Shostack + Friends Blog Archive



Let’s look at some data

Paul Murphy has made some predictions for 2007. EC readers can judge their value.
Mr. Murphy makes one comment on data breaches that I can’t resist reacting to (after the jump), however.


I knew those Bratz were trouble

As if Barbie isn’t a bad enough role model, it seems that at least one Bratz doll came complete with actual marijuana as an after-market accessory. The unlucky recipient’s mom quickly called 911 when she found the contraband packaged with the doll she received in the mail, having thought it was an identical doll she […]


Fingerprinting Visitors

In a scary story, the Christian Science Monitor reports “US creates terrorist fingerprint database:” Last year, the Department of Homeland Security (DHS) announced the completion of a database system that collects electronic fingerprints of both the index and middle fingers of every noncitizen entering the US. The system now documents 64 million travelers. The Homeland […]


The Price of Nothing and the Value of Everything

In the Christmas double issue of The Economist, there is an interesting article about Google’s new domain-level email services and their applicability to business. I’m traveling, so I listened to the podcast version. I’m not going to criticize Google today. I think Gmail is a good service. I have several Gmail accounts. I am personally […]


Liechtenstein Expands

The BBC reports that Modern measuring methods proved that Liechtenstein’s borders are 1.9km (1.2 miles) longer than previously thought. The border has been changed in some of the more remote corners of the mainly mountainous state, which has now grown in size by 0.5sq km (123 acres). Black Unicorn tattoo by Monique’s Euro Tattoo and […]


Trusting Privacy Promises

Michael Arrington writes at Techcrunch about a former law firm, all of whose records are going to be opened to the public: Brobeck, Pleger & Harrison LLP was a well known law firm in silicon valley during the first Internet boom. They had thousands of startup and public company clients and handled all aspects of […]


Would You Do Me A Favor?

Nick Owen posts his favorite blog posts of the year. I have my favorites, but I’m curious. What are yours? What do you remember? We’d love to know.


OCR and License Plate Cameras

In “The Vehicular Thomas Crowne Affair: how to creatively defeat photo radar,” Scrollin On Dubs points out that: I just got my plate from AZ DMV and happily installed it this morning. It can still be read by the keen eye but from one of those crappy photo radar pictures it will be a non-trivial […]


All Privacy Invasion Fears Come True: Thanks, Alec

In March of 2005, Alec Muffett predicted “National loyalty cards,” and I mocked him for it. Since then, I’ve decided that all non-trivial privacy fears come true. And since then, Alec’s plan has taken another step. The BBC reports about a new “Blair plan for ‘people’s panels’.” No, I didn’t make that up, Comrade. He […]


Mrs. Claus Gets Tired of It via Canadian Privacy Law blog (who’s had a good series of privacy and liberty cartoons up lately).


Chip, Pin and Tetris

Saar Drimer and Steven Murdoch will be getting lumps of coal from the banking industry, and amused laughter from the rest of us: It is important to remember, however, that even perfect tamper resistance only ensures that the terminal will no longer be able to communicate with the bank once opened. It does not prevent […]


Relentless Navel Gazing, Part 10

I’ve made explicit that email addresses are optional when commenting. I’ve added easy links to Digg, Reddit, Furl, YahooMyWeb and NewsVine. If you have a bookmark system you’d like me to add, let me know. [Update: More navel gazing: added dates to post footers, and fixed underlining for links in the […]


DHS says one thing, does another. Film at 11.

The Department of Homeland Security (DHS) Privacy Office conducted a review of the Transportation Security Administration’s (TSA) collection and use of commercial data during initial testing for the Secure Flight program that occurred in the fall 2004 through spring 2005. The Privacy Office review was undertaken following notice by the TSA Privacy Officer of preliminary […]


Radical Transparency and Society

In “Radical Transparency to improve resilience,” John Robb posts about Chris Anderson’s ‘radical transparency:’ Think about how these tactics can be applied to societal resilience: Show who we are. Show what we are working on. “Process as Content.” Privilege the crowd. Let readers decide what is best (aka: wisdom of the crowd) Wikify (this another […]


50 Greatest Cartoons

If you’re coming here on a holiday weekend, you might be bored. So why not take advantage of this list of online video of 46 of “The 50 Greatest Cartoons?” PS: I can’t believe they put Gertie the Dinosaur above the Rabbit of Seville. Critics.


That wasn't so bad after all…

There’s an article in Wall Street and Technology, “When Risk Managers Cry Wolf.” It opens: Avoiding “reputation risk” is a common justification for increasing security measures, protecting customers’ financial information and reporting security breaches in a timely manner. But now more than 18 months after the big ChoicePoint incident when 163,000 bogus accounts were created […]


Akaka-Sununu Bill Repeals Key Aspects Of The Real ID Act

Daniel Akaka and John Sununu have introduced a bill to repeal title II of the Real ID Act. From the press release: The Identification Security Enhancement Act (S. 4117) replaces REAL ID with language from the Intelligence Reform and Terrorism Prevention Act of 2004 (P.L. 108-458), which took a more measured approach in mandating tougher […]


I’ll See Your Randomness, And Raise You a Protocol

In “Stellar Lavarand,” Ben Laurie writes: Some crazy people think they can make a business of this, only using the solar wind, the clouds of Venus, the Northern Lights, Jupiter’s shortwave emissions and other cosmic events as their random source. Just like lavarand, this causes a moment of “oooo, shiny”, rapidly followed by “but why […]


Aspen Privacy Breach

The Wall Street Journal reported yesterday that “Stars Find Privacy Breached In Aspen by Phone Book” (behind paywall, sorry). According to the Journal: When the Yellow Book directory for Aspen, Colo. came out recently, residents of this ultra-chic ski town found it contained more than the usual list of local bars, hair salons and ski […]


Fines, Settlements in Privacy Invasions

Topping the list, Vodaphone has been fined $100M (€76M) for failing to protect 106 mobile accounts. “Greek Scandal Sees Vodaphone fined” at the BBC, via Flying Penguin. On this side of the Atlantic, Choicepoint, Experian and Reed-Elsevier are looking to pay $25 million to settle claims that they invaded the privacy of 200 million drivers […]


My Advice for the Pragmatic CSO

Mike Rothman writes: On the Wikid blog, they tackle the mess of incentive plans in this post (h/t to Emergent Chaos). I can see the underlying thought process, but I have a fundamental issue with the idea of capping information security expenses to about 1/3 of the expected loss. Now I haven’t read Gordon & […]


Million Dollar Blog Post

My friend Austin Hill has put up the Million Dollar Blog Post. They, and their sponsors, will donate up to a million dollars to charity, at $1 per comment. I think charity is tremendously important. I’ve been lucky enough to have a set of skills that are well rewarded in today’s world. (I’m reminded of […]


Read any good books lately?

Do share your opinions and suggestions. Personally, I don’t read enough, and I stay within a too-narrow comfort zone of UNIX geek material. Help me, and other EC readers similarly situated. It’d be nice if the techie side of infosec was not the subject (Rich Bejtlich has that covered anyway) I wrote up a review […]


Gifts for the Cryptological Mind

Cryptological in this case meaning those who like thinking about the hidden. Authorized Da Vinci Code Cryptex from The Noble Collection. It’s very nice, made of good, solid brass. It avoids many combination lock issues. I tried some obvious ways you can cheat a letter from such a device and it was well-made enough that […]


Breach Bills, and the Role of Encryption

In Grant Gross’s IDG article, “VA Security Breach Bill Criticized by Cybersecurity Group,” CyberSecurity Industry Alliance General Counsel Liz Gasster is quoted extensively: The Veterans Benefits, Health Care, and Information Technology Act, largely focused on veterans’ health-care programs, includes a section on information security requiring the VA to report data breaches of any “sensitive” personal […]


Have Some Soma, and Don’t Mind The Cameras

The BBC reports that “Prozac ‘found in drinking water’” in Britain, and that: In the decade leading up to 2001, the number of prescriptions for antidepressants went up from nine million per year to 24 million per year, says the paper. They point to a Observer story, “Stay calm everyone, there’s Prozac in the drinking […]


Seattle Weather

In “Threatening Winds Likely to Close Major Bridges,” the Washington State Department of Transportation declares: WSDOT has never closed Tacoma Narrows Bridge for high winds. I don’t know that I’d be braggin’ about that. Picture from Wikipedia. [Update: They did in fact close the bridge. And I’m fine. Never lost power, no trees fell on […]


A Moment of Silence

Ahmet Ertegun has passed away. Ertegun founded Atlantic Records because he loved music, and at 83, the BBC reports: He suffered a head injury when he fell at a Rolling Stones concert at New York’s Beacon Theatre in October, and died after slipping into a coma. (Emphasis added.) His book “What I’d Say: The Atlantic […]


Infosec Incentives for People

So there’s been discussion here recently of how to motivate security professionals to do better on security. I think it’s also worthwhile to look at normal people. And conveniently, Bruce Schneier does so in his Wired column this month, “MySpace Passwords Aren’t So Dumb.” He looks at how MySpace users do in their passwords versus […]


One passport, please…

hold the RFID. I just got my US passport renewed, and I was pleasantly surprised when it came back Old Skool — no RFID.  I’m happy…until 2016 anyway.


When Security Collides With Engineering (Responsible Disclosure Redux)

Stefan Esser announced earlier this week that he was retiring from citing irreconcilable differences with the PHP group on how to respond to security issues within PHP. Of particular interest is that he will be making changes to how he handles security advisories for PHP (emphasis mine): For the ordinary PHP user this means […]


Cost-Benefits, Incentives, and Knowing What to Do

Adam quoted some interesting thinking about infosec incentives. However, I’m not sure it’s that simple. Gordon and Loeb say that you shouldn’t spend more than 37% of an expected loss. However, at last summer’s WEIS (Workshop on the Economics of Information Security), Jan Willemson published a paper, “On the Gordon & Loeb Model for Information […]


Introducing Mordaxus

Mordaxus is a longtime former cypherpunk with interests in anonymity, security and usability. He’s been involved in some of the biggest brands in security, and has entertaining stories about some of the most interesting events in information security history. He can’t tell those without giving away his secret identity, and so will focus on adding […]


Wikid cool thinking on Infosec incentives

First, assume that you believe, as discussed in Gordon & Loeb’s book Managing Cybersecurity Resources: A Cost-Benefit Analysis and discussed here that an organization should spend no more than 37% of their expected loss on information security. Second, assume that you agree with the Ponemon Institute on the cost of business data breaches: $182 per […]


Information Exposed For 800,000 At UCLA

Apparently it’s Identity Theft Tuesday here on Emergent Chaos. CNN reports that a “Hacker attack at UCLA affects 800,000 people”, which includes current and former faculty, students and staff. The initial break-in was apparently in October of 2005 and access continued to be available until November 21st of this year. I am stunned that it […]


When The Fox Is In The Henhouse

“Protectors, Too, Gather Profits From ID Theft” in today’s New York Times tells the tale of woe of Melody and Steven Millett, who despite a subscription to Equifax’s Identity Theft protection service still had Steven’s SSN readily abused. Privacy consultant Robert Gellman summed up one of the problems with these services nicely: Identity […]


Corruption-Free Anguilla?

There’s a new blog, “Corruption-free Anguilla.” Long-time cypherpunks will remember the joys of the Cable and Wireless contract with Anguilla. From the blog’s inaugural post: The need for such a site is based on the perception that there is much discussion in hushed tones about corruption. No one discusses the matter publicly. The press […]


Quotable quotes

History teaches you that dictators never end up well. Augusto Pinochet, November 25, 1915 – December 10, 2006


New Cookery: Emergent Chaos in the Kitchen

Ferran Adria, Heston Blumenthal, Thomas Keller and Harold McGee have issued a statement on the New Cookery: In the past, cooks and their dishes were constrained by many factors: the limited availability of ingredients and ways of transforming them, limited understanding of cooking processes, and the necessarily narrow definitions and expectations embodied in local tradition. […]


The Antikythera Machine

So it was a busy week, and I was behind everyone and their brother blogging about the Antikythera machine. Most of the articles only gave a few pictures. The one shown here is from Philip Coppens, who has great background. Also, courtesy of Stefan Geens, here are 3d views, courtesy of HP and Scientific American.



Ben Laurie has some knots from Second Life. Pretty.


Medical Privacy

There’s a really interesting story in the New York Times last Sunday, “Health Hazard: Computers Spilling Your History.” Money quote: Some patients are so fearful that they make risky decisions about their health. One in eight respondents in a survey last fall by the California HealthCare Foundation said they had tried to hide a medical […]


So I’m Idly Curious…

“Please put your bra in the bin,” at Flyertalk: items used to augment the body for medical or cosmetic reasons such as mastectomy products, prosthetic breasts, bras or shells containing gels, saline solution, or other liquids; and, … 1. Separate these items from the liquids, gels, and aerosols in your quart-size and zip-top bag. 2. […]


Farts on a plane!

Or, “It’s not the crime, it’s the coverup”. It may be one problem airline security officials never envisioned — a passenger lighting matches in flight to mask odors from her flatulence. The woman’s actions resulted in an emergency landing on Monday in Nashville of an American Airlines flight bound for Dallas from Washington, D.C., said […]


Rocket Powered Mini

Can a rocket powered mini match the distance of an olympic ski jumper? Watch and see. For a full explanation of the results read Popular Science’s breakdown of the experiment.


Privacy For Hedge Funds

In “Citadel, Sensitive Data, and Plusfunds’ Bankruptcy” Paul Kedrosky looks at the impact of youthful chattiness on an industry: Apparently hedge fund Citadel is trying to purchase data from bankrupt Plusfunds that would detail trading strategies at some of its major competitors. The latter company had run a hedge fund index underlying which were trading […]


Gift Giving Advice: Cash Trumps Cards

At MSNBC, Bob Sullivan writes about Gift Cards: Why Cash is Still Better: I’ll show you how a $50 bank card will cost you $60 and could easily be worth only $40 to the recipient. We know, it’s the practical tips that keep you coming back day after day. Image by rgluckin.


The Pat-Downs at Public Stadiums

Two Seattle Seahawks fans are suing the stadium for unreasonable searches: “There’s no specific reason, or identifiable credible threat to Seahawks fans and because the stadium is a public stadium, it is unconstitutional to require these pat-downs,” said Chris Wion, one of the Seattle lawyers representing the plaintiffs. “I think this is the same type […]


NIST and Voting Machines

Ed Felten points out that “NIST Recommends Decertifying Paperless Voting Machines:” In an important development in e-voting policy, NIST has issued a report recommending that the next-generation federal voting-machine standards be written to prevent (re-)certification of today’s paperless e-voting systems. … The new report is notable for its direct tone and unequivocal recommendation against unverifiable […]


You Make Me Look Good. Thanks!

In “Our Tax Dollars at Work,” Phil writes: After half an hour I gave up on figuring out how to do my civic duty, and leveraged Adam for some help. He’s my go-to guy for this kind of thing. He has the kind of readership that provides answers in as little as forty earth minutes, […]


Live Poultry!

If you’ve ever lived in Cambridge, Mass, you’ve probably seen the sign. I recognized it instantly, seven years after I left Boston. It’s on Cambridge St, in East Cambridge. Boston’s Weekly Dig dug in: It’s one of the more puzzling quirks of the local cultural consciousness that Gould’s shop is almost universally known, yet few […]


Bacon of the Month Club

There are days when I wish I was Boingboing. No, really. Because if I were Boingboing, I could blog about friggin’ Bacon of the Month Clubs all day long, and have everybody on the planet clicking on my ads while I sat in my hot tub dictating posts. But we’re not. We have self-respect, […]


Security 1.27?

Security 2.0 indeed….. Thanks Illiad…. s/WEB/SECURITY/g Happy Saturday


Sample Comments for TSA?

Last night, I blogged about the ridiculous TSA Scores and how hard it is to comment on them. Then I realized that I don’t have a good sample comment. Well, I have lots of comments, but now and then we pretend that this is a family blog, and that anyone under 21 might be interested […]


Dear TSA, How Do We Contact Thee?

Phil Schwan, who was able to read to the end of “Homeland Security tracks travelers’ meals” without blowing a gasket, noticed that they said they’d only gotten 15 comments: I tried for 30 goddamn minutes to figure out how to comment. That’s why there are only 15 comments. All I could find was a Privacy […]


The New Transparency

Sometimes, we Americans forget how lucky we are to live in a country with 51 legislative bodies, all of which can pass laws which affect all of us. By sheer luck, some of those laws will not stink, and a few actually turn out to be useful, not jarringly out-of-tune with the gestalt, and not […]



How’d you like to be the person at British Airways who has to write the letter to 30,000 people explaining that they might have been exposed to a radioactive poison while traveling on BA flights? Remarkably, authorities will not confirm that the substance detected was Polonium, yet passengers on the flights are being asked to […]


More on Godin and Tufte

There’s another good article on Juice Analytics, “Godin, Tufte, and Types of Infographics:” (hey, guys, where are the author names? Author names only show in RSS, not the web page?) Tufte frustrates on a number of levels. He is enormously influential in business. Businesses send people to his seminars and they come back energized with […]


The Two Minute Rule for Email and Slides?

So I’ve been discomfited by the thoughts expressed by Tom Ptacek and the Juice Analytics guys over what presentations are for, and a post over at Eric Mack’s blog, “A New Two Minute Rule for Email.” The thing that annoys me is the implicit assumption that all issues should be broken down into two minute […]


Fanning the flames, security metrics style

Amidst the to and fro over insider v. outsider threats, whether security metrics can be “gamed”, and so on, and in recognition of the best buddies that security geeks and economists have now become, I offer the following. The saying often quoted from Lord Kelvin (though the substance, I believe, is much older) that “where you […]


Halvar on Vulnerability Economics

Back in July, I wrote: If fewer outbreaks are evidence that things are getting worse, are more outbreaks evidence things are getting better? Now, I was actually tweaking F-Secure a little, in a post titled “It’s Getting Worse All The Time?” I didn’t expect Halvar Flake would demonstrate that the answer is yes. Attacks getting […]


Banksy Videos: Security Is Everyone’s Responsibility

Following on Arthur’s post about Banksy, and for your weekend amusement, videos of Banksy installing his artwork are at his site. I had to hand-enter URLs to get the videos to display; they’re of the form, with the others being 1, 3, and 4. Via Alec Muffet.


Small Bits of Chaos

Michael Geist is covering Canadian Parliamentary hearings over that country’s privacy law in “PIPEDA Hearings – Day 01 (Industry Canada)” “PIPEDA Hearings – Day 02 (B.C. Privacy Experts)” Bakelblog vents about the petty tyranny of immigration bureaucrats in “Welcome to America, Fuckwads!” Alec Muffet has interesting and detailed comments about the broken security of the […]


Banksy Again

Or how museum security is like information security. Or as Sivacracy put it, “Involuntary Art Acquisitions”. Call it what you will, but in all cases it highlights the fact that most security programs, be they physical or information focused, tend to be unidirectionally focused. In the case of museums, it is to ensure that nothing […]


Happy Geeky Thanksgiving

Hey everyone, it’s time to celebrate Thanksgiving here in the U.S. Or in the words of Anya, engage in “ritual sacrifice with pie.” If pie isn’t your thing, perhaps cookies are. kung-foodie points us to Joseph Hall’s Ubuntu and


England and Wales to fingerprint motorists at traffic stops

Via the Beeb: Drivers who get stopped by the police could have their fingerprints taken at the roadside, under a new plan to help officers check people’s identities. A hand-held device being tested by 10 forces in England and Wales is linked to a database of 6.5m prints. Police say they will save time because […]


Selling Security?

Last week, Martin McKeay responded to RaviC’s thoughtful discussion of security as a core competence by saying: I don’t think any business is going to buy into security as a core competence unless you can demonstrate to management that they’ve lost business directly because of a lack of security. And even then, it’s an incident […]


On Awareness

Last week, Rich Bejtlich posted his common security mistakes to TaoSecurity. His points are all excellent and well thought out; however, I would add one more item to his list: Awareness. It is very in vogue to say that user education must be eradicated, will never work and is one of the dumbest ideas in […]


Carole King said it best

“It’s too late, baby” Yeah, I’m dating myself, but Tapestry was huge, and she and Goffin had some serious songwriting chops. Anyway, the “it” about which it’s too late is, yes, a relationship. An important relationship. A relationship which, while admittedly not exclusive, is “open” in a hopefully honest, fulfilling, respectful way. That relationship is […]


The Kristian Von Hornsleth of the Blogosphere?

Apparently, artist Kristian Von Hornsleth has been paying Ugandans to rename themselves Hornsleth, as a way of drawing attention to aid failures. His exhibit is sub-titled “We want to help you, but we want to own you.” I think it’s brilliant. Regular readers know that we talk a lot about identity, id cards, and economics. […]


Frito-Lay’s New Snack Line

Frito-Lay spokeswoman Lisa Greeley, who said that the company made a commitment in 2004 to develop a healthier line of snacks but “never thought it would actually come to this,” described the Flat Earth brand as “tailor-made for the small, vocal minority of health-conscious consumers who apparently can’t just be content with salads, bananas, apples, […]


Guidance Software, Evidence and Software Provenance

So Chris beat me to the mocking of Guidance Software. I was going to do that, and then ask about the software that they produce, and its heavy use in legal proceedings. If your corporate network is full of hackers, what does that say about the admissibility of the output of your software? There’s also […]


SANS Top 20 has competition!

SANS has just released their annual Top 20. I won’t bother linking to it — Google knows where to find it, and if you’re reading this blog, you probably do too. Anyway, it seems like the SANS people have a bit of competition. Check out this list: Failing to assess adequately the vulnerability of its […]


Tufte, Godin, Juice Analytics

Juice Analytics comments on “Godin’s take on Tufte:” (Godin) I think this is one of the worst graphs ever made. He’s very happy because it shows five different pieces of information on three axes and if you study it for 15 minutes it really is worth 1000 words. I don’t think that is what graphs […]


Privacy and "Required, not used"

So, I was commenting over on Econlog, and noticed this: “Email Address (Required. Your email address will not display to the public or be used for any other purpose.)” So, umm, what is it being used for? This is both snarky (obviously) and serious (less obviously). The less obvious part is that information is being […]


Bag Matching and Lost Bags

Every now and then, it seems like TSA can do something right. I’ll let you know. In the meantime, the New York Times tells us that “Frustration Grows at Carousel as More Baggage Goes Astray:” The Transportation Department reported that 107,731 more fliers had their bags go missing in August than they did a year […]


Vulnerability Game Theory

So a few days ago, I attended the Vista RTM party. I spent time hanging out with some of the pen testers, and they were surprised that no one had dropped 0day on us yet. These folks did a great job, but we all know that software is never perfect, and that there are things […]


All Non-Trivial Privacy Fears Come True

A few months back, I said “Ironically, privacy advocates warned that the number would become a de facto national ID, and their concerns were belittled, then proven right, setting a pattern that still goes on today.” In thinking about Alec Jeffrey’s come-to-Jesus moment, I realized that we can state that another way: All non-trivial privacy […]


Cypherpunks, Sameer make the Oxford English Dictionary

cypherpunk, n. Computing slang. A person who uses encryption when sending emails in order to ensure privacy, esp. from government authorities. For the full text, see his post, The OED. Me, I’m disappointed that they didn’t quote the Forbes article.


Reason #2453 Not To Mug Magicians

On Friday, BoingBoing linked to a great story about some kids mugging magician David Copperfield. Copperfield used sleight-of-hand to hide the items in his pockets: The assistants handed over money and a cellphone, but the illusionist turned his pockets inside out to reveal nothing, although he was carrying his passport, wallet and cell phone. So […]


Two On Identity

There’s the Budapest Declaration on Machine Readable Travel Documents: By failing to implement an appropriate security architecture, European governments have effectively forced citizens to adopt new international Machine Readable Travel Documents which dramatically decrease their security and privacy and increases risk of identity theft. Simply put, the current implementation of the European passport utilises technologies […]


New Zealand to literacy: "l8r!"

Via CNN: WELLINGTON, New Zealand (AP) — New Zealand’s high school students will be able to use “text-speak” — the mobile phone text message language beloved of teenagers — in national exams this year, officials said. Text-speak, a second language for thousands of teens, uses abbreviated words and phrases such as “txt” for “text”, “lol” […]


Better Dead than Red?

Via the Beeb, writing about a county board election in South Dakota: Marie Steichen, who died of cancer in September, beat a Republican rival by 100 votes to 64 and became a county commissioner posthumously. The election list closed on 1 August, but Ms Steichen’s name was kept on the list for Tuesday’s election. Voters […]


Popping pills

Breach disclosure foes say that notifying those whose personal information may have been revealed in many breaches is costly, and often not commensurate with actual risk to consumers. A well-written example [pdf] can be had from the Political and Economic Research Council, which reports that direct notification costs are about $2.00 per notified person. So, […]


Mike Howard beats me to the punch

His posts on “Microsoft hosts OEM partners for a crash-course in SDL (Day Two)” and “Microsoft hosts OEM partners for a crash-course in SDL (Day Three)” cover much of what I wanted to say: My biggest observation was these guys were utterly engaged, and by that I mean writing copious notes and asking some very […]


One Graph, Zero Credibility

Let’s see... we’ve got shadows, random colors, and the colors are graduated, and so is the background. Displaying 13 digits takes 109,341 bytes (in the original), for a remarkable data density of .0001 digit per byte. Anti-phishing working group? You can, I hope, do better. Via the F-Secure blog, who don’t have per-post links.


