Jennifer Granick’s awesome explantion

Imagine if, in the 1970s, the tobacco companies had patented devices to measure the health effects of smoking, then threatened lawsuits against anyone who researched their products.

I’ve never heard such a clear explanation of why threats to security research are bad. From “Patently Bad Move Gags Critics,” in Wired.

The same can be said of sweeping breach information under the rug. We’re better off if we talk about it.

HIDing At Blackhat

Now HID is claiming that they did not demand that Chris or IOActive cancel their talk. As a result the talk is now back on, but with the details about the device and the demo expurgated. As Chris has repeatedly said, this attack is completely generic and works against any passive RFID tag.
Additionally, Nicole Ozer, Technology & Civil Liberties Policy Director for the ACLU is also scheduled to speak after Chris to cover the privacy issues around RFID.
[Update 1: Chris: “If you even think about doing this sort of thing, have a patent lawyer”]
[Update 2: HID seems confused about what constitutes a demand. From Chris’s presentation and the original letter from HID:

We understand … that you intend to publicly present and publish additional information about your spoofer at the Black Hat convention … We believe such presentation will subject you to further liability …


…hereby demand that you refrain from publishing any information at any public forum including the upcoming Black Hat convention…

Furthermore, HID hints heavily at burying IOActive in law suits by saying:

…we will have no recourse but to pursue all available remedies against you and IOActive


impossible for HID to provide a covenant not to sue

As as result of this letter, Chris stated that he and IOActive felt that they could not risk being put out of business by the costs of a lawsuit brought on by covering the HID specific portions of the talk.
[Update 3: Quotes above are from Chris’s slides.]
[Update 4: Full text of the letter from HID has been posted by the ACLU. Also Nicole Ozer has posted her own take on the issues discussed today at Blackhat.]
[Update 5: Jennifer Granick weighs in with some scary thougts:

HID Global reportedly pointed to two of its patents for card readers — No. 5,041,826 and No. 5,166,676. The important parts of a patent are the claims. To infringe a patent, one must make, use, sell or offer for sale an invention described by the patent’s claims without the patent owner’s authorization.
Paget doesn’t sell his reader, which you can see him demonstrate here. But he did make it. So if it operates identically to the card readers described in HID’s patents, then the company’s legal threat actually makes some theoretical sense. That should scare everyone reading this.

[Update 6: Clone your verichip. This technique should work on similar RFID chips….]

Medical Privacy News

There’s a great editorial about how your prescriptions are bought and sold all over the place, “Electronic prescribing is no panacea” by Dr. Deborah Peel, in Government Health IT. Also, Health Care IT news reports that “Federal privacy panel leader resigns, raps standards:”

The leader of a federal panel charged with providing privacy recommendations for the national health information network resigned Wednesday, thwarted, he said, in efforts to develop adequate standards.

No, seriously

Somebody — I want to say Rich Mogull, but I cannot find the reference — wrote sarcastically about breach notices almost always saying “At $COMPANY we take security seriously….” as they report how, well…you know.
I just finished scanning 183 notice letters I got from New York, covering the last half of 2006. Using an extremely inelegant hack involving pdftotext and grep, I can report that a mere 35 of the 183 contain the word “seriously”.
Update: In the comments, Rich says it wasn’t him. Dan Gillmor is the leading candidate.

Rootkit on a Stick


The SnoopStick offers full realtime monitoring of another computer. It’s Vista-ready, too, which perhaps says something about Vista security, or perhaps about people who have had trouble working with Vista, or both.

Any time you want to see what web sites your kids or employees are visiting, who they are chatting with, and what they are chatting about, simply plug in your SnoopStick to any Windows based computer with an Internet connection and a USB port. SnoopStick will automatically connect to the target computer.

There is other amusing information on the web site, such as:

All SnoopStick monitoring messages are sent through our data centers, and none of the information is stored here locally at any time. Additionally, all SnoopStick messages passing through our systems are encrypted with an industry standard encryption algorithm.

