Shostack + Friends Blog Archive

 

Privacy and Obscenity?

Put bluntly, the law of obscenity, no matter how longstanding, has never satisfied constitutional requirements, and it never will. Finally, a judge has been brave enough to say as much. This opinion is notable for that reason – and for Judge Lancaster’s novel approach. His opinion attacks the obscenity laws on privacy grounds – and […]

 

Small Bits of Irony: Secure Flight, Insecure Borders

Bruce Schneier talks about Secure Flight being an improvement over the current watchlist system, but can’t give us details. The new system will rely on more information in the reservation. But if we don’t have that more information on the person on the watchlist, what will happen? E.g., if there’s no known birthday for […]

 

More on Nothing to Hide

Chapell points out a very interesting correction at the top of this Seattle Times story: A previous version of this story on Tukwila firefighter Lt. Philip Lyons being charged with first-degree attempted arson incorrectly stated that police reports indicated he had used his Safeway Club Card to purchase 16 fire-starters between June and August. Lyons […]

 

Small Bits of Hope

Some moving blog posts from Iraq include Hammorabi, Messopotamian, and Iraq the Model: The first thing we saw this morning on our way to the voting center was a convoy of the Iraqi army vehicles patrolling the street, the soldiers were cheering the people marching towards their voting centers then one of the soldiers chanted […]

 

Good Luck to Iraqis!

In tomorrow’s elections. I have to say that despite a great deal of skepticism in the feasibility, and disappointment over the execution, of Bush’s vision for the Middle East, it represents one of the core American beliefs. Lincoln called the ideas of democracy the last, best hope of mankind, and in that, he was […]

 

New York Times Links

Aaron Swartz has produced a link generator for the New York Times. It takes a URL and makes it archival, so that it doesn’t expire, and you should be able to visit it after two weeks are up. It’s a lazy Saturday afternoon; Atlanta is shut down by the half inch of snow that fell […]

 

More on Economic Analysis of Vulnerabilities

Dave Aitel has a new presentation (“0Days: How Hacking Really Works“) on what it costs to attack. The big cost to attackers is not vulnerability discovery, but coding reliable exploits. (There’s an irony for you: Attackers are subject to the same issues with bad software as their victims.) The presentation is in OpenOffice format only […]

 

Small Bits of Chaos: Vidal, SP2, Iraq

Gore Vidal has a few choice words about the President’s Inaugural address, at DemocracyNow. A Russian company, MaxPatrol, has published a paper on bypassing heap and stack protection for Microsoft Windows XP with SP2. Winterspeak has an interesting summary of Iraq: The big bet that President Bush placed all these months ago, the bet that […]

 

Nothing to Hide, Plenty to Fear

Longtime security and privacy researcher Richard M. Smith tells Farber’s IP list about Philip Scott Lyons, a Tukwila, Washington firefighter. Lyons was accused of arson because he’d bought the same type of fire starters at Safeway. Or, that’s what Safeway’s “Club Card” records show. How or why they were obtained isn’t clear. The charge was […]

 

"Analysis of the Texas Instruments DST RFID"

A group at Johns Hopkins and RSA Security have interesting new attacks on the RFID chips used in Mobil Speedpass. They’ve put up a web site at http://www.rfidanalysis.org, and gotten some press at the New York Times. [Edited 29/4/2017 to unlink RFIDanalysis.org because Google claims it’s distributing malware.]

 

Folksonomies, Tested

I’ve just stumbled across this abstract comparing full-text searching to controlled vocabulary searching. The relevance to Clay’s posts on controlled vocabularies is that our intuitive belief that controlled vocabulary helps searching may be wrong. Unfortunately, the full paper is $30–perhaps someone with an academic library can comment. …In this paper, we focus on an experiment […]

 

Small Bits of Chaos: Brazilian Democracy, Traffic Cameras, Locks, Hamas, and Curtains

Lessig discusses what democracy looks like in Brazil: I remember reading about Jefferson’s complaints about the early White House. Ordinary people would knock on the door, and demand to see the President. Often they did. The presumption of that democracy lives in a sense here. And you never quite see how far from that presumption […]

 

"The Arthur Andersen Of Banking?"

