Shostack + Friends Blog Archive


Quick Links: 2017-Present | 2016 | 2015 | 2014 | 2013 | 2012 | 2011 | 2010 | 2009 | 2008 | 2007 | 2006 | 2005 | 2004

Happy New Year!

Our new year’s resolution is to show a sense of childlike wonder at and acceptance of everything we come across, especially this year’s leap second. Incidentally, this post is scheduled to go live at 2008-12-31 23:59:60. Let’s see what happens! Update: Movable Type complained when I tried to save the post: “Invalid date ‘2008-12-31 23:59:60’; […]


Now will you believe MD5 is broken?

I’m just sitting here blinking, having a Brecht moment in which I am laughing at those who are crying and crying at those who are laughing. At the CCC congress, a number of people did something dramatic — they created a forged SSL certificate. It’s dramatic, but nothing special. We’ve known that MD5 is broken […]


Happy Newton, everyone!

In honor of Newton’s Birthday festival, I therefore propose the following song, to be sung to the tune of “The Twelve Days of Christmas.” For brevity, I include only the final verse. All together now! On the tenth day of Newton, My true love gave to me, Ten drops of genius, Nine silver co-oins, Eight […]


Gavle Goat Gone

The Gavle goat survived until the 27th this year, but as the BBC reports, “ Festive goat up in flames again.” Previously: “Goat Security,” “13 Meter Straw Goat Met His Match.”


I miss Montreal

When Seattle is covered in snow, it’s easy to miss Montreal. Now, folks in areas that get lots of snow like to make fun of Seattlites for being unable to handle a little snow, but it turns out that there’s another reason (beyond the steep hills) the city has a (ahem) unique approach: “Seattle refuses […]


At the tail end of the car series…

Originating from Wootton High School, the parent said, students duplic ate the license plates by printing plate numbers on glossy photo paper, using fonts from certain websites that “mimic” those on Maryland license plates. They tape the duplicate plate over the existing plate on the back of their car and purposefully speed through a speed […]



40 years ago, NASA released this first [human-taken] photo of the Earth from far away: [Update: The BBC has a nice story.]


News and Lessons from the Auto Market

“There are no hot segments,” said George Pipas, Ford’s market analyst. “And there really are no hot products.” So closes an article, “Automakers Report Grim October Sales.” GM, sales down 45%. Ford, -30%. Chrysler, -34.9%. Toyota, -23%. Honda -25%, Nissan -33%. MINI Cooper: Up 56.4%. Soon, Ford will be caring about MINI’s market of “only” […]


Designing Cars

I was struck by this quote in “Edgy, Yet Still Aerodynamic” an article in the New York Times about how new cars are being designed and tested: , To his surprise, in hundreds of tests at Ford’s Wind Tunnel 8 southwest of Detroit the original edges produced less drag than curved substitutes, Mr. Koester said. […]


December 21, 1968

It was even more exciting on a black and white Zenith. Image: Nasa photo 6871798


This is the farewell shoe, you dog

Bloomberg is reporting that “Shoe Hurled at Bush Flies Off Turkish Maker’s Shelves : Baydan has received orders for 300,000 pairs of the shoes since the attack, more than four times the number his company sold each year since the model was introduced in 1999. The company plans to employ 100 more staff to meet […]


Thoughts on the Somali Pirates

Stratfor’s podcast on the seizure of that Saudi oil tanker contained a fascinating tidbit: merchant ships are no longer allowed to carry arms at all, which, of course, makes piracy far easier. This is a dramatic transformation of the rights of merchant ships. Historically, private ships carried weapons when sailing far out of their own […]


Citizens, Juries and other Balances

Following on my post on Parliaments, Dukes and Queens, I’d like to talk about other checks on the power of government, besides throwing tea into the harbor. In Britian, “a jury has failed to clear police in the death of Jean Charles de Menezes.” The jury is the first group who, frankly, has not whitewashed […]


Evidence of Time Travel Found in China

According to Ananova, a Swiss watch-ring has been found covered in dirt in a four-hundred year old Ming dynasty tomb. The watch was found, covered in dirt. It was stopped at the time 10:06 and has the word, “Swiss” engraved on the back. The archaeologists on the dig have requested archaeologists from Beijing to help […]


Happy Boston Tea Party Day!

It was 235 years ago today that the Sons of Liberty threw tea into Boston harbor, and they still haven’t been able to clean the place up. Please join me in celebrating this most American response to taxation.


Of Parliaments, Dukes and Queens

Four interesting stories recently, all having to do with the ancient relationship between a sovereign and a parliament, or the relationship of hereditary rulership to democracy. I secretly admire the emergent forms of government which have proven stable despite their chaotic origins. I’m fascinated by these imperfectly republican nations like Canada and the United Kingdom, […]


As easy as dialing a phone

People often make the claim that something is “as intuitive as dialing the phone.” As I was listening to “Dave Birch interviewing Ben Laurie,” I was reminded of this 1927 silent film: Ben commented on people having difficulty with the CardSpace user interface, and it not being as intuitive as having your email address being […]


Working Through Screens

Jacob Burghardt has a very interesting new ebook, “Working Through Screens.” If one was to summarize the status quo, it might sound something like this: when it comes to interactive applications for knowledge work, products that are considered essential are not always satisfactory. In fact, they may be deeply flawed in ways that we commonly […]


Do Security Breaches Cost Customers?

Adam Dodge, building on research by Ponemon and Debix, says “Breaches Cost Companies Customers,” and Alan Shimel dissents in “Do data breaches really cost companies customers?” Me, I think it’s time we get deeper into what this means. First, the customers. Should they abandon a relationship because the organization has a security problem? To answer […]


Privacy Rights & Privacy Law

First, the European Court of Human Rights has ruled that the UK’s “DNA database ‘breach of rights’:” The judges ruled the retention of the men’s DNA “failed to strike a fair balance between the competing public and private interests,” and that the UK government “had overstepped any acceptable margin of appreciation in this regard”. The […]


Two Buck Barack

So the New York Times is breathless that “Obama Hauls in Record $750 Million for Campaign.” A lot of people are astounded at the scale of the money, and I am too. In a long, hard campaign, he raised roughly $2.50 per American, and spent slightly less than that. Unusually, he ended his campaign not […]


Eric Drexler blogging

At Way cool. I look forward to what he has to say. Unfortunately, one of his early posts falls into the trap of believing that “Computation and Mathematical Proof” will dramatically improve computer security: Because proof methods can be applied to digital systems, and in particular, will be able to verify the correctness (with […]


DataLossDB announces awesome new feature

The Data Loss Database, run by the Open Security Foundation, now has a significant new feature: the inclusion of scanned primary source documents. This means that in addition to being able to determine “the numbers” on an incident, one can also see the exact notification letter used, the reporting form submitted to state government, cover […]


Happy Repeal Day!

Today is the 75th anniversary of the repeal of the blanket prohibition of alcohol sales in the United States. Go pour some Champagne, Cava, or fine California bubbly and read Radley Balko’s excellent “Lessons of Prohibition.” Photo: Jensen.Pernille. Thanks to Sama.


Videos of me

The employer has been posting them at a prodigious rate. There’s: “Threat Modeling at EMC and Microsoft,” Danny Dhillon of EMC and myself at BlueHat. Part of the BlueHat SDL Sessions. Also on threat modeling, Michael Howard and I discuss the new SDL Threat Modeling Tool Michael Howard and I also discussed the new SDL […]


The Costs of Fixing Problems

I enjoyed reading Heather Gerkin’s article: “The Invisible Election.” I am one of the few people to have gotten a pretty good view of the invisible election, and the reality does not match the reports of a smooth, problem-free election that have dominated the national media. As part of Obama’s election protection team, I spent […]


You versus SaaS: Who can secure your data?

In “Cloud Providers Are Better At Securing Your Data Than You Are…” Chris Hoff presents the idea that it’s foolish to think that a cloud computing provider is going to secure your data better. I think there’s some complex tradeoffs to be made. Since I sort of recoiled at the idea, let me start with […]


Virgin America

I flew Virgin Atlantic for the first time recently, for a day trip to San Francisco. I enjoyed it. I can’t remember the last time I actually enjoyed getting on a plane. The first really standout bit was when the Seattle ground folks put on music and a name that song contest. They handed out […]


Chaos in the Airports! Baa! Baa!

Some days the snark just writes itself: The group that created Smokey Bear and McGruff the Crime Dog has a new potential icon: Stephanie the airport screener. A $1.3 million ad campaign launched this month teams the Ad Council and the Transportation Security Administration trying to change behavior of passengers who no longer automatically accept […]


Travel Chaos

NARA (National Archives) published notice in the Federal Register on October 27, 2008, of TSA’s submission to them (see Schedule Pending #3) of a proposed Records Schedule for Secure Flight Program. The actual Proposed Schedule was not published in the Register, only notice that you can request it and file comments on whether NARA should […]


Crime in Barcelona

While having a wonderful time in Barcelona, I took the metro a fair amount. Over the course of 8 days, I saw 2 turnstile jumpers, (40€ fine) 3 smokers (30€ fine) and didn’t see as one friend got pick-pocketed (reported fine, one beating). So which crime annoyed me most? The apparently worthless invasion of privacy. […]


Quis custodiet ipsos custodes?

There have been a couple of interesting stories over the last week that I wanted to link together. Verizon Employees Snoop on Obama’s Cellphone Records (followed shortly by “Verizon fires workers over Obama cell phone records breach“) and “4 more Ohio officials punished in ‘Joe’ data search.” There’s a couple of things happening here. The […]


Tidying up Art

In “Tidying up Art” Ursus Wehrli tells the TED audience about not only how to tidy up art, but has a great example of how apparently simple instructions can very quickly lead chaos to emerge. And it’s pretty darn funny after the audience doesn’t know how to respond to his first couple of jokes.


Terrifying Financial Blacklists Falling Down

There’s a list, maintained by the UN security council, of people who can’t have their money. Once you’re on the list, there’s no way to get off. The global blacklisting system for financiers of al-Qaeda and other terrorist groups is at risk of collapse, undermined by legal challenges and waning political support in many countries, […]


Ephemeral Anniversary

Yesterday, Nov 17, was the sesquicentenary of the zero-date of the American Ephemeris. I meant to write, but got distracted. Astronomical ephemeris counts forward from this date. That particular date was picked because it was (approximately) Julian Day 1,000,000, but given calendar shifts and all, one could argue for other zero dates as well. The […]


Diverse Preferences for Privacy

A Wide Diversity of Consumer Attitudes about Online Privacy shows this picture of Flickr users setting privacy preferences: green is public (default) and red is private. I hope Flickr shares some of the underlying data. I don’t know what anyone would do with it, and there’s two ways to find out. One is to talk, […]


The Twain Meeting

Some time ago, was on an extended stay in Tokyo for work. When one is living there, there are things one must do, like make an effort to live up to being a henna gaijin. I must disagree with those who translate that as “strange foreigner.” The proper translation is “crazy foreigner.” I’d never heard […]


Actually, Randall, We Tried That

And the reason it doesn’t work is that just because you’re allowed to own something doesn’t mean you’re allowed to export it. The use, ownership, production, etc. of crypto was never restricted, only its export. In an Intenet-enabled world, export control brings lots of hair with it, which is why it was important to fight […]


SDL Announcements

I’m in Barcelona, where my employer has made three announcements about our Security Development Lifecycle, which you can read about here: “SDL Announcements at TechEd EMEA.” I’m really excited about all three announcements: they represent an important step forward in helping organizations develop more secure code. But I’m most excited about the public availability of […]


Public Policy and InfoSec

…Armed with my favorite govie (who is actually the lead on this, I’m just a straphanger), The New School of Information Security (Hi Adam and Andrew), some government policy directives, and the National Strategy to Secure Cyberspace, I am teaching an Information Security Management and Public Policy class for Carnegie Mellon’s Heinz School. The more […]


An early clue to the new direction?

Obama gave his first press conference as President-elect last Saturday. Pundits have noted his humor in responding to the urgent canine matter, but I was struck by a particular phrase used in response to a question regarding whether he’d be moving quickly to fill key cabinet positions: When we have an announcement about cabinet appointments, […]


CTO of the United States?

So Obama wants a CTO for the United States. The job description: Obama will appoint the nation’s first Chief Technology Officer (CTO) to ensure that our government and all its agencies have the right infrastructure, policies and services for the 21st century. The CTO will ensure the safety of our networks and will lead an […]


Chaos, My Desk and Dilbert

The Wall St Journal covers the latest management fad in “Neatness Counts at Kyocera and at Others in the 5S Club:” 5S is a key concept of the lean manufacturing techniques that have made makers of everything from cars to candy bars more efficient. The S’s stand for sort, straighten, shine, standardize and sustain. Lately, […]


I Was On NPR, An Unmasking of Sorts

Okay so for a long time now, I’ve been blogging as Arthur. It all started as an excuse to blog without the company I worked for at the time having to worry about anything I said being a reflection on them. Almost three years ago they were acquired by Oracle and I have long since […]


Confirmation Bias and Newspaper Endorsements

We’ve been talking a lot lately about confirmation bias. It turns out that newspaper endorsements are more influential when they are unexpected. The degree of this influence, however, depends upon the credibility of the endorsement. In this way, endorsements for the Democratic candidate from left-leaning newspapers are less influential than are endorsements from neutral or […]


Checking in on the Security of Chequing

I remember a conversation back in 1995 or 1996 with someone who described to me how the Automated ClearingHouse (ACH) for checking worked. He explained that once you had an ACH merchant account, you sent in a message of roughly the form (src, dest, amount, reason) and money got moved. I argued with him that […]


It’s Morning in America

It’s hard to know what to say after an election that feels so momentous in so many different ways. So, I’ll start from the simple: congratulations to Obama on being elected the 44th President of the United States. Next, let’s add some chaos here and see what emerges. So what’s on your mind? And please, […]


This just in!!