Talking to OEMs

My co-worker Mike Howard posted “Microsoft hosts OEM partners for a crash-course in SDL (Day One)” As part of our ongoing SDL efforts, we are hosting a 2.5 day event here in Redmond for our OEM partners – over 50 senior technical experts from the biggest names in the computer industry. Out of respect for […]


"Mission Accomplished"

The White House has been gloriously editing history for the edification of the people. Or, as Roger Bakel points out: Remember Bush’s speech on the aircraft carrier three and a half years ago, in which he declared an end to major combat in Iraq while standing under that instantly notorious ‘Mission Accomplished’ banner? Well, the […]


On Elections

I heard on the radio last night that these are the most expensive elections in US history. (It was not clear if that was accounting for inflation, or considering Presidential elections as well.) They also said that only about 50 of the 454 Congressional seats are considered to be in play. This years after McCain-Feingold […]


Invade Privacy in Haste, Repent at Leisure

A pioneer of Britain’s DNA database said on Wednesday it may have grown so far beyond its original purpose that it now risks undermining civil rights. Professor Alec Jeffreys told BBC radio that hundreds of thousands of innocent people’s DNA was now held on the database, a disproportionate number of them young black men. … […]


Participatory Security

Cutaway, over at Security Ripcord, provides us with an alternate take on the fact that security needs to understand the business constraints and goals of the organization. He (She?) quite rightly points out that security is a part of the “Service and Support” Group. He has two essential points: I have been hearing a lot […]


Giant Elephants in London, Redux

I found this beautiful set of photos of the Sultan’s Elephant show in London. (Mentioned previously.) Photos by Simon Crubellier. Found while searching for a photo to go with “If you’d seen the things I’ve seen with these eyes of yours…” Since we’re being slightly political, can you imagine this show being put on anywhere […]


More things to Do With the "Last 4"

Apparently, in Ohio, you’ll be able to vote if you know the last 4 digits of an SSN. As the Cleveland Plain Dealer reports: Voters who don’t have identification will be able to vote at next week’s election by presenting the last four digits of their Social Security number and casting a provisional ballot. Will […]


"Keep Defect Data Public"

The National Highway Traffic Safety Administration (NHTSA) is again bending to the will of the auto industry as the agency is proposing to restrict access to information about consumer complaints, warranty claims and service reports. NHTSA was ordered by Congress to make information about problems with vehicles public after it withheld information about the blowout […]


What a Sad Waste

Someone who likes his privacy sent me this link to an “Encyclopedia of Privacy.” It’s 672 pages, for $199. How many people are going to read that? How many copies are they going to sell? It’s sad that they’ve chosen to lock up all that work that way, rather than putting it somewhere where the […]


Topology Editors Resign En Masse

The New York Sun reports, “A Rebellion Erupts over Journals of Academia:” “Elsevier’s prices are very high,” said an emerita mathematics professor at Barnard College, Joan Birman, who resigned a few years ago from the board of an Elsevier journal, Topology and Its Applications. She said her feeling was, “We do the work, we check […]


Public Library of Science and The Journal System

Dave Weinstien has a really interesting article, “PLOS – Open Access science:” PLoS has an “intrinsic tension” [Hemai Parthasarathy] says because most of the people who started the journal don’t believe in elite publishing. “We think it’s wrong for tenure committees to pass the buck” to the editors of the top-tier journals. That’s why they’ve […]


How to Treat Customers

My friend Austin Hill has a new blog, Billions With Zero Knowledge. He’s got a really good post up “Crowdsourcing or Community Production – An Interview with Hugh McGuire from Librivox.” What’s most interesting to me is how new companies are trying to tap into customer enthusiasm to build not only value for their customers, […]


Happy Halloween

Sometimes it’s OK to take candy from strangers.


Giant Waves

Chandler Howell has a great post about giant waves. He quotes extensively from “Monster Rogue Waves” at Damninteresting: More recently, satellite photos and radar imagery have documented the existence of numerous rogue waves, and it turns out that they are far more common than previously thought. During a three-week study in 2001, radar scanning detected […]


The Hugo Chavez Test for Voting Machines

At first I thought that the stories around Sequoia Voting Systems and Smartmatic having connections to Hugo Chavez were silly. I still do think that, but I also think that they’re coming out for an important reason: we have lost trust in the machinery of voting, and that is a criminal shame. The right to […]


On Printing Boarding Passes, Christopher Soghoian-style.

Yesterday, I blogged about Christopher Soghoian’s print your own boarding pass tool. Quite a few people (including the FBI) are taking the wrong lesson from this. Wrong lessons include “we shouldn’t be allowed to print boarding passes,” “we should check ID at the gate,” and “Christopher Soghoian should be arrested.” The right lesson is that […]


"You’re doing a heck of a job, Kip"

Sure, it’s all over the web, but you might be living under a rock, or in a reality-free zone, and have missed “Make Your Own Fake Boarding Pass” at 27b/6. The short version of the story is that someone has automated the process of creating your own fake boarding passes. Don’t worry, though, Osama isn’t […]


Risk Management Redux

Earlier this week, Mike Rothman took a swipe at Alex Hutton’s What Risk Management Isn’t by saying: But I can’t imagine how you get all of the “analysts and engineers to regularly/constantly consider likelihood and impact.” Personally, I want my firewall guy managing the firewall. As CSO, my job is to make sure that firewall […]


Health Care Privacy

Bob Sullivan has an article at Red Tape, “Health care privacy law: All bark, no bite?” and focuses on the lack of penalties. Two years ago, when Bill Clinton had heart surgery performed in New York’s Columbia Presbyterian Medical Center, 17 hospital employees — including a doctor — peeked at the former president’s health care […]


Congratulations to Counterpane and Bruce Schneier

Even though Chris got the news before me, I wanted to add my congratulations. I was involved in Counterpane very early, and made the choice to go to Zero-Knowledge Systems. I stayed involved on the technical advisory board, and was consistently impressed by the quality of the many Counterpane employees and executives who I met. […]


BT buys Counterpane

And so it continues…. Reuters has a few details. Unsurprisingly, Bruce Schneier also has a blog entry up on this.


Remembering the Hungarian Revolution

I like to celebrate moments of human freedom, even when they are not as successful as we would hope. And so, it’s worth remembering the Hungarian revolution against Soviet rule. Nick Szabo has a fine post about it, which started fifty years ago yesterday, and it was the featured article on Wikipedia yesterday, “The Hungarian […]


Long Term Impact of Youthful Decisions

There’s a fascinating article in the New York Times last week, “Expunged Criminal Records Live to Tell Tales” about how companies like Choicepoint which collect and sell public records don’t pick up orders to expunge those records. I didn’t have much to add, and figured the Times doesn’t need me to pimp their articles (they […]


Contactless Credit Cards Cracked

Well calling it cracked implies encryption or some semblance of security of which there is none according to the New York Times. In Researchers See Privacy Pitfalls in No-Swipe Credit Cards we learn that a team of folks from UMass Amherst and EMC/RSA tested a small batch of RFID Credit Cards from Amex, Visa and […]


A Very Silly Idea: #privacy, and

With recent data leaks at AOL, governments seeking information from Google on its users, and no simple user privacy solutions available, a standard for empowering user search privacy has finally been proposed. is spearheading a search privacy revolution with its proposed #privacy standard. Our proposal is that the #privacy flag could be added to […]


Diebold goes open source

Well, not intentionally. Seems that multiple versions of source code (including the one used to run the 2004 primaries in Maryland) were delivered anonymously to a former legislator who has been critical of Diebold. Note that this is not the same source examined by Avi Rubin, et al., and found wanting from a security perspective. […]


Gettin’ Real Security? No.

I came prepared. I knew I would be walking into the lion’s den with my spartan Thinkpad running Windows and Ubuntu. Sure enough there was an eerie sea of glowing white Mac logos in the conference room which reminded me vaguely of Wyndham’s Midwich Cuckoos. I surreptitiously covered the IBM logo with a white […]


Use The Logo Luke

“Decaf” over on DeadBeefCafe, relates the story of a colleague whose response to yet another virus outbreak is to convince management to purchase Macintoshes, with the following justification: We’re going to buy Mac Minis and run Windows on them because Macs aren’t affected by these security problems. Decaf breaks down the several fallacies of this […]


Star Wars Spoof video

Click the picture to be taken to Google video. (Don’t forget to remove the flash cookies when you’re done.)


A Picture (or Three) Is Worth A Thousand Words

Iang over at Financial Cryptography talks about the importance of not just which cryptographic algorithm to use, but which mode it is implemented with. He uses three pictures from Mark Pustilnik’s paper “Documenting And Evaluating The Security Guarantees Of Your Apps” that are such a great illustration of the problem, that I have to include […]


More on the Military Commissions Act

At the Volokh Conspiracy, Jonathan non-Alder points to the John Yoo op-ed which …argues that Congress sent a message to the Supreme Court with the passage of the Military Commissions Act: Mind your own business and leave the war on terror alone. In this regard, Yoo argues, the law was, above all else, a “stinging […]


More on Data Reservoirs

Nick Szabo takes issue with an article I pointed to in “Reservoirs of Data” in his post, “Citron’s ‘data reservoirs:’ putting liability at the wrong end of the problem:” Bottom line: liability should be put on the low-cost avoider. This is not merely a rule of negligence but a guideline for determining where any kind […]


Tearing Steve Wynn a New One

Wynn stepped away from the painting, and there, smack in the middle of Marie-Therese Walter’s plump and allegedly-erotic forearm, was a black hole the size of a silver dollar – or, to be more exactly, the size of the tip of Steve Wynn’s elbow — with two three-inch long rips coming off it in either […]


Radialpoint Needs People

My friends at Radialpoint are looking for a few great people to help drive their service delivery platform. They need a database development architect, a software architect, and a senior Java developer: These are leadership level positions in a growing company with great financial resources. Each of these team members will have the chance to […]


Debix Launches

I’m also really excited to share the news that my friends at Debix have launched their service, and it’s now available to the public. It is, in my opinion, the best identity theft preventative measure available today, and you should seriously consider signing up. The way it works is that they put a lock on […]


Threat Modeling: Uncover Security Design Flaws Using the STRIDE Approach

I’m pretty excited that an article, “Threat Modeling: Uncover Security Design Flaws Using the STRIDE Approach” is in the November MSDN magazine. The theme of the magazine is “Security Fundamentals.” The article that I wrote with Shawn Hernan, Scott Lambert, and Tomasz Ostwald talks about how we threat model our products at Microsoft. I’m happy […]


Powerpoint Plans

It’s the scenes Lucas was too scared to film! The actual presentation, with voice overs. At


I can’t believe they’d say that!

. It’s the Nietzsche Family Circus, which pairs a randomized Family Circus cartoon with a randomized Friedrich Nietzsche quote. Hours of fun!


Those Who Can’t Remember The Past…

Are condemned to be mocked for it. See what happens when Australia’s “The Chasers War On Everything” build their own Trojan Horse and haul it around town.


Periodic Spiral

The periodic table is under-appreciated as a design masterpiece, and as an iconic representation of science. The table works as a taxonomy, showing someone who knows how to read it a great deal of information about the elements based on their arrangement in space. So it’s pretty audacious to come out with a re-design: The […]


No soup for you!

Harkening back to Adam’s post a while back concerning EC being blocked or miscategorized by various “security” products, tk of nCircle posts that has been blocked from some security vendor sites. This reads to me like the equivalent (speaking of analogies) of Toyota blocking, rather than the categorization of as evil in […]



So Chandler offers up “The Last Security Analogy You’ll Ever Need.” I’d like to pile on: Analogies are like fish. Sometimes they just don’t make sense.


Certification Shmertification

So it seems that certifications are again in the press. This time over at SC Magazine. Last month, SC ran “Does testing matter?“. I say ran as opposed to ask, because really the article was a page long advertisement for the various certifications with most of the quotes being from the various organizations who sponsor […]


Do Kings Play Chess on Folding Glass Stools?

Over at the OSVDB blog, blogauthor writes: On September 29, Stefan Esser posted an advisory in which he said “While searching for applications that are vulnerable to a new class of vulnerabilities inside PHP applications we took a quick look…“. This led me to remember an article last year titled Microsoft unveils details of software […]



There are a bunch of ways to estimate how many people have died in the Iraq war.  One is to keep track of news stories and official reports of combatant and civilian deaths, and add them up. Another is to employ the tools of epidemiology and demography.  Until now, we’ve had essentially only the former […]


The Crap in Credit Reports

On August 10, after his family was refused a home loan, an Arcata man was mortified to find the phrase “son of Saddam Hussein” included on his credit report. “I looked at it and couldn’t believe my eyes!” Said the Arcata man who asked that only his middle name, Hassan, be divulged. The routine credit […]


Real ID Will Waste $11 Billion

What could you do with $11 billion? How many ways could we make the world a better place with that money? I know! Let’s spend it on a national ID card! The $11 billion figure comes from the National Conference of State Legislatures, and doesn’t include wasted time by productive members of society. On the […]


New, Non-Obvious, and umm, Useful?

Orin Kerr has an interesting post over at Volokh Conspiracy, “Government Responds in United States v. Ziegler,” which contains this interesting bit: But that’s simply not how the Fourth Amendment works. The “reasonable expectation of privacy” test is actually a system of localized rules: the phrase is simply a label, and what it actually means […]


On the Plane

I forgot to turn my wifi card off on the plane last night, and saw this: Kids today! Back in my day, man in the middle attacks were hard.


"Reservoirs of Data"

Danielle K. Citron has put a new paper on SSRN, “Reservoirs of Danger: The Evolution of Public and Private Law at the Dawn of the Information Age.” It is highly readable for the lay audience, and lays out (what I think is) a strong case for strict liability in personal data breaches. The abstract of […]


BOOM, there it is

If, as is being suggested, North Korea has tested a nuke, things will be getting mighty interesting. I don’t know what to make of it, frankly. Update, 2350 CDT: Looks increasingly like there was, indeed, a test.


More on RFID Zappers

This seems to be the weekend of redux posts and back tracking to earlier in the year. Way back in January, Adam wrote about the RFID Zapper created by the folks at the annual Chaos Computer Club conference. Along a similar vein, Julian of, has also produced an RFID Zapper made from a disposable […]


Google Code Search

Back in July, I posted about online code searching and static analysis in “Meet The Bugles“. Google has now seriously upped the ante and released Google Code Search which I am constitutionally required to mention includes full regular expression support. Now I was going to post an analysis of the cool things that one could […]


No Expectation of Privacy

Here in the U.S., one of our Old Order Amish communities has recently suffered an infamous crime — the murder of several schoolchildren.  Interest in this case has been high.  Naturally, the public’s right to know has been ably served, as journalists took plenty of funeral photographs, despite the fact that the Amish, on strict […]


Information Warfare

As long as I have been lecturing on security I have used the “Threat Hierarchy” that lists threats in ascending order of seriousness. It goes like this: 1. Exploratory hacking 2. Vandalism 3. Hacktivism 4. Cyber crime 5. Information Warfare It turns out that this hierarchy is also a predictive time line. Obviously we are […]


The Canadian Privacy Landscape

There’s a really interesting article at Blogging on the Identity Trail, “Bouquets and brickbats: the informational privacy of Canadians:” In the course of our investigations, I frequently found myself reflecting on two broader questions: first, I wondered how best law could protect the personal information of Canadians—and by extension the privacy of Canadian citizens—in the […]


RSS Feeds

Thanks for the emails. We’re aware of some problems with the RSS and comments feeds, and will be working through them asap. [Update: Should be fixed, as of Oct 05, 2006 at 05:01:36PM -0400. cw] [Update 2: When Chris said “fixed,” he was of course using the term in the sense of a Vegas prize […]


Detecting Election Fraud

Thanks to my lovely spouse, I came across a series of fascinating papers by Walter R. Mebane, Jr. a professor of Government at Cornell. These papers use statistics, specifically Benford’s Law, to detect election fraud. Now I know statisticians, and I am no statistician (and boy howdy is my higher level math rusty), but the […]


The Value of Location Privacy

There is a Workshop on Privacy in The Electronic Society taking place at the beginning of November. We (George Danezis, Marek Kumpost, Vashek Matyas, and [Dan Cvrcek]) will present there the results of A Study on the value of Location Privacy we conducted half a year back. We questioned a sample of over 1200 people […]


Less than zero-day

[This was prepared the morning of October 1, but not posted because I expected more to come of the story rather quickly. It now appears that 1. is true.] OK, so at Toorcon a couple of guys — one of whom works at SixApart — reported on a Firefox 0day. These gents claim to have […]


Is That Lack of Data Keeping You Safer?

Bob Sullivan has an interesting article, “Is that picture keeping your money safer” in which he takes dueling quotes over the Bank of America Sitekey deployment. Rather than arguing again about Sitekey (see “Easy Pickings for Bank Robbers,”) I’d like to ask why a respected and competent reporter like Bob can’t get a straight answer […]


Marty: It's All About Transparency

Marty Roesch writes “Miracle Weapon in the War on Terror Discovered!.” You’d think he’d have more sympathy for the need for standardized transports while doing high-speed inspection.


One For The Money, Two For The Show, Three For The Ballot

Ping over at Useable Security has a great analysis of Rivest’s ThreeBallot voting system. The delightful thing about ThreeBallot is that it should be incredibly easy to implement on a small scale and not much harder on a large scale and has in built in provisions to prevent voter error, counter fraud and vote buying. […]


Dear Secure Computing: Screw You, Too.

A loyal reader reports that we’ve hit the big time, and Secure Computing’s censorware has banned us at their dozens of customers’ sites. Now, it’s their right to make software that prevents you from getting the best in security news and analysis, and my right to wonder how they get their heads up there. I’m […]


2006 Underhanded C Contest

long unsigned int maxwordsize(char *inputFromStdIn) { long unsigned int tmpwordsize=0,maxword=1,i; for (i=0; i


Extra! Extra! Read Nothing About It! (Latest on Apple V. Maynor)

In “SecureWorks Backs Out of Macbook Demo,” Brian Krebs writes: David Maynor, the SecureWorks researcher who was set to demonstrate how wireless driver flaws could be used to compromise an Apple Mac laptop, suddenly has been yanked from the ranks of Toorcon presenters. At around 12:50 p.m. PT, SecureWorks issued the following press release: “SecureWorks […]


TRUSTing Mary Ann Davidson

Yesterday, Mary Ann Davidson had a fascinating post about the classics of Western literature. As usual for Mary Ann, the apparent basis of the post is really just exposition for her main point. In this case, the thrust of her post is the need for developers to have more training in secure coding at the […]


Computers Will Make Our Lives More Private

Social Security Administration officials believe computerization of files has contributed to their security. In the manual era, the applicant’s record was an individual ledger sheet. Thus if a person could get to the file drawer and then the ledger, he could check any record. Although entry to the files area was restricted by guards who […]


Words to live by

No free man shall be seized or imprisoned, or stripped of his rights or possessions, or outlawed or exiled, or deprived of his standing in any other way, nor will we proceed with force against him, or send others to do so, except by the lawful judgement of his equals or by the law of […]


Comment pointer

Mike Cook, author of the ID Analytics report referred to in a recent Breach Tidbit post, has responded in the comments.


Which Stupidity to Stop?

Stupid bills before legislatures seem to be a target-rich environment, which is to say, it’s hard to even say where to start. So allow me to offer a suggestion: California’s SB768 will slow RFID stupidity. Take a look at EFF’s fact sheet, and then, if you’re in California, call your local Governator, and tell […]


Ed Felten's Testimony

Ed Felten, who has been doing research into security issues with Diebold’s voting machines, is testifying today at a House Administration Committee hearing. He’s posted his written testimony on his website. Check it out. [Edit: Corrected the spelling of Ed’s name.]


Breach Datasource Design Criteria

Most readers of these words are probably familiar with at least one of the lists of data breaches commonly referenced in the media and in specialized blogs. Among these are’s Dataloss, and’s Breach Chronology. The ID Theft Center also maintains a list (available, it seems, only as a PDF), and various academic researchers […]


Well, At Least TSA Isn’t Driving People to Drink

“Everybody personally and professionally that I know who is afraid to fly gets their hands on Xanax,” said Jeanne Scala, a psychotherapist in Roxbury, N.J., adding that she has seen an increase in patients and friends talking about taking medication for flying jitters. “They’ll do anything to take the edge off the anxiety of sitting […]


Chris Walsh on Dark Reading

Our very own Chris Walsh was featured today on Dark Reading. In “Financial Firms Losing Data”, they profile Chris and his research using the Freedom of Information Act to better quantify the nature of privacy breaches in New York. The results may surprise you…


Worse Than Choicepoint: The FTC?

So part of Choicepoint’s settlement with the FTC was a $5m fund to compensate their victims. Now, there were 167,000 victims, of whom 800+ had their identities abused by fraudsters. None have gotten any money: Jessica Rich, assistant director of the FTC’s division of privacy and identity theft, said in a statement released to AP […]


U.S. versus E.U. Audits

Speaking of the differences between how security gets managed in the U.S. versus the E.U., CSO magazine has a light-hearted and somewhat irreverent article on the differing goals and priorities of audits on either side of the Atlantic. In spite of its tone, it does highlight some important issues to keep in mind. In particular: […]


"Handling Security Breaches Under European Law"

In a comment on “What’s Next in Breach Analysis,” Ian Grigg pointed out the very interesting “Handling Security Breaches Under European Law:” There are as yet no direct equivalents of the mandatory security breach reporting legislation we have seen in the U.S., either at a European Union level or within Europe itself. That is not […]


International Breach Notices: The Future Is Unevenly Distributed

So said William Gibson, and it is as true in breach notices as it is anywhere else. While only 34 US states have laws requiring these notices, we see organizations around the world sending them. They resonate as the right thing. Acknowledging and apologizing for your mistakes is powerful. (Hey, someone should mention that to […]


Breach Tidbit

One of the things people would like to find out is how likely it is that improperly-revealed personal information will be used to commit real fraud. ID Analytics has done some research which they interpret as suggesting that even with focused attacks, where the bad guy is going after SSN and account information, the probability […]


Darn kids! Get off my lawn!!

“Until Solaris became open, students were only interested in Solaris for the same reason they were interested in NextStep Unix — because it was this arcane, old-fashioned thing,” said Asheesh Laroia, a graduate student in computer science at Johns Hopkins University. Via NetworkWorld.


Stick a fork in her…

..’cause she’s Dunn! What’s the over/under on how long Hurd lasts? Image credit: progodess


The Future’s So Bright, Let’s Not Wear Blinders

I started this week asking “Is It Time To End the Breaches Category” and “What’s Next In Breach Analysis?” I talked about “Emergent Breach Research,” Chris talked about the theme of the “19th Annual FIRST Conference” including data being out of control. Arthur followed that up with “CSO Breach SOP == FUD?” and pointed out […]


10-second MBA, por favor?

I have read repeatedly, most recently at Bejtlich’s blog, that with the IBM-ISS and now Secureworks/LURHQ deals, Counterpane “must” be looking to get bought out. Why? As with management consultancies, could there not be room for a boutique that does one thing really well? Help me out, here.


Breach Data

I just received a response to my second Freedom of Information request to the state of New York. I’ll report on this more deeply soon, but in the spirit of breach analytics week, I wanted to throw out a couple of things, based on an extremely superficial examination of the approximately 285 pages I received, […]


HP: The Kind of Security Theater We Like To Watch

This story just keeps getting more entertaining. “HP targeted reporters before they published.” They tried to install spyware on targets’ computers, as CNET reported in “HP Spying More Elaborate Than Reported.” They engaged in physical surveillance of targets, as reported by the Washington Post in “Extensive Spying Found At HP.” And the Post reports that […]


CSO Breach SOP == FUD?

Last month, CSO Magazine ran an article “Avoid a Meltdown: Reacting to a Security Breach.” The article had some great advice on breach handling, however as usual, the magazine resorts to scare tactics in order to get its point across. It is articles like this that give CSOs a bad reputation for not understanding business […]


CfP: 19th Annual FIRST Conference

The Forum of Incident Response and Security Teams (FIRST) has put out a call for papers for its nineteenth annual conference.  The theme for 2007 is “Private Lives and Corporate Risk: Digital Privacy – Hazards and Responsibilities”. Full details at: FIRST 19th Annual Conference, June 17 – 22, 2007, Melia Seville hotel, Seville, Spain […]


Emergent Breach Research

I talk about research and next steps, but what do I mean? We’re starting to see academics taking a serious look at the data sets we’ve accumulated here and at Attrition, and that’s awesome. I want to see more papers like: “Notification of Data Security Breaches,” by Paul M. Schwartz and Edward J. Janger, forthcoming […]


What’s Next In Breach Analysis?

I asked recently “Is It Time To End the Breaches Category?” I think we, amongst others, have driven real change in expectations. Organizations outside the US, not compelled by any law, have chosen to notify customers. (Examples include a Bank of Montreal laptop, the Government of British Columbia, KDDI, a Japanese phone company, the Bank […]


Is It Time To End the Breaches Category?

Looking back to February of 2005, that companies routinely lose control of data entrusted to them was known mostly to security professionals and enthusiasts. Breaches were swept under the rug, and the scope and breadth of the problem was unknown. Thanks to Choicepoint’s dedication to bringing about public debate on the issue, the outstanding reporting […]


This Post Brought to You By The Number 3, and The Letters and S and L

There’s a fascinating discussion of the intersection of cryptanalysis, specification and flexibility, all of it stemming from yet another SSL attack by Bleichenbacher. The best posts are over at Matasano: Many RSA Signatures May Be Forgeable In OpenSSL and Elsewhere Mozilla Falls to RSA Forgery Attack RSA Signature Forgery Explained (with Nate Lawson) – Part […]


Lego Advertising

Real construction sites were transformed into LEGO-like universes, simply by adding a few colorful containers shaped as overdimensional LEGO bricks. Sometimes the spew of marketing-driven designers irks me. “Transformed into Lego-like universes?” Please. It would be like security folks telling you we made your application/network/business secure. Via Guerrilla Innovation. I’d link more, but can’t find […]


On Building Patches

Analysis shows that a small number of users have been impacted by this issue. Given the documented workaround, it may be addressed in a future service pack. Photo: Adam, the entrance to a Microsoft garage.


Because That's Where The Money is: Ethan Leib's ID Theft

Ethan Leib blogs about being the victim of a fraudster: An individual in California posing as “Ethan Leib” (with phony ID to match) has been walking into branches of my bank across the state and taking all my money — despite a fraud alert on my accounts. They even stole thousands from my 6-week old […]


Metricon 1.0 Papers and Digest Available

Metricon 1.0 papers and a remarkable digest are available at the security metrics web site. Dan Geer took extensive notes, and has turned them into a very useful document for those who weren’t able to make it.


Fingerprinting At Disney: The Police-Entertainment Complex

In “Walt Disney World: The Government’s Tomorrowland?” Karen Harmel and Laura Spadanuta discuss how Disney has moved from finger geometry (to constrain ticket re-sale) to fingerprinting their customers. I think the most important bit about this is about the links between Disney and the government: Former Disney employees have filled some of the most sensitive […]


$50 Million for Violating Driver's Privacy in Florida

$50 Million Verdict for Violating Drivers’ Privacy in FL A Florida bank was required to pay $50 million in a class-action settlement resulting from violations of federal privacy law. Fidelity Federal Bank & Trust purchased 656,600 names and addresses from the Florida DMV for use in direct marketing. The purchase violated the Drivers Privacy Protection […]


Does anyone remember laughter?

