Shostack + Friends Blog Archive



Australia dumps National ID

Opponents of Australia’s controversial Access Card received an early Christmas present earlier this month when the incoming Rudd Labor Government finally axed the controversial ID program. Had it been implemented, the Access Card program would have required Australians to present the smart card anytime they dealt with certain federal departments, including Medicare, Centrelink, the Child […]


"Security Vulnerability Research & Defense"

My co-workers in SWI have a new blog up, “Security Vulnerability Research & Defense.” They’re planning to…well, I’ll let them speak for themselves: …share more in-depth technical information about vulnerabilities serviced by MSRC security updates and ways you can protect your organization from security vulnerabilities… The two posts below are examples of the type of […]


Emergent Privacy Reporting

On December 19th, Denebola, the student run newspaper of Newton South High School, broke the news that video cameras had been secretly installed in their school. Not only were students and parents not notified of the cameras but apparently neither were any of the teachers. From the student article: According to Salzer, only he, Superintendent […]


Aaron Burr and Compulsory Key Disclosure

Orin Kerr has a fascinating tidbit at Volokh, “Encryption, the Fifth Amendment, and Aaron Burr:” Following my posts last week on encryption and the Fifth Amendment, a few readers asked about how courts have dealt with such issues before. As far as I know, there is only one other judicial decision specifically addressing the Fifth […]


Merry Christmas, Dr. Hansen!

A surgeon who allegedly took a photo of a patient’s penis during an operation at a US hospital is no longer working there, it has been announced. Dr Adam Hansen, of Arizona’s Mayo Clinic Hospital, is accused of taking the snap while conducting gallbladder surgery earlier in December. (BBC, “US ‘penis photo doctor’ loses job.”) […]


Evan Schuman: TJX gets the BB gun

Not much naughtier than other retailers: I’d say yes to coal for most of the major retailers for dropping the ball on security. Bigger chunks of coal need to go to state legislators and the U.S. House and Senate for failing to pass any laws protecting consumer data (although Minnesota got quite close). But to […]


Anarchy in the UK

“Anger as NHS patient records lost” “Patient data loss affects 168,000” “Post Office sends wrong details” “Discs ‘worth £1.5bn’ to criminals” “£20,000 reward offered for discs”* “More firms ‘admit disc failings’” * Readers are invited to comment on the contrast. Thanks to Ant, Cat and Steven Murdoch for links. Image: Teton dam, Wikipedia.


Guinness is Good For You, but don’t tell anyone

A pint of the black stuff a day may work as well as an aspirin to prevent heart clots that raise the risk of heart attacks. Drinking lager does not yield the same benefits, experts from University of Wisconsin told a conference in the US. … The researchers told a meeting of the American Heart […]


"There’s supposed to be a Mars-shattering Ka-boom!"

Here at Emergent Chaos, we’re big fans of large objects hitting other large objects at high speed. Which is why it’s important to tell you that 2007-WD5 is a 50 meter asteroid that’s set to pass within 48,000 kilometers of Mars next month. “We estimate such impacts occur on Mars every thousand years or so,” […]



Check out this amazing video from TED.


Six breach reports in the UK: the floodgates are open

In Dissent’s weekly roundup of breaches, there were six breaches reported for the UK, versus nine in the US. It seems that the duty of care approach is really taking off. Newly reported incidents in the U.K. and Ireland: In Ireland, the Driver and Vehicle Licensing Agency has lost the personal details of 6,000 people. […]


Transparency lessons from the NFL

I think the NFL’s handling of spying by the New England Patriots is poor. Of course, I expect retrograde, authoritarian, clumsy behavior from the NFL, and I haven’t been disappointed in the few decades I’ve been paying attention. The New York Times covered this issue (the spying, not the decades). In their December 16 article, […]


Flower Chaser

My eyes feel better now. Calla Lily macro 3, by Edwin Bartlett.


Hassling the Hoff

I’m way too lazy to take the time in Photoshop to make this look good, so just use your imagination and pretend I put Beaker’s head on this. Y’all should just be grateful that I didn’t use this animated gif instead….


The Words of our (Founding) Fathers

There’s an article in the Washington Post, “In the Course of Human Events, Still Unpublished.” It’s about how the papers of the founding fathers of the United States are still not available except in physical form, and the scholarly practice that keeps them there. Many of the founding fathers’ letters have been transcribed and made […]


Deloitte & Touche, Ponemon Study on Breaches

According to Dark Reading, “Study: Breaches of Personal Data Now Prevalent in Enterprises:” According to a study released yesterday by the Ponemon Institute and Deloitte & Touche, 85 percent of the security or privacy executives surveyed — some 800 individuals — claimed at least one reportable security incident in the past 12 months. Sixty-three percent […]


Clark Kent Ervin on TSA Security

Normally, it’s not news when someone takes aim at TSA policies like this: If you are someone who suspects that what is billed as “aviation security” is often more show than substance, you are not alone. In fact, you are part of what Nixon aides used to call the “silent majority.” The security bureaucracy seems […]


 is not asking "Will Privacy Sell"

There’s a bunch of press around’s marketing of their new privacy service. I applaud them for thinking about this, and for drawing attention to the issue of search privacy. The New York Times had a story, “ Puts a Bet on Privacy” and now Slashdot jumps in with “Will Privacy Sell?” This is the […]


So when's the Chicago gig, gents?

‘Good Times Bad Times’ ‘Ramble On’ ‘Black Dog’ ‘In My Time Of Dying’ (full version) ‘For Your Life’ ‘Trampled Under Foot’ ‘Nobody’s Fault But Mine’ ‘No Quarter’ ‘Since I’ve Been Loving You’ ‘Dazed And Confused’ ‘Stairway To Heaven’ ‘The Song Remains The Same’ ‘Misty Mountain Hop’ ‘Kashmir’ ‘Whole Lotta Love’ ‘Rock And Roll’ Playlist via: […]


Data Thefts Triple This Year?

So says USA Today, in “Theft of personal data more than triples this year.” A few small quibbles: I’d prefer if Byron Acohido had said “reported” thefts. It’s not clear if thefts or reports tripled. I suspect the reports, but proving that would be tough. Both of those things said, it’s a good article, and […]


The Emergent Chaos of the US Presidential Campaign

This New York Times article really is interesting. It’s all about how candidates are losing control of their campaigns, and they’re in a new relationship with emergent phenomena on the internet. Now, as we come to the end of a tumultuous political year, it seems clear that the candidates and their advisers absorbed the wrong lessons […]


Paddington Bear, Illegal Immigrant

In the new book [Paddington] bear, who arrived in the country as a stowaway, is interviewed about his right to stay in England. He has no papers to prove his identity as his Aunt Lucy arranged for him to hide on a ship’s lifeboat from Peru when she went to live in the Home for […]


Stupid Safety Feature Of The Week

I love my Prius. It’s fun to drive, eco-friendly and even has lots of geek appeal. However, it has one incredibly moronic safety feature which I was reminded of while driving through the snow the other day. Now I have the base model, which means I don’t have fancy features like the automatic skid prevention. […]


CA1386 meet AB1298

Life is about to get a lot more complicated for companies that do business in California. I completely missed this getting signed back in October, but on 10/14, the Governator signed AB1298 which updates CA1386 to mandate that medical and health insurance policy information also are to be treated as PII. To say that this […]


Working on the Traveling Band

If you travel a lot, you’re used to dealing with many network difficulties. For a while now, I’ve been traveling with an Airport Express, which has made life a lot easier. I set it up to use DHCP, plug it into the hotel Ethernet, and go. At the very least, it means I can work […]


Thoughts on "Internet Miscreants"

I’ve been thinking about Franklin, Perrig, Paxson, and Savage’s “An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants” for about three weeks now. This is a very good paper. For the infosec empiricist, the dataset itself is noteworthy. It consists of 13 million public IRC messages (that is, in-channel stuff, not […]


Toasting Repeal Day

Today marks the 74th anniversary of the repeal of Prohibition in the United States. For 14 years, Americans were unable to legally have a drink. This led to a dramatic growth in the acceptance of organized crime and violence. Al Capone made his money in the demon rum, and was willing to fight for […]


Gartner the omniscient

This is in reference to the recent HMRC breach… However, [Gartner VP Avivah] Litan warned that the chance of identity theft was actually small, at just 1%. The probability of this estimate being scientifically defensible is 0.00%. I’ll have something to say about learning (for real) from the HMRC breach in a soon-to-come post.


Book on Boyd

Frans Osinga’s book on Boyd, “Science, Strategy and War: The Strategic Theory of John Boyd” has been issued in paperback. Previously, it was $90 for a copy. The new paperback edition is $35.95, and is easily worthwhile at that price. Science, Strategy and War is an academic analysis of John Boyd’s thinking and its […]


This stock is da bomb!

OK. So while researching the stock tout scam noted in another post, I came across a blog which discussed a similar mechanism, but one using text messages. An obvious variant, but the part I absolutely adored was when they linked to this August 31, 2007 article from (emphases added to save your time): An […]


Open Letter to Chris Dodd

Dear Chris: I think you’re a smart person who cares about honesty and the rule of law. I also think your e-mail fundraising campaign is undermining that message by sending what I believe to be deliberately deceptive emails. To be clear, I am not referring to deception in the political message — spinning words, being […]


Biometrics are not a panacea for data loss

Ian Brown writes, “Biometrics are not a panacea for data loss:” “What we must ensure is that identity fraud is avoided, and the way to avoid identity fraud is to say that for passport information we will have the biometric support that is necessary, so that people can feel confident that their identity is protected.” […]


Japanese Breach Disclosure Law

I believe that I follow breach notification pretty closely. So I was surprised to learn that I had missed the passage of a law in Japan. Bird & Bird, Notification of data security breaches explains: In Japan, the Personal Information Protection Act (Law No. 57 of 2003; chapters 1 to 3 effective May 30 2003 […]


There’s got to be an IT secret handshake

I’ve been in the hotel I am in for over a week now. It is a European hotel that has wireless, and you have to get an access card and type a six-character string into an access web page. That authenticates you, and you can go. The problem I have today is that I can […]


Banksy Would Be Proud

In a feat that would make Banksy proud, members of Untergunther, who the Guardian calls “cultural guerrillas”, restored the antique clock at the Panthéon. They spent about a year, beginning in September of 2005, in a hidden workshop, dismantling and rebuilding the entire clockwork which had been abandoned in the 1960s. They were never discovered […]


Is 2,100 breaches of security a lot?

There’s a story in the Yorkshire Post, “2,111 data disasters blamed on disc row bunglers.” At first blush, that’s an awful lot of errors: THE bungling Government department responsible for losing 25 million people’s personal details in the post was hit by more than 2,100 reported breaches of security in the past year alone. And […]


HMRC Data discs on EBay

Quite possibly the funniest infosec joke seen in 2007. Here we have two CD-R’s for auction. They are not blank, but seem to have some sort of database written to them. I found them in my local courier firm’s sorting office, addressed to “Her Majesties Audit Office – Child Benefits Section” and marked “Sensitive HM […]


A quick comment on the UK lapse

Thanks to all the readers who have written to tell me about the HM Revenue and Customs breach in the UK. I’m on vacation at the moment, and haven’t had a chance to read in depth. However, example stories include the BBC’s “Pressure on Darling over records:” Alistair Darling has apologised for the “extremely serious […]


Breach Disclosure of the Zeroeth Millennium

The BBC reports on the whereabouts of the legendary cave where Romulus and Remus, founders of Rome, were nursed by a she-wolf, Lupa, as foundlings. The eight-meter-high cave was found buried sixteen meters under a previously-unexplored area of Palatine hill in Rome. Although their home address has been made public, it is unclear if the […]


Vulnerability Disclosure Agents Part N

Recently Dave G of Matasano (and smoked salt) fame wrote two interesting articles on Vulnerability Disclosure Markets. In the second one, he reposted a user’s comment: Based on the failing (due to agenda) of (particular) Researchers, Coordinators (i.e. FIRST Members) and Vendors – Which “trusted person or organization” is left “that can represent vulnerability researchers whose […]


The costs of liability

It’s become common for people thinking about security economics to call for liability around security failures. The idea is that software creators who ship insecure products could be held liable, because they’re well positioned to address the problems. I don’t think this is a trouble-free idea. There are lots of complexities. As one example, […]


Why can't the CIA hire guys like this?

The Telegraph is concerned that The most senior British intelligence official, appointed yesterday to oversee MI5, MI6 and GCHQ, has a website revealing his home address, phone numbers and private photographs of himself, family and friends. The upshot seems to be that the gent in question, Alex Allan, lacks the circumspection one would demand […]


Controlling Water

In Controlling Water, Dana writes: …Alex Stupak, […] dropped this bombshell in my ear with the casual effect of a little bird chirping their daily song. With no prompt, he said simply, “You know, it’s really just about controlling water,” and walked away. This simple phrase had the power of a plot changing hollywood one […]


Bye-Bye Pay By Touch!

I’ve always been concerned about biometric systems for payment. I don’t want my fingerprint to be able to access my bank account: I leave fingerprints all over the place. I’m glad to see that biometrics pioneer Pay-By-Touch is shifting focus: Pay By Touch, which has made a major push in POS biometric payments, is backing […]


How to Blog a Talk

Blogging about your own presentations is tough. Some people post their slides, but slides are not essays, and often make little sense without the speaker. I really like what Chris Hoff did in his blog post, “Security and Disruptive Innovation Part I: The Setup.” I did something similar after “Security Breaches Are Good for You: […]


Wednesday Privacy Roundup

Privacy in the EU has been hugely in the news in the last week. Check these out: European Union justice ministers Friday agreed on a minimum set of rules protecting the cross-border exchange of personal data by law-enforcement agencies in the 27 member states. There were lots of other proposals discussed, including ones that mimic […]



I have been playing with Splunk, for about 45 minutes. So far, I like it. I’ve previously been exposed to Arcsight, but what I have more of an affinity for psychologically is not so much a correlation engine, but a great visualization tool that automagically can grok log formats without making me write a hairy […]


How Government Can Improve Cyber-Security

In “How Can Government Improve Cyber-Security?” Ed Felten says: Wednesday was the kickoff meeting of the Commission on Cyber Security for the 44th Presidency, of which I am a member. The commission has thirty-four members and has four co-chairs: Congressmen Jim Langevin and Michael McCaul, Admiral Bobby Inman, and Scott Charney. It was organized by the […]


Security is never static

There’s a story in the Wall St Journal, “London’s Congestion Fee Begets Pinched Plates:” This city’s congestion pricing for drivers is heralded around the world for reducing traffic and pollution. It’s also causing an unintended effect: a sharp jump in thieves stealing or counterfeiting license plates. Thieves are pinching plates by the dozens every day […]


Total Kabab Awareness

In a May, 2006 post entitled Codename: Miranda, I joked about having my grocery purchases linked to another Chicagoan due to poor schema design. There, I joked about buying: … granola, yogurt, hummus — the healthy stuff which probably alerts Admiral Poindexter’s Bayesian classifier to my fifth-column status. Maybe this wasn’t jocular after all, as […]


Measuring the Wrong Stuff

There’s a great deal of discussion out there about security metrics. There’s a belief that better measurement will improve things. And while I don’t disagree, there are substantial risks from measuring the wrong things: Because the grades are based largely on improvement, not simply meeting state standards, some high-performing schools received low grades. The Clove […]


"A duty of care" to notify?

Some people have objected to my repeated claims that a new normal is emerging. Those people don’t include Her Majesty’s Revenue and Customs, who, after losing a disk in the mail, said: “There was a thorough search for the item, which went missing at the end of September, but it has not been found. We […]


The Magic Phone

The “gPhone” was announced today. I put gPhone in quotes, because there was no actual phone announcement. What was announced was the “Open Handset Alliance” and their toolkit, Android. They are “…committed to commercially deploy handsets and services using the Android Platform in the second half of 2008.” and “An early look at the Android […]


Gordon Brown on liberty

While this great tradition can be traced back to the Magna Carta, it was the rise of the modern state with all the new powers at its disposal that made the 17th century the pivotal period in the struggle against arbitrary and unaccountable government — as Britain led the way in the battle for freedom […]


No Parking, Really

Via Michael Froomkin, who points out that if this were an intellectual property license, people would seriously argue that parking there gave the owners the right to spraypaint your car.


Informed discussion? Cool!

