Shostack + Friends Blog Archive

 
 

UK Passport Photos?

2008 and UK passport photos now have the left eye ‘removed’ to be stored on a biometric database by the government. It’s a photo that seems to say more to me about invasion of human rights and privacy than any political speech ever could. Really? This is a really creepy image. Does anyone know if […]

 

You Have Confused Me for the Last Time!

I love these boots, via “BoingBoing gadgets.” They’re transgressive on so many levels. Star Wars geek versus fashion. Military versus sexy. I’m glad George Lucas isn’t an obsessive control freak who hunts down anyone who adopts the visual language that he created.

 
 

Network Security Podcast #109, featuring Adam

I’m the guest on the latest episode of Martin McKeay and Rich Mogull’s Network Security podcast. It was a lot of fun to record, I hope you enjoy listening to it. [Link fixed.]

 

Game Theory and Poe

Julie Rehmeyer of Science News writes in, “The Tell-Tale Anecdote: An Edgar Allan Poe story reveals a flaw in game theory” about a paper Kfir Elias and Ariel Rubenstein called, “Edgar Allan Poe’s Riddle: Do Guessers Outperform Misleaders in a Repeated Matching Pennies Game? The paper discusses a game that Poe describes in The Purloined […]

 

I’d bet on security prediction markets

In his own blog, Michael Cloppert writes: Adam, and readers from Emergent Chaos, provided some good feedback on this idea. Even though the general response is that this wouldn’t be a supportable approach, I appreciate the input! This helps me focus my research intentions on the most promising theories and technologies. I’m glad my readers […]

 

Not quite clear on the subject

Slyck News has a story, “SSL Encrpytion Coming to The Pirate Bay” a good summary of which is in the headline. However, may not help, and may hurt. Slyck says: The level of protection offered likely varies on the individual’s geographical location. Since The Pirate Bay isn’t actually situated in Sweden, a user in the […]

 
 

Science isn't about Checklists

Over at Zero in a Bit, Chris Eng has a post, “Art vs. Science“: A client chastised me once for making a statement that penetration testing is a mixture of art and science. He wanted to believe that it was completely scientific and could be distilled down to a checklist type approach. I explained that […]

 

Water on Mars!

Mars Phoenix Tweets: “We Have ICE!” And yes, they really did announce on Twitter and a press release.

 

Medeco Embraces The Locksport Community

Two days ago, Marc Weber Tobias pointed out that Medeco, the 800 pound gorilla in the high-security lock market, recently published an open letter to the locksport community, welcoming it to the physical security industry: While we have worked with many locksmiths and security specialists in the past to improve our cylinders, this is the […]

 

R-E-S-E-P-C-T! Find out what it means to me

The TSA apparently is issuing itself badges in its continuing search for authority. The attire aims to convey an image of authority to passengers, who have harassed, pushed and in a few instances punched screeners. “Some of our officers aren’t respected,” TSA spokeswoman Ellen Howe said. … A.J. Castilla, a screener at Boston’s Logan Airport […]

 

Identity Theft is more than Fraud By Impersonation

In “The Pros and Cons of LifeLock,” Bruce Schneier writes: In reality, forcing lenders to verify identity before issuing credit is exactly the sort of thing we need to do to fight identity theft. Basically, there are two ways to deal with identity theft: Make personal information harder to steal, and make stolen personal information […]

 

How much work is writing a book?

There’s a great (long) post by Baron Schwartz, “What is it like to write a technical book?” by the lead author of “High Performance MySQL.” There’s a lot of great content about the process and all the but I wanted to respond to this one bit: I can’t tell you how many times I asked […]

 

Iowa breach law arrives a bit early

On May 10, Iowa became the 42nd U.S. state (counting D.C. as a state) with a breach notification law. The law itself is not remarkable. If anything, it is notably weaker than many other states’ laws. When can we expect to see the last stragglers finally pass their laws? Here’s a plot of each state’s […]

 

L'affaire Kozinski

Kim Zetter on Threat Level has written about Larry Lessig’s comments about Judge Alex Kozinski’s problems with having files on a personal server made public. Zetter has asked to hear people’s opinions about the issue. I thought I’d just blog about mine. Basically, I agree with Lessig. The major place that I disagree with Lessig […]

 

Quantum Pride

One of the curious features of Quantum Cryptographers is the way they harumph at mathematics. “Don’t trust that math stuff, you should trust physics.” It’s easy to sneer at this attitude because physics has traditionally gotten its cred because of its foundations in math. Physicists are just mathematicians who don’t squick at canceling dxes. Quantum […]

 

Can You Hear Me Now?

