Shostack + Friends Blog Archive

 

Quantum Cryptography Cracked!

Nature reports that, “Simulation proves it’s possible to eavesdrop on super-secure encrypted messages.” A summary of the attack is that the attacker instigates a quantum entanglement of properties of the photons so that they can infer the information (encoded in polarization) by measuring the entangled property (like momentum). It isn’t a real attack, but as […]

 

A Market To Be Tapped

I’ve often talked about how people will pay for privacy when they understand the threat. In that light, the New York Times article “Phone Taps in Italy Spur Rush Toward Encryption” is fascinating: Drumming up business would seem to be an easy task for those who sell encrypted cellphones in Italy. All they have to […]

 

WOOT! Looks Exciting

Via Nate, “WOOT = Usenix + Blackhat:” The call for papers is now up for a new Usenix workshop, WOOT (Workshop On Offensive Technologies, but don’t think the name came before the acronym.) The workshop will be co-hosted with Usenix Security and will focus on new practical attacks. I was recently saying that vulnerability research […]

 

Announcing…The Security Development Lifecycle Blog

My team at work announced the launch of “The Security Development Lifecycle” blog today. After the intro post, Michael Howard leads off with “Lessons Learned from the Animated Cursor Security Bug.” I’m pretty excited. We’re focused on transparency around what we’re learning as we continue to develop the SDL.

 

Security Through Stupidity

In my last post on security, I promised a tale, and I ought to deliver on that before it becomes nothing more than a good intention. Some time ago, so long ago that it no longer matters, I bought a piece of network stereo equipment. It was one of these little boxes that lets you […]

 

Gartner Discovers Offshoring

According to CIO Forum, Gartner has discovered some amazing things. There’s offshoring to India, and it’s growing at a “staggering” 16% per year. And lots of manufacturing is being done in China now. And the US better wake up ASAP because it is “in imminent danger of becoming an industry of failure.” This is a […]

 

One Third of McAfee Survey Respondents Are Not Paying Attention

So reports Sharon Gaudin in Information Week. Actually, I think she picked up the story as McAfee spun it: “Companies Say Security Breach Could Destroy Their Business:” One-third of companies said in a recent poll that a major security breach could put their company out of business, according to a report from McAfee. The security […]

 

Save Chocolate

“Don’t Mess With Our Chocolate,” says Guittard. Summary: the FDA is considering changing the definitions of “chocolate” and “chocolate flavored” and “chocolaty” so that they don’t have to put as much cocoa solids in it to make it be “chocolate.” The FDA is soliciting comments, and the cutoff is April 25, so that’s not much […]

 

When Do Customers Flee?

So I’ve long thought that consumers treat breaches as mistakes, and generally don’t care. In reading the Ponemon reports, it seems that the average customer churn is 2%. (I’ll come back to that number.) But it gets worse when you have repeated breaches. In the CSO blog, “What, When and How to Respond to a […]

 
 

Disclosure, Discretion and Statistics

One of the very interesting things about mandatory disclosure of breaches is that it adds a layer of legitimacy to the data. If all we have are self-selected reporters, we must investigate what bias that adds. This makes the FBI-CSI report and many others even less useful. New laws that require disclosure give us not […]

 

Buy Gas, Get Busted for Pedophilia?

The BBC reports “Motorists hit by card clone scam:” Thousands of motorists who use a bank card to buy petrol are thought to have lost millions of pounds in an international criminal operation. It is believed cards are being skimmed at petrol stations, where the card details and pin numbers are retrieved and money withdrawn […]

 

On Liquid Explosives

Wired’s Danger Room blog has an interesting quote from the inventor of a liquid explosive in “‘Liquid Landmine,’ Qaeda Tool?:” My advice would be to stick with PETN [a high explosive] and rattlesnakes.

 

"What security people won't share with each other"

Scott Blake has a really interesting 3-part podcast interview with Mike Murray. See Mike’s post, “it never ceases to amaze me what security people won’t share with each other,” and go understand why you should give Scott a demerit. (I’d meant to post this months ago, when Scott did the interview. Oops!)

 

Users force Dell to resurrect XP

The Beeb reports. This means that if you want to start speculating in copies of XP, you probably have even longer to wait.

