Shostack + Friends Blog Archive

 

Iraq

I’ve realized recently that I have no real idea of what’s happening in Iraq. On the one hand, we have bubbly optimists like Chrenkoff. On the other, people like Wall St Journal reporter Farnaz Fassihi, whose email is getting wide circulation. The Iraqi bloggers I read (generally) sound more optimistic than despairing, which is good. […]

 

Nevada Gaming Commission vs. Diebold

It’s always good to see our best resources being applied to the most important things in society, like voting. The “independent” validation, paid for by the software creators, is closed to the public. But when the Nevada Gaming Commission gets into the act, it seems they know a scam when they see one. (Disclaimer: I […]

 

A message from God?

Bob Morris maps hurricanes Ivan, Charley, and Frances against voter maps. (No mention of Jeanne, which seems to have taken the same path as Frances.) Enquiring minds want to know: is this that Bob Morris?

 

Travel, Speaking Plans in October

I’m speaking at the Atlanta Chapter of the High Tech Crime Investigative association, October 11th, on a “Privacy Industry View of Reducing Cybercrime.” This is an extended version of Zero-Knowledge’s talk we gave to law enforcement. I’m speaking at the Inaugural Security Leadership conference, in Arlington, Texas on the 19th, on “Beyond Penetrate, Patch and […]

 

"A Roadmap for Forgers"

Ed Felten has a great post over at Freedom To Tinker about Rather-Gate: In the recent hooha about CBS and the forged National Guard memos, one important issue has somehow been overlooked — the impact of the memo discussion on future forgery. There can be no doubt that all the talk about proportional typefaces, superscripts, […]

 

Cultural Imperialism At Its Best

Abdul Hadi al-Khawaja is being detained for 45 days over charges of inciting hatred against the [Bahrain] regime. His Bahrain Centre for Human Rights (BCHR) ignored warnings it had contravened association laws, a government statement said. The centre had protested at the arrest, saying Mr Khawaja was just “practising his basic rights, namely free speech”. […]

 

"Tomorrow is Zero Hour"

More than 120,000 hours of potentially valuable terrorism-related recordings have not yet been translated by linguists at the Federal Bureau of Investigation, and computer problems may have led the bureau to systematically erase some Qaeda recordings, according to a declassified summary of a Justice Department investigation that was released on Monday. The problems, unsurprisingly, are […]

 

The Two 9/11 Commission Reports

I’ve just finished the 9/11 commission’s report. (Or use the Pdfhack version, a fine example of what can be done in the absence of copyrights.) One of the things that stands out for me is the stark contrast between the history and the recommendations. The history is excellent. The recommendations, less so. My largest critique […]

 
 

Appreciating Shakespeare

Recently, I found myself wondering why Hamlet had never gotten a proper treatment in Powerpoint. After another drink, I took it upon myself to remedy the situation.

 

"You will eventually be caught"

I believe that if you are a low- to mid-skilled intruder physically located in the United States, you will eventually be caught. The days when hardly anyone cared about prosecuting digital crime are ending. The FBI has 13 Computer Hacking and Intellectual Property (CHIPS) units with plans to open more. The Computer Crime and Intellectual […]

 

Firefox Software Install UI

This changed recently — spyware ‘toolbars’ started to appear for Firefox as well. It was quite a surprise to see a dialog pop up when accessing an otherwise normal-looking (though advertising-heavy) page, using my Linux desktop, prompting me to install some ‘toolbar’ .xpi file! Firefox 1.0PR now includes code to deal with this. Here’s how […]

 

Airport Screening Still Fails Tests

Do current security plans depend on no guns getting onto the planes? I hope not. Covert government tests last November showed that screeners were still missing some knives, guns and explosives carried through airport checkpoints, and the reasons involve equipment, training, procedures and management, according to a report by the inspector general of the Homeland […]

 

Verisign's Kid Credentials

So Verisign has teamed up with I-safe to issue “USB tokens” to children. The ZDnet story states that it “will allow children to encrypt e-mail, to access kid-safe sites and to purchase items that require a digital signature, said George Schu [A Verisign VP].” To me that sounds a lot like an X.509 certificate, which […]

 

What's In A Name?

