Akaka-Sununu Bill Repeals Key Aspects Of The Real ID Act

Daniel Akaka and John Sununu have introduced a bill to repeal title II of the Real ID Act. From the press release:

The Identification Security Enhancement Act (S. 4117) replaces REAL ID with language from the Intelligence Reform and Terrorism Prevention Act of 2004 (P.L. 108-458), which took a more measured approach in mandating tougher standards for drivers’ licenses and identification cards by requiring that the new guidelines be developed by a shared rulemaking process that would involve all key stakeholders, including state governments and privacy experts.

It’s really great to see some bipartisan support for our rights for a change. I particularly like the fact that both state governments and privacy experts will be involved. It gives me hope that, should this bill pass, we’ll actually end up with something sane.
[Via EFF: Deep Links]

I’ll See Your Randomness, And Raise You a Protocol

In “Stellar Lavarand,” Ben Laurie writes:

Some crazy people think they can make a business of this, only using the solar wind, the clouds of Venus, the Northern Lights, Jupiter’s shortwave emissions and other cosmic events as their random source.

Just like lavarand, this causes a moment of “oooo, shiny”, rapidly followed by “but why would I want someone else to see my randomness?”. So, kids, feel free to point and laugh at anyone foolish enough to use this service for anything real, but don’t try it at home.

I can imagine a number of protocols that rely on a source of random bits that Alice and Bob both receive at the same time, and that can be independently verified to have been outside the control of any third party. The point of such a source is not that the bits are secret (they obviously aren’t), but that nobody, the operator included, can choose them or know them ahead of publication.
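One such protocol, as an added example that is not part of the original post: a coin flip in which both parties commit to a secret, then wait for the next beacon value, then reveal. The beacon below is a constructed stand-in (an HMAC over a round counter, with a hypothetical private seed) for a real public source such as the cosmic-noise service Laurie describes; the names `ToyBeacon`, `coin_flip` and `grind` are mine, not anyone’s product. The last two functions show why the ordering matters: a party who commits after the beacon value is public can grind his secret and win every time, while one who commits before it cannot do better than a fair coin.

```python
"""Coin flip between Alice and Bob using a public randomness beacon.

Added example, not from the original post. The beacon is a constructed
stand-in for an external public source; the protocol around it is the
usual commit, wait for the beacon, reveal pattern.
"""
import hashlib
import hmac


def h(*parts: bytes) -> bytes:
    """Length-prefixed SHA-256, so that (b"ab", b"c") != (b"a", b"bc")."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big"))
        d.update(p)
    return d.digest()


def commit(secret: bytes, nonce: bytes) -> bytes:
    return h(b"commit", nonce, secret)


def verify_commit(commitment: bytes, secret: bytes, nonce: bytes) -> bool:
    return hmac.compare_digest(commitment, commit(secret, nonce))


class ToyBeacon:
    """Publishes one value per round. Everyone sees every value; nobody can
    know a round's value before it is published (hypothetical private seed)."""

    def __init__(self, seed: bytes):
        self._seed = seed
        self.current_round = 0

    def publish_next(self) -> tuple:
        self.current_round += 1
        msg = self.current_round.to_bytes(8, "big")
        return self.current_round, hmac.new(self._seed, msg, "sha256").digest()


def outcome(a_secret: bytes, b_secret: bytes, beacon_value: bytes) -> int:
    """The coin: one bit derived from both secrets and the beacon value."""
    return h(b"coin", a_secret, b_secret, beacon_value)[0] & 1


def coin_flip(beacon, a_secret, a_nonce, b_secret, b_nonce) -> int:
    # 1. Both parties publish commitments, recording the current beacon round.
    c_a = commit(a_secret, a_nonce)
    c_b = commit(b_secret, b_nonce)
    committed_at = beacon.current_round
    # 2. The beacon publishes. The round number is the public evidence that
    #    neither commitment could have been chosen knowing this value.
    rnd, value = beacon.publish_next()
    if rnd <= committed_at:
        raise ValueError("beacon value predates the commitments")
    # 3. Both reveal; a reveal that does not match its commitment is rejected.
    if not (verify_commit(c_a, a_secret, a_nonce) and verify_commit(c_b, b_secret, b_nonce)):
        raise ValueError("commitment mismatch")
    return outcome(a_secret, b_secret, value)


def grind(a_secret: bytes, beacon_value: bytes, want: int, tries: int = 256):
    """Bob searches for a secret that makes the coin come up `want`, using
    whatever he knows at the moment he has to fix his secret."""
    for i in range(tries):
        b = i.to_bytes(2, "big")
        if outcome(a_secret, b, beacon_value) == want:
            return b
    return None


def bob_commits_late(a_secret: bytes, seed: bytes) -> bool:
    """Bob waits for the beacon value, then grinds against it: he always wins."""
    beacon = ToyBeacon(seed)
    _, value = beacon.publish_next()
    b = grind(a_secret, value, want=1)
    return b is not None and outcome(a_secret, b, value) == 1


def bob_commits_early_win_rate(a_secret: bytes, trials: int = 200) -> float:
    """Bob must fix his secret before the beacon publishes. Grinding against a
    guessed value is useless; his win rate stays near one half."""
    wins = 0
    for t in range(trials):
        beacon = ToyBeacon(seed=t.to_bytes(4, "big"))
        b = grind(a_secret, beacon_value=b"guess", want=1)
        _, value = beacon.publish_next()
        wins += outcome(a_secret, b, value)
    return wins / trials
```

Note that `coin_flip` uses the beacon value only as a challenge mixed into a hash of both parties’ secrets; if it were used directly as a key or as the whole outcome, Laurie’s objection would apply in full, since every observer sees it.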

Is it a business? Seems doubtful, but it’s interesting that it’s being tried. Who knows what might emerge?

Photo: “The Last One” by J.C. Freakshow.

Aspen Privacy Breach

The Wall Street Journal reported yesterday that “Stars Find Privacy Breached In Aspen by Phone Book” (behind paywall, sorry). According to the Journal:

When the Yellow Book directory for Aspen, Colo. came out recently, residents of this ultra-chic ski town found it contained more than the usual list of local bars, hair salons and ski shops.
It also included the previously unpublished addresses of actor Jack Nicholson, former Walt Disney Co. boss Michael Eisner and the deceased ex-chairman of Enron Corp. Kenneth Lay, among other celebrities and executives accustomed to keeping their contact information unpublished. The incident was first reported in the Aspen Daily News.

Yellow Book has stated that it used a third-party marketing service for the data in the phone book. I guess someone forgot to double-check that the requests for unlisted numbers were being honored prior to publication. Oops….
[Edit: A commentator pointed me to the original article in the Aspen Daily News]
[Edit: America’s Finest News source covered this issue years ago. (Thanks Adam)]

Fines, Settlements in Privacy Invasions

Topping the list, Vodafone has been fined $100M (€76M) for failing to protect 106 mobile accounts. “Greek Scandal Sees Vodafone fined” at the BBC, via Flying Penguin.

On this side of the Atlantic, Choicepoint, Experian and Reed-Elsevier are looking to pay $25 million to settle claims that they invaded the privacy of 200 million drivers in the US. None of that money would go to those whose privacy was invaded. (“Driver Data Lawsuits Settlement Proposed.”)

Pop quiz: Which do you think will influence behavior more?

Photo: Peeping Dog, by ErinV.

My Advice for the Pragmatic CSO

Mike Rothman writes:

On the Wikid blog, they tackle the mess of incentive plans in this post (h/t to Emergent Chaos). I can see the underlying thought process, but I have a fundamental issue with the idea of capping information security expenses to about 1/3 of the expected loss. Now I haven’t read Gordon & Loeb’s book, so maybe there is a reason it’s 37% and not 50%. Obviously you need to show a “return” on the security investment, so it isn’t going to be 100% – but whatever.

“Whatever?” “Maybe there’s a reason?” It’s not like this is a $200 book. It’s $40 and 225 pages.

My advice for the pragmatic CSO is to read Gordon and Loeb instead.
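For the record, the figure Rothman is puzzling over is $1/e \approx 0.37$, and it falls out of the model rather than being picked. The sketch below is added here and is not part of the original post; it uses one of the two breach-probability functions from Gordon and Loeb’s 2002 paper, with their symbols: $v$ the vulnerability (probability of breach with no investment), $L$ the loss if a breach occurs, $z$ the security investment, and $\alpha > 0$ a productivity parameter.

$$
S(z) = v^{\alpha z + 1}, \qquad
\mathrm{ENBIS}(z) = \bigl[v - S(z)\bigr] L - z .
$$

At an interior optimum $z^*$ the marginal benefit equals the marginal cost of one more unit of investment:

$$
-\alpha (\ln v)\, v^{\alpha z^* + 1} L = 1 .
$$

Write $w = S(z^*) = v^{\alpha z^* + 1}$ for the breach probability after investing. The first-order condition gives $1/\alpha = -wL \ln v$, and solving $w = v^{\alpha z^* + 1}$ for $z^*$,

$$
z^* = \frac{\ln w - \ln v}{\alpha \ln v}
    = \bigl(-wL \ln v\bigr)\,\frac{\ln (w/v)}{\ln v}
    = wL \ln \frac{v}{w} .
$$

Since investing lowers the breach probability, $w \le v$; set $t = w/v \in (0, 1]$, so that

$$
z^* = vL \cdot \bigl(-t \ln t\bigr) \le vL \cdot \max_{0 < t \le 1} \bigl(-t \ln t\bigr) = \frac{vL}{e},
$$

the maximum being attained at $t = 1/e$. Because $vL$ is the expected loss, the optimal spend never exceeds $1/e \approx 37\%$ of it, and the paper derives the same bound for its other function class. Note that the bound is a ceiling on the optimum, not a budget target; for many $(v, L, \alpha)$ the optimal $z^*$ is far below it, or zero.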

PS: Now I know why it’s called the Security Incite, not the Security Insight.

Million Dollar Blog Post

My friend Austin Hill has put up the Million Dollar Blog Post. They, and their sponsors, will donate up to a million dollars to charity, at $1 per comment.

I think charity is tremendously important. I’ve been lucky enough to have a set of skills that are well rewarded in today’s world. (I’m reminded of a joke Warren Buffett tells, of what would have happened if he were a cave man: as he runs from a saber-toothed tiger, he yells, “But I can allocate capital efficiently!”) I’m lucky enough to have missed many of the horrors of the twentieth century.

Some of the organizations I give to include:

If you’re reading this blog, odds are good you’re employed in the sort of job that allows you to surf the Internet. Which puts you in an excellent position to spend a few more minutes surfing the web, and donating to worthy causes and those less fortunate than you.

Why not start with the Million Dollar Blog Post, and go on from there?

[Update: closed comments due to spam]

Read any good books lately?

Do share your opinions and suggestions.
Personally, I don’t read enough, and I stay within a too-narrow comfort zone of UNIX geek material. Help me, and other EC readers similarly situated. It’d be nice if the techie side of infosec were not the subject (Richard Bejtlich has that covered anyway).
I wrote up a review of Bryan Skyrms’ The Stag Hunt and the Evolution of Social Structure a while back, and I recommend it highly (the book, not the review).
I also liked Amartya Sen’s Rationality and Freedom.

Gifts for the Cryptological Mind

Cryptological in this case meaning those who like thinking about the hidden.

The Cryptex
Hakone Box
Authorized Da Vinci Code Cryptex from The Noble Collection. It’s very nice, made of good, solid brass. It avoids many combination lock issues. I tried some obvious ways you can cheat a letter from such a device and it was well-made enough that they didn’t work. It’s a nice bit of work.
Also, Japanese Hakone puzzle boxes from Pandora’s Puzzle Boxes. These are beautiful inlaid wooden boxes that you have to open up by sliding pieces of the box around. They’re rated by both size of the box and the number of moves needed to open it.

The puzzle box is both harder and easier than the Cryptex. You can brute-force the Cryptex in at most 26^5 moves (five rings of 26 letters), but you know what the moves are. It’s still a bit of a trick to know just how to slide the letters in place (that’s a good thing) as well. I found that pleasing in the Cryptex. The sliders for each ring are analog with no wussy little ratchets.

If you have a 27-move Hakone box, it’s only 27 moves, but you have to know what the moves are, and that’s a challenge in and of itself. The boxes go all the way up to 78 moves. New boxes are a bit stiff, and so there’s also a manual dexterity aspect to solving it, even if you know how to.
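The reason “cheating a letter” matters so much more than the raw 26^5 is worth seeing in code. The following is an added example, not part of the original post: `Cryptex` is a constructed model of the device, and the `leaks_per_ring` flag stands for the kind of flaw the post tested for, a device that lets you tell when a single ring is correct. With no leak the attacker is stuck with exhaustive search; with a per-ring oracle the search collapses to five independent searches of 26.

```python
"""Exhaustive search versus a per-ring oracle on a five-ring Cryptex.

Added example, not from the original post. The device and the oracle are a
constructed model, not a description of The Noble Collection's product.
"""
import itertools
import string
from typing import Optional, Tuple

ALPHABET = string.ascii_uppercase
RINGS = 5


class Cryptex:
    def __init__(self, code: str, leaks_per_ring: bool = False):
        assert len(code) == RINGS and all(c in ALPHABET for c in code)
        self._code = code
        self.leaks_per_ring = leaks_per_ring
        self.probes = 0  # every interaction with the device is counted

    def try_open(self, guess: str) -> bool:
        self.probes += 1
        return guess == self._code

    def ring_feels_right(self, ring: int, letter: str) -> bool:
        """Per-ring oracle (by feel, sound, or play in the mechanism).
        A well-made device gives no such feedback."""
        if not self.leaks_per_ring:
            raise RuntimeError("no per-ring feedback on this device")
        self.probes += 1
        return self._code[ring] == letter


def brute_force(device: Cryptex, limit: int = 50_000) -> Optional[str]:
    """Exhaustive search in dictionary order: up to 26**5 = 11,881,376 tries.
    `limit` just keeps the example quick; a real attacker has no such cap."""
    for combo in itertools.product(ALPHABET, repeat=RINGS):
        guess = "".join(combo)
        if device.try_open(guess):
            return guess
        if device.probes >= limit:
            return None
    return None


def cheat_letter_by_letter(device: Cryptex) -> str:
    """With a per-ring oracle the search is at most 5 * 26 probes, because each
    ring is confirmed independently of the others."""
    code = ""
    for ring in range(RINGS):
        for letter in ALPHABET:
            if device.ring_feels_right(ring, letter):
                code += letter
                break
    assert device.try_open(code)
    return code


def attack(device: Cryptex) -> Tuple[Optional[str], int]:
    """Return (recovered code or None, number of probes spent)."""
    if device.leaks_per_ring:
        return cheat_letter_by_letter(device), device.probes
    return brute_force(device), device.probes
```

The same shape shows up in software whenever a check reports success one component at a time, which is why password and MAC comparisons are done in constant time over the whole value.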

I recommend getting one of each. If the recipient has been naughty, put the solution for the Hakone box in the Cryptex and the Cryptex solution in the Hakone box. If the recipient has been very naughty, there are many opportunities for crypto-sadism. You can put a crib in the Cryptex’s setting of the initials of some significant person or place. You can put a clue to the Cryptex solution rather than the solution itself in the Hakone box. Add more boxes for more fun.

Breach Bills, and the Role of Encryption

In Grant Gross’s IDG article, “VA Security Breach Bill Criticized by Cybersecurity Group,” CyberSecurity Industry Alliance General Counsel Liz Gasster is quoted extensively:

The Veterans Benefits, Health Care, and Information Technology Act, largely focused on veterans’ health-care programs, includes a section on information security requiring the VA to report data breaches of any “sensitive” personal information, potentially including breaches where only veterans’ names were exposed, said Liz Gasster, general counsel for the Cyber Security Industry Alliance (CSIA), a trade group representing cybersecurity vendors.

The bill, passed by Congress late last week, requires the VA to report breaches of sensitive personal information to Congress and requires VA Secretary R. James Nicholson to create plans for notifying affected veterans, as well as offering credit monitoring and identity theft insurance to affected veterans.

Hey, another law! I’d missed it!

“Essentially, the loss of a list of names on a piece of paper constitutes a data breach under the law, which seems far too broad,” she said. “Clearly, your name is not sensitive personal information.”

Perhaps Congress has figured out that there are more reasons to know about breaches than identity theft risk. If the VA can’t control data entrusted to it, Congress wants to know, has a right to know, and has a responsibility to know. I’m glad they’re taking an interest, and will be able to evaluate the effectiveness of FISMA.

In addition to its potentially broad definition of sensitive personal data, the bill does not exempt the VA from reporting data breaches if the information was encrypted, Gasster said. In supporting a national data breach notification bill, CSIA and other groups have called on Congress to exempt encrypted data from notification rules, saying the exemption would encourage companies and government agencies to encrypt more data.

The lack of an exemption “seems like it deprives the benefit of encryption from the VA,” Gasster said.

This is an odd perspective, perhaps an artifact of the way the conversation is reported. The benefit of encryption is that the data is protected (provided the keys were not lost along with it), and the organization that encrypted it is protecting those who entrusted it with their data from privacy infringements. There’s a secondary benefit of not having to report the breach, but it should be secondary in the minds of civil servants.

Although the bill’s language on personal sensitive information and encrypted data is too broad, in some ways the bill doesn’t do enough to protect consumers, Gasster added. The bill only addresses VA data breaches, not breaches at other government agencies or private companies.

And that really is a shame.

Have Some Soma, and Don’t Mind The Cameras

The BBC reports that “Prozac ‘found in drinking water’” in Britain, and that:

In the decade leading up to 2001, the number of prescriptions for antidepressants went up from nine million per year to 24 million per year, says the paper.

They point to an Observer story, “Stay calm everyone, there’s Prozac in the drinking water.”

So, 24 million people taking Prozac out of a population of 60 million. Now it’s clear to me how people cope with all those cameras.



Photo “It’s rude to stare” by Gilgono.

[Update: Thanks to Philll: prescriptions are a month at a time, so it’s “only” 3% of the population at any one time. Which raises the question of how people cope.

Incidentally, do you read comments? We have awesome commenters here, and an RSS feed for comments.]