MSNBC’s live streaming internet election coverage looks like it was filmed from within Second Life. Yuck.


The Purple States

As we go into what may well be another very long day of elections for the Presidency of the United States, I wanted to reprise two images from 2004: Click on either for more details and the context four years ago. Despite the electoral college, America isn’t a red country or a blue country, and […]


You talk like a delinquent

This is interesting. Not sure how robust the finding is, but according to an analysis of LendingClub data on all past loans, including descriptions of the use for the money, applicants using certain words in their descriptions are much more likely to default. For our purposes define a Delinquency as either being late in your […]


Thoughts about Democracy in America

There’s a place in de Tocqueville where he talks about America’s civic strength coming from the way we organize: those voluntary organizations which come together to solve a problem as a community. He pointed out that what we got from that was not merely that particular problem solved, but a sense of community and a […]


It was twenty years ago today

It was twenty years ago today Sgt. Morris taught the worms to play They’ve been going in and out of style But they’re guaranteed to last a while So may I introduce to you… the bug you’ve known for all these years Sgt. Morris Lonely worm club band We’re Sgt. Morris’ lonely worm club band, […]


Don’t Stay at the Renaissance Amsterdam Hotel

The night of September 29th, I had a room at the Renaissance Amsterdam hotel on Kattengat street. Actually I had two rooms, not that I slept in either of them. The first had too much street noise, and windows that didn’t block out the sound. The second, well, I woke up at 7.30 AM from […]


Cheetah Delays Luggage

A cheetah traveling from Oregon to Memphis Tennessee escaped from its cage on a Delta flight from Portland to Atlanta. Luggage was delayed, a baggage worked got a good fright (oh, yeah, imagine finding a cheetah on Halloween), but no baggage was destroyed. I would like to be able to link to the full story, […]


Studs Terkel, 1912-2008

No Chicagoan stood up for the common man like Studs Terkel, although Nelson Algren was probably in the running. A security-related anecdote, courtesy of the Chicago Tribune: In 1997 he went to the White House to receive the National Humanities Medal and the National Medal of Arts with a group including Jason Robards, Angela Lansbury, […]


Experience and Decision Making

Following on our satirical endorsement of McCain-Palin yesterday, I’d like to talk a little about the experience argument, that is, that Obama lacks the experience to be President. This may well be true. I’d prefer someone with extensive executive experience, ideally running a state, experience matters in one very specific way: it may help you […]


Emergent Chaos: For McCain Palin

As we come to the close of the longest campaign in American history, it is time to make a call on who to vote for. In these turbulent and chaotic times, America needs a candidate who will cause more chaos to emerge. Now is not the time for calm and reasoned leadership. Now is not […]


Responses to Terror: Boston and Ashdod, Israel

An Israeli teenager has been arrested after he donned a mask and prowled the streets of his town with a big rucksack and toy gun for a school project. The boy, 15, was seized by police in the southern town of Ashdod suspecting he was a Palestinian militant. The student was quoted as saying he […]


CTOs, Product Management and Program Management

In “The product manager’s lament,” Eric Ries writes about his view of product managers: Let’s start with what the product manager does. He’s supposed to be the person who specifies what the product will do. He writes detailed specs which lay out exactly what features the team should build in its next iteration. These specs […]


New ID Theft Research And Blog For Debix

Adam and I have discussed Debix several times in the past, so it will come as no surprise, that I am again posting about them. Debix now has a blog, which will be covering issues around identity theft, breaches and privacy. Debix also released a new research study examining child identity theft. The most recent […]


100 Mile Constitution Free Zone

Government agents should not have the right to stop and question Americans anywhere without suspicion within 100 miles of the border, the American Civil Liberties Union said Wednesday, pointing attention to the little known power of the federal government to set up immigration checkpoints far from the nation’s border lines. The government has long been […]


Ridiculing the Ridiculous: Terrorist Tweets

A group of soldiers with the US Army’s 304th Military Intelligence Battalion have managed to top previous military research on terrorist use of World of Warcraft. Realizing that mentioning the word “terrorist” can allow researchers to acquire funding to play the popular MMOG, they turned attention to the popular, if architecturally unscalable micro-blogging system, Twitter. […]


Insecurity Theatre

“It’s been in the back of my mind since you first came in: How do you get the missile on the trailer into Manhattan?” federal Judge William Pauley III asked. Sachs, from West Babylon, said cops just laughed as he passed through the Queens Midtown Tunnel on his way into the city Sept. 8. Sachs […]


Fake Fish and Security

There was a very interesting article in the New York Times, “Fish Tale has DNA Hook,” in which two high school students used DNA testing to discover that nearly 1/4 of the sushi they tested and identified was mis-labeled. The article only identifies one of the vendors: Dr. Stoeckle was willing to divulge the name […]


"Secure Flight" now part of the Bush Administrations Legacy

We welcome the Bush administration’s continuing dedication to excellence and security in developing clear and appropriate rules to prevent terrorists from flying: In this respect, there are major discrepancies between the (nonbinding) description at the start of the regulatory notice issued today, and the actual regulations that follow it (the last 20 pages of the […]


Canadian Privacy and Private Action

In reading Arthur’s post on “Canadian PM FAIL,” I was thinking of the odds that this would be investigated and dealt with under Canadian privacy law. Now, I’m not an expert on that, but my recollection is that the main private sector law, PIPED complements a Federal Privacy Act which would likely be the relevant […]


Buffer Overflows and History: a request

One of my long-term interests in security is the ongoing cost of secrecy. My current favorite example is the stack smashing buffer overflow. These were known and understood no later than 1972, and clearly documented in James P. Anderson’s Computer Security Technology Planning Study: The code performing this function does not check the source and […]


Discipline and Art

Stephan Bugaj has a fascinating article up, “Steve Kurtz: Tactical Art.” I wanted to tie this to my post “The Discipline of ‘think like an attacker’” Kurtz only briefly mentioned his four year ordeal with the Department of Justice (this is also a good article about it), and only as a single exemplar of his […]


Buffett Vs Paulson

I was listening to Joseph Stiglitz on NPR this morning, and he had a very interesting comparison. (Quoting from an op-ed in the Guardian): For all the show of toughness, the details suggest the US taxpayer got a raw deal. There is no comparison with the terms that Warren Buffett secured when he provided capital […]


The Costs of Secrecy

Security continues to be crippled by a conspiracy of silence. The ongoing costs of not talking about what’s going wrong are absolutely huge, and today, we got insight into just how huge. Richard Clayton and Tyler Moore of Cambridge University have a new paper on phishing, “The consequence of non-cooperation in the fight against phishing.” […]


Investing in the finance crisis

The Wall Street domino has toppled just about everything in sight: U.S. stocks large and small, within the financial industry and outside of it; foreign stocks; oil and other commodities; real-estate investment trusts; formerly booming emerging markets like India and China. Even gold, although it has inched up lately, has lost 10% from its highs […]


Elections Are Done For Me

Forty Percent of California voters are “permanent absentee” voters. Oregon runs entirely by mail-in votes. Other US states have some sort of mail-in or absentee status that people can assign themselves to. For those people, including me, elections are a slice of time that ends on election day. This isn’t new, until relatively recently, it […]


Security is an Empirical and Social Science

In reading Mordaxus’ post “Quantum Crypto Broken Again,” I was struck by his comment: It is a serious flaw because one of the main arguments about quantum cryptography is that because it is “physics” based as opposed to “computer” based, that it is more secure than software cryptography.” Firstly, security is almost always an outcome […]


Open thread

What’s on your mind in October?


Emergence Emerges

This paper, “More Really is Different,” may be one of the most important papers of the last half-millenium. It argues that P.W. Anderson’s concept of “emergence” is provable. It may have even proved it. The idea of emergence, from whence this blog gets its name is the opposite of reductionism. It is the idea that […]


Death Penalty Protestors are Terrorists

The Washington Post reports upon the further cheapening of the word “terrorism” in, “Md. Police Put Activists’ Names On Terror Lists.” The fifty-three people with “no evidence whatsoever of any involvement in violent crime” who were put on a list of terrorists include anti-death-penanty protestors. It’s really hard to keep from laughing about this. Are […]


Identity Manglement

It was Dopplr that drove me over the edge on this rant. I almost feel bad for starting off with them, because as you will see, they’re just the bale of hay that broke the camel’s back. I was updating my travel schedule, which included a trip to St. Louis. It told me that by […]


Experiences Threat Modeling at Microsoft

A little bit of cross-polination between blogs: Adam Shostack here. Last weekend, I was at a Security Modeling Workshop, where I presented a paper on “Experiences Threat Modeling at Microsoft,” which readers of [the Microsoft Security Development Lifecycle] blog might enjoy. So please, enjoy!


"No evidence the data was misused"

The next time you read a statement that a breached entity has found no evidence of data misuse, remember this: data may have been misused even though entities are unaware of it. Tim Wilson of Dark Reading provides a current example of why entities should inform customers, this one involving the T-Mobile breach that affected […]


Researchers Two-Faced over Facebook Data Release

[Update: Michael Zimmer points out that it wasn’t Facebook, but outside researchers who released the data.] I wanted to comment quickly on an interesting post by Michael Zimmer, “ On the “Anonymity” of the Facebook Dataset.” He discusses how A group of researchers have released a dataset of Facebook profile information from a group of […]


What's in a name(less)?

Me! I had a great time in a conversation with Dennis Fisher which is now up on his nameless security podcast: Adam Shostack on privacy, data breaches and “The New School of Information Security” Check it out. Update: Amazon seems to be having trouble keeping The New School in stock. (Thank you!!!) Addison Wesley has […]


Quantum Crypto Broken Again

The New Scientist reports that researchers Vadim Makarov, Andrey Anisimov, and Sebastien Sauge have broken quantum key distribution. The attack is described in their paper, “Can Eve control PerkinElmer actively-quenched single-photon detector?” Spoiler Warning: Yes. She can. The attack is brilliant in its elegance. They essentially jam the receiver. A bright pulse of laser light […]


Monsieur Vuitton, I’m ready for my closeup!

This is the window of a Louis Vuitton store. I found it tremendously striking, and so took some pictures. Setting aside the direct message of “everyone will look at this bag,” I thought what’s interesting is the technological replacement of self with avatar. As if the designer is saying “we no longer want to be […]


The Skype Issue

According to The New York Times in, “Surveillance of Skype Messages Found in China,” the Chinese provider TOM has software in place that reads Skype text messages, and blocks ones that use naughty words and terms, like “Falun Gong,” “Independent Taiwan,” and so on. A group of security people and human rights workers not only […]


What’s in a name? A Candidate by any other name…

For those who haven’t been listening closely to their NPR, it turns out that there are at least eight Barack Obamas running for election in Brazil this year. Yes, you heard that right. Under Brazilian law, it turns out, candidates are allowed to run for office under any name, as long as it’s not offensive. […]


Submitted for your consideration

I added Bank Lawyer’s Blog to my set of RSS feeds some time ago, after I came across a decent post about ID theft there. I provide — without comment — the following quotation from a banking industry lawyer, as posted yesterday: Near the end of the Oscar-winning movie “Unforgiven,” the young assassin who calls […]


Regulations, Risk and the Meltdown

There are obviously a large set of political questions around the 700+ billion dollars of distressed assets Uncle Sam plans to hold. If you care about the politics, you’re already following in more detail than I’m going to bother providing. I do think that we need to act to stem the crisis, and that we […]


Adam on CS TechCast

I did a podcast with Eric and Josh at CS Techcast. It was lots of fun, and is available now: link to the show Welcome to another podcast for IT professionals. This week we interview Adam Shostack, author of The New School of Information Security about the essentials IT organizations need to establish to […]


And I thought I didn't like Streisand

While Babs’ vocal stylings may be an “acquired taste”, today I have a new appreciation for the Streisand Effect. Thanks to Slashdot, I learned that Thomson Reuters is suing the Commonwealth of Virginia alleging that Zotero, an open-source reference-management add-on for Firefox, contains features resulting from the reverse-engineering of Endnote, a competing commercial reference management […]


Blaming the Victim, Yet Again

John Timmer of Ars Technica writes about how we ignore dialog boxes in, “Fake popup study sadly confirms most users are idiots.” The article reports that researchers at the Psychology Department of North Carolina State University created a number of fake dialog boxes had varying sorts of clues that they were not real dialog boxes, […]


2008 Breaches: More or More Reporting?

Dissent has some good coverage of an announcement from the ID Theft Resource Center, “ITRC: Breaches Blast ’07 Record:” With slightly more than four months left to go for 2008, the Identity Theft Resource Center (ITRC) has sent out a press release saying that it has already compiled 449 breaches– more than its total for […]


The Discipline of "think like an attacker"

John Kelsey had some great things to say a comment on “Think Like An Attacker.” I’ve excerpted some key bits to respond to them here. Perhaps the most important is to get the designer to stop looking for reasons attacks are impossible, and start looking for reasons they’re possible. That’s a pattern I’ve seen over […]


TSA Badges

9Wants to Know has uncovered a new policy that allows airport screeners at Denver International Airport to bypass the same security screening checkpoints that passengers have to go through. … The new policy says screeners can arrive for work and walk behind security lines without any of their belongings examined or X-rayed. … At DIA, […]


This Week in Petard-Hoisting, the Palin Edition

If you are the sort of person who looks at odd legal rulings and opinions, you may remember that a few years ago the US DOJ issued an opinion that stored emails are not protected under the Stored Communications Act. The DOJ reasoning is that when you leave read email on your server, it’s not […]


University of Lake Wobegon?

