Choicepoint Roundup, June 30

  • We open with two articles, “ChoicePoint overhaul falls behind” (June 24) and “ChoicePoint overhaul completed, company says” (June 30). From the latter:

    “In fact, we’ve gone beyond our announced commitments to make substantial changes in the past 90 days,” ChoicePoint spokesman Dan McGinn said in an e-mail late Tuesday.

    The Alpharetta, Ga.-based data broker is clarifying its position after a spokeswoman told on Friday that the transition process was ongoing and that it would be some time before the company could announce its completion.

    “ChoicePoint has absolutely fulfilled its obligation to do what it said it would do in the 90-day period,” McGinn said, noting that the company has actually gone beyond the goals it initially set for itself.

  • Techdirt reports that “IRS Hires ChoicePoint To Leak Your Info.”

    In related news, Choicepoint announced that they didn’t even have to notify California customers, because the law says to notify when “any one or more” of the data elements are exposed, not “all.” (Speaking of Choicepoint announcements, we never hear from spokesperson Chuck Jones anymore.)

  • Finally, Declan McCullagh reports on the predictable effect of six months of “self-regulation,” in “Senators propose sweeping data-security bill.” It’s probably a nasty law that will be expensive to implement and cause large amounts of collateral damage. But it’s probably also better than what we have now. I have not yet read the proposed law. [Updated for clarity, fixed URL. Thanks, RS!]
  • On the bright side, I bet Choicepoint would do a better job than the U.S. Citizenship and Immigration Service, which thinks that fingerprints expire every 18 months. Read “Fingerprint Mystery: They Don’t Change, But They Do Expire” in the Wall St Journal. (Thanks, DM!) [Update: See extended entry for excerpts of WSJ article.]

Chase Manhattan and Textual Interpretation

Ray Everett Church picks up on a story, “Shouldn’t The CardSystems Victims Be Notified?” from Ed Foster, showing that Chase Manhattan bank has failed to read the text of California’s SB 1386. Ed writes:

“Even the strictest of laws, like the one in California, require more identifying information like the individual’s social security number or an account password be involved,” [a Chase spokesman] told me. “None of those things were accessed in this case.”

And now, the law:

(e) For purposes of this section, “personal information” means an
individual’s first name or first initial and last name in combination
with any one or more of the following data elements, when either the
name or the data elements are not encrypted:
(1) Social security number.
(2) Driver’s license number or California Identification Card
(3) Account number, credit or debit card number, in combination
with any required security code, access code, or password that would
permit access to an individual’s financial account.

That seems remarkably clear to me. Many other states have similar laws, some of which have trap-doors such as “if the institution doesn’t think the consumer will be affected.” As I’ve commented before, the institution has just demonstrated their security competence, so why we’re letting them compound it is beyond me.

Must be a side effect of living in upside-down land, where the law is what we want it to be, not what the text clearly states.

Cardsystems Auditor

I can’t find the blog that discussed the irony of a Visa spokesperson claiming that PCI worked because of the auditor’s need to put their reputation on the line, but then refusing to name the auditor. According to the New York Times, in “Weakness in the Data Chain,” it was Cable and Wireless:

In December 2003, CardSystems hired Cable and Wireless America as its outside computer systems security auditor.

“We followed the Visa rules to the letter and the people who did the work are longtime security experts,” said Bill Hancock, a security executive who oversaw the audit. He said CardSystems spent months upgrading its systems before the auditors submitted a report to Visa; CardSystems was certified in June 2004.

The Funeral of an American Soldier

I don’t care what you think of the conduct of a war, or what you think of the reasons we’re involved in that war. The funeral of a soldier is no place for political protest, except, perhaps, maybe, if that soldier is a direct family member.

The behavior of a dozen assholes from Kansas at the funeral of Army Staff Sgt. Christopher Piper was despicable:

The 14 demonstrators from Westboro Baptist Church in Topeka, Kan., picketed Monday on a corner near the Old North Church, a Congregational parish founded in 1635, soon after Marblehead was settled. The followers of the Rev. Fred Phelps, who blame American tolerance of homosexuality for the Sept. 11 attacks and the resulting U.S. military casualties in Iraq and Afghanistan, have targeted Massachusetts for protests because it is the only state where same-sex marriage is legal.

