Shostack + Friends Blog Archive

 

Happy Halloween

                   Sometimes it’s OK to take candy from strangers.

 

Giant Waves

Chandler Howell has a great post about giant waves. He quotes extensively from “Monster Rogue Waves” at Damninteresting: More recently, satellite photos and radar imagery have documented the existence of numerous rogue waves, and it turns out that they are far more common than previously thought. During a three-week study in 2001, radar scanning detected […]

 

The Hugo Chavez Test for Voting Machines

At first I thought that the stories around Sequoia Voting Systems and Smartmatic having connections to Hugo Chavez were silly. I still do think that, but I also think that they’re coming out for an important reason: we have lost trust in the machinery of voting, and that is a criminal shame. The right to […]

 

On Printing Boarding Passes, Christopher Soghoian-style.

Yesterday, I blogged about Christopher Soghoian’s print your own boarding pass tool. Quite a few people (including the FBI) are taking the wrong lesson from this. Wrong lessons include “we shouldn’t be allowed to print boarding passes,” “we should check ID at the gate,” and “Christopher Soghoian should be arrested.” The right lesson is that […]

 

“You’re doing a heck of a job, Kip”

Sure, it’s all over the web, but you might be living under a rock, or in a reality-free zone, and have missed “Make Your Own Fake Boarding Pass” at 27b/6. The short version of the story is that someone has automated the process of creating your own fake boarding passes. Don’t worry, though, Osama isn’t […]

 

Risk Management Redux

Earlier this week, Mike Rothman took a swipe at Alex Hutton’s What Risk Management Isn’t by saying: But I can’t imagine how you get all of the “analysts and engineers to regularly/constantly consider likelihood and impact.” Personally, I want my firewall guy managing the firewall. As CSO, my job is to make sure that firewall […]

 

Health Care Privacy

Bob Sullivan has an article at Red Tape, “Health care privacy law: All bark, no bite?” and focuses on the lack of penalties. Two years ago, when Bill Clinton had heart surgery performed in New York’s Columbia Presbyterian Medical Center, 17 hospital employees — including a doctor — peeked at the former president’s health care […]

 

Congratulations to Counterpane and Bruce Schneier

Even though Chris got the news before me, I wanted to add my congratulations. I was involved in Counterpane very early, and made the choice to go to Zero-Knowledge Systems. I stayed involved on the technical advisory board, and was consistently impressed by the quality of the many Counterpane employees and executives who I met. […]

 

BT buys Counterpane

And so it continues…. Reuters has a few details. Unsurprisingly, Bruce Schneier also has a blog entry up on this.

 

Remembering the Hungarian Revolution

I like to celebrate moments of human freedom, even when they are not as successful as we would hope. And so, it’s worth remembering the Hungarian revolution against Soviet rule. Nick Szabo has a fine post about it, which started fifty years ago yesterday, and it was the featured article on Wikipedia yesterday, “The Hungarian […]

 

Long Term Impact of Youthful Decisions

There’s a fascinating article in the New York Times last week, “Expunged Criminal Records Live to Tell Tales” about how companies like Choicepoint which collect and sell public records don’t pick up orders to expunge those records. I didn’t have much to add, and figured the Times doesn’t need me to pimp their articles (they […]

 

Contactless Credit Cards Cracked

Well, calling it cracked implies encryption, or some semblance of security, of which there is none, according to the New York Times. In Researchers See Privacy Pitfalls in No-Swipe Credit Cards we learn that a team of folks from UMass Amherst and EMC/RSA tested a small batch of RFID Credit Cards from Amex, Visa and […]

 

A Very Silly Idea: #privacy, and poundprivacy.org

With recent data leaks at AOL, governments seeking information from Google on its users, and no simple user privacy solutions available, a standard for empowering user search privacy has finally been proposed. PoundPrivacy.org is spearheading a search privacy revolution with its proposed #privacy standard. Our proposal is that the #privacy flag could be added to […]

 

Diebold goes open source

Well, not intentionally. Seems that multiple versions of source code (including the one used to run the 2004 primaries in Maryland) were delivered anonymously to a former legislator who has been critical of Diebold. Note that this is not the same source examined by Avi Rubin, et al., and found wanting from a security perspective. […]

 

Gettin’ Real Security? No.

I came prepared. I knew I would be walking in to the lion’s den with my spartan Thinkpad running Windows and Ubuntu. Sure enough there was an eerie sea of glowing white Mac logos in the conference room which reminded me vaguely of Wyndham’s Midwich Cuckoos. I surreptitiously covered the IBM logo with a white […]

 

Use The Logo Luke

“Decaf” over on DeadBeefCafe, relates the story of a colleague whose response to yet another virus outbreak is to convince management to purchase Macintoshes, with the following justification: We’re going to buy Mac Minis and run Windows on them because Macs aren’t affected by these security problems. Decaf breaks down the several fallacies of this […]

 

Star Wars Spoof video

Click the picture to be taken to Google video. (Don’t forget to remove the flash cookies when you’re done.)

