Shostack + Friends Blog Archive

 

Harper's Privacy Framework for DHS

Jim Harper writes: At this week’s meeting of the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee, Joanne McNabb, Chief of the California Office of Privacy Protection, and I circulated and presented a draft ‘Framework’ for assessing homeland security programs in terms of their consequences for privacy and related values. Members of the […]

 

Fishermen's Friend, Breathalyzers

It comes after a 24-year-old driver was found to be over the legal drink-drive limit during a routine control in Munich. He was taken to the police station where blood tests found he had no alcohol in his system. The man was released after officers found the strongest thing he had taken was a Fisherman’s […]

 

"Remains Safely Anonymous"

People seem to dig Star Wars posts. I could probably blog for a month on security lessons, illustrated with Star Wars quotes, but I’d need to buy the DVDs and get some video capture technology, and … …ok. You’ve convinced me. Friday Star-Wars-security-lessons-blogging it is. Ben: The “other” he spoke of is your twin sister. […]

 

Bugger Productivity

It’s not like I was getting any work done anyway. (Ok, actually I was: Five of yesterday’s six posts took under 10 minutes, and four took 5 minutes or less.) But: Scientists invade the privacy of Giant squid, intruding on their long-preserved solitude. Also be sure to notice National Geographic’s beautiful user interface for selecting […]

 

University of Georgia, 2400 SSNs, Hacker

ATHENS – A hacker broke into a computer database at the University of Georgia, gaining access to the Social Security numbers of employees in the College of Agricultural and Environmental Sciences and people who are paid from that department. More than 2,400 numbers, belonging to roughly 1,600 people, may have been exposed, UGA spokesman Tom […]

 

FinCEN Effectiveness

At the Counter-Terror blog, Andrew Cochran writes: “Treasury Department’s FinCEN Unit Recovering From “Cyberjacked” E-Mail System:” The most important impact of the cyberjacking has been to shut down the automated system whereby FinCEN and law enforcement request and receive information from financial institutions for use in terrorism and money laundering cases. The system, enacted under […]

 

What About My Needs?

While everyone (FCC, FBI, RIAA) is lining up to decide what software you can run, I’d just like to ask that I be included in the list. The Federal Communications Commission thinks you have the right to use software on your computer only if the FBI approves. No, really. In an obscure “policy” document released […]

 

RBC Dain Rauscher, 300,000 SSNs, Disgruntled former employee

The FBI has opened an investigation into the possible theft of personal information about some clients of RBC Dain Rauscher Inc. The chief executive of the Minneapolis-based brokerage firm disclosed the problem in a letter sent to 300,000 households. Dain Rauscher has not yet detected any fraudulent activity in their accounts, according to the letter […]

 

CUNY, Hundreds of SSNs, Exposed Files

The CUNY foul-up that put students’ personal information a Google search away from identity thieves was more widespread than first reported, with school officials saying yesterday that the Social Security numbers of hundreds of employees also got on the Web. City University of New York officials detected the unprotected payroll link for Hunter College Campus […]

 

New Ten Dollar Bills

The US has unveiled new ten dollar bills, and, unsurprisingly, they contain the EURion constellation in an entertaining spot: That’s right. Big Alexander Hamilton is watching you. Close up from Money Factory.com.

 

More On Cardsystems Lawsuit

Joris Evers continues to report well on the Cardsystems lawsuit, this time in “Judge looks for links in credit card case:” Kramer said he wants to be clear on which defendants fall under California civil code section 1798.82, the notification statute. While it is clear that the breach was at CardSystems, the law applies to […]

 

Google VPN, Macs, and Privacy

NudeCybot (hey, you’re blogging again!) asked me for opinions on Google Secure Access (or just GSA), and sent me a link to Kevin Stock’s Google Secure Access on Mac OS X. There’s a lot of critiques of Google’s Privacy policy around GSA: “Hide what you’re doing from everyone but us! And, umm, anyone who asks […]

 

North Fork Bank, 9000 mortgageholders (Not SSNs), stolen laptop

Data relating to about 9,000 mortgages that were originated by Countrywide Home Loans but sold to North Fork were in the laptop, according to a letter received by a customer on Thursday. The laptop was one of several stolen over the July 24 weekend, the letter said without identifying the office. The data included the […]

