The Carpenter Case

On Wednesday, the supreme court will consider whether the government must obtain a warrant before accessing the rich trove of data that cellphone providers collect about cellphone users’ movements. Among scholars and campaigners, there is broad agreement that the case could yield the most consequential privacy ruling in a generation. (“Supreme court cellphone case puts free speech – not just privacy – at risk.”)

Bruce Schneier has an article in the Washington Post, “How the Supreme Court could keep police from using your cellphone to spy on you,” as does Stephen Sachs:

The Supreme Court will hear arguments this Wednesday in Carpenter v. United States, a criminal case testing the scope of the Fourth Amendment’s right to privacy in the digital age. The government seeks to uphold Timothy Carpenter’s conviction and will rely, as did the lower court, on the court’s 1979 decision in Smith v. Maryland, a case I know well.

I argued and won Smith v. Maryland when I was Maryland’s attorney general. I believe it was correctly decided. But I also believe it has long since outlived its suitability as precedent. (“The Supreme Court’s privacy precedent is outdated.”)

I am pleased to have been able to help with an amicus brief in the case, and hope that the Supreme Court uses this opportunity to protect all of our privacy. Good luck to the litigants!

Celebrating Alt-Left Lawlessness

Lately, I’ve tried to stay away from the tire fire that American politics has become. I’m reasonably certain that I have more to contribute in other areas. But when the President tries to equivocate between those waving the Nazi flag and those protesting against them, we need to speak about what’s acceptable.

It ought to go without saying that when literal Nazis are on one side of a debate, the other side is in the right.

But apparently, that’s not obvious, so I felt I could share a plan for a march by the alt-left, under the ominous name of “Operation Overlord.” They were planning to overthrow the legitimate government all along the coast, and, through force, replace it with their own puppets.

More seriously, we can have disagreements about what’s best for the country, and it’s bad when we demonize those who disagree with us. Civilized society requires us to accept civil disagreement. It accepts that no one is privileged or disadvantaged by an accident of birth: “race, creed or color,” as the expression goes. But civil disagreement, by definition, precludes violence, advocacy of violence or threats of violence.

The Nazi flag is one such threat. Waving it has no purpose except declaring oneself outside society and at odds with the ideals and principles of good people everywhere.

If you’re in a crowd of Nazis, you should be asking why, and walking away.

If you have doubts about what a President should say, here’s a sample:

Voter Records, SSN and Commercial Authentication

[Image: Verified by Visa]

A Wednesday letter from the Presidential Advisory Commission on Election Integrity gives secretaries of state about two weeks to provide about a dozen points of voter data. That also would include dates of birth, the last four digits of voters’ Social Security numbers… (NYTimes story) As of this writing, 44 states have refused.

I want to consider only the information security aspects of the letter, which also states that “Please be aware that any documents that are submitted to the full Commission will also be made available to the public.”

Publishing a list of SSNs is prohibited by 42 USC 405(c)(2)(C)(viii), but that only applies to “SSNs or related record[s].” Related record means “any record, list, or compilation that indicates, directly or indirectly, the identity of any individual with respect to whom a social security account number or a request for a social security account number is maintained pursuant to this clause.” So it’s unclear to me if that law prohibits publishing the last 4 digits of the SSN in this way.

So, if a list of names, addresses, dates of birth and last four digits of the SSN of every voter is made available, what does that do to the myth that those selfsame four digits can be used as an authenticator?

I’d like to thank the administration for generating so much winning in authentication, and wish the very best of luck to everyone who now needs to scramble to find an alternate authentication technique.

Image credit: Jeff Hunsaker, “Verified by Visa: Everything We Tell Folks to Avoid.”

Hospital Ransomware

[Update, May 22, added link to “Observing”.]

Good posts by Ross Anderson, George Danezis and Steve Bellovin say much of what I’d wanted to say, and more. So go take a read. [Also worth reading “Observing the WannaCry fallout: confusing advice and playing the blame game.”]

To what Bellovin says, I would add that 15 years ago, Steve Beattie, Crispin Cowan and I did some math for Timing the Application of Security Patches for Optimal Uptime, and estimated that likelihood of attack starts to exceed likelihood of damage from the patch at around 10 days. To my knowledge, no one has updated the dataset or re-run the numbers, but I would expect that improvements in test automation and improvement in attack frameworks make that closer to patch release, not further from it. My experience is that many organizations with dependencies on older technology also have not invested in test automation that enables even fast ‘smoke testing’ of their systems. Such test rigs allow you to quickly start the clock that Steve hypothesizes.

Also, see “Rejection Letter” by Charlie Stross, and “How to Accidentally Stop a Global Cyber Attacks.”

On Immigration and Refugees

[Image: Sergey Brin and baby]
The ban on refugees is illegal, immoral and un-American, and as an American, I want to add my voice.

