The New York City Police Riots

… The arrest of Mayor Wood was ordered. Captain Walling of the Metropolitan Police was sent to arrest the Mayor but was promptly thrown out on his ear. Wood occupied City Hall protected by 300 of his Municipals who resisted a force of 50 Metropolitans sent there to arrest him. Later that day 50 Metropolitan Police descended on City Hall with night sticks in hand to carry out the order. The Municipals ran into the street and the two factions fought each other. The Metropolitans retreated. 52 policemen were injured, one crippled for life. The Metropolitan Police Board then called in the National Guard who surrounded City Hall. The Mayor finally submitted to arrest but soon returned to office released on minimal bail.

From Ubanography, but I didn’t believe it, until I found confirmation at the official website of New York City.

I’m really tickled to know that New York had two rival police forces. Thanks to Ian Goldberg for mentioning it.

Gartner to Visa, MasterCard: Play fair

Oft-quoted Gartner analyst Avivah Litan weighs in on the intriguingly gentle treatment of Sam’s Club by Visa and MasterCard:

* MasterCard and Visa: Show far greater transparency in enforcing PCI standards. There is still too much confusion about the standard and how to comply with it — confusion that is increased by seemingly unequal treatment of different types of retailers, such as Sam’s Club, and processors, such as CardSystems.

An excellent point, well worth repeating.

Fingerprint Readers and the Economics of Privacy

I used to feel bad advocating for privacy laws. I’m generally down on laws restricting private contracts, and privacy laws seemed to be an intellectual inconsistency. I’ve resolved that feeling because a great many privacy-invasive systems depend on either social security numbers or government-issued identity documents. It seems quite consistent to restrict how such documents can be used.

But your fingers aren’t government issued. So the same logic doesn’t apply. Now Government Computer News reports that “DHS shoves fingerprint tech forward:”

The Homeland Security Department is working with the departments of Defense and State, the FBI and the Commerce Department’s National Institute of Standards and Technology as well as technology vendors to develop a new generation of 10-finger “slap capture” units for fingerprint collection.

DHS is pushing a new generation of readers. A “10 finger slap reader” is a reader that’s designed to rapidly read fingers without a need to roll each one for a good read. The new technologies are also supposed to be AFIS compatible, which will be tricky.

The trouble with these five agencies coming together is that they create a predictable, profitable market to encourage R&D spending. Once that money has been spent, these systems will be deployed everywhere.

I’m opposed to driving down the cost or efficiency of bulk fingerprinting. It should remain an expensive process to discourage its use. The cleared, desensitized functionaries who are putting forth what they label a challenge are also putting forth subsidies for a future privacy invasion infrastructure. In many ways worse than that, they’re sending a clear message that “visitors are no longer welcomed, they’re made to feel like suspects in a criminal investigation.”

One question to ask is, what happens when everyone tries to do this and use fingerprints as authenticators? When the same authenticator is widely used, it becomes easy to steal. I know that many of my employment agreements have included security policies such as not re-using a password. Does anyone have a contract forbidding re-exposure of biometrics? (I’d be happy to help someone create one.) What happens when all ten of your fingers have been claimed by companies whose terms of service forbid you from using that finger elsewhere? Will you be required by contract to resist fingerprinting after arrest?

(Thanks to GCN for the ‘neutral’ headline, and Alice Marshall for the pointer. Fingerprints by, of, Tow Zwierz, on Flickr. Click the image for the large version. [Updated: Sorry to misspell your name there Tow.])

How To Train Users

[Update: I had accidentally linked an out of stock edition on Amazon. The new link has copies in stock.]

Part of me thinks that training users is a cop-out. It’s a way for the technology industry to evade responsibility for the insecurity of their products, and blame customers for manufacturers’ failings. At the same time, I’m fond of the flexibility that computers give me to do all sorts of things, some of them stupid.

I think that we need to do more to make security usable, to set the defaults right, and to reduce the desensitization that so many products engage in.

What’s worse, auditors and consultants love to insist that you train your users about the importance of security. And that means that training material like Ben Rothke’s “Computer Security: 20 Things Every Employee Should Know” may well be useful.

I have a fondness for little books. That it is hard to write concisely is a subject I intend to talk about quite a bit. Rothke’s ’20 Things’ is best understood as a collection of short essays, a page or three in length. Each is easily digested and understood, and the book as a whole is a fine component of an education program until we start creating better products. It is a little book in the very best of ways. In other words, you ought to be buying this book, and its sequels, for a long time to come.

Mossberg’s Mailbox

This week’s Mossberg’s Mailbox has a great point that I can’t resist sharing: “However, I feel compelled to note that, if you allow your Internet usage to be totally ruled by security fears, you may miss out on a lot.” He then goes on to discuss some of the always-on benefits, such as automatic updates and online backups while you sleep. Mr. Mossberg doesn’t discuss the potential risks of leaving your computer on more often, but given the current rate of exploitation, I think this is really an irrelevant concern. Let’s hear it for some sane thought on risk.