Via Stupid Security, I learned of a gent whose T-shirt was deemed a security risk because it showed crossed pistols and could upset passengers. He was allowed to board the plane, but only after turning his shirt inside out. Good thing he wasn’t wearing a Zeppelin shirt. I guess Bush would be OK (ironic, given […]



It may seem hard to believe, but a nuclear-armed power has made peace with al-Qaeda. I know, with the Bush administration’s stunning competence, as demonstrated in the aftermath of Katrina, in keeping gas below a dollar a gallon, in containing Iraq while keeping North Korea from getting nuclear weapons, it’s hard to believe that they’d […]


Dunn Done

See “Leak Scandal Costs HP’s Dunn Her Job.” [Update: It’s only her chairwoman job. Somehow the board members at HP don’t see action that leads to criminal investigation as all that bad. See Paul Kedrosky’s “HP Splits the Boardroom Baby,” which is an awful title for a great article. Solomon’s splitting of the baby was […]


HP Spying on Their Board

If you’ve not been paying attention, HP’s Chairwoman hired private investigators who lied their way to the phone records of board members and journalists. HP then lied to the SEC about why Silicon Valley eminence Tom Perkins resigned from the board, and Mr. Perkins, being a standup guy, called them on it. If you haven’t […]


Interesting Posts on HP, Sept 10

Eric Rescorla ties HP’s use of traffic analysis to that of the NSA in “I told you traffic analysis was useful.” Apparently, HP didn’t just chase down directors and reporters, but also the father of at least one journalist. See “HP Leak Investigation Extended Beyond Reporters, Directors.” (I say HP rather than HP’s investigators because […]


I couldn't have said it better, myself

Pseudonymous contributor “DK”, of Josh Marshall’s blog expresses several worthy thoughts about national character with a brevity and nuance I envy: OK, I’ll admit to a bias here. I think the Netherlands is one of the best places on the planet. They have our entrepreneurial spirit, but with good taste. Like us, they have completely […]


The Facebook Privacy Scandal

It’s only with the understanding that privacy has many meanings that I can comprehend people on Facebook complaining about privacy. (People interested in this should read Alessandro Acquisti’s work.) That’s not what I wanted to post about. What I wanted to post about was the great way the CEO of Facebook took the wind out […]


HP Roundup

The best posts I’m seeing are coming from Paul Kedrosky, who has posts like “Patricia Dunn Lectures on Corporate Governance,” and Playing Truth or Dare with HP’s Patricia Dunn” and Robert Scoble, with posts like “HP Story Keeps Getting Worse,” and “HP Has Major Ethical Problem, Day 2.” I’m using Scoble’s picture here. Don’t miss […]


The Core Values and Morals of Our Citizens

So Chris’ post “Are they stupid, or just lying?” got me thinking. Chris was talking about the spectacle of the House voting to ban the sale of horsemeat. But he had this quote: Added Rep. Christopher Shays, R-Conn.: “The way a society treats its animals, particularly horses, speaks to the core values and morals of […]


Compliance for auditors?

The frequent loss of laptops and data disks by outside auditors in recent months has caused me to think about best practices for controlling auditors. The latest case involved the laptop of the auditor for Wellsfargo Bank. The laptop was stolen from the trunk of the auditor’s car and contained confidential information on bank employees. […]


Are they stupid, or just lying?

On the recent House of Representatives vote to ban the slaughter of horses:  “It is one of the most inhumane, brutal, shady practices going on in the U.S. today,” said Rep. John Sweeney, R-N.Y., a sponsor of the ban.     Sweeney argued that the slaughter of horses is different from the slaughter of cattle and chickens […]


New PCI DSS is out

The Payment Card Industry Digital Security Standard, version 1.1, has been released [pdf].  This was widely anticipated, and has been remarked upon here at EC. A noteworthy change is that stored card numbers needn’t be encrypted: Compensating Controls for Requirement 3.4 For companies unable to render cardholder data unreadable (for example, by encryption) due to technical […]


Ali, by Any Other Name

Bob Blakely used to be fond of saying that privacy is the ability to lie and get away with it. To have to hide one’s name is considered deeply shameful. But with sectarian violence surging, Iraqis fear that the name on an identification card, passport or other document could become an instant death sentence if […]


A Total Eclipse of Rational Thought

Nick Owen brings us the story of how passengers on a Paris-Mauritius flight are suing Air France, because Bonnie Tyler sang “Total Eclipse of the Heart.” (He also brings us the headline, and the closing thought, “I assumed that first class was always filled with song. If the first class can’t sing love ballads, then […]


Congratulations to Mozilla

EWeek has the story: Window Snyder has joined Mozilla as Security Chief. Congratulations all around. PS: Just when Window and I were gonna live in the same city, again, too. Bugger. PPS: Apparently, it’s from Mike Schroepfer’s blog post.


Wells Fargo to laptop-losing auditor: buh-bye

Via David Lazarus, writing about yet another lost laptop, this one belonging to an an outside auditor working for Wells Fargo: “The auditor had this information because we are required by the Internal Revenue Service to have our health plans audited by independent, qualified public accountants,” said Julia Tunis, a Wells spokeswoman. “The auditor is […]


If I want your opinion…

…I’ll beat it out of you: President George W. Bush’s proposal for trying suspected terrorists captured overseas would allow the use of evidence obtained by coercion and let judges bar defendants from hearings where classified evidence is discussed, a Senate Republican aide who has been briefed on the plan said. Or, as Firesign Theatre put […]


ID Theft as a Not-For-Profit Activity

The New York Times has an article, “Some ID Theft Is Not for Profit, but to Get a Job,” about immigrants using other people’s SSNs so they can get jobs, and the impact that this has (because of the databases that run our lives): “All that was happening was that the illegal alien who had […]


The "Seal" that Doesn't

From this photoessay, it appears that the seal Diebold places on its electronic voting machines doesn’t do a darn thing.  It is possible to remove the card from which the thing boots, and replace it with one of your choosing, leaving no trace — the seal itself remains unchanged.  Elapsed time, a bit over four […]


On The Curious Incident Lately in Apple v. Maynor and Ellch

So John Gruber, who has written quite a bit on the whole did-they-didn’t-they spat between Apple and Dave Maynor and Jon Ellch, offers up “An Open Challenge to David Maynor and Jon Ellch,” offering them a Macbook if they can root it. I’d like to mention something that hasn’t happened lately. By not happening, it […]


Video Killed the Radio Star

Or, the times, they are a-changin’: To a certain extent I admire this. It’s a way of making the physical object worth more than the digital download. But it can also be seen as yet another example of DRM. In this case, the stronger DRM present on a DVD than the unprotected audio CD. The […]


A Thousand Tiny Shackles on Innovation

In many cities, real estate agents have tried to restrict access to M.L.S. information or to limit its use on the database. Some have asked state legislatures to pass laws forcing brokers to offer certain levels of service, a move that Mr. Kelman [CEO of Redfin, an online brokerage] sees as intended to squeeze out […]


Google whitewash

The Tom Sawyer kind, that is, known formally as Google Image Labeler: You’ll be randomly paired with a partner who’s online and using the feature. Over a 90-second period, you and your partner will be shown the same set of images and asked to provide as many labels as possible to describe each image you […]


On Requirements

Roger Cauvin has some really interesting points on “Requirements and Apple’s “Time Machine”:” CRUD requirements assume that users actually want to create, update, and delete information. But users don’t really want to create, update, and delete information. They want to access it to achieve some larger goal. Enabling the user to create, update, and delete […]


Data Dilemma

Various folks at Northwestern’s Medill School of Journalism have done some great work, which they call Data Dilemma: Privacy in an Age of Security. I was led to this by various stories about the US Department of Education feeding information on financial aid applicants to the DHS for five years without bothering to inform those […]


The Jazz Cryptographer

How can we resist blogging about Rudresh Mahanthappa’s latest album, as covered in “From Crypto to Jazz” at Wired News: To the uninitiated, modern jazz can sound like a secret language, full of unpredictable melodies and unexpected rhythms. For alto saxophonist Rudresh Mahanthappa, however, the idea of jazz as code is more than just a […]


Choicepoint, while we're correcting errors

A few weeks back, I corrected an error in a post about Choicepoint. Choicepoint also corrected an error, see “Job seeker loses opportunity after inaccurate background check” for details: “Well, first they said, ‘Something was wrong with your background check,’” she said. “I said, ‘What is wrong with it? What is wrong with my background […]


Inconceivable Levels of Destruction

There’s been a great deal of talk around the London plot about the impact of the destruction of ten airliners. Senior US officials called it inconceivable. Now, destroying 10 planes might be murder on the scale of 9/11. It would certainly be shocking and despicable. I’d like to point out that the Iraqi people can […]


Mangle those cell phones?

OK. Right off I am *not* advocating physical destruction of old recycled cell phones. This post (Mangle those hard drives!) at my primary security blog, ThreatChaos, got a lot of reactions when I suggested that physical destruction of hard drives was the best policy in lieu of a well managed data wiping process. That was […]


Several On MS Software

First, don’t miss the great series of posts on the “Excel 2007 Trust Center.” There’s some really good thought on security and usability in there. (While I’m at it, after two months of using ribbons, the idea of going back pains me. It really does. I had that “WTF did you do to my screen […]


On Terror and Terrorism

“Is There Still a Terrorist Threat” asks Foreign Affairs. Bruce Schneier considers “What the Terrorists Want,” and also offers up a useful roundup of “Details on The British Terrorist Alert.” In that details space, Phil offers up thoughts on what a “Temporary Flight Restriction” meant to his travel. Meanwhile Kung-Fu Monkey asks “Wait, Aren’t You […]


Blog finds

I’ve come across some blogs I find interesting. Maybe others will, too.
Statistical Modeling, Causal Inference, and Social Science
Weblog of a Syrian Diplomat in America
Decision Science News
Social Science Data and Software (SSDS) Blog
SecuritySauce (Marty “Snort” Roesch’s blog)
Plus, a special bonus non-blog: UCSB’s Cylinder Preservation and Digitization Project


Outsiders! Insiders! Let's call the whole thing off.

I have no idea whether outsiders or insiders are responsible for more losses, and while the topic is somewhat interesting, it seems to me to be something of a marketing-generated distraction. I’ve worked in environments where I am absolutely certain that insiders were the predominant threat, in environments where they probably were, and in environments […]


Are Things Out of Whack?

In North Dakota, the state agricultural commissioner, Roger Johnson, has proposed allowing () farming, and has been working with federal drug regulators on stringent regulations that would include fingerprinting farmers and requiring G.P.S. coordinates of () fields. “We’ve done our level best to convince them we’re not a bunch of wackos,” Mr. Johnson said. The […]


Air Safety: Terrorism and Crashes

There have been two fatal air accidents this week, one in Ukraine in which 170 people died, and one in Kentucky, in which 50 people died. In neither case is terrorism being blamed as I write this. The safety engineering that makes air travel so safe is astounding. The primary activities, from pilot training to […]


Poll: 58% approval rating for Bush among voting machines

WASHINGTON – Despite mounting public criticism of his administration’s handling of Iraq and the war on terror, 58 percent of voting machines approve of the way Bush is handling his job according to the latest poll by Shamby and Associates. This is in contrast to the 42% approval rating he has among human beings from […]


Hamming it Up

(or “The New York Times Gets Self-Referentially Ironic“) … he recognizes that plenty of people must think that rounding up friends and family members to go in on a thousand-dollar ham that he envisions hanging in his living room is crazy. But food lovers like him understand, he says. And in the end, the elaborate […]


Nasty, Poor, Brutish and Short: Somalia

Life in Somalia seems truly awful, and, like Hobbes, many are willing to turn to a very powerful government to fix it. See Ethan Zuckerman’s “Somalia Update,” which points to “The Path to Ruin” in the Economist.


Gloria Gaynor’s Threat Levels

At first I was afraid, I was petrified. I kept thinking I could never live without you by my side. But then I spent so many nights thinking how you did me wrong. I grew strong. Via Accordion Guy.


Mea Maxima Culpa

In posting yesterday about Debix, I should have disclosed that I have personal and financial relationships with the company. In addition, I was one of the 54 people in the test, and my fraud alerts did not set properly. I should have disclosed that as well. I apologize for the oversight. My thanks to Mr. […]


An Odd IDology

So over at the “ID Space,” jdancu (who I assume is John) writes some responses to questions I posted to Kim Cameron’s blog. The article is “Knowledge Verification In Practice…” Kim also has a response, “Law of Minimal Disclosure or Norlin’s Maxim?” Since this is part of a continuing conversation, let me summarize by stating […]


Who's next?

Now that ISS has been purchased by IBM? Or is consolidation not really happening?


40% of Fraud Alerts Don’t Propagate

[Update 3: I should have disclosed affiliations with Debix in this post. See “Mea Maxima Culpa.”] Debix is reporting that 40% of fraud alerts don’t propagate between all three major credit agencies. You remember those fraud alerts? They’re supposed to protect you from identity theft, right? Well, let me let you in on a secret. […]


Nick Szabo is on a Roll

When I started blogging, I wanted to say one interesting and insightful thing per day. I still do, and so say several things in the hopes that one of them is interesting. Nick Szabo, on the other hand, has apparently been storing them up, and is on a roll lately: “Book consciousness,” on the effects […]


New Airport Security Procedures

RyanAir of England is decidedly non-plussed by the UK security theater, and is threatening to sue. (Via Boingboing.) Remember, emptying the planes not only hurts the airlines, but when it pushes people to drive instead of fly, it kills people. Not in as newsworthy a fashion, but more people die driving than flying.


Breach numbers

I just got a response from North Carolina to my freedom of information request, asking for records pertaining to security breaches resulting in the exposure of personal information. North Carolina requires that such breaches be reported centrally. The data were sent in printed form, in a table obviously derived from a spreadsheet. I hope to […]


AOL data release fallout

AOL’s CTO has “decided to leave” the company, “effective immediately”, according to an email message sent to remaining employees by CEO Jon Miller. Additionally, CNet news reports that the researcher who posted the data, and the researcher’s supervisor (a direct report of ex-CTO Maureen Govern) have been fired.


Identity 2.1

Dave Weinberger absolutely nails why I worry about the whole Identity 2.0 plan, in “Anonymity as the default, and why digital ID should be a solution, not a platform.” If you know what Identity 2.0 means, you owe it to yourself to read this post. If you build Identity 2.0 platforms/solutions/best-of-breeds, you owe it to […]


Nothing To Fear Except Fear Itself

Last night, passengers on a Malaga-Manchester flight misbehaved until the airline took two “Asian” men off the flight. See “Mutiny as passengers refuse to fly until Asians are removed” in the Daily Mail. For me, this raises a number of questions, in no particular order: Why weren’t the unruly passengers arrested? Who was forcing them […]


Biometrics Enable Guilty Men to Go Free?

Don’t miss the picture that Jerry Fishenden paints in “biometrics: enabling guilty men to go free? Further adventures from the law of unintended consequences:” Outside, armed policemen, guard dogs and riot barriers prevent the curious crowds pushing too close. On the office rooftops – police marksmen. In the Victorian drains below the courtroom – boiler-suited […]


New (Oracular) Blogs

While we’re celebrating, let me tip the hat to three new bloggers: Mary Ann Davidson has a blog, confusingly headlined “Sandra Vaz Blog (en Portuguese!)” I suspect it’s a template issue, but then again, I’ve seen Mary Ann with–oh, I shouldn’t tell you what she put on her name badge at the Exec Women’s Forum […]


Happy Birthday to Us!

Emergent Chaos was launched two years ago today. My very first post was “Why Did Google Pop.” I could go through and talk about my favorite posts, but I’m more interested in your favorites. In the 2 years of operation, we’ve averaged just over 2.5 posts per day, and I think we’ve only been silent […]


Dell Batteries and Privacy?

Kip Esquire has a blog post about liabilities and restatments and product liabilities with an interesting twist for the capture-everything crowd: As for the costs of warning: How geographically diverse are the customers? How easy or difficult would it be to communicate the warning — would a press release be sufficient? Is the product likely […]


Ed Moyle is on a Roll

“Why’s Everybody Pissed at Consumer Reports?” and “Thoughts About OpenOffice” are both great posts.


Ruling issued in NSA wiretap case

The Permanent Injunction of the TSP requested by Plaintiffs is granted inasmuch as each of the factors required to be met to sustain such an injunction have undisputedly been met. The irreparable injury necessary to warrant injunctive relief is clear, as the First and Fourth Amendment rights of Plaintiffs are violated by the TSP. See […]


New Security Measures: Effective, Non-intrusive

Or not. The BBC reports that “10,000 bags misplaced at airports,” and a “Boy boards [a] plane without tickets (sic).” Meanwhile, here at home, we have a program that engages in behavioral profiling in some airports. How effective is it? The New York Times reports in “Faces, Too, Are Searched at U.S. Airports:” In nine […]


Voyager 1 passes 100 AU

Voyager 1 has passed 100 AU. It’s a stunning feat of engineering. (Story via Slashdot.)


"Faux" Disclosure

I wasn’t going to join the debate on relative merits of Dave Maynor/Johnny Cache’s disclosure of vulnerabilities in device drivers at Black Hat 2006, but Bruce Schneier’s post calling it Faux Disclosure, has annoyed me enough that I feel obliged to comment now. In particular he says: Full disclosure is the only thing that forces […]


Emergent Effects of Security Rules

In London, and apparently some other parts of Europe, you can no longer bring electronics on board, including laptops, which are this here Jazz Combo’s instruments of choice. It’s much worse for actual musicians, many of whom have antique and irreplacable instruments which they usually carry on board. The NY Times reports in “Tighter Security […]


Birthday paradox bites FEMA

Via the SacBee: WASHINGTON (AP) – FEMA will replace locks on as many as 118,000 trailers used by Gulf Coast hurricane victims after discovering the same key could open many of the mobile homes. One locksmith cut only 50 different kinds of keys for the trailers sold to FEMA, officials said Monday The article continues: […]


Choicepoint Correction

In response to “Choicepoint Spins off Three Businesses,” Choicepoint spokesperson Matt Furman sent the following: It is factually incorrect to describe ChoicePoint or its subsidiary, Bode Technology Group, as attempting to “amass a DNA database.” Bode’s clients are almost entirely government laboratories that are trying to solve crimes and identify victims as well as felony […]


Fear Wears Off: More UK Liquid Explosives Plot

As the shock and awe wears away, we learn more about what happened and why. Perhaps this plot was not about to go operational, as MSNBC reports that “U.S., U.K. at odds over timing of arrests.” Meanwhile, after years of debate over warrantless surveillance, the Washington Post reports that a “Tip Followed ’05 Attacks on […]


Amazing Circles

Amazing Circles is a photoset on Flickr. This is #2 in the series, “Cornflower Circle.” If you’re curious, there’s instructions on “How to create amazing circles.”


Clue me in?

I have to fly (from PDX to MDW) Sunday AM. Anybody flown domestically who can tell me what the real-world impact of the new rules has been in terms of delays at security? As Leslie Nielsen Lloyd Bridges might say, “I picked the wrong four days to go on vacation”. Updated: Lloyd, not Leslie. Thanks, Asteroid.


Marketing Points Fingers

Over at the CSO blog “Brand Loyalty Hinges On Security,” we learn that: In 2005, more than 52 million account records were reportedly stolen or misplaced, according to a study by CMO Council and Opinion Research. … “Security is what I call the 800-pound gorilla of reputation,” Jeffrey Resnick, EVP and global managing director of […]


Ryan Russel, A Sample Please

Over at the Open Source Vulnerability Database blog, we learn that Ryan Russel has won the “Oldest Vulnerability Contest.” It is in the interests of science that I ask how Mr. Russel was able to come from behind like this. And much as I like and respect Mr. Russel, it’s quite a last minute leap […]


Airline Threats: Nothing to Fear Except Fear Itself

I’m glad to hear that they caught a set of people with real plans and capabilities to carry out an act of mass murder. Too many of the recent groups arrested have fit better into the “round up some suspects” line of thinking. I don’t have a lot to add to FDR’s fine words, but […]


Performing Code Reviews

My co-worker Mike Howard has a really good article on “A Process for Performing Security Code Reviews” in IEEE Security & Privacy. It’s chock full of useful advice.



Is that enough acronyms yet? In Adam’s previous post, Justin Mason commented: There’s another danger of this — even if the number is an opaque ID, the *presence* of the RFID chip means that an attacker can remotely detect the presence of an I-94, therefore a foreign passport, therefore a tourist ripe for a mugging […]


The Assignment of a Mandatory Identifier

So two stories came out recently, and they’re connected by a thread, which is the assignment of identifiers. The first was in Government Computer News, “IG: U.S. Visit RFID needs better security controls,” which opens: The RFID on the Form I-94s was designed with privacy protections, the inspector general said. Specifically, the RFID tag, which […]


Attack of the Clones?

EKR is the voice of reason when he points out that of course RFID passports are clonable, when he responds to all the press brouhaha about, Lukas Grunwald’s demonstration at Black Hat showing that an RFID passport can be duplicated using off the shelf parts. This outcome is hardly surprising, this is yet another side […]


AOL search records 'research'

Most readers will have read by now of America Online publicly releasing a large sample of search records. From the README supplied with the data: The data set includes {AnonID, Query, QueryTime, ItemRank, ClickURL}. AnonID – an anonymous user ID number. Query – the query issued by the user, case shifted with most punctuation removed. […]


Emerging from Network Black Holes

Sorry about the downtime. The fine folks who host this blog for us have been having hardware troubles. They’re swapping components around, and we hope it all heals up soon. Photo: Waiting to Breathe, from Stock.xchng.


Transparency Is Good for the Soul (of Our Profession)

In “Legislating Virtue,” Phill takes me to task for being unclear in “So, this, ummm, friend of mine, umm has a problem with security.” That’s fair. I’ve been saying similar things a lot, and I forget that I need to back up and frame it from time to time. Phill spends a lot of his […]


Dear Hooters Hotel, Las Vegas

Whadda ya mean, you won’t pre-fill the bathtub with jello? (Actually, I stayed at the San Remo for Defcon last year. It was a long walk, but walkable, to the Alexis Park, and it was a great little dive hotel. I did find the rent-a-cops roughing up the vagrant a little disturbing. Maybe now they […]


Dear Sandman Hotel, Vancouver

Thanks for understanding that after a day and a half hiking through Garibaldi Provincial Park, all I want is a quiet room that doesn’t cost an arm and a leg, and a shower. At first I shuddered at having a room between the elevators and the ice machine, but it was quiet as a tomb. […]


RSS vulnerable?

Well, yeah. Of course. The perfect storm for a new wave of attacks: 1. New protocol catching on fast that involves completely trusting clients. 2. Insecure servers maintained by inexperienced sys-admins. 3. A vulnerable RSS reader tied directly to the OS. (Can you say IE7.0?) A report out of SpiDynamics at BlackHat this week: Attackers […]


The butler did it

There’s a feeling you get when you watch a formulaic movie. After seeing a half-hour’s worth, you just know how it will end. You can see the decision points characters reach, and you know they’ll make the bad choice. Indeed, the very predictability of such films is what allows hilarious parodies such as Airplane! or […]


Dear Fairmont Hotel Vancouver,

Please stop sucking. For $250 a night, give me a shower which doesn’t fluctuate in temperature and pressure. Give me a door which keeps out hallway noise and light. Don’t have your cleaning staff re-arrange my things so your things (like the room-service menu) can take up space on the desk I rented from you. […]


When Security Systems Attack

A £40,000 teddy bear formerly owned by Elvis Presley was destroyed when a guard dog which was supposed to protect it went on the rampage. “Dog chews its way through Elvis’ £40,000 teddy.” Photo, “Elvis With Teddy Bear” is not the bear that was destroyed, but is a better picture. Thanks Nicko!


RFID Passport Security Clarified

Not that it needed clarification. RFID passports have been a boondoggle without a purpose for a long time. It’s been clear that they make us less secure. Now it turns out they can be easily cloned: German computer security consultant has shown that he can clone the electronic passports that the United States and other […]


Metricon 1.0

Yesterday at Metricon, Gunnar Peterson felt a need to mock me over not blogging from the conference. I really enjoyed Metricon. There was a lot of good discussion, and because Dan Geer took extensive notes, I didn’t have to. I was able to pay attention and consider the talks as I heard them. Gunnar, however, […]


Macintosh Genuine Advantage™

See “Mac OS X Server Firewall Serial Hole:” …What they haven’t noticed yet is Mac OS X Server 10.4 overrides an explicit administrator firewall security setting to keep its copy protection functional. OSXS 10.4’s “Server Admin” lists “Serial Number Support” on UDP port 626 under its firewall pane, with an option to turn it off. […]


So, this, ummm, friend of mine, umm has a problem with security

In a comment on “Drowning In Notices,” Phill Hallam-Baker writes: My concern was that if the warning notices become too familiar they lose their impact. It might not just be the case people get blasé about seeing them, they might lose their embarrassment in sending them. I don’t think people should be more embarrassed about […]


Anyone Can Be An Expert, All It Takes Is…

In “More Thoughts On Blogging,” Richard wrote about the upsides and downsides: The upside, there’s great information, the downside, there’s more to sift through. It feels to me, before I run to Metricon, that that’s exactly the value: The filters are in everyone’s hands. You do have to look at more, but in doing so, […]


More thoughts on blogging

Thanks for the kind introduction Adam. This has been an interesting summer as I reach out to various security bloggers. I hope my “Meet The Bloggers” podcast series will help people to get to know the various “personalities” out there. We are an interesting bunch. The one question I have for everyone, bloggers and blog […]


The Down Side of "Strong" Authentication

Brad Stone has a great article in Wired about his car being stolen and the insurance company insisting that he must be lying because he still had all of his fancy RFID enabled keys. This assumption that the security system is perfect is going to continue to bite consumers especially as banks move to two-factor […]


Don’t Cross the Streams?

So this week I’m off to Metricon and Usenix Security. Many of my co-workers are off (to present an entire track) at Blackhat. What I find really interesting is that there are these two separate streams of security research, one academic and one hacker, in the most positive sense of the word. Both have produced […]


Introducing Richard Stiennon

I’m pleased to introduce the Jazz Combo’s first actual rocket scientist guest blogger, Richard Stiennon. Before founding IT Harvest, a startup dedicated to re-inventing IT research, Richard worked at Gartner and PriceWaterHouseCoopers. He usually blogs at Threat Chaos, and was kind enough to feature Chris and me as his first podcast, in Meet The Security […]


Drowning in Notices?

In “Access controlled by a password,” Phillip Hallam-Baker writes: It probably makes sense to have an exception of this type in the first instance when the law is enacted. Otherwise we may well drown in privacy disclosure notices. I must say, I don’t get this objection. Does it apply to any other bit of information […]


Yet Another Coding Standard?

Over at Matasano, Tom Ptacek skewers the new CERT Secure Programming Standard by asking: Do We Need an ISO Secure Coding Standard?. The entire article is well worth reading, but it sums up nicely with this: There are already a myriad of good sources of information about secure programming, including books targeted specifically to developers […]


Indiana's Breach Law

Indiana’s breach notification law went into effect on July 1, 2006. An excerpt relevant to the “lost laptop” phenomenon: Sec. 2. (a) As used in this chapter, “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a state or local […]


DHS Has Nothing Better To Do, Apparently

A federal Department of Homeland Security agent passed along information about student protests against military recruiters at UC Berkeley and UC Santa Cruz, landing the demonstrations on a database tracking foreign terrorism, according to government documents released Tuesday. From San Francisco Chronicle, “Terror database tracks UC protests U.S. agent reported on ’05 rallies against military […]


Return on (Other People’s) Investment

‘The Australian’ has a great story on “Focus key to crack money-laundering.” It’s focused on the testimony of a British expert on “money laundering” and includes: Last year, British banks, accountants and lawyers made some 200,000 reports to the authorities. But in the three years since Britain’s law was implemented, there had been only one […]


It's Getting Worse All The Time?

So there’s a post over at F-Secure’s blog: There’s a growing trend here. We’ve been saying for some time that the lack of large virus outbreaks is evidence that the malware environment could be getting worse, not better. The bad guys want to make money – not make attention. So as a malware author, if […]


On Provable Security

Eric Rescorla writes: Koblitz and Menezes are at it again. Back in 2004, they published Another Look at “Provable Security” arguing that the reduction proofs that are de rigueur for new cryptosystems don’t add much security value. (See here for a summary.) Last week, K&M returned to the topic with Another Look at “Provable Security” […]


Sky Marshalls Have Suspicious Behavior Quotas?

