Shostack + Friends Blog Archive


Shocking News of the Day: Social Security Numbers Suck

The firm’s annual Banking Identity Safety Scorecard looked at the consumer-security practices of 25 large banks and credit unions. It found that far too many still rely on customers’ Social Security numbers for authentication purposes — for instance, to verify a customer’s identity when he or she wants to speak to a bank representative over […]


Nymwars: Thoughts on Google+

There’s something important happening around Google+. It’s the start of a rebellion against the idea of “government authorized names.” (A lot of folks foolishly allow the other side to name this as “real names,” but a real name is a name someone calls you.) Let’s start with “Why Facebook and Google’s Concept of ‘Real Names’ […]


Rights at the "Border"

“I was actually woken up with a flashlight in my face,” recalled Mike Santomauro, 27, a law student who encountered the [Border Patrol] in April, at 2 a.m. on a train in Rochester. Across the aisle, he said, six agents grilled a student with a computer who had only an electronic version of his immigration […]


How not to address child ID theft

(San Diego, CA) Since the 1980’s, children in the US have been issued Social Security numbers (SSN) at birth. However, by law, they cannot be offered credit until they reach the age of 18. A child’s SSN is therefore dormant for credit purposes for 18 years. Opportunists have found novel ways to abuse these “dormant” […]


A Blizzard of Real Privacy Stories

Over the last week, there’s been a set of entertaining stories around Blizzard’s World of Warcraft games and forums. First, “World of Warcraft maker to end anonymous forum logins,” in a bid to make the forums less vitriolic: Mr Brand said that one Blizzard employee posted his real name on the forums, saying that there […]


Showing ID In Washington State

Back in October, I endorsed Pete Holmes for Seattle City Attorney, because of slimy conduct by his opponent. It turns out that his opponent was not the only one mis-conducting themselves. The Seattle PD hid evidence from him, and then claimed it was destroyed. They have since changed their story to (apparent) lies about “computer […]


News from RSA: U-Prove

In “U-Prove Minimal Disclosure availability,” Kim Cameron says: This blog is about technology issues, problems, plans for the future, speculative possibilities, long term ideas – all things that should make any self-respecting product marketer with concrete goals and metrics run for the hills! But today, just for once, I’m going to pick up an actual […]


Puerto Rico: Biggest Identity Theft ever?

Apparently, the government of Puerto Rico has stolen the identities of something between 1.7 and 4.1 million people Native Puerto Ricans living outside the island territory are reacting with surprise and confusion after learning their birth certificates will become no good this summer. A law enacted by Puerto Rico in December mainly to combat identity […]


Abdulmutallab/Flight 253 Airline Terror links

Air Canada is canceling US flights because of security. (Thanks, @nselby!) The New York Times reports that “Britain Rejected Visa Renewal for Suspect.” NPR reported that the State Department may have raised some sort of flag, but I don’t have a link. ABC is reporting that two of the “al Qaeda Leaders Behind Northwest Flight […]


Abdulmutallab/Flight 253 Airline Terror links

The Economist “The latest on Northwest flight 253:” “the people who run America’s airport security apparatus appear to have gone insane” and “This is the absolute worst sort of security theatre: inconvenient, absurd, and, crucially, ineffective.” Business Travel Coalition, via Dave Farber and Esther Dyson, “Aviation Security After Detroit:” “It is welcome news that President […]


Fingerprinted and Facebooked at the Border

According to the Wall St Journal, “Iranian Crackdown Goes Global,” Iran is monitoring Facebook, and in a move reminiscent of the Soviets, arresting people whose relatives criticize the regime online. That trend is part of a disturbing tendency to criminalize thoughts, intents, and violations of social norms, those things which are bad because they […]


Some thoughts on the Olympics, Chicago and Obama

So the 2016 Olympics will be in Rio de Janeiro. Some people think this was a loss for Obama, but Obama was in a no-win situation. His ability to devote time to trying to influence the Olympics is strongly curtailed by other, more appropriate priorities. If he hadn’t gone to Copenhagen, he would have been […]


