Shostack + Friends Blog Archive


Diagrams in Threat Modeling

When I think about how to threat model well, one of the elements that is most important is how much people need to keep in their heads, the cognitive load if you will. In reading Charlie Stross’s blog post, “Writer, Interrupted” this paragraph really jumped out at me: One thing that coding and writing fiction […]


Journal of Terrorism and Cyber Insurance

At the RMS blog, we learn they are “Launching a New Journal for Terrorism and Cyber Insurance:” Natural hazard science is commonly studied at college, and to some level in the insurance industry’s further education and training courses. But this is not the case with terrorism risk. Even if insurance professionals learn about terrorism in […]


What does the MS Secure Boot Issue teach us about key escrow?

Nothing. No, seriously. Articles like “Microsoft Secure Boot key debacle causes security panic” and “Bungling Microsoft singlehandedly proves that golden backdoor keys are a terrible idea” draw on words in an advisory to say that this is all about golden keys and secure boot. This post is not intended to attack anyone; researchers, journalists or […]


Security Lessons from C-3PO

C-3PO: Sir, the possibility of successfully navigating an asteroid field is approximately 3,720 to 1. Han Solo: Never tell me the odds. I was planning to start this with a C-3PO quote, and then move to a discussion of risk and risk taking. But I had forgotten just how rich a vein George Lucas tapped […]


RSA Planning

Have a survival kit: ricola, Purell, gatorade, advil and antacids can be brought or bought on site. Favorite talk (not by me): I look forward to Sounil Yu’s talk on “Understanding the Security Vendor Landscape Using the Cyber Defense Matrix.” I’ve seen an earlier version of this, and like the model he’s building a great […]


Secure Code is Hard, Let's Make it Harder!

I was confused about why Dan Kaminsky would say CVE-2015-7547 (a bug in glibc’s DNS handling) creates network attack surface for sudo. Chris Rohlf kindly sorted me out by mentioning that there’s now a -host option to sudo, of which I was unaware. I had not looked at sudo in depth for probably 20 years, […]


Sneak peeks at my new startup at RSA

Many executives have been trying to solve the problem of connecting security to the business, and we’re excited about what we’re building to serve this important and unmet need. If you present security with an image like the one above, we may be able to help. My new startup is getting ready to show our […]


The Evolution of Secure Things

One of the most interesting security books I’ve read in a while barely mentions computers or security. The book is Petroski’s The Evolution of Useful Things. As the subtitle explains, the book discusses “How Everyday Artifacts – From Forks and Pins to Paper Clips and Zippers – Came to be as They are.” The chapter […]


What Good is Threat Intelligence Going to do Against That?

As you may be aware, I’m a fan of using Star Wars for security lessons, such as threat modeling or Saltzer and Schroeder. So I was pretty excited to see Wade Baker post “Luke in the Sky with Diamonds,” talking about threat intelligence, and he gets bonus points for crossover title. And I think it’s […]


Adam's new startup

A conversation with an old friend reminded me that there may be folks who follow this blog, but not the New School blog. Over there, I’ve posted “Improving Security Effectiveness” about leaving Microsoft to work on my new company: For the last few months, I’ve been working full time and talking with colleagues about a […]


An Infosec lesson from the "Worst Play Call Ever"

It didn’t take long for the Seahawks’ game-losing pass to get a label. But as Ed Felten explains, there’s actually some logic to it, and one of his commenters (Chris) points out that Marshawn Lynch scored in only one of his 5 runs from the one yard line this season. So, perhaps in a game […]


IOS Subject Key Identifier?

I’m having a problem where the “key identifier” displayed on my iOS device does not match the key fingerprint on my server. In particular, I run: % openssl x509 -in keyfile.pem -fingerprint -sha1 and I get a 20 byte hash. I also have a 20 byte hash in my phone, but it is not that […]


Think Like An Attacker? Flip that advice!

For many years, I have been saying that “think like an attacker” is bad advice for most people. For example: Here’s what’s wrong with think like an attacker: most people have no clue how to do it. They don’t know what matters to an attacker. They don’t know how an attacker spends their day. They […]


RSA: Time for some cryptographic dogfood

One of the most effective ways to improve your software is to use it early and often. This used to be called eating your own dogfood, which is far more evocative than the alternatives. The key is that you use the software you’re building. If it doesn’t taste good to you, it’s probably not customer-ready. […]


What to do for randomness today?

In light of recent news, such as “FreeBSD washing Intel-chip randomness” and “alleged NSA-RSA scheming,” what advice should we give engineers who want to use randomness in their designs? My advice for software engineers building things used to be to rely on the OS to get it right. That defers the problem to a small […]


The Psychology of Password Managers

As I think more about the way people are likely to use a password manager, I think there are real problems with the way master passwords are set up. As I write this, I’m deeply aware that I’m risking going into a space of “it’s logical that” without proper evidence. Let’s start from the way most […]


1Password & Hashcat

The folks at Hashcat have some interesting observations about 1Password. The folks at 1Password have a response, and I think there’s all sorts of fascinating lessons here. The crypto conversations are interesting, but at the end of the day, a lot of security is unavoidably contributed by the master password strength. I’d like to offer […]


Does 1Password Store Passwords Securely?

In ““Secure Password Managers” and “Military-Grade Encryption” on Smartphones: Oh, Really?” Andrey Belenko and Dmitry Sklyarov write quite a bit about a lot of password management tools. This is admirable work, and I’m glad BlackHat provided a forum for it. However, as a user of 1Password, I was concerned to read the following about that […]


Shocking News of the Day: Social Security Numbers Suck

The firm’s annual Banking Identity Safety Scorecard looked at the consumer-security practices of 25 large banks and credit unions. It found that far too many still rely on customers’ Social Security numbers for authentication purposes — for instance, to verify a customer’s identity when he or she wants to speak to a bank representative over […]


Niels Bohr was right about predictions

There’s been much talk of predictions lately, for some reason. Since I don’t sell anything, I almost never make them, but I did offer two predictions early in 2010, during the germination phase of a project a colleague was working on. Since these sort of meet Adam’s criteria by having both numbers and dates, I […]


The output of a threat modeling session, or the creature from the bug lagoon

Wendy Nather has continued the twitter conversation, which is now a set of blog posts. (My comments are threat modeling and risk assessment, and hers: “That’s not a bug, it’s a creature.”) I think we agree on most things, but I sense a little semantic disconnect in some things that she says: The only […]


Threat Modeling and Risk Assessment

Yesterday, I got into a bit of a back and forth with Wendy Nather on threat modeling and the role of risk management, and I wanted to respond more fully. So first, what was said: (Wendy) As much as I love Elevation of Privilege, I don’t think any threat modeling is complete without considering probability […]


Telephones and privacy

Three stories, related by the telephone, and their impact on privacy: CNN reports that your cell phone is being tracked in malls: Starting on Black Friday and running through New Year’s Day, two U.S. malls — Promenade Temecula in southern California and Short Pump Town Center in Richmond, Va. — will track guests’ movements by […]


What's Wrong and What To Do About It?

Let me start with an extended quote from “Why I Feel Bad for the Pepper-Spraying Policeman, Lt. John Pike”: They are described in one July 2011 paper by sociologist Patrick Gillham called, “Securitizing America.” During the 1960s, police used what was called “escalated force” to stop protesters. “Police sought to maintain law and order often […]


Emergent Effects of Restrictions on Teenage Drivers

For more than a decade, California and other states have kept their newest teen drivers on a tight leash, restricting the hours when they can get behind the wheel and whom they can bring along as passengers. Public officials were confident that their get-tough policies were saving lives. Now, though, a nationwide analysis of crash […]


Heaven Forbid the New York Times include Atheists

In “Is Your Religion Your Financial Destiny?,” the New York Times presents the following chart of income versus religion: Note that it doesn’t include the non-religious, which one might think an interesting group as a control. Now, you might think that’s because the non-religious aren’t in the data set. But you’d be wrong. In the […]


Egypt and Information Security

Yesterday, I said on Twitter that “If you work in information security, what’s happening in Egypt is a trove of metaphors and lessons for your work. Please pay attention.” My goal is not to say that what’s happening in Egypt is about information security, but rather to say that we can be both professional and […]


TSA News roundup

Intrusiveness and outrage: “Homeland Security Is Also Monitoring Your Tweets” “‘Baywatch’ Beauty Feels Overexposed After TSA Scan” (David Moye, AOLnews) “the agent responded, ‘Because you caught my eye, and they’ — pointing to the other passengers — ‘didn’t.’” “POLICE STATE – TSA, Homeland Security & Tampa Police Set Up Nazi Checkpoints At Bus Stations ” […]


The TSA’s Approach to Threat Modeling

“I understand people’s frustrations, and what I’ve said to the TSA is that you have to constantly refine and measure whether what we’re doing is the only way to assure the American people’s safety. And you also have to think through are there other ways of doing it that are less intrusive,” Obama said. “But […]


The 1st Software And Usable Security Aligned for Good Engineering (SAUSAGE) Workshop

National Institute of Standards and Technology Gaithersburg, MD USA April 5-6, 2011 Call for Participation The field of usable security has gained significant traction in recent years, evidenced by the annual presentation of usability papers at the top security conferences, and security papers at the top human-computer interaction (HCI) conferences. Evidence is growing that significant […]


"Towards Better Usability, Security and Privacy of Information Technology"

“Towards Better Usability, Security and Privacy of Information Technology” is a great survey of the state of usable security and privacy: Usability has emerged as a significant issue in ensuring the security and privacy of computer systems. More-usable security can help avoid the inadvertent (or even deliberate) undermining of security by users. Indeed, without sufficient […]


Grope-a-thon: Today's TSA roundup

Outrage “Adam Savage: TSA saw my junk, missed 12″ razor blades” (Ben Kuchera, Ars Technica with video) “DHS & TSA: Making a list, checking it twice” (Doug Hadmann, Canada Free Press) claims that DHS has an internal memo calling those 59% of Americans who oppose pat downs “domestic extremists.” No copies of the memo have […]


UC San Francisco Faculty on Nudatrons

A number of faculty at UCSF have a letter to John Holdren, the President’s advisor on science and technology. There’s a related story on, but I’d missed the letter. It appears the concerns of 3 members of the National Academy of Sciences have been completely ignored.


Quantum Crypto is Quantum Backdoored, But It's Not a Problem

Nature reports that Quantum Cryptography has been completely broken in “Hackers blind quantum cryptographers.” Researcher Vadim Makarov of the Norwegian University of Science and Technology constructed an attack on a quantum cryptography system that “gave 100% knowledge of the key, with zero disturbance to the system,” as Makarov put it. There have been other attacks […]


Black Hat Slides

My talk at Black Hat this year was “Elevation of Privilege, the Easy Way to Get Started Threat Modeling.” I covered the game, why it works and where games work. The link will take you to the PPTX deck.


Hacker Hide and Seek

Core Security’s Ariel Waissbein has been building security games for a while now. They were kind enough to send a copy of their “Exploit” game after I released Elevation of Privilege. [Update: I had confused Ariel Futoransky and Ariel Waissbein, because Waissbein wrote the blog post. Sorry!] At Defcon, he and his […]


SOUPS Keynote & Slides

This week, the annual Symposium on Usable Privacy and Security (SOUPS) is being held on the Microsoft campus. I delivered a keynote, entitled “Engineers Are People Too:” In “Engineers Are People, Too” Adam Shostack will address an often invisible link in the chain between research on usable security and privacy and delivering that usability: the […]


Malware reports? (A bleg)

I’m doing some work that involves seeing what people are saying about the state of malware in 2010, and search terms like “malware report” get a lot of results, but they don’t always help me find things like the Symantec ISTR, the McAfee threats report or the Microsoft SIR. To date, I’ve found reports from Cisco, […]



We show that malicious TeX, BibTeX, and METAPOST files can lead to arbitrary code execution, viral infection, denial of service, and data exfiltration, through the file I/O capabilities exposed by TeX’s Turing-complete macro language. This calls into doubt the conventional wisdom view that text-only data formats that do not access the network are likely safe. […]


J.C. Penny knew best

JC Penney, Wet Seal: Gonzalez Mystery Merchants JCPenney and Wet Seal were both officially added to the list of retail victims of Albert Gonzalez on Friday (March 26) when U.S. District Court Judge Douglas P. Woodlock refused to continue their cloak of secrecy and removed the seal from their names. StorefrontBacktalk had reported last August […]


Head of O'Hare Security says it sucks

In the eight months that I was the head of security under the Andolino administration, the commissioner of the busiest airport of the world, depending on who’s taking the survey, the busiest airport in the world, never once had a meeting with the head of security for the busiest airport in the world. Never once. […]


Elevation of Privilege: the Threat Modeling Game

In my work blog: “Announcing Elevation of Privilege: The Threat Modeling Game.” After RSA, I’ll have more to say about how it came about, how it helps you and how it helps more chaos emerge. But if you’re here, you should come get a deck at the Microsoft booth (1500 row).