The air marshals, whose identities are being concealed, told 7NEWS that they’re required to submit at least one report a month. If they don’t, there’s no raise, no bonus, no awards and no special assignments. Even better, the people who are “suspicious” are put into secret databases with no way to find out why their […]


I don't know if this or the 'White Pages' breach is worse

Via America’s Finest News Source: Postmaster General Loses Laptop; Zip-Code Data Of Millions At Risk July 25, 2006 | Issue 42•30 WASHINGTON, DC—The U.S. Postal Service has confirmed that a laptop computer issued to Postmaster General John Potter and containing the zip-code information of over 280 million Americans was allegedly left in a taxicab Monday […]


"Privacy" International

As mentioned by Ben Laurie, Simon Davies, the Director of Privacy International, was quoted in IT Week’s Will industry rescue the identity card? as saying: “I’ve believed for some months that a ‘white knight’ consortium from industry is needed,” Davies said. “Companies that can see the benefits of the ID card idea should approach the […]


Fu-Sec, Dunbar Numbers, and Success Catastrophes

In “I Smell a Movement,” Chris talks about the City-sec movement, of security people getting together for beer, and about groups like ISSA. So the question I’d like to ask is why do these groups keep emerging so chaotically? Why can’t the extant groups, usually formed for the same reasons, succeed? I think there are […]


Usable Security: SOUPS Blog posts

There are about twenty good posts talking about the Symposium on Usable Security and Privacy (SOUPS) over at Ka-Ping Yee’s Usable Security blog. If you’re reading this in the archives, start here and go forward, or here and go back. Some favorites: How will the scourge really be killed? (Panel) Decision Strategies and Susceptibility to […]


Security, Privacy and A Digression into Copyrights

(Via Caspar and Nicko.) I hesitated before posting this. I’m pretty sure it’s a Dr. Fun cartoon, but the jerks in “my confined space” have obscured the signature. I try hard to attribute all the images I use here. I’ve given credit to Galerie which we use to produce the frames. (They even added a […]


Are You Human or Not?

A reader who wants to remain anonymous points us to “Another CAPTCHA — But I failed (partly)” and “” I cracked up when I saw this. It uses “the hotornot API” (Web 2.0 is getting out of hand!) to offer up pictures of nine women (or men) and asks you to prove you’re human by […]


Meet the Bugles

Check out Bugle, a collection of Google searches that look for known general classes of vulnerabilities in source code, such as buffer overflows and format string issues. The list is far from complete and is no replacement for real static analysis, but it should get you a lot of low-hanging fruit. [Via FIRST News.]


I smell a movement

No, not that kind, silly. I just read over at Bejtlich’s blog, that he has decided to start NoVA Sec, having been inspired by Chisec, which was begun by Matasano honcho Thomas Ptacek. ChiSec is fun, and has been rapidly imitated by other Matasano folks, yielding Seasec and NYsec (I’m hoping it will go next […]


Greed is Gummy

Wiedmaier over at Flickr has a series of the “seven deadly sins” shot with gummy bears. Who knew sinning could be so cavity-forming? Aside from gluttony, of course. [via Slashfood]


Church 2.0

Check out Benjamin Sternke’s “Church 2.0: Emergence/Chaos theory.” It’s an interesting examination of how churches need to evolve to respond to a different type of parishioner: Church 2.0 will leave room for the Holy Spirit in its planning and structuring and strategizing. She’ll leave room for happy accidents to emerge. She’ll be patient with chaos, […]


Buggy Advice from Adam

So in the “Code Review Guidelines” which I wrote a long time back, I quote a bit of code by Peter Gutmann, on how to open a file securely. Last week, Ilja van Sprundel got in touch with me, and said that the lstat/open/fstat chain is insecure, because you can recycle inodes by creating a […]


ACLU: Feds snooping on Fedwire?

A press release describes a FOIA request seeking info on governmental surveillance of Fedwire, among other programs. This would be troubling. It is difficult to overstate the extent to which the Federal Reserve System values its reputation for ethical behavior and fair play. A reputation, I might add, that based on my observations it deserves.


We Have A Favicon!

Because Emergent Chaos cares about your privacy, we employ industry standard measures to protect the security of our site, and convince you to provide us with personal data we don’t need, which we shall carelessly sling around. Our compliance is monitored by Ernst and Young, we ship backups via UPS to Iron Mountain, and our […]


Actual Data Sharing!

Cruising through my blogroll this morning over the morning coffee, I came across an article from BeyondSecurity, which walks through a forensics analysis of an ongoing security incident. This is a good read and it’s great to see folks in the industry talking about what they actually do and how they do it. Thanks […]


SMS to Email?

I’m looking for a service that will give me a US phone number capable of accepting SMS messages, and forwarding those messages to an email account. I’m happy to pay for the service, but my searches have come up blank. I don’t want a service where the user has to add the destination email manually. […]


Job Hunting for Security Executives

Like everyone, there comes a time in every CSO’s career where they need to look for a new job. I’ve reached that point in my career and in looking around, I’ve run into several challenges. The first problem I’ve found is that there are a lot of different titles for the person who owns all […]


North Carolina is in the club

From North Carolina’s breach notification law, which took effect on December 1, 2005: (f) In the event a business provides notice to more than 1,000 persons at one time pursuant to this section, the business shall notify, without unreasonable delay, the Consumer Protection Division of the Attorney General’s Office and all consumer reporting agencies that […]


Choicepoint Spins off 3 Businesses

From their press release: ALPHARETTA, Ga., July 10 /PRNewswire-FirstCall/ — ChoicePoint (NYSE: CPS – News) today announced its intent to divest various businesses resulting from its company-wide strategic review. The previously disclosed review process resulted in the company adopting a new strategic focus on helping customers manage economic or physical risks, as well as the […]


gcc -Wall -WeReallyMeanIt

Following up on a problem I mentioned long ago, (“Ranum on the Root of the Problem“) that gcc’s -Wall doesn’t actually run all the analysis it could. Apple has a great page “Improving Your Software With Xcode and Static Analysis Techniques” (I believe that this is a mirror of that page, see section 5) that […]


A Few More Thoughts on Disclosure

Reading Arthur’s “What Me Data Share?” and Chris’ “CSI/FBI Survey considered harmful,” I realized that what they’re discussing may not be common knowledge. I also realized that my posts about how valuable disclosure laws are assumed that everyone knows what Chris and Arthur said, and that ain’t so. The lack of information sharing that plagues […]


What Me Data Share?

I completely have to support Chris in his analysis of the latest CSI/FBI Survey. He sums it up nicely with: “there is no reason to give this survey any credence.” The survey does an excellent job of highlighting a general problem within the security industry, the sharing of data. If we’re to make real progress […]


CSI/FBI Survey considered harmful

The latest 2006 CSI-FBI Computer Crime and Security Survey has been released. Already, it is making waves, as it does each year. I want to simply state that there is no reason to give this survey any credence. The survey instrument is sent only to CSI members. This time, it was sent to 5,000 of […]


In every dream home, a heartache

Barry Ritholtz, an NYC hedge fund manager, blogs about a WSJ story. The gist: On Sept. 21, 2001, rescuers dug through the smoldering remains of the World Trade Center. Across town, families buried two firefighters found a week earlier. At Fort Drum, on the edge of New York’s Adirondacks, soldiers readied for deployment halfway across […]


With the Advice and Consent of The Blogosphere?

So I’ve been too busy to blog the Specter bill, but the quality of analysis that’s been applied to Specter’s “Judicial Review” for Spying On Americans bill has been really astounding. Early reports in (say) the Washington Post were really positive, saying that the bill was quite a positive development. Then legal bloggers got […]


Becoming More Straight-Laced

Shoelaces got you down? Constantly tripping over your own laces? Your bows off kilter? Everything you could possibly want to know about shoelaces, courtesy of Ian’s Shoelace Site.


Skype reverse-engineered?

According to Charlie Paglee, Skype has been cracked, and a compatible client implemented. This promises to have wide ramifications, about which Charlie writes at length.


The "Box Switching" Game

I have two boxes. Each has some positive amount of money in it, but I will give you no information about the possible dollar amounts other than the fact that one box has exactly twice the amount of money in it as the other. You randomly select one of the two boxes, open it, and […]


ThreatChaos Podcast Featuring Emergent Chaos

This week marks the first installment of a series of podcasts I am producing called “Meet The Security Bloggers”. I asked Adam Shostack and Chris Walsh to be the guinea pigs for the first one and it turned out really well. These guys write for EmergentChaos, a blog that Adam started. When he got it […]


Belated happy birthday

…to the United States’ Freedom of Information Act, a national law signed on July 4, 1966, by a reluctant Lyndon Johnson, after having been championed by U.S. Representative John Moss.


New rules, you say?

Vystar Credit Union was hit by “hackers”, who obtained personal info on 10% or so of their 334,000 customers. The information included “names, addresses, social security numbers, birth dates, mothers’ maiden names and e-mail addresses”, according to the report. Credit union CEO Terry West took a rather old school approach: West said the company noticed the […]


Well, He Had Valid ID (Houston Edition)

Houston police and the federal Transportation Security Administration disagree over who is responsible for allowing a man with what appeared to be bomb components board an aircraft at Hobby Airport last week. Although the FBI eventually cleared the man of wrongdoing, police officials have transferred the officer involved and are investigating the incident while insisting […]


Debian CVS server compromised

Here’s news of a breach that (I presume) involved no PII, but which could be significant. I wrote about a previous Debian breach back in December, 2003. I hadn’t realized it had been so long! Update: Local vuln used to elevate privs. Local access gained due to weak developer password. Details here.


Spying As a "Lifestyle Choice"

“The Plot to Hijack Your Computer” in Business Week lays out some of the history of “Direct Revenue,” a spyware company whose products are so beloved of their customers that DR receives regular death threats. Cryptome presents an excerpt from a complaint in a lawsuit against AT&T, claiming that “NSA/AT&T Spying Began 8 Months before […]


Bye, Syd

Syd Barrett has died.


UK ID Cards Dead?

Via Charlie Stross we learn that the Sunday Times reports, “ID cards doomed, say officials:” TONY BLAIR’S flagship identity cards scheme is set to fail and may not be introduced for a generation, according to leaked Whitehall e-mails from the senior officials responsible for the multi-billion-pound project. … [Peter Smith, acting commercial director at the […]


And Yet, It Transmits!

Ian Goldberg likes to state Kerckhoffs’ principle as “The security of a system shouldn’t rely on anything that’s hard to change.” So it is with deep amusement that I report on what’s probably one of the hardest to change systems out there. And I do mean out there: 23,222 km out there. Let me back […]


Human Powered Blender

Nothing says “prepared for power outages” at your summer parties like a human powered blender, so you can crush all that ice into frothy goodness before it melts. And thanks to the wonders of capitalism, now you don’t have to build your own. (Follow the picture to go to their site.)



People whine about Sarbanes-Oxley as if it were government accountants with a sense of neither humor nor proportion watching everything an executive does, 24/7. Thing is, much of the actual regulation is courtesy of the Public Company Accounting Oversight Board, a private corporation. My hat is off to the accounting profession, which successfully met an […]


DOD Monitoring of Students Extended to Email

The Department of Defense monitored e-mail messages from college students who were planning protests against the war in Iraq and against the military’s “don’t ask, don’t tell” policy against gay and lesbian members of the armed forces, according to surveillance reports released last month. While the department had previously acknowledged monitoring protests on campuses as […]


What Choicepoint Learned

Another new measure: ChoicePoint this month created a security advisory committee comprised of DiBattiste, the company’s CIO, head of internal audit, the chief business officer, chief marketing officer, chief administrative officer and general counsel. The group meets regularly “to ensure we’re hitting every aspect of security and privacy,” says DiBattiste. “One of the lessons we […]


Do Lost Computers Matter?

Over at Concurring Opinions, Dan Filler asks a question that a lot of people are asking: We have seen several stories, recently, about lost or stolen laptops containing troves of private data. These incidents do introduce a risk that the data will be converted to improper uses – most obviously identity fraud – but I […]


Chivalry isn't dead

Regarding the theft of Coca Cola intellectual property and its attempted sale to arch-rival Pepsico, we learn PepsiCo was offered a new product sample and confidential documents in May, in a letter from someone calling himself ‘Dirk’. But instead of taking the bait it tipped off Coca-Cola, which brought in the FBI. […] Coca-Cola’s chairman […]


Does Lost Data Matter?

At WEIS last week, Allan Friedman presented “Is There a Cost to Privacy Breaches? An Event Study.” The study looked at the effect of a privacy breach on stock value, and roughly concluded that it doesn’t do any harm to the shareholders after a few days. Tom Espiner of ZDNet has an article that explains […]


Never Say Never

Over at Security Incite, Mike Rothman discusses the recovery of the VA laptop: In other good news, they found the missing VA laptop, evidently with all the data intact. That really is great news, but I guess we’ll never get to test Adam Shostack’s contention (link here) that identity thieves could get to all 26 […]


Hamdan Analysis

On the plane home from England, I watched V for Vendetta. (If you haven’t seen it, the basic story is that terror attacks turn England into a police state, and a masked freedom fighter terrorist blows things up and kills people and makes it all better. Oh, he plays with Natalie Portman’s head, too. […]


In Congress Assembled, July 4, 1776

In CONGRESS, July 4, 1776 The unanimous Declaration of the thirteen united States of America, When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which […]


Sorry for not posting this earlier…

…but my internet tube was flooded. If you want to know what the heck that means, the good folks at 27B Stroke 6 (easily the best blog name I’ve seen this year), provide the details. The short and sweet is that U.S. senator Ted Stevens ain’t exactly Vint Cerf: I just the other day got, […]


Innovation, Emerging From Chaos

Following up on Friday’s internet innovation post, I’d like to clarify a few things: First, net neutrality is about regulating a set of regulated monopolies, whose services and profits are protected by the state against new entrants. The regulatory apparatus has fairly clearly been captured by the regulated. The discussion about larger packets misses the […]


Flippin' sweet!

Maybe IBM does have a sense of humor. “Knock it off, Napoleon! Just make yourself a dang quesa-dilluh!”. This phrase, from the movie Napoleon Dynamite, is the cipher key IBM are using to publish encrypted XML at this year’s Wimbledon grand slam. But is this a rather glaring lapse in security, or simply an anticipatory […]


"Internet isolationism is bad for business"

Dan Kaminsky has a good essay on internet isolationism, which is his name for the opposite of net neutrality. It starts: Oh, sure, there’s UPS and DHL and the US Postal Service. But imagine if they were all proposing that, because people make money based on the contents of packages other people shipped, that they […]


Questions about 'Ignoring The "Great Firewall of China"'

Later today at the Privacy Enhancing Technologies workshop, Richard Clayton will be presenting a talk on “Ignoring the Great Firewall of China.” I’ll be the ‘session chair’ for the session, which usually means I make sure the speaker is in the room, has some slides on a computer, and knows how much time they […]


Indistinguishable from magic

The press release you won’t see. For Immediate Release CATAWBA COUNTY SCHOOL SYSTEM, June 26 — The Catawba County Public School System (NC) announced today that district web site administrators have remedied a configuration error which accidentally resulted in the social security numbers and names of several hundred students being made available via the popular […]


I’m Joining Microsoft

I’m very pleased to announce that I’ve accepted a position with Microsoft. I’ll talk in a bit about the work I’ll be doing, but before I do, I’d like to talk a bit about the journey that’s brought me here, and the change I’ve seen in Microsoft that makes me feel really good about this […]


More on Risk Tolerance

There’s a number of good comments on “Risk Appetite or Volatility Appetite,” and I’d like to respond to two of the themes. The first is “risk appetite is an industry-standard term.” I don’t dispute this. I do question if I should care. On the one hand, terms that an industry picks up and uses tend […]


Breach Roundup: 6/17 – 6/24

This week’s roundup is large. Rather than push other newish posts off the bottom of most people’s screens, it has been deemed preferable to prepend this introductory paragraph, at the bottom of which readers may elect to see more.


Proud Comments About Bank Spying

Over at the Counterterrorism Blog, Dennis Lormel writes “Initial Comments about Terrorist Financing and “The One Percent Doctrine”” and “U.S. Government Terrorist Financing Initiative Involving SWIFT:” …I was in the FBI in a leadership role responsible for terrorist financing. Immediately after 9/11, we realized we had to develop financial investigative methodologies different than anything we […]


Gartner to Google: Learn to read minds

Concerning a school district which misconfigured its web server and wound up posting student social security numbers for all — including Google’s spiders — to see, Gartner’s Avivah Litan weighs in: They say the Internet is free and open, and you can’t stop them,” Litan said. “But they ought to scrutinize some of the content […]


SWIFT spies

The United States Treasury Department has had secret access to records maintained as part of the SWIFT system, which it has been using secretly for years to identify financial ties to terrorist entities. The Washington Post has more.


The FBI's Use of Data Brokers

Although the federal government and local law enforcement agencies nationwide use private data brokers, the FBI said that practices used by these companies to gather private phone records without warrants or subpoenas is illegal, according to an Associated Press article on A senior FBI lawyer, Elaine N. Lammert, told lawmakers the bureau was still […]


Presentations and the Web

It’s easy to put presentations on the web, just like it’s easy to create them. Neither is easy to do well. I’d like to talk not only about good slide creation, but how to distribute a presentation in a useful way. It’s not easy to create good presentations, even when you have good content. Simson […]


Adam Travel Plans: Cambridge, England

June 26-July 1, I’ll be at the Workshop on Economics of Information Security, and then Privacy Enhancing Technologies next week. Mindless ranting on the blog will be replaced by mindless ranting over beer.


Risk Appetite or Volatility Appetite?

Over at “Not Bad For A Cubicle,” Thurston (who is always worth reading) manages to tickle a pet-peeve of mine in “A super-size risk appetite?” No rational business has a risk appetite. They accept risk. They may even buy risk in fairly explicit ways (some financial derivatives) if they think that those risks are mis-priced […]


Responsible Transparency?

Over at the ncircle blog, Mike Murray* takes me to task for advocating transparency, and argues for “Responsibility and Disclosure.” His argument is solid: We’ve had a “responsible disclosure” debate in the vulnerability research community for a whole lot of years – the point is simply that, while disclosure forces everyone to be responsible, sometimes, […]


The "Privacy-Enhanced Data Mining" Trap

The Associated Press pushed a story to the wires about the Data Surveillance workshop which I’d mentioned a while back: As new disclosures mount about government surveillance programs, computer science researchers hope to wade into the fray by enabling data mining that also protects individual privacy. Largely by employing the head-spinning principles of cryptography, the […]


Background Checks for Chemists, Too?

Is something a little off balance when we background check people trying to learn about computer security, but not chemists or nucular physicists?


Metricon: The Agenda

Andrew Jaquith has posted the Metricon Agenda. We had a lot of good papers, and couldn’t accept them all. (We’ll provide, umm, numbers, at the workshop.) If you’ve submitted a paper, you should have heard back by now. Thanks to all the submitters, and we look forward to seeing you at the workshop.


Happy Juneteenth!

I’m deeply in favor of holidays which celebrate freedom. We need more of them. Juneteenth, also known as Freedom Day or Emancipation Day, is an annual holiday in the United States. Celebrated on June 19, it commemorates the announcement of the abolition of slavery in Texas. The holiday originated in Galveston, Texas; for more than […]


Men Without Pants

To protect the rights of the official beer they were denied entry, so the male fans promptly removed the trousers and watched the game in underpants. The BBC asserts that up to 1,000 fans were told to strip off their orange pants in “Fans Lose Trousers to Gain Entry.” Markus Siegler, the control-freak in charge […]


Remembering the Maine

From Maine’s Public Law, Chapter 583, passed April 2006: Sec. 9. 10 MRSA §1348, sub-§5, as enacted by PL 2005, c. 379, §1 and affected by §4, is amended to read: 5 . Notification to state regulators. When notice of a breach of the security of the system is required under subsection 1, the information […]


Scottish and Procedural Liberty

In “Scots Crush Cars Over ‘Document Offenses,’” Rogier van Bakel writes about bad new UK law: Now cars can be seized and crushed if document offences are detected — and the region’s top police officer said yesterday a “clear message” is being sent to would-be offenders. … Tough new powers in the Serious Organised Crime […]


Avant-Garde: A game for three players

(From Bram Cohen and Nick Mathewson.) The players are three reclusive artists. Their real names are Anaïs, Benoît, and Camille, but they sign their works as “A,” “B,” and “C” respectively in order to cultivate an aura of mystery. Every week, each artist paints a new work in one of two styles: X and Y. […]


Breach Roundup

Expedia/Ernst & Young, 250,000 CC, Lost Laptop. Ed Hasbrouck has a great analysis of Expedia’s privacy policy at “Expedia auditors lose laptop with customer credit card numbers.” Japanese Telco KDDI, 4million names, address, phone numbers, mechanism unknown. “KDDI Suffers Massive Data Leak.” Why is a Japanese telco owning up? New expectations. AIG (American Insurance Group), […]


Breach Roundup: "We’re From The Government" Edition

State of Colorado, 150,000 voter records, “missing.” “Records for 150,000 Colo. voters missing,” via Dataloss. State of Oregon, 2,200 tax records, ex-employee getting trojan’d by a porn site. “State says taxpayer files may have been compromised.” AP via dataloss. Minnesota State Auditor, numbers for an unknown number of state and local employees, stolen laptops. “3 laptops […]


Breach Quickies

Well, now that America’s Finest News Source is getting into breach coverage, I guess I can move on. See “ Information Stolen” in the Onion. Also, Nick Owen has some good analysis of the Ohio State comedy of errors in “Repercussions of data loss at Ohio University.” I’m hoping Chris will cover the N+1 Ohio […]


There Will Be No Privacy Chernobyl

Ed Felten asks: What would be the Exxon Valdez of privacy? I’m not sure. I don’t think it will just be a loss of money — Scott explained why it won’t be many small losses, and it’s hard to imagine a large loss where the privacy harm doesn’t seem incidental. So it will have to […]


The New Transparency Imperative

…in the incident last September, somewhat similar to recent problems at the Veterans Affairs Department, senior officials were informed only two days ago, officials told a congressional hearing Friday. None of the victims was notified, they said. … “That’s hogwash,” Rep. Joe Barton, chairman of the Energy and Commerce Committee, told Brooks. “You report directly […]


Dear News Media,

Recently, you had a very interesting story on your web site. I left a browser tab open, so I could read it on the plane. But your very interesting story meta-refreshed itself so you could serve me more ads. Then the airport’s wireless portal showed up, and it stopped refreshing. And I couldn’t read your […]


Boycott Sivacracy!

I have a proposal for all British and American faculty who care about global justice: Please boycott me. Siva Vaidhyanathan asks that we boycott him in “A Modest Proposal: Boycott me.” I think it’s the best response I’ve seen to the British boycott of Israeli academics.



A merchant is going to feel some pain from the FTC. Visa and MC are going to look bad for not talking about who this merchant is. Jun. 8–Federal officials cannot disclose what national merchant or merchants were involved in a recent debit card security breach that spurred at least two local banks to reissue […]


80% of Active Duty Military, 2.2 million SSNs

Social Security numbers and other personal information for as many as 2.2 million U.S. military personnel — including nearly 80 percent of the active-duty force — were among the data stolen from the home of a Department of Veterans Affairs analyst last month, federal officials said yesterday, raising concerns about national security as well as […]


Medical "Privacy" "Law"

Pop quiz time! What do you call a set of regulations that the government won’t enforce? HIPAA. In the three years since Americans gained federal protection for their private medical information, the Bush administration has received [nearly 20,000] complaints alleging violations but has not imposed a single civil fine and has prosecuted just two criminal […]


Is encryption worth it?

Gartner’s Avivah Litan says it’s better to spend money on encryption than on cleaning up after a data breach, according to a news report on her recent testimony before the US Senate. The problem? Gartner’s method in researching this claim, as best I can tell, relies on looking at a few high-profile cases. Sure, if […]


Volcano From Space

Don’t miss this stunning picture of the Cleveland volcano, in the Alaskan Aleutian Islands. You can click for the larger original at Astronomy Picture of the Day:


Breach Roundup

Where two organizations are implicated, the first is the one which collected the data, the second is the one that lost it. Texas Guaranteed Student Loan/Hummingbird, 1.3m SSNs, “lost equipment.” “Toronto firm at centre of security breach.” Ernst and Young, 243,000 credit cards, lost laptop. “ customer info may be at risk” […]


How Damaging is a Breach?

Pete Lindstrom is looking at an important set of questions: How likely is it that a given breach will result in harm to a person? What’s the baseline risk? Data is nonexistent on these questions, which means we get to throw around our pet theories. For example, we know of 800 ID thefts from the […]


Jurisdiction as Property

Nick Szabo has a fascinating article on “Jurisdiction as property and peer-to-peer government.” I’m not going to attempt to summarize it, but will simply quote the opening: Modern civics and political science is often taught as an absurd dichotomy: that government is a “monopoly over the use of force” and that the absence of government […]


Small Bits of Chaos

“Los Angeles Consumers File Class Action Lawsuit Against Used-Car Dealer Drive Time For Allegedly Leaking Their Private Financial Information to Unauthorized Third Parties.” “Down To Business: Time To Get Tough On Security Slackers” Rob Preston in Information Week, “Perhaps if the VA secretary faced personal fines or jail time for that foot dragging, those security […]


The Persistence of SSNs, and The Persistence of Thieves

Pete Lindstrom, who knows a good phrase when he reads one, puts forward the claim that the theft of veterans’ SSNs doesn’t put them at increased risk of fraud. His basic argument is that there are a lot of people out there with access to lots of SSNs, and monetizing an SSN takes effort. He’s right. […]


Why Johnny Can’t Precipitate

There’s a great story in Wired “Don’t Try This at Home,” about how our obsessions with terrorism and safety have destroyed the ability of our children to learn chemistry: The chemophobia that’s put a damper on home science has also invaded America’s classrooms, where hands-on labs are being replaced by liability-proof teacher demonstrations with the […]


ID Theft and the 18-24 Set

Matt Rose has an interesting post, “What is Higher Education’s Role in Regards to ID Theft?:” A recent study by the US Justice Department notes that households headed by individuals between the ages of 18 and 24 are the most likely to experience identity theft. The report does not investigate why this age group is […]


EU Courts Rule Against PNR Sharing with USA

The European Court has ruled the US/EU treaty on data sharing around air travelers is not legal. (I’m not saying “about air travelers” because I read Ed Hasbrouck, and thus know that PNRs contain data on more than just the travelers.) That’s not why I’m posting. I’m posting because of this choice quote from the […]


Words of Wisdom

We live in a society of laws. Why do you think I took you to all those “Police Academy” movies? For fun? Well, I didn’t hear anybody laughin’, did you? — Homer Simpson, “Marge Be Not Proud”


(Adam In Seattle)

I’m in Seattle this week for some work-related stuff, and have some free evenings. If you’re in Seattle and would like to get together, drop me a note.


