Shostack + Friends Blog Archive

Inside Carnivore

Ryan Singel has a long article in Wired: “Point, Click … Eavesdrop: How the FBI Wiretap Net Operates.” I was pretty stunned at some of the numbers: FBI endpoints on DCSNet have swelled over the years, from 20 “central monitoring plants” at the program’s inception, to 57 in 2005, according to undated pages in the […]

Heresy of the Day

Riffing on Adam’s last post, it has been amusing to watch the whole problem with Senator Craig. However, as I’ve chomped my popcorn, there’s been one thing I keep thinking: what if the guy’s telling the truth? What if he was stupidly caught for not doing much of anything, and then stupidly pled guilty in […]

Senator Craig and the Behavior Detection Officers

…airport police Sgt. Dave Karsnia, who was investigating allegations of sexual conduct in airport restrooms, went into a stall shortly after noon on June 11 and closed the door. Minutes later, the officer said he saw Craig gazing into his stall through the crack between the door and the frame. After a man in the […]

Evolve or Die

Or at least become more vulnerable. I’ve recently been helping a client with their secure coding initiative and as a result I’ve been reading Mike Howard and Dave LeBlanc’s Writing Secure Code which reminded me of an important aspect of maintaining a secure code base which often gets overlooked: That is that as code ages […]

Harvard Business Review on Breaches

Via Chris Hoff, “Harvard Business Review: Excellent Data Breach Case Study…” we learn that the Harvard Business Review has a case study, “Boss, I Think Someone Stole Our Customer Data.” The fictitious company profiled is Flayton Electronics, a regional electronics chain with 32 stores across six states. The premise of the fictitious data breach focuses […]

Security Advantage? I Don’t Buy It.

As quoted in Ken Belva’s blog, Larry Gordon writes: However, the above is not the end of the information security story from an economics perspective. If an organization can distinguish itself as having much better information security than its competitors, then that organization may well derive a “competitive advantage” (at least in short-run, until competing […]

The "Too Many Notices" Meme

There’s this idea out there that consumers don’t need to be told when their products are broken. Not for things like lead paint on toys, mind you. No one would believe that. It’s when their personal data goes missing. If the company doesn’t think it’s a problem, they should be able to keep it a […]

Trespass and Forgiveness

A man in the UK has been arrested somewhat dramatically for illegally using a WiFi connection. The BBC reports it here as “Man arrested over wi-fi ‘theft’” and El Reg as “Broadbandit nabbed in Wi-Fi bust.” Each is worth reading. The police statement is worrying. El Reg says: Despite not having secured a conviction yet […]

No, Breach Notification Service is a Good Sign

Over at Dark Reading, there’s a story about First Advantage Membership Services launching a breach notification service. Andrew Conry-Murray starts out: You know data security breaches are way too common when a company builds a business around customer notification of stolen information. and he ends: I applaud companies that comply with notification requirements. It’s the […]

Giving Data to Auditors

In light of well-publicized failures to maintain appropriate controls by the ‘final four’ audit firms, giving data to auditors without a clear and compelling business purpose is a bad idea. It’s such a bad idea, even an auto body shop objects: Auto body repair shops in British Columbia are complaining to the province’s privacy commissioner […]

Steganography in the News

In Australia, Jeffrey Ismail has been convicted of “using a carriage service to menace, harass or offend” meaning using his mobile to coördinate reprisal attacks against a rival gang. Despite registering his phone under the name “John Gotti” and being careful enough to tell his “clerics” to “bring ‘ankshays’ and ‘atbays’” police recorded his calls […]

I am not an eyeball, I am a free man!

Kim Cameron has a very interesting article on the distinction between accounts and credentials, “Grab them eyeballs! Any cred at all!:” Is this logical? It all escapes me. Suppose I start to log in to Dare’s blog using an AOL OpenID. Does that make money for AOL? No. I don’t have to give AOL two […]

Typical British overstatement

I saw a BBC headline, “Huge payout in US stuttering case“, and figured that somebody who stutters must have been harassed at work or something, and got a settlement of $5 mil. WRONG. What happened is this: Six US citizens who, as children, were used in an experiment that tried to induce stuttering have been […]

Second Breach Closure: Verus?

I’ve been fond of saying that no company goes under because of a breach. It used to be there was one exception, CardSystems Solutions. There now appears to be a second, Verus, Inc, a medical information processor that revealed information on customers of at least five hospitals. “Medical IT Contractor Folds After Breaches.” So that […]

NYT Reporter Has Never Heard of Descartes

Or perhaps more correctly, did not internalize Descartes when he heard of him. In “Our Lives, Controlled From Some Guy’s Couch,” John Tierney writes: Until I talked to Nick Bostrom, a philosopher at Oxford University, it never occurred to me that our universe might be somebody else’s hobby. I hadn’t imagined that the omniscient, omnipotent […]

Cost of a Breach: $6, not $187?

