When I think about how to threat model well, one of the elements that is most important is how much people need to keep in their heads, the cognitive load if you will. In reading Charlie Stross’s blog post, “Writer, Interrupted” this paragraph really jumped out at me: One thing that coding and writing fiction […]
At the RMS blog, we learn they are “Launching a New Journal for Terrorism and Cyber Insurance:” Natural hazard science is commonly studied at college, and to some level in the insurance industry’s further education and training courses. But this is not the case with terrorism risk. Even if insurance professionals learn about terrorism in […]
Nothing. No, seriously. Articles like “Microsoft Secure Boot key debacle causes security panic” and “Bungling Microsoft singlehandedly proves that golden backdoor keys are a terrible idea” draw on words in an advisory to say that this is all about golden keys and secure boot. This post is not intended to attack anyone; researchers, journalists or […]
C-3PO: Sir, the possibility of successfully navigating an asteroid field is approximately 3,720 to 1. Han Solo: Never tell me the odds. I was planning to start this with a C-3PO quote, and then move to a discussion of risk and risk taking. But I had forgotten just how rich a vein George Lucas tapped […]
Have a survival kit: ricola, Purell, gatorade, advil and antacids can be brought or bought on site. Favorite talk (not by me): I look forward to Sounil Yu’s talk on “Understanding the Security Vendor Landscape Using the Cyber Defense Matrix.” I’ve seen an earlier version of this, and like the model he’s building a great […]
I was confused about why Dan Kaminsky would say CVE-2015-7547 (a bug in glbc’s DNS handling) creates network attack surface for sudo. Chris Rohlf kindly sorted me out by mentioning that there’s now a -host option to sudo, of which I was unaware. I had not looked at sudo in depth for probably 20 years, […]
Many executives have been trying to solve the problem of connecting security to the business, and we’re excited about what we’re building to serve this important and unmet need. If you present security with an image like the one above, we may be able to help. My new startup is getting ready to show our […]
One of the most interesting security books I’ve read in a while barely mentions computers or security. The book is Petroski’s The Evolution of Useful Things. As the subtitle explains, the book discusses “How Everyday Artifacts – From Forks and Pins to Paper Clips and Zippers – Came to be as They are.” The chapter […]
As you may be aware, I’m a fan of using Star Wars for security lessons, such as threat modeling or Saltzer and Schroeder. So I was pretty excited to see Wade Baker post “Luke in the Sky with Diamonds,” talking about threat intelligence, and he gets bonus points for crossover title. And I think it’s […]
A conversation with an old friend reminded me that there may be folks who follow this blog, but not the New School blog. Over there, I’ve posted “Improving Security Effectiveness” about leaving Microsoft to work on my new company: For the last few months, I’ve been working full time and talking with colleagues about a […]
It didn’t take long for the Seahawk’s game-losing pass to get a label. But as Ed Felten explains, there’s actually some logic to it, and one of his commenters (Chris) points out that Marshawn Lynch scored in only one of his 5 runs from the one yard line this season. So, perhaps in a game […]
I’m having a problem where the “key identifier” displayed on my ios device does not match the key fingerprint on my server. In particular, I run: % openssl x509 -in keyfile.pem -fingerprint -sha1 and I get a 20 byte hash. I also have a 20 byte hash in my phone, but it is not that […]
For many years, I have been saying that “think like an attacker” is bad advice for most people. For example: Here’s what’s wrong with think like an attacker: most people have no clue how to do it. They don’t know what matters to an attacker. They don’t know how an attacker spends their day. They […]
One of the most effective ways to improve your software is to use it early and often. This used to be called eating your own dogfood, which is far more evocative than the alternatives. The key is that you use the software you’re building. If it doesn’t taste good to you, it’s probably not customer-ready. […]
In light of recent news, such as “FreeBSD washing Intel-chip randomness” and “alleged NSA-RSA scheming,” what advice should we give engineers who want to use randomness in their designs? My advice for software engineers building things used to be to rely on the OS to get it right. That defers the problem to a small […]
As I think more about the way people are likely to use a password manager, I think there’s real problems with the way master passwords are set up. As I write this, I’m deeply aware that I’m risking going into a space of “it’s logical that” without proper evidence. Let’s start from the way most […]
The folks at Hashcat have some interesting observations about 1Password. The folks at 1Password have a response, and I think there’s all sorts of fascinating lessons here. The crypto conversations are interesting, but at the end of the day, a lot of security is unavoidably contributed by the master password strength. I’d like to offer […]
In ““Secure Password Managers” and “Military-Grade Encryption” on Smartphones: Oh, Really?” Andrey Belenko and Dmitry Sklyarov write quite a bit about a lot of password management tools. This is admirable work, and I’m glad BlackHat provided a forum for it. However, as a user of 1Password, I was concerned to read the following about that […]
The firm’s annual Banking Identity Safety Scorecard looked at the consumer-security practices of 25 large banks and credit unions. It found that far too many still rely on customers’ Social Security numbers for authentication purposes — for instance, to verify a customer’s identity when he or she wants to speak to a bank representative over […]
There’s been much talk of predictions lately, for some reason. Since I don’t sell anything, I almost never make them, but I did offer two predictions early in 2010, during the germination phase of a project a colleague was working on. Since these sort of meet Adam’s criteria by having both numbers and dates, I […]
Wendy Nather has continued the twitter conversation which is now a set of blog posts. (My comments are threat modeling and risk assessment, and hers: “That’s not a bug, it’s a creature. “) I think we agree on most things, but I sense a little semantic disconnect in some things that he says: The only […]
Yesterday, I got into a bit of a back and forth with Wendy Nather on threat modeling and the role of risk management, and I wanted to respond more fully. So first, what was said: (Wendy) As much as I love Elevation of Privilege, I don’t think any threat modeling is complete without considering probability […]
Three stories, related by the telephone, and their impact on privacy: CNN reports that your cell phone is being tracked in malls: Starting on Black Friday and running through New Year’s Day, two U.S. malls — Promenade Temecula in southern California and Short Pump Town Center in Richmond, Va. — will track guests’ movements by […]
Let me start with an extended quote from “Why I Feel Bad for the Pepper-Spraying Policeman, Lt. John Pike“: They are described in one July 2011 paper by sociologist Patrick Gillham called, “Securitizing America.” During the 1960s, police used what was called “escalated force” to stop protesters. “Police sought to maintain law and order often […]
For more than a decade, California and other states have kept their newest teen drivers on a tight leash, restricting the hours when they can get behind the wheel and whom they can bring along as passengers. Public officials were confident that their get-tough policies were saving lives. Now, though, a nationwide analysis of crash […]
In “Is Your Religion Your Financial Destiny?,” the New York Times presents the following chart of income versus religion: Note that it doesn’t include the non-religious, which one might think an interesting group as a control. Now, you might think that’s because the non-religious aren’t in the data set. But you’d be wrong. In the […]
Yesterday, I said on Twitter that “If you work in information security, what’s happening in Egypt is a trove of metaphors and lessons for your work. Please pay attention.” My goal is not to say that what’s happening in Egypt is about information security, but rather to say that we can be both professional and […]
Intrusiveness and outrage: “Homeland Security Is Also Monitoring Your Tweets” “‘Baywatch’ Beauty Feels Overexposed After TSA Scan” (David Moye, AOLnews) “the agent responded, ‘Because you caught my eye, and they’ — pointing to the other passengers — ‘didn’t.’” “POLICE STATE – TSA, Homeland Security & Tampa Police Set Up Nazi Checkpoints At Bus Stations ” […]
“I understand people’s frustrations, and what I’ve said to the TSA is that you have to constantly refine and measure whether what we’re doing is the only way to assure the American people’s safety. And you also have to think through are there other ways of doing it that are less intrusive,” Obama said. “But […]
National Institute of Standards and Technology Gaithersburg, MD USA April 5-6, 2011 Call for Participation The field of usable security has gained significant traction in recent years, evidenced by the annual presentation of usability papers at the top security conferences, and security papers at the top human-computer interaction (HCI) conferences. Evidence is growing that significant […]
“Towards Better Usability, Security and Privacy of Information Technology” is a great survey of the state of usable security and privacy: Usability has emerged as a significant issue in ensuring the security and privacy of computer systems. More-usable security can help avoid the inadvertent (or even deliberate) undermining of security by users. Indeed, without sufficient […]
Outrage “Adam Savage: TSA saw my junk, missed 12″ razor blades” (Ben Kuchera, Ars Technica with video) “DHS & TSA: Making a list, checking it twice” (Doug Hadmann, Canada Free Press) claims that DHS has an internal memo calling those 59% of Americans who oppose pat downs “domestic extremists.” No copies of the memo have […]
A number of faculty at UCSF have a letter to John Holdren, the President’s advisor on science and technology. There’s a related story on NPR.org, but I’d missed the letter. It appears the concerns of 3 members of the National Academy of Sciences have been completely ignored.
Nature reports that Quantum Cryptography has been completely broken in “Hackers blind quantum cryptographers.” Researcher Vadim Makarov of the Norwegian University of Science and Technology constructed an attack on a quantum cryptography system that “gave 100% knowledge of the key, with zero disturbance to the system,” as Makarov put it. There have been other attacks […]
My talk at Black Hat this year was “Elevation of Privilege, the Easy Way to Get Started Threat Modeling.” I covered the game, why it works and where games work. The link will take you to the PPTX deck.
Core Security Ariel Waissbein has been building security games for a while now. He was They were kind enough to send a copy of his their “Exploit” game after I released Elevation of Privilege. [Update: I had confused Ariel Futoransky and Ariel Waissbein, because Waissbein wrote the blog post. Sorry!] At Defcon, he and his […]
This week, the annual Symposium on Usable Privacy and Security (SOUPS) is being held on the Microsoft campus. I delivered a keynote, entitled “Engineers Are People Too:” In “Engineers Are People, Too” Adam Shostack will address an often invisible link in the chain between research on usable security and privacy and delivering that usability: the […]
I’m doing some work that involves seeing what people are saying about the state of malware in 2010, and search terms like “malware report” get a lot of results, they don’t always help me find thinks like the Symantec ISTR, the McAfee threats report or the Microsoft SIR. To date, I’ve found reports from Cisco, […]
We show that malicious TeX, BibTeX, and METAPOST files can lead to arbitrary code execution, viral infection, denial of service, and data exfiltration, through the file I/O capabilities exposed by TeX’s Turing-complete macro language. This calls into doubt the conventional wisdom view that text-only data formats that do not access the network are likely safe. […]
JC Penney, Wet Seal: Gonzalez Mystery Merchants JCPenney and Wet Seal were both officially added to the list of retail victims of Albert Gonzalez on Friday (March 26) when U.S. District Court Judge Douglas P. Woodlock refused to continue their cloak of secrecy and removed the seal from their names. StorefrontBacktalk had reported last August […]
In the eight months that I was the head of security under the Andolino administration, the commissioner of the busiest airport of the world, depending on who’s taking the survey, the busiest airport in the world, never once had a meeting with the head of security for the busiest airport in the world. Never once. […]
In my work blog: “Announcing Elevation of Privilege: The Threat Modeling Game.” After RSA, I’ll have more to say about how it came about, how it helps you and how it helps more chaos emerge. But if you’re here, you should come get a deck at the Microsoft booth (1500 row).
