Shostack + Friends Blog Archive


Privacy Policy

“Among other changes, the revisions to our Privacy Policy may have changed your preferences for receiving postal mailings from Alaska Airlines and its partners.” Now that’s the power of policy! Photo, text from “Privacy policy update from Alaska Airlines, received March 24, 2007” by JasonJT, on Flickr. He has great outraged commentary.  


Worst Breach Ever?

There are a lot of headlines about how the TJX “Data Theft Grows To Biggest Ever” (Washington Post). The trouble is, that claim is wrong, and it’s wrong even amended to “Biggest reported ever.” The biggest reported theft of personal data is Scott Levine’s theft of over a billion records from Acxiom. As the Department of […]


The Sky Is Not Falling–What Can We Learn?

I’d like to respond to two questions posted to my “Security Breaches Are Good For You” post. Antonomasia writes “there are security events other than customer data disclosure – any thoughts on how those can be subjected to evidence-based assessment?” Blivious writes: “What about other kinds of breaches? The apparent moral standard only applies to […]


Names Don’t Matter, Accountability Does

Riffing on what Arthur has said, I’ll take a slightly different exception to Mike Rothman’s rant on anonymity. Kathy Sierra’s been treated pretty shabbily. The problem isn’t anonymity, it’s a lack of accountability. These people are behaving unacceptably, and we don’t know who they are. However, there are cases where people have acted in similarly […]


Security Breaches Are Good for You: My Shmoocon talk

At Shmoocon, I talked about how “Security Breaches are Good for You.” The talk deviated a little from the proposed outline. I blame emergent chaos. Since California’s SB 1386 came into effect, we have recorded public notice of over 500 security breaches. There is a new legal and moral norm emerging: breaches should be disclosed. […]


On Anonymity

So Mike Rothman thinks that anonymity is for cowards: During the discussion last night, one guy pointed out that sometimes things are too sensitive or controversial or unpopular to say, so anonymity allows folks to do that. I call bullshit on that. Anonymity is the tool of a coward. And while I agree with Mike […]


Portuguese Got to Australia in 1522

Portuguese seafarer Christopher de Mendonca led a fleet of four ships into Botany Bay in 1522. No one noticed before because the map was oriented wrong when it was copied. This is a nice article from news.com.au.


Holding a Lighted Brand up to Damage

Adam comments on some breach commentary, and quotes Nick Owen saying that breaches are a sign of incompetence. I can’t let this stand un-commented-upon. I believe that that is a dangerous comment, and one that needs to be squashed early. It’s like saying that a bug tracking system with lots of bugs in it is […]


Breaches and Brand Damage

Tim Erlin runs some numbers in “Is Brand Damage a Myth” at Ncircle, and Nick Owen follows on with some diplomatically presented thoughts in “Brand Damage, Stock Price and Cockroaches:” My theory is that information security breaches are an indicator of a lack of management competence. Moreover, as discussed previously, information security breaches are […]


Privacy's Other Path

Dan Solove writes: Professor Neil Richards (Washington University School of Law) and I have posted on SSRN our new article, Privacy’s Other Path: Recovering the Law of Confidentiality, 96 Georgetown Law Journal __ (forthcoming 2007). The article engages in an historical and comparative discussion of American and English privacy law, a topic that has been […]


Thumbing A Ride…

The DailyBreeze tells us about how Lorna Herf discovered South Bay BMW in Torrance’s sales policy of “No fingerprint, no car.” The dealership claims that this is an effort to prevent identity theft, though how this would help the customer is unclear. Additionally, this effort is being actively supported by the sheriff’s office. I think […]


A Different X-Box Hack

Back in the day, I was a member of FIRST. (Btw, rumor has it Chris and Adam are presenting at their annual conference this summer). At the time, one of the more prolific posters to the mailing list was Robert Hensing from Microsoft (Adam, if you haven’t met Rob, you should look him up). Anyways, […]


DoS == Vulnerability?

I think that a Denial of Service condition is a vulnerability, but lots of other people don’t. Last week Dave G. over at Matasano posted a seemingly very simple explanation that nicely sums up the way I’d always been taught to think about these sorts of issues: The ability to halt or shutdown most modern […]


Off to Shmoocon!

Where I’ll be explaining that “Security Breaches are good for you.” Come see me speak at 5 PM on Friday. It’ll be … entertaining.


Why BitLocker Won't Help Most Companies

A couple of weeks ago, Mike Rothman linked to an article by George Ou about using EFS and BitLocker under Vista. There he made an extraordinary claim: Since BitLocker won’t encrypt additional hard drive volumes, whether they’re logical partitions on the same physical disk or additional disks, you must use EFS to encrypt those volumes […]


From the Heresy Desk

Before Bruce Schneier started using the term, “Security Theatre” was a term I heard from what I call Real Security People. I was designing a security-oriented NOC, and I interviewed people who built secure sites for a couple of governments, banks, and others. They said that what The Adversary thinks you can do is more […]


Anarchy in the UK?

