Shostack + Friends Blog Archive

 

National breach list? Pinch me!

H.R. 3997, the Financial Data Protection Act, is one of the many pieces of legislation proposed in the US to deal with identity theft or notification of security breaches. It was approved by the Financial Services Committee of the House of Representatives on 3/16. I haven’t read the full text of the bill (and it […]

 

Metricon 1.0 Announced

At this year’s RSA show, a decent portion of the securitymetrics mailing list (about 30 people) convened for lunch. I enjoyed meeting my colleagues immensely, and I received good feedback from others who attended. One thing everyone agreed on is there is enough activity in the security metrics area to merit convening the group a […]

 

Privacy Enhancing Technologies Award/Call for Nominations

We’re looking for nominations of great work in Privacy Enhancing Technologies: The PET Award is presented annually to researchers who have made an outstanding contribution to the theory, design, implementation, or deployment of privacy enhancing technology. It is awarded at the annual Privacy Enhancing Technologies Workshop (PET). The PET Award carries a prize of 3000 […]

 

Lapel Pin, Redux

Dear Arthur, In Re: your post, “Die Struck Lapel Pins From Collinson Enterprises.” They’ve some neat ones for sale too, if you’d like to be spotted as a Fed at Defcon.

 

Lapel Pins?!?

There is an AP article in today's Washington Post about Cynthia McKinney, a Georgia Congresswoman who was in a scuffle with the police today after refusing to identify herself upon entering one of the House buildings in the “Capitol Complex”. The truly scary part of the article was this: Members of Congress do not have […]

 

How New Ideas Emerge From Chaos

There’s an interesting contrast between “The Problem With Brainstorming” at Wired, and “Here’s an Idea: Let Everyone Have Ideas” at the New York Times. The Problem with Brainstorming starts out with some history of brainstorming, and then moves to its soft underbelly: The tendency of groupthink to emerge from groups: Thinking in teams, and pitching […]

 

Security Flaws and The Public Consciousness

In “Duped Bride Gets No Sympathy,” Kim Cameron writes about an Ebay scam. What’s interesting to me is some of the language that the scammer used to justify their requests: “Her attacker convinced her to use Western Union due to “a security breach at Paypal”.” (Kim Cameron, summarizing video)…. “Another red flag was the wire-transfer […]

 

"Suffering in Silence With Data Breaches"

That’s a huge loophole that could be used in almost every incidence of stolen data, said Dan Clements, CEO of CardCops.com, a company that tracks the sale of stolen credit cards on the Web. Every law enforcement agency that receives a crime report is going to consider the case “under investigation,” he said. “Only about […]

 

Privacy Grants from the Canadian Privacy Commissioner

The Privacy Commissioner of Canada, Jennifer Stoddart, today announced the renewal of funding through her Office’s Contributions Program which, for the last three years, has allowed some of Canada’s brightest privacy experts to develop a wealth of information on various privacy challenges of the 21st century. From “Privacy Commissioner’s Office renews its cutting-edge privacy research […]

 

196,000 HP Employee SSNs, Fidelity Laptop

A laptop lost by Fidelity this month has exposed 196,000 current and former HP employees, staff were told last night. “This is to let you know that Fidelity Investments, record-keeper for the HP retirement plans, recently had a laptop computer stolen that contained personal information about you, including your name, address, social security number and […]

 

England

By Banksy, via Saar Drimer.

 

How Private Are Your Tax Records?

In “How private are your tax records? You’ll be surprised,” Bob Sullivan illustrates why the “opt-in/opt-out” way of discussing privacy is so destructive: Any information you give to a company that helps you prepare your taxes can be sold to anyone else. Only a single signature on a permission slip stands between you and the […]

 

Congratulations, Professor Ian!

I’m very happy to report that Ian Goldberg has accepted a position, starting in the fall, at the University of Waterloo. I had the privilege of working with Ian while he was Chief Scientist and Head Cypherpunk for Zero-Knowledge Systems, and he spans academic and practical computer security in a way that’s all too rare. […]

 
 

Destructive Chaos

Sorry about the unavailability over the last (unknown time period). My DNS registrar, Joker.com, was under DDOS attack. If you’re reading this, you either have a cache, or the attack has been mitigated in some way. We now return you to your regularly scheduled list of stolen laptops, lost backup tapes, and who knows, maybe […]

 

Laptop theft

The Register has been on Ernst & Young’s case. The latest Exclusive! talks about a laptop stolen in early January, and how we now know it had info on BP employees, along with those from IBM and others. The article also observes that: It’s difficult to obtain an exact figure on how many people have […]

 

I’m Sure I Don’t Want to Continue

When I try to drop files in the Trash, the Finder gives me this awful[1] dialog box. I really don’t want to delete files immediately, and am not sure why it wants to. Does anyone know what I do to fix this? [1] It’s awful for two reasons: First, it gives me no advice on […]

 

You can't buy publicity like this!

