Shostack + Friends Blog Archive

 

Department of Pre-blogging

Make sure to check out the blog posts Bruce Schneier and a host of others will soon make regarding the paralyzing effect that silly Blinkenlights ads for Aqua Teen Hunger Force had in Boston. The coordinated response by all departments proves the system we have in place works. Boston Mayor Thomas Menino Behold the power […]

 

Security Cameras and the Obedience Imperative

“People are shocked when they hear the cameras talk, but when they see everyone else looking at them, they feel a twinge of conscience and comply,” said Mike Clark, a spokesman for Middlesbrough Council who recounted the incident. The city has placed speakers in its cameras, allowing operators to chastise miscreants who drop coffee cups, […]

 

Non-Tangible Security

eBay is stopping all sales of “virtual artifacts.” Maybe. This story comes from a Slashdot article in which Zonk talks to Hani Durzy, of eBay about it. They are handling this by merely enforcing an existing policy which says: “The seller must be the owner of the underlying intellectual property, or authorized to distribute it […]

 

Mordaxus, redux

We’ve enjoyed having Mordaxus with us for the last month or so, and are pleased that he’ll be sticking around as a permanent member of the Combo. A few quick comments on my pseudonymous cohorts. First, why do I have pseudonymous co-bloggers? There’s a long history of artists appearing under names not their own, […]

 

Is this idea feasible?

With all the reports of lost backup tapes, I wonder if it would be technically feasible to keep an eye on them using RFID tags. If a tape “tries to leave” a facility without having been pre-authorized, bells go off. If a tape can’t be found, there’s a record of where it was last detected […]

 

Speaking of Secret Events You’re Not Invited To

There’s a blogger get together at the Foreign Cinema Wednesday night of RSA. 5PM – 8PM. We’ve been trying to coordinate via email, but I figured we should publicize our secret conference now. Remember, this will be the most blogged event of RSA. If you want in, blog about the event and trackback Martin McKeay. […]

 

Secrecy is not Privacy

So, I’m really irked by headlines like “Microsoft’s ‘Secret’ Security Summit.” First, it wasn’t Microsoft’s summit. It was an ISOTF meeting that had public web pages. Microsoft provided conference facilities and lunch. I don’t think we even bought the beer. Second, it wasn’t a secret. It has web pages: “Internet Security Operations and Intelligence II […]

 

From the "A Child Shall Lead Them" Desk

Response #24 in a discussion on FlyerTalk: My 10-y.o. son, like many kids, believes that backpacks have to be overloaded to work. Recently, at LAX T-6 (shoe carnival central), the TSA removed 2 partially full water bottles from his backpack after x-ray screening. On the return flight, at JFK T-9, they found 2 more, both […]

 

It’s a Flawless Plan for Making Money

First, you take a business away from legitimate enterprises, claiming only the state can run it without it sinking into a wretched hive of scum and villainy. Then, you ban competition. Then, you decide that you’re better off selling the monopoly rights to the highest bidder. It’s what Illinois is doing with their state lottery. […]

 

There are three types of authentication

They are: Something you’ve lost, Something you’ve forgotten, and Something you used to be. Here is a sad tale of a man who has a failure on (3), realizes he’s done (2), and his solution to the problem. It’s a classic tale of how more is often less when it comes to security. Lest you […]

 

I'm Glad I'm a Beta!

27B Stroke 6 tells us of a story. The domain SecLists.org was removed from the net by GoDaddy, its registrar. Why? Because MySpace complained. He’s got a mailing list archive and it has some stuff in it that pissed MySpace off — security information about phishing attacks. That’s well and good, but GoDaddy yanked the […]

 

Rely only on the secrecy of that which can be easily changed

The title is a statement of Kerckhoffs’ principle. A cryptographic system is only secure if the security of the system doesn’t depend on the whole system being secret. And there’s an interesting lesson there for Diebold. You see Diebold sells ATMs and voting machines. And they posted pictures of the key that allegedly opens every […]

 

When a 0% Success Rate is Worthwhile

There’s an article in Zaman.com, about “Turkish Hacker Depletes 10,000 Bank Accounts” A criminal enterprise comprised of 10 individuals who drained the accounts of 10,580 customers by sending virus-infected e-mails was busted in Istanbul. … The suspects reportedly sent virus-infected emails to 3,450,000 addresses, and subsequently drained 10,850 bank accounts. That’s a hit rate […]

 

Old-Fashioned Values

This is probably the most important minute of video you’ll see this week, but on a better week, it won’t be. Thanks to manfromlaramie for finding this.

