Shostack + Friends Blog Archive


More info, thoughts on Troy Group breach

In an interesting article, The St. Louis Post Dispatch reports new information about the recent breach of the “eCheck Secure” system run by Troy Group. According to the article, the number of potential Scottrade victims is 140,000. Troy Group published a news release revealing they got hacked, and notified their financial sector customers, including Scottrade, […]


EFF: Why Bother With DMCA comments?

The EFF has decided that the DMCA “rulemaking process is simply too broken” for them to bother commenting on it any further. See “DMCA Triennial Rulemaking: Failing Consumers Completely:” EFF has participated in each of the two prior rulemakings (in 2000 and 2003), each time asking the Copyright Office to create exemptions for perfectly lawful […]


Netgear WGPS606 and Mac Printing

I recently bought a Netgear WGPS606 ‘print server.’ It’s a nifty little device with a 4-port 100 Mbps Ethernet switch, a wireless bridge, and an LPD print service. I needed each of those as part of reconfiguring my office space, and here it was in one little package. It turned out to be something of […]


NJ's Strong Privacy Law

Apparently, I woke up on the right side of the bed, and am just handing out kudos left and right today. Consumers will gain strong new protections when New Jersey’s Identity Theft Prevention Act takes effect Jan. 1, but businesses and institutions are facing headaches and added expenses. Social Security numbers will be out as […]


UNC Addresses Risk Systemically, Rather than Piecemeal

Students are currently recognized by their Social Security Number in many University systems and applications. With the growing threat of identity theft, an alternative method has been desired for identifying students and faculty. The opportunity to execute this change has surfaced through the implementation of an updated University [of North Carolina] computer system. Kudos to […]


TSA to Revise Rules

[Updated with data from NYT] A new plan by the Transportation Security Administration would allow airline passengers to bring scissors and other sharp objects in their carry-on bags because the items no longer pose the greatest threat to airline security, according to sources familiar with the plans. The TSA’s internal studies show that carry-on-item screeners […]


Centers for Disease Control Want To Track All Travel

In “CDC plans flight e-tracking,” Bob Brewin of Government Health IT writes: Battling a pandemic disease such as avian flu requires the ability to quickly track sick people and anyone they have contacted. In response, Centers for Disease Control and Prevention officials have proposed new federal regulations to electronically track more than 600 million U.S. […]


Web Browser Developers Work Together on Security

Adam’s post earlier today on efforts to improve browser security reminded me about this post on KDE.news. George Staikos hosted a meeting of developers from Opera, IE, Mozilla/Firefox and Konqueror with an aim towards improving browser security across the board. Of particular interest to me, in light of my intro post, were these two lines: […]


More on Deborah Davis

The story of Deborah Davis is getting lots of attention. Rob sent me Refusal to present ID sparks test of rights, which includes: “I boarded the bus and spoke with the individual, Deborah N. Davis . . . asking why she was refusing,” wrote the first Federal Protective Service officer in an incident report posted […]


Meet The New Browser Security, Same as the Old Browser Security?

There’s a thread developing in several blogs about web browser security, and I think it is dangerously mis-framed, and may involve lots of effort going down some wrong paths. At the IE Blog, Franco writes about “Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers.” It’s a long, well-thought out post, which […]


Effective Privacy Law Requires Penalties

Michael Geist has a column today “Canada’s Privacy Wake-Up Call” in which he follows up on the Macleans story about the Canadian Privacy Commissioner’s phone records being stolen. (See my “Epic Problems With Phone Privacy.”) Although major Canadian telecommunications providers such as Bell Canada sought to characterize themselves as “victims” of fraudulent activity and claim […]


Don't Tell People What Not To Do!

