Shostack + Friends Blog Archive

 

ID Theft and the 18-24 Set

Matt Rose has an interesting post, “What is Higher Education’s Role in Regards to ID Theft?:” A recent study by the US Justice Department notes that households headed by individuals between the ages of 18 and 24 are the most likely to experience identity theft. The report does not investigate why this age group is […]

 

EU Courts Rule Against PNR Sharing with USA

The European Court has ruled the US/EU treaty on data sharing around air travelers is not legal. (I’m not saying “about air travelers” because I read Ed Hasbrouck, and thus know that PNRs contain data on more than just the travelers.) That’s not why I’m posting. I’m posting because of this choice quote from the […]

 

Words of Wisdom

We live in a society of laws. Why do you think I took you to all those “Police Academy” movies? For fun? Well, I didn’t hear anybody laughin’, did you? — Homer Simpson, “Marge Be Not Proud”

 

(Adam In Seattle)

I’m in Seattle this week for some work-related stuff, and have some free evenings. If you’re in Seattle and would like to get together, drop me a note.

 

The SSN Is Also A Poor Identifier

There’s an idea floating around that a major problem with SSNs is their dual use as identifiers and authenticators. (For example, Jeremy Epstein, “Misunderstanding the risks of SSNs,” in RISKS-24.29) This is correct, but the phraseology leads to people trying to solve the problem by saying “if we just used SSNs as ID numbers, and […]

 

Maybe they can borrow a few million from the IRS

[T]he VA’s inspector general, George Opfer, said that the agency had been unable to formally notify the affected veterans because “we don’t have 26 million envelopes.” via the Bradenton Herald Now that the funny part is out of the way… Asked the cost for preventing and covering potential losses from identity theft, [VA Secretary] Nicholson […]

 

Compartmentalization of Identity

Kim Cameron has a post, “IBM Researcher Slams UK Identity Card Scheme” in which he writes: He couldn’t be more right. My central “aha” in studying the British government’s proposal was that the natural contextual specialization of everyday life is healthy and protective of the structure of our social systems, and this should be reflected […]

 

Jangl, Private Phone Numbers

SiliconBeat has a story, “Jangl’s new angle on phone calling:” Jangl is a new phone service that, initially anyway, will allow people to anonymize their phone numbers the same way they can their email addresses when posting on places such as craigslist. When you sign up with Jangl, you get access to disposable phone numbers […]

 

Illinois credit freeze now law

Public Law 094-0799 now allows Illinois residents to have a freeze applied to their credit reports. The maximum fee (not applicable to those 65 and over) is $10.00. The law, according to a press release from the governor’s office, takes effect January 1, 2006. Look for other states to continue to pile on, now that […]

 

Sign Design

I came across this sign while I was attending a software design methodology course at an IBM building in London. After wondering several times why each time I tried to go to the toilets I ended up in the restaurant, I looked carefully at the sign. Which way would you go at a glance? Which […]

 

A small, but hopeful sign in state breach legislation

A bill sits on Illinois governor Rod Blagojevich’s desk. If he signs it, Illinois will take a step toward meaningful central reporting of breach notifications: 5 (815 ILCS 530/25 new) 6 Sec. 25. Annual reporting. Any State agency that collects 7 personal data and has had a breach of security of the system 8 data […]

 

Marketing Privacy as a Feature

Paxx Telecom has issued a press release that they’ll hand over records only when given a court order: The recent revelation first made by USA Today that the National Security Agency (NSA) has been commandeering phone records of tens of millions of ordinary Americans has shocked those who cherish their privacy and do not agree […]

 

Never say die?

I’m not sure what to expect out of this story of a guy who, left behind in a crazed state and presumed to have died, overnighted above 8000 meters on Everest and was found alive the next day, prompting a rescue effort expected to take three days. (Note that this is a different climber from […]

 

Make that 12% of Adults

Rob Lemos convinces me that the better number is “One in 8 (or 9) Americans.” I buy his statement as long as we discuss adults, rather than Americans. Kids are at risk from ID theft, too, even if this incident doesn’t touch them. (Assuming none of the vets has an overlapping SSN, a stolen SSN, […]

 

8.9%

8.9% of Americans are at increased risk for ID theft due to that fellow at the veterans administration. Wow. Sure, the 13% at risk for account take-over from Cardsystems was bad, but that was just credit cards. This is about the databases that control our lives. This is horrendous. Maybe we’ll get some better laws […]

 

"Encryption is hard, let's go shopping!"

