefan Geens, here are 3D views, courtesy of HP and Scientific American.
Ben Laurie has some knots from Second Life. Pretty.
There’s a really interesting story in the New York Times last Sunday, “Health Hazard: Computers Spilling Your History.” Money quote: Some patients are so fearful that they make risky decisions about their health. One in eight respondents in a survey last fall by the California HealthCare Foundation said they had tried to hide a medical […]
“Please put your bra in the bin,” at Flyertalk: items used to augment the body for medical or cosmetic reasons such as mastectomy products, prosthetic breasts, bras or shells containing gels, saline solution, or other liquids; and, … 1. Separate these items from the liquids, gels, and aerosols in your quart-size and zip-top bag. 2. […]
Or, “It’s not the crime, it’s the coverup”. It may be one problem airline security officials never envisioned — a passenger lighting matches in flight to mask odors from her flatulence. The woman’s actions resulted in an emergency landing on Monday in Nashville of an American Airlines flight bound for Dallas from Washington, D.C., said […]
Can a rocket powered mini match the distance of an olympic ski jumper? Watch and see. For a full explanation of the results read Popular Science’s breakdown of the experiment.
In “Citadel, Sensitive Data, and Plusfunds’ Bankruptcy” Paul Kedrosky looks at the impact of youthful chattiness on an industry: Apparently hedge fund Citadel is trying to purchase data from bankrupt Plusfunds that would detail trading strategies at some of its major competitors. The latter company had run a hedge fund index underlying which were trading […]
At MSNBC, Bob Sullivan writes about Gift Cards: Why Cash is Still Better: I’ll show you how a $50 bank card will cost you $60 and could easily be worth only $40 to the recipient. We know, it’s the practical tips that keep you coming back day after day. Image by rgluckin.
Two Seattle Seahawks fans are suing the stadium for unreasonable searches: “There’s no specific reason, or identifiable credible threat to Seahawks fans and because the stadium is a public stadium, it is unconstitutional to require these pat-downs,” said Chris Wion, one of the Seattle lawyers representing the plaintiffs. “I think this is the same type […]
Ed Felten points out that “NIST Recommends Decertifying Paperless Voting Machines:” In an important development in e-voting policy, NIST has issued a report recommending that the next-generation federal voting-machine standards be written to prevent (re-)certification of today’s paperless e-voting systems. … The new report is notable for its direct tone and unequivocal recommendation against unverifiable […]
In “Our Tax Dollars at Work,” Phil writes: After half an hour I gave up on figuring out how to do my civic duty, and leveraged Adam for some help. He’s my go-to guy for this kind of thing. He has the kind of readership that provides answers in as little as forty earth minutes, […]
If you’ve ever lived in Cambridge, Mass, you’ve probably seen the sign. I recognized it instantly, seven years after I left Boston. It’s on Cambridge St, in East Cambridge. Boston’s Weekly Dig dug in: It’s one of the more puzzling quirks of the local cultural consciousness that Gould’s shop is almost universally known, yet few […]
There are days when I wish I was Boingboing. No, really. Because if I were Boingboing, I could blog about friggin’ Bacon of the Month Clubs all day long, and have everybody on the planet clicking on my ads while I sat in my hot tub dictating posts. But we’re not. We have self-respect, […]
Security 2.0 indeed….. Thanks Illiad…. s/WEB/SECURITY/g Happy Saturday
Last night, I blogged about the ridiculous TSA Scores and how hard it is to comment on them. Then I realized that I don’t have a good sample comment. Well, I have lots of comments, but now and then we pretend that this is a family blog, and that anyone under 21 might be interested […]
Phil Schwan, who was able to read to the end of “Homeland Security tracks travelers’ meals” without blowing a gasket, noticed that they said they’d only gotten 15 comments: I tried for 30 goddamn minutes to figure out how to comment. That’s why there are only 15 comments. All I could find was a Privacy […]
Sometimes, we Americans forget how lucky we are to live in a country with 51 legislative bodies, all of which can pass laws which affect all of us. By sheer luck, some of those laws will not stink, and a few actually turn out to be useful, not jarringly out-of-tune with the gestalt, and not […]
How’d you like to be the person at British Airways who has to write the letter to 30,000 people explaining that they might have been exposed to a radioactive poison while traveling on BA flights? Remarkably, authorities will not confirm that the substance detected was Polonium, yet passengers on the flights are being asked to […]
There’s another good article on Juice Analytics, “Godin, Tufte, and Types of Infographics:” (hey, guys, where are the author names? Author names only show in RSS, not the web page?) Tufte frustrates on a number of levels. He is enormously influential in business. Businesses send people to his seminars and they come back energized with […]
So I’ve been discomfited by the thoughts expressed by Tom Ptacek and the Juice Analytics guys over what presentations are for, and a post over at Eric Mack’s blog, “A New Two Minute Rule for Email.” The thing that annoys me is the implicit assumption that all issues should be broken down into two minute […]
Amidst the to and fro over insider v. outsider threats, whether security metrics can be “gamed”, and so on, and in recognition of the best buddies that security geeks and economists have now become, I offer the following. The saying often quoted from Lord Kelvin (though the substance, I believe, is much older) that “where you […]
Back in July, I wrote: If fewer outbreaks are evidence that things are getting worse, are more outbreaks evidence things are getting better? Now, I was actually tweaking F-Secure a little, in a post titled “It’s Getting Worse All The Time?” I didn’t expect Halvar Flake would demonstrate that the answer is yes. Attacks getting […]
Following on Arthur’s post about Banksy, and for your weekend amusement, videos of Banksy installing his artwork are at his site. I had to hand-enter URLs to get the videos to display; they’re of the form http://www.banksy.co.uk/films/video5.html, with the others being 1, 3, and 4. Via Alec Muffett.
Michael Geist is covering Canadian Parliamentary hearings over that country’s privacy law in “PIPEDA Hearings – Day 01 (Industry Canada)” “PIPEDA Hearings – Day 02 (B.C. Privacy Experts)” Bakelblog vents about the petty tyranny of immigration bureaucrats in “Welcome to America, Fuckwads!” Alec Muffett has interesting and detailed comments about the broken security of the […]
Or how museum security is like information security. Or as Sivacracy put it “Involuntary Art Acquisitions”. Call it what you will, but in all cases it highlights the fact that most security programs be they physical or information focused, tend to be unidirectionally focused. In the case of museums, it is to ensure that nothing […]
Hey everyone, it’s time to celebrate Thanksgiving here in the U.S. Or in the words of Anya, engage in “ritual sacrifice with pie.” If pie isn’t your thing, perhaps cookies are. kung-foodie points us to Joseph Hall’s Ubuntu and
Via the Beeb: Drivers who get stopped by the police could have their fingerprints taken at the roadside, under a new plan to help officers check people’s identities. A hand-held device being tested by 10 forces in England and Wales is linked to a database of 6.5m prints. Police say they will save time because […]
Last week, Martin McKeay responded to RaviC’s thoughtful discussion of security as a core competence by saying: I don’t think any business is going to buy into security as a core competence unless you can demonstrate to management that they’ve lost business directly because of a lack of security. And even then, it’s an incident […]
Last week, Rich Bejtlich posted his common security mistakes to TaoSecurity. His points are all excellent and well thought out, however, I would add one more item to his list: Awareness. It is very in vogue to say that user education must be eradicated, will never work and is one of the dumbest ideas in […]
“It’s too late, baby” Yeah, I’m dating myself, but Tapestry was huge, and she and Goffin had some serious songwriting chops. Anyway, the “it” about which it’s too late is, yes, a relationship. An important relationship. A relationship which, while admittedly not exclusive, is “open” in a hopefully honest, fulfilling, respectful way. That relationship is […]
Apparently, artist Kristian Von Hornsleth has been paying Ugandans to rename themselves Hornsleth, as a way of drawing attention to aid failures. His exhibit is sub-titled “We want to help you, but we want to own you.” I think it’s brilliant. Regular readers know that we talk a lot about identity, id cards, and economics. […]
Frito-Lay spokeswoman Lisa Greeley, who said that the company made a commitment in 2004 to develop a healthier line of snacks but “never thought it would actually come to this,” described the Flat Earth brand as “tailor-made for the small, vocal minority of health-conscious consumers who apparently can’t just be content with salads, bananas, apples, […]
So Chris beat me to the mocking of Guidance Software. I was going to do that, and then ask about the software that they produce, and its heavy use in legal proceedings. If your corporate network is full of hackers, what does that say about the admissibility of the output of your software? There’s also […]
SANS has just released their annual Top 20. I won’t bother linking to it — Google knows where to find it, and if you’re reading this blog, you probably do too. Anyway, it seems like the SANS people have a bit of competition. Check out this list: Failing to assess adequately the vulnerability of its […]
Juice Analytics comments on “Godin’s take on Tufte:” (Godin) I think this is one of the worst graphs ever made. He’s very happy because it shows five different pieces of information on three axes and if you study it for 15 minutes it really is worth 1000 words. I don’t think that is what graphs […]
So, I was commenting over on Econlog, and noticed this: “Email Address (Required. Your email address will not display to the public or be used for any other purpose.)” So, umm, what is it being used for? This is both snarky (obviously) and serious (less obviously). The less obvious part is that information is being […]
Every now and then, it seems like TSA can do something right. I’ll let you know. In the meantime, the New York Times tells us that “Frustration Grows at Carousel as More Baggage Goes Astray:” The Transportation Department reported that 107,731 more fliers had their bags go missing in August than they did a year […]
So a few days ago, I attended the Vista RTM party. I spent time hanging out with some of the pen testers, and they were surprised that no one had dropped 0day on us yet. These folks did a great job, but we all know that software is never perfect, and that there are things […]
A few months back, I said “Ironically, privacy advocates warned that the number would become a de facto national ID, and their concerns were belittled, then proven right, setting a pattern that still goes on today.” In thinking about Alec Jeffreys’ come-to-Jesus moment, I realized that we can state that another way: All non-trivial privacy […]
cypherpunk, n. Computing slang. A person who uses encryption when sending emails in order to ensure privacy, esp. from government authorities. For the full text, see his post, The OED. Me, I’m disappointed that they didn’t quote the Forbes article.
On Friday, BoingBoing linked to a great story about some kids mugging magician David Copperfield. Copperfield used sleight-of-hand to hide the items in his pockets: The assistants handed over money and a cellphone, but the illusionist turned his pockets inside out to reveal nothing, although he was carrying his passport, wallet and cell phone. So […]
There’s the Budapest Declaration on Machine Readable Travel Documents: By failing to implement an appropriate security architecture, European governments have effectively forced citizens to adopt new international Machine Readable Travel Documents which dramatically decrease their security and privacy and increases risk of identity theft. Simply put, the current implementation of the European passport utilises technologies […]
Via CNN: WELLINGTON, New Zealand (AP) — New Zealand’s high school students will be able to use “text-speak” — the mobile phone text message language beloved of teenagers — in national exams this year, officials said. Text-speak, a second language for thousands of teens, uses abbreviated words and phrases such as “txt” for “text”, “lol” […]
Or, is it? Credit: http://xkcd.com/c182.html
Via the Beeb, writing about a county board election in South Dakota: Marie Steichen, who died of cancer in September, beat a Republican rival by 100 votes to 64 and became a county commissioner posthumously. The election list closed on 1 August, but Ms Steichen’s name was kept on the list for Tuesday’s election. Voters […]
Breach disclosure foes say that notifying those whose personal information may have been revealed in many breaches is costly, and often not commensurate with actual risk to consumers. A well-written example [pdf] can be had from the Political and Economic Research Council, which reports that direct notification costs are about $2.00 per notified person. So, […]
His posts on “Microsoft hosts OEM partners for a crash-course in SDL (Day Two)” and “Microsoft hosts OEM partners for a crash-course in SDL (Day Three)” cover much of what I wanted to say: My biggest observation was these guys were utterly engaged, and by that I mean writing copious notes and asking some very […]
Let’s see..we’ve got shadows, random colors, and the colors are graduated, and so is the background. Displaying 13 digits takes 109,341 bytes (in the original), for a remarkable data density of .0001 digit per byte. Anti-phishing working group? You can, I hope, do better. Via the F-Secure blog, who don’t have per-post links.
My co-worker Mike Howard posted “Microsoft hosts OEM partners for a crash-course in SDL (Day One)” As part of our ongoing SDL efforts, we are hosting a 2.5 day event here in Redmond for our OEM partners – over 50 senior technical experts from the biggest names in the computer industry. Out of respect for […]
The White House has been gloriously editing history for the edification of the people. Or, as Roger Bakel points out: Remember Bush’s speech on the aircraft carrier three and a half years ago, in which he declared an end to major combat in Iraq while standing under that instantly notorious ‘Mission Accomplished’ banner? Well, the […]
I heard on the radio last night that these are the most expensive elections in US history. (It was not clear if that was accounting for inflation, or considering Presidential elections as well.) They also said that only about 50 of the 435 Congressional seats are considered to be in play. This, years after McCain-Feingold […]
A pioneer of Britain’s DNA database said on Wednesday it may have grown so far beyond its original purpose that it now risks undermining civil rights. Professor Alec Jeffreys told BBC radio that hundreds of thousands of innocent people’s DNA was now held on the database, a disproportionate number of them young black men. … […]
Cutaway, over at Security Ripcord provides us with an alternate take on the fact that security needs to understand the business constraints and goals of the organization. He (She?) quite rightly points out that security is a part of the “Service and Support” Group. He has two essential points: I have been hearing a lot […]
I found this beautiful set of photos of the Sultan’s Elephant show in London. (Mentioned previously.) Photos by Simon Crubellier. Found while searching for a photo to go with “If you’d seen the things I’ve seen with these eyes of yours…” Since we’re being slightly political, can you imagine this show being put on anywhere […]
Apparently, in Ohio, you’ll be able to vote if you know the last 4 digits of an SSN. As the Cleveland Plain Dealer reports: Voters who don’t have identification will be able to vote at next week’s election by presenting the last four digits of their Social Security number and casting a provisional ballot. Will […]
The National Highway Traffic Safety Administration (NHTSA) is again bending to the will of the auto industry as the agency is proposing to restrict access to information about consumer complaints, warranty claims and service reports. NHTSA was ordered by Congress to make information about problems with vehicles public after it withheld information about the blowout […]
Someone who likes his privacy sent me this link to an “Encyclopedia of Privacy.” It’s 672 pages, for $199. How many people are going to read that? How many copies are they going to sell? It’s sad that they’ve chosen to lock up all that work that way, rather than putting it somewhere where the […]
The New York Sun reports, “A Rebellion Erupts over Journals of Academia:” “Elsevier’s prices are very high,” said an emerita mathematics professor at Barnard College, Joan Birman, who resigned a few years ago from the board of an Elsevier journal, Topology and Its Applications. She said her feeling was, “We do the work, we check […]
Dave Weinstien has a really interesting article, “PLOS – Open Access science:” PLoS has an “intrinsic tension” [Hemai Parthasarathy] says because most of the people who started the journal don’t believe in elite publishing. “We think it’s wrong for tenure committees to pass the buck” to the editors of the top-tier journals. That’s why they’ve […]
My friend Austin Hill has a new blog, Billions With Zero Knowledge. He’s got a really good post up “Crowdsourcing or Community Production – An Interview with Hugh McGuire from Librivox.” What’s most interesting to me is how new companies are trying to tap into customer enthusiasm to build not only value for their customers, […]
Sometimes it’s OK to take candy from strangers.
Chandler Howell has a great post about giant waves. He quotes extensively from “Monster Rogue Waves” at Damninteresting: More recently, satellite photos and radar imagery have documented the existence of numerous rogue waves, and it turns out that they are far more common than previously thought. During a three-week study in 2001, radar scanning detected […]
At first I thought that the stories around Sequoia Voting Systems and Smartmatic having connections to Hugo Chavez were silly. I still do think that, but I also think that they’re coming out for an important reason: we have lost trust in the machinery of voting, and that is a criminal shame. The right to […]
Yesterday, I blogged about Christopher Soghoian’s print your own boarding pass tool. Quite a few people (including the FBI) are taking the wrong lesson from this. Wrong lessons include “we shouldn’t be allowed to print boarding passes,” “we should check ID at the gate,” and “Christopher Soghoian should be arrested.” The right lesson is that […]
Sure, it’s all over the web, but you might be living under a rock, or in a reality-free zone, and have missed “Make Your Own Fake Boarding Pass” at 27b/6. The short version of the story is that someone has automated the process of creating your own fake boarding passes. Don’t worry, though, Osama isn’t […]
Earlier this week, Mike Rothman took a swipe at Alex Hutton’s What Risk Management Isn’t by saying: But I can’t imagine how you get all of the “analysts and engineers to regularly/constantly consider likelihood and impact.” Personally, I want my firewall guy managing the firewall. As CSO, my job is to make sure that firewall […]
Bob Sullivan has an article at Red Tape, “Health care privacy law: All bark, no bite?” and focuses on the lack of penalties. Two years ago, when Bill Clinton had heart surgery performed in New York’s Columbia Presbyterian Medical Center, 17 hospital employees — including a doctor — peeked at the former president’s health care […]
Even though Chris got the news before me, I wanted to add my congratulations. I was involved in Counterpane very early, and made the choice to go to Zero-Knowledge Systems. I stayed involved on the technical advisory board, and was consistently impressed by the quality of the many Counterpane employees and executives who I met. […]
And so it continues…. Reuters has a few details. Unsurprisingly, Bruce Schneier also has a blog entry up on this.
I like to celebrate moments of human freedom, even when they are not as successful as we would hope. And so it’s worth remembering the Hungarian revolution against Soviet rule, which began fifty years ago yesterday. Nick Szabo has a fine post about it, and it was the featured article on Wikipedia yesterday, “The Hungarian […]
There’s a fascinating article in the New York Times last week, “Expunged Criminal Records Live to Tell Tales” about how companies like Choicepoint which collect and sell public records don’t pick up orders to expunge those records. I didn’t have much to add, and figured the Times doesn’t need me to pimp their articles (they […]
Well, calling it cracked implies encryption or some semblance of security, of which there is none according to the New York Times. In Researchers See Privacy Pitfalls in No-Swipe Credit Cards we learn that a team of folks from UMass Amherst and EMC/RSA tested a small batch of RFID Credit Cards from Amex, Visa and […]
With recent data leaks at AOL, governments seeking information from Google on its users, and no simple user privacy solutions available, a standard for empowering user search privacy has finally been proposed. PoundPrivacy.org is spearheading a search privacy revolution with its proposed #privacy standard. Our proposal is that the #privacy flag could be added to […]
Well, not intentionally. Seems that multiple versions of source code (including the one used to run the 2004 primaries in Maryland) were delivered anonymously to a former legislator who has been critical of Diebold. Note that this is not the same source examined by Avi Rubin et al., and found wanting from a security perspective. […]
I came prepared. I knew I would be walking in to the lion’s den with my spartan Thinkpad running Windows and Ubuntu. Sure enough there was an eerie sea of glowing white Mac logos in the conference room which reminded me vaguely of Wyndham’s Midwich Cuckoos. I surreptitiously covered the IBM logo with a white […]
“Decaf” over on DeadBeefCafe, relates the story of a colleague whose response to yet another virus outbreak is to convince management to purchase Macintoshes, with the following justification: We’re going to buy Mac Minis and run Windows on them because Macs aren’t affected by these security problems. Decaf breaks down the several fallacies of this […]
Click the picture to be taken to Google video. (Don’t forget to remove the flash cookies when you’re done.)
How can you not like these warning signs? Via Schneier’s blog
Iang over at Financial Cryptography talks about the importance of not just which cryptographic algorithm to use, but which mode it is implemented with. He uses three pictures from Mark Pustilnik’s paper “Documenting And Evaluating The Security Guarantees Of Your Apps” that are such a great illustration of the problem, that I have to include […]
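To make the same point without the pictures, here is an added example of my own (not code from Iang’s post or from Pustilnik’s paper): a toy 16-byte Feistel cipher built on HMAC-SHA256, which is an honest, invertible block cipher but is not AES and is an assumption standing in for one, run over a constructed two-tone “image” in ECB and in CBC mode. The key, IV and image are made up for the demo. The number of distinct ciphertext blocks tells the whole story: ECB preserves the plaintext’s block structure, CBC does not.

```python
import hashlib
import hmac

BLOCK = 16          # block size in bytes; the Feistel halves are 8 bytes each
ROUNDS = 4          # four rounds of a PRF-based Feistel network give a strong PRP


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    # Round function: keyed PRF (HMAC-SHA256) truncated to one half-block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def block_encrypt(key, block):
    """Toy balanced Feistel network (assumption: stands in for a real cipher such as AES)."""
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _f(key, i, r))
    return r + l      # final swap so decryption is the same walk backwards


def block_decrypt(key, block):
    r, l = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(ROUNDS)):
        r, l = l, _xor(r, _f(key, i, l))
    return l + r


def _blocks(data):
    if len(data) % BLOCK:
        raise ValueError("data must be a whole number of blocks (no padding here)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, data):
    # Every block is encrypted independently: equal plaintext, equal ciphertext.
    return b"".join(block_encrypt(key, b) for b in _blocks(data))


def cbc_encrypt(key, iv, data):
    # Each block is XORed with the previous ciphertext block before encryption.
    out, prev = [], iv
    for b in _blocks(data):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for c in _blocks(data):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def distinct_blocks(data):
    return len(set(_blocks(data)))


# Constructed "image": 32 rows of black pixels above 32 rows of white, one block per row.
IMAGE = b"\x00" * BLOCK * 32 + b"\xff" * BLOCK * 32
KEY = b"sixteen byte key"       # constructed demo key
IV = bytes(range(BLOCK))        # constructed demo IV


def leak_report():
    """Returns (distinct plaintext blocks, distinct ECB blocks, distinct CBC blocks)."""
    return (distinct_blocks(IMAGE),
            distinct_blocks(ecb_encrypt(KEY, IMAGE)),
            distinct_blocks(cbc_encrypt(KEY, IV, IMAGE)))
```

The plaintext has two distinct blocks, the ECB ciphertext has the same two (a viewer could redraw the picture from it), and the CBC ciphertext has 64. In a real system use AES from a vetted library in an authenticated mode; the point here is only that the mode, not the primitive, decides what leaks.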
At the Volokh Conspiracy, Jonathan non-Alder points to the John Yoo op-ed which …argues that Congress sent a message to the Supreme Court with the passage of the Military Commissions Act: Mind your own business and leave the war on terror alone. In this regard, Yoo argues, the law was, above all else, a “stinging […]
Nick Szabo takes issue with an article I pointed to in “Reservoirs of Data” in his post, “Citron’s ‘data reservoirs:’ putting liability at the wrong end of the problem:” Bottom line: liability should be put on the low-cost avoider. This is not merely a rule of negligence but a guideline for determining where any kind […]
Wynn stepped away from the painting, and there, smack in the middle of Marie-Therese Walter’s plump and allegedly-erotic forearm, was a black hole the size of a silver dollar – or, to be more exactly, the size of the tip of Steve Wynn’s elbow — with two three-inch long rips coming off it in either […]
My friends at Radialpoint are looking for a few great people to help drive their service delivery platform. They need a database development architect, a software architect, and a senior Java developer: These are leadership level positions in a growing company with great financial resources. Each of these team members will have the chance to […]
I’m also really excited to share the news that my friends at Debix have launched their service, and it’s now available to the public. It is, in my opinion, the best identity theft preventative measure available today, and you should seriously consider signing up. The way it works is that they put a lock on […]
I’m pretty excited that an article, “Threat Modeling: Uncover Security Design Flaws Using the STRIDE Approach” is in the November MSDN magazine. The theme of the magazine is “Security Fundamentals.” The article that I wrote with Shawn Hernan, Scott Lambert, and Tomasz Ostwald talks about how we threat model our products at Microsoft. I’m happy […]
It’s the scenes Lucas was too scared to film! The actual presentation, with voice overs. At http://lay-uh.ytmnd.com/.
It’s the Nietzsche Family Circus, which pairs a randomized Family Circus cartoon with a randomized Friedrich Nietzsche quote. Hours of fun!
Are condemned to be mocked for it. See what happens when Australia’s “The Chasers War On Everything” build their own Trojan Horse and haul it around town.
The periodic table is under-appreciated as a design masterpiece, and as an iconic representation of science. The table works as a taxonomy, showing someone who knows how to read it a great deal of information about the elements based on their arrangement in space. So it’s pretty audacious to come out with a re-design: The […]
Harkening back to Adam’s post a while back concerning EC being blocked or miscategorized by various “security” products, tk of nCircle posts that nCircle.com has been blocked from some security vendor sites. This reads to me like the equivalent (speaking of analogies) of Toyota blocking Honda.com, rather than the categorization of nCircle.com as evil in […]
So Chandler offers up “The Last Security Analogy You’ll Ever Need.” I’d like to pile on: Analogies are like fish. Sometimes they just don’t make sense.
So it seems that certifications are again in the press. This time over at SC Magazine. Last month, SC ran “Does testing matter?“. I say ran as opposed to ask, because really the article was a page long advertisement for the various certifications with most of the quotes being from the various organizations who sponsor […]
Over at the OSVDB blog, blogauthor writes: On September 29, Stefan Esser posted an advisory in which he said “While searching for applications that are vulnerable to a new class of vulnerabilities inside PHP applications we took a quick look…“. This lead me to remember an article last year titled Microsoft unveils details of software […]
There are a bunch of ways to estimate how many people have died in the Iraq war. One is to keep track of news stories and official reports of combatant and civilian deaths, and add them up. Another is to employ the tools of epidemiology and demography. Until now, we’ve had essentially only the former […]
On August 10, after his family was refused a home loan, an Arcata man was mortified to find the phrase “son of Saddam Hussein” included on his credit report. “I looked at it and couldn’t believe my eyes!” Said the Arcata man who asked that only his middle name, Hassan, be divulged. The routine credit […]
What could you do with $11 billion? How many ways could we make the world a better place with that money? I know! Let’s spend it on a national ID card! The $11 billion figure comes from the National Conference of State Legislatures, and doesn’t include wasted time by productive members of society. On the […]
Orin Kerr has an interesting post over at Volokh Conspiracy, “Government Responds in United States v. Ziegler,” which contains this interesting bit: But that’s simply not how the Fourth Amendment works. The “reasonable expectation of privacy” test is actually a system of localized rules: the phrase is simply a label, and what it actually means […]
I forgot to turn my wifi card off on the plane last night, and saw this: Kids today! Back in my day, man in the middle attacks were hard.
Danielle K. Citron has put a new paper on SSRN, “Reservoirs of Danger: The Evolution of Public and Private Law at the Dawn of the Information Age.” It is highly readable for the lay audience, and lays out (what I think is) a strong case for strict liability in personal data breaches. The abstract of […]
If, as is being suggested, North Korea has tested a nuke, things will be getting mighty interesting. I don’t know what to make of it, frankly. Update, 2350 CDT: Looks increasingly like there was, indeed, a test.
This seems to be the weekend of redux posts and back tracking to earlier in the year. Way back in January, Adam wrote about the RFID Zapper created by the folks at the annual Chaos Computer Club conference. Along a similar vein, Julian of exremflug.de, has also produced an RFID Zapper made from a disposable […]
Back in July, I posted about online code searching and static analysis in “Meet The Bugles“. Google has now seriously upped the ante and released Google Code Search which I am constitutionally required to mention includes full regular expression support. Now I was going to post an analysis of the cool things that one could […]
Here in the U.S., one of our Old Order Amish communities has recently suffered an infamous crime — the murder of several schoolchildren. Interest in this case has been high. Naturally, the public’s right to know has been ably served, as journalists took plenty of funeral photographs, despite the fact that the Amish, on strict […]
As long as I have been lecturing on security I have used the “Threat Hierarchy” that lists threats in ascending order of seriousness. It goes like this: 1. Exploratory hacking 2. Vandalism 3. Hactivism 4. Cyber crime 5. Information Warfare It turns out that this hierarchy is also a predictive time line. Obviously we are […]
There’s a really interesting article at Blogging on the Identity Trail, “Bouquets and brickbats: the informational privacy of Canadians:” In the course of our investigations, I frequently found myself reflecting on two broader questions: first, I wondered how best law could protect the personal information of Canadians—and by extension the privacy of Canadian citizens—in the […]
Thanks for the emails. We’re aware of some problems with the RSS and comments feeds, and will be working through them asap. [Update: Should be fixed, as of Oct 05, 2006 at 05:01:36PM -0400. cw] [Update 2: When Chris said “fixed,” he was of course using the term in the sense of a Vegas prize […]
Thanks to my lovely spouse, I came across a series of fascinating papers by Walter R. Mebane, Jr. a professor of Government at Cornell. These papers use statistics, specifically Benford’s Law, to detect election fraud. Now I know statisticians, and I am no statistician (and boy howdy is my higher level math rusty), but the […]
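Here is an added example, mine rather than anything from Mebane’s papers, of the second-digit Benford test those papers build on, applied to two constructed tallies: one log-uniform across three decades, which obeys Benford’s law, and one whose digits a forger picked “at random” so the second digit is uniform. The chi-square threshold is the standard critical value for nine degrees of freedom at the 5% level; the vote counts are constructed, not real precinct data.

```python
import math

# Benford second-digit law: P(second digit = d) = sum over k = 1..9 of log10(1 + 1/(10k + d)).
BENFORD_SECOND = [
    sum(math.log10(1 + 1 / (10 * k + d)) for k in range(1, 10)) for d in range(10)
]

CHI2_CRITICAL_DF9_P05 = 16.919   # chi-square, 9 degrees of freedom, alpha = 0.05


def second_digit_histogram(counts):
    """Histogram of the second significant digit over a list of vote counts."""
    hist = [0] * 10
    for c in counts:
        if c < 10:
            raise ValueError("second-digit test needs counts with at least two digits")
        hist[int(str(c)[1])] += 1
    return hist


def chi_square(counts):
    """Pearson chi-square of the observed second digits against the Benford expectation."""
    hist = second_digit_histogram(counts)
    n = sum(hist)
    return sum((hist[d] - n * p) ** 2 / (n * p) for d, p in enumerate(BENFORD_SECOND))


def looks_manipulated(counts):
    """True when the second digits deviate from Benford more than chance would explain."""
    return chi_square(counts) > CHI2_CRITICAL_DF9_P05


def natural_counts(n=5000):
    """Constructed data: log-uniform across three decades, which follows Benford's law."""
    return [int(10 ** (2 + 3 * i / n)) for i in range(n)]


def fabricated_counts(n=5000):
    """Constructed data: a forger 'randomising' digits by hand, so the second digit is uniform."""
    return [int(f"{1 + i % 9}{(7 * i) % 10}{(3 * i) % 10}") for i in range(n)]
```

The natural tally scores well under the threshold; the fabricated one scores around 59, because a uniform second digit over-represents 9s and under-represents 0s relative to Benford. A flag is a reason to audit a precinct, not proof of fraud, which is also how Mebane frames it.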
There is a Workshop on Privacy in The Electronic Society taking place at the beginning of November. We (George Danezis, Marek Kumpost, Vashek Matyas, and [Dan Cvrcek]) will present there results of A Study on the value of Location Privacy we have conducted a half year back. We questioned a sample of over 1200 people […]
[This was prepared the morning of October 1, but not posted because I expected more to come of the story rather quickly. It now appears that 1. is true.] OK, so at Toorcon a couple of guys — one of whom works at SixApart — reported on a Firefox 0day. These gents claim to have […]
Bob Sullivan has an interesting article, “Is that picture keeping your money safer” in which he takes dueling quotes over the Bank of America Sitekey deployment. Rather than arguing again about Sitekey (see “Easy Pickings for Bank Robbers,”) I’d like to ask why a respected and competent reporter like Bob can’t get a straight answer […]
Marty Roesch writes “Miracle Weapon in the War on Terror Discovered!.” You’d think he’d have more sympathy for the need for standardized transports while doing high-speed inspection.
Ping over at Useable Security has a great analysis of Rivest’s ThreeBallot voting system. The delightful thing about ThreeBallot is that it should be incredibly easy to implement on a small scale and not much harder on a large scale and has in built in provisions to prevent voter error, counter fraud and vote buying. […]
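As an added example, not from Ping’s analysis or from Rivest’s paper, here is the mechanism in Python for a vote-for-one race: the voter fills three ballots, marking the chosen candidate on exactly two of them and every other candidate on exactly one; the machine checks that pattern before accepting the triple; each candidate’s tally is its total marks minus the number of voters; and the voter keeps a copy of one of the three ballots as a receipt that must later appear, unchanged, on the public bulletin board. The candidates, voter intents and 64-bit ballot IDs are constructed, and the checker’s rule that exactly one candidate must receive two marks is my simplification for the single-choice case.

```python
import random


def make_three_ballot(candidates, choice, rng):
    """The voter's side: three ballots, the chosen candidate marked on two of them,
    every other candidate on exactly one. Which ballot gets which mark is random,
    so any single ballot on its own is consistent with any choice."""
    ballots = [dict.fromkeys(candidates, False) for _ in range(3)]
    for cand in candidates:
        marks = 2 if cand == choice else 1
        for idx in rng.sample(range(3), marks):
            ballots[idx][cand] = True
    return ballots


def check_three_ballot(candidates, ballots):
    """The machine's side: refuse any triple that is not one vote for one candidate."""
    if len(ballots) != 3:
        return False
    totals = {c: sum(b[c] for b in ballots) for c in candidates}
    if any(t not in (1, 2) for t in totals.values()):
        return False
    return sum(1 for t in totals.values() if t == 2) == 1


def run_election(candidates, intents, seed=2006):
    """Returns the public bulletin board and the voters' receipts. Each ballot gets
    an unlinkable random ID (collisions negligible at 64 bits); the voter keeps a
    copy of one of the three, chosen at random."""
    rng = random.Random(seed)
    board, receipts = [], []
    for choice in intents:
        triple = make_three_ballot(candidates, choice, rng)
        if not check_three_ballot(candidates, triple):
            raise ValueError("machine rejected a malformed triple")
        stamped = [(rng.getrandbits(64), marks) for marks in triple]
        board.extend(stamped)
        receipts.append(rng.choice(stamped))
    rng.shuffle(board)   # the board does not show which three ballots belong together
    return board, receipts


def tally(candidates, board):
    """Every voter contributes one extra mark per candidate, so subtract the voter count."""
    voters = len(board) // 3
    return {c: sum(marks[c] for _, marks in board) - voters for c in candidates}


def audit(board, receipts):
    """Receipts whose ID is missing from the board or whose marks were altered."""
    posted = dict(board)
    return [bid for bid, marks in receipts if posted.get(bid) != marks]


CANDIDATES = ["Alice", "Bob", "Carol"]                   # constructed
INTENTS = ["Alice"] * 5 + ["Bob"] * 3 + ["Carol"] * 2    # constructed: 10 voters


def demo():
    """Runs the election, then deletes the ballot behind the first receipt to show
    that a voter holding that receipt catches the tampering."""
    board, receipts = run_election(CANDIDATES, INTENTS)
    result = tally(CANDIDATES, board)
    victim = receipts[0][0]
    tampered = [(bid, marks) for bid, marks in board if bid != victim]
    return result, audit(board, receipts), audit(tampered, receipts)
```

Because a receipt is one ballot out of three chosen at random, removing or altering any posted ballot has a one-in-three chance of being caught by a single voter, and the odds compound across voters; meanwhile the receipt alone never reveals how its holder voted, which is what defeats vote buying.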
A loyal reader reports that we’ve hit the big time, and Secure Computing’s censorware has banned us at their dozens of customers’ sites. Now, it’s their right to make software that prevents you from getting the best in security news and analysis, and my right to wonder how they get their heads up there. I’m […]
long unsigned int maxwordsize(char *inputFromStdIn) { long unsigned int tmpwordsize=0,maxword=1,i; for (i=0; i
In “SecureWorks Backs Out of Macbook Demo,” Brian Krebs writes: David Maynor, the SecureWorks researcher who was set to demonstrate how wireless driver flaws could be used to compromise an Apple Mac laptop, suddenly has been yanked from the ranks of Toorcon presenters. At around 12:50 p.m. PT, SecureWorks issued the following press release: “SecureWorks […]
Yesterday, Mary Ann Davidson had a fascinating post about the classics of Western literature. As usual for Mary Ann, the apparent basis of the post is really just exposition for her main point. In this case, the thrust of her post is the need for developers to have more training in secure coding at the […]
Social Security Administration officials believe computerization of files has contributed to their security. In the manual era, the applicant’s record was an individual ledger sheet. Thus if a person could get to the file drawer and then the ledger, he could check any record. Although entry to the files area was restricted by guards who […]
No free man shall be seized or imprisoned, or stripped of his rights or possessions, or outlawed or exiled, or deprived of his standing in any other way, nor will we proceed with force against him, or send others to do so, except by the lawful judgement of his equals or by the law of […]
Mike Cook, author of the ID Analytics report referred to in a recent Breach Tidbit post, has responded in the comments.
Stupid bills before legislatures seem to be a target rich environment which is to say, its hard to even say where to start. So allow me to offer a suggestion: California’s SB768 will slow RFID stupidity. Take a look at EFF’s fact sheet, and then, if you’re in California, call your local Governator, and tell […]
Ed Felten, who has been doing research into security issues with Diebold’s voting machines, is testifying today at a House Administration Committee hearing. He’s posted his written testimony on his website. Check it out. [Edit: Corrected the spelling of Ed’s name.]
Most readers of these words are probably familiar with at least one of the lists of data breaches commonly referenced in the media and in specialized blogs. Among these are Attrition.org’s Dataloss, and Privacyrights.org’s Breach Chronology. The ID Theft Center also maintains a list (available, it seems, only as a PDF), and various academic researchers […]
“Everybody personally and professionally that I know who is afraid to fly gets their hands on Xanax,” said Jeanne Scala, a psychotherapist in Roxbury, N.J., adding that she has seen an increase in patients and friends talking about taking medication for flying jitters. “They’ll do anything to take the edge off the anxiety of sitting […]
Our very own Chris Walsh was featured today on Dark Reading. In “Financial Firms Losing Data”, they profile Chris and his research using the Freedom of Information Act to better quantify the nature of privacy breaches in New York. The results may surprise you…
So part of Choicepoint’s settlement with the FTC was a $5m fund to compensate their victims. Now, there were 167,000 victims, of whom 800+ had their identities abused by fraudsters. None have gotten any money: Jessica Rich, assistant director of the FTC’s division of privacy and identity theft, said in a statement released to AP […]
Speaking of the differences between how security gets managed in the U.S. versus the E.U., CSO magazine has a light-hearted and somewhat irreverent article on the differing goals and priorities of audits on either side of the Atlantic. In spite of its tone, it does highlight some important issues to keep in mind. In particular: […]
In a comment on “What’s Next in Breach Analysis,” Ian Grigg pointed out the very interesting “Handling Security Breaches Under European Law:” There are as yet no direct equivalents of the mandatory security breach reporting legislation we have seen in the U.S., either at a European Union level or within Europe itself. That is not […]
So said William Gibson, and it is as true in breach notices as it is anywhere else. While only 34 US states have laws requiring these notices, we see organizations around the world sending them. They resonate as the right thing. Acknowledging and apologizing for your mistakes is powerful. (Hey, someone should mention that to […]
Photo credit: eecue.com
One of the things people would like to find out is how likely it is that improperly-revealed personal information will be used to commit real fraud. ID Analytics has done some research which they interpret as suggesting that even with focused attacks, where the bad guy is going after SSN and account information, the probability […]
Read “Google is Watching You” for the worksafe details. Via Sivacracy.
“Until Solaris became open, students were only interested in Solaris for the same reason they were interested in NextStep Unix — because it was this arcane, old-fashioned thing,” said Asheesh Laroia, a graduate student in computer science at Johns Hopkins University. Via NetworkWorld.
..’cause she’s Dunn! What’s the over/under on how long Hurd lasts? Image credit: progodess
I started this week asking “Is It Time To End the Breaches Category” and “What’s Next In Breach Analysis?” I talked about “Emergent Breach Research,” Chris talked about the theme of the “19th Annual FIRST Conference” including data being out of control. Arthur followed that up with “CSO Breach SOP == FUD?” and pointed out […]
I have read repeatedly, most recently at Bejtlich’s blog, that with the IBM-ISS and now Secureworks/LURHQ deals, Counterpane “must” be looking to get bought out. Why? As with management consultancies, could there not be room for a boutique that does one thing really well? Help me out, here.
I just received a response to my second Freedom of Information request to the state of New York. I’ll report on this more deeply soon, but in the spirit of breach analytics week, I wanted to throw out a couple of things, based on an extremely superficial examination of the approximately 285 pages I received, […]
This story just keeps getting more entertaining. “HP targeted reporters before they published.” They tried to install spyware on target’s computers, as CNET reported in “HP Spying More Elaborate Than Reported.” They engaged in physical surveillance of targets, as reported by the Washington Post in “Extensive Spying Found At HP.” And the Post reports that […]
Last month, CSO Magazine ran an article “Avoid a Meltdown: Reacting to a Security Breach.” The article had some great advice on breach handling, however as usual, the magazine resorts to scare tactics in order to get its point across. It is articles like this that give CSOs a bad reputation for not understanding business […]
The Forum of Incident Response and Security Teams (FIRST) has put out a call for papers for its nineteenth annual conference. The theme for 2007 is “Private Lives and Corporate Risk: Digital Privacy – Hazards and Responsibilities”. Full details at: http://www.first.org/conference/2007/call_for_papers.html FIRST 19th Annual Conference, June 17 – 22, 2007, Melia Seville hotel, Seville, Spain […]
I talk about research and next steps, but what do I mean? We’re starting to see academics taking a serious look at the data sets we’ve accumulated here and at Attrition, and that’s awesome. I want to see more papers like: “Notification of Data Security Breaches,” by Paul M. Schwartz and Edward J. Janger, forthcoming […]
Me calendar tells me it be Talk Like a Pirate Day! Yarrr!
I asked recently “Is It Time To End the Breaches Category?” I think we, amongst others, have driven real change in expectations. Organizations outside the US, not compelled by any law, have chosen to notify customers. (Examples include a Bank of Montreal laptop, the Government of British Columbia, KDDI, a Japanese phone company, the Bank […]
Looking back to February of 2005, that companies routinely lose control of data entrusted to them was known mostly to security professionals and enthusiasts. Breaches were swept under the rug, and the scope and breadth of the problem was unknown. Thanks to Choicepoint’s dedication to bringing about public debate on the issue, the outstanding reporting […]
There’s a fascinating discussion of the intersection of cryptanalysis, specification and flexibility, all of it stemming from yet another SSL attack by Bleichenbacher. The best posts are over at Matasano: Many RSA Signatures May Be Forgeable In OpenSSL and Elsewhere Mozilla Falls to RSA Forgery Attack RSA Signature Forgery Explained (with Nate Lawson) – Part […]
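As an added illustration of my own (not code from the Matasano posts or from OpenSSL), here is the flaw and the forgery in pure Python: a deliberately lax PKCS#1 v1.5 verifier that locates the DigestInfo after the padding but never checks that it is the last thing in the block, next to a strict verifier that compares the whole encoded block, and a forger that needs only the public key with e = 3. The 1024-bit key, the SHA-1 DigestInfo (the hash in the original reports) and the message are constructed for the demo, and the toy Miller-Rabin key generator is an assumption standing in for a real library key.

```python
import hashlib
import random

# DER DigestInfo prefix for SHA-1, as used in PKCS#1 v1.5 signatures.
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")


def _is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin; adequate for a demo key, not for production use."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_key(bits=1024, e=3, seed=2006):
    """Constructed demo key (assumption: a real deployment uses a vetted library)."""
    rng = random.Random(seed)
    primes = []
    while len(primes) < 2:
        p = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if (p - 1) % e != 0 and _is_probable_prime(p, rng):
            primes.append(p)
    p, q = primes
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))


def _digest_info(msg):
    return SHA1_DIGESTINFO + hashlib.sha1(msg).digest()


def _block_len(n):
    return (n.bit_length() + 7) // 8


def sign(n, d, msg):
    k = _block_len(n)
    t = _digest_info(msg)
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return pow(int.from_bytes(em, "big"), d, n)


def verify_lax(n, e, msg, sig):
    """The flawed check: walks past 00 01 FF..FF 00, compares the DigestInfo,
    and ignores whatever follows it."""
    em = pow(sig, e, n).to_bytes(_block_len(n), "big")
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    t = _digest_info(msg)
    return em[i + 1:i + 1 + len(t)] == t   # trailing bytes are never examined


def verify_strict(n, e, msg, sig):
    """Correct check: the whole encoded block must match, byte for byte."""
    k = _block_len(n)
    em = pow(sig, e, n).to_bytes(k, "big")
    t = _digest_info(msg)
    if len(t) + 11 > k:
        return False
    return em == b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def _iroot_ceil(x, k):
    """Smallest s with s**k >= x (binary search on big integers)."""
    lo, hi = 0, 1 << ((x.bit_length() + k - 1) // k + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** k >= x:
            hi = mid
        else:
            lo = mid + 1
    return lo


def forge(n, e, msg):
    """Bleichenbacher's e = 3 forgery, no private key involved: put a minimal
    00 01 FF 00 || DigestInfo at the top of the block with zeros below it and take
    the integer cube root. Cubing the result overshoots only into the zero area,
    so the lax verifier sees the expected prefix and never looks further."""
    if e != 3:
        raise ValueError("this construction needs e = 3")
    k = _block_len(n)
    prefix = b"\x00\x01\xff\x00" + _digest_info(msg)
    target = int.from_bytes(prefix + b"\x00" * (k - len(prefix)), "big")
    return _iroot_ceil(target, e)
```

With a 128-byte block the cube root is about 2^339, so cubing it back disturbs at most the low 2^680 or so of the block while the zero area below the DigestInfo is 2^712 wide; that headroom is why the attack needs a small exponent and a large modulus relative to the digest. The fix in every affected implementation was the same as verify_strict above: rebuild the full expected block and compare all of it.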
Real construction sites were transformed into LEGO-like universes, simply by adding a few colorful containers shaped as overdimensional LEGO bricks. Sometimes the spew of marketing-driven designers irks me. “Transformed into Lego-like universes?” Please. It would be like security folks telling you we made your application/network/business secure. Via Guerrilla Innovation. I’d link more, but can’t find […]
Analysis shows that a small number of users have been impacted by this issue. Given the documented workaround, it may be addressed in a future service pack. Photo: Adam, the entrance to a Microsoft garage.
Ethan Leib blogs about being the victim of a fraudster: An individual in California posing as “Ethan Leib” (with phony ID to match) has been walking into branches of my bank across the state and taking all my money — despite a fraud alert on my accounts. They even stole thousands from my 6-week old […]
Metricon 1.0 papers and a remarkable digest are available at the security metrics web site. Dan Geer took extensive notes, and has turned them into a very useful document for those who weren’t able to make it.
In “Walt Disney World: The Government’s Tomorrowland?” Karen Harmel and Laura Spadanuta discuss how Disney has moved from finger geometry (to constrain ticket re-sale) to fingerprinting their customers. I think the most important bit about this is about the links between Disney and the government: Former Disney employees have filled some of the most sensitive […]
$50 Million Verdict for Violating Drivers’ Privacy in FL A Florida bank was required to pay $50 million in a class-action settlement resulting from violations of federal privacy law. Fidelity Federal Bank & Trust purchased 656,600 names and addresses from the Florida DMV for use in direct marketing. The purchase violated the Drivers Privacy Protection […]
Via Stupid Security, I learned of a gent whose T-shirt was deemed a security risk because it showed crossed pistols and could upset passengers. He was allowed to board the plane, but only after turning his shirt inside out. Good thing he wasn’t wearing a Zeppelin shirt. I guess Bush would be OK (ironic, given […]
It may seem hard to believe, but a nuclear-armed power has made peace with al-Qaeda. I know, with the Bush administration’s stunning competence, as demonstrated in the aftermath of Katrina, in keeping gas below a dollar a gallon, in containing Iraq while keeping North Korea from getting nuclear weapons, it’s hard to believe that they’d […]
See “Leak Scandal Costs HP’s Dunn Her Job.” [Update: It’s only her chairwoman job. Somehow the board members at HP don’t see action that leads to criminal investigation as all that bad. See Paul Kedrosky’s “HP Splits the Boardroom Baby,” which is an awful title for a great article. Solomon’s splitting of the baby was […]
If you’ve not been paying attention, HP’s Chairwoman hired private investigators who lied their way to the phone records of board members and journalists. HP then lied to the SEC about why Silicon Valley eminence Tom Perkins resigned from the board, and Mr. Perkins, being a standup guy, called them on it. If you haven’t […]
Eric Rescorla ties HP’s use of traffic analysis to that of the NSA in “I told you traffic analysis was useful.” Apparently, HP didn’t just chase down directors and reporters, but also the father of at least one journalist. See “HP Leak Investigation Extended Beyond Reporters, Directors.” (I say HP rather than HP’s investigators because […]
Pseudonymous contributor “DK”, of Josh Marshall’s blog expresses several worthy thoughts about national character with a brevity and nuance I envy: OK, I’ll admit to a bias here. I think the Netherlands is one of the best places on the planet. They have our entrepreneurial spirit, but with good taste. Like us, they have completely […]
It’s only with the understanding that privacy has many meanings that I can comprehend people on Facebook complaining about privacy. (People interested in this should read Alessandro Acquisti’s work.) That’s not what I wanted to post about. What I wanted to post about was the great way the CEO of Facebook took the wind out […]
The best posts I’m seeing are coming from Paul Kedrosky, who has posts like “Patricia Dunn Lectures on Corporate Governance,” and Playing Truth or Dare with HP’s Patricia Dunn” and Robert Scoble, with posts like “HP Story Keeps Getting Worse,” and “HP Has Major Ethical Problem, Day 2.” I’m using Scoble’s picture here. Don’t miss […]
So Chris’ post “Are they stupid, or just lying?” got me thinking. Chris was talking about the spectacle of the House voting to ban the sale of horsemeat. But he had this quote: Added Rep. Christopher Shays, R-Conn.: “The way a society treats its animals, particularly horses, speaks to the core values and morals of […]
The frequent loss of laptops and data disks by outside auditors in recent months has caused me to think about best practices for controlling auditors. The latest case involved the laptop of the auditor for Wells Fargo Bank. The laptop was stolen from the trunk of the auditor’s car and contained confidential information on bank employees. […]
On the recent House of Representatives vote to ban the slaughter of horses: “It is one of the most inhumane, brutal, shady practices going on in the U.S. today,” said Rep. John Sweeney, R-N.Y., a sponsor of the ban. Sweeney argued that the slaughter of horses is different from the slaughter of cattle and chickens […]
The Payment Card Industry Data Security Standard, version 1.1, has been released [pdf]. This was widely anticipated, and has been remarked upon here at EC. A noteworthy change is that stored card numbers needn’t be encrypted: Compensating Controls for Requirement 3.4 For companies unable to render cardholder data unreadable (for example, by encryption) due to technical […]
Bob Blakely used to be fond of saying that privacy is the ability to lie and get away with it. To have to hide one’s name is considered deeply shameful. But with sectarian violence surging, Iraqis fear that the name on an identification card, passport or other document could become an instant death sentence if […]
Nick Owen brings us the story of how passengers on a Paris-Mauritius flight are suing Air France, because Bonnie Tyler sang “Total Eclipse of the Heart.” (He also brings us the headline, and the closing thought, “I assumed that first class was always filled with song. If the first class can’t sing love ballads, then […]
Bob Dylan’s latest album debuts at number one on the US charts.
EWeek has the story: Window Snyder has joined Mozilla as Security Chief. Congratulations all around. PS: Just when Window and I were gonna live in the same city, again, too. Bugger. PPS: Apparently, it’s from Mike Schroepfer’s blog post.
Via David Lazarus, writing about yet another lost laptop, this one belonging to an outside auditor working for Wells Fargo: “The auditor had this information because we are required by the Internal Revenue Service to have our health plans audited by independent, qualified public accountants,” said Julia Tunis, a Wells spokeswoman. “The auditor is […]
…I’ll beat it out of you: President George W. Bush’s proposal for trying suspected terrorists captured overseas would allow the use of evidence obtained by coercion and let judges bar defendants from hearings where classified evidence is discussed, a Senate Republican aide who has been briefed on the plan said. Or, as Firesign Theatre put […]
The New York Times has an article, “Some ID Theft Is Not for Profit, but to Get a Job,” about immigrants using other people’s SSNs so they can get jobs, and the impact that this has (because of the databases that run our lives): “All that was happening was that the illegal alien who had […]
From this photoessay, it appears that the seal Diebold places on its electronic voting machines doesn’t do a darn thing. It is possible to remove the card from which the thing boots, and replace it with one of your choosing, leaving no trace — the seal itself remains unchanged. Elapsed time, a bit over four […]
So John Gruber, who has written quite a bit on the whole did-they-didn’t-they spat between Apple and Dave Maynor and Jon Ellch, offers up “An Open Challenge to David Maynor and Jon Ellch,” offering them a Macbook if they can root it. I’d like to mention something that hasn’t happened lately. By not happening, it […]
Or, the times, they are a-changin’: To a certain extent I admire this. It’s a way of making the physical object worth more than the digital download. But it can also be seen as yet another example of DRM. In this case, the DVD carries stronger DRM than the unprotected audio CD. The […]
In many cities, real estate agents have tried to restrict access to M.L.S. information or to limit its use on the database. Some have asked state legislatures to pass laws forcing brokers to offer certain levels of service, a move that Mr. Kelman [CEO of Redfin, an online brokerage] sees as intended to squeeze out […]
The Tom Sawyer kind, that is, known formally as Google Image Labeler: You’ll be randomly paired with a partner who’s online and using the feature. Over a 90-second period, you and your partner will be shown the same set of images and asked to provide as many labels as possible to describe each image you […]
Roger Cauvin has some really interesting points on “Requirements and Apple’s “Time Machine”:” CRUD requirements assume that users actually want to create, update, and delete information. But users don’t really want to create, update, and delete information. They want to access it to achieve some larger goal. Enabling the user to create, update, and delete […]
Various folks at Northwestern’s Medill School of Journalism have done some great work, which they call Data Dilemma: Privacy in an Age of Security. I was led to this by various stories about the US Department of Education feeding information on financial aid applicants to the DHS for five years without bothering to inform those […]
How can we resist blogging about Rudresh Mahanthappa’s latest album, as covered in “From Crypto to Jazz” at Wired News: To the uninitiated, modern jazz can sound like a secret language, full of unpredictable melodies and unexpected rhythms. For alto saxophonist Rudresh Mahanthappa, however, the idea of jazz as code is more than just a […]
A few weeks back, I corrected an error in a post about Choicepoint. Choicepoint also corrected an error, see “Job seeker loses opportunity after inaccurate background check” for details: “Well, first they said, ‘Something was wrong with your background check,’” she said. “I said, ‘What is wrong with it? What is wrong with my background […]
There’s been a great deal of talk around the London plot about the impact of the destruction of ten airliners. Senior US officials called it inconceivable. Now, destroying 10 planes might be murder on the scale of 9/11. It would certainly be shocking and despicable. I’d like to point out that the Iraqi people can […]
OK. Right off I am *not* advocating physical destruction of old recycled cell phones. This post (Mangle those hard drives!) at my primary security blog, ThreatChaos, got a lot of reactions when I suggested that physical destruction of hard drives was the best policy in lieu of a well managed data wiping process. That was […]
First, don’t miss the great series of posts on the “Excel 2007 Trust Center.” There’s some really good thought on security and usability in there. (While I’m at it, after two months of using ribbons, the idea of going back pains me. It really does. I had that “WTF did you do to my screen […]
“Is There Still a Terrorist Threat” asks Foreign Affairs. Bruce Schneier considers “What the Terrorists Want,” and also offers up a useful roundup of “Details on The British Terrorist Alert.” In that details space, Phil offers up thoughts on what a “Temporary Flight Restriction” meant to his travel. Meanwhile Kung-Fu Monkey asks “Wait, Aren’t You […]
I’ve come across some blogs I find interesting. Maybe others will, too. Statistical Modeling, Causal Inference, and Social Science Weblog of a Syrian Diplomat in America Decision Science News Social Science Data and Software (SSDS) Blog SecuritySauce (Marty “Snort” Roesch’s blog) Plus, a special bonus non-blog: UCSB’s Cylinder Preservation and Digitization Project
I have no idea whether outsiders or insiders are responsible for more losses, and while the topic is somewhat interesting, it seems to me to be something of a marketing-generated distraction. I’ve worked in environments where I am absolutely certain that insiders were the predominant threat, in environments where they probably were, and in environments […]
In North Dakota, the state agricultural commissioner, Roger Johnson, has proposed allowing () farming, and has been working with federal drug regulators on stringent regulations that would include fingerprinting farmers and requiring G.P.S. coordinates of () fields. “We’ve done our level best to convince them we’re not a bunch of wackos,” Mr. Johnson said. The […]
There have been two fatal air accidents this week, one in Ukraine in which 170 people died, and one in Kentucky, in which 50 people died. In neither case is terrorism being blamed as I write this. The safety engineering that makes air travel so safe is astounding. The primary activities, from pilot training to […]
WASHINGTON – Despite mounting public criticism of his administration’s handling of Iraq and the war on terror, 58 percent of voting machines approve of the way Bush is handling his job according to the latest poll by Shamby and Associates. This is in contrast to the 42% approval rating he has among human beings from […]
(or “The New York Times Gets Self-Referentially Ironic“) … he recognizes that plenty of people must think that rounding up friends and family members to go in on a thousand-dollar ham that he envisions hanging in his living room is crazy. But food lovers like him understand, he says. And in the end, the elaborate […]
Life in Somalia seems truly awful, and, like Hobbes, many are willing to turn to a very powerful government to fix it. See Ethan Zuckerman’s “Somalia Update,” which points to “The Path to Ruin” in the Economist.
At first I was afraid, I was petrified. I kept thinking I could never live without you by my side. But then I spent so many nights thinking how you did me wrong. I grew strong. Via Accordion Guy.
In posting yesterday about Debix, I should have disclosed that I have personal and financial relationships with the company. In addition, I was one of the 54 people in the test, and my fraud alerts did not set properly. I should have disclosed that as well. I apologize for the oversight. My thanks to Mr. […]
So over at the “ID Space,” jdancu (who I assume is John) writes some responses to questions I posted to Kim Cameron’s blog. The article is “Knowledge Verification In Practice…” Kim also has a response, “Law of Minimal Disclosure or Norlin’s Maxim?” Since this is part of a continuing conversation, let me summarize by stating […]
Now that ISS has been purchased by IBM? Or is consolidation not really happening?
[Update 3: I should have disclosed affiliations with Debix in this post. See “Mea Maxima Culpa.”] Debix is reporting that 40% of fraud alerts don’t propagate between all three major credit agencies. You remember those fraud alerts? They’re supposed to protect you from identity theft, right? Well, let me let you in on a secret. […]
When I started blogging, I wanted to say one interesting and insightful thing per day. I still do, and so say several things in the hopes that one of them is interesting. Nick Szabo, on the other hand, has apparently been storing them up, and is on a roll lately: “Book consciousness,” on the effects […]
“Unattended children will be given an espresso and a free puppy.” (via Asteroid.)
Ryanair is decidedly nonplussed by the UK security theater, and is threatening to sue. (Via Boingboing.) Remember, emptying the planes not only hurts the airlines; when it pushes people to drive instead of fly, it kills people. Not in as newsworthy a fashion, but more people die driving than flying.
I just got a response from North Carolina to my freedom of information request, asking for records pertaining to security breaches resulting in the exposure of personal information. North Carolina requires that such breaches be reported centrally. The data were sent in printed form, in a table obviously derived from a spreadsheet. I hope to […]
AOL’s CTO has “decided to leave” the company, “effective immediately”, according to an email message sent to remaining employees by CEO Jon Miller. Additionally, CNet news reports that the researcher who posted the data, and the researcher’s supervisor (a direct report of ex-CTO Maureen Govern) have been fired.
Dave Weinberger absolutely nails why I worry about the whole Identity 2.0 plan, in “Anonymity as the default, and why digital ID should be a solution, not a platform.” If you know what Identity 2.0 means, you owe it to yourself to read this post. If you build Identity 2.0 platforms/solutions/best-of-breeds, you owe it to […]
Last night, passengers on a Malaga-Manchester flight misbehaved until the airline took two “Asian” men off the flight. See “Mutiny as passengers refuse to fly until Asians are removed” in the Daily Mail. For me, this raises a number of questions, in no particular order: Why weren’t the unruly passengers arrested? Who was forcing them […]
Don’t miss the picture that Jerry Fishenden paints in “biometrics: enabling guilty men to go free? Further adventures from the law of unintended consequences:” Outside, armed policemen, guard dogs and riot barriers prevent the curious crowds pushing too close. On the office rooftops – police marksmen. In the Victorian drains below the courtroom – boiler-suited […]
While we’re celebrating, let me tip the hat to three new bloggers: Mary Ann Davidson has a blog, confusingly headlined “Sandra Vaz Blog (en Portuguese!)” I suspect it’s a template issue, but then again, I’ve seen Mary Ann with–oh, I shouldn’t tell you what she put on her name badge at the Exec Women’s Forum […]
Emergent Chaos was launched two years ago today. My very first post was “Why Did Google Pop.” I could go through and talk about my favorite posts, but I’m more interested in your favorites. In the 2 years of operation, we’ve averaged just over 2.5 posts per day, and I think we’ve only been silent […]
Kip Esquire has a blog post about liabilities and restatements and product liabilities with an interesting twist for the capture-everything crowd: As for the costs of warning: How geographically diverse are the customers? How easy or difficult would it be to communicate the warning — would a press release be sufficient? Is the product likely […]
“Why’s Everybody Pissed at Consumer Reports?” and “Thoughts About OpenOffice” are both great posts.
The Permanent Injunction of the TSP requested by Plaintiffs is granted inasmuch as each of the factors required to be met to sustain such an injunction have undisputedly been met. The irreparable injury necessary to warrant injunctive relief is clear, as the First and Fourth Amendment rights of Plaintiffs are violated by the TSP. See […]
Or not. The BBC reports that “10,000 bags misplaced at airports,” and a “Boy boards [a] plane without tickets (sic).” Meanwhile, here at home, we have a program that engages in behavioral profiling in some airports. How effective is it? The New York Times reports in “Faces, Too, Are Searched at U.S. Airports:” In nine […]
Voyager 1 has passed 100 AU. It’s a stunning feat of engineering. (Story via Slashdot.)
I wasn’t going to join the debate on relative merits of Dave Maynor/Johnny Cache’s disclosure of vulnerabilities in device drivers at Black Hat 2006, but Bruce Schneier’s post calling it Faux Disclosure, has annoyed me enough that I feel obliged to comment now. In particular he says: Full disclosure is the only thing that forces […]
In London, and apparently some other parts of Europe, you can no longer bring electronics on board, including laptops, which are this here Jazz Combo’s instruments of choice. It’s much worse for actual musicians, many of whom have antique and irreplaceable instruments which they usually carry on board. The NY Times reports in “Tighter Security […]
Paul Saffo provides the picture. (Via Dave Farber’s IP list.)
Via the SacBee: WASHINGTON (AP) – FEMA will replace locks on as many as 118,000 trailers used by Gulf Coast hurricane victims after discovering the same key could open many of the mobile homes. One locksmith cut only 50 different kinds of keys for the trailers sold to FEMA, officials said Monday. The article continues: […]
In response to “Choicepoint Spins off Three Businesses,” Choicepoint spokesperson Matt Furman sent the following: It is factually incorrect to describe ChoicePoint or its subsidiary, Bode Technology Group, as attempting to “amass a DNA database.” Bode’s clients are almost entirely government laboratories that are trying to solve crimes and identify victims as well as felony […]
As the shock and awe wears away, we learn more about what happened and why. Perhaps this plot was not about to go operational, as MSNBC reports that “U.S., U.K. at odds over timing of arrests.” Meanwhile, after years of debate over warrantless surveillance, the Washington Post reports that a “Tip Followed ’05 Attacks on […]
Amazing Circles is a photoset on Flickr. This is #2 in the series, “Cornflower Circle.” If you’re curious, there’s instructions on “How to create amazing circles.”
I have to fly (from PDX to MDW) Sunday AM. Anybody flown domestically who can tell me what the real-world impact of the new rules has been in terms of delays at security? As Lloyd Bridges might say, “I picked the wrong four days to go on vacation”. Updated: Lloyd, not Leslie. Thanks, Asteroid.
Over at the CSO blog “Brand Loyalty Hinges On Security,” we learn that: In 2005, more than 52 million account records were reportedly stolen or misplaced, according to a study by CMO Council and Opinion Research. … “Security is what I call the 800-pound gorilla of reputation,” Jeffrey Resnick, EVP and global managing director of […]
Over at the Open Source Vulnerability Database blog, we learn that Ryan Russell has won the “Oldest Vulnerability Contest.” It is in the interests of science that I ask how Mr. Russell was able to come from behind like this. And much as I like and respect Mr. Russell, it’s quite a last minute leap […]
I’m glad to hear that they caught a set of people with real plans and capabilities to carry out an act of mass murder. Too many of the recent groups arrested have fit better into the “round up some suspects” line of thinking. I don’t have a lot to add to FDR’s fine words, but […]
I am beyond words, I’ll let others say it for me. [Via: Bruce Schneier]
My co-worker Mike Howard has a really good article on “A Process for Performing Security Code Reviews” in IEEE Security & Privacy. It’s chock full of useful advice.
Is that enough acronyms yet? In Adam’s previous post, Justin Mason commented: There’s another danger of this — even if the number is an opaque ID, the *presence* of the RFID chip means that an attacker can remotely detect the presence of an I-94, therefore a foreign passport, therefore a tourist ripe for a mugging […]
So two stories came out recently, and they’re connected by a thread, which is the assignment of identifiers. The first was in Government Computer News, “IG: U.S. Visit RFID needs better security controls,” which opens: The RFID on the Form I-94s was designed with privacy protections, the inspector general said. Specifically, the RFID tag, which […]
EKR is the voice of reason when he points out that of course RFID passports are clonable, responding to all the press brouhaha about Lukas Grunwald’s demonstration at Black Hat showing that an RFID passport can be duplicated using off the shelf parts. This outcome is hardly surprising; this is yet another side […]
Most readers will have read by now of America Online publicly releasing a large sample of search records. From the README supplied with the data: The data set includes {AnonID, Query, QueryTime, ItemRank, ClickURL}. AnonID – an anonymous user ID number. Query – the query issued by the user, case shifted with most punctuation removed. […]
Sorry about the downtime. The fine folks who host this blog for us have been having hardware troubles. They’re swapping components around, and we hope it all heals up soon. Photo: Waiting to Breathe, from Stock.xchng.
In “Legislating Virtue,” Phill takes me to task for being unclear in “So, this, ummm, friend of mine, umm has a problem with security.” That’s fair. I’ve been saying similar things a lot, and I forget that I need to back up and frame it from time to time. Phill spends a lot of his […]
Whadda ya mean, you won’t pre-fill the bathtub with jello? (Actually, I stayed at the San Remo for Defcon last year. It was a long walk, but walkable, to the Alexis Park, and it was a great little dive hotel. I did find the rent-a-cops roughing up the vagrant a little disturbing. Maybe now they […]
Thanks for understanding that after a day and a half hiking through Garibaldi Provincial Park, all I want is a quiet room that doesn’t cost an arm and a leg, and a shower. At first I shuddered at having a room between the elevators and the ice machine, but it was quiet as a tomb. […]
Well, yeah. Of course. The perfect storm for a new wave of attacks: 1. New protocol catching on fast that involves completely trusting clients. 2. Insecure servers maintained by inexperienced sys-admins. 3. A vulnerable RSS reader tied directly to the OS. (Can you say IE7.0?) A report out of SPI Dynamics at BlackHat this week: Attackers […]
There’s a feeling you get when you watch a formulaic movie. After seeing a half-hour’s worth, you just know how it will end. You can see the decision points characters reach, and you know they’ll make the bad choice. Indeed, the very predictability of such films is what allows hilarious parodies such as Airplane! or […]
Please stop sucking. For $250 a night, give me a shower which doesn’t fluctuate in temperature and pressure. Give me a door which keeps out hallway noise and light. Don’t have your cleaning staff re-arrange my things so your things (like the room-service menu) can take up space on the desk I rented from you. […]
A £40,000 teddy bear formerly owned by Elvis Presley was destroyed when a guard dog which was supposed to protect it went on the rampage. “Dog chews its way through Elvis’ £40,000 teddy.” Photo, “Elvis With Teddy Bear” is not the bear that was destroyed, but is a better picture. Thanks Nicko!
Not that it needed clarification. RFID passports have been a boondoggle without a purpose for a long time. It’s been clear that they make us less secure. Now it turns out they can be easily cloned: A German computer security consultant has shown that he can clone the electronic passports that the United States and other […]
Yesterday at Metricon, Gunnar Peterson felt a need to mock me over not blogging from the conference. I really enjoyed Metricon. There was a lot of good discussion, and because Dan Geer took extensive notes, I didn’t have to. I was able to pay attention and consider the talks as I heard them. Gunnar, however, […]
See “Mac OS X Server Firewall Serial Hole:” …What they haven’t noticed yet is Mac OS X Server 10.4 overrides an explicit administrator firewall security setting to keep its copy protection functional. OSXS 10.4’s “Server Admin” lists “Serial Number Support” on UDP port 626 under its firewall pane, with an option to turn it off. […]
In a comment on “Drowning In Notices,” Phill Hallam-Baker writes: My concern was that if the warning notices become too familiar they lose their impact. It might not just be the case people get blase about seeing them, they might lose their embarrassment in sending them. I don’t think people should be more embarrassed about […]
In “More Thoughts On Blogging,” Richard wrote about the upsides and downsides: The upside, there’s great information, the downside, there’s more to sift through. It feels to me, before I run to Metricon, that that’s exactly the value: The filters are in everyone’s hands. You do have to look at more, but in doing so, […]
Thanks for the kind introduction Adam. This has been an interesting summer as I reach out to various security bloggers. I hope my “Meet The Bloggers” podcast series will help people to get to know the various “personalities” out there. We are an interesting bunch. The one question I have for everyone, bloggers and blog […]
Brad Stone has a great article in Wired about his car being stolen and the insurance company insisting that he must be lying because he still had all of his fancy RFID enabled keys. This assumption that the security system is perfect is going to continue to bite consumers especially as banks move to two-factor […]
So this week I’m off to Metricon and Usenix Security. Many of my co-workers are off (to present an entire track) at Blackhat. What I find really interesting is that there are these two separate streams of security research, one academic and one hacker, in the most positive sense of the word. Both have produced […]
I’m pleased to introduce the Jazz Combo’s first actual rocket scientist guest blogger, Richard Stiennon. Before founding IT Harvest, a startup dedicated to re-inventing IT research, Richard worked at Gartner and PricewaterhouseCoopers. He usually blogs at Threat Chaos, and was kind enough to feature Chris and me as his first podcast, in Meet The Security […]
In “Access controlled by a password,” Phillip Hallam-Baker writes: It probably makes sense to have an exception of this type in the first instance when the law is enacted. Otherwise we may well drown in privacy disclosure notices. I must say, I don’t get this objection. Does it apply to any other bit of information […]
Over at Matasano, Tom Ptacek skewers the new CERT Secure Programming Standard by asking: Do We Need an ISO Secure Coding Standard?. The entire article is well worth reading, but it sums up nicely with this: There are already a myriad of good sources of information about secure programming, including books targeted specifically to developers […]
Indiana’s breach notification law went into effect on July 1, 2006. An excerpt relevant to the “lost laptop” phenomenon: Sec. 2. (a) As used in this chapter, “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a state or local […]
A federal Department of Homeland Security agent passed along information about student protests against military recruiters at UC Berkeley and UC Santa Cruz, landing the demonstrations on a database tracking foreign terrorism, according to government documents released Tuesday. From San Francisco Chronicle, “Terror database tracks UC protests U.S. agent reported on ’05 rallies against military […]
‘The Australian’ has a great story on “Focus key to crack money-laundering.” It’s focused on the testimony of a British expert on “money laundering” and includes: Last year, British banks, accountants and lawyers made some 200,000 reports to the authorities. But in the three years since Britain’s law was implemented, there had been only one […]
So there’s a post over at F-Secure’s blog: There’s a growing trend here. We’ve been saying for some time that the lack of large virus outbreaks is evidence that the malware environment could be getting worse, not better. The bad guys want to make money – not make attention. So as a malware author, if […]
Eric Rescorla writes: Koblitz and Menezes are at it again. Back in 2004, they published Another Look at “Provable Security” arguing that the reduction proofs that are de rigueur for new cryptosystems don’t add much security value. (See here for a summary.) Last week, K&M returned to the topic with Another Look at “Provable Security” […]
The air marshals, whose identities are being concealed, told 7NEWS that they’re required to submit at least one report a month. If they don’t, there’s no raise, no bonus, no awards and no special assignments. Even better, the people who are “suspicious” are put into secret databases with no way to find out why their […]
Via America’s Finest News Source: Postmaster General Loses Laptop; Zip-Code Data Of Millions At Risk July 25, 2006 | Issue 42•30 WASHINGTON, DC—The U.S. Postal Service has confirmed that a laptop computer issued to Postmaster General John Potter and containing the zip-code information of over 280 million Americans was allegedly left in a taxicab Monday […]
As mentioned by Ben Laurie, Simon Davies, the Director of Privacy International, was quoted in IT Week’s Will industry rescue the identity card? as saying: “I’ve believed for some months that a ‘white knight’ consortium from industry is needed,” Davies said. “Companies that can see the benefits of the ID card idea should approach the […]
In “I Smell a Movement,” Chris talks about the City-sec movement, of security people getting together for beer, and about groups like ISSA. So the question I’d like to ask is why do these groups keep emerging so chaotically? Why can’t the extant groups, usually formed for the same reasons, succeed? I think there are […]
There are about twenty good posts talking about the Symposium on Usable Security and Privacy (SOUPS) over at Ka-Ping Yee’s Usable Security blog. If you’re reading this in the archives, start here and go forward, or here and go back. Some favorites: How will the scourge really be killed? (Panel) Decision Strategies and Susceptibility to […]
(Via Caspar and Nicko.) I hesitated before posting this. I’m pretty sure it’s a Dr. Fun cartoon, but the jerks in “my confined space” have obscured the signature. I try hard to attribute all the images I use here. I’ve given credit to Galerie which we use to produce the frames. (They even added a […]
A reader who wants to remain anonymous points us to “Another CAPTCHA — But I failed (partly)” and “http://hotcaptcha.com/:” I cracked up when I saw this. It uses “the hotornot API” (Web 2.0 is getting out of hand!) to offer up pictures of nine women (or men) and asks you to prove you’re human by […]
Check out Bugle, a collection of Google searches that look for known general classes of vulnerabilities in source code, such as buffer overflows and format string issues. The list is far from complete and is no replacement for real static analysis, but it should get you a lot of low hanging fruit. [Via FIRST News.]
No, not that kind, silly. I just read over at Bejtlich’s blog, that he has decided to start NoVA Sec, having been inspired by Chisec, which was begun by Matasano honcho Thomas Ptacek. ChiSec is fun, and has been rapidly imitated by other Matasano folks, yielding Seasec and NYsec (I’m hoping it will go next […]
[Via: Yahoo News]
Wiedmaier over at Flickr, has a series of the “seven deadly sins” shot with gummy bears. Who knew sinning could be so cavity forming? Aside from gluttony of course. [via Slashfood]
Check out Benjamin Sternke’s “Church 2.0: Emergence/Chaos theory.” It’s an interesting examination of how churches need to evolve to respond to a different type of parishioner: Church 2.0 will leave room for the Holy Spirit in its planning and structuring and strategizing. She’ll leave room for happy accidents to emerge. She’ll be patient with chaos, […]
Today, in 1969, Neil Armstrong walked on the moon.
So in the “Code Review Guidelines” which I wrote a long time back, I quote a bit of code by Peter Gutmann, on how to open a file securely. Last week, Ilja van Sprundel got in touch with me, and said that the lstat/open/fstat chain is insecure, because you can recycle inodes by creating a […]
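The post above describes the lstat/open/fstat pattern and the objection to it; the excerpt is cut off before the fix. What follows is an added example, not code from the Code Review Guidelines or from Gutmann or van Sprundel. It shows the race-prone chain next to a version that does no pre-open checking at all and instead relies on O_NOFOLLOW (atomic with the open) plus fstat() on the descriptor actually held, so there is nothing for an attacker to swap between check and use. The fixture directory, file names, and the nlink == 1 policy are assumptions for the demo; the code assumes Linux or another POSIX system that returns ELOOP from open(O_NOFOLLOW) on a symlink.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the post refers to: lstat() the path, open() it, fstat()
 * the descriptor, and refuse the file if dev/ino differ. The window
 * between lstat() and open() is the problem: an attacker who can delete
 * and recreate entries in that directory can unlink the file (freeing its
 * inode), create a new file that gets the same inode number back, and
 * point a symlink at it. fstat() then reports the same dev/ino that
 * lstat() saw, and the comparison passes. */
int open_checked_racy(const char *path) {
    struct stat pre, post;
    if (lstat(path, &pre) != 0) return -1;
    if (!S_ISREG(pre.st_mode)) { errno = EINVAL; return -1; }
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (fstat(fd, &post) != 0 ||
        pre.st_dev != post.st_dev || pre.st_ino != post.st_ino) {
        close(fd); errno = EINVAL; return -1;
    }
    return fd;
}

/* Hardened version: no check before the open. O_NOFOLLOW makes the kernel
 * refuse a symlink at the final path component as part of the open itself
 * (open() fails with ELOOP), and O_CLOEXEC stops the descriptor leaking to
 * child processes. The only metadata consulted is fstat() on the
 * descriptor we already hold. Rejecting st_nlink != 1 is a policy choice
 * (assumed here) that refuses files with hard links from elsewhere. */
int open_checked(const char *path) {
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd); errno = EINVAL; return -1;
    }
    return fd;
}

/* Constructed fixture: a regular file and a symlink to it under a
 * mkdtemp() directory. Returns 1 if open_checked() accepts the regular
 * file and refuses the symlink with ELOOP, 0 otherwise. */
int demo_symlink_rejected(void) {
    char dir[] = "/tmp/safeopen-XXXXXX";
    if (mkdtemp(dir) == NULL) return 0;
    char file[PATH_MAX], link[PATH_MAX];
    snprintf(file, sizeof file, "%s/data", dir);
    snprintf(link, sizeof link, "%s/link", dir);
    int ok = 0;
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) {
        close(fd);
        if (symlink(file, link) == 0) {
            int a = open_checked(file);
            int b = open_checked(link);
            int berr = errno;
            ok = (a >= 0) && (b < 0) && (berr == ELOOP);
            if (a >= 0) close(a);
            unlink(link);
        }
        unlink(file);
    }
    rmdir(dir);
    return ok;
}

int main(void) {
    printf("symlink rejected, regular file accepted: %s\n",
           demo_symlink_rejected() ? "yes" : "no");
    return 0;
}
```

The racy version is kept only for comparison; it does reject a symlink that is present at lstat() time, which is why the attack needs the swap to happen after lstat() and before open(). The hardened version never looks at the path twice, so the inode-recycling trick has nothing to race against.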
Press release describes a FOIA request seeking info on governmental surveillance of Fedwire, among other programs. This would be troubling. It is difficult to overstate the extent to which the Federal Reserve System values its reputation for ethical behavior and fair play. A reputation, I might add, that based on my observations it deserves.
Because Emergent Chaos cares about your privacy, we employ industry standard measures to protect the security of our site, and convince you to provide us with personal data we don’t need, which we shall carelessly sling around. Our compliance is monitored by Ernst and Young, we ship backups via UPS to Iron Mountain, and our […]
Cruising through my blogroll this morning over the morning coffee, I came across an article from BeyondSecurity, which walks through a forensics analysis of an on going security incident. This is a good read and it’s great to see folks in the industry talking about what they actually do and how they do it. Thanks […]
I’m looking for a service that will give me a US phone number capable of accepting SMS messages, and forwarding those messages to an email account. I’m happy to pay for the service, but my searches have come up blank. I don’t want a service where the user has to add the destination email manually. […]
Like everyone, there comes a time in every CSO’s career where they need to look for a new job. I’ve reached that point in my career and in looking around, I’ve run into several challenges. The first problem I’ve found is that there are a lot of different titles for the person who owns all […]
From North Carolina’s breach notification law, which took effect on December 1, 2005: (f) In the event a business provides notice to more than 1,000 persons at one time pursuant to this section, the business shall notify, without unreasonable delay, the Consumer Protection Division of the Attorney General’s Office and all consumer reporting agencies that […]
From their press release: ALPHARETTA, Ga., July 10 /PRNewswire-FirstCall/ — ChoicePoint (NYSE: CPS – News) today announced its intent to divest various businesses resulting from its company-wide strategic review. The previously disclosed review process resulted in the company adopting a new strategic focus on helping customers manage economic or physical risks, as well as the […]
Following up on a problem I mentioned long ago, (“Ranum on the Root of the Problem“) that gcc’s -Wall doesn’t actually run all the analysis it could. Apple has a great page “Improving Your Software With Xcode and Static Analysis Techniques” (I believe that this is a mirror of that page, see section 5) that […]
Reading Arthur’s “What Me Data Share?” and Chris’ “CSI/FBI Survey considered harmful,” I realized that what they’re discussing may not be common knowledge. I also realized that my posts about how valuable disclosure laws are assumed that everyone knows what Chris and Arthur said, and that ain’t so. The lack of information sharing that plagues […]
I completely have to support Chris in his analysis of the latest CSI/FBI Survey. He sums it up nicely with: “there is no reason to give this survey any credence.” The survey, does an excellent job of highlighting a general problem within the security industry, the sharing of data. If we’re to make real progress […]
The latest 2006 CSI-FBI Computer Crime and Security Survey has been released. Already, it is making waves, as it does each year. I want to simply state that there is no reason to give this survey any credence. The survey instrument is sent only to CSI members. This time, it was sent to 5,000 of […]
Barry Ritholz, an NYC hedge fund manager, blogs about a WSJ story. The gist: On Sept. 21, 2001, rescuers dug through the smoldering remains of the World Trade Center. Across town, families buried two firefighters found a week earlier. At Fort Drum, on the edge of New York’s Adirondacks, soldiers readied for deployment halfway across […]
So I've been too busy to blog the Specter bill, but the quality of analysis that's been applied to Specter's "Judicial Review for Spying On Americans" bill has been really astounding. Early reports in (say) the Washington Post were really positive, saying that the bill was quite a positive development. Then legal bloggers got […]
Shoelaces got you down? Constantly tripping over your own laces? Your bows off kilter? Everything you could possibly want to know about shoelaces, courtesy of Ian’s Shoelace Site.
According to Charlie Paglee, Skype has been cracked, and a compatible client implemented. This promises to have wide ramifications, about which Charlie writes at length.
I have two boxes. Each has some positive amount of money in it, but I will give you no information about the possible dollar amounts other than the fact that one box has exactly twice the amount of money in it as the other. You randomly select one of the two boxes, open it, and […]
This week marks the first installment of a series of podcasts I am producing called “Meet The Security Bloggers”. I asked Adam Shostack and Chris Walsh to be the guinea pigs for the first one and it turned out really well. These guys write for EmergentChaos, a blog that Adam started. When he got it […]
…to the United States’ Freedom of Information Act, a national law signed on July 4, 1966, by a reluctant Lyndon Johnson, after having been championed by U.S. Representative John Moss.
Vystar Credit Union was hit by “hackers”, who obtained personal info on 10% or so of their 334,000 customers. The information included “names, addresses, social security numbers, birth dates, mothers’ maiden names and e-mail addresses”, according to Jacksonville.com. Credit union CEO Terry West took a rather old school approach: West said the company noticed the […]
Houston police and the federal Transportation Security Administration disagree over who is responsible for allowing a man with what appeared to be bomb components board an aircraft at Hobby Airport last week. Although the FBI eventually cleared the man of wrongdoing, police officials have transferred the officer involved and are investigating the incident while insisting […]
Here’s news of a breach that (I presume) involved no PII, but which could be significant. I wrote about a previous Debian breach back in December, 2003. I hadn’t realized it had been so long! Update: Local vuln used to elevate privs. Local access gained due to weak developer password. Details here.
"The Plot to Hijack Your Computer" in Business Week lays out some of the history of "Direct Revenue," a spyware company whose products are so beloved of their customers that DR receives regular death threats. Cryptome presents an excerpt from a complaint in a lawsuit against AT&T, claiming that "NSA/AT&T Spying Began 8 Months before […]
Syd Barrett has died.
Via Charlie Stross we learn that the Sunday Times reports, “ID cards doomed, say officials:” TONY BLAIR’S flagship identity cards scheme is set to fail and may not be introduced for a generation, according to leaked Whitehall e-mails from the senior officials responsible for the multi-billion-pound project. … [Peter Smith, acting commercial director at the […]
Ian Goldberg likes to state Kerckhoffs’ principle as “The security of a system shouldn’t rely on anything that’s hard to change.” So it is with deep amusement that I report on what’s probably one of the hardest to change systems out there. And I do mean out there: 23,222 km out there. Let me back […]
Nothing says “prepared for power outages” at your summer parties like a human powered blender, so you can crush that all ice into frothy goodness before it melts. And thanks to the wonders of capitalism, now you don’t have to build your own. (Forgot to mention..click the picture to go to their site.)
People whine about Sarbanes-Oxley as if it were government accountants with a sense of neither humor nor proportion watching everything an executive does, 24/7. Thing is, much of the actual regulation is courtesy of the Public Company Accounting Oversight Board, a private corporation. My hat is off to the accounting profession, which successfully met an […]
The Department of Defense monitored e-mail messages from college students who were planning protests against the war in Iraq and against the military’s “don’t ask, don’t tell” policy against gay and lesbian members of the armed forces, according to surveillance reports released last month. While the department had previously acknowledged monitoring protests on campuses as […]
Another new measure: ChoicePoint this month created a security advisory committee comprised of DiBattiste, the company’s CIO, head of internal audit, the chief business officer, chief marketing officer, chief administrative officer and general counsel. The group meets regularly “to ensure we’re hitting every aspect of security and privacy,” says DiBattiste. “One of the lessons we […]
Over at Concurring Opinions, Dan Filler asks a question that a lot of people are asking: We have seen several stories, recently, about lost or stolen laptops containing troves of private data. These incidents do introduce a risk that the data will be converted to improper uses – most obviously identity fraud – but I […]
Regarding the theft of Coca Cola intellectual property and its attempted sale to arch-rival Pepsico, we learn PepsiCo was offered a new product sample and confidential documents in May, in a letter from someone calling himself ‘Dirk’. But instead of taking the bait it tipped off Coca-Cola, which brought in the FBI. […] Coca-Cola’s chairman […]
At WEIS last week, Allan Friedman presented “Is There a Cost to Privacy Breaches? An Event Study.” The study looked at the effect of a privacy breach on stock value, and roughly concluded that it doesn’t do any harm to the shareholders after a few days. Tom Espiner of ZDNet has an article that explains […]
Over at Security Incite, Mike Rothman discusses the recovery of the VA laptop: In other good news, they found the missing VA laptop, evidently with all the data intact. That really is great news, but I guess we’ll never get to test Adam Shostack’s contention (link here) that identity thieves could get to all 26 […]
On the plane home from England, I watched V for Vendetta. (If you haven't seen it, the basic story is that terror attacks turn England into a police state, and a masked freedom fighter terrorist blows things up and kills people and makes it all better. Oh, he plays with Natalie Portman's head, too. […]
In CONGRESS, July 4, 1776 The unanimous Declaration of the thirteen united States of America, When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which […]
…but my internet tube was flooded. If you want to know what the heck that means, the good folks at 27B Stroke 6 (easily the best blog name I’ve seen this year), provide the details. The short and sweet is that U.S. senator Ted Stevens ain’t exactly Vint Cerf: I just the other day got, […]
Following up on Friday’s internet innovation post, I’d like to clarify a few things: First, net neutrality is about regulating a set of regulated monopolies, whose services and profits are protected by the state against new entrants. The regulatory apparatus has fairly clearly been captured by the regulated. The discussion about larger packets misses the […]
Maybe IBM does have a sense of humor. “Knock it off, Napoleon! Just make yourself a dang quesa-dilluh!”. This phrase, from the movie Napoleon Dynamite, is the cipher key IBM are using to publish encrypted XML at this year’s Wimbledon grand slam. But is this a rather glaring lapse in security, or simply an anticipatory […]
Dan Kaminsky has a good essay on internet isolationism, which is his name for the opposite of net neutrality. It starts: Oh, sure, there’s UPS and DHL and the US Postal Service. But imagine if they were all proposing that, because people make money based on the contents of packages other people shipped, that they […]
This is really cool: “Email Thread Visualization” via infoesthetics.
Later today at the Privacy Enhancing Technologies workshop, Richard Clayton will be presenting a talk on "Ignoring the Great Firewall of China." I'll be the 'session chair' for the session, which usually means I make sure the speaker is in the room, has some slides on a computer, and knows how much time they […]
The press release you won't see. For Immediate Release CATAWBA COUNTY SCHOOL SYSTEM, June 26 — The Catawba County Public School System (NC) announced today that district web site administrators have remedied a configuration error which accidentally resulted in the social security numbers and names of several hundred students being made available via the popular […]
I’m very pleased to announce that I’ve accepted a position with Microsoft. I’ll talk in a bit about the work I’ll be doing, but before I do, I’d like to talk a bit about the journey that’s brought me here, and the change I’ve seen in Microsoft that makes me feel really good about this […]
There’s a number of good comments on “Risk Appetite or Volatility Appetite,” and I’d like to respond to two of the themes. The first is “risk appetite is an industry-standard term.” I don’t dispute this. I do question if I should care. On the one hand, terms that an industry picks up and uses tend […]
This week’s roundup is large. Rather than push other newish posts off the bottom of most people’s screens, it has been deemed preferable to prepend this introductory paragraph, at the bottom of which readers may elect to see more.
Over at the Counterterrorism Blog, Dennis Lormel writes “Initial Comments about Terrorist Financing and “The One Percent Doctrine”” and “U.S. Government Terrorist Financing Initiative Involving SWIFT:” …I was in the FBI in a leadership role responsible for terrorist financing. Immediately after 9/11, we realized we had to develop financial investigative methodologies different than anything we […]
Concerning a school district which misconfigured its web server and wound up posting student social security numbers for all — including Google’s spiders — to see, Gartner’s Avivah Litan weighs in: They say the Internet is free and open, and you can’t stop them,” Litan said. “But they ought to scrutinize some of the content […]
The United States Treasury Department has had secret access to records maintained as part of the SWIFT system, which it has been using secretly for years to identify financial ties to terrorist entities. The Washington Post has more.
Although the federal government and local law enforcement agencies nationwide use private data brokers, the FBI said that practices used by these companies to gather private phone records without warrants or subpoenas is illegal, according to an Associated Press article on Chron.com. A senior FBI lawyer, Elaine N. Lammert, told lawmakers the bureau was still […]
It’s easy to put presentations on the web, just like it’s easy to create them. Neither is easy to do well. I’d like to talk not only about good slide creation, but how to distribute a presentation in a useful way. It’s not easy to create good presentations, even when you have good content. Simson […]
June 26-July 1, I'll be at the Workshop on Economics of Information Security, and then Privacy Enhancing Technologies next week. Mindless ranting on the blog will be replaced by mindless ranting over beer.
Over at “Not Bad For A Cubicle,” Thurston (who is always worth reading) manages to tickle a pet-peeve of mine in “A super-size risk appetite?” No rational business has a risk appetite. They accept risk. They may even buy risk in fairly explicit ways (some financial derivatives) if they think that those risks are mis-priced […]
Over at the ncircle blog, Mike Murray* takes me to task for advocating transparency, and argues for “Responsibility and Disclosure.” His argument is solid: We’ve had a “responsible disclosure” debate in the vulnerability research community for a whole lot of years – the point is simply that, while disclosure forces everyone to be responsible, sometimes, […]
The Associated Press pushed a story to the wires about the Data Surveillance workshop which I’d mentioned a while back: As new disclosures mount about government surveillance programs, computer science researchers hope to wade into the fray by enabling data mining that also protects individual privacy. Largely by employing the head-spinning principles of cryptography, the […]
Is something a little off balance when we background check people trying to learn about computer security, but not chemists or nucular physicists?
I never knew they did such things.
Andrew Jaquith has posted the Metricon Agenda. We had a lot of good papers, and couldn’t accept them all. (We’ll provide, umm, numbers, at the workshop.) If you’ve submitted a paper, you should have heard back by now. Thanks to all the submitters, and we look forward to seeing you at the workshop.
I’m deeply in favor of holidays which celebrate freedom. We need more of them. Juneteenth, also known as Freedom Day or Emancipation Day, is an annual holiday in the United States. Celebrated on June 19, it commemorates the announcement of the abolition of slavery in Texas. The holiday originated in Galveston, Texas; for more than […]
To protect the rights of the official beer they were denied entry, so the male fans promptly removed the trousers and watched the game in underpants. The BBC asserts that up to 1,000 fans were told to strip off their orange pants in “Fans Lose Trousers to Gain Entry.” Markus Siegler, the control-freak in charge […]
From Maine’s Public Law, Chapter 583, passed April 2006: Sec. 9. 10 MRSA §1348, sub-§5, as enacted by PL 2005, c. 379, §1 and affected by §4, is amended to read: 5 . Notification to state regulators. When notice of a breach of the security of the system is required under subsection 1, the information […]
In “Scots Crush Cars Over ‘Document Offenses,’” Rogier van Bakel writes about bad new UK law: Now cars can be seized and crushed if document offences are detected — and the region’s top police officer said yesterday a “clear message” is being sent to would-be offenders. … Tough new powers in the Serious Organised Crime […]
(From Bram Cohen and Nick Mathewson.) The players are three reclusive artists. Their real names are Anaïs, Benoît, and Camille, but they sign their works as “A,” “B,” and “C” respectively in order to cultivate an aura of mystery. Every week, each artist paints a new work in one of two styles: X and Y. […]
Expedia/Ernst & Young, 250,000 CC, Lost Laptop. Ed Hasbrouck has a great analysis of Expedia’s privacy policy at “Expedia auditors lose laptop with customer credit card numbers.” Japanese Telco KDDI, 4million names, address, phone numbers, mechanism unknown. “KDDI Suffers Massive Data Leak.” Why is a Japanese telco owning up? New expectations. AIG (American Insurance Group), […]
State of Colorado, 150,000 voter records, “missing.” “Records for 150,000 Colo. voters missing,” via Dataloss. State of Oregon, 2,200 tax records, ex-employee getting trojan’d by a porn site. “State says taxpayer files may have been compromised.” AP via dataloss. Minnesota State Auditor, numbers about unknown number of state and local employee, stolen laptops. “3 laptops […]
…but we can’t be right all the time.
Well, now that America's Finest News Source is getting into breach coverage, I guess I can move on. See "Hotels.com Information Stolen" in the Onion. Also, Nick Owen has some good analysis of the Ohio State comedy of errors in "Repercussions of data loss at Ohio University." I'm hoping Chris will cover the N+1 Ohio […]
Ed Felten asks: What would be the Exxon Valdez of privacy? I’m not sure. I don’t think it will just be a loss of money — Scott explained why it won’t be many small losses, and it’s hard to imagine a large loss where the privacy harm doesn’t seem incidental. So it will have to […]
…in the incident last September, somewhat similar to recent problems at the Veterans Affairs Department, senior officials were informed only two days ago, officials told a congressional hearing Friday. None of the victims was notified, they said. … “That’s hogwash,” Rep. Joe Barton, chairman of the Energy and Commerce Committee, told Brooks. “You report directly […]
Recently, you had a very interesting story on your web site. I left a browser tab open, so I could read it on the plane. But your very interesting story meta-refreshed itself so you could serve me more ads. Then the airport’s wireless portal showed up, and it stopped refreshing. And I couldn’t read your […]
I have a proposal for all British and American faculty who care about global justice: Please boycott me. Siva Vaidhyanathan asks that we boycott him in "A Modest Proposal: Boycott me." I think it's the best response I've seen to the British boycott of Israeli academics.
Via Netsec blog. I’d love to know if this is a real billboard improvement, or a photoshop job?
A merchant is going to feel some pain from the FTC. Visa and MC are going to look bad for not talking about who this merchant is. Jun. 8–Federal officials cannot disclose what national merchant or merchants were involved in a recent debit card security breach that spurred at least two local banks to reissue […]
Social Security numbers and other personal information for as many as 2.2 million U.S. military personnel — including nearly 80 percent of the active-duty force — were among the data stolen from the home of a Department of Veterans Affairs analyst last month, federal officials said yesterday, raising concerns about national security as well as […]
Pop quiz time! What do you call a set of regulations that the government won’t enforce? HIPAA. In the three years since Americans gained federal protection for their private medical information, the Bush administration has received [nearly 20,000] complaints alleging violations but has not imposed a single civil fine and has prosecuted just two criminal […]
Gartner’s Avivah Levitan says it’s better to spend money on encryption than on cleaning up after a data breach, according to a news report on her recent testimony before the US Senate. The problem? Gartner’s method in researching this claim, as best I can tell, relies on looking at a few high-profile cases. Sure, if […]
Don’t miss this stunning picture of the Cleveland volcano, in the Alaskan Aleutian Islands. You can click for the larger original at Astronomy Picture of the Day:
I bet these guys at Giveusallyourmoney.com are raking it in. Thanks, Rob!
Where two organizations are implicated, the first is the one which collected the data, the second (here, Ernst and Young) is the one that lost it. Texas Guaranteed Student Loan/Hummingbird, 1.3m SSNs, "lost equipment." "Toronto firm at centre of security breach" Hotels.com/Ernst and Young, 243,000 credit cards, lost laptop. "Hotels.com customer info may be at risk" […]
Pete Lindstrom is looking at an important set of questions: How likely is it that a given breach will result in harm to a person? What’s the baseline risk? Data is nonexistent on these questions, which means we get to throw around our pet theories. For example, we know of 800 ID thefts from the […]
Nick Szabo has a fascinating article on “Jurisdiction as property and peer-to-peer government.” I’m not going to attempt to summarize it, but will simply quote the opening: Modern civics and political science is often taught as an absurd dichotomy: that government is a “monopoly over the use of force” and that the absence of government […]
“Los Angeles Consumers File Class Action Lawsuit Against Used-Car Dealer Drive Time For Allegedly Leaking Their Private Financial Information to Unauthorized Third Parties.” “Down To Business: Time To Get Tough On Security Slackers” Rob Preston in Information Week, “Perhaps if the VA secretary faced personal fines or jail time for that foot dragging, those security […]
Pete Lindstrom, who knows a good phrase when he reads one, puts forward the claim that the theft of veterans SSNs doesn’t put them at increased risk of fraud. His basic argument is that there’s a lot of people out there with access to lots of SSNs, and monetizing an SSN takes effort. He’s right. […]
There’s a great story in Wired “Don’t Try This at Home,” about how our obsessions with terrorism and safety have destroyed the ability of our children to learn chemistry: The chemophobia that’s put a damper on home science has also invaded America’s classrooms, where hands-on labs are being replaced by liability-proof teacher demonstrations with the […]
Well, it's been a week since DaveG threatened to "run [undodb] on itself and cause a rift in the space-time continuum." Has anyone heard from him since? (Light cone image from Patricia Schwarz.)
Matt Rose has an interesting post, “What is Higher Education’s Role in Regards to ID Theft?:” A recent study by the US Justice Department notes that households headed by individuals between the ages of 18 and 24 are the most likely to experience identity theft. The report does not investigate why this age group is […]
The European Court has ruled the US/EU treaty on data sharing around air travelers is not legal. (I’m not saying “about air travelers” because I read Ed Hasbrouck, and thus know that PNRs contain data on more than just the travelers.) That’s not why I’m posting. I’m posting because of this choice quote from the […]
We live in a society of laws. Why do you think I took you to all those "Police Academy" movies? For fun? Well, I didn't hear anybody laughin', did you? — Homer Simpson, "Marge Be Not Proud"
I’m in Seattle this week for some work-related stuff, and have some free evenings. If you’re in Seattle and would like to get together, drop me a note.
There’s an idea floating around that a major problem with SSNs is their dual use as identifiers and authenticators. (For example, Jeremy Epstein, “Misunderstanding the risks of SSNs,” in RISKS-24.29) This is correct, but the phraseology leads to people trying to solve the problem by saying “if we just used SSNs as ID numbers, and […]
[T]he VA’s inspector general, George Opfer, said that the agency had been unable to formally notify the affected veterans because “we don’t have 26 million envelopes.” via the Bradenton Herald Now that the funny part is out of the way… Asked the cost for preventing and covering potential losses from identity theft, [VA Secretary] Nicholson […]
Kim Cameron has a post, “IBM Researcher Slams UK Identity Card Scheme” in which he writes: He couldn’t be more right. My central “aha” in studying the British government’s proposal was that the natural contextual specialization of everyday life is healthy and protective of the structure of our social systems, and this should be reflected […]
SiliconBeat has a story, “Jangl’s new angle on phone calling:” Jangl is a new phone service that, initially anyway, will allow people to anonymize their phone numbers the same way they can their email addresses when posting on places such as craigslist. When you sign up with Jangl, you get access to disposable phone numbers […]
Public Law 094-0799 now allows Illinois residents to have a freeze applied to their credit reports. The maximum fee (not applicable to those 65 and over) is $10.00. The law, according to a press release from the governor’s office, takes effect January 1, 2006. Look for other states to continue to pile on, now that […]
I came across this sign while I was attending a software design methodology course at an IBM building in London. After wondering several times why each time I tried to go to the toilets I ended up in the restaurant, I looked carefully at the sign. Which way would you go at a glance? Which […]
Seriously. Plus, he says it wouldn’t be a civil liberties issue.
A bill sits on Illinois governor Rod Blagojevich's desk. If he signs it, Illinois will take a step toward meaningful central reporting of breach notifications: (815 ILCS 530/25 new) Sec. 25. Annual reporting. Any State agency that collects personal data and has had a breach of security of the system data […]
Paxx Telecom has issued a press release that they’ll hand over records only when given a court order: The recent revelation first made by USA Today that the National Security Agency (NSA) has been commandeering phone records of tens of millions of ordinary Americans has shocked those who cherish their privacy and do not agree […]
I’m not sure what to expect out of this story of a guy who, left behind in a crazed state and presumed to have died, overnighted above 8000 meters on Everest and was found alive the next day, prompting a rescue effort expected to take three days. (Note that this is a different climber from […]
Rob Lemos convinces me that the better number is “One in 8 (or 9) Americans.” I buy his statement as long as we discuss adults, rather than Americans. Kids are at risk from ID theft, too, even if this incident doesn’t touch them. (Assuming none of the vets has an overlapping SSN, a stolen SSN, […]
8.9% of Americans are at increased risk for ID theft due to that fellow at the veterans administration. Wow. Sure, the 13% at risk for account take-over from Cardsystems was bad, but that was just credit cards. This is about the databases that control our lives. This is horrendous. Maybe we’ll get some better laws […]
On upcoming changes to the Payment Card Industry Data Security Standard: “Today, the requirement is to make all information unreadable wherever it is stored,” Maxwell said. But this encryption requirement is causing so much trouble for merchants that credit card companies are having trouble dealing with requests for alternative measures, he said. In response, changes […]
One of the motivators often discussed for voter ID card requirements is voter registration fraud. I believe that ID card requirements are like poll taxes, and are not justified. I believe that they’re not justified even if they’re free, because of personal privacy concerns, regarding addresses. You know, like Gretchen Ferderbar had before her 911 […]
Last week Dan Gillmor talked about Verisign’s monopoly wishes, stating: This deal would be great for VeriSign, but terrible for the marketplace. It would consolidate one company’s control over an essential part of the Internet infrastructure. Is the sky falling? I don’t think so. This sounds a whole lot like before GeoTrust was launched. GeoTrust […]
I’ve added Kim Cameron’s Identity Blog to the blogroll. There’s a great post “Inebriation and the Laws of Identity” about what happens to you when you’re not firm and resolved about when you hand over your ID. Hint to Paul Toal: The data is used for fraud prevention, and will stay in their databases forever. […]
Normally this would go in the breach roundup, but it is noteworthy in that it is the only case of substitute notice I can recall seeing. All state breach laws provide for notifications to be made via mail or telephone, and allow so-called “substitute notice” via a press release, prominent web page placement, and the […]
In one of the soon-to-be countless articles about the VA Incident, Network World’s Ellen Messmer writes: The sad irony in all this is that there are many at the VA who have worked hard to design and install network-based security. But in the “multiple layers of security” everyone is so fond of discussing, the human […]
There’s some fascinating presentation of numbers in the BBC’s “Criminal records mix-up uncovered:” Education Secretary Alan Johnson told the BBC only 0.03% of the nine million “disclosures” the agency makes had been wrong, so the issue had to be put “into context”. He is so right! Let’s put those numbers in context, shall we? The […]
Not only was the Ethiopian food at Queen Sheba quite good, but when I went back, they had my jacket, and my somewhat expensive camera was still in the pocket. Doubly recommended. Queen Sheba is at 916 East John St, a block from Broadway, 206-322-0852. Thanks to W. for introducing me. [Updated to fix spelling. […]
After some great conversation with Ryan Russell in the comments to “Economics of Vulnerabilities: Markets,” I saw Pascal Meunier’s “Reporting Vulnerabilities is for the Brave:” So, as a stubborn idealist I clashed with the detective by refusing to identify the student who had originally found the problem. I knew the student enough to vouch for […]
Personal data, including Social Security numbers of 26.5 million U.S. veterans, was stolen from a Veterans Affairs employee this month after he took the information home without authorization, the department said Monday. The material represents personal data of all living veterans who served and have been discharged since 1976, according to the department. The information […]
An emotionally disturbed 911 emergency dispatcher abused his access to the call center’s databases while tracking his ex-girlfriend and her new boyfriend before murdering both of them. See Declan McCullagh, “Police Blotter: 911 dispatcher misuses database, kills ex-girlfriend,” which covers the court case stemming from a 2003 shooting, described in “Job loss tied to fatal […]
Ohio University I: On Friday, April 21, the FBI advised the Technology Transfer Department at Ohio University’s Innovation Center that a server containing office files had been compromised. Data on the server included e-mails, patent and intellectual property files, and 35 Social Security numbers associated with parking passes. Ohio University II: 300,000 alums and friends. […]
Via Kim Cameron (“Homeland Security Privacy Office Slams RFID Technology“), I read about “The Use of RFID for Human Identification.” This is an important report. The money quote is useful because it comes out of DHS: Against these small incremental benefits of RFID are arrayed a large number of privacy concerns. RFID deployments’ digitally communicated […]
You’re incompetent. We don’t trust you. Please stop wasting our time. Love, El Al Israel Airlines. No, really. Ok. Maybe the quote isn’t precisely their words, but that’s the message. See “El Al wants to do its own bag screening at Newark airport.” (Via Gary Leff.)
One of the things that makes building secure products such a challenge is how hard people will work to steal. Clever criminals who come up with new attacks will spread them around. Today’s attacks often seem to center on identity. “Identity” seems to be hard-wired into our brains (or at least our society) as a […]
When I drew that picture for Don Marti, he suggested a market in software vulnerabilities. People who had invested in knowledge about a program could then buy or sell in that market. I think that the legal threats and uncertainties are probably sufficiently market-distorting to make such a market hard to operate and hard to […]
For the week since Brad Feld published it, I’ve been trying to find something to enhance “Norms-based IP and French Chefs:” Norms-based IP systems are an alternative (or a complement) to legal based IP systems. The Case of French Chefs is a superb example of how this works. If you care a lot about IP […]
We’ve announced the program for the 6th Workshop on Privacy Enhancing Technologies, and space is still available for registrants. The program is so cool that I’m not going to try to summarize it, but rather quote Kim Cameron (“SEE IF YOU CAN MAKE PET 2006“): Here’s one conference I definitely won’t miss. I’ve been lucky […]
Chickweed, thanks to Xeger.
The lawsuit we mentioned the other day is now up to $200 billion, as Bellsouth and AT&T are added as defendants. Photo via realitynewsonline.com
[Bush] also proposed to cut back on potential fraud by creating an identification card system for foreign workers that would include digitized fingerprints. He said that a tamperproof identification card for workers would “leave employers with no excuse” for violating the law. Of course, that means the rest of us will need the cards, too, […]
Lack of trust in online banking among U.S. consumers is a serious constraint because of doubts about banks’ security measures, according to eMarketer’s new report, “Online Banking: Remote Channels, Remote Relationships?” The result is a slowing rate of adoption, with online banking households increasing by only 3.1% in the last quarter of 2005 — the […]
Teach Florida’s alligators to feed on sharks. Unfortunately, this would deprive CNN of much of its material, so they will oppose it strenuously.
Looks like the Bush administration is tracking reporters’ phone calls. Also, the FBI admits that it uses the Patriot Act to obtain journalists’ phone records in an attempt to determine to whom they have been speaking. Read more here and here, from an ABC News reporter who has received some “attention” from the government. Photo: […]
Lately, I’ve been playing with an idea. Work by both Microsoft and certain open source projects has made finding and exploiting vulnerabilities in their code substantially harder. So, the effort needed to find a vulnerability has gone up. The effort needed to build a working exploit has gone up. Thus, the willingness of a vulnerability […]
Or so it seems, as Bush prepares to send thousands of National Guard troops to patrol our border with Mexico.
“The NSA would like to remind everyone to call their mothers this Sunday. They need to calibrate their system.” (Quip from Bruce Schneier, poster by Tom Tomorrow, for RSA Data Security, at archive.org.)
Verizon is facing a $5 billion lawsuit over its alleged law-breaking. The NYT reports today that this suit may actually involve as much as $50 billion in damage. Previously, a $20 billion suit had been filed regarding the aspects of the NSA program that had become publicly-known in December. Interestingly enough, when you don’t take […]
This is: the snooping into your phone bill is just the snout of the pig of a strange, lucrative link-up between the Administration’s Homeland Security spy network and private companies operating beyond the reach of the laws meant to protect us from our government. You can call it the privatization of the FBI — though […]
A former intelligence officer for the National Security Agency said Thursday he plans to tell Senate staffers next week that unlawful activity occurred at the agency under the supervision of Gen. Michael Hayden beyond what has been publicly reported, while hinting that it might have involved the illegal use of space-based satellites and systems to […]
There are times you just have to defer to the lawyers. So I shall. Orin Kerr, “Thoughts on the Legality of the Latest NSA Surveillance Program,” (his blog) then later, “More Thoughts on the Legality of the NSA Call Records Program” (at Volokh, it’s keeping him up at night!) and “How The Latest NSA Surveillance […]
So if you have a Mac, you really want to open software update now. You can read about Apple Security Update 2006-0003 after you’ve installed it and the Quicktime patch. In “Apple Security Update RoundUp,” DaveG explains: So, in short, without the latest update, OS X is secure as long as you don’t look at […]
Because of the lack of proceedings, we have removed the no-dual-submission rule. That is, work submitted elsewhere is ok. Best: Submit a short position paper or description of work done/ongoing. Your submission must be no longer than five(5) paragraphs or presentation slides. Author names and affiliations should appear first in/on the submission. Submissions may be […]
Massachusetts Congressman Ed Markey asks Dennis Hastert whether legislation protecting mobile phone users’ privacy has been sent to a “legislative ‘Guantanamo Bay’” in order to modify it so that intelligence gathering activities analogous to those affecting land lines would be unimpeded.
The National Security Agency has been secretly collecting the phone call records of tens of millions of Americans, using data provided by AT&T, Verizon and BellSouth, people with direct knowledge of the arrangement told USA TODAY. The NSA program reaches into homes and businesses across the nation by amassing information about the calls of ordinary […]
Members of an Alberta Hutterite colony have won the right to carry driver’s licences that don’t carry their photographs. The Wilson Colony, near Coaldale, 12 kilometres east of Lethbridge, took the province to court after the government introduced a new licence that must have a driver’s photo on it. The colony argued in a Lethbridge […]
What exactly happened between lines 1 and 2? Just curious.
On June 3, 2006 Harvard University’s Center for Research on Computation and Society will hold a day-long workshop on Data Surveillance and Privacy Protection. Although there has been significant public attention to the civil liberties issues of data surveillance over the past few years, there has been little discussion of the actual techniques that could […]
I think Adam is too kind to Arizona’s new breach law. My issues have to do with how various elements of the law might be interpreted: “materially compromises”: Maybe I am reading too much Sarbanes-Oxley stuff and my sense of what constitutes materiality has been warped, but I would need to be reassured that this […]
To a first approximation, all inbound trackbacks here have been spam for a while. As such, they’ve been turned off, and I’ve now made that official by turning them off in the MT layer, so you should no longer see trackback URLs. I thought about this a while back in “Trackbacks vs. Technorati?”
Ever wonder if banks are required to tell customers when their systems are hacked? You may be shocked to learn that they are not. Wow. Fifteen months since Choicepoint, and that’s being written? There’s a new set of expectations out there, and it hasn’t taken long to set. Thank you, Choicepoint. The quote leads an […]
Ryan Singel opens an excellent article, “Feds’ Watch List Eats Its Own,” with a pertinent question. The article is worth reading for its enumeration of how the watch list catches senior military and State Department officials, who also can’t get off the list. It opens: What do you say about an airline screening system that […]
Over at Security Curve, Ed Moyle has some good thoughts on “the Gigantic ‘Bull’s Eye’ on Apple’s Forehead:” Now, I don’t know about you but I haven’t seen this kind of hubris since Oracle’s “unbreakable” campaign. Remember that? I do. I remember that at one point in time, most researchers ignored Oracle and pretty much […]
I’ve mentioned before that other than New York, only New Jersey requires that security breaches involving personal identifying information be reported centrally. I hazarded a guess at the time that, unlike NY, NJ would not respond favorably to a freedom of information request for such records, because the mandated reporting is to the state police, […]
Oops. My bad, I’d turned off comments on a bunch of posts. I think it’s fixed.
“The United States said on Friday it had flown five Chinese Muslim men who had been held at the Guantanamo Bay prison to resettle in Albania, declining to send them back to China because they might face persecution. The State Department said Albania accepted the five ethnic Uighurs — including two whose quest for freedom […]
I admit it, probably ten or more years ago I actually signed up for a supermarket affinity card. Of course, I promptly lost it during the great migration to the suburbs, and for a good while I would simply claim to have left it at home and the cashier would cheerfully use a “store card”, […]
In a long interesting article in Wired on “The RFID Hacking Underground,” I came across this quote: While it may be hard to imagine why someone other than a determined vandal would take the trouble to change library tags, there are other instances where the small hassle could be worth big bucks. The article went […]
I was talking to a CISO friend recently about Metricon, and encouraging him or his team to submit a paper. He told me about a concern, which was that it sounded like we’re looking for “how do we give indications so we can pat ourselves on the back,” or “how can we terrify execs?” He’d […]
I usually try to cut down quotes. This essay by Siva Vaidhyanathan in Slate’s Altercation is worth quoting at length: I was wondering something. Maybe somebody could help me out here. Yesterday a federal jury decided appropriately that this country shall not execute Zacarias Moussaoui, a wanna-be-mass murderer who also happens to be a mentally […]
In response to overwhelming demand, Lucasfilm Ltd. and Twentieth Century Fox Home Entertainment will release attractively priced individual two-disc releases of Star Wars, The Empire Strikes Back and Return of the Jedi. Each release includes the 2004 digitally remastered version of the movie and, as bonus material, the theatrical edition of the film. That means […]
There’s a great article in the Guardian, “Q. What could a boarding pass tell an identity fraudster about you? A. Way too much:” This is the story of a piece of paper no bigger than a credit card, thrown away in a dustbin on the Heathrow Express to Paddington station. It was nestling among chewing […]
IMABARI, Ehime [Japan] — A paint firm here is hoping to add color to wedding receptions in Japan with a new device it has jointly developed — a gun-shaped party [favor] that shoots out a teddy bear. Sunamiya, a paint firm based in Imabari, Ehime Prefecture, announced the development of the device, which blasts a […]
So Representative Julia Carson discovered when she tried to use her United States House of Representatives ID card to vote: Carson’s card does not have an expiration date as the new law requires of valid voter IDs, and Indianapolis poll workers tried to reach election officials before allowing the five-term Democratic congresswoman to cast her […]
Slashdot is carrying the story of a rather large bug find in the X11 code. Judging by the patch, it looks like the problem was due to a lack of caffeine: if (getuid() == 0 || geteuid != 0) The OpenBSD code auditors seem to have found this one independently: This is one of those […]
Michael Howard announces the imminent availability of his new book, “The Security Development Lifecycle” by Michael Howard and Steve Lipner: This time the book documents the Security Development Lifecycle (SDL), a process that we’ve made part of the software development process here at Microsoft to build more secure software. Many customers, press, analysts, and, to […]
So I’ve seen the story in a bunch of places, but something about Bruce Schneier’s posting on “Counterfeiting an Entire Company” made me think about certificates, and the green URL bar. In the name of NEC, the pirates copied NEC products, and went as far as developing their own range of consumer electronic products – […]
Brian Krebs has a long article, “Time To Patch III: Apple,” examining how long it takes Apple to ship security fixes: Over the past several months, Security Fix published data showing how long it took Microsoft and Mozilla to issue updates for security flaws. Today, I’d like to present some data I compiled that looks […]
First, apologies to Kim Cameron for taking a while to get to posting this. Being at a conference in Montreal, I was distracted from in-depth blog entries. Go figure. Anyway, in a back and forth to develop a short explanation of Infocard, we are at: The relying party states what assertions it wants, the […]
Law prof. Marty Lederman explains (in great detail) that “Army Confirms: Rumsfeld Authorized Criminal Conduct:” On November 27, 2002, Pentagon General Counsel William Haynes, following discussions with Deputy Secretary Wolfowitz, General Myers, and Doug Feith, informed the Secretary of Defense that forced nudity and the use of the fear of dogs to induce stress were […]
State of Ohio, 7.7 million registered voter SSNs, dismal process. From “Ohio Recalls Voter Registration CDs” via Dataloss. Fifth Third Bank employee Marco Antonio Munoz, 74 pages of names of victims, dismal dependence on process, from “Internal theft of personal bank data rare,” in the Cadillac News. Someone’s PR department deserves a bonus for that […]
Via Army Times: The Pentagon said routine monitoring of the Tricare Management Activity’s public servers on April 5 resulted in the discovery of an intrusion and that the personal records had been compromised, leaving open the possibility of identity theft among the members affected. The information contained in the files varied and investigators do not […]
So pay no attention to the thoughtcriminals who are not bored, and their ridiculous propaganda documenting “Abuses of surveillance cameras.” We all know that cameras never lie, film can’t be edited or mis-interpreted, the police would never use cameras to look in your bedroom window, and that the videos taken will be strictly controlled. Those […]
Be it Enacted by the Senate and House of Representatives in General Court convened: Prohibition Against Participation in National Identification System. The general court finds that the public policy established by Congress in the Real ID Act of 2005, Public Law 109-13, is contrary and repugnant to Articles 1 through 10 of the New Hampshire […]
“Making a (Power)Point of Not Being Tiresome,” in the LA Times, via Paul Kedrosky. But more usefully, “The Many Uses of Power Point”
Report via Reuters. Aetna declined to say where this occurred or which law-enforcement agency they are working with, but it looks like the employer whose folks just got their PII exposed was the US Department of Defense. Stars and Stripes has the scuttlebutt from HQ: The laptop was stolen from an employee’s personal car […]
The BBC reports on Sweet Dreams Security in “Safe, Secure, and Kitsch:” A German artist is trying to change the way people think about security, by replacing barbed wire with heart-shaped metal, and pointed railings with animal shapes. Thanks to N. for the pointer.
“Unauthorized electronic access”. Not sure if that’s a poorly configured web server, or what. Press release today. Happened in February. Notices sent at some unspecified time. Indiana only requires state agencies to disclose breaches, the law isn’t in effect yet, and the legislative and judicial departments aren’t considered state agencies. Quoth “Mark Smith, head and […]
Tony Chor has a good post on “Backstage at MIX06.” The effort that goes into a good presentation, including the practice, the extra machines, the people to keep them in sync, etc, is really impressive: Normally, when I do a presentation and demo, both the demos and the presentation are on the same machine. I […]
I’m in Montreal at SIGCHI. (Pronounced “Kai.” Who knew?) I realize I haven’t gotten in touch with a slew of people I’d like to see. If you’re one of them, or think you’re one of them, or would like to be one of them, let me know!
In February of last year, I told you about Lester Eugene Siler, a Tennessee man who was literally tortured by five sheriff’s deputies in Campbell County, Tennessee who suspected him of selling drugs. The only reason we know Siler was tortured is because his wife had the good sense to start a recording device about […]
After I posted “Infocard, Demystified,” I’m finding a whole lot of articles about it. Mario posted links to “A First Look at InfoCard” and “Step-by-Step Guide to InfoCard” in MSDN magazine, which are useful, but longer descriptions. In “What InfoCard Is and Isn’t,” Kim Cameron reprints an article from Computer Security Alert. So now I […]
Walid Phares summarizes the new Bin Laden tape at “New Bin Laden Tape: Ten Main Points,” and analyzes it in “Bin Laden’s ‘State of the Jihad’ Speech:” One more time Al Jazeera promotes an Usama Bin Laden speech. After airing portions of the Bin Laden audiotape al Jazeera posted large fragments of the “speech” on […]
Federal prosecutors charged a San Diego-based computer expert on Thursday with breaching the security of a database server at the University of Southern California last June and accessing confidential student data. A statement from the U.S. Attorney for the Central District of California names 25-year-old Eric McCarty as the person who contacted SecurityFocus last June […]
Researchers have identified brain cells involved in economic choice behavior: The scientists, who reported the findings in the journal Nature, located the neurons in an area of the brain known as the orbitofrontal cortex (OFC) while studying macaque monkeys which had to choose between different flavours and quantities of juices. They correlated the animals’ choices […]
On Wednesday, officials closed down all security checkpoints at the Hartsfield-Jackson Atlanta International Airport when a “suspicious device” was detected in a screening machine. … All departing flights were stopped, and arriving flights were delayed 90 minutes, affecting 120 flights during the day’s peak travel time, according to the Associated Press. However, after two hours, […]
I second Alec Muffett’s recommendation of ThePartyParty. In particular, the cover of Imagine is dumbfoundingly bittersweet. Happy Earth Day. [Image: NASA]
In the latest in the ongoing saga of debit cards being reissued after a breach at an unnamed merchant, 3rd-party, or card processor, we learn that unless a crook stands a chance of getting caught, he’ll keep on stealing: These crooks get away with it, and that’s why they keep doing it. They’ve got about […]
I forgot to blog this at the time, so will simply say that “Long-Awaited Medical Study Questions the Power of Prayer,” as reported in the NY Times and elsewhere, demonstrates that if there is a god, he prefers those who help themselves.
Nevada is one of a small number of states that actually defines the term ‘encryption’ as used in its breach disclosure law. To wit: NRS 205.4742 “Encryption” defined. “Encryption” means the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to: 1. Prevent, impede, delay or disrupt […]
I’ve written up a comparison of what I believe to be all existing US state disclosure laws with regard to three loopholes that have been discussed by, among others, Rob Lemos and Bruce Schneier recently. I’m experimenting with Blosxom, so I posted this over here. The executive summary is all the state laws could use […]
The 2nd Circuit Court of Appeals upheld a ruling against a Ms. Cassano, who feared that providing her SSN placed her “in dire jeopardy of having her identity stolen,” refused to provide it, and was terminated. The decision states that “There is no doubt that laws requiring employers to collect SSNs of employees have a […]
The Sultan’s Elephant Theatre Show will be in London May 4-7. Eric Pouhier has photos of another event, or you can click the photo for his full-size image. Thanks to S. for the link.
Declan McCullagh and Anne Broache have the story in “New RFID travel cards could pose privacy threat:” Homeland Security has said, in a government procurement notice posted in September, that “read ranges shall extend to a minimum of 25 feet” in RFID-equipped identification cards used for border crossings. For people crossing on a bus, the […]
MetriCon 1.0 – Announcement and Call for Participation. First Workshop on Security Metrics (MetriCon 1.0), August 1, 2006, Vancouver, B.C., Canada. Overview: Ever feel like Chicken Little? Wonder if letter grades, color codes, and/or duct tape are even a tiny bit useful? Cringe at the subjectivity applied to security in every manner? If so, MetriCon 1.0 may […]
I’ve been meaning to blog about “The Far Enemy: Why Jihad Went Global ” by Fawaz Georges for quite some time. The book is a fascinating look at the internal debates of the various Jihadist sub-groups, and takes its title from an argument over targeting the “near enemy,” or local government, or the “far enemy,” […]
For every product, there are thousands of sentences which result in the reply “well, why didn’t you just say that?” The answer, of course, is that there are thousands, and often it’s not clear which is the right one. For me, the useful sentence is that ‘Infocard is software that packages up identity assertions, gets […]
Generally, when I talk about religion, it’s in the Emacs vs. vi sense. One of my RSS bookmarks contained a somewhat thought-provoking article about the similarities between the philosophy advanced by Free Software Foundation, and certain aspects of Catholic doctrine, and ‘Christian charity’ more broadly. It’s an interesting take on Open Source, and perhaps appropriate […]
Animal Farm is a 30-acre family farm in Orwell, Vermont. We are certified organic for milk, butter, eggs, and hay and pasture. Some things you just can’t make up, because someone else already has.
These folks would like to put a monument to the Bill of Rights in every state. Clearly a better use of cash than a ginormous diamond in New York’s harbor.
I happened to look recently at the little card that Avis puts in the cars of frequent renters. The idea is that you land, get to Avis, see your name on a board, and walk directly to the car with one fewer line to stand in. So as you drive away, the fellow who checks […]
Staff Sgt. Daniel Brown is having trouble getting on a plane. He’s apparently known to work in close proximity to terrorists: A Minnesota reservist who spent the past eight months in Iraq was told he couldn’t board a plane to Minneapolis because his name appeared on a watch list as a possible terrorist. Marine Staff […]
“After IE Attacks, Microsoft Eyes Security Betas” is by Al Sacco at CSOOnline. He has a lot of good orientation and background. Then take a look at Mike Reavy’s “Third party solutions to the Internet Explorer CreateTextRange vulnerability.” Mike runs MSRC, and it’s a pleasant surprise to see him acknowledging customer fears with a post […]
Microsoft needs to be much more transparent about the real nature of the threats customers are facing. Microsoft doesn’t patch phantom vulnerabilities that don’t exist or unrealistic science-fiction attack scenarios. Microsoft’s under-documentation of these vulnerabilities leaves those charged with deploying patches in a tough spot. You simply don’t know what the patches are for. It’s […]
“You may have heard that legislation creating compulsory ID Cards passed a crucial stage in the House of Commons. You may feel that ID cards are not something to worry about, since we already have Photo ID for our Passport and Driving License and an ID Card will be no different to that. What you […]
“We try to weed out those who pose a security risk,” Chertoff said in a briefing with reporters. “I don’t know … that background checks with people hired will predict future behavior.” Well, golly, Mr. Secretary, I don’t know…that either. So will you please cancel CAPPSIII/Secure Flight/Free Wheelchairs for Paraplegic Children, rather than invading the […]
In “Why Some People Put These Credit Cards In the Microwave,” the Wall St. Journal incidentally captures everything you need to know: Makers of products using RFID say privacy and security safeguards are being built into the chips to prevent abuses. MasterCard International says multiple layers of security are available to prevent MasterCard data from […]
Because of the volume, I’m going to consolidate these: US Marine Corps/Naval Postgraduate School, 207,750 SSNs, dismal process. From Stars and Stripes, “Thousands of Marines may be at risk for identity theft after loss of portable drive,” via Dataloss list. Marines affected should know there’s an “active duty military” alert you can add to their […]
There’s an article about the chaos of Palestinian TV on Wired News, “Live From the West Bank,” which starts: Helga Tawil Souri reclines on the couch at a friend’s house in the Palestinian West Bank, getting sucked into an Egyptian movie about a woman in an insane asylum. Right before the climactic face-off, though, the […]
% prstat PID USERNAME SIZE RSS STATE PRI NICE TIME CPU PROCESS/NLWP 14135 nobody 16M 12M sleep 60 0 0:00:11 4.2% mt-tb.cgi/1 14207 nobody 14M 11M run 55 0 0:00:08 4.1% mt-tb.cgi/1 14203 nobody 14M 11M run 56 0 0:00:08 4.1% mt-tb.cgi/1 14209 nobody 14M 11M run 54 0 0:00:08 4.1% mt-tb.cgi/1 14215 nobody 14M […]
I missed this article when it first came out, but Andrew W. Lo’s “Market Efficiency from an Evolutionary Perspective” is fascinating and readable. The abstract: One of the most influential ideas in the past 30 years of the Journal of Portfolio Management is the Efficient Markets Hypothesis, the idea that market prices incorporate all information […]
This Cabspotting project reminds me a lot of the Open Geodata work that Steve Coast is working on. The map, in particular, reminds me of their map of London. (Cabspotting via Boingboing.)
“Official blog of the Metasploit Project.” Either you know who Metasploit is, in which case you’ve already clicked through, or you’re unlikely to understand their subject matter. PS to Vinnie: Where’s the Smallpox-making post?
In a post titled “self-evidently wrong post title” “Blog Posts Do Not Include The Words ‘dizzying array of talent,’” Tom Ptacek points out that Arbor Networks has a blog. Jose Nazario’s “The Market-Driven (Vulnerability) Economy” post is pretty good. However, I think we need video of Dug Song reading this text, which in “News Flash: […]
Many years ago, I needed to deploy a bunch of UNIX machines very quickly. When I created the golden system image, it included an ntp.conf file that pointed to a nearby public stratum 2 server not under my administrative control. This was dumb, because I could (and should) have just had my boxen chime against […]
Attorney General Alberto R. Gonzales left open the possibility yesterday that President Bush could order warrantless wiretaps on telephone calls occurring solely within the United States — a move that would dramatically expand the reach of a controversial National Security Agency surveillance program. From the Washington Post, “Warrantless Wiretaps Possible in U.S..” It used to […]
Earlier this week, there was a story “Microsoft Says Recovery from Malware Becoming Impossible.” I’m not sure why this is news: Offensive rootkits, which are used hide malware programs and maintain an undetectable presence on an infected machine, have become the weapon of choice for virus and spyware writers and, because they often use kernel […]
The Nasa projectile that slammed into Comet Tempel 1 last year kicked out at least 250,000 tonnes of water. The figure comes from UK/US scientists on the Swift telescope, one of many observatories called on to study the US space agency’s Deep Impact event. Swift’s X-ray Telescope (XRT) saw the comet continue to release water […]
The UK, having already abolished liberty, is now hard at work on abolishing any relevance Parliament might have. See SaveParliament.org.uk. In “Who wants the Abolition of Parliament Bill,” David Howarth writes: The boring title of the Legislative and Regulatory Reform Bill hides an astonishing proposal. It gives ministers power to alter any law passed by […]
The deputy press secretary for the Department of Homeland Security was arrested last night on charges that he used the Internet to seduce an undercover Florida sheriff’s detective who he thought was a 14-year-old girl, the Polk County Sheriff’s Office said. Brian J. Doyle, 55, was arrested at his Silver Spring home at 7:45 p.m. […]
This year’s challenge: ridiculous performance degradation. For this year’s challenge, imagine you are an application developer for an OS vendor. You must write portable C code that will inexplicably taaaaaake a looooooong tiiiiime when compiled and run on a competitor’s OS. The program is supposed to read a set of words on stdin, and print […]
I’m a little behind in posting this, but modern medical science can be so cool: US scientists have successfully implanted bladders grown in the laboratory from patients’ own cells into people with bladder disease. The researchers, from North Carolina’s Wake Forest University, have carried out seven transplants, and in some the organ is working well […]
The other day, I wrote about the Data Accountability and Trust Act (DATA), which has been received well by consumer and privacy advocacy organizations. For example, “We’re pleased with the compromise ‘trigger’ language relating to when a business must notify individuals of a breach of their personal information,” said several privacy advocacy groups in a […]
Federal regulators today released Evolution of a Prototype Financial Privacy Notice… The report’s release concludes the first phase of an interagency project […] to explore alternatives for financial privacy notices that would be easier for consumers to read, understand, and use than many of the notices consumers currently receive from financial institutions. These six agencies […]
My friend Robert Stratton has taken the CTO role at Revive Systems. He’s both a serial startup guy (Wheel Group and UUNet) and has been on the investor side In-Q-Tel. We’ve spent some time talking about the technology, too, and it sounds very intriguing. The remainder of this post is his job description for their […]
Get Pac Man for the Smartphone before it’s too late. Doubtless the lawyers will come in and remove this version, too. Because, you know, if they didn’t, Midway wouldn’t be able to make any money on Pac-man.
The 2004 National Criminal Victimization Survey includes ID theft data, for the first time. From a CSOOnline blog post, “DOJ Study: ID Theft Hit 3.6M In US:” About 3 percent of all households in the U.S., totaling an estimated 3.6 million families, were hit by some sort of ID theft during the first six months […]
Declan McCullagh writes cogently on the matter of national security breach legislation. His article makes many important points, and should be read widely. However, his overall thrust — that federal legislation is inferior to state legislation as a means of addressing security breaches — touches too briefly on an important point: we can have both. […]
HotSec is intended as a forum for lively discussion of aggressively innovative and potentially disruptive ideas in all aspects of systems security. Surprising results and thought-provoking ideas will be strongly favored; complete papers with polished results in well-explored research areas are discouraged. Papers will be selected for their potential to stimulate discussion in the workshop. […]
As April Fool’s hoaxes go, this search engine results aggregator for credit card numbers is a good one.
Mountain View, CA., April 1 /PRNewswire/ — Google today announced plans to acquire Alpharetta, GA based Choicepoint. Choicepoint, 2005 winner of the “Lifetime Achievement” Big Brother award, is a data warehouser which collects information on everyone it possibly can, and re-sells it widely. “Google’s mission is to “organize the world’s information and make it universally […]
H.R. 3997, the Financial Data Protection Act, is one of the many pieces of legislation proposed in the US to deal with identity theft or notification of security breaches. It was approved by the Financial Services Committee of the House of Representatives on 3/16. I haven’t read the full text of the bill (and it […]
At this year’s RSA show, a decent portion of the securitymetrics mailing list (about 30 people) convened for lunch. I enjoyed meeting my colleagues immensely, and I received good feedback from others who attended. One thing everyone agreed on is there is enough activity in the security metrics area to merit convening the group a […]
We’re looking for nominations of great work in Privacy Enhancing Technologies: The PET Award is presented annually to researchers who have made an outstanding contribution to the theory, design, implementation, or deployment of privacy enhancing technology. It is awarded at the annual Privacy Enhancing Technologies Workshop (PET). The PET Award carries a prize of 3000 […]
Dear Arthur, In Re: your post, “Die Struck Lapel Pins From Collinson Enterprises.” They’ve some neat ones for sale too, if you’d like to be spotted as a Fed at Defcon.
There is an AP article in today’s Washington Post about Cynthia McKinney, a Georgia Congresswoman who was in a scuffle with the police today after refusing to identify herself upon entering one of the House buildings in the “Capitol Complex”. The truly scary part of the article was this: Members of Congress do not have […]
There’s an interesting contrast between “The Problem With Brainstorming” at Wired, and “Here’s an Idea: Let Everyone Have Ideas” at the New York Times. The Problem with Brainstorming starts out with some history of brainstorming, and then moves to its soft underbelly: The tendency of groupthink to emerge from groups: Thinking in teams, and pitching […]
In “Duped Bride Gets No Sympathy,” Kim Cameron writes about an Ebay scam. What’s interesting to me is some of the language that the scammer used to justify their requests: “Her attacker convinced her to use Western Union due to “a security breach at Paypal”.” (Kim Cameron, summarizing video)…. “Another red flag was the wire-transfer […]
That’s a huge loophole that could be used in almost every incidence of stolen data, said Dan Clements, CEO of CardCops.com, a company that tracks the sale of stolen credit cards on the Web. Every law enforcement agency that receives a crime report is going to consider the case “under investigation,” he said. “Only about […]
The Privacy Commissioner of Canada, Jennifer Stoddart, today announced the renewal of funding through her Office’s Contributions Program which, for the last three years, has allowed some of Canada’s brightest privacy experts to develop a wealth of information on various privacy challenges of the 21st century. From “Privacy Commissioner’s Office renews its cutting-edge privacy research […]
A laptop lost by Fidelity this month has exposed 196,000 current and former HP employees, staff were told last night. “This is to let you know that Fidelity Investments, record-keeper for the HP retirement plans, recently had a laptop computer stolen that contained personal information about you, including your name, address, social security number and […]
By Banksy, via Saar Drimer.
In “How private are your tax records? You’ll be surprised,” Bob Sullivan illustrates why the “opt-in/opt-out” way of discussing privacy is so destructive: Any information you give to a company that helps you prepare your taxes can be sold to anyone else. Only a single signature on a permission slip stands between you and the […]
I’m very happy to report that Ian Goldberg has accepted a position, starting in the fall, at the University of Waterloo. I had the privilege of working with Ian while he was Chief Scientist and Head Cypherpunk for Zero-Knowledge Systems, and he spans academic and practical computer security in a way that’s all too rare. […]
Sorry about the unavailability over the last (unknown time period). My DNS registrar, Joker.com, was under DDOS attack. If you’re reading this, you either have a cache, or the attack has been mitigated in some way. We now return you to your regularly scheduled list of stolen laptops, lost backup tapes, and who knows, maybe […]
The Register has been on Ernst & Young’s case. The latest Exclusive! talks about a laptop stolen in early January, and how we now know it had info on BP employees, along with those from IBM and others. The article also observes that: It’s difficult to obtain an exact figure on how many people have […]
When I try to drop files in the Trash, the Finder gives me this awful[1] dialog box. I really don’t want to delete files immediately, and am not sure why it wants to. Does anyone know what I do to fix this? [1] It’s awful for two reasons: First, it gives me no advice on […]
UCSB has a project to digitize wax cylinder recordings. They have thousands cataloged, with the majority downloadable as mp3s. It’s awesome. Naturally, I wanted to see what software they used. Being archivists, they of course go into great detail, including this gem: We’d like to use this space as a soapbox to say that Cleaner […]
So the other day, I called up Sprint, my illustrious cell phone provider, to make some changes to my service plan. The very nice agent asked me to identify myself with either the last 4 digits of my SSN or my password. Now, I’ve never set up a password for use over the phone and […]
I regularly talk about how privacy has many meanings, but haven’t put those in a blog posting. Since this blog has more readers than most of my talks have attendees, I figure it’s a sensible thing to blog about. The point of this list is to illustrate the dramatically different things people mean when they […]
Many laughs, and perhaps a tear or two, from The Cubes
In a somewhat incendiary piece published today at Securityfocus.com, Robert Lemos reports on loopholes in notification laws which permit firms to avoid informing people that their personal information has been revealed. According to the article, which along with unnamed “security experts” also cites industry notable Avivah Levitan, “[t]here are three cases in which a company […]
I’d like to say more about the issue of privacy law, and clarify a bit of jargon I often use. (Alex Hutton pointed out it was jargon in a comment on “There Outta be a Law“.) As background, some people have objected to privacy laws as being at odds with the First Amendment guarantees of […]
You two and your obsession with modern entertainment. Get out, and go for a walk to Rivendell. If you are going to insist on watching movies, at least go see some real ones. (Image is “Descent to Rivendell,” by John Howe, from theonering.net)
I’ve made the text darker, and hope it’s a tad easier to read, and thanks to N, have finally added a closing quote to blockquotes: blockquote { background: url(“https://adam.shostack.org/blog/wp-content/uploads/2018/08/uq.png”) no-repeat bottom right; } blockquote:before { content: url(“https://adam.shostack.org/blog/wp-content/uploads/2018/08/q.png”); display: run-in; padding-right: 10px; } The tricky part was to ensure that the closing quotation mark stayed within […]
Adam, I learned of the flick via a blog unrelated to either Star Wars or computing, so no need for Google. Not to get all “vi vs. emacs” on you, but I never understood the fascination with Star Wars. :^) Photo cred: kemikore
Chris, I can’t believe you mentioned Snakes on a Plane, and failed to link to a blog called “I Find Your Lack of Faith Disturbing,” whose article, “Snakes on a Motherfucking Plane” is like the 3rd hit on Google. I mean, really! It’s not like you had to look hard to find that. Do I […]
Edward Tufte’s new book, Beautiful Evidence, is now at the printer and should be available in May 2006. The book is 214 pages, full color, hard cover, and at the usual elegant standards of Graphics Press. (Thanks, Mr. X!)
When Larry Ellison said “We have the security problem solved,” a lot of jaws dropped. A lot of people disagree strongly with that claim. (Ed Moyle has some good articles: “Oracle’s Hubris: Punishment is Coming,” “Oracle to World: ‘Security Mission Accomplished…’“) That level of dripping sarcasm is fairly widespread amongst the security experts I talk […]
The movie “Jaws” made a lot of money. People like money. Hence, people made derivative movies, “Orca” for example. One copycat, IMO, was so dreadfully bad that it was good. That movie was “Grizzly“, which I saw on its first run. It told the tale of a rogue bear which, you know, basically roamed around […]
“In all 21 airports tested, no machine, no swab, no screener anywhere stopped the bomb materials from getting through. Even when investigators deliberately triggered extra screening of bags, no one stopped these materials,” the report said. … The Transportation Security Administration (TSA) had no comment on the report but said in a statement that detecting […]
Eweek covers a paper (“SubVirt: Implementing malware with virtual machines“) coming out of Microsoft and UMichigan in “VM Rootkits: The Next Big Threat?” Joanna Rutkowska gives some thoughts in a post to Daily Dave, “redpill vs. Microsoft rootkit….” My take is it’s good to see Microsoft working on this sort of research, and thinking […]
Crazy Apple Rumors has the scoop: “Macs Just As Vulnerable To Wolverine Attack.” (Picture from SamCat.)
One of the neat things about Blue Hat is that people get pulled aside and introduced to people who have problems that they’d like your thoughts on. In one of those meetings, it came out that the person I was meeting with was destroying lots of data before it came to his group. Very cool. […]
A reader wrote in to ask why I’m not more forcefully advocating new laws around information security. After all, we report on hundreds of failures with deeply unfortunate consequences for people. Those people have little say in how their data is stored, so shouldn’t we have a law to protect them? We probably should, and […]
This was supposed to be a part of my book review post, but early user testing showed us confusion and a desire for a more tightly focused blog post experience… It may also help to attend events like the “Security User Studies Workshop at SOUPS 2006” or the “Workshop on Psychological Acceptability and How to […]
At Blue Hat, David Litchfield of NGS asked me ‘how many of the issues we see are related to SQL injection?’ I did a review of the breach archive here, and found less than half a dozen that seemed decent candidates: State of Rhode Island, 4,118 or 53,000 CC, Hacker Reeves Namepins, Unknown # Cop […]
Story at CNET. In related news, OfficeMax says there’s no evidence they were broken into, and back it up with help of outside experts. I’m done being a Kremlinologist on this one, for now. With as little solid info as has made it into the press, it’s just not worth it. Perhaps some facts will […]
The CBC has a story on how “Global child porn probe led to false accusations:” An international investigation of internet-based child pornography has led to accusations against innocent victims of credit card fraud, a CBC News investigation has found. In other cases, victims of identity theft found themselves fighting to save their reputations, jobs and […]
Simson Garfinkel sent me a copy of “Security and Usability: Designing Secure Systems that People Can Use,” which he co-edited with Lorrie Faith Cranor. [Updated spelling of Lorrie’s name. Sorry!] I was really hesitant when I got it because I tend to hate collections of academic papers. They’re often hard to read, heavily redundant, and […]
J. in the Windows Build room, and some labels on a cabinet. And baby, that’s all you’re gonna see of the pictures. We value everyone else’s privacy, unless you were there. In which case, it’s all groovy. Drop me a note and you’ll get the super-double-secret URL. As to the picture honoring ‘patch Tuesday,’ I […]
Information courtesy of the Reporting Form E&Y filed pursuant to New York state law. The consulting firm has been criticized for the delay in reporting this breach, which occurred on January 4.
American Banker has a useful article about the debit card/PIN breach that has been making news. Unfortunately, it is behind a paywall. After reciting the background, the article presents some additional info in Q and A form. Herewith, some fair-use excerpts. All italics emphasis is added. If you have access, I urge you to read […]
Adam’s Private Thoughts on Blue Hat, reminds me that I’ve been meaning to post about Microsoft’s recent CSO Summit. This was an invitation-only spin off of Microsoft’s Executive Circle, and was a mix of MS product presentations, round table discussions, and non-MS folks speaking on how they dealt with real world scenarios in their various […]
I just got my “Your Social Security Statement” in the mail. The very first words on the top of it are “Prevent identity theft—protect your social security number.” Inside, it prints only the last 4 digits (the password to my cell phone). If your bank, school, or employer does worse, ask them why they’re less enlightened […]
As I mentioned, I was out at Microsoft’s Blue Hat conference last week. As it was a private event, speakers’ names are being kept private right now. I’m all in favor of privacy. Unfortunately, that makes it hard to properly attribute this bit of genius: 1 bottle of beer on the wall, 1 bottle of […]
New Jersey’s breach notification law went into effect in mid-December 2005. Like New York’s, it requires that a state entity be notified, in addition to the persons whose info was exposed: c. (1) Any business or public entity required under this section to disclose a breach of security of a customer’s personal information shall, in […]
[Update: Everyone says I’m being taken, in the comments.] French archaeologists have taken pottery from ancient Pompeii and played the grooves back like a record to get the sounds of the pottery workshop, including laughter. Click “Telecharger la video” to play the short video which contains a sample of the audio. Audio from ancient Pompeii, […]
…or, more generally, “I’m now doing that weird thing I saw an influential elder do, but now it seems to make sense”. I have several examples from my own life (generally rather predictable for a balding 40-something suburbanite), but just today I found another one, and I didn’t see it coming.
Mike Bond at Cambridge University has a page “Chip and PIN (EMV) Point-of-Sale Terminal Interceptor,” in which he documents: Our interceptor is a prototype device which sits between a Point-of-Sale (POS) terminal in a shop and the Chip and PIN card carried by a customer. It listens passively to the electrical signals – “the conversation” […]
The federal Privacy Commissioner is looking into a faxing incident involving Canadian Imperial Bank of Commerce and one of its clients. The case began last October when CIBC was told by Christine Soda that she had been receiving faxes at her home in Mississauga that were supposed to be going to Gerry McSorley, who runs […]
A massive amount of investigation data kept by Ehime Prefectural Police has been leaked onto the Internet, apparently after the computer that kept the data was infected with a virus through the file exchange software Winny, it has been learned. The amount of information leaked from the Ehime police computer is about four times that […]
Information on about 2,800 patients who had surgery at a privately-run hospital in Toyama between 1997 and December 2004 was unintentionally uploaded to the Internet. According to the hospital, the man in charge of data on surgery transferred the information–consisting of patients’ names, sexes, birthdates and information on surgical procedures for which they were hospitalized–to […]
Jeremy Rauch over at Matasano is running a survey on how companies are using HTTPS/SSL. I encourage you to go there and respond. My answers are below the cut.
The Associated Press is reporting that: An Internet server used by the state Transportation Department’s Ferry Division to process credit card payments for ferry fares may have been breached by outsiders, the agency said Friday. The computer database contained 16,000 credit card numbers, the DOT said. The Office of the State Controller has notified its […]
Merchants and credit card processors are not allowed to store a host of sensitive data, according to Visa and MasterCard. That includes personal identification numbers, or PINs, used to withdraw cash, the three-digit code on the signature panel, and data on the magnetic stripe on the back of credit cards. A Visa spokeswoman would not […]
Michael Howard over at Microsoft has a great post on why security analogies are usually wrong, with a beautiful analogy of his own that aptly makes his point. Also, note that Ed Felten is currently teaching a class, InfoTech & Public Policy, at Princeton. Students are required to post weekly, and non-students are encouraged […]
The news that one of “Saturn’s moons is spewing water vapor” is worth reading because the universe is cool, Enceladus will have life found on it, and life will get more interesting. “Fix My Settings in IE7” is worth reading for user interface designers. I hope to see the idea exposed to some user testing […]
The phrase worth reading is a crutch for lazy writers. I use it a lot, and shall use it less. Please call me, and anyone else you read on this bit of spinelessness in our writing. At least, I’ll endeavor to say why I find something worth reading, and try to suggest which readers might […]
I’ve just finished reading “The Pursuit of Wow!” by Tom Peters. The essential message is that if you’re not enthused by what you’re doing, change things until you’re enthused. It’s a great reminder of the importance of passion for delivering great products and services. Unfortunately, as a startup veteran, there’s a conflict that I run […]
So says Gartner analyst Avivah Levitan, as reported in Computerworld. Much has been made recently about a purported “class break” of Citi’s ATMs. A class break being “an attack that breaks every instance of some feature in a security system”. The term was popularized by Bruce Schneier, in Beyond Fear, from which this definition comes. […]
It would be so nice if you could put the same information on the web, the departures board, and the gate. I’d like to now say KTHXBY, but I can’t, because no one here seems to know when my flight is leaving. I know, you all don’t do a lot of business in Denver, so […]
There’s a fascinating new paper available from West Point’s Combatting Terrorism Center, on “Harmony and Disharmony: Exploiting al-Qa’ida’s Organizational Vulnerabilities.” What I found most fascinating about the paper was not the (apparently) new approach of reading what the terrorists are saying to gain insight into their weaknesses, but its adoption of the language of economics […]
Access and correction rights are something the DMA wants removed from the bill, Cerasale said. For one thing, it would be expensive for list brokers and compilers to set up procedures enabling consumers to access and correct data. For another, the same hackers who caused the breach could also change the data. Multichannelmerchant.com You can’t […]
Ethan Zuckerman did a great job of blogging from TED. The most interesting post for me was his summary of David Pogue’s talk: But he’s a big fan of the iPod and the “cult of simplicity”. Despite violating every rule of product design – going up against Microsoft, having fewer features, having a proprietary, closed […]
I’m on the road this week, here and there, with here being, well, illustrated and there being Seattle, at Microsoft’s Blue Hat event. Some things that I’m hoping to find some time to write about include: “Person to Person Finance” at the Economist (paywall) is fascinating, and I think there’s a fascinating question of if […]
The provincial government has auctioned off computer tapes containing thousands of highly sensitive records, including information about people’s medical conditions, their social insurance numbers and their dates of birth. Sold for $300 along with various other pieces of equipment, the 41 high-capacity data tapes were auctioned in mid-2005 at a site in Surrey that routinely […]
In a jargon-rich yet readable essay, (“Cryptographic Commitments“) David Molnar discusses the assumptions that he brings to his work as a cryptographer. It’s fascinating to me to see someone lay out the assumptions portion of their orientation like this, and I think readers can ignore the specifics and get a lot out of the essay. […]
Kim Cameron, in the course of saying nice things about us (thanks, Kim!) says: “In my view, the identity problem is one of the hardest problems computer science has ever faced.” I think this is true, and I’d like to tackle why that is. I’m going to do that in a couple of blog posts, […]
A rose by any other name might smell as sweet, but it would certainly be confusing to order online. Consistent naming is useful, but requires much effort to get right. In identity management, which I hadn’t thought of as closely related to taxonomies, Zooko has argued that names can be “secure, decentralized or human memorable […]
During 2005, the Vail Police Department alphabetized hundreds of drivers licenses, passports and other shoddy identification that will be incinerated at year’s end. Once the IDs come through the department’s doors, they’re gone for good, Mulson said. A liquor license allows bars to confiscate any ID that is fake or appears to be fake. Glendining […]
Yesterday, DaveG posted “When OSX Worms Attack.” It’s some good analysis of the three Apple Worms: Safari/Mail Vulnerability: Far more interesting. This is a serious vulnerability that needs to be fixed. If you are Mac user, I would at the very least uncheck ‘Open Safe Files’ in Safari preferences. I don’t understand why Apple isn’t […]
Executive summary: Prescription drug benefits provider Medco employee loses laptop with Ohio government employee (and dependents) info. Waits six weeks to let Ohio know. Ohio complains vociferously. Interestingly, the names of the affected individuals were not on the laptop. Money quote from a Medco spokesperson: You’re as efficient as the lessons learned in the last […]
In Big Bangs, John Robb uses complex aircraft dynamics as a fascinating metaphor for society: If we look at today’s global environment we see a moderately unstable system. It is a relatively high performance system that is increasingly controlled by global markets. This explains why it is spreading so quickly. However, our drive towards a […]
The comments on “Patents and Innovation” and “New Products, Emerging from Chaos” have been really good. I want to draw your attention to them, because I’m impressed at how much has been added. I’m really enjoying the feedback, and the ability to continue a thread that’s emerged from a comment. I’m also curious what I […]
Twelve barrels of the world’s most alcoholic whisky, or enough to wipe out a medium-size army, will be produced when the Bruichladdich distillery revives the ancient tradition of quadruple-distilling today. With an alcohol content of 92 per cent, the drink may not be the most delicate single malt ever produced but it is by far […]
In responding to “New Products, Emerging from Chaos,” Albatross makes a good comment about how the RSA patent expiry didn’t lead to an immediate outpouring of new products. Albatross also mentions how transaction costs encourage people to look for new ways to solve a problem. Mordaxus says there has been an explosion in the use […]
I’ve been saying for a while that destroying information has an ironic tendency: While it’s quite hard to really destroy data on a computer when you want to, (for example, “Hard-Disk Risk“) it’s quite easy to lose the data by accident. Similarly, while it’s quite hard to make code that runs and does what you […]
In a recent post, “The Future Belongs To The Quants,” Chris suggests that risk mitigations must be quantifiable. My post “In The Future, Everyone Will Be Audited for 20 Years,” lists what the FTC is requiring for risk mitigation. It seems none of it is quantifiable. Chris? (Incidentally, I think this iptables […]
There is no such thing as perfect security. This week, Arthur commented on “40 Million Pounds Sterling Stolen from British Bank.” Mistakes do happen, and it’s nice to see that not only did the M.D. Anderson Cancer center ensure that their data was stored encrypted, they chose to notify people that it happened: The private […]
We made a few changes yesterday. There’s now a special archive page for the “Security Principles of Saltzer and Schroeder, illustrated with scenes from Star Wars” series of posts. I’ve gotten more kudos for that series than anything else, so added a way for you to read them all in the order they were presented. […]
I’ve put together a small set of web pages containing links to current and pending legislation, breach listings, various on-line resources, and so on. There is probably not much there that is new to most readers of these words, but the fact that it is in one place may be helpful. The URL is http://www.cwalsh.org/BreachInfo/ […]
I’m looking for code that will parse the emails sent by online travel agencies and airlines. Ideally, it would be Python code that allows me invoke something like itinerary.get_next_flight(msg) and get a dictionary of (to, from, airline, flight #, date), etc. Does such a library exist?
Surprise surprise, the Department of Justice doesn’t think that the Bush administration’s request for search data violates users’ privacy rights. [Edit: Fixed broken link] [Update: Try this link instead. ]
Consulting firms are interesting beasts. Often, they are able to make great changes in their clients’ organizations, perhaps not so much because their people are smarter, or even more knowledgable, but because they aren’t subject to the same incentives (pecuniary and otherwise) that client employees face.
Something is seriously wrong when the New York Times has an article “I.R.S. Finds Sharp Increase in Illegal Political Activity,” and fails to mention the free speech issues associated with the claptrap coming out of Congress: While pointing out the extent of the problem, the agency published more guidance for nonprofit organizations, including examples of […]
The title is of course stolen from Dan Geer. By now, many readers of these words will be familiar with the recent finding in Guin v. Brazos Higher Education Services [pdf] that a financial Institution has no duty to encrypt a customer database. In dismissing the case with prejudice, the court took note of an […]
In a trenchant comment on “Secretly Admiring,” Victor Lighthill writes: Not to disrespect Ron Rivest or Credentica’s Stefan Brands, but patenting your ideas in crypto is, historically, a great way to ensure that it takes them 15 years to go from concept to use. While there may be important grains of truth in this, and […]
You know breaches are reaching the public consciousness when spammers use them to make money. I got this in email yesterday, along with a URL that I don’t feel like linking. Banks would do really well to send less email with the words “click here,” and more saying “visit our site using a bookmark.” Good […]
UAE running our ports? CFIUS is cool with that. Israeli ownership of an IDS company? Now hold on there, pardner. Hat tip to Richard Bejtlich.
Via news.com.au: BANK statements, including customers’ private details, were left on the side of a busy Sydney road after the documents fell off the back of a truck. The confidential account information and credit card statements of thousands of Commonwealth Bank customers were left lying on the Hume Highway at Warwick Farm, in Sydney’s south-west, […]
As reported in The Australian, a group of co-ordinated criminals stole over 40 million pounds in cash from a processing center. They did so by the expedient process of dressing up as police officers and kidnapping the wife and child of one of the center’s managers. They then were escorted on site where they subdued […]
In the largest known compromise of financial data to date, CardSystems Solutions, Inc. and its successor, Solidus Networks, Inc., doing business as Pay By Touch Solutions, have agreed to settle Federal Trade Commission charges that CardSystems’ failure to take appropriate security measures to protect the sensitive information of tens of millions of consumers was an […]
By now, most have heard about Dubai Ports World, a foreign entity, assuming control of operations at various U.S. ports. The arguments around this transaction are predictable and uninteresting. One thing that is clear is that the Committee on Foreign Investment in the United States (CFIUS) is legally mandated to consider such deals. In fact, […]
Nothing we ever create, especially software, is ever perfect. One of the banes of professional systems administrators is the software update process, and the risk trade-offs it entails. Patch with a bad patch and you can crash a system; fail to patch soon enough, and you may fall to a known attack vector. The mobile […]
Read “Learning from Sony: An External Perspective” on Dan’s blog: The incident represents much more than a black eye on the AV industry, which not only failed to manage Sony’s rootkit, but failed intentionally. The AV industry is faced with a choice. It has long been accused of being an unproductive use of system resources […]
Quick! Name the speaker: In a lot of countries, statements like “this person is over 18”, “this person is a citizen”, the governments will sign those statements. When you go into a chat room, for example, in Belgium, they’ll insist that you present not necessarily the thing that says who you are, but the thing […]
Brian Krebs wrote about a botnet and the 733t d00d who ran one, nom de hack 0x80. Well, turns out the doctored on-line photo the Washington Post ran contained metadata identifying the gentleman’s rather small home town. Coupled with information in Krebs’ article concerning businesses near 0x80’s residence, identifying the young criminal would seem a […]
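The metadata slip described above is the kind of thing a few lines of parsing can surface before a photo goes out the door. The following is an added example, not code from the original post, from Krebs’ article or from the Post; it walks a JPEG’s marker segments and pulls out the IPTC caption fields (city, sublocation, caption, byline and so on), which is where wire-service and newsroom photos commonly carry place names. The post does not say which field actually named the town, so the field set and the constructed in-memory sample image are assumptions for illustration.

```python
import struct

# IPTC IIM datasets that routinely ride along in news photos and can place a subject.
# Assumed field set for this example; the post does not say which field leaked the town.
IPTC_FIELDS = {
    (2, 80): "byline",
    (2, 90): "city",
    (2, 92): "sublocation",
    (2, 95): "state",
    (2, 101): "country",
    (2, 105): "headline",
    (2, 120): "caption",
}

def iter_segments(data: bytes):
    """Walk JPEG marker segments from SOI up to SOS/EOI, yielding (marker, payload)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        if marker in (0xD9, 0xDA):              # EOI, or SOS: metadata segments all sit before it
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # standalone markers carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # counts the 2 length bytes
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def parse_iim(block: bytes) -> dict:
    """Parse IPTC IIM datasets (0x1C, record, tag, 16-bit length, value) into {(record, tag): [values]}."""
    out = {}
    pos = 0
    while pos + 5 <= len(block):
        if block[pos] != 0x1C:
            break
        record, tag = block[pos + 1], block[pos + 2]
        size = struct.unpack(">H", block[pos + 3:pos + 5])[0]
        if size & 0x8000:                       # extended (long-form) length: stop rather than misparse
            break
        out.setdefault((record, tag), []).append(block[pos + 5:pos + 5 + size])
        pos += 5 + size
    return out

def parse_app13(payload: bytes) -> dict:
    """Find the IPTC resource (ID 0x0404) inside a 'Photoshop 3.0' APP13 payload."""
    header = b"Photoshop 3.0\x00"
    if not payload.startswith(header):
        return {}
    found = {}
    pos = len(header)
    while pos + 12 <= len(payload) and payload[pos:pos + 4] == b"8BIM":
        res_id = struct.unpack(">H", payload[pos + 4:pos + 6])[0]
        name_len = 1 + payload[pos + 6]         # Pascal-string name, padded to an even byte count
        name_len += name_len % 2
        pos += 6 + name_len
        if pos + 4 > len(payload):
            break
        size = struct.unpack(">I", payload[pos:pos + 4])[0]
        pos += 4
        if res_id == 0x0404:
            found.update(parse_iim(payload[pos:pos + size]))
        pos += size + (size % 2)                # resource data is also padded to even length
    return found

def location_hints(jpeg: bytes) -> dict:
    """Return the human-readable IPTC fields in a JPEG that could place its subject geographically."""
    hints = {}
    for marker, payload in iter_segments(jpeg):
        if marker != 0xED:                      # APP13 carries the Photoshop/IPTC block
            continue
        for key, values in parse_app13(payload).items():
            name = IPTC_FIELDS.get(key)
            if name:
                hints[name] = "; ".join(v.decode("utf-8", "replace") for v in values)
    return hints

def build_sample_jpeg(city: str, caption: str) -> bytes:
    """Constructed sample: a header-only JPEG carrying an IPTC block (not a real photo)."""
    def dataset(record: int, tag: int, value: bytes) -> bytes:
        return b"\x1c" + bytes([record, tag]) + struct.pack(">H", len(value)) + value
    iim = dataset(2, 0, b"\x00\x02") + dataset(2, 90, city.encode()) + dataset(2, 120, caption.encode())
    resource = (b"8BIM" + struct.pack(">H", 0x0404) + b"\x00\x00"    # empty Pascal name, padded
                + struct.pack(">I", len(iim)) + iim + (b"\x00" if len(iim) % 2 else b""))
    payload = b"Photoshop 3.0\x00" + resource
    return b"\xff\xd8" + b"\xff\xed" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"

if __name__ == "__main__":
    sample = build_sample_jpeg("Smalltown", "Suspected bot herder at home")
    print(location_hints(sample))
```

Run it over the real file before publication rather than after; anything `location_hints` returns is text a reader can combine with the article’s other details, exactly as the post describes. EXIF (APP1) can carry GPS coordinates and camera serials in the same way and would need its own TIFF/IFD walker, which this example leaves out.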
Brian Skyrms’ The Stag Hunt and the Evolution of Social Structure addresses a subject lying at the intersection of the social sciences, philosophy, and evolutionary biology — how it is possible for social structures to emerge among populations of selfishly-acting individuals. Using Rousseau’s example of a Stag Hunt, in which hunters face a decision between […]
Yet another incident of ineffective redaction? Adam’s del.icio.us bookmarks alerted me to this blog entry, in which commenters describe the ease with which the drivers’ license numbers of witnesses to the VP’s recent hunting accident are revealed. If this stuff is worth blocking, it’s worth blocking properly.
How are True.com’s Valentine’s Day e-mails targeted? Very simply: one version of their e-mail targets black singles, another targets East Indian lonely hearts, and other versions target the Asian and Hispanic loveless. (Our multi-cultural bots were lucky enough to get one of each). There’s nothing wrong with that on the surface. But we wondered how […]
Harold Hurtt has suggested that surveillance cameras be placed “in apartment complexes, downtown streets, shopping malls and even private homes”, according to this story in the Seattle Post Intelligencer. In response, I hereby found…. The Hurtt Prize The Hurtt Prize is a $1120 (and growing) reward for the first person who can provide definitive videotaped […]
Go to preferences, general, and un-select that box. From “Apple Safari Browser Automatically Executes Shell Scripts,” via SANS and Eric Rescorla. Don’t miss Peter da Silva’s comment on Eric’s post. Eric, how do you get such good comments?
One of the most interesting and controversial aspects of Phil Zimmerman’s PGP was that it avoided any central repositories of information, relying instead on what Phil labeled the “web of trust.” The idea was that Alice “trusts” Bob, and Bob “trusts” Charlie, there’s some transitive trust that you can establish.[1] (I’m going to stop putting […]
For quite some time, Ian Grigg has been calling for security branding for certificate authorities. When making a reservation for a Joie de Vivre hotel, I got the attached Javascript pop-up. (You reach it before providing a credit card number.) I am FORCED to ask, HOWEVER, what the average consumer is supposed to […]
The FCC has asked for comments on “TELECOMMUNICATIONS CARRIER’S USE OF CUSTOMER PROPRIETARY NETWORK INFORMATION AND OTHER CUSTOMER INFORMATION.” “Customer Proprietary Network Information” is newspeak for “selling your phone records.” Several anonymous readers commented on “Selling Your Phone Records” about their troubles with T-Mobile. Here’s a chance to tell the FCC what you went through. […]
Ok, so the Stones are playing, free, in Rio. I figure the crowd will be big. Maybe huge. Apparently not a record-breaker, though: Saturday’s crowd may not be as big as that at Rod Stewart’s 1994 concert, also at Copacabana beach, which drew a crowd of 3.5 million. Rod Stewart?
Police say a convicted murderer used his job as a car salesman in Sandy to track a female customer to her home and rape her. Cleon Jones, 34, was arrested Wednesday on multiple first-degree felonies and remains in the Salt Lake County Jail without bail. Authorities allege Jones tracked down his victim by using her […]
An IT person troubleshoots dodgy printing of US earnings documents by loading 6,000 of them onto a laptop. Hilarity ensues when the laptop later turns out to be infected with malware detected during “routine monitoring”. Via wcfCourier.com: The University of Northern Iowa has warned students and faculty to monitor their bank accounts after someone accessed […]
Get your custom shirts with font size controlled by word frequency. It’s shirts-2.0, now available from Snapshirts. Cool.
John Robb has some very interesting thoughts on the next major al Qaeda attack on the United States in “The Next Attacks on America:” The impact of these attacks, particularly if they are numerous (attracting copycats?) and spread out over an extended period of time will be severe. Given their lack of symbolic content (and […]
In 2004, a graduate student apparently posted a class roster of 601 students, complete with names and social security numbers on the web. (“ODU Graduate Student Posts Student Information on Website, School Investigating,” via Netsec.) Update: Lyger of Attrition pointed out that the dates in the WAVY-TV story don’t add up. There’s a story in […]
Today we got a sample of a rather interesting case, a Mac OS X Bluetooth worm that spreads over Bluetooth. OSX/Inqtana.A is a proof of concept worm for Mac OS X 10.4 (Tiger). It tries to spread from one infected system to others by using Bluetooth OBEX Push vulnerability CAN-2005-1333. Via F-Secure. I feel weird linking […]
The Agriculture Department says it accidentally released Social Security numbers and tax IDs for 350,000 tobacco farmers. But the department says those who received the information agreed to destroy copies and return discs to the government. The agency said it inadvertently released the data in response to Freedom of Information Act requests about the tobacco […]
The names and Social Security numbers of about 27,000 Blue Cross and Blue Shield of Florida current and former employees, vendors and contractors were sent by a contractor to his home computer in violation of company policies, the company said Thursday. The contractor had access to a database of identification badge information and transferred it […]
There seems to be a trojan out for the Mac. See New MacOS X trojan/virus alert, developing…. There’s some interesting tidbits: 6a) If your uid = 0 (you’re root), it creates /Library/InputManagers/ , deletes any existing “apphook” bundle in that folder, and copies “apphook” from /tmp to that folder 6b) If your uid != 0 […]
The Suffolk county [New York] clerk’s office has exposed the Social Security numbers of thousands of homeowners on its Web site, and officials said they don’t have a way to remove them. And soon, a new plan will make it easier to retrieve them. Mortgages and deeds that contain Social Security numbers for an estimated […]
It’s been a year since Choicepoint fumbled their disclosure that Nigerian con man Olatunji Oluwatosin had bought personal information about 160,000 Americans. Bob Sullivan broke the story in “Database giant gives access to fake firms,” and managed to presage much of what’s happened in the opening paragraphs of his story: Last week, the company notified […]
(From Something Awful, via Boing Boing.)
Light blue touchpaper is a new web log written by researchers in the Security Group at the University of Cambridge Computer Laboratory. You should read it. As for the headline, zombies eat brains. There’s plenty of ’em [edited to add: brains, that is!!] in close proximity in Ross Anderson’s group. ’nuff said.
John Robb has a fascinating post on how networked organizations learn and improve their orientation as they engage with their worlds. In “Emergent Intelligence,” Robb focuses on the Iraqi insurgency, but draws important and general lessons. He says there are five factors needed for emergent intelligence: A critical mass of participation. I’d suggest that a […]
Cities can require stores to send customers’ identification to an electronic database for police to monitor, judges in two [Canadian] provinces have ruled this week. Cash Converters Canada Inc. and British Columbia’s largest pawn shop have each failed to persuade judges that a new generation of city bylaws is trampling customers’ legal rights. From “Courts […]
Here’s one that we all need from time to time — France’s “Security Feel Better” drink. [It’s for hangovers, but a guy can hope, right?]
3. Protect Stored Data 3.1 Keep cardholder information storage to a minimum. Develop a data retention and disposal policy. Limit your storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy. 3.2 Do not store sensitive authentication data subsequent to authorization (not […]
Via lyger of the Dataloss mailing list, I learned of an article claiming that Wal-Mart may be the big-box retailer involved in several high-profile card reissues stemming from a breach which led to an international series of card frauds. In what appears to be a widening incident, Bank of America, MasterCard and Visa all announced […]
At lunch after Shmoocon, Nick Mathewson said he’d like to pay something between zero and the amount of money in his wallet. I think this suggests a fascinating game, which is that Alice asks Bob for some amount of money. If Bob has that much money in his wallet, he pays. Otherwise, Alice pays him […]
Earlier today Chris wrote (“Naming names isn’t always bad“): A quick aside to optionsScalper, since you mentioned a firm’s duty to shareholders: when it comes to thinking about breach notices, I think about the efficient markets hypothesis, and whether investors might rationally think that failure to protect data might impact future profitability. Bugger efficient markets! […]
A good breach disclosure fills you up with what happened, how, and what the company is doing for you. But too often, such notices are soggy and imprecise. Want more precision in the recipe? Beefier response? Cooks Illustrated set out to see what could be done, in “What Happened To Your Website.” Unfortunately, the disclosure […]
In a comment to an earlier blog entry concerning a ‘he who must not be named’ policy for card processors and others who get breached , optionsScalper asks “given Adam’s recent series on “Disclosure” (at least five posts back to the BofA post on 1/21/2006), how do you (or Adam) assess the disclosure in this […]
As mentioned on Freedom To Tinker and by Lauren Gelman, at the Center for Internet and Security, the TSA has mothballed its plans to deploy Secure Flight. Though the TSA will surely come up with something else, this is definitely a step in the right direction.
Establishing villainy is hard work. Too little, and your villains seem pathetic. Too much, and they’re over the top. Even drawing deeply on Joseph Campbell and with the music of John Williams, Lucas still needs actions to show that Darth Vader is the embodiment of evil. What does he choose? The first time we see […]
Buried in your wireline and wireless telephone subscriber agreement is a notice concerning “customer proprietary network information” (CPNI). CPNI is your calling records. CPNI shows the phone numbers you called and received and for how long you talked. Privacy Rights Clearing House has a guide to “opting out of CPNI sharing.” This is great, because […]
Sam Hughes on responding to terrorism. Finally a rational reaction! (Via Ceci n’est pas un Bob)
The Fifth Workshop on the Economics of Information Security (WEIS 2006), University of Cambridge, England, June 26-28, 2006 has issued a call for papers. Submissions are due March 20th.
In “How to Manage Passwords and Prevent Phishing,” Ping writes: So, right up front, here is the key property of this proposal: using it is more convenient than not using it. This property makes this proposal unique (as far as I am aware). All the other proposals I have seen require the user, on each […]
For the past six months, Brigham and Women’s Hospital in Boston has been accidentally faxing the confidential medical records of women who’d recently given birth to a Boston investment bank, regardless of the bank’s repeated attempts to stop them, the Boston Herald reports. (via CSO Online.) (and) The records, called inpatient admission sheets, contain a […]
Although Washington, DC routinely capitalizes on the strictest interpretation of its own traffic laws, the federal city has found itself in violation of a federal law intended to protect drivers from identity theft. Since December it has been illegal to display Social Security numbers on driver’s licenses, yet the District Department of Motor Vehicles continues […]
A “human error” at Blue Cross and Blue Shield of North Carolina allowed the Social Security numbers of more than 600 members to be printed on the mailing labels of envelopes sent to them with information about a new insurance plan. (“Computerworld“)
This administration reacts to anyone who questions this illegal program by saying that those of us who demand the truth and stand up for our rights and freedoms somehow have a pre-9/11 world view. In fact, the President has a pre-1776 world view. Our government has three branches, not one. And no one, not even […]
In comments on Chris’s post “Nations Bank, 100,000 credit cards, breach at unnamed(!) processor,” OptionsScalper asks: It is amazing that the unnamed processor remains unnamed (or do I misunderstand?). I think the risk to customers at this bank has not been reduced, i.e. card replacement is ineffective. How does one even go about measuring whether […]
From Indychannel.com: Regions Bank is canceling the credit cards of 100,000 of its customers in 15 states — including Indiana — saying a separate company put their credit information at risk. Regions said the security breach involves a company that processes credit and debit cards nationwide. The bank, which says it was not responsible for […]
Bob Sullivan has a must-read article “Her ATM card, but her impostor’s picture” about a woman whose SSN is being used by someone else: For years, Margaret Harrison believed she had an impostor. There were signs her Social Security number was living a double life. Four years ago, an unemployment office in West Virginia almost […]
Mike Howard (and company) have a great post about why “Code Scanning Tools Do Not Make Software Secure:” Such tools, often called static analysis tools, such as the tools we have included in Visual Studio 2005, are very useful, but they are no replacement for human intellect. If a developer does not know how to […]
OpenSSH 4.3 is out. It has one new feature: Add support for tunneling arbitrary network packets over a connection between an OpenSSH client and server via tun(4) virtual network interfaces. This allows the use of OpenSSH (4.3+) to create a true VPN between the client and server providing real network connectivity at layer 2 or […]
In responding to Lyal Collins’ comment on my “Disclosure Laws” post, I went and read the Rhode Island Identity Theft Protection act of 2005 (H6191). A couple of things occurred to me. First, the National Conference of State Legislatures has a great list of Security Breach Legislation. Second, and perhaps more important, I don’t see […]
In an article (“Credit card numbers reported stolen from R.I. state Web site“) about the Rhode Island breach, I found the following quotes: The breach on Dec. 28 was detected during a routine security audit and reported to the state government the following day, Loring said. At the time, the company believed only eight credit […]
Once I was loose on the streets of the city, I continued to be impressed with what I saw. Spain is definitely no stranger to terrorism. They suffered the Madrid bombings just over 18 months ago and have been living with the current form of the ongoing sometimes-violent Basque Separatist movement since 1968. Somehow, though, […]
Voting is a means of aggregating individual preferences in order to obtain a collective choice from a set of potential outcomes. Arrow notwithstanding, various voting schemes are often used for very important decisions. Voting is also used to select the winner of the Guy Toph Award, in Hillsborough County, Florida. In this case, the voters […]
I posted this to the Dataloss list earlier today. Sports Authority Inc. confirmed this week that it recently launched an investigation into its information system after four international banks alerted it to a potential intrusion into its network in December. With help from the Secret Service and Cybertrust Inc., the sporting goods company determined that […]
Guy Kawasaki has a great post up on “The Art of Schmoozing.” It’s full of great advice. So read it, and let me know, what can we do to make this blog more useful to you?
Following on Chris’s post on disclosure, I’ve been meaning to mention Peter Swire’s “A Theory of Disclosure for Security and Competitive Reasons: Open Source, Proprietary Software, and Government Agencies:” A previous article proposed a model for when disclosure helps or hurts security, and provided reasons why computer security is often different in this respect than […]
The acronym “IANAL” is no doubt familiar to anyone reading these words. Well, I Am Not A Lawyer, but Paul Rianda is, and he wrote an interesting article for Transaction World’s September 2005 issue, that I happened to run across. In it, Mr. Rianda, esq., discusses his view of why the breaches we are all […]
The New York Times reports that “Police Officers Sue Over Police Surveillance of Their Protests.” Previously in the New York Police Department department, we offered a look back at the “The New York City Police Riots,” which, if you think about it, indicates that New York City Police, unlike most of the unarmed demonstrators in […]
Did you ever have one of those days where you had a great, totally unfair pot shot to sling at Microsoft, and events just overtake your plans? It started out when I watched the videos of “Blue Hat 2005 – Security Researchers come to MS, Part I.” Now, I have some insight into the training […]
In what has become a near weekly occurrence, large companies are collecting your personal information (sometimes without your knowledge or consent), and subsequently letting it fall into the hands of the bad guys. This is your personal information: name, address, social security number, credit card number, bank account numbers, and more. Data Loss is a […]
Looks like a worm hit a personnel department PC. From the Colorado Springs Gazette: Personal information on about 2,500 current and former employees at the University of Colorado at Colorado Springs has been compromised by someone who hacked into a computer and infected it with a virus. Names, Social Security numbers, birth dates and addresses […]
A common argument used against state-level breach notification laws, and in favor of federal legislation overriding state laws, is that existence of these numerous state laws with their differing requirements and conditions raises the cost of compliance unacceptably. Just to be prepared to comply with potentially fifty distinct notification regimes, a firm would need to […]
Don’t miss the awesome video of Somebody’s Watching Me from Progress Now Action. (Dear Sama: Thanks!)
Via MSNBC: Two newspapers owned by The New York Times Co., the Boston Globe and Worcester (Massachusetts) Telegram & Gazette, said Tuesday they had mistakenly sent out slips of paper with credit card data of up to nearly a quarter million subscribers. The credit card numbers were printed on routing slips attached to 9,000 […]
Long Island Newsday reports on Honeywell paying for credit monitoring for 19,000 current and former employees after their information somehow wound up on a web site: The company notified employees about the breach within a day of learning of it Jan. 20, according to spokesman Robert C. Ferris. “The company immediately contacted the relevant service […]
“Contrasts in presentation style: Yoda vs. Darth Vader” is brilliant! How can I not love a mash-up of what you do and Star Wars?
Back in August, (“Demand Your records“) I mentioned the effort to request, under the Freedom of Information Act, records relating to the TSA’s illegal data grab on Americans. In December, I got a response, and share a redacted copy here. All redactions are mine. (The whole process of redaction is remarkably difficult, but that’s a […]
Workshop on the Economics of Securing the Information Infrastructure October 23-24, 2006 Arlington, VA Submissions Due: August 6, 2006 (11:59PM PST) Has just been announced. There’s a great topics list, and a great list for the program committee. It should be quite the workshop.
Remember the US Government plan to put a radio chip in your passport? The one whose security has never been seriously studied, whose justification seemed to boil down to a hope that it would speed processing, but even that was wrong? The one whose security gets worse every time anyone competent looks at it? Well, […]
In comments on “Bank of America Customers Under Attack,” Options Scalper writes: I’m uncertain of the “mandatory disclosure” that you discuss here. If by this you mean of data lost in transactions similar to what you mention above, I agree. But if you mean data from the call center to determine the level of theft/fraud […]
I love the little corners of the law that are ancient rights and privileges. They illustrate ways in which our institutions have evolved, and from where they came, we can learn much about where they may go. That’s why I was delighted to read “Russian-Israeli who Left Newfoundland and Labrador Church Sanctuary Is Deported.” Church […]
Dear San Jose Mercury News, In re your article, “Date set for hearing on Google data-sharing.” It’s not sharing when you’re holding a court hearing. It’s a demand. I share my toys with my friends. The man with a gun demanded my wallet. Please make a note of it. PS: If you didn’t promulgate the […]
There are calls for tougher guidelines in the handling of private information after 1,000 medical files went missing when a courier car was stolen in Langley on Thursday. The courier company says the driver left the car running for less than a minute. When the car was stolen, so was a box of health records […]
Thousands of credit card numbers were stolen from a state government Web site that allows residents to register their cars and buy state permits, authorities said Friday. The private company that runs http://www.ri.gov said that 4,118 credit card numbers had probably been taken, a state official said. All online transactions were suspended Friday until any […]
Rare video footage shows a giant octopus attacking a small submarine off the west coast of Vancouver Island. Salmon researchers working on the Brooks Peninsula were shocked last November when an octopus attacked their expensive and sensitive equipment. The giant Pacific octopus weighs about 45 kilograms, powerful enough to damage Mike Wood’s remote-controlled submarine. From […]
About 365,000 hospice and home health care patients in Oregon and Washington are being notified about the theft of computer backup data disks and tapes late last month that included personal information and confidential medical records…In an announcement yesterday, Providence Home Services, a division of Seattle-based Providence Health Systems, said the records and other data […]
From Computerworld (via Slashdot) we learn that a home health care business deliberately sent patient info home with an employee as part of their disaster recovery plan. I’m serious. Now, unless this guy lives under Cheyenne Mountain, I’m saying that’s a dumb plan. Anyhoo, some of the information was encrypted, but much of it was […]
Atlanta-based data aggregator ChoicePoint today agreed to pay $15 million to settle charges that it violated federal consumer protection laws when it allowed criminals to purchase sensitive financial and personal data on at least 163,000 Americans. The settlement addresses a pair of lawsuits filed against ChoicePoint by the Federal Trade Commission and represents the largest […]
On Wednesday, Ameriprise Financial, an investment advisor firm, said that a company laptop stolen from an employee’s parked car in December contained the personal information of some 230,000 customers and company advisors, The New York Times reports. The sensitive information contained in the laptop included the names and Social Security numbers of roughly 70,000 current […]
I’m at Black Hat Federal this week, helping introduce Debix. Of all the systems that I’ve heard about to combat identity theft, Debix’s stands far above the crowd, which is why I’ve joined their advisory board: In the physical world, we have the ability to place locks on everything from cars to safety deposit boxes […]
The University of Delaware “UDaily” reports on two breaches: [A] computer in the School of Urban Affairs and Public Policy was attacked sometime between Nov. 22-26 by an unknown hacker, and it contained a portion of a database that included Social Security numbers for 159 graduate students. […] A back-up hard drive was stolen from […]
Courtesy of Ero Carrera’s blog, much of which I am too mathematically ignorant to appreciate fully.
Everyone knows that the Motion Picture Association of America is very much against unauthorized copying of movies. Then why is the MPAA admitting that it copied a movie, when it was specifically told not to by the copyright owner. The movie in question is Kirby Dick’s This Film Is Not Yet Rated. According to the […]
This one seems to have slipped below the radar. From the January 25 Corvallis, Oregon Gazette-Times: Fair Isaac Corp., a Minnesota-based data security provider, late last week alerted the OSU Federal Credit Union, Citizens Bank, Benton County Schools Credit Union and Central Willamette Community Credit Union that customer debit cards bearing the Visa imprint may […]
In “Hayden Delivers Impassioned Defense of NSA,” Powerline excerpts Hayden’s Speech to the National Press Club (PDF). One section that jumped out at me was: GEN. HAYDEN: You know, we’ve had this question asked several times. Public discussion of how we determine al Qaeda intentions, I just — I can’t see how that can do […]
Ed Moyle has a very good post, “Inside Oracle’s Patch Kimono,” in which he compares Oracle’s process for working with vulnerability researchers with that of Microsoft. I’d like to add two really small bits: First, I’d have compared to the (MS-dominated) Organization for Internet Safety, and second, all of these put insufficient value on secondary […]
Not much detail on this one, but it looks like a box used for fundraising purposes got 0wned. The intrusion was detected by “security software” on January 13, but the intrusion itself is said to have occurred between November 22 and January 12. [I guess they run Tripwire monthly ;^)]. Information potentially obtained by the […]
A hacker, entrepreneur, and all around mischief maker, Melvin wanted something he could give to peers and prospective clients that spoke of this nature. Talk about a card that opens doors! Via Boingboing.
For Aisha Shahid and dozens of others who went to an advertised job fair in Chattanooga and got offers of nightclub work in Atlanta, Memphis and Miami, the “dream jobs” turned out to be an identity theft scam. A man who identified himself as record company and music group president William Devon took applications and […]
[Update: Fixed headline, thanks to anonymous.] Students who applied via the online application put out by the Department of Student Housing were alerted through either an e-mail or a letter that their private information might have been exposed. According to a University Relations news release, a computer file with names, addresses, birth dates, phone […]
The program for CodeCon 2006 has been announced. CodeCon is the premier showcase of innovative software projects. It is a workshop for developers of real-world applications with working code and active development projects. All presentations will be given by one of the lead developers, and accompanied by a functional demo. Early registration ends Jan 31.
[Update: I meant to tie this more closely to “Illicit” book review, because I think this illustrates those hard choices.] There’s some fascinating competing legal goals on display in the Washington Post story “Area Police Try to Combat a Proliferation of Brothels:” “Sometimes it takes five or six interviews to break these girls [sic], to […]
The Seattle Post Intelligencer has a story, “B of A Customers Hit By Thefts,” about cash withdrawals being made overseas: According to customer service representatives at Bank of America, there have been numerous reports of checking account fraud in Seattle, but many more incidents being reported from other states. The increases in fraud reports are generally […]
Get the bumper sticker! The background is that a Canadian MP, Sam Bulte, referred to people other than her film and music business corporate backers as “pro-user zealots” at an all candidates meeting. (Michael Geist has a good summary in “The Bulte Video, Boingboing has covered it extensively, and Technorati can help you find lots […]
The sixth presentation was based on a paper titled “Towards a Common Enumeration of Vulnerabilities” by David E. Mann and Steven M. Christey from the MITRE Corporation. This presentation also generated considerable interest from the audience. They tackled the problem of dealing with several heterogeneous vulnerability databases and presented the Common Vulnerability Enumeration (CVE) mechanism […]
In a comment on “Software Usability Thoughts: Some Advice For Movable Type,” Beau Smith asks “What Mac software do you like?” That’s a tough question for three reasons: First, there’s enough decent software (consistent, attractive, discoverable) that the bad stuff can generally be avoided. Secondly, I’d like to choose examples which are either free or […]
Department of Work and Pensions, 8,800 identities Her Majesty’s Revenue and Customs (HMRC) was forced to close down the tax credits website at the start of December last year, after a spate of fraudulent claims came to light which exploited the stolen identities of Department for Work and Pensions staff. Network Rail, 4,000 identities Primarolo […]
As readers of this blog probably are already aware, Google has been subpoenaed. The United States government is demanding, in part, that they provide a list of all URLs they index. This is something I’d expect them, or any other search firm, to want to keep secret. Imagine my surprise when I read this in […]
In “Six Messages From the New Bin Laden Tape,” Walid Phares transcribes, translates, and comments on the new Bin Laden tape.
Researchers led by Dr. Gitte Lindgaard at Carleton University in Ontario wanted to find out how fast people formed first impressions. They tested users by flashing web pages for 500 msec and 50 msec onto the screen, and had participants rate the pages on various scales. The results at both time intervals were consistent between […]
Before I’d had much in the way of coffee, I thought that the “Firefox Ping URLs” might offer a way to scan the web for sites to avoid. It would be simple. For each site mentioned in a ping URL, add it to a blacklist. The trouble with this is that the same set of […]
It’s all over the internet that Mozilla has added a “ping” attribute to URLs: I’ve been meaning to blog about a new web platform feature that we’ve added to trunk builds of Firefox. It is now possible to define a ping attribute on anchor and area tags. When a user follows a link via one […]
Oracle has just released fixes for 82 vulnerabilities. After taking several paragraphs to say “Many experts external to Oracle feel that patches for critical vulnerabilities are too slow in coming from the esteemed database giant, and have criticized the company for its slowness in responding to reports originating with outsiders”, Brian Krebs notes that security […]
An integer overflow in the handling of corrupt IEEE 802.11 beacon or probe response frames when scanning for existing wireless networks can result in the frame overflowing a buffer. From the FreeBSD Advisory. Researcher advisory is at Signedness.org. No word yet on if Macs are vulnerable. I think Richard at TaoSecurity sums it up well: […]
E*Trade is implementing a program under which it will reimburse on-line fraud victims for their losses, according to a New York Times report This is an interesting step. Now the question is whether investors who prefer to use their pet’s name as a password will shift their accounts to E*Trade :^)
One of the noteworthy aspects to the ‘NSA Wiretap’ revelations is how it has galvanized a broad swath of people, far beyond the “usual suspects” to state that the program was a mistake, and we need to function within the rule of law. For example, Suzanne Spaulding, former assistant general counsel at the CIA: Before […]
Hi, My name is () and I am a recruiter for (). I came across your name on an internet search and wanted to tell you about our opportunities available within our NYC and Houston locations. (), a key component of the firm’s () practice, provides the building blocks for a secure and protected business […]
These rare long clouds may form near advancing cold fronts. In particular, a downdraft from an advancing storm front can cause moist warm air to rise, cool below its dew point, and so form a cloud. When this happens uniformly along an extended front, a roll cloud may form. Image and text from “Astronomy Picture […]
Democracy Now has a radio interview, downloadable in several formats, and a transcript at “National Security Agency Whistleblower Warns Domestic Spying Program Is Sign the U.S. is Decaying Into a “Police State.” Reason’s Julian Sanchez has an interview “Inside The Puzzle Palace:” REASON: You’re referring to what James Risen calls “The Program,” the NSA wiretaps […]
Ethan Zuckerman has a great post about the practicalities of international workers sending money ‘home,’ “Remittance – the big business of sending money home:” It’s difficult to overstate the importance of remittance income to most African nations and many developing nations. Nworah cites a figure of $300 billion dollars sent from diasporas to developing nations […]
For example, last fall, an IT director at a travel club in Wyomissing, Pa., told Computerworld that he had found personal information on magnetic hotel key cards when visiting three major hotel chains. The IT professional said he read the cards using a commonly available ISO-standard swipe-card reader that plugs into any USB port. At […]
Another method, says Princeton University economist Alan B. Krueger, is to increase the civil liberties of the countries that breed terrorist groups. In an analysis of State Department data on terrorism, Krueger discovered that “countries like Saudi Arabia and Bahrain, which have spawned relatively many terrorists, are economically well off yet lacking in civil liberties. […]
“To leave a message, press ‘1234’ and listen to confidential client voicemail containing SSNs and other identifying information”. The compromised information dated back to mid-November 2005. Additional details at the Belleville News-Democrat, which notes that this is a repeat offender — the same office left unshredded confidential documents in a trash bin until the paper […]
Bruce Schneier links to an AP article about the hideous costs of the RealID Act. Early estimates were for $120 million, current estimates are for $300 million for the first year alone, and that’s just for three states, Pennsylvania, Virginia and Washington state. So we can safely say that nationally we’re looking at billions of […]
The folks at eEye and Fortinet have identified a variety of image based heap overflows that allow for arbitrary code execution on both OSX and on Windows. Also an article on news.com.com claims that the patch initially caused some issues for some users on both platforms, that have been addressed now. Seems that poor implementation […]
Public speaking is an art, but like every art it depends not only on innate talent, but also on mastery of a set of technical skills which empower the artist to share their vision with an audience in a compelling way. Presentations by Steve Jobs are unique, not within the computer industry, but across business. […]
In a comment on “Atlantis Resort (Bahamas) 50,000, Hacker,” Ian Grigg explains that the reason Bahamas Casinos collected 55,000 SSNs is that the various and sundry “anti-money laundering” regulations force them to, or be labeled “naughty.” Err, ‘non-compliant.’ How’s that for NewSpeak? There’s a pretty large steamroller behind such rules and regulations, and the push […]
A computer tape from a Connecticut bank containing personal data on 90,000 customers was lost in transit recently, the bank reported today. People’s Bank, based in Bridgeport, Connecticut, is sending letters to the affected customers, it said in a statement. The tape contains information such as names, addresses, Social Security numbers and checking account numbers. […]
When you’re facing hard time, and the chips are down, you need to hunker down and dig up all the dirt you can on the stool pigeon who fingered you. That’s where whosarat.com comes in: Who’s A Rat is a database driven website designed to assist attorneys and criminal defendants with few resources. The purpose […]
At the Windows Mobile team blog, Mike Calligaro releases a bunch of cool freeware, including a simple Bluetooth toggler. This will make demo’ing the Smurf Bluetooth logger sooo much easier. Thanks Mike!
There’s a story at CNet, “Microsoft to hunt for new species of Windows bug:” Microsoft plans to scour its code to look for flaws similar to a recent serious Windows bug and to update its development practices to prevent similar problems in future products. Now, it’s easy to kick Microsoft for not having perfect code, […]
This morning I got two different emails saying something like “I need an answer to that question.” Trouble is, I hadn’t seen the original emails. If you’ve sent me email lately, and not heard back, please resend it. I’m trying to respond to every email within 24 hours so I can get a clean inbox. […]
I read about these records being disposed of improperly yesterday but decided it wasn’t worth a blog entry. Since international hotel data breaches seem the up-and-coming thing, I have reconsidered. That and SecurityFocus stealing our move by getting the Bahamas breach into print so quickly :^). The BBC provides some additional detail: The discovery of […]
Customers of the Atlantis resort in the Bahamas have reason to worry this week, as over 50,000 identities have been taken from the hotel’s database. The information was revealed in a document submitted to the Bahamas Securities and Exchange Commission. The information includes typical information such as names, addresses and credit card details, but also […]
ROCKFORD, Ill. – The Winnebago County Clerk is apologizing for releasing a list of election officials that included Social Security numbers. County Clerk Dave Johnson said an employee forgot to blacken out the numbers before giving the list of Democratic election judges to county clerk candidate Jeff Polsean. The Illinois Freedom of Information Act exempts […]
Wow. An innocent man has been freed based upon his “brain fingerprint”. This happened over a year ago, but hey, I’ve been busy. The murder conviction of an Iowa man was overturned last year by that state’s highest court on the basis of a new technique called “brain fingerprinting”. Terry Harrington had served more than […]
AppArmor, the security tool formerly known as SubDomain, has been released under the GPL by Novell. See the AppArmor FAQ or the CNET story, “Novell delivers security shield for Linux computers.” If you need another layer of resilience for your Linux systems, take a look.
Unique, hardcoded device IDs are bad for privacy. We hate them. Our friends hate them. So it’s nice to see that Microsoft is making it harder to get to them: GetDeviceUniqueID attempts to address these issues and to reduce applications’ dependency on the precious device id. Firstly GetDeviceUniqueID can be called from the trusted or […]
I’ve been mulling over John Robb’s description of the (very cool) RFID zapper the Chaos Computer Club demoed at their conference. He calls them “the German branch (privacy activists) of the global guerrilla innovation network.” He also states that “In order to correctly route and track items from inception to purchase, these chips are attached […]
The Blog Safer Wiki was announced by the Spirit of America’s Anonymous Blogging project. There’s a lot of technology know how, and a lot of cultural issues that go into this, and Curt is doing a great job at bringing the technical knowledge to those who need it, and helping them help each other: Spirit […]
Justin Mason has some thoughts in “Google DRM and WON Authentication:” That’s interesting. In my opinion, given that quote, I’ll bet Google’s DRM is something similar to the copy-protection systems used for many games since about id’s Quake 3 and Valve’s Half-Life; an online “key server” which validates codes, tracks player IDs, and who’s viewing […]
Following up on previous posts on the concept of high assurance certificates (“Web Certificate Economics”), I’d like to draw attention to a CSOOnline blog post, “Phishers Now Targeting SSL:” The spoofing has taken a number of forms, which appear to be becoming highly sophisticated. They vary from exploiting browser flaws, to hacking legitimate sites or […]
The quotation is from Joseph Stiglitz, who has co-authored a new paper which conservatively estimates the costs of the Iraq war as exceeding one trillion U.S. dollars.
The study, which followed more than 1,300 adults over 2 years, found that those who consistently used a mobile phone or pager throughout the study period were more likely to report negative “spillover” between work and home life — and, in turn, less satisfaction with their family life. From “Cell phones tied to family tension,” […]
I have friends who believe that grammar is handed down from on high, either by Safire, or Strunk and White, or some are strange adherents of something they call ‘Chicago.’ One of them even argues that the rules of grammar are not subject to evolution. Which is odd, given that we’re speaking really bad French, […]
I realized today that Chris Hoofnagle’s blog at EPIC West wasn’t on my blogroll. He’s had lots of important posts up lately, from the informational (“CA OPP: 13 New Privacy Laws in Effect”) to the amusingly disgusting (“Pretexting Isn’t Lying, According to Bestpeoplesearch.com”). California’s Office of Privacy Protection just released an announcement that 13 […]
Here at SiteAdvisor, we strongly believe in the importance of this feature. But we admit that so far we’ve done a mediocre job explaining our motivation and our initial implementation. So writes Chris Dixon in “The Role of Affiliates in Spyware, Adware, and Spam.” Chris is using the Siteadvisor blog as an extended discussion of […]
After 9 years, I have completed Beautiful Evidence, except for the index and a few loose ends. We are currently proofing some difficult images on press, negotiating with printers, planning the order for paper and binding, and working through other production issues. Probably the major threats to breaking the schedule will be in color-correcting images […]
Two leading governor candidates are trying to outdo each other in protecting Minnesotans’ privacy…The candidates’ dueling news conferences produced more politics than policy, with each charging the other with not doing enough to protect citizens’ privacy. From “Governor is seeking privacy law changes.” I don’t like some of the proposals. It seems to me that […]
Following up with further conspiracy theory on Adam’s post, I also have to wonder just how accidental it was that a properly cryptographically signed version of the patch for WinXP was “posted to a community site” yesterday. Given the pressure to quickly produce a patch combined with the one produced by Ilfak Guilfanov, it wouldn’t […]
If you’ve followed the “WMF Vulnerability” that’s been all over the security blogosphere, with leaks into the mainstream media, then you know that today Microsoft released a patch. (If you don’t know this, please just go run Windows update.) I haven’t talked about it because I haven’t had much to add, but today’s release of […]
Rebecca MacKinnon has a post on Microsoft’s removal of a blog, run by Michael Anti from their MSN Spaces blog site. (“Why Microsoft censorship in China matters to everybody.”) I’m finding the justifications and responses (both official and unofficial) to be fascinating and ultimately confusing. Matt Marshall at SiliconBeat has “Microsoft and Bokee mired in […]
I’d like to remind everyone that Emergent Chaos now has three people posting, not just Adam. I see comments and links that assume I’m writing everything here, which is a little demeaning to Chris and Arthur. Also, I’d like to remind people that I maintain del.icio.us bookmarks of things I find interesting, but don’t have […]
The New York Times reports on the completion of the first phase of the treat-visitors-like-criminals US-Visit system. The article is informative, and tells us: The fingerprint check at the borders has turned up just 970 hits of visa violators or criminal suspects. The total rises to about 15,000 with inclusion of the cases identified overseas […]
If you haven’t read about Farris Hassan and his trip, take a minute to do so. He flew to Iraq to learn what was going on. I’d like to start by congratulating the teachers at Pine Crest School. How often, today, are teachers so inspiring? The goal of school should be to develop both a […]
Today I received a great ad for a newish security company, Devicewall. They are yet another company providing a solution for prevention of intellectual property theft. They sent me a stack of humorous stickers saying things like: “This Computer is Protected by BRSD Technology. Big Red Sticker of Doom technology leverages our natural fear of […]
Illicit, by Moisés Naím, is a tragic book. It is considered, insightful, wide-ranging, deep, and so close to amazing. Had Naím gone just a little further, it could have been brilliant, and the tragedy is that he didn’t. Perhaps I should back up, and explain. Naím is the editor of Foreign Policy. He has written […]
Stories like this one make me scratch my head and wonder, what is a breach? What should this category cover? Why do I blog these things? Why are we here? Why are you here? And what are those clowns doing over there? However, since we sent you this CD, we have become aware of a […]
One that I missed. The executive summary is that somebody, somehow, got into the machine that prints W-2s for the university. The University sent out an undated disclosure letter which was very sparsely detailed — “one of the worst” seen by Beth Givens of privacyrights.org, who’s seen plenty of ’em. Story is at the San […]
The Des Moines Register reports on a December, 2005 breach at Iowa State: [3,000 ISU employees’] personal data might have been viewed by hackers who infiltrated two computers earlier this month. One held about 2,500 encrypted credit card numbers of athletic department donors. The second computer contained Social Security numbers for more than 3,000 ISU […]
…may just have been found! The Associated Press reports that Fashion model Beverly Peele was arrested on identity theft charges for allegedly buying around $10,000 worth of housewares, appliances and furniture by using credit card numbers without permission, authorities said Friday. […] The complaint filed against the 30-year-old alleges she charged furniture, a refrigerator, a […]
I have a number of LPs which gradually I am ripping to disc, using The Analogue Ripper (which is adequate but I’m not raving). At the moment, I’m recording an old blues album I haven’t listened to in probably ten years. Naturally, then, I thought of “The UPS Song“, which you can even listen to. […]
Courtesy of IDA Pro developer Ilfak Guilfanov. Details are available via his web log, the existence of which I learned via the seemingly indefatigable Thomas Ptacek of Matasano.
Herbicide-resistant genetically-modified crops cross-breeding with weeds? Shocking. Via Slashdot.
… The arrest of Mayor Wood was ordered. Captain Walling of the Metropolitan Police was sent to arrest the Mayor but was promptly thrown out on his ear. Wood occupied City Hall protected by 300 of his Municipals who resisted a force of 50 Metropolitans sent there to arrest him. Later that day 50 Metropolitan […]
Oft-quoted Gartner analyst Avivah Litan weighs in on the intriguingly gentle treatment of Sam’s Club by Visa and MasterCard: Recommendations […] * MasterCard and Visa: Show far greater transparency in enforcing PCI standards. There is still too much confusion about the standard and how to comply with it — confusion that is increased by seemingly […]
I used to feel bad advocating for privacy laws. I’m generally down on laws restricting private contracts, and privacy laws seemed to be an intellectual inconsistency. I’ve resolved that feeling because a great many privacy-invasive systems depend on either social security numbers, or government issued identity documents. It seems quite consistent to restrict […]
[Update: I had accidentally linked an out of stock edition on Amazon. The new link has copies in stock.] Part of me thinks that training users is a cop-out. It’s a way for the technology industry to evade responsibility for the insecurity of their products, and blame customers for manufacturers’ failings. At the same time, […]
This week’s Mossberg’s Mailbox has a great point, that I can’t resist sharing: “However, I feel compelled to note that, if you allow your Internet usage to be totally ruled by security fears, you may miss out on a lot.” He then goes on to discuss some of the always on benefits such as automatic […]
A spokesman for the American military command that oversees training of the Iraqi forces also said that while he did not know the security forces’ ethnic mix, he believed that there were more Sunni troops than the election data suggested. From the New York Times, “Election Results Suggest Small Role For Sunnis in Security Forces.” […]
Marriott International Inc.’s time-share division said yesterday that it is missing backup computer tapes containing credit card account information and the Social Security numbers of about 206,000 time-share owners and customers, as well as employees of the company. Officials at Marriott Vacation Club International said it is not clear whether the tapes, missing since mid-November, […]
The BBC reports that the Mayor of London says “there had been 10 attempted attacks since 11 September 2001, two of which had come since the 7 July bombs.” (“Threat to London ‘disorganised’“) Where are the perpetrators? Are they free, because of insufficient evidence? Are they in jail? Were they killed by security forces? Claims […]
Now 17, David hit on the idea of building a model breeder reactor, a nuclear reactor that not only generates electricity, but also produces new fuel. His model would use the actual radioactive elements and produce real reactions. His blueprint was a schematic in one of his father’s textbooks. Ignoring safety, David mixed his radium […]
I am deeply saddened to have missed this story until now: Vandals set light to a giant straw goat Saturday night in a central Swedish town, police said, an event that has happened so frequently it has almost become a Christmas tradition. It was the 22nd time that the goat had gone up in smoke […]
I’ve made a bunch of changes to style and template stuff. Most noticeable should be that post titles are now links to the posts. There’s also a whole lot of consistency improvements for the Movable Type 3.2 software. The one remaining change is to bring full (extended) entries into the RSS feed. That MT3.2 software […]
In a report remarkable for what it doesn’t say, WLBT TV of Jackson, MS reports: A possible security breach has one bank giving customers new debit cards. BancorpSouth is sending out new cards to about 6500 customers. The vice president of the banks security department says account numbers were either lost or they were somehow […]
We get Mystery Science Theater 3000, they get Badly Dubbed Porn: Badly Dubbed Porn showcases vintage soft porn movies re-dubbed with a wickedly funny soundtrack by some of Britain’s most talented comedy actors. Via the lovely and very funny Ms. Kitka.
I’d like to draw your attention to two worthy causes: Tor, and the Creative Commons. Larry Lessig is looking to raise money to ensure that the Creative Commons maintains their non-profit status, and the fine folks who bring you the Tor Internet privacy tool are looking for donations so they can continue their important work.
(I got it from Mikko at F-Secure. If you don’t understand, click here.)
The Tallahassee Democrat reports on an interesting disclosure instance: whistleblowers revealing allegedly shoddy data security practices at their former employer. The twist is that those doing the talking are not the folks whose jobs were outsourced, but former employees of the outsourcing firm. From the article: In an affidavit taken for a lawsuit by five […]
The federal government is responsible for issuing Social Security numbers, but it may not be doing enough to protect these critically personal pieces of information on its own Web sites. Acting on a tip, InformationWeek was able to access Web pages that include the names and Social Security numbers of people involved in Justice Department-related […]
From the good old days, when science was not a matter of press releases, perception management or “long held beliefs.” Click the picture for a larger version at Astronomy Picture of the Day.
Scientists have discovered the “beautifully preserved” bones of about 20 dodos at a dig site in Mauritius. Little is known about the dodo, a famous flightless bird thought to have become extinct in the 17th century. No complete skeleton has ever been found in Mauritius, and the last full set of bones was destroyed in […]
In search of a terrorist nuclear bomb, the federal government since 9/11 has run a far-reaching, top secret program to monitor radiation levels at over a hundred Muslim sites in the Washington, D.C., area, including mosques, homes, businesses, and warehouses, plus similar sites in at least five other cities, U.S. News has learned. In numerous […]
This week’s Friday Star Wars Security Blogging closes the design principles series. (More on that in the first post of the series, “Economy of Mechanism.”) We close with the principle of psychological acceptability. We do so through the story that ties the six movies together: The fall and redemption of Anakin Skywalker. There are four […]
Watch this astounding video of a shark in the Seattle aquarium. I suggest turning down the volume, the only really useful thing you’ll learn is that the shark in question was about 3-4 feet long. Via TEDBlog
This is a followup to Gunnar Peterson’s comments on “Epstein, Snow and Flake: Three Views of Software Security.” His comments are in an update to the original post, “The Road to Assurance:” None of these views, by themselves are adequate. The combination of horizontal and vertical views is what yields the most accurate picture. Obviously, […]
In “Play Break,” Hilzoy writes: Here’s what it’s about: as most parents know, little boys tend to be more interested in toys like trucks, and little girls in toys like dolls. (I was an exception: someone gave me a doll once, and I dissected it.) There is no obvious way to decide whether this is […]
The question is a fair and natural one to ask, and I’d like to examine it in depth. I think my intuitive answer (“revelations about wiretaps don’t help the terrorists”) is wrong, and that there are surprising effects of revealing investigative measures. Further, those are effects I haven’t seen discussed. Allow me to explain the […]
Ford Motor Co. informed about 70,000 active and former white-collar employees that a computer with company data, including social security numbers, was stolen from a Ford facility. From the WSJ, “Ford Computer Holding Staff Data Is Reported Stolen.” “Where Identity Theft is Job #1!”
Among those who understand that software is, almost without exception, full of security holes, there are at least three major orientations. I’ve recently seen three articles, all of which I wanted to talk about, but before I do I should explain how I’m using the word orientation, and the connotations it carries. As used by […]
Lasalle Bank’s tape of mortgage-related information on 2 million customers has been found by DHL. (Thanks to Adam for the heads-up) No word on whether the tape was in a container which would show evidence of tampering, so this doesn’t foreclose (pardon the pun) the possibility of PII being stolen: […]the tape had been located […]
I’ve discussed the $100 laptop in “Freedom To Tinker, Freedom to Learn,” and “More on ‘Freedom To Tinker, Freedom to Learn’.” In “Tech Delusions and The Trouble with Christmas,” Kerry Howley discusses many reasons why this is a bad idea: For now, OLPC plans to sell only to governments of poor countries, not individuals here […]
Chris Anderson warms the cockles of our heart as he discusses the psychological acceptability of “The Probabilistic Age:” When professionals–editors, academics, journalists–are running the show, we at least know that it’s someone’s job to look out for such things as accuracy. But now we’re depending more and more on systems where nobody’s in charge; the […]
I’d like to talk a bit about usability as it intersects with software design. I’m motivated by three things: Firstly, my own attempts to be comprehensible and understandable, not only in this blog, but also in software whose design I participate in. Years ago, Steve Karkula provided me the phrase “design from interface” while doing […]
If you watch “The Simpsons”, you’ve probably seen “Puberty Boy“, the pimply-faced kid who appears in many episodes in a variety of menial jobs. Well, it looks like he may be working for the NSA: Q If FISA didn’t work, why didn’t you seek a new statute that allowed something like this legally? ATTORNEY GENERAL […]
Or, “I Wonder How They Figured It Out.” Online attackers breached the security of a server at digital forensics firm Guidance Software and stole the account information of nearly 4,000 customers, the company acknowledged on Monday according to news reports. From Rob Lemos, “Customer Data Stolen From Guidance Software.”
One of the really cool things about blogs is that very smart, knowledgeable people can offer up their opinions on topics of the moment. In this case, it’s Orin Kerr and Daniel Solove offering up extended legal analyses of the wiretaps. (Well, extended from the lay perspective, anyway.) Professor Kerr has posted “Legal Analysis of […]
Some friends have just launched Snarfer, a new Windows RSS reader, designed to be fast, efficient, and easy to use. Check it out! If you’re not familiar with RSS (Really Simple Syndication), it’s a way to bring lots of content, like blogs, into one place. If I didn’t have NetNewsWire (a Mac client) I couldn’t […]
Reevesnamepins.com, a company that manufactures the plastic and metal name tags that police officers around the country wear on their uniforms, had its customer database hacked recently, exposing credit card and other personal data for a number of police departments. So writes Brian Krebs in “Database Hack Exposes Police Financial Data.”
The Open Source Vulnerability DataBase (OSVDB) is in need of additional programmers. If you’re not familiar with it because you’ve been hiding in a cave somewhere, OSVDB is a tremendous project that dramatically enhances the quality and availability of vulnerability information. Today, they posted a teaser, “OSVDB is Closing:” That said, OSVDB could substantially benefit […]
Of a Financial Times online poll about torture, Alice Marshall asks “How did this even get to be part of the conversation?” Meanwhile, the BBC reports on the investigation of a Swiss Senator in “CIA abduction claims ‘credible:’” He went on: “Legal proceedings in progress in certain countries seemed to indicate that individuals had […]
Via USA Today: Days after the Sept. 11 attacks, the head of the National Security Agency met his workforce at the nation’s eavesdropping and code-breaking headquarters at Fort Meade, Md., near Washington, for a pep talk. “I told them that free people always had to decide where to draw the line between their liberty and […]
Ryan Singel has a post “Bush Wiretaps Supremely Illegal,” in which he discusses how this aspect of wiretaps are settled law. Perry Metzger’s excellent “A small editorial about recent events” is also worth reading: As you may all be aware, the New York Times has reported, and the administration has admitted, that President of the […]
There’s a great article in USA Today, “Meth addicts’ other habit: Online theft.” Unlike many articles of this type, the reporting is measured and carefully reported, and full of details that make it believable: One dumpster behind a call center in suburban Mill Woods proved to be a jackpot. In a nondescript strip mall just […]
The other day on “On Point,” I heard some astoundingly clear exposition of executive management, in the words of Dr. Bernadine Healy, the former CEO of the Red Cross. The program, Examining The Red Cross was promoted as: When 9/11 came, the Red Cross was there — with mountains of Americans’ donations and support for […]
I want Frequent Flyer Hours. They’d work almost the same. You’d get 550 or so points per hour from gate to gate. So all that time, sitting on the runway, circling in a holding pattern, waiting for the previous plane to vacate your gate? All would be paid back in some small way to the […]
[Adam updates: The reporter has recanted his story, “Federal agents’ visit was a hoax.”] Apparently, the Stasi are watching what we read. A senior at UMass Dartmouth was visited by federal agents two months ago, after he requested a copy of Mao Tse-Tung’s tome on Communism called “The Little Red Book.” Two history professors […]
I’d like to respond to Dan Solove’s article “How Much Government Secrecy Is Really Necessary” with the perspective of a veteran of the 1990s crypto wars, in which we fought the NSA for the practical right to build and use encryption to protect sensitive data. A central tenet of the government’s position was that there […]
From Crain’s Chicago Business: LaSalle Bank Corp. says a computer tape bearing confidential information on about 2 million residential mortgage customers disappeared last month as it was being transported to a consumer credit company in Texas. The Chicago bank has alerted law enforcement authorities and is also monitoring transactions closely to detect any unusual or […]
This week and next are the two posts which inspired me to use Star Wars to illustrate Saltzer and Schroeder’s design principles. (More on that in the first post of the series, Star Wars: Economy Of Mechanism.) This week, we look at the principle of Open Design: Open design: The design should not be secret. […]
“Bush Secretly Lifted Some Limits on Spying in U.S. After 9/11, Officials Say.” A 10 page story in the New York Times opens: Months after the Sept. 11 attacks, President Bush secretly authorized the National Security Agency to eavesdrop on Americans and others inside the United States to search for evidence of terrorist activity without […]
I can’t tell you how strongly tempted I am to just steal Daniel Solove’s “What If Copyright Law Were Strongly Enforced in the Blogosphere?” It’s a great article, and it would be deeply, deeply ironic for that article to be at the center of a lawsuit over copyright infringement.
The folks at the Alabama Credit Union were informed that 500 of their customers were among those whose payment card information was stolen in the Sam’s Club breach. They took a conservative approach and reissued the cards for all 500 customers, and also informed them of the breach. As we’ve commented on previously, information concerning […]
The game company White Wolf is going offline because of internet attacks. This is a blending of several trends: Fuller disclosure of incidents, attackers who are only in it for the money, and the economic impact of attacks. Dear White Wolf Users, Like many other well-known companies of the last few years, White Wolf was […]
Shmoocon has announced their 2006 speaker list. Today is the last day to submit to Codecon.
One of the biggest issues I have with the gossip industry is how behavior that seems normal and expected is entered into databases and is used to judge us in unexpected ways. As the Tampa Tribune reports in “Insurers’ Road Service Could Prove Costly:” TAMPA – Andrea Davis can’t understand what two flat tires and […]
Via Bejtlich, I learned that SANS is now offering degree programs. I have not been able to determine whether they are an accredited institution of higher learning, however.
From the press release: SALT LAKE CITY, Dec. 13 /PRNewswire-FirstCall/ — silex technology america, Inc. and TROY Group, Inc. signed a definitive agreement effective today stating that silex technology america will acquire the Wireless & Connectivity Solution Business of TROY Group, Inc. […] “We are pleased to announce this transaction as we believe that the […]
Fingerprint scanning devices often use basic technology, such as an optical camera that takes pictures of fingerprints which are then “read” by a computer. In order to assess how vulnerable the scanners are to spoofing, Schuckers and her research team made casts from live fingers using dental materials and used Play-Doh to create molds. They […]
Last week, Secretary of State Condoleezza Rice made a speech in which she made apparently definitive statements about our policies towards torture. See Jack Balkin, “Rice: ‘U.S. Personnel’ Don’t Engage in Cruel, Inhuman and Degrading Treatment ‘Wherever They Are.’” Then be sure to see Marty Lederman’s follow-up, “Condi Rice’s ‘No Torture’ Pledge: Don’t Believe the […]
Not sure if the personal details obtained by hackers include CC#s, but names and addresses are certainly involved in this breach at a UK charity. A couple of interesting twists to this one, as reported at Silicon.com. First, the thieves weren’t content with just stealing the info — they used it to extort victims directly: […]
In a comment on “Build Irony In,” Frank Hecker writes: First, note that the “invalid certificate” message when connecting to buildsecurityin.uscert.gov using Safari is *not* because the certificate is from an unknown CA (or no CA at all); it’s because the certificate is issued to the server/domain buildsecurityin.us-cert.gov (note the dash) and thus doesn’t match […]
Speaking of tracking and databases: Mobile Landscape Graz in Real Time harnesses the potential of mobile phones as an affordable, ready-made and ubiquitous medium that allows the city to be sensed and displayed in real-time as a complex, pulsating entity. Because it is possible to simultaneously ‘ping’ the cell phones of thousands of users – […]
Ever-increasing requirements that every item be uniquely identifiable are combining with the power of the internet to invade everyone’s privacy. The Guardian (UK) has a story about how ‘planespotters’ are gathering data that allows the after-the-fact tracking of CIA torture planes. (“How planespotters turned into the scourge of the CIA.”) Paul last saw the Gulfstream […]
This is weak authentication in all its glory. The password is shared by every member of a House. It is a static password, changed annually. Moreover, the fat lady’s password challenge never asks students for identity. I cannot recall any incident where a house ghost barred entrance to a student because he was a member […]
As we continue the series, illustrating Saltzer and Schroeder’s classic paper, “The Protection of Information in Computer Systems,” we come to the principle of separation of privilege. Separation of privilege: Where feasible, a protection mechanism that requires two keys to unlock it is more robust and flexible than one that allows access to the presenter […]
Thieves broke into an auditor’s car trunk and stole a laptop containing SSNs and other information on approximately 800 people. Details at http://fortress.wa.gov/esd/portal/securitybreach
Much is being made of a press release from ID Analytics. Based on results from that firm’s fraud detection products, a conservative estimate is that one of every 1000 pieces of PII lost in a data breach results in an actual fraud. An additional finding is that the likelihood of a fraud being committed using […]
More than 8,000 people have been mistakenly tagged for immigration violations as a result of the Bush administration’s strategy of entering the names of thousands of immigrants in a national crime database meant to help apprehend terrorism suspects, according to a study released on Thursday. The study, conducted by the Migration Policy Institute, a research […]
“Brand new Microsoft Excel Vulnerability:” The lot: One 0-day Microsoft Excel Vulnerability Up for sale is one (1) brand new vulnerability in the Microsoft Excel application. The vulnerability was discovered on December 6th 2005, all the details were submitted to Microsoft, and the reply was received indicating that they may start working on it. It […]
I’ve often thought that I over-analyze some things. But as I enjoy blogging, I’ve come to realize that having standards about the little things helps me write faster and more effectively. More importantly, I hope, they allow you to skim here faster, and retain more of what you’re reading. Bloggers who want to be read […]
Ann Harrison reports: The government dropped all charges against Deborah Davis yesterday for failing to show her ID on a Denver public bus. Officials claim that passengers still have to show ID to transit through the Denver Federal Center, but said there were no clear signs to inform them of this requirement. Davis’ lawyers are […]
According to documents (pdf) obtained by EPIC under the Freedom of Information Act, a government report found significant problems with new hi-tech passports. Tests conducted last year revealed that “contactless” RFID passports impede the inspection process. At a meeting of a Privacy Advisory Committee today in Washington, EPIC urged (pdf) the Department of Homeland Security […]
In “OpenSolaris, Pluggable Crypt, and the SunMD5 Password Hash Algorithm,” Alec Muffett writes: Several years ago now, Darren Moffat, Casper Dik and I started swapping e-mail about how pathetic it was to still be using the traditional 8-character-password unix crypt() routine in Solaris, and how we could architect something to be much better. You’d have […]
American Banker(12/7/2005) reports [warning: paywall] on the tight-lipped reaction of Sam’s Club, MasterCard, and Visa to a recent data breach involving credit and debit card mag stripe data from Sam’s Club gas stations. The affected cards seem to have been primarily from two issuers, and hundreds of actual frauds have already occurred. Nobody is talking […]
Bruce Schneier demonstrates the truth of the old saying in a must-read blog entry. In a nutshell, Nature published an article written by a physicist with little or no background in cryptography, claiming to have devised a mechanism for optically transmitting encrypted messages using a “chaotic carrier”. Bruce trains his skeptical and expert eye on the […]
[Important update below] Nearly 30,000 airline passengers discovered in the past year that they were mistakenly placed on federal “terrorist” watch lists, a transportation security official said Tuesday. Jim Kennedy, director of the Transportation Security Administration’s redress office, revealed the errors at a quarterly meeting convened here by the U.S. Department of Homeland Security’s Data […]
Tom Ptacek’s blog is full of smart people introducing themselves, and their new company, Matasano. They’re talking about the new mix, which is to be consultants while you build your startup and look for funding. I hope that Window, Dave, and Jeremy all get the blogging bug. Heck, I hope Dino does too, because with […]
Russian security agents have arrested a group of policemen and civilians suspected of forging Kremlin passes. The items seized included identity cards guaranteeing entry to President Vladimir Putin’s offices, the FSB security service said. … According to security officials, some of the items were being sold at a car market in the south of Moscow, […]
Democracies do not fare well with military dictators, nor when entrusted to overpowering and internally focused armies. Armies are trained, quite rightly, to kill and ask questions later. Police forces are trained to exercise discretion, sustain the rule of law, respect human rights, understand the freedoms we have embodied neatly in a Bill of Rights […]
I’d like to draw attention to venture capitalist Brad Feld’s post, “Doing Good By Doing Well:” I’ve strongly encouraged my portfolio companies to incorporate “philanthropic activities” into their businesses early in their life. I don’t advocate any particular focus – I simply encourage founders and leadership teams to think about what they can do to […]
Chuck Tanowitz has an interesting post “Ethicist in the Boardroom?” in which he expounds on … a discussion with Phil Libin a while back he suggested that companies should have an ethicist on board. More specifically, he suggested an outside ethics consultant to help keep them on track. The post is worth reading in its […]
After the Second World War, Germans claimed they didn’t know what was being done to Jews, Catholics, Gays, Gypsies and others by their government. We, as Americans, have no such excuse. We know what’s being done in our name, and have failed to stop it. The American government is torturing prisoners, and sending prisoners to […]
Candice “Candy” Smith, 44, of Blue Springs, Mo., pleaded guilty to making unauthorized inquiries into data aggregator LexisNexis’s database of non-public information on millions of consumers, such as driver’s license information and credit-history data. Many people might assume that only cops can look up this type of information, but Smith was granted access to the […]
Secure operation of a site is hard. Really, I’m not looking to pick on CERT. They’re doing some very good work, and Build Security In is important. At the same time, this message is only appearing because SSL certificates are focused on identity, and that identity needs to be “rooted” at a certificate authority. That […]
Next time you call customer service to manage one of your accounts and they ask you for pseudo-private information like your SSN or Mother’s maiden name, ask them for their name. When they ask why (feel free to prompt since this probably isn’t completely out of the ordinary) let them know that you are keeping […]
Bob Sullivan has a good post, “Gift card fees still playing Scrooge:” How much is that $50 gift card really worth? Well, it’s hard to say. The art of irritating and sneaky fees has reached new heights in this 21st century version of gift certificates. There are sign-up fees, transaction fees, dormancy fees and outright […]
A school psychologist’s records detailing students’ confidential information and personal struggles were accidentally posted to the school system’s Web site and were publicly available for at least four months. … The psychological profiles, some dating back more than a decade, contained children’s full names, birthdays and, in many instances, IQ scores and grades, the newspaper […]
It’s no ordinary holiday season in the Gulf Coast this year, so Frank Evans built an unconventional holiday display at a suburban New Orleans shopping mall to match. He thought the tiny blue-tarped roofs, little toppled fences and miniature piles of hurricane debris in the display he builds annually for the mall struck just the […]
Cornell employees this past summer discovered a security breach on a computer that contained personal information, such as names, addresses, social security numbers and bank names and account numbers. After conducting an analysis of the breach, Cornell Information Technology (CIT) did not find evidence that any information stored on the computer had been inappropriately accessed. […]
Nick is a premier thinker about history, law and economics, and the lessons they have for security. Take this brief sample from “Origins of the joint-stock corporation:” The modern joint-stock corporation has many sources in medieval Europe. First among these was corporate law itself. Although the era is commonly referred to as “feudalism,” for the […]
Today, in Friday Star Wars Security blogging, we continue with Saltzer and Schroeder, and look at their principle of Least Common Mechanism: Least common mechanism: Minimize the amount of mechanism common to more than one user and depended on by all users [28]. Every shared mechanism (especially one involving shared variables) represents a potential information […]
There’s a fascinating set of articles in Nature this week on openness, sharing, and new publication models. From “Science in the web age: Joint efforts:” “Science is too hung up on the notion of ‘the paper’ as the exclusive means of scientific communication,” says Leigh Dodds, a web expert at the publisher Ingenta. Publication and […]
Last month, I commented on how the DMCA was preventing research on spyware: …the legal cloud that overhangs this sort of research. That legal cloud was intentionally put there by the copyright industry, in the form of the Digital Millennium Copyright Act. The law makes it hard to understand what research you can perform when […]
A Year of Agony, because Despair doesn’t have a monopoly on “inspirational” corporate art.
The Ponemon Institute continues to analyze the cost of breaches. Their latest work is distributed by PGP, Inc. The work that they’re doing is quite challenging and useful, but is unlikely to be a complete accounting of the costs. For example, what’s the real cost of the brand damage done to Choicepoint? Along with several […]
Social Security cards run about $20, green cards about $70 and a California driver’s license between $60 and $250. The price jumps up for higher-quality documents, such as IDs with magnetic strips containing real information — often from victims of identity theft. … “You name it, they can make it,” said Los Angeles Deputy City […]
In an interesting article, The St. Louis Post Dispatch reports new information about the recent breach of the “eCheck Secure” system run by Troy Group. According to the article, the number of potential Scottrade victims is 140,000. Troy Group published a news release revealing they got hacked, and notified their financial sector customers, including Scottrade, […]
The EFF has decided that the DMCA “rulemaking process is simply too broken” for them to bother commenting on it any further. See “DMCA Triennial Rulemaking: Failing Consumers Completely:” EFF has participated in each of the two prior rulemakings (in 2000 and 2003), each time asking the Copyright Office to create exemptions for perfectly lawful […]
I recently bought a Netgear WGPS606 ‘print server.’ It’s a nifty little device with a 4-port 100 Mbps Ethernet switch, a wireless bridge, and an LPD print service. I needed each of those as part of reconfiguring my office space, and here it was in one little package. It turned out to be something of […]
Apparently, I woke up on the right side of the bed, and am just handing out kudos left and right today. Consumers will gain strong new protections when New Jersey’s Identity Theft Prevention Act takes effect Jan. 1, but businesses and institutions are facing headaches and added expenses. Social Security numbers will be out as […]
Students are currently recognized by their Social Security Number in many University systems and applications. With the growing threat of identity theft, an alternative method has been desired for identifying students and faculty. The opportunity to execute this change has surfaced through the implementation of an updated University [of North Carolina] computer system. Kudos to […]
[Updated with data from NYT] A new plan by the Transportation Security Administration would allow airline passengers to bring scissors and other sharp objects in their carry-on bags because the items no longer pose the greatest threat to airline security, according to sources familiar with the plans. The TSA’s internal studies show that carry-on-item screeners […]
In “CDC plans flight e-tracking,” Bob Brewin of Government Health IT writes: Battling a pandemic disease such as avian flu requires the ability to quickly track sick people and anyone they have contacted. In response, Centers for Disease Control and Prevention officials have proposed new federal regulations to electronically track more than 600 million U.S. […]
Adam’s post earlier today on efforts to improve browser security, reminded me about this post on KDE.news. George Staikos hosted a meeting of developers from Opera, IE, Mozilla/Firefox and Konqueror with an aim towards improving browser security across the board. Of particular interest to me in light of my intro post, were these two lines: […]
The story of Deborah Davis is getting lots of attention. Rob sent me Refusal to present ID sparks test of rights, which includes: “I boarded the bus and spoke with the individual, Deborah N. Davis . . . asking why she was refusing,” wrote the first Federal Protective Service officer in an incident report posted […]
There’s a thread developing in several blogs about web browser security, and I think it is dangerously mis-framed, and may involve lots of effort going down some wrong paths. At the IE Blog, Franco writes about “Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers.” It’s a long, well-thought out post, which […]
Michael Geist has a column today “Canada’s Privacy Wake-Up Call” in which he follows up on the Macleans story about the Canadian Privacy Commissioner’s phone records being stolen. (See my “Epic Problems With Phone Privacy.”) Although major Canadian telecommunications providers such as Bell Canada sought to characterize themselves as “victims” of fraudulent activity and claim […]
[Update: If I’d been able to find the page which Arthur provided in a comment, I wouldn’t have written this quite like this.] It’s rare to see a substantial usability mistake at Google, and so this jumped out at me. Saar Drimer has a post on the new “Gmail password strength check,” in which he […]
Recently, Hossein Derakhshan blogged about his denial of entry into the United States. (“Goodbye to America.”) This is really too bad. Hoder’s an insightful fellow, and even if he happened to be one of the 15 or so million living in the United States without official permission, we profited from his visits. I believe that […]
As most parents of young children would no doubt attest, when driving with “precious cargo” — lives you particularly want to protect — you typically take extra precautions. Special safety seats with five point harnesses, specialized mounting hardware, taking that bit of extra care that maybe you wouldn’t if driving alone. Well, that may all […]
I sometimes feel that I have nothing to add to the “debate” around torture, other than the formerly-obvious “torture is ineffective and morally repugnant.” Nevertheless, I feel that keeping silent, or even allowing the debate to occur without adding my voice to the chorus of reason. So, some others’ posts this past week: In Jack […]
Info is spotty on this, but according to a WFMY TV News report, Millions of names, addresses, social security numbers, and bank account numbers could be in dangerous hands. Officials with Scottrade, an investment company with an office in Greensboro say a security breach compromised the information of some of its account holders. A letter […]
I’m going to review Innocent Code (IC) and The 19 Deadly Sins of Software Security (19DS) in the same review because I think they’re very similar in important ways. There have been probably close to a dozen books now on writing code with good security properties. Many of the early ones had to lay out […]
As the holiday and gift-shopping season arrives, I’d like to talk about what not to get me (or really, anyone on your list). A bad gift is really painful to receive. You have to put on a fake smile and pretend to be happy, and then go return the thing at the first opportunity. My […]
Blame Tom Ptacek for ignoring my heroic efforts. My being off with family this week has nothing to do with it. Friday Star Wars Security posts will return next week, with the principle of Least Common Mechanism.
As you enjoy your Turkey, recall that the Pilgrims who ended up in Plymouth were fleeing the Anglican church, England’s state religion. The English church, of course, split from the Roman church so that Henry VIII could get a divorce. The little people, however, were not allowed the chance to split their churches in quite […]
People often become emotionally entangled with the software they use. It’s not a geek-only thing, although geeks often become more entangled with a broader range of the software they use. Normal people speak of “My Excel is screwed up,” or feel bad that their Sony CD has messed things up for them. One of the […]
An Australian Senator has created a bit of a kerfuffle by saying what everyone has thought in private. Bruce Schneier comments: During her Adelaide speech, Senator Vanstone implied the use of plastic cutlery on planes to thwart terrorism was foolhardy. Implied? I’ll say it outright. It’s stupid. For all its faults, I’m always pleased when […]
I found “Who Becomes a Terrorist and Why” in a used bookstore for $2.99, and it was worth every depressing penny and more. The book is a US government funded study from 1999. It’s not clear if this work would be possible today or not. Much of the body of the book is an […]
As we discuss the effects of various laws designed to protect us from various and sundry, we often lose track of the real, tangible benefits of liberty that we’re giving up. They’re sometimes hard to see, in the same way the Internet was hard to see in the early 90s. It was here, but most […]
On the 9th of December 2005, a Denver woman is scheduled to be arraigned in U.S. District Court. Her crime: refusing to show ID on a public bus. At stake is nothing less than the right of Americans to travel freely in their own country. The woman who is fighting the good fight is named […]
Ben Edelman explains how Sony can use a messaging mechanism already built into the XCP system to inform people who are not yet aware of the “Sony rootkit” they’ve unwittingly installed, and what they can do about it. This is so obviously the right thing to do that I can almost guarantee Sony will not […]
Jose Nazario gave me a copy of Secure Architectures with OpenBSD this summer. I’m way behind with book reviews, and I wanted to start with this one. I’m a fan of the OpenBSD project. Not only for their efforts around security, but also because they put a great deal of effort into the documentation. I’ve […]
In “Freedom To Tinker, Freedom to Learn,” I made some assumptions about the user interface for the $100 laptop. In “Alan Kay at WSIS,” Ethan Zukerman explains that Alan Kay will be doing much of the user interface design work: Kay began by explaining that most people aren’t using computers to do the most important […]
Riya is a Redwood City startup that makes facial recognition software. Rumor from Om Malik says Google is buying them. I believe that this purchase has some of the farthest reaching privacy implications we’ve yet seen from Google. Anonymity, in its most literal meaning of “without a name,” is the current state of many photographs […]
A laptop computer containing names, social security numbers and other sensitive information of 161,000 current and former employees of Boeing Co. was stolen recently, the U.S. aerospace manufacturer said Friday. From “Boeing says laptop with employee info stolen.” A bit more in the Seattle Post-Intelligencer.
According to an Associated Press article appearing in the Indianapolis Star, Personal information about nearly 5,300 Indiana University students might have been accessed by a computer hacker, school officials said. Technicians discovered during a routine scan that three malicious software programs had been installed on a Kelley School of Business instructor’s computer in mid-August, said […]
In this week’s Friday Star Wars Security Blogging, I’m continuing with the design principles from Saltzer and Schroeder’s classic paper. (More on that in this post.) This week, we look at the principle of least privilege: Least privilege: Every program and every user of the system should operate using the least set of privileges necessary […]
Last month, Wilcox Memorial Hospital in Kauai had to inform 120,000 past and present patients that their private information had been misplaced. Their names, addresses, Social Security numbers, even medical record numbers had been placed on one of those tiny USB flash drives — and now, according to a letter sent home, the drive was […]
Dame Stella Rimington has said most documents could be forged and this would render ID cards “useless”. “But I don’t think that anybody in the intelligence services, particularly in my former service, would be pressing for ID cards. From the BBC, “Ex-MI5 chief sparks ID card row.” Normally, a “row” requires two sides, with arguments. […]
How did Sivacracy manage to rope in the sponsorship dollars? I really need to monetize some sticky eyeballs here. Meanwhile, click the image for more on Panexa.
The United States is holding captive at Guantanamo Bay at least two men it knows are innocent of any wrongdoing. These men were cleared by the military courts, almost two years ago, and they are still in captivity. It makes me too angry to write about, so go read Requiem: In the comments to an […]
Bruce Schneier has a good article [on his blog and] in Wired this morning, “Real Story of the Rogue Rootkit.” One aspect of the whole Sony story that’s not getting a lot of play is why we don’t see more of these things. Is Sony unique in their callous disregard of their customers, or are […]
It’s a long standing “joke” that only drug dealers and the computer industry call their customers “users.” But at least drug dealers pretend that your behavior is ok. Not so the Universities educating our next generation of programmers, such as Carnegie Mellon. Their student news source, the Tartan, reports in “Study shows students cause computer […]
Del.icio.us is a ‘social bookmark manager.’ It’s a way to bookmark things, and let you see that I’ve bookmarked, and perhaps commented on them. I’m using it more like a “clip blog,” with short commentary on many of the things dropped there. If you read it via the RSS feed, you get my commentary. But […]
Via Sivacracy.
Alex Tabarrok has some interesting arguments as to why torture should be made illegal in “Torture, terrorism, and incentives.” I’d like to extend his argument: President Bush, Dick Cheney and others who support the use of torture by the United States and its agents usually rely on the ticking time bomb argument. Sometimes torture is […]
I’m becoming less and less satisfied with AWStats as a log analyzer. There are some things that it does reasonably well. But I’d really like a lot more. I’d like to be able to see how things have changed day to day (for example, how many new unique visitors did I get today?) I’d like […]
I appreciate all the notes you’ve been sending me telling me about “FBI, Pentagon pay for access to trove of public records.” I’d love to have something insightful to add to this, but I don’t. Ryan Singel has a bit more: The article, which relies on heavily redacted documents acquired through an open government request, […]
In the cover story of next week’s Maclean’s magazine, Jonathon Gatehouse reports that he successfully obtained the phone records of Canadian Privacy Commissioner Jennifer Stoddart: …Her eyes widen as she recognizes what has just been dropped on the conference table in her downtown Ottawa office — detailed lists of the phone calls made from her […]
I’m feeling under the weather today, and so I’m sitting on the morning posts until I have a chance to re-read them. Expect posting to be heavy today, because I can’t do much real work, and have to entertain myself somehow. I’m hopeful that you’ll either be entertained as well, or forgive me for what […]
(by arthur) I’m back from travels, so it’s time to post some more…. As Adam just posted, Jeff Moss sold Blackhat to CMP Media. Presumably, this sale is partially (largely?) a result of the various lawsuits that Blackhat was dealing with as fallout of “Cisco-gate”. Fortunately, these were recently settled in an equitable fashion, but […]
MANHASSET, N.Y., Nov. 15 /PRNewswire/ — CMP Media, a marketing solutions company serving the technology, healthcare and entertainment markets, announced today that it has acquired Black Hat Inc., a producer of information security conferences and training that includes Black Hat Briefings and Conferences. Jeff Moss, founder and owner, will continue to run Black Hat and […]
Dan Kaminsky has done some digging into the Sony rootkit: It now appears that at least 568,200 nameservers have witnessed DNS queries related to the rootkit. How many hosts does this correspond to? Only Sony (and First4Internet) knows…unsurprisingly, they are not particularly communicative. But at that scale, it doesn’t take much to make this a […]
In “The $100 Laptop Moves Closer to Reality,” the Wall St Journal discusses a project to provide very inexpensive laptops to millions of poor children around the world. I think it’s a great idea, and wish them the best of luck. Delivering internet connectivity to millions of poor children will be a world-altering project. One […]
The United States senate voted today to deny habeas corpus to prisoners at Guantanamo. The United States Supreme Court had recently held that United States courts have jurisdiction to consider challenges to the legality of the detention of foreign nationals captured abroad in connection with hostilities and incarcerated at Guantanamo Bay. The vote today would […]
The sad passing of Peter Drucker, and Paul Kedrosky’s post on it brought something into sharp focus for me. It’s the value of working hard to make yourself understood, as opposed to making your audience work hard to understand you. One of my goals in blogging here is to learn to be understandable to the […]
A post by Paul Wouters to the DailyDave list drew attention to “Vendor response of the Openswan project” to “NISCC Vulnerability Advisory 273756/NISCC/ISAKMP.” I feel like it’s 1997 again. The Oulu University Secure Programming Group (OUSPG) discovered a number of flaws with the ISAKMP/IKE portions of the IPSec protocols. OUSPG built a tool, and either […]
My friend Sharon, who is an excellent patent attorney, showed me this, her favorite U.S. patent. You should hire her![1] She’s really good, even if she does a lot of work for an empire of questionable morals, but is not yet so evil as to have written anything like US Patent 4,646,382, “Lottery Ticket Scraper:” […]
Gordon Johnston didn’t want to be frisked. So as the 60-year-old high school teacher approached the gates of Raymond James Stadium here for a Buccaneers football game last month, he lifted the team jersey he was wearing to show it wasn’t necessary. He was concealing no bombs. It didn’t work. So reports the Washington Post […]
Some folks have put up a site, “Kill Bill’s Browser,” based on Google’s offer to pay up to $1 for each Firefox/Google Toolbar install. It offers up both good and entertaining reasons to switch: 7. It will make Bill Gates soooooooooo mad. Seriously– super, super mad. And even more than Bill, let’s think about Steve […]
Abstract: Among a fringe community of paranoids, aluminum helmets serve as the protective measure of choice against invasive radio signals. We investigate the efficacy of three aluminum helmet designs on a sample group of four individuals. Using a $250,000 network analyser, we find that although on average all helmets attenuate invasive radio frequencies in either […]
This week in Friday Star Wars Security Blogging, we examine the principle of Complete Mediation: Complete mediation: Every access to every object must be checked for authority. This principle, when systematically applied, is the primary underpinning of the protection system. It forces a system-wide view of access control, which in addition to normal operation includes […]
[Update: Welcome Wired readers! If you enjoyed Bruce Schneier’s article on who’s responsible for security flaws, please explore a little. The economics of security and privacy issues are an ongoing theme.] It wasn’t a plan that I was going to slag Apple this week. Really, I’m fond of my Mac, I’m just tired of claims […]
Tom Peters has a magnificent article, “Simple.” Go read the article. It’s really beautiful. Don’t mistake simple for easy, but this is an easy read about the need for respect in winning the cooperation of whomever you’re dealing with: “We were friendly and respectful whenever we met a Bedouin or farmer, often sharing tea with […]
The Amazon Mechanical Turk. Basically, you have your code do a remote procedure call, where the bulk of the work on the remote side is performed by a human being.
At this point I was pretty sure this was a social engineering attack, so I started to quiz her about why she needed the information. She said it was for a “security check”. I told her I was uncomfortable giving out information like this to a cold caller over the phone and she said it […]
MS05-038 and MS05-052 contain a number of defense-in-depth changes to the overall functionality of Internet Explorer. These changes were done mostly for security reasons, removing potentially unsafe functionality and making changes to how Internet Explorer handles ActiveX controls. As a result of these changes that we made for security sake, for a limited amount of […]
A gamer who spent £13,700 on an island that only exists in a computer game has recouped his investment, according to the game developers. The 23-year-old gamer known as Deathifier made the money back in under a year. The virtual Treasure Island he bought existed within the online role-playing game Project Entropia. He made money […]
[U]se of commercial products with unbreakable cryptography could seriously undermine the ability of law enforcement to perform critical missions such as protecting against threats posed by terrorists, organized crime, and foreign intelligence agents This from a rather lightweight report prepared by the Congressional Research Service. I may have read it with a jaundiced eye, but […]
In the midst of a CBC story about how a consultant went through “door after door” in Toronto’s Pearson airport (“Investigation highlights security concerns at Canadian airports“), we’re treated to these lovely tidbits: Mark Duncan, chief operating officer for the Canadian Air Transport Security Authority, the agency tasked with providing security at Canadian airports, says […]
In the midst of an excellent long article on how the Wine Windows emulation layer will interact with OSX86, (“I invite you to wine“), Wil Shipley writes: When you can run Windows apps on Mac OS X, you’ll still be protected by Mac OS X. Viruses are going to be dead. D-E-D. Ok, yes, there […]
Social Security numbers and other information about more than 3,000 consumers were stolen recently from TransUnion LLC, one of three U.S. companies that maintain credit histories on individuals, in the latest of many security breaches that have focused congressional attention on identity theft and fraud. The data were housed in a desktop computer that was […]
The Seattle Post Intelligencer reports that “ChoicePoint warns consumers about fraud:” ChoicePoint Inc., the company that disclosed earlier this year that thieves had accessed its massive database of consumer information, said Tuesday in a regulatory filing it has sent out another 17,000 notices to people telling them they may be victims of fraud. The story […]
The University of Tennessee notified about 1,900 students and employees yesterday that their names and Social Security numbers inadvertently were posted on the Internet. … A University of Tennessee student made the discovery about two weeks ago when she searched the Internet for her name and found it listed with her Social Security number on […]
(I wrote this a few weeks back, and forgot to post it. It’s even more fun with the brouhaha about Sony/BMG screwing with your computer if you buy their “music.”) In conversation with Lucky Green, he commented that “You won’t be able to buy a laptop w/o a TPM in a few years.” This doesn’t […]
There’s apparently a critical flaw in Macromedia Flash 7. (You know, the software that plays annoying ads in your browser?) This affects at least PCs and Macs. Macromedia’s advisory is here. eeye has an advisory which makes it sound like a PC-only issue. Sec-Consult has published POC code. It’s unclear to me why, 130 days […]
Two related posts from last week that I’d like to tie together. Jeff Veen writes about the lack of either Mac software or standards compliance in Polar Heart Rate Monitors in “Polar Heart Rate Monitors: Gimme my data,” and Bob Frankston writes about how the telcos use the regulators to stifle competition and innovation in […]
Well, I’ve tried going cold turkey, but wasn’t getting positive reinforcement, so I stopped. Let’s start from the positive, shall we? Chris Hoofnagle of EPIC is quoted in a positive light in “ChoicePoint says it’s securing public’s personal data better” in the Atlanta Journal Constitution. Now that that’s out of the way. Science Daily tells […]
The New York Times has a story, “Report Warned Bush Team About Intelligence Doubts:” “It is possible he does not know any further details; it is more likely this individual is intentionally misleading the debriefers,” the February 2002 report said. “Ibn al-Shaykh has been undergoing debriefs for several weeks and may be describing scenarios to […]
Audiences at the Government-funded Chapter arts centre in Canton, Cardiff, see Miss Takahashi arrive on stage in high heels and a smart black business suit. For the next three hours, they watch her drink bottle after bottle, periodically lurching towards her beam and seeing how much of it she can negotiate without falling off. … […]
Ann Bartow describes it as “completely awesome pedantic weeniedom, and I mean that in the best possible way.” I would have just tossed this in my del.icio.us feed, but wanted to boost Michael Froomkin’s page rank for pedantic weeniedom. I hope he doesn’t mind. (Via Volokh)
Global Guerrillas has a fascinating post, “PARTIAL vs. COMPLETE SYSTEM DISRUPTION.” The thesis is that Iraqi guerrillas and terrorists have the ability to complete the collapse of Iraq into anarchy, but have chosen not to, for reasons that he lays out. As van Creveld predicted in “The Transformation of War,” we lack a good way […]
New Scientist reports “Anonymous sperm donor traced on internet:” LATE last year, a 15-year-old boy rubbed a swab along the inside of his cheek, popped it into a vial and sent it off to an online genealogy DNA-testing service. But unlike most people who contact the service, he was not interested in sketching the far […]
Miss McDonald has an art project at Livejournal: Or perhaps Miss McDonald is an art project. Hard to say with any certainty. But why would you want to?
Police have a warning for anyone who did business with the Oregon Department of Motor Vehicles in 1999 or 2000. They say as many as a half-million stolen DMV records were found on a laptop during a methamphetamine bust Wednesday night at a southeast Portland apartment complex. They allegedly discovered evidence of meth distribution and […]
Business process hacking is the act of using weaknesses in the way an application is exposed to garner information or break in. Recent examples include the ChoicePoint and Lexis-Nexis attacks. Here is a new one. A couple of young traders at an Estonian bank got a Businesswire account and proceeded to dig around until they […]
This is why habeas corpus used to exist. Either that, or they hate getting laughed at. (Via This Modern World)
Bob Sullivan provided excellent “mainstream media” ChoicePoint coverage, and is doing some good blogging about breach legislation. From the blog post cited above, it’s clear that Sullivan considers the Act in question to be nigh-on to a total cave-in to industry. That things would have taken this turn is not surprising, but is nonetheless somewhat […]
Sony’s DRM rootkit has been harnessed by folks selling a program which hides game cheats from detective measures shipped with WoW and affectionately known as The Warden. Somehow, I am reminded of a Simpsons quote [.mp3]
In this week’s Friday Star Wars Security Blogging, I’m continuing with the design principles from Saltzer and Schroeder’s classic paper. (More on that in this post.) This week, we look at the principle of fail-safe defaults: Fail-safe defaults: Base access decisions on permission rather than exclusion. This principle, suggested by E. Glaser in 1965 means […]
Arab News picks up an Agence France-Presse story, “Terrorist Access to Stolen Passports Alarms Interpol:” (Via Flogging the Simian’s Nov 4 PDB.) NEW YORK, 4 November 2005 — With 10 to 15 million stolen passports in use around the world at the present time, the global struggle against terrorism is seriously hampered, Interpol Secretary-General […]
Thanks for the great intro, Adam! Steven Bellovin and Eric Rescorla recently released a paper, “Deploying a New Hash Algorithm.” This is a great analysis of both the operational and protocol issues with changing which hash algorithms get used by various security protocols. For instance, S/MIME has no real mechanism for negotiating which hashes (and this […]
I’d like to introduce Arthur, our newest guest. I was going to say Arthur is not his real name, but that would be a lie. It is his real name for purposes of this blog. It might, however, not be what his wife calls him. (“Sweetie.”) Arthur is, however, the chief information security officer for […]
The [Stearns] bill would also require companies to notify not just consumers of a breach, but also the F.T.C., which would then be permitted to audit the company’s security program. “But it needs better enforcement language,” said Joseph Ansanelli, the chief executive and co-founder of Vontu, an information security company in California, who has frequently […]
Yesterday’s Washington Post had a long, sickening article on “CIA Holds Terror Suspects in Secret Prisons:” The hidden global internment network is a central element in the CIA’s unconventional war on terrorism. It depends on the cooperation of foreign intelligence services, and on keeping even basic information about the system secret from the public, foreign […]
[Update: There’s a fairly long clarification in the middle of the post, which expands on a sentence that was too brief to be understandable.] One of the fond dreams of the counter-terror community is to be able to take Deep Throat’s advice, and follow the money. In “New Anti-Money Laundering Regulations and Compliance Solutions Announced,” […]
Q. Do friends and family ever ask you [Frank Oz] to do Yoda on their phone answering machines? A. Yep. And I always say no. He’s not a party trick. He’s not a trained monkey. And I’m not a man like Mel Blanc, who’s a brilliant man of voices. I’m a man of characters; I […]
Upgraded the blog software, added a fair number of little tidbits, including lots more archive indexes, better per-post options, and will be tweaking lots of little stuff over the next few days. Also, added automated “posted by” bits, and am going through older posts and cleaning out those bits. Which means that RSS will get […]
Following up on Chris’s worm post, Red Database Security has an advisory on an Oracle worm. On 31-october 2005 an anonymous poster (oracleworm@hushmail.com) released a proof-of-concept PL/SQL source code of an Oracle worm on the full disclosure mailing list. The worm is using the utl_tcp package to find other Oracle databases in the same subnet […]
In “learning from others,” Jerry Fishenden writes at length about National ID systems and their impact on society. His post includes a list of properties an ID system should have, (originally from Niels Bjergstrom). His theme that these systems don’t only have ‘features,’ but properties is an important one. I’d like to suggest two additions: […]
A Department of Brand and Integrated Marketing that is.
Over at Sysinternals, Mark posts “Sony, Rootkits and Digital Rights Management Gone Too Far.” [Update: If that doesn’t work, try Sysinternals Blog; when I checked, it was the first post.] If you’re at all technical, read it closely. If you’re not, you should at least skim it. The story is that Mark (who knows more […]
There’s a fascinating story at imedia connection, “Why Consumers Trust American Express:” How has American Express retained its position? Kimberly Forde, an American Express spokesperson, told me that “American Express is very pleased to be recognized by consumers for its ongoing and strong commitment to privacy.” Moreover, she felt that American Express had done a […]
In “The endgame on Iraq began a long time ago,” Thomas Barnett writes some shocking things: This is Musab al-Zarqawi’s worst nightmare: the Americans safe behind their compound walls and everyday he’s doing battle against Iraqis, or, more to the point, against Shiites increasingly backed by Iran, no friend to the global Salafi jihadist movement, being as […]
In “GE Puffer Stinks of Dr. Strangelove,” Kim Cameron writes about his experiences with the new explosive detection machines: People, I really hated the GE product. It is tiny, and closes around you. I felt seriously claustrophobic. Then it shot bursts of air at me so hard it actually hurt. I had been told there […]
It’s that time of year again, when Congress decrees that you shift your clock back an hour to save minuscule amounts of energy. The fine folks of Arizona and Indiana have noticed that Congress doesn’t really have the power to regulate time, and don’t like playing along. But if you think about it, time is […]
From the lovely and talented Glimpse of A Grrl.
Well, I don’t know that for sure. But I am pretty sure that Porsche owners overall are healthier than those who don’t own Porsches. Maybe you have to control for age. Similarly, it seems that being a customer of certain companies apparently somehow causes less nastiness to befall one’s computing infrastructure. Jaquith handily, yet unwittingly, […]
If Nick Weaver and Jose Nazario are writing about it, it’s probably way over my head, or interesting, or both. I am happy to say this is in the second category.
Posted by Adam It seems that most everything that one could say about the President of Iran calling for Israel to be wiped off the map has been said. Good articles include Daniel Drezner’s “How crazy is Mahmoud Ahmadi-Nejad?” (about the strategy behind the statement), Hossein (Hoder) Derakhshan’s “The fundamentalist minority” (about how Iranians feel […]
Tom Peters has a blog, and in “The Days of Our Lives,” writes about the importance of being present for your customers, not for yourself. I really like his blog. It has a good mix of hubris and humility: This may be day 45 and mile 76,000 for me, but for the Client it is […]
Before I start on the Star Wars part of today’s Friday Star Wars Security blogging, I need to explain who Saltzer and Schroeder are, and why I keep referring to them. Back when I was a baby in diapers, Jerome Saltzer and Michael Schroeder wrote a paper “The Protection of Information in Computer Systems.” That […]
The October 26 on-line edition of American Banker (gotta pay to see it, so no link from me) discusses new technologies as possible enablers of check forging, in an article by Daniel Wolfe, “The Tech Scene: Check Images A New Frontier For Forgery?” The overall point is that since banks store check images and provide […]
For the last couple of weeks, peddlers have set up shop just outside Chicago’s Union Station to sell White Sox paraphernalia. Once the Sox were in the Series, I noticed an interesting phenomenon. Hats were selling for $10.00 after game two of the series. After game three, they were down to $5.00. After game 4 […]
Red Herring reports on a claim by Cybertrust that recovering from Zotob cost the average infected company $97,000. Sounds moderately interesting, until you learn that the industry hardest hit, healthcare, had 74% of its respondents totally unaffected. For financial firms, 93% were totally unaffected. Overall, nearly 90% of firms had no impact. Nada. Alternative headlines […]
It occurs to me that when a senior US government lawyer says: foreign citizens passing through American airports have almost no rights. At most, Mary Mason told a hearing in Brooklyn, N.Y., passengers would have the right not to be subjected to “gross physical abuse.” that they are in direct contradiction to the US Constitution […]
In “A Life, Observed,” I mentioned that I’d been enjoying “Flogging The Simian,” and that she’d left due to privacy issues. Well, she’s back, and so are her “PDBs,” her summaries of what’s interesting: “I read approximately 50 newspapers every morning and report what I find there, with an emphasis on foreign or international events.” […]
America’s Finest News source reports, “Trick-Or-Treaters To Be Subject To Random Bag Searches:” “Individuals concealing their identities through clever disguise, and under cover of night, may attempt to use the unspecified threat of ‘tricks’ to extort ‘treats’ from unsuspecting victims,” Chertoff said. “Such scare tactics may have been tolerated in the past, but they will […]
As I mentioned in my “Blue Hat Report,” I want to expand on one of my answers I gave to a question there. My answer involved better separation of code and data. I’ve since found, in talking to a variety of folks, that the concept is not so obvious as it seems to me. The […]
You might have thought that the White House had enough on its plate late last month, what with its search for a new Supreme Court nominee, the continuing war in Iraq and the C.I.A. leak investigation. But it found time to add another item to its agenda – stopping The Onion, the satirical newspaper, from […]
I’ve set up a Delicious feed for stuff that I want to point to, but don’t have either anything to add, or time to add it. I feel sort of bad doing this; I’d like to discuss John Gilmore on the New York Times, but all I have to say is bravo!
Last week in “Notes from the Security Road,” Mike Nash wrote: My favorite moment on the trip — which actually resulted in my circumnavigating the entire globe in just a week — was when we illustrated the difference in the number of vulnerabilities in Windows Server 2003 compared to its competitive product, Red Hat Enterprise […]
Rosa Parks passed away this evening. She was 92.
Various data protection bills to be consolidated? [P]ressure to act isn’t coming from the public clamoring for protection of their private information, it is coming from the business community that fears 50 different state laws. In many ways this improves the chances for a new federal law, because while the onslaught of data breach stories […]
To provide the fastest access to our home page for all of our millions of customers and other visitors, we have made signing in to Online Banking secure without making the entire page secure. Again, please be assured that your ID and passcode are secure and that only Bank of America has access to them. […]
Posted by Adam Lots and lots of people are commenting on the first public release of flock. After I met Bart Decrem, he was nice enough to let me into the alpha, and so I’d like to offer a slightly different perspective, about what’s changed, and the rate of change. I think that examining what’s […]
In ‘honor’ of the Sessions bill (see “The hand is quicker than the eye” and “Adding Silent Insult to Injury (Senator Sessions’ ‘privacy’ act)“), we offer up stories about three breaches. Under Sessions’ bad law, the state of Georgia would not be coming clean with its residents, nor would the California school system. I think […]
State officials on Friday began notifying 465,000 Georgians that they might be at risk of identity theft because of a government security breach detected in April. Joyce Goldberg, spokeswoman for the Georgia Technology Authority, emphasized that officials had no evidence that any personal data had been used for fraudulent purposes. But she said officials are […]
The personal information of tens of thousands of California children — including their names, state achievement test scores, identification numbers and status in gifted or special-needs programs — is open to public view through a security loophole in dozens of school districts statewide that use a popular education software system. … The problem occurs when […]
Due to what Montclair State University officials are calling an “inadvertent error,” the social security numbers of 9,100 Montclair State University students were made available online for nearly five months, putting each student at risk for identity theft and credit fraud. Etc, etc, files found by a student ego-surfing on Google. Read “Negligence At MSU […]
Earlier this month, I posted “Archimedes’ Death Ray,” about the MIT team trying to replicate Archimedes’ legendary defense of Syracuse, setting fire to ships with polished mirrors. Now Mythbusters has brought MIT Professor David Wallace to San Francisco to: …attempt to set fire to an 80-year-old fishing boat with a contraption made of 300 square […]
Omid Sheikhan has been sentenced by the Iranian court to one year in prison and 124 lashes. Omid was first arrested last year, confined for two months, including one in solitary confinement, and tortured, due to his blog which featured satire on the Iranian situation. When he was brought to court on October 8 he […]
I just skimmed the Sessions’ bill which Chris linked to. It has a great provision for allowing the fox to not only guard the henhouse, but also to control the alarm system: 3(b)(1)(A) IN GENERAL- If an agency or person that owns or licenses computerized data containing sensitive personal information, determines, after discovery and a […]
Arlen Specter and Pat Leahy have proposed the “Personal Data Privacy and Security Act of 2005“. This is a comprehensive proposal, and is opposed big-time by various industry lobbies. As reported in the October 21, 2005 American Banker, this bill has hit a snag, and is languishing in Committee. Meanwhile, another bill, courtesy of Jeff […]
‘There is a Party slogan dealing with the control of the past,’ [O’Brien] said. ‘Repeat it, if you please.’ ‘”Who controls the past controls the future: who controls the present controls the past,”‘ repeated Winston obediently. ‘”Who controls the present controls the past,”‘ said O’Brien, nodding his head with slow approval. ‘Is it your opinion, […]
Posted by Adam Richard Bejtlich predicts that the Snort network monitoring tool will be hit with a worm shortly in “The Coming Snort Worm.” He has some good qualitative analysis, and Tom Ptacek disagrees with him in “Opposition Research.” I find it fascinating that we know so little that two smart guys like Tom and […]
Or, perhaps, in this instance, having a cow would be a perfectly fine response, as it is revealed that the average European cow gets a subsidy of $2.62 a day. About 3,000,000,000 people live on less than that. Doubtless, if cows could call their representatives and vote, the subsidy would be higher. (Research by Oxfam, […]
Brilliant retelling of the Tell-tale Heart, by Poe, in the style of Dr. Seuss. True, I’ve been shaken – and true, I’ve been bad. But how can you say that this elephant’s mad? This Loopidy sickness has sharpened my brain! My ears are quite large, and I hear things quite plain. So before you pass […]
As we now know courtesy of the Philippines’ National Capital Regional Police Office, a typical terrorist is “a man aged 17 to 35, wearing a ball cap, carrying a backpack, clutching a cellular phone and acting uneasily” [manilatimes.net]. This critical piece of intelligence, I am sorry to report, seems to have taken a step closer […]
OpenStreetMap is a project aimed squarely at providing free geographic data such as street maps to anyone who wants them. This is because most maps you might think of as free actually have legal or technical restrictions on their use, holding back people from all walks of life who would like to use a map […]
I don’t know how Ethan Zuckerman is finding time to enjoy the conference, but his series of posts from Pop!Tech make me jealous that I’m missing it.
In Friday Star Wars Security blogging, I was planning to start on Saltzer and Schroeder this week. But I’m going to detour a bit into genetic privacy (and Star Wars, of course). I’m inspired in part by an interview over at GeneForum with bioethicist Insoo Hyun. Hyun is studying cloning with the South Korean team […]
Chris just wrote a long article on “Liability for bugs is part of the solution.” It starts “Recently, Howard Schmidt suggested that coders be held personally liable for damage caused by bugs in code they write.” Chris talks about market failures, but I’d like to take a different direction and talk about organizational failures. Security […]
Recently, Howard Schmidt suggested that coders be held personally liable for damage caused by bugs in code they write. The boldness of this suggestion is exceeded only by its foolhardiness, but its motivation touches an important truth — a lot of code stinks, and people are damaged by it. The reason good programs (which means those […]
Via Alec Muffett’s dropsafe, I learned of a British SF television program which eerily predicted a future Britain in which a sinister governmental department that has abolished individual rights and introduced ID cards for all citizens, rationing and sophisticated electronic surveillance I would have preferred to have gotten a transdimensional police box.
The EFF has done some great work on how high resolution color printers are embedding tracers in every document they print. It’s at “DocuColor Tracking Dot Decoding Guide.” I’d call them high quality printers, but how could I? They intentionally distort every document they print on the off-chance it contains evidence of thoughtcrime. The work […]
I referenced Larry Ponemon’s “After a privacy breach, how should you break the news?” months ago. Now there’s more data, in a survey sponsored by the law firm of White and Case. They have a press release, and you can download the full survey. As Chris pointed out, knowledge is good. According to the survey, […]
John Gruber has an interesting article on the economics of being a one-man software shop, “The Life.” He uses the case of Brent Simmons and NetNewsWire to shed light on why the life of a small software development shop is so hard. Jeff Veen of Adaptive Path has announced “MeasureMap,” a new blog-focused log analysis […]
From New York’s Information Security Breach and Notification Act: 7. (A) IN THE EVENT THAT ANY NEW YORK RESIDENTS ARE TO BE NOTIFIED AT ONE TIME, THE PERSON OR BUSINESS SHALL NOTIFY THE STATE ATTORNEY GENERAL, THE CONSUMER PROTECTION BOARD, AND THE STATE OFFICE OF CYBER SECURITY AND CRITICAL INFRASTRUCTURE COORDINATION AS TO […]
The roundtable I did as part of the Security 360 (with Amy Roberts, Peter Cullen, and Gerry Gebel) is now archived at “Microsoft Executive Circle Webcast: Security360 with Mike Nash: Managing Privacy in Your Organization.” Since I’ve been posting a lot recently, I’ll repeat: after filming I participated in Microsoft’s Blue Hat, you can read […]
Microsoft UK National Technology Officer Jerry Fishenden warns that the push for a national ID card in Great Britain could lead to identity fraud on a gigantic scale unlike anything that has been seen before. The Register reports… and Charles Clarke confirms that ID cards will be a massive waste of both time and money […]
In “Online Dirty Tricks at American Airlines” Gary Leff reports: The Wikipedia entry on the Wright Amendment (the law which restricts destinations of flights taking off from Dallas’ Love Field, which serves — and was intended — to protect American Airlines from Southwest) was edited by someone using an American Airlines domain. Someone using […]
I’ll confess to some stage fright, since this blog’s readership is probably two or three orders of magnitude larger than what my fortnightly rants over at my place probably garner. Anyway, I hope to have posts forthcoming about a few things, among them CVSS, and research into estimating the impact of security events (variously defined) […]
One of the things that happens as a blog takes on a personality is that readers start to send you links to things that are “more your blog than theirs.” Over the last few months, Chris has fed me something between a third and a half of the breaches listed in my breaches archive. At […]
As I experiment with bringing in guest bloggers, the old subtitle of the blog, ‘Musings from Adam Shostack on security, privacy, and economics’ is now inaccurate. Now I could simply declare this “Adam Shostack and friends,” but that is both boring and, with no offense to my invitees, inaccurate. (I’ve never met the fellow who […]
Last week, I was in Redmond for a few days, filming a roundtable discussion with Amy Roberts of Microsoft, Gerry Gebel of the Burton Group and Peter Cullen, Microsoft’s Chief Privacy Strategist. I think we had a great discussion, the time went by really quickly. I hope that the good energy we had in the […]
Shmoocon was a great get-together last year, and I look forward to being there this year, especially now that they’ve announced a first batch of speakers. Via the Shmoocon RSS feed. No, just kidding, they don’t have an RSS feed.
The other thing I did at Microsoft last week was I participated in Blue Hat. Microsoft invites a selection of interesting researchers to come to Redmond and present a talk to a variety of people within the company. Blue Hat is organized by Kymberlee Price, who works with Andrew Cushman, and they did a great […]
Several folks have sent me a link to a Free Market News article “HOMELAND SEC. SURVEIL ALL AOL FILES,” with a suggestion I link to it. I thought it was squirrelly, but when the normally quality Chief Security Officer Magazine picks it up, I felt a need to respond. And frankly, I call bull. by […]
I’ve slept in three different hotels in the last ten days or so, and noticed a number of things that (seemingly) could be done a lot better. The first is voice mail spam. I get no warm fuzzy from picking up a pre-recorded voice mail welcoming me to the hotel. But I do get to […]
If you have to educate people to not use the tools you have given them in a certain way to remain secure you have failed. Relying on security awareness training is an admission of failure. This meme must be eradicated from the gene pool. So writes Rich Stiennon in “Dangerous meme.” He’s absolutely right. Training […]
Over at the History News Network, Keith Halderman reports on medical marijuana. It seems that the cool kids don’t want to be taking any drug that old geezers use: “Nine years after the passage of the nation’s first state medical marijuana law, California’s Prop. 215, a considerable body of data shows that no state with […]
We take a break from our regularly scheduled, deeply-movie-focused, Friday Star Wars security blogging to mention the Chewbacca defense, and its interplay with a story that’s floating around. First, if you’re not familiar with it, “The ‘Chewbacca Defense‘ is a satirical term for any legal strategy that seeks to overwhelm its audience with nonsensical arguments […]
I’m at Microsoft’s ‘Blue Hat’ event, and it’s been fascinating. Very senior folks got briefed today while I sat in the back of the room and (mostly) listened. I’ll blog some thoughts shortly, but I expect to continue to be mostly unresponsive through Sunday.
February 10-12, 2006 San Francisco CA, USA codecon is the premier showcase of cutting edge software development. It is an excellent opportunity for programmers to demonstrate their work and keep abreast of what’s going on in their community. All presentations must include working demonstrations, ideally accompanied by source code. Presentations must be done by one […]
In “In the Classification Kingdom, Only the Fittest Survive,” Carol Kaesuk Yoon writes about the profusion of naming schemes for animals: Then there’s uBio, which has sidestepped the question of codes and regulations altogether and instead aims to record every single name ever used for any organism, scientific or common, correct or incorrect, down to […]
One of the things that I’ve meant to do here is have a little chaos now and then, and see what emerges. One type of chaos that I’ve been aiming for is carefully selected guest bloggers. In talking to someone about that, he asked: What are the editorial parameters? Looking to avoid a possible “I […]
Some prominent business organizations are complaining to Congress that the Patriot Act makes it too easy for the government to get confidential business records. These groups endorsed proposed amendments that would require investigators to say how the information they seek is linked to individual suspected terrorists or spies. The changes also would allow businesses to […]
A few weeks ago, I reported on PlayMobil’s airport screening playset in “From The Mouths of Toymakers.” Dan Solove shows his true commitment by buying one, and documenting his hours of fun in “The Airline Screening Playset: Hours of Fun!” Read it.
In Balkinization, Stephen Griffin writes about the efforts to get government and society functional again in New Orleans in “The Katrina Experiment.” In a pair of posts that are, to me, closely related, Michael Froomkin writes about “My notes from the ‘The Great Debate’ at State of Play III” and “Summing Up ‘The Great Debate’ […]
I usually call my collections of links ‘small bits,’ rather than roundups, because I make no effort to round up all of what’s interesting about a subject. But today’s subject, especially the first items, I can not call small. I start with the most horrific, Rebecca MacKinnon’s “Chinese activist bludgeoned to death in front of […]
In a letters sent to Buxx [prepaid debit cards] users and dated Sept. 23, [Bank of America] warned that customers may have had their bank account numbers, routing transit numbers, names and credit card numbers compromised by the theft. Visa Buxx is a prepaid credit card for teenagers that the Bank of America (BofA) stopped […]
Letters have gone out to about 10,000 Ground Zero rescue and cleanup workers, notifying them that a computer containing Social Security numbers and health records was stolen, leaving them vulnerable to identity theft. The letters were sent by the World Trade Center Medical Monitoring Program, which is providing free health-care services to the workers. Workers […]
Congratulations to Thomas Schelling, who was awarded the Nobel Prize in economics (with Robert Aumann). Schelling, amongst many accomplishments which Tyler Cowen discusses here, put forth the notion that there are questions with answers which are correct because those are the answers everyone would choose. (The canonical example is where do you meet in New […]
David Litchfield lets rip at Oracle in “Complete failure of Oracle security response.” Such questions need to be directed to more vendors than just Oracle. Andrew Jaquith writes about “Hamster Wheels of Pain” in security company presentations. The Seattle Times has an article on those new fancy, radio controlled cockpit doors, “Glitch forces fix to […]
There are some fascinating tidbits about how Federal Express plans for the unforeseen in a New York Times story, “Have Recessions Absolutely, Positively Become Less Painful?” I wonder what (if anything) information security could take away from this sort of approach? It had been a busy day for Georgia businesses, and FedEx’s regular nightly flights from […]
The people of Belgium have been left reeling by the first adult-only episode of the Smurfs, in which the blue-skinned cartoon characters’ village is annihilated by warplanes. The short but chilling film is the work of Unicef, the United Nations Children’s Fund, and is to be broadcast on national television next week as a campaign […]
Rob Sama IM’d me a link to some Mac launch rumors at “http://www.macpro.se/?p=3014.” He then commented: Rob: I was the one who pointed that out to Cringley, and Calzone had pointed it out to me Adam: and you got no cred? Rob: I guess. I mean, columnists like that often say “a reader told me…” […]
Boingboing directs us to “Archimedes Death Ray: Idea Feasibility Testing,” in which an MIT class decides to test Archimedes’ ray: The use of mirrors to set warships on fire. Mythbusters claimed it was a myth, that the idea couldn’t be made to work. Well, the MIT class gave it a shot, and it turns out […]
VADER: Where is that shuttle going? PIETT (into comlink): Shuttle Tydirium, what is your cargo and destination? PILOT VOICE (HAN)(filtered): Parts and technical crew for the forest moon. VADER: Do they have a code clearance? PIETT: It’s an older code, sir, but it checks out. I was about to clear them. In modern cryptography, a […]
As an aside in a longer article, Dan Markel writes: As a matter of blogging ethics, I think the way to handle it is to post an apology and clarification and to remove the inaccurate material, with a followup email that clarified the situation. This is dangerously wrong. The inaccurate material needs to stay, because […]
Daniel Solove and company have launched a new blog, “Concurring Opinions.” Today, they posted their privacy policy. I think they’ll be sued shortly by Experian, for copyright infringement.
I should also mention that I had a good time at the Detroit IT Security Summit. I thought there was an interesting and broad selection of panelists, including some technical people and some senior managers. I didn’t get to talk to as many folks as I might have liked, but that’s always the case.
On the “Meet the Bloggers” panel at the Detroit IT Security Summit, I publicly heaped praise on Microsoft for their investment in security, the results of which include some really cool tools in Visual Studio 2005. Also on the panel, Ed Vielmetti brought up a really good point that I hadn’t heard recently, that of […]
A federal judge on Tuesday struck down a California law that restricts banks from selling consumers’ private information to their affiliates, ruling that the state law is pre-empted by federal rules. The American Bankers Association, the Financial Services Roundtable and Consumer Bankers Association had sued California Attorney General Bill Lockyer, arguing that the federal Fair […]
“Smart Borders: A wholesale information sharing and surveillance regime” is Krista Boa’s overview of the amorphous and opaque ‘Smart Border’ program: Smart Borders encompasses a range of individual and cooperative initiatives, including US-VISIT, biometric passports in both nations, automated passenger risk assessment, and no fly lists among many others, all of which put privacy rights […]
I spent a lot of energy to make Emergent Chaos look nice. And how do you all repay me? You read the RSS feeds. Most of my readership (85% or so) are reading via RSS. Which is nice. It says that there’s a core of folks who are interested in what I have to say, […]
PaybyTouch has arrived, and that finger in their logo looks awfully short to me. Maybe subconsciously, they know the truth? See my “Fingerprint Privacy” or “A Picture is Worth A Thousand Words” for some actual analysis, rather than silly sniping. (via Silicon Beat, who has notes on their unusual financing techniques.)
NewsGator Technologies has acquired NetNewsWire, along with Ranchero Software founder Brent Simmons. Simmons joins NewsGator as product architect. I discovered this via Brent’s NetNewsWire, and am blogging it with his MarsEdit. See the interview with Brent and Greg Reinacker. For consistency’s sake, I ought to be confusing Newsgator with someone else.
There’s a fascinating article on Dozame.org, a Kurdish site: “Emergence of a better Kurdish 4GW frightens Turkey:” An interesting observation is that HPG is now playing by all the rules set up by international conventions, treaties and war-laws [Jus in Bello] (which ARGK unfortunately occasionally broke). People in the military or with a military background […]
6th Workshop on Privacy Enhancing Technologies will be held at Robinson College, Cambridge, United Kingdom, June 28 – June 30, 2006. Paper submissions are due March 3, 2006. See http://petworkshop.org/2006/ for more details. [Also note that this will be colocated with the workshop on economics and information security. Thanks to Allan Friedman for reminding me.]
Over at Infectious Greed, Paul Kedrosky responds to a reader about the “Web 2.0” meme: As much as I love trying the new technology and services, very little has changed in how I use the web. Only RSS aggregation has truly offered me value. Everything else I enjoy trying out and then utterly forget it […]
Since Katrina, I’ve been trying to spend about $25 a week on disaster preparedness. Fortunately, I already own some basic camping gear, so I’m starting out by storing more food and water. My pantry tends to be thin on food that can be eaten without preparations. I have powerbars and snack bars so I’ve been […]
In “Bureaucracy Kills,” Daveed Gartenstein-Ross writes (quoting CNN): FEMA halted tractor trailers hauling water to a supply staging area in Alexandria, Louisiana[.] The New York Times quoted William Vines, former mayor of Fort Smith, Arkansas, as saying, “FEMA would not let the trucks unload. . . . The drivers were stuck for several days on […]
Today is the last day to get the stunningly low $75 rate for Shmoocon in Washington DC Jan 13-15, 2006. Remember to bow to Bruce’s firewall (largish video download). I understand this year’s con will culminate in a deathmatch between a new, armed Shmoo robot and the speaker who gets the worst ratings. The speaker […]
The fine folks at BugMeNot (free registration required) are sponsoring “Internet Advertiser Wakeup Day.” I think it’s a cool, but flawed, idea. If you believe that paying for service is better than kneeling before the advertisers and giving up your privacy, then poisoning the databases is good. However, to be effective, the poisoning needs to […]
Jim Harper writes: At this week’s meeting of the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee, Joanne McNabb, Chief of the California Office of Privacy Protection, and I circulated and presented a draft ‘Framework’ for assessing homeland security programs in terms of their consequences for privacy and related values. Members of the […]
It comes after a 24-year-old driver was found to be over the legal drink-drive limit during a routine control in Munich. He was taken to the police station where blood tests found he had no alcohol in his system. The man was released after officers found the strongest thing he had taken was a Fisherman’s […]
People seem to dig Star Wars posts. I could probably blog for a month on security lessons, illustrated with Star Wars quotes, but I’d need to buy the DVDs and get some video capture technology, and … …ok. You’ve convinced me. Friday Star-Wars-security-lessons-blogging it is. Ben: The “other” he spoke of is your twin sister. […]
It’s not like I was getting any work done anyway. (Ok, actually I was: Five of yesterday’s six posts took under 10 minutes, and four took 5 minutes or less.) But: Scientists invade the privacy of Giant squid, intruding on their long-preserved solitude. Also be sure to notice National Geographic’s beautiful user interface for selecting […]
ATHENS – A hacker broke into a computer database at the University of Georgia, gaining access to the Social Security numbers of employees in the College of Agricultural and Environmental Sciences and people who are paid from that department. More than 2,400 numbers, belonging to roughly 1,600 people, may have been exposed, UGA spokesman Tom […]
At the Counter-Terror blog, Andrew Cochran writes: “Treasury Department’s FinCEN Unit Recovering From “Cyberjacked” E-Mail System:” The most important impact of the cyberjacking has been to shut down the automated system whereby FinCEN and law enforcement request and receive information from financial institutions for use in terrorism and money laundering cases. The system, enacted under […]
While everyone (FCC, FBI, RIAA) is lining up to decide what software you can run, I’d just like to ask that I be included in the list. The Federal Communications Commission thinks you have the right to use software on your computer only if the FBI approves. No, really. In an obscure “policy” document released […]
The FBI has opened an investigation into the possible theft of personal information about some clients of RBC Dain Rauscher Inc. The chief executive of the Minneapolis-based brokerage firm disclosed the problem in a letter sent to 300,000 households. Dain Rauscher has not yet detected any fraudulent activity in their accounts, according to the letter […]
The CUNY foul-up that put students’ personal information a Google search away from identity thieves was more widespread than first reported, with school officials saying yesterday that the Social Security numbers of hundreds of employees also got on the Web. City University of New York officials detected the unprotected payroll link for Hunter College Campus […]
The US has unveiled new ten dollar bills, and, unsurprisingly, they contain the EURion constellation in an entertaining spot: That’s right. Big Alexander Hamilton is watching you. Close up from Money Factory.com.
Joris Evers continues to report well on the Cardsystems lawsuit, this time in “Judge looks for links in credit card case:” Kramer said he wants to be clear on which defendants fall under California civil code section 1798.82, the notification statute. While it is clear that the breach was at CardSystems, the law applies to […]
NudeCybot (hey, you’re blogging again!) asked me for opinions on Google Secure Access (or just GSA), and sent me a link to Kevin Stock’s Google Secure Access on Mac OS X. There are a lot of critiques of Google’s Privacy policy around GSA: “Hide what you’re doing from everyone but us! And, umm, anyone who asks […]
Data relating to about 9,000 mortgages that were originated by Countrywide Home Loans but sold to North Fork were in the laptop, according to a letter received by a customer on Thursday. The laptop was one of several stolen over the July 24 weekend, the letter said without identifying the office. The data included the […]
In conversation with a friend, I realized that my essay, “Preserving the Internet Channel Against Phishers” didn’t actually explain the problem. I made the assumption that everyone had the same perception of what it was. (Why didn’t anyone point that out?) So I’ve added the following (after the break), and I think the resultant essay […]
A blogger who I’d recently discovered has retired: I’ve always had my two lives separated – my offline world and my online one. That’s the way I wanted it and that’s the way I set it up and I’ve got my own reasons for it. And someone decided to ruin all the fun and be […]
In “Stuck on the No-Fly List,” Ryan Singel discusses the procedure for, no not getting off the list [1], but for getting onto yet another “cleared” list.[2] Confused? I was too. The head of the Terrorist Screening Center [3] told me recently that I’d mixed up “No-Fly” and “Selectee.” As Daniel Solove explains in “Secure […]
On Friday, San Francisco judge Richard Kramer ruled against the idea that Cardsystems (or Visa or Mastercard) had to provide 1386 notice to people. Some articles are “Visa, MasterCard Win Battle Over Breach” and “Credit card companies can keep data ID theft secret.” But the article worth reading is CNet’s “Judge holds off disclosure in […]
After the 7/7 London bombings, France decided it was not enough. So, even though France already has one of the toughest anti-terrorism judicial arsenals in Europe, it is adding to it. Indeed, French newspaper Le Monde just revealed the clauses of the new anti-terrorist law due to be formally presented to the government on October […]
Stefan Geens has an entertaining post about “how to judge a wine by its label:” Therein lies the secret as to why you really can judge wine by its label: Companies where the management has an atrocious taste in labels tend to be the old-school type, uncertain about innovation, parochial about marketing and under the […]
Yes, it’s suicide bomber Barbie! Click the picture for a few more views. Toy supplier Shuki Toys, responsible for the distribution of the stickers, said in response, “We were very surprised to see the stickers in the shop, the several sheets of stickers have been pulled off the shelves.” “We check all the stickers, thousands […]
We all understand that Ryan Singel deserves a break from reporting on stories like “TSA Chief Nixes Commercial Databases” or “Advisory Panel: Delay Secure Flight” or even “[TSA] Advisory Panel Report Made Public.” Reporting on the duckspeakers and their plans to grope us all in the name of liberty is enough to wear anyone down. […]
There’s a new security update from Apple, for both 10.3.9 and 10.4.2. If you browse the internet, or read email, you need it. I’m getting really annoyed at Apple’s update mechanisms. Not only the agreeing to a new license as part of the update, but the awful way in which they’re arranged. The technical data […]
Rebecca MacKinnon has the story on how AOL is refusing to collaborate on blocking freedom in China, in “Internet Censorship & Corporate Choices.” Companies do have a choice, and the choices they make matter a great deal. Security technologies that help protect people from their governments are not yet internationalized and easy to use. So […]
It seems to be standard that major new government programs cost more than we expect. Federal Computer Week has a story, “Real ID costs rising:” Earlier this year, Congressional Budget Office officials said nationwide implementation of the Real ID Act would cost $100 million in five years. The act requires minimum national standards and physical […]
Some of the precepts that proponents of national ID often put forth are that it can make “illegal immigration more unpleasant for immigrants,” or “a national ID system has some substantial potential to be the cornerstone of a national fraud-prevention system.” These are attractive notions, but will not be borne out in reality. Actually, the […]
Kip Esquire continues his coverage in “ACLU Sues to Block Georgia Voter ID Law,” and closes, like he did a comment on my last post on the subject: Always remember, it’s not about “making every vote count,” but rather “making every valid vote count.” I don’t think this works as a requirements statement. First, it […]
“Security cameras certainly aren’t useless. I just don’t think they’re worth it.” So comments Bruce Schneier on the news that “Cameras Catch Dry Run of 7/7 London Terrorists.” Richard Bejtlich comments on “Citadel Offers Product Security Warranty.” I think Richard nails it with his analysis that “There are probably enough loopholes through which one could […]
Congratulations to the pilot who brought it down safely.
If you’re a jack-booted thug, one of the saddest moments in Star Wars is when Obi-Wan Kenobi and Luke Skywalker slip past the Imperial Stormtroopers, out looking for stolen property. Had the Stormtroopers been a little more on the ball, all of those innocents on the Death Star would still be alive. You may not […]
Alan Chapell has some interesting thoughts in “CONSUMER WATCH: Localities put private data in harm’s way:” As an aside, some might argue that there’s little distinction between “evil doer” and “data broker”. I prefer to view the latter as the poster children for another unregulated industry that is screaming for the Government to step in. […]
I always find it fascinating to see who the foundation chooses to honor and support. The list of 2005 Winners is worth reading. Hey! No, really! Even if this is a short post, go click the link. Hmm, I should add a picture or something.
A backup tape containing the names, Social Security numbers and detailed health information of as many as 6,000 current and former clients of the Children’s Health Council was stolen from the nonprofit agency’s offices, officials confirmed Sunday. From SignonSandiego, “Thousands of health records stolen from Palo Alto agency.” via Cotse Privacy Watch. The Children’s Health […]
Is it art? If you grinned, it’s art. If you didn’t grin, it’s still art, and you’re a luddite.
In “Bush Aide Will Lead Hurricane Inquiry,” the New York Times chronicles the sort of petty bickering we’ve come to expect from kindergarteners America’s leadership. Today’s subject-of-bickering is who is to investigate the failures in New Orleans: On Capitol Hill, Congressional Republicans continued their efforts Monday to persuade Democrats to take part in a special […]
Yahoo! co-founder Jerry Yang said the company was merely following Chinese law – it had no choice. But as human rights groups have been pointing out, Yahoo! has been going above and beyond the strict legal requirements for some time. In 2002 it signed the Internet Society of China’s Public Pledge on Self-Discipline for the […]
Kip Esquire, who I enjoy reading, writes: The voter ID proposal, already causing a stir in Georgia, is a reasonable compromise. ID cards help deter voter fraud, yet if the cards are free, then the “poll tax” histrionics evaporate (see, e.g., my previous post). I agree that some histrionics may go away, but the real […]
My first reaction was shock, then anger. Why did the baby formula company have her due date? I had shared our baby’s due date with only two businesses: my health insurance company and a Web site for expectant and new parents. When I registered to enter the Web site, I specifically requested that it not […]
The Mac’s Terminal.app is way too easy to quit; it seems to absorb any command-Q typed near it, even if the menubar is showing you that you’re in another app. (This may be an interaction with the preference FocusFollowsMouse.) Anyway, having just lost a bunch of terminals with useful data in them, I went and […]
Arrrgh! It be National Talk Like a Pirate Day! And remember, kiddies, more pirates, less global warming!
Congratulations to the three winners: M Joonas Pihlaja and Paul V-Khuong (who had a joint entry) and Natori Shin. Code is here. I previously blogged about the contest here.
Miami University is notifying all students who attended Miami during the fall 2002 semester that a report containing their names, Social Security numbers and grades had been inadvertently placed in a file accessible through the Internet. University officials said that at this point they have no evidence of illegal use of the information, which included […]
Earlier, I mentioned the Powerpoint deck being used to pitch the idea of Iran’s Nuclear ambitions. Now, courtesy of Edward Tufte’s forums, we have links to the presentation (PDF). This is mentioned in “U.S. Deploys Slide Show to Press Case Against Iran ” in the Washington Post. The presentation is a nearly classic example of […]
Thomas Barnett comments that “The U.S. is pushing a secret PowerPoint briefing to allies on Iran, trying to convince them that the WMD question is drawing to a head there.” Maybe they’ve read “The Cognitive Style of Powerpoint,” and would prefer data to being pitched? I’ll (ahem) pitch my lesser-known Hamlet in Powerpoint. Jakob Nielsen […]
Or maybe just spit on them, and then rub it in. Not Bad For a Cubicle has “Don’t Plan on It” (http://thurston.halfcat.org/blog/?p=243): From what I can tell, the best way to keep a building from catching fire would be put these clowns in charge of burning it down. They truly are The Gang That Couldn’t Shoot […]
Via Seth Levine.
I took a little time away from the conference to visit the Salvador Dali Museum in St. Petersburg, Fl. It’s an impressive museum, and worth seeing. One of the strongest impressions I got from the experience was that of Dali’s sheer technical skill. From paintings that he made as a child (as young as 9), […]
The term “right to privacy” has, in the debate over the Supreme Court, become a code-word for a woman’s right to abortion (or more specifically, to a liberty to choose without government interference.) As someone who believes that privacy is broader than that, I was very pleased to see that Roberts said: “Senator, I do. […]
A new survey is reported in “Privacy and Security Concerns Flatten Interest in Online Banking” (Government Technology): After years of dramatic growth in online banking penetration, the percentage of Americans who conduct personal banking activities online remained unchanged during the 12-month period ending August 2005. According to results from a new survey of 1,000 American […]
COLORADO SPRINGS – Fort Carson has cautioned thousands of its soldiers to watch their credit records carefully following the theft of computerized personnel records from the post. Thieves broke into the Soldier Readiness Processing center over the weekend of Aug. 20-21 and stole four computer hard drives containing thousands of personnel records, Fort Carson spokeswoman […]
EBay has bought Skype, for reasons that I don’t quite understand. Perhaps all that cash was burning holes in their pockets. The BBC reports: “Communications is at the heart of e-commerce and community,” said eBay chief executive Meg Whitman. “By combining the two leading e-commerce franchises, eBay and PayPal, with the leader in internet voice […]
Today, I’m at the National Institute of Justice’s National Conference on Science, Technology, and the Law, and am participating in a panel on “Balancing Information Sharing and Privacy.” I’ll present “Protecting Society By Protecting Information: Reducing Crime by Better Information Sharing” (Or get the powerpoint slides. I don’t know why Powerpoint makes all the speaker […]
My friend and former boss at Radialpoint is looking for a malicious code and malware expert: The Director of Malicious Code and Malware will be responsible for being the leading authority on the security and protection of more than 14 million broadband subscribers, the largest community of broadband subscribers in the world. This high profile, […]
I’ve been mystified for a while by people talking about a need for RSS security products, as if those were somewhat different than other HTTP security products. Apparently, I wasn’t alone in this; Greg Reinacker, CTO of Feedburner Newsgator, writes: I was on a call the other day with some folks in the industry, and […]
John Quarterman tells of airlines sending planes to New Orleans without contracts or guarantee of payment. And the New Orleans Times Picayune tells stories of those who stayed to man the pumps in “Pace of drainage is rare bright spot.” Incidentally, while I hate ads, the work done by the staff of the Times Picayune […]
The New York Times Magazine has a long (14 screen) article, “Taking Stock of the Forever War,” reflecting on the four years since the attacks on New York and Washington. It seems fairly even-handed overall: any article that long will have points people contest. I’m in full agreement with the general thesis, that the United […]
An article in the BBC, “Uniform row rocks HK Disneyland” has great quotes from Chinese officials: Financial Secretary Henry Tang said: “We welcome Disney to come to Hong Kong to invest in Disneyland, but in the process of building Disneyland, no-one has special rights. Everyone is equal before the law.” An editorial in the Ming […]
…I have determined that this incident is of such severity and magnitude that effective response is beyond the capabilities of [Louisiana] and affected local governments, and that supplementary Federal assistance is necessary to save lives, protect property, public health, and safety, or to lessen or avert the threat of a disaster. I am specifically requesting […]
Ed Felten reports on a new technique to go from a recording of typing to the sequence of keystrokes: Li Zhuang, Feng Zhou, and Doug Tygar have an interesting new paper showing that if you have an audio recording of somebody typing on an ordinary computer keyboard for fifteen minutes or so, you can […]
Richard Bejtlich comments on a Federal Computer Week article, “Security clearance delays still a problem” in “Feds Hurry, Slow Down.” “ITAA officials said 27 member companies that responded to a survey are coping with the backlog by hiring cleared employees from one another, sometimes paying premiums of up to 25 percent.” I’m glad to see […]
I’m very excited to say we’ve added two more outstanding judges to the Tor GUI contest: Edward Tufte and Bruce Schneier. I’m honored and excited to be working with both. As a reminder, you have at least until October 31 for submissions, and all qualifying entrants will receive a t-shirt.
This is a follow-on to “Who Will Rid Me of This Meddlesome Bureaucracy?” and the same disclaimers apply. I’ll note that Time Magazine has an article “How Reliable Is Brown’s Resume:” The White House press release from 2001 stated that Brown worked for the city of Edmond, Okla., from 1975 to 1978 “overseeing the emergency […]
Max Dornseif complains that “Capture the Flag is getting somewhat boring.” That’s too bad, so with all due haste, here are some suggestions: Capture the Business: …is a slight variation on the Ghetto Hackers game. The Ghetto hackers were all about simulating a real business, with its need for uptime. In capture the business, teams […]
It has a lot to recommend it, but there are a number of niggling annoyances: Saved pages are poorly named. (Safari gives the page a name based on its title; Opera uses the filename, often “index.html.”) Since I save a lot of web pages, this is an issue. Cookie management doesn’t seem as good as […]
It’s not a question you’ll hear me ask often, but when PrestoVivace sends me a link to “DOD plans to recognize more than just fingerprints:” “We’re looking for new technologies, innovators and companies that recognize that the biometrics enterprise in the Defense Department and the U.S. government in five years is going to be very […]
Both T-Salon and RConversation are reporting a Reporters Without Borders story, “Information supplied by Yahoo ! helped journalist Shi Tao get 10 years in prison:” The text of the verdict in the case of journalist Shi Tao – sentenced in April to 10 years in prison for “divulging state secrets abroad” – shows that Yahoo […]
One of the facets of the response to and analysis of Katrina is that the disaster is large enough that everyone can choose an aspect of it to look at from the comfortable heights of their favorite hobby-horse. Be it the incompetence of (state, federal, or local) government, the evils of (small or big) government, […]
As historians, they did a fantastic job of gathering information. They have credibility and stature. They have the perspective to tie the destruction of New Orleans to the destruction in New York, Washington, and Pennsylvania, and to consider the failures of leadership and the failures of response in the context of massive new spending to […]
Michael Froomkin points to a claim that “Long before FEMA dropped the ball, local authorities decided they didn’t need one: See LENIN’S TOMB: Everything has gone according to plan.” For more, the City of New Orleans web site is still operational, and has a section on Emergency Preparedness. Bruce Sterling, with only a small […]
Suzette Haden Elgin has an interesting essay on the “biblical proportions” construct, and its meaning. Thomas Barnett has written “The art of the long view,” which is an interesting perspective to be able to maintain right now. Another useful perspective comes from Bill West at the Counterterrorism blog in “Katrina Response – Another Quick Observation,” […]
…Every official at the Federal Emergency Management Agency should be fired, Director Michael Brown especially. In a nationally televised interview Thursday night, he said his agency hadn’t known until that day that thousands of storm victims were stranded at the Ernest N. Morial Convention Center. He gave another nationally televised interview the next morning and […]
(CNN reports:) President Bush told reporters on Friday that millions of tons of food and water are on the way to the people stranded in the wake of Hurricane Katrina — but he said the results of the relief effort “are not acceptable.” He then went on to fire DHS Secretary Chertoff. I’m such a […]
In May, I blogged “Georgia DMV, employee Asif Siddiqui, “hundreds of thousands.”” An anonymous tipster sent me a link to “Unemployment Appeal Decision:” The following is the decision of Appeals Tribunal of Georgia Department of Labor ruling that Asif Siddiqui is entitled to unemployment benefits as employer Georgia Technology Authority failed to prove their allegations. […]
It seems that both the French Quarter may have survived, and Fats Domino definitely has, despite earlier reports he was missing. It also seems that the National Guard is finally getting food to some people, and evacuating others, although there’s a lot more to do. Oh, and just when I try to get in a […]
There’s a very long post on the public health implications of Katrina at Dave Farber’s IP list, “Hurricane Katrina Analysis – CFR Global Health Program.” I hope that we respond better to these threats than we have to the hurricane. Thomas Barnett takes a look at the long term effects of “Katrina’s System Perturbation.” (I […]
There’s a lot of amazing things being written out there. One of the more fascinating would be Interdictor’s LiveJournal. He’s keeping a New Orleans ISP running, and blogging as he and his co-workers do. He asks that we link with mgno.com, but that’s been intermittent. Use Livejournal as a backup. Michael Froomkin has a roundup, […]
Before I get into this post, I’d like to say I have a great deal of sympathy for the individuals whose lives, but nothing else, have been saved. However, I find the comparisons to the Indian ocean tsunami to be irresponsible and wrong. Sample quote: Biloxi Mayor A.J. Holloway said the storm’s damage was overwhelming, […]
The head of a radical Islamic prison gang and three others were “on the verge” of carrying out attacks against U.S. military sites, synagogues or other Los Angeles-area targets when police foiled the alleged plot, prosecutors said. From “Four indicted in alleged terrorist plot against LA-area targets.” The Counterterror blog has some analysis and links […]
Researchers from the non-profit Rand Corp. looked at the ability of local agencies to meet federal standards for responding to urgent-case reports of infectious diseases like bubonic plague, anthrax or botulism. Of 19 local public health agencies called in 18 states, only two met the U.S. Centers for Disease Control and Prevention’s standards, which include […]
Enter narrator I pray you all give your audience, And hear this matter with reverence, By figure a moral play- The Flooding of New Orleans called it is, That of our lives and ending shows How transitory we be all day. Enter preacher, sturm and drang… It has nothing to do with Southern Decadence, despite […]
Our Saudi allies, displaying their tolerance: Paper cups with Hebrew writing disturbed both employees and medical staff at King Khaled National Guard Hospital on Saturday. The catering subcontractor for the hospital coffee shops began using them on Saturday after their usual supply ran out. “We were shocked and angry,” said an employee. “How can Israeli […]
The scale of destruction from Katrina is simply staggering. The Red Cross, and other good organizations could use your help. I do wonder if Pompeii isn’t a better analogy than others being brought up, such as the Indian Ocean Tsunami or Hiroshima. As an aside, I expect there will be fake charity sites set up, […]
Having taken advantage of Opera’s offer (still valid for a few hours!) I must say, I’m impressed. Opera is snappy in a way that Safari (with all the plugins I’ve added) is not. There are some small bits of things not working as I expect, things that should be controlled differently*, as I move, but there […]
The Opera browser, which some friends rave about, is now ten years old! To celebrate, they’re offering free full copies if you send a note to “registerme@opera.com” before midnight tonight. The registered copies do not have the ad bar. Woot!
An article in the summer 2005 issue of 2600 magazine (“The Hacker Quarterly”) discusses a timing attack on the Paradise Poker Blackjack game. In essence, the game reveals when the dealer’s hole card is a 10, because it takes longer to process that situation. (The article isn’t online, near as I can tell.) There’s more […]
Daniel Solove has a good post on “How Companies Help Phishers and Fraudsters.” Companies have trouble being consistent in what they send, and that’s to the advantage of fraudsters. They also have a hard time taking security information from outsiders, however well meaning. I had an experience with Citi Mastercard. After some problems, I was […]
In PGP’s CTO Corner, Jon Callas draws attention to the second world war Colossus computer: The Colossus Rebuild Project took 10 years and 6,000 hours of effort. The resulting machine is not a replica of a Colossus, but an actual Colossus that uses some of the actual parts. The team finished a Mark II Colossus […]
Yinan Wang, the 14-year-old Chinese boy who clinched a place at Oxford University last week, will be the last child prodigy to study there under reforms being considered by admissions tutors. Despite an almost perennial flurry of headlines on children barely in their teens being offered places, the university is considering an unprecedented blanket rule […]
It used to be that to mock lawyers sending cease and desist letters, you had to be elite Swedish file traders. (Or Phrack. Phrack used to mock their correspondents, too, before they got all corporate.) But now, even gadget blogs can play, and play Gizmodo does, when some bunch of lawyers sends them a letter […]
By Amy Franceschini. See the complete work at Future Farmers. It’s not new, but Gizmodo picked it up and reminded us.
On Aug. 1, UF was notified that a computer was stolen from ChartOne, a Boston-based firm that the Health Science Center contracts with to help manage medical records. In the laptop’s database were the names, Social Security numbers, dates of birth and medical record numbers for more than 3,000 patients spread over a wide area. […]
In “Getting Serious about Smog,” Virginia Postrel writes: After many years of bureaucratic resistance, California is finally getting serious about air pollution from cars. These days, most cars don’t spew much pollution. But the few that do, account for a lot, and many of them still manage to pass state inspection. Now, the LAT reports, […]
WiKID is a two-factor authentication system. It consists of: a PIN, stored in the user’s head; a small, lightweight client that encapsulates the private/public keys; and a server that stores the public keys of the clients and the user’s PIN. When the user wants to log in to a service, they start the client and enter […]
I’ve updated the concepts first presented in “Don’t Use Email Like a Stupid Person” and “More on Using Email Like A Stupid Person,” to make them more palatable to readers. The new short essay is “Preserving the Internet Channel Against Phishers,” and is designed to be shared with marketing folks without insulting them. Alternate title: […]
It seems that Zylon “bulletproof” vests are not nearly as effective as Kevlar ones, and the Justice department may pull funding for purchasing them. (All the press releases and reports are at the DOJ site.) They are, however, more effective than not wearing a vest. I am routinely outraged here by poor technology decisions that […]
The dominant headline around Robertson’s attempt to retract his comments is that he “apologized.” That is false. He claimed to have not called for an assassination: “I said our special forces could take him out. Take him out could be a number of things including kidnapping.” Mark, at Cutting Edge of Ecstasy takes out goes […]
Alex Haislip is blogging up a storm at VC Action. I love journalist bloggers; there’s so much interesting backstory that they talk about. And working at Red Herring, Alex has more dirt than he could dish and stay in business. 😉 Curt Hopkins points to a fascinating story about the folks who run the great […]
CSO’s Security Feed has a story “RFID Technology Prevents Infant Abduction.” The story reads like a press release: VeriChip Corporation, a subsidiary of Applied Digital (ADSX), a provider of security and identification technology, stated that its “Hugs” RFID infant protection system prevented the abduction of a baby at Presbyterian Hospital in Charlotte, North Carolina. A […]
Television evangelist Pat Robertson told viewers the U.S. should kill Venezuelan President Hugo Chavez to prevent the Latin American country from becoming a “launching pad” for extremism, the Associated Press said. From Bloomberg. Ezra Klein has comments in It Was The Christian Thing To Do. Apparently, Venezuela is upset. Thanks to Nick for distracting me […]
I took this picture of a sign, lying on its side, near gate A12 of the Atlanta airport on August 16th, 2005. The photo is what I saw; it has not been retouched. It needs a caption, and I am simply flabbergasted.
Captchas are those annoying, spamateur “type this so we can stop spam” things that you see on some blogs. PWNtcha stands for “Pretend We’re Not a Turing Computer but a Human Antagonist”, as well as PWN capTCHAs. This project’s goal is to demonstrate the inefficiency of many captcha implementations. For an overview on why visual […]
I’ve deleted Geoff’s ScreenDiscussion for negligent posting, and added Mario’s blog, Ed and Diana at Security Curve and TQBF and his service-oriented chargen 19/udp.
Volubis picks up stories in Information Week and Computer World: Roughly 20% of businesses report computer intrusions annually, a figure the agency believes is low. Director Robert Mueller urged businesses to step forward, promising greater sensitivity from the FBI in return. This reluctance has become especially important at a time when identity theft is growing […]
In her “On the Record” blog, Ann Harrison (Hi Ann!) covers how to use the Privacy Act to request the records TSA collected, illegally, on millions of innocent people. Incidentally, Arthur Andersen was shut down for destroying data like this.
I just blogged about a breach of data which could be used for ID theft in “US Air Force, 33,000 SSNs, Hacker.” I’d like to tie that to a story I mentioned earlier this week, “TSA May Loosen Ban on Razorblades, Knives:” The Aug. 5 memo recommends reducing patdowns by giving screeners the discretion not […]
In “Half of USAF’s officers’ PII stolen,” Chris points to stories about “AFPC notifies Airmen of criminal activity exposing personal info,” and “Air Force investigates data breach.” AMS, an online program used for assignment preferences and career management, contains career information on officers and enlisted members as well as some personal information like birth […]
In Lee Kuan Yew is usually worth reading, Tyler Cowen discusses a Lee Kuan Yew interview, where Lee mentions ‘intellectual property’ law as a place Singapore can stay ahead of its competitors. Mr Lee says: Such as where the rule of law, intellectual property and security of production systems are required, because for them to […]
The EFF is directing attention to the Leave My Child Alone! coalition. Did you know that President Bush’s No Child Left Behind Act mandates that public high schools turn over private student contact information to local military recruiters or risk losing federal education funding? Not only that, but the Pentagon has compiled a database of […]
[Update: Welcome Buzzflash readers! If you enjoy this post, please have a look around, you might enjoy the air travel or privacy category archives.] USA Today reports “TSA hopes modifications make X-ray not so X-rated.” The TSA now hopes to test modified “backscatter” machines in a few airports this fall that will solve the privacy […]
In private email to Justin “SpamAssassin” Mason, I commented about blog spam and “how to fix it,” then realized that my comments were really dumb. In realizing my stupidity, I termed the word “spamateur,” which is henceforth defined as someone inexperienced enough to think that any simple solution has a hope of fixing the problem.
The announcement says: Tor is a decentralized network of computers on the Internet that increases privacy in Web browsing, instant messaging, and other applications. We estimate there are some 50,000 Tor users currently, routing their traffic through about 250 volunteer Tor servers on five continents. However, Tor’s current user interface approach — running as a […]
It’s my one year blogiversary. In that time, about 300,000 words including comments and trackbacks have been posted in 957 articles. That’s a little over 2.6 articles a day, some of which some of you seem to have enjoyed reading. Moveable type added about 40,000 words of html tags, colon tagged junk etc. So, really, […]
Two diners on a date at a fancy Jersey Shore restaurant were furious when they saw the check — which listed their table as that of the “Jew Couple.” … Stein said he took the offensive bill and showed it to Jewish friends seated nearby who said they could not believe it. When the group […]
Thanks for your patience, I think we’ve solved the problem. Some comments may be moderated, but the rejection should be done. Please email if there’s any more rejections.
A group of Alaskans have gotten tired of being jerked around by TSA and filed suit in the US District Court in Anchorage. Read the story at TSA Secrecy Must Stop.
Tom Ptacek offers up unsubstantiated rumors, and Lindstrom caves? Shoot. I did my chrooting DNS work when a customer’s DNS servers came under attack. Can I get beer without naming the customer? I thought Pete was demanding full details. None of the attacks I saw used are less than five years old. More seriously, I […]
Allow me to begin by shocking my regular readers with a few words of praise for TSA: Ryan Singel reports that they found a bomb, in “Screeners ID IED.” Of course, that’s 1 bomb:1,000,000 nail clippers, but still. It’s good to see that they can find the bombs. When they’re not harassing babies […]
A couple of people have mentioned that something in the comment posting code is rejecting their comments for “questionable content.” I’m very sorry, and am working with my fine technical support staff to try to solve it. If this happens to you, please email me: emergentchaos & gmail & com, and I’ll try to post […]
Sunday’s Washington Post has a story, “U.S. Lowers Sights On What Can Be Achieved in Iraq:” The Bush administration is significantly lowering expectations of what can be achieved in Iraq, recognizing that the United States will have to settle for far less progress than originally envisioned during the transition due to end in four months, […]
Remember that bulky jacket-wearing, fare-skipping young foreigner who taught the world that it’s a bad idea to act suspiciously near public transportation after a terrorist attack? The UK’s Observer investigates, and among other things finds: Initial claims that de Menezes was targeted because he was wearing a bulky coat, refused to stop when challenged and […]
[Update: A less in-your-face version is Preserving the Internet Channel Against Phishers.] There have been lots of good comments, both here and over at Nielsen Hayden’s Making Light. There’s a few points left dangling that I wanted to respond to further. Those are the “ignore the marketing department” view and the “train the customer view.” […]
[Update: A less in-your-face version is Preserving the Internet Channel Against Phishers.] In his talk at Defcon, David Cowan talked about how he doesn’t bank online anymore. Banks are now facing the imminent destruction of their highest bandwidth, lowest cost way to interact with customers. Actually, it’s worse than that. Bankers are killing online banking, […]
I’m on vacation through Sunday, and won’t be blogging until next week.
Pete Lindstrom has very nicely offered to indemnify me, and pay my outrageous consulting fees when no one else will, if only I break NDAs and disclose which 0day exploits were used against which of my clients. Well, the city of Tokyo…No, I’ve never worked for the city of Tokyo. Now, as I’ve said repeatedly, […]
Hackers have broken into Sonoma State University’s computer system, where they had access to the names and Social Security numbers of 61,709 people who either attended, applied, graduated or worked at the school from 1995 to 2002, university officials disclosed Monday. So says SF Chronicle. Sonoma State has a page.
The job of a shareholder-owned company is to make money for shareholders, not to coddle its employees. But sometimes, being good to your employees can be good for the shareholders. In “Living the Dog’s Life at Costco,” Kevin Carson takes to task Wall St analysts who are trying to run Costco’s business for them: “He […]
Frequent commenter Allan Friedman has started Geek/Wonk. In “Speaking of duct tape,” he links to an interesting essay Duct Tape Risk Communication. And Mario’s comments on tor vs the Freedom Network are interesting: Interestingly, the usability issues are _exactly_ the same as they were ~5 years ago! It’s sometimes s-l-o-w! While I agree with this, […]
The UNT server storing the electronic university housing records of about 34,000 current, former and prospective students was accessed by a computer hacker. In addition, an Internet-based form available to students to make inquiries to the UNT financial aid office mistakenly created a file containing personal information of the current and former students who used […]
Notices went out on Thursday to 31,077 people informing them that their records might have been stolen after Cal Poly Pomona discovered two computer servers were compromised in late June. “We got hit by a hacker,’ said Debra Brum, interim vice president of instructional and information technology. Personal data, including names and Social Security numbers […]
Microsoft ‘s experimental Honeymonkey project has found almost 750 Web pages that attempt to load malicious code onto visitors’ computers and detected an attack using a vulnerability that had not been publicly disclosed, the software giant said in a paper released this month. So reports Rob Lemos, in “Microsoft’s “monkeys” find first zero-day exploit.” We’ve […]
I’ll be at the National Conference on Science, Technology and the Law, A National Institute of Justice Conference sponsored by the National Clearinghouse for Science, Technology, and the Law, September 12-14, 2005, St. Petersburg, Florida. I’m on a panel with a great group of folks on “Balancing Information Sharing and Privacy Concerns.” We haven’t put […]
America’s Finest News source reports that “Our Global Food-Service Enterprise Is Totally Down For Your Awesome Subculture” while the New York Times covers “Hip-Hop Argot Meets Corporate Cant, All to Sell Chryslers.” One story or the other contained the line: Sometimes it feels like nobody understands your rebellious, genre-defying crew of goth-rocker pals—am I right? […]
Richard Bejtlich talks about the backlog in security clearances in “Opportunity Costs of Security Clearances,” using an anecdote about an unnamed agency trying to hire someone “clearable” to train to do complex work that requires particular skills and orientation. Meanwhile, at Cutting Edge of Ecstacy, Mark writes about “A Mexican man who used a fake […]
Newsfactor has a long story, “U.S. Passes the Buck on Identity Theft,” which discusses the Identity Theft Penalty Enhancement Act of 2004, some of a current crop of products designed to reduce ID theft risks at businesses, and the need to shift liability. Speaking of shifting liability, in “Despite Claims of “Exceptional” Security, Acxiom’s Defenses […]
This Aqueon Fireplace, from Heat and Glo separates water into hydrogen and oxygen, and then burns them. Because the hydrogen burns cleanly (unlike, say wood or gas), there’s no need to ventilate. As if you needed more proof that science trumps idiocy. I look forward to having six hydrogen burners in my stove. Because that […]
The arrest of the Algerian-born Briton with 452 forged European passports at Bangkok’s Don Muang airport is only the latest in incidences of document forging in Thailand. … But here’s the rub: The suspect, 35 year old Mahieddine Daikh, may not be charged with any crime. To date none of the governments whose forged passports […]
Flyertalk brings us the story of Continental Airlines and Boston’s Logan Airport having a little spat. The core of the dispute is that Continental offers its customers Wifi access for free. But Boston wants to charge for it. Boston has always had a bit of a control thing. That’s not unique. There are lots of […]
Thurston points to “London blasts – expert comments” at the London School of Economics. I know you all come here for the bombast and snark, so be warned: These are trained professionals. Do not try this on your blog. Boyodite William Lind reports on the “Modern Warfare Symposium,” organized by (ret) Colonel Mike Wyly. The […]
Over at Sivacracy, Ann Bartow is running a series of pictures on flag desecration.
Marty Lederman has a long post, “The Heroes of the Pentagon’s Interrogation Scandal — Finally, the JAG Memos” about the Judge Advocate Generals of the Armed Forces, who took a stand against the President’s position that the United States could behave as it has at Guantanamo and elsewhere: The memos are extraordinary. They are written […]
Defcon is better experienced than read about. How could I argue with a slogan like “What happens in Vegas gets posted to thousands of blogs? stays in Vegas?” But when those involved blog about it, I’ll admit to a little involvement: I recruited Brian Krebs onto team Shmoo. Because everyone knows I’m a Shmoo wannabe. […]
Ross Anderson has announced that the fifth WEIS will be held in Cambridge (England) 26-28 June 2006. Papers due March of next year. I’m sad that I’ve only made one of the WEIS workshops so far. (Life keeps interfering.) What’s there is amongst the most interesting bits being done in security. I hope they continue […]
In the spirit of my personal information breach posts, I present to you the South African Sunday Independent’s story, “Hacker ‘outs’ news of the 10th planet of our solar system:” Brown has submitted a name for the new planet to the International Astronomical Union, which has yet to act on the proposal, but he did […]
Gary Wolf has an article in Wired this month: In fact, the people inside the towers were better informed and far more knowledgeable than emergency operators far from the scene. While walking down the stairs, they answered their cell phones and glanced at their BlackBerries, learning from friends that there had been a terrorist attack […]
Hackaday posts pictures in “defcon day 2 – don’t use the atm.” I don’t trust the ATMs at any Defcon haunt anymore, and was surprised to see a fellow I respect stick his ATM card into the machine at Hamburger Mary’s. I do wonder if any of the well-dressed guys using the ATMs were adding […]
Kudos to McCarran International Airport (Las Vegas) for having free wifi. And congrats to my fellow Defcon attendees for stealing the cookie that authenticates me to this blog off that wireless net. Tech Policy points to Bill West at Counterterror blog, in “Liberty & Security vs. Terror – an American Perspective.” It’s worth reading in […]
I’m at Black Hat and Defcon through Sunday, and blogging will be light, and slightly error-prone.
In comments, Izar asks why we feel that having policemen check up on us is an affront to our liberty. He also asks that we call him a “serf of the totalitarian state machine,” so I shall. I suppose I might feel differently if, regularly, people around me were being murdered by terrorists. But the […]
My friend and colleague Scott Blake is looking for smart people: I have openings for 5 information security analysts. Level of seniority is negotiable, but I prefer senior-level folks. I’m looking for the following specialties: security awareness training/communications, secure application development, risk assessment, network architecture, and security policy development. I also have an opening for […]
A few weeks ago, it came out that the MTA wasn’t spending their security budget: In December 2002, the Metropolitan Transportation Authority announced it had completed a lengthy assessment of potential threats to the city’s transportation infrastructure, from subway lines to major bridges. The authority, which had begun the study in the weeks after the […]
Michael Geist has the scoop at “Telus Blocks Subscriber Access to Union Website.” Short version: Telus and their union are fighting. Telus has chosen to prevent their customers from reaching “Voices for Change,” the union website. I urge Telus customers to call customer support and ask what’s up. Repeatedly. Voices for Change also suggests […]
David Cowan tells a sad story about his experience with unauthorized data collection and use in “Freshman Week.” Speaking of unauthorized data collection and use, Jonathan Krim reports that “License-Screening Measure Could Benefit Data Brokers:” Jason King, spokesman for the American Association of Motor Vehicle Administrators, said commercial data brokers are notorious for refusing to […]
In “Behind-the-Scenes Battle on Tracking Data Mining,” the New York Times reports that the Department of Justice really does care about privacy, and really doesn’t want those nosy Congressional committees poking about how the government operates. So, why should they care? Are they hiding something? Of course, this being a New York Times article, there’s […]
It’s going to be 105 (or so) in Las Vegas for Blackhat, and, as always, a little hotter for Defcon. Tickets for the DC702 Summit/EFF Benefit are for sale online through Monday. As a smaller, private event, I expect the AC will work. So you should be there, instead of say, lolling about by the […]
Carl Ellison has a blog. There’s other bloggers listed, but no recent posts by them. The title, of course, is a reference to Carl’s long-used signature file, of “Officer, arrest that man, he’s whistling a dirty tune!“
Ryan Singel has the scoop. The GAO report to Congress is also covered in the New York Times, “Flight Database Found to Violate Privacy Law:” “Careless missteps such as this jeopardize the public trust and D.H.S.’ ability to deploy a much-needed, new system,” Senator Susan Collins, Republican of Maine, wrote on Friday to Secretary Michael […]
Kip Esquire has a good post, “On ‘Consenting’ versus ‘Submitting’ to a Search.” The upshot is: If you happen to be stopped for a search such as this, you should not say “Yes I consent” or “Sure, go ahead.” Rather try saying something like “I consent to nothing, but if you are requiring me to […]
The Iowa State University is sending out a warning to alumni Wednesday after a hacker had access to the alumnae association Web site. A computer at Iowa State University’s Alumni Association was hacked into, allowing outside access to thousands of Social Security numbers and pages of credit card information. … By tapping into the computer, […]
Police will begin randomly beating people entering city subways, officials announced Thursday after a new series of bomb attacks in London. “We just live in a world where, sadly, these kinds of security measures are necessary,” Mayor Michael Bloomberg said. “Are they intrusive? Yes, a little bit. But we are trying to find that right […]
So says SteveC, and he’s right: It’s a relatively small group of criminals. At the same time, I can’t agree with his feeling that “These bombings occurred in all probability because of our unprovoked invasion.” The United States was attacked before we invaded Iraq or Afghanistan. People who will kill civilians on the tube are […]
Michael Geist continues to take the Privacy Commissioner’s office to task for protecting the privacy of infringers: Moreover, the Commissioner canvassed other banks and found that at least two others did allow their customers to opt-out of such marketing. Now if only the Commissioner would reveal which banks respected their customers’ privacy and which decided […]
With London being attacked again, I am heartened to see that the attacks were (apparently) less effective, and otherwise defer to the wisdom of Sir Winston Churchill: These cruel, wanton, indiscriminate bombings of London are, of course, a part of Hitler’s invasion plans. He hopes by killing a large number of civilians, women and children, […]
36 years ago today, two Americans landed on the moon before returning safely to Earth. It’s a feat worth celebrating.
Elizabeth Blodgett Hall, 95, founder of Simon’s Rock College, died July 18 at Geer Nursing and Rehabilitation Center in Canaan, Conn. In 1964, with 200 acres of her family’s land and a grant of $3 million from the Margaret Kendrick Blodgett Foundation — a charitable educational trust established by her mother — she founded America’s […]
David Cowan has a nice post on technologies he won’t fund, and why. It’s a great post. More investors should be up front about what they’re not interested in. Bessemer has funded 16 security startups–more than any other traditional VC firm–but there are some areas of security that even we have never funded, despite the […]
“CardSystems has not corrected, and cannot at this point correct, the failure to provide proper data security for those accounts,” said Tim Murphy, Visa’s senior vice president for operations in a memorandum sent to several banks. “Visa USA has decided that CardSystems should not continue to participate as an agent in the Visa system.” So […]
Over at Volokh, Orin Kerr writes “The New York Times ACLU Story Begins to Look A Bit Fishy.” The essence of Kerr’s argument is that with the ACLU’s request for any document mentioning the ACLU, of course they’re going to get a lot of documents: I should point out that it is at least theoretically […]
Last week, I asked, Now, if Evan Kohlmann can get to this gathering, and if John Walker-Lindh can meet bin Ladin, why haven’t we penetrated and shut down more groups which are openly calling for murder? Today’s New York Times has the answer in “Large Volume of F.B.I. Files Alarms U.S. Activist Groups:” WASHINGTON, July […]
In “Acxiom’s High Tech Hacker,” Ryan Singel describes how Scott Levine downloaded 8.2 gb of data that customers had uploaded to an Acxiom FTP server. The server was misconfigured, and anyone could login and see other people’s data. “According to law enforcement, the individual arrested was a known sophisticated hacker. He evidentially gained access through […]
The Walt Disney Corporation has started fingerprinting all visitors to their parks. They claim, incorrectly, that the fingerprint scans can’t be turned into pictures of fingerprints. True Americans understand that fingerprinting is for criminals. A presumption of guilt — of criminality — underlies a company taking your fingerprints. In “Welcome to Disney World, please let […]
You make a very nice client. But the “Remove Contact” menu item in the Contact menu is fucking broken. It is not clear that “Remove Contact” means “Blow away this entire group of contacts.” How about (1) making the item name plural, and (2) adding the list of contacts to be deleted to the warning […]
David Cowan (Hi David!) is the partner at Bessemer Ventures who is responsible for their security portfolio. So I’m hoping that he sticks with his new blog, “Who has time for this.” His post about Too Many Security Startups? is fascinating: The night I closed our investment in my 12th data security deal, Cyota, my […]
The Committee to Protect Bloggers reports that prominent Iraqi blogger Khalid Jarrar has been taken into custody by the Iraqi mokhabarat, or secret service. Jarrar is author of Secrets in Baghdad and is the brother of Raed from Raed in the Middle. B.L. Ochman has the scoop. Raed has more. If the United States is […]
CSO Magazine’s Security Feed juxtaposes two stories, “Stolen Data Worries Financial Institutions” and “EU Ministers Promise Data Retention Agreement.” The Privacy Law has an article on fingerprinting at Disney. His blog won’t allow anonymous comments, so I’ll say read “Fingerprint Privacy.” (I’m with Nancy Kerrigan, anyway.) Chris Hoofnagle has a story about a new database […]
Privacy Law lists the 16 states that now have notification laws. Thanks, Choicepoint! At Balkin, ‘JB’ has a long discussion of why 2nd term Presidents all seem to be scandal ridden…since the 22nd Amendment took away what game theorists call ‘the long uncertain shadow of the future.’ I nearly said something about ‘experimental confirmation’ here, […]
You’ve heard of the tube, of lorries and bobbies, but “cleanskins?” It’s a word that has emerged from London after last week’s bombings. The English police believe the suspects in the case are “cleanskins” – young operatives with no background of terrorism or crime. It’s more difficult to investigate cleanskins because they have no criminal […]
The fine folks at DC702 are going to be hosting a “pre-Defcon Summit” and fundraiser for the EFF. I’m pleased to be a featured guest, and urge you to show up, contribute to the EFF, and hang out. According to email organizers sent, they’re fast running out of tickets, so get your tickets now, and […]
The Arizona Republic brings us the news that “Medical firm’s files with personal data stolen:” The personal information of 57,000 Blue Cross Blue Shield of Arizona customers was stolen from a Phoenix-based managed care company. Arizona Biodyne, an affiliate of Magellan Health Services that manages behavioral health for Blue Cross of Arizona, began last Friday […]
Kim Zetter reports in Wired, Bill Strives to Protect Privacy : Another bill introduced in the Senate judiciary committee about two weeks ago addresses some of the same issues in a comprehensive way, and several other bills address individual issues, such as notification to consumers. The commerce bill, however, is likely to go the distance […]
Friends, colleagues, and co-conspirators, It has been 17 long years and now the time is finally here to celebrate at the: BLIND SIGNATURE PATENT EXPIRATION PARTY WHAT: A party to celebrate the expiration of the Blind Signature patent. WHY: U.S. Patent 4,759,063 (“Blind Signature Systems“) to David Chaum is the core invention enabling privacy-protecting electronic […]
Frank Work, Alberta’s Information and Privacy Commissioner, released a report on his investigation into missing Health and Wellness computer data storage tape. Work stated the incident is a low risk for potential fraud. As soon as the incident was reported, Alberta Health and Wellness changed practices and eliminated the related tape transfer business process. … […]
The folks over at The Counterterrorism Blog have been doing a great job the last week or so. Lots of very high quality posts, good roundups around the London attacks. I wanted to point and comment on several of their recent posts. First is Where do Homegrown British Suicide Bombers Come From?, a first person […]
Less useful is another call for “Israeli style profiling,” in Bill West’s Bolstering Transit Security the Old Fashioned Way: The more such officers there are, and the better trained they are, especially if they are trained in behavioral profiling techniques like the Israeli security services have used for decades, the better protected these transportation systems […]
Item: OCC Guidance on Phishing Websites, Ethan Preston writes about The Office of the Comptroller of the Currency provided guidance for banks on appropriate countermeasures against phishing websites. The guidance provides fairly common sense advice: designate employees to respond to phishing threats, cultivate contacts with the FBI to expedite law enforcement’s response, prepare to identify […]
Err, no. But I was reading a post at TaoSecurity, “How to Misuse an Intrusion Detection System:” I was dismayed to see the following thread in the bleeding-sigs mailing list recently. Essentially someone suggested using PCRE to look for this content on Web pages and email: (jihad |al Qaida|allah|destroy|kill americans|death|attack|infidels) (washington|london|new york) But such rules […]
The latest critic of Sarbanes-Oxley? Michael Oxley told the International Corporate Governance Network (ICGN) annual conference yesterday that, ‘if I had another crack at it, I would have provided a bit more flexibility for small- and medium-sized companies.’ Always nice to see a fellow own up to his mistakes. From Accountancy Age, via Volubis Infosec […]
Jeff Moss takes blogging into thematically and visually new territory with The Black Pages, with Jeff posting on a theme, and then his speakers adding details. Now if only they had an RSS feed. Or my post. I wonder which they’ll get first? I have a soft spot for the word “chaos.” I like the […]
Rebecca MacKinnon’s “Response to Scoble” is worth reading in its entirety. I have just one small comment: In justifying Microsoft’s filtering of politically sensitive Chinese words on MSN spaces, Microsoft’s uber-blogger Robert Scoble writes: “I have ABSOLUTELY NO BUSINESS forcing the Chinese into a position they don’t believe in.” He continues… Except Scoble Microsoft is […]
The fine folks at DC702 are going to be hosting a “pre-Defcon Summit” and fundraiser for the EFF. I’m pleased to be a featured guest, and urge you to show up, contribute to the EFF, and hang out. Hmmm, this needs some extra text to balance the icon. Dumb stylesheet. Who the heck wrote that […]
Senators Specter and Leahy have proposed a new law on identity theft and privacy. Some thoughts as I read it. But first, what the hell are they doing preventing me from copying sections? Frigging DRM. Quotes shall be shorter than they otherwise would. Title III, 301.b.1 (pg21): “A data broker shall, upon the request of […]
There’s a new feed, of posts + comments, available here: RSS. (It’s also on in the little “blog tech stuff” list, if you want to come back to see it later.) Thanks to Lisa for setting this up!
More than 27,000 students were informed by e-mail on Tuesday that their Social Security numbers could have been compromised by an attack on the College of Education’s server. The server housed information that included student names, addresses, student courses and personal identification numbers. After the intrusion was discovered at the beginning of April, the server […]
Larry Ponemon has a good article in Computerworld, “After a privacy breach, how should you break the news?:” We learned that about one-third of subjects believed that the notification was truthful. Another 41% believed that the notice they received failed to communicate all the facts. The remaining 26% were unsure about the integrity or honesty […]
So reports the LA Times (Bugmenot) in “Pot ID Card Program Shelved:” California health officials Friday suspended a pilot program that issues photo identification to medical marijuana users out of concern that a recent U.S. Supreme Court ruling could make the state and ID holders targets for federal prosecution.
Kip Esquire has a great roundup in “Linkfest — Special “Hear/See/Speak No Evil” Edition,” guaranteed to boil the blood of anyone who thinks that sometimes government goes too far. Then again, sometimes government doesn’t go far enough. In the case of New York’s MTA, they’ve spent $30m of the $600m they have available for security, […]
Dave Belfer-Shevett points to a Declaration Of Repudiation by Will Frank. It starts out pretty well, but then degenerates into complaining about gay rights, abortion, sex ed and Kyoto. Yes, I say degenerates, even if I might agree with some of these, because they’re a distraction. Reagan and Bush Sr. were opposed to abortion rights […]
At the end of a long, thoughtful post, Thurston writes: One final thought. Four bombings in London are front-page, stop-the-presses news for two days straight. If that was Baghdad, only four bombings would have been a slow day. What message does that send the Third World?
Allan Friedman asks for comments on Lauren Weinstein’s post to Interesting People: (Lauren W) Ironically, it’s true that the probability of lost backup tapes being used opportunistically for ID theft is probably fairly low, at least in comparison to all the “ID theft supermarkets” that are out there — crooked commercial and government employees willing […]
(This entire post is by my friend Shimrit, an Israeli living in London, and is posted with permission.) I felt the need to write down my thoughts about today so I did. Seeing as I have nowhere to publish them, I am sending them round instead. Once again, it seems my terrorist attack luck has […]
First, let me say that the response from not only Blair, but all of London is inspiring. They are refusing to panic after these attacks. The underground is open and running this morning (with some nervousness). At Balkanization, Kim Lane Scheppele makes an interesting point about “Britain’s State of Emergency, and the anti-terror laws in […]
Over at Usable Security, Ping is blogging about the SOUPS conference, which I’m unfortunately missing. Alan Schiffman is also blogging a little. However, Ping is posting so much that his first posts today have already scrolled off the top of his blog. Who knew he’d invent a new denial of service attack?
My sympathies to the people of London, and all those around the world who are worried about their loved ones in London. Wikipedia has a clear summary of what’s happened, along with this translation from the pigs responsible: We continue to warn the governments of Denmark and Italy and all the crusader governments that they […]
In the San Francisco Chronicle, David Lazurus reports “Personal data lost — again:” Today I bring news of yet another security breach involving potentially thousands of people’s personal info, and this is the first anyone’s hearing of it. The latest company to drop the data ball is City National Bank, based in Los Angeles and […]
A programming error in the University of Southern California’s online system for accepting applications from prospective students left the personal information of as many as 320,000 users publicly accessible, school officials confirmed on Tuesday. “Sap,” discoverer of the vulnerability in USC’s Web application The flaw could have allowed an attacker to send commands to the […]
Bruce Schneier mysteriously titles a post “Russia’a Black-Market Data Trade.” But it’s not clear to me that this is black-market at all. Does Russia have a data protection law? Quoting from The Globe and Mail: At the Gorbushka kiosk, sales are so brisk that the vendor excuses himself to help other customers while the foreigner […]
A quirk in how the U.S. government defined terrorism meant that when Chechen rebels blew up two airliners almost simultaneously over Russia last year, only one was counted in an annual tally of terrorist attacks. On board one plane were 46 Russians. But the other had 43 Russians and an Israeli citizen — a foreign […]
On June 30th, Hoder says: “As much as I dislike Ahmadinejad, I don’t think the guy in this picture is him. They look similar, but have different eyes and eyebrows.” The LA Times. I reported on the story in “Iran’s New President a “Moderate”.”
At MSNBC, Bob Sullivan covers the loss of confidence in ecommerce that leaks are causing: The survey also found nearly all Americans think identity theft and spyware are serious problems, but only 28 percent think the government is doing enough to address the issues. About 70 percent said new laws are necessary to protect consumer […]
Pittsburgh Mayor Tom Murphy tells the Post Gazette that “Eminent domain ‘is a great equalizer when you’re having a conversation with people…’” Indeed it is. Pictured is another “great equalizer.” (Quote via John Tierney in “Your Land Is My Land,” in the New York Times.)
Fred, who did graphic design for RECon, is doing a comic book of 1984. (The copyright on 1984 has expired in Canada.) He also had great “Big Brother is Watching You” posters, one of which I bought. Fred (pictured, left) was also good enough to introduce my talk, and provide a hanging banner. You can […]
The first two are from Scrivener, because he’s going on vacation, they’re good, and I’m shameless. “Iraq Swede vows to catch kidnappers, reports “The Local:” A Swede held hostage in Iraq for 67 days and released a month ago has vowed to take revenge on his captors and has hired bounty hunters to capture them, […]
The Declaration of Independence of the Thirteen Colonies In CONGRESS, July 4, 1776 The unanimous Declaration of the thirteen united States of America, When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the […]
We’re about 4 hours from Deep Impact making a large hole in Comet Tempel 1. The National Business Review in New Zealand has an excellent links roundup in “Comet impact: See it online.”
In a post titled “Why Blog, Anyway,” Mark makes a really good point: And what about the audience? Readers who don’t blog may not be aware of how much bloggers want readers. Part (I suspect a very big part for most) of it’s an ego thing, like people on soapboxes at the town square with […]
Adam Sah (hi Adam!) has a great page of startup advice I hadn’t seen before. Presentations from RECon are now online. The University of Connecticut will be offering a Masters in Homeland Security. That’s a database I’d like to steal. Thanks to Chris Walsh for pointing it out. I’ve been meaning to followup on Juxtaposition’s […]
Over at Presto Vivace, Alice suggests that “Security breaches and violations of privacy are going to be the next speciality in crisis communications.” I suspect that she’s right, and hope she’s wrong. In cases like Cardsystems or Choicepoint, where the organization is violating policy, contract, or law with its data, the impact on the company […]
“IRS announces plans to be the butt of three consecutive days of “Daily Show” jokes.” So headlines John Paczkowski’s post at Good Morning Silicon Valley.
The Internet, with its freedom of communication, scares a lot of people. Some people argue that this is “just political,” but it’s not. Chinese repression includes information about health issues, such as the abuse of antibiotics to control avian flu. (See, for example, “Bird Flu Drug Rendered Useless” in the Washington Post.) The companies that […]
Over at “The Security Samurai,” Eric Marvets posts on “How Do I Get My Company To Take Security Seriously? Will Liability Work?” I’ve posted my thoughts on liability (“ Avoiding Liability: An Alternative Route to More Secure Product) and hope to develop those further sometime. One thing Eric says jumped out at me: Today I […]
We open with two articles from News.com: “ChoicePoint overhaul falls behind,” (June 24) and “ChoicePoint overhaul completed, company says” (June 30). From the latter: “In fact, we’ve gone beyond our announced commitments to make substantial changes in the past 90 days,” ChoicePoint spokesman Dan McGinn said in an e-mail late Tuesday. The Alpharetta, Ga.-based data […]
Ray Everett Church picks up on a story, “Shouldn’t The CardSystems Victims Be Notified?” from Ed Foster, showing that Chase Manhattan bank has failed to read the text of California’s SB 1386. Ed writes: “Even the strictest of laws, like the one in California, require more identifying information like the individual’s social security number or […]
I can’t find the blog that discussed the irony of a Visa spokesperson claiming that PCI worked because of the auditor’s need to put their reputation on the line, but then refused to name the auditor. According to the New York Times, in “Weakness in the Data Chain,” it was Cable and Wireless: In December […]
I don’t care what you think of the conduct of a war. What you think of the reasons we’re involved in that war. The funeral of a soldier is no place for political protest, except, perhaps, maybe, if that soldier is a direct family member. The behavior of a dozen assholes from Kansas at the […]
“After all, he didn’t kill his hostages…” London, Jun. 29 – Iran Focus has learnt that the photograph of Iran’s newly-elected president, Mahmoud Ahmadinejad, holding the arm of a blindfolded American hostage on the premises of the United States embassy in Tehran was taken by an Associated Press photographer in November 1979. Prior to the […]
The FTC has recently issued a consent order to BJ’s Wholesale club in response to this complaint. The FTC, unfortunately, is the body charged with protecting consumers from ID theft. They are failing to rise to the challenge. This is obvious from the continued growth of ID theft. It is obvious from FTC Chair Deborah […]
But [Equifax CEO] Chapman acknowledges Equifax has “no silver bullet” when it comes to thwarting fraud. One popular belief is that checking a credit report once a year is a defense. That doesn’t protect consumers, Chapman said. “It’s not going to help and the public is starting to learn that,” Chapman said. He decried the […]
There have been a slew of stories lately about fingerprint readers being tied into payment mechanisms. I don’t particularly like the idea, but if you do, feel free. At least until your lack of care about privacy starts displaying externalities. Many of these vendors are making claims like it is not possible to recreate the […]
Usually, government ministers wait until a new program has been rolled out before they start reneging on their promises of how it will work. But in the brave new world of UK ID cards, they’re being honest. As the Independent reports in “Ministers plan to sell your ID card details to raise cash“: Personal details […]
In “Adoptees File Human Rights Complaint Against Canadian Privacy Commissioner,” Privacy.org reports on a dispute between the parents and children, mediated by the state: A group of Ontario adoptees has filed a human rights complaint against Privacy Commissioner Ann Cavoukian after she lobbied the province to amend its proposed adoption disclosure law with a clause […]
This was going to be a roundup, but heck, There’s a backlog of hate, and I must post. Under the headline, “Who let Jeb Bush and ChoicePoint into the UK?” ‘Brother Rail Gun of Desirable Mindfulness’ points to a BBC story, “Hundreds wiped off vote register.” An oldy-but-I-Hadn’t-linked, Adrift at Sea comments in “Bleeding Edge […]
A computer containing personal information such as Social Security number and name was breached by an unauthorized intruder. Although there is no evidence indicating that this personal data was accessed or extracted, the University of Connecticut is contacting everyone whose identity may have been put at risk. … The breach occurred on October 26, 2003. […]
Homeland Security officials who defied Congress and misled the public by creating secret files on American citizens while testing a new passenger screening program may have engaged in multiple counts of criminal conduct, and at least one employee has already lied to cover-up the misdeed. Read “TSA Lies, Could Face Fines” at Secondary Screening. Pictured […]
The U.S. tax agency — whose databases include suspicious activity reports from banks about possible terrorist or criminal transactions — launched the probe after the Government Accountability Office said in April that the IRS “routinely permitted excessive access” to the computer files. The GAO team was able to tap into the data without authorization, and […]
The fine folks at MITRE have published “CVE Abstraction Content Decisions: Rationale and Application:” This document is intended for use by Candidate Numbering Authorities (CNAs) and may be of interest to vulnerability researchers, maintainers of vulnerability databases and other CVE-compatible products and services, and technical consumers of vulnerability information on a large scale. Via OSVDB Blog, […]
Gizmodo asks “Am I the only one extremely disappointed by the fact that these upcoming Lucas-approved USB keys don’t offer a Han model?” No, you’re not. I’d get me Han in Carbonite to protect my data any day. I bet Wil Shipley would too. Anyone who can explain why Anakin went to the dark side […]
Thank you so much for your recent letter, telling me that We’ve noticed that you haven’t used your Gmail account, account.management@gmail.com, for quite some time. In order to make Gmail better for our users, we’ve added a lot of things in the last few months and we hope you’ll want to start using your account […]
But the most underpublicized identity theft crime is one in which thieves defraud state governments of payroll taxes by filing fraudulent unemployment claims. It can be a fairly lucrative scheme, too. File a false unemployment claim and you can receive $400 per week for 26 weeks. Do it for 100 Social Security numbers and you’ve […]
This post updated to replace the Suntrust logo with “You can’t shut me up” by Jennifer Moo, after a bunch of bozos called “Internet Identity” sent vaguely scary letters that chilled my web hosting company. The Atlanta Journal Constitution reports that “Ex-SunTrust employee charged in check scam.” (Use Bugmenot for a login.): The U.S. attorney’s […]
CBC is reporting “Hacker accesses files at Equifax:” A computer hacker has accessed the files of about 600 consumers at Equifax Canada, one of Canada’s major credit bureaus. Most of the files are for consumers from British Columbia. Better Business Bureau spokesperson Sheila Chernesky said personal financial information is being gathered all the time, and […]
ALTAMONTE SPRINGS, Fla. — The private medical information for hundreds of people ended up at a Seminole County airplane parts business. The information was about patients at Florida Hospital East and Florida Hospital Altamonte. It included hundreds of names, birth dates, social security numbers and medical diagnosis information. … The 40-page fax included appointment information […]
In a bold move, MasterCard lays down the law on CardSystems. And by “lay down the law”, I mean they upped the ante from recommending they comply with security procedures to “putting them on notice” to comply. Um…. Is it me, or does that sound like the same thing to you? If the only ramifications […]
This morning, Liz sent me a pointer to “Pentagon Creating Student Database” in the Washington Post. I said “Not blogging it. I have stupid privacy invasion fatigue.” Apparently, I’m not alone. In “ID theft concerns grow, tools lacking,” Bob Sullivan of MSNBC reports: Among the report’s most interesting findings: only 14 percent of consumers who […]
Rebecca MacKinnon has a post about US companies which are selling internet censorship technologies to China, “Confirmed: All Typepad blogs blocked in China:” It’s a complicated issue. We need greater scrutiny of U.S. tech companies in China by bloggers, journalists, human rights activists, and anybody who cares about free speech and corporate accountability. We need […]
Daniel Solove has posts on “If It’s Against Your Privacy Policy, Just Change It” (Social Security Administration): This feeds distrust about the government’s law enforcement activities as well as makes people unsure that they are ever being given the complete story about what the government is doing with their personal data. And what good is […]
Tom Ptacek and Jeremy Rauch are offering a course on analyzing products, taking them from black boxes to open books. Cool! From the ad: This class offers a behind-the-scenes tour of the product evaluation process. Renowned security experts Jeremy Rauch and Thomas Ptacek offer a crash course on the most important aspects of validating – […]
Computerworld reports that “Kaiser Permanente division fined $200k for patient data breach:” The California Department of Managed Health Care (DMHC) has fined Kaiser Foundation Health Plan, a division of Kaiser Permanente, $200,000 for exposing the confidential health information of about 150 people. The DMHC said the information had been available on a publicly accessible Web […]
Effective May 1, 2005, any compromise of my data will result in a $50 liability for you, the card issuer, owed to me, the card holder. Cashing the payment check I sent you last month (which you did) shall constitute your acceptance of this agreement. Subsequent security breaches will compound the fee. I will spell […]
CSO has a “Do it Yourself Disclosure.” Hey, you skimped on security, you might as well skimp on the PR. Wired News comes out in favor of a data protection and privacy law for the US in “Congress Must Deal with ID Theft.” The Financial Times has an article on [UK] “Regulator urges tougher laws […]
Choicepoint, please call your trademark attorneys. You’re in danger of becoming a generic term for “massive security breach,” and a band-aid isn’t going to fix that. That was the lead (and about all I’d written) of a long post on Choicepoint and some bank breach. I think it was the New Jersey case. The point […]
The Denver Channel reports that “Stolen Credit Card Data Now Being Sold On Internet:” CardSystems Solutions Inc. is admitting it made a huge mistake after some 40 million credit card accounts ended up in the wrong hands. Some of those account numbers are already being sold on a Russian Web site, and some consumers are […]
In U.S. Medical Privacy Law Gutted, Bruce Schneier analyzes the new rules on who gets prosecuted for violating your medical privacy. Answer: fewer people than you’d think or hope: I’ve been to my share of HIPAA security conferences. To the extent that big health is following the HIPAA law — and to a large extent, […]
Thousands of current and former employees at the Federal Deposit Insurance Corp. are being warned that their sensitive personal information was breached, leading to an unspecified number of fraud cases. In letters dated last Friday, the agency told roughly 6,000 people to be “vigilant over the next 12 to 24 months” in monitoring their financial […]
Inspired in part by Daniel Solove’s “How Blogging Changed My Life,” in part by a number of emails I’ve just sent saying “Sorry, I’ve been heads down with product release,” and the contrasting reality that I’ve found energy to write twelve blog posts in that time, I thought I’d talk about the muses. I started […]
Because no one’s ever said “Is that a hip flask in your bike shorts, or are you happy to see me?” Available from Aherne Cycles.
The New York Times (and probably everyone else) is reporting that “MasterCard Says 40 Million Files Are Put at Risk.” MasterCard said its investigation found that CardSystems, in violation of MasterCard’s rules, was storing cardholders’ account numbers and security codes on its computer systems. That information, MasterCard said, was supposed to be transferred to the […]
The Open Mind kindly writes: Adam Shostack who is in the computer security side of business always has informed and interesting news on the security vs privacy front. (Another great blog via Harry’s world of interesting links. ) If you read anything vaguely connected to security or privacy in the mainstream media, Adam has probably […]
I wrote about this in “North Korean Hacking Story,” and more detail emerges from a mail (or perhaps it’s a website? Hard to tell.) Anyway, this was eventually forwarded to Dave Farber’s IP list. Anyway, Brooks Isoldi, editor of Intellnet, writes: North Korea has trained a small army of computer hackers whose capability is equal […]
The Duluth News Tribune is carrying a story, “State’s Web systems bogged down:” [Monicq] Feider, [manager of the Health Professionals Services Program] disclosed the problem in a March 31 letter sent to nearly 2,000 health professionals. “The case management system database includes private and public information about you,” she wrote. “The security company believes that […]
Privacy Law has a post, “Senate to Hold Security Breach and ID Theft Hearings” about a June 16 2005, Senate Committee on Commerce, Science and Transportation hearing on identity theft. The DailyBulletin editorializes against the Real ID act, “
In an article titled “Stolen PCs contain Motorola HR data“, Reuters is reporting that: In the latest example of hardware theft putting data security at risk, two computers containing personal information on Motorola employees were stolen from the mobile phone maker’s human resources services provider, Affiliated Computer Services (ACS). The data on the stolen computers […]
Lileks bleats: When you switch to the Dark Side, do you have to go to Sith HR to fill a bunch of forms? If the Jedi Council finds out you’re looking to switch sides, they send guards to make you empty out your desk and escort you out – or at least they used to. […]
Inspired by Daniel Horn’s Obfuscated V contest in the fall of 2004, we hereby announce an annual contest to write innocent-looking C code implementing malicious behavior. In many ways this is the exact opposite of the Obfuscated C Code Contest: in this contest you must write code that is as readable, clear, innocent and straightforward […]
Except this time, the “terrorists” are American veterans working for a private company in Iraq: “I never in my career have treated anybody so inhumane,” one of the contractors, Rick Blanchard, a former Florida state trooper, wrote in an email quoted in the Los Angeles Times. “They treated us like insurgents, roughed us up, took […]
Artiloop reports on a security poster on the Marc commuter trains. It’s clearly the work of a thoughtcriminal, encouraging ironic responses. I want to heroically help plan the tractor factory. I’ve been meaning to discuss the Chinese blog crackdown, but instead I’ll just juxtapose it with Soviet Realism. The Supreme Court of Canada has ruled […]
The server that Emergent Chaos lives on is at Server Beach, who have had serious problems with power. If you saw the Most Significant Bit home page, that’s Dwight Ernest, who kindly provides the space for me. Thanks Dwight!
For those who, during the ChoicePoint outcry, (see Secondary Screening) were critical of me for not supporting a notification law for companies who maintain databases of personal information I point you to a couple of facts. First, today’s news that tapes with the sensitive data of 4 million Americans are missing is just the latest […]
Industry and Government Track of CCS ’05 is now accepting submissions: The track aims to foster tighter interplay between the demands of real-world security systems and the efforts of the research community. Audience members would like to learn about pressing security vulnerabilities and deficiencies in existing products and Internet-facing systems, and how these should motivate […]
At the Workshop on Information Security Economics, Rahul Telang and Sunil Wattal presented “Impact of Software Vulnerability Announcements on the Market Value of Software Vendors – an Empirical Investigation.” I’m pretty busy, so I’ll point to comments by Ed Moyle, and hefty analysis by Tom Ptacek. [Private to DM: If I say it’s a workship, […]
AP is reporting “Man With Chain Saw, Sword Is Let Into U.S.:” On April 25, Gregory Despres arrived at the U.S.-Canadian border crossing at Calais, Maine, carrying a homemade sword, a hatchet, a knife, brass knuckles and a chain saw stained with what appeared to be blood. U.S. customs agents confiscated the weapons and fingerprinted […]
Social security numbers used to be just for social security. But the government is the only actor in the marketplace who can produce something, and also mandate demand for it. In the case of SSNs, they’ve created a large demand by declaring that Uncle Sam gets to decide who you may hire. (The gossip-mongers credit […]
I think I had also noticed that there are not enough plastic bins or tables to line them up on, and that “X-ray machines that examine carry-on baggage sit idle as much as 30 per cent of the time.” The time elapsed between Sept. 11, 2001, and today’s writing (1,364 days) is only slightly less […]
The Supreme Court today handed down a decision in “Gonzales vs. Raich.” Larry Solum has done outstanding work blogging it. The essence of the case was the limits of the commerce clause, and the case was decided that the commerce clause places, essentially, no limits on what Congress may legislate. Respondents nonetheless insist that the […]
[Update: Bruce Schneier has an important update in “E-Hijacking.” Thanks to Chris for pointing this out.] CNN is reporting that Info on 3.9M Citigroup customers lost. Citigroup said Monday that personal information on 3.9 million consumer lending customers of its CitiFinancial subsidiary was lost by UPS while in transit to a credit bureau — the […]
Professor Bradley Neil Slosberg asked students in his anatomy and physiology class to sign in with their name and social security numbers. They did. CNN quotes student Amanda Bracewell: “We all signed it. We figured, ‘He’s a teacher, what is he going to do with it?’” TBO.com news has the only non-AP story, at Professor […]
At MSNBC, Bob Sullivan reports “Got a nanny? You need a shredder:” Even if you ordered a background check on your kid’s coach, or nanny, or — as is the latest trend in online dating — on a prospective blind date, the law applies to you. Transgressions — such as tossing paperwork containing personal information […]
CakeEater has a beautiful post on the man in front of the tanks: Then the tank tried to get around him. And he moved in concert with it, shifting to stay directly in its path. I remember being stunned when this happened. I remember saying, “Holy Shit!” to no one in particular in the family […]
In Hacker hits Duke system, the (Charlotte? Raleigh [thanks, Neil!]) News and Observer reports on a breach at Duke University School of Medicine. The school’s “Security Incident at Duke” page states: On Thursday, May 26, 2005 a security breach allowed an unauthorized user to gain access to data stored on several web sites at Duke […]
It’s all over the web that Penn Jillette and his wife Emily have named their new baby Moxie CrimeFighter. I’m sorta disappointed that they didn’t go all the way, and name her “Moxie CrimeFighter™ Jillette, a member of the Jillette family of people.”
The Washington Post reports: States Keep Watchful Eye on Personal-Data Firms: Critics of the multi-state approach say that due to the potential monetary, logistical and public-relations headaches that could come from establishing different requirements and penalties in each state, companies will soon be forced to set their overall policies to satisfy the state with the […]
The fine folks over at Black Box Voting demonstrate that Diebold can’t even build an optical scan voting machine without screwing it up in “Optical scan system hacked (3 ways).” If we existed in a reality-driven world, these people would be permanently disqualified from participating in the vote counting process. Vote counting is, as Stalin […]
At our best, the United States inspires people around the world to reach for freedom and democracy. In the student led rallies in Tiananmen Square, the students built a statue of liberty as one of the centerpieces of their protest. I remember watching the protests on TV, being thrilled by the power of people to […]
The Korea Herald has done an awful job of reporting in “N.K. hacking ability matches that of CIA, analyst says.” Normally, I ignore awful reporting as roughly par for the course, but this is egregious. “Our electronic warfare simulation indicates that North Korea’s capability has reached a substantial level, unlike what is generally known to […]
VikingZen posts her Two Cents about Revenge of The Sith, and closes with: My big question: Why didn’t Padme just release a can of whoop-ass on her husband? I mean, they’re secretly married, the guy’s off in some outer galaxy playing space cowboy while she’s lugging around a pregnant belly full of twins? How about […]
The Telegraph has a roundup story, “FBI Deep Throat branded a traitor by Nixon aides:” Charles Colson, Nixon’s chief counsel who served seven months in jail for his role in the Watergate scandal, confessed to understanding the dilemma Mr Felt faced. But he added: “When any president has to worry whether the deputy director of […]
Cincinnati’s Channel Cincinnati reports that “Hacker Steals Personal Data From UC System:” UC Vice President of Information Technology, Fred Siff, said the hacker knew how to avoid intruder alerts on the system. “This was obviously a serious breach,” Siff said. “This is a very sophisticated hack. I hope that goes without question. It wasn’t just […]
The Washington Post reports, “FBI Probes Theft of Justice Dept. Data” The FBI is investigating the theft of a laptop computer containing travel account information for as many as 80,000 Justice Department employees, but it is unclear how much personal data are at risk of falling into the wrong hands. Authorities think the computer was […]
Pete Spire Lindstrom* points to a press release from the SEC on “Commission Statement on Implementation of Internal Control Reporting Requirements:” “Registered public accounting firms should recognize that there is a zone of reasonable conduct by companies that should be recognized as acceptable in the implementation of Section 404.” “A one-size fits all, bottom-up, check-the-box […]
DM pointed me to this Register story, “Fraud expert becomes victim of credit card crime.” It’s a nice bit of irony, but my favorite bit is the very end: CNP (Cardholder Not Present) fraud in the UK has grown nearly 50 times between 1994 and 2003 to £116.4 million. Goodwill wants the government to recognise […]
For more than 30 years, W. Mark Felt and three co-conspirators have protected his privacy after one of the most spectacular whistleblowing acts in history. He’s admitted to being Deep Throat in this Vanity Fair article. The Washington Post has coverage in “FBI’s No. 2 Was ‘Deep Throat’“, and “Conflicted and Mum For Decades.” I’ve […]
The National Conference of State Legislatures has a “2005 Breach of Information Legislation” summary page: Summary: Legislation was introduced in at least 34 states as of May 18, 2005. Legislation enacted in at least six states in 2005: Arkansas, Georgia, Indiana, Montana, North Dakota and Washington. Thank you, masked man Choicepoint. (Via The HIPAA blog.)
John Early has an interesting editorial over at Computer Weekly “Infrared meets speed and security needs:” Famously associated with applications such as personal digital assistant to laptop synchronisation, PDA business card exchange and short-haul mobile phone data transfer; IRDA, with its short range and relatively low 4mbps throughput, was understandably discounted by the IT community […]
Household Watch has a story: When Ms. Marshall got a $6,000 home-improvement loan from a credit union in April 2003, she had to pay relatively high interest because of a weak credit score. The credit check had showed a court ruling ordering her to pay overdue rent to a former landlord in a Washington, D.C., […]
The New York Times has a long article on the successors to Air America, “C.I.A. Expanding Terror Battle Under Guise of Charter Flights.” The bit that really caught my attention was: On closer examination, however, it becomes clear that those companies appear to have no premises, only post office boxes or addresses in care of […]
The New York Times is reporting on a number of undercover investigations that have led to charges against people accused of helping or trying to help terrorists, in “Trying to Thwart Possible Terrorists Quickly, F.B.I. Agents Are Often Playing Them.” The use of undercover agents is an excellent move by the FBI, and should be […]
I met Hossein Derakhshan at Blognashville. He and I respectfully disagree about the value of privacy to bloggers in oppressive regimes. He points out (correctly) that a blogger who has the courage to use his or her own name gains credibility. While I don’t disagree, I think there are people out there who don’t blog […]
Jon Mills, who has been heading up Florida’s Committee on Privacy and Court Records, has an article in the HeraldTribune: How do we balance the competing values of privacy and openness? The Internet makes possible greater openness, so indispensable to good government, and allows for greater convenience in accessing government services, including court records. […]
Nat Friedman has a good post on usability testing: Over the last several months we at Novell have sent a team of people around the world with a portable usability testing lab… It is amazing to watch the ways that people fall on their face. We’ve all read about the benefits of usability testing, but […]
The French have apparently rejected the EU Constitution. With 83% of the votes counted, it’s 57% Non, according to ABC news. The draft constitution was, from my perspective, the worst of the new Europe: Opaque, complex and undemocratic. We can hope that new blood in the EU will press for a simpler, more transparent, and […]
You might not know it if you read only the American press, but the French voted today in a referendum on the European Union’s proposed Constitution. It’s an awful document, and the French are expected to reject it, plunging the EU into crisis, and leading to the Chancellor being made Emperor. If the EU would […]
I try to stay out of debates that have devolved into the red and blue halves of the Demopublican party screaming soundbites at each other. The party hopes that the American people won’t notice that they’re the same if they yell and scream a lot, and I try not to play their game. C. Eugene […]
Bryan Caplan takes issue with his mentor, Tyler Cowen, over “The public choice economics of Star Wars: A Straussian reading.” (I also commented on that post). Caplan says: After Anakin’s betrayal, the remnant of surviving Jedi reveal their “secret and mysterious ends.” They turn out to be neither secret nor mysterious. Yoda and Obi-wan take […]
I’ve played with the stylesheet for the web version of the blog, added an individual-i logo, removed the calendar and put the search bits in what seems like a more rational order. Some other general tweaks, too, in the hopes of making the web version aesthetically pleasing. I knew you’d be thrilled. [Update: fixed link. […]
[The] Freeradical S.U.B conversion kit … makes your favorite ride into the baddest sport utility bike on the planet. Forget panniers and racks on the front, or over the back tire that bump your knees and feet. Rather than relying on the strength of a single peg or gimbal on a bike trailer, the Freeradical […]
Justin Mason has a good post on the new backscatter radiation xray machines that TSA would like to deploy. My favorite part: They create child pornography. Interestingly, these are one of the relatively few places that a privacy invasion makes us safer. Also interesting is that different people perceive either the hand-pat or the naked […]
Purdue University is alerting current and former employees that their Social Security numbers and other information may have been illegally accessed from at least one of four campus computer workstations. “Our investigation of a recent information technology security breach shows that the records of 11,360 current and former employees may have been accessed electronically,” said […]
The action is motivated by the discovery by a campus web developer that files containing social security numbers were located on a portion of a public server that could be accessed by web developers not associated with the site. He had pointed this out last November, at which time all of the several dozen files […]
Some folks calling themselves “American Rhetoric” have put up a page entitled “Top 100 Speeches.” On further examination of the site, it’s the 100 most significant American political speeches of the 20th century, according to a list compiled by Professors Stephen E. Lucas and Martin J. Medhurst. Dr. Lucas is Evjue-Bascom Professor in the Humanities […]
Over at “Statistical Modelling,” Sam discusses “Sabermetricians vs. Gut-metricians:” There’s a little debate going on in baseball right now about whether decisions should be made using statistics (a sabermetrician is a person who studies baseball statistics) or instincts. Two books are widely considered illustrative of the two sides of the debate. Moneyball, by Michael Lewis, […]
Todd Seavey has a well-written and entertaining long article on continuity in long series. I’ll leave the continuity error as an exercise for readers. In fact, so many necessary plot details of Episode III are already known that the ticket-selling site Moviefone.com already has a lengthy summary of the film on its site, as if […]
Hal Stern has a blog! Hi, Hal! Wired News has a long story, “Database Hackers Reveal Tactics,” about the kids who broke into Lexis-Nexis. There’s some interesting bits. Most interesting to me is that none of these kids seem to have lawyers telling them to shut up. The BBC has an article on British reactions […]
The Associated Press reports “Identity theft risk widens at Valdosta State:” VALDOSTA — A computer identity breach at Valdosta State University has widened, with authorities now saying up to 40,000 people could have had their Social Security numbers accessed by a computer hacker last week. The breach was larger than originally thought, said school spokesman […]
I first covered the improper disclosures by Wachovia, Bank of America, Commerce Bancorp, and PNC Bank NA employees last week. It’s now up to 676,000 accounts, all New Jersey residents. The Census Bureau estimates that in 2003, New Jersey had 8,638,396 residents. Thus, around 8% of the people of New Jersey are affected by Orazio […]
The San Jose Mercury News reports that “Computer system hacked at Stanford:” The FBI and Stanford University are investigating how someone hacked into a computer system containing information about people looking for work through the university’s Career Development Center. University spokesman Jack Hubbard said there was no evidence that any data had actually been acquired […]
The New York Times reports on the “Customs-Trade Partnership Against Terrorism” in “U.S. Effort to Secure Foreign Ports Is Faulted:” The Department of Homeland Security’s effort to extend its antiterrorism campaign overseas by enlisting help from importers and foreign ports has been so flawed that the program may have made it easier at times to […]
… SEC. 5. SENSE OF CONGRESS. It is the sense of Congress that the United States should… (3) deploy, at the earliest practicable date, technologies aimed at defeating state-sponsored and state-directed Internet jamming by repressive foreign governments and the intimidation and persecution by such governments of their citizens who use the Internet. Rebecca MacKinnon has […]
The Privacy Rights Clearinghouse have been tracking breaches too. They’ve tallied 5,476,150 people affected, and have a better list than I do. I’ll continue to cover as I see things, since their list isn’t complete either.
Like I said, I do like rules, rules that make sense. But this is a form of institutional insanity, and someone needs to do an intervention. When a soldier in full uniform, in the company of nothing but other soldiers, is allowed to retain the bayonet for his M-16 and his M-16, yet has to […]
There’s a placeholder page at NIST for their SAMATE project (“Software Assurance Metrics and Tool Evaluation”). Interesting stuff if you wonder why it’s so hard to release secure software. Also, Lauri@Schedler writes, in Making correct code look good: Reading the article I was wondering what is the point of leaving information about safe and unsafe […]
Two new books that may be of interest are blogger Wendy McElroy’s “National Identification Systems, Essays in Opposition” and Choicepoint CISO Richard Baich’s “Winning as a CISO.” I was going to add clever text juxtaposing the texts, but really. hmmm, I really must make this post longer, or the blog looks really bad. […]
The Detroit Free Press reports that “Hacker may have stolen Social Security numbers from Jackson Community College:” A hacker who broke into the computer system at Jackson Community College may have accessed as many as 8,000 Social Security numbers, the college said Monday. The hacker broke into the system Wednesday. College officials are still investigating […]
Reuters is reporting “MCI: employee data was on stolen laptop:” A laptop computer containing the names and Social Security numbers of about 16,500 current and former employees of MCI Inc. was stolen last month, the Wall Street Journal reported on Monday. The computer was stolen from a car that was parked in the garage at […]
If you think that an application is more secure because it’s undocumented, you should read Salman A. Baset and Henning Schulzrinne’s “An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol.” (Thanks, DM) Network Computing also discusses the idea, in the context of How Dangerous Was The Cisco Code Theft?. Gunnar Peterson mentions a Richard Clark […]
In “…And Another Thing: Those Jedi Children Were a Threat,” Gene Healy refers to the Weekly Standard review of Attack of the Clones, with its famous defense of the Empire. Make no mistake, as emperor, Palpatine is a dictator–but a relatively benign one, like Pinochet. It’s a dictatorship people can do business with. They collect […]
To help folks in places like China blog, there’s the obvious problems of protecting their privacy against the local authorities. But often, the audience that a blogger seeks is not the international, but the local. A blogger in China should be able to write in Chinese and share their thoughts with the people around them. […]
Kip Esquire discusses “Housing Bubble: The Non-Lessons of the Past:” Today, we get some unhelpful noise from TCS Overlord James “Always Wrong” Glassman. (Remember “Dow 36,000”? The only thing dumber than the book was his half-hearted non-apology for it.) Now he’s fanning the flames of “What, us worry?” for the housing market: Since 1950, according […]
Recently, I discussed bridge bloggers, folks who make an effort to make their posts comprehensible to those outside their country. In that post I mentioned a few information security bridge bloggers; folks who try to make our profession understandable to those outside. Something that I wanted to mention, if only it had fit into an […]
Stuart Berman reminded me of the original plan, which was a 9-episode epic cycle for Star Wars. At some point, Lucas made the decision to allow others, the novelists, the game creators, and even the fans to define what happens after Return of the Jedi. It was a brilliant choice. The original Star Wars was […]
But if he did, he’d be all over the new Das Keyboard, in pure modernist black, without any decoration, like letters printed on the keys. Because sometimes you just need to signal that you’re so…ummm….cool…that you don’t need letters on the keys. (Via Daring Fireball, who points out that it’s “marketed to “übergeeks” who might […]
The Washington Post reports on Computers Seized in Data-Theft Probe: According to the teenage source, a police officer in Florida was among those who opened the infected e-mail message. Not long after his computer was infected with the keystroke-capturing virus, the officer logged on to his police department’s account at Accurint, a LexisNexis service provided […]
NASA’s Mars Odyssey spacecraft appears twice in the same frame in this image from the Mars Orbiter Camera aboard NASA’s Mars Global Surveyor. The camera’s successful imaging of Odyssey and of the European Space Agency’s Mars Express in April 2005 produced the first pictures of any spacecraft orbiting a foreign planet taken by another spacecraft […]
I mean, really. If you mind spoilers, you’ve seen Revenge of The Sith already. Ok, maybe not. So I’ll just throw a few comments out. Marginal Revolution discusses The public choice economics of Star Wars: A Straussian reading. I’m surprised that Tyler misses the Hayekian aspect. That is, other people’s choices are so complex that […]
Electronic account records for some 500,000 banking customers at four different banks were allegedly stolen and sold to collection agencies in a data-theft case that has so far led to criminal charges against nine people, including seven former bank employees. Police in Hackensack, N.J., are continuing their investigation into the theft by a crime ring […]
Iranian blogger Mojtaba Saminejad has declared a hunger strike to protest his imprisonment. The Committee to Protect Bloggers has asked that we observe a media fast next Thursday, May 26th and not blog. There are also email addresses to write to to ask that Mojtaba be released. Ethan Zuckerman has some fascinating comments on the […]
100% of the eleven participants in the study discovered errors in background check reports provided by ChoicePoint. The majority of participants found errors in even the most basic biographical information: name, social security number, address and phone number (in 67% of Acxiom reports, 73% of ChoicePoint reports). Moreover, over 40% of participants did not receive […]
The fair and balanced Real ID Sucks blog (“A clearinghouse of stories about how the states will be required to spend $250 million to create standardized, machine-readable driver’s licenses, to make it easier for hackers, thieves and credit bureaus to track your every move.”) points to a San Jose Mercury News editorial, “Real ID Act […]
I don’t know if it was better than A New Hope or The Empire Strikes Back. It was certainly better than I or II by a long margin. More on the politics after I’ve seen it several more times, and perhaps slept.
It has become cliche to go on about how Greedo shooting first nearly destroyed Episode IV. For characters not to mature and grow through the course of Star Wars makes it just an action flick. But what makes Star Wars truly great is the conflict within Anakin Skywalker. And tonight’s episode is all about Anakin. […]
(Updated shortly after posting with Eric Rescorla’s evidence presentation.) Nick Owen has a post about Net Present Value and Annual Average Loss Expectancy. If you think security is all about vulns and 0day, you probably don’t need to read this post, and your boss is going to keep rejecting your spending proposals. Carrie Kirby argues […]
Last month, I asked “What Do You Need To Do To Get Fined?” in reference to CIBC’s improper disclosure issues. Now the Ottawa Citizen is reporting that “Bank springs another privacy leak:” Fresh off fax blunders that earned it a rebuke from the federal privacy commissioner, the Canadian Imperial Bank of Commerce admitted yesterday that […]
Only 14 years after they were liberated by American-led forces, our ally Kuwait…gives women the vote. The Chicago Tribune reports: KUWAIT CITY — Parliament extended political rights to Kuwaiti women Monday, but religious fundamentalists who opposed women’s suffrage succeeded in attaching a clause requiring future female politicians and voters to abide by Islamic law. The […]
Way back in August, I mentioned the CERT/CC collaboration with the Secret Service in analyzing insider threats. They’ve just released a second report, “Computer System Sabotage in Critical Infrastructure Sectors” (163k PDF). I haven’t had a chance to read it, but that’s no reason not to blog about it. Tip of the hat to Dan […]
Knight Errant has a long post, “Tipping My Tinfoil Hat,” in which he makes mention of Choicepoint. And Consumer Affairs has a long article “USA PATRIOT Act Rewards ChoicePoint.” The IntegraSys corporation’s ID Verification software, for example, cross-checks and references 23 billion data records, including everything from credit report headers to “warm address lists” that […]
TechDirt points to a Cnet story by Declan McCullagh, “Kiss your old SSN goodbye:” Rep. Joe Barton, another Texas Republican who happens to chair the House Energy and Commerce Committee, said last week that he plans to “outlaw the use of Social Security numbers for any purposes other than government purposes.” … “The time has […]
Joseph Nathaniel Harris has been arrested and charged with the April break-in to the San Jose Medical Group, and stealing two computers with 185,000 medical records on them. The San Francisco Chronicle reports: “During Harris’ employment at San Jose Medical Group, there were several incidents of reported theft of money and medications,” according to an […]
If these data brokers had any ability to deliver on their marketing, these things would never happen. Some assistant DA somewhere is going to close a data broker on false advertising, and make a name for themselves. The Daily Interlake reports “Thief nets personal information from Kalispell company:” About 9,000 people have been notified that […]
ABC7Chicago reports “Two students investigated for identity theft at high school” May 12, 2005 — Criminal charges might be filed against two students for stealing personal information at a west suburban high school. The students at Hinsdale Central are accused of hacking into the school’s computer system and obtaining Social Security numbers for students and […]
The Detroit Free Press reports “Michigan State’s Wharton Center says computer security breached:” EAST LANSING, Mich. (AP) — Michigan State University has warned more than 40,000 Wharton Center patrons that a hacker broke into a computer server involved in credit card processing for the performing arts venue. But so far, there has been no indication […]
In discussing private blogging at Blognashville, the idea of identifying bloggers by their writing style kept coming up. The example that was used (at least) twice was the “computerized” identification of the anonymous author of Primary Colors. The trouble is, the identification wasn’t done by computer. It was done by Vassar English Professor Don Foster. […]
The Atlanta Journal Constitution reports Georgia driver’s license data put at risk (Use Bugmenot if you need a login.): Georgia Technology Authority said Friday that Asif Siddiqui, a 43-year-old Pakistani who worked for GTA, could have downloaded information on “hundreds of thousands” of drivers before he was arrested and fired late last month. … The […]
20Q is a website and now a handheld electronic toy that plays 20 questions. But the web site doesn’t just play 20 questions, it learns as it goes. It decides which questions are good, and which questions are bad. Alex Tabarrok writes on Marginal Revolution: I was skeptical when my wife handed me a small […]
A year after federal agents raided his home in a terrorism investigation, Muslim businessman Syed Maswood is lucky to get on an airplane without being detained and searched. But that didn’t stop him from getting an invitation to dine with U.S. President George W. Bush. Maswood, a nuclear engineer who has not been charged with […]
Scared Monkeys asks “Could Iris Scanning be Coming To an Airport Near You?” (As if the TSA hadn’t wasted enough money on machines that don’t work, or seizing zippo lighter cameras.) Maybe the camera in their iris scanner was busted? New blog “The Dunning Letter” claims to be from a long-time junk mailer, now repentant. […]
I’ve mentioned using PithHelmet. One of the most annoying remaining behaviors in Safari is that the close button closes all your tabs, and it’s very close to the minimize button. D’oh! Holy usability errors without a warning, Batman! Taboo comes to the rescue, adding that warning. (While I’m blathering about my web browser, let me […]
The Mutualist Blog has a great article on how and why the right to choose your own medical treatments was removed, and what that means to you.
Law.com has an article “Lawyers See Data ‘Fear Factor’ Rising:” The suits, which have been consolidated in federal court in Los Angeles and are requesting class action status, seek monetary, statutory and punitive damages, including compensation for the anxiety of waiting and wondering. They also aim to represent consumers regardless of whether their data were […]
Orcinus has a great, long post on “Undertow Of Totalism.” He starts with Two Minutes Hate, and goes from there. Read it, and then ask yourself, does your blood boil when someone mentions Ann Coulter? Michael Moore? If it’s one or the other, ask yourself if you’re being played, and stop. Pay no attention. Participate […]
Via Gizmodo, we learn of the mysterious and wondrous Sogreni Bicycle Trouser Clip. I’m not sure what a bicycle trouser clip is, but I bet you could get it spinning pretty fast to, you know, enhance a frank exchange of views with the bikes-are-just-for-Friday crowd.
I have a long list of issues with the academic publishing process. I’m a big fan of the Public Library of Science model. So when Ian Grigg asked me if I’d be interested in helping with his new publishing model, I was pretty excited. And now, I have an essay in the first issue: I’m […]
I had lunch yesterday at Minh, at 2500 Wilson Blvd, Arlington, VA, and it was excellent. The spring rolls were crispy, tender, and not greasy. I had mint scallops as a main, and they were subtle and well prepped. The dessert, which I think was made offside was a hollowed out tangerine filled with tangerine […]
Thomas Schelling is, without a doubt, one of the smartest people I’ve ever been privileged to meet. There’s a long interview with him at the Federal Reserve Bank of Richmond. (Via Marginal Revolution.) Ryan Singel has a long excerpt from Joe Lieberman. Normally, I don’t agree with much he has to say, but this is […]
First, a very brief bit of terminology: A typography is a way to organize things, much like a taxonomy. Each item within a typography has clearly distinguishing characteristics, but there’s no hierarchy such as animal, vertebrates, mammals, hominids, humans. To be honest, I’m not sure if this is a typography or just some categories. But […]
The fine folks over at NCircle seem to have been given a directive from on high: Let there be blogs! And there were. And ncircle saw, and they were good. And someone said, let the bloggers be prolific, and behold, they were, with 18 or more posts in 5 days. Great coverage of CanSecWest, and […]
Dr Jim Swan, a consultant to the drinks industry, said: “There has been much in the news about the health benefits of antioxidants in red wine. By contrast, very little has been said about malt whisky distillery science. “However, research has shown that there are even greater health benefits to people who drink single malt […]
From Astronomy Picture of The Day.
If you’re the Department of Homeland Security, another day older and deeper in debt. The New York Times reports on “U.S. to Spend Billions More to Alter Security Systems:” Passenger-screening equipment at airports that auditors have found is no more likely than before federal screeners took over to detect whether someone is trying to carry […]
Right before Mark Glasser started his talk on protecting bloggers (which Nashville files covers really well), Mark asked to borrow my laptop (picture by Nashville Files.) [Update, May 11, Mark’s column about BlogNashville is now online, and he mentions this as his pet peeve.] We got into a discussion of me having just attempted to […]
Bill Scannell writes: We have less than 48 hours to stop our nation from having a National ID card scheme. Do we really want to have the same ID system as Communist China? I think not. The US Senate is scheduled to vote this Tuesday on the Real ID Act. They’ve never debated the bill. […]
I have about 30 tabs open from Blognashville, and probably not enough time to sort through them all. Also, I really want to spend time thinking about what I heard and learned at the anonymous blogging roundtable and the protecting bloggers session (well covered by the Nashville Files.) So a link dump: The New York […]
The computer industry is good at coming up with Orwellian names for things. The software that call center operators and others use is called a “Customer Relationship Management” system (or ‘CRM.’) The goal of such systems is to help you decide which of your customers are profitable, and give them better service. Cynics might add: […]
I was unfortunately late to the Making Money Blogging session at BlogNashville. It was run by Henry Copeland of Blogads. There was a lot of discussion on driving ads, targeting ads, complaining that RSS doesn’t allow you to demographic your audience. There was some great discussion of how Major League Baseball is drawing baseball bloggers […]
I didn’t expect to have quite such a good time at BlogNashville. I mean, really. But I did. I felt really energized, and learned an awful lot from conversations. I left before the tailgating and evening dinners because I was already pretty worn down at 5PM, and it was going to be a long drive […]
In Hoder’s session on Building a Blogosphere, Rebecca MacKinnon asked “what can we do to encourage people to link to bloggers internationally?” That’s been sort of a theme today. I think it’s challenging, because often bloggers in different places have very different orientations; that combination of cultural, educational, and training background that acts as a […]
An agency that warns Texans not to share personal information with strangers because of the risks of identity theft mistakenly mailed hundreds of driver’s licenses to the wrong people. The Texas Department of Public Safety (DPS) blamed the mixup on a malfunctioning machine that was recently installed to sort licenses for mailing. Statewide, at least […]
I think the roundtable went well. Mark Glasser started us off with a review of the state of the world, with China having 67 bloggers in jail, Bahrain requiring bloggers to register, Cuba having a black market in email accounts with one costing $240, out of an average annual income of $1700. We talked a […]
I’m finishing my coffee, and about to hop in the car for BlogNashville, and the Anonymous Blogging Roundtable.
An employee hoping to get extra work done over the weekend printed out 2004 payroll information for hundreds of Safenet’s U.S. employees, snapped it into a briefcase and placed the briefcase in a car. The car was broken into over the weekend and the briefcase stolen – along with the employees’ names, bank account numbers […]
USA Today reports “U.S. asks for more data on travelers” The federal government plans to begin collecting the full names and birth dates of air travelers this summer in its latest effort to screen passengers for possible links to terrorism. In a few weeks, the Transportation Security Administration will notify airlines, travel agents and online […]
Perspectives from the gossip industry are presented by Information Week, in “Execs Testify In Favor Of National Data-Security Law:” In prepared testimony for a hearing by the House Committee on Financial Services, executives from Bank of America, ChoicePoint, and LexisNexis supported legislation patterned after California’s law requiring companies to notify customers about security breaches. ChoicePoint […]
Gunnar Peterson asks “How far can software architects get using a purely rational approach to software development,” and Michael Howard points to Dave Leblanc’s “Another Look at the SafeInt Class.” If you write in C++, check out the SafeInt stuff. It’s the sort of “close off a class of vulnerabilities” approach that I love.
I’ve been thinking lately about licensing my content under a Creative Commons license, maybe non-commercial, attribution. As I think about such things, I look for scenarios where I’d be sad I’d done such a thing. While I haven’t come up with any, I’ve been noticing lately that more and more of my readership comes via […]
Scott S. Shim, an assistant professor in the Purdue College of Liberal Arts, along with students Ryan Lightbody and Matt Grossman have won the 9th International Bicycle Design Competition in Taiwan, according to this press release. (Unfortunately, the web site isn’t going to win any design awards.) “None of us had ever designed a bicycle […]
Today’s Wall Street Journal has a good summary article, “For Big Vendor of Personal Data, A Theft Lays Bare the Downside” (Thanks, Nick! Also, the Pittsburgh Post-Gazette has picked up the story, and made it available): The vulnerability of the company’s data and its difficulty in tracking the breach point to a paradox. ChoicePoint and […]
Time Warner Inc. on Monday said data on 600,000 current and former employees stored on computer back-up tapes was lost by an outside storage company, which the U.S. Secret Service is now investigating. Time Warner’s data storage company, Boston-based Iron Mountain Inc., lost the tapes during transport, Time Warner said. reports the New York Times. […]
Following up on my earlier post about staying in touch, there’s a bit of technology that I’ve been meaning to build for, well, over a year now, and haven’t gotten to it. I was in Portland, Oregon for business, and someone I was speaking with said “Hey, you know Lucas Nelson is there this week?” […]
WYFF-TV, “The Carolina Channel,” interviews two fraudsters who made money impersonating others. If you have any doubt these people are scum, one impersonated his own brother, and stole $71,000. In another, on Dave Farber’s list, victim Tom Goltz writes: Speaking as a victim of identity theft, there is absolutely nothing that an individual can do […]
I’m very excited to discover that my friend Zach Brown is blogging again. Zach was one of a group of friends who introduced me to blogs in, maybe late ’99? Early 2000? He’d been on hiatus, and I’m glad he’s back. But I realized that my excitement felt a little odd, and so I’ve been […]
Mike Solomon, of PithHelmet fame, comments on RSS spam, and promises to do something about it. (Incidentally, I’ve been wondering about NetNewswire’s cookie behavior when you load pages, but some rummaging in its files didn’t seem to turn up cookies, and I needed to go blog earn money.) Alan Chapell (whose blog is looking much […]
Mayor Potter, a former Portland police chief, earlier this year requested that the federal government grant him, the police chief and the city attorney top-secret security clearance — the same as task force officers — so that city leaders could have access to case files and more frequent updates. Potter said he wanted the ability […]
The greater the trust and reliance people place in drivers’ licenses, the greater the incentive to get fraudulently issued ones. FoxNews reports on “Workers Charged With Taking Payoffs for IDs” (via JihadWatch.) “With a valid driver’s license, you establish an identity,” said Michael Garcia, assistant secretary of the Homeland Security Department. … The three Florida […]
Since Choicepoint demonstrated that screening is hard, they’ve been repeating the phrase “We look forward to a national debate.” But at yesterday’s annual meeting, they once again failed to engage in that debate. The LA Times has an AP story “No Answers for ChoicePoint Shareholders” (Bugmenot, because no other paper has picked up the story, […]
But today, the chairman and chief executive of Alpharetta-based ChoicePoint is likely to get a feel for his standing on a smaller stage: whether he is held in esteem by ChoicePoint shareholders. … Lauren Waits, who oversaw ChoicePoint’s charitable giving program before leaving earlier this year, describes her former boss as a visionary who also […]
In “Proposed Legislation Limiting PI Access to Data“, Private Investigator News and Information provides the National Council of Investigation and Security Services’s roundup of legislation that would affect the private investigator business. Naturally, the private investigators are up in arms; their job is about to be made a lot harder over something that wasn’t their […]
1386 provides a huge incentive for companies to secure their systems, without restricting or constraining the way in which they should do so, leaving companies to choose the most effective way. This encourages innovation in defense, because should new, more effective defense strategies become available, companies are more likely to adopt them, whereas if they […]
A former employee of a Blockbuster video store in Washington, D.C., has been indicted on charges of stealing customers’ identities, then using them to buy more than $117,000 in trips, electronics and other goods. Miles N. Holloman is charged with stealing credit card numbers, Social Security numbers and other private financial information from the application […]
“The State Department seems to be putting down the purple Kool-Aid and looking at the serious problem this technology presents,” said Mr. Scannell, who runs an Internet site called RFIDKills.com; the first part of the name stands for radio frequency identification chips. “But no matter how much stuff you layer on the technology, it is […]
Gunnar Peterson offers up a label for software that he stole from Jeff Williams. I had a good, if short, back and forth with Geoff, of Screen Discussion, in his comments, on using photographs to enhance criminal background checks, by including photos with the records of criminals, so the viewer of a report can compare. […]
“AML software will change international banking forever,” said Suheim Sheikh of SDG Software, an Indian software firm hoping to tap into the big new market. “Governments across the world will have their eyes on bank customers,” he added. “Since the software can monitor so many accounts, so many transactions, all kinds of people will be […]
Building new technologies involves making tradeoffs. A programmer can only develop so many features in a day. These tradeoffs are particularly hard in building privacy enhancing technologies. As we work to make them more secure, we often want to show the user more information to help them make better decisions. This impacts usability. The security […]
Time Magazine reports: The State Department has traditionally put together a list of industry representatives for these [Inter-American Telecommunication Commission] meetings, and anyone in the U.S. telecom industry who had the requisite expertise and wanted to go was generally given a slot, say past participants. Only after the start of Bush’s second term did a […]
The Privacy Law Site posted on the Schumer-Nelson Comprehensive Privacy bill on April 13, but I just found it. The author summarizes the bill. Richard Clarke has a column in the New York Times, “You’ve Been Sold,” in which he outlines some reasonable parts of a new law. [Added shortly after first posting.] The Seattle […]
After a recent hard drive failure on my Mac, I realized just how much I hate the web. No, that’s not really true. I don’t hate the web. I think the web is great. Advertising on the web, that drives me to distraction. And so I realized how much I appreciate Mike Solomon’s PithHelmet plug-in […]
While denying being a member of the ruling class, Asteroid points to some pretty cool music, including DJ Earworm, which helped me track down another site Asteroid mentioned: DJ Cal, at Robootlegs.com, whose “Hendrix vs Jackson – Foxy Jean Haze” is a masterpiece.
Speaking of distributed innovation, the Open Source Vulnerability Database is a great project, dedicated to accumulating deep technical knowledge about computer security vulnerabilities, and making it freely available. And now it turns out, they have a blog! Mark Ward has an interesting article, “Predicting Vulnerabilities, Quotes and more.” When the patch comes out, many people […]
Martin Pool, whose blog lacks a comment facility, quotes a history of Windows NT: The first two weeks of development were fairly uneventful, with the NT team using Microsoft Word to create the original design documentation… Finally, it was time to start writing some code. (I wish I’d seen this line a couple of days […]
In the New York Times, Virginia Postrel writes about the work of Eric von Hippel, head of the Innovation and Entrepreneurship Group at the Sloan School of Management at MIT, who has a new (academic) book, “Democratizing Innovation.” But a lot of significant innovations do not come from people trying to figure out what customers […]
Bruce Schneier writes: The UK government tried, and failed, to get a national ID. Now they’re adding biometrics to their passports. Financing for the Passport Office is planned to rise from £182 million a year to £415 million a year by 2008 to cope with the introduction of biometric information such as fingerprints. A Home […]
Stupid Security covers an AP story: Security at U.S. airports is no better under federal control than it was before the Sept. 11 attacks, a key House member says two government reports will conclude. None of us here [at Stupidsecurity] are surprised. The real fun begins with the second paragraph: “A lot of people will […]
It turned out someone I had dinner with last night had gotten an Ameritrade letter. According to her, Ameritrade is not offering credit monitoring service.* “Lotus, Surviving A Dark Time,” has some good analysis: Well, duh with a PR stamp. How could they have heard of any such “misuse?” If customers had any bad experiences, […]
A hacker who tapped into business school computers at Carnegie Mellon University may have compromised sensitive personal data belonging to 5,000 to 6,000 graduate students, staff, alumni and others, officials said yesterday. … There is no evidence that any data, including Social Security and credit card numbers, have been misused, officials said. But they have […]
ChoicePoint Inc. (NYSE: CPS), today reported first quarter total revenue growth of 19 percent compared to 2004. First quarter total revenue for 2005 was $259.3 million. … These expenses included approximately $2.0 million for communications to, and credit reports and credit monitoring services for, individuals receiving notice of the fraudulent data access and approximately $3.4 […]
The Department of Homeland Security Office of Inspector General has written a report on TSA security: Improvements are still needed in the screening process to ensure that dangerous prohibited items are not being carried into the sterile areas of airports, or do not enter the checked baggage system. In our report on the results of […]
Presto Vivace reports that: During the April NCC AIIM meeting, a member of the audience asked how the IRS’ Free-File could avoid becoming another ChoicePoint, clearly a reference to recent security breaches. Everyone in the room immediately understood the reference; no explanation was needed. CBS Marketwatch reports “For now, little way to halt firms’ leaks […]
Kip Esquire points to WILLisms, who wants to “Save the trackback.” I think I’m running about 10-to-1 spam trackbacks to real ones. It’s clearly because I talk about nothing but poker and viagra. I have to say, I love getting real trackbacks. I like it when people take what I’ve said and expand on it. […]
Some days I feel like I’m playing Clue…It was Mr. Mustard, in the study with the lead pipe. Ameritrade Inc. has advised 200,000 current and former customers that a computer backup tape containing their personal information has been lost, MSNBC.com has learned. The tape contained information spanning the years 2000-2003, and included both current and […]
I have a document where I started to create a macro, then realized that some clever search and replace would work. So I stopped creating the macro. But now, the document (which I share with others) has a macro in it. Sure, it’s possible to open with macros disabled, but I’d like to remove the […]
In his closing CFP keynote, Bill Scannell of RFIDKills.com asked for voice votes by the audience on whether a series of government measures including the use of secretly and remotely-readable RFID chips in passports were stupid or evil. “Both” seemed to be the predominant response. I and some others (including Ryan Singel of Wired News […]
What is it with order of magnitude errors in victim counts? DSW Shoe reports 1.4 million credit cards exposed. In other news, the General Accounting Office reports [The IRS] has corrected or mitigated 32 of the 53 weaknesses that GAO reported as unresolved at the time of our prior review in 2002. However, in addition […]
The fine folks at Spirit of America are blogging their time in Lebanon. Yesterday, they point to Pulse of Freedom, where folks working towards real democracy in Lebanon are blogging. Very cool.
As I covered in “Canadian Privacy Law and CIBC,” CIBC spent years faxing information to, amongst others, a West Virginia scrap yard. Today, the Privacy Commissioner released her report, and asks that they please, pretty please do better next time. See the press release, if you really want to. Via Dave Akin.
Tyler Cowen asks, does DC have a housing bubble, and asks how can we justify the price rise: Housing can be lived in, most buyers have only one home, transaction costs are relatively high, and rarely are homes sold and resold in a matter of days. All those features militate against a housing bubble. Yet […]
I’ve made a couple of CSS changes. (CSS is the Content Style Sheet which controls how this page looks in your browser.) Mostly making the CSS fully valid, and adding some padding around list items so they don’t scrunch together quite as much. Aren’t you thrilled? Do let me know if it looks messed up, […]
Speaker B: And the helmets are shaking their purple-dyed crests, and for the wearers of breast-plates the weavers are striking up the wise shuttle’s songs, that wakes up those who are asleep. is a pretty unexceptional line of a play, unless you happen to be a classicist, familiar enough with the works of Sophocles to […]
I have a confession to make. I’ve spent way too much time thinking about patching, and secure programming technique. This week’s Apple security update is interesting to me for a few reasons. Two side comments before I delve into the nitty-gritty. What’s with releasing this at 5.30PM on a Friday? If Microsoft had done that, […]
The security failure at Polo Ralph Lauren is going to be a big story. Not Choicepoint big, but big. According to ComputerWorld, in “Scope of credit card security breach expands:” [An emailed] statement also noted that Polo Ralph Lauren has been working with law enforcement officials and credit card companies since fall 2004 to determine […]
Students need volunteers: Back in the 1930s, Alan Turing proposed a “Gender Guessing Game” in which a judge, connected to two people in closed rooms with a teletype each, would attempt to guess which was a man and which was a woman. Turing then proposed extending the game into his infamous “Turing Test” where a […]
In January, I blogged about the city of Truro, Mass, trying to get DNA samples from all 790 residents. (“DNA Dragnets” and “DNA Dragnets and Criminal Signaling.”) The New York Times reports that they’ve arrested someone: Mr. McCowen was first considered a possible suspect in April 2002, three months after the murder, Mr. O’Keefe said, […]
Inside Bay Area claims “Protecting consumers’ personal information may not be possible.” Former Congressman Bob Barr, writing for Findlaw, disagrees in an insightful article. Robert Gelman suggests that government only buy from vendors who voluntarily follow fair information practices in the second half of his DMNews editorial, “ . . And Into the Fire” Businessweek […]
You’ve won the Big Brother award for Lifetime achievement! It was a tough battle for top place this year, and while Choicepoint was the people’s fave, we all know that those privacy elitists don’t really care about the little people. Other winners included California’s Brittan Elementary. The Department of Education got worst government department, despite […]
This New York Times article on Videos Challenge Accounts of Convention Unrest covers the fascinating conflict between the video and human memories of an event; the issues raised by transparent video editing, and other issues. Worth reading. During a recess, the defense had brought new information to the prosecutor. A videotape shot by a documentary […]
Following yesterday’s Congressional testimony, there’s analysis by Thomas Greene in The Register, also in Internet News. The Atlanta Journal Constitution reports that Choicepoint VP Doug Curling, and LexisNexis President Kurt Stanford both seemed to come out as accepting of extending fair information practices to their businesses. The testimony prompted editorials in USA Today, and the […]
Dear Canon, Why do you make it harder for me to download the software for my camera than to download a brochure? Is it because I’m stuck and have already bought your camera? Do you hope I’ll forget this experience? Because I can’t figure out how to make either of my web browsers suck enough […]
Yesterday at CFP, I saw an interesting panel on the proposed radio-enabled passports. Frank Moss, a State Department employee and accomplished career diplomat, is the U.S. government’s point man on this issue … In the Q&A session, I asked Mr. Moss directly why the decision was made to use a remotely readable chip rather than […]
Infoworld reports 106,000 Tufts Alumni getting letters, and Cnet reports that “A bank tells 180,000 people who used their GM MasterCards at Polo Ralph Lauren that their data may have been stolen.” (That sounds like a strange set of circumstances. Who sorts their data by credit card issuer?)
Over at Volokh, Orin Kerr has a beautiful analogy which illustrates orientation issues in reading Supreme Court cases. By orientation, I mean the sum of cultural, educational, and training experience that come together to influence the way people interpret the things they observe. (In other words, what Boyd meant.) Kerr writes (emphasis mine): I think […]
Sitting at a coffeeshop today, I listened to the fellow behind me try to get Dell and Equifax to agree to fix his credit. It seems that his father passed away recently, in debt to Dell over a computer. That debt is now on his credit report, despite his not being a co-signer for the […]
Iran seems to be annoyed that Canada is engaged in a minimal attempt to find out who murdered Zahra Kazemi, and see that they’re brought to justice. It seems that more and more academics are getting the word: Access to your research is good. I wonder when the computer scientists at IEEE and ACM will […]
Internet News has one of many reports on the latest breaches, this one titled “Feinstein Tightens ID Theft Proposal.” Bob Sullivan at MSNBC reports on background checks: But experts say the nationwide tallies are often full of holes, and contain as few as 70 percent of all felony conviction records, leading in turn to a […]
Declan has some choice words about Choicepoint’s new Credentialling, Compliance and privacy officer, in “Sidelining Homeland Security’s privacy chief:” DiBattiste sounded like she was replying to a pesky reporter when she wrote back [To TSA Privacy Officer Nuala O’Conner Kelly]: “TSA Public Affairs has no information in response to your request.” How fitting, then, that […]
[T]he company said just 2% of those informed by the company in March of the security breach had accepted its offer of free credit monitoring and none had reported identity theft. All the others will also be offered the services it said. (From CNN, or see the statement here.) So, let’s review. A slew of […]
The Daily Caveat tells us that “Choicepoint Changes Access to Personal Data,” and Research News has more. No word on what level of audits Choicepoint will be doing. It sounds like there will be a pulldown menu or checkboxes for “allowable uses,” perhaps causing people to think for a bit, then get used to selecting […]
Forty-four years ago today, Yuri Alexeyevich Gagarin became the first person to fly in space. There’s a fascinating anecdote from Doug Higley at the Encyclopedia of Astrobiology, Astronomy, and Spaceflight. Higley was with the US Army Security Agency unit tasked with monitoring Russian missiles on the day Gagarin flew. Or read up on the Yu. […]
Apparently, I need an excuse to go to Montreal in the summer. Ooh, look, an excuse!
Lexis Nexis is saying that they understated the number of victims in last month’s incident. It is not 32,000, but 310,000. Kudos to them for stepping up and admitting to it. It’s the right thing both ethically and strategically. Reed spokesman Patrick Kerr said that the first batch of breaches was uncovered by Reed during […]
I’ve briefly mentioned the story of a fellow getting his finger hacked off so the thieves could make off with his S-Class Mercedes. But images are far more powerful than words. Google claims that the German reads “Forest worker…or S-Class owner?” I’d love it if someone could offer a translation of the German text in […]
Apr. 10 – People who compare Adscam to Watergate are missing a vital difference. Whereas the Watergate hearings began with the use of private donations to President Nixon’s re-election campaign for illegal operations, Adscam is increasingly exposing the use of public, taxpayer money to fund the election campaigns of the Liberal Party. So says Being […]
Over drinks, I like to enrage my computer security colleagues by suggesting that we’re spending too much on computer security. My evidence for this is that, despite all the attacks and break-ins and worms and what-have-you, no one’s going out of business. But the news in Saturday’s Washington Post, “Most Area Terrorism Funding Not Spent,” […]
Over at Boing-Boing, Cory posts the latest in his saga of having American Airlines ask for a written list of his friends. As I thought about this story, I realized something very worrisome. I fly American! I also realized that I don’t know if I’ll have the right papers with me when I do. So […]
Capturing the Unicorn is an article at the New Yorker about the hubris of technologists trying to capture art. (The technologists win, but the archivist in me asks: CDs?) 13 things that do not make sense is a New Scientist article about, well, 13 things that don’t make sense. Some foolish people might look at […]
BANGALORE, India — Former employees of a call center in Pune, India, were arrested this week on charges of defrauding four Citibank account holders in New York, to the tune of $300,000, a police official said. The three former employees of Mphasis BPO, the business process outsourcing operation of Bangalore software and services company Mphasis […]
Choicepoint has been nominated for a lifetime Big Brother award. Best of luck, folks! Prophet or Madman points to an article at Knowledge@Wharton about the issues raised by the case. Robert Gellman has a column in DMnews “Out of the Frying Pan.” Choicepoint has announced their earnings call and webcast, on April 21. (Is ‘before […]
JihadWatch points to a Sunday Times article: PALESTINIAN fighters have revealed that Hezbollah, the militant Lebanese group backed by Iran, is offering to pay for attacks aimed at shattering the fragile truce with Israel. Maciej Ceglowski has some harsh words for Paul Graham’s essay “Hackers and Painters,” in an essay “Dabblers and Blowhards.” However, he […]
Newsday reports on Orange County, Florida Sheriff Kevin Beary abusing law enforcement access to records. He sent a letter to Alice Gawronski’s home, objecting to her letter to a local newspaper. He claims it was “legitimate use of public records.” Dan Farmer’s new company, Elemental Security, has launched. Speaking of launched, Steve Hofmeyer, of Sana […]
Normally, I try to avoid comment on religious matters, but I think it’s important to be aware that Samablog has taken the first step to becoming an anti-Pope by declaring himself Interim Pope. The blogosphere shall elect the next pope! Or something. We bloggers didn’t cause the Thirty Years war.
Diebold, Choicepoint Partner to Offer Innovative Voting Technology was an April Fools item I forgot to blog: Alpharetta, GA – Diebold Election Systems and Choicepoint, Inc., today announced a joint venture that could revolutionize the voting market. The concept is simple: combine Diebold’s demonstrated expertise in voting systems with Choicepoint’s superior data-mining techniques to produce […]
I’ve mentioned the Spirit of America anonymous blogging project before. To help move things forward, I’ve offered Jim Hake my assistance as a project coordinator. As Jim describes the project: The project is to review all available technologies and techniques and get the input of the best minds available to put together a plan for […]
Recently, I griped about AOL’s privacy policy. Today, PGP Corp announced their second public beta of PGP 9, which includes support for encrypting AIM sessions. It’s not clear if this will be in the personal edition. I sure hope so.
The program has been posted for The Fifth Privacy Enhancing Technologies Workshop, which will be held in Dubrovnik, Croatia, 30 May – 1 June. (Corrected spelling.) There’s an affiliated executive briefing, 2-3 June.
The Fourth Workshop on the Economics of Information Security will be held in Boston, June 2-3. The schedule is now online. I’ll be presenting a short essay on “Avoiding Liability: An Alternative Route to More Secure Products” at the rump session. I’d love feedback. Ian Grigg has talked about alternate review systems.
Both Blog*on*Nymity and Kip Esquire are covering a massive student database, that seems to be there to ensure that, well, you know, look! A terrorist! More compulsory privacy invasions for little apparent benefit to anyone, except the newly fully employed bureaucrats. And you thought Berkeley losing a laptop was bad?
I never really liked the bar down the side of my blockquotes, and have finally replaced them, with a style stolen from Simple Thoughts. They’re in 52pt Copperplate as transparent background gifs. Does anyone know how to add a second image, at bottom right? Putting background: url(http://www.emergentchaos.com/close-quote.png) no-repeat bottom right; url(http://www.emergentchaos.com/quote.png) no-repeat top left; into […]
While publicly recalling their Ambassador over the brutal murder of Zahra Kazemi, the Canadian government was playing host to Iranian officials, looking for security information, reports the CBC: In dozens of e-mails, there is no mention of Kazemi, and no one questions why Canada would help Iran, considered by some to be a brutal police […]
In this New York Times article on NASA’s “broken safety culture,” we find: In the months after the Columbia disaster in February 2003, the space agency started several initiatives to enhance safety, including the creation of an Engineering and Safety Center at its Langley Research Center in Virginia. It has worked with Behavioral Science Technology, […]
I’m not sure if Jon Ostik’s column “Want to prevent ID theft? Get back to basics” is a brilliant April Fool’s Day joke, or, an example of, as the Identity Theft blog claims, “Many “security professionals” are clueless about identity theft.” Before anyone panics, the logical first step in any security process is an audit. […]
A legal principle which prevents people being tried for the same crime twice is being scrapped in England and Wales. The ban on “double jeopardy”, which has existed for around 800 years, will be consigned to history from Monday. The Court of Appeal can now quash an acquittal and order a retrial when “new and […]
Quick! Someone get these folks a marketing department! Someone showed me a cool password storage token from Mandylion Labs. You can load passwords over a little electronic interface, and then keep long lists of superuser passwords in your pocket. I had to mail my buddy to get their name. It seems somewhat better than a […]
My local supermarket has Stroopwafels! They’re cleverly hidden in the cookie section, which I carefully avoid (due to a lack of willpower). But next time someone gripes about global free trade, I have a miniature stroopwafel to throw at them. Yes, I got the mini ones. No, I’m neither illiterate, nor smoking anything. I got […]
I’ve added Screendiscussion to the blogroll. I don’t always agree with Geoff, but he seems insightful, interesting, and genuinely willing to grapple with the questions that his profession raises. He also posts actual posts, rather than a clipblog. For example, this morning’s post is “Background Checks Must Be Relevant,” and points out a case where […]
The Atlanta Journal Constitution has an editorial “ChoicePoint’s offer not enough:” The better solution would be to prohibit companies such as ChoicePoint from warehousing personal information in the first place, since security has proved so problematic. Computerized collections of consumers’ Social Security numbers, credit information, driving histories, medical and court records may make commerce […]
Information Security Magazine has an interview with Choicepoint CISO Richard Baich. It’s behind a subscriber-wall, so I’m excerpting bits of it after the read more. (Via Run-DMZ.)
Grits for Breakfast writes about his testimony before the Texas House in Biometrics debate hinged on ID theft: The committee also seemed surprised that DPS had included facial recognition technology in their drivers license re-engineering RFP, even though the Legislature did not approve it. My understanding is that the AAMVA (American Association of Motor Vehicle […]
Rape, Torture, and Lies An ongoing Canadian saga has a sad new twist today: photojournalist Ziba Zahra Kazemi was likely brutally tortured and raped before her death in Iran in 2003. Arrested after a demonstration, the official Iranian line has been that her death was an accident due to injuries from a fall. The ER […]
Alpharetta, Georgia, April 1 /PRNewsWire/ Alpharetta-based information broker Choicepoint today announced its intent to acquire the blog “EmergentChaos,” citing market synergies, cost reductions, and new revenue opportunities. Financial terms of the deal were not disclosed, but Choicepoint CEO Derek Smith said “We knew just which buttons to push.” Emergent Chaos is a weblog, or “blog,” […]
Alacrablog discusses a Morgan Stanley research report: Certainly manageable numbers, but I think the report underplays both the potential growth in these markets prior to these incidents and the rising costs due to increasing regulation of the data brokers. There’s also an interesting post rounding up the SIA Anti-Money Laundering conference. The Atlanta Business Journal […]
Screendiscussion makes a case for criminal records searching as an adjunct to a background check: One of the biggest downsides is that the records can only be searched by name, an occurrence that is becoming more common even at the lower courts. This might not be a problem if the name being searched is pretty […]
With the announcement yesterday of a stolen laptop with 30 years of alumni social security numbers on it, and the October break-in that led to 1.4 million people being exposed, how long until California forbids the University from holding such numbers? Clearly, they’re not to be trusted; students have no choice but to provide that […]
The other day, Samablog and I did some P2P mining, after Michelle Malkin blogged about it. She links to P2P Provides Safe Haven For Pedophiles. There, Rick shows screen captures of extremely disgusting file names (“2 yo getting raped during diaper change”). He doesn’t download any files, but takes this as evidence for his title. […]
I was talking to someone about a New York Times story “U.S. Is Examining a Plan to Bolster the Rights of Detainees.” The story contains the line: Those changes include strengthening the rights of defendants, establishing more independent judges to lead the panels and barring confessions obtained by torture, the officials said. I made a […]
EPIC has obtained documents which… … reveal that Choicepoint proposed the sale of detailed personal information to the Bureau for law enforcement purposes. The documents show an extraordinary range of data sources, including e-mail registration, cookies, spyware, employment screening reports, motor vehicle records, drug screening results, professional licensing, Social Security Numbers, wireless phones records, and […]
By the end of 2005, we will have had a month with at least 30 disclosures of serious security breaches, making private information about people available. At least 10 of these breaches will involve data which organizations are required by law to store and protect. This will cause a set of Congressional hearings, in which […]
Juan Carlos Merida is an unusual victim of the watch lists. He knows why he’s on one. As the New York Times reports, while a volunteer at the Airman Flight School, he gave rides to lots of students. The students he gave rides to included Zacarias Moussaoui, who is currently awaiting trial on suspicion of […]
The US Government is pushing a plan to add radios to every passport in the world. These radios will broadcast all the information in your passport to any immigration officer, id thief, or terrorist who wants it. Want to see if there are more Americans on the right or left side of the plaza? No […]
Michael Howard mentions that Microsoft has published their Software Development Lifecycle for security. Slag all you want, but I don’t see a lot of other vendors doing this. And now, if you need leverage to get buy in, you can either say, “We should emulate Microsoft…” or “Even Microsoft does…” It’s a win. Thanks for […]
Framing effects are what a variety of types of academics call the variety of contextual effects on perception. For example, six months ago, this laptop went for $4800, and now it’s just $3,500! Similarly, law reviews, where lawyers write for each other, are usually exceptionally long, from my perspective. And so we get Orin Kerr […]
Iraqi prisoners have dug a 200m tunnel out of one of the US-run prisons in Iraq. The BBC has pictures. Marburg is spreading in Angola. Marburg is an Ebola-like haemorrhagic agent. Some analysis. Charles Cooper has some commentary ranting about the state of the information security industry at cnet: It’s tempting to become […]
Ryan Singel reports that lying to Congress is now legal, at least according to TSA spokeswoman Amy Von Walter. “Von Walter also indicated the agency is working to make sure that the public and Congress are better informed about the agency’s actions.” In other news, the Pentagon will ignore the recommendation of the Army Criminal […]
The Federal Reserve has joined the FDIC in ordering banks to notify customers of breaches. Forbes reports that Choicepoint director Thomas Coughlin has resigned his day job at Wal-Mart: “A senior board member of Wal-Mart Stores Inc. resigned Friday following an internal investigation related to personal reimbursements, billing and company gift cards.” [Choicepoint CEO] Derek […]
Screendiscussion responds to my comments about “Three Privacy Breaches” in Security In a Changing Nation. He sums up his argument as “Why? The reason is that we, as a nation, have become extremely security conscious in the past few years.” I think this is only partially correct. I suspect that this is part of it. […]
Ed Felten summarizes Wendy Seltzer’s comments on the NYT “Open Wifi is evil” article: “anonymous sources claim anonymity is evil.” The Department of Citizenship amends their terms and conditions. (Via Michael Froomkin.)
A man who pleaded guilty to hacking into an Arkansas data company’s computer system and stealing personal identification files was sentenced Wednesday to nearly four years in federal prison. Daniel J. Baas, 26, of suburban Milford, entered his plea in December 2003, after being indicted that August. Baas was a systems administrator for Market Intelligence […]
Declan McCullagh writes about new rules requiring banks to disclose breaches, as promulgated by an alphabet soup of federal regulators. A brief digression: The new guidelines seem to make sense, but it’s difficult to figure out whether they go too far or not far enough. Normally consumers can shop around and choose products based on […]
Brad Feld pointed to an essay by Paul Graham, entitled “A Unified Theory of VC Suckage.” (VC is short for venture capitalist, the folks who invest in certain types of startup companies.) I used to take it for granted that VCs were like this. Complaining that VCs were jerks used to seem as naive to […]
“What would Gandhi do?” is the title of a soul-searching post by Joi Ito about positioning. It reminded me of a passage in William Shirer’s memoir of his time with Gandhi. I’d like to quote the passage, which ends chapter 11, and then add some comments. The context is Gandhi’s visit to England, and in […]
“DMV hopes to reassure clients about security.” The DMV on Wednesday will send out letters describing the incident and new driver’s licenses with different numbers to the 8,738 people whose personal information was stored on the stolen computer, said Kevin Malone, spokesman for the DMV. “Audit: State voter system left information vulnerable:” The state elections […]
Asteroid analyzes Sisyphean volunteers and the modern condition in a brilliant essay. It just goes to show, the Greeks really did invent everything. Robert Poole and Jim Harper debate the TSA in “Transportation Security Aggravation” at Reason. Tyler Hamilton looks at two schemes to cut your auto insurance premiums by monitoring your driving, and their […]
The Daily Caveat rounds up the five shareholder lawsuits against Choicepoint. The Atlanta Business Journal has an article on Choicepoint’s executive compensation. Kim Zetter at Wired has a 3 page story on Choicepoint’s Checks Under Fire. CNN reports that only 11% of id theft occurs online. Well, actually, there might be some methodological problems. It’s […]
Read this transcript about former UN Oil-for-Food program lead, Benon Sevan. Apparently the UN is paying his legal fees. Question: The other question was a follow-up to a story in the New York Sun today. The United Nations has been paying Benon Sevan’s legal fees. Is this appropriate? Is this normal practice? And why did […]
Jason Young has a great, thoughtful post at Blog*on*nymity: Like other nations, Canada has moved to adopt criminal sanctions for electronic voyeurism, a social problem that has become acute with the availability of cheap and unobtrusive surveillance technologies. The legislative efforts are welcome and yet I cannot help but wonder if we are missing the […]
I was trying to enter someone’s web address into Apple’s Address book recently. Unfortunately, Apple believes that you have a home page. This is at odds with almost all the other fields in Address Book. You can have lots of phone numbers. A profusion of email addresses. And one home page. Me? I have a […]
Businessweek has an editorial, saying strong regulation is unlikely, but credit freezes, mandatory disclosure, and liability for breaches should come. (I’d argue that liability for inaccuracy, creating a duty to the subjects of a database should also be considered a floor for a new law.) EPIC has written to the FTC, critiquing their testimony. (Via […]
Wired is carrying a Reuters story blaming VOIP systems for security flaws. The claim is that VOIP, by allowing everyone to set their caller id string, is causing security problems. This is false. These security problems have existed and have been exploited for a long time. For banks, or anyone else to rely on caller […]
The BBC is reporting that Opposition demonstrators in Kyrgyzstan have taken control of a town, as protests continue a week after the second round of disputed elections. In Jalal-Abad, a police station was set on fire, and protesters took control of the airport to prevent reinforcements being flown in. Protesters say President Askar Akayev’s party […]
As I mentioned previously, Daniel Solove and Chris Hoofnagle have written a paper on “A Model Privacy Regime.” This post makes a lot more sense if you’ve read their paper. I’ve read through it, and think that it’s pretty good. My responses to specific sections are below. First I’d like to comment on the free […]
Susan Kuchinskas writes “No Security in SSNs?” for Internetnews. Credit bureaus and information brokers will doubtless lobby Congress, saying changes to the rules will hurt their business. But Solove said their voices might not carry as much weight as they used to. “They had their chance. They weakened the legislation, and, as a result, more […]
Ed Foster writes about Brink’s contract provisions with contracts that don’t go month to month, but year to year when you try to leave. Brink’s is fully within their right to write such contracts, and I’m free to suggest that you should consider shopping elsewhere. (Via Dan Gillmor.) Mark Miller suggests a new code metric, […]
Not In Chicago Anymore comments on Handling of Credit Related Information, and some of the possible repercussions of new law. Ryan Singel at Secondary Screening points out in “Popcorn, popcorn” that (Choicepoint Vice President) McGuffey testified under oath that he told (CPS President) Doug Curling about the investigation in November, which would mean that Curling […]
If you’ve been enjoying the Chaos-Paradox spat, Ryan Singel’s Paradox Still a Paradox is not to be missed: But when it comes to big data brokers that compile dossiers on Americans and list marketing firms that enhance their lists with data bought from data brokers, Bailey thinks they should be immune from the return gaze, […]
Bad advice on use of social security numbers abounds, often in technical documentation. Credit goes to reader Jonathan Conway for digging many of these out. There are a few very common errors which we can find, thanks to Jonathan’s research: Social security numbers are un-changing. No, they are not. Victims of identity theft, domestic abuse, or […]
ChoicePoint’s data bonanza lures thieves , in the Atlanta Journal Constitution. The Q Speaks asks what have we wrought in “ID theft writ large” In another example of what we have wrought, “the Fairfax County’s School Board awarded a contract Thursday night to ChoicePoint, Inc., for testing student athletes and bus drivers for drug and […]
For a very long time, colleges have been using social security numbers as identifiers for their prospects, students, and alumni. This is starting to change, driven by liability and brand concerns. No school wants to transform your (hopefully) fond memories of your time there into a firestorm over privacy. From ZDNet: Dunn said [Boston] college […]
Chris Allen has been doing a series of posts on the sizes of social groups, what factors can make groups work and not work, and related bits, like the use of software to help manage groups of friends. His latest post is Dunbar, Altruistic Punishment, and Meta-Moderation. It concludes: In summary this research offers me […]
Simson Garfinkel has won a Neal award for his writing for CSO. Congratulations! (His latest column is on Skype.) Whiskey Bar has a comparison between Maoists and American Conservatives in Scenes From the Cultural Revolution. Willie Sutton finds the Internet, according to this news.com story. Israeli police are investigating with British forces an attempted robbery […]
Choicepoint’s 10K warns of danger to profits. (AJC) The full filing is about a megabyte; Yahoo has excerpts. Kip Esquire at A Stitch in Haste offers practical advice to Choicepoint on how to make an apology sound sincere in Linkfest — Special “While You Were Out” Edition. Daniel Munz transcribes more of the Senate hearings, […]
Justin Mason has a post on Open APIs, Open Source, And Giving Away The Crown Jewels. I talked about very similar issues in Emergent Uses of Technology a few days ago. Jim Henley has a great essay on “The Citizen or the Police” Nobody worth performing the Heimlich Maneuver on is going to tell the […]
Google Labs has done an OSX Dock style home page. It’s pretty cool. What makes it cool is not the graphical style it presents, but the brilliance of the icon design. If you know what services Google offers, the icon makes sense. (I had to mouse over local, video and options to see what they […]
Cryptome publishes “Homeland Security Council: 15 Attack Scenarios“, “DHS Universal Task List v.2.0“, and “DHS Target Capabilities List v.1.0.” It looks like a well executed set of planning docs. Some quotes from the New York Times: The agency’s objective is not to scare the public, officials said, and they have no credible intelligence that such […]
Academic publishing is an interesting racket. An academic, probably paid by government grants, writes a paper. They submit this paper to various venues, in the hopes of getting it published. The people who review the paper are volunteers, paid in prestige. The paper is then put into a volume costing gobs of money, which goes […]
The House Energy and Commerce committee held hearings. Thanks to Ryan Singel for letting me know they were webcast. Payments News points to the written testimonies of Choicepoint and LexisNexis “Let me begin by offering an apology on behalf of our company and my own personal apology to those consumers whose information may have been […]
The categories I’ve set for this blog are non-functional. I have 16 categories, of which maybe 4 are ever exclusive. Do you look at my categorization of posts? Do you look at the category archives? Should I create a new set of categories? If so, what? (mmm, Choicepoint! Not.) Should I abandon categories and go […]
The LA Times has more on what happened, and Choicepoint’s controls. A great many people feel that this is a compelling story. I enjoyed reading the spouter inn. Finally, today’s Two Minutes Hate comes to you from Futurismic. I’ve been covering Choicepoint issues since the scandal broke.
Justin Mason has a great rant, titled “taxation ventage.” In the US, every worker is required to prepare and file their own taxes, in detail. Nowhere outside of India can do bureaucracy quite like the US, as far as I can tell — even the Brits have embraced simplicity to a greater degree — so […]
Omari Norman takes issue with the term identity theft. It’s a good point. Paul Syverson has pointed out that correct terms are “fraud,” “misrepresentation” and “libel,” but those don’t seem to have caught on. This ABC News story about how Americans think there’s too much government secrecy doesn’t relate directly to Choicepoint, except the government […]
In a comment, Axinar writes: Is it reasonable for an employer to know whether or not a potential employee has a history of violence or theft? Well, probably. And with our liability situation the way it is, generally any company with deep pockets is virtually REQUIRED to run background checks because if an employee “goes […]
Over at Open Society Paradox, Dennis Bailey challenges me: Emergent Chaos documents some problems but ends with a personal slam against ChoicePoint’s CEO. [Ed Note: Technically, we call that the “middle,” not the end.] What would Emergent Chaos have us do? Should we follow the Fair Information Practices and allow 300 million citizens to be […]
I love navel gazing. I try not to expose my readers to too much of it, but this post by Seth Schoen at EFF’s Deep Links captures the spirit I think about when talking about emergent chaos: The Business Models working group‘s mission has been based on the premise that “no system can be properly […]
It’s now a full month since Bob Sullivan of MSNBC broke the Choicepoint story. I’d like to think back, and ask, why does this story have legs? Why are reporters still covering it? There are a couple of important trends which combine to make this a perfect storm, attractive to editors and readers. (It’s useful […]
Axiomlounge talks about public records, outsourcing, and the public records laws that cause all of this. Joseph Menn has a great story at the LA Times called “Did Choicepoint End Run Backfire?” Menn asks questions about the effect of Choicepoint’s choices in avoiding regulation. Public Domain Progress notes is not archival quality. Speaking of which, […]
In working on the Choicepoint roundup for tomorrow, I found Axinar pointing to this story about the Las Vegas DMV heist. Apparently, all that encryption? Err. Never mind. But Lewis said Friday that Digimarc Corp., the Beaverton, Ore.-based company that provides digital driver’s licenses in Nevada, told her Thursday the information was not encrypted, and […]
Although you or the owner of the Content retain ownership of all right, title and interest in Content that you post to any AIM Product, AOL owns all right, title and interest in any compilation, collective work or other derivative work created by AOL using or incorporating this Content. In addition, by posting Content on […]
Ryan Singel has interesting analysis of the FTC’s Congressional testimony. Ellen Simon of the AP has a story about her Choicepoint and Lexis Nexis files. Hint: They’re imperfect, but that won’t stop them from screwing up your life. Others (nothing to see here, Scott C Smith) touch on the same theme. The Daily Caveat points […]
Boing Boing comments on a French stamp with an airbrushed picture of Sartre, sans cigarette. However, the French are way behind on this. Uncle Sam led the way in airbrushing cigarettes, but not people, out of pictures, as these two images of blues pioneer Robert Johnson show. The Honolulu Star got a great quote from […]
Dennis Bailey at The Open Society Paradox objects to my characterization of Hank Asher, and says: Rather than debate the merits of the program, they have to make this a personal attack on the man. Well, let’s talk about the programs. DBT, the first company Asher founded, was deeply involved in disenfranchising Florida voters. MATRIX […]
Latanya Sweeney has announced a new tool, Identity Angel, to crawl the web and discover if there’s enough information to steal an identity. Stefan Brands has made the first four chapters of a book on Electronic Money available. This will be a great reference for people wanting to think about privacy and payments. I’d like […]
D Magazine is looking for a private plane to transport Salman Rushdie so he can speak at an event in Dallas. Apparently, he’s been denied the ability to board a plane. Maybe someone realized he’s associated with Islamic Terrorists? (Via Virginia Postrel.) In other news, the Coalition of Airline Pilots Association has released an airline […]
Today is the “Legislative truckroll” edition. The Motley Fool says: Barring a miracle — or a busload of lobbyists and two truckloads of money (yeah, same difference) — regulation looks to be inevitable at this point. ChoicePoint’s breach alone might not have tipped the scales, but if many other businesses are being ransacked as well, […]
With recent events (Choicepoint, Bank Of America, PayMaxx, and Lexis Nexis) leading to a new privacy law for the United States, what should it say? How can we tell a good law from a bad one? Some disclaimers: I’m not entirely in favor of a new law. There’s a lot of potential for harm when […]
I like the cynicism displayed at http://security.typepad.com/, by a squinty fellow who seems to want to remain anonymous.
It seems that Lexis Nexis’s breach was because of bad passwords: The incidents arose from the misappropriation by third parties of IDs and passwords from legitimate customers. I don’t mean to be snide. No, that’s a lie. I do. It’s 2005. You’re making all this data available via a password? Are your auditors telling you […]
Juan Non-Volokh writes: Ignatius notes that espionage and interrogation experts tend to doubt that torture works. As a friend with experience in that area put it to me: Torture makes people tell you what they think you want to hear, when what you want is the truth. Nonetheless, rendition may result in the torture of […]
Alec Muffet provides the best way I’ve seen to get people to take up National ID Cards: Loyalty points. He claims to be kidding, but I’ve already picked up a dozen citizenship points by turning him in for Mocking the Crown. That brings me nearly halfway to an upgraded room next time I’m in the […]
Harry Weber of the Associated Press is looking to talk to Choicepoint employees. Email him at hweber@ap.org He’s been covering the story since it broke. The readers of Chief Security Officer Online have spoken, and not one opposes more disclosure laws. (As of noon, Thursday.) Bruce Schneier asks why Choicepoint seems to be saying “Please […]
The American Banker has a long story about how some regulations from GLB are now five years behind schedule: Ironically, both bankers and consumer advocates panned the agencies when they proposed guidelines on identity theft prevention in August 2003. The 25-page guidelines were based on Section 501 of the Gramm-Leach-Bliley Act of 1999, which required […]
The theft occurred early Monday in a remote industrial area, authorities said. The thieves took blank licenses and laminated covers, a digital license camera, a camera computer and a license printer. … “It’s been pondered that this has national security interests,” [police spokesman Tim] Bedwell said. “But it’s easier to pass a fake ID to […]
A great essay on living and working creatively by Milton Glaser (via BoingBoing) What it takes to get a drivers license in Germany. Stefan Brands On Quintessenz and the Biometric Consortium. Quintessenz is an Austrian civil liberties group that’s learned about how NSA is driving the biometrics industry. What may be the largest database on […]
In both military and information security situations, the position of the attacker is very powerful. An attacker can choose when, where, and how to attack. Attackers are not constrained by change management committees, operational risk, or a need to make economic tradeoffs within a budget. [1] Attackers don’t need to consider other work that needs […]
To follow up to my post on Terror Suspects and Firearms, I’d like to take a moment to rail against the Kafka-esque implementation of “watch lists” in the United States. For the FBI, or other investigative or intelligence agencies, to have lists of “interesting people” makes perfect sense. You’ll always have people who you suspect […]
Tara Wheatland has a long post Un-Spinning the ChoicePoint Scandal. (Via Personal Democracy Forum.) Local TV station WXIA Atlanta says ChoicePoint Management Under Fire Not actually Choicepoint, but DSW Shoes and Seisint, makers of the massively overhyped MATRIX database for law enforcement have both announced breaches. I wonder when the attackers are going to start […]
The New York Times is running a somewhat alarmist article, Terror Suspects Buying Firearms, Report Finds. The report says that At least 44 times from February 2004 to June, people whom the F.B.I. regards as known or suspected members of terrorist groups sought permission to buy or carry a gun, the investigation found. In all […]
Not bad for a Cubicle has a good post on the credit card industry replacing their risk management efforts with bad law: Bad laws instead of good Risk Management. I like what he’s saying enough that I’ve added him to the blogroll. Daring Fireball links to this article on How to Snatch a Domain Name, […]
Today’s roundup takes a different turn with more about privacy-invasive infrastructures. Also, previous scammer gets 5½ years, and Choicepoint appoints a new officer to deal with compliance and credentials. Deep in the Heart of … France discusses the move to hosted applications, and ties in Choicepoint as an example of the new security issues, like […]
Stefan Geens points to It Takes More Than Money to Buy a Hot Piece of Art. I Came to Japan Because of the Chopstick makes dinner plates fascinating. Thanks Rosa! Two shorts at AntiTerrorism & Security: The firm running airport security at SFO has been accused of cheating by a former manager. The lawsuit is […]
Saturday’s New York Times reports (thanks Alex for the pointer): Lt. Ronnie Williams, project director of the Southern California Identity Theft Task Force, which is investigating the ChoicePoint case, said that the breach was brought to his agency’s attention in late October, and that on Nov. 23, the agency asked the company to delay notifying […]
Erik Rescorla takes note of my CVSS post, and comments that he’s not sure he likes some technical aspects of the system (emphasis added): CVSS does have a formula which gives you a complete ordering but the paper doesn’t contain any real explanation for where that formula comes from. The weighting factors are pretty obviously […]
There’s some great blogging at the Identity Trail conference. I wish I’d been there. Read the official blog for Friday, Saturday AM, Saturday PM, or Michael Froomkin‘s post.
The Atlanta Journal Constitution contains the first MSM discussion I’ve seen of Derek Smith losing his job over this. Evan Hendricks of Privacy Times has a good article in the Washington Post, discussing who owns data and how we’ve gotten here. Axel, of Balrog.de comments “that ChoicePoint does NOT state in that Form 8-K that they […]
Some states will begin using new watermark technology akin to that used on currency for drivers’ licenses next year… While the backers of these efforts say they herald the demise of the fake ID, officers on the beat have doubts. “They find a loophole and exploit it,” said Sergeant Planeta of the New York document […]
Scrivner points out that the Golden Palace is winning all bids to advertise on people’s bodies, and asks “What is all this telling us? Ummm, Scrivner, it’s telling us…Visit Golden Palace! These foxes are being bred for tameness by scientists in Siberia. (I hope that URL is resilient?) I guess that’s what happens when you’re […]
My big question for the day: When Choicepoint announced a re-screening of their small business customers, that segment was 5% of their $900m revenue. Today’s announcement of closing that segment is $15-20m, or about 2%. So it seems that the exceptions that they list in their 8K account for 60% of their small business sales. […]
Iraq The Model points to this WorldNetDaily article: Designating Hezbollah a terror group in Europe will mean “the sources of [our] funding will dry up and the sources of moral, political and material support will be destroyed,” Nasrallah told Al Manar, Hezbollah’s satellite television station. Boyd discusses war as having moral, mental, and physical dimensions, […]
“On March 8th, 2005, the Microsoft Security Response Center is planning to release no new security bulletins,” the Redmond, Wash.-based developer said on its Microsoft Security Bulletin Advance Notification Web site Thursday morning. (Via Information Week, via ISN)
The focus of today’s roundup is “an object lesson in how not to manage a crisis.” Call Choicepoint CEO Derek Smith at home, 770 667 5775, and tell him what you think. Remember, Atlanta is on Eastern Standard Time. On to the roundup: Not Bad For a Cubicle points out that “This is the first […]
I visited maps.google.com, and tried going east from the default view. A press of the “right” button seems to move you about 1,500 miles east. A second press takes you, err, nowhere. Another 16 or so clicks should be bringing you to the West coast of the US, but no luck. (25000 miles/1500 miles per […]
This New York Times story discusses the “need” to submit high school students to Breathalyzer tests to ensure they’re not drinking. It’s a good thing we have all those mandatory ID checks. It seems they’re highly effective at stopping teen drinking, so there’s no need for such tests. The TSA is maintaining a secret database […]
There’s a belief out there that the measles, mumps and rubella (MMR) vaccination is linked to autism, with some scientific sounding hypothesis as to what the causal link is. The BBC is reporting on a study done by Hideo Honda of the Yokohama Rehabilitation Center, along with Yasuo Shimizu and Michael Rutter of the Institute […]
At RSA, Mike Schiffman presented a Common Vulnerability Scoring System. Brian Erdelyi has taken that, and made a web page to generate numbers. It’s at SecurityHive. (The page requires Javascript be turned on to function.)
On Monday, I had the opportunity to see Ed Tufte teach. Much of his analysis revolves around failures to think clearly. Things like poor presentation of data, or selection of data to not include enough context. He said he was in Houston last week, giving a class to the people who were responsible for the […]
Chris Walsh provides this AP story about prior frauds. In light of Choicepoint CISO Baich saying “That’s such a negative impression that suggests we failed to provide adequate protection,” these stories are going to have legs. Reporters will chase down the inadequate protection. And Choicepoint has yet to say they’re sorry. Blog or Die comments […]
I often hear folks who believe in astrology saying things like “That’s just the scorpio in her.” Or, “All Leos act that way.” I rarely hear them say “That’s so unlike a scorpio.” Underlying this is a mind-set which searches for ‘evidence in favor’ of a proposition. This search is a fundamental, and common, misunderstanding […]
One of the neat things about talking to different sorts of conferences is that you find neat stuff that you don’t otherwise see. At the Southeast Cybercrime Summit, I was supposed to talk about “Reducing Crime In Cyberspace, a Privacy Industry View.” (The talk I used to give for Zero-Knowledge.) Due to a small error […]
There’s a good interview with Larry Gordon at SecurityPipeline. It came out in April of last year, but I’d missed it. Gordon has hosted the Security and Economics workshop. “I go to security conferences where we all sit around puzzling about what kind of metrics to use for measuring the results of security programs,” says […]
Thomas Barnett has some links and analysis about the effect of Iraq on the middle east: Yes, there will dangers along the way. But tell me that any of this happens when it does without the invasion of Iraq. Bush is engineering his own serious change in the Middle East, with the simplest and most […]
In the 195 days since I started this blog, I’ve posted 499 times: This is the 500th. I’d planned, when I started, for about one long post a day. It hasn’t always worked that way. I’m posting slightly more than 2.5 posts a day. I think I’m now getting more comments than I post, but […]
A Canadian blogger, PIPEDA, points to Scott Bradner’s column at Network World, as well as an LA Times story (at Yahoo News) on an earlier breach. It’s a good thing California gave us 1386, or this would have been swept under the rug, too. Stephan Brands at Identity Corner points to a column at DM […]
Webflyer has a good post about the economics of new security rules that the TSA wants to impose: Requiring information to be submitted an hour before flight takeoff involves a full 75 minutes greater notice than currently provided. This will mean passengers turning up at the airport at least an additional hour in advance of […]
KnobBoy, demonstrating that the new media can do research, points out that Choicepoint execs didn’t trade like that before. In an AP Interview, Choicepoint CEO “Smith said he believes his company is as much a victim in the episode as the roughly 145,000 Americans whose personal information may have been viewed by criminals.” The Los […]
While “other events” are causing me to prevaricate over data protection legislation in the US, it’s great to see this Wall St Journal story (reprinted in the Contra Costa Times) on large software buyers pushing for liability clauses in their contracts. “I’m paying the bill. Other companies are paying the bill,” says Ed Amoroso, AT&T’s […]
I have added a Choicepoint category, which is great if you want to see all my posts on Choicepoint on one long page, and I am no longer updating this roundup. I’ve been posting a lot on Choicepoint. I’ve done a number of roundup posts listing things I find interesting around the web, and a […]
Having already posted a Feb 28th roundup a day early, I was forced to think about a new title for today’s edition, and what better than the $16.6 million dollars that ChoicePoint CEO Derek Smith and President Douglas Curling have made selling 472,000 shares of CPS since the day before the first arrest in the […]
I accidentally published this too early, but given the nature of trackbacks, and other such privacy-invasive technologies, it’s too late. You know my secret. I accumulate and then (try to) post in the morning. Midnight Special asks “Where’s the accountability” and talks about government outsourcing and incentives in a well written post. Why Now has […]
Pete Lindstrom suggests: My proposal: List SSNs publicly. The Social Security Agency can notify all of its intent to publish all SSNs at some point in the future – enough time for organizations to absorb and react to this news. The net result is to eliminate the notion that perhaps SSNs are “secure enough” for […]
A group that wants to assist free speech in authoritarian nations is looking for a technically savvy person — a CTO or lead engineer type — who can do a short term study, possibly leading to a longer-term job. This is a paying gig for the right person. The project is intended, in its initial […]
Blah blah, Choicepoint blather blah.
Choicepoint doesn’t make an appearance in the June, 2003 Congressional testimony of Leonard Bennett, (or PDF), but the testimony is on how hard it is to get your credit files corrected with those companies that follow the Fair Credit Reporting Act. Given that Choicepoint believes that they don’t even have to do that, it will […]
As Choicepoint’s little error threatens to grow into a full-blown scandal, with Attorneys-General posturing, Congressional hearings, and daily press coverage in every state of the Union, it may be worth stepping back, and asking, “Why is this happening?” It’s not just the size of the exposure, both Bank of America and PayMaxx are larger. It […]
I wasn’t going to blog on BofA‘s little kerfuffle. But then Ian went and blogged about it, and I think he gets it partially right and partially very wrong. His actual conclusion is spot on: In order to share the information, and raise the knowledge of what’s important and what’s not, we may have to […]
Chris Walsh has a really good comment on yesterday’s roundup. HCS asks, was Choicepoint going to be the data provider for the new national ID card? Ed Bott finds that birds of a feather flock together: A company that falsely claimed that ICSA labs had certified their tool has an SSL certificate issued by everyone’s […]
Blog*on*Nymity looks really good. Thanks to Stefan Brands for the pointer. Reason has an article on firearms and civil rights.
This dialog box is modal. It has no “take me there” button. Even having taken notes, I couldn’t figure out how to follow the instructions. You can “clear formatting” and make spell checking work again. A double-feh at Redmond. I take back all the mean things I said about Firefox this morning.
So everyone seems to be accepting at face value the claim that Choicepoint was scammed by Olatunji Oluwatosin and colleagues not yet named. But let’s step back, and ask, was there a scam? Why did these folks need to cheat? Was it habit, or necessity? What was really needed to get a Choicepoint account of […]
David Akin says CIBC is getting sued for faxing information around. Prior posts are “Privacy Lessons from CIBC” and “Canadian privacy law & CIBC.” 19 days after the vulnerability was announced, Mozilla releases Firefox 1.01.
The Associated Press has a story “Burned by ChoicePoint breach, potential ID theft victims face a lifetime of vigilance” (actually, we all face a lifetime of vigilance, as these companies make buckets of money by gossiping about us.). The money quote: Many victims are dumbfounded by the dearth of federal and state laws aimed at […]
Roger McNamee has an article on how Sarbanes-Oxley is hurting public companies by making their guidance more conservative than it should be. It’s hard for executives to avoid providing some form of guidance – investors generally insist on it – but they have a big incentive to understate the outlook early in the fiscal year. […]
In Today’s Choicepoint Roundup, I mentioned that Richard Smith had found a number of issues with Choicepoint’s web sites. In discussion, Richard told me that the issues included (but were not limited to) robots.txt files and directory listings enabled. The robots.txt standard is a way to tell search engines “please don’t go here.” That’s useful, […]
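The robots.txt problem Richard Smith describes is that the file is an inventory of the paths a site least wants visitors to see, readable by anyone, and it is only a request, not an access control. The added example below (mine, not code from the original post or from Richard Smith) shows the check a practitioner would actually run: parse the Disallow entries, fetch each one, and flag paths that are reachable and, worse, return an auto-generated directory listing. The robots.txt text, the host `example.com`, the responses and the `fetch` callback are all constructed samples; nothing here touches the network or any real site.

```python
"""Added example: audit which robots.txt 'Disallow' paths are actually reachable,
and which of those expose a directory listing. All inputs are constructed
samples (placeholder host example.com); no network requests are made."""
import re
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin

# Constructed sample robots.txt; not from ChoicePoint or any real site.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/        # comments are allowed in robots.txt
Disallow: /backup/
Disallow: /cgi-bin/old/
Allow: /public/
Sitemap: https://example.com/sitemap.xml
"""

# Constructed sample responses keyed by path: (HTTP status, body).
SAMPLE_RESPONSES: Dict[str, Tuple[int, str]] = {
    "/admin/": (403, "<html><body>Forbidden</body></html>"),
    "/backup/": (200, "<html><head><title>Index of /backup</title></head>"
                      "<body><h1>Index of /backup</h1>"
                      "<a href='db.sql.gz'>db.sql.gz</a></body></html>"),
    "/cgi-bin/old/": (200, "<html><body>Welcome to the old CGI area</body></html>"),
}


def disallowed_paths(robots_txt: str) -> List[str]:
    """Return every Disallow value across all User-agent blocks, de-duplicated,
    in file order. An empty Disallow ('allow everything') is skipped."""
    paths: List[str] = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()      # strip trailing comments
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        if field.lower() == "disallow" and value and value not in paths:
            paths.append(value)
    return paths


# Markers emitted by Apache mod_autoindex, nginx autoindex and IIS browsing.
_LISTING_RE = re.compile(r"<title>\s*Index of\s|<h1>\s*Index of\s|Parent Directory", re.I)


def looks_like_directory_listing(body: str) -> bool:
    """Heuristic: does this HTML body look like a server-generated index page?"""
    return bool(_LISTING_RE.search(body))


def audit(robots_txt: str,
          fetch: Callable[[str], Tuple[int, str]],
          base: str = "https://example.com") -> Dict[str, str]:
    """For each Disallow path, classify it as 'blocked' (non-200), 'listing'
    (200 and an auto-index page) or 'reachable' (200, ordinary content).
    `fetch(url)` must return (status, body); a real run would wrap requests."""
    report: Dict[str, str] = {}
    for path in disallowed_paths(robots_txt):
        status, body = fetch(urljoin(base, path))
        if status != 200:
            report[path] = "blocked"
        elif looks_like_directory_listing(body):
            report[path] = "listing"
        else:
            report[path] = "reachable"
    return report


def sample_fetch(url: str) -> Tuple[int, str]:
    """Offline stand-in for an HTTP client, answering from SAMPLE_RESPONSES."""
    path = url[len("https://example.com"):]
    return SAMPLE_RESPONSES.get(path, (404, ""))


if __name__ == "__main__":
    for path, verdict in audit(SAMPLE_ROBOTS, sample_fetch).items():
        print(f"{path:15s} {verdict}")
```

Run it and the three entries come back as `blocked`, `listing` and `reachable` respectively. The `listing` verdict is the one worth acting on: a Disallow entry that robots honour but that serves an index page to anyone else is exactly the “please don’t go here” sign that tells an attacker where to go. The fix is server side (disable autoindex, put real authorization on the path), not a longer robots.txt.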
This Concealed I conference in Ottawa March 4-5 looks really good. Bob Dylan joins the cypherpunks in skipping Woodstock for his trig homework: “I wouldn’t even think about playing music if I was born in these times… I’d probably turn to something like mathematics.” (NME, via Scrivner.) Who did this: Privacy Enhancing Technologies, May 30-June […]
The Privacy Rights Clearinghouse has an extensive sheet on what to do if you’re a victim of Choicepoint’s failure to secure data. SoftReset calls for banning the use of SSNs for non-government purposes. I take a slightly more moderate view: Anyone using the SSN is already subject to GLB liability. Random Thoughts on Politics comments […]
There seems to be a bit of a spat going between PayMaxx, and ThinkComputer (who may have the worst web site I’ve tried to view in a long time). As documented by Robert Lemos at Ziff-Davis: Greenspan, a former PayMaxx customer, said he discovered the alleged problems in the company’s system more than two weeks […]
Back in October, I asked, “where’s the 8-in-1 media reader to take photos directly from your camera.” From today’s Apple press release: The new iPod Camera Connector is an optional accessory that enables customers to connect their digital camera to iPod photo and import their photos into the iPod. By simply connecting the iPod Camera […]
I remember when I was in college, discussing what we’d do if we discovered we had a terminal disease. Being college students, there were lots of ways to maximize short-term fun before the disease ate you. The game theory folks talk about “the long shadow of the future,” the idea that cooperation can be rewarded […]
Google is running an ad when you search on Choicepoint: “ChoicePoint letter says your identity stolen? Learn your rights. www.jameshoyer.com” On clicking through, it’s just a form, asking someone to contact you. Renaissancemen has a good roundup, including the fact that only 5% of perpetrators are arrested, and a pointer to Kevin Drum arguing for […]
Enter ChoicePoint’s two-building campus in Alpharetta, and you get the feeling you are being watched. starts a new story at the Atlanta Journal-Constitution. (Use Bugmenot to login.) It’s sort of ironic. Choicepoint is focused on identifying people, rather than identifying behavior that leads to trouble. They figure once you have an account, they want you […]
Third, this may be all moot if the government takes the easy step of giving citizens a passport cover made of aluminum foil. According to one article “Even Schneier agrees that a properly shielded passport cover should solve the problem. He wonders why this wasn’t included in the original plans for the new passports.” writes […]
At RSA, I didn’t get a demo, but did talk to John Brainard of RSA about i-Mature, a fascinating biometrics company. There’s been some discussion on Interesting People. Vin McClellan discusses the tech, Seth Finkelstein maps their web site, reporter Andy Sullivan plays with one, Lauren Weinstein on probable attacks, Herb Lin on the limits […]
Ryan Singel has a good post on chipped passports: Bailey is right that the new passport will be harder to forge with the inclusion of RFID chips, especially since the chip would be digitally signed to prevent changes to the data in the chip. That’s a solid security measure. But, the chips create a new […]
Sending people to jail for expressing their opinions is wrong. In the west we’ve understood why it was wrong since John Stuart Mill wrote On Liberty. So please, for the betterment of Iran, and the entire world: Mojtaba and Arash are Iranian bloggers jailed for their ideas. What ideas is almost not relevant. Even if […]
One of the best bits at RSA was at the HP booth. Marc Stiegler, Alan Karp, Ka-Ping Yee and Mark Miller have created Polaris, a system for isolating and controlling untrustworthy code on Windows. The white paper is here. It’s very simple, easy, and looks like a winner. I hope they find a way to […]
One of the ironic bits about the RSA conference was the wireless network. Your username was your email and the password was on your badge. However, I had trouble logging in, so they gave me this username and password. I’m pretty sure that they didn’t record who I was as they did it. Even once […]
Hunter S. Thompson killed himself last night. While I enjoyed his books, for me, his ultimate work wasn’t reading about times I hadn’t experienced, but when his writing was live and raw, about the day, when he wrote the definitive obituary of Richard Nixon. He’s gone, and I am poorer for it.
After RSA, some friends and I went up to Russian River. I was looking at some old maps at the Quivira Vineyard, and the caption under one said “The author of this map is believed to have had access to Drake’s secret maps.” Today, large scale maps of everywhere are easily available. But there […]
Max Dornseif asserts it’s easy to find bugs. (Perhaps even easier than figuring out trackbacks for his blog?) In an article in ACM Queue, Ioannis Samoladas, Ioannis Stamelos, Lefteris Angelis, Apostolos Oikonomou examine some measures of code quality between open and closed source apps.
Apple has made available a set of “Common Criteria” tools. The “evaluation” page is here. The evaluation criteria is “EAL 3, CAPP, version 1.d, October 8, 1999.” (The README is a bit better.) If anyone would care to explain to me what I’ve just said, or, really, what the tools package does, I’d be much […]
Jack Koziol has a long post on security issues with T-Mobile’s web site. (Via /.) Did you know that Google’s “Dissatisfied? Help us improve” link only appears on the first page of a search? That’s fascinating–they expect their search to be so good that they get what you want on page 1, and you’ll complain […]
Eric Rescorla discusses this account: Officer Primiano expressed extreme frustration with me as soon as I began speaking of my rights to photograph in public places. She wanted to debate the wisdom of my taking pictures and asserted that in the wake of the Sept 11th attacks on our country, I should be more interested […]
See Taosecurity, on IDS and Choicepoint, and this choice excerpt from Reuters, relayed by Dave Evans at Corante’s Online Dating: U.S. investigators notified the company of the breach in October, but ChoicePoint did not send out the consumer warnings until last week. It’s fascinating that the company didn’t detect the breach, and that they seem […]
The Atlanta Journal Constitution (use Bugmenot) reports: “We know that there is a national number that is much larger than that,” said Lt. Paul Denny of the [Los Angeles County] sheriff’s department. “We’ve used the number 400,000, but we’re speculating at this point.” Executives at ChoicePoint, which maintains one of the largest databases of personal […]
Ed Felten has a great post today, asking “How Competitive Is the Record Industry?” How can we tell whether the record industry is responding competitively to DRM? An interesting natural experiment is about to start. MP3Tunes, a new startup headed by serial entrepreneur Michael Robertson, is launching a new music service that sells songs in […]
I liked how my previous post on this subject read. It was very positive, and I like being positive about the future. (I’m not very good at it.) However, there’s a contrast which needs to be drawn, between the way Yemen (Yemen? Yemen!?!) is handling some prisoners and the way the US is handling some […]
Choicepoint is a large credit bureau who denies being one. Yesterday, MSNBC reported that “more than 30,000 Californians” had been notified of problems. Now, no one opts-in to Choicepoint. No one can opt-out. They maintain files on you without your knowledge or permission. Now we know that at least 30,000 people were put at risk […]
The “Real ID” act is likely to get written into law, in two ways. First, it will pass the Senate, and be signed into law. Second, it will be one of the best examples of the law of unintended consequences in a long time. The bill would force states* to fingerprint people, and do various […]
Michael Froomkin applauds those “Military lawyers at the Guantanamo Bay terrorist prison tried to stop inhumane interrogations, but were ignored by senior Pentagon officials.”
Over at POSIWID, Richard comments on airline security, with some economic analysis of bad security and why it stays around. (I think I don’t like his title, preferring ‘systems are maintained for what they do,’ which gives more credit to the emergent qualities of systems, but I digress.) He accurately assesses some positives of the […]
By reading this post, you agree not to do anything to get the author or Dave Eggers in trouble, even if those actions that lead to trouble are entirely their own, and you’re just commenting on them, even in a sort of approving way that happens to continue the unfortunate chain of events that were […]
Recently, Slate had an article on how to alter your boarding passes and bypass the silly watch lists. It was picked up by BoingBoing, and it turns out that Bruce Schneier talked about it 18 months ago. Recently, I was talking to a friend who started telling me about…how to alter your boarding passes. What […]
Microsoft has come out swinging against researchers who publish code: Microsoft is concerned that the publishing of proof-of-concept code within hours of the security updates being made available has put customers at increased risk. A common practice among responsible researchers is to wait a reasonable period of time before publishing such code. This generally accepted […]
I’ve recently finished Charlie Wilson’s War, which Jeff Moss suggested to me. Charlie Wilson was a Congressman from Texas. Gust Avrakotos was a CIA officer. Together, they conspired to get hundreds of millions of dollars funneled to the Afghanistan resistance. The story is simply astounding–at times you think this can’t be true, but it all […]
This was first created in December 2004’s Intelligence bill, loosely called the Patriot II act because it snuck in provisions like this without the Representatives knowing it. The deal is basically a no-option offer to the states: either you issue all your state citizens with nationally approved cards, or all federal employees are instructed to […]
NPR is reporting that The Bush administration is seeking to justify the imprisonment of an American citizen using secret evidence. The Justice Department has asked a federal judge to throw out the case based on evidence that is being withheld from the man’s lawyers. Perhaps we could trade judges with Yemen. (Via Hit & Run.) […]
Bruce Schneier has a nice article on the risks of e-commerce sites that make you establish an account, rather than just giving them money. Pete Lindstrom has an article in Information Security magazine about security metrics. Roger McNamee has an insightful post at his new blog about the importance of self-awareness generally. It’s especially applicable […]
Gunnar Peterson (who has a new blog) points to the public release of the worksheets from “Mission Critical Security Planner.” I haven’t read that book, but the worksheets look like useful planning documents.
I believe that the Wahhabi-inspired terrorist strain of Islam represents a great material danger to the ideals of liberty and equality, as well as to free inquiry and science. (The state’s response to this danger also creates a great threat to those goods.) It is thus a pleasure to see a Yemeni judge taking to […]
higB at secureme has good advice for presenters at security cons. Ian G has a good post explaining that government only illegally links their databases when they want to, not when it could help the citizenry. No privacy story is ever truly complete without a tool of the man talking out both sides of their […]
At Shmoocon, Crispin Cowan, Ed Reed, Al Potter and I ran a BOF entitled “Evidence Based Security.” The feedback I got from the audience was all positive. I was hoping that things would have gone more towards the question of what is good evidence, and how you evaluate questions, but that’s the joy of you […]
Wachovia said that, overall, 86 statements or tax forms were mistakenly sent to Pirozzi, including information on 73 individuals. Pirozzi said the number of pieces of mail was significantly higher, closer to 140. … Pirozzi tried desperately to get the problem fixed once the first batch arrived last spring, but he says that no one […]
Normally, I try hard to bring you only the freshest news. This has been all over the blogosphere, but I can’t resist: Slate on bypassing airport ID checks. [Other commentary on why they’re bad in the “air travel” category of this blog. Are you listening, David Nelson?]
Stefan Brands has a new blog. Stefan is not only one of the top two or three folks in the world in privacy enhancing cryptography, but he writes eloquently about the social reasons privacy is important. We worked together at ZKS, and I’m very sad we didn’t get further selling his technology. I look forward […]
JihadWatch is upset because (9/11 hijacker) Nawaf Alhazmi got a CA drivers license with a fake SSN. But so did 184,000 other people, most of whom have not turned terrorists. Perhaps we should focus on things other than SSN fraud in tracking down terrorists?
Max Dornseif has a post titled “Top 18 Papers in Information Security,” with 28 papers. But who’s counting? It’s a fascinating exercise, and I’m glad to see papers from Phrack. I’d suggest that they define top: Most influential? Most cited? Most important? I do think that no paper which isn’t available to the public via […]
I’m at Shmoocon, and trying to liveblog a little. There’s network trouble, so it may not quite be live. I’m at Tina Bird’s talk on patching, and she mentioned that in the Teragrid attack, the attackers were hitting supercomputer centers, and there’s some evidence that they were 1) using 0day and 2) using the big […]
For some reason, enemies of Václav Havel want him to waste his astounding moral authority by becoming Secretary General of the UN. I prefer he remain a private citizen, where there is nothing to hold him back from this most elegant dressing down of the European Union: I vividly remember the slightly ludicrous, slightly risqué […]
There’s a new blog, from a fellow claiming to be the CEO of a public company, experimenting with blogging. Welcome! In his second post, he responds to the WikID Thoughts, Emergent Chaos, Financial Crypto series on IT breaches, calling it an example of “IT Propaganda.” I love the ‘IT propaganda’ phrase–one of the themes that […]
Ian Grigg and I have a letter to ICANN about Verisign. See his post. Eric Rescorla has a Kafka-esque excerpt from the “trial” of Mustafa Ait Idr, who wasn’t allowed to see the evidence against him. Mort points me to US Senate Bill 166116, introduced by Dianne Feinstein, making it a crime to sell social […]
Martin Pool says “gcc makes my day.” If the sentence “Generate traps for signed overflow on addition, subtraction, multiplication operations” means anything to you, read his post. (I’ve discussed gcc in the past here.)
Nude Cybot, in an email in which he promises to emerge soon, presumably to be exceptionally cold, mentions that folksonomies have hit Wired News. The Wired article points out that there are more “cat” (16,297) tagged images than “dog” (14,041) in Flickr. But the conclusion they draw from this, “If the photo-sharing site Flickr is […]
Two posts this morning grabbed my attention. They are “Hide Your Ipod, Here Comes Bill,” (at Wired) and “Sanyo asks workers to buy goods to ease loss” (Hindustan Times via BoingBoing.) In a presentation at Belisarius.com, Chet Richards applies Boyd to business. One of his suggestions, which isn’t new, is to get inside the mind […]
The Sarbanes-Oxley act is driving up the costs of being a public company. It’s driving up both direct costs, in terms of investing in assurance technologies, audit, and new processes to produce (slightly) more reliable accounting. But much more important, it imposes a highly risky cost on CEOs and financial officers who must sign off […]
Uncle Sam is trying to restrict basic research. This approach comes from such a foreign orientation I’m not even going to comment. Jeremiah Grossman has an article on easy things to do to protect your locally developed application. I still think you should look at your code, but that’s still unfortunately expensive and difficult. Finally, […]
Put bluntly, the law of obscenity, no matter how longstanding, has never satisfied constitutional requirements, and it never will. Finally, a judge has been brave enough to say as much. This opinion is notable for that reason – and for Judge Lancaster’s novel approach. His opinion attacks the obscenity laws on privacy grounds – and […]
Bruce Schneier talks about the Secure Flight being an improvement over the current watchlist system, but can’t give us details. The new system will rely on more information in the reservation. But if we don’t have that more information on the person on the watchlist, what will happen? Eg, if there’s no known birthday for […]
Chapell points out a very interesting correction at the top of this Seattle Times story: A previous version of this story on Tukwila firefighter Lt. Philip Lyons being charged with first-degree attempted arson incorrectly stated that police reports indicated he had used his Safeway Club Card to purchase 16 fire-starters between June and August. Lyons […]
Some moving blog posts from Iraq include Hammorabi, Messopotamian, and Iraq the Model The first thing we saw this morning on our way to the voting center was a convoy of the Iraqi army vehicles patrolling the street, the soldiers were cheering the people marching towards their voting centers then one of the soldiers chanted […]
In tomorrow’s elections. I have to say that despite a great deal of skepticism in the feasibility, and disappointment over the execution, of Bush’s vision for the Middle East, it represents the one of the core American beliefs. Lincoln called the ideas of democracy the last, best hope of mankind, and in that, he was […]
Aaron Swartz has produced a link generator for the New York Times. It takes a URL and makes it archival, so that it doesn’t expire, and you should be able to visit it after two weeks are up. It’s a lazy Saturday afternoon; Atlanta is shut down by the half inch of snow that fell […]
Dave Aitel has a new presentation (“0Days: How Hacking Really Works“) on what it costs to attack. The big cost to attackers is not vulnerability discovery, but coding reliable exploits. (There’s an irony for you: Attackers are subject to the same issues with bad software as their victims.) The presentation is in OpenOffice format only […]
Gore Vidal has a few choice words about the President’s Inaugural address, at DemocracyNow. A Russian company, MaxPatrol, has published a paper on bypassing heap and stack protection for Microsoft Windows XP with SP2. Winterspeak has an interesting summary of Iraq: The big bet that President Bush placed all these months ago, the bet that […]
Longtime security and privacy researcher Richard M. Smith tells Farber’s IP list about Philip Scott Lyons, a Tukwila, Washington firefighter. Lyons was accused of arson because he’d bought the same type of fire starters at Safeway. Or, that’s what Safeway’s “Club Card” records show. How or why they were obtained isn’t clear. The charge was […]
A group at Johns Hopkins and RSA security have interesting new attacks on the RFID chips used in Mobil Speedpass. They’ve put up a web site at http://www.rfidanalysis.org, and gotten some press at the New York Times. [Edited 29/4/2017 to unlink RFIDanalysis.org because Google claims its distributing malware.]
I’ve just stumbled across this abstract comparing full-text searching to controlled vocabulary searching. The relevance to Clay’s posts on controlled vocabularies is that our intuitive belief that controlled vocabulary helps searching may be wrong. Unfortunately, the full paper is $30–perhaps someone with an academic library can comment. …In this paper, we focus on an experiment […]
Lessig discusses what democracy looks like in Brazil: I remember reading about Jefferson’s complaints about the early White House. Ordinary people would knock on the door, and demand to see the President. Often they did. The presumption of that democracy lives in a sense here. And you never quite see how far from that presumption […]
Over at The CounterTerrorism Blog, Andrew Cochran accuses Riggs Bank of being “the Arthur Andersen of banking.” Riggs is apparently pleading guilty to violating the Bank Secrecy Act, by “failing to file reports to regulators on suspicious transfers and withdrawals by clients.” I’d like to address the comparison to Arthur Andersen, and through that lens, […]
Scrivner writes about the perverse nature of the AMT. Chuck Spinney at D-N-I asks “Is America Inside Its Own OODA Loop?” The article contains some very clear writing on the meaning of orientation, and applies that idea: He showed why the most dangerous internal state of an OODA loop occurs when the Orientation process becomes […]
Best practices look at what everyone else is doing, crunch numbers—and come up with what everyone else is doing. Using the same method, one would conclude that best practices for nutrition mandates a diet high in fat, cholesterol and sugar, with the average male being 35 pounds overweight. Writes Ben Rothke in a short, incisive […]
In comments on a my post yesterday, “I Am So A Dinosaur“, Ian asks “Has anyone modelled in economics terms why disclosure is better than the alternate(s) ?” I believe that the answer is no, and so will give it a whack. The costs I see associated with a vulnerability discovery and disclosure, in chronological […]
…and I was one before it was cool. Crit Jarvis responds to my comment that my views on disclosure have ossified by claiming that I’m evolving. The trouble is, I have documented proof it’s not true. From my homepage: Apparent Weaknesses in the Security Dynamics Client Server Protocol. This paper was presented at the DIMACS […]
I’ve been posting a fair bit about Boyd. Boyd wrote very little. Most of his communication was in the form of briefs. At least two of you have publicly admitted to getting the slides, and, if you’re like me, struggled with the form of the presentation: A scan of a typed, hand-annotated presentation book. There’s […]
In responding to a question I asked yesterday, Ian Grigg writes: In this case, I think the market is responding to the unknown. In other words, fear. It has long been observed that once a cost is understood, it becomes factored in, and I guess that’s what is happening with DDOS and defacements/viruses/worms. But large […]
SecurityFocus has a new article on blind buffer overflows. I’m glad these techniques are being discussed in the open, rather than in secret. Julian Sanchez has the perfect comment on Congressman Dreier’s new national ID plan, at Hit & Run. And finally, don’t visit this Looney Tunes site if you’re busy. (Via Steven Horowitz at […]
Nick Owen posts about the stock valuation impact of security breaches. This UMD study found that a firm suffering a breach of ‘confidential information’ saw a 5% drop in stock price while firms suffering a non-confidential breach saw no impact. I read it as the market over time learning the difference between a DOS attack […]
Dr. David Ozonoff, a professor of environmental health at the Boston University School of Public Health who originally supported the new laboratory but now opposes it, argues that biodefense spending has shifted money away from “bread-and-butter public health concerns.” Given the diversion of resources and the potential for germs to leak or be diverted, he […]
CIO Magazine has an article “Riding The California Privacy Wave,” reviewing California’s new and pending privacy laws. There’s bits I wasn’t aware of, such as SB 168, preventing “businesses from using California residents’ Social Security numbers as unique identifiers.” There’s a slew of new laws in California, a great many of which affect IT […]
In his latest post on folksonomies, Clay argues that we have no choice about moving to folksonomies, because of the economics. I’d like to tackle those economics a bit. (Some background: There was recently a fascinating exchange between Clay Shirky and Louis Rosenfeld on the subject of taxonomies versus “folksonomies,” lightweight, uncontrolled terms that users […]
Memento is an application that helps you find web pages you’ve stumbled across and forgotten where the site is. It does this by searching the cache (copies that Safari keeps locally). Very cool, and free.
I first met David Akin when he was covering Zero-Knowledge Systems, where I worked. David was always insightful, and even when he thought he saw us blowing smoke, he was pleasant about it. So I’m both disappointed and excited to see that he “will join CTV’s Ottawa bureau as a Parliamentary Reporter.” I sincerely hope […]
Richard Bejtlich comments on a new “@RISK: The Consensus Security Alert“, which starts: “Prediction: This is the year you will see application level attacks mature and proliferate.” He says: You might say that my separation of OS kernel and OS applications doesn’t capture the spirit of SANS’ “prediction.” You might think that their new warning […]
Phrackstaff is pleased to bring you _our_ LAST EVER CALL FOR PAPERS for the FINAL RELEASE of PHRACK. … Since 1985, PHRACK MAGAZINE has been providing the hacker community with information on operating systems, network technologies and telephony, as well as relaying features of interest for the international computer underground. PHRACK MAGAZINE is made available […]
I’m excited to be a part of the ACM’s 2005 Computer and Communication Security Conference, which has an Industry Track this year. We’re working to foster more interplay and collaboration between industry, the public sector, and academia: The track aims to foster tighter interplay between the demands of real-world security systems and the efforts of […]
Dave Wheeler has a new article out “Call Components Safely.” Developers should take a few minutes to read it.
…Iran’s supreme leader, Ayatollah Ali Khamenei, told Muslims making the annual pilgrimage to Mecca that Rushdie was an apostate whose killing would be authorised by Islam, according to the Iranian media. How very reassuring and level-headed of the British to respond by saying: The Foreign Office said: “The key thing from our point of view […]
I met Gunnar Peterson after attending one of his talks at BlackHat. It was very well done, and it looks like he’s now offering longer versions. If you’re concerned about the security of your software, and want to improve your development process, you should consider this. If you produce software, and aren’t concerned about the […]
Rob Slade reviews security books. No, more generally, Rob Slade points out in excruciating detail the flaws in security books. So when he I misread a post from ISN and think it says Slade, rather than Rothke, I look like a real fool who can’t find the flaws in my own writing. Really, Ben Rothke, […]
Cory Doctrow points to a letter he’s sent American Airlines about The security officer then handed me a blank piece of paper and said, “Please write down the names and addresses of everyone you’re staying with in the USA.” and his Kafka-esque experience in trying to find out why they were asking. Good on Cory […]
When I was getting into computer security, back in the dark ages, when Nirvana was releasing albums, hacking was an art. It was passed along in hard to find text ‘philes’, which were a mixture of technology and philosophy. 2600 Magazine remains an example of this sort of old-school hackerdom. The world-view that accompanied the […]
Lately, I’ve been complaining that Keynote still can’t export to the web. Now, I’ve been remiss in ensuring all of my writing is in HTML. I’ve been slowly going back and converting things, as I have a few minutes, or as I want to link to something I’ve said. Today, in posting a comment to […]
Nick Owen has a new corporate blog up. His very first post is “Why ROI is a crappy measure for Information Security.” I look forward to more.
Well, for the sake of our non-Canuck visitors, a brief primer is in order. The post 1960’s Canada can be better described as Trudeaupia – a progressive-era dream that just kept on chugging along. The stage in our history where good liberals had become bad Liberals and were well past the point of no return. […]
A friend wrote to T-Mobile and asked if his data was compromised in the T-Mobile break-in. A service droid sent him a press release. My comments are pointed to by the brackets. Customer, Please see the press release below regarding the hacker investigation with T-Mobile’s customer information. If your information was compromised you would have […]
The Symposium on Usable Privacy and Security will be July 6-8 at CMU: The Symposium on Usable Privacy and Security (SOUPS) will bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy. The program will feature refereed papers, tutorials, a poster session, panels and invited talks, and discussion sessions.
The Globe and Mail has a good story on how copyright law is preventing the re-release of “Eyes On the Prize:” The makers of the series no longer have permission for the archival footage they previously used of such key events as the historic protest marches or the confrontations with Southern police. Given Eyes on […]
Devosquared has a new release of PowerCard. If you need project management, check this out. It fixes a “bug” where you couldn’t mark days as “weekend.” As a startup person, I’m not sure why that needed fixing, but maybe it matters. Apple has announced a new release of Keynote, which still can’t export to the […]
There’s a fascinating and moving article in the New York Times about how elements of Ukrainian intelligence aided Yushchenko in his bid to overturn the first, fraudulent election: Whether the collaboration was a convergence of political aims, or a pragmatic understanding by the siloviki that Mr. Yushchenko’s prospects were rising, is subject to dispute. Yulia […]
In a comment yesterday, Chris Walsh said: In any case, this should not be a difficult nut to crack, in principle. The US government conducts surveys of businesses all the time, and is capable of obtaining quality samples and high response rates in which academics justly have confidence. In theory, I agree with Chris. In […]
These heroic students have made many sacrifices in the name of IngSoc. They stand as a stirring example to us all. They have denounced the crimes of Davis Sos, who promised over 100 IngSoc posters, but have shirked their duty, and squandered the money provided to them. Those students are now hard at work being […]
In what they hope will become the premier measure of national cybercrime statistics, officials at the Homeland Security and Justice departments plan to survey 36,000 businesses this spring to examine the type and frequency of computer security incidents. This is a really exciting development. DHS seems to be taking a good approach, and in a […]
Microsoft MapPoint helpfully suggests this scenic route from Haugesund, Rogaland, Norway to Trondheim, Sør-Trøndelag, Norway, when asked for the quickest. This route may well be the quickest that includes England, France, Belgium, the Netherlands, Germany, Denmark, and Sweden. James Tyre (who credits David Flint) told Eugene Volokh.
Chapell nails the “why you might have nothing to hide, but hide anyway” angle: Even more troubling is the possibility that the person whose DNA was inside this woman may very well have had nothing to do with the crime. But rest assured, that won’t matter to the hundreds of police, FBI, press, and other […]
The LA Times has a story on Jacobsen, the hacker, and the AP has a story with more technical details. The Infosec Potpourri blog has some analysis of the AP story.
Hao Chen, Drew Dean, and David Wagner have a paper of that name in Proceedings of the 11th Annual Network and Distributed System Security Symposium (NDSS), pages 171–185, San Diego, CA, February 2004. Hao Chen’s papers page has powerpoint, PDF and PS, as well as this abstract: Implementation bugs in security-critical software are pervasive. Several […]
The New York Times reported yesterday that the White House fought for the CIA’s right to torture. In a letter to members of Congress, sent in October and made available by the White House on Wednesday in response to inquiries, Condoleezza Rice, the national security adviser, expressed opposition to the measure on the grounds that […]
Scrivner points out a basic lack of agreement amongst the pundits: Damn that Bush, cleverly whipping up this fantasy of a threat to scare people into voting for him. … Damn that Bush, ineptly bungling America’s defense against the most dangerous threat Ian has a post about Ron Paul trying to ban the government issuance […]
Over at the Volokh conspiracy, Jim Lindgren writes: Crichton then describes scientific consensuses that turned out to be wrong. I don’t think that there is anything wrong with talking about the consensus of scientists or social scientists (and I certainly do so myself), but one must remember that it is the quality of the evidence […]
The conference, not the blog, is now accepting registrations. The program looks really good this year.
I saw Hotel Rwanda this weekend. It’s a true story of a hotel manager who saved over 1,000 people from genocide. If you’ll allow me a moment of disgusted sarcasm, I look forward to the sequel, Hotel Darfur, now in pre-production. The story is the same: No one is bothering to intervene in African genocide, […]
A sophisticated computer hacker had access to servers at wireless giant T-Mobile for at least a year, which he used to monitor U.S. Secret Service e-mail, obtain customers’ passwords and Social Security numbers, and download candid photos taken by Sidekick users, including Hollywood celebrities, SecurityFocus has learned. … T-Mobile, which apparently knew of the intrusions […]
Stefan Geens has a long post on why SixApart’s TypeKey system is not a good solution to blog spam. He points out that the system has bad economies of scale: Here too, the spammer needs to sit down, get a key, pretend to be human for a minute and behave until he gets a comment […]
The Supreme Court has just heard a case, Tenet vs Doe, over promises allegedly made to spies: Two former Soviet-bloc diplomats recruited to spy for the CIA during the Cold War say the agency later reneged on promises to compensate them for the dangerous missions they performed. The husband and wife team are bringing this […]
In responding to my comments about Truro’s DNA dragnet, with a fascinating discussion of signaling, Eric Rescorla writes: Even if they’re not the perp, they may have other reasons not to have their DNA collected–for instance they’ve committed another crime that their DNA might match to. (The police say they’re only going to use the […]
“In a very deep sense, you don’t have a self unless you have a secret, and we all have moments throughout our lives when we feel we’re losing ourselves in our social group, or work or marriage, and it feels good to grab for a secret, or some subterfuge, to reassert our identity as somebody […]
In a post to the patch management mailing list, Jay Woody mentions Threatcode, a site dedicated to tracking and shaming badly written code. Cool! I wish the site was a little easier to read, but nice going!
The “back” button in Safari is way too close to the “close” button. Safari would be a much better browser if there was an option to not close (or confirm closing) the window if there are multiple tabs open. Bugger it!
Scrivner has another great post, this one to a study at Virginia Commonwealth University. (My link is to the study, not the press summary Scrivner links.) The press summary claims that rubbernecking accounts for 16% of accidents, looking at scenery or landmarks 10%, while cell phones account for only 5%. Clearly the answer is to […]
The city of Truro, Massachusetts is trying to collect DNA from all 790 residents to solve a crime, reports the New York Times. It’s not clear why they believe that residents are more likely to be the criminal than non-residents, and it is clear that they don’t get the 4th amendment, against dragnet searches, or […]
Simson Garfinkel announces a new article analyzing the security of Skype. JihadWatch comments on a story on NPR yesterday, bemoaning the descriptivist reality that Jihad is now used to describe violent acts of terror. I heard this story on the radio, and the commentator’s prescriptivist bias of “Darn it, this is what the word means!” […]
Scrivner points out that the airlines, masters of price discrimination are giving up: In response they’ve become perhaps the world’s most expert practitioners* of price discrimination, mastering the art of charging the business traveler $1,000 more than the tourist in the next seat in exchange for a short-notice booking with few restrictions. But even that […]
Yesterday, I commented that Ryan Singel, in his review of Robert O’Harrow’s* new book, had an Amazon tracking URL. I was mostly noting the irony of aiding tracking in a post titled “Pay Cash for This Book,” but Ryan comments: “it got me to thinking that this site has no privacy policy.” Not to pick […]
Until I read John Gruber’s latest Daring Fireball on “The Rumor Game,” I was firmly in the “Apple is being Ridiculous” camp, and “Apple is chilling free speech” camp. The essence of the story is Apple is suing a rumors site because they’re leaking product details. What Gruber points out, and a quick Google search […]
The Wall Street Journal posted this table today, in an article on how risks are presented. Note the lack of a time scale. Is that a lifetime risk of a heart-attack? Are there lifetime stats for Vioxx takers? How does that risk compare to the risk of winning the lottery? Those odds are (I’m guessing) […]
Ryan Singel reviews Robert O’Harrow’s new book, No Place To Hide. O’Harrow covered the CAPPS-II and other privacy stories for the Washington Post. In the spirit of the story, I’ve left the little tracking bits from Ryan’s Amazon URL. If you’d like a less tracked version, click here, or type the title into Amazon. There’s […]
I need project management software for a small project (20-50ish tasks, 8-10 people come and go and need to be assigned tasks.) I’d like software that will assign resources to time blocks, handle dependencies, and be easy to use. I’ve spent the morning testing apps, going until I found something either I or the software […]
In a comment, Ian Grigg asks, “I haven’t got to the modern stuff yet, so quite what he has to say that is currently relevant eludes me for now.” Over at Defense and the National Interest, there’s an article that draws heavily on Boyd: In a new briefing [1.7 MB PPT], three retired officers—each hailing […]
Adam Laurie and company continue to not release code for their Bluetooth attacks, and vendors continue not to fix them. Are we better off, with millions more Bluetooth devices out there? Do we expect that there will be no release of code, and that without POC code, we’re safe? Bluetooth is different from internet vulns, […]
Ed Felten announced a “Clip Blog,” of short articles with no or small comments. Hmmm. Neat idea. Ian Grigg gives us his thoughts on the Abagnale controversy: [Clausewitz] said something to the extent of “Know yourself and you will win half your battles. Know your enemy and you will win 99 battles out of a […]
John Boyd was arguably the best fighter pilot in American history. While at the Air Force Fighter Weapons School, he was not only undefeated, he won every fight so fast he was known as “Forty Second Boyd.” While there, he wrote the “Aerial Attack Study,” which transformed the study of fighter combat from an art […]
Eric Rescorla has two good posts on screening at Educated Guesswork. I’d still like to expand the range of questions, and ask, is intense personal screening effective or needed? Can we use air marshals, different aircraft designs, and armed pilots so that we don’t need to compare rub-downs to millimeter-wave xrays?
Much as I hate blogging anything from Slashdot, Why the Space Station Almost Ran Out of Food is great. (The previous crew had permission to borrow the current crews’ food, but didn’t record how much they’d eaten.) Maybe they could get jobs working for the Social Security administration. John McWhorter has a new book out, […]
The study, published in the January issue of the journal Emerging Infectious Diseases, concluded that the estimated $7.55 million spent on [SARS] screening at several Canadian airports failed to detect one case of the disease. … “Sometimes what seems like a reasonable thing to do doesn’t turn out that way,” the report’s lead author, Dr. […]
Buried in this story about tracking illegal immigrants is the interesting item that as of early 2003, of 6,000 Muslims who absconded within the US after being told to leave the country, only 38 percent had been found. That left over 3,500 still at large. How many have been caught since then? Where are the […]
So, we have a security signal that’s available, but not used. Why might that be? Is the market inefficient, or are there real limitations that I missed? There are a few things that jump to mind: Size of code issues. More code will produce a longer report. RATS produces a line count, but doesn’t issue […]
I’ve been debating if I should respond to this idea of unlimited searches of Muslims again, and realized that there’s a perhaps interesting analogy. JihadWatch quotes an AP story BUFFALO, N.Y. — An Islamic civil rights group Wednesday accused U.S. border agents of religious profiling after dozens of American Muslims were searched, fingerprinted and photographed […]
Cory points to another example of anti-consumer activity, this time Apple disabling the high quality audio-in on the ipod. How to fix it at Hack-a-day. Also via Hack-a-day is the paper Enigma machine Scrivner discovers that Uncle Sam admits to cooking the books, in a way that the SEC would never tolerate from a public […]
Cory Doctrow posts a delicious rant against Wired’s review policy here. Unfortunately, he fails to stress what I think is the point. Wired is writing reviews. Those reviews are supposed to be impartial. Whatever you may think about DRM, it is clearly an important mis-feature of a product which you may buy. Informed reviewers, […]
I’ve always believed that my readers are smarter and better looking than average, and now I have proof. Yesterday, for the first time, over half (50.3%) of the visitors to this site were using Mozilla or Firefox. (As summarized by AWStats.) Browsers Grabber Hits Percent Mozilla No 10308 31.4 % Unknown ? 9786 […]
John Robb has an article at Global Guerrillas about the cost of terrorist attacks and their impact on the economic equilibria at work in cities, based on a report by the NY Fed. A terrorism tax is an accumulation of excess costs inflicted on a city’s stakeholders by acts of terrorism. These include direct costs […]
You can get ROI from security solutions by automating manual processes. Patch management and automated password resets are two solutions that don’t need “incidents” to gain a return. says Pete Lindstrom, responding to my comments that: Well, of course. ROI has enormous problems, including an assumption that technology works out, that there’s an infinite pool […]
News.com has an article entitled “Craigslist costing newspapers millions.” Which is nominally accurate, but a better title would be “Craigslist saving consumers millions.” Craigslist, which generates more than 1 billion page-views each month, also has cost the newspapers millions more in merchandise and real estate advertising, and has damaged other traditional classified advertising businesses, according […]
Anyone who talks to journalists to provide background or commentary says things that they wish they hadn’t. This is in contrast to when you’re making news, and can plan what you want to say, and it’s easier to stay “on message.” Kudos to Bruce for owning up to it. I’m sure I said that, but […]
With Yushchenko at 52% of the votes to Yanukovich’s 44%, it seems likely that Yushchenko will be the next leader of the Ukraine. Congratulations to all who stood up for a fair and honest vote. Oh, and it means I can get a nicer stylesheet in place, too.
Michael Froomkin sees the idea of the secretary of the treasury investing the social security trust fund, and finds it wanting.
“We used to talk about the intent of a tank,” Colonel Thomas explained in an interview. “If you saw one, you knew what it was for. But the intent of electrons – to deliver a message, deliver a virus, or pass covert information – is much harder to figure.” Ian Grigg points out an interesting […]
Rob Lemos has an article in CNET about NGSSoftware. On Thursday, they released a slew of advisories about Oracle products with flaws NGS had discovered 3 months ago. Now, it turns out that the problems may be more risky than thought. Alternately, the release of the exploit code may have caused SecurityFocus to raise its […]
I was just playing with Keynote, working on some slides for Shmoocon, when I realized that I couldn’t get my slides onto the web! Now, I’ve griped about how Powerpoint makes its slides for the web, but at least it makes them. It seems that Tim Bray figured this out a while ago, but I […]
I hope that your elections go smoothly, fairly, and peacefully, and that when they’re done, the people’s will is respected.
A historian, Isaiah (Ike) Wilson III, Ph.D, gave a talk a few months ago at Cornell, entitled “Thinking Beyond War: Civil-Military Operational Planning in Northern Iraq.” His basic thesis seems to be that, in contrast to a carefully planned and executed war campaign, there were no definitive plans for what to do after the Iraqi […]
There’s a story in today’s CNET about banks issuing authentication tokens (like SecurID cards) to customers to address customer authentication issues. While these are useful, insofar as they will make phishing harder, they won’t stop it. Phishing will transform into an online, at the moment crime, which will be easier to catch, but work by […]
In writing about Delta Blood Bank earlier today, one of the issues I was thinking about was the unnecessary use of social security numbers, and how it’s an industry standard. One area where this is particularly evident is in the bifurcated market for cell phones. At one end are providers like Virgin and MetroPCS, who […]
Delta Blood Bank sent a letter Friday to donors, warning them a computer that held their personal information had been stolen and advising them to take steps against identity theft and credit card fraud. … In addition to the letter…The blood bank will no longer require Social Security numbers from its donors… No longer require […]
Starting today, the federal Transportation Security Administration is telling its screeners to keep their hands to the “chest perimeters” of women unless handheld metal detectors beep when waved over their breasts. I’ve mentioned outrage at TSA intrusiveness in the past. (From Boston.com, via CSOOnline.)
Over at TaoSecurity, Richard Bejtlich writes: ‘ROI is no longer effective terminology to use in most security justifications,’ says Paul Proctor, VP of security and risk strategies for META Group… Executives, he says, interpret ROI as ‘quantifiable financial return following investment.’ Security professionals view it more like an insurance premium. The C-suite is also wary […]
[DOD interrogators presented themselves as FBI agents and…] These tactics have produced no intelligence of a threat neutralization nature to date and CITF believes that techniques have destroyed any chance of prosecuting this detainee. If this detainee is ever released or his story made public in any way, DOD interrogators will not be held accountable […]
Europhobia nails the link between privacy and economics in the UK imposes national ID cards stupidity: But usually what gets them is “what? I’ll have to pay eighty-five quid for this thing?” No, Europhobia, they’ll have to pay 85 quid for the card, and another 10 quid in taxes for the backend database. (Figuring 60% […]
After upgrading to Panther and installing X-Tools, several people complained that some unix man pages, specifically section 3 (standard library), are missing. For example, if you try: % man 3 strcmp and get no man page, you need to follow procedure below: Remove /Library/Receipts/BSD.pkg/ (rename or delete) Insert Panther CD 1 Install BSD package from […]
The British Medical Journal has just published a study showing either that democracy makes you live longer, or living in a dictatorship kills you, by three Spanish professors.
Michael Froomkin comments: We vastly overestimated the speed with which non-techies would take up the toys; the growing and enduring dominance of one software platform that didn’t take up the toys; and especially the ability of the empire to strike back via both tech (trusted user) and law (DMCA and worse). Some time about four […]
Scrivener has an interesting post about an episode of ‘Family Guy’ that shows Osama bin Laden bypassing airport security with a song and dance routine. “This was all quite amusing in 2000. Does it mean anything in retrospect? You decide.”
Ross Anderson has added three papers to his Economics and Security Resource page: Fetscherin and Vlietstra’s DRM and music: How do rights affect the download price? shows that the prices of music tracks sold online are mostly determined by the rights granted to the purchaser – including the right to burn, copy or export the […]
Michael Froomkin has three nice posts today. First, Inside The TSA, we learn that power tends to corrupt: This account of the goings-on at the MIA TSA branch, brought to you by the feisty local Miami New Times, is worse than not pretty. It’s pretty ugly: allegations of theft from passengers’ bags, sexual harassment (of […]
Julie, formerly of the Julie/Julia project, has an article in Archaeology on how to cook like the ancients. There are also recipes. Unfortunately, Mongolian Lamb Liquor is (as presented) less interesting than it sounds. (Via Samablog.)
The normally insightful JihadWatch writes: It sounds terrible: restricting their civil liberties. Until you read into the story and find that they’re talking about registration, profiling, and monitoring of mosques and Islamic organizations. Horrors! Registration may inconvenience some people, but after all, a lot of people were inconvenienced on 9/11; as with all these measures, […]
Doug Barnes has a great reciept on You Must Be Present To Win. [Update: Gosh, I wish I’d said something insightful here. Stay a minute, read the rest of my ramblings!]
My friend Sameer takes issue with my hoping for experimentation by criminals, on two grounds: First, he believes I’m encouraging violence. This wasn’t my intent. I assume that there are all sorts of ways to non-violently behave badly, from calling a guard snookums to having a tattoo needle in your cell. However, I don’t know. […]
David Akin blogs that Fitch Ratings has purchased Toronto’s Algorithmics for $175M (the press release is datelined New York, so I’m guessing that’s a US dollar figure). Algorithmics makes risk management software, focusing on market risks for banks, things like hedging strategies and BASEL II compliance (based on a quick read of their site.) So […]
In its powerfully worded decision, the [UK Law Lords] said that the government’s “draconian” measures unjustly discriminate against foreigners since they do not apply to British citizens and constitute a lopsided response to the threat of a terrorist attack. (From The New York Times, see also the BBC or Volokh.) WASHINGTON (AP) — A [US] […]
Over at Marginal Revolution, Alex Tabarrok quotes a letter from an inmate: [Inmate:] A privately owned and publicly traded company like CCA has no incentive to rehabilitate criminals. It is in the best interests of the company for even more criminals to exist. Unfortunately, the same is true of government run prisons. And contrary to […]
Scriviner.net has an interesting article about taxes and your phone company. Any article that starts with an error about how long ago the Spanish American war took place is a little worrisome, but I love watching badly written law becoming irrelevant. Stefan Geens has a great article taking a simple question and exploring the math […]
A friend writes and asks: I’m working in NYC now, as the Web Admin for Safe Horizon. We’re the largest service agency in the US for victims of violence, crime or abuse. We’re interested in putting in some features into our site, but we have to protect our visitor’s privacy, since they might be visiting […]
I’ve been thinking a lot about signaling software security quality. Recall that a good signal should be easy to send, and should be easier for a higher quality product. I’d like to consider how running a tool like RATS (link) might work as a signal. RATS, the Rough Auditing Tool for Security, is a static […]
The first two claim to be UNDER CONSTRUCTION, and this makes me hypothesise that they are honeypots of a sort, respectively researching whether Deep-URLs (“/friendslinks.php”) or merely Root-URLs (“/”) are the most effective methods of Referrer-Spamming, plus also providing a check to see which blogs are the most valuable ones to be worth spamming. In short: […]
My friend Rob Sama is hosting this week’s Carnival of the Capitalists, and was kind enough to give me a shout out. So, welcome if you’re coming in from there. I’m traveling on business, so blogging will be a little slow, but please, have a look around! I try to apply economics to security problems […]
Global Guerrillas has a great post on how US efforts in Iraq are broken: Unfortunately, the US effort to rebuild Iraq is out of synch (a full 180 degrees) with what is really needed. If we map US efforts to Maslow’s hierarchy we see something quite unsettling.
Ed Hasbrouck has a long post on the impact of the new “intelligence reform” bill on privacy and liberty. The CBC has an article on Australia imposing random drug tests on its consumer-units, or citizens, or something.
Nikita Borisov and Ian Goldberg have released Off-the-Record Messaging, an IM plugin for private communication providing not only the usual encryption and authentication, but also deniability and perfect forward secrecy. Deniability avoids digital signatures on messages (while preserving authenticity and integrity), so there is no hard-to-deny proof you wrote anything in particular; in fact, there […]
Federal Computer Week has a story about the Air Force’s efforts to patch faster: Officials’ ultimate goal is to have software patches implemented across the Air Force in minutes. During the next few months, they hope to cut the time from tens of days to just days, said Col. Ronnie Hawkins, director of communications operations […]
Chibineko.org has a nice page of software for techies switching to a Mac. Speaking of techie Mac use, I’m playing with subversion and the sweet looking SCPlugin. To make it see my ssh keys, I’ve added SSHkeychain. That required logging out and back in. After I did, I was getting lots of Keychain errors. It […]
CIBC is a Canadian bank, which has recently been sued by a West Virginia scrapyard operator for faxing their customers’ private data to him. I’ve blogged about them here and here. (It turns out that other banks are doing the same thing, as David Akin blogs.) SB 1386 is a California law that requires companies […]
John Perry Barlow writes about the apparently limitless suspension of the Constitution that’s already happened in airports. But randomly searching people’s homes against the possibility that someone might have a bio-warfare lab in his basement would reveal a lot of criminal activity. And it is certainly true that such searches would reduce the possibility of […]
Kerik issued a statement saying: “In the course of completing documents required for Senate confirmation, I uncovered information that now leads me to question the immigration status of a person who had been in my employ as a housekeeper and nanny,” he said. “It has also been brought to my attention that for a period […]
The BBC is reporting that Kerik has withdrawn, citing personal reasons. The BBC also mentions controversy over his link to Taser, Inc, and a possible nannygate issue.
Doug Barnes writes: There is a clear basis for regulation of objects that, with great force, fling themselves into the sky and have an opportunity to subsequently land on random people and property. Even from a purely selfish point of view, it’s not going to be good for the development of a commercial spaceflight industry […]
Writing to Farber’s Interesting People list, Lauren Weinstein writes: Their new system is obscuring *all* e-mail addresses in *all* netnews messages in the archive (including the vast numbers of messages that do not originate within the Google environment and/or that predate the existence of Google Groups). This includes not only the addresses of individual netnews […]
In a recent comment, Pete Lindstrom asks: So do you think this can be modeled using a version of the El Farol’s Bar you post about in the future? Maybe we can optimize the number of acceptable bugs… How does/should the policies of Microsoft and Oracle affect this model? I’ve been thinking about this, and […]
…it’s pretty scary when the only Asian leader taking your side is the allegedly former crony-capitalist-in-chief of an island police state best known for its canings and outlawing of bubblegum. Says Doug, and who am I to argue with him?
After installing Apple’s latest security update, my laptop no longer goes to sleep when I close it. Is anyone else with more time experiencing this? I am using Bernhard Baehr’s excellent Sleepwatcher, a daemon that allows you to add sleep and wakeup actions, but that hasn’t changed in a while. (If I had more time, […]
Ed Felten writes about a library survey in which few tech books, and none worthwhile, made the top-1000 list. He concludes: It’s the technology books that really disappoint. These books are useful, to be sure, and it’s not surprising that libraries have them. What’s really sad is that no book about the intellectual content or […]
For traditional financial services alone, compliance with the PATRIOT anti-money laundering provisions is projected to cost $10.9 billion by the end of 2005, according to the research firm Celent Communications. No wonder that the champions of forced business spying didn’t want to present even this watered down procedure for congressional review, says banking industry consultant […]
Daring Fireball points to a new Apple technote full of ways to debug programs under MacOS X.
In 1994, Brian Arthur introduced the ‘El Farol Bar’ problem as a paradigm of complex economic systems. In this model a population of agents have to decide whether to go to the bar each Thursday night. All agents like to go to the bar unless it is too crowded (i.e. when more than 60% of […]
My friend Dave writes about trains vs. planes: On that topic, it’s not hard to make a point that train travel is really not far behind airline travel. For me, it was 45 minutes to the station, only 10 minutes to checkin and board, 7.5 hours to DC in a comfy seat (with 120v power […]
Ekr writes: These tools aren’t perfect and it certainly would be nice to have better tooling, but it’s worth noting that a lot of the bugs they find are the kind of thing that could be entirely eliminated if people would just program in safer languages. For instance, the buffer overflow vulnerabilities which have been […]
The disaster over at CIBC is telling, and bears a little exploration. The real victims, whose details were faxed to never saw the violation of their privacy. It was CIBC tossing data around incompetently, all the while publicly proclaiming their commitment to privacy. Wade Peer, a scrapyard operator in West Virginia brought the three years […]
In a move that surprises no one, the screensaver that Lycos created to target spammers has been used to target Lycos. The screensaver was designed to launch a DOS attack against sites that are known for their spamming techniques. (From Chris Richardson at SecurityProNews via Mort. See the ZDNet UK article for more details.)
I believe this is a bug in Netnewswire, and will be reporting in there in just a second, but it’s so pretty I wanted to share it. Note the menubar has gone transparent, but is still readable. It looks way cool this way. Maybe someone will find a hook in the OS to allow us […]
Businesses can avoid potential public relations and legal nightmares by developing privacy policies, authentication processes and using cutting-edge technology. The Canadian Imperial Bank of Commerce learned this the hard way last week when U.S. scrapyard operator Wade Peer went public with his story about how one of Canada’s largest banks was flooding his fax machine […]
Go tell the pollsters that we’ve had enough government sponsored groping. [Update: You may use BugMeNot for a login, or you might want to create a new one for the poll, and feed the bugmenot database.]
The New York Times is reporting that Bernard Kerik, formerly of the NYPD, has been tapped for homeland security secretary. [Update: VikingZen has an alternate suggestion that shouldn’t be missed!] [Update 2: Declan has found a more relevant set of links than I did. Thanks to Secondary Screening.]
The call for papers for Blackhat Europe and Asia are now online.
There’s an interesting article on metrics over at CSO Online. The comments are great, too. Now if you’ll excuse me, I need to go ring a gong.
This information has been confirmed by another listener. She said that in ticket sales offices on Hnatyuk street in Lviv the cashier was extremely friendly to those who were traveling to Kiev, but she did record the passport data into some sort of catalogue. Maidan-INFORM has been stressing that such practice of registering movement of […]
Florence Olsen writes in Federal Computer Week about security training: Last year, for example, officials at a federal financial institution tested employees’ adherence to the agency’s computer security policy against opening e-mail attachments from unknown sources. About half of the employees failed the test, Coe said. [Kathy Coe, regional director of educational services at Symantec] […]
John Lebkowsky comments that he’s being paid to blog by “Marqui.” The first two headlines on their web site sum it all up: MARKETING IS IN A STATE OF CRISIS! Watch the demo (5 minutes) I have to spend 5 minutes figuring out how you distinguish yourselves as a marketing company? Sheesh.
Ian Grigg is on a roll with good posts. See “2005 – The Year of the Snail.” Since he’s doing the thinking, and I haven’t had my coffee yet, I’ll just ask, what happens when this gets 10x worse? Is there anything acting as a serious brake to that? Also, Ian says “serious money” […]
Ian has a fine post over at financial cryptography: The only thing I’m unsure of is whether it should be economics or risk. But as I roll it around my mind, I keep coming back to the conclusion that in the public’s mind, the popular definition of economics is closer to the image that we […]
Security experts take it as a truism that you can’t defend everything. So you have to make choices about what attacks to worry about, and which ones to ignore. A study released today claims that unprotected hosts are attacked once per second. (USA Today reports on the study, and avantgarde.com is utterly swamped. So I […]
I’d like to add one bit about Lycos’ new attack spammers screensaver. Ed Felten writes most of what needs to be said about it: This is a serious lapse of judgment by Lycos. For one thing, this kind of vigilante attack erodes the line between the good guys and the bad guys. Spammers are bad […]
A SOUTH Korean woman paralysed for 20 years is walking again after scientists say they repaired her damaged spine using stem cells derived from umbilical cord blood. Hwang Mi-Soon, 37, had been bedridden since damaging her back in an accident two decades ago. Last week her eyes glistened with tears as she walked again with […]
SteveC, whose comments are broken, says: “wikinews is demoing here. When you have a hammer, everything looks like a nail. I can’t wait for wiki… wiki… wikigovernment. Or something. We could all edit the laws. yay!” Me, I want WikiAirlineSchedules.
Cryptome points to a fascinating article in The Guardian about how the US is training young activists to undermine corrupt regimes: Funded and organised by the US government, deploying US consultancies, pollsters, diplomats, the two big American parties and US non-government organisations, the campaign was first used in Europe in Belgrade in 2000 to beat […]
Allan Schiffman has sorted through the papers from the DIMACS Workshop on Usable Privacy and Security Software, and has summaries and recommendations in “Bad Security = Bad UI?” [Update: Oh, the irony of a conference on usability naming all their files things like “blaze.pdf” or “garfinkel.ppt” – how about “blaze-usable-privsec.pdf,” so I can easily archive the […]
Naxos is a classical music company. They bill themselves as the world’s leading classical label. They have a fascinating business model, which is that they find great ensembles, often in eastern Europe, have them record interesting music, and then sell it cheaply. I’ll often buy 2 or 3 Naxos CDs as experimentation. When they’re 7 […]
America’s Secret War, by George Friedman, is reviewed in the Australian: The Americans had established and then strengthened a military presence in countries surrounding Saudi Arabia – Yemen, Oman, Qatar, Bahrain and Kuwait. Invasion of Iraq would complete the encirclement. “From a purely military view,” Friedman adds, “Iraq is the most strategic single country in […]
The CBC reports on documents that the US tried to bury by releasing the day after Thanksgiving, admitting that “…Canada, Germany, the Netherlands and Britain share the suspicion that the international standard set for the electronic passports inadequately protects privacy and security.” These chips can be read from 30 feet away, today. That’s the opinion […]
For Yushchenko, and fair elections. It’s a small thing, but show your support. Turn your blog orange.
From Iraq, the start of a new political party, and the jitters that come from living under totalitarianism. From Ukraine, people continue to rally and demonstrate against the hijacking of their democracy: The past four days have taught me something valuable: when I’m watching the situation unfold on television, I grow tense, fearful that it’s […]
Will President George W. Bush now stand up to Russia’s blatant imperial overreach in Ukraine? Will Mr. Bush protect America’s interest in the spread of democracy and free markets? While the President has touted good relations with his Russian counterpart, it is clear that Vladimir Putin financed and actively campaigned on behalf of an authoritarian […]
The curiosity that fueled the experiments in Mr. McGee’s first book is undiminished after 20 years, and his approach to cooking is still skeptical. He tries to take as little as possible for granted, asking at each step: Why am I doing this? Is there a better way? All this questioning has yielded conclusions, some […]
“I will not accept the results of the presidential election until it is proved to me and the Ukrainian people that they are legitimate and credible in accordance with conditions set down by the constitution,” [Yanukovych] said in a statement. “I need no fictitious victory, a result which could lead to violence and victims. No […]
George Akerlof shared the 2001 Nobel prize in economics for his paper on “Lemon markets.” While reading Akerlof’s Nobel Prize essay, I was struck by the comment: I submitted “Lemons” there, which was again rejected on the grounds that The Review did not publish papers on topics of such triviality. It seems to me […]
Anti-spyware software has many of the issues that other privacy software has had.* It’s hard to understand the technical means by which privacy is invaded. It’s hard to see that you have (some) spyware. And it’s hard to evaluate what anti-spyware software works, and what doesn’t. Well, it was. Eric Howes has started testing anti-spyware, […]
Ed Felten has an insightful analysis of Identification Codes on Printer Output over at Freedom To Tinker.
Crispin Cowan and I will be running a BOF at Shmoocon, on Evidence Based Security. Shmoocon is in DC, Feb 4-6 of next year.
These women and a good many others, both frequent and occasional travelers, say they are furious about recent changes in airport security that have increased both the number and the intensity of pat-downs at the nation’s 450 commercial airports. And they are not keeping quiet. … Most of the women interviewed said they did not […]
A man with an expired passport got onto Air France flight 26 on Saturday, November 19th: Flight 026 from Paris to Washington Dulles International Airport was diverted to Bangor, Maine, after U.S. officials discovered that the man was listed on the government’s no-fly list. The man’s name also was on the State Department’s terrorist watch […]
…Mr. Bush had to wade into a group of security agents to pull his lead Secret Service agent out of a shoving match with the Chilean police. The tape showing the president assuring the Chileans that his agent could come with him played over and over on television screens in the region this weekend. By […]
There are lots of so-called ‘social software’ web sites that help you umm stay in touch with friends, or make new ones or something (Friendster, Tribe, Orkut, etc). Some are more socially oriented, others are more about business. What I’d really like is one that supports my travel habits. I fly to lots of places. […]
Experts tend to know that when journalists report on their subject, things get twisted up and wrong. You start to evaluate a publication by looking at how it does on subjects you know, and assume that its work is consistently at the same level. I’ve been (cautiously) reading Informed Comment, by Juan Cole. He tends […]
I opened this blog, exactly three months and 250 posts ago, asking, “Why Did Google Pop?” (with a second post on the topic as well.) Nudecybot has two fascinating posts on Google today. The first is on Google bias, the second on gmail, and the fact that it now actually secures your email (way to […]
Ryan Singel catches an AP article on RFID passports: On the latest passports, the agency has “taken a ‘keep it simple’ approach, which, unfortunately, really disregards a basic privacy approach and leaves out the basic security methods we would have expected to have been incorporated for the security of the documents,” said Neville Pattinson, an […]
After the election, I asked “What’s a Free Election worth?” John Robb over at Global Guerrillas has a partial answer, which is what the 2nd intifada has cost both sides over 4 years: 10% of Israel’s GDP (roughly 2.5% of GDP per year), and a stunning 300% of GDP over 4 years for the Palestinians. […]
There’s a 3 page article in the Washington Post on phishing, the use of fake email and web sites to capture usernames and passwords. The phishers often target financial institutions. Marcus Sachs, a former White House cyber-security adviser and current director of the SANS Internet Storm Center, said marketing departments at many banks do not […]
The always engaging Doug Barnes has a new paper out, “Deworming the Internet.” The paper is more interesting because Doug is technically and legally savvy. (Always a dangerous combination.) The paper evaluates regulations, markets, government intervention, litigation, and finally, a set of suggestions for what is most likely to work. It’s perhaps the most comprehensive […]
Discovered a bunch of friends’ blogs today: You Must Be Present to Win (Doug Barnes), Creative Destruction (Sameer), Evil Geniuses For A Better Tomorrow (Jim McCoy, from whom I stole the “Most Evil Genius” gag title I used while at Zero-Knowledge).
The EFF is doing a great job trying to prevent bad law from being created at a global level. There’s a bizarre story of EFF docs being stolen and trashed to prevent their message getting out. Cory writes: We ended up posting a guard over the table — thanks to Rufus Pollock from the Campaign […]
Great cartoon at Ok/Cancel. [Update: The image doesn’t fit on a lot of browsers with my CSS, so it’s now just a link.]
[Inland Revenue] learned a lesson after one incident, during the previous EDS contract, when its security department found out about cost-saving plans to shut a data centre and move sensitive information to a shared site only after an internal memo was circulated. Computing has a good basic article on security issues in outsourcing of IT […]
In A Market for Journal Articles, Alex Tabarrok refers to a paper by David Zetland on A Market for journal articles. Zetland suggests that journal publishers should buy manuscripts in an auction. You probably already have some objections, Where would the money come from? Why would journal editors buy what they can get for free? […]
“The question was, why do I support a strong dollar policy? The answer is because it is our policy,” [US Treasury secretary John] Snow said. “Our dollar policy remains unchanged because a strong dollar is in both the national and international interest.” He pledged to curb the US massive budget deficit – but said the […]
US Homeland Security undersecretary Asa Hutchinson said the current practice of airlines giving the names of passengers to US officials 15 minutes after take-off did not make sense. … “If we have to have information 60 or 45 minutes before, you’ve got to close off the passengers that come in at the last second,” he […]
In his response to my comments on vulnerability hunting, Pete Lindstrom discusses four ways to make things better: (1) legislate/enforce the law, (2) buy exploits now and then, (3) create software security data sheets, (4) more honeypots. I don’t think that (1) actually helps. More laws against finding vulns makes life harder for the good guys, by moving information […]
As I and others predicted, the TSA has chosen to run roughshod over our concerns. Interestingly, they claim that we have implicitly consented to the data being used this way. That’s interesting, because in the comments which I sent to them, I explicitly stated that I don’t consent. (Search this document for the words “do […]
Thanks to Ed Hasbrouck for catching the TSA’s disdainful response to the American people. Quotes are from the TSA’s Notice of Final Order for Secure Flight Test Phase and Response to Public Comments. Because the document is apparently a scan of a printout, I can’t copy text, and thus chose which words I bother to […]
Thanks to Dave and Lisa, I’ve moved to a new host. Things may have unsettled during the move. We’ve also added a feature that closes comments after a bit, because old posts are getting nothing but blogspam.
A long story in the New York Times ends: Still, as Wal-Mart recently discovered, there can be such a thing as too much information. Six women brought a sex-discrimination lawsuit against the company in 2001 that was broadened this year to a class of about 1.6 million current and former female employees. Lawyers for the […]
Pete Lindstrom has argued that we need to end the bug-hunt: Once evaluated, neither reason provides a good foundation for continuing the practice of vulnerability seeking, but it gets much worse when we consider the consequences. There is a rarely mentioned upside to all this bugfinding, which is that researchers use the exploit code to […]
This week Finjan announced that it has told Microsoft of 3, or 10, or maybe 19 issues with SP2. Robert Lemos at CNET writes: “We don’t want to argue with Microsoft about these things,” he said. “We found the 19 vulnerabilities, and we showed that you could take remote control of a computer.” However, Microsoft’s […]
Kaspersky Labs makes some of the best anti-virus software out there, as analyzed by the Virus Test Center at the University of Hamburg. They recently announced a new naming scheme. I’ve been thinking a lot about naming schemes recently, and I think this one could be better. Let me take it apart, and explain why. […]
The poll of IT network and security administrators in SMEs to determine how they persuade management to change security practice found that almost half of respondents admit to advocating the fear factor. Many respondents indicated that they have to present worst case scenarios involving confidentiality breaches, lost customers or liability charges to justify investments in […]
Hundreds of passengers were evacuated briefly Thursday from the main terminal at Dulles International Airport outside Washington after airport screeners thought a suspicious image on an X-ray monitor might be a gun. Screeners spotted the image about 4:40 p.m. EST Thursday and the terminal reopened about an hour later. Passengers went through security checkpoints again, […]
Macworld excerpts a very detailed analysis of the MacOS 10.3.6 update. It’s too bad that Apple chooses to give us a 22 item change description when they’ve changed upwards of 1,000 files.
There’s a nice interview with Kathleen Hagerty over at CSO. She’s a finance professor, talking about risk. (Speaking of business school professors, work by Martin Loeb and Lawrence Gordon on the Economics of Information security investment is outstanding, and unfortunately, not online as an html or pdf file.) Second, I just got around to reading […]
Antigua and Barbuda have won a case at the World Trade Organization, claiming that US laws against internet gambling are a violation of the WTO rules.
Yesterday, I mentioned the 700 arrests [in the United States] in an attempt to deter terrorist activity. Also yesterday, several residents of The Hague violently objected when the police showed up to arrest them. This is a pattern in the arrest of Al Qaeda suspects: Some of them decide that shooting the police is the […]
There’s a coalition of universities working on a security testbed, called DETER. It’s an excellent idea, and apparently, they’re up and running. I look forward to the output from the conference. I hope they’ll ensure that all papers are online and available to the public.
Samablog, irked that Rush has stolen his joke, explains that you can get at all of Rush’s $7 a month content, just by turning off all the scripting stuff in your browser. He then goes on to say: “What it says that a celebrity of Limbaugh’s stature keeps his site so insecure, I don’t know.” […]
The chief warned Anthony Johnson to point his video camera elsewhere, then wrestled the camera away and put Johnson in jail for recording communication without permission, court records say. … A 9th Circuit U.S. Court of Appeals panel last week reinstated Johnson’s suit, which had been thrown out by a federal magistrate in Tacoma, and […]
So when will the public be able to easily and cheaply adopt useful security technologies that cost next to nothing? Asks Nudecybot. And the answer is…NOW! Why wait? Generate some keys and use them!
Eric Rescorla has a great post reporting from the IETF on the “Better Than Nothing Security BOF.” As I see it, this boils down to an understanding that paying for digital signatures is very expensive, while we’ve known for ten years that “keys are cheap.” (Thanks, Eric!) The SSH folks got this very right: You […]
U.S. regulators ruled Tuesday that providers of Internet-based phone call services fall under the jurisdiction of the federal government and cannot be regulated by states. … Vonage has been battling public utilities officials in Minnesota who want the company to register in the state as a telecommunications service, subjecting it to rate regulation and other […]
There’s a post over at BoingBoing, laughing at some poor software transcription of Jabberwocky. Hello? What do you expect? The poem is full of nonsense words. If my speech recognition program started putting brillig and slithy toves in my text, I’d be pissed off. So of course it gets this wrong. C’mon, folks, you want […]
“The bottom line that we have heard from the manufacturer is that these votes are not missing. They’re lost,” county commissioner-elect Tom Steepy said. “It’s very disheartening. It really is.” Damn right it is. Voting machines should produce paper ballots, or their CEOs should offer to commit seppuku over any failures. (From WRAL.com Carteret Voting […]
The friends often lend each other large amounts on the strength of a handshake and a handwritten i.o.u. Both sides then go to an automated teller machine or bank branch to transfer the money, which is then withdrawn from the bank. Or sometimes they do it the old-fashioned way: exchanging burlap sacks stuffed with cash. […]
Jihad Watch points to an AP story: More than 700 people were arrested on immigration violations and thousands more subjected to FBI interviews in an intense government effort to avert a terrorist attack aimed at disrupting the election. As with past unrealized al Qaeda threats, law-enforcement officials said yesterday they don’t know for sure whether […]
We need more holidays that celebrate liberty. The fall of the Berlin Wall is as good a day as you can find. However, Wikipedia points out that: Some believe November 9 would have made a good German National Holiday, since November 9 is also the date of the declaration of the Weimar Republic in 1918. […]
The only three facts that are necessary to my disposition of the petition for habeas corpus and of the cross-motion to dismiss are that Hamdan was captured in Afghanistan during hostilities after the 9/11 attacks, that he has asserted his entitlement to prisoner-of-war status under the Third Geneva Convention, and that the government has not […]
Overuse of the term ‘cyber-terrorism’ is confusing board directors and preventing much needed investment in IT security, says former White House security advisor Richard Clarke. Now if we could just get rid of the term “cyber,” we’d be all set to have a mature discussion. (From VNUnet, via InfoSecNews.)
Nudecybot has a thoughtful post on Computer security and the human factor. He takes a discussion we had, and organizes it well. He talks about airline safety vs computer safety, and how an anonymous reporting system has helped in the airline case. I think there’s two bits that he misses that make the airline safety […]
Or, as your attorney, I advise you to look at these maps.
You can probably skip this post. I wanted to blog it to help people with this problem solve it faster. It involves the Mac System update tool throwing up a dialog that says: A networking error has occurred: zero byte resource (-1014). Make sure you can connect to the Internet, then try again. [Update, 20 […]
You can probably skip this post. I wanted to blog it to help people with this problem solve it faster. It involves the Mac System update tool throwing up a dialog that says: A networking error has occurred: zero byte resource (-1014). Make sure you can connect to the Internet, then try again. I was […]
There’s a fascinating article in the Register about the impact of new rules: In some cases, the law has made IT managers legally responsible for adherence to corporate governance rules. Colao says that this may not necessarily be a good thing. “CIOs are now relying on convoluted processes rather than using sound business judgement based […]
Further quoting from that same article in the Register about the impact of new rules: Business managers becoming fed up with FUD In a separate study, more than a third of the 30 delegates to the Axis Action Forum admitted that their Board had never asked for an update on security or implications of security […]
Thanks to our industrious sysadmin, we have a new rev of MT in place. It’s much more aggressive about weeding comments, so what you say won’t show up instantly. If your real comment doesn’t show up, please drop me a note. And please, do leave comments. Even if it’s against your better judgement. (Yes, I’m […]
Not too long ago, I gave a talk on privacy technology to the Atlanta chapter of the High Tech Crime Investigators Association. It was a talk that several of us at Zero-Knowledge had learned to give. The basic method for talking to police about privacy is to start from the need to reduce and prevent […]
“Unionized employees at the SAQ are launching a four day strike that will shut down Quebec liquor board stores for the weekend.” Says the Montreal CBC site. The SAQ is Quebec’s government owned liquor monopoly. Non-SAQ stores can sell only bad wine and some beer. (No, really, there’s a list of approved wines that others […]
Bigpicture has put up 11 map links, some of which are very cool. I really like the parallel maps of 2000 vs 2004. (If you use Safari, with its transparent drag, you can produce your own overlay maps!) I also like the county-by-county maps, they’re elegant. Not so good is the chartjunk map from the […]
Canada Post has apparently told the world that they’ll only deliver mail with a return address. This is clearly silly; phone books are full of valid return addresses for your city. Over at StupidSecurity, nrh asks: Part of the reason I delayed was that I was trying to find out if this was even legal. […]
No, not the elections, silly, the contest! And now the results are up, and it seems that Michal Zalewski is in the lead.
There’s a petition to stop ID cards in the U.K. Alas, there’s nowhere for residents of Clark county, Ohio, to express opinions. (Via Steve at Fractalus.)
[Microsoft] will publish a general summary of planned security bulletin releases three business days before each regularly scheduled monthly bulletin release… The advance notifications will include the number of bulletins that might be released, the anticipated severity ratings, and the products that might be affected. This has been available to select customers for a while. […]
Sixteen years ago, the first worm spread across the Internet. It used password cracking, a buffer overflow in fingerd, and a flaw in sendmail to spread. At least today, sendmail seems more secure. Passwords and buffer overflows, check back in sixteen more.
The Symposium on Usable Privacy and Security (SOUPS) will be held July 6-8, 2004 at Carnegie Mellon University in Pittsburgh, PA. This symposium will bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy. The program will feature refereed papers, tutorials, a poster session, panels and invited talks, and […]
Sure, the Electoral college is mostly winner-take-all, but America isn’t. The “red/blue” divide nonsense on TV is all about polarizing the country. See the map bigger here. It’s like Jon Stewart said to the boys at Crossfire: Stop hurting America. (Via BoingBoing.)
Ed Hasbrouck writes: For the first time ever, lawyers for the USA Transportation Security Administration (TSA) will appear in court tomorrow in Seattle to try to defend their (still largely secret) procedures for the compilation and use by the TSA, law enforcement agencies, and airlines of “No-Fly” and “selectee” watch lists. … I got word […]
On three occasions over the past five months, Tubiana said, outside judges assigned to review the vendor’s case have set deadlines for investigating magistrates to either indict or release him. The deadlines have passed, but his client remains locked up, court documents show. “There is in fact no control” over these magistrates, he said. “They […]
However, Engler thinks the security explanation should be taken with a grain of salt. His research in the late 1990s aimed to improve the reliability of software. Security analysis was part of the story, he says, but “basically, we just didn’t want stuff to crash.” (writes Jon Udell in Infoworld.) But Crispin Cowan has a […]
As we go into the 54th Presidential elections under the US Constitution, two things, possibly related, have struck me. The first is the elections in Afghanistan. Millions of people ignored threats and went out to vote. Millions of them were women, given a say in their country’s government for the first time. The other […]
I recently blogged about Ted Taylor, and the book he inspired. He passed away recently: Thirty-one years ago, The New Yorker published a profile of nuclear weapon designer Ted Taylor, written by John McPhee. Published in book form as “The Curve of Binding Energy,” this was the first time the prospect of nuclear terrorism was […]
The announcement suggests that Rehnquist is suffering from anaplastic thyroid cancer, a rare and aggressive form of the disease, said Herman Kattlove, an oncologist and medical editor for the American Cancer Society. The anaplastic variety is the only type of thyroid cancer that is treated with chemotherapy. “It’s not treatable by surgery, only by chemotherapy […]
The New York Times reports: Lawyers for many of the detainees, including the ones named in the Supreme Court ruling, say the Bush administration is purposely ignoring the justices’ mandate and stalling. They cite the government’s refusal to acknowledge that detainees are entitled to free access to lawyers to make their cases before federal judges. […]
Larry Lessig and Dave Winer have the very clever idea of a polling site based on blog links and click-throughs: [Lessig] wrote a passioned essay about the Presidential election of 2004, and he wanted to tell people who agreed with his choice to click on a link to express their support. And if they really […]
Last week, I commented on Michael Geist’s column. In part 2, he took an excellent direction. He suggests not only economics, but a legal structure that forbids Canadian companies’ compliance with US orders. Read it.
This month the B.C. government passed a law to prevent the U.S. from examining information on British Columbians that is in possession of private U.S. companies. The CBC reports on information about Canadians being sent to the US for processing, and the attendant legal risks. In Canada, they have strong-sounding data-protection laws that they don’t […]
Neither, of course, is true. But these rumors testify to one of the most distinguishing — and disturbing — aspects about this election: Paranoia is rampant. “I haven’t seen an election in which more people are worried about what’s going to happen to them on Election Day,” said Herb Asher, an Ohio State University political […]
Ian Grigg has a great page on the SSL industry (really the “certification authority” industry.) Worth reading. The topic reminds me of an essay, I think from Nick Szabo, on the use of language and terminology within the security industry to distort thinking. (The bit I remember discussed the use of “certification authorities,” self-declared.) I’m […]
An update on the Americans Stream to Canada For Flu Shots story: In eight days 3,800 people have jumped on the ship and paid their $105. Victoria Clipper’s Managing Director said the company had not expected there would be such a massive take up. The company says the day trips still continue, but the number […]
So let me get this straight… Quebec Court Judge Danielle Cote handed down a 153-page ruling that found two sections of the federal Radiocommunication Act violate the Canadian Charter of Rights and Freedoms. … Cote extended a grace period of one year before her ruling would come into effect. So the law is a violation […]
It seems a bizarre right to be allowed to watch TV, but not say insensitive things. (It’s sad that the car dealer felt ok insulting customers and turning away business. It’s sadder that the courts are intervening where the right answer would be more speech, publicizing intolerance and shaming the dealer.)
On one occasion [Johnnie Thomas] was told that she had graduated to the exalted status labeled, ‘Not allowed to fly.’ She discovered that there was no method available for having ‘her’ name removed from the DNFL; indeed, one person from her local FBI office dismissively told her to hire a lawyer (although ironically, he refused […]
There’s a long article by Joseph Menn in the LATimes about online extortion via DDOS attacks, and how much money it brings in. (Use Bugmenot for a login.) The threat involved massive denial of service attacks on a gambling site, using thousands of “zombie” computers sending data to the site. It’s not clear how clever […]
Something about a post by Steve got to me… Whenever amazon comes up in conversation I tell people how particularly behind they are but I don’t think I get the point across. Who does better? I find that it always works better to say who does well, rather than who does poorly. Let people figure […]
Nat has a typically insightful post inspired by Muine, a radical re-think of what a music player on your computer should do. Why would those things be there? Because every other music app has those features, and if you’re building a music tool, you’ve got to have them too. Only, somehow, you’ve got to do […]
Richard Bejtlich posts on “Will Compromises at Universities Aid Security Research?: Several recent events may give security researchers the data they need. For example, UC Berkeley suffered an intrusion on 1 Aug 04 which jeopardized a database containing names, addresses, telephone and Social Security numbers collected by the California Department of Social Services (CDSS). According […]
Statistics gleaned from the labs’ Common Criteria work indicates that the testing is improving security, said Jean Schaffer, director of NIAP. Schaffer spoke during a session at a Federal Information Assurance Conference held this week at the University of Maryland. So far, 100 percent of the products evaluated have been approved, she said. The testing […]
According to a new report from the Department of Homeland Security’s inspector general, airport screeners still Need Improvement. That will not come as a surprise to anyone who travels, but some of the details, as reported by A.P., are still disturbing: -Screeners aren’t tested on when they should pat down passengers and what the passengers’ […]
With a US shortage caused by contaminated vaccine and flu season approaching, business has been brisk at Canadian clinics and doctors’ offices along the border from British Columbia to as far east as New Brunswick. A Canadian Internet pharmacy is working with a half-dozen physicians in Montreal to offer weekend flu-shot tours to New Yorkers. […]
My frustration level with bug-traq increases in direct proportion to the frequency at which wannabes report vulnerabilities on software that has limited consumption and little business on a business network. I finally contacted some of the wannabes. I probed each for more specifics than the original bug disclosure: I think that Dave has a valid […]
The Little Brother’s Database, an addressbook program, includes a tool, ABQuery, that allows you to look inside the Mac’s address book from the command line. (Via MacOSXHints.com.)
Tonight, take a break from the World Series, and go outside to look at the total lunar eclipse.
Apple announced a new Ipod that shows pictures. What I want to know is, where’s the 8-in-1 media reader to take photos directly from your camera?
Michael Powell was on the Ronn Owens show. 15 minutes into the show, Howard Stern calls in. Listen here. As Sama says, Stern is an unfortunate advocate for free speech. But it’s nice to hear someone directly challenge America’s censor. (Via BoingBoing.)
Is the story of Ted Taylor, one of the cleverest of the very clever men who designed nuclear bombs. He designed the largest bomb ever set off by the US, and the smallest. He once used a nuclear bomb to light a cigarette. And in the early 1970s, he was very concerned that terrorists could […]
One of the worst bits of law to come out of the Clinton years was the “Digital Millennium Copyright Act,” (DMCA). The law made it a crime to break any copy protection scheme, even if the data it was protecting was subject to some form of fair use. The law had lots of nasty chilling […]
But the real issue is that the explosives can be used against civilians and soldiers in Iraq and around the world. Consider that only five grams of RDX, for example, is enough to kill a person when used in an anti-personnel land mine. When 1,000 pounds of explosives were set off by a suicide bomber […]
Michael Froomkin has a long post on the 350 tons of stolen high explosives, which I’m excerpting at length: If all that matters is our safety and security, then today’s news makes it clear beyond peradventure that the Bush administration is horribly dangerous to our national security. Josh Marshall’s blog today runs an extensive quote […]
Steven Landsburg makes a very entertaining point about democracy: …It is worth observing that if you really believe in democracy, and if the election is close, then it doesn’t much matter who wins. The theory of democracy (stripped down to bare essentials, and omitting all sorts of caveats that I could list but won’t) is […]
People trying to infringe our privacy often claim that they’re making a tradeoff between security and privacy. Sometimes they’re even right. But I think today, we’re trading security for “security,” giving up real protection for an illusion. For example, the TSA is spending lots of money to build and connect databases all about travelers. For […]
I’m trying to submit my comments on Secure Flight. When I try to upload my file to http://dmses.dot.gov/submit/ProcessES.cfm, I’m told: An error occured while attempting to upload your comment [Microsoft][ODBC driver for Oracle][Oracle]ORA-01401: inserted value too large for column I’ve submitted a request for help via the provided link.
WASHINGTON — The Transportation Security Administration was lax in overseeing a $1.2 billion contract to install and maintain explosives-detection machines at U.S. airports, resulting in excess profit of about $49 million for Boeing Co., a Department of Homeland Security review found. (From a Wall St Journal article, October 19th. Sorry, subscriber-only link.)
Jakob Nielsen has a very good analysis of security, followed by a not-so-great set of suggestions. He is spot on in saying that 1) it doesn’t work, 2) it puts the burden in the wrong place, and 3) this has nasty side effects. (I’d reverse 1 & 2, as the economics predict #1, but that’s […]
There’s an alarmist headline at MacSlash about a new mac virus. It’s been picked up in a bunch of places. The commenters correctly identify it as a rootkit, not a virus. A rootkit is a program you install, after break in, to hide your tracks. It’s not even a sophisticated rootkit. It’s stunningly primitive. Reading […]
Another interesting article from Peter Merholz closes with: Until now, user experience efforts have been focused on building teams that practice user-centered design (UCD). However, researchers at User Interface Engineering recently discovered that the size of an organization’s UCD practice is somewhat inversely proportional to the site’s usability. You read that right: Companies that invest […]
In “Metadata for the masses,” Peter Merholz presents an interesting idea, which is build a classification scheme from free-form data that users apply. He points to Flickr’s “Cameraphone” category, which would probably not exist if there was only a pull-down list. He also points up problems: Many categories for one thing (nyc, NewYork, NewYorkCity), one […]
NudeCybot sent me a link to an interesting looking book on “Sorting Things Out.” I found this review resonated with how I often feel reading academic work: This tragic book is full of important ideas and significant research, but it’s so poorly written you hardly notice. Other reviews kindly describe its style as “academic,” but […]
Rep. Jim Turner (D-Tex.) wrote that a study by researchers at Stanford University concluded the two-finger system “is no more than 53 percent effective in matching fingerprints with poor image quality against the government’s biometric terrorist watch-list.” Turner said the system falls far short of keeping the country secure. It’s not clear to me why […]
In a post below, I quoted my friend Craig commenting on the differences between election sites and the IEM. Steven Landsburg had previously commented privately that IEM together with TradeSports is inefficient. By playing one against the other you could make money on either likely outcome of the election. So, if these markets were efficient, […]
Signaling is a term from the study of lemons markets. A lemons market is a market, such as in used cars, where one party (the seller) knows more than the buyer. There are good cars (peaches) and bad ones (lemons). The buyer is willing to pay a fair price, but can’t distinguish between the cars. […]
Andrew Stewart pointed me to Notational Velocity, an interesting little note taking app. It’s a little disconcerting at first, because you only have one note area, and the way to create a new note is to just overwrite the old title. (There’s a menu item to rename something.) But worth checking out if you’re a […]
Unfortunately, the BBC is simply reporting on him falling over, not on his 45 year dictatorship being toppled, the Cuban people gaining a measure of self-determination, or the freedom to speak one’s mind: A few blocks away, a 27-year-old man who didn’t want to give his real name, had some advice for the only president […]
Ryan Singel has a long and worthwhile post at Secondary Screening on the JetBlue FOIAs. I have only one thing to add, which is that his closing line somewhat misses the mark: But this issue is not going away as there is at least one report coming out soon that will further complicate the debate […]
The September 30th issue of the Economist points to an article in PLoS Biology by Hebert et al. discussing a new technique for identifying species. The technique relies on the mitochondrial gene for cytochrome c oxidase I (COI), sequencing a 648 base-pair region of it. [1] This technique helps settle the question of “Is Astraptes fulgerator […]
My friend Craig Sauer wrote: In the spirit of the equal time, here’s what’s keeping me from being optimistic about Kerry’s chances: The Iowa Electronic Markets. You’ll have to read on the site to get the real skinny, but basically, the IEM is a real-money futures market where people make informed “bets” about who is […]
Computer hackers have emailed 3000 of the company’s customers, saying a company product – lamb chips – is being recalled due to an infectious agent, and the warning has since been posted on internet message boards. Sad as it is for Erik Arndt and Aria Farm that this has happened, I think this is interesting […]
Larry Ponemon writes: Unfortunately, CEOs have persisted in focusing on four basic questions that too often stump the most savvy IT professionals: What is the security return on investment? What is the probability of a catastrophic security failure? What is the cost of self-insuring against security risks? What are the tangible benefits of being an […]
In order to set her straight, I had to let her know that the reason she’d never heard of me was because I was famous. … Mind you, much of the authority and seniority in that world is benevolent, or at least well-intentioned. If you are trying to become a writer by taking expensive classes […]
I’ve put slides and a pdf from a talk yesterday on my homepage. Making pdf is easy on the mac, making html less so. Since this is the web, I’d like to put up html of the slides, and I think that the HTML that PPT produces is poor. In particular, I’d like smaller files, […]
Each aircraft operation … with a MTOW of more than 12,500 pounds, must conduct a search of the aircraft before departure and screen passengers, crew members and other persons, and all accessible property before boarding in accordance with security standards and procedures approved by TSA. … [Separately, charter aircraft run as clubs…] These clubs transport […]
Looking for a link to SB 1386, I noticed that of the first 10 Google hits, 2 are legislative, 2 are law firms, 3 are information security portals, and 3 are for security companies. Three of the security companies, (Verisign, Threatfocus and Watchfire) are simply adding “SB 1386” to existing products, and claiming to provide […]
A computer hacker accessed names and Social Security numbers of about 1.4 million Californians after breaking into a University of California, Berkeley, computer system in perhaps the worst attack of its kind ever suffered by the school, officials said Tuesday. (This is all over the web, I found a version at News.com.com.) A few questions […]
Alex Tabarrok writes: The headline in the Washington Post yesterday read “FDA Approves Artificial Heart for Those Awaiting Transplant.” The language annoys me – it sounds as if the FDA gave a Good Housekeeping Seal of Approval to the artificial heart. Consider how much clearer the tradeoffs of medical policy would be if instead the […]
Michael Froomkin points to Wired’s article Inventor Rejoices as TVs Go Dark, is enough to make me want a TV-B-Gone. It fits on your keychain, “looks like an automobile remote, has just one button. When activated, it spends over a minute flashing out 209 different codes to turn off televisions, the most popular brands first.” […]
Michael Geist’s recent … Toronto Star Law Bytes column focuses on a recent Canadian privacy finding involving an inadvertent email disclosure. The column contrasts the finding with a similar incident in the United States and argues that for Canadian privacy law to garner the respect it needs to achieve widespread compliance, the Privacy Commissioner’s office […]
To date, the government has wasted over $100 million in a flawed effort to improve airport security by identifying passengers and, well, doing something to the naughty ones. Meanwhile, the reality is that airport screeners continue to miss items like knives, guns and bombs. Meanwhile, there’s lots of good work in computer vision systems, which […]
Household Finance, a unit of HSBC, has sent me a $5,000 check out of the blue. Big verbiage on the front indicates that “Signing this check will result in a loan…” at 23%, which over 5 years comes to an estimated $3,500 in finance charges. Most attractive. Now, ignoring Household’s record of fraud, and ignoring […]
The ever-energetic Bill Scannell has set up unsecureflight.com for you to politely but forcefully register your comments with the TSA on what they’re doing to our privacy. Why use Unsecure Flight over the TSA’s site? It’s easier! There is a public record of your comment, the TSA can’t silently discard it. There’s a plethora of […]
Ed Hasbrouck points out that Public comments are open through Monday, 25 October 2004, on the Secure Flight airline passenger identification, selection, and surveillance system proposed by the USA Transportation Security Administration (TSA) and its Office of National Risk Assessment (ONRA). My draft comments are here, and I’d love feedback before sending them. [Update: Fixed […]
In a comment below, Nudecybot mentions Mark Rasch’s “You Need A Cyber-Lawyer” article in Wired News. I don’t buy this line of reasoning. Making a decent auto-lawyer requires being able to parse legalese, which is a hard problem. Now, legalese is a subset of English, so you might think that the weather parsers, or similar […]
WVLT VOLUNTEER TV Knoxville, TN reports: ” Accused Domestic Terrorist Arrested In Knox County.” According to the criminal complaint, the FBI says that Ivan Braden was planning to enter this Armory Friday, armed with guns and bombs. … The feds say the former 278th soldier planned to take people hostage at the Lenoir City Armory and […]
There’s a long running contest to write C code that’s hard to understand. Daniel Horn has taken it one step further–the goal is to write a program that looks right, but actually produces bogus counts in one of several ways. It’s brilliant!
“We cannot simply suspend or restrict civil liberties until the War on Terror is over, because the War on Terror is unlikely ever to be truly over,” Judge Gerald Tjoflat wrote for the panel. “Sept. 11, 2001, already a day of immeasurable tragedy, cannot be the day liberty perished in this country.” A three judge […]
This site has a Wankometer rating of .58, which is exactly the same level that Alec Muffet got. The white house (1.40) is apparently more wanky than the BBC, but less wanky than Sun. The George Bush and John Kerry for President sites score .63 and 1.83, respectively. I can’t believe Alec is nearly as […]
A few days ago, I commented on Bush’s lack of self doubt. Now Ron Suskind takes on the theme in a 10 page article in The New York Times, entitled “Without A Doubt.”
The ever-entertaining Nat talks about Google’s desktop search (for Windows), and says “Google shocked the world by releasing something highly imperfect.” Really? Google’s been imperfect a lot lately. Have you tried using Gmail with Safari? It pops up three windows every time you click a link. Orkut? Bad server, no donut. (Actually, the issues seem […]
There’s a critique of Google’s new Desktop Search that it…wait for it…searches your computer! No, really, it does. And so it finds things that are … on your computer! Some of these things, like your email, your spouse’s email, and your IM logs, which Microsoft normally keeps hidden from the machine’s other users, are exposed. This is probably a bad […]
Ed Hasbrouck, who in a more perfect world would be paid to be the TSA’s chief privacy officer, writes RFID passport data won’t be encrypted: So an identity thief, using only the data secretly and remotely obtainable from your passport, will be able — without ever having actually seen you or your passport — to […]
The always insightful Michael Froomkin has an article called The Uneasy Case For National ID Cards, which I wanted to link to earlier. I don’t like his arguments, being a believer that privacy invasion is a slippery slope. I expect that laws put in place to protect privacy around a national ID card will be […]
I was flying home recently from a very quick jaunt out to do a customer install. I went to the back of the plane to stretch, and noticed that (horror of horrors) there were people congregating and talking! Fortunately, they were white Americans, so they weren’t scary. Anyway, I got to talking with them, and […]
Chris Allen has a typically long, thoughtful essay on the history of social software, going back to Vannevar Bush and Memex. I think one of the more interesting transformations was that of collaboration to introduction, with services like LinkedIn or Spoke trying to add practical applications to Milgram’s work on connectedness, and I’m surprised that […]
Security patches should not have licenses. There’s no fair re-negotiation under threat. If I bought your software, and am using it, then you find a bug, you should not be allowed to put new terms on the software in order for me to be safe using it. Imagine a hotel which lost a master key […]
Attorney General John Ashcroft has announced a major new effort to crack down on intellectual property theft, by which he apparently means illegally-copied DVDs, CDs, and software. (I refuse to use the term piracy to refer to illegal copying. Piracy is the violent boarding and theft of property on ships, and is a major problem […]
Gramme has a long interview with the author of the Medici Effect over at Financial Cryptography. The book focuses on how the Medicis helped drive the Renaissance by bringing together a slew of people from different cultures and backgrounds. Far too often people become narrowly focused on issues that their peers agree are important. They […]
A new technique has won the 20th anniversary competition in iterated prisoner’s dilemma. The technique involves a sequence of moves designed to signal other players that they are competing with one of the great many other Southampton university submissions. When they discover that, one entry will self-sacrifice such that the other can rack up a […]
“It’s O.K. to spend $85 on a hotel, $15 for parking and another $15 for breakfast, but if you spend $90 for a hotel where parking and breakfast are included, you’re over budget,” he said. “And it’s O.K. to drive 400 miles in your own car and to get reimbursed at 34 cents per mile, […]
A woman said she drove home to San Diego from Denver rather than submit to what she viewed as an intrusive search by airport security screeners. Ava Kingsford, 36, of San Diego said she was flagged down for a pat-down search at Denver International Airport last month as she prepared to board a flight home […]
Ok, you know I’m being sarcastic with the title. The New York Times titles its article “Security Grants Still Streaming To Rural States.” And the message is politics remains more important than ensuring that those cities likely to be hit next are well prepared. The article goes on to cite politics as usual as the […]
So it seems that Apple installs /bin/ps setuid root. (Scare #1). It seems also that the last bits emitted by a ‘strings /bin/ps’ is J8 RUSITH? . I have no idea what that is or what it means, but I think it belongs on a tshirt. (Thanks to Dave and Ted for validating those for […]
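Turning the surprise above into a routine check: enumerate every set-id file and diff the list against what you expect, so a newly setuid binary stands out. This is an added example, not code from the original post. It builds a throwaway tree of constructed files under a temporary directory (the names such as bin/ps are illustrative, not real system binaries) so it runs without scanning the live system; point find_setid at “/” to audit a real box.

```python
"""Audit a directory tree for setuid/setgid files and diff against a baseline.

Added example. build_demo_tree() creates constructed files under a temporary
directory so the audit can be exercised without scanning a real /bin.
"""
import os
import stat
import tempfile


def find_setid(root):
    """Map path -> set-id bits for every regular file under root with setuid or setgid."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: a symlink's mode is not its target's mode
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            bits = st.st_mode & (stat.S_ISUID | stat.S_ISGID)
            if bits:
                found[path] = bits
    return found


def setid_relpaths(root):
    """Set of set-id file paths relative to root."""
    return {os.path.relpath(p, root) for p in find_setid(root)}


def unexpected_setid(root, baseline):
    """Sorted set-id files (relative to root) that are not in the allow-list."""
    return sorted(setid_relpaths(root) - set(baseline))


def describe(root):
    """One human-readable line per set-id file, e.g. 'bin/ps setuid'."""
    lines = []
    for path, bits in sorted(find_setid(root).items()):
        kinds = [k for k, b in (("setuid", stat.S_ISUID), ("setgid", stat.S_ISGID)) if bits & b]
        lines.append(f"{os.path.relpath(path, root)} {'+'.join(kinds)}")
    return lines


def build_demo_tree():
    """Constructed demo tree (illustrative names, not real binaries). Returns its root."""
    root = tempfile.mkdtemp(prefix="setid-audit-")
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "usr", "bin"))
    for rel, mode in (("bin/ps", 0o4755), ("bin/login", 0o4755),
                      ("usr/bin/passwd", 0o4755), ("bin/ls", 0o755)):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    # A symlink to a setuid file must not be reported as a second setuid file.
    os.symlink(os.path.join(root, "bin", "ps"), os.path.join(root, "bin", "ps-link"))
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    print("\n".join(describe(root)))
    print("not in baseline:", unexpected_setid(root, {"bin/login", "usr/bin/passwd"}))
```

The baseline is the allow-list you maintain per platform; anything the audit reports outside it (here, bin/ps) is what deserves the “Scare #1” treatment.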
“Wherein links between a number of disparate ideas are put forth for the amusement of our readers” Orcinus talks about one of Bush’s answers to a question in last night’s debate.* (I thought Bush did surprisingly well, but think that Kerry still came out slightly ahead. Both, depressingly, still want to spend my money on […]
Ryan Singel has a couple of good posts up: Why Privacy Laws and Advocates Matter and Trusty Logo Not Worth The Pixels It Is Printed On. The latter explains in detail what economics predicts: Trusty won’t shaft its paying customers to make them actually enforce privacy policies, when people who rely on the trusty seal […]
The elections in Afghanistan have apparently gone off with fewer problems than expected, which is outstanding. (And hey, the ink I mentioned to Sama makes an appearance!) I am slightly worried by a line in The New York Times article, ” International organizations, which spent $200 million to finance the election, indicated that they had […]
I listen to a lot of music. When I visit friends, I often invite them to drop random discs they think I’d like into iTunes for a rip. Combine that with my cd habit (“I can quit anytime!”), and I have a fair bit of music that I don’t recognize quickly. So I just found […]
Do you want to save American lives? Stop senseless deaths? Here’s some ideas: Require real driver training, and enforce traffic laws. Ration the sale of alcohol to prevent the nasty diseases over-indulgence causes. Ban tobacco. Ban firearms. Require calisthenics in the morning, by neighborhood, and in the afternoon, at work. Ban the use of corn […]
There’s an article in today’s The New York Times asking, Can Prayers Heal? (Critics Say Studies Go Past Science’s Reach). The article talks about a number of studies that apparently show a correlation between being prayed for and better medical results. The article also talks about how flawed some of the studies are, once you […]
I just got a fascinating email. No, not really. It was a simple little email, from someone who’s being very helpful on a project that I’ll speak of in excruciating detail later. What was fascinating about it was that it was PKCS 7 signed, and Apple’s Mail.app told me so. It told me so with […]
The ACLU has made the TSA explain to the American people some subset of the faulty reasoning, faulty processes, and broken systems behind the so-called “No fly” lists, which have now snared, along with Johnnie Thomas and David Nelson (all of them), 3 members of Congress. Read the articles, Faulty ‘No-Fly’ System Detailed (Washington Post) […]
Orin Kerr discusses (deep breath!) Michael Froomkin links (via Proof Through the Night) to this story from a Seattle TV station about a local library that has fought off an FBI subpoena for a list of names and addresses of who took out a book on Osama bin Laden. Kerr does a good job of […]
In response to 9 hijackers getting fraudulently issued ID cards from the state DMV, Virginia is considering issuing harder-to-fake ID cards that will broadcast your identity. As long as the value of an id card keeps going up, the reward for breaking the system will go up as well. If you want to rely on […]
Every now and then, I come across a blog I want to skim regularly. When it’s easy to do so, I add it to my list. Which is to say I drop the RSS feed into NetNewsWire, and I then at least see the headlines. Blogspot/Blogger doesn’t make it easy to add RSS to your […]
IDC’s research director, Lars Vestergaard, said their research found interest by businesses in WLAN usage was widespread, but not many of them were particularly interested. “Unfortunately IT managers are being uncertain about using this technology, but they use a lot of bad excuses,” he said. “This is because they often fear a lack of security […]
If you somehow missed it, AP released a “test article” claiming Bush had won re-election. BoingBoing has the story, and screen captures of a web site that carried it. We all know that computers don’t make mistakes, and that software is bug-free. More seriously, we need to take a lesson from Florida, and understand that […]
A small window into a large world, with its own software: biological software, including DELTA, a DEscription Language for TAxonomy, database software, ecology software, morphometric, paleontologic, and phylogenetics software. (Hey, I need a taxonomy just to keep the breakdowns straight!) Or DMOZ has a page, but it doesn’t seem as comprehensive. What I want to […]
Biological taxonomy is not fixed, and opinions about the correct status of taxa at all levels, and their correct placement, are constantly revised as a result of new research, and many aspects of classification will always remain a matter of judgement. The ITIS database is updated to take account of new research as it becomes […]
As anyone who takes advice from the Vice President now knows, he didn’t really mean to tell you to go to factcheck.com, but factcheck.org, whose article still doesn’t fully support his point. This little glitch led the owners of factcheck.com, a small site that lists sellers of dictionaries and encyclopedias, to suffer a massive denial […]
There are useful instructions here as to how to add a “Paste as Plaintext” option to iChat. If you’re reasonably technical, you can go off and do all sorts of neat stuff here.
Christopher Allen has a cool post about a map mash up, along with some analysis of what makes it work.
There’s a set of interesting conferences looking for papers: Privacy Enhancing Technologies Economics of Information Security Codecon [update: closed html list tag]
Marcus Ranum writes a good article for ACM Queue, in which he points out that better tools to improve languages can help. I take issue with his claim that better languages can’t help. Java, because of its string representation, is harder to mess up with than C. It’s not perfect, and no useful language can […]
Jean Camp and Stephen Lewis have done a great job of bringing together papers on Economics of Information Security in a new volume from Kluwer Academic press. (It’s even better because it has my first book chapter, which is What Price Privacy, joint work with Paul Syverson. We’ll put it online as soon as the […]
Bruce Schneier has a blog: http://www.schneier.com/blog/.
I normally have a lot of respect for CIO Magazine. Their journalists cover the topics that matter to CIOs, they remain focused on how to make the technology support the business, etc. That’s why I was surprised to see this CIO’s Guide To Safe Computing, which starts: Ellyn believes that companies should strive for a […]
0:56 – A student system in Founders scanned victim on TCP port 445 (file sharing). Victim responded. Student system immediately closed connection and opened a new connection on victim port 445. Following LAN Manager protocol negotiation and MS/DCE RPC Bind, student system attacked victim with buffer overflow to exploit Microsoft LSASS vulnerability. Less than 60 […]
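The sequence in that timeline (a bare probe of TCP/445, then an immediate second connection to the same host and port that carries the protocol negotiation, RPC bind and exploit) is detectable from connection records alone, without looking at the SMB payload. The following is an added example, not part of the quoted timeline or the original post. The flow records and their layout (ISO timestamp, source, destination, destination port, bytes sent by the source, duration in seconds) are constructed for illustration and are an assumption about what your sensor exports. The second check, for a freshly hit victim that then starts probing 445 itself, goes beyond what the quoted text states; it is the follow-on a responder would look for when the attack is worm-driven.

```python
"""Detect the probe-then-connect pattern on TCP/445 in connection records.

Added example; the record format and sample data are constructed, not taken
from any real log. Fields: ISO timestamp, src, dst, dport, bytes sent by src,
connection duration in seconds.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

SAMPLE_FLOWS = """\
2004-10-04T00:56:00 10.1.1.50 10.1.2.20 445 0 0.1
2004-10-04T00:56:01 10.1.1.50 10.1.2.20 445 2310 3.5
2004-10-04T00:56:30 10.1.1.51 10.1.2.21 445 0 0.1
2004-10-04T00:56:40 10.1.2.20 10.1.3.5 445 0 0.1
2004-10-04T00:57:10 10.1.1.52 10.1.2.22 80 512 1.0
2004-10-04T00:57:11 10.1.1.52 10.1.2.22 80 900 2.0
2004-10-04T00:58:00 10.1.1.53 10.1.2.23 445 0 0.1
2004-10-04T00:59:30 10.1.1.53 10.1.2.23 445 2200 3.0
"""


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    bytes_out: int   # payload bytes sent by src
    duration: float  # seconds


def parse_flows(text):
    """Parse whitespace-separated records into Flow objects, sorted by time."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes, dur = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst,
                          int(dport), int(nbytes), float(dur)))
    return sorted(flows, key=lambda f: f.ts)


def is_probe(f):
    """A scan: the connection completes but carries no payload and ends at once."""
    return f.bytes_out == 0 and f.duration < 1.0


def is_session(f, min_bytes=1024):
    """A real exchange: enough data for protocol negotiation plus an RPC bind."""
    return f.bytes_out >= min_bytes


def find_probe_then_connect(flows, port=445, window=timedelta(seconds=5)):
    """Return (src, dst, probe_ts, session_ts) for each probe to `port` that the
    same source follows, within `window`, with a data-carrying connection to the
    same host and port. Flows must be time-sorted (parse_flows does this)."""
    hits = []
    for i, probe in enumerate(flows):
        if probe.dport != port or not is_probe(probe):
            continue
        for later in flows[i + 1:]:
            if later.ts - probe.ts > window:
                break
            same_target = (later.src, later.dst, later.dport) == (probe.src, probe.dst, port)
            if same_target and is_session(later):
                hits.append((probe.src, probe.dst, probe.ts, later.ts))
                break
    return hits


def victims_turned_scanners(flows, hits, port=445):
    """Hosts that were the target of a hit and afterwards probe `port` themselves."""
    pivoted = set()
    for _src, dst, _probe_ts, session_ts in hits:
        if any(f.ts > session_ts and f.src == dst and f.dport == port and is_probe(f)
               for f in flows):
            pivoted.add(dst)
    return pivoted


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    hits = find_probe_then_connect(flows)
    for src, dst, t0, t1 in hits:
        print(f"{t0.time()} {src} probed {dst}:445, data session at {t1.time()}")
    print("victims now scanning:", victims_turned_scanners(flows, hits))
```

The window and byte thresholds are the tuning knobs: a legitimate client retrying a file share can also reconnect quickly, so in practice you would also require the second connection to come from a host that has no history of talking to that server on 445.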
But while we consider whether the position should be upgraded, we should also ask what the cybersecurity czar should be doing in the first place. says Ed Felten, and he’s right. He suggests two main jobs: Securing the fed’s infrastructures (and in doing so, pulling for more secure product), and imposing liability rules. Ed correctly […]
Watching the NASA video, SpaceshipOne just won the X-Prize, having made space twice in under 14 days. Congratulations to Burt Rutan and his whole team.
My 12-year-old at home doesn’t want to hear that he can’t put all the music that he wants in all of the places that he would like … says Steve Ballmer. It’s good to see Microsoft, like the health care industry, catering to people other than end-users. If they were as smart collectively as they […]
That said: my home directory is now encrypted which should make any further hardware maintenance a doddle (no more erase/flood before mailing) and I’ve blown away the old UFS partition which although useful was tying up a few too many GB. Alas the rebuild doesn’t seem to have fixed the lack-of-sleep-on-lid-closure problem. One more for AppleCare. […]
Why cannot markets allocate this function to the least cost decider? Why does the usual solution — intermediation — appear to be working so badly? Asks Tyler Cowen over at Marginal Revolution. I believe that a large part of the problem comes from a side effect of the employer subsidy. Because health insurers are selling […]
The House will propose moving cybersecurity offices from the Department of Homeland Security to the White House as part of the intelligence reorganization, according to draft legislation obtained Wednesday by The Associated Press. The bill, expected to be introduced Thursday, would place cybersecurity into the White House budget office. … The new proposal would create […]
You have to respect a man who can take on a central bank and win. The Motley Fool did a nice bio piece with background. And now, he’s blogging. [Update: Oops! Via BoingBoing]
Ryan Singel has a great post on the watch lists, and the Keystone Kops fumbling behind the scenes.
Matt Cordes modified the Zombie simulators to give humans a chance to fight back. It’s fascinating, because with some small mods to the source, you get a much more interesting simulation. (Unfortunately, I don’t see Matt’s source anywhere, so I can’t say how long it might have taken.) The simulation makes viscerally clear how chains […]
I saw the excellent Shaun of the Dead last night. (Or see QuickTime trailers or the official site. Or heck, just buy it from Amazon.co.uk where it’s already available on DVD, but only if you have a free-world DVD player.) Ok, really this post is an excuse to link to the Zombie Infection Simulation in […]
One of the best signs that things are going down the tubes is that officialdom tries to control information flow. I now know that things in Iraq are officially going to hell, because the security situation is bad enough that they’re trying to prevent people from learning about it. Kroll, a large physical and investigative […]
Amit Yoran, a former software executive from Symantec Corp., informed the White House about his plans to quit as director of the National Cyber Security Division and made his resignation effective at the end of Thursday, effectively giving a single day’s notice of his intentions to leave. Yoran said Friday he ”felt the timing was […]
The cost of a last-minute ticket doesn’t seem to be enough for airlines to break even. How much of this is due to a lingering fear of flying? How much of it is the extra cost to travelers, in inconvenience and hassle, of being bit players on the security stage? As long as a carrier […]
Writes Bill Scannell in a piece for USA Today. Not new, but a good intro as to why.
I’ve realized recently that I have no real idea of what’s happening in Iraq. On the one hand, we have bubbly optimists like Chrenkoff. On the other, people like Wall St Journal reporter Farnaz Fassihi, whose email is getting wide circulation. The Iraqi bloggers I read (generally) sound more optimistic than despairing, which is good. […]
It’s always good to see our best resources being applied to the most important things in society, like voting. The “independent” validation, paid for by the software creators, is closed to the public. But when the Nevada Gaming Commission gets into the act, it seems they know a scam when they see one. (Disclaimer: I […]
Bob Morris maps hurricanes Ivan, Charley, and Frances against voter maps. (No mention of Jeanne, which seems to have taken the same path as Frances.) Enquiring minds want to know: is this that Bob Morris?
I’m speaking at the Atlanta Chapter of the High Tech Crime Investigative Association, October 11th, on a “Privacy Industry View of Reducing Cybercrime.” This is an extended version of the talk we gave at Zero-Knowledge to law enforcement. I’m speaking at the Inaugural Security Leadership conference, in Arlington, Texas on the 19th, on “Beyond Penetrate, Patch and […]
Ed Felten has a great post over at Freedom To Tinker about Rather-Gate: In the recent hooha about CBS and the forged National Guard memos, one important issue has somehow been overlooked — the impact of the memo discussion on future forgery. There can be no doubt that all the talk about proportional typefaces, superscripts, […]
Abdul Hadi al-Khawaja is being detained for 45 days over charges of inciting hatred against the [Bahrain] regime. His Bahrain Centre for Human Rights (BCHR) ignored warnings it had contravened association laws, a government statement said. The centre had protested at the arrest, saying Mr Khawaja was just “practising his basic rights, namely free speech”. […]
More than 120,000 hours of potentially valuable terrorism-related recordings have not yet been translated by linguists at the Federal Bureau of Investigation, and computer problems may have led the bureau to systematically erase some Qaeda recordings, according to a declassified summary of a Justice Department investigation that was released on Monday. The problems, unsurprisingly, are […]
I’ve just finished the 9/11 commission’s report. (Or use the Pdfhack version, a fine example of what can be done in the absence of copyrights.) One of the things that stands out for me is the stark contrast between the history and the recommendations. The history is excellent. The recommendations, less so. My largest critique […]
“Roman Catholic and Orthodox clerics have exchanged blows inside Jerusalem’s Church of the Holy Sepulchre, one of Christianity’s holiest sites,” says the BBC.
Recently, I found myself wondering why Hamlet had never gotten a proper treatment in PowerPoint. After another drink, I took it upon myself to remedy the situation.
I believe that if you are a low- to mid-skilled intruder physically located in the United States, you will eventually be caught. The days when hardly anyone cared about prosecuting digital crime are ending. The FBI has 13 Computer Hacking and Intellectual Property (CHIPS) units with plans to open more. The Computer Crime and Intellectual […]
This changed recently — spyware ‘toolbars’ started to appear for Firefox as well. It was quite a surprise to see a dialog pop up when accessing an otherwise normal-looking (though advertising-heavy) page, using my Linux desktop, prompting me to install some ‘toolbar’ .xpi file! Firefox 1.0PR now includes code to deal with this. Here’s how […]
Do current security plans depend on no guns getting onto the planes? I hope not. Covert government tests last November showed that screeners were still missing some knives, guns and explosives carried through airport checkpoints, and the reasons involve equipment, training, procedures and management, according to a report by the inspector general of the Homeland […]
So Verisign has teamed up with I-safe to issue “USB tokens” to children. The ZDnet story states that it “will allow children to encrypt e-mail, to access kid-safe sites and to purchase items that require a digital signature, said George Schu [A Verisign VP].” To me that sounds a lot like an X.509 certificate, which […]
“BRANSON, Mo. – A Branson man has put a face to the anonymous references people often make to “they” by changing his name to just that: “They.” Not only is he making a statement about his name, but he’s messing with the entire English language,” friend Craig Erickson said. How can you argue with messing […]
This – the damage done to individual psyche – and not just to the physical infrastructure and institutions of the country, is what we have to always keep in mind when assessing the progress of reconstruction and democratisation in places like Iraq. If things aren’t moving ahead as fast as expected, if cooperation is lacking […]
Virginia Postrel writes about flying without ID: Coming home today from New York, I was a little more prepared. I still didn’t have “government-issued i.d.,” but at least I knew I was headed for trouble. I got to JFK several hours early. The young security guard wasn’t sure what to do with me and asked […]
So when Google Mail started up, I managed to register “account.management@gmail.com.” I didn’t have any particular plan for this, I just figured that it was entertaining, and a good, harmless prank could be made of it. (I specifically emailed a friend who works for Google security about it, and mentioned it in person next time […]
Happy Emancipation Proclamation Day! On Sept 22, 1862, President Lincoln issued the Emancipation Proclamation: “…all persons held as slaves within any State or designated part of a State the people whereof shall then be in rebellion against the United States shall be then, thenceforward, and forever free; Now, like many government proclamations, there was more […]
The New York Times reports that “The Transportation Security Administration said Tuesday that it planned to require all airlines to turn over records on every passenger carried domestically in June, so the agency could test a new system to match passenger names against lists of known or suspected terrorists.” The data will vary by airline. […]
Omar writes about A group of Iraqi citizens in Al Karkh/ Khidr Al Yas arrested 6 Syrian terrorists after placing a land mine at the gate of Bab Al Mu’a dam bridge from Al Karkh side. According to New Sabah newspaper, after a road side bomb exploded missing an American convoy that was patrolling in […]
Don’t read this if you’re easily annoyed.
I’ve written in the past about how government-validated ID acts as a subsidy to privacy invasion. In the absence of such a card, I can give you whatever name I want, protecting my privacy. With such a card, it becomes easy to invade people’s privacy. Under CAPPS-2, the government would like the airlines to collect […]
Ed Hasbrouck has another pair of good posts (1, 2) on the “Free Wheelchairs” program. In the first one, he quotes from “Department of Homeland Security Appropriations Act, 2005”, H.R. 4567: (2) the underlying error rate of the government and private data bases that will be used both to establish identity and assign a risk […]
Eugene Volokh rightly criticizes a correspondent for his ad hominem attacks on NYC Mayor Bloomberg, who said (I’m quoting Volokh): But Bloomberg insisted that there’s no proof that the NYPD did anything wrong. “There is absolutely no evidence whatsoever that there was any intent by any law-enforcement official to hold people any longer than was absolutely […]
I have cell service with AT&T wireless. One feature of the service is network time updates. It fortunately includes a confirmation. It’s great when you land in a new city. It hasn’t been so great last night or today. Last night, at 23.20, I got an update telling me that the new time was 21.15. […]
September 19th is National Talk Like a Pirate Day “Dude, anyone got the new Metallica?”
Samablog points to the new nickel design which will have either a buffalo or a depiction of the Pacific coast on the back. The buffalo refers to the Louisiana Purchase, while the Pacific coast refers to Lewis and Clark’s expedition. Despite his careers as a lawyer, diplomat, Secretary of State, and President of the […]
Over at BoingBoing, Cory points to a USA Today story at NewsIsFree about more screening. There seem to be four components: Explosives Detection Secondary screening will now always include nitrate detection swabbing. This is a fine step, but why has it taken 3 years to come in? (In fact, every time I’ve been thrown into […]
There’s a brilliant post over at Orcinus about the 9/11 commission, whose (outstanding) report I’m just getting around to reading. Really, if the Kerry campaign is serious about persuading the American public that Bush is a serious liability when it comes to securing the nation from the terrorist threat, this should be Exhibit A: Bush […]
Ian Grigg has some very interesting comments on Verisign’s certificate business and what it means for privacy, over at Financial Cryptography.
The New York Times reports: The Central Intelligence Agency has fewer experienced case officers assigned to its headquarters unit dealing with Osama bin Laden than it did at the time of the attacks, despite repeated pleas from the unit’s leaders for reinforcements, a senior C.I.A. officer with extensive counterterrorism experience has told Congress. A senior […]
The Mozilla folks have awarded their first bug bounty payments for 14 security issues. Time to upgrade!
Microsoft has released a critical advisory (or, less-technical version) regarding a problem with the way JPEG files are parsed. Microsoft has released patches for their applications, and also a tool to scan for vulnerable apps. I’m not sure what to think about the tool. On the one hand, good for them! Helping customers secure their […]
Apple has released an updated Security Advisory, to fix two problems introduced in the previous rev. Not a big deal, unless you happened to be trying to deal with their ftpd. As we’ve pointed out (PDF) in the past, security updates are a race between attacks and defense, and there are trade-offs you can make. […]
Britons seemed startled by the ease with which palace security was overrun by two men in super hero costumes carrying an extension ladder….Police used a crane to extract him from the ledge as his supporters chanted “free Batman” from behind a police cordon. From the New York Times story. Or, Google News has more. The […]
This is a remarkably cool shot, which SteveC asserts is a plane flying in front of “The ULO telescope as it observes the transit of Venus.” I started asking what are the odds, and then ended up at a back of the envelope, why are these so rare?
SecurityFocus points to a nice short article over at Silicon.com which suggests that Gartner advises that for companies building their own software, developers should be pushed to put security at the head of their list. It’s not just in-house tech makers that need a word in their ears – the analysts suggest end users should give […]
Mathematicians use a scheme called the Mathematics Subject Classification, (MSC) which includes a “how to use“, as well as a long history of being revised to reflect changes in the field, and I would guess, practice in how to effectively classify things. It has a General and Miscellaneous Topics section, too. Articles must be given […]
The New York Times reports on a lack of doctors in Canada, along with a rise in Canadians using emergency rooms to replace family doctors. (Use BugMeNot if you don’t want to register.) The basic problem is economic. Doctors are much better paid in the US than in Canada, and doctors can easily move. Its […]
The great linguist Chao Yuen-Ren once wrote an essay in Chinese using only words which (in Mandarin) would be transliterated as shih (using Wade-Giles; shi in pinyin). You can see the text in characters and two transliterations, read the translation (“A poet by the name of Shih Shih living in a stone den was fond […]
Some Singaporean students have figured out how to use Bluetooth to turn off the cameras in Nokia’s phones, according to an article in Gizmodo, via a long chain to a now deleted newspaper article. I wonder if they turn it back on when you leave the area? However, Loosewire, the earliest still working link, implies […]
The Webflyer points to a great David Rowell column, including: An argument ensued. Ms O’Leary not unreasonably thought it unfair to be trapped on the delayed flight when there was another flight due to leave shortly that she could make if allowed to leave the United Express flight. The pilot called the police who arrested […]
Peter Swire has a new working draft, A Model For When Disclosure Helps Security. It’s a great paper which lays out two main camps, which he calls open source and military, and explains why the underlying assumptions cause clashes over disclosure. That would be a useful paper, but he then extends it into a semi-mathematical […]
Over at American Spectator, Shawn Macomber writes about being arrested in New York this week, and suggests a reality TV show is in order: It could be called POWDERKEG! Each week, I’ll be arrested without my rights being read to me and held for 14 hours while police refuse to tell me what charges I’m […]
Responding to my earlier comments about science being easier at a distance, both Nude Cybot and Justin Mason have offered up substantial and useful comments on the subjects of biological taxonomies. (Justin’s have moved to email.) “Classification in Biology, or phylogenetics, is fraught with issues that we typically do not face when creating our own […]
If you ever saw Julia Child or Jacques Pepin take apart a chicken, you’ll remember how easy they made it look. It’s a level of skill that we can all aspire to. Watching Ed Hasbrouck take apart the latest incarnation of free wheelchairs for paraplegic children is like watching Julia Child take apart a chicken. […]
In Wikipedia vs. Britannica Smackdown, Ed Felten takes my challenge. In the meanwhile, I’d done some hypothesizing, here. So how’d I do? Hypothesis 1 is spot on. #2 is more challenging to assess: The errors in Britannica are smaller, and I think I’ll judge myself wrong. #3 I think is accurate, if only because of […]
A few days ago, I challenged Ed Felten to do some more comparison work. In the spirit of Milgram, I didn’t propose a theory. (This was mostly because I was trying to make a good joke about assigning the professor homework, but couldn’t come up with one.) However, on consideration, I think that I should […]
As part of a larger project on security configuration issues, I’m doing a lot of learning about taxonomies and typologies right now. (A taxonomy is a hierarchical typology.) I am often jealous of the world of biology, where there are underlying realities that can be used for categorization purposes. (A taxonomy needs a decision tree. […]
This post by Todd Zywicki clearly illustrates the difference between law professors and economics professors.
In Educated Guesswork, Eric Rescorla writes about one way tickets and the search criteria. The CAPPS program was created by Northwest airlines, who set the criteria for inclusion. They included one way tickets to enforce their bizarre pricing schemes. This is the same reason they started asking for ID: to cut down on the resale […]
Over at Freedom To Tinker, Ed Felten writes about the Wikipedia quality debate. He takes a sampling of six entries where he’s competent to judge their quality, and assesses them. Two were excellent, one was slightly inaccurate, two were more in depth, but perhaps less accessible than a standard encyclopedia, and one (on the US […]
Over at TaoSecurity, Richard writes: Remember that one of the best ways to prevent intrusions is to help put criminals behind bars by collecting evidence and supporting the prosecution of offenders. The only way to ensure a specific Internet-based threat never bothers your organization is to separate him from his keyboard! Firstly, I’m very glad […]
I’ve recently finished The Man Who Shocked the World, a biography of Stanley Milgram. The book’s title refers to the “Authority Experiments,” wherein a researcher pressured a subject to deliver shocks to a victim. The subjects of the experiments, despite expressing feelings that what they were doing was wrong, were generally willing to continue. Other […]
I’m reading through NIST SP-800-70 (pdf), the NIST guide to producing security configuration guides. Let me get more coffee before I continue. Thanks for waiting. “If home users and other users without deep security expertise attempt to apply High Security checklists to their systems, they would typically experience unwanted limitations on system functionality and possibly […]
Or, if you prefer, the original can be found elsewhere. It’s always nice when things I want to abuse like that are in the public domain. (Obligatory Lessig link.) But beyond that, think how much poorer literature in the computer science field would be if we didn’t have Alice In Wonderland to freely quote from, […]
“The time has come,” the Walrus said, “To talk of many things: Of shoes–and ships–and sealing-wax– Of cabbages–and kings– And why the sea is boiling hot– And whether pigs have wings.” “But wait a bit,” the Oysters cried, “Before we have our chat; For some of us are out of breath, And all of us […]
Bruce Schneier has written insightfully about Olympic security. They’ve spent $1.5 billion, and today’s marathon race was marred by some idiot leaping into the path of the front-runner, and dragging him into the crowd. It’s always tempting, and usually wrong, to say that any failure of security could be prevented. However, this Olympics has seen […]
Frank Sanache was one of eight Meskwaki code talkers. He served in North Africa, and was captured by the Germans. I’m fairly interested in the history of code talkers, and had missed the Army’s use of them. It turns out that there were code talkers in the First World War, that German civilians had travelled to […]
Beatrice Arthur, who apparently enjoys a little politics along with her fame, got irked at the airport police: “She started yelling that it wasn’t hers and said ‘The terrorists put it there,’ ” a fellow passenger said. “She kept yelling about the ‘terrorists, the terrorists, the terrorists.’ ” After the blade was confiscated, Arthur took […]
Over at TaoSecurity, Richard writes about a new report from CERT/CC and the Secret Service, studying “23 incidents carried out by 26 insiders in the banking and finance sector between 1996 and 2002.” I’m very glad that they’re doing this. I think that actually studying how bad guys carry out attacks is critical for defending […]
The fine folks at handsoffmybag.com have the first set of their tote bags emblazoned with the 4th Amendment, and are shipping! Get yours before they’re outlawed!
(Dave asked in a comment.) Yes, disabling JavaScript is a win. Here’s an IE issue, and here’s one for Mozilla. Now, using JavaScript, when it’s on, to reduce the number of clicks a user needs to make is a fine thing. I’m in favor of it. (Although I often find myself in misselect hell, when […]
“The president said he wanted to work together (with McCain) to pursue court action to shut down all the ads and activity by the shadowy … groups,” White House spokesman Scott McClellan told reporters Shadowy? What’s shadowy about free speech? There’s a very bad law in place which restricts your ability to spend your money […]
So Microsoft has released XP SP2 on a CD. I’m not currently running any Windows machines, but I figure hey, this is an important patch, and I should be able to foist it on people. So I go to Microsoft’s Order a CD site. I am curious to see what else the CD might contain. A […]
Alec Muffett comments on sysadmin resistance to applying patches. As Steve Beattie and a bunch of the rest of us wrote about, the issue is that there’s a tradeoff to be made to find the optimal uptime for a system. It’s a tradeoff between a security risk and an operational risk. Organizationally, different teams are often […]
“The Central Intelligence Agency is committed to protecting your privacy and will collect no personal information about you unless you choose to provide that information to us.” Of course, this just goes to show that “We’re committed to protecting your privacy” has finally made it to the exalted and hard-to-reach level of “Of course I’ll […]
So it seems that two members of Congress have now been added to “watch lists.” “[Representative John] Lewis contacted the Department of Transportation, the Department of Homeland Security and executives at various airlines in a so-far fruitless effort to get his name off the list, said spokeswoman Brenda Jones.” It seems that this sort of […]
In 1977, the government certified the Data Encryption Standard (DES), with a planned lifetime of 15 years. It has now been in use for nearly 30, and no longer offers even decent security. Over 6 years ago, the EFF built Deep Crack, a purpose-built machine for breaking DES, which cracked keys in under a day. NIST […]
According to David Garrity, a technology analyst in New York with Caris & Co.: It was supposed to democratize the process and let people buy in at just a few shares, but it was a miserable failure because the organizers didn’t realize the securities regulations that require people who bid to have a certain net […]
So Google popped 18% today. That shouldn’t have happened. The goal of their much-discussed auction was to ensure that they made money. The typical bubble IPO involved a “pop” of as much as 100-300% on opening day. This put huge sums in the hands of bankers and the bankers friends, sometimes illegally. Ideally, Google’s trading […]