 

Weak Crypto Contest

The 2007 Underhanded C Contest has a marvelous theme — weak crypto. The object of this year’s contest: write a short, simple C program that encrypts/decrypts a file, given a password on the command line. Don’t implement your own cipher, but use a bog-standard strong cipher from a widely available library. […] Your challenge: write […]

 

Credentica White Paper & Presentation

The title of Stefan Brands’ blog post, “New Credentica white paper and other materials,” pretty much says it all. If you think about identity management, you should go check these out. Our white paper discusses all of the features of the U-Prove SDK without going into technical detail. The basic features are: transient ID Tokens; […]

 

Frontiers of Data Disclosure

Howard Schmidt made a glib suggestion that made me laugh, but he has a point. He asked why don’t we just take names, social security numbers, and everyone’s mother’s maiden name and put it in a huge searchable database, so everyone knows that it’s not security information and we can once and for all stop […]

 

More on Crappy Credit Reports

In October, 2006, I commented on the story of a man in Arcata, California whose credit report bizarrely includes a claim he’s the son of Saddam Hussein. (“The Crap in Credit Reports”) Now, via Educated Guesswork, “If OBL can buy a used car, the terrorists have won” we learn of a fellow who can’t buy […]

 

Month of Owned Corporations

Richard Bejtlich points to a very dangerous trend in his TaoSecurity blog, the “Month of Owned Corporations”: Thanks to Gadi Evron for pointing me towards the 30 Days of Bots project happening at Support Intelligence. SI monitors various data sources to identify systems conducting attacks and other malicious activity. Last fall they introduced their Digest […]

 

Micropayments Company Bought or is that Sold?

Micropayments company Peppercoin, started with technology by Rivest and Shamir, has been bought by Chockstone, a company doing loyalty programs. Supposedly, they bought Peppercoin because it will “increase consumer ‘stickiness’ and brand affinity” and “increase average ticket price more than 12%.” Okay…. I thought that the reason for bearer-level micropayments was the opposite. Right here […]

 

Psychology & Security & Breaches (Oh My!?)

I’ve been talking about disclosure, and how it has the potential to change the way we work. Before it does that, it needs to change the way we think. Change is hard. There’s a decent argument that many things are the way they are because they’ve emerged that way. There existed a froth of competing […]

 

Bejtlich gets it: It's about empiricism

When he mentioned my post he cited a new paper titled “A Case of Mistaken Identity? News Accounts of Hacker and Organizational Responsibility for Compromised Digital Records, 1980–2006” by Phil Howard and Kris Erickson. Adam highlighted this excerpt, “60 percent of the incidents involved organizational mismanagement,” as a way to question my assertion that insiders […]

 

The Visual Display of Quantitative Lawsuits

So the Boston Globe has this chart of who’s suing whom over failures in the “Big Dig:” (Click for a bigger version) What I find most fascinating is that it’s both pretty and pretty useless. Since just about everyone is suing everyone else, what would be perhaps more interesting is a representation of who’s not […]

 

Bad Advice on Tax Shelter Patents

Techdirt carries marvelous coverage of the increasing devolution of our intellectual property system. However there is some bad advice in “Be Careful Not To Use Any Patented Tax Shelters This Tax Season.” The bad advice is in the last sentence: So as we get to tax day, besides going over all your tax forms and […]

 

How Long To Be Identified?

Today I spent nine (9) (no, that’s not a typo) hours in line to apply for a passport. What happened was, since the U.S. changed the rules to say everyone’s gotta have a passport, a lot of Americans and Canadians who were used to going back and forth between the countries suddenly needed passports, and […]

 

Investment Opportunity of the Year

El Reg reports that Microsoft claims to be sticking to its timetable for shutting down XP. No fewer than three people told me yesterday, “This means I have to buy that Mac Book Pro this year.” They can’t be alone. I have several co-workers running Vista on laptops, and even without the overhead of […]

 

Your Bribe, Should You Choose to Accept It

In the secret language of corruption in India, an official expecting a bribe will ask for Mahatma Gandhi to “smile” at him. The revered leader of the independence movement is on all denominations of rupee notes. With rampant dishonesty ingrained in the bureaucratic culture, an anticorruption group has decided to interpret the euphemism literally by […]

 

From The "Wish I'd Posted That" Files

Gunnar (as usual) has a great post highlighting the lack of a real cohesive strategy in the security products arena and IT security teams losing sight of the big picture. In particular, he highlights a comment from Andrew van der Stock about using SMS as an out of band authentication mechanism. Man I wish I’d […]

 

On Credit Cards and Being Behind

Just a quick note–you’ve convinced me that my thoughts on credit cards were wrong. (“The Cost of Disclosures, and a Proposal.”) Iang, rG0d and Nick are right. I should have remembered that disclosure is a moral imperative. I’ve also enjoyed the debate with Ken Belva, and will have one final closing post to respond to […]

 
 

New Hampshire joins the club

The Granite State requires that security breaches involving PII be reported to the Attorney General: Any person engaged in trade or commerce that is subject to RSA 358-A:3, I shall also notify the regulator which has primary regulatory authority over such trade or commerce. All other persons shall notify the New Hampshire attorney general’s office. […]

 

UK Story On Breaches and Silence

IT Week in the UK writes, “Companies keep silent on data breaches.” There are a couple of interesting quotes: Jonathan Coad, a media specialist at law firm Swan Turton, said newsworthy breaches are often leaked to the press. “Reporting crime to the police is a double-edged sword as invariably the press has found out about […]

 

Daft Bloggers’ Code of Conduct

Tim O’Reilly with the help of others has posted a “Draft Blogger’s Code of Conduct” in reaction to l’affaire Sierra. Forgive me the pedantry, but I’ve corrected the plural in my derivative topic line above. There have been other comments about this in many other places. I’m not a friend of Sierra’s, but I have […]

 

Disclosure Laws, State-by-State

Philip Alexander writes in Intelligent Enterprise about “Data Breach Notification Laws: A State-by-State Perspective.” The article is short and readable, and points to his new book, which is likely a good read.

