March 27, 2008

Saving the Taxpayers Money

(Posted by mordaxus)

The Washington Times reports, "Outsourced passports netting govt. profits, risking national security." It is the first of a three-parter.

Interesting comments:

The United States has outsourced the manufacturing of its electronic passports to overseas companies — including one in Thailand that was victimized by Chinese espionage — raising concerns that cost savings are being put ahead of national security, an investigation by The Washington Times has found.

The Government Printing Office's decision to export the work has proved lucrative, allowing the agency to book more than $100 million in recent profits by charging the State Department more money for blank passports than it actually costs to make them, according to interviews with federal officials and documents obtained by The Times.

The GPO tells us we don't need to worry, because the blanks are moved by armored car. I feel better already, but can't stop giggling.

Posted by mordaxus on March 27, 2008 at 4:45 PM in ID Management, ID Theft, National ID.


February 29, 2008

The real problem in ID theft

(Posted by adam)
In "Reckoning day for ChoicePoint," Rich Stiennon writes:
The real culprit is actually ChoicePoint itself and the three bureaus. By creating what is supposedly a superior solution than the old fashioned way of granting credit (knowing your customer, personal references, bank references, like they do it in most of the rest of the world) they have created a system that is prone to identity theft and over extended borrowers.
He's right. The players at the heart of identity theft in the U.S. are the credit bureaus. But, what they've done is more than just creating a system which is prone to identity theft. Let's review how the credit bureaus work. They serve businesses by selling information about creditworthiness. Their customers (businesses extending credit) are happy to charge higher rates for people with poor credit, so there is little incentive for the business or the bureau to eliminate errors from the credit data. Worse, as the problem of identity theft becomes more widespread, the credit agencies can sell “credit monitoring” services to consumers and “enhanced authentication” to businesses and make even more money.

The credit agencies now run TV commercials touting credit monitoring, threatening people with identity theft. They don't quite say "nice credit score you've got there. Shame if we were to do something to it," but they come close.

Small wonder it’s hard to address the problem.

Rich closes:

I suggest that the FTC, various Attorneys General, and the trial lawyers, target the credit reporting industry for reform. Maybe we can starve the cyber criminals out by making identities less valuable goods.
I think it would be simpler to remove their exemption from libel law. The credit agencies share default data just fine. They should have to share remedial data as well, or be accountable for the costs which they impose by their negligence.

Posted by adam on February 29, 2008 at 11:23 AM in ID Theft, Legal.

February 25, 2008

Saying it loud -- OpenID leads to phishing

(Posted by mordaxus)

Kim Cameron not only admits what Ben Laurie has said here, here, and here, but he says it succinctly:

OpenID provides convenience and power but suffers the problem of all the Single Sign On technologies - the more it succeeds, the more dramatically phishable it will become.

There you have it.

It has long been a joke about crusty states such as Idaho, Oregon, New Hampshire, or New Jersey that they have signs at the border that read, "Welcome to <insert-name-here>, now go home."

As a Mac user, I'm often asked whether someone should switch to a Mac because it's more secure. My response is that the only reason a Mac is more secure than a PC is because it's only people like me who use them. As soon as hordes of people start using them, then they will no longer be as secure. I like not knowing the details of anti-virus programs. I like not bothering even to run the built-in firewall. So, no, I don't think you should switch to a Mac because it's more secure. I think you should just update your virus files every week. Besides, Macs are much more expensive than you can afford. Really. Have you heard about Ubuntu? It's Open Source! (Cue sounds of angels singing.) People tell me it's really nice. And I hate Leopard.

Despite all of these being true statements, this technique does not work as well as I would like. I think I need to take a presentation skills class.

OpenID is similar in that it's a safe neighborhood because people like me don't go there. Once enough people like me start going there, it's not going to be secure. I am reminded of comments by each of Groucho Marx and Yogi Berra.

I am happy to help keep OpenID secure by not using it. I've already written about what I think is better.

What I find amusing about Cameron's epiphany is his solution for the problem. He thinks that OpenID should become part of InfoCardSpace, and thus shipped with Windows.

There's a joke that begs to be made here, oh, how it begs. It is rim-shot worthy, so I'll not make it. I'll merely point out that if you want to get CardSpace, you have to get Vista. Ba-dum-dump.

I am again using the photo "Trunk 'n Branches" by slightly-less-random because it is the only image in Flickr that comes back from the search of "cardspace phishing" and one of two for "openid phishing".

Posted by mordaxus on February 25, 2008 at 6:37 PM in ID Management, ID Theft, blogging.

January 30, 2008

A Cha-cha all the way to the bank

(Posted by mordaxus)

On the beaches of Mexico, they're talking about Copacabana, a new cipher-cracker that works on DES and other ciphers with a 64-bit key. Yes, this has been done before, but this is interesting for a number of reasons.

First is the price. About €9,000. Second, there's the performance. A complete DES keyspace sweep in a fortnight. That's not bad, if you think about Deep Crack and what you'd expect from normal semiconductor advances.

The news, however, is that apparently there are banks using two-factor authentication tokens with DES-based keys, and if you're clever, you can break this token with far less than a full key search. You only need to observe the supposedly one-time password (or two or three of them), and then with a fortnight's computing, you can generate any one-time password the real owner can.

Maddeningly, there are other systems based on AES or some other crypto that aren't at all vulnerable to this attack -- because they have better keys. People who are vulnerable to this attack need not be.
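To make the two claims above concrete (a handful of observed one-time passwords pins down a 56-bit key, and a longer key takes the attack out of reach), here is an added worked calculation; it is not code from the post. The only figure it takes from the post is the sweep rate of one full 2^56 DES keyspace per fortnight. The rest is assumption: the token is modelled as a keyed function that turns the secret key and a counter into a 6-digit one-time password and behaves like a random function, so a wrong key matches any given observed password with probability 10^-6.

```python
from fractions import Fraction

# Figure from the post: a complete DES keyspace (2**56 keys) is swept in a fortnight.
DES_KEY_BITS = 56
SWEEP_DAYS = 14


def days_to_sweep(key_bits: int) -> Fraction:
    """Days to exhaust a keyspace of `key_bits` bits at the post's DES sweep rate.

    Each extra key bit doubles the work, so the time scales as 2**(key_bits - 56).
    """
    return Fraction(SWEEP_DAYS) * Fraction(2) ** (key_bits - DES_KEY_BITS)


def expected_false_candidates(key_bits: int, otp_digits: int, observed: int) -> Fraction:
    """Expected number of WRONG keys still consistent with `observed` one-time passwords.

    Assumed token model: the OTP is an `otp_digits`-digit value derived from the key
    and a counter by a function that looks random, so a wrong key agrees with one
    observed OTP with probability 10**-otp_digits, and with `observed` independent
    OTPs with probability 10**-(otp_digits * observed).
    """
    return Fraction(2 ** key_bits - 1, 10 ** (otp_digits * observed))


def otps_needed(key_bits: int, otp_digits: int) -> int:
    """Smallest number of observed OTPs after which fewer than one wrong key survives,
    i.e. enough to single out the real key with a full keyspace search."""
    n = 0
    while expected_false_candidates(key_bits, otp_digits, n) >= 1:
        n += 1
    return n


def attack_cost_summary(key_bits: int, otp_digits: int = 6) -> dict:
    """Defender's view of a token design: what the attacker must see and how long
    the key search takes, for a given key length and OTP width."""
    days = days_to_sweep(key_bits)
    return {
        "key_bits": key_bits,
        "otps_to_observe": otps_needed(key_bits, otp_digits),
        "sweep_days": days,
        "sweep_years": days / Fraction(36525, 100),  # 365.25 days per year
    }


if __name__ == "__main__":
    # 56-bit DES versus 128- and 256-bit keys, all with constructed 6-digit OTPs.
    for bits in (56, 128, 256):
        s = attack_cost_summary(bits)
        print(
            f"{s['key_bits']:>3}-bit key: observe {s['otps_to_observe']} OTPs, "
            f"then sweep for {float(s['sweep_years']):.3g} years"
        )
```

For a 56-bit key, two observed passwords still leave about 72,000 keys that happen to agree with both, while a third brings the expected number of false matches below one, which is why "two or three of them" is all the attacker needs before the fortnight of computing. For a 128-bit key the same search, at the same rate, takes 14 × 2^72 days. The weakness is the key length, not the fact that the token emits short passwords.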

Apparently, these banks have fallen in love with DES. But falling in love is dangerous. It's also negligent, when it's so easy to get shot.

Photo courtesy of Imagem Compartilhada.

Posted by mordaxus on January 30, 2008 at 3:35 PM in ID Theft, Legal, Security, conferences, information security.

ANSI on Identity Fraud

(Posted by adam)

Tomorrow at 2 Eastern, ANSI will be hosting an Identity Theft Prevention and Identity Management Standards Panel.

Key analysts, industry leaders, and members of the Identity Theft Prevention and Identity Management Standards Panel (IDSP) will lead an online discussion of a new report that promotes access to and implementation of tools and processes that can help to minimize the scope and scale of identity theft and fraud.

The new report, which will be published on January 31, 2008, helps to arm businesses, government agencies, and other organizations with the tools needed to protect themselves and their customers against the theft and misuse of personal and financial information.

My colleagues Jeffrey Friedberg (Microsoft) and Julie Fergerson (Debix) co-chaired one of the working groups, and I'm pleased to see that they've focused on businesses and governments, not consumers. I think we often spend too much time trying to blame the consumer. It's important to understand the role that organizations play in using identifying information, and how that interacts with identity fraud, and I hope that this report will advance both that understanding, and the understanding of solutions.

To access the report or webinar: "Identity Theft Prevention and Identity Management Standards Panel: Report and Webinar."

Posted by adam on January 30, 2008 at 11:09 AM in ID Theft.

January 11, 2008

TSA's insecure "Traveller Identity Verification" site slammed by Oversight Committee

(Posted by cwalsh)

First exposed nearly a year ago, by DIY boarding pass mastermind Chris Soghoian, a TSA web site intended to help travelers improperly recorded on watch lists has been slammed by a House Oversight and Government Reform Committee report:

TSA awarded the website contract without competition. TSA gave a small, Virginia-based contractor called Desyne Web Services a no-bid contract to design and operate the redress website. According to an internal TSA investigation, the “Statement of Work” for the contract was “written such that Desyne Web was the only vendor that could meet program requirements.”

The TSA official in charge of the project was a former employee of the contractor. The TSA official who was the “Technical Lead” on the website project and acted as the point of contact with the contractor had an apparent conflict of interest. He was a former employee of Desyne Web Services and regularly socialized with Desyne’s owner.

TSA did not detect the website's security weaknesses for months. The redress website was launched on October 6, 2006, and was not taken down until after February 13, 2007, when an internet blogger exposed the security vulnerabilities. During this period, TSA Administrator Hawley testified before Congress that the agency had assured “the privacy of users and the security of the system” before its launch. Thousands of individuals used the insecure website, including at least 247 travelers who submitted large amounts of personal information through an insecure webpage.

TSA did not provide sufficient oversight of the website and the contractor. The internal TSA investigation found that there were problems with the “planning, development, and operation” of the website and that the program managers were “overly reliant on contractors for information technology expertise” and had failed to properly oversee the contractor, which as a result, “made TSA vulnerable to non-performance and poor quality work by the contractor.”

House Oversight and Government Reform Committee

As for accountability,

Neither Desyne nor the Technical Lead on the traveler redress website has been sanctioned by TSA for their roles in the deployment of an insecure website. TSA continues to pay Desyne to host and maintain two major web-based information systems: TSA’s claims management system and a governmentwide traveler redress program. TSA has taken no steps to discipline the Technical Lead, who still holds a senior program management position at TSA.

Posted by cwalsh on January 11, 2008 at 2:18 PM in Air Travel, ID Theft, information security.

November 16, 2007

Bye-Bye Pay By Touch!

(Posted by adam)

I've always been concerned about biometric systems for payment. I don't want my fingerprint to be able to access my bank account: I leave fingerprints all over the place. I'm glad to see that biometrics pioneer Pay-By-Touch is shifting focus:

Pay By Touch, which has made a major push in POS biometric payments, is backing off that business, according to a report in the current issue of The Nilson Report, a major payments newsletter.
Tip of the hat to StoreFrontBackTalk, "Pay By Touch Giving Up On Biometric POS?"

A quick clarification: "POS" is industry-speak for "Point of Sale," not "Piece of Shit." We apologize for any confusion.

[Update: Evan now relays the news that "Pay By Touch (is) In Bankruptcy Proceeding(s)."]

Photo: Escaped Monkey's password, posted to Flickr.

Posted by adam on November 16, 2007 at 10:04 AM in ID Management, ID Theft.

October 3, 2007

Looking for a challenge? Life dull?

(Posted by mordaxus)

If you need a change in your life, consider this job posting:

Title: IT Security Architecture Manager Needed

Company: TJX Companies

Location: Framingham, MA

Skills: Very strong technical security background in both the mainframe and distributed environments.

Term: Full Time

Pay: DOE

Length: Full Time

Detail:

TJX Companies is seeking an IT Security Architecture Manager who has at least 6 years' experience in Information Technology; certification related to the security profession (CISSP, CISA, CISM) preferred.

Read on. If you like being the sheriff who cleans up town, this could be for you!

Posted by mordaxus on October 3, 2007 at 1:37 PM in ID Theft, Jobs, information security.

August 10, 2007

Pseudonyms in the News: Fake Steve Jobs Outed

(Posted by mordaxus)
Allegedly Brad Stone

Brad Stone of the New York Times is a killjoy. Geez. Part of the joy of reading The Secret Diary of Steve Jobs was thinking of him as Fake Steve Jobs, and nothing more. Sure, it's all good that his employer was so delighted that FSJ is going to be hosted by them, now, but -- Geez. Have you no sense of decent fun?

The next thing you know, someone's going to out the guy who plays Stephen Colbert.

The only good thing to come out of this is that the BBC has come out with the article, "How to mastermind a fake blog" and it is a very good thing.

Photo is the first person you get when you do a Google image search for "Brad Stone New York Times." Hah.

Posted by mordaxus on August 10, 2007 at 6:52 PM in Amusements, ID Theft, art, blogging.

August 8, 2007

Welcome iouhgijudgviujs, please log in!

(Posted by mordaxus)

Ben Laurie has shown time and again that OpenID is Phishing Heaven. It's also a huge boon for anyone who wants to start tracking on the web. I firmly agree that if you want to steal from people or invade their privacy, OpenID is for you.

I also know that there are people I respect who disagree with this harsh opinion. I believe that the ultimate decider of who is right on this depends on whether an effective OpenID exploit gets created, either in vitro or in vivo, and how well the OpenID people can fix it. My money is on the exploiters, but that's what makes horse races fun, as Twain put it.

At Black Hat last week, Eugene and Vlad Tsyrklevich gave a talk on OpenID security, and I just nodded as they outlined mechanism after mechanism to show how OpenID can be hijacked, MiTMed, spoofed and so on. They had short examples to show the HTML for how to do all the things that Laurie has described in words.

But then they summed up with saying that they like OpenID, they think it's kinda cool, and despite its flaws, it gives people a single sign on system that is good for -- I don't know, giving criminals a way to ruin your reputation on LiveJournal, eBay, and your employer all at the same time. I can't adequately relate it, because I just blinked a lot.

There's an old joke that exists only as a punch line: "But other than that, Mrs Lincoln, how was the play?" It's as if they summed up their presentation with, "Well, Booth's bit of performance art was over-dramatic with all that shouting Latin, but the characterization of the American Cousin was quite touching, and I thought the acting up to Ford's usual high standards."

I went up to talk to the speakers, hoping I could be more eloquent than "WTF?!" As I waited, I heard someone say that he just didn't get it at all, because he's been using the username/password saving and forms-filling in Firefox. He said that he likes it because now he picks web site names and passwords by just running his hand over the keyboard randomly. He added something like, "I know all of the problems with what I'm doing, but at least they are all on my machine." Inevitably, several people pointed out that the Mac has had that for years.

There then seemed to be a murmured assent that handling the problem locally may be a better solution.

I'm fascinated by the possibility that identity management might be headed the way of "push." I also wonder that while making fun of Microsoft cloning things is a sport rivaled only by grousing about Apple's disdain for battery compartments, this would be a case where it's called for. Out with InfoCardSpace, in with KeyChain.

Photo "Trunk 'n Branches" by slightly-less-random.

Posted by mordaxus on August 8, 2007 at 9:11 PM in ID Management, ID Theft, conferences.

April 22, 2007

Buy Gas, Get Busted for Pedophilia?

(Posted by adam)
The BBC reports "Motorists hit by card clone scam:"
Thousands of motorists who use a bank card to buy petrol are thought to have lost millions of pounds in an international criminal operation. It is believed cards are being skimmed at petrol stations, where the card details and pin numbers are retrieved and money withdrawn from the account.

About 200 of the UK's 9,500 petrol stations are thought to have been hit.

That's impressive if the thieves have gone to the stations one by one, less so if they cracked a central billing computer. Hard to tell, because the U.K. doesn't (yet) require breach notification.

As to the effects of credit card theft, which I said were low, Ross Anderson has an article at Light Blue Touchpaper, "Extreme Online Risks:"

An article in the Guardian, and a more detailed story in PC Pro, give the background to Operation Ore. In this operation, hundreds (and possibly thousands) of innocent men were raided by the police on suspicion of downloading child pornography, when in fact they had simply been victims of credit card fraud. The police appear to have completely misunderstood the forensic evidence; once the light began to dawn, it seems that they closed ranks and covered up.
See Ross's story for links and more details.

What I'd like to know is, are all those cameras helping reduce crime over in the UK?

Posted by adam on April 22, 2007 at 3:36 PM in ID Theft, Liberty, background checks.

January 25, 2007

I'm Glad I'm a Beta!

(Posted by mordaxus)
27B Stroke 6 tells us of a story. The domain SecLists.org was removed from the net by GoDaddy, its registrar.

Why? Because MySpace complained. Its owner has a mailing list archive, and it has some stuff in it that pissed MySpace off -- security information about phishing attacks. That's well and good, but GoDaddy yanked the whole domain!

Now we find out that GoDaddy gave its owner an hour to respond, when the data had been there for nine days. Well, that makes everything much better. Their rationale? We have to ProTeCT tHe chILdrEN!!! And on top of it all, it turns out that it was actually about one minute, showing that GoDaddy went to the same math school that Verizon did.

I actually don't care much about the details, which you can read here.

I'm willing to agree on the very little I know that the offending posts oughta go, but I think they massively over-reacted, and are compounding the over-reaction with more over-reaction.

I can tell you that never have I ever been so happy to be a lazy slug who has never gotten my domains off of Network Solutions! Many people have hectored me to change for years, but it's a pain and I never really liked the GoDaddy Super Bowl ads, either. I always defended myself by saying that having your domains with NetSol is like having your long distance with AT&T. They're the devil you know.

I'm so happy to find out I made the right decision. Thanks, GoDaddy! And to all you who have made fun of me for years -- Hah! You alphas work so hard, I'll bet it will be easy to switch.

Posted by mordaxus on January 25, 2007 at 7:06 PM in Current Events, ID Theft, Legal, Liberty.

January 22, 2007

Funniest Spam of the Week

(Posted by mordaxus)
Hmmm, what to do, what to do? This is so funny on so many levels. How can you not like a phishing attack where the hook is a poll based on eBay being closed because of so many phishing attacks?

January 19, 2007

Dear eBay Community:

We have decided to close eBay on 27 February 2007 due to the repeatedly abuses on our company. We ask your opinion on this matter and we want to know if you agree with us or disagree. Below you can make your choice.

If you want eBay to stay open click YES otherwise click NO. Your opinion is very important to us. If 50% of the eBay members vote positive eBay stays open otherwise it will be closed.

Regards,
eBay Team

Posted by mordaxus on January 22, 2007 at 3:19 PM in Amusements, ID Theft.

January 15, 2007

Security Through Obscurity, The Next Big Thing

(Posted by mordaxus)
PCMesh, a Canadian company, has something Better Than Encryption.
Encrypted files are still visible on the hard drive. This makes them vulnerable to attack from anyone who is interested enough in the content of the files to spend time trying to decipher them. And with more and more hackers intent on defeating modern encryption algorithms, a need exists for a better type of protection.

In addition to rapidly becoming obsolete, current encryption programs are slow. It takes as long as 10 minutes per 200 MB to encrypt or decrypt a file, while PCMesh Hide Files and Folders executes instantly regardless of the file size or number of files/folders being protected. Just one click is all it takes to render any file or directory invisible.

Yes, that will stop all those data breaches. We'll just hide our files, and when the machine is stolen, the identity thieves will simply not be able to find the files. I feel better already, don't you?

via El Reg, photo courtesy of killermonkeys

Posted by mordaxus on January 15, 2007 at 9:11 PM in ID Theft, breach analysis, information security.

January 14, 2007

New Year's Resolution Dept. — Protecting Against Identity Theft

(Posted by mordaxus)
It's the MLK Day holiday weekend. That means that one's headache has subsided to the point that one can no longer hear one's nose hair growing, and the cat is padding rather than stomping. It also means that it's time for New Year's Resolutions!

If yours is to get better control over your information privacy, particularly as it relates to identity theft, here are some effective steps you can take:

  1. Buy a shredder. Ninety percent of information theft is still low-tech and comes from dumpster-diving, etc. When we infosec people go on and on about breakins and disclosures, we are the equivalent of transportation safety wonks talking about airline safety. It's an exciting spectator sport, but for real safety, just internalize that when that traffic light turns green, it means that someone in a hurry has floored it and is about to enter the intersection.
  2. Drop off your outgoing mail at the post office, not in your home mailbox. The reason is the same. The best way for someone to get valuable information about how to pretend to be you is to rob your outgoing bills.
  3. Consider on-line bill-paying. As I said above, worrying about on-line security as opposed to paper security is like worrying about aviation security as opposed to automotive security. On-line bill paying moves you to a lower risk activity that is perhaps scarier because it's less in your control, but it is genuinely safer.
  4. Get rid of extra credit cards. It lowers your vulnerable profile.
  5. Don't perform financial transactions on your mobile phone in a public place. I have never been fond of mobile phones, but I've adapted. I travel a lot and often hear what people say loudly into their phones. Don't recite your credit card number loudly, or your brokerage account number. Keep an eye on who can see your laptop screen, too. As a wise man once said, there are vultures everywhere.
  6. Lastly, there's the whole issue of password security. While this could start a whole debate by itself, don't use the same password for junk sites as for financial ones.

Photo courtesy of motoed.

Posted by mordaxus on January 14, 2007 at 11:56 PM in Economics, ID Theft, Security.

January 13, 2007

Credit Card Data Over AOL IM

(Posted by arthur)

From the files of "too good to make up", DavidJ.org reports a story from a couple of years ago about his credit card data being sent over AOL Instant Messenger. Essentially he bought some merchandise at a shop which didn't have a point of sale terminal, so the clerk was IMing all the credit card data to a friend who had one, who would then run the credit card info for him.

[Via NoticeBored]

Posted by arthur on January 13, 2007 at 12:29 PM in Amusements, ID Theft, breaches, information security.

January 10, 2007

What Congress Can Do To Prevent Identity Theft

(Posted by mordaxus)
Seventy percent of Americans think we need more laws to protect them from identity theft and all that.

I can think of a situation we need protection from. Here is a scenario. Let us take the case of a lender, Larry. We need a law to make it so that if Larry lends money to Alice, he cannot try to collect it from Bob. That's all we need. If we have that, we'll have all the legal protection we need to solve identity theft.

The threat of identity theft comes from Larry's business practices. Larry wanders around hawking credit. "Yo, Alice, Bob, either of you want to borrow some money for lunch? A car?" There are a lot of advantages to easy credit, but disadvantages as well. In addition to the usual ones of people amassing too much debt (whatever that means), identity theft is actually the result of easy credit.

Perhaps Larry is nearsighted, perhaps Larry is stupid. Perhaps Larry is dumb like a fox. However, what happens is that Alice borrows money from Larry and says, "I'm Bob." Larry marks that down, and then goes and hits up Bob for payment. Bob is understandably confused.

That's it, that's the security scenario of identity theft. We're going about solving it the wrong way, because the real cause of identity theft is Larry's business practices. I can (and probably will, in a future post) tell you how to reduce the chances of identity theft. These are actionable suggestions; they are things you can actually do. None of us can presently deal with the real problem, so we have to make do.

There is nothing in law, morality, or ethics that requires Bob to pay up when Larry lends to Alice. Unfortunately, we've all let Larry get away with it. We've made it be Bob's problem, when it isn't. Let's make no mistake here, Alice is committing fraud. But Larry is the enabler, and really not only owes Bob setting the record straight, but reimbursement for the trouble Bob had to go to because Larry is stupid (even if it's stupid like a fox).

If Congress wants to do something for consumers, it would be to require lenders to be responsible. Yes, this would crimp their style. For example, one bank sends my household mail for pre-approved credit cards at a rate of more than one per day. We used to shred them, but now we package everything up in the business reply envelope and send it back to them. Perhaps it would be part of the slow slide into tyranny for the nanny-state to effectively prevent banks from sending 400 credit-card offers to a single household per year, but the right to swing your arm stops at my nose, and the right to beg, plead, whine, and wheedle me to borrow more stops when you can't tell Alice from Bob.

An alternative solution would be for some ambulance-chaser to file a class action lawsuit. I think that it could be extremely successful, properly done. Contract law covers these cases, or at least it's mystifying to me why it doesn't.

Apparently, however, it seems that our current legal system does not support this intuitively obvious notion that bad business decisions do not create liability on some third party. If Congress wants to help people, it will do something simple and sane. It's not Bob's fault that Larry is stupid. Photo of Larry The Lender courtesy of jonmc.

Posted by mordaxus on January 10, 2007 at 11:44 PM in ID Theft, Legal, Liberty, personal security.