Shostack + Friends Blog Archive

 

Mangle those cell phones?

OK. Right off I am *not* advocating physical destruction of old recycled cell phones. This post (Mangle those hard drives!) at my primary security blog, ThreatChaos, got a lot of reactions when I suggested that physical destruction of hard drives was the best policy in lieu of a well managed data wiping process. That was […]

 

Several On MS Software

First, don’t miss the great series of posts on the “Excel 2007 Trust Center.” There’s some really good thought on security and usability in there. (While I’m at it, after two months of using ribbons, the idea of going back pains me. It really does. I had that “WTF did you do to my screen […]

 

On Terror and Terrorism

“Is There Still a Terrorist Threat” asks Foreign Affairs. Bruce Schneier considers “What the Terrorists Want,” and also offers up a useful roundup of “Details on The British Terrorist Alert.” In that details space, Phil offers up thoughts on what a “Temporary Flight Restriction” meant to his travel. Meanwhile Kung-Fu Monkey asks “Wait, Aren’t You […]

 

Blog finds

I’ve come across some blogs I find interesting. Maybe others will, too. Statistical Modeling, Causal Inference, and Social Science Weblog of a Syrian Diplomat in America Decision Science News Social Science Data and Software (SSDS) Blog SecuritySauce (Marty “Snort” Roesch’s blog) Plus, a special bonus non-blog: UCSB’s Cylinder Preservation and Digitization Project

 

Outsiders! Insiders! Let's call the whole thing off.

I have no idea whether outsiders or insiders are responsible for more losses, and while the topic is somewhat interesting, it seems to me to be something of a marketing-generated distraction. I’ve worked in environments where I am absolutely certain that insiders were the predominant threat, in environments where they probably were, and in environments […]

 

Are Things Out of Whack?

In North Dakota, the state agricultural commissioner, Roger Johnson, has proposed allowing () farming, and has been working with federal drug regulators on stringent regulations that would include fingerprinting farmers and requiring G.P.S. coordinates of () fields. “We’ve done our level best to convince them we’re not a bunch of wackos,” Mr. Johnson said. The […]

 

Air Safety: Terrorism and Crashes

There have been two fatal air accidents this week, one in Ukraine in which 170 people died, and one in Kentucky, in which 50 people died. In neither case is terrorism being blamed as I write this. The safety engineering that makes air travel so safe is astounding. The primary activities, from pilot training to […]

 

Poll: 58% approval rating for Bush among voting machines

WASHINGTON – Despite mounting public criticism of his administration’s handling of Iraq and the war on terror, 58 percent of voting machines approve of the way Bush is handling his job according to the latest poll by Shamby and Associates. This is in contrast to the 42% approval rating he has among human beings from […]

 

Hamming it Up

(or “The New York Times Gets Self-Referentially Ironic“) … he recognizes that plenty of people must think that rounding up friends and family members to go in on a thousand-dollar ham that he envisions hanging in his living room is crazy. But food lovers like him understand, he says. And in the end, the elaborate […]

 

Nasty, Poor, Brutish and Short: Somalia

Life in Somalia seems truly awful, and, like Hobbes, many are willing to turn to a very powerful government to fix it. See Ethan Zuckerman’s “Somalia Update,” which points to “The Path to Ruin” in the Economist.

 

Gloria Gaynor’s Threat Levels

At first I was afraid, I was petrified. I kept thinking I could never live without you by my side. But then I spent so many nights thinking how you did me wrong. I grew strong. Via Accordion Guy.

 

Mea Maxima Culpa

In posting yesterday about Debix, I should have disclosed that I have personal and financial relationships with the company. In addition, I was one of the 54 people in the test, and my fraud alerts did not set properly. I should have disclosed that as well. I apologize for the oversight. My thanks to Mr. […]

 

An Odd IDology

So over at the “ID Space,” jdancu (who I assume is John) writes some responses to questions I posted to Kim Cameron’s blog. The article is “Knowledge Verification In Practice…” Kim also has a response, “Law of Minimal Disclosure or Norlin’s Maxim?” Since this is part of a continuing conversation, let me summarize by stating […]

 

Who's next?

Now that ISS has been purchased by IBM? Or is consolidation not really happening?

