Hasbrouck on RFID Passports

In his closing CFP keynote, Bill Scannell of RFIDKills.com asked for voice votes by the audience on whether a series of government measures including the use of secretly and remotely-readable RFID chips in passports were stupid or evil. “Both” seemed to be the predominant response. I and some others (including Ryan Singel of Wired News and Kevin Bankston of EFF have framed the question a little more harshly: are the architects of the travel panopticon incompetent, or are they lying?

So writes Ed Hasbrouck in “RFID Passports at CFP.” Go read it, unless you love Big Brother, and don’t want to hear any thoughtcrime.

DSW, IRS Security Failures

What is it with order of magnitude errors in victim counts? DSW Shoe reports 1.4 million credit cards exposed.

In other news, the General Accounting Office reports

[The IRS] has corrected or mitigated 32 of the 53 weaknesses that GAO reported as unresolved at the time of our prior review in 2002. However, in addition to the remaining 21 previously reported weaknesses for which IRS has not completed actions, 39 newly identified information security control weaknesses impair IRS’s ability to ensure the confidentiality, integrity, and availability of its sensitive financial and taxpayer data and FinCEN’s Bank Secrecy Act data.

Andy Sullivan has some good analysis at Computerworld. We don’t yet know of any breaches at the IRS, but that doesn’t mean there haven’t been any. It seems that California’s SB 1386 covers “any agency.” I don’t see why the Federal Government would be exempted from that, any more than they’re exempted, from say, local noise ordinances. But the IRS is legendary for their willingness to ignore the law, so it could be that they’re illegally concealing information that the law in California requires them to disclose.

Housing Bubble?

Tyler Cowen asks, does DC have a housing bubble, and asks how can we justify the price rise:

Housing can be lived in, most buyers have only one home, transaction costs are relatively high, and rarely are homes sold and resold in a matter of days. All those features militate against a housing bubble. Yet it is scary to see how high prices have risen in the Washington D.C. area. Prices in my overall region are up 73 percent in the last four years, can houses be worth so much more? Plus rent-buy ratios have reached apparently unsustainble levels, inconsistent with traditional assumptions about discount rates.

I’ll offer up a reason #5 for his list: You believe that the government grows at the drop of a hat, and shrinks only as a result of heroic effort. The ‘compassionate conservative movement’ is about using the government to achieve goals, not to create a level playing field. If these are true, we can expect government to grow for at least the next 3-4 years, creating increased demand, and driving prices upwards.

I hear people all over talking about houses as investments; believing that they can’t ‘really’ lose money, that the tax break for mortgages makes anything you can finance a good deal. Anecdotes are not evidence, but when I look for evidence against the idea that there’s a national housing bubble, it’s in short supply.

[Update: Forgot to link to the article. Sorry!]

Relentless Navel Gazing, in the blogger syle

I’ve made a couple of CSS changes. (CSS is the Content Style Sheet which controls how this page looks in your browser.) Mostly making the CSS fully valid, and adding some padding around list items so they don’t scrunch together quite as much. Aren’t you thrilled?

Do let me know if it looks messed up, I only checked the changes with Safari.


Speaker B: And the helmets are shaking their purple-dyed crests, and for the wearers of breast-plates the weavers are striking up the wise shuttle’s songs, that wakes up those who are asleep.

papyri2_small.jpgis a pretty unexceptional line of a play, unless you happen to be a classicist, familiar enough with the works of Sophocles to say “That’s not Sophecles! I’ve read all that we have of his work, and that not his!” In that case you might scoff at the idea that it’s from Epigonoi, which has been lost for, oh, a thousand years or more.

Now scientists are using multi-spectral imaging techniques developed from satellite technology to read the papyri at Oxford University’s Sackler Library. The fragments, preserved between sheets of glass, respond to the infra-red spectrum – ink invisible to the naked eye can be seen and photographed.

Read the stories in The Independant, “Decoded At Last” and “Eureka.”
The fellow leading the project, Dr. Dirk Obbink, is a MacArthur Fellow, and the project has its own web site.

(The copyfighter types will be either amused or outraged to know that the reconstructed papyrus pictured here is “P.Oxy 2075 © Imaging Papyri Project.“)

[Updated with new links, better image, and some text changes.]

Apple Security Update 10.3.9, Analyzed

I have a confession to make. I’ve spent way too much time thinking about patching, and secure programming technique. This week’s Apple security update is interesting to me for a few reasons. Two side comments before I delve into the nitty-gritty.