On upcoming changes to the Payment Card Industry Data Security Standard: “Today, the requirement is to make all information unreadable wherever it is stored,” Maxwell said. But this encryption requirement is causing so much trouble for merchants that credit card companies are having trouble dealing with requests for alternative measures, he said. In response, changes […]

 

Voting Registration Fraud

One of the motivators often discussed for voter ID card requirements is voter registration fraud. I believe that ID card requirements are like poll taxes, and are not justified. I believe that they’re not justified even if they’re free, because of personal privacy concerns, regarding addresses. You know, like Gretchen Ferderbar had before her 911 […]

 

Sitting on the Fence

Last week Dan Gillmor talked about Verisign’s monopoly wishes, stating: This deal would be great for VeriSign, but terrible for the marketplace. It would consolidate one company’s control over an essential part of the Internet infrastructure. Is the sky falling? I don’t think so. This sounds a whole lot like before GeoTrust was launched. GeoTrust […]

 

Blogrolling Kim Cameron

I’ve added Kim Cameron’s Identity Blog to the blogroll. There’s a great post “Inebriation and the Laws of Identity” about what happens to you when you’re not firm and resolved about when you hand over your ID. Hint to Paul Toal: The data is used for fraud prevention, and will stay in their databases forever. […]

 

The Human Element

In one of the soon-to-be countless articles about the VA Incident, Network World’s Ellen Messmer writes: The sad irony in all this is that there are many at the VA who have worked hard to design and install network-based security. But in the “multiple layers of security” everyone is so fond of discussing, the human […]

 

Counting In Background Checks

There’s some fascinating presentation of numbers in the BBC’s “Criminal records mix-up uncovered:” Education Secretary Alan Johnson told the BBC only 0.03% of the nine million “disclosures” the agency makes had been wrong, so the issue had to be put “into context”. He is so right! Let’s put those numbers in context, shall we? The […]

 

Restaurant Recommendation: Queen Sheba, Seattle

Not only was the Ethiopian food at Queen Sheba quite good, but when I went back, they had my jacket, and my somewhat expensive camera was still in the pocket. Doubly recommended. Queen Sheba is at 916 East John St, a block from Broadway, 206-322-0852. Thanks to W. for introducing me. [Updated to fix spelling. […]

 

Vulnerability Markets: Under a Cloud

After some great conversation with Ryan Russell in the comments to “Economics of Vulnerabilities: Markets,” I saw Pascal Meunier’s “Reporting Vulnerabilities is for the Brave:” So, as a stubborn idealist I clashed with the detective by refusing to identify the student who had originally found the problem. I knew the student enough to vouch for […]

 

Personal Data on 26,500,000 Veterans Stolen (Including SSNs)

Personal data, including Social Security numbers of 26.5 million U.S. veterans, was stolen from a Veterans Affairs employee this month after he took the information home without authorization, the department said Monday. The material represents personal data of all living veterans who served and have been discharged since 1976, according to the department. The information […]

 

911 Dispatcher Kills Woman by Abusing Database

An emotionally disturbed 911 emergency dispatcher abused his access to the call center’s databases while tracking his ex-girlfriend and her new boyfriend before murdering both of them. See Declan McCullagh, “Police Blotter: 911 dispatcher misuses database, kills ex-girlfriend,” which covers the court case stemming from a 2003 shooting, described in “Job loss tied to fatal […]

 

Breach round-up

Ohio University I: On Friday, April 21, the FBI advised the Technology Transfer Department at Ohio University’s Innovation Center that a server containing office files had been compromised. Data on the server included e-mails, patent and intellectual property files, and 35 Social Security numbers associated with parking passes. Ohio University II: 300,000 alums and friends. […]

 

Homeland Security Privacy Office Slams RFID

Via Kim Cameron (“Homeland Security Privacy Office Slams RFID Technology“), I read about “The Use of RFID for Human Identification.” This is an important report. The money quote is useful because it comes out of DHS: Against these small incremental benefits of RFID are arrayed a large number of privacy concerns. RFID deployments’ digitally communicated […]

 

Dear TSA,

You’re incompetent. We don’t trust you. Please stop wasting our time. Love, El Al Israel Airlines. No, really. Ok. Maybe the quote isn’t precisely their words, but that’s the message. See “El Al wants to do its own bag screening at Newark airport.” (Via Gary Leff.)

