Reading, Writing, and Arithmetic

I’ve been encountering some really silly software lately. I was trying to visit the homeland stupidity blog, with Safari and the most-excellent pithhelmet, and I got this message:

We’re sorry, but we could not fulfill your request for /2007/04/21/astroglide-data-breach-exposes-customer-information/ on this server.

An invalid request was received from your browser. This may be caused by a malfunctioning proxy server or browser privacy software.

Your technical support key is: 4051-a119-45b3-5e30

You can use this key to fix this problem yourself.

If you are unable to fix the problem yourself, please contact badbots at and be sure to provide the technical support key shown above.

This is broken. I’m trying to read. My request is well-formed HTTP. Bloggers like readers, right? If you’re an attacker trying to spam blogs in some way, this doesn’t stop you: you’ll simply add a referrer header. Blocking some URLs that come in without an HTTP referrer header might help a little, but all it really does is lose you readers.

I don’t know who’s to blame for this really ill-considered software, but it blocks me from visiting URLs I’ve bookmarked at a couple of blogs. Oh well. You’ve lost me as a reader. So, homeland stupidity, no link for you. Not knowing the difference between reading and writing means you don’t get me as a reader for your blog.

Shock Horror! Ashcroft Am Not Devil Incarnate!

Bizarro World

In 27 B Stroke 6 Threat Level, Kevin Poulsen writes, “News from Bizzaro World: Ashcroft Opposed Taps.”

Kevin, your reality tunnel is showing. There are many things that Ashcroft was (I apologize for using the past tense), starting with prig and prude. I’m not particularly a fan of his, but the Venn diagram of what he valued and what I value looks more like the Mastercard logo than the Hooters logo, and I don’t think that this is an ipso facto surrealism.

Back in 1998, as a Senator, Ashcroft was a supporter of Goodlatte’s SAFE (Security And Freedom through Encryption) Act, not to be confused with the 2003 “Security and Freedom Ensured” act, which was an attempted limitation of the PATRIOT Act. When that SAFE Act was destroyed in the House, he, with Patrick Leahy and Conrad Burns, introduced the E-PRIVACY (Encryption Promotes the Rights of Individuals in the Virtual Arena Using Computers) bill. Despite the fact that there was no “Y” in their acronym (perhaps it was a silent “Y’all”), it’s a pity it never was passed. The EFF gave a good news/bad news assessment, with the good news being:

EFF is pleased to say that the E-PRIVACY Act is the most thoughtful piece of encryption legislation to date. Introduced by Senators John Ashcroft (R-Mo.), Patrick J. Leahy (D-Vt.), and Conrad Burns (R-MT), the new bill sharply varies from proposals favored by the Clinton Administration and law enforcement/national security agencies by easing export controls on mass market encryption products, limiting government access to decryption keys, and prohibiting the government from requiring key recovery mechanisms.

The bad news was that it created a new crime of using encryption as part of a criminal act. I’m not in favor of that, but we got that part, and we never got the good news.

After E-PRIVACY never went anywhere, there was the 1999 PROTECT Act, and you can find Ashcroft saying it doesn’t go far enough fast enough.

Despite many quirks, such as being bothered by bare breasts, he favored bearing arms and clothing communications. His successor as AG, Alberto “Schultzie” Gonzales, often seems to be the incarnation of the cynical adage, “be careful what you ask for.” Take a look through the EFF archives from ’98, and feel a bit wistful. Read Dahlia Lithwick in Slate, and feel more so. Ashcroft was a complex person with whom many of us had disagreements, not an inhabitant of Bizarro World.

On Illegal Wiretaps

What, indeed, was the nature of the “program” before Goldsmith, Comey and Ashcroft — those notorious civil libertarian extremists — called a halt to it, and threatened to resign if the President continued to break the law? And what was the nature and breadth of its legal justification? I am hardly alone in realizing that these are the most important questions arising from the recent Comey testimony. It’s the question of the night, all over the Web. (When will the mainstream press catch on? And more importantly, as I asked in my last post — When will the Congress insist on comprehensive and public hearings, both on this and on the legal support for the Administration’s torture practices?)

Marty Lederman continues to have the best analysis of the NSA’s wiretap program. Go read “What Was ‘The Program’ Before Goldsmith and Comey?” In “Putting the Pieces Together” he also explains how the criminal wiretaps led to the appointment of Gonzales to clean the DOJ of libertarians like Ashcroft.

893 Million, and Whadda Ya Get?

♫Another DHS network, and we’re not sharing yet.♫

So reports Haft of the Spear, in “You’ll Share and You’ll Like It!”

The Homeland Security and Justice departments have spent $893 million on information-sharing networks in the last two years but still do not have effective networks in place, according to a report from the Government Accountability Office.

Admittedly, there are more problems in sharing intelligence data than there are in sharing breach data. The fear of change runs deep, as does our unwillingness to give up control of the little bits of data we can see. It would be funny, if it wasn’t so painful.

The War on Cash?

There’s a war on cash? Who knew? Dave Birch uses the phrase in “More from the war on cash” without a whole lot of surprise. Here he’s quoting a McKinsey study. (Unsurprisingly, you need to login to read it.)

I liked this gem:

Cash needs to be priced appropriately. The fact is that, today, the pricing of cash is not in line with its costs. Consumers and merchants in most countries do not pay the real cost of cash, and so merchants and consumers have no reason to reduce their use of cash. One problem is that there is no clear ownership of cash. Another is that governments often position cash as a public good — to be offered free by banks — thereby inhibiting an economic debate on cash versus other instruments.

That’s a problem now, is it? While I agree that cash having government backing creates a barrier to entry, cash is also a highly evolved product, and the risks are assigned reasonably efficiently. This is in stark contrast to some newer payment methods, like credit cards, which may be “efficient,” but carry surprising side effects, like “Buy Gas, Get Busted for Pedophilia.”

Having the government provide a means for a reasonably functioning economy, and removing the costs of worrying about the gold content of a coin, or the solvency of DavidBucks, adds huge efficiencies. There are quite a few things that I’d take the government out of before I took them out of coining currency. (Know thy customer regulations, for example.)

To put it another way:

…we believe that the right to coin money and issue money is a function of government. We believe it. We believe it is a part of sovereignty and can no more with safety be delegated to private individuals than can the power to make penal statutes or levy laws for taxation.

Photo: Cross of gold, courtesy of Ewtn Religious

[Updated: Clarified that the quote was McKinsey, not David Birch.]

A quick pointer

Adam has made several posts about it being ‘good for you’ to open up about data breaches. Unfortunately, keeping a lid on the info is a stable equilibrium.
This situation is what economists would call an Assurance Game. A quick pointer to a post I made reviewing a very good book on how to get out of this mess.

Is that an interesting question?

In a comment on “Why Customers Don’t Flee,” Chris adds “too much work.” I’ll add “too hard to evaluate alternatives.” But before we go much further, I’ll ask, is this the right question? Given that few customers leave after most breaches, is it useful to ask why they’re not leaving, or are there other questions which should occupy our attention?

Pro-interesting question: People are concerned. Measuring the cause of variation will help them get control of the situation, and thus their fears.

Anti-interesting question: there are only so many hours in the day.

Your thoughts?

Why Customers Don’t Flee

At Toorcon Seattle yesterday, I presented “Security Breaches are Good for You (like a root canal).” It’s similar to “Security Breaches Are Good for You” (my shmoocon talk), but added a number of points about people agreeing, but not wanting to change, drawn from “Psychology & Security & Breaches (Oh My!?)” and “When Do Customers Flee.” I also talked about TJX being well publicized as the largest breach out there, and their increased profits.

One of the questions that someone asked was “Why don’t customers flee?” I offered up several reasons for this:

  1. Customers view these things as mistakes, and are willing to accept a single mistake. (I covered this in “When do customers flee?”)
  2. People don’t have the opportunity to leave because they no longer have a relationship with the entity who made a mistake. For example, the USC admissions breach covered eight years of applicants.
  3. My final reason was that many breaches are by government agencies, and even regime change is unlikely to curb the state’s enthusiasm for identifiers. For example, Massachusetts’ mandatory health care apparently requires a company that prints the SSN on your health card.

Frank Heidt of Leviathan offered up a fourth reason, which is the “Jack in the Box” effect. After an E. coli incident killed four customers, sales apparently went up, as people expected that they’d clean up their act.

Another questioner challenged the idea that people had heard about TJX, or associated it with TJ Maxx. I think the latter is more likely, since the incident got major play on TV and in newspapers.

Toorcon, incidentally, was loads of fun, and props for the best badge presentation I’ve seen. (Photo by Mattdork.) The badges were in the form of a Willy Wonka candy bar, and were wrapped in a golden ticket to get you into ToorCon.Seattle 09.

The Wrong Breach Law

Last week, the Senate Judiciary committee passed the “Personal Data Privacy and Security Act of 2007” (see more in Security Fix, “Federal Data Breach Bills Clear Senate Panel”):

Much of the debate over the relative strength of the various data-breach notification proposals currently circulating on Capitol Hill centers around the precise trigger for notification. In the Leahy-Specter bill, an organization would be required to disclose a data breach or loss if it posed a “significant” risk of harm to the affected consumers.

Meanwhile, the “Notification of Risk to Personal Data Act of 2007,” a bill introduced by Sen. Dianne Feinstein (D-Calif.), would require disclosure only in the event that the breach resulted in a “reasonable risk” of harm, a term of art that groups like Consumers Union say would leave companies more wiggle room in determining when to talk about a consumer data spill. The Identity Theft Prevention Act of 2007, a data breach bill approved by the Senate Commerce Committee last week, also takes this approach. Feinstein’s bill was also approved by the committee today.

Leave it to the lawyers to argue over ‘significant’ versus ‘reasonable,’ while missing the big picture. These folks are worse than the emacs/xemacs split. The liability of getting your significant/reasonable risk assessment wrong, after you’ve just made a mistake, seems quite high.

Worse, it will make the data that we can mine from Attrition/Privacy Rights Clearinghouse that much less valid, by adding sampling bias. I covered this in “Disclosure, Discretion and Statistics,” and feel it’s worth repeating as Congress debates these points.

Dissent points out that US PIRG is saying much the same thing in “Senate breach notification and data protection bills get mixed reactions.”

Disclosure in The UK

In the news: “Standard Life customers are hit by breach in security,” and “Laptop containing Southend children’s social services case notes bought on eBay.”

In the US, neither of these would even be news. They’re both small, first time mistakes. Both would probably require notice under state law.

However, it’s anarchy in the UK. There are no disclosure requirements. So why did Standard Life say this:

It said: “There has been an individual error in systems employed for the production of contract notes by Standard Life Investments.

“Less than 0.2 per cent of our valued investors have been impacted by this. We have acted swiftly to make investors aware of the error.”

I’ve said before that there’s a new standard out there, even ahead of the laws. It requires owning up to mistakes, and doing so promptly.

I wanna be clear on something: customers prefer it that way. Every customer impacted knew about it (they got someone else’s bank statement.) I bet fewer than 15 leave.

.BadIdea, Mikko

Mikko Hypponen suggests in an article that’s getting a lot of press (“Masters of Their Domain”) that banks get their own domain space, ‘.bank.’ He argues that this would make phishing harder, and suggests we could charge banks a lot of money for the domains.

I have three problems with this:

  1. Crooks are already investing in their attacks. If that money will have a high return, by convincing more people that the URL is safe, then crooks will invest it.
  2. Some banks, such as credit unions, can’t really afford $50,000 for a domain name, and so won’t have one. (Thanks to Alex, “.bank TLD, An Idea Whose Time Has Come?”)
  3. Finally, and most importantly, it won’t work. People don’t understand URLs, and banks create increasingly complex URLs. The phishers will make and people won’t understand that’s bad.

The easy solution to preserving the internet channel against phishers is to use bookmarks. But that’s too simple for anyone to make money at it. Certainly, no one’s gonna make $50,000 a bank. That money is better spent on other things. .Bank is a bad idea.
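As an added illustration of the bookmark argument above (example code written for this page, not from the post or from the .bank proposal): a browser that compares a link against a saved bookmark only needs the exact origin, so a new TLD adds nothing to the decision, while long legitimate URLs and lookalike hosts are handled the same way. All hostnames below are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed example: the bookmark a customer saved for their bank.
# examplebank.com is a placeholder, not a real institution.
BOOKMARK = "https://www.examplebank.com/login"

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin(url):
    """Return (scheme, host, port) for a URL, normalised so that
    https://Host/ and https://host:443/ compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".")
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def matches_bookmark(url, bookmark=BOOKMARK):
    """True only if url is served by exactly the origin the user bookmarked.
    Path, query string and a reassuring-looking TLD play no part in it."""
    scheme, host, port = origin(url)
    return scheme == "https" and (scheme, host, port) == origin(bookmark)


def triage(urls, bookmark=BOOKMARK):
    """Split candidate links into those that reach the bookmarked origin
    and those that merely resemble it."""
    ok = [u for u in urls if matches_bookmark(u, bookmark)]
    bad = [u for u in urls if not matches_bookmark(u, bookmark)]
    return ok, bad


# Constructed links of the kind the post describes: a long but legitimate
# bank URL, and lookalikes a reader would struggle to tell apart.
SAMPLE_LINKS = [
    "https://www.examplebank.com/olb/login?sid=7f3a&redirect=%2Faccounts",
    "https://WWW.EXAMPLEBANK.COM:443/login",
    "http://www.examplebank.com/login",                        # no TLS
    "https://www.examplebank.com.secure-login.example/login",  # lookalike
    "https://www.examplebank.bank/login",                      # .bank alone
]

if __name__ == "__main__":
    ok, bad = triage(SAMPLE_LINKS)
    for u in ok:
        print("bookmark match:     ", u)
    for u in bad:
        print("NOT the bookmarked bank:", u)
```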

[Updated: See also, “more .shenanigans” at Matasano, and “New .TLDs: Panacea for Security?” at SecureWorks.]