Or, Security and Privacy are Complimentary, Part MCVII: Later, I met one executive who told me that at the same time of my incident at another restaurant owned by the corporation, a server was using stolen credit card numbers by wearing a small camera on him. He would always check ID’s and would quickly flash […]
When this blog was new, I did a series of posts on “The Security Principles of Saltzer and Schroeder,” illustrated with scenes from Star Wars. When I migrated the blog, the archive page was re-ordered, and I’ve just taken a few minutes to clean that up. The easiest to read version is “Security Principles of […]
Privacy and security often complement each other in ways that are hard to notice. It’s much easier to present privacy and security as “in tension” or as a dependency. In this occasional series, we present ways in which they compliment each other. In this issue, the Financial Times reports that “Hackers target friends of Google […]
Orr Dunkelman, Nathan Keller, and Adi Shamir have released a paper showing that they’ve broken KASUMI, the cipher used in encrypting 3G GSM communications. KASUMI is also known as A5/3, which is confusing because it’s only been a week since breaks on A5/1, a completely different cipher, were publicized. So if you’re wondering if this […]
The paper is here. The very sane opening paragraph is: On December 12, 2009, we factored the 768-bit, 232-digit number RSA-768 by the number field sieve (NFS, [19]). The number RSA-768 was taken from the now obsolete RSA Challenge list [37] as a representative 768-bit RSA modulus (cf. [36]). This result is a record for […]
As I simmer with anger over how TSA is subpoening bloggers, it occurs to me that the state of airline security is very similar to that of information security in some important ways: Failures are rare Partial failures are generally secret Actual failures are analyzed in secret Procedures are secret Procedures seem bizarre and arbitrary […]
Since there’s been so much discussion about the Chrismas Bomber, I want to avoid going over the same ground everyone else is. So as much as I can, I’m going to try to stick to lightly-treaded ground. This is a failure for the terrorists. A big one. Think about it; put yourself on the other […]
For some time, I’ve watched the War on Bottled Water with amusement. I don’t disagree with figuring out how to reduce waste, and so on and so forth, but the railing against bottled water per se struck me as not thought out very well. The major reason for my thinking is that I never heard […]
Via Gary Leff, we learn that “The TSA Puts Their Sensitive Security Screening Procedures Online For All To See (oops).” It’s another “we blacked out the doc without blacking out the data” story. The doc is 93 pages, and I don’t have time to more than skim it right now. I think that the redactions […]
Chris Soghoian, who we’ve mentioned here extensively in the past, has posted some new research around just how much electronic surveillance is really going on here in the US. Sprint Nextel provided law enforcement agencies with its customers’ (GPS) location information over 8 million times between September 2008 and October 2009. This massive disclosure of […]
Thanks, Nicko!
Today on Thanksgiving, I’m thankful that the European Parliament has adopted what may be the first useful statement about the balance between security and privacy since Franklin: “… stresses that the EU is rooted in the principle of freedom. Security, in support of freedom, must be pursued through the rule of law and subject to […]
In “An Unstoppable Force Meets…” Haseeb writes about “we have just witnessed a monumental event in the history of online poker – the entrance of Isildur into our world of online poker.” Huh? Really? The post is jargon packed, and I’m not a poker player, but apparently this Isildur character has slaughtered all the best […]
or why RSnake will never be allowed to play video blackjat or poker at Blackhat ever again. Rsnake’s exploits with the game system on a recent flight are a fabulous read. Makes me wonder just how integrated these systems are with the regular flight systems though. Btw, RSnake, I expect a demo as part of […]
Over at the US Government IT Dashboard blog, Vivek Kundra (Federal CIO), Robert Carey (Navy CIO) and Vance Hitch (DOJ CIO) write: the evolving challenges we now face, Federal Information Security Management Act (FISMA) metrics need to be rationalized to focus on outcomes over compliance. Doing so will enable new and actionable insight into agencies’ […]
Quarter of a million Welsh profiles added to DNA database since 2000. [I forget who linked to this one.] CCTV in the spotlight: one crime solved for every 1,000 cameras [Via the security metrics mailing list.]
Which I’m not — but if I were, now would be the time. ‘Unbreakable’ quantum cryptography hacked without detection using lasers
I remember when Derek Atkins was sending mail to the cypherpunks list, looking for hosts to dedicate to cracking RSA-129. I remember when they announced that “The Magic Words are Squeamish Ossifrage.” How it took 600 people with 1,600 machines months of work and then a Bell Labs supercomputer to work through the data. I […]
Over at Haft of the Spear, Michael Tanji asks: You are the nation’s new cyber czar/shogun/guru. You know you can’t _force _anyone to do jack, therefore you spend your time/energy trying to accomplish what three things via influence, persuasion, shame and force of will? I think it’s a fascinating question, and posted my answer over […]
A bunch of widely read people are blogging about “MyIDscore.com Offers Free ID Theft Risk Score.” That’s Brian Krebs at the Washington Post. See also Jim Harper, “My ID Score.” First, there’s little explanation of how it’s working. I got a 240 when I didn’t give them my SSN, and my score dropped to 40 […]
The government is scrapping a post-Sept. 11, 2001, airport screening program because the machines did not operate as intended and cost too much to maintain. The so-called puffer machines were deployed to airports in 2004 to screen randomly selected passengers for bombs after they cleared the standard metal detectors. The machines take 17 seconds to […]
There’s a piece of software out there trying to cut down on blog spam, and it behaves annoyingly badly. It’s bad in a particular way that drives me up the wall. It prevents reasonable behavior, and barely blocks bad behavior of spammers. In particular, it stops all requests that lack an HTTP Referer: header. All […]
So I’m getting ready to head over to RSA, and I’m curious. If you believe that “security is about outcomes, not about process,” what outcomes do you want from RSA? How will you judge if the conference was worthwhile?
Back in March, the Berkeley Center for Law and Technology put on a great conference, the “Security Breach Notification Symposium.” It was a fascinating day, and the audio is now online.
Nearly a decade ago Bruce Schneier wrote “Security is a process, not a product.” His statement helped us advance as a profession, but with the benefit of hindsight, we can see he’s only half right. Security isn’t about technology. Security is about outcomes, and our perceptions, beliefs and assurance about those outcomes. Here’s a quick […]
While I was running around between the Berkeley Data Breaches conference and SOURCE Boston, Gary McGraw and Brian Chess were releasing the Building Security In Maturity Model. Lots has been said, so I’d just like to quote one little bit: One could build a maturity model for software security theoretically (by pondering what organizations should […]
In this week’s CSO Online, Bill Brenner writes about the recent breaks at Kaspersky Labs and F-Secure. You can tell his opinion from the title alone, “Security Vendor Breach Fallout Justified” in his ironically named “FUD watch” column. Brenner watched the FUD as he spreads it. He moans histrionically, When security is your company’s business, […]
Ethonomethodologists talk a lot about communities of practice. Groups of people who share some set of work that they do similarly, and where they’ll co-evolve ways of working and communicating. When everyone is part of a given community, this works really well. When we talk about “think like an attacker” within a community of security […]
In the Cryptography mailing list, John Gilmore recently brought up and interesting point. One of the oft-debated ways to fight spam is to put a form of proof-of-work postage on it. Spam is an emergent property of the very low cost of email combined with the effect that most of the cost is pushed to […]
I just finished an interesting paper, K. Koscher, A. Juels, T. Kohno, and V. Brajkovic. “EPC RFID Tags in Security Applications: Passport Cards, Enhanced Drivers Licenses, and Beyond.” In the paper, they analyze issues of cloning (easy) read ranges (longer than the government would have you believe) and `design drift’ (a nice way of saying […]
This photograph was taken at 11:19 AM on January 20th. It’s very cool that we can get 1 meter resolution photographs from space. What really struck me about this photo was.. well, take a look as you scroll down… What really struck me about this is the open space. What’s up with that? Reports were […]
Well, Mordaxus got the story, but I’ll add some links I found interesting or relevant. StoreFront BackTalk has From The Heartland Breach To Second Guessing Service Providers. Dave G at Matasano added “Heartland’s PCI certification.” The Emergent Chaos time travel team already covered that angle in “Massachusetts Analyzes its Breach Reports:” What’s exciting about this […]
There’s an interesting (and long!) “Final Report of the Internet Safety Technical Task Force to the Multi-State Working Group on Social Networking of State Attorneys General of the United States.” Michael Froomkin summarizes the summary.” Adam Thierer was a member of the task force, and has extensive commentary on the primary online safety issue today […]
..or, Spaf‘s DVD players get bricked. In which, lies a tale…
Gary McGraw has a new podcast, “Reality Check” about software security practitioners. The first episode features Steve Lipner. It’s some good insight into how Microsoft is approaching software security. I’d say more, but as Steve says two or three good things about my threat modeling tool, you might think it some form of conspiracy. You […]
Galois has announced “” Cryptol is a domain specific language for the design, implementation and verification of cryptographic algorithms, developed over the past decade by Galois for the United States National Security Agency. It has been used successfully in a number of projects, and is also in use at Rockwell Collins, Inc. … Cryptol allows […]
I’m just sitting here blinking, having a Brecht moment in which I am laughing at those who are crying and crying at those who are laughing. At the CCC congress, a number of people did something dramatic — they created a forged SSL certificate. It’s dramatic, but nothing special. We’ve known that MD5 is broken […]
Adam Dodge, building on research by Ponemon and Debix, says “Breaches Cost Companies Customers,” and Alan Shimel dissents in “Do data breaches really cost companies customers?” Me, I think it’s time we get deeper into what this means. First, the customers. Should they abandon a relationship because the organization has a security problem? To answer […]
First, the European Court of Human Rights has ruled that the UK’s “DNA database ‘breach of rights’:” The judges ruled the retention of the men’s DNA “failed to strike a fair balance between the competing public and private interests,” and that the UK government “had overstepped any acceptable margin of appreciation in this regard”. The […]
At Metamodern.com. Way cool. I look forward to what he has to say. Unfortunately, one of his early posts falls into the trap of believing that “Computation and Mathematical Proof” will dramatically improve computer security: Because proof methods can be applied to digital systems, and in particular, will be able to verify the correctness (with […]
The employer has been posting them at a prodigious rate. There’s: “Threat Modeling at EMC and Microsoft,” Danny Dhillon of EMC and myself at BlueHat. Part of the BlueHat SDL Sessions. Also on threat modeling, Michael Howard and I discuss the new SDL Threat Modeling Tool Michael Howard and I also discussed the new SDL […]
I’m in Barcelona, where my employer has made three announcements about our Security Development Lifecycle, which you can read about here: “SDL Announcements at TechEd EMEA.” I’m really excited about all three announcements: they represent an important step forward in helping organizations develop more secure code. But I’m most excited about the public availability of […]
A cheetah traveling from Oregon to Memphis Tennessee escaped from its cage on a Delta flight from Portland to Atlanta. Luggage was delayed, a baggage worked got a good fright (oh, yeah, imagine finding a cheetah on Halloween), but no baggage was destroyed. I would like to be able to link to the full story, […]
An Israeli teenager has been arrested after he donned a mask and prowled the streets of his town with a big rucksack and toy gun for a school project. The boy, 15, was seized by police in the southern town of Ashdod suspecting he was a Palestinian militant. The student was quoted as saying he […]
“It’s been in the back of my mind since you first came in: How do you get the missile on the trailer into Manhattan?” federal Judge William Pauley III asked. Sachs, from West Babylon, said cops just laughed as he passed through the Queens Midtown Tunnel on his way into the city Sept. 8. Sachs […]
There was a very interesting article in the New York Times, “Fish Tale has DNA Hook,” in which two high school students used DNA testing to discover that nearly 1/4 of the sushi they tested and identified was mis-labeled. The article only identifies one of the vendors: Dr. Stoeckle was willing to divulge the name […]
One of my long-term interests in security is the ongoing cost of secrecy. My current favorite example is the stack smashing buffer overflow. These were known and understood no later than 1972, and clearly documented in James P. Anderson’s Computer Security Technology Planning Study: The code performing this function does not check the source and […]
Security continues to be crippled by a conspiracy of silence. The ongoing costs of not talking about what’s going wrong are absolutely huge, and today, we got insight into just how huge. Richard Clayton and Tyler Moore of Cambridge University have a new paper on phishing, “The consequence of non-cooperation in the fight against phishing.” […]
Forty Percent of California voters are “permanent absentee” voters. Oregon runs entirely by mail-in votes. Other US states have some sort of mail-in or absentee status that people can assign themselves to. For those people, including me, elections are a slice of time that ends on election day. This isn’t new, until relatively recently, it […]
In reading Mordaxus’ post “Quantum Crypto Broken Again,” I was struck by his comment: It is a serious flaw because one of the main arguments about quantum cryptography is that because it is “physics” based as opposed to “computer” based, that it is more secure than software cryptography.” Firstly, security is almost always an outcome […]
A little bit of cross-polination between blogs: Adam Shostack here. Last weekend, I was at a Security Modeling Workshop, where I presented a paper on “Experiences Threat Modeling at Microsoft,” which readers of [the Microsoft Security Development Lifecycle] blog might enjoy. So please, enjoy!