[Update: If I’d been able to find the page which Arthur provided in a comment, I wouldn’t have written this quite like this.] It’s rare to see a substantial usability mistake at Google, and so this jumped out at me. Saar Drimer has a post on the new “Gmail password strength check,” in which he […]


Hoder's Denial

Recently, Hossein Derakhshan blogged about his denial of entry into the United States. (“Goodbye to America.”) This is really too bad. Hoder’s an insightful fellow, and even if he happened to be one of the 15 or so million living in the United States without official permission, we profited from his visits. I believe that […]


Defensive driving

As most parents of young children would no doubt attest, when driving with “precious cargo” — lives you particularly want to protect — you typically take extra precautions. Special safety seats with five point harnesses, specialized mounting hardware, taking that bit of extra care that maybe you wouldn’t if driving alone. Well, that may all […]


On Torture

I sometimes feel that I have nothing to add to the “debate” around torture, other than the formerly-obvious “torture is ineffective and morally repugnant.” Nevertheless, I feel that keeping silent, or even allowing the debate to occur without adding my voice to the chorus of reason. So, some others’ posts this past week: In Jack […]


Scottrade, Millions of "E-secure" system users, SSNs, account numbers, etc, "hacker"

Info is spotty on this, but according to a WFMY TV News report, Millions of names, addresses, social security numbers, and bank account numbers could be in dangerous hands. Officials with Scottrade, an investment company with an office in Greensboro say a security breach compromised the information of some of its account holders. A letter […]


Books: "Innocent Code" and "19 Deadly Sins"

I’m going to review Innocent Code (IC) and The 19 Deadly Sins of Software Security (19DS) in the same review because I think they’re very similar in important ways. There have been probably close to a dozen books now on writing code with good security properties. Many of the early ones had to lay out […]


Make Mine Sony-Free

As the holiday and gift-shopping season arrives, I’d like to talk about what not to get me (or really, anyone on your list). A bad gift is really painful to receive. You have to put on a fake smile and pretend to be happy, and then go return the thing at the first opportunity. My […]


No Friday Star Wars Security Blogging Today

Blame Tom Ptacek for ignoring my heroic efforts. My being off with family this week has nothing to do with it. Friday Star Wars Security posts will return next week, with the principle of Least Common Mechanism.


Happy Thanksgiving!

As you enjoy your Turkey, recall that the Pilgrims who ended up in Plymouth were fleeing the Anglican church, England’s state religion. The English church, of course, split from the Roman church so that Henry VIII could get a divorce. The little people, however, were not allowed the chance to split their churches in quite […]


My Software is Mine.

People often become emotionally entangled with the software they use. It’s not a geek-only thing, although geeks often become more entangled with a broader range of the software they use. Normal people speak of “My Excel is screwed up,” or feel bad that their Sony CD has messed things up for them. One of the […]


Australian Minister Vanstone on Stupid Security

An Australian Senator has created a bit of a kerfuffle by saying what everyone has thought in private. Bruce Schneier comments: During her Adelaide speech, Senator Vanstone implied the use of plastic cutlery on planes to thwart terrorism was foolhardy. Implied? I’ll say it outright. It’s stupid. For all its faults, I’m always pleased when […]


Book: Who Becomes a Terrorist and Why

I found “Who Becomes a Terrorist and Why” in a used bookstore for $2.99, and it was worth every depressing penny and more. The book is a US government funded study from 1999. It’s not clear if this work would be possible today or not. Much of the body of the book is an […]


Aspirin and the Regulation of Medicine

As we discuss the effects of various laws designed to protect us from various and sundry, we often lose track of the real, tangible benefits of liberty that we’re giving up. They’re sometimes hard to see, in the same way the Internet was hard to see in the early 90s. It was here, but most […]


Deborah Davis and the Denver "Public" Transit System

On the 9th of December 2005, a Denver woman is scheduled to be arraigned in U.S. District Court. Her crime: refusing to show ID on a public bus. At stake is nothing less than the right of Americans to travel freely in their own country. The woman who is fighting the good fight is named […]


A great idea whose time has come

Ben Edelman explains how Sony can use a messaging mechanism already built into the XCP system to inform people who are not yet aware of the “Sony rootkit” they’ve unwittingly installed, and what they can do about it. This is so obviously the right thing to do that I can almost guarantee Sony will not […]


Book: Secure Architectures with OpenBSD

Jose Nazario gave me a copy of Secure Architectures with OpenBSD this summer. I’m way behind with book reviews, and I wanted to start with this one. I’m a fan of the OpenBSD project. Not only for their efforts around security, but also because they put a great deal of effort into the documentation. I’ve […]


More on "Freedom To Tinker, Freedom to Learn"

