Lowering Ourselves

It occurs to me that when a senior US government lawyer says:

foreign citizens passing through American airports have almost no rights. At most, Mary Mason told a hearing in Brooklyn, N.Y., passengers would have the right not to be subjected to “gross physical abuse.”

they are in direct contradiction to the US Constitution.

Read Chris Beck’s “CBC News: Flyers passing through U.S. have few rights, Arar judge told” for an analysis of how.

I remember when I was in Tel Aviv, a strike shut down the airport. Our travel agent found us tickets from Amman to London to Boston. It was only when we had the tickets in hand that we saw a stop in ‘DAM.’ It turns out DAM is Damascus, Syria. One of our party was Israeli. We joked that it would be no problem: they’d take him off the plane, torture him for a month, and then let him go. No problem. We changed the tickets, because we didn’t want to deal with crazy Syrian officials while in a transit lounge.

It’s quite sad that the US is treating people in a way that we feared Syria might. There’s no moral justification for forcing someone to enter the US, then denying they’re legally in the US, while denying them the protection of law against the actions of the government:

If passengers are deemed to be inadmissible, they have no constitutional rights even if later taken to an American prison. Mason told Judge David Trager that’s because they are deemed to be still outside the U.S., from a legal point of view.

“Someone who’s inadmissible is in the same category as the people that the CIA snatches and grabs from other countries,” said Barbara Olshansky, a lawyer for the U.S.-based Center for Constitutional Rights, which is suing a number of U.S. officials on Arar’s behalf.

“You are fair game for however the executive branch wants to treat you.”

Mason said the interpretation means travellers can be detained without charge, denied the right to consult a lawyer, and even refused necessities such as food and sleep.

To put it another way, once you give up the rule of law, as Ms. Mason has, it becomes challenging to explain how the actions of the United States differ from those of a kidnapper.

But beyond sad, this helps derail any hope we have left of being a positive force in the world. How can we tell the Iraqis that they should take our advice about how to build a society when we behave like this?

Flogging The Simian Is Back

In “A Life, Observed,” I mentioned that I’d been enjoying “Flogging The Simian,” and that she’d left due to privacy issues. Well, she’s back, and so are her “PDBs,” her summaries of what’s interesting: “I read approximately 50 newspapers every morning and report what I find there, with an emphasis on foreign or international events.” I usually find stuff I’d otherwise miss.

Trick-Or-Treaters To Be Subject To Random Bag Searches

America’s Finest News Source reports, “Trick-Or-Treaters To Be Subject To Random Bag Searches”:

“Individuals concealing their identities through clever disguise, and under cover of night, may attempt to use the unspecified threat of ‘tricks’ to extort ‘treats’ from unsuspecting victims,” Chertoff said. “Such scare tactics may have been tolerated in the past, but they will not be allowed to continue this Halloween.”

While he would not elaborate on the specific threat, Chertoff said his office had “heard a couple spooky tales,” and indicated that there was good reason to believe that Americans face “a very ghoulish scenario” this October.

Code/Data Separation

As I mentioned in my “Blue Hat Report,” I want to expand on one of my answers I gave to a question there. My answer involved better separation of code and data. I’ve since found, in talking to a variety of folks, that the concept is not so obvious as it seems to me.

The basic idea is that when opening a document, a program has to make a decision on how to treat various bits of it. When the bits are jumbled together, it’s harder to make the right decisions. It’s also harder to write security wrappers that will parse for things like JavaScript or Office document macros when those can be scattered throughout the document. The parser needs to understand the whole document, in the way that the receiver will, rather than just the code parts.

So if we were to separate code and data the way we’ve separated presentation and data into CSS and HTML, we should give serious thought to breaking out an HTML ‘script’ section. Yes, this would be hard, involving standardization, and there’s a huge back-compatibility issue to be dealt with. But it seems to me that a separate script section would mostly or completely break cross site scripting attacks.

Similarly, with MS Office moving to an XML data format, it would be great to have an explicit “macros” setting at the top of the document. (I haven’t checked to see where macros can occur in the current definition, but my belief is they can be scattered through the file.) [Update: See Kevin Boske’s comment, apparently Microsoft is doing this.]

Several years back, I had a conversation with the person responsible for macro security in Office. I really wanted “tell me more” to link, not to the help, but to either a static analysis of the macros, or their content. Through the conversation, I was convinced that that was a great idea for a few hundred, or maybe even a few thousand people, but I was unable to suggest a dialog box that would give a typical user useful decision-making context and data.

If macros were at the top of the XML, then I could do what I really wanted to do: Read the macro myself before opening the document. (I don’t trust that “disable macros” is fool-proof.) If I were writing a document firewall, I could make it faster and more effective.

One final point: Separating code and data allows the parsers to be smaller and more modular, which means faster and more reliable.

By separating code and data, not only do you gain security, but you gain performance and reliability. The sooner we start dealing with the back-compatibility issues, the better off we’ll be.
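To make the argument concrete, here is an added example (mine, not the post’s, and not any Microsoft or W3C format): a Python sketch of the “document firewall” mentioned above, run over two constructed XML layouts. The tag names (`doc`, `macros`, `macro`, `para`, `section`) are invented for the example. In the legacy layout a `<macro>` can sit anywhere, so the scanner has to parse and walk the whole tree; in the separated layout all code is declared in a `<macros>` element that must come first, so the scanner reads that one element, makes its decision, and never touches the body.

```python
"""Document-firewall sketch for the code/data separation argument.

Added example, not code from the post or from any document format vendor.
Tag names below are invented. Both scanners return the code they found
plus how many elements they had to visit to find it.
"""
import io
import xml.etree.ElementTree as ET

# Constructed sample: code scattered through the body, as the post fears
# current formats allow.
LEGACY_DOC = """<doc>
  <para>Quarterly numbers</para>
  <table><cell>1</cell><cell>2</cell></table>
  <macro name="AutoOpen">MsgBox "hello"</macro>
  <para>More text</para>
  <section><macro name="Helper">x = 1</macro></section>
</doc>"""

# Constructed sample: all code declared up front in one <macros> element.
SEPARATED_DOC = """<doc>
  <macros>
    <macro name="AutoOpen">MsgBox "hello"</macro>
    <macro name="Helper">x = 1</macro>
  </macros>
  <para>Quarterly numbers</para>
  <table><cell>1</cell><cell>2</cell></table>
  <para>More text</para>
</doc>"""

# Constructed sample: separated layout, no code at all.
CLEAN_SEPARATED_DOC = """<doc>
  <macros/>
  <para>Nothing but data here</para>
</doc>"""


def scan_legacy(xml_text):
    """Code may be anywhere, so parse the whole document and walk every
    element. Returns (macro_names, elements_visited)."""
    root = ET.fromstring(xml_text)
    names, visited = [], 0
    for el in root.iter():
        visited += 1
        if el.tag == "macro":
            names.append(el.get("name"))
    return names, visited


def scan_separated(xml_text):
    """Code is declared in the first child, <macros>. Parse incrementally and
    stop the moment that element closes; the body is never examined.
    Raises ValueError if the document does not follow the layout, so a file
    that merely claims to be separated is rejected instead of guessed at.
    Returns (macro_names, elements_visited)."""
    names, visited = [], 0
    stream = io.BytesIO(xml_text.encode("utf-8"))
    for event, el in ET.iterparse(stream, events=("start", "end")):
        if event == "start":
            visited += 1
            if visited == 2 and el.tag != "macros":
                raise ValueError("first child of <doc> must be <macros>")
            if el.tag == "macro":
                names.append(el.get("name"))
        elif el.tag == "macros":  # end of the code section: decision time
            break
    return names, visited


def decide(xml_text, layout, allow_macros=False):
    """Firewall policy. Returns (verdict, macro_names, elements_visited) where
    verdict is 'allow' (no code), 'review' (code present; hand it to a human
    before the document is opened) or 'block'."""
    scan = scan_separated if layout == "separated" else scan_legacy
    names, visited = scan(xml_text)
    if not names:
        return "allow", names, visited
    return ("review" if allow_macros else "block"), names, visited


if __name__ == "__main__":
    print(decide(LEGACY_DOC, "legacy"))              # block after 9 elements
    print(decide(SEPARATED_DOC, "separated", True))  # review after 4 elements
    print(decide(CLEAN_SEPARATED_DOC, "separated"))  # allow after 2 elements
```

The element counts are the performance point of the post in miniature: the separated scanner stops after the declared section no matter how large the body is. The `ValueError` is the check a firewall needs alongside that shortcut: a file that claims the separated layout but does not follow it is rejected rather than quietly handed to the slow path, since guessing at layout is exactly how scattered code slips past a wrapper.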

The President Endorses This Blog


You might have thought that the White House had enough on its plate late last month, what with its search for a new Supreme Court nominee, the continuing war in Iraq and the C.I.A. leak investigation. But it found time to add another item to its agenda – stopping The Onion, the satirical newspaper, from using the presidential seal.

The newspaper regularly produces a parody of President Bush’s weekly radio address on its Web site (www.theonion.com/content/node/40121), where it has a picture of President Bush and the official insignia.

“It has come to my attention that The Onion is using the presidential seal on its Web site,” Grant M. Dixton, associate counsel to the president, wrote to The Onion on Sept. 28. (At the time, Mr. Dixton’s office was also helping Mr. Bush find a Supreme Court nominee; days later his boss, Harriet E. Miers, was nominated.)

Citing the United States Code, Mr. Dixton wrote that the seal “is not to be used in connection with commercial ventures or products in any way that suggests presidential support or endorsement.” Exceptions may be made, he noted, but The Onion had never applied for such an exception.

Silly Onion. Everyone knows the President reads and endorses Emergent Chaos, not the Onion. Who’d read anything with such a silly name?

From The New York Times, “Protecting the Presidential Seal. No Joke.”

PS: Dear Mr. Dixton, I’d like an exception for satirical use, but couldn’t find a form on your web site.

Counting In Computer Security


Last week in “Notes from the Security Road,” Mike Nash wrote:

My favorite moment on the trip — which actually resulted in my circumnavigating the entire globe in just a week — was when we illustrated the difference in the number of vulnerabilities in Windows Server 2003 compared to its competitive product, Red Hat Enterprise Linux 3. Steve held Red Hots candies for each vulnerability that he would have had to manage as a Red Hat customer in the last six months. Steve ended up dropping quite a few candies on the floor with 217 Red Hots (for 217 vulnerabilities in the last six months) to hold. In contrast, Windows Server 2003 only had 32 vulnerabilities for the same period.

I find this to be a fascinating statement on a whole bunch of levels. Firstly, because it’s such a great visual: Red Hots slipping out of your hands, and bouncing around the floor.

But then I asked myself, what are those Red Hots? Are they just candy? As Red Hots they are discrete, countable bits of cinnamon goodness. But what is candy, but sugar (and in this case cinnamon)? The bag of sugar that goes into the Red Hots is just that, a bag of sugar which the Ferrara Pan Candy Company separates and crystallizes into Red Hots. But there are other ways to mix that sugar into candy. For example, when you take that same weight of sugar, melt it and add hot air, you get a big blob of cotton candy. (Unfortunately, I don’t have a cotton-candy machine, or you’d have a picture of how big they get.) Or if you melt 217 Red Hots together into a lump, you get something more densely packed, and more manageable. Perhaps it’s sad, but I’m spending a lot of time lately dealing with questions of taxonomies and atomic units in security configuration, and so I can barely help asking what they measured, and how they chose to divvy up the sweet mess that is vulnerabilities. It’s also interesting because (as I’ll explain) they happen to be slightly factually incorrect in the claim.

More after the break.


Business lobbies engage in rent-seeking. Masses not moved. Film at 11.

Various data protection bills to be consolidated?

[P]ressure to act isn’t coming from the public clamoring for protection of their private information, it is coming from the business community that fears 50 different state laws. In many ways this improves the chances for a new federal law, because while the onslaught of data breach stories has slowed, the pressure inside the Beltway for preemption of state laws from business groups isn’t likely to stop.

USACM Technology Policy Web Log
In my earlier post on this, I said these bills were interesting in ways that transcend information security. What I had in mind was the textbook illustration they provide of interest group politics.
The ACM’s Tech Policy blog has had great coverage of all of this for a while. Highly recommended.

How Not To Train Users

To provide the fastest access to our home page for all of our millions of customers and other visitors, we have made signing in to Online Banking secure without making the entire page secure. Again, please be assured that your ID and passcode are secure and that only Bank of America has access to them.

Read Peter Gutmann’s “US Banks: Training the next generation of phishing victims” on the Cryptography mailing list.

As translation, “To save a buck, we’re going to make it even harder to tell if you’re at a real Bank of America site, or a fake. We care about your privacy.”

Flock’s Progress

Posted by Adam

Lots and lots of people are commenting on the first public release of Flock. After I met Bart Decrem, he was nice enough to let me into the alpha, and so I’d like to offer a slightly different perspective, about what’s changed, and the rate of change.

I think that examining what’s changed in a few months is valuable, because it tells you about how agile and responsive a company will be.

First things first: the new home page. The explanations of how to get started are new, and a great help.

Next, the blog editor in which I’m typing this. It’s now a window, as opposed to a tab, which makes a lot of sense. Some old features which made things hard to use are gone, and I like the new editor a lot more. Tooltips would rock, as would a way to see what’s being tracked back. It would also be nice to apply my blog’s CSS to a post as I edit, but I can see how that might be tricky. (Let me also note that when I saved this blog post, quit Flock, and re-opened it, each period followed by anything other than a newline had a question mark after it.)

It now has an integrated history search. Browser history search is awesome, as I’ve talked about before, and integrating it into the browser makes lots of sense. Integrating it into the browser history is really a nice idea, although Retrospective’s ability to display context is also cool.

Finally, it feels much more responsive than it did before.

I think it’s solid progress, and I’m quite glad to see someone thinking about taking the browser to a new level.

Sessions Bill/Breach Monday

In ‘honor’ of the Sessions bill (see “The hand is quicker than the eye” and “Adding Silent Insult to Injury (Senator Sessions’ ‘privacy’ act)“), we offer up stories about three breaches. Under Sessions’ bad law, the state of Georgia would not be coming clean with its residents, nor would the California school system.

I think it’s coincidence that two of the three breaches today are by government agencies, but this bill puts business ahead of the American citizenry.

5.2% of Georgia residents to get Notice of Stolen Personal Data

State officials on Friday began notifying 465,000 Georgians that they might be at risk of identity theft because of a government security breach detected in April.

Joyce Goldberg, spokeswoman for the Georgia Technology Authority, emphasized that officials had no evidence that any personal data had been used for fraudulent purposes. But she said officials are alerting 244,000 motorists and 221,000 retired teachers, state employees, school employees and others who participated in the state Health Benefits Plan in 2002 that a former GTA employee downloaded their personal information to his home computers.

Officials say they have yet to determine why Siddiqui wanted the information or why it appears not to have been used in three years.

Since the breach was uncovered, the GTA has changed its policies on employee access to information, Goldberg said. GTA employees also are required to sign a form promising not to disclose or misuse any information they have access to through their jobs.

From The Atlanta ‘Bugmenot’ Journal Constitution, “465,000 Georgians at risk for ID theft.” I’ve mentioned this story before in “Georgia DMV, employee Asif Siddiqui, ‘hundreds of thousands,’” and “Asif Siddiqui Update.” Georgia population 2004 estimate (8,829,383) from US Census Bureau.

California Schools, “tens of thousands” of Student Records, Default Passwords

The personal information of tens of thousands of California children — including their names, state achievement test scores, identification numbers and status in gifted or special-needs programs — is open to public view through a security loophole in dozens of school districts statewide that use a popular education software system.

The problem occurs when the districts issue a generic password to teachers using the system. Until the teacher changes to a unique password, anyone can type in a teacher’s user name and generic password and gain access to information about students that is supposed to be guarded as closely as the gold in Fort Knox.

From “Software glitch reveals private data for thousands of state’s students: S.F. administrators close program to update passwords.” Reporter Nanette Asimov was good enough to respond to my email and clarify that the ID numbers in question are not SSNs, making this far less bad than it could have been.

There’s a lesson there for businesses that are still using SSNs as identifiers. There’s also a lesson that some of the California privacy laws are having positive effects. I’ve discussed the positive effects of 1386 frequently, but also SB 168 (forbidding use of SSNs as identifiers in some places). California’s legislature is doing a good job of shifting the legal rules surrounding capturing and relying on government-authenticated identification information. We’re not where we ought to be, but we’re getting there.
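The failure mode in the quoted story, an issued generic password that stays in force until the teacher gets around to changing it, is one an administrator can audit for directly. The Python below is an added example, not code from the article or from the software it describes: it stores passwords as salted PBKDF2 hashes (my choice for the example), finds every account whose hash still matches an issued default, and refuses to let such an account in without a change, even when the account’s “must change” flag has been lost. The accounts and the default password are constructed; the real generic password is not in the article.

```python
"""Audit and login gate for accounts still on an issued default password.

Added example, not code from the article or the district software it
describes. Usernames, the default password and the hash parameters are
constructed for the example.
"""
import hashlib
import hmac
import os

ITERATIONS = 50_000  # PBKDF2 work factor; chosen for the example


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; returns raw bytes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_account(username, password, must_change):
    """Create an account record as a provisioning script might."""
    salt = os.urandom(16)
    return {"user": username, "salt": salt,
            "hash": hash_password(password, salt), "must_change": must_change}


def uses_password(account, candidate):
    """Constant-time comparison of the stored hash against a candidate."""
    return hmac.compare_digest(account["hash"], hash_password(candidate, account["salt"]))


def find_default_password_accounts(accounts, issued_defaults):
    """Return usernames whose stored hash matches any issued default.
    Relies only on the stored hashes, so it catches accounts whose
    must_change flag was never set or was cleared without a real change."""
    return [a["user"] for a in accounts
            if any(uses_password(a, d) for d in issued_defaults)]


def login(account, password, issued_defaults):
    """Returns 'denied', 'change-required' or 'ok'. An account on a default
    password never gets 'ok', whatever its flag says."""
    if not uses_password(account, password):
        return "denied"
    if account["must_change"] or any(uses_password(account, d) for d in issued_defaults):
        return "change-required"
    return "ok"


# Constructed data. teacher3 is the interesting case: the flag says no
# change is needed, but the password is still the district-issued one.
ISSUED_DEFAULTS = ["Welcome2005"]
ACCOUNTS = [
    make_account("teacher1", "Welcome2005", must_change=True),
    make_account("teacher2", "correct horse battery staple", must_change=False),
    make_account("teacher3", "Welcome2005", must_change=False),
]

if __name__ == "__main__":
    print("still on default:", find_default_password_accounts(ACCOUNTS, ISSUED_DEFAULTS))
    print("teacher3 login:", login(ACCOUNTS[2], "Welcome2005", ISSUED_DEFAULTS))
```

The audit is the part worth keeping after the article’s fix of “close the program to update passwords”: it runs from the stored hashes alone, so it does not depend on the provisioning flag being right, and it is the same check that makes the login gate safe against an account whose flag was cleared by a helpdesk reset.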

Montclair State University, 9,100 SSNs, Exposed Files

Due to what Montclair State University officials are calling an “inadvertent error,” the social security numbers of 9,100 Montclair State University students were made available online for nearly five months, putting each student at risk for identity theft and credit

Etc, etc, files found by a student ego-surfing on Google. Read “Negligence At MSU Exposes 9,100 Students to I.D. Theft” for more, and note the word “negligence” creeping into a story. Via InfoSecurity News