Can I see some ID?

Or, Security and Privacy are Complimentary, Part MCVII: Later, I met one executive who told me that at the same time of my incident at another restaurant owned by the corporation, a server was using stolen credit card numbers by wearing a small camera on him. He would always check ID’s and would quickly flash […]


Saltzer, Schroeder, and Star Wars

When this blog was new, I did a series of posts on “The Security Principles of Saltzer and Schroeder,” illustrated with scenes from Star Wars. When I migrated the blog, the archive page was re-ordered, and I’ve just taken a few minutes to clean that up. The easiest to read version is “Security Principles of […]


Privacy and Security are Complimentary, Part MCIV

Privacy and security often complement each other in ways that are hard to notice. It’s much easier to present privacy and security as “in tension” or as a dependency. In this occasional series, we present ways in which they compliment each other. In this issue, the Financial Times reports that “Hackers target friends of Google […]


Another Week, Another GSM Cipher Bites the Dust

Orr Dunkelman, Nathan Keller, and Adi Shamir have released a paper showing that they’ve broken KASUMI, the cipher used in encrypting 3G GSM communications. KASUMI is also known as A5/3, which is confusing because it’s only been a week since breaks on A5/1, a completely different cipher, were publicized. So if you’re wondering if this […]


768-bit RSA key factored

The paper is here. The very sane opening paragraph is: On December 12, 2009, we factored the 768-bit, 232-digit number RSA-768 by the number field sieve (NFS, [19]). The number RSA-768 was taken from the now obsolete RSA Challenge list [37] as a representative 768-bit RSA modulus (cf. [36]). This result is a record for […]


The New School of Air Travel Security?

As I simmer with anger over how TSA is subpoenaing bloggers, it occurs to me that the state of airline security is very similar to that of information security in some important ways: failures are rare; partial failures are generally secret; actual failures are analyzed in secret; procedures are secret; procedures seem bizarre and arbitrary […]


Observations on the Christmas Bomber

Since there’s been so much discussion about the Christmas Bomber, I want to avoid going over the same ground everyone else is. So as much as I can, I’m going to try to stick to lightly-treaded ground. This is a failure for the terrorists. A big one. Think about it; put yourself on the other […]


St. Cajetan's Revenge

For some time, I’ve watched the War on Bottled Water with amusement. I don’t disagree with figuring out how to reduce waste, and so on and so forth, but the railing against bottled water per se struck me as not thought out very well. The major reason for my thinking is that I never heard […]


TSA Security Operating Procedures

Via Gary Leff, we learn that “The TSA Puts Their Sensitive Security Screening Procedures Online For All To See (oops).” It’s another “we blacked out the doc without blacking out the data” story. The doc is 93 pages, and I don’t have time to more than skim it right now. I think that the redactions […]


Eight Million? Eight Million?!?!

Chris Soghoian, who we’ve mentioned here extensively in the past, has posted some new research around just how much electronic surveillance is really going on here in the US. Sprint Nextel provided law enforcement agencies with its customers’ (GPS) location information over 8 million times between September 2008 and October 2009. This massive disclosure of […]


An advance in the "balance" between security and privacy

Today on Thanksgiving, I’m thankful that the European Parliament has adopted what may be the first useful statement about the balance between security and privacy since Franklin: “… stresses that the EU is rooted in the principle of freedom. Security, in support of freedom, must be pursued through the rule of law and subject to […]


Poker Faced?

In “An Unstoppable Force Meets…” Haseeb writes about “we have just witnessed a monumental event in the history of online poker – the entrance of Isildur into our world of online poker.” Huh? Really? The post is jargon packed, and I’m not a poker player, but apparently this Isildur character has slaughtered all the best […]


RSnakes On A Plane

or why RSnake will never be allowed to play video blackjack or poker at Blackhat ever again. RSnake’s exploits with the game system on a recent flight are a fabulous read. Makes me wonder just how integrated these systems are with the regular flight systems though. Btw, RSnake, I expect a demo as part of […]


Security is About Outcomes, FISMA edition

Over at the US Government IT Dashboard blog, Vivek Kundra (Federal CIO), Robert Carey (Navy CIO) and Vance Hitch (DOJ CIO) write: the evolving challenges we now face, Federal Information Security Management Act (FISMA) metrics need to be rationalized to focus on outcomes over compliance. Doing so will enable new and actionable insight into agencies’ […]


Sunday Linkage Security/Privacy In The UK

Quarter of a million Welsh profiles added to DNA database since 2000. [I forget who linked to this one.] CCTV in the spotlight: one crime solved for every 1,000 cameras [Via the security metrics mailing list.]


Moore's Law is a Factor in This

I remember when Derek Atkins was sending mail to the cypherpunks list, looking for hosts to dedicate to cracking RSA-129. I remember when they announced that “The Magic Words are Squeamish Ossifrage.” How it took 600 people with 1,600 machines months of work and then a Bell Labs supercomputer to work through the data. I […]


What should the new czar do? (Tanji's Security Survey)

Over at Haft of the Spear, Michael Tanji asks: You are the nation’s new cyber czar/shogun/guru. You know you can’t force anyone to do jack, therefore you spend your time/energy trying to accomplish what three things via influence, persuasion, shame and force of will? I think it’s a fascinating question, and posted my answer over […]


ID Theft Risk Scores?

A bunch of widely read people are blogging about “ Offers Free ID Theft Risk Score.” That’s Brian Krebs at the Washington Post. See also Jim Harper, “My ID Score.” First, there’s little explanation of how it’s working. I got a 240 when I didn’t give them my SSN, and my score dropped to 40 […]


TSA Kills Bad Program!

The government is scrapping a post-Sept. 11, 2001, airport screening program because the machines did not operate as intended and cost too much to maintain. The so-called puffer machines were deployed to airports in 2004 to screen randomly selected passengers for bombs after they cleared the standard metal detectors. The machines take 17 seconds to […]


I wrote code for a botnet today

There’s a piece of software out there trying to cut down on blog spam, and it behaves annoyingly badly. It’s bad in a particular way that drives me up the wall. It prevents reasonable behavior, and barely blocks bad behavior of spammers. In particular, it stops all requests that lack an HTTP Referer: header. All […]


Security is about outcomes, not process (RSA edition)

So I’m getting ready to head over to RSA, and I’m curious. If you believe that “security is about outcomes, not about process,” what outcomes do you want from RSA? How will you judge if the conference was worthwhile?


Breaches Conference audio online

Back in March, the Berkeley Center for Law and Technology put on a great conference, the “Security Breach Notification Symposium.” It was a fascinating day, and the audio is now online.


Security is about outcomes, not about process

Nearly a decade ago Bruce Schneier wrote “Security is a process, not a product.” His statement helped us advance as a profession, but with the benefit of hindsight, we can see he’s only half right. Security isn’t about technology. Security is about outcomes, and our perceptions, beliefs and assurance about those outcomes. Here’s a quick […]


Building Security In, Maturely

While I was running around between the Berkeley Data Breaches conference and SOURCE Boston, Gary McGraw and Brian Chess were releasing the Building Security In Maturity Model. Lots has been said, so I’d just like to quote one little bit: One could build a maturity model for software security theoretically (by pondering what organizations should […]


Who Watches the FUD Watcher?

In this week’s CSO Online, Bill Brenner writes about the recent breaks at Kaspersky Labs and F-Secure. You can tell his opinion from the title alone, “Security Vendor Breach Fallout Justified” in his ironically named “FUD watch” column. Brenner watched the FUD as he spreads it. He moans histrionically, When security is your company’s business, […]


Boundary Objects and Threat Modeling

Ethnomethodologists talk a lot about communities of practice: groups of people who share some set of work that they do similarly, and where they’ll co-evolve ways of working and communicating. When everyone is part of a given community, this works really well. When we talk about “think like an attacker” within a community of security […]


Will Proof-of-Work Die a Green Death?

In the Cryptography mailing list, John Gilmore recently brought up an interesting point. One of the oft-debated ways to fight spam is to put a form of proof-of-work postage on it. Spam is an emergent property of the very low cost of email combined with the effect that most of the cost is pushed to […]


"EPC RFID Tags in Security Applications"

I just finished an interesting paper, K. Koscher, A. Juels, T. Kohno, and V. Brajkovic. “EPC RFID Tags in Security Applications: Passport Cards, Enhanced Drivers Licenses, and Beyond.” In the paper, they analyze issues of cloning (easy), read ranges (longer than the government would have you believe) and ‘design drift’ (a nice way of saying […]


The New Openness?

This photograph was taken at 11:19 AM on January 20th. It’s very cool that we can get 1 meter resolution photographs from space. What really struck me about this photo was… well, take a look as you scroll down… What really struck me about this is the open space. What’s up with that? Reports were […]


A few Heartland links

Well, Mordaxus got the story, but I’ll add some links I found interesting or relevant. StoreFront BackTalk has From The Heartland Breach To Second Guessing Service Providers. Dave G at Matasano added “Heartland’s PCI certification.” The Emergent Chaos time travel team already covered that angle in “Massachusetts Analyzes its Breach Reports:” What’s exciting about this […]


Children, Online Risks and Facts

There’s an interesting (and long!) “Final Report of the Internet Safety Technical Task Force to the Multi-State Working Group on Social Networking of State Attorneys General of the United States.” Michael Froomkin summarizes the summary. Adam Thierer was a member of the task force, and has extensive commentary on the primary online safety issue today […]


Patch and Pray…

…or, Spaf’s DVD players get bricked. In which, lies a tale…


Gary McGraw and Steve Lipner

Gary McGraw has a new podcast, “Reality Check” about software security practitioners. The first episode features Steve Lipner. It’s some good insight into how Microsoft is approaching software security. I’d say more, but as Steve says two or three good things about my threat modeling tool, you might think it some form of conspiracy. You […]


Cryptol Language for Cryptography

Galois has announced “” Cryptol is a domain specific language for the design, implementation and verification of cryptographic algorithms, developed over the past decade by Galois for the United States National Security Agency. It has been used successfully in a number of projects, and is also in use at Rockwell Collins, Inc. … Cryptol allows […]


Now will you believe MD5 is broken?

I’m just sitting here blinking, having a Brecht moment in which I am laughing at those who are crying and crying at those who are laughing. At the CCC congress, a number of people did something dramatic — they created a forged SSL certificate. It’s dramatic, but nothing special. We’ve known that MD5 is broken […]


Do Security Breaches Cost Customers?

