[A floor vote on this dangerous piece of legislation may happen as early as this Wednesday. This is a disaster in the making relating to flagrant disregard of privacy issues, data access without warrants, unconstrained dissemination and reuse, etc. The potential downsides are almost too numerous to list here! PGN] Greetings. A few days ago, in this message: http://lists.elistx.com/archives/interesting-people/200604/msg00134.html I commented on Attorney General Gonzales' recent statement regarding data retention, and the alarming slippery slope that I feel this represented. Now, this article: http://news.com.com/Congress+may+consider+mandatory+ISP+snooping/2100-1028_3-6066608.html?tag=st_lh reports that a Democratic Congresswoman is proposing to fast-track a bill or amendment to *require* essentially permanent retention of users' Internet activity data (until at *least* one year after the user *closes their account*). For long-term users, this means effectively permanent retention. Again, I must note the supreme ironies. It was only a few months ago that people were screaming bloody murder about DoJ demanding Search Engine records — a demand that apparently only Google had the backbone to appropriately resist, noting the sensitivity of the data involved. This controversy triggered calls (including in some legislative quarters) for a law mandating the destruction of much related data after some reasonable, relatively short interval, with appropriate designated exceptions for R&D, business development, and the like. Now, by waving the red flag of fighting child pornography, seemingly intelligent and usually well-meaning legislators appear ready to create the mother of all big-brother database laws, a treasure trove of personal data that will ultimately be available for every fishing expedition under the sun. For those persons who trust the government not to abuse such data, I hasten to note that these kinds of infrastructures, once in place, tend to be self-perpetuating, and will be available to *future* governments as well, including administrations who might not be as "benign" as the current one. The article referenced above correctly notes the comparison with the McMartin Preschool child abuse witch-hunts of years ago. Hysteria over the abhorrent and real problem of child porn is being used to potentially decimate broad and critical privacy rights — with the high probability of negative effects and consequences that are almost impossible to overstate. If we do not maintain a balance between law enforcement goals (including but not limited to child abuse issues), and privacy rights, we will be flushing those rights we've had as law-abiding citizens down the toilet — all in the name of seemingly laudable goals. The Internet is rapidly becoming involved in most technology-based human communications. The sensitivity of Internet user activity data can be enormous. Broadly mandated data retention would move us drastically toward the realm of previously unimaginable "nightmare" scenarios (such as requiring the recording of all telephone calls, or the installation of government cameras in bedrooms — both actions that could indeed be useful for law enforcement purposes). Without wishing to sound melodramatic, I strongly assert that if we don't take a stand now, we are likely to see the wonders of the Net repurposed into shackles that have the potential to undermine the very basis of our fundamental freedoms. Lauren Weinstein +1 (818) 225-2800 http://www.pfir.org/lauren Co-Founder, PFIR People For Internet Responsibility - http://www.pfir.org DayThink: http://daythink.vortex.com email@example.com http://lauren.vortex.com
This Ad is REALLY SCARY.... http://www.adcritic.com/interactive/view.php?id=5927 [Illustrative of what is to come? Worth viewing if you have not yet seen it (it's been around for a while). PGN]
Some computer professionals will need to get a Private Investigator license just to continue doing their computer work. I imagine this will also apply to accountants and auditors, in fact anyone who analyses data that is on computer systems, on behalf of some other company, and perhaps people who work at software houses, computer retailers, whoever does repairs to computers, installations of new stuff. We will have to be asking suppliers of firewall, anti-virus, anti-spam, anti-spyware etc. if they have a PI license, otherwise it might be illegal to buy their products, and if there are no such suppliers, then it may be illegal to be protected against the cyber-criminals. Companies will need to get an opinion from their lawyers, with respect to filing annual reports with the state and with government regulators. We are supposed to swear this data is correct under penalty of perjury, but it was derived by accounting and computer experts, not Private Investigators, but now it is illegal to get such data from people who are not Private Investigators? Does this also mean that Police Department personnel need to get a PI license before they may testify in court? From Security in the news. https://thei3p.org/pipermail/security-news-html Forensic felonies, *The Register*, 26 Apr 2006 A new Georgia law aimed at private investigators now ``extends to computer forensics and computer incident response, meaning that forensics experts who testify in court without a PI license may be committing a felony''. The ``law requires all private investigators in the State of Georgia to be licensed'', and is ``intended to prevent people from simply opening up shop and claiming to be PIs.'' However, the ``problem lies in both the definition and interpretation of what services can only be offered by a licensed PI, and how that extends into the electronic world.'' Forensic experts, by definition help individuals and business owners to find, the `cause and responsibility for ... losses and damage to ... property'', which is exactly how the law describes the duties of private investigators, meaning that under the new law forensic experts would be committing a felony in the course of their usual trade. Other states will similar laws include California, Arizona, Utah, Nevada, Texas, Delaware, and New York. An exception allowing attorneys, and those working directly under, as well as any in- house experts a business may have, provides protection for some. http://www.theregister.co.uk/2006/04/26/law_change_for_pis
