Shostack + Friends Blog Archive

 

The Alexis Park ATMS are Perfectly Safe

Hackaday posts pictures in “defcon day 2 – don’t use the atm.” I don’t trust the ATMs at any Defcon haunt anymore, and was surprised to see a fellow I respect stick his ATM card into the machine at Hamburger Mary’s. I do wonder if any of the well-dressed guys using the ATMs were adding […]

 

Long Bits of Stuck in McCarran International Airport

Kudos to McCarran International Airport (Las Vegas) for having free wifi. And congrats to my fellow Defcon attendees for stealing the cookie that authenticates me to this blog off that wireless net. Tech Policy points to Bill West at Counterterror blog, in “Liberty & Security vs. Terror – an American Perspective.” It’s worth reading in […]

 

At Black Hat

I’m at Black Hat and Defcon through Sunday, and blogging will be light, and slightly error-prone.

 

Why Not Accept Random Searches?

In comments, Izar asks why we feel that having policemen check up on us is an affront to our liberty. He also asks that we call him a “serf of the totalitarian state machine,” so I shall. I suppose I might feel differently if, regularly, people around me were being murdered by terrorists. But the […]

 

Job Openings

My friend and colleague Scott Blake is looking for smart people: I have openings for 5 information security analysts. Level of seniority is negotiable, but I prefer senior-level folks. I’m looking for the following specialties: security awareness training/communications, secure application development, risk assessment, network architecture, and security policy development. I also have an opening for […]

 

Are Police the Best Response?

A few weeks ago, it came out that the MTA wasn’t spending their security budget: In December 2002, the Metropolitan Transportation Authority announced it had completed a lengthy assessment of potential threats to the city’s transportation infrastructure, from subway lines to major bridges. The authority, which had begun the study in the weeks after the […]

 

Canadian Telco Telus Blocks access to Union Website, How to Access

Michael Geist has the scoop at “Telus Blocks Subscriber Access to Union Website.” Short version: Telus and their union are fighting. Telus has chosen to prevent their customers from reaching “Voices for Change,” the union website. I urge Telus customers to call customer support and ask what’s up. Repeatedly. Voices for Change also suggests […]

 

Risks of Data Collection and Use

David Cowan tells a sad story about his experience with unauthorized data collection and use in “Freshman Week.” Speaking of unauthorized data collection and use, Jonathan Krim reports that “License-Screening Measure Could Benefit Data Brokers:” Jason King, spokesman for the American Association of Motor Vehicle Administrators, said commercial data brokers are notorious for refusing to […]

 

If You Have Nothing to Hide…

In “Behind-the-Scenes Battle on Tracking Data Mining,” the New York Times reports that the Department of Justice really does care about privacy, and really doesn’t want those nosy Congressional committees poking about how the government operates. So, why should they care? Are they hiding something? Of course, this being a New York Times article, there’s […]

 

105°. But It's a Dry Heat

It’s going to be 105 (or so) in Las Vegas for Blackhat, and, as always, a little hotter for Defcon. Tickets for the DC702 Summit/EFF Benefit are for sale online through Monday. As a smaller, private event, I expect the AC will work. So you should be there, instead of say, lolling about by the […]

 
 

What Do You Have to Do To Get Fired Here?

Ryan Singel has the scoop. The GAO report to Congress is also covered in the New York Times, “Flight Database Found to Violate Privacy Law:” “Careless missteps such as this jeopardize the public trust and D.H.S.’ ability to deploy a much-needed, new system,” Senator Susan Collins, Republican of Maine, wrote on Friday to Secretary Michael […]

 

Consent, Submit, Forest, Trees

Kip Esquire has a good post, “On ‘Consenting’ versus ‘Submitting’ to a Search.” The upshot is: If you happen to be stopped for a search such as this, you should not say “Yes I consent” or “Sure, go ahead.” Rather try saying something like “I consent to nothing, but if you are requiring me to […]

 

Iowa State, 2037 SSNs and 2,379 CC, "Hacker"