Spaf has an excellent post up about Purdue’s decision to no longer be an NSA Center of Academic Excellence. He makes a number of thought-provoking points, among them that “excellence” loses its meaning if the bar is set too low, and that being an academic center and having a training (as opposed to educating) curriculum […]


Avast there!

You might not be able to think like one, but today you should certainly talk like a pirate. Yo ho ho, shiver me timbers, etc. etc. Image credit: charliekwalker


Think Like An Attacker?

One of the problems with being quoted in the press is that even your mom writes to you with questions like “And what’s wrong with “think like an attacker?” I think it’s good advice!” Thanks for the confidence, mom! Here’s what’s wrong with think like an attacker: most people have no clue how to do […]


SDL Press Tour Announcements

Steve Lipner and I were on the road for a press tour last week. In our work blog, he writes: Last week I participated in a “press tour” talking to press and analysts about the evolution of the SDL. Most of our past discussions with press and analysts have centered on folks who follow security, […]


Applied Security Visualization

Our publisher sent me a copy of Raffael Marty‘s Applied Security Visualization. This book is absolutely worth getting if you’re designing information visualizations. The first and third chapters are a great short intro into how to construct information visualization, and by themselves are probably worth the price of the book. They’re useful far beyond security. […]


More on Confirmation Bias

Devan Desai has a really interesting post, Baffled By Community Organizing: First, it appears that hardcore left-wing and hardcore right-wing folks don’t process new data. An fMRI study found that confirmation bias — “whereby we seek and find confirmatory evidence in support of already existing beliefs and ignore or reinterpret disconfirmatory evidence” — is real. […]


Help fund historic computers at Bletchley Park

Bletchley Park, the site in the UK where WWII code-breaking was done, has a computing museum. The showpiece of that museum is Colossus, one of world’s first computers. (If you pick the right set of adjectives, you can say “first.” Those adjectives are apparently, “electronic” and “programmable.”) It has been rebuilt over the last fourteen […]


Canadian PM FAIL

Dear Mr Harper, In general people do not care for the government to be tracking their religious affiliation. In particular however, there are few groups who care less for this sort of tracking than Jews. Seriously, you’re not going to get votes by sending Rosh Hashanah cards to your Jewish constituents. It freaks us out, […]


Risk Managers Are Just Like Security People

Or is that vice-versa? A few weeks ago, Security Retentive posted about an article in the Economist: “Confessions of a Risk Manager”. Both his analysis and the original story are quite interesting and I encourage you to read them as well as a letter to the editor that was published in last week’s print edition […]


No Privacy Chernobyls

Over at the Burton Identity and Privacy Strategies blog, there’s a post from Ian Glazer, “Trip report from the Privacy Symposium,” in which he repeats claims from Jeff Rosen: I got to hear Jeffery Rosen share his thoughts on potential privacy “Chernobyls,” events and trends that will fundamentally alter our privacy in the next 3 […]


Things only An Astrologist Could Believe

There’s a really funny post on a blog titled “Affordable Indian Astrology & Vedic Horoscope Provider:” Such a choice of excellent Muhurta with Chrome release time may be coincidental, but it makes us strongly believe that Google may not have hesitated to utilize the valuable knowledge available in Vedic Astrology in decision making. This is […]


Hans Monderman and Risk

Zimran links to an excellent long article on Hans Monderman and then says: When thinking about human behavior, it makes sense to understand what people perceive, which may be different from how things are, and will almost certainly be very different from how a removed third party thinks them to be. Traffic accidents are predominantly […]


Signal Boosting Amrit Williams

File this under “Posts I Wish I’d Written”. Amrit Williams’ “ The 7 Greatest Ideas in Security,” really highlights a lot of my basic thoughts on how security should work. His conclusion sums things up cogently, but go read the entire post: Some may argue that something has been forgotten or that the order is […]


TSA’s Brand

Passing through Portland’s PDX Airport, I was struck by this ad for SeaPort Airlines: Things are pretty bad for TSA when right after “faster travel,” a company lists “No TSA” as its second value proposition. (Bottom left corner.) It’s actually sort of impressive how much hate and resentment the TSA has built in the few […]


44 Years

Mary Dudziak posted the testimony of Fannie Lou Hamer before the credentials committee of the 1964 Democratic convention. It’s worth reading in full: Mr. Chairman, and to the Credentials Committee, my name is Mrs. Fannie Lou Hamer, and I live at 626 East Lafayette Street, Ruleville, Mississippi, Sunflower County, the home of Senator James O. […]


The Hazards of Not Using RFC 1918

RFC 1918 is a best-current-practicies RFC that describes network address ranges that we all agree we won’t use globally. They get used for private networks, NAT ranges and so on. There are three ranges: to to to They are thus the Internet equivalent of the American phone system not […]


Lessons for security from "Social Networks"

There are a couple of blog posts that I’ve read lately that link together for me, and I’m still working through the reasons why. I’d love your feedback or thoughts. A blogger by the name of Lhooqtius ov Borg has a long screed on why he doesn’t like the “Social Futilities.” Tyler Cowan has a […]


TSA Breaks Planes (and a link to infosec)

Aero News Network has a fascinating story, “ANN Special Report: TSA Memo Suggests That Agency ‘Encourages’ Damaging Behavior.” It covers how a TSA goon climbed up a plane using equipment marked “not a handhold,” damaging it and putting the flying public at risk. It continues: While this may be terrifying on a number of levels, […]


Authenticating Alan Shimel is Certifiably Hard

Alan Shimel got hacked, and he’s blogging about it, in posts like “I’m back.” It sounds like an awful experience, and I want to use it to look at authentication and certificates. None of this is intended to attack Alan in any way: it could happen to any of us. One of the themes of […]


Diebold/Premier vote dropping

A voting system used in 34 states contains a critical programming error that can cause votes to be dropped while being electronically transferred from memory cards to a central tallying point, the manufacturer acknowledges. The problem was identified after complaints from Ohio elections officials following the March primary there, but the logic error that is […]


Write Keyloggers Professionally! has a job for you if you need some high-paid work — write a remote keylogger. Here are the project requirements: We need a keylogger that can be installed remotely. Description: The main purpose is that the user A can send an email with a program to install (example: a game or a funny […]


The Omnivore's Hundred

I find it interesting that security people and foodies are strongly correlated. Or at least are strongly correlated among the ones I know. Very Good Taste has a list of things called The Omnivore’s Hundred, a list of things worth trying, modulo this and that. You mark things you have tried, and mark things you […]


Disaster Recovery Drills Aren't Just For IT

The Economist has a short but great overview on crisis management. The article is well worth reading completely, but there is one section that bears highlighting: Be well prepared in advance. Potential members of a crisis management “team” should rehearse how they would manage the impact of an incident. It is a bit like learning […]


King Log or King Brutalist

A Christian Science church near the White House filed suit against the city on Thursday, accusing it of trammeling religious freedom by declaring the church a historic landmark and refusing to allow church leaders to tear it down. The building, a stark structure with walls that soar toward the sky, is an eyesore or a […]


We're all in it together

Ryan Singel reports at 27B/6: The TSA was keeping the names of people who lost their wallets and needed to fly — even after ascertaining their identity and determining they were not a threat and could board a plane. It stored these names in a shared threat database. Then it decided that it won’t store […]


I’m Certifiably Wrong

So there’s some great discussion going on in the comments to “Certifiably Silly,” and I’d urge you to read them all. I wanted to respond to several, and I’ll start with Frank Hecker: Could we take the cost issue out of this equation please … [Adam: I’m willing to set it aside, because the conversation […]


Certifiably Silly

Over at “The Security Practice,” Michael Barrett writes about “Firefox 3.0 and self-signed certificates.” Neither he or I are representing our respective employers. …almost everyone who wants to communicate securely using a browser can afford an SSL certificate from CAs such as GoDaddy, Thawte, etc. The cost of single certificates from these sources can only […]


Congratulations to Raffy!

His book, Applied Security Visualization, is now out: Last Tuesday when I arrived at BlackHat, I walked straight up to the book store. And there it was! I held it in my hands for the first time. I have to say, it was a really emotional moment. Seeing the product of 1.5 years of work […]


That's an address I haven't used in a very long time.

Well, I got a letter from BNY Mellon, explaining that they lost my data. The most interesting thing about it, I think, is where it was sent, which is to my mom. (Hi Mom!) I had thought that I’d moved all of my financial statements to an address of my own more than a decade […]


Watchlist Cleaning Law

Former South African President Nelson Mandela is to be removed from U.S. terrorism watch lists under a bill President Bush signed Tuesday… The bill gives the State Department and the Homeland Security Department the authority to waive restrictions against ANC members. This demonstrates that greater scrutiny must be placed on the decisions about who gets […]


This Is Not Writing; You Are Not Reading

The Paper of Record has a hilarious article, “Literacy Debate: Online, R U Really Reading?” which asks important questions about what Those Darn Kids are doing — spending their time using a mixture of hot media and cold media delivered to them over the internets. I’ll get right to the point before I start ridiculing […]


Keeping abreast of the threat

The German Bundespolizei have announced what the BBC are calling a “bullet-proof bra“. It may sound like a joke, but this is a serious matter – the policewoman who came up with the idea said normal bras can be dangerous when worn in combination with a bullet-proof vest. “The impact of a bullet can push […]


Instant Ice Age

Science reports in, “The Year the World Froze Over:” It sounds like the stuff of science fiction, but nearly 13 millennia ago Europe was plunged suddenly into a deep freeze that lasted 1300 years–and the change happened in little more than a year, according to new data. The evidence also suggests that strong winds, not […]


Black Hat (Live) Blog: Keynote

Ian Angell from the London School of Economics gave a great keynote on complexity in systems and how the desire to categorize, enumerate, and add technology can break things in interesting ways. An example of his: there’s an increasing desire among politicians and law enforcement to create huge DNA databases for forensic purposes, to aid […]


Does this mean we can revise our opinion of Friday the 13th?

According to The Daily Telegraph, the Knights Templar are suing the Vatican for all that money they lost in 1307. (The Telegraph has a companion article here as well.) This adds up to a nice round €100 billion. The Telegraph didn’t say whether that is American billions (thousand million, 109) or English billions (million million, […]


Cleared Traveler Data Lost

Verified Identity Pass, Inc., who run the Clear service have lost a laptop containing information of 33,000 customers. According to KPIX in “Laptop Discovery May End SFO Security Scare” the “alleged theft of the unencrypted laptop” lost information including names, addresses, birth dates and some applicants’ driver’s license numbers and passport information, but does not […]


Privacy Enhancing Technologies and Threat Modeling

Steven Murdoch and Robert Watson have some really interesting results about how to model the Tor network in Metrics for Security and Performance in Low-Latency Anonymity Systems (or slides). This is a really good paper, but what jumped out at me was their result, which is that the right security tradeoff is dependent on how […]


Solove’s Understanding Privacy

Dan Solove sent me a review copy of his new book, “Understanding Privacy.” If you work in privacy or data protection either from a technology or policy perspective, you need to read this book and understand Solove’s approach. That’s not to say it’s perfect or complete, but I think it’s an important intellectual step forward, […]


Aleksandr Solzhenitsyn, RIP

The author of The Gulag Archipelago and other important works on the barbarity of the Soviet Union passed away today. Aleksandr Solzhenitsyn was 89. My sympathies to his family and friends.


SOUPS 2008, summarized

I really appreciate the way that Richard Conlan has in-depth blogged all of the sessions from the 2008 Symposium on Usable Privacy and Security. The descriptions of the talks are really helpful in deciding which papers I want to dig into. More conferences should do this. There’s only one request I’d make: There’s no single […]


What do you want to know about SDL Threat Modeling?

