Tuesday, November 18, 2003

Reducing your exposure running DVArchive on linux

I recently got a ReplayTV 5040 for a steal on closeout at buy.com and just love it. One of the most attractive features is how it is network-aware by default and that the community has created some great free software for integrating with it. I have been using DVArchive to expand the capacity for recording without having to violate my ReplayTV warranty by hacking the hardware. DVArchive enables your PC to act as a software-based ReplayTV unit for replay, archival, vending photos, as well as playing recorded mpegs remotely on your PC.

However, I was horrified at the suggestion in the DVArchive FAQ that on UNIX "you must launch DVArchive as root" if you want to enable the functionality that allows serving shows back to your ReplayTV, or to other DVArchive programs running on your network. The real reason for this is that DVArchive (due to inflexible ReplayTV design) must bind to port 80 for ReplayTV units to access the HTTP server there that vends out the mpeg files. And to do this, you normally have to be root.

Well, you could just use sudo or worse, log in as root and run DVArchive as root. But, being a security person, this was not a pleasing thought.

So, I came up with a better way that runs DVArchive as an unprivileged user on the system. I do this by using port forwarding to forward connections to port 80 up to an alternate, unprivileged high port.

Fortunately, DVArchive allows you to specify a different TCP port to listen to instead of port 80. Now, it will bark at you that what you are doing is probably going to prevent ReplayTV units from accessing files on your DVArchive server but you can safely ignore these because you've got port forwarding up your sleeve.

1) Set that port to some open high TCP port under File -> DVArchive Properties... -> Server by changing the "Server Port" setting. I used 13198 in this example and in the attached startup script.

2) Install the attached startup script (see the Extended Entry text for the full script) as root to /etc/rc.d/init.d/dvarchiveforward

3) Edit dvarchiveforward and change MYIP to point to your IP address of your DVArchive server and change the IPTABLES binary location, if necessary.

4) On a RedHat 7.x - 9 system (or any other that has chkconfig) you can active this script at boot time by running (still as root):
/sbin/chkconfig --add dvarchiveforward

5) You can then check to make sure that this script was activated by running:
/sbin/chkconfig --list dvarchiveforward
You should see output like:

dvarchiveforward 0:off 1:off 2:on 3:on 4:on 5:on 6:off

6) Now, start this script so you don't have to wait for a reboot for it to work:

/sbin/service dvarchiveforward start

7) Check to see that the port forwarding entries were inserted correctly

/sbin/iptables -t nat -L

target prot opt source destination
DNAT tcp -- anywhere yourhostname tcp dpt:http to:

target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere yourhostname tcp dpt:http to:

8) Now, you can try accessing archived shows on your DVArchive server from your ReplayTV. All should work just fine.

Here is the /etc/rc.d/init.d/dvarchiveforward script:

# dvarchiveforward -- script to enable port forwarding so that I can run DVArchive as
# a non-privileged user. Why doesn't firestarter let you do this kind of portfw
# chkconfig: 2345 06 95
# description: DVArchive port forward script by Jason Axley
export IPTABLES=/sbin/iptables
export MYIP=
export MYPORT=13198
case "$1" in
# This forwards local port 13198 to port 80 so that we don't have to run
# DVArchive as root to bind to port 80!
# doing this below doesn't work for connecting to localhost. Use the other entries instead
#$IPTABLES -t nat -A OUTPUT -d $MYIP -p tcp --dport 80 -j REDIRECT --to-ports $MYPORT
#$IPTABLES -t nat -A PREROUTING -d $MYIP -p tcp --dport 80 -j REDIRECT --to-port
$IPTABLES -A PREROUTING -t nat -p tcp -d $MYIP --dport 80 -j DNAT --to $MYIP:$MYPORT
$IPTABLES -A OUTPUT -t nat -p tcp -d $MYIP --dport 80 -j DNAT --to $MYIP:$MYPORT
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$0 stop;
$0 start;
echo "Usage: $0 {start | stop | reload}"
exit 1

Saturday, August 30, 2003

Sony Style Warning needs a Warning?

Within the past month or so, I received a warning from Sony about fraudulent e-mails claiming to be from Sony but that actually were not. The deceptive e-mails were designed to lure Sony customers into divulging personal information at a fake Sony site. It "falsely indicates that it is from SonyStyle.com" and "includes a link to a bogus SonyStyle.com registration site"

So, I was shocked to notice that the e-mail from Sony that was supposedly warning about deceptive e-mails and URLs was itself guilty of using apparently deceptive or "fraudulent" URLs!

Within the text, it contained a couple of URLs that, in the HTML version of the e-mail, deceptively show up as www.sonystyle.com, but in fact pointed to some other site at m0.net. Here is one of the deceptive URLs from Sony:


Not to mention that the From address of the e-mail was also from the same site: [email protected]

Should you trust the warning e-mail? Sure. The contents are benign enough. Just think twice about clicking those links or replying to the e-mail! Sony is surely using a company to send out the mass e-mailings and to track the "click-through" responses, but that seems like a pretty poor choice in this context!

Friday, August 29, 2003

Fox not "Fair & Balanced" in First Amendment treatment

This is such a great line.

In Courtroom, Laughter at Fox and a Victory for Al Franken

Judge Chin said the case was an easy one, and chided Fox for bringing its complaint to court. The judge said, "Of course, it is ironic that a media company that should be fighting for the First Amendment is trying to undermine it."

You can buy the book here:

Saturday, August 23, 2003

SPAM filter comparisons

SPAM is a truly egregious problem. This article does some analysis of popular spam filtering software. It is no surprise to me that signature-based programs tend to have slightly higher false positive rates and that Bayesian filters work best when trained properly, and have low or zero false positive rates.

I use bogofilter and have a corpus of thousands of spam messages that I have received, going back 6 or more years. It works great. I don't have to keep checking my spam bucket for false positives all the time and occasionally have to retrain if I get a false negative but online life is much better than before bogofilter. I was constantly having to scan through the spam bucket to pick out false positives.

freshmeat.net: Category Reviews - Spam Filters

Monday, August 18, 2003

OpenLDAP/OpenSSL stupidity

Sorry for not keeping up. Been enjoying the summer too much!

Anyhow, I thought that my experience in trying to get openLDAP 2.0.x working with TLS would be of interest to someone because the solution was so orthogonal it is unbelievable.

I have working OpenLDAP servers with TLS on two other machines so was baffled when I tried /etc/rc.d/init.d/ldap start and got [FAILED] with a very similar configuration to the others. Permissions on the TLS files are very finicky so I tried tweaking those--but nothing was working. I tried strace on the slapd binary but that did not offer any clues. I was able to get it to work by running slapd in debug mode on the command line, but in that mode it was ignoring the -u ldap so was running as root. So that told me there was some sort of permissions problem. But where?

Setting up syslog for openldap (not on by default, unfortunately) indicated these errors in the syslog logfile:

Aug 18 22:07:21 funhouse slapd[29220]: daemon: socket() failed errno=97 (Address family not supported by protocol)
Aug 18 22:07:21 funhouse slapd[29220]: daemon: socket() failed errno=97 (Address family not supported by protocol)
Aug 18 22:07:21 funhouse slapd[29220]: main: TLS init def ctx failed: 0
Aug 18 22:07:21 funhouse slapd[29220]: slapd stopped.
Aug 18 22:07:21 funhouse slapd[29220]: connections_destroy: nothing to destroy.

Hmmm. Not too helpful. I googled on these messages and didn't find a thing that helped. I tried all kinds of permissions tweaking to no avail.
Adding SLAPD_OPTIONS="-d 6" to /etc/sysconfig/ldap offered up these gems of wisdom:

TLS: could not load verify locations (file:`/etc/openldap/ssl/cert/cacert.pem',dir:`').
TLS: error:0200100D:system library:fopen:Permission denied bss_file.c:104
TLS: error:2006D002:BIO routines:BIO_new_file:system lib bss_file.c:106
TLS: error:0E064002:configuration file routines:CONF_load:system lib conf_lib.c:91
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:662
TLS: error:0B084009:x509 certificate routines:X509_load_cert_crl_file:missing asn1 eos by_file.c:284
main: TLS init def ctx failed: 0
slapd shutdown: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.