Adam Dodge, building on research by Ponemon and Debix, says “Breaches Cost Companies Customers,” and Alan Shimel dissents in “Do data breaches really cost companies customers?” Me, I think it’s time we get deeper into what this means. First, the customers. Should they abandon a relationship because the organization has a security problem? To answer […]


Privacy Rights & Privacy Law

First, the European Court of Human Rights has ruled that the UK’s “DNA database ‘breach of rights’:” The judges ruled the retention of the men’s DNA “failed to strike a fair balance between the competing public and private interests,” and that the UK government “had overstepped any acceptable margin of appreciation in this regard”. The […]


Eric Drexler blogging

At Way cool. I look forward to what he has to say. Unfortunately, one of his early posts falls into the trap of believing that “Computation and Mathematical Proof” will dramatically improve computer security: Because proof methods can be applied to digital systems, and in particular, will be able to verify the correctness (with […]


Videos of me

The employer has been posting them at a prodigious rate. There’s: “Threat Modeling at EMC and Microsoft,” Danny Dhillon of EMC and myself at BlueHat. Part of the BlueHat SDL Sessions. Also on threat modeling, Michael Howard and I discuss the new SDL Threat Modeling Tool Michael Howard and I also discussed the new SDL […]


SDL Announcements

I’m in Barcelona, where my employer has made three announcements about our Security Development Lifecycle, which you can read about here: “SDL Announcements at TechEd EMEA.” I’m really excited about all three announcements: they represent an important step forward in helping organizations develop more secure code. But I’m most excited about the public availability of […]


Cheetah Delays Luggage

A cheetah traveling from Oregon to Memphis, Tennessee escaped from its cage on a Delta flight from Portland to Atlanta. Luggage was delayed, a baggage worker got a good fright (oh, yeah, imagine finding a cheetah on Halloween), but no baggage was destroyed. I would like to be able to link to the full story, […]


Responses to Terror: Boston and Ashdod, Israel

An Israeli teenager has been arrested after he donned a mask and prowled the streets of his town with a big rucksack and toy gun for a school project. The boy, 15, was seized by police in the southern town of Ashdod suspecting he was a Palestinian militant. The student was quoted as saying he […]


Insecurity Theatre

“It’s been in the back of my mind since you first came in: How do you get the missile on the trailer into Manhattan?” federal Judge William Pauley III asked. Sachs, from West Babylon, said cops just laughed as he passed through the Queens Midtown Tunnel on his way into the city Sept. 8. Sachs […]


Fake Fish and Security

There was a very interesting article in the New York Times, “Fish Tale has DNA Hook,” in which two high school students used DNA testing to discover that nearly 1/4 of the sushi they tested and identified was mis-labeled. The article only identifies one of the vendors: Dr. Stoeckle was willing to divulge the name […]


Buffer Overflows and History: a request

One of my long-term interests in security is the ongoing cost of secrecy. My current favorite example is the stack smashing buffer overflow. These were known and understood no later than 1972, and clearly documented in James P. Anderson’s Computer Security Technology Planning Study: The code performing this function does not check the source and […]


The Costs of Secrecy

Security continues to be crippled by a conspiracy of silence. The ongoing costs of not talking about what’s going wrong are absolutely huge, and today, we got insight into just how huge. Richard Clayton and Tyler Moore of Cambridge University have a new paper on phishing, “The consequence of non-cooperation in the fight against phishing.” […]


Elections Are Done For Me

Forty percent of California voters are “permanent absentee” voters. Oregon runs entirely by mail-in votes. Other US states have some sort of mail-in or absentee status that people can assign themselves to. For those people, including me, elections are a slice of time that ends on election day. This isn’t new; until relatively recently, it […]


Security is an Empirical and Social Science

In reading Mordaxus’ post “Quantum Crypto Broken Again,” I was struck by his comment: It is a serious flaw because one of the main arguments about quantum cryptography is that because it is “physics” based as opposed to “computer” based, that it is more secure than software cryptography.” Firstly, security is almost always an outcome […]


Experiences Threat Modeling at Microsoft

A little bit of cross-pollination between blogs: Adam Shostack here. Last weekend, I was at a Security Modeling Workshop, where I presented a paper on “Experiences Threat Modeling at Microsoft,” which readers of [the Microsoft Security Development Lifecycle] blog might enjoy. So please, enjoy!


Quantum Crypto Broken Again

The New Scientist reports that researchers Vadim Makarov, Andrey Anisimov, and Sebastien Sauge have broken quantum key distribution. The attack is described in their paper, “Can Eve control PerkinElmer actively-quenched single-photon detector?” Spoiler Warning: Yes. She can. The attack is brilliant in its elegance. They essentially jam the receiver. A bright pulse of laser light […]


The Skype Issue

According to The New York Times in, “Surveillance of Skype Messages Found in China,” the Chinese provider TOM has software in place that reads Skype text messages, and blocks ones that use naughty words and terms, like “Falun Gong,” “Independent Taiwan,” and so on. A group of security people and human rights workers not only […]


The Discipline of "think like an attacker"

John Kelsey had some great things to say in a comment on “Think Like An Attacker.” I’ve excerpted some key bits to respond to them here. Perhaps the most important is to get the designer to stop looking for reasons attacks are impossible, and start looking for reasons they’re possible. That’s a pattern I’ve seen over […]


TSA Badges

9Wants to Know has uncovered a new policy that allows airport screeners at Denver International Airport to bypass the same security screening checkpoints that passengers have to go through. … The new policy says screeners can arrive for work and walk behind security lines without any of their belongings examined or X-rayed. … At DIA, […]


This Week in Petard-Hoisting, the Palin Edition

If you are the sort of person who looks at odd legal rulings and opinions, you may remember that a few years ago the US DOJ issued an opinion that stored emails are not protected under the Stored Communications Act. The DOJ reasoning is that when you leave read email on your server, it’s not […]


University of Lake Wobegon?

Spaf has an excellent post up about Purdue’s decision to no longer be an NSA Center of Academic Excellence. He makes a number of thought-provoking points, among them that “excellence” loses its meaning if the bar is set too low, and that being an academic center and having a training (as opposed to educating) curriculum […]


Think Like An Attacker?

One of the problems with being quoted in the press is that even your mom writes to you with questions like “And what’s wrong with ‘think like an attacker?’ I think it’s good advice!” Thanks for the confidence, mom! Here’s what’s wrong with think like an attacker: most people have no clue how to do […]


SDL Press Tour Announcements

Steve Lipner and I were on the road for a press tour last week. In our work blog, he writes: Last week I participated in a “press tour” talking to press and analysts about the evolution of the SDL. Most of our past discussions with press and analysts have centered on folks who follow security, […]


Applied Security Visualization

Our publisher sent me a copy of Raffael Marty’s Applied Security Visualization. This book is absolutely worth getting if you’re designing information visualizations. The first and third chapters are a great short intro into how to construct information visualization, and by themselves are probably worth the price of the book. They’re useful far beyond security. […]


Hans Monderman and Risk

Zimran links to an excellent long article on Hans Monderman and then says: When thinking about human behavior, it makes sense to understand what people perceive, which may be different from how things are, and will almost certainly be very different from how a removed third party thinks them to be. Traffic accidents are predominantly […]


Lessons for security from "Social Networks"

There are a couple of blog posts that I’ve read lately that link together for me, and I’m still working through the reasons why. I’d love your feedback or thoughts. A blogger by the name of Lhooqtius ov Borg has a long screed on why he doesn’t like the “Social Futilities.” Tyler Cowen has a […]


Write Keyloggers Professionally!


has a job for you if you need some high-paid work — write a remote keylogger. Here are the project requirements: We need a keylogger that can be installed remotely. Description: The main purpose is that the user A can send an email with a program to install (example: a game or a funny […]


Disaster Recovery Drills Aren't Just For IT

The Economist has a short but great overview on crisis management. The article is well worth reading completely, but there is one section that bears highlighting: Be well prepared in advance. Potential members of a crisis management “team” should rehearse how they would manage the impact of an incident. It is a bit like learning […]


I’m Certifiably Wrong

So there’s some great discussion going on in the comments to “Certifiably Silly,” and I’d urge you to read them all. I wanted to respond to several, and I’ll start with Frank Hecker: Could we take the cost issue out of this equation please … [Adam: I’m willing to set it aside, because the conversation […]


Certifiably Silly

Over at “The Security Practice,” Michael Barrett writes about “Firefox 3.0 and self-signed certificates.” Neither of us is representing our respective employers. …almost everyone who wants to communicate securely using a browser can afford an SSL certificate from CAs such as GoDaddy, Thawte, etc. The cost of single certificates from these sources can only […]


What do you want to know about SDL Threat Modeling?

Over on my work blog, I asked: I’m working on a paper about “Experiences Threat Modeling at Microsoft” for an academic workshop on security modeling. I have some content that I think is pretty good, but I realize that I don’t know all the questions that readers might have. So, what questions should I try […]


On Gaming Security

Adam comments on Dave Maynor commenting on Blizzard selling authentication tokens. Since I have the ability to comment here, I shall. This isn’t the case of a game having better security than most banks (as Maynor says). This is a game company leaping ahead of some banks, because they realize they have bank-like security issues. […]


Want Real Homeland Security?

All around cool guy, and former provost of the University of Chicago, Geoffrey Stone (the Edward H. Levi Distinguished Service Professor at the University of Chicago Law School), posted earlier this week, proposing that “The next president should create a brand new position, which should become a permanent part of the Executive Branch in the […]


Medeco Embraces The Locksport Community

Two days ago, Marc Weber Tobias pointed out that Medeco, the 800 pound gorilla in the high-security lock market, recently published an open letter to the locksport community, welcoming it to the physical security industry: While we have worked with many locksmiths and security specialists in the past to improve our cylinders, this is the […]


Quantum Pride

One of the curious features of Quantum Cryptographers is the way they harrumph at mathematics. “Don’t trust that math stuff, you should trust physics.” It’s easy to sneer at this attitude because physics has traditionally gotten its cred because of its foundations in math. Physicists are just mathematicians who don’t squick at canceling dxes. Quantum […]


Can You Hear Me Now?

Debix, Verizon, the ID Theft Research Center and the Department of Justice have all released really interesting reports in the last few days, and what makes them interesting is their data about what’s going wrong in security. This is new. We don’t have equivalents of the National Crime Victimization Surveys for cyberspace. We don’t have […]


Quanta In Space!

What’s the biggest problem with quantum cryptography? That it’s too expensive, of course. Quantum anything is inherently cool, just as certain things are inherently funny. Ducks, for example. However, it’s hard to justify a point-to-point quantum crypto link that starts at one-hundred grand just for the encryptors (fiber link not included, some assembly required), when […]


Security Prediction Markets: theory & practice

There are a lot of great comments on the “Security Prediction Markets” post. There’s a tremendous amount of theorizing going on here, and no one has any data. Why don’t we experiment and get some? What would it take to create a market in breach notification prediction? Dan Guido said in a comment, “In security, […]


Because it is the weekend and I am lazy

Chris’s beach reading recommendations:
John Maynard Smith, Evolution and the Theory of Games
James S. Coleman, Foundations of Social Theory
Ken Binmore, Natural Justice


RIM speaks out on BB security

El Reg writes that the India Times writes that RIM has “blackballed” (El Reg’s words) the Indian Government’s requests to get BB keys, saying what we suspected, that there are no keys to give. The India Times says: BlackBerry vendor Research-In-Motion (RIM) said it cannot hand over the message encryption key to the government as […]


This May Be FUD

You may have seen this article from the India Times, “Govt may get keys to your BlackBerry mailbox soon.” Many people have been commenting on it, and the hand-wringing should build up to a good storm in a few days. The gist of the article is that the Indian Government has told RIM that if […]


The Difference Between Knowledge and Wisdom

If you haven’t heard about this, you need to. All Debian-based Linux systems, including Ubuntu, have a horrible problem in their crypto. This is so important that if you have a Debian-based system, stop reading this and go fix it, then come back to finish reading. In fact, unless you know you’re safe, I’d take […]


Quantum Debate

The debate about Shor’s Algorithm (which I blogged about a couple days ago) continues. Rod Van Meter has a good blog post about it here. While there are plenty of people who have just wholesale dismissed the Hill/Viamontes paper outright, apparently because they know Shor’s algorithm works and that building a working quantum computer is […]


Quantum Uncertainty

Technology Review has a pair of articles on D-Wave’s adiabatic quantum computer. Quantum pioneer Seth Lloyd writes in “Riding D-Wave” about quantum computing in general, adiabatic quantum computing, and D-Wave’s efforts to show that they’ve actually built a quantum computer. Linked to that is Scott Aaronson’s article, “Desultory D-Wave,” in which Lloyd’s nail-biting is made […]


Security Metric?

