Shostack + Friends Blog Archive

 

Jennifer Granick's awesome explanation

Imagine if, in the 1970s, the tobacco companies had patented devices to measure the health effects of smoking, then threatened lawsuits against anyone who researched their products. I’ve never heard such a clear explanation of why threats to security research are bad. From “Patently Bad Move Gags Critics,” in Wired. The same can be said […]

 

HIDing At Blackhat

Now HID is claiming that they did not demand that Chris or IOActive cancel their talk. As a result the talk is now back on, but with the details about the device and the demo expurgated. As Chris has repeatedly said, this attack is completely generic and works against any passive RFID tag. Additionally, Nicole […]

 

Medical Privacy News

There’s a great editorial about how your prescriptions are bought and sold all over the place, “Electronic prescribing is no panacea” by Dr. Deborah Peel, in Government Health IT. Also, Health Care IT news reports that “Federal privacy panel leader resigns, raps standards:” The leader of a federal panel charged with providing privacy recommendations for […]

 

No, seriously

Somebody — I want to say Rich Mogull, but I cannot find the reference — wrote sarcastically about breach notices almost always saying “At $COMPANY we take security seriously….” as they report how, well…you know. I just finished scanning 183 notice letters I got from New York, covering the last half of 2006. Using an […]

 

Rootkit on a Stick

The SnoopStick offers full realtime monitoring of another computer. It’s Vista-ready, too, which perhaps says something about Vista security, or perhaps about people who have had trouble working with Vista, or both. Any time you want to see what web sites your kids or employees are visiting, who they are chatting with, and what they […]

 

Vote Positively With Your Pocketbook

Adam Frucci at Gizmodo is calling for action, “Putting Our Money Where Our Mouths Are: Boycott the RIAA in March.” I don’t disagree with him on the basics. I believe that consumer revolt is a misunderstood power. If you don’t believe me, I can prove it with one TLA: DAT. If your response to that […]

 

Blackhat Do It Again

Looks like HID hasn’t learned anything from Cisco’s experience two years ago. One of these years more vendors will learn how to manage vulnerability disclosure and follow the lead of companies like Microsoft and Cisco rather than sticking their foot in it. Chris Paget, a well-respected researcher, is going to present at Blackhat Federal […]

 

It’s "privacy," Jim, but not as we know it.

The Canadian Privacy Commissioner has issued a number of new rulings, essentially ruling that anyone in Canada can request an ID card whenever they want. The first, summarized by Michael Geist in “Privacy Commissioner on Domain Name Registrant ID Requirements” says: requirements of personal identification, such as a driver’s license, in order to change the […]

 

Emergent Meanings of Privacy

There’s a really fascinating article in New York Magazine, “Say Everything:” And after all, there is another way to look at this shift. Younger people, one could point out, are the only ones for whom it seems to have sunk in that the idea of a truly private life is already an illusion. Every street […]

 

A telling remark

In the “inconvenient coincidences” category, it seems that Al Sharpton’s great-grandfather was a slave owned by relatives of the late segregationist US senator Strom Thurmond. Thurmond’s niece, Ellen Senter (via an AP report) provides an interesting perspective: I doubt you can find many native South Carolinians today whose family, if you traced them back far […]

 
 

Information Leaks

I was on the last flight back west on a Friday night, glad that it looked likely I was going to get home. Even better, I’d been upgraded. I flopped into my seat, pulling out the noise-canceling headphones, laptop power adapter, books, and all that other stuff that makes a long flight an oasis of […]

 

On the TJX Breach

So there’s been a stack of news stories on TJX and the issues with their database. I want to comment on an aspect of the story not getting a lot of coverage. In the Cincinnati Enquirer story, “Fifth Third has role in TJX hole,” Mike Cook is quoted as saying “If you are a consumer […]

 

"A trade founded in iniquity"

At Balkinization, Scott Horton discusses how “Two Hundred Years Ago Today, the Global Campaign for Human Rights Achieved Its First Victory:” “As soon as ever I had arrived thus far in my investigation of the slave trade, I confess to you sir, so enormous, so dreadful, so irremediable did its wickedness appear that my own […]

 

Department of Pre-Blogging: Waziristan

Back in September, we covered how Pakistan and Waziristan had a peace deal, essentially, a deal with al Qaeda. In it, I commented on how people would get medals for “convincing al Qaeda to get a territorial base which we can bomb.” Now, in “Al Qaeda Chiefs are seen to regain power,” the Times reports: […]

 

Not Selling But Marketing

As promised last week, I have more to say on selling security. Well, sort of. Actually, I’m going to try a new approach. I’m increasingly convinced that to get real attention on security, we need to stop thinking about selling, awareness or even training users. We need to be marketing security; more specifically, we need […]

 

Why We Fight

TJX appears to have suffered little financial fallout. Its stock fell just 2 percent yesterday after the company disclosed the new problems, along with its fourth-quarter earnings. For the three months ended Jan. 27, TJX said, profit fell to $205 million from $288 million in the same period a year earlier. Store closings led TJX […]