WTF? So it looks like some permissions problem with /etc/openldap/ssl/cert/cacert.pem. But that file is world-readable. Does openLDAP think that it needs write perms to that file? Okay--wish granted. Nothing.
What finally turned me onto the final solution was the last line "X509_load_cert_crl_file..." The OpenSSL library is trying to find a CRL file. Why would it be having trouble (I don't have a CRL for my CA)? Poking around /usr/share/ssl I noticed that openssl.cnf is not world-readable. Well, I knew that. But most things that need it start as root and then drop privs and it hasn't been a problem. Let's just for the heck of it chmod 644 the file and try again.

# /etc/rc.d/init.d/ldap start
Starting slapd: [ OK ]

You have got to be kidding me?!?! openssl.cnf must be readable by the ldap user! None of the log messages indicated this. You would think that there would be an fopen() call that would fail in trying to open this file... Well, there is. Looking at the strace output I find:

open("/usr/share/ssl/openssl.cnf", O_RDONLY) = -1 EACCES (Permission denied)
getpid() = 11271
getpid() = 11271
getpid() = 11271
getpid() = 11271
open("/etc/openldap/ssl/cert/cacert.pem", O_RDONLY) = 7
fstat64(7, {st_mode=S_IFREG|0644, st_size=3607, ...}) = 0
read(7, "Certificate:\n Data:\n V"..., 4096) = 3607

The fact that openLDAP kept trucking along after failing to open what appears for it to be a critical file diverted attention away from the real reason it would not start!

Friday, June 20, 2003

Best Buy Hoax notification

Here is an excerpt from an e-mail I got today. If you ever get e-mail purportedly from a company that asks for you to divulge personal information, there is a high likelihood that it is one of the many social engineering attacks running around. Popular ones try to snag AOL and eBay/Pay Pal users. Be wary of what e-mails and Internet sites you trust your personal information to!!


Late Wednesday afternoon, June 18, 2003, Best Buy became aware of an unauthorized and deceptive e-mail to consumers titled "Fraud Alert." That e-mail message, which requested personal information (i.e., social security and credit card numbers), claimed to come from the BestBuy.com Fraud Department. That message was NOT from Best Buy or any of our affiliates.

Best Buy is working with the appropriate law enforcement authorities to quickly resolve the situation. We are working to shut down sites affiliated with that unauthorized e-mail and Best Buy will work with law enforcement authorities to prosecute any perpetrators involved in this illegal act to the fullest extent of the law. If you replied to the fraudulent
e-mail in any way, contact your bank and/or credit card companies immediately.

No Best Buy systems have been compromised, and our online business is secure. The privacy of your personal information is of the utmost importance to Best Buy and any information you provide to us is handled according to our Privacy Policy.

Wednesday, June 18, 2003

Wal-Mart poised to dominate online DVD rental space

This does not look good for Netflix, which is too bad. They have been a great service.

Excite News

After a seven-month trial, Wal-Mart Stores Inc. has begun full-scale operations in its online DVD rental business, hoping to catch up with market leader Netflix Inc. (NFLX)

Customers order the movies online. Wal-Mart sends them from six distribution points, reaching 90 percent of the nation within two days, the company says.

Saturday, June 7, 2003

DOJ Inspector General Criticizes DOJ for Treatment of Immigrant Detainees

Courtesy of EPIC Alert 10.10. http://www.epic.org

[3] Inspector General Criticizes DOJ on September 11 Detainees

The Inspector General of the Department of Justice has released a
198-page report examining the treatment of people who were held on
immigration charges in connection with the investigation of the
September 11, 2001 terrorist attacks. The report details how the
Justice Department used federal immigration laws to detain 762
persons, mostly of Arab or South Asian origin, who were suspected of
having ties to the attacks or connections to terrorism, or who were
simply encountered during the course of the FBI's inquiry into the
attacks. The report highlights serious problems with the round-up and
treatment of the 762 detainees, including arbitrary detentions,
prolonged detentions, restrictive detention conditions, and in some
instances physical and verbal abuse. The Office of Inspector General
is an independent internal investigation unit within the Justice

The report, instigated by media reports and reports from human rights
organizations, paints a picture of chaos immediately following the
attacks, followed by a long period of negligence that left detainees
in administrative limbo. Only after details of the abusive treatment
emerged in the press did the Department begin to process the detainees
more quickly in January 2002. DOJ has not apologized for its actions,
but instead has taken the position that the crisis atmosphere
immediately after September 11, and the fact that all the persons
detained were in technical violation of immigration laws, makes it
"unfair to criticize the conduct" of Department officials. The
Department spokesperson said that, "We make no apologies for finding
every legal way possible to protect the American public from further
terrorist attacks." EPIC and a coalition of public interest groups is
litigating under the Freedom of Information Act to require disclosure
of the names of the detainees; the case is now pending before the D.C.
Circuit Court of Appeals.

According to the report, the Justice Department instituted a "no bond"
policy for all detainees connected to the terrorism probe after the
attacks -- even though immigration officials quickly questioned the
policy's legality. Without bail, terrorism suspects remained in jail
for an average of nearly three months, much longer than the FBI
projected before it cleared most of them for release, the report said.
In addition, detainees faced monumental difficulties and weeks of
delay before they were allowed to make phone calls and find lawyers.
Some were kept for months in cells illuminated 24 hours a day and were
escorted in handcuffs, leg irons and waist chains. Most of the
detainees were eventually found to have no connection to the terrorist

The September 11 Detainees Report, Office of Inspector General:


CNSS/EPIC v. Department of Justice (detainee FOIA case):


Tuesday, June 3, 2003

Anonymity Bibliography

If you are interested in research into the field of anonymity, check this site out.

The "goal is to set up something we can point at for people new to the field [anonymity] (and most of us are still new to the field, it seems), so they know which papers to look at to get up to speed. The ones I particularly recommend have boxes around them."

Anonymity Bibliography

Monday, June 2, 2003

Out for Dinner MATHEMATICS

This is very interesting. Supposedly only works in 2003. Anyone have the mathematical basis for this? I have a whole book with cool calculator games somewhere...




It takes less than a minute.......

Work this out as you read.

Be sure you don't read the bottom until you've worked it out!

This is not one of those waste of time things, it's fun.

1. First of all, pick the number of times a week that you would like to
have dinner out. (try for more than once but less than 10)

2. Multiply this number by 2 (Just to be bold)

3. Add 5. (for Sunday)

4. Multiply it by 50 - I'll wait while you get the

5. If you have already had your birthday this year add 1753.... If you
haven't, add 1752..........

6.. Now subtract the four digit year that you were born.

You should have a three digit number .

The first digit of this was your original number

(I.e., how many times you want to have eat out each week.)

The next two numbers are...

YOUR AGE! (Oh YES, it IS!!!!!)


CERT needs to plug leak

  1. Confidential bug report gets sent to CERT.
  2. CERT sends it out to their advanced ISA (Internet Security Alliance: pay for early warning) group (Jericho calls "a vulnerability cartel)
  3. The bug report is leaked out to the public, perhaps by an ISA member who was either compromised (if so, they would need more than CERT to help them...) or purposefully leaked it out

Jericho's comments on the ISN list were classic, especially:

"> CERT representatives declined to say when the organization planned
> to release official versions of the leaked advisories.

Even with leaked draft copies, CERT still can't release anything
ontime. Go figure."

Wired News: Leaked Bug Alerts Cause a Stir

Danger and absurdity of the TSA No-Fly list

John Gilmore points out how to have fun with bomb scanners by using hand lotion with Glycerine, or at least points out how easily such expensive equipment can be rendered useless. If equipment has any significant number of false-positives, be sure that it, or procedures, will tune out any hope of finding a real needle in the haystack.

Also, if you notice an "S" on your boarding pass, prepare for extra scrutiny at the airport. The TSA believes, based on often erroneous matching, that you are a member of its "Selectee" list of people who need additional security measures.

Be sure to check out EPIC's site, "Documents Show Errors in TSA's "No-Fly" Watchlist"

-----Original Message-----
From: John Gilmore [mailto:[email protected]]
Sent: Sunday, May 18, 2003 3:25 PM
To: Jason C Axley Exchange
Subject: Re: The War on David Nelson

> > ... people who want to see if their name is on either list or who
> > want to make a complaint, can call the agency's contact center at
> > 866-289-9673 or send an e-mail to [email protected].
> Since this inquiry will no doubt result in a listing where none
> existed, I would suggest that everyone reading this make an inquiry -
> *especially* those of us with very common names. Let the system break
> it's own weight.

