2006 Underhanded C Contest
long unsigned int maxwordsize(char *inputFromStdIn) { long unsigned int tmpwordsize=0,maxword=1,i; for (i=0; i
In “SecureWorks Backs Out of Macbook Demo,” Brian Krebs writes: David Maynor, the SecureWorks researcher who was set to demonstrate how wireless driver flaws could be used to compromise an Apple Mac laptop, suddenly has been yanked from the ranks of Toorcon presenters. At around 12:50 p.m. PT, SecureWorks issued the following press release: “SecureWorks […]
Yesterday, Mary Ann Davidson had a fascinating post about the classics of Western literature. As usual for Mary Ann, the apparent basis of the post is really just exposition for her main point. In this case, the thrust of her post is the need for developers to have more training in secure coding at the […]
Social Security Administration officials believe computerization of files has contributed to their security. In the manual era, the applicant’s record was an individual ledger sheet. Thus if a person could get to the file drawer and then the ledger, he could check any record. Although entry to the files area was restricted by guards who […]
No free man shall be seized or imprisoned, or stripped of his rights or possessions, or outlawed or exiled, or deprived of his standing in any other way, nor will we proceed with force against him, or send others to do so, except by the lawful judgement of his equals or by the law of […]
Mike Cook, author of the ID Analytics report referred to in a recent Breach Tidbit post, has responded in the comments.
Stupid bills before legislatures seem to be a target-rich environment, which is to say, it’s hard to even say where to start. So allow me to offer a suggestion: California’s SB768 will slow RFID stupidity. Take a look at EFF’s fact sheet, and then, if you’re in California, call your local Governator, and tell […]
Ed Felten, who has been doing research into security issues with Diebold’s voting machines, is testifying today at a House Administration Committee hearing. He’s posted his written testimony on his website. Check it out. [Edit: Corrected the spelling of Ed’s name.]
Most readers of these words are probably familiar with at least one of the lists of data breaches commonly referenced in the media and in specialized blogs. Among these are Attrition.org’s Dataloss, and Privacyrights.org’s Breach Chronology. The ID Theft Center also maintains a list (available, it seems, only as a PDF), and various academic researchers […]
“Everybody personally and professionally that I know who is afraid to fly gets their hands on Xanax,” said Jeanne Scala, a psychotherapist in Roxbury, N.J., adding that she has seen an increase in patients and friends talking about taking medication for flying jitters. “They’ll do anything to take the edge off the anxiety of sitting […]
Our very own Chris Walsh was featured today on Dark Reading. In “Financial Firms Losing Data”, they profile Chris and his research using the Freedom of Information Act to better quantify the nature of privacy breaches in New York. The results may surprise you…
So part of Choicepoint’s settlement with the FTC was a $5m fund to compensate their victims. Now, there were 167,000 victims, of whom 800+ had their identities abused by fraudsters. None have gotten any money: Jessica Rich, assistant director of the FTC’s division of privacy and identity theft, said in a statement released to AP […]
Speaking of the differences between how security gets managed in the U.S. versus the E.U., CSO magazine has a light-hearted and somewhat irreverent article on the differing goals and priorities of audits on either side of the Atlantic. In spite of its tone, it does highlight some important issues to keep in mind. In particular: […]
In a comment on “What’s Next in Breach Analysis,” Ian Grigg pointed out the very interesting “Handling Security Breaches Under European Law:” There are as yet no direct equivalents of the mandatory security breach reporting legislation we have seen in the U.S., either at a European Union level or within Europe itself. That is not […]
So said William Gibson, and it is as true in breach notices as it is anywhere else. While only 34 US states have laws requiring these notices, we see organizations around the world sending them. They resonate as the right thing. Acknowledging and apologizing for your mistakes is powerful. (Hey, someone should mention that to […]
Photo credit: eecue.com
One of the things people would like to find out is how likely it is that improperly-revealed personal information will be used to commit real fraud. ID Analytics has done some research which they interpret as suggesting that even with focused attacks, where the bad guy is going after SSN and account information, the probability […]
Read “Google is Watching You” for the worksafe details. Via Sivacracy.
“Until Solaris became open, students were only interested in Solaris for the same reason they were interested in NextStep Unix — because it was this arcane, old-fashioned thing,” said Asheesh Laroia, a graduate student in computer science at Johns Hopkins University. Via NetworkWorld.
