February 28, 2007

Jennifer Granick's awesome explanation

(Posted by adam)
Imagine if, in the 1970s, the tobacco companies had patented devices to measure the health effects of smoking, then threatened lawsuits against anyone who researched their products.
I've never heard such a clear explanation of why threats to security research are bad. From "Patently Bad Move Gags Critics," in Wired.

The same can be said of sweeping breach information under the rug. We're better off if we talk about it.

Posted by adam on February 28, 2007 at 2:58 PM in Security, breach analysis.

HIDing At Blackhat

(Posted by arthur)

Now HID is claiming that they did not demand that Chris or IOActive cancel their talk. As a result the talk is now back on, but with the details about the device and the demo expurgated. As Chris has repeatedly said, this attack is completely generic and works against any passive RFID tag.

Additionally, Nicole Ozer, Technology & Civil Liberties Policy Director for the ACLU, is scheduled to speak after Chris to cover the privacy issues around RFID.

[Update 1: Chris: "If you even think about doing this sort of thing, have a patent lawyer"]

[Update 2: HID seems confused about what constitutes a demand. From Chris's presentation and the original letter from HID:

We understand … that you intend to publicly present and publish additional information about your spoofer at the Black Hat convention … We believe such presentation will subject you to further liability …

and

…hereby demand that you refrain from publishing any information at any public forum including the upcoming Black Hat convention…

Furthermore, HID hints heavily at burying IOActive in lawsuits by saying:

…we will have no recourse but to pursue all available remedies against you and IOActive

and

impossible for HID to provide a covenant not to sue

As a result of this letter, Chris stated that he and IOActive felt that they could not risk being put out of business by the costs of a lawsuit brought on by covering the HID-specific portions of the talk.

[Update 3: Quotes above are from Chris's slides.]

[Update 4: Full text of the letter from HID has been posted by the ACLU. Also Nicole Ozer has posted her own take on the issues discussed today at Blackhat.]

[Update 5: Jennifer Granick weighs in with some scary thoughts:

HID Global reportedly pointed to two of its patents for card readers -- No. 5,041,826 and No. 5,166,676. The important parts of a patent are the claims. To infringe a patent, one must make, use, sell or offer for sale an invention described by the patent's claims without the patent owner's authorization.

Paget doesn't sell his reader, which you can see him demonstrate here. But he did make it. So if it operates identically to the card readers described in HID's patents, then the company's legal threat actually makes some theoretical sense. That should scare everyone reading this.

]

[Update 6: Clone your verichip. This technique should work on similar RFID chips....]

Posted by arthur on February 28, 2007 at 2:00 PM in Current Events, information security.

Medical Privacy News

(Posted by adam)
There's a great editorial about how your prescriptions are bought and sold all over the place, "Electronic prescribing is no panacea" by Dr. Deborah Peel, in Government Health IT. Also, Health Care IT news reports that "Federal privacy panel leader resigns, raps standards:"
The leader of a federal panel charged with providing privacy recommendations for the national health information network resigned Wednesday, thwarted, he said, in efforts to develop adequate standards.
Posted by adam on February 28, 2007 at 12:48 PM in Privacy.

February 27, 2007

No, seriously

(Posted by cwalsh)
Somebody -- I want to say Rich Mogull, but I cannot find the reference -- wrote sarcastically about breach notices almost always saying "At $COMPANY we take security seriously...." as they report how, well...you know. I just finished scanning 183 notice letters I got from New York, covering the last half of 2006. Using an extremely inelegant hack involving pdftotext and grep, I can report that a mere 35 of the 183 contain the word "seriously". Update: In the comments, Rich says it wasn't him. Dan Gillmor is the leading candidate.
Posted by cwalsh on February 27, 2007 at 10:06 PM in Amusements.

Rootkit on a Stick

(Posted by mordaxus)
The SnoopStick offers full realtime monitoring of another computer. It's Vista-ready, too, which perhaps says something about Vista security, or perhaps about people who have had trouble working with Vista, or both.