 

ID Theft, meet IRS

One of the things that makes building secure products such a challenge is how hard people will work to steal. Clever criminals who come up with new attacks will spread them around. Today’s attacks often seem to center on identity. “Identity” seems to be hard-wired into our brains (or at least our society) as a […]

 

Economics of Vulnerabilities: Markets?

When I drew that picture for Don Marti, he suggested a market in software vulnerabilities. People who had invested in knowledge about a program could then buy or sell in that market. I think that the legal threats and uncertainties are probably sufficiently market-distorting to make such a market hard to operate and hard to […]

 

The French Chef Model Of Intellectual Property

For the week since Brad Feld published it, I’ve been trying to find something to enhance “Norms-based IP and French Chefs:” Norms-based IP systems are an alternative (or a complement) to legal based IP systems. The Case of French Chefs is a superb example of how this works. If you care a lot about IP […]

 

6th Workshop On Privacy Enhancing Technologies

We’ve announced the program for the 6th Workshop on Privacy Enhancing Technologies, and space is still available for registrants. The program is so cool that I’m not going to try to summarize it, but rather quote Kim Cameron (“SEE IF YOU CAN MAKE PET 2006“): Here’s one conference I definitely won’t miss. I’ve been lucky […]

 

Cartoon

Chickweed, thanks to Xeger.

 

President Bush Calls for National ID Card

[Bush] also proposed to cut back on potential fraud by creating an identification card system for foreign workers that would include digitized fingerprints. He said that a tamperproof identification card for workers would “leave employers with no excuse” for violating the law. Of course, that means the rest of us will need the cards, too, […]

 

The Internet Channel, at Risk

Lack of trust in online banking among U.S. consumers is a serious constraint because of doubts about banks’ security measures, according to eMarketer’s new report, “Online Banking: Remote Channels, Remote Relationships?” The result is a slowing rate of adoption, with online banking households increasing by only 3.1% in the last quarter of 2005 — the […]

 

An Apollo Program for our times

Teach Florida’s alligators to feed on sharks. Unfortunately, this would deprive CNN of much of its material, so they will oppose it strenuously.

 

US reporters under surveillance

Looks like the Bush administration is tracking reporters’ phone calls. Also, the FBI admits that it uses the Patriot Act to obtain journalists’ phone records in an attempt to determine to whom they have been speaking. Read more here and here, from an ABC News reporter who has received some “attention” from the government. Photo: […]

 

Economics of Vulnerabilities

Lately, I’ve been playing with an idea. Work by both Microsoft and certain open source projects has made finding and exploiting vulnerabilities in their code substantially harder. So, the effort needed to find a vulnerability has gone up. The effort needed to build a working exploit has gone up. Thus, the willingness of a vulnerability […]

 

Happy Mother’s Day!

“The NSA would like to remind everyone to call their mothers this Sunday. They need to calibrate their system.” (Quip from Bruce Schneier, poster by Tom Tomorrow, for RSA Data Security, at archive.org.)

 

That didn't take long

Verizon is facing a $5 billion lawsuit over its alleged law-breaking. The NYT reports today that this suit may actually involve as much as $50 billion in damage. Previously, a $20 billion suit had been filed regarding the aspects of the NSA program that had become publicly-known in December. Interestingly enough, when you don’t take […]

 

Two Minutes Hate: Choicepoint

This is: the snooping into your phone bill is just the snout of the pig of a strange, lucrative link-up between the Administration’s Homeland Security spy network and private companies operating beyond the reach of the laws meant to protect us from our government. You can call it the privatization of the FBI — though […]

 

Tip of the iceberg

A former intelligence officer for the National Security Agency said Thursday he plans to tell Senate staffers next week that unlawful activity occurred at the agency under the supervision of Gen. Michael Hayden beyond what has been publicly reported, while hinting that it might have involved the illegal use of space-based satellites and systems to […]

 

