The Daily Parker - Software|Security

Note to phishers

David Braverman — Mon, 19 Jul 2010 13:21:09 GMT

A good friend woke up this morning to find her email and Facebook accounts hacked, with a message sent out to everyone in her address book that she'd been robbed at gunpoint while visiting London and desperately needed a credit card to get on the plane back home.

Other than the story's baseline implausibility (a gun robbery in London being about as likely as getting trampled by a moose in Atlanta), there were other clues it was a phisher. For one thing, my friend is an American lawyer, not a Nigerian criminal, so she has a direct, concise, and moreover punctuated writing style not immediately in evidence in the phishing message.

The take-away, to all the would-be phishers reading this: you'll get farther with your frauds if you learn better English. Next time, instead of asking for credit-card numbers, write this: "Help! I am being held captive unless I can draft a 500-word essay on epistemology, and they'll only allow me one reference book! Please, I'm desperate, send me Strunk and White before I use unnecessary words!"

Oh, and also try hacking your victim's spouse's account, which will make it harder for people to verify the dodge.

Speaking of creativity

David Braverman — Fri, 14 May 2010 02:32:17 GMT

Waaaaay back in ancient history, I actually reported a Nigerian scammer to the FBI. This was, oh, 1997 or so, maybe 1998. The FBI already had a cybercrimes unit in San Francisco, and I had a half-hour conversation with one of the agents there about a bizarre email I'd received from a Nigerian IP address. We actually did some IP tracing and header analysis on the email to determine its origin. Yes, the scam was that new.

Who was it that said, the more things change, the more they stay the same? Right:

OFFICER IN-CHARGE:
NAME: Mr. Robert Stephen Sien @
FBI UK Internet Fraud Watch/Alert
Phone: +44 792 457 7408

We are writing in response to our track light monitoring device which we received today in our office about your transactions.

The Federal Bureau Of Investigation (FBI) Washington DC, in conjunction with the Scotland Yard, Has screened through our various Monitoring Networks also our German counterpart the anti fraud unit reported that your identity/information was used to dupe a German Business man to the tune of $5 Million USD by some Africa/Nigerian Fraudsters.

After all the series of investigations conducted here in our office we tracked your record and we found out that you have never had any fraudulent case that may jeopardize your image and personality.

We have concluded our investigation and you have been approved to be compensated from the total amount recovered for scam victims compensation. So all you need to do right now in other to receive your compensation and clear your name from the list of these Con Men which has already been forwarded to our office is to secure the CLEAN BILL CERTIFICATE immediately.

This Certificate will clear your name from the scam list which will enable you receive the sum of $500,000.00 Usd compensation fund.

You are required to contact Robert S. Sien by email: rssien@aol.com with your full name and contact details for easy communication also to guild you on how to secure the CLEAN BILL CERTIFICATE and claim your money.

THANKS FOR YOUR CO-OPERATION.

Robert Stephen Sien.
FBI SPECIAL AGENT

You know what tipped me off? What made me certain this was a 419 scammer? Because, you can see, it's quite well crafted, no loose ends, nothing to arouse suspicion.

What tipped me off was this:

When real FBI agents refer to their employer, they never capitalize "of".

It's obvious when you look at it.

Why aren't there more terror attacks?

David Braverman — Thu, 06 May 2010 12:36:32 GMT

Bruce Schneier gives three main reasons:

One, terrorist attacks are harder to pull off than popular imagination -- and the movies -- lead everyone to believe. Two, there are far fewer terrorists than the political rhetoric of the past eight years leads everyone to believe. And three, random minor terrorist attacks don't serve Islamic terrorists' interests right now.
... So, to sum up: If you're just a loner wannabe who wants to go out with a bang, terrorism is easy. You're more likely to get caught if you take a long time to plan or involve a bunch of people, but you might succeed. If you're a representative of al-Qaida trying to make a statement in the U.S., it's much harder. You just don't have the people, and you're probably going to slip up and get caught.