If you want to break the system under its own weight, I also suggest
using lots of "Kiss My Face" honey scented hand cream. Someone
recently told me setting off the nitrogylcerin censors (oops, I mean
sensors) at that spot where they wipe down your bag with little pads
and then put them through a quick chemical analysis. When she set it
off, they went down a checklist of "Did you do X recently?" until they
got to "Did you put on hand cream recently?" They let her through, of
course; you probably can't blow up an airplane with hand cream. The
problem was with their sensorship, not with her.

If even 1% of travelers refused to show an ID, the system would also
break down under its own weight. Do your part. There is no law or
regulation that requires you to show ID. You are all being sheep for
violating your own privacy, for no reason, when ordered by people who
have no authority. Demand that they show you such a law, and refuse
to show ID until they identify one. As you go up the chain of
command, you will find that you have the option to be searched rather
than show an ID. In regimes where the laws are secret, the only way
to find out what the law is, is to not follow orders.


PS: I doubt that sending a complaint to TSA results in them adding you
to the no-fly list. It's random and arbitrary, but not THAT random
and arbitrary. If you want to see the complaints of some of the
ordinary people who TSA mousetraps every single time they enter an
airport, (not just the David Nelsons), check EPIC's FOIA results. The
dozens of complaints forwarded via Congresspeople are well worth


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to
[email protected]

Is the price right for your freedom?

How do you measure a cost-benefit for the new security measures or of your liberty? It is hard to even come up with a causal link from the "increased" security measures (ask me about the absurd experience I had in LAX...) to increased safety, let alone quantifying such a benefit.

There is also a discussion at http://www.plastic.com/article.html;sid=03/03/12/06265215;cmt=42

NYTimes.com Abstract

In an unusual twist on cost-benefit analysis, an economic tool that conservatives have often used to attack environmental regulation, top advisers to President Bush want to weigh the benefits of tighter domestic security against the ''costs'' of lost privacy and freedom.

Secure programming in UNIX HOWTO

David Wheeler has put together a set of design and implementation guidelines for programming securely in several languages. The document is actually in a ton of different formats, even ones suitable for Wireless devices. So, take yours with you and learn it well!

Secure Programming for Linux and Unix HOWTO

There is also a set of overview slides that are definitely worth a look.

ACLU DMCA case against N2H2 is a loss for freedom

This is a very disturbing development and more reason why the DMCA has a chilling effect on speech and freedom to do legitimate research.


N2H2 Inc. can use the Digital Millennium Copyright Act (DMCA) to stop a researcher from attempting to reverse engineer its Web filtering product, a judge ruled last week.

Harvard Law student Benjamin Edelman says he wants to crack the filtering tools to test them. Edelman planned to hack into N2H2�s cryptography-protected list of filter parameters, but, fearing prosecution, sought court protection. Edelman and the ACLU believe filters, used at libraries and schools, limit free speech.

In a written decision, U.S. District Judge Richard Stearns found "no plausibly protected constitutional interest� that would overcome �N2H2's right to protect its copyrighted property from invasive and destructive trespass."

N2H2 didn�t respond to requests for comment. Edelman says no decision has been made on appealing, but adds that N2H2�s public list of filtered sites isn�t enough for rigorous testing.

�Suppose you wanted to know which .gov sites are classified as pornography. Or to see what sites N2H2 calls pornography this week, that last week were not,� he says. �N2H2's online database site would not allow any of these kinds of research, but you can see why it would be important.�"

Bid to Expose Porn Filters Loses



"U.S. gov't blindly trusts the antivirus industry"

I love the quote below and the 15 claims about how shady the Antivirus industry is are great, especially #7, "expect applause when you release hundreds of security patches for your product each year;"

Vmyths.com- Truth About Computer Virus Myths & Hoaxes

"The Pentagon should not protect a weapon system with software written by people they'd never trust. Yet they do."

Low-bandwidth application DoS attacks

Interesting work and something that I can't seem to get many people to pay attention to. Not all DoS attacks are bandwidth exhaustion attacks. DoS attacks can be thought of generically as resource exhaustion or suppression attacks. This does not necessarily require using a large amount of bandwidth.

The traditional thoughts on DoS attacks cause people to believe that normal modes of monitoring systems will catch DoS attacks early just because it would be hard to not notice such brazen resource consumption. However, low-flying attacks could possibly cause DoS attacks that are more difficult to detect without finer-grained application-level monitoring than is often employed.

This work documents attacks on the complexity of applications themselves to cause DoS.

Denial of Service via Algorithmic Complexity Attacks

We present a new class of low-bandwidth denial of service attacks that exploit algorithmic deficiencies in many common applications' data structures. Frequently used data structures have ``average-case'' expected running time that's far more efficient than the worst case. For example, both binary trees and hash tables can degenerate to linked lists with carefully chosen input. We show how an attacker can effectively compute such input, and we demonstrate attacks against the hash table implementations in two versions of Perl, the Squid web proxy, and the Bro intrusion detection system. Using bandwidth less than a typical dialup modem, we can bring a dedicated Bro server to its knees; after six minutes of carefully chosen packets, our Bro server was dropping as much as 71% of its traffic and consuming all of its CPU. We show how modern universal hashing techniques can yield performance comparable to commonplace hash functions while being provably secure against these attacks.

Hussein can hide WMD but not his money

William Raspberry from the Washington post asks a great question:

"Why would Hussein, facing annihilation, take the bother to hide his chemical and biological weapons so carefully that we still haven't found them, while leaving his millions of American dollars right where we could find them?"

If WMD are there for defense purposes, they have to be readily-available to provide a benefit to the holder. Accounts indicate thousands of tons of WMD and production capabilities should be all over the place but -- nothing. However, we find his stash of cash fairly easily.


MCI to build new GSM network in Iraq

MCI gets $500 million to build a new GSM network in Iraq. There are a couple of interesting aspects to this:

a. The sensible GSM network was chosen amid staunch lobbying by Qualcomm junkies to build an "American" CDMA network. Hooray!

b. MCI is not a wireless telephone company. Why are they getting to build a wireless network from scratch instead of other wireless carriers? They were actually a reseller of AT&T Wireless before their accounting scandals.

The Register: MCI wins Iraq gig, shovels $500m to shareholders

"Politicians lie, new study shows"

Well, we definitely agree on the point, �Politicians need to be more honest about lying� Perhaps they should go for more of the honest and less on the lying at the same time.

Politicians lie, new study shows

IN A STUDY described in Britain�s Observer newspaper, Glen Newey, a political scientist at Britain�s University of Strathclyde, concluded that lying is an important part of politics in the modern democracy.

Friday, May 30, 2003

Juxtaposition rockets to top of Google results

Juxtaposition has rocketed to the top of the Google search results for the word 'juxtaposition'! Strange, given that Juxtaposition is nary a few months old.

Sadly, a link search (for link:juxtaposition.axley.net) returns no hits though.


Interpreting 'Access' and 'Authorization' in Computer Misuse Statutes

The paper is 81 pages long but based on the abstract, it appears like important work. I hope that this will be taken to heart by policy shapers.

Cybercrime's Scope: Interpreting 'Access' and 'Authorization' in Computer Misuse Statutes

This Article presents a comprehensive inquiry into the meaning of unauthorized access statutes. It begins by explaining why legislatures enacted unauthorized access statutes, and why early beliefs that such statutes solved the problem of computer misuse have proved remarkably na�. Next, the Article explains how the courts have construed these statutes in an overly broad way that threatens to criminalize a surprising range of innocuous conduct involving computers. In the final section, the Article offers a normative proposal for interpreting "access" and "authorization." This section argues that courts should reject a contract theory of authorization, and should narrow the scope of unauthorized access statutes to circumvention of code-based restrictions on computer privileges.

Thursday, May 29, 2003

Reflections on DRM

Article on the restrictions imposed by the DRM inherent in Apple's AAC file format.

From my perspective, $1 per song is way too expensive, especially when the product you get is inferior to a track of a physical CD. A short list of the problems:

  1. It is in a lossy format. For most people this is not an issue from a quality perspective, but converting to another format is very likely to be necessary in the future and would either not be possible or would be suboptimal without the original. That is supposed to be the beauty of digital music--you can keep migrating it to the latest technology without having to pay for the "license" to listen again.
  2. It does not include liner notes or artwork. I point this out because from a value perspective, you are not getting the same deal as it is made out to be (you cannot simply divide the total CD cost by the average number of tracks to come up with the value of a single digital music file).
  3. It is encumbered by DRM. It is said that the real meaning of DRM is Digital Restriction Management. DRM-encumbered songs are surely not valued in the resale marketplace because many (these AAC files seem to be no exception) won't even let you resell them because of the platform restrictions. You can resell your CD just fine however.