 

What Is Phishing

In conversation with a friend, I realized that my essay, “Preserving the Internet Channel Against Phishers” didn’t actually explain the problem. I made the assumption that everyone had the same perception of what it was. (Why didn’t anyone point that out?) So I’ve added the following (after the break), and I think the resultant essay […]

 

A Life, Observed

A blogger who I’d recently discovered has retired: I’ve always had my two lives separated – my offline world and my online one. That’s the way I wanted it and that’s the way I set it up and I’ve got my own reasons for it. And someone decided to ruin all the fun and be […]

 

Sweet Land of Databases

In “Stuck on the No-Fly List,” Ryan Singel discusses the procedure for, no not getting off the list [1], but for getting onto yet another “cleared” list.[2] Confused? I was too. The head of the Terrorist Screening Center [3] told me recently that I’d mixed up “No-Fly” and “Selectee.” As Daniel Solove explains in “Secure […]

 

Cardsystems Breach and Notice

On Friday, San Francisco judge Richard Kramer ruled against the idea that Cardsystems (or Visa or Mastercard) had to provide 1386 notice to people. Some articles are “Visa, MasterCard Win Battle Over Breach” and “Credit card companies can keep data ID theft secret.” But the article worth reading is CNet’s “Judge holds off disclosure in […]

 

Never Enough

After the 7/7 London bombings, France decided it was not enough. So, even though France already has one of the toughest anti-terrorism judicial arsenals in Europe, it is adding to it. Indeed, French newspaper Le Monde just revealed the clauses of the new anti-terrorist law due to be formally presented to the government on October […]

 

Judging Wines By Their Labels

Stefan Geens has an entertaining post about “how to judge a wine by its label:” Therein lies the secret as to why you really can judge wine by its label: Companies where the management has an atrocious taste in labels tend to be the old-school type, uncertain about innovation, parochial about marketing and under the […]

 

More Toys: Suicide Bomber Barbie

Yes, it’s suicide bomber Barbie! Click the picture for a few more views. Toy supplier Shuki Toys, responsible for the distribution of the stickers, said in response, “We were very surprised to see the stickers in the shop, the several sheets of stickers have been pulled off the shelves.” “We check all the stickers, thousands […]

 

From The Mouths of Toymakers

We all understand that Ryan Singel deserves a break from reporting on stories like “TSA Chief Nixes Commercial Databases” or “Advisory Panel: Delay Secure Flight” or even “[TSA] Advisory Panel Report Made Public.” Reporting on the duckspeakers and their plans to grope us all in the name of liberty is enough to wear anyone down. […]

 

Apple Security Update 2005-08

There’s a new security update from Apple, for both 10.3.9 and 10.4.2. If you browse the internet, or read email, you need it. I’m getting really annoyed at Apple’s update mechanisms. Not only the agreeing to a new license as part of the update, but the awful way in which they’re arranged. The technical data […]

 

Chinese Censorship

Rebecca MacKinnon has the story on how AOL is refusing to collaborate on blocking freedom in China, in “Internet Censorship & Corporate Choices.” Companies do have a choice, and the choices they make matter a great deal. Security technologies that help protect people from their governments are not yet internationalized and easy to use. So […]

 

Real ID, Real Unfunded Mandate, Real Unnecessary

It seems to be standard that major new government programs cost more than we expect. Federal Computer Week has a story, “Real ID costs rising:” Earlier this year, Congressional Budget Office officials said nationwide implementation of the Real ID Act would cost $100 million in five years. The act requires minimum national standards and physical […]

 

Security Implications of Economics of ID Cards

Some of the precepts that proponents of national ID often put forth are that it can make “illegal immigration more unpleasant for immigrants,” or that “a national ID system has some substantial potential to be the cornerstone of a national fraud-prevention system.” These are attractive notions, but will not be borne out in reality. Actually, the […]

 

"Every Valid Vote?"