 

Wretched Word of the Week: Trust

Where to start on this one? Trust as we use it means so many things. Then there’s the word trusted. Beyond that, there is trustworthy. A bullet point on a slide I recently saw said, “Trusted computing is not trustworthy computing.” Oh, how nice. Even better, “Trusted Computing does not mean trustworthy or secure.” I […]

 

Data Collection about Breaches

In “Once a data loss report, always a data loss report?” Dissent asks about what we should be collecting and analyzing. Scenario 1: “We thought we had lost a computer with sensitive customer records, but it turns out we didn’t lose it.” Should that entry in a breach list be removed? I think that the […]

 

Award-winning scrotum

The New York Times writes about “The Higher Power of Lucky”, a children’s book which recently won the Newbery Medal. As someone who has purchased his share of kids’ books, I assure you that the Newbery — and its companion the Caldecott Medal — signal quality to buyers. In this case, though, some parents and […]

 

Visualizing Breach Data

Using IBM’s cool “Many Eyes” service (now in alpha), I played for a few minutes with some breach data. Nothing more than the size of each entry in Attrition’s database, and its date. Looks kinda cool, I think.

 

There’s A List?

I received the following in the mail the other week and while I was initially amused that I was getting this without asking for it, it took my wife pointing out the irony of there being an actual directory at all:

 

More On Selling Security

Chandler says that he “would rather be understood than perfect” in response to Mordax’s call to stop cutesy names for attacks. In doing so, he says: Second (and I know this has been mentioned elsewhere in the world), instead of talking about vulnerabilities within the Software Development Lifecycle, I just talk generically about them as a […]

 

Advances in Conference Usability

A little bird reports that at the Usable Security Conference they handed out conference proceedings in PDF form on a flash drive. I’m told that the flash drive was cheaper than printing on paper. I hope this trend spreads, as I’m always lugging back paper from conferences along with the inevitable bag or t-shirt. Flash […]

 

DVD Player Advice?

I’d like to buy a cheap DVD player, and bet someone reading can tell me: Who’s the Apex of 2007? That is, who’s making cheap, consumer-friendly DVD players? I’d like one that’s: region-free; fully controllable (none of that “we’re sorry, you have to watch the ads” crap); and good at error-correcting for scratched-up DVDs.

 

Let’s Stop Cutesy Names for Attacks

Orwell said it best in “Politics and the English Language,” and if you haven’t read him recently, you should. Abuse of the language has adverse effects on thought, and it’s true in security as well as politics. He gives some wretched examples and says of them: Each of these passages has faults of its own, […]

 

Professional Ethics

Cutaway’s post about ethics at RSA reminded me that I wanted to post about this as well. Like Cutaway, I attended “Professional Ethics in the Security Disciplines,” which was chaired by Howard Schmidt; the panelists were representatives of SANS, (ISC)², ASIS and ISACA. All in all, despite Howard’s expert moderation, I remain underwhelmed […]

 

Credentica Launches U-Prove

Montreal, QC (PRWEB) February 13, 2007 — Credentica , a Montreal-based provider of innovative security software for identity and access management, today announced the immediate availability of its U-Prove product for user-centric identity management. The U-Prove product enables organizations to protect identity-related information with unprecedented security throughout its lifecycle, wherever it may travel. It is […]

 

Ignite Seattle

I attended Ignite Seattle last night. It was awful. Don’t attend next time. No, just kidding. It was great, and very crowded. There were some really awesome talks. I’m inspired to put a talk together for next time. My favorites from last night were: Elisabeth Freeman gave a great talk on how the Head First […]

 

Identity theft numbers: Javelin vs. FTC

So there was a bunch of press last week from a company (Javelin) claiming that ID theft was falling. Consumer Affairs has a long article contrasting Javelin and FTC numbers, well summarized by the claim that “FTC Findings Undercut Industry Claims that Identity Theft Is Declining.” I think that there’s an interesting possibility which isn’t […]

 

Department of pre-blogging, II

A bit of background. Sun recently got hit with a 0-day that was 13 years in the making, by seemingly repeating a coding worst practice that bit AIX back in 1994 — trusting environment variables under the control of an attacker. A slightly more complex variant bit Solaris’ telnetd in 1995. From the advisory (NSFW) […]

 

Flying Without an ID

I’ve been inspired by Christopher Soghoian’s efforts to fly without having to show ID. I figured that my return flight from RSA was the perfect time to try it for myself. I was flying without my family and had lots of time to spare. Chris has previously reported on fun flying out of SFO, I […]

 

When I Hear "Precise Machining," Iran Springs to Mind

The New York Times has an article “U.S. Presents Evidence of Iranian Weapons in Iraq.” It contains this gem: They said that at least one shipment of E.F.P.’s was captured as it was being smuggled across the border from Iran into southern Iraq in 2005. The precise machining, the officials said, is another feature that […]

 

