“Illegal Political Activity”

Something is seriously wrong when the New York Times has an article “I.R.S. Finds Sharp Increase in Illegal Political Activity,” and fails to mention the free speech issues associated with the claptrap coming out of Congress:

While pointing out the extent of the problem, the agency published more guidance for nonprofit organizations, including examples of what is permissible and what is not. Mr. Everson warned that the agency would be more aggressive in addressing illegal political activity as election campaigns moved into full swing.

I don’t need guidance about what is permissible if I have freedom.

The future belongs to the quants

The title is of course stolen from Dan Geer.
By now, many readers of these words will be familiar with the recent finding in Guin v. Brazos Higher Education Services [pdf] that a financial institution has no duty to encrypt a customer database.
In dismissing the case with prejudice, the court took note of an earlier case:

The facts of this case are closely analogous to Stollenwerk v. Tri-West Healthcare Alliance, No. Civ. 03-0185, 2005 WL 2465906 (D. Ariz. Sept. 6, 2005). In Stollenwerk, the defendant’s corporate office was burglarized and a number of items stolen, including computer hard drives containing the personal information of defendant’s customers. In support of their negligence claim, two plaintiffs relied on the opinion of an expert who described their injury as “an increased risk of experiencing identity fraud for the next seven years.”

The district court expressly rejected the expert testimony because “the affidavit of plaintiffs’ expert conclusorily posits that plaintiff’s risk of identity fraud is significantly increased without quantifying the risk.”

(emphasis mine)
IANAL, and I apologize to any lawyers reading this for my selective quotation and elision of case citations and footnotes. I have no opinion on the merits of this case because I do not know the law, particularly the case law.
That having been said, the juicy part is the part I emphasized — you want to say you were harmed because you were put at increased risk? You need to quantify that risk. I may be reading too much into this, but this looks to me like the judge in Stollenwerk was saying “Don’t bring me experts who draw conclusions they don’t back with data. Don’t give me a ‘red-yellow-green’ dashboard. I want to see how much additional risk you now are burdened with”.

New Products, Emerging From Chaos

In a trenchant comment on “Secretly Admiring,” Victor Lighthill writes:

Not to disrespect Ron Rivest or Credentica’s Stefan Brands, but patenting your ideas in crypto is, historically, a great way to ensure that it takes them 15 years to go from concept to use.

While there may be important grains of truth in this, and while I’ve railed against patents, and think the system is substantially flawed, I don’t think patents are the mainstay of what holds back new products.


Subject: Attention! Several VISA Credit Card bases have been LOST!

You know breaches are reaching the public consciousness when spammers use them to make money. I got this in email yesterday, along with a URL that I don’t feel like linking. Banks would do really well to send less email with the words “click here,” and more saying “visit our site using a bookmark.”

Good afternoon, unfortunately some processings have been cracked by hackers, so a new secure code to protect your data has been introduced by Visa. You should check your card balance and in case of suspicious transactions immediately contact your card issuing bank. If you don’t see any suspicious transactions, it doesn’t mean that the card is not lost and cannot be used. Probably, your card issuers have not updated information yet. That is why we strongly recommend you to visit our website and update your profile, otherwise we cannot guarantee stolen money repayment. Thank you for your attention. Click here and update your profile.

(I added the logo.)

“It fell off the truck. No, really.”

Via news.com.au:

BANK statements, including customers’ private details, were left on the side of a busy Sydney road after the documents fell off the back of a truck.
The confidential account information and credit card statements of thousands of Commonwealth Bank customers were left lying on the Hume Highway at Warwick Farm, in Sydney’s south-west, the Seven Network reported tonight.
The bank has apologised to customers for the security breach.

40 Million Pounds Sterling Stolen from British Bank

As reported in The Australian, a group of co-ordinated criminals stole over 40 million pounds in cash from a processing center. They did so by the expedient process of dressing up as police officers and kidnapping the wife and child of one of the center’s managers. They were then escorted on site, where they subdued the local guards and loaded the money onto a truck. By all reports, this was well coordinated, and the entire effort took less than a couple of hours in actual execution time. This reminds me of an old Yiddish saying that my father is fond of: “To a thief, there is no lock.”
[Edit: Made title more clear]
[Update: According to Forbes, three people have been charged by police already, including a bank employee.]
[Update 2: One person has been charged; the three I mention above are from a 2004 heist that looks very similar]
[Edit 2: The 2004 heist used very similar MOs. Police think they may be linked events]
[Edit 3: (It's one of those days) The three people referenced in the original update were arrested in relation to the 2004 heist. An unrelated person was arrested today with regard to this current heist.]