Ross Anderson has made PDF versions of several chapters of his Security Engineering (second edition) available on-line. The entire first edition has been available for some time. I am sure this second edition will be outstanding. I would rank the first edition as one of the top three technical books I’ve read. It would likely […]


Quantum Cryptography Broken and Fixed

Researchers at Linköping University in Sweden have found flaws in quantum cryptography. They also supply a fix. The announcement is here; a FAQ is here; full paper is at the IEEE here (but requires an IEEE membership). The announcement says: Jan-Åke Larsson, associate professor of applied mathematics at Linköping University, working with his student Jörgen […]


The FDIC's Cyber Fraud Report

The FDIC’s Division of Supervision and Consumer Protection didn’t release a report titled “Cyber Fraud and Financial Crime” on November 9, 2007. That release was left to Brian Krebs, a reporter with the Washington Post, in early March, who blogged about it in “Banks: Losses From Computer Intrusions Up in 2007” and “The FDIC Computer […]


More Hardware Security Shown to be Bunk

After showing that “encrypted” disk drives only encrypted the password you use, not the data, Heise-Online now shows that fingerprint-access is often bunk: Manufacturers of USB sticks and cards with fingerprint readers promise us that their data safes can only be opened with the right fingerprint. It turns out that an easy-to-find tool allows nosy […]


Economist Debates Security V Privacy

The Economist emails: Our second series of three debates kicks off today and the first proposition raises important questions about civil rights and the trade-off between Privacy vs. Security. As a blogger and member of the community that The Economist aims to serve with this lively debate, we wanted to extend an invitation to you […]


How To Fly With An Expired License

Yahoo news recently reported the story of Charleston, West Virginia Mayor Danny Jones who used a photo of himself in a magazine to prove his identity. In brief, he was flying out of John Wayne Airport and his driver’s license was expired so he wasn’t going to be allowed to get past security. The Charleston […]


A Cha-cha all the way to the bank

On the beaches of Mexico, they’re talking about Copacabana, a new cipher-cracker that works on DES and other ciphers with a 64-bit key. Yes, this has been done before, but this is interesting for a number of reasons. First is the price. About €9,000. Second, there’s the performance. A complete DES keyspace sweep in a […]


Stupid Safety Feature Of The Week

I love my Prius. It’s fun to drive, eco-friendly and even has lots of geek appeal. However it has one incredibly moronic safety feature which I was reminded of while driving through the snow the other day. Now I have the base model which means I don’t have fancy features like the automatic skid prevention. […]


Banksy Would Be Proud

In a feat that would make Banksy proud, members of Untergunther, who the Guardian calls “cultural guerrillas”, restored the antique clock at the Panthéon. They spent about a year, beginning in September of 2005, in a hidden workshop, dismantling and rebuilding the entire clockwork which had been abandoned in the 1960s. They were never discovered […]


How Government Can Improve Cyber-Security

In “How Can Government Improve Cyber-Security?” Ed Felten says: Wednesday was the kickoff meeting of the Commission on Cyber Security for the 44th Presidency, of which I am a member. The commission has thirty-four members and has four co-chairs: Congressmen Jim Langevin and Michael McCaul, Admiral Bobby Inman, and Scott Charney. It was organized by the […]


Security is never static

There’s a story in the Wall St Journal, “London’s Congestion Fee Begets Pinched Plates:” This city’s congestion pricing for drivers is heralded around the world for reducing traffic and pollution. It’s also causing an unintended effect: a sharp jump in thieves stealing or counterfeiting license plates. Thieves are pinching plates by the dozens every day […]


Ceremony Design and Analysis

Carl Ellison has been doing some really interesting work on what he calls Ceremonies: The concept of ceremony is introduced as an extension of the concept of network protocol, with human nodes alongside computer nodes and with communication links that include UI, human-to-human communication and transfers of physical objects that carry data. What is out-of-band […]


Bank Note of the Year

Who knew there’s an International Bank Note Society? Or that they have a prize for best bank note of the year? This year’s winner is the “1,000-franc note issued by the Banque Centrale des Comores, the central bank of the Comoros, an archipelago located between Madagascar and the east coast of southern Africa.” Don’t miss […]


Emergent Breasts Handled By Ohio’s Finest

Yesterday CNN reported that while Ohio State Representative Matthew Barrett was giving a presentation to a group of High School students, a photo of a naked woman appeared instead of the expected graphic. The State Highway Patrol seized the USB drive containing the presentation and in less than 24 hours determined that the image had been […]


Obligation to Secure

Chronicles of Dissent has a good article on this topic, “If you don’t secure your data, it’s not unauthorized access.” A court in Pennsylvania ruled that it’s not illegal to get information you really shouldn’t have if you got it from a search engine or the search engine’s caches. This is important because there have […]


86%: Would you buy an IDS this good?

A number of commenters on yesterday’s post, “Noh Entry: Halvar’s experience and American Legalisms” are taking me to task for being idealistic about rule of law. I agree strongly with what Nicko wrote in the comments: [C]ountries are at liberty to apply “complex, stupid, and complete arbitrary” rules but one of the fundamental tenets of […]


Camouflage as Security

This is a new twist on an old trick. SFGate reports in, “‘I didn’t eat and I didn’t sleep’ — Coin dealer flies dime worth $1.9 million to NYC” that coin dealer John Feigenbaum transported a $1.9M rare coin (an 1894-S dime) from its previous owner, Daniel Rosenthal, who lives in the Bay Area to […]


Canon Says Over 50% of Cameras Repaired in First Three Years

In the Times Online article, “Digital DNA could finger Harry Potter leaker,” we learn that the person who leaked photos of the last Harry Potter novel has yielded up the serial number of their camera, which was in the metadata of the pictures they took. From this, we learn that it was a Canon, likely […]


Should we stop faking phishing data?

In “Stop with the fake phish data,” Justin Mason quotes an anonymous friend complaining about people dumping crap into phishing sites: Is there any way you can get the word out that dropping a couple hundred fake logins on a phishing site is NOT appreciated?? It creates havoc for those monitoring the drop since it’s […]


A Small Breath of Sanity in Airline Regs

The New York Times reports, “U.S. Will Allow Most Types of Lighters on Planes”: Federal aviation authorities have decided to stop enforcing a two-year-old rule against taking cigarette lighters on airplanes, concluding that it was a waste of time to search for them before passengers boarded. The ban was imposed at the insistence of Congress […]


Wretched Term of the Week: Best Practice

This is a peeve I learned from the great Donn Parker. The term “Best Practice” should be avoided. It is inaccurate, misleading, and self-defeating. Here’s why: Best is a superlative. By using it, one implies that there is a single choice that surpasses all others. Rarely is this the case in real life. Security gurus are […]


More controls creates more risk?

Over at his excellent blog, Chandler Howell referenced an interesting risk analysis performed by a home inspector: “The power switch for the garbage disposal in the sink could be accidentally turned on by a person standing at the sink while their hand was in the disposal.” That is to say, the switch is right next […]


Security Tradeoffs

This is from Non Sequitur by Wiley. Since I’ve shrunk it to fit, the guard says to the other: Accept the security breach, or clean a litter box. Take your pick. Click the picture for the full-size one.


Quantum Cryptography Cracked!

Nature reports that, “Simulation proves it’s possible to eavesdrop on super-secure encrypted messages.” A summary of the attack is that the attacker instigates a quantum entanglement of properties of the photons so that they can infer the information (encoded in polarization) by measuring the entangled property (like momentum). It isn’t a real attack, but as […]


Announcing…The Security Development Lifecycle Blog

My team at work announced the launch of “The Security Development Lifecycle” blog today. After the intro post, Michael Howard leads off with “Lessons Learned from the Animated Cursor Security Bug.” I’m pretty excited. We’re focused on transparency around what we’re learning as we continue to develop the SDL.


Cleaning Up

If you haven’t read Steven Johnson’s The Ghost Map, you should. It’s perhaps the most important book in print today about the next decade of computer security. John Snow was a physician who was a pioneer in anaesthesia who turned his attention to cholera when the worst epidemic hit the London where he lived in […]


If I Screw Up, It’s Your Fault!

I can’t help but wonder how many bits have died to hold disclaimers like this one: This message is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure. If you are not the intended recipient you are […]


Jennifer Granick's awesome explanation

Imagine if, in the 1970s, the tobacco companies had patented devices to measure the health effects of smoking, then threatened lawsuits against anyone who researched their products. I’ve never heard such a clear explanation of why threats to security research are bad. From “Patently Bad Move Gags Critics,” in Wired. The same can be said […]


Rootkit on a Stick

The SnoopStick offers full realtime monitoring of another computer. It’s Vista-ready, too, which perhaps says something about Vista security, or perhaps about people who have had trouble working with Vista, or both. Any time you want to see what web sites your kids or employees are visiting, who they are chatting with, and what they […]


Information Leaks

I was on the last flight back west on a Friday night, glad that it looked likely I was going to get home. Even better, I’d been upgraded. I flopped into my seat, pulling out the noise-canceling headphones, laptop power adapter, books, and all that other stuff that makes a long flight an oasis of […]


Let’s Stop Cutesy Names for Attacks

Orwell said it best in “Politics and the English Language,” and if you haven’t read him recently, you should. Abuse of the language has adverse effects on thought, and it’s true in security as well as politics. He gives some wretched examples and says of them: Each of these passages has faults of its own, […]


Party like it's 1994

A 0-day in Solaris {10,11} telnetd is reported. SANS has some details. Anyone who remembers the AIX “rlogin -froot” vuln will appreciate this one. (h/t to KK on this one)


Must-Read Article: The Ecstasy of Influence

This is in Harpers, “The Ecstasy of Influence.” It is an interesting meditation on the nature of art itself and how art is composed of other art. However, not only must you read this, you must read it all the way through to understand it and why it is important.


Coviello: RSA 2010 Will be Last Conference

Okay, that’s not precisely what he said. What he said was that in “two to three years” there will be no more “standalone security solutions.” Meanwhile, the tradeshow floor of the RSA conference seems to be enjoying something of a renaissance, which is good to know, as the theme of the conference is, well, The […]


If You Blow Hard, You Can Find a Disclosure Debate

So there’s a video of how to “Unlock A Car With a Tennis Ball.” I advise turning the sound off; there’s no value to a bad pseudo-rock soundtrack, and no information in it (all the narration is in text in the video). There’s also precious little information in the video. It’s not clear what make or […]


DRM, digitally coded music, and information

Arthur wrote recently about an NYT article about dangers of the iPhone. The NYT has a bizarre policy about articles which makes them available for only a few days, so likely you’ll have to take my word about that article. I liked this article a lot because it mentions eMusic. I’m an eMusic customer and […]


Is this idea feasible?

With all the reports of lost backup tapes, I wonder if it would be technically feasible to keep an eye on them using RFID tags. If a tape “tries to leave” a facility without having been pre-authorized, bells go off. If a tape can’t be found, there’s a record of where it was last detected […]


Rely only on the secrecy of that which can be easily changed

The title is a statement of Kerckhoffs’ principle. A cryptographic system is only secure if the security of the system doesn’t depend on the whole system being secret. And there’s an interesting lesson there for Diebold. You see, Diebold sells ATMs and voting machines. And they posted pictures of the key that allegedly opens every […]


When a 0% Success Rate is Worthwhile

There’s an article in, about “Turkish Hacker Depletes 10,000 Bank Accounts ” A criminal enterprise comprised of 10 individuals who drained the accounts of 10,580 customers by sending virus-infected e-mails was busted in Istanbul. … The suspects reportedly sent virus-infected emails to 3,450,000 addresses, and subsequently drained 10,850 bank accounts. That’s a hit rate […]


New Year's Resolution Dept. — Protecting Against Identity Theft

It’s the MLK Day holiday weekend. That means that one’s headache has subsided to the point that one can no longer hear one’s nose hair growing, and the cat is padding rather than stomping. It also means that it’s time for New Year’s Resolutions! If yours is to get better control over your information privacy, […]


Joanna on Stealth Malware

Joanna Rutkowska of Blue Pill fame, gave a presentation at the recent Chaos Communication Congress on “Stealth malware – can good guys win?”. Unfortunately, I couldn’t make it to the presentation in person, but the powerpoint slides are a great read. I highly recommend it. Definitely food for thought. [Image is Hypervisorus Blue Pillus from […]


One passport, please…

hold the RFID. I just got my US passport renewed, and I was pleasantly surprised when it came back Old Skool — no RFID. I’m happy…until 2016 anyway.



How’d you like to be the person at British Airways who has to write the letter to 30,000 people explaining that they might have been exposed to a radioactive poison while traveling on BA flights? Remarkably, authorities will not confirm that the substance detected was Polonium, yet passengers on the flights are being asked to […]


Banksy Again

Or how museum security is like information security. Or as Sivacracy put it “Involuntary Art Acquisitions”. Call it what you will, but in all cases it highlights the fact that most security programs, be they physical or information focused, tend to be unidirectionally focused. In the case of museums, it is to ensure that nothing […]


Bag Matching and Lost Bags

Every now and then, it seems like TSA can do something right. I’ll let you know. In the meantime, the New York Times tells us that “Frustration Grows at Carousel as More Baggage Goes Astray:” The Transportation Department reported that 107,731 more fliers had their bags go missing in August than they did a year […]


Participatory Security

Cutaway, over at Security Ripcord, provides us with an alternate take on the fact that security needs to understand the business constraints and goals of the organization. He (She?) quite rightly points out that security is a part of the “Service and Support” Group. He has two essential points: I have been hearing a lot […]


Those Who Can’t Remember The Past…

Are condemned to be mocked for it. See what happens when Australia’s “The Chasers War On Everything” built their own Trojan Horse and hauled it around town.


