How To Fly With An Expired License

Yahoo news recently reported the story of Charleston, West Virginia Mayor Danny Jones who used a photo of himself in a magazine to prove his identity. In brief, he was flying out of John Wayne Airport and his drivers license was expired so he wasn’t going to be allowed to get past security. The Charleston Daily Mail adds that the same license was sufficient to allow him to check his bags. However, Mayor Jones did have a copy of a magazine that had a photo of him in downtown Charleston which was deemed by the local agents to sufficient ID. So, what we have (quelle surprise!) is inconsistency in how security is applied between the ticket agents and the security guards, security guards who didn’t seem to properly understand the process of handling people without proper ID and finally agents who were willing to accept a worse form of ID than an expired drivers license. I feel safer, how about you?

A Cha-cha all the way to the bank


On the beaches of Mexico, they’re talking about Copacabana, a new cipher-cracker that works on DES and other ciphers with a 64-bit key. Yes, this has been done before, but this is interesting for a number of reasons.

First is the price. About €9,000. Second, there’s the performance. A complete DES keyspace sweep in a fortnight. That’s not bad. If you think about Deep Crack and what you’d expect from normal semiconductor advances.

The news, however, is that apparently there are banks using two-factor authentication tokens with DES-based keys, and if you’re clever, you can break this token with far less than a full key search. You only need to observe the supposedly one-time password (or two or three of them), and then with a fortnight’s of computing, you can generate any one-time password the real owner can.

Maddeningly, there are other systems based on AES or some other crypto that aren’t at all vulnerable to this attack — because they have better keys. People who are vulnerable to this attack need not be.

Apparently, these banks have fallen in love with DES. But falling in love is dangerous. It’s also negligent, when it’s so easy to get shot.

Photo courtesy of Imagem Compartilhada.

ANSI on Identity Fraud


Tomorrow at 2 Eastern, ANSI will be hosting a Identity Theft Prevention and Identity Management Standards Panel.

Key analysts, industry leaders, and members of the Identity Theft Prevention and Identity Management Standards Panel (IDSP) will lead an online discussion of a new report that promotes access to and implementation of tools and processes that can help to minimize the scope and scale of identity theft and fraud.

The new report, which will be published on January 31, 2008, helps to arm businesses, government agencies, and other organizations with the tools needed to protect themselves and their customers against the theft and misuse of personal and financial information.

My colleagues Jeffrey Friedberg (Microsoft) and Julie Fergerson (Debix) co-chaired one of the working groups, and I’m pleased to see that they’ve focused on businesses and governments, not consumers. I thinkwe often spend too much time trying to blame the consumer. It’s important to understand the role that organizations play in using identifying information, and how that interacts with identity fraud, and I hope that this report will advance both that understanding, and the understanding of solutions.

To access the report or webinar, “Identity Theft Prevention and Identity Management Standards Panel: Report and Webinar.”

Adam’s Law of Perversity in Computer Security

Rybolov had an interesting comment on my post, “How taxing is it to read a tape?” He wrote about how hard it can be, and closed:

I think the key is that it’s hard for the average person to read tapes
if they found/stole them, but for a moderately-large
organization/attacker, it’s possible.

I think this is a great example of what I call perversity in computer security. When a fellow with the best of intentions is trying to do something, it’s hard, and when the bad guy tries it, it’s easy. It’s like when you want your computer to keep data, it loses it. But when you’re trying to delete it, it’s awfully hard. Similarly, your computer often behaves in seemingly random ways. But when you’re trying to get what cryptographers call good randomness, it’s perversely hard.

There’s another place this routinely shows up, and that’s around the question of “are IP addresses personal information?” If you want to use IP addresses for security purposes, they’re notoriously poor. But if you want to use them to invade privacy, they’re often good enough. As Eric Rescorla writes in “Uh, yeah IP addresses are identifying:”

It’s certainly true that many home users have IP addresses that are assigned via DHCP, so in principle they’re dynamic, but that doesn’t mean that you don’t regularly get the same IP. From what I hear, common practice for full-time Internet connections is to regularly assign the same IP addresses to the same host. The IP addresses change occasionally, but mostly they’re semi-static, so the IP address is generally a pretty useful identifier. And of course, even if your IP address does change regularly, it’s still possible to cross-correlate activities at multiple sites at the same time.

This is up there with my other law: “All Non-Trivial Privacy Fears Come True.”

"We have to be careful we don't release the wrong person"

Hence, we imprison and deport American citizens for immigration violations.