The Iowa State University is sending out a warning to alumni Wednesday after a hacker had access to the alumnae association Web site. A computer at Iowa State University’s Alumni Association was hacked into, allowing outside access to thousands of Social Security numbers and pages of credit card information. … By tapping into the computer, […]

 

New York to Randomly Beat People In Hopes of Beating Terrorists

Police will begin randomly beating people entering city subways, officials announced Thursday after a new series of bomb attacks in London. “We just live in a world where, sadly, these kinds of security measures are necessary,” Mayor Michael Bloomberg said. “Are they intrusive? Yes, a little bit. But we are trying to find that right […]

 

"Not the Blitz"

So says SteveC, and he’s right: It’s a relatively small group of criminals. At the same time, I can’t agree with his feeling that “These bombings occurred in all probability because of our unprovoked invasion.” The United States was attacked before we invaded Iraq or Afghanistan. People who will kill civilians on the tube are […]

 

Small Bits: Privacy for Infringers, IEEE Cipher, Oracle, Footnotes, and a Mug

Michael Geist continues to take the Privacy Commissioner’s office to task for protecting the privacy of infringers: Moreover, the Commissioner canvassed other banks and found that at least two others did allow their customers to opt-out of such marketing. Now if only the Commissioner would reveal which banks respected their customers’ privacy and which decided […]

 

These cruel, wanton, indiscriminate bombings

With London being attacked again, I am heartened to see that the attacks were (apparently) less effective, and otherwise defer to the wisdom of Sir Winston Churchill: These cruel, wanton, indiscriminate bombings of London are, of course, a part of Hitler’s invasion plans. He hopes by killing a large number of civilians, women and children, […]

 

Happy Moon Day!

36 years ago today, two Americans landed on the moon before returning safely to Earth. It’s a feat worth celebrating.

 

Elizabeth Blodgett Hall, 1909-2005

Elizabeth Blodgett Hall, 95, founder of Simon’s Rock College, died July 18 at Geer Nursing and Rehabilitation Center in Canaan, Conn. In 1964, with 200 acres of her family’s land and a grant of $3 million from the Margaret Kendrick Blodgett Foundation — a charitable educational trust established by her mother — she founded America’s […]

 

Who Has Time For This, Indeed?

David Cowan has a nice post on technologies he won’t fund, and why. It’s a great post. More investors should be up front about what they’re not interested in. Bessemer has funded 16 security startups–more than any other traditional VC firm–but there are some areas of security that even we have never funded, despite the […]

 

Cardsystems Death Penalty?

“CardSystems has not corrected, and cannot at this point correct, the failure to provide proper data security for those accounts,” said Tim Murphy, Visa’s senior vice president for operations in a memorandum sent to several banks. “Visa USA has decided that CardSystems should not continue to participate as an agent in the Visa system.” So […]

 

More on the FBI and ACLU

Over at Volokh, Orin Kerr writes “The New York Times ACLU Story Begins to Look A Bit Fishy.” The essence of Kerr’s argument is that with the ACLU’s request for any document mentioning the ACLU, of course they’re going to get a lot of documents: I should point out that it is at least theoretically […]

 

Oh, That's Why

Last week, I asked, Now, if Evan Kohlmann can get to this gathering, and if John Walker-Lindh can meet bin Ladin, why haven’t we penetrated and shut down more groups which are openly calling for murder? Today’s New York Times has the answer in “Large Volume of F.B.I. Files Alarms U.S. Activist Groups:” WASHINGTON, July […]

 

Acxiom, 8.2 gb of love, Bad Password

In “Acxiom’s High Tech Hacker,” Ryan Singel describes how Scott Levine downloaded 8.2 gb of data that customers had uploaded to an Acxiom FTP server. The server was misconfigured, and anyone could login and see other people’s data. “According to law enforcement, the individual arrested was a known sophisticated hacker. He evidentially gained access through […]

 

Fingerprints at Disney: The Desensitization Imperative

The Walt Disney Corporation has started fingerprinting all visitors to their parks. They claim, incorrectly, that the fingerprint scans can’t be turned into pictures of fingerprints. True Americans understand that fingerprinting is for criminals. A presumption of guilt — of criminality — underlies a company taking your fingerprints. In “Welcome to Disney World, please let […]