Google Code Search

Back in July, I posted about online code searching and static analysis in “Meet The Bugles”. Google has now seriously upped the ante and released Google Code Search which I am constitutionally required to mention includes full regular expression support. Now I was going to post an analysis of the cool things that one could […]


Less than zero-day

[This was prepared the morning of October 1, but not posted because I expected more to come of the story rather quickly. It now appears that 1. is true.] OK, so at Toorcon a couple of guys — one of whom works at SixApart — reported on a Firefox 0day. These gents claim to have […]


One For The Money, Two For The Show, Three For The Ballot

Ping over at Usable Security has a great analysis of Rivest’s ThreeBallot voting system. The delightful thing about ThreeBallot is that it should be incredibly easy to implement on a small scale and not much harder on a large scale, and has built-in provisions to prevent voter error, counter fraud and vote buying. […]


U.S. versus E.U. Audits

Speaking of the differences between how security gets managed in the U.S. versus the E.U., CSO magazine has a light-hearted and somewhat irreverent article on the differing goals and priorities of audits on either side of the Atlantic. In spite of its tone, it does highlight some important issues to keep in mind. In particular: […]


When Security Systems Attack

A £40,000 teddy bear formerly owned by Elvis Presley was destroyed when a guard dog which was supposed to protect it went on the rampage. “Dog chews its way through Elvis’ £40,000 teddy.” Photo, “Elvis With Teddy Bear” is not the bear that was destroyed, but is a better picture. Thanks Nicko!


The Down Side of "Strong" Authentication

Brad Stone has a great article in Wired about his car being stolen and the insurance company insisting that he must be lying because he still had all of his fancy RFID enabled keys. This assumption that the security system is perfect is going to continue to bite consumers especially as banks move to two-factor […]


Yet Another Coding Standard?

Over at Matasano, Tom Ptacek skewers the new CERT Secure Programming Standard by asking: Do We Need an ISO Secure Coding Standard?. The entire article is well worth reading, but it sums up nicely with this: There are already a myriad of good sources of information about secure programming, including books targeted specifically to developers […]


Usable Security: SOUPS Blog posts

There are about twenty good posts talking about the Symposium on Usable Security and Privacy (SOUPS) over at Ka-Ping Yee’s Usable Security blog. If you’re reading this in the archives, start here and go forward, or here and go back. Some favorites: How will the scourge really be killed? (Panel) Decision Strategies and Susceptibility to […]


Meet the Bugles

Check out Bugle, a collection of google searches that look for known general classes of vulnerabilities in source code such as buffer overflows and format string issues. The list is far from complete and is no replacement for real static analysis but should get you a lot of low hanging fruit. [Via FIRST News.]


Actual Data Sharing!

Cruising through my blogroll this morning over the morning coffee, I came across an article from BeyondSecurity, which walks through a forensics analysis of an ongoing security incident. This is a good read and it’s great to see folks in the industry talking about what they actually do and how they do it. Thanks […]


gcc -Wall -WeReallyMeanIt

Following up on a problem I mentioned long ago (“Ranum on the Root of the Problem”): gcc’s -Wall doesn’t actually run all the analysis it could. Apple has a great page “Improving Your Software With Xcode and Static Analysis Techniques” (I believe that this is a mirror of that page, see section 5) that […]


A Few More Thoughts on Disclosure

Reading Arthur’s “What Me Data Share?” and Chris’ “CSI/FBI Survey considered harmful,” I realized that what they’re discussing may not be common knowledge. I also realized that my posts about how valuable disclosure laws are assumed that everyone knows what Chris and Arthur said, and that ain’t so. The lack of information sharing that plagues […]


CSI/FBI Survey considered harmful

The latest 2006 CSI-FBI Computer Crime and Security Survey has been released. Already, it is making waves, as it does each year. I want to simply state that there is no reason to give this survey any credence. The survey instrument is sent only to CSI members. This time, it was sent to 5,000 of […]


Skype reverse-engineered?

According to Charlie Paglee, Skype has been cracked, and a compatible client implemented. This promises to have wide ramifications, about which Charlie writes at length.


And Yet, It Transmits!

Ian Goldberg likes to state Kerckhoffs’ principle as “The security of a system shouldn’t rely on anything that’s hard to change.” So it is with deep amusement that I report on what’s probably one of the hardest to change systems out there. And I do mean out there: 23,222 km out there. Let me back […]


The SSN Is Also A Poor Identifier

There’s an idea floating around that a major problem with SSNs is their dual use as identifiers and authenticators. (For example, Jeremy Epstein, “Misunderstanding the risks of SSNs,” in RISKS-24.29) This is correct, but the phraseology leads to people trying to solve the problem by saying “if we just used SSNs as ID numbers, and […]


Threat Modeling The Library

In a long interesting article in Wired on “The RFID Hacking Underground,” I came across this quote: While it may be hard to imagine why someone other than a determined vandal would take the trouble to change library tags, there are other instances where the small hassle could be worth big bucks. The article went […]


The Iron Fist in a Cute Glove

The BBC reports on Sweet Dreams Security in “Safe, Secure, and Kitsch:” A German artist is trying to change the way people think about security, by replacing barbed wire with heart-shaped metal, and pointed railings with animal shapes. Thanks to N. for the pointer.


Consumer-Grade RFID Analysis

In “Why Some People Put These Credit Cards In the Microwave,” the Wall St. Journal incidentally captures everything you need to know: Makers of products using RFID say privacy and security safeguards are being built into the chips to prevent abuses. MasterCard International says multiple layers of security are available to prevent MasterCard data from […]


2nd Underhanded C Contest Begins

This year’s challenge: ridiculous performance degradation For this year’s challenge, imagine you are an application developer for an OS vendor. You must write portable C code that will inexplicably taaaaaake a looooooong tiiiiime when compiled and run on a competitor’s OS. The program is supposed to read a set of words on stdin, and print […]


Lapel Pin, Redux

Dear Arthur, In Re: your post, “Die Struck Lapel Pins From Collinson Enterprises.” They’ve some neat ones for sale too, if you’d like to be spotted as a Fed at Defcon.


Security Flaws and The Public Consciousness

In “Duped Bride Gets No Sympathy,” Kim Cameron writes about an Ebay scam. What’s interesting to me is some of the language that the scammer used to justify their requests: “Her attacker convinced her to use Western Union due to “a security breach at Paypal”.” (Kim Cameron, summarizing video)…. “Another red flag was the wire-transfer […]


Security & Orientation

When Larry Ellison said “We have the security problem solved,” a lot of jaws dropped. A lot of people disagree strongly with that claim. (Ed Moyle has some good articles: “Oracle’s Hubris: Punishment is Coming,” “Oracle to World: ‘Security Mission Accomplished…’“) That level of dripping sarcasm is fairly widespread amongst the security experts I talk […]


Security and Usability

Simson Garfinkel sent me a copy of “Security and Usability: Designing Secure Systems that People Can Use,” which he co-edited with Lorrie Faith Cranor. [Updated spelling of Lorrie’s name. Sorry!] I was really hesitant when I got it because I tend to hate collections of academic papers. They’re often hard to read, heavily redundant, and […]


Reflections on the Microsoft CSO Summit

Adam’s Private Thoughts on Blue Hat reminds me that I’ve been meaning to post about Microsoft’s recent CSO Summit. This was an invitation-only spin off of Microsoft’s Executive Circle, and was a mix of MS product presentations, round table discussions, and non-MS folks speaking on how they dealt with real world scenarios in their various […]


Mary Worth

Michael Howard over at Microsoft has a great post on why security analogies are usually wrong, that has a beautiful analogy of his own that aptly makes his point. Also, note that Ed Felten is currently teaching a class, InfoTech & Public Policy, at Princeton. Students are required to post weekly, and non-students are encouraged […]


40 Million Pounds Sterling Stolen from British Bank

As reported in The Australian, a group of co-ordinated criminals stole over 40 million pounds in cash from a processing center. They did so by the expedient process of dressing up as police officers and kidnapping the wife and child of one of the center’s managers. They then were escorted on site where they subdued […]


Branded Security

For quite some time, Ian Grigg has been calling for security branding for certificate authorities. When making a reservation for a Joie de Vivre hotel, I got the attached Javascript pop-up. (You reach it before providing a credit card number.) I am FORCED to ask, HOWEVER, what the average consumer is supposed to […]


Hasta La Vista Secure Flight

As mentioned on Freedom To Tinker and by Lauren Gelman, at the Center for Internet and Security, the TSA has mothballed its plans to deploy Secure Flight. Though the TSA will surely come up with something else, this is definitely a step in the right direction.


Mossberg's Mailbox

This week’s Mossberg’s Mailbox has a great point, that I can’t resist sharing: “However, I feel compelled to note that, if you allow your Internet usage to be totally ruled by security fears, you may miss out on a lot.” He then goes on to discuss some of the always on benefits such as automatic […]


Star Wars and Least Common Mechanism

Today, in Friday Star Wars Security blogging, we continue with Saltzer and Schroeder, and look at their principle of Least Common Mechanism: Least common mechanism: Minimize the amount of mechanism common to more than one user and depended on by all users [28]. Every shared mechanism (especially one involving shared variables) represents a potential information […]


Don't Tell People What Not To Do!

[Update: If I’d been able to find the page which Arthur provided in a comment, I wouldn’t have written this quite like this.] It’s rare to see a substantial usability mistake at Google, and so this jumped out at me. Saar Drimer has a post on the new “Gmail password strength check,” in which he […]


Small Bits on Security

“Security cameras certainly aren’t useless. I just don’t think they’re worth it.” So comments Bruce Schneier on the news that “Cameras Catch Dry Run of 7/7 London Terrorists.” Richard Beitjich comments on “Citadel Offers Product Security Warranty.” I think Richard nails it with his analysis that “There are probably enough loopholes through which one could […]


New Orleans is Not a Morality Play

Enter narrator I pray you all give your audience, And here this matter with reverence, By figure a moral play- The Flooding of New Orleans called it is, That of our lives and ending shows How transitory we be all day. Enter preacher, sturm and drang… It has nothing to do with Southern Decadence, despite […]


ID Card Program Stopped Over Security Concerns

So reports the LA Times (Bugmenot) in “Pot ID Card Program Shelved:” California health officials Friday suspended a pilot program that issues photo identification to medical marijuana users out of concern that a recent U.S. Supreme Court ruling could make the state and ID holders targets for federal prosecution.


SEC on Internal Controls

Pete Spire Lindstrom* points to a press release from the SEC on “Commission Statement on Implementation of Internal Control Reporting Requirements:” “Registered public accounting firms should recognize that there is a zone of reasonable conduct by companies that should be recognized as acceptable in the implementation of Section 404.” “A one-size fits all, bottom-up, check-the-box […]


Bluetooth vs Infrared

John Early has an interesting editorial over at Computer Weekly “Infrared meets speed and security needs:” Famously associated with applications such as personal digital assistant to laptop synchronisation, PDA business card exchange and short-haul mobile phone data transfer; IRDA, with its short range and relatively low 4mbps throughput, was understandably discounted by the IT community […]


I Could Kill You With These Nose Hair Clippers!

