Monday, August 29, 2005

A message from The church of the Flying Spaghetti Monster


My new greeting will have to be: "May you be forever touched by His Noodly Appendage"

Since a judge in Washington today ruled that it is okay to post the Ten Commandments on government property in some cases without posing a "threat to the religious freedoms of the citizens", this would be a great time to get some of the Flying Spaghetti Monster commandments on public land. Fair is fair, right?

One of my new favorite words is Pastafarian

Friday, August 19, 2005

Security reading list

A book that I am reading right now:

Between Silk and Cyanide: a true story of cryptography in the field during WWII.

A free 900 page eBook from Microsoft Press: Improving Web Application Security: Threats and Countermeasures

You may want to just buy a paper copy since it weighs in at 3-4 inches of paper (I have a copy of the "real" book and it's big).

Another book that sounds interesting:

Secrets of Computer Espionage: Tactics and Countermeasures

"Covers electronic and wireless eavesdropping, computer surveillance, intelligence gathering, password cracking, keylogging, data duplication, black bag computer spy jobs, reconnaissance, risk assessment, legal issues, and advanced spying techniques used by the government.

Author shares easily-implemented countermeasures against spying to detect and defeat eavesdroppers and other hostile individuals.

Addresses legal issues, including the U.S. Patriot Act, legal spying in the workplace, and computer fraud crimes."

Security books to check out

Secrets of Computer Espionage: Tactics and Countermeasures

by Joel McNamara

Covers electronic and wireless eavesdropping, computer surveillance,
intelligence gathering, password cracking, keylogging, data duplication,
black bag computer spy jobs, reconnaissance, risk assessment, legal
issues, and advanced spying techniques used by the government.

Author shares easily-implemented countermeasures against spying to
detect and defeat eavesdroppers and other hostile individuals.

Addresses legal issues, including the U.S. Patriot Act, legal spying in
the workplace, and computer fraud crimes.

ISBN 0-7645-3710-5
384 Pages
June 2003

RSS feed for traffic conditions data and maps

The technical details of how to find your local traffic feed are at

It's pretty easy to set up your own URL. Here's one for Seattle that I'll have to put on my blog somewhere...

New Research: Cats can't taste sweets

Very interesting.

Genetic flaw leaves felines without sweet tooth

Now, there's a scientific theory explaining, at least in part, why cats have such snobby eating habits: genetics.

Researchers at the Monell Chemical Senses Center in Philadelphia and their collaborators said Sunday they found a dysfunctional feline gene that probably prevents cats from tasting sweets, a sensation nearly every other mammal on the planet experiences to varying degrees.

Geocentrist Challenge

Catholic Apologetics International is challenging people to provide proof that the earth revolves around the sun.

CAI will write a check for $1,000 to the first person who can prove that the earth revolves around the sun. (If you lose, then we ask that you make a donation to the apostolate of CAI). Obviously, we at CAI don't think anyone CAN prove it, and thus we can offer such a generous reward. In fact, we may up the ante in the near future.

Why are they doing this, well one reason:

if it can be proven that, after the Church clung so tenaciously to the view that the sun revolves around the earth, but that now the Church finally has to admit she was wrong about one of its more authoritative teachings in the seventeenth century, this does not bode well for convincing modern man to abide by the Church's official teaching on ANY issue.

Evidence of the expanding US totalitarian state

From John Gilmore to the cryptography list:

> one that is all too relevant today. The pertinent question is no longer
> whether Americans spied, but rather how highly educated, intelligent men
> and women failed to comprehend the true nature of Stalinist communism, and
> why they were willing to risk their lives and imperil the security of their
> families, neighbors and friends to commit crimes on behalf of a foreign
> power opposed to the basic tenets of modern society.

This was a good observation, but the next sentence muddled it with
typical American self-blindness.

> Answers to similar
> questions, regarding educated Muslims with experience of life in Europe and
> the U.S. like those who led the 9-11 and Madrid attacks, are essential to
> constructing a defense against 21st century terrorism.

I want the same answer about how not just the Washington elite, but
even army kids from Iowa, fail to comprehend WHY we prohibit torture,
provide fair trials and legal representation, due process of law, and
why we have a constitution or civil rights at all. Do they not
comprehend the true nature of a United States with arbitrary searches,
travel papers, pervasive surveillance, no effective Leg. or
Jud. checks on arbitrary executive power, no federalism checks on
unlimited federal power, indefinite imprisonment of US citizens at the
will of the President, indefinite imprisonment without trial of
non-citizens seized by force anywhere in the world, and wars of
occupation? It's called an expanding totalitarian state, kiddies, and
every totalitarian state tells its citizens how they are the freest
country in the world. Get out and compare for yourself!

Then tell me what the "basic tenets of modern society" are.

John Gilmore (posting from Greece)

PS: Add in a lapdog press too. Try reading the foreign press on the web.
They actually ask hard questions of pols and slam them for evading. And
all their sources aren't anonymous "highly placed govt officials".

And to go along with this, Perry Metzger had a very well put posting on why we shouldn't blindly trust governments:

[email protected] writes:
> But nevertheless, I do not understand why americans are so afraid of
> an ID card.

Perhaps I can explain why I am.

I do not trust governments. I've inherited this perspective. My
grandfather sent his children abroad from Speyer in Germany just after
the ascension of Adolf Hitler in the early 1930s -- his neighbors
thought he was crazy, but few of them survived the coming events. My
father was sent to Alsace, but he stayed too long in France and ended
up being stuck there after the occupation. If it were not for forged
papers, he would have died. (He had a most amusing story of working as
an electrician rewiring a hotel used as office space by the Gestapo in
Strasbourg -- his forged papers were apparently good enough that no
one noticed.) Ultimately, he and other members of the family escaped
France by "illegally" crossing the border into Switzerland. (I put
"illegally" in quotes because I don't believe one has any moral
obligation to obey a "law" like that, especially since it would leave
you dead if you obeyed.)

Anyway, if the governments of the time had actually had access to
modern anti-forgery techniques, I might never have been born.

To you, ID cards are a nice way to keep things orderly. To me, they
are a potential death sentence.

Most Europeans seem to see government as the friendly, nice set of
people who keep the trains running on time and who watch out for your
interests. A surprisingly large fraction of Americans are people or
the descendants of people who experienced the institution of
government as the thing that tortured their friends to death, or
gassed them, or stole all their money and nearly starved them to
death, etc. Hundreds of millions of people died at the hands of their
own governments in the 20th century, and many of the people that
escaped from such horrors moved here. They view things like ID cards
and mandatory registry of residence with the local police as the way
that the government rounded up their friends and relatives so they
could be killed.

I do not wish to argue about which view is correct. Perhaps I am wrong
and Government really is the large friendly group of people that are
there to help you. Perhaps the cost/benefit analysis of ID cards and
such makes us look silly. I'm not addressing the question of whether
my view is right here -- I'm just trying to explain the psychological
mindset that would make someone think ID cards are a very bad idea.

So, the next time one of your friends in Germany asks why the crazy
Americans think ID cards and such are a bad thing, remember my father,
and remember all the people like him who fled to the US over the last
couple hundred years and who left children that still remember such
things, whether from China or North Korea or Germany or Spain or
Russia or Yugoslavia or Chile or lots of other places.


Whose fault is ID theft and financial fraud? Ask your bank.

Repeat after me: Identifiers are not Authenticators.

  • SSN: Identifies you, does not prove your identity. This is a claimed identity on its own.
  • Credit/debit Card Number: Identifies your credit card account, does not prove your identity. Possession or presentment does not prove that the presenter of this information is authorized to make use of it. But that doesn't stop the financial industry from using it as the payment authenticator...
  • ACH/Bank account and routing numbers: Identifies your bank account (along with the type, checking or savings). Again, possession or presentment does not prove that the presenter of this information is authorized to make use of it. Realize that you give this out to everyone and anyone if you send out checks since all the information to transfer money in or out of your account is right there on the check.
  • ITIN: From the IRS website:

    Are ITINs valid for identification?
    No. ITINs are not valid identification outside the tax system. Since ITINs are strictly for tax processing, IRS does not apply the same standards as agencies that provide genuine identity certification.
    ITIN applicants are not required to apply in person, and IRS does not further validate the authenticity of identity documents. ITINs do not prove identity outside the tax system, and should not be offered or accepted as identification for non-tax purposes.

So, because of this mess, you need to know how to protect yourself. Know your rights about bank account fraud.

Perry Metzger's recent posting to the cryptography mailing list about the problems of financial fraud was spot on:

John Denker writes:
> My point here is that knowing who I am shouldn't be a
> crime, nor should it contribute to enabling any crime.
> Suppose you know who I am. Suppose you know my date of
> birth, social security number, and great-great-grandmother's
> maiden name. As Spike said, so what?

I tend to agree. It is equally ridiculous to use a credit card account
number as the "secret" to authorize a transaction, since that "secret"
has to be given out several times a day.

> It's only a problem if somebody uses that _identifying_
> information to spoof the _authorization_ for some
> transaction.


> And that is precisely where the problem lies. Any
> system that lets _identification_ serve as _authorization_
> is so incredibly broken that it is hard to even discuss
> it. I don't know whether to laugh or cry.

Again, yes.

However, I would like to make one small subtle point. In fact, what
you are complaining about is not the use of identification for
authorization -- that is a totally separate and equally sad discussion
-- but the use of widely known pieces of information about
someone to identify them. The issue is that the bank pretends only you
would know your mother's maiden name, not that the bank would only let
you withdraw funds. A piece of information that is not widely known
but which can be used to establish your identity -- such as a private
key only you should know -- is probably fine.

So, rephrasing, the problem is not that secret information isn't a
fine way to establish trust -- it is the pretense that SSNs, your
mom's birth name or even credit card numbers can be kept secret.

> Identifying information cannot be kept secret.

I'd amend that to "things like your name, your SSN or your account
numbers cannot be kept secret..."

> There's no point in trying to keep it secret. Getting a new SSN
> because the old one is no longer secret is like bleeding with
> leeches to cure scurvy ... it's completely the wrong approach. The
> only thing that makes any sense is to make sure that all relevant
> systems recognize the difference between identification and
> authorization.

I have to agree yet again (with my caveats about the terminology you
are using).

This is yet more reason why I propose that you authorize transactions
with public keys and not with the use of identity information. The
identity information is widely available and passes through too many
hands to be considered "secret" in any way, but a key on a token never
will pass through anyone's hands under ordinary circumstances.
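As an added example (not code from this post or from Perry Metzger), the following Go program contrasts the two schemes discussed above: the list of identifiers that get misused as authenticators, and Metzger's proposal to authorize transactions with a key held on a token. It assumes Ed25519 signatures from Go's standard library in place of the unspecified public-key scheme; the account names, card numbers, payees and amounts are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Transaction is what a bank is asked to authorize. Account is an identifier
// (it says whose money moves); nothing in this struct is secret.
type Transaction struct {
	Account string
	Payee   string
	Cents   uint64
	Nonce   [16]byte // bank-issued challenge, so each authorization is single-use
}

// encode serializes a Transaction unambiguously (length-prefixed strings) so
// that a signature covers exactly these fields and nothing else.
func (t Transaction) encode() []byte {
	var out []byte
	for _, s := range []string{t.Account, t.Payee} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(s)))
		out = append(out, n[:]...)
		out = append(out, s...)
	}
	var c [8]byte
	binary.BigEndian.PutUint64(c[:], t.Cents)
	out = append(out, c[:]...)
	return append(out, t.Nonce[:]...)
}

// LegacyBank models the "card number is the secret" scheme the post objects
// to: the account identifier on file doubles as the authenticator.
type LegacyBank struct{ numbers map[string]string }

func NewLegacyBank() *LegacyBank { return &LegacyBank{numbers: map[string]string{}} }

func (b *LegacyBank) Enroll(account, cardNumber string) { b.numbers[account] = cardNumber }

// Authorize passes for anyone who has ever seen the number: a merchant, a
// waiter, a breached database, or whoever read it off a discarded receipt.
func (b *LegacyBank) Authorize(account, presented string) bool {
	return b.numbers[account] == presented
}

// KeyBank stores only public keys. The private key lives on the customer's
// token and is never presented, so nothing replayable passes through hands.
type KeyBank struct {
	pubkeys    map[string]ed25519.PublicKey
	challenges map[[16]byte]bool // outstanding nonces not yet consumed
}

func NewKeyBank() *KeyBank {
	return &KeyBank{pubkeys: map[string]ed25519.PublicKey{}, challenges: map[[16]byte]bool{}}
}

func (b *KeyBank) Enroll(account string, pub ed25519.PublicKey) { b.pubkeys[account] = pub }

// Challenge hands the customer a fresh nonce to bind into the next transaction.
func (b *KeyBank) Challenge() [16]byte {
	var n [16]byte
	if _, err := rand.Read(n[:]); err != nil {
		panic(err) // no usable randomness: refuse rather than risk reusing a nonce
	}
	b.challenges[n] = true
	return n
}

// Authorize accepts a transaction only with a valid signature from the key
// enrolled for that account over exactly these fields, and only once per nonce.
func (b *KeyBank) Authorize(t Transaction, sig []byte) bool {
	if !b.challenges[t.Nonce] {
		return false // unknown nonce, or one already spent (replay)
	}
	pub, ok := b.pubkeys[t.Account]
	if !ok || !ed25519.Verify(pub, t.encode(), sig) {
		return false // no enrolled key, or signature does not cover these fields
	}
	delete(b.challenges, t.Nonce)
	return true
}

// Token is the customer's key holder: the private key is generated inside it
// and never returned; only signatures leave.
type Token struct{ priv ed25519.PrivateKey }

func NewToken() (*Token, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Token{priv: priv}, pub
}

func (tk *Token) Sign(t Transaction) []byte { return ed25519.Sign(tk.priv, t.encode()) }

func main() {
	legacy := NewLegacyBank()
	legacy.Enroll("alice", "4111 1111 1111 1111") // constructed sample number
	fmt.Println("legacy, number as seen by any merchant:", legacy.Authorize("alice", "4111 1111 1111 1111"))

	bank := NewKeyBank()
	token, pub := NewToken()
	bank.Enroll("alice", pub)
	tx := Transaction{Account: "alice", Payee: "bob", Cents: 1999, Nonce: bank.Challenge()}
	sig := token.Sign(tx)
	fmt.Println("key-based, signed by the token:", bank.Authorize(tx, sig))
	fmt.Println("key-based, same signature replayed:", bank.Authorize(tx, sig))
	forged := Transaction{Account: "alice", Payee: "mallory", Cents: 1999, Nonce: bank.Challenge()}
	fmt.Println("key-based, captured signature on another payee:", bank.Authorize(forged, sig))
}
```

The legacy check passes for whoever presents the number on file, which is exactly the property being criticised: the "secret" has to be handed to every merchant. In the key-based scheme the bank holds only public keys, the signature covers the payee, the amount and a bank-issued nonce, and each nonce is consumed on use, so a captured authorization can neither be replayed nor re-pointed at a different payee, and an attacker who knows every identifier about the customer still cannot produce one.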


Several stories that prove the world is going crazy

First out of the gate:

Fedex sued a loyal customer for posting photos of furniture he made for himself out of Fedex boxes on the web. Get this, they used arguments to try to scare him. Welcome to the doghouse FedEx. You've got great company, such as Cisco and Oracle.

Some highlights:

  • They tried to use the DMCA in their claims, but what they were complaining about were trademark issues. Copyright law does not cover trademarks. Next!
  • They tried to make some claim that he was violating the terms of service in his use of the boxes.
  • They tried to claim that he was obviously posting the photos for personal financial gain. Get this: because he posted them to a .com website instead of a .net. Good thing I'm on a .net so they can't sue me!

Furniture Causes FedEx Fits

Also in the WTF files. A Doonesbury strip was recently pulled for using a real, albeit crude, nickname for Karl Rove. The papers claimed it was "in bad taste".

Some pull 'Doonesbury' over Rove moniker

The strip itself:

Next on the list. Jason Coombs had a great rant on Bugtraq about computer forensics professionals who are testifying against defendants who may well have a legitimate defense, the "trojan ate my homework" defense. He takes issue with claims that a forensics investigation could reasonably ascertain whether a past action was performed by a human or by a trojan horse or other malware:

The fact that malware authors aren't cooperating with the computer forensics industry by making sure that it's easy to distinguish between the actions of malware and the actions of a human computer user, combined with uninformed expert opinions like those shown below, is resulting in innocent people being put behind bars, and people like Marcus Lawson who think they know what they're doing but clearly do not are helping to get innocent people convicted by spewing nonsense.

This undermines the ability of the criminal court system to convict those who are truly guilty, and keep them convicted on appeal.

And finally: how many laws do you have to break to get fired from the Department of Homeland Security? Since this ran, we now know that the DHS has deleted the data it illegally obtained from data miners. So now Americans have no way of knowing whether the TSA used data about them illegally. A group from Alaska is suing the government now.

Using threat modeling featured in new OWASP WAPT

This will be something to look forward to. I have not seen much of the theory of threat modeling end-to-end put into practice effectively or completely. And much of what I have seen of threat modeling really should be baked into the SDLC process and something that project teams do as part of normal development efforts (why are security people doing separate data flow diagrams, for example?).

From Threatsandcountermeasures:

The next release of the OWASP Web Application Penetration Test (WAPT) guide will include a section on using threat modelling effectively

Threat Modelling and security testing

ZDNet's "apology" to Google

Gotta love brit humor! This is great tongue-in-cheek commentary at its best.

The background: ZDNet UK published details about Google's CEO using public information found on...Google (aka Google hacking). Google wasn't happy about this, so they banned Google employees from speaking to its reporters for a year. Absurd!

But, fortunately, ZDNet UK has apologized for the whole matter, although it is covered with loads o' sweet syrupy sarcasm.

ZDNET.UK's "apology" to Google

Clearly, there is no place in modern reporting for this kind of unregulated,
unprotected access to readily available facts, let alone in capriciously
using them to illustrate areas of concern. We apologise unreservedly, and
will cooperate fully in helping Google change people's perceptions of its
role just as soon as it feels capable of communicating to us how it wishes
that role to be seen.

$25, and a bit more green for an X.509 certificate

That sounds like quite a deal actually. Verisign still charges an exorbitant amount of money for bits that do the same thing.


From Peter Gutmann to the cryptography mailing list
Subject: How much for a DoD X.509 certificate?

$25 and a bit of marijuana, apparently. See:

Although the story doesn't mention this, the "ID" in question was the
DoD Common Access Card, a smart card containing a DoD-issued
certificate. To get a CAC, you normally have to provide two forms of
verification... in this case I guess the two were photo ID of dead
presidents and empirical proof that you know how to buy weed.

The cards were issued by Yusuf Khalil Jackson, a man with a long
criminal history (including, ironically, identity fraud):

John Pike, Global "The notion that we're going to let
somebody with this type of criminal record, with no background check
on him
and give him the ID card machine defies understanding."

Jackson admitted to making about 30 of the ID cards:

John Pike: "The good news is that it looks like some of these people
just doing it so they could go to a bar and claim to be over 21. The
news is that you don't know what else some of these other people might

One of the cards was later "seized from a Pakistani national" by the

Bowens: "That's the nightmare of it. The cards themselves are not
counterfeit. They're authentically made but they've been issued in an
unauthorized manner for profit or ideology or a little of both."

This sort of thing doesn't bode well for Real ID either. These cards
were real ID too.


Homeland security: getting smarter or staying stupid?

Getting smarter:

Chertoff is a good guy. When I heard this NPR interview I remember thinking, holy crap, someone who gets it. Security is about tradeoffs: with limited resources, you make the most cost-effective and rational decisions based on risk and threat analysis.

TSA may move to allow knives and similar items back on aircraft.
Threats Reassessed To Make Travel Easier for Public

The rule requiring passengers to stay seated for the first and last 30 minutes of a flight is also going away, due to reasoned analysis:[email protected]/msg01084.html

Staying stupid:

(proposing requiring passports to enter the US from Canada)[email protected]/msg01280.html

Looks like getting smarter may finally win out.

Favorite words that probably aren't words




To go along with other new entries in the Oxford English Dictionary

You can have lots of fun at Unwords