Thursday, December 29, 2005

A Timely Start

Perl.com has an excellent article on speeding up Perl programs: what we can and can't help with:

A well-written Perl program should, in theory, beat a shell script, right? In theory. In practice, sometimes the details of your Perl installation have more to do with why your program is slow than you might believe. Jean-Louis Leroy recently tracked down a bottleneck and wrote up his experiences with making Perl programs start faster.

(A Timely Start via Perl.com.)

Wednesday, December 28, 2005

Are Computer-Security Export Controls Back?

Schneier on Security: Are Computer-Security Export Controls Back?:

I thought U.S. export regulations were finally over and done with, at least for software. Maybe not:

Unfortunately, due to strict US Government export regulations Symantec is only able to fulfill new LC5 orders or offer technical support directly with end-users located in the United States and commercial entities in Canada, provided all screening is successful.

Commodities, technology or software is subject to U.S. Dept. of Commerce, Bureau of Industry and Security control if exported or electronically transferred outside of the USA. Commodities, technology or software are controlled under ECCN 5A002.c.1, cryptanalytic.

You can also access further information on our web site at the following address: http://www.symantec.com/region/reg_eu/techsupp/enterprise/index.html

The software in question is the password breaking and auditing tool called LC5, better known as L0phtCrack.

Anyone have any ideas what's going on, because I sure don't.

(Via Schneier on Security.)

Tuesday, December 27, 2005

Identity Information Theft versus Identity Theft

Kim Cameron's Identity Weblog: Identity Information Theft versus Identity Theft:

Dave Kearns still has a bee in his bonnet about my use of the phrase "Identity Theft". He takes Sun's Sara Gates and me to task in a surrealistic portrait of us as doppelgangers mesmerized by opinion polls.

If I understand him right, he is arguing that "identity theft" sensationalizes something banal and inevitable. We should drop the phrase and talk in terms of property theft. Property theft being as old as the hills, why should theft of information stored on computers surprise anyone? Dave seems to think that attempting to eliminate theft of any kind is about as likely to succeed as attempts to eliminate sex, drugs or rock and roll. So why waste effort?

Similarly, he wants us to return to the notion of good old fashioned fraud, perhaps not as venerable as pure property theft, but still an activity with a long past and clearly unrelated to what we, as technologists, might do or not do:

"Only once we're past the discussion of property theft mis-named as identity theft can we get to the real problem - identity fraud and how to combat it. But identity fraud happens one instance at a time, so it isn't as sexy for the budding Pulitzer Prize winner to write about."

As usual with Dave Kearns, there is an undeniable truth to what he says. We have to admit that it is not actually "an identity" which is stolen in a data breach, but rather identity information which might potentially be used for phraud. But so what? The words don't matter as much as the underlying phenomena.

Apparently to underline his point Dave links to a press release from ID Analytics, Inc. When I went to their site I found this:

"The findings detailed in the cornerstone 'National Data Breach Analysis' indicate that different data breaches pose different degrees of risk. In fact, certain types of data breaches may not present a high degree of risk to your customers.

Wow! That's a relief. But wait. Bad news:

"If your organization has suffered a data breach, the implications are serious:

  • Erosion of customer trust
  • Undesirable publicity
  • Legal/regulatory liability
  • Added financial obligations or responsibility

Ah. But maybe good news:

"Realities of a Data Breach

"After conducting the first-ever post-breach data analysis into a series of separate data breaches, ID Analytics is in an unprecedented position to help organizations truly assess the degree of risk associated with a breach they have experienced. While data breaches can be the first and most serious issue facing an organization, the findings detailed in the cornerstone "National Data Breach Analysis" indicate that different data breaches pose different degrees of risk. In fact, certain types of data breaches may not present a high degree of risk to your customers.

Scientists can help me!

"ID Analytics Services

"ID Analytics Breach Analysis Services involve a series of rigorous analytical assessments made possible only through the use of ID Analytics' patented Graph Theoretic Anomaly Detection (GTAD®) technology and the membership-based ID Network™.

  • Isolate Data Breach. Following an initial confidential briefing, ID Analytics fraud experts will help determine which customer identities must be analyzed for risk of identity theft.
  • Identity Risk Assessment. ID Analytics' scientists, leveraging the power of the ID Network, will employ GTAD technology to determine if the isolated customer data set has been misused in an organized fashion. Organized misuse is a reliable indication of the potential for ongoing identity theft. If no organized misuse is detected, ID Analytics will deliver documented certification that the customer data set, as of that date, shows no indications of being misused in a suspicious or fraudulent manner.
  • Victim Action List. If organized misuse is detected, ID Analytics will produce a list of impacted identities, allowing the breached organization to deliver victim assistance directly to those that need it.
  • Ongoing Monitoring. ID Analytics will continually monitor the entire breached customer data set to detect any further misuse of sensitive identity information, both for previous and new victims.

"Benefits

  • Receive reliable indication of whether or not breached data is being used to perpetrate identity fraud or identity theft.
  • Determine the risk of harm associated with a data breach and devise risk-adjusted actions.
  • Deliver effective and specific communications to impacted customers regarding anticipated harm and remedies pursued.
  • Ensure a conclusion to the breach episode through ongoing protection and certification.

"Data breaches are an unfortunate reality in the information age. Even organizations that have invested enormous sums in security are not immune to the threat.

"ID Analytics can discretely assist organizations in understanding the true impact of a data breach to its customers, which can lead to informed and appropriate decisions about how to manage the aftermath."

Sorry - I forget why the existence of a company paying "scientists" to discreetly "ensure a conclusion to breach episodes" really proves Dave's point that all we are dealing with here is a glitch on the PR machine.

I think our systems are being attacked more methodically, from more directions, more often and by a more professional enemy than has ever been the case, and I think these attacks will, if nothing else changes, get progressively worse over the next couple of decades. This leads me to think it's time to ring the alarm bells and act. Who cares if we say "identity theft" or "identity information theft", as long as the alarm bells sound?

Whatever we call it, our systems are being breached, and we need to work to make them qualitatively more resilient. The proposals for an identity metasystem for the Internet are intended to bring about a holistic alternative to the current ad hoc environment.

In the meantime, there will be more breaches, and those writing about them will not be Chicken Littles yelling that the sky is falling.



(Via Kim Cameron's Identity Weblog.)

Internet Explorer Sucks

Schneier on Security: Internet Explorer Sucks:

This study is from August, but I missed it. The researchers tracked three browsers (MSIE, Firefox, Opera) in 2004 and counted which days they were "known unsafe." Their definition of "known unsafe": a remotely exploitable security vulnerability had been publicly announced and no patch was yet available.

MSIE was 98% unsafe. There were only 7 days in 2004 without an unpatched publicly disclosed security hole.

Firefox was 15% unsafe. There were 56 days with an unpatched publicly disclosed security hole. 30 of those days were a Mac hole that only affected Mac users. Windows Firefox was 7% unsafe.

Opera was 17% unsafe: 65 days. That number is accidentally a little better than it should be, as two of the unpatched periods happened to overlap.

This underestimates the risk, because it doesn't count vulnerabilities known to the bad guys but not publicly disclosed (and it's foolish to think that such things don't exist). So the "98% unsafe" figure for MSIE is generous, and the situation might be even worse.

Wow.

(Via Schneier on Security.)
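The "known unsafe" day count described in the post above, worked through as an added example (it is not code from the study, from Schneier, or from this blog). It treats each vulnerability as a window from public disclosure to patch release and counts calendar days covered by at least one window, next to the plain sum of window lengths, so the effect of overlapping windows is visible. The window dates and all function names are constructed for illustration.

```python
from datetime import date

def _clip(windows, year):
    """Clip [disclosed, patched) windows to one calendar year.

    patched=None means no patch had shipped by the end of the year.
    """
    start, end = date(year, 1, 1), date(year + 1, 1, 1)
    out = []
    for disclosed, patched in windows:
        lo, hi = max(disclosed, start), min(patched or end, end)
        if lo < hi:
            out.append((lo, hi))
    return sorted(out)

def unsafe_days(windows, year):
    """Days in `year` on which at least one disclosed hole was unpatched."""
    merged = []
    for lo, hi in _clip(windows, year):
        if merged and lo <= merged[-1][1]:
            # Overlapping or touching window: extend the current run.
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return sum((hi - lo).days for lo, hi in merged)

def summed_window_days(windows, year):
    """Per-vulnerability exposure added up; overlapping days count twice."""
    return sum((hi - lo).days for lo, hi in _clip(windows, year))

def percent_unsafe(windows, year):
    days_in_year = (date(year + 1, 1, 1) - date(year, 1, 1)).days
    return 100.0 * unsafe_days(windows, year) / days_in_year

# Constructed sample data: (public disclosure, patch release) per vulnerability.
SAMPLE_WINDOWS = [
    (date(2003, 12, 20), date(2004, 1, 10)),  # disclosed the previous year
    (date(2004, 2, 1), date(2004, 2, 21)),
    (date(2004, 2, 11), date(2004, 3, 2)),    # overlaps the window above
    (date(2004, 12, 25), None),               # still unpatched at year end
]

if __name__ == "__main__":
    print("days known unsafe:", unsafe_days(SAMPLE_WINDOWS, 2004))
    print("sum of window lengths:", summed_window_days(SAMPLE_WINDOWS, 2004))
    print("percent of year unsafe: %.1f" % percent_unsafe(SAMPLE_WINDOWS, 2004))
```

As the post notes, this only covers publicly disclosed holes; a window for a vulnerability known only to attackers never appears in the input.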

Idiotic Article on TPM

Schneier on Security: Idiotic Article on TPM:

This is just an awful news story.

"TPM" stands for "Trusted Platform Module." It's a chip that may soon be in your computer that will try to enforce security: both your security, and the security of software and media companies against you. It's complicated, and it will prevent some attacks. But there are dangers. And lots of ways to hack it. (I've written about TPM here, and here when Microsoft called it Palladium. Ross Anderson has some good stuff here.)

In fact, with TPM, your bank wouldn’t even need to ask for your username and password -- it would know you simply by the identification on your machine.

Since when is "your computer" the same as "you"? And since when is identifying a computer the same as authenticating the user? And until we can eliminate bot networks and "owned" machines, there's no way to know who is controlling your computer.

Of course you could always “fool” the system by starting your computer with your unique PIN or fingerprint and then letting another person use it, but that’s a choice similar to giving someone else your credit card.

Right, letting someone use your computer is the same as letting someone use your credit card. Does he have any idea that there are shared computers that you can rent and use? Does he know any families that share computers? Does he ever have friends who visit him at home? There are lots of ways a PIN can be guessed or stolen.

Oh, I can't go on.

My guess is the reporter was fed the story by some PR hack, and never bothered to check out if it were true.

(Via Schneier on Security.)

Monday, December 19, 2005

The Military is Spying on Americans

Schneier on Security: The Military is Spying on Americans:

The Defense Department is collecting data on perfectly legal, peaceful, anti-war protesters.

The DOD database obtained by NBC News includes nearly four dozen anti-war meetings or protests, including some that have taken place far from any military installation, post or recruitment center. One "incident" included in the database is a large anti-war protest at Hollywood and Vine in Los Angeles last March that included effigies of President Bush and anti-war protest banners. Another incident mentions a planned protest against military recruiters last December in Boston and a planned protest last April at McDonald's National Salute to America's Heroes -- a military air and sea show in Fort Lauderdale, Fla.

The Fort Lauderdale protest was deemed not to be a credible threat and a column in the database concludes: "US group exercising constitutional rights." Two-hundred and forty-three other incidents in the database were discounted because they had no connection to the Department of Defense -- yet they all remained in the database.

The DOD has strict guidelines (.PDF link), adopted in December 1982, that limit the extent to which they can collect and retain information on U.S. citizens.

Still, the DOD database includes at least 20 references to U.S. citizens or U.S. persons. Other documents obtained by NBC News show that the Defense Department is clearly increasing its domestic monitoring activities. One DOD briefing document stamped “secret” concludes: "[W]e have noted increased communication and encouragement between protest groups using the [I]nternet," but no "significant connection" between incidents, such as “reoccurring instigators at protests” or "vehicle descriptions."

Personally, I am very worried about this increase in military activity inside our country. If anyone should be making sure protesters stay on the right side of the law, it's the police...not the military.

And it could get worse.

EDITED TO ADD (12/16): There's also this news:

Months after the Sept. 11 attacks, President Bush secretly authorized the National Security Agency to eavesdrop on Americans and others inside the United States to search for evidence of terrorist activity without the court-approved warrants ordinarily required for domestic spying, according to government officials.....

Mr. Bush's executive order allowing some warrantless eavesdropping on those inside the United States including American citizens, permanent legal residents, tourists and other foreigners is based on classified legal opinions that assert that the president has broad powers to order such searches, derived in part from the September 2001 Congressional resolution authorizing him to wage war on Al Qaeda and other terrorist groups, according to the officials familiar with the N.S.A. operation.

And:

....officials familiar with it said the N.S.A. eavesdropped without warrants on up to 500 people in the United States at any given time. The list changes as some names are added and others dropped, so the number monitored in this country may have reached into the thousands over the past three years, several officials said. Overseas, about 5,000 to 7,000 people suspected of terrorist ties are monitored at one time, according to those officials.

This is a very long article, but worth reading. It is not overstatement to suggest that this may be the most significant violation of federal surveillance law in the post-Watergate era.

EDITED TO ADD (12/16): Good analysis from Political Animal. The reason Bush's executive order is a big deal is because it's against the law.

Here is the Foreign Intelligence Surveillance Act. Its Section 1809a makes it a criminal offense to "engage in electronic surveillance under color of law except as authorized by statute."

FISA does authorize surveillance without a warrant, but not on US citizens (with the possible exception of citizens speaking from property openly owned by a foreign power; e.g., an embassy.)

FISA also says that the Attorney General can authorize emergency surveillance without a warrant when there is no time to obtain one. But it requires that the Attorney General notify the judge of that authorization immediately, and that he (and yes, the law does say 'he') apply for a warrant "as soon as practicable, but not more than 72 hours after the Attorney General authorizes such surveillance."

It also says this:

"In the absence of a judicial order approving such electronic surveillance, the surveillance shall terminate when the information sought is obtained, when the application for the order is denied, or after the expiration of 72 hours from the time of authorization by the Attorney General, whichever is earliest. In the event that such application for approval is denied, or in any other case where the electronic surveillance is terminated and no order is issued approving the surveillance, no information obtained or evidence derived from such surveillance shall be received in evidence or otherwise disclosed in any trial, hearing, or other proceeding in or before any court, grand jury, department, office, agency, regulatory body, legislative committee, or other authority of the United States, a State, or political subdivision thereof".

Nothing in the New York Times report suggests that the wiretaps Bush authorized extended only for 72 hours, or that normal warrants were sought in each case within 72 hours after the wiretap began. On the contrary, no one would have needed a special program or presidential order if they had.

According to the Times, "the Bush administration views the operation as necessary so that the agency can move quickly to monitor communications that may disclose threats to the United States." But this is just wrong. As I noted above, the law specifically allows for warrantless surveillance in emergencies, when the government needs to start surveillance before it can get a warrant. It explains exactly what the government needs to do under those circumstances. It therefore provides the flexibility the administration claims it needed.

They had no need to go around the law. They could easily have obeyed it. They just didn't want to.

(Via Schneier on Security.)

Wednesday, December 14, 2005

Bill Will Keep New Drivers Off Phones

The Wisconsin Legislature is considering Assembly Bill 120, which would ban new drivers from using their cell phones while driving. In related news, AB 121 will ban parents from driving with children; AB 122 bans driving while listening to music; and AB 123 bans driving while not staring bug-eyed at the road.

Weakest Link Security

Schneier on Security: Weakest Link Security:

Funny story:

At the airport where this pilot fish works, security has gotten a lot more attention since 9/11. "All the security doors that connect the concourses to office spaces and alleyways for service personnel needed an immediate upgrade," says fish. "It seems that the use of a security badge was no longer adequate protection.

"So over the course of about a month, more than 50 doors were upgraded to require three-way protection. To open the door, a user needed to present a security badge (something you possess), a numeric code (something you know) and a biometric thumb scan (something you are).

"Present all three, and the door beeps and lets you in."

One by one, the doors are brought online. The technology works, and everything looks fine -- until fish decides to test the obvious.

After all, the average member of the public isn't likely to forge a security badge, guess a multidigit number and fake a thumb scan. "But what happens if you just turn the handle without any of the above?" asks fish. "Would it set off alarms or call security?

"It turns out that if you turn the handle, the door opens.

"Despite the addition of all that technology and security on every single door, nobody bothered to check that the doors were set to lock by default."

Remember, security is only as strong as the weakest link.

(Via Schneier on Security.)

Friday, December 09, 2005

Planet Perl: Leon Brocard: Open source zealots: ...

Planet Perl: Leon Brocard: Open source zealots:

This is something I've seen on other projects, but never experienced myself before until now: open source zealots. These are people who will complain for months that if project Y were open source, then they would hack on it and improve it. To get them to stop whining, you open source the project and of course all the people who said they would contribute code do not. A month of whining and no code! As pointed out in the London.pm meeting yesterday, it's not a total loss: at least they've stopped whining ;-)

The fog effect in RealLife looks particularly good today - almost as good as in the latest Harry Potter film. Here's hoping that no dragons come swooping out of this fog...

ObPerl: Image::Imlib2 doesn't support blending two images together, so I had to use Image::Magick yesterday, erk!

(Via Planet Perl.)

Schneier on Security: E-Hijacking:

The article is a bit inane, but it talks about an interesting security problem. "E-hijacking" is the term used to describe the theft of goods in transit by altering the electronic paperwork:

He pointed to the supposed loss of 3.9-million banking records stored on computer backup tapes that were being shipped by UPS from New York-based Citigroup to an Experian credit bureau in Texas. “These tapes were not lost – they were stolen,” Spoonamore said. “Not only were they stolen, the theft occurred by altering the electronic manifest in transit so it would be delivered right to the thieves.” He added that UPS, Citigroup, and Experian spent four days blaming each other for losing the shipment before realizing it had actually been stolen.

Spoonamore, a veteran of the intelligence community, said in his analysis of this e-hijacking, upwards of 15 to 20 people needed to be involved to hack five different computer systems simultaneously to breach the electronic safeguards on the electronic manifest. The manifest was reset from “secure” to “standard” while in transit, so it could be delivered without the required three signatures, he said. Afterward the manifest was put back to “secure” and three signatures were uploaded into the system to appear as if proper procedures had been followed.

“What’s important to remember here is that there is no such thing as ‘security’ in the data world: all data systems can and will be breached,” Spoonamore said. “What you can have, however, is data custody so you know at all times who has it, if they are supposed to have it, and what they are doing with it. Custody is what begets data security.”

This is interesting. More and more, the physical movement of goods is secondary to the electronic movement of information. Oil being shipped across the Atlantic, for example, can change hands several times while it is in transit. I see a whole lot of new risks along these lines in the future.

(Via Schneier on Security.)

Friday, December 02, 2005

EFF: Breaking News: Diebold Attempts to Evade Election Transparency Laws:

EFF Goes to Court to Force E-voting Company to Comply With Strict New North Carolina Law

Raleigh, North Carolina - The Electronic Frontier Foundation (EFF) is going to court in North Carolina to prevent Diebold Election Systems, Inc. from evading North Carolina law.

In a last-minute filing, e-voting equipment maker Diebold asked a North Carolina court to exempt it from tough new election requirements designed to ensure transparency in the state's elections. Diebold obtained an extraordinarily broad order, allowing it to avoid placing its source code in escrow with the state and identifying programmers who contributed to the code.

On behalf of North Carolina voter and election integrity advocate Joyce McCloy, EFF asked the court to force Diebold and every other North Carolina equipment vendor to comply with the law's requirements. A hearing on EFF's motion is set for Monday, November 28.

"The new law was passed for a reason: to ensure that the voters of North Carolina have confidence in the integrity and accuracy of their elections," said EFF Staff Attorney Matt Zimmerman. "In stark contrast to every other equipment vendor that placed a bid with the state, Diebold went to court complaining that it simply couldn't comply with the law. Diebold should spend its efforts developing a system that voters can trust, not asking a court to let it bypass legal requirements aimed at ensuring voting integrity."

On November 4, the day that voting equipment bids to the state were due, Diebold obtained a temporary restraining order from a North Carolina superior court, exempting it from criminal and civil liability that could have resulted from its bid. EFF, with the assistance from the North Carolina law firm of Twiggs, Beskind, Strickland & Rabenau, P.A., intervened in the case on behalf of McCloy, the founder of the North Carolina Coalition for Verified Voting. In a brief filed Wednesday, EFF argued that Diebold had failed to show why it was unable to meet various new election law provisions requiring source code escrow and identification of programmers. North Carolina experienced one of the most serious malfunctions of e-voting systems in the 2004 presidential election when over 4,500 ballots were lost in a voting system provided by Diebold competitor UniLect Corp. The new transparency and integrity provisions of the North Carolina election code were passed in response to this and other documented malfunctions that have occurred across the country.

The North Carolina Board of Elections is scheduled to announce winning voting equipment vendors on December 1, 2005.

For the brief filed in the case:
http://www.eff.org/Activism/E-voting/20051117_Diebold_v_NC_Motion.pdf

Contact:

Matt Zimmerman
Staff Attorney
Electronic Frontier Foundation
mattz@eff.org

(Via EFF: Breaking News.)

Schneier on Security: FBI to Approve All Software?:

Sounds implausible, I know. But how else do you explain this FCC ruling (from September -- I missed it until now):

The Federal Communications Commission thinks you have the right to use software on your computer only if the FBI approves.

No, really. In an obscure "policy" document released around 9 p.m. ET last Friday, the FCC announced this remarkable decision.

According to the three-page document, to preserve the openness that characterizes today's Internet, "consumers are entitled to run applications and use services of their choice, subject to the needs of law enforcement." Read the last seven words again.

The FCC didn't offer much in the way of clarification. But the clearest reading of the pronouncement is that some unelected bureaucrats at the commission have decreed that Americans don't have the right to use software such as Skype or PGPfone if it doesn't support mandatory backdoors for wiretapping. (That interpretation was confirmed by an FCC spokesman on Monday, who asked not to be identified by name. Also, the announcement came at the same time as the FCC posted its wiretapping rules for Internet telephony.)

(Via Schneier on Security.)

Schneier on Security: The Human Side of Security:

A funny -- and all too true -- addition to the SANS Top 20:

H1. Humans

H1.1 Description:

The species Homo sapiens supports a wide range of intellectual capabilities such as speech, emotion, rational thinking etc. Many of these components are enabled by default - though to differing degrees of success. These components are implemented by the cerebral cortex, and are under the control of the identity engine which runs as me.exe. Vulnerabilities in these components are the most common avenues for exploitation.

(Via Schneier on Security.)