Friday, February 28, 2003

BSA joins ranks with RIAA in threatening without cause

The BSA (Business Software Alliance) has now taken to sending out threatening letters based on the results of a web/ftp spider search for the word "Office". The RIAA has done similar things, searching for "pirated" music by keyword and then mailing automatically.

From the BSA letter:

"What was located as infringing content:
Filename: /mandrake_current/SRPMS/ (199,643kb)
Filename: /mandrake_current/i586/Mandrake/RPMS/ (35,444kb)"

Anyone have a clue stick handy?

Wednesday, February 26, 2003

Microsoft Spyware?

tecChannel reverse-engineered Windows Update and found that it can spy on other installed applications. It is unclear whether it actually does, although an article at The Inquirer claims as much.

They are offering a utility that you can run yourself to spy on the spyware. You have to pay 1.99 Euro for the full article and get the software included. A summary can be found for free though at The Inquirer.

"The information can pass on to Microsoft a list of all of the software installed on an individual's computer, including software manufactured by other manufacturers."

There is a slashdot story as well.

An article update shows a dump of what a hardware configuration looks like being sent to Microsoft.

More on Santa Clara E-voting

Just heard an NPR story on the Santa Clara e-voting saga. A vote today did not decide whether they would go only with a system that has a paper ballot, only whether to test such a system.

The representative of Sequoia (the chosen vendor) admitted that they only agreed to add the paper ballot because they listen to customer demands. He didn't think it was necessary though.

"Officials in California's Santa Clara County learn that those who know computers best have the biggest concerns about them. That county, home to Silicon Valley, is deciding on an electronic voting system. But a computer scientist fights to keep old-fashioned paper in the voting process. NPR's Andy Bowers reports."

Listen here:
Real Audio link

Check out the 128 pages of documentation. Page 13 is interesting, as is the discussion on page 23 that the "prevailing view is that proprietary source code should not be readily available for obvious security [ed: obscurity] reasons".

Page 27 has a discussion of the "security" for modem data transmissions of vote totals in the ES&S iVotronic product. It's good for a laugh. Here's their modem "security":

1. "Transmission...uses an ES&S proprietary protocol that includes proprietary data format and checking....If a standard PC with a modem attempts to link up with a Data Acquisition Manager (DAM) Host, the modems will initially link up but no intelligible information will be received by either unit."

Don't know about you but that gives me warm fuzzies. Of course this is not unlike things that I see in RFPs for other kinds of technology all the time. You would (and should) expect more from such a critical system though.

2. "To add additional security..." [as if 1 is not enough] "...there is an eight-position password built into the protocol"

They go on to say that there is a time period--not a number of failed attempts--that governs disconnect if the correct password is not entered. So, it sounds like someone could brute-force. Is 8-position just numeric, or does it include alpha too?

I could go on but don't want to ruin it for you.

Homeland "Security" measures coming under fire

I heard someone talk about how in the 50's and 60's everyone was building bomb shelters for protection against nuclear attack and fallout but now people are being told that some tarp and duct tape are all that is needed.

The question was asked, "Who is going to protect us from Tom Ridge, and his bumblers in the Dept of Homeland Security..."

[IP] More bad advice from Tom Ridge...

NPR : Duct and Cover?

Now it's 8 million credit cards stolen

"In what is believed to be the biggest credit card hacking incident so far, Omaha-based Data Processors International, which processes transactions involving Visa, MasterCard, American Express and Discover Financial Services for merchants, said in a statement that it had "recently experienced a system intrusion by an unauthorized outside party."

Yahoo! News - FBI Probing Theft of 8 Million Credit Card Numbers

Tuesday, February 25, 2003

ACM joins opposition to TIA

There is a story in this month's ACM MemberNet publication on the ACM's opposition to Total Information Awareness (TIA).

This isn't exactly news, because the ACM letter was drafted on Jan 23. The latest status on the EPIC TIA page was Jan 24, when Amendment 59 was included in a bill to impose limits on TIA. However, the requirement that the government simply provide a report in order to continue funding seems weak. There isn't anything defining what content within the report would be satisfactory. It sounds too much like corporate privacy policies: it doesn't matter what is in them, so long as the company abides by it. The report could say exactly what privacy advocates fear most and TIA will still be funded. However, the catch-all requiring Congress to approve use of TIA is a step in the right direction.

Santa Clara County: more clueless electronic ballot junkies

Santa Clara County faces key decision on electronic ballots

"The future of electronic voting may be rewritten this week in Santa
Clara County, where county leaders are weighing warnings that the
touch-screen voting machines they want to buy are more prone to error
and fraud than the systems they would replace."

"Sequoia's systems don't produce paper ballots that voters can verify,
and supervisors didn't ask for such a device in their bid
proposal. Vendors and election officials say paper ballots aren't
needed because the machines have internal safeguards, are certified by
federal and state governments and tested repeatedly before and after

Ack! Read the research! Read my rant! Just stop immediately and don't do anything yet!

"``We still believe they're secure,'' Assistant County Executive Peter
Kutras said Friday. ``There are not any issues that should cause
concern in terms of voter confidence.'' "

Good Grief.

This is also good press for the petition that David Dill at Stanford began. Hopefully they will listen.

Study shows Linux defect rate much better than commercial Unix

A study of TCP/IP code of various commercial and open source operating systems found that the defect rate in the Linux implementation was much better than others studied.

"The Linux defect rate was 0.1 defects per 1,000 lines of code,
Reasoning found. The rate for the general-purpose operating
systems--two of them versions of Unix--was between 0.6 and 0.7 per
1,000 lines of code. The rates for the two embedded operating systems
were 0.1 and 0.3 per 1,000 lines of code. "

Because of the very limited scope of this audit, and because who knows what specific defects were being tested out of the set of all possible defects, I would not be so quick to draw sweeping conclusions from it. However, it is very interesting in itself.

Study lauds open-source code quality

Scuba diving computer recall

From RISKS 25.57.

I have friends who dive and hope to get certified myself soon so this is of particular concern.

Date: 17 Feb 2003 05:35:20 -0800
From: Tom Race
Subject: Scuba diving computer recall

[See also Risks in scuba equipment, Carl Page, RISKS-21.41]

In simple terms, a dive computer monitors the amount of nitrogen
in the diver's blood. Typically worn like a wrist watch, it tracks the
diver's depth and calculates the absorbed nitrogen according to a
mathematical model of the human body's various tissues.

If a diver surfaces too quickly with too much nitrogen in the body it is
released as bubbles within the blood or tissues, potentially causing
or death through Decompression Sickness (DCS). Divers typically rely
heavily on a computer to tell them when to surface to avoid DCS.

The manufacturer below is being sued over the mathematical model, which
a faulty assumption, or more likely a complete oversight. The model
embedded in this computer assumes that the diver on the surface
continues to breathe whatever gas mixture they were diving with. When the diver is
nitrox, a gas mixture containing extra oxygen and therefore less
than air, the computer will assume that they are releasing nitrogen at a
higher rate than reality. Over several dives and several intervals on
surface, the state of the mathematical model and the diver's actual
levels may become seriously different, and in the 'wrong' (more risky)

A failure of requirements specification or code inspection? The lawsuit
refers to a 'manufacturing defect'.

I have an interest, since I have a nitrox computer from the same
manufacturer. Fortunately mine is more recent, and I have not used it
gases other than air.

Tom Race

- - - - - - - - - - - -
Uwatec, Scuba Pro and Johnson Outdoors Subject of Class Action Seeking
Product Recall; 5 Feb 2003
Dive industry leaders Uwatec and Scuba Pro, and their parent company,
outdoor equipment conglomerate Johnson Outdoors, Inc., have been sued in
federal court by a former authorized reseller, Robert Raimo, seeking a
mandatory recall of all Aladin Air X Nitrox dive computers manufactured
before 1 Feb 1996. The suit seeks certification as a class action on
of all owners of the dive computers, and all persons who acted as
dealers, wholesalers or distributors of the dive computers.
The suit claims that 1995 model Aladin Air X Nitrox dive computers have
manufacturing defect that prevents the computer from switching from
underwater to surface, or air mode when the user returns to the surface.
a result, the computer continues to calculate a diver's decompression
obligations as if the diver were breathing enriched air, or nitrox,
containing as little as 50% nitrogen, while on the surface, instead of
properly calculating the diver's decompression obligations and
while the diver is breathing air, which contains 78% nitrogen. This
causes the computer to underestimate residual nitrogen loads, and to
overestimate the diver's safe repetitive bottom times, thereby
increasing the diver's risk of contracting decompression sickness
The suit alleges that the defect is likely to affect experienced divers
making multiple nitrox dives in a single day to maximize bottom time,
as those conducted on increasingly popular "live-aboard" dive vacations
exotic locations, far away from the nearest treatment centers capable of
saving the life of a diver stricken with decompression sickness.
The so-called "air-switching defect" was first described in an internal
Uwatec memo dated 30 Jan 1996, which warned one of the company's test
about "the faulty Aladin Nitrox". The memo described how to manually
override the defect so the diver could safely use his computer until it
replaced by Uwatec. After this memo was sent to Uwatec's U.S.
they drafted a product recall notice. However, the suit alleges the
were fired before they could issue the recall notice, and the defendants
have maintained a "conspiracy of silence" ever since.
Copies of the 1996 memo and recall notice are attached as exhibits to
complaint and may be viewed on the News section of the Web site of
attorney, David Concannon, at
Raimo was stricken with Type II decompression sickness after using a
model Aladin Air X Nitrox on four nitrox dives off Bonaire in Apr 2002.
is the former owner of two retail dive centers in New York.
According to Concannon, the suit was filed as a class action only after
Johnson, Scuba Pro and Uwatec rebuffed Raimo's requests that the
issue a voluntary recall. The suit was filed in Oakland, California
four other lawsuits filed by divers alleging they were injured by the
model computer are currently pending there and are scheduled for trial
Nov 2003.
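As an added illustration (not from the RISKS post, the complaint, or Uwatec), here is a toy single-compartment Haldanean nitrogen model run with and without the surface switch to air, showing why the described "air-switching defect" leaves the computer's residual-nitrogen estimate below the correct model's. The compartment half-time, the depth/pressure conversion, and the dive profile are constructed assumptions; only the gas fractions (50% and 78% N2) come from the complaint.

```python
"""Toy Haldanean nitrogen-loading model illustrating the air-switching
defect.  Constructed for illustration only; not a decompression tool."""

import math

SURFACE_BAR = 1.0     # assumed absolute pressure at sea level
BAR_PER_METRE = 0.1   # assumed: 10 m of seawater adds 1 bar
F_N2_AIR = 0.78       # air, as stated in the complaint
F_N2_NITROX = 0.50    # "as little as 50% nitrogen", as stated in the complaint
HALF_TIME_MIN = 40.0  # illustrative single tissue compartment half-time


def ambient_bar(depth_m):
    """Absolute pressure at the given depth."""
    return SURFACE_BAR + depth_m * BAR_PER_METRE


def update_loading(p_tissue, f_n2, depth_m, minutes):
    """Exponential approach of the compartment's N2 partial pressure (bar)
    toward the inspired N2 partial pressure at this depth, over `minutes`."""
    p_inspired = f_n2 * ambient_bar(depth_m)
    k = math.log(2.0) / HALF_TIME_MIN
    return p_inspired + (p_tissue - p_inspired) * math.exp(-k * minutes)


def simulate(profile, switch_to_air_on_surface):
    """Run a profile of (depth_m, minutes, f_n2_of_dive_gas) segments.
    Depth 0 is a surface interval, where the diver really breathes air.
    A correct model switches to air there; the defective behaviour keeps
    using the dive-gas fraction.  Returns the final compartment N2 (bar)."""
    p = F_N2_AIR * SURFACE_BAR  # equilibrated on air before the first dive
    for depth_m, minutes, f_n2 in profile:
        if depth_m == 0 and switch_to_air_on_surface:
            f_n2 = F_N2_AIR
        p = update_loading(p, f_n2, depth_m, minutes)
    return p


# Constructed day of four repetitive nitrox dives with one-hour surface
# intervals, loosely patterned on the four dives mentioned in the complaint.
FOUR_NITROX_DIVES = [
    (25, 30, F_N2_NITROX), (0, 60, F_N2_NITROX),
    (25, 30, F_N2_NITROX), (0, 60, F_N2_NITROX),
    (25, 30, F_N2_NITROX), (0, 60, F_N2_NITROX),
    (25, 30, F_N2_NITROX), (0, 60, F_N2_NITROX),
]


def residual_underestimate_bar(profile=FOUR_NITROX_DIVES):
    """How far below the correct model the defective model sits at the end
    of the profile (positive means the computer is too optimistic)."""
    correct = simulate(profile, switch_to_air_on_surface=True)
    defective = simulate(profile, switch_to_air_on_surface=False)
    return correct - defective


if __name__ == "__main__":
    print(f"correct model : {simulate(FOUR_NITROX_DIVES, True):.3f} bar")
    print(f"defective     : {simulate(FOUR_NITROX_DIVES, False):.3f} bar")
    print(f"underestimate : {residual_underestimate_bar():.3f} bar")
```

The gap grows with each surface interval, which matches the post's point that the danger is greatest over several dives in one day.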

Someone compromised 1% of all Visa and MasterCard account numbers

A very short Reuters story dated 2-17-2003 reports that over 5 million Visa/MasterCard accounts were hacked into:

"More than five million Visa and MasterCard accounts throughout the nation were accessed after the computer system at a third party processor was hacked into, according to representatives for the card association"

This story by the BBC has more details

Great. Why were the account numbers on Internet-accessible systems? And why were the accounts not stored encrypted at the third party?

5 million accounts is about 1% of the 560 million total cards in circulation. This is huge.

Orange alert status = terror for students

From RISKS 22.56

"Date: Thu, 13 Feb 2003 05:46:37 -0500
From: "Rebecca Mercuri"
Subject: Risks of Doing Homework

At the faculty meeting at Bryn Mawr College on 12 Feb 2003, we were
informed that a student at Haverford (our affiliated College) was arrested over
the weekend when he was trying to do his homework assignment in
As part of the Cities project, he was taking photographs of SEPTA (our
regional transit authority) facilities when he was arrested, detained
for a few hours, and eventually released. Haverford administration is working
to try to ensure that this event not be a part of the student's permanent
police record. Apparently taking photographs at transit facilities is
cause for arrest during "Code Orange" alert, the authorities explained.
Faculty were advised to be careful about assigning "field trip" projects during
such alerts.

Rebecca Mercuri, Bryn Mawr Computer Science"

Not only N. Korea can have nukes

A Wired article describes the unbelievable story of reporter Noah Shachtman trivially breaching the physical security at none other than Los Alamos National Laboratory, described as "the world's most important nuclear research facility".

"On Saturday morning, I slipped into and out of a
top-secret area of the lab while guards sat, unaware, less than a
hundred yards away."

Mobile mp3 quandary

What to buy...

For my birthday, I'm looking to buy myself a digital music jukebox player/recorder. There are plenty of options, but none of which meet all of my requirements.

I'm going to play the wait-and-see game for a while. There are some new Minidisc players coming out that are candidates as well, although the tradeoff is smaller capacity to get a smaller form factor and jog-proof mechanism.

The most promising product is the Neuros, although some poor design decisions, including only providing USB 1.x support, may kill this one before it gets started. The promise for me is the ability to have both a memory-based player and a hard-drive based player in one. I could take it to the gym without the hard disk pack, but still be able to add the disk for roadtrips or just the daily commute. The built-in FM transmitter is another great feature.

PC Firewire iPod
Creative Nomad Jukebox Zen
Creative Nomad Jukebox 3
Archos Jukebox Multimedia 20
Bantam Interactive BA1000

Friday, February 21, 2003

New SSL active MITM attack

"In a paper researchers at the Security and Cryptography Laboratory of
Swiss University (Lasec) EPFL demonstrate a timing-based attack on CBC
cipher suites in SSL and TLS.

The attack assumes that multiple SSL or TLS connections involve a
common fixed plaintext block, such as a password. Since credit cards
numbers are normally sent to a secure server only once this particular
attack has little or no chance of success.

When checking emails, using for example an Outlook Express 6.x client,
using a secure connection passwords are sent periodically as email is
checked. This leaves the door open for an attack. "

The attack relies on the protocol being a bit too chatty in providing information. There are many limitations that make this not especially critical, although IMAP/POP clients like Outlook exacerbate the risk because they will happily keep resending your encrypted password to the server if the connection does not succeed.

The Register article

Peter Gutmann, of cryptlib fame, posted some client-side coding suggestions to ensure that you are not at risk, regardless of whether your server is vulnerable or not:

- Don't retry a connection repeatedly if it fails the first time (I
guess you don't do that anyway, but some programs like Outlook try automated
repeated connects).

- Add random whitespace to the initial messages so the password isn't
always at a fixed location (that is, sprinkle extra spaces and tabs and
whatnot around in the lines you send up to and including the password).

-- Snip --

This changes the padding on each message containing the password, making
the attack rather more difficult, and has the advantage that you don't need
to convince the party running the server to update their software.
Depending on how much stuff you can send per message, you can vary it by quite a bit.
In the POP case the "PASS xxx" would be a single message so you don't have
quite that much leeway, but it looks like you can add enough whitespace to
make the padding random. Someone else on the list posted a followup to say he'd
tried it on two servers and they had no trouble with the whitespace.

There is an excellent technical summary that I'll have to dig up and post later. It listed out all of the limitations that could mitigate your risk.
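As an added example (not code from The Register article or from Peter Gutmann's post), this shows what the random-whitespace suggestion does to a POP3 "PASS" line: the password's position inside the TLS record and the record's CBC padding both change from one connection to the next, so the fixed layout the attack needs is gone. Assumptions: a TLS 1.0 CBC suite with an 8-byte block (3DES) and a 20-byte HMAC-SHA1 MAC, and an arbitrary upper bound on the extra whitespace; whether a given server tolerates the whitespace has to be checked against that server, as Gutmann notes.

```python
"""Randomising the position of a POP3 password inside a TLS CBC record.
Block size and MAC length are assumptions about the negotiated suite."""

import secrets

BLOCK_SIZE = 8      # 3DES-CBC block size (assumed suite)
MAC_LEN = 20        # HMAC-SHA1 tag appended before padding (assumed suite)
MAX_EXTRA_WS = 24   # arbitrary cap on the extra whitespace
WS_CHARS = " \t"


def tls_padding_len(data_len, mac_len=MAC_LEN, block_size=BLOCK_SIZE):
    """Bytes of padding (including the trailing padding-length byte) that
    TLS 1.0 adds so that data + MAC + padding fills whole blocks.
    With minimal padding this is always 1..block_size."""
    return block_size - ((data_len + mac_len) % block_size)


def pass_line(password, extra_ws=""):
    """The POP3 PASS command, with optional extra whitespace inserted after
    the verb's single separating space."""
    return ("PASS " + extra_ws + password + "\r\n").encode()


def random_whitespace(max_len=MAX_EXTRA_WS):
    """A run of 0..max_len spaces and tabs drawn from the CSPRNG, so an
    observer cannot predict the next connection's layout."""
    n = secrets.randbelow(max_len + 1)
    return "".join(secrets.choice(WS_CHARS) for _ in range(n))


def randomized_pass_line(password):
    """PASS line as a client following the whitespace suggestion would send it."""
    return pass_line(password, random_whitespace())


def record_layout(line, password):
    """Where the password lands in the plaintext record and how much padding
    the record carries: exactly the quantities the attack relies on being fixed."""
    offset = line.index(password.encode())
    return {
        "password_offset": offset,
        "password_block": offset // BLOCK_SIZE,
        "offset_in_block": offset % BLOCK_SIZE,
        "padding_len": tls_padding_len(len(line)),
    }


def offsets_in_block(password, ws_lengths):
    """The password's offset within its CBC block for each whitespace length.
    Over block_size consecutive lengths every offset occurs exactly once."""
    return [record_layout(pass_line(password, " " * k), password)["offset_in_block"]
            for k in ws_lengths]


def parse_pass(line):
    """Server-side parse that tolerates extra whitespace before the password.
    Returns the password; raises ValueError for anything that is not PASS."""
    text = line.decode("ascii").rstrip("\r\n")
    verb, _, rest = text.partition(" ")
    if verb != "PASS":
        raise ValueError("not a PASS command")
    return rest.lstrip(WS_CHARS)


if __name__ == "__main__":
    pw = "hunter2"  # constructed sample password
    for _ in range(3):
        line = randomized_pass_line(pw)
        print(line, record_layout(line, pw), parse_pass(line))
```

A password that itself begins with spaces or tabs would be mangled by this scheme, so the client should only apply it to passwords without leading whitespace.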

Citibank trying to silence ATM PIN security research

Citibank is trying to prevent the disclosure of new scientific research that has apparently broken ATM PIN confidentiality protection wide-open. This is even in the face of "phantom" charges appearing on people's accounts that banks refuse to reverse, claiming that their system is so secure that users cannot repudiate such charges.

"The card's issuer says that's not possible, because their ATM network
is secure, and is suing the couple to recover the nearly $80,000 that
was charged against the card. "

The raw archived information:

Protocol Analysis, Composability and Computation

There is a slashdot discussion

There is an eWeek article too: Attack Exposes ATM Vulnerabilities

Well-known cryptographer Ross Anderson offered this testimony in the case:
"In addition to being published material, derived from open sources,
and of crucial importance to the defendants' case, the vulnerabilities
are likely to be crucially important in other cases brought in the
U.K. and elsewhere over disputed ATM transactions," Anderson wrote in
his letter. "Bond plans to incorporate much of this material into his
Ph.D. thesis. It is spectacularly unfair for the applicant to ask you,
in effect, to prohibit Bond from including in his thesis a scientific
discovery that he has already published."

Slag your drives to thwart data recovery

A recent MIT study of 129 used hard drives indicated that people leave a treasure trove of data behind on their discarded computers.

This raises the question of how you can securely dispose of old hard drives. Well, the typical answers are to use a secure wiping program or degaussing, but these are not 100% effective.

Some people have come up with a foolproof method called Drive Slagging which involves melting down the platters and essentially creating aluminum ingots.

Not exactly do-it-yourself though :-)

Thursday, February 20, 2003

eBay rolls clock back to 1984

"Big Brother is watching you - and documenting
eBay, ever anxious to up profits, bends over backward to provide data to law enforcement officials"

Buyer (and seller) beware...

Ha'aretz - Article

Wednesday, February 19, 2003

TurboTax copy protection mucks with sectors on your hard disk

DRM is getting even more annoying, dangerous, and insidious. Intuit thought it necessary to use a product called SafeCast to prevent unauthorized copying of its popular TurboTax product. ExtremeTech did some testing and found that SafeCast copy (not copyright) protection relies on modifying sector 33 on your hard drive, outside of your operating system. This is not necessarily a Good Thing ™

TurboTax Test Results Part II

What to do now? Should you use TurboTax or switch to a competitor's product? Well, Intuit has been listening to the complaints and has offered some concessions, including an assurance that a version of TurboTax that won't require "activation" will be released after October 2003, allowing SafeCast to be uninstalled when TurboTax is uninstalled.
TurboTax: So What Do I Do Now?

Timeline of the problems and Intuit's response

Most interesting here was this note that "Analysts sharply question Intuit about TurboTax product activation." when they reported their quarterly results on February 13.

Monday, February 17, 2003

To Thwart the Identity Thieves

There is an excellent article in BusinessWeek on what is supposed to be the fastest growing crime in the U.S.: identity theft. I agree that only radical reform will solve the problem. However, I always think that the solutions focus on symptoms of the problem (disclosure of customer identifying information) and not on the root cause of the problem (insufficient authentication (i.e. PROOF of identity) requirements by credit issuers). Your identifying information should not have to be secret. That is the mark of an insecure system.

The biggest problem with identity theft is the human element though. Consumers really don't want the additional security that would prevent identity theft because of the additional hassle it would cause them. I hear all the time about people who get offended by having to show I.D. for financial transactions--even when it is explained why this is necessary. It must be that people are naturally trusting and to have someone challenge their authenticity is offensive. Perhaps it takes becoming the victim of identity theft to actually see that there are rational reasons to have better security...

I do like the idea of a market-driven solution. There are plenty of areas where the market fosters very poor security. Government mandates can change this tide and force novel approaches, like the one in this article.

BW Online | February 11, 2003 | To Thwart the Identity Thieves

Richard Forno let go; rants about Symantec

Richard Forno was let go by Symantec, coincidentally right after he had politely complained in a letter about the extremely inefficient payment procedures they brought with them to SecurityFocus.

I really enjoyed his commentary so I hope to see him show up somewhere else soon!


Computer Security and Intelligence web links

The Computer Security and Intelligence website has, according to the author, "little nuggets" of information he finds "interesting enough to post online".

The most interesting thing that I found there (so far) is where people are betting on current events, such as whether or not Saddam will still be in power as of March 31.


The Myth of Security at Canada's Airports

The Senate Committee on National Security and Defense in Canada recently released a report on the new airport security measures.

It is entitled "The Myth of Security at Canada's Airports".

"...measures have reassured many travellers that security has been tightened at Canadian airports since the tragic events of September 11, 2001. The problem is that there has been little or no improvement to huge security gaps that persist behind the scenes in the Canadian travel industry. "

There is also a full-disclosure debate arising over whistle-blowers who may point out that money or effort is being misdirected:

"Our basic premise: You can be sure that ships really will sink if they have a lot of holes in them. And those holes aren't likely to get patched unless the public applies pressure to get the job done. They certainly aren't patched yet. "

Security measures should be able to withstand scrutiny.

Fifth Report: The Myth of Security at Canada's Airports

Saturday, February 15, 2003

Viacom won't run anti-war ads

With all of the millions of protesters out there this weekend, you would think that Viacom would not be opposed to a fairly popular viewpoint being broadcast. However, they have refused to run the group's anti-war ad and have given an allegedly lame rationale.

The organization was going to pay for the ads just like any other entity would. Interestingly, "According to Boyd, the donations came rolling in--after just two hours the group had met its goal." They raised $75,000 through an e-mail campaign in 2 hours!

Billboard Ban

Viacom won't run the ad, but you can view it on the group's website.
Poster:
Ad: Inspections Work. War Won't

Friday, February 14, 2003

Reckless Administration May Reap Disastrous Consequences

Senator Robert Byrd made this excellent speech on the negative consequences of the Bush Administration's actions and policies.

Some gems:

"To contemplate war is to think about the most horrible of human experiences. On this February day, as this nation stands at the brink of battle, every American on some level must be contemplating the horrors of war.

Yet, this Chamber is, for the most part, silent -- ominously, dreadfully silent. There is no debate, no discussion, no attempt to lay out for the nation the pros and cons of this particular war. There is nothing. "

"This Administration, now in power for a little over two years, must be judged on its record. I believe that that record is dismal."

"Calling heads of state pygmies, labeling whole countries as evil, denigrating powerful European allies as irrelevant -- these types of crude insensitivities can do our great nation no good. "

Thursday, February 13, 2003

ABA taking a stand against Bush Administration

A Feb 10 American Bar Association resolution "urges Congress to ensure, through appropriate legislation, regular and timely oversight, and expanded
reporting requirements, that the FISA is used only when the government
has a significant foreign intelligence purpose -- as required by the
USA PATRIOT Act -- and not to circumvent the stricter Fourth Amendment
warrant requirements applicable to ordinary searches and surveillances. "

The ABA also lambasted the Bush Administration for denying so-called "enemy combatants" the right to meet with counsel. The vote was overwhelming, but not unanimous. About 70 or so ABA members voted against this measure.

Excerpt from EPIC Alert 10.03.

Patriot 2: Encryption an aggravating circumstance?

Declan McCullagh asks a good question on the cryptography list:

When encryption is omnipresent in everything from wireless
networks to hard drives to SSH clients, might the basic effect of such a
law [Patriot 2] be to boost potential maximum prison terms by five years?

It is a terrible idea to presume that using encryption is an aggravating circumstance. "Why are you using encryption? You must have something to hide..."

Original SAFE Act:
Leaked new Patriot Act 2 draft:

World's Most Stupid Security Measures

"Human rights watchdog Privacy International has launched a quest to
find the World's Most Stupid Security Measure. "

There were some preliminary examples in discussion on the cryptography mailing list.

E-voting in Washington: say goodbye to election integrity

"The most important question to ask is this:

With respect to this year's all-electronic voting machines, is there any meaningful evidence that the vote you cast was correctly recorded -- that is, evidence that there were no misconfigured systems, accidents, internal fraud, etc.? For almost all of the existing systems (with the exception of one that actually incorporates the Mercuri Mechanism, namely, Avante), the answer is an UNEQUIVOCAL NO. This is an untenable situation if you believe in election integrity, IRRESPECTIVE of your party affiliations."

-- Peter G. Neumann

Electronic voting is very, very dangerous. Don't even get me started on Internet voting. There is only one known product on the marketplace whose makers have done their homework and implemented the correct mechanism for ensuring election integrity that the research community has identified (the Mercuri Mechanism, above).

There are tons of published cases of errors and delays caused by electronic voting as it has been done around the country in practice, including more votes being counted than there were registered voters in the precinct.

Here is one list:
And another:

Washington State is even looking at Internet Voting:

I heard and saw Sam Reed talking about an Electronic Voting pilot in Washington State on the news. Here's a press release:

This is an area that fascinates me because of all of the research that has gone into this area that public officials ignore on the dangers and how to do this correctly. They are often giving way too much credence to vendors that tell them all is safe. I would love to ask the people doing these pilots how they plan to assure voters of the integrity of the election, especially when e-voting machines are often closed-source and cannot be reverse-engineered because the companies claim trade secrets and will probably sic the DMCA on you.

When I get some time, I need to write some letters to representatives in this state. I will include these folks:

Sam Reed, Secretary of State
Dean Logan, Director of Elections
David M. Elliott, Assistant Director of Elections

To find the representatives in your district, check out

In the meantime, there is a petition that you can sign up with:

A ton of big-name researchers and security experts have already signed it.

And two renowned experts in electronic voting:

Rebecca Mercuri, Ph.D. (has been researching this for over a decade). Her position statement:

Peter G. Neumann (moderator of the ACM Risks Forum): and a paper at
His excellent summary of the issue:

Avi Rubin has also written a paper on this topic:

NPR also just ran a segment on the risks of electronic voting during Morning Edition Feb 10, 2003