Over on my work blog, I asked: I’m working on a paper about “Experiences Threat Modeling at Microsoft” for an academic workshop on security modeling. I have some content that I think is pretty good, but I realize that I don’t know all the questions that readers might have. So, what questions should I try […]


Call Centers Will Get More Annoying

There’s an article in “destination CRM,” Who’s Really Calling Your Contact Center? …the identity questions are “based on harder-to-steal information” than public records and credit reports. “This is much closer to the chest than a lot of the public data being used in other authentication systems,” she says, adding that some companies using public data […]


Silver Bullet podcast transcript

I know there’s a lot of people who prefer text to audio. You can skim text much faster. But there are also places where paper or screens are a pain (like on a bus, or while driving). So I’m excited that the Silver Bullet Podcast does both. It’s a huge investment in addressing a variety […]


Congratulations to the PET Award Winners

Congratulations to Arvind Narayanan and Vitaly Shmatikov! Their paper, “Robust De-Anonymization of Large Sparse Datasets,” has been awarded the 2008 Award for Outstanding Research in Privacy Enhancing Technologies. My employer has a press release which explains how they re-identified data which had been stripped of identifiers in the Netflix dataset. In their acceptance remarks, they […]


London’s New Transit Card

Transport for London is trying to get as many people as possible to use Oyster Cards. They are cheaper — and theoretically easier to use — than traditional tube / bus tickets. However, using one means that TfL has a record of your journeys on the transport system, which is something that not everybody is […]


Reproducibility, sharing, and data sensitivity

What made this particular work different was that the packets we captured came through a Tor node. Because of this difference, we took extreme caution in managing these traces and have not and will not plan to share them with other researchers. Response to Tor Study I won’t get into parsing what “have not and […]


Ethics, Information Security Research, and Institutional Review Boards

Several weeks ago, in “A Question of Ethics“, I asked EC readers whether it would be ethical “to deliberately seek out files containing PII as made available via P2P networks”. I had recently read an academic research paper that did just that, and was left conflicted. Part of me wondered whether a review board would […]


New FISA Analysis

Vox Libertas, a blogger at the Daily Kos has written an analysis of the new US FISA law in his article, “I think I understand the FISA bill. Do I?” Vox Libertas has taken an approach that I can appreciate. On the one hand, many people are unhappy with the telecom immunity. I’m one of […]


Breaches & Human Rights in Finland

The European Court of Human Rights has ordered the Finnish government to pay out €34,000 because it failed to protect a citizen’s personal data. One data protection expert said that the case creates a vital link between data security and human rights. The Court made its ruling based on Article 8 of the European Convention […]


Off to Belgium

I’m getting ready to leave for the 2008 Privacy Enhancing Technologies Symposium. I love this event, and I’m proud to have been involved since Hannes Federrath kicked it off as a workshop on design issues anonymity and unobservability. I’m also happy that Microsoft has continued to sponsor an award for outstanding research in Privacy Enhancing […]


Putting the fun back in threat modeling

I have an article in the latest MSDN magazine, “Reinvigorate your threat modeling process:” My colleague Ellen likes to say that everyone threat models all the time. We all threat model airport security. We all threat model our homes. We think about threats against our assets: our families, our jewelry, and our sentimental and irreplaceable […]


Writing a book: The Proposal

To start from the obvious, book publishers are companies, hoping to make money from the books they publish. If you’d like your book to be on this illustrious list, you need an idea for a book that will sell. This post isn’t about how to come up with the idea, it’s about how to sell […]


Breach notice primary sources

Today on the Dataloss mailing list, a contributor asked whether states in addition to New Hampshire and Maryland make breach notification letters available on-line. I responded thusly (links added for this blog post): I know only of NH and MD. NY and NC have been asked to do it, but have no plans to. NJ […]


Security & Human Behavior

There’s a huge amount of interesting stuff from a recent workshop on “Security & Human Behavior.” Matt Blaze has audio, and Ross Anderson has text summaries in the comments on his blog post. Also, see Bob Sullivan, “How magic might finally fix your computer”


Laptops and border crossings

The New York Times has in an editorial, “The Government and Your Laptop” a plea for Congress to pass a law to ensure that laptops (along with phones, etc.) are not seized at borders without reasonable suspicion. The have the interesting statistic that in a survey by the Association of Corporate Travel Executives, 7 of […]


Leveraging Public Data For Competitive Purposes

The Freakonomics blog pretty much says it all: The latest:, the brainchild of brothers Ryan and David Petersen, with Michael Kanko. They exploit customs reporting obligations and Freedom of Information requests to organize and publish — in real-time — the contents of every shipping container entering the United States. From There’s a neat […]


The Recent History of the Future of Cash

Dave Birch has a really interesting post about The future of the future of cash: The report also identifies three key attributes of cash that make it — still — the dominant payment system. Universality, trust and anonymity. I’m curious about the location of anonymity in the customer mindset and I’m going to post some […]


Richard Feynman and The Connection Machine

There’s a fascinating article at The Long Now Foundation, “Richard Feynman and The Connection Machine,” by Danny Hillis. It’s a fun look into the interactions of two of the most interesting scientist/engineers of the last 40 years.


Massive Coordinated Vendor Patch For DNS

Dan “Doxpara” Kaminsky today released information about a fundamental design flaw in the architecture of DNS which if properly exploited would allow a malicious party to impersonate any website they wanted to. This issue effects every single version of DNS. The flaw primarily effects the DNS server but it can also effect clients as well […]


Writing a book: technical tools & collaboration

When Andrew and I started writing The New School, we both lived in Atlanta, only a few miles apart. We regularly met for beer or coffee to review drafts. After I moved to Seattle, our working process changed a lot. I wanted to talk both about the tools we used, and our writing process. We […]


Maryland Breach Notices

Case Number Date Received Business Name No. of MD residents Total breach size Information breached How breach occurred 153504 06/09/08 Argosy University name, social security number, addresses Laptop computer stolen from employee of SunGard Higher Education Maryland Information Security Breach Notices are put online by the most-forward looking Douglas F. Gansler, attorney general. I’m glad […]


Freakonomics and Data

There’s a really interesting article in the New Republic, “Freaks and Geeks:” In 2000, a Harvard professor named Caroline Hoxby discovered that streams had often formed boundaries to nineteenth-century school districts, so that cities with more streams historically had more school districts, even if some districts had later merged. The discovery allowed Hoxby to show […]


Passport-peeking probably pervasive

Back in March, we wrote about unauthorized access to Barack Obama’s passport file. At the time, a Washington Post article quoted a State Department spokesman: “The State Department has strict policies and controls on access to passport records by government and contract employees” The idea was that, while snooping might occur, it would be caught […]


In Congress Assembled, July 4, 1776

In CONGRESS, July 4, 1776 The unanimous Declaration of the thirteen united States of America, When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which […]


On Gaming Security

Adam comments on Dave Maynor commenting on Blizzard selling authentication tokens. Since I have the ability to comment here, I shall. This isn’t the case of a game having better security than most banks (as Maynor says). This is a game company leaping ahead of some banks, because they realize they have bank-like security issues. […]


Want Real Homeland Security?

All around cool guy, and former provost of the University of Chicago, Geoffrey Stone (the Edward H. Levi Distinguished Service Professor at the University of Chicago Law School), posted earlier this week proposed that “The next president should create a brand new position, which should become a permanent part of the Executive Branch in the […]


On Banking Security

Dave Maynor comments: Blizzard is going to sell a One Time Password device…Isn’t it kind of funny when an online game has better security than most banks? Blizzard Entertainment, Inc. today introduced an optional extra layer of security for World of Warcraft®, its award-winning massively multiplayer online role-playing game. Designed to attach to a keychain, […]


Sounds Like — Chomsky

The New Scientist reports that “Charades reveals a universal sentence structure.” Susan Golden-Meadow, a linguistic psychologist at the University of Chicago, led a team that found that speakers of most languages use the same simple sentence structure when miming, regardless of the structure of the language they speak. A demonstration movie is here. That structure […]


Study: Firefox patched quickest, IE a laggard

A new technical report out of ETH Zurich, Understanding the Web browser threat, should appeal to EC readers. The authors were granted access to the USER-AGENT information recorded globally by Google between January2007 and June 2008. By examining the first visit per day by each browser, the authors are able to determine which clients were […]


I said "No, No, No"

After having seen some footage of Amy Winehouse’s performance at Glastonbury, I think she needs to immediately marry Shane Macgowan, preferably as part of a reality TV show.


UK Passport Photos?

2008 and UK passport photos now have the left eye ‘removed’ to be stored on a biometric database by the government. It’s a photo that seems to say more to me about invasion of human rights and privacy than any political speech ever could. Really? This is a really creepy image. Does anyone know if […]


You Have Confused Me for the Last Time!

I love these boots, via “BoingBoing gadgets.” They’re transgressive on so many levels. Star Wars geek versus fashion. Military versus sexy. I’m glad George Lucas isn’t an obsessive control freak who hunts down anyone who adopts the visual language that he created.


Network Security Podcast #109, featuring Adam

I’m the guest on the latest episode of Martin McKeay and Rich Mogull’s Network Security podcast. It was a lot of fun to record, I hope you enjoy listening to it. [Link fixed.]


Game Theory and Poe

Julie Rehmeyer of Science News writes in, “The Tell-Tale Anecdote: An Edgar Allan Poe story reveals a flaw in game theory” about a paper Kfir Elias and Ariel Rubenstein called, “Edgar Allan Poe’s Riddle: Do Guessers Outperform Misleaders in a Repeated Matching Pennies Game? The paper discusses a game that Poe describes in The Purloined […]


I’d bet on security prediction markets

In his own blog, Michael Cloppert writes: Adam, and readers from Emergent Chaos, provided some good feedback on this idea. Even though the general response is that this wouldn’t be a supportable approach, I appreciate the input! This helps me focus my research intentions on the most promising theories and technologies. I’m glad my readers […]


Not quite clear on the subject

Slyck News has a story, “SSL Encrpytion Coming to The Pirate Bay” a good summary of which is in the headline. However, may not help, and may hurt. Slyck says: The level of protection offered likely varies on the individual’s geographical location. Since The Pirate Bay isn’t actually situated in Sweden, a user in the […]


Science isn't about Checklists

Over at Zero in a Bit, Chris Eng has a post, “Art vs. Science“: A client chastised me once for making a statement that penetration testing is a mixture of art and science. He wanted to believe that it was completely scientific and could be distilled down to a checklist type approach. I explained that […]


Water on Mars!

Mars Phoenix Tweets: “We Have ICE!” And yes, they really did announce on Twitter and a press release.


Medeco Embraces The Locksport Community

Two days ago, Marc Weber Tobias pointed out that Medeco, the 800 pound gorilla in the high-security lock market, recently published an open letter to the locksport community, welcoming it to the physical security industry: While we have worked with many locksmiths and security specialists in the past to improve our cylinders, this is the […]


R-E-S-E-P-C-T! Find out what it means to me

The TSA apparently is issuing itself badges in its continuing search for authority. The attire aims to convey an image of authority to passengers, who have harassed, pushed and in a few instances punched screeners. “Some of our officers aren’t respected,” TSA spokeswoman Ellen Howe said. … A.J. Castilla, a screener at Boston’s Logan Airport […]


Identity Theft is more than Fraud By Impersonation

In “The Pros and Cons of LifeLock,” Bruce Schneier writes: In reality, forcing lenders to verify identity before issuing credit is exactly the sort of thing we need to do to fight identity theft. Basically, there are two ways to deal with identity theft: Make personal information harder to steal, and make stolen personal information […]


How much work is writing a book?

There’s a great (long) post by Baron Schwartz, “What is it like to write a technical book?” by the lead author of “High Performance MySQL.” There’s a lot of great content about the process and all the but I wanted to respond to this one bit: I can’t tell you how many times I asked […]


Iowa breach law arrives a bit early

On May 10, Iowa became the 42nd U.S. state (counting D.C. as a state) with a breach notification law. The law itself is not remarkable. If anything, it is notably weaker than many other states’ laws. When can we expect to see the last stragglers finally pass their laws? Here’s a plot of each state’s […]


L'affaire Kozinski

Kim Zetter on Threat Level has written about Larry Lessig’s comments about Judge Alex Kozinski’s problems with having files on a personal server made public. Zetter has asked to hear people’s opinions about the issue. I thought I’d just blog about mine. Basically, I agree with Lessig. The major place that I disagree with Lessig […]


Quantum Pride

One of the curious features of Quantum Cryptographers is the way they harumph at mathematics. “Don’t trust that math stuff, you should trust physics.” It’s easy to sneer at this attitude because physics has traditionally gotten its cred because of its foundations in math. Physicists are just mathematicians who don’t squick at canceling dxes. Quantum […]


Can You Hear Me Now?

Debix, Verizon, the ID Theft Research Center and the Department of Justice have all released really interesting reports in the last few days, and what makes them interesting is their data about what’s going wrong in security. This is new. We don’t have equivalents of the National Crime Victimization Surveys for cyberspace. We don’t have […]


Department of Justice on breach notice

There’s an important new report out from the Department of Justice, “Data Breaches: What the Underground World of “Carding” Reveals.” It’s an analysis of several cases and the trends in carding and the markets which exist. I want to focus in on one area, which is recommendations around breach notification: Several bills now before Congress […]


Quanta In Space!