Fallows on Times Square

David Braverman — Mon, 03 May 2010 23:06:09 GMT

Brilliant:

If the TSA Were Running New York

- All vans or SUVs headed into Midtown Manhattan would have to stop and have their contents inspected. If any vehicle seemed for any reason to have escaped inspection, Midtown in its entirety would be evacuated;

- A whole new uniformed force -- the Times Square Security Administration, or TsSA - would be formed for this purpose;

- The restrictions would never be lifted and the TsSA would have permanent life, because the political incentives here work only one way.

... The point of terrorism is not to "destroy." It is to terrify. And for eight and a half years now, the dominant federal government response to terrorist threats and attacks has been to magnify their harm by increasing a mood of fear and intimidation. That is the real case against the ludicrous "orange threat level" announcements we hear every three minutes at the airport. It's not just that they're pointless, uninformative, and insulting to our collective intelligence; it's that their larger effect is to make people feel frightened rather than brave.

It always strikes me that Israel, which has actual, ongoing terrorism, doesn't x-ray people's shoes.

Japan has poked USSR

David Braverman — Mon, 26 Apr 2010 23:41:15 GMT

I'm back in the US, and mostly sure it's Monday evening. Beyond that I'm still recovering from my 14-hour flight yesterday. I'm also waiting for a new hard disk from Dell for my laptop, as the old one died. Fortunately, I back it up religiously.

While I get my creativity back, enjoy someone else's: WW2 As Seen On Facebook.

Pick a peck of pickled packets (Shanghai residency day 9)

David Braverman — Sun, 25 Apr 2010 06:37:44 GMT

The Internet experience at Pudong International Airport differs markedly from the experience at our hotel. I've noticed a pattern, whereby unencrypted data, like The Daily Parker, seems to move about an order of magnitude faster than encrypted data, like the HTTPS connection I've got going with my mail server. The interesting part is that both sites are going through the same router back in Chicago. So, either the Web terminal I'm using has a particularly hard time with secure websites, or something is slowing down the mail packets. Hmmm...can't think what that might be...

Compounding my Internet woes, my laptop's hard drive corrupted its boot sector Saturday afternoon. I have no idea how this happened. The Bitlocker recovery key no longer works. I expect tomorrow I'm going to have to install a new hard drive and then install all my software again. This does not make me happy. On the other hand, I have two episodes of Lost to catch up on before Tuesday.

This, anyway, explains why I didn't post anything yesterday, and why the video clip of the world's fastest land vehicle will have to wait until later today. (Because of the International Date Line, even though I have a 13-hour overnight flight, I arrive at O'Hare 30 minutes after I leave Shanghai.)

Two hours until my flight home. Maybe my email will finish downloading by then?

Stupefying

David Braverman — Wed, 24 Feb 2010 22:09:34 GMT

If this story is true, someone needs time in jail to think about civic responsibility:

In a lawsuit filed Tuesday in federal court, [a Pennsylvania] family said the school's assistant principal had confronted their son, told him he had "engaged in improper behavior in [his] home, and cited as evidence a photograph from the webcam embedded in [his] personal laptop issued by the school district."
The suit contends the Lower Merion School District, one of the most prosperous and highest-achieving in the state, had the ability to turn on students' webcams and illegally invade their privacy.
The suit says that in November, assistant principal Lynn Matsko called in sophomore Blake Robbins and told him that he had "engaged in improper behavior in his home," and cited as evidence a photograph from the webcam in his school-issued laptop.
Matsko later told Robbins' father, Michael, that the district "could remotely activate the webcam contained in a student's personal laptop . . . at any time it chose and to view and capture whatever images were in front of the webcam" without the knowledge or approval of the laptop's users, the suit says.

A security professional in New York has investigated the technical claims and found them convincing. He also expanded on the original news story with some circumstantial evidence:

The truly amazing part of this story is what's coming out from comments from the students themselves. Some of the interesting points:

Possession of a monitored Macbook was required for classes
Possession of an unmonitored personal computer was forbidden and would be confiscated
Disabling the camera was impossible
Jailbreaking a school laptop in order to secure it or monitor it against intrusion was an offense which merited expulsion

When I spoke at MIT about the wealth of electronic evidence I came across regarding Chinese gymnasts, I used the phrase "compulsory transparency". I never thought I would be using the phrase to describe America, especially so soon, but that appears to be exactly the case.