UCSB has a project to digitize wax cylinder recordings. They have thousands cataloged, with the majority downloadable as mp3s. It’s awesome. Naturally, I wanted to see what software they used. Being archivists, they of course go into great detail, including this gem: We’d like to use this space as a soapbox to say that Cleaner […]

 

Sprint "Security"

So the other day, I called up Sprint, my illustrious cell phone provider, to make some changes to my service plan. The very nice agent asked me to identify myself with either the last 4 digits of my SSN or my password. Now, I’ve never set up a password for use over the phone and […]

 

Many Meanings of Privacy

I regularly talk about how privacy has many meanings, but haven’t put those in a blog posting. Since this blog has more readers than most of my talks have attendees, I figure it’s a sensible thing to blog about. The point of this list is to illustrate the dramatically different things people mean when they […]

 

Art Imitating Life?

Many laughs, and perhaps a tear or two, from The Cubes

 

Breach notification escape mechanisms

In a somewhat incendiary piece published today at Securityfocus.com, Robert Lemos reports on loopholes in notification laws which permit firms to avoid informing people that their personal information has been revealed. According to the article, which along with unnamed “security experts” also cites industry notable Avivah Levitan, “[t]here are three cases in which a company […]

 

Government Issued Data and Privacy Law

I’d like to say more about the issue of privacy law, and clarify a bit of jargon I often use. (Alex Hutton pointed out it was jargon in a comment on “There Outta be a Law”.) As background, some people have objected to privacy laws as being at odds with the First Amendment guarantees of […]

 

Relentless Walking

You two and your obsession with modern entertainment. Get out, and go for a walk to Rivendell. If you are going to insist on watching movies, at least go see some real ones. (Image is “Descent to Rivendell,” by John Howe, from theonering.net)

 

Relentless Navel Gazing, Pt 9

I’ve made the text darker, and hope it’s a tad easier to read, and thanks to N, have finally added a closing quote to blockquotes: blockquote { background: url("https://adam.shostack.org/blog/wp-content/uploads/2018/08/uq.png") no-repeat bottom right; } blockquote:before { content: url("https://adam.shostack.org/blog/wp-content/uploads/2018/08/q.png"); display: run-in; padding-right: 10px; } The tricky part was to ensure that the closing quotation mark stayed within […]

 

I find your faith disturbing

Adam, I learned of the flick via a blog unrelated to either Star Wars or computing, so no need for Google. Not to get all “vi vs. emacs” on you, but I never understood the fascination with Star Wars. :^) Photo cred: kemikore

 

You Have Failed Me For the Last Time

Chris, I can’t believe you mentioned Snakes on a Plane, and failed to link to a blog called “I Find Your Lack of Faith Disturbing,” whose article, “Snakes on a Motherfucking Plane” is like the 3rd hit on Google. I mean, really! It’s not like you had to look hard to find that. Do I […]

 

Beautiful Evidence

Edward Tufte’s new book, Beautiful Evidence, is now at the printer and should be available in May 2006. The book is 214 pages, full color, hard cover, and at the usual elegant standards of Graphics Press. (Thanks, Mr. X!)

 

Security & Orientation

When Larry Ellison said “We have the security problem solved,” a lot of jaws dropped. A lot of people disagree strongly with that claim. (Ed Moyle has some good articles: “Oracle’s Hubris: Punishment is Coming,” “Oracle to World: ‘Security Mission Accomplished…’”) That level of dripping sarcasm is fairly widespread amongst the security experts I talk […]

 

St. Patrick would know what to do

The movie “Jaws” made a lot of money. People like money. Hence, people made derivative movies, “Orca” for example. One copycat, IMO, was so dreadfully bad that it was good. That movie was “Grizzly”, which I saw on its first run. It told the tale of a rogue bear which, you know, basically roamed around […]

 

TSA: 0 for 21 in a Game They Rigged

“In all 21 airports tested, no machine, no swab, no screener anywhere stopped the bomb materials from getting through. Even when investigators deliberately triggered extra screening of bags, no one stopped these materials,” the report said. … The Transportation Security Administration (TSA) had no comment on the report but said in a statement that detecting […]

 