In “Freedom To Tinker, Freedom to Learn,” I made some assumptions about the user interface for the $100 laptop. In “Alan Kay at WSIS,” Ethan Zukerman explains that Alan Kay will be doing much of the user interface design work: Kay began by explaining that most people aren’t using computers to do the most important […]


Google buys Riya, Steamrollers Your Pictures' Anonymity

Riya is a Redwood City startup that makes facial recognition software. Rumor from Om Malik says Google is buying them. I believe that this purchase has some of the farthest reaching privacy implications we’ve yet seen from Google. Anonymity, in its most literal meaning of “without a name,” is the current state of many photographs […]


Boeing, 161,000 SSNs, Stolen laptop

A laptop computer containing names, social security numbers and other sensitive information of 161,000 current and former employees of Boeing Co. was stolen recently, the U.S. aerospace manufacturer said Friday. From “Boeing says laptop with employee info stolen.” A bit more in the Seattle Post-Intelligencer.


Indiana University, 5300 students, malware

According to an Associated Press article appearing in the Indianapolis Star, Personal information about nearly 5,300 Indiana University students might have been accessed by a computer hacker, school officials said. Technicians discovered during a routine scan that three malicious software programs had been installed on a Kelley School of Business instructor’s computer in mid-August, said […]


Star Wars and the Principle of Least Privilege

In this week’s Friday Star Wars Security Blogging, I’m continuing with the design principles from Saltzer and Schroeder’s classic paper. (More on that in this post.) This week, we look at the principle of least privilege: Least privilege: Every program and every user of the system should operate using the least set of privileges necessary […]


ex-MI5 Head: ID Cards are a Bogus National Security Measure

Dame Stella Rimington has said most documents could be forged and this would render ID cards “useless”. “But I don’t think that anybody in the intelligence services, particularly in my former service, would be pressing for ID cards. From the BBC, “Ex-MI5 chief sparks ID card row.” Normally, a “row” requires two sides, with arguments. […]


Panexa

How did Sivacracy manage to rope in the sponsorship dollars? I really need to monetize some sticky eyeballs here. Meanwhile, click the image for more on Panexa.


The Importance of Due Process to Gary Gordon Smith, Abu Bakker and Adel ?

The United States is holding captive at Guantanamo Bay at least two men it knows are innocent of any wrongdoing. These men were cleared by the military courts, almost two years ago, and they are still in captivity. It makes me too angry to write about, so go read Requiem: In the comments to an […]


Sony's Rootkit and the DMCA

Bruce Schneier has a good article [on his blog and] in Wired this morning, “Real Story of the Rogue Rootkit.” One aspect of the whole Sony story that’s not getting a lot of play is why we don’t see more of these things. Is Sony unique in their callous disregard of their customers, or are […]


Industry to Customers: "You're Reckless and Apathetic"

It’s a long-standing “joke” that only drug dealers and the computer industry call their customers “users.” But at least drug dealers pretend that your behavior is ok. Not so the Universities educating our next generation of programmers, such as Carnegie Mellon. Their student news source, the Tartan, reports in “Study shows students cause computer […]


Delicious, Feed Me!

Del.icio.us is a ‘social bookmark manager.’ It’s a way to bookmark things, and let you see what I’ve bookmarked, and perhaps commented on. I’m using it more like a “clip blog,” with short commentary on many of the things dropped there. If you read it via the RSS feed, you get my commentary. But […]


Torture and the "Ticking Bomb" Argument

Alex Tabarrok has some interesting arguments as to why torture should be made illegal in “Torture, terrorism, and incentives.” I’d like to extend his argument: President Bush, Dick Cheney and others who support the use of torture by the United States and its agents usually rely on the ticking time bomb argument. Sometimes torture is […]


What I Want From A Log Analyzer

I’m becoming less and less satisfied with AWStats as a log analyzer. There are some things that it does reasonably well. But I’d really like a lot more. I’d like to be able to see how things have changed day to day (for example, how many new unique visitors did I get today?) I’d like […]


Choicepoint's Custom Products

I appreciate all the notes you’ve been sending me telling me about “FBI, Pentagon pay for access to trove of public records.” I’d love to have something insightful to add to this, but I don’t. Ryan Singel has a bit more: The article, which relies on heavily redacted documents acquired through an open government request, […]