What’s with releasing this at 5.30PM on a Friday? If Microsoft had done that, they’d have been drawn and quartered. Secondly, what’s with making me agree to a new license for a security update? How about (at worst) “This code is licensed under the same terms as the code it updates. The license is included below, and you need to agree to it to continue.”

This post is more technical than most, but some readers may want to read what’s after the break.

Continue reading

Polo Ralph Lauren Breach: The Rules Have Changed.

The security failure at Polo Ralph Lauren is going to be a big story. Not Choicepoint big, but big. According to ComputerWorld, in “Scope of credit card security breach expands:

[An emailed] statement also noted that Polo Ralph Lauren has been working with law enforcement officials and credit card companies since fall 2004 to determine the origin and extent of the compromise. “The company is confident that its credit card system is secure, and that our customers’ credit card information is properly protected,” it added.

According to [HSBC spokesperson] Nicholson, the retailer’s POS systems retained and stored credit card information rather than purging the data immediately after processing each transaction. The problem affected all credit card transactions at the retailer between June 2002 and December 2004, not just those involving HSBC-issued credit cards, he said.

The article also quotes Discover as acknowledging the problem.

So, what’s going to make this a big story? First is the confused and defensive way information is trickling out. Second is that the problem has apparently gone on for two years, as Chris Walsh notes in “POS Security, indeed.” Third is the apparent violation of California’s disclosure & notification law.

But most importantly, while the banks weren’t looking, the American people, our media, and our elected representatives got together and decided that we get to hear about breaches that affect us. Sorry we forgot to invite you, American Bankers Association. Our bad. But we’ve taken a vote, and it was pretty overwhelming. We don’t like it when you treat us like mushrooms. All that dark and dank doesn’t agree with us. Statements like “our customers’ credit card information is properly protected” are clearly lies. If it were true, there’d be no story to report on.

Americans are mostly forgiving. If Ralph Lauren had come out and said “Sorry, we made a mistake, here are the facts,” they’d be forgiven. People chose to shop there. People chose to do business with HSBC for their GM Mastercard; with Discover; and with all the other credit card companies. They understand there’s a risk of a breach, and are willing to accept that. (Especially because it’s credit cards, which are mostly easily changed, rather than social security numbers.)

So this story is a story not because of the breach, but because these banks didn’t get the memo: the rules have changed.

Small Bits: Turing Test, Keynote HTML!, individual i, zipcar,

  • Students need volunteers:

    Back in the 1930s, Alan Turing proposed a “Gender Guessing Game” in which a judge, connected to two people in closed rooms with a teletype each, would attempt to guess which was a man and which was a woman. Turing then proposed extending the game into his infamous “Turing Test” where a judge tries to tell the difference between a human and a computer.

    On April 16th (Today) between 3pm and 6pm Eastern Time, a group of students at Simons Rock College of Bard will be implementing the first half of Turing’s test with AOL IM — they will try to see if judges can tell the difference between men and women over Instant Messaging.

    (Via Simson Garfinkel)

  • individual-i.gifThis logo is cool, a symbol for liberty. Maybe it’ll compete with the smiley face.
  • Simon Cozens has put a Javascript reader for Keynote on his blog. Cool! (Previously here: “Why I Want HTML Export (from Keynote)”. Thanks, Cat X!)
  • The Marriage of True Minds is pretty entertaining.
  • Blog*on*nymity notes a BBC article on Zipcar. It turns out they have extensive tracking technology attached to their cars. Not really surprising, but I hadn’t thought about it. Update: In a totally scientific survey (n=1), users report:

    I know that they track them pretty closely because I returned one six minutes
    late once. They figured it out, and automatically charged me for being late.

DNA Dragnets Not Needed

In January, I blogged about the city of Truro, Mass, trying to get DNA samples from all 790 residents. (“DNA Dragnets” and “DNA Dragnets and Criminal Signaling.”) The New York Times reports that they’ve arrested someone:

Mr. McCowen was first considered a possible suspect in April 2002, three months after the murder, Mr. O’Keefe said, and at that time he was asked if he would be willing to give a DNA sample. He said he would, Mr. O’Keefe said.

But for reasons that Mr. O’Keefe would not make clear at today’s news conference, it took authorities nearly two years to collect a DNA sample from Mr. McCowen even though they knew he had a lengthy criminal history in Florida involving, according to Florida records, burglary, trafficking in stolen property, grand theft and motor vehicle theft.

