Shostack + Friends Blog Archive


Software Liability by Contract, Not Regulation

While “other events” are causing me to prevaricate over data protection legislation in the US, it’s great to see this Wall St Journal story (reprinted in the Contra Costa Times) on large software buyers pushing for liability clauses in their contracts. “I’m paying the bill. Other companies are paying the bill,” says Ed Amoroso, AT&T’s […]


Emergent Chaos Choicepoint Posts

I have added a Choicepoint category, which is great if you want to see all my posts on Choicepoint on one long page, and I am no longer updating this roundup. I’ve been posting a lot on Choicepoint. I’ve done a number of roundup posts listing things I find interesting around the web, and a […]


Choicepoint Roundup ($16,600,000 edition)

Having already posted a Feb 28th roundup a day early, I was forced to think about a new title for today’s edition, and what better than the $16.6 million dollars that ChoicePoint CEO Derek Smith and President Douglas Curling have made selling 472,000 shares of CPS since the day before the first arrest in the […]


Choicepoint Roundup (Feb 28)

I accidentally published this too early, but given the nature of trackbacks, and other such privacy-invasive technologies, it’s too late. You know my secret. I accumulate and then (try to) post in the morning. Midnight Special asks “Where’s the accountability” and talks about government outsourcing and incentives in a well written post. Why Now has […]


Publishing a List of SSNs Will Not Fix Anything

Pete Lindstrom suggests: My proposal: List SSNs publicly. The Social Security Agency can notify all of its intent to publish all SSNs at some point in the future – enough time for organizations to absorb and react to this news. The net result is to eliminate the notion that perhaps SSNs are “secure enough” for […]


Good Folks Looking for Help

A group that wants to assist free speech in authoritarian nations is looking for a technically savvy person — a CTO or lead engineer type — who can do a short term study, possibly leading to a longer-term job. This is a paying gig for the right person. The project is intended, in its initial […]


Choicepoint Roundup for Today (27 Feb)

Choicepoint doesn’t make an appearance in the June, 2003 Congressional testimony of Leonard Bennett, (or PDF), but the testimony is on how hard it is to get your credit files corrected with those companies that follow the Fair Credit Reporting Act. Given that Choicepoint believes that they don’t even have to do that, it will […]


Choicepoint's Orientation

As Choicepoint’s little error threatens to grow into a full-blown scandal, with Attorneys-General posturing, Congressional hearings, and daily press coverage in every state of the Union, it may be worth stepping back, and asking, “Why is this happening?” It’s not just the size of the exposure, both Bank of America and PayMaxx are larger. It […]


Choicepoint Won't Benefit from Bank of America Leak

I wasn’t going to blog on BofA‘s little kerfuffle. But then Ian went and blogged about it, and I think he gets it partially right and partially very wrong. His actual conclusion is spot on: In order to share the information, and raise the knowledge of what’s important and what’s not, we may have to […]


Choicepoint Roundup for Today (Feb 26)

Chris Walsh has a really good comment on yesterday’s roundup. HCS asks, was Choicepoint going to be the data provider for the new national ID card? Ed Bott finds that birds of a feather flock together: A company that falsely claimed that ICSA labs had certified their tool has an SSL certificate issued by everyone’s […]


What's with this Dialog?

This dialog box is modal. It has no “take me there” button. Even having taken notes, I couldn’t figure out how to follow the instructions. You can “clear formatting” and make spell checking work again. A double-feh at Redmond. I take back all the mean things I said about Firefox this morning.


Two Minutes Hate

So everyone seems to be accepting at face value the claim that Choicepoint was scammed by Olatunji Oluwatosin and colleagues not yet named. But let’s step back, and ask, was there a scam? Why did these folks need to cheat? Was it habit, or necessity? What was really needed to get a Choicepoint account of […]


Quick Followups

David Akin says CIBC is getting sued for faxing information around. Prior posts are “Privacy Lessons from CIBC” and “Canadian privacy law & CIBC.” 19 days after the vulnerability was announced, Mozilla releases Firefox 1.01.