Via Silicon Strategy, we learn that “Pressure grows for UK data loss disclosure:” The UK is in desperate need of revisions to laws that govern the disclosure of information relating to data loss or theft, according to security experts. Currently UK organisations that lose sensitive customer or employee data, or expose it to others, do […]


Ptacek scores, Pre-Blogging Department with the assist!

Matasano’s Thomas Ptacek had a Groucho-like reaction to being included as a “Top 59” infosec influencer in ITSecurity.com’s recent list. EC’s Pre-Blogging Department was initially caught flat-footed on this, but predicted in an update that Tom’s view would gain traction. And it has. Meanwhile, Mark Curphey has stirred the pot by leaving the Security Bloggers’ […]


Backus Having Drinks with Hopper

John Backus, leader of the Fortran team, has died at the age of 82, according to The New York Times. Fortran itself celebrates its fiftieth birthday this year, and you can still write it in any other language, even Haskell. Even Lisp. Back in the days when I would rather have died than work for […]


Emerging at the Intersection of Art and Commerce

I never really thought much of Hamilton, either. I’m glad this wasn’t done on one of the New Ten Dollar bills. If it was, the Constellation EURion might have prevented me from scanning it for your amusement. (Today, that “feature” is mostly in copiers, but expect it to spread.) In other looking at money news, […]


If I Screw Up, It’s Your Fault!

I can’t help but wonder how many bits have died to hold disclaimers like this one: This message is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure. If you are not the intended recipient you are […]


"You Don’t Need to See His Identification"

Well, here we are, on a list of top influencers in information security, and we’ve barely said welcome to any new readers! Welcome! If you’re just showing up, we’d like to influence you to understand that identification rarely solves security problems by itself. I posted “You Don’t Need to See His Identification,” using a famous […]


We're number 18, but we try harder…

Adam (or perhaps EC?) is one of the top 59 infosec influencers, sayeth itsecurity.com. Cool. 18. Adam Shostack http://www.emergentchaos.com/ Emergent Chaos is a group blog on security, privacy, liberty and economics – a self-declared “Emergent Chaos jazz combo of the blogosphere.” While the EC bloggers tend to drift off topic with political posts, they […]


Dating & Background Checks in China

Shimrit sends in this Shanghai Daily story, “Matchmaking site works to cut down deception:” A LEADING Chinese matchmaking Website is to check the age, marital status and other personal details of prospective cyber daters against an official database to prevent deception. Beginning today, Baihe.com will screen its eight million online daters against an ID authentication […]


Reports on Reporting, Compliance

University of Washington researchers Kris Erickson and Philip Howard have an interesting new paper out, “A Case of Mistaken Identity? News Accounts of Hacker and Organizational Responsibility for Compromised Digital Records, 1980–2006.” This is a great survey of the dramatic explosion in reports of breaches. A couple of great quotes: One important outcome of […]


Mommas, Don’t Let Your Babies Grow Up to be County Clerks

At first blush, it seems that an emergency bill in Texas that exempts clerks from state and Federal law about data breaches is a bad thing. However, with closer reading, it looks more like a correction for that pesky old law of unintended consequences. On 23 Feb, the Texas Attorney General ruled that disclosing Social […]


Ignorance is Strength

Via a Stitch in Haste, we learn about more members of the ‘sweep it under the rug’ club: David Oliver Burleson, 49, an anesthesiologist whose license was suspended for two years in October 2005 … acknowledged to the Oregon Board of Medical Examiners that he inappropriately touched women whom he had sedated before surgery. The […]


"Terrorists Proving Harder to Profile"

…terrorism suspects from atypical backgrounds are becoming increasingly common in Western Europe. With new plots surfacing every month, police across Europe are arresting significant numbers of women, teenagers, white-skinned suspects and people baptized as Christians — groups that in the past were considered among the least likely to embrace Islamic radicalism. The demographics of those […]


Dating and Background Checks in the UK

My friend Shimrit saw Cluechick’s post on dating (“Emerging Dating Paranoia”) and wanted to add a bit herself. She works for the UK’s biggest online dating provider. She has a new book coming out, and a blog at “Everyone’s Guide to Online Dating.” She writes: With all the current craziness surrounding online dating background […]


"Voluntary" ID Cards

Anybody who objects to their personal details going on the new “Big Brother” ID cards database will be banned from having a passport. James Hall, the official in charge of the supposedly-voluntary scheme, said the Government would allow people to opt out – but in return they must “forgo the ability” to have a travel […]


