More info, thoughts on Troy Group breach

In an interesting article, the St. Louis Post-Dispatch reports new information about the recent breach of the “eCheck Secure” system run by Troy Group.
According to the article, the number of potential Scottrade victims is 140,000. Troy Group published a news release revealing they got hacked, and notified their financial sector customers, including Scottrade, the same day. Scottrade isn’t using Troy Group’s service any more, and probably won’t use it in the future.
Given that “the hack” was a matter of public record on October 25, and Scottrade knew about it, why did it take them a month to let their customers know what happened?
Given that Troy Group has other financial sector customers, has any of them sent notices to their customers? Which have, and which haven’t? Why? This issue was raised in a comment by Roy to an earlier blog entry.
Why isn’t Troy Group talking? Maybe it’s because the mainstream press hasn’t latched onto this one yet. I suspect that may change.
Am I the only one who sees potential parallels to CardSystems here? Troy Group’s market cap is $26,000,000.
Finally, a confession. Remember the Simpsons episode where the Comic Book Guy is totally into everything having to do with the Radioactive Man movie? Well, if security breaches are Radioactive Man, I am the Comic Book Guy, and I can’t believe I missed the Troy Group press release. This is exactly why mandatory reporting to governmental agencies (as New York’s law requires) is a good idea.

EFF: Why Bother With DMCA comments?

The EFF has decided that the DMCA “rulemaking process is simply too broken” for them to bother commenting on it any further. See “DMCA Triennial Rulemaking: Failing Consumers Completely:”

EFF has participated in each of the two prior rulemakings (in 2000 and 2003), each time asking the Copyright Office to create exemptions for perfectly lawful consumer uses for digital media that are encumbered by DRM restrictions. For example, we asked that DVD owners be allowed to skip those “unskippable” ads at the beginning of DVDs. We asked that people who bought copy-protected CDs be allowed to get them to play on their computer. We asked that consumers be allowed to bypass region coding to play a DVD purchased in another part of the world. The Copyright Office rejected all of these proposals.

This year, we are not submitting any proposals. Where consumer interests are concerned, the rulemaking process is simply too broken. For example:

(Well, see the full post for examples.)

Netgear WGPS606 and Mac Printing

I recently bought a Netgear WGPS606 ‘print server.’ It’s a nifty little device with a 4-port 100 Mbps Ethernet switch, a wireless bridge, and an LPD print service. I needed each of those as part of reconfiguring my office space, and here it was in one little package.

It turned out to be something of a bear to configure, and tech support has not been very helpful. I finally got it all working. A bunch of technical details and gripes are after the break.


NJ’s Strong Privacy Law

Apparently, I woke up on the right side of the bed, and am just handing out kudos left and right today.

Consumers will gain strong new protections when New Jersey’s Identity Theft Prevention Act takes effect Jan. 1, but businesses and institutions are facing headaches and added expenses.

Social Security numbers will be out as all-purpose identification numbers, forcing businesses, colleges, unions, insurance companies, police departments and other public agencies to purge files and shred documents.

Those maintaining computer databases will be required to act quickly and publicly in case of security breaches under the new law – among the strongest in the nation.

See “Shredding identity theft” in the North Jersey News. The article does a fairly good job of addressing the costs. I’d like to see more about how this is transferring costs back from consumers to the businesses that put them at risk, but I’m happy to see improvements.

Via Chris Hoofnagle, who also points to a great table of security freeze and notification laws at New Jersey PIRG.

UNC Addresses Risk Systemically, Rather than Piecemeal

Students are currently recognized by their Social Security Number in many University systems and applications. With the growing threat of identity theft, an alternative method has been desired for identifying students and faculty. The opportunity to execute this change has surfaced through the implementation of an updated University [of North Carolina] computer system.

Kudos to UNC for getting this right, and taking the opportunity to fix a major problem before it struck. From “Social security number removed as student id.”

TSA to Revise Rules

[Updated with data from NYT]

A new plan by the Transportation Security Administration would allow airline passengers to bring scissors and other sharp objects in their carry-on bags because the items no longer pose the greatest threat to airline security, according to sources familiar with the plans.

The TSA’s internal studies show that carry-on-item screeners spend half of their screening time searching for cigarette lighters, a recently banned item, and that they open 1 out of every 4 bags to remove a pair of scissors, according to sources briefed by the agency. Officials believe that other security measures now in place, such as hardened cockpit doors, would prevent a terrorist from commandeering an aircraft with box cutters or scissors.

From “TSA Would Allow Sharp Objects on Airliners” (Washington Post). I’m very pleased to hear this. I’m curious: Will I be allowed to bring my Swiss Army knife again? [Update: No!] (When I flew back and forth to Tel Aviv, the last question Israeli airport security always asked was “Do you have anything that could be considered a weapon?” I always carried a Swiss Army knife as a carry-on, and told them. They, properly, never cared.)

[The New York Times has an article with more details, “Significant Changes in Air Passenger Screening Lie Ahead.” More focus on finding explosives, more random searches, still no knives.]


Centers for Disease Control Want To Track All Travel

In “CDC plans flight e-tracking,” Bob Brewin of Government Health IT writes:

Battling a pandemic disease such as avian flu requires the ability to quickly track sick people and anyone they have contacted.

In response, Centers for Disease Control and Prevention officials have proposed new federal regulations to electronically track more than 600 million U.S. airline passengers a year traveling on more than 7 million flights through 67 hub airports.

There are more quotes from the article after the break.

The transcribed press conference is online. I don’t think I’ll have a chance to analyze the 8 parts of the proposed rules at Control of Communicable Disease Proposed 42 CFR Parts 70 and 71. My expectations are that:

  1. The travel industry, already half-bankrupt, can’t afford $160 million in additional costs. That will kill this, unless the CDC steps in to fund the effort to invade all of our privacy.
  2. The data collection will be mandatory, with penalties for lying, but no penalties for re-use of the data. Acceptable uses will include updating the airline’s marketing databases. The marketing value of the data will fall far short of that $160 million.
  3. The discussion of the data in the proposed rules and the media analysis will assume the use of ‘PNR’ data. The analysis will completely ignore the reality that PNRs contain lots of non-passenger information. This is well documented by Ed Hasbrouck, and routinely ignored because acknowledging it would drive the cost of these implementations through the roof.


Web Browser Developers Work Together on Security

Adam’s post earlier today on efforts to improve browser security reminded me of this post by George Staikos, who hosted a meeting of developers from Opera, IE, Mozilla/Firefox and Konqueror with an aim towards improving browser security across the board. Of particular interest to me, in light of my intro post, were these two lines:
1) “Prompted by Opera, we are moving towards the removal of SSLv2 from our browsers. IE will disable SSLv2 in version 7 and it has been completely removed in the KDE 4 source tree already.”
2) “KDE will furthermore look to remove 40 and 56 bit ciphers, and we will continually work toward preferring and enforcing stronger ciphers as testing shows that site compatibility is not adversely affected.”
Kudos to all involved. It’s great to see some serious effort being made in this direction.

Meet The New Browser Security, Same as the Old Browser Security?

There’s a thread developing in several blogs about web browser security, and I think it is dangerously mis-framed, and may involve lots of effort going down some wrong paths. At the IE Blog, Franco writes about “Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers.” It’s a long, well-thought-out post, which starts from the wrong place:

Today I want to tell you about both our established plan to highlight secure sites in IE7 but also to tell you about some early thinking in the industry about creating stronger standards for identity on the internet.

I think that defining the issue as stronger identity standards is likely to worsen the problems of phishing and pharming. A higher bar to jump over will simply mean that when phishers jump that bar, they’ll be more successful, because more indicators will act to reassure users. That higher bar will be operated by ‘Certification Authorities’ (CAs), whose focus will be keeping costs down. This is not helpful to the consumer whose identity is being stolen. The value of that identity (and the credit granted) is more than any business would like to spend on a digital certificate. So we need to move security, in a usable way, to the control of the consumer who is at risk. To do that, we need better persistence of identity information.

That is, we want the bank we visit tomorrow to be the same bank we visited yesterday. More validation by the CA doesn’t achieve that. It achieves a tighter bond between the name on the certificate, and the name on the server. Frank Hecker has a long post, “CAs, certificates, and the SSL/TLS UI” in which he outlines what the extended validation system might be. He also refers to Tyler Close’s “Petname,” which I wasn’t aware of. The idea is that you nickname a site. I think that’s awesome, and a better direction than more reliance on CA processes.

Persistence of identity can be hard, because the identity of a website is often made complex. But that doesn’t mean it’s the wrong solution, only that businesses will have to put effort into helping customers make it work. The import of this effort is less open to question when your customers are threatening to go back to the more reliable brick storefronts. As Tyler Close demonstrates, it’s possible to build something that works in the consumer’s model of the world. “That’s right, I’ve been to this site.”

This is a user-centered, rather than a CA-centered, approach. The user-centric approach means that the security target is distributed. Further, local names mean that the user is drawn into making security persistence decisions. (Whether that’s a good idea is open to question.) But the user could be encouraged to name sites, and then bookmark them. (I discuss the value of bookmarks as a persistence tool in “Preserving the Internet Channel Against Phishers.”) Will this work better than the CA model? It’s hard to say without actually observing users in testing.
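To make the “same bank as yesterday” idea concrete, here is an added example (not Tyler Close’s Petname Tool, and not code from this post): a toy petname store that binds the user’s own nickname to the origin they named and to the certificate fingerprint seen at naming time, so a lookalike domain with a perfectly valid CA-issued certificate still shows no petname. The origins, certificate bytes and nicknames are constructed.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate the site presented (constructed bytes in this demo)."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class PetnameStore:
    # origin -> (petname chosen by the user, fingerprint of the cert seen when naming)
    _entries: Dict[str, Tuple[str, str]] = field(default_factory=dict)

    def remember(self, origin: str, cert_der: bytes, petname: str) -> None:
        """The user nicknames a site; that is the only way an entry gets created."""
        self._entries[origin] = (petname, cert_fingerprint(cert_der))

    def lookup(self, origin: str, cert_der: bytes) -> Tuple[str, Optional[str]]:
        """Classify a visit as ('known', petname), ('changed', petname) or ('unknown', None)."""
        entry = self._entries.get(origin)
        if entry is None:
            # Never named by this user: no reassurance, whatever the CA says about the name.
            return ("unknown", None)
        petname, seen_fp = entry
        if seen_fp == cert_fingerprint(cert_der):
            # Same origin, same certificate as last time: show the user's own name for it.
            return ("known", petname)
        # A named origin presenting a different certificate: do not reassure, ask the user.
        return ("changed", petname)


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Walk through the three cases with constructed data and return the results."""
    store = PetnameStore()
    bank_cert = b"constructed DER for bank.example, serial 1"
    store.remember("https://bank.example", bank_cert, "My Bank")
    return {
        "revisit": store.lookup("https://bank.example", bank_cert),
        "lookalike": store.lookup("https://bank-example.com",
                                  b"constructed DER for bank-example.com, CA-validated"),
        "renewed": store.lookup("https://bank.example",
                                b"constructed DER for bank.example, serial 2"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10s} -> {result}")
```

Binding to the certificate fingerprint means a legitimate certificate renewal shows up as ‘changed’, so a real tool needs a cheap re-confirmation step for that case rather than treating it as an alarm.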

The “trusted certificate authority” model has had a decade or so to demonstrate its value. It’s time we tried something else.

Effective Privacy Law Requires Penalties

Michael Geist has a column today “Canada’s Privacy Wake-Up Call” in which he follows up on the Macleans story about the Canadian Privacy Commissioner’s phone records being stolen. (See my “Epic Problems With Phone Privacy.”)

Although major Canadian telecommunications providers such as Bell Canada sought to characterize themselves as “victims” of fraudulent activity and claim that a rapid response to the incident is proof that Canada’s privacy laws are working as intended, the reality is that Canadian law is simply ill-equipped to deal effectively with such incidents.

In light of the privacy breach, the public might naturally expect that the Privacy Commissioner of Canada has the powers to address the issue. She does not.

Don’t Tell People What Not To Do!

[Update: If I’d been able to find the page which Arthur provided in a comment, I wouldn’t have written this quite like this.]

It’s rare to see a substantial usability mistake at Google, and so this jumped out at me. Saar Drimer has a post on the new “Gmail password strength check,” in which he quotes Google’s password advice:

  • Don’t use a password that is listed as an example of how to pick a good password.
  • Don’t use a password that contains personal information (name, birth date, etc.)
  • Don’t use words or acronyms that can be found in a dictionary.
  • Don’t use keyboard patterns (asdf) or sequential numbers (1234).
  • Don’t make your password all numbers, uppercase letters or lowercase letters.
  • Don’t use repeating characters (aa11).

What jumps out at me is that this is all negative: Don’t do this, don’t do that. This from a company famed for usability. What it should say is “Create a password by choosing a phrase, and use the first letter of each word of the phrase. (capbcapautfloewotp).” I’m pleased to be able to back that up with experimental results, in the form of Jianxin Yan, Alan Blackwell, Ross Anderson and Alasdair Grant’s “The Memorability and Security of Passwords — Some Empirical Results.”

Now, if you take that advice, it is only possible to violate rules 1 (using the example) and 5 (using all lower-case letters). So rather than offering one bit of good advice and a caveat, they offer six caveats, and no advice on what to do.

As an aside, I wanted to link to the password change page, but getting there was not easy. When I finally found it and clicked the “password” link, I was told my session was invalid. Repeatedly. So if Google actually offers positive advice, I wasn’t able to find it.

Hoder’s Denial

Recently, Hossein Derakhshan blogged about his denial of entry into the United States. (“Goodbye to America.”) This is really too bad. Hoder’s an insightful fellow, and even if he happened to be one of the 15 or so million living in the United States without official permission, we profited from his visits. I believe that he was one of the fellows of whom Pericles spoke when he said “We throw open our city to the world, and never by alien acts exclude foreigners from any opportunity of learning or observing although the eyes of an enemy may occasionally profit by our liberality.”

Hoder was denied entry to the United States, in part based on things he wrote in his blog about where he lives. (At least that’s the given reason.) Not six months ago, he and I shared a beer in Nashville. He told me he frowned on the anonymous blogging project I was working on: That blogs need a touch of humanity for them to be credible, and that a name is part of that. I told him that nasty, repressive governments would harass bloggers who used their real names.

In two bits of closely related news, Curt Hopkins is hard at work building the guides for anonymous bloggers in a variety of countries. He could use help with technical review from people other than myself. (When we started the project, I expected it to be fairly technical; it turns out that writing and translation are more important, and I’m glad to see Curt on those aspects of things. We may build some technology later.) He also has a really good post “Why the Harassment of Bloggers by Repressive Governments Will Increase in the Coming Year.” I don’t think this is an instance of that; here the US was enforcing immigration policies, and using blogged information to help it make decisions.

There are more mundane reasons, like you might not want the HR department of a company you’re applying to to find your blog. A friend has just started the “ClueChick” blog to offer up advice for those seeking love via Craigslist (and other) personal ads. She’s decided to leave her name off the ads, and I applaud her privacy sense.

(The mask is by Aidan Campbell.)

Defensive driving

As most parents of young children would no doubt attest, when driving with “precious cargo” — lives you particularly want to protect — you typically take extra precautions. Special safety seats with five point harnesses, specialized mounting hardware, taking that bit of extra care that maybe you wouldn’t if driving alone.
Well, that may all be well and good for the protection of those who’ll get stuck with the tab for today’s tax cuts for the wealthy, but for the most special passengers in an especially dangerous neighborhood, United States Representatives visiting Iraq, extra special care is needed. What might that care be, you ask? Why, driving in a steel box with no cushioning and bolts sticking out, of course! Also — passengers are free not to wear seat belts, and the appropriate way to drive is very fast and aggressively, right down the middle of the road, in order to “deter oncoming motorists”.
Thing is, occasionally those oncoming motorists drive big trucks, and play chicken better than you do. The result? Your precious cargo winds up in the hospital.
Money quote from uninjured Georgia representative Jim Marshall: “Shoot, this is more dangerous than the terrorists”.
More details at Editor and Publisher.

On Torture

I sometimes feel that I have nothing to add to the “debate” around torture, other than the formerly-obvious “torture is ineffective and morally repugnant.” Nevertheless, I feel that I shouldn’t keep silent, or even allow the debate to occur without adding my voice to the chorus of reason. So, some others’ posts this past week:

  • In Jack Balkin’s “Luban and the real debate about torture” he first excerpts David Luban’s article (“Torture, American-Style”) in today’s Washington Post, then goes on to extensively explain and then dissect the Bush administration’s position:

    Luban’s article is a helpful corrective to a debate that Administration officials, including the President of the United States, have repeatedly and willfully confused with their Orwellian doublespeak. They have tortured the English language so they can treat others cruelly. We shouldn’t let them get away with either practice.

  • Jim MacDonald quotes General and Secretary of State Colin Powell; Admiral Stansfield Turner, former head of the CIA; and 39-year CIA veteran and Moscow station head Burton L. Gerber. Quoting MacDonald’s summary in “Tortuous Thinking”:

    So the question remains: Why is the Bush White House so strongly in favor of torture that they’re threatening to veto a defense appropriations bill that merely reaffirms the policies that are supposed to be already in place? Why do they want a policy in place that not only diminishes America’s international prestige, not only makes the job of gathering intelligence more difficult, not only betrays our national values, but in practical terms flat doesn’t work?

  • At Flogging the Simian, Soj has been translating European press articles on the CIA’s secret jails into English: Part 1, Part 2, Part 3, Part 4, Part 5, Part 6, Part 7, Part 8.

    (Unfortunately, FTS displays much better with JavaScript turned on. Without that, the sidebars are way too big in Safari.)