“BRANSON, Mo. – A Branson man has put a face to the anonymous references people often make to “they” by changing his name to just that: “They.” Not only is he making a statement about his name, but he’s messing with the entire English language,” friend Craig Erickson said. How can you argue with messing […]

 

"Post-Totalitarian Stress Disorder"

This – the damage done to individual psyche – and not just to the physical infrastructure and institutions of the country, is what we have to always keep in mind when assessing the progress of reconstruction and democratisation in places like Iraq. If things aren’t moving ahead as fast as expected, if cooperation is lacking […]

 

Acceptable ID

Virginia Postrel writes about flying without ID: Coming home today from New York, I was a little more prepared. I still didn’t have “government-issued i.d.,” but at least I knew I was headed for trouble. I got to JFK several hours early. The young security guard wasn’t sure what to do with me and asked […]

 

account.management@gmail.com

So when Google Mail started up, I managed to register “account.management@gmail.com.” I didn’t have any particular plan for this, I just figured that it was entertaining, and a good, harmless prank could be made of it. (I specifically emailed a friend who works for Google security about it, and mentioned it in person next time […]

 

"All Persons Held As Slaves Shall Be Forever Free"

Happy Emancipation Proclamation Day! On Sept 22, 1862, President Lincoln issued the Emancipation Proclamation: “…all persons held as slaves within any State or designated part of a State the people whereof shall then be in rebellion against the United States shall be then, thenceforward, and forever free; Now, like many government proclamations, there was more […]

 

Testing Airline Data for …what?

The New York Times reports that “The Transportation Security Administration said Tuesday that it planned to require all airlines to turn over records on every passenger carried domestically in June, so the agency could test a new system to match passenger names against lists of known or suspected terrorists.” The data will vary by airline. […]

 

Iraqis Target Foreigners

Omar writes about A group of Iraqi citizens in Al Karkh/ Khidr Al Yas arrested 6 Syrian terrorists after placing a land mine at the gate of Bab Al Mu’a dam bridge from Al Karkh side. According to New Sabah newspaper, after a road side bomb exploded missing an American convoy that was patrolling in […]

 
 

CAPPS as Corporate Welfare

I’ve written in the past about how government-validated ID acts as a subsidy to privacy invasion. In the absence of such a card, I can give you whatever name I want, protecting my privacy. With such a card, it becomes easy to invade people’s privacy. Under CAPPS-2, the government would like the airlines to collect […]

 

Testing Airline Customers

Ed Hasbrouck has another pair of good posts (1, 2) on the “Free Wheelchairs” program. In the first one, he quotes from “Department of Homeland Security Appropriations Act, 2005”, H.R. 4567: (2) the underlying error rate of the government and private data bases that will be used both to establish identity and assign a risk […]

 

New York Protests

Eugene Volokh rightly criticizes a correspondent for his ad hominem attacks on NYC Mayor Bloomberg, who said (I’m quoting Volokh): But Bloomberg insisted that there’s no proof that the NYPD did anything wrong. “There is absolutely no evidence whatsoever that there was any intent by any law-enforcement official to hold people any longer than was absolutely […]

 

AT&T Wireless time service

I have cell service with AT&T wireless. One feature of the service is network time updates. It fortunately includes a confirmation. It’s great when you land in a new city. It hasn’t been so great last night or today. Last night, at 23.20, I got an update telling me that the new time was 21.15. […]

 
 

Jefferson Nickels

Samablog points to the new nickel design which will have either a buffalo or a depiction of the pacific coast on the back. The buffalo refers to the Louisiana Purchase, while the pacific coast refers to Lewis and Clark’s expedition . Despite his careers as a lawyer, diplomat, Secretary of State, and President of the […]

 

Free gropes for travellers

Over at BoingBoing, Cory points to a USA Today story at NewsIsFree about more screening. There seem to be four components: Explosives Detection Secondary screening will now always include nitrate detection swabbing. This is a fine step, but why has it taken 3 years to come in? (In fact, every time I’ve been thrown into […]

 

Qui Custodes Custodiat?