David Litchfield examines some public breach data and concludes that Word documents and spreadsheets mistakenly left on a web server or indexed by a search engine account for 20.6% of the 276 breaches, both physical and digital, recorded up to the 23rd of October. He further surmises that the proportion may be even higher, since […]


WEIS 2008 Call for papers

The call for papers for the 2008 Workshop on Economics and Information Security, to be held at Dartmouth’s Tuck School of Business in late June, has just been issued. […] The 2008 Workshop on the Economics of Information Security invites original research papers focused on the economics of information security and the economics of privacy. […]


Today's Free Advice from David Litchfield

Just because you can’t see it, doesn’t mean it’s not there. Also it doesn’t mean you can’t figure out what it is… Much like traffic analysis, what you show and how you show it can reveal a lot about what is going on behind the scenes.


Beat To The Punch

Yesterday, Sammy Migues talked about the risk of too much risk management. The only problem is that he completely misused the term Risk Management. I was all set to post a rant about that here, and in fact spent far too much time last night writing up a response. In the meantime, the Hoff and […]


Breach reporting rates

Adam’s comment to my previous post prompted me to think about breach reporting rates again. Above, there’s a slide (click for a larger image) from the presentation I delivered at FIRST 2007. It shows the breach reporting rate for different time periods, from different sources. I think the results are pretty interesting when combined with […]


Disaster Preparedness by Conair

Mini-me guest posting on The Guerilla CISO tells us all some hard learned lessons in Data Centers and Hair Driers. In it we learn (yet again!) that Disaster Recovery/Emergency Response/Business Continuity rely heavily on documentation, process being followed and above all regular testing. Regular testing is more than just practicing via drills or table top […]


15-30 dataloss incidents daily, sez top Fed cyber-beancounter

The Office of Management and Budget issued a memo in July 2006 requiring agencies to report security incidents that expose personally identifiable information to the U.S. Computer Emergency Readiness Team within one hour of the incident. By June 2007, 40 agencies reported almost 4,000 incidents, an average of about 14 per day. As of this […]


Emergent Breach Analysis

When I started blogging about breaches and breach notices way back in early 2005, a number of friends wrote to say I was sounding like a broken record. They were right, and at the same time, I felt there was something really big going on, and I wanted to push it and shape it. Over […]


Beer For a Laptop

A New Zealand company is offering a lifetime supply of beer if someone gives them their lost laptop. See the BBC, “NZ brewery offers beer for laptop.” Thanks to Phillip Hallam-Baker for the pointer. We are indeed happy, and would analyze the clever marketing, ROI on investment, and emergent chaos of the barter system, but […]


FEMA’s Fake News Conference

In light of FEMA using our tax dollars to stage a fake news conference, I’d like to take a moment to assure you that none of the Emergent Chaos combo works for the Burton Group, and any softball questions in our interviews are just because we like them. Photo: FEMA news conference, AP. [Update: We […]


What Would One Actually Do With A Persona?

I asked Bob Blakley and Mike Neuenschwander some questions about Limited Liability Personae. Rather than focusing on the implementation, I wanted to talk about the high level purposes, as well as concerns that most people have with the idea of a persona. Whenever I discuss personae, there are issues that frequently come up, for example: […]


Should Email Address Breaches Be Notification-Worthy?

Brian Krebs raises the issue in his column in the Washington Post, “Should E-Mail Addresses Be Considered Private Data?” The question raises some fascinating economics questions and a possibly unique opportunity for interesting information security signals: A database of e-mail addresses and other contact information stolen from business software provider is being used in […]


Visa says TJX Impacted 94 million accounts, $68MM+ in fraud

“Although TJX suggests that the breach only affected approximately 45.7 million accounts, in fact the breach during a period of 17 months affected more than 94 million separate accounts. To date, Visa has calculated the fraud losses experienced by issuers as a result of the breach to be between $68 million and $83 million on […]


Ceremony Design and Analysis

Carl Ellison has been doing some really interesting work on what he calls Ceremonies: The concept of ceremony is introduced as an extension of the concept of network protocol, with human nodes alongside computer nodes and with communication links that include UI, human-to-human communication and transfers of physical objects that carry data. What is out-of-band […]


With p=.7, Breach Costs Will Fall by 2009

There’s an article over on Tekrati, “Cost of a sensitive data breach will increase 20 percent per year through 2009, says Gartner.” Near as I can tell, this is the sort of half-thought through analysis which Gartner sometimes spews, to the great detriment of their reputation. (To be fair, I can only see what other […]


The Pogues Show

What an amazing show. Shane MacGowan slurred a lot, but I just couldn’t care when he sang ‘Brown Eyes’ or ‘The Greenland’ or ‘The Sick Bed Of Cuchulainn.’ They’re touring the western states. Photo: “The Pogues in Seattle on October 17, 2007 – first show of US tour” by Dan10Things.


Laboratories of Security?

There’s a story in USA Today, “Most fake bombs missed by screeners.” It describes how screeners at LAX find only 25% of bombs, at ORD, they find 40%, and at SFO, 80%: At Chicago O’Hare International Airport, screeners missed about 60% of hidden bomb materials that were packed in everyday carry-ons — including toiletry kits, […]


Breaches: Coverup & Disclosure

There’s an interesting case of breach non-disclosure documented in the Edmonton Sun, “Privacy breach at MacEwan.” It’s interesting for a few reasons. First, the breach wasn’t disclosed: MacEwan College was cited in the auditor general’s report this week after a tipster told the AG’s office about the security breach in 2006. It mirrored access problems […]


What's an Identity Oracle (LLPersonas)

Adam: So you say “my oracle.” Who is that? Is it an entity which I control? To be cynical, how does ‘my identity oracle’ differ from Choicepoint? Bob Blakley: My oracle most assuredly does not belong to me. It’s a commercial enterprise. It differs from Choicepoint in that it has contracts with its data subjects which […]


How to Better Cite Blogs

Via BoingBoing, we learn that the NIH has a guide to citing blogs. Cool! Respectworthy! And a little lacking as a citation format. Here’s their first sample: Bernstein M. Bioethics Discussion Blog [Internet]. Los Angeles: Maurice Bernstein. 2004 Jul – [cited 2007 May 16]. Available from: There are at least two major problems with […]



I, for one, salute our entropy-increasing overlords… but I must confess to being mystified by this press release.


More on LLPersonae, Identity Oracles, and RCSL

Adam: But applying for a job is exactly what you describe, “organizations with whom you don’t have a lot of history and interaction.” For an awful lot of people, they apply for jobs broadly. One cashiership is as good as another. And there are a lot of places where I’d like to protect my privacy. […]


TSA Violates Your Privacy, Ties themselves in Little Knot of Lies

There’s a story in InformationWeek about the latest TSA privacy violation, “TSA Promises Privacy For Subjects Of Clothing-Penetrating Scans:” “We are committed to testing technologies that improve security while protecting passenger privacy,” said TSA administrator Kip Hawley in a statement. “Privacy is ensured through the anonymity of the image: It will never be stored, transmitted, […]


Limits of Limited Liability Personas?

Adam: I have some cost questions, but I think more importantly, this can limit my exposure to, say, a credit card, but I can get most of this without paying Delaware a couple of hundred bucks. I get a PO box, a limited credit card, and a voice mail service. What’s the advantage that’s worth […]


Bob Blakely on the LLP

Adam: The LLP is a great analogy because that’s exactly what the Limited Liability Partnership was, and is, for: controlling liability in transactions. The growth of the limited liability corporation allows me, as an investor, to invest a set amount of money, and know the limits of my exposure to management errors. But I can’t do […]


Mike Neuenschwander on Limited Liability Personas: Intro

I was deeply intrigued when I read an article in the New York Times, “Securing Very Important Data: Your Own.” Mike Neuenschwander of the Burton Group proposed an idea of “limited liability personas.” I thought this was so cool that I emailed him, proposing we interview him for the blog. He’s agreed, and here’s part […]


Breach Laws Charts

At The Privacy Symposium that Harvard Law just held, I had a fascinating conversation with Julie Machal-Fulks of the law firm of Scott & Scott. Scott and Scott have published a one page breach laws chart, with just five variables. Julie Brill of the Vermont Attorney General’s office also mentioned that she maintains a chart. […]


Bank Note of the Year

Who knew there’s an International Bank Note Society? Or that they have a prize for best bank note of the year? This year’s winner is the “1,000-franc note issued by the Banque Centrale des Comores, the central bank of the Comoros, an archipelago located between Madagascar and the east coast of southern Africa.” Don’t miss […]


Emergent Breasts Handled By Ohio’s Finest

Yesterday CNN reported that while Ohio State Representative Matthew Barrett was giving a presentation to a group of high school students, a photo of a naked woman appeared instead of the expected graphic. The State Highway Patrol seized the USB drive containing the presentation and in less than 24 hours determined that the image had been […]


EWeek on The Gap Breach

Lisa Vaas has a great article in eWeek, “Let’s Demand Names in Data Fumbles:” That unnamed vendor should indeed be taken to task. The Gap is now in the process of contacting an enormous number of people in the United States and Canada whose information may have been compromised, and it’s providing credit reporting services […]


Sameer at Officer Candidate School

Those of you who don’t know Sameer Parekh can ignore this message. For those of you who do, he’s joined the Marines and is attending Officer Candidate School, and would appreciate your letters: He does not have access to email or phone. Please send him snail mail (US mail) as often as you can. He […]


Looking for a challenge? Life dull?

If you need a change in your life, consider this job posting: Title: IT Security Architecture Manager Needed Company: TJX Companies Location: Framingham, MA Skills: Very strong technical security background in both the mainframe and distributed environments. Term: Full Time Pay: DOE Length: Full Time Detail: TJX Companies is seeking an IT Security Architecture Manager […]


Blogging @ Work: Blue Hat and Threat Modeling

BlueHat 6 was a great event. I had a really good time listening and talking with the attendees and speakers. The team is also looking to share a lot more about what’s happening, and one way they’ve done that is to open up their blog to speakers. There are posts from Rain Forest Puppy, Halvar […]


Connecticut Sues Accenture over Ohio Breach

As reported in the Scott and Scott Business and Technology law blog: Connecticut hired Accenture to develop network systems that would allow it to consolidate payroll, accounting, personnel and other functions. Information related to Connecticut’s employees was contained on a data tape stolen from the car of an Accenture intern working on an unrelated, though […]


Best Comment in a Long Time

Ian Rae comments “I think Apple demonstrated quite convincingly their inability to compete with their own proprietary hardware and software platforms.”


Apple’s Update Strategy is Risky

On Saturday I was going to a party at an apartment building. The buzzer wasn’t working, and I took out my shiny new iPhone to call and get in. As I was dialing, a few young teenagers were coming out. They wanted to see the iPhone, and so I demo’d it in exchange for entry […]


Sheep outsmart Britons

The BBC reports that in Yorkshire, crafty sheep conquer cattle grids: Hungry sheep on the Yorkshire moors have taught themselves to roll 8ft (3m) across hoof-proof metal cattle grids – and raid villagers’ valley gardens. … A National Farmers’ Union spokeswoman in York said: “We have never seen anything like it. We have looked at […]


What Secure Flight Really thinks about you

You can find out, by making a request under the privacy act. “Read Your Own DHS Travel Dossier.” Good commentary and context at Threat Level, “Howto: Check Your Homeland Security Travel File.”


SmartHippo Launches

Have you ever wondered how banks make so much money in the mortgage business? If you stop to think about it, mortgages are the ultimate commodity product these days. The bank collects information from you, gives you a loan, outsources the customer service to a loan servicing company, and securitizes your loan. So how do […]


Making a Positive Impression With The Business

Larry Hughes has a great post over on Riskbloggers with tips on how to demonstrate that security is invested in the success of the business. There’s some really good stuff here. Especially these two: Say “no” by saying “yes.” Somebody wants to uncork that remote access bottle, and let a thousand new contractors VPN into […]


Bayesian battlefield

According to court papers referenced in this VOA report, U.S. sniper teams in Iraq are using an interesting tactic: [A] so-called baiting program developed at the Pentagon by the Asymmetrical Warfare Group….the baiting was described as putting items, including plastic explosives, ammunition and detonation cords on the battlefield then killing suspected insurgents who picked up […]


Once more into the Ameritrade Breach

Last week, I wrote: It appears that Ameritrade is getting ahead of the story. Rather than have it dribble out by accident, they’re shaping the news by sending out a press release. On further reading, both from readers commenting on that article, and things like Network World, “Ameritrade customers vent about data breach:” The Ameritrade […]


MIT, Logan, the Chilling Effect and Emergent Chaos

If you’re not hidden under a rock, you know about the latest bomb scare in Boston. Some MIT kid forgot that Boston cops think anything with an LED on it is a bomb. A lot of people are saying she got what she deserved, or that she’s lucky to be alive. These people probably think […]


Family Guy Does Usability

A funny clip for Saturday. I can’t figure out how to embed the video here, so click on the picture to be taken to Gizmodo.


How unladylike

Like most EC readers, I have been following the story of the MIT student with the breadboard and Duracell fashion accessory who nearly got ventilated at Logan airport in the most LED-hostile city in the US, Boston. The Associated Press was quick to repeat the claim that the student was wearing a “fake bomb”, when […]


Transparency in Government

The Privacy Commissioner of Canada is blogging. Welcome to the blogosphere! In unrelated news, the Canadian dollar reached parity with the US dollar for the first time in thirty years. See the Canadian Broadcasting Company, “$1 Cdn = $1 US.”


TSA knows what you read

Privacy advocates obtained database records showing that the government routinely records the race of people pulled aside for extra screening as they enter the country, along with cursory answers given to U.S. border inspectors about their purpose in traveling. In one case, the records note Electronic Frontier Foundation co-founder John Gilmore’s choice of reading material, […]


Free, as in milk

What the hell are the idiots at Facebook thinking? If there’s anything stupider than banning a woman from breastfeeding in public, it is banning a picture of a woman breastfeeding on the grounds that it is “obscene”, which is what the morons at Facebook have done, as reported (for example) by the Toronto Star. Attention […]


Those scurvy dogs!

The scurvy dogs at TD Ameritrade may have tricked us! Well, maybe. The comments on “Analyzing the TD Ameritrade Disclosure” and articles like “Lawsuit Raises Questions on TD Ameritrade Breach” and “Ameritrade Customers’ contact information hacked” have been demanding a re-think of what I want to think on the subject. But less importantly, today is […]


Motley Fool on SAIC

Case in point: SAIC confessed in July that “information … stored on a single, SAIC-owned, non-secure server at a small SAIC location, and in some cases … transmitted over the Internet in an unencrypted form … was placed at risk for potential compromise.” In the context of other firms having actual knowledge of miscreants accessing […]



Adam mentioned the recently-announced Ameritrade incident. One thing I found interesting is their decision to hire ID Analytics to determine whether ID theft follows this data breach. According to an ID Analytics press release, the US Veterans’ Administration did something similar when several million veterans’ information was revealed. At a cost of $25,000 (according to […]


Analyzing The TD Ameritrade Disclosure

In a press release, TD Ameritrade this morning confirmed reports that it has been informing customers of a potential security breach. The release does not confirm the figure of 6.3 million customers, but a company spokesperson did give that number to reporters in interviews. (Dark Reading, “TD Ameritrade Breach Affects 6.3M Customers.”) It appeared that […]


No word on the lupins

NSW Police are investigating the possible compromise of an online florist’s database and theft of customers’ credit card details. The Fraud Squad has set up Strike Force Parkview to investigate the case that involves the retailer Roses Only. There are unconfirmed reports that the details were used to make a string of luxury purchases in […]


Who Likes a Cheater?

If you don’t follow sports news, the New England Patriots and their coach have been fined about three quarters of a million dollars and a draft pick. This is reported in articles like “Belichick given record fine for video cheating.” (Times Online, UK) That may seem like a lot, until you realize that that’s less […]


Invasion Of The Password Snatchers

As I’ve mentioned in the past my wife is a linguistics professor. Yesterday she came home from work with the following poster. A little research revealed that it and several others were originally commissioned in 2005 by Indiana University as part of their security awareness program that they assembled for national cyber security awareness month. […]


When Hackers Don't Strike

Today the New York Times asks us: “Who Needs Hackers?” The article itself which discusses the recent outages at LAX and with Skype is fairly fluffy but has some great quotes which really cover the issues that we should be looking at as an industry. Security isn’t just about hackers, but about managing threats and […]


HSPD-12 Does Not Require JPL Background Checks

Adam writes about the brouhaha at NASA over HSPD-12 background checks. A friend of a friend who is in the business of implementing HSPD-12 sent me a tidbit about it, along with a link so that you can read the primary source — something always needed when you get emails from FOAFs. In paragraph 3, […]


The Fight Against HSPD12

There’s a fascinating court fight, being run by people at the Jet Propulsion Lab. See “JPL Employees File Suit to End Background Investigations” From the press release: The plaintiffs include highly placed engineers and research scientists at JPL who have been involved in critical roles in NASA’s most successful recent programs, including leading engineers and […]


"I'm in Love with a Girl"

Another in the occasional EC weekend series highlighting awesome covers. I’d like this video even if it was silent. That stage is perfect for a Big Star tune, and the sound is right on. [If only they also performed “Thirteen“…Chilton and friends are too old (or indifferent) to play it properly now].


