From Bruce Schneier: "At least they're honest about it this time."
Via Talking Points Memo, this reminder that on the Internet, nobody knows you're a dog...but they do know what terminal you're using:
In late August, someone with an IP address that originated from the National Institutes of Health drastically edited the Wikipedia entry for the National Institute on Drug Abuse, which operates within NIH. Wikipedia determined the edit to be vandalism and automatically changed the definition back to the original. On Sept. 18, the NIH vandal returned, according to a history of the site's edits posted by Wikipedia. This time, the definition was gradually changed, presumably to avoid the vandalism detector.
People forget about this quite a bit. On the Internet, your browser must send a request to a Web server to get a Web page. In order for the Web server to respond, it has to know where to send the page; ergo, every time you hit a Web site, you tell that site who you are, or at least the IP address you are connecting from. Wikipedia records that address with every anonymous edit and uses this simple fact to help determine the value of contributions. In this case, it worked perfectly.
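As an added illustration (not part of the original post, and not Wikipedia's own software), the snippet below shows what a server-side application actually has to work with: the peer address of the TCP connection, which the client cannot forge, versus the X-Forwarded-For header, which it can. The netblocks, owner labels and proxy address are constructed placeholders, not real NIH allocations.

```python
"""Attribute an anonymous web edit to a source network.

Added example: the peer address of the TCP connection is reported by the
kernel and is what a site like Wikipedia logs for anonymous edits.  The
CIDR table, owner labels and proxy address below are constructed
placeholders for illustration only.
"""
import ipaddress
from typing import Optional

# Constructed table: CIDR block -> owner label.  Real attribution would
# come from WHOIS / RIR data; these prefixes are documentation ranges.
NETBLOCKS = {
    "198.51.100.0/24": "Example Agency (placeholder)",
    "203.0.113.0/24": "Example ISP (placeholder)",
}

# Reverse proxies whose X-Forwarded-For header the application may believe.
# Any other peer could have written that header itself.
TRUSTED_PROXIES = {"10.0.0.5"}


def client_address(peer_addr: str, x_forwarded_for: Optional[str] = None) -> str:
    """Return the address an edit should be attributed to.

    peer_addr is the remote end of the TCP connection and cannot be spoofed
    by the HTTP client.  X-Forwarded-For is an ordinary header, so it is only
    honoured when the peer is one of our own proxies; in that case the
    rightmost entry is the one the trusted proxy appended.
    """
    if x_forwarded_for and peer_addr in TRUSTED_PROXIES:
        return x_forwarded_for.split(",")[-1].strip()
    return peer_addr


def attribute(addr: str) -> Optional[str]:
    """Map an IP address to the owner of the enclosing netblock, if any."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for cidr, owner in NETBLOCKS.items():
        if ip in ipaddress.ip_network(cidr):
            return owner
    return None


def attribute_request(peer_addr: str, x_forwarded_for: Optional[str] = None) -> Optional[str]:
    """Full pipeline: pick the trustworthy address, then look up its owner."""
    return attribute(client_address(peer_addr, x_forwarded_for))


if __name__ == "__main__":
    # Constructed requests: a direct connection, a forged header from an
    # untrusted peer, and a genuine header relayed by the trusted proxy.
    print(attribute_request("198.51.100.7"))
    print(attribute_request("203.0.113.9", "198.51.100.7"))
    print(attribute_request("10.0.0.5", "198.51.100.7"))
```

The second call is the case that matters for detection work: a client on the ISP block sends a header claiming the agency address, and the application correctly ignores it because the header did not come from a trusted proxy.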
Security expert Bruce Schneier finds some cases of appropriate and helpful security theater:
Security is both a reality and a feeling. The reality of security is mathematical, based on the probability of different risks and the effectiveness of different countermeasures. We know the infant abduction rates and how well the bracelets reduce those rates. We also know the cost of the bracelets, and can thus calculate whether they're a cost-effective security measure or not. But security is also a feeling, based on individual psychological reactions to both the risks and the countermeasures. And the two things are different: You can be secure even though you don't feel secure, and you can feel secure even though you're not really secure.
The Aircraft Owners and Pilots Association reports that an enormous block of airspace around Washington is off-limits to general aviation tonight because of the State of the Union Address:
During the president's speech to Congress and the nation, no flights are allowed to or from any of the 21 airports within the Washington, D.C., ADIZ, including pattern work. The special ingress/egress procedures for the "DC-3" airports inside the Flight Restricted Zone are also suspended. Only IFR flights to and from Washington Dulles International (IAD) and Baltimore/Washington International Thurgood Marshall (BWI) airports will be allowed.
This is what security expert Bruce Schneier calls "security theater."
The New York Times picked up the ongoing story of botnets, networks of computers that spammers and other miscreants have taken over:
According to the annual intelligence report of MessageLabs, a New York-based computer security firm, more than 80 percent of all spam now originates from botnets. Last month, for the first time ever, a single Internet service provider generated more than one billion spam e-mail messages in a 24-hour period, according to a ranking system maintained by Trend Micro, the computer security firm. That indicated that machines of the service providers' customers had been woven into a giant network, with a single control point using them to pump out spam.
Users, ISPs, users, software vendors, and users contribute to the problem:
Serry Winkler, a sales representative in Denver, said that she had turned off the network-security software provided by her Internet service provider because it slowed performance to a crawl on her PC, which was running Windows 98. A few months ago four sheriff’s deputies pounded on her apartment door to confiscate the PC, which they said was being used to order goods from Sears with a stolen credit card. The computer, it turned out, had been commandeered by an intruder who was using it remotely.
Note that Winkler's computer probably ran slowly because it had already been infected; the ISP's security software had a lot of work to do because of that.
At least with the Times picking up the story, perhaps more people will notice.
The New York Times (registration required) has finally picked up a year-old article by security expert Bruce Schneier, taking the TSA to task for concentrating more on theater than on actual security:
FOR theater on a grand scale, you can’t do better than the audience-participation dramas performed at airports, under the direction of the Transportation Security Administration.
As passengers, we tender our boarding passes and IDs when asked. We stand in lines. We empty pockets. We take off shoes. We do whatever is asked of us in these mass rites of purification. We play our assigned parts, comforted in the belief that only those whose motives are good and true will be permitted to pass through.
Of course, we never see the actual heart of the security system: the government’s computerized no-fly list, to which our names are compared when we check in for departure. The T.S.A. is much more talented, however, in the theater arts than in the design of secure systems. This becomes all too clear when we see that the agency’s security procedures are unable to withstand the playful testing of a bored computer-science student.
Four billion dollars spent on airport security that doesn't work. Could we expect anything more from this Administration (762 days, 2 hours left)?
Bruce Schneier writes today about a pernicious loss of privacy and our complacency about that:
Fewer conversations are ephemeral, and we’re losing control over the data. We trust our ISPs, employers and cellphone companies with our privacy, but again and again they’ve proven they can’t be trusted. Identity thieves routinely gain access to these repositories of our information. Paris Hilton and other celebrities have been the victims of hackers breaking into their cellphone providers’ networks. Google reads our Gmail and inserts context-dependent ads.
CNet raises an interesting problem: what happens if you die without telling anyone your passwords? It could be a real problem for your heirs:
"He did not keep a hard copy address book. I think everything was online," said [San Francisco poet William] Talcott's daughter, Julie Talcott-Fuller. "There were people he knew that I haven't been able to contact. It's been very hard."
"Yahoo (his e-mail provider) said it wouldn't give out the information due to privacy laws, but my dad is dead so I don't understand that," she said.
One solution is to use a secure password storage facility, like Bruce Schneier's Password Safe, and then put the master password in trusted escrow like a safe-deposit box or your attorney's office. Of course, you'll have to keep the escrowed copy current, because you'll change your master password at least every three months, right?
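The caveat above (an escrowed master password goes stale the moment you rotate it) has a standard answer that is worth seeing in code. The following added example is not Password Safe's code and goes beyond the post: the vault's random data key is wrapped twice, once under the master password and once under a separate recovery password that is what you actually escrow. Rotating the master password re-wraps only its own slot, so the escrowed recovery password keeps working. PBKDF2 for key derivation, an XOR-based wrap and an HMAC verifier are the assumed building blocks; a production tool would use an authenticated key wrap and an AEAD for the entries.

```python
"""Password vault with two key slots: master password and escrowed recovery.

Added example, not Password Safe's own design.  A random data key protects
the entries; each slot stores that key wrapped under a password-derived key.
Rotating the master password rewraps only the master slot, so a recovery
password held in escrow stays valid.
"""
import hashlib
import hmac
import os
import secrets

KDF_ITERATIONS = 100_000          # assumed work factor for PBKDF2-HMAC-SHA256
VERIFIER_LABEL = b"vault-key-check"


def _kek(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte key-encryption key from a password and salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS, dklen=32)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _wrap(data_key: bytes, password: str) -> dict:
    """Wrap the data key under a fresh salt.  The KEK is never reused, so XOR
    is a one-time pad over the key; it gives no integrity, which is why the
    vault also carries a verifier.  Real tools use AES-KW or an AEAD here."""
    salt = os.urandom(16)
    return {"salt": salt, "wrapped": _xor(data_key, _kek(password, salt))}


def _unwrap(slot: dict, password: str) -> bytes:
    return _xor(slot["wrapped"], _kek(password, slot["salt"]))


def new_vault(master_pw: str, recovery_pw: str) -> dict:
    """Create a vault whose data key opens with either password."""
    data_key = secrets.token_bytes(32)
    return {
        "slots": {
            "master": _wrap(data_key, master_pw),
            "recovery": _wrap(data_key, recovery_pw),   # this password is what gets escrowed
        },
        # Lets unlock() tell a wrong password from a right one without
        # revealing the data key itself.
        "verifier": hmac.new(data_key, VERIFIER_LABEL, "sha256").digest(),
    }


def unlock(vault: dict, password: str) -> bytes:
    """Try every slot; return the data key if the password opens one."""
    for slot in vault["slots"].values():
        candidate = _unwrap(slot, password)
        tag = hmac.new(candidate, VERIFIER_LABEL, "sha256").digest()
        if hmac.compare_digest(tag, vault["verifier"]):
            return candidate
    raise ValueError("no key slot opens with this password")


def password_opens(vault: dict, password: str) -> bool:
    try:
        unlock(vault, password)
        return True
    except ValueError:
        return False


def rotate_master(vault: dict, old_master_pw: str, new_master_pw: str) -> None:
    """Change the master password without touching the recovery slot."""
    data_key = unlock(vault, old_master_pw)
    vault["slots"]["master"] = _wrap(data_key, new_master_pw)


if __name__ == "__main__":
    # Constructed passwords for demonstration only.
    v = new_vault("master-2007-01", "escrowed-recovery-phrase")
    rotate_master(v, "master-2007-01", "master-2007-04")
    print("old master still works:", password_opens(v, "master-2007-01"))
    print("escrowed recovery works:", password_opens(v, "escrowed-recovery-phrase"))
```

The escrowed recovery password is the thing you put in the safe-deposit box; the master password can then change every quarter without a trip to the bank. The recovery password itself should only be rotated when you are prepared to update the escrowed copy in the same step.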