Two on the Iraqi Army

A spokesman for the American military command that oversees training of the Iraqi forces also said that while he did not know the security forces’ ethnic mix, he believed that there were more Sunni troops than the election data suggested.

From the New York Times, “Election Results Suggest Small Role For Sunnis in Security Forces.” Contrast with the details from Knight Ridder “How the story was reported:”

(More after the break. Split strangely to allow me to test a change.)


Marriott Vacation Club, 206,000 records, backup tape

Marriott International Inc.’s time-share division said yesterday that it is missing backup computer tapes containing credit card account information and the Social Security numbers of about 206,000 time-share owners and customers, as well as employees of the company.

Officials at Marriott Vacation Club International said it is not clear whether the tapes, missing since mid-November, were stolen from the company’s Orlando headquarters or whether they were simply lost.

From the Washington Post, via CSO Online.

London and Terror Threats

The BBC reports that the Mayor of London says “there had been 10 attempted attacks since 11 September 2001, two of which had come since the 7 July bombs.” (“Threat to London ‘disorganised’”) Where are the perpetrators? Are they free, because of insufficient evidence? Are they in jail? Were they killed by security forces? Claims such as these matter, and need to be backed by evidence.

Also in the BBC, a long article regarding security in mass transit, “The unlikely enemy of the terrorist:”

…public transport is much harder to protect. There were nearly one billion journeys made last year on the UK’s network, which has 2,500 mainline railway stations and one of the biggest underground systems in the world.

The design is a triumph of convenience, so passengers hop on and off buses, Tubes and suburban trains without the check-in desk or long queues familiar to air travellers. And the stations are built to ease the passage of millions of people each day, with open spaces and multiple entries.

Those Boy Scouts…Always Building Nuclear Reactors

Now 17, David hit on the idea of building a model breeder reactor, a nuclear reactor that not only generates electricity, but also produces new fuel. His model would use the actual radioactive elements and produce real reactions. His blueprint was a schematic in one of his father’s textbooks.

Ignoring safety, David mixed his radium and americium with beryllium and aluminum, all of which he wrapped in aluminum foil, forming a makeshift reactor core. He surrounded this radioactive ball with a blanket of small foil-wrapped cubes of thorium ash and uranium powder, tenuously held together with duct tape.

From “TALE OF THE RADIOACTIVE BOY SCOUT,” found via a comment by Tom Holsinger on the Radiation Surveillance thread on Volokh Conspiracy. It turns out that the article has been turned into a book (The Radioactive Boy Scout). Picture from this site.

13 Meter Straw Goat Met His Match

I am deeply saddened to have missed this story until now:

Vandals set light to a giant straw goat Saturday night in a central Swedish town, police said, an event that has happened so frequently it has almost become a Christmas tradition.

It was the 22nd time that the goat had gone up in smoke since merchants in Gavle, 150 kilometers (90 miles) north of Stockholm, began erecting it to mark the holiday season.

Police spokeswoman Margareta Olander said officers received a call just after 9 p.m. to report that the goat was ablaze.

From “Vandals burn giant Christmas straw goat in Sweden, again,” via Charlie Stross.

Relentless Navel Gazing, Part 6

I’ve made a bunch of changes to style and template stuff. Most noticeable should be that post titles are now links to the posts. There’s also a whole lot of consistency improvements for the Movable Type 3.2 software. The one remaining change is to bring full (extended) entries into the RSS feed.

That Mt3.2 software has this cool “include” feature, and I was fairly aggressive about moving a lot of complex code into modules that get pulled in. I hope that the folks at Six Apart will consider making modules of more and more of their default templates, because it will make life a whole lot easier.

Please let me know if I’ve broken anything.

BancorpSouth, 6500 debit cards, unknown

In a report remarkable for what it doesn’t say, WLBT TV of Jackson, MS reports:

A possible security breach has one bank giving customers new debit cards. BancorpSouth is sending out new cards to about 6500 customers.

The vice president of the bank’s security department says account numbers were either lost or they were somehow hacked into.

From The Northeast Mississippi Daily Journal comes word that an unnamed merchant, not the issuing bank itself, was breached:

The Daily Journal reported Friday that BancorpSouth had notified about 6,500 customers in recent days that their MasterMoney debit cards “may have been compromised.” The bank is sending the customers new cards.

BancorpSouth officials noted late Friday in a release that their bank was not the only one with the problem. The release said “other banks across the country are facing a situation in which a small percentage of customers’ debit cards and credit cards have been compromised.”

Account numbers were either lost or hacked into, said Cathy Talbot, president of BancorpSouth’s security department. “It wasn’t BancorpSouth, but with a merchant,” she said in the story in Friday’s Daily Journal.

The merchant wasn’t identified by MasterCard International.

So, MasterCard knows who got 0wned, but they won’t say, leaving an issuer to assume the worst. Sounds similar to something we noted earlier. Meanwhile, the cardholders are already being phished.

Update 01/03/2006: The 12/30/2005 American Banker reports that, according to Visa, the merchant affected by this breach is not Sam’s Club.