 

Dear Adium People…

You make a very nice client. But the “Remove Contact” menu item in the Contact menu is fucking broken. It is not clear that “Remove Contact” means “Blow away this entire group of contacts.” How about (1) making the item name plural, and (2) adding the list of contacts to be deleted to the warning […]

 

David Cowan Blogging

David Cowan (Hi David!) is the partner at Bessemer Ventures who is responsible for their security portfolio. So I’m hoping that he sticks with his new blog, “Who has time for this.” His post about Too Many Security Startups? is fascinating: The night I closed our investment in my 12th data security deal, Cyota, my […]

 

A New Birth of Freedom in Iraq?

The Committee to Protect Bloggers reports that prominent Iraqi blogger Khalid Jarrar has been taken into custody by the Iraqi mokhabarat, or secret service. Jarrar is author of Secrets in Baghdad and is the brother of Raed from Raed in the Middle. B.L. Ochman has the scoop. Raed has more. If the United States is […]

 

Small Bits of Irony

CSO Magazine’s Security Feed juxtaposes two stories, “Stolen Data Worries Financial Institutions” and “EU Ministers Promise Data Retention Agreement.” The Privacy Law has an article on fingerprinting at Disney. His blog won’t allow anonymous comments, so I’ll say read “Fingerprint Privacy.” (I’m with Nancy Kerrigan, anyway.) Chris Hoofnagle has a story about a new database […]

 

Small Bits: Silver Linings, Presidential Game Theory, Disclosure, War

Privacy Law lists the 16 states that now have notification laws. Thanks, Choicepoint! At Balkin, ‘JB’ has a long discussion of why 2nd term Presidents all seem to be scandal ridden…since the 22nd Amendment took away what game theorists call ‘the long uncertain shadow of the future.’ I nearly said something about ‘experimental confirmation’ here, […]

 

Nothing to Hide, but "Nothing to Hide"

You’ve heard of the tube, of lorries and bobbies, but “cleanskins?” It’s a word that has emerged from London after last week’s bombings. The English police believe the suspects in the case are “cleanskins” – young operatives with no background of terrorism or crime. It’s more difficult to investigate cleanskins because they have no criminal […]

 

Pre-Defcon Summit, Get Your Tickets Now

The fine folks at DC702 are going to be hosting a “pre-Defcon Summit” and fundraiser for the EFF. I’m pleased to be a featured guest, and urge you to show up, contribute to the EFF, and hang out. According to email organizers sent, they’re fast running out of tickets, so get your tickets now, and […]

 

Blue Cross of Arizona, 57,000 SSNs + Medical Data, Arizona Biodyne

The Arizona Republic brings us the news that “Medical firm’s files with personal data stolen:” The personal information of 57,000 Blue Cross Blue Shield of Arizona customers was stolen from a Phoenix-based managed care company. Arizona Biodyne, an affiliate of Magellan Health Services that manages behavioral health for Blue Cross of Arizona, began last Friday […]

 

Nelson-Smith Data Protection Bill

Kim Zetter reports in Wired, Bill Strives to Protect Privacy : Another bill introduced in the Senate judiciary committee about two weeks ago addresses some of the same issues in a comprehensive way, and several other bills address individual issues, such as notification to consumers. The commerce bill, however, is likely to go the distance […]

 

Blind Signature Patent Expiration Party

Friends, colleagues, and co-conspirators, It has been 17 long years and now the time is finally here to celebrate at the: BLIND SIGNATURE PATENT EXPIRATION PARTY WHAT: A party to celebrate the expiration of the Blind Signature patent. WHY: U.S. Patent 4,759,063 (“Blind Signature Systems“) to David Chaum is the core invention enabling privacy-protecting electronic […]

 

Alberta Health and Wellness, 670,000 Health Care Numbers, Tape

Frank Work, Alberta’s Information and Privacy Commissioner, released a report on his investigation into missing Health and Wellness computer data storage tape. Work stated the incident is a low risk for potential fraud. As soon as the incident was reported, Alberta Health and Wellness changed practices and eliminated the related tape transfer business process. … […]