..’cause she’s Dunn! What’s the over/under on how long Hurd lasts? Image credit: progodess
I started this week asking “Is It Time To End the Breaches Category” and “What’s Next In Breach Analysis?” I talked about “Emergent Breach Research,” Chris talked about the theme of the “19th Annual FIRST Conference” including data being out of control. Arthur followed that up with “CSO Breach SOP == FUD?” and pointed out […]
I have read repeatedly, most recently at Bejtlich’s blog, that with the IBM-ISS and now Secureworks/LURHQ deals, Counterpane “must” be looking to get bought out. Why? As with management consultancies, could there not be room for a boutique that does one thing really well? Help me out, here.
I just received a response to my second Freedom of Information request to the state of New York. I’ll report on this more deeply soon, but in the spirit of breach analytics week, I wanted to throw out a couple of things, based on an extremely superficial examination of the approximately 285 pages I received, […]
This story just keeps getting more entertaining. “HP targeted reporters before they published.” They tried to install spyware on target’s computers, as CNET reported in “HP Spying More Elaborate Than Reported.” They engaged in physical surveillance of targets, as reported by the Washington Post in “Extensive Spying Found At HP.” And the Post reports that […]
Last month, CSO Magazine ran an article “Avoid a Meltdown: Reacting to a Security Breach.” The article had some great advice on breach handling, however as usual, the magazine resorts to scare tactics in order to get its point across. It is articles like this that give CSOs a bad reputation for not understanding business […]
The Forum of Incident Response and Security Teams (FIRST) has put out a call for papers for its nineteenth annual conference. The theme for 2007 is “Private Lives and Corporate Risk: Digital Privacy – Hazards and Responsibilities”. Full details at: http://www.first.org/conference/2007/call_for_papers.html FIRST 19th Annual Conference, June 17 – 22, 2007, Melia Seville hotel, Seville, Spain […]
I talk about research and next steps, but what do I mean? We’re starting to see academics taking a serious look at the data sets we’ve accumulated here and at Attrition, and that’s awesome. I want to see more papers like: “Notification of Data Security Breaches,” by Paul M. Schwartz and Edward J. Janger, forthcoming […]
Me calendar tells me it be Talk Like a Pirate Day! Yarrr!
I asked recently “Is It Time To End the Breaches Category?” I think we, amongst others, have driven real change in expectations. Organizations outside the US, not compelled by any law, have chosen to notify customers. (Examples include a Bank of Montreal laptop, the Government of British Columbia, KDDI, a Japanese phone company, the Bank […]
Looking back to February of 2005, that companies routinely lose control of data entrusted to them was known mostly to security professionals and enthusiasts. Breaches were swept under the rug, and the scope and breadth of the problem was unknown. Thanks to Choicepoint’s dedication to bringing about public debate on the issue, the outstanding reporting […]
There’s a fascinating discussion of the intersection of cryptanalysis, specification and flexibility, all of it stemming from yet another SSL attack by Bleichenbacher. The best posts are over at Matasano: Many RSA Signatures May Be Forgeable In OpenSSL and Elsewhere Mozilla Falls to RSA Forgery Attack RSA Signature Forgery Explained (with Nate Lawson) – Part […]
Real construction sites were transformed into LEGO-like universes, simply by adding a few colorful containers shaped as overdimensional LEGO bricks. Sometimes the marketing-driven designers’ spew irks me. “Transformed into Lego-like universes?” Please. It would be like security folks telling you we made your application/network/business secure. Via Guerrilla Innovation. I’d link more, but can’t find […]
Analysis shows that a small number of users have been impacted by this issue. Given the documented workaround, it may be addressed in a future service pack. Photo: Adam, the entrance to a Microsoft garage.
Ethan Leib blogs about being the victim of a fraudster: An individual in California posing as “Ethan Leib” (with phony ID to match) has been walking into branches of my bank across the state and taking all my money — despite a fraud alert on my accounts. They even stole thousands from my 6-week old […]
Metricon 1.0 papers and a remarkable digest are available at the security metrics web site. Dan Geer took extensive notes, and has turned them into a very useful document for those who weren’t able to make it.