Any time you want to see what web sites your kids or employees are visiting, who they are chatting with, and what they are chatting about, simply plug in your SnoopStick to any Windows based computer with an Internet connection and a USB port. SnoopStick will automatically connect to the target computer.

There is other amusing information on the web site, such as:

All SnoopStick monitoring messages are sent through our data centers, and none of the information is stored here locally at any time. Additionally, all SnoopStick messages passing through our systems are encrypted with an industry standard encryption algorithm.

Solid Oak and its employees are not able to view any SnoopStick activity sent through our networks because of the encryption used by all components of the system. You can rest assured that the information gathered by SnoopStick is only accessible by the owner of that particular SnoopStick.

What a relief! An industry-standard encryption algorithm. Wanna bet it's in ECB mode, with known headers? And what about the IP addresses the messages are coming from, and so on? I'd love to see a security analysis of this thing. Even better would be to see which AV and anti-spyware systems catch it, and if they don't, why not.

Picture of the SnoopStick shamelessly appropriated from their web site, because I didn't want their weblogs to get the information. It's bad enough to write about them at all.

Posted by mordaxus on February 27, 2007 at 7:37 PM in Jobs, Privacy, Security, information security, personal security.

Vote Positively With Your Pocketbook

(Posted by mordaxus)

Adam Frucci at Gizmodo is calling for action, "Putting Our Money Where Our Mouths Are: Boycott the RIAA in March."

I don't disagree with him on the basics. I believe that consumer revolt is a misunderstood power. If you don't believe me, I can prove it with one TLA: DAT. If your response to that is, "Huh?" then you've proved me right. The details of that are another essay, however.

However, there's more to it than that. Boycotts are not as effective as purchase-shifting. If you just don't buy any CDs, then one line in an accountant's ledger will go down. The conclusion they're going to draw is that this means they have to hold tighter to what they have. There are no atheists in foxholes, but there are clinchpoops, and they clinch their poop tighter.

Subscribing to eMusic is a good idea. If you haven't, do so. If you regularly buy music, you will find enough things on eMusic that the monthly fee will save you a penny.

Better, go to CDBaby, Yep Roc, Compadre, and others. Even better, many, many small artists sell their music from their own web sites, often through a small label. As nice as eMusic is, relatively little of the money you give them will get into the hands of the musicians, and buying CDs as close as possible to the musicians themselves is the best way to get them what they deserve. Don't wait for Friday, do it now.

Posted by mordaxus on February 27, 2007 at 6:50 PM in Voting.

Blackhat Do It Again

(Posted by arthur)

Looks like HID hasn't learned anything from Cisco's experience two years ago. One of these years more vendors will learn how to manage vulnerability disclosure and follow the lead of companies like Microsoft and Cisco rather than sticking their foot in it.

Chris Paget, a well-respected researcher, is going to present at Blackhat Federal tomorrow on how to build your own proximity card cloner. Infoworld broke the story yesterday. Some choice bits:

Asked why HID hasn't addressed the issue in more recent proximity card systems, after knowledge of RFID threats became common, Carroll said that doing so would cause "major upheaval" among customers.

Inertia is a more likely cause, said Dan Kaminsky, director of penetration testing at IOActive.

"They didn't want to change to a more secure implementation because of backwards compatibility issues, and they had a lot of sites that use these cards, and HID has stuff to sell them," Kaminsky said.

Dan, as always, can be counted on to say something both interesting and provocative:

"The technology is very convenient, but don't interpret the convenience as security," Kaminsky said. "At the end of the day, many companies are essentially using barcode technology to control access to their facilities. I'd posit that perhaps there are more secure technologies out there."

Jeff Moss, however, nails the real issue.

It's just so frustrating from a security standpoint. Now anytime someone wants to talk about anything, they need a team of lawyers. Even when it's about commonly understood problems.

[Update: HID is claiming that the talk infringes on their patents. As a result of the litigation threat, Chris Paget/IOActive are pulling the talk and it will be replaced by a presentation from the ACLU about privacy risks of RFID. Hopefully they will also cover the chilling effects of legal threats like this on the entire security industry as well.]

