“ist nicht verfügbar” (German: “is not available”)

So we had some random DNS trouble recently. I believe everything should be back to normal, but DNS issues can take a while to propagate and be fixed. So apologies for the non-availability. We’ve made procedural changes to make these less likely in the future.

Oh, and we lost the SSNs of everyone who had included them in their comments. Sorry, Pete and Dennis!

Dennis Lormel’s Authoritarian Streak

In a post at the Counter-terrorism blog, “National Security Letters…An Important Investigative Tool for the FBI” Dennis Lormel writes:

The Inspector General (IG), U.S. Department of Justice, has issued a report delineating audit findings identifying significant deficiencies in NSL recordkeeping and reporting processes. This determination is quite troubling and inexcusable.

Troubling and inexcusable? Well, you’d expect me to disagree. More important is that FBI Director Robert Mueller doesn’t go that far. NPR said he accepted the findings were basically accurate, and the Washington Post reports in “Lawmakers Vow Hearings on FBI Errors:”

While acknowledging that the inspector general’s report identified “serious problems,” Mueller offered assurances that “the number of abuses is exceptionally small” compared to the overall number of national security letters, and he asserted that “no one has been damaged” by the shortcomings.

So, Mueller says that the report identifies real problems. Lormel calls the report ‘inexcusable.’ How is the truth ever inexcusable?

And my liberties are damned well at risk when the FBI runs rampant, even if they don’t happen to step on people’s toes as they do it. Lormel’s assertions that it’s ok to break the law as long as no one is hurt don’t hold water when the FBI is investigating criminals. They shouldn’t hold water when it’s the FBI breaking the law.

Update: The Associated Press report is headlined “Gonzales, Mueller Admit FBI Broke Law,” and the report is at “A Review of the Federal Bureau of Investigation’s Use of National Security Letters.”

Update 2: changed ‘it’ to ‘the report’ for clarity.

Power Tends to Corrupt

The Justice Department’s inspector general has prepared a scathing report criticizing how the F.B.I. uses a form of administrative subpoena to obtain thousands of telephone, business and financial records without prior judicial approval.

The report, expected to be issued on Friday, says that the bureau lacks sufficient controls to make sure the subpoenas, which do not require a judge’s prior approval, are properly issued and that it does not follow even some of the rules it does have.

See “U.S. Report to Fault F.B.I Over National Security Letters” in the New York Times.

It’s a sad day when even the Justice Department’s own inspector general is a terrorist sympathizer who won’t whitewash the department’s actions. Can’t we replace him with Scooter Libby? He’s loyal. Oh, wait, he’s in jail. Which will soon be said of lots of loyalists.

[Update: more at “Frequent Errors In FBI’s Secret Records Requests” in the Washington Post.]

Choicepoint’s Error Rate

Choicepoint regularly claims a very low rate of errors in their reports. In the Consumer Affairs story, “Choicepoint gets a Makeover,” Choicepoint President Doug Curling “claims his company has a less than 1/10th of 1 percent error rate.”

Now WATE in Knoxville, TN, reports that “Anderson Co. man finds credit report error:”

At his insurance company’s request, ChoicePoint gathered the sum total of Ray’s credit, what he owes for his car, his house, credit cards and other purchases. “It says my grand total of indebtedness is $426,000. That’s about five times what I currently owe,” Ray says.

Some debts Ray paid off showed as though they hadn’t been paid at all. “This was a boat loan” for $50,000, Ray says. “I paid it off over a year ago.”

He also says he went online to ChoicePoint, filed a dispute and spoke with company officials. “My data had not been updated. It was incorrect. My employer was incorrect,” Ray says.

ChoicePoint disputes that any errors were made.

See also my May 2005 posting, “Choicepoint Analyses:”

Choicepoint defines an error as a problem between their collector and the report; bad data collected, which we used to call the “garbage in, garbage out” problem, has been defined away.

and finally, don’t forget Deborah Pierce’s work in “Data Aggregators: A Study of Data Quality and Responsiveness:”

100% of the reports given out by ChoicePoint had at least one error in them.

The deep trouble here is not that Choicepoint reports are inaccurate (although that seems to be a problem based on impartial reports). The trouble is the accountability disconnect between data collection, aggregation, and use. No one takes responsibility for the decisions that are made based on bad data.

[Update: Just after posting this, I came across “Where’s Waldo? Spotting the Terrorist using Data Broker Information:”

In its coverage of the issue, the Ottawa Citizen reported that since September 2001, the RCMP has been buying and retaining this kind of personal information from data brokers, and in some instances may have forwarded that information to U.S. law enforcement.

Good thing Ray’s inaccurate data was “only” used to deny him credit.]

[Update 2: Choicepoint’s Chuck Jones disagrees; please see comments.]

Privacy Fears Come True, Again

Two reports in the New York Times: “Driver’s License Emerges as Crime-Fighting Tool, but Privacy Advocates Worry” and “Warnings Over Privacy of U.S. Health Network.” Naturally, we’ll have that sorted out by the time the system ships. No reason for you to be worried that your health records will be automatically scanned to see if you have nasty diseases. And we certainly won’t be sharing them with the DMV or the cops, to see if you have liver problems, from too much drinking. They’ll be as secure as your driver’s license.

See “All non-trivial privacy fears come true.”

Photo by Everydayeating, representing the privacy areas of the future.

Responsible Disclosure and Months of Bugs

I had promised myself that I wasn’t going to post about any of the Month of Bugs projects and that everything that needed saying had been said by people far more eloquent than I. But then Michael over at MCW Research came at it from a different angle saying:

I whole-heartedly back these projects as long as they’re done professionally, i.e. as long as they respect responsible disclosure.

Well Michael, then you shouldn’t be supporting any of the three major projects to date. From the PHP MoB’s FAQ:

4. Does the PHP Security Response Team know about these issues?
They got prior notification for many but not all of the bugs. Therefore some of the bugs are already fixed in the latest PHP releases and some not. Even when PHP developers get prior notice they usually endanger their users by committing fixes to the PHP CVS tree and then they do not release new security fixed versions for several months.

So not responsible disclosure there. What about the Month of Apple Bugs?

4. Are the issues being reported to the vendor before public disclosure?
Rarely, the point is releasing them without vendor notification. Although, sometimes we may decide to pass an issue through the appropriate people. The problem with so-called ‘responsible disclosure’ is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial. And the reward (automated responses and euphemism-heavy advisories) doesn’t pay off in the end. ‘Responsible disclosure’ exists when the vendor doesn’t deploy any harmful tactics against the source of the vulnerability reports, and requires confidence by all parties involved. At the moment, we don’t trust Apple on these matters due to the track of incidents and unpleasant situations surrounding their policy on product vulnerability handling.

So not only is MOAB not doing responsible disclosure, they are actively against it. Guess you’re not supporting them either.

Well, what about the granddaddy of them all, the Month of Browser Bugs? This one is the trickiest because they don’t specifically call out their process anywhere obvious. However, several of the posts are tagged with dates when the issue was reported to Microsoft. Others say things like that they’ll be added to the OSVDB later and contain no date when they were reported to the vendor. I can only assume that they were not.

So, which projects is it that you are supporting again?

Emerging dating paranoia

When Adam asked me to guest blog on “Dinner, Movie — and a Background Check — for Online Daters”, I promised him I would do it. And then I read the article and couldn’t think of what to say about it. I’m something of a self-proclaimed expert on internet hookups (as anyone who reads ClueChick, my blog, knows), but that’s pretty much never in the kind of context where a background check would make sense.

This whole article seemed like a bit of a non-starter for me. On the one hand, come on, people, are we really this paranoid? And on the other hand, if only people would stop being lying jerks, we wouldn’t need this sort of thing. But I kept thinking about it (and Adam kept bugging me to write this post), and I’m opinionated enough that if I keep thinking about something, I’ll eventually come up with some things to say about it.

So, first, it’s really a shame that people should ever feel the need to do a background check on someone they think they want to spend the rest of their life with. I mean, come on! If you can’t trust this person to tell you the truth, how can you trust them to do all those other minor things about lifelong partnership, like, oh, I don’t know, tell the truth, be respectful, share a life? Call me crazy, but isn’t this getting things off on the wrong foot?

On the other hand, as the article indicates, plenty of people discover things about their mates by doing this check, so, apparently you can’t trust everyone. (Damn!) Well, that’s not news, and there may be a place for this sort of checking up on a new lover, but I wonder about the validity of the businesses providing this service. After all, despite the entirely trustworthy business and information practices of businesses from MasterCard to your local hospital, I have to wonder if I really trust a big corporation to tell me the things I want to know about the person I want to love. Is this really the best way to go about digging for information? I’m not sold.

Finally, and perhaps the biggest issue, to my eyes, is the possibility that people will use this sort of thing instead of common sense tools like their brains and hearts. Yes, a background check might pull up some tidbit of information that I might otherwise never know, but it can’t tell me that my newfound love is the person I want him to be. A lack of data, after all, is not necessarily a positive finding.

So, call me old-fashioned, but I’ll be sticking with the good old getting-to-know-you routine. And, sure, that means I’ll pester your friends for information about your past, but you can be sure that my friends will expect the same from you.

“Free the Grapes” Externalizes Risk

Or so “Shipcompliant” would have us believe, with a blog post entitled “Free the Grapes! Updates Wine Industry Code for Direct Shipping Practices.”

The new addition to the Code is step 4, which specifies that wineries should verify the age of the purchaser of the wine at the time of transaction for all off-site transactions (Internet, phone, mail, fax, etc.). This can be done either by obtaining a photocopy of the purchaser’s drivers license or by using an approved online age verification vendor such as ChoicePoint or IDology.

So to protect themselves from liability, wine merchants who sign up for this code will be putting their customers at risk. Of course, the code already says:

Free the Grapes! encourages licensees to contract only with shippers who check the identification of recipients at the time of delivery to ensure that the recipient is 21 years of age or older.

So there’s no reason to add this step. The very next step ensures that wine won’t get into the hands of our corruptible youth.

This is two steps backwards: We’re creating more work for the wineries and wine sellers, exposing their customers to increased risk of privacy violations, and all to cover a risk that’s already covered.

Free the grapes? How about free the people from this nonsense?

Photo: “A sculpture commemorating the wine press and its importance to California history in Golden Gate Park near the De Young Museum of Fine Arts (6)” by mharrsch.

Chaos and Piracy on the High Seas

“This repo man drives off with ocean freighters:”

“I’m sure there are those who would like to add me to a list of modern pirates of the Caribbean, but I do whatever I can to protect the legal rights of my clients,” said Hardberger, whose company, Vessel Extractions in New Orleans, has negotiated the releases of another dozen cargo ships and prevented the seizures of many others.

and “Activist a ‘pirate,’ not eco-terrorist:”

A Japanese whaling ship caught fire after being chased and harassed by Watson’s fleet, the ships and volunteers of the Sea Shepherd Conservation Society, which not only rammed the whaling boats but fired smoke canisters and ropes to entangle the propellers.

Japan announced Wednesday that it was ending its whaling season early because of the fire, which killed a crewman. Although the blaze came a day after Watson’s group pulled back for lack of fuel, and there’s no alleged connection, Japan calls Watson a terrorist.

While I don’t think what Watson is doing is right, I think it’s wrong to call him a terrorist. He’s not attacking random uninvolved bystanders, which is a requirement for terrorism. He is engaging in something approaching privateering, which, alas, went out of style over 150 years ago.

It doesn’t seem that the US has actually signed onto the Declaration of Paris, which might mean that Congress could issue this fellow a letter of marque, allowing him to legally attack Japanese whalers. (I do seem to recall some UN treaty banning the practice, but can’t find it.)

The United States used privateers in the War of 1812, and there’s interesting information about how that worked in a book review post at Mountainrunner, “Book Review: The Abolition of Privateering and the Declaration of Paris.”


Photo: The Finale, by cynroux.

Iggy Pop on Chaos


[Iggy] wouldn’t tell me who he was talking about specifically, he said, but he believes that the rock business is too big, run by people who know nothing about it.

Wasn’t that always the case?

“No,” he said, decisively. “The people I met at the top in 1972 tended to be crackpots from the fringes of the lowest parts of the entertainment industry. And they tended to know their stuff. Jac Holzman” — the president of Elektra, the Stooges’ old label — “was a former record-store owner in the Village. The guy who ran the very biggest talent agency in New York had ties to the pinball industry, I guess you could say. They could really screw an artist up, but they weren’t just someone from Legal.”

He started warming to the subject: the real subject of the song, he said, was “a fairly loosely aggregated industry-slash-palace guard that has coalesced around the corpus of something called rock, and that something has grown to have something to do with units of digital information, and filling a parking lot.” He paused. “It’s impressive. It’s brutally compelling, sometimes. But it’s not enjoyable.”

From the New York Times, “We have jumped the shark” no, wait, their title is “Same Stooges. Different World. Finer Wine.”

Photo: The Lizard King, by Caroline Bonarde.

Posted in art

DST is Coming, Run For Your Lives!


In a week, the US and Canada are changing when they go to Daylight Savings Time. It must be a slow news week as well, because I’ve read several articles like this, “Daylight-Saving Time Change: Bigger than Y2K?”

When Y2K came around, a number of us quoted Marvin the Martian (now of the Boston Police Department) on this: “Where’s the kaboom? There was supposed to be an earth-shattering kaboom!” So I think that’s going to be a big “yes” on the question. Any positive number is bigger than zero, so no one’s going to be embarrassed for over-reporting.

Eweek also said, “Our story tries not to turn this into a Chicken Little exercise, but it does lay out the reasons why this could be huge.” Oh, please. Any time someone says they’re not trying to be Chicken Little but — you know they’re being Chicken Little, and so do they.

Might there be problems? Ayup. I have to fly that Sunday, and I’m even less pleased than I would be otherwise. There will be screwups. But really, it’s an hour. There will be people late to things, and we’ll cope.

I think this latest change is monumental stupidity, and I’m someone who thinks we should just go to year-round DST. Before, there was one week difference between Europe and North America in DST. Now there’s — eesh. I don’t know, yet. Regularizing them would have made much more sense, despite my belief that more DST is better. Heck, we ought to stop saving it and invest for the increased return.
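As an added example (this is not code from the original post or from eWeek, and is only included here to make the hour-off screwups above concrete): a host whose time-zone rules were never updated keeps applying the pre-2007 US rule (first Sunday in April to last Sunday in October), while an updated host applies the Energy Policy Act of 2005 rule (second Sunday in March to first Sunday in November). The two statutory rules are real; the script below is illustration code that computes the days of a year on which the two hosts disagree, which are exactly the days when local-time log timestamps and scheduled jobs on the two hosts are an hour apart.

```python
# Added example: which days a host with stale (pre-2007) US DST rules disagrees
# with an updated host. The two rules are the real statutory ones; the code and
# the -5 (US Eastern) standard offset used for the skew figure are illustration.
from datetime import date, timedelta
import calendar


def nth_sunday(year, month, n):
    """Date of the n-th Sunday (n >= 1) of the given month."""
    first = date(year, month, 1)
    # weekday(): Monday == 0 ... Sunday == 6
    return first + timedelta(days=(6 - first.weekday()) % 7 + 7 * (n - 1))


def last_sunday(year, month):
    """Date of the last Sunday of the given month."""
    last = date(year, month, calendar.monthrange(year, month)[1])
    return last - timedelta(days=(last.weekday() - 6) % 7)


def dst_window_pre_2007(year):
    """US rule in force 1987-2006: first Sunday in April to last Sunday in October."""
    return nth_sunday(year, 4, 1), last_sunday(year, 10)


def dst_window_post_2007(year):
    """Energy Policy Act of 2005 rule, from 2007: second Sunday in March to first Sunday in November."""
    return nth_sunday(year, 3, 2), nth_sunday(year, 11, 1)


def in_dst(day, window):
    """True if `day` falls inside the half-open [start, end) DST window."""
    start, end = window
    return start <= day < end


def utc_offset_hours(day, window, standard_offset):
    """Local UTC offset on `day` for a zone with the given standard offset (e.g. -5 for US Eastern)."""
    return standard_offset + (1 if in_dst(day, window) else 0)


def disagreement_days(year):
    """Days on which a stale host and an updated host report different local offsets."""
    stale, updated = dst_window_pre_2007(year), dst_window_post_2007(year)
    day, days = date(year, 1, 1), []
    while day.year == year:
        if in_dst(day, stale) != in_dst(day, updated):
            days.append(day)
        day += timedelta(days=1)
    return days


def timestamp_skew_seconds(day):
    """Seconds by which a stale host's local timestamps differ from an updated host's on `day`."""
    updated = utc_offset_hours(day, dst_window_post_2007(day.year), -5)
    stale = utc_offset_hours(day, dst_window_pre_2007(day.year), -5)
    return 3600 * (updated - stale)


if __name__ == "__main__":
    days = disagreement_days(2007)
    print(f"{len(days)} days of disagreement in 2007:",
          f"{days[0]} .. {days[20]} and {days[21]} .. {days[-1]}")
    print("skew on 2007-03-12:", timestamp_skew_seconds(date(2007, 3, 12)), "seconds")
```

Running it for 2007 gives two windows, March 11 to March 31 and October 28 to November 3: four weeks in which a log line from an un-patched box sorts an hour off against everything else, which is the kind of thing that makes incident timelines quietly wrong rather than making anything go kaboom.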

No RFID In Real ID

So DHS finally released the proposed new standard for drivers licenses as mandated under the Real ID Act. It’s a rather long document (over 150 pages) so I haven’t had a chance to read the whole thing but 27B Stroke 6 has some highlights, including:

While some expected Homeland Security to require the licenses to have smart cards or RFID chips, DHS instead proposes a 2D bar code (magnetic stripe) similar to those used on many licenses. That information will not be encrypted.

The FAQ (also linked to by 27B Stroke 6) goes into more depth on both of the above points, saying:

The regulations propose the use of the 2-D barcode already used by 46 jurisdictions (45 States and the District of Columbia). DHS leans towards encrypting the data on the barcode as a privacy protection and requests comments on how to proceed given operational considerations.

I can’t begin to describe how happy I am to hear that RFID is not part of the proposed new standard. It is delightful to see that our objections have been heard and that we will be protected from proximity-based attacks. I’m sure it doesn’t hurt that 45 of the states and Washington DC already use 2D barcodes, which makes that portion of the standard much more palatable and reduces the costs in that realm.
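An added example, not code from DHS, 27B Stroke 6, Free the Grapes or the original posts, to show what “that information will not be encrypted” means in practice, and why the photocopied-license age check in the Free the Grapes post above is such a bad trade. It assumes a record in the general shape of the AAMVA PDF417 license barcode layout as I understand it (a compliance header, a small subfile directory, then LF-separated elements tagged with three-letter codes such as DAQ for the licence number and DBB for the date of birth); the sample record is constructed, with a fictional holder and a made-up issuer number, and the directory offsets are not validated. Anyone with a scanner gets every field out of the plaintext, while the one question a wine merchant actually needs answered is a single bit.

```python
# Added example: what an unencrypted AAMVA-style 2D license barcode exposes,
# against what an age check actually needs. SAMPLE_RECORD is CONSTRUCTED
# (fictional person, made-up issuer number); the layout and element codes are
# an assumption about the AAMVA standard, not taken from the DHS proposal.
SAMPLE_RECORD = (
    "@\n\x1e\r"                        # compliance indicator + LF, RS, CR separators
    "ANSI 636000080002"                 # file type, issuer id (6), version (2), jurisdiction version (2), 2 subfiles
    "DL00410278ZV03190010"              # subfile directory: type, offset, length (offsets not checked here)
    "DLDAQD1234567\n"                   # subfile "DL": licence number
    "DCSDOE\n"                          # family name
    "DACJANE\n"                         # given name
    "DADNONE\n"                         # middle name
    "DBB19800115\n"                     # date of birth, YYYYMMDD
    "DBA20120115\n"                     # expiry date
    "DAG123 MAIN ST\n"                  # street address
    "DAIANYTOWN\n"                      # city
    "DAJWA\n"                           # state
    "DAK981010000  \n"                  # postal code (padded)
    "DCGUSA\n"                          # country
    "\r"                                # segment terminator
    "ZVZVA01\n\r"                       # a jurisdiction-specific subfile
)

ELEMENT_NAMES = {
    "DAQ": "licence number", "DCS": "family name", "DAC": "given name",
    "DAD": "middle name", "DBB": "date of birth", "DBA": "expiry date",
    "DAG": "street address", "DAI": "city", "DAJ": "state",
    "DAK": "postal code", "DCG": "country",
}


def parse_record(record):
    """Return (issuer_id, {subfile_type: {element_code: value}}) from a plaintext barcode payload."""
    if not record.startswith("@\n\x1e\r"):
        raise ValueError("not an AAMVA-style record (missing compliance header)")
    body = record[4:]
    if body[:5] != "ANSI ":
        raise ValueError("unexpected file type")
    issuer_id = body[5:11]
    n_entries = int(body[15:17])
    directory_end = 17 + 10 * n_entries      # each directory entry is 10 characters
    subfiles = {}
    for chunk in body[directory_end:].split("\r"):
        if not chunk:
            continue
        subfile_type, elements = chunk[:2], chunk[2:]
        fields = {}
        for element in elements.split("\n"):
            if len(element) >= 3:               # three-letter code followed by the value
                fields[element[:3]] = element[3:].strip()
        subfiles[subfile_type] = fields
    return issuer_id, subfiles


def exposed_identity(record):
    """Everything a scanner (or a photocopy) hands to whoever holds it."""
    _, subfiles = parse_record(record)
    return {ELEMENT_NAMES[code]: value
            for code, value in subfiles.get("DL", {}).items() if code in ELEMENT_NAMES}


def years_old(dob_yyyymmdd, on_yyyymmdd):
    """Whole years between a YYYYMMDD birth date and a YYYYMMDD reference date."""
    years = int(on_yyyymmdd[:4]) - int(dob_yyyymmdd[:4])
    if on_yyyymmdd[4:] < dob_yyyymmdd[4:]:      # birthday not yet reached this year
        years -= 1
    return years


def is_21(record, on_yyyymmdd):
    """The only bit a wine merchant needs: has the holder turned 21 on the given day?"""
    dob = parse_record(record)[1]["DL"]["DBB"]
    return years_old(dob, on_yyyymmdd) >= 21


if __name__ == "__main__":
    for name, value in exposed_identity(SAMPLE_RECORD).items():
        print(f"{name:15} {value}")
    print("over 21 on 2007-03-01:", is_21(SAMPLE_RECORD, "20070301"))
```

The asymmetry is the point: is_21 reads one field and returns one bit, while exposed_identity is what a photocopy, or an unencrypted scan at any bar or shipping depot, actually discloses. Encrypting the barcode, which DHS says it leans towards, or having the verifier answer only the age question, is what closes that gap.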

More On Secure Banking

Continuing our tradition of bringing you the news before it’s fit to print, Chris covered “The Emperor’s New Security Indicators” in “Why Johnny Can’t Bank Safely.”

Don’t miss Andrew Patrick’s “Commentary on Research on New Security Indicators,” Alan Schiffman’s “Not The Emperor’s New Security Studies,” or Alex’s “Bad Studies, Bad!”

As an aside, Chris used the useful “paper” as his link text, rather than “The Emperor’s New Security Indicators,” which made it a real pain to search for the paper.