I can't wait to see how this turns out.

Is your computer backed up?

David Braverman — Sat, 09 Jan 2010 16:06:55 GMT

Software entrepreneur Joel Spolsky says that's a good start, but only part of it:

[L]et’s stop talking about “backups.” Doing a backup is too low a bar. Any experienced system administrator will tell you that they have a great backup plan, the trouble comes when you have to restore.
And that’s when you discover that:

The backed-up files were encrypted with a cryptographically-secure key, the only copy of which was on the machine that was lost
The server had enormous amounts of configuration information stored in the IIS metabase which wasn’t backed up
The backup files were being copied to a FAT partition and were silently being truncated to 2GB
Your backups were on an LTO drive which was lost with the data center, and you can’t get another LTO drive for three days
And a million other things that can go wrong even when you “have” “backups.”

The minimum bar for a reliable service is not that you have done a backup, but that you have done a restore.

As someone who's got reliable, clockwork backups running, and has had them fail for one of the reasons Spolsky listed (and others that he didn't), I think this is tremendously good advice.

OEM virus protection

David Braverman — Fri, 20 Nov 2009 23:17:49 GMT

I don't know where this came from originally, but...well, look:

(Full size after the jump.)

You don't tug on Superman's cape

David Braverman — Wed, 07 Oct 2009 01:32:08 GMT

And you don't let a convicted hacker near the prison computers, either:

Douglas Havard, 27, serving six years for stealing up to £6.5million using forged credit cards over the internet, was approached after governors wanted to create an internal TV station but needed a special computer program written.

He was left unguarded and hacked into the system's hard drive at Ranby Prison, near Retford, Notts. Then he set up a series of passwords so no one else could get into the system.

How could this be worse? Glad you asked:

The blunder emerged a week after the Sunday Mirror revealed how an inmate at the same jail managed to get a key cut that opened every door.

It's scary when the Mirror starts to sound like the Onion...

(Via Bruce Schneier.

Please don't tell the TSA

David Braverman — Tue, 29 Sep 2009 01:27:04 GMT

I can't wait to see what they'll have us do after this:

On the evening of Aug. 28, Prince Mohammed bin Nayef, the Saudi Deputy Interior Minister — and the man in charge of the kingdom’s counterterrorism efforts — was receiving members of the public in connection with the celebration of Ramadan....

One of the highlights of the Friday gathering was supposed to be the prince’s meeting with Abdullah Hassan Taleh al-Asiri, a Saudi man who was a wanted militant from al Qaeda in the Arabian Peninsula (AQAP). Al-Asiri had allegedly renounced terrorism and had requested to meet the prince in order to repent and then be accepted into the kingdom’s amnesty program. Such surrenders are not unprecedented....

But the al-Asiri case ended very differently from the al-Awfi case. Unlike al-Awfi, al-Asiri was not a genuine repentant — he was a human Trojan horse. After al-Asiri entered a small room to speak with Prince Mohammed, he activated a small improvised explosive device (IED) he had been carrying inside his anal cavity. The resulting explosion ripped al-Asiri to shreds but only lightly injured the shocked prince — the target of al-Asiri’s unsuccessful assassination attempt.

(Via Bruce Schneier.)

Securely stupid (London residency day 11)

David Braverman — Wed, 26 Aug 2009 11:29:00 GMT

I learned a valuable lesson yesterday: when you lock your computer to your hotel room desk, and you put the cable-lock key in your pocket, you have to remove the key from your pocket before sending the slacks down to the laundry.

This realization crept up on me over a very quiet 90-second period that started when I looked in my room safe for the key and didn't find it there.

I won't keep you in suspense: housekeeping found and returned the key this morning. This is good, because I had no idea how I was going to fit the desk in the overhead compartment on my flight home.

