Inside Carnivore

Ryan Singel has a long article in Wired: “Point, Click … Eavesdrop: How the FBI Wiretap Net Operates.”

I was pretty stunned at some of the numbers:

FBI endpoints on DCSNet have swelled over the years, from 20 “central monitoring plants” at the program’s inception, to 57 in 2005, according to undated pages in the released documents. By 2002, those endpoints connected to more than 350 switches.

Today, most carriers maintain their own central hub, called a “mediation switch,” that’s networked to all the individual switches owned by that carrier, according to the FBI. The FBI’s DCS software links to those mediation switches over the internet, likely using an encrypted VPN. Some carriers run the mediation switch themselves, while others pay companies like VeriSign to handle the whole wiretapping process for them.

This isn’t about a few wiretaps. This is a large scale surveillance process management infrastructure.

Go read it, and then call your Congressman for comment.

Heresy of the Day

Riffing on Adam’s last post, it has been amusing to watch the whole problem with Senator Craig. However, as I’ve chomped my popcorn, there’s been one thing I keep thinking: what if the guy’s telling the truth?

What if he was stupidly caught for not doing much of anything, and the stupidly plead guilty in the naïve hope it would go away?

Yes, I know that some gay activists have said that it’s been an “open secret” that he’s gay. Many people believe that if someone is rabidly anti-gay, then it’s likely that there’s something fueling that rabidity. They think that the rabid person’s Kinsey Scale Rating might be a positive number. I am one of those many people. But rumors that amount to, “oh, I bet he’s closeted” about someone who is anti-gay contain no information. That sort latent hypocrisy is now cliché.

I also realize that when they arrested Ted Kaczynski I thought, “Hey, what if they found the other lone wacko in Montana who hates the modern world and likes blowing things up?” My track record on my own doubt-spirals is bad enough that I have to make baseball metaphors to defend it. Batting .250 is good! Really!

Nonetheless, what if the Senator is telling the truth?

I am suspicious of a policeman who is sent in to investigate lewd behavior and finds it in a non-obvious form. Not because I think he’s got ill intent of his own, but because of selection bias. I believe he’s a guy just doing an icky job — cleaning out the restrooms. He’s there to find lewd behavior and from that lens, he found it, and it even plead. And yet I hear Tom Lehrer singing in my head:

…filth (I’m glad to say) is in
The mind of the beholder
When correctly viewed
Everything is lewd.
I could tell you things about Peter Pan
And the Wizard of Oz, there’s a dirty old man

Or Batman and Robin, for Pete’s sake.

I will also admit that being the contrarian that I am, watching the Republican leadership scattering from gay-cooties like roaches from the kitchen light also makes me ask if the guy was caught for foot-tapping in a public place. If he were a bearded, swarthy young man who was nabbed for terrorist-lite behavior and stupidly plead guilty to a lesser crime and yet denied doing anything, we’d have eyebrows up, so why not this?

In The Daily Kos, kharma brings up the same issue by telling an old joke. It is is important enough that you read it that I will reprint here and not merely link to it:

Two weeks ago, the kids and I went on a trip to visit friends in San Antonio, Texas. On the way we stopped at a rest area just off the interstate. What happened next made me very uneasy…

I was drinking coffee heavily so that I would stay awake and needed to relieve myself pretty badly. I pulled into a rest area, locked the car doors, left the kids sleeping in the car, and went into the restroom. When I entered I noticed it was unoccupied except for a pair of sneakers visible under the second stall.

As I unzipped at one of the urinals and began to relieve my burning bladder I heard a voice say “Hey, what’s up?”. I looked around and there was no one else in the restroom. After a moments hesitation, I answered “Not much”.

A little time went by and he says, “What ya doing?”.

I didn’t feel very comfortable talking to someone in a stall but I didn’t want to be rude and answered, “Uh…we are heading to San Antonio to visit friends.”

“Want to come over?”, he says.

At this point I am really uncomfortable and I finish up and scoot over to the sink to wash up. “No I don’t think so.”, I replied. Wow, was this something else. I had never even had someone next to me with a wide stance before and now I’ve got someone in the stall asking me over!

As I reached for the paper towels to dry my hands I hear, “Hey man, can I call you back? There’s some asshole in the bathroom answering every thing I say.”

So I ask again: what if the guy’s telling the truth?

Senator Craig and the Behavior Detection Officers

…airport police Sgt. Dave Karsnia, who was investigating allegations of sexual conduct in airport restrooms, went into a stall shortly after noon on June 11 and closed the door.

Minutes later, the officer said he saw Craig gazing into his stall through the crack between the door and the frame.