 

Homegrown Bombers, ID Cards, Intelligence Activity, and Profiling

The folks over at The Counterterrorism Blog have been doing a great job the last week or so. Lots of very high quality posts, good roundups around the London attacks. I wanted to point and comment on several of their recent posts. First is Where do Homegrown British Suicide Bombers Come From?, a first person […]

 

"Israeli Style Profiling"

Less useful is another call for “Israeli style profiling,” in Bill West’s Bolstering Transit Security the Old Fashioned Way: The more such officers there are, and the better trained they are, especially if they are trained in behavioral profiling techniques like the Israeli security services have used for decades, the better protected these transportation systems […]

 

On Phishing

Item: OCC Guidance on Phishing Websites. Ethan Preston writes that the Office of the Comptroller of the Currency has provided guidance for banks on appropriate countermeasures against phishing websites. The guidance provides fairly common sense advice: designate employees to respond to phishing threats, cultivate contacts with the FBI to expedite law enforcement’s response, prepare to identify […]

 

My Bleeding Snort Rules Just Alerted Me to TERRORISM!

Err, no. But I was reading a post at TaoSecurity, “How to Misuse an Intrusion Detection System:” I was dismayed to see the following thread in the bleeding-sigs mailing list recently. Essentially someone suggested using PCRE to look for this content on Web pages and email: (jihad |al Qaida|allah|destroy|kill americans|death|attack|infidels) (washington|london|new york) But such rules […]

 

Comrade Sarbanes Remains Uncorrupted

The latest critic of Sarbanes-Oxley? Michael Oxley told the International Corporate Governance Network (ICGN) annual conference yesterday that, ‘if I had another crack at it, I would have provided a bit more flexibility for small- and medium-sized companies.’ Always nice to see a fellow own up to his mistakes. From Accountancy Age, via Volubis Infosec […]

 

New Security Blogs

Jeff Moss takes blogging into thematically and visually new territory with The Black Pages, with Jeff posting on a theme, and then his speakers adding details. Now if only they had an RSS feed. Or my post. I wonder which they’ll get first? I have a soft spot for the word “chaos.” I like the […]

 

Small Bits of Liberty

Rebecca MacKinnon’s “Response to Scoble” is worth reading in its entirety. I have just one small comment: In justifying Microsoft’s filtering of politically sensitive Chinese words on MSN spaces, Microsoft’s uber-blogger Robert Scoble writes: “I have ABSOLUTELY NO BUSINESS forcing the Chinese into a position they don’t believe in.” He continues… Except Scoble Microsoft is […]

 

Pre-Defcon Summit, and some small bits

The fine folks at DC702 are going to be hosting a “pre-Defcon Summit” and fundraiser for the EFF. I’m pleased to be a featured guest, and urge you to show up, contribute to the EFF, and hang out. Hmmm, this needs some extra text to balance the icon. Dumb stylesheet. Who the heck wrote that […]

 

Random Thoughts on Specter-Leahy

Senators Specter and Leahy have proposed a new law on identity theft and privacy. Some thoughts as I read it. But first, what the hell are they doing preventing me from copying sections? Frigging DRM. Quotes shall be shorter than they otherwise would. Title III, 301.b.1 (pg21): “A data broker shall, upon the request of […]

 

Gaze Into Navels!

There’s a new feed, of posts + comments, available here: RSS. (It’s also on in the little “blog tech stuff” list, if you want to come back to see it later.) Thanks to Lisa for setting this up!

 

MSU, 27,000 SSNs, "intrusion"

More than 27,000 students were informed by e-mail on Tuesday that their Social Security numbers could have been compromised by an attack on the College of Education’s server. The server housed information that included student names, addresses, student courses and personal identification numbers. After the intrusion was discovered at the beginning of April, the server […]

 

Small Bits on Privacy

Larry Ponemon has a good article in Computerworld, “After a privacy breach, how should you break the news?:” We learned that about one-third of subjects believed that the notification was truthful. Another 41% believed that the notice they received failed to communicate all the facts. The remaining 26% were unsure about the integrity or honesty […]

 

ID Card Program Stopped Over Security Concerns

So reports the LA Times (Bugmenot) in “Pot ID Card Program Shelved:” California health officials Friday suspended a pilot program that issues photo identification to medical marijuana users out of concern that a recent U.S. Supreme Court ruling could make the state and ID holders targets for federal prosecution.