None of these disadvantages appear to be reflected in the cost of much online music that I see.

I would think that the true value of a single digital, lossless-encoded, non-DRM-encumbered track to be more like $0.50/track. You do not have to pay for distribution costs or manufacturing costs or artwork costs, etc. The value of these new digital distribution models should lead to savings for the consumer, not less value for more money.

And don't get me started on how absurd paying $1-2 for monotonic ringtones is. Why don't labels give those away for free as a promotional tool, ala radio? They just don't get it.

TidBITS: Apple Changes the Face of Digital Music

e-voting interview reveals serious risks to election integrity

This scares me as a security professional. This especially scares me as a resident of Washington State.

Some gems from this interview with representatives from Sequoia systems:

Miller: "On the touch screen -- we do have the hand recounts of close races too."

Harris: "On a machine with no voter-verified paper trail?"

Miller: "Well, there's no way to do a hand recount on a DRE."


Harris: "But the positive, which can be proved, is that every election system that's ever been used in the USA has, at one time or another, been tampered with. And what we do know is that $800 million has gone toward contributions to candidates. So certainly we can predict that someone will try to tamper with a programmer. And therefore, what I'm asking, is what safeguards do we have in place to make sure that, if someone tampers with a program or a CD update --"

Miller: "I think we've gone as far as we can go."

Black Box Voting: Ballot - Tampering in the 21st Century - Interview with Paul Miller & Kathryn Ferguson (Sequoia)

Another ill-conceived set of tax refunds

1. Companies fraudulently overstate earnings
2. Companies pay tax on those fake earnings
3. Companies get caught, restate earnings
4. Companies want refunds of taxes paid on those earnings
5. Unbelievably, they get the refunds!

Firms Want Refunds Of Tax on Fake Profit (TechNews.com)

Sunday, May 25, 2003

BMW 7 series WindowsCE crash traps driver inside

A post to the IP and Risks lists is a harbinger of things to come as more and more complexity and computer-controlled systems get added to everyday devices without ensuring the same kind of quality and safety engineering. We can only hope that Ford and other car companies will not be successful in overturning laws requiring mechanical connections for safety-critical systems like steering, braking, etc.


Date: Tue, 13 May 2003 17:31:11 -0700
From: "Robert J. Berger"
Subject: MS Windows crash traps Thai politician in car (From Dave
Farber's IP)

Crashed Computer Traps Thai Politician, 14 May 2003

Thailand's Finance Minister Suchart Jaovisidha had to be rescued today
inside his expensive BMW limousine after the onboard computer crashed,
leaving the vehicle immobilized.

Once the computer failed, neither the door locks, power windows nor air
conditioning systems would function, leaving the Minister and his driver
trapped inside the rapidly heating vehicle.

Despite the pair's best efforts, it took a full ten minutes before they
able to summon the attention of a nearby guard who freed the two men by
smashing one of the vehicle's windows with a sledgehammer.

A report (http://www.bangkokpost.com/Business/13May2003_biz12.html)
published in the *Bangkok Post* indicates that the vehicle was Mr
Jaovisidha's own BMW 520 which was being used while his state-supplied
Mercedes, was being repaired.

BMW's more up-market 7-series range uses a computer system called
which has Microsoft's WindowsCE at its core.

Did Mr Jaovisidha narrowly miss being killed by the blue windscreen of

Robert J. Berger - Internet Bandwidth Development, LLC.
Voice: 408-882-4755 eFax: +1-408-490-2868

IP Archives at:

[At least 33 readers have noted this one thus far. TNX! PGN]

Making Telemarketers Cry

A great Telemarketer Suing HOWTO by attorney Mark Eckenwiler from Washington D.C.

How To Make A Telemarketer Cry (or, Suing Bozos for Fun & Profit)

"In November 2002, a telemarketer called my home in D.C. at 5:24 a.m. This is the story of how that call cost him $500."

Friday, May 23, 2003

"If You Want To Win An Election, Just Control The Voting Machines"

A couple more sites working against all-electronic voting machines:


Also, an article discussing a situation that, if true, is truly egregious:

The senator who won the election in Nebraska allegedly "was the head of, and continues to own part interest in, the company that owns the company that installed, programmed, and largely ran the voting machines that were used by most of the citizens of Nebraska."

The bigger issue, in my opinion, is not whether the senator had rigged his election but the fact that we are entirely unable to verify whether this occurred or not. With a voter verifiable and recountable audit trail, we could.

Can Microsoft Be Secure?

I sure hope so. I have high expectations for Windows 2003. We'll see how things progress.

I want to know who the companies are that were surveyed... I assure you mine wasn't one of them.

Commentary: Can Microsoft be secure? | CNET News.com

Customers worry about Microsoft's security: Seventy-seven percent of respondents to a Forrester survey cited security as their top concern about deploying Windows. Despite those concerns, 89 percent of users are still deploying sensitive applications like financial transaction systems and medical records databases on Windows.

Horrible precedent: Guantanamo detainees have no US legal recourse

[IP] Stuart Taylor's column today --"Falsely Accused 'Enemies' Deserve Due Process

Couldn't say it better myself. And regarding those lists of "known or suspected terrorists", Bruce Schneier said it best, "there is an incentive for law enforcement to put people on this list, but no incentive for them to take people off. So the harrassment continues."

"It ought to be unnecessary to say this, but even *correctly* accused
enemies of the state deserve due process -- not least because due
process is the best way of determining whether they were, in fact,
correctly accused."

Facial recognition systems "improve"

[IP] NIST rates facial recognition systems

"The three top-rated systems verified identities correctly 87 percent to 90 percent of the time with a false-alarm rate of 1 percent. When NIST specified a false-alarm rate of 0.1 percent, the success rate dropped to between 79 percent and 82 percent."

From the report itself:

"Typically, the watch list task is more difficult than the identification or verification tasks
alone. Figure 8 shows detection and identification rates for varying watch list sizes at a false alarm rate of 1%. For the best system using a watch list of 25 people, the detection and identification rate is 77%. Increasing the size watch list to 3,000 people, decreases the detection and identification rate to 56%."

This means that such systems would still result in fingering plenty of innocent people as terrorists.

A practical, statistical look at the civil rights implications of this problem, endemic to the NCIC database as well, can be found in the April 2003 Crypto-Gram

In related news, from an earlier Crypto-Gram:

"The SmartGate facial recognition trial at Sydney Airport has suffered
an embarrassing setback, when two Japanese visitors fooled the system
simply by swapping passports.

Handset security flaws on the horizon

Software quality, especially data input filtering, is critical for mobile devices; especially devices that do not typically have user-updateable software.

News: Mobile phone hacking expected to spread

United States-based security company @stake has released a security advisory detailing a Denial of Service (DoS) vulnerability in the Nokia 6210 GSM mobile phone, and although the flaw isn't serious it could be a sign of worse things to come.

DRM threat analysis shows futility in DRM mechanisms

This analysis shows how DRM solutions are ineffective because they [attempt to] address the wrong threat model.

"Many DRM advocates make the classic mistake of refusing to choose a threat model. When they complain about the problem, they seem to be using the Napsterization model -- they talk about one infringing copy propagating across the world. But when they propose solutions they seem to be solving the casual-copying problem, asking only that the technology keep the majority of customers from ripping content. So naturally the systems they are building don�t solve the problem they complain about."

Freedom To Tinker: DRM, and the First Rule of Security Analysis

Catching up...

I've been so busy with work and other things that I have amassed a large queue of articles and little nuggets over the past few months. You'll probably see some old news come through that I still wanted to share or comment on.



Insider attack nails shut Janteknology's coffin

Evidence of the damage that insider attacks can wreak. Ironically, this was a security software distributor.

It's unbelievable how often I hear things like:

"Well you have to trust your employees/administrator/etc!"
"But we're behind the firewall!"

I even noticed Microsoft's STRIDE threat model does not include the threat:

Misuse of granted privileges.

Whoops. People all too often don't look inside their own organizations at the threats all around you. Insider attackers are a difficult, and perhaps not entirely solveable problem. It is much easier for someone to attack your network when they are already on it than through your firewall over the Internet. Your firewall rejects access, but then your HR department allows it. They will even give a potential adversary a computer, cubicle, network access, badge, etc.!

