The Daily Parker

Politics, Weather, Photography, and the Dog

Predictable and sad

Credit reporting agency Equifax reported last week that thieves had made off with 143 million customer records:

According to a person familiar with the breach investigation, Equifax appears to have been targeted initially because the company keeps on file millions of active cards, belonging to people who pay $19.95 or more per month to have Equifax monitor their credit reports and alert them to potential fraud. The hack, which the company says took place in late July, put as many as 143 million consumers -- or half the U.S. population -- at risk.

The person, who requested anonymity to discuss the ongoing investigation, said the web application the attackers used to breach Equifax’s corporate network granted access to both the credit card files and back-end systems storing the exhaustive data profiles on consumers. Those profiles include Social Security numbers, driver’s license numbers and other sensitive information, Equifax said Thursday in a statement.

Criminals took advantage of a “U.S. website application vulnerability to gain access to certain files” from mid-May through July of this year, Atlanta-based Equifax said. The intruders also accessed dispute documents with personal identifying information for about 182,000 consumers. Credit card numbers for about 209,000 consumers were also accessed, the company said.

“You would expect these guys to have compartmentalized this data far enough away from a web server -- that there would not be any way to directly access it,” said Tim Crosby, senior consultant with security-assessment firm Spohn.

Knowing how large companies work, and knowing about the diffusion of responsibility principle, and having a healthy belief in the power of governments to correct for bad incentives, I can't say I'm surprised. Neither is the Atlantic's Ian Bogost:

There are reasons for the increased prevalence and severity of these breaches. More data is being collected and stored, for one, as more people use more connected services. Corporate cybersecurity policy is lax, for another, and sensitive data isn’t sufficiently protected. Websites and apps, which are demanded by consumers as much as they serve the interests of corporations, expose paths to data that should be better firewalled. Software development has become easy and popular, making security an afterthought, and software engineering has failed to adopt the attitude of civil service that might treat security as a first-order design problem. And hacking and data theft have risen in popularity and benefit, both as an illicit business affair and as a new kind of cold warfare.

Of course Equifax, as would be expected of a normally-functioning American corporation, bungled the response:

On Thursday night, I entered my last name and the last six digits of my Social Security number on the appropriate Equifax web page. (They had the gall to ask for this? Really? But I digress.) I received no “message indicating whether your personal information may have been impacted by this incident,” as the site promised. Instead, I was bounced to an offer for free credit monitoring, without a “yes,” “no” or “maybe” on the central question at hand.

By Friday morning, this had changed, and I got a “your personal information may have been impacted by this incident” notification. Progress. Except as my friend Justin Soffer pointed out on Twitter, you can enter a random name and number into the site and it will tell you the same thing. Indeed, I typed “Trump” and arbitrary numbers and got the same message.

So, yes, your worst suspicions are now confirmed. Equifax may actually make money on this breach. We would expect nothing less from the credit reporting industry, with which few of us would choose to do business but nearly everyone has to sooner or later.

The solution many people recommend is to freeze your credit reports—for a fee, multiplied by 4 to make sure you get all of the credit-reporting agencies. (Everyone has heard of Equifax, TransUnion, Experian...and Innovis. You've heard of Innovis, right? The one that doesn't offer a free annual report?)

Almost immediately, a team of lawyers including a former Georgia governor filed a class-action lawsuit. So has a group of plaintiffs in Oregon. We can also expect an action from the SEC relating to at least three Equifax managers selling their stock right before the announcement.

This situation is why we have government. The incentives for credit-reporting agencies run directly counter to the incentives of the hundreds of millions of people whose data they store. (You're not Equifax's customer; commercial enterprises are.) Without government regulation and higher liabilities for data breaches, this will just keep happening. But that's not "business-friendly," so the right-leaning American and British governments will dither for another few years until someone publishes the leaders' own data. Because their incentives are bad, too.

Existence proofs and military robots

Via Bruce Schneier, an essay on how the fact that something appears in nature means it can exist, and what this means for military robots:

In each of the [Planet Earth II] documentary’s profiles of monkeys, birds, and lizards, I saw what technologists refer to as an “existence proof.” Existence proofs are the simplest way to resolve an argument about what is technologically possible. Before 1900, people argued whether building a human-carrying powered airplane was possible. In 1903, the Wright Brothers ended the debate with an existence proof. As I watched Planet Earth II, I saw existence proof after existence proof of technological capabilities that, applied to warfare and espionage, would make global militaries and intelligence agencies significantly more powerful – but also significantly more vulnerable.

I realized Hollywood has it all wrong. The future of military robotics doesn’t look like The Terminator. It looks like Planet Earth II.

Imagine a low-cost drone with the range of a Canada goose, a bird that can cover 1,500 miles in a single day at an average speed of 60 miles per hour. Planet Earth profiled a single flock of snow geese, birds that make similar marathon journeys, albeit slower. The flock of six-pound snow geese was so large it formed a sky-darkening cloud 12 miles long. How would an aircraft carrier battlegroup respond to an attack from millions of aerial kamikaze explosive drones that, like geese, can fly hundreds of miles? A single aircraft carrier costs billions of dollars, and the United States relies heavily on its ten aircraft carrier strike groups to project power around the globe. But as military robots match more capabilities found in nature, some of the major systems and strategies upon which U.S. national security currently relies – perhaps even the fearsome aircraft carrier strike group – might experience the same sort of technological disruption that the smartphone revolution brought about in the consumer world.

The next war won't look anything like the last one. (Then again, it never does.)

Possibly the worst self-inflicted data disclosure in history

It's hard to overstate how bad this is. Via Bruce Schneier, it turns out that the Swedish Transport Ministry outsourced its database hosting to IBM, which subcontracted the work to a Serbian company with ties to the Russian military. And what databases did Sweden wind up hosting in its "Cloud" facility in Serbia? All of them:

Part of what IBM contracted to was run, and which was run from Serbia, was the Swedish government’s secure intranet – the SGSI, the Secure Government Swedish Intranet. This network is in turn connected to the European Union’s STESTA, which is a European Union secure network. This is what the Swedish Transport Agency gave staff in Serbia administrative network access to, and it is no conspiracy theory that Serbia is a close military ally with Russia. While it can’t be proven in this specific case that high-value military information in Serbia’s hands also comes into Russia’s hands, it’s one of those things that should just be assumed in the general case.

The net effect here is that the EU secure Intranet has been leaked to Russia by means of deliberate lawbreaking from high ranking Swedish government officials. Even if there are additional levels of encryption on STESTA, which there may or may not be, this has “should never happen” written all over it.

Sweden's own data, leaked through this outsourced administration, include:

  • The weight capacity of all roads and bridges (which is crucial for warfare, and says a lot about what roads are intended to be used as wartime airfields);
  • Names, photos, and home addresses of fighter pilots in the Air Force;
  • Names, photos, and home addresses of everybody and anybody in a police register, all of which are classified;
  • Names, photos, and home addresses of all operators in the military’s most secret units – equivalent to the SAS or SEAL teams;
  • Names, photos, and home addresses of everybody in a witness relocation program or who has been given protected identity for other reasons;
  • Type, model, weight, and any defects of any and all government and military vehicles, including their operator, which says a ton about the structure of military support units....

There isn't a desk in the world sturdy enough for the massive head impacts that the rest of the world's security forces are perpetrating on them right now.

Stunning.

How to destroy democracy through bad software

Via Bruce Schneier, last week the hacker convention DefCon hosted an event at which every single electronic voting machine tested got pwned within minutes:

Also, organizers revealed that many of these machines arrived with their voter records intact, sold on by county voting authorities who hadn't wiped them first.

While many people at the Voter Hacking Village zeroed in on the weak mechanical lock covering access to the machine's USB port, Synack worked on two open USB ports right on the back. No lock picking was necessary.

The team plugged in a mouse and a keyboard -- which didn't require authentication -- and got out of the voting software to standard Windows XP just by pressing "control-alt-delete." The same thing you do to force close a program can be used to hack an election.

Remember, Russian interference in the 2016 election wasn't designed to throw the election to Trump (though that was a "nice to have" for them); it was designed to reduce the public's faith in the entire democratic system. I'm glad American voting machine manufacturers are helping them.

Where did the day go?

Usually when I work from home, I get a lot done. Today...not as much. I've run errands, had two meetings outside the house, and (to Parker's horror) vacuumed.

Now I'm off to another meeting, with half the house un-vacuumed and many emails unread.

Articles also unread:

Now, time for a board meeting.

Maybe someday the U.S. will catch up to Europe and Canada

Specifically today, I'm talking about chipped credit cards, which the rest of the world has had for years longer than we have, and they're a lot less annoying. Bloomberg's Ben Steverman explains why:

It's an awkward and irritating experience, and payment companies are aware of the problems. "Some places, it's seamless and beautiful," said Robert Martin, North American vice president of security solutions at Ingenico Group, the second-largest maker of payment terminals in the U.S. "Other places, not so much. But we're learning." 

Unfortunately, there are no easy fixes. To connect to card networks, retailers use a countless array of software providers and payment processors. Payments can also be linked to more than a dozen other applications controlling store operations, from coupons to inventory. If not configured perfectly, this tangle of systems and vendors can slow chip transactions to a crawl. 

Customers' experience with chip cards should improve gradually, one upgrade at a time, as the systems become more standardized, industry experts say. Slow transactions and confusing interfaces will disappear, or retailers risk losing customers to rivals with more pleasant checkout experiences.

Once again, the U.S. is way behind the rest of the world. In the U.K. and Canada, about 40 percent of Visa's transactions are contact-less, the payment network says. In Australia, the number is 85 percent.

And let's not forget: in the rest of the world they use chip and PIN systems, which are far more secure than chip and signature. Maybe someday...

Don't do this. Just don't.

It's a general rule of software security that, if I have physical access to your computer, I own it.

I'm analyzing a piece of software so that I can transfer its data to another application. The software runs on a local machine and is written in .NET, with a SQL Express back-end. I have administrator access to the SQL database, the machine, and therefore, to the software.

It took me all of an hour to find the master encryption key in one of the DLLs that make up the software, and another hour to build an applet—using the software's own assemblies—that can read and decrypt every byte in the database.

Good thing I'm covered by a confidentiality agreement and the owner of the data has engaged my company to do exactly what I'm doing. But wow, we really need to migrate this stuff quickly, and get it the hell off this computer.
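As an added illustration (not the analyzed product's code), the pattern described above beside the minimum better practice on Windows: the first class embeds the master key in the assembly, where any decompiler reads it; the second wraps a generated key with DPAPI so it never appears in a DLL. It assumes .NET on Windows with the System.Security.Cryptography.ProtectedData package and a hypothetical key-file path.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Anti-pattern: a master key compiled into an assembly. Byte arrays and
// strings live in the DLL's metadata, so anyone who can read the file
// recovers the key exactly as the post describes; no exploit is needed.
public static class HardcodedKeyStore
{
    // Constructed placeholder; a shipped product embeds its real key here.
    private static readonly byte[] MasterKey =
        Encoding.ASCII.GetBytes("00000000000000000000000000000000"); // 32 bytes

    public static byte[] Key => MasterKey;
}

// Hardened variant: the key is generated once, wrapped with DPAPI under the
// service account's user scope, and stored on disk. A SQL administrator who
// copies the database and the DLLs to another machine gets no usable key.
// A local administrator who can run code as the service account still does,
// which is the post's point: against local admin the fix is to move the data
// off the machine, not to hide the key better.
public static class DpapiKeyStore
{
    // Hypothetical path; where the wrapped key lives is a deployment decision.
    private static readonly string KeyFile = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
        "ExampleApp", "master.key");

    public static byte[] LoadOrCreateKey()
    {
        if (File.Exists(KeyFile))
        {
            byte[] wrapped = File.ReadAllBytes(KeyFile);
            // Only the same Windows user on the same machine can unwrap this.
            return ProtectedData.Unprotect(wrapped, null, DataProtectionScope.CurrentUser);
        }

        byte[] key = new byte[32]; // AES-256 key material
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(key);
        }
        Directory.CreateDirectory(Path.GetDirectoryName(KeyFile));
        File.WriteAllBytes(KeyFile,
            ProtectedData.Protect(key, null, DataProtectionScope.CurrentUser));
        return key;
    }
}
```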

Google's Project Zero for laypeople

Via Bruce Schneier (again), Fortune takes a look at Google's security project:

Google officially formed Project Zero in 2014, but the group’s origins stretch back another five years. It often takes an emergency to drive most companies to take security seriously. For Google, that moment was Operation Aurora.

In 2009, a cyberespionage group associated with the Chinese government hacked Google and a number of other tech titans, breaching their servers, stealing their intellectual property, and attempting to spy on their users. The pillaging outraged Google’s top executives—enough so that the company eventually exited China, the world’s biggest market, over the affair.

The event particularly bothered Google co-founder Sergey Brin. Computer-forensics firms and investigators determined that the company had been hacked not through any fault of Google’s own software, but via an unpatched flaw in Microsoft Internet Explorer 6. Why, he wondered, should Google’s security depend on other companies’ products?

Says Schneier,

I have mixed feelings about it. The project does great work, and the Internet has benefited enormously from these efforts. But as long as it is embedded inside Google, it has to deal with accusations that it targets Google competitors.

On the other hand, as Schneier's commenters point out (and as he has suggested in the past), better Google exposing the bugs than the NSA losing control of them.

The women who broke Nazi codes

Via Bruce Schneier, Tech Republic tells the story of the women who worked at Bletchley Park during World War II:

Because [Alan] Turing's individual achievements were so momentous, it's sometimes forgotten that more than 10,000 other people worked at the Government Code and Cypher School, of whom more than two-thirds were female. These servicewomen played a pivotal role in an operation that decrypted millions of German messages and which is credited with significantly shortening the war.

The code-breaking operation was spread over teams working in various huts around the manor house at Bletchley, with the bombe machines situated in outstations nearby. There were about 8,000 people involved in the code-breaking—what was known as the factory—and 4,000 support staff. Each team generally knew no more than was necessary about what the other groups were doing.

Teams worked in different huts on breaking the Enigma codes, focusing on the army and air-force ciphers in one and the tougher naval encryption in another. Unscrambled messages were then sent on to linguists for translation and officials who would decide how the information should be used and, more importantly, whether it could be used without revealing that the Allies had cracked Enigma.

This history is hinted at, however minimally, by Keira Knightley's character in The Imitation Game.

Europe's worst case scenario

We have a child in the White House. And European leaders are saying they can no longer rely on the United States:

Trump’s speech alone is likely a sufficient explanation. But I suspect there’s an additional element. Most of the major European and NATO leaders had already met Trump in Washington – Merkel, May, Gentiloni, Trudeau and others. But I suspect in meeting as a group, over a more extended period and in a context specifically focused on Europe and NATO there was a further realization that what they are watching from across the Atlantic is no act. Indeed, Trump appears more impulsive and erratic in person than on TV. Rather than growing into the job he’s growing into the role of aggressor.

Another, perhaps more critical realization, is suggested in this Twitter thread by Max Fisher of the Times: That is, it’s not just that Trump is greedy or impulsive or unreliable, indifferent to the North Atlantic alliance but that he is positively against it. He and Vladimir Putin are in a de facto alliance against ‘Europe’ or to put it less geographically, the liberal internationalist state system which has rested on and built out from the United States and Western Europe.

I've imagined the damage that Trump can do to the world, and I am seeing how what I've imagined is coming to pass. I hope Europe is stronger than they have seemed so far.