 

Small Bits: Government, Government, Government, Bill Scannell and Christopher Hitchens

Kip Esquire has a great roundup in “Linkfest — Special “Hear/See/Speak No Evil” Edition,” guaranteed to boil the blood of anyone who thinks that sometimes government goes too far. Then again, sometimes government doesn’t go far enough. In the case of New York’s MTA, they’ve spent $30m of the $600m they have available for security, […]

 

"Declaration of Repudiation?"

Dave Belfer-Shevett points to a Declaration Of Repudiation by Will Frank. It starts out pretty well, but then degenerates into complaining about gay rights, abortion, sex ed and Kyoto. Yes, I say degenerates, even if I might agree with some of these, because they’re a distraction. Reagan and Bush Sr. were opposed to abortion rights […]

 

London, Perspective

At the end of a long, thoughtful post, Thurston writes: One final thought. Four bombings in London are front-page, stop-the-presses news for two days straight. If that was Baghdad, only four bombings would have been a slow day. What message does that send the Third World?

 

Backup Tapes?

Allan Friedman asks for comments on Lauren Weinstein’s post to Interesting People: (Lauren W) Ironically, it’s true that the probability of lost backup tapes being used opportunistically for ID theft is probably fairly low, at least in comparison to all the “ID theft supermarkets” that are out there — crooked commercial and government employees willing […]

 

An Israeli Friend in London Writes…

(This entire post is by my friend Shimrit, an Israeli living in London, and is posted with permission.) I felt the need to write down my thoughts about today so I did. Seeing as I have nowhere to publish them, I am sending them round instead. Once again, it seems my terrorist attack luck has […]

 

On "Bringing To Justice"

First, let me say that the response from not only Blair, but all of London is inspiring. They are refusing to panic after these attacks. The underground is open and running this morning (with some nervousness). At Balkanization, Kim Lane Scheppele makes an interesting point about “Britain’s State of Emergency, and the anti-terror laws in […]

 

Ping Flood

Over at Usable Security, Ping is blogging about the SOUPS conference, which I’m unfortunately missing. Alan Schiffman is also blogging a little. However, Ping is posting so much that his first posts today have already scrolled off the top of his blog. Who knew he’d invent a new denial of service attack?

 

"These cruel, wanton, indiscriminate bombings of London…"

My sympathies to the people of London, and all those around the world who are worried about their loved ones in London. Wikipedia has a clear summary of what’s happened, along with this translation from the pigs responsible: We continue to warn the governments of Denmark and Italy and all the crusader governments that they […]

 

Citi National Bank, Thousands of Millionaires, Iron Mountain

In the San Francisco Chronicle, David Lazarus reports “Personal data lost — again:” Today I bring news of yet another security breach involving potentially thousands of people’s personal info, and this is the first anyone’s hearing of it. The latest company to drop the data ball is City National Bank, based in Los Angeles and […]

 

USC Admissions, 320,000 SSNs, SQL Injection

A programming error in the University of Southern California’s online system for accepting applications from prospective students left the personal information of as many as 320,000 users publicly accessible, school officials confirmed on Tuesday. (Photo caption: “Sap,” discoverer of the vulnerability in USC’s Web application.) The flaw could have allowed an attacker to send commands to the […]

 

Russia's Information Market

Bruce Schneier mysteriously titles a post “Russia’a Black-Market Data Trade.” But it’s not clear to me that this is black-market at all. Does Russia have a data protection law? Quoting from The Globe and Mail: At the Gorbushka kiosk, sales are so brisk that the vendor excuses himself to help other customers while the foreigner […]

 

What Is Terrorism?