In “Walt Disney World: The Government’s Tomorrowland?” Karen Harmel and Laura Spadanuta discuss how Disney has moved from finger geometry (to constrain ticket re-sale) to fingerprinting their customers. I think the most important bit about this is about the links between Disney and the government: Former Disney employees have filled some of the most sensitive […]
$50 Million Verdict for Violating Drivers’ Privacy in FL A Florida bank was required to pay $50 million in a class-action settlement resulting from violations of federal privacy law. Fidelity Federal Bank & Trust purchased 656,600 names and addresses from the Florida DMV for use in direct marketing. The purchase violated the Drivers Privacy Protection […]
Via Stupid Security, I learned of a gent whose T-shirt was deemed a security risk because it showed crossed pistols and could upset passengers. He was allowed to board the plane, but only after turning his shirt inside out. Good thing he wasn’t wearing a Zeppelin shirt. I guess Bush would be OK (ironic, given […]
It may seem hard to believe, but a nuclear-armed power has made peace with al-Qaeda. I know, with the Bush administration’s stunning competence, as demonstrated in the aftermath of Katrina, in keeping gas below a dollar a gallon, in containing Iraq while keeping North Korea from getting nuclear weapons, it’s hard to believe that they’d […]
See “Leak Scandal Costs HP’s Dunn Her Job.” [Update: It’s only her chairwoman job. Somehow the board members at HP don’t see action that leads to criminal investigation as all that bad. See Paul Kedrosky’s “HP Splits the Boardroom Baby,” which is an awful title for a great article. Solomon’s splitting of the baby was […]
If you’ve not been paying attention, HP’s Chairwoman hired private investigators who lied their way to the phone records of board members and journalists. HP then lied to the SEC about why Silicon Valley eminence Tom Perkins resigned from the board, and Mr. Perkins, being a standup guy, called them on it. If you haven’t […]
Eric Rescorla ties HP’s use of traffic analysis to that of the NSA in “I told you traffic analysis was useful.” Apparently, HP didn’t just chase down directors and reporters, but also the father of at least one journalist. See “HP Leak Investigation Extended Beyond Reporters, Directors.” (I say HP rather than HP’s investigators because […]
Pseudonymous contributor “DK”, of Josh Marshall’s blog expresses several worthy thoughts about national character with a brevity and nuance I envy: OK, I’ll admit to a bias here. I think the Netherlands is one of the best places on the planet. They have our entrepreneurial spirit, but with good taste. Like us, they have completely […]
It’s only with the understanding that privacy has many meanings that I can comprehend people on Facebook complaining about privacy. (People interested in this should read Alessandro Acquisti’s work.) That’s not what I wanted to post about. What I wanted to post about was the great way the CEO of Facebook took the wind out […]
The best posts I’m seeing are coming from Paul Kedrosky, who has posts like “Patricia Dunn Lectures on Corporate Governance” and “Playing Truth or Dare with HP’s Patricia Dunn,” and Robert Scoble, with posts like “HP Story Keeps Getting Worse” and “HP Has Major Ethical Problem, Day 2.” I’m using Scoble’s picture here. Don’t miss […]
So Chris’ post “Are they stupid, or just lying?” got me thinking. Chris was talking about the spectacle of the House voting to ban the sale of horsemeat. But he had this quote: Added Rep. Christopher Shays, R-Conn.: “The way a society treats its animals, particularly horses, speaks to the core values and morals of […]
The frequent loss of laptops and data disks by outside auditors in recent months has caused me to think about best practices for controlling auditors. The latest case involved the laptop of the auditor for Wells Fargo Bank. The laptop was stolen from the trunk of the auditor’s car and contained confidential information on bank employees. […]
On the recent House of Representatives vote to ban the slaughter of horses: “It is one of the most inhumane, brutal, shady practices going on in the U.S. today,” said Rep. John Sweeney, R-N.Y., a sponsor of the ban. Sweeney argued that the slaughter of horses is different from the slaughter of cattle and chickens […]
The Payment Card Industry Digital Security Standard, version 1.1, has been released [pdf]. This was widely anticipated, and has been remarked upon here at EC. A noteworthy change is that stored card numbers needn’t be encrypted: Compensating Controls for Requirement 3.4 For companies unable to render cardholder data unreadable (for example, by encryption) due to technical […]
Bob Blakely used to be fond of saying that privacy is the ability to lie and get away with it. To have to hide one’s name is considered deeply shameful. But with sectarian violence surging, Iraqis fear that the name on an identification card, passport or other document could become an instant death sentence if […]
Nick Owen brings us the story of how passengers on a Paris-Mauritius flight are suing Air France, because Bonnie Tyler sang “Total Eclipse of the Heart.” (He also brings us the headline, and the closing thought, “I assumed that first class was always filled with song. If the first class can’t sing love ballads, then […]
Bob Dylan’s latest album debuts at number one on the US charts.