Shirley Phelps-Roper, a lawyer for the Kansas church, said Monday that the funeral demonstration was nothing personal against Piper, who was not gay.

“We are protesting the sins of this nation,” Phelps-Roper said. “That doesn’t exclude him.”

On the corner of a narrow street lined with Colonial-era buildings, the Kansas contingent tried shouting its anti-homosexual message at mourners who overflowed from the church. But every time demonstrators spoke out, the 14-man Boston Police Department bagpipe band broke into thunderous sound.

The Kansas group, which had been issued a two-hour protest permit, was escorted out of town by police minutes before the horse-drawn caisson carrying Piper’s flag-draped coffin arrived at the church.

“When we heard about the protesters, we became very angry,” said Bill Audette, a retired police officer and organizer of a central Massachusetts group called Blackstone Valley Nam Vets. Audette, 55, said even though he did not know Piper, he considered it his duty to attend the funeral.

From the LA Times, “Protest at Soldier’s Funeral Brings a Massachusetts Town Together.” Via Sivacracy.

Iran’s New President a “Moderate”

“After all, he didn’t kill his hostages…”

London, Jun. 29 – Iran Focus has learnt that the photograph of Iran’s newly-elected president, Mahmoud Ahmadinejad, holding the arm of a blindfolded American hostage on the premises of the United States embassy in Tehran was taken by an Associated Press photographer in November 1979.

Prior to the first round of the presidential elections on June 17, Iran Focus was the first news service to reveal Ahmadinejad’s role in the seizure of the U.S. embassy in Tehran.

The identity of Ahmadinejad in the photograph was revealed to Iran Focus by a source in Tehran, whose identity could not be revealed for fear of persecution.

Oh, wait, he didn’t kill hostages, but did he help execute political prisoners?

Defectors from the clerical regime’s security forces have revealed that Ahmadinejad led the firing squads that carried out many of the executions. He personally fired coup de grace shots at the heads of prisoners after their execution and became known as “Tir Khalas Zan” (literally, the Terminator).

I have no idea what biases Iran Focus may be bringing to this story, which quotes mainly anonymous sources.

(From Iran Focus, via JihadWatch. Photo credited to AP, November, 1979. IranFocus has a larger version.)

[Update: If this is of interest, be sure to see The Jawa Report, who has more photos and links in “State Sponsor of Terror Has Terrorist as President: President Elect of Iran Involved in U.S. Embassy Hostage Takings.”]

The FTC and BJs Wholesale

The FTC has recently issued a consent order to BJ’s Wholesale Club in response to this complaint. The FTC, unfortunately, is the body charged with protecting consumers from ID theft. They are failing to rise to the challenge. This is obvious from the continued growth of ID theft. It is obvious from FTC Chair Deborah Platt Majoras’ testimony before Congress, saying that a company should only have to notify customers of mistakes if the company thinks it could be a problem. Now, the companies in these cases have just, prima facie, demonstrated a lack of security competence, which the FTC would like to allow them to compound, at your expense.

So BJ’s, under the consent decree, is allowed to continue doing things like saying “PHOTO ID REQUIRED upon first visit” (from their “Join the Club” page), or, from their new privacy policy, “We collect personally identifiable information (such as your name, Membership number, address, e-mail address, telephone number and driver’s license number).”

BJs has demonstrated that they could not protect this information. That’s why they’ve entered into a consent decree. So why not forbid them from collecting such information? Why not say “You can’t collect information beyond what is needed to execute a transaction?” If I show up and say my name is John Doe, and I’d like to pay cash, why can BJ’s turn me away?

Sure, they have a “business model” that they’d like to preserve. And they’ve demonstrated that they are not responsible with the data that they collect. The information they collect is issued by, and certified by, the government, and the FTC should say, “Sorry, you must be at least this competent to maintain a collection of this sort of data.”

A second problem with the consent decree is the use of a security auditor. The auditor will look at issues from the company’s perspective. But the issue here is externalities, where the company is making poor choices for their customers, not for themselves.

Finally, there is no requirement that the auditor’s report be made public, and given past comments by Majoras about “public confidence,” every reason to believe that they will be kept private, however bad they are.

If you’d like to preserve your business model, it can’t involve dumping toxic waste into the river. It also can’t involve mandatory collection of data you can’t protect.