Seriously loving the G1

David Braverman — Mon, 15 Jun 2009 01:43:53 GMT

Photos and reviews of Ribfest tomorrow morning. Right now, though, I'm all about the novelty of updating TDP from my phone. Also tomorrow, I'll explain why this is a bigger deal than it seems.

How not to hold secret documents

David Braverman — Fri, 10 Apr 2009 12:58:23 GMT

Via Bruce Schneier, a demonstrably incompetent police chief in the UK has resigned after mishandling a secret document:

Police were forced to carry out raids on addresses in the north-west of England in broad daylight yesterday, earlier than planned, after [Bob] Quick, the Metropolitan police's assistant commissioner [and senior-most counter-terrorism official], was photographed carrying sensitive documents as he arrived for a meeting in Downing Street.
A white document marked "secret", which carried details of the operation being planned by MI5 and several police forces, was clearly visible to press photographers equipped with telephoto lenses.
Yesterday, realising the existence of the photographs of the document – which included the names of several senior officers, sensitive locations and details about the nature of the overseas threat – the government imposed a "D notice" to restrict the media from revealing the contents of the picture.

The Guardian article has a photo of the document, taken as Quick got out of his car.

Police also revealed that Quick's Windows password was "bob1" and that he routinely leaves his keys in his car "so [he'll know] where to find them."

Security comes down to people

David Braverman — Wed, 14 Jan 2009 20:04:51 GMT

Two examples of totally ineffective security responses in today's news. First, in suburban Chicago, a commuter-rail ticket agent called police about a man with a gun boarding a train, causing a two-hour delay as heavily-armed cops evacuated and searched the train. They found the man with the gun when the man in question saw the commotion and identified himself as a Secret Service agent, not realizing he was himself the target of the search:

Metra spokeswoman Judy Pardonnet said the incident began when a plainclothes Secret Service agent asked a Naperville ticket agent whether there were metal detectors aboard the BNSF Line train and indicated he was carrying a gun.

More fun with the TSA

David Braverman — Mon, 29 Dec 2008 14:48:46 GMT

Via Bruce Schneier, a woman brought clearly-labeled gunpowder through a TSA checkpoint, in the regulation size baggies:

Mind you, I had packed the stuff safely. It was in three separate jars: one of charcoal, one of sulphur, and one of saltpetre (potassium nitrate). Each jar was labeled: Charcoal, Sulphur, Saltpetre. I had also thoroughly wet down each powder with tap water. No ignition was possible. As a good citizen, I had packed the resulting pastes into a quart-sized "3-1-1" plastic bag, along with my shampoo and hand cream. This bag I took out of my messenger bag and put on top of my bin of belongings, turned so that the labels were easy for the TSA inspector to read.

I expect she'll get noticed the next time she flies...

More good news

David Braverman — Sun, 07 Dec 2008 18:31:43 GMT

From my dad, yet another New York Times article to make you all warm and fuzzy inside:

Thieves Winning Online War, Maybe in Your PC
Despite the efforts of the computer security industry and a half-decade struggle by Microsoft to protect its Windows operating system, malicious software is spreading faster than ever. The so-called malware surreptitiously takes over a PC and then uses that computer to spread more malware to other machines exponentially. Computer scientists and security researchers acknowledge they cannot get ahead of the onslaught.
As more business and social life has moved onto the Web, criminals thriving on an underground economy of credit card thefts, bank fraud and other scams rob computer users of an estimated $100 billion a year, according to a conservative estimate by the Organization for Security and Cooperation in Europe. A Russian company that sells fake antivirus software that actually takes over a computer pays its illicit distributors as much as $5 million a year.

Sigh.

Lost passwords

David Braverman — Sun, 30 Nov 2008 23:14:57 GMT

I spent part of this afternoon rooting around in my email correspondance from 1999 and 2000. Forgetting the wherefores and whatnots of the emails themselves, just getting into the Outlook files proved difficult. How many passwords does anyone remember from nine years ago? I actually remember a few, but not, unfortunately, the ones I needed.