Choicepoint Roundup for Today

The Associated Press has a story “Burned by ChoicePoint breach, potential ID theft victims face a lifetime of vigilance” (actually, we all face a lifetime of vigilance, as these companies make buckets of money by gossiping about us.). The money quote: Many victims are dumbfounded by the dearth of federal and state laws aimed at […]


Roger McNamee on Sarbox

Roger McNamee has an article on how Sarbanes-Oxley is hurting public companies by making their guidance more conservative than it should be. It’s hard for executives to avoid providing some form of guidance – investors generally insist on it – but they have a big incentive to understate the outlook early in the fiscal year. […]


Finding Security Issues

In Today’s Choicepoint Roundup, I mentioned that Richard Smith had found a number of issues with Choicepoint’s web sites. In discussion, Richard told me that the issues included (but were not limited to) robots.txt files and directory listings enabled. The robots.txt standard is a way to tell search engines “please don’t go here.” That’s useful, […]


Small Bits of Chaos: Conferences and What Would Dylan Do?

This Concealed I conference in Ottawa March 4-5 looks really good. Bob Dylan joins the cypherpunks in skipping Woodstock for his trig homework: “I wouldn’t even think about playing music if I was born in these times… I’d probably turn to something like mathematics.” (NME, via Scrivner.) Who did this: Privacy Enhancing Technologies, May 30-June […]


Today's Choicepoint Roundup

The Privacy Rights Clearinghouse has an extensive sheet on what to do if you’re a victim of Choicepoint’s failure to secure data. SoftReset calls for banning the use of SSNs for non-government purposes. I take a slightly more moderate view: Anyone using the SSN is already subject to GLB liability. Random Thoughts on Politics comments […]


Disclosure and PayMaxx

There seems to be a bit of a spat going between PayMaxx, and ThinkComputer (who may have the worst web site I’ve tried to view in a long time). As documented by Robert Lemos at Ziff-Davis: Greenspan, a former PayMaxx customer, said he discovered the alleged problems in the company’s system more than two weeks […]


Oh, there it is.

Back in October, I asked, “where’s the 8-in-1 media reader to take photos directly from your camera.” From today’s Apple press release: The new iPod Camera Connector is an optional accessory that enables customers to connect their digital camera to iPod photo and import their photos into the iPod. By simply connecting the iPod Camera […]


When The Future Has No Shadow

I remember when I was in college, discussing what we’d do if we discovered we had a terminal disease. Being college students, there were lots of ways to maximize short-term fun before the disease ate you. The game theory folks talk about “the long shadow of the future,” the idea that cooperation can be rewarded […]


Today's Choicepoint Roundup

Google is running an ad when you search on Choicepoint: “ChoicePoint letter says your identity stolen? Learn your rights. www.jameshoyer.com” On clicking through, it’s just a form, asking someone to contact you. Renaissancemen has a good roundup, including the fact that only 5% of perpetrators are arrested, and a pointer to Kevin Drum arguing for […]


More on Choicepoint

“Enter ChoicePoint’s two-building campus in Alpharetta, and you get the feeling you are being watched.” starts a new story at the Atlanta Journal-Constitution. (Use Bugmenot to login.) It’s sort of ironic. Choicepoint is focused on identifying people, rather than identifying behavior that leads to trouble. They figure once you have an account, they want you […]


The Open Passport

Third, this may be all moot if the government takes the easy step of giving citizens a passport cover made of aluminum foil. According to one article “Even Schneier agrees that a properly shielded passport cover should solve the problem. He wonders why this wasn’t included in the original plans for the new passports.” writes […]


Cool Tech at RSA: i-Mature

At RSA, I didn’t get a demo, but did talk to John Brainard of RSA about i-Mature, a fascinating biometrics company. There’s been some discussion on Interesting People. Vin McClellan discusses the tech, Seth Finkelstein maps their web site, reporter Andy Sullivan plays with one, Lauren Weinstein on probable attacks, Herb Lin on the limits […]


Small Bits of Chaos: Passports, Financial Crypto

Ryan Singel has a good post on chipped passports: Bailey is right that the new passport will be harder to forge with the inclusion of RFID chips, especially since the chip would be digitally signed to prevent changes to the data in the chip. That’s a solid security measure. But, the chips create a new […]


Free Mojtaba and Arash!