The ban is illegal. (“Trump’s Immigration Ban Is Illegal.”) I suspect that the United States also has legal obligations under treaties to accept refugees, but Google isn’t my lawyer, and I am no expert.

The ban is immoral. Those who have gone through our immigration process and gotten green cards are being restricted from returning to the US. Those people have followed the legal path to immigration and built lives here. We made a deal with them and we’re breaking it, suddenly and without warning. Those people might have jobs, school, or family to return to, and their lives are upended and uncertain. These are not illegal aliens; they are people who have gone through a complex, and sometimes Kafkaesque, immigration process.

I have worked with engineers from Syria. (I’m not going to name them in today’s climate.) They did good work, and were good people. They were dealing with the horror of hearing family back home was missing, and they did good work anyway.

The President is hurting America with this ban. By telling those here legally that their status can be upended at a whim, he makes a strong argument against coming here by following the rules as they exist on a given day. Some people will continue to come here in violation of the law; others will go elsewhere, and another country will get both the risk and the reward from that set of refugees.

It’s worth noting that the protests and court orders yesterday, while welcome, “Despite growing dissent, Trump gives no sign of backing down from travel ban.” I guess we need to keep calling this what it is: un-American.

Pictured is John von Neumann, refugee, and inventor of the von Neumann architecture that’s at the heart of the computer on which you’re reading this, and Sergey Brin, co-founder of Google, on his way to protest in San Francisco.

[Update: The hawks at Lawfare blog have an analysis, Malevolence Tempered by Incompetence.]

Election 2016

This election has been hard to take on all sorts of levels, and I’m not going to write about the crap. Everything to be said has been said, along with much that never should have been said, and much that should disqualify those who said it from running for President. I thought about endorsing Jill Stein, the way we endorsed McCain-Palin in 2008, but even the Onion is having trouble being funny.

One thing which makes the American election system less functional is the electoral college system, which means that essentially a small number of states decide the election.

There is an effort underway to change that to a national popular vote, and there’s a group working towards that by getting states to agree amongst themselves to allocate their electoral college votes towards the winner of the national popular vote, once enough states have made that commitment to control the results of the elections. It’s a pretty neat approach to patching the Constitution, and you can learn more at National Popular Vote.

Also in the spirit of nice things to see today, WROC in Rochester is streaming from the resting place of Susan B Anthony, whose tombstone has been covered with “I voted” stickers, and as I watch, people are reading the Seneca Falls Declaration.

Happy Independence Day!

Since 2005, this blog has had a holiday tradition of posting “The unanimous Declaration of the thirteen united States of America.” Never in our wildest, most chaotic dreams, did we imagine that the British would one day quote these opening words:

When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which the Laws of Nature and of Nature’s God entitle them, a decent respect to the opinions of mankind requires that they should declare the causes which impel them to the separation. [Ed: That article is jargon-laden, and interesting if you can wade past it.]

So, while it may be chaotic in the most negative of senses, there’d be some succor should we see a succinct success as England secedes from the United Kingdom. Of course, London, West-Virginia-style, secedes from said secession. Obviously, after this, the United Kingdom of Scotland, Northern Ireland and London should remain a part of the EU, dramatically simplifying the negotiation.

Or, perhaps, in light of the many British who were apparently confused about the idea that Leave meant Leave, or the 2% margin of the vote, it would be reasonable and democratic to hold another election to consider what should happen. A problem with democracy is often that a majority, however slim, votes in a way that impacts the rights of a minority, and, whilst we’re waxing philosophic, we would worry were the rights of that minority so dramatically impacted as the result of a non-binding vote. Perhaps a better structure to reduce chaos in the future is two votes, each tied to some super-majority. A first to negotiate, and a second to approve the result.

It doesn’t seem like so revolutionary an idea.

An Infosec lesson from the "Worst Play Call Ever"

It didn’t take long for the Seahawks’ game-losing pass to get a label.

But as Ed Felten explains, there’s actually some logic to it, and one of his commenters (Chris) points out that Marshawn Lynch scored in only one of his 5 runs from the one yard line this season. So, perhaps in a game in which the Patriots had no interceptions, it was worth the extra play before the clock ran out.

We can all see the outcome, and we judge, post-facto, the decision on that.

In security, we almost never see an outcome so closely tied to a decision. As Jay Jacobs has pointed out, we live in a wicked environment. Unfortunately, we’re quick to snap to judgement when we see a bad outcome. That makes learning harder. Also, we don’t usually get a chance to see the logic behind a play and assess it.

If only we had a way to shorten those feedback loops, then maybe we could assess what the worst play call in infosec might be.