"ist nicht verfügbar"

So we had some random DNS trouble recently. I believe everything should be back to normal, but DNS issues can take a while to propagate and be fixed. So apologies for the non-availability. We’ve made procedural changes to make these less likely in the future. Oh, and we lost the SSNs of everyone who had […]


Dennis Lormel's Authoritarian Streak

In a post at the Counter-terrorism blog, “National Security Letters…An Important Investigative Tool for the FBI” Dennis Lormel writes: The Inspector General (IG), U.S. Department of Justice, has issued a report delineating audit findings identifying significant deficiencies in NSL recordkeeping and reporting processes. This determination is quite troubling and inexcusable. Troubling and inexcusable? Well, you’d […]


Power Tends to Corrupt

The Justice Department’s inspector general has prepared a scathing report criticizing how the F.B.I. uses a form of administrative subpoena to obtain thousands of telephone, business and financial records without prior judicial approval. The report, expected to be issued on Friday, says that the bureau lacks sufficient controls to make sure the subpoenas, which do […]


If It feels so wrong, how can it be so right?

Emacs users get addicted to the standard key bindings (which are also available in Cocoa apps). Microsoft Word doesn’t support these by default, but you can add them through customization. Here are the ones I find most useful: StartOfLine: Control-A EndOfLine: Control-E To set these up in Word… …you’ll have to read “Add emacs key […]


Choicepoint’s Error Rate

Choicepoint regularly claims a very low rate of errors in their reports. In the Consumer Affairs story, “Choicepoint gets a Makeover,” Choicepoint President Doug “Curling claims his company has a less than 1/10th of 1 percent error rate.” Now WATE in Knoxville, TN, reports that “Anderson Co. man finds credit report error:” At his insurance […]


Privacy Fears Come True, Again

Two reports in the New York Times: “Driver’s License Emerges as Crime-Fighting Tool, but Privacy Advocates Worry” and “Warnings Over Privacy of U.S. Health Network.” Naturally, we’ll have that sorted out by the time the system ships. No reason for you to be worried that your health records will be automatically scanned to see if […]


Responsible Disclosure and Months of Bugs

I had promised myself that I wasn’t going to post about any of the Month of Bugs projects and that everything that needed saying had been said by people far more eloquent than I. But then Michael over at MCW Research came at it from a different angle saying: I whole-heartedly back these projects as […]


Emerging dating paranoia

When Adam asked me to guest blog on “Dinner, Movie — and a Background Check — for Online Daters”, I promised him I would do it. And then I read the article and couldn’t think of what to say about it. I’m something of a self-proclaimed expert on internet hookups (as anyone who reads ClueChick, […]


"Free the Grapes" Externalizes Risk

Or so “Shipcompliant” would have us believe, with a blog post entitled “Free the Grapes! Updates Wine Industry Code for Direct Shipping Practices.” The new addition to the Code is step 4, which specifies that wineries should verify the age of the purchaser of the wine at the time of transaction for all off-site transactions […]


Chaos and Piracy on the High Seas

“This repo man drives off with ocean freighters” “I’m sure there are those who would like to add me to a list of modern pirates of the Caribbean, but I do whatever I can to protect the legal rights of my clients,” said Hardberger, whose company, Vessel Extractions in New Orleans, has negotiated the releases […]


Iggy Pop on Chaos

[Iggy] wouldn’t tell me who he was talking about specifically, he said, but he believes that the rock business is too big, run by people who know nothing about it. Wasn’t that always the case? “No,” he said, decisively. “The people I met at the top in 1972 tended to be crackpots from the fringes […]


DST is Coming, Run For Your Lives!

In a week, the US and Canada are changing when they go to Daylight Savings Time. It must also be a slow news time, because I’ve read several articles like this, “Daylight-Saving Time Change: Bigger than Y2K?” When Y2K came around, a number of us quoted Marvin the Martian (now of the Boston […]


No RFID In Real ID

So DHS finally released the proposed new standard for driver’s licenses as mandated under the Real ID Act. It’s a rather long document (over 150 pages) so I haven’t had a chance to read the whole thing, but 27B Stroke 6 has some highlights, including: While some expected Homeland Security to require the licenses to […]


More On Secure Banking

Continuing our tradition of bringing you the news before it’s fit to print, Chris covered “The Emperor’s New Security Indicators” in “Why Johnny Can’t Bank Safely.” Don’t miss Andrew Patrick’s “Commentary on Research on New Security Indicators,” Alan Schiffman’s “Not The Emperor’s New Security Studies,” or Alex’s “Bad Studies, Bad!” As an aside, Chris used […]