Shostack + Friends Blog Archive


Small Bits: Caller-ID, FBI Lies, Intel Reform, and GCC

  • Wired is carrying a Reuters story blaming VOIP systems for security flaws. The claim is that VOIP, by allowing everyone to set their caller ID string, is causing security problems. This is false. These security problems have existed and have been exploited for a long time. For banks, or anyone else, to rely on caller ID when the provider accepts no liability is an accident waiting to happen. And now it has. Don’t blame VOIP. Blame the financial services companies who have placed their convenience over your security.
  • Ed Hasbrouck has a long article on the FBI’s grubbing around in personal data:

    Once again, the question comes down to whether the TSA was incompetent or lying: Was the TSA actually unfamiliar with the FBI’s analysis of the content of PNR data, even as the TSA was devising massive, and massively intrusive, systems highly dependent on what such data might contain? Or was the TSA actually aware, from its familiarity with at least the structure of the FBI data set, that PNRs invariably contain personally identifiable information on people other than passengers, in the form of the required unique agent sine?

    These folks would be a lot more trustworthy if they could be relied on to get basic facts right in their public statements.

  • Speaking of trustworthy, the Economist has an article on intelligence agency reforms.
  • Lastly, GCC4 has a new feature, mudflap, for debugging pointers and some stack/heap issues. The Slashdot discussion has some good bits.