(Via Daniel Solove, “Is the FTC Finally Getting Serious About Security?” )

Equifax CEO: ID Theft is an epidemic

But [Equifax CEO] Chapman acknowledges Equifax has “no silver bullet” when it comes to thwarting fraud. One popular belief is that checking a credit report once a year is a defense. That doesn’t protect consumers, Chapman said.

“It’s not going to help and the public is starting to learn that,” Chapman said. He decried the government’s plan to force Equifax and the other top three credit-reporting agencies, Experian and TransUnion, to provide annual credit reports free of charge.

“I’m all for good laws, laws that protect people. But this isn’t one of them,” said Chapman, who also opposes the law because it forces the companies to give away their product, which he called “un-American.”

What Chapman wants to see are stricter standards for data storing, including mandatory encryption. He also spoke in favor of a new method of identifying people other than by Social Security number.

You know, maybe you could stop blaming the victims of fraud by impersonation, stop enabling the crime by allowing all Americans to freeze their credit, and add a comprehensive program to stop libeling people who are victims of the crime?

(From Associated Press, Equifax CEO: Identity Theft Is an Epidemic.)

Fingerprint Privacy

There have been a slew of stories lately about fingerprint readers being tied into payment mechanisms. I don’t particularly like the idea, but if you do, feel free. At least until your lack of care about privacy starts displaying externalities. Many of these vendors are making claims like

it is not possible to recreate the fingerprint from the stored template

However, as Ross, J. Shah, and A. K. Jain show in “Towards Reconstructing Fingerprints from Minutiae Points,” that just ain’t so. You can reconstruct fingerprints from minutiae, and they both describe and demonstrate that. Which is to say, the biometrics vendors who persist in making these claims are either ignorant or liars.

As Andy Adler points out in “Images can be Regenerated From Quantized Biometric Match Score Data,” you can do the same with faces. (Adler’s technique is very different, using the server for repeated queries; cryptographers would call that an oracle.) Adler was also kind enough to respond to a query about fingerprints with a pointer to Ross, Shah, and Jain’s work. The Adler paper was pointed out to me by Daniel David Walker. And finally, the fingerprint is from

UK ID Cards, Choicepoint, and Privacy

Usually, government ministers wait until a new program has been rolled out before they start reneging on their promises of how it will work. But in the brave new world of UK ID cards, they’re being honest. As the Independent reports in “Ministers plan to sell your ID card details to raise cash”:

Personal details of all 44 million adults living in Britain could be sold to private companies as part of government attempts to arrest spiralling costs for the new national identity card scheme, set to get the go-ahead this week.

The opening of commercial talks contradicts a promise made when the Home Office launched a public consultation on ID cards in April last year, when officials pledged that “unlike electoral registers, the National Identity Register will not be open for any general access or inspection.”

Any guesses as to who’ll be first in line? (I already gave you a hint in the title.)

Meanwhile, Stefan Brands has a four-part summary of the LSE analysis of the new ID card system: Part I, Part II, Part III, Part IV. Summary of the summaries: the proposed system was designed by companies selling “enterprise” software with no concern for, or thought given to, the appropriateness of that software for national ID use.
(UK ID tidbit via Pacanukeha’s “It’s all about Control.” ID card from ID Unknown)

A Privacy-Openness Tradeoff

In “Adoptees File Human Rights Complaint Against Canadian Privacy Commissioner,” reports on a dispute between the parents and children, mediated by the state:

A group of Ontario adoptees has filed a human rights complaint against Privacy Commissioner Ann Cavoukian after she lobbied the province to amend its proposed adoption disclosure law with a clause allowing people to keep their records sealed. By calling for a veto, Cavoukian “is trying to say that we do not have an automatic right to our birth registration information,” said Wendy Rowney of the Coalition for Open Adoption Records.

I find this interesting first because of the human dramas it represents, of people wanting to know about their heritage, and the conflict with parents who make a mistake, choose to bear a child, but want no part of raising that child. (There’s also an interesting tie to Roe v. Wade, which you may recall was based on a woman’s right to privacy.)

The second thing that makes this interesting is that it’s an outgrowth of the government collection of data. Before the growth of centralized records, a baby ‘left on the church steps’ could be truly anonymous. There were no records to be had, except possibly in people’s memories. If a family was wealthy enough to send a daughter some distance, she could go under an assumed name, return, and perhaps get on with her life.