 

The Cost of Disclosures, and a Proposal

So there’s a spectre haunting my arguments for disclosure, the spectre of cost. I’m surprised none of my critics have brought it up yet. Mailing notices to people, and handling their questions can be expensive. When the personal data being lost is a credit card number, I don’t care that much. When it’s medical data, […]

 

See, it can be done

I’ll keep this short since you should all be reading Mordaxus’ latest, not this, but speaking of data… This breach report [pdf] from Community National Bank wasn’t sent to consumers, but you can’t say it was short on details.

 

Cleaning Up

If you haven’t read Steven Johnson’s The Ghost Map, you should. It’s perhaps the most important book in print today about the next decade of computer security. John Snow was a physician who was a pioneer in anaesthesia who turned his attention to cholera when the worst epidemic hit the London where he lived in […]

 

Replacing Evite

So I hate Evite, even when it brings me to cool parties. You know who you are. Encouraging my friends to enter social network information, and then using it to contact me feels tremendously invasive. Failing to understand that annoys me. Their lame privacy policy infuriates me. Their success at co-opting my friends to sucking […]

 

Three on Information Sharing

The New York Times has a story, “Teaching the Police to Stay a Step Ahead of Car Theft:” The police have traditionally kept such conversations quiet, fearing they could tip off aspiring thieves. Mr. Bender’s mission is to bring investigators into the digital age and get them to share information, just as their adversaries are […]

 

Phriday Phish Blogging: Randomly Flagged

One of the things I really appreciate about phishing is that we pay people to discover the zeitgeist and share it with us. There’s little spam advertising fallout shelters or other ways to deal with the Red Menace. I rarely see advocacy about bimetallism in the currency in my inbox. We see what we see […]

 

We Have Nothing to Fear But Fear Itself

So Ken Belva suggests that we should cordially agree to disagree. (“My Response to Adam Shostack’s Reply on Transparency & Breaches”) I’m happy to be cordial, but I feel compelled to comment on his response. Before I do, I should be clear that I have respect for Ken as a professional, and as someone willing […]

 

Another Side Of Copyright

These days when you read an article about copyright that involves students, it also involves the RIAA or the MPAA. This article in the Chronicle of Higher Education, on the other hand, is about two high-school students taking on Turnitin. The students specifically asked that certain papers of theirs not be included in Turnitin’s database […]

 

How to Allocate Resources

The other day, I wrote: I also don’t buy the bad management argument. Allocating resources to security is an art, not a science. I’ll offer up a simple experiment to illustrate that shortly. So here’s the experiment. It works better in person than in blog comments. Ask two experts to write down how they’d allocate […]

 

UK NHS & Disclosure: A Moral Imperative Example

From Silicon.com, “Pressure grows for UK data loss disclosure:” As a spokeswoman for the Information Commissioner’s Office told silicon.com last year: “There is nothing in the Data Protection Act that legally obliges companies to inform customers when these things occur.” But, from the BBC, “Children’s details taken in theft:” Health bosses in Nottinghamshire have issued […]

 

Stop REAL-ID From Wasting Real Money and Liberty

Welcome to the Stop Real ID Now blog. Not surprisingly, we’ll be talking a lot here about the Real ID Act of 2005… and more specifically about an activism campaign that will use the power of blogs, social networks and art as well as creating partnerships and using media outreach to, we hope, stop the […]

 

Response to Ken Belva on Transparency & Breaches

Over at bloginfosec, Ken Belva takes issue with my claim that “security breaches are good for you,” in the aptly titled “Why security breaches are still bad for you…” His summary and response are well thought out, and I’d like to respond to a few of his points. This is a long post because I […]

 

TJX Commentary

I keep trying to avoid commenting on TJX, and keep getting drawn back in. The amount of news and analysis out there is large, and I’m selecting islands in the clickstream. (Any advice on who’s covering it well would be appreciated.) In “TJX Lawsuits — 45 Million Credit Cards,” Pete Lindstrom mentions that there are […]

 

Secure Flight @ Home

Prof. R. H. Anssen of the University of Florence, Colorado working under a Department of Homeland Security Advanced Research Projects grant has released a new paper discussing improvements to SecureFlight that make it much more scalable, while adding in grid-computing and privacy-friendly aspects as well. Expanding upon the ideas of K. P. Hilby and J. […]