 

A Picture (or Three) Is Worth A Thousand Words

Iang over at Financial Cryptography talks about the importance of not just which cryptographic algorithm to use, but which mode it is implemented with. He uses three pictures from Mark Pustilnik’s paper “Documenting And Evaluating The Security Guarantees Of Your Apps” that are such a great illustration of the problem, that I have to include […]

 

More on the Military Commissions Act

At the Volokh Conspiracy, Jonathan non-Alder points to the John Yoo op-ed which …argues that Congress sent a message to the Supreme Court with the passage of the Military Commissions Act: Mind your own business and leave the war on terror alone. In this regard, Yoo argues, the law was, above all else, a “stinging […]

 

More on Data Reservoirs

Nick Szabo takes issue with an article I pointed to in “Reservoirs of Data” in his post, “Citron’s ‘data reservoirs:’ putting liability at the wrong end of the problem:” Bottom line: liability should be put on the low-cost avoider. This is not merely a rule of negligence but a guideline for determining where any kind […]

 

Tearing Steve Wynn a New One

Wynn stepped away from the painting, and there, smack in the middle of Marie-Therese Walter’s plump and allegedly-erotic forearm, was a black hole the size of a silver dollar – or, to be more exact, the size of the tip of Steve Wynn’s elbow — with two three-inch long rips coming off it in either […]

 

Radialpoint Needs People

My friends at Radialpoint are looking for a few great people to help drive their service delivery platform. They need a database development architect, a software architect, and a senior Java developer: These are leadership level positions in a growing company with great financial resources. Each of these team members will have the chance to […]

 

Debix Launches

I’m also really excited to share the news that my friends at Debix have launched their service, and it’s now available to the public. It is, in my opinion, the best identity theft preventative measure available today, and you should seriously consider signing up. The way it works is that they put a lock on […]

 

Threat Modeling: Uncover Security Design Flaws Using the STRIDE Approach

I’m pretty excited that an article, “Threat Modeling: Uncover Security Design Flaws Using the STRIDE Approach” is in the November MSDN magazine. The theme of the magazine is “Security Fundamentals.” The article that I wrote with Shawn Hernan, Scott Lambert, and Tomasz Ostwald talks about how we threat model our products at Microsoft. I’m happy […]

 

Powerpoint Plans

It’s the scenes Lucas was too scared to film! The actual presentation, with voice overs. At http://lay-uh.ytmnd.com/.

 

I can’t believe they’d say that!

It’s the Nietzsche Family Circus, which pairs a randomized Family Circus cartoon with a randomized Friedrich Nietzsche quote. Hours of fun!

 

Those Who Can’t Remember The Past…

Are condemned to be mocked for it. See what happens when Australia’s “The Chasers War On Everything” build their own Trojan Horse and haul it around town.

 

Periodic Spiral

The periodic table is under-appreciated as a design masterpiece, and as an iconic representation of science. The table works as a taxonomy, showing someone who knows how to read it a great deal of information about the elements based on their arrangement in space. So it’s pretty audacious to come out with a re-design: The […]

 

No soup for you!

Harkening back to Adam’s post a while back concerning EC being blocked or miscategorized by various “security” products, tk of nCircle posts that nCircle.com has been blocked from some security vendor sites. This reads to me like the equivalent (speaking of analogies) of Toyota blocking Honda.com, rather than the categorization of nCircle.com as evil in […]

 

Analogies

So Chandler offers up “The Last Security Analogy You’ll Ever Need.” I’d like to pile on: Analogies are like fish. Sometimes they just don’t make sense.

 

Certification Shmertification

So it seems that certifications are again in the press. This time over at SC Magazine. Last month, SC ran “Does testing matter?”. I say ran as opposed to ask, because really the article was a page long advertisement for the various certifications with most of the quotes being from the various organizations who sponsor […]

 

Do Kings Play Chess on Folding Glass Stools?

Over at the OSVDB blog, blogauthor writes: On September 29, Stefan Esser posted an advisory in which he said “While searching for applications that are vulnerable to a new class of vulnerabilities inside PHP applications we took a quick look…”. This led me to remember an article last year titled Microsoft unveils details of software […]

 

Measurement

There are a bunch of ways to estimate how many people have died in the Iraq war.  One is to keep track of news stories and official reports of combatant and civilian deaths, and add them up. Another is to employ the tools of epidemiology and demography.  Until now, we’ve had essentially only the former […]

 

The Crap in Credit Reports

On August 10, after his family was refused a home loan, an Arcata man was mortified to find the phrase “son of Saddam Hussein” included on his credit report. “I looked at it and couldn’t believe my eyes!” said the Arcata man, who asked that only his middle name, Hassan, be divulged. The routine credit […]

 

Real ID Will Waste $11 Billion

What could you do with $11 billion? How many ways could we make the world a better place with that money? I know! Let’s spend it on a national ID card! The $11 billion figure comes from the National Conference of State Legislatures, and doesn’t include wasted time by productive members of society. On the […]

 

New, Non-Obvious, and umm, Useful?