These multiple-person privacy issues are extremely hard. A related example: what happens if a sibling gets a genetic test? A great deal about me can be inferred. Should I have a data protection right in that test result? What if two siblings get tested, and the data holder starts performing family inferences?

Choicepoint, Two Minutes Hate

This was going to be a roundup, but heck, there’s a backlog of hate, and I must post.

  • Under the headline, “Who let Jeb Bush and ChoicePoint into the UK?” ‘Brother Rail Gun of Desirable Mindfulness’ points to a BBC story, “Hundreds wiped off vote register.”
  • An oldie-but-I-hadn’t-linked: Adrift at Sea comments in “Bleeding Edge Technology:”

    I don’t know if ChoicePoint or any of its subsidiaries are actually involved in the development or deployment of the new passports for the United States, but given the track record of DHS and of these companies, I would rather stick with more basic, less technologically advanced security methods for now.

  • Juxtaposition asks “A message to ChoicePoint customers: just how helpful is the data you are buying?:”

    A great point that has been lost in a lot of the reporting. Just how useful is the service they provide when they were spoofed over 50 times by fraudulent users?

    These companies always beg the question of which entities are authorized to be their customers to “legitimately” obtain this kind of sensitive data about people? What would stop me from paying to get the data on anyone they had? What criteria would they establish to prevent just anyone from getting at this data? Or, do they not care as long as you have the cash?

  • Unmarketing has a long post, which I’ll excerpt unfairly:

    In fact, it was a passing remark made by a ChoicePoint representative, who said, in effect (because I didn’t write it down):

    Americans have the right to privacy, but no longer have the right to anonymity.

    As a private citizen, this made me blanch. This made me sick. This, in short, pissed me off.

    He also points to Infinisource, who, back in 2001, examined her Choicepoint file in “A Sample ChoicePoint FBI Dossier:”

    Just for fun, if a rough accounting of the report I received is done by giving each correct entry a point, deducting a point for each error and ignoring omissions then my ChoicePoint report was only 56% accurate.

  • No link, but in the Wall Street Journal Monday June 13, there’s a story on Wal-Mart “rescinding” its retirement package for ex-executive Thomas Coughlin. Coughlin’s package was worth about $12m. Coughlin has not resigned from the board of…Choicepoint.
  • If you think hatred of Choicepoint is only here, take a gander at the LiveJournal “Awake and Dreaming – Still far from shores I’ve yet to reach”:

    I’ve been getting a lot of attention from ladies online recently. I’ve been talking to one for about a week who lives in Gwinnett. The only problem is she works for Choicepoint (for those of you who don’t know, that’s the company that got in trouble for selling lots of people’s personal information to people posing as government entities or something), and although she’s not ugly, she doesn’t attract me too much.

  • To close, in stark contrast to the outpouring of hate for Choicepoint, we offer up Two Minutes Hate from Choicepoint employee Jason Fayling, blogging at “Dude, Where’s My Car?” Jason offers up “Linux Sucks:”

    I have been playing around with Linux lately. Specifically Red Hat FedoraCore 3. Let me tell you, for those who fear Linux will overcome Windows. Fear Not! Linux Sucks! I spent my entire weekend last week trying to install that piece of junk. I finally got it to install after my 7th attempt, but even still, my sound card doesn’t work. Granted, I am trying to run Linux inside Microsoft Virtual PC 2004, a virtual machine software, but that is because I am not willing to do a dual boot from my laptop. I had to get a hacked Linux kernel to get it to run within the virtual machine. What amazes me is how anybody gets anything done in Linux at all. There are so many CRYPTIC commands. For example, if you want to rename a file in Linux you use the mv command. What the heck is that all about?

U Connecticut, 72,000 SSNs, Hacker

A computer containing personal information such as Social Security number and name was breached by an unauthorized intruder. Although there is no evidence indicating that this personal data was accessed or extracted, the University of Connecticut is contacting everyone whose identity may have been put at risk.

The breach occurred on October 26, 2003. It was detected on June 20, 2005. The attack took advantage of an insecure service, for which no vendor patch was yet available. Careful analysis of the computer indicates that the original compromise was incomplete.