Virtual Machine Rootkits

Eweek covers a paper (“SubVirt: Implementing malware with virtual machines”) coming out of Microsoft and UMichigan in “VM Rootkits: The Next Big Threat?” Joanna Rutkowska gives some thoughts in a post to Daily Dave, “redpill vs. Microsoft rootkit….” My take is it’s good to see Microsoft working on this sort of research, and thinking […]

 
 

Slightly Unique Identifiers

One of the neat things about Blue Hat is that people get pulled aside and introduced to people who have problems that they’d like your thoughts on. In one of those meetings, it came out that the person I was meeting with was destroying lots of data before it came to his group. Very cool. […]

 

There Outta be a Law

A reader wrote in to ask why I’m not more forcefully advocating new laws around information security. After all, we report on hundreds of failures with deeply unfortunate consequences for people. Those people have little say in how their data is stored, so shouldn’t we have a law to protect them? We probably should, and […]

 

Security & Usability, Workshops

This was supposed to be a part of my book review post, but early user testing showed us confusion and a desire for a more tightly focused blog post experience… It may also help to attend events like the “Security User Studies Workshop at SOUPS 2006” or the “Workshop on Psychological Acceptability and How to […]

 

David Litchfield Asked Me

At Blue Hat, David Litchfield of NGS asked me ‘how many of the issues we see are related to SQL injection?’ I did a review of the breach archive here, and found less than half a dozen that seemed decent candidates: State of Rhode Island, 4,118 or 53,000 CC, Hacker Reeves Namepins, Unknown # Cop […]

 

NJ prosecutor reports debit card ring has been busted

Story at CNET. In related news, OfficeMax says there’s no evidence they were broken into, and back it up with help of outside experts. I’m done being a Kremlinologist on this one, for now. With as little solid info as has made it into the press, it’s just not worth it. Perhaps some facts will […]

 

Identity Theft and Child Pornography

The CBC has a story on how “Global child porn probe led to false accusations:” An international investigation of internet-based child pornography has led to accusations against innocent victims of credit card fraud, a CBC News investigation has found. In other cases, victims of identity theft found themselves fighting to save their reputations, jobs and […]

 

Security and Usability

Simson Garfinkel sent me a copy of “Security and Usability: Designing Secure Systems that People Can Use,” which he co-edited with Lorrie Faith Cranor. [Updated spelling of Lorrie’s name. Sorry!] I was really hesitant when I got it because I tend to hate collections of academic papers. They’re often hard to read, heavily redundant, and […]

 

Blue Hat Pictures

J. in the Windows Build room, and some labels on a cabinet. And baby, that’s all you’re gonna see of the pictures. We value everyone else’s privacy, unless you were there. In which case, it’s all groovy. Drop me a note and you’ll get the super-double-secret URL. As to the picture honoring ‘patch Tuesday,’ I […]

 

Stolen Ernst and Young laptop had 84,000 SSNs

Information courtesy of the Reporting Form E&Y filed pursuant to New York state law. The consulting firm has been criticized for the delay in reporting this breach, which occurred on January 4.

 

Some additional info on the debit card breach

American Banker has a useful article about the debit card/PIN breach that has been making news. Unfortunately, it is behind a paywall. After reciting the background, the article presents some additional info in Q and A form. Herewith, some fair-use excerpts. All italics emphasis is added. If you have access, I urge you to read […]

 

Reflections on the Microsoft CSO Summit

Adam’s Private Thoughts on Blue Hat, reminds me that I’ve been meaning to post about Microsoft’s recent CSO Summit. This was an invitation-only spin off of Microsoft’s Executive Circle, and was a mix of MS product presentations, round table discussions, and non-MS folks speaking on how they dealt with real world scenarios in their various […]

 

Social Security Administration, 300 Million Americans Not Exposed

I just got my “Your Social Security Statement” in the mail. The very first words on the top of it are “Prevent identity theft—protect your social security number.” Inside, it only prints the password to my cell phone last 4 digits. If your bank, school, or employer does worse, ask them why they’re less enlightened […]

 

Private Thoughts on Blue Hat

As I mentioned, I was out at Microsoft’s Blue Hat conference last week. As it was a private event, speakers’ names are being kept private right now. I’m all in favor of privacy. Unfortunately, that makes it hard to properly attribute this bit of genius: 1 bottle of beer on the wall, 1 bottle of […]

 

New Jersey's breach law

New Jersey’s breach notification law went into effect in mid-December 2005. Like New York’s, it requires that a state entity be notified, in addition to the persons whose info was exposed: c. (1) Any business or public entity required under this section to disclose a breach of security of a customer’s personal information shall, in […]

 

Audio Surveillance Can Be Cool, or a Hoax

[Update: Everyone says I’m being taken, in the comments.] French archaeologists have taken pottery from ancient Pompeii and played the grooves back like a record to get the sounds of the pottery workshop, including laughter. Click “Telecharger la video” to play the short video which contains a sample of the audio. Audio from ancient Pompeii, […]

 

"I've turned into my mother!"

