Friday, May 20, 2005

Anecdotal study of data aggregator quality - Data Aggregators: A Study of Data Quality and Responsiveness

Results of a study conducted by PrivacyActivism show that data aggregators have significant problems with accuracy and responsiveness, potentially serious issues for an industry already under fire for massive security breaches.

100% of the eleven participants in the study discovered errors in background check reports provided by ChoicePoint. The majority of participants found errors in even the most basic biographical information: name, social security number, address and phone number (in 67% of Acxiom reports, 73% of ChoicePoint reports). Moreover, over 40% of participants did not receive their reports from Acxiom -- and the ones who did had to wait an average of three months from the time they requested their information until they received it.

To go along with my other post on data aggregator service efficacy, another set of nails in the coffin. Keep in mind that this is anecdotal. However, there was at least another study that I can't find a reference for that found something like 80% of entries had errors.

Anyhow, more fuel to the fire from real-life experience with ChoicePoint data was the voter roll purging debacle:

The Department of State awarded a $4-million contract to Boca Raton-based Database Technologies Inc. (now ChoicePoint Inc.) to find improperly registered voters in the state's database. Database Technologies cross-checked voter lists with federal and state databases to find illegal voters by matching names, birth dates and other characteristics.

Mistakes were rampant.

Tuesday, May 17, 2005

Washington State Getting Tough on Rampant Spyware Problem

Slashdot | Washington State Outlaws Spyware

the Governor of Washington signs a bill outlawing spyware (bill history) which imposes penalties of $100,000 per violation.

This is a step in the right direction. I am not sure if it will be effective due to jurisdictional and technological issues with tracking, identifying, and prosecuting purveyors of spyware. The anti-spam legislation in the state and federal laws has not exactly dramatically curbed spam. But this clarification of the computer crime statutes is helpful to avoid ambiguity.

Also of interest to me now is that Washington also passed an anti-phishing law.

Monday, May 16, 2005

Identity theft is okay...if done by the state

Ohio Agents Use Woman's Identity in Strip-Bar Sting: Internal Affairs at

This is absolutely unbelievable! Imagine if the state was to damage your reputation or financial status (e.g. FICO score or credit worthiness) due to the unauthorized use of your identity!

Nasal said the ploy was legal because of a change in Ohio's law the previous year aimed at curbing identity theft. The law allows police to use a person's identity within the context of an investigation, he said.

The problem of identity theft is the persistent lack of decent capabilities in the financial industry to reliably authenticate claimed identities. I don't have a perfect solution, but continuing with the status quo of allowing people to just claim an identity (not prove it) and then trying to keep plugging fingers in the dike to keep this information "private" (_identifying_ information that is allowed to be used as _authenticating_ information) rather than implement a real authentication solution is solving the wrong problems. And they wonder why identity theft is increasing in double-digit percentages every year...

A message to ChoicePoint customers: just how helpful is the data you are buying?

The Five Most Shocking Things About the ChoicePoint Debacle - CSO Magazine - May 2005

Maybe it was the fact that this wasn't a hack. Personal information of nearly 145,000 people wasn't stolen from ChoicePoint. In fact, the company sold the information to inadequately vetted bogus businesses--this when the company itself helps other businesses verify cred[entials of employees or others using the data in their databank].

A great point that has been lost in a lot of the reporting. Just how useful is the service they provide when they were spoofed over 50 times by fraudulent users?

These companies always beg the question of which entities are authorized to be their customers to "legitimately" obtain this kind of sensitive data about people? What would stop me from paying to get the data on anyone they had? What criteria would they establish to prevent just anyone from getting at this data? Or, do they not care as long as you have the cash?

ChoicePoint likely would love to keep the focus on how this was just an isolated case where these 50+ users fooled them. But does it even matter that the identities were fraudulent? Would it have been okay if I signed up with my own identity and obtained information on these 145,000 people instead?

RFID Passport security proposal: defeating the purpose?

Schneier on Security: RFID Passport Security

"The solution would require an RFID reader to provide a key or password before it could read data embedded on an RFID passport's chip. It would also encrypt data as it's transmitted from the chip to a reader so that no one could read the data if they intercepted it in transit."

The devil is in the details, but this is a great idea.

I have to agree with some of the posters to Bruce Schneier's blog that this is certainly not a "great idea".

  1. This seems to entirely defeat the purpose of "contactless" passport data reading. If you have to scan the passport physically, it would be more secure to forego RFID entirely and put all of the data in a contact-based reader. This would offer greater privacy protection. Of course, it doesn't have the RFID "bling" so would be entirely rejected by technophiles.

  2. Again, the devil is in the details, but once someone has read your key, they can now access and decrypt your passport data remotely anytime they want. What keeps those keys secure after they have been accessed? Are there going to be passport "skimming" attacks as with magstripe credit cards?

  3. Attackers abroad can still use RFID "presence" to detect which tourists are Americans, even if they could not read the data on the passport. Thus RFID would seem to still increase risk to Americans rather than make us safer. Funny how that works with these newfangled "security" measures being imposed by the government.

Here is a related article on the government caving to privacy advocates. Feds Rethinking RFID Passport

Penguins not on terrorist watch list - Slideshow

The American public can rest easy now that these penguins have been rigorously vetted by the TSA. Someone managing the Terrorist Watch List must have recently seen one of the Batman movies. That was _just a movie_.


Friday, May 13, 2005

IPSec ESP protocol flaw discovered

NISCC Vulnerability Advisory IPSEC - 004033

From what I have read on this, the flaw in ESP only will affect you if you are using ESP for confidentiality protection only (no integrity check in ESP) and are relying on other layers for integrity protection (e.g. AH or the application layer). I would never recommend you configure IPSec in this manner. Confidentiality protection without integrity protection in the same layer is not very useful IMHO. And it can be dangerous, as this flaw indicates.
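To make the point about integrity concrete, here is an added illustration (not part of the original post and not code from the NISCC advisory). It uses a toy HMAC-based stream cipher as a stand-in for the ESP encryption transform, with constructed key, nonce and tag sizes, and compares a receiver that only decrypts with one that verifies a MAC in the same layer before decrypting.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 12, 12  # constructed sizes for this toy packet format

def keystream(key, nonce, n):
    # Toy keystream from HMAC-SHA256 in counter mode; a stand-in, not an ESP transform.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_only(enc_key, plaintext):
    nonce = os.urandom(NONCE_LEN)
    return nonce + xor(plaintext, keystream(enc_key, nonce, len(plaintext)))

def decrypt_only(enc_key, packet):
    nonce, body = packet[:NONCE_LEN], packet[NONCE_LEN:]
    return xor(body, keystream(enc_key, nonce, len(body)))

def seal(enc_key, mac_key, plaintext):
    # Encrypt, then authenticate nonce + ciphertext in the same layer.
    packet = encrypt_only(enc_key, plaintext)
    return packet + hmac.new(mac_key, packet, hashlib.sha256).digest()[:TAG_LEN]

def open_sealed(enc_key, mac_key, packet):
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed; packet dropped before decryption")
    return decrypt_only(enc_key, body)

def corrupt(packet, offset):
    # Simulate one bit changed in transit.
    return packet[:offset] + bytes([packet[offset] ^ 0x01]) + packet[offset + 1:]

if __name__ == "__main__":
    ek, mk = os.urandom(32), os.urandom(32)
    msg = b"constructed payload: transfer 100 to account 7"
    bad = corrupt(encrypt_only(ek, msg), NONCE_LEN)
    print("encrypt-only receiver accepts:", decrypt_only(ek, bad))
    try:
        open_sealed(ek, mk, corrupt(seal(ek, mk, msg), NONCE_LEN))
    except ValueError as err:
        print("sealed receiver:", err)
```

The encrypt-only receiver returns altered plaintext with no error, while the sealed receiver rejects the packet before any decrypted data reaches a higher layer.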

Intel Hyperthreading leads to security bug

Hyper-Threading considered harmful

This is an interesting case where a hardware flaw can be used to subvert software security.

I find it fun to ask vendors who create their own OS and processors for appliances how they ensure things such as memory page protection. I get a lot of blank stares. They often focus entirely on the macro-level security in their software and have spent little to no time addressing the basic hardware and OS-level security issues that are taken for granted by software authors.

Tuesday, May 3, 2005

Spam blocking update

So, like everyone, I get a LOT of spam. Over the past year (May 15 2004 - May 3 2005), I have received and processed a total of 120878 emails.

Here is how the mail I received breaks down:

notspam (ham): 14092 (11.7%)
probably-spam: 76925 (63.6%)
suspected-spam: 29154 (24.1%)

The statistics are somewhat misleading. I switched in August of 2004 to calling all mail marked over a particular spam threshold "probably spam" and suspicious mail as "suspected spam", when before everything was "suspected spam". So, until I do further analysis, the suspected spam pot is a bit fuller than it should be.

What this shows is that only about 12% of my email is legitimate, leaving the other 88% as mostly, well, crap. The legitimate mail will actually be a bit higher because some of the mail that gets quarantined as suspected spam is actually legitimate, but not all of it. I have to look at mail that falls into the suspected spam bucket and retrain bogofilter if the mail is really spam or legitimate (in which case, I set up a new whitelist entry).

The spam solution that I have today works very well. It is a combination of a whitelist along with Bogofilter in tri-mode so that Bogofilter tags mail as either notspam, suspicious, or pretty sure it's spam. A solution with just Bogofilter was still fairly accurate; however, false positives were unacceptable to me. Also, it is a chore to weed out the wheat from the chaff with the volume in spam compared to the very infrequent false positives. So, a whitelist turned out to be a necessary evil to keep known legitimate mail from making it into the spambucket (which, with bogofilter, until you correct the database, can negatively impact every future spam decision).

Bogofilter relies on a 72 megabyte database of spam tokens, generated from hundreds of thousands of spam messages that I have kept since 1997 (about every single spam I have ever received from every mail account I've had).

False negatives used to be a problem until I got my bogofilter database properly tuned and caught many classification errors that were made that I had missed that were throwing off the classifications. My Bogofilter database is now 72 megabytes and works a lot better than the old 17 megabyte list from long ago. All in all, it is a great solution.

Another governmental PDF "redaction" blunder

The Washington Monthly

here's a question: do you think the Italian computer whizzes will be any more competent than their American counterparts when they release their report? The U.S. report is full of redactions, as you can see in the picture above, but once again an American agency has used the searchable PDF format to distribute a report, and all you have to do is save the report as a text file in order to recover all the redacted parts.

The curious Will of God

Pat Robertson's contradictory theology: God won ... [Media Matters for America]

So, God doesn't control the natural world around us--that just works on its own volition, according to Pat Robertson. But, "in terms of human affairs, I do think he answers prayer". Specifically, Pat was saying that those evangelicals who are praying for bigoted, religious zealots to be placed in the supreme court could have their prayers answered and a Godly intervention, but in cases, such as the Tsunami, where God could have protected tens of thousands of human lives, God won't get involved. Apparently human life is not a "human affair"?

God doesn't "change the magma" or "wind currents" but he does change human minds on issues regarding the selection of US supreme court justices. Talk about a micro-manager...

Sunday, May 1, 2005

Car Crunch History

So, within the past week, my brand new car got crunched in a parking lot while I was attending a security conference. Here are some photos:

I really did park straight...


In the distance, you can see the semi that did the damage

After the car was moved back into the spot. You can see the skid marks showing that the car was moved at least two feet.

What happened was that the truck driver (53 foot semi) had tried to take a tight right turn and the back left corner of the truck swung wide and clipped my trunk, hitting first the left tail light and continuing across, pushing the car two feet into the car in the next stall. The driver didn't even know he had hit the car. The double skidmarks from the trailer showed that he had also gone up on the curb in the parking lot right after the trailer hit my car.

The body shop guys keep saying that the car is a novelty. Nobody has seen a trunk get destroyed so thoroughly without severe rear-end body damage. The trunk lid took the brunt of the damage.

My sister pointed out that every car I've owned has been hit by someone. The sordid history:

  • 1984 Nissan Sentra: Hit & run in school parking lot the first day I drove it to high school
  • 1988 Honda Accord Coupe: Hit & run in Redmond Town Center parking garage while at work.
  • 1994 Toyota Pickup: Rear-ended while at a metered ramp on I-405. The other guy's car was crunched. The truck had a great bumper and didn't suffer any damage, fortunately.
  • 2004 Infiniti: Hit and dragged two feet by a 53 foot Serta mattress truck


My brother-in-law found a Serta Sheep #86 that arrived on my doorstep unexpectedly yesterday. This is hilarious! A quote from the fictional sheep:

"Of course Serta is bad...very bad...maybe the most evil force in the whole universe."

"In the spirit of all that is fair and just, have pity on me."

For the record, I have no issues with the driver or Serta. I just think it's a funny story. I haven't been too inconvenienced. Thanks for insurance!

Funniest error message - Read The F***ing Manual Reference Library

If you go directly to this link, you will be presented with a hilarious error message, complete with apropos image. I got a kick out of this.