Michael Geist has a column today “Canada’s Privacy Wake-Up Call” in which he follows up on the Macleans story about the Canadian Privacy Commissioner’s phone records being stolen. (See my “Epic Problems With Phone Privacy.”)
Although major Canadian telecommunications providers such as Bell Canada sought to characterize themselves as “victims” of fraudulent activity and claim that a rapid response to the incident is proof that the Canada’ s privacy laws are working as intended, the reality is that Canadian law is simply ill-equipped to deal effectively with such incidents.
In light of the privacy breach, the public might naturally expect that the Privacy Commissioner of Canada has the powers to address the issue. She does not.
[Update: If I'd been able to find the page which Arthur provided in a comment, I wouldn't have written this quite like this.]
It’s rare to see a substantial usability mistake at Google, and so this jumped out at me. Saar Drimer has a post on the new “Gmail password strength check,” in which he quotes Google’s password advice:
- Don’t use a password that is listed as an example of how to pick a good password.
- Don’t use a password that contains personal information (name, birth date, etc.)
- Don’t use words or acronyms that can be found in a dictionary.
- Don’t use keyboard patterns (asdf) or sequential numbers (1234).
- Don’t make your password all numbers, uppercase letters or lowercase letters.
- Don’t use repeating characters (aa11).
What jumps out at me is that this is all negative: Don’t do this, don’t do that. This from a company famed for usability. What it should say is “Create a password by choosing a phrase, and use the first letter of each word of the phrase. (capbcapautfloewotp).” I’m pleased to be able back that up with experimental results, in the form of Jianxin Yan, Alan Blackwell, Ross Anderson and Alasdair Grant’s “The Memorability and Security of Passwords — Some Empirical Results.”
Now, if you take that advice, it is only possible to violate rules 1 (using the example) and 5 (using all lower-case letters). So rather than offering one bit of good advice and a caveat, they offer six caveats, and no advice on what to do.
As an aside, I wanted to link to the password change page, but trying to get there, When I finally found it and clicked the “password” link, I was told my session was invalid. Repeatedly. So if Google actually offers positive advice, I wasn’t able to find it.
Recently, Hossein Derakhshan blogged about his denial of entry into the United States. (“Goodbye to America.”) This is really too bad. Hoder’s an insightful fellow, and even if he happened to be one of the 15 or so million living in the United States without official permission, we profited from his visits. I believe that he was one of the fellows of whom Pericles spoke when he said “We throw open our city to the world, and never by alien acts exclude foreigners from any opportunity of learning or observing although the eyes of an enemy may occasionally profit by our liberality.”
Hoder was denied entry to the United States, in part based on things he wrote in his blog about where lives. (At least that’s the given reason.) Not six months ago, he and I shared beer in Nashville. He told me he frowned on the anonymous blogging project I was working on: That blogs need a touch of humanity for them to be credible, and that a name is part of that. I told him that nasty, repressive governments would harass bloggers who used their real names.
In two bits of closely related news, Curt Hopkins is hard at work building the guides for anonymous bloggers in a variety of countries. He could use help with technical review from people other than myself. (When we started the project, I expected it to be fairly technical; it turns out that writing and translation are more important, and I’m glad to see Curt on those aspects of things. We may build some technology later.) He also has a really good post “Why the Harassment of Bloggers by Repressive Governments Will Increase in the Coming Year.” I don’t think this is an instance of that; here the US was enforcing immigration policies, and using blogged information to help it make decisions.
There are more mundane reasons, like you might not want the HR department of a company you’re applying to to find your blog. A friend has just started the “ClueChick” blog to offer up advice for those seeking love via Craigslist (and other) personal ads. She’s decided to leave her name off the ads, and I applaud her privacy sense.
(The mask is by Aidan Campbell.)
As most parents of young children would no doubt attest, when driving with “precious cargo” — lives you particularly want to protect — you typically take extra precautions. Special safety seats with five point harnesses, specialized mounting hardware, taking that bit of extra care that maybe you wouldn’t if driving alone.
Well, that may all be well and good for the protection of those who’ll get stuck with the tab for today’s tax cuts for the wealthy, but for the most special passengers in an especially dangerous neighborhood, United States Representatives visiting Iraq, extra special care is needed. What might that care be, you ask? Why, driving in a steel box with no cushioning an bolts sticking out, of course! Also — passengers are free not to wear seat belts, and the appropriate way to drive is very fast and aggressively, right down the middle of the road, in order to “deter oncoming motorists”.
Thing is, occasionally those oncoming motorists drive big trucks, and play chicken better than you do. The result? Your precious cargo winds up in the hospital.
Money quote from uninjured Georgia representative Jim Marshall: “Shoot, this is more dangerous than the terrorists”.
More details at Editor and Publisher.
