Monthly Archives: May 2006

8.9% Identity Loss

Adam Shostack adds up the latest threat government has provided for us:

8.9% of Americans are at increased risk for ID theft due to that fellow at the veterans administration. Wow. Sure, the 13% at risk for account take-over from Cardsystems was bad, but that was just credit cards. This is about the databases that control our lives. This is horrendous. Maybe we’ll get some better laws about credit freezes out of it.

8.9%, Adam Shostack, Emergent Chaos, 26 May 2006.

This is a pretty good illustration of why depending on social security numbers for authentication is a bad idea. It’s also a pretty good example of why government can be the biggest security threat: it has greater scale and resources than most other entities. And a pretty good example of how the most rudimentary security would have provided sufficient resilience to prevent such a theft. Simple prevention measures are often the best risk management.


K-12 Social Networking

In a previous post, I mentioned that government sometimes seems the biggest security threat. This is partly because government often doesn’t consider the consequences of what it does. Here’s an interesting example of unintended consequences: the No Child Left Behind Act producing an incentive for K-12 social network sites.
The exchange of information among the key K–12 decisionmakers — parents, teachers, principals, superintendents, and elected school officials — is a huge challenge today. Quality information and communications are becoming more valuable as options increase for parents and accountability increases for teachers, schools, districts, and states. The Internet gives people access to nearly infinite content and information, but with all the additional information and choices, there are more decisions to make for Web browsers and users. Logistical help is needed for reaching people who can be reference points and explanation givers. Being Internet savvy alone will not suffice. The convergence of NCLB realities with the Internet’s ever expanding capabilities offers a window of opportunity to build a social network website service that is suited for K–12.

K–12 encounters the Internet, by Paul DiPerna, First Monday, volume 11, number 5 (May 2006).

Many K-12 schools already have floating technical advisors, usually one of their own teachers who is technically savvy and goes around advising the others. This article seems to be proposing the next step: interconnecting such people and their information across school systems.


Good Intentions Still Need Monitoring

Sometimes it does seem that governments can be the biggest security threat:
The bill aims to speed up the process by which redundant laws are changed and allows them to be amended on ministers’ orders, without parliamentary scrutiny.

The Commons Regulatory Reform Committee said it was “the most constitutionally significant bill” for some years.

“[The bill] provides ministers with a wide and general power that could be used to repeal amend or replace almost any primary legislation”
Andrew Miller MP

It is pressing for the power to monitor all laws amended by ministers, so it can veto any it decides need further parliamentary intervention.

The committee also wants certain laws protected from the changes.

Red tape law ‘must not be abused’, BBC, 6 February 2006

In the U.S. we supposedly have such protections, written into the Constitution and its amendments.

Economics of Net Neutrality

Here’s an article about a report that purports to provide an economic analysis of the benefits of not enforcing net neutrality in the United States:
The debate over the long-term effects of eliminating net neutrality is distinctly emotional. On the one hand, supporters of net neutrality argue that abandoning neutrality would mean the end of the free Internet society. They argue that large broadband access providers in conjunction with a few powerful content providers could use commercial and technological power to dictate the portfolio of content that end users – including consumers and businesses – could access on the Internet, how suppliers could do business over the Internet, and how much they pay for access.

On the other hand, those opposed to making net neutrality part of telecom law counter that the levels of investment required to deploy infrastructure that can cope with bandwidth-hungry applications can be supported only if operators are able to charge for delivery of those services. They also contend that any law enshrining net neutrality would be inappropriate, as government cannot predict how the economy might evolve, and that any restrictive law could have unintended consequences (as in stifling broadband development of broadband applications).

Net Neutrality Dollars and Sense, Simon Sherrington, Analyst, Light Reading, 1 May 2006

OK, I’m always suspicious of any “analysis” that tars one side as being “emotional” while characterizing the other side as rationally “figuring”.

Their Capers’ Public Fields

I always say that one thing I learned from writing books is that no matter how you write something, somebody will find a different way to interpret it. Spire Security Viewpoint read my Their Capers’ Social Fields as a plea to keep social security numbers more confidential. I wrote it using social security numbers as an example of how any widely used identity key won’t ever be kept confidential, so using such a common key is a bad idea.

Anyway, SSV has an interesting comment:

We need to turn this argument on its head and make all SSNs public record. Then, we can work towards a real solution that can protect the individual.
Yes, good idea. If SSNs were public, it would be so obvious that they’re horrible keys to use for security that maybe organizations would stop doing so.
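The point in this post and in the earlier one is a design distinction: an identifier that selects a record is not proof that the caller owns that record. The following is an added example, not code from the blog or from Spire Security: it contrasts a toy account store that accepts the SSN as proof of identity with one that uses the SSN only as a lookup key and authenticates with a separate, per-account secret that can be rotated after a breach. The class names, the placeholder SSN and all records are constructed for the example.

```python
"""Added example: why a widely shared identifier (an SSN) must not double
as the authenticator. Names, records and the SSN value are constructed."""
import hashlib
import hmac
import os

# PBKDF2-HMAC is in the standard library; the iteration count is kept
# modest so the demo runs quickly, production settings would be higher.
PBKDF2_ROUNDS = 50_000


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted, stretched hash of a per-account secret."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


class SsnAuthenticatedStore:
    """Weak design: the SSN is both the identifier and the proof of identity.
    Once the SSN is public (or leaked by any one of the thousands of
    organisations that hold it) every record is open, and nothing can be
    rotated because the SSN is the same everywhere."""

    def __init__(self):
        self._records = {}

    def add(self, ssn, record):
        self._records[ssn] = record

    def fetch(self, ssn):
        # Anyone who knows the SSN gets the record.
        return self._records.get(ssn)


class IdentifiedStore:
    """Better design: the SSN only selects the record; a separate secret,
    stored as a salted hash, proves identity and can be changed."""

    def __init__(self):
        self._records = {}

    def add(self, ssn, secret, record):
        salt = os.urandom(16)
        self._records[ssn] = {"salt": salt, "hash": hash_secret(secret, salt), "record": record}

    def _check(self, ssn, secret):
        entry = self._records.get(ssn)
        if entry is None:
            return None
        # Constant-time comparison avoids leaking how many bytes matched.
        if not hmac.compare_digest(hash_secret(secret, entry["salt"]), entry["hash"]):
            return None
        return entry

    def fetch(self, ssn, secret):
        entry = self._check(ssn, secret)
        return None if entry is None else entry["record"]

    def change_secret(self, ssn, old_secret, new_secret):
        """Rotation after a suspected compromise: the SSN stays the same,
        the secret does not."""
        entry = self._check(ssn, old_secret)
        if entry is None:
            return False
        entry["salt"] = os.urandom(16)
        entry["hash"] = hash_secret(new_secret, entry["salt"])
        return True


def demo():
    """Runs both designs against a public SSN and reports what each allows."""
    ssn = "000-00-0000"  # constructed placeholder, not a real SSN
    record = {"name": "Example Person", "balance": 100}

    weak = SsnAuthenticatedStore()
    weak.add(ssn, record)

    strong = IdentifiedStore()
    strong.add(ssn, "correct horse battery staple", record)
    rotated = strong.change_secret(ssn, "correct horse battery staple", "new secret after breach")

    return {
        "weak_leaks_with_public_ssn": weak.fetch(ssn) is not None,
        "strong_denies_with_ssn_only": strong.fetch(ssn, "") is None,
        "strong_denies_wrong_secret": strong.fetch(ssn, "guess") is None,
        "rotation_succeeded": rotated,
        "old_secret_fails_after_rotation": strong.fetch(ssn, "correct horse battery staple") is None,
        "new_secret_works_after_rotation": strong.fetch(ssn, "new secret after breach") == record,
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The second store still leaks its records if the database itself is stolen, as in the VA case; what it fixes is the other half of the problem, that knowing a public number should not be enough to act as someone at every organisation that holds it.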


Liberty vs. Tyranny

Bruce Schneier provides a basic answer to a very common question:

The most common retort against privacy advocates — by those in favor of ID checks, cameras, databases, data mining and other wholesale surveillance measures — is this line: "If you aren’t doing anything wrong, what do you have to hide?"

The Eternal Value of Privacy, by Bruce Schneier, Wired, 18 May 2006

After rehearsing a few comebacks that people sometimes use, true but not deep enough, he gets to the heart of the matter:

Cardinal Richelieu understood the value of surveillance when he famously said, "If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged." Watch someone long enough, and you’ll find something to arrest — or just blackmail — with. Privacy is important because without it, surveillance information will be abused: to peep, to sell to marketers and to spy on political enemies — whoever they happen to be at the time.

Not to mention the times when you speed at night on that empty road, or forget to fasten your seatbelt, or write something on the net uncomplimentary about a political candidate your boss favors, or….

How do you know you haven’t done anything wrong, in somebody’s eyes?


Their Capers’ Social Fields

"What’s your social?" How many times have you heard that question, from credit card companies, doctors’ offices, and just about every other type of organization? Perhaps you were confident that all these organizations are keeping your "social" completely confidential. I’m not so confident about that, and here’s evidence that they’re not:

Security experts held a contest this month to show just how quick and effective Google hacking can be. During a technology security-industry meeting in Seattle, contestants using only Google for less than an hour turned up sensitive information — potentially useful for financial fraud — on about 25 million people. They dug up various combinations of people’s names, dates of birth, Social Security numbers, and credit-card information, including some card numbers apparently left exposed by the U.S. Department of Justice.

Identity Theft Made Easier: Hackers Use Simple Tricks With Google, Yahoo Searches To Tap Personal Information, by Kevin J. Delaney, Staff Reporter of The Wall Street Journal, 29 March 2005

This just adds to all the recent cases where organizations have lost massive sets of identity information on millions of people because they didn’t keep even rudimentary security over them.

What can you do?


Liability for Not Reporting?

Although this is not the kind of liability I’ve been advocating, it might be of some use:

The Cyber-Security Enhancement and Consumer Data Protection Act of 2006, introduced this week by House Judiciary Chairman James Sensenbrenner (R-Wis.), would punish companies for failing to notify the Secret Service or the FBI of an electronic database breach if that archive holds information on 10,000 or more people or data on federal employees. Under the bill, violations would be punishable by fines and prison sentences of up to five years.

Bill Would Criminalize Failure to Report Breaches, Brian Krebs on Computer Security, 11 May 2006

This bill, H.R. 5318, could produce some useful data, but, as the article notes, it’s not clear what good it will do if the feds don’t do anything with the data.

The article notes that the FBI has bumped cybercrime up on its priority list, and there have been some high profile convictions of bot herders lately. Those are both good things.

However, government funding for such investigations and prosecutions is still a drop in the bucket compared to the military budget, and there’s still no real liability for vendors of the software that enables most of the exploits bot herders use. And the article makes another general point.