A quirk in how the U.S. government defined terrorism meant that when Chechen rebels blew up two airliners almost simultaneously over Russia last year, only one was counted in an annual tally of terrorist attacks. On board one plane were 46 Russians. But the other had 43 Russians and an Israeli citizen — a foreign […]

 

Hoder, US: Ahmadinejad not Hostage Taker

On June 30th, Hoder says: “As much as I dislike Ahmadinejad, I don’t think the guy in this picture is him. They look similar, but have different eyes and eyebrows.” The LA Times. I reported on the story in “Iran’s New President a “Moderate”.”

 

Choicepoint Roundup

At MSNBC, Bob Sullivan covers the loss of confidence in ecommerce that leaks are causing: The survey also found nearly all Americans think identity theft and spyware are serious problems, but only 28 percent think the government is doing enough to address the issues. About 70 percent said new laws are necessary to protect consumer […]

 

"The Great Equalizer"

Pittsburgh Mayor Tom Murphy tells the Post Gazette that “Eminent domain ‘is a great equalizer when you’re having a conversation with people…’” Indeed it is. Pictured is another “great equalizer.” (Quote via John Tierney in “Your Land Is My Land,” in the New York Times.)

 

Two Minutes Hate in the Blogosphere

Fred, who did graphic design for RECon, is doing a comic book of 1984. (The copyright on 1984 has expired in Canada.) He also had great “Big Brother is Watching You” posters, one of which I bought. Fred (pictured, left) was also good enough to introduce my talk, and provide a hanging banner. You can […]

 

Small Segments Stolen From Some People Surnamed "S"

The first two are from Scrivener, because he’s going on vacation, they’re good, and I’m shameless. “Iraq Swede vows to catch kidnappers,” reports The Local: A Swede held hostage in Iraq for 67 days and released a month ago has vowed to take revenge on his captors and has hired bounty hunters to capture them, […]

 

The unanimous Declaration of the thirteen united States of America

The Declaration of Independence of the Thirteen Colonies In CONGRESS, July 4, 1776 The unanimous Declaration of the thirteen united States of America, When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the […]

 

Deep Impact

We’re about 4 hours from Deep Impact making a large hole in Comet Tempel 1. The National Business Review in New Zealand has an excellent links roundup in “Comet impact: See it online.”

 

Why I Read Blogs

In a post titled “Why Blog, Anyway,” Mark makes a really good point: And what about the audience? Readers who don’t blog may not be aware of how much bloggers want readers. Part (I suspect a very big part for most) of it’s an ego thing, like people on soapboxes at the town square with […]

 

Small Bits: Adam Sah on Startups, RECon, Irony and Biometrics

Adam Sah (hi Adam!) has a great page of startup advice I hadn’t seen before. Presentations from RECon are now online. The University of Connecticut will be offering a Masters in Homeland Security. That’s a database I’d like to steal. Thanks to Chris Walsh for pointing it out. I’ve been meaning to follow up on Juxtaposition’s […]

 

The Next PR Speciality?

Over at Presto Vivace, Alice suggests that “Security breaches and violations of privacy are going to be the next speciality in crisis communications.” I suspect that she’s right, and hope she’s wrong. In cases like Cardsystems or Choicepoint, where the organization is violating policy, contract, or law with its data, the impact on the company […]

 

Well Said!

“IRS announces plans to be the butt of three consecutive days of “Daily Show” jokes.” So headlines John Paczkowski’s post at Good Morning Silicon Valley.

 

Doing the Devil's Work

The Internet, with its freedom of communication, scares a lot of people. Some people argue that this is “just political,” but it’s not. Chinese repression includes information about health issues, such as the abuse of antibiotics to control avian flu. (See, for example, “Bird Flu Drug Rendered Useless” in the Washington Post.) The companies that […]

 

Inviting Cockroaches to the Feast?

Over at “The Security Samurai,” Eric Marvets posts on “How Do I Get My Company To Take Security Seriously? Will Liability Work?” I’ve posted my thoughts on liability (“Avoiding Liability: An Alternative Route to More Secure Product”) and hope to develop those further sometime. One thing Eric says jumped out at me: Today I […]