Mangle those cell phones?

OK. Right off I am *not* advocating physical destruction of old recycled cell phones. This post (Mangle those hard drives!) at my primary security blog, ThreatChaos, got a lot of reactions when I suggested that physical destruction of hard drives was the best policy in lieu of a well managed data wiping process. That was sparked by the news that computers being re-sold in Nigeria were being used to harvest bank account information which was then sold to attackers.
Now, Trust Digital has demonstrated that most phones are not properly scrubbed before being offered for sale on eBay. They purchased ten cell phones and proceeded to extract all sorts of data from them. Read the whole story from the Associated Press article. There is a great quote from Howard Schmidt who types his password incorrectly 11 times to cause his cell phone to self destruct. Of course Trust Digital was demonstrating the need for their products which are justified in the corporate world.
For personal protection? I would mangle the flash memory of all un-needed cell phones. Incinerate? Acid bath? Microwave? All good. But unless you are worried about the NSA recovering your info I would just take it out to the garage and whack it with a hammer on your anvil. Don’t have an anvil? I can lend you one of mine. 🙂
Can’t get the flash memory out of the phone? Hit the phone with a hammer until you can find the chip. Then proceed to instruction 1. above. (Always wear safety goggles when hitting things with hammers).

Several On MS Software

First, don’t miss the great series of posts on the “Excel 2007 Trust Center.” There’s some really good thought on security and usability in there. (While I’m at it, after two months of using ribbons, the idea of going back pains me. It really does. I had that “WTF did you do to my screen space?” reaction at first, now I love them.)

Next, check out “Lightweight Data Exploration in Excel” at the excellent Juice Analytics blog:

For instance, REPT("X",10) gives you “XXXXXXXXXX”. REPT can also repeat a phrase; REPT("Oh my goodness! ",3) gives “Oh my goodness! Oh my goodness! Oh my goodness! ” (my daughter’s an Annie fan).

For in-cell bar charts, the trick is to repeat a single bar “|”. When formatted in 8 point Arial font, single bars look like bar graphs.


On a less complimentary note, see “Death By Powerpoint:”

The Iraq disaster did not happen because someone in the JTF-IV planning group or the Office of the Secretary of Defense (OSD) couldn’t write a good PowerPoint presentation. The problem was that anyone used PowerPoint to plan a war.

Via Marty Lederman’s “The Evil That Is PowerPoint (or, How We Lost the War),” which concludes:

Exception that proves the rule: I must concede that Yochai Benkler’s PowerPoint presentation last year at the Yale Constitution-in-2020 Conference was really engaging and fun — informative, even. So there is hope.

This “evil” actually pre-dates the current Secretary of Defense, and it even pre-dates Powerpoint. The Army has long had a tradition of briefings in which foils replaced well-reasoned essays. For example, all of the work of John Boyd was done as sets of foils, which were available as scanned photocopies. Those were manually redone as powerpoint slides. The issue isn’t the tool, it’s the culture that expects a presentation can replace other forms of communication.

This is particularly disappointing in Boyd’s case, because I’m really interested in how to apply his work to information security, and all we have is sentence fragments. It’s tough to blame that on a tool which didn’t exist when he did his work.

Also, last week, Presentation Zen had a really good roundup on presentations, entitled “Is it Broken,” which touches on a lot of these issues. Finally, I should mention, MS PR had a chance to look at this post, because, well, I’m discussing our software, and it seemed like the right plan.

[Update: For some reason this post has become a spam magnet; I’ve closed comments, but will happily take them for publication, via email.]

On Terror and Terrorism

“Is There Still a Terrorist Threat?” asks Foreign Affairs. Bruce Schneier considers “What the Terrorists Want,” and also offers up a useful roundup of “Details on The British Terrorist Alert.” In that details space, Phil offers up thoughts on what a “Temporary Flight Restriction” meant to his travel. Meanwhile Kung-Fu Monkey asks “Wait, Aren’t You Scared?” while Moshe Yudkowsky thinks that “Fear Is a Healthy Reaction to Terrorism.”

John Quarterman doesn’t think you should be scared, even if it makes sense to think of “Terrorism as Theater.”
I think John’s point that terrorism is theater is often forgotten, and not giving the terrorists extended ovations for their performances is an important part of the solution.

Outsiders! Insiders! Let’s call the whole thing off.

I have no idea whether outsiders or insiders are responsible for more losses, and while the topic is somewhat interesting, it seems to me to be something of a marketing-generated distraction.
I’ve worked in environments where I am absolutely certain that insiders were the predominant threat, in environments where they probably were, and in environments where they probably were not. In no case would I have been able to conclude this from criminal prosecution data, which is what one report relies on to support its conclusions.
My point is that regardless of what the aggregate “threat landscape” looks like, there is no substitute for knowing your own environment, and for proper threat modeling and countermeasures.
[The image is part of a screenshot from, circa February 22, 2005]

Are Things Out of Whack?


In North Dakota, the state agricultural commissioner, Roger Johnson, has proposed allowing () farming, and has been working with federal drug regulators on stringent regulations that would include fingerprinting farmers and requiring G.P.S. coordinates of () fields.

“We’ve done our level best to convince them we’re not a bunch of wackos,” Mr. Johnson said.

The quotes, with a single word replaced by (), are from the New York Times story, “California Seeks to Clear Hemp of a Bad Name.” Whatever you happen to think about the criminalization of plants and their products, I hope it’s clear that when we’re talking about fingerprinting farmers in order to convince someone that “we’re not wackos,” something is out of whack.