Debix, Verizon, the ID Theft Research Center and the Department of Justice have all released really interesting reports in the last few days, and what makes them interesting is their data about what’s going wrong in security. This is new. We don’t have equivalents of the National Crime Victimization Surveys for cyberspace. We don’t have […]

 

Department of Justice on breach notice

There’s an important new report out from the Department of Justice, “Data Breaches: What the Underground World of “Carding” Reveals.” It’s an analysis of several cases and the trends in carding and the markets which exist. I want to focus in on one area, which is recommendations around breach notification: Several bills now before Congress […]

 

Quanta In Space!

What’s the biggest problem with quantum cryptography? That it’s too expensive, of course. Quantum anything is inherently cool, just as certain things are inherently funny. Ducks, for example. However, it’s hard to justify a point-to-point quantum crypto link that starts at one-hundred grand just for the encryptors (fiber link not included, some assembly required), when […]

 

Paper Breach

The BBC reports in “Secret terror files left on train” that an … unnamed Cabinet Office employee apparently breached strict security rules when he left the papers on the seat of a train. A fellow passenger spotted the envelope containing the files and gave it to the BBC, who handed them to the police. We […]

 

What’s up with the "New and Used" Pricing on Amazon?

So having a book out, you start to notice all sorts of stuff about how Amazon works. (I’ve confirmed this with other first time authors.) One of the things that I just can’t figure out is the pricing people have for The New School. There’s a new copy for 46.43. A mere 54% premium over […]

 

Debix Publishes Data on Identity Theft

Finally, we have some real hard data on how often identity theft occurs. Today, Debix (full disclosure, I have a small financial interest) published the largest study ever on identity theft. Debix combed though the 2007 Q4 data on over 250 thousand of their subscribers and found that there was approximately a 1% attempted fraud […]

 

Hats Banned in Yorkshire to Aid CCTV Identification

The Telegraph reports in “Hats banned from Yorkshire pubs over CCTV fears” that Pubs in Yorkshire have been ordered to ban people from wearing flat caps or other hats so troublemakers can be more easily recognised. And in other news this weekend, MPs have stamped their little feet insisting that Britain is not a surveillance […]

 

Security Prediction Markets: theory & practice

There are a lot of great comments on the “Security Prediction Markets” post. There’s a tremendous amount of theorizing going on here, and no one has any data. Why don’t we experiment and get some? What would it take to create a market in breach notification prediction? Dan Guido said in a comment, “In security, […]

 

Praises for the TSA

We join our glorious Soviet brothers of the TSA in rejoicing at the final overthrow of the bourgeoisie conception of “liberty” and “freedom of expression” at the Homeland’s airports. The People’s Anonymous Commissar announced: This change will apply exclusively to individuals that simply refuse to provide any identification or assist transportation security officers in ascertaining […]

 

Messing with the RIAA and MPAA

Some very smart people at the University of Washington figured out how to leverage the bittorrent protocol to cause the RIAA and MPAA to generate takedown notices. From the website: * Practically any Internet user can be framed for copyright infringement today. By profiling copyright enforcement in the popular BitTorrent file sharing system, we were […]

 

Terms and Conditions for Accepting Email

Some time ago, I wrote about the absurdity of email disclaimers. It is therefore with great amusement I pass on the “Terms & conditions for acceptance of email messages by Andrews & Arnold Ltd” by a small ISP and IT company in Bracknell. The best part of it is the last term. Check out their […]

 

Security Prediction Markets?

In our first open thread, Michael Cloppert asked: Considering the contributors to this blog often discuss security in terms of economics, I’m curious what you (and any readers educated on the topic) think about the utility of using prediction markets to forecast compromises. So I’m generally a big fan of markets. I think markets are, […]

 

The Emergent Chaos of the Elections

First, congratulations to Barack Obama. His organization and victory were impressive. Competing with a former President and First Lady who was the shoo-in candidate is an impressive feat. I’d like to talk about the Obama strategies and a long chaotic campaign in two ways. First in fund-raising and second, on the effects of a long […]

 

Supreme Court Narrows "Money Laundering"

The Supreme Court narrowed the application of the federal money-laundering statute on Monday, ruling for criminal defendants in two cases in which prosecutors had employed broad definitions of two of the law’s major provisions. The two rulings are likely to crimp the government’s ability to bring money-laundering cases, although not necessarily to the degree that […]

 

In the "couldn't have happened to a better set of people" department…

Fifteen people have escaped unharmed in the US state of Indiana after a sky-diving plane lost power 7,000ft (2,100m) from the ground. The pilot told the 14 skydivers on board to jump to safety, then crash-landed the plane. And the pilot was un-injured, according to the AP story. From Skydiving plane fails at 7,000ft, BBC. […]

 

8th Pet Symposium Early Registration Deadline

We kindly invite you to attend the next PET Symposium, that will take place in Leuven (Belgium) on July 23-25, 2008. The PET Symposium is the leading international event for the latest research on privacy and anonymity technologies. This year, four other events are co-located with PETS 2008, including the Workshop On Trustworthy Elections (WOTE […]

 

Open thread

What the heck. Let’s see what happens. Comment on what you will.