…or, more generally, “I’m now doing that weird thing I saw an influential elder do, but now it seems to make sense”. I have several examples from my own life (generally rather predictable for a balding 40-something suburbanite), but just today I found another one, and I didn’t see it coming.

 

Chip and Pin Point-of-Sale Interceptor

Mike Bond at Cambridge University has a page “Chip and PIN (EMV) Point-of-Sale Terminal Interceptor,” in which he documents: Our interceptor is a prototype device which sits between a Point-of-Sale (POS) terminal in a shop and the Chip and PIN card carried by a customer. It listens passively to the electrical signals – “the conversation” […]

 

CIBC, One Customer's Wire Transfers, Data They Didn't Use

The federal Privacy Commissioner is looking into a faxing incident involving Canadian Imperial Bank of Commerce and one of its clients. The case began last October when CIBC was told by Christine Soda that she had been receiving faxes at her home in Mississauga that were supposed to be going to Gerry McSorley, who runs […]

 

Ehime Prefectural Police (Japan), Data on unknown # Suspects, Virus

A massive amount of investigation data kept by Ehime Prefectural Police has been leaked onto the Internet, apparently after the computer that kept the data was infected with a virus through the file exchange software Winny, it has been learned. The amount of information leaked from the Ehime police computer is about four times that […]

 

Toyama Japan Hospital, 2,800 patients, file sharing

Information on about 2,800 patients who had surgery at a privately-run hospital in Toyama between 1997 and December 2004 was unintentionally uploaded to the Internet. According to the hospital, the man in charge of data on surgery transferred the information–consisting of patients’ names, sexes, birthdates and information on surgical procedures for which they were hospitalized–to […]

 

SSL Survey over at Matasano

Jeremy Rauch over at Matasano is running a survey on how companies are using HTTPS/SSL. I encourage you to go there and respond. My answers are below the cut.

 

North Carolina Transportation Department, 16,000 credit card #s, outside intruder

The Associated Press is reporting that: An Internet server used by the state Transportation Department’s Ferry Division to process credit card payments for ferry fares may have been breached by outsiders, the agency said Friday. The computer database contained 16,000 credit card numbers, the DOT said. The Office of the State Controller has notified its […]

 

The wall starts to crack

Merchants and credit card processors are not allowed to store a host of sensitive data, according to Visa and MasterCard. That includes personal identification numbers, or PINs, used to withdraw cash, the three-digit code on the signature panel, and data on the magnetic stripe on the back of credit cards. A Visa spokeswoman would not […]

 

Mary Worth

Michael Howard over at Microsoft has a great post on why security analogies are usually wrong, with a beautiful analogy of his own that aptly makes his point. Also, note that Ed Felten is currently teaching a class, InfoTech & Public Policy, at Princeton. Students are required to post weekly, and non-students are encouraged […]

 

Worth Reading, 2.0

The news that one of “Saturn’s moons is spewing water vapor” is worth reading because the universe is cool, Enceladus will have life found on it, and life will get more interesting. “Fix My Settings in IE7” is worth reading for user interface designers. I hope to see the idea exposed to some user testing […]

 

"Worth Reading" (Elements of Blogging Style)

The phrase worth reading is a crutch for lazy writers. I use it a lot, and shall use it less. Please call me, and anyone else you read, on this bit of spinelessness in our writing. At least, I’ll endeavor to say why I find something worth reading, and try to suggest which readers might […]

 

The Pursuit of Wow and the Virtue of Shipping

I’ve just finished reading “The Pursuit of Wow!” by Tom Peters. The essential message is that if you’re not enthused by what you’re doing, change things until you’re enthused. It’s a great reminder of the importance of passion for delivering great products and services. Unfortunately, as a startup veteran, there’s a conflict that I run […]

 

Citibank card cancellations are likely due to Sam’s Club

So says Gartner analyst Avivah Levitan, as reported in Computerworld. Much has been made recently about a purported “class break” of Citi’s ATMs. A class break being “an attack that breaks every instance of some feature in a security system”. The term was popularized by Bruce Schneier, in Beyond Fear, from which this definition comes. […]

 

Dear United

It would be so nice if you could put the same information on the web, the departures board, and the gate. I’d like to now say KTHXBY, but I can’t, because no one here seems to know when my flight is leaving. I know, you all don’t do a lot of business in Denver, so […]

 

The Emergent Field of War and Economics?