Kip Esquire continues his coverage in “ACLU Sues to Block Georgia Voter ID Law,” and closes, like he did in a comment on my last post on the subject: Always remember, it’s not about “making every vote count,” but rather “making every valid vote count.” I don’t think this works as a requirements statement. First, it […]

 

Small Bits on Security

“Security cameras certainly aren’t useless. I just don’t think they’re worth it.” So comments Bruce Schneier on the news that “Cameras Catch Dry Run of 7/7 London Terrorists.” Richard Bejtlich comments on “Citadel Offers Product Security Warranty.” I think Richard nails it with his analysis that “There are probably enough loopholes through which one could […]

 

You Don’t Need To See His Identification

If you’re a jack-booted thug, one of the saddest moments in Star Wars is when Obi-Wan Kenobi and Luke Skywalker slip past the Imperial Stormtroopers, out looking for stolen property. Had the Stormtroopers been a little more on the ball, all of those innocents on the Death Star would still be alive. You may not […]

 

Thoughts on Chapell's View

Alan Chapell has some interesting thoughts in “CONSUMER WATCH: Localities put private data in harm’s way:” As an aside, some might argue that there’s little distinction between “evil doer” and “data broker”. I prefer to view the latter as the poster children for another unregulated industry that is screaming for the Government to step in. […]

 

2005 MacArthur Fellows Announced

I always find it fascinating to see who the foundation chooses to honor and support. The list of 2005 Winners is worth reading. Hey! No, really! Even if this is a short post, go click the link. Hmm, I should add a picture or something.

 

Palo Alto Children's Health Council, 6,700 SSNs, Thief

A backup tape containing the names, Social Security numbers and detailed health information of as many as 6,000 current and former clients of the Children’s Health Council was stolen from the nonprofit agency’s offices, officials confirmed Sunday. From SignonSandiego, “Thousands of health records stolen from Palo Alto agency.” via Cotse Privacy Watch. The Children’s Health […]

 

Investigating New Orleans Failures

In “Bush Aide Will Lead Hurricane Inquiry,” the New York Times chronicles the sort of petty bickering we’ve come to expect from kindergarteners America’s leadership. Today’s subject-of-bickering is who is to investigate the failures in New Orleans: On Capitol Hill, Congressional Republicans continued their efforts Monday to persuade Democrats to take part in a special […]

 

Yahoo & China

Yahoo! co-founder Jerry Yang said the company was merely following Chinese law – it had no choice. But as human rights groups have been pointing out, Yahoo! has been going above and beyond the strict legal requirements for some time. In 2002 it signed the Internet Society of China’s Public Pledge on Self-Discipline for the […]

 

Voter ID Cards

Kip Esquire, who I enjoy reading, writes: The voter ID proposal, already causing a stir in Georgia, is a reasonable compromise. ID cards help deter voter fraud, yet if the cards are free, then the “poll tax” histrionics evaporate (see, e.g., my previous post). I agree that some histrionics may go away, but the real […]

 

Parental Privacy

My first reaction was shock, then anger. Why did the baby formula company have her due date? I had shared our baby’s due date with only two businesses: my health insurance company and a Web site for expectant and new parents. When I registered to enter the Web site, I specifically requested that it not […]

 

Command-Q Getting Me Down

The Mac’s Terminal.app is way too easy to quit; it seems to absorb any command-Q typed near it, even if the menubar is showing you that you’re in another app. (This may be an interaction with the preference FocusFollowsMouse.) Anyway, having just lost a bunch of terminals with useful data in them, I went and […]

 

2005 Underhanded C Contest Winners Announced

Congratulations to the three winners: M Joonas Pihlaja and Paul V-Khuong (who had a joint entry) and Natori Shin. Code is here. I previously blogged about the contest here.