Pfizer's little problem

For the third straight month, the pharmaceutical giant is reporting a serious security breach that may have resulted in the loss of personal data belonging to current and/or former employees. The most recent breach, reported last week, involves the potential theft of personal data on some 34,000 current and former workers at the company. … […]


The analog hole strikes again!

I had occasion to park at a rather large parking garage attached to a rather larger complex of hospitals in downtown Chicago today. The company that runs this garage does something smart — in addition to numbering the floors of the garage and giving them a characteristic color, they also play a well-known musician’s tunes […]


1.5 billion, and whaddaya get?

I wrote this post sitting on a plane to Montreal. There were all sorts of announcements about how you had to be on international flights thirty minutes before takeoff, to make Congress happy: Congress mandated that DHS’ Customs and Border Protection (CBP) establish a requirement to receive advance information on international passengers traveling by air […]


From the Advances in Aviation Desk

The Beeb reports, “Goats sacrificed to fix Nepal jet,” in which we learn that two goats were slaughtered in sacrifice to the Hindu god of sky protection, Akash Bhairab, in front of a Boeing 757. Airline official Raju KC said to Reuters, “The snag in the plane has now been fixed and the aircraft has […]


Happy Labor Day

…from Chicago. (May 1st was jettisoned as a date for reasons near and dear to EC — it was too political.)


Links of the day (Also useful as a reading list for a possible upcoming cage match between Hutton and Bejtlich ;^))


Inside Carnivore

Ryan Singel has a long article in Wired: “Point, Click … Eavesdrop: How the FBI Wiretap Net Operates.” I was pretty stunned at some of the numbers: FBI endpoints on DCSNet have swelled over the years, from 20 “central monitoring plants” at the program’s inception, to 57 in 2005, according to undated pages in the […]


Heresy of the Day

Riffing on Adam’s last post, it has been amusing to watch the whole problem with Senator Craig. However, as I’ve chomped my popcorn, there’s been one thing I keep thinking: what if the guy’s telling the truth? What if he was stupidly caught for not doing much of anything, and then stupidly plead guilty in […]


Senator Craig and the Behavior Detection Officers

…airport police Sgt. Dave Karsnia, who was investigating allegations of sexual conduct in airport restrooms, went into a stall shortly after noon on June 11 and closed the door. Minutes later, the officer said he saw Craig gazing into his stall through the crack between the door and the frame. After a man in the […]


Evolve or Die

Or at least become more vulnerable. I’ve recently been helping a client with their secure coding initiative and as a result I’ve been reading Mike Howard and Dave LeBlanc’s Writing Secure Code which reminded me of an important aspect of maintaining a secure code base which often gets overlooked: That is that as code ages […]


Harvard Business Review on Breaches

Via Chris Hoff, “Harvard Business Review: Excellent Data Breach Case Study…” we learn that the Harvard Business Review has a case study, “Boss, I think Someone Stole Our Customer Data.” The fictitious company profiled is Flayton Electronics, a regional electronics chain with 32 stores across six states. The premise of the fictitious data breach focuses […]


Security Advantage? I Don’t Buy It.

As quoted in Ken Belva’s blog, Larry Gordon writes: However, the above is not the end of the information security story from an economics perspective. If an organization can distinguish itself as having much better information security than its competitors, then that organization may well derive a “competitive advantage” (at least in short-run, until competing […]


The "Too Many Notices" Meme

There’s this idea out there that consumers don’t need to be told when their products are broken. Not for things like lead paint on toys, mind you. No one would believe that. It’s when their personal data goes missing. If the company doesn’t think it’s a problem, they should be able to keep it a […]


Trespass and Forgiveness

A man in the UK has been arrested somewhat dramatically for illegally using a WiFi connection. The BBC reports it here as “Man arrested over wi-fi ‘theft’” and El Reg as “Broadbandit nabbed in Wi-Fi bust.” Each is worth reading. The police statement is worrying. El Reg says: Despite not having secured a conviction yet […]


No, Breach Notification Service is a Good Sign

Over at Dark Reading, there’s a story about First Advantage Membership Services launching a breach notification service. Andrew Conry-Murray starts out: You know data security breaches are way too common when a company builds a business around customer notification of stolen information. and he ends: I applaud companies that comply with notification requirements. It’s the […]


Giving Data to Auditors

In light of well-publicized failures to maintain appropriate controls by the ‘final four’ audit firms, giving data to auditors without a clear and compelling business purpose is a bad idea. It’s such a bad idea, even an auto body shop objects: Auto body repair shops in British Columbia are complaining to the province’s privacy commissioner […]


Steganography in the News

In Australia, Jeffrey Ismail has been convicted of “using a carriage service to menace, harass or offend” meaning using his mobile to coördinate reprisal attacks against a rival gang. Despite registering his phone under the name “John Gotti” and being careful enough to tell his “clerics” to “bring ‘ankshays’ and ‘atbays’” police recorded his calls […]


I am not an eyeball, I am a free man!

Kim Cameron has a very interesting article on the distinction between accounts and credentials, “Grab them eyeballs! Any cred at all!:” Is this logical? It all escapes me. Suppose I start to log in to Dare’s blog using an AOL OpenID. Does that make money for AOL? No. I don’t have to give AOL two […]


Typical British overstatement

I saw a BBC headline, “Huge payout in US stuttering case“, and figured that somebody who stutters must have been harassed at work or something, and got a settlement of $5 mil. WRONG. What happened is this: Six US citizens who, as children, were used in an experiment that tried to induce stuttering have been […]


Second Breach Closure: Verus?

I’ve been fond of saying that no company goes under because of a breach. It used to be there was one exception, CardSystems Solutions. There now appears to be a second, Verus, Inc, a medical information processor that revealed information on customers of at least five hospitals. “Medical IT Contractor Folds After Breaches.” So that […]


NYT Reporter Has Never Heard of Descartes

Or perhaps more correctly, did not internalize Descartes when he heard of him. In “Our Lives, Controlled From Some Guy’s Couch,” John Tierney writes: Until I talked to Nick Bostrom, a philosopher at Oxford University, it never occurred to me that our universe might be somebody else’s hobby. I hadn’t imagined that the omniscient, omnipotent […]


Cost of a Breach: $6, not $187?

So TJX recently announced a $118m setaside to deal with the loss of control of 45 million records. Now, I’m not very good at math (if I was, I’d say $2.62, not $3), but it seems to me that the setaside is less than $3 per record. That doesn’t line up with the $187 per […]


Examining Wikipedia Anonymous Edits

It’s recently been amusing to look at where Wikipedia’s anonymous edits come from. There have been many self-serving edits from obvious places, as well as selfless ones from unexpected sources. I am most amused by this selfless edit which came from IP address, which translates to I can only think that had the […]


Breach outliers: $118m charge for TJX

The Associated Press reports that “TJX profit plunges on costs from massive data breach:” FRAMINGHAM, Mass. (AP) – TJX’s second-quarter profit was cut by more than a half as the discount store owner recorded a $118 million charge due to costs from a massive breach of customer data….About one-tenth of the charge from the data […]


Fake Steve and Real Mackey

So with the small, literal men at the New York Times poking through the veil of anonymity that allowed Fake Steve to produce the best blog since “The Darth Side,” we have a serious threat to the stability of the republic, which is the false hope that by assigning people names, we can control them. […]


I can't conceive of a better use for anonymity

There’s a fascinating little sidebar article in the Economist (4 August 2007), “Misconceived:” Now that anonymity is no longer possible, there has been a huge decline in the number willing to donate. So more patients travel for treatment to countries where anonymity is still legal. If this new proposal is implemented, it may give such […]


British House of Lords gets it

From a report published August 10 by the House of Lords select committee on science and technology: 5.55.  We further believe that a data security breach notification law would be among the most important advances that the United Kingdom could make in promoting personal Internet security. We recommend that the Government, without waiting for action at […]


ChoicePoint's data quality

In a comment, Tom Lyons asked: I have two clients who are asking me to investigate matters with Choice Point as it relates to inaccurate employment records provide to prospective employers. I am seeking persons who have similar experiences to determine a “pattern and practice” on the part of Choice Point. I don’t know Mr. […]


I love the emergent chaos of breach analysis

[Updated: see below] Over at Storefront backtalk, Evan Schuman writes “TJX Kiosk Rumors Re-Emerge:” Reports that the attack began using a wireless entry point have been confirmed by multiple investigators, but reports that circulated in March that the attacks began via an in-store employment kiosk have re-emerged. Could both be true? It’s unlikely, as both […]


Pseudonyms in the News: Fake Steve Jobs Outed

Brad Stone of the New York Times is a killjoy. Geez. Part of the joy of reading The Secret Diary of Steve Jobs was thinking of him as Fake Steve Jobs, and nothing more. Sure, it’s all good that his employer was so delighted that FSJ is going to be hosted by them, now, […]


In Honor of the New Wiretap Law

I’ve been too busy with travel to Blackhat, WOOT and Metricon to really cover the new wiretap law, or the very encouraging results of de-certifying electronic voting machines. I hope to be less buried soon. In the meanwhile, Photo is “Dan Perjovschi’s installation at the Moma, NYC” by Tibau1.


Obscenities in Passwords

El Reg reports that “Pipex invites customer to get ‘c**ted’” in which the generated passwords that the Pipex system suggested contained a rude word. A screenshot is available on the Register article. There is, however, a second obscenity here that is far more subtle. That obscenity is in the password selection advice and suggestions. The […]


Welcome iouhgijudgviujs, please log in!

Ben Laurie has shown time and again that OpenID is Phishing Heaven. It’s also a huge boon for anyone who wants to start tracking on the web. I firmly agree that if you want to steal from people or invade their privacy, OpenID is for you. I also know that there are people I respect […]


Obligation to Secure

Chronicles of Dissent has a good article on this topic, “If you don’t secure your data, it’s not unauthorized access.” A court in Pennsylvania ruled that it’s not illegal to get information you really shouldn’t have if you got it from a search engine or the search engine’s caches. This is important because there have […]


German Biometric Trials

The assessment of the Federal Criminal Police Office (BKA) according to which biometric visual-image search systems are not advanced enough to be used by the police to search for persons has led to mixed reactions. The Federal Criminal Police Office presented the fairly sobering research results of its visual-image search systems project on Wednesday in […]


86%: Would you buy an IDS this good?

A number of commenters on yesterday’s post, “Noh Entry: Halvar’s experience and American Legalisms” are taking me to task for being idealistic about rule of law. I agree strongly with what Nicko wrote in the comments: [C]ountries are at liberty to apply “complex, stupid, and complete arbitrary” rules but one of the fundamental tenets of […]


Noh Entry: Halvar’s experience and American Legalisms

He writes: It appears I can’t attend Blackhat this year. I was denied entry to the US for carrying trainings materials for the Blackhat trainings, and intending to hold these trainings as a private citizen instead of as a company. A little background: For the last 7 years, I have attended / presented at the […]


Maybe if I yell at you, you'll trust in what I'm saying

Tourists visiting the White House must now adhere to a dress code which bans jeans, sneakers, shorts, miniskirts, T-shirts, tank tops, and flip-flops. Since this is an extremely important rule, signs were posted and emails sent White House staff (writes Al Kamen in the Washington Post). A telling detail, per the WaPo: The e-mail reminder […]


Camouflage as Security

This is a new twist on an old trick. SFGate reports in, “‘I didn’t eat and I didn’t sleep’ — Coin dealer flies dime worth $1.9 million to NYC’” that coin dealer John Feigenbaum transported a $1.9M rare coin (an 1894-S dime) from its previous owner, Daniel Rosenthal, who lives in the Bay Area to […]


System Admin Appreciation Day

…is today, July 27. Pizza and beer retailers are standing by, much as florists do on Valentine’s Day. You know what to do.


Help EFF Analyze Formerly Secret FBI Docs

In “Help EFF Examine Once-Secret FBI Docs,” the folks at EFF ask for your help doing what Congress won’t. Engaging in oversight of our civil servants: We’ve already started scouring newly-released documents relating to the misuse of National Security Letters to collect Americans’ private information. But don’t let us have all fun — you, too, […]


Metricon 2.0 Registration Closes Friday

Metricon 2.0 looks to be a great set of papers. I’d tell you what I’m looking forward to, but really, I’m looking forward to the whole day. And it’s only $225, but you have to register by Friday.


Full Disclosure debate, 2.0

A poor choice of names (I guess “best UNIX editor” was their second choice), but is doing something that seems worthwhile by launching their Full Disclosure Campaign. wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors. We are calling […]


The first salami attack?

A salami attack is when you take a very small amount of money from an awful lot of accounts. The canonical example is a bank programmer depositing sub-cent amounts of interest in a special account. These rounding errors add up. I’m trying to find the first actual documented theft or attempted theft using this attack. […]


Canon Says Over 50% of Cameras Repaired in First Three Years

In the Times Online article, “Digital DNA could finger Harry Potter leaker,” we learn that the person who leaked photos of the last Harry Potter novel has yielded up the serial number of their camera, which was in the metadata of the pictures they took. From this, we learn that it was a Canon, likely […]


Should we stop faking phishing data?

In “Stop with the fake phish data,” Justin Mason quotes an anonymous friend complaining about people dumping crap into phishing sites: Is there any way you can get the word out that dropping a couple hundred fake logins on a phishing site is NOT appreciated?? It creates havoc for those monitoring the drop since it’s […]


Hamster Wheel of Pain™, FOIA edition

So, the USDA messes up and, in response to FOIA requests directed to them about tobacco subsidies, sends records containing taxpayer ID numbers (along, one presumes, with names) to the several FOIA requestors. Meanwhile, an enterprising lad sends a FOIA request about data breaches to North Carolina — a state known for tobacco production. That […]


A Small Breath of Sanity in Airline Regs

The New York Times reports, “U.S. Will Allow Most Types of Lighters on Planes” Federal aviation authorities have decided to stop enforcing a two-year-old rule against taking cigarette lighters on airplanes, concluding that it was a waste of time to search for them before passengers boarded. The ban was imposed at the insistence of Congress […]


You can't spell "Really pointless flamefest" without R-O-I

Rich Bejtlich, with whom I do not want to argue about definitions unless I have a much thicker dictionary than he, has taken aim at the (mis?)use of ROI by security people. EC readers may be interested in a blog post by Ken Belva, in which the guy who literally (co)wrote the book on establishing […]


Other comments on the GAO Report

[Added July 21] Roger Grimes, “Identity theft? What identity theft:” Here’s my long-held feeling: If even one customer record is compromised, it should be immediately disclosed to the consumer. None of this, “You need 10,000 or more records stolen before it is reported” or “Only report if likely to be used in financial theft.” Forget […]


Analysis of GAO report “Personal Information Data Breaches are Frequent”

(Excerpts from a letter to Mr. David Wood of the GAO. The complete letter is here.) I am writing to you today to comment on your recent report, “Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited, However, the Full Extent Is Unknown” I found GAO’s report and its implied […]


Wretched Term of the Week: Best Practice

This is a peeve I learned from the great Donn Parker. The term “Best Practice” should be avoided. It is inaccurate, misleading, and self-defeating. Here’s why: Best is a superlative. By using it, one implies that there is a single choice that surpasses all others. Rarely is this the case in real life. Security gurus are […]


Emergent Chaos and Pirates

… pirate ships limited the power of captains and guaranteed crew members a say in the ship’s affairs. The surprising thing is that, even with this untraditional power structure, pirates were, in Leeson’s words, among “the most sophisticated and successful criminal organizations in history.” Leeson is fascinated by pirates because they flourished outside the state—and, […]


You can’t change your fingerprint

One of the most useful things you can do to protect your passwords is to change them regularly. This bounds the effect of many attacks which obtain your password, by various cracking techniques or by mistakenly entering it in the wrong place. After you’ve changed your password, the old one doesn’t do any good. This […]


What If The Hokey Pokey Is What It's All About?

