Category Archives: Security

NSL: Internet Archive Exposes Lack of Security in National Security Letters

The Internet Archive has for a decade been a cornerstone of the Internet, and the FBI was foolish to try to break it:
The FBI has withdrawn an illegal National Security Letter seeking information from an online library and has lifted a gag order that until Wednesday prevented any discussion of the information request.

Lawyers from the American Civil Liberties Union and Electronic Frontier Foundation helped the Internet Archive push back against what they say was an overly broad and unlawful request for information on one of its users. The FBI issued its National Security Letter in November, but ACLU, EFF and Archive officials were precluded from discussing it with anyone because of a gag order they say was unconstitutional.

After nearly five months of haggling, the FBI eventually withdrew its NSL, which requested personal information about at least one user of the Internet Archive. Founded in 1996, the archive is recognized as a library by the state of California, and its collections include billions of Web records, documents, music and movies.

Watchdogs prompt FBI to withdraw ‘unconstitutional’ National Security Letter, Nick Juliano, therawstory, Published: Wednesday May 7, 2008

The article goes on to say that the FBI has issued some 200,000 National Security Letters, that almost none of those NSLs have been challenged, and yet that every time someone has challenged an NSL in court, the FBI has withdrawn it.

How do these NSLs represent “Security”?

In any case, National Security Letters were authorized by the mis-named Patriot Act. Brewster Kahle has shown us how a real patriot acts:

CCTV Security Fad Fails

London probably has more security cameras per square inch than any other city, and:
The billions of pounds spent covering Britain with CCTV cameras has been an “utter fiasco” and failed to slash crime, Scotland Yard’s surveillance chief has said.

Detective Chief Inspector Mick Neville said a Metropolitan Police pilot project found just three per cent of street robberies in London were solved using CCTV images.

He claimed the vast swathes of money spent on cameras had been wasted because criminals don’t fear the cameras.

Billions spent on CCTV have failed to cut crime and led to an ‘utter fiasco’, says Scotland Yard surveillance chief, Just 3% of street robberies in London solved, By DANIEL BATES, Daily Mail, Last updated at 13:48pm on 6th May 2008

Needless to say, there are numerous efforts planned to make the cameras pay anyway.

The basic problem is:

But Mr Neville also castigated the police and claimed officers can’t be bothered to seek out CCTV images because it’s “hard work”.

CCTV is not the only security fad that hasn’t panned out:

For every 800 DNA samples being added by the police – including those taken from innocent people – only one crime is being solved.

We’ll see if either of these white elephant programs gets terminated. I’m not holding my breath.

-jsq

Paypal Says Old IE is Like Car Without Seat Belt: EV SSL blocking

The eBay-owned company, which runs a Web-based payment system that allows the transfer of funds between bank accounts and credit cards, said browsers that do not have support for blocking identity theft-related Web sites or for EV SSL (Extended Validation Secure Sockets Layer) certificates are considered “unsafe” for financial transactions.

“In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seat belts,” said PayPal Chief Information Security Officer Michael Barrett.

Barrett only mentioned old, out-of-support versions of Microsoft’s Internet Explorer among this group of “unsafe browsers,” but it’s clear his warning extends to Apple’s Safari browser, which offers no anti-phishing protection and does not support the use of EV SSL certificates.

PayPal Plans to Ban Unsafe Browsers, By Ryan Naraine, EWeek.com, 2008-04-17

Now on the one hand, I think EV SSL is color-coded checklist security candy:

European Parliament Votes for Internet Freedom and Security

Sometimes a legislative body gets the picture and shows some spine:
Despite last minute attempts by the French government to divide them, European MEPs today voted decisively against “three strikes”, the IFPI-promoted plan to create a class of digital outcasts, forbidden from accessing the Net if repeatedly accused by music companies of downloading infringing content.

In a vote held today, hundreds of MEPs supported language which declared termination of Internet access to be in conflict with “civil liberties and human rights and with the principles of proportionality, effectiveness and dissuasiveness”, all core values of the European Union.

… And Guy Bono, the author of the report, had this to say in the plenary:

“On this subject, I am firmly opposed to the position of some Member States, whose repressive measures are dictated by industries that have been unable to change their business model to face necessities imposed by the information society. The cut of Internet access is a disproportionate measure regarding the objectives. It is a sanction with powerful effects, which could have profound repercussions in a society where access to the Internet is an imperative right for social inclusion.”