You have to consider this angle in designs and in how you manage privileges and maintain audit trails.

"Security software distributor, Janteknology, has shutdown amidst dramatic circumstances, its battle to survive tough market conditions ended by industrial sabotage."

News: Security firm shuttered by sabotage

Museum of Unworkable Devices

" This museum is a celebration of fascinating devices that don't work. It houses diverse examples of the perverse genius of inventors who refused to let their thinking be intimidated by the laws of nature, remaining optimistic in the face of repeated failures."

A truly fascinating site.

The Museum of Unworkable Devices

weblogs.com RPC error fix

You may have seen this error crop up in your movabletype blog:

Ping 'http://rpc.weblogs.com/RPC2' failed: HTTP error: 500 read timeout

I found plenty of sites through google where people were asking about this but nobody offered a solution that I saw. Well, I found a solution that was posted on the MT support forum just an hour or so ago:

movabletype.org : Support Forum

below is a unified diff so that you can patch your site. The patch seems to work most of the time, although I have had at least one of the same errors crop up. That could have been due to something else though.

--- XMLRPC.pm Tue Feb 11 16:15:03 2003
+++ lib/MT/XMLRPC.pm Fri May 23 16:29:04 2003
@@ -68,8 +68,12 @@
"HTTP error: [_1]", $res->status_line ));
my $content = $res->content;
- my($error, $msg) = $content =~
- m!flerror.*?(\d+).*message.*?(.+?)!s;
+# quick fix to weblogs.com RPC error in activity log. See blog entry for details.
+# my($error, $msg) = $content =~
+# m!flerror.*?(\d+).*message.*?(.+?)!s;
+ my($error) = $content =~ m!flerror.*?(d+)!s;
+ my($msg) = $content =~ m!message.*?(.+?)!s;
if ($error) {
return $class->error(MT->translate(
"Ping error: [_1]", $msg ));

Creationist debunking at your fingertips

An Index to Creationist Claims

An online Index to Creationist Claims that debunks many of them, with references.

ACM Testimony to Congress against DMCA's chilling effect

USACM co-chair Barbara Simons spoke out against sections of the DMCA during recent Congressional review of the DMCA's anti-circumvention provisions.

ACM MemberNet

You can also read the transcript of Simons' testimony

"During a time when our nation is devoting unprecedented resources to homeland security, we should be eliminating laws such as the DMCA that encourage insecurity,"

Voter Confidence and Increased Accessibility Act

Voter Verification Newsletter -- Vol 1, Number 3

"Federal Legislation Introduced!

Rep. Rush Holt of New Jersey has introduced a bill requiring a voter-verifiable paper trail.


The Voter Confidence and Increased Accessibility Act of 2003.

"We cannot afford nor can we permit another major assault on the integrity of the American electoral process," said Rep. Rush Holt. "Imagine it's Election Day 2004. You enter your local polling place and go to cast your vote on a brand new 'touch screen' voting machine. The screen says your vote has been counted. As you exit the voting booth, however, you begin to wonder. How do I know if the machine actually recorded my vote? The fact is, you don't."

Folks, this is what we've been waiting for! Please contact your U.S. Representative ASAP and ask them to support this bill and consider co-sponsoring it.

Let everyone know about this pending legislation."

Thursday, May 22, 2003

'E-mail-wrap' license

Like 'click-through' or 'clickwrap' licenses before, Lawrence Lessig publishes what may be described as an 'e-mail through' or 'e-mail wrap' license:

welcome spammers

Illogical rantings on "under God" issue

I couldn't pass this one up.

Miami News-Record - Gerald Stone Column

" At a time when we need God and religion in our lives more than ever, the U.S. Supreme Court is poised to strike down the words �under God� from the Pledge of Allegiance."

I'll add some clarification to this statement:

"we" = you and those who believe as you do
"our lives" = the lives of you and those who believe as you do.

It was a bit unclear. It sounded like you are representing non-Judeo-Christians.

And more God in your life requires "under God" in the national pledge of allegiance? Does not follow...

"This poor excuse for a human must have been off his medication for a long time."

I can hardly begin to respond to this fallaciousness. Now I really know that you never read the court decision text.

"the Supreme Court will probably hear the case sometime this year and you can expect �under God� to be taken out of the pledge.

The Bush administration, in its petition to the high court, argues that the Pledge is not like a prayer or invocation. They're the only ones making sense. But, the atheist-inclined liberals will probably get their way."

So, anyone who agrees with the court's decision, for whatever reason, is painted as "atheist-inclined" and a "liberal". That is such an enlightened viewpoint.

And why is it that many Republicans want the government to be involved in actively furthering a particular faith but in most other aspects of life (e.g. gun control) they want to be left alone?

Logic error in Texas DPS record destruction "rationale"

Talking Points Memo: by Joshua Micah Marshall

"The DPS [Department of Public Safety] appears to have violated Texas state law by destroying the records. To justify this, they point to a federal regulation which a legal expert says is plainly inapplicable. And the very regulation they're trying to hang their hat on seems to bar the original conduct itself."

This whole story is unbelievable. I'm still waiting for what assistance they requested and perhaps received from the department of Homeland Security... There is a possible criminal investigation ensuing.

Taxed logic...

Warren Buffet writes:

Dividend Voodoo (washingtonpost.com)

Putting $1,000 in the pockets of 310,000 families with urgent needs is going to provide far more stimulus to the economy than putting the same $310 million in my pockets.

When you listen to tax-cut rhetoric, remember that giving one class of taxpayer a "break" requires -- now or down the line -- that an equivalent burden be imposed on other parties. In other words, if I get a break, someone else pays. Government can't deliver a free lunch to the country as a whole. It can, however, determine who pays for lunch. And last week the Senate handed the bill to the wrong party.

Supporters of making dividends tax-free like to paint critics as promoters of class warfare. The fact is, however, that their proposal promotes class welfare. For my class.

Questions of Mass Distruction

"Look, if there are no WMDs in Iraq, it means either our government lied us to us in order to get us into an unnecessary war, or the government itself was disastrously misinformed by an incompetent intelligence apparatus. In either case, it's a terribly serious situation."

TOMPAINE.com - Questions Of Mass Destruction

Monday, May 19, 2003

RHP livejournal web board

Check out a new place to discuss the Red House Painters and get news.

a red house painters & mark kozelek community's Journal


Here is a 176-page PDF paper on the fallacy of polygraph exams (a.k.a. "lie" detectors). I have not read up on this subject in some time but this looks to be a good read.

Lie Behind the Lie Detector

Stupid Security

Found out about this great site through this month's Crypto-Gram newsletter. It posts articles on -- you guessed it -- all the stupid security measures people come across.

Stupid Security: Exposing Fake Security Since 2003

Tuesday, May 6, 2003

e-voting systems assailed

A great article with some perfect quotes from leading advocates and experts for voter verifiable audit trails. Also, there are some documented cases of voting machine errors in the article.

New Voting Systems Assailed

New Voting Systems Assailed
Computer Experts Cite Fraud Potential

By Dan Keating
Washington Post Staff Writer
Friday, March 28, 2003; Page A12

As election officials rush to spend billions to update the country's
voting machines with electronic systems, computer scientists are
mounting a challenge to the new devices, saying they are less reliable
and less secure from fraud than the equipment they are replacing.


"These systems, because of the level of testing they go through, are
the most reliable systems available," said Michael Barnes, who oversaw
Georgia's statewide upgrade. "People were happy with how they


But the scientists' campaign, which began in California's Silicon
Valley in January, has gathered signatures from more than 300 experts,
and the pressure has induced the industry to begin changing course.


Critics of such systems say that they are vulnerable to tampering, to
human error and to computer malfunctions -- and that they lack the
most obvious protection, a separate, paper receipt that a voter can
confirm after voting and that can be recounted if problems are

Officials who have worked with touch-screen systems say these concerns
are unfounded and, in certain cases, somewhat paranoid.

David Dill, the Stanford University professor of computer science who
launched the petition drive, said, "What people have learned
repeatedly, the hard way, is that the prudent practice -- if you want
to escape with your data intact -- is what other people would perceive
as paranoia."

Other computer scientists, including Rebecca Mercuri of Bryn Mawr
College, say that problems are so likely that they are virtually
guaranteed to occur -- and already have.