*The Mainichi Shimbun* reported that information on about 66,000 subscribers (including names, addresses, phone numbers, dates of birth, and e-mail addresses) was leaked onto the Internet. This resulted from an employee copying the data onto his own computer, which was thought to have been infected with a virus that exploited a vulnerability in the *Share* file-sharing application. [Source: *The Japan Times*, 28 Apr 2006; PGN-ed] http://search.japantimes.co.jp/cgi-bin/nn20060428a3.html
We're informed that identity may be stolen up to 7 years after the present theft. And a colleague asked "if laptop be retrieved, will we be told?" -- as if they'd never heard of copying. LF Date: Fri, 21 Apr 2006 14:32:44 -0400 From: Drexel Special Announcment <firstname.lastname@example.org Subject: Your Free CreditWatch Program has been Extended to Two Years As you know, Drexel has been informed by Deloitte & Touche, an independent firm that has conducted regular audits of our financial statements since 2001 that a laptop computer stolen from an employee of Deloitte & Touche contained files with personal information on current and retired Drexel employees, including Social Security numbers and birth dates. [Lengthy plug for Equifax Personal Solutions omitted... PGN] Leonard X. Finegold, Physics, Drexel University, Phila. PA 19104 L@drexel.edu 1-215.895.2740
Iron Mountain Inc. has apologized for losing personal data, including Social Security numbers, for as many as 17,000 Long Island Rail Road employees and former employees. [Source: Chris Reidy, *The Boston Globe*, 28 Apr 2006; PGN-ed] http://www.boston.com/business/globe/articles/2006/04/28/data_storage_firm_apologizes_for_loss_of_railroad_data_tapes/
A bomb scare that lead authorities to evacuate security checkpoints for two hours at Atlanta's Hartsfield-Jackson International Airport on 19 Apr 2006 was reported by the Transportation Security Administration director as the result of a "software malfunction". The detected device was part of a routine test, but apparently could not be located. The software was supposed to follow up with a "This is a test" message, but apparently failed to do so. [Source: cnn.com, 20 Apr 2006; PGN-ed] http://www.cnn.com/2006/US/04/20/atlanta.airport/index.html You've probably seen this one a few times (certainly since it got picked up by Slashdot), but it seems strangely reminiscent of the SAC/NORAD incidents of June, 1980 and November, 1979 (particularly the 1980 incident). (See http://www-ee.stanford.edu/~hellman/Breakthrough/book/pdfs/borning.pdf and Neumann's "Computer-Related Risks" book.) The risks seem obvious here - whether testing the alertness of operators (as the Atlanta incident) or the systems (as in the 1980 SAC incident), we have to think about the consequences of test data on operational systems...
In the 21 Apr 2006 issue of *The Washington Post* there is a story about a man in suburban Maryland who was suffering chest pains and called 911. But before he could tell the operator where he was, he passed out. The emergency squad responded to the address shown for the phone number, but it was the main building for the company and the main was in an adjacent building. The emergency personnel searched the building but did not find anything. He was found dead in his office ten hours later by a cleaning crew person. So the identification information shown by some systems to the 911 centers is linked to the main switch and its location and not the physical location of the unit making the call. http://www.washingtonpost.com/wp-dyn/content/article/2006/04/20/AR2006042001923.html [This is not unusual, and clearly needs to be recognized as a risk. PGN]
The National Highway Traffic Safety Administration and the Virginia Tech Transportation Institute tracked the behavior of drivers in 100 vehicles equipped with video and sensor devices. The results: Inattentiveness caused by drivers using a cell phone, applying makeup, and being distracted from the road — all caught on videotape -- cause nearly 80 percent of crashes and 65 percent of near-crashes, according to the study. Each distraction carried a different risk of causing crashes or near crashes: reaching for an object increased the risk by nine times; drowsiness by at least four times; and applying makeup by three times. The one-year study ... cited cell phone use and drowsiness as the major causes of distraction. [Source: Kathy Uek, *Metrowest Daily News*, 21 Apr 2006; PGN-ed] http://www.metrowestdailynews.com/localRegional/view.bg?articleid=127986
> An interesting one this. Unless this got misprinted somewhere, they must > have gone to 64-bit arithmetic to issue bills this big. Far more likely is that their billing system is written in COBOL, and uses BCD arithmetic. In fact, since errors of a fraction of a penny are significant in telephony billing, I sincerely hope that they use BCD, and don't run the risk of binary representation errors. See also <URL:http://www2.hursley.ibm.com/decimal/>. This is how financial arithmetic should be done, and it's worth noting that the sample benchmark code simulates a telco billing system. http://www.pobox.com/~meta/
Any printable format can be counterfeited; even if the bank sent a protected PDF (and the protection worked), it could just be replaced with an entirely user-generated PDF. There are two methods for a bank to supply something that resembles proof of a transaction: 1. Digitally sign a statement of transaction. This has the weakness that most people can't verify the signature. 2. Provide a token (preferably opaque) that when entered into the bank's web site, provides the bank's view of the transaction as shown in the bank's records.