 

Funniest Spam of the Week

Hmmm, what to do, what to do? This is so funny on so many levels. How can you not like a phishing attack where the hook is a poll based on eBay being closed because of so many phishing attacks? January 19, 2007 Dear eBay Community: We have decided to close eBay on 27 February […]

 

Two Quickies on Credit

“The spread of the credit check as civil rights issue,” in the Christian Science Monitor: Bailey, with her lawyer, has lodged a complaint against Harvard charging racial discrimination. The reason: Studies show that minorities are more likely to have bad credit, but credit problems have not been shown to negatively affect job performance. and “Insurers […]

 

Information Security Needs

The NYT reports, “Rough Treatment for 2 Journalists in Pakistan” and indeed reporting is dangerous in countries where they do not respect the sort of basic rights we in the civilized world have championed for nigh 800 years. However, a computer was seized, sources were roughed up and possibly jailed or killed: Since then it […]

 

Everything Old is New Again

“They are a handful of miserable resuscitators of a degenerate dead religion who wish to return to the monstrous dark delusions of the past,” said Father Efstathios Kollas, the President of Greek Clergymen. Hundreds of followers of Zeus, Hera, Poseidon, Artemis, Aphrodite and Hermes stood in a circle, a mile from the Acropolis, in what […]

 

Habeas Corpus? What Habeas Corpus?

On January 18th, Attorney General Alberto Gonzales testified in front of the Senate Judiciary Committee. As part of the hearings, there was a discussion of habeas corpus. As part of that discussion, Gonzales said: There is no express grant of habeas in the Constitution. Yes that’s right, our own Attorney General thinks that there is […]

 

A compromising position

Does Pete Lindstrom need to buy a dictionary? You make the call. In a recent post at Spire Security Viewpoint, he suggests that the folks at Privacyrights.org might be liars: I am starting to see (and hear) this “100 million records lost since February, 2005” figure referenced in a number of places such that it […]

 

Liberty Bags

Phil offers up some thoughts on Liberty Bags, named in the tradition of patriot bins and freedom tables. Phil, I think you need to wrap your items in bacon.

 

BenL on OpenID and Phishing

Ben Laurie (of Apache-SSL fame) posted a great analysis of a major design problem with OpenID calling it a “Phishing Heaven“. So, I can steal login credentials on a massive basis without any tailoring or pretence at all! All I need is good photos of kittens. I had hoped that by constantly bringing this up […]

 

More on the CIPPIC Report

A few days ago, Chris covered the release of a report from the Canadian Internet Policy and Public Interest Clinic, “Approaches to Security Breach Notification” (PDF). This is highly readable and important analysis. If you care about breaches, read it. I’d like to add some notes from my reading of it. First, the report talks […]

 

CIBC, 470,000 Canadians, lost tape

I’d attribute our knowledge that “CIBC loses info on 470,000 Canadians” (reported in the Globe and Mail) to the new transparency imperative, but as the CIPPIC survey makes clear, privacy regulators are finding notice requirements in extant laws. (More on that excellent survey soon.) Also note that the Globe and Mail seems to think that […]

 

It's Amazing What A Little Oversight Can Do

Two in the Washington Post today: “Secret [FISA] Court to Govern Warrantless Taps” and “Vast Data Collection Plan Faces Big Delay:” In a report to Congress to be released today, the Treasury Department concluded that the program was technologically feasible and has value, but said it needs to determine whether the counterterrorism benefit outweighs banks’ […]

 

"Not Having a Discussion About What I'm Buying? Priceless."