 

40% of Fraud Alerts Don’t Propagate

[Update 3: I should have disclosed affiliations with Debix in this post. See “Mea Maxima Culpa.”] Debix is reporting that 40% of fraud alerts don’t propagate between all three major credit agencies. You remember those fraud alerts? They’re supposed to protect you from identity theft, right? Well, let me let you in on a secret. […]

 

Nick Szabo is on a Roll

When I started blogging, I wanted to say one interesting and insightful thing per day. I still do, and so say several things in the hopes that one of them is interesting. Nick Szabo, on the other hand, has apparently been storing them up, and is on a roll lately: “Book consciousness,” on the effects […]

 

New Airport Security Procedures

RyanAir of England is decidedly non-plussed by the UK security theater, and is threatening to sue. (Via Boingboing.) Remember, emptying the planes not only hurts the airlines, but when it pushes people to drive instead of fly, it kills people. Not in as newsworthy a fashion, but more people die driving than flying.

 

Breach numbers

I just got a response from North Carolina to my freedom of information request, asking for records pertaining to security breaches resulting in the exposure of personal information. North Carolina requires that such breaches be reported centrally. The data were sent in printed form, in a table obviously derived from a spreadsheet. I hope to […]

 

AOL data release fallout

AOL’s CTO has “decided to leave” the company, “effective immediately”, according to an email message sent to remaining employees by CEO Jon Miller. Additionally, CNet news reports that the researcher who posted the data, and the researcher’s supervisor (a direct report of ex-CTO Maureen Govern) have been fired.

 

Identity 2.1

Dave Weinberger absolutely nails why I worry about the whole Identity 2.0 plan, in “Anonymity as the default, and why digital ID should be a solution, not a platform.” If you know what Identity 2.0 means, you owe it to yourself to read this post. If you build Identity 2.0 platforms/solutions/best-of-breeds, you owe it to […]

 

Nothing To Fear Except Fear Itself

Last night, passengers on a Malaga-Manchester flight misbehaved until the airline took two “Asian” men off the flight. See “Mutiny as passengers refuse to fly until Asians are removed” in the Daily Mail. For me, this raises a number of questions, in no particular order: Why weren’t the unruly passengers arrested? Who was forcing them […]

 

Biometrics Enable Guilty Men to Go Free?

Don’t miss the picture that Jerry Fishenden paints in “biometrics: enabling guilty men to go free? Further adventures from the law of unintended consequences:” Outside, armed policemen, guard dogs and riot barriers prevent the curious crowds pushing too close. On the office rooftops – police marksmen. In the Victorian drains below the courtroom – boiler-suited […]

 

New (Oracular) Blogs

While we’re celebrating, let me tip the hat to three new bloggers: Mary Ann Davidson has a blog, confusingly headlined “Sandra Vaz Blog (en Portuguese!)” I suspect it’s a template issue, but then again, I’ve seen Mary Ann with–oh, I shouldn’t tell you what she put on her name badge at the Exec Women’s Forum […]

 

Happy Birthday to Us!

Emergent Chaos was launched two years ago today. My very first post was “Why Did Google Pop.” I could go through and talk about my favorite posts, but I’m more interested in your favorites. In the 2 years of operation, we’ve averaged just over 2.5 posts per day, and I think we’ve only been silent […]

 

Dell Batteries and Privacy?

Kip Esquire has a blog post about liabilities and restatements and product liabilities with an interesting twist for the capture-everything crowd: As for the costs of warning: How geographically diverse are the customers? How easy or difficult would it be to communicate the warning — would a press release be sufficient? Is the product likely […]

 

Ed Moyle is on a Roll

“Why’s Everybody Pissed at Consumer Reports?” and “Thoughts About OpenOffice” are both great posts.

 

Ruling issued in NSA wiretap case

The Permanent Injunction of the TSP requested by Plaintiffs is granted inasmuch as each of the factors required to be met to sustain such an injunction have undisputedly been met. The irreparable injury necessary to warrant injunctive relief is clear, as the First and Fourth Amendment rights of Plaintiffs are violated by the TSP. See […]

 

New Security Measures: Effective, Non-intrusive

Or not. The BBC reports that “10,000 bags misplaced at airports,” and a “Boy boards [a] plane without tickets (sic).” Meanwhile, here at home, we have a program that engages in behavioral profiling in some airports. How effective is it? The New York Times reports in “Faces, Too, Are Searched at U.S. Airports:” In nine […]

 

Voyager 1 passes 100 AU

Voyager 1 has passed 100 AU. It’s a stunning feat of engineering. (Story via Slashdot.)