I’ve always thought that folks in operations security and product security had a whole lot to learn from each other. Unfortunately for the product security people, they now also get to learn about the pain of vendors swooping down on them trying to sell them the latest and greatest crap. Last night, Mary Ann Davidson […]


Pseudonyms In The News

The Wall Street Journal reports that the CEO of Whole Foods, John Mackey, posted on the Yahoo! Finance board for Whole Foods under the pseudonym Rahodeb, which is an anagram of Mackey’s wife’s given name. (It’s also an anagram of “A Bread Ho,” but since the WSJ doesn’t stoop to that sort of cheap joke, […]


Wretched Word of the Week: Killer

The word “killer” gets used in two wretched ways. The first is Killer Application, and the second is product-killer. They’re each wretched in their own special way. It’s not only cliché to use each term, but in using it, you are nearly guaranteed to be wrong. The original killer application was Lotus 1-2-3. […]


The Greek Wiretapping Scandal

“The Athens Affair” is the story all the cool security bloggers are talking about. Now, when Matt Blaze, Bruce Schneier and Steve Bellovin all chime in, it makes life hard for us little guys. I mean, what can I say that they haven’t? Building facilities for wiretapping is dangerous? Covered. Logging is important? Covered. Hah-ha! […]


Whose Line Is It Anyway?

For quite a while now, I’ve been claiming that in order for InfoSec to do its job properly, it needs to understand the business. Yesterday, Jack Jones again showed that he’s in the same camp when he asked us: “Risk Decision Making: Whose call is it?” There he shares his thoughts on how to decide whether […]


It’s about more than identity theft

Over at his blog, Alex Hutton responds to my claim that data breaches are not meaningful because of identity theft, saying that “Compliance to External Risk Tolerances (PCI) and Government Breach Reporting Laws *DO* make it significantly about Identity Theft.” (“The ‘Insider Statistic’, Good Data, & Risk.”) Alex’s main point is that it’s not insiders, […]


Irony at the BBC

The headline, and warning, of a story about how data formats change, “Warning of data ticking time bomb,” BBC web site, 3 July 2007.


Pete Seeger strikes again

The New York Times Magazine with a long article about swimming the Hudson River.


Electronic data: you can sell it and have it

Mike Rothman has the unmitigated temerity to go on vacation and deprive me of his daily rant^H^H^H^Hincite, but not before remarking on the Certegy data loss incident: So Certegy (a big check processor) loses a couple million records with information like bank accounts and credit card numbers. And Certegy’s president gets interviewed and says because […]


In Congress Assembled, July 4, 1776

In CONGRESS, July 4, 1776 The unanimous Declaration of the thirteen united States of America, When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which […]


PET Award

For the last several years, Microsoft has worked with the Privacy Enhancing Technologies community to support a prize for the best work done in the field. I’ve been involved as a member of the selection committee, but when I joined Microsoft, I stepped away from that. It’s important to us that the prize is independent. This […]



As governor of Texas, George Bush didn’t see fit to commute any of the 152 death sentences brought before him. (Wikipedia) Good thing Scooter Libby ain’t no poor Texan, because if he was, Bush wouldn’t have ruined his law and order record. (Noted at Update: 6 days later, the New York Times notes that […]


More controls creates more risk?

Over at his excellent blog, Chandler Howell referenced an interesting risk analysis performed by a home inspector: “The power switch for the garbage disposal in the sink could be accidentally turned on by a person standing at the sink while their hand was in the disposal.” That is to say, the switch is right next […]


The CIA’s Family Jewels

Last week, the CIA released a document they called ‘The Family Jewels.’ This compendium of shameful acts has gotten a lot of press, and I have not a lot to add. I did like this bit, mentioned in the Washington Post, “Trying to Kill Fidel Castro:” Maheu made the pitch on Sept. 14, 1960, at […]


It’s not all about "identity theft"

There’s a fascinating conversation going on between Chris and Andy Steingruebl in the comments to Data on Data Breaches. In it, Chris writes: If what we care about is reducing ID theft, then maybe all this effort about analyzing breach reports is a sideshow, since for all we know 80% of the revealed PII never […]


Data on Data Breaches

At the FIRST conference in Seville, Spain, I delivered a presentation about “Data on Data Breaches” that Adam and I put together. The slides, with the notes I made to act as “cue cards” for me, are available as a large PDF file on a slow web server. The main points I tried to make […]


Doctors want more study on overuse of books

(Adds psychiatrist interview, industry comment, paragraphs 4, 7-17) CHICAGO, June 27 (EmergentChaos)- The American Medical Association called for more research into the public health risks of books and reading on Wednesday but stopped short of declaring them addictive. The AMA, which recommended a review of the current publishing system, also said it would leave it […]


Stop Real ID, again

Apparently, the forces of evil have inserted themselves a national ID clause into the immigration bill (two bad bills, risen from the dead together?) Please go to Unreal ID’s action page to send a fax. It only takes a minute.


My Privacy Enhancing Technologies talk

At the Privacy Enhancing Technologies workshop, there is a ‘rump’ session, designed for work that’s not of sufficient quality to make it into the workshop. (And given that the workshop now has a 20% acceptance rate, there’s some pretty interesting stuff that doesn’t make it in.) I didn’t use it for that, I used it […]


Maybe things are different (maybe they're the same)

The article to which Adam linked in his post about Dark Side of the Moon mentioned derivative versions of the album as performed by other artists. That got me thinking of memorable covers, such as Senor Coconut’s classic renditions of Kraftwerk tunes (like The Robots and Autobahn). Ultimately, I just gotta throw in a quick […]


Security Tradeoffs

This is from Non Sequitur by Wiley. Since I’ve shrunk it to fit, the guard says to the other: Accept the security breach, or clean a litter box. Take your pick. Click the picture for the full-size one.


All That You Buy, Beg, Borrow or Steal

Let’s face it. There hasn’t been a better pressing of Dark Side (with the possible exception of the original vinyl, which I haven’t heard) than the Mobile Fidelity gold disk. Which doesn’t prevent EMI from releasing it over and over again. That makes perfect sense, it keeps selling like mad. As bbum points out in […]



Last Friday, Amrit again said that no wars are won through awareness and although he repeatedly claims that he’s not against user awareness training, he doesn’t really tell us where he thinks it should fit in. Instead he shows his bias as a former product manager and Gartner analyst and focuses purely on tools by […]


Defending Metrics

Yesterday, I attacked metrics claiming that the way they are being used today, they were useless to upper management and didn’t relate the value of the InfoSec team to the business. While I stand behind that claim, I also believe that a lot of metrics being performed today are very useful to technical management especially those […]


Attacking Metrics

Last week I had the pleasure of having lunch with Alex Hutton from RMI and we got to talking about metrics. Specifically, we talked about how most metrics that we security folks come up with are, well, boring and effectively useless to upper management. At best they are focused on technical management such as the […]


One Company Gets The Privacy Thing

I currently love my mortgage company. Those that know me in real life, know that I recently bought a house. Yesterday, I received a privacy notice in the mail from them. I figured it was the standard template that everyone uses saying that if I didn’t want my information shared, I should call them up/email […]


The 'Gay Marriage' of Computer Security?

Reading Dale Carpenter’s post on Volokh,”Big win for SSM in Massachusetts,” I was struck by how similar his narrative is to my thinking around breach notice. He writes (and I emphasize): What’s so striking about the vote today is how dramatically support for SSM has grown in the legislature (and in state public opinion polls) […]


On Privacy Law: HIPAA, Library

At, “Hospitals Fear Privacy Claims Over Medical Records:” The Health Insurance Portability and Accountability Act is raising new legal fears for health care providers in light of tougher government enforcement and recent court rulings that could trigger private lawsuits. Labor and employment attorneys who represent health care providers are especially concerned about the prospect […]


Flower Power Sucks

Having the unfortunate luck to be in National Public Radio’s target demographic, I occasionally wind up hearing stories that clearly are pandering to what I will with all due sarcasm refer to as “my generation”. Actually, I’m in the one after that, but I recognize the pandering. Lately, not just on NPR but on my […]


New Hampshire, North Carolina overlap

New Hampshire’s requirement to clue in the AG’s office or your primary regulator took effect 1/31/2007. I have info from NH and NC (but not NY, yet) covering the period since 1/17, so we can see how much overlap there is:

                 New Hampshire   North Carolina
  New Hampshire       40              11
  North Carolina      11              41

I am eager to […]


Disclosures where they're not required by law

It’s the new normal in the English speaking world. See: “Hard drive stolen from Concordia” hospital in Winnipeg. The Bank of Scotland lost a DVD or CD in the mail, “Bank loses details on 62,000 customers in post.” “Personal banking info goes missing” regarding 120,000 Coastal Community Credit Union in Nanaimo, British Columbia. “Personal information […]


Emergent Downtime

We had some downtime after a failure at our hosting facility. We would like to address the power loss which occurred in our Virginia Datacenter on Wednesday, June 13th. We are still investigating the root cause, but in the interest of full disclosure, here are the facts as we know them today. A more complete […]


New Hampshire gets it

Via Lyger at, comes word that New Hampshire, one of a handful of U.S. states that require breaches involving personal information to be reported to the state as well as to affected individuals, has made at least some breach notices it has received available on the net. I haven’t had any time to read […]


"Whatever happened to Zero-Knowledge Systems?"

Zero-Knowledge Systems was one of the hottest startups of the internet bubble. Unlike internet companies selling pet food or delivering snacks to stoners, Zero-Knowledge was focused on bringing privacy to all internet users. We had some fantastic technology which was years ahead of its time. And people often ask me “whatever happened to them?” The […]


Global Biometrics Database, Coming Soon to You

Raiders News Network quotes an Interpol press release, “G8 Give Green Light For Global Biometric Database:” MUNICH, Germany – G8 Justice and Interior Ministers today endorsed a range of vital policing tools proposed by Interpol Secretary General Ronald K. Noble aimed at enhancing global security. Secretary General Noble exposed the global problem of prison escapes […]


Joe Strummer interview, book

There was a great interview on the local NPR station yesterday with Chris Salewicz, who has a new biography out. It’s “Redemption Song: The Ballad of Joe Strummer.” The interview was really well done–the music was well and cleverly integrated into the conversation. If you’re taking it easy, why not listen to the KUOW Weekday […]


Dear FBI: Fusion requires critical mass

The FBI runs what they call “Fusion Centers” for intelligence sharing. There’s a fascinating quote in the Washington Technology article, “Boeing to staff FBI Fusion Center:” “As a police chief of the 19th largest city in the nation, and in possession of a top secret clearance, by law I cannot set foot unescorted in the […]


Fascinating breach detail: Illinois Department of Financial and Professional Regulation

Here’s detail from an InformationWeek story, “Hackers Blamed For Data Breach That Compromised 300,000:” A hacker broke into the computer network at the Illinois Department of Financial and Professional Regulation this past January and accessed a server that held information on about 1,200,000 people who have licenses or applied for licenses with the department. Susan […]


Laurie, Cameron and Brands (Oh My!)

There’s a fascinating exchange going on between Ben Laurie, Kim Cameron, and Stefan Brands. This is utterly fascinating if you have any interest at all in online identity, but haven’t had the time to compare systems. I’d try to contribute, but I’ve been in the midst of a large project at work. Archival links: Stefan: […]


Wanted: iPod organ donor.

I’m not throwing out a whole iPod just because the headphone jack is hosed. If you have a dead mini iPod (maybe with a smashed display, say?), and you don’t want to take up precious landfill space, leave a comment or send me an email.


Federal Computer Week on SSN Purges

There’s an article in Federal Computer Week explaining that “Agencies face SSN scrubdown.” We mentioned this last week in “White House Data Breach Prevention Guidelines.” I am pleasantly surprised to learn that some data actually will be declared ‘unnecessary:’ Agencies can eliminate some SSN uses by asking employees not to write their SSNs on […]


I don't know much about art…

…but encasing a skull in millions of bucks worth of diamonds and thinking you’ve made some kind of statement strikes me as uninspired in the extreme. Of course, this matters not, because this is “the work with the highest intrinsic value in modern and contemporary art” according to a guy who works for an insurance […]


DVD Player

[Substantially more than] a week ago, I asked what DVD player I should get. I didn’t get the answer, but I did get a lot of “I’d like to know.” I wanted to share that I ended up with a Philips DVP-5140. It was cheap, there’s an easy fix for the region bug explained in […]


"An Empirical Approach to Understanding Privacy Valuation"

Luc Wathieu and Allan Friedman have an article in Harvard Business School’s ‘working knowledge,’ titled “An Empirical Approach to Understanding Privacy Valuation.” In it, they present the results of a survey of 647 people with regard to a number of privacy hypotheses. Their results include: Contrary to some research, the chief privacy concern appears based […]


Failure of Imagination

USA Today tells us, “Sci-fi writers join war on terror,” in which, “the Homeland Security Department [sic] is tapping into the wild imaginations of a group of self-described “deviant” thinkers….” There are many available cheap shots as well as fish to shoot in that barrel. I’m going to take a cheap shot at one not […]


Lrn 2 uZ ‘sed’, n00bz

The iTunes Plus music store opened up today, which sells non-DRM, 256kbit AAC recordings. In case you have missed the financial details, the new tracks are $1.29 per, but albums are still $9.99. You can upgrade your old tracks to high-quality, non-DRM, but you have to do it en masse and it’s only for the […]


Movie Plot Threat No Longer a Metaphor

Director Mike Figgis flew into LAX airport and was detained for five hours because he oopsed. He said, “I’m here to shoot a pilot.” On the one hand, yes indeed, on the list of things you shouldn’t say while in Immigration, “I’m here to shoot a pilot” is right up there with being careful how […]


Venn and the art of empirical breach research

As EC readers may recall, I have made various Freedom of Information requests to state governments in order to obtain data regarding breaches reported to them under their various notification laws. This week, I received responses to the latest request I made to New York and North Carolina. New York has 822 pages to send […]


Pure Evil Entertainment

My friend Jeff Herrold has a new production company, Pure Evil Entertainment. Jeff is one of the best storytellers I know, and he’s put a short he made a few years back up on YouTube. It’s DEADLINE, and it’s a pretty entertaining bit of twistedness.


White House Data Breach Prevention Guidelines

So the Office of Management and Budget sent a memo this week, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information.” The cool bit is that the memo directs agencies to act within 120 days, including evaluating their data collection, and continuing collection of personal information only if it’s necessary. Unfortunately, what I […]


Ministry of Truth in Advertising

The BBC reports that “Ministers set out plan for waste.” … Usually, they at least claim they’re spending our money wisely.


Billions for Fashion Police, but Not One Cent for Tribute Bands!

Woo hoo! I feel so much safer! The TSA reports, “Transportation Security Officers SPOT Passenger in Fake Military Uniform at Florida Airport.” Picture at right is my foofification of the picture on the TSA site. Our brave protectors write: A TSA behavior detection team at a Florida airport helped catch a passenger allegedly impersonating a […]


Overwhelmed or Under-notified: Consumers and Breach Notices

In asking why customers don’t leave after a breach, there are two theories that people have put forth that are interestingly contradictory. The first is that they don’t know about the breaches. This was suggested by a questioner at Toorcon Seattle. The second is that customers are overwhelmed with notices. This is popular amongst bankers, […]


Marco Pierre White on Intellectual Property

This via Salon’s “The man who made Gordon Ramsay cry” — and let’s face it, making Gordon Ramsay cry is a great place to start. Alex Koppelman asks: …. Do you think a chef’s recipes should be protected as intellectual property? White replies: You can’t reinvent the wheel. Everyone takes from everybody. How many people […]


TSA on PBJ: No way

United States congressman Tim Ryan is interested in bringing attention to the meager allotment the U.S. food stamp program provides. This program, for those who don’t know, provides what amounts to scrip which can be used for qualified food purchases to persons who meet a certain needs test. The average food stamp recipient receives $21.00 […]


Cutty Sark Burns

The Cutty Sark, perhaps the last sailing clipper, has burned in Greenwich. It was undergoing a £25M restoration. Details from the BBC as well as CNN. Photo courtesy yours truly. I visited it last summer. I’m going to pour myself a strong drink.