Sending people to jail for expressing their opinions is wrong. In the west we’ve understood why it was wrong since John Stuart Mill wrote On Liberty. So please, for the betterment of Iran, and the entire world: Mojtaba and Arash are Iranian bloggers jailed for their ideas. What ideas is almost not relevant. Even if […]


Cool Tech At RSA

One of the best bits at RSA was at the HP booth. Marc Stiegler, Alan Karp, Ka-Ping Yee and Mark Miller have created Polaris, a system for isolating and controlling untrustworthy code on Windows. The white paper is here. It’s very simple, easy, and looks like a winner. I hope they find a way to […]


Security So Good, No One Could Login

One of the ironic bits about the RSA conference was the wireless network. Your username was your email and the password was on your badge. However, I had trouble logging in, so they gave me this username and password. I’m pretty sure that they didn’t record who I was as they did it. Even once […]


Hunter S. Thompson, 1937-2005

Hunter S. Thompson killed himself last night. While I enjoyed his books, for me, his ultimate work wasn’t reading about times I hadn’t experienced, but when his writing was live and raw, about the day, when he wrote the definitive obituary of Richard Nixon. He’s gone, and I am poorer for it.


Openness: Maps

After RSA, some friends and I went up to Russian River. I was looking at some old maps at the Quinvera Quivira Vineyard, and the caption under one said “The author of this map is believed to have had access to Drake’s secret maps.” Today, large scale maps of everywhere are easily available. But there […]


Small Bits on Programming

Max Dornseif asserts it’s easy to find bugs. (Perhaps even easier than figuring out trackbacks for his blog?) In an article in ACM Queue, Ioannis Samoladas, Ioannis Stamelos, Lefteris Angelis, Apostolos Oikonomou examine some measures of code quality between open and closed source apps.


What do Apple's Common Criteria Tools Do?

Apple has made available a set of “Common Criteria” tools. The “evaluation” page is here. The evaluation criteria is “EAL 3, CAPP, version 1.d, October 8, 1999.” (The README is a bit better.) If anyone would care to explain to me what I’ve just said, or, really, what the tools package does, I’d be much […]


Small Bits: T-Mobile, Google, Passports, Terrorism

Jack Koziol has a long post on security issues with T-Mobile’s web site. (Via /.) Did you know that Google’s “Dissatisfied? Help us improve” link only appears on the first page of a search? That’s fascinating–they expect their search to be so good that they get what you want on page 1, and you’ll complain […]


An Open Society?

Eric Rescorla discusses this account: Officer Primiano expressed extreme frustration with me as soon as I began speaking of my rights to photograph in public places. She wanted to debate the wisdom of my taking pictures and asserted that in the wake of the Sept 11th attacks on our country, I should be more interested […]


Two More on Choicepoint

See Taosecurity, on IDS and Choicepoint, and this choice excerpt from Reuters, relayed by Dave Evans at Corante’s Online Dating: U.S. investigators notified the company of the breach in October, but ChoicePoint did not send out the consumer warnings until last week. It’s fascinating that the company didn’t detect the breach, and that they seem […]


More on Choicepoint

The Atlanta Journal Constitution (use Bugmenot) reports: “We know that there is a national number that is much larger than that,” said Lt. Paul Denny of the [Los Angeles County] sheriff’s department. “We’ve used the number 400,000, but we’re speculating at this point.” Executives at ChoicePoint, which maintains one of the largest databases of personal […]


Felten on The Record Industry

Ed Felten has a great post today, asking “How Competitive Is the Record Industry?” How can we tell whether the record industry is responding competitively to DRM? An interesting natural experiment is about to start. MP3Tunes, a new startup headed by serial entrepreneur Michael Robertson, is launching a new music service that sells songs in […]


More on Fighting Terrorist Ideas

I liked how my previous post on this subject read. It was very positive, and I like being positive about the future. (I’m not very good at it.) However, there’s a contrast which needs to be drawn, between the way Yemen (Yemen? Yemen!?!) is handling some prisoners and the way the US is handling some […]


How Many Choicepoint Victims Are at Risk?