What’s the biggest problem with quantum cryptography? That it’s too expensive, of course. Quantum anything is inherently cool, just as certain things are inherently funny. Ducks, for example. However, it’s hard to justify a point-to-point quantum crypto link that starts at one-hundred grand just for the encryptors (fiber link not included, some assembly required), when […]


Paper Breach

The BBC reports in “Secret terror files left on train” that an … unnamed Cabinet Office employee apparently breached strict security rules when he left the papers on the seat of a train. A fellow passenger spotted the envelope containing the files and gave it to the BBC, who handed them to the police. We […]


What’s up with the "New and Used" Pricing on Amazon?

So having a book out, you start to notice all sorts of stuff about how Amazon works. (I’ve confirmed this with other first time authors.) One of the things that I just can’t figure out is the pricing people have for The New School. There’s a new copy for 46.43. A mere 54% premium over […]


Debix Publishes Data on Identity Theft

Finally, we have some real hard data on how often identity theft occurs. Today, Debix (full disclosure, I have a small financial interest) published the largest study ever on identity theft. Debix combed though the 2007 Q4 data on over 250 thousand of their subscribers and found that there was approximately a 1% attempted fraud […]


Hats Banned in Yorkshire to Aid CCTV Identification

The Telegraph reports in “Hats banned from Yorkshire pubs over CCTV fears” that Pubs in Yorkshire have been ordered to ban people from wearing flat caps or other hats so troublemakers can be more easily recognised. And in other news this weekend, MPs have stamped their little feet insisting that Britain is not a surveillance […]


Security Prediction Markets: theory & practice

There are a lot of great comments on the “Security Prediction Markets” post. There’s a tremendous amount of theorizing going on here, and no one has any data. Why don’t we experiment and get some? What would it take to create a market in breach notification prediction? Dan Guido said in a comment, “In security, […]


Praises for the TSA

We join our glorious Soviet brothers of the TSA in rejoicing at the final overthrow of the bourgeoisie conception of “liberty” and “freedom of expression” at the Homeland’s airports. The People’s Anonymous Commissar announced: This change will apply exclusively to individuals that simply refuse to provide any identification or assist transportation security officers in ascertaining […]


Messing with the RIAA and MPAA

Some very smart people at the University of Washington figured out how to leverage the bittorrent protocol to cause the RIAA and MPAA to generate takedown notices. From the website: * Practically any Internet user can be framed for copyright infringement today. By profiling copyright enforcement in the popular BitTorrent file sharing system, we were […]


Terms and Conditions for Accepting Email

Some time ago, I wrote about the absurdity of email disclaimers. It is therefore with great amusement I pass on the “Terms & conditions for acceptance of email messages by Andrews & Arnold Ltd” by a small ISP and IT company in Bracknell. The best part of it is the last term. Check out their […]


Security Prediction Markets?

In our first open thread, Michael Cloppert asked: Considering the contributors to this blog often discuss security in terms of economics, I’m curious what you (and any readers educated on the topic) think about the utility of using prediction markets to forecast compromises. So I’m generally a big fan of markets. I think markets are, […]


The Emergent Chaos of the Elections

First, congratulations to Barack Obama. His organization and victory were impressive. Competing with a former President and First Lady who was the shoo-in candidate is an impressive feat. I’d like to talk about the Obama strategies and a long chaotic campaign in two ways. First in fund-raising and second, on the effects of a long […]


Supreme Court Narrows "Money Laundering"

The Supreme Court narrowed the application of the federal money-laundering statute on Monday, ruling for criminal defendants in two cases in which prosecutors had employed broad definitions of two of the law’s major provisions. The two rulings are likely to crimp the government’s ability to bring money-laundering cases, although not necessarily to the degree that […]


In the "couldn't have happened to a better set of people" department…

Fifteen people have escaped unharmed in the US state of Indiana after a sky-diving plane lost power 7,000ft (2,100m) from the ground. The pilot told the 14 skydivers on board to jump to safety, then crash-landed the plane. And the pilot was un-injured, according to the AP story. From Skydiving plane fails at 7,000ft, BBC. […]


8th Pet Symposium Early Registration Deadline

We kindly invite you to attend the next PET Symposium, that will take place in Leuven (Belgium) on July 23-25, 2008. The PET Symposium is the leading international event for the latest research on privacy and anonymity technologies. This year, four other events are co-located with PETS 2008, including the Workshop On Trustworthy Elections (WOTE […]


Open thread

What the heck. Let’s see what happens. Comment on what you will.


Because it is the weekend and I am lazy

Chris’s beach reading recommendations John Maynard Smith, Evolution and the Theory of Games James S. Coleman, Foundations of Social Theory Ken Binmore, Natural Justice


Jonathan Ive's Sharia Style

I was on a business commuter flight the other day, which was also the maiden voyage of my MacBook Air. I had it out before takeoff. This was an international flight and I was in bulkhead. On international flights, they’re not as strict about not having your laptop on your lap during takeoff. This flight […]


CSO’s FUD Watch

“Introducing FUD Watch:” Most mornings, I start the work day with an inbox full of emails from security vendors or their PR reps about some new malware attack, software flaw or data breach. After some digging, about half turn out to be legitimate issues while the rest – usually the most alarming in tone – […]


RIM speaks out on BB security

El Reg writes that the India Times writes that RIM has “blackballed” (El Reg’s words) the Indian Government’s requests to get BB keys, saying what we suspected, that there are no keys to give. The India times says: BlackBerry vendor Research-In-Motion (RIM) said it cannot hand over the message encryption key to the government as […]


Does the UK need a breach notice law?

Chris Pounder has an article on the subject: In summary, most of the important features of USA-style, security breach notification law are now embedded into the guiding Principles of the Data Protection Act. Organisations risk being fined if they carelessly loose personal data or fail to encrypt personal data when they should have done. Individuals […]


Visualizing Risk

I really like this picture from Jack Jones, “Communicating about risk – part 2:” Using frequency, we can account for events that occur many times within the defined timeframe as well as those that occur fewer than once in the timeframe (e.g., .01 times per year, or once in one hundred years). Of course, this […]


Why the heck don't I ever have ideas this good? Calculates a location’s “walkability” by using Google Maps to figure out how close various amenities (such as grocery stores, public transit, parks, etc.) are. Not a perfect service, but a great idea.


Please read more carefully.

A paper by Sasha Romanosky, Rahul Telang, and Alessandro Acquisti to be presented at the upcoming WEIS workshop examines the impact of breach disclosure laws on identity theft. The authors find no statistically [significant] evidence that laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce The folks at Bank […]


Sing it shrdlu

Over at Layer8, shrdlu lays it out there and tells us what it takes to appear to be effective: In all the initiatives I’ve rolled out in my (checkered) career, the ones that have gotten the most acclaim from my management have always been the ones that were most visible to the users. They turned […]


This May Be FUD

You may have seen this article from the India Times, “Govt may get keys to your BlackBerry mailbox soon.” Many people have been commenting on it, and the hand-wringing should build up to a good storm in a few days. The gist of the article is that the Indian Government has told RIM that if […]


The Costs of Security and Algorithms

I was struck by this quote in the Economist special report on international banking: There were navigational aids to help investors but they often gave false comfort. FICO scores, the most widely used credit score in America, were designed to assess the creditworthiness of individual borrowers, not the quality of pools of mortgages. “’Know your […]


New School Reviews

Don Morrill, IT Toolbox: If you want to read a book that will have an influence on your information security career, or if you just want to read something that points out that we do need to do information security differently, then you need to go pick up a copy of “The new school of […]


"The Black Hat Tax?" Show me the money

A number of people have sent me links to “Black Hat Tariffs – The Black Hat Taxes on consumer Internet companies are on the rise:” In May 2006, I made mention of the Black Hat Tax, in which most consumer Internet sites have an inherent time, resource, and mindshare tax of roughly 25% due to […]


To the moon!

In name only, but NASA will be sending a database of names to the moon on the forthcoming Lunar Reconnaissance Orbiter. You can add yours. Oh, the name? seemed right when I wanted one with a quote in it. [Update: Securology posted “ Sending Bobby Tables to the Moon,” which is funnier, if more likely […]


Apparently The State Department Didn’t Learn From Regular Passports

The Washington Times reports that the State Department is going to be producing “passport cards” for people who regular travel by car or boat to/from Canada, Mexico and Carribean. About the size of a credit card, the electronic-passport card displays a photo of the user and a radio frequency identification (RFID) chip containing data about […]


Adam on "Silver Bullet Security" Podcast

The 26th episode of The Silver Bullet Security Podcast features Adam Shostack, a security expert on Microsoft’s Secure Development Lifecycle team who has also worked for Zero Knowledge and Reflective. Gary and Adam discuss how Adam got started in computer security, how art/literature informs Adam’s current work, and the main ideas behind Adam’s new book […]


Let's not ask the experts?

Can Sips at Home Prevent Binges? is a fascinating article in the New York Times. It turns out there’s very solid evidence about this: “The best evidence shows that teaching kids to drink responsibly is better than shutting them off entirely from it,” he told me. “You want to introduce your kids to it, and […]


Uncle Harold and Open Source

Uncle Harold (not his real name, not our real relationship, and I never even called him “Uncle”) was a cool guy who always fixed his own cars. Most of my life, Uncle Harold has been complaining. It used to be you could actually fix a car. You could put things in, take them out, adjust […]


Check out these great blogs!

I’m excited and grateful to the Industry Standard for including us in their “Top 25 B-to-Z list blogs.” There’s some great stuff in there which I read, like “Information Aesthetics


The Difference Between Knowledge and Wisdom

If you haven’t heard about this, you need to. All Debian-based Linux systems, including Ubuntu, have a horrible problem in their crypto. This is so important that if you have a Debian-based system, stop reading this and go fix it, then come back to finish reading. In fact, unless you know you’re safe, I’d take […]


6/16ths of Chileans personal information leaked by hacker

A hacker in Chile calling himself the ‘Anonymous Coward’ published confidential data belonging to six million people on the internet. Authorities are investigating the theft of the leaked data, which includes identity card numbers, addresses, telephone numbers, emails and academic records. Chile has a population of about 16 million, so that’s 3/8ths of the country. […]


UK Information Commissioner's Office Can Now Fine Your Ass

From the article: The Criminal Justice and Immigration Act has received Royal Assent creating tough new sanctions for the privacy watchdog, the Information Commissioner’s Office (ICO). This new legislation gives the ICO the power to impose substantial fines on organisations that deliberately or recklessly commit serious breaches of the Data Protection Act. It’s about time […]


Jack Jones on Risk Management

I really enjoyed watching the podcast version of a talk that Jack Jones gave at Purdue, “Shifting focus: Aligning security with risk management.” I liked the opener, about what it’s like for executives to talk to security professionals, and the difference between what might happen and what’s likely to happen. The screenshot is from a […]


Call me crazy?

There’s an article in the New York Times, “‘Mad Pride’ Fights a Stigma” “It used to be you were labeled with your diagnosis and that was it; you were marginalized,” said Molly Sprengelmeyer, an organizer for the Asheville Radical Mental Health Collective, a mad pride group in North Carolina. “If people found out, it was […]


Credit Bureaus and Outsourcing

The “I’ve Been Mugged” blog has a great three part series on outsourcing by credit bureaus: “Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms? (Part 1),” “part 2” and “part 3.” He digs deep into how extensively TransUnion outsources, and where. I went looking, and was surprised to see that […]


Security Cameras Functional

Use of CCTV images for court evidence has so far been very poor, according to Detective Chief Inspector Mick Neville, the officer in charge of the Metropolitan police unit. “CCTV was originally seen as a preventative measure,” Neville told the Security Document World Conference in London. “Billions of pounds has been spent on kit, but […]


Hiring Fraudsters?

PARIS — Jérôme Kerviel, the Société Générale trader who used his knowledge of the French bank’s electronic risk controls to conceal billions in unauthorized bets, has a new job — at a computer consulting firm. Mr. Kerviel, who was given a provisional release from prison on March 18, started work last week as a trainee […]


Spending to Protect Assets

There’s a story in the New York Times about a bike rental program in Washington DC. It’s targeted at residents, not tourists, and has a subscription-based model. Improved technology allows programs to better protect bicycles. In Washington, SmartBike subscribers who keep bicycles longer than the three-hour maximum will receive demerits and could eventually lose renting […]


A question of ethics

Various estimates have been made regarding the quantity of personal identifying information which has been exposed by various mechanisms. Obviously, though, we only know about what we can see, so seeing more would make such estimates better. One way to see more would be to look in more places, for example on peer-to-peer file sharing […]


Fasilyce, upon Reading

Dear Mr. Banks, Much as I enjoy your work, it is entirely dis-congruous to your readers to insert words known to neither the Oxford English Dictionary or the internet (as indexed here, here or here) whose meanings are not rapidly comprehensible. Thank you for your future attention to this matter. I remain, etc, etc.