 

Miami University of Ohio, 21,762 SSNs, Staff

Miami University is notifying all students who attended Miami during the fall 2002 semester that a report containing their names, Social Security numbers and grades had been inadvertently placed in a file accessible through the Internet. University officials said that at this point they have no evidence of illegal use of the information, which included […]

 

"Iran's Nuclear Ambitions" Pitch

Earlier, I mentioned the Powerpoint deck being used to pitch the idea of Iran’s Nuclear ambitions. Now, courtesy of Edward Tufte’s forums, we have links to the presentation (PDF). This is mentioned in “U.S. Deploys Slide Show to Press Case Against Iran” in the Washington Post. The presentation is a nearly classic example of […]

 

Small Bits on Usability

Thomas Barnett comments that “The U.S. is pushing a secret PowerPoint briefing to allies on Iran, trying to convince them that the WMD question is drawing to a head there.” Maybe they’ve read “The Cognitive Style of Powerpoint,” and would prefer data to being pitched? I’ll (ahem) pitch my lesser-known Hamlet in Powerpoint. Jacob Nielsen […]

 

Security Bloggers Spit-Polish DHS

Or maybe just spit on them, and then rub it in. Not Bad For a Cubicle has “Don’t Plan on It” (http://thurston.halfcat.org/blog/?p=243): From what I can tell, the best way to keep a building from catching fire would be put these clowns in charge of burning it down. They truly are The Gang That Couldn’t Shoot […]

 

Musings After the Dali Museum

I took a little time away from the conference to visit the Salvador Dali Museum in St. Petersburg, Fl. It’s an impressive museum, and worth seeing. One of the strongest impressions I got from the experience was that of Dali’s sheer technical skill. From paintings that he made as a child (as young as 9), […]

 

Roberts on the Right to Privacy

The term “right to privacy” has, in the debate over the Supreme Court, become a code-word for a woman’s right to abortion (or more specifically, to a liberty to choose without government interference.) As someone who believes that privacy is broader than that, I was very pleased to see that Roberts said: “Senator, I do. […]

 

More on Preserving the Internet Channel Against Phishers

A new survey is reported in “Privacy and Security Concerns Flatten Interest in Online Banking” (Government Technology): After years of dramatic growth in online banking penetration, the percentage of Americans who conduct personal banking activities online remained unchanged during the 12-month period ending August 2005. According to results from a new survey of 1,000 American […]

 

Soldier Readiness Processing Center, "1000s" of SSNs, Thieves

COLORADO SPRINGS – Fort Carson has cautioned thousands of its soldiers to watch their credit records carefully following the theft of computerized personnel records from the post. Thieves broke into the Soldier Readiness Processing center over the weekend of Aug. 20-21 and stole four computer hard drives containing thousands of personnel records, Fort Carson spokeswoman […]

 

Skype, EBay, and Communications Privacy

EBay has bought Skype, for reasons that I don’t quite understand. Perhaps all that cash was burning holes in their pockets. The BBC reports: “Communications is at the heart of e-commerce and community,” said eBay chief executive Meg Whitman. “By combining the two leading e-commerce franchises, eBay and PayPal, with the leader in internet voice […]

 

"Protecting Society By Protecting Information"

Today, I’m at the National Institute of Justice’s National Conference on Science, Technology, and the Law, and am participating in a panel on “Balancing Information Sharing and Privacy.” I’ll present “Protecting Society By Protecting Information: Reducing Crime by Better Information Sharing” (Or get the powerpoint slides. I don’t know why Powerpoint makes all the speaker […]

 

Director, Malicious Code and Malware

My friend and former boss at Radialpoint is looking for a malicious code and malware expert: The Director of Malicious Code and Malware will be responsible for being the leading authority on the security and protection of more than 14 million broadband subscribers, the largest community of broadband subscribers in the world. This high profile, […]

 

On RSS Security

I’ve been mystified for a while by people talking about a need for RSS security products, as if those were somewhat different than other HTTP security products. Apparently, I wasn’t alone in this; Greg Reinacker, CTO of Feedburner Newsgator, writes: I was on a call the other day with some folks in the industry, and […]

 

Some Good News From New Orleans

John Quarterman tells of airlines sending planes to New Orleans without contracts or guarantee of payment. And the New Orleans Times Picayune tells stories of those who stayed to man the pumps in “Pace of drainage is rare bright spot.” Incidentally, while I hate ads, the work done by the staff of the Times Picayune […]

 

"Taking Stock of the Forever War"

The New York Times Magazine has a long (14 screen) article, “Taking Stock of the Forever War,” reflecting on the four years since the attacks on New York and Washington. It seems fairly even-handed overall: any article that long will have points people contest. I’m in full agreement with the general thesis, that the United […]

 

Special Administrative Improvement District?