There’s a fascinating new paper available from West Point’s Combatting Terrorism Center, on “Harmony and Disharmony: Exploiting al-Qa’ida’s Organizational Vulnerabilities.” What I found most fascinating about the paper was not the (apparently) new approach of reading what the terrorists are saying to gain insight into their weaknesses, but its adoption of the language of economics […]

 

Direct Marketing Association opposes consumer right to see, correct information

Access and correction rights are something the DMA wants removed from the bill, Cerasale said. For one thing, it would be expensive for list brokers and compilers to set up procedures enabling consumers to access and correct data. For another, the same hackers who caused the breach could also change the data. Multichannelmerchant.com You can’t […]

 

Software That Works

Ethan Zuckerman did a great job of blogging from TED. The most interesting post for me was his summary of David Pogue’s talk: But he’s a big fan of the iPod and the “cult of simplicity”. Despite violating every rule of product design – going up against Microsoft, having fewer features, having a proprietary, closed […]

 

My Blogging Will Be Light

I’m on the road this week, here and there, with here being, well, illustrated and there being Seattle, at Microsoft’s Blue Hat event. Some things that I’m hoping to find some time to write about include: “Person to Person Finance” at the Economist (paywall) is fascinating, and I think there’s a fascinating question of if […]

 

British Columbia, More than 65,000 SINs, Dismal Process

The provincial government has auctioned off computer tapes containing thousands of highly sensitive records, including information about people’s medical conditions, their social insurance numbers and their dates of birth. Sold for $300 along with various other pieces of equipment, the 41 high-capacity data tapes were auctioned in mid-2005 at a site in Surrey that routinely […]

 

I am not a Probabilistic Polynomial Time Turing Machine; I am a Free Man!

In a jargon-rich yet readable essay (“Cryptographic Commitments”), David Molnar discusses the assumptions that he brings to his work as a cryptographer. It’s fascinating to me to see someone lay out the assumptions portion of their orientation like this, and I think readers can ignore the specifics and get a lot out of the essay. […]

 

Identity is Hard, Let’s go Shopping.

Kim Cameron, in the course of saying nice things about us (thanks, Kim!) says: “In my view, the identity problem is one of the hardest problems computer science has ever faced.” I think this is true, and I’d like to tackle why that is. I’m going to do that in a couple of blog posts, […]

 

What’s in a Name?

A rose by any other name might smell as sweet, but it would certainly be confusing to order online. Consistent naming is useful, but requires much effort to get right. In identity management, which I hadn’t thought of as closely related to taxonomies, Zooko has argued that names can be “secure, decentralized or human memorable […]

 

Economics of Detecting Fake ID

During 2005, the Vail Police Department alphabetized hundreds of drivers licenses, passports and other shoddy identification that will be incinerated at year’s end. Once the IDs come through the department’s doors, they’re gone for good, Mulson said. A liquor license allows bars to confiscate any ID that is fake or appears to be fake. Glendining […]

 

Your Apple-Fu Is Impressive!

Yesterday, DaveG posted “When OSX Worms Attack.” It’s some good analysis of the three Apple Worms: Safari/Mail Vulnerability: Far more interesting. This is a serious vulnerability that needs to be fixed. If you are a Mac user, I would at the very least uncheck ‘Open Safe Files’ in Safari preferences. I don’t understand why Apple isn’t […]

 

Medco (prescription drug service)/ 4600 people, birth dates, SSNs, drug info/lost laptop

Executive summary: Prescription drug benefits provider Medco employee loses laptop with Ohio government employee (and dependents) info. Waits six weeks to let Ohio know. Ohio complains vociferously. Interestingly, the names of the affected individuals were not on the laptop. Money quote from a Medco spokesperson: You’re as efficient as the lessons learned in the last […]

 

John Robb on Big Bangs

In Big Bangs, John Robb uses complex aircraft dynamics as a fascinating metaphor for society: If we look at today’s global environment we see a moderately unstable system. It is a relatively high performance system that is increasingly controlled by global markets. This explains why it is spreading so quickly. However, our drive towards a […]

 

Patents and Comments

The comments on “Patents and Innovation” and “New Products, Emerging from Chaos” have been really good. I want to draw your attention to them, because I’m impressed at how much has been added. I’m really enjoying the feedback, and the ability to continue a thread that’s emerged from a comment. I’m also curious what I […]