Shostack + Friends Blog Archive

 

Phishing and Clearances

Apparently, the CISO of US Homeland Security, a Paul Beckman, said that: “Someone who fails every single phishing campaign in the world should not be holding a TS SCI [top secret, sensitive compartmentalized information—the highest level of security clearance] with the federal government” (Paul Beckman, quoted in Ars Technica) Now, I’m sure being in the […]

 

Choice Point Screening

Stamford Police said Jevene Wright, 29, created a fictitious company called “Choice Point Screening” and submitted false invoices for background checks that were submitted to Noble Americas Corporation, an energy retailer firm located in Stamford. (Patrick Barnard, “The Stamford (CT) Patch”) I don’t want to minimize the issue here. Assuming the allegations are correct, the […]

 

Age and Perversity in Computer Security

I’ve observed a phenomenon in computer security: when you want something to be easy, it’s hard, and when you want the same thing to be hard, it’s easy. For example, hard drives fail seemingly at random, and it’s hard to recover data. When you want to destroy the data, it’s surprisingly hard. I call this […]

 

Chaos Emerges from Demanding Facebook Passwords

On the off chance that you’ve been hiding under a rock, there’s been a stack of news stories about organizations (both private and governmental) demanding people’s Facebook passwords as part of the process of applying for jobs, with much associated hand-wringing. In “I hereby Resign”, Raganwald discusses the downside to employers of demanding to look […]

 

Best autoresponse message

As Brad Feld says, this is the best auto-responder in a long time: I am currently out of the office on vacation. I know I’m supposed to say that I’ll have limited access to email and won’t be able to respond until I return — but that’s not true. My blackberry will be with me […]

 

Israeli Draft, Facebook and Privacy

A senior officer said they had found examples of young women who had declared themselves exempt posting photographs of themselves on Facebook in immodest clothing, or eating in non-kosher restaurants. Others were caught by responding to party invitations on Friday nights – the Jewish Sabbath. (“Israeli army uses Facebook to expose draft dodgers,” Wyre Davies, […]

 

Databases or Arrests?

From Dan Froomkin, “FBI Lab’s Forensic Testing Backlog Traced To Controversial DNA Database,” we see this example of the mis-direction of key funds: The pressure to feed results into a controversial, expansive DNA database has bogged down the FBI’s DNA lab so badly that there is now a two-year-and-growing backlog for forensic DNA testing needed […]

 

How not to address child ID theft

(San Diego, CA) Since the 1980’s, children in the US have been issued Social Security numbers (SSN) at birth. However, by law, they cannot be offered credit until they reach the age of 18. A child’s SSN is therefore dormant for credit purposes for 18 years. Opportunists have found novel ways to abuse these “dormant” […]

 

Credit Scores and Deceptive Advertising

Frank Pasquale follows a Joe Nocera article on credit scores with a great roundup of issues that the credit system imposes on American citizens, including arbitrariness, discriminatory effects and self-fulfilling prophecies. His article is worth a look even if you think you understand credit scores. I’d like to add one more danger of credit scores: […]

 

Showing ID In Washington State

Back in October, I endorsed Pete Holmes for Seattle City Attorney, because of slimy conduct by his opponent. It turns out that his opponent was not the only one mis-conducting themselves. The Seattle PD hid evidence from him, and then claimed it was destroyed. They have since changed their story to (apparent) lies about “computer […]

 

Credit Checks are a Best Practice in Hiring

The New York Times reports that “As a Hiring Filter, Credit Checks Draw Questions:” In defending employers’ use of credit checks as part of the hiring process, Eric Rosenberg of the TransUnion credit bureau paints a sobering picture. […] Screening the backgrounds of employees “is critical to protect the safety of Connecticut residents in their […]

 

Your credit worthiness in 140 Characters or Less

In “Social networking: Your key to easy credit?,” Eric Sandberg writes: In their quest to identify creditworthy customers, some are tapping into the information you and your friends reveal in the virtual stratosphere. Before calling the privacy police, though, understand how it’s really being used. … To be clear, creditors aren’t accessing the credit reports […]

 

How to Make Your Dating Site Attractive

There’s a huge profusion of dating sites out there. From those focused on casual encounters to Christian marriage, there’s a site for that. So from product management and privacy perspectives I found this article very thought provoking: Bookioo does not give men any way to learn about or contact the female members of the […]

 

The New School of Air Travel Security?

