The New York City Police Riots

… The arrest of Mayor Wood was ordered. Captain Walling of the Metropolitan Police was sent to arrest the Mayor but was promptly thrown out on his ear. Wood occupied City Hall protected by 300 of his Municipals who resisted a force of 50 Metropolitans sent there to arrest him. Later that day 50 Metropolitan Police descended on City Hall with night sticks in hand to carry out the order. The Municipals ran into the street and the two factions fought each other. The Metropolitans retreated. 52 policemen were injured, one crippled for life. The Metropolitan Police Board then called in the National Guard who surrounded City Hall. The Mayor finally submitted to arrest but soon returned to office released on minimal bail.

From Ubanography, but I didn’t believe it, until I found confirmation at the official website of New York City.

I’m really tickled to know that New York had two rival police forces. Thanks to Ian Goldberg for mentioning it.

Gartner to Visa, MasterCard: Play fair

Oft-quoted Gartner analyst Avivah Litan weighs in on the intriguingly gentle treatment of Sam’s Club by Visa and MasterCard:

* MasterCard and Visa: Show far greater transparency in enforcing PCI standards. There is still too much confusion about the standard and how to comply with it — confusion that is increased by seemingly unequal treatment of different types of retailers, such as Sam’s Club, and processors, such as CardSystems.

An excellent point, well worth repeating.

Fingerprint Readers and the Economics of Privacy

I used to feel bad advocating for privacy laws. I’m generally down on laws restricting private contracts, and privacy laws seemed to be an intellectual inconsistency. I’ve resolved that feeling because a great many privacy-invasive systems depend on either social security numbers or government-issued identity documents. It seems quite consistent to restrict how such documents can be used.

But your fingers aren’t government issued. So the same logic doesn’t apply. Now Government Computer News reports that “DHS shoves fingerprint tech forward:”

The Homeland Security Department is working with the departments of Defense and State, the FBI and the Commerce Department’s National Institute of Standards and Technology as well as technology vendors to develop a new generation of 10-finger “slap capture” units for fingerprint collection.

DHS is pushing a new generation of readers. A “10-finger slap reader” is a reader designed to rapidly read fingers without a need to roll each one for a good read. The new technologies are also supposed to be AFIS compatible, which will be tricky.

The trouble with these five agencies coming together is that they create a predictable, profitable market to encourage R&D spending. Once that money has been spent, these systems will be put in place all over the place.

I’m opposed to driving down the cost or efficiency of bulk fingerprinting. It should remain an expensive process to discourage its use. The cleared, desensitized functionaries who are putting forth what they label a challenge are also putting forth subsidies for a future privacy invasion infrastructure. In many ways worse than that, they’re sending a clear message that “visitors are no longer welcomed, they’re made to feel like suspects in a criminal investigation.”

One question to ask is, what happens when everyone tries to do this and use fingerprints as authenticators? When the same authenticator is widely used, it becomes easy to steal. I know that many of my employment agreements have included security policies such as not re-using a password; does anyone have a contract forbidding re-exposure of biometrics? (I’d be happy to help someone create one.) What happens when all ten of your fingers have been claimed by companies whose terms of service forbid you from using that finger elsewhere? Will you be required by contract to resist fingerprinting after arrest?

(Thanks to GCN for the ‘neutral’ headline, and Alice Marshall for the pointer. Fingerprints by Tow Zwierz, on Flickr. Click the image for the large version. [Updated: Sorry to misspell your name there Tow.])

How To Train Users

[Update: I had accidentally linked an out of stock edition on Amazon. The new link has copies in stock.]

Part of me thinks that training users is a cop-out. It’s a way for the technology industry to evade responsibility for the insecurity of their products, and blame customers for manufacturers’ failings. At the same time, I’m fond of the flexibility that computers give me to do all sorts of things, some of them stupid.

I think that we need to do more to make security usable, to set the defaults right, and to reduce the desensitization that so many products engage in.

What’s worse, auditors and consultants love to insist that you train your users about the importance of security. And that means that training material like Ben Rothke’s “Computer Security: 20 Things Every Employee Should Know” may well be useful.

I have a fondness for little books. That it is hard to write concisely is a subject I intend to talk about quite a bit. Rothke’s ‘20 Things’ is best understood as a collection of short essays, a page or three in length. Each is easily digested and understood, and the book as a whole is a fine component of an education program until we start creating better products. It is a little book in the very best of ways. In other words, you ought to be buying this book, and its sequels, for a long time to come.

Mossberg's Mailbox

This week’s Mossberg’s Mailbox has a great point that I can’t resist sharing: “However, I feel compelled to note that, if you allow your Internet usage to be totally ruled by security fears, you may miss out on a lot.” He then goes on to discuss some of the always-on benefits, such as automatic updates and online backups while you sleep. Mr Mossberg doesn’t discuss the potential risks of leaving your computer on more often, but given the current rate of exploitation, I think this is really an irrelevant concern. Let’s hear it for some sane thought on risk.

Two on the Iraqi Army

A spokesman for the American military command that oversees training of the Iraqi forces also said that while he did not know the security forces’ ethnic mix, he believed that there were more Sunni troops than the election data suggested.

From the New York Times, “Election Results Suggest Small Role For Sunnis in Security Forces.” Contrast with the details from Knight Ridder “How the story was reported:”

(More after the break. Split strangely to allow me to test a change.)


Marriott Vacation Club, 206,000 records, backup tape

Marriott International Inc.’s time-share division said yesterday that it is missing backup computer tapes containing credit card account information and the Social Security numbers of about 206,000 time-share owners and customers, as well as employees of the company.

Officials at Marriott Vacation Club International said it is not clear whether the tapes, missing since mid-November, were stolen from the company’s Orlando headquarters or whether they were simply lost.

From the Washington Post, via CSO Online.

London and Terror Threats

The BBC reports that the Mayor of London says “there had been 10 attempted attacks since 11 September 2001, two of which had come since the 7 July bombs.” (“Threat to London ‘disorganised’”) Where are the perpetrators? Are they free, because of insufficient evidence? Are they in jail? Were they killed by security forces? Claims such as these matter, and need to be backed by evidence.

Also in the BBC, a long article regarding security in mass transit, “The unlikely enemy of the terrorist:”

…public transport is much harder to protect. There were nearly one billion journeys made last year on the UK’s network, which has 2,500 mainline railway stations and one of the biggest underground systems in the world.

The design is a triumph of convenience, so passengers hop on and off buses, Tubes and suburban trains without the check-in desk or long queues familiar to air travellers. And the stations are built to ease the passage of millions of people each day, with open spaces and multiple entries.