Solid Oak and its employees are not able to view any SnoopStick activity sent through our networks because of the encryption used by all components of the system. You can rest assured that the information gathered by SnoopStick is only accessible by the owner of that particular SnoopStick.

What a relief! An industry-standard encryption algorithm. Wanna bet it’s in ECB mode, with known headers? And what about the IP addresses the messages are coming from, and so on. I’d love to see a security analysis of this thing. Even better would be to see what AV and anti-spyware systems will catch it, and if not then why not?

Picture of the SnoopStick shamelessly appropriated from their web site, because I didn’t want their weblogs to get the information. It’s bad enough to write about them at all.

Vote Positively With Your Pocketbook

Adam Frucci at Gizmodo is calling for action, “Putting Our Money Where Our Mouths Are: Boycott the RIAA in March.”

I don’t disagree with him on the basics. I believe that consumer revolt is a misunderstood power. If you don’t believe me, I can prove it with one TLA: DAT. If your response to that is, “Huh?” then you’ve proved me right. The details of that are another essay, however.

However, there’s more to it than that. Boycotts are not as effective as purchase-shifting. If you just don’t buy any CDs, then one line in an accountant’s ledger will go down. The conclusion they’re going draw is that this means they have to hold tighter to what they have. There are no atheists in foxholes, but there are clinchpoops, and they clinch their poop tighter.

Subscribing to eMusic is good idea. If you haven’t, do so. If you regularly buy music, you will find enough things on eMusic that the monthly fee will save you a penny.

Better, go to CDBaby, Yep Roc, Compadre, and others. Even better, many,many small artists sell their music from their own web sites, often through a small label. As nice as eMusic is, relatively little of the money you give them will get in the hands of the musicians, and buying CDs as close as possible to the musicians themselves is the best way to get them what they deserve. Don’t wait for Friday, do it now.

Blackhat Do It Again

Looks like HID hasn’t learned anything from Cisco’s experience two years ago. One of these years more vendors will learn how to manage vulnerability disclosure and follow the lead of companies like Microsoft and Cisco rather than sticking their foot in it.
Chris Paget a well respected researcher is going to present at Blackhat Federal tomorrow on how to build your own proximity card cloner. Infoworld broke the story yesterday. Some choice bits:

Asked why HID hasn’t addressed the issue in more recent proximity card systems, after knowledge of RFID threats became common, Carroll said that doing so would cause “major upheaval” among customers.
Inertia is a more likely cause, said Dan Kaminsky, director of penetration testing at IOActive.
“They didn’t want to change to a more secure implementation because of backwards compatibility issues, and they had a lot of sites that use these cards, and HID has stuff to sell them,” Kaminsky said.

Dan, as as always, can be counted on to say something both interesting and provocative:

The technology is very convenient, but don’t interpret the convenience as security,” Kaminsky said. “At the end of the day, many companies are essentially using barcode technology to control access to their facilities. I’d posit that perhaps there are more secure technologies out there.”

Jeff Moss however nails the real issue.

It’s just so frustrating from a security standpoint. Now anytime someone wants to talk about anything, they need a team of lawyers. Even when it’s about commonly understood problems.

[Update: HID is claiming that the talk infringes on their patents. As a result of the litigation threat, Chris Paget/IOActive are pulling the talk and it will be replaced by a presentation from the ACLU about privacy risks of RFID. Hopefully they will also cover the chilling effects of legal threats like this on the entire security industry as well.]
[Update 2: Rob Lemos has much more detail.]

It’s “privacy,” Jim, but not as we know it.

license.jpgThe Canadian Privacy Commissioner has issued a number of new rulings, essentially ruling that anyone in Canada can request an ID card whenever they want. The first, summarized by Michael Geist in “Privacy Commissioner on Domain Name Registrant ID Requirements” says:

requirements of personal identification, such as a driver’s license, in order to change the administrative email address for a domain name registration…was reasonable.