Epic Problems With Phone Privacy

In the cover story of next week’s Maclean’s magazine, Jonathon Gatehouse reports that he successfully obtained the phone records of Canadian Privacy Commissioner Jennifer Stoddart: …Her eyes widen as she recognizes what has just been dropped on the conference table in her downtown Ottawa office — detailed lists of the phone calls made from her […]


Under The Weather

I’m feeling under the weather today, and so I’m sitting on the morning posts until I have a chance to re-read them. Expect posting to be heavy today, because I can’t do much real work, and have to entertain myself somehow. I’m hopeful that you’ll either be entertained as well, or forgive me for what […]


Unintended Consequences of Blackhat '05

(by arthur) I’m back from travels, so it’s time to post some more…. As Adam just posted, Jeff Moss sold Blackhat to CMP Media. Presumably, this sale is partially (largely?) a result of the various lawsuits that Blackhat was dealing with as fallout of “Cisco-gate”. Fortunately, these were recently settled in an equitable fashion, but […]


BlackHat Pwned!

MANHASSET, N.Y., Nov. 15 /PRNewswire/ — CMP Media, a marketing solutions company serving the technology, healthcare and entertainment markets, announced today that it has acquired Black Hat Inc., a producer of information security conferences and training that includes Black Hat Briefings and Conferences. Jeff Moss, founder and owner, will continue to run Black Hat and […]


568,200 DNS servers Know Sony

Dan Kaminsky has done some digging into the Sony rootkit: It now appears that at least 568,200 nameservers have witnessed DNS queries related to the rootkit. How many hosts does this correspond to? Only Sony (and First4Internet) knows…unsurprisingly, they are not particularly communicative. But at that scale, it doesn’t take much to make this a […]


Freedom To Tinker, Freedom to Learn

In “The $100 Laptop Moves Closer to Reality,” the Wall St Journal discusses a project to provide very inexpensive laptops to millions of poor children around the world. I think it’s a great idea, and wish them the best of luck. Delivering internet connectivity to millions of poor children will be a world-altering project. One […]


"To none will we sell, to none deny or delay, right or justice."

The United States senate voted today to deny habeas corpus to prisoners at Guantanamo. The United States Supreme Court had recently held that United States courts have jurisdiction to consider challenges to the legality of the detention of foreign nationals captured abroad in connection with hostilities and incarcerated at Guantanamo Bay. The vote today would […]


Simplify!

The sad passing of Peter Drucker, and Paul Kedrosky’s post on it brought something into sharp focus for me. It’s the value of working hard to make yourself understood, as opposed to making your audience work hard to understand you. One of my goals in blogging here is to learn to be understandable to the […]


NISCC Does It Their Way: Poorly

A post by Paul Wouters to the DailyDave list drew attention to “Vendor response of the Openswan project” to “NISCC Vulnerability Advisory 273756/NISCC/ISAKMP.” I feel like it’s 1997 again. The Oulu University Secure Programming Group (OUSPG) discovered a number of flaws with the ISAKMP/IKE portions of the IPSec protocols. OUSPG built a tool, and either […]


New, Useful, and Non-Obvious

My friend Sharon, who is an excellent patent attorney, showed me this, her favorite U.S. patent. You should hire her![1] She’s really good, even if she does a lot of work for an empire of questionable morals, but is not yet so evil as to have written anything like US Patent 4,646,382, “Lottery Ticket Scraper:” […]


Gordon Johnston vs. The NFL Who Cried Wolf

Gordon Johnston didn’t want to be frisked. So as the 60-year-old high school teacher approached the gates of Raymond James Stadium here for a Buccaneers football game last month, he lifted the team jersey he was wearing to show it wasn’t necessary. He was concealing no bombs. It didn’t work. So reports the Washington Post […]


Kill Bill's Browser (and Comments)

Some folks have put up a site, “Kill Bill’s Browser,” based on Google’s offer to pay up to $1 for each Firefox/Google Toolbar install. It offers up both good and entertaining reasons to switch: 7. It will make Bill Gates soooooooooo mad. Seriously– super, super mad. And even more than Bill, let’s think about Steve […]


