Shostack + Friends Blog Archive


WMF Vuln fix

Courtesy of IDA Pro developer Ilfak Guilfanov. Details are available via his web log, the existence of which I learned via the seemingly indefatigable Thomas Ptacek of Matasano.


Totally unforeseeable.

Herbicide-resistant genetically-modified crops cross-breeding with weeds? Shocking. Via Slashdot.


The New York City Police Riots

… The arrest of Mayor Wood was ordered. Captain Walling of the Metropolitan Police was sent to arrest the Mayor but was promptly thrown out on his ear. Wood occupied City Hall protected by 300 of his Municipals who resisted a force of 50 Metropolitans sent there to arrest him. Later that day 50 Metropolitan […]


Gartner to Visa, MasterCard: Play fair

Oft-quoted Gartner analyst Avivah Litan weighs in on the intriguingly gentle treatment of Sam’s Club by Visa and MasterCard: Recommendations […] * MasterCard and Visa: Show far greater transparency in enforcing PCI standards. There is still too much confusion about the standard and how to comply with it — confusion that is increased by seemingly […]


Fingerprint Readers and the Economics of Privacy

I used to feel bad advocating for privacy laws. I’m generally down on laws restricting private contracts, and privacy laws seemed to be an intellectual inconsistency. I’ve resolved that feeling because almost a great many privacy invasive systems depend on either social security numbers, or government issued identity documents. It seems quite consistent to restrict […]


How To Train Users

[Update: I had accidentally linked an out of stock edition on Amazon. The new link has copies in stock.] Part of me thinks that training users is a cop-out. It’s a way for the technology industry to evade responsibility for the insecurity of their products, and blame customers for manufacturers’ failings. At the same time, […]


Mossberg's Mailbox

This week’s Mossberg’s Mailbox has a great point, that I can’t resist sharing: “However, I feel compelled to note that, if you allow your Internet usage to be totally ruled by security fears, you may miss out on a lot.” He then goes on to discuss some of the always on benefits such as automatic […]


Two on the Iraqi Army

A spokesman for the American military command that oversees training of the Iraqi forces also said that while he did not know the security forces’ ethnic mix, he believed that there were more Sunni troops than the election data suggested. From the New York Times, “Election Results Suggest Small Role For Sunnis in Security Forces.” […]


Mariott Vacation Club, 206,000 records, backup tape

Marriott International Inc.’s time-share division said yesterday that it is missing backup computer tapes containing credit card account information and the Social Security numbers of about 206,000 time-share owners and customers, as well as employees of the company. Officials at Marriott Vacation Club International said it is not clear whether the tapes, missing since mid-November, […]


London and Terror Threats

The BBC reports that the Mayor of London says “there had been 10 attempted attacks since 11 September 2001, two of which had come since the 7 July bombs.” (“Threat to London ‘disorganised’“) Where are the perpetrators? Are they free, because of insufficient evidence? Are they in jail? Were they killed by security forces? Claims […]


Those Boy Scouts…Always Building Nuclear Reactors

Now 17, David hit on the idea of building a model breeder reactor, a nuclear reactor that not only generates electricity, but also produces new fuel. His model would use the actual radioactive elements and produce real reactions. His blueprint was a schematic in one of his father’s textbooks. Ignoring safety, David mixed his radium […]


13 Meter Straw Goat Met His Match

I am deeply saddened to have missed this story until now: Vandals set light to a giant straw goat Saturday night in a central Swedish town, police said, an event that has happened so frequently it has almost become a Christmas tradition. It was the 22nd time that the goat had gone up in smoke […]


Relentless Navel Gazing, Part 6

I’ve made a bunch of changes to style and template stuff. Most noticeable should be that post titles are now links to the posts. There’s also a whole lot of consistency improvements for the Moveable Type 3.2 software. The one remaining change is to bring full (extended) entries into the RSS feed. That Mt3.2 software […]


BancorpSouth, 6500 debit cards, unknown

In a report remarkable for what it doesn’t say, WLBT TV of Jackson, MS reports: A possible security breach has one bank giving customers new debit cards. BancorpSouth is sending out new cards to about 6500 customers. The vice president of the banks security department says account numbers were either lost or they were somehow […]


USA 0, UK 1

We get Mystery Science Theater 3000, they get Badly Dubbed Porn: Badly Dubbed Porn showcases vintage soft porn movies re-dubbed with a wickedly funny soundtrack by some of Britain’s most talented comedy actors. Via the lovely and very funny Ms. Kitka.