Which is odd, because my drivers license doesn’t contain my email address. Also odd is the idea, in a second case “PIPEDA Case Summary #361, Retailer requires photo identification to exchange an item” that “The investigation established that the information from the piece of identification is not recorded at this store.” Except in the paragraphs prior, they found that:

The store’s purpose for collecting the customer’s name, address and telephone number is to protect against fraud and error in order to protect its customers and business. It asks for photo identification in order to verify that the information provided by the customer is accurate.

So…information is taken down, and verified against the card, but not taken from the card. Would things be any different if they copied the information directly from the card?

It seems to me that these decisions are a great blow to privacy in Canada, essentially nullifying the common law tradition of being able to use whatever name one wants to use in one’s day to day business.

Remember, all non-trivial privacy fears come true. I’m confident that there were claims that drivers licenses won’t be needed for normal everyday life, and privacy advocates predicted this.

Emergent Meanings of Privacy

There’s a really fascinating article in New York Magazine, “Say Everything:”

And after all, there is another way to look at this shift. Younger people, one could point out, are the only ones for whom it seems to have sunk in that the idea of a truly private life is already an illusion. Every street in New York has a surveillance camera. Each time you swipe your debit card at Duane Reade or use your MetroCard, that transaction is tracked. Your employer owns your e-mails. The NSA owns your phone calls. Your life is being lived in public whether you choose to acknowledge it or not.

Dan Kaminsky keeps telling me that, too. It’s worth reading the article. Virginia Postrel has some interesting commentary, “The Transparent Society and its clueless adult enemeies.” I think the most insightful comments come from Paul Saffo, in “Retroprobrium and mutually assured embarrassment:”

Several comments to my 2/17/02007 posting have noted that in a future transparent society, no one will make fun of their friends’ past postings because everyone will be in the same confessory boat. The problem with this argument is that we don’t judge behavior by the standards of the time when it occurred; rather, we consistently engage in retroactive opprobrium — retroprobrium — judging past actions by present standards.

To me, a key element of privacy is that the past is reasonably ephemeral: only the most important elements get remembered, and the cost of search is high. This is changing, and we don’t fully understand where we’re going.

The Canaidian government has recently obtained access to US conviction records, as reported in the San Francisco Chronicle, “Going to Canada? Check your past:”

Canadian attorney David Lesperance, an expert on customs and immigration, says he had a client who was involved in a fraternity prank 20 years ago. He was on a scavenger hunt, and the assignment was to steal something from a Piggly Wiggly supermarket. He got caught, paid a small fine and was ordered to sweep the police station parking lot.

He thought it was all forgotten. And it was, until he tried to cross the border.

“This,” [an attorney] says, “is just the edge of the wedge.” Who would have thought a single, crazy night in college would follow you around the world?

I certainly would never have thought so. If I had, I might write an article with a title like “Long Term Impact of Youthful Decisions.”

Photo: “How to tell you’ve had a good day,” by Andrew Murray.

[Edit: fixed broken html -Arthur]

A telling remark

In the “inconvenient coincidences” category, it seems that Al Sharpton’s great-grandfather was a slave owned by relatives of the late segregationist US senator Strom Thurmond.
Thurmond’s niece, Ellen Senter (via an AP report) provides an interesting perspective:

I doubt you can find many native South Carolinians today whose family, if you traced them back far enough, didn’t own slaves,” said Senter, 61, of Columbia, South Carolina.

Except, that is, for the ones who were slaves, Mrs. Senter.

Information Leaks

Traveling iPod

I was on the last flight back west on a Friday night, glad that it looked likely I was going to get home. Even better, I’d been upgraded. I flopped into my seat, pulling out the noise-canceling headphones, laptop power adapter, books, and all that other stuff that makes a long flight an oasis of irony.

The guy in the window seat was talking on the phone with the usual stuff you hear by people who are smart enough not to do business on the mobile. “Yeah, honey, I love you too.” “Good to be home this weekend.” That sort of washed over me as I thought, “Aww, that’s sweet.” (My SO and I text each other, and I was firing off a few equivalents, myself. Then he said something that jolted me out of my hearing-yet-not-paying-attention.

