[C]ountries are at liberty to apply "complex, stupid, and complete arbitrary" rules, but one of the fundamental tenets of the rule of law is that any rules should be applied consistently. It's naive to suggest that all travellers should be fully knowledgeable of all aspects of immigration law; that's an expertise for which people pay hundreds of dollars an hour.

Since this is sometimes an information security blog, I'd like to put this another way. Imagine you're testing an IDS that watches 7 identical packets flow by and flags one of them. It either has an 86% success rate or a 14% success rate.
Without paying someone several hundred dollars, I don't know if Halvar got lucky 6 times, or unlucky once.
I do know that I'm upset that our border agents aren't consistent. If they were an IDS system, and that's all the data I had, I wouldn't be buying right now.
He writes:
It appears I can't attend Blackhat this year. I was denied entry to the US for carrying trainings materials for the Blackhat trainings, and intending to hold these trainings as a private citizen instead of as a company.

Halvar has been coming to the US to train people for six years. So here's my question: Has the law changed? Why did this happen? What's happened may be that he didn't use precisely the right words to get through the line, and now he'll be spending (my guess) $10,000 on lawyers to be able to re-enter the US.

A little background: For the last 7 years, I have attended / presented at the 'Blackhat Briefings', a security conference in the US. Prior to the conference itself, Blackhat conducts a trainings session, and for the past 6 years, I have given two days of trainings at these events. The largest part of the attendees of the trainings are US-Government related folks, mostly working on US National Security in some form. I have trained people from the DoD, DoE, DHS and most other agencies that come to mind.
Each time I came to the US, I told immigration that I was coming to the US to present at a conference and hold a trainings class. I was never stopped before...
I'm increasingly concerned about this--the police can detain you in a variety of ways, offer implicit threats of arrest, and there are certain very specific legal formulas you can invoke. For example, I've been told that you must 'demand' an attorney, rather than saying "I'd like an attorney," in order to preserve your rights. If a cop is asking you questions, you must ask "are you detaining me?" in order to get an honest answer. No one should be required to know these formulas--not me to preserve my rights through an encounter with the police, and not Halvar to preserve his ability to enter the US.
I have a friend who has a US denied stamp on his Canadian passport because he was driving a co-worker to the border so that person could enter the US for 2 minutes, turn around, and re-enter Canada (to get a new Visa). The driver said "Oh, I don't really care if you let me into the US," and boom, his passport was marked and he was entered into the refused-entry list.
Now Halvar has to choose: he can spend probably thousands of dollars to clear his passport, or he can stop entering the US. Way to preserve jobs for Americans!
The title is a reference to the ultra-stylized 'Noh' Japanese plays, where actors rehearse their lines in a vacuum.

Tourists visiting the White House must now adhere to a dress code which bans jeans, sneakers, shorts, miniskirts, T-shirts, tank tops, and flip-flops.
Since this is an extremely important rule, signs were posted and emails were sent to White House staff (writes Al Kamen in the Washington Post).
A telling detail, per the WaPo:
The e-mail reminder was all in capital letters.
Sigh.
(Title yanked from some Luna lyrics, .sig fragment from the Usenet Oracle via Wikipedia)

This is a new twist on an old trick. SFGate reports, in "'I didn't eat and I didn't sleep' -- Coin dealer flies dime worth $1.9 million to NYC," that coin dealer John Feigenbaum transported a $1.9M rare coin (an 1894-S dime) from its previous owner, Daniel Rosenthal, who lives in the Bay Area, to its new, unidentified owner in New York, by hand-carrying it.
Feigenbaum dressed in a T-shirt, "grubby" jeans, and flip-flops and flew on the red eye from San Jose to Newark, carrying it himself with little fanfare.
There was an unexpected problem, however:
Feigenbaum had purchased a coach ticket, to avoid suspicion, but found himself upgraded to first class. That was a worry, because people in flip-flops, T-shirts and grubby jeans do not regularly ride in first class. But it would have been more suspicious to decline a free upgrade. So Feigenbaum forced himself to sit in first class, where he found himself to be the only passenger in flip-flops.
He shouldn't have worried too much, actually. Scruffy people often do fly first class, trust me. They're the ones who travel too much, so they want to be comfy. Read the whole article, it's amusing.
I am reminded of another occasion when a similar trick was used, although for a diamond.
Photo courtesy of Tiffibunny.
...is today, July 27.
Pizza and beer retailers are standing by, much as florists do on Valentine's Day.
You know what to do.
In "Help EFF Examine Once-Secret FBI Docs," the folks at EFF ask for your help doing what Congress won't, namely engaging in oversight of our civil servants:
We've already started scouring newly-released documents relating to the misuse of National Security Letters to collect Americans' private information. But don't let us have all fun — you, too, can dive into the docs and help uncover the truth about the FBI's abuse of power. All 1138 pages are freely downloadable (with searchable text) from EFF’s website, and we'll be posting a new batch every month.

A related request, from Ryan Singel over at 27B-6, is to "Help Wired News Make Sense of FBI Computer Crime Stats."

Really, there hasn't been such a good opportunity to uncover illegal activity by Uncle Sam since the Church Committee hearings. It's like shootin' fish in a barrel.
Go take a look.
And it's only $225, but you have to register by Friday.
A poor choice of names (I guess "best UNIX editor" was their second choice), but Silicon.com is doing something that seems worthwhile by launching their Full Disclosure Campaign.
Silicon.com wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors.

We are calling for greater public debate and for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers, if there is a chance the breach has put individuals' sensitive personal data at risk.
A salami attack is when you take a very small amount of money from an awful lot of accounts. The canonical example is a bank programmer depositing sub-cent amounts of interest in a special account. These rounding errors add up.
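The control that a salami attack is designed to slip past is per-account recomputation of the rounding residue. This added example (not from the original post; the ledger, the rate and the fraud scenario are all constructed) posts interest to a handful of accounts, then shows that a totals-only reconciliation still balances after the fractions are shaved into one account, while an independent per-account recomputation flags it:

```python
"""Reconciling interest rounding residue: the control a salami attack defeats."""
from decimal import Decimal, ROUND_HALF_EVEN, ROUND_DOWN

CENT = Decimal("0.01")

# Constructed ledger: four customers plus the programmer's own account A-9999.
BALANCES = {"A-0001": Decimal("1234.56"), "A-0002": Decimal("87.31"),
            "A-0003": Decimal("4500.00"), "A-0004": Decimal("19.99"),
            "A-9999": Decimal("10.00")}
RATE = Decimal("0.00375")            # monthly interest rate, constructed


def exact_total(balances=BALANCES, rate=RATE):
    """Total interest owed before any rounding."""
    return sum(bal * rate for bal in balances.values())


def expected_interest(balances, rate):
    """What the bank should post per account (rounded half-even to the cent)
    and the sub-cent remainder, which belongs in a bank-owned rounding
    account and not in anybody's deposit account."""
    exact = {a: bal * rate for a, bal in balances.items()}
    posted = {a: v.quantize(CENT, rounding=ROUND_HALF_EVEN) for a, v in exact.items()}
    residue = sum(exact.values()) - sum(posted.values())
    return posted, residue


def conservation_check(total, posted, rounding_credit):
    """Weak control: credits plus the rounding account equal total interest.
    A salami run passes this, because the shaved fractions are simply
    posted to the programmer's account instead of vanishing."""
    return sum(posted.values()) + rounding_credit == total


def per_account_check(balances, rate, posted, rounding_credit):
    """Strong control: recompute every account independently. Returns the
    accounts whose posted credit differs from the recomputation, and whether
    the rounding account received exactly the expected residue."""
    expected, residue = expected_interest(balances, rate)
    mismatched = sorted(a for a in balances if posted.get(a) != expected[a])
    return mismatched, rounding_credit == residue


def honest_run():
    """Post interest the right way; the residue goes to the rounding account."""
    return expected_interest(BALANCES, RATE)


def salami_run():
    """Constructed fraud scenario: truncate everyone's interest instead of
    rounding, post the whole cents of the shaved amount to A-9999, and hand
    the rounding account only the leftover fraction so the totals still add up."""
    exact = {a: bal * RATE for a, bal in BALANCES.items()}
    posted = {a: v.quantize(CENT, rounding=ROUND_DOWN) for a, v in exact.items()}
    shaved = sum(exact.values()) - sum(posted.values())
    skim = shaved.quantize(CENT, rounding=ROUND_DOWN)    # only whole cents can be posted
    posted["A-9999"] += skim
    return posted, shaved - skim


if __name__ == "__main__":
    for label, run in (("honest", honest_run), ("salami", salami_run)):
        posted, credit = run()
        print(label, "totals balance:", conservation_check(exact_total(), posted, credit),
              "per-account mismatches:", per_account_check(BALANCES, RATE, posted, credit))
```

The per-account check lists both the under-credited customers and the over-credited A-9999, which is why recomputation from source data, rather than a totals check, is the control that matters here.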
I'm trying to find the first actual documented theft or attempted theft using this attack.
I'm hoping that a reader will know when the first reports of salami attacks came out.
Please comment if you have an idea.
Photo: "Salami & cheese - food heaven," taken by SanFranAnnie with a Canon SD400, which is not the camera mentioned in Mordaxus' post yesterday.
[Update, Jan 5, 2008: Steve Lipner provided me with a cite! Thomas Whiteside, Computer Capers, 1978. The copyright page states that most of the material first appeared in the New Yorker.]

In the Times Online article, "Digital DNA could finger Harry Potter leaker," we learn that the person who leaked photos of the last Harry Potter novel has yielded up the serial number of their camera, which was in the metadata of the pictures they took.
From this, we learn that it was a Canon, likely a Rebel 350D, which means that the perp bought it in the US or Canada. (This doesn't mean that the perp is there, as lots of people buy electronics in the US or Canada.)
However, I blinked when I read something from Vic Solomon, a product intelligence officer at Canon UK:
From what we know, the device is one of the original Rebel cameras, probably a 350D, and given that they've been out for three years, it's likely the owner would have had it cleaned or repaired in that time.
Likely? I take "likely" to be better than a coin flip -- over 50% chance. I'm a huge fan of Canon cameras, and while I don't yet own a digital SLR (I'm very happy with my SD 700IS), I'd like one, and it makes me wary to hear that it is "likely" that I'll be taking it into the shop within three years. I have a twenty-five-year-old A1 SLR, and it's never been cleaned or repaired. Is Canon's well-deserved reputation for quality a thing of the past?
Or was Mr Solomon merely shooting his mouth off? He also said:
The EXIF data is like the picture's DNA; you can't switch it off. Every image has it. Some software can be used to strip or edit the information, but you can't edit every field.
That's not precisely accurate. EXIF metadata is nothing like DNA. It's metadata rather than code; it's annotations about the picture such as date and time, f-stop, exposure values, orientation of the photo, and of course the serial number of the camera. While photo-editing software often doesn't let you edit it, there are plenty of ways to get rid of it, and I'll bet that very shortly there will be more of them, particularly if they catch the person who did this because of the embedded serial number.
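To make the "annotations about the picture" concrete, here is an added example (not from the article) that reads the camera make and model out of a JPEG's Exif segment and then produces a copy with the segment removed. The JPEG bytes are constructed by build_sample_jpeg() and hold only a header, one Exif segment and no image data; the reader walks only IFD0, so a camera serial number, which real cameras keep in the Exif sub-IFD or the vendor MakerNote, is out of scope here.

```python
"""Read camera make/model from a JPEG's Exif segment, then strip the segment."""
import struct

MAKE, MODEL = 0x010F, 0x0110        # TIFF tags for camera make and model
TIFF_ASCII = 2                      # TIFF field type for NUL-terminated text
EXIF_HEADER = b"Exif\0\0"           # APP1 payload prefix that marks Exif


def iter_segments(data):
    """Yield (marker, start, end) for each marker segment before SOS/EOI."""
    pos = 2                                  # skip SOI (FF D8)
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):           # EOI / SOS: metadata segments are over
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # includes itself
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def is_exif(data, marker, start):
    return marker == 0xE1 and data[start + 4:start + 10] == EXIF_HEADER


def read_ascii_tags(data):
    """Return {tag: text} for the ASCII entries of IFD0, or {} if no Exif."""
    for marker, start, end in iter_segments(data):
        if is_exif(data, marker, start):
            break
    else:
        return {}
    tiff = data[start + 10:end]              # TIFF header begins after "Exif\0\0"
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    tags = {}
    for i in range(count):
        entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
        tag, typ, n = struct.unpack(endian + "HHI", entry[:8])
        if typ != TIFF_ASCII:
            continue
        if n <= 4:                           # values of 4 bytes or less sit inline
            raw = entry[8:8 + n]
        else:                                # longer ones at an offset from the TIFF header
            off = struct.unpack(endian + "I", entry[8:12])[0]
            raw = tiff[off:off + n]
        tags[tag] = raw.rstrip(b"\0").decode("ascii", "replace")
    return tags


def strip_exif(data):
    """Return the JPEG with every Exif APP1 segment removed; other segments
    and everything from SOS onward are copied through unchanged."""
    out, pos = bytearray(data[:2]), 2
    for marker, start, end in iter_segments(data):
        if not is_exif(data, marker, start):
            out += data[start:end]
        pos = end
    out += data[pos:]
    return bytes(out)


def build_sample_jpeg(make=b"Canon", model=b"Canon EOS 350D DIGITAL"):
    """Constructed input: SOI, one big-endian Exif APP1 with Make/Model, EOI."""
    values = [(MAKE, make + b"\0"), (MODEL, model + b"\0")]
    data_off = 8 + 2 + 12 * len(values) + 4  # header + count + entries + next-IFD link
    entries, blob = b"", b""
    for tag, v in values:
        if len(v) <= 4:                      # inline, padded to the 4-byte value slot
            entries += struct.pack(">HHI", tag, TIFF_ASCII, len(v)) + v.ljust(4, b"\0")
        else:                                # stored after the IFD, referenced by offset
            entries += struct.pack(">HHII", tag, TIFF_ASCII, len(v), data_off + len(blob))
            blob += v
    ifd = struct.pack(">H", len(values)) + entries + struct.pack(">I", 0)
    tiff = b"MM\0\x2a" + struct.pack(">I", 8) + ifd + blob
    app1 = EXIF_HEADER + tiff
    return b"\xFF\xD8\xFF\xE1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xFF\xD9"


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print(read_ascii_tags(sample))            # {271: 'Canon', 272: 'Canon EOS 350D DIGITAL'}
    print(read_ascii_tags(strip_exif(sample)))   # {}
```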
Photo courtesy Lone Primate.
In "Stop with the fake phish data," Justin Mason quotes an anonymous friend complaining about people dumping crap into phishing sites:
Is there any way you can get the word out that dropping a couple hundred fake logins on a phishing site is NOT appreciated??

First, I had no idea people were doing this. It seems like at least an interesting idea, and so I'd like to examine the assumptions that seem to underlie the request by Justin's anonymous friend (JAF).

It creates havoc for those monitoring the drop since it’s an unbelievable waste of time and resources to clean up the file. Also, for those drop files that ‘recycle’ after every 10 entries, valid data is lost.
It also creates havoc for those who get these files and try to notify victims. They waste time, too .. pulling legit info from amongst the trash.
Firstly, JAF (seems to) presume that his work is roughly equivalent to the phisher's work, or more expensive. This seems likely true. If you're a criminal, testing an account is easy: you try to steal from it. If you're trying to stop them, you have more work to do.
I think a more interesting question is, what fraction of sites are getting hit? Are 10% of phishing sites experiencing this? 90%? I'm curious because it gives us insight into the overlap between the two sets of folks working against phishers. It's a relatively easy statistical problem: If set 1 has overlap y with set 2, how large is the population being sampled? Ecologists do this all the time. (How can I spell ecologist with a 'ph?')
It seems like it's an interesting possibility for measuring the size of the phishing site world.
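The "how large is the population" question is the two-sample capture-recapture problem, and here is the calculation as an added example (not from the original post). Group 1 is whoever drops fake logins on the sites they find, group 2 is JAF's monitors, the overlap is the monitored sites already carrying fake data, and the site lists are constructed placeholders; the estimate assumes the two groups find sites independently and that the site population does not churn between the two samplings.

```python
"""Capture-recapture estimate of the phishing-site population."""
from math import sqrt


def lincoln_petersen(n1, n2, m):
    """Classic estimate N = n1*n2/m; undefined when the samples share nothing."""
    if m == 0:
        raise ValueError("no overlap: the samples give no bound on the population")
    return n1 * n2 / m


def chapman(n1, n2, m):
    """Chapman's bias-corrected Lincoln-Petersen estimate and its standard error.

    n1, n2: sites seen by each group; m: sites seen by both. Assumes a
    closed population and independent samples; phishing sites churn fast,
    so treat the result as a same-period snapshot, not a stable count."""
    if not 0 <= m <= min(n1, n2):
        raise ValueError("overlap cannot exceed either sample")
    n_hat = (n1 + 1) * (n2 + 1) / (m + 1) - 1
    var = (n1 + 1) * (n2 + 1) * (n1 - m) * (n2 - m) / ((m + 1) ** 2 * (m + 2))
    return n_hat, sqrt(var)


def estimate_from_site_lists(fake_data_sites, monitored_sites):
    """Return (N_hat, std_err, overlap, fraction of all sites hit with fake data)."""
    s1, s2 = set(fake_data_sites), set(monitored_sites)
    m = len(s1 & s2)
    n_hat, se = chapman(len(s1), len(s2), m)
    return n_hat, se, m, len(s1) / n_hat


# Constructed samples: group 1 saw 40 sites, group 2 saw 60, with 10 in common.
GROUP1 = ["phish-%03d.example" % i for i in range(0, 40)]
GROUP2 = ["phish-%03d.example" % i for i in range(30, 90)]

if __name__ == "__main__":
    n_hat, se, m, frac = estimate_from_site_lists(GROUP1, GROUP2)
    print("overlap %d, about %.0f sites (s.e. %.0f), roughly %.0f%% hit with fake data"
          % (m, n_hat, se, 100 * frac))
```

With these numbers the estimate is about 226 sites with a standard error near 51, so the fake-data droppers would be reaching roughly 18% of the population; a larger overlap tightens the interval.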
Photo: "Fish" by Wistine.
So, the USDA messes up and, in response to FOIA requests directed to them about tobacco subsidies, sends records containing taxpayer ID numbers (along, one presumes, with names) to the several FOIA requestors.
Meanwhile, an enterprising lad sends a FOIA request about data breaches to North Carolina -- a state known for tobacco production. That lad is richly rewarded, and obtains a letter from the USDA to the NC Attorney General's office. That letter contains the names and addresses of the several FOIA requestors who had inquired about tobacco subsidies.
The enterprising lad is now certain the USDA will get his name and address, thereby completing another circle.

The New York Times reports, "U.S. Will Allow Most Types of Lighters on Planes"
Three cheers for them learning! I can only hope that the stupid liquids ban will fall next. We know that we've trained people to be efficient at finding water bottles over finding bombs, even when they're in the same bag.

Federal aviation authorities have decided to stop enforcing a two-year-old rule against taking cigarette lighters on airplanes, concluding that it was a waste of time to search for them before passengers boarded.

The ban was imposed at the insistence of Congress after a passenger, Richard Reid, tried to ignite a bomb in his shoe in 2001 on a flight from Paris to Miami.
Lawmakers said that if Mr. Reid had used a lighter, instead of matches, he might have been able to ignite the bomb, but Kip Hawley, assistant secretary for the Transportation Security Administration, said in an interview on Thursday that the ban had done little to improve aviation security because small batteries could be used to set off a bomb.
Matches have never been prohibited on flights.
“Taking lighters away is security theater,” Mr. Hawley said. “It trivializes the security process.”
The policy change, which is to go into effect on Aug. 4, applies to disposable butane lighters, like Bics, and refillable lighters, like Zippos. Torch lighters, which have thin, hotter flames, will continue to be banned.
Security officers have been collecting some 22,000 lighters a day nationwide, slowing down lines at check points. Even so, many smokers had found ways to sneak lighters through checkpoints, often by placing more than one in a carry-on bag. Disposing of the seized lighters has cost about $4 million a year.
By lifting the ban, Mr. Hawley said, security officers could spend more time looking for bombs or bomb parts. “The No. 1 threat for us is someone trying to bring bomb components through the security check point,” he said. “We don’t want anything that distracts concentration from searching for that.”
Rich Bejtlich, with whom I do not want to argue about definitions unless I have a much thicker dictionary than he, has taken aim at the (mis?)use of ROI by security people.
EC readers may be interested in a blog post by Ken Belva, in which the guy who literally (co)wrote the book on establishing a methodologically sound and empirically defensible business case for information security spending -- Lawrence Gordon -- weighs in via email.
Hopefully, Gordon is a sufficiently authoritative source to put this question to bed for a while.
Here’s my long-held feeling: If even one customer record is compromised, it should be immediately disclosed to the consumer. None of this, “You need 10,000 or more records stolen before it is reported” or “Only report if likely to be used in financial theft.” Forget that! Banks and merchants are privileged to be entrusted with our important financial data. If they don’t protect our information properly, they, not us, should pay the price.
A recent Government Accountability Office report noted the difficulty of linking data theft to identity theft, but the U.S. Secret Service is having no such problems. The agency earlier this week said it has arrested and indicted four members of an organized fraud ring in South Florida, charging each of them with aggravated identity theft, counterfeit credit-card trafficking, and conspiracy.
But you know what? Data theft (as well as, mind you, a negligent data loss!) is a crime even if whoever took off with the data didn't use it for nefarious purposes. To me it sounds akin to "the bank robber who didn't spend the money on more crimes" or (more remote ...) "a carjacker who didn't cause a traffic incident." Mandatory notifications are a means to reduce data loss/theft, and are thus needed with no regard to how the stolen data is used!
The GAO Report that leads off this issue is deeply flawed and does not meet that agency's high standards for excellence in analysis or independence. We learned that the report was done by a group at GAO that doesn't usually work in this area, so their flawed analysis is understandable, but still potentially damaging to GAO's reputation and to the nation's cybersecurity. We have included an analysis of the report in this issue for readers who didn't immediately see the flaws.
Looking through it, it is clear that they relied heavily on data and statistics provided by Attrition.org, the Privacy Rights Clearinghouse, the Identity Theft Resource Center, and reports obtained from NY and NC under FOIA by Chris Walsh.

Although it is encouraging that the government is actually using the data that these organizations and individuals have worked so hard to compile, some of the implications suggested by the GAO report are troubling from the perspective of a privacy advocate.
(Excerpts from a letter to Mr. David Wood of the GAO. The complete letter is here.)
I am writing to you today to comment on your recent report, "Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown." I found GAO’s report and its implied recommendations to be disappointing, and not representative of the usual high quality of GAO reports. This is, as you note, a difficult and challenging field in which to do research. As such, I am hesitant to criticize, and do so because of the esteem in which GAO reports are generally held. For ease of writing, I shall refer to GAO as “you.”
My concerns can be summarized as your analysis of the data fails to pursue important and possibly revelatory data to which the public does not yet have access, your selection of data sources lacks justification, you failed to consider (or discuss) alternate methodologies which may have resulted in different results, you make unjustified assumptions that companies can provide data, and you fail to identify systemic sources of bias in comments on which you rely. I will explain each of these concerns in order.
Failure to pursue important questions
You were charged with “identifying what is known about the incidence and circumstances of breaches of sensitive personal information” (page 3). In a set of paragraphs from page 12 through 17, you list incidence and circumstance, and fail to analyze commonalities between your data sources. You even fail to bring them together to draw attention to how disparate they are:
| Source | Dates | # of Incidents |
|---|---|---|
| FBI | Unclear | 1,300 under investigation |
| Secret Service | 2006 | 327 |
| House Government Reform Committee | Jan 1, 2003-July 10, 2006 | 788 |
| US CERT | FY 2006 | 477 |
| 5 banking regulators | “past few years” | “several hundred” |
| FDIC | May 2005-Dec 2006 | 194 at regulated, 14 third party |
| Office of thrift supervision | April 2005-Dec 2006 | 56 at regulated, 72 third party |
| New York State | Dec 7, 2005-Oct 5, 2006 | 225 |
| North Carolina state | Dec 2005-Dec 2006 | 91 affecting > 1000 people |
| Educause survey | 2005 | 127.4 (26% of 490) |
| American Hospital Assoc. survey of 46 institutions | 2006 | 13 hospitals reported 17 breaches |
| Attrition | Not listed in GAO | 500+ |
| Privacy Rights Clearinghouse | Not listed in GAO | 300+ |
| All except attrition, PRCH | Jan 2003-Dec 2006 | 3688.4* (Not rigorous) |
We don’t know. Many people instinctively believe in #2. What we do know is the one time the experiment has been done (New York vs. the University of Washington dataset, derived from Attrition) the data looked a lot more like possibility 1. To effectively answer Congress’s question, we need the answer, and GAO has not provided it.
I believe that a fair answer to the question would have pointed out these issues.
Unjustified data selection
Starting from the highlights, you state that you examine the 24 largest breaches reported in the media from January 2000 through June 2005. You do not justify this selection. We have reason to believe that the largest breaches are not all reported in the media. (Analysis by Chris Walsh showed that 3 of the 5 largest breaches reported to the State of New York were not in the attrition or Privacy Rights databases on which you relied.)
You do not justify your selection of the largest breaches. We have no reason to believe that the largest incidents have the same likelihood of identity theft, and there are reasons to believe that they will show a lower incidence. In particular, several of the largest incidents involve loss of backup tapes, which are likely in Iron Mountain and UPS warehouses. Some of the others may have been “trophy hunting” by hackers, where, rather than taking the data for profit, they were attacking for reasons of prestige.
A more reasonable methodology might have been to randomly select incidents from the data sets, or to investigate the largest and a random sample, in order to identify if biases (perhaps accounted for by the hypothesis above) were present.
You do not justify the size of your sample set. As you identified, there were at least 572 publicly reported incidents in your time sample (page 11). You examined 4.2% of these, and have no comment on how your sample size was selected.
Alternate methodologies possible
You fail to justify your decision to start from data breaches. An alternative investigative methodology would have been to select a set of victims reporting ID theft to the FTC, FBI, or other source of criminal data, and trace those reports back to their source as best as could be done. This has a challenge in that (as you note) many of the victims of identity fraud do not know how they were victimized. GAO could have presented a list of known breaches to these individuals, and looked for correlations, or considered only the known cases.
Unjustified assumption that companies can supply data
There is an assumption that breached organizations are notified of identity theft by their customers. This assumption shows strongly on page 5, where you write, “available data and interviews with researchers, law enforcement officials and industry representatives indicated that most breaches have not resulted in detected incidents of identity theft.” However, there are several assumptions here. First is that a company who has suffered a breach would be told by a consumer that that consumer has suffered identity theft. Consumers have little motivation to do so, and so looking to companies as a source of data is, at best, a partial answer.
Even if a company’s call center representative was told that, the call center computers likely have no way to record that information. Modern call centers are expensive to run, and are often run from ‘scripts’ and ‘trees.’ If these trees have not been updated, even a company that had been notified of issues might not have captured and analyzed that information. Even if a company has captured and analyzed that information, it is likely being treated as highly sensitive in conversations with attorneys in order to contain liability. It is unlikely to be shared with industry association representatives, at conferences, etc. The information is likely to be kept close to the chest.

Failure to identify commenter biases

Finally, even if the representatives with whom you spoke were aware of fraud, they might be biased against sharing that with you. They are likely aware that Congress is considering further regulations, and may be eager to sweep evidence of the breadth of the problem under the rug, to avoid further regulation.
As a final note before I conclude, you imply that notifications are expensive and complex, and seem to endorse a ‘reasonable likelihood of harm’ standard (although you do not come out and say so). Before you endorse such a standard, I would urge you to pay close attention to the difficulty that that would cause banks (as you cover on page 35). Absent more and better data on the relationship between breaches and fraud, it will be hard to figure the odds of fraud. The best way to get information on the relationship is to expand the datasets available to all researchers to allow and encourage research. A ‘reasonable likelihood of harm’ standard will prevent us from crawling out of the mess that we’re in today.
In conclusion, your failure to pursue important questions about the nature of the data, your failure to justify your data selection or sample sizes, your failure to explain your choice of methodologies in the presence of alternatives, and your assumptions that companies have the data you wanted, and would, unbiased, provide it, cause this report to be deeply flawed, and create a worrisome possibility that anyone relying on it would come to erroneous conclusions.
I would urge you to update your research to take these concerns into account. In the future, I would be happy to work with you on this subject, which I believe to be of considerable import.
[Updates: html typos]

This is a peeve I learned from the great Donn Parker. The term "Best Practice" should be avoided. It is inaccurate, misleading, and self-defeating. Here's why:
Shortly after 9/11, some physical security people I know put some physical security plans in place that many people, including me, sneered at. Harumph, harumph, it doesn't actually improve security. It's there just to look like you're doing something. Some time later, one of them took me quietly aside and told me that the reason they did it was to lower insurance costs. If you're faced with your insurance bills going up by a million bucks and you can avert that with fifty grand of security theatre, out comes the greasepaint and tap shoes followed shortly by an amateur production of songs from Chicago.
What do you say, then? Parker recommended "Good Practices," but noted that many best practices need improvement before they can get to good. This is the problem -- we're always having to do things that may not be quite so good. Grading on the curve is an old technique, and the same budget holder who will question improving a best practice may not appreciate honesty. Some organizations use "Best Current Practices," which manages to keep from tacitly chiseling them in stone, but still keeps the superlative, and I believe that the superlative is a problem. I think I can count practices that are truly best on one hand once they get more complex than "look both ways before crossing the street" or "cook the popcorn for only two minutes."
I recently heard Stephen R. Katz, another pioneer of computer security -- the world's first CISO -- mention the same peeve and suggest the term "Standard Acceptable Practice." The great thing about a term like "Standard Acceptable Practice" is that no one is going to disagree with either "We have to get this organization to follow Standard Acceptable Practices" or "We need to improve our Standard Acceptable Practices."
Photo by andai.
... pirate ships limited the power of captains and guaranteed crew members a say in the ship’s affairs. The surprising thing is that, even with this untraditional power structure, pirates were, in Leeson’s words, among “the most sophisticated and successful criminal organizations in history.”

Mmmmm, chaos and emergent rules that work. Who'da thunk?

Leeson is fascinated by pirates because they flourished outside the state—and, therefore, outside the law. They could not count on higher authorities to insure that people would live up to promises or obey rules. Unlike the Mafia, pirates were not bound by ethnic or family ties; crews were as remarkably diverse as in the “Pirates of the Caribbean” films. Nor were they held together primarily by violence; while pirates did conscript some crew members, many volunteered.
Read about pirates in the New Yorker.
Photo: "Tom Ironlocks, Sam Hawkeye and Wilde Oskar posing," by larsst.