"You will eventually be caught"

I believe that if you are a low- to mid-skilled intruder physically located in the United States, you will eventually be caught. The days when hardly anyone cared about prosecuting digital crime are ending. The FBI has 13 Computer Hacking and Intellectual Property (CHIPS) units with plans to open more. The Computer Crime and Intellectual Property Section (CCIPS) are available to US Attorneys across the country. The Secret Service operates 15 Electronic Crimes Task Forces. There are 5 Regional Computer Forensic Laboratories operating now with 8 planned to open in the coming years. The Internet Fraud Complaint Center (IFCC) is taking reports from victims of cyber crime and the National White Collar Crime Center supports law enforcement efforts. All of this adds up to a lot of federal, state, and local police working to bust bad guys.

(From Richard Bejtlich’s TaoSecurity.)

This feels wrong to me. Investigating computer crimes is still a very labor-intensive process.
(I’m experimenting to see how MarsEdit handles extended entries.)

Continue reading “"You will eventually be caught"”

Firefox Software Install UI

his changed recently — spyware ‘toolbars’ started to appear for Firefox as well. It was quite a surprise to see a dialog pop up when accessing an otherwise normal-looking (though advertising-heavy) page, using my Linux desktop, prompting me to install some ‘toolbar’ .xpi file!

Firefox 1.0PR now includes code to deal with this. Here’s how it works.

Justin Mason has a good bit on how Firefox reduces the chances that spyware will end up in your system. This is a nice start. I don’t know that it will work long term. When SSL came out, there were all sorts of sites with directions for working around the security and interoperability. Things like “Your browser will issue a warning. To use this site, click “please screw me.” Spyware sites will start to issue the same sort of message around installing new software to see their dancing bunnies.

Browsers have become big complex technologies. That’s not a slam at the browser folks–users want them to do more and more. As the browser replaces one set of buggy device drivers with another, it may need to start offering an internal security model that controls what APIs different plug-ins can use, etc. It may need to start controlling what modules can access what data, much like an operating system.

Airport Screening Still Fails Tests

Do current security plans depend on no guns getting onto the planes? I hope not.

Covert government tests last November showed that screeners were still missing some knives, guns and explosives carried through airport checkpoints, and the reasons involve equipment, training, procedures and management, according to a report by the inspector general of the Homeland Security Department.

From The New York Times. Use BugMeNot if you need a login.

In other “guns on planes” news, John Miller, the head of the LAPD’s counter-terror unit was detained Thursday after forgetting about a gun in his bag.

It’s interesting that Miller got where he is via a PR and reporting background. The obvious charge is security as theater. However, reporters often end up knowing a huge amount about their subjects, and so I don’t want to throw that charge without more research than I can do before dinner.

Verisign's Kid Credentials

So Verisign has teamed up with I-safe to issue “USB tokens” to children. The ZDnet story states that it “will allow children to encrypt e-mail, to access kid-safe sites and to purchase items that require a digital signature, said George Schu [A Verisign VP].” To me that sounds a lot like an X.509 certificate, which Verisign has been trying, and failing, to flog to consumers for years. (It may be this.)

What’s unclear is the privacy implications. If this is a X.509 cert on a USB token, then what this means is that children will not have privacy in these “kid only” spaces. They’ll be subject to monitoring under their real name. This damages one of the best features of the internet, which is the ability of kids to go online and explore different identities fearlessly. Read their chatroom rules of use: Cyberdating is dangerous!

At least they’re up front in their terms of service: You are being watched. Your name will follow you. Yeah, I wanna go play there.

What's In A Name?

“BRANSON, Mo. – A Branson man has put a face to the anonymous references people often make to “they” by changing his name to just that: “They.”

Not only is he making a statement about his name, but he’s messing with the entire English language,” friend Craig Erickson said.

How can you argue with messing with the entire English language?

(From AP via Languagehat.)

"Post-Totalitarian Stress Disorder"

This – the damage done to individual psyche – and not just to the physical infrastructure and institutions of the country, is what we have to always keep in mind when assessing the progress of reconstruction and democratisation in places like Iraq. If things aren’t moving ahead as fast as expected, if cooperation is lacking and trust hard to find, and if the population seems apathetic and disengaged, it’s just the fallen regime having its final chuckle from beyond the grave.

is a fascinating piece in Chrenkoff (via Iraq The Model.)

Acceptable ID

Virginia Postrel writes about flying without ID:

Coming home today from New York, I was a little more prepared. I still didn’t have “government-issued i.d.,” but at least I knew I was headed for trouble. I got to JFK several hours early. The young security guard wasn’t sure what to do with me and asked a more senior guard. The elder guard sternly insisted that I must have a photo.

“This is a little weird,” I said to the young guard, as I opened my bag and pulled out one of the extra paperbacks I’d snagged from my publisher. “I wrote this book, and here’s my photo in it.” He laughed and let me through. This time, they didn’t even search my bags.

Below, I wrote about discretion for screeners. This is a great example of that discretion being used in a harmless and entertaining way. Of course, since anyone can get a book published, this can’t last.

account.management@gmail.com

So when Google Mail started up, I managed to register “account.management@gmail.com.” I didn’t have any particular plan for this, I just figured that it was entertaining, and a good, harmless prank could be made of it. (I specifically emailed a friend who works for Google security about it, and mentioned it in person next time we saw each other.) Google has just closed the account.

The termination clause of their terms of use clearly allow this: “Google may at any time and for any reason terminate the Services, terminate this Agreement, or suspend or terminate your account.”

So, I’m not really complaining. I do wish I’d gotten a good prank from it.

I do hope they don’t terminate the accounts that were associated with it, because a bunch of family members are using their accounts more in line with the way Google wants you to. But this raises a real worry. The lack of consideration for your account, along with that clause, may allow them to shut you out of your email. I’m glad I’m not seriously using the service.

There’s a great business in selling gmail appliances for corporate email, I think. Google’s reconsideration of the use of email was well overdue, and I’d like to be able to use their work without such worries.