Over at The CounterTerrorism Blog, Andrew Cochran accuses Riggs Bank of being “the Arthur Andersen of banking.” Riggs is apparently pleading guilty to violating the Bank Secrecy Act, by “failing to file reports to regulators on suspicious transfers and withdrawals by clients.” I’d like to address the comparison to Arthur Andersen, and through that lens, […]

 

Small Bits of Chaos: Taxes, Orientation, Liberty, Fraudulent Licenses

Scrivner writes about the perverse nature of the AMT. Chuck Spinney at D-N-I asks “Is America Inside Its Own OODA Loop?” The article contains some very clear writing on the meaning of orientation, and applies that idea: He showed why the most dangerous internal state of an OODA loop occurs when the Orientation process becomes […]

 

Ben Rothke on Best Practices

Best practices look at what everyone else is doing, crunch numbers—and come up with what everyone else is doing. Using the same method, one would conclude that best practices for nutrition mandates a diet high in fat, cholesterol and sugar, with the average male being 35 pounds overweight. Writes Ben Rothke in a short, incisive […]

 

Towards an Economic Analysis of Disclosure

In comments on my post yesterday, “I Am So A Dinosaur“, Ian asks “Has anyone modelled in economics terms why disclosure is better than the alternate(s)?” I believe that the answer is no, and so will give it a whack. The costs I see associated with a vulnerability discovery and disclosure, in chronological […]

 

I Am So A Dinosaur…

…and I was one before it was cool. Crit Jarvis responds to my comment that my views on disclosure have ossified by claiming that I’m evolving. The trouble is, I have documented proof it’s not true. From my homepage: Apparent Weaknesses in the Security Dynamics Client Server Protocol. This paper was presented at the DIMACS […]

 

Patterns of Conflict, Easier on the Eyes

I’ve been posting a fair bit about Boyd. Boyd wrote very little. Most of his communication was in the form of briefs. At least two of you have publicly admitted to getting the slides, and, if you’re like me, struggled with the form of the presentation: A scan of a typed, hand-annotated presentation book. There’s […]

 

More on Do Security Breaches Matter?

In responding to a question I asked yesterday, Ian Grigg writes: In this case, I think the market is responding to the unknown. In other words, fear. It has long been observed that once a cost is understood, it becomes factored in, and I guess that’s what is happening with DDOS and defacements/viruses/worms. But large […]

 

Small Bits of Chaos: Blind overflows, National ID, and Looney Tunes

SecurityFocus has a new article on blind buffer overflows. I’m glad these techniques are being discussed in the open, rather than in secret. Julian Sanchez has the perfect comment on Congressman Dreier’s new national ID plan, at Hit & Run. And finally, don’t visit this Looney Tunes site if you’re busy. (Via Steven Horowitz at […]

 

Do Security Breaches Matter?

Nick Owen posts about the stock valuation impact of security breaches. This UMD study found that a firm suffering a breach of ‘confidential information’ saw a 5% drop in stock price while firms suffering a non-confidential breach saw no impact. I read it as the market over time learning the difference between a DOS attack […]

 

Catastrophe and Continuation

Dr. David Ozonoff, a professor of environmental health at the Boston University School of Public Health who originally supported the new laboratory but now opposes it, argues that biodefense spending has shifted money away from “bread-and-butter public health concerns.” Given the diversion of resources and the potential for germs to leak or be diverted, he […]

 

California Privacy Law

CIO Magazine has an article “Riding The California Privacy Wave,” reviewing California’s new and pending privacy laws. There are bits I wasn’t aware of, such as SB 186 168, preventing “businesses from using California residents’ Social Security numbers as unique identifiers.” There’s a slew of new laws in California, a great many of which affect IT […]

 

Economics of Taxonomies

In his latest post on folksonomies, Clay argues that we have no choice about moving to folksonomies, because of the economics. I’d like to tackle those economics a bit. (Some background: There was recently a fascinating exchange between Clay Shirky and Louis Rosenfeld on the subject of taxonomies versus “folksonomies,” lightweight, uncontrolled terms that users […]

 

Mac Software: Memento

Memento is an application that helps you find web pages you’ve stumbled across and forgotten where the site is. It does this by searching the cache (copies that Safari keeps locally). Very cool, and free.