Like I said, I do like rules, rules that make sense. But this is a form of institutional insanity, and someone needs to do an intervention. When a soldier in full uniform, in the company of nothing but other soldiers, is allowed to retain the bayonet for his M-16 and his M-16, yet has to […]


Emergent Bits of Security

(Updated shortly after posting with Eric Rescorla’s evidence presentation.) Nick Owen has a post about Net Present Value and Annual Average Loss Expectancy. If you think security is all about vulns and 0day, you probably don’t need to read this post, and your boss is going to keep rejecting your spending proposals. Carrie Kirby argues […]


Small Bits: Airport Security, Tax Web Bugs

Stupid Security covers an AP story: Security at U.S. airports is no better under federal control than it was before the Sept. 11 attacks, a key House member says two government reports will conclude. None of us here [at Stupidsecurity] are surprised. The real fun begins with the second paragraph: “A lot of people will […]


Anti-Terror Funds Earning Interest

Over drinks, I like to enrage my computer security colleagues by suggesting that we’re spending too much on computer security. My evidence for this is that, despite all the attacks and break-ins and worms and what-have-you, no one’s going out of business. But the news in Saturday’s Washington Post, “Most Area Terrorism Funding Not Spent,” […]


Small Bits: Caller-ID, FBI Lies, Intel Reform, and GCC

Wired is carrying a Reuters story blaming VOIP systems for security flaws. The claim is that VOIP, by allowing everyone to set their caller id string, is causing security problems. This is false. These security problems have existed and have been exploited for a long time. For banks, or anyone else to rely on caller […]


Small Bits: Avoid Brink's, Code Metrics, Privacy Regs, Blackstone

Ed Foster writes about Brink’s contract provisions with contracts that don’t go month to month, but year to year when you try to leave. Brink’s is fully within their right to write such contracts, and I’m free to suggest that you should consider shopping elsewhere. (Via Dan Gillmor.) Mark Miller suggests a new code metric, […]


More on Watch Lists

To follow up to my post on Terror Suspects and Firearms, I’d like to take a moment to rail against the Kafka-esque implementation of “watch lists” in the United States. For the FBI, or other investigative or intelligence agencies, to have lists of “interesting people” makes perfect sense. You’ll always have people who you suspect […]


Terror Suspects and Firearms

The New York Times is running a somewhat alarmist article, Terror Suspects Buying Firearms, Report Finds. The report says that At least 44 times from February 2004 to June, people whom the F.B.I. regards as known or suspected members of terrorist groups sought permission to buy or carry a gun, the investigation found. In all […]


Small Bits: Art, Chopsticks, Security

Stefan Geens points to It Takes More Than Money to Buy a Hot Piece of Art. I Came to Japan Because of the Chopstick makes dinner plates fascinating. Thanks Rosa! Two shorts at AntiTerrorism & Security: The firm running airport security at SFO has been accused of cheating by a former manager. The lawsuit is […]


Small Bits of Chaos: Tempest Tents, Medical Records, Openness

One of the neat things about talking to different sorts of conferences is that you find neat stuff that you don’t otherwise see. At the Southeast Cybercrime Summit, I was supposed to talk about “Reducing Crime In Cyberspace, a Privacy Industry View.” (The talk I used to give for Zero-Knowledge.) Due to a small error […]


Gordon on Security

There’s a good interview with Larry Gordon at SecurityPipeline. It came out in April of last year, but I’d missed it. Gordon has hosted the Security and Economics workshop. “I go to security conferences where we all sit around puzzling about what kind of metrics to use for measuring the results of security programs,” says […]


The Real-ID Theft Act of 2005

The “Real ID” act is likely to get written into law, in two ways. First, it will pass the Senate, and be signed into law. Second, it will be one of the best examples of the law of unintended consequences in a long time. The bill would force states* to fingerprint people, and do various […]


Purpose of a System Is What it Does?

Over at POSIWID, Richard comments on airline security, with some economic analysis of bad security and why it stays around. (I think I don’t like his title, preferring ‘systems are maintained for what they do,’ which gives more credit to the emergent qualities of systems, but I digress.) He accurately assesses some positives of the […]


Small Bits of Irony: Secure Flight, Insecure Borders

Bruce Schneier talks about the Secure Flight being an improvement over the current watchlist system, but can’t give us details. The new system will rely on more information in the reservation. But if we don’t have that more information on the person on the watchlist, what will happen? E.g., if there’s no known birthday for […]


Small Bits of Chaos: Brazilian Democracy, Traffic Cameras, Locks, Hamas, and Curtains

Lessig discusses what democracy looks like in Brazil: I remember reading about Jefferson’s complaints about the early White House. Ordinary people would knock on the door, and demand to see the President. Often they did. The presumption of that democracy lives in a sense here. And you never quite see how far from that presumption […]


CCS Industry Track

I’m excited to be a part of the ACM’s 2005 Computer and Communication Security Conference, which has an Industry Track this year. We’re working to foster more interplay and collaboration between industry, the public sector, and academia: The track aims to foster tighter interplay between the demands of real-world security systems and the efforts of […]


Winning the Battles, Losing the War

A historian, Isaiah (Ike) Wilson III, Ph.D, gave a talk a few months ago at Cornell, entitled “Thinking Beyond War: Civil-Military Operational Planning in Northern Iraq.” His basic thesis seems to be that, in contrast to a carefully planned and executed war campaign, there were no definitive plans for what to do after the Iraqi […]


Banks issue 2 factor auth

There’s a story in today’s CNET about banks issuing authentication tokens (like SecurID cards) to customers to address customer authentication issues. While these are useful, insofar as they will make phishing harder, they won’t stop it. Phishing will transform into an online, at the moment crime, which will be easier to catch, but work by […]


Delta Blood bank

Delta Blood Bank sent a letter Friday to donors, warning them a computer that held their personal information had been stolen and advising them to take steps against identity theft and credit card fraud. … In addition to the letter…The blood bank will no longer require Social Security numbers from its donors… No longer require […]


TSA Backs Down

Starting today, the federal Transportation Security Administration is telling its screeners to keep their hands to the “chest perimeters” of women unless handheld metal detectors beep when waved over their breasts. I’ve mentioned outrage at TSA intrusiveness in the past. (From, via CSO Online.)


Ripping into ROI

Over at TaoSecurity, Richard Bejtlich writes: ‘ROI is no longer effective terminology to use in most security justifications,’ says Paul Proctor, VP of security and risk strategies for META Group… Executives, he says, interpret ROI as ‘quantifiable financial return following investment.’ Security professionals view it more like an insurance premium. The C-suite is also wary […]


Econ and Security papers

Ross Anderson has added three papers to his Economics and Security Resource page: Fetscherin and Vlietstra’s DRM and music: How do rights affect the download price? shows that the prices of music tracks sold online are mostly determined by the rights granted to the purchaser – including the right to burn, copy or export the […]


Signalling by Counting Low Hanging Fruit?

I’ve been thinking a lot about signaling software security quality. Recall that a good signal should be easy to send, and should be easier for a higher quality product. I’d like to consider how running a tool like RATS (link) might work as a signal. RATS, the Rough Auditing Tool for Security, is a static […]


Thoughts on Kerik's withdrawal

Kerik issued a statement saying: “In the course of completing documents required for Senate confirmation, I uncovered information that now leads me to question the immigration status of a person who had been in my employ as a housekeeper and nanny,” he said. “It has also been brought to my attention that for a period […]


Kerik Withdraws

The BBC is reporting that Kerik has withdrawn, citing personal reasons. The BBC also mentions controversy over his link to Taser, Inc, and a possible nannygate issue.


Google Groups, Privacy and Spam

Writing to Farber’s Interesting People list, Lauren Weinstein writes: Their new system is obscuring *all* e-mail addresses in *all* netnews messages in the archive (including the vast numbers of messages that do not originate within the Google environment and/or that predate the existence of Google Groups). This includes not only the addresses of individual netnews […]


Optimizing acceptable bugs?

In a recent comment, Pete Lindstrom asks: So do you think this can be modeled using a version of the El Farol’s Bar you post about in the future? Maybe we can optimize the number of acceptable bugs… How does/should the policies of Microsoft and Oracle affect this model? I’ve been thinking about this, and […]


What Sci/Tech books are worthwhile?

Ed Felten writes about a library survey in which few tech books, and none worthwhile, made the top-1000 list. He concludes: It’s the technology books that really disappoint. These books are useful, to be sure, and it’s not surprising that libraries have them. What’s really sad is that no book about the intellectual content or […]


Kerik for DHS?

The New York Times is reporting that Bernard Kerik, formerly of the NYPD, has been tapped for homeland security secretary. [Update: VikingZen has an alternate suggestion that shouldn’t be missed!] [Update 2: Declan has found a more relevant set of links than I did. Thanks to Secondary Screening.]


The metrics quest

There’s an interesting article on metrics over at CSO Online. The comments are great, too. Now if you’ll excuse me, I need to go ring a gong.


Training is not the answer

Florence Olsen writes in Federal Computer Week about security training: Last year, for example, officials at a federal financial institution tested employees’ adherence to the agency’s computer security policy against opening e-mail attachments from unknown sources. About half of the employees failed the test, Coe said. [Kathy Coe, regional director of educational services at Symantec] […]


Amateurs study cryptography; professionals study economics.

Ian has a fine post over at financial cryptography: The only thing I’m unsure of is whether it should be economics or risk. But as I roll it around my mind, I keep coming back to the conclusion that in the public’s mind, the popular definition of economics is closer to the image that we […]


Worms swamp security

Security experts take it as a truism that you can’t defend everything. So you have to make choices about what attacks to worry about, and which ones to ignore. A study released today claims that unprotected hosts are attacked once per second. (USA Today reports on the study, and is utterly swamped. So I […]


Lycos' attack spammers@home

I’d like to add one bit about Lycos’ new attack spammers screensaver. Ed Felten writes most of what needs to be said about it: This is a serious lapse of judgment by Lycos. For one thing, this kind of vigilante attack erodes the line between the good guys and the bad guys. Spammers are bad […]


Bad Security = Bad UI?

Allan Schiffman has sorted through the papers from the DIMACS Workshop on Usable Privacy and Security Software, and has summaries and recommendations in “Bad Security = Bad UI?.” [Update: Oh, the irony of a conference on usability naming all their files things like “blaze.pdf” or “garfinkel.ppt”– how about “blaze-usable-privsec.pdf,” so I can easily archive the […]



America’s Secret War, by George Friedman, is reviewed in the Australian: The Americans had established and then strengthened a military presence in countries surrounding Saudi Arabia – Yemen, Oman, Qatar, Bahrain and Kuwait. Invasion of Iraq would complete the encirclement. “From a purely military view,” Friedman adds, “Iraq is the most strategic single country in […]



The CBC reports on documents that the US tried to bury by releasing the day after Thanksgiving, admitting that “…Canada, Germany, the Netherlands and Britain share the suspicion that the international standard set for the electronic passports inadequately protects privacy and security.” These chips can be read from 30 feet away, today. That’s the opinion […]


A lemons market for … anti-spyware

Anti-spyware software has many of the issues that other privacy software has had.* It’s hard to understand the technical means by which privacy is invaded. It’s hard to see that you have (some) spyware. And it’s hard to evaluate what anti-spyware software works, and what doesn’t. Well, it was. Eric Howes has started testing anti-spyware, […]


Travel Plans: Shmoocon

Crispin Cowan and I will be running a BOF at Shmoocon, on Evidence Based Security. Shmoocon is in DC, Feb 4-6 of next year.


No fly list

A man with an expired passport got onto Air France flight 26 on Saturday, November 19th: Flight 026 from Paris to Washington Dulles International Airport was diverted to Bangor, Maine, after U.S. officials discovered that the man was listed on the government’s no-fly list. The man’s name also was on the State Department’s terrorist watch […]


Security and diplomacy

…Mr. Bush had to wade into a group of security agents to pull his lead Secret Service agent out of a shoving match with the Chilean police. The tape showing the president assuring the Chileans that his agent could come with him played over and over on television screens in the region this weekend. By […]


Cost, Value of government

After the election, I asked “What’s a Free Election worth?” John Robb over at Global Guerrillas has a partial answer, which is what the 2nd intifada has cost both sides over 4 years: 10% of Israel’s GDP (roughly 2.5% of GDP per year), and a stunning 300% of GDP over 4 years for the Palestinians. […]



There’s a 3 page article in the Washington Post on phishing, the use of fake email and web sites to capture usernames and passwords. The phishers often target financial institutions. Marcus Sachs, a former White House cyber-security adviser and current director of the SANS Internet Storm Center, said marketing departments at many banks do not […]


Deworming the Internet

The always engaging Doug Barnes has a new paper out, “Deworming the Internet“. The paper is more interesting because Doug is technically and legally savvy. (Always a dangerous combination.) The paper evaluates regulations, markets, government intervention, litigation, and finally, a set of suggestions for what is most likely to work. It’s perhaps the most comprehensive […]


Security & Outsourcing

[Inland Revenue] learned a lesson after one incident, during the previous EDS contract, when its security department found out about cost-saving plans to shut a data centre and move sensitive information to a shared site only after an internal memo was circulated. Computing has a good basic article on security issues in outsourcing of IT […]


TSA's identity obsession

US Homeland Security undersecretary Asa Hutchinson said the current practice of airlines giving the names of passengers to US officials 15 minutes after take-off did not make sense. … “If we have to have information 60 or 45 minutes before, you’ve got to close off the passengers that come in at the last second,” he […]


Glad to be a perfect straight man

In his response to my comments on vulnerability hunting, Pete Lindstrom discusses four ways to make things better: (1) legislate/enforce the law, (2) buy exploits now and then, (3) create software security data sheets, (4) more honeypots. I don’t think that (1) actually helps. More laws against finding vulns makes life harder for the good guys, by moving information […]


How not to find vulnerabilities (2)

Pete Lindstrom has argued that we need to end the bug-hunt: Once evaluated, neither reason provides a good foundation for continuing the practice of vulnerability seeking, but it gets much worse when we consider the consequences. There is a rarely mentioned upside to all this bugfinding, which is that researchers use the exploit code to […]


How not to report vulnerabilities

This week Finjan announced that it has told Microsoft of 3, or 10, or maybe 19 issues with SP2. Robert Lemos at CNET writes: “We don’t want to argue with Microsoft about these things,” he said. “We found the 19 vulnerabilities, and we showed that you could take remote control of a computer.” However, Microsoft’s […]


Kaspersky Labs switches to a new naming scheme

Kaspersky Labs makes some of the best anti-virus software out there, as analyzed by the Virus Test Center at the University of Hamburg. They recently announced a new naming scheme. I’ve been thinking a lot about naming schemes recently, and I think this one could be better. Let me take it apart, and explain why. […]


Selling Security

The poll of IT network and security administrators in SMEs to determine how they persuade management to change security practice found that almost half of respondents admit to advocating the fear factor. Many respondents indicated that they have to present worst case scenarios involving confidentiality breaches, lost customers or liability charges to justify investments in […]


"An abundance of caution"

Hundreds of passengers were evacuated briefly Thursday from the main terminal at Dulles International Airport outside Washington after airport screeners thought a suspicious image on an X-ray monitor might be a gun. Screeners spotted the image about 4:40 p.m. EST Thursday and the terminal reopened about an hour later. Passengers went through security checkpoints again, […]


More on 700 Arrests

Yesterday, I mentioned the 700 arrests [in the United States] in an attempt to deter terrorist activity. Also yesterday, several residents of The Hague violently objected when the police showed up to arrest them. This is a pattern in the arrest of Al Qaeda suspects: Some of them decide that shooting the police is the […]


DETER testbed

There’s a coalition of universities working on a security testbed, called DETER. It’s an excellent idea, and apparently, they’re up and running. I look forward to the output from the conference. I hope they’ll ensure that all papers are online and available to the public.