After a man in the adjacent stall left, Craig entered it and put his roller bag against the front of the stall door, ”which Sgt. Karsnia’s experience has indicated is used to attempt to conceal sexual conduct by blocking the view from the front of the stall,” said the complaint, which was dated June 25.

Idaho Senator Says He Did No Wrong.”

My first thought on hearing this was that Sgt. Karsina clearly flies less than I do, because there’s no other place to put your bag other than against the stall door, and important TSA security advisories tell you not to leave your luggage unattended.

Now, I don’t know about you, but I’m worried about the police in our airports. They just might not have enough to do. Odds are good that Karsina was deployed to the airport to watch for terrorists, and other serious threats. That there were no visible terrorist threats makes it easy to re-deploy him to things that people might be complaining about, like perverts in the bathrooms.

When we add additional “behavior detection officers” (“that’s right, your honor, he was behaving”), what’s going to happen? They’re going to detect freaks and hippies and peace protesters.

A major problem with secret rules is that they tend to come to reflect prejudices of the day, like gays. A problem with very low frequency problems is that it’s hard to stay focused on them, rather than the pervs in the bathroom.

It seems odd to me that people have sex in airport bathrooms. You have to go through security to get there, other people will be walking in. But if there are complains of people having sex in the bathroom, the right solution would be to have a bathroom attendant, not a cop. (As Kip Esquire points out.)

[Updated: struck the word "self" before "important TSA security advisories" and corrected "Senators" to "perverts." Emergent Chaos apologizes for the chaos.]

Evolve or Die

Or at least become more vulnerable. I’ve recently been helping a client with their secure coding initiative and as a result I’ve been reading Mike Howard and Dave LeBlanc’s Writing Secure Code which reminded me of an important aspect of maintaining a secure code base which often gets overlooked: That is that as code ages it becomes insecure.
This is most readily apparent with web applications, but is true for any code base. I’ve worked with several clients who brought in organizations such as @stake, ISS, isec partners, etc several years ago for an assessment and then addressed all the found problems. Time goes by and customers using applications like NT Objectives and Watchfire start sending in bug reports. So the client calls me up and says something like: “What happened, those security guys we hired years ago must have been crappy, suddenly customers are calling up claiming we are insecure! How can that be? We haven’t changed the code in those modules in ages!”
The explanation is pretty straight forward. The state of the art of finding vulnerabilities has moved forward and the clients’ controls for dealing with vulnerabilities has stayed the same. As a result, the source code has naturally regressed and become more vulnerable over time, much like a piece of machinery wears out over time. We like to say that old, well understood, well tested code is far better than new code and while in general I’m inclined to agree, one needs to remember, that well tested means adjusting the tests to keep up with the advancement of vulnerabilities.
While this regression is inevitable there are some things that can be done to slow it down. Most notably, practices that reduce the attack surface as much as possible by implementing applications with least necessary privilege and the other security principles of Saltzer and Schroeder. Similarly designing filters to permit acceptable data as opposed to attempting to enumerate bad behavior will also get you a long way in the right direction, but in the end, you have to just keep on testing.

Harvard Business Review on Breaches

Via Chris Hoff, “Harvard Business Review: Excellent Data Breach Case Study…” we learn that the Harvard Business Review has a case study, “Boss, I think Someone Stole Out Customer Data.”

The fictitious company profiled is Flayton Electronics, a regional electronics chain with 32 stores across six states. The premise of the fictitious data breach focuses on the manner in which Flayton Electronics decides what to do, how to interact with LEO, and how/if to communicate the alleged data breach consisting of potentially thousands of their customer’s credit cards.

Both Chris’ article and the HBR article are worth reading.

Security Advantage? I Don’t Buy It.

As quoted in Ken Belva’s blog, Larry Gordon writes:

However, the above is not the end of the information security story from an economics perspective. If an organization can distinguish itself as having much better information security than its competitors, then that organization may well derive a “competitive advantage” (at least in short-run, until competing firms catch-up in terms of security) that results in increased demand for the organization’s physical product(s) and/or service(s).

While I’m sympathetic to the claim, let’s ask how an organization “can distinguish itself as having better information security than its competitors.” (In this post, I’m explicitly not speaking for or about my employer, who I think is doing a great job investing in security, eg, by paying me.)

How can a potential customer make a decision about security? As a consumer, I might look to funny television advertising, or other forms of marketing. But marketing isn’t a good signal: it’s equally easy for a firm to invest in marketing their security effort if they do little, or nothing as it is to market if they invest in a security development lifecycle. As an enterprise, I might consider spending a little money on a critical analysis of the software under consideration, but that’s expensive, and I might cynically believe that the results will all be on the order of “this stinks!”