"If the only way you know that it's working incorrectly is when
there's four votes instead of 1,200 votes, then how do you know that
if it's 1,100 votes instead of 1,200 votes? You'll never know," said

Because humans are imperfect and computers are complicated, said Ben
Bederson, a professor of computer science at the University of
Maryland, mistakes will always be made. With no backup to test, the
scientists say, mistakes will go undetected.

"I'm not concerned about elections that are a mess," Dill said. "I'm
concerned about elections that appear to go smoothly, and no one knows
that it was all messed up inside the machine."

"We're not paranoid," said Mercuri. "They're avoiding computational
realities. That's the computer science part of it. We can't avoid it
any more than physical scientists can avoid gravity."

Seattle-area volleyball site

Scott Marlow maintains a very cool site on Seattle-area Volleyball programs, gyms, groups. http://www.seanet.com/~swmarlow/volleyball.html

Saturday, March 22, 2003

Juxtaposition mobile edition!

I just found out some very simple instructions and a sample template to make a parallel WML version of this site for viewing on my mobile phone (I do work for a wireless phone company, after all). Check out the result: Juxtaposition mobile edition

I started by finding this WAP & WML thread at movabletype.org

This discussion pointed me to two solutions for two different problems:

  1. Nicely Toasted Mobile, which generates wml versions on-the-fly for WAP-based mobile devices
  2. Mark Pilgrim's solution which was designed for more intelligent mobile form factors, like the palm. This is how you can create Avant-Go compatible content for offline browsing with tools like Plucker.

I chose the first option as this is the one that I really find lacking right now--the ability to view my own site from my Ericsson t68i. I can view the regular site just fine (with the exception of the style sheet, because Pocket IE does not support CSS...) in my Siemens SX56. But cannot even coax the Ericsson to view the RDF version.

I made just a couple of tweaks to the Nicely Toasted template to customize the content and make it generic enough to be used for any other blog, including: making the Home URL relative, changing the blog name using the tag <MTBlogName>

I think that the next step will be to further customize the template to include hyperlinks to the rest of the story content.

Friday, March 21, 2003

Users tricked into believing a Nokia upgrade hoax

"Nokia 7650 upgrade - hoax

An internet hoax is traveling round the internet that purports to be a
press release from Nokia offering an upgrade for owners of the Nokia
7650 handset to support a series of new features.

The press release says that "Nokia today announced after months of
speculation and rumours that it will be re-releasing it's flagship
Symbian OS phone, the 7650, with the long awaited increased memory

The new 7650 will remain branded as 7650 but will have the added feature
of an MMC expansion bay and support for Bluetooth Audio."

There is a web site address for the press release, that at first look,
does look like a Nokia web site address - but the @ symbol in the middle
of the URL actually causes browsers to ignore everything before it, and
the remainder of the address is a web page on a totally different
server. "

One of the URLs looks like this, so you can see how someone could be easily tricked into believing it as legitimate:


The page no longer works, but you need to be very diligent online and can't trust everything you read. Someone could easily hide this URL in some inocuous text so you would not easily notice the underhandedness: Nokia fake press release

Read more about these same techniques that spammers often use to trick you at Stupid Spam Tricks.

Black-box testing your brain

New Scientist

"The world's first brain prosthesis - an artificial hippocampus - is about to be tested in California."

This is the result of black-box testing the hippocampus--the part of your brain that encodes "experiences so they can be stored as long-term memories". It has proven to be elusive to its exact workings, but by treating it as a black-box and mimicking its response to inputs, scientists were able to devise a mathematical model that they could program onto a chip which could replace a malfunctioning hippocampus.

Some of the ethical issues are discussed in the article as well.

Space Elevators: fact or fiction?

A slashdot article about a book (see below) researching whether the sci-fi Space Elevator could be practically manufactured is out:

This is some of the fruits of ongoing NASA-sponsored research.

What is a Space Elevator, you ask? A superstrong elevator "shaft" stretching from earth and anchored to a geosynchronous satellite in outer space that an elevator would ride upon to carry payloads outside of our atmosphere.

"carbon nanotube fibers are both strong and light enough that a 100,000 km elevator, constructed of a 2m wide carbon nanotube "ribbon," could be constructed in 10 years for a cost of US $6 billion, and be capable of lifting a 13-ton payload to geosynchronous orbit once every few days. If feasible, it would present a stunning breakthrough in space accessibility, and likely usher in a new age of space development and exploration."

Slashdot story

Fuel cells coming to a laptop near you


InfoWorld:�Toshiba prototypes methanol fuel cell for laptops:�March 05, 2003:�By�Gillian Law:�End-user Hardware

SSL Patent suit update: victory for SSL!

A press release on RSA's website announces that a unanimous verdict was reached on all infringement claims in favor of the defendants, RSA Security Inc. and Verisign Inc.

RSA Security | RSA Security Wins SSL Patent Infringement Trial

Analysis of the educational initiatives outlined in the national cybersecurity strategy

Rob Slade takes an in-depth look at what the National Cybersecurity Strategy is for security education and doesn't really find much. To summarize:

"we [the U.S. Gov't] can't do it alone, so we're not going to do anything"

"How will it happen?"

"Focus or force?"

"Security awareness cannot be promoted by establishing contests where nobody will compete."

"Again, this proposal sounds good, but, without details to back it up, I doubt that there will be any impact any time soon"

"Subject to budget considerations. No further comment needed."

"What incentive do those companies have to do so? "

"How about funding?"

"OK, the government doesn't want to help or fund certification, but wants to dictate what the certification is for."

"I imagine AV and firewall vendors will be delighted that the government will be advertising for them"

The document seems to say a lot but does not seem as if it will actually do anything.

Read the full analysis in Risks 22.63, article 1

Thursday, March 20, 2003

Duk Koo Kim


I recently purchased the one and only vinyl album that I own. I had to do so, even though I do not own a turntable, because it is a 1000 copy limited release single. It contains two versions of the same beautiful song, called Duk Koo Kim, by Mark Kozelek of the Red House Painters. This is one of my favorite RHP songs. Reading the history about Duk Koo Kim makes the song that much more poignant and sad.

Duk Koo Kim - Wikipedia

A tragic turn of events that reads more like Shakespeare than real life. One death leads to several others and radical changes to the world of boxing.

E-voting banter between scientists

There was voluminous and heated discussion on the cryptography mailing list about the dangers of the paper audit trail for e-voting that is being pushed by the e-voting academic experts. The instigator and perpetuator of the discussion was Ed Gerck.

His main criticism was that the paper audit trail does not address the problems of massive external vote tampering by extortion (vote this way and prove you voted this way or I'll kill you) or vote selling (vote republican, prove it to me, and I'll pay you $$). He is afraid that the paper audit trail will be just the thing that can be photographed as proof of your vote to enable these system.

Rebecca Mercuri replied:

"The whole idea of photographing paper ballots is a straw man. It is akin to saying that people
will just run through red lights anyway so we shouldn't place them at intersections."

This seemed to sum up my thoughts on the complaint. He seemed to be arguing for throwing the baby out with the bathwater, saying "[printing paper receipts] creates problems that are even harder to solve than the silent subversion of e-records"

He included criticism later on that a paper audit trail does not really make e-voting systems any better than existing paper-based systems and seemed to argue that it is academically uninteresting. I think that this is exactly the point though: nobody has yet come up with an entirely electronic voting system that solves the fundamental problem that a paper audit trail solves. It may be unsatisfying, but what I think is far more unsatisfying are the voting districts that are ignoring this academic result and swapping out systems with unverifiable ones. People need to understand the limits and risks of electronic systems.

Rebecca's most interesting statement for me was:

"The salient requirement of Democratic elections is that the voters must be assured that their ballots are recorded and tabulated as cast. If the process is such that it can only be understood by a team of
scientists with Ph.D.'s, the average citizen can have no confidence that their voice is being heard."

She ended her posting with a response to the criticism:

"I have never said that the paper balloting solution is a perfect one, but it provides assurances in a human-accessible format that is a considerable improvement over both the black-box systems and the chad-based ones.If you can devise a system that is equally user-friendly and has the same ability for independent auditing, then please do so."

The discussion ended with that.

In Happier Times...

This is hilarious. It must be making its rounds on the Internet today. Thought it would bring a bit of levity to the current world situation.

Friday, March 14, 2003

Risks of background checks

There is a trend after 9/11 to perform more background checks on individuals as a requirement for all kinds of things--employment being a major. Data integrity issues are probably the biggest risk with these kinds of checks. Who has your data? Where did they get it from? How do you know it is accurate? How can you correct mistakes?