Sure, I found them eventually, but heavens. That's half an hour of my life I'll never get back, and it was my own fault.

More stupid Windows tricks

David Braverman — Mon, 28 Jul 2008 12:09:12 GMT

I've largely solved Yesterday's frustration (more of a PEBCAK issue than anything else, wouldn't you know?) so now I have a new one: the touchpad on my laptop isn't working. It's probably a driver issue, but still, it makes navigating—doing anything, really—that much more difficult.

Anyway. On to New York for my first-and-only Yankees game.

Forgot to mention: Philadelphia beat Altanta 12-10 yesterday. As soon as I get my technical problems fixed I'll have photos of the massive thunderstorm that caused a two-hour rain delay. And after a nail-biting day when the Cubs and Milwaukee were tied for first place, the Cubs won and Milwaukee lost, putting us a full game up once again.

Stupid Windows tricks

David Braverman — Mon, 28 Jul 2008 02:14:44 GMT

Windows is designed to be secure (don't laugh). One security measure is to lock users out after a certain number of failed login attempts. Vista, however, tries lots more times to login than you might think. So, even if you mis-type your password once or twice, Vista might think the KGB is trying to break into your laptop and lock you out.

I know this because, 36 hours into a 7-day trip, I appear to be locked out of my laptop.

Now, I can unlock my laptop in seconds by logging in while connected physically my network. Only problem, my network is 1100 km away and I won't reconnect to it for a few days.

So, great, at least my laptop is secure from someone who knows my UID and password. Of course, if someone ripped the hard drive out and connected it to another machine, he could read the unencrypted parts without any problem. Since I would like to keep the laptop intact, and it's the encrypted parts that I kind of need right now, it's inconvenient, to say the least.

When I calm down and I don't want to beat the Windows Vista team lead over the head repeatedly with my laptop, I'll explain why this "security" only matters if you aren't actually a malicious hacker, and why if you are a malicious hacker it's irrelevant. In other words, what I'm going through at this exact moment is much like the people lining up for crosses in Monty Python's Life of Brian: it'll only hurt if you're honest.

Identity theft?

David Braverman — Sat, 19 Jul 2008 16:33:49 GMT

Via Bruce Schneier:

Major sabotage to San Francisco city computers

David Braverman — Tue, 15 Jul 2008 16:09:02 GMT

Via Dad, it seems a network administrator for the City of San Francisco has locked out all the other administrators:

A disgruntled city computer engineer has virtually commandeered San Francisco's new multimillion-dollar computer network, altering it to deny access to top administrators even as he sits in jail on $5 million bail, authorities said Monday.

Terry Childs, a 43-year-old computer network administrator who lives in Pittsburg, has been charged with four counts of computer tampering and is scheduled to be arraigned today.

...

Childs created a password that granted him exclusive access to the system, authorities said. He initially gave pass codes to police, but they didn't work. When pressed, Childs refused to divulge the real code even when threatened with arrest, they said.

He was taken into custody Sunday. City officials said late Monday that they had made some headway into cracking his pass codes and regaining access to the system.

He's about to find out that you can sit in jail on a contempt of court charge for, well, ever.

Several creepy items

David Braverman — Wed, 26 Mar 2008 02:43:24 GMT

The first—the most serious one—comes from David Brooks via my friend RB:

Let’s take a look at what [Clinton is] going to put her party through for the sake of [a] 5 percent chance [of winning]: The Democratic Party is probably going to have to endure another three months of daily sniping. ... For three more months (maybe more!) the campaign will proceed along in its Verdun-like pattern.

Get them while they're young

David Braverman — Thu, 28 Feb 2008 03:24:38 GMT

Via Bruce Schneier, a true horror.

British nuclear security

David Braverman — Wed, 21 Nov 2007 20:02:03 GMT

Via Bruce Schneier, apparently the physical security of British nuclear weapons until around 1998 consisted of, essentially, a bicycle key:

To arm the weapons you just open a panel held by two captive screws - like a battery cover on a radio - using a thumbnail or a coin.