Premature optimization is the root of all evil

The observation is no less true of legislation than it is of code.
Case in point is the debate over whether to trigger breach notifications when a “reasonable” risk of harm or a “significant” risk of harm exists. Everybody is quick to cite California’s breach law, so I’m going to cite New York’s:


75% of Britons Want to Know

The European Commission has done an “E-Communications Household Survey,” and found that overwhelmingly, “UK internet users want to be informed of data losses:” Most UK residents want to be informed if their personal data is lost or stolen after a corporate security breach, the latest E-Communications Household Survey from the European Commission (EC) has revealed. […]


Reading, Writing, and Arithmetic

I’ve been encountering some really silly software lately. I was trying to visit the homeland stupidity blog, with Safari and the most-excellent pithhelmet, and I get this message: We’re sorry, but we could not fulfill your request for /2007/04/21/astroglide-data-breach-exposes-customer-information/ on this server. An invalid request was received from your browser. This may be caused by […]


Shock Horror! Ashcroft Am Not Devil Incarnate!

In 27 B Stroke 6 Threat Level, Kevin Poulsen writes, “News from Bizzaro World: Ashcroft Opposed Taps.” Kevin, your reality tunnel is showing. There are many things that Ashcroft was (I apologize for using the past tense), starting with prig and prude. I’m not particularly a fan of his, but the Venn diagram of what […]


On Illegal Wiretaps

What, indeed, was the nature of the “program” before Goldsmith, Comey and Ashcroft — those notorious civil libertarian extremists — called a halt to it, and threatened to resign if the President continued to break the law? And what was the nature and breadth of its legal justification? I am hardly alone in realizing that […]


893 Million, and Whadda Ya Get?

♫Another DHS network, and we’re not sharing yet.♫ So reports Haft of the Spear, in “You’ll Share and You’ll Like It!” The Homeland Security and Justice departments have spent $893 million on information-sharing networks in the last two years but still do not have effective networks in place, according to a report from the Government […]


The War on Cash?

There’s a war on cash? Who knew? Dave Birch uses the phrase in “More from the war on cash” without a whole lot of surprise. Here he’s quoting a McKinsey study. (Unsurprisingly, you need to log in to read it.) I liked this gem: Cash needs to be priced appropriately. The fact is that, today, the […]


A quick pointer

Adam has made several posts about it being ‘good for you’ to open up about data breaches. Unfortunately, keeping a lid on the info is a stable equilibrium. This situation is what economists would call an Assurance Game. A quick pointer to a post I made reviewing a very good book on how to get […]


Is that an interesting question?

In a comment on “Why Customers Don’t Flee,” Chris adds “too much work.” I’ll add “too hard to evaluate alternatives.” But before we go much further, I’ll ask, is this the right question? Given that few customers leave after most breaches, is it useful to ask why they’re not leaving, or are there other questions […]


Why Customers Don’t Flee

At Toorcon Seattle yesterday, I presented “Security Breaches are Good for You (like a root canal).” It’s similar to “Security Breaches Are Good for you” (my shmoocon talk) but added a number of points about people agreeing, but not wanting to change. “Psychology & Security & Breaches (Oh My!?)” and “When Do Customers Flee.” I […]


Applied Kid Cryptography

Where’s Waldo? Have you ever been “playing” Where’s Waldo? and after finding him on a particular page needed to prove that you actually found him but didn’t want to reveal his actual location? Personally, I haven’t, but Applied Kid Cryptography recently referenced on the cryptography mailing list was too much fun to pass up.


Animations of US Flight Patterns

Aaron Koblin of UCLA has an amazing website of animations he’s done using FAA flight data. It’s well worth a look.


What, me worry?

TJX sales up, again. Via StorefrontBacktalk: …TJX reported Thursday that its April sales increased another 2 percent, to $1.28 billion…. More importantly, for the thirteen weeks ended May 5, 2007, sales reached $4.2 billion, a 7 percent increase over last year’s $3.9 billion.


The Wrong Breach Law

Last week, the Senate Judiciary committee passed “The Personal Data Privacy and Security Act of 2007” (See more in Security Fix, Federal Data Breach Bills Clear Senate Panel: Much of the debate over the relative strength of the various data-breach notification proposals currently circulating on Capitol Hill centers around the precise trigger for notification. […]


Disclosure in The UK

reports “Standard Life customers are hit by breach in security,” and reports that a “Laptop containing Southend children’s social services case notes bought on eBay.” In the US, neither of these would even be news. They’re both small, first time mistakes. Both would probably require notice under state law. However, it’s anarchy in […]


Food and Bacterial Risk Assessment

How clean is that piece of food that you dropped on the floor? Do you really want to eat it? Harold McGee explores the five-second rule in the New York Times. Personally, I always heard it as the thirty-second rule. I guess that it’s a good thing I have a strong immune system.


.BadIdea, Mikko

Mikko Hypponen suggests in an article that’s getting a lot of press (“Masters of Their Domain“) that banks get their own domain space, ‘.bank.’ He argues that this would make phishing harder, and suggests we could charge banks a lot of money for the domains. I have three problems with this: Crooks are already investing […]


Facebook Hangover

On Dave Farber’s list, Brock Meeks pointed us to a delightful Facebook Smackdown. Brock says, What do Facebook, the CIA and your magazine subscription list have in common? Maybe more than you think… Trust me, it’s worth the look. And indeed it is worth looking at, along with Patrick Schitt’s contribution of the background […]


She’s Such A Geek

Longtime geek authors Annalee Newitz and Charlie Anders published She’s Such A Geek last year. I’ve been meaning to blog about this for a while. It’s a collection of over 20 essays by women geeks. These essays cover the trials, tribulations and joys of being a female geek. At times entertaining and other times depressing, […]


TSA Can’t Keep a Secret

Alternate title: “If schadenfreude is wrong, I don’t want to be right.” Ryan Singel reports that the “TSA Lost Sensitive Data on 100,000 Employees.” This is the same agency which wants to collect all your personal data so they can deny you the right to get on a plane without any sort of legal proceedings. […]


Interesting Stuff From Microsoft

My colleague Dave Ladd has a post “Security Education v. Security Training:” Unfortunately, there’s an assumption held by many in our (IT) community that the road to better security leads to “drinking from the fire hose” – that is to say, employees are rocketed through week long training classes, then drilled and tested on security […]


Encryption Is Security Theater

Last night I was talking with a certain analyst from a large company that we’ve all heard from and we got into a discussion about most security people not understanding encryption at all, to the point that it is assumed to be a cure-all. In fact, with the exception of encrypting data at rest (and […]


Breaches in SEC Reports

Gregory Fleischer saw my Shmoo talk, and was kind enough to tell me when he found breaches in SEC reports: At your Shmoocon talk you mentioned that you had difficulty finding SEC filings related to security breaches. I was doing some research and came across several SEC filings that discuss security breaches. Generally, these items […]


Stop Real ID

So I was a little curt in my bloviation the other day about the REAL ID forum. There’s good people doing real work to stop this thing, and they deserve your help and support. Over 40 organizations representing transpartisan, nonpartisan, privacy, consumer, civil liberty, civil rights, and immigrant organizations have joined to launch a national […]


"The vendor made me do it"?

Via StorefrontBacktalk comes news that Following lawsuits in February against some of the nation’s largest retailers for illegally revealing too much credit card information on printed receipts, two of those retailers are now suing their POS vendors. In the last couple of weeks, two of those retail defendants—Charlotte Russe and Shoe Pavillion—have sued their POS […]


Flash Data Breach

The Hartford Courant reports that a Lockheed employee dropped a USB flash drive at a gas station that contained Joint Strike Fighter information. A truck driver found it and “took it home for a 20-minute look-see, then turned it over to authorities.” I have three words of advice: full disk encryption. Photo courtesy of POONDOG.


DHS Sends a Flunky to Do A Man's Job

So DHS has managed to cancel all but one “Town Hall Meeting” about REAL ID. They’re sending a “Richard Barth, Assistant Secretary, Office of Policy Development” to talk to the fine people of San Francisco about the travesty of a national ID card which is REAL ID. We’ll waste $20 billion dollars on this nonsense, […]


Quantum Cryptography Cracked!

Nature reports that, “Simulation proves it’s possible to eavesdrop on super-secure encrypted messages.” A summary of the attack is that the attacker instigates a quantum entanglement of properties of the photons so that they can infer the information (encoded in polarization) by measuring the entangled property (like momentum). It isn’t a real attack, but as […]


A Market To Be Tapped

I’ve often talked about how people will pay for privacy when they understand the threat. In that light, the New York Times article “Phone Taps in Italy Spur Rush Toward Encryption” is fascinating: Drumming up business would seem to be an easy task for those who sell encrypted cellphones in Italy. All they have to […]


WOOT! Looks Exciting

Via Nate, “WOOT = Usenix + Blackhat:” The call for papers is now up for a new Usenix workshop, WOOT (Workshop On Offensive Technologies, but don’t think the name came before the acronym.) The workshop will be co-hosted with Usenix Security and will focus on new practical attacks. I was recently saying that vulnerability research […]


Announcing…The Security Development Lifecycle Blog

My team at work announced the launch of “The Security Development Lifecycle” blog today. After the intro post, Michael Howard leads off with “Lessons Learned from the Animated Cursor Security Bug.” I’m pretty excited. We’re focused on transparency around what we’re learning as we continue to develop the SDL.


Security Through Stupidity

In my last post on security, I promised a tale, and I ought to deliver on that before it becomes nothing more than a good intention. Some time ago, so long ago that it no longer matters, I bought a piece of network stereo equipment. It was one of these little boxes that lets you […]


Gartner Discovers Offshoring

According to CIO Forum, Gartner has discovered some amazing things. There’s offshoring to India, and it’s growing at a “staggering” 16% per year. And lots of manufacturing is being done in China now. And the US better wake up ASAP because it is “in imminent danger of becoming an industry of failure.” This is a […]


One Third of McAfee Survey Respondents Are Not Paying Attention

So reports Sharon Gaudin in Information Week. Actually, I think she picked up the story as McAfee spun it: “Companies Say Security Breach Could Destroy Their Business:” One-third of companies said in a recent poll that a major security breach could put their company out of business, according to a report from McAfee. The security […]


Save Chocolate

“Don’t Mess With Our Chocolate,” says Guittard. Summary: the FDA is considering changing the definitions of “chocolate” and “chocolate flavored” and “chocolaty” so that they don’t have to put as much cocoa solids in it to make it be “chocolate.” The FDA is soliciting comments, and the cutoff is April 25, so that’s not much […]


When Do Customers Flee?

So I’ve long thought that consumers treat breaches as mistakes, and generally don’t care. In reading the Ponemon reports, it seems that the average customer churn is 2%. (I’ll come back to that number.) But it gets worse when you have repeated breaches. In the CSO blog, “What, When and How to Respond to a […]


Disclosure, Discretion and Statistics

One of the very interesting things about mandatory disclosure of breaches is that it adds a layer of legitimacy to the data. If all we have are self-selected reporters, we must investigate what bias that adds. This makes the FBI-CSI report and many others even less useful. New laws that require disclosure give us not […]


Buy Gas, Get Busted for Pedophilia?

The BBC reports “Motorists hit by card clone scam:” Thousands of motorists who use a bank card to buy petrol are thought to have lost millions of pounds in an international criminal operation. It is believed cards are being skimmed at petrol stations, where the card details and pin numbers are retrieved and money withdrawn […]


On Liquid Explosives

Wired’s Danger Room blog has an interesting quote from the inventor of a liquid explosive in “‘Liquid Landmine,’ Qaeda Tool?:” My advice would be to stick with PETN [a high explosive] and rattlesnakes.


"What security people won't share with each other"

Scott Blake has a really interesting 3-part podcast interview with Mike Murray. See Mike’s post, “it never ceases to amaze me what security people won’t share with each other,” and go understand why you should give Scott a demerit. (I’d meant to post this months ago, when Scott did the interview. Oops!)


Users force Dell to resurrect XP

The Beeb reports. This means that if you want to start speculating in copies of XP, you probably have even longer to wait.


Weak Crypto Contest

The 2007 Underhanded C Contest has a marvelous theme — weak crypto. The object of this year’s contest: write a short, simple C program that encrypts/decrypts a file, given a password on the command line. Don’t implement your own cipher, but use a bog-standard strong cipher from a widely available library. […] Your challenge: write […]


Credentica White Paper & Presentation

The title of Stefan Brands’ blog post, “New Credentica white paper and other materials,” pretty much says it all. If you think about identity management, you should go check these out. Our white paper discusses all of the features of the U-Prove SDK without going into technical detail. The basic features are: transient ID Tokens; […]


Frontiers of Data Disclosure

Howard Schmidt made a glib suggestion that made me laugh, but he has a point. He asked why don’t we just take names, social security numbers, and everyone’s mother’s maiden name and put it in a huge searchable database, so everyone knows that it’s not security information and we can once and for all stop […]


More on Crappy Credit Reports

In October, 2006, I commented on the story of a man in Arcata, California whose credit report bizarrely includes a claim he’s the son of Saddam Hussein. (“The Crap in Credit Reports“) Now, via Educated Guesswork, “If OBL can buy a used car, the terrorists have won” we learn of a fellow who can’t buy […]


Month of Owned Corporations

Richard Bejtlich points to a very dangerous trend in his TaoSecurity blog, the “Month of Owned Corporations“: Thanks to Gadi Evron for pointing me towards the 30 Days of Bots project happening at Support Intelligence. SI monitors various data sources to identify systems conducting attacks and other malicious activity. Last fall they introduced their Digest […]


Micropayments Company Bought or is that Sold?

Micropayments company Peppercoin, started with technology by Rivest and Shamir, has been bought by Chockstone, a company doing loyalty programs. Supposedly, they bought Peppercoin because it will “increase consumer ‘stickiness’ and brand affinity” and “increase average ticket price more than 12%.” Okay…. I thought that the reason for bearer-level micropayments was the opposite. Right here […]


Psychology & Security & Breaches (Oh My!?)

I’ve been talking about disclosure, and how it has the potential to change the way we work. Before it does that, it needs to change the way we think. Change is hard. There’s a decent argument that many things are the way they are because they’ve emerged that way. There existed a froth of competing […]


Bejtlich gets it: It's about empiricism

When he mentioned my post he cited a new paper titled A Case of Mistaken Identity? News Accounts of Hacker and Organizational Responsibility for Compromised Digital Records, 1980–2006 by Phil Howard and Kris Erickson. Adam highlighted this excerpt 60 percent of the incidents involved organizational mismanagement as a way to question my assertion that insiders […]


The Visual Display of Quantitative Lawsuits

So the Boston Globe has this chart of who’s suing whom over failures in the “Big Dig:” (Click for a bigger version) What I find most fascinating is that it’s both pretty and pretty useless. Since just about everyone is suing everyone else, what would be perhaps more interesting is a representation of who’s not […]


Bad Advice on Tax Shelter Patents

Techdirt carries marvelous coverage of the increasing devolution of our intellectual property system. However there is some bad advice in “Be Careful Not To Use Any Patented Tax Shelters This Tax Season.” The bad advice is in the last sentence: So as we get to tax day, besides going over all your tax forms and […]


How Long To Be Identified?

Today I spent nine (9) (no, that’s not a typo) hours in line to apply for a passport. What happened was, since the U.S. changed the rules to say everyone’s gotta have a passport, a lot of Americans and Canadians who were used to going back and forth between the countries suddenly needed passports, and […]


Investment Opportunity of the Year

El Reg reports that Microsoft claims to be sticking to its timetable for shutting down XP. No fewer than three people told me yesterday, “This means I have to buy that Mac Book Pro this year.” They can’t be alone. I have several co-workers running Vista on laptops, and even without the overhead of […]


Your Bribe, Should You Choose to Accept It

In the secret language of corruption in India, an official expecting a bribe will ask for Mahatma Gandhi to “smile” at him. The revered leader of the independence movement is on all denominations of rupee notes. With rampant dishonesty ingrained in the bureaucratic culture, an anticorruption group has decided to interpret the euphemism literally by […]


From The "Wish I'd Posted That" Files

Gunnar (as usual) has a great post highlighting the lack of a real cohesive strategy in the security products arena and IT security teams losing sight of the big picture. In particular, he highlights a comment from Andrew van der Stock about using SMS as an out of band authentication mechanism. Man I wish I’d […]


On Credit Cards and Being Behind

Just a quick note–you’ve convinced me that my thoughts on credit cards were wrong. (“The Cost of Disclosures, and a Proposal.”) Iang, rG0d and Nick are right. I should have remembered that disclosure is a moral imperative. I’ve also enjoyed the debate with Ken Belva, and will have one final closing post to respond to […]


So it goes

Kurt Vonnegut, dead at 84.