 

Congrats to David Akin

I first met David Akin when he was covering Zero-Knowledge Systems, where I worked. David was always insightful, and even when he thought he saw us blowing smoke, he was pleasant about it. So I’m both disappointed and excited to see that he “will join CTV’s Ottawa bureau as a Parliamentary Reporter.” I sincerely hope […]

 

Application Layer Vulnerability, an Orientation Issue

Richard Bejtlich comments on a new “@RISK: The Consensus Security Alert“, which starts: “Prediction: This is the year you will see application level attacks mature and proliferate.” He says: You might say that my separation of OS kernel and OS applications doesn’t capture the spirit of SANS’ “prediction.” You might think that their new warning […]

 

All Good Things Must End

Phrackstaff is pleased to bring you _our_ LAST EVER CALL FOR PAPERS for the FINAL RELEASE of PHRACK. … Since 1985, PHRACK MAGAZINE has been providing the hacker community with information on operating systems, network technologies and telephony, as well as relaying features of interest for the international computer underground. PHRACK MAGAZINE is made available […]

 

CCS Industry Track

I’m excited to be a part of the ACM’s 2005 Computer and Communication Security Conference, which has an Industry Track this year. We’re working to foster more interplay and collaboration between industry, the public sector, and academia: The track aims to foster tighter interplay between the demands of real-world security systems and the efforts of […]

 

Secure Programming

Dave Wheeler has a new article out “Call Components Safely.” Developers should take a few minutes to read it.

 

"Just the Standard Rhetoric"

…Iran’s supreme leader, Ayatollah Ali Khamenei, told Muslims making the annual pilgrimage to Mecca that Rushdie was an apostate whose killing would be authorised by Islam, according to the Iranian media. How very reassuring and level-headed of the British to respond by saying: The Foreign Office said: “The key thing from our point of view […]

 

Software Security: What's Your Next Move?

I met Gunnar Peterson after attending one of his talks at BlackHat. It was very well done, and it looks like he’s now offering longer versions. If you’re concerned about the security of your software, and want to improve your development process, you should consider this. If you produce software, and aren’t concerned about the […]

 

Rob Slade Ben Rothke Writes a Positive Review (Forensic Discovery) [Ooops!]

Rob Slade reviews security books. No, more generally, Rob Slade points out in excruciating detail the flaws in security books. So when he I misread a post from ISN and think it says Slade, rather than Rothke, I look like a real fool who can’t find the flaws in my own writing. Really, Ben Rothke, […]

 

Small Bits: Secret Law and Security, Root-Fu, New Blog, and Canadians Stagnate

Cory Doctorow points to a letter he’s sent American Airlines about: The security officer then handed me a blank piece of paper and said, “Please write down the names and addresses of everyone you’re staying with in the USA.” and his Kafka-esque experience in trying to find out why they were asking. Good on Cory […]

 

Attackers Are Evolving, Are You?

When I was getting into computer security, back in the dark ages, when Nirvana was releasing albums, hacking was an art. It was passed along in hard to find text ‘philes’, which were a mixture of technology and philosophy. 2600 Magazine remains an example of this sort of old-school hackerdom. The world-view that accompanied the […]

 

Why I Want HTML Export (from Keynote)

Lately, I’ve been complaining that Keynote still can’t export to the web. Now, I’ve been remiss in ensuring all of my writing is in HTML. I’ve been slowly going back and converting things, as I have a few minutes, or as I want to link to something I’ve said. Today, in posting a comment to […]

 

"Thinking WiKID Thoughts"

Nick Owen has a new corporate blog up. His very first post is “Why ROI is a crappy measure for Information Security.” I look forward to more.

 

Canada, Land of Rugged Individualists?