[Update 2: Rob Lemos has much more detail.]

Posted by arthur on February 27, 2007 at 9:44 AM in Current Events, information security.

February 26, 2007

It's "privacy," Jim, but not as we know it.

(Posted by adam)
The Canadian Privacy Commissioner has issued a number of new rulings, essentially ruling that anyone in Canada can request an ID card whenever they want. The first, summarized by Michael Geist in "Privacy Commissioner on Domain Name Registrant ID Requirements" says:
requirements of personal identification, such as a driver's license, in order to change the administrative email address for a domain name registration...was reasonable.
Which is odd, because my driver's license doesn't contain my email address. Also odd is the idea, in a second case "PIPEDA Case Summary #361, Retailer requires photo identification to exchange an item" that "The investigation established that the information from the piece of identification is not recorded at this store." Except in the paragraphs prior, they found that:
The store’s purpose for collecting the customer’s name, address and telephone number is to protect against fraud and error in order to protect its customers and business. It asks for photo identification in order to verify that the information provided by the customer is accurate.
So...information is taken down, and verified against the card, but not taken from the card. Would things be any different if they copied the information directly from the card?

It seems to me that these decisions are a great blow to privacy in Canada, essentially nullifying the common law tradition of being able to use whatever name one wants to use in one's day to day business.

Remember, all non-trivial privacy fears come true. I'm confident that there were claims that driver's licenses won't be needed for normal everyday life, and privacy advocates predicted this.

Posted by adam on February 26, 2007 at 4:25 PM in National ID, Privacy.

Emergent Meanings of Privacy

(Posted by adam)
There's a really fascinating article in New York Magazine, "Say Everything:"
And after all, there is another way to look at this shift. Younger people, one could point out, are the only ones for whom it seems to have sunk in that the idea of a truly private life is already an illusion. Every street in New York has a surveillance camera. Each time you swipe your debit card at Duane Reade or use your MetroCard, that transaction is tracked. Your employer owns your e-mails. The NSA owns your phone calls. Your life is being lived in public whether you choose to acknowledge it or not.
Dan Kaminsky keeps telling me that, too. It's worth reading the article. Virginia Postrel has some interesting commentary, "The Transparent Society and its clueless adult enemies." I think the most insightful comments come from Paul Saffo, in "Retroprobrium and mutually assured embarrassment:"
Several comments to my 2/17/02007 posting have noted that in a future transparent society, no one will make fun of their friends’ past postings because everyone will be in the same confessory boat. The problem with this argument is that we don’t judge behavior by the standards of the time when it occurred; rather, we consistently engage in retroactive opprobrium -- retroprobrium -- judging past actions by present standards.
To me, a key element of privacy is that the past is reasonably ephemeral: only the most important elements get remembered, and the cost of search is high. This is changing, and we don't fully understand where we're going.

The Canadian government has recently obtained access to US conviction records, as reported in the San Francisco Chronicle, "Going to Canada? Check your past:"

Canadian attorney David Lesperance, an expert on customs and immigration, says he had a client who was involved in a fraternity prank 20 years ago. He was on a scavenger hunt, and the assignment was to steal something from a Piggly Wiggly supermarket. He got caught, paid a small fine and was ordered to sweep the police station parking lot.

He thought it was all forgotten. And it was, until he tried to cross the border.

...

"This,'' [an attorney] says, "is just the edge of the wedge.'' Who would have thought a single, crazy night in college would follow you around the world?

I certainly would never have thought so. If I had, I might write an article with a title like "Long Term Impact of Youthful Decisions."

Photo: "How to tell you've had a good day," by Andrew Murray.

[Edit: fixed broken html -Arthur]

Posted by adam on February 26, 2007 at 1:04 AM.

February 25, 2007

A telling remark

(Posted by cwalsh)

In the "inconvenient coincidences" category, it seems that Al Sharpton's great-grandfather was a slave owned by relatives of the late segregationist US senator Strom Thurmond.