New Hampshire joins the club

The Granite State requires that security breaches involving PII be reported to the Attorney General: Any person engaged in trade or commerce that is subject to RSA 358-A:3, I shall also notify the regulator which has primary regulatory authority over such trade or commerce. All other persons shall notify the New Hampshire attorney general’s office. […]


UK Story On Breaches and Silence

IT Week in the UK writes, “Companies keep silent on data breaches.” There are a couple of interesting quotes: Jonathan Coad, a media specialist at law firm Swan Turton, said newsworthy breaches are often leaked to the press. “Reporting crime to the police is a double-edged sword as invariably the press has found out about […]


Daft Bloggers’ Code of Conduct

Tim O’Reilly with the help of others has posted a “Draft Blogger’s Code of Conduct” in reaction to l’affaire Sierra. Forgive me the pedantry, but I’ve corrected the plural in my derivative topic line above. There have been other comments about this in many other places. I’m not a friend of Sierra’s, but I have […]


Disclosure Laws, State-by-State

Philip Alexander writes in Intelligent Enterprise about “Data Breach Notification Laws: A State-by-State Perspective.” The article is short and readable, and points to his new book, which is likely a good read.


The Cost of Disclosures, and a Proposal

So there’s a spectre haunting my arguments for disclosure, the spectre of cost. I’m surprised none of my critics have brought it up yet. Mailing notices to people, and handling their questions can be expensive. When the personal data being lost is a credit card number, I don’t care that much. When it’s medical data, […]


See, it can be done

I’ll keep this short since you should all be reading Mordaxus’ latest, not this, but speaking of data… This breach report [pdf] from Community National Bank wasn’t sent to consumers, but you can’t say it was short on details.


Cleaning Up

If you haven’t read Steven Johnson’s The Ghost Map, you should. It’s perhaps the most important book in print today about the next decade of computer security. John Snow was a physician who was a pioneer in anaesthesia who turned his attention to cholera when the worst epidemic hit the London where he lived in […]


Replacing Evite

So I hate Evite, even when it brings me to cool parties. You know who you are. Encouraging my friends to enter social network information, and then using it to contact me feels tremendously invasive. Failing to understand that annoys me. Their lame privacy policy infuriates me. Their success at co-opting my friends to sucking […]


Three on Information Sharing

The New York Times has a story, “Teaching the Police to Stay a Step Ahead of Car Theft:” The police have traditionally kept such conversations quiet, fearing they could tip off aspiring thieves. Mr. Bender’s mission is to bring investigators into the digital age and get them to share information, just as their adversaries are […]


Phriday Phish Blogging: Randomly Flagged

One of the things I really appreciate about phishing is that we pay people to discover the zeitgeist and share it with us. There’s little spam advertising fallout shelters or other ways to deal with the Red Menace. I rarely see advocacy about bimetallism in the currency in my inbox. We see what we see […]


We Have Nothing to Fear But Fear Itself

So Ken Belva suggests that we should cordially agree to disagree. (“My Response to Adam Shostack’s Reply on Transparency & Breaches“) I’m happy to be cordial, but I feel compelled to comment on his response. Before I do, I should be clear that I have respect for Ken as a professional, and as someone willing […]


Another Side Of Copyright

These days when you read an article about copyright that involves students, it also involves the RIAA or the MPAA. This article in the Chronicle of Higher Education, on the other hand, is about two high-school students taking on Turnitin. The students specifically asked that certain papers of theirs not be included in Turnitin’s database […]


How to Allocate Resources

The other day, I wrote: I also don’t buy the bad management argument. Allocating resources to security is an art, not a science. I’ll offer up a simple experiment to illustrate that shortly. So here’s the experiment. It works better in person than in blog comments. Ask two experts to write down how they’d allocate […]


UK NHS & Disclosure: A Moral Imperative Example

From, “Pressure grows for UK data loss disclosure:” As a spokeswoman for the Information Commissioner’s Office told last year: “There is nothing in the Data Protection Act that legally obliges companies to inform customers when these things occur.” But, from the BBC, “Children’s details taken in theft:” Health bosses in Nottinghamshire have issued […]


Stop REAL-ID From Wasting Real Money and Liberty

Welcome to the Stop Real ID Now blog. Not surprisingly, we’ll be talking a lot here about the Real ID Act of 2005… and more specifically about an activism campaign that will use the power of blogs, social networks and art as well as creating partnerships and using media outreach to, we hope, stop the […]


Response to Ken Belva on Transparency & Breaches

Over at bloginfosec, Ken Belva takes issue with my claim that “security breaches are good for you,” in the aptly titled “Why security breaches are still bad for you…” His summary and response are well thought out, and I’d like to respond to a few of his points. This is a long post because I […]


TJX Commentary

I keep trying to avoid commenting on TJX, and keep getting drawn back in. The amount of news and analysis out there is large, and I’m selecting islands in the clickstream. (Any advice on who’s covering it well would be appreciated.) In “TJX Lawsuits — 45 Million Credit Cards,” Pete Lindstrom mentions that there are […]


Secure Flight @ Home

Prof. R. H. Anssen of the University of Florence, Colorado working under a Department of Homeland Security Advanced Research Projects grant has released a new paper discussing improvements to SecureFlight that make it much more scalable, while adding in grid-computing and privacy-friendly aspects as well. Expanding upon the ideas of K. P. Hilby and J. […]


Privacy Policy

“Among other changes, the revisions to our Privacy Policy may have changed your preferences for receiving postal mailings from Alaska Airlines and its partners.” Now that’s the power of policy! Photo, text from “Privacy policy update from Alaska Airlines, received March 24, 2007” by JasonJT, on Flickr. He has great outraged commentary.


Worst Breach Ever?

There’s a lot of headlines about how the TJX “Data Theft Grows To Biggest Ever” (Washington Post). The trouble is, that claim is wrong, and it’s wrong even amended to “Biggest reported ever.” The biggest reported theft of personal data is Scott Levine’s theft of over a billion records from Acxiom. As the Department of […]


The Sky Is Not Falling–What Can We Learn?

I’d like to respond to two questions posted to my “Security Breaches Are Good For You” post. Antonomasia writes “there are security events other than customer data disclosure – any thoughts on how those can be subjected to evidence-based assessment?” Blivious writes: “What about other kinds of breaches? The apparent moral standard only applies to […]


Names Don’t Matter, Accountability Does

Riffing on what Arthur has said, I’ll take a slightly different exception to Mike Rothman’s rant on anonymity. Kathy Sierra’s been treated pretty shabbily. The problem isn’t anonymity, it’s a lack of accountability. These people are behaving unacceptably, and we don’t know who they are. However, there are cases where people have acted in similarly […]


Security Breaches Are Good for You: My Shmoocon talk

At Shmoocon, I talked about how “Security Breaches are Good for You.” The talk deviated a little from the proposed outline. I blame emergent chaos. Since California’s SB 1386 came into effect, we have recorded public notice of over 500 security breaches. There is a new legal and moral norm emerging: breaches should be disclosed. […]


On Anonymity

So Mike Rothman thinks that anonymity is for cowards: During the discussion last night, one guy pointed out that sometimes things are too sensitive or controversial or unpopular to say, so anonymity allows folks to do that. I call bullshit on that. Anonymity is the tool of a coward. And while I agree with Mike […]


Portuguese Got to Australia in 1522

Portuguese seafarer Christopher de Mendonca led a fleet of four ships into Botany Bay in 1522. No one noticed before because the map was oriented wrong when it was copied. This is a nice article from


Holding a Lighted Brand up to Damage

Adam comments on some breach commentary, and quotes Nick Owen saying that breaches are a sign of incompetence. I can’t let this stand un-commented-upon. I believe that that is a dangerous comment, and one that needs to be squashed early. It’s like saying that a bug tracking system with lots of bugs in it is […]


Breaches and Brand Damage

Tim Erlin runs some numbers in “Is Brand Damage a Myth” at Ncircle, and Nick Owen follows on with some diplomatically presented thoughts in “Brand Damage, Stock Price and Cockroaches:” My theory is that information security breaches are an indicator of a lack of management competence. Moreover, as discussed previously, information security breaches are […]


Privacy's Other Path

Dan Solove writes: Professor Neil Richards (Washington University School of Law) and I have posted on SSRN our new article, Privacy’s Other Path: Recovering the Law of Confidentiality, 96 Georgetown Law Journal __ (forthcoming 2007). The article engages in an historical and comparative discussion of American and English privacy law, a topic that has been […]


Thumbing A Ride…

The DailyBreeze tells us about how Lorna Herf discovered South Bay BMW in Torrance’s sales policy of “No fingerprint, no car.” The dealership claims that this is an effort to prevent identity theft, though how this would help the customer is unclear. Additionally, this effort is being actively supported by the sheriff’s office. I think […]


A Different X-Box Hack

Back in the day, I was a member of FIRST. (Btw, rumor has it Chris and Adam are presenting at their annual conference this summer). At the time, one of the more prolific posters to the mailing list was Robert Hensing from Microsoft (Adam, if you haven’t met Rob, you should look him up). Anyways, […]


DoS == Vulnerability?

I think that a Denial of Service condition is a vulnerability, but lots of other people don’t. Last week Dave G. over at Matasano posted a seemingly very simple explanation that nicely sums up the way I’d always been taught to think about these sorts of issues: The ability to halt or shutdown most modern […]


Off to Shmoocon!

Where I’ll be explaining that “Security Breaches are good for you.” Come see me speak at 5 PM on Friday. It’ll be … entertaining.


Why BitLocker Won't Help Most Companies

A couple of weeks ago, Mike Rothman linked to an article by George Ou about using EFS and BitLocker under Vista. There he made an extraordinary claim: Since BitLocker won’t encrypt additional hard drive volumes, whether they’re logical partitions on the same physical disk or additional disks, you must use EFS to encrypt those volumes […]


From the Heresy Desk

Before Bruce Schneier started using the term, “Security Theatre” was a term I heard from what I call Real Security People. I was designing a security-oriented NOC, and I interviewed people who built secure sites for a couple of governments, banks, and others. They said that what The Adversary thinks you can do is more […]


Anarchy in the UK?

Via Silicon Strategy, we learn that “Pressure grows for UK data loss disclosure:” The UK is in desperate need of revisions to laws that govern the disclosure of information relating to data loss or theft, according to security experts. Currently UK organisations that lose sensitive customer or employee data, or expose it to others, do […]


Ptacek scores, Pre-Blogging Department with the assist!

Matasano’s Thomas Ptacek had a Groucho-like reaction to being included as a “Top 59” infosec influencer in’s recent list. EC’s Pre-Blogging Department was initially caught flat-footed on this, but predicted in an update that Tom’s view would gain traction. And it has. Meanwhile, Mark Curphey has stirred the pot by leaving the Security Bloggers’ […]


Backus Having Drinks with Hopper

John Backus, leader of the Fortran team has died at the age of 82, according to The New York Times. Fortran itself celebrates its fiftieth birthday this year, and you can still write it in any other language, even Haskell. Even Lisp. Back in the days when I would rather have died than work for […]


Emerging at the Intersection of Art and Commerce

I never really thought much of Hamilton, either. I’m glad this wasn’t done on one of the New Ten Dollar bills. If it was, the Constellation EURion might have prevented me from scanning it for your amusement. (Today, that “feature” is mostly in copiers, but expect it to spread.) In other looking at money news, […]


If I Screw Up, It’s Your Fault!

I can’t help but wonder how many bits have died to hold disclaimers like this one: This message is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure. If you are not the intended recipient you are […]


"You Don’t Need to See His Identification"

Well, here we are, on a list of top influencers in information security, and we’ve barely said welcome to any new readers! Welcome! If you’re just showing up, we’d like to influence you to understand that identification rarely solves security problems by itself. I posted “You Don’t Need to See His Identification,” using a famous […]


We're number 18, but we try harder…

Adam (or perhaps EC?) is one of the top 59 infosec influencers, sayeth Cool. 18. Adam Shostack Emergent Chaos is a group blog on security, privacy, liberty and economics – a self-declared “Emergent Chaos jazz combo of the blogosphere.” While the EC bloggers tend to drift off topic with political posts, they […]


Dating & Background Checks in China

Shimrit sends in this Shanghai Daily story, “Matchmaking site works to cut down deception:” A LEADING Chinese matchmaking Website is to check the age, marital status and other personal details of prospective cyber daters against an official database to prevent deception. Beginning today, will screen its eight million online daters against an ID authentication […]


Reports on Reporting, Compliance

University of Washington researchers Kris Erickson and Philip Howard have an interesting new paper out, “A Case of Mistaken Identity? News Accounts of Hacker and Organizational Responsibility for Compromised Digital Records, 1980–2006.” This is a great survey of the dramatic explosion in reports of breaches. A couple of great quotes: One important outcome of […]


Mommas, Don’t Let Your Babies Grow Up to be County Clerks

At first blush, it seems that an emergency bill in Texas that exempts clerks from state and Federal law about data breaches is a bad thing. However, with closer reading, it looks more like a correction for that pesky old law of unintended consequences. On 23 Feb, the Texas Attorney General ruled that disclosing Social […]


Ignorance is Strength

Via a Stitch in Haste, we learn about more members of the ‘sweep it under the rug’ club: David Oliver Burleson, 49, an anesthesiologist whose license was suspended for two years in October 2005 … acknowledged to the Oregon Board of Medical Examiners that he inappropriately touched women whom he had sedated before surgery. The […]


"Terrorists Proving Harder to Profile"

…terrorism suspects from atypical backgrounds are becoming increasingly common in Western Europe. With new plots surfacing every month, police across Europe are arresting significant numbers of women, teenagers, white-skinned suspects and people baptized as Christians — groups that in the past were considered among the least likely to embrace Islamic radicalism. The demographics of those […]


Dating and Background Checks in the UK

My friend Shimrit saw Cluechick’s post on dating (“Emerging Dating Paranoia“) and wanted to add a bit herself. She works for the UK’s biggest online dating provider. She has a new book coming out, and a blog at “Everyone’s Guide to Online Dating.” She writes: With all the current craziness surrounding online dating background […]


"Voluntary" ID Cards

Anybody who objects to their personal details going on the new “Big Brother” ID cards database will be banned from having a passport. James Hall, the official in charge of the supposedly-voluntary scheme, said the Government would allow people to opt out – but in return they must “forgo the ability” to have a travel […]


"ist nicht verfügbar"

So we had some random DNS trouble recently. I believe everything should be back to normal, but DNS issues can take a while to propagate and be fixed. So apologies for the non-availability. We’ve made procedural changes to make these less likely in the future. Oh, and we lost the SSNs of everyone who had […]


Dennis Lormel's Authoritarian Streak

In a post at the Counter-terrorism blog, “National Security Letters…An Important Investigative Tool for the FBI” Dennis Lormel writes: The Inspector General (IG), U.S. Department of Justice, has issued a report delineating audit findings identifying significant deficiencies in NSL recordkeeping and reporting processes. This determination is quite troubling and inexcusable. Troubling and inexcusable? Well, you’d […]


Power Tends to Corrupt

The Justice Department’s inspector general has prepared a scathing report criticizing how the F.B.I. uses a form of administrative subpoena to obtain thousands of telephone, business and financial records without prior judicial approval. The report, expected to be issued on Friday, says that the bureau lacks sufficient controls to make sure the subpoenas, which do […]


If It feels so wrong, how can it be so right?

