Yahoo News recently reported the story of Charleston, West Virginia Mayor Danny Jones, who used a photo of himself in a magazine to prove his identity. In brief, he was flying out of John Wayne Airport and his driver’s license was expired, so he wasn’t going to be allowed to get past security. The Charleston Daily Mail adds that the same license was sufficient to allow him to check his bags. However, Mayor Jones did have a copy of a magazine with a photo of him in downtown Charleston, which the local agents deemed to be sufficient ID. So, what we have (quelle surprise!) is inconsistency in how security is applied between the ticket agents and the security guards, security guards who didn’t seem to properly understand the process for handling people without proper ID, and finally agents who were willing to accept a worse form of ID than an expired driver’s license. I feel safer, how about you?
On the beaches of Mexico, they’re talking about Copacabana, a new cipher-cracker that works on DES and other ciphers with a 64-bit key. Yes, this has been done before, but this is interesting for a number of reasons.
First is the price: about €9,000. Second, there’s the performance: a complete DES keyspace sweep in a fortnight. That’s not bad, if you think about Deep Crack and what you’d expect from normal semiconductor advances.
The news, however, is that apparently there are banks using two-factor authentication tokens with DES-based keys, and if you’re clever, you can break such a token with far less than a full key search. You only need to observe the supposedly one-time password (or two or three of them), and then, with a fortnight of computing, you can generate any one-time password the real owner can.
Maddeningly, there are other systems based on AES or some other crypto that aren’t at all vulnerable to this attack — because they have better keys. People who are vulnerable to this attack need not be.
Apparently, these banks have fallen in love with DES. But falling in love is dangerous. It’s also negligent, when it’s so easy to get shot.
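Two things in the passage above are worth seeing in code: what the post’s “full DES sweep in a fortnight” implies for a key that is 128 or 160 bits instead of 56, and what a one-time-password token looks like when it is built on a key that cannot be searched. The block below is an added example, not code from the post or from any of the products it describes. It takes the fortnight figure from the post and DES’s 56-bit effective key length as given, and implements HOTP (RFC 4226, an HMAC-SHA1 counter-based token keyed with a 160-bit secret) as one standard example of the “better keys” design the post contrasts with DES-based tokens; the post does not say which algorithm the banks or the AES systems it mentions actually use.

```python
"""Added example: work-factor estimate from the post's figures, beside an
HOTP token (RFC 4226), a design whose key is too large to search even when
an attacker observes several one-time passwords."""
import hmac
import hashlib
import struct

DES_KEY_BITS = 56                    # effective DES key length (64 bits minus parity)
FORTNIGHT_SECONDS = 14 * 24 * 3600   # the post's "fortnight" for a full DES sweep


def implied_keys_per_second(key_bits=DES_KEY_BITS, sweep_seconds=FORTNIGHT_SECONDS):
    """Throughput a cracker must sustain to try all 2**key_bits keys in sweep_seconds."""
    return (2 ** key_bits) / sweep_seconds


def expected_sweep_years(key_bits, keys_per_second):
    """Years needed to exhaust a 2**key_bits key space at keys_per_second."""
    return (2 ** key_bits) / keys_per_second / (365.25 * 24 * 3600)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, reduced modulo 10**digits, zero-padded."""
    msg = struct.pack(">Q", counter)
    hs = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = hs[19] & 0x0F
    code = ((hs[offset] & 0x7F) << 24
            | hs[offset + 1] << 16
            | hs[offset + 2] << 8
            | hs[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def verify_hotp(secret: bytes, counter: int, candidate: str, look_ahead: int = 3):
    """Server-side check with a small resynchronisation window.
    Returns the counter value that matched, or None. Constant-time compare
    so the verifier does not leak how many digits were right."""
    for c in range(counter, counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), candidate):
            return c
    return None


if __name__ == "__main__":
    rate = implied_keys_per_second()
    print(f"implied cracker throughput: {rate:.3g} keys/s")
    for bits in (56, 64, 80, 128, 160):
        print(f"{bits:>3}-bit key: {expected_sweep_years(bits, rate):.3g} years to sweep")
    # RFC 4226 Appendix D test secret (ASCII "12345678901234567890")
    secret = b"12345678901234567890"
    for c in range(3):
        print(f"counter {c}: {hotp(secret, c)}")
```

The arithmetic is the whole argument: at the throughput implied by a fortnight for 56 bits, each extra key bit doubles the sweep, so a 128-bit key takes on the order of 10^20 years. Observing a few HOTP values does not help either, because recovering the secret from HMAC-SHA1 outputs is no easier than searching the 160-bit key; what the verifier must still get right is the look-ahead window and the constant-time comparison shown in `verify_hotp`.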
Photo courtesy of Imagem Compartilhada.
Tomorrow at 2 Eastern, ANSI will be hosting an Identity Theft Prevention and Identity Management Standards Panel webinar.
Key analysts, industry leaders, and members of the Identity Theft Prevention and Identity Management Standards Panel (IDSP) will lead an online discussion of a new report that promotes access to and implementation of tools and processes that can help to minimize the scope and scale of identity theft and fraud.
The new report, which will be published on January 31, 2008, helps to arm businesses, government agencies, and other organizations with the tools needed to protect themselves and their customers against the theft and misuse of personal and financial information.
My colleagues Jeffrey Friedberg (Microsoft) and Julie Fergerson (Debix) co-chaired one of the working groups, and I’m pleased to see that they’ve focused on businesses and governments, not consumers. I think we often spend too much time trying to blame the consumer. It’s important to understand the role that organizations play in using identifying information, and how that interacts with identity fraud, and I hope that this report will advance both that understanding and the understanding of solutions.
To access the report or webinar, see “Identity Theft Prevention and Identity Management Standards Panel: Report and Webinar.”
Rybolov had an interesting comment on my post, “How taxing is it to read a tape?” He wrote about how hard it can be, and closed:
I think the key is that it’s hard for the average person to read tapes if they found/stole them, but for a moderately-large organization/attacker, it’s possible.
I think this is a great example of what I call perversity in computer security. When a fellow with the best of intentions is trying to do something, it’s hard, and when the bad guy tries it, it’s easy. It’s like when you want your computer to keep data, it loses it. But when you’re trying to delete it, it’s awfully hard. Similarly, your computer often behaves in seemingly random ways. But when you’re trying to get what cryptographers call good randomness, it’s perversely hard.
There’s another place this routinely shows up, and that’s around the question of “are IP addresses personal information?” If you want to use IP addresses for security purposes, they’re notoriously poor. But if you want to use them to invade privacy, they’re often good enough. As Eric Rescorla writes in “Uh, yeah IP addresses are identifying:”
It’s certainly true that many home users have IP addresses that are assigned via DHCP, so in principle they’re dynamic, but that doesn’t mean that you don’t regularly get the same IP. From what I hear, common practice for full-time Internet connections is to regularly assign the same IP addresses to the same host. The IP addresses change occasionally, but mostly they’re semi-static, so the IP address is generally a pretty useful identifier. And of course, even if your IP address does change regularly, it’s still possible to cross-correlate activities at multiple sites at the same time.
This is up there with my other law: “All Non-Trivial Privacy Fears Come True.”
Hence, we imprison and deport American citizens for immigration violations.
Thomas Warziniack was born in Minnesota and grew up in Georgia, but immigration authorities pronounced him an illegal immigrant from Russia.
Immigration and Customs Enforcement has held Warziniack for weeks in an Arizona detention facility with the aim of deporting him to a country he’s never seen. His jailers shrugged off Warziniack’s claims that he was an American citizen, even though they could have retrieved his Minnesota birth certificate in minutes and even though a Colorado court had concluded that he was a U.S. citizen a year before it shipped him to Arizona.
During a deportation hearing Thursday morning, pleas by Warziniack’s family and lawyer to release him, as well as a copy of his birth certificate proving his citizenship, did little to deter the government.
“The immigration agents told me they never make mistakes,” Warziniack said in a phone interview from jail. “All I know is that somebody dropped the ball.”
The story of how immigration officials decided that a small-town drifter with a Southern accent was an illegal Russian immigrant illustrates how the federal government mistakenly detains and sometimes deports American citizens.
The whole article (which is a must read) makes The Trial seem like a due process Shangri-La by comparison.
The title quote, BTW, is from Ernestine Fobbs, whom McClatchy describes as a spokeswoman for “ICE, the federal agency that oversees deportations”.
Why is it that we easily admit spammers are people smart enough to run massive botnets, design custom malware, create rootkits, and adapt to changing protection technologies, but we still think they’re unable to write a pattern to match “user at domain dot com”?
Kudos to the first person who puts such a pattern in the comments below.
The inclusion of Emergent Chaos among the blogs featured at Security Focus happened, one might say, “on Internet time”. Specifically, it was a cool idea that people talked about for a while, and then it got implemented very quickly and surprised us. Quite apropos, given this blog’s title.
Anyway, Adam, EC’s bandleader, is away from the keyboard. Hopefully, this brief introduction to the blog will suffice in his absence.
Emergent Chaos is a group blog on security, privacy, liberty, and economics. We write on each of these topics singly (except the last — too much high-quality competition), and in various combinations. Perhaps the best way to become familiar with Emergent Chaos is to take a look at the highlight reel.
I’d say (not speaking for EC, the President of the United States, or the National Football League) that you could do worse than to start with:
- The Security Principles of Saltzer and Schroeder, illustrated with scenes from Star Wars
- The breach analysis category
- Mordaxus’ Cleaning Up
Thanks for your time. Hopefully, you’ll like what you see and become a regular.
I agree completely, except neither went far enough!
Java is just the replacement for Pascal, a pedagogical language designed because it was more fun and understandable than FORTRAN. So was BASIC, and APL. Heck, C is really just PDP-11 assembler code for people who can’t allocate stack variables by hand. Come on, it’s just subtraction! Oh, and don’t get me started about how RATFOR screwed people up by making them not compute the gotos in their IF statements.
However, I have to sneer at their examples in Scheme. Scheme! That’s also part of the problem. Scheme is a dumbed-down version of MACLISP for people who can’t handle a real LISP, for Pete’s sake! They should be doing their work in that, if not MDL or LISP 1.5.
The world has already gone to hell in a handbasket because of this continued coddling of the next generation of software engineers. Engineers need to learn how to twist transistors together to make flip-flops and make adders out of discrete components before they should go write computer programs. So-called high-level languages have been ruining the competitiveness of America since the mid 1950s!
Let’s face it, when Jim Backus started on FORTRAN, that was compounding on the mistakes that Grace Hopper started with AUTOCODER, which made it so that you could use so-called “opcodes” in your machine language instead of typing in the binary, and worse, far worse, to have macros. Macros make people fat and lazy. Transfats and sugar only make it worse. The stereotype of programmers being fat and unkempt is a product of macros, transfats and sugar over time.
Since I now realize that it’s actually all the Commodore’s fault, I’m going to throw away my nanosecond. Her use of tools that help people understand has ruined computer science. I also promise never to write another line of COBOL.
Dark Reading reported that “Data on 3M UK Drivers ‘Lost in Iowa’.”
“In May this year, Pearson Driving Assessments Ltd, a private contractor to the Driving Standards Agency, informed the agency that a hard disk drive had gone missing from its secure facility in Iowa City, Iowa,” Kelly said. “The hard disk drive contained the records of just over three million candidates for the driving theory test.”
The records contained the driver’s name, postal address, phone number, the test fee paid, the test center, a code indicating how the test was paid for, and an email address, Kelly said.
I think this is an interesting disclosure, because most of the laws we see are of the form “if you disclose information about our citizens” rather than “if you disclose in our state.” Sometimes, like with Choicepoint, this serves to get notice out. Other times, perhaps this being one of them, it acts as a loophole.
As Canada, the UK, and other places look to write new laws or regulations, it would be good for them to consider if they’d like to have laws which cover more breaches. It strikes me as a tremendously good idea.
2008, for us, is a big change because up to now we have been more like a terrorist group, threatening to do something and making big claims.
Nicholas Negroponte, of the One Laptop Per Child program, speaking on his own web site. Wow. There’s a stunning analogy for you. Maybe “we’ve been more like a startup?”
Michael Howard has broken the news: “Crispin Cowan joins Windows Security:”
I am delighted to announce that Crispin Cowan has joined the core Windows Security Team!
For those of you who don’t know Crispin, Crispin is responsible for a number of very well respected Linux-based security technologies such as StackGuard, the Immunix Linux distro, SubDomain and AppArmor. I’ve known Crispin for many years, and have nothing but the utmost respect for the guy. He’s well published, wicked smart, a non-zealot and brutally pragmatic. In my opinion, AppArmor is a shining example of his pragmatism; it’s simple and it works. What excites me the most is he’ll bring a different perspective to the Windows team, and I’m a big believer in stirring the pot!
Let me add my own welcome. Crispin and I have collaborated on a couple of projects, and I look forward to working with him more, and seeing what happens when he applies himself to Windows security.
[A clarification: Crispin is joining Microsoft, not Emergent Chaos (today, anyway). I remain the only MS employee blogging here, and my comments do not represent my employer. I was simply excited and wanted to share the news.]
Microsoft Office 2008 for the Macintosh is out, and as there is in any software release from anyone there’s a lot of whining from people who don’t like change. (This is not a criticism of those people; I am often in their ranks.)
Most of the whining comes because Office 2008 does not include Visual Basic. In some respects, this is welcome change because Office never should have had Visual Basic. VBA is what enabled the Macro Virus. Furthermore, Office 2009 (for Windows) is not going to have VBA, either.
However, not shipping VBA in Office 2008 means that people who want to have cross-platform documents that are pseudo-applications have to deal with it in 2008, not 2009. That’s worth complaining about.
The reason, according to El Reg is blink-inducing:
Microsoft argued that the technical problems involved in porting Visual Basic at the same time as revamping Mac Office to work on Apple’s Intel platform would have meant further delays.
I have demonstrated the absurdity of that argument in my headline. Please, I’m a technologist. I can imagine the real reasons. It was a pain in the butt; it would have required hiring another person or two; it seemed futile to port it when Office 2009 is going to get rid of it. I understand. Don’t insult my intelligence. Don’t lie to me.
The truth is that you didn’t want to, because it would suck. And what are we customers going to do, anyway? So that means you don’t have to do it because you don’t want to.
OpenOffice sucks. No, really, it does. I have co-workers that use it and watching them always brings a smile of schadenfreude to my lips. When trying to bend Word or PowerPoint to my will makes me want to put my fist through the screen, nothing makes me feel better faster than strolling into someone’s office and saying, “I dunno, maybe I ought to switch. How do you do XXXX in OpenOffice?” It’s cruel; it is the equivalent of seeking out someone with no feet because you have no shoes. But hey. I admit and argue the necessity of using Office, but I am Mordaxus, not Pangloss.
Pages is cute and nice for new work, but people don’t send me Pages documents, they send me Word documents. Keynote rocks — it got Al Gore both an Oscar and the Nobel Prize — but when someone says, “Would you look at this deck” it’s a ppt.
There will be those who are scrolling for the reply button to tell me that Pages and Keynote can import Office documents. They can. I still need Office, because they import Office documents, not interoperate with them.
Longer work is another issue. Over the last couple of years, I’ve become a LaTeX expert again. The irony is that I stopped doing most of my work in LaTeX because Word 3 was better for so many things. Nonetheless, nothing is as drop-dead gorgeous as a TeX document.
This weekend, a friend who writes books recommended Scrivener to me as an alternative for long documents. Scrivener is more or less a project manager for large documents. I’m going through the tutorials, which are amusing. It reminds me in other ways of the wonderful Notebook by Circus Ponies.
Nonetheless, the friend who pointed me there uses Word.
This brings us back to the matter at hand. As painful as it is for Microsoft, they are a monopoly. Not using Office is not an option. Sure, I can screw around with beautifully designed, fun to use productivity managers, but you have to use Office. (Or LaTeX.)
The plus side of being a monopoly is that you are ubiquitous, and money doesn’t do anything as plebeian as grow on trees for you. The minus side is that when a tree falls in the forest on some power lines, you hear it, and you have to fix it!
Forget duty, let’s talk self-preservation. Microsoft, if you don’t want to go the way of Western Union, AT&T, IBM, Bessemer Steel, or The Railroads, you have to at least pretend you like us, your customers. Getting rid of VBA is a great idea. It was an abomination in the first place, breaking the data/code separation that security needs. But if you’re going to can it in 2009, you have to can it in 2009, not 2008. The result is that we’re going to get more hair-pulling for another year.
In “Athenian Economy and Society: a banking perspective,” Edward Cohen uses the fascinating technique of trusting in offhand comments. He uses the technique to analyze court records to reconstruct banking. You might not be able to trust the main testimony in a trial, but no one will offhandedly say something shocking and strange, because it will undermine their credibility. (For example, “it’s snowing in Jamaica” makes no sense as a parenthetical, and would undermine my credibility if I said it.)
So I found an offhand comment reported by Beth Pariseau in “IRS sent tax database on unencrypted tapes” to be fascinating:
The IRS confirmed to SearchStorage.com that copies of its tax database were distributed to state agencies on unencrypted tapes before Sept. 30, 2007. A source at one state agency said the tapes were also sent using common carriers, such as FedEx.
The source, whose agency received the database information on a regular basis, said the IRS had formal guidelines for agencies to place the tapes behind three layers of physical security — inside a locked box, for example — and restrict access to “need-to-know” personnel. He added a fourth layer of physical security, but that still didn’t make him feel comfortable. “These were standard IBM mainframe tapes,” he said. “It didn’t take anything special to read them.”
I found this really interesting because our anonymous source tosses off the idea that reading a tape is easy. This is in stark contrast to everyone who reports breaches, who goes on and on about how hard it would be to read their DLTs.
This expert didn’t give that nonsense a second thought. Journalists should be more skeptical, and so should you.
Interestingly, there’s a second tie to Cohen’s book. In it, he lays out how the Athenians, worried about the taxman, created private banking. The taxman has rarely worried about the welfare of the taxed.
[Update: An anonymous correspondent points to “Who Must File Magnetically,” which points to IRS publication 1220. Encryption is specifically forbidden (“Do not send encrypted data.”), and the tape format is clearly documented. See part C.05 on page 35 of the PDF, or printed page #29.]
The following table depicts the number of U.S. incidents reported and the corresponding number of records reported exposed by the three main sites that track such data: Attrition.org, the Privacy Rights Clearinghouse (PRC), and the Identity Theft Resource Center (ITRC).
Then Thomas Claburn writes “Data Breaches: Getting Worse Or Better?” in Information Week:
The year 2007 may or may not have been a record-setting year in terms of data breaches. Whether it was or wasn’t depends on how one counts.
Then Dissent followed up again, in “Second look: What kind of year was 2007 in terms of data breaches?”
Perhaps it would be more conservative to conclude that we simply don’t know whether the total number of incidents rose, fell, or remained the same (because of the lack of a national disclosure law), but with media sources claiming that it was “record year” in terms of number of incidents, I thought it important to point out where the data do not support that assertion.
…lots of analysis elided
The bottom line is that if we want to make any sense out of data, we need more transparency and mandatory disclosure so that we can get ALL of the numbers on ALL of the incidents.
I’m so eager to jump into this conversation, but have other writing that I need to finish. So go read what Dissent wrote, and I’ll just comment on how excited I am to see the emergence of all of this analysis around breach notices.
DOYLESTOWN, Pennsylvania (AP) — A man who wrote a vulgar message on the memo line of a check he used to pay a $5 parking ticket has apologized in writing, leading police to drop a disorderly conduct charge against him.
David Binner sent the check after receiving a $5 parking ticket. He calls it “a temporary lapse of judgment.”
Clerks were offended by the message, and the disorderly conduct charge was filed because the comment was obscene, police Chief James Donnelly said.
“He was contrite enough to offer an apology, and I think that satisfies the people who were insulted by it,” he said.
Associated Press, via CNN
So what vulgarity was so “obscene” the police had to step in?
“The F-word isn’t what it used to be,” attorney [for the check-writer] Keith Williams said. It doesn’t have a sexual connotation anymore and so can’t be considered obscene, he said.
I guess that about says it. Meanwhile, the local police Chief explains that clerks were “insulted” when they saw this naughty, naughty expression while they were being paid from the public purse.
As an idealistic youth, I read Cohen v. California. So should the Chief:
The ability of government, consonant with the Constitution, to shut off discourse solely to protect others from hearing it is, in other words, dependent upon a showing that substantial privacy interests are being invaded in an essentially intolerable manner. Any broader view of this authority would effectively empower a majority to silence dissidents simply as a matter of personal predilections.