Holiday Charity

I’d like to draw your attention to two worthy causes: Tor, and the Creative Commons. Larry Lessig is looking to raise money to ensure that the Creative Commons maintains their non-profit status, and the fine folks who bring you the Tor Internet privacy tool are looking for donations so they can continue their important work.


Florida workers claim outsourced HR system reveals PII, lacks audit trail

The Tallahassee Democrat reports on an interesting disclosure instance: whistleblowers revealing allegedly shoddy data security practices at their former employer. The twist is that those doing the talking are not the folks whose jobs were outsourced, but former employees of the outsourcing firm. From the article: In an affidavit taken for a lawsuit by five […]


US Department of Justice, several SSNs, Process Errors

The federal government is responsible for issuing Social Security numbers, but it may not be doing enough to protect these critically personal pieces of information on its own Web sites. Acting on a tip, InformationWeek was able to access Web pages that include the names and Social Security numbers of people involved in Justice Department-related […]


Apollo 8

From the good old days, when science was not a matter of press releases, perception management or “long held beliefs.” Click the picture for a larger version at Astronomy Picture of the Day.


Dodo bones

Scientists have discovered the “beautifully preserved” bones of about 20 dodos at a dig site in Mauritius. Little is known about the dodo, a famous flightless bird thought to have become extinct in the 17th century. No complete skeleton has ever been found in Mauritius, and the last full set of bones was destroyed in […]


Nuclear Surveillance

In search of a terrorist nuclear bomb, the federal government since 9/11 has run a far-reaching, top secret program to monitor radiation levels at over a hundred Muslim sites in the Washington, D.C., area, including mosques, homes, businesses, and warehouses, plus similar sites in at least five other cities, U.S. News has learned. In numerous […]


Friday Star Wars and Psychological Acceptability

This week’s Friday Star Wars Security Blogging closes the design principles series. (More on that in the first post of the series, “Economy of Mechanism.”) We close with the principle of psychological acceptability. We do so through the story that ties the six movies together: The fall and redemption of Anakin Skywalker. There are four […]


Shark Video

Watch this astounding video of a shark in the Seattle aquarium. I suggest turning down the volume, the only really useful thing you’ll learn is that the shark in question was about 3-4 feet long. Via TEDBlog        


More on Snow's Assurance Paper

This is a followup to Gunnar Peterson’s comments on “Epstein, Snow and Flake: Three Views of Software Security.” His comments are in an update to the original post, “The Road to Assurance:” None of these views, by themselves are adequate. The combination of horizontal and vertical views is what yields the most accurate picture. Obviously, […]


It's Chaos Out There!

In “Play Break,” Hilzoy writes: Here’s what it’s about: as most parents know, little boys tend to be more interested in toys like trucks, and little girls in toys like dolls. (I was an exception: someone gave me a doll once, and I dissected it.) There is no obvious way to decide whether this is […]


Do Wiretap Revelations Help the Terrorists?

The question is a fair and natural one to ask, and I’d like to examine it in depth. I think my intuitive answer (“revelations about wiretaps don’t help the terrorists”) is wrong, and that there are surprising effects of revealing investigative measures. Further, those are effects I haven’t seen discussed. Allow me to explain the […]


Ford, 70,000 Employee SSNs, Stolen Computer

Ford Motor Co. informed about 70,000 active and former white-collar employees that a computer with company data, including social security numbers, was stolen from a Ford facility. From the WSJ, “Ford Computer Holding Staff Data Is Reported Stolen.” “Where Identity Theft is Job #1!”