European Parliament to Sarkozy: No “Three Strikes” Here, Posted by Danny O’Brien, EFF, April 10th, 2008

The European Parliament voted for social inclusion, participation, and human rights over profits for a tiny group of companies. That wasn’t hard. Even if the vote had gone the other way, it wouldn’t have produced any real security for the tiny group, and the way it did go, it produces far more security for everyone else. Maybe the U.S. can get the message.

-jsq

Censorship as Security: GoDaddy Delists Cop Rating Web Site

This is security?
A new web service that lets users rate and comment on the uniformed police officers in their community is scrambling to restore service Tuesday, after hosting company GoDaddy unceremoniously pulled the plug on the site in the wake of outrage from criticism-leery cops.

GoDaddy Silences Police-Watchdog Site RateMyCop.com, By Kevin Poulsen, ThreatLevel, March 11, 2008 | 8:42:42 PM

Heaven forbid we should have public oversight of public servants.

This is customer service?

New School: New Book by Adam Shostack

Adam Shostack, whose group blog Emergent Chaos I quote frequently in this blog, has a new book coming out with co-author Andrew Stewart: The New School of Information Security.
We think there’s an emerging way of approaching the world, which we call the New School.

We start with a look at some persistent issues like spam and identity theft. From there, we look at why the information security industry hasn’t just fixed them, and some of the data sources which we rely on and how poor they are. We then look at some new sources of data, and new ways of interpreting them, and close with some very practical steps that any individual or organization can take to make things better.

The New School of Information Security, Adam Shostack, Emergent Chaos, 10 March 2008

I haven’t read the book yet, since it’s not published yet, but if it’s like the material he posts in his blog, it’s a good thing.

One of his commenters doesn’t get it:

Availability Is Not Security If an Abandoned Sea Anchor Cut the Cable?

I see in some fora people are still arguing that security involves countering malicious actors, and that availability alone is not security, even if people are depending on that availability.

Were all those recent cable cuts in the Med. and the Persian Gulf not security issues, even though some of the affected companies are now planning to spend $300-400m on physical security to fix the problem?

If the culprit had been a Russian mobster or Al Qaeda or the CIA rather than (in one case) an abandoned ship anchor, then it would have been security, but now it’s not?

-jsq

Publicity about Internal Fraud: Still an Issue after 30 Years

Adam quotes a 30-year-old book about computer security and notes that the IRS, then and now, doesn’t adequately protect taxpayers’ information and promises to do better. The quote I like best, though, is:
Top management people in large corporations fear that publicity about internal fraud could well affect their companies’ trading positions on the stock market, hold the corporation up to public ridicule, and cause all sorts of turmoil… (Computer Capers, page 72)

Computer Capers: Tales of electronic thievery, embezzlement, and fraud, by Thomas Whiteside, Ty Crowell Co., 1978

That’s why corporations fear a breach reporting reputation system. That’s also why we need one.

-jsq

Liberty vs. Control (Not Privacy vs. Security)

Bruce Schneier hits the nail on the head:
If privacy and security really were a zero-sum game, we would have seen mass immigration into the former East Germany and modern-day China. While it’s true that police states like those have less street crime, no one argues that their citizens are fundamentally more secure.

We’ve been told we have to trade off security and privacy so often — in debates on security versus privacy, writing contests, polls, reasoned essays and political rhetoric — that most of us don’t even question the fundamental dichotomy.

But it’s a false one.

Security and privacy are not opposite ends of a seesaw; you don’t have to accept less of one to get more of the other. Think of a door lock, a burglar alarm and a tall fence.

What Our Top Spy Doesn’t Get: Security and Privacy Aren’t Opposites, Bruce Schneier, Wired, 01.24.08 | 12:00 PM

There’s more, all well worth reading.

Here’s the gist:

The debate isn’t security versus privacy. It’s liberty versus control.

You can see it in comments by government officials: “Privacy no longer can mean anonymity,” says Donald Kerr, principal deputy director of national intelligence. “Instead, it should mean that government and businesses properly safeguard people’s private communications and financial information.” Did you catch that? You’re expected to give up control of your privacy to others, who — presumably — get to decide how much of it you deserve. That’s what loss of liberty looks like.

Haven’t we lost enough already?

-jsq

Money Buys Security in the UK?

HMRC lost data on 25 million taxpayers last year, and now:
HM Revenue and Customs (HMRC) admitted “high profile” individuals must submit forms by post because they are judged to require extra protection.

But critics said equal treatment should apply to all 3m self-assessment users.

‘Double standard’ on data safety, BBC News, Saturday, 26 January 2008, 17:35 GMT

I wonder whether what the high-profile individuals get is actually any more secure.

-jsq