Well, for the sake of our non-Canuck visitors, a brief primer is in order. The post 1960’s Canada can be better described as Trudeaupia – a progressive-era dream that just kept on chugging along. The stage in our history where good liberals had become bad Liberals and were well past the point of no return. […]

 

Small Bits of T-Mobile

A friend wrote to T-Mobile and asked if his data was compromised in the T-Mobile break-in. A service droid sent him a press release. My comments are pointed to by the brackets. Customer, Please see the press release below regarding the hacker investigation with T-Mobile’s customer information. If your information was compromised you would have […]

 

Symposium on Usable Privacy And Security CFP

The Symposium on Usable Privacy and Security will be July 6-8 at CMU: The Symposium on Usable Privacy and Security (SOUPS) will bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy. The program will feature refereed papers, tutorials, a poster session, panels and invited talks, and discussion sessions.

 

Small Bits of Chaos

The Globe and Mail has a good story on how copyright law is preventing the re-release of “Eyes On the Prize:” The makers of the series no longer have permission for the archival footage they previously used of such key events as the historic protest marches or the confrontations with Southern police. Given Eyes on […]

 

Mac Software Updates

Devosquared has a new release of PowerCard. If you need project management, check this out. It fixes a “bug” where you couldn’t mark days as “weekend.” As a startup person, I’m not sure why that needed fixing, but maybe it matters. Apple has announced a new release of Keynote, which still can’t export to the […]

 

The Iron Fist and the Orange Revolution

There’s a fascinating and moving article in the New York Times about how elements of Ukrainian intelligence aided Yushchenko in his bid to overturn the first, fraudulent election: Whether the collaboration was a convergence of political aims, or a pragmatic understanding by the siloviki that Mr. Yushchenko’s prospects were rising, is subject to dispute. Yulia […]

 

Trouble with Surveying Cybercrime

In a comment yesterday, Chris Walsh said: In any case, this should not be a difficult nut to crack, in principle. The US government conducts surveys of businesses all the time, and is capable of obtaining quality samples and high response rates in which academics justly have confidence. In theory, I agree with Chris. In […]

 

Students for an Orwellian Society

These heroic students have made many sacrifices in the name of IngSoc. They stand as a stirring example to us all. They have denounced the crimes of Davis Sos, who promised over 100 IngSoc posters, but have shirked their duty, and squandered the money provided to them. Those students are now hard at work being […]

 

DHS to Survey Cybercrime

In what they hope will become the premier measure of national cybercrime statistics, officials at the Homeland Security and Justice departments plan to survey 36,000 businesses this spring to examine the type and frequency of computer security incidents. This is a really exciting development. DHS seems to be taking a good approach, and in a […]

 

Giving New Meaning to "You Can't Get There From Here"

Microsoft MapPoint helpfully suggests this scenic route from Haugesund, Rogaland, Norway to Trondheim, Sør-Trøndelag, Norway, when asked for the quickest. This route may well be the quickest that includes England, France, Belgium, the Netherlands, Germany, Denmark, and Sweden. James Tyre (who credits David Flint) told Eugene Volokh.

 

More on DNA Dragnet

Chapell nails the “why you might have nothing to hide, but hide anyway” angle: Even more troubling is the possibility that the person whose DNA was inside this woman may very well have had nothing to do with the crime. But rest assured, that won’t matter to the hundreds of police, FBI, press, and other […]

 

More on TMobile

The LA Times has a story on Jacobsen, the hacker, and the AP has a story with more technical details. The Infosec Potpourri blog has some analysis of the AP story.

 

Model Checking One Million Lines of C Code

Hao Chen, Drew Dean, and David Wagner have a paper of that name in Proceedings of the 11th Annual Network and Distributed System Security Symposium (NDSS), pages 171–185, San Diego, CA, February 2004. Hao Chen’s papers page has powerpoint, PDF and PS, as well as this abstract: Implementation bugs in security-critical software are pervasive. Several […]

 

On Torture

The New York Times reported yesterday that the White House fought for the CIA’s right to torture. In a letter to members of Congress, sent in October and made available by the White House on Wednesday in response to inquiries, Condoleezza Rice, the national security adviser, expressed opposition to the measure on the grounds that […]

 

Small Bits of Chaos

Scrivner points out a basic lack of agreement amongst the pundits: Damn that Bush, cleverly whipping up this fantasy of a threat to scare people into voting for him. … Damn that Bush, ineptly bungling America’s defense against the most dangerous threat Ian has a post about Ron Paul trying to ban the government issuance […]

 

What Makes Good Science?