The New Scientist reports that researchers Vadim Makarov, Andrey Anisimov, and Sebastien Sauge have broken quantum key distribution. The attack is described in their paper, “Can Eve control PerkinElmer actively-quenched single-photon detector?” Spoiler Warning: Yes. She can. The attack is brilliant in its elegance. They essentially jam the receiver. A bright pulse of laser light […]
According to The New York Times in, “Surveillance of Skype Messages Found in China,” the Chinese provider TOM has software in place that reads Skype text messages, and blocks ones that use naughty words and terms, like “Falun Gong,” “Independent Taiwan,” and so on. A group of security people and human rights workers not only […]
John Kelsey had some great things to say a comment on “Think Like An Attacker.” I’ve excerpted some key bits to respond to them here. Perhaps the most important is to get the designer to stop looking for reasons attacks are impossible, and start looking for reasons they’re possible. That’s a pattern I’ve seen over […]
9Wants to Know has uncovered a new policy that allows airport screeners at Denver International Airport to bypass the same security screening checkpoints that passengers have to go through. … The new policy says screeners can arrive for work and walk behind security lines without any of their belongings examined or X-rayed. … At DIA, […]
If you are the sort of person who looks at odd legal rulings and opinions, you may remember that a few years ago the US DOJ issued an opinion that stored emails are not protected under the Stored Communications Act. The DOJ reasoning is that when you leave read email on your server, it’s not […]
Spaf has an excellent post up about Purdue’s decision to no longer be an NSA Center of Academic Excellence. He makes a number of thought-provoking points, among them that “excellence” loses its meaning if the bar is set too low, and that being an academic center and having a training (as opposed to educating) curriculum […]
One of the problems with being quoted in the press is that even your mom writes to you with questions like “And what’s wrong with “think like an attacker?” I think it’s good advice!” Thanks for the confidence, mom! Here’s what’s wrong with think like an attacker: most people have no clue how to do […]
Steve Lipner and I were on the road for a press tour last week. In our work blog, he writes: Last week I participated in a “press tour” talking to press and analysts about the evolution of the SDL. Most of our past discussions with press and analysts have centered on folks who follow security, […]
Our publisher sent me a copy of Raffael Marty‘s Applied Security Visualization. This book is absolutely worth getting if you’re designing information visualizations. The first and third chapters are a great short intro into how to construct information visualization, and by themselves are probably worth the price of the book. They’re useful far beyond security. […]
Zimran links to an excellent long article on Hans Monderman and then says: When thinking about human behavior, it makes sense to understand what people perceive, which may be different from how things are, and will almost certainly be very different from how a removed third party thinks them to be. Traffic accidents are predominantly […]
There are a couple of blog posts that I’ve read lately that link together for me, and I’m still working through the reasons why. I’d love your feedback or thoughts. A blogger by the name of Lhooqtius ov Borg has a long screed on why he doesn’t like the “Social Futilities.” Tyler Cowan has a […]
Wonderful graffiti art by Mau Mau at the Cans Festival II. Photo taken by Alan Bee.
GetAFreelancer.com has a job for you if you need some high-paid work — write a remote keylogger. Here are the project requirements: We need a keylogger that can be installed remotely. Description: The main purpose is that the user A can send an email with a program to install (example: a game or a funny […]
The Economist has a short but great overview on crisis management. The article is well worth reading completely, but there is one section that bears highlighting: Be well prepared in advance. Potential members of a crisis management “team” should rehearse how they would manage the impact of an incident. It is a bit like learning […]
So there’s some great discussion going on in the comments to “Certifiably Silly,” and I’d urge you to read them all. I wanted to respond to several, and I’ll start with Frank Hecker: Could we take the cost issue out of this equation please … [Adam: I’m willing to set it aside, because the conversation […]
Over at “The Security Practice,” Michael Barrett writes about “Firefox 3.0 and self-signed certificates.” Neither he or I are representing our respective employers. …almost everyone who wants to communicate securely using a browser can afford an SSL certificate from CAs such as GoDaddy, Thawte, etc. The cost of single certificates from these sources can only […]
Over on my work blog, I asked: I’m working on a paper about “Experiences Threat Modeling at Microsoft” for an academic workshop on security modeling. I have some content that I think is pretty good, but I realize that I don’t know all the questions that readers might have. So, what questions should I try […]
Adam comments on Dave Maynor commenting on Blizzard selling authentication tokens. Since I have the ability to comment here, I shall. This isn’t the case of a game having better security than most banks (as Maynor says). This is a game company leaping ahead of some banks, because they realize they have bank-like security issues. […]
All around cool guy, and former provost of the University of Chicago, Geoffrey Stone (the Edward H. Levi Distinguished Service Professor at the University of Chicago Law School), posted earlier this week proposed that “The next president should create a brand new position, which should become a permanent part of the Executive Branch in the […]
An amusing comic from POPsickleSTRIP.
Two days ago, Marc Weber Tobias pointed out that Medeco, the 800 pound gorilla in the high-security lock market, recently published an open letter to the locksport community, welcoming it to the physical security industry: While we have worked with many locksmiths and security specialists in the past to improve our cylinders, this is the […]
One of the curious features of Quantum Cryptographers is the way they harumph at mathematics. “Don’t trust that math stuff, you should trust physics.” It’s easy to sneer at this attitude because physics has traditionally gotten its cred because of its foundations in math. Physicists are just mathematicians who don’t squick at canceling dxes. Quantum […]
Debix, Verizon, the ID Theft Research Center and the Department of Justice have all released really interesting reports in the last few days, and what makes them interesting is their data about what’s going wrong in security. This is new. We don’t have equivalents of the National Crime Victimization Surveys for cyberspace. We don’t have […]
What’s the biggest problem with quantum cryptography? That it’s too expensive, of course. Quantum anything is inherently cool, just as certain things are inherently funny. Ducks, for example. However, it’s hard to justify a point-to-point quantum crypto link that starts at one-hundred grand just for the encryptors (fiber link not included, some assembly required), when […]
There are a lot of great comments on the “Security Prediction Markets” post. There’s a tremendous amount of theorizing going on here, and no one has any data. Why don’t we experiment and get some? What would it take to create a market in breach notification prediction? Dan Guido said in a comment, “In security, […]
Chris’s beach reading recommendations John Maynard Smith, Evolution and the Theory of Games James S. Coleman, Foundations of Social Theory Ken Binmore, Natural Justice
El Reg writes that the India Times writes that RIM has “blackballed” (El Reg’s words) the Indian Government’s requests to get BB keys, saying what we suspected, that there are no keys to give. The India times says: BlackBerry vendor Research-In-Motion (RIM) said it cannot hand over the message encryption key to the government as […]
You may have seen this article from the India Times, “Govt may get keys to your BlackBerry mailbox soon.” Many people have been commenting on it, and the hand-wringing should build up to a good storm in a few days. The gist of the article is that the Indian Government has told RIM that if […]
Delightful!
If you haven’t heard about this, you need to. All Debian-based Linux systems, including Ubuntu, have a horrible problem in their crypto. This is so important that if you have a Debian-based system, stop reading this and go fix it, then come back to finish reading. In fact, unless you know you’re safe, I’d take […]
The debate about Shor’s Algorithm (which I blogged about a couple days ago) continues. Rod Van Meter has a good blog post about it here. While there are plenty of people who have just wholesale dismissed the Hill/Viamontes paper outright, apparently because they know Shor’s algorithm works and that building a working quantum computer is […]
Technology Review has a pair of articles on D-Wave‘s adiabatic quantum computer. Quantum pioneer Seth Lloyd writes in “Riding D-Wave” about quantum computing in general, adiabatic quantum computing, and D-Wave’s efforts to show that they’ve actually built a quantum computer. Linked to that is Scott Aaronson’s article, “Desultory D-Wave,” in which Lloyd’s nail-biting is made […]
Ross Anderson has made PDF versions of several chapters of his Security Engineering (second edition) available on-line. The entire first edition has been available for some time. I am sure this second edition will be outstanding. I would rank the first edition as one of the top three technical books I’ve read. It would likely […]
Researchers at Linköping University in Sweden have found flaws in quantum cryptography. They also supply a fix. The announcement is here; a FAQ is here; full paper is at the IEEE here (but requires an IEEE membership). The announcement says: Jan-Åke Larsson, associate professor of applied mathematics at Linköping University, working with his student Jörgen […]
The FDIC’s Division of Supervision and Consumer Protection didn’t release a report titled “Cyber Fraud and Financial Crime” on November 9, 2007. That release was left to Brian Krebs, a reporter with the Washington Post, in early March, who blogged about it in “Banks: Losses From Computer Intrusions Up in 2007” and “The FDIC Computer […]
After showing that “encrypted” disk drives only encrypted the password you use, not the data, Heise-Online now shows that fingerprint-access is often bunk: Manufacturers of USB sticks and cards with fingerprint readers promise us that their data safes can only be opened with the right fingerprint. It turns out that an easy-to-find tool allows nosy […]
By now, you’ve probably seen the news that “A Heart Device Is Found Vulnerable to Hacker Attacks.” Bruce Schneier has some good analysis, “Hacking Medical Devices.” I just wanted to shock Jerry Lee Lewis fans.