Emacs users get addicted to the standard key bindings (which are also available in Cocoa apps). Microsoft Word doesn’t support these by default, but you can add them through customization. Here are the ones I find most useful: StartOfLine: Control-A EndOfLine: Control-E To set these up in Word… …you’ll have to read “Add emacs key […]


Choicepoint’s Error Rate

Choicepoint regularly claims a very low rate of errors in their reports. In the Consumer Affairs story, “Choicepoint gets a Makeover,” Choicepoint President Doug “Curling claims his company has a less than 1/10th of 1 percent error rate.” Now WATE in Knoxville, TN, reports that “Anderson Co. man finds credit report error:” At his insurance […]


Privacy Fears Come True, Again

Two reports in the New York Times: “Driver’s License Emerges as Crime-Fighting Tool, but Privacy Advocates Worry” and “Warnings Over Privacy of U.S. Health Network.” Naturally, we’ll have that sorted out by the time the system ships. No reason for you to be worried that your health records will be automatically scanned to see if […]


Responsible Disclosure and Months of Bugs

I had promised myself that I wasn’t going to post about any of the Month of Bugs projects and that everything that needed saying had been said by people far more eloquent than I. But then Michael over at MCW Research came at it from a different angle saying: I whole-heartedly back these projects as […]


Emerging dating paranoia

When Adam asked me to guest blog on “Dinner, Movie — and a Background Check — for Online Daters“, I promised him I would do it. And then I read the article and couldn’t think of what to say about it. I’m something of a self-proclaimed expert of internet hookups (as anyone who reads ClueChick, […]


"Free the Grapes" Externalizes Risk

Or so “Shipcompliant” would have us believe, with a blog post entitled “Free the Grapes! Updates Wine Industry Code for Direct Shipping Practices.” The new addition to the Code is step 4, which specifies that wineries should verify the age of the purchaser of the wine at the time of transaction for all off-site transactions […]


Chaos and Piracy on the High Seas

“This repo man drives off with ocean freighters” “I’m sure there are those who would like to add me to a list of modern pirates of the Caribbean, but I do whatever I can to protect the legal rights of my clients,” said Hardberger, whose company, Vessel Extractions in New Orleans, has negotiated the releases […]


Iggy Pop on Chaos

[Iggy] wouldn’t tell me who he was talking about specifically, he said, but he believes that the rock business is too big, run by people who know nothing about it. Wasn’t that always the case? “No,” he said, decisively. “The people I met at the top in 1972 tended to be crackpots from the fringes […]


DST is Coming, Run For Your Lives!

In a week, the US and Canada are changing when they go to Daylight Savings Time. It must also be a slow news time, as well, because I’ve read several articles like this, “Daylight-Saving Time Change: Bigger than Y2K?” When Y2K came around, a number of us quoted Marvin the Martian (now of the Boston […]


No RFID In Real ID

So DHS finally released the proposed new standard for drivers licenses as mandated under the Real ID Act. It’s a rather long document (over 150 pages) so I haven’t had a chance to read the whole thing but 27B Stroke 6 has some highlights, including: While some expected Homeland Security to require the licenses to […]


More On Secure Banking

Continuing our tradition of bringing you the news before it’s fit to print, Chris covered “The Emperor’s New Security Indicators” in “Why Johnny Can’t Bank Safely.” Don’t miss Andrew Patrick’s “Commentary on Research on New Security Indicators,” Alan Schiffman’s “Not The Emperor’s New Security Studies,” or Alex’s “Bad Studies, Bad!” As an aside, Chris used […]


Jennifer Granick's awesome explanation

Imagine if, in the 1970s, the tobacco companies had patented devices to measure the health effects of smoking, then threatened lawsuits against anyone who researched their products. I’ve never heard such a clear explanation of why threats to security research are bad. From “Patently Bad Move Gags Critics,” in Wired. The same can be said […]


HIDing At Blackhat

Now HID is claiming that they did not demand that Chris or IOActive cancel their talk. As a result the talk is now back on, but with the details about the device and the demo expurgated. As Chris has repeatedly said, this attack is completely generic and works against any passive RFID tag. Additionally, Nicole […]


Medical Privacy News

There’s a great editorial about how your prescriptions are bought and sold all over the place, “Electronic prescribing is no panacea” by Dr. Deborah Peel, in Government Health IT. Also, Health Care IT news reports that “Federal privacy panel leader resigns, raps standards:” The leader of a federal panel charged with providing privacy recommendations for […]


No, seriously

Somebody — I want to say Rich Mogull, but I cannot find the reference — wrote sarcastically about breach notices almost always saying “At $COMPANY we take security seriously….” as they report how, well…you know. I just finished scanning 183 notice letters I got from New York, covering the last half of 2006. Using an […]


Rootkit on a Stick

The SnoopStick offers full realtime monitoring of another computer. It’s Vista-ready, too, which perhaps says something about Vista security, or perhaps about people who have had trouble working with Vista, or both. Any time you want to see what web sites your kids or employees are visiting, who they are chatting with, and what they […]


Vote Positively With Your Pocketbook

Adam Frucci at Gizmodo is calling for action, “Putting Our Money Where Our Mouths Are: Boycott the RIAA in March.” I don’t disagree with him on the basics. I believe that consumer revolt is a misunderstood power. If you don’t believe me, I can prove it with one TLA: DAT. If your response to that […]


Blackhat Do It Again

Looks like HID hasn’t learned anything from Cisco’s experience two years ago. One of these years more vendors will learn how to manage vulnerability disclosure and follow the lead of companies like Microsoft and Cisco rather than sticking their foot in it. Chris Paget a well respected researcher is going to present at Blackhat Federal […]


It’s "privacy," Jim, but not as we know it.

The Canadian Privacy Commissioner has issued a number of new rulings, essentially ruling that anyone in Canada can request an ID card whenever they want. The first, summarized by Michael Geist in “Privacy Commissioner on Domain Name Registrant ID Requirements” says: requirements of personal identification, such as a driver’s license, in order to change the […]


Emergent Meanings of Privacy

There’s a really fascinating article in New York Magazine, “Say Everything:” And after all, there is another way to look at this shift. Younger people, one could point out, are the only ones for whom it seems to have sunk in that the idea of a truly private life is already an illusion. Every street […]


A telling remark

In the “inconvenient coincidences” category, it seems that Al Sharpton’s great-grandfather was a slave owned by relatives of the late segregationist US senator Strom Thurmond. Thurmond’s niece, Ellen Senter (via an AP report) provides an interesting perspective: I doubt you can find many native South Carolinians today whose family, if you traced them back far […]


Information Leaks

I was on the last flight back west on a Friday night, glad that it looked likely I was going to get home. Even better, I’d been upgraded. I flopped into my seat, pulling out the noise-canceling headphones, laptop power adapter, books, and all that other stuff that makes a long flight an oasis of […]


On the TJX Breach

So there’s been a stack of news stories on TJX and the issues with their database. I want to comment on an aspect of the story not getting a lot of coverage. In the Cincinnati Enquirer story, “Fifth Third has role in TJX hole,” Mike Cook is quoted as saying “If you are a consumer […]


"A trade founded in iniquity"

At Balkinization, Scott Horton discusses how “Two Hundred Years Ago Today, the Global Campaign for Human Rights Achieved Its First Victory:” “As soon as ever I had arrived thus far in my investigation of the slave trade, I confess to you sir, so enormous, so dreadful, so irremediable did its wickedness appear that my own […]


Department of Pre-Blogging: Waziristan

Back in September, we covered how Pakistan and Waziristan had a peace deal, essentially, a deal with al Qaeda. In it, I commented on how people would get medals for “convincing al Qaeda to get a territorial base which we can bomb.” Now, in “Al Qaeda Chiefs are seen to regain power,” the Times reports: […]


Not Selling But Marketing

As promised last week, I have more to say on selling security. Well sort of. Actually, I’m going to try a new approach. I’m increasingly convinced that to get real attention on security, we need to stop thinking about selling, awareness or even training users. We need to be marketing security, more specifically we need […]


Why We Fight

TJX appears to have suffered little financial fallout. Its stock fell just 2 percent yesterday after the company disclosed the new problems, along with its fourth-quarter earnings. For the three months ended Jan. 27, TJX said, profit fell to $205 million from $288 million in the same period a year earlier. Store closings led TJX […]


Wretched Word of the Week: Trust

Where to start on this one? Trust as we use it means so many things. Then there’s the word trusted. Beyond that, there is trustworthy. A bullet point on a slide I recently saw said, “Trusted computing is not trustworthy computing.” Oh, how nice. Even better, “Trusted Computing does not mean trustworthy or secure.” I […]


Data Collection about Breaches

In “Once a data loss report, always a data loss report?” Dissent asks about what we should be collecting and analyzing. Scenario 1: “We thought we had lost a computer with sensitive customer records, but it turns out we didn’t lose it.” Should that entry in a breach list be removed? I think that the […]


Award-winning scrotum

The New York Times writes about “The Higher Power of Lucky“, a children’s book which recently won the Newbery Medal. As someone who has purchased his share of kids’ books, I assure you that the Newbery — and its companion the Caldecott Medal — signal quality to buyers. In this case, though, some parents and […]


Visualizing Breach Data

Using IBM’s cool “Many Eyes” service (now in alpha), I played for a few minutes with some breach data. Nothing more than the size of each entry in Attrition’s database, and its date. Looks kinda cool, I think.


There’s A List?

I received the following in the mail the other week and while I was initially amused that I was getting this without asking for it, it took my wife pointing out the irony of there being an actual directory at all:


More On Selling Security

Chandler says that “would rather be understood than perfect” in response to Mordax’s call to stop cutesy names for attacks. In doing so, he says: Second (and I know this has been mentioned elsewhere in the world), instead of talking about vulnerabilities within the Software Development Lifecycle, I just talk generically about them as a […]


Advances in Conference Usability

A little bird reports that at the Usable Security Conference they handed out conference proceedings in PDF form on a flash drive. I’m told that the flash drive was cheaper than printing on paper. I hope this trend spreads, as I’m always lugging back paper from conferences along with the inevitable bag or t-shirt. Flash […]


DVD Player Advice?

I’d like to buy a cheap DVD player, and bet someone reading can tell me: Who’s the Apex of 2007? That is, who’s making cheap, consumer-friendly DVD players? I’d like one that’s: region-free fully controllable (none of that “we’re sorry, you have to watch the ads” crap) good at error-correcting for scratched up DVDs.


Let’s Stop Cutesy Names for Attacks

Orwell said it best in “Politics and the English Language,” and if you haven’t read him recently, you should. Abuse of the language has adverse effects on thought, and it’s true in security as well as politics. He gives some wretched examples and says of them: Each of these passages has faults of its own, […]


Professional Ethics

Cutaway’s post about ethics at RSA reminded me that I wanted to post about this as well. Like Cutaway, I attended “Professional Ethics in the Security Disciplines” which was chaired by Howard Schmidt and the panelists were representatives of SANS, (ISC)², ASIS and ISACA. All in all, despite Howard’s expert moderation, I remain underwhelmed […]


Credentica Launches U-Prove

Montreal, QC (PRWEB) February 13, 2007 — Credentica , a Montreal-based provider of innovative security software for identity and access management, today announced the immediate availability of its U-Prove product for user-centric identity management. The U-Prove product enables organizations to protect identity-related information with unprecedented security throughout its lifecycle, wherever it may travel. It is […]


Ignite Seattle

I attended Ignite Seattle last night. It was awful. Don’t attend next time. No, just kidding. It was great, and very crowded. There were some really awesome talks. I’m inspired to put a talk together for next time. My favorites from last night were: Elisabeth Freeman gave a great talk on how the Head First […]


Identity theft numbers: Javelin vs. FTC

So there was a bunch of press last week from a company (Javelin) claiming that ID theft was falling. Consumer Affairs has a long article contrasting Javelin and FTC numbers, well summarized by the claim that “FTC Findings Undercut Industry Claims that Identity Theft Is Declining.” I think that there’s an interesting possibility which isn’t […]


Department of pre-blogging, II

A bit of background. Sun recently got hit with a 0-day that was 13 years in the making, by seemingly repeating a coding worst practice that bit AIX back in 1994 — trusting environment variables under the control of an attacker. A slightly more complex variant bit Solaris’ telnetd in 1995. From the advisory (NSFW) […]


Flying Without an ID

I’ve been inspired by Christopher Soghoian’s efforts to fly without having to show ID. I figured that my return flight from RSA was the perfect time to try it for myself. I was flying without my family and had lots of time to spare. Chris has previously reported on fun flying out of SFO, I […]


When I Hear "Precise Machining," Iran Springs to Mind

The New York Times has an article “U.S. Presents Evidence of Iranian Weapons in Iraq.” It contains this gem: They said that at least one shipment of E.F.P.’s was captured as it was being smuggled across the border from Iran into southern Iraq in 2005. The precise machining, the officials said, is another feature that […]


Party like it's 1994

A 0-day in Solaris {10,11} telnetd is reported. SANS has some details. Anyone who remembers the AIX “rlogin -froot” vuln will appreciate this one. (h/t to KK on this one)


Astronaut Screening & Privacy

Following up on the issue of astronaut screening, there’s an article at MSNBC, “Former NASA doctor says agency must do more,” in which “NASA flight surgeon and professional psychiatrist Patricia Santy” discusses the screening which takes place. It’s an interesting article, in which she discusses the tension between NASA’s organizational culture and psychological screening. What […]


Breach irony

According to Courtney Manzel, Counsel – Office of Privacy, Sprint Nextel Corporation, reporting a breach pursuant to NY’s notification law: A laptop computer was stolen from the human resources department of Velocita Wireless during a rash of office burglaries in the Woodbridge, New Jersey area. The laptop computer was one of many items stolen. It […]


Best Sign at RSA?

Ryan Russell shows his loyalty by claiming this is only the second-best ad at RSA. The words beneath the sign read “Beware of false positives:” Incidentally, this is an advertisement, trafficking in stolen property, referring to another ad campaign which caused mass hysteria, and flipping off its audience. What’s not to love? Kudos to Cyberdefender […]


Astronauts and Terrorists: Limits of Screening

So we here at Emergent Chaos have carefully refrained from using the phrase “astronaut in diapers” not because we think that it is now incumbent upon the blogosphere to maintain what little dignity remains in American journalism, but because, within about nine minutes of the arrest of Lisa Nowak, the blogosphere had thoroughly digested the […]


Must-Read Article: The Ecstasy of Influence

This is in Harpers, “The Ecstasy of Influence.” It is an interesting meditation on the nature of art itself and how art is composed of other art. However, not only must you read this, you must read it all the way through to understand it and why it is important.


Coviello: RSA 2010 Will be Last Conference

Okay, that’s not precisely what he said. What he said was that in “two to three years” there will be no more “standalone security solutions.” Meanwhile, the tradeshow floor of the RSA conference seems to be enjoying something of a renaissance, which is good to know, as the theme of the conference is, well, The […]


Telephone Privacy

Privacy, being the right to be left alone, is hard to get with a telephone. Two interesting stories make a trend, and we report on trends here. Or something. I think that the profusion of new services around telephone privacy are the start of an interesting market backlash against the cell phone’s effect of making […]


If You Blow Hard, You Can Find a Disclosure Debate

So there’s a video of how to “Unlock A Car With a Tennis Ball.” I advise turning the sound off-there’s no value to a bad pseudo-rock soundtrack, and no information in it (all the narration is in text in the video). There’s also precious little information in the video. It’s not clear what make or […]


Why Johnny Can’t Bank Safely

Stuart E. Schechter, Rachna Dhamija, Andy Ozment, and Ian Fischer have written a paper which examines the behavior of persons doing on-line banking under various experimentally-manipulated conditions. The paper is getting some attention, for example in the New York Times and at Slashdot. What Schechter et al. find is that despite increasingly alarming indicators that […]


I Was Wrong

I’ve had a conversation recently with a CSO about breach disclosure. His shop had screwed up and exposed, well, an awful lot of social security numbers. They feel really bad about it, and they don’t think anyone will really be hurt. Gosh darn it, he was really sincere. So I take it back. We should […]


Defend Traditional Marriage In Washington

The Washington Defense of Marriage Alliance seeks to defend equal marriage in this state by challenging the Washington Supreme Court’s ruling on Andersen v. King County. This decision, given in July 2006, declared that a “legitimate state interest” allows the Legislature to limit marriage to those couples able to have and raise children together. Because […]


DRM, digitally coded music, and information

Arthur wrote recently about an NYT article about dangers of the iPhone. The NYT has a bizarre policy about articles which makes them available for only a few days, so likely you’ll have to take my word about that article. I liked this article a lot because it mentions eMusic. I’m an eMusic customer and […]


Jim Gray Missing, please help

[Updated: This has somehow come to #3 on Google. The best place for up to date news is the Tenacious Search blog.] On Sunday, January 28th, 2007, Jim Gray, a renowned computer scientist was reported missing at sea. As of Thursday, Feb. 1st, the US Coast Guard has called off the search, having found no […]


Friday Phish Blogging: Bank of America

Today’s Friday Phish blogging comes to you pretending to be from Bank of America: It appears here in our system that you or a wrong person is usually trying to log into your account, in nine differnt occasions have you or (person) provided us a nearly correct answer to your site-key challenging question, of which […]


Dave Molnar, Call Matt Blaze

Dave Molnar has some good comments on ‘Stolen ID Search.’ He writes, starting with a quote from “ben:” “I can’t believe you are advocating typing your ssn or credit card into a mystery box.” That’s “ben”, commenting at TechCrunch on Stolen ID Search, a service from Trusted ID that will tell you if your social […]


Department of Pre-blogging

Make sure to check out the blog posts Bruce Schneier and a host of others will soon make regarding the paralyzing effect that silly Blinkenlights ads for Aqua Teen Hunger Force had in Boston. The coordinated response by all departments proves the system we have in place works. Boston Mayor Thomas Menino Behold the power […]


Security Cameras and the Obedience Imperative

“People are shocked when they hear the cameras talk, but when they see everyone else looking at them, they feel a twinge of conscience and comply,” said Mike Clark, a spokesman for Middlesbrough Council who recounted the incident. The city has placed speakers in its cameras, allowing operators to chastise miscreants who drop coffee cups, […]


Non-Tangible Security

eBay is stopping all sales of “virtual artifacts.” Maybe. This story comes from a Slashdot article in which Zonk talks to Hani Durzy, of eBay about it. They are handling this by merely enforcing an existing policy which says: “The seller must be the owner of the underlying intellectual property, or authorized to distribute it […]


Mordaxus, redux

We’ve enjoyed having Mordaxus with us for the last month or so, and are pleased that he’ll be sticking around as a permanent member of the Combo. A few quick comments on my pseudonymous cohorts. First, why do I have pseudonymous co-bloggers? There’s a long history of artists appearing under names not their own, […]


Is this idea feasible?

