
It's actually sort of impressive how much hate and resentment the TSA has built in the few long years of its existence.
Mary Dudziak posted the testimony of Fannie Lou Hamer before the credentials committee of the 1964 Democratic convention. It's worth reading in full:
Mr. Chairman, and to the Credentials Committee, my name is Mrs. Fannie Lou Hamer, and I live at 626 East Lafayette Street, Ruleville, Mississippi, Sunflower County, the home of Senator James O. Eastland, and Senator Stennis.
It was the 31st of August in 1962 that eighteen of us traveled twenty-six miles to the county courthouse in Indianola to try to register to become first-class citizens.
We was met in Indianola by policemen, Highway Patrolmen, and they only allowed two of us in to take the literacy test at the time. After we had taken this test and started back to Ruleville, we was held up by the City Police and the State Highway Patrolmen and carried back to Indianola where the bus driver was charged that day with driving a bus the wrong color.
After we paid the fine among us, we continued on to Ruleville, and Reverend Jeff Sunny carried me four miles in the rural area where I had worked as a timekeeper and sharecropper for eighteen years. I was met there by my children, who told me that the plantation owner was angry because I had gone down to try to register.
After they told me, my husband came, and said the plantation owner was raising Cain because I had tried to register. Before he quit talking the plantation owner came and said, "Fannie Lou, do you know - did Pap tell you what I said?"
And I said, "Yes, sir."
He said, "Well I mean that." He said, "If you don't go down and withdraw your registration, you will have to leave." Said, "Then if you go down and withdraw," said, "you still might have to go because we are not ready for that in Mississippi."
And I addressed him and told him and said, "I didn't try to register for you. I tried to register for myself."
I had to leave that same night.
On the 10th of September 1962, sixteen bullets was fired into the home of Mr. and Mrs. Robert Tucker for me. That same night two girls were shot in Ruleville, Mississippi. Also Mr. Joe McDonald's house was shot in.
And June the 9th, 1963, I had attended a voter registration workshop; was returning back to Mississippi. Ten of us was traveling by the Continental Trailway bus. When we got to Winona, Mississippi, which is Montgomery County, four of the people got off to use the washroom, and two of the people - to use the restaurant - two of the people wanted to use the washroom.
The four people that had gone in to use the restaurant was ordered out. During this time I was on the bus. But when I looked through the window and saw they had rushed out I got off of the bus to see what had happened. And one of the ladies said, "It was a State Highway Patrolman and a Chief of Police ordered us out."...
I was carried to the county jail and put in the booking room. They left some of the people in the booking room and began to place us in cells. I was placed in a cell with a young woman called Miss Ivesta Simpson. After I was placed in the cell I began to hear sounds of licks and screams, I could hear the sounds of licks and horrible screams. And I could hear somebody say, "Can you say, 'yes, sir,' nigger? Can you say 'yes, sir'?"
And they would say other horrible names.
She would say, "Yes, I can say 'yes, sir.'"
"So, well, say it."
She said, "I don't know you well enough."
They beat her, I don't know how long. And after a while she began to pray, and asked God to have mercy on those people.
And it wasn't too long before three white men came to my cell. One of these men was a State Highway Patrolman and he asked me where I was from. I told him Ruleville and he said, "We are going to check this."
They left my cell and it wasn't too long before they came back. He said, "You are from Ruleville all right," and he used a curse word. And he said, "We are going to make you wish you was dead."
I was carried out of that cell into another cell where they had two Negro prisoners. The State Highway Patrolmen ordered the first Negro to take the blackjack.
The first Negro prisoner ordered me, by orders from the State Highway Patrolman, for me to lay down on a bunk bed on my face.
I laid on my face and the first Negro began to beat. I was beat by the first Negro until he was exhausted. I was holding my hands behind me at that time on my left side, because I suffered from polio when I was six years old.
After the first Negro had beat until he was exhausted, the State Highway Patrolman ordered the second Negro to take the blackjack.
The second Negro began to beat and I began to work my feet, and the State Highway Patrolman ordered the first Negro who had beat me to sit on my feet - to keep me from working my feet. I began to scream and one white man got up and began to beat me in my head and tell me to hush.
One white man - my dress had worked up high - he walked over and pulled my dress - I pulled my dress down and he pulled my dress back up.
I was in jail when Medgar Evers was murdered.
All of this is on account of we want to register, to become first-class citizens. And if the Freedom Democratic Party is not seated now, I question America. Is this America, the land of the free and the home of the brave, where we have to sleep with our telephones off the hooks because our lives be threatened daily, because we want to live as decent human beings, in America?
Thank you.

RFC 1918 is a best-current-practice RFC that describes network address ranges that we all agree we won't route globally. They get used for private networks, NAT ranges and so on. There are three ranges:
10.0.0.0 to 10.255.255.255 (10.0.0.0/8)
172.16.0.0 to 172.31.255.255 (172.16.0.0/12)
192.168.0.0 to 192.168.255.255 (192.168.0.0/16)
They are thus the Internet equivalent of the American phone system not using the exchange 555, only more useful. If you need to give an example IP address, you can use one of those without causing anyone consternation or irritation.
An example of why you want to use one of these addresses can be found (at least for the next few minutes) at Microsoft's site for the IE 8 beta. One of the IE 8 features is the "SmartScreen Filter" which can tell you IP addresses you're best not going to. An example is the picture accompanying my post.
If you check out that address, 207.68.196.170, at ARIN Whois, you find out that it's owned by Microsoft themselves.
I suppose that using one of your own addresses as a hazardous address is better than using someone else's, but immature people like Your Friendly Author will titter over it and point it out to other people as well.
There's a reason RFC 1918 exists, and this is one of them. Oh, by the way, be sure to look at RFC 2606, which reserves the domains example.com, example.net, and example.org. It also reserves the top-level domains .test, .example, .invalid, and .localhost. Remember them.
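As an added example (not part of the original post), here is a small Python lint that does the check this post is really about: classify an IPv4 literal against the three RFC 1918 blocks, classify a hostname against the RFC 2606 reserved names, and scan a chunk of text for addresses that would point at a real host. The sample text and hostnames below are constructed for the example; 207.68.196.170 is the address from the post.

```python
import ipaddress
import re

# The three RFC 1918 private blocks, as CIDR networks.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# RFC 2606: reserved second-level example domains and reserved top-level names.
RFC2606_DOMAINS = {"example.com", "example.net", "example.org"}
RFC2606_TLDS = {"test", "example", "invalid", "localhost"}

# Loose IPv4 literal matcher; ipaddress does the real validation below.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def rfc1918_block(addr: str):
    """Return the RFC 1918 block (as a string) containing addr,
    or None if the address is outside all three (or is not IPv4).
    Raises ValueError for strings that are not addresses at all."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return None
    for net in RFC1918:
        if ip in net:
            return str(net)
    return None


def is_rfc2606_name(hostname: str) -> bool:
    """True if hostname is a documentation/test name reserved by RFC 2606:
    either under a reserved TLD, or one of the example.* domains."""
    labels = hostname.lower().rstrip(".").split(".")
    if labels[-1] in RFC2606_TLDS:
        return True
    return ".".join(labels[-2:]) in RFC2606_DOMAINS


def public_ips_in(text: str) -> list:
    """Return every IPv4 literal in text that is NOT in an RFC 1918 block,
    i.e. every address that a screenshot or document would aim at a real host.
    Non-addresses such as 999.1.1.1 are skipped."""
    found = []
    for literal in IPV4_RE.findall(text):
        try:
            block = rfc1918_block(literal)
        except ValueError:
            continue
        if block is None:
            found.append(literal)
    return found


if __name__ == "__main__":
    # Constructed sample of the kind of text the post complains about.
    sample = "SmartScreen blocked 207.68.196.170; lab box is 10.0.0.5 and www.example.com"
    print("public addresses:", public_ips_in(sample))
    for name in ["www.example.com", "phish.test", "www.microsoft.com"]:
        print(name, "reserved" if is_rfc2606_name(name) else "real")
```

Two things worth noticing when you run it: 172.32.0.1 is not private (the /12 ends at 172.31.255.255), which is the range people most often get wrong, and the lint only knows RFC 1918. For documentation specifically, the later RFC 5737 reserves 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24, which are a better fit than private space for examples that must look routable.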
A blogger by the name of Lhooqtius ov Borg has a long screed on why he doesn't like the "Social Futilities." Tyler Cowen has a short post on "fake following."
I think the futility of these systems involves a poor understanding of how people interact. The systems I like and use (LinkedIn, Dopplr) are very purpose specific. I really like how Dopplr doesn't even bother with a friend concept--feel free to tell me where you're going, I don't have to reciprocate. It's useful because it doesn't try to replace a real, complex relationship ("friendship") with a narrowly defined shadow of the world. (In this vein, Austin Hill links a great video in his Facebook in Reality post.)
In information technology, we often replace these rich, nuanced concepts with much more narrow, focused replacements which serve some business purpose. Credit granting has gone from an assessment of the person to an assessment of data about the person to an assessment of the person's data shadow. There are some benefits to this: race is less of a factor than it was. There are also downsides, as data shadows, blurry things, get confused after fraud. (Speaking of credit scoring, BusinessWeek's "Your lifestyle may hurt credit score" is not to be missed.)
We've replaced the idea of 'identity' with 'account.' (I'll once again plug Goffman's Presentation of Self for one understanding of how people fluidly and easily manage their personas, and why federated identity will never take off.) Cryptographers model people as Alice and Bob, universal Turing machines. But as Adi Shamir says, "If there's one thing Alice and Bob are not, it's universal Turing machines." Many people have stopped Understanding Privacy and talk only about identity theft, or, if we're lucky, about fair information practices.
So the key lesson is that the world is a complex, confusing, emergent and chaotic system. Simplifications all come at a cost. Without an understanding of those costs, we risk creating more security systems as frustrating as those "social networks."
[Update: It turns out Bruce Schneier has a closely related essay in today's LA Times, "The TSA's useless photo ID rules" in which he talks about the dangers of simplifying identity into intent. Had I seen it earlier, I'd have integrated it in.]
Wonderful graffiti art by Mau Mau at the Cans Festival II. Photo taken by Alan Bee.
While this may be terrifying on a number of levels, the situation becomes far more questionable with the release of a recent memo from the TSA in which such damaging and destructive actions are apparently ENCOURAGED. The memo clearly states that:
"Aircraft operators are required to secure each unattended aircraft to make sure that people with bad intent cannot gain access to the planes. But during the inspection, TSA's inspector was able to pull himself inside of an unattended aircraft by using a tube that was protruding from the side of the plane. TSA encourages its inspectors to look for and exploit vulnerabilities of this type."
There are a couple of things I want to say about this. The first is that TSA seems to be orienting their "inspectors" towards the idea that no indignity or stupidity is too large. This is a natural result of there being no accountability.
While it's fun to rage at the TSA like this, I don't want to be throwing stones from a glass house. In information security, we sometimes tend this way. Security risks are seen as accruing to the career of the CSO. Smart CSOs shift jobs often to avoid having the risk (I forget who pointed this out, or I'd give credit.)
Implementing controls for a set of rare, high impact risks is hard. TSA, DHS and the President ought to be telling Americans not to be scared, and to realize that these things may happen again, despite our best efforts. This was the lesson of societies including the UK, France, Germany and Japan, not to mention Israel.
Fortunately, in information security, we have lots of common risks to go after, if only we'd pay attention.
Alan Shimel got hacked, and he's blogging about it, in posts like "I'm back." It sounds like an awful experience, and I want to use it to look at authentication and certificates. None of this is intended to attack Alan in any way: it could happen to any of us.
One of the themes of these posts is the difficulty of resolving the cases, especially when your password has been changed and your email accounts have been compromised. Alan's spent a lot of time on the phone getting stuff cleaned up, and I'd like to look at that process a little.
Alan has various business relationships with organizations who know him only via email and credit cards, or perhaps with a PO. How should they handle a claim that an account has been hacked? How are they supposed to authenticate someone calling who doesn't know the password, and wants to tie a new email account into the system? Doesn't that sound like fraud? These organizations likely don't know Alan's driver's license # or passport.
This problem isn't hard because we lack technology, it's hard because a networked system has emerged which makes it easy to do business all around the world with people you don't really know. If Alan had a client cert, maybe that would have been stolen, too. If he had a smartcard, maybe that would have been attacked via a client-side trojan. He ran into these troubles, and documents them at Yahoo, in "Why Google is now my homepage instead of Yahoo:"
I have written and called to every address you can think of. They have asked for copies of my drivers license. They wanted all of my information when I first applied for an account (yes from 12 years ago). I have had to give them every email address I ever had (anytime you fill out information for a new account you should make a record of it and keep it somewhere safe. Don't ask me where, but somewhere safe). Every mail address and zip code I have had. I sent them the answer to every secret question I can think of, but they won't give me the question they want to answer. I sent them the hacker's post bragging about getting my email account.
There may well be multiple guys named Alan Shimel out there; just seeing a faxed copy of a license isn't very good authentication.
All we have in distant and simple relationships is persistence and that's not that strong. We also have what Alan used, which is webs of trust. He called people who knew him and had them call people he knew:
As I have written earlier, I was lucky in that I was able to call on people to help me out. For instance my friends at FeedBurner/Google, Matt Shobe and Dick Costollo, quickly took control of my FeedBurner accounts, including the SBN feed. They were also able to get someone live at Typepad to allow me to take back the blog. This took more time than it should have though. Until FeedBurner reached out to someone, the Typepad support team just kept sending a new password to mailboxes that the attackers controlled, even though I was mailing them from my stillsecure mail box! You could not get any of these people on a phone. Very frustrating! ("Our web infrastructure needs to be at public utility levels")
Now, persistence and webs of trust seem like bad business models. They're not easy to manage with regards to liability and contracts, but they are a great representation of how the world really works.
Closely related: "Certifiably Silly," and "I'm certifiably wrong."
A voting system used in 34 states contains a critical programming error that can cause votes to be dropped while being electronically transferred from memory cards to a central tallying point, the manufacturer acknowledges.
So reports the Washington Post. Wow.
The problem was identified after complaints from Ohio elections officials following the March primary there, but the logic error that is the root of the problem has been part of the software for 10 years, said Chris Riggall, a spokesman for Premier Election Solutions, formerly known as Diebold.
When Congress acts in haste, a la the HAVA fiasco, we all repent at leisure.

GetAFreelancer.com has a job for you if you need some high-paid work -- write a remote keylogger.
Here are the project requirements:
We need a keylogger that can be installed remotely.Description:
The main purpose is that the user A can send an email with a program to install (example: a game or a funny program) to the person B. When the person B install the program on his computer, he is installing at the same time an invisible keylogger on his computer. Then the person A is receiving the report by email of every keystrokes that the person B is doing on his computer.
They only want to pay $250 to $750, which seems fair given that the requirements don't include undetectability. For that low a contract price, it seems only fair to give the victim a fighting chance.
Photo "Keylogger 1.0 Beta" by soulrift.
I find it interesting that security people and foodies are strongly correlated. Or at least are strongly correlated among the ones I know. Very Good Taste has a list of things called The Omnivore's Hundred, a list of things worth trying, modulo this and that. You mark things you have tried, and mark things you would never try or try again.
I found it via Cygnoir, who also gave a pointer to an easy-to-fill-out web page that will give HTML.
My results of that page are below.
The Economist has a short but great overview on crisis management. The article is well worth reading completely, but there is one section that bears highlighting:
Be well prepared in advance. Potential members of a crisis management “team” should rehearse how they would manage the impact of an incident. It is a bit like learning the safety instructions on a plane before take-off: you hope you will never need them, but you know it would be unwise to miss the lesson. The team should include the chief executive and a representative of the press office. Thereafter, all external enquiries relating to a crisis should be answered by the team.
It's amazing how often this step gets left out of business continuity plans, and it is probably the most important. I heartily encourage all executives to not just plan but practice, practice, practice. This is the sort of thing that can really bite you hard at just the wrong time.

A Christian Science church near the White House filed suit against the city on Thursday, accusing it of trammeling religious freedom by declaring the church a historic landmark and refusing to allow church leaders to tear it down.
Me, I just think there's something between irony and schadenfreude in there not only being a "brutalist" style of architecture, but that Washington DC wants to preserve it, over the objections of those subjected to it.
The building, a stark structure with walls that soar toward the sky, is an eyesore or a work of genius, depending on who is discussing it. The 37-year-old church was designed by Araldo A. Cossutta, who had been an architect in I. M. Pei's firm, and declared a landmark in December.
Supporters of preserving the church, the Third Church of Christ, Scientist, say it is a sterling example of a style of architecture called brutalism, which is identified by repetitive geometric design and raw concrete. ("Church Sues over Landmark Status")
(Not to mention the questionable justification for the government creating and keeping a list of historic landmarks which their owners then must maintain.)
Photo: Washington DC 3rd Church of Christ Scientist, Amy.Arch
Ryan Singel reports at 27B/6:
The TSA was keeping the names of people who lost their wallets and needed to fly -- even after ascertaining their identity and determining they were not a threat and could board a plane. It stored these names in a shared threat database. Then it decided that it won't store the names of people who it was able to identify as not a threat.
The entire article is a must read.
Could we take the cost issue out of this equation please ... [Adam: I'm willing to set it aside, because the conversation has spiraled.] The real questions as I see it are
1) Leaving aside the issue of cost, what are the pros and cons of introducing self-signed certificates into the current browser model of SSL?
2) If the advantages of introducing self-signed certificates into this model outweigh the disadvantages, what is the best approach (from a technical and user experience perspective) to introduce self-signed certificates into the current SSL model?
3) If there is a good technical/UX approach to introduce self-signed certificates into the current SSL model, what is the likelihood of such an approach being adopted on a universal basis (i.e., by all browser vendors), and how might this be made more likely?
I'd argue that these are the wrong questions: the real questions underlying our disagreement are probably "do certification authorities do what they're purported to do, and (if we agree they don't), what do we do about it?"
I think we do two things: One, we stop investing so much in them, and second, we investigate the heck out of the alternatives, including persistence and organizational CAs, including CAs run by groups like the American Bankers Association. These are both in direct contradiction of the CA business model, and so they've been stillborn.
I'm not going to claim that either will have better user experience than the current SSL model, and that's a low bar.
So I'm wrong, the issue isn't really self-signed certs, it's the CA model.
There were other points raised, by both Frank and Andy Steingruebl, about my bookmark model, which is that it breaks PayPal. There are two ways to read this model: One is "always use bookmarks"; the other is "never click on a link in email." I intended the first; the second is unclear, given the prevalence of webmail. Perhaps we could address this by having merchants send transactions to PayPal, and then if I choose to login via a bookmark, I get a list of pending activity.
The final point that Andy raised is organizations with lots of web sites. A reasonable point, and one I'm not sure how to address. Part of how I'd address it is that most of us don't see all of those brands. I would be happy to see some of the brand profusion go away, which of course, doesn't mean it would happen. (I consulted for a bank for several years, I can't keep track of all the brands that they present around my retirement accounts.) If I can't keep track of them when they're 'not' security critical, I surely can't keep track when they are, and it is unreasonable to expect me to.
...almost everyone who wants to communicate securely using a browser can afford an SSL certificate from CAs such as GoDaddy, Thawte, etc. The cost of single certificates from these sources can only be described as nominal.
There are all sorts of use cases where $29 is not chump change. For example, I own about 8 domains, that's $240 in "security taxes." People in the third world would like to communicate securely. But most importantly, the idea assumes that it's ok to have an infrastructure which is mostly unencrypted, and that we may only trust encryption after the certificate priests bless it. When I wrote about turning on "opportunistic encryption for Postfix," my goal was encrypting all email. There's no need for a CA. The threat model is passive adversaries, and there are lots of those.
My company is a major target of phishing, and as such we've spent quite a bit of time researching what anti-phishing approaches work. We published a whitepaper on this topic (which can be found on the company blog at www.thepaypalblog.com), which explains this in detail. However, a couple of relevant conclusions are that: 1) the vast majority of users simply want to be protected, 2) there's no single "silver bullet", and 3) that what we describe as "safer browsers" such as IE 7, and Firefox 3.0 are a significant part of the solution based on their improvements in user visible security indicators and secure-by-default behaviors.
You can't always get what you want. Really, most people have little understanding of the issues. I think this is in large part because we've been talking down to them, in some part because the issues are complex, and in some part because it's not important enough for them to want to become educated. It's especially not important enough in light of debates like this one. We should try (sometime) to give people what they need.
I think we'd agree that the vast majority of users want, need and deserve protection that's as simple and effective as we can make it. I don't think blocking self-signed certs is a large part of that goal.
I conflated two or three separate ideas in that last sentence, and I should explain them. The general logic is that most users should never be presented with a security dialog that gives them a choice – if they are, there's typically at least a 50:50 chance that the wrong decision will be made. Instead, the browser should make the decision for them. However, in the case of self-signed certificates it's almost impossible to see how any technology can disambiguate between legitimate uses and criminal ones. When viewed through this lens, the changes to the Firefox user experience for self-signed certificates make perfect sense.
Even viewed through the lens presented, the self-signed experience doesn't make perfect sense, unless you start with the assumption that a $29 SSL cert has some useful security value. I don't believe it does. What it does is get rid of the 'self-signed' warnings. There are cheaper and easier ways to do that. Most of the certificates out there are signed by a company that the relying consumers have never heard of. There's just not that much verification that can be done for $29. Today, anyone who's broken into a company's mail server can buy a fake cert with a stolen credit card.
Now, Michael's employer is under massive attack. I am sympathetic to their desire to improve things, and I applaud a lot of things that they do. For example, their use of one time password tokens is great. I also think there's great value to pushing people to recent browsers.
At the same time, it's sensible for them to want to shift risk; part of me even welcomes the risks and attacks hitting the CAs. But I think that imposing yet another security tax, based on a static analysis of attackers and some certificate authority pixie dust, isn't going to help things for very long.
And given the very real costs and the very fuzzy benefits, I think that breaking self-signed certificates is the wrong approach. What's the right approach? I wrote "Preserving the Internet Channel Against Phishers" three years ago. I think that the advice isn't silly at all.
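The "persistence" alternative argued for above (and in the Alan Shimel post, where it is the only thing distant relationships really have) is concrete enough to show in code. The following is an added example, not code from the original posts: a trust-on-first-use store that remembers the SHA-256 fingerprint of the certificate each host presented the first time, accepts the same one on later connections, and refuses a silently changed one. Certificate validation is deliberately switched off in the fetch helper so that a self-signed server works; continuity is the check, not a CA. The "certificates" in demo() are constructed byte strings standing in for DER; a real one comes from getpeercert(binary_form=True).

```python
import hashlib
import json
import os
import socket
import ssl


class CertChangedError(Exception):
    """Raised when a host presents a key that differs from the one remembered for it."""


class PersistenceStore:
    """Trust-on-first-use (key continuity) store keyed by host name.

    path=None keeps the store in memory; otherwise it is a JSON file of
    {host: sha256-hex-of-DER} that survives between runs."""

    def __init__(self, path=None):
        self.path = path
        self.known = {}
        if path and os.path.exists(path):
            with open(path) as f:
                self.known = json.load(f)

    @staticmethod
    def fingerprint(cert_der: bytes) -> str:
        return hashlib.sha256(cert_der).hexdigest()

    def check(self, host: str, cert_der: bytes) -> str:
        """'first-use' when host is new (and remember it), 'match' when unchanged;
        raise CertChangedError when the fingerprint differs from the remembered one."""
        fp = self.fingerprint(cert_der)
        seen = self.known.get(host)
        if seen is None:
            self.known[host] = fp
            self._save()
            return "first-use"
        if seen == fp:
            return "match"
        raise CertChangedError(f"{host}: remembered {seen[:16]}..., presented {fp[:16]}...")

    def rotate(self, host: str, cert_der: bytes) -> None:
        """Accept a key change that was confirmed out of band (the phone-a-human step)."""
        self.known[host] = self.fingerprint(cert_der)
        self._save()

    def _save(self) -> None:
        if self.path:
            with open(self.path, "w") as f:
                json.dump(self.known, f, indent=2)


def fetch_cert_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate a server presents, as DER bytes, without CA
    validation: verify_mode is CERT_NONE on purpose so a self-signed server is
    reachable, and PersistenceStore.check supplies the continuity check instead.
    Makes a network connection; demo() below does not call it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def demo() -> list:
    """Walk a host through first contact, a repeat visit, a surprise key change,
    and an explicitly confirmed rotation. Returns the sequence of outcomes."""
    # Constructed stand-ins for DER certificates; mail.example.com is a hypothetical host.
    cert_a = b"-- constructed certificate A for mail.example.com --"
    cert_b = b"-- constructed certificate B for mail.example.com --"
    store = PersistenceStore(path=None)
    events = [store.check("mail.example.com", cert_a),
              store.check("mail.example.com", cert_a)]
    try:
        store.check("mail.example.com", cert_b)
        events.append("accepted")
    except CertChangedError:
        events.append("changed")
    store.rotate("mail.example.com", cert_b)  # only after confirming out of band
    events.append(store.check("mail.example.com", cert_b))
    return events


if __name__ == "__main__":
    print(demo())
```

The failure mode is the interesting part: a changed key is not an error the code can resolve, it is a prompt to go and ask someone, which is exactly the web-of-trust step the earlier post describes. The other caveat is that first use is unprotected by design; the model buys continuity, not introduction.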
Raffael Marty's book, Applied Security Visualization, is now out:
Last Tuesday when I arrived at BlackHat, I walked straight up to the book store. And there it was! I held it in my hands for the first time. I have to say, it was a really emotional moment. Seeing the product of 1.5 years of work was just amazing. I am really happy with how the book turned out. The color insert in the middle is a real eye-catcher for people flipping through the book and it greatly helps making some of the graphs better interpretable.
I'm really excited, and look forward to reading it!
The letter is dated June 9, regarding a February 27th loss by Archive Systems, Inc. The three-plus month delay annoys me. Archive Systems isn't named in the letter. I had to look at Data breach at New York bank possibly affecting hundreds of thousands of CT consumers to discover that.
The signup experience for the "Triple Alert Monitoring" from Experian was not awful, but it was pretty