Brightening up the day from an unexpected place

I would estimate that 2/3 of the calls I get are from people trying to sell me things I neither need nor want. Of those, over half are outsourcing services. Of the remainder, recruiters are over half. There are also people who call me for their services once a week. There’s one particular outsourcing firm […]


Italy Posts Tax Return Data on Official Website

How much do you make? How surprised would you be to learn that your magic number had been posted on the Internet by the government? And that it was not by mistake, as in other recent breaches of privacy. How Much Do You Make? The Nation Already Knows. The data has already been removed from […]


Quantum Debate

The debate about Shor’s Algorithm (which I blogged about a couple days ago) continues. Rod Van Meter has a good blog post about it here. While there are plenty of people who have just wholesale dismissed the Hill/Viamontes paper outright, apparently because they know Shor’s algorithm works and that building a working quantum computer is […]


Bush’s Law — Less Safe, Less Free

I’d like to review two recent books on the war on terror: “Bush’s Law: The Remaking of American Justice” by by Eric Lichtblau, and “Less Safe, Less Free: Why America Is Losing the War on Terror” by David Cole and Jules Lobel. Both are well written assaults on the way in which the Bush administration […]


Everybody Run, Crispin's Got a Blog

My buddy, collaborator and co-worker Crispin Cowan has started a blog. The first post is “Security Is Simple: Only Use Perfect Software.” [Update: Added a link to Crispin’s home page, because some readers apparently have trouble with a search engine.]


Quantum Uncertainty

Technology Review has a pair of articles on D-Wave‘s adiabatic quantum computer. Quantum pioneer Seth Lloyd writes in “Riding D-Wave” about quantum computing in general, adiabatic quantum computing, and D-Wave’s efforts to show that they’ve actually built a quantum computer. Linked to that is Scott Aaronson’s article, “Desultory D-Wave,” in which Lloyd’s nail-biting is made […]


The messenger is the message

In a blog post entitled “Lending Tree A Little Late In Cutting Off Network Access?“, I read that in the recent Lending Tree breach: several former employees may have helped a handful of mortgage lenders gain access to Lending Tree’s customer information by sharing confidential passwords with the lenders. Later, the author describes “an obvious […]


Who Watches the Watchlists?

The idea of “watchlists” has proliferated as part of the War on Terror. There are now more than 63 of them: As part of its regular “risk management” service, which provides screening, tracing, and identity and background checks on potential clients or trading partners, MicroBilt will now offer a “watch list” service that checks these […]



The ACM has a list of classic computer science works put together based on responses to a survey of the membership. I’m no computer scientist (though I’ve lived with my share…) but I’m shocked that none of Knuth’s works is on this list, even if it is basically a beauty contest.


Security Metric?

Ross Anderson has made PDF versions of several chapters of his Security Engineering (second edition) available on-line. The entire first edition has been available for some time. I am sure this second edition will be outstanding. I would rank the first edition as one of the top three technical books I’ve read. It would likely […]


Good problems to have

You don’t have much credibility looking for a publisher for a book on rum when you’re sailing in the Caribbean drinking the best rums you can find in the name of research. Most people just didn’t take me seriously that there was even a need for a book on rum. It took quite a while […]


University of Miami: Good for the body, bad for the soul?

The University of Miami has chosen to notify 41,000 out of 2.1 million patients whose personal information was exposed when thieves stole backup tapes. The other 2.1 million people, apparently, should be reassured, that their personal medical data was stolen, but the University feels it would be hard to read, and well, there’s no financial […]


Point Break, Live

The starring role of Johnny Utah is selected from the audience each night, and reads their entire script off of cue-cards. This method manages to capture the rawness of a Keanu Reeves performance even from those who generally think themselves incapable of acting. The fun starts immediately with the “screen test” wherein the volunteer Keanus […]


Marty Lederman, on a roll

You see, the CIA apparently uses the less dangerous version of “waterboarding” — not the Spanish Inquisition method, but the technqiue popularized by the French in Algeria, and by the Khmer Rouge — involving the placing of a cloth or plastic wrap over or in the person’s mouth, and pouring or dripping water onto the […]


Microsoft Security Intelligence Report V4

Microsoft Security Intelligence Report (July – December 2007) This volume of the SIR focuses on the second half of the 2007 calendar year (from July through December) and builds upon the data published in the previously released volumes of the SIR. Using data derived from several hundred million Windows users, and some of the busiest […]


Quantum Cryptography Broken and Fixed

Researchers at Linköping University in Sweden have found flaws in quantum cryptography. They also supply a fix. The announcement is here; a FAQ is here; full paper is at the IEEE here (but requires an IEEE membership). The announcement says: Jan-Åke Larsson, associate professor of applied mathematics at Linköping University, working with his student Jörgen […]


Reality imitates the Onion

I’m somewhat sure this is a real AP story, “Al-Qaida No. 2 says 9/11 theory propagated by Iran.” The Onion scooped them, with “9/11 Conspiracy Theories ‘Ridiculous,’ Al Qaeda Says.” Unfortunately, no progress on the “fake tape” issue: The authenticity of the two-hour audio recording posted on an Islamic Web site could not be independently […]


Keynoting at ISSA tomorrow

I’ll be delivering the keynote at “ The Fourth Annual ISSA Northwest Regional Security Conference” tomorrow in Olympia, Washington. I’m honored to have been selected, and really excited to be talking about “the crisis in information security.” The topics will be somewhat familiar to readers of this blog, but in a longer, more coherent format […]


WEIS 2008: Register now

Registration is under way for the seventh Workshop on the Economics of Information Security , hosted by the Center for Digital Strategies at Dartmouth’s Tuck School of Business June 25-28, 2008 The call for papers, and archives of past workshops give a good sense of what you’ll find (and it is awesome and well worth […]


More New School Reviews

Gary McGraw says buy it for the cover: The New School of Information Security is a book worth buying for the cover alone. I know of no other computer security book with a Kandinski on the front. Even though I know Adam Shostack from way back (and never could have predicted that he would become […]


Why Aren’t there More Paul Grahams?

Paul Graham has an interesting essay “Why There Aren’t More Googles.” In it, he talks about how VC are shying away from doing lots of little deals, and how the bold ideas are the ones that are hardest to fund: And yet it’s the bold ideas that generate the biggest returns. Any really good new […]


Edward Lorenz, 1917-2008

Edward Lorenz, most famous for research concerning the sensitivity of high-level outcomes to seemingly insubstantial variations in initial conditions (the so-called “butterfly effect“), died April 16 in Cambridge, Massachusetts. Much more information concerning Lorenz’s life and work is available via Wikipedia.


Congratulations to the CVE team!

The CVE Web site now contains 30,000 unique information security issues with publicly known names. CVE, which began in 1999 with just 321 common names on the CVE List, is considered the international standard for public software vulnerability names. Information security professionals and product vendors from around the world use CVE Identifiers (CVE-IDs) as a […]


Center for Innovative Financial Technology Launches at Berkeley

Congratulations to Berkeley on setting up a “Center for Innovative Financial Technology“, but I wonder why their mission is so conservative? The mission of the Center is to conduct and facilitate innovative research and teaching on how new technologies impact global electronic markets, investment strategies, and the stability of the financial system. The information people […]


User Friendly Gets It

In his inimitable way, Illiad has hi-lighted that the miscreants have moved from the operating system to the applications.


Virginia gets it

[…]an individual or entity that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to the Office of the Attorney General and any affected resident of the Commonwealth without unreasonable delay. Virginia’s […]


One Nation Under CCTV

Banksy has done a wonderful service. The well-known artist has given us delightful commentary on surveillance. Better than that, he did it in a site above a Post Office yard in London (Newman Street, near Oxford Circus), behind a security fence and under surveillance by CCTV. His team erected three stories of scaffolding on Saturday, […]


Bot construction kit for non-programmers

We all know that ID theft and extortion bots are ubiquitous. Perhaps it is some consolation that a modicum of technical skill is needed to construct such things. That has changed. I (a complete non-programmer) have just built not one but two “bots” using materials available here and here! With these templates, any 8 year-old […]


Generativity, Emergent Chaos and Adam Thierer

Jonathan Zittrain, a professor at Oxford, has a new book, “The Future of The Internet.” He’s adapted some of the ideas into a long and worthwhile essay, “Protecting the Internet Without Wrecking It.” In that essay, he uses the term “generativity” to refer to a system which has what I would call ’emergent chaos.’ A […]


Privacy Act and "actual damages"

Lauren Gelman writes: I’m breaking blog silence to report on an amazing decision out of the DC Circuit holding that the federal Privacy Act’s requirement that Plaintiffs show actual damages does not require pecuniary harm but can be met by a showing of emotional distress. Am. Fed’n of Gov’t Employees v. Hawley, D.D.C., No. 07-00855, […]


Attrition ends Dataloss — NOT!

UPDATE: This was a belated April Fools’ from the Attrition people, which clearly suckered me in.’s Lyger has announced the end of Attrition’s Dataloss project (presumably including both the DLDOS and Dataloss mailing list). In the past few weeks, it has come to our attention that too many people are more concerned with making […]


41 and counting

Virginia, West Virginia, and South Carolina are the latest states to pass data breach notification laws, bringing to 42 the total number of states with such laws on the books (including the one state with a law that applies only to public entities, Oklahoma) See More Breach Notification Laws — 42 States and Counting at […]


RSA Crazy Busy, book notes

I’m sorry blogging has been light, but RSA has been really busy. I did want to post a quick reminder, I’ll be doing a book singing at 2.30 at the RSA bookstore. PS: I know, that should really say “signing,” not “singing” but I decided I like the typo. If enough people show up and […]


Amazon and The New School

Several of you have mailed or commented about the New School being “delayed” from Amazon. I apologize, this was a surprise to me. What our publisher says: Because of their set-up, Amazon has been taking longer to get a book available for shipping. As you can see this causes problems when they list the pub […]


New School of Information Security: book signing at RSA

I’ll be at RSA next week, and have a book signing scheduled for 2:30 PM Wednesday (April 9) at the RSA bookstore. To be more clear: The RSA bookstore will have copies for sale. I know many of you are waiting for copies. Many of our reviewers emailed me in the last day or two […]


The FDIC's Cyber Fraud Report

The FDIC’s Division of Supervision and Consumer Protection didn’t release a report titled “Cyber Fraud and Financial Crime” on November 9, 2007. That release was left to Brian Krebs, a reporter with the Washington Post, in early March, who blogged about it in “Banks: Losses From Computer Intrusions Up in 2007” and “The FDIC Computer […]


94% of Philippine IT Professionals Endorse Breach Disclosure

“LOCAL SURVEY SHOWS: Private sector wants breach of information systems reported :” MANILA, Philippines — Local organizations want the breach of information systems and theft of personal information reported, a survey conducted by the Cyberspace Policy Center for Asia Pacific (CPCAP) showed. “A surprising 94 percent favored the imposition by law of [an] obligation upon […]


Do you feel like we do?

As many EC readers realize, press reports about data breaches involving lost or stolen computers often contain statements something like “The actual risk is thought to be minimal, since a password is required to login to the missing computer”. Such statements are sufficiently numerous that the pre-eminent source of breach data,, have issued a […]


I see you stand like greyhounds in the slips…

…straining upon the start. The game’s afoot! Follow your spirit; and upon this charge Cry ‘God for Harry, England, and Saint George!’ So closes the speech before battle which Shakespeare wrote for Henry V. You know, the one which opens, ““Once more into the breach:” (Thoughts on the cumulative effects of notification letters).” I seem […]


Black Hat Speaker Selection

Black Hat USA News: We’re very proud to announce a new feature for paid Black Hat attendees starting with the USA show in August – delegate access to our CFP system! Paid delegates can now log into our CFP database, read and review our proposed presentations and share their ratings and comments with Black Hat. […]


Wendy Richmond’s Surreptitious Cellphone

At the International Association of Privacy Professionals meeting last week, I had the pleasure of meeting Wendy Richmond. Richmond is intrigued with the ways in which we share our public space. Some of us create invisible buffer zones for quiet reverie; others enhance or negate reverie through portable technology like iPods, cell phones and laptops. […]


A Crime That Flourishes Because Victims Remain Silent

There’s a fascinating article in the New York Times, “Report Sketches Crime Costing Billions: Theft From Charities.” “I gave a talk to a group of nonprofit executives a few weeks ago, and every single one of them had a fraud story to tell,” said one of the report’s authors, Janet S. Greenlee, an associate professor […]


Dan Solove's books free and online

Dan Solove has put his two current books, “The Future of Reputation” and “The Digital Person” online for free. I’ve felt bad in not reviewing The Future of Reputation, because I really enjoyed it, and have been trying to figure out what to say. Solove does a great job of surveying reputation in its many […]


Saving the Taxpayers Money

The Washington Times reports, “Outsourced passports netting govt. profits, risking national security.” It is the first of a three-parter. Interesting comments: The United States has outsourced the manufacturing of its electronic passports to overseas companies — including one in Thailand that was victimized by Chinese espionage — raising concerns that cost savings are being put […]