There’s a fascinating article in Sunday’s New York Times, “Money Doesn’t Talk.” The money quote: Through her store, Pesca, Ms. Azizian has earned her financial independence, but to avoid the disapproval of her husband of 27 years, she adopts a low profile by using cash. “His tastes aren’t as expensive as mine, and he doesn’t […]

 

Security Through Obscurity, The Next Big Thing

PCMesh, a Canadian company, has something Better Than Encryption. Encrypted files are still visible on the hard drive. This makes them vulnerable to attack from anyone who is interested enough in the content of the files to spend time trying to decipher them. And with more and more hackers intent on defeating modern encryption algorithms, […]

 

New Year's Resolution Dept. — Protecting Against Identity Theft

It’s the MLK Day holiday weekend. That means that one’s headache has subsided to the point that one can no longer hear one’s nose hair growing, and the cat is padding rather than stomping. It also means that it’s time for New Year’s Resolutions! If yours is to get better control over your information privacy, […]

 

Report: Approaches to Security Breach Notification

The Canadian Internet Policy and Public Interest Clinic at the University of Ottawa has published a report entitled Approaches to Security Breach Notification[pdf]. From the Introduction: This White Paper considers the need for an explicit obligation in Canadian privacy law to notify affected individuals of a breach in an organization’s security that places those individuals’ […]

 

New York Times on DRM

“Want an iPhone? Beware the iHandcuffs” says The New York Times in today’s edition of “Your Money”. Unfortunately it doesn’t really say much about the iPhone and crippleware beyond saying that it will be limited in music playing in effectively the iPod. However the article does a very nice job of covering the state of […]

 

Going the extra mile

As a control against identity theft, firms operating on-line often send snail mail confirmations to their customers when such things as site passwords, beneficiaries, or customer addresses have been changed. This allows the customer to review such changes and catch any that may have been unauthorized. I was the recipient of two such pieces of […]

 

Credit Card Data Over AOL IM

From the files of “too good to make up”, DavidJ.org reports a story from a couple of years ago about his credit card data being sent over AOL Instant Messenger. Essentially he bought some merchandise at a shop which didn’t have a point of sale terminal so the clerk was IMing all credit card data […]

 

Full Disclosure == Torture

Or so says the Mogull over at Securosis. This particular section sums up my own feelings about the necessity of full disclosure quite well. I think we need full disclosure as a tool in our arsenal, and that most of the researchers dropping these vulnerabilities think they’re doing good, but full disclosure needs to be […]

 

Robert Anton Wilson Defies Medical Experts

Robert Anton Wilson Defies Medical Experts and leaves his body @4:50 AM on binary date 01/11. All Hail Eris! On behalf of his children and those who cared for him, deepest love and gratitude for the tremendous support and lovingness bestowed upon us. (that’s it from Bob’s bedside at his fnord by the sea) RAW […]

 

A Pleasure Doing Business With You!

The BBC reports that the United Kingdom’s 1945 war debt to US [is] ‘almost paid’ and [was] paid off at the end of last year: The final payment of £45m will be made by the 31 December, meeting a 1945 obligation to repay the debt in full. In unrelated news, I’m told that neither the […]

 

What Congress Can Do To Prevent Identity Theft

Seventy Percent of Americans think we need more laws to protect them from identity theft and all that. I can think of a situation we need protection from. Here is a scenario. Let us take the case of a lender, Larry. We need a law to make it so that if Larry lends money to […]

 

Bay Area Security Incident Exercise

For those who are located in the SF Bay Area (or will be there on February 21st), the Silicon Valley ISSA Chapter is hosting a one day mock security incident exercise. The goal of the exercise is to explore how different organizations and industries must work together to respond to events based on their organizational […]

 

FTC Accepting Comments on ID Theft

The President’s Identity Theft Task Force announced that it is seeking public comment on various possible recommendations to improve the effectiveness and efficiency of the federal government’s efforts to reduce identity theft. The Task Force is chaired by Attorney General Alberto R. Gonzales and co-chaired by Federal Trade Commission Chairman Deborah Platt Majoras and participants […]

 

Secret Laws, Obnoxious Laws … No Law's Not Looking So Bad

First, from 27B/6, we learn that “Supremes Won’t Hear Secret Law Challenge,” and that the administrative agencies such as TSA are free to propagate laws and regulations we can’t see or challenge. Second, via Kansas City Newzine, we learn about the totally screwed up set of rules which are ‘REAL ID,’ featuring this chilling quote: […]

 

Choicepoint reports $50M more expenses, some due to breach

The Atlanta Business Chronicle reports that “ChoicePoint tumbles to third-quarter loss:” ChoicePoint Inc. went into the red in the third quarter, hurt by about $50 million in charges related to asset impairment, stock expenses and legal fees from a data breach in 2005. ChoicePoint’s losses are a severe outlier. As I said in March, 2005, […]

 

That’s Funny….

