January 31, 2007

Department of Pre-blogging

(Posted by cwalsh)

Make sure to check out the blog posts Bruce Schneier and a host of others will soon make regarding the paralyzing effect that silly Blinkenlights ads for Aqua Teen Hunger Force had in Boston.

The coordinated response by all departments proves the system we have in place works.
Boston Mayor Thomas Menino

Behold the power of throwies.

Posted by cwalsh on January 31, 2007 at 7:45 PM in Current Events.

Security Cameras and the Obedience Imperative

(Posted by adam)
"People are shocked when they hear the cameras talk, but when they see everyone else looking at them, they feel a twinge of conscience and comply," said Mike Clark, a spokesman for Middlesbrough Council who recounted the incident. The city has placed speakers in its cameras, allowing operators to chastise miscreants who drop coffee cups, ride bicycles too fast or question the President. [Quote slightly edited for clarity.]
The quote is from Bloomberg, "George Orwell Was Right: Spy Cameras See Britons' Every Move."

I'm reminded of Milgram's obedience experiment, where an experimenter in a lab coat told people that they needed to deliver electrical shocks.

(Via Slashdot, a ways back. Photo of Roxanne by L.N.L.)

Posted by adam on January 31, 2007 at 11:52 AM in Liberty.

January 29, 2007

Non-Tangible Security

(Posted by mordaxus)
eBay is stopping all sales of "virtual artifacts." Maybe.

This story comes from a Slashdot article in which Zonk talks to Hani Durzy of eBay about it. They are handling this by merely enforcing an existing policy, which says:

"The seller must be the owner of the underlying intellectual property, or authorized to distribute it by the intellectual property owner."

This leaves open the question of virtual artifacts where the seller does own the intellectual property but the item is still clearly a virtual artifact. Expect debate.

I can't say I blame them. It's disappointing, but there are headaches that I wouldn't want either. Some virtual artifacts, like things in Second Life, arguably fall outside that rule. Nonetheless, what resembles an economy in Second Life is hard to understand. The media love affair with Second Life seems to be turning into a hangover. Valleywag is a great place to see some of the backlash. Subscription numbers may be overstated. What passes for an economy isn't as efficient as people might like. It isn't very fun. Maybe it's too much fun.

Some virtual artifacts fall under the eBay ban rule but might still be okay to sell. Some games permit the resale of objects, but one can claim the sellers aren't authorized to distribute, because there's no explicit authorization of them as a sales channel. It's definitely a gray area, especially if we consider the first-sale doctrine, but stores are not obligated to sell things they don't want, and if eBay wanted to stop the sale of used books and records, it would also be disappointing, but within their liberty.

Some other virtual artifacts are not supposed to be sold at all. World of Warcraft, for example, has it as part of its terms of service that you're not supposed to sell the game's virtual artifacts. I think such bans are ineffective; the best way to fight a black market is to set up your own that undercuts it. But it's their concern.

The real problem eBay has to deal with is that when you're selling stuff, as opposed to merchandise, the question is provenance. You have to know where those jewels came from. Did those artifacts leave the country legally?

There are a number of cases where bad people have hacked into VR accounts and sold the virtual goods. I can understand eBay's conundrum. If someone wants to sell five sheep, a gnome, and a staff of domination, how do you know they have the right to do that, whatever the heck that means? I don't blame eBay for deciding that it's just too hard and opting out. It's a pity that they aren't stepping up to figure it out, but I don't blame them. Pioneers are the ones with the arrows in their backs, and after being a pioneer for a while, farming looks good. Of course, the problem is that software is a virtual artifact, even when it comes on a CD. So this is far from settled.

Photo is Egyptian Temple, courtesy of iconolith.

Posted by mordaxus on January 29, 2007 at 11:55 PM in Current Events, Economics.

Mordaxus, redux

(Posted by adam)
We've enjoyed having Mordaxus with us for the last month or so, and are pleased that he'll be sticking around as a permanent member of the Combo. A few quick comments on my pseudonymous cohorts.

First, why do I have pseudonymous co-bloggers? There's a long history of artists appearing under names not their own, ranging from the obvious (Sting, Bono or The symbol usually pronounced as 'the artist formerly known as Prince') to the less obvious Joe Strummer or Bob Dylan. Less metaphorically, there's "Publius," who wasn't always exactly one person. We're proud to continue these traditions here at the Combo.

Second, I've had several people ask me if Mordaxus is a Microsoft employee. Neither Mordaxus nor Arthur is a Microsoft employee. If they were, you'd know it, to satisfy both my own and the corporate code of ethics.

Lastly, nyms are about privacy, and separation. They allow you to jazz things up, and not be always on message and in tune.

Photo "Jazz In Progress" is from Ivo Stad & Land.

Posted by adam on January 29, 2007 at 11:47 AM in blogging.

January 28, 2007

Is this idea feasible?

(Posted by cwalsh)

With all the reports of lost backup tapes, I wonder if it would be technically feasible to keep an eye on them using RFID tags. If a tape "tries to leave" a facility without having been pre-authorized, bells go off. If a tape can't be found, there's a record of where it was last detected by an RFID reader. Hey, it works for babies, right?

(I am awaiting the comment about how this naive notion is fundamentally flawed. I know EC has some readers who have expertise with RFID. I am somewhat heartened, now that I Googled this brainstorm, that others have thought of it)
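What the two rules in the post look like as detection logic, as an added example that is not part of the post. It runs over a constructed reader log (reader names, tag IDs, the authorization list and the inventory are all made up for illustration): an exit-reader read with no authorization on file raises the alarm, the last read per tag answers "where was it last detected?", and a third check covers the case the alarm cannot, a tag that was shielded, detached or dead and therefore never produced a read at all.

```python
"""RFID reads for backup tapes: alarm on an exit read with no authorization,
and answer "where was it last seen?" for a tape that cannot be found.
Added example; reader names, tag IDs, authorizations and log lines are constructed."""
from datetime import datetime
from typing import Dict, List, NamedTuple


class Read(NamedTuple):
    ts: datetime
    reader: str   # which antenna saw the tag, e.g. "vault-door"
    tag: str      # the tape's tag ID


class Authorization(NamedTuple):
    tag: str
    start: datetime   # tag may pass an exit reader within [start, end)
    end: datetime


# Readers whose field a tape should cross only with an authorization on file.
EXIT_READERS = {"loading-dock", "lobby-exit"}

# Constructed reader log: "<ISO timestamp> <reader> <tag>", one read per line.
LOG = """\
2007-01-28T09:00:00 vault-shelf  TAPE-0001
2007-01-28T09:00:00 vault-shelf  TAPE-0002
2007-01-28T09:00:01 vault-shelf  TAPE-0003
2007-01-28T11:30:00 vault-door   TAPE-0002
2007-01-28T11:31:00 loading-dock TAPE-0002
2007-01-28T14:05:00 vault-door   TAPE-0003
2007-01-28T14:09:00 lobby-exit   TAPE-0003
"""

# Tapes the vault is supposed to hold (TAPE-0004 never appears in the log).
INVENTORY = ["TAPE-0001", "TAPE-0002", "TAPE-0003", "TAPE-0004"]

# Only TAPE-0002 is booked for an offsite run this morning (constructed).
AUTHS = [Authorization("TAPE-0002",
                       datetime(2007, 1, 28, 11, 0), datetime(2007, 1, 28, 12, 0))]

SWEEP_START = datetime(2007, 1, 28, 9, 0)   # nightly shelf-read window
SWEEP_END = datetime(2007, 1, 28, 9, 5)


def parse_log(lines) -> List[Read]:
    reads = []
    for line in lines:
        if not line.strip():
            continue
        ts, reader, tag = line.split()
        reads.append(Read(datetime.fromisoformat(ts), reader, tag))
    return reads


def unauthorized_exits(reads: List[Read], auths: List[Authorization]) -> List[Read]:
    """The 'bells go off' rule: an exit-reader read with no matching authorization."""
    alerts = []
    for r in reads:
        if r.reader not in EXIT_READERS:
            continue
        if not any(a.tag == r.tag and a.start <= r.ts < a.end for a in auths):
            alerts.append(r)
    return alerts


def last_seen(reads: List[Read]) -> Dict[str, Read]:
    """Most recent read per tag, for the 'where was it last detected?' question."""
    seen: Dict[str, Read] = {}
    for r in sorted(reads, key=lambda r: r.ts):
        seen[r.tag] = r
    return seen


def missing_from_sweep(inventory, reads, sweep_reader, start, end) -> List[str]:
    """Tapes in inventory that the shelf reader did not see during the sweep.
    A shielded, detached or dead tag produces no read at all, so it never trips
    the exit rule; absence from the periodic sweep is the only signal for it."""
    present = {r.tag for r in reads
               if r.reader == sweep_reader and start <= r.ts < end}
    return sorted(set(inventory) - present)


def report() -> dict:
    reads = parse_log(LOG.splitlines())
    return {
        "alerts": [(r.tag, r.reader, r.ts.isoformat())
                   for r in unauthorized_exits(reads, AUTHS)],
        "last_seen": {tag: r.reader for tag, r in last_seen(reads).items()},
        "missing": missing_from_sweep(INVENTORY, reads, "vault-shelf",
                                      SWEEP_START, SWEEP_END),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

On the constructed log, TAPE-0002 leaves through the loading dock inside its authorization window and raises nothing, TAPE-0003 is read at the lobby exit with no authorization and is flagged, and TAPE-0004 is in the inventory but absent from the shelf sweep, which is the case a read-triggered alarm can never catch.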

Posted by cwalsh on January 28, 2007 at 12:35 PM in Security, information security.

January 27, 2007

Speaking of Secret Events You're Not Invited To

(Posted by adam)
There's a blogger get-together at the Foreign Cinema on the Wednesday night of RSA, 5PM - 8PM. We've been trying to coordinate via email, but I figured we should publicize our secret conference now.

Remember, this will be the most blogged event of RSA.

If you want in, blog about the event and trackback Martin McKeay.

Also covered in "Information Security Sell Out," who comments:

Wow, the bloggers are almost outnumbering the vendors. Perhaps next year RSA will have a separate conference for Bloggers and another for those that actually matter to security.
Navel, for gazing, courtesy of mezone, and unlikely to appear at the party.

Posted by adam on January 27, 2007 at 3:48 PM in blogging, conferences.

Secrecy is not Privacy

(Posted by adam)
So, I'm really irked by headlines like "Microsoft's 'Secret' Security Summit."
  • First, it wasn't Microsoft's summit. It was an ISOTF meeting that had public web pages. Microsoft provided conference facilities and lunch. I don't think we even bought the beer.
  • Second, it wasn't a secret. It has web pages: "Internet Security Operations and Intelligence II - a DA Workshop." Things with web pages are rarely secret.
  • Finally, it was a security summit, but hell, 50% is a rotten ratio for a headline.
So let me delve into the words "secrecy" and "privacy" just a little. The meeting was private: you had to know the secret handshake to get in. You had to agree not to talk about what was said. That's about privacy. It also includes some secrecy about what, precisely, was said. As I've said before, privacy is a good way to build trust. It allows people to speak openly, because they can rely on anyone who blogs about it not being invited back.

I'm speaking for myself here.

Posted by adam on January 27, 2007 at 1:39 PM in Privacy, conferences.

January 26, 2007

From the "A Child Shall Lead Them" Desk

(Posted by mordaxus)
Response #24 in a discussion on FlyerTalk:

My 10-y.o. son, like many kids, believes that backpacks have to be overloaded to work.

Recently, at LAX T-6 (shoe carnival central), the TSA removed 2 partially full water bottles from his backpack after x-ray screening.

On the return flight, at JFK T-9, they found 2 more, both of which had been in there all along and been missed at LAX. As we rode the escalator down in T9, I told him that if this happened again, he would never get upgraded until he was 21 (it's a harsh threat...) -- and he reached in to his backpack and took out another partially empty water bottle.

Posted by mordaxus on January 26, 2007 at 5:44 PM in Air Travel, Terrorism.

It's a Flawless Plan for Making Money

(Posted by adam)
First, you take a business away from legitimate enterprises, claiming only the state can run it without it sinking into a wretched hive of scum and villainy. Then, you ban competition. Then, you decide that you're better off selling the monopoly rights to the highest bidder.

It's what Illinois is doing with their state lottery.

I was going to talk about the history of corporations as monopolies, and the issues with government run business, but Larry Ribstein said almost everything I wanted to say in "Selling State Lotteries."

Maybe the state could do the same with health care?

Image credit: Emergent Chaos.

Posted by adam on January 26, 2007 at 11:22 AM in Economics, Liberty.

January 25, 2007

There are three types of authentication

(Posted by mordaxus)
They are:
  1. Something you've lost,
  2. Something you've forgotten, and
  3. Something you used to be.

Here is a sad tale of a man who has a failure on (3), realizes he's done (2), and of his solution to the problem. It's a classic tale of how more is often less when it comes to security. Lest you think it, I am not making fun of his solution to the problem.

The sad part is that he thinks the problem is dependence on technology, when in fact it is the inappropriate use of technology, and the "ooo, shiny" technolust making you think that something is a good idea when it isn't. Other cases include electronic voting machines, RFID passports, airport fast-track systems, and so on.

photo courtesy of split-ends.

Posted by mordaxus on January 25, 2007 at 8:36 PM in Usability, personal security.

I'm Glad I'm a Beta!

(Posted by mordaxus)
27B Stroke 6 tells us of a story. The domain SecLists.org was removed from the net by GoDaddy, its registrar.

Why? Because MySpace complained. Its owner runs a mailing list archive, and it has some stuff in it that pissed MySpace off -- security information about phishing attacks. That's well and good, but GoDaddy yanked the whole domain!

Now we find out that GoDaddy gave its owner an hour to respond, when the data had been there for nine days. Well, that makes everything much better. Their rationale? We have to ProTeCT tHe chILdrEN!!! And on top of it all, it turns out that it was actually about one minute, showing that GoDaddy went to the same math school that Verizon did.

I actually don't care much about the details, which you can read here.

I'm willing to agree on the very little I know that the offending posts oughta go, but I think they massively over-reacted, and are compounding the over-reaction with more over-reaction.

I can tell you that never have I ever been so happy to be a lazy slug who has never gotten my domains off of Network Solutions! Many people have hectored me to change for years, but it's a pain and I never really liked the GoDaddy Super Bowl ads, either. I always defended myself by saying that having your domains with NetSol is like having your long distance with AT&T. They're the devil you know.

I'm so happy to find out I made the right decision. Thanks, GoDaddy! And to all you who have made fun of me for years -- Hah! You alphas work so hard, I'll bet it will be easy to switch.

Posted by mordaxus on January 25, 2007 at 7:06 PM in Current Events, ID Theft, Legal, Liberty.

Rely only on the secrecy of that which can be easily changed

(Posted by adam)
The title is a statement of Kerckhoffs' principle: a cryptographic system should remain secure even when everything about it except the key is public. And there's an interesting lesson there for Diebold. You see, Diebold sells ATMs and voting machines. And they posted pictures of the key that allegedly opens every voting machine they sell.

Ross Kinard looked at the key (they're for sale on Diebold's web site) and, using some blank keys from Ace Hardware, made some keys and sent them to J. Alex Halderman, who blogs about it in "Diebold Shows How to Make Your Own Voting Machine Key." Alex also reports that Diebold has removed the picture, now all over the internet, of their key.

I hope it can be easily changed, and I wonder if there's a single key for ATMs?

Also, thanks to the several friends who sent this to me!
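The principle in code, as an added example that is not from the post: the only secret is a key, the key carries a version ID, and so it can be rotated in stages while the algorithm stays public, which is exactly what a physical lock keyed alike across every machine cannot do. The KeyRing class, its key IDs and the demo key are illustrative.

```python
"""A keyed MAC with rotatable, versioned keys: the only secret is the key,
and the key is the thing that is easy to change.
Added example, not from the post; names and the demo key are illustrative."""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional


class KeyRing:
    """Versioned HMAC keys. Tags are issued under the current key; verification
    accepts any key still in the ring, so rotation can be done in stages:
    add a new key, reissue what matters, then retire the old one."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._current: Optional[str] = None
        self._next_id = 1

    def add_key(self, key: bytes, kid: Optional[str] = None) -> str:
        if len(key) < 32:
            raise ValueError("use at least a 256-bit key")
        kid = kid or f"k{self._next_id}"
        self._next_id += 1
        self._keys[kid] = key
        self._current = kid
        return kid

    def rotate(self) -> str:
        """Mint a fresh random key and make it current; old keys stay valid."""
        return self.add_key(secrets.token_bytes(32))

    def retire(self, kid: str) -> None:
        """Drop an old key. Everything tagged under it stops verifying."""
        if kid == self._current:
            raise ValueError("rotate before retiring the current key")
        self._keys.pop(kid, None)

    def active_key_ids(self) -> List[str]:
        return sorted(self._keys)

    @staticmethod
    def _mac(key: bytes, kid: str, message: bytes) -> bytes:
        # The key ID is bound into the MAC input, so a tag is tied to one
        # key version rather than to whatever key the header names.
        return hmac.new(key, kid.encode() + b"\x00" + message, hashlib.sha256).digest()

    def sign(self, message: bytes) -> str:
        kid = self._current
        if kid is None:
            raise RuntimeError("no key loaded")
        raw = self._mac(self._keys[kid], kid, message)
        return f"{kid}.{base64.urlsafe_b64encode(raw).decode().rstrip('=')}"

    def verify(self, message: bytes, token: str) -> bool:
        kid, _, tag_b64 = token.partition(".")
        key = self._keys.get(kid)
        if key is None:            # unknown or retired key version
            return False
        try:
            tag = base64.urlsafe_b64decode(tag_b64 + "=" * (-len(tag_b64) % 4))
        except (ValueError, TypeError):
            return False
        return hmac.compare_digest(self._mac(key, kid, message), tag)


def rotation_walkthrough() -> dict:
    """Issue a tag, rotate, confirm the old tag still verifies, retire the old
    key, confirm it no longer does. Returns each check's outcome by name."""
    ring = KeyRing()
    ring.add_key(b"\x11" * 32, kid="k1")   # demo key, not a real secret
    record = b"audit-log-2007-01-25"
    old_tag = ring.sign(record)
    out = {"before_rotation": ring.verify(record, old_tag)}
    out["new_kid"] = ring.rotate()
    out["after_rotation_old_tag"] = ring.verify(record, old_tag)
    new_tag = ring.sign(record)
    ring.retire("k1")
    out["after_retire_old_tag"] = ring.verify(record, old_tag)
    out["after_retire_new_tag"] = ring.verify(record, new_tag)
    out["tampered_record"] = ring.verify(record + b"!", new_tag)
    out["keys_left"] = ring.active_key_ids()
    return out


if __name__ == "__main__":
    print(rotation_walkthrough())
```

The contrast with the voting machine lock is the retire step: once k1 is gone, everything tagged under it is rejected, and nothing about the algorithm had to change to get there.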

Posted by adam on January 25, 2007 at 12:44 PM in Amusements, Security.

January 24, 2007

When a 0% Success Rate is Worthwhile

(Posted by adam)
There's an article in Zaman.com, "Turkish Hacker Depletes 10,000 Bank Accounts":
A criminal enterprise comprised of 10 individuals who drained the accounts of 10,580 customers by sending virus-infected e-mails was busted in Istanbul.

...

The suspects reportedly sent virus-infected emails to 3,450,000 addresses, and subsequently drained 10,850 bank accounts.

That's a hit rate of 0.314%, which I'm not going to analyze today.

Additional resources, all in Turkish: "İnternet dolandırıcıları yakalandı," "İnteraktif banka dolandırıcılığı" both seem to be "TSI" agency stories, and "10 bin müşteri hesabını boşalttılar" seems to be a gov.tr site with additional details. Do any readers speak Turkish?

Posted by adam on January 24, 2007 at 11:08 AM in Economics, Security, game theory.

January 23, 2007

Old-Fashioned Values

(Posted by mordaxus)
This is probably the most important minute of video you'll see this week, but on a better week, it won't be.

Thanks to manfromlaramie for finding this.

Posted by mordaxus on January 23, 2007 at 11:07 PM in Liberty, Terrorism, national security.

January 22, 2007

Funniest Spam of the Week

(Posted by mordaxus)
Hmmm, what to do, what to do? This is so funny on so many levels. How can you not like a phishing attack where the hook is a poll based on eBay being closed because of so many phishing attacks?

January 19, 2007

Dear eBay Community:

We have decided to close eBay on 27 February 2007 due to the repeatedly abuses on our company. We ask your opinion on this matter and we want to know if you agree with us or disagree .Below you can make your choice.

If you want eBay to stay open click YES otherwise click NO .Your opinion is very important to us. If 50% of the eBay members vote positive eBay stays open otherwise it will be closed.

Regards,
eBay Team

Posted by mordaxus on January 22, 2007 at 3:19 PM in Amusements, ID Theft.

Two Quickies on Credit

(Posted by adam)
"The spread of the credit check as civil rights issue," in the Christian Science Monitor:
Bailey, with her lawyer, has lodged a complaint against Harvard charging racial discrimination. The reason: Studies show that minorities are more likely to have bad credit, but credit problems have not been shown to negatively affect job performance.
and "Insurers Don't Always Tell you of bad Credit," in the Seattle Post-Intelligencer:
During an hour of argument, several justices seemed taken aback at the magnitude of a federal appeals court ruling. Under that ruling, Geico Corp. and Safeco Insurance Co. would have to notify nearly all their customers that they aren't getting the best rates because their credit scores aren't the highest.
"Oh, sorry, we can't obey the law...it would be expensive!"

CSM story via Pogo Was Right.

Posted by adam on January 22, 2007 at 12:12 PM in Privacy.

January 21, 2007

Information Security Needs

(Posted by mordaxus)

The NYT reports, "Rough Treatment for 2 Journalists in Pakistan" and indeed reporting is dangerous in countries where they do not respect the sort of basic rights we in the civilized world have championed for nigh 800 years.

But the part that matters here: a computer was seized, and sources were roughed up and possibly jailed or killed:

Since then it has become clear that intelligence agents copied data from our computers, notebooks and cellphones and have tracked down contacts and acquaintances in Quetta.

All the people I interviewed were subsequently visited by intelligence agents, and local journalists who helped me were later questioned by Pakistan’s intelligence service, the Inter-Services Intelligence.

Come on. You don't have crypto? You've never heard of PGP (to name the obvious famous one)? That's so easy to find I won't even paste in the link. I hope when you get a new laptop you'll consider protecting your sources.
Posted by mordaxus on January 21, 2007 at 7:47 PM in Liberty, Privacy, information security, national security, personal security.

Everything Old is New Again

(Posted by adam)
"They are a handful of miserable resuscitators of a degenerate dead religion who wish to return to the monstrous dark delusions of the past," said Father Efstathios Kollas, the President of Greek Clergymen.

Hundreds of followers of Zeus, Hera, Poseidon, Artemis, Aphrodite and Hermes stood in a circle, a mile from the Acropolis, in what was the first official religious service allowed in the grounds of an Ancient Greek temple.

See "Ancient Greek gods' new believers" at the BBC, who, for once, don't 'misuse' quotes.

Posted by adam on January 21, 2007 at 7:12 PM in Liberty.

Habeas Corpus? What Habeas Corpus?

(Posted by arthur)

On January 18th, Attorney General Alberto Gonzales testified in front of the Senate Judiciary Committee. As part of the hearings, there was a discussion of habeas corpus. As part of that discussion, Gonzales said:

There is no express grant of habeas in the Constitution.

Yes that's right, our own Attorney General thinks that there is no guaranteed right in the U.S. to habeas corpus. He even got more explicit when he said:

the Constitution doesn't say, 'Every individual in the United States or every citizen is hereby granted or assured the right to habeas.' It doesn't say that. It simply says the right of habeas corpus shall not be suspended . . .

Think Progress has the full transcript and video from C-SPAN2, including where Senator Specter appropriately takes Gonzales to task. The video in particular is a must-see, if only for the goofy expressions on Gonzales's face.

Via Balkinization, who as usual has an excellent analysis.

Posted by arthur on January 21, 2007 at 2:38 PM in Legal, Liberty.

January 20, 2007

A compromising position

(Posted by cwalsh)

Does Pete Lindstrom need to buy a dictionary? You make the call.

In a recent post at Spire Security Viewpoint, he suggests that the folks at Privacyrights.org might be liars:

I am starting to see (and hear) this "100 million records lost since February, 2005" figure referenced in a number of places such that it has somehow gained credibility. What I wonder is if the Privacy Rights Clearinghouse is blatantly lying by listing the CardSystems' 40 million records (I am not statistician, but I think that is a full 40% of the total ;-)), or is just shoddy in its tracking (wink, wink, nudge, nudge).

I may have missed it, but I don't see Privacyrights.org claiming that any records were lost, by Cardsystems or anyone else.

What they do say on the widely-cited breach chronology page is:

The running total we maintain at the end of the Chronology represents the approximate number of *records* that have been compromised due to security breaches....
(my emphasis)

"Lose" and "compromise" have different meanings. Sure, there may only have been a confirmed loss of 260K records. However, "compromise" (according to the good folks at www.dictionary.com) means:

[T]o expose or make vulnerable to danger, suspicion, scandal, etc.; jeopardize

Is this not precisely what is said to have happened in the CardSystems instance?

Consider for example these words from the FTC complaint against CardSystems:


Since 1998, respondent has stored authorization responses for up to thirty (30) days in one or more databases on its computer network. Each day, these databases contain as many as several million authorization responses.

[...]

In September 2004, a hacker exploited the failures set forth in Paragraph 6 by using an SQL injection attack on respondent’s web application and website to install common hacking programs on computers on respondent’s computer network. The programs were set up to collect and transmit magnetic stripe data stored on the network to computers located outside the network every four days, beginning in November 2004. As a result, the hacker obtained unauthorized access to magnetic stripe data for tens of millions of credit and debit cards.
(My emphasis)

Now, CardSystems never admitted any wrongdoing, and its successor company entered into a consent agreement with the FTC, but if you are a person of ill intent (as I think we can say the hacker was), and you have unauthorized access to tens of millions of credit and debit cards' mag stripes, have you not "jeopardized" those records, exposed them, or made them vulnerable to danger? If not, what the heck does it take?

As an aside, I think "compromise" is an excellent word choice. Tying back to the notification-trigger discussion in the CIPPIC report, I may prefer it to both "access" and "acquire". I will probably address this question in an extremely tedious and narrowly-focused post in a few days.
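The first step the complaint describes, the SQL injection against the web application, as an added example that is not from the complaint or the post. The table, merchant IDs and rows (standard test card numbers) are constructed; the point is the contrast between a lookup that builds its query from input and the same lookup with a bound parameter, and then what a later compromise of the table can expose when full track data was never stored in the first place.

```python
"""SQL injection against a store of authorization responses: the query built
from input beside its parameterized form, plus a minimal-retention writer.
Added example; the schema, merchant IDs and rows (test card numbers) are constructed."""
import sqlite3
from typing import List, Tuple


def build_db() -> sqlite3.Connection:
    """Stand-in for a table of stored authorization responses, track 2 included."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE auth_responses ("
        "id INTEGER PRIMARY KEY, merchant_id TEXT, track2 TEXT, stored_at TEXT)"
    )
    rows = [  # constructed; PANs are the usual test numbers, not real cards
        ("M100", "4111111111111111=2712101", "2004-11-01"),
        ("M100", "4012888888881881=2608101", "2004-11-02"),
        ("M200", "5555555555554444=2503101", "2004-11-02"),
        ("M300", "378282246310005=2412101", "2004-11-03"),
    ]
    con.executemany(
        "INSERT INTO auth_responses (merchant_id, track2, stored_at) VALUES (?, ?, ?)",
        rows)
    con.commit()
    return con


def lookup_vulnerable(con: sqlite3.Connection, merchant_id: str) -> List[Tuple[str, str]]:
    """Builds the WHERE clause by string formatting: whatever arrives in
    merchant_id is parsed as SQL, so a tautology returns every row."""
    sql = ("SELECT merchant_id, track2 FROM auth_responses "
           f"WHERE merchant_id = '{merchant_id}'")
    return con.execute(sql).fetchall()


def lookup_hardened(con: sqlite3.Connection, merchant_id: str) -> List[Tuple[str, str]]:
    """Same query with a bound parameter: the driver passes merchant_id as a
    value, so the quote and OR in a payload are just characters to match."""
    return con.execute(
        "SELECT merchant_id, track2 FROM auth_responses WHERE merchant_id = ?",
        (merchant_id,)).fetchall()


def store_minimal(con: sqlite3.Connection, merchant_id: str,
                  track2: str, auth_code: str) -> None:
    """Keep only what a later dispute needs: last four digits and the
    authorization code. A table without track data cannot leak track data."""
    pan = track2.split("=", 1)[0]
    con.execute("CREATE TABLE IF NOT EXISTS auth_log "
                "(merchant_id TEXT, pan_last4 TEXT, auth_code TEXT)")
    con.execute("INSERT INTO auth_log VALUES (?, ?, ?)",
                (merchant_id, pan[-4:], auth_code))
    con.commit()


def stored_auth_log(con: sqlite3.Connection) -> List[Tuple[str, str, str]]:
    return con.execute("SELECT merchant_id, pan_last4, auth_code FROM auth_log").fetchall()


# The classic tautology payload, illustrative only.
PAYLOAD = "x' OR '1'='1"


def demo() -> dict:
    """Row counts returned to an honest merchant ID and to the payload,
    through each version of the lookup."""
    con = build_db()
    return {
        "honest_vulnerable": len(lookup_vulnerable(con, "M100")),
        "injected_vulnerable": len(lookup_vulnerable(con, PAYLOAD)),
        "honest_hardened": len(lookup_hardened(con, "M100")),
        "injected_hardened": len(lookup_hardened(con, PAYLOAD)),
    }


if __name__ == "__main__":
    print(demo())
```

With the constructed rows, the string-built lookup hands the payload all four stored responses, track data included, which is the sense of "compromised" the post is arguing for; the parameterized lookup returns nothing for the same input, and the minimal-retention table has no track data to hand over at all.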

Posted by cwalsh on January 20, 2007 at 11:53 PM in breach analysis.