Diebold Accidentally Leaks Results Of 2008 Election Early
The Economist emails: Our second series of three debates kicks off today and the first proposition raises important questions about civil rights and the trade-off between Privacy vs. Security. As a blogger and member of the community that The Economist aims to serve with this lively debate, we wanted to extend an invitation to you […]
Yahoo news recently reported the story of Charleston, West Virginia Mayor Danny Jones who used a photo of himself in a magazine to prove his identity. In brief, he was flying out of John Wayne Airport and his drivers license was expired so he wasn’t going to be allowed to get past security. The Charleston […]
On the beaches of Mexico, they’re talking about Copacabana, a new cipher-cracker that works on DES and other ciphers with a 64-bit key. Yes, this has been done before, but this is interesting for a number of reasons. First is the price. About €9,000. Second, there’s the performance. A complete DES keyspace sweep in a […]
I love my Prius. It’s fun to drive, eco-friendly and even has lots of geek appeal. However it has one incredibly moronic safety feature which I was reminded of while driving through the snow the other day. Now I have the base model which means I don’t have fancy features like the automatic skid prevention. […]
In a feat that would make Banksy proud, members of Untergunther, who the Guardian calls “cultural guerrillas“, restored the antique clock at the Panthéon. They spent about a year, beginning in September of 2005, in a hidden workshop, dismantling and rebuilding the entire clockwork which had been abandoned in the 1960s. They were never discovered […]
In “How Can Government Improve Cyber-Security?” Ed Felten says: Wednesday was the kickoff meeting of the Commission on Cyber Security for the 44th Presidency, of which I am a member. The commissionhas thirty-four members and has four co-chairs: Congressmen Jim Langevin and Michael McCaul, Admiral Bobby Inman, and Scott Charney. It was organized by the […]
There’s a story in the Wall St Journal, “London’s Congestion Fee Begets Pinched Plates:” This city’s congestion pricing for drivers is heralded around the world for reducing traffic and pollution. It’s also causing an unintended effect: a sharp jump in thieves stealing or counterfeiting license plates. Thieves are pinching plates by the dozens every day […]
Carl Ellison has been doing some really interesting work on what he calls Ceremonies: The concept of ceremony is introduced as an extension of the concept of network protocol, with human nodes alongside computer nodes and with communication links that include UI, human-to-human communication and transfers of physical objects that carry data. What is out-of-band […]
Thanks Les!
Who knew there’s an International Bank Note Society? Or that they have a prize for best bank note of the year? This year’s winner is the “1,000-franc note issued by the Banque Centrale des Comores, the central bank of the Comoros, an archipelago located between Madagascar and the east coast of southern Africa.” Don’t miss […]
Yesterday CNN reported that Ohio State Representative Matthew Barrett was giving a presentation to a group of High School students a photo of a naked woman appeared instead of the expected graphic. The State Highway Patrol seized the USB drive containing the presentation and in less than 24 hours determined that the image had been […]
Chronicles of Dissent has a good article on this topic, “If you don’t secure your data, it’s not unauthorized access.” A court in Pennsylvania ruled that it’s not illegal to get information you really shouldn’t have if you got it from a search engine or the search engine’s caches. This is important because there have […]
A number of commenters on yesterday’s post, “Noh Entry: Halvar’s experience and American Legalisms” are taking me to task for being idealistic about rule of law. I agree strongly with what Nicko wrote in the comments: [C]ountries are at liberty to apply “complex, stupid, and complete arbitrary” rules but one of the fundamental tenants of […]
This is a new twist on an old trick. SFGate reports in, “‘I didn’t eat and I didn’t sleep’ — Coin dealer flies dime worth $1.9 million to NYC’” that coin dealer John Feigenbaum transported a $1.9M rare coin (an 1894-S dime) from its previous owner, Daniel Rosenthal, who lives in the Bay Area to […]
In the Times Online article, “Digital DNA could finger Harry Potter leaker,” we learn that the person who leaked photos of the last Harry Potter novel has yielded up the serial number of their camera, which was in the metadata of the pictures they took. From this, we lean that it was a Canon, likely […]
In “Stop with the fake phish data,” Justin Mason quotes an anonymous friend complaining about people dumping crap into phishing sites: Is there any way you can get the word out that dropping a couple hundred fake logins on a phishing site is NOT appreciated?? It creates havoc for those monitoring the drop since it’s […]
The New York Times reports, “U.S. Will Allow Most Types of Lighters on Planes” Federal aviation authorities have decided to stop enforcing a two-year-old rule against taking cigarette lighters on airplanes, concluding that it was a waste of time to search for them before passengers boarded. The ban was imposed at the insistence of Congress […]
This is a peeve I learned from the great Donn Parker. The term “Best Practice” should be avoided. It is inaccurate. misleading, and self-defeating. Here’s why: Best is a superlative. By using it, one implies that there a single choice that surpasses all others. Rarely is this the case in real life. Security gurus are […]
Over at his excellent blog, Chandler Howell referenced an interesting risk analysis performed by a home inspector: “The power switch for the garbage disposal in the sink could be accidentally turned on by a person standing at the sink while their hand was in the disposal.” That is to say, the switch is right next […]
This is from Non Sequitur by Wiley. Since I’ve shrunk it to fit, the guard says to the other: Accept the security breach, or clean a litter box. Take your pick. Click the picture for the full-size one.
Nature reports that, “Simulation proves it’s possible to eavesdrop on super-secure encrypted messages.” A summary of the attack is that the attacker instigates a quantum entanglement of properties of the photons so that they can infer the information (encoded in polarization) by measuring the entangled property (like momentum). It isn’t a real attack, but as […]
My team at work announced the launch of “The Security Development Lifecycle” blog today. After the intro post, Michael Howard leads off with “Lessons Learned from the Animated Cursor Security Bug.” I’m pretty excited. We’re focused on transparency around what we’re learning as we continue to develop the SDL.
If you haven’t read Steven Johnson’s The Ghost Map, you should. It’s perhaps the most important book in print today about the next decade of computer security. John Snow was a physician who was a pioneer in anaesthesia who turned his attention to cholera when the worst epidemic hit the London where he lived in […]
I can’t help but wonder how many bits have died to hold disclaimers like this one: This message is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure. If you are not the intended recipient you are […]
Imagine if, in the 1970s, the tobacco companies had patented devices to measure the health effects of smoking, then threatened lawsuits against anyone who researched their products. I’ve never heard such a clear explanation of why threats to security research are bad. From “Patently Bad Move Gags Critics,” in Wired. The same can be said […]
The SnoopStick offers full realtime monitoring of another computer. It’s Vista-ready, too, which perhaps says something about Vista security, or perhaps about people who have had trouble working with Vista, or both. Any time you want to see what web sites your kids or employees are visiting, who they are chatting with, and what they […]
I was on the last flight back west on a Friday night, glad that it looked likely I was going to get home. Even better, I’d been upgraded. I flopped into my seat, pulling out the noise-canceling headphones, laptop power adapter, books, and all that other stuff that makes a long flight an oasis of […]
Orwell said it best in “Politics and the English Language,” and if you haven’t read him recently, you should. Abuse of the language has adverse effects on thought, and it’s true in security as well as politics. He gives some wretched examples and says of them: Each of these passages has faults of its own, […]
A 0-day in Solaris {10,11} telnetd is reported. SANS has some details. Anyone who remembers the AIX “rlogin -froot” vuln will appreciate this one. (h/t to KK on this one)
This is in Harpers, “The Ecstasy of Influence.” It is an interesting meditation on the nature of art itself and how art is composed of other art. However, not only must you read this, you must read it all the way through to understand it and why it is important.
Okay, that’s not precisely what he said. What he said was that in “two to three years” there will be no more “standalone security solutions.” Meanwhile, the tradeshow floor of the RSA conference seems to be enjoying something of a renaissance, which is good to know, as the theme of the conference is, well, The […]
So there’s a video of how to “Unlock A Car With a Tennis Ball.” I advise turning the sound off-there’s no value to a bad pseudo-rock soundtrack, and no information in it (all the narration is in text in the video). There’s also precious little information in the video. It’s not clear what make or […]
Arthur wrote recently about an NYT article about dangers of the iPhone. The NYT has a bizarre policy about articles which makes them available for only a few days, so likely you’ll have to take my word about that article. I liked this article a lot because it mentions eMusic. I’m an eMusic customer and […]
With all the reports of lost backup tapes, I wonder if it would be technically feasible to keep an eye on them using RFID tags. If a tape “tries to leave” a facility without having been pre-authorized, bells go off. If a tape can’t be found, there’s a record of where it was last detected […]
The title is a statement of Kerkhoffs’ principle. A cryptographic system is only secure if the security of the system doesn’t depend on the whole system being secret. And there’s an interesting lesson there for Diebold. You see Diebold sells ATMs and voting machines. And they posted pictures of the key that allegedly opens every […]
There’s an article in Zaman.com, about “Turkish Hacker Depletes 10,000 Bank Accounts ” A criminal enterprise comprised of 10 individuals who drained the accounts of 10,580 customers by sending virus-infected e-mails was busted in Istanbul. … The suspects reportedly sent virus-infected emails to 3,450,000 addresses, and subsequently drained 10,850 bank accounts. That’s a hit rate […]
It’s the MLK Day holiday weekend. That means that one’s headache has subsided to the point that one can no longer hear one’s nose hair growing, and the cat is padding rather than stomping. It also means that it’s time for New Year’s Resolutions! If yours is to get better control over your information privacy, […]
Joanna Rutkowska of Blue Pill fame, gave a presentation at the recent Chaos Communication Congress on “Stealth malware – can good guys win?“. Unfortunately, I couldn’t make it to the presentation in person, but the powerpoint slides are a great read. I highly recommend it. Definitely food for thought. [Image is Hypervisorus Blue Pillus from […]
hold the RFID. I just got my US passport renewed, and I was pleasantly surprised when it came back Old Skool — no RFID. I’m happy…until 2016 anyway.
How’d you like to be the person at British Airways who has to write the letter to 30,000 people explaining that they might have been exposed to a radioactive poison while traveling on BA flights? Remarkably, authorities will not confirm that the substance detected was Polonium, yet passengers on the flights are being asked to […]
Or how museum security is like information security. Or as Sivacracy put it “Involuntary Art Acquisitions”. Call it what you will, but in all cases it highlights the fact that most security programs be they physical or information focused, tend to be unidirectionally focused. In the case of museums, it is to ensure that nothing […]
Every now and then, it seems like TSA can do something right. I’ll let you know. In the meantime, the New York Times tells us that “Frustration Grows at Carousel as More Baggage Goes Astray:” The Transportation Department reported that 107,731 more fliers had their bags go missing in August than they did a year […]
Cutaway, over at Security Ripcord provides us with an alternate take on the fact that security needs to understand the business constraints and goals of the organization. He (She?) quite rightly points out that security is a part of the “Service and Support” Group. He has two essential points: I have been hearing a lot […]
Are condemned to be mocked for it. See what happens when Australia’s “The Chasers War On Everything” build their own Trojan Horse and haul it around town.
