The Daily Parker

Politics, Weather, Photography, and the Dog

The threat condition level is colorless

Via Schneier, the Department of Homeland Security will soon get rid of color-coded warnings:

In an interview on “The Daily Show” last year, the homeland security chief, Janet Napolitano, said the department was “revisiting the whole issue of color codes and schemes as to whether, you know, these things really communicate anything to the American people any more.”

The answer, apparently, is no.

The Homeland Security Department said the colors would be replaced with a new system — recommendations are still under review — that should provide more clarity and guidance. The change was first reported by The Associated Press.

I wonder what that guy at O'Hare—the one who says "The current threat advisory level is orange" all day—will do now.

When to change passwords

Security guru Bruce Schneier has great advice about when to change your passwords:

The primary reason to give an authentication credential -- not just a password, but any authentication credential -- an expiration date is to limit the amount of time a lost, stolen, or forged credential can be used by someone else. If a membership card expires after a year, then if someone steals that card he can at most get a year's worth of benefit out of it. After that, it's useless.

... An attacker who gets the password to your bank account by guessing or stealing it isn't going to eavesdrop. He's going to transfer money out of your account -- and then you're going to notice. In this case, it doesn't make a lot of sense to change your password regularly -- but it's vital to change it immediately after the fraud occurs.

... So in general: you don't need to regularly change the password to your computer or online financial accounts (including the accounts at retail sites); definitely not for low-security accounts. You should change your corporate login password occasionally, and you need to take a good hard look at your friends, relatives, and paparazzi before deciding how often to change your Facebook password. But if you break up with someone you've shared a computer with, change them all.

Note to phishers

A good friend woke up this morning to find her email and Facebook accounts hacked, with a message sent out to everyone in her address book that she'd been robbed at gunpoint while visiting London and desperately needed a credit card to get on the plane back home.

Other than the story's baseline implausibility (a gun robbery in London being about as likely as getting trampled by a moose in Atlanta), there were other clues it was a phisher. For one thing, my friend is an American lawyer, not a Nigerian criminal, so she has a direct, concise, and moreover punctuated writing style not immediately in evidence in the phishing message.

The take-away, to all the would-be phishers reading this: you'll get farther with your frauds if you learn better English. Next time, instead of asking for credit-card numbers, write this: "Help! I am being held captive unless I can draft a 500-word essay on epistemology, and they'll only allow me one reference book! Please, I'm desperate, send me Strunk and White before I use unnecessary words!"

Oh, and also try hacking your victim's spouse's account, which will make it harder for people to verify the dodge.

Speaking of creativity

Waaaaay back in ancient history, I actually reported a Nigerian scammer to the FBI. This was, oh, 1997 or so, maybe 1998. The FBI already had a cybercrimes unit in San Francisco, and I had a half-hour conversation with one of the agents there about a bizarre email I'd received from a Nigerian IP address. We actually did some IP tracing and header analysis on the email to determine its origin. Yes, the scam was that new.

Who was it that said, the more things change, the more they stay the same? Right:

OFFICER IN-CHARGE:
NAME: Mr. Robert Stephen Sien @
FBI UK Internet Fraud Watch/Alert
Phone: +44 792 457 7408

We are writing in response to our track light monitoring device which we received today in our office about your transactions.

The Federal Bureau Of Investigation (FBI) Washington DC, in conjunction with the Scotland Yard, Has screened through our various Monitoring Networks also our German counterpart the anti fraud unit reported that your identity/information was used to dupe a German Business man to the tune of $5 Million USD by some Africa/Nigerian Fraudsters.

After all the series of investigations conducted here in our office we tracked your record and we found out that you have never had any fraudulent case that may jeopardize your image and personality.

We have concluded our investigation and you have been approved to be compensated from the total amount recovered for scam victims compensation. So all you need to do right now in other to receive your compensation and clear your name from the list of these Con Men which has already been forwarded to our office is to secure the CLEAN BILL CERTIFICATE immediately.

This Certificate will clear your name from the scam list which will enable you receive the sum of $500,000.00 Usd compensation fund.

You are required to contact Robert S. Sien by email: rssien@aol.com with your full name and contact details for easy communication also to guild you on how to secure the CLEAN BILL CERTIFICATE and claim your money.

THANKS FOR YOUR CO-OPERATION.

Robert Stephen Sien.
FBI SPECIAL AGENT

You know what tipped me off? What made me certain this was a 419 scammer? Because, as you can see, it's quite well crafted: no loose ends, nothing to arouse suspicion.

What tipped me off was this:

When real FBI agents refer to their employer, they never capitalize "of".

It's obvious when you look at it.

Why aren't there more terror attacks?

Bruce Schneier gives three main reasons:

One, terrorist attacks are harder to pull off than popular imagination -- and the movies -- lead everyone to believe. Two, there are far fewer terrorists than the political rhetoric of the past eight years leads everyone to believe. And three, random minor terrorist attacks don't serve Islamic terrorists' interests right now.

... So, to sum up: If you're just a loner wannabe who wants to go out with a bang, terrorism is easy. You're more likely to get caught if you take a long time to plan or involve a bunch of people, but you might succeed. If you're a representative of al-Qaida trying to make a statement in the U.S., it's much harder. You just don't have the people, and you're probably going to slip up and get caught.

Fallows on Times Square

Brilliant:

If the TSA Were Running New York

- All vans or SUVs headed into Midtown Manhattan would have to stop and have their contents inspected. If any vehicle seemed for any reason to have escaped inspection, Midtown in its entirety would be evacuated;

- A whole new uniformed force -- the Times Square Security Administration, or TsSA -- would be formed for this purpose;

- The restrictions would never be lifted and the TsSA would have permanent life, because the political incentives here work only one way.

... The point of terrorism is not to "destroy." It is to terrify. And for eight and a half years now, the dominant federal government response to terrorist threats and attacks has been to magnify their harm by increasing a mood of fear and intimidation. That is the real case against the ludicrous "orange threat level" announcements we hear every three minutes at the airport. It's not just that they're pointless, uninformative, and insulting to our collective intelligence; it's that their larger effect is to make people feel frightened rather than brave.

It always strikes me that Israel, which has actual, ongoing terrorism, doesn't x-ray people's shoes.

Pick a peck of pickled packets (Shanghai residency day 9)

The Internet experience at Pudong International Airport differs markedly from the experience at our hotel. I've noticed a pattern, whereby unencrypted data, like The Daily Parker, seems to move about an order of magnitude faster than encrypted data, like the HTTPS connection I've got going with my mail server. The interesting part is that both sites are going through the same router back in Chicago. So, either the Web terminal I'm using has a particularly hard time with secure websites, or something is slowing down the mail packets. Hmmm...can't think what that might be...

Compounding my Internet woes, my laptop's hard drive corrupted its boot sector Saturday afternoon. I have no idea how this happened. The BitLocker recovery key no longer works. I expect tomorrow I'm going to have to install a new hard drive and then install all my software again. This does not make me happy. On the other hand, I have two episodes of Lost to catch up on before Tuesday.

This, anyway, explains why I didn't post anything yesterday, and why the video clip of the world's fastest land vehicle will have to wait until later today. (Because of the International Date Line, even though I have a 13-hour overnight flight, I arrive at O'Hare 30 minutes after I leave Shanghai.)

Two hours until my flight home. Maybe my email will finish downloading by then?

Stupefying

If this story is true, someone needs time in jail to think about civic responsibility:

In a lawsuit filed Tuesday in federal court, [a Pennsylvania] family said the school's assistant principal had confronted their son, told him he had "engaged in improper behavior in [his] home, and cited as evidence a photograph from the webcam embedded in [his] personal laptop issued by the school district."

The suit contends the Lower Merion School District, one of the most prosperous and highest-achieving in the state, had the ability to turn on students' webcams and illegally invade their privacy.

The suit says that in November, assistant principal Lynn Matsko called in sophomore Blake Robbins and told him that he had "engaged in improper behavior in his home," and cited as evidence a photograph from the webcam in his school-issued laptop.

Matsko later told Robbins' father, Michael, that the district "could remotely activate the webcam contained in a student's personal laptop . . . at any time it chose and to view and capture whatever images were in front of the webcam" without the knowledge or approval of the laptop's users, the suit says.

A security professional in New York has investigated the technical claims and found them convincing. He also expanded on the original news story with some circumstantial evidence:

The truly amazing part of this story is what's coming out from comments from the students themselves. Some of the interesting points:

  • Possession of a monitored Macbook was required for classes
  • Possession of an unmonitored personal computer was forbidden and would be confiscated
  • Disabling the camera was impossible
  • Jailbreaking a school laptop in order to secure it or monitor it against intrusion was an offense which merited expulsion

When I spoke at MIT about the wealth of electronic evidence I came across regarding Chinese gymnasts, I used the phrase "compulsory transparency". I never thought I would be using the phrase to describe America, especially so soon, but that appears to be exactly the case.

I can't wait to see how this turns out.

Is your computer backed up?

Software entrepreneur Joel Spolsky says that's a good start, but only part of it:

[L]et’s stop talking about “backups.” Doing a backup is too low a bar. Any experienced system administrator will tell you that they have a great backup plan, the trouble comes when you have to restore.

And that’s when you discover that:

  • The backed-up files were encrypted with a cryptographically-secure key, the only copy of which was on the machine that was lost
  • The server had enormous amounts of configuration information stored in the IIS metabase which wasn’t backed up
  • The backup files were being copied to a FAT partition and were silently being truncated to 2GB
  • Your backups were on an LTO drive which was lost with the data center, and you can’t get another LTO drive for three days
  • And a million other things that can go wrong even when you “have” “backups.”

The minimum bar for a reliable service is not that you have done a backup, but that you have done a restore.

As someone who's got reliable, clockwork backups running, and has had them fail for one of the reasons Spolsky listed (and others that he didn't), I think this is tremendously good advice.
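The restore-first bar Spolsky describes, as an added example that is not part of the original post or of Spolsky's own material: a POSIX shell drill that backs up a constructed tree, restores it somewhere else, verifies every file by checksum and size, and then deliberately truncates one restored file (the silent-truncation case from the list above) to confirm the check actually catches it. It assumes only tar, cksum, find and dd plus mktemp -d on PATH; file and directory names are constructed.

```shell
#!/bin/sh
# Restore drill: a backup only counts once a restore has been verified.
# Constructed example, not code from the original post or from Spolsky.
# Assumes POSIX tar, cksum, find and dd, plus mktemp -d, on PATH.
# Compare every file under $1 (original tree) with its counterpart under $2
# (restored tree) by CRC and size, which catches both missing files and the
# silently truncated ones. Status 0 only if every file is byte-identical.
verify_restore() {
    src=$1; dst=$2
    ( cd "$src" && find . -type f ) | while IFS= read -r f; do
        [ -f "$dst/$f" ] || { echo "MISSING: $f"; exit 1; }
        a=$(cksum < "$src/$f"); b=$(cksum < "$dst/$f")
        [ "$a" = "$b" ] || { echo "MISMATCH: $f ($a vs $b)"; exit 1; }
    done
}

# Back up tree $1 into archive $2, restore it into $3, then verify the result.
backup_and_restore() {
    tar -C "$1" -cf "$2" . || return 1
    mkdir -p "$3" && tar -C "$3" -xf "$2" || return 1
    verify_restore "$1" "$3"
}

# Build a small constructed data set under a fresh temp dir; print its path.
make_sample_tree() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/data/conf"
    printf 'server=mail.example\n' > "$work/data/conf/site.conf"   # constructed
    dd if=/dev/zero of="$work/data/big.bin" bs=1024 count=64 2>/dev/null
    echo "$work"
}

# Happy path: backup, restore and verification all succeed (status 0).
run_drill() {
    work=$(make_sample_tree) || return 1
    backup_and_restore "$work/data" "$work/backup.tar" "$work/restore"
    rc=$?; rm -rf "$work"; return $rc
}

# Failure path from the post: a restored file silently cut short. Status 0
# here means verify_restore noticed the truncation rather than passing it.
run_truncation_drill() {
    work=$(make_sample_tree) || return 1
    backup_and_restore "$work/data" "$work/backup.tar" "$work/restore" || return 1
    dd if="$work/restore/big.bin" of="$work/short" bs=1024 count=1 2>/dev/null
    mv "$work/short" "$work/restore/big.bin"
    if verify_restore "$work/data" "$work/restore"; then rc=1; else rc=0; fi
    rm -rf "$work"; return $rc
}
```

Running `run_drill` against a real backup target instead of the sample tree is the cheapest version of "have you done a restore"; the truncation drill is the reason to check size and checksum rather than just that the files exist.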