EWeek has the story: Window Snyder has joined Mozilla as Security Chief. Congratulations all around. PS: Just when Window and I were gonna live in the same city, again, too. Bugger. PPS: Apparently, it’s from Mike Schroepfer’s blog post.
Via David Lazarus, writing about yet another lost laptop, this one belonging to an outside auditor working for Wells Fargo: “The auditor had this information because we are required by the Internal Revenue Service to have our health plans audited by independent, qualified public accountants,” said Julia Tunis, a Wells spokeswoman. “The auditor is […]
…I’ll beat it out of you: President George W. Bush’s proposal for trying suspected terrorists captured overseas would allow the use of evidence obtained by coercion and let judges bar defendants from hearings where classified evidence is discussed, a Senate Republican aide who has been briefed on the plan said. Or, as Firesign Theatre put […]
The New York Times has an article, “Some ID Theft Is Not for Profit, but to Get a Job,” about immigrants using other people’s SSNs so they can get jobs, and the impact that this has (because of the databases that run our lives): “All that was happening was that the illegal alien who had […]
From this photoessay, it appears that the seal Diebold places on its electronic voting machines doesn’t do a darn thing. It is possible to remove the card from which the thing boots, and replace it with one of your choosing, leaving no trace — the seal itself remains unchanged. Elapsed time, a bit over four […]
So John Gruber, who has written quite a bit on the whole did-they-didn’t-they spat between Apple and Dave Maynor and Jon Ellch, offers up “An Open Challenge to David Maynor and Jon Ellch,” offering them a Macbook if they can root it. I’d like to mention something that hasn’t happened lately. By not happening, it […]
Or, the times, they are a-changin’: To a certain extent I admire this. It’s a way of making the physical object worth more than the digital download. But it can also be seen as yet another example of DRM. In this case, the stronger DRM present on a DVD than the unprotected audio CD. The […]
In many cities, real estate agents have tried to restrict access to M.L.S. information or to limit its use on the database. Some have asked state legislatures to pass laws forcing brokers to offer certain levels of service, a move that Mr. Kelman [CEO of Redfin, an online brokerage] sees as intended to squeeze out […]
The Tom Sawyer kind, that is, known formally as Google Image Labeler: You’ll be randomly paired with a partner who’s online and using the feature. Over a 90-second period, you and your partner will be shown the same set of images and asked to provide as many labels as possible to describe each image you […]
Roger Cauvin has some really interesting points on “Requirements and Apple’s “Time Machine”:” CRUD requirements assume that users actually want to create, update, and delete information. But users don’t really want to create, update, and delete information. They want to access it to achieve some larger goal. Enabling the user to create, update, and delete […]
Various folks at Northwestern’s Medill School of Journalism have done some great work, which they call Data Dilemma: Privacy in an Age of Security. I was led to this by various stories about the US Department of Education feeding information on financial aid applicants to the DHS for five years without bothering to inform those […]
How can we resist blogging about Rudresh Mahanthappa’s latest album, as covered in “From Crypto to Jazz” at Wired News: To the uninitiated, modern jazz can sound like a secret language, full of unpredictable melodies and unexpected rhythms. For alto saxophonist Rudresh Mahanthappa, however, the idea of jazz as code is more than just a […]
A few weeks back, I corrected an error in a post about Choicepoint. Choicepoint also corrected an error, see “Job seeker loses opportunity after inaccurate background check” for details: “Well, first they said, ‘Something was wrong with your background check,’” she said. “I said, ‘What is wrong with it? What is wrong with my background […]
There’s been a great deal of talk around the London plot about the impact of the destruction of ten airliners. Senior US officials called it inconceivable. Now, destroying 10 planes might be murder on the scale of 9/11. It would certainly be shocking and despicable. I’d like to point out that the Iraqi people can […]