In The Future, Everyone Will be Audited for 20 Years (CardSystems Analysis)


In the largest known compromise of financial data to date, CardSystems Solutions, Inc. and its successor, Solidus Networks, Inc., doing business as Pay By Touch Solutions, have agreed to settle Federal Trade Commission charges that CardSystems’ failure to take appropriate security measures to protect the sensitive information of tens of millions of consumers was an unfair practice that violated federal law. According to the FTC, the security breach resulted in millions of dollars in fraudulent purchases. The settlement will require CardSystems and Pay By Touch to implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years.

Thanks to Ryan Singel for the link to “CardSystems Solutions Settles FTC Charges.” The clown picture is by Fabiana Valgôde. There’s some security analysis after the jump.


Ephemeral port security

By now, most have heard about Dubai Ports World, a foreign entity, assuming control of operations at various U.S. ports. The arguments around this transaction are predictable and uninteresting. One thing that is clear is that the Committee on Foreign Investment in the United States (CFIUS) is legally mandated to consider such deals. In fact, if their consideration extends beyond 30 days, a more comprehensive 45-day investigation is required, and if that elapses, the President must personally make the decision on the matter and report to Congress.
In reading about the operations of the CFIUS in Forbes, I was struck by the following:

Along with clearing up the law’s vagueness, there’s a strong case to be made that CFIUS should have more time to review a complex deal. At present, an investigation automatically kicks in at the end of 30 days. A September 2005 report from the Government Accountability Office found a concern among CFIUS members that the stigma of an investigation could dampen foreigners’ desire to invest in the U.S. In particular, if an investigation isn’t resolved by the end of the 45 days, the president must make a decision and deliver a report to Congress.
The fear of stigma creates a perverse incentive to squeeze perhaps the most complex reviews into a 30-day window. All told, only about 20 of the 1,500 companies reviewed by CFIUS have been given a 45-day investigation. Only twice since 1997 has the president reported to Congress on a CFIUS review.

That second paragraph says a lot. People will not voluntarily act to make themselves look bad if they can avoid it inexpensively.
If I were writing a law about, say, security breach disclosure, I’d bear that lesson in mind.

Updating Windows Mobile Phones

Nothing we ever create, especially software, is ever perfect. One of the banes of professional systems administrators is the software update process, and the risk trade-offs it entails. Patch with a bad patch and you can crash a system; fail to patch soon enough, and you may fall to a known attack vector. The mobile phone companies have taken an innovative approach to the problem: They ignore it. It makes perfect sense to them. If a hacker bricks your phone, they’ll sell you a new one, with a new two-year lock-in.


I suspect this is frustrating to the authors of phone software, who have their own brand to consider:

Artak Abrahamyan, Technical Support Specialist from i-Mate, responded to my email requesting when they’d be releasing MSFP [Microsoft Security & Feature Pack] updates … Although I requested information about which devices would be receiving updates, he didn’t provide that information. My hope is that it will be for all of the Windows Mobile 5.0 devices that i-Mate has released so far. Looks like we’ll see this in early March. (From “Smartphone thoughts”)

This ‘innovative’ approach to preventing customers from getting at a patch has many upsides in fewer software variants running, higher assurance for the telco, and more time for worm writers to hone their attack code.

I am reasonably confident that my phone has security issues. (I’m not slamming Microsoft here–I’m reasonably confident that all software I’ve ever touched has security issues.) However, I have a phone running Windows Mobile, and so I’m aware of my failure to patch. I’d like to see a mobileupdate.microsoft.com that allowed me to bypass this telco nonsense and get patches.

[Update: While I'm talking about telco security, let me mention the idiots at Cingular, who insist that caller-id is a good way to authenticate me to my voice mail, and refuse to give me a way to add a password. If you don't understand why that's a bad idea, "this google search" may enlighten you. Take a look at those ads.]
(Phone box photo by Alex Segre, on Flickr.)