Social Security Numbers are Worthless as Authenticators

The nation’s Social Security numbering system has left millions of citizens vulnerable to privacy breaches, according to researchers at Carnegie Mellon University, who for the first time have used statistical techniques to predict Social Security numbers solely from an individual’s date and location of birth. The findings, published Monday in The Proceedings of the National […]


Rebellion over an ID plan

What they were emphatically not doing, said Jay Platt, the third-generation proprietor of the ranch, was abiding by a federally recommended livestock identification plan, intended to speed the tracing of animal diseases, that has caused an uproar among ranchers. They were not attaching the recommended tags with microchips that would allow the computerized recording of […]


Can't Win? Re-define losing the TSA Way!

We were surprised last week to see that the GAO has issued a report certifying that, “As of April 2009, TSA had generally achieved 9 of the 10 statutory conditions related to the development of the Secure Flight program and had conditionally achieved 1 condition (TSA had defined plans, but had not completed all activities […]


Need ID to see Joke ID card

A bunch of folks sent me links to this Photography License, which also found its way to BoingBoing: Now, bizarrely, if you visit that page, Yahoo wants you to show your (Yahoo-issued) ID to see (Matt’s self-issued) ID. It’s probably a bad idea to present a novelty version of a DHS document to law enforcement. […]


The Identity Divide and the Identity Archipelago

(I’d meant to post this in June. Oops! Chaos reigns!) Peter Swire and Cassandra Butts have a fascinating new article, “The ID Divide.” It contains a tremendous amount of interesting information that I wasn’t aware of, about how infused with non-driving purposes the drivers license is. I mean, I know that the ID infrastructure, is, […]


Authenticating Alan Shimel is Certifiably Hard

Alan Shimel got hacked, and he’s blogging about it, in posts like “I’m back.” It sounds like an awful experience, and I want to use it to look at authentication and certificates. None of this is intended to attack Alan in any way: it could happen to any of us. One of the themes of […]


Watchlist Cleaning Law

Former South African President Nelson Mandela is to be removed from U.S. terrorism watch lists under a bill President Bush signed Tuesday… The bill gives the State Department and the Homeland Security Department the authority to waive restrictions against ANC members. This demonstrates that greater scrutiny must be placed on the decisions about who gets […]


UK Passport Photos?

2008 and UK passport photos now have the left eye ‘removed’ to be stored on a biometric database by the government. It’s a photo that seems to say more to me about invasion of human rights and privacy than any political speech ever could. Really? This is a really creepy image. Does anyone know if […]


Praises for the TSA

We join our glorious Soviet brothers of the TSA in rejoicing at the final overthrow of the bourgeoisie conception of “liberty” and “freedom of expression” at the Homeland’s airports. The People’s Anonymous Commissar announced: This change will apply exclusively to individuals that simply refuse to provide any identification or assist transportation security officers in ascertaining […]


The Costs of Security and Algorithms

I was struck by this quote in the Economist special report on international banking: There were navigational aids to help investors but they often gave false comfort. FICO scores, the most widely used credit score in America, were designed to assess the creditworthiness of individual borrowers, not the quality of pools of mortgages. “’Know your […]


Apparently The State Department Didn’t Learn From Regular Passports

The Washington Times reports that the State Department is going to be producing “passport cards” for people who regularly travel by car or boat to/from Canada, Mexico and the Caribbean. About the size of a credit card, the electronic-passport card displays a photo of the user and a radio frequency identification (RFID) chip containing data about […]


Saving the Taxpayers Money

The Washington Times reports, “Outsourced passports netting govt. profits, risking national security.” It is the first of a three-parter. Interesting comments: The United States has outsourced the manufacturing of its electronic passports to overseas companies — including one in Thailand that was victimized by Chinese espionage — raising concerns that cost savings are being put […]