MIT Researchers on Radio Shielding

Abstract: Among a fringe community of paranoids, aluminum helmets serve as the protective measure of choice against invasive radio signals. We investigate the efficacy of three aluminum helmet designs on a sample group of four individuals. Using a $250,000 network analyser, we find that although on average all helmets attenuate invasive radio frequencies in either […]


Friday Star Wars and the Principle of Complete Mediation

This week in Friday Star Wars Security Blogging, we examine the principle of Complete Mediation: Complete mediation: Every access to every object must be checked for authority. This principle, when systematically applied, is the primary underpinning of the protection system. It forces a system-wide view of access control, which in addition to normal operation includes […]


Macs and Sony's Rootkit

[Update: Welcome Wired readers! If you enjoyed Bruce Schneier’s article on who’s responsible for security flaws, please explore a little. The economics of security and privacy issues are an ongoing theme.] It wasn’t a plan that I was going to slag Apple this week. Really, I’m fond of my Mac, I’m just tired of claims […]


R-E-S-P-E-C-T! Find Out What It Means to Tom Peters

Tom Peters has a magnificent article, “Simple.” Go read the article. It’s really beautiful. Don’t mistake simple for easy, but this is an easy read about the need for respect in winning the cooperation of whomever you’re dealing with: “We were friendly and respectful whenever we met a Bedouin or farmer, often sharing tea with […]


This is convergence, too :^)

The Amazon Mechanical Turk. Basically, you have your code do a remote procedure call, where the bulk of the work on the remote side is performed by a human being.


Preserving the Internet Channel Against Phishing, Part 2

At this point I was pretty sure this was a social engineering attack, so I started to quiz her about why she needed the information. She said it was for a “security check”. I told her I was uncomfortable giving out information like this to a cold caller over the phone and she said it […]


Kudos to Microsoft, Brickbats to Apple

MS05-038 and MS05-052 contain a number of defense-in-depth changes to the overall functionality of Internet Explorer. These changes were done mostly for security reasons, removing potentially unsafe functionality and making changes to how Internet Explorer handles ActiveX controls. As a result of these changes that we made for security sake, for a limited amount of […]


This is convergence

A gamer who spent £13,700 on an island that only exists in a computer game has recouped his investment, according to the game developers. The 23-year-old gamer known as Deathifier made the money back in under a year. The virtual Treasure Island he bought existed within the online role-playing game Project Entropia. He made money […]


Digital Pearl Harbor

[U]se of commercial products with unbreakable cryptography could seriously undermine the ability of law enforcement to perform critical missions such as protecting against threats posed by terrorists, organized crime, and foreign intelligence agents This from a rather lightweight report prepared by the Congressional Research Service. I may have read it with a jaundiced eye, but […]


Canadian Air Transport Security Authority to Hire Angelina Jolie

In the midst of a CBC story about how a consultant went through “door after door” in Toronto’s Pearson airport (“Investigation highlights security concerns at Canadian airports“), we’re treated to these lovely tidbits: Mark Duncan, chief operating officer for the Canadian Air Transport Security Authority, the agency tasked with providing security at Canadian airports, says […]


The Approaching Apple OSX86 Security Nightmare

In the midst of an excellent long article on how the Wine Windows emulation layer will interact with OSX86, (“I invite you to wine“), Wil Shipley writes: When you can run Windows apps on Mac OS X, you’ll still be protected by Mac OS X. Viruses are going to be dead. D-E-D. Ok, yes, there […]


Transunion, 3,623 SSNs, Stolen Computer

Social Security numbers and other information about more than 3,000 consumers were stolen recently from TransUnion LLC, one of three U.S. companies that maintain credit histories on individuals, in the latest of many security breaches that have focused congressional attention on identity theft and fraud. The data were housed in a desktop computer that was […]


How Much Goodwill is 17,000 Letters Worth?