Epstein, Snow and Flake: Three Views of Software Security

Among those who understand that software is, almost without exception, full of security holes, there are at least three major orientations. I’ve recently seen three articles, all of which I wanted to talk about, but before I do I should explain how I’m using the word orientation, and the connotations it carries. As used by […]


Update on ABN Amro (Lasalle Bank) tape

Lasalle Bank’s tape of mortgage-related information on 2 million customers has been found by DHL. (Thanks to Adam for the heads-up) No word on whether the tape was in a container which would show evidence of tampering, so this doesn’t foreclose (pardon the pun) the possibility of PII being stolen: […]the tape had been located […]


Even More on the $100 Laptop

I’ve discussed the $100 laptop in “Freedom To Tinker, Freedom to Learn,” and “More on ‘Freedom To Tinker, Freedom to Learn’.” In “Tech Delusions and The Trouble with Christmas,” Kerry Howley discusses many reasons why this is a bad idea: For now, OLPC plans to sell only to governments of poor countries, not individuals here […]


Emergent Properties of the Long Tail

Chris Anderson warms the cockles of our heart as he discusses the psychological acceptability of “The Probabilistic Age:” When professionals–editors, academics, journalists–are running the show, we at least know that it’s someone’s job to look out for such things as accuracy. But now we’re depending more and more on systems where nobody’s in charge; the […]


Software Usability Thoughts: Some Advice For Movable Type

I’d like to talk a bit about usability as it intersects with software design. I’m motivated by three things: Firstly, my own attempts to be comprehensible and understandable, not only in this blog, but also in software whose design I participate in. Years ago, Steve Karkula provided me the phrase “design from interface” while doing […]


I'll have to check with my manager

If you watch “The Simpsons”, you’ve probably seen “Puberty Boy“, the pimply-faced kid who appears in many episodes in a variety of menial jobs. Well, it looks like he may be working for the NSA: Q If FISA didn’t work, why didn’t you seek a new statute that allowed something like this legally? ATTORNEY GENERAL […]


Guidance Software, 4,000 CC+CCV, Hacker

Or, “I Wonder How They Figured It Out.” Online attackers breached the security of a server at digital forensics firm Guidance Software and stole the account information of nearly 4,000 customers, the company acknowledged on Monday according to news reports. From Rob Lemos, “Customer Data Stolen From Guidance Software.”


Legal Analysis of the Wiretaps

One of the really cool things about blogs is that very smart, knowledgeable people can offer up their opinions on topics of the moment. In this case, it’s Orin Kerr and Daniel Solove offering up extended legal analyses of the wiretaps. (Well, extended from the lay perspective, anyway.) Professor Kerr has posted “Legal Analysis of […]


Snarfer RSS Reader

Some friends have just launched Snarfer, a new Windows RSS reader, designed to be fast, efficient, and easy to use. Check it out! If you’re not familiar with RSS Really Simple Syndication, it’s a way to bring lots of content, like blogs, into one place. If I didn’t have NetNewsWire (a Mac client) I couldn’t […]


Reeves Namepins, Unknown # Cop Credit Cards, Hacker, a company that manufacturers the plastic and metal name tags that police officers around the country wear on their uniforms, had its customer database hacked recently, exposing credit card and other personal data for a number of police departments. So writes Brian Krebs in “Database Hack Exposes Police Financial Data.”


OSVDB Needs Programmers

The Open Source Vulnerability DataBase (OSVDB) is in need of additional programmers. If you’re not familiar with it because you’ve been hiding in a cave somewhere, OSVDB is a tremendous project that dramatically enhances the quality and availability of vulnerability information. Today, they posted a teaser, “OSVDB is Closing:” That said, OSVDB could substantially benefit […]


Torturing The Norms

Of a Financial Times online >poll about torture, Alice Marshall asks “ How did this even get to be part of the conversation?” Meanwhile, the BBC reports on the investigation of a Swiss Senator in “CIA abduction claims ‘credible:’” He went on: “Legal proceedings in progress in certain countries seemed to indicate that individuals had […]


" L'├ętat c'est moi"

Via USA Today: Days after the Sept. 11 attacks, the head of the National Security Agency met his workforce at the nation’s eavesdropping and code-breaking headquarters at Fort Meade, Md., near Washington, for a pep talk. “I told them that free people always had to decide where to draw the line between their liberty and […]