Thurmond's niece, Ellen Senter (via an AP report) provides an interesting perspective:

"I doubt you can find many native South Carolinians today whose family, if you traced them back far enough, didn't own slaves," said Senter, 61, of Columbia, South Carolina.

Except, that is, for the ones who were slaves, Mrs. Senter.

Posted by cwalsh on February 25, 2007 at 6:37 PM in Liberty, Voting.

When Surveillance Goes Too Far

(Posted by arthur)

breakfast-frame.jpg

[Via kungfoodie]

Posted by arthur on February 25, 2007 at 11:23 AM in Amusements.

February 24, 2007

Information Leaks

(Posted by mordaxus)
Traveling iPod

I was on the last flight back west on a Friday night, glad that it looked likely I was going to get home. Even better, I'd been upgraded. I flopped into my seat, pulling out the noise-canceling headphones, laptop power adapter, books, and all that other stuff that makes a long flight an oasis of irony.

The guy in the window seat was talking on the phone with the usual stuff you hear from people who are smart enough not to do business on the mobile. "Yeah, honey, I love you too." "Good to be home this weekend." That sort of washed over me as I thought, "Aww, that's sweet." (My SO and I text each other, and I was firing off a few equivalents, myself.) Then he said something that jolted me out of my hearing-yet-not-paying-attention.

The music of his voice shifted from rubato and legato to marcato and strict tempo. "You tell Connor," he said, "that when I get home, I don't want the first words out of his mouth to be, 'Where's my iPod?'" I suppressed staring, but my eyes bounced off of the end of their swivel pins.

I thought, "Dude, you stole your kid's iPod!" There was silence on his end, and I have no idea what she said. I just thought again, loudly, hoping his conscience might hear, "Guy! You stole your kid's iPod! I mean, jeez, I can see 'borrowing' it once to see if you like this whole digital music stuff, but DFW's got a bleeding vending machine for the critters right at A19! Can't you at least bury a Shuffle in your expenses?"

So Connor, if you read this because we're 1337-ish, show this post to your dad. And if he's still being cheap, install Limewire on his laptop and start sharing Sinatra or something. Maybe the RIAA will notice.

photo courtesy of Michael P. Whelan.

Posted by mordaxus on February 24, 2007 at 11:59 PM in Air Travel, Security, personal security.

On the TJX Breach

(Posted by adam)
So there's been a stack of news stories on TJX and the issues with their database. I want to comment on an aspect of the story not getting a lot of coverage. In the Cincinnati Enquirer story, "Fifth Third has role in TJX hole," Mike Cook is quoted as saying "If you are a consumer and you're part of the TJX breach, you are hoping it's 10 million people because the chance of your name being misused goes down considerably depending on the size of the data breach."

I don't buy it. What we're doing is telling criminals they need to scale up their exploit techniques and networks. We did that with spamming and phishing. Bad idea.

Some other news tidbits I found interesting:

It's my understanding that the shopping bags in the photo aren't full of clothes. (Photo from here, original context unclear.)

[Update: by 'these things' I was intending to imply not only credit card issues, but the gamut of information security issues that might arise. If you think we do have economic advice to give, consider submitting a paper to the workshop on the economics of information security: they explicitly ask for papers on 'optimal security investment']

Posted by adam on February 24, 2007 at 2:48 PM in breach analysis.

February 23, 2007

"A trade founded in iniquity"

(Posted by adam)
At Balkinization, Scott Horton discusses how "Two Hundred Years Ago Today, the Global Campaign for Human Rights Achieved Its First Victory:"
"As soon as ever I had arrived thus far in my investigation of the slave trade, I confess to you sir, so enormous, so dreadful, so irremediable did its wickedness appear that my own mind was completely made up for the abolition. A trade founded in iniquity, and carried on as this was, must be abolished, let the policy be what it might, - let the consequences be what they would, I from this time determined that I would never rest till I had effected its abolition."