Over the last week, I’ve read several things involving poor Lind Weaver. In case you missed it, she’s a 57-year-old owner of a horse farm. She got a bill for the amputation of her right foot. As you should expect if you’re a regular reader here, it wasn’t her. Comic hijinks ensue which conclude with […]

 

Pragmatic Redux

Late on Friday night, Mike Rothman finally posted a response to some of my questions from last week. Most notably he reveals who the Mike in his “Ad” is: The answers are pretty straightforward. Mike, the Pragmatic CSO, is a fictional character. For those of you a little slow on the uptake, that means he […]

 

A Pledge

Having thought about my previous post, “On airport advertising,” I’d like to see what content-based restrictions are in place. If the ACLU applies and is accepted, I’ll donate $500 for the ACLU to buy bins that advise people of their rights when passing through airport screening. [Update/clarification: I’ll pay for the ACLU to inform travellers […]

 

On airport advertising

Via Eric Rescorla, who has insightful comments, and Boingboing, we learn that “TSA Pilot Would Offer Ads at Airport Security Checkpoints.” A few chaotic comments: What authority does TSA have to sell advertising? Isn’t Congress supposed to fund their operations? The advertisers will “who will provide divestiture bins, divestiture and composure tables, and metal-free bin […]

 

United Airlines Customer Service

I was wondering what United Airlines customer service did. This screen capture seems to make it all clear. United Airlines has been featured before, in “Dear United.” To be fair, I met a very nice and human supervisor while I was stuck in Denver due to their crew change, but he maintained the claim that […]

 

Insuring Against Data Loss Losses

Matt Hines reports on a growing market for corporate insurance, responding to concerns about breach laws, in “Dark Day Planning: Insuring Against Data Loss:” As a result of the widening impact of data losses, AIG has seen its business of providing insurance for potential corporate security failures shift increasingly toward protection for privacy-related risks. Another […]

 

Joanna on Stealth Malware

Joanna Rutkowska of Blue Pill fame gave a presentation at the recent Chaos Communication Congress on “Stealth malware – can good guys win?“. Unfortunately, I couldn’t make it to the presentation in person, but the powerpoint slides are a great read. I highly recommend it. Definitely food for thought. [Image is Hypervisorus Blue Pillus from […]

 

A Request

My latest request for documents under New York State’s freedom of information law was just responded to. There are 1289 pages of documents covering the period 6/2006 to 12/2006. By way of comparison, my two previous requests covered the period 12/2005 to 5/2006, and yielded 400 pages or so. The nice folks in NY made […]

 

Hmmm…Breach Notification…Australia…

So there’s an article in ZDNet Australia, “Establish a strategy for security breach notification.” All well and good, but Australia doesn’t have a breach notice law. (As far as I know.) So all you ‘new normal’ skeptics, who don’t believe me that standards are changing ahead of laws…why did a competent journalist writing for editor […]

 

Goat Security

It seems that the Gavle goat survived the holiday this year. Giant goats in Gavle seem to have about a 20% survival rate, with this year’s being only the 11th to survive the holiday season since 1966. No word on what fire-retardant was used, which is too bad. How are other 13 meter straw goats […]

 

The Pragmatic Reviewer

Today Mike Rothman launched his new book “The Pragmatic CSO” at the astounding price of $97. I took the plunge and downloaded the introduction and it isn’t half bad, but aside from a cute dialogue at the beginning it doesn’t really read differently than any number of other security books I have on my shelf. […]

 

When Planes Fell From the Sky

The excellent ‘Notes from the Technology Underground’ has some personal recollections of “when planes fell from the sky:” In the 1950s, planes crashed with alarming frequency into city neighborhoods near the Minneapolis-St. Paul airport. At least one devoured a house near where I now live, in Southwest Minneapolis. I heard from older neighbors about the […]

 

Five Things You Don't Know About Me

Dear Bob, You may think I’ve been ignoring your post, but I’ve been trying to decide how to approach it. This morning, courtesy of Scoble, I found Hugh MacLeod’s post on the subject: I dislike you intensely. I love it when bad things happen to you. When your name is mentioned I immediately try to […]