Because RealID Isn't Good Enough

Apparently we need not one, but two national ID cards. Illinois Reps. Mark Kirk and Peter Roskam (may they not get re-elected in November) are introducing legislation that would mandate that Social Security cards have “a photograph and fingerprint, as well as a computer chip, bar code and magnetic strip.” The cards would be modeled […]


Australia dumps National ID

Opponents of Australia’s controversial Access Card received an early Christmas present earlier this month when the incoming Rudd Labor Government finally axed the controversial ID program. Had it been implemented, the Access Card program would have required Australians to present the smart card anytime they dealt with certain federal departments, including Medicare, Centrelink, the Child […]


Paddington Bear, Illegal Immigrant

In the new book [Paddington] bear, who arrived in the country as a stowaway, is interviewed about his right to stay in England. He has no papers to prove his identity as his Aunt Lucy arranged for him to hide on a ship’s lifeboat from Peru when she went to live in the Home for […]


Sammer at Officer Candidate School

Those of you who don’t know Sameer Parekh can ignore this message. For those of you who do, he’s joined the Marines and is attending Officer Candidate School, and would appreciate your letters: He does not have access to email or phone. Please send him snail mail (US mail) as often as you can. He […]


Fake Steve and Real Mackey

So with the small, literal men at the New York Times poking through the veil of anonymity that allowed Fake Steve to produce the best blog since “The Darth Side,” we have a serious threat to the stability of the republic, which is the false hope that by assigning people names, we can control them. […]


Stop Real ID, again

Apparently, the forces of evil have inserted themselves a national ID clause into the immigration bill (two bad bills, risen from the dead together?) Please go to Unreal ID’s action page to send a fax. It only takes a minute.


Global Biometrics Database, Coming Soon to You

Raiders News Network quotes an Interpol press release, “G8 Give Green Light For Global Biometric Database:” MUNICH, Germany – G8 Justice and Interior Ministers today endorsed a range of vital policing tools proposed by Interpol Secretary General Ronald K. Noble aimed at enhancing global security. Secretary General Noble exposed the global problem of prison escapes […]


Federal Computer Week on SSN Purges

There’s an article in Federal Computer Week explaining that “Agencies face SSN scrubdown.” We mentioned this last week in “White House Data Breach Prevention Guidelines.” I am pleasantly surprised to learn that some data actually will be declared ‘unnecessary:’ Agencies can eliminate some SSN uses by asking employees not to write their SSNs on […]


Stop Real ID

So I was a little curt in my bloviation the other day about the REAL ID forum. There’s good people doing real work to stop this thing, and they deserve your help and support. Over 40 organizations representing transpartisan, nonpartisan, privacy, consumer, civil liberty, civil rights, and immigrant organizations have joined to launch a national […]


DHS Sends a Flunky to Do A Man's Job

So DHS has managed to cancel all but one “Town Hall Meeting” about REAL ID. They’re sending a “Richard Barth, Assistant Secretary, Office of Policy Development” to talk to the fine people of San Francisco about the travesty of a national ID card which is REAL ID. We’ll waste $20 billion dollars on this nonsense, […]


How Long To Be Identified?

Today I spent nine (9) (no, that’s not a typo) hours in line to apply for a passport. What happened was, since the U.S. changed the rules to say everyone’s gotta have a passport, a lot of Americans and Canadians who were used to going back and forth between the countries suddenly needed passports, and […]


Stop REAL-ID From Wasting Real Money and Liberty

Welcome to the Stop Real ID Now blog. Not surprisingly, we’ll be talking a lot here about the Real ID Act of 2005… and more specifically about an activism campaign that will use the power of blogs, social networks and art as well as creating partnerships and using media outreach to, we hope, stop the […]


"Voluntary" ID Cards

Anybody who objects to their personal details going on the new “Big Brother” ID cards database will be banned from having a passport. James Hall, the official in charge of the supposedly-voluntary scheme, said the Government would allow people to opt out – but in return they must “forgo the ability” to have a travel […]


No RFID In Real ID

So DHS finally released the proposed new standard for drivers licenses as mandated under the Real ID Act. It’s a rather long document (over 150 pages) so I haven’t had a chance to read the whole thing but 27B Stroke 6 has some highlights, including: While some expected Homeland Security to require the licenses to […]


It’s "privacy," Jim, but not as we know it.

