Shostack + Friends Blog Archive


"Internet isolationism is bad for business"

Dan Kaminsky has a good essay on internet isolationism, which is his name for the opposite of net neutrality. It starts: Oh, sure, there’s UPS and DHL and the US Postal Service. But imagine if they were all proposing that, because people make money based on the contents of packages other people shipped, that they […]


Questions about 'Ignoring The "Great Firewall of China"'

Later today at the Privacy Enhancing Technologies workshop, Richard Clayton will be presenting a talk on “Ignoring the Great Firewall of China.” I’ll be the ‘session chair’ for the session, which usually means I make sure the speaker is in the room, has some slides on a computer, and knows how much time they […]


Indistinguishable from magic

The press release you won’t see. For Immediate Release CATAWBA COUNTY SCHOOL SYSTEM, June 26 — The Catawba County Public School System (NC) announced today that district web site administrators have remedied a configuration error which accidentally resulted in the social security numbers and names of several hundred students being made available via the popular […]


I’m Joining Microsoft

I’m very pleased to announce that I’ve accepted a position with Microsoft. I’ll talk in a bit about the work I’ll be doing, but before I do, I’d like to talk a bit about the journey that’s brought me here, and the change I’ve seen in Microsoft that makes me feel really good about this […]


More on Risk Tolerance

There’s a number of good comments on “Risk Appetite or Volatility Appetite,” and I’d like to respond to two of the themes. The first is “risk appetite is an industry-standard term.” I don’t dispute this. I do question if I should care. On the one hand, terms that an industry picks up and uses tend […]


Breach Roundup: 6/17 – 6/24

This week’s roundup is large. Rather than push other newish posts off the bottom of most people’s screens, it has been deemed preferable to prepend this introductory paragraph, at the bottom of which readers may elect to see more.


Proud Comments About Bank Spying

Over at the Counterterrorism Blog, Dennis Lormel writes “Initial Comments about Terrorist Financing and “The One Percent Doctrine”” and “U.S. Government Terrorist Financing Initiative Involving SWIFT:” …I was in the FBI in a leadership role responsible for terrorist financing. Immediately after 9/11, we realized we had to develop financial investigative methodologies different than anything we […]


Gartner to Google: Learn to read minds

Concerning a school district which misconfigured its web server and wound up posting student social security numbers for all — including Google’s spiders — to see, Gartner’s Avivah Litan weighs in: “They say the Internet is free and open, and you can’t stop them,” Litan said. “But they ought to scrutinize some of the content […]


SWIFT spies

The United States Treasury Department has had secret access to records maintained as part of the SWIFT system, which it has been using secretly for years to identify financial ties to terrorist entities. The Washington Post has more.


The FBI's Use of Data Brokers

Although the federal government and local law enforcement agencies nationwide use private data brokers, the FBI said that the practices used by these companies to gather private phone records without warrants or subpoenas are illegal, according to an Associated Press article on Chron.com. A senior FBI lawyer, Elaine N. Lammert, told lawmakers the bureau was still […]


Presentations and the Web

It’s easy to put presentations on the web, just like it’s easy to create them. Neither is easy to do well. I’d like to talk not only about good slide creation, but how to distribute a presentation in a useful way. It’s not easy to create good presentations, even when you have good content. Simson […]


Adam Travel Plans: Cambridge, England

June 26-July 1, I’ll be at the Workshop on Economics of Information Security, and then Privacy Enhancing Technologies next week. Mindless ranting on the blog will be replaced by mindless ranting over beer.


Risk Appetite or Volatility Appetite?

Over at “Not Bad For A Cubicle,” Thurston (who is always worth reading) manages to tickle a pet-peeve of mine in “A super-size risk appetite?” No rational business has a risk appetite. They accept risk. They may even buy risk in fairly explicit ways (some financial derivatives) if they think that those risks are mis-priced […]


Responsible Transparency?