Orin Kerr has an interesting post over at Volokh Conspiracy, “Government Responds in United States v. Ziegler,” which contains this interesting bit: But that’s simply not how the Fourth Amendment works. The “reasonable expectation of privacy” test is actually a system of localized rules: the phrase is simply a label, and what it actually means […]

 

On the Plane

I forgot to turn my wifi card off on the plane last night, and saw this: Kids today! Back in my day, man-in-the-middle attacks were hard.

 

"Reservoirs of Data"

Danielle K. Citron has put a new paper on SSRN, “Reservoirs of Danger: The Evolution of Public and Private Law at the Dawn of the Information Age.” It is highly readable for the lay audience, and lays out (what I think is) a strong case for strict liability in personal data breaches. The abstract of […]

 

BOOM, there it is

If, as is being suggested, North Korea has tested a nuke, things will be getting mighty interesting. I don’t know what to make of it, frankly. Update, 2350 CDT: Looks increasingly like there was, indeed, a test.

 

More on RFID Zappers

This seems to be the weekend of redux posts and backtracking to earlier in the year. Way back in January, Adam wrote about the RFID Zapper created by the folks at the annual Chaos Computer Club conference. In a similar vein, Julian of exremflug.de has also produced an RFID Zapper made from a disposable […]

 

Google Code Search

Back in July, I posted about online code searching and static analysis in “Meet The Bugles”. Google has now seriously upped the ante and released Google Code Search which I am constitutionally required to mention includes full regular expression support. Now I was going to post an analysis of the cool things that one could […]

 

No Expectation of Privacy

Here in the U.S., one of our Old Order Amish communities has recently suffered an infamous crime — the murder of several schoolchildren.  Interest in this case has been high.  Naturally, the public’s right to know has been ably served, as journalists took plenty of funeral photographs, despite the fact that the Amish, on strict […]

 

Information Warfare

As long as I have been lecturing on security I have used the “Threat Hierarchy” that lists threats in ascending order of seriousness. It goes like this: 1. Exploratory hacking 2. Vandalism 3. Hactivism 4. Cyber crime 5. Information Warfare It turns out that this hierarchy is also a predictive time line. Obviously we are […]

 

The Canadian Privacy Landscape

There’s a really interesting article at Blogging on the Identity Trail, “Bouquets and brickbats: the informational privacy of Canadians:” In the course of our investigations, I frequently found myself reflecting on two broader questions: first, I wondered how best law could protect the personal information of Canadians—and by extension the privacy of Canadian citizens—in the […]

 

RSS Feeds

Thanks for the emails. We’re aware of some problems with the RSS and comments feeds, and will be working through them asap. [Update: Should be fixed, as of Oct 05, 2006 at 05:01:36PM -0400. cw] [Update 2: When Chris said “fixed,” he was of course using the term in the sense of a Vegas prize […]

 

Detecting Election Fraud

Thanks to my lovely spouse, I came across a series of fascinating papers by Walter R. Mebane, Jr. a professor of Government at Cornell. These papers use statistics, specifically Benford’s Law, to detect election fraud. Now I know statisticians, and I am no statistician (and boy howdy is my higher level math rusty), but the […]

 

The Value of Location Privacy

There is a Workshop on Privacy in The Electronic Society taking place at the beginning of November. We (George Danezis, Marek Kumpost, Vashek Matyas, and [Dan Cvrcek]) will present there the results of A Study on the value of Location Privacy that we conducted half a year back. We questioned a sample of over 1200 people […]

 

Less than zero-day

[This was prepared the morning of October 1, but not posted because I expected more to come of the story rather quickly. It now appears that 1. is true.] OK, so at Toorcon a couple of guys — one of whom works at SixApart — reported on a Firefox 0day. These gents claim to have […]

 

Is That Lack of Data Keeping You Safer?

Bob Sullivan has an interesting article, “Is that picture keeping your money safer” in which he takes dueling quotes over the Bank of America Sitekey deployment. Rather than arguing again about Sitekey (see “Easy Pickings for Bank Robbers,”) I’d like to ask why a respected and competent reporter like Bob can’t get a straight answer […]

 

Marty: It's All About Transparency

Marty Roesch writes “Miracle Weapon in the War on Terror Discovered!” You’d think he’d have more sympathy for the need for standardized transports while doing high-speed inspection.

 

One For The Money, Two For The Show, Three For The Ballot

Ping over at Useable Security has a great analysis of Rivest’s ThreeBallot voting system. The delightful thing about ThreeBallot is that it should be incredibly easy to implement on a small scale and not much harder on a large scale, and it has built-in provisions to prevent voter error, counter fraud and vote buying. […]

 

Dear Secure Computing: Screw You, Too.

A loyal reader reports that we’ve hit the big time, and Secure Computing’s censorware has banned us at their dozens of customers’ sites. Now, it’s their right to make software that prevents you from getting the best in security news and analysis, and my right to wonder how they get their heads up there. I’m […]