Party like it's 1994

A 0-day in Solaris {10,11} telnetd is reported. SANS has some details. Anyone who remembers the AIX “rlogin -froot” vuln will appreciate this one. (h/t to KK on this one)

 

Astronaut Screening & Privacy

Following up on the issue of astronaut screening, there’s an article at MSNBC, “Former NASA doctor says agency must do more,” in which “NASA flight surgeon and professional psychiatrist Patricia Santy” discusses the screening which takes place. It’s an interesting article, in which she discusses the tension between NASA’s organizational culture and psychological screening. What […]

 

Breach irony

According to Courtney Manzel, Counsel – Office of Privacy, Sprint Nextel Corporation, reporting a breach pursuant to NY’s notification law: A laptop computer was stolen from the human resources department of Velocita Wireless during a rash of office burglaries in the Woodbridge, New Jersey area. The laptop computer was one of many items stolen. It […]

 

Best Sign at RSA?

Ryan Russell shows his loyalty by claiming this is only the second-best ad at RSA. The words beneath the sign read “Beware of false positives:” Incidentally, this is an advertisement, trafficking in stolen property, referring to another ad campaign which caused mass hysteria, and flipping off its audience. What’s not to love? Kudos to Cyberdefender […]

 

Astronauts and Terrorists: Limits of Screening

So we here at Emergent Chaos have carefully refrained from using the phrase “astronaut in diapers,” not because we think that it is now incumbent upon the blogosphere to maintain what little dignity remains in American journalism, but because, within about nine minutes of the arrest of Lisa Nowak, the blogosphere had thoroughly digested the […]

 

Must-Read Article: The Ecstasy of Influence

This is in Harpers, “The Ecstasy of Influence.” It is an interesting meditation on the nature of art itself and how art is composed of other art. However, not only must you read this, you must read it all the way through to understand it and why it is important.

 

Coviello: RSA 2010 Will be Last Conference

Okay, that’s not precisely what he said. What he said was that in “two to three years” there will be no more “standalone security solutions.” Meanwhile, the tradeshow floor of the RSA conference seems to be enjoying something of a renaissance, which is good to know, as the theme of the conference is, well, The […]

 

Telephone Privacy

Privacy, being the right to be left alone, is hard to get with a telephone. Two interesting stories make a trend, and we report on trends here. Or something. I think that the profusion of new services around telephone privacy are the start of an interesting market backlash against the cell phone’s effect of making […]

 

If You Blow Hard, You Can Find a Disclosure Debate

So there’s a video of how to “Unlock A Car With a Tennis Ball.” I advise turning the sound off; there’s no value to a bad pseudo-rock soundtrack, and no information in it (all the narration is in text in the video). There’s also precious little information in the video. It’s not clear what make or […]

 

Why Johnny Can’t Bank Safely

Stuart E. Schechter, Rachna Dhamija, Andy Ozment, and Ian Fischer have written a paper which examines the behavior of persons doing on-line banking under various experimentally manipulated conditions. The paper is getting some attention, for example in the New York Times and at Slashdot. What Schechter et al. find is that despite increasingly alarming indicators that […]

 

I Was Wrong

I’ve had a conversation recently with a CSO about breach disclosure. His shop had screwed up and exposed, well, an awful lot of social security numbers. They feel really bad about it, and they don’t think anyone will really be hurt. Gosh darn it, he was really sincere. So I take it back. We should […]

 

Defend Traditional Marriage In Washington

The Washington Defense of Marriage Alliance seeks to defend equal marriage in this state by challenging the Washington Supreme Court’s ruling on Andersen v. King County. This decision, given in July 2006, declared that a “legitimate state interest” allows the Legislature to limit marriage to those couples able to have and raise children together. Because […]

 

DRM, digitally coded music, and information

Arthur wrote recently about an NYT article about dangers of the iPhone. The NYT has a bizarre policy about articles which makes them available for only a few days, so likely you’ll have to take my word about that article. I liked this article a lot because it mentions eMusic. I’m an eMusic customer and […]

 

Jim Gray Missing, please help

[Updated: This has somehow come to #3 on Google. The best place for up to date news is the Tenacious Search blog.] On Sunday, January 28th, 2007, Jim Gray, a renowned computer scientist was reported missing at sea. As of Thursday, Feb. 1st, the US Coast Guard has called off the search, having found no […]

 

Friday Phish Blogging: Bank of America

Today’s Friday Phish blogging comes to you pretending to be from Bank of America: It appears here in our system that you or a wrong person is usually trying to log into your account, in nine differnt occasions have you or (person) provided us a nearly correct answer to your site-key challenging question, of which […]

 
 

Dave Molnar, Call Matt Blaze

Dave Molnar has some good comments on ‘Stolen ID Search.’ He writes, starting with a quote from “ben:” “I can’t believe you are advocating typing your ssn or credit card into a mystery box.” That’s “ben”, commenting at TechCrunch on Stolen ID Search, a service from Trusted ID that will tell you if your social […]