America Needs a Full Time President

Ryan Singel has a post “Bush Wiretaps Supremely Illegal,” in which he discusses how this aspect of wiretaps are settled law. Perry Metzger’s excellent “A small editorial about recent events” is also worth reading: As you may all be aware, the New York Times has reported, and the administration has admitted, that President of the […]


Meth Addicts and ID Theft

There’s a great article in USA Today, “Meth addicts’ other habit: Online theft.” Unlike many articles of this type, the reporting is measured and carefully reported, and full of details that make it believable: One dumpster behind a call center in suburban Mill Woods proved to be a jackpot. In a nondescript strip mall just […]


Managing and the Red Cross

The other day on “On Point,” I heard some astoundingly clear exposition of executive management, in the words of Dr. Bernadine Healy, the former CEO of the Red Cross. The program, Examining The Red Cross was promoted as: When 9/11 came, the Red Cross was there — with mountains of Americans’ donations and support for […]


Bugger Frequent Flyer Miles

I want Frequent Flyer Hours. They’d work almost the same. You’d get 550 or so points per hour from gate to gate. So all that time, sitting on the runway, circling in a holding pattern, waiting for the previous plane to vacate your gate? All would be paid back in some small way to the […]


The shame of it all

[Adam updates: The reporter has recanted his story, “Federal agents’ visit was a hoax .”] Apparently, the Staasi are watching what we read. A senior at UMass Dartmouth was visited by federal agents two months ago, after he requested a copy of Mao Tse-Tung’s tome on Communism called “The Little Red Book.” Two history professors […]


Government Secrecy and Wiretaps

I’d like to respond to Dan Solove’s article “How Much Government Secrecy Is Really Necessary” with the perspective of a veteran of the 1990s crypto wars, in which we fought the NSA for the practical right to build and use encryption to protect sensitive data. A central tenat of the government’s position was that there […]


Lasalle Bank, 2 million mortgagees, SSNs, acct #s, "lost" tape

From Crain’s Chicago Business: LaSalle Bank Corp. says a computer tape bearing confidential information on about 2 million residential mortgage customers disappeared last month as it was being transported to a consumer credit company in Texas. The Chicago bank has alerted law enforcement authorities and is also monitoring transactions closely to detect any unusual or […]


Friday Star Wars: Open Design

This week and next are the two posts which inspired me to use Star Wars to illustrate Saltzer and Schroeder’s design principles. (More on that in the first post of the series, Star Wars: Economy Of Mechanism.) This week, we look at the principle of Open Design: Open design: The design should not be secret. […]


NSA Spying on Americans Without Warrants

“Bush Secretly Lifted Some Limits on Spying in U.S. After 9/11, Officials Say.” A 10 page story in the New York Times opens: Months after the Sept. 11 attacks, President Bush secretly authorized the National Security Agency to eavesdrop on Americans and others inside the United States to search for evidence of terrorist activity without […]


"What if Copyright law were strongly enforced…"

I can’t tell you how strongly tempted I am to just steal Daniel Solove’s “What If Copyright Law Were Strongly Enforced in the Blogosphere?” It’s a great article, and it would be deeply, deeply ironic for that article to be at the center of a lawsuit over copyright infringement.


No good deed goes unpunished

The folks at the Alabama Credit Union were informed that 500 of their customers were among those whose payment card information was stolen in the Sam’s Club breach. They took a conservative approach and reissued the cards for all 500 customers, and also informed them of the breach. As we’ve commented on previously, information concerning […]


White Wolf, Unknown number of Passwords, Hackers

The game company White Wolf is going offline because of internet attacks. This is a blending of several trends: Fuller disclosure of incidents, attackers who are only in it for the money, and the economic impact of attacks. Dear White Wolf Users, Like many other well-known companies of the last few years, White Wolf was […]


Conference News

Shmoocon has announced their 2006 speaker list. Today is the last day to submit to Codecon.


Insurance Claims and Privacy

One of the biggest issues I have with the gossip industry is how behavior that seems normal and expected is entered into databases and is used to judge us in unexpected ways. As the Tampe Tribune reports in “Insurers’ Road Service Could Prove Costly:” TAMPA – Andrea Davis can’t understand what two flat tires and […]

Via Bejtlich, I learned that SANS is now offering degree programs. I have not been able to determine whether they are an accredited institution of higher learning, however.


