Do Audit Failures Mean That Audit Fails In General?

Iang’s posts are, as a rule, really thought provoking, and his latest series is no exception.
In his most recent post, How many rotten apples will spoil the barrel, he asks:

So we are somewhere in-between the extremes. Some good, some bad. The question then further develops into whether the ones that are good are sufficiently valuable to overcome the ones that are bad. That is, one totally fraudulent result can be absorbed in a million good results. Or, if something is audited, even badly or with a percentage chance of bad results, some things should be improved, right?

This is a fascinating question. How do we measure how well Audit works? Are we, in fact, better off Auditing even with the issues we’ve recently faced? Or as Ian puts it:

How many is a few? One failed audit is not enough. But 10 might be, or 100, or 1% or 10%, it all depends. So we need to know some sort of threshold, past which, the barrel is worthless. Once we determine that some percentage of audits above the threshold are bad, all of them are dead, because confidence in the system fails and all audits become ignored by those that might have business in relying on them.

We clearly need someone with a Levitt-esque mindset who can come up with a creative way of solving this measurement problem we have on our hands…

Wells Fargo vs Wells Fargo


You can’t expect a bank that is dumb enough to sue itself to know why it is suing itself.

Yet I could not resist asking Wells Fargo Bank NA why it filed a civil complaint against itself in a mortgage foreclosure case in Hillsborough County, Fla.

“Due to state foreclosure laws, lenders are obligated to name and notify subordinate lien holders,” said Wells Fargo spokesman Kevin Waetke.

Being a taxpayer-subsidized, too-big-to-fail institution, it’s possible that one of the few ways for Wells Fargo & Co. (WFC) to know what it is doing is to notify itself with a court filing. (“Wells Fargo Bank Sues Itself“)

As your attorney, I advise you to buy lots of Wells Fargo stock.

(My attorneys will be ensuring that Dave Birch is appropriately notified that I appreciate his pointing this out.)

Origins of time-sync passwords


In “Who Watches the Watchman” there’s an interesting history of watchclocks:

An elegant solution, designed and patented in 1901 by the German engineer A.A. Newman, is called the “watchclock”. It’s an ingenious mechanical device, slung over the shoulder like a canteen and powered by a simple wind-up spring mechanism. It precisely tracks and records a night watchman’s position in both space and time for the duration of every evening. It also generates a detailed, permanent, and verifiable record of each night’s patrol.

The market for these devices was well established when Ken Weiss (corrected from John Brainard; see the update below) invented the SecurID token. In fact, either John or Vin McLellan told me that the reason Security Dynamics built a time-based system was so that it could play in the wandering guard market. The guard needed the SecurID to write a code in a book, and with that, you could determine when he was at a given watch station. Only later did they discover that their device had value for information security. [Update: Vin corrects some of my historical details in the comments.]

Security Dynamics did an impressively good job of building a complete system, and an ecosystem for their devices, by creating plug-in authentication modules for all sorts of things. Frankly, their security wasn’t really great in any theoretical sense. There were relatively obvious flaws, like Mudge’s ‘listen and guess’ attack on the last digit being sent over a cleartext channel. His “Vulnerabilities in OTP’s – SecurID and S/key” was presented at DefCon IV, but I can’t find a copy of the paper. There were more-difficult-to-find flaws, as I pointed out in my “Apparent Weaknesses in the Security Dynamics Client Server Protocol“. Later, Biryukov, Lano and Preneel presented “Cryptanalysis of the Alleged SecurID Hash Function.”

What John, and later Art Coviello, understood far better than Mudge or I did at the time was that the security didn’t really matter all that much. The system and its components needed a baseline of security, and they invested in that, and beyond. They had their system reviewed by top outside experts. They needed to be able to handle the baseline questions about someone tampering with the card, and the algorithms and protocols were kept secret in accordance with practice at the time. (John told me that I settled a debate between their engineers and marketing when I published them. Had I known that, I would have included the hash function in my paper, but on advice of counsel I’d removed it. He called it “waving a red flag in front of Security Dynamics just because you can.”)

What did matter was that their customers were doing better than static passwords, and they mostly delivered, unless Bart Preneel or I was your adversary.

Security Dynamics also won on the usability of the system, relative to other tokens. Some alternatives implemented challenge/response systems. To use them, you needed to enter a challenge, then press enter, then your PIN and enter again, and then type in the response. All prompts and errors were shown on an 8-character LCD display. It was hard to deploy to real people.

Another advantage that Security Dynamics delivered was integration into everything. They had a server of their own, clients to replace /bin/login on a dozen Unixes and on Netware, a GINA plugin for Windows, and Radius and TACACS integration. They made themselves the easiest system to actually deploy. That’s important. A system with much greater security and double the cost of deployment would have been hard to justify.