There’s a brilliant post over at Orcinus about the 9/11 commission, whose (outstanding) report I’m just getting around to reading. Really, if the Kerry campaign is serious about persuading the American public that Bush is a serious liability when it comes to securing the nation from the terrorist threat, this should be Exhibit A: Bush […]

 

Ian Grigg on Verisign

Ian Grigg has some very interesting comments on Verisign’s certificate business and what it means for privacy, over at Financial Cryptography

 

Bin Laden Unit downsized?

The New York Times reports: The Central Intelligence Agency has fewer experienced case officers assigned to its headquarters unit dealing with Osama bin Laden than it did at the time of the attacks, despite repeated pleas from the unit’s leaders for reinforcements, a senior C.I.A. officer with extensive counterterrorism experience has told Congress. A senior […]

 

Mozilla Patches

The Mozilla folks have awarded their first bug bounty payments for 14 security issues. Time to upgrade!

 

Microsoft JPG Bug, Patch, Tool

Microsoft has released a critical advisory (or, less-technical version) regarding a problem with the way JPEG files are parsed. Microsoft has released patches for their applications, and also a tool to scan for vulnerable apps. I’m not sure what to think about the tool. On the one hand, good for them! Helping customers secure their […]

 

Apple Security Updates

Apple has released an updated Security Advisory, to fix two problems introduced in the previous rev. Not a big deal, unless you happened to be trying to deal with their ftpd. As we’ve pointed out (PDF) in the past, security updates are a race between attacks and defense, and there are trade-offs you can make. […]

 

Holy Lousy Security, Batman!

Britons seemed startled by the ease with which palace security was overrun by two men in super hero costumes carrying an extension ladder….Police used a crane to extract him from the ledge as his supporters chanted “free Batman” from behind a police cordon. From the New York Times story. Or, Google News has more. The […]

 

With so many planes, it had to happen

This is a remarkably cool shot, which SteveC asserts is a plane flying in front of “The ULO telescope as it observes the transit of Venus.” I started asking what are the odds, and then ended up at a back of the envelope, why are these so rare?

 

"Want more Secure Software?"

SecurityFocus points to a nice short article over at Silicon.com, which suggests that Gartner advises that for companies building their own software, developers should be pushed to put security at the head of their list. It’s not just in-house tech makers that need a word in their ears – the analysts suggest end users should give […]

 

Mathematical Classifications

Mathematicians use a scheme called the Mathematics Subject Classification (MSC), which includes a “how to use”, as well as a long history of being revised to reflect changes in the field and, I would guess, practice in how to effectively classify things. It has a General and Miscellaneous Topics section, too. Articles must be given […]

 

Canadian Health Care

The New York Times reports on a lack of doctors in Canada, along with a rise in Canadians using emergency rooms to replace family doctors. (Use BugMeNot if you don’t want to register.) The basic problem is economic. Doctors are much better paid in the US than in Canada, and doctors can easily move. It’s […]

 

Shih shih…

The great linguist Chao Yuen-Ren once wrote an essay in Chinese using only words which (in Mandarin) would be transliterated as shih (using Wade-Giles; shi in pinyin). You can see the text in characters and two transliterations, read the translation (“A poet by the name of Shih Shih living in a stone den was fond […]

 

Bluetooth and phone security

Some Singaporean students have figured out how to use Bluetooth to turn off the cameras in Nokia’s phones, according to an article in Gizmodo, via a long chain to a now deleted newspaper article. I wonder if they turn it back on when you leave the area? However, Loosewire, the earliest still working link, implies […]