Photo: “Picking Stuff” by Lynt.

Air Safety: Terrorism and Crashes

There have been two fatal air accidents this week, one in Ukraine in which 170 people died, and one in Kentucky, in which 50 people died. In neither case is terrorism being blamed as I write this.

The safety engineering that makes air travel so safe is astounding. The primary activities, from pilot training to maintenance to operations, are all excellent, and they’ve gotten there through a well designed feedback loop that analyzes every error. (oh, to have such a thing in information security! Errors being made public!)

Given that the air safety loop is so good already, and given the enormous resources being put into measures of dubious effectiveness, I’m curious: Would those resources be better spent further improving general aviation safety, or are they relatively well deployed in the areas of passenger and luggage screening?

PS: I know I have readers who are deeply interested in aviation safety. Can I ask you to provide some good links for further reading?

Poll: 58% approval rating for Bush among voting machines


WASHINGTON – Despite mounting public criticism of his administration’s handling of Iraq and the war on terror, 58 percent of voting machines approve of the way Bush is handling his job according to the latest poll by Shamby and Associates. This is in contrast to the 42% approval rating he has among human beings from polls conducted in the same time period.

“We’re very encouraged by these numbers,” said Karl Rove, Bush’s chief political advisor. “Voting machines across America, especially in the contested Congressional districts, are likely to stand with Bush against the forces of terrorism and extremism this election cycle.”

From Democratic Underground.

Hamming it Up

(or “The New York Times Gets Self-Referentially Ironic”)

… he recognizes that plenty of people must think that rounding up friends and family members to go in on a thousand-dollar ham that he envisions hanging in his living room is crazy. But food lovers like him understand, he says. And in the end, the elaborate narrative of the ham (the way it is produced, his advance payment, the visit to the picturesque town in western Spain where it’s made) is a thing to be savored almost as much as the meat itself. “I must say,” Saltzman adds, “I’ve gotten incredible mileage out of the whole ham story.”

Indeed you have, Mr. Saltzman, indeed you have.

The image is from La Tienda, who are charging $1200 for a (roughly) 15 pound ham, or roughly $80 per pound, which, frankly, doesn’t sound nearly so bad. It’s in range with foie gras, and it’s even legal in Chicago.

Mea Maxima Culpa

In posting yesterday about Debix, I should have disclosed that I have personal and financial relationships with the company.

In addition, I was one of the 54 people in the test, and my fraud alerts did not set properly. I should have disclosed that as well.

I apologize for the oversight.

My thanks to Mr. X for commenting that I didn’t seem my usual skeptical self in my posting. I had planned to disclose this in the post, as I have in prior mentions of Debix (“Does Lost Data Matter,” and “Introducing Debix.”). For clarity, I am no longer on Debix’s Technical Advisory Board. As I said when I announced that I’m Joining Microsoft, “I want to be clear that [the decision to leave advisory boards] is about the tremendously cool opportunity within Microsoft, not a lack of confidence or enthusiasm for the companies I have had the pleasure of working with. I remain enthusiastic, and wish all of them great success.”

An Odd IDology

So over at the “ID Space,” jdancu (who I assume is John) writes some responses to questions I posted to Kim Cameron’s blog. The article is “Knowledge Verification In Practice…” Kim also has a response, “Law of Minimal Disclosure or Norlin’s Maxim?”

Since this is part of a continuing conversation, let me summarize by stating that I don’t think any of my questions have been clearly answered, and I think John’s use of language is substantially divorced from mine, and, I think, from general usage.

I’ll start with consent. I wrote: “[These systems] are non-consensual for the consumer. Companies such as IDology make deals with other companies, such as my bank, and then I’m forced to use the system.”

First, because we (the consumers) have voluntarily submitted our information with the intention of entering into a business transaction, we have given our consent for the business to verify the information we’ve presented.

That’s an odd definition of consent. I’ve submitted information which I hope will be used to fulfill a transaction. I have not consented* to transferring that data to a third party for ‘verification’ or analysis. I’ve consented to the reasonable and predictable uses of that data, which don’t, in my professional and personal opinions, include grubbing through other databases. What if I don’t consent to having the data verified?

Let me tell you, having just moved, my data doesn’t “verify.” The databases are wrong, out of date, and confused. I am forced to feed them a pack of lies in order to get anything done.

More after the break.


40% of Fraud Alerts Don’t Propagate

[Update 3: I should have disclosed affiliations with Debix in this post. See “Mea Maxima Culpa.”]

Debix is reporting that 40% of fraud alerts don’t propagate between all three major credit agencies. You remember those fraud alerts? They’re supposed to protect you from identity theft, right? Well, let me let you in on a secret.

Identity theft is the best thing to happen to the credit agencies since the creation of the SSN.

Identity theft helps them sell more products, like identity verification tools, to their customers. It creates a new line of consumer business, people who will often happily pay them $10 a month to tell you what lies they’re spreading about you.

Is it any wonder that the alerts don’t propagate? Is it any wonder that they’ve been sitting on this knowledge?

I’m very excited about the emergence of companies like Debix, who are not responsible for the problem, but are helping us understand and fix it.

[Update: The New York Times covers this, “ID Security Company Finds Snags in Fraud Alert System.”] [Update 2: Bob Sullivan has a story at MSNBC, “Fraud Alert System Broken, Study Says.”]