The Seattle Post Intelligencer reports that “ChoicePoint warns consumers about fraud:” ChoicePoint Inc., the company that disclosed earlier this year that thieves had accessed its massive database of consumer information, said Tuesday in a regulatory filing it has sent out another 17,000 notices to people telling them they may be victims of fraud. The story […]


University of Tennessee, 1,900 SSNs, Bad Policies

The University of Tennessee notified about 1,900 students and employees yesterday that their names and Social Security numbers inadvertently were posted on the Internet. … A University of Tennessee student made the discovery about two weeks ago when she searched the Internet for her name and found it listed with her Social Security number on […]


Are You Selling This Computer to Me or the RIAA?

(I wrote this a few weeks back, and forgot to post it. It’s even more fun with the brouhaha about Sony/BMG screwing with your computer if you buy their “music.”) In conversation with Lucky Green, he commented that “You won’t be able to buy a laptop w/o a TPM in a few years.” This doesn’t […]


Macromedia Flash Critical Update

There’s apparently a critical flaw in Macromedia Flash 7. (You know, the software that plays annoying ads in your browser?) This affects at least PCs and Macs. Macromedia’s advisory is here. eeye has an advisory which makes it sound like a PC-only issue. Sec-Consult has published POC code. It’s unclear to me why, 130 days […]


Freedom to Develop

Two related posts from last week that I’d like to tie together. Jeff Veen writes about the lack of either Mac software or standards compliance in Polar Heart Rate Monitors in “Polar Heart Rate Monitors: Gimme my data,” and Bob Frankston writes about how the telcos use the regulators to stifle competition and innovation in […]


Choicepoint Roundup

Well, I’ve tried going cold turkey, but wasn’t getting positive reinforcement, so I stopped. Let’s start from the positive, shall we? Chris Hoofnagle of EPIC is quoted in a positive light in “ChoicePoint says it’s securing public’s personal data better” in the Atlanta Journal Constitution. Now that that’s out of the way. Science Daily tells […]


Iraq-al Qaeda Link Questioned

The New York Times has a story, “Report Warned Bush Team About Intelligence Doubts:” “It is possible he does not know any further details; it is more likely this individual is intentionally misleading the debriefers,” the February 2002 report said. “Ibn al-Shaykh has been undergoing debriefs for several weeks and may be describing scenarios to […]


The Tories Just Don't Understand Art

Audiences at the Government-funded Chapter arts centre in Canton, Cardiff, see Miss Takahashi arrive on stage in high heels and a smart black business suit. For the next three hours, they watch her drink bottle after bottle, periodically lurching towards her beam and seeing how much of it she can negotiate without falling off. … […]


Froomkin and Vladeck on Roberts

Ann Bartow describes it as “completely awesome pedantic weeniedom, and I mean that in the best possible way.” I would have just tossed this in my del.icio.us feed, but wanted to boost Michael Froomkin’s page rank for pedantic weeniedom. I hope he doesn’t mind. (Via Volokh)


Strategy In Iraq: Stay the Course vs Partial Disruption

Global Guerrillas has a fascinating post, “PARTIAL vs. COMPLETE SYSTEM DISRUPTION.” The thesis is that Iraqi guerrillas and terrorists have the ability to complete the collapse of Iraq into anarchy, but have chosen not to, for reasons that he lays out. As van Creveld predicted in “The Transformation of War,” we lack a good way […]


Data Destroying Anonymity

New Scientist reports “Anonymous sperm donor traced on internet:” LATE last year, a 15-year-old boy rubbed a swab along the inside of his cheek, popped it into a vial and sent it off to an online genealogy DNA-testing service. But unlike most people who contact the service, he was not interested in sketching the far […]


Miss McDonald's Halloween

Miss McDonald has an art project at Livejournal: Or perhaps Miss McDonald is an art project. Hard to say with any certainty. But why would you want to?


15% of Oregonians at Risk from DMV

Police have a warning for anyone who did business with the Oregon Department of Motor Vehicles in 1999 or 2000. They say as many as a half-million stolen DMV records were found on a laptop during a methamphetamine bust Wednesday night at a southeast Portland apartment complex. They allegedly discovered evidence of meth distribution and […]


Business Process Hacking

Business process hacking is the act of using weaknesses in the way an application is exposed to garner information or break in. Recent examples include the ChoicePoint and Lexis-Nexis attacks. Here is a new one. A couple of young traders at an Estonian bank got a Businesswire account and proceeded to dig around until they […]