> What do folks know about securing PDF documents? I know that encrypted and > password-protected PDFs are fairly easily cracked Obviously, the only way of handling this is to digitally sign the PDF, and get the recipient to check the signature. However, if you put a legible note to do so on the PDF itself, the mand-in-the-middle attacker might remove that while falsifying the date...somewhat of a catch-22. In this context, it remains unclear whether the functionality built into the reader allows one to display _only_ the signed portion of the document. If not, the attacker can add additional (unsigned) objects that overwrite some of the displayed data with whatever she needs for her purposes. Technically, the signature will be verified, but the recipient perceives something different from what is signed - the What-you-see-is-what-you-sign problem. There are, of course, ways to work around it (also in the context of PDFs), but they require investment and additional work at both ends of the chain. Jan Vorbrüggen - MediaSec Technologies, Berliner Platz 6-8, D-45127 Essen +49 201 437 52 52 email@example.com http://www.mediasec.com
> ... "Rather interesting," said Lewis Carroll, spokesperson for the > university, "several college buildings are quite off their correct > location." Unfortunately, initial estimates for moving the buildings and > roads to correct these discrepancies are too expensive, so, as Carroll > puts it, "we will have to put up with these problems, but we will annotate > the map to show where these placement errors occur." By coincidence (presumably!), the following item appeared in the uk.railway Usenet group recently. Background is that Colne and Skipton are two small towns in northern England, about 30 miles/50km north of Manchester; they are only about 12 miles/20km apart, but the railway line between them was closed some years ago, so although they retain their stations, traveling between them by train means taking an amazingly circuitous route — you could probably do it quicker by bicycle. Date: Wed, 12 Apr 2006 13:45:32 +0100 From: firstname.lastname@example.org (Steve Broadbent) Newsgroups: uk.railway Subject: Re: Clitheroe-Hellifield > Why did that line close in the first place? Was it something to do with > the (now abandoned) plan to extend the motorway? When I was chairman of the SELRAP re-opening campaign group (www.selrap.org.uk), the story we were told that held sway locally was that a BR [British Railways] network map was shown to Barbara Castle, then Minister of Transport, which showed, erroneously, the Skipton-Colne line missing and thus closed. Thus rather than admit the error to the Minister, the line was duly closed. It was not closed as a result of Beeching [plan for rationalisation of UK's railways in 1960s], it did not close till January 1970
> I imagine that there will be a consumer market for this. Oh yes! > * Then the next society development will be that objects where RFID was > inserted for purposes of identification, like in ID cards, Passports etc. > will malfunction because someone had used the RFID Zapper on them, > rendering those people's ID unusable for the intended purposes. Indeed so. And what are the issuers' and verifiers' fallback positions when this happens, be it inadvertently or on purpose, either by the holder or by a third party? At least ICAO has now woken up to the problem and is actively pursuing such fallback positions. Imagine an A380 load of passengers waiting at US immigrations, and somebody uses an RFID zapper on the crowd, perhaps to make it easier for some of the passengers to enter the US illegally. People are already not amused by the prices they have to pay for the "RFID- enhanced" ID documents (above 100 Euro / 125 USD), which is about 3-5 times the current pricing. Lifetime issues are also a continuing problem - nobody believes the chips will last the 10 years that are these documents' lifetimes now. For frequent travelers, even the promised three years will be iffy. > * Then stores, and other institutions, will have to institute rules that > people are not allowed to enter their premises carrying an RFID Zapper, so > as to prevent unauthorized usage on the store merchandise. That won't help some other, commercially relevant scenarios. As a variation of the above, consider me running a pharmaceuticals warehouse for a whole saler in a commercial district, with my competitor on the adjoining property. Everytime a truck drives up to unload, I activate my device that will zap perhaps 30% of all RFIDs in the packages that are being unloaded. Now consider all ramifications of this, both business and regulatory. It's a nightmare. Jan Vorbrüggen - MediaSec Technologies, Berliner Platz 6-8, D-45127 Essen +49 201 437 52 52 email@example.com http://www.mediasec.com
