Monthly Archives: January 2008

Liberty vs. Control (Not Privacy vs. Security)

Bruce Schneier hits the nail on the head:
If privacy and security really were a zero-sum game, we would have seen mass immigration into the former East Germany and modern-day China. While it’s true that police states like those have less street crime, no one argues that their citizens are fundamentally more secure.

We’ve been told we have to trade off security and privacy so often — in debates on security versus privacy, writing contests, polls, reasoned essays and political rhetoric — that most of us don’t even question the fundamental dichotomy.

But it’s a false one.

Security and privacy are not opposite ends of a seesaw; you don’t have to accept less of one to get more of the other. Think of a door lock, a burglar alarm and a tall fence.

What Our Top Spy Doesn’t Get: Security and Privacy Aren’t Opposites, Bruce Schneier, Wired, 01.24.08 | 12:00 PM

There’s more, all well worth reading.

Here’s the gist:

The debate isn’t security versus privacy. It’s liberty versus control.

You can see it in comments by government officials: “Privacy no longer can mean anonymity,” says Donald Kerr, principal deputy director of national intelligence. “Instead, it should mean that government and businesses properly safeguard people’s private communications and financial information.” Did you catch that? You’re expected to give up control of your privacy to others, who — presumably — get to decide how much of it you deserve. That’s what loss of liberty looks like.

Haven’t we lost enough already?


Money Buys Security in the UK?

HMRC lost data on 25 million taxpayers last year, and now:
HM Revenue and Customs (HMRC) admitted “high profile” individuals must submit forms by post because they are judged to require extra protection.

But critics said equal treatment should apply to all 3m self-assessment users.

‘Double standard’ on data safety, BBC News, Saturday, 26 January 2008, 17:35 GMT

I wonder if what the high profile individuals get actually is any more secure?


Microsoft Ditches VBA for Security?

For some time I’ve been noting Dan Geer’s point that Microsoft faces a dilemma: stick to backward compatibility including many security vulnerabilities, or fix the holes and lose backwards compatibility. Looks like they’ve done the latter with Office:
Most of the whining comes because Office 2008 does not include Visual Basic. In some respects, this is welcome change because Office never should have had Visual Basic. VBA is what enabled the Macro Virus. Furthermore, Office 2009 (for Windows) is not going to have VBA, either.

However, not shipping VBA in Office 2008 means that people who want to have cross-platform documents that are pseudo-applications have to deal with it in 2008, not 2009. That’s worth complaining about.

Microsoft Has Trouble Programming the Intel Architecture, by mordaxus, Emergent Chaos, 16 Jan 2008

The poster immediately goes on to sneer at OpenOffice for allegedly not being able to do things Office can do (without ever mentioning specifics) and at Keynote because everybody uses PowerPoint (while acknowledging that “Keynote rocks — it got Al Gore both an Oscar and the Nobel Prize”).

When Microsoft can manage to annoy even slavish users like that by breaking backwards compatibility, MSFT has a problem. No doubt no VBA in Office isn’t the last straw, but it isn’t the first, either.


Google to be Dragooned Into U.S. Wiretapping?

I’d wondered when the feds would think of this:

"Google has records that could help in a cyber-investigation, he said," Wright adds. "Giorgio warned me, ‘We have a saying in this business: “Privacy and security are a zero-sum game.”’"

A New Internet Wiretapping Plan? Steve Bellovin, SMBlog, 15 January 2008

Their saying is wrong, as Bellovin points out:

The risks are quite similar to those posed by CALEA: this is an intentional vulnerability which can be exploited by the wrong people. (That’s what happened to the Greek cellphone network.)

But some people believe the saying anyway, and will act on it, unless they are stopped.


Dissenting Breaches

Adam is rightly pleased as punch that people are trying to estimate breach trends, even though that’s really hard to do when you just don’t have reliable breach reports.
The bottom line is that if we want to make any sense out of data, we need more transparency and mandatory disclosure so that we can get ALL of the numbers on ALL of the incidents.

