Shostack + Friends Blog Archive

 

86%: Would you buy an IDS this good?

A number of commenters on yesterday’s post, “Noh Entry: Halvar’s experience and American Legalisms,” are taking me to task for being idealistic about rule of law. I agree strongly with what Nicko wrote in the comments: [C]ountries are at liberty to apply “complex, stupid, and completely arbitrary” rules but one of the fundamental tenets of […]

 

Noh Entry: Halvar’s experience and American Legalisms

He writes: It appears I can’t attend Blackhat this year. I was denied entry to the US for carrying training materials for the Blackhat trainings, and intending to hold these trainings as a private citizen instead of as a company. A little background: For the last 7 years, I have attended / presented at the […]

 

Maybe if I yell at you, you'll trust in what I'm saying

Tourists visiting the White House must now adhere to a dress code which bans jeans, sneakers, shorts, miniskirts, T-shirts, tank tops, and flip-flops. Since this is an extremely important rule, signs were posted and emails sent to White House staff (writes Al Kamen in the Washington Post). A telling detail, per the WaPo: The e-mail reminder […]

 

Camouflage as Security

This is a new twist on an old trick. SFGate reports in “‘I didn’t eat and I didn’t sleep’ — Coin dealer flies dime worth $1.9 million to NYC” that coin dealer John Feigenbaum transported a $1.9M rare coin (an 1894-S dime) from its previous owner, Daniel Rosenthal, who lives in the Bay Area, to […]

 

System Admin Appreciation Day

…is today, July 27. Pizza and beer retailers are standing by, much as florists do on Valentine’s Day. You know what to do.

 

Help EFF Analyze Formerly Secret FBI Docs

In “Help EFF Examine Once-Secret FBI Docs,” the folks at EFF ask for your help doing what Congress won’t: engaging in oversight of our civil servants. We’ve already started scouring newly-released documents relating to the misuse of National Security Letters to collect Americans’ private information. But don’t let us have all the fun — you, too, […]

 

Metricon 2.0 Registration Closes Friday

Metricon 2.0 looks to be a great set of papers. I’d tell you what I’m looking forward to, but really, I’m looking forward to the whole day. And it’s only $225, but you have to register by Friday.

 

Full Disclosure debate, 2.0

A poor choice of names (I guess “best UNIX editor” was their second choice), but Silicon.com is doing something that seems worthwhile by launching their Full Disclosure Campaign. Silicon.com wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors. We are calling […]

 

The first salami attack?

A salami attack is when you take a very small amount of money from an awful lot of accounts. The canonical example is a bank programmer who, when interest is computed and rounded down to whole cents, sweeps the leftover sub-cent fractions from every account into a special account of his own. No individual customer notices a fraction of a cent, but across the whole ledger these rounding errors add up. I’m trying to find the first actual documented theft or attempted theft using this attack. […]
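As an added illustration (this is not from the post, and the ledger, balances and rate are constructed), here is the mechanism in a few lines of Python, beside the control that catches it: recompute every credit independently from the account’s own balance and flag any posting the balance cannot explain. Each customer’s statement in the crooked run is correct to the cent; only the reconciliation shows the skim account receiving money it earned no interest on.

```python
from decimal import Decimal, ROUND_DOWN

CENT = Decimal("0.01")
DAYS_PER_YEAR = Decimal(365)

# Constructed sample ledger: 10,000 accounts with deterministic balances.
BALANCES = {f"A{i:05d}": Decimal(100 + (i * 7919) % 4000) for i in range(10_000)}
RATE = Decimal("0.03")          # 3% per year, credited daily


def daily_interest(balance, annual_rate):
    """Exact (untruncated) interest owed for one day."""
    return balance * annual_rate / DAYS_PER_YEAR


def post_interest(balances, annual_rate, skim_account=None):
    """Credit one day's interest to every account, truncated to whole cents.

    Honest run: the dropped sub-cent fractions are simply not credited.
    Salami run (skim_account set): the fractions are accumulated and the
    whole cents they add up to are credited to skim_account, which holds
    no balance of its own.  Returns {account: amount credited}.
    """
    posted = {}
    residue = Decimal(0)
    for acct, bal in balances.items():
        exact = daily_interest(bal, annual_rate)
        credited = exact.quantize(CENT, rounding=ROUND_DOWN)
        posted[acct] = credited
        residue += exact - credited
    if skim_account is not None:
        skim = residue.quantize(CENT, rounding=ROUND_DOWN)
        posted[skim_account] = posted.get(skim_account, Decimal(0)) + skim
    return posted


def audit(balances, annual_rate, posted):
    """Independent recomputation: derive each credit from the account's own
    balance and flag every posting that does not match.  The skim account
    shows up here because its balance (zero) explains none of its credit.
    Returns {account: (expected, actually_posted)} for the mismatches."""
    anomalies = {}
    for acct, got in posted.items():
        expected = daily_interest(balances.get(acct, Decimal(0)), annual_rate)
        expected = expected.quantize(CENT, rounding=ROUND_DOWN)
        if got != expected:
            anomalies[acct] = (expected, got)
    return anomalies


if __name__ == "__main__":
    clean = post_interest(BALANCES, RATE)
    crooked = post_interest(BALANCES, RATE, skim_account="PROGRAMMER")
    print("honest run anomalies:", audit(BALANCES, RATE, clean))
    print("salami run anomalies:", audit(BALANCES, RATE, crooked))
    print("skimmed in one day:", sum(crooked.values()) - sum(clean.values()))
```

The check works because the skim account’s credit cannot be derived from its own balance; the same reconciliation also catches a variant that rounds customers down by more than the true fraction, since then the customer postings themselves fail to match.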

 

Canon Says Over 50% of Cameras Repaired in First Three Years

In the Times Online article, “Digital DNA could finger Harry Potter leaker,” we learn that the person who leaked photos of the last Harry Potter novel has yielded up the serial number of their camera, which was in the metadata of the pictures they took. From this, we learn that it was a Canon, likely […]
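To make the metadata point concrete, here is an added example (not from the post or the Times article) that builds a minimal JPEG whose Exif block carries a camera make and the standard BodySerialNumber tag (0xA431, defined in Exif 2.3), reads the serial back out with a hand-rolled TIFF/IFD parser, and strips the Exif segment, which is the step to run before publishing. The file is constructed: it has marker segments but no image data. Cameras older than Exif 2.3, Canon bodies of 2007 among them, typically record the serial inside the vendor MakerNote instead; that proprietary blob is not decoded here, but it lives in the same APP1 segment and is removed by the same strip.

```python
import struct

# Tag numbers from the TIFF/Exif specifications: Make and the pointer to the
# Exif IFD live in IFD0; BodySerialNumber (Exif 2.3) lives in the Exif IFD.
TAG_MAKE, TAG_EXIF_IFD, TAG_BODY_SERIAL = 0x010F, 0x8769, 0xA431
TYPE_ASCII, TYPE_LONG = 2, 4
EXIF_MAGIC = b"Exif\x00\x00"


def _ascii_entry(tag, data, next_off):
    """12-byte IFD entry for an ASCII value plus its out-of-line bytes.
    TIFF stores values of 4 bytes or fewer inside the entry itself."""
    if len(data) <= 4:
        return struct.pack("<HHI", tag, TYPE_ASCII, len(data)) + data.ljust(4, b"\x00"), b""
    return struct.pack("<HHII", tag, TYPE_ASCII, len(data), next_off), data


def build_exif_jpeg(make, serial):
    """Constructed sample: SOI, one APP1/Exif segment, EOI, no image data.
    Little-endian TIFF; offsets are relative to the TIFF header."""
    make_b = make.encode("ascii") + b"\x00"
    serial_b = serial.encode("ascii") + b"\x00"
    ifd0_off = 8                                   # right after the 8-byte TIFF header
    exif_off = ifd0_off + 2 + 2 * 12 + 4           # IFD0: count, two entries, next-IFD link
    data_off = exif_off + 2 + 1 * 12 + 4           # Exif IFD: count, one entry, link
    make_entry, make_data = _ascii_entry(TAG_MAKE, make_b, data_off)
    serial_entry, serial_data = _ascii_entry(TAG_BODY_SERIAL, serial_b, data_off + len(make_data))
    tiff = b"II" + struct.pack("<HI", 42, ifd0_off)
    tiff += struct.pack("<H", 2) + make_entry
    tiff += struct.pack("<HHII", TAG_EXIF_IFD, TYPE_LONG, 1, exif_off) + struct.pack("<I", 0)
    tiff += struct.pack("<H", 1) + serial_entry + struct.pack("<I", 0)
    tiff += make_data + serial_data
    app1 = EXIF_MAGIC + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _segments(jpeg):
    """Walk the marker segments before SOS/EOI: ([(marker, payload)], tail_offset)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    segs, pos = [], 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                 # EOI, or SOS (unframed scan data follows)
            break
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        segs.append((marker, jpeg[pos + 4:pos + 2 + length]))
        pos += 2 + length
    return segs, pos


def _read_ifd(tiff, off, bo):
    """Parse one IFD into {tag: (type, count, raw 4-byte value/offset field)}."""
    (n,) = struct.unpack_from(bo + "H", tiff, off)
    entries = {}
    for i in range(n):
        e = off + 2 + 12 * i
        tag, typ, count = struct.unpack_from(bo + "HHI", tiff, e)
        entries[tag] = (typ, count, tiff[e + 8:e + 12])
    return entries


def _ascii_value(tiff, entry, bo):
    typ, count, raw = entry
    if typ != TYPE_ASCII:
        return None
    if count <= 4:                                 # short values are stored inline
        data = raw[:count]
    else:
        (off,) = struct.unpack_from(bo + "I", raw)
        data = tiff[off:off + count]
    return data.split(b"\x00", 1)[0].decode("ascii", "replace")


def camera_identity(jpeg):
    """Return (make, body serial) from the Exif block, or (None, None)."""
    for marker, payload in _segments(jpeg)[0]:
        if marker != 0xE1 or not payload.startswith(EXIF_MAGIC):
            continue
        tiff = payload[len(EXIF_MAGIC):]
        bo = "<" if tiff[:2] == b"II" else ">"     # byte-order mark: II or MM
        magic, ifd0_off = struct.unpack_from(bo + "HI", tiff, 2)
        if magic != 42:
            raise ValueError("bad TIFF header")
        ifd0 = _read_ifd(tiff, ifd0_off, bo)
        make = _ascii_value(tiff, ifd0[TAG_MAKE], bo) if TAG_MAKE in ifd0 else None
        serial = None
        if TAG_EXIF_IFD in ifd0:
            (exif_off,) = struct.unpack_from(bo + "I", ifd0[TAG_EXIF_IFD][2])
            exif_ifd = _read_ifd(tiff, exif_off, bo)
            if TAG_BODY_SERIAL in exif_ifd:
                serial = _ascii_value(tiff, exif_ifd[TAG_BODY_SERIAL], bo)
        return make, serial
    return None, None


def strip_exif(jpeg):
    """Copy of the file with every APP1/Exif segment removed (MakerNote included)."""
    segs, tail = _segments(jpeg)
    out = bytearray(b"\xff\xd8")
    for marker, payload in segs:
        if marker == 0xE1 and payload.startswith(EXIF_MAGIC):
            continue
        out += b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload
    return bytes(out + jpeg[tail:])
```

Usage: `camera_identity(build_exif_jpeg("Canon", "1234567890"))` returns the make and serial; after `strip_exif` the same call returns `(None, None)`. Real files also carry XMP (APP1 with a different signature) and IPTC/Photoshop (APP13) blocks that can hold identifying data, so a publishing pipeline should drop every application segment it does not deliberately keep, not just the Exif one.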

 

Should we stop faking phishing data?

In “Stop with the fake phish data,” Justin Mason quotes an anonymous friend complaining about people dumping crap into phishing sites: Is there any way you can get the word out that dropping a couple hundred fake logins on a phishing site is NOT appreciated?? It creates havoc for those monitoring the drop since it’s […]

 

Hamster Wheel of Pain™, FOIA edition

So, the USDA messes up and, in response to FOIA requests directed to them about tobacco subsidies, sends records containing taxpayer ID numbers (along, one presumes, with names) to the several FOIA requestors. Meanwhile, an enterprising lad sends a FOIA request about data breaches to North Carolina — a state known for tobacco production. That […]

 

A Small Breath of Sanity in Airline Regs

The New York Times reports, in “U.S. Will Allow Most Types of Lighters on Planes,” that federal aviation authorities have decided to stop enforcing a two-year-old rule against taking cigarette lighters on airplanes, concluding that it was a waste of time to search for them before passengers boarded. The ban was imposed at the insistence of Congress […]

 

You can't spell "Really pointless flamefest" without R-O-I

Rich Bejtlich, with whom I do not want to argue about definitions unless I have a much thicker dictionary than he, has taken aim at the (mis?)use of ROI by security people. EC readers may be interested in a blog post by Ken Belva, in which the guy who literally (co)wrote the book on establishing […]

 

Other comments on the GAO Report

[Added July 21] Roger Grimes, “Identity theft? What identity theft:” Here’s my long-held feeling: If even one customer record is compromised, it should be immediately disclosed to the consumer. None of this, “You need 10,000 or more records stolen before it is reported” or “Only report if likely to be used in financial theft.” Forget […]

 

Analysis of GAO report “Personal Information Data Breaches are Frequent”

(Excerpts from a letter to Mr. David Wood of the GAO. The complete letter is here.) I am writing to you today to comment on your recent report, “Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited, However, the Full Extent Is Unknown” I found GAO’s report and its implied […]

 

Wretched Term of the Week: Best Practice

This is a peeve I learned from the great Donn Parker. The term “Best Practice” should be avoided. It is inaccurate, misleading, and self-defeating. Here’s why: Best is a superlative. By using it, one implies that there is a single choice that surpasses all others. Rarely is this the case in real life. Security gurus are […]

 

Emergent Chaos and Pirates

… pirate ships limited the power of captains and guaranteed crew members a say in the ship’s affairs. The surprising thing is that, even with this untraditional power structure, pirates were, in Leeson’s words, among “the most sophisticated and successful criminal organizations in history.” Leeson is fascinated by pirates because they flourished outside the state—and, […]

 

You can’t change your fingerprint

One of the most useful things you can do to protect your passwords is to change them regularly. This bounds the effect of many attacks which obtain your password, by various cracking techniques or by mistakenly entering it in the wrong place. After you’ve changed your password, the old one doesn’t do any good. This […]

 

What If The Hokey Pokey Is What It's All About?

I’ve always thought that folks in operations security and product security had a whole lot to learn from each other. Unfortunately for the product security people, they now also get to learn about the pain of vendors swooping down on them trying to sell them the latest and greatest crap. Last night, Mary Ann Davidson […]

 

Pseudonyms In The News

The Wall Street Journal reports that the CEO of Whole Foods, John Mackey, posted on the Yahoo! Finance board for Whole Foods under the pseudonym Rahodeb, which is an anagram of Mackey’s wife’s given name. (It’s also an anagram of “A Bread Ho,” but since the WSJ doesn’t stoop to that sort of cheap joke, […]

 

Wretched Word of the Week: Killer

The word “killer” gets used in two wretched ways. The first is Killer Application, and the second is product-killer. They’re each wretched in their own special way. It’s not only cliché to use each term, but in using it, you are nearly guaranteed to be wrong. The original killer application was Lotus 1-2-3. […]

 

The Greek Wiretapping Scandal

“The Athens Affair” is the story all the cool security bloggers are talking about. Now, when Matt Blaze, Bruce Schneier and Steve Bellovin all chime in, it makes life hard for us little guys. I mean, what can I say that they haven’t? Building facilities for wiretapping is dangerous? Covered. Logging is important? Covered. Hah-ha! […]

 

Whose Line Is It Anyway?

For quite a while now, I’ve been claiming that in order for InfoSec to do its job properly, it needs to understand the business. Yesterday, Jack Jones again showed that he’s in the same camp when he asked us: “Risk Decision Making: Whose call is it?” There he shares his thoughts on how to decide whether […]

 

It’s about more than identity theft

Over at his blog, Alex Hutton responds to my claim that data breaches are not meaningful because of identity theft, saying that “Compliance to External Risk Tolerances (PCI) and Government Breach Reporting Laws *DO* make it significantly about Identity Theft.” (“The ‘Insider Statistic’, Good Data, & Risk.”) Alex’s main point is that it’s not insiders, […]

 

Irony at the BBC

The headline, and warning, of a story about how data formats change, “Warning of data ticking time bomb,” BBC web site, 3 July 2007.

 

Pete Seeger strikes again

The New York Times Magazine has a long article about swimming the Hudson River. (Image: Clearwater.org)

 

Electronic data: you can sell it and have it

Mike Rothman has the unmitigated temerity to go on vacation and deprive me of his daily rant^H^H^H^Hincite, but not before remarking on the Certegy data loss incident: So Certegy (a big check processor) loses a couple million records with information like bank accounts and credit card numbers. And Certegy’s president gets interviewed and says because […]

 

In Congress Assembled, July 4, 1776

In CONGRESS, July 4, 1776 The unanimous Declaration of the thirteen united States of America, When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which […]

 

PET Award

For the last several years, Microsoft has worked with the Privacy Enhancing Technologies community to support a prize for the best work done in the field. I’ve been involved as a member of the selection committee, but when I joined Microsoft, stepped away from that. It’s important to us that the prize is independent. This […]

 

152:1

As governor of Texas, George Bush didn’t see fit to commute any of the 152 death sentences brought before him. (Wikipedia) Good thing Scooter Libby ain’t no poor Texan, because if he was, Bush wouldn’t have ruined his law and order record. (Noted at Discourse.net.) Update: 6 days later, the New York Times notes that […]

 

More controls creates more risk?

Over at his excellent blog, Chandler Howell referenced an interesting risk analysis performed by a home inspector: “The power switch for the garbage disposal in the sink could be accidentally turned on by a person standing at the sink while their hand was in the disposal.” That is to say, the switch is right next […]

 

The CIA’s Family Jewels

Last week, the CIA released a document they called ‘The Family Jewels.’ This compendium of shameful acts has gotten a lot of press, and I have not a lot to add. I did like this bit, mentioned in the Washington Post, “Trying to Kill Fidel Castro:” Maheu made the pitch on Sept. 14, 1960, at […]