I sometimes feel that I have nothing to add to the “debate” around torture, other than the formerly-obvious “torture is ineffective and morally repugnant.” Nevertheless, I feel that keeping silent, or even allowing the debate to occur without adding my voice to the chorus of reason. So, some others’ posts this past week:
Info is spotty on this, but according to a WFMY TV News report,
Millions of names, addresses, social security numbers, and bank account numbers could be in dangerous hands.
Officials with Scottrade, an investment company with an office in Greensboro say a security breach compromised the information of some of its account holders.
A letter to customers says a hacker broke into the E-secure system which transfers money from customer’s bank accounts to their investment accounts.
The letter says the breach happened October 25th.
One local Scottrade customer, who wishes to remain anonymous, says he got the later on November 25th.
“Who knows when the information will drop off from whoever hacked into the system,” the man says. “Who knows if information is up on a chat room right now being sold to the highest bidder.”
But never fear. “Scottrade officials say despite access to the information, they aren’t certain the hacker actually took the information.”
[Adam adds: Brian Krebs has more details in "Brokerage Firm Hack Endangers Investors"]
I’m going to review Innocent Code (IC) and The 19 Deadly Sins of Software Security (19DS) in the same review because I think they’re very similar in important ways. There have been probably close to a dozen books now on writing code with good security properties. Many of the early ones had to lay out entire concepts which are now almost mainstream. Why code is insecure, how to build processes around secure code, what an exploit is, etc, etc. This made those books long, and sometimes uneven in their quality. They were also long. They were long enough that they were read only by security enthusiasts (or people who worked at Microsoft, who were required to have a copy of LeBlanc and Howard’s Writing Secure Code.)
Both IC and 19DS are shorter. Stacked together, I think they’re smaller than many of the earlier tomes. They’re both designed for programmers to read. Both are focused on patterns of exploitable flaws. IC is focused on web programming. How to do authentication, how to process requests, how to write error messages. 19DS is broader. I have nits and arguments with the technical details of each. But for a broad audience of programmers who haven’t read the earlier works, either or both of these books will be not only highly educational and eye opening, they’re short and thus likely to be read.
Those organizations which haven’t yet set up their secure coding practices could do far worse than buying both of these as holiday gifts for their developers.
Innocent Code : A Security Wake-Up Call for Web Programmers, by Sverre H. Huseby, and “The 19 Deadly Sins of Software Security by David LeBlanc, Michael Howard and John Viega.
As the holiday and gift-shopping season arrives, I’d like to talk about what not to get me (or really, anyone on your list). A bad gift is really painful to receive. You have to put on a fake smile and pretend to be happy, and then go return the thing at the first opportunity.
My bad gift list for this year is defined by one word: Sony. Sony has turned deeply, maliciously, anti-consumer. They no longer believe that the customer is always right, but that the customer is a vicious cheat out to steal from them. This is not only shown by the Sony-BMG rootkit your PC by playing the music you’d bought (Cory Doctrow’s Sony Rootkit Roundup: Part I, Part II, Part III.)
It shows up in the PlayStation Portable, which will only play Sony-approved content. Every time clever engineers figure out how to make the device more useful, Sony breaks not only the new devices coming out of the factory, but inserts malicious code into games you buy. Without your permission that malware changes the device you’ve paid for to make it less useful.
This isn’t a new problem. Sony crippled the Mini-disc format, which is a great format for recording live music. My friend Dave ran into trouble after he and his band recorded the music they’d written and performed onto a Mini-disc. He couldn’t get his music off his minidisc in digital form. (More on the problem at this Politech post.)
So please, when considering what to buy me (or anyone else) this year, buy me gifts that I’ll enjoy, not gifts that will piss on my shoes. Help keep my holiday Sony-free.
[Previous Sony posts include: "Sony's Rootkit and the DMCA," "Macs and Sony's Rootkit" and "Sony, Respecting Their Customer."]
Blame Tom Ptacek for ignoring my heroic efforts. My being off with family this week has nothing to do with it. Friday Star Wars Security posts will return next week, with the principle of Least Common Mechanism.
As you enjoy your Turkey, recall that the Pilgrims who ended up in Plymouth were fleeing the Anglican church, England’s state religion. The English church, of course, split from the Roman church so that Henry VIII could get a divorce. The little people, however, were not allowed the chance to split their churches in quite the same way, unless they fled to someplace ‘less’ civilized. Unfortunately, and perhaps ironicly, the Puritans, despite their experiences in the Netherlands, were not seeking freedom of conscience, but the chance to impose their views. This lead to the founding of Boston, and there, an accumulation of people who saw liberty as a blessing, and eventually, further unfortunate results for the powers of the English monarchs. All of which might be seen as emerging from a bits of chaos.
So I give thanks that today, leaders don’t arbitrarily change the rules under which we live to satisfy their personal desires. At least, they don’t do so nearly so often.