Then, from the time the DNA sample was taken in March 2004, it took more than a year for the state crime lab to analyze the DNA results.

Mr. O’Keefe said that was because of a lack of resources and a long backlog at the crime lab.

He said that it wasn’t until last week, on April 7, that the crime lab analysis was completed and it turned out that Mr. McCowen’s sample matched DNA found at the crime scene.

Its a good thing they thoroughly followed up on all the leads before pressuring everyone in town to submit to a DNA test.

[Update: Fixed NYT link so it won’t go bad, using the New York Times link generator.]

[Update2: The New York Times has another story, including Mr. O’Keefe taking the 5th over why it took so long: “I’m not going to go there,” Mr. O’Keefe said, declining to answer the question. “I’m just not going to go there.” Richard Smith points out a Boston Globe story, with finger-pointing over who sent the request when, and what the backlog might be at the state’s lab:

The two officials also said that, in some cases, DNA samples can be processed in as little as a week if a district attorney makes an emergency request. No such request was attached to McCowen’s sample, one of the officials said.

Regardless of the time it took to process McCowen’s DNA sample, however, O’Keefe acknowledged that the lengthier delay came between the time McCowen first agreed to give the sample and when police finally obtained it.

Choicepoint, April 15

My Choicepoint category archive includes extensive coverage of the most recent Choicepoint ID theft issue.

Congratulations, Choicepoint!

big-brother-award.jpgYou’ve won the Big Brother award for Lifetime achievement!

It was a tough battle for top place this year, and while Choicepoint was the people’s fave, we all know that those privacy elitists don’t really care about the little people.

Other winners included California’s Brittan Elementary. The Department of Education got worst government department, despite stiff competition from Homeland Security and the IRS.

So, Mr. Smith, now that you’re at the very top, where do you go? New levels of cringe-inducement with that DNA database? Something the rest of us haven’t even thought of? Or maybe it’s time for new directions?

We’re sure you’re thinking about these big questions in private, and rest assured: We’re not watching nearly as closely as you do.

Small Bits of Chaos: Video, Anonymous Blogs, Real ID Act dead

  • This New York Times article on Videos Challenge Accounts of Convention Unrest covers the fascinating conflict between the video and human memories of an event; the issues raised by transparent video editing, and other issues. Worth reading.

    During a recess, the defense had brought new information to the prosecutor. A videotape shot by a documentary filmmaker showed Mr. Kyne agitated but plainly walking under his own power down the library steps, contradicting the vivid account of Officer Wohl, who was nowhere to be seen in the pictures. Nor was the officer seen taking part in the arrests of four other people at the library against whom he signed complaints.

  • Ethan Zuckerman has a post on how to blog anonymously. Great stuff, but why no mention of tor? (Via the Committee to Protect Bloggers.)
  • The Counterterrorism blog reports that “‘Real ID Act’ Effectively Blocked in U.S. Senate

    Roll Call (sorry, paid subscription required) reports today that the Senate easily passed a nonbinding resolution to exclude all immigration issues from the bill. Roll Call also quotes the powerful chairman of the Senate Appropriations Committee as saying that the entire supplemental spending bill “would go down” if the “REAL ID Act” is included.

Choicepoint, April 14

  • Following yesterday’s Congressional testimony, there’s analysis by Thomas Greene in The Register, also in Internet News. The Atlanta Journal Constitution reports that Choicepoint VP Doug Curling, and LexisNexis President Kurt Stanford both seemed to come out as accepting of extending fair information practices to their businesses.

    The testimony prompted editorials in USA Today, and the Washington Post.
    Perhaps the best line, from Thomas Greene, is:

    FTC Chairwoman Deborah Platt Majoras advised the Committee to avoid over-notification. “Consumers will become numb to notices,” she said.

    That’s how bad it is, huh? We’ll become numb if we knew the truth?

  • Bruce Schneier has insightful analysis at cnet.
  • According to this press release:

    The Identity Theft Resource Center (ITRC) announced today that ChoicePoint is partnering with the ITRC to combat identity theft via a four-year funding commitment to expand ITRC’s current victim assistance and consumer education program.

    The ChoicePoint Foundation is paying $1 Million over 4 years. Congrats to the ITRC. I’ve mentioned a profile of the Foleys, who run the center.

    My Choicepoint category archive includes extensive coverage of the most recent Choicepoint ID theft issue.