Back in July, I posted about online code searching and static analysis in “Meet The Bugles“. Google has now seriously upped the ante and released Google Code Search which I am constitutionally required to mention includes full regular expression support. Now I was going to post an analysis of the cool things that one could […]
[This was prepared the morning of October 1, but not posted because I expected more to come of the story rather quickly. It now appears that 1. is true.] OK, so at Toorcon a couple of guys — one of whom works at SixApart — reported on a Firefox 0day. These gents claim to have […]
Ping over at Useable Security has a great analysis of Rivest’s ThreeBallot voting system. The delightful thing about ThreeBallot is that it should be incredibly easy to implement on a small scale and not much harder on a large scale and has in built in provisions to prevent voter error, counter fraud and vote buying. […]
Speaking of the differences between how security gets managed in the U.S. versus the E.U., CSO magazine has a light-hearted and somewhat irreverent article on the differing goals and priorities of audits on either side of the Atlantic. In spite of its tone, it does highlight some important issues to keep in mind. In particular: […]
I am beyond words, I’ll let others say it for me. [Via: Bruce Schneier]
A £40,000 teddy bear formerly owned by Elvis Presley was destroyed when a guard dog which was supposed to protect it went on the rampage. “Dog chews its way through Elvis’ £40,000 teddy.” Photo, “Elvis With Teddy Bear” is not the bear that was destroyed, but is a better picture. Thanks Nicko!
Brad Stone has a great article in Wired about his car being stolen and the insurance company insisting that he must be lying because he still had all of his fancy RFID enabled keys. This assumption that the security system is perfect is going to continue to bite consumers especially as banks move to two-factor […]
Over at Matasano, Tom Ptacek skewers the new CERT Secure Programming Standard by asking: Do We Need an ISO Secure Coding Standard?. The entire article is well worth reading, but it sums up nicely with this: There are already a myriad of good sources of information about secure programming, including books targeted specifically to developers […]
There are about twenty good posts talking about the Symposium on Usable Security and Privacy (SOUPS) over at Ka-Ping Yee’s Usable Security blog. If you’re reading this in the archives, start here and go forward, or here and go back. Some favorites: How will the scourge really be killed? (Panel) Decision Strategies and Susceptibility to […]
Check out Bugle, a collection of google searches that look for known general classes of vulnerabilities in source code such as buffer overflows and format string issues. The list is far from complete and is no replacement for real static analysis but will should get you a lot of low hanging fruit. [Via FIRST News.]
[Via: Yahoo News]
Cruising through my blogroll this morning over the morning coffee, I came across an article from BeyondSecurity, which walks through a forensics analysis of an on going security incident. This is a good read and it’s great to see folks in the industry talking about what they actually do and how they do it. Thanks […]
Following up on a problem I mentioned long ago, (“Ranum on the Root of the Problem“) that gcc’s -Wall doesn’t actually run all the analysis it could. Apple has a great page “Improving Your Software With Xcode and Static Analysis Techniques” (I believe that this is a mirror of that page, see section 5) that […]
Reading Arthur’s “What Me Data Share?” and Chris’ “CSI/FBI Survey considered harmful,” I realized that what they’re discussing may not be common knowledge. I also realized that my posts about how valuable disclosure laws are assumed that everyone knows what Chris and Arthur said, and that ain’t so. The lack of information sharing that plagues […]
The latest 2006 CSI-FBI Computer Crime and Security Survey has been released. Already, it is making waves, as it does each year. I want to simply state that there is no reason to give this survey any credence. The survey instrument is sent only to CSI members. This time, it was sent to 5,000 of […]
According to Charlie Paglee, Skype has been cracked, and a compatible client implemented. This promises to have wide ramifications, about which Charlie writes at length.
Ian Goldberg likes to state Kerckhoffs’ principle as “The security of a system shouldn’t rely on anything that’s hard to change.” So it is with deep amusement that I report on what’s probably one of the hardest to change systems out there. And I do mean out there: 23,222 km out there. Let me back […]
There’s an idea floating around that a major problem with SSNs is their dual use as identifiers and authenticators. (For example, Jeremy Epstein, “Misunderstanding the risks of SSNs,” in RISKS-24.29) This is correct, but the phraseology leads to people trying to solve the problem by saying “if we just used SSNs as ID numbers, and […]
In a long interesting article in Wired on “The RFID Hacking Underground,” I came across this quote: While it may be hard to imagine why someone other than a determined vandal would take the trouble to change library tags, there are other instances where the small hassle could be worth big bucks. The article went […]
The BBC reports on Sweet Dreams Security in “Safe, Secure, and Kitsch:” A German artist is trying to change the way people think about security, by replacing barbed wire with heart-shaped metal, and pointed railings with animal shapes. Thanks to N. for the pointer.
In “Why Some People Put These Credit Cards In the Microwave,” the Wall St. Journal incidentally captures everything you need to know: Makers of products using RFID say privacy and security safeguards are being built into the chips to prevent abuses. MasterCard International says multiple layers of security are available to prevent MasterCard data from […]
This year’s challenge: ridiculous performance degredation For this year’s challenge, imagine you are an application developer for an OS vendor. You must write portable C code that will inexplicably taaaaaake a looooooong tiiiiime when compiled and run on a competitor’s OS. The program is supposed to read a set of words on stdin, and print […]
Dear Arthur, In Re: your post, “Die Struck Lapel Pins From Collinson Enterprises.” They’ve some neat ones for sale too, if you’d like to be spotted as a Fed at Defcon.
In “Duped Bride Gets No Sympathy,” Kim Cameron writes about an Ebay scam. What’s interesting to me is some of the language that the scammer used to justify their requests: “Her attacker convinced her to use Western Union due to “a security breach at Paypal”.” (Kim Cameron, summarizing video)…. “Another red flag was the wire-transfer […]
When Larry Ellison said “We have the security problem solved,” a lot of jaws dropped. A lot of people disagree strongly with that claim. (Ed Moyle has some good articles: “Oracle’s Hubris: Punishment is Coming,” “Oracle to World: ‘Security Mission Accomplished…’“) That level of dripping sarcasm is fairly widespread amongst the security experts I talk […]
Simson Garfinkel sent me a copy of “Security and Usability: Designing Secure Systems that People Can Use,” which he co-edited with Lorrie Faith Cranor. [Updated spelling of Lorrie’s name. Sorry!] I was really hesitant when I got it because I tend to hate collections of academic papers. They’re often hard to read, heavily redundant, and […]
Adam’s Private Thoughts on Blue Hat, reminds me that I’ve been meaning to post about Microsoft’s recent CSO Summit. This was an invitation-only spin off of Microsoft’s Executive Circle, and was a mix of MS product presentations, round table discussions, and non-MS folks speaking on how they dealt with real world scenarios in their various […]
Michael Howard over at Microsoft, has a great post, on why security analogies are usually wrong, that has a beautiful analogy of his own that aptly makes his point. Also, note that Ed Felten, is currently teaching a class, InfoTech & Public Policy, at Princeton. Students are required to post weekly, and non-students are encouraged […]
As reported in The Australian, a group of co-ordinated criminals stole over 40 millions pounds in cash from a processing center. They did so, by the expedient process of dressing up as police officers and kidnapping the wife and child of one of the center’s managers. They then were escorted on site where they subdued […]
For quite some time, Ian Grigg has been calling for security branding for certificate authorities. When making a reservation for a Joie de Vivre hotel, I got the attached Javascript pop-up. (You reach it before the providing a credit card number.) I am FORCED to ask, HOWEVER , what the average consumer is supposed to […]
As mentioned on Freedom To Tinker and by Lauren Gelman, at the Center for Internet and Security, the TSA has mothballed it’s plans to deploy Secure Flight. Though the TSA will surely come up with something else, this is definitely a step in the right direction.
This week’s Mossberg’s Mailbox has a great point, that I can’t resist sharing: “However, I feel compelled to note that, if you allow your Internet usage to be totally ruled by security fears, you may miss out on a lot.” He then goes on to discuss some of the always on benefits such as automatic […]
Today, in Friday Star Wars Security blogging, we continue with Saltzer and Schroeder, and look at their principle of Least Common Mechanism: Least common mechanism: Minimize the amount of mechanism common to more than one user and depended on by all users [28]. Every shared mechanism (especially one involving shared variables) represents a potential information […]
[Update: If I’d been able to find the page which Arthur provided in a comment, I wouldn’t have written this quite like this.] It’s rare to see a substantial usability mistake at Google, and so this jumped out at me. Saar Drimer has a post on the new “Gmail password strength check,” in which he […]
“Security cameras certainly aren’t useless. I just don’t think they’re worth it.” So comments Bruce Schneier on the news that “Cameras Catch Dry Run of 7/7 London Terrorists.” Richard Beitjich comments on “Citadel Offers Product Security Warranty.” I think Richard nails it with his analysis that “There are probably enough loopholes through which one could […]
Enter narrator I pray you all give your audience, And here this matter with reverence, By figure a moral play- The Flooding of New Orleans called it is, That of our lives and ending shows How transitory we be all day. Enter preacher, sturm and drang… It has nothing to do with Southern Decadence, despite […]
So reports the LA Times (Bugmenot) in “Pot ID Card Program Shelved:” California health officials Friday suspended a pilot program that issues photo identification to medical marijuana users out of concern that a recent U.S. Supreme Court ruling could make the state and ID holders targets for federal prosecution.