NSA Call Tracking Legality

There are times you just have to defer to the lawyers. So I shall. Orin Kerr, “Thoughts on the Legality of the Latest NSA Surveillance Program,” (his blog) then later, “More Thoughts on the Legality of the NSA Call Records Program” (at Volokh, it’s keeping him up at night!) and “How The Latest NSA Surveillance […]

 

DaveG On Apple Security Advisory

So if you have a Mac, you really want to open software update now. You can read about Apple Security Update 2006-0003 after you’ve installed it and the Quicktime patch. In “Apple Security Update RoundUp,” DaveG explains: So, in short, without the latest update, OS X is secure as long as you don’t look at […]

 

Metricon

Because of the lack of proceedings, we have removed the no-dual-submission rule. That is, work submitted elsewhere is ok. Best: Submit a short position paper or description of work done/ongoing. Your submission must be no longer than five (5) paragraphs or presentation slides. Author names and affiliations should appear first in/on the submission. Submissions may be […]

 

Cell phone records market seemingly no longer important?

Massachusetts Congressman Ed Markey asks Dennis Hastert whether legislation protecting mobile phone users’ privacy has been sent to a “legislative ‘Guantanamo Bay’” in order to modify it so that intelligence gathering activities analogous to those affecting land lines would be unimpeded.

 

"NSA Has Massive Database of Americans’ Phone Calls"

The National Security Agency has been secretly collecting the phone call records of tens of millions of Americans, using data provided by AT&T, Verizon and BellSouth, people with direct knowledge of the arrangement told USA TODAY. The NSA program reaches into homes and businesses across the nation by amassing information about the calls of ordinary […]

 

Alberta Driving Law

Members of an Alberta Hutterite colony have won the right to carry driver’s licences that don’t carry their photographs. The Wilson Colony, near Coaldale, 12 kilometres east of Lethbridge, took the province to court after the government introduced a new licence that must have a driver’s photo on it. The colony argued in a Lethbridge […]

 

Data Surveillance Workshop

On June 3, 2006 Harvard University’s Center for Research on Computation and Society will hold a day-long workshop on Data Surveillance and Privacy Protection. Although there has been significant public attention to the civil liberties issues of data surveillance over the past few years, there has been little discussion of the actual techniques that could […]

 

Half empty

I think Adam is too kind to Arizona’s new breach law. My issues have to do with how various elements of the law might be interpreted: “materially compromises”: Maybe I am reading too much Sarbanes-Oxley stuff and my sense of what constitutes materiality has been warped, but I would need to be reassured that this […]

 

Spammers Win? 6Apart Loses? TrackBacks are Off

To a first approximation, all inbound trackbacks here have been spam for a while. As such, they’ve been turned off, and I’ve now made that official by turning them off in the MT layer, so you should no longer see trackback URLs. I thought about this a while back in “Trackbacks vs. Technorati?”

 

Breach Notification, the New Normal, and a New Metaphor

Ever wonder if banks are required to tell customers when their systems are hacked? You may be shocked to learn that they are not. Wow. Fifteen months since Choicepoint, and that’s being written? There’s a new set of expectations out there, and it hasn’t taken long to set. Thank you, Choicepoint. The quote leads an […]

 

On "Feds' Watch List Eats Its Own"

Ryan Singel opens an excellent article, “Feds’ Watch List Eats Its Own,” with a pertinent question. The article is worth reading for its enumeration of how the watch list catches senior military and State Department officials, who also can’t get off the list. It opens: What do you say about an airline screening system that […]

 

Apple’s Message

Over at Security Curve, Ed Moyle has some good thoughts on “the Gigantic ‘Bull’s Eye’ on Apple’s Forehead:” Now, I don’t know about you but I haven’t seen this kind of hubris since Oracle’s “unbreakable” campaign. Remember that? I do. I remember that at one point in time, most researchers ignored Oracle and pretty much […]

 

Here’s to you, New York

I’ve mentioned before that other than New York, only New Jersey requires that security breaches involving personal identifying information be reported centrally. I hazarded a guess at the time that, unlike NY, NJ would not respond favorably to a freedom of information request for such records, because the mandated reporting is to the state police, […]

 

Comments

Oops. My bad, I’d turned off comments on a bunch of posts. I think it’s fixed.

 

Free At Last!