The SSN Is Also A Poor Identifier

There’s an idea floating around that a major problem with SSNs is their dual use as identifiers and authenticators. (For example, Jeremy Epstein, “Misunderstanding the risks of SSNs,” in RISKS-24.29) This is correct, but the phraseology leads to people trying to solve the problem by saying “if we just used SSNs as ID numbers, and […]


Maybe they can borrow a few million from the IRS

[T]he VA’s inspector general, George Opfer, said that the agency had been unable to formally notify the affected veterans because “we don’t have 26 million envelopes.” via the Bradenton Herald Now that the funny part is out of the way… Asked the cost for preventing and covering potential losses from identity theft, [VA Secretary] Nicholson […]


Compartmentalization of Identity

Kim Cameron has a post, “IBM Researcher Slams UK Identity Card Scheme” in which he writes: He couldn’t be more right. My central “aha” in studying the British government’s proposal was that the natural contextual specialization of everyday life is healthy and protective of the structure of our social systems, and this should be reflected […]


Jangl, Private Phone Numbers

SiliconBeat has a story, “Jangl’s new angle on phone calling:” Jangl is a new phone service that, initially anyway, will allow people to anonymize their phone numbers the same way they can their email addresses when posting on places such as craigslist. When you sign up with Jangl, you get access to disposable phone numbers […]


Illinois credit freeze now law

Public Law 094-0799 now allows Illinois residents to have a freeze applied to their credit reports. The maximum fee (not applicable to those 65 and over) is $10.00. The law, according to a press release from the governor’s office, takes effect January 1, 2006. Look for other states to continue to pile on, now that […]


Sign Design

I came across this sign while I was attending a software design methodology course at an IBM building in London. After wondering several times why each time I tried to go to the toilets I ended up in the restaurant, I looked carefully at the sign. Which way would you go at a glance? Which […]


A small, but hopeful sign in state breach legislation

A bill sits on Illinois governor Rod Blagojevich’s desk. If he signs it, Illinois will take a step toward meaningful central reporting of breach notifications: (815 ILCS 530/25 new) Sec. 25. Annual reporting. Any State agency that collects personal data and has had a breach of security of the system data […]


Marketing Privacy as a Feature

Paxx Telecom has issued a press release that they’ll hand over records only when given a court order: The recent revelation first made by USA Today that the National Security Agency (NSA) has been commandeering phone records of tens of millions of ordinary Americans has shocked those who cherish their privacy and do not agree […]


Never say die?

I’m not sure what to expect out of this story of a guy who, left behind in a crazed state and presumed to have died, overnighted above 8000 meters on Everest and was found alive the next day, prompting a rescue effort expected to take three days. (Note that this is a different climber from […]


Make that 12% of Adults

Rob Lemos convinces me that the better number is “One in 8 (or 9) Americans.” I buy his statement as long as we discuss adults, rather than Americans. Kids are at risk from ID theft, too, even if this incident doesn’t touch them. (Assuming none of the vets has an overlapping SSN, a stolen SSN, […]



8.9% of Americans are at increased risk for ID theft due to that fellow at the veterans administration. Wow. Sure, the 13% at risk for account take-over from Cardsystems was bad, but that was just credit cards. This is about the databases that control our lives. This is horrendous. Maybe we’ll get some better laws […]


"Encryption is hard, let's go shopping!"

On upcoming changes to the Payment Card Industry Data Security Standard: “Today, the requirement is to make all information unreadable wherever it is stored,” Maxwell said. But this encryption requirement is causing so much trouble for merchants that credit card companies are having trouble dealing with requests for alternative measures, he said. In response, changes […]


Voting Registration Fraud

One of the motivators often discussed for voter ID card requirements is voter registration fraud. I believe that ID card requirements are like poll taxes, and are not justified. I believe that they’re not justified even if they’re free, because of personal privacy concerns, regarding addresses. You know, like Gretchen Ferderbar had before her 911 […]


Sitting on the Fence

Last week Dan Gillmor talked about Verisign’s monopoly wishes, stating: This deal would be great for VeriSign, but terrible for the marketplace. It would consolidate one company’s control over an essential part of the Internet infrastructure. Is the sky falling? I don’t think so. This sounds a whole lot like before GeoTrust was launched. GeoTrust […]


Blogrolling Kim Cameron

I’ve added Kim Cameron’s Identity Blog to the blogroll. There’s a great post “Inebriation and the Laws of Identity” about what happens to you when you’re not firm and resolved about when you hand over your ID. Hint to Paul Toal: The data is used for fraud prevention, and will stay in their databases forever. […]


The Human Element

In one of the soon-to-be countless articles about the VA Incident, Network World’s Ellen Messmer writes: The sad irony in all this is that there are many at the VA who have worked hard to design and install network-based security. But in the “multiple layers of security” everyone is so fond of discussing, the human […]


Counting In Background Checks

There’s some fascinating presentation of numbers in the BBC’s “Criminal records mix-up uncovered:” Education Secretary Alan Johnson told the BBC only 0.03% of the nine million “disclosures” the agency makes had been wrong, so the issue had to be put “into context”. He is so right! Let’s put those numbers in context, shall we? The […]


Restaurant Recommendation: Queen Sheba, Seattle

Not only was the Ethiopian food at Queen Sheba quite good, but when I went back, they had my jacket, and my somewhat expensive camera was still in the pocket. Doubly recommended. Queen Sheba is at 916 East John St, a block from Broadway, 206-322-0852. Thanks to W. for introducing me. [Updated to fix spelling. […]


Vulnerability Markets: Under a Cloud

After some great conversation with Ryan Russell in the comments to “Economics of Vulnerabilities: Markets,” I saw Pascal Meunier’s “Reporting Vulnerabilities is for the Brave:” So, as a stubborn idealist I clashed with the detective by refusing to identify the student who had originally found the problem. I knew the student enough to vouch for […]


Personal Data on 26,500,000 Veterans Stolen (Including SSNs)

Personal data, including Social Security numbers of 26.5 million U.S. veterans, was stolen from a Veterans Affairs employee this month after he took the information home without authorization, the department said Monday. The material represents personal data of all living veterans who served and have been discharged since 1976, according to the department. The information […]


911 Dispatcher Kills Woman by Abusing Database

An emotionally disturbed 911 emergency dispatcher abused his access to the call center’s databases while tracking his ex-girlfriend and her new boyfriend before murdering both of them. See Declan McCullagh, “Police Blotter: 911 dispatcher misuses database, kills ex-girlfriend,” which covers the court case stemming from a 2003 shooting, described in “Job loss tied to fatal […]


Breach round-up

Ohio University I: On Friday, April 21, the FBI advised the Technology Transfer Department at Ohio University’s Innovation Center that a server containing office files had been compromised. Data on the server included e-mails, patent and intellectual property files, and 35 Social Security numbers associated with parking passes. Ohio University II: 300,000 alums and friends. […]


Homeland Security Privacy Office Slams RFID

Via Kim Cameron (“Homeland Security Privacy Office Slams RFID Technology“), I read about “The Use of RFID for Human Identification.” This is an important report. The money quote is useful because it comes out of DHS: Against these small incremental benefits of RFID are arrayed a large number of privacy concerns. RFID deployments’ digitally communicated […]


Dear TSA,

You’re incompetent. We don’t trust you. Please stop wasting our time. Love, El Al Israel Airlines. No, really. Ok. Maybe the quote isn’t precisely their words, but that’s the message. See “El Al wants to do its own bag screening at Newark airport.” (Via Gary Leff.)


ID Theft, meet IRS

One of the things that makes building secure products such a challenge is how hard people will work to steal. Clever criminals who come up with new attacks will spread them around. Today’s attacks often seem to center on identity. “Identity” seems to be hard-wired into our brains (or at least our society) as a […]


Economics of Vulnerabilities: Markets?

When I drew that picture for Don Marti, he suggested a market in software vulnerabilities. People who had invested in knowledge about a program could then buy or sell in that market. I think that the legal threats and uncertainties are probably sufficiently market-distorting to make such a market hard to operate and hard to […]


The French Chef Model Of Intellectual Property

For the week since Brad Feld published it, I’ve been trying to find something to enhance “Norms-based IP and French Chefs:” Norms-based IP systems are an alternative (or a complement) to legal based IP systems. The Case of French Chefs is a superb example of how this works. If you care a lot about IP […]


6th Workshop On Privacy Enhancing Technologies

We’ve announced the program for the 6th Workshop on Privacy Enhancing Technologies, and space is still available for registrants. The program is so cool that I’m not going to try to summarize it, but rather quote Kim Cameron (“SEE IF YOU CAN MAKE PET 2006“): Here’s one conference I definitely won’t miss. I’ve been lucky […]



Chickweed, thanks to Xeger.


President Bush Calls for National ID Card

[Bush] also proposed to cut back on potential fraud by creating an identification card system for foreign workers that would include digitized fingerprints. He said that a tamperproof identification card for workers would “leave employers with no excuse” for violating the law. Of course, that means the rest of us will need the cards, too, […]


The Internet Channel, at Risk

Lack of trust in online banking among U.S. consumers is a serious constraint because of doubts about banks’ security measures, according to eMarketer’s new report, “Online Banking: Remote Channels, Remote Relationships?” The result is a slowing rate of adoption, with online banking households increasing by only 3.1% in the last quarter of 2005 — the […]


An Apollo Program for our times

Teach Florida’s alligators to feed on sharks. Unfortunately, this would deprive CNN of much of its material, so they will oppose it strenuously.


US reporters under surveillance

Looks like the Bush administration is tracking reporters’ phone calls. Also, the FBI admits that it uses the Patriot Act to obtain journalists’ phone records in an attempt to determine to whom they have been speaking. Read more here and here, from an ABC News reporter who has received some “attention” from the government. Photo: […]


Economics of Vulnerabilities

Lately, I’ve been playing with an idea. Work by both Microsoft and certain open source projects has made finding and exploiting vulnerabilities in their code substantially harder. So, the effort needed to find a vulnerability has gone up. The effort needed to build a working exploit has gone up. Thus, the willingness of a vulnerability […]


Happy Mother’s Day!

“The NSA would like to remind everyone to call their mothers this Sunday. They need to calibrate their system.” (Quip from Bruce Schneier, poster by Tom Tomorrow, for RSA Data Security, at


That didn't take long

Verizon is facing a $5 billion lawsuit over its alleged law-breaking. The NYT reports today that this suit may actually involve as much as $50 billion in damage. Previously, a $20 billion suit had been filed regarding the aspects of the NSA program that had become publicly-known in December. Interestingly enough, when you don’t take […]


Two Minutes Hate: Choicepoint

This is: the snooping into your phone bill is just the snout of the pig of a strange, lucrative link-up between the Administration’s Homeland Security spy network and private companies operating beyond the reach of the laws meant to protect us from our government. You can call it the privatization of the FBI — though […]


Tip of the iceberg

A former intelligence officer for the National Security Agency said Thursday he plans to tell Senate staffers next week that unlawful activity occurred at the agency under the supervision of Gen. Michael Hayden beyond what has been publicly reported, while hinting that it might have involved the illegal use of space-based satellites and systems to […]


NSA Call Tracking Legality

There are times you just have to defer to the lawyers. So I shall. Orin Kerr, “Thoughts on the Legality of the Latest NSA Surveillance Program,” (his blog) then later, “More Thoughts on the Legality of the NSA Call Records Program” (at Volokh, it’s keeping him up at night!) and “How The Latest NSA Surveillance […]


DaveG On Apple Security Advisory

So if you have a Mac, you really want to open software update now. You can read about Apple Security Update 2006-0003 after you’ve installed it and the Quicktime patch. In “Apple Security Update RoundUp,” DaveG explains: So, in short, without the latest update, OS X is secure as long as you don’t look at […]



Because of the lack of proceedings, we have removed the no-dual-submission rule. That is, work submitted elsewhere is ok. Best: Submit a short position paper or description of work done/ongoing. Your submission must be no longer than five (5) paragraphs or presentation slides. Author names and affiliations should appear first in/on the submission. Submissions may be […]


Cell phone records market seemingly no longer important?

Massachusetts Congressman Ed Markey asks Dennis Hastert whether legislation protecting mobile phone users’ privacy has been sent to a “legislative ‘Guantanamo Bay’” in order to modify it so that intelligence gathering activities analogous to those affecting land lines would be unimpeded.


"NSA Has Massive Database of Americans’ Phone Calls"

The National Security Agency has been secretly collecting the phone call records of tens of millions of Americans, using data provided by AT&T, Verizon and BellSouth, people with direct knowledge of the arrangement told USA TODAY. The NSA program reaches into homes and businesses across the nation by amassing information about the calls of ordinary […]


Alberta Driving Law

Members of an Alberta Hutterite colony have won the right to carry driver’s licences that don’t carry their photographs. The Wilson Colony, near Coaldale, 12 kilometres east of Lethbridge, took the province to court after the government introduced a new licence that must have a driver’s photo on it. The colony argued in a Lethbridge […]


Data Surveillance Workshop

On June 3, 2006 Harvard University’s Center for Research on Computation and Society will hold a day-long workshop on Data Surveillance and Privacy Protection. Although there has been significant public attention to the civil liberties issues of data surveillance over the past few years, there has been little discussion of the actual techniques that could […]


Half Empty

I think Adam is too kind to Arizona’s new breach law. My issues have to do with how various elements of the law might be interpreted: “materially compromises”: Maybe I am reading too much Sarbanes-Oxley stuff and my sense of what constitutes materiality has been warped, but I would need to be reassured that this […]


Spammers Win? 6Apart Loses? TrackBacks are Off

To a first approximation, all inbound trackbacks here have been spam for a while. As such, they’ve been turned off, and I’ve now made that official by turning them off in the MT layer, so you should no longer see trackback URLs. I thought about this a while back in “Trackbacks vs. Technorati?”


Breach Notification, the New Normal, and a New Metaphor

Ever wonder if banks are required to tell customers when their systems are hacked? You may be shocked to learn that they are not. Wow. Fifteen months since Choicepoint, and that’s being written? There’s a new set of expectations out there, and it hasn’t taken long to set. Thank you, Choicepoint. The quote leads an […]


On "Feds' Watch List Eats Its Own"

Ryan Singel opens an excellent article, “Feds’ Watch List Eats Its Own,” with a pertinent question. The article is worth reading for its enumeration of how the watch list catches senior military and State Department officials, who also can’t get off the list. It opens: What do you say about an airline screening system that […]


Apple’s Message

Over at Security Curve, Ed Moyle has some good thoughts on “the Gigantic ‘Bull’s Eye’ on Apple’s Forehead:” Now, I don’t know about you but I haven’t seen this kind of hubris since Oracle’s “unbreakable” campaign. Remember that? I do. I remember that at one point in time, most researchers ignored Oracle and pretty much […]


Here’s to you, New York

I’ve mentioned before that other than New York, only New Jersey requires that security breaches involving personal identifying information be reported centrally. I hazarded a guess at the time that, unlike NY, NJ would not respond favorably to a freedom of information request for such records, because the mandated reporting is to the state police, […]



Oops. My bad, I’d turned off comments on a bunch of posts. I think it’s fixed.


Free At Last!

“The United States said on Friday it had flown five Chinese Muslim men who had been held at the Guantanamo Bay prison to resettle in Albania, declining to send them back to China because they might face persecution. The State Department said Albania accepted the five ethnic Uighurs — including two whose quest for freedom […]


Code Name: Miranda

I admit it, probably ten or more years ago I actually signed up for a supermarket affinity card. Of course, I promptly lost it during the great migration to the suburbs, and for a good while I would simply claim to have left it at home and the cashier would cheerfully use a “store card”, […]


Threat Modeling The Library

In a long interesting article in Wired on “The RFID Hacking Underground,” I came across this quote: While it may be hard to imagine why someone other than a determined vandal would take the trouble to change library tags, there are other instances where the small hassle could be worth big bucks. The article went […]


Thoughts on Metricon

I was talking to a CISO friend recently about Metricon, and encouraging him or his team to submit a paper. He told me about a concern, which was that it sounded like we’re looking for “how do we give indications so we can pat ourselves on the back,” or “how can we terrify execs?” He’d […]


The Costs of Torture

I usually try to cut down quotes. This essay by Siva Vaidhyanathan in Slate’s Altercation is worth quoting at length: I was wondering something. Maybe somebody could help me out here. Yesterday a federal jury decided appropriately that this country shall not execute Zacarias Moussaoui, a wanna-be-mass murderer who also happens to be a mentally […]


Han Shot First: DVDs, Debugged.

In response to overwhelming demand, Lucasfilm Ltd. and Twentieth Century Fox Home Entertainment will release attractively priced individual two-disc releases of Star Wars, The Empire Strikes Back and Return of the Jedi. Each release includes the 2004 digitally remastered version of the movie and, as bonus material, the theatrical edition of the film. That means […]


Boarding Passes, Privacy, and Threat Models

There’s a great article in the Guardian, “Q. What could a boarding pass tell an identity fraudster about you? A. Way too much:” This is the story of a piece of paper no bigger than a credit card, thrown away in a dustbin on the Heathrow Express to Paddington station. It was nestling among chewing […]


The Teddy Bears’ Parachutes

IMABARI, Ehime [Japan] — A paint firm here is hoping to add color to wedding receptions in Japan with a new device it has jointly developed — a gun-shaped party [favor] that shoots out a teddy bear. Sunamiya, a paint firm based in Imabari, Ehime Prefecture, announced the development of the device, which blasts a […]


Some Government-Issued-ID is More Government-Issued Than Others

So Representative Julia Carson discovered when she tried to use her United States House of Representatives ID card to vote: Carson’s card does not have an expiration date as the new law requires of valid voter IDs, and Indianapolis poll workers tried to reach election officials before allowing the five-term Democratic congresswoman to cast her […]


Automated code scanners do have their uses

Slashdot is carrying the story of a rather large bug find in the X11 code. Judging by the patch, it looks like the problem was due to a lack of caffeine: if (getuid() == 0 || geteuid != 0) The OpenBSD code auditors seem to have found this one independently: This is one of those […]


Security Development Lifecycle, the Book

Michael Howard announces the imminent availability of his new book, “The Security Development Lifecycle” by Michael Howard and Steve Lipner: This time the book documents the Security Development Lifecycle (SDL), a process that we’ve made part of the software development process here at Microsoft to build more secure software. Many customers, press, analysts, and, to […]


High Assurance Certificates and the Fake NEC

So I’ve seen the story in a bunch of places, but something about Bruce Schneier’s posting on “Counterfeiting an Entire Company” made me think about certificates, and the green URL bar. In the name of NEC, the pirates copied NEC products, and went as far as developing their own range of consumer electronic products – […]


Time to Patch

Brian Krebs has a long article, “Time To Patch III: Apple,” examining how long it takes Apple to ship security fixes: Over the past several months, Security Fix published data showing how long it took Microsoft and Mozilla to issue updates for security flaws. Today, I’d like to present some data I compiled that looks […]


I Would Prefer Not

First, apologies to Kim Cameron for taking a while to get to posting this. Being at a conference in Montreal, I was distracted from in-depth blog entries. Go figure. Anyway, in a back and forth on to develop a short explanation of Infocard, we are at: The relying party states what assertions it wants, the […]


What Does Rumsfeld Need to Do To Be Fired?

Law prof. Marty Lederman explains (in great detail) that “Army Confirms: Rumsfeld Authorized Criminal Conduct:” On November 27, 2002, Pentagon General Counsel William Haynes, following discussions with Deputy Secretary Wolfowitz, General Myers, and Doug Feith, informed the Secretary of Defense that forced nudity and the use of the fear of dogs to induce stress were […]


Security Breach Roundup

State of Ohio, 7.7 million registered voter SSNs, dismal process. From “Ohio Recalls Voter Registration CDs” via Dataloss. Fifth Third Bank employee Marco Antonio Munoz, 74 pages of names of victims, dismal dependence on process, from “Internal theft of personal bank data rare,” in the Cadillac News. Someone’s PR department deserves a bonus for that […]


DoD Tricare Management Activity system, SSNs, credit card numbers, health info, 14K people

Via Army Times: The Pentagon said routine monitoring of the Tricare Management Activity’s public servers on April 5 resulted in the discovery of an intrusion and that the personal records had been compromised, leaving open the possibility of identity theft among the members affected. The information contained in the files varied and investigators do not […]


Big Brother Has Your Best Interests At Heart

So pay no attention to the thoughtcriminals who are not bored, and their ridiculous propaganda documenting “Abuses of surveillance cameras.” We all know that cameras never lie, film can’t be edited or mis-interpreted, the police would never use cameras to look in your bedroom window, and that the videos taken will be strictly controlled. Those […]


Live Free or Die: New Hampshire Rejects National ID

Be it Enacted by the Senate and House of Representatives in General Court convened: Prohibition Against Participation in National Identification System. The general court finds that the public policy established by Congress in the Real ID Act of 2005, Public Law 109-13, is contrary and repugnant to Articles 1 through 10 of the New Hampshire […]


Two on Presenting

“Making a (Power)Point of Not Being Tiresome,” in the LA Times, via Paul Kedrosky. But more usefully, “The Many Uses of Power Point”


Aetna insurance, 38K customers, names+SSNs, health info, stolen laptop

Report via Reuters. Aetna declined to say where this occurred or which law-enforcement agency they are working with, but it looks like the employer whose folks just got their PII exposed was the US Department of Defense. Stars and Stripes has the scuttlebutt from HQ: The laptop was stolen from an employee’s personal car […]


The Iron Fist in a Cute Glove

The BBC reports on Sweet Dreams Security in “Safe, Secure, and Kitsch:” A German artist is trying to change the way people think about security, by replacing barbed wire with heart-shaped metal, and pointed railings with animal shapes. Thanks to N. for the pointer.


Purdue University, 1351 applicants+students, SSNs, "unauthorized electronic access"

“Unauthorized electronic access”. Not sure if that’s a poorly configured web server, or what. Press release today. Happened in February. Notices sent at some unspecified time. Indiana only requires state agencies to disclose breaches, the law isn’t in effect yet, and the legislative and judicial departments aren’t considered state agencies. Quoth “Mark Smith, head and […]


Tony Chor on Presenting at MIX

Tony Chor has a good post on “Backstage at MIX06.” The effort that goes into a good presentation, including the practice, the extra machines, the people to keep them in sync, etc, is really impressive: Normally, when I do a presentation and demo, both the demos and the presentation are on the same machine. I […]



I’m in Montreal at SIGCHI. (Pronounced “Kai.” Who knew?) I realize I haven’t gotten in touch with a slew of people I’d like to see. If you’re one of them, or think you’re one of them, or would like to be one of them, let me know!


Slippery Slope, Gaping Chasm and Torture

In February of last year, I told you about Lester Eugene Siler, a Tennessee man who was literally tortured by five sheriff’s deputies in Campbell County, Tennessee who suspected him of selling drugs. The only reason we know Siler was tortured is because his wife had the good sense to start a recording device about […]


Infocard: Have I Started a Trend?

After I posted “Infocard, Demystified,” I’m finding a whole lot of articles about it. Mario posted links to “A First Look at InfoCard” and “Step-by-Step Guide to InfoCard” in MSDN magazine, which are useful, but longer descriptions. In “What InfoCard Is and Isn’t,” Kim Cameron reprints an article from Computer Security Alert. So now I […]


Bin Laden Tape

Walid Phares summarizes the new Bin Laden tape at “New Bin Laden Tape: Ten Main Points,” and analyzes it in “Bin Laden’s ‘State of the Jihad’ Speech:” One more time Al Jazeera promotes an Usama Bin Laden speech. After airing portions of the Bin Laden audiotape al Jazeera posted large fragments of the “speech” on […]


Man Charged For Notifying USC of Vulnerability

Federal prosecutors charged a San Diego-based computer expert on Thursday with breaching the security of a database server at the University of Southern California last June and accessing confidential student data. A statement from the U.S. Attorney for the Central District of California names 25-year-old Eric McCarty as the person who contacted SecurityFocus last June […]


Homo Economicus?

Researchers have identified brain cells involved in economic choice behavior: The scientists, who reported the findings in the journal Nature, located the neurons in an area of the brain known as the orbitofrontal cortex (OFC) while studying macaque monkeys which had to choose between different flavours and quantities of juices. They correlated the animals’ choices […]


Have the Terrorists Won?

On Wednesday, officials closed down all security checkpoints at the Hartsfield-Jackson Atlanta International Airport when a “suspicious device” was detected in a screening machine. … All departing flights were stopped, and arriving flights were delayed 90 minutes, affecting 120 flights during the day’s peak travel time, according to the Associated Press. However, after two hours, […]



I second Alec Muffett’s recommendation of ThePartyParty. In particular, the cover of Imagine is dumbfoundingly bittersweet. Happy Earth Day. [Image: NASA]



In the latest in the ongoing saga of debit cards being reissued after a breach at an unnamed merchant, 3rd-party, or card processor, we learn that unless a crook stands a chance of getting caught, he’ll keep on stealing: These crooks get away with it, and that’s why they keep doing it. They’ve got about […]


Vengeful God Hurts Those With Demands

I forgot to blog this at the time, so will simply say that “Long-Awaited Medical Study Questions the Power of Prayer,” as reported in the NY Times and elsewhere, demonstrates that if there is a god, he prefers those who help themselves.


The law is an ass

Nevada is one of a small number of states that actually defines the term ‘encryption’ as used in its breach disclosure law. To wit: NRS 205.4742 “Encryption” defined. “Encryption” means the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to: 1. Prevent, impede, delay or disrupt […]


State disclosure laws

I’ve written up a comparison of what I believe to be all existing US state disclosure laws with regard to three loopholes that have been discussed by, among others, Rob Lemos and Bruce Schneier recently. I’m experimenting with Blosxom, so I posted this over here. The executive summary is all the state laws could use […]


How Low The Bar

The 2nd Circuit Court of Appeals upheld a ruling against a Ms. Cassano, who feared that providing her SSN placed her “in dire jeopardy of having her identity stolen,” refused to provide it, and was terminated. The decision states that “There is no doubt that laws requiring employers to collect SSNs of employees have a […]


Giant Elephants in London

The Sultan’s Elephant Theatre Show will be in London May 4-7. Eric Pouhier has photos of another event, or you can click the photo for his full-size image. Thanks to S. for the link.


US Travel ID to have RFID Readable at 25 feet

Declan McCullagh and Anne Broache have the story in “New RFID travel cards could pose privacy threat:” Homeland Security has said, in a government procurement notice posted in September, that “read ranges shall extend to a minimum of 25 feet” in RFID-equipped identification cards used for border crossings. For people crossing on a bus, the […]


Metricon 1.0 Call For Papers

MetriCon 1.0 – Announcement and Call for Participation. First Workshop on Security Metrics (MetriCon 1.0), August 1, 2006, Vancouver, B.C., Canada. Overview: Ever feel like Chicken Little? Wonder if letter grades, color codes, and/or duct tape are even a tiny bit useful? Cringe at the subjectivity applied to security in every manner? If so, MetriCon 1.0 may […]


"The Far Enemy"

I’ve been meaning to blog about “The Far Enemy: Why Jihad Went Global ” by Fawaz Georges for quite some time. The book is a fascinating look at the internal debates of the various Jihadist sub-groups, and takes its title from an argument over targeting the “near enemy,” or local government, or the “far enemy,” […]


Infocard, Demystified

For every product, there are thousands of sentences which result in the reply “well, why didn’t you just say that?” The answer, of course, is that there are thousands, and often it’s not clear which is the right one. For me, the useful sentence is that ‘Infocard is software that packages up identity assertions, gets […]


What Would Jesus Compile?