As I simmer with anger over how TSA is subpoenaing bloggers, it occurs to me that the state of airline security is very similar to that of information security in some important ways: failures are rare; partial failures are generally secret; actual failures are analyzed in secret; procedures are secret; procedures seem bizarre and arbitrary […]

 

Observations on the Christmas Bomber

Since there’s been so much discussion about the Christmas Bomber, I want to avoid going over the same ground everyone else is. So as much as I can, I’m going to try to stick to lightly-treaded ground. This is a failure for the terrorists. A big one. Think about it; put yourself on the other […]

 

Fingerprinted and Facebooked at the Border

According to the Wall St Journal, “Iranian Crackdown Goes Global,” Iran is monitoring Facebook, and in a move reminiscent of the Soviets, arresting people whose relatives criticize the regime online. That trend is part of a disturbing tendency to criminalize thoughts, intents, and violations of social norms, those things which are bad because they […]

 
 

Caster Semenya, Alan Turing and "ID Management" products

South African runner Caster Semenya won the women’s 800-meter, and the attention raised questions about her gender. Most of us tend to think of gender as pretty simple. You’re male or you’re female, and that’s all there is to it. The issue is black and white, if you’ll excuse the irony. There are reports that: […]

 

ID Theft Risk Scores?

A bunch of widely read people are blogging about “MyIDscore.com Offers Free ID Theft Risk Score.” That’s Brian Krebs at the Washington Post. See also Jim Harper, “My ID Score.” First, there’s little explanation of how it’s working. I got a 240 when I didn’t give them my SSN, and my score dropped to 40 […]

 

The Cost of Anything is the Foregone Alternative

The New York Times reports: At least six men suspected or convicted of crimes that threaten national security retained their federal aviation licenses, despite antiterrorism laws written after the attacks of Sept. 11, 2001, that required license revocation. Among them was a Libyan sentenced to 27 years in prison by a Scottish court for the […]

 

UnClear where the data will go

So Clear’s Verified Line Jumper service has shut down. Aviation Week has a blog post, “Clear Shuts Down Registered Traveler Lanes.” Clear collected a lot of data: The information that TSA requires us to request is full legal name, other names used, Social Security number (optional), citizenship, Alien Registration Number (if applicable), current home […]

 

More on Privacy Contracts

Law Prof Dan Solove took the A-Rod question I posted, and blogged much more in depth in A-Rod, Rihanna, and Confidentiality: Shostack suggests that A-Rod might have an action for breach of contract. He might also have an action for the breach of confidentiality tort. Professor Neil Richards and I have written extensively about breach […]

 

Synthetic Identity "Theft" – The Mysterious Case of Prawo Jazdy

The BBC tells the tale of a Polish immigrant flouting traffic regulations across the emerald isle: He had been wanted from counties Cork to Cavan after racking up scores of speeding tickets and parking fines. However, each time the serial offender was stopped he managed to evade justice by giving a different address. As it […]

 

A-Rod had a privacy contract, and so did you

In 2003 the deal was simple: The players would submit to anonymous steroid testing, and if more than 5 percent tested positive, real testing with real penalties would begin in 2004. But in 2003, the tests were going to be (A) anonymous and then (B) destroyed. Those were the rules of engagement, and in any […]

 

Children, Online Risks and Facts

There’s an interesting (and long!) “Final Report of the Internet Safety Technical Task Force to the Multi-State Working Group on Social Networking of State Attorneys General of the United States.” Michael Froomkin summarizes the summary. Adam Thierer was a member of the task force, and has extensive commentary on the primary online safety issue today […]

 

The Identity Divide and the Identity Archipelago

(I’d meant to post this in June. Oops! Chaos reigns!) Peter Swire and Cassandra Butts have a fascinating new article, “The ID Divide.” It contains a tremendous amount of interesting information that I wasn’t aware of, about how infused with non-driving purposes the drivers license is. I mean, I know that the ID infrastructure, is, […]

 

Travel Chaos

NARA (National Archives) published notice in the Federal Register on October 27, 2008, of TSA’s submission to them (see Schedule Pending #3) of a proposed Records Schedule for Secure Flight Program. The actual Proposed Schedule was not published in the Register, only notice that you can request it and file comments on whether NARA should […]

 