Pete Spire Lindstrom* points to a press release from the SEC on “Commission Statement on Implementation of Internal Control Reporting Requirements:” “Registered public accounting firms should recognize that there is a zone of reasonable conduct by companies that should be recognized as acceptable in the implementation of Section 404.” “A one-size fits all, bottom-up, check-the-box […]
John Early has an interesting editorial over at Computer Weekly “Infrared meets speed and security needs:” Famously associated with applications such as personal digital assistant to laptop synchronisation, PDA business card exchange and short-haul mobile phone data transfer; IRDA, with its short range and relatively low 4mbps throughput, was understandably discounted by the IT community […]
Like I said, I do like rules, rules that make sense. But this is a form of institutional insanity, and someone needs to do an intervention. When a soldier in full uniform, in the company of nothing but other soldiers, is allowed to retain the bayonet for his M-16 and his M-16, yet has to […]
(Updated shortly after posting with Eric Rescorla’s evidence presentation.) Nick Owen has a post about Net Present Value and Annual Average Loss Expectancy. If you think security is all about vulns and 0day, you probably don’t need to read this post, and your boss is going to keep rejecting your spending proposals. Carrie Kirby argues […]
Stupid Security covers an AP story: Security at U.S. airports is no better under federal control than it was before the Sept. 11 attacks, a key House member says two government reports will conclude. None of us here [at Stupidsecurity] are surprised. The real fun begins with the second paragraph: “A lot of people will […]
Over drinks, I like to enrage my computer security colleagues by suggesting that we’re spending too much on computer security. My evidence for this is that, despite all the attacks and break-ins and worms and what-have-you, no one’s going out of business. But the news in Saturday’s Washington Post, “Most Area Terrorism Funding Not Spent,” […]
Wired is carrying a Reuters story blaming VOIP systems for security flaws. The claim is that VOIP, by allowing everyone to set their caller id string, is causing security problems. This is false. These security problems have existed and have been exploited for a long time. For banks, or anyone else to rely on caller […]
Ed Foster writes about Brink’s contract provisions with contracts that don’t go month to month, but year to year when you try to leave. Brink’s is fully within their right to write such contracts, and I’m free to suggest that you should consider shopping elsewhere. (Via Dan Gillmor.) Mark Miller suggests a new code metric, […]
To follow up to my post on Terror Suspects and Firearms, I’d like to take a moment to rail against the Kafka-esque implementation of “watch lists” in the United States. For the FBI, or other investigative or intelligence agencies, to have lists of “interesting people” makes perfect sense. You’ll always have people who you suspect […]
The New York Times is running a somewhat alarmist article, Terror Suspects Buying Firearms, Report Finds. The report says that At least 44 times from February 2004 to June, people whom the F.B.I. regards as known or suspected members of terrorist groups sought permission to buy or carry a gun, the investigation found. In all […]
Stefan Geens points to It Takes More Than Money to Buy a Hot Piece of Art. I Came to Japan Because of the Chopstick makes dinner plates fascinating. Thanks Rosa! Two shorts at AntiTerrorism & Security: The firm running airport security at SFO has been accused of cheating by a former manager. The lawsuit is […]
One of the neat things about talking to different sorts of conferences is that you find neat stuff that you don’t otherwise see. At the Southeast Cybercrime Summit, I was supposed to talk about “Reducing Crime In Cyberspace, a Privacy Industry View.” (The talk I used to give for Zero-Knowledge.) Due to a small error […]
There’s a good interview with Larry Gordon at SecurityPipeline. It came out in April of last year, but I’d missed it. Gordon has hosted the Security and Economics workshop. “I go to security conferences where we all sit around puzzling about what kind of metrics to use for measuring the results of security programs,” says […]
The “Real ID” act is likely to get written into law, in two ways. First, it will pass the Senate, and be signed into law. Second, it will be one of the best examples of the law of unintended consequences in a long time. The bill would force states* to fingerprint people, and do various […]
Over at POSIWID, Richard comments on airline security, with some economic analysis of bad security and why it stays around. (I think I don’t like his title, preferring ‘systems are maintained for what they do,’ which gives more credit to the emergent qualities of systems, but I digress.) He accurately assesses some positives of the […]
Bruce Schneier talks about the Secure Flight being an improvement over the current watchlist system, but can’t give us details. The new system will rely on more information in the reservation. But if we don’t have that more information on the person on the watchlist, what will happen? Eg, if there’s no known birthday for […]
Lessig discusses what democracy looks like in Brazil: I remember reading about Jefferson’s complaints about the early White House. Ordinary people would knock on the door, and demand to see the President. Often they did. The presumption of that democracy lives in a sense here. And you never quite see how far from that presumption […]
I’m excited to be a part of the ACM’s 2005 Computer and Communication Security Conference, which has an Industry Track this year. We’re working to foster more interplay and collaboration between industry, the public sector, and academia: The track aims to foster tighter interplay between the demands of real-world security systems and the efforts of […]
A historian, Isaiah (Ike) Wilson III, Ph.D, gave a talk a few months ago at Cornell, entitled “Thinking Beyond War: Civil-Military Operational Planning in Northern Iraq.” His basic thesis seems to be that, in contrast to a carefully planned and executed war campaign, there were no definitive plans for what to do after the Iraqi […]
There’s a story in today’s CNET about banks issuing authentication tokens (like SecurID cards) to customers to address customer authentication issues. While these are useful, insofar as they will make phishing harder, they won’t stop it. Phishing will transform into an online, at the moment crime, which will be easier to catch, but work by […]
Delta Blood Bank sent a letter Friday to donors, warning them a computer that held their personal information had been stolen and advising them to take steps against identity theft and credit card fraud. … In addition to the letter…The blood bank will no longer require Social Security numbers from its donors… No longer require […]
Starting today, the federal Transportation Security Administration is telling its screeners to keep their hands to the “chest perimeters” of women unless handheld metal detectors beep when waved over their breasts. I’ve mentioned outrage at TSA intrusiveness in the past. (From Boston.com, via CSOOline.)
Over at TaoSecurity, Richard Bejtlich writes: ‘ROI is no longer effective terminology to use in most security justifications,’ says Paul Proctor, Vp of security and risk strategies for META Group… Executives, he says, interpret ROI as ‘quantifiable financial return following investment.’ Security professionals view it more like an insurance premium. The C-suite is also wary […]
Ross Anderson has added three papers to his Economics and Security Resource page: Fetscherin and Vlietstra’s DRM and music: How do rights affect the download price? shows that the prices of music tracks sold online are mostly determined by the rights granted to the purchaser – including the right to burn, copy or export the […]
I’ve been thinking a lot about signaling software security quality. Recall that a good signal should be easy to send, and should be easier for a higher quality product. I’d like to consider how running a tool like RATS (link) might work as a signal. RATS, the Rough Auditing Tool for Security, is a static […]
Kerik issued a statement saying: “In the course of completing documents required for Senate confirmation, I uncovered information that now leads me to question the immigration status of a person who had been in my employ as a housekeeper and nanny,” he said. “It has also been brought to my attention that for a period […]
The BBC is reporting that Kerik has withdrawn, citing personal reasons. The BBC also mentions controversy over his link to Taser, Inc, and a possible nannygate issue.
Writing to Farber’s Interesting People list, Lauren Weinstein writes: Their new system is obscuring *all* e-mail addresses in *all* netnews messages in the archive (including the vast numbers of messages that do not originate within the Google environment and/or that predate the existence of Google Groups). This includes not only the addresses of individual netnews […]
In a recent comment, Pete Lindstrom asks: So do you think this can be modeled using a version of the El Farol’s Bar you post about in the future? Maybe we can optimize the number of acceptable bugs… How does/should the policies of Microsoft and Oracle affect this model? I’ve been thinking about this, and […]
Ed Felten writes about a library survey in which few tech books, and none worthwhile, made the top-1000 list. He concludes: It’s the technology books that really disappoint. These books are useful, to be sure, and it’s not surprising that libraries have them. What’s really sad is that no book about the intellectual content or […]
The New York Times is reporting that Bernard Kerik, formerly of the NYPD, has been tapped for homeland security secretary. [Update: VikingZen has an alternate suggestion that shouldn’t be missed!],br> [Update 2: Declan has found a more relevant set of links than I did. Thanks to Secondary Screening.]
The call for papers for Blackhat Europe and Asia are now online.
There’s an interesting article on metrics over at CSO Online. The comments are great, too. Now if you’ll excuse me, I need to go ring a gong.
Florence Olsen writes in Federal Computer Week about security training: Last year, for example, officials at a federal financial institution tested employees’ adherence to the agency’s computer security policy against opening e-mail attachments from unknown sources. About half of the employees failed the test, Coe said. [Kathy Coe, regional director of educational services at Symantec] […]
Ian has a fine post over at financial cryptography: The only thing I’m unsure of is whether it should be economics or risk. But as I roll it around my mind, I keep coming back to the conclusion that in the public’s mind, the popular definition of economics is closer to the image that we […]
Security experts take it as a truism that you can’t defend everything. So you have to make choices about what attacks to worry about, and which ones to ignore. A study released today claims that unprotected hosts are attacked once per second. (USA Today reports on the study, and avantgarde.com is utterly swamped. So I […]
I’d like to add one bit about Lycos’ new attack spammers screensaver. Ed Felten writes most of what needs to be said about it: This is a serious lapse of judgment by Lycos. For one thing, this kind of vigilante attack erodes the line between the good guys and the bad guys. Spammers are bad […]
Allan Schiffman has sorted through the papers from the DIMACS Workshop on Usable Privacy and Security Software, and has summaries and recommendations in “Bad Security = Bad UI?.” [Update: Oh, the irony of a conference on usability naming all their files things like “blaze.pdf” or “garfinkel.ppt”– how about “blaze-usable-privsec.pdf,” so I can easily archive the […]
America’s Secret War, by George Friedman, is reviewed in the Australian: The Americans had established and then strengthened a military presence in countries surrounding Saudi Arabia – Yemen, Oman, Qatar, Bahrain and Kuwait. Invasion of Iraq would complete the encirclement. “From a purely military view,” Friedman adds, “Iraq is the most strategic single country in […]
The CBC reports on documents that the US tried to bury by releasing the day after Thanksgiving, admitting that “…Canada, Germany, the Netherlands and Britain share the suspicion that the international standard set for the electronic passports inadequately protects privacy and security.” These chips can be read from 30 feet away, today. That’s the opinion […]
Anti-spyware software has many of the issues that other privacy software has had.* It’s hard to understand the technical means by which privacy is invaded. It’s hard to see that you have (some) spyware. And it’s hard to evaluate what anti-spyware software works, and what doesn’t. Well, it was. Eric Howes has started testing anti-spyware, […]
Ed Felten has an insightful analysis of Identification Codes on Printer Output over at Freedom To Tinker.
Crispin Cowan and I will be running a BOF at Shmoocon, on Evidence Based Security. Shmoocon is in DC, Feb 4-6 of next year.
A man with an expired passport got onto Air France flight 26 on Saturday, November 19th: Flight 026 from Paris to Washington Dulles International Airport was diverted to Bangor, Maine, after U.S. officials discovered that the man was listed on the government’s no-fly list. The man’s name also was on the State Department’s terrorist watch […]
…Mr. Bush had to wade into a group of security agents to pull his lead Secret Service agent out of a shoving match with the Chilean police. The tape showing the president assuring the Chileans that his agent could come with him played over and over on television screens in the region this weekend. By […]
After the election, I asked What’s a Free Election worth?.” John Robb over at Global Guerrillas has a partial answer, which is what the 2nd intifada has cost both sides over 4 years: 10% of Israel’s GDP (roughly 2.5% of GDP per year), and a stunning 300% of GDP over 4 years for the Palestinians. […]
There’s a 3 page article in the Washington Post on phishing, the use of fake email and web sites to capture usernames and passwords. The phishers often target financial institutions. Marcus Sachs, a former White House cyber-security adviser and current director of the SANS Internet Storm Center, said marketing departments at many banks do not […]
The always engaging Doug Barnes has a new paper out, “Deworming the Internet“. The paper is more interesting because Doug is technically and legally savvy. (Always a dangerous combination.) The paper evaluates regulations, markets, government intervention, litigation, and finally, a set of suggestions for what is most likely to work. Its perhaps the most comprehensive […]
[Inland Revenue] learned a lesson after one incident, during the previous EDS contract, when its security department found out about cost-saving plans to shut a data centre and move sensitive information to a shared site only after an internal memo was circulated. Computing has a good basic article on security issues in outsourcing of IT […]
US Homeland Security undersecretary Asa Hutchinson said the current practice of airlines giving the names of passengers to US officials 15 minutes after take-off did not make sense. … “If we have to have information 60 or 45 minutes before, you’ve got to close off the passengers that come in at the last second,” he […]
In his response to my comments on vulnerability hunting, Pete Lindstrom discusses four ways to make things better: Legislate/enforce the law Buy exploits now and then Create Software security data sheets More honeypots I don’t think that (1) actually helps. More laws against finding vulns makes life harder for the good guys, by moving information […]
Pete Lindstrom has argued that we need to end the bug-hunt: Once evaluated, neither reason provides a good foundation for continuing the practice of vulnerability seeking, but it gets much worse when we consider the consequences. There is a rarely mentioned upside to all this bugfinding, which is that researchers use the exploit code to […]
This week Finjan announced that it has told Microsoft of 3, or 10, or maybe 19 issues with SP2. Robert Lemos at CNET writes: “We don’t want to argue with Microsoft about these things,” he said. “We found the 19 vulnerabilities, and we showed that you could take remote control of a computer.” However, Microsoft’s […]
Kapersky Labs makes some of the best anti-virus software out there, as analyzed by the Virus Test Center at the University of Hamburg. They recently announced a new naming scheme. I’ve been thinking a lot about naming schemes recently, and I think this one could be better. Let me take it apart, and explain why. […]
The poll of IT network and security administrators in SMEs to determine how they persuade management to change security practice found that almost half of respondents admit to advocating the fear factor. Many respondents indicated that they have to present worst case scenarios involving confidentiality breaches, lost customers or liability charges to justify investments in […]
Hundreds of passengers were evacuated briefly Thursday from the main terminal at Dulles International Airport outside Washington after airport screeners thought a suspicious image on an X-ray monitor might be a gun. Screeners spotted the image about 4:40 p.m. EST Thursday and the terminal reopened about an hour later. Passengers went through security checkpoints again, […]
Yesterday, I mentioned the 700 arrests [in the United States] in an attempt to deter terrorist activity. Also yesterday, several residents of The Hauge violently objected when the police showed up to arrest them. This is a pattern in the arrest of Al Qaeda suspects: Some of them decide that shooting the police is the […]
There’s a coalition of universities working on a security testbed, called DETER. It’s an excellent idea, and apparently, they’re up and running. I look forward to the output from the conference. I hope they’ll ensure that all papers are online and available to the public.