“The United States said on Friday it had flown five Chinese Muslim men who had been held at the Guantanamo Bay prison to resettle in Albania, declining to send them back to China because they might face persecution. The State Department said Albania accepted the five ethnic Uighurs — including two whose quest for freedom […]

 

Code Name: Miranda

I admit it, probably ten or more years ago I actually signed up for a supermarket affinity card. Of course, I promptly lost it during the great migration to the suburbs, and for a good while I would simply claim to have left it at home and the cashier would cheerfully use a “store card”, […]

 

Threat Modeling The Library

In a long interesting article in Wired on “The RFID Hacking Underground,” I came across this quote: While it may be hard to imagine why someone other than a determined vandal would take the trouble to change library tags, there are other instances where the small hassle could be worth big bucks. The article went […]

 

Thoughts on Metricon

I was talking to a CISO friend recently about Metricon, and encouraging him or his team to submit a paper. He told me about a concern, which was that it sounded like we’re looking for “how do we give indications so we can pat ourselves on the back,” or “how can we terrify execs?” He’d […]

 

The Costs of Torture

I usually try to cut down quotes. This essay by Siva Vaidhyanathan in Slate’s Altercation is worth quoting at length: I was wondering something. Maybe somebody could help me out here. Yesterday a federal jury decided appropriately that this country shall not execute Zacarias Moussaoui, a wanna-be-mass murderer who also happens to be a mentally […]

 

Han Shot First: DVDs, Debugged.

In response to overwhelming demand, Lucasfilm Ltd. and Twentieth Century Fox Home Entertainment will release attractively priced individual two-disc releases of Star Wars, The Empire Strikes Back and Return of the Jedi. Each release includes the 2004 digitally remastered version of the movie and, as bonus material, the theatrical edition of the film. That means […]

 

Boarding Passes, Privacy, and Threat Models

There’s a great article in the Guardian, “Q. What could a boarding pass tell an identity fraudster about you? A. Way too much:” This is the story of a piece of paper no bigger than a credit card, thrown away in a dustbin on the Heathrow Express to Paddington station. It was nestling among chewing […]

 

The Teddy Bears’ Parachutes

IMABARI, Ehime [Japan] — A paint firm here is hoping to add color to wedding receptions in Japan with a new device it has jointly developed — a gun-shaped party [favor] that shoots out a teddy bear. Sunamiya, a paint firm based in Imabari, Ehime Prefecture, announced the development of the device, which blasts a […]

 

Some Government-Issued-ID is More Government-Issued Than Others

So Representative Julia Carson discovered when she tried to use her United States House of Representatives ID card to vote: Carson’s card does not have an expiration date as the new law requires of valid voter IDs, and Indianapolis poll workers tried to reach election officials before allowing the five-term Democratic congresswoman to cast her […]

 

Automated code scanners do have their uses

Slashdot is carrying the story of a rather large bug find in the X11 code. Judging by the patch, it looks like the problem was due to a lack of caffeine: if (getuid() == 0 || geteuid != 0) The OpenBSD code auditors seem to have found this one independently: This is one of those […]

 

Security Development Lifecycle, the Book

Michael Howard announces the imminent availability of his new book, “The Security Development Lifecycle” by Michael Howard and Steve Lipner: This time the book documents the Security Development Lifecycle (SDL), a process that we’ve made part of the software development process here at Microsoft to build more secure software. Many customers, press, analysts, and, to […]

 

High Assurance Certificates and the Fake NEC

So I’ve seen the story in a bunch of places, but something about Bruce Schneier’s posting on “Counterfeiting an Entire Company” made me think about certificates, and the green URL bar. In the name of NEC, the pirates copied NEC products, and went as far as developing their own range of consumer electronic products – […]

 

Time to Patch

Brian Krebs has a long article, “Time To Patch III: Apple,” examining how long it takes Apple to ship security fixes: Over the past several months, Security Fix published data showing how long it took Microsoft and Mozilla to issue updates for security flaws. Today, I’d like to present some data I compiled that looks […]

 

I Would Prefer Not

First, apologies to Kim Cameron for taking a while to get to posting this. Being at a conference in Montreal, I was distracted from in-depth blog entries. Go figure. Anyway, in a back-and-forth to develop a short explanation of Infocard, we are at: The relying party states what assertions it wants, the […]