Inside are the arming switch and a series of dials which you can turn with an Allen key to select high yield or low yield, air burst or groundburst and other parameters.

The Bomb is actually armed by inserting a bicycle lock key into the arming switch and turning it through 90 degrees. There is no code which needs to be entered or dual key system to prevent a rogue individual from arming the Bomb.

Oh. Well. Of course. Why use a hard-to-forge sequence of letters and numbers like the U.S. or U.S.S.R. when a little key will do?

So what prevented an accidental (or deliberate) British detonation until Tony Blair fixed the problem? Why, tradition, of course, what what!

The Royal Navy argued that officers of the Royal Navy as the Senior Service could be trusted: "It would be invidious to suggest... that Senior Service officers may, in difficult circumstances, act in defiance of their clear orders."

(Insert nervous laughter here.)

Digital Rights Management sucks: UK Guardian

David Braverman — Tue, 11 Sep 2007 12:50:02 GMT

Via Bruce Schneier, Cory Doctorow: "The DRM business model is the urinary tract infection of media experiences: all of the uses that used to come in an easy gush now come in a mingy, painful dribble..."

Distracting news roundup

David Braverman — Fri, 07 Sep 2007 14:40:13 GMT

A larger-than-usual bunch of news stories piqued my interest this morning:

Scientists may have a break in the case of the mysterious bee die-offs;
The Cook County, Ill., Clerk is putting public records online all the way back to 1871;
A German company has started piecing together Stasi documents the East German security service shredded in the final hours before the Berlin Wall fell; and
An Australian comedy troupe successfully infiltrated the APEC conference by—how else?—dressing up as Osama bin Laden and walking in the front door.

How the terrorists are winning

David Braverman — Mon, 27 Aug 2007 18:02:14 GMT

Terrorism only works if people allow themselves to be terrorized. People like, for example, shoppers in New Haven, Conn.:

Two people who sprinkled flour in a parking lot to mark a trail for their offbeat running club [the Hash House Harriers] inadvertently caused a bioterrorism scare and now face a felony charge.

New Haven ophthalmologist Daniel Salchow, 36, and his sister, Dorothee, 31, who is visiting from Hamburg, Germany, were both charged with first-degree breach of peace, a felony.

The siblings set off the scare while organizing a run for a local chapter of the Hash House Harriers, a worldwide group that bills itself as a "drinking club with a running problem."

...

Mayoral spokeswoman Jessica Mayorga said the city plans to seek restitution from the Salchows, who are due in court Sept. 14. "You see powder connected by arrows and chalk, you never know," she said. "It could be a terrorist, it could be something more serious. We're thankful it wasn't, but there were a lot of resources that went into figuring that out."

Maybe there's something about New England that prevents the police there from exercising common sense (see, e.g., blinking advertisements).

Update, 15:20 CDT: Security expert Bruce Schneier has declared this the "stupidest terrorist overreaction yet."

Security theater

David Braverman — Wed, 15 Aug 2007 13:50:29 GMT

Via Bruce Schneier, a really good article about security theater:

At the time, it seemed reasonable. Richard Reid tried to ignite explosives hidden in his shoe while aboard a December 2001 flight from Paris, so Congress banned butane lighters on planes.

But in retrospect, the costs of the ban outweighed the benefits. Airport retailers had to stop selling lighters. Lighter vendor Zippo Manufacturing Co. laid off more than 100 workers in part because of the prohibition. Transportation Security Administration screeners at one point had to confiscate 30,000 lighters every day, quadrupling the amount of garbage the agency had to dispose of. TSA even had to hire a contractor to help with all the extra trash.

Welcome to homeland security, where everyone has an incentive to exaggerate threats. A Congress member whose district includes a port has little to lose and much to gain by playing up the potential for container-borne terrorism. A city with a dam talks up the need to protect critical infrastructure. A company selling weapons-detection technology stresses the vulnerability of commercial aviation. A civil servant evaluating homeland security grant applications has an interest in over-estimating dangers that might be addressed by grantees rather than denying funding and risk blame in the event of a disaster.