Anyway, Security Dynamics was a good enough business that when they went to get an RSA license, it turned out to be “easier to buy the company than to get a license.” (As Art Coviello says in this Hearsay podcast with Dennis Fisher.)

And at the end of the day, developing products that people can actually understand and deploy for their protection and risk management is what it’s about. Knowing where to start innovating is a key part of that.

Social Security Numbers are Worthless as Authenticators

The nation’s Social Security numbering system has left millions of citizens vulnerable to privacy breaches, according to researchers at Carnegie Mellon University, who for the first time have used statistical techniques to predict Social Security numbers solely from an individual’s date and location of birth.

The findings, published Monday in The Proceedings of the National Academy of Sciences, are further evidence that privacy safeguards created in the era before powerful computers and ubiquitous networks are increasingly failing, setting up an “architecture of vulnerability” around personal digital information, the researchers said.

“My hope is that publishing these results may open a window of opportunity, so to say, to finally take action,” Mr. Acquisti said. “That S.S.N.’s are bad passwords has been the secret that everybody knows, yet one that so far we have not been able to truly address.”

So reports John Markoff in “Social Security Numbering System Vulnerable to Fraud.”

We’ve all known for a long time that the SSN makes a godawful authenticator. And now Alessandro Acquisti and Ralph Gross have put a final nail in the coffin for anyone using the SSN as an authenticator. I would really hate to be on the witness stand defending a decision to let anyone authenticate to my business with “the last four” because “everyone else is doing it.” Now is the time to go to management and talk to them about improving things.

My favorite response is from the Social Security Administration, “There is an Elephant in the Room; & Everyone’s Social Security Numbers are Written on Its Hide:”

For decades, we have cautioned the private sector, including educational, financial and health care institutions, against using the SSN as a personal identifier.

Ahh, decades of advice. How’s that working out for you guys? I’m sure if you tell everyone just once more, they’ll listen. For the rest of you: not getting going on a fix now will turn out to be career limiting.

Bob Blakely on the Cybersecurity Conversation

Bob Blakely has a thought-provoking blog post which starts:

The Cyberspace Policy Review says “The national dialog on cyber-security must begin today.” I agree. Let’s start the dialog with a conversation about what sacrifices we’re willing to make to get to an acceptable worst-case performance. Here are four questions to get the ball rolling:

Question 1: Are we willing to give anything up?
Question 2: Are we willing to do anything different?
Question 3: Are we willing to take any blame?
Question 4: Are we willing to give any guarantees?

I’d trade 3 & 4 (today) for are we willing to broadly share information about outcomes? I understand that the review (which I’ve yet to read) calls for effective information sharing, which is a goal I support. Will the government lead, and share its own information?

Before we can get to blame and guarantees, we have to have something beyond “best practices” to work from. Without knowing which practices work and which don’t, it makes little sense to distribute blame or to offer a guarantee.

Va Pbaterff Nffrzoyrq, Whyl 4 1776

My usual celebration of Independence day is to post, in its entirety, the Declaration of Independence. It’s very much worth reading, but this year, there’s a little twist, from a delightful story starring Lawren Smithline and Robert Patterson, with a cameo by Thomas Jefferson. Patterson sent Jefferson a letter which read, in part:

“I shall conclude this paper with a specimen of such writing,” he boasted, “which I may safely defy the united ingenuity of the whole human race to decypher to the end of time….”


Well, perhaps it didn’t last until the end of time, but the cipher apparently lasted until now, which is pretty darn good. There’s an article in Harvard Magazine, and one in American Scientist, but the latter is behind a paywall. Finally, the Wall St Journal has an article which mentions both, without linking to either.

I think what I really like about this story is how a mathematician bothered to send his new ciphertext to the author of Virginia’s statute on religious liberty (as our third President preferred to be remembered). Having just finished Steven Johnson’s very enjoyable “The Invention of Air,” I’m struck by how broadly engaged with science and the useful arts the founders were. I think that sending an encrypted letter to President Obama would get you … well, I don’t really want to think about it, having just read the Declaration.

Thoughts on Iran

Our love affair with the Iranian Tweetolution has worn off. The thugs declared their election valid, told their armed representatives to

Sorry, next tweet: go impose some law or order or something, and it was done.

Well, as it often turns out, there was more to it than fits in 140 characters, and the real story is far more complicated. There’s a good write up from StratFor, “The Real Struggle in Iran and Implications for U.S. Dialogue:”

This is because the real struggle in Iran has not yet been settled, nor was it ever about the liberalization of the regime. Rather, it has been about the role of the clergy — particularly the old-guard clergy — in Iranian life, and the future of particular personalities among this clergy.