From “The University of Connecticut issues ID alert about computer security incident.” See also “UConn Server May Have Been Breached,” which contains the interesting tidbit:

The hacking incident came to light after UITS received notification from a non-University corporation that an invalid logon attempt had originated from a computer within the University of Connecticut domain. This automated notification was investigated by UITS technical staff, Kerntke said, and they found that an unauthorized program, known as a rootkit, had been installed on a UITS data center server on Oct. 26, 2003.

Kerntke said that the attack took advantage of a vulnerability in the server that was unknown at the time of the breach to the University or the manufacturer. A patch has subsequently been developed by the manufacturer to eliminate security breaches. Kerntke noted that the personal information on the server was not easily accessible.

“The nature of the compromise indicates that the server was breached during a broad attack on the Internet and not the target of a direct attack. Therefore, the attacker most likely had no knowledge of the kind of data stored on the server,” he said.

They seem to be claiming that they were attacked by 0day (unannounced vulnerabilities, in this case found by malicious attackers), and that 0day was embedded in either a worm, or a bulk scanning tool, rather than executed by hand.
Some security analysts claim that that doesn’t happen, or hasn’t happened yet. They claim that attacks are dependent on information garnered from patches and advisories. That claim has always been false: I know a great many people who’ve been attacked by clever new attack code, but the details have always been confidential. One final bit:

“We are doing everything we can to prevent this from happening again in the future,” he said, noting that the University is reviewing its dependence on social security numbers as a unique identifier, auditing other servers and departments …

If your organization hasn’t started that review, what are you waiting for? An engraved invitation?
(Via Farber’s IP list.) [Updated 0day paragraph substantially shortly after posting.]

TSA Lies, Could Face Time Fines

Homeland Security officials who defied Congress and misled the public by creating secret files on American citizens while testing a new passenger screening program may have engaged in multiple counts of criminal conduct, and at least one employee has already lied to cover-up the misdeed.

Read “TSA Lies, Could Face Fines” at Secondary Screening.

Pictured is Acting Assistant Secretary Kenneth S. Kasprisin, who is allowing his subordinates to break the law. Kasprisin has failed to take basic measures, like calling for the program to be halted, or speaking out against lawbreaking by his employees.

In ironically similar news, Nixon patsy and acting FBI director at the time of Watergate, L. Patrick Gray says he felt betrayed by the disclosure that his #2 man Felt was Deep Throat. Mr. Gray contributed to White House obstruction of justice by feeding FBI documents to John Dean. Mr. Gray also failed to prevent wrongdoing by those around him.

It was, of course, the Watergate scandal that led to the Freedom of Information law which is being used to prise the truth out of the TSA.

FinCen (IRS), Potentially tens of thousands, Complacent Bureaucrats

The U.S. tax agency — whose databases include suspicious activity reports from banks about possible terrorist or criminal transactions — launched the probe after the Government Accountability Office said in April that the IRS “routinely permitted excessive access” to the computer files.

The GAO team was able to tap into the data without authorization, and gleaned information such as bank account holders’ names, social security numbers, transaction values, and any suspected terrorist activity. It said the data was at serious risk of disclosure, modification or destruction.

“There is no evidence that anyone who was not authorized accessed the data outside the GAO,” said Sheri James, a spokeswoman for the Treasury’s Financial Crimes Enforcement Network (FinCEN), which is working with the IRS to address the concerns of the GAO, the investigative arm of Congress.

There’s also no evidence that the GAO investigators were detected. That raises the question: are drug dealers and terrorists tapping into this database, perhaps via the very capitalistic Russian organizations, and if they are, would FinCEN have noticed?

It also raises the question of “Who’s going to get fired for this?”

Hah. Just kidding. We all know that failure to protect prole data doesn’t cost anyone anything.

(Reuters, thanks to Samablog for the pointer.)

CVE Content Decisions

The fine folks at MITRE have published “CVE Abstraction Content Decisions: Rationale and Application:”

This document is intended for use by Candidate Numbering Authorities (CNAs) and may be of interest to vulnerability researchers, maintainers of vulnerability databases and other CVE-compatible products and services, and technical consumers of vulnerability information on a large scale.

Via OSVDB Blog, because somehow someone (pictured) didn’t tell the editorial board.