Watchlist Cleaning Law

Former South African President Nelson Mandela is to be removed from U.S. terrorism watch lists under a bill President Bush signed Tuesday… The bill gives the State Department and the Homeland Security Department the authority to waive restrictions against ANC members. This demonstrates that greater scrutiny must be placed on the decisions about who gets […]

 

Call Centers Will Get More Annoying

There’s an article in “destination CRM,” Who’s Really Calling Your Contact Center? …the identity questions are “based on harder-to-steal information” than public records and credit reports. “This is much closer to the chest than a lot of the public data being used in other authentication systems,” she says, adding that some companies using public data […]

 

Identity Theft is more than Fraud By Impersonation

In “The Pros and Cons of LifeLock,” Bruce Schneier writes: In reality, forcing lenders to verify identity before issuing credit is exactly the sort of thing we need to do to fight identity theft. Basically, there are two ways to deal with identity theft: Make personal information harder to steal, and make stolen personal information […]

 

The Costs of Security and Algorithms

I was struck by this quote in the Economist special report on international banking: There were navigational aids to help investors but they often gave false comfort. FICO scores, the most widely used credit score in America, were designed to assess the creditworthiness of individual borrowers, not the quality of pools of mortgages. “’Know your […]

 

Credit Bureaus and Outsourcing

The “I’ve Been Mugged” blog has a great three part series on outsourcing by credit bureaus: “Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms? (Part 1),” “part 2” and “part 3.” He digs deep into how extensively TransUnion outsources, and where. I went looking, and was surprised to see that […]

 

Hiring Fraudsters?

PARIS — Jérôme Kerviel, the Société Générale trader who used his knowledge of the French bank’s electronic risk controls to conceal billions in unauthorized bets, has a new job — at a computer consulting firm. Mr. Kerviel, who was given a provisional release from prison on March 18, started work last week as a trainee […]

 

Who Watches the Watchlists?

The idea of “watchlists” has proliferated as part of the War on Terror. There are now more than 63 of them: As part of its regular “risk management” service, which provides screening, tracing, and identity and background checks on potential clients or trading partners, MicroBilt will now offer a “watch list” service that checks these […]

 
 

Algorithms for the War on the Unexpected

Technology Review has an article, “The Technology That Toppled Eliot Spitzer.” What jumped out at me was the explicit statement that strange is bad, scary and in need of investigation. Bruce Schneier is talking a lot about the war on the unexpected, and this fits right into that. Each category is analyzed to determine patterns […]

 

HSPD-12 Does Not Require JPL Background Checks

Adam writes about the brouhaha at NASA over HSPD-12 background checks. A friend of a friend who is in the business of implementing HSPD-12 sent me a tidbit about it, along with a link so that you can read the primary source — something always needed when you get emails from FOAFs. In paragraph 3, […]

 

The Fight Against HSPD12

There’s a fascinating court fight, being run by people at the Jet Propulsion Lab. See “JPL Employees File Suit to End Background Investigations” From the press release: The plaintiffs include highly placed engineers and research scientists at JPL who have been involved in critical roles in NASA’s most successful recent programs, including leading engineers and […]

 

Buy Gas, Get Busted for Pedophilia?

The BBC reports “Motorists hit by card clone scam:” Thousands of motorists who use a bank card to buy petrol are thought to have lost millions of pounds in an international criminal operation. It is believed cards are being skimmed at petrol stations, where the card details and pin numbers are retrieved and money withdrawn […]

 

More on Crappy Credit Reports

In October, 2006, I commented on the story of a man in Arcata, California whose credit report bizarrely includes a claim he’s the son of Saddam Hussein. (“The Crap in Credit Reports”) Now, via Educated Guesswork, “If OBL can buy a used car, the terrorists have won” we learn of a fellow who can’t buy […]

 

Dating & Background Checks in China

Shimrit sends in this Shanghai Daily story, “Matchmaking site works to cut down deception:” A LEADING Chinese matchmaking Website is to check the age, marital status and other personal details of prospective cyber daters against an official database to prevent deception. Beginning today, Baihe.com will screen its eight million online daters against an ID authentication […]

 

Dating and Background Checks in the UK

My friend Shimrit saw Cluechick’s post on the dating (“Emerging Dating Paranoia”) and wanted to add a bit herself. She works for the UK’s biggest online dating provider. She has a new book coming out, and a blog at “Everyone’s Guide to Online Dating.” She writes: With all the current craziness surrounding online dating background […]