March 2007 Archives

2007 EFF Pioneer Award

Last Tuesday I accepted my EFF Pioneer Award. Here's an audio of my speech, and here's a blog report from the event.

I am very pleased to receive the award, and am simply stunned by this quote from Cory Doctorow:

Technology could never achieve what the fundamental values of a democratic society can attain. We can change the world with the power of ideas. I defy you to read Bruce’s incredible essays and not have it change the way you think about the world.

EDITED (4/6): Here's a video.

Posted on March 31, 2007 at 10:19 AM • 13 Comments

Crazy Eddie Financial Fraud

This is an old article -- from 2000 -- but the sidebar (at the end) describing how the electronics store Crazy Eddie committed massive financial fraud is fascinating.

There are numerous ways to classify financial statement frauds. Our research divided them into five principal, but related, types. One of the most outrageous aspects of the Crazy Eddie's fraud is that he used all five methods. This is how he did it.

Posted on March 30, 2007 at 6:33 AM • 20 Comments

Mennonites and Photo IDs

Mennonites are considering moving to a different state because they don't want their photo taken for their driver's licenses. Many (all?) states had religious exemptions to the photo requirement, but now fewer do.

The most interesting paragraph to me is the last one, though:

And in Pennsylvania, Dr. Kraybill said, a law requiring photo identification to buy guns has prompted many Amish hunters to hire non-Amish neighbors to buy guns for them.

Sounds like the photo-ID requirement is backfiring in this case.

Posted on March 29, 2007 at 2:54 PM • 67 Comments

Security Plus Privacy

The Royal Academy of Engineering (in the UK) has just published a report: "Dilemmas of Privacy And Surveillance: Challenges of Technological Change" (press release here) where they argue that security and privacy are not in opposition, and that we can have both if we're sensible about it.

Recommendations

R1 Systems that involve the collection, checking and processing of personal information should be designed in order to diminish the risk of failure as far as reasonably practicable. Development of such systems should make the best use of engineering expertise in assessing and managing vulnerabilities and risks. Public sector organisations should take the lead in this area, as they collect and process a great deal of sensitive personal data, often on a non-voluntary basis.

R2 Many failures can be foreseen. It is essential to have procedures in place to deal with the consequences of failure in systems used to collect, store or process personal information. These should include processes for aiding and compensating individuals who are affected.

R3 Human rights law already requires that everyone should have their reasonable expectation of privacy respected and protected. Clarification of what counts as a reasonable expectation of privacy is necessary in order to protect this right and a public debate, including the legal, technical and political communities, should be encouraged in order to work towards a consensus on the definition of what is a 'reasonable expectation'. This debate should take into account the effect of an easily searchable Internet when deciding what counts as a reasonable expectation of privacy.

R4 The powers of the Information Commissioner should be extended. Significant penalties -- including custodial sentences -- should be imposed on individuals or organisations that misuse data. The Information Commissioner should also have the power to perform audits and to direct that audits be performed by approved auditors in order to encourage organisations to always process data in accordance with the Data Protection Act. A public debate should be held on whether the primary control should be on the collection of data, or whether it is the processing and use of data that should be controlled, with penalties for improper use.

R5 Organisations should not seek to identify the individuals with whom they have dealings if all they require is authentication of rightful access to goods or services. Systems that allow automated access to a service such as public transport should be developed to use only the minimal authenticating information necessary. When organisations do desire identification, they should be required to justify why identification, rather than authentication, is needed. In such circumstances, a minimum of identifying information should be expected.

R6 Research into the effectiveness of camera surveillance is necessary, to judge whether its potential intrusion into people's privacy is outweighed by its benefits. Effort should be put into researching ways of monitoring public spaces that minimise the impact on privacy -- for example, pursuing engineering research into developing effective means of automated surveillance which ignore law-abiding activities.

R7 Information technology services should be designed to maintain privacy. Research should be pursued into the possibility of 'designing for privacy' and a concern for privacy should be encouraged amongst practising engineers and engineering teachers. Possibilities include designing methods of payment for travel and other goods and services without revealing identity and protecting electronic personal information by using similar methods to those used for protecting copyrighted electronic material.

R8 There is need for clarity on the rights and expectations that individuals have over their personal information. A digital charter outlining an individual's rights and expectations over how their data are managed, shared and protected would deliver that clarity. Access by individuals to their personal data should also be made easier; for example, by automatically providing free copies of credit reports annually. There should be debate on how personal data are protected -- how it can be ensured that the data are accurate, secure and private. Companies, or other trusted, third-party organisations, could have the role of data banks -- trusted guardians of personal data. Research into innovative business models for such companies should be encouraged.

R9 Commercial organisations that select their customers or vary their offers to individuals on the basis of profiling should be required, on request, to divulge to the data subjects that profiling has been used. Profiling will always be used to differentiate between customers, but unfair or excessively discriminating profiling systems should not be permitted.

R10 Data collection and use systems should be designed so that there is reciprocity between data subjects and owners of the system. This includes transparency about the kinds of data collected and the uses intended for it; and data subjects having the right to receive clear explanations and justifications for data requests. In the case of camera surveillance, there should be debate on and research into ways to allow the public some level of access to the images captured by surveillance cameras.

The whole thing is worth reading, as is this article from The Register.

Posted on March 29, 2007 at 11:11 AM • 13 Comments

Teenagers and Risk Assessment

In an article on auto-asphyxiation, there's commentary on teens and risk:

But the new debate also coincides with a reassessment of how teenagers think about risk. Conventional wisdom said adolescents often flirted with the edges of danger because they felt invulnerable.

Newer studies have dismissed that notion. They say that most teenagers are quite cool-headed in assessing risk and reward -- and that is what sometimes gets them in trouble. Adults, by contrast, are more likely to rely on experience or gut feelings than rational calculation.

Asked whether it would ever make sense to play Russian roulette for a million dollars, for example, most adults immediately say no, said Valerie F. Reyna, a professor of human development and psychology at Cornell University.

But when Professor Reyna asks teenagers the same question in intervention sessions to teach smarter risk-taking behavior, they often stop to calculate or debate, she said -- what exactly would the odds be of getting the chamber with the bullet?

"I use the example to try to get them to see that thinking rationally like that doesn't always lead to rational choices," she said.

Of course, reality is always more complicated. We can invent fictional scenarios where it makes sense to play that game of Russian roulette. Imagine you have terminal cancer, and that million dollars would make a huge difference to your survivors. You might very well take the risk.

Posted on March 29, 2007 at 6:48 AM • 47 Comments

Al-Qaeda or Teens?

From The Onion:

"In this day and age, it's important for law-enforcement officials to consider global threats as well as local ones," Steinhorst said. "We could be dealing with an al-Qaeda sleeper cell attempting to collect information that they could use to plan a terrorist strike or some of those goth kids who knocked over that mailbox. Neither group has any respect for the law."

Excellent parody.

Posted on March 28, 2007 at 3:45 PM • 16 Comments

Body Armor for Children

In the UK, parents are buying body armor for children.

One type of risk we consistently overestimate is risks involving our children.

Posted on March 28, 2007 at 1:18 PM • 49 Comments

Singapore's Vast Data Mining Program

Details are here. What's troubling to me is that even though Congress pulled funding for the program, it was developed elsewhere and now may be sold back to the U.S.

Posted on March 26, 2007 at 3:44 PM • 21 Comments

The U.S. Terrorist Database

Interesting article about the terrorist database: Terrorist Identities Datamart Environment (TIDE).

It's huge:

Ballooning from fewer than 100,000 files in 2003 to about 435,000, the growing database threatens to overwhelm the people who manage it. "The single biggest worry that I have is long-term quality control," said Russ Travers, in charge of TIDE at the National Counterterrorism Center in McLean. "Where am I going to be, where is my successor going to be, five years down the road?"

TIDE has also created concerns about secrecy, errors and privacy. The list marks the first time foreigners and U.S. citizens are combined in an intelligence database. The bar for inclusion is low, and once someone is on the list, it is virtually impossible to get off it. At any stage, the process can lead to "horror stories" of mixed-up names and unconfirmed information, Travers acknowledged.

Mostly the article tells you things you already know: the list is riddled with errors, and there's no defined process for getting on or off the list. But the most surreal quote is at the end, from Rick Kopel, the center's acting director:

The center came in for ridicule last year when CBS's "60 Minutes" noted that 14 of the 19 Sept. 11 hijackers were listed -- five years after their deaths. Kopel defended the listings, saying that "we know for a fact that these people will use names that they believe we are not going to list because they're out of circulation -- either because they're dead or incarcerated. . . . It's not willy-nilly. Every name on the list, there's a reason that it's on there."

Get that? There's someone who deliberately puts wrong names on the list because they think the terrorists might use aliases, and they want to catch them. Given that reasoning, wouldn't you want to put the entire phone book on the list?

Posted on March 26, 2007 at 2:05 PM • 35 Comments

10,000 Fake British Passports in One Year

This is the kind of thing that demonstrates why attempts to make passports harder to forge are not the right way to spend security dollars. These aren't fake passports; they're real ones mis-issued. They have RFID chips and any other anti-counterfeiting measure the British government includes.

The weak link in identity documents is the issuance procedures, not the documents themselves.

Posted on March 26, 2007 at 6:46 AM • 36 Comments

Friday Squid Blogging: Readying the 1000-lb Squid for Science

Interesting challenges:

"It's got to be thawed out slowly. You can't put hot water on it, you've just got to thaw it out naturally," says Te Papa's mollusca collections manager Bruce Marshall.

To minimise handling of the precious specimen, the colossal squid will probably have its temperature raised, over days, in the tank in which it will finally be "fixed".

"We don't want to move it too much," says Marshall.

"When a thing like that is in the water, it's neutrally buoyant.

"But, of course, when you get it out of the water, you've got a big lump of weight and you could try lifting it and your hands would go right through.

"Already it's got puncture marks from the net."

Once un-frozen, the creature will be fixed, or embalmed, and then a long-term preservative will be used.

"What I mean by a fixing tank is a tank that you lay it out in, in a natural position, and you then make all the adjustments -- align all the arms, pack out the body and all of that. Then you have it in a, say, 5% formalin solution.

"It will require the biggest tank of anything we've got."

In further news, it might be microwaved. It's actually a hard problem: how do you ensure that the defrosted parts don't rot while waiting for the rest of it to defrost?

Posted on March 23, 2007 at 4:10 PM • 14 Comments

Misplacing the Blame in Personal Identity Thefts

Really good article:

In a recent dissection of the connection between gaming and violence, the term "folk devil" was used to describe something that can be labeled dangerous in order to assign blame in a case where the causes are complex and unclear. The new paper suggests that hackers have become the folk devils of computer security, stating that "even though the campaign against hackers has successfully cast them as the primary culprits to blame for insecurity in cyberspace, it is not clear that constructing this target for blame has improved the security of personal digital records."

Part of this argument is based on the contention that many of the criminal groups that engage in illicit access to records are culturally distinct from the hacker community and that the hacker community proper is composed of a number of subcultures, some of which may access personal data without distributing it.

But, even if a more liberal definition of hacker is allowed, they still account for far less than half of the data losses. The report states that "60 percent of the incidents involve missing or stolen hardware, insider abuse or theft, administrative error, or accidentally exposing data online."

Those figures come from analyzing the data while eliminating a single event, the compromise of 1.6 billion records at Acxiom. The Acxiom data loss is informative, as it reveals how what could be categorized as a hack involves institutional negligence. The records stolen from the company were taken by an employee that had access to Acxiom servers in order to upload data. That employee gained download access because Acxiom set the same passwords for both types of access.

Posted on March 23, 2007 at 10:29 AM • 18 Comments

Dutch eVoting Scandal

Interesting:

His software is used with the Nedap voting machines currently used in 90 per cent of the electoral districts, and although it is not used in the actual vote count, it does tabulate the results on both a regional and national level.

According to the freedom of information disclosures, Groenendaal wrote to election officials in the lead up to the national elections in November 2006, threatening to cease "cooperating" if the government did not accede to his requests.

Posted on March 23, 2007 at 6:12 AM • 24 Comments

American Express Patenting Tracking People via RFID

Interesting story. I don't know how serious AmEx is about this, but it certainly is a good illustration of the possibilities of the technology.

Posted on March 22, 2007 at 3:31 PM • 26 Comments

Diplomatic Immunity

Interesting article about diplomatic immunity as a "get out of jail free" card in Germany.

Shopping for free involves no legal consequences for the roughly 6,000 diplomats in Berlin and their families. Protected by diplomatic immunity as guaranteed under international law, members of the diplomatic service have all sorts of options not available to others. They can ignore red lights without fear of being fined, race through a speed trap drunk, bully the maid or refuse to pay the workman's bills.

Berlin's public prosecutor's office registered about 100 such offenses last year, including theft, traffic violations, fleeing the scene of accidents, and inflicting bodily harm. No one is keeping precise statistics. Those who get caught need only show their red diplomatic passport to get off scot-free in most cases.

Of course they're being counterfeited:

It seems like everybody wants one of those nice red "get out of jail free" cards these days: Senior prosecutor Karlheinz Dalheimer warns that "counterfeit diplomatic passports have been a major problem recently."

Posted on March 22, 2007 at 1:44 PM • 36 Comments

Incompetence at the Border

Tom Kyte, Oracle database expert, relays a surreal story of a border crossing into the U.S. from Canada:

He clicks on it and it asks for a password. He looks surprised and says "it needs a password". I was like - that is OK, I have it, here you go... Now he is logged in. But -- my desktop looks a tad different from most -- there is no IE on the desktop, just the recycle bin and a folder called programs -- nothing else.

He really doesn't know what to do now. No special searching software, nothing. He looks at me and says "you know what we are doing here right?". I said -- not really (I knew what we were doing, I read the news and all, but just said "no"). "Well" he says "we are looking for pornography". Ahh I say... Ok, no problem.

But he is stuck. There is nothing familiar. So he clicks on the start menu and finds "My Pictures". You know, if I was into that -- that is precisely where I would stick all of my porn -- right there in "My Pictures". He goes into it -- and sees all of my folders. And all of my pictures, which we looked at. He said "wow, you travel a lot", I said "yup".

Posted on March 22, 2007 at 10:39 AM • 62 Comments

The Ultimate Movie Plot Threat: Killer Asteroids

There's not enough money to track them:

NASA officials say the space agency is capable of finding nearly all the asteroids that might pose a devastating hit to Earth, but there isn't enough money to pay for the task so it won't get done.

The cost to find at least 90 percent of the 20,000 potentially hazardous asteroids and comets by 2020 would be about $1 billion, according to a report NASA will release later this week. The report was previewed Monday at a Planetary Defense Conference in Washington.

Congress in 2005 asked NASA to come up with a plan to track most killer asteroids and propose how to deflect the potentially catastrophic ones.

"We know what to do, we just don't have the money," said Simon "Pete" Worden, director of NASA's Ames Research Center.

The hardest risks to evaluate are the ones with very low probability of occurring and a very high cost if they do. Large-scale terrorist attacks are like that; so are asteroid collisions.

Posted on March 22, 2007 at 6:03 AM • 35 Comments

Google's New Privacy Rules

It's a good change, but I'm not sure it is enough. I'd really prefer it if Google deleted the information after a shorter time.

Posted on March 21, 2007 at 1:51 PM • 20 Comments

Stealing Data from Disk Drives in Photocopiers

This is a threat I hadn't thought of before:

Now, experts are warning that photocopiers could be a culprit as well.

That's because most digital copiers manufactured in the past five years have disk drives -- the same kind of data-storage mechanism found in computers -- to reproduce documents.

As a result, the seemingly innocuous machines that are commonly used to spit out copies of tax returns for millions of Americans can retain the data being scanned.

If the data on the copier's disk aren't protected with encryption or an overwrite mechanism, and if someone with malicious motives gets access to the machine, industry experts say sensitive information from original documents could get into the wrong hands.

Posted on March 21, 2007 at 12:10 PM • 20 Comments

Stealing and Reselling Phone Minutes

Interesting new variation of phone fraud:

For the telecoms, the profit is in using VoIP to deliver calls from one phone to another. That requires a "gateway" server to connect a carrier's phone network to the Net. Phreakers break into these gateways, steal "voice minutes" and sell them to other, usually smaller, telecoms. Many of these firms then sell printed phone cards or operate call centers. "It's a great racket," says Justin Newman, CEO of BinFone Telecom of Baltimore, which has been stung by phreakers.

Posted on March 21, 2007 at 11:20 AM • 12 Comments

Citizen Counter-Terrorists

The greater Manchester police want everyone to help them find terrorists:

In a new anti-terror drive, a tip-off hotline is being relaunched and an advertising campaign will urge people to report any suspicious behaviour. It asks:

* Do you know anyone who travels but is vague on where they're going?

* Do you know someone with documents in different names for no obvious reason?

* Do you know someone buying large or unusual quantities of chemicals for no obvious reason?

* Handling chemicals is dangerous, maybe you've seen goggles or masks dumped somewhere?

* If you work in commercial vehicle hire or sales, has a sale or rental made you suspicious?

* Have you seen someone with large quantities of mobiles?

* Have you seen anyone taking pictures of security arrangements?

* Do you know someone who visits terrorist-related websites?

* Have you seen any suspicious cheque or credit card transactions?

* Is someone asking for a short-term let on a house or flat on a cash basis for no apparent reason?

This reminds me of TIPS, the ill-conceived U.S. program to have meter readers and the like -- people who regularly enter people's homes -- report suspicious activity to the police. It's just dumb; people will report each other because their food smells wrong, or they talk in a funny language. The system will be swamped with false alarms, which police will have to waste their time following up on. This sort of state-sponsored snitchery is something you'd expect out of the former East Germany, or the Soviet Union -- not the U.K.

For comparison's sake, here's a similar program that I actually liked.

Posted on March 20, 2007 at 12:26 PM • 44 Comments

Volvo's "Heartbeat Sensor"

Here's a great example of security theater:

The Personal Car Communicator (PCC) is your car key's smart connection with your Volvo S80 applying the latest in two-way radio technology. When in range, you'll always know the status of your car. Locked or unlocked. Alarm activated or not. If the alarm has been activated, the heartbeat sensor will also tell you if there is someone inside the car. The PCC also includes keyless entry and keyless drive.

I'll wager that it will sell, though, because it taps directly into people's fears.

Does anyone know how it works? Sound? Something else?

Posted on March 20, 2007 at 10:46 AM • 60 Comments

U.S. Patent Office Spreads FUD About Music Downloads

It's simply amazing:

The United States Patent and Trademark Office claims that file-sharing sites could be setting up children for copyright infringement lawsuits and compromising national security.

"A decade ago, the idea that copyright infringement could become a threat to national security would have seemed implausible," Patent and Trademark Director Jon Dudas said in a report released this week. "Now, it's a sad reality."

The report, which the patent office recently forwarded to the U.S. Department of Justice, states that peer-to-peer networks could manipulate sites so children violate copyright laws more frequently than adults. That could make children the target in most copyright lawsuits and, in turn, make those protecting their material appear antagonistic, according to the report.

File-sharing software also could be to blame for government workers who expose sensitive data and jeopardize national security after downloading free music on the job, the report states.

What happened? Did someone in the entertainment industry bribe the PTO to write this?

Report here.

Posted on March 20, 2007 at 6:58 AM • 26 Comments

Social Engineering Diamond Theft

Nice story:

In what may be the biggest robbery committed by one person, the conman burgled safety deposit boxes at an ABN Amro bank in Antwerp's diamond quarter, stealing gems weighing 120,000 carats. Posing as a successful businessman, the thief visited the bank frequently, befriending staff and gradually winning their confidence. He even brought them chocolates, according to one diamond industry official.

[...]

Mr Claes said of the thief: "He used no violence. He used one weapon -- and that is his charm -- to gain confidence. He bought chocolates for the personnel, he was a nice guy, he charmed them, got the original of keys to make copies and got information on where the diamonds were.

"You can have all the safety and security you want, but if someone uses their charm to mislead people it won't help."

People are the weakest security link, almost always.

Posted on March 19, 2007 at 3:42 PM • 22 Comments

Terrorist Bus Drivers

I thought we were done with this scary-story-but-nothing-to-worry-about stuff:

The FBI has issued an "informational bulletin" to state and local officials saying to watch out for people tied to extremist groups trying to earn licenses to drive school buses.

The Associated Press reports that members of the unnamed extremist groups have succeeded in gaining the drivers licenses, but a Department of Homeland Security official told FOX News that "at this time there is no evidence that any of these individuals have got these jobs, or got hold of school buses."

"There is no plot. There is no threat. And parents and children can feel perfectly safe," FBI spokesman Richard Kolko told FOXNews.com.

Wacky.

EDITED TO ADD (3/20): Cory Doctorow has some more terrorist possibilities not to worry about.

Posted on March 19, 2007 at 1:51 PM • 40 Comments

Privacy Law and Confidentiality

Interesting article: Neil M. Richards & Daniel J. Solove, "Privacy's Other Path: Recovering the Law of Confidentiality," 96 Georgetown Law Journal, 2007.

Abstract:

The familiar legend of privacy law holds that Samuel Warren and Louis Brandeis "invented" the right to privacy in 1890, and that William Prosser aided its development by recognizing four privacy torts in 1960. In this article, Professors Richards and Solove contend that Warren, Brandeis, and Prosser did not invent privacy law, but took it down a new path. Well before 1890, a considerable body of Anglo-American law protected confidentiality, which safeguards the information people share with others. Warren, Brandeis, and later Prosser turned away from the law of confidentiality to create a new conception of privacy based on the individual's "inviolate personality." English law, however, rejected Warren and Brandeis's conception of privacy and developed a conception of privacy as confidentiality from the same sources used by Warren and Brandeis. Today, in contrast to the individualistic conception of privacy in American law, the English law of confidence recognizes and enforces expectations of trust within relationships. Richards and Solove explore how and why privacy law developed so differently in America and England. Understanding the origins and developments of privacy law's divergent paths reveals that each body of law's conception of privacy has much to teach the other.

Posted on March 19, 2007 at 6:39 AM • 8 Comments

For Sale: Fake Work Authorization Card

You can buy a fake U.S. Employment Authorization card (here's a real version) for $200.

Notice how all the security features of the card are faked -- very well.

Posted on March 16, 2007 at 1:07 PM • 30 Comments

BT Interview on Security

As part of BT's Big Thinkers series, Esther Dyson interviewed me and two other people (Risto Siilasmaa, Chairman of F-Secure Corporation; and Michael Barrett, PayPal's CISO) on network security issues. It was interesting and fun.

The other interviews in the series are here.

Posted on March 15, 2007 at 3:03 PM • 6 Comments

Making Another 9/11 Impossible

I'm tired of headlines like this:

New autopilot "will make another 9/11 impossible"

Why are people so narrowly focused? The goal isn't to protect against another 9/11. The goal is to protect against another horrific terrorist incident.

Stop focusing on the tactics, people. Look at the broad threats.

I've written about this particular countermeasure before.

Posted on March 15, 2007 at 7:42 AM • 55 Comments

Find Out if You're on the "No Fly List"

I'm not. Are you?

Soundex works, generally, by removing vowels from names and then assigning numerical values to the remaining consonants.

This has been the basis for the Computer Assisted Passenger Pre-Screening System (CAPPS) and it is horrendously inadequate and matches far too many names. To see just how poorly Soundex performs, visit nofly.s3.com and type in your name to assess your chances of being on the No Fly or Watch List. This is the only known publicly available site for checking your name against potential terrorist identities and databases. It was developed by S3 Matching Technologies of Austin, Texas. The company's database technicians merged the best known data on terrorists with the Soundex system to create the site.

Posted on March 14, 2007 at 7:51 AM • 60 Comments
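An added illustration of the over-matching described in the post above (not code from this blog, the quoted article, or S3's site): standard American Soundex in Python, run over constructed passenger and watchlist names. The name lists and the `name_key` and `screen` helpers are assumptions for illustration; the page does not say how CAPPS combines name fields.

```python
"""Soundex over-matching demo (added example; every name below is constructed)."""
import string
from collections import defaultdict

# Standard American Soundex consonant classes; vowels and y carry no code.
_CLASSES = {"1": "bfpv", "2": "cgjkqsxz", "3": "dt", "4": "l", "5": "mn", "6": "r"}
CODES = {ch: digit for digit, letters in _CLASSES.items() for ch in letters}


def soundex(name):
    """Return the 4-character American Soundex code for one name token."""
    letters = [c for c in name.lower() if c in string.ascii_lowercase]
    if not letters:
        return ""
    out = [letters[0].upper()]
    prev = CODES.get(letters[0], "")  # the first letter's class still suppresses repeats
    for ch in letters[1:]:
        if ch in "hw":
            continue  # h and w do not separate two consonants of the same class
        code = CODES.get(ch, "")
        if code and code != prev:
            out.append(code)
            if len(out) == 4:
                break
        prev = code  # a vowel resets prev to "", so a repeat after it is coded again
    return "".join(out).ljust(4, "0")


def name_key(full_name):
    """Hypothetical matching key: Soundex of the first and last tokens."""
    parts = full_name.split()
    if not parts:
        return ("", "")
    return (soundex(parts[0]), soundex(parts[-1]))


def screen(passengers, watchlist):
    """Map each passenger to the watchlist entries sharing its Soundex key."""
    index = defaultdict(list)
    for entry in watchlist:
        index[name_key(entry)].append(entry)
    hits = {}
    for passenger in passengers:
        matched = index.get(name_key(passenger))
        if matched:
            hits[passenger] = list(matched)
    return hits


# Constructed sample data: two list entries, eight unrelated travellers.
WATCHLIST = ["Jon Larsen", "Ana Moreno"]
PASSENGERS = [
    "John Larson", "Jane Larkin", "Jenny Largent", "Joan Larsson",
    "Amy Marin", "Anne Moran", "Maria Lopez", "Peter Novak",
]

if __name__ == "__main__":
    hits = screen(PASSENGERS, WATCHLIST)
    for passenger in PASSENGERS:
        status = "FLAGGED as " + ", ".join(hits[passenger]) if passenger in hits else "clear"
        print(f"{passenger:15} {name_key(passenger)}  {status}")
    print(f"{len(hits)} of {len(PASSENGERS)} flagged; none is an exact match")
```

Because the code keeps only the initial letter and three consonant classes, Larson, Larkin, Largent and Larsson all collapse to `L625`, which is why a two-entry list flags six of the eight constructed travellers.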

The Difficulty of Profiling Terrorists

Interesting article:

A recently completed Dutch study of 242 Islamic radicals convicted or accused of planning terrorist attacks in Europe from 2001 to 2006 found that most were men of Arab descent who had been born and raised in Europe and came from lower or middle-class backgrounds. They ranged in age from 16 to 59 at the time of their arrests; the average was 27. About one in four had a criminal record.

The author of the study, Edwin Bakker, a researcher at the Clingendael Institute in The Hague, tried to examine almost 20 variables concerning the suspects' social and economic backgrounds. In general, he determined that no reliable profile existed -- their traits were merely an accurate reflection of the overall Muslim immigrant population in Europe. "There is no standard jihadi terrorist in Europe," the study concluded.

In an interview, Bakker said that many local police agencies have been slow to abandon profiling, but that most European intelligence agencies have concluded it is an unreliable tool for spotting potential terrorists. "How can you single them out? You can't," he said. "For the secret services, it doesn't give them a clue. We should focus more on suspicious behavior and not profiling."

Posted on March 13, 2007 at 5:42 PM • 43 Comments

Airport Credentials Manipulated to Commit Crime

Some airport baggage handlers used their official credentials to bypass security and smuggle guns and marijuana onto an airplane.

This kind of thing is inevitable. Whenever you have a system that requires trusted people -- that is, every security system -- there is the possibility that those trusted people will not behave in a trustworthy manner.

But there are ways of minimizing this risk.

Posted on March 13, 2007 at 3:30 PM • 23 Comments

FBI Issued Illegal National Security Letters Under USA PATRIOT Act

A new Justice Department report concludes that the FBI broke the law in its use of the Patriot Act to secretly obtain phone, business, and financial data about people in the U.S.

The Justice Department's inspector general has prepared a scathing report criticizing how the F.B.I. uses a form of administrative subpoena to obtain thousands of telephone, business and financial records without prior judicial approval.

The report, expected to be issued on Friday, says that the bureau lacks sufficient controls to make sure the subpoenas, which do not require a judge's prior approval, are properly issued and that it does not follow even some of the rules it does have.

From the Associated Press:

The FBI's transgressions were spelled out in a damning 126-page audit by Justice Department Inspector General Glenn A. Fine. He found that agents sometimes demanded personal data on people without official authorization, and in other cases improperly obtained telephone records in non-emergency circumstances.

The audit also concluded that the FBI for three years underreported to Congress how often it used national security letters to ask businesses to turn over customer data. The letters are administrative subpoenas that do not require a judge's approval.

[...]

Under the Patriot Act, the national security letters give the FBI authority to demand that telephone companies, Internet service providers, banks, credit bureaus and other businesses produce personal records about their customers or subscribers. About three-fourths of the letters issued between 2003 and 2005 involved counterterror cases, with the rest for espionage investigations, the audit reported.

Shoddy record-keeping and human error were to blame for the bulk of the problems, said Justice auditors, who were careful to note they found no indication of criminal misconduct.

Here's the report (mirrored here), and here's a BoingBoing post on the topic; also, this Wired article. And this by Daniel Solove.

Posted on March 12, 2007 at 3:55 PM • 33 Comments

Interview with Sandia Whistleblower

Interesting interview with Shawn Carpenter, the Sandia National Labs whistleblower who just won a $4.3 million lawsuit for wrongful termination.

What prompted you to conduct that independent investigation into the Sandia intrusion in the first place?

As a network intrusion detection analyst, I regularly used similar "back-hacking" techniques in the past to recover stolen Sandia password files and retrieve evidence to assist in system and network compromise investigations.

We were able to better defend our networks as a direct result of the intelligence we gained. I authored in-depth analyses of these intrusions that were sent for reporting and educational purposes to the Department of Energy's (DOE) Computer Incident Advisory Capability (CIAC), investigators at the DOE Inspector General (IG), Sandia Counterintelligence, DOE Cyber Counterintelligence, Sandia IT management and my entire department. Even to a novice, it was obvious after reading the analyses how intelligence was gleaned on the adversaries.

For example, phrases substantially similar to this were used in my reports: "I used their credentials to access the systems in Brazil and China, identify their hacking tool caches, and [pulling] down all of their tools, e-mails and other information to aid in their identification." Numerous exhibits of these activities were presented at trial for the jurors. In a meeting with them after the verdict was rendered, even the less cyber-savvy folks understood what the e-mails represented.

What were you hoping to achieve through this investigation?

My objective started out with a purpose similar to the other investigations I engaged in while at Sandia. The difference in this instance was that the rabbit hole went much deeper than I imagined.

In late May of 2004, one of my investigations turned up a large cache of stolen sensitive documents hidden on a server in South Korea. In addition to U.S. military information, there were hundreds of pages of detailed schematics and project information marked "Lockheed Martin Proprietary Information - Export Controlled" that were associated with the Mars Reconnaissance Orbiter. Ironically, Sandia Corp., the private company that manages Sandia National Laboratories, is a subsidiary of Lockheed Martin Corp. It was this discovery that prompted my meeting with [supervisors] and when I was told that "it was not my concern." Later, I turned it over to the U.S. Army and the FBI and helped investigate how it was taken and where the path led.

Posted on March 12, 2007 at 6:56 AM • 29 Comments

Changing Generational Notions of Privacy

Interesting article.

And after all, there is another way to look at this shift. Younger people, one could point out, are the only ones for whom it seems to have sunk in that the idea of a truly private life is already an illusion. Every street in New York has a surveillance camera. Each time you swipe your debit card at Duane Reade or use your MetroCard, that transaction is tracked. Your employer owns your e-mails. The NSA owns your phone calls. Your life is being lived in public whether you choose to acknowledge it or not.

So it may be time to consider the possibility that young people who behave as if privacy doesn’t exist are actually the sane people, not the insane ones. For someone like me, who grew up sealing my diary with a literal lock, this may be tough to accept. But under current circumstances, a defiant belief in holding things close to your chest might not be high-minded. It might be an artifact—quaint and naïve, like a determined faith that virginity keeps ladies pure. Or at least that might be true for someone who has grown up "putting themselves out there" and found that the benefits of being transparent make the risks worth it.

Shirky describes this generational shift in terms of pidgin versus Creole. "Do you know that distinction? Pidgin is what gets spoken when people patch things together from different languages, so it serves well enough to communicate. But Creole is what the children speak, the children of pidgin speakers. They impose rules and structure, which makes the Creole language completely coherent and expressive, on par with any language. What we are witnessing is the Creolization of media."

Posted on March 9, 2007 at 7:28 AM • 21 Comments

Copycats

It's called "splash-and-grab," and it's a new way to rob convenience stores. Two guys walk into a store, and one comes up to the counter with a cup of hot coffee or cocoa. He pays for it, and when the clerk opens the cash drawer, he throws the coffee in the clerk's face. The other one grabs the cash drawer, and they both run.

Crimes never change, but tactics do. This tactic is new; someone just invented it. But now that it's in the news, copycats are repeating the trick. There have been at least 19 such robberies in Delaware, Pennsylvania and New Jersey. (Some arrests have been made since then.)

Here's another example: On Nov. 24, 1971, someone with the alias Dan Cooper invented a new way to hijack an aircraft. Claiming he had a bomb, he forced a plane to land and then exchanged the passengers and flight attendants for $200,000 and four parachutes. (I leave it as an exercise for the reader to explain why asking for more than one parachute is critical to the plan's success.) Taking off again, he told the pilots to fly to 10,000 feet. He then lowered the plane's back stairs and parachuted away. He was never caught, and the FBI still doesn't know who he is or whether he survived.

After this story hit the press, there was an epidemic of copycat attacks. In 31 hijackings the following year, half of the hijackers demanded parachutes. It got so bad that the FAA required Boeing to install a special latch -- the Cooper Vane -- on the back staircases of its 727s so they couldn't be lowered in the air.

The internet is filled with copycats. Green-card lawyers invented spam; now everyone does it. Other people invented phishing, pharming, spear phishing. The virus, the worm, the Trojan: It's hard to believe that these ubiquitous internet attack tactics were, until comparatively recently, tactics that no one had thought of.

Most attackers are copycats. They aren't clever enough to invent a new way to rob a convenience store, use the web to steal money, or hijack an airplane. They try the same attacks again and again, or read about a new attack in the newspaper and decide they can try it, too.

In combating threats, it makes sense to focus on copycats when there is a population of people already willing to commit the crime, who will migrate to a new tactic once it has been demonstrated to be successful. In instances where there aren't many attacks or attackers, and they're smarter -- al-Qaida-style terrorism comes to mind -- focusing on copycats is less effective because the bad guys will respond by modifying their attacks accordingly.

Compare that to suicide bombings in Israel, which are mostly copycat attacks. The authorities basically know what a suicide bombing looks like, and do a pretty good job defending against the particular tactics they tend to see again and again. It's still an arms race, but there is a lot of security gained by defending against copycats.

But even so, it's important to understand which aspect of the crime will be adopted by copycats. Splash-and-grab crimes have nothing to do with convenience stores; copycats can target any store where hot coffee is easily available and there is only one clerk on duty. And the tactic doesn't necessarily need coffee; one copycat used bleach. The new idea is to throw something painful and damaging in a clerk's face, grab the valuables and run.

Similarly, when a suicide bomber blows up a restaurant in Israel, the authorities don't automatically assume the copycats will attack other restaurants. They focus on the particulars of the bomb, the triggering mechanism and the way the bomber arrived at his target. Those are the tactics that copycats will repeat. The next target may be a theater or a hotel or any other crowded location.

The lesson for counterterrorism in America: Stay flexible. We're not threatened by a bunch of copycats, so we're best off expending effort on security measures that will work regardless of the tactics or the targets: intelligence, investigation and emergency response. By focusing too much on specifics -- what the terrorists did last time -- we're wasting valuable resources that could be used to keep us safer.

This essay originally appeared on Wired.com.

Posted on March 8, 2007 at 3:23 PM • 41 Comments

Sky Marshals in Australia

Their cost-effectiveness is being debated:

They've cost the taxpayer $106 million so far, they travel in business class, and over the past four years Australia's armed air marshals have had to act only once — subduing a 68-year-old man who produced a small knife on a flight from Sydney to Cairns in 2003.

I have not seen any similar cost analysis from the United States.

Posted on March 8, 2007 at 7:37 AM • 54 Comments

The Doghouse: Sniffex

It's nothing more than a homeland security scam: a dowsing rod for explosives. That, and a pump-and-dump stock scam.

The site is down, but Google has a cache.

EDITED TO ADD (3/11): Much more here.

EDITED TO ADD (3/19): More info here.

Posted on March 6, 2007 at 7:51 AM • 78 Comments

Friday Squid Blogging: Life of a Squid

PZ Myers regularly blogs about squid; here's an interesting post. It seems that squid grow up fast and die young, and are replacing some slow-maturing fish in the oceans.

Posted on March 2, 2007 at 2:42 PM • 2 Comments

Canadian Anti-Terrorism Law News

Big news:

The court said the men, who are accused of having ties to al-Qaeda, have the right to see and respond to evidence against them. It pointed to a law in Britain that allows special advocates or lawyers to see sensitive intelligence material, but not share details with their clients.

In its ruling, the court said while it's important to protect Canada's national security, the government can do more to protect individual rights.

But the court suspended the judgment from taking legal effect for a year, giving Parliament time to write a new law complying with constitutional principles.

Critics have long denounced the certificates, which can lead to deportation of non-citizens on the basis of secret intelligence presented to a Federal Court judge at closed-door hearings.

Those who fight the allegations can spend years in jail while the case works its way through the legal system. In the end, they can sometimes face removal to countries with a track record of torture, say critics.

And that's not the only piece of good news from Canada. Two provisions from an anti-terrorism law passed at the end of 2001 were due to expire at the end of February. The House of Commons has voted against extending them:

One of the anti-terrorism measures allows police to arrest suspects without a warrant and detain them for three days without charges, provided police believe a terrorist act may be committed. The other measure allows judges to compel witnesses to testify in secret about past associations or pending acts. The witnesses could go to jail if they don't comply.

The two measures, introduced by a previous Liberal government in 2001, have never been used.

"These two provisions especially have done nothing to fight against terrorism," Dion said Tuesday. "[They] have not been helpful and have continued to create some risk for civil liberties."

Another article here.

Posted on March 2, 2007 at 6:54 AM • 11 Comments

Faking Hardware Memory Access

Interesting:

[Joanna] Rutkowska will show how an attacker could prevent forensics investigators from getting a real image of the memory where the malware resides. "Even if they somehow find out that the system is compromised, they will be unable to get the real image of memory containing the malware, and consequently, they will be unable to analyze it," says Rutkowska, senior security researcher for COSEINC.

Posted on March 1, 2007 at 1:33 PM • 19 Comments

Boston Police Blow Up Traffic Counter

Is the Boston police trying to become a national laughing stock?

It's not just the Mooninite blinkies. In 2004, the Boston police harassed a protester by pretending he might be standing on a bomb.

I'm beginning to think that something is seriously wrong with the police chain of command in Boston.

Boston PD: Putting the "error" in "terror."

Posted on March 1, 2007 at 6:27 AM • 78 Comments

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.