Science in Action

The New Scientist reports in, “Have peacock tails lost their sexual allure?” A controversial study has found no evidence for the traditional view – practically enshrined in evolutionary lore – that peahens choose their partners depending on the quality of the peacocks’ tails. Obviously, traditionalists have many things to say about the quality of the […]


New, Improved Indiana Breach Law

Thanks to infosec expert (and Indiana resident) Chris Soghoian, and a receptive state legislator who listened to an informed constituent, Indiana now has a much improved breach notification law , closing a loophole we discussed previously. We’ve written about expert involvement in crafting improved state laws before, most recently here. BTW, the loophole Indiana has […]


The Principal-Agent Problem in Security

There’s a fascinating article in the New York Times, “At Bear Stearns, Meet the New Boss.” What makes it fascinating is the human emotion displayed: “In this room are people who have built this firm and lost a lot, our fortunes,” one Bear executive said to Mr. Dimon with anger in his voice. “What will […]


On the Frequency of Fake bin Laden Messages

I’ve noticed that every time there’s a new message from Osama bin Laden, the press very carefully calls into question its authenticity. For example, CNN’s article “Purported bin Laden message: Iraq is ‘perfect base’” opens: Al-Jazeera broadcast on Thursday an audiotape on which a voice identified as Osama bin Laden declares “Iraq is the perfect […]


Ain’t Nobody’s Business But My Own

A year ago, I discussed stupid email disclaimers in, “If I Screw Up, It’s Your Fault!” This week, Brian Krebs of the Washington Post comes over the same issue, indirectly, in his “They Told You Not To Reply.” Krebs tells the story of Chet Faliszek, who owns the domain, which he bought in 2000 […]


Avoid ID theft: Don’t run for President

The Washington Post reports: The State Department said last night that it had fired two contract employees and disciplined a third for accessing Sen. Barack Obama’s passport file. Obama’s presidential campaign immediately called for a “complete investigation.” State Department spokesman Tom Casey said the employees had individually looked into Obama’s passport file on Jan. 9, […]


First in-depth review

Andre Gironda writes “Implications of The New School:” Additionally, the authors immediately begin the book with how they are going to write it — how they don’t reference anything in great detail, but that the endnotes should suffice. This also put me off a bit… that is — until I got to the endnotes! Certainly […]


Algorithms for the War on the Unexpected

Technology Review has an article, “The Technology That Toppled Eliot Spitzer.” What jumped out at me was the explicit statement that strange is bad, scary and in need of investigation. Bruce Schneier is talking a lot about the war on the unexpected, and this fits right into that. Each category is analyzed to determine patterns […]


Context, please!

Chess masters will sometimes play chess against a dozen or more competitors at once, walking from board to board and making a move. The way they do this isn’t to remember the games, but to look at the board, and make a decent (to a master) move each time. They look at the board, get […]


Hannaford: 4.2 million card #s potentially exposed

Hannaford says the security breach affects all of its 165 stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products. The company puts the number of unique credit and debit card numbers that were potentially exposed to fraud at 4.2 million. The company is currently […]


More New School feedback

Our editor says that the Safari e-book edition of The New School is now available. Hardcopies should be out in a week or so. Jon Pincus gives us a mention in his long article “Indeed! The Economist on “computer science as a social science”” and comments that we “explicitly include discussions of diversity in the […]


Bear Stearns

Dan Geer is fond of saying that financial risk management works because everyone knows who owns what risks. Reports are that JPMorgan just bought Bear Stearns for $236MM, a 93% discount to Friday’s closing price, with $30BB of US taxpayer money thrown in (as guarantees) for good measure. Bloomberg also reports that the Bear Stearns […]


Reporting on Data Breaches: US and Great Britain

Is the recent wave of reporting on British data breaches similar to what we’ve been seeing in the US? A couple of things seem true: the US has way more reported breaches per capita, but both locations have seen greatly accelerated reporting. Here’s a plot of all US (Country = ‘US’) and British (Country = […]


Liechtenstein Über Alles?

The New York Times had a story, “Tax Inquiry? Principality Is Offended:” After weathering days of criticism from Germany over a spectacular tax evasion case, Liechtenstein — sometimes seen as the inspiration for the satirical novel from the 1950s about a tiny Alpine principality that declared war on the United States — is digging in […]


Speaking of Privacy….

I was dismayed to learn that footage of Spitzer’s (alleged) rent-a-babe “Kristin” performing in a class play while in elementary school has been featured at various web sites — among them serious sites that should know better. One could argue that this woman made her bed, and now she can lie in it (puns intended). […]


Banks, Privacy and Revenge

Eliot Spitzer made a name for himself attacking banks. Setting aside the legitimacy of those attacks, I find it shocking that he didn’t realize how much banks know about each one of us. It’s doubly shocking that he didn’t expect revenge. The New York Times claimed that the “Revelations Began in [a] Routine Tax Inquiry.” […]


More Hardware Security Shown to be Bunk

After showing that “encrypted” disk drives only encrypted the password you use, not the data, Heise-Online now shows that fingerprint-access is often bunk: Manufacturers of USB sticks and cards with fingerprint readers promise us that their data safes can only be opened with the right fingerprint. It turns out that an easy-to-find tool allows nosy […]


Thank you, Usenix!

I’m delighted to report that USENIX, probably the most important technical society at which I publish (and on whose board I serve), has taken a long-overdue lead toward openly disseminating scientific research. Effective immediately, all USENIX proceedings and papers will be freely available on the USENIX web site as soon as they are published. (Previously, […]


Quantum Progress

What is it about the word “quantum” that sucks the brains out of otherwise reasonable people? There has to be some sort of Heisenberg-Schödinger Credulity Principle that makes all the ideons in their brains go spin-up at the same time, and I’m quite sure that the Many Worlds Interpretation of it has the most merit. […]


Dan Geer: Economics and Strategies of Data Security

Speaking of books: This book explores the dramatic shift from infrastructure protection to information protection, explaining why data security is critical to business today. It describes how implementing successful data security solutions across sophisticated global organizations requires a new data-centric, risk based and strategic approach, and defines the concepts and economics of a sound data […]


Reactions to "The New School:" Thank you!

A big thank you to those of you who picked up the New school in your blogs and mailing lists. Ryan Hurst says: This is a concept I know I beleive in, one I have discussed numerous times with folks over beer; with that being said I can’t wait to get my copy to see […]


Belva's got a brand new blog

Ken Belva has a new blog at Looks like it is more “formal” and magazine-like than the typical blog, which many people will appreciate. There seems to be a pretty solid collection of contributors, and the hunt is on for additional qualified writers. There’s even a raffle for an iPod (but I already have […]


The New School of Information Security

A few days ago, we turned in the very last edits to The New School of Information Security to Addison-Wesley. My co-author, Andrew Stewart, and I are both really excited. The New School is a systemic look at dysfunction within information security, and a look at some of the ways people are looking to make […]


Are We Measuring the Right Things?

One of the reasons that airline passengers sit on the tarmac for hours before takeoff is how the FAA Department of Transportation measures “on time departures.” The on time departure is measured by push-back from the gate, not wheels leaving the tarmac. (Airlines argue that the former is in their control.) If you measure the […]


WOOT08 Call for Papers

Progress in the field of computer security is driven by a symbiotic relationship between our understandings of attack and of defense. The USENIX Workshop on Offensive Technologies aims to bring together researchers and practitioners in system security to present research advancing the understanding of attacks on operating systems, networks, and applications. 2nd USENIX Workshop on […]


You Can't Say That: Blogging Your Failures

I forgot exactly where I saw the link to Ben Neumann’s Views from the Trenches, but the opening lines of his post “Network Outage” are great, doubly for what he’s just gone through: Today was a NIGHTMARE-DAY! just emerged from a major outage – the worst in company history and everybody – customers and […]


There’s Going to Be a Paper-Scorching Ka-Booom!

The New York Times has a great story about Cai Gou-Qiang, an artist who works in gunpowder. “The Pyrotechnic Imagination.” It’s pretty cool stuff for a lazy weekend afternoon read. [I forgot to mention, he has a show at the Guggenheim, and their press release states, “For publicity images go to User ID = […]


Friday Pogues Blogging

I saw the Pogues’ show at Chicago’s Riviera Theatre last night, exactly 22 years minus one day since the last time I saw them. Spider Stacy seems to have fared a tad better than Shane :^). The show was good, but of course nothing can compare to nostalgia. A particularly enjoyable feature for me was […]


Microsoft Acquires Credentica’s U-Prove

I am tremendously pleased to say that Microsoft has closed an acquisition of Credentica‘s U-Prove technology. This technology adds a new and important set of choices in how we as a society deal with identity and properties of people. Kim Cameron has the official announcement, “Microsoft to adopt Stefan Brands’ Technology” and Stefan Brands has […]


Analyzing the Analysts

In Things Are Looking Up For TJX, or, Javelin Research – Credibility Issues?, Alex takes a look at research released by Javelin, and compares it to some SEC filings. Javelin is making the argument that companies that suffer massive breaches will lose market share. As do these folks at Response Source: “LATEST NATIONAL RESEARCH REVEALS […]


Credit Ratings for Governments?

Last week, I talked about consumer credit in “The real problem in ID theft.” Yesterday, the New York Times had a story, “States and Cities Start Rebelling on Bond Ratings:” A complex system of credit ratings and insurance policies that Wall Street uses to set prices for municipal bonds makes borrowing needlessly expensive for many […]


I've Made Up My Mind, Don't Bother Me With the Facts

The report, Educational Security Incidents (ESI) Year in Review, spotlights institutions worldwide, and Penn State was included in the report with one data breach last year. … “My goal with ESI is to, hopefully, increase awareness within higher education that not only is information security a concern, but that the threats to college and university […]


The real problem in ID theft

In “Reckoning day for ChoicePoint, “Rich Stiennon writes: The real culprit is actually ChoicePoint itself and the three bureaus. By creating what is supposedly a superior solution than the old fashioned way of granting credit (knowing your customer, personal references, bank references, like they do it in most of the rest of the world) they […]


Damn You, Beaker!

Yesterday Hoff blogged about McGovern’s “Ten Mistakes That CIOs Consistently Make That Weaken Enterprise Security” and added ten more of his own. I’m particularly annoyed at him for #4: Awareness initiatives are good for sexual harassment and copier training, not security. Why? Because, damn that really sums it up. I wish that I had thought […]


US Banks Rated for Identity Theft

Chris Hoofnagle has completed a paper which ranks US financial institutions according to their relative incidence of ID theft, based on reports to the FTC by consumers who named an institution. Chris (like another Chris I know) would like to see more complete information on ID theft available to consumers, so they can make informed […]


Threat Modeling Blog Series

Over on my work blog, I just wrapped up a series on threat modeling. Because blogs display the content backwards, I’ve put the entire series up as a Word doc: The Trouble With Threat Modeling. [Update: If you want to see all the threat modeling posts, they’re at Threat Modeling SDL blog posts. They’re displayed […]


Saying it loud — OpenID leads to phishing

Kim Cameron not only admits what Ben Laurie has said here, here, and here, but he says it succinctly: OpenID provides convenience and power but suffers the problem of all the Single Sign On technologies – the more it succeeds, the more dramatically phishable it will become. There you have it. It has long been […]


Not Dead Yet

Dan Solove has an interesting article up, “Coming Back from the Dead.” It’s about people who are marked dead by the Social Security Administration and the living hell their lives become: Dan starts with quotes from the WSMV News story, “Government Still Declares Living Woman Dead” According to government paperwork, Laura Todd has been dead […]


More airport security toys

“Let’s play ‘airport security’,” says Foriegn Policy. It’s like playing Doctor, only with latex gloves and inappropriate touching. In an effort to help children understand and be comfortable and confident in the need and process of higher security protocols we’ve developed a new play and learning toy and resource web site to promote and educate […]


Dubai banks hiring hackers (no word on if a drug test is needed)

Dubai, as Adam pointed out, is in something of a branding quandary. A hard line – some would say a retrograde and counterproductive line – on victimless crime doesn’t mix well with an image as a fun spot for the well-heeled. Meanwhile, there’s this (from Emirates Business 24-7, retrieved 2/21/2008): Dubai-based banks are recruiting former […]


Cat Le-Huy, Dubai and the moral high ground

Cat Le-Huy is a friend of friends who has been “detained” entering Dubai. I put detained in quotes, because he’s been thrown into prison, where he’s now spent a few weeks. He claims he was carrying melatonin, which is legal in Dubai, and the authorities have charged that there was .001 gram (1 milligram) of […]


Time To Rethink The Efficacy Of That Hard Drive Crypto

As we love to say, if you have physical access to a machine, then you have access to all the data on it. Today Ed Felten et al. proved that yet again when they released a paper describing cold boot attacks on encryption keys. In it, they DRAM can be stripped (even after a full […]


Back in the ring to take another swing

Via Kable’s Government Computing, comes news that the British House of Lords “Science and Technology Committee has announced a follow-up inquiry to its ‘Personal Internet Security’ report”. Chair of the committee Lord Sutherland said: “The committee was disappointed with the government’s response to its report. We felt they had failed to address some of our […]


Here we go…

Experian sues Lifelock. I think I can hear the champagne corks popping at ID Analytics from here. They, arguably, provide a service which is similar enough (a detective control against new account fraud, rather than a preventative control), but theirs operates through a different mechanism. I’d like to see some numbers showing the efficacy of […]


Sivacracy on Privacy and Surveillance

Last week, Siva Vaidhyanathan, of Sivacracy, released a new column in the Chronicle of Higher Education, Naked in the ‘Nonopticon’ has some refreshing thoughts on privacy and surveillance that I wish more of us on the security side understood better. His main themes are (in his own words): 1) Anyone who claims “young people don’t […]


A++++ Fast and Professional!! Would Read Again!