The Canadian Privacy Commissioner has issued a number of new rulings, essentially ruling that anyone in Canada can request an ID card whenever they want. The first, summarized by Michael Geist in “Privacy Commissioner on Domain Name Registrant ID Requirements” says: requirements of personal identification, such as a driver’s license, in order to change the […]


Akaka-Sununu Bill Repeals Key Aspects Of The Real ID Act

Daniel Akaka and John Sununu have introduced a bill to repeal title II of the Real ID Act. From the press release: The Identification Security Enhancement Act (S. 4117) replaces REAL ID with language from the Intelligence Reform and Terrorism Prevention Act of 2004 (P.L. 108-458), which took a more measured approach in mandating tougher […]


Small Bits of Chaos

Michael Geist is covering Canadian Parliamentary hearings over that country’s privacy law in “PIPEDA Hearings – Day 01 (Industry Canada)” “PIPEDA Hearings – Day 02 (B.C. Privacy Experts)” Bakelblog vents about the petty tyranny of immigration bureaucrats in “Welcome to America, Fuckwads!” Alec Muffet has interesting and detailed comments about the broken security of the […]


The Kristian Von Hornsleth of the Blogosphere?

Apparently, artist Kristian Von Hornsleth has been paying Ugandans to rename themselves Hornsleth, as a way of drawing attention to aid failures. His exhibit is sub-titled “We want to help you, but we want to own you.” I think it’s brilliant. Regular readers know that we talk a lot about identity, id cards, and economics. […]


On Printing Boarding Passes, Christopher Soghoian-style.

Yesterday, I blogged about Christopher Soghoian’s print your own boarding pass tool. Quite a few people (including the FBI) are taking the wrong lesson from this. Wrong lessons include “we shouldn’t be allowed to print boarding passes,” “we should check ID at the gate,” and “Christopher Soghoian should be arrested.” The right lesson is that […]


Real ID Will Waste $11 Billion

What could you do with $11 billion? How many ways could we make the world a better place with that money? I know! Let’s spend it on a national ID card! The $11 billion figure comes from the National Conference of State Legislatures, and doesn’t include wasted time by productive members of society. On the […]


Which Stupidity to Stop?

Stupid bills before legislatures seem to be a target-rich environment, which is to say, it’s hard to even say where to start. So allow me to offer a suggestion: California’s SB768 will slow RFID stupidity. Take a look at EFF’s fact sheet, and then, if you’re in California, call your local Governator, and tell […]


Ali, by Any Other Name

Bob Blakely used to be fond of saying that privacy is the ability to lie and get away with it. To have to hide one’s name is considered deeply shameful. But with sectarian violence surging, Iraqis fear that the name on an identification card, passport or other document could become an instant death sentence if […]


New Security Measures: Effective, Non-intrusive

Or not. The BBC reports that “10,000 bags misplaced at airports,” and a “Boy boards [a] plane without tickets (sic).” Meanwhile, here at home, we have a program that engages in behavioral profiling in some airports. How effective is it? The New York Times reports in “Faces, Too, Are Searched at U.S. Airports:” In nine […]



Is that enough acronyms yet? In Adam’s previous post, Justin Mason commented: There’s another danger of this — even if the number is an opaque ID, the *presence* of the RFID chip means than an attacker can remotely detect the presence of an I-94, therefore a foreign passport, therefore a tourist ripe for a mugging […]


The Assignment of a Mandatory Identifier

So two stories came out recently, and they’re connected by a thread, which is the assignment of identifiers. The first was in Government Computer News, “IG: U.S. Visit RFID needs better security controls,” which opens: The RFID on the Form I-94s was designed with privacy protections, the inspector general said. Specifically, the RFID tag, which […]


