“It fell off the truck. No, really.”

Via news.com.au:

BANK statements, including customers’ private details, were left on the side of a busy Sydney road after the documents fell off the back of a truck.
The confidential account information and credit card statements of thousands of Commonwealth Bank customers were left lying on the Hume Highway at Warwick Farm, in Sydney’s south-west, the Seven Network reported tonight.
The bank has apologised to customers for the security breach.

40 Million Pounds Sterling Stolen from British Bank

As reported in The Australian, a group of co-ordinated criminals stole over 40 million pounds in cash from a processing center. They did so by the expedient process of dressing up as police officers and kidnapping the wife and child of one of the center’s managers. They were then escorted on site, where they subdued the local guards and loaded the money onto a truck. By all reports, this was well coordinated, and the entire effort took less than a couple of hours in actual execution time. This reminds me of an old Yiddish saying that my father is fond of: “To a thief, there is no lock.”
[Edit: Made title more clear]
[Update: According to Forbes, three people have been charged by police already, including a bank employee.]
[Update 2: One person, the three I mention above are from a 2004 heist that looks very similar]
[Edit 2: The 2004 heist used very similar MOs. Police think they may be linked events]
[Edit 3: (It’s one of those days) The three people referenced in the original update were arrested in relation to the 2004 heist. An unrelated person was arrested today with regard to this current heist.]

In The Future, Everyone Will be Audited for 20 Years (CardSystems Analysis)


In the largest known compromise of financial data to date, CardSystems Solutions, Inc. and its successor, Solidus Networks, Inc., doing business as Pay By Touch Solutions, have agreed to settle Federal Trade Commission charges that CardSystems’ failure to take appropriate security measures to protect the sensitive information of tens of millions of consumers was an unfair practice that violated federal law. According to the FTC, the security breach resulted in millions of dollars in fraudulent purchases. The settlement will require CardSystems and Pay By Touch to implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years.

Thanks to Ryan Singel for the link to “CardSystems Solutions Settles FTC Charges.” The clown picture is by Fabiana Valgôde. There’s some security analysis after the jump.


Ephemeral port security

By now, most have heard about Dubai Ports World, a foreign entity, assuming control of operations at various U.S. ports. The arguments around this transaction are predictable and uninteresting. One thing that is clear is that the Committee on Foreign Investment in the United States (CFIUS) is legally mandated to consider such deals. In fact, if their consideration extends beyond 30 days, a more comprehensive 45-day investigation is required, and if that elapses, the President must personally make the decision on the matter and report to Congress.
In reading about the operations of the CFIUS in Forbes, I was struck by the following:

Along with clearing up the law’s vagueness, there’s a strong case to be made that CFIUS should have more time to review a complex deal. At present, an investigation automatically kicks in at the end of 30 days. A September 2005 report from the Government Accountability Office found a concern among CFIUS members that the stigma of an investigation could dampen foreigners’ desire to invest in the U.S. In particular, if an investigation isn’t resolved by the end of the 45 days, the president must make a decision and deliver a report to Congress.
The fear of stigma creates a perverse incentive to squeeze perhaps the most complex reviews into a 30-day window. All told, only about 20 of the 1,500 companies reviewed by CFIUS have been given a 45-day investigation. Only twice since 1997 has the president reported to Congress on a CFIUS review.

That second paragraph says a lot. People will not voluntarily act to make themselves look bad if they can avoid it inexpensively.
If I were writing a law about, say, security breach disclosure, I’d bear that lesson in mind.

Updating Windows Mobile Phones

Nothing we ever create, especially software, is ever perfect. One of the banes of professional systems administrators is the software update process and the risk trade-offs it entails. Patch with a bad patch and you can crash a system; fail to patch soon enough, and you may fall to a known attack vector. The mobile phone companies have taken an innovative approach to the problem: they ignore it. It makes perfect sense to them. If a hacker bricks your phone, they’ll sell you a new one, with a new two-year lock-in.

I suspect this is frustrating to the authors of phone software, who have their own brand to consider:

Artak Abrahamyan, Technical Support Specialist from i-Mate, responded to my email requesting when they’d be releasing MSFP [Microsoft Security & Feature Pack] updates… Although I requested information about which devices would be receiving updates, he didn’t provide that information. My hope is that it will be for all of the Windows Mobile 5.0 devices that i-Mate has released so far. Looks like we’ll see this in early March. (From “Smartphone thoughts”)

This ‘innovative’ approach to preventing customers from getting at a patch has many upsides in fewer software variants running, higher assurance for the telco, and more time for worm writers to hone their attack code.

I am reasonably confident that my phone has security issues. (I’m not slamming Microsoft here–I’m reasonably confident that all software I’ve ever touched has security issues.) However, I have a phone running Windows Mobile, and so I’m aware of my failure to patch. I’d like to see a mobileupdate.microsoft.com that allowed me to bypass this telco nonsense and get patches.

[Update: While I’m talking about telco security, let me mention the idiots at Cingular, who insist that caller-id is a good way to authenticate me to my voice mail, and refuse to give me a way to add a password. If you don’t understand why that’s a bad idea, “this google search” may enlighten you. Take a look at those ads.]
(Phone box photo by Alex Segre, on Flickr.)

Dan Kaminsky on Sony and Anti-Virus

Read “Learning from Sony: An External Perspective” on Dan’s blog:

The incident represents much more than a black eye on the AV industry, which not only failed to manage Sony’s rootkit, but failed intentionally. The AV industry is faced with a choice. It has long been accused of being an unproductive use of system resources with an insufficient security return on investment. It can finally shed this reputation, or it can wait for the rest of the security industry to finish what Sony started. Is AV useful? The Sony incident is a distressingly strong sign that it is not.

Secretly Admiring

Quick! Name the speaker:

In a lot of countries, statements like “this person is over 18”, “this person is a citizen”, the governments will sign those statements. When you go into a chat room, for example, in Belgium, they’ll insist that you present not necessarily the thing that says who you are, but the thing that says the government says I’m over 18. This trust ecosystem has so much good designed for privacy. This thing is amazing, where you can prove who you are to a third party and then, in the actual usage, they don’t know who you are. A lot of the previous designs had the idea that if you authenticated, then you gave up privacy. There are lots of cases where you want to be authentic but not give up your privacy – or not give up your privacy except in extreme cases.

No, it’s not Austin Hill, circa 1999. I’d be happier if Zero-Knowledge had made us all rich, but I’m happy that the ideas that we evangelized, and that Credentica and others are building… I’m happy that these ideas are spreading to the point where Bill Gates presents them in an interview. There are a great many longtime former cypherpunks out there, helping people imagine a better future.

That imagining is important. Phillip Hallam-Baker (who has the best roundup of the RSA Cryptographers Panel I’ve seen) quotes Ron Rivest:

It takes about 15 years for ideas to go from concept to use. Identity based crypto may be becoming the right approach to authenticated email.

What happens along that 15 year path is that a lot of small companies come along, build great new technologies that solve a part of a problem, and then eventually, through iteration, creative destruction, skill and luck, one of them builds something that really does a great job for customers.

[Update: Corrected the spelling of Phillip Hallam-Baker’s name.]

Metadata strike again!

Brian Krebs wrote about a botnet and the 733t d00d who ran one, nom de hack 0x80. Well, turns out the doctored on-line photo the Washington Post ran contained metadata identifying the gentleman’s rather small home town. Coupled with information in Krebs’ article concerning businesses near 0x80’s residence, identifying the young criminal would seem a foregone conclusion.
The Inquirer reports further.

Book Review: The Stag Hunt and the Evolution of Social Structure

Brian Skyrms’ The Stag Hunt and the Evolution of Social Structure addresses a subject lying at the intersection of the social sciences, philosophy, and evolutionary biology — how it is possible for social structures to emerge among populations of selfishly-acting individuals.
Using Rousseau’s example of a Stag Hunt, in which hunters face a decision between a less-risky but less-rewarding individual hunt for hare, or the more-risky but more-rewarding cooperative hunt for stag, Skyrms addresses the emergence of social structure as a product of three distinct effects:

  1. Location

  2. Signaling

  3. Association

Two chapters on each of these, plus an initial chapter introducing the stag hunt in elementary game-theoretic terms and describing its relevance to the task at hand, comprise this thoroughly enjoyable 150-page volume.
Readers like myself, who approach Skyrms’ book having read Axelrod’s The Evolution of Cooperation (or much of the voluminous literature it spawned), will hesitate at Skyrms’ choice of an assurance game (as the stag hunt is known in more prosaic circles) to model the growth of societal organization, preferring the familiar Prisoners’ Dilemma. Drawing from the political philosophy of Hume, from recent re-examination of John Maynard Smith‘s haystack model of the evolution of altruism, and from experimental economics, Skyrms justifies his choice in the first chapter.
Next, Skyrms discusses the relevance of Location, as egoistic actors repeatedly play divide-the-dollar against randomly-selected partners, and against neighbors arrayed on a lattice (as in, for example, xlife). In the latter scenario, rapid movement toward a “just” equilibrium of even division is observed. Here, as throughout the book, Skyrms reinforces the timeless relevance of the theme he treats (in this chapter, with allusions to distributive justice discussion by Aristotle and Kant). This tactic runs the risk of distracting the reader, or making the writer seem like a name-dropper or pedant, but Skyrms uses it to very positive effect.
In the book’s next chapter, the dynamic behavior of local interactions in a stag hunt game among actors with different degrees and kinds of knowledge about the previous successes of others is discussed. This establishes a fuller picture of how the spatial structure affects the macro-level outcome. Since I read this chapter while waiting for a plane, I focussed less on the details and more on the main idea, which is that outcomes vary depending on the breadth of actors’ vision in considering whom to imitate, and on how small the set of neighbors with whom they may interact is. Here, the book’s first part ends.
Part II concerns Signals. The second of its two chapters considers the evolutionary dynamics of a stag hunt with “cheap talk” — a player’s strategy is not only whether to hunt stag or hare, but also what signal to send, and how to respond to signals he receives. The preceding chapter concerns itself with the development of social conventions, using as its first example language itself. How can language have come about, since the only way to communicate the extremely complex convention which speech represents is via speech itself? In considering this, Skyrms draws on David Lewis and presents in 14 pages a demonstration of how a system of logical inference can evolve, presupposing nothing (such as rationality, intentionality) that has not been observed at the level of a bacterium! That is cool.
The book’s third and final part concerns Association. In the first of its chapters, actors’ strategies are fixed (in contrast with the entire book until now, in which they evolve), and the interaction patterns among actors are allowed to evolve. Will groups of “friends” form? Will they be long-lived or ephemeral? How does this depend upon chance, or on the length of memory of good times or of slights? Interesting reading, but by now one’s expectations are high! The final chapter considers simultaneously evolving strategies and interaction structures.
I enjoyed this book immensely. Its power derives from its inter-disciplinary foundation, its unflagging clarity of exposition, and the sheer magnitude of the question it tries (with some success!) to answer.
Inasmuch as the ubiquity of the computer, and the interconnectedness it affords so many people, has focussed attention on the sorts of issues discussed in this small but important volume, Skyrms has produced a work directly relevant to most of those who are reading this (here is proof(?)).
Personally, I feel the value transcends mere pragmatic utility.

True.com Sent ‘Race-Customized’ Valentines


How are True.com’s Valentine’s Day e-mails targeted? Very simply: one version of their e-mail targets black singles, another targets East Indian lonely hearts, and other versions target the Asian and Hispanic loveless. (Our multi-cultural bots were lucky enough to get one of each). There’s nothing wrong with that on the surface. But we wondered how True.com could know which version of its e-mails to send to which users?

So writes Hannah Rosenbaum in “True.com Uses Adult List to Send Targeted Valentine’s Day E-mail.” I’m going to disagree. It is wrong to track the color of people’s skin and use it as part of your decision making process. It’s wrong at the surface, and it’s wrong in very deep ways. It may even be wrong with explicit consent, which ‘True’ certainly didn’t have.

Speaking of wrong, I’d mentioned the lovely people at ‘true’ before, in “Choicepoint, March 21.” I wonder if their data on race is any better than their criminal background histories? Siteadvisor’s one data point per person is a beautiful way to watch the flow of data behind the scenes, but it fails to capture the rich tapestries of our lives, the poor quality of the data (what we used to call garbage-in, garbage-out), or how companies cope with the chaos.

Police Chiefs Gone Wild

Harold Hurtt has suggested that surveillance cameras be placed “in apartment complexes, downtown streets, shopping malls and even private homes”, according to this story in the Seattle Post Intelligencer. In response, I hereby found….

The Hurtt Prize

The Hurtt Prize is a $1120 (and growing) reward for the first person who can provide definitive videotaped evidence of Houston police chief Harold Hurtt committing a crime, any crime. This evidence will be posted here and forwarded to the Houston Police Department along with a demand that action be taken.

(Via Dave Farber’s IP list.)

The Leaf of Trust

One of the most interesting and controversial aspects of Phil Zimmermann’s PGP was that it avoided any central repositories of information, relying instead on what Phil labeled the “web of trust.” The idea was that if Alice “trusts” Bob, and Bob “trusts” Charlie, there’s some transitive trust that you can establish.[1] (I’m going to stop putting trust in quotes, but keep using it in the sense of this web of trust.) These trust relationships are one way and publicly expressed in the form of signatures. That is, Alice indicates her trust in Bob by means of signing Bob’s key. Bob may choose to sign Alice’s key, but doesn’t have to.

Setting aside all of the security properties of the idea, it creates a fascinating set of published data around social networks. In “Wotsap: Dissecting the Leaf of Trust,” Jörgen Cederlöf writes:

After implementing the group matrices I figured it would be nice to see the group matrix of a much larger group. (If you are a mathematician, the Web of Trust is a large directed graph where the vertices are called “keys” and the edges “signatures”. There are four different types of signatures, just think of them as four colors of the edges. The group matrix is the adjacency matrix of this graph. You probably want to take a look at the FAQ, especially the part about MSD.) I generated a PNG image with the keys sorted in MSD order and expected little more than random noise. When I first saw the result I thought I had done something wrong, but a little bit of thinking revealed that the resulting leaf-like shape was perfectly natural, almost unavoidable.

Thanks to Nicko for pointing out the emergent properties of the web of trust.

[1] I attempted to quantify that in a message to the cypherpunks list, “reputation credits.” Rafe pointed out that the system could be made to oscillate, and I abandoned it. In retrospect, I’m pretty pleased with what I wrote, even if the system wouldn’t have worked–there’s a lot that’s still applicable to reputation and social networking and identity projects.
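To make Cederlöf’s graph-and-matrix description concrete, here is an added illustration (not code from the original post, nor from Wotsap) on a constructed handful of keys: signatures are signer-to-signed edges, the strong set is the largest group of mutually reachable keys, and each key’s MSD is assumed here to be the mean length of the shortest signature path from every other strong-set key to it; the four signature types are collapsed into a single edge colour.

```python
from collections import deque

# Constructed sample keyring (not real keys): each pair is (signer, signed key).
SIGNATURES = [
    ("alice", "bob"), ("alice", "carol"),
    ("bob", "alice"), ("bob", "carol"),
    ("carol", "alice"), ("carol", "bob"), ("carol", "dave"),
    ("dave", "alice"),
    ("dave", "eve"),   # eve is signed but signs nobody: outside the strong set
]

def build_graph(sigs):
    """Return sorted key list plus out-edge (signer->signed) and in-edge maps."""
    keys = sorted({k for pair in sigs for k in pair})
    out = {k: set() for k in keys}
    inc = {k: set() for k in keys}
    for signer, signed in sigs:
        out[signer].add(signed)
        inc[signed].add(signer)
    return keys, out, inc

def reach(adj, start):
    """BFS hop counts from start, following whichever adjacency map is given."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist

def strong_set(keys, out, inc):
    """Largest set of keys in which every key can reach every other via signatures."""
    best = set()
    for k in keys:
        component = set(reach(out, k)) & set(reach(inc, k))
        if len(component) > len(best):
            best = component
    return best

def mean_shortest_distances(inc, strong):
    """Assumed MSD: mean over other strong-set keys j of the shortest path j -> k.
    Walking in-edges backwards from k yields exactly that distance for each j."""
    if len(strong) < 2:
        return {k: 0.0 for k in strong}
    return {k: sum(reach(inc, k)[j] for j in strong if j != k) / (len(strong) - 1)
            for k in strong}

def msd_ordered_matrix(sigs):
    """Keys of the strong set sorted by MSD, their MSDs, and the adjacency matrix in that order."""
    keys, out, inc = build_graph(sigs)
    strong = strong_set(keys, out, inc)
    msd = mean_shortest_distances(inc, strong)
    order = sorted(strong, key=lambda k: (msd[k], k))
    matrix = [[1 if b in out[a] else 0 for b in order] for a in order]
    return order, msd, matrix
```

Rendering `matrix` row by row as pixels (1 = signature present) in `order` is what produces the leaf shape on a real keyring: well-connected keys cluster in the top-left corner and the sparse tail trails off toward the bottom-right.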

Branded Security

For quite some time, Ian Grigg has been calling for security branding for certificate authorities. When making a reservation for a Joie de Vivre hotel, I got the attached Javascript pop-up. (You reach it before providing a credit card number.)

I am FORCED to ask, HOWEVER, what the average consumer is supposed to make of this? (“I can make a hat, and a boat…”) Who is this VERISIGN, and why might I care?

The word Verisign isn’t a link. It’s not strongly tied to what I’m seeing. (Except for the small matter of legality, I could make this site pop up that exact same dialog box.) It is eminently forgeable, there’s no URL, there’s nothing graphical.

Nevertheless, it probably presages such dialog boxes popping up next to the colored URL bar, and confusing the message they’re trying to send.