Intel video ad

David Braverman — Thu, 26 Jul 2007 18:51:59 GMT

(Via Bruce Schneier.) I'm really not sure what to make of this, or what, actually, they're selling:

A real Trojan horse

David Braverman — Mon, 16 Jul 2007 18:25:34 GMT

Via security guru Bruce Schneier, an actual, real-world Trojan Horse that gets in...well, almost everywhere.

Excellent piece about the failed British bombings

David Braverman — Thu, 05 Jul 2007 20:12:45 GMT

Via Bruce Schneier, a former British military bomb-disposal operator offers some thoughts about the clowns who completely failed to bomb anything in the UK last week:

If these guys at the weekend really were anything to do with al-Qaeda, all one can really say is that it looks as though the War on Terror is won. This whole hoo-ha kicked off, remember, with 9/11: an extremely effective attack. Then we had the Bali and Madrid bombings, not by any measure as shocking and bloody but still nasty stuff. Then we had London 7/7, a further significant drop in bodycount but still competently planned and executed (Not too many groups would have been able to mix up that much peroxide-based explosive first try without an own goal).

...

Remember, this country carried on successfully for six years with hundreds—thousands, sometimes—of tons of explosives raining down on it every night for six years, delivered by very competent Germans who often died doing that job. The civilian death toll was around 60,000 according to most sources; the equivalent of 20 9/11s, more than three for every year of the war. Civilisation was not brought down. Germany and Japan withstood even greater violence, and survived it too.

U.K. terrorism

David Braverman — Mon, 02 Jul 2007 17:07:54 GMT

Bruce Schneier asks: "Is there a Special Olympics for terrorists going on in the U.K. this week?"

We're twitchy about the war

David Braverman — Wed, 20 Jun 2007 13:22:37 GMT

Via Bruce Schneier, a report of an English artist being arrested for sketching a military asset...in 1748.

Blog spam

David Braverman — Tue, 12 Jun 2007 01:06:13 GMT

I just spent two hours removing blog spam. I hate these guys.

DHS using screenwriters for "movie-plot" analysis

David Braverman — Mon, 04 Jun 2007 13:20:02 GMT

From Bruce Schnier: "At least they're honest about it this time."

Federal agency white-washes Wikipedia

David Braverman — Fri, 26 Jan 2007 14:17:47 GMT

Via Talking Points Memo, this reminder that on the Internet, nobody knows you're a dog...but they do know what terminal you're using:

In late August, someone with an IP address that originated from the National Institutes of Health drastically edited the Wikipedia entry for the National Institute on Drug Abuse, which operates within NIH. Wikipedia determined the edit to be vandalism and automatically changed the definition back to the original. On Sept. 18, the NIH vandal returned, according to a history of the site's edits posted by Wikipedia. This time, the definition was gradually changed, presumably to avoid the vandalism detector.

People forget about this quite a bit. On the Internet, your browser must send a request to a Web server to get a Web page. In order for the Web server to respond, it has to know where to send the page; ergo, every time you hit a Web site, you tell that site who you are. Wikipedia uses this simple fact to help determine the value of contributions. In this case, it worked perfectly.

In praise of security theater

David Braverman — Thu, 25 Jan 2007 14:30:34 GMT

Security expert Bruce Schneier finds some cases of appropriate and helpful security theater:

Security is both a reality and a feeling. The reality of security is mathematical, based on the probability of different risks and the effectiveness of different countermeasures. We know the infant abduction rates and how well the bracelets reduce those rates. We also know the cost of the bracelets, and can thus calculate whether they're a cost-effective security measure or not. But security is also a feeling, based on individual psychological reactions to both the risks and the countermeasures. And the two things are different: You can be secure even though you don't feel secure, and you can feel secure even though you're not really secure.

