The Daily Parker

Politics, Weather, Photography, and the Dog

In case you didn't have enough to worry about

Via Bruce Schneier, two Harvard undergraduates have demonstrated that the volume of easily obtainable information from multiple large-scale data breaches makes targeting people for cybercrime easier than you might have guessed:

The students found a dataset from a breach of credit reporting company Experian, which didn’t get much news coverage when it occurred in 2015. It contained personal information on six million individuals. The dataset was divided by state, so [students Dasha] Metropolitansky and [Kian] Attari decided to focus on Washington D.C. The data included 69 variables—everything from a person’s home address and phone number to their credit score, history of political donations, and even how many children they have.

But this was data from just one leak in isolation. Metropolitansky and Attari wondered if they could identify an individual across all other leaks that have occurred, combining stolen personal information from perhaps hundreds of sources.

There are sites on the dark web that archive data leaks, allowing an individual to enter an email and view all leaks in which the email appears. Attari built a tool that performs this look-up at scale.

“We also showed that a cyber criminal doesn’t have to have a specific victim in mind. They can now search for victims who meet a certain set of criteria,” Metropolitansky said.

For example, in less than 10 seconds she produced a dataset with more than 1,000 people who have high net worth, are married, have children, and also have a username or password on a cheating website. Another query pulled up a list of senior-level politicians, revealing the credit scores, phone numbers, and addresses of three U.S. senators, three U.S. representatives, the mayor of Washington, D.C., and a Cabinet member.

"We're two college students. If someone really wanted to do some damage, I'm sure they could use these same techniques to do something horrible," [Metropolitansky said].

As Schneier points out, "you can be sure that the world's major intelligence organizations have already done all of this."

This is also why we need government regulation or stricter liability laws around data breaches. Experian's sloppiness imperiled six million people, and has probably resulted in crime already. But the company has no incentive to fix its issues. In fact, it didn't even reveal the breach for years.
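The cross-leak correlation the students describe, as an added example that is not their tool and not code from the post: two constructed leak extracts (assumed field names) are joined on a normalised email address, then queried by victim criteria rather than by name. The Gmail dot and plus-tag rules, the `CREDIT_LEAK`/`DATING_LEAK` records and the score thresholds are all assumptions for illustration.

```python
from collections import defaultdict

# Constructed stand-ins for two unrelated leaks (assumed field names; the
# real datasets discussed in the post are not reproduced here).
CREDIT_LEAK = [
    {"email": "Alice.Smith+bank@gmail.com", "credit_score": 810, "married": True, "children": 2},
    {"email": "bob@example.org", "credit_score": 640, "married": False, "children": 0},
    {"email": "carol@example.net", "credit_score": 790, "married": True, "children": 1},
]
DATING_LEAK = [
    {"email": "alicesmith@googlemail.com", "username": "a_s_1979"},
    {"email": "dave@example.com", "username": "dave99"},
]


def normalize_email(addr):
    """Canonicalise an address so one person matches across leaks.

    Lower-cases everything, drops a '+tag' suffix from the local part and,
    for Gmail, removes dots and folds googlemail.com into gmail.com. These
    rules are assumptions about provider behaviour, not taken from the post.
    """
    local, _, domain = addr.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def build_profiles(*leaks):
    """Merge (name, records) pairs into one profile per normalised email.

    Every field from every leak is folded into the profile, and the set of
    leak names the address appeared in is tracked under 'sources'.
    """
    profiles = defaultdict(lambda: {"sources": set()})
    for name, records in leaks:
        for rec in records:
            profile = profiles[normalize_email(rec["email"])]
            profile["sources"].add(name)
            profile.update({k: v for k, v in rec.items() if k != "email"})
    return dict(profiles)


def appearances(profiles, email):
    """The per-address look-up the archive sites offer: which leaks hold it?"""
    return profiles.get(normalize_email(email), {"sources": set()})["sources"]


def find_targets(profiles, min_score=750, married=True, min_children=1,
                 must_appear_in=("dating",)):
    """The criteria search: victims are selected by attribute, not by name."""
    return sorted(
        email for email, p in profiles.items()
        if p.get("credit_score", 0) >= min_score
        and p.get("married") == married
        and p.get("children", 0) >= min_children
        and set(must_appear_in) <= p["sources"]
    )


if __name__ == "__main__":
    profiles = build_profiles(("credit", CREDIT_LEAK), ("dating", DATING_LEAK))
    print(appearances(profiles, "alice.smith@gmail.com"))
    print(find_targets(profiles))
```

Nothing here is exotic: the whole attack is a join on a normalised key. That is why a distinct address per service (a separate alias or domain, not a plus-tag, which the normaliser strips) is one of the few defences an individual controls, and why a single leak of 69 attributes per person is far more dangerous than the same attributes leaking separately.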

Why transparency matters

Yesterday I bemoaned not only our depression-inducing lack of sunlight (predicted return of the sun: Sunday, maybe), but also Senate Republicans' efforts to hide or ignore information relevant to the impeachment trial now underway.

Another story about how a lack of transparency causes damage has come to light. The Washington Post reports that the Saudi attack on Post owner Jeff Bezos' phone was helped, to a great extent, by Apple's secretive approach to finding and fixing security flaws:

A security report last week alleged that Bezos, who also owns The Washington Post, received a WhatsApp message laden with code that secretly snatched reams of personal data from his iPhone X. The message allegedly came from Mohammed bin Salman, the crown prince of Saudi Arabia. Security researchers say Bezos probably fell victim to the iPhone’s Achilles’ heel: Its defenses are so difficult to penetrate that once sophisticated attackers are in, they can go largely undetected.

That is in part because Apple employs a secretive approach to finding and fixing security flaws, researchers say, something that has generated debate in the security community.

Security researchers say iPhones and Androids have different approaches to security. They say they generally believe there are more bugs and vulnerabilities in Android. That may be because there are so many different versions, or “forks,” of Android. Google allows its myriad handset makers and others to customize the operating system.

That results in two security philosophies. In Android’s case, the researchers said, the more people who look for bugs, the more secure a system becomes. But Apple’s strategy follows the idea that less visibility into the software means fewer bugs will be discovered in the first place, making the overall operating system more secure. It takes skill, resources or both to find those bugs, which means hackers will typically use them sparingly to protect them from discovery.

Bruce Schneier has argued in favor of transparency for years. This is why. And why I only use Android devices.

Too many things to read this afternoon

Fortunately, I'm debugging a build process that takes 6 minutes each time, so I may be able to squeeze some of these in:

Back to debugging Azure DevOps pipelines...

Busy day links

I had a lot going on at work today, so all I have left is a lame-ass "read these later" post:

I'd say "back to the mines," but I believe I have a date with Kristen Bell presently.

Spot the theme

A few articles to read at lunchtime today:

  • Will Peischel, writing for Mother Jones, warns that the wildfires in Australia aren't the new normal. They're something worse. (Hint: fires create their own weather, causing feedback loops no one predicted.)
  • A new analysis finds that ocean temperatures not only hit record highs in 2019, but also that the rate of increase is accelerating.
  • First Nations communities living on Manitoulin Island in Lake Huron—the largest freshwater island in the world—warn that human activity is disrupting millennia-old ecosystems in the Great Lakes.

Fortunately, those aren't the only depressing stories in the news today:

Now that I'm thoroughly depressed, I'll continue working on this API over here...

Two big 20th anniversaries today (and a centennial)

We typically think of January 1st as the day things happen. But December 31st is often the day things end.

On 31 December 1999, two things ended at nearly the same time: the presidency in Russia of Boris Yeltsin, and the American control of the Panama Canal Zone.

Also twenty years ago, my company gave me a $1,200 bonus ($1,893 in 2019 dollars) and a $600 suite for two nights in midtown Manhattan because I volunteered to spend four hours at our data center on Park Avenue, just so that Management could say someone was at the data center on Park Avenue continuously from 6am on New Year's Eve until 6pm on New Year's Day. Since all of the applications I wrote or had responsibility for were less than two years old, literally nothing happened. Does this count as an anniversary? I suppose not.

And one hundred years ago, 31 December 1919 was the last day anyone could legally buy alcohol in the United States for 13 years, as the Volstead Act took effect at midnight on 1 January 1920.

I'm DD tonight, but I will still raise a glass of Champagne to toast these three events.

Photo by Harris & Ewing, Library of Congress, Public Domain.

Same job, new title

For the past seven months I've worked as a contract development lead in Milliman's Cyber Risk Solutions group. Today I officially convert to a new full-time role as Director of Product Development for Cyber Risk Solutions.

We have a lot to do in 2020, and I'll post about it what I can. So far we've started building "a new generation risk platform which uses an ensemble of cutting edge techniques to integrate what is known, knowable and imaginable about complex risks in order help risk managers identify, assess and monitor dynamic, high velocity, complex risk such as cyber," as the partner in charge of my practice says. It's cool shit, I say. And I'm happy to make Milliman my permanent home.

The role now shifts a little bit from building out the minimum-viable product to building out the team. I'll still have to write a lot of software, but I'll also expand our partnerships with teams in London, Sydney, and Lyon, and will probably have to visit at least two of those places more than once in 2020. In fact, at minimum I'll be in the London office four times, probably six. The only one sad about this is Parker.

And as an example of how great the management team is, they're starting me today so that my benefits kick in tomorrow. That was a very cool gesture.

Watch this blog for more updates.

I'll take an antacid with my lunch now

With only two weeks left in the decade, it looks like the 2010s will end...bizarrely.

More people have taken a look at the President's unhinged temper tantrum yesterday. I already mentioned that Aaron Blake annotated it. The Times fact-checked it. And Jennifer Rubin says "It is difficult to capture how bizarre and frightening the letter is simply by counting the utter falsehoods...or by quoting from the invective dripping from his pen."

As for the impeachment itself, Josh Marshall keeps things simple:

Here are three points that, for me, function as a sort of north star through this addled and chaotic process.

One: The President is accused of using extortion to coerce a foreign power to intervene in a US presidential election on his behalf.

Two: There is no one in US politics who would ever find that behavior remotely acceptable in a President of the opposite party.

Three: The evidence that the President did what he is accused of doing is simply overwhelming.

In the UK, Shadow Foreign Secretary Emily Thornberry (Labour—Islington South and Finsbury) has announced a run for Labour Party leader: “Listening to Labour colleagues on the media over the last week, I have repeatedly heard the refrain that the problem we faced last Thursday was that ‘this became the Brexit election’. To which I can only say I look forward to their tweets of shock when next Wednesday’s lunch features turkey and Brussels sprouts … I wrote to the leader’s office warning it would be ‘an act of catastrophic political folly’ to vote for the election, and set out a lengthy draft narrative explaining why we should not go along with it."

The Times review of Star Wars: The Rise of Skywalker left me feeling resigned to seeing the movie, rather than excited. A.O. Scott said:

The director is J.J. Abrams, perhaps the most consistent B student in modern popular culture. He has shepherded George Lucas’s mythomaniacal creations in the Disney era, making the old galaxy a more diverse and also a less idiosyncratic place.

Abrams is too slick and shallow a filmmaker to endow the dramas of repression and insurgency, of family fate and individual destiny, of solidarity and the will to power, with their full moral and metaphysical weight. At the same time, his pseudo-visionary self-importance won’t allow him to surrender to whimsy or mischief. The struggle of good against evil feels less like a cosmic battle than a longstanding sports rivalry between teams whose glory days are receding. The head coaches come and go, the uniforms are redesigned, certain key players are the subjects of trade rumors, and the fans keep showing up.

Which is not entirely terrible. “The Rise of Skywalker” isn’t a great “Star Wars” movie, but that may be because there is no such thing. That seems to be the way we like it.

Well, that's a ringing endorsement. I mean, I'm sure I'll come out of it feeling like it was worth $15, but I'm not sure I'll see it over 200 times like I have with A New Hope. (It helps that ANH came out when I was about to turn 7.)

And in other news:

Will the world be better in 2020? We'll see.

Voting underway...

Voting in the UK general election started at 1am Chicago time (7am GMT) last night and goes until 4pm Chicago time (10pm GMT) this afternoon. Because we have regular readers in the UK, the Daily Parker will observe UK law and precedent against reporting or commenting on the election while the polls are open.

Instead, I'd like to call attention to an article in yesterday's Times outlining the problems with the FBI's wiretap on Carter Page. While the inspector general found that the investigation started from genuine criminal suspicion rather than politics, he also unearthed many abuses of Foreign Intelligence Surveillance Act (FISA) rules in the investigation's early stages:

The Justice Department’s independent inspector general, Michael E. Horowitz, and his team uncovered a staggeringly dysfunctional and error-ridden process in how the F.B.I. went about obtaining and renewing court permission under the Foreign Intelligence Surveillance Act, or FISA, to wiretap Carter Page, a former Trump campaign adviser.

To give just three examples:

First, when agents initially sought permission for the wiretap, F.B.I. officials scoured information from confidential informants and selectively presented portions that supported their suspicions that Mr. Page might be a conduit between Russia and the Trump campaign’s onetime chairman, Paul Manafort.

But officials did not disclose information that undercut that allegation — such as the fact that Mr. Page had told an informant in August 2016 that he “never met” or “said one word” to Mr. Manafort, who had never returned Mr. Page’s emails. Even if the investigators did not necessarily believe Mr. Page, the court should have been told what he had said.

Second, as the initial court order was nearing its expiration and law-enforcement officials prepared to ask the surveillance court to renew it, the F.B.I. had uncovered information that cast doubt on some of its original assertions. But law enforcement officials never reported that new information to the court.

Finally, the report stressed Mr. Page’s long history of meeting with Russian intelligence officials. But he had also said that he had a relationship with the C.I.A., and it turns out that he had for years told the agency about those meetings — including one that was cited in the wiretap application as a reason to be suspicious of him.

On the other hand, the FBI had credible suspicions that a hostile foreign power had begun to intervene in our election.

On the third hand, civil libertarians (and The Daily Parker) have criticized FISA for years, both in law and application, because it makes abuses like these far too easy.

We'll be back after 4pm with the latest news from Britain.