Shostack + Friends Blog Archive

 

"The Offending Articles Will Be Disposed Of"

Our Saudi allies, displaying their tolerance: Paper cups with Hebrew writing disturbed both employees and medical staff at King Khaled National Guard Hospital on Saturday. The catering subcontractor for the hospital coffee shops began using them on Saturday after their usual supply ran out. “We were shocked and angry,” said an employee. “How can Israeli […]

 

The Gulf Coast

The scale of destruction from Katrina is simply staggering. The Red Cross, and other good organizations could use your help. I do wonder if Pompeii isn’t a better analogy than others being brought up, such as the Indian Ocean Tsunami or Hiroshima. As an aside, I expect there will be fake charity sites set up, […]

 

Impressions of Opera

Having taken advantage of Opera’s offer (still valid for a few hours!) I must say, I’m impressed. Opera is snappy in a way that Safari (with all the plugins I’ve added) is not. There’s some small bits of things not working as I expect, things that should be controlled differently*, as I move, but there […]

 

Happy Birthday Opera

The Opera browser, which some friends rave about, is now ten years old! To celebrate, they’re offering free full copies if you send a note to “registerme@opera.com” before midnight tonight. The registered copies do not have the ad bar. Woot!

 

ParadisePoker.com Blackjack Cracked

An article in the summer 2005 issue of 2600 magazine (“The Hacker Quarterly”) discusses a timing attack on the Paradise Poker Blackjack game. In essence, the game reveals when the dealer’s hole card is a 10, because it takes longer to process that situation. (The article isn’t online, near as I can tell.) There’s more […]
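The leak described above is a classic timing side channel: a branch that runs only for one secret value (here, a ten-valued hole card, when the dealer peeks for blackjack) takes measurably longer, so response latency becomes an oracle for the secret. The following is an added illustration, not code from the 2600 article or from Paradise Poker: it models the dealer's work with a constructed, deterministic cost counter standing in for wall-clock latency, shows how a player calibrates a threshold from hands where the hole card is later revealed, and contrasts the leaky dealer with one that does the same work on every hand. The costs, jitter range and function names are assumptions for the demonstration.

```python
"""Timing-oracle demonstration for a blackjack dealer (added example).

A vulnerable dealer does extra work (a blackjack peek) only when its hole
card is ten-valued, so latency reveals the hole card.  A hardened dealer
does the same work on every hand.  Latency is simulated as integer ticks
from a constructed cost model, not measured with a real clock.
"""
import random
from statistics import median

RANKS = ["A", "2", "3", "4", "5", "6", "7", "8", "9", "10", "J", "Q", "K"]
TEN_VALUED = {"10", "J", "Q", "K"}
BASE_COST = 10   # assumed ticks for dealing the hand
PEEK_COST = 15   # assumed ticks for the blackjack peek (the leaking branch)
JITTER = 3       # assumed network/scheduler noise, uniform in [0, JITTER]


def leaky_dealer(hole, rng):
    """Vulnerable: peeks only when the hole card is ten-valued.
    Returns simulated latency in ticks."""
    cost = BASE_COST + rng.randint(0, JITTER)
    if hole in TEN_VALUED:
        cost += PEEK_COST          # secret-dependent work leaks through timing
    return cost


def constant_time_dealer(hole, rng):
    """Hardened: performs the peek work regardless of the hole card, so the
    secret no longer influences latency."""
    return BASE_COST + rng.randint(0, JITTER) + PEEK_COST


def calibrate(dealer, rng, hands=500):
    """Player's calibration phase.  In blackjack the hole card is revealed
    when the dealer plays out the hand, so a patient observer can label past
    latencies by class and place a threshold between the class medians."""
    ten, other = [], []
    for _ in range(hands):
        hole = rng.choice(RANKS)
        latency = dealer(hole, rng)
        (ten if hole in TEN_VALUED else other).append(latency)
    return (median(ten) + median(other)) / 2


def oracle_accuracy(dealer, rng, threshold, hands=2000):
    """Fraction of fresh hands where 'latency > threshold' correctly predicts
    a ten-valued hole card before it is revealed."""
    correct = 0
    for _ in range(hands):
        hole = rng.choice(RANKS)
        guess_ten = dealer(hole, rng) > threshold
        correct += guess_ten == (hole in TEN_VALUED)
    return correct / hands


def assess(dealer, seed=1):
    """Calibrate, then measure how well timing predicts the hole card."""
    rng = random.Random(seed)
    threshold = calibrate(dealer, rng)
    return oracle_accuracy(dealer, rng, threshold)


if __name__ == "__main__":
    print("leaky dealer oracle accuracy:", assess(leaky_dealer))
    print("constant-time dealer oracle accuracy:", assess(constant_time_dealer))
```

Against the leaky dealer the player predicts the hole card on every hand, because the 15-tick peek dwarfs the 3 ticks of noise; against the constant-time dealer the calibrated threshold sits inside the noise band and the guess is no better than chance. The general lesson carries over to any server that branches on a secret: equalise the work (or pad to a fixed response time) rather than hoping the difference is too small to measure, since an attacker who can collect many samples will average the noise away.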

 

Companies Helping Phishers

Daniel Solove has a good post on “How Companies Help Phishers and Fraudsters.” Companies have trouble being consistent in what they send, and that’s to the advantage of fraudsters. They also have a hard time taking security information from outsiders, however well meaning. I had an experience with Citi Mastercard. After some problems, I was […]

 

Colossus, Anon Blogging, and International Blogging

In PGP’s CTO Corner, Jon Callas draws attention to the second world war Colossus computer: The Colossus Rebuild Project took 10 years and 6,000 hours of effort. The resulting machine is not a replica of a Colossus, but an actual Colossus that uses some of the actual parts. The team finished a Mark II Colossus […]

 

Oxford No Longer Accepting "Child Prodigies"

Yinan Wang, the 14-year-old Chinese boy who clinched a place at Oxford University last week, will be the last child prodigy to study there under reforms being considered by admissions tutors. Despite an almost perennial flurry of headlines on children barely in their teens being offered places, the university is considering an unprecedented blanket rule […]

 

Cease and Desist, or I Shall Embarrass Myself Some More!

It used to be that to mock lawyers sending cease and desist letters, you had to be elite Swedish file traders. (Or Phrack. Phrack used to mock their correspondents, too, before they got all corporate.) But now, even gadget blogs can play, and play Gizmodo does, when some bunch of lawyers sends them a letter […]

 

Homeland Security Blanket

By Amy Franceschini. See the complete work at Future Farmers. It’s not new, but Gizmodo picked it up and reminded us.

 

ChartOne, 3,851 SSNs+Medical Records, System Administrator

On Aug. 1, UF was notified that a computer was stolen from ChartOne, a Boston-based firm that the Health Science Center contracts with to help manage medical records. In the laptop’s database were the names, Social Security numbers, dates of birth and medical record numbers for more than 3,000 patients spread over a wide area. […]

 

Enforcement and Incentives

In “Getting Serious about Smog,” Virginia Postrel writes: After many years of bureaucratic resistance, California is finally getting serious about air pollution from cars. These days, most cars don’t spew much pollution. But the few that do, account for a lot, and many of them still manage to pass state inspection. Now, the LAT reports, […]

 

WiKID Goes Open Source

WiKID is a two-factor authentication system. It consists of: a PIN, stored in the user’s head; a small, lightweight client that encapsulates the private/public keys; and a server that stores the public keys of the clients and the user’s PIN. When the user wants to login to a service, they start the client and enter […]

 

"Preserving the Internet Channel Against Phishers"

I’ve updated the concepts first presented in “Don’t Use Email Like a Stupid Person” and “More on Using Email Like A Stupid Person,” to make them more palatable to readers. The new short essay is “Preserving the Internet Channel Against Phishers,” and is designed to be shared with marketing folks without insulting them. Alternate title: […]

 

Speaking of Hot Knives, Butter

It seems that Zylon “bulletproof” vests are not nearly as effective as Kevlar ones, and the Justice department may pull funding for purchasing them. (All the press releases and reports are at the DOJ site.) They are, however, more effective than not wearing a vest. I am routinely outraged here by poor technology decisions that […]

 

Robertson Lies In Apology

The dominant headline around Robertson’s attempt to retract his comments is that he “apologized.” That is false. He claimed to have not called for an assassination: “I said our special forces could take him out. Take him out could be a number of things including kidnapping.” Mark, at Cutting Edge of Ecstasy takes out goes […]

 

Small Bits: Alex Haislip, Chinese Censorship, TSA Xrays

Alex Haislip is blogging up a storm at VC Action. I love journalist bloggers; there’s so much interesting backstory that they talk about. And working at Red Herring, Alex has more dirt than he could dish and stay in business. 😉 Curt Hopkins points to a fascinating story about the folks who run the great […]

 

No Child Left Untagged

CSO’s Security Feed has a story “RFID Technology Prevents Infant Abduction.” The story reads like a press release: VeriChip Corporation, a subsidiary of Applied Digital (ADSX), a provider of security and identification technology, stated that its “Hugs” RFID infant protection system prevented the abduction of a baby at Presbyterian Hospital in Charlotte, North Carolina. A […]

 

From the "Who Will Rid Me Of This Meddlesome Priest" Department…

Television evangelist Pat Robertson told viewers the U.S. should kill Venezuelan President Hugo Chavez to prevent the Latin American country from becoming a “launching pad” for extremism, the Associated Press said. From Bloomberg. Ezra Klein has comments in It Was The Christian Thing To Do. Apparently, Venezuela is upset. Thanks to Nick for distracting me […]

 

Caption Contest

I took this picture of a sign, lying on its side, near gate A12 of the Atlanta airport on August 16th, 2005. The photo is what I saw; it has not been retouched. It needs a caption, and I am simply flabbergasted.

 

Released!

Captchas are those annoying, spamateur “type this so we can stop spam” things that you see on some blogs. PWNtcha stands for “Pretend We’re Not a Turing Computer but a Human Antagonist”, as well as PWN capTCHAs. This project’s goal is to demonstrate the inefficiency of many captcha implementations. For an overview on why visual […]

 

Blogroll Rolls On

I’ve deleted Geoff’s ScreenDiscussion for negligent posting, and added Mario’s blog, Ed and Diana at Security Curve and TQBF and his service-oriented chargen 19/udp.

 

"FBI: Businesses (Still) Reluctant To Report Cyber Attacks"

Volubis picks up stories in Information Week and Computer World: Roughly 20% of businesses report computer intrusions annually, a figure the agency believes is low. Director Robert Mueller urged businesses to step forward, promising greater sensitivity from the FBI in return. This reluctance has become especially important at a time when identity theft is growing […]

 

Demand Your Records

In her “On the Record” blog, Ann Harrison (Hi Ann!) covers how to use the Privacy Act to request the records TSA collected, illegally, on millions of innocent people. Incidentally, Arthur Andersen was shut down for destroying data like this.

 

US Air Force Hack and TSA

I just blogged about a breach of data which could be used for ID theft in “US Air Force, 33,000 SSNs, Hacker.” I’d like to tie that to a story I mentioned earlier this week, “TSA May Loosen Ban on Razorblades, Knives:” The Aug. 5 memo recommends reducing patdowns by giving screeners the discretion not […]

 

US Air Force, 33,000 SSNs, Hacker

In : Half of USAF’s officers’ PII stolen, Chris points to stories about “AFPC notifies Airmen of criminal activity exposing personal info,” and “Air Force investigates data breach.” AMS, an online program used for assignment preferences and career management, contains career information on officers and enlisted members as well as some personal information like birth […]

 

"Its Precious Patents Disclosed"

In Lee Kuan Yew is usually worth reading, Tyler Cowen discusses a Lee Kuan Yew interview, where Lee mentions ‘intellectual property’ law as a place Singapore can stay ahead of its competitors. Mr Lee says: Such as where the rule of law, intellectual property and security of production systems are required, because for them to […]

 

No Child Left Alone

The EFF is directing attention to the Leave My Child Alone! coalition. Did you know that President Bush’s No Child Left Behind Act mandates that public high schools turn over private student contact information to local military recruiters or risk losing federal education funding? Not only that, but the Pentagon has compiled a database of […]

 

TSA to Look Through Your Clothes

[Update: Welcome Buzzflash readers! If you enjoy this post, please have a look around, you might enjoy the air travel or privacy category archives.] USA Today reports “TSA hopes modifications make X-ray not so X-rated.” The TSA now hopes to test modified “backscatter” machines in a few airports this fall that will solve the privacy […]

 

I'm a Spamateur

In private email to Justin “SpamAssassin” Mason, I commented about blog spam and “how to fix it,” then realized that my comments were really dumb. In realizing my stupidity, I termed the word “spamateur,” which is henceforth defined as someone inexperienced enough to think that any simple solution has a hope of fixing the problem.

 

Tor GUI Contest

The announcement says: Tor is a decentralized network of computers on the Internet that increases privacy in Web browsing, instant messaging, and other applications. We estimate there are some 50,000 Tor users currently, routing their traffic through about 250 volunteer Tor servers on five continents. However, Tor’s current user interface approach — running as a […]

 

300,000 words and counting

It’s my one year blogiversary. In that time, about 300,000 words including comments and trackbacks have been posted in 957 articles. That’s a little over 2.6 articles a day, some of which some of you seem to have enjoyed reading. Movable Type added about 40,000 words of html tags, colon tagged junk etc. So, really, […]

 

Avoid Parkhill's Waterfront Grill in Allenhurst, NJ

Two diners on a date at a fancy Jersey Shore restaurant were furious when they saw the check — which listed their table as that of the “Jew Couple.” … Stein said he took the offensive bill and showed it to Jewish friends seated nearby who said they could not believe it. When the group […]

 

Your Questionable Content (redux)

Thanks for your patience, I think we’ve solved the problem. Some comments may be moderated, but the rejection should be done. Please email if there’s any more rejections.

 

TSA Sued by Real Americans

A group of Alaskans have gotten tired of being jerked around by TSA and filed suit in the US District Court in Anchorage. Read the story at TSA Secrecy Must Stop.

 

Where's the Evidence?

Tom Ptacek offers up unsubstantiated rumors, and Lindstrom caves? Shoot. I did my chrooting DNS work when a customer’s DNS servers came under attack. Can I get beer without naming the customer? I thought Pete was demanding full details. None of the attacks I saw used are less than five years old. More seriously, I […]

 

TSA Roundup

Allow me to begin by shocking my regular readers with a few words of praise for TSA: Ryan Singel reports that they found a bomb, in “Screeners ID IED.” Of course, that’s 1 bomb:1,000,000 nail clippers, but still. It’s good to see that they can find the bombs. When they’re not harassing babies […]

 

Your Questionable Content

A couple of people have mentioned that something in the comment posting code is rejecting their comments for “questionable content.” I’m very sorry, and am working with my fine technical support staff to try to solve it. If this happens to you, please email me: emergentchaos & gmail & com, and I’ll try to post […]

 

The Malaysia Option

Sunday’s Washington Post has a story, “U.S. Lowers Sights On What Can Be Achieved in Iraq:” The Bush administration is significantly lowering expectations of what can be achieved in Iraq, recognizing that the United States will have to settle for far less progress than originally envisioned during the transition due to end in four months, […]

 

The Death of Jean Charles de Menezes

Remember that bulky jacket-wearing, fare-skipping young foreigner who taught the world that it’s a bad idea to act suspiciously near public transportation after a terrorist attack? The UK’s Observer investigates, and among other things finds: Initial claims that de Menezes was targeted because he was wearing a bulky coat, refused to stop when challenged and […]

 

More on Using Email Like a Stupid Person

[Update: A less in-your-face version is Preserving the Internet Channel Against Phishers.] There have been lots of good comments, both here and over at Nielsen Hayden’s Making Light. There’s a few points left dangling that I wanted to respond to further. Those are the “ignore the marketing department” view and the “train the customer view.” […]

 

Don't Use Email Like a Stupid Person

[Update: A less in-your-face version is Preserving the Internet Channel Against Phishers.] In his talk at Defcon, David Cowan talked about how he doesn’t bank online anymore. Banks are now facing the imminent destruction of their highest bandwidth, lowest cost way to interact with customers. Actually, its worse than that. Bankers are killing online banking, […]

 

On Vacation

I’m on vacation through Sunday, and won’t be blogging until next week.

 

Lindstrom's Indemnification

Pete Lindstrom has very nicely offered to indemnify me, and pay my outrageous consulting fees when no one else will, if only I break NDAs and disclose which 0day exploits were used against which of my clients. Well, the city of Tokyo…No, I’ve never worked for the city of Tokyo. Now, as I’ve said repeatedly, […]

 

Sonoma State, 61,709 SSNs, Hacker

Hackers have broken into Sonoma State University’s computer system, where they had access to the names and Social Security numbers of 61,709 people who either attended, applied, graduated or worked at the school from 1995 to 2002, university officials disclosed Monday. So says SF Chronicle. Sonoma State has a page.

 

Costco Employees and "Market Analysts"

The job of a shareholder-owned company is to make money for shareholders, not to coddle its employees. But sometimes, being good to your employees can be good for the shareholders. In “Living the Dog’s Life at Costco,” Kevin Carson takes to task Wall St analysts who are trying to run Costco’s business for them: “He […]

 

New Blog Pointers

Frequent commenter Allan Friedman has started Geek/Wonk. In “Speaking of duct tape,” he links to an interesting essay Duct Tape Risk Communication. And Mario’s comments on tor vs the Freedom Network are interesting: Interestingly, the usability issues are _exactly_ the same as they were ~5 years ago! It’s sometimes s-l-o-w! While I agree with this, […]

 

University of North Texas, 34,000 SSNs, Bad Design + Google

The UNT server storing the electronic university housing records of about 34,000 current, former and prospective students was accessed by a computer hacker. In addition, an Internet-based form available to students to make inquiries to the UNT financial aid office mistakenly created a file containing personal information of the current and former students who used […]

 

Cal Poly, 31,077 SSNs, Hacker

Notices went out on Thursday to 31,077 people informing them that their records might have been stolen after Cal Poly Pomona discovered two computer servers were compromised in late June. “We got hit by a hacker,’ said Debra Brum, interim vice president of instructional and information technology. Personal data, including names and Social Security numbers […]

 

Microsoft's "monkeys" find first zero-day exploit

Microsoft ‘s experimental Honeymonkey project has found almost 750 Web pages that attempt to load malicious code onto visitors’ computers and detected an attack using a vulnerability that had not been publicly disclosed, the software giant said in a paper released this month. So reports Rob Lemos, in “Microsoft’s “monkeys” find first zero-day exploit.” We’ve […]

 

Balancing Information Sharing and Privacy Concerns

I’ll be at the National Conference on Science, Technology and the Law, A National Institute of Justice Conference sponsored by the National Clearinghouse for Science, Technology, and the Law, September 12-14, 2005, St. Petersburg, Florida. I’m on a panel with a great group of folks on “Balancing Information Sharing and Privacy Concerns.” We haven’t put […]

 

Life Imitates Art

America’s Finest News source reports that “Our Global Food-Service Enterprise Is Totally Down For Your Awesome Subculture” while the New York Times covers “Hip-Hop Argot Meets Corporate Cant, All to Sell Chryslers.” One story or the other contained the line: Sometimes it feels like nobody understands your rebellious, genre-defying crew of goth-rocker pals—am I right? […]

 

Two on Security Clearance

Richard Bejtlich talks about the backlog in security clearances in “Opportunity Costs of Security Clearances,” using an anecdote about an unnamed agency trying to hire someone “clearable” to train to do complex work that requires particular skills and orientation. Meanwhile, at Cutting Edge of Ecstasy, Mark writes about “A Mexican man who used a fake […]

 

Two On ID Theft

Newsfactor has a long story, “U.S. Passes the Buck on Identity Theft,” which discusses the Identity Theft Penalty Enhancement Act of 2004, some of a current crop of products designed to reduce ID theft risks at businesses, and the need to shift liability. Speaking of shifting liability, in “Despite Claims of “Exceptional” Security, Acxiom’s Defenses […]

 

Make Fire With Water, Electricity

This Aqueon Fireplace, from Heat and Glo, separates water into hydrogen and oxygen, and then burns them. Because the hydrogen burns cleanly (unlike, say, wood or gas), there’s no need to ventilate. As if you needed more proof that science trumps idiocy. I look forward to having six hydrogen burners in my stove. Because that […]

 

Passport Forgery Legal in UK?

The arrest of the Algerian-born Briton with 452 forged European passports at Bangkok’s Don Muang airport is only the latest in incidences of document forging in Thailand. … But here’s the rub: The suspect, 35 year old Mahieddine Daikh, may not be charged with any crime. To date none of the governments whose forged passports […]

 

The Control Impulse, The Security Canard, and The Boy Who Cried Wolf

Flyertalk brings us the story of Continental Airlines and Boston’s Logan Airport having a little spat. The core of the dispute is that Continental offers its customers Wifi access for free. But Boston wants to charge for it. Boston has always had a bit of a control thing. That’s not unique. There are lots of […]

 

Short Bits on Terrorism

Thurston points to “London blasts – expert comments” at the London School of Economics. I know you all come here for the bombast and snark, so be warned: These are trained professionals. Do not try this on your blog. Boyodite William Lind reports on the “Modern Warfare Symposium,” organized by (ret) Colonel Mike Wyly. The […]

 

Flag Desecrations?

Over at Sivacracy, Ann Bartow is running a series of pictures on flag desecration.

 

Real American Heroes

Marty Lederman has a long post, “The Heroes of the Pentagon’s Interrogation Scandal — Finally, the JAG Memos” about the Judge Advocate Generals of the Armed Forces, who took a stand against the President’s position that the United States could behave as it has at Guantanamo and elsewhere: The memos are extraordinary. They are written […]

 

Defcon Coverage?

Defcon is better experienced than read about. How could I argue with a slogan like “What happens in Vegas gets posted to thousands of blogs? stays in Vegas?” But when those involved blog about it, I’ll admit to a little involvement: I recruited Brian Krebs onto team Shmoo. Because everyone knows I’m a Shmoo wannabe. […]

 

The Fifth Workshop on the Economics of Information Security (WEIS 2006)

Ross Anderson has announced that the fifth WEIS will be held in Cambridge (England) 26-28 June 2006. Papers due March of next year. I’m sad that I’ve only made one of the WEIS workshops so far. (Life keeps interfering.) What’s there is amongst the most interesting bits being done in security. I hope they continue […]

 

CalTech, One Planet, Hacker

In the spirit of my personal information breach posts, I present to you the South African Sunday Independent’s story, “Hacker ‘outs’ news of the 10th planet of our solar system:” Brown has submitted a name for the new planet to the International Astronomical Union, which has yet to act on the proposal, but he did […]

 

Question Authority: The Life You Save May Be Your Own

Gary Wolf has an article in Wired this month: In fact, the people inside the towers were better informed and far more knowledgeable than emergency operators far from the scene. While walking down the stairs, they answered their cell phones and glanced at their BlackBerries, learning from friends that there had been a terrorist attack […]