- William Wilberforce, speech before the House of Commons, May 12, 1789, Hansard vol. 28, col. 68

Today the cause of universal human rights celebrates an important anniversary. On this day two hundred years ago, the Parliament at Westminster voted an act for the abolition of the slave trade. A few decades later, Parliament also voted the manumission of slaves throughout the British Empire. By that time, in the 1830's, the trafficking in slaves was viewed as a jus cogens crime by legal scholars around the world and the global movement to abolish slavery altogether was well launched.

Scott says much and says it well. Go read his post for the history, the nature of the arguments put forth, their relationships to today, and the biographic information about Wilberforce.

I'm left, then, with few things to add, and so I'll say them briefly.

Advances in human freedom are cause for celebration.

There were strong economic arguments for the institution of slavery, but sometimes you have to do the right thing, even if it costs.

Painting from American University Slave Trade case studies

Posted by adam on February 23, 2007 at 11:49 AM in Liberty.

February 22, 2007

Department of Pre-Blogging: Waziristan

(Posted by adam)
Back in September, we covered how Pakistan and Waziristan had a peace deal, essentially, a deal with al Qaeda. In it, I commented on how people would get medals for "convincing al Qaeda to get a territorial base which we can bomb." Now, in "Al Qaeda Chiefs are seen to regain power," the Times reports: "One counterterrorism official said that some within the Pentagon were advocating American strikes against the camps..."

Even more disturbing, Global Guerrillas has analysis in "Al Qaeda Redux:"

With all indications that the US is in withdrawal, a new attack is likely needed to propel the US back into aggressive action (see "Al Qaeda's Grand Strategy: Superpower Baiting" for more on why).
Posted by adam on February 22, 2007 at 11:52 PM in Current Events.

Not Selling But Marketing

(Posted by arthur)

As promised last week, I have more to say on selling security. Well, sort of. Actually, I'm going to try a new approach. I'm increasingly convinced that to get real attention on security, we need to stop thinking about selling, awareness or even training users. We need to be marketing security; more specifically, we need to be creating passionate users.

I'm hoping that I'm not going to get Mordaxus's dander up too much with my semantics, but I think this is an important distinction, one that Kathy Sierra explains far better than I can in "Marketing should be education, education should be marketing".

Do you want passionate users? Educate them. Do you want passionate learners? Sell them. If ever there were two groups who ought to trade places--and especially research -- it's teachers and marketers. Our mantra here is, "Where there is passion, there is a user kicking ass..." and by "kicking ass" we mean "being really good at something." In the post-30-second-spot world, the marketing department should become the learning department. Meanwhile back in schools, teachers should become...marketers.

So my recommendation is: make friends with your marketing department. Find someone who is interested in security and get their assistance in putting together an effective program. In brief, the goal is to have a company full of people who care about security. This means not telling them what they can't do, but telling them how they can help the company. Is this just spin? Yes. Am I talking about indoctrinating users? Yes. Will it be far more effective than telling users not to click on attachments in email? I think so...

[Edit: The Security Catalyst had a post yesterday talking about similar issues]

[Image is the cover of Citizen Marketers]

Posted by arthur on February 22, 2007 at 10:21 AM in information security.

Why We Fight

(Posted by cwalsh)
TJX appears to have suffered little financial fallout. Its stock fell just 2 percent yesterday after the company disclosed the new problems, along with its fourth-quarter earnings. For the three months ended Jan. 27, TJX said, profit fell to $205 million from $288 million in the same period a year earlier.

Store closings led TJX to take a $38 million charge, while the cost of investigating the breach and upgrading systems was $5 million through the end of the quarter.

On an earnings webcast with analysts yesterday, TJX executives said that store traffic through the end of January hasn't suffered since its Jan. 17 announcement of the security breach. "I want to assure our shareholders that our operational management team isn't being distracted from our core business or our opportunities to grow," said chief executive Carol Meyrowitz on the webcast.

Mark Montagna, analyst at CL King in New York, said yesterday's share decline had more to do with lower-than-expected earnings guidance TJX gave yesterday than the data problems.