Rushed Security

Samablog, irked that Rush has stolen his joke, explains that you can get at all of Rush’s $7 a month content, just by turning off all the scripting stuff in your browser. He then goes on to say: “What it says that a celebrity of Limbaugh’s stature keeps his site so insecure, I don’t know.” […]


Easier to get forgiveness than permission

So when will the public be able to easily and cheaply adopt useful security technologies that cost next to nothing? Asks Nudecybot. And the answer is…NOW! Why wait? Generate some keys and use them!


"Better Than Nothing Security"

Eric Rescorla has a great post reporting from the IETF on the “Better Than Nothing Security BOF.” As I see it, this boils down to an understanding that paying for digital signatures is very expensive, while we’ve known for ten years that “keys are cheap.” (Thanks, Eric!) The SSH folks got this very right: You […]


Garbage In…

There’s a post over at BoingBoing, laughing at some poor software transcription of Jabberwocky. Hello? What do you expect? The poem is full of nonsense words. If my speech recognition program started putting brillig and slithy toves in my text, I’d be pissed off. So of course it gets this wrong. C’mon, folks, you want […]


700 arrests made to avert election terrorist attack

Jihad Watch points to an AP story: More than 700 people were arrested on immigration violations and thousands more subjected to FBI interviews in an intense government effort to avert a terrorist attack aimed at disrupting the election. As with past unrealized al Qaeda threats, law-enforcement officials said yesterday they don’t know for sure whether […]


Richard Clarke says get over 'cyberterror'

Overuse of the term ‘cyber-terrorism’ is confusing board directors and preventing much needed investment in IT security, says former White House security advisor Richard Clarke. Now if we could just get rid of the term “cyber,” we’d be all set to have a mature discussion. (From VNUnet, via InfoSecNews.)


Computer Security and The Human Factor

Nudecybot has a thoughtful post on Computer security and the human factor. He takes a discussion we had, and organizes it well. He talks about airline safety vs computer safety, and how an anonymous reporting system has helped in the airline case. I think there are two bits that he misses that make the airline safety […]


Corporate governance goals impossible

There’s a fascinating article in the Register about the impact of new rules: In some cases, the law has made IT managers legally responsible for adherence to corporate governance rules. Colao says that this may not necessarily be a good thing. “CIOs are now relying on convoluted processes rather than using sound business judgement based […]


Corporate governance goals impossible (II)

Further quoting from that same article in the Register about the impact of new rules: Business managers becoming fed up with FUD In a separate study, more than a third of the 30 delegates to the Axis Action Forum admitted that their Board had never asked for an update on security or implications of security […]


Al Qaeda's use of cryptography – scant evidence

Not too long ago, I gave a talk on privacy technology to the Atlanta chapter of the High Tech Crime Investigators Association. It was a talk that several of us at Zero-Knowledge had learned to give. The basic method for talking to police about privacy is to start from the need to reduce and prevent […]


Return Addresses

Canada Post has apparently told the world that they’ll only deliver mail with a return address. This is clearly silly, phone books are full of valid return addresses for your city. Over at StupidSecurity, nrh asks: Part of the reason I delayed was that I was trying to find out if this was even legal. […]


Obfuscated Voting Redux

No, not the elections, silly, the contest! And now the results are up, and it seems that Michal Zalewski is in the lead.


Microsoft pre-warning of patches

[Microsoft] will publish a general summary of planned security bulletin releases three business days before each regularly scheduled monthly bulletin release… The advance notifications will include the number of bulletins that might be released, the anticipated severity ratings, and the products that might be affected. This has been available to select customers for a while. […]


Morris Worm is Sweet 16

Sixteen years ago, the first worm spread across the Internet. It used password cracking, a buffer overflow in fingerd, and a flaw in sendmail to spread. At least today, sendmail seems more secure. Passwords and buffer overflows, check back in sixteen more.


Symposium on Usable Privacy and Security (CFP)

The Symposium on Usable Privacy and Security (SOUPS) will be held July 6-8, 2004 at Carnegie Mellon University in Pittsburgh, PA. This symposium will bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy. The program will feature refereed papers, tutorials, a poster session, panels and invited talks, and […]


Reliability and Security

However, Engler thinks the security explanation should be taken with a grain of salt. His research in the late 1990s aimed to improve the reliability of software. Security analysis was part of the story, he says, but “basically, we just didn’t want stuff to crash.” (writes Jon Udell in Infoworld.) But Crispin Cowan has a […]


Ian Grigg on SSL

Ian Grigg has a great page on the SSL industry (really the “certification authority” industry.) Worth reading. The topic reminds me of an essay, I think from Nick Szabo, on the use of language and terminology within the security industry to distort thinking. (The bit I remember discussed the use of “certification authorities,” self-declared.) I’m […]


Online Extortion

There’s a long article by Joseph Menn in the LATimes about online extortion via DDOS attacks, and how much money it brings in. (Use Bugmenot for a login.) The threat involved massive denial of service attacks on a gambling site, using thousands of “zombie” computers sending data to the site. It’s not clear how clever […]


Bejtlich on Intrusion Data

Richard Bejtlich posts on “Will Compromises at Universities Aid Security Research?”: Several recent events may give security researchers the data they need. For example, UC Berkeley suffered an intrusion on 1 Aug 04 which jeopardized a database containing names, addresses, telephone and Social Security numbers collected by the California Department of Social Services (CDSS). According […]


Common Criteria

Statistics gleaned from the labs’ Common Criteria work indicate that the testing is improving security, said Jean Schaffer, director of NIAP. Schaffer spoke during a session at a Federal Information Assurance Conference held this week at the University of Maryland. So far, 100 percent of the products evaluated have been approved, she said. The testing […]


DHS Inspector Report

According to a new report from the Department of Homeland Security’s inspector general, airport screeners still Need Improvement. That will not come as a surprise to anyone who travels, but some of the details, as reported by A.P., are still disturbing: -Screeners aren’t tested on when they should pat down passengers and what the passengers’ […]


Piscitello on Bugtraq

My frustration level with bug-traq increases in direct proportion to the frequency at which wannabes report vulnerabilities on software that has limited consumption and little business on a business network. I finally contacted some of the wannabes. I probed each for more specifics than the original bug disclosure: I think that Dave has a valid […]


Sixth Circuit Reverses Lexmark

One of the worst bits of law to come out of the Clinton years was the “Digital Millennium Copyright Act” (DMCA). The law made it a crime to break any copy protection scheme, even if the data it was protecting was subject to some form of fair use. The law had lots of nasty chilling […]


Some explosives links

But the real issue is that the explosives can be used against civilians and soldiers in Iraq and around the world. Consider that only five grams of RDX, for example, is enough to kill a person when used in an anti-personnel land mine. When 1,000 pounds of explosives were set off by a suicide bomber […]


Mistakes, Incompetence, and Coverup Beyond Fevered Imaginings

Michael Froomkin has a long post on the 350 tons of stolen high explosives, which I’m excerpting at length: If all that matters is our safety and security, then today’s news makes it clear beyond peradventure that the Bush administration is horribly dangerous to our national security. Josh Marshall’s blog today runs an extensive quote […]


The Security/Security Tradeoff

People trying to infringe our privacy often claim that they’re making a tradeoff between security and privacy. Sometimes they’re even right. But I think today, we’re trading security for “security,” giving up real protection for an illusion. For example, the TSA is spending lots of money to build and connect databases all about travelers. For […]


TSA Wastes More of Your Money

WASHINGTON — The Transportation Security Administration was lax in overseeing a $1.2 billion contract to install and maintain explosives-detection machines at U.S. airports, resulting in excess profit of about $49 million for Boeing Co., a Department of Homeland Security review found. (From a Wall St Journal article, October 19th. Sorry, subscriber-only link.)


Nielsen on Security

Jacob Nielsen has a very good analysis of security, followed by a not-so-great set of suggestions. He is spot on in saying that 1) it doesn’t work, 2) it puts the burden in the wrong place, and 3) this has nasty side effects. (I’d reverse 1 & 2, as the economics predict #1, but that’s […]


Mac "Virus"

There’s an alarmist headline at MacSlash about a new Mac virus. It’s been picked up in a bunch of places. The commenters correctly identify it as a rootkit, not a virus. A rootkit is a program you install, after breaking in, to hide your tracks. It’s not even a sophisticated rootkit. It’s stunningly primitive. Reading […]


Organization in the way: how decentralization hobbles …

Another interesting article from Peter Merholz closes with: Until now, user experience efforts have been focused on building teams that practice user-centered design (UCD). However, researchers at User Interface Engineering recently discovered that the size of an organization’s UCD practice is somewhat inversely proportional to the site’s usability. You read that right: Companies that invest […]


2-Fingerprint Border ID System Called Inadequate

Rep. Jim Turner (D-Tex.) wrote that a study by researchers at Stanford University concluded the two-finger system “is no more than 53 percent effective in matching fingerprints with poor image quality against the government’s biometric terrorist watch-list.” Turner said the system falls far short of keeping the country secure. It’s not clear to me why […]


Security Signaling

Signaling is a term from the study of lemons markets. A lemons market is a market, such as in used cars, where one party (the seller) knows more than the buyer. There are good cars (peaches) and bad ones (lemons). The buyer is willing to pay a fair price, but can’t distinguish between the cars. […]


The Tree of Life, COI-ly

The September 30th issue of the Economist points to an article in PLoS Biology by Hebert, et al, discussing a new technique for identifying species. The technique relies on the mitochondrial gene for cytochrome c oxidase I (COI), a 648 base pair gene. [1] This technique helps settle the question of “Is Astraptes fulgerator […]


"What your CEO thinks about security"

Larry Ponemon writes: Unfortunately, CEOs have persisted in focusing on four basic questions that too often stump the most savvy IT professionals: What is the security return on investment? What is the probability of a catastrophic security failure? What is the cost of self-insuring against security risks? What are the tangible benefits of being an […]


Must … extend … grasp!

Each aircraft operation … with a MTOW of more than 12,500 pounds, must conduct a search of the aircraft before departure and screen passengers, crew members and other persons, and all accessible property before boarding in accordance with security standards and procedures approved by TSA. … [Separately, charter aircraft run as clubs…] These clubs transport […]


Thoughts on SB 1386

Looking for a link to SB 1386, I noticed that of the first 10 Google hits, 2 are legislative, 2 are law firms, 3 are information security portals, and 3 are for security companies. Three of the security companies, (Verisign, Threatfocus and Watchfire) are simply adding “SB 1386” to existing products, and claiming to provide […]


$103 Million

To date, the government has wasted over $100 million in a flawed effort to improve airport security by identifying passengers and, well, doing something to the naughty ones. Meanwhile, the reality is that airport screeners continue to miss items like knives, guns and bombs. Meanwhile, there’s lots of good work in computer vision systems, which […]


Security and Economics

Household Finance, a unit of HSBC, has sent me a $5,000 check out of the blue. Big verbiage on the front indicates that “Signing this check will result in a loan…” at 23%, which over 5 years comes to an estimated $3,500 in finance charges. Most attractive. Now, ignoring Household’s record of fraud, and ignoring […]


Why Profiling Won't Work

WVLT VOLUNTEER TV Knoxville, TN reports: “Accused Domestic Terrorist Arrested In Knox County.” According to the criminal complaint, the FBI says that Ivan Braden was planning to enter this Armory Friday, armed with guns and bombs. … The feds say the former 278th soldier planned to take people hostage at the Lenoir City Armory and […]


RFID passport data won’t be encrypted

Ed Hasbrouck, who in a more perfect world would be paid to be the TSA’s chief privacy officer, writes RFID passport data won’t be encrypted: So an identity thief, using only the data secretly and remotely obtainable from your passport, will be able — without ever having actually seen you or your passport — to […]


Department of Justice to Focus On Key Problems!

