Emergent Chaos

Australia dumps National ID

Opponents of Australia's controversial Access Card received an early Christmas present earlier this month when the incoming Rudd Labor Government finally axed the controversial ID program. Had it been implemented, the Access Card program would have required Australians to present the smart card anytime they dealt with certain federal departments, including Medicare, Centrelink, the Child Support Agency, or Veterans' Affairs. ("Australia's controversial national ID program hits the dumpster," Ars Technica)

Congratulations to the people of Australia. Now let's hope the UK and US pick up on a winning trend.

Picture by Drewsta.

"Security Vulnerability Research & Defense"

My co-workers in SWI have a new blog up, "Security Vulnerability Research & Defense." They're planning to...well, I'll let them speak for themselves:

...share more in-depth technical information about vulnerabilities serviced by MSRC security updates and ways you can protect your organization from security vulnerabilities...

The two posts below are examples of the type of information we’ll be posting. We expect to post every “patch Tuesday” with technical information about the vulnerabilities being fixed. During our vulnerability research, we discover a lot of interesting technical information. We’re going to share as much of that information as possible here because we believe that helping you understand vulnerabilities, workarounds, and mitigations will help you more effectively secure your organization.

I'm excited. I see the good work that the team does in understanding vulnerabilities, and I'm glad that we're sharing more of it.

Emergent Privacy Reporting

On December 19th, Denebola, the student run newspaper of Newton South High School, broke the news that video cameras had been secretly installed in their school. Not only were students and parents not notified of the cameras but apparently neither were any of the teachers. From the student article:

According to Salzer, only he, Superintendent Jeff Young, Director of Public Facilities Mike Cronin, and a small security team were aware of the cameras. They did not inform faculty members, and the Newton Fire and Police Departments are not involved in their operations.

Boston.com is reporting that the school committee and the teachers union are asking why there weren't contacted or involved in this discussion.

Newton Teachers Association (NTA) President Cheryl Turgel is unsure whether the cameras violate teacher contract agreements or faculty privacy rights. The Newton Public Schools did not warn the NTA prior to the camera installation of their decision. While Turgel is not necessarily opposed to the Newton Public Schools using surveillance cameras to deter vandalism, she feels that the NTA should have warned of the installation.

While the Boston.com article ignores the issue of student privacy, the student paper does not:

Staff Attorney for the American Civil Liberties Union Foundation of Massachusetts Sarah Wunsch notes that, while the legalities of putting surveillance cameras in schools without notifying the public is a rather gray area, South’s installation is “at the very least, an awful thing to do.”

The one saving grace is that the cameras are not yet operational, apparently due to a software problem. When fully operational, the principal will be able to access the previous 31 days of footage on any of the cameras. I really hope (and seriously doubt) that a proper security audit has been done on this system to ensure that other people won't be able to remote access this footage.

Aaron Burr and Compulsory Key Disclosure

Orin Kerr has a fascinating tidbit at Volokh, "Encryption, the Fifth Ammendment, and Aaron Burr:"

Following my posts last week on encryption and the Fifth Amendment, a few readers asked about how courts have dealt with such issues before. As far as I know, there is only one other judicial decision specifically addressing the Fifth Amendment implications of decrypting ciphertext. Remarkably, it arose 200 years ago, in the treason trial of former Vice-President Aaron Burr.

Merry Christmas, Dr. Hansen!

A surgeon who allegedly took a photo of a patient's penis during an operation at a US hospital is no longer working there, it has been announced. Dr Adam Hansen, of Arizona's Mayo Clinic Hospital, is accused of taking the snap while conducting gallbladder surgery earlier in December. (BBC, "US 'penis photo doctor' loses job.")

For a doctor to violate patient confidentiality like this is a stunning lapse of judgement. If he did what he's accused of, I hope the impact on his career lasts as long as the impact on his patient.

Oh, I tried, but couldn't find an appropriate picture to go with this post.

Evan Schuman: TJX gets the BB gun

Not much naughtier than other retailers:

I'd say yes to coal for most of the major retailers for dropping the ball on security. Bigger chunks of coal need to go to state legislators and the U.S. House and Senate for failing to pass any laws protecting consumer data (although Minnesota got quite close). But to TJX? I'd give it a pass.

TJX theorized—correctly—that any breach wouldn't cause any impact on sales, as consumers (protected by the card brands' zero-liability deals) would stand by it. With that regrettable fact out there, it would have been extremely difficult for TJX to have justified spending much more than it did.

eWeek, 2007-12-24

"Justified" in the last quoted sentence means "justified to shareholders".

