Shostack + Friends Blog Archive

 

Biometrics are not a panacea for data loss

Ian Brown writes, “Biometrics are not a panacea for data loss:” “What we must ensure is that identity fraud is avoided, and the way to avoid identity fraud is to say that for passport information we will have the biometric support that is necessary, so that people can feel confident that their identity is protected.” […]

 

Japanese Breach Disclosure Law

I believe that I follow breach notification pretty closely. So I was surprised to learn that I had missed the passage of a law in Japan. Bird & Bird, Notification of data security breaches explains: In Japan, the Personal Information Protection Act (Law No. 57 of 2003; chapters 1 to 3 effective May 30 2003 […]

 

There’s got to be an IT secret handshake

I’ve been in the hotel I am in for over a week now. It is a European hotel that has wireless, and you have to get an access card and type a six-character string into an access web page. That authenticates you, and you can go. The problem I have today is that I can […]

 

Banksy Would Be Proud

In a feat that would make Banksy proud, members of Untergunther, who the Guardian calls “cultural guerrillas”, restored the antique clock at the Panthéon. They spent about a year, beginning in September of 2005, in a hidden workshop, dismantling and rebuilding the entire clockwork which had been abandoned in the 1960s. They were never discovered […]

 

Is 2,100 breaches of security a lot?

There’s a story in the Yorkshire Post, “2,111 data disasters blamed on disc row bunglers.” At first blush, that’s an awful lot of errors: THE bungling Government department responsible for losing 25 million people’s personal details in the post was hit by more than 2,100 reported breaches of security in the past year alone. And […]

 

HMRC Data discs on EBay

Quite possibly the funniest infosec joke seen in 2007. Here we have two CD-R’s for auction. They are not blank, but seem to have some sort of database written to them. I found them in my local courier firm’s sorting office, addressed to “Her Majesties Audit Office – Child Benefits Section” and marked “Sensitive HM […]

 

A quick comment on the UK lapse

Thanks to all the readers who have written to tell me about the HM Revenue and Customs breach in the UK. I’m on vacation at the moment, and haven’t had a chance to read in depth. However, example stories include the BBC’s “Pressure on Darling over records:” Alistair Darling has apologised for the “extremely serious […]

 

Breach Disclosure of the Zeroeth Millennium

The BBC reports the whereabouts of the legendary cave where Romulus and Remus, founders of Rome, were nursed by a she-wolf, Lupa, as foundlings. The eight-meter-high cave was found buried sixteen meters under a previously-unexplored area of Palatine hill in Rome. Although their home address has been made public, it is unclear if the […]

 

Vulnerability Disclosure Agents Part N

Recently Dave G of Matasano (and smoked salt) fame wrote two interesting articles on Vulnerability Disclosure Markets. In the second one, he reposted a user’s comment: Based on the failing (due to agenda) of (particular) Researchers, Coordinators (i.e. FIRST Members) and Vendors – Which “trusted person or organization” is left “that can represent vulnerability researchers whose […]

 

The costs of liability

It’s become common for people thinking about security economics to call for liability around security failures. The idea is that software creators who ship insecure products could be held liable, because they’re well positioned to address the problems. I don’t think this is a trouble-free idea. There are lots of complexities. As one example, […]

 

Why can't the CIA hire guys like this?

The Telegraph is concerned that The most senior British intelligence official, appointed yesterday to oversee MI5, MI6 and GCHQ, has a website revealing his home address, phone numbers and private photographs of himself, family and friends. www.telegraph.co.uk The upshot seems to be that the gent in question, Alex Allan, lacks the circumspection one would demand […]

 

Controlling Water

In Controlling Water, Dana writes: …Alex Stupak, […] dropped this bombshell in my ear with the casual effect of a little bird chirping their daily song. With no prompt, he said simply, “You know, it’s really just about controlling water,” and walked away. This simple phrase had the power of a plot changing Hollywood one […]

 

Bye-Bye Pay By Touch!

