Shostack + Friends Blog Archive

 

How To Fly With An Expired License

Yahoo news recently reported the story of Charleston, West Virginia Mayor Danny Jones who used a photo of himself in a magazine to prove his identity. In brief, he was flying out of John Wayne Airport and his drivers license was expired so he wasn’t going to be allowed to get past security. The Charleston […]

 

A Cha-cha all the way to the bank

On the beaches of Mexico, they’re talking about Copacabana, a new cipher-cracker that works on DES and other ciphers with a 64-bit key. Yes, this has been done before, but this is interesting for a number of reasons. First is the price. About €9,000. Second, there’s the performance. A complete DES keyspace sweep in a […]

 

ANSI on Identity Fraud

Tomorrow at 2 Eastern, ANSI will be hosting a Identity Theft Prevention and Identity Management Standards Panel. Key analysts, industry leaders, and members of the Identity Theft Prevention and Identity Management Standards Panel (IDSP) will lead an online discussion of a new report that promotes access to and implementation of tools and processes that can […]

 

Adam’s Law of Perversity in Computer Security

Rybolov had an interesting comment on my post, “How taxing is it to read a tape?” He wrote about how hard it can be, and closed: I think the key is that it’s hard for the average person to read tapes if they found/stole them, but for a moderately-large organization/attacker, it’s possible. I think this […]

 

"We have to be careful we don't release the wrong person"

Hence, we imprison and deport American citizens for immigration violations. Thomas Warziniack was born in Minnesota and grew up in Georgia, but immigration authorities pronounced him an illegal immigrant from Russia. Immigration and Customs Enforcement has held Warziniack for weeks in an Arizona detention facility with the aim of deporting him to a country he’s […]

 

How dumb do we think spammers are?

Why is it we easily admit that spammers are people smart enough to run massive bot nets, design custom malware, create rootkits, and adapt to changing protection technologies but we still think that they’re unable to write a pattern to match “user at domain dot com”? Kudos to the first person who puts such a […]

 

Welcome, SecurityFocus readers

The inclusion of Emergent Chaos among the blogs featured at Security Focus happened, one might say, “on Internet time”. Specifically, it was a cool idea that people talked about for a while, and then it got implemented very quickly and surprised us. Quite apropos, given this blog’s title. Anyway, Adam, EC’s bandleader, is away from […]

 

Programming World Going to Hell Because of Java and Grace Hopper

Ekinoderm writes in “Who did Kill the Software Engineer?” that schools today are ruining software engineering by teaching people Java. He references Joel Spolsky’s rant on the same. I agree completely, except neither went far enough! Java is just the replacement for Pascal, a pedagogical language designed because it was more fun and understandable than […]

 

The UK Driver's License Applicants Breach and Laws

Dark Reading reported that “Data on 3M UK Drivers ‘Lost in Iowa’.” “In May this year, Pearson Driving Assessments Ltd, a private contractor to the Driving Standards Agency, informed the agency that a hard disk drive had gone missing from its secure facility in Iowa City, Iowa,” Kelly said. “The hard disk drive contained the […]

 

Why some companies hire PR staff

2008, for us, is a big change because up to now we have been more like a terrorist group, threatening to do something and making big claims. Nicholas Negroponte, of the One Laptop Per Child program, speaking on his own web site. Wow. There’s a stunning analogy for you. Maybe “we’ve been more like a […]

 

Welcome, Crispin!

Michael Howard has broken the news: “Crispin Cowan joins Windows Security: I am delighted to announce that Crispin Cowan has joined the core Windows Security Team! For those of you who don’t know Crispin, Crispin is responsible for a number of very well respected Linux-based security technologies such as StackGuard, the Immunix Linux distro, SubDomain […]

 

Microsoft Has Trouble Programming the Intel Architecture

Microsoft Office 2008 for the Macintosh is out, and as there is in any software release from anyone there’s a lot of whining from people who don’t like change. (This is not a criticism of those people; I am often in their ranks.) Most of the whining comes because Office 2008 does not include Visual […]

 

How taxing is it to read a tape?