Over at the Volokh conspiracy, Jim Lindgren writes: Crichton then describes scientific consensuses that turned out to be wrong. I don’t think that there is anything wrong with talking about the consensus of scientists or social scientists (and I certainly do so myself), but one must remember that it is the quality of the evidence […]

 

Financial Cryptography

The conference, not the blog, is now accepting registrations. The program looks really good this year.

 

Hotel Rwanda

I saw Hotel Rwanda this weekend. It’s a true story of a hotel manager who saved over 1,000 people from genocide. If you’ll allow me a moment of disgusted sarcasm, I look forward to the sequel, Hotel Darfur, now in pre-production. The story is the same: No one is bothering to intervene in African genocide, […]

 

T-Mobile

A sophisticated computer hacker had access to servers at wireless giant T-Mobile for at least a year, which he used to monitor U.S. Secret Service e-mail, obtain customers’ passwords and Social Security numbers, and download candid photos taken by Sidekick users, including Hollywood celebrities, SecurityFocus has learned. … T-Mobile, which apparently knew of the intrusions […]

 

Blog Spam

Stefan Geens has a long post on why SixApart’s TypeKey system is not a good solution to blog spam. He points out that the system has bad economies of scale: Here too, the spammer needs to sit down, get a key, pretend to be human for a minute and behave until he gets a comment […]

 

Penny-Wise, Pound-Foolish?

The Supreme Court has just heard a case, Tenet vs Doe, over promises allegedly made to spies: Two former Soviet-bloc diplomats recruited to spy for the CIA during the Cold War say the agency later reneged on promises to compensate them for the dangerous missions they performed. The husband and wife team are bringing this […]

 

DNA Dragnets and Criminal Signaling

In responding to my comments about Truro’s DNA dragnet, with a fascinating discussion of signaling, Eric Rescorla writes: Even if they’re not the perp, they may have other reasons not to have their DNA collected–for instance they’ve committed another crime that their DNA might match to. (The police say they’re only going to use the […]

 

Private Lives and Psychology

“In a very deep sense, you don’t have a self unless you have a secret, and we all have moments throughout our lives when we feel we’re losing ourselves in our social group, or work or marriage, and it feels good to grab for a secret, or some subterfuge, to reassert our identity as somebody […]

 

Threatcode

In a post to the patch management mailing list, Jay Woody mentions Threatcode, a site dedicated to tracking and shaming badly written code. Cool! I wish the site was a little easier to read, but nice going!

 

Safari

The “back” button in Safari is way too close to the “close” button. Safari would be a much better browser if there was an option to not close (or confirm closing) the window if there are multiple tabs open. Bugger it!

 

Ban Windows, Not Cell Phones

Scrivner has another great post, this one to a study at Virginia Commonwealth University. (My link is to the study, not the press summary Scrivner links.) The press summary claims that rubbernecking accounts for 16% of accidents, looking at scenery or landmarks 10%, while cell phones account for only 5%. Clearly the answer is to […]

 

DNA Dragnet

The city of Truro, Massachusetts is trying to collect DNA from all 790 residents to solve a crime, reports the New York Times. It’s not clear why they believe that residents are more likely to be the criminal than non-residents, and it is clear that they don’t get the 4th amendment, against dragnet searches, or […]

 

Small Bits of Chaos

Simson Garfinkel announces a new article analyzing the security of Skype. JihadWatch comments on a story on NPR yesterday, bemoaning the descriptivist reality that Jihad is now used to describe violent acts of terror. I heard this story on the radio, and the commentator’s prescriptivist bias of “Darn it, this is what the word means!” […]

 

Economics of Price Discrimination

Scrivner points out that the airlines, masters of price discrimination, are giving up: In response they’ve become perhaps the world’s most expert practitioners* of price discrimination, mastering the art of charging the business traveler $1,000 more than the tourist in the next seat in exchange for a short-notice booking with few restrictions. But even that […]

 

Does Ryan Singel Need A Privacy Policy?

