Choicepoint Roundup for Today (Feb 26)

  • Chris Walsh has a really good comment on yesterday’s roundup.
  • HCS asks, was Choicepoint going to be the data provider for the new national ID card?
  • Ed Bott finds that birds of a feather flock together: A company that falsely claimed that ICSA labs had certified their tool has an SSL certificate issued by everyone’s favorite vendor.
  • David Lazarus comments on the “We’re a victim” stance Choicepoint is taking. (Via Dan Gillmor.)
  • Greg Palast has discovered who charged New York $12m to identify DNA fragments of the WTC victims. (Via Logical Voice.)
  • The Atlanta Journal Constitution reports that Georgia’s attorney general has issued an ultimatum to Choicepoint. In a separate article, they report that Experian is seeing an uptick in paid subscribers to its credit monitoring service. Gosh, it must be nice to sell both bricks and windows. (Use Bugmenot for a login.)
  • Chapell has some thoughts on long term impacts.
  • and finally, today’s Two Minutes Hate are brought to you by … Vocal Minority.

What’s with this Dialog?

This dialog box is modal. It has no “take me there” button. Even having taken notes, I couldn’t figure out how to follow the instructions. You can “clear formatting” and make spell checking work again. A double-feh at Redmond. I take back all the mean things I said about Firefox this morning.

Two Minutes Hate

So everyone seems to be accepting at face value the claim that Choicepoint was scammed by Olatunji Oluwatosin and colleagues not yet named. But let’s step back, and ask, was there a scam? Why did these folks need to cheat? Was it habit, or necessity? What was really needed to get a Choicepoint account of this sort? (And given that they’re changing it, what will be needed?) Could I set up Adam’s Background Checking tomorrow, and be able to access this data?

Choicepoint claims to traffic in public records, so really, what’s stopping me? Why shouldn’t they be selling me this stuff? Can I use the stuff they’d sell me for identity theft? Where are the non-public bits? What’s the need for a scam?

Choicepoint Roundup for Today

  • The Associated Press has a story “Burned by ChoicePoint breach, potential ID theft victims face a lifetime of vigilance” (actually, we all face a lifetime of vigilance, as these companies make buckets of money by gossiping about us). The money quote:

    Many victims are dumbfounded by the dearth of federal and state laws aimed at protecting their credit histories and other information about them that data brokers gather and sell to institutions including news organizations, banks and, increasingly, companies vetting prospective employees. Victims are also frustrated by the amount of time it takes to re-establish identities.

  • How can I not link to an article titled “Lycos and meet-markets are latest thieves of personal identities, souls and dreams“?
  • Cutting Edge of Ecstasy draws a choice quote from this NYTimes story. On Feb 16th, Chuck Jones said:

    ‘California is the focus of the investigation and we don’t have any evidence to indicate at this point that the situation has spread beyond California.’ Is he the same guy that wrote their slogan?

  • The US Senate will be holding hearings on information brokerage. (Via this Wired roundup story. I expect bad law will be the result. It’s too bad that these companies have dug in their heels, rather than collaborating on a much needed law to regulate themselves.)
  • The New York Times has more on Senator Schumer’s position.
  • Monkey McGee gets a Choicepoint press release dumped in his comments.
  • Mercury Rising comments that the mainstream media isn’t covering the Florida debacle, in which Choicepoint played an important role.
  • Public Domain Progress has a nice roundup interspersed with lots of analysis.
  • The Atlanta Journal Constitution reports that Choicepoint execs have been dumping their own stock since this started.

Roger McNamee on Sarbox

Roger McNamee has an article on how Sarbanes-Oxley is hurting public companies by making their guidance more conservative than it should be.

It’s hard for executives to avoid providing some form of guidance – investors generally insist on it – but they have a big incentive to understate the outlook early in the fiscal year. As annoying as the recent sell-off must be to executives, it is the lesser of two evils. No executive wants to invite shareholder litigation by falling short of aggressive guidance, so most execs put out the lowest guidance they think they can get away with. As the year progresses, the guidance window gets shorter and shorter, and the trend line in fundamentals provides investors with greater confidence in the outlook for the year.

When you combine that problem with the increased bar for a company to go public, which I wrote about in Sarbox and Venture Capital, the damage done by laws passed quickly becomes increasingly clear. Which is all the more reason to take our time and write a decent privacy law in the aftermath of Choicepoint.

Finding Security Issues

In Today’s Choicepoint Roundup, I mentioned that Richard Smith had found a number of issues with Choicepoint’s web sites. In discussion, Richard told me that the issues included (but were not limited to) robots.txt files and directory listings enabled.

The robots.txt standard is a way to tell search engines “please don’t go here.” That’s useful if you have a section of the site that’s database driven and can send a crawler into infinite loops, of no value to either the search engine or your site. It can also be used to say, “please don’t index these ‘secret’ documents.” But then those documents are not only not secret, the file itself now points at them, so anyone gathering data can find them. Such a person is not an attacker; you chose to put that data on the web without any protection.

Similarly, directory listings being enabled may or may not be a security issue. You may want all users to be able to see all the documents in a directory. Or you might have made a mistake, and a listing is the fastest way for a visitor to find the file you never meant to publish.

When building automated vulnerability scanners of any sort, these issues raise thorny questions. This applies across the spectrum, from Nessus-style credential-free scanners that look for known vulnerabilities, to Nikto, which looks for classes of common implementation flaws, to static code analyzers like Splint. You’ll always find things which may or may not be OK in context. A system running a web server may be your corporate web server, or it may be a forgotten instance on a developer’s desktop, full of flaws. That strcpy(foo, bar) may never see attacker-provided data. The creators of these tools try to categorize and describe what they’ve found to help their users. Consultants offering a service around the tools learn what questions to ask, to sort through the issues faster and focus on those that matter.
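To make that triage problem concrete, here’s a small added example of mine; it is not code from the original post, nor from Nessus, Nikto or Splint. It reads a site’s robots.txt, visits each Disallow entry, and decides whether what it finds is a crawler trap, a directory listing, or something that only the site owner can judge. The site contents (robots.txt and a few pages) are constructed inline so it runs offline, and the “sensitive” word list and listing signatures are assumptions you would tune per engagement.

```python
"""Added example: triage of robots.txt Disallow entries and directory listings.

Not code from the original post or from any scanner it names. SITE is a
constructed stand-in for a web server so the example runs offline; in real
use, `get` would be a function that does an HTTP GET and returns the body.
"""
import re

# Constructed sample site: path -> response body (None = not reachable).
SITE = {
    "/robots.txt": """User-agent: *
Disallow: /cgi-bin/
Disallow: /search          # database-driven, loops forever for a crawler
Disallow: /internal/reports/
Disallow: /backup/
""",
    "/internal/reports/": """<html><head><title>Index of /internal/reports</title></head>
<body><h1>Index of /internal/reports</h1><pre>
<a href="?C=M;O=A">Last modified</a>
<a href="q4-customer-list.xls">q4-customer-list.xls</a>
<a href="audit-2004.pdf">audit-2004.pdf</a>
</pre></body></html>""",
    "/backup/": "<html><body><h1>403 Forbidden</h1></body></html>",
    "/cgi-bin/": "<html><body>Not Found</body></html>",
}

# Assumption: words suggesting an entry hides content rather than fencing
# off a crawler trap. Tune this list for the site you are looking at.
SENSITIVE_HINTS = ("internal", "backup", "private", "secret", "admin", "report")

# Assumption: default index-page markers for Apache ("Index of") and IIS.
LISTING_SIGNATURES = (
    re.compile(r"<title>\s*Index of ", re.I),
    re.compile(r"Directory Listing", re.I),
)


def parse_robots(text):
    """Return every Disallow path in a robots.txt body, comments stripped."""
    paths = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        field, value = line.split(":", 1)
        if field.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def looks_like_listing(body):
    """True if the body matches a known auto-index page signature."""
    return any(sig.search(body) for sig in LISTING_SIGNATURES)


def listed_files(body):
    """Names linked from a listing page, minus the sort-order links (?C=...)."""
    return [h for h in re.findall(r'href="([^"]+)"', body) if not h.startswith("?")]


def classify(path, body):
    """Decide what a Disallow entry means. 'needs-context' is the honest
    answer for most findings: only the owner knows whether it was meant
    to be public. Returns (severity, reason)."""
    hinted = any(h in path.lower() for h in SENSITIVE_HINTS)
    if body is None:
        return "info", "disallowed path not reachable"
    if looks_like_listing(body):
        # A listing on a path the owner tried to hide is the robots.txt
        # paradox from the text: the file points straight at the data.
        return ("high" if hinted else "needs-context",
                "directory listing enabled on a path robots.txt tries to hide")
    if hinted:
        return "needs-context", "sensitive-looking path advertised in robots.txt"
    return "info", "disallowed path, probably a crawler trap"


def triage(get):
    """Run the checks; `get(path)` returns a body or None."""
    findings = []
    for path in parse_robots(get("/robots.txt")):
        body = get(path)
        severity, reason = classify(path, body)
        files = listed_files(body) if body and looks_like_listing(body) else []
        findings.append({"path": path, "severity": severity,
                         "reason": reason, "files": files})
    return findings


if __name__ == "__main__":
    for f in triage(SITE.get):
        print(f"{f['severity']:13} {f['path']:20} {f['reason']}"
              + (f" -> {', '.join(f['files'])}" if f["files"] else ""))
```

The point of the three buckets is that only one finding here is clear-cut: a listing of customer spreadsheets under a path the owner tried to hide. The 403 on /backup/ and the crawler trap on /search need a human (or the owner) to say whether they matter, which is exactly the sorting work the tools and consultants do.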

Similarly, an outsider looking at T-Mobile, Choicepoint, or PayMaxx has the same problem interpreting what they see, and may end up trying to explain to a company that they weren’t trying to hack the site, they just stumbled across the issue.

I often see things which make me ask, “Hey, is there a serious security issue here?” and the answer is usually determinable within 5 minutes. Since I’m trying to do business with the company (which is why I’m on their site), I’d like the issue fixed.

Mature disclosure models need to improve not only the researcher side, but the way vulnerability reports are received. (“Press 9 to report a security problem with our web site.”)

Small Bits of Chaos: Conferences and What Would Dylan Do?

This Concealed I conference in Ottawa March 4-5 looks really good.

Bob Dylan joins the cypherpunks in skipping Woodstock for his trig homework: “I wouldn’t even think about playing music if I was born in these times… I’d probably turn to something like mathematics.” (NME, via Scrivner.)

Who did this: Privacy Enhancing Technologies, May 30-June 1. Security and Economics, June 2-3. Feh.

Today’s Choicepoint Roundup

  • The Privacy Rights Clearinghouse has an extensive sheet on what to do if you’re a victim of Choicepoint’s failure to secure data.
  • SoftReset calls for banning the use of SSNs for non-government purposes. I take a slightly more moderate view: Anyone using the SSN is already subject to GLB liability.
  • Random Thoughts on Politics comments that Choicepoint is really an end-run around controls on government monitoring of citizens.
  • The folks with the Google ad have sued Choicepoint in the past, over the FL drivers license thing. (That’s an interesting background link, even if you’re not in Florida.)

  • Richard Smith, a longtime privacy advocate and security bug finder, sends a note to the Web Application Security list, explaining that he’s found many problems with Choicepoint sites.
  • Coverage is getting broader, as Red Herring covers things. Which raises the question, who notified whom? Reuters claims that the authorities notified Choicepoint, while Choicepoint claims they notified the authorities. Let’s see…who has motive to lie?
  • The Atlanta Journal Constitution reports that California is wondering why the notifications took so long. Was it not due to law enforcement requests?
  • Stefan Brands steps away from the noise and explains what identity providers should learn.