Samablog, irked that Rush has stolen his joke, explains that you can get at all of Rush’s $7 a month content, just by turning off all the scripting stuff in your browser. He then goes on to say: “What it says that a celebrity of Limbaugh’s stature keeps his site so insecure, I don’t know.” […]
So when will the public be able to easily and cheaply adopt useful security technologies that cost next to nothing? Asks Nudecybot. And the answer is…NOW! Why wait? Generate some keys and use them!
Eric Rescorla has a great post reporting from the IETF on the “Better Than Nothing Security BOF.” As I see it, this boils down to an understanding that paying for digital signatures is very expensive, while we’ve known for ten years that “keys are cheap.” (Thanks, Eric!) The SSH folks got this very right: You […]
There’s a post over at BoingBoing, laughing at some poor software transcription of Jabberwocky. Hello? What do you expect? The poem is full of nonsense words. If my speech recognition program starting putting brilling and slithy toves in my text, I’d be pissed off. So of course it gets this wrong. C’mon, folks, you want […]
Jihad Watch points to an AP story: More than 700 people were arrested on immigration violations and thousands more subjected to FBI interviews in an intense government effort to avert a terrorist attack aimed at disrupting the election. As with past unrealized al Qaeda threats, law-enforcement officials said yesterday they don’t know for sure whether […]
Overuse of the term ‘cyber-terrorism’ is confusing board directors and preventing much needed investment in IT security, says former White House security advisor Richard Clarke. Now if we could just get rid of the term “cyber,” we’d be all set to have a mature discussion. (From VNUnet, via InfoSecNews.)
Nudecybot has a thoughtful post on Computer security and the human factor. He takes a discussion we had, and organizes it well. He talks about airline safety vs computer safety, and how an anonymous reporting system has helped in the airline case. I think there’s two bits that he misses that make the airline safety […]
There’s a fascinating article in the Register about the impact of new rules: In some cases, the law has made IT managers legally responsible for adherence to corporate governance rules. Colao says that this may not necessarily be a good thing. “CIOs are now relying on convoluted processes rather than using sound business judgement based […]
Further quoting from that same article in the Register about the impact of new rules: Business managers becoming fed up with FUD In a separate study, more than a third of the 30 delegates to the Axis Action Forum admitted that their Board had never asked for an update on security or implications of security […]
Not too long ago, I gave a talk on privacy technology to the Atlanta chapter of the High Tech Crime Investigators Association. It was a talk that several of us at Zero-Knowledge had learned to give. The basic method for talking to police about privacy is to start from the need to reduce and prevent […]
Canada Post has apparently told the world that they’ll only deliver mail with a return address. This is clearly silly, phone books are full of valid return addresses for your city. Over at StupidSecurity, nrh asks: Part of the reason I delayed was that I was trying to find out if this was even legal. […]
No, not the elections, silly, the contest! And now the results are up, and it seems that Michal Zalewski is in the lead.
[Microsoft] will publish a general summary of planned security bulletin releases three business days before each regularly scheduled monthly bulletin release… The advance notifications will include the number of bulletins that might be released, the anticipated severity ratings, and the products that might be affected. This has been available to select customers for a while. […]
Sixteen years ago, the first worm spread across the Internet. It used password cracking, a buffer overflow in fingerd, and a flaw in sendmail to spread. At least today, sendmail seems more secure. Passwords and buffer overflows, check back in sixteen more.
The Symposium on Usable Privacy and Security (SOUPS) will be held July 6-8, 2004 at Carnegie Mellon University in Pittsburgh, PA. This symposium will bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy. The program will feature refereed papers, tutorials, a poster session, panels and invited talks, and […]
However, Engler thinks the security explanation should be taken with a grain of salt. His research in the late 1990s aimed to improve the reliability of software. Security analysis was part of the story, he says, but “basically, we just didn’t want stuff to crash.” (writes Jon Udell in Infoworld.) But Crispin Cowan has a […]
Ian Grigg has a great page on the SSL industry (really the “certification authority” industry.) Worth reading. The topic reminds me of an essay, I think from Nick Szabo, on the use of language and terminology within the security industry to distort thinking. (The bit I remember discussed the use of “certification authorities,” self-declared.) I’m […]
There’s a long article by Joseph Menn in the LATimes about online extortion via DDOS attacks, and how much money it brings in. (Use Bugmenot for a login.) The threat involved massive denial of service attacks on a gambling site, using thousands of “zombie” computers sending data to the site. Its not clear how clever […]
Richard Bejtlich posts on “Will Compromises at Universities Aid Security Research?: Several recent events may give security researchers the data they need. For example, UC Berekely suffered an intrusion on 1 Aug 04 which jeopardized a database containing names, addresses, telephone and Social Security numbers collected by the California Department of Social Services (CDSS). According […]
Statistics gleaned from the labs’ Common Criteria work indicates that the testing is improving security, said Jean Schaffer, director of NIAP. Schaffer spoke during a session at a Federal Information Assurance Conference held this week at the University of Maryland. So far, 100 percent of the products evaluated have been approved, she said. The testing […]
According to a new report from the Department of Homeland Security’s inspector general, airport screeners still Need Improvement. That will not come as a surprise to anyone who travels, but some of the details, as reported by A.P., are still disturbing: -Screeners aren’t tested on when they should pat down passengers and what the passengers’ […]
My frustration level with bug-traq increases in direct proportion to the frequency at which wannabes report vulnerabilities on software that has limited consumption and little business on a business network. I finally contacted some of the wannabes. I probed each for more specifics than the original bug disclosure: I think that Dave has a valid […]
One of the worse bits of law to come out of the Clinton years was the “Digital Millennium Copyright Act,” (DMCA). The law made it a crime to break any copy protection scheme, even if the data it was protecting was subject to some form of fair use. The law had lots of nasty chilling […]
But the real issue is that the explosives can be used against civilians and soldiers in Iraq and around the world. Consider that only five grams of RDX, for example, is enough to kill a person when used in an anti-personnel land mine. When 1,000 pounds of explosives were set off by a suicide bomber […]
Michael Froomkin has a long post on the 350 tons of stolen high explosives, which I’m excerpting at length: If all that matters is our safety and security, then today’s news makes it clear beyond peradventure that the Bush administration is horribly dangerous to our national security. Josh Marshall’s blog today runs an extensive quote […]
People trying to infringe our privacy often claim that they’re making a tradeoff between security and privacy. Sometimes they’re even right. But I think today, we’re trading security for “security,” giving up real protection for an illusion. For example, the TSA is spending lots of money to build and connect databases all about travelers. For […]
WASHINGTON — The Transportation Security Administration was lax in overseeing a $1.2 billion contract to install and maintain explosives-detection machines at U.S. airports, resulting in excess profit of about $49 million for Boeing Co., a Department of Homeland Security review found. (From a Wall St Journal article, October 19th. (Sorry, subscriber-only link.)