Choicepoint is a large credit bureau who denies being one. Yesterday, MSNBC reported that “more than 30,000 Californians” had been notified of problems. Now, no one opts-in to Choicepoint. No one can opt-out. They maintain files on you without your knowledge or permission. Now we know that at least 30,000 people were put at risk […]


The Real-ID Theft Act of 2005

The “Real ID” act is likely to get written into law, in two ways. First, it will pass the Senate, and be signed into law. Second, it will be one of the best examples of the law of unintended consequences in a long time. The bill would force states* to fingerprint people, and do various […]


JAG Heroics

Michael Froomkin applauds those “Military lawyers at the Guantanamo Bay terrorist prison tried to stop inhumane interrogations, but were ignored by senior Pentagon officials.”


Purpose of a System Is What it Does?

Over at POSIWID, Richard comments on airline security, with some economic analysis of bad security and why it stays around. (I think I don’t like his title, preferring ‘systems are maintained for what they do,’ which gives more credit to the emergent qualities of systems, but I digress.) He accurately assesses some positives of the […]


Dave Eggers and the Pirate Store

By reading this post, you agree not to do anything to get the author or Dave Eggers in trouble, even if those actions that lead to trouble are entirely their own, and you’re just commenting on them, even in a sort of approving way that happens to continue the unfortunate chain of events that were […]


What Did TSA Know, and When Did They Know It?

Recently, Slate had an article on how to alter your boarding passes and bypass the silly watch lists. It was picked up by BoingBoing, and it turns out that Bruce Schneier talked about it 18 months ago. Recently, I was talking to a friend who started telling me about…how to alter your boarding passes. What […]


Proof Of Concept Code, Boon or Bane

Microsoft has come out swinging against researchers who publish code: Microsoft is concerned that the publishing of proof-of-concept code within hours of the security updates being made available has put customers at increased risk. A common practice among responsible researchers is to wait a reasonable period of time before publishing such code. This generally accepted […]


Charlie Wilson's War

I’ve recently finished Charlie Wilson’s War, which Jeff Moss suggested to me. Charlie Wilson was a Congressman from Texas. Gust Avrakotos was a CIA officer. Together, they conspired to get hundreds of millions of dollars funneled to the Afghanistan resistance. The story is simply astounding–at times you think this can’t be true, but it all […]


US National ID Card

This was first created in December 2004’s Intelligence bill, loosely called the Patriot II act because it snuck in provisions like this without the Representatives knowing it. The deal is basically a no-option offer to the states: either you issue all your state citizens with nationally approved cards, or all federal employees are instructed to […]


Could We Trade Judges?

NPR is reporting that The Bush administration is seeking to justify the imprisonment of an American citizen using secret evidence. The Justice Department has asked a federal judge to throw out the case based on evidence that is being withheld from the man’s lawyers. Perhaps we could trade judges with Yemen. (Via Hit & Run.) […]


Small Bits of Chaos: Passwords, Metrics, Self-Awareness, Mozilla

Bruce Schneier has a nice article on the risks of e-commerce sites that make you establish an account, rather than just giving them money. Pete Lindstrom has an article in Information Security magazine about security metrics. Roger McNamee has an insightful post at his new blog about the importance of self-awareness generally. It’s especially applicable […]


Security Planning

Gunnar Peterson (who has a new blog) points to the public release of the worksheets from “Mission Critical Security Planner.” I haven’t read that book, but the worksheets look like useful planning documents.


Fighting Terrorist Ideas

I believe that the Wahhabi-inspired terrorist strain of Islam represents a great material danger to the ideals of liberty and equality, as well as to free inquiry and science. (The state’s response to this danger also creates a great threat to those goods.) It is thus a pleasure to see a Yemeni judge taking to […]


Small Bits of Chaos: How to Present, ID Theft Victims List

higB at secureme has good advice for presenters at security cons. Ian G has a good post explaining that government only illegally links their databases when they want to, not when it could help the citizenry. No privacy story is ever truly complete without a tool of the man talking out both sides of their […]


Shmoocon Slides

At Shmoocon, Crispin Cowan, Ed Reed, Al Potter and I ran a BOF entitled “Evidence Based Security.” The feedback I got from the audience was all positive. I was hoping that things would have gone more towards the question of what is good evidence, and how you evaluate questions, but that’s the joy of you […]


Wachovia Misdirects Customer Information

Wachovia said that, overall, 86 statements or tax forms were mistakenly sent to Pirozzi, including information on 73 individuals. Pirozzi said the number of pieces of mail was significantly higher, closer to 140. … Pirozzi tried desperately to get the problem fixed once the first batch arrived last spring, but he says that no one […]


Good Thing We're Checking IDs

Normally, I try hard to bring you only the freshest news. This has been all over the blogosphere, but I can’t resist: Slate on bypassing airport ID checks. [Other commentary on why they’re bad in the “air travel” category of this blog. Are you listening, David Nelson?]