There's gotta be a dissertation out there about herd behavior in the face of the inability to measure the effect of behaviors on outcomes. It explains way more than I wish it did about infosec resource allocation decisions.

Pic via The Daisy Museum (in downtown Rogers, Arkansas).

Anarchy in the UK

• "Anger as NHS patient records lost"
• "Patient data loss affects 168,000"
• "Post Office sends wrong details"
• "Discs 'worth £1.5bn' to criminals"
• "£20,000 reward offered for discs"*
• "More firms 'admit disc failings'"

* Readers are invited to comment on the contrast.

Thanks to Ant, Cat and Steven Murdoch for links. Image: Teton dam, Wikipedia.

Guinness is Good For You, but don't tell anyone

A pint of the black stuff a day may work as well as an aspirin to prevent heart clots that raise the risk of heart attacks.

Drinking lager does not yield the same benefits, experts from University of Wisconsin told a conference in the US.

...

The researchers told a meeting of the American Heart Association in Orlando, Florida, that the most benefit they saw was from 24 fluid ounces of Guinness - just over a pint - taken at mealtimes.

They believe that "antioxidant compounds" in the Guinness, similar to those found in certain fruits and vegetables, are responsible for the health benefits because they slow down the deposit of harmful cholesterol on the artery walls.

Even though it's true, companies are scared of making health claims for booze. "Draft legislation could outlaw any health claims in adverts for alcohol in Europe, [a spokeswoman for Brewing Research International] said."

It's sad when the ability to make true statements is suppressed because 'authorities' worry that people are too dumb to listen to a bunch of statements and make up their own minds.

All quotes from the BBC, "Guinness good for you - official"

"There's supposed to be a Mars-shattering Ka-boom!"

Here at Emergent Chaos, we're big fans of large objects hitting other large objects at high speed. Which is why it's important to tell you that 2007-WD5 is a 50 meter asteroid that's set to pass within 48,000 kilometers of Mars next month.

"We estimate such impacts occur on Mars every thousand years or so," said Steve Chesley, a scientist at JPL. "If 2007 WD5 were to thump Mars on Jan. 30, we calculate it would hit at about 30,000 miles per hour and might create a crater more than half-a-mile wide." The Mars Rover Opportunity is exploring a crater approximately this size right now. (JPL press release.)

More details about the orbit at the JPL small-body datatbase. Story via VOA news.

What happens when a tree house grows up?

It becomes a tree pub.

See "Fancy a pint in the world's only bar that's INSIDE a tree?" in the Daily Mail for more.

Thanks, C!

Bonobos!

Check out this amazing video from TED.

Six breach reports in the UK: the floodgates are open

In Dissent's weekly roundup of breaches, there were six breaches reported for the UK, versus nine in the US. It seems that the duty of care approach is really taking off.

Newly reported incidents in the U.K. and Ireland:

• In Ireland, the Driver and Vehicle Licensing Agency has lost the personal details of 6,000 people. The unencrypted data were on two discs that went missing after being sent to the agency’s headquarters in Swansea. This was the second incident involving the DVLA in a month.
• The Leeds Building Society has warned its staff of 1,000 to be vigilant after admitting to losing their personal details including bank and salary details when the company’s human resources department was moved during a refurbishment of its head office.
• In the UK: government officials mistakenly sent confidential personal details consisting of names, dates of birth and criminal histories of dozens of inmates set to be released; the data were sent to a private business. The personal details also reveal the addresses the prisoners will move to after leaving jail.
• Hundreds of people have had personal pension details sent to the wrong addresses after an error by a Herts County Council contractor, Serco. Serco sent 1,400 statements for staff, former staff and councillors to the wrong destinations because of an “administrative error”. The statements included the person’s name, date of birth, national insurance number, and pensionable pay. So far, only 400 of the statements have been returned to the county council leaving 1,000 still missing.
• A laptop with the names, addresses, phone numbers and dates of birth of 950 diabetes patients of NHS patients was stolen from the St Julian’s GP surgery. Data on the stolen laptop also include a link to a picture of patients’ retinas — already they have a problem with the security of biometric data before they have implemented any ID system, it seems — Dissent.
• Sefton Primary Care Trust has accidentally sent about 1800 of its staff’s records to four organisations it is refusing to name. Staff details including dates of birth, national insurance numbers, pensions and salary details. The four companies were bidding for work with the trust. The Trust is reportedly not revealing the names of the four companies because of “commercial confidentiality”. They seem to take “commercial confidentiality” more seriously than employee confidentiality — Dissent.