Jacob Nielsen has a very good analysis of security, followed by a not-so-great set of suggestions. He is spot on in saying that 1) it doesn’t work, 2) it puts the burden in the wrong place, and 3) this has nasty side effects. (I’d reverse 1 & 2, as the economics predict #1, but thats […]
There’s an alarmist headline at MacSlash about a new mac virus. Its been picked up in a bunch of places. The commenters correctly identify it as a rootkit, not a virus. A rootkit is a program you install, after break in, to hide your tracks. Its not even a sophisticated rootkit. Its stunningly primitive. Reading […]
Another interesting article from Peter Merholz closes with: Until now, user experience efforts have been focused on building teams that practice user-centered design (UCD). However, researchers at User Interface Engineering recently discovered that the size of an organization’s UCD practice is somewhat inversely proportional to the site’s usability. You read that right: Companies that invest […]
Rep. Jim Turner (D-Tex.) wrote that a study by researchers at Stanford University concluded the two-finger system “is no more than 53 percent effective in matching fingerprints with poor image quality against the government’s biometric terrorist watch-list.” Turner said the system falls far short of keeping the country secure. Its not clear to me why […]
Signaling is a term from the study of lemons markets. A lemons market is a market, such as in used cars, where one party (the seller) knows more than the buyer. There are good cars (peaches) and bad ones (lemons). The buyer is willing to pay a fair price, but can’t distinguish between the cars. […]
The September 30th issue of the Economist points to an article in PLoS Biology by Hebert, et al, discussing a new technique for identifying species. The technique, which relies on mitochondirial genes for cytochrome c oxidase I (COI), which is a 648 pair gene. [1] This technique helps settle the question of “Is Astraptes fulgerator […]
Larry Poneman writes: Unfortunately, CEOs have persisted in focusing on four basic questions that too often stump the most savvy IT professionals: What is the security return on investment? What is the probability of a catastrophic security failure? What is the cost of self-insuring against security risks? What are the tangible benefits of being an […]
Each aircraft operation … with a MTOW of more than 12,500 pounds, must conduct a search of the aircraft before departure and screen passengers, crew members and other persons, and all accessible property before boarding in accordance with security standards and procedures approved by TSA. … [Seperately, charter aircraft run as clubs…] These clubs transport […]
Looking for a link to SB 1386, I noticed that of the first 10 Google hits, 2 are legislative, 2 are law firms, 3 are information security portals, and 3 are for security companies. Three of the security companies, (Verisign, Threatfocus and Watchfire) are simply adding “SB 1386” to existing products, and claiming to provide […]
To date, the government has wasted over $100 million in a flawed effort to improve airport security by identifying passengers and, well, doing something to the naughty ones. Meanwhile, the reality is that airport screeners continue to miss items like knives, guns and bombs. Meanwhile, there’s lots of good work in computer vision systems, which […]
Household Finance, a unit of HSBC, has sent me a $5,000 check out of the blue. Big verbage on the front indicates that “Signing this check will result in a loan…” at 23%, which over 5 years comes to an estimated $3,500 in finance charges. Most attractive. Now, ignoring Household’s record of fraud, and ignoring […]
WVLT VOLUNTEER TV Knoxville, TN reports: ” Accused Domestic Terrorist Arrested In Knox County.” According to the criminal complaint, the FBI says that Ivan Braden was planning to enter this Armory Friday, armed with guns and bombs. … The feds say the former 278th soldier planned to take people hostage at the Lenoir City Armory and […]
Ed Hasbrouck, who in a more perfect world would be paid to be the TSA’s chief privacy officer, writes RFID passport data won’t be encrypted: So an identity thief, using only the data secretly and remotely obtainable from your passport, will be able — without ever having actually seen you or your passport — to […]
Attorney General John Ashcroft has announced a major new effort to crack down on intellectual property theft, by which he apparently means illegally-copied DVDs, CDs, and software. (I refuse to use the term piracy to refer to illegal copying. Piracy is the violent boarding and theft of property on ships, and is a major problem […]
A woman said she drove home to San Diego from Denver rather than submit to what she viewed as an intrusive search by airport security screeners. Ava Kingsford, 36, of San Diego said she was flagged down for a pat-down search at Denver International Airport last month as she prepared to board a flight home […]
Ok, you know I’m being sarcastic with the title. The New York Times titles its article “Security Grants Still Streaming To Rural States.” And the message is politics remains more important than ensuring that those cities likely to be hit next are well prepared. The article goes on to cite politics as usual as the […]
“Wherin links between a number of disparate ideas are put forth for the amusement of our readers” Orcinus talks about one of Bush’s answers to a question in last night’s debate.* (I thought Bush did surprisingly well, but think that Kerry still came out slightly ahead. Both, depressingly, still want to spend my money on […]
Do you want to save American lives? Stop senseless deaths? Here’s some ideas: Require real driver training, and enforce traffic laws. Ration the sale of alcohol to prevent the nasty diseases over-indulgence causes. Ban tobacco. Ban firearms. Require calisthenics in the morning, by neighborhood, and in the afternoon, at work. Ban the use of corn […]
I just got a fascinating email. No, not really. It was a simple little email, from someone who’s being very helpful on a project that I’ll speak of in excrutiating detail later. What was fascinating about it was that it was PKCS 7 signed, and Apple’s Mail.app told me so. It told me so with […]
IDC’s research director, Lars Vestergaard, said their research found interest by businesses in WLAN usage was widespread, but not many of them were particularly interested. “Unfortunately IT managers are being uncertain about using this technology, but they use a lot of bad excuses,” he said. “This is because they often fear a lack of security […]
As anyone who takes advice from the Vice President now knows, he didn’t really mean to tell you to go to factcheck.com, but factcheck.org, whose article still doesn’t fully support his point. This little glitch lead the owners of factcheck.com, a small site that lists sellers of dictionaries and encyclopedias, to suffer a massive denial […]
There’s a set of interesting conferences looking for papers: Privacy Enhancing Technologies Economics of Information Security Codecon [update: closed html list tag]
Marcus Ranum writes a good article for ACM Queue, in which he points out that better tools to improve languages can help. I take issue with his claim that better languages can’t help. Java, because of its string representation, is harder to mess up with than C. Its not perfect, and no useful language can […]
Jean Camp and Stephen Lewis have done a great job of bringing together papers on Economics of Information Security in a new volume from Kluwer Academic press. (It’s even better because it has my first book chapter, which is What Price Privacy, joint work with Paul Syverson. We’ll put it online as soon as the […]
Bruce Schneier has a blog: http://www.schneier.com/blog/.
I normally have a lot of respect for CIO Magazine. Their journalists cover the topics that matter to CIOs, they remain focused on how to make the technology support the business, etc. That’s why I was surprised to see this CIO’s Guide To Safe Computing, which starts: Ellyn believes that companies should strive for a […]
0:56 – A student system in Founders scanned victim on TCP port 445 (file sharing). Victim responded. Student system immediately closed connection and opened a new connection on victim port 445. Following LAN Manger protocol negotiation and MS/DCE RPC Bind, student system attacked victim with buffer overflow to exploit Microsoft LSASS vulnerability. Less than 60 […]
But while we consider whether the position should be upgraded, we should also ask what the cybersecurity czar should be doing in the first place. says Ed Felten, and he’s right. He suggests two main jobs: Securing the fed’s infrastructures (and in doing so, pulling for more secure product), and imposing liability rules. Ed correctly […]
That said: my home directory is now encrypted which should make any further hardware maintenance a doddle (no more erase/flood before mailing) and I’ve blown-away the old UFS partition which although useful was tying up a few too many Gb. Alas the rebuild doesn’t seem to have fixed the lack-of-sleep-on-lid-closure problem. One more for Applecare. […]
The House will propose moving cybersecurity offices from the Department of Homeland Security to the White House as part of the intelligence reorganization, according to draft legislation obtained Wednesday by The Associated Press. The bill, expected to be introduced Thursday, would place cybersecurity into the White House budget office. … The new proposal would create […]
Matt Cordes modified the Zombie simulators to give humans a chance to fight back. Its fascinating, because with some small mods to the source, you get a much more interesting simulation. (Unfortunately, I don’t see Matt’s source anywhere, so I can’t say how long it might have taken.) The simulation makes viscerally clear how chains […]
One of the best signs that things are going down the tubes is that officialdom tries to control information flow. I now know that things in Iraq are officially going to hell, because the security situation is bad enough that they’re trying to prevent people from learning about it. Kroll, a large physical and investigative […]
Amit Yoran, a former software executive from Symantec Corp., informed the White House about his plans to quit as director of the National Cyber Security Division and made his resignation effective at the end of Thursday, effectively giving a single’s day notice of his intentions to leave. Yoran said Friday he ”felt the timing was […]
The cost of last minute ticket doesn’t seem to be enough for airlines to break even. How much of this is due to a lingering fear of flying? How much of it is the extra cost to travelers, in inconvenience and hassle, of being bit players on the security stage? As long as a carrier […]
I’ve realized recently that I have no real idea of what’s happening in Iraq. On the one hand, we have bubbly optimists like Chrenkoff. On the other, people like Wall St Journal reporter Farnaz Fassihi, whose email is getting wide circulation. The Iraqi bloggers I read (generally) sound more optimistic than despairing, which is good. […]
Ed Felten has a great post over at Freedom To Tinker about Rather-Gate: In the recent hooha about CBS and the forged National Guard memos, one important issue has somehow been overlooked — the impact of the memo discussion on future forgery. There can be no doubt that all the talk about proportional typefaces, superscripts, […]
I’ve just finished the 9/11 commission’s report. (Or use the Pdfhack version, a fine example of what can be done in the absence of copyrights.) One of the things that stands out for me is the stark contrast between the history and the recommendations. The history is excellent. The recommendations, less so. My largest critique […]
I believe that if you are a low- to mid-skilled intruder physically located in the United States, you will eventually be caught. The days when hardly anyone cared about prosecuting digital crime are ending. The FBI has 13 Computer Hacking and Intellectual Property (CHIPS) units with plans to open more. The Computer Crime and Intellectual […]
his changed recently — spyware ‘toolbars’ started to appear for Firefox as well. It was quite a surprise to see a dialog pop up when accessing an otherwise normal-looking (though advertising-heavy) page, using my Linux desktop, prompting me to install some ‘toolbar’ .xpi file! Firefox 1.0PR now includes code to deal with this. Here’s how […]
Omar writes about A group of Iraqi citizens in Al Karkh/ Khidr Al Yas arrested 6 Syrian terrorists after placing a land mine at the gate of Bab Al Mu’a dam bridge from Al Karkh side. According to New Sabah newspaper, after a road side bomb exploded missing an American convoy that was patrolling in […]
Don’t read this if you’re easily annoyed.
I have cell service with AT&T wireless. One feature of the service is network time updates. It fortunately includes a confirmation. It’s great when you land in a new city. It hasn’t been so great last night or today. Last night, at 23.20, I got an update telling me that the new time was 21.15. […]
The New York Times reports: he Central Intelligence Agency has fewer experienced case officers assigned to its headquarters unit dealing with Osama bin Laden than it did at the time of the attacks, despite repeated pleas from the unit’s leaders for reinforcements, a senior C.I.A. officer with extensive counterterrorism experience has told Congress. A senior […]
The Mozilla folks have awarded their first bug bounty payments for 14 security issues. Time to upgrade!
Microsoft has released a critical advisory (or, less-technical version) regarding a problem with the way JPEG files are parsed. Microsoft has released patches for their applications, and also a tool to scan for vulnerable apps. I’m not sure what to think about the tool. On the one hand, good for them! Helping customers secure their […]
Apple has released an updated Security Advisory, to fix two problems introduced in the previous rev. Not a big deal, unless you happened to be trying to deal with their ftpd. As we’ve pointed out (PDF) in the past, security updates are a race between attacks and defense, and there are trade-offs you can make. […]
Britons seemed startled by the ease with which palace security was overrun by two men in super hero costumes carrying an extension ladder….Police used a crane to extract him from the ledge as his supporters chanted “free Batman” from behind a police cordon. From the New York Times story. Or, Google News has more. The […]
SecurityFocus points to a nice short article over at Silicon.com suggests that Gartner advises that for companies building their own software, developers should be pushed to put security at the head of their list. It’s not just in-house tech makers that need a word in their ears – the analysts suggest end users should give […]
Some Singaporean students have figured out how to use Bluetooth to turn off the cameras in Nokia’s phones, according to an article in Gizmodo, via a long chain to a now deleted newspaper article. I wonder if they turn it back on when you leave the area? However, Loosewire, the earliest still working link, implies […]
The Webflyer points to a great David Rowell column, including: An argument ensued. Ms O’Leary not unreasonably thought it unfair to be trapped on the delayed flight when there was another flight due to leave shortly that she could make if allowed to leave the United Express flight. The pilot called the police who arrested […]
Responding to my earlier comments about science being easier at a distance, both Nude Cybot and Justin Mason have offered up substantial and useful comments on the subjects of biological taxonomies. (Justin’s have moved to email.) “Classification in Biology, or phylogenetics, is fraught with issues that we typically do not face when creating our own […]
In Educated Guesswork, Eric Rescorla writes about one way tickets and the search criteria. The CAPPS program was created by Northwest airlines, who set the criteria for inclusion. They included one way tickets to enforce their bizarre pricing schemes. This is the same reason they started asking for ID: to cut down on the resale […]
Bruce Schneier has written insightfully about Olympic security. They’ve spent $1.5 billion, and today’s marathon race was marred by some idiot leaping into the path of the front-runner, and dragging him into the crowd. Its always tempting, and usually wrong, to say that any failure of security could be prevented. However, this Olympics has seen […]
Frank Sanache was one of eight Meswaski code talkers. He served in North Africa, and was captured by the Germans. I’m fairly interested in the history of code talkers, and had missed the Army’s use of them. It turns out that there were codetalkers in the First World War, that German civilains had travelled to […]
So Microsoft has released XP2 on a CD. I’m not currently running any Windows machines, but I figure hey, this is an important patch, and I should be able to foist it on people. So I go to Microsoft’s Order a CD site. I am curious to see what else the CD might contain. A […]
In 1977, the government certified the Data Encryption Standard (DES), with a planned lifetime of 15 years. It has now been in use for nearly 30, and no longer offers even decent security. Over 6 years ago, the EFF built Deep Crack a supercomputer for breaking DES, which cracked keys in under a day. NIST […]