So TJX recently announced a $118m setaside to deal with the loss of control of 45 million records. Now, I’m not very good at math (if I was, I’d say $2.62, not $3), but it seems to me that the setaside is less than $3 per record. That doesn’t line up with the $187 per […]

Examining Wikipedia Anonymous Edits

It’s recently been amusing to look at where Wikipedia’s anonymous edits come from. There have been many self-serving edits from obvious places, as well as selfless ones from unexpected sources. I am most amused by this selfless edit which came from IP address 132.185.240.120, which translates to webgw0.thls.bbc.co.uk. I can only think that had the […]

Breach outliers: $118m charge for TJX

The Associated Press reports that “TJX profit plunges on costs from massive data breach:” FRAMINGHAM, Mass. (AP) – TJX’s second-quarter profit was cut by more than a half as the discount store owner recorded a $118 million charge due to costs from a massive breach of customer data….About one-tenth of the charge from the data […]

Fake Steve and Real Mackey

So with the small, literal men at the New York Times poking through the veil of anonymity that allowed Fake Steve to produce the best blog since “The Darth Side,” we have a serious threat to the stability of the republic, which is the false hope that by assigning people names, we can control them. […]

I can't conceive of a better use for anonymity

There’s a fascinating little sidebar article in the Economist (4 August 2007), “Misconceived:” Now that anonymity is no longer possible, there has been a huge decline in the number willing to donate. So more patients travel for treatment to countries where anonymity is still legal. If this new proposal is implemented, it may give such […]

British House of Lords gets it

From a report published August 10 by the House of Lords select committee on science and technology: 5.55. We further believe that a data security breach notification law would be among the most important advances that the United Kingdom could make in promoting personal Internet security. We recommend that the Government, without waiting for action at […]

ChoicePoint's data quality

In a comment, Tom Lyons asked: I have two clients who are asking me to investigate matters with Choice Point as it relates to inaccurate employment records provided to prospective employers. I am seeking persons who have similar experiences to determine a “pattern and practice” on the part of Choice Point. I don’t know Mr. […]

I love the emergent chaos of breach analysis

[Updated: see below] Over at Storefront backtalk, Evan Schuman writes “TJX Kiosk Rumors Re-Emerge:” Reports that the attack began using a wireless entry point have been confirmed by multiple investigators, but reports that circulated in March that the attacks began via an in-store employment kiosk have re-emerged. Could both be true? It’s unlikely, as both […]

Pseudonyms in the News: Fake Steve Jobs Outed

Brad Stone of the New York Times is a killjoy. Geez. Part of the joy of reading The Secret Diary of Steve Jobs was thinking of him as Fake Steve Jobs, and nothing more. Sure, it’s all good that his employer was so delighted that FSJ is going to be hosted by them, now, […]

In Honor of the New Wiretap Law

I’ve been too busy with travel to Blackhat, WOOT and Metricon to really cover the new wiretap law, or the very encouraging results of de-certifying electronic voting machines. I hope to be less buried soon. In the meanwhile, Photo is “Dan Perjovschi’s installation at the Moma, NYC” by Tibau1.

Obscenities in Passwords

El Reg reports that “Pipex invites customer to get ‘c**ted’” in which the generated passwords that the Pipex system suggested contained a rude word. A screenshot is available on the Register article. There is, however, a second obscenity here that is far more subtle. That obscenity is in the password selection advice and suggestions. The […]

Welcome iouhgijudgviujs, please log in!

Ben Laurie has shown time and again that OpenID is Phishing Heaven. It’s also a huge boon for anyone who wants to start tracking on the web. I firmly agree that if you want to steal from people or invade their privacy, OpenID is for you. I also know that there are people I respect […]

Obligation to Secure

Chronicles of Dissent has a good article on this topic, “If you don’t secure your data, it’s not unauthorized access.” A court in Pennsylvania ruled that it’s not illegal to get information you really shouldn’t have if you got it from a search engine or the search engine’s caches. This is important because there have […]

German Biometric Trials

The assessment of the Federal Criminal Police Office (BKA) according to which biometric visual-image search systems are not advanced enough to be used by the police to search for persons has led to mixed reactions. The Federal Criminal Police Office presented the fairly sobering research results of its visual-image search systems project on Wednesday in […]