Generally, when I talk about religion, it’s in the Emacs vs. vi sense. One of my RSS bookmarks contained a somewhat thought-provoking article about the similarities between the philosophy advanced by Free Software Foundation, and certain aspects of Catholic doctrine, and ‘Christian charity’ more broadly. It’s an interesting take on Open Source, and perhaps appropriate […]


Animal Farm

Animal Farm is a 30-acre family farm in Orwell, Vermont. We are certified organic for milk, butter, eggs, and hay and pasture. Some things you just can’t make up, because someone else already has.


Lady Liberty

These folks would like to put a monument to the Bill of Rights in every state. Clearly a better use of cash than a ginormous diamond in New York’s harbor.


Kudos to Avis

I happened to look recently at the little card that Avis puts in the cars of frequent renters. The idea is that you land, get to Avis, see your name on a board, and walk directly to the car with one fewer line to stand in. So as you drive away, the fellow who checks […]


I Bet He Failed The Background Check

Staff Sgt. Daniel Brown is having trouble getting on a plane. He’s apparently known to work in close proximity to terrorists: A Minnesota reservist who spent the past eight months in Iraq was told he couldn’t board a plane to Minneapolis because his name appeared on a watch list as a possible terrorist. Marine Staff […]


Internet Explorer Flaw, Transparency, and App Compat

“After IE Attacks, Microsoft Eyes Security Betas” is by Al Sacco at CSOOnline. He has a lot of good orientation and background. Then take a look at Mike Reavy’s “Third party solutions to the Internet Explorer CreateTextRange vulnerability.” Mike runs MSRC, and it’s a pleasant surprise to see him acknowledging customer fears with a post […]


Matt Murphy on Microsoft & Transparency

Microsoft needs to be much more transparent about the real nature of the threats customers are facing. Microsoft doesn’t patch phantom vulnerabilities that don’t exist or unrealistic science-fiction attack scenarios. Microsoft’s under-documentation of these vulnerabilities leaves those charged with deploying patches in a tough spot. You simply don’t know what the patches are for. It’s […]


British National ID

“You may have heard that legislation creating compulsory ID Cards passed a crucial stage in the House of Commons. You may feel that ID cards are not something to worry about, since we already have Photo ID for our Passport and Driving License and an ID Card will be no different to that. What you […]


Perspective on Brian Doyle, Background Checks

“We try to weed out those who pose a security risk,” Chertoff said in a briefing with reporters. “I don’t know … that background checks with people hired will predict future behavior.” Well, golly, Mr. Secretary, I don’t know…that either. So will you please cancel CAPPSIII/Secure Flight/Free Wheelchairs for Paraplegic Children, rather than invading the […]


Consumer-Grade RFID Analysis

In “Why Some People Put These Credit Cards In the Microwave,” the Wall St. Journal incidentally captures everything you need to know: Makers of products using RFID say privacy and security safeguards are being built into the chips to prevent abuses. MasterCard International says multiple layers of security are available to prevent MasterCard data from […]


Breach Notices Round Up

Because of the volume, I’m going to consolidate these: US Marine Corps/Naval Postgraduate School, 207,750 SSNs, dismal process. From Stars and Stripes, “Thousands of Marines may be at risk for identity theft after loss of portable drive,” via Dataloss list. Marines affected should know there’s an “active duty military” alert you can add to their […]


Palestinian TV and Regulatory Capture

There’s an article about the chaos of Palestinian TV on Wired News, “Live From the West Bank,” which starts: Helga Tawil Souri reclines on the couch at a friend’s house in the Palestinian West Bank, getting sucked into an Egyptian movie about a woman in an insane asylum. Right before the climactic face-off, though, the […]


Why trackback spam is bad

    % prstat
       PID USERNAME  SIZE   RSS STATE  PRI NICE      TIME  CPU PROCESS/NLWP
     14135 nobody     16M   12M sleep   60    0   0:00:11 4.2% mt-tb.cgi/1
     14207 nobody     14M   11M run     55    0   0:00:08 4.1% mt-tb.cgi/1
     14203 nobody     14M   11M run     56    0   0:00:08 4.1% mt-tb.cgi/1
     14209 nobody     14M   11M run     54    0   0:00:08 4.1% mt-tb.cgi/1
     14215 nobody     14M […]


Market Efficiency from an Evolutionary Perspective

I missed this article when it first came out, but Andrew W. Lo’s “Market Efficiency from an Evolutionary Perspective” is fascinating and readable. The abstract: One of the most influential ideas in the past 30 years of the Journal of Portfolio Management is the Efficient Markets Hypothesis, the idea that market prices incorporate all information […]


Emergent Geodata about San Francisco

This Cabspotting project reminds me a lot of the Open Geodata work that Steve Coast is working on. The map, in particular, reminds me of their map of London. (Cabspotting via Boingboing.)


Metasploit blogging

“Official blog of the Metasploit Project.” Either you know who Metasploit is, in which case you’ve already clicked through, or you’re unlikely to understand their subject matter. PS to Vinnie: Where’s the Smallpox-making post?


"Security To The Core"

In a post titled “self-evidently wrong post title” “Blog Posts Do Not Include The Words ‘dizzying array of talent,’” Tom Ptacek points out that Arbor Networks has a blog. Jose Nazario’s “The Market-Driven (Vulnerability) Economy” post is pretty good. However, I think we need video of Dug Song reading this text, which in “News Flash: […]


Bad neighbor policy?

Many years ago, I needed to deploy a bunch of UNIX machines very quickly. When I created the golden system image, it included an ntp.conf file that pointed to a nearby public stratum 2 server not under my administrative control. This was dumb, because I could (and should) have just had my boxen chime against […]


Presidential Power, At Its Lowest Ebb

Attorney General Alberto R. Gonzales left open the possibility yesterday that President Bush could order warrantless wiretaps on telephone calls occurring solely within the United States — a move that would dramatically expand the reach of a controversial National Security Agency surveillance program. From the Washington Post, “Warrantless Wiretaps Possible in U.S.” It used to […]


Microsoft and Rootkits

Earlier this week, there was a story “Microsoft Says Recovery from Malware Becoming Impossible.” I’m not sure why this is news: Offensive rootkits, which are used to hide malware programs and maintain an undetectable presence on an infected machine, have become the weapon of choice for virus and spyware writers and, because they often use kernel […]


Deep Impact, Deep Analysis

The Nasa projectile that slammed into Comet Tempel 1 last year kicked out at least 250,000 tonnes of water. The figure comes from UK/US scientists on the Swift telescope, one of many observatories called on to study the US space agency’s Deep Impact event. Swift’s X-ray Telescope (XRT) saw the comet continue to release water […]


"Now war is declared — and battle come down"

The UK, having already abolished liberty, is now hard at work on abolishing any relevance Parliament might have. In “Who wants the Abolition of Parliament Bill,” David Howarth writes: The boring title of the Legislative and Regulatory Reform Bill hides an astonishing proposal. It gives ministers power to alter any law passed by […]


DHS Spokesman Brian J. Doyle Arrested

The deputy press secretary for the Department of Homeland Security was arrested last night on charges that he used the Internet to seduce an undercover Florida sheriff’s detective who he thought was a 14-year-old girl, the Polk County Sheriff’s Office said. Brian J. Doyle, 55, was arrested at his Silver Spring home at 7:45 p.m. […]


2nd Underhanded C Contest Begins

This year’s challenge: ridiculous performance degradation. For this year’s challenge, imagine you are an application developer for an OS vendor. You must write portable C code that will inexplicably taaaaaake a looooooong tiiiiime when compiled and run on a competitor’s OS. The program is supposed to read a set of words on stdin, and print […]


Lab-Grown Bladders

I’m a little behind in posting this, but modern medical science can be so cool: US scientists have successfully implanted bladders grown in the laboratory from patients’ own cells into people with bladder disease. The researchers, from North Carolina’s Wake Forest University, have carried out seven transplants, and in some the organ is working well […]


Low-quality DATA

The other day, I wrote about the Data Accountability and Trust Act (DATA), which has been received well by consumer and privacy advocacy organizations. For example, “We’re pleased with the compromise ‘trigger’ language relating to when a business must notify individuals of a breach of their personal information,” said several privacy advocacy groups in a […]


Readability of Financial Privacy Notices

Federal regulators today released Evolution of a Prototype Financial Privacy Notice… The report’s release concludes the first phase of an interagency project […] to explore alternatives for financial privacy notices that would be easier for consumers to read, understand, and use than many of the notices consumers currently receive from financial institutions. These six agencies […]


Startup Opportunity: Revive Systems

My friend Robert Stratton has taken the CTO role at Revive Systems. He’s both a serial startup guy (Wheel Group and UUNet) and has been on the investor side at In-Q-Tel. We’ve spent some time talking about the technology, too, and it sounds very intriguing. The remainder of this post is his job description for their […]


Quick! Before the Trademark Lawyers Strike!

Get Pac Man for the Smartphone before it’s too late. Doubtless the lawyers will come in and remove this version, too. Because, you know, if they didn’t, Midway wouldn’t be able to make any money on Pac-man.


Better ID Theft Statistics: 3% of US households in first half 2004

The 2004 National Criminal Victimization Survey includes ID theft data, for the first time. From a CSOOnline blog post, “DOJ Study: ID Theft Hit 3.6M In US:” About 3 percent of all households in the U.S., totaling an estimated 3.6 million families, were hit by some sort of ID theft during the first six months […]


Competition among laws

Declan McCullagh writes cogently on the matter of national security breach legislation. His article makes many important points, and should be read widely. However, his overall thrust — that federal legislation is inferior to state legislation as a means of addressing security breaches — touches too briefly on an important point: we can have both. […]


HotSec, 31 July (Or, Vancouver is shaping up very interestingly)

HotSec is intended as a forum for lively discussion of aggressively innovative and potentially disruptive ideas in all aspects of systems security. Surprising results and thought-provoking ideas will be strongly favored; complete papers with polished results in well-explored research areas are discouraged. Papers will be selected for their potential to stimulate discussion in the workshop. […]


Click before midnight tonight!

As April Fool’s hoaxes go, this search engine results aggregator for credit card numbers is a good one.


Google to Acquire Choicepoint

Mountain View, CA, April 1 /PRNewswire/ — Google today announced plans to acquire Alpharetta, GA based Choicepoint. Choicepoint, 2005 winner of the “Lifetime Achievement” Big Brother award, is a data warehouser which collects information on everyone it possibly can, and re-sells it widely. “Google’s mission is to “organize the world’s information and make it universally […]


National breach list? Pinch me!

H.R. 3997, the Financial Data Protection Act, is one of the many pieces of legislation proposed in the US to deal with identity theft or notification of security breaches. It was approved by the Financial Services Committee of the House of Representatives on 3/16. I haven’t read the full text of the bill (and it […]


Metricon 1.0 Announced

At this year’s RSA show, a decent portion of the securitymetrics mailing list (about 30 people) convened for lunch. I enjoyed meeting my colleagues immensely, and I received good feedback from others who attended. One thing everyone agreed on is there is enough activity in the security metrics area to merit convening the group a […]


Privacy Enhancing Technologies Award/Call for Nominations

We’re looking for nominations of great work in Privacy Enhancing Technologies: The PET Award is presented annually to researchers who have made an outstanding contribution to the theory, design, implementation, or deployment of privacy enhancing technology. It is awarded at the annual Privacy Enhancing Technologies Workshop (PET). The PET Award carries a prize of 3000 […]


Lapel Pin, Redux

Dear Arthur, In Re: your post, “Die Struck Lapel Pins From Collinson Enterprises.” They’ve some neat ones for sale too, if you’d like to be spotted as a Fed at Defcon.


Lapel Pins?!?

There is an AP article in today’s Washington Post about Cynthia McKinney, a Georgia Congresswoman who was in a scuffle with the police today after refusing to identify herself upon entering one of the House buildings in the “Capitol Complex”. The truly scary part of the article was this: Members of Congress do not have […]


How New Ideas Emerge From Chaos

There’s an interesting contrast between “The Problem With Brainstorming” at Wired, and “Here’s an Idea: Let Everyone Have Ideas” at the New York Times. The Problem with Brainstorming starts out with some history of brainstorming, and then moves to its soft underbelly: The tendency of groupthink to emerge from groups: Thinking in teams, and pitching […]


Security Flaws and The Public Consciousness

In “Duped Bride Gets No Sympathy,” Kim Cameron writes about an Ebay scam. What’s interesting to me is some of the language that the scammer used to justify their requests: “Her attacker convinced her to use Western Union due to “a security breach at Paypal”.” (Kim Cameron, summarizing video)…. “Another red flag was the wire-transfer […]


"Suffering in Silence With Data Breaches"

That’s a huge loophole that could be used in almost every incidence of stolen data, said Dan Clements, CEO of, a company that tracks the sale of stolen credit cards on the Web. Every law enforcement agency that receives a crime report is going to consider the case “under investigation,” he said. “Only about […]


Privacy Grants from the Canadian Privacy Commissioner

The Privacy Commissioner of Canada, Jennifer Stoddart, today announced the renewal of funding through her Office’s Contributions Program which, for the last three years, has allowed some of Canada’s brightest privacy experts to develop a wealth of information on various privacy challenges of the 21st century. From “Privacy Commissioner’s Office renews its cutting-edge privacy research […]


196,000 HP Employee SSNs, Fidelity Laptop

A laptop lost by Fidelity this month has exposed 196,000 current and former HP employees, staff were told last night. “This is to let you know that Fidelity Investments, record-keeper for the HP retirement plans, recently had a laptop computer stolen that contained personal information about you, including your name, address, social security number and […]



By Banksy, via Saar Drimer.


How Private Are Your Tax Records?

In “How private are your tax records? You’ll be surprised,” Bob Sullivan illustrates why the “opt-in/opt-out” way of discussing privacy is so destructive: Any information you give to a company that helps you prepare your taxes can be sold to anyone else. Only a single signature on a permission slip stands between you and the […]


Congratulations, Professor Ian!

I’m very happy to report that Ian Goldberg has accepted a position, starting in the fall, at the University of Waterloo. I had the privilege of working with Ian while he was Chief Scientist and Head Cypherpunk for Zero-Knowledge Systems, and he spans academic and practical computer security in a way that’s all too rare. […]


Destructive Chaos

Sorry about the unavailability over the last (unknown time period) My DNS registrar, was under DDOS attack. If you’re reading this, you either have a cache, or the attack has been mitigated in some way. We now return you to your regularly scheduled list of stolen laptops, lost backup tapes, and who knows, maybe […]


Laptop theft

The Register has been on Ernst & Young’s case. The latest Exclusive! talks about a laptop stolen in early January, and how we now know it had info on BP employees, along with those from IBM and others. The article also observes that: It’s difficult to obtain an exact figure on how many people have […]


I’m Sure I Don’t Want to Continue

When I try to drop files in the Trash, the Finder gives me this awful[1] dialog box. I really don’t want to delete files immediately, and am not sure why it wants to. Does anyone know what I do to fix this? [1] It’s awful for two reasons: First, it gives me no advice on […]


You can't buy publicity like this!

UCSB has a project to digitize wax cylinder recordings. They have thousands cataloged, with the majority downloadable as mp3s. It’s awesome. Naturally, I wanted to see what software they used. Being archivists, they of course go into great detail, including this gem: We’d like to use this space as a soapbox to say that Cleaner […]


Sprint "Security"

So the other day, I called up Sprint, my illustrious cell phone provider, to make some changes to my service plan. The very nice agent asked me to identify myself with either the last 4 digits of my SSN or my password. Now, I’ve never set up a password for use over the phone and […]


Many Meanings of Privacy

I regularly talk about how privacy has many meanings, but haven’t put those in a blog posting. Since this blog has more readers than most of my talks have attendees, I figure it’s a sensible thing to blog about. The point of this list is to illustrate the dramatically different things people mean when they […]


Art Imitating Life?

Many laughs, and perhaps a tear or two, from The Cubes


Breach notification escape mechanisms

In a somewhat incendiary piece published today at, Robert Lemos reports on loopholes in notification laws which permit firms to avoid informing people that their personal information has been revealed. According to the article, which along with unnamed “security experts” also cites industry notable Avivah Levitan, “[t]here are three cases in which a company […]


Government Issued Data and Privacy Law

I’d like to say more about the issue of privacy law, and clarify a bit of jargon I often use. (Alex Hutton pointed out it was jargon in a comment on “There Outta be a Law”.) As background, some people have objected to privacy laws as being at odds with the First Amendment guarantees of […]


Relentless Walking

You two and your obsession with modern entertainment. Get out, and go for a walk to Rivendell. If you are going to insist on watching movies, at least go see some real ones. (Image is “Descent to Rivendell, by John Howe, from


Relentless Navel Gazing, Pt 9

I’ve made the text darker, and hope it’s a tad easier to read, and thanks to N, have finally added a closing quote to blockquotes:

    blockquote { background: url("") no-repeat bottom right; }
    blockquote:before { content: url(""); display: run-in; padding-right: 10px; }

The tricky part was to ensure that the closing quotation mark stayed within […]


I find your faith disturbing

Adam, I learned of the flick via a blog unrelated to either Star Wars or computing, so no need for Google. Not to get all “vi vs. emacs” on you, but I never understood the fascination with Star Wars. :^) Photo cred: kemikore


You Have Failed Me For the Last Time

Chris, I can’t believe you mentioned Snakes on a Plane, and failed to link to a blog called “I Find Your Lack of Faith Disturbing,” whose article, “Snakes on a Motherfucking Plane” is like the 3rd hit on Google. I mean, really! It’s not like you had to look hard to find that. Do I […]


Beautiful Evidence

Edward Tufte’s new book, Beautiful Evidence, is now at the printer and should be available in May 2006. The book is 214 pages, full color, hard cover, and at the usual elegant standards of Graphics Press. (Thanks, Mr. X!)


Security & Orientation

When Larry Ellison said “We have the security problem solved,” a lot of jaws dropped. A lot of people disagree strongly with that claim. (Ed Moyle has some good articles: “Oracle’s Hubris: Punishment is Coming,” “Oracle to World: ‘Security Mission Accomplished…’”) That level of dripping sarcasm is fairly widespread amongst the security experts I talk […]


St. Patrick would know what to do

The movie “Jaws” made a lot of money. People like money. Hence, people made derivative movies, “Orca” for example. One copycat, IMO, was so dreadfully bad that it was good. That movie was “Grizzly“, which I saw on its first run. It told the tale of a rogue bear which, you know, basically roamed around […]


TSA: 0 for 21 in a Game They Rigged

“In all 21 airports tested, no machine, no swab, no screener anywhere stopped the bomb materials from getting through. Even when investigators deliberately triggered extra screening of bags, no one stopped these materials,” the report said. … The Transportation Security Administration (TSA) had no comment on the report but said in a statement that detecting […]


Virtual Machine Rootkits

Eweek covers a paper (“SubVirt: Implementing malware with virtual machines“) coming out of Microsoft and UMichigan in “VM Rootkits: The Next Big Threat?” Joanna Rutkowska gives some thoughts in a post to Daily Dave, “redpill vs. Microsoft rootkit….” My take is it’s good to see Microsoft working on this sort of research, and thinking […]


Macs Vulnerable to Wolverine Attack

Crazy Apple Rumors has the scoop: “Macs Just As Vulnerable To Wolverine Attack.” (Picture from SamCat.)


Slightly Unique Identifiers

One of the neat things about Blue Hat is that people get pulled aside and introduced to people who have problems that they’d like your thoughts on. In one of those meetings, it came out that the person I was meeting with was destroying lots of data before it came to his group. Very cool. […]


There Outta be a Law

A reader wrote in to ask why I’m not more forcefully advocating new laws around information security. After all, we report on hundreds of failures with deeply unfortunate consequences for people. Those people have little say in how their data is stored, so shouldn’t we have a law to protect them? We probably should, and […]


Security & Usability, Workshops

This was supposed to be a part of my book review post, but early user testing showed us confusion and a desire for a more tightly focused blog post experience… It may also help to attend events like the “Security User Studies Workshop at SOUPS 2006” or the “Workshop on Psychological Acceptability and How to […]


David Litchfield Asked Me

At Blue Hat, David Litchfield of NGS asked me ‘how many of the issues we see are related to SQL injection?’ I did a review of the breach archive here, and found less than half a dozen that seemed decent candidates: State of Rhode Island, 4,118 or 53,000 CC, Hacker Reeves Namepins, Unknown # Cop […]


NJ prosecutor reports debit card ring has been busted

Story at CNET. In related news, OfficeMax says there’s no evidence they were broken into, and back it up with help of outside experts. I’m done being a Kremlinologist on this one, for now. With as little solid info as has made it into the press, it’s just not worth it. Perhaps some facts will […]


Identity Theft and Child Pornography

The CBC has a story on how “Global child porn probe led to false accusations:” An international investigation of internet-based child pornography has led to accusations against innocent victims of credit card fraud, a CBC News investigation has found. In other cases, victims of identity theft found themselves fighting to save their reputations, jobs and […]


Security and Usability

Simson Garfinkel sent me a copy of “Security and Usability: Designing Secure Systems that People Can Use,” which he co-edited with Lorrie Faith Cranor. [Updated spelling of Lorrie’s name. Sorry!] I was really hesitant when I got it because I tend to hate collections of academic papers. They’re often hard to read, heavily redundant, and […]


Blue Hat Pictures

J. in the Windows Build room, and some labels on a cabinet. And baby, that’s all you’re gonna see of the pictures. We value everyone else’s privacy, unless you were there. In which case, it’s all groovy. Drop me a note and you’ll get the super-double-secret URL. As to the picture honoring ‘patch Tuesday,’ I […]


Stolen Ernst and Young laptop had 84,000 SSNs

Information courtesy of the Reporting Form E&Y filed pursuant to New York state law. The consulting firm has been criticized for the delay in reporting this breach, which occurred on January 4.


Some additional info on the debit card breach

American Banker has a useful article about the debit card/PIN breach that has been making news. Unfortunately, it is behind a paywall. After reciting the background, the article presents some additional info in Q and A form. Herewith, some fair-use excerpts. All italics emphasis is added. If you have access, I urge you to read […]


Reflections on the Microsoft CSO Summit

Adam’s Private Thoughts on Blue Hat, reminds me that I’ve been meaning to post about Microsoft’s recent CSO Summit. This was an invitation-only spin off of Microsoft’s Executive Circle, and was a mix of MS product presentations, round table discussions, and non-MS folks speaking on how they dealt with real world scenarios in their various […]


Social Security Administration, 300 Million Americans Not Exposed

I just got my “Your Social Security Statement” in the mail. The very first words on the top of it are “Prevent identity theft—protect your social security number.” Inside, it only prints the password to my cell phone last 4 digits. If your bank, school, or employer does worse, ask them why they’re less enlightened […]


Private Thoughts on Blue Hat

As I mentioned, I was out at Microsoft’s Blue Hat conference last week. As it was a private event, speakers’ names are being kept private right now. I’m all in favor of privacy. Unfortunately, that makes it hard to properly attribute this bit of genius: 1 bottle of beer on the wall, 1 bottle of […]


New Jersey's breach law

New Jersey’s breach notification law went into effect in mid-December 2005. Like New York’s, it requires that a state entity be notified, in addition to the persons whose info was exposed: c. (1) Any business or public entity required under this section to disclose a breach of security of a customer’s personal information shall, in […]


Audio Surveillance Can Be Cool, or a Hoax

[Update: Everyone says I’m being taken, in the comments.] French archaeologists have taken pottery from ancient Pompeii and played the grooves back like a record to get the sounds of the pottery workshop, including laughter. Click “Telecharger la video” to play the short video which contains a sample of the audio. Audio from ancient Pompeii, […]


"I've turned into my mother!"

…or, more generally, “I’m now doing that weird thing I saw an influential elder do, but now it seems to make sense”. I have several examples from my own life (generally rather predictable for a balding 40-something suburbanite), but just today I found another one, and I didn’t see it coming.


Chip and Pin Point-of-Sale Interceptor

Mike Bond at Cambridge University has a page “Chip and PIN (EMV) Point-of-Sale Terminal Interceptor,” in which he documents: Our interceptor is a prototype device which sits between a Point-of-Sale (POS) terminal in a shop and the Chip and PIN card carried by a customer. It listens passively to the electrical signals – “the conversation” […]


CIBC, One Customer's Wire Transfers, Data They Didn't Use

The federal Privacy Commissioner is looking into a faxing incident involving Canadian Imperial Bank of Commerce and one of its clients. The case began last October when CIBC was told by Christine Soda that she had been receiving faxes at her home in Mississauga that were supposed to be going to Gerry McSorley, who runs […]


Ehime Prefectural Police (Japan), Data on unknown # Suspects, Virus

A massive amount of investigation data kept by Ehime Prefectural Police has been leaked onto the Internet, apparently after the computer that kept the data was infected with a virus through the file exchange software Winny, it has been learned. The amount of information leaked from the Ehime police computer is about four times that […]


Toyama Japan Hospital, 2,800 patients, file sharing

Information on about 2,800 patients who had surgery at a privately-run hospital in Toyama between 1997 and December 2004 was unintentionally uploaded to the Internet. According to the hospital, the man in charge of data on surgery transferred the information–consisting of patients’ names, sexes, birthdates and information on surgical procedures for which they were hospitalized–to […]


SSL Survey over at Matasano

Jeremy Rauch over at Matasano is running a survey on how companies are using HTTPS/SSL. I encourage you to go there and respond. My answers are below the cut.


North Carolina Transportation Department, 16,000 credit card #s, outside intruder

The Associated Press is reporting that: An Internet server used by the state Transportation Department’s Ferry Division to process credit card payments for ferry fares may have been breached by outsiders, the agency said Friday. The computer database contained 16,000 credit card numbers, the DOT said. The Office of the State Controller has notified its […]


The wall starts to crack

Merchants and credit card processors are not allowed to store a host of sensitive data, according to Visa and MasterCard. That includes personal identification numbers, or PINs, used to withdraw cash, the three-digit code on the signature panel, and data on the magnetic stripe on the back of credit cards. A Visa spokeswoman would not […]


Mary Worth

Michael Howard over at Microsoft, has a great post, on why security analogies are usually wrong, that has a beautiful analogy of his own that aptly makes his point. Also, note that Ed Felten, is currently teaching a class, InfoTech & Public Policy, at Princeton. Students are required to post weekly, and non-students are encouraged […]


Worth Reading, 2.0

The news that one of “Saturn’s moons is spewing water vapor” is worth reading because the universe is cool, Enceladus will have life found on it, and life will get more interesting. “Fix My Settings in IE7” is worth reading for user interface designers. I hope to see the idea exposed to some user testing […]


"Worth Reading" (Elements of Blogging Style)

The phrase worth reading is a crutch for lazy writers. I use it a lot, and shall use it less. Please call me, and anyone else you read on this bit of spinelessness in our writing. At least, I’ll endeavor to say why I find something worth reading, and try to suggest which readers might […]


The Pursuit of Wow and the Virtue of Shipping

I’ve just finished reading “The Pursuit of Wow!” by Tom Peters. The essential message is that if you’re not enthused by what you’re doing, change things until you’re enthused. It’s a great reminder of the importance of passion for delivering great products and services. Unfortunately, as a startup veteran, there’s a conflict that I run […]


Citibank card cancellations are likely due to Sam’s Club

So says Gartner analyst Avivah Levitan, as reported in Computerworld. Much has been made recently about a purported “class break” of Citi’s ATMs. A class break is “an attack that breaks every instance of some feature in a security system”. The term was popularized by Bruce Schneier, in Beyond Fear, from which this definition comes. […]


Dear United

It would be so nice if you could put the same information on the web, the departures board, and the gate. I’d like to now say KTHXBY, but I can’t, because no one here seems to know when my flight is leaving. I know, you all don’t do a lot of business in Denver, so […]


The Emergent Field of War and Economics?