The music of his voice shifted from rubato and legato to marcato and strict tempo. “You tell Connor,” he said, “that when I get home, I don’t want the first words out of his mouth to be, ‘Where’s my iPod?'” I suppressed staring, but my eyes bounced off of the end of their swivel pins.

I thought, “Dude, you stole your kid’s iPod!” There was silence on his end, and I have no idea what she said. I just thought again, loudly, hoping his conscience might hear, “Guy! You stole your kid’s iPod! I mean, jeez, I can see “borrowing” it once to see if you like this whole digital music stuff, but DFW’s got a bleeding vending machine for the critters right at A19! Can’t you at least bury a Shuffle in your expenses?”

So Connor, if you read this because we’re 1337-ish, show this post to your dad. And if he’s still being cheap, install Limewire on his laptop and start sharing Sinatra or something. Maybe the RIAA will notice.

photo courtesy of Michael P. Whelan.

On the TJX Breach

tj-maxx-hacked.jpgSo there’s been a stack of news stories on TJX and the issues with their database. I want to comment on an aspect of the story not getting a lot of coverage. In the Cinciannati Enquirer story, “Fifth Third has role in TJX hole,” Mike Cook is quoted as saying “If you are a consumer and you’re part of the TJX breach, you are hoping it’s 10 million people because the chance of your name being misused goes down considerably depending on the size of the data breach.”

I don’t buy it. What we’re doing is telling criminals they need to scale up their exploit techniques and networks. We did that with spamming and phishing. Bad idea.

Some other news tidbits I found interesting:

It’s my understanding that the shopping bags in the photo aren’t full of clothes. (Photo from here, original context unclear.)

[Update: by ‘these things’ I was intending to imply not only credit card issues, but the gamut of information security issues that might arise. If you think we do have economic advice to give, consider submitting a paper to the workshop on the economics of information security: they explicitly ask for papers on ‘optimal security investment’]

“A trade founded in iniquity”

slave trade.jpgAt Balkinization, Scott Horton discusses how “Two Hundred Years Ago Today, the Global Campaign for Human Rights Achieved Its First Victory:”

“As soon as ever I had arrived thus far in my investigation of the slave trade, I confess to you sir, so enormous, so dreadful, so irremediable did its wickedness appear that my own mind was completely made up for the abolition. A trade founded in iniquity, and carried on as this was, must be abolished, let the policy be what it might, – let the consequences be what they would, I from this time determined that I would never rest till I had effected its abolition.”

– William Wilberforce, speech before the House of Commons, May 12, 1789, Hansard vol. 28, col. 68

Today the cause of universal human rights celebrates an important anniversary. On this day two hundred years ago, the Parliament at Westminster voted an act for the abolition of the slave trade. A few decades later, Parliament also voted the manumission of slaves throughout the British Empire. By that time, in the 1830’s, the trafficking in slaves was viewed as a jus cogens crime by legal scholars around the world and the global movement to abolish slavery altogether was well launched.

Scott says much and says it well. Go read his post for the history, the nature of the arguments put forth, their relationships to today, and the biographic information about Wilberforce.

I’m left then, with few things to add, and so I’ll say them briefly.

Advances in human freedom are cause for celebration.

There were strong economic arguments for the institution of slavery, but sometimes you have to do the right thing, even if it costs.

Painting from American University Slave Trade case studies

Department of Pre-Blogging: Waziristan

Back in September, we covered how Pakistan and Waziristan had a peace deal, essentially, a deal with al Qaeda. In it, I commented on how people would get medals for “convincing al Qaeda to get a territorial base which we can bomb.” Now, in “Al Qaeda Chiefs are seen to regain power,” the Times reports: “One counterterrorism official said that some within the Pentagon were advocating American strikes against the camps…”

Even more disturbing, Global Guerrillas has analysis in “Al Qaeda Redux:”

With all indications that the US is in withdrawal, a new attack is likely needed to propel the US back into aggressive action (see “Al Qaeda’s Grand Strategy: Superpower Baiting” for more on why).