Over at the ncircle blog, Mike Murray* takes me to task for advocating transparency, and argues for “Responsibility and Disclosure.” His argument is solid: We’ve had a “responsible disclosure” debate in the vulnerability research community for a whole lot of years – the point is simply that, while disclosure forces everyone to be responsible, sometimes, […]


The "Privacy-Enhanced Data Mining" Trap

The Associated Press pushed a story to the wires about the Data Surveillance workshop which I’d mentioned a while back: As new disclosures mount about government surveillance programs, computer science researchers hope to wade into the fray by enabling data mining that also protects individual privacy. Largely by employing the head-spinning principles of cryptography, the […]


Background Checks for Chemists, Too?

Is something a little off balance when we background check people trying to learn about computer security, but not chemists or nucular physicists?


Metricon: The Agenda

Andrew Jaquith has posted the Metricon Agenda. We had a lot of good papers, and couldn’t accept them all. (We’ll provide, umm, numbers, at the workshop.) If you’ve submitted a paper, you should have heard back by now. Thanks to all the submitters, and we look forward to seeing you at the workshop.


Happy Juneteenth!

I’m deeply in favor of holidays which celebrate freedom. We need more of them. Juneteenth, also known as Freedom Day or Emancipation Day, is an annual holiday in the United States. Celebrated on June 19, it commemorates the announcement of the abolition of slavery in Texas. The holiday originated in Galveston, Texas; for more than […]


Men Without Pants

To protect the rights of the official beer they were denied entry, so the male fans promptly removed their trousers and watched the game in underpants. The BBC asserts that up to 1,000 fans were told to strip off their orange pants in “Fans Lose Trousers to Gain Entry.” Markus Siegler, the control-freak in charge […]


Remembering the Maine

From Maine’s Public Law, Chapter 583, passed April 2006: Sec. 9. 10 MRSA §1348, sub-§5, as enacted by PL 2005, c. 379, §1 and affected by §4, is amended to read: 5 . Notification to state regulators. When notice of a breach of the security of the system is required under subsection 1, the information […]


Scottish and Procedural Liberty

In “Scots Crush Cars Over ‘Document Offenses,’” Rogier van Bakel writes about bad new UK law: Now cars can be seized and crushed if document offences are detected — and the region’s top police officer said yesterday a “clear message” is being sent to would-be offenders. … Tough new powers in the Serious Organised Crime […]


Avant-Garde: A game for three players

(From Bram Cohen and Nick Mathewson.) The players are three reclusive artists. Their real names are Anaïs, Benoît, and Camille, but they sign their works as “A,” “B,” and “C” respectively in order to cultivate an aura of mystery. Every week, each artist paints a new work in one of two styles: X and Y. […]


Breach Roundup

Expedia/Ernst & Young, 250,000 CC, lost laptop. Ed Hasbrouck has a great analysis of Expedia’s privacy policy at “Expedia auditors lose laptop with customer credit card numbers.” Japanese telco KDDI, 4 million names, addresses, phone numbers, mechanism unknown. “KDDI Suffers Massive Data Leak.” Why is a Japanese telco owning up? New expectations. AIG (American Insurance Group), […]


Breach Roundup: "We’re From The Government" Edition

State of Colorado, 150,000 voter records, “missing.” “Records for 150,000 Colo. voters missing,” via Dataloss. State of Oregon, 2,200 tax records, ex-employee getting trojan’d by a porn site. “State says taxpayer files may have been compromised.” AP via Dataloss. Minnesota State Auditor, numbers about an unknown number of state and local employees, stolen laptops. “3 laptops […]


Breach Quickies

Well, now that America’s Finest News Source is getting into breach coverage, I guess I can move on. See “Hotels.com Information Stolen” in the Onion. Also, Nick Owen has some good analysis of the Ohio State comedy of errors in “Repurcussions of data loss at Ohio University.” I’m hoping Chris will cover the N+1 Ohio […]


There Will Be No Privacy Chernobyl

Ed Felten asks: What would be the Exxon Valdez of privacy? I’m not sure. I don’t think it will just be a loss of money — Scott explained why it won’t be many small losses, and it’s hard to imagine a large loss where the privacy harm doesn’t seem incidental. So it will have to […]


The New Transparency Imperative

…in the incident last September, somewhat similar to recent problems at the Veterans Affairs Department, senior officials were informed only two days ago, officials told a congressional hearing Friday. None of the victims was notified, they said. … “That’s hogwash,” Rep. Joe Barton, chairman of the Energy and Commerce Committee, told Brooks. “You report directly […]


Dear News Media,

Recently, you had a very interesting story on your web site. I left a browser tab open, so I could read it on the plane. But your very interesting story meta-refreshed itself so you could serve me more ads. Then the airport’s wireless portal showed up, and it stopped refreshing. And I couldn’t read your […]


Boycott Sivacracy!