RFID Passport Security Clarified

Not that it needed clarification. RFID passports have been a boondoggle without a purpose for a long time. It’s been clear that they make us less secure. Now it turns out they can be easily cloned: German computer security consultant has shown that he can clone the electronic passports that the United States and other […]


"Privacy" International

As mentioned by Ben Laurie, Simon Davies, the Director of Privacy International, was quoted in IT Week’s “Will industry rescue the identity card?” as saying: “I’ve believed for some months that a ‘white knight’ consortium from industry is needed,” Davies said. “Companies that can see the benefits of the ID card idea should approach the […]


Well, He Had Valid ID (Houston Edition)

Houston police and the federal Transportation Security Administration disagree over who is responsible for allowing a man with what appeared to be bomb components board an aircraft at Hobby Airport last week. Although the FBI eventually cleared the man of wrongdoing, police officials have transferred the officer involved and are investigating the incident while insisting […]


UK ID Cards Dead?

Via Charlie Stross we learn that the Sunday Times reports, “ID cards doomed, say officials:” TONY BLAIR’S flagship identity cards scheme is set to fail and may not be introduced for a generation, according to leaked Whitehall e-mails from the senior officials responsible for the multi-billion-pound project. … [Peter Smith, acting commercial director at the […]


President Bush Calls for National ID Card

[Bush] also proposed to cut back on potential fraud by creating an identification card system for foreign workers that would include digitized fingerprints. He said that a tamperproof identification card for workers would “leave employers with no excuse” for violating the law. Of course, that means the rest of us will need the cards, too, […]


Alberta Driving Law

Members of an Alberta Hutterite colony have won the right to carry driver’s licences that don’t carry their photographs. The Wilson Colony, near Coaldale, 12 kilometres east of Lethbridge, took the province to court after the government introduced a new licence that must have a driver’s photo on it. The colony argued in a Lethbridge […]


Small Bits of Chaos: Hal Stern, Lexis-Nexis Hackers, UK ID Cards, Bolton

Hal Stern has a blog! Hi, Hal! Wired News has a long story, “Database Hackers Reveal Tactics,” about the kids who broke into Lexis-Nexis. There’s some interesting bits. Most interesting to me is that none of these kids seem to have lawyers telling them to shut up. The BBC has an article on British reactions […]


New Books

Two new books that may be of interest are blogger Wendy McElroy’s “National Identification Systems, Essays in Opposition” and Choicepoint CISO Richard Baich’s “Winning as a CISO.” I was going to add clever text juxtaposing the texts, but really. hmmm, I really must make this post longer, or the blog looks really bad. […]


Real ID, Real Problems

Bill Scannell writes: We have less than 48 hours to stop our nation from having a National ID card scheme. Do we really want to have the same ID system as Communist China? I think not. The US Senate is scheduled to vote this Tuesday on the Real ID Act. They’ve never debated the bill. […]


Texas DMV, hundreds, mailing errors

An agency that warns Texans not to share personal information with strangers because of the risks of identity theft mistakenly mailed hundreds of driver’s licenses to the wrong people. The Texas Department of Public Safety (DPS) blamed the mixup on a malfunctioning machine that was recently installed to sort licenses for mailing. Statewide, at least […]


Drivers License Fraud

The greater the trust and reliance people place in drivers licenses, the greater the incentive to get fraudulently issued ones. FoxNews reports on “Workers Charged With Taking Payoffs for IDs” (via JihadWatch.) “With a valid driver’s license, you establish an identity,” said Michael Garcia, assistant secretary of the Homeland Security Department. … The three Florida […]


Economics of Fake IDs

Some states will begin using new watermark technology akin to that used on currency for drivers’ licenses next year… While the backers of these efforts say they herald the demise of the fake ID, officers on the beat have doubts. “They find a loophole and exploit it,” said Sergeant Planeta of the New York document […]