With all the reports of lost backup tapes, I wonder if it would be technically feasible to keep an eye on them using RFID tags. If a tape “tries to leave” a facility without having been pre-authorized, bells go off. If a tape can’t be found, there’s a record of where it was last detected […]


Speaking of Secret Events You’re Not Invited To

There’s a blogger get together at the Foreign Cinema Wednesday night of RSA. 5PM – 8PM. We’ve been trying to coordinate via email, but I figured we should publicize our secret conference now. Remember, this will be the most blogged event of RSA. If you want in, blog about the event and trackback Martin McKeay. […]


Secrecy is not Privacy

So, I’m really irked by headlines like “Microsoft’s ‘Secret’ Security Summit.” First, it wasn’t Microsoft’s summit. It was an ISOTF meeting that had public web pages. Microsoft provided conference facilities and lunch. I don’t think we even bought the beer. Second, it wasn’t a secret. It has web pages: “Internet Security Operations and Intelligence II […]


From the "A Child Shall Lead Them" Desk

Response #24 in a discussion on FlyerTalk: My 10-y.o. son, like many kids, believes that backpacks have to be overloaded to work. Recently, at LAX T-6 (shoe carnival central), the TSA removed 2 partially full water bottles from his backpack after x-ray screening. On the return flight, at JFK T-9, they found 2 more, both […]


It’s a Flawless Plan for Making Money

First, you take a business away from legitimate enterprises, claiming only the state can run it without it sinking into a wretched hive of scum and villainy. Then, you ban competition. Then, you decide that you’re better off selling the monopoly rights to the highest bidder. It’s what Illinois is doing with their state lottery. […]


There are three types of authentication

They are: Something you’ve lost, Something you’ve forgotten, and Something you used to be. Here is a sad tale of a man who has a failure on (3), realizes he’s done (2), and his solution to the problem. It’s a classic tale of how more is often less when it comes to security. Lest you […]


I'm Glad I'm a Beta!

27B Stroke 6 tells us of a story. The domain was removed from the net by GoDaddy, its registrar. Why? Because MySpace complained. He’s got a mailing list archive and it has some stuff in it that pissed MySpace off — security information about phishing attacks. That’s well and good, but GoDaddy yanked the […]


Rely only on the secrecy of that which can be easily changed

The title is a statement of Kerckhoffs’ principle. A cryptographic system is only secure if the security of the system doesn’t depend on the whole system being secret. And there’s an interesting lesson there for Diebold. You see Diebold sells ATMs and voting machines. And they posted pictures of the key that allegedly opens every […]


When a 0% Success Rate is Worthwhile

There’s an article in, about “Turkish Hacker Depletes 10,000 Bank Accounts ” A criminal enterprise comprised of 10 individuals who drained the accounts of 10,580 customers by sending virus-infected e-mails was busted in Istanbul. … The suspects reportedly sent virus-infected emails to 3,450,000 addresses, and subsequently drained 10,850 bank accounts. That’s a hit rate […]


Old-Fashioned Values

This is probably the most important minute of video you’ll see this week, but on a better week, it won’t be. Thanks to manfromlaramie for finding this.


Funniest Spam of the Week

Hmmm, what to do, what to do? This is so funny on so many levels. How can you not like a phishing attack where the hook is a poll based on eBay being closed because of so many phishing attacks? January 19, 2007 Dear eBay Community: We have decided to close eBay on 27 February […]


Two Quickies on Credit

“The spread of the credit check as civil rights issue,” in the Christian Science Monitor: Bailey, with her lawyer, has lodged a complaint against Harvard charging racial discrimination. The reason: Studies show that minorities are more likely to have bad credit, but credit problems have not been shown to negatively affect job performance. and “Insurers […]


Information Security Needs

The NYT reports, “Rough Treatment for 2 Journalists in Pakistan” and indeed reporting is dangerous in countries where they do not respect the sort of basic rights we in the civilized world have championed for nigh 800 years. However, a computer was seized, sources were roughed up and possibly jailed or killed: Since then it […]


Everything Old is New Again

“They are a handful of miserable resuscitators of a degenerate dead religion who wish to return to the monstrous dark delusions of the past,” said Father Efstathios Kollas, the President of Greek Clergymen. Hundreds of followers of Zeus, Hera, Poseidon, Artemis, Aphrodite and Hermes stood in a circle, a mile from the Acropolis, in what […]


Habeas Corpus? What Habeas Corpus?

On January 18th, Attorney General Alberto Gonzales testified in front of the Senate Judiciary Committee. As part of the hearings, there was a discussion of habeas corpus. As part of that discussion, Gonzales said: There is no express grant of habeas in the Constitution. Yes that’s right, our own Attorney General thinks that there is […]


A compromising position

Does Pete Lindstrom need to buy a dictionary? You make the call. In a recent post at Spire Security Viewpoint, he suggests that the folks at might be liars: I am starting to see (and hear) this “100 million records lost since February, 2005” figure referenced in a number of places such that it […]


Liberty Bags

Phil offers up some thoughts on Liberty Bags, named in the tradition of patriot bins and freedom tables. Phil, I think you need to wrap your items in bacon.


BenL on OpenID and Phishing

Ben Laurie (of Apache-SSL fame) posted a great analysis of a major design problem with OpenID calling it a “Phishing Heaven”. So, I can steal login credentials on a massive basis without any tailoring or pretence at all! All I need is good photos of kittens. I had hoped that by constantly bringing this up […]


More on the CIPPIC Report

A few days ago, Chris covered the release of a report from the Canadian Internet Policy and Public Interest Clinic, “Approaches to Security Breach Notification” (PDF). This is highly readable and important analysis. If you care about breaches, read it. I’d like to add some notes from my reading of it. First, the report talks […]


CIBC, 470,000 Canadians, lost tape

I’d attribute our knowledge that “CIBC loses info on 470,000 Canadians” (reported in the Globe and Mail) to the new transparency imperative, but as the CIPPIC survey makes clear, privacy regulators are finding notice requirements in extant laws. (More on that excellent survey soon.) Also note that the Globe and Mail seems to think that […]


It's Amazing What A Little Oversight Can Do

Two in the Washington Post today: “Secret [FISA] Court to Govern Warrantless Taps” and “Vast Data Collection Plan Faces Big Delay:” In a report to Congress to be released today, the Treasury Department concluded that the program was technologically feasible and has value, but said it needs to determine whether the counterterrorism benefit outweighs banks’ […]


"Not Having a Discussion About What I'm Buying? Priceless."

There’s a fascinating article in Sunday’s New York Times, “Money Doesn’t Talk.” The money quote: Through her store, Pesca, Ms. Azizian has earned her financial independence, but to avoid the disapproval of her husband of 27 years, she adopts a low profile by using cash. “His tastes aren’t as expensive as mine, and he doesn’t […]


Security Through Obscurity, The Next Big Thing

PCMesh, a Canadian company, has something Better Than Encryption. Encrypted files are still visible on the hard drive. This makes them vulnerable to attack from anyone who is interested enough in the content of the files to spend time trying to decipher them. And with more and more hackers intent on defeating modern encryption algorithms, […]


New Year's Resolution Dept. — Protecting Against Identity Theft

It’s the MLK Day holiday weekend. That means that one’s headache has subsided to the point that one can no longer hear one’s nose hair growing, and the cat is padding rather than stomping. It also means that it’s time for New Year’s Resolutions! If yours is to get better control over your information privacy, […]


Report: Approaches to Security Breach Notification

The Canadian Internet Policy and Public Interest Clinic at the University of Ottawa has published a report entitled Approaches to Security Breach Notification[pdf]. From the Introduction: This White Paper considers the need for an explicit obligation in Canadian privacy law to notify affected individuals of a breach in an organization’s security that places those individuals’ […]


New York Times on DRM

“Want an iPhone? Beware the iHandcuffs” says The New York Times in today’s edition of “Your Money”. Unfortunately it doesn’t really say much about the iPhone and crippleware beyond saying that it will be limited in music playing in effectively the iPod. However the article does a very nice job of covering the state of […]


Going the extra mile

As a control against identity theft, firms operating on-line often send snail mail confirmations to their customers when such things as site passwords, beneficiaries, or customer addresses have been changed. This allows the customer to review such changes and catch any that may have been unauthorized. I was the recipient of two such pieces of […]


Credit Card Data Over AOL IM

From the files of “too good to make up”, reports a story from a couple of years ago about his credit card data being sent over AOL Instant Messenger. Essentially he bought some merchandise at a shop which didn’t have a point of sale terminal so the clerk was IMing all credit card data […]


Full Disclosure == Torture

Or so says the Mogull over at Securosis. This particular section sums up my own feelings about the necessity of full disclosure quite well. I think we need full disclosure as a tool in our arsenal, and that most of the researchers dropping these vulnerabilities think they’re doing good, but full disclosure needs to be […]


Robert Anton Wilson Defies Medical Experts

Robert Anton Wilson Defies Medical Experts and leaves his body @4:50 AM on binary date 01/11. All Hail Eris! On behalf of his children and those who cared for him, deepest love and gratitude for the tremendous support and lovingness bestowed upon us. (that’s it from Bob’s bedside at his fnord by the sea) RAW […]


A Pleasure Doing Business With You!

The BBC reports that the United Kingdom’s 1945 war debt to US [is] ‘almost paid’ and [was] paid off at the end of last year: The final payment of £45m will be made by the 31 December, meeting a 1945 obligation to repay the debt in full. In unrelated news, I’m told that neither the […]


What Congress Can Do To Prevent Identity Theft

Seventy Percent of Americans think we need more laws to protect them from identity theft and all that. I can think of a situation we need protection from. Here is a scenario. Let us take the case of a lender, Larry. We need a law to make it so that if Larry lends money to […]


Bay Area Security Incident Exercise

For those who are located in the SF Bay Area (or will be there on February 21st), the Silicon Valley ISSA Chapter is hosting a one day mock security incident exercise. The goal of the exercise is to explore how different organizations and industries must work together to respond to events based on their organizational […]


FTC Accepting Comments on ID Theft

The President’s Identity Theft Task Force announced that it is seeking public comment on various possible recommendations to improve the effectiveness and efficiency of the federal government’s efforts to reduce identity theft. The Task Force is chaired by Attorney General Alberto R. Gonzales and co-chaired by Federal Trade Commission Chairman Deborah Platt Majoras and participants […]


Secret Laws, Obnoxious Laws … No Law's Not Looking So Bad

First, from 27B/6, we learn that “Supremes Won’t Hear Secret Law Challenge,” and that the administrative agencies such as TSA are free to propagate laws and regulations we can’t see or challenge. Second, via Kansas City Newzine, we learn about the totally screwed up set of rules which are ‘REAL ID,’ featuring this chilling quote: […]


Choicepoint reports $50M more expenses, some due to breach

The Atlanta Business Chronicle reports that “ChoicePoint tumbles to third-quarter loss:” ChoicePoint Inc. went into the red in the third quarter, hurt by about $50 million in charges related to asset impairment, stock expenses and legal fees from a data breach in 2005. ChoicePoint’s losses are a severe outlier. As I said in March, 2005, […]


That’s Funny….

Over the last week, I’ve read several things involving poor Lind Weaver. In case you missed it, she’s a 57-year-old owner of a horse farm. She got a bill for the amputation of her right foot. As you should expect if you’re a regular reader here, it wasn’t her. Comic hijinks ensue which conclude with […]


Pragmatic Redux

Late on Friday night, Mike Rothman finally posted a response to some of my questions from last week. Most notably he reveals who the Mike in his “Ad” is: The answers are pretty straightforward. Mike, the Pragmatic CSO, is a fictional character. For those of you a little slow on the uptake, that means he […]


A Pledge

Having thought about my previous post, “On airport advertising,” I’d like to see what content-based restrictions are in place. If the ACLU applies and is accepted, I’ll donate $500 for the ACLU to buy bins that advise people of their rights when passing through airport screening. [Update/clarification: I’ll pay for the ACLU to inform travellers […]


On airport advertising

Via Eric Rescorla, who has insightful comments, and Boingboing, we learn that “TSA Pilot Would Offer Ads at Airport Security Checkpoints.” A few chaotic comments: What authority does TSA have to sell advertising? Isn’t Congress supposed to fund their operations? The advertisers will “who will provide divestiture bins, divestiture and composure tables, and metal-free bin […]


United Airlines Customer Service

I was wondering what United Airlines customer service did. This screen capture seems to make it all clear. United Airlines has been featured before, in “Dear United.” To be fair, I met a very nice and human supervisor while I was stuck in Denver due to their crew change, but he maintained the claim that […]


Insuring Against Data Loss Losses

Matt Hines reports on a growing market for corporate insurance, responding to concerns about breach laws, in “Dark Day Planning: Insuring Against Data Loss:” As a result of the widening impact of data losses, AIG has seen its business of providing insurance for potential corporate security failures shift increasingly toward protection for privacy-related risks. Another […]


Joanna on Stealth Malware

Joanna Rutkowska of Blue Pill fame, gave a presentation at the recent Chaos Communication Congress on “Stealth malware – can good guys win?“. Unfortunately, I couldn’t make it to the presentation in person, but the powerpoint slides are a great read. I highly recommend it. Definitely food for thought. [Image is Hypervisorus Blue Pillus from […]


A Request

My latest request for documents under New York State’s freedom of information law was just responded to. There are 1289 pages of documents covering the period 6/2006 to 12/2006. By way of comparison, my two previous requests covered the period 12/2005 to 5/2006, and yielded 400 pages or so. The nice folks in NY made […]


Hmmm…Breach Notification…Australia…

So there’s an article in ZDNet Australia, “Establish a strategy for security breach notification.” All well and good, but Australia doesn’t have a breach notice law. (As far as I know.) So all you ‘new normal’ skeptics, who don’t believe me that standards are changing ahead of laws…why did a competent journalist writing for editor […]


Goat Security

It seems that the Gavle goat survived the holiday this year. Giant goats in Gavle seem to have about a 20% survival rate, with this year’s being only the 11th to survive the holiday season since 1966. No word on what fire-retardant was used, which is too bad. How are other 13 meter straw goats […]


The Pragmatic Reviewer

Today Mike Rothman launched his new book “The Pragmatic CSO” at the astounding price of $97. I took the plunge and downloaded the introduction and it isn’t half bad, but aside from a cute dialogue at the beginning it doesn’t really read differently than any number of other security books I have on my shelf. […]


When Planes Fell From the Sky

The excellent ‘Notes from the Technology Underground’ has some personal recollections of “when planes fell from the sky:” In the 1950s, planes crashed with alarming frequency into city neighborhoods near the Minneapolis-St. Paul airport. At least one devoured a house near where I now live, in Southwest Minneapolis. I heard from older neighbors about the […]


Five Things You Don't Know About Me

Dear Bob, You may think I’ve been ignoring your post, but I’ve been trying to decide how to approach it. This morning, courtesy of Scoble, I found Hugh McLead’s post on the subject: I dislike you intensely. I love it when bad things happen to you. When your name is mentioned I immediately try to […]