Stefan Brands Blogging

Stefan Brands has a new blog. Stefan is not only one of the top two or three folks in the world in privacy enhancing cryptography, but he writes eloquently about the social reasons privacy is important. We worked together at ZKS, and I’m very sad we didn’t get further selling his technology. I look forward […]


SSNs and Drivers Licenses

JihadWatch is upset because (9/11 hijacker) Nawaf Alhazmi got a CA drivers license with a fake SSN. But so did 184,000 other people, most of whom have not turned terrorists. Perhaps we should focus on things other than SSN fraud in tracking down terrorists?


Top 30 Papers in Infosec

Max Dornseif has a post titled “Top 18 Papers in Information Security,” with 28 papers. But who’s counting? It’s a fascinating exercise, and I’m glad to see papers from Phrack. I’d suggest that they define top: Most influential? Most cited? Most important? I do think that no paper which isn’t available to the public via […]


Liveblogging Shmoocon: Patching

I’m at Shmoocon, and trying to liveblog a little. There’s network trouble, so it may not quite be live. I’m at Tina Bird’s talk on patching, and she mentioned that in the Teragrid attack, the attackers were hitting supercomputer centers, and there’s some evidence that they were 1) using 0day and 2) using the big […]


Vaclav Havel on the EU

For some reason, enemies of Václav Havel want him to waste his astounding moral authority by becoming Secretary General of the UN. I prefer he remain a private citizen, where there is nothing to hold him back from this most elegant dressing down of the European Union: I vividly remember the slightly ludicrous, slightly risqué […]


CEOBlogger on "IT Propaganda"

There’s a new blog, from a fellow claiming to be the CEO of a public company, experimenting with blogging. Welcome! In his second post, he responds to the WikID Thoughts, Emergent Chaos, Financial Crypto series on IT breaches, calling it an example of “IT Propaganda.” I love the ‘IT propaganda’ phrase–one of the themes that […]


Small Bits: ICANN, Mock Trials, S.116, etc

Ian Grigg and I have a letter to ICANN about Verisign. See his post. Eric Rescorla has a Kafka-esque excerpt from the “trial” of Mustafa Ait Idr, who wasn’t allowed to see the evidence against him. Mort points me to US Senate Bill 166116, introduced by Diane Feinstein, making it a crime to sell social […]


One more thing in the -We-really-mean-all department

Martin Pool says “gcc makes my day.” If the sentence “Generate traps for signed overflow on addition, subtraction, multiplication operations” means anything to you, read his post. (I’ve discussed gcc in the past here.)


A Few Ideas Connected by the Tag "Folksonomy"

Nude Cybot, in an email in which he promises to emerge soon, presumably to be exceptionally cold, mentions that folksonomies have hit Wired News. The Wired article points out that there are more “cat” (16,297) tagged images than “dog” (14,041) in Flickr. But the conclusion they draw from this, “If the photo-sharing site Flickr is […]


Eating Your Own Dogfood?

Two posts this morning grabbed my attention. They are “Hide Your Ipod, Here Comes Bill,” (at Wired) and “Sanyo asks workers to buy goods to ease loss” (Hindustan Times via BoingBoing.) In a presentation at Belisarius.com, Chet Richards applies Boyd to business. One of his suggestions, which isn’t new, is to get inside the mind […]


Sarbox and Venture Capital

The Sarbanes-Oxley act is driving up the costs of being a public company. It’s driving up both direct costs, in terms of investing in assurance technologies, audit, and new processes to produce (slightly) more reliable accounting. But much more important, it imposes a highly risky cost on CEOs and financial officers who must sign off […]


Small Bits: Research, Web Security, Saturn's Moon

Uncle Sam is trying to restrict basic research. This approach comes from such a foreign orientation I’m not even going to comment. Jeremiah Grossman has an article on easy things to do to protect your locally developed application. I still think you should look at your code, but that’s still unfortunately expensive and difficult. Finally, […]