"I don't think that overall Wall Street is seeing it as that big an issue," Montagna said.

He praised TJX's management and noted that other retailers have faced similar security problems. "Once they get this resolved, it's behind them," he said.

"TJX says theft of data may go back to 2005", Boston Globe, 2/22/2007

Posted by cwalsh on February 22, 2007 at 7:01 AM in breach analysis.

February 21, 2007

Wretched Word of the Week: Trust

(Posted by mordaxus)

Trust

Where to start on this one?

Trust as we use it means so many things. Then there's the word trusted. Beyond that, there is trustworthy. A bullet point on a slide I recently saw said, "Trusted computing is not trustworthy computing." Oh, how nice. Even better, "Trusted Computing does not mean trustworthy or secure." I must ask in what sense is trust anything but jargon (at best) or newspeak (at worst), with hyperbole being a middle interpretation?

Isaac Newton said that for every hyperbole, there's an equal and opposite hyperbole. Confirming this law of nature, Richard Stallman has declared that trusted computing is actually treacherous computing. Thus we have Orwell satisfied. War is peace; freedom is slavery; trust is treachery.

A good deal of the problem is that trust is transitive. No, not that way. Not in the sense that if Alice trusts Bob and Bob trusts Carol, then Alice trusts Carol. Transitive as in a verb that takes a direct object. Of course we all trust our mothers. But if you "trust your mother with your life," does that mean you trust your mother to change a firewall rule in your router? Trust is not only a transitive verb, but it is a situational transitive verb.

We in security use trust not as a transitive verb, but as a noun, and worse, an adjective. This leads to many strange things. Among them:

  • "Trust is willingness to do something risky on behalf of another human." I wish this were merely a typo because this is the opposite of trust. I might be willing to let you do something if I trust you, but your willingness is not trust, it is willingness. Trust may be a precondition for my willingness, but it may be that my willingness is thin because I have no choice. I trust Bill Gates, Steve Jobs, and Linus Torvalds, but it's not like I have an alternative.

  • "Trust is risk." Not bad. But as we know from economics, risk is money. Therefore, through transitivity, trust is money.

  • "A trusted system is one that can screw you." Yup, and precisely my point. When I trust my OS, I trust it in the sense that I just have to take a deep breath and hope.

Let's stop using the word trust. Don't say trustworthy metadata if you mean believable metadata. Don't say trust if you mean control, risk, willingness, confidence, or reliance. Use those words. Trust is stale and vague. It would be best if we stop using it.

That is easier said than done, given the way we habitually use it. Nonetheless, we should fight new uses of the word, if for no other reason than a smart consumer will run screaming if they hear you use it, because when trust is used with security, it means something bad is going to happen. It means exactly what "This won't hurt a bit" does. The faster you flee it, the faster the irony becomes apparent to all.

Photo "Trust" courtesy of yourclimbing.com.

Posted by mordaxus on February 21, 2007 at 7:46 AM.

February 19, 2007

Data Collection about Breaches

(Posted by adam)
In "Once a data loss report, always a data loss report?" Dissent asks about what we should be collecting and analyzing.
Scenario 1: “We thought we had lost a computer with sensitive customer records, but it turns out we didn’t lose it.”

Should that entry in a breach list be removed? I think that the answer depends, in part, on the stated inclusion criteria for the list, the stated or anticipated purpose/intended usage of the list, and on whether the list compiler has been provided with a statement by the agency or business to support the claim of no loss.

If the inclusion criteria are worded so as to only include agencies or businesses where records were actually compromised or might have been accessed, then one might see some merit in an argument to remove the entry in our hypothetical case. Common sense would dictate that if I say “I lost my wallet!” but then find it an hour later in another room in my house or under a pile of papers on my desk, it wasn’t really “lost” and no harm, no foul, right?

But what if one of the purposes of the list is to enable tracking and analysis of costs associated with notifications and our hypothetical company had already made a notification before discovering the hardware on their premises?

I just want