Yesterday, I commented that Ryan Singel, in his review of Robert O’Harrow’s* new book, had an Amazon tracking URL. I was mostly noting the irony of aiding tracking in a post titled “Pay Cash for This Book,” but Ryan comments: “it got me to thinking that this site has no privacy policy.” Not to pick […]

 

Framing Effects and Apple

Until I read John Gruber’s latest Daring Fireball on “The Rumor Game,” I was firmly in the “Apple is being Ridiculous” camp, and “Apple is chilling free speech” camp. The essence of the story is Apple is suing a rumors site because they’re leaking product details. What Gruber points out, and a quick Google search […]

 

Presentation of Risk

The Wall Street Journal posted this table today, in an article on how risks are presented. Note the lack of a time scale. Is that a lifetime risk of a heart-attack? Are there lifetime stats for Vioxx takers? How does that risk compare to the risk of winning the lottery? Those odds are (I’m guessing) […]

 

Small Bits of Chaos

Ryan Singel reviews Robert O’Harrow’s new book, No Place To Hide. O’Harrow covered the CAPPS-II and other privacy stories for the Washington Post. In the spirit of the story, I’ve left the little tracking bits from Ryan’s Amazon URL. If you’d like a less tracked version, click here, or type the title into Amazon. There’s […]

 

Help! Mac Project Management Software

I need project management software for a small project (20-50ish tasks, 8-10 people come and go and need to be assigned tasks.) I’d like software that will assign resources to time blocks, handle dependencies, and be easy to use. I’ve spent the morning testing apps, going until I found something either I or the software […]

 

Boyd's Relevance Today

In a comment, Ian Grigg asks, “I haven’t got to the modern stuff yet, so quite what he has to say that is currently relevant eludes me for now.” Over at Defense and the National Interest, there’s an article that draws heavily on Boyd: In a new briefing [1.7 MB PPT], three retired officers—each hailing […]

 

Disclosure

Adam Laurie and company continue to not release code for their Bluetooth attacks, and vendors continue not to fix them. Are we better off, with millions more Bluetooth devices out there? Do we expect that there will be no release of code, and that without POC code, we’re safe? Bluetooth is different from internet vulns, […]

 

Small Bits of Chaos

Ed Felten announced a “Clip Blog,” of short articles with no or small comments. Hmmm. Neat idea. Ian Grigg gives us his thoughts on the Abagnale controversy: [Clausewitz] said something to the extent of “Know yourself and you will win half your battles. Know your enemy and you will win 99 battles out of a […]

 

Boyd

John Boyd was arguably the best fighter pilot in American history. While at the Air Force Fighter Weapons School, he was not only undefeated, he won every fight so fast he was known as “Forty Second Boyd.” While there, he wrote the “Aerial Attack Study,” which transformed the study of fighter combat from an art […]

 

Educated Pat-Downs

Eric Rescorla has two good posts on screening at Educated Guesswork. I’d still like to expand the range of questions, and ask, is intense personal screening effective or needed? Can we use air marshals, different aircraft designs, and armed pilots so that we don’t need to compare rub-downs to millimeter-wave X-rays?

 

Small Bits of Chaos

Much as I hate blogging anything from Slashdot, Why the Space Station Almost Ran Out of Food is great. (The previous crew had permission to borrow the current crews’ food, but didn’t record how much they’d eaten.) Maybe they could get jobs working for the Social Security administration. John McWhorter has a new book out, […]

 

Evaluating Security

The study, published in the January issue of the journal Emerging Infectious Diseases, concluded that the estimated $7.55 million spent on [SARS] screening at several Canadian airports failed to detect one case of the disease. … “Sometimes what seems like a reasonable thing to do doesn’t turn out that way,” the report’s lead author, Dr. […]

 

370,000 Absconders

Buried in this story about tracking illegal immigrants is the interesting item that as of early 2003, of 6,000 Muslims who absconded within the US after being told to leave the country, only 38 percent had been found. That left over 3,500 still at large. How many have been caught since then? Where are the […]

 

Ratty Signals

So, we have a security signal that’s available, but not used. Why might that be? Is the market inefficient, or are there real limitations that I missed? There are a few things that jump to mind: Size of code issues. More code will produce a longer report. RATS produces a line count, but doesn’t issue […]