Firm breached in Scottrade incident to sell business unit

From the press release: SALT LAKE CITY, Dec. 13 /PRNewswire-FirstCall/ — silex technology america, Inc. and TROY Group, Inc. signed a definitive agreement effective today stating that silex technology america will acquire the Wireless & Connectivity Solution Business of TROY Group, Inc. […] “We are pleased to announce this transaction as we believe that the […]


Fake Fingerprints

Fingerprint scanning devices often use basic technology, such as an optical camera that take pictures of fingerprints which are then “read” by a computer. In order to assess how vulnerable the scanners are to spoofing, Schuckers and her research team made casts from live fingers using dental materials and used Play-Doh to create molds. They […]


Torturing People

Last week, Secretary of State Condoleezza Rice made a speech in which she made apparently definitive statements about our policies towards torture. See Jack Balkin, “Rice: ‘U.S. Personnel’ Don’t Enage in Cruel, Inhuman and Degrading Treatment ”Wherever They Are.’” Then be sure to see Marty Lederman’s follow-up, “Condi Rice’s ‘No Torture” Pledge: Don’t Believe the […]


"Aid to the Church in Need", 2000 donors to charity, "personal details"

Not sure if the personal details obtained by hackers include CC#s, but names and addresses are certainly involved in this breach at a UK charity. A couple of interesting twists to this one, as reported at First, the thieves weren’t content with just stealing the info — they used it to extort victims directly: […]


Web Certificate Economics

In a comment on “Build Irony In,” “Frank Hecker writes:” First, note that the “invalid certificate” message when connecting to using Safari is *not* because the certificate is from an unknown CA (or no CA at all); it’s because the certificate is issued to the server/domain (note the dash) and thus doesn’t match […]


Tracking Graz (Austria)

Speaking of tracking and databases: Mobile Landscape Graz in Real Time harnesses the potential of mobile phones as an affordable, ready-made and ubiquitous medium that allows the city to be sensed and displayed in real-time as a complex, pulsating entity. Because it is possible to simultaneously ‘ping’ the cell phones of thousands of users – […]


Planespotters vs. the CIA

Ever-increasing requirements that every item be uniquely identifiable are combining with the power of the internet to invade everyone’s privacy. The Guardian (UK) has a story about how ‘planespotters’ are gathering data that allows the after-the-fact tracking of CIA torture planes. (“How planespotters turned into the scourge of the CIA.”) Paul last saw the Gulfstream […]


Passwords: Lessons for Japan Airlines from Harry Potter

This is weak authentication in all its glory. The password is shared by every member of a House. It is a static password, changed annually. Moreover, the fat lady’s password challenge never asks students for identity. I cannot recall any incident where a house ghost barred entrance to a student because he was a member […]


Star Wars and Separation of Privilege

As we continue the series, illustrating Saltzer and Schroeder’s classic paper, “The Protection of Information in Computer Systems,” we come to the principle of separation of privilege. Separation of privilege: Where feasible, a protection mechanism that requires two keys to unlock it is more robust and flexible than one that allows access to the presenter […]


Estimating breach size by fraud volume

Much is being made of a press release from ID Analytics. Based on results from that firm’s fraud detection products, a conservative estimate is that one of every 1000 pieces of PII lost in a data breach results in an actual fraud. An additional finding is that the likelihood of a fraud being committed using […]


Is the Database Half-Wrong, or Half-Right?

More than 8,000 people have been mistakenly tagged for immigration violations as a result of the Bush administration’s strategy of entering the names of thousands of immigrants in a national crime database meant to help apprehend terrorism suspects, according to a study released on Thursday. The study, conducted by the Migration Policy Institute, a research […]


0Day on Ebay

“Brand new Microsoft Excel Vulnerability:” The lot: One 0-day Microsoft Excel Vulnerability Up for sale is one (1) brand new vulnerability in the Microsoft Excel application. The vulnerability was discovered on December 6th 2005, all the details were submitted to Microsoft, and the reply was received indicating that they may start working on it. It […]


