Denial-of-Service Attack Against Facebook
Just claim the person is dead. All you need to do is fake an online obituary.
Not a cat burglar, a cat smuggler.
Guards thought there was something suspicious about a little white cat slipping through a prison gate in northeastern Brazil. A prison official says that when they caught the animal, they found a cellphone, drills, small saws and other contraband taped to its body.
Another article, with video.
A prison spokesperson was quoted by local paper Estado de S. Paulo as saying: “It’s tough to find out who’s responsible for the action as the cat doesn’t speak.”
This Wall Street Journal investigative piece is a month old, but well worth reading. Basically, the Total Information Awareness program is back with a different name:
The rules now allow the little-known National Counterterrorism Center to examine the government files of U.S. citizens for possible criminal behavior, even if there is no reason to suspect them. That is a departure from past practice, which barred the agency from storing information about ordinary Americans unless a person was a terror suspect or related to an investigation.
Now, NCTC can copy entire government databases—flight records, casino-employee lists, the names of Americans hosting foreign-exchange students and many others. The agency has new authority to keep data about innocent U.S. citizens for up to five years, and to analyze it for suspicious patterns of behavior. Previously, both were prohibited. Data about Americans “reasonably believed to constitute terrorism information” may be permanently retained.
Note that this is government data only, not commercial data. So while it includes “almost any government database, from financial forms submitted by people seeking federally backed mortgages to the health records of people who sought treatment at Veterans Administration hospitals” as well as lots of commercial data, it’s data the corporations have already given to the government. It doesn’t include, for example, your detailed cell phone bills or your tweets.
See also this supplementary blog post to the article.
Interesting details of an Amazon Marketplace scam. Worth reading.
Most scams use a hook to cause a reaction. The idea being that if you are reacting, they get to control you. If you take the time to stop and think things through, you take control back and can usually spot the scam. Common hooks involve Urgency, Uncertainty, Sex, Fear or Anger. In this case, it’s all about Urgency, Uncertainty and Fear. By setting the price so low, they drive urgency high, as you’re afraid that you might miss the deal. They then compound this by telling me there was an error in the shipment, trying to make me believe they are incompetent and if I act quickly, I can take advantage of their error.
The second email hypes the urgency, trying to get me to pay quickly. I did not reply, but if I had, the next step in a scam like this is to sweeten the deal if I were to act immediately, often by pretending to ship my non-existent camera with a bonus item (like a cell phone) overnight if I give them payment information immediately.
Of course, if I ever did give them my payment information, they’d empty my checking account and, if they’re with a larger attacker group, start using my account to traffic stolen funds.
We’ll see it later this month.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
This is what Facebook gives the police in response to a subpoena. (Note that this isn’t in response to a warrant; it’s in response to a subpoena.) This might be the first one of these that has ever become public.
EDITED TO ADD (1/4): Commenters point out that this case is four years old, and that Facebook claims to have revised its policies since then.
This is a great essay:
Spheres are special shapes for nuclear weapons designers. Most nuclear weapons have, somewhere in them, that spheres-within-spheres arrangement of the implosion nuclear weapon design. You don’t have to use spheres—cylinders can be made to work, and there are lots of rumblings and rumors about non-spherical implosion designs around these here Internets—but spheres are pretty common.
[…]
Imagine the scenario: you’re a security officer working at Los Alamos. You know that spheres are weapon parts. You walk into a technical area, and you see spheres all around! Is that an ashtray, or is it a model of a plutonium pit? Anxiety mounts—does the ashtray go into a safe at the end of the day, or does it stay out on the desk? (Has someone been tapping their cigarettes out into the pit model?)
All of this anxiety can be gone—gone!—by simply banning all non-nuclear spheres! That way you can effectively treat all spheres as sensitive shapes.
What I love about this little policy proposal is that it illuminates something deep about how secrecy works. Once you decide that something is so dangerous that the entire world hinges on keeping it under control, this sense of fear and dread starts to creep outwards. The worry about what must be controlled becomes insatiable and pretty soon the mundane is included with the existential.
