Shostack + Friends Blog Archive



WMF Vuln fix

Courtesy of IDA Pro developer Ilfak Guilfanov. Details are available via his web log, the existence of which I learned via the seemingly indefatigable Thomas Ptacek of Matasano.


Totally unforeseeable.

Herbicide-resistant genetically-modified crops cross-breeding with weeds? Shocking. Via Slashdot.


The New York City Police Riots

… The arrest of Mayor Wood was ordered. Captain Walling of the Metropolitan Police was sent to arrest the Mayor but was promptly thrown out on his ear. Wood occupied City Hall protected by 300 of his Municipals who resisted a force of 50 Metropolitans sent there to arrest him. Later that day 50 Metropolitan […]


Gartner to Visa, MasterCard: Play fair

Oft-quoted Gartner analyst Avivah Litan weighs in on the intriguingly gentle treatment of Sam’s Club by Visa and MasterCard: Recommendations […] * MasterCard and Visa: Show far greater transparency in enforcing PCI standards. There is still too much confusion about the standard and how to comply with it — confusion that is increased by seemingly […]


Fingerprint Readers and the Economics of Privacy

I used to feel bad advocating for privacy laws. I’m generally down on laws restricting private contracts, and privacy laws seemed to be an intellectual inconsistency. I’ve resolved that feeling because a great many privacy-invasive systems depend on either Social Security numbers or government-issued identity documents. It seems quite consistent to restrict […]


How To Train Users

[Update: I had accidentally linked an out of stock edition on Amazon. The new link has copies in stock.] Part of me thinks that training users is a cop-out. It’s a way for the technology industry to evade responsibility for the insecurity of their products, and blame customers for manufacturers’ failings. At the same time, […]


Mossberg's Mailbox

This week’s Mossberg’s Mailbox has a great point, that I can’t resist sharing: “However, I feel compelled to note that, if you allow your Internet usage to be totally ruled by security fears, you may miss out on a lot.” He then goes on to discuss some of the always on benefits such as automatic […]


Two on the Iraqi Army

A spokesman for the American military command that oversees training of the Iraqi forces also said that while he did not know the security forces’ ethnic mix, he believed that there were more Sunni troops than the election data suggested. From the New York Times, “Election Results Suggest Small Role For Sunnis in Security Forces.” […]


Marriott Vacation Club, 206,000 records, backup tape

Marriott International Inc.’s time-share division said yesterday that it is missing backup computer tapes containing credit card account information and the Social Security numbers of about 206,000 time-share owners and customers, as well as employees of the company. Officials at Marriott Vacation Club International said it is not clear whether the tapes, missing since mid-November, […]


London and Terror Threats

The BBC reports that the Mayor of London says “there had been 10 attempted attacks since 11 September 2001, two of which had come since the 7 July bombs.” (“Threat to London ‘disorganised’“) Where are the perpetrators? Are they free, because of insufficient evidence? Are they in jail? Were they killed by security forces? Claims […]


Those Boy Scouts…Always Building Nuclear Reactors

Now 17, David hit on the idea of building a model breeder reactor, a nuclear reactor that not only generates electricity, but also produces new fuel. His model would use the actual radioactive elements and produce real reactions. His blueprint was a schematic in one of his father’s textbooks. Ignoring safety, David mixed his radium […]


13 Meter Straw Goat Met His Match

I am deeply saddened to have missed this story until now: Vandals set light to a giant straw goat Saturday night in a central Swedish town, police said, an event that has happened so frequently it has almost become a Christmas tradition. It was the 22nd time that the goat had gone up in smoke […]


Relentless Navel Gazing, Part 6

I’ve made a bunch of changes to style and template stuff. Most noticeable should be that post titles are now links to the posts. There’s also a whole lot of consistency improvements for the Movable Type 3.2 software. The one remaining change is to bring full (extended) entries into the RSS feed. That MT 3.2 software […]


BancorpSouth, 6500 debit cards, unknown

In a report remarkable for what it doesn’t say, WLBT TV of Jackson, MS reports: A possible security breach has one bank giving customers new debit cards. BancorpSouth is sending out new cards to about 6500 customers. The vice president of the banks security department says account numbers were either lost or they were somehow […]


USA 0, UK 1

We get Mystery Science Theater 3000, they get Badly Dubbed Porn: Badly Dubbed Porn showcases vintage soft porn movies re-dubbed with a wickedly funny soundtrack by some of Britain’s most talented comedy actors. Via the lovely and very funny Ms. Kitka.


Holiday Charity

I’d like to draw your attention to two worthy causes: Tor, and the Creative Commons. Larry Lessig is looking to raise money to ensure that the Creative Commons maintains their non-profit status, and the fine folks who bring you the Tor Internet privacy tool are looking for donations so they can continue their important work.


Merry Chrisma EXEC!

(I got it from Mikko at F-Secure. If you don’t understand, click here.)


Florida workers claim outsourced HR system reveals PII, lacks audit trail

The Tallahassee Democrat reports on an interesting disclosure instance: whistleblowers revealing allegedly shoddy data security practices at their former employer. The twist is that those doing the talking are not the folks whose jobs were outsourced, but former employees of the outsourcing firm. From the article: In an affidavit taken for a lawsuit by five […]


US Department of Justice, several SSNs, Process Errors

The federal government is responsible for issuing Social Security numbers, but it may not be doing enough to protect these critically personal pieces of information on its own Web sites. Acting on a tip, InformationWeek was able to access Web pages that include the names and Social Security numbers of people involved in Justice Department-related […]


Apollo 8

From the good old days, when science was not a matter of press releases, perception management or “long held beliefs.” Click the picture for a larger version at Astronomy Picture of the Day.


Dodo bones

Scientists have discovered the “beautifully preserved” bones of about 20 dodos at a dig site in Mauritius. Little is known about the dodo, a famous flightless bird thought to have become extinct in the 17th century. No complete skeleton has ever been found in Mauritius, and the last full set of bones was destroyed in […]


Nuclear Surveillance

In search of a terrorist nuclear bomb, the federal government since 9/11 has run a far-reaching, top secret program to monitor radiation levels at over a hundred Muslim sites in the Washington, D.C., area, including mosques, homes, businesses, and warehouses, plus similar sites in at least five other cities, U.S. News has learned. In numerous […]


Friday Star Wars and Psychological Acceptability

This week’s Friday Star Wars Security Blogging closes the design principles series. (More on that in the first post of the series, “Economy of Mechanism.”) We close with the principle of psychological acceptability. We do so through the story that ties the six movies together: The fall and redemption of Anakin Skywalker. There are four […]


Shark Video

Watch this astounding video of a shark in the Seattle aquarium. I suggest turning down the volume, the only really useful thing you’ll learn is that the shark in question was about 3-4 feet long. Via TEDBlog


More on Snow's Assurance Paper

This is a followup to Gunnar Peterson’s comments on “Epstein, Snow and Flake: Three Views of Software Security.” His comments are in an update to the original post, “The Road to Assurance:” None of these views, by themselves are adequate. The combination of horizontal and vertical views is what yields the most accurate picture. Obviously, […]


It's Chaos Out There!

In “Play Break,” Hilzoy writes: Here’s what it’s about: as most parents know, little boys tend to be more interested in toys like trucks, and little girls in toys like dolls. (I was an exception: someone gave me a doll once, and I dissected it.) There is no obvious way to decide whether this is […]


Do Wiretap Revelations Help the Terrorists?

The question is a fair and natural one to ask, and I’d like to examine it in depth. I think my intuitive answer (“revelations about wiretaps don’t help the terrorists”) is wrong, and that there are surprising effects of revealing investigative measures. Further, those are effects I haven’t seen discussed. Allow me to explain the […]


Ford, 70,000 Employee SSNs, Stolen Computer

Ford Motor Co. informed about 70,000 active and former white-collar employees that a computer with company data, including social security numbers, was stolen from a Ford facility. From the WSJ, “Ford Computer Holding Staff Data Is Reported Stolen.” “Where Identity Theft is Job #1!”


Epstein, Snow and Flake: Three Views of Software Security

Among those who understand that software is, almost without exception, full of security holes, there are at least three major orientations. I’ve recently seen three articles, all of which I wanted to talk about, but before I do I should explain how I’m using the word orientation, and the connotations it carries. As used by […]


Update on ABN Amro (Lasalle Bank) tape

Lasalle Bank’s tape of mortgage-related information on 2 million customers has been found by DHL. (Thanks to Adam for the heads-up) No word on whether the tape was in a container which would show evidence of tampering, so this doesn’t foreclose (pardon the pun) the possibility of PII being stolen: […]the tape had been located […]


Even More on the $100 Laptop

I’ve discussed the $100 laptop in “Freedom To Tinker, Freedom to Learn,” and “More on ‘Freedom To Tinker, Freedom to Learn’.” In “Tech Delusions and The Trouble with Christmas,” Kerry Howley discusses many reasons why this is a bad idea: For now, OLPC plans to sell only to governments of poor countries, not individuals here […]


Emergent Properties of the Long Tail

Chris Anderson warms the cockles of our heart as he discusses the psychological acceptability of “The Probabilistic Age:” When professionals–editors, academics, journalists–are running the show, we at least know that it’s someone’s job to look out for such things as accuracy. But now we’re depending more and more on systems where nobody’s in charge; the […]


Software Usability Thoughts: Some Advice For Movable Type

I’d like to talk a bit about usability as it intersects with software design. I’m motivated by three things: Firstly, my own attempts to be comprehensible and understandable, not only in this blog, but also in software whose design I participate in. Years ago, Steve Karkula provided me the phrase “design from interface” while doing […]


I'll have to check with my manager

If you watch “The Simpsons”, you’ve probably seen “Puberty Boy“, the pimply-faced kid who appears in many episodes in a variety of menial jobs. Well, it looks like he may be working for the NSA: Q If FISA didn’t work, why didn’t you seek a new statute that allowed something like this legally? ATTORNEY GENERAL […]


Guidance Software, 4,000 CC+CCV, Hacker

Or, “I Wonder How They Figured It Out.” Online attackers breached the security of a server at digital forensics firm Guidance Software and stole the account information of nearly 4,000 customers, the company acknowledged on Monday according to news reports. From Rob Lemos, “Customer Data Stolen From Guidance Software.”


Legal Analysis of the Wiretaps

One of the really cool things about blogs is that very smart, knowledgeable people can offer up their opinions on topics of the moment. In this case, it’s Orin Kerr and Daniel Solove offering up extended legal analyses of the wiretaps. (Well, extended from the lay perspective, anyway.) Professor Kerr has posted “Legal Analysis of […]


Snarfer RSS Reader

Some friends have just launched Snarfer, a new Windows RSS reader, designed to be fast, efficient, and easy to use. Check it out! If you’re not familiar with RSS Really Simple Syndication, it’s a way to bring lots of content, like blogs, into one place. If I didn’t have NetNewsWire (a Mac client) I couldn’t […]


Reeves Namepins, Unknown # Cop Credit Cards, Hacker

Reeves Namepins, a company that manufactures the plastic and metal name tags that police officers around the country wear on their uniforms, had its customer database hacked recently, exposing credit card and other personal data for a number of police departments. So writes Brian Krebs in “Database Hack Exposes Police Financial Data.”


OSVDB Needs Programmers

The Open Source Vulnerability DataBase (OSVDB) is in need of additional programmers. If you’re not familiar with it because you’ve been hiding in a cave somewhere, OSVDB is a tremendous project that dramatically enhances the quality and availability of vulnerability information. Today, they posted a teaser, “OSVDB is Closing:” That said, OSVDB could substantially benefit […]


Torturing The Norms

Of a Financial Times online poll about torture, Alice Marshall asks “How did this even get to be part of the conversation?” Meanwhile, the BBC reports on the investigation of a Swiss Senator in “CIA abduction claims ‘credible:’” He went on: “Legal proceedings in progress in certain countries seemed to indicate that individuals had […]


"L'état c'est moi"

Via USA Today: Days after the Sept. 11 attacks, the head of the National Security Agency met his workforce at the nation’s eavesdropping and code-breaking headquarters at Fort Meade, Md., near Washington, for a pep talk. “I told them that free people always had to decide where to draw the line between their liberty and […]


America Needs a Full Time President

Ryan Singel has a post “Bush Wiretaps Supremely Illegal,” in which he discusses how this aspect of wiretaps are settled law. Perry Metzger’s excellent “A small editorial about recent events” is also worth reading: As you may all be aware, the New York Times has reported, and the administration has admitted, that President of the […]


Meth Addicts and ID Theft

There’s a great article in USA Today, “Meth addicts’ other habit: Online theft.” Unlike many articles of this type, the reporting is measured and carefully reported, and full of details that make it believable: One dumpster behind a call center in suburban Mill Woods proved to be a jackpot. In a nondescript strip mall just […]


Managing and the Red Cross

The other day on “On Point,” I heard some astoundingly clear exposition of executive management, in the words of Dr. Bernadine Healy, the former CEO of the Red Cross. The program, Examining The Red Cross was promoted as: When 9/11 came, the Red Cross was there — with mountains of Americans’ donations and support for […]


Bugger Frequent Flyer Miles

I want Frequent Flyer Hours. They’d work almost the same. You’d get 550 or so points per hour from gate to gate. So all that time, sitting on the runway, circling in a holding pattern, waiting for the previous plane to vacate your gate? All would be paid back in some small way to the […]


The shame of it all

[Adam updates: The reporter has recanted his story, “Federal agents’ visit was a hoax.”] Apparently, the Stasi are watching what we read. A senior at UMass Dartmouth was visited by federal agents two months ago, after he requested a copy of Mao Tse-Tung’s tome on Communism called “The Little Red Book.” Two history professors […]


Government Secrecy and Wiretaps

I’d like to respond to Dan Solove’s article “How Much Government Secrecy Is Really Necessary” with the perspective of a veteran of the 1990s crypto wars, in which we fought the NSA for the practical right to build and use encryption to protect sensitive data. A central tenet of the government’s position was that there […]


Lasalle Bank, 2 million mortgagees, SSNs, acct #s, "lost" tape

From Crain’s Chicago Business: LaSalle Bank Corp. says a computer tape bearing confidential information on about 2 million residential mortgage customers disappeared last month as it was being transported to a consumer credit company in Texas. The Chicago bank has alerted law enforcement authorities and is also monitoring transactions closely to detect any unusual or […]


Friday Star Wars: Open Design

This week and next are the two posts which inspired me to use Star Wars to illustrate Saltzer and Schroeder’s design principles. (More on that in the first post of the series, Star Wars: Economy Of Mechanism.) This week, we look at the principle of Open Design: Open design: The design should not be secret. […]


NSA Spying on Americans Without Warrants

“Bush Secretly Lifted Some Limits on Spying in U.S. After 9/11, Officials Say.” A 10 page story in the New York Times opens: Months after the Sept. 11 attacks, President Bush secretly authorized the National Security Agency to eavesdrop on Americans and others inside the United States to search for evidence of terrorist activity without […]


"What if Copyright law were strongly enforced…"

I can’t tell you how strongly tempted I am to just steal Daniel Solove’s “What If Copyright Law Were Strongly Enforced in the Blogosphere?” It’s a great article, and it would be deeply, deeply ironic for that article to be at the center of a lawsuit over copyright infringement.


No good deed goes unpunished

The folks at the Alabama Credit Union were informed that 500 of their customers were among those whose payment card information was stolen in the Sam’s Club breach. They took a conservative approach and reissued the cards for all 500 customers, and also informed them of the breach. As we’ve commented on previously, information concerning […]


White Wolf, Unknown number of Passwords, Hackers

The game company White Wolf is going offline because of internet attacks. This is a blending of several trends: Fuller disclosure of incidents, attackers who are only in it for the money, and the economic impact of attacks. Dear White Wolf Users, Like many other well-known companies of the last few years, White Wolf was […]


Conference News

Shmoocon has announced their 2006 speaker list. Today is the last day to submit to Codecon.


Insurance Claims and Privacy

One of the biggest issues I have with the gossip industry is how behavior that seems normal and expected is entered into databases and is used to judge us in unexpected ways. As the Tampa Tribune reports in “Insurers’ Road Service Could Prove Costly:” TAMPA – Andrea Davis can’t understand what two flat tires and […]

Via Bejtlich, I learned that SANS is now offering degree programs. I have not been able to determine whether they are an accredited institution of higher learning, however.


Firm breached in Scottrade incident to sell business unit

From the press release: SALT LAKE CITY, Dec. 13 /PRNewswire-FirstCall/ — silex technology america, Inc. and TROY Group, Inc. signed a definitive agreement effective today stating that silex technology america will acquire the Wireless & Connectivity Solution Business of TROY Group, Inc. […] “We are pleased to announce this transaction as we believe that the […]


Fake Fingerprints

Fingerprint scanning devices often use basic technology, such as an optical camera that take pictures of fingerprints which are then “read” by a computer. In order to assess how vulnerable the scanners are to spoofing, Schuckers and her research team made casts from live fingers using dental materials and used Play-Doh to create molds. They […]


Torturing People

Last week, Secretary of State Condoleezza Rice made a speech in which she made apparently definitive statements about our policies towards torture. See Jack Balkin, “Rice: ‘U.S. Personnel’ Don’t Engage in Cruel, Inhuman and Degrading Treatment ‘Wherever They Are.’” Then be sure to see Marty Lederman’s follow-up, “Condi Rice’s ‘No Torture’ Pledge: Don’t Believe the […]


"Aid to the Church in Need", 2000 donors to charity, "personal details"

Not sure if the personal details obtained by hackers include CC#s, but names and addresses are certainly involved in this breach at a UK charity. A couple of interesting twists to this one, as reported at First, the thieves weren’t content with just stealing the info — they used it to extort victims directly: […]


Web Certificate Economics

In a comment on “Build Irony In,” “Frank Hecker writes:” First, note that the “invalid certificate” message when connecting to using Safari is *not* because the certificate is from an unknown CA (or no CA at all); it’s because the certificate is issued to the server/domain (note the dash) and thus doesn’t match […]
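The distinction Hecker draws is between two independent checks a TLS client runs: path validation (is the issuing CA trusted?) and reference-identity matching (does a name in the certificate identify the host we asked for?). The browser dialog blurs them; the code below keeps them apart. It is an added example, not code from the post, from CERT, or from Hecker’s comment, and the hostnames in it are constructed placeholders rather than the site the post discusses. Name matching follows the RFC 6125 rules browsers apply: case-insensitive, label by label, with a wildcard permitted only as the whole leftmost label and never spanning more than one label.

```python
"""RFC 6125-style reference identity matching for TLS server certificates.

Added example; not code from the original post or from Frank Hecker's
comment. Hostnames used with it are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Iterable, List


def _labels(name: str) -> List[str]:
    # DNS names are case-insensitive; a trailing dot denotes the root and is dropped.
    return name.lower().rstrip(".").split(".")


def dns_name_matches(hostname: str, pattern: str) -> bool:
    """Return True if a certificate dNSName `pattern` identifies `hostname`.

    Rules applied (the conservative subset browsers use):
      * comparison is case-insensitive, label by label;
      * a wildcard is allowed only as the entire leftmost label ("*.example.test");
      * the wildcard never matches more than one label, so "*.example.test"
        does not cover "a.b.example.test";
      * "*" and "*.tld" are rejected, since they would cover a whole TLD.
    """
    host = _labels(hostname)
    pat = _labels(pattern)
    if "" in host or "" in pat:
        return False  # empty label: malformed input, never a match
    if "*" not in pattern:
        return host == pat
    # Wildcard form: exactly "*" as the first label, no other wildcards, at least 3 labels.
    if pat[0] != "*" or any("*" in lbl for lbl in pat[1:]) or len(pat) < 3:
        return False
    return len(host) == len(pat) and host[1:] == pat[1:]


def hostname_matches_any(hostname: str, dns_names: Iterable[str]) -> bool:
    """True if any subjectAltName dNSName entry identifies the host."""
    return any(dns_name_matches(hostname, p) for p in dns_names)


@dataclass(frozen=True)
class Verdict:
    trusted_issuer: bool
    name_matches: bool

    @property
    def reason(self) -> str:
        # Separate the two failures that a browser's "invalid certificate" dialog lumps together.
        if not self.trusted_issuer and not self.name_matches:
            return "untrusted issuer and hostname mismatch"
        if not self.trusted_issuer:
            return "untrusted issuer (unknown or self-signed CA)"
        if not self.name_matches:
            return "hostname mismatch (certificate issued to a different name)"
        return "ok"


def classify(hostname: str, cert_dns_names: Iterable[str], chain_trusted: bool) -> Verdict:
    """Combine the two independent checks a TLS client performs.

    `chain_trusted` stands in for the result of path validation against the
    client's trust store; in real code that value comes from the TLS library.
    """
    return Verdict(chain_trusted, hostname_matches_any(hostname, cert_dns_names))


if __name__ == "__main__":
    # Constructed case: a dash where the client expects a dot, with a trusted chain.
    print(classify("www.app.example.test", ["www-app.example.test"], chain_trusted=True).reason)
```

The point for a site operator is that the two failures have different fixes: a mismatch is cured by reissuing for the right name (or adding it to the SAN list), while an untrusted issuer is cured only by chaining to a CA the client already trusts.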


Tracking Graz (Austria)

Speaking of tracking and databases: Mobile Landscape Graz in Real Time harnesses the potential of mobile phones as an affordable, ready-made and ubiquitous medium that allows the city to be sensed and displayed in real-time as a complex, pulsating entity. Because it is possible to simultaneously ‘ping’ the cell phones of thousands of users – […]


Planespotters vs. the CIA

Ever-increasing requirements that every item be uniquely identifiable are combining with the power of the internet to invade everyone’s privacy. The Guardian (UK) has a story about how ‘planespotters’ are gathering data that allows the after-the-fact tracking of CIA torture planes. (“How planespotters turned into the scourge of the CIA.”) Paul last saw the Gulfstream […]


Passwords: Lessons for Japan Airlines from Harry Potter

This is weak authentication in all its glory. The password is shared by every member of a House. It is a static password, changed annually. Moreover, the fat lady’s password challenge never asks students for identity. I cannot recall any incident where a house ghost barred entrance to a student because he was a member […]


Star Wars and Separation of Privilege

As we continue the series, illustrating Saltzer and Schroeder’s classic paper, “The Protection of Information in Computer Systems,” we come to the principle of separation of privilege. Separation of privilege: Where feasible, a protection mechanism that requires two keys to unlock it is more robust and flexible than one that allows access to the presenter […]


Estimating breach size by fraud volume

Much is being made of a press release from ID Analytics. Based on results from that firm’s fraud detection products, a conservative estimate is that one of every 1000 pieces of PII lost in a data breach results in an actual fraud. An additional finding is that the likelihood of a fraud being committed using […]


Is the Database Half-Wrong, or Half-Right?

More than 8,000 people have been mistakenly tagged for immigration violations as a result of the Bush administration’s strategy of entering the names of thousands of immigrants in a national crime database meant to help apprehend terrorism suspects, according to a study released on Thursday. The study, conducted by the Migration Policy Institute, a research […]


0Day on Ebay

“Brand new Microsoft Excel Vulnerability:” The lot: One 0-day Microsoft Excel Vulnerability Up for sale is one (1) brand new vulnerability in the Microsoft Excel application. The vulnerability was discovered on December 6th 2005, all the details were submitted to Microsoft, and the reply was received indicating that they may start working on it. It […]


Elements of Blogging Style

I’ve often thought that I over-analyze some things. But as I enjoy blogging, I’ve come to realize that having standards about the little things helps me write faster and more effectively. More importantly, I hope, they allow you to skim here faster, and retain more of what you’re reading. Bloggers who want to be read […]


Deborah Davis Charges Dropped, Rally to Proceed

Ann Harrison reports: The government dropped all charges against Deborah Davis yesterday for failing to show her ID on a Denver public bus. Officials claim that passengers still have to show ID to transit through the Denver Federal Center, but said there were no clear signs to inform them of this requirement. Davis’ lawyers are […]


EPIC on RFID Passports

According to documents (pdf) obtained by EPIC under the Freedom of Information Act, a government report found significant problems with new hi-tech passports. Tests conducted last year revealed that “contactless” RFID passports impede the inspection process. At a meeting of a Privacy Advisory Committee today in Washington, EPIC urged (pdf) the Department of Homeland Security […]


Muffett on Passwords

In “OpenSolaris, Pluggable Crypt, and the SunMD5 Password Hash Algorithm,” Alec Muffett writes: Several years ago now, Darren Moffat, Casper Dik and I started swapping e-mail about how pathetic it was to still be using the traditional 8-character-password unix crypt() routine in Solaris, and how we could architect something to be much better. You’d have […]
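Two of the defects Muffett is reacting to in traditional crypt() are that only the first eight characters of the password count and that the work factor is fixed by the algorithm, so it can never be raised as hardware gets faster. The following is an added example showing the shape of a scheme without those defects; it is not the SunMD5 algorithm nor any Solaris code. It uses PBKDF2-HMAC-SHA256 from the Python standard library, stores the iteration count and salt alongside the hash so the cost can be raised later without changing the verifier, and compares in constant time. The `$pbkdf2-sha256$…` storage format is a convention local to this example, and `legacy_crypt_like` only models the 8-character truncation property, not the real DES-based crypt(3).

```python
"""Salted, cost-parameterised password hashing with the cost stored next to
the hash, so it can be raised later without changing the verification code.

Added example; not the SunMD5 algorithm or Solaris code. The storage format
below is a local convention for this example only.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

ALG = "pbkdf2-sha256"
DEFAULT_ITERATIONS = 200_000  # tunable work factor; raise it as hardware gets faster


def legacy_crypt_like(password: str) -> str:
    """Models the one property of traditional crypt() that matters here:
    only the first 8 characters of the password are used, and there is no
    cost knob. Constructed illustration; this is NOT the real crypt(3)."""
    return hashlib.sha256(password[:8].encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Derive a salted hash and encode algorithm, cost, salt and digest together."""
    if salt is None:
        salt = os.urandom(16)  # per-password random salt defeats precomputed tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"${ALG}${iterations}${salt.hex()}${dk.hex()}"


def parse(stored: str) -> Tuple[int, bytes, bytes]:
    """Split the stored string back into (iterations, salt, digest)."""
    _, alg, iters, salt_hex, dk_hex = stored.split("$")
    if alg != ALG:
        raise ValueError(f"unsupported hash algorithm: {alg}")
    return int(iters), bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    iterations, salt, expected = parse(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest does not leak which byte first differed
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, minimum_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a stored hash was produced with a cost below today's floor;
    the caller rehashes the plaintext on the next successful login."""
    iterations, _, _ = parse(stored)
    return iterations < minimum_iterations


if __name__ == "__main__":
    # Constructed passwords that share their first eight characters.
    a, b = "correct-horse-1", "correct-horse-2"
    print("legacy-style hashes collide:", legacy_crypt_like(a) == legacy_crypt_like(b))
    stored = hash_password(a)
    print("verify a:", verify_password(a, stored), " verify b:", verify_password(b, stored))
```

The `needs_rehash` check is what makes the stored cost useful: raising `DEFAULT_ITERATIONS` leaves old entries verifiable and upgrades each one the next time its owner logs in.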


Sam's Club, CC #'s and more?, they're not saying

American Banker (12/7/2005) reports [warning: paywall] on the tight-lipped reaction of Sam’s Club, MasterCard, and Visa to a recent data breach involving credit and debit card mag stripe data from Sam’s Club gas stations. The affected cards seem to have been primarily from two issuers, and hundreds of actual frauds have already occurred. Nobody is talking […]


A little knowledge is a dangerous thing

Bruce Schneier demonstrates the truth of the old saying in a must-read blog entry. In a nutshell, Nature published an article written by a physicist with little or no background in cryptography, claiming to have devised a mechanism for optically transmitting encrypted messages using a “chaotic carrier”. Bruce trains his skeptical and expert eye on the […]


Tens of Thousands Mistakenly on Watchlists

[Important update below] Nearly 30,000 airline passengers discovered in the past year that they were mistakenly placed on federal “terrorist” watch lists, a transportation security official said Tuesday. Jim Kennedy, director of the Transportation Security Administration’s redress office, revealed the errors at a quarterly meeting convened here by the U.S. Department of Homeland Security’s Data […]


Hey, Look, It's Matasano!

Tom Ptacek’s blog is full of smart people introducing themselves, and their new company, Matasano. They’re talking about the new mix, which is to be consultants while you build your startup and look for funding. I hope that Window, Dave, and Jeremy all get the blogging bug. Heck, I hope Dino does too, because with […]


Economics of Fake ID (Kremlin Edition)

Russian security agents have arrested a group of policemen and civilians suspected of forging Kremlin passes. The items seized included identity cards guaranteeing entry to President Vladimir Putin’s offices, the FSB security service said. … According to security officials, some of the items were being sold at a car market in the south of Moscow, […]


Fighting Terror: Police, not Armies

Democracies do not fare well with military dictators, nor when entrusted to overpowering and internally focused armies. Armies are trained, quite rightly, to kill and ask questions later. Police forces are trained to exercise discretion, sustain the rule of law, respect human rights, understand the freedoms we have embodied neatly in a Bill of Rights […]


Speaking of Ethical: Brad Feld on Philanthropy

I’d like to draw attention to venture capitalist Brad Feld’s post, “Doing Good By Doing Well:” I’ve strongly encouraged my portfolio companies to incorporate “philanthropic activities” into their businesses early in their life. I don’t advocate any particular focus – I simply encourage founders and leadership teams to think about what they can do to […]


Ethical Behavior

Chuck Tanowitz has an interesting post “Ethicist in the Boardroom?” in which he expounds on … a discussion with Phil Libin a while back he suggested that companies should have an ethicist on board. More specifically, he suggested an outside ethics consultant to help keep them on track. The post is worth reading in its […]


American Torture Chambers

After the Second World War, Germans claimed they didn’t know what was being done to Jews, Catholics, Gays, Gypsies and others by their government. We, as Americans, have no such excuse. We know what’s being done in our name, and have failed to stop it. The American government is torturing prisoners, and sending prisoners to […]


Like Taking Candy from a Database

Candice “Candy” Smith, 44, of Blue Springs, Mo., pleaded guilty to making unauthorized inquiries into data aggregator LexisNexis’s database of non-public information on millions of consumers, such as driver’s license information and credit-history data. Many people might assume that only cops can look up this type of information, but Smith was granted access to the […]


Build Irony In

Secure operation of a site is hard. Really, I’m not looking to pick on CERT. They’re doing some very good work, and Build Security In is important. At the same time, this message is only appearing because SSL certificates are focused on identity, and that identity needs to be “rooted” at a certificate authority. That […]


Guerrilla Identity Protection

Next time you call customer service to manage one of your accounts and they ask you for pseudo-private information like your SSN or Mother’s maiden name, ask them for their name. When they ask why (feel free to prompt since this probably isn’t completely out of the ordinary) let them know that you are keeping […]


More on What Not To Get Me, Or Anyone

Bob Sullivan has a good post, “Gift card fees still playing Scrooge:” How much is that $50 gift card really worth? Well, it’s hard to say. The art of irritating and sneaky fees has reached new heights in this 21st century version of gift certificates. There are sign-up fees, transaction fees, dormancy fees and outright […]


Disclosure Rules are Changing (Salem, MA Schools, 'several dozen psych profiles')

A school psychologist’s records detailing students’ confidential information and personal struggles were accidentally posted to the school system’s Web site and were publicly available for at least four months. … The psychological profiles, some dating back more than a decade, contained children’s full names, birthdays and, in many instances, IQ scores and grades, the newspaper […]


It's Christmas Time in New Orleans

It’s no ordinary holiday season in the Gulf Coast this year, so Frank Evans built an unconventional holiday display at a suburban New Orleans shopping mall to match. He thought the tiny blue-tarped roofs, little toppled fences and miniature piles of hurricane debris in the display he builds annually for the mall struck just the […]


Cornell, 900 SSNs, "breach"

Cornell employees this past summer discovered a security breach on a computer that contained personal information, such as names, addresses, social security numbers and bank names and account numbers. After conducting an analysis of the breach, Cornell Information Technology (CIT) did not find evidence that any information stored on the computer had been inappropriately accessed. […]


Nick Szabo Blogging

Nick is a premier thinker about history, law and economics, and the lessons they have for security. Take this brief sample from “Origins of the joint-stock corporation:” The modern joint-stock corporation has many sources in medieval Europe. First among these was corporate law itself. Although the era is commonly referred to as “feudalism,” for the […]


Star Wars and Least Common Mechanism

Today, in Friday Star Wars Security blogging, we continue with Saltzer and Schroeder, and look at their principle of Least Common Mechanism: Least common mechanism: Minimize the amount of mechanism common to more than one user and depended on by all users [28]. Every shared mechanism (especially one involving shared variables) represents a potential information […]


The Future of Scientific Research

There’s a fascinating set of articles in Nature this week on openness, sharing, and new publication models. From “Science in the web age: Joint efforts:” “Science is too hung up on the notion of ‘the paper’ as the exclusive means of scientific communication,” says Leigh Dodds, a web expert at the publisher Ingenta. Publication and […]


DMCA vs. Security Research

Last month, I commented on how the DMCA was preventing research on spyware: …the legal cloud that overhangs this sort of research. That legal cloud was intentionally put there by the copyright industry, in the form of the Digital Millennium Copyright Act. The law makes it hard to understand what research you can perform when […]


Costs of Breaches

The Ponemon Institute continues to analyze the cost of breaches. Their latest work is distributed by PGP, Inc. The work that they’re doing is quite challenging and useful, but is unlikely to be a complete accounting of the costs. For example, what’s the real cost of the brand damage done to Choicepoint? Along with several […]


Fake ID Markets

Social Security cards run about $20, green cards about $70 and a California driver’s license between $60 and $250. The price jumps up for higher-quality documents, such as IDs with magnetic strips containing real information — often from victims of identity theft. … “You name it, they can make it,” said Los Angeles Deputy City […]


More info, thoughts on Troy Group breach

In an interesting article, The St. Louis Post Dispatch reports new information about the recent breach of the “eCheck Secure” system run by Troy Group. According to the article, the number of potential Scottrade victims is 140,000. Troy Group published a news release revealing they got hacked, and notified their financial sector customers, including Scottrade, […]


EFF: Why Bother With DMCA comments?

The EFF has decided that the DMCA “rulemaking process is simply too broken” for them to bother commenting on it any further. See “DMCA Triennial Rulemaking: Failing Consumers Completely:” EFF has participated in each of the two prior rulemakings (in 2000 and 2003), each time asking the Copyright Office to create exemptions for perfectly lawful […]


Netgear WGPS606 and Mac Printing

I recently bought a Netgear WGPS606 ‘print server.’ It’s a nifty little device with a 4 port 100mbs ethernet switch, a wireless bridge, and an LPD print service. I needed each of those as part of reconfiguring my office space, and here it was in one little package. It turned out to be something of […]


NJ's Strong Privacy Law

Apparently, I woke up on the right side of the bed, and am just handing out kudos left and right today. Consumers will gain strong new protections when New Jersey’s Identity Theft Prevention Act takes effect Jan. 1, but businesses and institutions are facing headaches and added expenses. Social Security numbers will be out as […]


UNC Addresses Risk Systemically, Rather than Piecemeal

Students are currently recognized by their Social Security Number in many University systems and applications. With the growing threat of identity theft, an alternative method has been desired for identifying students and faculty. The opportunity to execute this change has surfaced through the implementation of an updated University [of North Carolina] computer system. Kudos to […]


TSA to Revise Rules

[Updated with data from NYT] A new plan by the Transportation Security Administration would allow airline passengers to bring scissors and other sharp objects in their carry-on bags because the items no longer pose the greatest threat to airline security, according to sources familiar with the plans. The TSA’s internal studies show that carry-on-item screeners […]


Centers for Disease Control Want To Track All Travel

In “CDC plans flight e-tracking,” Bob Brewin of Government Health IT writes: Battling a pandemic disease such as avian flu requires the ability to quickly track sick people and anyone they have contacted. In response, Centers for Disease Control and Prevention officials have proposed new federal regulations to electronically track more than 600 million U.S. […]


Web Browser Developers Work Together on Security

Adam’s post earlier today on efforts to improve browser security reminded me about this post on George Staikos hosted a meeting of developers from Opera, IE, Mozilla/Firefox and Konqueror with an aim towards improving browser security across the board. Of particular interest to me in light of my intro post, were these two lines: […]


More on Deborah Davis

The story of Deborah Davis is getting lots of attention. Rob sent me Refusal to present ID sparks test of rights, which includes: “I boarded the bus and spoke with the individual, Deborah N. Davis . . . asking why she was refusing,” wrote the first Federal Protective Service officer in an incident report posted […]


Meet The New Browser Security, Same as the Old Browser Security?

There’s a thread developing in several blogs about web browser security, and I think it is dangerously mis-framed, and may involve lots of effort going down some wrong paths. At the IE Blog, Franco writes about “Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers.” It’s a long, well-thought-out post, which […]


Effective Privacy Law Requires Penalties

Michael Geist has a column today “Canada’s Privacy Wake-Up Call” in which he follows up on the Macleans story about the Canadian Privacy Commissioner’s phone records being stolen. (See my “Epic Problems With Phone Privacy.”) Although major Canadian telecommunications providers such as Bell Canada sought to characterize themselves as “victims” of fraudulent activity and claim […]


Don't Tell People What Not To Do!

[Update: If I’d been able to find the page which Arthur provided in a comment, I wouldn’t have written this quite like this.] It’s rare to see a substantial usability mistake at Google, and so this jumped out at me. Saar Drimer has a post on the new “Gmail password strength check,” in which he […]


Hoder's Denial

Recently, Hossein Derakhshan blogged about his denial of entry into the United States. (“Goodbye to America.”) This is really too bad. Hoder’s an insightful fellow, and even if he happened to be one of the 15 or so million living in the United States without official permission, we profited from his visits. I believe that […]


Defensive driving

As most parents of young children would no doubt attest, when driving with “precious cargo” — lives you particularly want to protect — you typically take extra precautions. Special safety seats with five point harnesses, specialized mounting hardware, taking that bit of extra care that maybe you wouldn’t if driving alone. Well, that may all […]


On Torture

I sometimes feel that I have nothing to add to the “debate” around torture, other than the formerly-obvious “torture is ineffective and morally repugnant.” Nevertheless, I feel that keeping silent, or even allowing the debate to occur without adding my voice to the chorus of reason. So, some others’ posts this past week: In Jack […]


Scottrade, Millions of "E-secure" system users, SSNs, account numbers, etc, "hacker"

Info is spotty on this, but according to a WFMY TV News report, Millions of names, addresses, social security numbers, and bank account numbers could be in dangerous hands. Officials with Scottrade, an investment company with an office in Greensboro say a security breach compromised the information of some of its account holders. A letter […]


Books: "Innocent Code" and "19 Deadly Sins"

I’m going to review Innocent Code (IC) and The 19 Deadly Sins of Software Security (19DS) in the same review because I think they’re very similar in important ways. There have been probably close to a dozen books now on writing code with good security properties. Many of the early ones had to lay out […]


Make Mine Sony-Free

As the holiday and gift-shopping season arrives, I’d like to talk about what not to get me (or really, anyone on your list). A bad gift is really painful to receive. You have to put on a fake smile and pretend to be happy, and then go return the thing at the first opportunity. My […]


No Friday Star Wars Security Blogging Today

Blame Tom Ptacek for ignoring my heroic efforts. My being off with family this week has nothing to do with it. Friday Star Wars Security posts will return next week, with the principle of Least Common Mechanism.


Happy Thanksgiving!

As you enjoy your Turkey, recall that the Pilgrims who ended up in Plymouth were fleeing the Anglican church, England’s state religion. The English church, of course, split from the Roman church so that Henry VIII could get a divorce. The little people, however, were not allowed the chance to split their churches in quite […]


My Software is Mine.

People often become emotionally entangled with the software they use. It’s not a geek-only thing, although geeks often become more entangled with a broader range of the software they use. Normal people speak of “My Excel is screwed up,” or feel bad that their Sony CD has messed things up for them. One of the […]


Australian Minister Vanstone on Stupid Security

An Australian Senator has created a bit of a kerfuffle by saying what everyone has thought in private. Bruce Schneier comments: During her Adelaide speech, Senator Vanstone implied the use of plastic cutlery on planes to thwart terrorism was foolhardy. Implied? I’ll say it outright. It’s stupid. For all its faults, I’m always pleased when […]


Book: Who Becomes a Terrorist and Why

I found “Who Becomes a Terrorist and Why” in a used bookstore for $2.99, and it was worth every depressing penny and more. The book is a US government funded study from 1999. It’s not clear if this work would be possible today or not. Much of the body of the book is an […]


Aspirin and the Regulation of Medicine

As we discuss the effects of various laws designed to protect us from various and sundry, we often lose track of the real, tangible benefits of liberty that we’re giving up. They’re sometimes hard to see, in the same way the Internet was hard to see in the early 90s. It was here, but most […]


Deborah Davis and the Denver "Public" Transit System

On the 9th of December 2005, a Denver woman is scheduled to be arraigned in U.S. District Court. Her crime: refusing to show ID on a public bus. At stake is nothing less than the right of Americans to travel freely in their own country. The woman who is fighting the good fight is named […]


A great idea whose time has come

Ben Edelman explains how Sony can use a messaging mechanism already built into the XCP system to inform people who are not yet aware of the “Sony rootkit” they’ve unwittingly installed, and what they can do about it. This is so obviously the right thing to do that I can almost guarantee Sony will not […]


Book: Secure Architectures with OpenBSD

Jose Nazario gave me a copy of Secure Architectures with OpenBSD this summer. I’m way behind with book reviews, and I wanted to start with this one. I’m a fan of the OpenBSD project. Not only for their efforts around security, but also because they put a great deal of effort into the documentation. I’ve […]


More on "Freedom To Tinker, Freedom to Learn"

In “Freedom To Tinker, Freedom to Learn,” I made some assumptions about the user interface for the $100 laptop. In “Alan Kay at WSIS,” Ethan Zukerman explains that Alan Kay will be doing much of the user interface design work: Kay began by explaining that most people aren’t using computers to do the most important […]


Google buys Riya, Steamrollers Your Pictures' Anonymity

Riya is a Redwood City startup that makes facial recognition software. Rumor from Om Malik says Google is buying them. I believe that this purchase has some of the farthest reaching privacy implications we’ve yet seen from Google. Anonymity, in its most literal meaning of “without a name,” is the current state of many photographs […]


Boeing, 161,000 SSNs, Stolen laptop

A laptop computer containing names, social security numbers and other sensitive information of 161,000 current and former employees of Boeing Co. was stolen recently, the U.S. aerospace manufacturer said Friday. From “Boeing says laptop with employee info stolen.” A bit more in the Seattle Post-Intelligencer.


Indiana University, 5300 students, malware

According to an Associated Press article appearing in the Indianapolis Star, Personal information about nearly 5,300 Indiana University students might have been accessed by a computer hacker, school officials said. Technicians discovered during a routine scan that three malicious software programs had been installed on a Kelley School of Business instructor’s computer in mid-August, said […]


Star Wars and the Principle of Least Privilege

In this week’s Friday Star Wars Security Blogging, I’m continuing with the design principles from Saltzer and Schroeder’s classic paper. (More on that in this post.) This week, we look at the principle of least privilege: Least privilege: Every program and every user of the system should operate using the least set of privileges necessary […]


Wilcox Memorial Hospital (Kauai), 120,000 SSNs+ Medical Records, misplaced computer disk

Last month, Wilcox Memorial Hospital in Kauai had to inform 120,000 past and present patients that their private information had been misplaced. Their names, addresses, Social Security numbers, even medical record numbers had been placed on one of those tiny USB flash drives — and now, according to a letter sent home, the drive was […]


ex-MI5 Head: ID Cards are a Bogus National Security Measure

Dame Stella Rimington has said most documents could be forged and this would render ID cards “useless”. “But I don’t think that anybody in the intelligence services, particularly in my former service, would be pressing for ID cards. From the BBC, “Ex-MI5 chief sparks ID card row.” Normally, a “row” requires two sides, with arguments. […]



How did Sivacracy manage to rope in the sponsorship dollars? I really need to monetize some sticky eyeballs here. Meanwhile, click the image for more on Panexa.


The Importance of Due Process to Gary Gordon Smith, Abu Bakker and Adel ?

The United States is holding captive at Guantanamo Bay at least two men it knows are innocent of any wrongdoing. These men were cleared by the military courts, almost two years ago, and they are still in captivity. It makes me too angry to write about, so go read Requiem: In the comments to an […]


Sony's Rootkit and the DMCA

Bruce Schneier has a good article [on his blog and] in Wired this morning, “Real Story of the Rogue Rootkit.” One aspect of the whole Sony story that’s not getting a lot of play is why we don’t see more of these things. Is Sony unique in their callous disregard of their customers, or are […]


Industry to Customers: "You're Reckless and Apathetic"

It’s a long standing “joke” that only drug dealers and the computer industry call their customers “users.” But at least drug dealers pretend that your behavior is ok. Not so the Universities educating our next generation of programmers, such as Carnegie Mellon. Their student news source, the Tartan, reports in “Study shows students cause computer […]


Delicious, Feed Me! is a ‘social bookmark manager.’ It’s a way to bookmark things, and let you see that I’ve bookmarked, and perhaps commented on them. I’m using it more like a “clip blog,” with short commentary on many of the things dropped there. If you read it via the RSS feed, you get my commentary. But […]


Torture and the "Ticking Bomb" Argument

Alex Tabarrok has some interesting arguments as to why torture should be made illegal in “Torture, terrorism, and incentives.” I’d like to extend his argument: President Bush, Dick Cheney and others who support the use of torture by the United States and its agents usually rely on the ticking time bomb argument. Sometimes torture is […]


What I Want From A Log Analyzer

I’m becoming less and less satisfied with AWStats as a log analyzer. There are some things that it does reasonably well. But I’d really like a lot more. I’d like to be able to see how things have changed day to day (for example, how many new unique visitors did I get today?) I’d like […]


Choicepoint's Custom Products

I appreciate all the notes you’ve been sending me telling me about “FBI, Pentagon pay for access to trove of public records.” I’d love to have something insightful to add to this, but I don’t. Ryan Singel has a bit more: The article, which relies on heavily redacted documents acquired through an open government request, […]


Epic Problems With Phone Privacy

In the cover story of next week’s Maclean’s magazine, Jonathon Gatehouse reports that he successfully obtained the phone records of Canadian Privacy Commissioner Jennifer Stoddart: …Her eyes widen as she recognizes what has just been dropped on the conference table in her downtown Ottawa office — detailed lists of the phone calls made from her […]


Under The Weather

I’m feeling under the weather today, and so I’m sitting on the morning posts until I have a chance to re-read them. Expect posting to be heavy today, because I can’t do much real work, and have to entertain myself somehow. I’m hopeful that you’ll either be entertained as well, or forgive me for what […]


Unintended Consequences of Blackhat '05

(by arthur) I’m back from travels, so it’s time to post some more…. As Adam just posted, Jeff Moss sold Blackhat to CMP Media. Presumably, this sale is partially (largely?) a result of the various lawsuits that Blackhat was dealing with as fallout of “Cisco-gate”. Fortunately, these were recently settled in an equitable fashion, but […]


BlackHat Pwned!

MANHASSET, N.Y., Nov. 15 /PRNewswire/ — CMP Media, a marketing solutions company serving the technology, healthcare and entertainment markets, announced today that it has acquired Black Hat Inc., a producer of information security conferences and training that includes Black Hat Briefings and Conferences. Jeff Moss, founder and owner, will continue to run Black Hat and […]


568,200 DNS servers Know Sony

Dan Kaminsky has done some digging into the Sony rootkit: It now appears that at least 568,200 nameservers have witnessed DNS queries related to the rootkit. How many hosts does this correspond to? Only Sony (and First4Internet) knows…unsurprisingly, they are not particularly communicative. But at that scale, it doesn’t take much to make this a […]


Freedom To Tinker, Freedom to Learn

In “The $100 Laptop Moves Closer to Reality,” the Wall St Journal discusses a project to provide very inexpensive laptops to millions of poor children around the world. I think it’s a great idea, and wish them the best of luck. Delivering internet connectivity to millions of poor children will be a world-altering project. One […]


"To none will we sell, to none deny or delay, right or justice."

The United States senate voted today to deny habeas corpus to prisoners at Guantanamo. The United States Supreme Court had recently held that United States courts have jurisdiction to consider challenges to the legality of the detention of foreign nationals captured abroad in connection with hostilities and incarcerated at Guantanamo Bay. The vote today would […]



The sad passing of Peter Drucker, and Paul Kedrosky’s post on it brought something into sharp focus for me. It’s the value of working hard to make yourself understood, as opposed to making your audience work hard to understand you. One of my goals in blogging here is to learn to be understandable to the […]


NISCC Does It Their Way: Poorly

A post by Paul Wouters to the DailyDave list drew attention to “Vendor response of the Openswan project” to “NISCC Vulnerability Advisory 273756/NISCC/ISAKMP.” I feel like it’s 1997 again. The Oulu University Secure Programming Group (OUSPG) discovered a number of flaws with the ISAKMP/IKE portions of the IPSec protocols. OUSPG built a tool, and either […]


New, Useful, and Non-Obvious

My friend Sharon, who is an excellent patent attorney, showed me this, her favorite U.S. patent. You should hire her![1] She’s really good, even if she does a lot of work for an empire of questionable morals, but is not yet so evil as to have written anything like US Patent 4,646,382, “Lottery Ticket Scraper:” […]


Gordon Johnston vs. The NFL Who Cried Wolf

Gordon Johnston didn’t want to be frisked. So as the 60-year-old high school teacher approached the gates of Raymond James Stadium here for a Buccaneers football game last month, he lifted the team jersey he was wearing to show it wasn’t necessary. He was concealing no bombs. It didn’t work. So reports the Washington Post […]


Kill Bill's Browser (and Comments)

Some folks have put up a site, “Kill Bill’s Browser,” based on Google’s offer to pay up to $1 for each Firefox/Google Toolbar install. It offers up both good and entertaining reasons to switch: 7. It will make Bill Gates soooooooooo mad. Seriously– super, super mad. And even more than Bill, let’s think about Steve […]


MIT Researchers on Radio Shielding

Abstract: Among a fringe community of paranoids, aluminum helmets serve as the protective measure of choice against invasive radio signals. We investigate the efficacy of three aluminum helmet designs on a sample group of four individuals. Using a $250,000 network analyser, we find that although on average all helmets attenuate invasive radio frequencies in either […]


Friday Star Wars and the Principle of Complete Mediation

This week in Friday Star Wars Security Blogging, we examine the principle of Complete Mediation: Complete mediation: Every access to every object must be checked for authority. This principle, when systematically applied, is the primary underpinning of the protection system. It forces a system-wide view of access control, which in addition to normal operation includes […]


Macs and Sony's Rootkit

[Update: Welcome Wired readers! If you enjoyed Bruce Schneier’s article on who’s responsible for security flaws, please explore a little. The economics of security and privacy issues are an ongoing theme.] It wasn’t a plan that I was going to slag Apple this week. Really, I’m fond of my Mac, I’m just tired of claims […]


R-E-S-P-E-C-T! Find Out What It Means to Tom Peters

Tom Peters has a magnificent article, “Simple.” Go read the article. It’s really beautiful. Don’t mistake simple for easy, but this is an easy read about the need for respect in winning the cooperation of whomever you’re dealing with: “We were friendly and respectful whenever we met a Bedouin or farmer, often sharing tea with […]


This is convergence, too :^)

The Amazon Mechanical Turk. Basically, you have your code do a remote procedure call, where the bulk of the work on the remote side is performed by a human being.


Preserving the Internet Channel Against Phishing, Part 2

At this point I was pretty sure this was a social engineering attack, so I started to quiz her about why she needed the information. She said it was for a “security check”. I told her I was uncomfortable giving out information like this to a cold caller over the phone and she said it […]


Kudos to Microsoft, Brickbats to Apple

MS05-038 and MS05-052 contain a number of defense-in-depth changes to the overall functionality of Internet Explorer. These changes were done mostly for security reasons, removing potentially unsafe functionality and making changes to how Internet Explorer handles ActiveX controls. As a result of these changes that we made for security’s sake, for a limited amount of […]


This is convergence

A gamer who spent £13,700 on an island that only exists in a computer game has recouped his investment, according to the game developers. The 23-year-old gamer known as Deathifier made the money back in under a year. The virtual Treasure Island he bought existed within the online role-playing game Project Entropia. He made money […]


Digital Pearl Harbor

[U]se of commercial products with unbreakable cryptography could seriously undermine the ability of law enforcement to perform critical missions such as protecting against threats posed by terrorists, organized crime, and foreign intelligence agents This from a rather lightweight report prepared by the Congressional Research Service. I may have read it with a jaundiced eye, but […]


Canadian Air Transport Security Authority to Hire Angelina Jolie

In the midst of a CBC story about how a consultant went through “door after door” in Toronto’s Pearson airport (“Investigation highlights security concerns at Canadian airports“), we’re treated to these lovely tidbits: Mark Duncan, chief operating officer for the Canadian Air Transport Security Authority, the agency tasked with providing security at Canadian airports, says […]


The Approaching Apple OSX86 Security Nightmare

In the midst of an excellent long article on how the Wine Windows emulation layer will interact with OSX86, (“I invite you to wine“), Wil Shipley writes: When you can run Windows apps on Mac OS X, you’ll still be protected by Mac OS X. Viruses are going to be dead. D-E-D. Ok, yes, there […]


Transunion, 3,623 SSNs, Stolen Computer

Social Security numbers and other information about more than 3,000 consumers were stolen recently from TransUnion LLC, one of three U.S. companies that maintain credit histories on individuals, in the latest of many security breaches that have focused congressional attention on identity theft and fraud. The data were housed in a desktop computer that was […]


How Much Goodwill is 17,000 Letters Worth?

The Seattle Post Intelligencer reports that “ChoicePoint warns consumers about fraud:” ChoicePoint Inc., the company that disclosed earlier this year that thieves had accessed its massive database of consumer information, said Tuesday in a regulatory filing it has sent out another 17,000 notices to people telling them they may be victims of fraud. The story […]


University of Tennessee, 1,900 SSNs, Bad Policies

The University of Tennessee notified about 1,900 students and employees yesterday that their names and Social Security numbers inadvertently were posted on the Internet. … A University of Tennessee student made the discovery about two weeks ago when she searched the Internet for her name and found it listed with her Social Security number on […]


Are You Selling This Computer to Me or the RIAA?

(I wrote this a few weeks back, and forgot to post it. It’s even more fun with the bruhahaha about Sony/BMG screwing with your computer if you buy their “music.”) In conversation with Lucky Green, he commented that “You won’t be able to buy a laptop w/o a TPM in a few years.” This doesn’t […]


Macromedia Flash Critical Update

There’s apparently a critical flaw in Macromedia Flash 7. (You know, the software that plays annoying ads in your browser?) This affects at least PCs and Macs. Macromedia’s advisory is here. eeye has an advisory which makes it sound like a PC-only issue. Sec-Consult has published POC code. It’s unclear to me why, 130 days […]


Freedom to Develop

Two related posts from last week that I’d like to tie together. Jeff Veen writes about the lack of either Mac software or standards compliance in Polar Heart Rate Monitors in “Polar Heart Rate Monitors: Gimme my data,” and Bob Frankston writes about how the telcos use the regulators to stifle competition and innovation in […]


Choicepoint Roundup

Well, I’ve tried going cold turkey, but wasn’t getting positive reinforcement, so I stopped. Let’s start from the positive, shall we? Chris Hoofnagle of EPIC is quoted in a positive light in “ChoicePoint says it’s securing public’s personal data better” in the Atlanta Journal Constitution. Now that that’s out of the way. Science Daily tells […]


Iraq-al Qaeda Link Questioned

The New York Times has a story, “Report Warned Bush Team About Intelligence Doubts:” “It is possible he does not know any further details; it is more likely this individual is intentionally misleading the debriefers,” the February 2002 report said. “Ibn al-Shaykh has been undergoing debriefs for several weeks and may be describing scenarios to […]


The Tories Just Don't Understand Art

Audiences at the Government-funded Chapter arts centre in Canton, Cardiff, see Miss Takahashi arrive on stage in high heels and a smart black business suit. For the next three hours, they watch her drink bottle after bottle, periodically lurching towards her beam and seeing how much of it she can negotiate without falling off. … […]


Froomkin and Vladeck on Roberts

Ann Bartow describes it as “completely awesome pedantic weeniedom, and I mean that in the best possible way.” I would have just tossed this in my feed, but wanted to boost Michael Froomkin’s page rank for pedantic weeniedom. I hope he doesn’t mind. (Via Volokh)


Strategy In Iraq: Stay the Course vs Partial Disruption

Global Guerrillas has a fascinating post, “PARTIAL vs. COMPLETE SYSTEM DISRUPTION.” The thesis is that Iraqi guerrillas and terrorists have the ability to complete the collapse of Iraq into anarchy, but have chosen not to, for reasons that he lays out. As van Creveld predicted in “The Transformation of War,” we lack a good way […]


Data Destroying Anonymity

New Scientist reports “Anonymous sperm donor traced on internet:” LATE last year, a 15-year-old boy rubbed a swab along the inside of his cheek, popped it into a vial and sent it off to an online genealogy DNA-testing service. But unlike most people who contact the service, he was not interested in sketching the far […]


Miss McDonald's Halloween

Miss McDonald has an art project at Livejournal: Or perhaps Miss McDonald is an art project. Hard to say with any certainty. But why would you want to?


15% of Oregonians at Risk from DMV

Police have a warning for anyone who did business with the Oregon Department of Motor Vehicles in 1999 or 2000. They say as many as a half-million stolen DMV records were found on a laptop during a methamphetamine bust Wednesday night at a southeast Portland apartment complex. They allegedly discovered evidence of meth distribution and […]


Business Process Hacking

Business process hacking is the act of using weaknesses in the way an application is exposed to garner information or break in. Recent examples include the ChoicePoint and Lexis-Nexis attacks. Here is a new one. A couple of young traders at an Estonian bank got a Businesswire account and proceeded to dig around until they […]


We want it all, and we want it now

Bob Sullivan provided excellent “mainstream media” ChoicePoint coverage, and is doing some good blogging about breach legislation. From the blog post cited above, it’s clear that Sullivan considers the Act in question to be nigh-on to a total cave-in to industry. That things would have taken this turn is not surprising, but is nonetheless somewhat […]


Oh what a tangled web we weave…

Sony’s DRM rootkit has been harnessed by folks selling a program which hides game cheats from detective measures shipped with WoW and affectionately known as The Warden. Somehow, I am reminded of a Simpsons quote [.mp3]


Friday Star Wars: Principle of Fail-safe Defaults

In this week’s Friday Star Wars Security Blogging, I’m continuing with the design principles from Saltzer and Schroeder’s classic paper. (More on that in this post.) This week, we look at the principle of fail-safe defaults: Fail-safe defaults: Base access decisions on permission rather than exclusion. This principle, suggested by E. Glaser in 1965 means […]


10m (or more) Stolen Passports

Arab News picks up an Agency France Presse story, “Terrorist Access to Stolen Passports Alarms Interpol:” (Via Flogging the Simian’s Nov 4 PDB.) NEW YORK, 4 November 2005 — With 10 to 15 million stolen passports in use around the world at the present time, the global struggle against terrorism is seriously hampered, Interpol Secretary-General […]


Hashes: The High Cost of Deployment

Thanks for the great intro, Adam! Steven Bellovin and Eric Rescorla recently released a paper, “Deploying a New Hash Algorithm.” This is a great analysis of both the operational and protocol issues with changing which hash algorithms get used by various security protocols. For instance, S/MIME has no real mechanism for negotiating which hashes (and this […]


Introducing Arthur

I’d like to introduce Arthur, our newest guest. I was going to say Arthur is not his real name, but that would be a lie. It is his real name for purposes of this blog. It might, however, not be what his wife calls him. (“Sweetie.”) Arthur is, however, the chief information security officer for […]


Joseph Ansanelli, Brad Smith on Privacy Law

The [Stearns] bill would also require companies to notify not just consumers of a breach, but also the F.T.C., which would then be permitted to audit the company’s security program. “But it needs better enforcement language,” said Joseph Ansanelli, the chief executive and co-founder of Vontu, an information security company in California, who has frequently […]


The CIA's "Prisons"

Yesterday’s Washington Post had a long, sickening article on “CIA Holds Terror Suspects in Secret Prisons:” The hidden global internment network is a central element in the CIA’s unconventional war on terrorism. It depends on the cooperation of foreign intelligence services, and on keeping even basic information about the system secret from the public, foreign […]


The Cost of Following The Money

[Update: There’s a fairly long clarification in the middle of the post, which expands on a sentence that was too brief to be understandable.] One of the fond dreams of the counter-terror community is to be able to take Deep Throat’s advice, and follow the money. In “New Anti-Money Laundering Regulations and Compliance Solutions Announced,” […]


Episode III Released on DVD

Q. Do friends and family ever ask you [Frank Oz] to do Yoda on their phone answering machines? A. Yep. And I always say no. He’s not a party trick. He’s not a trained monkey. And I’m not a man like Mel Blanc, who’s a brilliant man of voices. I’m a man of characters; I […]


Relentless Navel Gazing, Part 2

Upgraded the blog software, added a fair number of little tidbits, including lots more archive indexes, better per-post options, and will be tweaking lots of little stuff over the next few days. Also, added automated “posted by” bits, and am going through older posts and cleaning out those bits. Which means that RSS will get […]


Speaking Of Worms

Following up on Chris’s worm post, Red Database Security has an advisory on an Oracle worm. On 31-october 2005 an anonymous poster ( released a proof-of-concept PL/SQL source code of an Oracle worm on the full disclosure mailing list. The worm is using the utl_tcp package to find other Oracle databases in the same subnet […]


Properties of National ID Systems

In “learning from others,” Jerry Fishenden writes at length about National ID systems and their impact on society. His post includes a list of properties an ID system should have, (originally from Niels Bjergstrom). His theme that these systems don’t only have ‘features,’ but properties is an important one. I’d like to suggest two additions: […]


Sony, Respecting Their Customer

Over at Sysinternals, Mark posts “Sony, Rootkits and Digital Rights Management Gone Too Far.” [Update: If that doesn’t work, try Sysinternals Blog; when I checked, it was the first post.] If you’re at all technical, read it closely. If you’re not, you should at least skim it. The story is that Mark (who knows more […]


American Express and Privacy

There’s a fascinating story at imedia connection, “Why Consumers Trust American Express:” How has American Express retained its position? Kimberly Forde, an American Express spokesperson, told me that “American Express is very pleased to be recognized by consumers for its ongoing and strong commitment to privacy.” Moreover, she felt that American Express had done a […]


Imperial Ambition, Poor Execution

In “The endgame on Iraq began a long time ago,” Thomas Barnett writes some shocking things: This is Musab al-Zarqawi’s worst nightmare: the Americans safe behind their compound walls and everyday he’s doing battle against Iraqis, or-more to the point-against Shiites increasingly backed by Iran, no friend to the global Salafi jihadist movement, being as […]


First Hand Report about New TSA Indignities

In “GE Puffer Stinks of Dr. Strangelove,” Kim Cameron writes about his experiences with the new explosive detection machines: People, I really hated the GE product. It is tiny, and closes around you. I felt seriously claustrophobic. Then it shot bursts of air at me so hard it actually hurt. I had been told there […]


Fall Back

It’s that time of year again, when Congress decrees that you shift your clock back an hour to save minuscule amounts of energy. The fine folks of Arizona and Indiana have noticed that Congress doesn’t really have the power to regulate time, and don’t like playing along. But if you think about it, time is […]


Porsches make you healthy

Well, I don’t know that for sure. But I am pretty sure that Porsche owners overall are healthier than those who don’t own Porsches. Maybe you have to control for age. Similarly, it seems that being a customer of certain companies apparently somehow causes less nastiness to befall one’s computing infrastructure. Jaquith handily, yet unwittingly, […]


Quick pointer to virtual worminess

If Nick Weaver and Jose Nazario are writing about it, it’s probably way over my head, or interesting, or both. I am happy to say this is in the second category.


Ahmadinejad and Wiping Israel Off The Map

Posted by Adam.
It seems that most everything that one could say about the President of Iran calling for Israel to be wiped off the map has been said. Good articles include Daniel Drezner’s “How crazy is Mahmoud Ahmadi-Nejad?” (about the strategy behind the statement), Hossein (Hoder) Derakhshan’s “The fundamentalist minority” (about how Iranians feel […]


The Importance of Attitude

Tom Peters has a blog, and in “The Days of Our Lives,” writes about the importance of being present for your customers, not for yourself. I really like his blog. It has a good mix of hubris and humility: This may be day 45 and mile 76,000 for me, but for the Client it is […]


Star Wars: Economy Of Mechanism

Before I start on the Star Wars part of today’s Friday Star Wars Security blogging, I need to explain who Saltzer and Schroeder are, and why I keep referring to them. Back when I was a baby in diapers, Jerome Saltzer and Michael Schroeder wrote a paper “The Protection of Information in Computer Systems.” That […]


Check images increase forgery and ID theft risks?

The October 26 on-line edition of American Banker (gotta pay to see it, so no link from me) discusses new technologies as possible enablers of check forging, in an article by Daniel Wolfe, “The Tech Scene: Check Images A New Frontier For Forgery?” The overall point is that since banks store check images and provide […]


White Sox futures market

For the last couple of weeks, peddlers have set up shop just outside Chicago’s Union Station to sell White Sox paraphernalia. Once the Sox were in the Series, I noticed an interesting phenomenon. Hats were selling for $10.00 after game two of the series. After game three, they were down to $5.00. After game 4 […]


Dog bites man really is boring

Red Herring reports on a claim by Cybertrust that recovering from Zotob cost the average infected company $97,000. Sounds moderately interesting, until you learn that the industry hardest hit, healthcare, had 74% of its respondents totally unaffected. For financial firms, 93% were totally unaffected. Overall, nearly 90% of firms had no impact. Nada. Alternative headlines […]


Lowering Ourselves

It occurs to me that when a senior US government lawyer says: foreign citizens passing through American airports have almost no rights. At most, Mary Mason told a hearing in Brooklyn, N.Y., passengers would have the right not to be subjected to “gross physical abuse.” that they are in direct contradiction to the US Constitution […]


Flogging The Simian Is Back

In “A Life, Observed,” I mentioned that I’d been enjoying “Flogging The Simian,” and that she’d left due to privacy issues. Well, she’s back, and so are her “PDBs,” her summaries of what’s interesting: “I read approximately 50 newspapers every morning and report what I find there, with an emphasis on foreign or international events.” […]


Trick-Or-Treaters To Be Subject To Random Bag Searches

America’s Finest News source reports, “Trick-Or-Treaters To Be Subject To Random Bag Searches:” “Individuals concealing their identities through clever disguise, and under cover of night, may attempt to use the unspecified threat of ‘tricks’ to extort ‘treats’ from unsuspecting victims,” Chertoff said. “Such scare tactics may have been tolerated in the past, but they will […]


Code/Data Separation

As I mentioned in my “Blue Hat Report,” I want to expand on one of my answers I gave to a question there. My answer involved better separation of code and data. I’ve since found, in talking to a variety of folks, that the concept is not so obvious as it seems to me. The […]


The President Endorses This Blog

You might have thought that the White House had enough on its plate late last month, what with its search for a new Supreme Court nominee, the continuing war in Iraq and the C.I.A. leak investigation. But it found time to add another item to its agenda – stopping The Onion, the satirical newspaper, from […]


Delicious Offload

I’ve set up a Delicious feed for stuff that I want to point to, but don’t have either anything to add, or time to add it. I feel sort of bad doing this; I’d like to discuss John Gilmore on the New York Times, but all I have to say is bravo!


Counting In Computer Security

Last week in “Notes from the Security Road,” Mike Nash wrote: My favorite moment on the trip — which actually resulted in my circumnavigating the entire globe in just a week — was when we illustrated the difference in the number of vulnerabilities in Windows Server 2003 compared to its competitive product, Red Hat Enterprise […]


Rosa Parks

Rosa Parks passed away this evening. She was 92.


Business lobbies engage in rent-seeking. Masses not moved. Film at 11.

Various data protection bills to be consolidated? [P]ressure to act isn’t coming from the public clamoring for protection of their private information, it is coming from the business community that fears 50 different state laws. In many ways this improves the chances for a new federal law, because while the onslaught of data breach stories […]


How Not To Train Users

To provide the fastest access to our home page for all of our millions of customers and other visitors, we have made signing in to Online Banking secure without making the entire page secure. Again, please be assured that your ID and passcode are secure and that only Bank of America has access to them. […]


Flock's Progress

Posted by Adam.
Lots and lots of people are commenting on the first public release of flock. After I met Bart Decrem, he was nice enough to let me into the alpha, and so I’d like to offer a slightly different perspective, about what’s changed, and the rate of change. I think that examining what’s […]


Sessions Bill/Breach Monday

In ‘honor’ of the Sessions bill (see “The hand is quicker than the eye” and “Adding Silent Insult to Injury (Senator Sessions’ ‘privacy’ act)”), we offer up stories about three breaches. Under Sessions’ bad law, the state of Georgia would not be coming clean with its residents, nor would the California school system. I think […]


5.2% of Georgia residents to get Notice of Stolen Personal Data

State officials on Friday began notifying 465,000 Georgians that they might be at risk of identity theft because of a government security breach detected in April. Joyce Goldberg, spokeswoman for the Georgia Technology Authority, emphasized that officials had no evidence that any personal data had been used for fraudulent purposes. But she said officials are […]


California Schools, "tens of thousands" of Student Records, Default Passwords

The personal information of tens of thousands of California children — including their names, state achievement test scores, identification numbers and status in gifted or special-needs programs — is open to public view through a security loophole in dozens of school districts statewide that use a popular education software system. … The problem occurs when […]


Montclair State University, 9,100 SSNs, Exposed Files

Due to what Montclair State University officials are calling an “inadvertent error,” the social security numbers of 9,100 Montclair State University students were made available online for nearly five months, putting each student at risk for identity theft and credit fraud. Etc, etc, files found by a student ego-surfing on Google. Read “Negligence At MSU […]


Archimedes' Death Ray, Take 2

Earlier this month, I posted “Archimedes’ Death Ray,” about the MIT team trying to replicate Archimedes’ legendary defense of Syracuse, setting fire to ships with polished mirrors. Now Mythbusters has brought MIT Professor David Wallace to San Francisco to: …attempt to set fire to an 80-year-old fishing boat with a contraption made of 300 square […]


People Hate Being Laughed At

Omid Sheikhan has been sentenced by the Iranian court to one year in prison and 124 lashes. Omid was first arrested last year, confined for two months, including one in solitary confinement, and tortured, due to his blog which featured satire on the Iranian situation. When he was brought to court on October 8 he […]


Adding Silent Insult to Injury (Senator Sessions' "privacy" act)

I just skimmed the Sessions’ bill which Chris linked to. It has a great provision for allowing the fox to not only guard the henhouse, but also to control the alarm system: 3(b)(1)(A) IN GENERAL- If an agency or person that owns or licenses computerized data containing sensitive personal information, determines, after discovery and a […]


The hand is quicker than the eye

Arlen Specter and Pat Leahy have proposed the “Personal Data Privacy and Security Act of 2005”. This is a comprehensive proposal, and is opposed big-time by various industry lobbies. As reported in the October 21, 2005 American Banker, this bill has hit a snag, and is languishing in Committee. Meanwhile, another bill, courtesy of Jeff […]


Critical Map of Alaska Disappears

‘There is a Party slogan dealing with the control of the past,’ [O’Brien] said. ‘Repeat it, if you please.’ ‘”Who controls the past controls the future: who controls the present controls the past,”‘ repeated Winston obediently. ‘”Who controls the present controls the past,”‘ said O’Brien, nodding his head with slow approval. ‘Is it your opinion, […]


Snotty Worm Coming?

Posted by Adam.
Richard Bejtlich predicts that the Snort network monitoring tool will be hit with a worm shortly in “The Coming Snort Worm.” He has some good qualitative analysis, and Tom Ptacek disagrees with him in “Opposition Research.” I find it fascinating that we know so little that two smart guys like Tom and […]


Don't Have a Cow!

Or, perhaps, in this instance, having a cow would be a perfectly fine response, as it is revealed that the average European cow gets a subsidy of $2.62 a day. About 3,000,000,000 people live on less than that. Doubtless, if cows could call their representatives and vote, the subsidy would be higher. (Research by Oxfam, […]


Horton Hears a Heart

Brilliant retelling of the Tell-tale Heart, by Poe, in the style of Dr. Seuss. True, I’ve been shaken – and true, I’ve been bad. But how can you say that this elephant’s mad? This Loopidy sickness has sharpened my brain! My ears are quite large, and I hear things quite plain. So before you pass […]



As we now know courtesy of the Philippines’ National Capital Regional Police Office, a typical terrorist is “a man aged 17 to 35, wearing a ball cap, carrying a backpack, clutching a cellular phone and acting uneasily”. This critical piece of intelligence, I am sorry to report, seems to have taken a step closer […]


Map of London

OpenStreetMap is a project aimed squarely at providing free geographic data such as street maps to anyone who wants them. This is because most maps you might think of as free actually have legal or technical restrictions on their use, holding back people from all walks of life who would like to use a map […]


Pop!Tech ('Pointer' post by Adam)

I don’t know how Ethan Zuckerman is finding time to enjoy the conference, but his series of posts from Pop!Tech make me jealous that I’m missing it.


"The Force Is Strong In My Family"

In Friday Star Wars Security blogging, I was planning to start on Saltzer and Schroeder this week. But I’m going to detour a bit into genetic privacy (and Star Wars, of course). I’m inspired in part by an interview over at GeneForum with bioethicist Insoo Hyun. Hyun is studying cloning with the South Korean team […]


Following up "Liability for Bugs"

Chris just wrote a long article on “Liability for bugs is part of the solution.” It starts “Recently, Howard Schmidt suggested that coders be held personally liable for damage caused by bugs in code they write.” Chris talks about market failures, but I’d like to take a different direction and talk about organizational failures. Security […]


Liability for bugs is part of the solution

Recently, Howard Schmidt suggested that coders be held personally liable for damage caused by bugs in code they write. The boldness of this suggestion is exceeded only by its foolhardiness, but its motivation touches an important truth — a lot of code stinks, and people are damaged by it. The reason good programs (which means those […]


The prescience of the Beeb

Via Alec Muffett’s dropsafe, I learned of a British SF television program which eerily predicted a future Britain in which “a sinister governmental department that has abolished individual rights and introduced ID cards for all citizens, rationing and sophisticated electronic surveillance.” I would have preferred to have gotten a transdimensional police box.


Your Printer, Tool of the Man

The EFF has done some great work on how high resolution color printers are embedding tracers in every document they print. It’s at “DocuColor Tracking Dot Decoding Guide.” I’d call them high quality printers, but how could I? They intentionally distort every document they print on the off-chance it contains evidence of thoughtcrime. The work […]


How To Notify Customers After a Breach

I referenced Larry Ponemon’s “After a privacy breach, how should you break the news?” months ago. Now there’s more data, in a survey sponsored by the law firm of White and Case. They have a press release, and you can download the full survey. As Chris pointed out, knowledge is good. According to the survey, […]


Interesting Tidbits (Adam)

John Gruber has an interesting article on the economics of being a one-man software shop, “The Life.” He uses the case of Brent Simmons and NetNewsWire to shed light on why the life of a small software development shop is so hard. Jeff Veen of Adaptive Path has announced “MeasureMap,” a new blog-focused log analysis […]


Here's to you, New York…



MS Security 360 Webcast archive

The roundtable I did as part of the Security 360 (with Amy Roberts, Peter Cullen, and Gerry Gebel) is now archived at “Microsoft Executive Circle Webcast: Security360 with Mike Nash: Managing Privacy in Your Organization.” Since I’ve been posting a lot recently, I’ll repeat: after filming I participated in Microsoft’s Blue Hat, you can read […]


UK ID Cards a Doubly Bad Idea

Microsoft UK National Technology Officer Jerry Fishenden warns that the push for a national ID card in Great Britain could lead to identity fraud on a gigantic scale unlike anything that has been seen before. The Register reports… and Charles Clarke confirms that ID cards will be a massive waste of both time and money […]


Security Costs of Logging

In “Online Dirty Tricks at American Airlines ” Gary Leff reports: The Wikipedia entry on the Wright Amendment (the law which restricts destinations of flights taking off from Dallas’ Love Field, which serves — and was intended — to protect American Airlines from Southwest) was edited by someone using an American Airlines domain. Someone using […]


Thanks, Adam

I’ll confess to some stage fright, since this blog’s readership is probably two or three orders of magnitude larger than what my fortnightly rants over at my place probably garner. Anyway, I hope to have posts forthcoming about a few things, among them CVSS, and research into estimating the impact of security events (variously defined) […]


Introducing Chris Walsh

One of the things that happens as a blog takes on a personality is that readers start to send you links to things that are “more your blog than theirs.” Over the last few months, Chris has fed me something between a third and a half of the breaches listed in my breaches archive. At […]


Now Headlining: The Emergent Chaos Jazz Combo

As I experiment with bringing in guest bloggers, the old subtitle of the blog, ‘Musings from Adam Shostack on security, privacy, and economics’ is now inaccurate. Now I could simply declare this “Adam Shostack and friends,” but that is both boring and, with no offense to my invitees, inaccurate. (I’ve never met the fellow who […]


Watch our webcast!

Last week, I was in Redmond for a few days, filming a roundtable discussion with Amy Roberts of Microsoft, Gerry Gebel of the Burton Group and Peter Cullen, Microsoft’s Chief Privacy Strategist. I think we had a great discussion, the time went by really quickly. I hope that the good energy we had in the […]


First Shmoocon Speaker List

Shmoocon was a great get-together last year, and I look forward to being there this year, especially now that they’ve announced a first batch of speakers. Via the Shmoocon RSS feed. No, just kidding, they don’t have an RSS feed.


Blue Hat Report

The other thing I did at Microsoft last week was I participated in Blue Hat. Microsoft invites a selection of interesting researchers to come to Redmond and present a talk to a variety of people within the company. Blue Hat is organized by Kymberlee Price, who works with Andrew Cushman, and they did a great […]


Security 360 With Mike Nash (and Adam)

Last week, I was in Redmond for a few days, filming a roundtable discussion with Amy Roberts of Microsoft, Gerry Gebel of the Burton Group and Peter Cullen, Microsoft’s Chief Privacy Strategist. I think we had a great discussion, the time went by really quickly. I hope that the good energy we had in the […]


AOL and DHS: Where's the Proof?

Several folks have sent me a link to a Free Market News article “HOMELAND SEC. SURVEIL ALL AOL FILES,” with a suggestion I link to it. I thought it was squirrelly, but when the normally quality Chief Security Officer Magazine picks it up, I felt a need to respond. And frankly, I call bull. by […]


Small Travel Annoyances

I’ve slept in three different hotels in the last ten days or so, and noticed a number of things that (seemingly) could be done a lot better. The first is voice mail spam. I get no warm fuzzy from picking up a pre-recorded voice mail welcoming me to the hotel. But I do get to […]


Dangerous Meme

If you have to educate people to not use the tools you have given them in a certain way to remain secure you have failed. Relying on security awareness training is an admission of failure. This meme must be eradicated from the gene pool. So writes Rich Stiennon in “Dangerous meme.” He’s absolutely right. Training […]


Who's On Drugs?

Over at the History News Network, Keith Halderman reports on medical marijuana. It seems that the cool kids don’t want to be taking any drug that old geezers use: “Nine years after the passage of the nation’s first state medical marijuana law, California’s Prop. 215, a considerable body of data shows that no state with […]


Daniel Cuthbert's Chewbacca Defense

We take a break from our regularly scheduled, deeply-movie-focused, Friday Star Wars security blogging to mention the Chewbacca defense, and its interplay with a story that’s floating around. First, if you’re not familiar with it, “The ‘Chewbacca Defense‘ is a satirical term for any legal strategy that seeks to overwhelm its audience with nonsensical arguments […]


Blue Hat

I’m at Microsoft’s ‘Blue Hat’ event, and it’s been fascinating. Very senior folks got briefed today while I sat in the back of the room and (mostly) listened. I’ll blog some thoughts shortly, but I expect to continue to be mostly unresponsive through Sunday.


Codecon 2006 Call For Papers

February 10-12, 2006, San Francisco CA, USA. CodeCon is the premier showcase of cutting edge software development. It is an excellent opportunity for programmers to demonstrate their work and keep abreast of what’s going on in their community. All presentations must include working demonstrations, ideally accompanied by source code. Presentations must be done by one […]


A Profusion of Taxonomies

In “In the Classification Kingdom, Only the Fittest Survive,” Carol Kaesuk Yoon writes about the profusion of naming schemes for animals: Then there’s uBio, which has sidestepped the question of codes and regulations altogether and instead aims to record every single name ever used for any organism, scientific or common, correct or incorrect, down to […]


Editorial Parameters?

One of the things that I’ve meant to do here is have a little chaos now and then, and see what emerges. One type of chaos that I’ve been aiming for is carefully selected guest bloggers. In talking to someone about that, he asked: What are the editorial parameters? Looking to avoid a possible “I […]


Businesses For Privacy

Some prominent business organizations are complaining to Congress that the Patriot Act makes it too easy for the government to get confidential business records. These groups endorsed proposed amendments that would require investigators to say how the information they seek is linked to individual suspected terrorists or spies. The changes also would allow businesses to […]


Airport Screening Is Not A Game?

A few weeks ago, I reported on PlayMobil’s airport screening playset in “From The Mouths of Toymakers.” Dan Solove shows his true commitment by buying one, and documenting his hours of fun in “The Airline Screening Playset: Hours of Fun!” Read it.


The Future of Government: Exclusive and Effective?

In Balkinization, Stephen Griffin writes about the efforts to get government and society functional again in New Orleans in “The Katrina Experiment.” In a pair of posts that are, to me, closely related, Michael Froomkin writes about “My notes from the ‘The Great Debate’ at State of Play III” and “Summing Up ‘The Great Debate’ […]


The Nation-State: Violent and Exclusive

I usually call my collections of links ‘small bits,’ rather than roundups, because I make no effort to round up all of what’s interesting about a subject. But today’s subject, especially the first items, I can not call small. I start with the most horrific, Rebecca MacKinnon’s “Chinese activist bludgeoned to death in front of […]


Bank of America, some credit card numbers, laptop

In letters sent to Buxx [prepaid debit cards] users and dated Sept. 23, [Bank of America] warned that customers may have had their bank account numbers, routing transit numbers, names and credit card numbers compromised by the theft. Visa Buxx is a prepaid credit card for teenagers that the Bank of America (BofA) stopped […]


Mount Sinai Hospital, 10,000 Ground Zero worker SSNs, Disgruntled Ex-Employee

Letters have gone out to about 10,000 Ground Zero rescue and cleanup workers, notifying them that a computer containing Social Security numbers and health records was stolen, leaving them vulnerable to identity theft. The letters were sent by the World Trade Center Medical Monitoring Program, which is providing free health-care services to the workers. Workers […]


Thomas Schelling, Nobel Laureate

Congratulations to Thomas Schelling, who was awarded the Nobel Prize in economics (with Robert Aumann). Schelling, amongst many accomplishments which Tyler Cowen discusses here, put forth the notion that there are questions with answers which are correct because those are the answers everyone would choose. (The canonical example is where do you meet in New […]


Security Roundup: Build Security In Edition

David Litchfield lets rip at Oracle in “Complete failure of Oracle security response.” Such questions need to be directed to more vendors than just Oracle. Andrew Jaquith writes about “Hamster Wheels of Pain” in security company presentations. The Seattle Times has an article on those new fancy, radio controlled cockpit doors, “Glitch forces fix to […]


FedEx and Resiliency

There are some fascinating tidbits about how Federal Express plans for the unforeseen in a New York Times story, “Have Recessions Absolutely, Positively Become Less Painful?” I wonder what (if anything) information security could take away from this sort of approach? It had been a busy day for Georgia businesses, and FedEx’s regular nightly flights from […]


Kill The Smurfs

The people of Belgium have been left reeling by the first adult-only episode of the Smurfs, in which the blue-skinned cartoon characters’ village is annihilated by warplanes. The short but chilling film is the work of Unicef, the United Nations Children’s Fund, and is to be broadcast on national television next week as a campaign […]


"A Reader Writes…"

Rob Sama IM’d me a link to some Mac launch rumors at “” He then commented: Rob: I was the one who pointed that out to Cringley, and Calzone had pointed it out to me Adam: and you got no cred? Rob: I guess. I mean, columnists like that often say “a reader told me…” […]


Archimedes' Death Ray?

Boingboing directs us to “Archimedes Death Ray: Idea Feasibility Testing,” in which an MIT class decides to test Archimedes’ ray: The use of mirrors to set warships on fire. Mythbusters claimed it was a myth, that the idea couldn’t be made to work. Well, the MIT class gave it a shot, and it turns out […]


"Where is that Shuttle Going?"

VADER: Where is that shuttle going? PIETT (into comlink): Shuttle Tydirium, what is your cargo and destination? PILOT VOICE (HAN)(filtered): Parts and technical crew for the forest moon. VADER: Do they have a code clearance? PIETT: It’s an older code, sir, but it checks out. I was about to clear them. In modern cryptography, a […]


The Memory Hole

As an aside in a longer article, Dan Markel writes: As a matter of blogging ethics, I think the way to handle it is to post an apology and clarification and to remove the inaccurate material, with a followup email that clarified the situation. This is dangerously wrong. The inaccurate material needs to stay, because […]


Concurring Opinions Has a Privacy Policy

Daniel Solove and company have launched a new blog, “Concurring Opinions.” Today, they posted their privacy policy. I think they’ll be sued shortly by Experian, for copyright infringement.


IT Harvest IT Security Summit

I should also mention that I had a good time at the Detroit IT Security Summit. I thought there was an interesting and broad selection of panelists, including some technical people and some senior managers. I didn’t get to talk to as many folks as I might have liked, but that’s always the case.


Today, I Publicly Praised Microsoft

On the “Meet the Bloggers” panel at the Detroit IT Security Summit, I publicly heaped praise on Microsoft for their investment in security, the results of which include some really cool tools in Visual Studio 2005. Also on the panel, Ed Vielmetti brought up a really good point that I hadn’t heard recently, that of […]


Bankers 1, Privacy 0

A federal judge on Tuesday struck down a California law that restricts banks from selling consumers’ private information to their affiliates, ruling that the state law is pre-empted by federal rules. The American Bankers Association, the Financial Services Roundtable and Consumer Bankers Association had sued California Attorney General Bill Lockyer, arguing that the federal Fair […]


The Big Privacy Picture

“Smart Borders: A wholesale information sharing and surveillance regime” is Krista Boa’s overview of the amorphous and opaque ‘Smart Border’ program: Smart Borders encompasses a range of individual and cooperative initiatives, including US-VISIT, biometric passports in both nations, automated passenger risk assessment, and no fly lists among many others, all of which put privacy rights […]


Thoughts on RSS Feeds

I spent a lot of energy to make Emergent Chaos look nice. And how do you all repay me? You read the RSS feeds. Most of my readership (85% or so) are reading via RSS. Which is nice. It says that there’s a core of folks who are interested in what I have to say, […]


Who Has Fingers That Short?

PaybyTouch has arrived, and that finger in their logo looks awfully short to me. Maybe subconsciously, they know the truth? See my “Fingerprint Privacy” or “A Picture is Worth A Thousand Words” for some actual analysis, rather than silly sniping. (via Silicon Beat, who has notes on their unusual financing techniques.)


Congrats to Brent Simmons

NewsGator Technologies has acquired NetNewsWire, along with Ranchero Software founder Brent Simmons. Simmons joins NewsGator as product architect. I discovered this via Brent’s NetNewsWire, and am blogging it with his MarsEdit. See the interview with Brent and Greg Reinacker. For consistency’s sake, I ought to be confusing Newsgator with someone else.


Who Obeys the Laws of War?

There’s a fascinating article on, a Kurdish site: “Emergence of a better Kurdish 4GW frightens Turkey:” An interesting observation is that HPG is now playing by all the rules set up by international conventions, treaties and war-laws [Jus in Bello] (which ARGK unfortunately occasionally broke). People in the military or with a military background […]


Privacy Enhancing Technologies Workshop call for papers

6th Workshop on Privacy Enhancing Technologies will be held at Robinson College, Cambridge, United Kingdom, June 28 – June 30, 2006. Paper submissions are due March 3, 2006. See for more details. [Also note that this will be colocated with the workshop on economics and information security. Thanks to Allan Friedman for reminding me.]


Web 2.0: What Will Emerge From Chaos?

Over at Infectious Greed, Paul Kedrosky responds to a reader about the “Web 2.0” meme: As much as I love trying the new technology and services, very little has changed in how I use the web. Only RSS aggregation has truly offered me value. Everything else I enjoy trying out and then utterly forget it […]


Disaster Planning

Since Katrina, I’ve been trying to spend about $25 a week on disaster preparedness. Fortunately, I already own some basic camping gear, so I’m starting out by storing more food and water. My pantry tends to be thin on food that can be eaten without preparation. I have powerbars and snack bars so I’ve been […]


CounterTerrorism and Bureaucracy

In “Bureaucracy Kills,” Daveed Gartenstein-Ross writes (quoting CNN): FEMA halted tractor trailers hauling water to a supply staging area in Alexandria, Louisiana[.] The New York Times quoted William Vines, former mayor of Fort Smith, Arkansas, as saying, “FEMA would not let the trucks unload. . . . The drivers were stuck for several days on […]


Shmoocon 2006

Today is the last day to get the stunningly low $75 rate for Shmoocon in Washington DC Jan 13-15, 2006. Remember to bow to Bruce’s firewall (largish video download). I understand this year’s con will culminate in a deathmatch between a new, armed Shmoo robot and the speaker who gets the worst ratings. The speaker […]


National Poison A Database Day?

The fine folks at BugMeNot (free registration required) are sponsoring “Internet Advertiser Wakeup Day.” I think it’s a cool, but flawed, idea. If you believe that paying for service is better than kneeling before the advertisers and giving up your privacy, then poisoning the databases is good. However, to be effective, the poisoning needs to […]


Harper's Privacy Framework for DHS

Jim Harper writes: At this week’s meeting of the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee, Joanne McNabb, Chief of the California Office of Privacy Protection, and I circulated and presented a draft ‘Framework’ for assessing homeland security programs in terms of their consequences for privacy and related values. Members of the […]


Fishermen's Friend, Breathalyzers

It comes after a 24-year-old driver was found to be over the legal drink-drive limit during a routine control in Munich. He was taken to the police station where blood tests found he had no alcohol in his system. The man was released after officers found the strongest thing he had taken was a Fisherman’s […]


"Remains Safely Anonymous"

People seem to dig Star Wars posts. I could probably blog for a month on security lessons, illustrated with Star Wars quotes, but I’d need to buy the DVDs and get some video capture technology, and … …ok. You’ve convinced me. Friday Star-Wars-security-lessons-blogging it is. Ben: The “other” he spoke of is your twin sister. […]


Bugger Productivity

It’s not like I was getting any work done anyway. (Ok, actually I was: Five of yesterday’s six posts took under 10 minutes, and four took 5 minutes or less.) But: Scientists invade the privacy of Giant squid, intruding on their long-preserved solitude. Also be sure to notice National Geographic’s beautiful user interface for selecting […]


University of Georgia, 2400 SSNs, Hacker

ATHENS – A hacker broke into a computer database at the University of Georgia, gaining access to the Social Security numbers of employees in the College of Agricultural and Environmental Sciences and people who are paid from that department. More than 2,400 numbers, belonging to roughly 1,600 people, may have been exposed, UGA spokesman Tom […]


FinCEN Effectiveness

At the Counter-Terror blog, Andrew Cochran writes: “Treasury Department’s FinCEN Unit Recovering From “Cyberjacked” E-Mail System:” The most important impact of the cyberjacking has been to shut down the automated system whereby FinCEN and law enforcement request and receive information from financial institutions for use in terrorism and money laundering cases. The system, enacted under […]


What About My Needs?

While everyone (FCC, FBI, RIAA) is lining up to decide what software you can run, I’d just like to ask that I be included in the list. The Federal Communications Commission thinks you have the right to use software on your computer only if the FBI approves. No, really. In an obscure “policy” document released […]


RBC Dain Rauscher, 300,000 SSNs, Disgruntled former employee

The FBI has opened an investigation into the possible theft of personal information about some clients of RBC Dain Rauscher Inc. The chief executive of the Minneapolis-based brokerage firm disclosed the problem in a letter sent to 300,000 households. Dain Rauscher has not yet detected any fraudulent activity in their accounts, according to the letter […]


CUNY, Hundreds of SSNs, Exposed Files

The CUNY foul-up that put students’ personal information a Google search away from identity thieves was more widespread than first reported, with school officials saying yesterday that the Social Security numbers of hundreds of employees also got on the Web. City University of New York officials detected the unprotected payroll link for Hunter College Campus […]


New Ten Dollar Bills

The US has unveiled new ten dollar bills, and, unsurprisingly, they contain the EURion constellation in an entertaining spot: That’s right. Big Alexander Hamilton is watching you. Close up from Money


More On Cardsystems Lawsuit

Joris Evers continues to report well on the Cardsystems lawsuit, this time in “Judge looks for links in credit card case:” Kramer said he wants to be clear on which defendants fall under California civil code section 1798.82, the notification statute. While it is clear that the breach was at CardSystems, the law applies to […]


Google VPN, Macs, and Privacy

NudeCybot (hey, you’re blogging again!) asked me for opinions on Google Secure Access (or just GSA), and sent me a link to Kevin Stock’s Google Secure Access on Mac OS X. There’s a lot of critiques of Google’s Privacy policy around GSA: “Hide what you’re doing from everyone but us! And, umm, anyone who asks […]


North Fork Bank, 9000 mortgageholders (Not SSNs), stolen laptop

Data relating to about 9,000 mortgages that were originated by Countrywide Home Loans but sold to North Fork were in the laptop, according to a letter received by a customer on Thursday. The laptop was one of several stolen over the July 24 weekend, the letter said without identifying the office. The data included the […]


What Is Phishing

In conversation with a friend, I realized that my essay, “Preserving the Internet Channel Against Phishers” didn’t actually explain the problem. I made the assumption that everyone had the same perception of what it was. (Why didn’t anyone point that out?) So I’ve added the following (after the break), and I think the resultant essay […]


A Life, Observed

A blogger who I’d recently discovered has retired: I’ve always had my two lives separated – my offline world and my online one. That’s the way I wanted it and that’s the way I set it up and I’ve got my own reasons for it. And someone decided to ruin all the fun and be […]


Sweet Land of Databases

In “Stuck on the No-Fly List,” Ryan Singel discusses the procedure for, no not getting off the list [1], but for getting onto yet another “cleared” list.[2] Confused? I was too. The head of the Terrorist Screening Center [3] told me recently that I’d mixed up “No-Fly” and “Selectee.” As Daniel Solove explains in “Secure […]


Cardsystems Breach and Notice

On Friday, San Francisco judge Richard Kramer ruled against the idea that Cardsystems (or Visa or Mastercard) had to provide 1386 notice to people. Some articles are “Visa, MasterCard Win Battle Over Breach” and “Credit card companies can keep data ID theft secret.” But the article worth reading is CNet’s “Judge holds off disclosure in […]


Never Enough

After the 7/7 London bombings, France decided it was not enough. So, even though France already has one of the toughest anti-terrorism judicial arsenals in Europe, it is adding to it. Indeed, French newspaper Le Monde just revealed the clauses of the new anti-terrorist law due to be formally presented to the government on October […]


Judging Wines By Their Labels

Stefan Geens has an entertaining post about “how to judge a wine by its label:” Therein lies the secret as to why you really can judge wine by its label: Companies where the management has an atrocious taste in labels tend to be the old-school type, uncertain about innovation, parochial about marketing and under the […]


More Toys: Suicide Bomber Barbie

Yes, it’s suicide bomber Barbie! Click the picture for a few more views. Toy supplier Shuki Toys, responsible for the distribution of the stickers, said in response, “We were very surprised to see the stickers in the shop, the several sheets of stickers have been pulled off the shelves.” “We check all the stickers, thousands […]


From The Mouths of Toymakers

We all understand that Ryan Singel deserves a break from reporting on stories like “TSA Chief Nixes Commercial Databases” or “Advisory Panel: Delay Secure Flight” or even “[TSA] Advisory Panel Report Made Public.” Reporting on the duckspeakers and their plans to grope us all in the name of liberty is enough to wear anyone down. […]


Apple Security Update 2005-08

There’s a new security update from Apple, for both 10.3.9 and 10.4.2. If you browse the internet, or read email, you need it. I’m getting really annoyed at Apple’s update mechanisms. Not only the agreeing to a new license as part of the update, but the awful way in which they’re arranged. The technical data […]


Chinese Censorship

Rebecca MacKinnon has the story on how AOL is refusing to collaborate on blocking freedom in China, in “Internet Censorship & Corporate Choices.” Companies do have a choice, and the choices they make matter a great deal. Security technologies that help protect people from their governments are not yet internationalized and easy to use. So […]


Real ID, Real Unfunded Mandate, Real Unnecessary

It seems to be standard that major new government programs cost more than we expect. Federal Computer Week has a story, “Real ID costs rising:” Earlier this year, Congressional Budget Office officials said nationwide implementation of the Real ID Act would cost $100 million in five years. The act requires minimum national standards and physical […]


Security Implications of Economics of ID Cards

Some of the precepts that proponents of national ID often put forth are that it can make “illegal immigration more unpleasant for immigrants,” or that “a national ID system has some substantial potential to be the cornerstone of a national fraud-prevention system.” These are attractive notions, but will not be borne out in reality. Actually, the […]


"Every Valid Vote?"

Kip Esquire continues his coverage in “ACLU Sues to Block Georgia Voter ID Law,” and closes, like he did in a comment on my last post on the subject: Always remember, it’s not about “making every vote count,” but rather “making every valid vote count.” I don’t think this works as a requirements statement. First, it […]


Small Bits on Security

“Security cameras certainly aren’t useless. I just don’t think they’re worth it.” So comments Bruce Schneier on the news that “Cameras Catch Dry Run of 7/7 London Terrorists.” Richard Bejtlich comments on “Citadel Offers Product Security Warranty.” I think Richard nails it with his analysis that “There are probably enough loopholes through which one could […]


Jetblue Flight 292

Congratulations to the pilot who brought it down safely.


You Don’t Need To See His Identification

If you’re a jack-booted thug, one of the saddest moments in Star Wars is when Obi-Wan Kenobi and Luke Skywalker slip past the Imperial Stormtroopers, out looking for stolen property. Had the Stormtroopers been a little more on the ball, all of those innocents on the Death Star would still be alive. You may not […]


Thoughts on Chapell's View

Alan Chapell has some interesting thoughts in “CONSUMER WATCH: Localities put private data in harm’s way:” As an aside, some might argue that there’s little distinction between “evil doer” and “data broker”. I prefer to view the latter as the poster children for another unregulated industry that is screaming for the Government to step in. […]


2005 MacArthur Fellows Announced

I always find it fascinating to see who the foundation chooses to honor and support. The list of 2005 Winners is worth reading. Hey! No, really! Even if this is a short post, go click the link. Hmm, I should add a picture or something.


Palo Alto Children's Health Council, 6,700 SSNs, Thief

A backup tape containing the names, Social Security numbers and detailed health information of as many as 6,000 current and former clients of the Children’s Health Council was stolen from the nonprofit agency’s offices, officials confirmed Sunday. From SignonSandiego, “Thousands of health records stolen from Palo Alto agency.” via Cotse Privacy Watch. The Children’s Health […]


Investigating New Orleans Failures

In “Bush Aide Will Lead Hurricane Inquiry,” the New York Times chronicles the sort of petty bickering we’ve come to expect from kindergarteners America’s leadership. Today’s subject-of-bickering is who is to investigate the failures in New Orleans: On Capitol Hill, Congressional Republicans continued their efforts Monday to persuade Democrats to take part in a special […]


Yahoo & China

Yahoo! co-founder Jerry Yang said the company was merely following Chinese law – it had no choice. But as human rights groups have been pointing out, Yahoo! has been going above and beyond the strict legal requirements for some time. In 2002 it signed the Internet Society of China’s Public Pledge on Self-Discipline for the […]


Voter ID Cards

Kip Esquire, who I enjoy reading, writes: The voter ID proposal, already causing a stir in Georgia, is a reasonable compromise. ID cards help deter voter fraud, yet if the cards are free, then the “poll tax” histrionics evaporate (see, e.g., my previous post). I agree that some histrionics may go away, but the real […]


Parental Privacy

My first reaction was shock, then anger. Why did the baby formula company have her due date? I had shared our baby’s due date with only two businesses: my health insurance company and a Web site for expectant and new parents. When I registered to enter the Web site, I specifically requested that it not […]


Command-Q Getting Me Down

The Mac’s is way too easy to quit; it seems to absorb any command-Q typed near it, even if the menubar is showing you that you’re in another app. (This may be an interaction with the preference FocusFollowsMouse.) Anyway, having just lost a bunch of terminals with useful data in them, I went and […]


2005 Underhanded C Contest Winners Announced

Congratulations to the three winners: M Joonas Pihlaja and Paul V-Khuong (who had a joint entry) and Natori Shin. Code is here. I previously blogged about the contest here.


Miami University of Ohio, 21,762 SSNs, Staff

Miami University is notifying all students who attended Miami during the fall 2002 semester that a report containing their names, Social Security numbers and grades had been inadvertently placed in a file accessible through the Internet. University officials said that at this point they have no evidence of illegal use of the information, which included […]


"Iran's Nuclear Ambitions" Pitch

Earlier, I mentioned the Powerpoint deck being used to pitch the idea of Iran’s Nuclear ambitions. Now, courtesy of Edward Tufte’s forums, we have links to the presentation (PDF). This is mentioned in “U.S. Deploys Slide Show to Press Case Against Iran ” in the Washington Post. The presentation is a nearly classic example of […]


Small Bits on Usability

Thomas Barnett comments that “The U.S. is pushing a secret PowerPoint briefing to allies on Iran, trying to convince them that the WMD question is drawing to a head there.” Maybe they’ve read “The Cognitive Style of Powerpoint,” and would prefer data to being pitched? I’ll (ahem) pitch my lesser-known Hamlet in Powerpoint. Jacob Nielsen […]


Security Bloggers Spit-Polish DHS

Or maybe just spit on them, and then rub it in. Not Bad For a Cubicle has “’t Plan on It: From what I can tell, the best way to keep a building from catching fire would be put these clowns in charge of burning it down. They truly are The Gang That Couldn’t Shoot […]


Musings After the Dali Museum

I took a little time away from the conference to visit the Salvador Dali Museum in St. Petersburg, Fl. It’s an impressive museum, and worth seeing. One of the strongest impressions I got from the experience was that of Dali’s sheer technical skill. From paintings that he made as a child (as young as 9), […]


Roberts on the Right to Privacy

The term “right to privacy” has, in the debate over the Supreme Court, become a code-word for a woman’s right to abortion (or more specifically, to a liberty to choose without government interference.) As someone who believes that privacy is broader than that, I was very pleased to see that Roberts said: “Senator, I do. […]


More on Preserving the Internet Channel Against Phishers

A new survey is reported in “Privacy and Security Concerns Flatten Interest in Online Banking” (Government Technology): After years of dramatic growth in online banking penetration, the percentage of Americans who conduct personal banking activities online remained unchanged during the 12-month period ending August 2005. According to results from a new survey of 1,000 American […]


Soldier Readiness Processing Center, "1000s" of SSNs, Thieves

COLORADO SPRINGS – Fort Carson has cautioned thousands of its soldiers to watch their credit records carefully following the theft of computerized personnel records from the post. Thieves broke into the Soldier Readiness Processing center over the weekend of Aug. 20-21 and stole four computer hard drives containing thousands of personnel records, Fort Carson spokeswoman […]


Skype, EBay, and Communications Privacy

EBay has bought Skype, for reasons that I don’t quite understand. Perhaps all that cash was burning holes in their pockets. The BBC reports: “Communications is at the heart of e-commerce and community,” said eBay chief executive Meg Whitman. “By combining the two leading e-commerce franchises, eBay and PayPal, with the leader in internet voice […]


"Protecting Society By Protecting Information"

Today, I’m at the National Institute of Justice’s National Conference on Science, Technology, and the Law, and am participating in a panel on “Balancing Information Sharing and Privacy.” I’ll present “Protecting Society By Protecting Information: Reducing Crime by Better Information Sharing” (Or get the powerpoint slides. I don’t know why Powerpoint makes all the speaker […]


Director, Malicious Code and Malware

My friend and former boss at Radialpoint is looking for a malicious code and malware expert: The Director of Malicious Code and Malware will be responsible for being the leading authority on the security and protection of more than 14 million broadband subscribers, the largest community of broadband subscribers in the world. This high profile, […]


On RSS Security

I’ve been mystified for a while by people talking about a need for RSS security products, as if those were somewhat different than other HTTP security products. Apparently, I wasn’t alone in this, Greg Reinacker, CTO of Feedburner Newsgator writes: I was on a call the other day with some folks in the industry, and […]


Some Good News From New Orleans

John Quarterman tells of airlines sending planes to New Orleans without contracts or guarantee of payment. And the New Orleans Times Picayune tells stories of those who stayed to man the pumps in “Pace of drainage is rare bright spot.” Incidentally, while I hate ads, the work done by the staff of the Times Picayune […]


"Taking Stock of the Forever War"

The New York Times Magazine has a long (14 screen) article, “Taking Stock of the Forever War,” reflecting on the four years since the attacks on New York and Washington. It seems fairly even-handed overall: any article that long will have points people contest. I’m in full agreement with the general thesis, that the United […]


Special Administrative Improvement District?

An article in the BBC, “Uniform row rocks HK Disneyland” has great quotes from Chinese officials: Financial Secretary Henry Tang said: “We welcome Disney to come to Hong Kong to invest in Disneyland, but in the process of building Disneyland, no-one has special rights. Everyone is equal before the law.” An editorial in the Ming […]


A Cry for Help

…I have determined that this incident is of such severity and magnitude that effective response is beyond the capabilities of [Louisiana] and affected local governments, and that supplementary Federal assistance is necessary to save lives, protect property, public health, and safety, or to lessen or avert the threat of a disaster. I am specifically requesting […]


Can You Hear Me Now?

Ed Felten reports on a new technique to go from a recording of typing to the sequence of keystrokes: Li Zhuang, Feng Zhou, and Doug Tygar have an interesting new paper showing that if you have an audio recording of somebody typing on an ordinary computer keyboard for fifteen minutes or so, you can […]


Small Bits: Clearance, Security Legislation, Schneier Pointers, Get Me An Operator

Richard Bejtlich comments on a Federal Computer Week article, “Security clearance delays still a problem” in “Feds Hurry, Slow Down.” “ITAA officials said 27 member companies that responded to a survey are coping with the backlog by hiring cleared employees from one another, sometimes paying premiums of up to 25 percent.” I’m glad to see […]


Tor GUI Contest Update

I’m very excited to say we’ve added two more outstanding judges to the Tor GUI contest: Edward Tufte and Bruce Schneier. I’m honored and excited to be working with both. As a reminder, you have at least until October 31 for submissions, and all qualifying entrants will receive a t-shirt.


More on Bureaucracy

This is a follow-on to “Who Will Rid Me of This Meddlesome Bureaucracy?” and the same disclaimers apply. I’ll note that Time Magazine has an article “How Reliable Is Brown’s Resume:” The White House press release from 2001 stated that Brown worked for the city of Edmond, Okla., from 1975 to 1978 “overseeing the emergency […]


Capture The Flag Too Boring?

Max Dornseif complains that “Capture the Flag is getting somewhat boring.” That’s too bad, so with all due haste, here are some suggestions: Capture the Business: …is a slight variation on the Ghetto Hackers game. The Ghetto hackers were all about simulating a real business, with its need for uptime. In capture the business, teams […]


More on Opera

It has a lot to recommend it, but there are a number of niggling annoyances: Saved pages are poorly named. (Safari gives the page a name based on its title; Opera uses the filename, often “index.html.”) Since I save a lot of web pages, this is an issue. Cookie management doesn’t seem as good as […]


What's Wrong With Fingerprints?

It’s not a question you’ll hear me ask often, but when PrestoVivace sends me a link to “DOD plans to recognize more than just fingerprints:” “We’re looking for new technologies, innovators and companies that recognize that the biometrics enterprise in the Defense Department and the U.S. government in five years is going to be very […]


Journalist Shi Tao Jailed For 10 Years, after Yahoo! Helped

Both T-Salon and RConversation are reporting a Reporters Without Borders story, “Information supplied by Yahoo ! helped journalist Shi Tao get 10 years in prison:” The text of the verdict in the case of journalist Shi Tao – sentenced in April to 10 years in prison for “divulging state secrets abroad” – shows that Yahoo […]


Who Will Rid Me of This Meddlesome Bureaucracy?

One of the facets of the response to and analysis of Katrina is that the disaster is large enough that everyone can choose an aspect of it to look at from the comfortable heights of their favorite hobby-horse. Be it the incompetence of (state, federal, or local) government, the evils of (small or big) government, […]


Bring Back The 9/11 Commission

As historians, they did a fantastic job of gathering information. They have credibility and stature. They have the perspective to tie the destruction of New Orleans to the destruction in New York, Washington, and Pennsylvania, and to consider the failures of leadership and the failures of response in the context of massive new spending to […]


New Orleans Roundup

Michael Froomkin points to a claim that “Long before FEMA dropped the ball, local authorities decided they didn’t need one: See LENIN’S TOMB: Everything has gone according to plan.” For more, the City of New Orleans web site is still operational, and has a section on Emergency Preparedness. Bruce Sterling, with only a small […]


Katrina Roundup

Suzette Haden Elgin has an interesting essay on the “biblical proportions” construct, and its meaning. Thomas Barnett has written “The art of the long view,” which is an interesting perspective to be able to maintain right now. Another useful perspective comes from Bill West at the Counterterrorism blog in “Katrina Response – Another Quick Observation,” […]


New Orleans Times-Picayune Open Letter To The President.

…Every official at the Federal Emergency Management Agency should be fired, Director Michael Brown especially. In a nationally televised interview Thursday night, he said his agency hadn’t known until that day that thousands of storm victims were stranded at the Ernest N. Morial Convention Center. He gave another nationally televised interview the next morning and […]


Bush Fires Cherntoff

(CNN reports:) President Bush told reporters on Friday that millions of tons of food and water are on the way to the people stranded in the wake of Hurricane Katrina — but he said the results of the relief effort “are not acceptable.” He then went on to fire DHS Secretary Cherntoff. I’m such a […]


Asif Siddiqui Update

In May, I blogged “Georgia DMV, employee Asif Siddiqui, “hundreds of thousands.”” An anonymous tipster sent me a link to “Unemployment Appeal Decision:” The following is the decision of Appeals Tribunal of Georgia Department of Labor ruling that Asif Siddiqui is entitled to unemployment benefits as employer Georgia Technology Authority failed to prove their allegations. […]


Some Good News from New Orleans

It seems that both the French Quarter may have survived, and Fats Domino definitely has, despite earlier reports he was missing. It also seems that the National Guard is finally getting food to some people, and evacuating others, although there’s a lot more to do. Oh, and just when I try to get in a […]


Katarina, Looking Longer Term

There’s a very long post on the public health implications of Katrina at Dave Farber’s IP list, “Hurricane Katrina Analysis – CFR Global Health Program.” I hope that we respond better to these threats than we have to the hurricane. Thomas Barnett takes a look at the long term effects of “Katrina’s System Perturbation.” (I […]


New Orleans Roundup

There’s a lot of amazing things being written out there. One of the more fascinating would be Interdictor’s LiveJournal. He’s keeping a New Orleans ISP running, and blogging as he and his co-workers do. He asks that we link with, but that’s been intermittent. Use Livejournal as a backup. Michael Froomkin has a roundup, […]


"This is Our Tsunami"

Before I get into this post, I’d like to say I have a great deal of sympathy for the individuals whose lives, but nothing else, have been saved. However, I find the comparisons to the Indian ocean tsunami to be irresponsible and wrong. Sample quote: Biloxi Mayor A.J. Holloway said the storm’s damage was overwhelming, […]


Four Alleged Terrorist Plotters Indicted in LA

The head of a radical Islamic prison gang and three others were “on the verge” of carrying out attacks against U.S. military sites, synagogues or other Los Angeles-area targets when police foiled the alleged plot, prosecutors said. From “Four indicted in alleged terrorist plot against LA-area targets.” The Counterterror blog has some analysis and links […]


Disaster Preparedness

Researchers from the non-profit Rand Corp. looked at the ability of local agencies to meet federal standards for responding to urgent-case reports of infectious diseases like bubonic plague, anthrax or botulism. Of 19 local public health agencies called in 18 states, only two met the U.S. Centers for Disease Control and Prevention’s standards, which include […]


New Orleans is Not a Morality Play

Enter narrator I pray you all give your audience, And hear this matter with reverence, By figure a moral play- The Flooding of New Orleans called it is, That of our lives and ending shows How transitory we be all day. Enter preacher, sturm and drang… It has nothing to do with Southern Decadence, despite […]


"The Offending Articles Will Be Disposed Of"

Our Saudi allies, displaying their tolerance: Paper cups with Hebrew writing disturbed both employees and medical staff at King Khaled National Guard Hospital on Saturday. The catering subcontractor for the hospital coffee shops began using them on Saturday after their usual supply ran out. “We were shocked and angry,” said an employee. “How can Israeli […]


The Gulf Coast

The scale of destruction from Katrina is simply staggering. The Red Cross, and other good organizations could use your help. I do wonder if Pompeii isn’t a better analogy than others being brought up, such as the Indian Ocean Tsunami or Hiroshima. As an aside, I expect there will be fake charity sites set up, […]


Impressions of Opera

Having taken advantage of Opera’s offer (still valid for a few hours!) I must say, I’m impressed. Opera is snappy in a way that Safari (with all the plugins I’ve added) is not. There’s some small bits of things not working as I expect, things that should be controlled differently*, as I move, but there […]


Happy Birthday Opera

The Opera browser, which some friends rave about, is now ten years old! To celebrate, they’re offering free full copies if you send a note to “ before midnight tonight. The registered copies do not have the ad bar. Woot!


Blackjack Cracked

An article in the summer 2005 issue of 2600 magazine (“The Hacker Quarterly”) discusses a timing attack on the Paradise Poker Blackjack game. In essence, the game reveals when the dealer’s hole card is a 10, because it takes longer to process that situation. (The article isn’t online, near as I can tell.) There’s more […]


Companies Helping Phishers

Daniel Solove has a good post on “How Companies Help Phishers and Fraudsters.” Companies have trouble being consistent in what they send, and that’s to the advantage of fraudsters. They also have a hard time taking security information from outsiders, however well meaning. I had an experience with Citi Mastercard. After some problems, I was […]


Colossus, Anon Blogging, and International Blogging

In PGP’s CTO Corner, Jon Callas draws attention to the second world war Colossus computer: The Colossus Rebuild Project took 10 years and 6,000 hours of effort. The resulting machine is not a replica of a Colossus, but an actual Colossus that uses some of the actual parts. The team finished a Mark II Colossus […]


Oxford No Longer Accepting "Child Prodigies"

Yinan Wang, the 14-year-old Chinese boy who clinched a place at Oxford University last week, will be the last child prodigy to study there under reforms being considered by admissions tutors. Despite an almost perennial flurry of headlines on children barely in their teens being offered places, the university is considering an unprecedented blanket rule […]


Cease and Desist, or I Shall Embarrass Myself Some More!

It used to be that to mock lawyers sending cease and desist letters, you had to be elite Swedish file traders. (Or Phrack. Phrack used to mock their correspondants, too, before they got all corporate.) But now, even gadget blogs can play, and play Gizmodo does, when some bunch of lawyers sends them a letter […]


Homeland Security Blanket

By Amy Franceschini. See the complete work at Future Farmers. It’s not new, but Gizmodo picked it up and reminded us.


ChartOne, 3,851 SSNs+Medical Records, System Administrator

On Aug. 1, UF was notified that a computer was stolen from ChartOne, a Boston-based firm that the Health Science Center contracts with to help manage medical records. In the laptop’s database were the names, Social Security numbers, dates of birth and medical record numbers for more than 3,000 patients spread over a wide area. […]


Enforcement and Incentives

In “Getting Serious about Smog,” Virginia Postrel writes: After many years of bureaucratic resistance, California is finally getting serious about air pollution from cars. These days, most cars don’t spew much pollution. But the few that do, account for a lot, and many of them still manage to pass state inspection. Now, the LAT reports, […]


WiKID Goes Open Source

WiKID is a two-factor authentication system. It consists of: a PIN, stored in the user’s head; a small, lightweight client that encapsulates the private/public keys; and a server that stores the public keys of the client’s and the user’s PIN. When the user wants to login to a service, they start the client and enter […]


"Preserving the Internet Channel Against Phishers"

I’ve updated the concepts first presented in “Don’t Use Email Like a Stupid Person” and “More on Using Email Like A Stupid Person,” to make them more palatable to readers. The new short essay is “Preserving the Internet Channel Against Phishers,” and is designed to be shared with marketing folks without insulting them. Alternate title: […]


Speaking of Hot Knives, Butter

It seems that Zylon “bulletproof” vests are not nearly as effective as Kevlar ones, and the Justice department may pull funding for purchasing them. (All the press releases and reports are at the DOJ site.) They are, however, more effective than not wearing a vest. I am routinely outraged here by poor technology decisions that […]


Robertson Lies In Apology

The dominant headline around Robertson’s attempt to retract his comments is that he “apologized.” That is false. He claimed to have not called for an assassination: “I said our special forces could take him out. Take him out could be a number of things including kidnapping.” Mark, at Cutting Edge of Ecstasy takes out goes […]


Small Bits: Alex Haislip, Chinese Censorship, TSA Xrays

Alex Haislip is blogging up a storm at VC Action. I love journalist bloggers; there’s so much interesting backstory that they talk about. And working at Red Herring, Alex has more dirt than he could dish and stay in business. 😉 Curt Hopkins points to a fascinating story about the folks who run the great […]


No Child Left Untagged

CSO’s Security Feed has a story “RFID Technology Prevents Infant Abduction.” The story reads like a press release: VeriChip Corporation, a subsidiary of Applied Digital (ADSX), a provider of security and identification technology, stated that its “Hugs” RFID infant protection system prevented the abduction of a baby at Presbyterian Hospital in Charlotte, North Carolina. A […]


From the "Who Will Rid Me Of This Meddlesome Priest" Department…

Television evangelist Pat Robertson told viewers the U.S. should kill Venezuelan President Hugo Chavez to prevent the Latin American country from becoming a “launching pad” for extremism, the Associated Press said. From Bloomberg. Ezra Klein has comments in It Was The Christian Thing To Do. Apparently, Venezuela is upset. Thanks to Nick for distracting me […]


Caption Contest

I took this picture of a sign, lying on its side, near gate A12 of the Atlanta airport on August 16th, 2005. The photo is what I saw; it has not been retouched. It needs a caption, and I am simply flabbergasted.



Captchas are those annoying, spamateur “type this so we can stop spam” things that you see on some blogs. PWNtcha stands for “Pretend We’re Not a Turing Computer but a Human Antagonist”, as well as PWN capTCHAs. This project’s goal is to demonstrate the inefficiency of many captcha implementations. For an overview on why visual […]


Blogroll Rolls On

I’ve deleted Geoff’s ScreenDiscussion for negligent posting, and added Mario’s blog, Ed and Diana at Security Curve and TQBF and his service-oriented chargen 19/udp.


"FBI: Businesses (Still) Reluctant To Report Cyber Attacks"

Volubis picks up stories in Information Week and Computer World: Roughly 20% of businesses report computer intrusions annually, a figure the agency believes is low. Director Robert Mueller urged businesses to step forward, promising greater sensitivity from the FBI in return. This reluctance has become especially important at a time when identity theft is growing […]


Demand Your Records

In her “On the Record” blog, Ann Harrison (Hi Ann!) covers how to use the Privacy Act to request the records TSA collected, illegally, on millions of innocent people. Incidentally, Arthur Andersen was shut down for destroying data like this.


US Air Force Hack and TSA

I just blogged about a breach of data which could be used for ID theft in “US Air Force, 33,000 SSNs, Hacker.” I’d like to tie that to a story I mentioned earlier this week, “TSA May Loosen Ban on Razorblades, Knives:” The Aug. 5 memo recommends reducing patdowns by giving screeners the discretion not […]


US Air Force, 33,000 SSNs, Hacker

In : Half of USAF’s officers’ PII stolen, Chris points to stories about “AFPC notifies Airmen of criminal activity exposing personal info,” and “Air Force investigates data breach.” AMS, an online program used for assignment preferences and career management, contains career information on officers and enlisted members as well as some personal information like birth […]


"Its Precious Patents Disclosed"

In Lee Kuan Yew is usually worth reading, Tyler Cowen discusses a Lee Kuan Yew interview, where Lee mentions ‘intellectual property’ law as a place Singapore can stay ahead of its competitors. Mr Lee says: Such as where the rule of law, intellectual property and security of production systems are required, because for them to […]


No Child Left Alone

The EFF is directing attention to the Leave My Child Alone! coalition. Did you know that President Bush’s No Child Left Behind Act mandates that public high schools turn over private student contact information to local military recruiters or risk losing federal education funding? Not only that, but the Pentagon has compiled a database of […]


TSA to Look Through Your Clothes

[Update: Welcome Buzzflash readers! If you enjoy this post, please have a look around, you might enjoy the air travel or privacy category archives.] USA Today reports “TSA hopes modifications make X-ray not so X-rated.” The TSA now hopes to test modified “backscatter” machines in a few airports this fall that will solve the privacy […]


I'm a Spamateur

In private email to Justin “SpamAssassin” Mason, I commented about blog spam and “how to fix it,” then realized that my comments were really dumb. In realizing my stupidity, I termed the word “spamateur,” which is henceforth defined as someone inexperienced enough to think that any simple solution has a hope of fixing the problem.


Tor GUI Contest

The announcement says: Tor is a decentralized network of computers on the Internet that increases privacy in Web browsing, instant messaging, and other applications. We estimate there are some 50,000 Tor users currently, routing their traffic through about 250 volunteer Tor servers on five continents. However, Tor’s current user interface approach — running as a […]


300,000 words and counting

It’s my one year blogiversary. In that time, about 300,000 words including comments and trackbacks have been posted in 957 articles. That’s a little over 2.6 articles a day, some of which some of you seem to have enjoyed reading. Movable Type added about 40,000 words of html tags, colon tagged junk etc. So, really, […]


Avoid Parkhill's Waterfront Grill in Allenhurst, NJ

Two diners on a date at a fancy Jersey Shore restaurant were furious when they saw the check — which listed their table as that of the “Jew Couple.” … Stein said he took the offensive bill and showed it to Jewish friends seated nearby who said they could not believe it. When the group […]


Your Questionable Content (redux)

Thanks for your patience, I think we’ve solved the problem. Some comments may be moderated, but the rejection should be done. Please email if there’s any more rejections.


TSA Sued by Real Americans

A group of Alaskans have gotten tired of being jerked around by TSA and filed suit in the US District Court in Anchorage. Read the story at TSA Secrecy Must Stop.


Where's the Evidence?

Tom Ptacek offers up unsubstantiated rumors, and Lindstrom caves? Shoot. I did my chrooting DNS work when a customer’s DNS servers came under attack. Can I get beer without naming the customer? I thought Pete was demanding full details. None of the attacks I saw used are less than five years old. More seriously, I […]


TSA Roundup

Allow me to begin by shocking my regular readers with a few words of praise for TSA: Ryan Singel reports that they found a bomb, in “Screeners ID IED.” Of course, that’s 1 bomb:1,000,000 nail clippers, but still. It’s good to see that they can find the bombs. When they’re not harassing babies […]


Your Questionable Content

A couple of people have mentioned that something in the comment posting code is rejecting their comments for “questionable content.” I’m very sorry, and am working with my fine technical support staff to try to solve it. If this happens to you, please email me: emergentchaos & gmail & com, and I’ll try to post […]


The Malaysia Option

Sunday’s Washington Post has a story, “U.S. Lowers Sights On What Can Be Achieved in Iraq:” The Bush administration is significantly lowering expectations of what can be achieved in Iraq, recognizing that the United States will have to settle for far less progress than originally envisioned during the transition due to end in four months, […]


The Death of Jean Charles de Menezes

Remember that bulky jacket-wearing, fare-skipping young foreigner who taught the world that it’s a bad idea to act suspiciously near public transportation after a terrorist attack? The UK’s Observer investigates, and among other things finds: Initial claims that de Menezes was targeted because he was wearing a bulky coat, refused to stop when challenged and […]


More on Using Email Like a Stupid Person

[Update: A less in-your-face version is Preserving the Internet Channel Against Phishers.] There have been lots of good comments, both here and over at Nielsen Hayden’s Making Light. There’s a few points left dangling that I wanted to respond to further. Those are the “ignore the marketing department” view and the “train the customer view.” […]


Don't Use Email Like a Stupid Person

[Update: A less in-your-face version is Preserving the Internet Channel Against Phishers.] In his talk at Defcon, David Cowan talked about how he doesn’t bank online anymore. Banks are now facing the imminent destruction of their highest bandwidth, lowest cost way to interact with customers. Actually, it’s worse than that. Bankers are killing online banking, […]


On Vacation

I’m on vacation through Sunday, and won’t be blogging until next week.


Lindstrom's Indemnification

Pete Lindstrom has very nicely offered to indemnify me, and pay my outrageous consulting fees when no one else will, if only I break NDAs and disclose which 0day exploits were used against which of my clients. Well, the city of Tokyo…No, I’ve never worked for the city of Tokyo. Now, as I’ve said repeatedly, […]


Sonoma State, 61,709 SSNs, Hacker

Hackers have broken into Sonoma State University’s computer system, where they had access to the names and Social Security numbers of 61,709 people who either attended, applied, graduated or worked at the school from 1995 to 2002, university officials disclosed Monday. So says SF Chronicle. Sonoma State has a page.


Costco Employees and "Market Analysts"

The job of a shareholder-owned company is to make money for shareholders, not to coddle its employees. But sometimes, being good to your employees can be good for the shareholders. In “Living the Dog’s Life at Costco,” Kevin Carson takes to task Wall St analysts who are trying to run Costco’s business for them: “He […]


New Blog Pointers

Frequent commenter Allan Friedman has started Geek/Wonk. In “Speaking of duct tape,” he links to an interesting essay Duct Tape Risk Communication. And Mario’s comments on tor vs the Freedom Network are interesting: Interestingly, the usability issues are _exactly_ the same as they were ~5 years ago! It’s sometimes s-l-o-w! While I agree with this, […]


University of North Texas, 34,000 SSNs, Bad Design + Google

The UNT server storing the electronic university housing records of about 34,000 current, former and prospective students was accessed by a computer hacker. In addition, an Internet-based form available to students to make inquiries to the UNT financial aid office mistakenly created a file containing personal information of the current and former students who used […]


Cal Poly, 31,077 SSNs, Hacker

Notices went out on Thursday to 31,077 people informing them that their records might have been stolen after Cal Poly Pomona discovered two computer servers were compromised in late June. “We got hit by a hacker,’ said Debra Brum, interim vice president of instructional and information technology. Personal data, including names and Social Security numbers […]


Microsoft's "monkeys" find first zero-day exploit

Microsoft’s experimental Honeymonkey project has found almost 750 Web pages that attempt to load malicious code onto visitors’ computers and detected an attack using a vulnerability that had not been publicly disclosed, the software giant said in a paper released this month. So reports Rob Lemos, in “Microsoft’s “monkeys” find first zero-day exploit.” We’ve […]


Balancing Information Sharing and Privacy Concerns

I’ll be at the National Conference on Science, Technology and the Law, A National Institute of Justice Conference sponsored by the National Clearinghouse for Science, Technology, and the Law, September 12-14, 2005, St. Petersburg, Florida. I’m on a panel with a great group of folks on “Balancing Information Sharing and Privacy Concerns.” We haven’t put […]


Life Imitates Art

America’s Finest News source reports that “Our Global Food-Service Enterprise Is Totally Down For Your Awesome Subculture” while the New York Times covers “Hip-Hop Argot Meets Corporate Cant, All to Sell Chryslers.” One story or the other contained the line: Sometimes it feels like nobody understands your rebellious, genre-defying crew of goth-rocker pals—am I right? […]


Two on Security Clearance

Richard Bejtlich talks about the backlog in security clearances in “Opportunity Costs of Security Clearances,” using an anecdote about an unnamed agency trying to hire someone “clearable” to train to do complex work that requires particular skills and orientation. Meanwhile, at Cutting Edge of Ecstasy, Mark writes about “A Mexican man who used a fake […]


Two On ID Theft

Newsfactor has a long story, “U.S. Passes the Buck on Identity Theft,” which discusses the Identity Theft Penalty Enhancement Act of 2004, some of a current crop of products designed to reduce ID theft risks at businesses, and the need to shift liability. Speaking of shifting liability, in “Despite Claims of “Exceptional” Security, Acxiom’s Defenses […]


Make Fire With Water, Electricity

This Aqueon Fireplace, from Heat and Glo separates water into hydrogen and oxygen, and then burns them. Because the hydrogen burns cleanly (unlike, say wood or gas), there’s no need to ventilate. As if you needed more proof that science trumps idiocy. I look forward to having six hydrogen burners in my stove. Because that […]


Passport Forgery Legal in UK?

The arrest of the Algerian-born Briton with 452 forged European passports at Bangkok’s Don Muang airport is only the latest in incidences of document forging in Thailand. … But here’s the rub: The suspect, 35 year old Mahieddine Daikh, may not be charged with any crime. To date none of the governments whose forged passports […]


The Control Impulse, The Security Canard, and The Boy Who Cried Wolf

Flyertalk brings us the story of Continental Airlines and Boston’s Logan Airport having a little spat. The core of the dispute is that Continental offers its customers Wifi access for free. But Boston wants to charge for it. Boston has always had a bit of a control thing. That’s not unique. There are lots of […]


Short Bits on Terrorism

Thurston points to “London blasts – expert comments” at the London School of Economics. I know you all come here for the bombast and snark, so be warned: These are trained professionals. Do not try this on your blog. Boyodite William Lind reports on the “Modern Warfare Symposium,” organized by (ret) Colonel Mike Wyly. The […]


Flag Desecrations?

Over at Sivacracy, Ann Bartow is running a series of pictures on flag desecration.


Real American Heroes

Marty Lederman has a long post, “The Heroes of the Pentagon’s Interrogation Scandal — Finally, the JAG Memos” about the Judge Advocate Generals of the Armed Forces, who took a stand against the President’s position that the United States could behave as it has at Guantanamo and elsewhere: The memos are extraordinary. They are written […]


Defcon Coverage?

Defcon is better experienced than read about. How could I argue with a slogan like “What happens in Vegas gets posted to thousands of blogs? stays in Vegas?” But when those involved blog about it, I’ll admit to a little involvement: I recruited Brian Krebs onto team Shmoo. Because everyone knows I’m a Shmoo wannabe. […]


The Fifth Workshop on the Economics of Information Security (WEIS 2006)

Ross Anderson has announced that the fifth WEIS will be held in Cambridge (England) 26-28 June 2006. Papers due March of next year. I’m sad that I’ve only made one of the WEIS workshops so far. (Life keeps interfering.) What’s there is amongst the most interesting bits being done in security. I hope they continue […]


CalTech, One Planet, Hacker

In the spirit of my personal information breach posts, I present to you the South African Sunday Independent’s story, “Hacker ‘outs’ news of the 10th planet of our solar system:” Brown has submitted a name for the new planet to the International Astronomical Union, which has yet to act on the proposal, but he did […]


Question Authority: The Life You Save May Be Your Own

Gary Wolf has an article in Wired this month: In fact, the people inside the towers were better informed and far more knowledgeable than emergency operators far from the scene. While walking down the stairs, they answered their cell phones and glanced at their BlackBerries, learning from friends that there had been a terrorist attack […]


The Alexis Park ATMS are Perfectly Safe

Hackaday posts pictures in “defcon day 2 – don’t use the atm.” I don’t trust the ATMs at any Defcon haunt anymore, and was surprised to see a fellow I respect stick his ATM card into the machine at Hamburger Mary’s. I do wonder if any of the well-dressed guys using the ATMs were adding […]


Long Bits of Stuck in McCarran International Airport

Kudos to McCarran International Airport (Las Vegas) for having free wifi. And congrats to my fellow Defcon attendees for stealing the cookie that authenticates me to this blog off that wireless net. Tech Policy points to Bill West at Counterterror blog, in “Liberty & Security vs. Terror – an American Perspective.” It’s worth reading in […]


At Black Hat

I’m at Black Hat and Defcon through Sunday, and blogging will be light, and slightly error-prone.


Why Not Accept Random Searches?

In comments, Izar asks why we feel that having policemen check up on us is an affront to our liberty. He also asks that we call him a “serf of the totalitarian state machine,” so I shall. I suppose I might feel differently if, regularly, people around me were being murdered by terrorists. But the […]


Job Openings

My friend and colleague Scott Blake is looking for smart people: I have openings for 5 information security analysts. Level of seniority is negotiable, but I prefer senior-level folks. I’m looking for the following specialties: security awareness training/communications, secure application development, risk assessment, network architecture, and security policy development. I also have an opening for […]


Are Police the Best Response?

A few weeks ago, it came out that the MTA wasn’t spending their security budget: In December 2002, the Metropolitan Transportation Authority announced it had completed a lengthy assessment of potential threats to the city’s transportation infrastructure, from subway lines to major bridges. The authority, which had begun the study in the weeks after the […]


Canadian Telco Telus Blocks access to Union Website, How to Access

Michael Geist has the scoop at “Telus Blocks Subscriber Access to Union Website.” Short version: Telus and their union are fighting. Telus has chosen to prevent their customers from reaching “Voices for Change,” the union website. I urge Telus customers to call customer support and ask what’s up. Repeatedly. Voices for Change also suggests […]


Risks of Data Collection and Use

David Cowan tells a sad story about his experience with unauthorized data collection and use in “Freshman Week.” Speaking of unauthorized data collection and use, Jonathan Krim reports that “License-Screening Measure Could Benefit Data Brokers:” Jason King, spokesman for the American Association of Motor Vehicle Administrators, said commercial data brokers are notorious for refusing to […]


If You Have Nothing to Hide…

In “Behind-the-Scenes Battle on Tracking Data Mining,” the New York Times reports that the Department of Justice really does care about privacy, and really doesn’t want those nosy Congressional committees poking about how the government operates. So, why should they care? Are they hiding something? Of course, this being a New York Times article, there’s […]


105°. But It's a Dry Heat

It’s going to be 105 (or so) in Las Vegas for Blackhat, and, as always, a little hotter for Defcon. Tickets for the DC702 Summit/EFF Benefit are for sale online through Monday. As a smaller, private event, I expect the AC will work. So you should be there, instead of say, lolling about by the […]


Officer, Arrest that Man! He's Blogging Subversive Thoughts!

Carl Ellison has a blog. There are other bloggers listed, but no recent posts by them. The title, of course, is a reference to Carl’s long-used signature file, “Officer, arrest that man, he’s whistling a dirty tune!”


What Do You Have to Do To Get Fired Here?

Ryan Singel has the scoop. The GAO report to Congress is also covered in the New York Times, “Flight Database Found to Violate Privacy Law:” “Careless missteps such as this jeopardize the public trust and D.H.S.’ ability to deploy a much-needed, new system,” Senator Susan Collins, Republican of Maine, wrote on Friday to Secretary Michael […]


Consent, Submit, Forest, Trees

Kip Esquire has a good post, “On ‘Consenting’ versus ‘Submitting’ to a Search.” The upshot is: If you happen to be stopped for a search such as this, you should not say “Yes I consent” or “Sure, go ahead.” Rather try saying something like “I consent to nothing, but if you are requiring me to […]


Iowa State, 2037 SSNs and 2,379 CC, "Hacker"

The Iowa State University is sending out a warning to alumni Wednesday after a hacker had access to the alumnae association Web site. A computer at Iowa State University’s Alumni Association was hacked into, allowing outside access to thousands of Social Security numbers and pages of credit card information. … By tapping into the computer, […]


New York to Randomly Beat People In Hopes of Beating Terrorists

Police will begin randomly beating people entering city subways, officials announced Thursday after a new series of bomb attacks in London. “We just live in a world where, sadly, these kinds of security measures are necessary,” Mayor Michael Bloomberg said. “Are they intrusive? Yes, a little bit. But we are trying to find that right […]


"Not the Blitz"

So says SteveC, and he’s right: It’s a relatively small group of criminals. At the same time, I can’t agree with his feeling that “These bombings occurred in all probability because of our unprovoked invasion.” The United States was attacked before we invaded Iraq or Afghanistan. People who will kill civilians on the tube are […]


Small Bits: Privacy for Infringers, IEEE Cipher, Oracle, Footnotes, and a Mug

Michael Geist continues to take the Privacy Commissioner’s office to task for protecting the privacy of infringers: Moreover, the Commissioner canvassed other banks and found that at least two others did allow their customers to opt-out of such marketing. Now if only the Commissioner would reveal which banks respected their customers’ privacy and which decided […]


These cruel, wanton, indiscriminate bombings

With London being attacked again, I am heartened to see that the attacks were (apparently) less effective, and otherwise defer to the wisdom of Sir Winston Churchill: These cruel, wanton, indiscriminate bombings of London are, of course, a part of Hitler’s invasion plans. He hopes by killing a large number of civilians, women and children, […]


Happy Moon Day!

36 years ago today, two Americans landed on the moon before returning safely to Earth. It’s a feat worth celebrating.


Elizabeth Blodgett Hall, 1909-2005

Elizabeth Blodgett Hall, 95, founder of Simon’s Rock College, died July 18 at Geer Nursing and Rehabilitation Center in Canaan, Conn. In 1964, with 200 acres of her family’s land and a grant of $3 million from the Margaret Kendrick Blodgett Foundation — a charitable educational trust established by her mother — she founded America’s […]


Who Has Time For This, Indeed?

David Cowan has a nice post on technologies he won’t fund, and why. It’s a great post. More investors should be up front about what they’re not interested in. Bessemer has funded 16 security startups–more than any other traditional VC firm–but there are some areas of security that even we have never funded, despite the […]


Cardsystems Death Penalty?

“CardSystems has not corrected, and cannot at this point correct, the failure to provide proper data security for those accounts,” said Tim Murphy, Visa’s senior vice president for operations in a memorandum sent to several banks. “Visa USA has decided that CardSystems should not continue to participate as an agent in the Visa system.” So […]


More on the FBI and ACLU

Over at Volokh, Orin Kerr writes “The New York Times ACLU Story Begins to Look A Bit Fishy.” The essence of Kerr’s argument is that with the ACLU’s request for any document mentioning the ACLU, of course they’re going to get a lot of documents: I should point out that it is at least theoretically […]


Oh, That's Why

Last week, I asked, Now, if Evan Kohlmann can get to this gathering, and if John Walker-Lindh can meet bin Ladin, why haven’t we penetrated and shut down more groups which are openly calling for murder? Today’s New York Times has the answer in “Large Volume of F.B.I. Files Alarms U.S. Activist Groups:” WASHINGTON, July […]


Acxiom, 8.2 gb of love, Bad Password

In “Acxiom’s High Tech Hacker,” Ryan Singel describes how Scott Levine downloaded 8.2 gb of data that customers had uploaded to an Acxiom FTP server. The server was misconfigured, and anyone could login and see other people’s data. “According to law enforcement, the individual arrested was a known sophisticated hacker. He evidentially gained access through […]


Fingerprints at Disney: The Desensitization Imperative

The Walt Disney Corporation has started fingerprinting all visitors to their parks. They claim, incorrectly, that the fingerprint scans can’t be turned into pictures of fingerprints. True Americans understand that fingerprinting is for criminals. A presumption of guilt — of criminality — underlies a company taking your fingerprints. In “Welcome to Disney World, please let […]


Dear Adium People…

You make a very nice client. But the “Remove Contact” menu item in the Contact menu is fucking broken. It is not clear that “Remove Contact” means “Blow away this entire group of contacts.” How about (1) making the item name plural, and (2) adding the list of contacts to be deleted to the warning […]


David Cowan Blogging

David Cowan (Hi David!) is the partner at Bessemer Ventures who is responsible for their security portfolio. So I’m hoping that he sticks with his new blog, “Who has time for this.” His post about Too Many Security Startups? is fascinating: The night I closed our investment in my 12th data security deal, Cyota, my […]


A New Birth of Freedom in Iraq?

The Committee to Protect Bloggers reports that prominent Iraqi blogger Khalid Jarrar has been taken into custody by the Iraqi mokhabarat, or secret service. Jarrar is author of Secrets in Baghdad and is the brother of Raed from Raed in the Middle. B.L. Ochman has the scoop. Raed has more. If the United States is […]


Small Bits of Irony

CSO Magazine’s Security Feed juxtaposes two stories, “Stolen Data Worries Financial Institutions” and “EU Ministers Promise Data Retention Agreement.” The Privacy Law has an article on fingerprinting at Disney. His blog won’t allow anonymous comments, so I’ll say read “Fingerprint Privacy.” (I’m with Nancy Kerrigan, anyway.) Chris Hoofnagle has a story about a new database […]


Small Bits: Silver Linings, Presidential Game Theory, Disclosure, War

Privacy Law lists the 16 states that now have notification laws. Thanks, Choicepoint! At Balkin, ‘JB’ has a long discussion of why 2nd term Presidents all seem to be scandal ridden…since the 22nd Amendment took away what game theorists call ‘the long uncertain shadow of the future.’ I nearly said something about ‘experimental confirmation’ here, […]


Nothing to Hide, but "Nothing to Hide"

You’ve heard of the tube, of lorries and bobbies, but “cleanskins?” It’s a word that has emerged from London after last week’s bombings. The English police believe the suspects in the case are “cleanskins” – young operatives with no background of terrorism or crime. It’s more difficult to investigate cleanskins because they have no criminal […]


Pre-Defcon Summit, Get Your Tickets Now

The fine folks at DC702 are going to be hosting a “pre-Defcon Summit” and fundraiser for the EFF. I’m pleased to be a featured guest, and urge you to show up, contribute to the EFF, and hang out. According to email organizers sent, they’re fast running out of tickets, so get your tickets now, and […]


Blue Cross of Arizona, 57,000 SSNs + Medical Data, Arizona Biodyne

The Arizona Republic brings us the news that “Medical firm’s files with personal data stolen:” The personal information of 57,000 Blue Cross Blue Shield of Arizona customers was stolen from a Phoenix-based managed care company. Arizona Biodyne, an affiliate of Magellan Health Services that manages behavioral health for Blue Cross of Arizona, began last Friday […]


Nelson-Smith Data Protection Bill

Kim Zetter reports in Wired, “Bill Strives to Protect Privacy”: Another bill introduced in the Senate judiciary committee about two weeks ago addresses some of the same issues in a comprehensive way, and several other bills address individual issues, such as notification to consumers. The commerce bill, however, is likely to go the distance […]


Blind Signature Patent Expiration Party

Friends, colleagues, and co-conspirators, It has been 17 long years and now the time is finally here to celebrate at the: BLIND SIGNATURE PATENT EXPIRATION PARTY WHAT: A party to celebrate the expiration of the Blind Signature patent. WHY: U.S. Patent 4,759,063 (“Blind Signature Systems“) to David Chaum is the core invention enabling privacy-protecting electronic […]
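For readers who want to see what the expiring patent actually covers, here is a worked RSA blind signature in the style of Chaum’s scheme. This is an added example, not code from the original post or from the party announcement: the user blinds a message with a random factor r, the signer signs the blinded value without learning the message, and the user strips r off to obtain an ordinary RSA signature. The primes, the ballot text and the function names are constructed for illustration; the key is far too small for real use.

```python
import hashlib
import math
import secrets

# Constructed toy RSA key: two fixed primes so the example is deterministic
# and runs offline. A real deployment would use a 2048-bit or larger modulus.
P = 1000000007
Q = 998244353
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)


def modinv(a, m):
    """Modular inverse of a mod m via the extended Euclidean algorithm."""
    g, x, y = m, 0, 1          # invariants: g = m*? + a*?, tracked in (x, y)
    old_g, old_x = a, 1
    while g != 0:
        q = old_g // g
        old_g, g = g, old_g - q * g
        old_x, x = x, old_x - q * x
    if old_g != 1:
        raise ValueError("no inverse")
    return old_x % m


D = modinv(E, PHI)   # private exponent, held only by the signer


def msg_to_int(msg: bytes) -> int:
    """Hash the message to an integer below N (hash-then-sign)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def blind(m: int):
    """User side: choose r coprime to N and compute m' = m * r^e mod N.

    Returns (m', r); r must be kept secret until unblinding."""
    r = 0
    while math.gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    return (m * pow(r, E, N)) % N, r


def sign_blinded(m_blind: int) -> int:
    """Signer side: s' = m'^d mod N. The signer never sees m itself."""
    return pow(m_blind, D, N)


def unblind(s_blind: int, r: int) -> int:
    """User side: s = s' * r^-1 mod N, which equals m^d mod N."""
    return (s_blind * modinv(r, N)) % N


def verify(m: int, s: int) -> bool:
    """Anyone with the public key checks s^e == m mod N."""
    return pow(s, E, N) == m


def issue_blind_signature(msg: bytes):
    """Run the full exchange and return (m, blinded value seen by signer, s)."""
    m = msg_to_int(msg)
    m_blind, r = blind(m)
    s = unblind(sign_blinded(m_blind), r)
    return m, m_blind, s


if __name__ == "__main__":
    m, seen_by_signer, s = issue_blind_signature(b"ballot: candidate 7")
    print("signer saw message:", seen_by_signer == m)   # False
    print("signature verifies:", verify(m, s))          # True
```

The point of the construction is the last two lines: the value the signer processed is unrelated to m, yet the unblinded s is exactly the signature the signer would have produced on m directly, so the signer cannot later link the signature to the signing session.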


Alberta Health and Wellness, 670,000 Health Care Numbers, Tape

Frank Work, Alberta’s Information and Privacy Commissioner, released a report on his investigation into missing Health and Wellness computer data storage tape. Work stated the incident is a low risk for potential fraud. As soon as the incident was reported, Alberta Health and Wellness changed practices and eliminated the related tape transfer business process. … […]


Homegrown Bombers, ID Cards, Intelligence Activity, and Profiling

The folks over at The Counterterrorism Blog have been doing a great job the last week or so. Lots of very high quality posts, good roundups around the London attacks. I wanted to point and comment on several of their recent posts. First is Where do Homegrown British Suicide Bombers Come From?, a first person […]


"Israeli Style Profiling"

Less useful is another call for “Israeli style profiling,” in Bill West’s Bolstering Transit Security the Old Fashioned Way: The more such officers there are, and the better trained they are, especially if they are trained in behavioral profiling techniques like the Israeli security services have used for decades, the better protected these transportation systems […]


On Phishing

Item: OCC Guidance on Phishing Websites, Ethan Preston writes about The Office of the Comptroller of the Currency provided guidance for banks on appropriate countermeasures against phishing websites. The guidance provides fairly common sense advice: designate employees to respond to phishing threats, cultivate contacts with the FBI to expedite law enforcement’s response, prepare to identify […]


My Bleeding Snort Rules Just Alerted Me to TERRORISM!

Err, no. But I was reading a post at TaoSecurity, “How to Misuse an Intrusion Detection System:” I was dismayed to see the following thread in the bleeding-sigs mailing list recently. Essentially someone suggested using PCRE to look for this content on Web pages and email: (jihad |al Qaida|allah|destroy|kill americans|death|attack|infidels) (washington|london|new york) But such rules […]
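To make the TaoSecurity point concrete, here is the proposed PCRE run over a handful of constructed lines. This is an added example, not part of the original post or of the bleeding-sigs thread: the lines are invented headlines and mail subjects, the rule is compiled case-insensitively (an assumption; Snort PCRE rules usually carry the `i` modifier, but the thread’s rule as quoted does not show its flags), and the function names are mine.

```python
import re

# The rule exactly as quoted in the thread. Note that "jihad " carries a
# trailing space inside the group, so it needs two spaces before the city.
KEYWORD_RULE = re.compile(
    r"(jihad |al Qaida|allah|destroy|kill americans|death|attack|infidels)"
    r" (washington|london|new york)",
    re.IGNORECASE,
)

# Constructed sample traffic: ordinary news and mail, plus one line that is
# the kind of thing the rule author presumably hoped to catch.
SAMPLE_LINES = [
    "Sports: Spurs destroy London rivals 4-0 in derby",
    "Weather: another heat wave will attack Washington this weekend",
    "Review: 'Death New York' is a gritty new crime thriller",
    "Quarterly sales report attached; see you in New York next week",
    "Flight BA117 delayed; rebooking passengers via London Heathrow",
    "We will attack the London Underground tomorrow",
]


def scan(lines):
    """Return the lines the keyword rule would alert on."""
    return [line for line in lines if KEYWORD_RULE.search(line)]


def summarize(lines):
    """Alert count, and how many of those are the benign first five lines."""
    hits = scan(lines)
    benign_hits = [h for h in hits if h in lines[:5]]
    return {"alerts": len(hits), "benign_alerts": len(benign_hits)}


if __name__ == "__main__":
    for line in scan(SAMPLE_LINES):
        print("ALERT:", line)
    print(summarize(SAMPLE_LINES))   # 3 alerts, all 3 benign
```

Every alert fires on sports, weather and film copy, while the one line with hostile intent slips through because the word “the” sits between the keyword and the city. That is the failure mode in both directions: a keyword list is neither a model of the threat nor a model of the protocol, so it produces noise and misses at the same time.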


Comrade Sarbanes Remains Uncorrupted

The latest critic of Sarbanes-Oxley? Michael Oxley told the International Corporate Governance Network (ICGN) annual conference yesterday that, ‘if I had another crack at it, I would have provided a bit more flexibility for small- and medium-sized companies.’ Always nice to see a fellow own up to his mistakes. From Accountancy Age, via Volubis Infosec […]


New Security Blogs

Jeff Moss takes blogging into thematically and visually new territory with The Black Pages, with Jeff posting on a theme, and then his speakers adding details. Now if only they had an RSS feed. Or my post. I wonder which they’ll get first? I have a soft spot for the word “chaos.” I like the […]


Small Bits of Liberty

Rebecca MacKinnon’s “Response to Scoble” is worth reading in its entirety. I have just one small comment: In justifying Microsoft’s filtering of politically sensitive Chinese words on MSN spaces, Microsoft’s uber-blogger Robert Scoble writes: “I have ABSOLUTELY NO BUSINESS forcing the Chinese into a position they don’t believe in.” He continues… Except Scoble Microsoft is […]


Pre-Defcon Summit, and some small bits

The fine folks at DC702 are going to be hosting a “pre-Defcon Summit” and fundraiser for the EFF. I’m pleased to be a featured guest, and urge you to show up, contribute to the EFF, and hang out. Hmmm, this needs some extra text to balance the icon. Dumb stylesheet. Who the heck wrote that […]


Random Thoughts on Specter-Leahy

Senators Specter and Leahy have proposed a new law on identity theft and privacy. Some thoughts as I read it. But first, what the hell are they doing preventing me from copying sections? Frigging DRM. Quotes shall be shorter than they otherwise would. Title III, 301.b.1 (pg21): “A data broker shall, upon the request of […]


Gaze Into Navels!

There’s a new feed, of posts + comments, available here: RSS. (It’s also on in the little “blog tech stuff” list, if you want to come back to see it later.) Thanks to Lisa for setting this up!


MSU, 27,000 SSNs, "intrusion"

More than 27,000 students were informed by e-mail on Tuesday that their Social Security numbers could have been compromised by an attack on the College of Education’s server. The server housed information that included student names, addresses, student courses and personal identification numbers. After the intrusion was discovered at the beginning of April, the server […]


Small Bits on Privacy

Larry Ponemon has a good article in Computerworld, “After a privacy breach, how should you break the news?:” We learned that about one-third of subjects believed that the notification was truthful. Another 41% believed that the notice they received failed to communicate all the facts. The remaining 26% were unsure about the integrity or honesty […]


ID Card Program Stopped Over Security Concerns

So reports the LA Times (Bugmenot) in “Pot ID Card Program Shelved:” California health officials Friday suspended a pilot program that issues photo identification to medical marijuana users out of concern that a recent U.S. Supreme Court ruling could make the state and ID holders targets for federal prosecution.


Small Bits: Government, Government, Government, Bill Scannell and Christopher Hitchens

Kip Esquire has a great roundup in “Linkfest — Special “Hear/See/Speak No Evil” Edition,” guaranteed to boil the blood of anyone who thinks that sometimes government goes too far. Then again, sometimes government doesn’t go far enough. In the case of New York’s MTA, they’ve spent $30m of the $600m they have available for security, […]


"Declaration of Repudiation?"

Dave Belfer-Shevett points to a Declaration Of Repudiation by Will Frank. It starts out pretty well, but then degenerates into complaining about gay rights, abortion, sex ed and Kyoto. Yes, I say degenerates, even if I might agree with some of these, because they’re a distraction. Reagan and Bush Sr. were opposed to abortion rights […]


London, Perspective

At the end of a long, thoughtful post, Thurston writes: One final thought. Four bombings in London are front-page, stop-the-presses news for two days straight. If that was Baghdad, only four bombings would have been a slow day. What message does that send the Third World?


Backup Tapes?

Allan Friedman asks for comments on Lauren Weinstein’s post to Interesting People: (Lauren W) Ironically, it’s true that the probability of lost backup tapes being used opportunistically for ID theft is probably fairly low, at least in comparison to all the “ID theft supermarkets” that are out there — crooked commercial and government employees willing […]


An Israeli Friend in London Writes…

(This entire post is by my friend Shimrit, an Israeli living in London, and is posted with permission.) I felt the need to write down my thoughts about today so I did. Seeing as I have nowhere to publish them, I am sending them round instead. Once again, it seems my terrorist attack luck has […]


On "Bringing To Justice"

First, let me say that the response from not only Blair, but all of London is inspiring. They are refusing to panic after these attacks. The underground is open and running this morning (with some nervousness). At Balkanization, Kim Lane Scheppele makes an interesting point about “Britain’s State of Emergency, and the anti-terror laws in […]


Ping Flood

Over at Usable Security, Ping is blogging about the SOUPS conference, which I’m unfortunately missing. Alan Schiffman is also blogging a little. However, Ping is posting so much that his first posts today have already scrolled off the top of his blog. Who knew he’d invent a new denial of service attack?


"These cruel, wanton, indiscriminate bombings of London…"

My sympathies to the people of London, and all those around the world who are worried about their loved ones in London. Wikipedia has a clear summary of what’s happened, along with this translation from the pigs responsible: We continue to warn the governments of Denmark and Italy and all the crusader governments that they […]


Citi National Bank, Thousands of Millionaires, Iron Mountain

In the San Francisco Chronicle, David Lazarus reports “Personal data lost — again:” Today I bring news of yet another security breach involving potentially thousands of people’s personal info, and this is the first anyone’s hearing of it. The latest company to drop the data ball is City National Bank, based in Los Angeles and […]


USC Admissions, 320,000 SSNs, SQL Injection

A programming error in the University of Southern California’s online system for accepting applications from prospective students left the personal information of as many as 320,000 users publicly accessible, school officials confirmed on Tuesday. (The vulnerability in USC’s Web application was discovered by “Sap.”) The flaw could have allowed an attacker to send commands to the […]
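The article is cut off before it says what kind of commands, and the post does not describe USC’s code, so the following is an added, generic illustration of the class of bug named in the title rather than a reconstruction of the USC flaw. It builds an in-memory SQLite table of constructed applicant records, shows a lookup that splices user input into the query text, and places the parameterised version beside it; table names, columns and payloads are all assumptions for the example.

```python
import sqlite3

# Constructed sample data standing in for an admissions database.
APPLICANTS = [
    ("alice@example.edu", "123-45-6789", "correct horse"),
    ("bob@example.edu", "987-65-4321", "hunter2"),
    ("carol@example.edu", "555-12-3456", "letmein"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE applicants (email TEXT, ssn TEXT, password TEXT)")
    conn.executemany("INSERT INTO applicants VALUES (?, ?, ?)", APPLICANTS)
    return conn


def lookup_vulnerable(conn, email, password):
    """Builds the query by string formatting, so input becomes SQL syntax."""
    sql = (
        "SELECT email, ssn FROM applicants "
        f"WHERE email = '{email}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email, password):
    """Parameterised query: the driver passes input as data, never as SQL."""
    sql = "SELECT email, ssn FROM applicants WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, password)).fetchall()


# Two classic payloads. The first turns the WHERE clause into
#   email = '...' AND password = 'x' OR '1'='1'
# which, because AND binds tighter than OR, is true for every row.
# The second closes the string and comments out the password check.
PAYLOAD_TAUTOLOGY = "x' OR '1'='1"
PAYLOAD_COMMENT = "alice@example.edu' --"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, all rows:", lookup_vulnerable(conn, "alice@example.edu", PAYLOAD_TAUTOLOGY))
    print("vulnerable, no password:", lookup_vulnerable(conn, PAYLOAD_COMMENT, "whatever"))
    print("safe, same payload:", lookup_safe(conn, "alice@example.edu", PAYLOAD_TAUTOLOGY))
    print("safe, real credentials:", lookup_safe(conn, "alice@example.edu", "correct horse"))
```

The parameterised version is not doing input validation; it is simply never letting the database parser see the input as part of the statement, which is why the same payloads return nothing.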


Russia's Information Market

Bruce Schneier mysteriously titles a post “Russia’s Black-Market Data Trade.” But it’s not clear to me that this is black-market at all. Does Russia have a data protection law? Quoting from The Globe and Mail: At the Gorbushka kiosk, sales are so brisk that the vendor excuses himself to help other customers while the foreigner […]


What Is Terrorism?

A quirk in how the U.S. government defined terrorism meant that when Chechen rebels blew up two airliners almost simultaneously over Russia last year, only one was counted in an annual tally of terrorist attacks. On board one plane were 46 Russians. But the other had 43 Russians and an Israeli citizen — a foreign […]


Hoder, US: Ahmadinejad not Hostage Taker

On June 30th, Hoder says: “As much as I dislike Ahmadinejad, I don’t think the guy in this picture is him. They look similar, but have different eyes and eyebrows.” The LA Times. I reported on the story in “Iran’s New President a “Moderate”.”


Choicepoint Roundup

At MSNBC, Bob Sullivan covers the loss of confidence in ecommerce that leaks are causing: The survey also found nearly all Americans think identity theft and spyware are serious problems, but only 28 percent think the government is doing enough to address the issues. About 70 percent said new laws are necessary to protect consumer […]


"The Great Equalizer"

Pittsburgh Mayor Tom Murphy tells the Post Gazette that “Eminent domain ‘is a great equalizer when you’re having a conversation with people…’” Indeed it is. Pictured is another “great equalizer.” (Quote via John Tierney in “Your Land Is My Land,” in the New York Times.)


Two Minutes Hate in the Blogosphere

Fred, who did graphic design for RECon, is doing a comic book of 1984. (The copyright on 1984 has expired in Canada.) He also had great “Big Brother is Watching You” posters, one of which I bought. Fred (pictured, left) was also good enough to introduce my talk, and provide a hanging banner. You can […]


Small Segments Stolen From Some People Surnamed "S"

The first two are from Scrivener, because he’s going on vacation, they’re good, and I’m shameless. “Iraq Swede vows to catch kidnappers, reports “The Local:” A Swede held hostage in Iraq for 67 days and released a month ago has vowed to take revenge on his captors and has hired bounty hunters to capture them, […]


The unanimous Declaration of the thirteen united States of America

The Declaration of Independence of the Thirteen Colonies In CONGRESS, July 4, 1776 The unanimous Declaration of the thirteen united States of America, When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the […]


Deep Impact

We’re about 4 hours from Deep Impact making a large hole in Comet Tempel 1. The National Business Review in New Zealand has an excellent links roundup in “Comet impact: See it online.”


Why I Read Blogs

In a post titled “Why Blog, Anyway,” Mark makes a really good point: And what about the audience? Readers who don’t blog may not be aware of how much bloggers want readers. Part (I suspect a very big part for most) of it’s an ego thing, like people on soapboxes at the town square with […]


Small Bits: Adam Sah on Startups, RECon, Irony and Biometrics

Adam Sah (hi Adam!) has a great page of startup advice I hadn’t seen before. Presentations from RECon are now online. The University of Connecticut will be offering a Masters in Homeland Security. That’s a database I’d like to steal. Thanks to Chris Walsh for pointing it out. I’ve been meaning to followup on Juxtaposition’s […]


The Next PR Speciality?

Over at Presto Vivace, Alice suggests that “Security breaches and violations of privacy are going to be the next speciality in crisis communications.” I suspect that she’s right, and hope she’s wrong. In cases like Cardsystems or Choicepoint, where the organization is violating policy, contract, or law with its data, the impact on the company […]


Well Said!

“IRS announces plans to be the butt of three consecutive days of “Daily Show” jokes.” So headlines John Paczkowski’s post at Good Morning Silicon Valley.


Doing the Devil's Work

The Internet, with its freedom of communication, scares a lot of people. Some people argue that this is “just political,” but it’s not. Chinese repression includes information about health issues, such as the abuse of antibiotics to control avian flu. (See, for example, “Bird Flu Drug Rendered Useless” in the Washington Post.) The companies that […]


Inviting Cockroaches to the Feast?

Over at “The Security Samurai,” Eric Marvets posts on “How Do I Get My Company To Take Security Seriously? Will Liability Work?” I’ve posted my thoughts on liability (“Avoiding Liability: An Alternative Route to More Secure Product”) and hope to develop those further sometime. One thing Eric says jumped out at me: Today I […]


Choicepoint Roundup, June 30

We open with two articles from “ChoicePoint overhaul falls behind,” (June 24) and “ChoicePoint overhaul completed, company says” (June 30). From the latter: “In fact, we’ve gone beyond our announced commitments to make substantial changes in the past 90 days,” ChoicePoint spokesman Dan McGinn said in an e-mail late Tuesday. The Alpharetta, Ga.-based data […]


Chase Manhattan and Textual Interpretation

Ray Everett Church picks up on a story, “Shouldn’t The CardSystems Victims Be Notified?” from Ed Foster, showing that Chase Manhattan bank has failed to read the text of California’s SB 1386. Ed writes: “Even the strictest of laws, like the one in California, require more identifying information like the individual’s social security number or […]


Cardsystems Auditor

I can’t find the blog that discussed the irony of a Visa spokesperson claiming that PCI worked because of the auditor’s need to put their reputation on the line, but then refused to name the auditor. According to the New York Times, in “Weakness in the Data Chain,” it was Cable and Wireless: In December […]


The Funeral of an American Soldier

I don’t care what you think of the conduct of a war. What you think of the reasons we’re involved in that war. The funeral of a soldier is no place for political protest, except, perhaps, maybe, if that soldier is a direct family member. The behavior of a dozen assholes from Kansas at the […]


Iran's New President a "Moderate"

“After all, he didn’t kill his hostages…” London, Jun. 29 – Iran Focus has learnt that the photograph of Iran’s newly-elected president, Mahmoud Ahmadinejad, holding the arm of a blindfolded American hostage on the premises of the United States embassy in Tehran was taken by an Associated Press photographer in November 1979. Prior to the […]


The FTC and BJs Wholesale

The FTC has recently issued a consent order to BJ’s Wholesale club in response to this complaint. The FTC, unfortunately, is the body charged with protecting consumers from ID theft. They are failing to rise to the challenge. This is obvious from the continued growth of ID theft. It is obvious from FTC Chair Deborah […]


Equifax CEO: ID Theft is an epidemic

But [Equifax CEO] Chapman acknowledges Equifax has “no silver bullet” when it comes to thwarting fraud. One popular belief is that checking a credit report once a year is a defense. That doesn’t protect consumers, Chapman said. “It’s not going to help and the public is starting to learn that,” Chapman said. He decried the […]


Fingerprint Privacy

There have been a slew of stories lately about fingerprint readers being tied into payment mechanisms. I don’t particularly like the idea, but if you do, feel free. At least until your lack of care about privacy starts displaying externalities. Many of these vendors are making claims like it is not possible to recreate the […]


UK ID Cards, Choicepoint, and Privacy

Usually, government ministers wait until a new program has been rolled out before they start reneging on their promises of how it will work. But in the brave new world of UK ID cards, they’re being honest. As the Independent reports in “Ministers plan to sell your ID card details to raise cash“: Personal details […]


A Privacy-Openness Tradeoff

In “Adoptees File Human Rights Complaint Against Canadian Privacy Commissioner,” reports on a dispute between the parents and children, mediated by the state: A group of Ontario adoptees has filed a human rights complaint against Privacy Commissioner Ann Cavoukian after she lobbied the province to amend its proposed adoption disclosure law with a clause […]


Choicepoint, Two Minutes Hate

This was going to be a roundup, but heck, There’s a backlog of hate, and I must post. Under the headline, “Who let Jeb Bush and ChoicePoint into the UK?” ‘Brother Rail Gun of Desirable Mindfulness’ points to a BBC story, “Hundreds wiped off vote register.” An oldy-but-I-Hadn’t-linked, Adrift at Sea comments in “Bleeding Edge […]


U Connecticut, 72,000 SSNs, Hacker

A computer containing personal information such as Social Security number and name was breached by an unauthorized intruder. Although there is no evidence indicating that this personal data was accessed or extracted, the University of Connecticut is contacting everyone whose identity may have been put at risk. … The breach occurred on October 26, 2003. […]


TSA Lies, Could Face Time Fines

Homeland Security officials who defied Congress and misled the public by creating secret files on American citizens while testing a new passenger screening program may have engaged in multiple counts of criminal conduct, and at least one employee has already lied to cover-up the misdeed. Read “TSA Lies, Could Face Fines” at Secondary Screening. Pictured […]


FinCen (IRS), Potentially tens of thousands, Complacent Bureaucrats

The U.S. tax agency — whose databases include suspicious activity reports from banks about possible terrorist or criminal transactions — launched the probe after the Government Accountability Office said in April that the IRS “routinely permitted excessive access” to the computer files. The GAO team was able to tap into the data without authorization, and […]


CVE Content Decisions

The fine folks at MITRE have published “CVE Abstraction Content Decisions: Rationale and Application:” This document is intended for use by Candidate Numbering Authorities (CNAs) and may be of interest to vulnerability researchers, maintainers of vulnerability databases and other CVE-compatible products and services, and technical consumers of vulnerability information on a large scale. Via OSVDB Blog, […]


Two There Are Always (Plus a Freebie)

Gizmodo asks “Am I the only one extremely disappointed by the fact that these upcoming Lucas-approved USB keys don’t offer a Han model?” No, you’re not. I’d get me Han in Carbonite to protect my data any day. I bet Wil Shipley would too. Anyone who can explain why Anakin went to the dark side […]


Dear Gmail

Thank you so much for your recent letter, telling me that We’ve noticed that you haven’t used your Gmail account, for quite some time. In order to make Gmail better for our users, we’ve added a lot of things in the last few months and we hope you’ll want to start using your account […]


Identity Thieves Drain Unemployment

But the most underpublicized identity theft crime is one in which thieves defraud state governments of payroll taxes by filing fraudulent unemployment claims. It can be a fairly lucrative scheme, too. File a false unemployment claim and you can receive $400 per week for 26 weeks. Do it for 100 Social Security numbers and you’ve […]


Suntrust, 75? SSNs, Employee Jonathan Bryan Adair

This post updated to replace the Suntrust logo with “You can’t shut me up” by Jennifer Moo, after a bunch of bozos called “Internet Identity” sent vaguely scary letters that chilled my web hosting company. The Atlanta Journal Constitution reports that “Ex-SunTrust employee charged in check scam.” (Use Bugmenot for a login.): The U.S. attorney’s […]


Equifax Canada, 600 credit histories, hacker

CBC is reporting “Hacker accesses files at Equifax:” A computer hacker has accessed the files of about 600 consumers at Equifax Canada, one of Canada’s major credit bureaus. Most of the files are for consumers from British Columbia. Better Business Bureau spokesperson Sheila Chernesky said personal financial information is being gathered all the time, and […]


Florida Hospitals, "40 pages" of medical histories, mis-dialed fax

ALTAMONTE SPRINGS, Fla. — The private medical information for hundreds of people ended up at a Seminole County airplane parts business. The information was about patients at Florida Hospital East and Florida Hospital Altamonte. It included hundreds of names, birth dates, social security numbers and medical diagnosis information. … The 40-page fax included appointment information […]


Ed Moyle on "MasterCard Lays Down the Law"

In a bold move, MasterCard lays down the law on CardSystems. And by “lay down the law”, I mean they upped the ante from recommending they comply with security procedures to “putting them on notice” to comply. Um…. Is it me, or does that sound like the same thing to you? If the only ramifications […]


Stupid Privacy Invasion Fatigue

This morning, Liz sent me a pointer to “Pentagon Creating Student Database” in the Washington Post. I said “Not blogging it. I have stupid privacy invasion fatigue.” Apparently, I’m not alone. In “ID theft concerns grow, tools lacking,” Bob Sullivan of MSNBC reports: Among the report’s most interesting findings: only 14 percent of consumers who […]


China's Internet Blocking and Ethics

Rebecca MacKinnon has a post about US companies which are selling internet censorship technologies to China, “Confirmed: All Typepad blogs blocked in China:” It’s a complicated issue. We need greater scrutiny of U.S. tech companies in China by bloggers, journalists, human rights activists, and anybody who cares about free speech and corporate accountability. We need […]


Uncle Sam's Privacy Polices (TSA, SSA)

Daniel Solove has posts on “If It’s Against Your Privacy Policy, Just Change It” (Social Security Administration): This feeds distrust about the government’s law enforcement activities as well as makes people unsure that they are ever being given the complete story about what the government is doing with their personal data. And what good is […]


Trial By Fire

Tom Ptacek and Jeremy Rauch are offering a course on analyzing products, taking them from black boxes to open books. Cool! From the ad: This class offers a behind-the-scenes tour of the product evaluation process. Renowned security experts Jeremy Rauch and Thomas Ptacek offer a crash course on the most important aspects of validating – […]


Kaiser Permanente, 150 patients, $200,000 fine

Computerworld reports that “Kaiser Permanente division fined $200k for patient data breach:” The California Department of Managed Health Care (DMHC) has fined Kaiser Foundation Health Plan, a division of Kaiser Permanente, $200,000 for exposing the confidential health information of about 150 people. The DMHC said the information had been available on a publicly accessible Web […]


"Dear Mastercard,"

Effective May 1, 2005, any compromise of my data will result in a $50 liability for you, the card issuer, owed to me, the card holder. Cashing the payment check I sent you last month (which you did) shall constitute your acceptance of this agreement. Subsequent security breaches will compound the fee. I will spell […]


Small Bits of Privacy

CSO has a “Do it Yourself Disclosure.” Hey, you skimped on security, you might as well skimp on the PR. Wired News comes out in favor of a data protection and privacy law for the US in “Congress Must Deal with ID Theft.” The Financial Times has an article on [UK] “Regulator urges tougher laws […]


CardSystems and Choicepoint

Choicepoint, please call your trademark attorneys. You’re in danger of becoming a generic term for “massive security breach,” and a band-aid isn’t going to fix that. That was the lead (and about all I’d written) of a long post on Choicepoint and some bank breach. I think it was the New Jersey case. The point […]


CardSystems Cards Being Exploited

The Denver Channel reports that “Stolen Credit Card Data Now Being Sold On Internet:” CardSystems Solutions Inc. is admitting it made a huge mistake after some 40 million credit card accounts ended up in the wrong hands. Some of those account numbers are already being sold on a Russian Web site, and some consumers are […]


Schneier, Solove on Medical Privacy

In U.S. Medical Privacy Law Gutted, Bruce Schneier analyzes the new rules on who gets prosecuted for violating your medical privacy. Answer: fewer people than you’d think or hope: I’ve been to my share of HIPAA security conferences. To the extent that big health is following the HIPAA law — and to a large extent, […]


FDIC, 6,000 employee SSNs, "security failure"

Thousands of current and former employees at the Federal Deposit Insurance Corp. are being warned that their sensitive personal information was breached, leading to an unspecified number of fraud cases. In letters dated last Friday, the agency told roughly 6,000 people to be “vigilant over the next 12 to 24 months” in monitoring their financial […]


Why I Blog

Inspired in part by Daniel Solove’s “How Blogging Changed My Life,” in part by a number of emails I’ve just sent saying “Sorry, I’ve been heads down with product release,” and the contrasting reality that I’ve found energy to write twelve blog posts in that time, I thought I’d talk about the muses. I started […]


Spaceman Bicycle Flask Holster

Because no one’s ever said “Is that a hip flask in your bike shorts, or are you happy to see me?” Available from Aherne Cycles.


CardSystem Solutions, 40,000,000 CC, hacker

The New York Times (and probably everyone else) is reporting that “MasterCard Says 40 Million Files Are Put at Risk.” MasterCard said its investigation found that CardSystems, in violation of MasterCard’s rules, was storing cardholders’ account numbers and security codes on its computer systems. That information, MasterCard said, was supposed to be transferred to the […]


Thanks, but…

The Open Mind kindly writes: Adam Shostack who is in the computer security side of business always has informed and interesting news on the security vs privacy front. (Another great blog via Harry’s world of interesting links. ) If you read anything vaguely connected to security or privacy in the mainstream media, Adam has probably […]


More on North Korean Online Warfare

I wrote about this in “North Korean Hacking Story,” and more detail emerges from a mail (or perhaps it’s a website? Hard to tell.) Anyway, this was eventually forwarded to Dave Farber’s IP list. Brooks Isoldi, editor of Intellnet, writes: North Korea has trained a small army of computer hackers whose capability is equal […]


Minnesota, 2,000 medical records, hacker

The Duluth News Tribune is carrying a story, “State’s Web systems bogged down:” [Monica] Feider, [manager of the Health Professionals Services Program] disclosed the problem in a March 31 letter sent to nearly 2,000 health professionals. “The case management system database includes private and public information about you,” she wrote. “The security company believes that […]


On Real ID, and Hearings

Privacy Law has a post, “Senate to Hold Security Breach and ID Theft Hearings” about a June 16 2005, Senate Committee on Commerce, Science and Transportation hearing on identity theft. The DailyBulletin editorializes against the Real ID act, “


Motorola, 34,000 Employee SSNs, Outsourcer ACS

In an article titled “Stolen PCs contain Motorola HR data“, Reuters is reporting that: In the latest example of hardware theft putting data security at risk, two computers containing personal information on Motorola employees were stolen from the mobile phone maker’s human resources services provider, Affiliated Computer Services (ACS). The data on the stolen computers […]


Star Wars Posts

Lileks bleats: When you switch to the Dark Side, do you have to go to Sith HR to fill a bunch of forms? If the Jedi Council finds out you’re looking to switch sides, they send guards to make you empty out your desk and escort you out – or at least they used to. […]


2005 Underhanded C Contest

Inspired by Daniel Horn’s Obfuscated V contest in the fall of 2004, we hereby announce an annual contest to write innocent-looking C code implementing malicious behavior. In many ways this is the exact opposite of the Obfuscated C Code Contest: in this contest you must write code that is as readable, clear, innocent and straightforward […]


More Terrorist Slander Against Heroic Prison Guards

Except this time, the “terrorists” are American veterans working for a private company in Iraq: “I never in my career have treated anybody so inhumane,” one of the contractors, Rick Blanchard, a former Florida state trooper, wrote in an email quoted in the Los Angeles Times. “They treated us like insurgents, roughed us up, took […]


Small Bits: Soviet Realism at DHS and in China, Going Public, Lameness, and Curves

Artiloop reports on a security poster on the Marc commuter trains. It’s clearly the work of a thoughtcriminal, encouraging ironic responses. I want to heroically help plan the tractor factory. I’ve been meaning to discuss the Chinese blog crackdown, but instead I’ll just juxtapose it with Soviet Realism. The Supreme Court of Canada has ruled […]


Emerging From Chaos

The server that Emergent Chaos lives on is at Server Beach, who have had serious problems with power. If you saw the Most Significant Bit home page, that’s Dwight Ernest, who kindly provides the space for me. Thanks Dwight!


The Open Society Paradox: Companies Have Privacy, You Don't

For those who, during the ChoicePoint outcry, (see Secondary Screening) were critical of me for not supporting a notification law for companies who maintain databases of personal information I point you to a couple of facts. First, today’s news that tapes with the sensitive data of 4 million Americans are missing is just the latest […]


ACM Computer & Communications Security

Industry and Government Track of CCS ’05 is now accepting submissions: The track aims to foster tighter interplay between the demands of real-world security systems and the efforts of the research community. Audience members would like to learn about pressing security vulnerabilities and deficiencies in existing products and Internet-facing systems, and how these should motivate […]


Telang and Wattal on Insecurity and Stock Price

At the Workshop on Information Security Economics, Rahul Telang and Sunil Wattal presented “Impact of Software Vulnerability Announcements on the Market Value of Software Vendors – an Empirical Investigation.” I’m pretty busy, so I’ll point to comments by Ed Moyle, and hefty analysis by Tom Ptacek. [Private to DM: If I say it’s a workship, […]


"Well, umm, He Had Valid ID"

AP is reporting “Man With Chain Saw, Sword Is Let Into U.S.:” On April 25, Gregory Despres arrived at the U.S.-Canadian border crossing at Calais, Maine, carrying a homemade sword, a hatchet, a knife, brass knuckles and a chain saw stained with what appeared to be blood. U.S. customs agents confiscated the weapons and fingerprinted […]


Markets in Social Security Numbers

Social security numbers used to be just for social security. But the government is the only actor in the marketplace who can produce something, and also mandate demand for it. In the case of SSNs, they’ve created a large demand by declaring that Uncle Sam gets to decide who you may hire. (The gossip-mongers credit […]


Terminal Futility

I think I had also noticed that there are not enough plastic bins or tables to line them up on, and that “X-ray machines that examine carry-on baggage sit idle as much as 30 per cent of the time.” The time elapsed between Sept. 11, 2001, and today’s writing (1,364 days) is only slightly less […]


Madison, The Bill of Rights, Raich

The Supreme Court today handed down a decision in “Gonzales vs. Raich.” Larry Solum has done outstanding work blogging it. The essence of the case was the limits of the commerce clause, and the case was decided that the commerce clause places, essentially, no limits on what Congress may legislate. Respondents nonetheless insist that the […]


Citibank, 3,900,000 SSNs, unencrypted tape

[Update: Bruce Schneier has an important update in “E-Hijacking.” Thanks to Chris for pointing this out.] CNN is reporting that Info on 3.9M Citigroup customers lost. Citigroup said Monday that personal information on 3.9 million consumer lending customers of its CitiFinancial subsidiary was lost by UPS while in transit to a credit bureau — the […]


Polk Community College, 3 SSNs, Professor Bradley Neil Slosberg

Professor Bradley Neil Slosberg asked students in his anatomy and physiology class to sign in with their name and social security numbers. They did. CNN quotes student Amanda Bracewell: “We all signed it. We figured, ‘He’s a teacher, what is he going to do with it?’” news has the only non-AP story, at Professor […]


New Law Protects You, Shredder Makers

At MSNBC, Bob Sullivan reports “Got a nanny? You need a shredder:” Even if you ordered a background check on your kid’s coach, or nanny, or — as is the latest trend in online dating — on a prospective blind date, the law applies to you. Transgressions — such as tossing paperwork containing personal information […]


Cakeeater on Tiananmen

CakeEater has a beautiful post on the man in front of the tanks: Then the tank tried to get around him. And he moved in concert with it, shifting to stay directly in its path. I remember being stunned when this happened. I remember saying, “Holy Shit!” to no one in particular in the family […]


Duke, 9,000 partial SSNs, Hacker. (With Commentary.)

In Hacker hits Duke system, the (Charlotte? Raleigh [thanks, Neil!]) News and Observer reports on a breach at Duke University School of Medicine. The school’s “Security Incident at Duke” page states: On Thursday, May 26, 2005 a security breach allowed an unauthorized user to gain access to data stored on several web sites at Duke […]


Moxie CrimeFighter Jillette

It’s all over the web that Penn Jillette and his wife Emily have named their new baby Moxie CrimeFighter. I’m sorta disappointed that they didn’t go all the way, and name her “Moxie CrimeFighter™ Jillette, a member of the Jillette family of people.”


Breach Laws

The Washington Post reports: States Keep Watchful Eye on Personal-Data Firms: Critics of the multi-state approach say that due to the potential monetary, logistical and public-relations headaches that could come from establishing different requirements and penalties in each state, companies will soon be forced to set their overall policies to satisfy the state with the […]


The Voting-Industrial Complex

The fine folks over at Black Box Voting demonstrate that Diebold can’t even build an optical scan voting machine without screwing it up in “Optical scan system hacked (3 ways).” If we existed in a reality-driven world, these people would be permanently disqualified from participating in the vote counting process. Vote counting is, as Stalin […]


June 4th, 1989

At our best, the United States inspires people around the world to reach for freedom and democracy. In the student led rallies in Tiananmen Square, the students built a statue of liberty as one of the centerpieces of their protest. I remember watching the protests on TV, being thrilled by the power of people to […]


North Korean Hacking Story

The Korea Herald has done an awful job of reporting in “N.K. hacking ability matches that of CIA, analyst says.” Normally, I ignore awful reporting as roughly par for the course, but this is egregious. “Our electronic warfare simulation indicates that North Korea’s capability has reached a substantial level, unlike what is generally known to […]


Small Bits: Wives Vs. The Dark Side, Diamonds, FRCA, Brill & Lexis-Nexis

VikingZen posts her Two Cents about Revenge of The Sith, and closes with: My big question: Why didn’t Padme just release a can of whoop-ass on her husband? I mean, they’re secretly married, the guy’s off in some outer galaxy playing space cowboy while she’s lugging around a pregnant belly full of twins? How about […]


More on Deep Throat

The Telegraph has a roundup story, “FBI Deep Throat branded a traitor by Nixon aides:” Charles Colson, Nixon’s chief counsel who served seven months in jail for his role in the Watergate scandal, confessed to understanding the dilemma Mr Felt faced. But he added: “When any president has to worry whether the deputy director of […]


University of Cincinnati, 7,000 SSN, Hacker

Cincinnati’s Channel Cincinnati reports that “Hacker Steals Personal Data From UC System:” UC Vice President of Information Technology, Fred Siff, said the hacker knew how to avoid intruder alerts on the system. “This was obviously a serious breach,” Siff said. “This is a very sophisticated hack. I hope that goes without question. It wasn’t just […]


Omega World Travel, 80,000 CCs, Laptop

The Washington Post reports, “FBI Probes Theft of Justice Dept. Data” The FBI is investigating the theft of a laptop computer containing travel account information for as many as 80,000 Justice Department employees, but it is unclear how much personal data are at risk of falling into the wrong hands. Authorities think the computer was […]


SEC on Internal Controls

Pete Spire Lindstrom* points to a press release from the SEC on “Commission Statement on Implementation of Internal Control Reporting Requirements:” “Registered public accounting firms should recognize that there is a zone of reasonable conduct by companies that should be recognized as acceptable in the implementation of Section 404.” “A one-size fits all, bottom-up, check-the-box […]


Reporters without…Mathematics

DM pointed me to this Register story, “Fraud expert becomes victim of credit card crime.” It’s a nice bit of irony, but my favorite bit is the very end: CNP (Cardholder Not Present) fraud in the UK has grown nearly 50 times between 1994 and 2003 to £116.4 million. Goodwill wants the government to recognise […]


W. Mark Felt aka Deep Throat

For more than 30 years, W. Mark Felt and three co-conspirators have protected his privacy after one of the most spectacular whistleblowing acts in history. He’s admitted to being Deep Throat in this Vanity Fair article. The Washington Post has coverage in “FBI’s No. 2 Was ‘Deep Throat’“, and “Conflicted and Mum For Decades.” I’ve […]


Breach Disclosure Laws

The National Conference of State Legislatures has a “2005 Breach of Information Legislation” summary page: Summary: Legislation was introduced in at least 34 states as of May 18, 2005. Legislation enacted in at least six states in 2005: Arkansas, Georgia, Indiana, Montana, North Dakota and Washington. Thank you, masked man Choicepoint. (Via The HIPAA blog.)


Bluetooth vs Infrared

John Early has an interesting editorial over at Computer Weekly “Infrared meets speed and security needs:” Famously associated with applications such as personal digital assistant to laptop synchronisation, PDA business card exchange and short-haul mobile phone data transfer; IRDA, with its short range and relatively low 4mbps throughput, was understandably discounted by the IT community […]


Choicepoint Roundup

Household Watch has a story: When Ms. Marshall got a $6,000 home-improvement loan from a credit union in April 2003, she had to pay relatively high interest because of a weak credit score. The credit check had showed a court ruling ordering her to pay overdue rent to a former landlord in a Washington, D.C., […]


Choicepoint vs CIA

The New York Times has a long article on the successors to Air America, “C.I.A. Expanding Terror Battle Under Guise of Charter Flights.” The bit that really caught my attention was: On closer examination, however, it becomes clear that those companies appear to have no premises, only post office boxes or addresses in care of […]


The FBI Goes Undercover

The New York Times is reporting on a number of undercover investigations that have led to charges against people accused of helping or trying to help terrorists, in “Trying to Thwart Possible Terrorists Quickly, F.B.I. Agents Are Often Playing Them.” The use of undercover agents is an excellent move by the FBI, and should be […]


Privacy and Courage

I met Hossein Derakhshan at Blognashville. He and I respectfully disagree about the value of privacy to bloggers in oppressive regimes. He points out (correctly) that a blogger who has the courage to use his or her own name gains credibility. While I don’t disagree, I think there are people out there who don’t blog […]


Speaking of Usability: Privacy and Openness

Jon Mills, who has been heading up Florida’s Committee on Privacy and Court Records, has an article in the HeraldTribune: How do we balance the competing values of privacy and openness? The Internet makes possible greater openness, so indispensable to good government, and allows for greater convenience in accessing government services, including court records. […]


Usability Testing

Nat Friedman has a good post on usability testing: Over the last several months we at Novell have sent a team of people around the world with a portable usability testing lab… It is amazing to watch the ways that people fall on their face. We’ve all read about the benefits of usability testing, but […]



The French have apparently rejected the EU Constitution. With 83% of the votes counted, it’s 57% Non, according to ABC news. The draft constitution was, from my perspective, the worst of the new Europe: Opaque, complex and undemocratic. We can hope that new blood in the EU will press for a simpler, more transparent, and […]


French Elections

You might not know it if you read only the American press, but the French voted today in a referendum on the European Union’s proposed Constitution. It’s an awful document, and the French are expected to reject it, plunging the EU into crisis, and leading to the Chancellor being made Emperor. If the EU would […]


Social Security

I try to stay out of debates that have devolved into the red and blue halves of the Demopublican party screaming soundbites at each other. The party hopes that the American people won’t notice that they’re the same if they yell and scream a lot, and I try not to play their game. C. Eugene […]


Only Two Cheers for the Jedi?

Bryan Caplan takes issue with his mentor, Tyler Cowen, over “The public choice economics of Star Wars: A Straussian reading.” (I also commented on that post). Caplan says: After Anakin’s betrayal, the remnant of surviving Jedi reveal their “secret and mysterious ends.” They turn out to be neither secret nor mysterious. Yoda and Obi-wan take […]


My Navel, it is Fascinating!

I’ve played with the stylesheet for the web version of the blog, added an individual-i logo, removed the calendar and put the search bits in what seems like a more rational order. Some other general tweaks, too, in the hopes of making the web version aesthetically pleasing. I knew you’d be thrilled. [Update: fixed link. […]


Sport Utility Bike?

[The] Freeradical S.U.B conversion kit … makes your favorite ride into the baddest sport utility bike on the planet. Forget panniers and racks on the front, or over the back tire that bump your knees and feet. Rather than relying on the strength of a single peg or gimbal on a bike trailer, the Freeradical […]


Small Bits: Xrays, Free Speech, Law, Cowards and Crypto School

Justin Mason has a good post on the new backscatter radiation xray machines that TSA would like to deploy. My favorite part: They create child pornography. Interestingly, these are one of the relatively few places that a privacy invasion makes us safer. Also interesting is that different people perceive either the hand-pat or the naked […]


Purdue University, 11,360 SSNs, hacker

Purdue University is alerting current and former employees that their Social Security numbers and other information may have been illegally accessed from at least one of four campus computer workstations. “Our investigation of a recent information technology security breach shows that the records of 11,360 current and former employees may have been accessed electronically,” said […]


University of Chicago, 24,000+ SSNs, Unsecured File server

The action is motivated by the discovery by a campus web developer that files containing social security numbers were located on a portion of a public server that could be accessed by web developers not associated with the site. He had pointed this out last November, at which time all of the several dozen files […]


Those Who Forget History

Some folks calling themselves “American Rhetoric” have put up a page entitled “Top 100 Speeches.” On further examination of the site, it’s the 100 most significant American political speeches of the 20th century, according to a list compiled by Professors Stephen E. Lucas and Martin J. Medhurst. Dr. Lucas is Evjue-Bascom Professor in the Humanities […]



Over at “Statistical Modelling,” Sam discusses “Sabermetricians vs. Gut-metricians:” There’s a little debate going on in baseball right now about whether decisions should be made using statistics (a sabermetrician is a person who studies baseball statistics) or instincts. Two books are widely considered illustrative of the two sides of the debate. Moneyball, by Michael Lewis, […]


Small Bits of Chaos: Continuity, Texas, Stealth Bomber

Todd Seavey has a well-written and entertaining long article on continuity in long series. I’ll leave the continuity error as an exercise for readers. In fact, so many necessary plot details of Episode III are already known that the ticket-selling site already has a lengthy summary of the film on its site, as if […]


Small Bits of Chaos: Hal Stern, Lexis-Nexis Hackers, UK ID Cards, Bolton

Hal Stern has a blog! Hi, Hal! Wired News has a long story, “Database Hackers Reveal Tactics,” about the kids who broke into Lexis-Nexis. There’s some interesting bits. Most interesting to me is that none of these kids seem to have lawyers telling them to shut up. The BBC has an article on British reactions […]


Valdosta State University (Georgia), 40,000 SSNs, hacker

The Associated Press reports “Identity theft risk widens at Valdosta State:” VALDOSTA — A computer identity breach at Valdosta State University has widened, with authorities now saying up to 40,000 people could have had their Social Security numbers accessed by a computer hacker last week. The breach was larger than originally thought, said school spokesman […]


676,000 Victims

I first covered the improper disclosures by Wachovia, Bank of America, Commerce Bancorp, and PNC Bank NA employees last week. It’s now up to 676,000 accounts, all New Jersey residents. The Census Bureau estimates that in 2003, New Jersey had 8,638,396 residents. Thus, around 8% of the people of New Jersey are affected by Orazio […]


Stanford, 9,900 SSNs, Insecure Career Center computer

The San Jose Mercury News reports that “Computer system hacked at Stanford:” The FBI and Stanford University are investigating how someone hacked into a computer system containing information about people looking for work through the university’s Career Development Center. University spokesman Jack Hubbard said there was no evidence that any data had actually been acquired […]


Don't Be So Proud Of This Technological Terror You've Created

The New York Times reports on the “Customs-Trade Partnership Against Terrorism” in “U.S. Effort to Secure Foreign Ports Is Faulted:” The Department of Homeland Security’s effort to extend its antiterrorism campaign overseas by enlisting help from importers and foreign ports has been so flawed that the program may have made it easier at times to […]


Global Internet Freedom Act in House

… SEC. 5. SENSE OF CONGRESS. It is the sense of Congress that the United States should… (3) deploy, at the earliest practicable date, technologies aimed at defeating state-sponsored and state-directed Internet jamming by repressive foreign governments and the intimidation and persecution by such governments of their citizens who use the Internet. Rebecca MacKinnon has […]


Breaches List at Privacy Rights Clearing House

The Privacy Rights Clearinghouse have been tracking breaches too. They’ve tallied 5,476,150 people affected, and have a better list than I do. I’ll continue to cover as I see things, since their list isn’t complete either.


I Could Kill You With These Nose Hair Clippers!

Like I said, I do like rules, rules that make sense. But this is a form of institutional insanity, and someone needs to do an intervention. When a soldier in full uniform, in the company of nothing but other soldiers, is allowed to retain the bayonet for his M-16 and his M-16, yet has to […]


Two On Secure Software

There’s a placeholder page at NIST for their SAMATE project (“Software Assurance Metrics and Tool Evaluation”). Interesting stuff if you wonder why it’s so hard to release secure software. Also, Lauri@Schedler writes, in Making correct code look good: Reading the article I was wondering what is the point of leaving information about safe and unsafe […]


New Books

Two new books that may be of interest are blogger Wendy McElroy’s “National Identification Systems, Essays in Opposition” and Choicepoint CISO Richard Baich’s “Winning as a CISO.” I was going to add clever text juxtaposing the texts, but really. hmmm, I really must make this post longer, or the blog looks really bad. […]


Jackson (Mich) Community College, 8,000 SSNs, Bad Policy

The Detroit Free Press reports that “Hacker may have stolen Social Security numbers from Jackson Community College:” A hacker who broke into the computer system at Jackson Community College may have accessed as many as 8,000 Social Security numbers, the college said Monday. The hacker broke into the system Wednesday. College officials are still investigating […]


MCI, 16,500 employees, ironically anonymous employee

Reuters is reporting “MCI: employee data was on stolen laptop:” A laptop computer containing the names and Social Security numbers of about 16,500 current and former employees of MCI Inc. was stolen last month, the Wall Street Journal reported on Monday. The computer was stolen from a car that was parked in the garage at […]


Emergent Bits of Security: Analyzing Binaries, Code

If you think that an application is more secure because it’s undocumented, you should read Salman A. Baset and Henning Schulzrinne’s “An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol.” (Thanks, DM) Network Computing also discusses the idea, in the context of How Dangerous Was The Cisco Code Theft?. Gunnar Peterson mentions a Richard Clark […]


The Altered Deal

In “…And Another Thing: Those Jedi Children Were a Threat,” Gene Healy refers to the Weekly Standard review of Attack of the Clones, with its famous defense of the Empire. Make no mistake, as emperor, Palpatine is a dictator–but a relatively benign one, like Pinochet. It’s a dictatorship people can do business with. They collect […]


Adopt a Chinese Blog

To help folks in places like China blog, there’s the obvious problems of protecting their privacy against the local authorities. But often, the audience that a blogger seeks is not the international, but the local. A blogger in China should be able to write in Chinese and share their thoughts with the people around them. […]


Housing Bubble?

Kip Esquire discusses “Housing Bubble: The Non-Lessons of the Past:” Today, we get some unhelpful noise from TCS Overlord James “Always Wrong” Glassman. (Remember “Dow 36,000”? The only thing dumber than the book was his half-hearted non-apology for it.) Now he’s fanning the flames of “What, us worry?” for the housing market: Since 1950, according […]


More on Bridge Blogging

Recently, I discussed bridge bloggers, folks who make an effort to make their posts comprehensible to those outside their country. In that post I mentioned a few information security bridge bloggers; folks who try to make our profession understandable to those outside. Something that I wanted to mention, if only it had fit into an […]


About Episodes 7, 8 and 9

Stuart Berman reminded me of the original plan, which was a 9-episode epic cycle for Star Wars. At some point, Lucas made the decision to allow others, the novelists, the game creators, and even the fans to define what happens after Return of the Jedi. It was a brilliant choice. The original Star Wars was […]


Darth Vader Doesn't Use a Keyboard

But if he did, he’d be all over the new Das Keyboard, in pure modernist black, without any decoration, like letters printed on the keys. Because sometimes you just need to signal that you’re so…ummm….cool…that you don’t need letters on the keys. (Via Daring Fireball, who points out that it’s “marketed to “übergeeks” who might […]


Arrests in T-Mobile, Lexis-Nexis

The Washington Post reports on Computers Seized in Data-Theft Probe: According to the teenage source, a police officer in Florida was among those who opened the infected e-mail message. Not long after his computer was infected with the keystroke-capturing virus, the officer logged on to his police department’s account at Accurint, a LexisNexis service provided […]


Alien Spacecraft Captured…in Orbit Around Mars

NASA’s Mars Odyssey spacecraft appears twice in the same frame in this image from the Mars Orbiter Camera aboard NASA’s Mars Global Surveyor. The camera’s successful imaging of Odyssey and of the European Space Agency’s Mars Express in April 2005 produced the first pictures of any spacecraft orbiting a foreign planet taken by another spacecraft […]


Can We Talk Sith Yet?

I mean, really. If you mind spoilers, you’ve seen Revenge of The Sith already. Ok, maybe not. So I’ll just throw a few comments out. Marginal Revolution discusses The public choice economics of Star Wars: A Straussian reading. I’m surprised that Tyler misses the Hayekian aspect. That is, other people’s choices are so complex that […]


Emergent Bits: Iranian Blogger, Economics, Security myths

Iranian blogger Mojtaba Saminejad has declared a hunger strike to protest his imprisonment. The Committee to Protect Bloggers has asked that we observe a media fast next Thursday, May 26th, and not blog. There are also email addresses to write to, asking that Mojtaba be released. Ethan Zuckerman has some fascinating comments on the […]


Choicepoint, Acxiom Highly Accurate

100% of the eleven participants in the study discovered errors in background check reports provided by ChoicePoint. The majority of participants found errors in even the most basic biographical information: name, social security number, address and phone number (in 67% of Acxiom reports, 73% of ChoicePoint reports). Moreover, over 40% of participants did not receive […]


Real ID Roundup

The fair and balanced Real ID Sucks blog (“A clearinghouse of stories about how the states will be required to spend $250 million to create standardized, machine-readable driver’s licenses, to make it easier for hackers, thieves and credit bureaus to track your every move.”) points to a San Jose Mercury News editorial, “Real ID Act […]


The Force Is Strong In This One.

I don’t know if it was better than A New Hope or The Empire Strikes Back. It was certainly better than I or II by a long margin. More on the politics after I’ve seen it several more times, and perhaps slept.


This Will Be A Day Long Remembered

It has become cliche to go on about how Greedo shooting first nearly destroyed Episode IV. For characters not to mature and grow through the course of Star Wars makes it just an action flick. But what makes Star Wars truly great is the conflict within Anakin Skywalker. And tonight’s episode is all about Anakin. […]


Emergent Bits of Security

(Updated shortly after posting with Eric Rescorla’s evidence presentation.) Nick Owen has a post about Net Present Value and Annual Average Loss Expectancy. If you think security is all about vulns and 0day, you probably don’t need to read this post, and your boss is going to keep rejecting your spending proposals. Carrie Kirby argues […]


Private to CIBC: That wasn't a challenge

Last month, I asked “What Do You Need To Do To Get Fined?” in reference to CIBC’s improper disclosure issues. Now the Ottawa Citizen is reporting that “Bank springs another privacy leak:” Fresh off fax blunders that earned it a rebuke from the federal privacy commissioner, the Canadian Imperial Bank of Commerce admitted yesterday that […]


Welcome to the 21st Century

Only 14 years after they were liberated by American-led forces, our ally Kuwait…gives women the vote. The Chicago Tribune reports: KUWAIT CITY — Parliament extended political rights to Kuwaiti women Monday, but religious fundamentalists who opposed women’s suffrage succeeded in attaching a clause requiring future female politicians and voters to abide by Islamic law. The […]


About Those Insiders, Again

Way back in August, I mentioned the CERT/CC collaboration with the Secret Service in analyzing insider threats. They’ve just released a second report, “Computer System Sabotage in Critical Infrastructure Sectors” (163k PDF). I haven’t had a chance to read it, but that’s no reason not to blog about it. Tip of the hat to Dan […]



Knight Errant has a long post, “Tipping My Tinfoil Hat,” in which he makes mention of Choicepoint. And Consumer Affairs has a long article “USA PATRIOT Act Rewards ChoicePoint.” The IntegraSys corporation’s ID Verification software, for example, cross-checks and references 23 billion data records, including everything from credit report headers to “warm address lists” that […]


Emergent Privacy Bits

TechDirt points to a Cnet story by Declan McCullagh, “Kiss your old SSN goodbye:” Rep. Joe Barton, another Texas Republican who happens to chair the House Energy and Commerce Committee, said last week that he plans to “outlaw the use of Social Security numbers for any purposes other than government purposes.” … “The time has […]


San Jose Medical Group, 185,000, Joseph Nathaniel Harris (update)

Joseph Nathaniel Harris has been arrested and charged with the April break-in to the San Jose Medical Group, and stealing two computers with 185,000 medical records on them. The San Francisco Chronicle reports: “During Harris’ employment at San Jose Medical Group, there were several incidents of reported theft of money and medications,” according to an […]


Merlin Information Systems, 9,000, Lying customers

If these data brokers had any ability to deliver on their marketing, these things would never happen. Some assistant DA somewhere is going to close a data broker on false advertising, and make a name for themselves. The Daily Interlake reports “Thief nets personal information from Kalispell company:” About 9,000 people have been notified that […]


Hinsdale Central High School (Chicago), unknown #, 2 students

ABC7Chicago reports “Two students investigated for identity theft at high school” May 12, 2005 — Criminal charges might be filed against two students for stealing personal information at a west suburban high school. The students at Hinsdale Central are accused of hacking into the school’s computer system and obtaining Social Security numbers for students and […]


Michigan State Wharton Center, 40,000 CCs, Hacker

The Detroit Free Press reports “Michigan State’s Wharton Center says computer security breached:” EAST LANSING, Mich. (AP) — Michigan State University has warned more than 40,000 Wharton Center patrons that a hacker broke into a computer server involved in credit card processing for the performing arts venue. But so far, there has been no indication […]


Primary Colors, Author Unknown

In discussing private blogging at Blognashville, the idea of identifying bloggers by their writing style kept coming up. The example that was used (at least) twice was the “computerized” identification of the anonymous author of Primary Colors. The trouble is, the identification wasn’t done by computer. It was done by Vassar English Professor Don Foster. […]


Georgia DMV, employee Asif Siddiqui, "hundreds of thousands"

The Atlanta Journal Constitution reports Georgia driver’s license data put at risk (Use Bugmenot if you need a login.): Georgia Technology Authority said Friday that Asif Siddiqui, a 43-year-old Pakistani who worked for GTA, could have downloaded information on “hundreds of thousands” of drivers before he was arrested and fired late last month. … The […]


20Q: Emergent Databases

20Q is a website and now a handheld electronic toy that plays 20 questions. But the web site doesn’t just play 20 questions, it learns as it goes. It decides which questions are good, and which questions are bad. Alex Tabarrok writes on Marginal Revolution: I was skeptical when my wife handed me a small […]


The Strange Case of Syed Maswood

A year after federal agents raided his home in a terrorism investigation, Muslim businessman Syed Maswood is lucky to get on an airplane without being detained and searched. But that didn’t stop him from getting an invitation to dine with U.S. President George W. Bush. Maswood, a nuclear engineer who has not been charged with […]


Small Bits of Chaos: Airports, Junk Mail and Employment Law (Context-free)

Scared Monkeys asks “Could Iris Scanning be Coming To an Airport Near You?” (As if the TSA hadn’t wasted enough money on machines that don’t work, or seizing zippo lighter cameras.) Maybe the camera in their iris scanner was busted? New blog “The Dunning Letter” claims to be from a long-time junk mailer, now repentant. […]


Safari Enhancers

I’ve mentioned using PithHelmet. One of the most annoying remaining behaviors in Safari is that the close button closes all your tabs, and it’s very close to the minimize button. D’oh! Holy usability errors without a warning batman! Taboo comes to the rescue, adding that warning. (While I’m blathering about my web browser, let me […]


The Right to Self-Treatment

The Mutualist Blog has a great article on how and why the right to choose your own medical treatments was removed, and what that means to you.


Choicepoint, May 12

has an article “Lawyers See Data ‘Fear Factor’ Rising:” The suits, which have been consolidated in federal court in Los Angeles and are requesting class action status, seek monetary, statutory and punitive damages, including compensation for the anxiety of waiting and wondering. They also aim to represent consumers regardless of whether their data were […]


Undertow of Totalism

Orcinus has a great, long post on “Undertow Of Totalism.” He starts with Two Minutes Hate, and goes from there. Read it, and then ask yourself, does your blood boil when someone mentions Ann Coulter? Michael Moore? If it’s one or the other, ask yourself if you’re being played, and stop. Pay no attention. Participate […]


Sogreni Bicycle Trouser Clip

Via Gizmodo, we learn of the mysterious and wondrous Sogreni Bicycle Trouser Clip. I’m not sure what a bicycle trouser clip is, but I bet you could get it spinning pretty fast to, you know, enhance a frank exchange of views with the bikes-are-just-for-Friday crowd.


Advances in Financial Cryptography – "First Issue"

I have a long list of issues with the academic publishing process. I’m a big fan of the Public Library of Science model. So when Ian Grigg asked me if I’d be interested in helping with his new publishing model, I was pretty excited. And now, I have an essay in the first issue: I’m […]


Minh: Great Vietnamese in Arlington, VA

I had lunch yesterday at Minh, at 2500 Wilson Blvd, Arlington, VA, and it was excellent. The spring rolls were crispy, tender, and not greasy. I had mint scallops as a main, and they were subtle and well prepped. The dessert, which I think was made offside was a hollowed out tangerine filled with tangerine […]


Small Bits of Chaos

Thomas Schelling is, without a doubt, one of the smartest people I’ve ever been privileged to meet. There’s a long interview with him at the Federal Reserve Bank of Richmond. (Via Marginal Revolution.) Ryan Singel has a long excerpt from Joe Lieberman. Normally, I don’t agree with much he has to say, but this is […]


A few Typographies of Bloggers

First, a very brief bit of terminology: A typography is a way to organize things, much like a taxonomy. Each item within a typography has clearly distinguishing characteristics, but there’s no hierarchy such as animal, vertebrates, mammals, hominids, humans. To be honest, I’m not sure if this is a typography or just some categories. But […]


Well, Hello Nurse!

The fine folks over at NCircle seem to have been given a directive from on high: Let there be blogs! And there were. And ncircle saw, and they were good. And someone said, let the bloggers be prolific, and behold, they were, with 18 or more posts in 5 days. Great coverage of CanSecWest, and […]


"It's the Medicine Talking"

Dr Jim Swan, a consultant to the drinks industry, said: “There has been much in the news about the health benefits of antioxidants in red wine. By contrast, very little has been said about malt whisky distillery science. “However, research has shown that there are even greater health benefits to people who drink single malt […]


$4.5 Billion and Whaddaya Get?

If you’re the Department of Homeland Security, another day older and deeper in debt. The New York Times reports on “U.S. to Spend Billions More to Alter Security Systems:” Passenger-screening equipment at airports that auditors have found is no more likely than before federal screeners took over to detect whether someone is trying to carry […]


On Being Fully Present

Right before Mark Glasser started his talk on protecting bloggers (which Nashville files covers really well), Mark asked to borrow my laptop (picture by Nashville Files.) [Update, May 11, Mark’s column about BlogNashville is now online, and he mentions this as his pet peeve.] We got into a discussion of me having just attempted to […]


Real ID, Real Problems

Bill Scannell writes: We have less than 48 hours to stop our nation from having a National ID card scheme. Do we really want to have the same ID system as Communist China? I think not. The US Senate is scheduled to vote this Tuesday on the Real ID Act. They’ve never debated the bill. […]


Emerging from BlogNashville

I have about 30 tabs open from Blognashville, and probably not enough time to sort through them all. Also, I really want to spend time thinking about what I heard and learned at the anonymous blogging roundtable and the protecting bloggers session (well covered by the Nashville Files.) So a link dump: The New York […]


Customer Relationships, Data Relationships

The computer industry is good at coming up with Orwellian names for things. The software that call center operators and others use is called a “Customer Relationship Management” system (or ‘CRM.’) The goal of such systems is to help you decide which of your customers are profitable, and give them better service. Cynics might add: […]


Making Money Blogging

I was unfortunately late to the Making Money Blogging session at BlogNashville. It was run by Henry Copeland of Blogads. There was a lot of discussion on driving ads, targeting ads, complaining that RSS doesn’t allow you to demographic your audience. There was some great discussion of how Major League Baseball is drawing baseball bloggers […]


BlogNashville was Great

I didn’t expect to have quite such a good time at BlogNashville. I mean, really. But I did. I felt really energized, and learned an awful lot from conversations. I left before the tailgating and evening dinners because I was already pretty worn down at 5PM, and it was going to be a long drive […]


When Was The Last Time You Linked Outside the US?

In Hoder’s session on Building a Blogosphere, Rebecca MacKinnon asked “what can we do to encourage people to link to bloggers internationally?” That’s been sort of a theme today. I think it’s challenging, because often bloggers in different places have very different orientations; that combination of cultural, educational, and training background that acts as a […]


Texas DMV, hundreds, mailing errors

An agency that warns Texans not to share personal information with strangers because of the risks of identity theft mistakenly mailed hundreds of driver’s licenses to the wrong people. The Texas Department of Public Safety (DPS) blamed the mixup on a malfunctioning machine that was recently installed to sort licenses for mailing. Statewide, at least […]


Anonymous Blogging Roundtable

I think the roundtable went well. Mark Glasser started us off with a review of the state of the world, with China having 67 bloggers in jail, Bahrain requiring bloggers to register, Cuba having a black market in email accounts with one costing $240, out of an average annual income of $1700. We talked a […]


Off To BlogNashville

I’m finishing my coffee, and about to hop in the car for BlogNashville, and the Anonymous Blogging Roundtable.


SafeNet, hundreds, paper in a briefcase

An employee hoping to get extra work done over the weekend printed out 2004 payroll information for hundreds of Safenet’s U.S. employees, snapped it into a briefcase and placed the briefcase in a car. The car was broken into over the weekend and the briefcase stolen – along with the employees’ names, bank account numbers […]


Corporate Welfare from TSA

USA Today reports “U.S. asks for more data on travelers” The federal government plans to begin collecting the full names and birth dates of air travelers this summer in its latest effort to screen passengers for possible links to terrorism. In a few weeks, the Transportation Security Administration will notify airlines, travel agents and online […]


The Coming Privacy Law

Perspectives from the gossip industry are presented by Information Week, in “Execs Testify In Favor Of National Data-Security Law:” In prepared testimony for a hearing by the House Committee on Financial Services, executives from Bank of America, ChoicePoint, and LexisNexis supported legislation patterned after California’s law requiring companies to notify customers about security breaches. ChoicePoint […]


Software Design Pointers

Gunnar Peterson asks “How far can software architects get using a purely rational approach to software development,” and Michael Howard points to Dave Leblanc’s “Another Look at the SafeInt Class.” If you write in C++, check out the SafeInt stuff. It’s the sort of “close off a class of vulnerabilities” approach that I love.


Copyright, Aggregators, and Readership

I’ve been thinking lately about licensing my content under a Creative Commons license, maybe non-commercial, attribution. As I think about such things, I look for scenarios where I’d be sad I’d done such a thing. While I haven’t come up with any, I’ve been noticing lately that more and more of my readership comes via […]


SHIFT Bicycle

Scott S. Shim, an assistant professor in the Purdue College of Liberal Arts, along with students Ryan Lightbody and Matt Grossman have won the 9th International Bicycle Design Competition in Taiwan, according to this press release. (Unfortunately, the web site isn’t going to win any design awards.) “None of us had ever designed a bicycle […]


Choicepoint Analyses

Today’s Wall Street Journal has a good summary article, “For Big Vendor of Personal Data, A Theft Lays Bare the Downside” (Thanks, Nick! Also, the Pittsburgh Post-Gazette has picked up the story, and made it available): The vulnerability of the company’s data and its difficulty in tracking the breach point to a paradox. ChoicePoint and […]


Time Warner, 600,000 employees, Iron Mountain Backup Tape

Time Warner Inc. on Monday said data on 600,000 current and former employees stored on computer back-up tapes was lost by an outside storage company, which the U.S. Secret Service is now investigating. Time Warner’s data storage company, Boston-based Iron Mountain Inc., lost the tapes during transport, Time Warner said, reports the New York Times. […]


Single Serving Friend: Technology For Staying In Touch

Following up on my earlier post about staying in touch, there’s a bit of technology that I’ve been meaning to build for, well, over a year now, and haven’t gotten to it. I was in Portland, Oregon for business, and someone I was speaking with said “Hey, you know Lucas Nelson is there this week?” […]


Perspectives on "Identity Theft"

WYFF-TV, “The Carolina Channel,” interviews two fraudsters who made money impersonating others. If you have any doubt these people are scum, one impersonated his own brother, and stole $71,000. In another, on Dave Farber’s list, victim Tom Goltz writes: Speaking as a victim of identity theft, there is absolutely nothing that an individual can do […]


Zabbo Blogs (again!)

I’m very excited to discover that my friend Zach Brown is blogging again. Zach was one of a group of friends who introduced me to blogs in, maybe late ’99? Early 2000? He’d been on hiatus, and I’m glad he’s back. But I realized that my excitement felt a little odd, and so I’ve been […]


Small Bits of Chaos all Starting with Names

Mike Solomon, of PithHelmet fame, comments on RSS spam, and promises to do something about it. (Incidentally, I’ve been wondering about NetNewswire’s cookie behavior when you load pages, but some rummaging in its files didn’t seem to turn up cookies, and I needed to go blog earn money.) Alan Chapell (whose blog is looking much […]


Portland Withdraws Support from Terror Task Force

Mayor Potter, a former Portland police chief, earlier this year requested that the federal government grant him, the police chief and the city attorney top-secret security clearance — the same as task force officers — so that city leaders could have access to case files and more frequent updates. Potter said he wanted the ability […]


Drivers License Fraud

As the trust and reliance people place in drivers licenses grows, the greater the incentive to get fraudulently issued ones. FoxNews reports on “Workers Charged With Taking Payoffs for IDs” (via JihadWatch.) “With a valid driver’s license, you establish an identity,” said Michael Garcia, assistant secretary of the Homeland Security Department. … The three Florida […]


Way To Debate!

Since Choicepoint demonstrated that screening is hard, they’ve been repeating the phrase “We look forward to a national debate.” But at yesterday’s annual meeting, they once again failed to engage in that debate. The LA Times has an AP story “No Answers for ChoicePoint Shareholders” (Bugmenot, because no other paper has picked up the story, […]


Choicepoint Annual Meeting

But today, the chairman and chief executive of Alpharetta-based ChoicePoint is likely to get a feel for his standing on a smaller stage: whether he is held in esteem by ChoicePoint shareholders. … Lauren Waits, who oversaw ChoicePoint’s charitable giving program before leaving earlier this year, describes her former boss as a visionary who also […]


National Legislative Roundup

In “Proposed Legislation Limiting PI Access to Data“, Private Investigator News and Information provides the National Council of Investigation and Security Services’s roundup of legislation that would affect the private investigator business. Naturally, the private investigators are up in arms; their job is about to be made a lot harder over something that wasn’t their […]


Hofmeyr on Legislation

1386 provides a huge incentive for companies to secure their systems, without restricting or constraining the way in which they should do so, leaving companies to choose the most effective way. This encourages innovation in defense, because should new, more effective defense strategies become available, companies are more likely to adopt them, whereas if they […]


Blockbuster, 65, Employee Miles N. Holloman

A former employee of a Blockbuster video store in Washington, D.C., has been indicted on charges of stealing customers’ identities, then using them to buy more than $117,000 in trips, electronics and other goods. Miles N. Holloman is charged with stealing credit card numbers, Social Security numbers and other private financial information from the application […]


Victory Against RFID Passports is Near

“The State Department seems to be putting down the purple Kool-Aid and looking at the serious problem this technology presents,” said Mr. Scannell, who runs an Internet site called; the first part of the name stands for radio frequency identification chips. “But no matter how much stuff you layer on the technology, it is […]


Small Bits: Labelling Software, People, Aaron Weisburd's Foreign Policy

Gunnar Peterson offers up a label for software that he stole from Jeff Williams. I had a good, if short, back and forth with Geoff, of Screen Discussion, in his comments, on using photographs to enhance criminal background checks, by including photos with the records of criminals, so the viewer of a report can compare. […]


Banks as Big Brother

“AML software will change international banking forever,” said Suheim Sheikh of SDG Software, an Indian software firm hoping to tap into the big new market. “Governments across the world will have their eyes on bank customers,” he added. “Since the software can monitor so many accounts, so many transactions, all kinds of people will be […]


Usability as a Security Concern

Building new technologies involves making tradeoffs. A programmer can only develop so many features in a day. These tradeoffs are particularly hard in building privacy enhancing technologies. As we work to make them more secure, we often want to show the user more information to help them make better decisions. This impacts usability. The security […]


What Are You Hiding, Democrat?

Time Magazine reports: The State Department has traditionally put together a list of industry representatives for these [Inter-American Telecommunication Commission] meetings, and anyone in the U.S. telecom industry who had the requisite expertise and wanted to go was generally given a slot, say past participants. Only after the start of Bush’s second term did a […]


Choicepoint: April 24

The Privacy Law Site posted on the Schumer-Nelson Comprehensive Privacy bill on April 13, but I just found it. The author summarizes the bill. Richard Clarke has a column in the New York Times, “You’ve Been Sold,” in which he outlines some reasonable parts of a new law. [Added shortly after first posting.] The Seattle […]



After a recent hard drive failure on my Mac, I realized just how much I hate the web. No, that’s not really true. I don’t hate the web. I think the web is great. Advertising on the web, that drives me to distraction. And so I realized how much I appreciate Mike Solomon’s PithHelmet plug-in […]


Cool Music

While denying being a member of the ruling class, Asteroid points to some pretty cool music, including DJ Earworm, which helped me track down another site Asteroid mentioned: DJ Cal, at, whose “Hendrix vs Jackson – Foxy Jean Haze” is a masterpiece.



Speaking of distributed innovation, the Open Source Vulnerability Database is a great project, dedicated to accumulating deep technical knowledge about computer security vulnerabilities, and making it freely available. And now it turns out, they have a blog! Mark Ward has an interesting article, “Predicting Vulnerabilities, Quotes and more.” When the patch comes out, many people […]


MBP On Impatience

Martin Pool, whose blog lacks a comment facility, quotes a history of Windows NT: The first two weeks of development were fairly uneventful, with the NT team using Microsoft Word to create the original design documentation… Finally, it was time to start writing some code. (I wish I’d seen this line a couple of days […]


Distributed Innovation

In the New York Times, Virginia Postrel writes about the work of Eric von Hippel, head of the Innovation and Entrepreneurship Group at the Sloan School of Management at MIT, who has a new (academic) book, “Democratizing Innovation.” But a lot of significant innovations do not come from people trying to figure out what customers […]


"£155,000 per instance of fraud"

Bruce Schneier writes: The UK government tried, and failed, to get a national ID. Now they’re adding biometrics to their passports. Financing for the Passport Office is planned to rise from £182 million a year to £415 million a year by 2008 to cope with the introduction of biometric information such as fingerprints. A Home […]


Small Bits: Airport Security, Tax Web Bugs

Stupid Security covers an AP story: Security at U.S. airports is no better under federal control than it was before the Sept. 11 attacks, a key House member says two government reports will conclude. None of us here [at Stupidsecurity] are surprised. The real fun begins with the second paragraph: “A lot of people will […]


Small Bits: Ameritrade, Tax & web privacy, revolution, medicine

It turned out someone I had dinner with last night had gotten an Ameritrade letter. According to her, Ameritrade is not offering credit monitoring service.* “Lotus, Surviving A Dark Time,” has some good analysis: Well, duh with a PR stamp. How could they have heard of any such “misuse?” If customers had any bad experiences, […]


CMU, 5,000+, Hacker

A hacker who tapped into business school computers at Carnegie Mellon University may have compromised sensitive personal data belonging to 5,000 to 6,000 graduate students, staff, alumni and others, officials said yesterday. … There is no evidence that any data, including Social Security and credit card numbers, have been misused, officials said. But they have […]


Choicepoint Earnings

ChoicePoint Inc. (NYSE: CPS), today reported first quarter total revenue growth of 19 percent compared to 2004. First quarter total revenue for 2005 was $259.3 million. … These expenses included approximately $2.0 million for communications to, and credit reports and credit monitoring services for, individuals receiving notice of the fraudulent data access and approximately $3.4 […]


Small Bits of Security Chaos: Airports (2), Bastille Linux adds metrics

The Department of Homeland Security Office of Inspector General has written a report on TSA security: Improvements are still needed in the screening process to ensure that dangerous prohibited items are not being carried into the sterile areas of airports, or do not enter the checked baggage system. In our report on the results of […]


Choicepoint, April 20

Presto Vivace reports that: During the April NCC AIIM meeting, a member of the audience asked how the IRS’ Free-File could avoid becoming another ChoicePoint, clearly a reference to recent security breaches. Everyone in the room immediately understood the reference; no explanation was needed. CBS Marketwatch reports “For now, little way to halt firms’ leaks […]


Trackbacks vs. Technorati?

Kip Esquire points to WILLisms, who wants to “Save the trackback.” I think I’m running about 10-to-1 spam trackbacks to real ones. It’s clearly because I talk about nothing but poker and viagra. I have to say, I love getting real trackbacks. I like it when people take what I’ve said and expand on it. […]


Ameritrade, 200,000 SSNs, Backup Tape

Some days I feel like I’m playing Clue… It was Mr. Mustard, in the study with the lead pipe. Ameritrade Inc. has advised 200,000 current and former customers that a computer backup tape containing their personal information has been lost, has learned. The tape contained information spanning the years 2000-2003, and included both current and […]


Removing Excel Macros?

I have a document where I started to create a macro, then realized that some clever search and replace would work. So I stopped creating the macro. But now, the document (which I share with others) has a macro in it. Sure, it’s possible to open with macros disabled, but I’d like to remove the […]


Hasbrouck on RFID Passports

In his closing CFP keynote, Bill Scannell of asked for voice votes by the audience on whether a series of government measures including the use of secretly and remotely-readable RFID chips in passports were stupid or evil. “Both” seemed to be the predominant response. I and some others (including Ryan Singel of Wired News […]


DSW, IRS Security Failures

What is it with order of magnitude errors in victim counts? DSW Shoe reports 1.4 million credit cards exposed. In other news, the General Accounting Office reports [The IRS] has corrected or mitigated 32 of the 53 weaknesses that GAO reported as unresolved at the time of our prior review in 2002. However, in addition […]


Lebanese Democracy

The fine folks at Spirit of America are blogging their time in Lebanon. Yesterday, they point to Pulse of Freedom, where folks working towards real democracy in Lebanon are blogging. Very cool.


What Do You Need To Do To Get Fined?

As I covered in “Canadian Privacy Law and CIBC,” CIBC spent years faxing information to, amongst others, a West Virginia scrap yard. Today, the Privacy Commissioner released her report, and asks that they please, pretty please do better next time. See the press release, if you really want to. Via Dave Akin.


Housing Bubble?

Tyler Cowen asks whether DC has a housing bubble, and how we can justify the price rise: Housing can be lived in, most buyers have only one home, transaction costs are relatively high, and rarely are homes sold and resold in a matter of days. All those features militate against a housing bubble. Yet […]


Relentless Navel Gazing, in the blogger style

I’ve made a couple of CSS changes. (CSS is the Content Style Sheet which controls how this page looks in your browser.) Mostly making the CSS fully valid, and adding some padding around list items so they don’t scrunch together quite as much. Aren’t you thrilled? Do let me know if it looks messed up, […]



Speaker B: And the helmets are shaking their purple-dyed crests, and for the wearers of breast-plates the weavers are striking up the wise shuttle’s songs, that wakes up those who are asleep. is a pretty unexceptional line of a play, unless you happen to be a classicist, familiar enough with the works of Sophocles to […]


Apple Security Update 10.3.9, Analyzed

I have a confession to make. I’ve spent way too much time thinking about patching, and secure programming technique. This week’s Apple security update is interesting to me for a few reasons. Two side comments before I delve into the nitty-gritty. What’s with releasing this at 5.30PM on a Friday? If Microsoft had done that, […]


Polo Ralph Lauren Breach: The Rules Have Changed.

The security failure at Polo Ralph Lauren is going to be a big story. Not Choicepoint big, but big. According to ComputerWorld, in “Scope of credit card security breach expands: [An emailed] statement also noted that Polo Ralph Lauren has been working with law enforcement officials and credit card companies since fall 2004 to determine […]


Small Bits: Turing Test, Keynote HTML!, individual i, zipcar,

Students need volunteers: Back in the 1930s, Alan Turing proposed a “Gender Guessing Game” in which a judge, connected to two people in closed rooms with a teletype each, would attempt to guess which was a man and which was a woman. Turing then proposed extending the game into his infamous “Turing Test” where a […]


DNA Dragnets Not Needed

In January, I blogged about the city of Truro, Mass, trying to get DNA samples from all 790 residents. (“DNA Dragnets” and “DNA Dragnets and Criminal Signaling.”) The New York Times reports that they’ve arrested someone: Mr. McCowen was first considered a possible suspect in April 2002, three months after the murder, Mr. O’Keefe said, […]


Choicepoint, April 15

Inside Bay Area claims “Protecting consumers’ personal information may not be possible.” Former Congressman Bob Barr, writing for Findlaw, disagrees in an insightful article. Robert Gelman suggests that government only buy from vendors who voluntarily follow fair information practices in the second half of his DMNews editorial, “ . . And Into the Fire” Businessweek […]


Congratulations, Choicepoint!

You’ve won the Big Brother award for Lifetime achievement! It was a tough battle for top place this year, and while Choicepoint was the people’s fave, we all know that those privacy elitists don’t really care about the little people. Other winners included California’s Brittan Elementary. The Department of Education got worst government department, despite […]


Small Bits of Chaos: Video, Anonymous Blogs, Real ID Act dead

This New York Times article on Videos Challenge Accounts of Convention Unrest covers the fascinating conflict between the video and human memories of an event; the issues raised by transparent video editing, and other issues. Worth reading. During a recess, the defense had brought new information to the prosecutor. A videotape shot by a documentary […]


Choicepoint, April 14

Following yesterday’s Congressional testimony, there’s analysis by Thomas Greene in The Register, also in Internet News. The Atlanta Journal Constitution reports that Choicepoint VP Doug Curling, and LexisNexis President Kurt Stanford both seemed to come out as accepting of extending fair information practices to their businesses. The testimony prompted editorials in USA Today, and the […]


Dear Canon

Dear Canon, Why do you make it harder for me to download the software for my camera than to download a brochure? Is it because I’m stuck and have already bought your camera? Do you hope I’ll forget this experience? Because I can’t figure out how to make either of my web browsers suck enough […]


Ed Felten on Passports

Yesterday at CFP, I saw an interesting panel on the proposed radio-enabled passports. Frank Moss, a State Department employee and accomplished career diplomat, is the U.S. government’s point man on this issue … In the Q&A session, I asked Mr. Moss directly why the decision was made to use a remotely readable chip rather than […]


Breaches: Tufts, GM/HSBC/Ralph Lauren

Infoworld reports 106,000 Tufts Alumni getting letters, and Cnet reports that “A bank tells 180,000 people who used their GM MasterCards at Polo Ralph Lauren that their data may have been stolen.” (That sounds like a strange set of circumstances. Who sorts their data by credit card issuer?)


Orientation and Supreme Court Rulings

Over at Volokh, Orin Kerr has a beautiful analogy which illustrates orientation issues in reading Supreme Court cases. By orientation, I mean the sum of cultural, educational, and training experience that come together to influence the way people interpret the things they observe. (In other words, what Boyd meant.) Kerr writes (emphasis mine):  I think […]


Rational Response?

Sitting at a coffeeshop today, I listened to the fellow behind me try to get Dell and Equifax to agree to fix his credit. It seems that his father passed away recently, in debt to Dell over a computer. That debt is now on his credit report, despite his not being a co-signer for the […]


Small Bits: Iran annoyed, Academic Publishing, Immigration law, Iraqi Justice

Iran seems to be annoyed that Canada is engaged in a minimal attempt to find out who murdered Zahra Kazemi, and see that they’re brought to justice. It seems that more and more academics are getting the word: Access to your research is good. I wonder when the computer scientists at IEEE and ACM will […]


Choicepoint Roundup, April 13

Internet News has one of many reports on the latest breaches, this one titled “Feinstein Tightens ID Theft Proposal” Bob Sullivan at MSNBC reports on background checks: But experts say the nationwide tallies are often full of holes, and contain as few as 70 percent of all felony conviction records, leading in turn to a […]


Choicepoint's "Privacy" Officer

Declan has some choice words about Choicepoint’s new Credentialing, Compliance and Privacy Officer, in “Sidelining Homeland Security’s privacy chief:” DiBattiste sounded like she was replying to a pesky reporter when she wrote back [To TSA Privacy Officer Nuala O’Connor Kelly]: “TSA Public Affairs has no information in response to your request.” How fitting, then, that […]


59 breaches at Lexis-Nexis

[T]he company said just 2% of those informed by the company in March of the security breach had accepted its offer of free credit monitoring and none had reported identity theft. All the others will also be offered the services, it said. (From CNN, or see the statement here.) So, let’s review. A slew of […]


Choicepoint, April 9-12

The Daily Caveat tells us that “Choicepoint Changes Access to Personal Data,” and Research News has more. No word on what level of audits Choicepoint will be doing. It sounds like there will be a pulldown menu or checkboxes for “allowable uses,” perhaps causing people to think for a bit, then get used to selecting […]


Happy Gagarin Day!

Forty-four years ago today, Yuri Alexeyevich Gagarin became the first person to fly in space. There’s a fascinating anecdote from Doug Higley at the Encyclopedia of Astrobiology, Astronomy, and Spaceflight. Higley was with the US Army Security Agency unit tasked with monitoring Russian missiles on the day Gagarin flew. Or read up on the Yu. […]


Lexis Nexis, Tenfold

Lexis Nexis is saying that they understated the number of victims in last month’s incident. It is not 32,000, but 310,000. Kudos to them for stepping up and admitting to it. It’s the right thing both ethically and strategically. Reed spokesman Patrick Kerr said that the first batch of breaches was uncovered by Reed during […]


A Picture is Worth A Thousand Words

I’ve briefly mentioned the story of a fellow getting his finger hacked off so the thieves could make off with his S-Class Mercedes. But images are far more powerful than words. Google claims that the German reads “Forest worker…or S-Class owner?” I’d love it if someone could offer a translation of the German text in […]


AdScam in Canada

Apr. 10 – People who compare Adscam to Watergate are missing a vital difference. Whereas the Watergate hearings began with the use of private donations to President Nixon’s re-election campaign for illegal operations, Adscam is increasingly exposing the use of public, taxpayer money to fund the election campaigns of the Liberal Party. So says Being […]


Anti-Terror Funds Earning Interest

Over drinks, I like to enrage my computer security colleagues by suggesting that we’re spending too much on computer security. My evidence for this is that, despite all the attacks and break-ins and worms and what-have-you, no one’s going out of business. But the news in Saturday’s Washington Post, “Most Area Terrorism Funding Not Spent,” […]


Dear American Airlines

Over at Boing-Boing, Cory posts the latest in his saga of having American Airlines ask for a written list of his friends. As I thought about this story, I realized something very worrisome. I fly American! I also realized that I don’t know if I’ll have the right papers with me when I do. So […]


Small Bits: Digitizing Art, Making Sense, Wages of Sin, Pookmail

Capturing the Unicorn is an article at the New Yorker about the hubris of technologists trying to capture art. (The technologists win, but the archivist in me asks: CDs?) 13 things that do not make sense is a New Scientist article about, well, 13 things that don’t make sense. Some foolish people might look at […]


Workers Steal PINs, Cash

BANGALORE, India — Former employees of a call center in Pune, India, were arrested this week on charges of defrauding four Citibank account holders in New York, to the tune of $300,000, a police official said. The three former employees of Mphasis BPO, the business process outsourcing operation of Bangalore software and services company Mphasis […]


Choicepoint, April 8

Choicepoint has been nominated for a lifetime Big Brother award. Best of luck, folks! Prophet or Madman points to an article at Knowledge@Wharton about the issues raised by the case. Robert Gellman has a column in DMnews “Out of the Frying Pan.” Choicepoint has announced their earnings call and webcast, on April 21. (Is ‘before […]


Small Bits: Hezbollah, Blowhards, Shit & Cookie Monster

JihadWatch points to a Sunday Times article: PALESTINIAN fighters have revealed that Hezbollah, the militant Lebanese group backed by Iran, is offering to pay for attacks aimed at shattering the fragile truce with Israel. Maciej Ceglowski has some harsh words for Paul Graham’s essay “Hackers and Painters,” in an essay “Dabblers and Blowhards.” However, he […]


Small Bits

Newsday reports on Orange County, Florida Sheriff Kevin Beary abusing law enforcement access to records. He sent a letter to Alice Gawronski’s home, objecting to her letter to a local newspaper. He claims it was “legitimate use of public records.” Dan Farmer’s new company, Elemental Security, has launched. Speaking of launched, Steve Hofmeyer, of Sana […]


Interim Pope

Normally, I try to avoid comment on religious matters, but I think it’s important to be aware that Samablog has taken the first step to becoming an anti-Pope by declaring himself Interim Pope. The blogosphere shall elect the next pope! Or something. We bloggers didn’t cause the Thirty Years’ War.


Choicepoint, April 3-7

Diebold, Choicepoint Partner to Offer Innovative Voting Technology was an April Fools item I forgot to blog: Alpharetta, GA – Diebold Election Systems and Choicepoint, Inc., today announced a joint venture that could revolutionize the voting market. The concept is simple: combine Diebold’s demonstrated expertise in voting systems with Choicepoint’s superior data-mining techniques to produce […]


Anonymous Blogging Project

I’ve mentioned the Spirit of America anonymous blogging project before. To help move things forward, I’ve offered Jim Hake my assistance as a project coordinator. As Jim describes the project: The project is to review all available technologies and techniques and get the input of the best minds available to put together a plan for […]


More on AIM & Privacy

Recently, I griped about AOL’s privacy policy. Today, PGP Corp announced their second public beta of PGP 9, which includes support for encrypting AIM sessions. It’s not clear if this will be in the personal edition. I sure hope so.


5th Privacy Enhancing Technologies Workshop

The program has been posted for The Fifth Privacy Enhancing Technologies Workshop, which will be held in Dubrovnik, Croatia, 30 May – 1 June. (Corrected spelling.) There’s an affiliated executive briefing, 2-3 June.


4th Workshop on the Economics of Information Security

The Fourth Workshop on the Economics of Information Security will be held in Boston, June 2-3. The schedule is now online. I’ll be presenting a short essay on “Avoiding Liability: An Alternative Route to More Secure Products” at the rump session. I’d love feedback. Ian Grigg has talked about alternate review systems.


Student Database

Both Blog*on*Nymity and Kip Esquire are covering a massive student database, that seems to be there to ensure that, well, you know, look! A terrorist! More compulsory privacy invasions for little apparent benefit to anyone, except the newly fully employed bureaucrats. And you thought Berkeley losing a laptop was bad?


Relentless Navel Gazing

I never really liked the bar down the side of my blockquotes, and have finally replaced them, with a style stolen from Simple Thoughts. They’re in 52pt Copperplate as transparent background gifs. Does anyone know how to add a second image, at bottom right? Putting background: url( no-repeat bottom right; url( no-repeat top left; into […]


Small Bits: Canada, DNA, Microsoft and Tea

While publicly recalling their Ambassador over the brutal murder of Zahra Kazemi, the Canadian government was playing host to Iranian officials, looking for security information, reports the CBC: In dozens of e-mails, there is no mention of Kazemi, and no one questions why Canada would help Iran, considered by some to be a brutal police […]


Making Steady Progress, Keep Paying Us

In this New York Times article on NASA’s “broken safety culture,” we find: In the months after the Columbia disaster in February 2003, the space agency started several initiatives to enhance safety, including the creation of an Engineering and Safety Center at its Langley Research Center in Virginia. It has worked with Behavioral Science Technology, […]


Clueless about ID Theft

I’m not sure if Jon Ostik’s column “Want to prevent ID theft? Get back to basics” is a brilliant April Fool’s Day joke, or, an example of, as the Identity Theft blog claims, “Many “security professionals” are clueless about identity theft.” Before anyone panics, the logical first step in any security process is an audit. […]


One Nice Thing About a Written Constitution

A legal principle which prevents people being tried for the same crime twice is being scrapped in England and Wales. The ban on “double jeopardy”, which has existed for around 800 years, will be consigned to history from Monday. The Court of Appeal can now quash an acquittal and order a retrial when “new and […]


Cool Tech Not at RSA

Quick! Someone get these folks a marketing department! Someone showed me a cool password storage token from Mandylion Labs. You can load passwords over a little electronic interface, and then keep long lists of superuser passwords in your pocket. I had to mail my buddy to get their name. It seems somewhat better than a […]



My local supermarket has Stroopwafels! They’re cleverly hidden in the cookie section, which I carefully avoid (due to a lack of willpower). But next time someone gripes about global free trade, I have a miniature stroopwafel to throw at them. Yes, I got the mini ones. No, I’m neither illiterate, nor smoking anything. I got […]



I’ve added Screendiscussion to the blogroll. I don’t always agree with Geoff, but he seems insightful, interesting, and genuinely willing to grapple with the questions that his profession raises. He also posts actual posts, rather than a clipblog. For example, this morning’s post is “Background Checks Must Be Relevant,” and points out a case where […]


Choicepoint, April 2

The Atlanta Journal Constitution has an editorial “ChoicePoint’s offer not enough:” The better solution would be to prohibit companies such as ChoicePoint from warehousing personal information in the first place, since security has proved so problematic. Computerized collections of consumers’ Social Security numbers, credit information, driving histories, medical and court records may make commerce […]


Information Security Magazine on Choicepoint

Information Security Magazine has an interview with Choicepoint CISO Richard Baich. It’s behind a subscriber-wall, so I’m excerpting bits of it after the read more.. (Via Run-DMZ.)


Small Bits: Biometrics in Drivers Licenses, Cars, Privacy Art

Grits for Breakfast writes about his testimony before the Texas House in Biometrics debate hinged on ID theft: The committee also seemed surprised that DPS had included facial recognition technology in their drivers license re-engineering RFP, even though the Legislature did not approve it. My understanding is that the AAMVA (American Association of Motor Vehicle […]


Iranian Treatment of Journalists

Rape, Torture, and Lies. An ongoing Canadian saga has a sad new twist today: photojournalist Ziba Zahra Kazemi was likely brutally tortured and raped before her death in Iran in 2003. Arrested after a demonstration, the official Iranian line has been that her death was an accident due to injuries from a fall. The ER […]


Choicepoint Acquires Emergent Chaos

Alpharetta, Georgia, April 1 /PRNewsWire/ Alpharetta-based information broker Choicepoint today announced its intent to acquire the blog “EmergentChaos,” citing market synergies, cost reductions, and new revenue opportunities. Financial terms of the deal were not disclosed, but Choicepoint CEO Derek Smith said “We knew just which buttons to push.” Emergent Chaos is a weblog, or “blog,” […]


Choicepoint, March 29-31

Alacrablog discusses a Morgan Stanley research report: Certainly manageable numbers, but I think the report underplays both the potential growth in these markets prior to these incidents and the rising costs due to increasing regulation of the data brokers. There’s also an interesting post rounding up the SIA Anti-Money Laundering conference. The Atlanta Business Journal […]


"Public Availability of Private Information"

Screendiscussion makes a case for criminal records searching as an adjunct to a background check: One of the biggest downsides is that the records can only be searched by name, an occurrence that is becoming more common even at the lower courts. This might not be a problem if the name being searched is pretty […]


Three Times is Enemy Action

With the announcement yesterday of a stolen laptop with 30 years of alumni social security numbers on it, and the October break-in that led to 1.4 million people being exposed, how long until California forbids the University from holding such numbers? Clearly, they’re not to be trusted; students have no choice but to provide that […]


P2P, Filenames

The other day, Samablog and I did some P2P mining, after Michelle Malkin blogged about it. She links to P2P Provides Safe Haven For Pedophiles. There, Rick shows screen captures of extremely disgusting file names (“2 yo getting raped during diaper change”). He doesn’t download any files, but takes this as evidence for his title. […]


Optimism about the Future

I was talking to someone about a New York Times story “U.S. Is Examining a Plan to Bolster the Rights of Detainees.” The story contains the line: Those changes include strengthening the rights of defendants, establishing more independent judges to lead the panels and barring confessions obtained by torture, the officials said. I made a […]


Choicepoint, March 27-28

EPIC has obtained documents which… … reveal that Choicepoint proposed the sale of detailed personal information to the Bureau for law enforcement purposes. The documents show an extraordinary range of data sources, including e-mail registration, cookies, spyware, employment screening reports, motor vehicle records, drug screening results, professional licensing, Social Security Numbers, wireless phones records, and […]


Emergent Predictions

By the end of 2005, we will have had a month with at least 30 disclosures of serious security breaches, making private information about people available. At least 10 of these breaches will involve data which organizations are required by law to store and protect. This will cause a set of Congressional hearings, in which […]


Watch Lists: Juan Carlos Merida

Juan Carlos Merida is an unusual victim of the watch lists. He knows why he’s on one. As the New York Times reports, while a volunteer at the Airman Flight School, he gave rides to lots of students. The students he gave rides to included Zacarias Moussaoui, who is currently awaiting trial on suspicion of […]


RFID Kills

The US Government is pushing a plan to add radios to every passport in the world. These radios will broadcast all the information in your passport to any immigration officer, id thief, or terrorist who wants it. Want to see if there are more Americans on the right or left side of the plaza? No […]


Microsoft Security Lifecycle

Michael Howard mentions that Microsoft has published their Software Development Lifecycle for security. Slag all you want, but I don’t see a lot of other vendors doing this. And now, if you need leverage to get buy in, you can either say, “We should emulate Microsoft…” or “Even Microsoft does…” It’s a win. Thanks for […]


Framing Effects & Law Reviews

“Framing effects” is the term academics in a variety of fields use for the variety of contextual effects on perception. For example, six months ago, this laptop went for $4800, and now it’s just $3,500! Similarly, law reviews, where lawyers write for each other, are usually exceptionally long, from my perspective. And so we get Orin Kerr […]


Small Bits: Long tunnels, Marburg virus, Cyber Cons

Iraqi prisoners have dug a 200m tunnel out of one of the US-run prisons in Iraq. The BBC has pictures. Marburg virus is spreading in Angola. Marburg is an Ebola-like haemorrhagic agent. Some analysis. Charles Cooper has some commentary ranting about the state of the information security industry at cnet: It’s tempting to become […]


Lying to Congress, Murdering Prisoners Now Legal

Ryan Singel reports that lying to Congress is now legal, at least according to TSA spokeswoman Amy Von Walter. “Von Walter also indicated the agency is working to make sure that the public and Congress are better informed about the agency’s actions.” In other news, the Pentagon will ignore the recommendation of the Army Criminal […]


Choicepoint, March 24/25

The Federal Reserve has joined the FDIC in ordering banks to notify customers of breaches. Forbes reports that Choicepoint director Thomas Coughlin has resigned his day job at Wal-Mart: “A senior board member of Wal-Mart Stores Inc. resigned Friday following an internal investigation related to personal reimbursements, billing and company gift cards.” [Choicepoint CEO] Derek […]


Security In a Changing Nation

Screendiscussion responds to my comments about “Three Privacy Breaches” in Security In a Changing Nation. He sums up his argument as “Why? The reason is that we, as a nation, have become extremely security conscious in the past few years.” I think this is only partially correct. I suspect that this is part of it. […]


Small Bits of Chaos: Anonymity, Citizenship

Ed Felten summarizes Wendy Seltzer’s comments on the NYT “Open Wifi is evil” article: “anonymous sources claim anonymity is evil.” The Department of Citizenship amends their terms and conditions. (Via Michael Froomkin.)


Discretionary Disclosure

A man who pleaded guilty to hacking into an Arkansas data company’s computer system and stealing personal identification files was sentenced Wednesday to nearly four years in federal prison. Daniel J. Baas, 26, of suburban Milford, entered his plea in December 2003, after being indicted that August. Baas was a systems administrator for Market Intelligence […]


Disclosure Laws & Regulations

Declan McCullagh writes about new rules requiring banks to disclose breaches, as promulgated by an alphabet soup of federal regulators. A brief digression: The new guidelines seem to make sense, but it’s difficult to figure out whether they go too far or not far enough. Normally consumers can shop around and choose products based on […]


"A Unified Theory of VC Suckage"

Brad Feld pointed to an essay by Paul Graham, entitled “A Unified Theory of VC Suckage.” (VC is short for venture capitalist, the folks who invest in certain types of startup companies.) I used to take it for granted that VCs were like this. Complaining that VCs were jerks used to seem as naive to […]


"What Would Gandhi do?"

“What would Gandhi do?” is the title of a soul-searching post by Joi Ito about positioning. It reminded me of a passage in William Shirer’s memoir of his time with Gandhi. I’d like to quote the passage, which ends chapter 11, and then add some comments. The context is Gandhi’s visit to England, and in […]


Three Privacy Breaches

“DMV hopes to reassure clients about security.” The DMV on Wednesday will send out letters describing the incident and new driver’s licenses with different numbers to the 8,738 people whose personal information was stored on the stolen computer, said Kevin Malone, spokesman for the DMV. “Audit: State voter system left information vulnerable:” The state elections […]


Small Bits: Hell, TSA, Insurance, Mutual Funds, Telephone Privacy

Asteroid analyzes Sisyphean volunteers and the modern condition in a brilliant essay. It just goes to show, the Greeks really did invent everything. Robert Poole and Jim Harper debate the TSA in “Transportation Security Aggravation” at Reason. Tyler Hamilton looks at two schemes to cut your auto insurance premiums by monitoring your driving, and their […]


Choicepoint, March 22/23

The Daily Caveat rounds up the five shareholder lawsuits against Choicepoint. The Atlanta Business Journal has an article on Choicepoint’s executive compensation. Kim Zetter at Wired has a three-page story on Choicepoint’s Checks Under Fire. CNN reports that only 11% of id theft occurs online. Well, actually, there might be some methodological problems. It’s […]


Those Exemplars of Ethics at the UN

Read this transcript about former UN Oil-for-Food program lead, Benon Sevan. Apparently the UN is paying his legal fees. Question: The other question was a follow-up to a story in the New York Sun today. The United Nations has been paying Benon Sevan’s legal fees. Is this appropriate? Is this normal practice? And why did […]


Electronic Voyeurism

Jason Young has a great, thoughtful post at Blog*on*nymity: Like other nations, Canada has moved to adopt criminal sanctions for electronic voyeurism, a social problem that has become acute with the availability of cheap and unobtrusive surveillance technologies. The legislative efforts are welcome and yet I cannot help but wonder if we are missing the […]


How Many Home Pages?

I was trying to enter someone’s web address into Apple’s Address book recently. Unfortunately, Apple believes that you have a home page. This is at odds with almost all the other fields in Address Book. You can have lots of phone numbers. A profusion of email addresses. And one home page. Me? I have a […]


Choicepoint, March 21

Businessweek has an editorial, saying strong regulation is unlikely, but credit freezes, mandatory disclosure, and liability for breaches should come. (I’d argue that liability for inaccuracy, creating a duty to the subjects of a database should also be considered a floor for a new law.) EPIC has written to the FTC, critiquing their testimony. (Via […]


Small Bits: Caller-ID, FBI Lies, Intel Reform, and GCC

Wired is carrying a Reuters story blaming VOIP systems for security flaws. The claim is that VOIP, by allowing everyone to set their caller id string, is causing security problems. This is false. These security problems have existed and have been exploited for a long time. For banks, or anyone else to rely on caller […]


Kyrgyzstani Democracy

The BBC is reporting that Opposition demonstrators in Kyrgyzstan have taken control of a town, as protests continue a week after the second round of disputed elections. In Jalal-Abad, a police station was set on fire, and protesters took control of the airport to prevent reinforcements being flown in. Protesters say President Askar Akayev’s party […]


Response to Solove & Hoofnagle

As I mentioned previously, Daniel Solove and Chris Hoofnagle have written a paper on “A Model Privacy Regime.” This post makes a lot more sense if you’ve read their paper. I’ve read through it, and think that it’s pretty good. My responses to specific sections are below. First I’d like to comment on the free […]


Choicepoint, March 20

Susan Kuchinskas writes “No Security in SSNs?” for Internetnews. Credit bureaus and information brokers will doubtless lobby Congress, saying changes to the rules will hurt their business. But Solove said their voices might not carry as much weight as they used to. “They had their chance. They weakened the legislation, and, as a result, more […]


Small Bits: Avoid Brink's, Code Metrics, Privacy Regs, Blackstone

Ed Foster writes about Brink’s contract provisions: contracts that don’t go month to month, but year to year when you try to leave. Brink’s is fully within their right to write such contracts, and I’m free to suggest that you should consider shopping elsewhere. (Via Dan Gillmor.) Mark Miller suggests a new code metric, […]


Choicepoint, March 19

Not In Chicago Anymore comments on Handling of Credit Related Information, and some of the possible repercussions of new law. Ryan Singel at Secondary Screening points out in “Popcorn, popcorn” that (Choicepoint Vice President) McGuffey testified under oath that he told (CPS President) Doug Curling about the investigation in November, which would mean that Curling […]


Screening the Open Society Paradox

If you’ve been enjoying the Chaos-Paradox spat, Ryan Singel’s Paradox Still a Paradox is not to be missed: But when it comes to big data brokers that compile dossiers on Americans and list marketing firms that enhance their lists with data bought from data brokers, Bailey thinks they should be immune from the return gaze, […]


Bad advice on SSNs

Bad advice on use of social security numbers abounds, often in technical documentation. Credit goes to reader Jonathan Conway for digging many of these out. There are a few very common errors which we can find, thanks to Jonathan’s research: Social security numbers are un-changing. No, they are not. Victims of identity theft, domestic abuse, or […]


Choicepoint, March 18

ChoicePoint’s data bonanza lures thieves, in the Atlanta Journal Constitution. The Q Speaks asks what have we wrought in “ID theft writ large.” In another example of what we have wrought, “the Fairfax County’s School Board awarded a contract Thursday night to ChoicePoint, Inc., for testing student athletes and bus drivers for drug and […]


Colleges and SSNs

For a very long time, colleges have been using social security numbers as identifiers for their prospects, students, and alumni. This is starting to change, driven by liability and brand concerns. No school wants to transform your (hopefully) fond memories of your time there into a firestorm over privacy. From ZDNet: Dunn said [Boston] college […]


Chris Allen and Socializing

Chris Allen has been doing a series of posts on the sizes of social groups, what factors can make groups work and not work, and related bits, like the use of software to help manage groups of friends. His latest post is Dunbar, Altruistic Punishment, and Meta-Moderation. It concludes: In summary this research offers me […]


Small Bits: Simson, Maoists, and a £219m Heist Attempt

Simson Garfinkel has won a Neal award for his writing for CSO. Congratulations! (His latest column is on Skype.) Whiskey Bar has a comparison between Maoists and American Conservatives in Scenes From the Cultural Revolution. Willie Sutton finds the Internet, according to this story. Israeli police are investigating with British forces an attempted robbery […]


Choicepoint, March 17

Choicepoint’s 10K warns of danger to profits. (AJC) The full filing is about a megabyte; Yahoo has excerpts. Kip Esquire at A Stitch in Haste offers practical advice to Choicepoint on how to make an apology sound sincere in Linkfest — Special “While You Were Out” Edition. Daniel Munz transcribes more of the Senate hearings, […]


Google Makes It Look Easy

Google Labs has done an OSX Dock style home page. It’s pretty cool. What makes it cool is not the graphical style it presents, but the brilliance of the icon design. If you know what services Google offers, the icon makes sense. (I had to mouse over local, video and options to see what they […]


DHS Planning Better

Cryptome publishes “Homeland Security Council: 15 Attack Scenarios,” “DHS Universal Task List v.2.0,” and “DHS Target Capabilities List v.1.0.” It looks like a well executed set of planning docs. Some quotes from the New York Times: The agency’s objective is not to scare the public, officials said, and they have no credible intelligence that such […]


Lessig on Academic Publishing

Academic publishing is an interesting racket. An academic, probably paid by government grants, writes a paper. They submit this paper to various venues, in the hopes of getting it published. The people who review the paper are volunteers, paid in prestige. The paper is then put into a volume costing gobs of money, which goes […]


Choicepoint, March 16

The House Energy and Commerce committee held hearings. Thanks to Ryan Singel for letting me know they were webcast. Payments News points to the written testimonies of Choicepoint and LexisNexis “Let me begin by offering an apology on behalf of our company and my own personal apology to those consumers whose information may have been […]


My Categories Suck

The categories I’ve set for this blog are non-functional. I have 16 categories, of which maybe 4 are ever exclusive. Do you look at my categorization of posts? Do you look at the category archives? Should I create a new set of categories? If so, what? (mmm, Choicepoint! Not.) Should I abandon categories and go […]


Choicepoint, March 15

The LA Times has more on what happened, and Choicepoint’s controls. A great many people feel that this is a compelling story. I enjoyed reading the spouter inn. Finally, today’s Two Minutes Hate comes to you from Futurismic. I’ve been covering Choicepoint issues since the scandal broke.


"Taxation Ventage"

Justin Mason has a great rant, titled “taxation ventage.” In the US, every worker is required to prepare and file their own taxes, in detail. Nowhere outside of India can do bureaucracy quite like the US, as far as I can tell — even the Brits have embraced simplicity to a greater degree — so […]


Choicepoint Roundup, March 14

Omari Norman takes issue with the term identity theft. It’s a good point. Paul Syverson has pointed out that correct terms are “fraud,” “misrepresentation” and “libel,” but those don’t seem to have caught on. This ABC News story about how Americans think there’s too much government secrecy doesn’t relate directly to Choicepoint, except the government […]


Privacy and Background Checks

In a comment, Axinar writes: Is it reasonable for an employer to know whether or not a potential employee has a history of violence or theft? Well, probably. And with our liability situation the way it is, generally any company with deep pockets is virtually REQUIRED to run background checks because if an employee “goes […]


What to do, What to do?

Over at Open Society Paradox, Dennis Bailey challenges me: Emergent Chaos documents some problems but ends with a personal slam against ChoicePoint’s CEO. [Ed Note: Technically, we call that the “middle,” not the end.] What would Emergent Chaos have us do? Should we follow the Fair Information Practices and allow 300 million citizens to be […]


Emergent Uses of Technology

I love navel gazing. I try not to expose my readers to too much of it, but this post by Seth Schoen at EFF’s Deep Links captures the spirit I think about when talking about emergent chaos: The Business Models working group‘s mission has been based on the premise that “no system can be properly […]


Why Choicepoint Resonates

It’s now a full month since Bob Sullivan of MSNBC broke the Choicepoint story. I’d like to think back, and ask, why does this story have legs? Why are reporters still covering it? There are a couple of important trends which combine to make this a perfect storm, attractive to editors and readers. (It’s useful […]


Choicepoint Roundup, March 13

Axiomlounge talks about public records, outsourcing, and the public records laws that cause all of this. Joseph Menn has a great story at the LA Times called “Did Choicepoint End Run Backfire?” Menn asks questions about the effect of Choicepoint’s choices in avoiding regulation. Public Domain Progress notes is not archival quality. Speaking of which, […]


More on Nevada DMV

In working on the Choicepoint roundup for tomorrow, I found Axinar pointing to this story about the Las Vegas DMV heist. Apparently, all that encryption? Err. Never mind. But Lewis said Friday that Digimarc Corp., the Beaverton, Ore.-based company that provides digital driver’s licenses in Nevada, told her Thursday the information was not encrypted, and […]


Leaving AIM

Although you or the owner of the Content retain ownership of all right, title and interest in Content that you post to any AIM Product, AOL owns all right, title and interest in any compilation, collective work or other derivative work created by AOL using or incorporating this Content. In addition, by posting Content on […]


Choicepoint Roundup, March 12

Ryan Singel has interesting analysis of the FTC’s Congressional testimony. Ellen Simon of the AP has a story about her Choicepoint and Lexis Nexis files. Hint: They’re imperfect, but that won’t stop them from screwing up your life. Others (nothing to see here, Scott C Smith) touch on the same theme. The Daily Caveat points […]


France Imitates Art, Stalin

Boing Boing comments on a French stamp with an airbrushed picture of Sartre, sans cigarette. However, the French are way behind on this. Uncle Sam led the way in airbrushing cigarettes, but not people, out of pictures, as these two images of blues pioneer Robert Johnson show. The Honolulu Star got a great quote from […]


Hank Asher

Dennis Bailey at The Open Society Paradox objects to my characterization of Hank Asher, and says: Rather than debate the merits of the program, they have to make this a personal attack on the man. Well, let’s talk about the programs. DBT, the first company Asher founded, was deeply involved in disenfranchising Florida voters. MATRIX […]


Small Bits: ID Angel, Books and Garbage

Latanya Sweeney has announced a new tool, Identity Angel, to crawl the web and discover if there’s enough information to steal an identity. Stefan Brands has made the first four chapters of a book on Electronic Money available. This will be a great reference for people wanting to think about privacy and payments. I’d like […]


No Fly List: Welcome, Salman Rushdie

D Magazine is looking for a private plane to transport Salman Rushdie so he can speak at an event in Dallas. Apparently, he’s been denied the ability to board a plane. Maybe someone realized he’s associated with Islamic Terrorists? (Via Virginia Postrel.) In other news, the Coalition of Airline Pilots Association has released an airline […]


Choicepoint Roundup, March 11

Today is the “Legislative truckroll” edition. The Motley Fool says: Barring a miracle — or a busload of lobbyists and two truckloads of money (yeah, same difference) — regulation looks to be inevitable at this point. ChoicePoint’s breach alone might not have tipped the scales, but if many other businesses are being ransacked as well, […]


New American Privacy Law: What Could It Say?

With recent events (Choicepoint, Bank Of America, PayMaxx, and Lexis Nexis) leading to a new privacy law for the United States, what should it say? How can we tell a good law from a bad one? Some disclaimers: I’m not entirely in favor of a new law. There’s a lot of potential for harm when […]


New Security Blog

I like the cynicism displayed at, by a squinty fellow who seems to want to remain anonymous.


What's Wrong With Lexis-Nexis?

It seems that Lexis Nexis’s breach was because of bad passwords: The incidents arose from the misappropriation by third parties of IDs and passwords from legitimate customers. I don’t mean to be snide. No, that’s a lie. I do. It’s 2005. You’re making all this data available via a password? Are your auditors telling you […]


"Rendition" or Openness?

Juan Non-Volokh writes: Ignatius notes that espionage and interrogation experts tend to doubt that torture works. As a friend with experience in that area put it to me: Torture makes people tell you what they think you want to hear, when what you want is the truth. Nonetheless, rendition may result in the torture of […]


Alec Muffet on ID Cards

Alec Muffet provides the best way I’ve seen to get people to take up National ID Cards: Loyalty points. He claims to be kidding, but I’ve already picked up a dozen citizenship points by turning him in for Mocking the Crown. That brings me nearly halfway to an upgraded room next time I’m in the […]


Choicepoint Roundup, March 10

Harry Weber of the Associated Press is looking to talk to Choicepoint employees. Email him at He’s been covering the story since it broke. The readers of Chief Security Officer Online have spoken, and not one opposes more disclosure laws. (As of noon, Thursday.) Bruce Schneier asks why Choicepoint seems to be saying “Please […]


Financial Privacy Regulations, 5 Years Behind?

The American Banker has a long story about how some regulations from GLB are now five years behind schedule: Ironically, both bankers and consumer advocates panned the agencies when they proposed guidelines on identity theft prevention in August 2003. The 25-page guidelines were based on Section 501 of the Gramm-Leach-Bliley Act of 1999, which required […]


1,700 Drivers Licenses stolen

The theft occurred early Monday in a remote industrial area, authorities said. The thieves took blank licenses and laminated covers, a digital license camera, a camera computer and a license printer. … “It’s been pondered that this has national security interests,” [police spokesman Tim] Bedwell said. “But it’s easier to pass a fake ID to […]


Small Bits: How to live, drive, be identified, and stuck in a database.

A great essay on living and working creatively by Milton Glaser (via BoingBoing). What it takes to get a driver’s license in Germany. Stefan Brands On Quintessenz and the Biometric Consortium. Quintessenz is an Austrian civil liberties group that’s learned about how NSA is driving the biometrics industry. What may be the largest database on […]


Attackers, Disclosure and Expectations

In both military and information security situations, the position of the attacker is very powerful. An attacker can choose when, where, and how to attack. Attackers are not constrained by change management committees, operational risk, or a need to make economic tradeoffs within a budget. [1] Attackers don’t need to consider other work that needs […]


More on Watch Lists

To follow up to my post on Terror Suspects and Firearms, I’d like to take a moment to rail against the Kafka-esque implementation of “watch lists” in the United States. For the FBI, or other investigative or intelligence agencies, to have lists of “interesting people” makes perfect sense. You’ll always have people who you suspect […]


Choicepoint Roundup, March 9

Tara Wheatland has a long post Un-Spinning the ChoicePoint Scandal. (Via Personal Democracy Forum.) Local TV station WXIA Atlanta says ChoicePoint Management Under Fire. Not actually Choicepoint, but DSW Shoes and Seisint, makers of the massively overhyped MATRIX database for law enforcement, have both announced breaches. I wonder when the attackers are going to start […]


Terror Suspects and Firearms

The New York Times is running a somewhat alarmist article, Terror Suspects Buying Firearms, Report Finds. The report says that At least 44 times from February 2004 to June, people whom the F.B.I. regards as known or suspected members of terrorist groups sought permission to buy or carry a gun, the investigation found. In all […]


Small Bits: Risk Management by Law, Domain Names, and Cats

Not bad for a Cubicle has a good post on the credit card industry replacing their risk management efforts with bad law: Bad laws instead of good Risk Management. I like what he’s saying enough that I’ve added him to the blogroll. Daring Fireball links to this article on How to Snatch a Domain Name, […]


Choicepoint Roundup, March 8

Today’s roundup takes a different turn with more about privacy-invasive infrastructures. Also, previous scammer gets 5½ years, and Choicepoint appoints a new officer to deal with compliance and credentials. Deep in the Heart of … France discusses the move to hosted applications, and ties in Choicepoint as an example of the new security issues, like […]


Small Bits: Art, Chopsticks, Security

Stefan Geens points to It Takes More Than Money to Buy a Hot Piece of Art. I Came to Japan Because of the Chopstick makes dinner plates fascinating. Thanks Rosa! Two shorts at AntiTerrorism & Security: The firm running airport security at SFO has been accused of cheating by a former manager. The lawsuit is […]


Choicepoint Roundup, March 7

Saturday’s New York Times reports (thanks Alex for the pointer): Lt. Ronnie Williams, project director of the Southern California Identity Theft Task Force, which is investigating the ChoicePoint case, said that the breach was brought to his agency’s attention in late October, and that on Nov. 23, the agency asked the company to delay notifying […]


More on CVSS

Erik Rescorla takes note of my CVSS post, and comments that he’s not sure he likes some technical aspects of the system (emphasis added): CVSS does have a formula which gives you a complete ordering but the paper doesn’t contain any real explanation for where that formula comes from. The weighting factors are pretty obviously […]


Identity Trail

There’s some great blogging at the Identity Trail conference. I wish I’d been there. Read the official blog for Friday, Saturday AM, Saturday PM, or Michael Froomkin’s post.


Choicepoint Roundup, March 6

The Atlanta Journal Constitution contains the first MSM discussion I’ve seen of Derek Smith losing his job over this. Evan Hendricks of Privacy Times has a good article in the Washington Post, discussing who owns data, how we’ve gotten here. Axel, of comments “that ChoicePoint does NOT state in that Form 8-K that they […]


Economics of Fake IDs

Some states will begin using new watermark technology akin to that used on currency for drivers’ licenses next year… While the backers of these efforts say they herald the demise of the fake ID, officers on the beat have doubts. “They find a loophole and exploit it,” said Sergeant Planeta of the New York document […]


Small Bits of Chaos: Advertising and The Gulag Evolution

Scrivner points out that the Golden Palace is winning all bids to advertise on people’s bodies, and asks “What is all this telling us?” Ummm, Scrivner, it’s telling us… Visit Golden Palace! These foxes are being bred for tameness by scientists in Siberia. (I hope that URL is resilient?) I guess that’s what happens when you’re […]


Choicepoint Roundup, March 5

My big question for the day: When Choicepoint announced a re-screening of their small business customers, that segment was 5% of their $900m revenue. Today’s announcement of closing that segment is $15-20m, or about 2%. So it seems that the exceptions that they list in their 8K account for 60% of their small business sales. […]


Has Hezbollah Studied Boyd?

Iraq The Model points to this WorldNetDaily article: Designating Hezbollah a terror group in Europe will mean “the sources of [our] funding will dry up and the sources of moral, political and material support will be destroyed,” Nasrallah told Al Manar, Hezbollah’s satellite television station. Boyd discusses war as having moral, mental, and physical dimensions, […]


Congrats, Microsoft

“On March 8th, 2005, the Microsoft Security Response Center is planning to release no new security bulletins,” the Redmond, Wash.-based developer said on its Microsoft Security Bulletin Advance Notification Web site Thursday morning. (Via Information Week, via ISN)


Choicepoint Roundup, March 4

The focus of today’s roundup is “an object lesson in how not to manage a crisis.” Call Choicepoint CEO Derek Smith at home, 770 667 5775, and tell him what you think. Remember, Atlanta is on Eastern Standard Time. On to the roundup: Not Bad For a Cubicle points out that “This is the first […]


Google, Flat Earthers?

I visited, and tried going east from the default view. A press of the “right” button seems to move you about 1,500 miles east. A second press takes you, err, nowhere. Another 16 or so clicks should be bringing you to the West coast of the US, but no luck. (25000 miles/1500 miles per […]


Small Bits: Teen Drinking, TSA Databasing, hope, and trust.

This New York Times story discusses the “need” to submit high school students to Breathalyzer tests to ensure they’re not drinking. It’s a good thing we have all those mandatory ID checks. It seems they’re highly effective at stopping teen drinking, so there’s no need for such tests. The TSA is maintaining a secret database […]


MMR & Autism

There’s a belief out there that the measles, mumps and rubella (MMR) vaccination is linked to autism, with some scientific-sounding hypothesis as to what the causal link is. The BBC is reporting on a study done by Hideo Honda of the Yokohama Rehabilitation Center, along with Yasuo Shimizu and Michael Rutter of the Institute […]


Common Vulnerability Scoring System

At RSA, Mike Schiffman presented a Common Vulnerability Scoring System. Brian Erdelyi has taken that, and made a web page to generate numbers. It’s at SecurityHive. (The page requires Javascript be turned on to function.)


It's Not About Not Feeling Pain

On Monday, I had the opportunity to see Ed Tufte teach. Much of his analysis revolves around failures to think clearly. Things like poor presentation of data, or selection of data to not include enough context. He said he was in Houston last week, giving a class to the people who were responsible for the […]


Choicepoint Roundup, March 3

Chris Walsh provides this AP story about prior frauds. In light of Choicepoint CISO Baich saying “That’s such a negative impression that suggests we failed to provide adequate protection,” these stories are going to have legs. Reporters will chase down the inadequate protection. And Choicepoint has yet to say they’re sorry. Blog or Die comments […]


Astrologers and National ID Cards

I often hear folks who believe in astrology saying things like “That’s just the scorpio in her.” Or, “All Leos act that way.” I rarely hear them say “That’s so unlike a scorpio.” Underlying this is a mind-set which searches for ‘evidence in favor’ of a proposition. This search is a fundamental, and common, misunderstanding […]


Small Bits of Chaos: Tempest Tents, Medical Records, Openness

One of the neat things about talking to different sorts of conferences is that you find neat stuff that you don’t otherwise see. At the Southeast Cybercrime Summit, I was supposed to talk about “Reducing Crime In Cyberspace, a Privacy Industry View.” (The talk I used to give for Zero-Knowledge.) Due to a small error […]


Gordon on Security

There’s a good interview with Larry Gordon at SecurityPipeline. It came out in April of last year, but I’d missed it. Gordon has hosted the Security and Economics workshop. “I go to security conferences where we all sit around puzzling about what kind of metrics to use for measuring the results of security programs,” says […]


Cultural Imperialism at its Best

Thomas Barnett has some links and analysis about the effect of Iraq on the middle east: Yes, there will dangers along the way. But tell me that any of this happens when it does without the invasion of Iraq. Bush is engineering his own serious change in the Middle East, with the simplest and most […]


500th Post

In the 195 days since I started this blog, I’ve posted 499 times: This is the 500th. I’d planned, when I started, for about one long post a day. It hasn’t always worked that way. I’m posting slightly more than 2.5 posts a day. I think I’m now getting more comments than I post, but […]


Choicepoint Roundup, March 2

A Canadian blogger, PIPEDA, points to Scott Bradner’s column at Network World, as well as an LA Times story (at Yahoo News) on an earlier breach. It’s a good thing California gave us 1386, or this would have been swept under the rug, too. Stefan Brands at Identity Corner points to a column at DM […]


(T)ourism (S)uppression (A)gency

Webflyer has a good post about the economics of new security rules that the TSA wants to impose: Requiring information to be submitted an hour before flight takeoff involves a full 75 minutes greater notice than currently provided. This will mean passengers turning up at the airport at least an additional hour in advance of […]


Choicepoint Roundup (1 March)

KnobBoy, demonstrating that the new media can do research, points out that Choicepoint execs didn’t trade like that before. In an AP Interview, Choicepoint CEO “Smith said he believes his company is as much a victim in the episode as the roughly 145,000 Americans whose personal information may have been viewed by criminals.” The Los […]


Software Liability by Contract, Not Regulation

While “other events” are causing me to prevaricate over data protection legislation in the US, it’s great to see this Wall St Journal story (reprinted in the Contra Costa Times) on large software buyers pushing for liability clauses in their contracts. “I’m paying the bill. Other companies are paying the bill,” says Ed Amoroso, AT&T’s […]


Emergent Chaos Choicepoint Posts

I have added a Choicepoint category, which is great if you want to see all my posts on Choicepoint on one long page, and I am no longer updating this roundup. I’ve been posting a lot on Choicepoint. I’ve done a number of roundup posts listing things I find interesting around the web, and a […]


Choicepoint Roundup ($16,600,000 edition)

Having already posted a Feb 28th roundup a day early, I was forced to think about a new title for today’s edition, and what better than the $16.6 million dollars that ChoicePoint CEO Derek Smith and President Douglas Curling have made selling 472,000 shares of CPS since the day before the first arrest in the […]


Choicepoint Roundup (Feb 28)

I accidentally published this too early, but given the nature of trackbacks, and other such privacy-invasive technologies, it’s too late. You know my secret. I accumulate and then (try to) post in the morning. Midnight Special asks “Where’s the accountability” and talks about government outsourcing and incentives in a well-written post. Why Now has […]


Publishing a List of SSNs Will Not Fix Anything

Pete Lindstrom suggests: My proposal: List SSNs publicly. The Social Security Agency can notify all of its intent to publish all SSNs at some point in the future – enough time for organizations to absorb and react to this news. The net result is to eliminate the notion that perhaps SSNs are “secure enough” for […]


Good Folks Looking for Help

A group that wants to assist free speech in authoritarian nations is looking for a technically savvy person — a CTO or lead engineer type — who can do a short term study, possibly leading to a longer-term job. This is a paying gig for the right person. The project is intended, in its initial […]



Blah blah, Choicepoint blather blah.


Choicepoint Roundup for Today (27 Feb)

Choicepoint doesn’t make an appearance in the June, 2003 Congressional testimony of Leonard Bennett (or PDF), but the testimony is on how hard it is to get your credit files corrected with those companies that follow the Fair Credit Reporting Act. Given that Choicepoint believes that they don’t even have to do that, it will […]


Choicepoint's Orientation

As Choicepoint’s little error threatens to grow into a full-blown scandal, with Attorneys-General posturing, Congressional hearings, and daily press coverage in every state of the Union, it may be worth stepping back, and asking, “Why is this happening?” It’s not just the size of the exposure; both Bank of America and PayMaxx are larger. It […]


Choicepoint Won't Benefit from Bank of America Leak

I wasn’t going to blog on BofA’s little kerfuffle. But then Ian went and blogged about it, and I think he gets it partially right and partially very wrong. His actual conclusion is spot on: In order to share the information, and raise the knowledge of what’s important and what’s not, we may have to […]


Choicepoint Roundup for Today (Feb 26)

Chris Walsh has a really good comment on yesterday’s roundup. HCS asks, was Choicepoint going to be the data provider for the new national ID card? Ed Bott finds that birds of a feather flock together: A company that falsely claimed that ICSA labs had certified their tool has an SSL certificate issued by everyone’s […]


What's with this Dialog?

This dialog box is modal. It has no “take me there” button. Even having taken notes, I couldn’t figure out how to follow the instructions. You can “clear formatting” and make spell checking work again. A double-feh at Redmond. I take back all the mean things I said about Firefox this morning.


Two Minutes Hate

So everyone seems to be accepting at face value the claim that Choicepoint was scammed by Olatunji Oluwatosin and colleagues not yet named. But let’s step back, and ask, was there a scam? Why did these folks need to cheat? Was it habit, or necessity? What was really needed to get a Choicepoint account of […]


Quick Followups

David Akin says CIBC is getting sued for faxing information around. Prior posts are “Privacy Lessons from CIBC” and “Canadian privacy law & CIBC.” 19 days after the vulnerability was announced, Mozilla releases Firefox 1.01.


Choicepoint Roundup for Today

The Associated Press has a story “Burned by ChoicePoint breach, potential ID theft victims face a lifetime of vigilance” (actually, we all face a lifetime of vigilance, as these companies make buckets of money by gossiping about us). The money quote: Many victims are dumbfounded by the dearth of federal and state laws aimed at […]


Roger McNamee on Sarbox

Roger McNamee has an article on how Sarbanes-Oxley is hurting public companies by making their guidance more conservative than it should be. It’s hard for executives to avoid providing some form of guidance – investors generally insist on it – but they have a big incentive to understate the outlook early in the fiscal year. […]


Finding Security Issues

In Today’s Choicepoint Roundup, I mentioned that Richard Smith had found a number of issues with Choicepoint’s web sites. In discussion, Richard told me that the issues included (but were not limited to) robots.txt files and directory listings enabled. The robots.txt standard is a way to tell search engines “please don’t go here.” That’s useful, […]


Small Bits of Chaos: Conferences and What Would Dylan Do?

This Concealed I conference in Ottawa March 4-5 looks really good. Bob Dylan joins the cypherpunks in skipping Woodstock for his trig homework: “I wouldn’t even think about playing music if I was born in these times… I’d probably turn to something like mathematics.” (NME, via Scrivner.) Who did this: Privacy Enhancing Technologies, May 30-June […]


Today's Choicepoint Roundup

The Privacy Rights Clearinghouse has an extensive sheet on what to do if you’re a victim of Choicepoint’s failure to secure data. SoftReset calls for banning the use of SSNs for non-government purposes. I take a slightly more moderate view: Anyone using the SSN is already subject to GLB liability. Random Thoughts on Politics comments […]


Disclosure and PayMaxx

There seems to be a bit of a spat going between PayMaxx, and ThinkComputer (who may have the worst web site I’ve tried to view in a long time). As documented by Robert Lemos at Ziff-Davis: Greenspan, a former PayMaxx customer, said he discovered the alleged problems in the company’s system more than two weeks […]


Oh, there it is.

Back in October, I asked, “where’s the 8-in-1 media reader to take photos directly from your camera.” From today’s Apple press release: The new iPod Camera Connector is an optional accessory that enables customers to connect their digital camera to iPod photo and import their photos into the iPod. By simply connecting the iPod Camera […]


When The Future Has No Shadow

I remember when I was in college, discussing what we’d do if we discovered we had a terminal disease. Being college students, there were lots of ways to maximize short-term fun before the disease ate you. The game theory folks talk about “the long shadow of the future,” the idea that cooperation can be rewarded […]


Today's Choicepoint Roundup

Google is running an ad when you search on Choicepoint: “ChoicePoint letter says your identity stolen? Learn your rights.” On clicking through, it’s just a form, asking someone to contact you. Renaissancemen has a good roundup, including the fact that only 5% of perpetrators are arrested, and a pointer to Kevin Drum arguing for […]


More on Choicepoint

“Enter ChoicePoint’s two-building campus in Alpharetta, and you get the feeling you are being watched,” starts a new story at the Atlanta Journal-Constitution. (Use Bugmenot to log in.) It’s sort of ironic. Choicepoint is focused on identifying people, rather than identifying behavior that leads to trouble. They figure once you have an account, they want you […]


The Open Passport

Third, this may be all moot if the government takes the easy step of giving citizens a passport cover made of aluminum foil. According to one article “Even Schneier agrees that a properly shielded passport cover should solve the problem. He wonders why this wasn’t included in the original plans for the new passports.” writes […]


Cool Tech at RSA: i-Mature

At RSA, I didn’t get a demo, but did talk to John Brainard of RSA about i-Mature, a fascinating biometrics company. There’s been some discussion on Interesting People. Vin McClellan discusses the tech, Seth Finkelstein maps their web site, reporter Andy Sullivan plays with one, Lauren Weinstein on probable attacks, Herb Lin on the limits […]


Small Bits of Chaos: Passports, Financial Crypto

Ryan Singel has a good post on chipped passports: Bailey is right that the new passport will be harder to forge with the inclusion of RFID chips, especially since the chip would be digitally signed to prevent changes to the data in the chip. That’s a solid security measure. But, the chips create a new […]


Free Mojtaba and Arash!

Sending people to jail for expressing their opinions is wrong. In the west we’ve understood why it was wrong since John Stuart Mill wrote On Liberty. So please, for the betterment of Iran, and the entire world: Mojtaba and Arash are Iranian bloggers jailed for their ideas. What ideas is almost not relevant. Even if […]


Cool Tech At RSA

One of the best bits at RSA was at the HP booth. Marc Stiegler, Alan Karp, Ka-Ping Yee and Mark Miller have created Polaris, a system for isolating and controlling untrustworthy code on Windows. The white paper is here. It’s very simple, easy, and looks like a winner. I hope they find a way to […]


Security So Good, No One Could Login

One of the ironic bits about the RSA conference was the wireless network. Your username was your email and the password was on your badge. However, I had trouble logging in, so they gave me this username and password. I’m pretty sure that they didn’t record who I was as they did it. Even once […]


Hunter S. Thompson, 1937-2005

Hunter S. Thompson killed himself last night. While I enjoyed his books, for me, his ultimate work wasn’t reading about times I hadn’t experienced, but when his writing was live and raw, about the day, when he wrote the definitive obituary of Richard Nixon. He’s gone, and I am poorer for it.


Openness: Maps

After RSA, some friends and I went up to Russian River. I was looking at some old maps at the Quivira Vineyard, and the caption under one said “The author of this map is believed to have had access to Drake’s secret maps.” Today, large scale maps of everywhere are easily available. But there […]


Small Bits on Programming

Max Dornseif asserts it’s easy to find bugs. (Perhaps even easier than figuring out trackbacks for his blog?) In an article in ACM Queue, Ioannis Samoladas, Ioannis Stamelos, Lefteris Angelis, Apostolos Oikonomou examine some measures of code quality between open and closed source apps.


What do Apple's Common Criteria Tools Do?

Apple has made available a set of “Common Criteria” tools. The “evaluation” page is here. The evaluation criteria are “EAL 3, CAPP, version 1.d, October 8, 1999.” (The README is a bit better.) If anyone would care to explain to me what I’ve just said, or, really, what the tools package does, I’d be much […]


Small Bits: T-Mobile, Google, Passports, Terrorism

Jack Koziol has a long post on security issues with T-Mobile’s web site. (Via /.) Did you know that Google’s “Dissatisfied? Help us improve” link only appears on the first page of a search? That’s fascinating–they expect their search to be so good that they get what you want on page 1, and you’ll complain […]


An Open Society?

Eric Rescorla discusses this account: Officer Primiano expressed extreme frustration with me as soon as I began speaking of my rights to photograph in public places. She wanted to debate the wisdom of my taking pictures and asserted that in the wake of the Sept 11th attacks on our country, I should be more interested […]


Two More on Choicepoint

See Taosecurity, on IDS and Choicepoint, and this choice excerpt from Reuters, relayed by Dave Evans at Corante’s Online Dating: U.S. investigators notified the company of the breach in October, but ChoicePoint did not send out the consumer warnings until last week. It’s fascinating that the company didn’t detect the breach, and that they seem […]


More on Choicepoint

The Atlanta Journal Constitution (use Bugmenot) reports: “We know that there is a national number that is much larger than that,” said Lt. Paul Denny of the [Los Angeles County] sheriff’s department. “We’ve used the number 400,000, but we’re speculating at this point.” Executives at ChoicePoint, which maintains one of the largest databases of personal […]


Felten on The Record Industry

Ed Felten has a great post today, asking “How Competitive Is the Record Industry?” How can we tell whether the record industry is responding competitively to DRM? An interesting natural experiment is about to start. MP3Tunes, a new startup headed by serial entrepreneur Michael Robertson, is launching a new music service that sells songs in […]


More on Fighting Terrorist Ideas

I liked how my previous post on this subject read. It was very positive, and I like being positive about the future. (I’m not very good at it.) However, there’s a contrast which needs to be drawn, between the way Yemen (Yemen? Yemen!?!) is handling some prisoners and the way the US is handling some […]


How Many Choicepoint Victims Are at Risk?

Choicepoint is a large credit bureau that denies being one. Yesterday, MSNBC reported that “more than 30,000 Californians” had been notified of problems. Now, no one opts-in to Choicepoint. No one can opt-out. They maintain files on you without your knowledge or permission. Now we know that at least 30,000 people were put at risk […]


The Real-ID Theft Act of 2005

The “Real ID” act is likely to get written into law, in two ways. First, it will pass the Senate, and be signed into law. Second, it will be one of the best examples of the law of unintended consequences in a long time. The bill would force states* to fingerprint people, and do various […]


JAG Heroics

Michael Froomkin applauds those “Military lawyers at the Guantanamo Bay terrorist prison tried to stop inhumane interrogations, but were ignored by senior Pentagon officials.”


Purpose of a System Is What it Does?

Over at POSIWID, Richard comments on airline security, with some economic analysis of bad security and why it stays around. (I think I don’t like his title, preferring ‘systems are maintained for what they do,’ which gives more credit to the emergent qualities of systems, but I digress.) He accurately assesses some positives of the […]


Dave Eggers and the Pirate Store

By reading this post, you agree not to do anything to get the author or Dave Eggers in trouble, even if those actions that lead to trouble are entirely their own, and you’re just commenting on them, even in a sort of approving way that happens to continue the unfortunate chain of events that were […]


What Did TSA Know, and When Did They Know It?

Recently, Slate had an article on how to alter your boarding passes and bypass the silly watch lists. It was picked up by BoingBoing, and it turns out that Bruce Schneier talked about it 18 months ago. Recently, I was talking to a friend who started telling me about…how to alter your boarding passes. What […]


Proof Of Concept Code, Boon or Bane

Microsoft has come out swinging against researchers who publish code: Microsoft is concerned that the publishing of proof-of-concept code within hours of the security updates being made available has put customers at increased risk. A common practice among responsible researchers is to wait a reasonable period of time before publishing such code. This generally accepted […]


Charlie Wilson's War

I’ve recently finished Charlie Wilson’s War, which Jeff Moss suggested to me. Charlie Wilson was a Congressman from Texas. Gust Avrakotos was a CIA officer. Together, they conspired to get hundreds of millions of dollars funneled to the Afghanistan resistance. The story is simply astounding–at times you think this can’t be true, but it all […]


US National ID Card

This was first created in December 2004’s Intelligence bill, loosely called the Patriot II act because it snuck in provisions like this without the Representatives knowing it. The deal is basically a no-option offer to the states: either you issue all your state citizens with nationally approved cards, or all federal employees are instructed to […]


Could We Trade Judges?

NPR is reporting that The Bush administration is seeking to justify the imprisonment of an American citizen using secret evidence. The Justice Department has asked a federal judge to throw out the case based on evidence that is being withheld from the man’s lawyers. Perhaps we could trade judges with Yemen. (Via Hit & Run.) […]


Small Bits of Chaos: Passwords, Metrics, Self-Awareness, Mozilla

Bruce Schneier has a nice article on the risks of e-commerce sites that make you establish an account, rather than just giving them money. Pete Lindstrom has an article in Information Security magazine about security metrics. Roger McNamee has an insightful post at his new blog about the importance of self-awareness generally. It’s especially applicable […]


Security Planning

Gunnar Peterson (who has a new blog) points to the public release of the worksheets from “Misson Critical Security Planner.” I haven’t read that book, but the worksheets look like useful planning documents.


Fighting Terrorist Ideas

I believe that the Wahabbi-inspired terrorist strain of Islam represents a great material danger to the ideals of liberty and equality, as well as to free inquiry and science. (The state’s response to this danger also creates a great threat to those goods.) It is thus a pleasure to see a Yemini judge taking to […]


Small Bits of Chaos: How to Present, ID Theft Victims List

higB at secureme has good advice for presenters at security cons. Ian G has a good post explaining that government only illegally links their databases when they want to, not when it could help the citizenry. No privacy story is ever truly complete without a tool of the man talking out both sides of their […]


Shmoocon Slides

At Shmoocon, Crispin Cowan, Ed Reed, Al Potter and I ran a BOF entitled “Evidence Based Security.” The feedback I got from the audience was all positive. I was hoping that things would have gone more towards the question of what is good evidence, and how you evaluate questions, but that’s the joy of you […]


Wachovia Misdirects Customer Information

Wachovia said that, overall, 86 statements or tax forms were mistakenly sent to Pirozzi, including information on 73 individuals. Pirozzi said the number of pieces of mail was significantly higher, closer to 140. … Pirozzi tried desperately to get the problem fixed once the first batch arrived last spring, but he says that no one […]


Good Thing We're Checking IDs

Normally, I try hard to bring you only the freshest news. This has been all over the blogosphere, but I can’t resist: Slate on bypassing airport ID checks. [Other commentary on why they’re bad in the “air travel” category of this blog. Are you listening, David Neslon?]


Stefan Brands Blogging

Stefan Brands has a new blog. Stefan is not only one of the top two or three folks in the world in privacy enhancing cryptography, but he writes eloquently about the social reasons privacy is important. We worked together at ZKS, and I’m very sad we didn’t get further selling his technology. I look forward […]


SSNs and Drivers Licenses

JihadWatch is upset because (9/11 hijacker) Nawaf Alhazmi got a CA drivers license with a fake SSN. But so did 184,000 other people, most of whom have not turned terrorists. Perhaps we should focus on things other than SSN fraud in tracking down terrorists?


Top 30 Papers in Infosec

Max Dornseif has a post titled “Top 18 Papers in Information Security,” with 28 papers. But who’s counting? Its a fascinating exercise, and I’m glad to see papers from Phrack. I’d suggest that they define top: Most influential? Most cited? Most important? I do think that no paper which isn’t available to the public via […]


Liveblogging Shmoocon: Patching

I’m at Shmoocon, and trying to liveblog a little. There’s network trouble, so it may not quite be live. I’m at Tina Bird’s talk on patching, and she mentioned that in the Teragrid attack, the attackers were hitting supercomputer centers, and there’s some evidence that they were 1) using 0day and 2) using the big […]


Vaclav Havel on the EU

For some reason, enemies of Václav Havel want him to waste his astounding moral authority by becoming Secretary General of the UN. I prefer he remain a private citizen, where there is nothing to hold him back from this most elegant dressing down of the European Union: I vividly remember the slightly ludicrous, slightly risqué […]


CEOBlogger on "IT Propaganda"

There’s a new blog, from a fellow claiming to be the CEO of a public company, experimenting with blogging. Welcome! In his second post, he responds to the WikID Thoughts, Emergent Chaos, Financial Crypto series on IT breaches, calling it an example of “IT Propaganda.” I love the ‘IT propaganda’ phrase–one of the themes that […]


Small Bits: ICANN, Mock Trials, S.116, etc

Ian Grigg and I have a letter to ICANN about Verisign. See his post. Eric Rescorla has a Kafka-esque excerpt from the “trial” of Mustafa Ait Idr, who wasn’t allowed to see the evidence against him. Mort points me to US Senate Bill 166116, introduced by Diane Feinstein, making it a crime to sell social […]


One more thing in the -We-really-mean-all department

Martin Pool says “gcc makes my day.” If the sentence “Generate traps for signed overflow on addition, subtraction, multiplication operations” means anything to you, read his post. (I’ve discussed gcc in the past here.


A Few Ideas Connected by the Tag "Folksonomy"

Nude Cybot, in an email in which he promises to emerge soon, presumably to be exceptionally cold, mentions that folksonomies have hit Wired News. The Wired article points out that there are more “cat” (16,297) tagged images than “dog” (14,041) in Flickr. But the conclusion they draw from this, “If the photo-sharing site Flickr is […]


Eating Your Own Dogfood?

Two posts this morning grabbed my attention. They are “Hide Your Ipod, Here Comes Bill,” (at Wired) and “Sanyo asks workers to buy goods to ease loss” (Hindustan Times via BoingBoing.) In a presentation at, Chet Richards applies Boyd to business. One of his suggestions, which isn’t new, is to get inside the mind […]


Sarbox and Venture Capital

The Sarbanes-Oaxley act is driving up the costs of being a public company. Its driving up both direct costs, in terms of investing in assurance technologies, audit, and new processes to produce (slightly) more reliable accounting. But much more important, it imposes a highly risky cost on CEOs and financial officers who must sign off […]


Small Bits: Research, Web Security, Saturn's Moon

Uncle Sam is trying to restrict basic research. This approach comes from such a foreign orientation I’m not even going to comment. Jerimiah Grossman has an article on easy things to do to protect your locally developed application. I still think you should look at your code, but that’s still unfortunately expensive and difficult. Finally, […]


Privacy and Obscenity?

Put bluntly, the law of obscenity, no matter how longstanding, has never satisfied constitutional requirements, and it never will. Finally, a judge has been brave enough to say as much. This opinion is notable for that reason – and for Judge Lancaster’s novel approach. His opinion attacks the obscenity laws on privacy grounds – and […]


Small Bits of Irony: Secure Flight, Insecure Borders

Bruce Schneier talks about the Secure Flight being an improvement over the current watchlist system, but can’t give us details. The new system will rely on more information in the reservation. But if we don’t have that more information on the person on the watchlist, what will happen? Eg, if there’s no known birthday for […]


More on Nothing to Hide

Chapell points out a very interesting correction at the top of this Seattle Times story: A previous version of this story on Tukwila firefighter Lt. Philip Lyons being charged with first-degree attempted arson incorrectly stated that police reports indicated he had used his Safeway Club Card to purchase 16 fire-starters between June and August. Lyons […]


Small Bits of Hope

Some moving blog posts from Iraq include Hammorabi, Messopotamian, and Iraq the Model The first thing we saw this morning on our way to the voting center was a convoy of the Iraqi army vehicles patrolling the street, the soldiers were cheering the people marching towards their voting centers then one of the soldiers chanted […]


Good Luck to Iraqis!

In tomorrow’s elections. I have to say that despite a great deal of skepticism in the feasibility, and disappointment over the execution, of Bush’s vision for the Middle East, it represents the one of the core American beliefs. Lincoln called the ideas of democracy the last, best hope of mankind, and in that, he was […]


New York Times Links

Aaron Swartz has produced a link generator for the New York Times. It takes a URL and makes it archival, so that it doesn’t expire, and you should be able to visit it after two weeks are up. Its a lazy Saturday afternoon; Atlanta is shut down by the half inch of snow that fell […]


More on Economic Analysis of Vulnerabilities

Dave Aitel has a new presentation (“0Days: How Hacking Really Works“) on what it costs to attack. The big cost to attackers is not vulnerability discovery, but coding reliable exploits. (There’s an irony for you: Attackers are subject to the same issues with bad software as their victims.) The presentation is in OpenOffice format only […]


Small Bits of Chaos: Vidal, SP2, Iraq

Gore Vidal has a few choice words about the President’s Inaugural address, at DemocracyNow. A Russian company, MaxPatrol, has published a paper on bypassing heap and stack protection for Microsoft Windows XP with SP2. Winterspeak has an interesting summary of Iraq: The big bet that President Bush placed all these months ago, the bet that […]


Nothing to Hide, Plenty to Fear

Longtime security and privacy researcher Richard M. Smith tells Farber’s IP list about Philip Scott Lyons, a Tukwila, Washington firefighter. Lyons was accused of arson because he’d bought the same type of fire starters at Safeway. Or, that’s what Safeway’s “Club Card” records show. How or why they were obtained isn’t clear. The charge was […]


"Analysis of the Texas Instruments DST RFID"

A group at Johns Hopkins and RSA security have interesting new attacks on the RFID chips used in Mobil Speedpass. They’ve put up a web site at, and gotten some press at the New York Times.   [Edited 29/4/2017 to unlink because Google claims its distributing malware.]


Folksonomies, Tested

I’ve just stumbled across this abstract comparing full-test searching to controlled vocabulary searching. The relevance to Clay’s posts on controlled vocabularies is that our intuitive belief that controlled vocabulary helps searching may be wrong. Unfortunately, the full paper is $30–perhaps someone with an academic library can comment. …In this paper, we focus on an experiment […]


Small Bits of Chaos: Brazilian Democracy, Traffic Cameras, Locks, Hamas, and Curtains

Lessig discusses what democracy looks like in Brazil: I remember reading about Jefferson’s complaints about the early White House. Ordinary people would knock on the door, and demand to see the President. Often they did. The presumption of that democracy lives in a sense here. And you never quite see how far from that presumption […]


"The Arthur Andersen Of Banking?"

Over at The CounterTerrorism Blog, Andrew Cochran accuses Riggs Bank of being “the Arthur Andersen of banking.” Riggs is apparently pleading guilty to violating the Bank Secrecy Act, by “failing to file reports to regulators on suspicious transfers and withdrawals by clients.” I’d like to address the comparison to Arthur Andersen, and through that lens, […]


Small Bits of Chaos: Taxes, Orientation, Liberty, Fraudulent Licenses

Scrivner writes about the perverse nature of the AMT. Chuck Spinney at D-N-I asks “Is America Inside Its Own OODA Loop?” The article contains some very clear writing on the meaning of orientation, and applies that idea: He showed why the most dangerous internal state of an OODA loop occurs when the Orientation process becomes […]


Ben Rothke on Best Practices

Best practices look at what everyone else is doing, crunch numbers—and come up with what everyone else is doing. Using the same method, one would conclude that best practices for nutrition mandates a diet high in fat, cholesterol and sugar, with the average male being 35 pounds overweight. Writes Ben Rothke in a short, incisive […]


Towards an Economic Analysis of Disclosure

In comments on a my post yesterday, “I Am So A Dinosaur“, Ian asks “Has anyone modelled in economics terms why disclosure is better than the alternate(s) ?” I believe that the answer is no, and so will give it a whack. The costs I see associated with a vulnerability discovery and disclosure, in chronological […]


I Am So A Dinosaur…

…and I was one before it was cool. Crit Jarvis responds to my comment that my views on disclosure have ossified by claiming that I’m evolving. The trouble is, I have documented proof it’s not true. From my homepage: Apparent Weaknesses in the Security Dynamics Client Server Protocol. This paper was presented at the DIMACS […]


Patterns of Conflict, Easier on the Eyes

I’ve been posting a fair bit about Boyd. Boyd’s wrote very little. Most of his communication was in the form of briefs. At least two of you have publicly admitted to getting the slides, and, if you’re like me, struggled with the form of the presentation: A scan of a typed, hand-annotated presentation book. There’s […]


More on Do Security Breaches Matter?

In responding to a question I asked yesterday, Ian Grigg writes: In this case, I think the market is responding to the unknown. In other words, fear. It has long been observed that once a cost is understood, it becomes factored in, and I guess that’s what is happening with DDOS and defacements/viruses/worms. But large […]


Small Bits of Chaos: Blind overflows, National ID, and Looney Tunes

SecurityFocus has a new article on blind buffer overflows. I’m glad these techniques are being discussed in the open, rather than in secret. Julian Sanchez has the perfect comment on Congressman Dreier’s new national ID plan, at Hit & Run. And finally, don’t visit this Looney Tunes site if you’re busy. (Via Steven Horowitz at […]


Do Security Breaches Matter?

Nick Owen posts about the stock valuation impact of security breaches. This UMD study found that a firm suffering a breach of ‘confidential information’ saw a 5% drop in stock price while firms suffering a non-confidential breach saw no impact. I read it as the market over time learning the difference between a DOS attack […]


Catastrophe and Continuation

Dr. David Ozonoff, a professor of environmental health at the Boston University School of Public Health who originally supported the new laboratory but now opposes it, argues that biodefense spending has shifted money away from “bread-and-butter public health concerns.” Given the diversion of resources and the potential for germs to leak or be diverted, he […]


California Privacy Law

CIO Magazine has an article “Riding The California Privacy Wave,” reviewing California’s new and pending privacy laws. There’s bits I wasn’t aware of, such as SB 186 168, preventing “businesses from using California residents’ Social Security numbers as unique identifiers.” There’s a slew of new laws in California, a great many of which affect IT […]


Economics of Taxonomies

In his latest post on folksonomies, Clay argues that we have no choice about moving to folksonomies, because of the economics. I’d like to tackle those economics a bit. (Some background: There was recently a fascinating exchange between Clay Shirky and Louis Rosenfeld on the subject of taxonomies versus “folksonomies,” lightwieght, uncontrolled terms that users […]


Mac Software: Memento

Memento is an application that helps you find web pages you’ve stumbled across and forgotten where the site is. It does this by searching the cache (copies that Safari keeps locally). Very cool, and free.


Congrats to David Akin

I first met David Akin when he was covering Zero-Knowledge Systems, where I worked. David was always insightful, and even when he thought he saw us blowing smoke, he was pleasant about it. So I’m both disappointed and excited to see that he “will join CTV’s Ottawa bureau as a Parliamentary Reporter.” I sincerely hope […]


Application Layer Vulnerability, an Orientation Issue

Richard Bejtlich comments on a new “@RISK: The Consensus Security Alert“, which starts: “Prediction: This is the year you will see application level attacks mature and proliferate.” He says: You might say that my separation of OS kernel and OS applications doesn’t capture the spirit of SANS’ “prediction.” You might think that their new warning […]


All Good Things Must End

Phrackstaff is pleased to bring you _our_ LAST EVER CALL FOR PAPERS for the FINAL RELEASE of PHRACK. … Since 1985, PHRACK MAGAZINE has been providing the hacker community with information on operating systems, network technologies and telephony, as well as relaying features of interest for the international computer underground. PHRACK MAGAZINE is made available […]


CCS Industry Track

I’m excited to be a part of the ACM’s 2005 Computer and Communication Security Conference, which has an Industry Track this year. We’re working to foster more interplay and collaboration between industry, the public sector, and academia: The track aims to foster tighter interplay between the demands of real-world security systems and the efforts of […]


Secure Programming

Dave Wheeler has a new article out “Call Components Safely.” Developers should take a few minutes to read it.


"Just the Standard Rhetoric"

…Iran’s supreme leader, Ayatollah Ali Khamenei, told Muslims making the annual pilgrimage to Mecca that Rushdie was an apostate whose killing would be authorised by Islam, according to the Iranian media. How very reassuring and level-headed of the British to respond by saying: The Foreign Office said: “The key thing from our point of view […]


Software Security: What's Your Next Move?

I met Gunnar Peterson after attending one of his talks at BlackHat. It was very well done, and it looks like he’s now offering longer versions. If you’re concerned about the security of your software, and want to improve your development process, you should consider this. If you produce software, and aren’t concerned about the […]


Rob Slade Ben Rothke Writes a Positive Review (Forensic Discovery) [Ooops!]

Rob Slade reviews security books. No, more generally, Rob Slade points out in excruciating detail the flaws in security books. So when he I misread a post from ISN and think it says Slade, rather than Rothke, I look like a real fool who can’t find the flaws in my own writing. Really, Ben Rothke, […]


Small Bits: Secret Law and Security, Root-Fu, New Blog, and Canadians Stagnate

Cory Doctrow points to a letter he’s sent American Airlines about The security officer then handed me a blank piece of paper and said, “Please write down the names and addresses of everyone you’re staying with in the USA.” and his Kafka-esque experience in trying to find out why they were asking. Good on Cory […]


Attackers Are Evolving, Are You?

When I was getting into computer security, back in the dark ages, when Nirvana was releasing albums, hacking was an art. It was passed along in hard to find text ‘philes’, which were a mixture of technology and philosophy. 2600 Magazine remains an example of this sort of old-school hackerdom. The world-view that accompanied the […]


Why I Want HTML Export (from Keynote)

Lately, I’ve been complaining that Keynote still can’t export to the web. Now, I’ve been remiss in ensuring all of my writing is in HTML. I’ve been slowly going back and converting things, as I have a few minutes, or as I want to link to something I’ve said. Today, in posting a comment to […]


"Thinking WiKID Thougts"

Nick Owen has a new corporate blog up. His very first post is “Why ROI is a crappy measure for Information Security.” I look forward to more.


Canada, Land of Rugged Individualists?

Well, for the sake of our non-Canuck visitors, a brief primer is in order. The post 1960’s Canada can be better described as Trudeaupia – a progressive-era dream that just kept on chugging along. The stage in our history where good liberals had become bad Liberals and were well past the point of no return. […]


Small Bits of T-Mobile

A friend wrote to T-Mobile and asked if his data was compromised in the T-Mobile break-in. A service droid sent him a press release. My comments are pointed to by the brackets. Customer, Please see the press release below regarding the hacker investigation with T-Mobile’s customer information. If your information was compromised you would have […]


Symposium on Usable Privacy And Security CFP

The Symposium on Usable Privacy and Security will be July 6-8 at CMU: The Symposium on Usable Privacy and Security (SOUPS) will bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy. The program will feature refereed papers, tutorials, a poster session, panels and invited talks, and discussion sessions.


Small Bits of Chaos

The Globe and Mail has a good story on how copyright law is preventing the re-release of “Eyes On the Prize:” The makers of the series no longer have permission for the archival footage they previously used of such key events as the historic protest marches or the confrontations with Southern police. Given Eyes on […]


Mac Software Updates

Devosquared has a new release of PowerCard. If you need project management, check this out. It fixes a “bug” where you couldn’t mark days as “weekend.” As a startup person, I’m not sure why that needed fixing, but maybe it matters. Apple has a announced new release of Keynote, which still can’t export to the […]


The Iron Fist and the Orange Revolution

There’s a fascinating and moving article in the New York Times about how elements of Ukranian intelligence aided Yushchenko in his bid to overturn the first, fraudulent election: Whether the collaboration was a convergence of political aims, or a pragmatic understanding by the siloviki that Mr. Yushchenko’s prospects were rising, is subject to dispute. Yulia […]


Trouble with Surveying Cybercrime

In a comment yesterday, Chris Walsh said: In any case, this should not be a difficult nut to crack, in principle. The US government conducts surveys of businesses all the time, and is capable of obtaining quality samples and high response rates in which academics justly have confidence. In theory, I agree with Chris. In […]


Students for an Orwellian Society

These heroic students have made many sacrifices in the name of IngSoc. They stand as a stirring example to us all. They have denounced the crimes of Davis Sos, who promised over 100 IngSoc posters, but have shirked their duty, and squandered the money provided to them. Those students are now hard at work being […]


DHS to Survey Cybercrime

In what they hope will become the premier measure of national cybercrime statistics, officials at the Homeland Security and Justice departments plan to survey 36,000 businesses this spring to examine the type and frequency of computer security incidents. This is a really exciting development. DHS seems to be taking a good approach, and in a […]


Giving New Meaning to "You Can't Get There From Here"

Microsoft MapPoint helpfully suggests this scenic route from Haugesund, Rogaland, Norway to Trondheim, Sør-Trøndelag, Norway, when asked for the quickest. This route may well be the quickest that includes England, France, Belgium, the Netherlands, Germany, Denmark, and Sweden. James Tyre (who credits David Flint) told Eugene Volokh.


More on DNA Dragnet

Chapell nails the “why you might have nothing to hide, but hide anyway” angle: Even more troubling is the possibility that the person who’s DNA was inside this woman may very well have had nothing to do with the crime. But rest assured, that won’t matter to the hundreds of police, FBI, press, and other […]


More on TMobile

The LA Times has a story on Jacobsen, the hacker, and the AP has a story with more technical details. The Infosec Potpourri blog has some analysis of the AP story.


Model Checking One Million Lines of C Code

Hao Chen, Drew Dean, and David Wagner have a paper of that name in Proceedings of the 11th Annual Network and Distributed System Security Symposium (NDSS), pages 171–185, San Diego, CA, February 2004. Hao Chen’s papers page has powerpoint, PDF and PS, as well as this abstract: Implementation bugs in security-critical software are pervasive. Several […]


On Torture

The New York Times reported yesterday that the White House fought for the CIA’s right to torture. In a letter to members of Congress, sent in October and made available by the White House on Wednesday in response to inquiries, Condoleezza Rice, the national security adviser, expressed opposition to the measure on the grounds that […]


Small Bits of Chaos

Scrivner points out a basic lack of agreement amongst the pundits: Damn that Bush, cleverly whipping up this fantasy of a threat to scare people into voting for him. … Damn that Bush, ineptly bungling America’s defense against the most dangerous threat Ian has a post about Ron Paul trying to ban the government issuance […]


What Makes Good Science?

Over at the Volokh conspiracy, Jim Lindgren writes: Crichton then describes scientific consensuses that turned out to be wrong. I don’t think that there is anything wrong with talking about the consensus of scientists or social scientists (and I certainly do so myself), but one must remember that it is the quality of the evidence […]


Financial Cryptography

The conference, not the blog, is now accepting registrations. The program looks really good this year.


Hotel Rwanda

I saw Hotel Rwanda this weekend. It’s a true story of a hotel manager who saved over 1,000 people from genocide. If you’ll allow me a moment of disgusted sarcasm, I look forward to the sequel, Hotel Darfur, now in pre-production. The story is the same: No one is bothering to intervene in African genocide, […]



A sophisticated computer hacker had access to servers at wireless giant T-Mobile for at least a year, which he used to monitor U.S. Secret Service e-mail, obtain customers’ passwords and Social Security numbers, and download candid photos taken by Sidekick users, including Hollywood celebrities, SecurityFocus has learned. … T-Mobile, which apparently knew of the intrusions […]


Blog Spam

Stefan Geens has a long post on why SixApart’s TypeKey system is not a good solution to blog spam. He points out that the system has bad economies of scale: Here too, the spammer needs to sit down, get a key, pretend to be human for a minute and behave until he gets a comment […]


Penny-Wise, Pound-Foolish?

The Supreme Court has just heard a case, Tenet vs Doe, over promises allegedly made to spies: Two former Soviet-bloc diplomats recruited to spy for the CIA during the Cold War say the agency later reneged on promises to compensate them for the dangerous missions they performed.  The husband and wife team are bringing this […]


DNA Dragnets and Criminal Signaling

In responding to my comments about Truro’s DNA dragnet, with a fascinating discussion of signaling, Eric Rescorla writes: Even if they’re not the perp, they may have other reasons not to have their DNA collected–for instance they’ve committed another crime that their DNA might match to. (The police say they’re only going to use the […]


Private Lives and Psychology

“In a very deep sense, you don’t have a self unless you have a secret, and we all have moments throughout our lives when we feel we’re losing ourselves in our social group, or work or marriage, and it feels good to grab for a secret, or some subterfuge, to reassert our identity as somebody […]



In a post to the patch management mailing list, Jay Woody mentions Threatcode, a site dedicated to tracking and shaming badly written code. Cool! I wish the site was a little easier to read, but nice going!



The “back” button is Safari is way too close to the “close” button. Safari would be a much better browser if there was an option to not close (or confirm closing) the window if there are multiple tabs open. Bugger it!


Ban Windows, Not Cell Phones

Scrivner has another great post, this one to a study at Virginia Commonwealth University. (My link is to the study, not the press summary Scrivner links.) The press summary claims that rubbernecking accounts for 16% of accidents, looking at scenery or landmarks 10%, while cell phones account for only 5%. Clearly the answer is to […]


DNA Dragnet

The city of Truro, Massachusetts is trying to collect DNA from all 790 residents to solve a crime, reports the New York Times. Its not clear why they believe that residents are more likely to be the criminal than non-residents, and it is clear that they don’t get the 4th amendment, against dragnet searches, or […]


Small Bits of Chaos

Simson Garfinkel announces a new article analyzing the security of Skype. JihadWatch comments on a story on NPR yesterday, bemoaning the descriptivist reality that Jihad is now used to describe violent acts of terror. I heard this story on the radio, and the commentator’s prescriptivist bias of “Darn it, this is what the word means!” […]


Economics of Price Discrimination

Scrivner points out that the airlines, masters of price discrimination are giving up: In response they’ve become perhaps the world’s most expert practitioners* of price discrimination, mastering the art of charging the business traveler $1,000 more than the tourist in the next seat in exchange for a short-notice booking with few restrictions. But even that […]


Does Ryan Singel Need A Privacy Policy?

Yesterday, I commented that Ryan Singel, in his review of Robert O’Harrow’s* new book, had an Amazon tracking URL. I was mostly noting the irony of aiding tracking in a post titled “Pay Cash for This Book,” but Ryan comments: “it got me to thinking that this site has no privacy policy.” Not to pick […]


Framing Effects and Apple

Until I read John Gruber’s latest Daring Fireball on “The Rumor Game,” I was firmly in the “Apple is being Ridiculous” camp, and “Apple is chilling free speech” camp. The essence of the story is Apple is suing a rumors site because they’re leaking product details. What Gruber points out, and a quick Google search […]


Presentation of Risk

The Wall Street Journal posted this table today, in an article on how risks are presented. Note the lack of a time scale. Is that a lifetime risk of a heart-attack? Are there lifetime stats for Vioxx takers? How does that risk compare to the risk of winning the lottery? Those odds are (I’m guessing) […]


Small Bits of Chaos

Ryan Singel reviews Robert O’Harrow’s new book, No Place To Hide. O’Harrow covered the CAPPS-II and other privacy stories for the Washington Post. In the spirit of the story, I’ve left the little tracking bits from Ryan’s Amazon URL. If you’d like a less tracked version, click here, or type the title into Amazon. There’s […]


Help! Mac Project Management Software

I need project management software for a small project (20-50ish tasks, 8-10 people come and go and need to be assigned tasks.) I’d like software that will assign resources to time blocks, handle dependencies, and be easy to use. I’ve spent the morning testing apps, going until I found something either I or the software […]


Boyd's Relevance Today

In a comment, Ian Grigg asks, “I haven’t got to the modern stuff yet, so quite what he has to say that is currently relevant eludes me for now.” Over at Defense and the National Interest, there’s an article that draws heavily on Boyd: In a new briefing [1.7 MB PPT], three retired officers—each hailing […]



Adam Laurie and company continue not to release code for their Bluetooth attacks, and vendors continue not to fix them. Are we better off, with millions more Bluetooth devices out there? Do we expect that there will be no release of code, and that without PoC code, we’re safe? Bluetooth is different from internet vulns, […]


Small Bits of Chaos

Ed Felten announced a “Clip Blog,” of short articles with no or small comments. Hmmm. Neat idea. Ian Grigg gives us his thoughts on the Abagnale controversy: [Clausewitz] said something to the extent of “Know yourself and you will win half your battles. Know your enemy and you will win 99 battles out of a […]



John Boyd was arguably the best fighter pilot in American history. While at the Air Force Fighter Weapons School, he was not only undefeated, he won every fight so fast he was known as “Forty Second Boyd.” While there, he wrote the “Aerial Attack Study,” which transformed the study of fighter combat from an art […]


Educated Pat-Downs

Eric Rescorla has two good posts on screening at Educated Guesswork. I’d still like to expand the range of questions, and ask: is intense personal screening effective or needed? Can we use air marshals, different aircraft designs, and armed pilots so that we don’t need to compare rub-downs to millimeter-wave scans?


Small Bits of Chaos

Much as I hate blogging anything from Slashdot, Why the Space Station Almost Ran Out of Food is great. (The previous crew had permission to borrow the current crew’s food, but didn’t record how much they’d eaten.) Maybe they could get jobs working for the Social Security Administration. John McWhorter has a new book out, […]


Evaluating Security

The study, published in the January issue of the journal Emerging Infectious Diseases, concluded that the estimated $7.55 million spent on [SARS] screening at several Canadian airports failed to detect one case of the disease. … “Sometimes what seems like a reasonable thing to do doesn’t turn out that way,” the report’s lead author, Dr. […]


370,000 Absconders

Buried in this story about tracking illegal immigrants is the interesting item that as of early 2003, of 6,000 Muslims who absconded within the US after being told to leave the country, only 38 percent had been found. That left over 3,500 still at large. How many have been caught since then? Where are the […]


Ratty Signals

So, we have a security signal that’s available, but not used. Why might that be? Is the market inefficient, or are there real limitations that I missed? There are a few things that jump to mind: Size of code issues. More code will produce a longer report. RATS produces a line count, but doesn’t issue […]