In “Athenian Economy and Society: a banking perspective,” Edward Cohen uses the fascinating technique of trusting in offhand comments. He uses the technique to analyze court records to reconstruct banking. You might not be able to trust the main testimony in a trial, but no one will offhandedly say something shocking and strange, because it […]

 

Reporting on breaches

It started with Mark Jewell of the AP, “Groups: Record data breaches in 2007.” Dissent responded to that in “Looking at 2007’s data breaches in perspective:” The following table depicts the number of U.S. incidents reported and the corresponding number of records reported expose by the three main sites that track such data: Attrition.org, the […]

 

One man's vulgarity is another's lyric

DOYLESTOWN, Pennsylvania (AP) — A man who wrote a vulgar message on the memo line of a check he used to pay a $5 parking ticket has apologized in writing, leading police to drop a disorderly conduct charge against him. David Binner sent the check after receiving a $5 parking ticket. He calls it “a […]

 

Hurricane Ivan From the Space Station

Every now and then, an “Astronomy Picture of the Day” is just breathtaking. Today’s is Hurricane Ivan from the Space Station. Click for the larger view.

 

TSA's insecure "Traveller Identity Verification" site slammed by Oversight Committee

First exposed nearly a year ago, by DIY boarding pass mastermind Chris Soghoian, a TSA web site intended to help travelers improperly recorded on watch lists has been slammed by a House Oversight and Government Reform Committee report: TSA awarded the website contract without competition. TSA gave a small, Virginia-based contractor called Desyne Web Services […]

 

Risk Assessment is Hard

The BBC reports (TV personality) “Clarkson stung after bank prank” in which he published his bank account numbers in the newspaper: The Top Gear host revealed his account numbers after rubbishing the furore over the loss of 25 million people’s personal details on two computer discs. He wanted to prove the story was a fuss […]

 

The Laboratories of Democracy in Action

Chris emailed me a bit before Christmas with a link to the new “New York State Security Breach Reporting Form.” How could we withhold this exciting news? I wanted to wait until people were back from vacation, so they didn’t miss it. The form is important because it’s starting to ask for more data. There’s […]

 

How about a little fire?

At WD-50 I saw something done to the potatoes that makes a cook scream, “yes!” A method of cooking the potatoes with an explanation using true understanding of the molecules inside the potatoes and the effects of heat on them. The potatoes are peeled, sliced, and cooked in a water bath at 65 degrees celsius […]

 

Andy Olmsted

Andy Olmsted, who posted as G’Kar on Obsidian Wings, was killed yesterday in Iraq. I always enjoyed his posts, especially when I disagreed with them, because he was so clearly thoughtful. I find myself terribly sad for the death of a man who I only knew through his words. He asked that we not politicize […]

 

Ohio Voters May Demand Paper Ballots

Ohio Secretary or State Jennifer Brunner announced yesterday that paper ballots must be provided on request. Poll workers won’t be told to offer the option to voters but must provide a ballot if requested to help “avoid any loss of confidence by voters that their ballot has been accurately cast or recorded,” a directive from […]

 

Citibank limiting ATM withdrawals in NYC?

Title: Citibank limits ATM cash in city Author: KERRY BURKE and LARRY McSHANE Source: DAILY NEWS Date Published:January 3rd 2008 Excerpt: The New York-based Daily News reported today that Citibank has limited the cash amount its customers can take out of ATM machines. It is being reported that the security of Citibank’s ATM machines in […]

 

Send data leakers to jail? Heck, no!

In “Data breach officials could be sent to the big house,” we learn: In his update on the HMRC data loss to MPs yesterday, Alistair Darling said: “There will now also be new sanctions under the Data Protection Act for the most serious breaches of its principles. “These will take account of the need not […]

 

New breach blog

Evan Francen is maintaining a breach blog with more structure and commentary than either PogoWasRight or Attrition. As I looked at it, I had a couple of thoughts. The first is that he doesn’t reference Attrition DLDOS numbers. (Then again, Pogo doesn’t either.) I think this is a mistake. When we founded CVE, it was […]