 

"Faux" Disclosure

I wasn’t going to join the debate on relative merits of Dave Maynor/Johnny Cache’s disclosure of vulnerabilities in device drivers at Black Hat 2006, but Bruce Schneier’s post calling it Faux Disclosure, has annoyed me enough that I feel obliged to comment now. In particular he says: Full disclosure is the only thing that forces […]

 

Emergent Effects of Security Rules

In London, and apparently some other parts of Europe, you can no longer bring electronics on board, including laptops, which are this here Jazz Combo’s instruments of choice. It’s much worse for actual musicians, many of whom have antique and irreplaceable instruments which they usually carry on board. The NY Times reports in “Tighter Security […]

 

Birthday paradox bites FEMA

Via the SacBee: WASHINGTON (AP) – FEMA will replace locks on as many as 118,000 trailers used by Gulf Coast hurricane victims after discovering the same key could open many of the mobile homes. One locksmith cut only 50 different kinds of keys for the trailers sold to FEMA, officials said Monday. The article continues: […]

 

Choicepoint Correction

In response to “Choicepoint Spins off Three Businesses,” Choicepoint spokesperson Matt Furman sent the following: It is factually incorrect to describe ChoicePoint or its subsidiary, Bode Technology Group, as attempting to “amass a DNA database.” Bode’s clients are almost entirely government laboratories that are trying to solve crimes and identify victims as well as felony […]

 

Fear Wears Off: More UK Liquid Explosives Plot

As the shock and awe wears away, we learn more about what happened and why. Perhaps this plot was not about to go operational, as MSNBC reports that “U.S., U.K. at odds over timing of arrests.” Meanwhile, after years of debate over warrantless surveillance, the Washington Post reports that a “Tip Followed ’05 Attacks on […]

 

Amazing Circles

Amazing Circles is a photoset on Flickr. This is #2 in the series, “Cornflower Circle.” If you’re curious, there’s instructions on “How to create amazing circles.”

 

Clue me in?

I have to fly (from PDX to MDW) Sunday AM. Anybody flown domestically who can tell me what the real-world impact of the new rules has been in terms of delays at security? As Leslie Nielsen Lloyd Bridges might say, “I picked the wrong four days to go on vacation”. Updated: Lloyd, not Leslie. Thanks, Asteroid.

 

Marketing Points Fingers

Over at the CSO blog “Brand Loyalty Hinges On Security,” we learn that: In 2005, more than 52 million account records were reportedly stolen or misplaced, according to a study by CMO Council and Opinion Research. … “Security is what I call the 800-pound gorilla of reputation,” Jeffrey Resnick, EVP and global managing director of […]

 

Ryan Russel, A Sample Please

Over at the Open Source Vulnerability Database blog, we learn that Ryan Russel has won the “Oldest Vulnerability Contest.” It is in the interests of science that I ask how Mr. Russel was able to come from behind like this. And much as I like and respect Mr. Russel, it’s quite a last minute leap […]

 

Airline Threats: Nothing to Fear Except Fear Itself

I’m glad to hear that they caught a set of people with real plans and capabilities to carry out an act of mass murder. Too many of the recent groups arrested have fit better into the “round up some suspects” line of thinking. I don’t have a lot to add to FDR’s fine words, but […]

 

Performing Code Reviews

My co-worker Mike Howard has a really good article on “A Process for Performing Security Code Reviews” in IEEE Security & Privacy. It’s chock full of useful advice.

 

RFID IED QED

Is that enough acronyms yet? In Adam’s previous post, Justin Mason commented: There’s another danger of this — even if the number is an opaque ID, the *presence* of the RFID chip means that an attacker can remotely detect the presence of an I-94, therefore a foreign passport, therefore a tourist ripe for a mugging […]

 

The Assignment of a Mandatory Identifier

So two stories came out recently, and they’re connected by a thread, which is the assignment of identifiers. The first was in Government Computer News, “IG: U.S. Visit RFID needs better security controls,” which opens: The RFID on the Form I-94s was designed with privacy protections, the inspector general said. Specifically, the RFID tag, which […]

 

Attack of the Clones?