There’s a fascinating new paper available from West Point’s Combatting Terrorism Center, on “Harmony and Disharmony: Exploiting al-Qa’ida’s Organizational Vulnerabilities.” What I found most fascinating about the paper was not the (apparently) new approach of reading what the terrorists are saying to gain insight into their weaknesses, but its adoption of the language of economics […]


Direct Marketing Association opposes consumer right to see, correct information

Access and correction rights are something the DMA wants removed from the bill, Cerasale said. For one thing, it would be expensive for list brokers and compilers to set up procedures enabling consumers to access and correct data. For another, the same hackers who caused the breach could also change the data. You can’t […]


Software That Works

Ethan Zuckerman did a great job of blogging from TED. The most interesting post for me was his summary of David Pogue’s talk: But he’s a big fan of the iPod and the “cult of simplicity”. Despite violating every rule of product design – going up against Microsoft, having fewer features, having a proprietary, closed […]


My Blogging Will Be Light

I’m on the road this week, here and there, with here being, well, illustrated and there being Seattle, at Microsoft’s Blue Hat event. Some things that I’m hoping to find some time to write about include: “Person to Person Finance” at the Economist (paywall) is fascinating, and I think there’s a fascinating question of if […]


British Columbia, More than 65,000 SINs, Dismal Process

The provincial government has auctioned off computer tapes containing thousands of highly sensitive records, including information about people’s medical conditions, their social insurance numbers and their dates of birth. Sold for $300 along with various other pieces of equipment, the 41 high-capacity data tapes were auctioned in mid-2005 at a site in Surrey that routinely […]


I am not a Probabilistic Polynomial Time Turing Machine; I am a Free Man!

In a jargon-rich yet readable essay (“Cryptographic Commitments”), David Molnar discusses the assumptions that he brings to his work as a cryptographer. It’s fascinating to me to see someone lay out the assumptions portion of their orientation like this, and I think readers can ignore the specifics and get a lot out of the essay. […]


Identity is Hard, Let’s go Shopping.

Kim Cameron, in the course of saying nice things about us (thanks, Kim!) says: “In my view, the identity problem is one of the hardest problems computer science has ever faced.” I think this is true, and I’d like to tackle why that is. I’m going to do that in a couple of blog posts, […]


What’s in a Name?

A rose by any other name might smell as sweet, but it would certainly be confusing to order online. Consistent naming is useful, but requires much effort to get right. In identity management, which I hadn’t thought of as closely related to taxonomies, Zooko has argued that names can be “secure, decentralized or human memorable […]


Economics of Detecting Fake ID

During 2005, the Vail Police Department alphabetized hundreds of drivers licenses, passports and other shoddy identification that will be incinerated at year’s end. Once the IDs come through the department’s doors, they’re gone for good, Mulson said. A liquor license allows bars to confiscate any ID that is fake or appears to be fake. Glendining […]


Your Apple-Fu Is Impressive!

Yesterday, DaveG posted “When OSX Worms Attack.” It’s some good analysis of the three Apple worms: Safari/Mail Vulnerability: Far more interesting. This is a serious vulnerability that needs to be fixed. If you are a Mac user, I would at the very least uncheck ‘Open Safe Files’ in Safari preferences. I don’t understand why Apple isn’t […]


Medco (prescription drug service)/ 4600 people, birth dates, SSNs, drug info/lost laptop

Executive summary: Prescription drug benefits provider Medco employee loses laptop with Ohio government employee (and dependents) info. Waits six weeks to let Ohio know. Ohio complains vociferously. Interestingly, the names of the affected individuals were not on the laptop. Money quote from a Medco spokesperson: You’re as efficient as the lessons learned in the last […]


John Robb on Big Bangs

In Big Bangs, John Robb uses complex aircraft dynamics as a fascinating metaphor for society: If we look at today’s global environment we see a moderately unstable system. It is a relatively high performance system that is increasingly controlled by global markets. This explains why it is spreading so quickly. However, our drive towards a […]


Patents and Comments

The comments on “Patents and Innovation” and “New Products, Emerging from Chaos” have been really good. I want to draw your attention to them, because I’m impressed at how much has been added. I’m really enjoying the feedback, and the ability to continue a thread that’s emerged from a comment. I’m also curious what I […]


Not Because It Is Easy, But Because We Can

Twelve barrels of the world’s most alcoholic whisky, or enough to wipe out a medium-size army, will be produced when the Bruichladdich distillery revives the ancient tradition of quadruple-distilling today. With an alcohol content of 92 per cent, the drink may not be the most delicate single malt ever produced but it is by far […]


Patents and Innovation

In responding to “New Products, Emerging from Chaos,” Albatross makes a good comment about how the RSA patent expiry didn’t lead to an immediate outpouring of new products. Albatross also mentions how transaction costs encourage people to look for new ways to solve a problem. Mordaxus says there has been an explosion in the use […]


On Computers and Irony

I’ve been saying for a while that destroying information has an ironic tendency: While it’s quite hard to really destroy data on a computer when you want to, (for example, “Hard-Disk Risk“) it’s quite easy to lose the data by accident. Similarly, while it’s quite hard to make code that runs and does what you […]


How Much Does A Firewall Reduce Your Risk?

In a recent post, “The Future Belongs To The Quants,” Chris suggests that risk mitigations must be quantifiable. My post “In The Future, Everyone Will Be Audited for 20 Years,” lists what the FTC is requiring for risk mitigation. It seems none of it is quantifiable. Chris? (Incidentally, I think this iptables […]


Analysis of University of Texas, 4,000 encrypted SSNs, Laptop

There is no such thing as perfect security. This week, Arthur commented on “40 Million Pounds Sterling Stolen from British Bank.” Mistakes do happen, and it’s nice to see that not only did the M.D. Anderson Cancer Center ensure that their data was stored encrypted, they chose to notify people that it happened: The private […]


Relentless Navel Gazing, Part 8

We made a few changes yesterday. There’s now a special archive page for the “Security Principles of Saltzer and Schroeder, illustrated with scenes from Star Wars” series of posts. I’ve gotten more kudos for that series than anything else, so I added a way for you to read them all in the order they were presented. […]


Security Breach Resources

I’ve put together a small set of web pages containing links to current and pending legislation, breach listings, various on-line resources, and so on. There is probably not much there that is new to most readers of these words, but the fact that it is in one place may be helpful. The URL is […]


Dear Lazyweb

I’m looking for code that will parse the emails sent by online travel agencies and airlines. Ideally, it would be Python code that allows me invoke something like itinerary.get_next_flight(msg) and get a dictionary of (to, from, airline, flight #, date), etc. Does such a library exist?


Justice Department Weighs In On Google Subpoena

Surprise surprise, the Department of Justice doesn’t think that the Bush administration’s request for search data violates users’ privacy rights. [Edit: Fixed broken link] [Update: Try this link instead. ]



Consulting firms are interesting beasts. Often, they are able to make great changes in their clients’ organizations, perhaps not so much because their people are smarter, or even more knowledgable, but because they aren’t subject to the same incentives (pecuniary and otherwise) that client employees face.


"Illegal Political Activity"

Something is seriously wrong when the New York Times has an article “I.R.S. Finds Sharp Increase in Illegal Political Activity,” and fails to mention the free speech issues associated with the claptrap coming out of Congress: While pointing out the extent of the problem, the agency published more guidance for nonprofit organizations, including examples of […]


The future belongs to the quants

The title is of course stolen from Dan Geer. By now, many readers of these words will be familiar with the recent finding in Guin v. Brazos Higher Education Services [pdf] that a financial institution has no duty to encrypt a customer database. In dismissing the case with prejudice, the court took note of an […]


New Products, Emerging From Chaos

In a trenchant comment on “Secretly Admiring,” Victor Lighthill writes: Not to disrespect Ron Rivest or Credentica’s Stefan Brands, but patenting your ideas in crypto is, historically, a great way to ensure that it takes them 15 years to go from concept to use. While there may be important grains of truth in this, and […]


Subject: Attention! Several VISA Credit Card bases have been LOST!

You know breaches are reaching the public consciousness when spammers use them to make money. I got this in email yesterday, along with a URL that I don’t feel like linking. Banks would do really well to send less email with the words “click here,” and more saying “visit our site using a bookmark.” Good […]


More CFIUS fun

UAE running our ports? CFIUS is cool with that. Israeli ownership of an IDS company? Now hold on there, pardner. Hat tip to Richard Bejtlich.


"It fell off the truck. No, really."

Via BANK statements, including customers’ private details, were left on the side of a busy Sydney road after the documents fell off the back of a truck. The confidential account information and credit card statements of thousands of Commonwealth Bank customers were left lying on the Hume Highway at Warwick Farm, in Sydney’s south-west, […]


40 Million Pounds Sterling Stolen from British Bank

As reported in The Australian, a group of co-ordinated criminals stole over 40 million pounds in cash from a processing center. They did so by the expedient process of dressing up as police officers and kidnapping the wife and child of one of the center’s managers. They then were escorted on site, where they subdued […]


In The Future, Everyone Will be Audited for 20 Years (CardSystems Analysis)

In the largest known compromise of financial data to date, CardSystems Solutions, Inc. and its successor, Solidus Networks, Inc., doing business as Pay By Touch Solutions, have agreed to settle Federal Trade Commission charges that CardSystems’ failure to take appropriate security measures to protect the sensitive information of tens of millions of consumers was an […]


Ephemeral port security

By now, most have heard about Dubai Ports World, a foreign entity, assuming control of operations at various U.S. ports. The arguments around this transaction are predictable and uninteresting. One thing that is clear is that the Committee on Foreign Investment in the United States (CFIUS) is legally mandated to consider such deals. In fact, […]


Updating Windows Mobile Phones

Nothing we ever create, especially software, is ever perfect. One of the banes of professional systems administrators is the software update process, and the risk trade-offs it entails. Patch with a bad patch and you can crash a system; fail to patch soon enough, and you may fall to a known attack vector. The mobile […]


Dan Kaminsky on Sony and Anti-Virus

Read “Learning from Sony: An External Perspective” on Dan’s blog: The incident represents much more than a black eye on the AV industry, which not only failed to manage Sony’s rootkit, but failed intentionally. The AV industry is faced with a choice. It has long been accused of being an unproductive use of system resources […]


Secretly Admiring

Quick! Name the speaker: In a lot of countries, statements like “this person is over 18”, “this person is a citizen”, the governments will sign those statements. When you go into a chat room, for example, in Belgium, they’ll insist that you present not necessarily the thing that says who you are, but the thing […]


Metadata strikes again!

Brian Krebs wrote about a botnet and the 733t d00d who ran one, nom de hack 0x80. Well, turns out the doctored on-line photo the Washington Post ran contained metadata identifying the gentleman’s rather small home town. Coupled with information in Krebs’ article concerning businesses near 0x80’s residence, identifying the young criminal would seem a […]


Book Review: The Stag Hunt and the Evolution of Social Structure

Brian Skyrms’ The Stag Hunt and the Evolution of Social Structure addresses a subject lying at the intersection of the social sciences, philosophy, and evolutionary biology — how it is possible for social structures to emerge among populations of selfishly-acting individuals. Using Rousseau’s example of a Stag Hunt, in which hunters face a decision between […]


Police report on Cheney shooting incident reveals license info

Yet another incident of ineffective redaction? Adam’s bookmarks alerted me to this blog entry, in which commenters describe the ease with which the drivers’ license numbers of witnesses to the VP’s recent hunting accident are revealed. If this stuff is worth blocking, it’s worth blocking properly.


Sent 'Race-Customized' Valentines

How are’s Valentine’s Day e-mails targeted? Very simply: one version of their e-mail targets black singles, another targets East Indian lonely hearts, and other versions target the Asian and Hispanic loveless. (Our multi-cultural bots were lucky enough to get one of each). There’s nothing wrong with that on the surface. But we wondered how […]


Police Chiefs Gone Wild

Harold Hurtt has suggested that surveillance cameras be placed “in apartment complexes, downtown streets, shopping malls and even private homes”, according to this story in the Seattle Post Intelligencer. In response, I hereby found…. The Hurtt Prize The Hurtt Prize is a $1120 (and growing) reward for the first person who can provide definitive videotaped […]


Safari Users: Don't Open "Safe" files after downloading

Go to preferences, general, and un-select that box. From “Apple Safari Browser Automatically Executes Shell Scripts,” via SANS and Eric Rescorla. Don’t miss Peter da Silva’s comment on Eric’s post. Eric, how do you get such good comments?


The Leaf of Trust

One of the most interesting and controversial aspects of Phil Zimmerman’s PGP was that it avoided any central repositories of information, relying instead on what Phil labeled the “web of trust.” The idea was that if Alice “trusts” Bob, and Bob “trusts” Charlie, there’s some transitive trust that you can establish.[1] (I’m going to stop putting […]


Branded Security

For quite some time, Ian Grigg has been calling for security branding for certificate authorities. When making a reservation for a Joie de Vivre hotel, I got the attached Javascript pop-up. (You reach it before providing a credit card number.) I am FORCED to ask, HOWEVER, what the average consumer is supposed to […]


CPNI Public Comment

The FCC has asked for comments on “TELECOMMUNICATIONS CARRIER’S USE OF CUSTOMER PROPRIETARY NETWORK INFORMATION AND OTHER CUSTOMER INFORMATION.” “Customer Proprietary Network Information” is newspeak for “selling your phone records.” Several anonymous readers commented on “Selling Your Phone Records” about their troubles with T-Mobile. Here’s a chance to tell the FCC what you went through. […]


The World's Greatest Rock and Roll Band?

Ok, so the Stones are playing, free, in Rio. I figure the crowd will be big. Maybe huge. Apparently not a record-breaker, though: Saturday’s crowd may not be as big as that at Rod Stewart’s 1994 concert, also at Copacabana beach, which drew a crowd of 3.5 million. Rod Stewart?


Salesman uses credit application to stalk and rape customer

Police say a convicted murderer used his job as a car salesman in Sandy to track a female customer to her home and rape her. Cleon Jones, 34, was arrested Wednesday on multiple first-degree felonies and remains in the Salt Lake County Jail without bail. Authorities allege Jones tracked down his victim by using her […]


University of Northern Iowa, 6000 W-2 forms, virus-infected laptop

An IT person troubleshoots dodgy printing of US earnings documents by loading 6,000 of them onto a laptop. Hilarity ensues when the laptop later turns out to be infected with malware detected during “routine monitoring”. Via The University of Northern Iowa has warned students and faculty to monitor their bank accounts after someone accessed […]


Custom Shirts

Get your custom shirts with font size controlled by word frequency. It’s shirts-2.0, now available from Snapshirts. Cool.


John Robb on the Next Attack

John Robb has some very interesting thoughts on the next major al Qaeda attack on the United States in “The Next Attacks on America:” The impact of these attacks, particularly if they are numerous (attracting copycats?) and spread out over an extended period of time will be severe. Given their lack of symbolic content (and […]


Old Dominion, 601 SSNs, Grad Student's Dismal Process

In 2004, a graduate student apparently posted a class roster of 601 students, complete with names and social security numbers, on the web. (“ODU Graduate Student Posts Student Information on Website, School Investigating,” via Netsec.) Update: Lyger of Attrition pointed out that the dates in the WAVY-TV story don’t add up. There’s a story in […]


Second OSX Proof of Concept

Today we got a sample of a rather interesting case, a Mac OS X Bluetooth worm that spreads over Bluetooth. OSX/Inqtana.A is a proof of concept worm for Mac OS X 10.4 (Tiger). It tries to spread from one infected system to others by using Bluetooth OBEX Push vulnerability CAN-2005-1333. Via F-Secure. I feel weird linking […]


Dept of Agriculture, 350,000 Tobacco Farmers, Dismal Process

The Agriculture Department says it accidentally released Social Security numbers and tax IDs for 350,000 tobacco farmers. But the department says those who received the information agreed to destroy copies and return discs to the government. The agency said it inadvertently released the data in response to Freedom of Information Act requests about the tobacco […]


Blue Cross of Florida, 27,000 employee SSNs, Contractor

The names and Social Security numbers of about 27,000 Blue Cross and Blue Shield of Florida current and former employees, vendors and contractors were sent by a contractor to his home computer in violation of company policies, the company said Thursday. The contractor had access to a database of identification badge information and transferred it […]


LEAP.A Mac Trojan

There seems to be a trojan out for the Mac. See New MacOS X trojan/virus alert, developing…. There’s some interesting tidbits: 6a) If your uid = 0 (you’re root), it creates /Library/InputManagers/ , deletes any existing “apphook” bundle in that folder, and copies “apphook” from /tmp to that folder 6b) If your uid != 0 […]


Suffolk County, NY, 7,000+ SSNs, Dismal Process Failures

The Suffolk county [New York] clerk’s office has exposed the Social Security numbers of thousands of homeowners on its Web site, and officials said they don’t have a way to remove them. And soon, a new plan will make it easier to retrieve them. Mortgages and deeds that contain Social Security numbers for an estimated […]


Thank You, Choicepoint

It’s been a year since Choicepoint fumbled their disclosure that Nigerian con man Olatunji Oluwatosin had bought personal information about 160,000 Americans. Bob Sullivan broke the story in “Database giant gives access to fake firms,” and managed to presage much of what’s happened in the opening paragraphs of his story: Last week, the company notified […]


Risk aggregation and the living dead

Light blue touchpaper is a new web log written by researchers in the Security Group at the University of Cambridge Computer Laboratory. You should read it. As for the headline, zombies eat brains. There’s plenty of ’em [edited to add: brains, that is!!] in close proximity in Ross Anderson’s group. ’nuff said.


Emergent Intelligence

John Robb has a fascinating post on how networked organizations learn and improve their orientation as they engage with their worlds. In “Emergent Intelligence,” Robb focuses on the Iraqi insurgency, but draws important and general lessons. He says there are five factors needed for emergent intelligence: A critical mass of participation. I’d suggest that a […]


The 4th Amendment is Nice to Have

Cities can require stores to send customers’ identification to an electronic database for police to monitor, judges in two [Canadian] provinces have ruled this week. Cash Converters Canada Inc. and British Columbia’s largest pawn shop have each failed to persuade judges that a new generation of city bylaws is trampling customers’ legal rights. From “Courts […]


Free advice for merchants accepting payment cards

3. Protect Stored Data 3.1 Keep cardholder information storage to a minimum. Develop a data retention and disposal policy. Limit your storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy. 3.2 Do not store sensitive authentication data subsequent to authorization (not […]


Here's a name: Wal-Mart

Via lyger of the Dataloss mailing list, I learned of an article claiming that Wal-Mart may be the big-box retailer involved in several high-profile card reissues stemming from a breach which led to an international series of card frauds. In what appears to be a widening incident, Bank of America, MasterCard and Visa all announced […]


The Wallet Game

At lunch after Shmoocon, Nick Mathewson said he’d like to pay something between zero and the amount of money in his wallet. I think this suggests a fascinating game, which is that Alice asks Bob for some amount of money. If Bob has that much money in his wallet, he pays. Otherwise, Alice pays him […]


SarBox and Breaches

Earlier today Chris wrote (“Naming names isn’t always bad“): A quick aside to optionsScalper, since you mentioned a firm’s duty to shareholders: when it comes to thinking about breach notices, I think about the efficient markets hypothesis, and whether investors might rationally think that failure to protect data might impact future profitability. Bugger efficient markets! […]


Crispier Breach Disclosure (Cooks Illustrated, unknown # CCs)

A good breach disclosure fills you up with what happened, how, and what the company is doing for you. But too often, such notices are soggy and imprecise. Want more precision in the recipe? Beefier response? Cooks Illustrated set out to see what could be done, in “What Happened To Your Website.” Unfortunately, the disclosure […]


Naming names isn't always bad

In a comment to an earlier blog entry concerning a ‘he who must not be named’ policy for card processors and others who get breached, optionsScalper asks “given Adam’s recent series on “Disclosure” (at least five posts back to the BofA post on 1/21/2006), how do you (or Adam) assess the disclosure in this […]


Hasta La Vista Secure Flight

As mentioned on Freedom To Tinker and by Lauren Gelman, at the Center for Internet and Society, the TSA has mothballed its plans to deploy Secure Flight. Though the TSA will surely come up with something else, this is definitely a step in the right direction.


On Treatment of Prisoners and the Face of Evil

Establishing villainy is hard work. Too little, and your villains seem pathetic. Too much, and they’re over the top. Even drawing deeply on Joseph Campbell and with the music of John Williams, Lucas still needs actions to show that Darth Vader is the embodiment of evil. What does he choose? The first time we see […]


Selling Your Phone Records

Buried in your wireline and wireless telephone subscriber agreement is a notice concerning “customer proprietary network information” (CPNI). CPNI is your calling records. CPNI shows the phone numbers you called and received and for how long you talked. Privacy Rights Clearing House has a guide to “opting out of CPNI sharing.” This is great, because […]


Ka-Ping Yee on Phishing

In “How to Manage Passwords and Prevent Phishing,” Ping writes: So, right up front, here is the key property of this proposal: using it is more convenient than not using it. This property makes this proposal unique (as far as I am aware). All the other proposals I have seen require the user, on each […]


Brigham and Women's Hospital, 60 Medical Records, Fax Errors

For the past six months, Brigham and Women’s Hospital in Boston has been accidentally faxing the confidential medical records of women who’d recently given birth to a Boston investment bank, regardless of the bank’s repeated attempts to stop them, the Boston Herald reports. (via CSO Online.) (and) The records, called inpatient admission sheets, contain a […]


City of Washington DC, 190,000 SSNs, Willful Ignorance of Federal Law

Although Washington, DC routinely capitalizes on the strictest interpretation of its own traffic laws, the federal city has found itself in violation of a federal law intended to protect drivers from identity theft. Since December it has been illegal to display Social Security numbers on driver’s licenses, yet the District Department of Motor Vehicles continues […]


Blue Cross of North Carolina, 629 SSNs, "Human Error"

A “human error” at Blue Cross and Blue Shield of North Carolina allowed the Social Security numbers of more than 600 members to be printed on the mailing labels of envelopes sent to them with information about a new insurance plan. (“Computerworld“)


That's gotta sting

This administration reacts to anyone who questions this illegal program by saying that those of us who demand the truth and stand up for our rights and freedoms somehow have a pre-9/11 world view. In fact, the President has a pre-1776 world view. Our government has three branches, not one. And no one, not even […]


Is That Legal?

In comments on Chris’s post “Nations Bank, 100,000 credit cards, breach at unnamed(!) processor,” OptionsScalper asks: It is amazing that the unnamed processor remains unnamed (or do I misunderstand?). I think the risk to customers at this bank has not been reduced, i.e. card replacement is ineffective. How does one even go about measuring whether […]


Nations Regions Bank, 100,000 credit cards, breach at unnamed(!) processor

From Regions Bank is canceling the credit cards of 100,000 of its customers in 15 states — including Indiana — saying a separate company put their credit information at risk. Regions said the security breach involves a company that processes credit and debit cards nationwide. The bank, which says it was not responsible for […]


It Depends What The Meaning of "Credit Report" Is

Bob Sullivan has a must-read article “Her ATM card, but her impostor’s picture” about a woman whose SSN is being used by someone else: For years, Margaret Harrison believed she had an impostor. There were signs her Social Security number was living a double life. Four years ago, an unemployment office in West Virginia almost […]


Tools and Secure Code

Mike Howard (and company) have a great post about why “Code Scanning Tools Do Not Make Software Secure:” Such tools, often called static analysis tools, such as the tools we have included in Visual Studio 2005, are very useful, but they are no replacement for human intellect. If a developer does not know how to […]


New OpenSSH, with nifty feature

OpenSSH 4.3 is out. It has one new feature: Add support for tunneling arbitrary network packets over a connection between an OpenSSH client and server via tun(4) virtual network interfaces. This allows the use of OpenSSH (4.3+) to create a true VPN between the client and server providing real network connectivity at layer 2 or […]


Disclosure Laws, Redux

In responding to Lyal Collins’ comment on my “Disclosure Laws” post, I went and read the Rhode Island Identity Theft Protection Act of 2005 (H6191). A couple of things occurred to me. First, the National Conference of State Legislatures has a great list of Security Breach Legislation. Second, and perhaps more important, I don’t see […]


Disclosure Laws

In an article (“Credit card numbers reported stolen from R.I. state Web site“) about the Rhode Island breach, I found the following quotes: The breach on Dec. 28 was detected during a routine security audit and reported to the state government the following day, Loring said. At the time, the company believed only eight credit […]


Responding to Terror

Once I was loose on the streets of the city, I continued to be impressed with what I saw. Spain is definitely no stranger to terrorism. They suffered the Madrid bombings just over 18 months ago and have been living with the current form of the ongoing sometimes-violent Basque Separatist movement since 1968. Somehow, though, […]


An unethical strategy?

Voting is a means of aggregating individual preferences in order to obtain a collective choice from a set of potential outcomes. Arrow notwithstanding, various voting schemes are often used for very important decisions. Voting is also used to select the winner of the Guy Toph Award, in Hillsborough County, Florida. In this case, the voters […]


Sports Authority in another Point-of-Sale data retention SNAFU?

I posted this to the Dataloss list earlier today. Sports Authority Inc. confirmed this week that it recently launched an investigation into its information system after four international banks alerted it to a potential intrusion into its network in December. With help from the Secret Service and Cybertrust Inc., the sporting goods company determined that […]


The Art of Shmoozing

Guy Kawasaki has a great post up on “The Art of Schmoozing.” It’s full of great advice. So read it, and let me know, what can we do to make this blog more useful to you?


Swire on Disclosure, Redux

Following on Chris’s post on disclosure, I’ve been meaning to mention Peter Swire’s “A Theory of Disclosure for Security and Competitive Reasons: Open Source, Proprietary Software, and Government Agencies:” A previous article proposed a model for when disclosure helps or hurts security, and provided reasons why computer security is often different in this respect than […]


The following is not to be construed as legal advice. Or anything else.