Even if I could analyze security, security is likely only one of several factors that contribute to my buying choices. It’s not clear that it’s a great source of competitive advantage. For example, in their early days, ebay and paypal invested in things other than security, and did spectacularly well on that decision.

See Ken Belva, “Dr. Gordon: Information Security can have a positive return.”

Lastly, I’ll mention series here in 2004 on the value of signaling as a means to address information asymmetry in “Security Signaling,” “Signalling by Counting Low Hanging Fruit,” and “Ratty Signals.” There’s some great comments.

The “Too Many Notices” Meme

There’s this idea out there that consumers don’t need to be told when their products are broken. Not for things like lead paint on toys, mind you. No one would believe that. It’s when their personal data goes missing. If the company doesn’t think it’s a problem, they should be able to keep it a secret. “To prevent customers from being overwhelmed.” Even normally level headed folks like Deborah Platt Majoras buy into this.

I have a number of responses to this:

  1. We don’t stop notifying people of poorly manufactured products. I see lots of news about Chinese-made toys. I’m tired of hearing about them. But I don’t want the notices to stop.
  2. I’d like to see a number. How many notices is too many? A survey. Even an instance of a real person saying “I’ve gotten too many of these, I don’t know what to do, and I don’t want to know anymore.
  3. Trying to decide if a breach is risky is hard. We don’t have the data you need to make that assessment. We don’t have agreement on what bad outcomes to avoid. Arguing about these floors is an expensive distraction.

Photo: Overload, from ShutterStock.

Trespass and Forgiveness


A man in the UK has been arrested somewhat dramatically for illegally using a WiFi connection. The BBC reports it here as “Man arrested over wi-fi ‘theft’” and El Reg as “Broadbandit nabbed in Wi-Fi bust.” Each is worth reading.

The police statement is worrying. El Reg says:

Despite not having secured a conviction yet or even charged the man, DC Mark Roberts of the computer crime unit said: “This arrest should act as a warning to anyone who thinks it is acceptable to illegally use other people’s broadband connections.”

The worry is that the police seem to have decided what the TOS of the connection is for themselves. Bruce Schneier has said somewhat famously that his home wireless system is unprotected because he feels it is “neighborly.” Ross Anderson leaves his open because he feels it leaves doubt open as to who did what on his network. An RIAA fishing expedition, for example, would have a harder time sticking on either of them.

If, as DC Roberts seems to be saying, it is illegal to use any wireless that is not clearly marked as being open, how does someone declare their wireless as open? Do you need to put some statement in the SSID?

That is a fine answer, but it leads to a second question: would then, having an open wireless system with a generic name be an attractive nuisance? It’s a nuisance to have a swimming pool that is not fenced off, for example, because someone could stumble into it and fall in. In this case, an open wireless system is a nuisance because someone could stumble into it and commit a Computer Misuse without even realizing.

Could not then, there be civil or criminal penalties attached to putting up an unsecured wireless?

Or perhaps it be better for the police to only respond to complaints? That response could even include asking the complainer, “Have you put a password on your network?”

Photo courtesy of sholden.

No, Breach Notification Service is a Good Sign

Over at Dark Reading, there’s a story about First Advantage Membership Services launching a breach notification service. Andrew Conry-Murray starts out:

You know data security breaches are way too common when a company builds a business around customer notification of stolen information.

and he ends:

I applaud companies that comply with notification requirements. It’s the right thing to do. But I’d think twice about doing business with a company that signed up for such a service. It gives the impression that a breach as inevitable, and they are just giving up.

I have two main responses: First and foremost, the emergent market for advice and management of these issues is a good thing. Companies need help, and they’re getting it. The costs of handling a breach will start to fall, because expertise in handling them will become available. (There’s also the interpretation that companies are investing in designing and marketing products indicates that they don’t expect breaches to be a flash in the pan.)

My second response is that I believe that many breaches are inevitable, because we don’t talk about what goes wrong, and we have no way to test much of the pablum suggested as “security best practices.”

Giving Data to Auditors

In light of well-publicized failures to maintain appropriate controls by the ‘final four’ audit firms, giving data to auditors without a clear and compelling business purpose is a bad idea. It’s such a bad idea, even an auto body shop objects:

Auto body repair shops in British Columbia are complaining to the province’s privacy commissioner about the public auto insurer requiring that the shops hand over customer credit card information in the course of routine audits.

The complaint, obtained by The Vancouver Sun, says the disclosure without written consent is “clearly unlawful.”

“It’s of concern to us,” said Gerry Preddy, vice-president of the association. “We’ve had examples of files being lost [by ICBC].”

David Fraser, “BC auto body shops object to auto insurer’s credit-card policy,” quoting the Vancouver Sun.