An article in the BBC, “Uniform row rocks HK Disneyland” has great quotes from Chinese officials: Financial Secretary Henry Tang said: “We welcome Disney to come to Hong Kong to invest in Disneyland, but in the process of building Disneyland, no-one has special rights. Everyone is equal before the law.” An editorial in the Ming […]

 

A Cry for Help

…I have determined that this incident is of such severity and magnitude that effective response is beyond the capabilities of [Louisiana] and affected local governments, and that supplementary Federal assistance is necessary to save lives, protect property, public health, and safety, or to lessen or avert the threat of a disaster. I am specifically requesting […]

 

Can You Hear Me Now?

Ed Felten reports on a new technique to go from a recording of typing to the sequence of keystrokes: Li Zhuang, Feng Zhou, and Doug Tygar have an interesting new paper showing that if you have an audio recording of somebody typing on an ordinary computer keyboard for fifteen minutes or so, you can […]

 

Small Bits: Clearance, Security Legislation, Schneier Pointers, Get Me An Operator

Richard Bejtlich comments on a Federal Computer Week article, “Security clearance delays still a problem” in “Feds Hurry, Slow Down.” “ITAA officials said 27 member companies that responded to a survey are coping with the backlog by hiring cleared employees from one another, sometimes paying premiums of up to 25 percent.” I’m glad to see […]

 

Tor GUI Contest Update

I’m very excited to say we’ve added two more outstanding judges to the Tor GUI contest: Edward Tufte and Bruce Schneier. I’m honored and excited to be working with both. As a reminder, you have at least until October 31 for submissions, and all qualifying entrants will receive a t-shirt.

 

More on Bureaucracy

This is a follow-on to “Who Will Rid Me of This Meddlesome Bureaucracy?” and the same disclaimers apply. I’ll note that Time Magazine has an article “How Reliable Is Brown’s Resume:” The White House press release from 2001 stated that Brown worked for the city of Edmond, Okla., from 1975 to 1978 “overseeing the emergency […]

 

Capture The Flag Too Boring?

Max Dornseif complains that “Capture the Flag is getting somewhat boring.” That’s too bad, so with all due haste, here are some suggestions: Capture the Business: …is a slight variation on the Ghetto Hackers game. The Ghetto hackers were all about simulating a real business, with its need for uptime. In capture the business, teams […]

 

More on Opera

It has a lot to recommend it, but there are a number of niggling annoyances: Saved pages are poorly named. (Safari gives the page a name based on its title; Opera uses the filename, often “index.html.”) Since I save a lot of web pages, this is an issue. Cookie management doesn’t seem as good as […]

 

What's Wrong With Fingerprints?

It’s not a question you’ll hear me ask often, but when PrestoVivace sends me a link to “DOD plans to recognize more than just fingerprints:” “We’re looking for new technologies, innovators and companies that recognize that the biometrics enterprise in the Defense Department and the U.S. government in five years is going to be very […]

 

Journalist Shi Tao Jailed For 10 Years, after Yahoo! Helped

Both T-Salon and RConversation are reporting a Reporters Without Borders story, “Information supplied by Yahoo ! helped journalist Shi Tao get 10 years in prison:” The text of the verdict in the case of journalist Shi Tao – sentenced in April to 10 years in prison for “divulging state secrets abroad” – shows that Yahoo […]

 

Who Will Rid Me of This Meddlesome Bureaucracy?