The gist of the item is correct, but the fact of the matter is that it's not 3DES itself that is causing the problems. The 20-year old magnetic stripe infrastructure is the root cause, and moving to chip-and-PIN is the fix that everyone except the USA is in the midst of adopting. In stereotypical and steadfastly arrogant fashion, USA banks are refusing to move to chip- and-PIN, whilst at the same time refusing to accept any international liability for not doing so. Have our cake and eat it too, anyone? Softwood lumber, anyone? It's widely expected that magstripe skimming fraud will migrate to and become a significant distinguishing feature of the US retail marketplace, if it isn't already. Of course, any costs - either way, to deploy chip or continue to swallow increasing magstripe fraud - will continue to be externalized by the Banks to their retail consumers: you and me. However, the article is absolutely right on one account: there's no way to go chip-and-PIN without 3DES. If that requires a Windows update to effect, well, the US Supreme Court made that risk assessment for all of us some while ago.
They can be done in one of two ways. My home town of Arlington County, Virginia is using them. First, the cars are put out on the street, legally parked, unlocked, with the keys in the ignition. Someone comes by, sees the car, gets in and drives off. Within one block the car is disabled and locked. The thief (and anyone with them) is busted red handed for stealing a car. Faced with them caught locked in the stolen car and video evidence of them getting into and driving off a car they have no legal right to be in, they always plead guilty. My understanding is that when the immobilization feature is used it is done while the police are watching that particular vehicle and it's done within a very short period of time, say a block or two of the person driving off, the idea (I presume) is the police are going after the "low hanging fruit" of casual joyriders. (Please don't think I'm considering this lightly. I've had a vehicle robbed from maybe ten years ago, and I had a (different) car stolen a couple of years ago. I had the unfortunate privilege of getting the vehicle back, the guy who stole it was caught (unfortunate because the car wasn't worth very much but was fully insured and it would have been better for me if the insurance company had paid me for the legitimately stolen car) and the fortunate privelege that the guy who stole it learned his lesson, he went out, found work and actually paid me back for all of the damages I had to repair on the car. The county sent me a check a few months ago.) In the secondary case, cars are allowed to be stolen by professionals, who now move them to walk-away parking lots where they leave them for a while in case the vehicle has Lojack or other tracking systems to see if the police come after them. The police let the vehicle sit, and when the other thief comes to get it, they follow it to its destination and bust the chop shop operator (most vehicles are stolen for rendering because it's worth more disassembled as parts than the vehicle as a whole and the parts are untraceable). In this scenario, the police are not going to immobilize the vehicle or trap the driver because they want the driver to get wherever it's going so they can bust him (or her) and the theft ring. > But presumably no one thinks of prosecuting an attacker who was not also > caught attempting to attack a real server. Or do they? If you can catch them. Clifford Stoll tells in his book "The Cuckoo's Egg" about his efforts to discover why there was a 75c discrepancy in billing records on the computer system he was managing, and this lead him on an intercontinental chase for a cracker who was breaking into various systems and using some as gateways to others in an attempt to cover his tracks. A lot of cyber attacks are being run by botnets in which the operator sends one command out to a bunch of other "compromised zombie" computers that are then committing DDOS attacks, sending spam, storing warez, etc. Because they are using a non-logging intermediary, it's much harder to catch them. You have to find the zombies they are using, then trace the incoming traffic from those zombies (if you can). If the guy uses enough intermediaries it may be damn near impossible, at least for DDOS attacks. Basically, you need to "follow the money." Where there is spam being sent, someone is paying for the advertising, they need to be squeezed to find out whom they are using; if someone is doing a DDOS attack there almost certainly be an extortion demand, and the answer is to watch for whomever is coming to collect the money by flagging the transaction so they can be nabbed. In both cases it's the same: catching someone who has to be physically present to commit the crime is trivial; they have to be there to steal the car and (in the other case) they have to be at some physical location to pull extortion payoff money from a transfer agent. Compare that to catching someone who is using ten or twenty thousand compromised computers in ten thousand locations that may be in places as much as 1/2 way around the world from their actual location.
Please report problems with the web pages to the maintainer