I reviewed a background check service that is used for credit checks mainly and was surprised to see that they offered the ability to check against the _____________________

This is a case of just not doing a very thorough query of the information in the first place. Reminds me of the recent erroneous (and perjurious?) BSA complaint against OpenOffice based on an inaccurate search query and lack of human sanity-checking of the result. "The computer said there was a match. And computers don't lie..."

Date: Thu, 6 Mar 2003 18:14:45 -0800 (PST)
From: Max Power
Subject: Identity mixup: NZ teacher identified as prostitute

Michelle Garforth (Dunedin, NZ) applied to be registered as a teacher, after
finishing four years of training. She was notified that she was "likely" to
be a prostitute convicted on four charges, including two assaults, based on
a computer match of her maiden name and birthdate. Despite going to the
police and submitting to fingerprinting that demonstrated she was not the
person in question, she was not cleared until weeks later -- after her local
Member of Parliament had intervened. [Source: Prostitute mix-up shocks
teacher, by Ruth Berry, 06 March 2003; PGN-ed]

Thursday, March 13, 2003


New IEEE Security and Privacy magazine

I will have to check this out. Although, I have several piles of other publications to whittle down first.

"The IEEE Computer Society has created a new magazine called "Security and Privacy" specifically for the security community The magazine intends to present a balanced mix of scientific research and practical security discussion. "

Risks of public Internet access terminals

This story about 16M Yen (~$136,000) stolen from someone's CityBank online banking service after the user's password was compromised at an Internet cafe highlights the tremendous risk of insecure client computers. It does not make a darned bit of difference what crypto strength you were to use, it is so trivial to install a keystroke capture device that nobody would ever notice that will catch everything before it is encrypted.

"Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit-card information from someone living in a cardboard box to someone living on a park bench." -- Gene Spafford

The trend toward SSL-based VPNs and Internet-enabling everything under the sun leads to uncontrolled client-side access that significantly increases this risk. Gartner is "bullish" on these SSL-based VPNs but I'm not convinced that their convenience outweighs the increased risk in many cases. You would need to deploy token authentication at a minimum with these solutions but you would still be at risk of general data compromise. In any company with a large amount of employees, training everyone to not use their personal computer, a library computer, an Internet cafe computer, etc. to access such a solution would be difficult and not entirely effective. Users will choose the convenience over security much (all?) of the time.

Full story below and at CNN.com

Date: Fri, 07 Mar 2003 00:40:28 +0900
From: Chiaki Ishikawa
Subject: 16M Yen stolen from sniffed bank passwords at Internet Cafe
On March 6th, two men have been arrested for illegally transferring 16
million YEN from someone's CityBank online banking service account to a
third party account and then take the money from it, Tokyo police announced.
>From the descriptions of newspaper articles, it seems that one of the
culprits has installed keyboard sniffer programs on about hundred PCs at a
dozen or so Internet Cafes in Tokyo and Kanagawa prefecture (south of
Tokyo). He has regularly visited the cafes and brought back the recorded
data with him, and searched for ID/password, and other identification
At the charged man's home, the police has found ID/password for 719
accounts, and about a couple of hundred user profiles meant for dating
One such ID/password for a man's City Bank online banking service was used
to transfer 16 million Yen to a different account at another bank from which
the money was withdrawn.
This is the first time that a keyboard sniffer is implicated in a large
scale ID theft in Japan, from what I know.
It beats me, though, why anyone wants to use a PC at Internet cafe for one's
banking service. (We should assume doing something on it, like writing a
memo, for example, is akin to writing on a memo pad on a desk at a public
library under which a carbon paper may be secretly placed to record
information and we never know. For that matter, even without the carbon
paper, we often can see the telephone number, etc. left by the previous user
by looking at the indented marks on the next paper sheet, don't we? )
I think the general public should be taught more about the security
implications of various Internet services, which may look useful and handy
on the surface, but may not be so attractive if the security implications
are taken into account. I think it should be the responsibility for the
service provider to tell such risks, but I am not sure how to go about
writing a law because "risk" is a relative thing.
This has been a busy week for computer security professionals in Japan.
First the computer system for handling nations's flight plans collapsed on
the morning March 1st. Then a large credit card company, Oriental Corp.,
announced the leak of 15,000 user profiles to a member of an underground
gang group who blackmailed the company and was arrested. Then this
I hope the general public will start to pay more attention to the computer
security issues thanks to these high-profile incident. (The ID theft using
keyboard sniffer was the front page head line article in the evening edition
of *Asahi Shimbun*. It occupies about 1/5 of the paper and is very

Krispy Kreme grossly overcharges 28 customers

From RISKS 22.61.

"A Krispy Kreme doughnut shop in Albuquerque seemingly greased its coffers
while figuratively deep-frying over two dozen customers. Irrespective of
what they ordered, each of 28 customers using a credit card were charged
EXACTLY $84,213.60 for the purchase. "

The PGN comments simply made the posting though:

[These charges were actually APPROVED, and of course also blew the
customers' credit ratings for a few days. Amazing!
``The $84,000 charge, were it legitimate, would have purchased over
170,000 ... doughnuts, enough to stretch over 9 miles if placed
end-to-end.'' ...

Date: Tue, 04 Mar 2003 19:31:54 -0500
From: "Fuzzy Gorilla"
Subject: 28 Krispy Kreme customers each charged over $84,000
A Krispy Kreme doughnut shop in Albuquerque seemingly greased its coffers
while figuratively deep-frying over two dozen customers. Irrespective of
what they ordered, each of 28 customers using a credit card were charged
EXACTLY $84,213.60 for the purchase. KK blamed Heartland Payment Systems,
which processes their credit-card transactions. [Source: KRQE News 13,
Albuquerque, N.M., 19 Feb 2003; PGN-ed]
[These charges were actually APPROVED, and of course also blew the
customers' credit ratings for a few days. Amazing!
``The $84,000 charge, were it legitimate, would have purchased over
170,000 ... doughnuts, enough to stretch over 9 miles if placed
(But a few days later, the doughnuts might have settled into substantial
paving bricks. Or do Krispy Kremes have a shelf-life of years, like
the bread and chocolate used in Des(s)ert Shield?) Of course, stacked
vertically, they would reach almost 2 miles high.
Somehow, the name ``Heartland'' seems incompatible with the concept of
Krispy Kremes, unless it is related to a hospital with the same name.
[Three sentences back, I have added "(s)" in the archive copy,
inspired by Mike Yuhas. PGN]

VoteHere whistleblower lawsuit and other e-voting madness

BlackBox Voting is reporting on a whistleblower lawsuit filed here in Washington state by a software engineer against his former employer VoteHere. He alleges that he was wrongfully terminated to silence his complaints while third party "certification" of the VoteHere system was being conducted. The lawsuit enumerates many of the system's flaws that he documented in defect reports. It is a must-read.

In other unbelievable news, Santa Clara County, CA and Collins County, TX both voted for electronic voting machines without paper audit trails against all sound advice from experts around the world. Santa Clara County reportedly cited the same kinds of "certifications" as evidence that the system is okay without the voter verifiable audit trail.

Wednesday, March 12, 2003

Music wish list

I've been compiling a text file with my queue of music to get next and thought that I should share. It would also be much nicer to manage through MovableType with the MTAmazon plugin and the MTMacro plugin.

Friday, March 7, 2003

Big brother is all around you

ABCNews is reporting that several police agencies are under fire for domestic spying. Those of you who think that the government can have all the power it thinks it wants without checks and balances should take heed that this certainly breeds abuses. Read this article. See the trend toward more domestic spying. Be afraid.

I hope that Seattle maintains their current ban on this practice.

ABCNEWS.com : Is Police Spying Back in Fashion?

Dumb criminal award candidate

Just hilarious if this suspect was truly the robber.

"A California man who got away after allegedly sticking up an Aurora Avenue North video store a couple of weeks ago apparently couldn't leave well enough alone."

The Seattle Times: Local News: Robbery suspect nabbed during return visit to store

COPA ruled unconstitutional!

The Washington Post has a story about the victory for free speech handed down by the 3rd U.S. Circuit Court of Appeals on Thursday. They upheld a lower court injunction blocking the law (COPA) as being too squishy to withstand constitutional muster.

"Previously, the 3rd Circuit had ruled the law unconstitutional on grounds that it allowed the legality of Internet content to be judged by "contemporary community standards."