In related news, BoingBoing covered a petition for mandatory disclosure in the UK. It's for British citizens and residents only. If you're in the UK, or a citizen, in an overseas territory or Crown dependency, you may and should sign.

Transparency lessons from the NFL

I think the NFL's handling of spying by the New England Patriots is poor. Of course, I expect retrograde, authoritarian, clumsy behavior from the NFL, and I haven't been disappointed in the few decades I've been paying attention.

The New York Times covered this issue (the spying, not the decades). In their December 16 article, they quoted crisis management experts. Thinking about some of the big information exposure incidents we've seen, consider how applicable these observations might be.

The strategy is profoundly bad, I don’t know why they would destroy [taped evidence]. That’s astounding. There’s no criminality here, but it sure doesn’t pass the smell test.

Al Tortorella, managing director of crisis management, Ogilvy Public Relations Worldwide

They’re rolling the dice that the whole thing is just going to go away. And here’s the thing — a lot of this could be avoided.

Greg Wilson, crisis counselor and senior vice president, Levick Strategic Communications

Wilson sees a crisis that requires managing, a “clear-cut case of all the parties needing to rip off the Band-Aid as soon as possible.” The goal of managing any crisis, he said, is to acknowledge the black eye and compress the time it lasts.

Wilson says the American public generally wants to hear what he calls the Big Three of crisis management: I am sorry. I take responsibility. And I will fix it.

NYT, 12/16/2007

Flower Chaser

My eyes feel better now.

Calla Lily macro 3, by Edwin Bartlett.

Hassling the Hoff

I'm way to lazy to take the time in Photoshop to make this look good, so just use your imagination and pretend I put Beaker's head on this.



Y'all should just be grateful that I didn't use this animated gif instead....

The Words of our (Founding) Fathers

There's an article in the Washington Post, "In the Course of Human Events, Still Unpublished." It's about how the papers of the founding fathers of the United States are still not available except in physical form, and the scholarly practice that keeps them there.

Many of the founding fathers' letters have been transcribed and made available over the years, and the original documents can increasingly be found online. But it is the painstaking annotation of these thousands of documents -- their detailed explanation -- that takes so long. Scholars check and double-check each reference and then try to explain each one and put it in context. A page of the massive annotated tomes can contain a snippet of a document and then a long footnote of explanation.

It seems to me that, while useful, footnotes and explanations inevitably reflect the time in which they're written. The writings of those brilliant men usually speak for themselves. There's certainly context and explanation that adds to it, but for heaven's sake, get the originals out there. They're far more important than the footnotes.

Deloitte & Touche, Ponemon Study on Breaches

According to Dark Reading, "Study: Breaches of Personal Data Now Prevalent in Enterprises:"

According to a study released yesterday by the Ponemon Institute and Deloitte & Touche, 85 percent of the security or privacy executive surveyed -- some 800 individuals -- claimed at least one reportable security incident in the past 12 months.

Sixty-three percent said they have experienced between six and 20 breaches affecting personally identifiable information (PII) in the past year.

Most of the reporting is on that 85% number. I think the second number is far more interesting -- 63% have experiences more than 5 breaches--that shocks me. I'm way behind on Ponemon Institute research, and I hope to say more shortly.

[Update: see the comments for some excellent analysis.]

Clark Kent Ervin on TSA Security

Normally, it's not news when someone takes aim at TSA policies like this:

If you are someone who suspects that what is billed as “aviation security” is often more show than substance, you are not alone. In fact, you are part of what Nixon aides used to call the “silent majority.” The security bureaucracy seems to think that as long as it is seen as doing something, and so long as another terror attack does not occur, the public will at least feel secure enough not to insist that it do whatever needs to be done actually to make us secure.

It's a bit more unusual when that someone is the former inspector general of the Department of Homeland Security. Go read what Ervin has to say in "Screening Dreams."

Ask.com is not asking "Will Privacy Sell"

There's a bunch of press around Ask.com's marketing of their new privacy service. I applaud them for thinking about this, and for drawing attention to the issue of search privacy. The New York Times had a story, "Ask.com Puts a Bet on Privacy" and now Slashdot jumps in with "Will Privacy Sell?" This is the wrong question to ask, and is going to lead to bad thinking for a long time, because what Ask.com is selling is not privacy, and it's not a complete product. I'll explain what it is, why it's not privacy, and why it's not going to sell.

The idea is that if you use AskEraser, Ask will not log what you're doing. Sounds good, right? No AOL embarrassing disclosures! What could