Choicepoint Roundup for Today

  • The Associated Press has a story “Burned by ChoicePoint breach, potential ID theft victims face a lifetime of vigilance” (actually, we all face a lifetime of vigilance, as these companies make buckets of money by gossiping about us). The money quote:

    Many victims are dumbfounded by the dearth of federal and state laws aimed at protecting their credit histories and other information about them that data brokers gather and sell to institutions including news organizations, banks and, increasingly, companies vetting prospective employees. Victims are also frustrated by the amount of time it takes to re-establish identities.

  • How can I not link to an article titled “Lycos and meet-markets are latest thieves of personal identities, souls and dreams”?
  • Cutting Edge of Ecstasy draws a choice quote from this NYTimes story. On Feb 16th, Chuck Jones said:

    ‘California is the focus of the investigation and we don’t have any evidence to indicate at this point that the situation has spread beyond California.’ Is he the same guy that wrote their slogan?

  • The US Senate will be holding hearings on information brokerage. (Via this Wired roundup story. I expect bad law will be the result. It’s too bad that these companies have dug in their heels, rather than collaborating on a much needed law to regulate themselves.)
  • The New York Times has more on Senator Schumer’s position.
  • Monkey McGee gets a Choicepoint press release dumped in his comments.
  • Mercury Rising comments that the mainstream media isn’t covering the Florida debacle, in which Choicepoint played an important role.
  • Public Domain Progress has a nice roundup interspersed with lots of analysis.
  • The Atlanta Journal Constitution reports that Choicepoint execs have been dumping their own stock since this started.

Roger McNamee on Sarbox

Roger McNamee has an article on how Sarbanes-Oxley is hurting public companies by making their guidance more conservative than it should be.

It’s hard for executives to avoid providing some form of guidance – investors generally insist on it – but they have a big incentive to understate the outlook early in the fiscal year.  As annoying as the recent sell-off must be to executives, it is the lesser of two evils.  No executive wants to invite shareholder litigation by falling short of aggressive guidance, so most execs put out the lowest guidance they think they can get away with.  As the year progresses, the guidance window gets shorter and shorter, and the trend line in fundamentals provides investors with greater confidence in the outlook for the year.

When you combine that problem with the higher bar for a company to go public, which I wrote about in Sarbox and Venture Capital, the damage done by hastily passed laws becomes increasingly clear. Which is all the more reason to take our time and write a decent privacy law in the aftermath of Choicepoint.

Finding Security Issues

In Today’s Choicepoint Roundup, I mentioned that Richard Smith had found a number of issues with Choicepoint’s web sites. In discussion, Richard told me that the issues included (but were not limited to) robots.txt files and directory listings enabled.

The robots.txt standard is a way to tell search engines “please don’t go here.” That’s useful if you have a database-driven section of your site that can send a crawler into an infinite loop, which is of no value to either the search engine or your site. It can also be used to say, “please don’t index these ‘secret’ documents.” At that point, those documents are not only not secret, they’re being pointed to, so someone gathering data can find them. That person is not an attacker; you chose to put that data on the web without any protection.

Similarly, directory listings being enabled may or may not be a security issue. You may want all users to be able to see all the documents in a directory. You might have made a mistake.

When building automated vulnerability scanners of any sort, these issues raise thorny questions. This applies across the spectrum, from Nessus-style credential-free scanners that look for known vulnerabilities, to Nikto, which looks for classes of common implementation flaws, to static code analyzers like Splint. You’ll always find things which may or may not be OK in context. A system running a web server may be your corporate web server, or it may be a forgotten box on a developer’s desktop, full of flaws. That strcpy(foo, bar) may never see attacker-provided data. The creators of these tools try to categorize and describe what they’ve found to help their users. Consultants offering a service around the tools can learn what questions to ask, to help sort through the issues faster and focus on those that matter.
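The two findings mentioned above (robots.txt entries and directory listings) are exactly the kind that need context. As an added example, not code from the post, here is a small self-audit that reads a site’s own robots.txt and checks whether each Disallow path is actually denied or merely hidden from crawlers; the fetch function and the sample site are constructed stand-ins for real HTTP requests.

```python
# Added example (not from the post): treat a site's own robots.txt as a list of
# places that MUST be protected by something stronger than a polite request.
# For each Disallow path, a caller-supplied fetch function reports what an
# anonymous request would get; the fetch function and site below are constructed.
from typing import Callable, Dict, List, Tuple

Fetch = Callable[[str], Tuple[int, str]]   # path -> (HTTP status, body)

def parse_disallows(robots_txt: str) -> List[str]:
    """Return the Disallow paths from a robots.txt body, ignoring comments."""
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.lower().startswith("disallow:"):
            continue
        path = line.split(":", 1)[1].strip()
        if path and path not in paths:      # a bare "Disallow:" allows everything
            paths.append(path)
    return paths

def looks_like_listing(body: str) -> bool:
    """Heuristic for an auto-generated directory index page."""
    b = body.lower()
    return "<title>index of " in b or "parent directory" in b

def audit(robots_txt: str, fetch: Fetch) -> Dict[str, str]:
    """Classify each Disallow path as 'protected', 'listing' or 'exposed'."""
    findings = {}
    for path in parse_disallows(robots_txt):
        status, body = fetch(path)
        if status in (401, 403, 404):
            findings[path] = "protected"    # denied: robots.txt is just a courtesy
        elif looks_like_listing(body):
            findings[path] = "listing"      # directory listing enabled and readable
        else:
            findings[path] = "exposed"      # readable; only hidden from crawlers
    return findings

# Constructed sample: a robots.txt that "hides" three paths, and what an
# anonymous request to each of them returns.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /cgi-bin/search   # database-driven, loops forever for a crawler
Disallow: /reports/
Disallow: /internal/memo.doc
Disallow:                   # empty: allows everything, must be skipped
"""
SAMPLE_SITE = {
    "/cgi-bin/search": (403, "Forbidden"),
    "/reports/": (200, "<html><title>Index of /reports</title>..."),
    "/internal/memo.doc": (200, "Confidential memo body"),
}

def sample_fetch(path: str) -> Tuple[int, str]:
    return SAMPLE_SITE.get(path, (404, "Not Found"))
```

Run `audit(SAMPLE_ROBOTS, sample_fetch)` to get one verdict per path; only “protected” means the robots.txt entry was harmless.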

Similarly, an outsider looking at T-Mobile, Choicepoint, or PayMaxx suffers from trying to interpret what they see, perhaps trying to explain to a company that they’re not trying to hack the site, but that they stumbled across the issue.

I often see things which make me ask, “Hey, is there a serious security issue here?” and the answer is usually determinable within 5 minutes. Since I’m trying to do business with the company (which is why I’m on their site), I’d like the issue fixed.

Mature disclosure models need to improve not only the researcher side, but the way vulnerability reports are received. (“Press 9 to report a security problem with our web site.”)

Small Bits of Chaos: Conferences and What Would Dylan Do?

This Concealed I conference in Ottawa, March 4-5, looks really good.

Bob Dylan joins the cypherpunks in skipping Woodstock for his trig homework: “I wouldn’t even think about playing music if I was born in these times… I’d probably turn to something like mathematics.” (NME, via Scrivner.)

Who did this: Privacy Enhancing Technologies, May 30-June 1. Security and Economics, June 2-3. Feh.

Today’s Choicepoint Roundup

  • The Privacy Rights Clearinghouse has an extensive sheet on what to do if you’re a victim of Choicepoint’s failure to secure data.
  • SoftReset calls for banning the use of SSNs for non-government purposes. I take a slightly more moderate view: Anyone using the SSN is already subject to GLB liability.
  • Random Thoughts on Politics comments that Choicepoint is really an end-run around controls on government monitoring of citizens.
  • The folks with the Google ad have sued Choicepoint in the past, over the FL drivers license thing. (That’s an interesting background link, even if you’re not in Florida.)

  • Richard Smith, a longtime privacy advocate and security bug finder, sends a note to the Web Application Security list, explaining that he’s found many problems with Choicepoint sites.
  • Coverage is getting broader, as Red Herring covers things. Which raises the question, who notified whom? Reuters claims that the authorities notified Choicepoint, while Choicepoint claims they notified the authorities. Let’s see…who has motive to lie?
  • The Atlanta Journal Constitution reports that California is wondering why the notifications took so long. Was it not due to law enforcement requests?
  • Stefan Brands steps away from the noise and explains what identity providers should learn.

Disclosure and PayMaxx

There seems to be a bit of a spat going between PayMaxx and ThinkComputer (who may have the worst web site I’ve tried to view in a long time). As documented by Robert Lemos at Ziff-Davis:

Greenspan, a former PayMaxx customer, said he discovered the alleged problems in the company’s system more than two weeks ago, after he received notification from the company that his W-2 tax form was available online for download and printing. The link to access the W-2 included an ID number, and he wondered whether the company had protected against an obvious security problem: adding one to the ID number to get the next form.

Instead of being denied access, Greenspan found that another person’s W-2 was downloaded and readable. Sequential, rather than randomized, ID numbers made it easy to call up numerous customers’ data.

“Due to the lack of specificity provided by Mr. Greenspan in his obvious sales pitch, PayMaxx did not view his communications as credible,” the company said. “Consequently, we declined his offer to hire his services.”

It seems that Greenspan provided more than enough data to Mr. Lemos for me to understand the problem. [Update: oops! Via Security, Trust and Privacy News.]
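The problem Lemos describes is a link that identifies a form only by a sequential number, with nothing checking who follows it. As an added illustration (my own sketch, not PayMaxx’s code), here is that handler beside a hardened one that requires both an unguessable per-form token and a server-side ownership check; the users, ids, tokens and form contents are constructed.

```python
# Added example (not PayMaxx's code): the flaw described above next to a
# hardened form. Forms are keyed by a sequential id and the vulnerable handler
# trusts whatever id appears in the link. The fix is two independent checks: an
# unguessable per-form token in the link AND a server-side ownership check
# against the logged-in user. Users, ids, tokens and contents are constructed.
import hmac
import secrets

# Constructed store: sequential id -> owner, random token, form contents
FORMS = {
    1001: {"owner": "alice", "token": secrets.token_urlsafe(32), "w2": "alice W-2"},
    1002: {"owner": "bob",   "token": secrets.token_urlsafe(32), "w2": "bob W-2"},
}

def vulnerable_fetch(form_id: int) -> str:
    """The 'before': the link carries only the id, and nobody checks who asked,
    so id + 1 returns the next customer's form."""
    return FORMS[form_id]["w2"]

def make_link(form_id: int) -> str:
    """Link as it should be mailed out: the id plus a random, unguessable token."""
    return f"/w2?id={form_id}&t={FORMS[form_id]['token']}"

def hardened_fetch(user: str, form_id: int, token: str) -> str:
    """The 'after': the request must carry the right token AND the form must
    belong to the logged-in user. Every failure gives the same error so the
    response does not reveal whether an id exists or whose it is."""
    record = FORMS.get(form_id)
    if record is None:
        raise PermissionError("not found or not yours")
    token_ok = hmac.compare_digest(record["token"].encode(), token.encode())
    owner_ok = record["owner"] == user
    if not (token_ok and owner_ok):        # both computed; no early exit on one
        raise PermissionError("not found or not yours")
    return record["w2"]

def can_read(user: str, form_id: int, token: str) -> bool:
    """True if hardened_fetch would hand the form over."""
    try:
        hardened_fetch(user, form_id, token)
        return True
    except PermissionError:
        return False

if __name__ == "__main__":
    print(make_link(1001))                                      # alice's own link
    print(hardened_fetch("alice", 1001, FORMS[1001]["token"]))  # alice W-2
    # id + 1 with alice's own token is refused; vulnerable_fetch(1002) was not
    print(can_read("alice", 1002, FORMS[1001]["token"]))        # False
```

The random token alone would already defeat guessing, but the ownership check is what makes a leaked or forwarded link useless to anyone who is not logged in as its owner.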

Oh, there it is.

Back in October, I asked, “where’s the 8-in-1 media reader to take photos directly from your camera.” From today’s Apple press release:

The new iPod Camera Connector is an optional accessory that enables customers to connect their digital camera to iPod photo and import their photos into the iPod. By simply connecting the iPod Camera Connector and a digital camera*, customers can easily transfer digital images to their iPod photo, providing tremendous storage space so they can take more pictures. Imported photos are immediately viewable on iPod photo’s crisp color screen, and can also be brought back to iPhoto(R) on the Mac or various photo applications on the PC. The iPod Camera Connector is expected to be available in late March for $29.

Now can I have my HTML export from Keynote? Thanks!

When The Future Has No Shadow

I remember when I was in college, discussing what we’d do if we discovered we had a terminal disease. Being college students, there were lots of ways to maximize short-term fun before the disease ate you.

The game theory folks talk about “the long shadow of the future,” the idea that cooperation can be rewarded in the future, as a strong driver towards cooperative behavior. So what happens if you expect that your company will, over the next few years, be sued out of existence?

One valid answer is to maximize the cash extracted from your customers now, and damn the effects on the rest of the world. You might break laws in other countries. You might claim, under tenuous logic, that local regulations don’t apply to you. You should maximize short-term profits over everything, because you may be shut down soon.

Now, I’m not privy to any secrets at Choicepoint. (Unlike Choicepoint, who is privy to secrets about me.) I have no idea if this is their strategy. But are their actions distinguishable from this?

Let’s close with a quote from Schneier:

ChoicePoint protects its data, but only to the extent that it values it. The hundreds of millions of people in ChoicePoint’s databases are not ChoicePoint’s customers. They have no power to switch credit agencies. They have no economic pressure that they can bring to bear on the problem. Maybe they should rename the company “NoChoicePoint.”

[Other Choicepoint posts today include a roundup and some analysis. Or you may just want to look at the archives from Feb 17th onwards.]

Today’s Choicepoint Roundup

Google is running an ad when you search on Choicepoint: “ChoicePoint letter says your identity stolen? Learn your rights.” On clicking through, it’s just a form, asking someone to contact you. Renaissancemen has a good roundup, including the fact that only 5% of perpetrators are arrested, and a pointer to Kevin Drum arguing for more consumer control. (The industry will successfully argue that they can’t identify customers like that, and it would be too expensive if they did.) The Seattle Times points out that Choicepoint will be rescreening 17,000 customers.

Wired has a story by Kim Zetter:

Legal experts say that people who suffered losses as a result of the breach will find it difficult to get compensation from ChoicePoint for selling their personal data to con artists, even if the victims can prove that ChoicePoint was negligent in screening customers who purchased their data. That’s because courts have been unwilling to penalize companies when victims of identity theft are not their direct customers.

Michelle Malkin has a roundup, which includes pointers to two comments from a private investigator on the value of that industry and the danger of knee-jerk reactions (with more on why PIs are good for you). I am actually very sympathetic to the problem of bad law. It’s too bad that Choicepoint has claimed they’re not covered under the Fair Credit Reporting Act. If they hadn’t taken that position, they’d find it easier to oppose new laws.

Finally, Jackson’s Junction has an interesting insider’s view, including:

I have always known that fraudulent companies were finding ways to obtain credit reports. How have I known this you may ask? Simple. One of the major bureaus issues a list of companies they have banned for improperly obtaining credit reports each month. This list is sent out to all resellers of credit reports letting us know not to do business with these companies. 

More on Choicepoint

Enter ChoicePoint’s two-building campus in Alpharetta, and you get the feeling you are being watched.

starts a new story at the Atlanta Journal-Constitution. (Use Bugmenot to log in.) It’s sort of ironic. Choicepoint is focused on identifying people, rather than identifying behavior that leads to trouble. They figure that once you have an account, they want you to use it. The TSA is making this same mistake. They’re all over trying to identify the bad people with CAPPS, CAPPS-II, and Free Wheelchairs for Paraplegic Children. The issue isn’t who you are, it’s what you’re doing.

In a move that a lot of people might laugh at, Rich Baich, Chief Information Security Officer of ChoicePoint will be speaking at a web seminar on risk management. (From Mike T, posting to IP.) This is actually a good thing. Mr. Baich and his company have been managing their risks very well. The 140,000 victims? Well, they were an externality. From the company’s tactical viewpoint, it makes sense to maximize revenue by selling as much product as possible. No instance of ID theft, job-lockout, or false arrest was likely to come back to haunt Choicepoint. Then 1386 happened, and now the stock has fallen 5½%. Was this predictable by a reasonable person? I’m sure the courts will decide.

The Open Passport

Third, this may be all moot if the government takes the easy step of giving citizens a passport cover made of aluminum foil. According to one article “Even Schneier agrees that a properly shielded passport cover should solve the problem. He wonders why this wasn’t included in the original plans for the new passports.”

writes Dennis Bailey over at “The Open Society Paradox.” However, a properly shielded passport isn’t the right fix; the right fix is to make the chip one that requires contact to read. Otherwise, you’re at risk every time you open your passport, say at a hotel, money-changer, or bank. The added value of a contact-less reader hasn’t been made clear at all, while the risks are very, very clear.

Cool Tech at RSA: i-Mature

At RSA, I didn’t get a demo, but did talk to John Brainard of RSA about i-Mature, a fascinating biometrics company. There’s been some discussion on Interesting People. Vin McClellan discusses the tech, Seth Finkelstein maps their web site, reporter Andy Sullivan plays with one, Lauren Weinstein on probable attacks, Herb Lin on the limits of the tech. Some folks wanted to believe that the tech can magically distinguish 18-year-olds from 17-year-olds. All of these were discussing the online use of the technology.

I think a much more useful and practical application is reducing the demand for ID cards for drinking. If we can reliably, and anonymously, discover that Alice is over 21, then Alice doesn’t need to carry an ID. This is a good thing. Bars would go for this, if it’s both cheap and legally covered, because they sometimes have people who would like to buy drinks who don’t have ID. Bars, being businesses, would like to serve them, if they could manage their liability. So I hope this technology takes off.

Small Bits of Chaos: Passports, Financial Crypto

Ryan Singel has a good post on chipped passports:

Bailey is right that the new passport will be harder to forge with the inclusion of RFID chips, especially since the chip would be digitally signed to prevent changes to the data in the chip. That’s a solid security measure.

But, the chips create a new hazard, since older passports, which have a ten year expiration, will remain valid until they expire.

An unencrypted RFID enabled passport can be skimmed by a hidden reader most easily when the bearer is showing it at a money-changer, giving it to a hotel for safe keeping in the safe or checking into a hostel.

The data — including the digital photo — can then be used to create a phony version of the *old* passport, using the name, passport number, and possibly even the picture of a real passport holder.

Firstly, you don’t need an RFID chip to get the benefits of a digital signature. You can use a physical printout (say, several 2-D bar codes, or the signing technology used for physical mail), or a contact chip, like smart cards have.

Secondly, if the chip isn’t doing a signature, then I can copy the entire block, data and signature, and insert it in a new RFID chip. Since there will be a chip that’s read, I may be able to get away with a lower quality passport fake.
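The second point is worth seeing concretely: a signature over a static data block proves the block was issued, not that the chip holding it is the original. As an added illustration, not from the post and not any real passport protocol, the sketch below uses HMAC-SHA256 as a stand-in for both the issuer’s signature and a per-chip key (real passports use public-key signatures, so the primitive is an assumption, the argument is not); a byte-for-byte copy passes the static check, while a chip that answers a fresh challenge with its own key cannot be copied by reading it. Keys and data are constructed.

```python
# Added example (not from the post): why a signature over static chip data does
# not stop cloning, and what changes when the chip itself "does a signature".
# HMAC-SHA256 stands in for both the issuer's signature and the chip's own key;
# real passports use public-key signatures, so the primitive is an assumption
# here, the argument is not. Keys and data below are constructed.
import hashlib, hmac, secrets

ISSUER_KEY = secrets.token_bytes(32)     # constructed issuer signing key
DATA = b"name=A. Holder|passport=000000000|photo=<jpeg bytes>"

def issuer_sign(data: bytes) -> bytes:
    return hmac.new(ISSUER_KEY, data, hashlib.sha256).digest()

def verify_static(data: bytes, sig: bytes) -> bool:
    """Reader check for a passive chip: is the stored block issuer-signed?"""
    return hmac.compare_digest(issuer_sign(data), sig)

class PassiveChip:
    """Stores a signed block and hands it out on request; nothing else."""
    def __init__(self, data: bytes, sig: bytes):
        self.block = (data, sig)
    def read(self):
        return self.block

class ActiveChip(PassiveChip):
    """Also holds a secret that never leaves the chip and answers challenges."""
    def __init__(self, data: bytes, sig: bytes, chip_key: bytes):
        super().__init__(data, sig)
        self._key = chip_key
    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, nonce + self.block[0], hashlib.sha256).digest()

def clone(chip: PassiveChip) -> PassiveChip:
    """Copy everything a skimmer can read: the data block and its signature."""
    return PassiveChip(*chip.read())

def verify_active(chip, chip_key: bytes) -> bool:
    """Reader check with a fresh nonce (the reader knows the chip's key, e.g.
    derived from issuer data). A copied block cannot answer, and a replayed
    old answer fails because the nonce is new each time."""
    nonce = secrets.token_bytes(16)
    expected = hmac.new(chip_key, nonce + chip.read()[0], hashlib.sha256).digest()
    respond = getattr(chip, "respond", None)
    return respond is not None and hmac.compare_digest(expected, respond(nonce))

def demo() -> dict:
    sig, chip_key = issuer_sign(DATA), secrets.token_bytes(32)
    genuine = ActiveChip(DATA, sig, chip_key)
    copy = clone(genuine)
    return {
        "static_on_genuine": verify_static(*genuine.read()),
        "static_on_copy": verify_static(*copy.read()),      # True: same bytes
        "active_on_genuine": verify_active(genuine, chip_key),
        "active_on_copy": verify_active(copy, chip_key),    # False: no key
    }
```

The static check still has value (it catches edited data, as the post’s first point allows), but only the challenge-response step ties the data to a particular chip, which is why “the chip isn’t doing a signature” is the crux.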

Adam Shostack, another of the original organizers, thinks that the reason for the failure of financial cryptography is simple. “People are conservative in how they pay for things,”

is only one of the things that Peter Wayner has to say in this Technology Review article.

Free Mojtaba and Arash!

Sending people to jail for expressing their opinions is wrong. In the West we’ve understood why it was wrong since John Stuart Mill wrote On Liberty. So please, for the betterment of Iran, and the entire world:


Mojtaba and Arash are Iranian bloggers jailed for their ideas. What ideas is almost not relevant. Even if they were saying disgusting things like “Osama is a great guy,” (which would probably get them a medal in Iran), they should be allowed to speak, so that others can counter their false ideas.

(My prior post on Fighting Terrorist Ideas also mentions Mill.)

Cool Tech At RSA

One of the best bits at RSA was at the HP booth. Marc Stiegler, Alan Karp, Ka-Ping Yee and Mark Miller have created Polaris, a system for isolating and controlling untrustworthy code on Windows. The white paper is here. It’s very simple, easy, and looks like a winner. I hope they find a way to bring it to market.