Also see discussion at
Slashdot | Appeals Court Rejects Child Online Protection Act, Again

See the full decision here. Monitor any future developments at EPIC's site

Note: Updated on 3-12-03 to change content to reflect CIPA to COPA. This law acronym alphabet soup is just as bad as telecom's! A CIPA announcement came out recently but this was supposed to be about COPA...

Tuesday, March 4, 2003

AOL customers: buyer beware

Many of the attacks described are social engineering attacks and not computer security holes. I can't believe the mumbling attacks--hilarious! Social engineering attacks are very hard to defend against, especially with huge callcenters like AOL must have.

AOL customers beware your privacy. AOL not only makes it easy to get on the Internet, they make it easy for others to get on the Internet as you too!

"Using a combination of trade tricks and clever programming, hackers have thoroughly compromised security at America Online, potentially exposing the personal information of AOL's 35 million users. "

Wired News: Hackers Run Wild and Free on AOL

SSL under patent dispute

The March 3 Security Wire Digest and Reuters are reporting that:

"Leon Stambler, who has won financial settlements from companies such as
National Cash Register, First Data and Openwave Systems, seeks up to $20
million in the federal suit, being heard in Delaware. "

"Certicom and Openwave each paid $400,000 plus ongoing royalty fees for their licenses and First Data paid $4 million, he testified. "

He is suing RSA Security and Verisign now, trying to extract money. Ugh.

The companies are arguing that his invention (patented in 1992) is distinct from SSL. SSL was developed in 1994 and patented in 1997, according to the Reuters article.

The Reuters story is here

Wireless hackers invade!

"Two Alberta men with a passion for locating and mapping wireless
computer networks have come under the scrutiny of Canada's spy agency."

"The press release, which also included Mr. Kaczor's name and contact information, featured the tongue-in-cheek headline "Wireless hackers invade Red Deer!""

High-tech hobby falls under CSIS suspicion

Monday, March 3, 2003

Debate on copyright vs. innovation at Stanford

[IP] Pondering Value of Copyright vs. Innovation

"Technology scholars, business leaders and policy makers gathered at California
conferences this weekend to argue whether a mismatch between two different technologies and the legal policies that govern them could inhibit free expression and innovation. "

""We have ceded too much power to copyright owners," said Ms. Lofgren, who plans on Tuesday to reintroduce a bill that would amend the 1998 law. "People are afraid to proceed on innovative measures.""

Outlawing Encryption under PATRIOT II

Among other nasty things, the US government is trying to make the use of encryption while committing a crime over a computer a new crime that would add 5 years onto your sentence, if convicted.

"If you order a book from Amazon.com and fail to pay state tax, the SSL session with Amazon supports a five year felony. [RFF - I'd also include using GSM cell phones with the built-in encryption....]"

The ACLU has a section-by-section analysis for the full dose of insanity.

[IP] Outlawing Encryption under PATRIOT II

Several members of congress have sent an open letter to John Ashcroft chiding him for the administration's handling of PATRIOT II. The Justice Department is being very secretive about this new act, even lying to congress about its existence even though it has been leaked on the Internet.

From the FoxNews story:

"If there's going to be a sequel let's find out what it's going to be" before reading about it in the newspapers, Leahy said, accusing the Justice Department of lying to his staff about whether a new bill was in the works.

Ari Gets Laughed Out of WH Briefing Room

[IP] Must Read and See: Ari Gets Laughed Out of WH Briefing Room]

Join in laughing Ari Fleischer out of the briefing room. Start at about 30 minutes into the tape when Ari is being repeatedly questioned about US diplomat quotes that some aid packages are being offered to Mexico and Columbia relating to their upcoming UN Security Council votes.

Google removes "illegal" site from its index on request

Seth Finkelstein has details on a troubling case about someone in Chester county in the UK complaining to google about a site run by someone calling themselves "Chester the Molester" as an illegal paedophile site that they found by searching for "Chester Guide" on google. The site, in fact, was not illegal at all but a list of "sick humor" that included a link to a humor article entitled, "Chester's guide to: picking up little girls".

So, all it takes is for someone to make a complaint, for google to not really research it, and you can get someone's site removed from google's cache.

[IP] Google removal - Chester's Guide to Molesting Google

Truth in music on its way?

Senator Ron Wyden (D) from Oregon is pitching a simple idea to lead to a market-driven solution to the DRM problems being imposed on consumers: to require music companies to disclose to consumers the restrictions they will impose on the consumer's use of the product.

"When customers know, for example, that the compact disc they're buying is technologically rigged so they can't rip MP3 files from it for use on a portable player, they won't buy it. Eventually, these informed customers will demand change in the copyright laws."

[IP] Truth in labeling

Senator Seeks Full Copyright Disclosures

Sunday, March 2, 2003

Dell cost cutting with Sun to Linux switch

Wow. This may help spur other cost-conscious companies (perhaps my employer too) into making the switch.

"Currently, our order management, customer transaction information, manufacturing flow, and software downloads (as a part of our build-to-order manufacturing process) all involve Sun-based Unix systems. But that's all being moved to Dell-based systems running Red Hat Linux and Oracle 9iRAC. So far, 14 Sun systems are gone and the plans are to complete the 'Sun setting' exercise this year."

Dell, Sun execs trade jabs over Unix viability

Vespa Madness

A must have: Vespa Screensaver. Windows-only, of course.

Interested in buying one for me? I could handle the platinum, dragon red, or cobalt blue one. The local dealer location

Or, I can at least hope to win one from Starbucks. This is the perfect excuse to buy more coffee :-)

Worm press release template

Keep this handy for the next MS Worm. Posted to RISKS 22.53: .
[From Pete Lindstrom, Spire Security, [email protected]]

*<adjective> Computer Worm <verb> Internet*

In the wee hours of <date>, a <adjective> computer worm spread <adverb>
throughout the Internet. Dubbed <silly name> because <ridiculous reason
that doesn't explain anything about how it works>, and also known as
<another random name> and <another random name>, the worm has infected
an estimated <number> systems within <length of time>. Experts are
calling this worm the most <adjective> since <date in the past>.

The worm exploits a hole in <Microsoft product name> that was first
identified <number> months ago by <security company name>...

In an attempt to secure the planet, <same company> released detailed information about
the vulnerability and how to exploit it. They also mentioned how to fix
it, but apparently <noun> listened. Coincidentally, the worm that
exploited this hole was also first identified by <same company>. Even
more coincidentally, they make a product to protect against <noun>.
"Actually, it's not really a <noun>, it's a <noun>," said <Pete
Lindstrom, or some other person seeking publicity>. " A true <noun>
works by <random filler that nobody will read>."
The worm's payload <verb> every system by <verb ending in -ing> the
<noun>. Comparatively speaking, this is much worse than <another worm>
but not as bad as <another worm>. The computers of <place> were hit the
hardest. Current damage is estimated at <dollar figure more than the GNP
of two-thirds of the world's nations>. " This worm has the potential to
<something or other>," said <Pete Lindstrom, or some other person trying
hard to come up with something interesting to say ;-)>. " It just goes
to show you that <another something or other>."
Though there is no way to protect against this particular bug, experts
recommend trying <longshot one> or <longshot two>, neither of which
matter, since nobody will do it anyway.

Friday, February 28, 2003

BSA joins ranks with RIAA in threatening without cause

The BSA (Business Software Alliance) is now taken to sending out threatening letters based on the results of a web/ftp spider search for the word "Office". The RIAA has done similar things in searching for "pirated" music by keyword and then automatically mailing.

From the BSA letter:

"What was located as infringing content:
Filename: /mandrake_current/SRPMS/OpenOffice.org-1.0.1-9mdk.src.rpm (199,643kb)
Filename: /mandrake_current/i586/Mandrake/RPMS/OpenOffice.org-libs-1.0.1-9mdk.i586.rpm (35,444kb)"

OpenOffice.org thread

Anyone have a clue stick handy?

Wednesday, February 26, 2003

Microsoft Spyware?

tecChannel reverse-engineered Windows Update to find that it can spy on other installed applications. It is unclear whether it actually does spy though. Although an article at The Inquirer claims as much.

They are offering a utility that you can run yourself to spy on the spyware. You have to pay 1.99 Euro for the full article and get the software included. A summary can be found for free though at The Inquirer.

"The information can pass on to Microsoft a list of all of the software installed on an individual's computer, including software manufactured by other manufacturers."

There is a slashdot story as well.

An article update shows a dump of what a hardware configuration looks like being sent to Microsoft.