In “Crowd control at eBay,” Nick Carr writes: EBay has been struggling for some time with growing discontent among its members, and it has rolled out a series of new controls and regulations to try to stem the erosion of trust in its market. At the end of last month, it announced sweeping changes to […]


Where's the Beef?

As I was driving home, listening to the radio, I heard this: We’ve been really astonished by how some of the most high-profile situations actually resulted in increased consumer confidence, because sometimes high-profile issues give us an opportunity to talk about what we do, and that has actually encouraged consumers. No, it’s not a TJX […]


By their fruits, ye shall know them

We’ve made frequent calls here at EC for improved breach breach reporting. In particular, we’ve said that governments (be they state, provincial, national, whatever) should provide standardized reporting forms, should collect a basic set of facts in each report, should require precision in reporting rather than accepting weasel-words, and should mandate centralized reporting, so that […]


Chill, dude.

Because Baltimore police officer Salvatore Rivieri seemingly was unable to tell he was being filmed. Pity. There’s some infosec relevance to obsessing and overreacting to one thing, while being oblivious to another that could prove far more damaging.



Via Michael Froomkin.


Obama vs. McDonalds

As he was winning contests in Iowa and South Carolina, Senator Barack Obama raised $32 million in January for his presidential bid, tapping 170,000 new contributors to rake in nearly double the highest previous one-month total for any candidate in this election cycle. The New York TImes, “Enlisting New Donors, Obama Reaped $32 Million in […]



Unfortunately, this was easy to see coming.


Breach Laws Charts (updated)

A while back, I posted a list of breach laws. I’ve now added the CSO map, which is pretty cool. Scott and Scott, one page reference chart Perkins, Coie summary of laws Proskauer Rose listing of laws (Updated 1 December 2007) Julie Brill, Assistant Attorney General, Vermont (not online). CSO Magazine has an interactive chart […]


Because RealID Isn't Good Enough

Apparently we need not one, but two national ID cards. Illinois Reps. Mark Kirk and Peter Roskam (may they not get re-elected in November) are introducing legislation that would mandate that Social Security cards have “a photograph and fingerprint, as well as a computer chip, bar code and magnetic strip.” The cards would be modeled […]


Scott Page’s The Difference

A lot of people think of calls for diversity as fuzzy headed liberalism at its worst. If you’re one of them, please keep reading. Or you could click here and just


Two brief followups to "Already donated the limit"

First, I’d like to thank everyone for keeping the comments civil and constructive. Second, I’d like to respond to Philll’s comment, “You sure do pick the strangest issues to make non-negotiable.” I picked this because it struck me that the rules in question were being accepted and treated in the various discussions as fixed and […]


Parking Meters are Reverse Slot Machines

Raymond Chen has an amusing blog post, “When computer programmers dabble in economics: Paying parking tickets.” This is further dabbling in economics, and I hope you find it amusing. I believe that parking meters–the old fashioned kind where you put coins in and hope to not get a ticket–are precisely the opposite of slot machines. […]


"Already donated the limit"

I was listening to the radio yesterday, a show about Super Tuesday. First, a big thank you to all the Democrats who voted


Economist Debates Security V Privacy

The Economist emails: Our second series of three debates kicks off today and the first proposition raises important questions about civil rights and the trade-off between Privacy vs. Security. As a blogger and member of the community that The Economist aims to serve with this lively debate, we wanted to extend an invitation to you […]


People Not Being Terrorized

Recently, a group of passengers on the London Underground performed the dance from Michael Jackson’s “Thriller” in front of an unsuspecting audience. Shockingly, no one panicked. You can see one passenger move out of the way, but people otherwise just sat there and watched. When the performance was done, the fellow-passengers applauded. Security was not […]


Emergent Chaos Primary Endorsements

Well, Super Tuesday is here in the United States, and some millions of people will stand up and vote or caucus for the candidate of their choice. We here at Emergent Chaos have spent tremendous amounts of time watching the election, and we wanted to offer up some of the least-awaited endorsements in the bloggosphere. […]


Password Fatigue

The Macquarie Dictionary of Australia has an annual contest for Word of the Year. The People’s Choice Award goes to the term that is the title of this post: password fatigue noun a level of frustration reached by having too many different passwords to remember, resulting in an inability to remember even those most commonly […]


Computer Capers and Progress

We’re coming up on the 30th anniversary of the publication of “Computer Capers: Tales of electronic thievery, embezzlement, and fraud,” by Thomas Whiteside. What, might you ask, can we learn from a 30 year old text? Nothing has changed. Except, for some of the names. Donn Parker is in there, as are a melange of […]


How To Fly With An Expired License

Yahoo news recently reported the story of Charleston, West Virginia Mayor Danny Jones who used a photo of himself in a magazine to prove his identity. In brief, he was flying out of John Wayne Airport and his drivers license was expired so he wasn’t going to be allowed to get past security. The Charleston […]


A Cha-cha all the way to the bank

On the beaches of Mexico, they’re talking about Copacabana, a new cipher-cracker that works on DES and other ciphers with a 64-bit key. Yes, this has been done before, but this is interesting for a number of reasons. First is the price. About €9,000. Second, there’s the performance. A complete DES keyspace sweep in a […]


ANSI on Identity Fraud

Tomorrow at 2 Eastern, ANSI will be hosting a Identity Theft Prevention and Identity Management Standards Panel. Key analysts, industry leaders, and members of the Identity Theft Prevention and Identity Management Standards Panel (IDSP) will lead an online discussion of a new report that promotes access to and implementation of tools and processes that can […]


Adam’s Law of Perversity in Computer Security

Rybolov had an interesting comment on my post, “How taxing is it to read a tape?” He wrote about how hard it can be, and closed: I think the key is that it’s hard for the average person to read tapes if they found/stole them, but for a moderately-large organization/attacker, it’s possible. I think this […]


"We have to be careful we don't release the wrong person"

Hence, we imprison and deport American citizens for immigration violations. Thomas Warziniack was born in Minnesota and grew up in Georgia, but immigration authorities pronounced him an illegal immigrant from Russia. Immigration and Customs Enforcement has held Warziniack for weeks in an Arizona detention facility with the aim of deporting him to a country he’s […]


How dumb do we think spammers are?

Why is it we easily admit that spammers are people smart enough to run massive bot nets, design custom malware, create rootkits, and adapt to changing protection technologies but we still think that they’re unable to write a pattern to match “user at domain dot com”? Kudos to the first person who puts such a […]


Welcome, SecurityFocus readers

The inclusion of Emergent Chaos among the blogs featured at Security Focus happened, one might say, “on Internet time”. Specifically, it was a cool idea that people talked about for a while, and then it got implemented very quickly and surprised us. Quite apropos, given this blog’s title. Anyway, Adam, EC’s bandleader, is away from […]


Programming World Going to Hell Because of Java and Grace Hopper

Ekinoderm writes in “Who did Kill the Software Engineer?” that schools today are ruining software engineering by teaching people Java. He references Joel Spolsky’s rant on the same. I agree completely, except neither went far enough! Java is just the replacement for Pascal, a pedagogical language designed because it was more fun and understandable than […]


The UK Driver's License Applicants Breach and Laws

Dark Reading reported that “Data on 3M UK Drivers ‘Lost in Iowa’.” “In May this year, Pearson Driving Assessments Ltd, a private contractor to the Driving Standards Agency, informed the agency that a hard disk drive had gone missing from its secure facility in Iowa City, Iowa,” Kelly said. “The hard disk drive contained the […]


Why some companies hire PR staff

2008, for us, is a big change because up to now we have been more like a terrorist group, threatening to do something and making big claims. Nicholas Negroponte, of the One Laptop Per Child program, speaking on his own web site. Wow. There’s a stunning analogy for you. Maybe “we’ve been more like a […]


Welcome, Crispin!

Michael Howard has broken the news: “Crispin Cowan joins Windows Security: I am delighted to announce that Crispin Cowan has joined the core Windows Security Team! For those of you who don’t know Crispin, Crispin is responsible for a number of very well respected Linux-based security technologies such as StackGuard, the Immunix Linux distro, SubDomain […]


Microsoft Has Trouble Programming the Intel Architecture

Microsoft Office 2008 for the Macintosh is out, and as there is in any software release from anyone there’s a lot of whining from people who don’t like change. (This is not a criticism of those people; I am often in their ranks.) Most of the whining comes because Office 2008 does not include Visual […]


How taxing is it to read a tape?

In “Athenian Economy and Society: a banking perspective,” Edward Cohen uses the fascinating technique of trusting in offhand comments. He uses the technique to analyze court records to reconstruct banking. You might not be able to trust the main testimony in a trial, but no one will offhandedly say something shocking and strange, because it […]


Reporting on breaches

It started with Mark Jewell of the AP, “Groups: Record data breaches in 2007.” Dissent responded to that in “Looking at 2007’s data breaches in perspective:” The following table depicts the number of U.S. incidents reported and the corresponding number of records reported expose by the three main sites that track such data:, the […]


One man's vulgarity is another's lyric

DOYLESTOWN, Pennsylvania (AP) — A man who wrote a vulgar message on the memo line of a check he used to pay a $5 parking ticket has apologized in writing, leading police to drop a disorderly conduct charge against him. David Binner sent the check after receiving a $5 parking ticket. He calls it “a […]


Hurricane Ivan From the Space Station

Every now and then, an “Astronomy Picture of the Day” is just breathtaking. Today’s is Hurricane Ivan from the Space Station. Click for the larger view.


TSA's insecure "Traveller Identity Verification" site slammed by Oversight Committee

First exposed nearly a year ago, by DIY boarding pass mastermind Chris Soghoian, a TSA web site intended to help travelers improperly recorded on watch lists has been slammed by a House Oversight and Government Reform Committee report: TSA awarded the website contract without competition. TSA gave a small, Virginia-based contractor called Desyne Web Services […]


Risk Assessment is Hard

The BBC reports (TV personality) “Clarkson stung after bank prank” in which he published his bank account numbers in the newspaper: The Top Gear host revealed his account numbers after rubbishing the furore over the loss of 25 million people’s personal details on two computer discs. He wanted to prove the story was a fuss […]


The Laboratories of Democracy in Action

Chris emailed me a bit before Christmas with a link to the new “New York State Security Breach Reporting Form.” How could we withhold this exciting news? I wanted to wait until people were back from vacation, so they didn’t miss it. The form is important because it’s starting to ask for more data. There’s […]


How about a little fire?

At WD-50 I saw something done to the potatoes that makes a cook scream, “yes!” A method of cooking the potatoes with an explanation using true understanding of the molecules inside the potatoes and the effects of heat on them. The potatoes are peeled, sliced, and cooked in a water bath at 65 degrees celsius […]


Andy Olmsted

Andy Olmsted, who posted as G’Kar on Obsidian Wings, was killed yesterday in Iraq. I always enjoyed his posts, especially when I disagreed with them, because he was so clearly thoughtful. I find myself terribly sad for the death of a man who I only knew through his words. He asked that we not politicize […]


Ohio Voters May Demand Paper Ballots

Ohio Secretary or State Jennifer Brunner announced yesterday that paper ballots must be provided on request. Poll workers won’t be told to offer the option to voters but must provide a ballot if requested to help “avoid any loss of confidence by voters that their ballot has been accurately cast or recorded,” a directive from […]


Citibank limiting ATM withdrawals in NYC?

Title: Citibank limits ATM cash in city Author: KERRY BURKE and LARRY McSHANE Source: DAILY NEWS Date Published:January 3rd 2008 Excerpt: The New York-based Daily News reported today that Citibank has limited the cash amount its customers can take out of ATM machines. It is being reported that the security of Citibank’s ATM machines in […]


Send data leakers to jail? Heck, no!

In “Data breach officials could be sent to the big house,” we learn: In his update on the HMRC data loss to MPs yesterday, Alistair Darling said: “There will now also be new sanctions under the Data Protection Act for the most serious breaches of its principles. “These will take account of the need not […]


New breach blog

Evan Francen is maintaining a breach blog with more structure and commentary than either PogoWasRight or Attrition. As I looked at it, I had a couple of thoughts. The first is that he doesn’t reference Attrition DLDOS numbers. (Then again, Pogo doesn’t either.) I think this is a mistake. When we founded CVE, it was […]


Quick Links: 2017-Present | 2016 | 2015 | 2014 | 2013 | 2012 | 2011 | 2010 | 2009 | 2008 | 2007 | 2006 | 2005 | 2004