We want it all, and we want it now

Bob Sullivan provided excellent “mainstream media” ChoicePoint coverage, and is doing some good blogging about breach legislation. From the blog post cited above, it’s clear that Sullivan considers the Act in question to be nigh-on to a total cave-in to industry. That things would have taken this turn is not surprising, but is nonetheless somewhat […]


Oh what a tangled web we weave…

Sony’s DRM rootkit has been harnessed by folks selling a program which hides game cheats from detective measures shipped with WoW and affectionately known as The Warden. Somehow, I am reminded of a Simpsons quote [.mp3]


Friday Star Wars: Principle of Fail-safe Defaults

In this week’s Friday Star Wars Security Blogging, I’m continuing with the design principles from Saltzer and Schroeder’s classic paper. (More on that in this post.) This week, we look at the principle of fail-safe defaults: Fail-safe defaults: Base access decisions on permission rather than exclusion. This principle, suggested by E. Glaser in 1965 means […]


10m (or more) Stolen Passports

Arab News picks up an Agency France Presse story, “Terrorist Access to Stolen Passports Alarms Interpol:” (Via Flogging the Simian’s Nov 4 PDB.) NEW YORK, 4 November 2005 — With 10 to 15 million stolen passports in use around the world at the present time, the global struggle against terrorism is seriously hampered, Interpol Secretary-General […]


Hashes: The High Cost of Deployment

Thanks for the great intro, Adam! Steven Bellovin and Eric Rescorla recently released a paper, “Deploying a New Hash Algorithm.” This is a great analysis of both the operational and protocol issues with changing which hash algorithms get used by various security protocols. For instance, S/MIME has no real mechanism for negotiating which hashes (and this […]


Introducing Arthur

I’d like to introduce Arthur, our newest guest. I was going to say Arthur is not his real name, but that would be a lie. It is his real name for purposes of this blog. It might, however, not be what his wife calls him. (“Sweetie.”) Arthur is, however, the chief information security officer for […]


Joseph Ansanelli, Brad Smith on Privacy Law

The [Stearns] bill would also require companies to notify not just consumers of a breach, but also the F.T.C., which would then be permitted to audit the company’s security program. “But it needs better enforcement language,” said Joseph Ansanelli, the chief executive and co-founder of Vontu, an information security company in California, who has frequently […]


The CIA's "Prisons"

Yesterday’s Washington Post had a long, sickening article on “CIA Holds Terror Suspects in Secret Prisons:” The hidden global internment network is a central element in the CIA’s unconventional war on terrorism. It depends on the cooperation of foreign intelligence services, and on keeping even basic information about the system secret from the public, foreign […]


The Cost of Following The Money

[Update: There’s a fairly long clarification in the middle of the post, which expands on a sentence that was too brief to be understandable.] One of the fond dreams of the counter-terror community is to be able to take Deep Throat’s advice, and follow the money. In “New Anti-Money Laundering Regulations and Compliance Solutions Announced,” […]


Episode III Released on DVD

Q. Do friends and family ever ask you [Frank Oz] to do Yoda on their phone answering machines? A. Yep. And I always say no. He’s not a party trick. He’s not a trained monkey. And I’m not a man like Mel Blanc, who’s a brilliant man of voices. I’m a man of characters; I […]


Relentless Navel Gazing, Part 2

Upgraded the blog software, added a fair number of little tidbits, including lots more archive indexes, better per-post options, and will be tweaking lots of little stuff over the next few days. Also, added automated “posted by” bits, and am going through older posts and cleaning out those bits. Which means that RSS will get […]


Speaking Of Worms

Following up on Chris’s worm post, Red Database Security has an advisory on an Oracle worm. On 31-october 2005 an anonymous poster (oracleworm@hushmail.com) released a proof-of-concept PL/SQL source code of an Oracle worm on the full disclosure mailing list. The worm is using the utl_tcp package to find other Oracle databases in the same subnet […]


Properties of National ID Systems

In “learning from others,” Jerry Fishenden writes at length about National ID systems and their impact on society. His post includes a list of properties an ID system should have, (originally from Niels Bjergstrom). His theme that these systems don’t only have ‘features,’ but properties is an important one. I’d like to suggest two additions: […]