 

Airline "security"

The Webflyer points to a great David Rowell column, including: An argument ensued. Ms O’Leary not unreasonably thought it unfair to be trapped on the delayed flight when there was another flight due to leave shortly that she could make if allowed to leave the United Express flight. The pilot called the police who arrested […]

 

Swire on Disclosure

Peter Swire has a new working draft, A Model For When Disclosure Helps Security. It’s a great paper which lays out two main camps, which he calls open source and military, and explains why the underlying assumptions cause clashes over disclosure. That would be a useful paper, but he then extends it into a semi-mathematical […]

 

"Four More Pretzels?"

Over at American Spectator, Shawn Macomber writes about being arrested in New York this week, and suggests a reality TV show is in order: It could be called POWDERKEG! Each week, I’ll be arrested without my rights being read to me and held for 14 hours while police refuse to tell me what charges I’m […]

 

Taxonomies are hard

Responding to my earlier comments about science being easier at a distance, both Nude Cybot and Justin Mason have offered up substantial and useful comments on the subjects of biological taxonomies. (Justin’s have moved to email.) “Classification in Biology, or phylogenetics, is fraught with issues that we typically do not face when creating our own […]

 

Free Wheelchairs for Paraplegic Children

If you ever saw Julia Child or Jacques Pepin take apart a chicken, you’ll remember how easy they made it look. It’s a level of skill that we can all aspire to. Watching Ed Hasbrouck take apart the latest incarnation of free wheelchairs for paraplegic children is like watching Julia Child take apart a chicken. […]

 

Wikipedia vs Britannica tested

In Wikipedia vs. Britannica Smackdown, Ed Felten takes my challenge. In the meanwhile, I’d done some hypothesizing, here. So how’d I do? Hypothesis 1 is spot on. #2 is more challenging to assess: The errors in Britannica are smaller, and I think I’ll judge myself wrong. #3 I think is accurate, if only because of […]

 

Wikipedia vs Britannica

A few days ago, I challenged Ed Felten to do some more comparison work. In the spirit of Milgram, I didn’t propose a theory. (This was mostly because I was trying to make a good joke about assigning the professor homework, but couldn’t come up with one.) However, on consideration, I think that I should […]

 

Science is easier from the outside

As part of a larger project on security configuration issues, I’m doing a lot of learning about taxonomies and typologies right now. (A taxonomy is a hierarchical typology.) I am often jealous of the world of biology, where there are underlying realities that can be used for categorization purposes. (A taxonomy needs a decision tree. […]

 

Volokh commentary

This post by Todd Zywicki clearly illustrates the difference between law professors and economics professors.

 

Airline Security

In Educated Guesswork, Eric Rescorla writes about one way tickets and the search criteria. The CAPPS program was created by Northwest airlines, who set the criteria for inclusion. They included one way tickets to enforce their bizarre pricing schemes. This is the same reason they started asking for ID: to cut down on the resale […]

 

Wikipedia

Over at Freedom To Tinker, Ed Felten writes about the Wikipedia quality debate. He takes a sampling of six entries where he’s competent to judge their quality, and assesses them. Two were excellent, one was slightly inaccurate, two were more in depth, but perhaps less accessible than a standard encyclopedia, and one (on the US […]

 

Lock 'em up!

Over at TaoSecurity, Richard writes: Remember that one of the best ways to prevent intrusions is to help put criminals behind bars by collecting evidence and supporting the prosecution of offenders. The only way to ensure a specific Internet-based threat never bothers your organization is to separate him from his keyboard! Firstly, I’m very glad […]

 

The Man Who Shocked the World

I’ve recently finished The Man Who Shocked the World, a biography of Stanley Milgram. The book’s title refers to the “Authority Experiments,” wherein a researcher pressured a subject to deliver shocks to a victim. The subjects of the experiments, despite expressing feelings that what they were doing was wrong, were generally willing to continue. Other […]