And in fact, despite my use of snarky linkage, I don’t think we know enough to judge Sony or ChoicePoint. The decisions made by Spaltro at Sony are not unusual. We hear them all the time in security. The outcome at Sony is highly visible, but is it the norm, or is it an outlier? I don’t think we know enough to know the answer.

Hindsight is 20/20 in football. It’s easy to focus in on a single decision. But the lesson from Moneyball, and the lesson from Pete Carroll is “Really, with no second thoughts or hesitation in that at all.” He has a system, and it got the Seahawks to the very final seconds of the game. And then.

One day, we’ll be able to tell management “our systems worked, and we hit really bad luck.”

[Please keep comments civil, like you always do here.]

Thoughts on the Tragedies of December 14th

I started this post on December 14th, and couldn’t finish it. I’m going to leave the opening as I wrote it then: By now, everyone has heard of the tragic school shooting in Connecticut. My heart goes out to everyone touched by the events. But this isn’t the first school shooting on a December 14th. I went to a tiny school, Simon’s Rock, and on December 14, 1992, Wayne Lo murdered my friend Galen Gibson and Professor Ñacuñán Sáez. He also shot my friend Tom McElderry. I can still remember the phone call from my friend Chi, telling me that Tommy had been shot and was in the hospital. I remember being up all night, spreading what little information we had by phone, and wondering what the hell was going on. I remember that weeks later, I’d get emails from co-workers whose local papers in places like Japan finally carried the story. For years after, I took December 14th as a day off, because it was hard to handle life with that weighing on you.

It’s a sad reality that we now have enough school shootings that one of them was going to fall on an anniversary of another. (Statisticians call this the birthday problem.) It’s also a sad reality that we have enough of them that schools, police and emergency responders have plans for them.

What a fucking world.

Some people like to say things like “time heals all wounds,” but you know? Greg Gibson isn’t going to get his son back. Ñacuñán’s family isn’t going to get him back. And twenty or more families in Sandy Hook will never again be the same. I’m having trouble editing this more than a month later because of how the memories flood back.

All that to say that I have some understanding of these events, and I think I can talk about them differently than a random observer.

A lot of people are using this tragedy to say we need gun control. I understand where they’re coming from, and I disagree. We’ve had a lifetime of marijuana control, and it didn’t work. We suffered under crypto controls, and they didn’t work. Assholes who want a gun will likely be able to get a gun whatever regime we put in place. There’s some truth to the claim that if guns are outlawed, only outlaws will have guns. Maybe we’d gain some ability to catch these nuts early, but maybe not. Those who say that easy availability of guns drives murder rates must do better than simply cherry picking data. What makes the US worse than Switzerland or Israel?

Yesterday, the President outlined a set of proposals including expanded background checks, and signed executive actions including one to “encourage federal agencies and state governments to share more information.” And now I find it hard to speak, and hard to remain silent.

Infringing privacy would not have stopped the events at Sandy Hook, and I worry that reducing privacy around mental health care is going to deter people who need health care from getting it. That may mean that more people will end up hurt or dead. I’m confident that no one wants that, and we need to rationally consider the tradeoff.

I also see a lot of people who are worried about gun control being so strident that they’re undercutting their own case. I agree that gun control is a poor response, and I think the NRA are coming off like a bunch of idiots. I’m trying not to be strident, just add a voice to say that even from a position of grief, it’s possible to see that what’s proposed probably will not meet the goals.

I don’t know what we should do. I do think that taking the entire TSA budget and moving it to mental health care would be a fine start.

Another fine way to proceed would be to threat model and try to judge the efficacy of the mitigation techniques. (For those who don’t know me, I spent a few years designing threat modeling tools and techniques which you can read about here.) Perhaps that starts from data on how people who use guns to hurt themselves or others get them. There’s an easy trope of “buys a gun and shoots someone.” Is that because it’s common, or because the stories are highly “available” and spring to mind? I don’t know, and in that vein, more studies of gun ownership and gun violence are probably going to help. Whatever approach to threat modeling we take should also include the hundreds of millions of guns owned by hundreds of millions of people and not misused.

We can and should do better than bringing back ideas that didn’t pass muster in calmer times. We should be cautious about trading a little liberty for a little safety. And whatever we do, we should do so respectful of the victims.

Paul Ryan open thread

Oh, what the heck, it hasn’t been chaotic enough around here. So, I’ll give you a topic: Paul Ryan. Commentary from The Economist starts:

IN THE polarised world of American politics, achieving bipartisan agreement on any topic is a rare feat nowadays. So perhaps it’s worth celebrating the fact that, had it been put to a vote, the pick of Paul Ryan as Mitt Romney’s running-mate likely would’ve gained support from both parties.

Please, continue. Was it a hail mary move? Will Ryan energize the Republican base enough to get out more votes? Will he drive votes to the Democrats?

What do you think?

Oh, and bonus points if you can tie in internet security.