Thomas Warziniack was born in Minnesota and grew up in Georgia, but immigration authorities pronounced him an illegal immigrant from Russia.
Immigration and Customs Enforcement has held Warziniack for weeks in an Arizona detention facility with the aim of deporting him to a country he’s never seen. His jailers shrugged off Warziniack’s claims that he was an American citizen, even though they could have retrieved his Minnesota birth certificate in minutes and even though a Colorado court had concluded that he was a U.S. citizen a year before it shipped him to Arizona.
During a deportation hearing Thursday morning, pleas by Warziniack’s family and lawyer to release him, as well as a copy of his birth certificate proving his citizenship, did little to deter the government.
“The immigration agents told me they never make mistakes,” Warziniack said in a phone interview from jail. “All I know is that somebody dropped the ball.”
The story of how immigration officials decided that a small-town drifter with a Southern accent was an illegal Russian immigrant illustrates how the federal government mistakenly detains and sometimes deports American citizens.

The whole article (which is a must read) makes The Trial seem like a due process Shangri-La by comparison.
The title quote, BTW, is from Ernestine Fobbs, whom McClatchy describes as a spokeswoman for “ICE, the federal agency that oversees deportations”.

Welcome, SecurityFocus readers

The inclusion of Emergent Chaos among the blogs featured at Security Focus happened, one might say, “on Internet time”. Specifically, it was a cool idea that people talked about for a while, and then it got implemented very quickly and surprised us. Quite apropos, given this blog’s title.
Anyway, Adam, EC’s bandleader, is away from the keyboard. Hopefully, this brief introduction to the blog will suffice in his absence.
Emergent Chaos is a group blog on security, privacy, liberty, and economics. We write on each of these topics singly (except the last — too much high-quality competition), and in various combinations. Perhaps the best way to become familiar with Emergent Chaos is to take a look at the highlight reel.
I’d say (not speaking for EC, the President of the United States, or the National Football League) that you could do worse than to start with:

Thanks for your time. Hopefully, you’ll like what you see and become a regular.

Programming World Going to Hell Because of Java and Grace Hopper


Ekinoderm writes in “Who did Kill the Software Engineer?” that schools today are ruining software engineering by teaching people Java. He references Joel Spolsky’s rant on the same.

I agree completely, except neither went far enough!

Java is just the replacement for Pascal, a pedagogical language designed because it was more fun and understandable than FORTRAN. So was BASIC, and APL. Heck, C is really just PDP-11 assembler code for people who can’t allocate stack variables by hand. Come on, it’s just subtraction! Oh, and don’t get me started about how RATFOR screwed people up my making them not compute the gotos in their IF statements.

However, I have to sneer at their examples in Scheme. Scheme! That’s also part of the problem. Scheme is a dumbed-down version of MACLISP for people who can’t handle a real LISP, for Pete’s sake! They should be doing their work in that, if not MDL or LISP 1.5.

The world has already gone to hell in a handbasket because of this continued coddling of the next generation of software engineers. Engineers need to learn how to twist transistors together to make flip-flops and make adders out of discrete components before they should go write computer programs. So-called high-level languages have been ruining the competitiveness of America since the mid 1950s!

Let’s face it, when Jim Backus started on FORTRAN, that was compounding on the mistakes that Grace Hopper started with AUTOCODER, which made it so that you could use so-called “opcodes” in your machine language instead of typing in the binary, and worse, far worse to have macros. Macros make people fat and lazy. Transfats and sugar only make it worse. They stereotype of programmers being fat and unkempt is a product of macros, transfats and sugar over time.

Since I now realize that it’s actually all the Commodore’s fault, I’m going to throw away my nanosecond. Her use of tools that help people understand has ruined computer science. I also promise never to write another line of COBOL.

Photo Grace Hopper’s nanosecond courtesy of Shiny Things.

The UK Driver's License Applicants Breach and Laws

Dark Reading reported that “Data on 3M UK Drivers ‘Lost in Iowa’.”

“In May this year, Pearson Driving Assessments Ltd, a private contractor to the Driving Standards Agency, informed the agency that a hard disk drive had gone missing from its secure facility in Iowa City, Iowa,” Kelly said. “The hard disk drive contained the records of just over three million candidates for the driving theory test.”

The records contained the driver’s name, postal address, phone number, the test fee paid, the test center, a code indicating how the test was paid for, and an email address, Kelly said.

I think this is an interesting disclosure, because most of the laws we see are of the form “if you disclose information about our citizens” rather than “if you disclose in our state.” Sometimes, like with Choicepoint, this serves to get notice out. Other times, perhaps this being one of them, it acts as a loophole.

As Canada, the UK, and other places look to write new laws or regulations, it would be good for them to consider if they’d like to have laws which cover more breaches. It strikes me as a tremendously good idea.