The acronym “IANAL” is no doubt familiar to anyone reading these words. Well, I Am Not A Lawyer, but Paul Rianda is, and he wrote an interesting article for Transaction World’s September 2005 issue, that I happened to run across. In it, Mr. Rianda, esq., discusses his view of why the breaches we are all […]


Without Surveillance, We'd Have Anarchy In The Streets

The New York Times reports that “Police Officers Sue Over Police Surveillance of Their Protests.” Previously in the New York Police Department department, we offered a look back at the “The New York City Police Riots,” which, if you think about it, indicates that New York City Police, unlike most of the unarmed demonstrators in […]


Redaction Is Harder Than Public Speaking

Did you ever have one of those days where you had a great, totally unfair pot shot to sling at Microsoft, and events just overtake your plans? It started out when I watched the videos of “Blue Hat 2005 – Security Researchers come to MS, Part I.” Now, I have some insight into the training […]


Dataloss Mail List

In what has become a near weekly occurrence, large companies are collecting your personal information (sometimes without your knowledge or consent), and subsequently letting it fall into the hands of the bad guys. This is your personal information; name, address, social security number, credit card number, bank account numbers, and more. Data Loss is a […]


University of Colorado at Colorado Springs, 2500 employees, SSNs, "virus"

Looks like a worm hit a personnel department PC. From the Colorado Springs Gazette: Personal information on about 2,500 current and former employees at the University of Colorado at Colorado Springs has been compromised by someone who hacked into a computer and infected it with a virus. Names, Social Security numbers, birth dates and addresses […]


Breach disclosure insurance

A common argument used against state-level breach notification laws, and in favor of federal legislation overriding state laws, is that existence of these numerous state laws with their differing requirements and conditions raises the cost of compliance unacceptably. Just to be prepared to comply with potentially fifty distinct notification regimes, a firm would need to […]


Somebody's Watching Me

Don’t miss the awesome video of Somebody’s Watching Me from Progress Now Action. (Dear Sama: Thanks!)


"Contrasts in presentation style"

“Contrasts in presentation style: Yoda vs. Darth Vader” is brilliant! How can I not love a mash-up of what you do and Star Wars?


TSA Records

Back in August, (“Demand Your records“) I mentioned the effort to request, under the Freedom of Information Act, records relating to the TSA’s illegal data grab on Americans. In December, I got a response, and share a redacted copy here. All redactions are mine. (The whole process of redaction is remarkably difficult, but that’s a […]


Workshop on the Economics of Securing the Information Infrastructure

Workshop on the Economics of Securing the Information Infrastructure October 23-24, 2006 Arlington, VA Submissions Due: August 6, 2006 (11:59PM PST) Has just been announced. There’s a great topics list, and a great list for the program committee. It should be quite the workshop.


New Passports More Secure than Wet Paper Bags (Barely)

Remember the US Government plan to put a radio chip in your passport? The one whose security has never been seriously studied, whose justification seemed to boil down to a hope that it would speed processing, but even that was wrong? The one whose security gets worse every time anyone competent looks at it? Well, […]


On Disclosure

In comments on “Bank of America Customers Under Attack,” Options Scalper writes: I’m uncertain of the “mandatory disclosure” that you discuss here. If by this you mean of data lost in transactions similar to what you mention above, I agree. But if you mean data from the call center to determine the level of theft/fraud […]


Musings on The Future of the State

I love the little corners of the law that are ancient rights and privileges. They illustrate ways in which our institutions have evolved, and from where they came, we can learn much about where they may go. That’s why I was delighted to read “Russian-Israeli who Left Newfoundland and Labrador Church Sanctuary Is Deported.” Church […]


Newspeak Alert

Dear San Jose Mercury News, In re your article, “Date set for hearing on Google data-sharing.” It’s not sharing when you’re holding a court hearing. It’s a demand. I share my toys with my friends. The man with a gun demanded my wallet. Please make a note of it. PS: If you didn’t promulgate the […]


Langley, British Columbia, Canada, 1,000 medical records, courier firm

There are calls for tougher guidelines in the handling of private information after 1,000 medical files went missing when a courier car was stolen in Langley on Thursday. The courier company says the driver left the car running for less than a minute. When the car was stolen, so was a box of health records […]


State of Rhode Island, 4,118 or 53,000 CC, Hacker

Thousands of credit card numbers were stolen from a state government Web site that allows residents to register their cars and buy state permits, authorities said Friday. The private company that runs said that 4,118 credit card numbers had probably been taken, a state official said. All online transactions were suspended Friday until any […]


Octopus vs. Submarine

Rare video footage shows a giant octopus attacking a small submarine off the west coast of Vancouver Island. Salmon researchers working on the Brooks Peninsula were shocked last November when an octopus attacked their expensive and sensitive equipment. The giant Pacific octopus weighs about 45 kilograms, powerful enough to damage Mike Wood’s remote-controlled submarine. From […]


Providence Home Services, 365,000 medical records, Car Thief

About 365,000 hospice and home health care patients in Oregon and Washington are being notified about the theft of computer backup data disks and tapes late last month that included personal information and confidential medical records…In an announcement yesterday, Providence Home Services, a division of Seattle-based Providence Health Systems, said the records and other data […]


Providence Home Services, 365,000 people, health records, theft from employee vehicle

From Computerworld (via Slashdot) we learn that a home health care business deliberately sent patient info home with an employee as part of their disaster recovery plan. I’m serious. Now, unless this guy lives under Cheyenne Mountain, I’m saying that’s a dumb plan. Anyhoo, some of the information was encrypted, but much of it was […]


Choicepoint to Pay $15M Fine

Atlanta-based data aggregator ChoicePoint today agreed to pay $15 million to settle charges that it violated federal consumer protection laws when it allowed criminals to purchase sensitive financial and personal data on at least 163,000 Americans. The settlement addresses a pair of lawsuits filed against ChoicePoint by the Federal Trade Commission and represents the largest […]


Ameriprise, 230,000 SSNs, Stolen Laptop

On Wednesday, Ameriprise Financial, an investment advisor firm, said that a company laptop stolen from an employee’s parked car in December contained the personal information of some 230,000 customers and company advisors, The New York Times reports. The sensitive information contained in the laptop included the names and Social Security numbers of roughly 70,000 current […]


Introducing Debix

I’m at Black Hat Federal this week, helping introduce Debix. Of all the systems that I’ve heard about to combat identity theft, Debix’s stands far above the crowd, which is why I’ve joined their advisory board: In the physical world, we have the ability to place locks on everything from cars to safety deposit boxes […]


UDel breach twofer

The University of Delaware “UDaily” reports on two breaches: [A] computer in the School of Urban Affairs and Public Policy was attacked sometime between Nov. 22-26 by an unknown hacker, and it contained a portion of a database that included Social Security numbers for 159 graduate students. […] A back-up hard drive was stolen from […]


From the Do As We Say Dept.

Everyone knows that the Motion Picture Association of America is very much against unauthorized copying of movies. Then why is the MPAA admitting that it copied a movie, when it was specifically told not to by the copyright owner. The movie in question is Kirby Dick’s This Film Is Not Yet Rated. According to the […]


Various Oregon credit unions, debit cards, organized fraud ring?

This one seems to have slipped below the radar. From the January 25 Corvallis, Oregon Gazette-Times: Fair Isaac Corp., a Minnesota-based data security provider, late last week alerted the OSU Federal Credit Union, Citizens Bank, Benton County Schools Credit Union and Central Willamette Community Credit Union that customer debit cards bearing the Visa imprint may […]


NSA Wiretaps: General Hayden Speaks

In “Hayden Delivers Impassioned Defense of NSA,” Powerline excerpts Hayden’s Speech to the National Press Club (PDF). One section that jumped out at me was: GEN. HAYDEN: You know, we’ve had this question asked several times. Public discussion of how we determine al Qaeda intentions, I just — I can’t see how that can do […]


Two On Vulnerability Disclosure

Ed Moyle has a very good post, “Inside Oracle’s Patch Kimono,” in which he compares Oracle’s process for working with vulnerability researchers with that of Microsoft. I’d like to add two really small bits: First, I’d have compared to the (MS-dominated) Organization for Internet Safety, and second, all of these put insufficient value on secondary […]


Notre Dame, SSNs+CC#s+Check Images,hacker

Not much detail on this one, but it looks like a box used for fundraising purposes got 0wned. The intrusion was detected by “security software” on January 13, but the intrusion itself is said to have occurred between November 22 and January 12. [I guess they run Tripwire monthly ;^)]. Information potentially obtained by the […]


Lockpick Business Card

A hacker, entrepreneur, and all around mischief maker, Melvin wanted something he could give to peers and prospective clients that spoke of this nature. Talk about a card that opens doors! Via Boingboing.


Investing in Identity Theft: The Job Fair

For Aisha Shahid and dozens of others who went to an advertised job fair in Chattanooga and got offers of nightclub work in Atlanta, Memphis and Miami, the “dream jobs” turned out to be an identity theft scam. A man who identified himself as record company and music group president William Devon took applications and […]


University of Kansas, 9,200 SSNs, IT Department

[Update: Fixed headline, thanks to anonymous.] Students who applied via the online application put out by the Department of Student Housing were alerted through either an e-mail or a letter that their private information might have been exposed. According to a University Relations news release, a computer file with names, addresses, birth dates, phone […]


CodeCon 2006

The program for CodeCon 2006 has been announced. CodeCon is the premier showcase of innovative software projects. It is a workshop for developers of real-world applications with working code and active development projects. All presentations will be given by one of the lead developers, and accompanied by a functional demo. Early registration ends Jan 31.


The Trouble With Illicit

[Update: I meant to tie this more closely to “Illicit” book review, because I think this illustrates those hard choices.] There’s some fascinating competing legal goals on display in the Washington Post story “Area Police Try to Combat a Proliferation of Brothels:” “Sometimes it takes five or six interviews to break these girls [sic], to […]


Bank of America Customers Under Attack

The Seattle Post Intelligencer has a story, “B of A Customers Hit By Thefts,” about cash withdrawals being made overseas: According to customer service representatives at Bank of America, there have been numerous reports of checking account fraud in Seattle, but many more incidents being reported from other states. The increases in fraud reports are generally […]


Pro-User Zealot!

Get the bumper sticker! The background is that a Canadian MP, Sam Bulte, referred to people other than her film and music business corporate backers as “pro-user zealots” at an all candidates meeting. (Michael Geist has a good summary in “The Bulte Video,” Boingboing has covered it extensively, and Technorati can help you find lots […]


Happy Birthday, CVE!

The sixth presentation was based on a paper titled “Towards a Common Enumeration of Vulnerabilities” by David E. Mann and Steven M. Christey from the MITRE Corporation. This presentation also generated considerable interest from the audience. They tackled the problem of dealing with several heterogeneous vulnerability databases and presented the Common Vulnerability Enumeration (CVE) mechanism […]


What Software Do I Like?

In a comment on “Software Usability Thoughts: Some Advice For Movable Type,” Beau Smith asks “What Mac software do you like?” That’s a tough question for three reasons: First, there’s enough decent software (consistent, attractive, discoverable) that the bad stuff can generally be avoided. Secondly, I’d like to choose examples which are either free or […]


UK various breaches

Department of Work and Pensions, 8,800 identities Her Majesty’s Revenue and Customs (HMRC) was forced to close down the tax credits website at the start of December last year, after a spate of fraudulent claims came to light which exploited the stolen identities of Department for Work and Pensions staff. Network Rail, 4,000 identities Primarolo […]


Do no evil

As readers of this blog probably are already aware, Google has been subpoenaed. The United States government is demanding, in part, that they provide a list of all URLs they index. This is something I’d expect them, or any other search firm, to want to keep secret. Imagine my surprise when I read this in […]


Reacting to Web Pages

Researchers led by Dr. Gitte Lindgaard at Carleton University in Ontario wanted to find out how fast people formed first impressions. They tested users by flashing web pages for 500 msec and 50 msec onto the screen, and had participants rate the pages on various scales. The results at both time intervals were consistent between […]


More on "A Ping" Privacy Invasion

Before I’d had much in the way of coffee, I thought that the “Firefox Ping URLs” might offer a way to scan the web for sites to avoid. It would be simple. For each site mentioned in a ping URL, add it to a blacklist. The trouble with this is that the same set of […]


Firefox Ping URLs

It’s all over the internet that Mozilla has added a “ping” attribute to URLs: I’ve been meaning to blog about a new web platform feature that we’ve added to trunk builds of Firefox. It is now possible to define a ping attribute on anchor and area tags. When a user follows a link via one […]


Known unknowns?

Oracle has just released fixes for 82 vulnerabilities. After taking several paragraphs to say “Many experts external to Oracle feel that patches for critical vulnerabilities are too slow in coming from the esteemed database giant, and have criticized the company for its slowness in responding to reports originating with outsiders”, Brian Krebs notes that security […]


BSD Kernel Stack Overflow

An integer overflow in the handling of corrupt IEEE 802.11 beacon or probe response frames when scanning for existing wireless networks can result in the frame overflowing a buffer. From the FreeBSD Advisory. Researcher advisory is at No word yet on if Macs are vulnerable. I think Richard at TaoSecurity sums it up well: […]


Brokerage account zero liability

E*Trade is implementing a program under which it will reimburse on-line fraud victims for their losses, according to a New York Times report This is an interesting step. Now the question is whether investors who prefer to use their pet’s name as a password will shift their accounts to E*Trade :^)


On the NSA Wiretaps

One of the noteworthy aspects to the ‘NSA Wiretap’ revelations is how it has galvanized a broad swath of people, far beyond the “usual suspects” to state that the program was a mistake, and we need to function within the rule of law. For example, Suzanne Spaulding, former assistant general counsel at the CIA: Before […]


Dear Recruiter

Hi, My name is () and I am a recruiter for (). I came across your name on an internet search and wanted to tell you about our opportunities available within our NYC and Houston locations. (), a key component of the firm’s () practice, provides the building blocks for a secure and protected business […]


Roll Clouds

These rare long clouds may form near advancing cold fronts. In particular, a downdraft from an advancing storm front can cause moist warm air to rise, cool below its dew point, and so form a cloud. When this happens uniformly along an extended front, a roll cloud may form. Image and text from “Astronomy Picture […]


Russell Tice and NSA Wiretaps

Democracy Now has a radio interview, downloadable in several formats, and a transcript at “National Security Agency Whistleblower Warns Domestic Spying Program Is Sign the U.S. is Decaying Into a “Police State.” Reason’s Julian Sanchez has an interview “Inside The Puzzle Palace:” REASON: You’re referring to what James Risen calls “The Program,” the NSA wiretaps […]


The Remittor and the Money Launderer

Ethan Zuckerman has a great post about the practicalities of international workers sending money ‘home,’ “Remittance – the big business of sending money home:” It’s difficult to overstate the importance of remittance income to most African nations and many developing nations. Nworah cites a figure of $300 billion dollars sent from diasporas to developing nations […]


Hotel Room Keys

For example, last fall, an IT director at a travel club in Wyomissing, Pa., told Computerworld that he had found personal information on magnetic hotel key cards when visiting three major hotel chains. The IT professional said he read the cards using a commonly available ISO-standard swipe-card reader that plugs into any USB port. At […]


Liberty Breeds Security

Another method, says Princeton University economist Alan B. Krueger, is to increase the civil liberties of the countries that breed terrorist groups. In an analysis of State Department data on terrorism, Krueger discovered that “countries like Saudi Arabia and Bahrain, which have spawned relatively many terrorists, are economically well off yet lacking in civil liberties. […]


Illinois Department of Human Services, client names and SSNs, misconfigured voicemail

“To leave a message, press ‘1234’ and listen to confidential client voicemail containing SSNs and other identifying information”. The compromised information dated back to mid-November 2005. Additional details at the Belleville News-Democrat, which notes that this is a repeat offender — the same office left unshredded confidential documents in a trash bin until the paper […]


Real ID Even More Expensive Than Predicted

Bruce Schneier links to an AP article about the hideous costs of the RealID Act. Early estimates were for $120 million, current estimates are for $300 million for the first year alone, and that’s just for three states, Pennsylvania, Virginia and Washington state. So we can safely say that nationally we’re looking at billions of […]


Quicktime WMF like Vulns on OSX and Windows

The folks at eEye and Fortinet have identified a variety of image based heap overflows that allow for arbitrary code execution on both OSX and on Windows. Also an article on claims that the patch initially caused some issues for some users on both platforms, that have been addressed now. Seems that poor implementation […]


Steve Jobs and Presentations

Public speaking is an art, but like every art it depends not only on innate talent, but also on mastery of a set of technical skills which empower the artist to share their vision with an audience in a compelling way. Presentations by Steve Jobs are unique, not within the computer industry, but across business. […]


More Victims of Money Laundering Regulations

In a comment on “Atlantis Resort (Bahamas) 50,000, Hacker,” Ian Grigg explains that the reason Bahamas Casinos collected 55,000 SSNs is that the various and sundry “anti-money laundering” regulations force them to, or be labeled “naughty.” Err, ‘non-compliant.’ How’s that for NewSpeak? There’s a pretty large steamroller behind such rules and regulations, and the push […]


People's Bank of Connecticut, 90,000 SSNs, UPS & TransUnion

A computer tape from a Connecticut bank containing personal data on 90,000 customers was lost in transit recently, the bank reported today. People’s Bank, based in Bridgeport, Connecticut, is sending letters to the affected customers, it said in a statement. The tape contains information such as names, addresses, Social Security numbers and checking account numbers. […]


Friendster this ain't!

When you’re facing hard time, and the chips are down, you need to hunker down and dig up all the dirt you can on the stool pigeon who fingered you. That’s where comes in: Who’s A Rat is a database driven website designed to assist attorneys and criminal defendants with few resources. The purpose […]



At the Windows Mobile team blog, Mike Calligaro releases a bunch of cool freeware, including a simple Bluetooth toggler. This will make demo’ing the Smurf Bluetooth logger sooo much easier. Thanks Mike!


Bug Scrubs and Learning From Mistakes

There’s a story at CNet, “Microsoft to hunt for new species of Windows bug:” Microsoft plans to scour its code to look for flaws similar to a recent serious Windows bug and to update its development practices to prevent similar problems in future products. Now, it’s easy to kick Microsoft for not having perfect code, […]


Adam's Email Troubles

This morning I got two different emails saying something like “I need an answer to that question.” Trouble is, I hadn’t seen the original emails. If you’ve sent me email lately, and not heard back, please resend it. I’m trying to respond to every email within 24 hours so I can get a clean inbox. […]


Atlantis Resort (Bahamas) 50,000, Hacker

Customers of the Atlantis resort in the Bahamas have reason to worry this week, as over 50,000 identities have been taken from the hotel’s database. The information was revealed in a document submitted to the Bahamas Securities and Exchange Commission. The information includes typical information such as names, addresses and credit card details, but also […]


Winnebago County (IL), Several SSNs, Winnebago County Clerk

ROCKFORD, Ill. – The Winnebago County Clerk is apologizing for releasing a list of election officials that included Social Security numbers. County Clerk Dave Johnson said an employee forgot to blacken out the numbers before giving the list of Democratic election judges to county clerk candidate Jeff Polsean. The Illinois Freedom of Information Act exempts […]


Brain fingerprint clears prisoner

Wow. An innocent man has been freed based upon his “brain fingerprint”. This happened over a year ago, but hey, I’ve been busy. The murder conviction of an Iowa man was overturned last year by that state’s highest court on the basis of a new technique called “brain fingerprinting”. Terry Harrington had served more than […]


SubDomain GPL'd

AppArmor, the security tool formerly known as SubDomain, has been released under the GPL by Novell. See the Apparmor FAQ or the CNET story, “Novell delivers security shield for Linux computers.” If you need another layer of resilience for your Linux systems, take a look.


Device ID and Privacy

Unique, hardcoded device IDs are bad for privacy. We hate them. Our friends hate them. So it’s nice to see that Microsoft is making it harder to get to them: GetDeviceUniqueID attempts to address these issues and to reduce applications dependency on the precious device id. Firstly GetDeviceUniqueID can be called from the trusted or […]


RFID Zapper

I’ve been mulling over John Robb’s description of the (very cool) RFID zapper the Chaos Computer Club demoed at their conference. He calls them “the German branch (privacy activists) of the global guerrilla innovation network.” He also states that “In order to correctly route and track items from inception to purchase, these chips are attached […]


Anonymous Blogging Wiki!

The Blog Safer Wiki was announced by the Spirit of America’s Anonymous Blogging project. There’s a lot of technology know how, and a lot of cultural issues that go into this, and Curt is doing a great job at bringing the technical knowledge to those who need it, and helping them help each other: Spirit […]


Google's Video "Store"

Justin Mason has some thoughts in “Google DRM and WON Authentication:” That’s interesting. In my opinion, given that quote, I’ll bet Google’s DRM is something similar to the copy-protection systems used for many games since about id’s Quake 3 and Valve’s Half-Life; an online “key server” which validates codes, tracks player IDs, and who’s viewing […]


"High Assurance" Certificates

Following up on previous posts on the concept of high assurance certificates (“Web Certificate Economics“), I’d like to draw attention to a CSOOnline blog post, “Phishers Now Targetting SSL:” The spoofing has taken a number of forms, which appear to be becoming highly sophisticated. They vary from exploiting browser flaws, to hacking legitimate sites or […]


Mobile Phones, Modernity, and Stress

The study, which followed more than 1,300 adults over 2 years, found that those who consistently used a mobile phone or pager throughout the study period were more likely to report negative “spillover” between work and home life — and, in turn, less satisfaction with their family life. From “Cell phones tied to family tension,” […]


On Grammar

I have friends who believe that grammar is handed down from on high, either by Safire, or Strunk and White, or some are strange adherents of something they call ‘Chicago.’ One of them even argues that the rules of grammar are not subject to evolution. Which is odd, given that we’re speaking really bad French, […]



I realized today that Chris Hoofnagle’s blog at EPIC West wasn’t on my blogroll. He’s had lots of important posts up lately, from the informational (“CA OPP: 13 New Privacy Laws in Effect“) to the amusingly disgusting (“Pretexting Isn’t Lying, According to“) California’s Office of Privacy Protection just released an announcement that 13 […]


How to Blog for Your Company

Here at SiteAdvisor, we strongly believe in the importance of this feature. But we admit that so far we’ve done a mediocre job explaining our motivation and our initial implementation. So writes Chris Dixon in “The Role of Affiliates in Spyware, Adware, and Spam.” Chris is using the Siteadvisor blog as an extended discussion of […]


Beautiful Evidence, by Edward Tufte

After 9 years, I have completed Beautiful Evidence, except for the index and a few loose ends. We are currently proofing some difficult images on press, negotiating with printers, planning the order for paper and binding, and working through other production issues. Probably the major threats to breaking the schedule will be in color-correcting images […]


Privacy Competition in Politics

Two leading governor candidates are trying to outdo each other in protecting Minnesotans’ privacy…The candidates’ dueling news conferences produced more politics than policy, with each charging the other with not doing enough to protect citizens’ privacy. From “Governor is seeking privacy law changes.” I don’t like some of the proposals. It seems to me that […]


Brilliant Evil Redux

Following up with further conspiracy theory on Adam’s post, I also have to wonder just how accidental it was that a properly cryptographically signed version of the patch for WinXP was “posted to a community site” yesterday. Given the pressure to quickly produce a patch combined with the one produced by Ilfak Guilfanov, it wouldn’t […]


WMF Patch Timing: Brilliantly Evil?

If you’ve followed the “WMF Vulnerability” that’s been all over the security blogosphere, with leaks into the mainstream media, then you know that today Microsoft released a patch. (If you don’t know this, please just go run Windows update.) I haven’t talked about it because I haven’t had much to add, but today’s release of […]


Microsoft, China, and Cultural Imperialism

Rebecca MacKinnon has a post on Microsoft’s removal of a blog, run by Michael Anti from their MSN Spaces blog site. (“Why Microsoft censorship in China matters to everybody.”) I’m finding the justifications and responses (both official and unofficial) to be fascinating and ultimately confusing. Matt Marshall at SiliconBeat has “Microsoft and Bokee mired in […]


Two Quick Notes

I’d like to remind everyone that Emergent Chaos now has three people posting, not just Adam. I see comments and links that assume I’m writing everything here, which is a little demeaning to Chris and Arthur. Also, I’d like to remind people that I maintain bookmarks of things I find interesting, but don’t have […]


The Machinery of Repression

The New York Times reports on the completion of the first phase of the treat-visitors-like-criminals US-Visit system. The article is informative, and tells us: The fingerprint check at the borders has turned up just 970 hits of visa violators or criminal suspects. The total rises to about 15,000 with inclusion of the cases identified overseas […]


Thoughts on Farris Hassan, the 'Iraq Teenager'

If you haven’t read about Farris Hassan and his trip, take a minute to do so. He flew to Iraq to learn what was going on. I’d like to start by congratulating the teachers at Pine Crest School. How often, today, are teachers so inspiring? The goal of school should be to develop both a […]


Security Stickers

Today I received a great ad for a newish security company, Devicewall. They are yet another company providing a solution for prevention of intellectual property theft. They sent me a stack of humorous stickers saying things like: “This Computer is Protected by BRSD Technology. Big Red Sticker of Doom technology leverages our natural fear of […]



Illicit, by Moisés Naím, is a tragic book. It is considered, insightful, wide-ranging, deep, and so close to amazing. Had Naím gone just a little further, it could have been brilliant, and the tragedy is that he didn’t. Perhaps I should back up, and explain. Naím is the editor of Foreign Policy. He has written […]


H&R Block, Unknown # of SSNs, Mailing Labels

Stories like this one make me scratch my head and wonder, what is a breach? What should this category cover? Why do I blog these things? Why are we here? Why are you here? And what are those clowns doing over there? However, since we sent you this CD, we have become aware of a […]


University of San Diego, 7800 people, W-2 information, "hackers"

One that I missed. The executive summary is that somebody, somehow, got into the machine that prints W-2s for the university. The University sent out an undated disclosure letter which was very sparsely detailed — “one of the worst” seen by Beth Givens of, who’s seen plenty of ’em. Story is at the San […]


Iowa State (again!), 3000 SSNs+2500 encrypted CC#s, "hacker"

The Des Moines Register reports on a December, 2005 breach at Iowa State: [3,000 ISU employees’] personal data might have been viewed by hackers who infiltrated two computers earlier this month. One held about 2,500 encrypted credit card numbers of athletic department donors. The second computer contained Social Security numbers for more than 3,000 ISU […]


Identity Theft Poster Girl

..may just have been found! The Associated Press reports that Fashion model Beverly Peele was arrested on identity theft charges for allegedly buying around $10,000 worth of housewares, appliances and furniture by using credit card numbers without permission, authorities said Friday. […] The complaint filed against the 30-year-old alleges she charged furniture, a refrigerator, a […]


Slipping through the analog hole

I have a number of LPs which gradually I am ripping to disc, using The Analogue Ripper (which is adequate but I’m not raving). At the moment, I’m recording an old blues album I haven’t listened to in probably ten years. Naturally, then, I thought of “The UPS Song“, which you can even listen to. […]