The essay continues with a story of a scientist who received a security violation for leaving an orange on his desk.
Two points here. One, this is a classic problem with any detection system. When it’s hard to build a system that detects the thing you’re looking for, you change the problem to detect something easier—and hope the overlap is enough to make the system work. Think about airport security. It’s too hard to detect actual terrorists with terrorist weapons, so instead they detect pointy objects. Internet filtering systems work the same way, too. (Remember when URL filters blocked the word “sex,” and the Middlesex Public Library found that it couldn’t get to its municipal webpages?)
Two, the Los Alamos system only works because false negatives are much, much worse than false positives. It really is worth classifying an abstract shape and annoying an officeful of scientists and others to protect the nuclear secrets. Airport security fails because the false-positive/false-negative cost ratio is different.
Fascinating story:
“Come on,” Jillette said. “Steal something from me.”
Again, Robbins begged off, but he offered to do a trick instead. He instructed Jillette to place a ring that he was wearing on a piece of paper and trace its outline with a pen. By now, a small crowd had gathered. Jillette removed his ring, put it down on the paper, unclipped a pen from his shirt, and leaned forward, preparing to draw. After a moment, he froze and looked up. His face was pale.
“Fuck. You,” he said, and slumped into a chair.
Robbins held up a thin, cylindrical object: the cartridge from Jillette’s pen.
Really—read the whole thing.
EDITED TO ADD (1/6): A video accompanying the article. There’s much more on YouTube.
After the Instagram debacle, where it changed its terms of service to give itself greater rights over user photos and reversed itself after a user backlash, it’s worth thinking about the security threat stemming from terms of service in general.
As cloud computing becomes the norm, as Internet security becomes more feudal, these terms of service agreements define what our service providers can do, both with the data we post and with the information they gather about how we use their service. The agreements are very one-sided—most of the time, we’re not even paying customers of these providers—and can change without warning. And, of course, none of us ever read them.
Here’s one example. Prezi is a really cool presentation system. While you can run presentations locally, it’s basically cloud-based. Earlier this year, I was at a CISO Summit in Prague, and one of the roundtable discussions centered around services like Prezi. CISOs were worried that sensitive company information was leaking out of the company and being stored insecurely in the cloud. My guess is that they would have been much more worried if they read Prezi’s terms of use:
With respect to Public User Content, you hereby do and shall grant to Prezi (and its successors, assigns, and third party service providers) a worldwide, non-exclusive, perpetual, irrevocable, royalty-free, fully paid, sublicensable, and transferable license to use, reproduce, modify, create derivative works from, distribute, publicly display, publicly perform, and otherwise exploit the content on and in connection with the manufacture, sale, promotion, marketing and distribution of products sold on, or in association with, the Service, or for purposes of providing you with the Service and promoting the same, in any medium and by any means currently existing or yet to be devised.
With respect to Private User Content, you hereby do and shall grant to Prezi (and its successors, assigns, and third party service providers) a worldwide, non-exclusive, perpetual, irrevocable, royalty-free, fully paid, sublicensable, and transferable license to use, reproduce, modify, create derivative works from, distribute, publicly display, publicly perform, and otherwise exploit the content solely for purposes of providing you with the Service.
Those paragraphs sure sound like Prezi can do anything it wants, including start a competing business, with any presentation I post to its site. (Note that Prezi’s human readable—but not legally correct—terms of use document makes no mention of this.) Yes, I know Prezi doesn’t currently intend to do that, but things change, companies fail, assets get bought, and what matters in the end is what the agreement says.
I don’t mean to pick on Prezi; it’s just an example. How many other of these Trojan horses are hiding in commonly used cloud provider agreements: both from providers that companies decide to use as a matter of policy, and providers that company employees use in violation of policy, for reasons of convenience?
Good article.