The key to understanding the situation in Iran is realizing that the past weeks have seen not an uprising against the regime, but a struggle within the regime. Ahmadinejad is not part of the establishment, but rather has been struggling against it, accusing it of having betrayed the principles of the Islamic Revolution. The post-election unrest in Iran therefore was not a matter of a repressive regime suppressing liberals (as in Prague in 1989), but a struggle between two Islamist factions that are each committed to the regime, but opposed to each other.

The Punch Line Goes at the End

The Black Hat conference in Las Vegas always has its share of drama. This year, it’s happened a month before the conference opens. The researcher Barnaby Jack had to cancel his talk, which was to make an Automated Teller Machine spit out a “jackpot” of cash, in the style of a slot machine.

According to reports, the manufacturer of the ATM pressured Jack’s employer, Juniper, to pressure him to withdraw the talk.

I certainly roll my eyes at this. It doesn’t do a lot of good to pressure someone to withdraw their talk.

But even more so, if you’re giving a talk, it behooves you to save the showmanship for the stage. I mean, come on.

Last year, the big cancellation was the team of MIT students who broke the Boston MBTA Charlie Card system. There was a legal injunction put against them that spoilt their presentation. The fault, in my opinion, went to them for naming their talk “How To Get Free Subway Rides For Life.”

Imagine that you are a judge who is interrupted from an otherwise pleasant Saturday by panicky people who want an injunction against a talk with such a dramatic name. You’ll at least listen to them. You decide that sure, no harm to society will come from an injunction from Saturday ’til Monday, and you’d be right. No harm came to society; DefCon was merely a little less interesting.

Now imagine that you are the same judge and you’re asked for an injunction against the talk, “A Practical Cryptanalysis of the Mifare Chip as Implemented in the MBTA.” That one can wait until Monday, and the talk goes on.

In a similar gedanken experiment, imagine that you are the VP of Corporate Communications for the XYZ ATM Corp. You learn that in a few weeks, someone is going to do “ATM Jackpot” with one of your ATMs in some show in Vegas. Despite the fact that someone else in the company approved it, what do you do? You pressure them to cancel. Duh. If you don’t, then you’re going to spend most of August reassuring people about your products, your boss is going to be really ticked at you (after all, isn’t it the job of Corporate Communications to control these things?), and it’s just going to be no fun. This is also why you’re paid the big bucks: to make embarrassments go away.

This is why, if you are a researcher, you do not name your talk “ATM Jackpot”; you name it “Penetration Testing of Standalone Financial Services Systems.” It is only on stage that you fire up the flashing lights and clanging bells and make the ATM spit out C-notes for minutes on end. That would get you all the publicity for your talk that you want, and you actually get to give it.

Remember, do as I say, not as I do. If you have a flashy Black Hat talk, put the punch line at the end of the joke.

Rebellion over an ID plan


What they were emphatically not doing, said Jay Platt, the third-generation proprietor of the ranch, was abiding by a federally recommended livestock identification plan, intended to speed the tracing of animal diseases, that has caused an uproar among ranchers. They were not attaching the recommended tags with microchips that would allow the computerized recording of livestock movements from birth to the slaughterhouse.

“This plan is expensive, it’s intrusive, and there’s no need for it,” Mr. Platt said.

The New York Times reports that not even cattle need Real ID in “Rebellion on the Range Over a Cattle ID Plan.” There’s a web site which is tracking things like

Oklahoma is now mandating Premises ID for anyone wanting participate in the Swine Shows. One more tricky little way that they make “voluntary” into mandatory.

Image: IstockPhoto

Unthinkable Foolishness from TSA

“Flying from Los Angeles to New York for a signing at Jim Hanley’s Universe Wednesday (May 13th), I was flagged at the gate for ‘extra screening’. I was subjected to not one, but two invasive searches of my person and belongings. TSA agents then ‘discovered’ the script for Unthinkable #3. They sat and read the script while I stood there, without any personal items, identification or ticket, which had all been confiscated.

“The minute I saw the faces of the agents, I knew I was in trouble. The first page of the Unthinkable script mentioned 9/11, terror plots, and the fact that the (fictional) world had become a police state. The TSA agents then proceeded to interrogate me, having a hard time understanding that a comic book could be about anything other than superheroes, let alone that anyone actually wrote scripts for comics.” (From Boing Boing, “Comics creator stopped by TSA for carrying script about writer under suspicion by TSA”)

Issues of Unthinkable are only $3.99 each, a bargain! Why not pop over to Boom studios and support the artist?