Elements of Blogging Style

I’ve often thought that I over-analyze some things. But as I enjoy blogging, I’ve come to realize that having standards about the little things helps me write faster and more effectively. More importantly, I hope, they allow you to skim here faster, and retain more of what you’re reading. Bloggers who want to be read […]


Deborah Davis Charges Dropped, Rally to Proceed

Ann Harrison reports: The government dropped all charges against Deborah Davis yesterday for failing to show her ID on a Denver public bus. Officials claim that passengers still have to show ID to transit through the Denver Federal Center, but said there were no clear signs to inform them of this requirement. Davis’ lawyers are […]


EPIC on RFID Passports

According to documents (pdf) obtained by EPIC under the Freedom of Information Act, a government report found significant problems with new hi-tech passports. Tests conducted last year revealed that “contactless” RFID passports impede the inspection process. At a meeting of a Privacy Advisory Committee today in Washington, EPIC urged (pdf) the Department of Homeland Security […]


Muffett on Passwords

In “OpenSolaris, Pluggable Crypt, and the SunMD5 Password Hash Algorithm,” Alec Muffett writes: Several years ago now, Darren Moffat, Casper Dik and I started swapping e-mail about how pathetic it was to still be using the traditional 8-character-password unix crypt() routine in Solaris, and how we could architect something to be much better. You’d have […]


Sam's Club, CC #'s and more?, they're not saying

American Banker(12/7/2005) reports [warning: paywall] on the tight-lipped reaction of Sam’s Club, MasterCard, and Visa to a recent data breach involving credit and debit card mag stripe data from Sam’s Club gas stations. The affected cards seem to have been primarily from two issuers, and hundreds of actual frauds have already occurred. Nobody is talking […]


A little knowledge is a dangerous thing

Bruce Schneier demonstrates the truth of the old saying in a must-read blog entry. In a nutshell, Nature published an article written by a physicist with little or no background in cryptography, claiming to have devised a mechanism foroptically transmitting encrypted messages using a “chaotic carrier”. Bruce trains his skeptical and expert eye on the […]


Tens of Thousands Mistakenly on Watchlists

[Important update below] Nearly 30,000 airline passengers discovered in the past year that they were mistakenly placed on federal “terrorist” watch lists, a transportation security official said Tuesday. Jim Kennedy, director of the Transportation Security Administration’s redress office, revealed the errors at a quarterly meeting convened here by the U.S. Department of Homeland Security’s Data […]


Hey, Look, It's Matasano!

Tom Ptacek’s blog is full of smart people introducing themselves, and their new company, Matasano. They’re talking about the new mix, which is to be consultants while you build your startup and look for funding. I hope that Window, Dave, and Jeremy all get the blogging bug. Heck, I hope Dino does too, because with […]


Economics of Fake ID (Kremlin Edition)

Russian security agents have arrested a group of policemen and civilians suspected of forging Kremlin passes. The items seized included identity cards guaranteeing entry to President Vladimir Putin’s offices, the FSB security service said. … According to security officials, some of the items were being sold at a car market in the south of Moscow, […]


Fighting Terror: Police, not Armies

Democracies do not fare well with military dictators, nor when entrusted to overpowering and internally focused armies. Armies are trained, quite rightly, to kill and ask questions later. Police forces are trained to exercise discretion, sustain the rule of law, respect human rights, understand the freedoms we have embodied neatly in a Bill of Rights […]


Speaking of Ethical: Brad Feld on Philanthropy

I’d like to draw attention to venture capitalist Brad Feld’s post, “Doing Good By Doing Well:” I’ve strongly encouraged my portfolio companies to incorporate “philanthropic activities” into their businesses early in their life. I don’t advocate any particular focus – I simply encourage founders and leadership teams to think about what they can do to […]


Ethical Behavior

Chuck Tanowitz has an interesting post “Ethicist in the Boardroom?” in which he expounds on … a discussion with Phil Libin a while back he suggested that companies should have an ethicist on board. More specifically, he suggested an outside ethics consultant to help keep them on track. The post is worth reading in its […]


American Torture Chambers

After the Second World War, Germans claimed they didn’t know what was being done to Jews, Catholics, Gays, Gypsies and others by their government. We, as Americans, have no such excuse. We know what’s being done in our name, and have failed to stop it. The American government is torturing prisoners, and sending prisoners to […]