One of the facets of the response to and analysis of Katrina is that the disaster is large enough that everyone can choose an aspect of it to look at from the comfortable heights of their favorite hobby-horse. Be it the incompetence of (state, federal, or local) government, the evils of (small or big) government, […]

 

Bring Back The 9/11 Commission

As historians, they did a fantastic job of gathering information. They have credibility and stature. They have the perspective to tie the destruction of New Orleans to the destruction in New York, Washington, and Pennsylvania, and to consider the failures of leadership and the failures of response in the context of massive new spending to […]

 

New Orleans Roundup

Michael Froomkin points to a claim that “Long before FEMA dropped the ball, local authorities decided they didn’t need one: See LENIN’S TOMB: Everything has gone according to plan.” For more, the City of New Orleans web site is still operational, and has a section on Emergency Preparedness. Bruce Sterling, with only a small […]

 

Katrina Roundup

Suzette Haden Elgin has an interesting essay on the “biblical proportions” construct, and its meaning. Thomas Barnett has written “The art of the long view,” which is an interesting perspective to be able to maintain right now. Another useful perspective comes from Bill West at the Counterterrorism blog in “Katrina Response – Another Quick Observation,” […]

 

New Orleans Times-Picayune Open Letter To The President.

…Every official at the Federal Emergency Management Agency should be fired, Director Michael Brown especially. In a nationally televised interview Thursday night, he said his agency hadn’t known until that day that thousands of storm victims were stranded at the Ernest N. Morial Convention Center. He gave another nationally televised interview the next morning and […]

 

Bush Fires Cherntoff

(CNN reports:) President Bush told reporters on Friday that millions of tons of food and water are on the way to the people stranded in the wake of Hurricane Katrina — but he said the results of the relief effort “are not acceptable.” He then went on to fire DHS Secretary Cherntoff. I’m such a […]

 

Asif Siddiqui Update

In May, I blogged “Georgia DMV, employee Asif Siddiqui, “hundreds of thousands.”” An anonymous tipster sent me a link to “Unemployment Appeal Decision:” The following is the decision of Appeals Tribunal of Georgia Department of Labor ruling that Asif Siddiqui is entitled to unemployment benefits as employer Georgia Technology Authority failed to prove their allegations. […]

 

Some Good News from New Orleans

It seems that both the French Quarter may have survived, and Fats Domino definitely has, despite earlier reports he was missing. It also seems that the National Guard is finally getting food to some people, and evacuating others, although there’s a lot more to do. Oh, and just when I try to get in a […]

 

Katrina, Looking Longer Term

There’s a very long post on the public health implications of Katrina at Dave Farber’s IP list, “Hurricane Katrina Analysis – CFR Global Health Program.” I hope that we respond better to these threats than we have to the hurricane. Thomas Barnett takes a look at the long term effects of “Katrina’s System Perturbation.” (I […]

 

New Orleans Roundup

There’s a lot of amazing things being written out there. One of the more fascinating would be Interdictor’s LiveJournal. He’s keeping a New Orleans ISP running, and blogging as he and his co-workers do. He asks that we link with mgno.com, but that’s been intermittent. Use Livejournal as a backup. Michael Froomkin has a roundup, […]

 

"This is Our Tsunami"

Before I get into this post, I’d like to say I have a great deal of sympathy for the individuals whose lives, but nothing else, have been saved. However, I find the comparisons to the Indian ocean tsunami to be irresponsible and wrong. Sample quote: Biloxi Mayor A.J. Holloway said the storm’s damage was overwhelming, […]

 

Four Alleged Terrorist Plotters Indicted in LA

The head of a radical Islamic prison gang and three others were “on the verge” of carrying out attacks against U.S. military sites, synagogues or other Los Angeles-area targets when police foiled the alleged plot, prosecutors said. From “Four indicted in alleged terrorist plot against LA-area targets.” The Counterterror blog has some analysis and links […]

 

Disaster Preparedness

Researchers from the non-profit Rand Corp. looked at the ability of local agencies to meet federal standards for responding to urgent-case reports of infectious diseases like bubonic plague, anthrax or botulism. Of 19 local public health agencies called in 18 states, only two met the U.S. Centers for Disease Control and Prevention’s standards, which include […]

 

New Orleans is Not a Morality Play

Enter narrator
I pray you all give your audience,
And hear this matter with reverence,
By figure a moral play:
The Flooding of New Orleans called it is,
That of our lives and ending shows
How transitory we be all day.
Enter preacher, sturm and drang…
It has nothing to do with Southern Decadence, despite […]