Wednesday, April 20, 2005

Appropriate, yet unfortunate, commentary on the times we live in

Daily Howler: Coulter makes "errors" like other scribes breathe. But store-bought John Cloud couldn't find them

BERNSTEIN WATCHES THINGS FALL APART: Congratulations to Carl Bernstein, perhaps our frankest press bigfoot. On last evening's Special Report, Jim Angle cited a recent speech by the Watergate worthy:

ANGLE (4/19/05): Former Washington Post reporter Carl Bernstein, who helped break the Watergate story, says journalism nowadays is squandering the public's trust, insisting the, quote, "triumph of the idiot culture in news, particularly TV news, has weakened journalist drive for the truth."

At a press convention in Kansas, Bernstein said, quote, "The consequences to a society that is misinformed and disinformed by the grotesque values of this idiot culture are truly perilous. For the first time in our history," he went on, "the weird, the stupid, the coarse, the sensational and the untrue are becoming our cultural norm, even our cultural ideal."

Thursday, April 14, 2005

Reverse Surveillance

Wired News: Surveillance Works Both Ways

At this year's Computers, Freedom and Privacy conference in Seattle, Steve Mann enlisted volunteers to film those who were filming them in local Seattle businesses. They got varied responses. I think this would be really useful in airports to monitor what the TSA does, but I bet they would not be so happy about that.


"The totalitarian regime is the regime that would like to know everything about everyone but reveal nothing about itself"

"What I argue is that if I'm going to be held accountable for my actions that I should be allowed to record ... my actions," Mann said. "Especially if somebody else is keeping a record of my actions."


Monday, April 11, 2005

Getting to the root of ID theft problems

There is an article on the causes of ID theft that has a great summary of the fundamental factors behind ID theft by entities entrusted with your private data: "They can't steal data you don't have".


We have observed that some of the sensitive data that gets stolen fits into one of several categories:


  • Data that was never needed

  • Data that was needed but should never have been stored

  • Data that was originally needed but was kept far beyond its useful life

  • Data that should never have been stored in an unencrypted form



At some point, the question "Did you consider not having this data" is going to become a standard part of lawsuits. If you're an IT manager, are you planning for that day?


I had actually included these questions in a decision tree for my corporate privacy strategy. Most people go straight to "encrypt the sensitive data" and don't step back to ask these more fundamental, "behavioural" questions, which are often a) more effective at solving or eliminating the problems and b) have fewer drawbacks than simply "encrypt everything everywhere, but still store it".

I've seen the "encrypt everything everywhere" mantra effectively require "copies of encryption keys everywhere", which gives your corporation a false sense of security. "The data's encrypted", the executives say. However, if you cannot implement secure key management (you have to know that you need to do this, then have the knowledge to design a solution that is effective and manageable, then be able to implement it across diverse groups who don't all understand cryptography...), then you effectively have the keys to decrypt the data sitting right next to each of your excessive, unnecessary encrypted copies of that sensitive data.

Beware the buzzword-compliant solution!
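The decision tree described above, written out as an added example (not code from the original post): it audits a constructed data inventory, preferring elimination and retention limits over encryption, and flags encryption whose key sits next to the ciphertext. Store names, fields and the one-year retention window are hypothetical.

```python
# Added example: the "did you consider not having this data?" decision tree
# applied to a constructed inventory. Eliminating data beats encrypting it,
# and a key stored beside its ciphertext is treated as no protection at all.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class DataStore:
    name: str                   # system or file holding the sensitive field
    field: str                  # the sensitive element (SSN, card number, ...)
    needed: bool                # is there any business purpose for it at all?
    must_persist: bool          # if needed, must it be stored rather than used and dropped?
    last_used: date             # when it last served that purpose
    encrypted: bool = False
    key_location: Optional[str] = None   # where the decryption key lives, if encrypted


def audit(store: DataStore, today: date, retention: timedelta) -> List[str]:
    """Return findings in priority order: the 'behavioural' fixes come first."""
    if not store.needed:
        return ["never needed: stop collecting it and delete it"]
    if not store.must_persist:
        return ["needed but should not be stored: use it and discard it"]
    findings = []
    if today - store.last_used > retention:
        findings.append("kept beyond its useful life: purge it")
    if not store.encrypted:
        findings.append("stored unencrypted: encrypt it at rest")
    elif store.key_location == store.name:
        findings.append("key stored next to the ciphertext: encryption is illusory")
    return findings


# Constructed sample inventory (hypothetical systems, not real ones).
INVENTORY = [
    DataStore("marketing-db", "ssn", needed=False, must_persist=False, last_used=date(2005, 3, 1)),
    DataStore("checkout-log", "card_number", needed=True, must_persist=False, last_used=date(2005, 4, 1)),
    DataStore("alumni-laptop", "ssn", needed=True, must_persist=True, last_used=date(2001, 6, 1)),
    DataStore("patient-archive", "ssn", needed=True, must_persist=True, last_used=date(2005, 3, 1),
              encrypted=True, key_location="patient-archive"),
]


def audit_inventory(today: date = date(2005, 4, 11), retention: timedelta = timedelta(days=365)) -> dict:
    """Map each store name to its findings; an empty list means no action needed."""
    return {s.name: audit(s, today, retention) for s in INVENTORY}
```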

Friday, April 8, 2005

Loose lips when reporting privacy breaches

Computer theft may expose data on 180,000 patients - Computerworld


APRIL 08, 2005 (COMPUTERWORLD) - A San Jose-based medical practice has notified about 180,000 current and former patients about the theft of their personal information contained on two computers stolen from its offices during a burglary March 28.


And recall the other recent privacy breach due to a lost laptop:

Stolen UC Berkeley laptop exposes personal data of nearly 100,000


By MICHAEL LIEDTKE, AP Business Writer
Tuesday, March 29, 2005

A thief recently walked into a University of California, Berkeley office and swiped a computer laptop containing personal information about nearly 100,000 alumni, graduate students and past applicants, highlighting a continued lack of security that has increased society's vulnerability to identity theft.


Now, some have pointed out that California's SB 1386, which required these organizations to disclose their privacy breaches, has the unintended consequence of notifying the thieves of these laptops that the information on them may be worth far more than the laptops themselves, which is probably not the primary goal of most laptop thieves. However, I actually think that in these two cases the organizations erred in disclosing too much detail about how the breach happened.

Nothing I read in SB 1386 says that you have to say exactly HOW the breach happened. The requirement in the law is simply that you must "notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person", where "'breach of the security of the system' means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business."

So, the law requires that you notify the affected parties that

a) there was a breach, or
b) you have reason to believe that the affected party's personal information was disclosed

IANAL, but do yourself a favor and be sparing with the details of your next breach.

Thursday, April 7, 2005

Defeating fingerprint readers...by force

Carjackers swipe biometric Merc, plus owner's finger | The Register


Carjackers swipe biometric Merc, plus owner's finger
By John Lettice
Published Monday 4th April 2005 13:52 GMT

A Malaysian businessman has lost a finger to car thieves impatient to get around his Mercedes' fingerprint security system. Accountant K Kumaran, the BBC reports, had at first been forced to start the S-class Merc, but when the carjackers wanted to start it again without having him along, they chopped off the end of his index finger with a machete.


Okay, I knew this would happen someday, and this is evidence that it finally has. Biometrics ("something you are") should only be used as a convenient _IDENTIFICATION_ mechanism: a necessary, but not sufficient, condition for _AUTHENTICATION_ of users. This is why multi-factor authentication is still important with biometrics: couple the "something you are" with "something you know" or "something you have".

Additionally, you should be wary of biometric hardware that can often be trivially fooled or, as in this case, is unable to tell the difference between "live" and "dead" (or otherwise not-live) biometric data. Otherwise, you could be risking more than your security: the well-being and safety of your users.

Tuesday, April 5, 2005

Big brother may be watching your WLAN

The Feds can own your WLAN too : TomsNetworking :

There is also a Slashdot discussion of this technique, which essentially cracks WEP implementations that are vulnerable to weak keys and uses some nice "features" of some APs to get the AP to send out additional encrypted packets, speeding up the attack. They can crack WEP in minutes. Pretty interesting...



Friday, April 1, 2005

"Terri's Law" Unconstitutional

At least there is some good and rationality left in the world. This is great.

Daily Kos :: Political Analysis and other daily rants on the state of the nation.


the legislative and executive branches of our government have acted in a manner demonstrably at odds with our Founding Fathers' blueprint for the governance of a free people - our Constitution. Since I have sworn, as have they, to uphold and defend that Covenant, I must respectfully concur in the denial of the request for rehearing en banc.




Making fun of Schiavo "protestors"

This is priceless. Click on the link and look at the pictures where someone mingled with the crowd, holding a sign saying "We are idiots" for the media to see.

kill_terri: Fun at the expense of nutbag Christians