Shostack + Friends Blog Archive

 

What Does Rumsfeld Need to Do To Be Fired?

Law prof. Marty Lederman explains (in great detail) that “Army Confirms: Rumsfeld Authorized Criminal Conduct:” On November 27, 2002, Pentagon General Counsel William Haynes, following discussions with Deputy Secretary Wolfowitz, General Myers, and Doug Feith, informed the Secretary of Defense that forced nudity and the use of the fear of dogs to induce stress were […]

 

Security Breach Roundup

State of Ohio, 7.7 million registered voter SSNs, dismal process. From “Ohio Recalls Voter Registration CDs” via Dataloss. Fifth Third Bank employee Marco Antonio Munoz, 74 pages of names of victims, dismal dependence on process, from “Internal theft of personal bank data rare,” in the Cadillac News. Someone’s PR department deserves a bonus for that […]

 

DoD Tricare Management Activity system, SSNs, credit card numbers, health info, 14K people

Via Army Times: The Pentagon said routine monitoring of the Tricare Management Activity’s public servers on April 5 resulted in the discovery of an intrusion and that the personal records had been compromised, leaving open the possibility of identity theft among the members affected. The information contained in the files varied and investigators do not […]

 

Big Brother Has Your Best Interests At Heart

So pay no attention to the thoughtcriminals who are not bored, and their ridiculous propaganda documenting “Abuses of surveillance cameras.” We all know that cameras never lie, film can’t be edited or mis-interpreted, the police would never use cameras to look in your bedroom window, and that the videos taken will be strictly controlled. Those […]

 

Live Free or Die: New Hampshire Rejects National ID

Be it Enacted by the Senate and House of Representatives in General Court convened: Prohibition Against Participation in National Identification System. The general court finds that the public policy established by Congress in the Real ID Act of 2005, Public Law 109-13, is contrary and repugnant to Articles 1 through 10 of the New Hampshire […]

 

Two on Presenting

“Making a (Power)Point of Not Being Tiresome,” in the LA Times, via Paul Kedrosky. But more usefully, “The Many Uses of Power Point”

 

Aetna insurance, 38K customers, names+SSNs, health info, stolen laptop

Report via Reuters. Aetna declined to say where this occurred or which law-enforcement agency they are working with, but it looks like the employer whose folks just got their PII exposed was the US Department of Defense. Stars and Stripes has the scuttlebutt from HQ: The laptop was stolen from an employee’s personal car […]

 

The Iron Fist in a Cute Glove

The BBC reports on Sweet Dreams Security in “Safe, Secure, and Kitsch:” A German artist is trying to change the way people think about security, by replacing barbed wire with heart-shaped metal, and pointed railings with animal shapes. Thanks to N. for the pointer.

 

Purdue University, 1351 applicants+students, SSNs, "unauthorized electronic access"

“Unauthorized electronic access”. Not sure if that’s a poorly configured web server, or what. Press release today. Happened in February. Notices sent at some unspecified time. Indiana only requires state agencies to disclose breaches, the law isn’t in effect yet, and the legislative and judicial departments aren’t considered state agencies. Quoth “Mark Smith, head and […]

 

Tony Chor on Presenting at MIX

Tony Chor has a good post on “Backstage at MIX06.” The effort that goes into a good presentation, including the practice, the extra machines, the people to keep them in sync, etc, is really impressive: Normally, when I do a presentation and demo, both the demos and the presentation are on the same machine. I […]

 

Montréal

I’m in Montreal at SIGCHI. (Pronounced “Kai.” Who knew?) I realize I haven’t gotten in touch with a slew of people I’d like to see. If you’re one of them, or think you’re one of them, or would like to be one of them, let me know!

 

Slippery Slope, Gaping Chasm and Torture

In February of last year, I told you about Lester Eugene Siler, a Tennessee man who was literally tortured by five sheriff’s deputies in Campbell County, Tennessee who suspected him of selling drugs. The only reason we know Siler was tortured is because his wife had the good sense to start a recording device about […]

 

Infocard: Have I Started a Trend?

After I posted “Infocard, Demystified,” I’m finding a whole lot of articles about it. Mario posted links to “A First Look at InfoCard” and “Step-by-Step Guide to InfoCard” in MSDN magazine, which are useful, but longer descriptions. In “What InfoCard Is and Isn’t,” Kim Cameron reprints an article from Computer Security Alert. So now I […]

 

Bin Laden Tape

Walid Phares summarizes the new Bin Laden tape at “New Bin Laden Tape: Ten Main Points,” and analyzes it in “Bin Laden’s ‘State of the Jihad’ Speech:” One more time Al Jazeera promotes an Usama Bin Laden speech. After airing portions of the Bin Laden audiotape al Jazeera posted large fragments of the “speech” on […]

 

Man Charged For Notifying USC of Vulnerability

Federal prosecutors charged a San Diego-based computer expert on Thursday with breaching the security of a database server at the University of Southern California last June and accessing confidential student data. A statement from the U.S. Attorney for the Central District of California names 25-year-old Eric McCarty as the person who contacted SecurityFocus last June […]

 

Homo Economicus?

Researchers have identified brain cells involved in economic choice behavior: The scientists, who reported the findings in the journal Nature, located the neurons in an area of the brain known as the orbitofrontal cortex (OFC) while studying macaque monkeys which had to choose between different flavours and quantities of juices. They correlated the animals’ choices […]

 

Have the Terrorists Won?

On Wednesday, officials closed down all security checkpoints at the Hartsfield-Jackson Atlanta International Airport when a “suspicious device” was detected in a screening machine. … All departing flights were stopped, and arriving flights were delayed 90 minutes, affecting 120 flights during the day’s peak travel time, according to the Associated Press. However, after two hours, […]

 

Imagine

I second Alec Muffett’s recommendation of ThePartyParty. In particular, the cover of Imagine is dumbfoundingly bittersweet. Happy Earth Day. [Image: NASA]

 

Statistics

In the latest in the ongoing saga of debit cards being reissued after a breach at an unnamed merchant, 3rd-party, or card processor, we learn that unless a crook stands a chance of getting caught, he’ll keep on stealing: These crooks get away with it, and that’s why they keep doing it. They’ve got about […]

 

Vengeful God Hurts Those With Demands

I forgot to blog this at the time, so will simply say that “Long-Awaited Medical Study Questions the Power of Prayer,” as reported in the NY Times and elsewhere, demonstrates that if there is a god, he prefers those who help themselves.

 

The law is an ass

Nevada is one of a small number of states that actually defines the term ‘encryption’ as used in its breach disclosure law. To wit: NRS 205.4742 “Encryption” defined. “Encryption” means the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to: 1. Prevent, impede, delay or disrupt […]

 

State disclosure laws

I’ve written up a comparison of what I believe to be all existing US state disclosure laws with regard to three loopholes that have been discussed by, among others, Rob Lemos and Bruce Schneier recently. I’m experimenting with Blosxom, so I posted this over here. The executive summary is all the state laws could use […]

 

How Low The Bar

The 2nd Circuit Court of Appeals upheld a ruling against a Ms. Cassano, who feared that providing her SSN placed her “in dire jeopardy of having her identity stolen,” refused to provide it, and was terminated. The decision states that “There is no doubt that laws requiring employers to collect SSNs of employees have a […]

 

Giant Elephants in London

The Sultan’s Elephant Theatre Show will be in London May 4-7. Eric Pouhier has photos of another event, or you can click the photo for his full-size image. Thanks to S. for the link.

 

US Travel ID to have RFID Readable at 25 feet

Declan McCullagh and Anne Broache have the story in “New RFID travel cards could pose privacy threat:” Homeland Security has said, in a government procurement notice posted in September, that “read ranges shall extend to a minimum of 25 feet” in RFID-equipped identification cards used for border crossings. For people crossing on a bus, the […]

 

Metricon 1.0 Call For Papers

MetriCon 1.0 – Announcement and Call for Participation. First Workshop on Security Metrics (MetriCon 1.0), August 1, 2006, Vancouver, B.C., Canada. Overview: Ever feel like Chicken Little? Wonder if letter grades, color codes, and/or duct tape are even a tiny bit useful? Cringe at the subjectivity applied to security in every manner? If so, MetriCon 1.0 may […]

 

"The Far Enemy"

I’ve been meaning to blog about “The Far Enemy: Why Jihad Went Global” by Fawaz Georges for quite some time. The book is a fascinating look at the internal debates of the various Jihadist sub-groups, and takes its title from an argument over targeting the “near enemy,” or local government, or the “far enemy,” […]

 

Infocard, Demystified

For every product, there are thousands of sentences which result in the reply “well, why didn’t you just say that?” The answer, of course, is that there are thousands, and often it’s not clear which is the right one. For me, the useful sentence is that ‘Infocard is software that packages up identity assertions, gets […]

 

What Would Jesus Compile?

Generally, when I talk about religion, it’s in the Emacs vs. vi sense. One of my RSS bookmarks contained a somewhat thought-provoking article about the similarities between the philosophy advanced by Free Software Foundation, and certain aspects of Catholic doctrine, and ‘Christian charity’ more broadly. It’s an interesting take on Open Source, and perhaps appropriate […]

 

Animal Farm

Animal Farm is a 30-acre family farm in Orwell, Vermont. We are certified organic for milk, butter, eggs, and hay and pasture. Some things you just can’t make up, because someone else already has.

 

Lady Liberty

These folks would like to put a monument to the Bill of Rights in every state. Clearly a better use of cash than a ginormous diamond in New York’s harbor.

 

Kudos to Avis

I happened to look recently at the little card that Avis puts in the cars of frequent renters. The idea is that you land, get to Avis, see your name on a board, and walk directly to the car with one fewer line to stand in. So as you drive away, the fellow who checks […]

 

I Bet He Failed The Background Check

Staff Sgt. Daniel Brown is having trouble getting on a plane. He’s apparently known to work in close proximity to terrorists: A Minnesota reservist who spent the past eight months in Iraq was told he couldn’t board a plane to Minneapolis because his name appeared on a watch list as a possible terrorist. Marine Staff […]

 

Internet Explorer Flaw, Transparency, and App Compat

“After IE Attacks, Microsoft Eyes Security Betas” is by Al Sacco at CSOOnline. He has a lot of good orientation and background. Then take a look at Mike Reavy’s “Third party solutions to the Internet Explorer CreateTextRange vulnerability.” Mike runs MSRC, and it’s a pleasant surprise to see him acknowledging customer fears with a post […]

 

Matt Murphy on Microsoft & Transparency

Microsoft needs to be much more transparent about the real nature of the threats customers are facing. Microsoft doesn’t patch phantom vulnerabilities that don’t exist or unrealistic science-fiction attack scenarios. Microsoft’s under-documentation of these vulnerabilities leaves those charged with deploying patches in a tough spot. You simply don’t know what the patches are for. It’s […]

 

British National ID

“You may have heard that legislation creating compulsory ID Cards passed a crucial stage in the House of Commons. You may feel that ID cards are not something to worry about, since we already have Photo ID for our Passport and Driving License and an ID Card will be no different to that. What you […]

 

Perspective on Brian Doyle, Background Checks

“We try to weed out those who pose a security risk,” Chertoff said in a briefing with reporters. “I don’t know … that background checks with people hired will predict future behavior.” Well, golly, Mr. Secretary, I don’t know…that either. So will you please cancel CAPPSIII/Secure Flight/Free Wheelchairs for Paraplegic Children, rather than invading the […]

 

Consumer-Grade RFID Analysis

In “Why Some People Put These Credit Cards In the Microwave,” the Wall St. Journal incidentally captures everything you need to know: Makers of products using RFID say privacy and security safeguards are being built into the chips to prevent abuses. MasterCard International says multiple layers of security are available to prevent MasterCard data from […]

 

Breach Notices Round Up

Because of the volume, I’m going to consolidate these: US Marine Corps/Naval Postgraduate School, 207,750 SSNs, dismal process. From Stars and Stripes, “Thousands of Marines may be at risk for identity theft after loss of portable drive,” via Dataloss list. Marines affected should know there’s an “active duty military” alert you can add to their […]

 

Palestinian TV and Regulatory Capture

There’s an article about the chaos of Palestinian TV on Wired News, “Live From the West Bank,” which starts: Helga Tawil Souri reclines on the couch at a friend’s house in the Palestinian West Bank, getting sucked into an Egyptian movie about a woman in an insane asylum. Right before the climactic face-off, though, the […]

 

Why trackback spam is bad

% prstat
   PID USERNAME  SIZE   RSS STATE  PRI NICE      TIME  CPU PROCESS/NLWP
 14135 nobody     16M   12M sleep   60    0   0:00:11 4.2% mt-tb.cgi/1
 14207 nobody     14M   11M run     55    0   0:00:08 4.1% mt-tb.cgi/1
 14203 nobody     14M   11M run     56    0   0:00:08 4.1% mt-tb.cgi/1
 14209 nobody     14M   11M run     54    0   0:00:08 4.1% mt-tb.cgi/1
 14215 nobody     14M […]
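The listing above is the whole point of the post: one mt-tb.cgi per incoming trackback, each a full Perl interpreter, and spammers send them by the hundred. The check a practitioner would want is a quick aggregation of a prstat snapshot by process name, so a swarm like this stands out from ordinary load. The script below is an added example, not code from the original post; its sample snapshot is constructed (the four mt-tb.cgi rows mirror the listing, the httpd and sshd rows are invented for contrast), the column layout is Solaris prstat's default, and the thresholds in flag_swarms are arbitrary choices.

```python
"""Aggregate a prstat(1M) snapshot by process name and flag swarms.

Added example, not from the original post. SAMPLE is a constructed
snapshot modelled on the listing in the post; the thresholds below are
arbitrary (assumptions, not anything the post specifies).
"""
import re
from collections import defaultdict

# Constructed sample: the mt-tb.cgi rows from the post plus two ordinary
# processes so the aggregation has something to compare against.
SAMPLE = """\
   PID USERNAME  SIZE   RSS STATE  PRI NICE      TIME  CPU PROCESS/NLWP
 14135 nobody     16M   12M sleep   60    0   0:00:11 4.2% mt-tb.cgi/1
 14207 nobody     14M   11M run     55    0   0:00:08 4.1% mt-tb.cgi/1
 14203 nobody     14M   11M run     56    0   0:00:08 4.1% mt-tb.cgi/1
 14209 nobody     14M   11M run     54    0   0:00:08 4.1% mt-tb.cgi/1
   812 webservd   22M   18M sleep   59    0   1:12:03 0.3% httpd/1
   103 root        9M    5M sleep   59    0   0:04:10 0.0% sshd/1
"""

# One data row of prstat's default output; header/total lines do not match.
LINE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<size>\S+)\s+(?P<rss>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<pri>\d+)\s+(?P<nice>-?\d+)\s+(?P<time>\S+)\s+"
    r"(?P<cpu>[\d.]+)%\s+(?P<proc>\S+?)/(?P<nlwp>\d+)\s*$"
)


def parse_prstat(text):
    """Return one dict per process row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        rows.append({
            "pid": int(d["pid"]),
            "user": d["user"],
            "state": d["state"],
            "cpu": float(d["cpu"]),
            "proc": d["proc"],
        })
    return rows


def summarize(rows):
    """Group rows by process name: instance count, summed CPU%, users seen."""
    summary = defaultdict(lambda: {"count": 0, "cpu": 0.0, "users": set()})
    for r in rows:
        s = summary[r["proc"]]
        s["count"] += 1
        s["cpu"] += r["cpu"]
        s["users"].add(r["user"])
    return dict(summary)


def flag_swarms(summary, min_count=3, min_cpu=10.0):
    """Names that appear many times AND together burn a noticeable share of
    CPU: the trackback-spam pattern. Thresholds are assumed, tune to taste."""
    return sorted(
        name for name, s in summary.items()
        if s["count"] >= min_count and s["cpu"] >= min_cpu
    )


if __name__ == "__main__":
    summary = summarize(parse_prstat(SAMPLE))
    for name, s in sorted(summary.items(), key=lambda kv: -kv[1]["cpu"]):
        users = ",".join(sorted(s["users"]))
        print(f"{name:12} x{s['count']:<3} {s['cpu']:5.1f}% cpu  users={users}")
    print("swarms:", flag_swarms(summary))
```

Feeding a live snapshot is a matter of `prstat -n 200 1 1 | python3 this.py` with the SAMPLE replaced by `sys.stdin.read()`; the same parser works on `prstat -a` output since the per-process rows are unchanged. The count-and-CPU pairing matters: a single busy process is normal, and many idle CGI processes are normal, but many processes of one name each pulling a few percent is what a trackback flood looks like.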

 

Market Efficiency from an Evolutionary Perspective

I missed this article when it first came out, but Andrew W. Lo’s “Market Efficiency from an Evolutionary Perspective” is fascinating and readable. The abstract: One of the most influential ideas in the past 30 years of the Journal of Portfolio Management is the Efficient Markets Hypothesis, the idea that market prices incorporate all information […]

 

Emergent Geodata about San Francisco

This Cabspotting project reminds me a lot of the Open Geodata work that Steve Coast is working on. The map, in particular, reminds me of their map of London. (Cabspotting via Boingboing.)

 

Metasploit blogging

“Official blog of the Metasploit Project.” Either you know who Metasploit is, in which case you’ve already clicked through, or you’re unlikely to understand their subject matter. PS to Vinnie: Where’s the Smallpox-making post?

 

"Security To The Core"

In a post titled “self-evidently wrong post title” “Blog Posts Do Not Include The Words ‘dizzying array of talent,’” Tom Ptacek points out that Arbor Networks has a blog. Jose Nazario’s “The Market-Driven (Vulnerability) Economy” post is pretty good. However, I think we need video of Dug Song reading this text, which in “News Flash: […]

 

Bad neighbor policy?

Many years ago, I needed to deploy a bunch of UNIX machines very quickly. When I created the golden system image, it included an ntp.conf file that pointed to a nearby public stratum 2 server not under my administrative control. This was dumb, because I could (and should) have just had my boxen chime against […]

 

Presidential Power, At Its Lowest Ebb

Attorney General Alberto R. Gonzales left open the possibility yesterday that President Bush could order warrantless wiretaps on telephone calls occurring solely within the United States — a move that would dramatically expand the reach of a controversial National Security Agency surveillance program. From the Washington Post, “Warrantless Wiretaps Possible in U.S..” It used to […]

 

Microsoft and Rootkits

Earlier this week, there was a story “Microsoft Says Recovery from Malware Becoming Impossible.” I’m not sure why this is news: Offensive rootkits, which are used to hide malware programs and maintain an undetectable presence on an infected machine, have become the weapon of choice for virus and spyware writers and, because they often use kernel […]

 

Deep Impact, Deep Analysis

The Nasa projectile that slammed into Comet Tempel 1 last year kicked out at least 250,000 tonnes of water. The figure comes from UK/US scientists on the Swift telescope, one of many observatories called on to study the US space agency’s Deep Impact event. Swift’s X-ray Telescope (XRT) saw the comet continue to release water […]

 

"Now war is declared — and battle come down"

The UK, having already abolished liberty, is now hard at work on abolishing any relevance Parliament might have. See SaveParliament.org.uk. In “Who wants the Abolition of Parliament Bill,” David Howarth writes: The boring title of the Legislative and Regulatory Reform Bill hides an astonishing proposal. It gives ministers power to alter any law passed by […]

 

DHS Spokesman Brian J. Doyle Arrested

The deputy press secretary for the Department of Homeland Security was arrested last night on charges that he used the Internet to seduce an undercover Florida sheriff’s detective who he thought was a 14-year-old girl, the Polk County Sheriff’s Office said. Brian J. Doyle, 55, was arrested at his Silver Spring home at 7:45 p.m. […]

 

2nd Underhanded C Contest Begins

This year’s challenge: ridiculous performance degradation. For this year’s challenge, imagine you are an application developer for an OS vendor. You must write portable C code that will inexplicably taaaaaake a looooooong tiiiiime when compiled and run on a competitor’s OS. The program is supposed to read a set of words on stdin, and print […]

 

Lab-Grown Bladders

I’m a little behind in posting this, but modern medical science can be so cool: US scientists have successfully implanted bladders grown in the laboratory from patients’ own cells into people with bladder disease. The researchers, from North Carolina’s Wake Forest University, have carried out seven transplants, and in some the organ is working well […]

 

Low-quality DATA

The other day, I wrote about the Data Accountability and Trust Act (DATA), which has been received well by consumer and privacy advocacy organizations. For example, “We’re pleased with the compromise ‘trigger’ language relating to when a business must notify individuals of a breach of their personal information,” said several privacy advocacy groups in a […]

 

Readability of Financial Privacy Notices

Federal regulators today released Evolution of a Prototype Financial Privacy Notice… The report’s release concludes the first phase of an interagency project […] to explore alternatives for financial privacy notices that would be easier for consumers to read, understand, and use than many of the notices consumers currently receive from financial institutions. These six agencies […]

 

Startup Opportunity: Revive Systems

My friend Robert Stratton has taken the CTO role at Revive Systems. He’s both a serial startup guy (Wheel Group and UUNet) and has been on the investor side at In-Q-Tel. We’ve spent some time talking about the technology, too, and it sounds very intriguing. The remainder of this post is his job description for their […]

 

Quick! Before the Trademark Lawyers Strike!

Get Pac Man for the Smartphone before it’s too late. Doubtless the lawyers will come in and remove this version, too. Because, you know, if they didn’t, Midway wouldn’t be able to make any money on Pac-man.

 

Better ID Theft Statistics: 3% of US households in first half 2004

The 2004 National Criminal Victimization Survey includes ID theft data, for the first time. From a CSOOnline blog post, “DOJ Study: ID Theft Hit 3.6M In US:” About 3 percent of all households in the U.S., totaling an estimated 3.6 million families, were hit by some sort of ID theft during the first six months […]

 

Competition among laws

Declan McCullagh writes cogently on the matter of national security breach legislation. His article makes many important points, and should be read widely. However, his overall thrust — that federal legislation is inferior to state legislation as a means of addressing security breaches — touches too briefly on an important point: we can have both. […]

 

HotSec, 31 July (Or, Vancouver is shaping up very interestingly)

HotSec is intended as a forum for lively discussion of aggressively innovative and potentially disruptive ideas in all aspects of systems security. Surprising results and thought-provoking ideas will be strongly favored; complete papers with polished results in well-explored research areas are discouraged. Papers will be selected for their potential to stimulate discussion in the workshop. […]

 

Google to Acquire Choicepoint

Mountain View, CA., April 1 /PRNewswire/ — Google today announced plans to acquire Alpharetta, GA based Choicepoint. Choicepoint, 2005 winner of the “Lifetime Achievement” Big Brother award, is a data warehouser which collects information on everyone it possibly can, and re-sells it widely. “Google’s mission is to “organize the world’s information and make it universally […]