I’ve always been concerned about biometric systems for payment. I don’t want my fingerprint to be able to access my bank account: I leave fingerprints all over the place. I’m glad to see that biometrics pioneer Pay-By-Touch is shifting focus: Pay By Touch, which has made a major push in POS biometric payments, is backing […]

 

How to Blog a Talk

Blogging about your own presentations is tough. Some people post their slides, but slides are not essays, and often make little sense without the speaker. I really like what Chris Hoff did in his blog post, “Security and Disruptive Innovation Part I: The Setup.” I did something similar after “Security Breaches Are Good for You: […]

 

Wednesday Privacy Roundup

Privacy in the EU has been hugely in the news in the last week. Check these out: European Union justice ministers Friday agreed on a minimum set of rules protecting the cross-border exchange of personal data by law-enforcement agencies in the 27 member states. There were lots of other proposals discussed, including ones that mimic […]

 

Splunk'd?

I have been playing with Splunk, for about 45 minutes. So far, I like it. I’ve previously been exposed to Arcsight, but what I have more of an affinity for psychologically is not so much a correlation engine, but a great visualization tool that automagically can grok log formats without making me write a hairy […]

 

How Government Can Improve Cyber-Security

In “How Can Government Improve Cyber-Security?” Ed Felten says: Wednesday was the kickoff meeting of the Commission on Cyber Security for the 44th Presidency, of which I am a member. The commission has thirty-four members and has four co-chairs: Congressmen Jim Langevin and Michael McCaul, Admiral Bobby Inman, and Scott Charney. It was organized by the […]

 

Security is never static

There’s a story in the Wall St Journal, “London’s Congestion Fee Begets Pinched Plates:” This city’s congestion pricing for drivers is heralded around the world for reducing traffic and pollution. It’s also causing an unintended effect: a sharp jump in thieves stealing or counterfeiting license plates. Thieves are pinching plates by the dozens every day […]

 

Total Kabab Awareness

In a May, 2006 post entitled Codename: Miranda, I joked about having my grocery purchases linked to another Chicagoan due to poor schema design. There, I joked about buying: … granola, yogurt, hummus — the healthy stuff which probably alerts Admiral Poindexter’s Bayesian classifier to my fifth-column status. Maybe this wasn’t jocular after all, as […]

 

Measuring the Wrong Stuff

There’s a great deal of discussion out there about security metrics. There’s a belief that better measurement will improve things. And while I don’t disagree, there are substantial risks from measuring the wrong things: Because the grades are based largely on improvement, not simply meeting state standards, some high-performing schools received low grades. The Clove […]

 

"A duty of care" to notify?

Some people have objected to my repeated claims that a new normal is emerging. Those people don’t include Her Majesty’s Revenue and Customs, who, after losing a disk in the mail, said: “There was a thorough search for the item, which went missing at the end of September, but it has not been found. We […]

 

The Magic Phone

The “gPhone” was announced today. I put gPhone in quotes, because there was no actual phone announcement. What was announced was the “Open Handset Alliance” and their toolkit, Android. They are “…committed to commercially deploy handsets and services using the Android Platform in the second half of 2008.” and “An early look at the Android […]

 

Gordon Brown on liberty

While this great tradition can be traced back to the Magna Carta, it was the rise of the modern state with all the new powers at its disposal that made the 17th century the pivotal period in the struggle against arbitrary and unaccountable government —— as Britain led the way in the battle for freedom […]

 

No Parking, Really

Via Michael Froomkin, who points out that if this were an intellectual property license, people would seriously argue that parking there gave the owners the right to spraypaint your car.

 

Informed discussion? Cool!

David Litchfield examines some public breach data and concludes that Word documents and spreadsheets mistakenly left on a web server or indexed by a search engine account for 20.6% of the 276 breaches, both physical and digital, recorded up to the 23rd of October. He further surmises that the proportion may be even higher, since […]

 

WEIS 2008 Call for papers

The call for papers for the 2008 Workshop on Economics and Information Security, to be held at Dartmouth’s Tuck School of Business in late June, has just been issued. […] The 2008 Workshop on the Economics of Information Security invites original research papers focused on the economics of information security and the economics of privacy. […]

 

Today's Free Advice from David Litchfield

Just because you can’t see it, doesn’t mean it’s not there. Also it doesn’t mean you can’t figure out what it is…. Much like traffic analysis what you show and how you show it, can reveal a lot about what is going on behind the scenes.