Attorney General John Ashcroft has announced a major new effort to crack down on intellectual property theft, by which he apparently means illegally-copied DVDs, CDs, and software. (I refuse to use the term piracy to refer to illegal copying. Piracy is the violent boarding and theft of property on ships, and is a major problem […]


"A Sign Of The Times?"

A woman said she drove home to San Diego from Denver rather than submit to what she viewed as an intrusive search by airport security screeners. Ava Kingsford, 36, of San Diego said she was flagged down for a pat-down search at Denver International Airport last month as she prepared to board a flight home […]


Federal Anti-terror Money Well Spent

Ok, you know I’m being sarcastic with the title. The New York Times titles its article “Security Grants Still Streaming To Rural States.” And the message is politics remains more important than ensuring that those cities likely to be hit next are well prepared. The article goes on to cite politics as usual as the […]


Bush, Socrates, and Information Security

“Wherein links between a number of disparate ideas are put forth for the amusement of our readers” Orcinus talks about one of Bush’s answers to a question in last night’s debate.* (I thought Bush did surprisingly well, but think that Kerry still came out slightly ahead. Both, depressingly, still want to spend my money on […]


Want to Save American Lives?

Do you want to save American lives? Stop senseless deaths? Here’s some ideas: Require real driver training, and enforce traffic laws. Ration the sale of alcohol to prevent the nasty diseases over-indulgence causes. Ban tobacco. Ban firearms. Require calisthenics in the morning, by neighborhood, and in the afternoon, at work. Ban the use of corn […]


Apple Security UI

I just got a fascinating email. No, not really. It was a simple little email, from someone who’s being very helpful on a project that I’ll speak of in excruciating detail later. What was fascinating about it was that it was PKCS 7 signed, and Apple’s told me so. It told me so with […]


How Banning Wireless Reduces Security

IDC’s research director, Lars Vestergaard, said their research found interest by businesses in WLAN usage was widespread, but not many of them were particularly interested. “Unfortunately IT managers are being uncertain about using this technology, but they use a lot of bad excuses,” he said. “This is because they often fear a lack of security […]

As anyone who takes advice from the Vice President now knows, he didn’t really mean to tell you to go to, but, whose article still doesn’t fully support his point. This little glitch led the owners of, a small site that lists sellers of dictionaries and encyclopedias, to suffer a massive denial […]


Calls for Papers

There’s a set of interesting conferences looking for papers: Privacy Enhancing Technologies, Economics of Information Security, and Codecon. [update: closed html list tag]


Ranum on the root of the problem

Marcus Ranum writes a good article for ACM Queue, in which he points out that better tools to improve languages can help. I take issue with his claim that better languages can’t help. Java, because of its string representation, is harder to mess up with than C. It’s not perfect, and no useful language can […]


Economics of Information Security

Jean Camp and Stephen Lewis have done a great job of bringing together papers on Economics of Information Security in a new volume from Kluwer Academic press. (It’s even better because it has my first book chapter, which is What Price Privacy, joint work with Paul Syverson. We’ll put it online as soon as the […]


How about "Align with the business?"

I normally have a lot of respect for CIO Magazine. Their journalists cover the topics that matter to CIOs, they remain focused on how to make the technology support the business, etc. That’s why I was surprised to see this CIO’s Guide To Safe Computing, which starts: Ellyn believes that companies should strive for a […]


0wned in 60 seconds

0:56 – A student system in Founders scanned victim on TCP port 445 (file sharing). Victim responded. Student system immediately closed connection and opened a new connection on victim port 445. Following LAN Manager protocol negotiation and MS/DCE RPC Bind, student system attacked victim with buffer overflow to exploit Microsoft LSASS vulnerability. Less than 60 […]


"What's The Cybersecurity Czar's Job?"

“But while we consider whether the position should be upgraded, we should also ask what the cybersecurity czar should be doing in the first place,” says Ed Felten, and he’s right. He suggests two main jobs: Securing the fed’s infrastructures (and in doing so, pulling for more secure product), and imposing liability rules. Ed correctly […]


Cool Mac Utility

That said: my home directory is now encrypted which should make any further hardware maintenance a doddle (no more erase/flood before mailing) and I’ve blown-away the old UFS partition which although useful was tying up a few too many Gb. Alas the rebuild doesn’t seem to have fixed the lack-of-sleep-on-lid-closure problem. One more for Applecare. […]


More on Amit Yoran

The House will propose moving cybersecurity offices from the Department of Homeland Security to the White House as part of the intelligence reorganization, according to draft legislation obtained Wednesday by The Associated Press. The bill, expected to be introduced Thursday, would place cybersecurity into the White House budget office. … The new proposal would create […]


A Million Deaths Is A Statistic

Matt Cordes modified the Zombie simulators to give humans a chance to fight back. It’s fascinating, because with some small mods to the source, you get a much more interesting simulation. (Unfortunately, I don’t see Matt’s source anywhere, so I can’t say how long it might have taken.) The simulation makes viscerally clear how chains […]


That settles it

One of the best signs that things are going down the tubes is that officialdom tries to control information flow. I now know that things in Iraq are officially going to hell, because the security situation is bad enough that they’re trying to prevent people from learning about it. Kroll, a large physical and investigative […]


Amit Yoran resigns

Amit Yoran, a former software executive from Symantec Corp., informed the White House about his plans to quit as director of the National Cyber Security Division and made his resignation effective at the end of Thursday, effectively giving a single day’s notice of his intentions to leave. Yoran said Friday he “felt the timing was […]


Why Is Air Travel So Cheap?

The cost of a last-minute ticket doesn’t seem to be enough for airlines to break even. How much of this is due to a lingering fear of flying? How much of it is the extra cost to travelers, in inconvenience and hassle, of being bit players on the security stage? As long as a carrier […]



I’ve realized recently that I have no real idea of what’s happening in Iraq. On the one hand, we have bubbly optimists like Chrenkoff. On the other, people like Wall St Journal reporter Farnaz Fassihi, whose email is getting wide circulation. The Iraqi bloggers I read (generally) sound more optimistic than despairing, which is good. […]


"A Roadmap for Forgers"

Ed Felten has a great post over at Freedom To Tinker about Rather-Gate: In the recent hooha about CBS and the forged National Guard memos, one important issue has somehow been overlooked — the impact of the memo discussion on future forgery. There can be no doubt that all the talk about proportional typefaces, superscripts, […]


The Two 9/11 Commission Reports

I’ve just finished the 9/11 commission’s report. (Or use the Pdfhack version, a fine example of what can be done in the absence of copyrights.) One of the things that stands out for me is the stark contrast between the history and the recommendations. The history is excellent. The recommendations, less so. My largest critique […]


"You will eventually be caught"

I believe that if you are a low- to mid-skilled intruder physically located in the United States, you will eventually be caught. The days when hardly anyone cared about prosecuting digital crime are ending. The FBI has 13 Computer Hacking and Intellectual Property (CHIPS) units with plans to open more. The Computer Crime and Intellectual […]


Firefox Software Install UI

This changed recently — spyware ‘toolbars’ started to appear for Firefox as well. It was quite a surprise to see a dialog pop up when accessing an otherwise normal-looking (though advertising-heavy) page, using my Linux desktop, prompting me to install some ‘toolbar’ .xpi file! Firefox 1.0PR now includes code to deal with this. Here’s how […]


Iraqis Target Foreigners

Omar writes about A group of Iraqi citizens in Al Karkh/ Khidr Al Yas arrested 6 Syrian terrorists after placing a land mine at the gate of Bab Al Mu’a dam bridge from Al Karkh side. According to New Sabah newspaper, after a road side bomb exploded missing an American convoy that was patrolling in […]


AT&T Wireless time service

I have cell service with AT&T wireless. One feature of the service is network time updates. It fortunately includes a confirmation. It’s great when you land in a new city. It hasn’t been so great last night or today. Last night, at 23.20, I got an update telling me that the new time was 21.15. […]


Bin Laden Unit downsized?

The New York Times reports: The Central Intelligence Agency has fewer experienced case officers assigned to its headquarters unit dealing with Osama bin Laden than it did at the time of the attacks, despite repeated pleas from the unit’s leaders for reinforcements, a senior C.I.A. officer with extensive counterterrorism experience has told Congress. A senior […]


Mozilla Patches

The Mozilla folks have awarded their first bug bounty payments for 14 security issues. Time to upgrade!


Microsoft JPG Bug, Patch, Tool

Microsoft has released a critical advisory (or, less-technical version) regarding a problem with the way JPEG files are parsed. Microsoft has released patches for their applications, and also a tool to scan for vulnerable apps. I’m not sure what to think about the tool. On the one hand, good for them! Helping customers secure their […]


Apple Security Updates

Apple has released an updated Security Advisory, to fix two problems introduced in the previous rev. Not a big deal, unless you happened to be trying to deal with their ftpd. As we’ve pointed out (PDF) in the past, security updates are a race between attacks and defense, and there are trade-offs you can make. […]


Holy Lousy Security, Batman!

Britons seemed startled by the ease with which palace security was overrun by two men in super hero costumes carrying an extension ladder….Police used a crane to extract him from the ledge as his supporters chanted “free Batman” from behind a police cordon. From the New York Times story. Or, Google News has more. The […]


"Want more Secure Software?"

SecurityFocus points to a nice short article over at suggests that Gartner advises that for companies building their own software, developers should be pushed to put security at the head of their list. It’s not just in-house tech makers that need a word in their ears – the analysts suggest end users should give […]


Bluetooth and phone security

Some Singaporean students have figured out how to use Bluetooth to turn off the cameras in Nokia’s phones, according to an article in Gizmodo, via a long chain to a now deleted newspaper article. I wonder if they turn it back on when you leave the area? However, Loosewire, the earliest still working link, implies […]


Airline "security"

The Webflyer points to a great David Rowell column, including: An argument ensued. Ms O’Leary not unreasonably thought it unfair to be trapped on the delayed flight when there was another flight due to leave shortly that she could make if allowed to leave the United Express flight. The pilot called the police who arrested […]


Taxonomies are hard

Responding to my earlier comments about science being easier at a distance, both Nude Cybot and Justin Mason have offered up substantial and useful comments on the subjects of biological taxonomies. (Justin’s have moved to email.) “Classification in Biology, or phylogenetics, is fraught with issues that we typically do not face when creating our own […]


Airline Security

In Educated Guesswork, Eric Rescorla writes about one way tickets and the search criteria. The CAPPS program was created by Northwest airlines, who set the criteria for inclusion. They included one way tickets to enforce their bizarre pricing schemes. This is the same reason they started asking for ID: to cut down on the resale […]


Olympic Security

Bruce Schneier has written insightfully about Olympic security. They’ve spent $1.5 billion, and today’s marathon race was marred by some idiot leaping into the path of the front-runner, and dragging him into the crowd. It’s always tempting, and usually wrong, to say that any failure of security could be prevented. However, this Olympics has seen […]


In memory of Frank Sanache

Frank Sanache was one of eight Meskwaki code talkers. He served in North Africa, and was captured by the Germans. I’m fairly interested in the history of code talkers, and had missed the Army’s use of them. It turns out that there were code talkers in the First World War, that German civilians had travelled to […]



So Microsoft has released XP2 on a CD. I’m not currently running any Windows machines, but I figure hey, this is an important patch, and I should be able to foist it on people. So I go to Microsoft’s Order a CD site. I am curious to see what else the CD might contain. A […]


Time for DES to go?

In 1977, the government certified the Data Encryption Standard (DES), with a planned lifetime of 15 years. It has now been in use for nearly 30, and no longer offers even decent security. Over 6 years ago, the EFF built Deep Crack, a supercomputer for breaking DES, which cracked keys in under a day. NIST […]