I have a proposal for all British and American faculty who care about global justice: Please boycott me. Siva Vaidhyanathan asks that we boycott him in “A Modest Proposal: Boycott me.” I think it’s the best response I’ve seen to the British boycott of Israeli academics.


Prediction

A merchant is going to feel some pain from the FTC. Visa and MC are going to look bad for not talking about who this merchant is. Jun. 8–Federal officials cannot disclose what national merchant or merchants were involved in a recent debit card security breach that spurred at least two local banks to reissue […]


80% of Active Duty Military, 2.2 million SSNs

Social Security numbers and other personal information for as many as 2.2 million U.S. military personnel — including nearly 80 percent of the active-duty force — were among the data stolen from the home of a Department of Veterans Affairs analyst last month, federal officials said yesterday, raising concerns about national security as well as […]


Medical "Privacy" "Law"

Pop quiz time! What do you call a set of regulations that the government won’t enforce? HIPAA. In the three years since Americans gained federal protection for their private medical information, the Bush administration has received [nearly 20,000] complaints alleging violations but has not imposed a single civil fine and has prosecuted just two criminal […]


Is encryption worth it?

Gartner’s Avivah Litan says it’s better to spend money on encryption than on cleaning up after a data breach, according to a news report on her recent testimony before the US Senate. The problem? Gartner’s method in researching this claim, as best I can tell, relies on looking at a few high-profile cases. Sure, if […]


Volcano From Space

Don’t miss this stunning picture of the Cleveland volcano, in the Alaskan Aleutian Islands. You can click for the larger original at Astronomy Picture of the Day:


Breach Roundup

Where two organizations are implicated, the first is the one which collected the data, and the second (Ernst and Young, in this case) is the one that lost it. Texas Guaranteed Student Loan/Hummingbird, 1.3m SSNs, “lost equipment.” “Toronto firm at centre of security breach” Hotels.com/Ernst and Young, 243,000 credit cards, lost laptop. “Hotels.com customer info may be at risk” […]


How Damaging is a Breach?

Pete Lindstrom is looking at an important set of questions: How likely is it that a given breach will result in harm to a person? What’s the baseline risk? Data is nonexistent on these questions, which means we get to throw around our pet theories. For example, we know of 800 ID thefts from the […]


Jurisdiction as Property

Nick Szabo has a fascinating article on “Jurisdiction as property and peer-to-peer government.” I’m not going to attempt to summarize it, but will simply quote the opening: Modern civics and political science is often taught as an absurd dichotomy: that government is a “monopoly over the use of force” and that the absence of government […]


Small Bits of Chaos

“Los Angeles Consumers File Class Action Lawsuit Against Used-Car Dealer Drive Time For Allegedly Leaking Their Private Financial Information to Unauthorized Third Parties.” “Down To Business: Time To Get Tough On Security Slackers” Rob Preston in Information Week, “Perhaps if the VA secretary faced personal fines or jail time for that foot dragging, those security […]


The Persistence of SSNs, and The Persistence of Thieves

Pete Lindstrom, who knows a good phrase when he reads one, puts forward the claim that the theft of veterans’ SSNs doesn’t put them at increased risk of fraud. His basic argument is that there are a lot of people out there with access to lots of SSNs, and monetizing an SSN takes effort. He’s right. […]


Why Johny Can’t Precipitate

There’s a great story in Wired “Don’t Try This at Home,” about how our obsessions with terrorism and safety have destroyed the ability of our children to learn chemistry: The chemophobia that’s put a damper on home science has also invaded America’s classrooms, where hands-on labs are being replaced by liability-proof teacher demonstrations with the […]