86%: Would you buy an IDS this good?

A number of commenters on yesterday’s post, “Noh Entry: Halvar’s experience and American Legalisms” are taking me to task for being idealistic about rule of law. I agree strongly with what Nicko wrote in the comments:

[C]ountries are at liberty to apply “complex, stupid, and completely arbitrary” rules but one of the fundamental tenets of the rule of law is that any rules should be applied consistently. It’s naive to suggest that all travellers should be fully knowledgeable of all aspects of immigration law; that’s an expertise for which people pay hundreds of dollars an hour.

Since this is sometimes an information security blog, I’d like to put this another way. Imagine you’re testing an IDS that watches 7 identical packets flow by, and flags one of them. It either has an 86% success rate or a 14% success rate.

Without paying someone several hundred dollars, I don’t know if Halvar got lucky 6 times, or unlucky once.

I do know that I’m upset that our border agents aren’t consistent. If they were an IDS system, and that’s all the data I had, I wouldn’t be buying right now.

Noh Entry: Halvar’s experience and American Legalisms

He writes:

It appears I can’t attend Blackhat this year. I was denied entry to the US for carrying trainings materials for the Blackhat trainings, and intending to hold these trainings as a private citizen instead of as a company.

A little background: For the last 7 years, I have attended / presented at the ‘Blackhat Briefings’, a security conference in the US. Prior to the conference itself, Blackhat conducts a trainings session, and for the past 6 years, I have given two days of trainings at these events. The largest part of the attendees of the trainings are US-Government related folks, mostly working on US National Security in some form. I have trained people from the DoD, DoE, DHS and most other agencies that come to mind.

Each time I came to the US, I told immigration that I was coming to the US to present at a conference and hold a trainings class. I was never stopped before…

Halvar has been coming to the US to train people for six years. So here’s my question: Has the law changed? Why did this happen? What’s happened may be that he didn’t use precisely the right words to get through the line, and now he’ll be spending (my guess) $10,000 on lawyers to be able to re-enter the US.

I’m increasingly concerned about this–the police can detain you in a variety of ways, offer implicit threats of arrest, and there are certain very specific legal formulas you can invoke. For example, I’ve been told that you must ‘demand’ an attorney, rather than saying “I’d like an attorney,” in order to preserve your rights. If a cop is asking you questions, you must ask “are you detaining me?” in order to get an honest answer. No one should be required to know these formulas–not me to preserve my rights through an encounter with the police, and not Halvar to preserve his ability to enter the US.

I have a friend who has a US denied stamp on his Canadian passport because he was driving a co-worker to the border so that person could enter the US for 2 minutes, turn around, and re-enter Canada (to get a new Visa). The driver said “Oh, I don’t really care if you let me into the US,” and boom, his passport was marked and he was entered into the refused-entry list.

Now Halvar has to choose: he can spend probably thousands of dollars to clear his passport, or he can stop entering the US. Way to preserve jobs for Americans!

The title is a reference to the ultra-stylized ‘Noh’ Japanese plays, where actors rehearse their lines in a vacuum.

Maybe if I yell at you, you’ll trust in what I’m saying

Tourists visiting the White House must now adhere to a dress code which bans jeans, sneakers, shorts, miniskirts, T-shirts, tank tops, and flip-flops.
Since this is an extremely important rule, signs were posted and emails sent to White House staff (writes Al Kamen in the Washington Post).
A telling detail, per the WaPo:

The e-mail reminder was all in capital letters.

(Title yanked from some Luna lyrics, .sig fragment from the Usenet Oracle via Wikipedia)

Camouflage as Security


This is a new twist on an old trick. SFGate reports, in “‘I didn’t eat and I didn’t sleep’ — Coin dealer flies dime worth $1.9 million to NYC,” that coin dealer John Feigenbaum transported a $1.9M rare coin (an 1894-S dime) from its previous owner, Daniel Rosenthal, who lives in the Bay Area, to its new, unidentified owner in New York, by hand-carrying it.

Feigenbaum dressed in a T-shirt, “grubby” jeans, and flip-flops and flew on the red eye from San Jose to Newark, carrying it himself with little fanfare.

There was an unexpected problem, however:

Feigenbaum had purchased a coach ticket, to avoid suspicion, but found himself upgraded to first class. That was a worry, because people in flip-flops, T-shirts and grubby jeans do not regularly ride in first class. But it would have been more suspicious to decline a free upgrade. So Feigenbaum forced himself to sit in first class, where he found himself to be the only passenger in flip-flops.

He shouldn’t have worried too much, actually. Scruffy people often do fly first class, trust me. They’re the ones who travel too much, so they want to be comfy. Read the whole article, it’s amusing.

I am reminded of another occasion when a similar trick was used, although for a diamond.

Photo courtesy of Tiffibunny.

Help EFF Analyze Formerly Secret FBI Docs

In “Help EFF Examine Once-Secret FBI Docs,” the folks at EFF ask for your help doing what Congress won’t: engaging in oversight of our civil servants:

We’ve already started scouring newly-released documents relating to the misuse of National Security Letters to collect Americans’ private information. But don’t let us have all the fun — you, too, can dive into the docs and help uncover the truth about the FBI’s abuse of power. All 1138 pages are freely downloadable (with searchable text) from EFF’s website, and we’ll be posting a new batch every month.

A related request, from Ryan Singel over at 27B-6, is to “Help Wired News Make Sense of FBI Computer Crime Stats.”

Really, there hasn’t been such a good opportunity to uncover illegal activity by Uncle Sam since the Church Committee hearings. It’s like shootin’ fish in a barrel.

Go take a look.

Full Disclosure debate, 2.0

A poor choice of names (I guess “best UNIX editor” was their second choice), but Silicon.com is doing something that seems worthwhile by launching their Full Disclosure Campaign.

Silicon.com wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors.
We are calling for greater public debate and for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers, if there is a chance the breach has put individuals’ sensitive personal data at risk.

The first salami attack?

A salami attack is when you take a very small amount of money from an awful lot of accounts. The canonical example is a bank programmer depositing sub-cent amounts of interest in a special account. These rounding errors add up.
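As an added illustration (not from the post or any of the sources it cites), here is the kind of reconciliation an auditor can run over an interest-posting batch to catch the classic rounding skim: every credit is recomputed from the account balance under the bank’s stated rounding policy, and any credit that deviates, or that lands in an account with no interest basis, is flagged. The balances, rate, account identifiers, rounding policy and both posting runs are constructed for the example.

```python
from decimal import Decimal, ROUND_HALF_EVEN

CENT = Decimal("0.01")

# Constructed sample ledger: account id -> balance at start of day (not real data).
BALANCES = {
    "A-1001": Decimal("1234.56"),
    "A-1002": Decimal("98765.43"),
    "A-1003": Decimal("50.00"),
}
DAILY_RATE = Decimal("0.0001")   # 3.65% per year, chosen so the arithmetic is easy to follow

# Constructed posting runs. HONEST_RUN rounds each credit half-to-even, as the
# assumed posting policy requires. SKIMMED_RUN truncates each credit to the cent
# and parks the leftover fraction in an account that owns no balance at all,
# which is the "sub-cent interest in a special account" pattern the post describes.
HONEST_RUN = {"A-1001": Decimal("0.12"), "A-1002": Decimal("9.88"), "A-1003": Decimal("0.00")}
SKIMMED_RUN = {"A-1001": Decimal("0.12"), "A-1002": Decimal("9.87"),
               "A-1003": Decimal("0.00"), "X-9999": Decimal("0.01")}


def expected_interest(balance, daily_rate):
    """One day's interest rounded to the cent under the assumed half-even policy."""
    return (balance * daily_rate).quantize(CENT, rounding=ROUND_HALF_EVEN)


def audit_interest_run(balances, daily_rate, postings):
    """Recompute every credit from first principles and report anything that differs.

    Returns a list of (account, reason, amount) findings; an empty list means the
    batch matches policy exactly.
    """
    findings = []
    for account, posted in postings.items():
        if account not in balances:
            # A credit with nothing to earn interest on is the skim's collection point.
            findings.append((account, "credit to account with no interest basis", posted))
            continue
        delta = posted - expected_interest(balances[account], daily_rate)
        if delta != 0:
            # Truncation instead of rounding shows up as a one-cent shortfall on
            # exactly those accounts whose fractional cent was >= 0.5.
            findings.append((account, "deviation from policy rounding", delta))
    for account in balances:
        if account not in postings:
            findings.append((account, "no interest posted", Decimal("0.00")))
    return findings


def batch_shortfall(balances, daily_rate, postings):
    """Total owed under policy minus total actually credited to real accounts."""
    owed = sum(expected_interest(b, daily_rate) for b in balances.values())
    credited = sum(amount for acct, amount in postings.items() if acct in balances)
    return owed - credited


if __name__ == "__main__":
    for name, run in (("honest", HONEST_RUN), ("skimmed", SKIMMED_RUN)):
        print(name, audit_interest_run(BALANCES, DAILY_RATE, run),
              "shortfall:", batch_shortfall(BALANCES, DAILY_RATE, run))
```

The per-account recomputation matters more than the batch total: a skimmer who keeps the batch in balance by moving cents between real accounts still fails the first check, and the second check catches the case where the total is short by exactly what went into the side account.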

I’m trying to find the first actual documented theft or attempted theft using this attack.

I’m hoping that a reader will know when the first reports of salami attacks came out.

Please comment if you have an idea.

Photo: “Salami & cheese – food heaven,” taken by SanFranAnnie with a Cannon SD400, which is not the camera mentioned in Mordaxus’ post yesterday.

[Update, Jan 5, 2008: Steve Lipner provided me with a cite! Thomas Whiteside, Computer Capers, 1978. The copyright page states that most of the material first appeared in the New Yorker.]

Canon Says Over 50% of Cameras Repaired in First Three Years


In the Times Online article, “Digital DNA could finger Harry Potter leaker,” we learn that the person who leaked photos of the last Harry Potter novel has yielded up the serial number of their camera, which was in the metadata of the pictures they took.

From this, we learn that it was a Canon, likely a Rebel 350D, which means that the perp bought it in the US or Canada. (This doesn’t mean that the perp is there, as lots of people buy electronics in the US or Canada.)

However, I blinked when I read something from Vic Solomon, a product intelligence officer at Canon UK:

From what we know, the device is one of the original Rebel cameras, probably a 350D, and given that they’ve been out for three years, it’s likely the owner would have had it cleaned or repaired in that time.

Likely? I take likely to be better than a coin flip — over 50% chance. I’m a huge fan of Canon cameras, and while I don’t yet own a digital SLR (I’m very happy with my SD 700IS), I’d like one, and it makes me wary to hear that it is “likely” that I’ll be taking it into the shop in three years. I have a twenty-five-year-old A1 SLR, and it’s never been cleaned or repaired. Is Canon’s well-deserved reputation for quality a thing of the past?

Or was Mr Solomon merely shooting his mouth off? He also said:

The EXIF data is like the picture’s DNA; you can’t switch it off. Every image has it. Some software can be used to strip or edit the information, but you can’t edit every field.

That’s not precisely accurate. EXIF metadata is nothing like DNA. It’s metadata rather than code; it’s annotations about the picture such as date and time, f-stop, exposure values, orientation of the photo, and of course the serial number of the camera. While photo-editing software often doesn’t let you edit it, there are plenty of ways to get rid of it, and I’ll bet that very shortly there will be more of them, particularly if they catch the person who did this because of the embedded serial number.
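To make the “metadata, not DNA” point concrete, here is an added example (mine, not from the post or from Canon) that walks the segment structure of a JPEG, reads the tag ids out of the Exif IFD0, and strips the whole APP1 Exif segment while leaving the image data byte-for-byte intact. The JPEG is constructed in the code (a minimal set of segments, not a real photograph), and the tiny Exif block carries only an Orientation tag; a real camera file would carry dozens of tags, including the maker-note section where serial numbers usually live.

```python
import struct

# JPEG marker bytes (these values are from the JPEG/JFIF specification).
SOI, EOI, SOS, APP0, APP1 = 0xD8, 0xD9, 0xDA, 0xE0, 0xE1


def _segment(marker, payload):
    """Frame a payload as FF <marker> <length incl. the 2 length bytes> <payload>."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def _tiff_with_orientation(orientation):
    """Little-endian TIFF header plus an IFD0 holding a single Orientation (0x0112) entry."""
    header = b"II" + struct.pack("<HI", 0x2A, 8)            # byte order, magic 42, IFD0 offset
    entry = struct.pack("<HHI", 0x0112, 3, 1) + struct.pack("<H", orientation) + b"\x00\x00"
    ifd0 = struct.pack("<H", 1) + entry + struct.pack("<I", 0)   # 1 entry, no next IFD
    return header + ifd0


# Constructed sample file: SOI, Exif APP1, JFIF APP0, a stub SOS, 3 bytes of "image data", EOI.
SAMPLE_JPEG = (
    bytes([0xFF, SOI])
    + _segment(APP1, b"Exif\x00\x00" + _tiff_with_orientation(6))
    + _segment(APP0, b"JFIF\x00\x01\x02\x00\x00\x01\x00\x01\x00\x00")
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56"
    + bytes([0xFF, EOI])
)


def iter_segments(data):
    """Yield (marker, payload) for each segment up to and including Start Of Scan."""
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length
        if marker == SOS:          # entropy-coded data follows; no more framed segments
            return


def exif_tags(app1_payload):
    """Return the tag ids recorded in IFD0 of an Exif APP1 payload."""
    if not app1_payload.startswith(b"Exif\x00\x00"):
        raise ValueError("not an Exif segment")
    tiff = app1_payload[6:]
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
    ifd_offset = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd_offset:ifd_offset + 2])[0]
    tags = []
    for i in range(count):
        entry = tiff[ifd_offset + 2 + 12 * i: ifd_offset + 14 + 12 * i]
        tags.append(struct.unpack(endian + "H", entry[:2])[0])
    return tags


def strip_exif(data):
    """Return a copy with every Exif APP1 segment removed; pixel data is untouched."""
    out = bytearray(data[:2])
    pos = 2
    for marker, payload in iter_segments(data):
        seg_len = 4 + len(payload)
        if not (marker == APP1 and payload.startswith(b"Exif\x00\x00")):
            out += data[pos:pos + seg_len]
        pos += seg_len
    out += data[pos:]              # everything after SOS: scan data and EOI
    return bytes(out)


if __name__ == "__main__":
    for marker, payload in iter_segments(SAMPLE_JPEG):
        print("segment 0x%02X, %d bytes" % (marker, len(payload)))
    print("Exif tags:", [hex(t) for t in exif_tags(SAMPLE_JPEG[4 + 2:4 + 2 + 32])])
    print("stripped size:", len(strip_exif(SAMPLE_JPEG)))
```

Because the metadata lives in its own framed segment ahead of the scan data, removing it is a matter of not copying that segment; nothing about the image itself changes, which is why publishing pipelines routinely drop it.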

Photo courtesy Lone Primate.

Should we stop faking phishing data?

In “Stop with the fake phish data,” Justin Mason quotes an anonymous friend complaining about people dumping crap into phishing sites:

Is there any way you can get the word out that dropping a couple hundred fake logins on a phishing site is NOT appreciated??

It creates havoc for those monitoring the drop since it’s an unbelievable waste of time and resources to clean up the file. Also, for those drop files that ‘recycle’ after every 10 entries, valid data is lost.

It also creates havoc for those who get these files and try to notify victims. They waste time, too, pulling legit info from amongst the trash.

First, I had no idea people were doing this. It seems like at least an interesting idea, and so I’d like to examine the assumptions that seem to underlie the request by Justin’s anonymous friend (JAF).

Firstly, JAF seems to presume that his work is roughly equivalent to the phisher’s work, or more expensive. This seems likely to be true. If you’re a criminal, testing an account is easy: you try to steal from it. If you’re trying to stop them, you have more work to do.

I think a more interesting question is, what fraction of sites are getting hit? Are 10% of phishing sites experiencing this? 90%? I’m curious because it gives us insight into the overlap between the two sets of folks working against phishers. It’s a relatively easy statistical problem: If set 1 has overlap y with set 2, how large is the population being sampled? Ecologists do this all the time. (How can I spell ecologist with a ‘ph?’)

It seems like it’s an interesting possibility for measuring the size of the phishing site world.
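The ecologists’ trick the post alludes to is mark-and-recapture: treat one group’s list of phishing sites as the “marked” sample and the other group’s list as the recapture, and the overlap between them estimates the total population of sites. Here is an added example (not from the post) applying the Lincoln-Petersen estimator and Chapman’s bias-corrected variant to two constructed lists of site names; the hostnames are invented, and the estimator assumes the two lists are drawn independently from a population that does not change between samples.

```python
from fractions import Fraction

# Constructed sample: hostnames reported by two independent anti-phishing efforts
# during the same week. Invented for this example; not real sites.
LIST_A = {"site%d.example" % i for i in range(1, 11)}    # 10 sites
LIST_B = {"site%d.example" % i for i in range(7, 15)}    # 8 sites, 4 of them also in LIST_A


def _counts(list1, list2):
    s1, s2 = set(list1), set(list2)
    return len(s1), len(s2), len(s1 & s2)


def lincoln_petersen(list1, list2):
    """Classic mark-recapture estimate of the population: N = n1 * n2 / m.

    n1 and n2 are the two sample sizes, m the number seen in both. Exact rational
    arithmetic keeps the worked numbers readable.
    """
    n1, n2, m = _counts(list1, list2)
    if m == 0:
        raise ValueError("no overlap between the lists: the estimate is unbounded")
    return Fraction(n1 * n2, m)


def chapman(list1, list2):
    """Chapman's bias-corrected estimate, (n1+1)(n2+1)/(m+1) - 1; defined even for m = 0."""
    n1, n2, m = _counts(list1, list2)
    return Fraction((n1 + 1) * (n2 + 1), m + 1) - 1


def overlap_fraction(list1, list2):
    """Share of list1 that list2 also saw: the '10% or 90%?' figure the post asks about."""
    n1, _, m = _counts(list1, list2)
    return Fraction(m, n1)


if __name__ == "__main__":
    print("overlap of A seen by B:", overlap_fraction(LIST_A, LIST_B))
    print("Lincoln-Petersen estimate:", lincoln_petersen(LIST_A, LIST_B))
    print("Chapman estimate:", float(chapman(LIST_A, LIST_B)))
```

With the constructed lists, 4 of A’s 10 sites also appear in B, giving an estimated population of 20 sites (Lincoln-Petersen) or about 18.8 (Chapman), even though only 14 distinct sites were observed. The independence assumption is the weak point in practice: if both groups feed off the same takedown feeds, the overlap is inflated and the population is underestimated.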

Photo: “Fish” by Wistine.

Hamster Wheel of Pain™, FOIA edition

So, the USDA messes up and, in response to FOIA requests directed to them about tobacco subsidies, sends records containing taxpayer ID numbers (along, one presumes, with names) to the several FOIA requestors.
Meanwhile, an enterprising lad sends a FOIA request about data breaches to North Carolina — a state known for tobacco production. That lad is richly rewarded, and obtains a letter from the USDA to the NC Attorney General’s office. That letter contains the names and addresses of the several FOIA requestors who had inquired about tobacco subsidies.
The enterprising lad is now certain the USDA will get his name and address, thereby completing another circle.

A Small Breath of Sanity in Airline Regs


The New York Times reports, “U.S. Will Allow Most Types of Lighters on Planes”:

Federal aviation authorities have decided to stop enforcing a two-year-old rule against taking cigarette lighters on airplanes, concluding that it was a waste of time to search for them before passengers boarded.

The ban was imposed at the insistence of Congress after a passenger, Richard Reid, tried to ignite a bomb in his shoe in 2001 on a flight from Paris to Miami.

Lawmakers said that if Mr. Reid had used a lighter, instead of matches, he might have been able to ignite the bomb, but Kip Hawley, assistant secretary for the Transportation Security Administration, said in an interview on Thursday that the ban had done little to improve aviation security because small batteries could be used to set off a bomb.

Matches have never been prohibited on flights.

“Taking lighters away is security theater,” Mr. Hawley said. “It trivializes the security process.”

The policy change, which is to go into effect on Aug. 4, applies to disposable butane lighters, like Bics, and refillable lighters, like Zippos. Torch lighters, which have thin, hotter flames, will continue to be banned.

Security officers have been collecting some 22,000 lighters a day nationwide, slowing down lines at check points. Even so, many smokers had found ways to sneak lighters through checkpoints, often by placing more than one in a carry-on bag. Disposing of the seized lighters has cost about $4 million a year.

By lifting the ban, Mr. Hawley said, security officers could spend more time looking for bombs or bomb parts. “The No. 1 threat for us is someone trying to bring bomb components through the security check point,” he said. “We don’t want anything that distracts concentration from searching for that.”

Three cheers for them learning! I can only hope that the stupid liquids ban will fall next. We know that we’ve trained people to be efficient at finding water bottles over finding bombs, even when they’re in the same bag.

You can’t spell “Really pointless flamefest” without R-O-I

Rich Bejtlich, with whom I do not want to argue about definitions unless I have a much thicker dictionary than he, has taken aim at the (mis?)use of ROI by security people.
EC readers may be interested in a blog post by Ken Belva, in which the guy who literally (co)wrote the book on establishing a methodologically sound and empirically defensible business case for information security spending — Lawrence Gordon — weighs in via email.
Hopefully, Gordon is a sufficiently authoritative source to put this question to bed for a while.

Other comments on the GAO Report

  • [Added July 21] Roger Grimes, “Identity theft? What identity theft:”

    Here’s my long-held feeling: If even one customer record is compromised, it should be immediately disclosed to the consumer. None of this, “You need 10,000 or more records stolen before it is reported” or “Only report if likely to be used in financial theft.” Forget that! Banks and merchants are privileged to be entrusted with our important financial data. If they don’t protect our information properly, they, not us, should pay the price.

  • Information Week, “Secret Service Busts Four Fraudsters With Ties To T.J. Maxx Attack:”

    A recent Government Accountability Office report noted the difficulty of linking data theft to identity theft, but the U.S. Secret Service is having no such problems. The agency earlier this week said it has arrested and indicted four members of an organized fraud ring in South Florida, charging each of them with aggravated identity theft, counterfeit credit-card trafficking, and conspiracy.

  • Anton Chuvakin, “Nobody Is That Dumb … Oh, Wait! – III:”

    But you know what? Data theft (as well as, mind you, a negligent data loss!) is a crime even if whoever took off with the data didn’t use it for nefarious purposes. To me it sounds akin to “the bank robber who didn’t spend the money on more crimes” or (more remote …) “a carjacker who didn’t cause a traffic incident.” Mandatory notifications are a means to reduce data loss/theft, and are thus needed with no regards to how the stolen data is used!

  • SANS Newsbytes (with some detailed analysis, including the n=24 problem)

    The GAO Report that leads off this issue is deeply flawed and does not meet that agency’s high standards for excellence in analysis or independence. We learned that the report was done by a group at GAO that doesn’t usually work in this area, so their flawed analysis is understandable, but still potentially damaging to GAO’s reputation and to the nation’s cybersecurity. We have included an analysis of the report in this issue for readers who didn’t immediately see the flaws.

  • Dissent, “Did the data breach chronologies backfire:”

    Looking through it, it is clear that they relied heavily on data and statistics provided by Attrition.org, the Privacy Rights Clearinghouse, the Identity Theft Resource Center, and reports obtained from NY and NC under FOIA by Chris Walsh.

    Although it is encouraging that the government is actually using the data that these organizations and individuals have worked so hard to compile, some of the implications suggested by the GAO report are troubling from the perspective of a privacy advocate.