Congress, are you listening yet?

Second look: What kind of year was 2007 in terms of data breaches? Chronicles of Dissent, 3 Jan 2008

EU, are you listening? Japan? China?


Mastery and Secure Coding

Brooks extended:

Each thing we are trying to push for in secure coding these days requires mastery: Cardspace, static analysis, threat modeling, web service security, and friends are very deep individual domains, and when applied to an enterprise they get wide as well. Let me underline that – to deploy any of the current cutting edge stuff in software security at scale requires technical depth and deployment width. This automatically limits your resource pool of who can deliver this stuff.

So what I have seen work well is using a decentralized, specialist team approach with a very specific agenda and goals. Note the team can be very small, 2 or 3 people even if they are empowered.

Go Wide and Deep, Incrementally, Gunnar Peterson, 1 Raindrop, 10 Jan 2008

Not only can’t you make a late project on time by throwing people at it, you can’t really make a project secure by throwing people at it.


Canadian Breach Reporting

Michael Geist’s top tech law issue for Canada for 2008 is:

Security Breach Reporting Rules Are Introduced. Scarcely a week went by last year without a report of a security breach that placed the personal data of thousands of Canadians at risk. Last spring, a House of Commons committee acknowledged that the country needs mandatory security breach disclosure legislation that would require organizations to advise Canadians when they have been victimized by a breach. A public consultation on the issue concludes next week and new regulations will be introduced before the summer.

Eight Tech Law Issues To Watch in 2008, Michael Geist, Tuesday January 08, 2008

That would be a good thing.


Phishing Verified

Or is it really phishing when the victim first broadcasts his bank account details?
Top Gear presenter Jeremy Clarkson has admitted he was wrong to brand the scandal of lost CDs containing the personal data of millions of Britons a “storm in a teacup” after falling victim to an internet scam.

The outspoken star printed his bank details in a newspaper to try and make the point that his money would be safe and that the spectre of identity theft was a sham.

He also gave instructions on how to find his address on the electoral roll and details about the car he drives.

However, in a rare moment of humility Clarkson has now revealed the stunt backfired and his details were used to set up a £500 direct debit payable from his account to the British Diabetic Association.

The charity is one of many organisations that do not need a signature to set up a direct debit.

Clarkson stung by fraud stunt, Guardian Unlimited, Monday January 7 2008

He admits he was wrong, but nonetheless tries to pin the blame partly on a privacy law:
“The bank cannot find out who did this because of the Data Protection Act and they cannot stop it from happening again,” he said. “I was wrong and I have been punished for my mistake.”
At least he doesn’t call for revoking that Act; he does call for going after the perpetrators.


PS: Seen on BoingBoing.

Hammers to be Outlawed in UK

What can you expect when public, press, and government think “hacker” means criminal?
The UK government has published guidelines for the application of a law that makes it illegal to create or distribute so-called “hacking tools”.

A revamp of the UK’s outdated computer crime laws is long overdue. However, provisions to ban the development, ownership and distribution of so-called “hacker tools” draw sharp criticism from industry. Critics point out that many of these tools are used by system administrators and security consultants quite legitimately to probe for vulnerabilities in corporate systems.

The distinctions between, for example, a password cracker and a password recovery tool, or a utility designed to run denial of service attacks and one designed to stress-test a network, are subtle. The problem is that anything from nmap through wireshark to perl can be used for both legitimate and illicit purposes, in much the same way that a hammer can be used for putting up shelving or breaking into a car.

UK gov sets rules for hacker tool ban, Consultants in frame? Definitely Maybe By John Leyden, The Guardian, Published Wednesday 2nd January 2008 15:54 GMT

How long will it be before a simple traceroute gets you not only disconnected from your ISP but also clapped in jail for “hacking”?

It gets better: