Scottrade, Millions of “E-secure” system users, SSNs, account numbers, etc, “hacker”

Info is spotty on this, but according to a WFMY TV News report,

Millions of names, addresses, social security numbers, and bank account numbers could be in dangerous hands.
Officials with Scottrade, an investment company with an office in Greensboro say a security breach compromised the information of some of its account holders.
A letter to customers says a hacker broke into the E-secure system which transfers money from customers’ bank accounts to their investment accounts.
The letter says the breach happened October 25th.
One local Scottrade customer, who wishes to remain anonymous, says he got the letter on November 25th.
“Who knows when the information will drop off from whoever hacked into the system,” the man says. “Who knows if information is up on a chat room right now being sold to the highest bidder.”

But never fear. “Scottrade officials say despite access to the information, they aren’t certain the hacker actually took the information.”
[Adam adds: Brian Krebs has more details in “Brokerage Firm Hack Endangers Investors.”]

Books: “Innocent Code” and “19 Deadly Sins”

I’m going to review Innocent Code (IC) and The 19 Deadly Sins of Software Security (19DS) in the same review because I think they’re very similar in important ways. There have been probably close to a dozen books now on writing code with good security properties. Many of the early ones had to lay out entire concepts which are now almost mainstream. Why code is insecure, how to build processes around secure code, what an exploit is, etc, etc. This made those books long, and sometimes uneven in their quality. They were also long. They were long enough that they were read only by security enthusiasts (or people who worked at Microsoft, who were required to have a copy of LeBlanc and Howard’s Writing Secure Code.)

Both IC and 19DS are shorter. Stacked together, I think they’re smaller than many of the earlier tomes. They’re both designed for programmers to read. Both are focused on patterns of exploitable flaws. IC is focused on web programming. How to do authentication, how to process requests, how to write error messages. 19DS is broader. I have nits and arguments with the technical details of each. But for a broad audience of programmers who haven’t read the earlier works, either or both of these books will be not only highly educational and eye opening, they’re short and thus likely to be read.

Those organizations which haven’t yet set up their secure coding practices could do far worse than buying both of these as holiday gifts for their developers.

Innocent Code: A Security Wake-Up Call for Web Programmers, by Sverre H. Huseby, and “The 19 Deadly Sins of Software Security,” by David LeBlanc, Michael Howard and John Viega.

Make Mine Sony-Free

As the holiday and gift-shopping season arrives, I’d like to talk about what not to get me (or really, anyone on your list). A bad gift is really painful to receive. You have to put on a fake smile and pretend to be happy, and then go return the thing at the first opportunity.

My bad gift list for this year is defined by one word: Sony. Sony has turned deeply, maliciously, anti-consumer. They no longer believe that the customer is always right, but that the customer is a vicious cheat out to steal from them. This is not only shown by the Sony-BMG rootkit, installed on your PC by playing the music you’d bought (Cory Doctorow’s Sony Rootkit Roundup: Part I, Part II, Part III.)

It shows up in the PlayStation Portable, which will only play Sony-approved content. Every time clever engineers figure out how to make the device more useful, Sony breaks not only the new devices coming out of the factory, but inserts malicious code into games you buy. Without your permission that malware changes the device you’ve paid for to make it less useful.

This isn’t a new problem. Sony crippled the Mini-disc format, which is a great format for recording live music. My friend Dave ran into trouble after he and his band recorded the music they’d written and performed onto a Mini-disc. He couldn’t get his music off his minidisc in digital form. (More on the problem at this Politech post.)

So please, when considering what to buy me (or anyone else) this year, buy me gifts that I’ll enjoy, not gifts that will piss on my shoes. Help keep my holiday Sony-free.

[Previous Sony posts include: “Sony’s Rootkit and the DMCA,” “Macs and Sony’s Rootkit” and “Sony, Respecting Their Customer.”]

Happy Thanksgiving!

As you enjoy your Turkey, recall that the Pilgrims who ended up in Plymouth were fleeing the Anglican church, England’s state religion. The English church, of course, split from the Roman church so that Henry VIII could get a divorce. The little people, however, were not allowed the chance to split their churches in quite the same way, unless they fled to someplace ‘less’ civilized. Unfortunately, and perhaps ironically, the Puritans, despite their experiences in the Netherlands, were not seeking freedom of conscience, but the chance to impose their views. This led to the founding of Boston, and there, an accumulation of people who saw liberty as a blessing, and eventually, further unfortunate results for the powers of the English monarchs. All of which might be seen as emerging from bits of chaos.

So I give thanks that today, leaders don’t arbitrarily change the rules under which we live to satisfy their personal desires. At least, they don’t do so nearly so often.

Happy Thanksgiving!

My Software is Mine.

People often become emotionally entangled with the software they use. It’s not a geek-only thing, although geeks often become more entangled with a broader range of the software they use. Normal people speak of “My Excel is screwed up,” or feel bad that their Sony CD has messed things up for them.

One of the reasons that people become enraged by spyware is the interference with what ought to be a private space. It is, after all, called a personal computer, and people extensively personalize them. An important and worrisome trend is your computer responding to commands from outsiders. Recently, AOL added two “buddies” to my buddy list on AIM. What the hell? It turns out that AIM synchronizes buddy lists with the mothership, and that there are good reasons for this. (Thanks to Len for explaining that to me.) But it was deeply offensive, and the Pebble and the Avalanche has a good analysis in “Putting the ‘Mess’ in Instant Messaging: AOL Makes a Big Mistake.”

Another instance of this is web sites that think you should write your password on paper instead of a nice, semi-secure, encrypted keystore like KeyChain. (Hello, Citibank!)
JWZ, who knows a thing or two about browsers, offers suggestions for fixing this bug in Safari in <form autocomplete=”yes, dammit”>. [Update: fixed link.]

Australian Minister Vanstone on Stupid Security

An Australian Senator has created a bit of a kerfuffle by saying what everyone has thought in private. Bruce Schneier comments:

During her Adelaide speech, Senator Vanstone implied the use of plastic cutlery on planes to thwart terrorism was foolhardy.

Implied? I’ll say it outright. It’s stupid. For all its faults, I’m always pleased when Northwest Airlines gives me a real metal knife, and I am always annoyed when American Airlines still gives me a plastic one.

“Has it ever occurred to you that you just smash your wine glass and jump at someone, grab the top of their head and put it in their carotid artery and ask anything?” Senator Vanstone told her audience of about 100 Rotarians. “And believe me, you will have their attention. I think of this every time I see more money for the security agencies.”

Since it’s become time to talk about these things, I’ll add eye glasses to the weapons list. It’s not that glasses or a wine bottle are really scary weapons. In fact, box cutters wouldn’t let you take over a plane by mid-morning on September 11, 2001. It’s good to see those in power saying these things.

Book: Who Becomes a Terrorist and Why

I found “Who Becomes a Terrorist and Why” in a used bookstore for $2.99, and it was worth every depressing penny and more. The book is a US government funded study from 1999. It’s not clear if this work would be possible today or not. Much of the body of the book is an academic-style literature survey. Academic work from a variety of fields is summarized and integrated into a whole. The conclusion, unfortunate for those who want to put us all into a big database and see who pops out, is that there is no one personality type, and no one background that seems to unify those who become terrorists. Men and women, rich and poor, Christian, Islamic, and atheist: All have become terrorists.

There is, however, one important determinant: People who blog about terrorism don’t commit terrorist acts. So may I please keep my damned shoes on?

[In response to a question from Ian Grigg, it turns out the book is online at “Who Becomes a Terrorist and Why.” (1.5mb PDF. Google offers up an HTML version.)]

Aspirin and the Regulation of Medicine

As we discuss the effects of various laws designed to protect us from various and sundry, we often lose track of the real, tangible benefits of liberty that we’re giving up. They’re sometimes hard to see, in the same way the Internet was hard to see in the early 90s. It was here, but most people didn’t know about it. Bad laws could easily have prevented the rise of the web (and the reams of pornography it brought), or free, interconnected email (and the spam it brought). Many people would never have realized they were missing anything.

It’s one of the unfortunate things about limiting freedom: it’s hard to know what you might have had. There are many medicines that you cannot buy in the US because of the FDA, and some which you can only because they predate the FDA. A prime example is aspirin. There’s an interesting article about this in Medical Progress Today:

As a drug discovery researcher, I can tell you something that might sound crazy: many of these older drugs would have a hard time getting approved today. Some of them would never even have made it to the FDA at all.

The best example is aspirin itself. It’s one of the foundation stones of the drug industry, and it’s hard to even guess how many billions of doses of it have been taken over the last hundred years. But if you were somehow able to change history so that aspirin had never been discovered until this year, I can guarantee you that it would have died in the lab. No modern drug development organization would touch it.

(Via Marginal Revolution.)

Deborah Davis and the Denver “Public” Transit System

On the 9th of December 2005, a Denver woman is scheduled to be arraigned in U.S. District Court. Her crime: refusing to show ID on a public bus. At stake is nothing less than the right of Americans to travel freely in their own country.

The woman who is fighting the good fight is named Deborah Davis. She’s a 50 year-old mother of four who lives and works in Denver, Colorado. Her kids are all grown-up: her middle son is a soldier fighting in Iraq.

One morning in late September 2005, Deb was riding the public bus to work. She was minding her own business, reading a book and planning for work, when a security guard got on this public bus and demanded that every passenger show their ID. Deb, having done nothing wrong, declined. The guard called in federal cops, and she was arrested and charged with federal criminal misdemeanors after refusing to show ID on demand.

She hasn’t commuted by public bus since that day.

More information at Papers Please.

Book: Secure Architectures with OpenBSD

Jose Nazario gave me a copy of Secure Architectures with OpenBSD this summer. I’m way behind with book reviews, and I wanted to start with this one.

I’m a fan of the OpenBSD project. Not only for their efforts around security, but also because they put a great deal of effort into the documentation. I’ve been using OpenBSD for quite some time, and even when I’m on a different unix, I often start with the OpenBSD man pages. However, I do that as a former systems administrator. I got my start with SunOS 3 and 4 (not to mention NeXTStep), all of which were BSD operating systems. So I’m very comfortable in the BSDs. Quoting from the introduction:

OpenBSD feels different than many other UNIX systems. Its filesystem layout is more controlled and is designed primarily for security and functionality, rather than to satisfy the needs of the marketing department.

Furthermore, OpenBSD attempts to adhere to its BSD 4.4 roots and do things “the BSD way” when possible. Many commercial and even some other free operating systems have adopted many System V features and characteristics.

If you’re not familiar with the BSD way, it can be confusing and hard to navigate. This book serves as an admirable introduction, giving the reader a roadmap and orientation. If you’re a Linux user, you should get this book, and use it as a guide to OpenBSD. It’s a very nice system, not to mention a way off much of the patching treadmill.

More on “Freedom To Tinker, Freedom to Learn”

In “Freedom To Tinker, Freedom to Learn,” I made some assumptions about the user interface for the $100 laptop. In “Alan Kay at WSIS,” Ethan Zuckerman explains that Alan Kay will be doing much of the user interface design work:

Kay began by explaining that most people aren’t using computers to do the most important things they’re able to do, by which I think he means that we’re not using computers to explore, experiment and discover. Mentioning that he, Nicholas and others working on the hundred-dollar laptop were getting older, he suggested that he was getting sick of computer “vendors who don’t realize there are children in the world.”

Kay puts forth the interesting proposition that “our brains aren’t designed for thinking – they’re designed for survival” – for making quick decisions, which aren’t necessarily the correct decisions. He sees this as a major barrier to doing science – it’s taken until fairly late in human history that we’re willing to challenge our own perceptions, and “received wisdom” and carry out our own experiments. He offers a critique of Wikipedia as a teaching tool – the article on gravity doesn’t teach you about gravity – it’s a set of assertions organized in a story, not designed to help you learn about gravity. (It seemed like an odd swipe to take at Wikipedia, given that Jimmy’s never billed it as a teaching tool, and given the extent to which Negroponte has indicated that Wikipedia will likely be core to what’s distributed with the machine.)

If I were a dictator, there’s no way I’d allow a teaching machine designed by Alan Kay into the hands of thousands of schoolchildren. I’d declare it to be either a tool of the devil, of Western cultural imperialism, or blasphemous. Maybe even all three. There are few things scarier than a generation of children who have learned to observe and analyze.

(Photo from Mobile Africa.)

Google buys Riya, Steamrollers Your Pictures’ Anonymity

Riya is a Redwood City startup that makes facial recognition software. Rumor from Om Malik says Google is buying them. I believe that this purchase has some of the farthest reaching privacy implications we’ve yet seen from Google.

Anonymity, in its most literal meaning of “without a name,” is the current state of many photographs on the web. The ability to do silly things, and be photographed, and share those photos with friends, is valuable. Also valuable is the ability to not share those photos with employers or parents. One very common way to do that is to put no names on the photos. Another is to protect the photos with a password, but that takes work to set up, and work to maintain.

There’s an expectation (right or wrong) that anonymous photos are just that: Even if someone finds them, it’s unlikely to be anyone who can identify those pictured. That no one will re-attach a name, because it’s not worth the effort.

Cue Google, with the world’s largest server farm, and a facial recognition technology they think works.

It’s often been stated that no one has a right to privacy in public, but we have had a very practical anonymity. That’s been fading away for a while, but the trend will accelerate. Look for everyone, not just politicians and Supreme Court nominees, to be asked to answer for their behavior thirty years ago.

Oh, and I have no idea who those women are, but I bet Google has their phone numbers. If you ask real nice, they might give them to you.