EKR is the voice of reason when he points out that of course RFID passports are clonable, when he responds to all the press brouhaha about, Lukas Grunwald’s demonstration at Black Hat showing that an RFID passport can be duplicated using off the shelf parts. This outcome is hardly surprising, this is yet another side […]

 

AOL search records 'research'

Most readers will have read by now of America Online publicly releasing a large sample of search records. From the README supplied with the data: The data set includes {AnonID, Query, QueryTime, ItemRank, ClickURL}. AnonID – an anonymous user ID number. Query – the query issued by the user, case shifted with most punctuation removed. […]

 

Emerging from Network Black Holes

Sorry about the downtime. The fine folks who host this blog for us have been having hardware troubles. They’re swapping components around, and we hope it all heals up soon. Photo: Waiting to Breathe, from Stock.xchng.

 

Transparency Is Good for the Soul (of Our Profession)

In “Legislating Virtue,” Phill takes me to task for being unclear in “So, this, ummm, friend of mine, umm has a problem with security.” That’s fair. I’ve been saying similar things a lot, and I forget that I need to back up and frame it from time to time. Phill spends a lot of his […]

 

Dear Hooters Hotel, Las Vegas

Whadda ya mean, you won’t pre-fill the bathtub with jello? (Actually, I stayed at the San Remo for Defcon last year. It was a long walk, but walkable, to the Alexis Park, and it was a great little dive hotel. I did find the rent-a-cops roughing up the vagrant a little disturbing. Maybe now they […]

 

Dear Sandman Hotel, Vancouver

Thanks for understanding that after a day and a half hiking through Garibaldi Provincial Park, all I want is a quiet room that doesn’t cost an arm and a leg, and a shower. At first I shuddered at having a room between the elevators and the ice machine, but it was quiet as a tomb. […]

 

RSS vulnerable?

Well, yeah. Of course. The perfect storm for a new wave of attacks: 1. New protocol catching on fast that involves completely trusting clients. 2. Insecure servers maintained by inexperienced sys-admins. 3. A vulnerable RSS reader tied directly to the OS. (Can you say IE7.0?) A report out of SpiDynamics at BlackHat this week: Attackers […]

 

The butler did it

There’s a feeling you get when you watch a formulaic movie. After seeing a half-hour’s worth, you just know how it will end. You can see the decision points characters reach, and you know they’ll make the bad choice. Indeed, the very predictability of such films is what allows hilarious parodies such as Airplane! or […]

 

Dear Fairmont Hotel Vancouver,

Please stop sucking. For $250 a night, give me a shower which doesn’t fluctuate in temperature and pressure. Give me a door which keeps out hallway noise and light. Don’t have your cleaning staff re-arrange my things so your things (like the room-service menu) can take up space on the desk I rented from you. […]

 

When Security Systems Attack

A £40,000 teddy bear formerly owned by Elvis Presley was destroyed when a guard dog which was supposed to protect it went on the rampage. “Dog chews its way through Elvis’ £40,000 teddy.” Photo, “Elvis With Teddy Bear” is not the bear that was destroyed, but is a better picture. Thanks Nicko!

 

RFID Passport Security Clarified

Not that it needed clarification. RFID passports have been a boondoggle without a purpose for a long time. It’s been clear that they make us less secure. Now it turns out they can be easily cloned: A German computer security consultant has shown that he can clone the electronic passports that the United States and other […]

 

Metricon 1.0

Yesterday at Metricon, Gunnar Peterson felt a need to mock me over not blogging from the conference. I really enjoyed Metricon. There was a lot of good discussion, and because Dan Geer took extensive notes, I didn’t have to. I was able to pay attention and consider the talks as I heard them. Gunnar, however, […]

 

Macintosh Genuine Advantage™

See “Mac OS X Server Firewall Serial Hole:” …What they haven’t noticed yet is Mac OS X Server 10.4 overrides an explicit administrator firewall security setting to keep its copy protection functional. OSXS 10.4’s “Server Admin” lists “Serial Number Support” on UDP port 626 under its firewall pane, with an option to turn it off. […]

 

So, this, ummm, friend of mine, umm has a problem with security

In a comment on “Drowning In Notices,” Phill Hallam-Baker writes: My concern was that if the warning notices become too familiar they lose their impact. It might not just be the case people get blase about seeing them, they might lose their embarrassment in sending them. I don’t think people should be more embarrassed about […]

 

Anyone Can Be An Expert, All It Takes Is…

In “More Thoughts On Blogging,” Richard wrote about the upsides and downsides: The upside, there’s great information, the downside, there’s more to sift through. It feels to me, before I run to Metricon, that that’s exactly the value: The filters are in everyone’s hands. You do have to look at more, but in doing so, […]