Because little planes are SCARY

David Braverman — Tue, 23 Jan 2007 22:40:45 GMT

The Aircraft Owners and Pilots Association reports that an enormous block of airspace around Washington is off-limits to general aviation tonight because of the State of the Union Address:

During the president's speech to Congress and the nation, no flights are allowed to or from any of the 21 airports within the Washington, D.C., ADIZ, including pattern work. The special ingress/egress procedures for the "DC-3" airports inside the Flight Restricted Zone are also suspended. Only IFR flights to and from Washington Dulles International (IAD) and Baltimore/Washington International Thurgood Marshall (BWI) airports will be allowed.

This is what security expert Bruce Schneier calls "security theater."

Botnets go mainstream

David Braverman — Sun, 07 Jan 2007 13:47:54 GMT

The New York Times picked up the ongoing story of botnets, networks of computers that spammers and other miscreants have taken over:

According to the annual intelligence report of MessageLabs, a New York-based computer security firm, more than 80 percent of all spam now originates from botnets. Last month, for the first time ever, a single Internet service provider generated more than one billion spam e-mail messages in a 24-hour period, according to a ranking system maintained by Trend Micro, the computer security firm. That indicated that machines of the service providers' customers had been woven into a giant network, with a single control point using them to pump out spam.

Users, ISPs, users, software vendors, and users contribute to the problem:

Serry Winkler, a sales representative in Denver, said that she had turned off the network-security software provided by her Internet service provider because it slowed performance to a crawl on her PC, which was running Windows 98. A few months ago four sheriff’s deputies pounded on her apartment door to confiscate the PC, which they said was being used to order goods from Sears with a stolen credit card. The computer, it turned out, had been commandeered by an intruder who was using it remotely.

Note that Winkler's computer probably ran slowly because it had already gotten infected, and the ISP's security software had a lot of work to do because of this.

At least with the Times picking up the story, perhaps more people will notice.

Security Theater

David Braverman — Wed, 20 Dec 2006 14:02:51 GMT

The New York Times (reg.req.) has finally picked up a year-old article by security expert Bruce Schneier, taking the TSA to task for concentrating more on theater than actual security:

FOR theater on a grand scale, you can’t do better than the audience-participation dramas performed at airports, under the direction of the Transportation Security Administration.

As passengers, we tender our boarding passes and IDs when asked. We stand in lines. We empty pockets. We take off shoes. We do whatever is asked of us in these mass rites of purification. We play our assigned parts, comforted in the belief that only those whose motives are good and true will be permitted to pass through.

Of course, we never see the actual heart of the security system: the government’s computerized no-fly list, to which our names are compared when we check in for departure. The T.S.A. is much more talented, however, in the theater arts than in the design of secure systems. This becomes all too clear when we see that the agency’s security procedures are unable to withstand the playful testing of a bored computer-science student.

Four billion dollars to airport security that doesn't work. Could we expect anything more from this Administration (762 days, 2 hours left)?

This conversation may be monitored for quality purposes

David Braverman — Wed, 18 Oct 2006 23:13:05 GMT

Bruce Schneier writes today about a pernicious loss of privacy and our complacency about that:

Fewer conversations are ephemeral, and we’re losing control over the data. We trust our ISPs, employers and cellphone companies with our privacy, but again and again they’ve proven they can’t be trusted. Identity thieves routinely gain access to these repositories of our information. Paris Hilton and other celebrities have been the victims of hackers breaking into their cellphone providers’ networks. Google reads our Gmail and inserts context-dependent ads.

Taking passwords to the grave

David Braverman — Tue, 03 Oct 2006 13:38:17 GMT

CNet raises an interesting problem: what happens if you die without telling anyone your passwords? It could be a real problem for your heirs:

"He did not keep a hard copy address book. I think everything was online," said [San Francisco poet William] Talcott's daughter, Julie Talcott-Fuller. "There were people he knew that I haven't been able to contact. It's been very hard."

"Yahoo (his e-mail provider) said it wouldn't give out the information due to privacy laws, but my dad is dead so I don't understand that," she said.

One solution is to use a secure password storage facility, like Bruce Schneier's Password Safe, and then put the master password in trusted escrow like a safe-deposit box or your attorney's office. Of course, you'll have to keep up with this, because you'll change your master password at least every three months, right?