Like Taking Candy from a Database

Candice “Candy” Smith, 44, of Blue Springs, Mo., pleaded guilty to making unauthorized inquiries into data aggregator LexisNexis’s database of non-public information on millions of consumers, such as driver’s license information and credit-history data. Many people might assume that only cops can look up this type of information, but Smith was granted access to the […]


Build Irony In

Secure operation of a site is hard. Really, I’m not looking to pick on CERT. They’re doing some very good work, and Build Security In is important. At the same time, this message is only appearing because SSL certificates are focused on identity, and that identity needs to be “rooted” at a certificate authority. That […]


Guerrilla Identity Protection

Next time you call customer service to manage one of your accounts and they ask you for pseudo-private information like your SSN or Mother’s maiden name, ask them for their name. When they ask why (feel free to prompt since this probably isn’t completely out of the ordinary) let them know that you are keeping […]


More on What Not To Get Me, Or Anyone

Bob Sullivan has a good post, “Gift card fees still playing Scrooge:” How much is that $50 gift card really worth? Well, it’s hard to say. The art of irritating and sneaky fees has reached new heights in this 21st century version of gift certificates. There are sign-up fees, transaction fees, dormancy fees and outright […]


Disclosure Rules are Changing (Salem, MA Schools, 'several dozen psych profiles')

A school psychologist’s records detailing students’ confidential information and personal struggles were accidentally posted to the school system’s Web site and were publicly available for at least four months. … The psychological profiles, some dating back more than a decade, contained children’s full names, birthdays and, in many instances, IQ scores and grades, the newspaper […]


It's Christmas Time in New Orleans

It’s no ordinary holiday season in the Gulf Coast this year, so Frank Evans built an unconventional holiday display at a suburban New Orleans shopping mall to match. He thought the tiny blue-tarped roofs, little toppled fences and miniature piles of hurricane debris in the display he builds annually for the mall struck just the […]


Cornell, 900 SSNs, "breach"

Cornell employees this past summer discovered a security breach on a computer that contained personal information, such as names, addresses, social security numbers and bank names and account numbers. After conducting an analysis of the breach, Cornell Information Technology (CIT) did not find evidence that any information stored on the computer had been inappropriately accessed. […]


Nick Szabo Blogging

Nick is a premier thinker about history, law and economics, and the lessons they have for security. Take this brief sample from “Origins of the joint-stock corporation:” The modern joint-stock corporation has many sources in medieval Europe. First among these was corporate law itself. Although the era is commonly referred to as “feudalism,” for the […]


Star Wars and Least Common Mechanism

Today, in Friday Star Wars Security blogging, we continue with Saltzer and Schroeder, and look at their principle of Least Common Mechanism: Least common mechanism: Minimize the amount of mechanism common to more than one user and depended on by all users [28]. Every shared mechanism (especially one involving shared variables) represents a potential information […]


The Future of Scientific Research

There’s a fascinating set of articles in Nature this week on openness, sharing, and new publication models. From “Science in the web age: Joint efforts:” “Science is too hung up on the notion of ‘the paper’ as the exclusive means of scientific communication,” says Leigh Dodds, a web expert at the publisher Ingenta. Publication and […]


DMCA vs. Security Research

Last month, I commented on how the DMCA was preventing research on spyware: …the legal cloud that overhangs this sort of research. That legal cloud was intentionally put there by the copyright industry, in the form of the Digital Millennium Copyright Act. The law makes it hard to understand what research you can perform when […]


Costs of Breaches

The Ponemon Institute continues to analyze the cost of breaches. Their latest work is distributed by PGP, Inc. The work that they’re doing is quite challenging and useful, but is unlikely to be a complete accounting of the costs. For example, what’s the real cost of the brand damage done to Choicepoint? Along with several […]


Fake ID Markets

Social Security cards run about $20, green cards about $70 and a California driver’s license between $60 and $250. The price jumps up for higher-quality documents, such as IDs with magnetic strips containing real information — often from victims of identity theft. … “You name it, they can make it,” said Los Angeles Deputy City […]