Biometrics are not a panacea for data loss

Ian Brown writes, “Biometrics are not a panacea for data loss:”

“What we must ensure is that identity fraud is avoided, and the way to avoid identity fraud is to say that for passport information we will have the biometric support that is necessary, so that people can feel confident that their identity is protected.” – The Prime Minister, Hansard Column 1181, 21/11/07

These assertions are based on a fairy-tale view of the capabilities of the technology, and in addition, only deal with one aspect of the problems that this type of data breach causes.

Ian, you’re too kind. It’s not a fairy-tale view, it’s contempt for the public, and a belief that they can be spun into believing anything.

Japanese Breach Disclosure Law

I believe that I follow breach notification pretty closely. So I was surprised to learn that I had missed the passage of a law in Japan. Bird & Bird, Notification of data security breaches explains:

In Japan, the Personal Information Protection Act (Law No. 57 of 2003; chapters 1 to 3 effective May 30 2003 and chapters 4 to 6 effective April 1 2005) (the “PIPA”), establishes the basic principle regarding the fair handling of personal information and regulates the handling of Personal Information[1] by business operators (“Information Handlers”).

A presentation by Morrison & Foerster, “Data Security and Incident Notification: The Impact of Foreign Law” tells us:

You may have obligations under Japanese privacy law if:

  • You are affiliated with a Japanese company or institution.
  • You use or have access to employee or student information maintained in Japan.
  • A Japanese institution with which you are involved, for example, in a study-abroad program enters into a contract with you, according to which you assume privacy obligations under Japanese law.

To date, I’m aware of breach disclosure laws in 38 US states and Japan. Are there others?

There’s got to be an IT secret handshake


I’ve been in the hotel I am in for over a week now. It is a European hotel that has wireless, and you have to get an access card and type a six-character string into an access web page. That authenticates you, and you can go.

The problem I have today is that I can browse the net completely. But I can’t do anything else. No email, no vpn, no ping, no traceroute, no nothing. If I telnet to a useful port on my own servers, I get a syn/ack/syn and no flow.

My hypothesis is that whatever does a redirect on port 80 to get you to the authentication web page is broken.

I’ve talked to first-line tech support at the provider, who let it slip that he thinks it’s in the firewall at the hotel. This is consistent with my evidence. However, he won’t let me talk to anyone who actually knows what “ping” is. I have talked to someone at my front desk, who has talked to the local IT person, and we’ve had mediated back-and-forths.

If I could actually talk to someone who knows what a web redirect is or even what a “port” is, I could let them know. If I knew the URL of the authentication page, I could tell them the problem. The local IT guy is presently talking to the ISP, but I told the gal at the desk that I’m an IT person, too, and if their IT guy will call me, then I will help explain the problem.

As a matter of fact, while writing this, I just connected to an HTTPS URL, which redirected me to the authentication page, and now everything is working. This is how you’re reading this today. So I know what their problem is and can tell them how to fix it. They just have to know that I know, and that I’m not a mere luser.

We need an IT secret handshake. Perhaps Randall Munroe can help. Remember those old stories about the Freemasons in some pickle or another who suddenly showed the handshake? We need one.

Update: The gal at the front desk has called back. The ISP and the local IT people have decided this is actually my problem. However, she also says that another guest has this problem. I explained this as much as I could to her, and told her to tell the other guest to go to an SSL web page to fix it.
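The failure mode above (a portal whose port-80 redirect is broken while its port-443 interception still works) is the kind of thing OS captive-portal detectors probe for. The following is an added example, not code from the original post: it fetches a known URL over HTTP and HTTPS, classifies each raw response, and combines that with a non-web port check into a next step for the user. The probe URLs and sample responses are hypothetical and constructed.

```python
from urllib.parse import urlsplit

# Hypothetical probe URLs; real detectors use a vendor-owned URL with a fixed reply.
PROBE_HTTP = "http://probe.example.invalid/hotspot-detect.txt"
PROBE_HTTPS = "https://probe.example.invalid/hotspot-detect.txt"
EXPECTED_BODY = b"OK"
REDIRECTS = {301, 302, 303, 307, 308}


def parse_http_response(raw):
    """Split a raw HTTP/1.x response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("latin-1").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body


def classify_probe(raw, probe_url):
    """One probe -> 'authenticated', 'captive-portal', 'intercepted' or 'blocked'."""
    if raw is None:
        return "blocked"  # TCP handshake completed or timed out, but no data flowed
    status, headers, body = parse_http_response(raw)
    if status == 200 and body.strip() == EXPECTED_BODY:
        return "authenticated"  # the real probe answer came back unmodified
    if status in REDIRECTS and "location" in headers:
        want = urlsplit(probe_url).hostname
        got = urlsplit(headers["location"]).hostname
        if got and got != want:
            return "captive-portal"  # sent to a login page on a different host
    return "intercepted"  # reply was altered, but there is no login redirect


def diagnose(http_raw, https_raw, other_ports_ok):
    """Combine both web probes and a non-web port check into (verdict, next step)."""
    http = classify_probe(http_raw, PROBE_HTTP)
    https = classify_probe(https_raw, PROBE_HTTPS)
    if http == "authenticated" and other_ports_ok:
        return "connected", "session is authenticated; nothing to do"
    if http == "captive-portal":
        return "captive-portal", "open any http:// page and log in at the portal"
    if https == "captive-portal":
        # The port-80 redirect is broken, but the portal still intercepts 443.
        return "captive-portal", "open an https:// page to reach the login page"
    if http == "authenticated":
        return "web-only", "port 80 passes but other ports stall; escalate to the operator"
    return "blocked", "no probe answered and no login redirect on 80 or 443; escalate"


# Constructed sample responses, not captured from a real hotel network.
HTTP_OK = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nOK"
PORTAL_302 = (b"HTTP/1.1 302 Found\r\n"
              b"Location: https://login.hotel.invalid/auth?token=abc\r\n\r\n")

if __name__ == "__main__":
    # The post's situation: web browsing works, other ports stall, HTTPS gets redirected.
    print(diagnose(HTTP_OK, PORTAL_302, other_ports_ok=False))
```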

Photo courtesy of photos.tjweb and selected because it matched a search for “authentication web page”

Banksy Would Be Proud

In a feat that would make Banksy proud, members of Untergunther, whom the Guardian calls “cultural guerrillas”, restored the antique clock at the Panthéon. They spent about a year, beginning in September of 2005, in a hidden workshop, dismantling and rebuilding the entire clockwork, which had been abandoned in the 1960s. They were never discovered despite having tapped into the electrical and network systems.

Getting into the building was the easiest part, according to Klausmann. The squad allowed themselves to be locked into the Panthéon one night, and then identified a side entrance near some stairs leading up to their future hiding place. “Opening a lock is the easiest thing for a clockmaker,” said Klausmann. From then on, they sneaked in day or night under the unsuspecting noses of the Panthéon’s officials.

Their presence only became known when they revealed themselves so the curators would know to wind the clock. This is far from the first project Untergunther has undertaken.

Klausmann and his crew are connoisseurs of the Parisian underworld. Since the 1990s they have restored crypts, staged readings and plays in monuments at night, and organised rock concerts in quarries. The network was unknown to the authorities until 2004, when the police discovered an underground cinema, complete with bar and restaurant, under the Seine. They have tried to track them down ever since.

So keep an eye on the news, you never know where they’ll pop up next.

Is 2,100 breaches of security a lot?


There’s a story in the Yorkshire Post, “2,111 data disasters blamed on disc row bunglers.” At first blush, that’s an awful lot of errors:

THE bungling Government department responsible for losing 25 million people’s personal details in the post was hit by more than 2,100 reported breaches of security in the past year alone.

And 41 laptops – many containing sensitive financial details relating to members of the public – were stolen from employees at HM Revenue and Customs (HMRC) over the last 12 months, demolishing any notion that the loss of two computer discs containing the details of child benefit claimants was a “one-off” error.

There’s a scene in one of the Star Trek movies that’s stuck with me. Captain Kirk is walking around San Francisco and needs some cash. He goes into a pawn shop to sell his glasses, and the guy offers him a hundred bucks. Kirk looks at him and says “Is that a lot?” He doesn’t have the context to understand the number that he’s been given.

When I hear that HMRC has had 2,100 breaches reported, I’m forced to ask, “is that a lot?”

To put the number in context, we need three things:

  • What is a breach? Does it include, for example, leaving your screen unlocked when you go to the restroom? We can’t understand what 2,100 breaches mean without knowing what is being counted.
  • How big is the department? If it’s 10 people, then that’s a breach a day. If it’s 2,100 people, then it’s a breach a year. (As an indicator, page 7 of the HMRC 2007 departmental report indicates that their IT department supports 110,000 workstations and 120,000 mailboxes.) So it seems that they’re at about 1 “breach” per 50 employees per year.
  • How does this compare to other organizations? Do other departments of Her Majesty’s government breach at the same rate? That seems lower than the US Government reported rate of one per hour, but actually, 2,100 breaches is about one per hour per business day for HMRC. So does HMRC leak at the same rate as all of the US government, or are we seeing different definitions of breaches?

This is clearly a bad breach, a meaningful one for the UK, and it will influence what emerges from the many discussions around breaches, breach disclosure and computer security.

To me the most important lesson is that we’re unable to say if this is one of the worst breaches, or simply one of many bad ones. Like Captain Kirk, we don’t have the context to understand the number.

Credits: Yorkshire Post story via Pogo Was Right. Image: “Forest and Sky,” showing comet Holmes shining a bit more brightly than the many stars. Photo by Vincent Jacques, via Astronomy Picture of the Day, and begging the question: is this a comet, or a star?

HMRC Data discs on EBay

Quite possibly the funniest infosec joke seen in 2007.

Here we have two CD-R’s for auction. They are not blank, but seem to have some sort of database written to them. I found them in my local courier firm’s sorting office, addressed to
“Her Majesties Audit Office – Child Benefits Section” and marked
They were obviously surplus to requirements.
I haven’t read the data myself. The database appears to have approximately 25 million records in it, but is password protected, so it is impossible to read it and it’s definitely impossible to extract any bank account data from it.

El Reg has it all.

A quick comment on the UK lapse

Thanks to all the readers who have written to tell me about the HM Revenue and Customs breach in the UK. I’m on vacation at the moment, and haven’t had a chance to read in depth. However, example stories include the BBC’s “Pressure on Darling over records:”

Alistair Darling has apologised for the “extremely serious failure”, which has exposed all Child Benefit recipients to the threat of identity fraud.

and the Times Online’s “Moment’s blunder puts half the country at risk.”

In June, 2007, I wrote “It’s not all about ‘identity theft’,” and if you’ll indulge me, I’d like to repeat myself:

Data breaches are not meaningful because of identity theft.

They are about honesty about a commitment that an organization has made while collecting data, and a failure to meet that commitment. They’re about people’s privacy, as the Astroglide and Victoria’s Secret cases make clear.

The issue here is not ID theft risk. The data in the CDs don’t lead to that. The issue is a massive breach of public trust by Her Majesty’s government, and over that, people are rightly outraged.

[Update: I may have spoken too soon on the question of “can this data lead to ID theft in the UK.” See the comments.]

Breach Disclosure of the Zeroeth Millennium


The BBC reports the whereabouts of the legendary cave where Romulus and Remus, founders of Rome, were nursed by a she-wolf, Lupa, as foundlings.

The eight-meter-high cave was found buried sixteen meters under a previously-unexplored area of Palatine hill in Rome.

Although their home address has been made public, it is unclear if the Roman founders lost any other personal information such as tax ID numbers, bank information, or date of birth.

In related news, two disks in the UK have been lost with the personal details of 25 million Britons including “name, address, date of birth, National Insurance number and, where relevant, bank details.” This is everyone in the UK who receives a tax deduction from having children.

HMRC’s Paul Gray resigned over the incident (as if that will help). Liberal Democrat Acting Leader Vince Cable clucked: “why does HMRC still use CDs for data transmission in this day and age?” proving that he doesn’t read this blog. Mr Cable, as well as Shadow Chancellor George Osborne, predicted the end of the National ID Database as a result of this loss.

Commissioner of Obvious Information, Richard Thomas, said: “this is an extremely serious and disturbing security breach” and Chancellor Alistair Darling pointed out that at least no one had had fiber-optic endoscopes pushed into their houses unlike those Roman foundlings.

Vulnerability Disclosure Agents Part N

Recently Dave G of Matasano (and smoked salt) fame wrote two interesting articles on Vulnerability Disclosure Markets. In the second one, he reposted a user’s comment:

Based on the failing (due to agenda) of (particular) Researchers, Coordinators (i.e. FIRST Members) and Vendors – Which “trusted person or organization” is left “that can represent vulnerability researchers whose reputation is at stake when dealing with vendors.”?

Let’s assume for a moment that, in fact, there is no one that currently fills this role to everyone’s satisfaction. Furthermore, let us assume that (at least for certain large vendors) while the extant systems more or less work, everyone wishes they were smoother and easier.

How do we improve the situation? Vendors really don’t like the vulnerability markets, researchers, quite understandably, fear liability, and users just want fixes. How would a vulnerability disclosure agent straddle this three-sided fence? It seems to me that ideally, the agent would be a respected, disinterested third party, preferably a not-for-profit that didn’t accept funding from either vendors or researchers. Coming from the corporate side, that sounds like a good balance to me. What say you? Does this make sense? Are there pitfalls I’m missing?

The costs of liability

It’s become common for people thinking about security economics to call for liability around security failures. The idea is that software creators who ship insecure products could be held liable, because they’re well positioned to address the problems.

I don’t think this is a trouble-free idea. There are lots of complexities. As one example, are open source vendors going to be liable? Fyodor, who writes and gives away nmap? What about Apple, when they include a package, say bind or bzip, both of which were included in their latest security update? Including such third-party software allows Apple to provide basic functionality at lower cost.

Now, the UK Information Commissioner has proposed that doctors who lose laptops with patient data could be subject to a £5,000 fine.

Mr Thomas said: “If a doctor, or hospital [employee] leaves a laptop containing patients’ records in his car and it is stolen, it is hard to see that is anything but gross negligence.”

The commission can currently issue enforcement notices but these “do not impose any element of punishment for wrongdoing”. But Lord Lyell of Markyate, a former Attorney-General, said it would be disproportionate to criminalise doctors for losing a laptop.

Mr Thomas said the intention was not to prosecute for a single incident, but that for gross negligence there was “a need to have some deterrent in place”. He said anyone holding personal data should know the basics of “encryption” to protect that material. (“Doctors may be prosecuted if their laptops are stolen,” Times Online, UK)

I’m with Lord Lyell here, and think that there’s a great deal of specific thinking to be done before we should impose more liability for software flaws. Software creators, including Mozilla, know that it’s hard to make bug-free software, so my employer probably thinks similar things.

Possibly related, “Government ignores Personal Medical Security.”

Via PogoWasRight.

Why can’t the CIA hire guys like this?

The Telegraph is concerned that

The most senior British intelligence official, appointed yesterday to oversee MI5, MI6 and GCHQ, has a website revealing his home address, phone numbers and private photographs of himself, family and friends.
The upshot seems to be that the gent in question, Alex Allan, lacks the circumspection one would demand of a high-level intelligence official.
While the Telegraph is loath to reveal at which personal web site Mr. Allan wrote of his personal history — including his love for the Grateful Dead — a simple Google search locates it trivially. From what I saw there, the guy seems intelligent and cool. Perhaps some of the juicier bits have been removed, but much of what the Telegraph goes on about was easy to find, so I don’t know.
Call me naive, but I think the value in seeing the head of a spy agency as a thoughtful human being outweighs the danger wrought by having his address known publicly.
[Photo credit, Ken Towner (via Alex Allan’s secure undisclosed web site)]

Controlling Water

In Controlling Water, Dana writes:

…Alex Stupak, […] dropped this bombshell in my ear with the casual effect of a little bird chirping their daily song.

With no prompt, he said simply, “You know, it’s really just about controlling water,” and walked away.

This simple phrase had the power of a plot changing hollywood one liner, too few words with more effect than realistically possible, delivered at a turning point at which you can see the characters shift indelibly. These words have shifted me.

These “magic white powders” that are given to modern technique, xanthan gum, gellan gum, agar agar, and various modified starches, are simply put, controlling water. And by controlling water, we are controlling texture.

While this fact was a revelation to me, what was even more thought provoking, was how much of my pastry work up to this point was based off controlling water. And it’s not just me folks, it’s you too.

Making dessert. It’s all about controlling water. Cool.


Bye-Bye Pay By Touch!


I’ve always been concerned about biometric systems for payment. I don’t want my fingerprint to be able to access my bank account: I leave fingerprints all over the place. I’m glad to see that biometrics pioneer Pay-By-Touch is shifting focus:

Pay By Touch, which has made a major push in POS biometric payments, is backing off that business, according to a report in the current issue of The Nilson Report, a major payments newsletter.

Tip of the hat to StoreFrontBackTalk, “Pay By Touch Giving Up On Biometric POS?”

A quick clarification: “POS” is industry-speak for “Point of Sale,” not “Piece of Shit.” We apologize for any confusion.

[Update: Evan now relays the news that “Pay By Touch (is) In Bankruptcy Proceeding(s).”]

Photo: Escaped Monkey‘s password, posted to Flickr.

How to Blog a Talk

Blogging about your own presentations is tough. Some people post their slides, but slides are not essays, and often make little sense without the speaker.

I really like what Chris Hoff did in his blog post, “Security and Disruptive Innovation Part I: The Setup.”


I did something similar after “Security Breaches Are Good for You: My Shmoocon talk.” I posted a PDF of the slides. I think the PDF is less effective, because you can’t skim it, search it, or excerpt it as easily as with Hoff’s HTML version.

Nice work, Chris!

Wednesday Privacy Roundup

Privacy in the EU has been hugely in the news in the last week. Check these out:
European Union justice ministers on Friday agreed on a minimum set of rules protecting the cross-border exchange of personal data by law-enforcement agencies in the 27 member states. There were lots of other proposals discussed, including ones that mimic US-VISIT and data sharing of flight passenger information.

The Data Protection Act doesn’t ban parents filming the school play.

Europe’s top privacy regulator has said that European privacy laws will need to be overhauled in just five years’ time.

“I would expect that some five years down the road, we need to see some changes in the existing framework,” said Hustinx, the European Data Protection Supervisor (EDPS). “Where? Not in the principles, although some parts perhaps need to be revisited, my emphasis would be we need more flexible arrangements to make it work better, to make it more effective.”

The European Commission has published a plan to compel EU members to gather more information on air passengers travelling in and out of the EU in what it says is an attempt to combat terrorism. Of course, it’s never that simple:

Statewatch editor Tony Bunyan said that the increased monitoring was unwarranted. “This is yet another measure that places everyone under surveillance and makes everyone a suspect without any meaningful right to know how the data is used, how it is further processed and by whom,” he said. “Moreover, the profiling of all airline passengers has no place in a democracy.”

Back on August 1st, the Office of the Privacy Commissioner of Canada released guidelines for handling breach disclosures. Key Steps for Organizations in Responding to Privacy Breaches lays out the definition of a breach and a high-level process for dealing with breaches, starting with containment, moving through assessment to notification and finally prevention of future breaches.

To assist with the process, the Commissioner also released the Privacy Breach Checklist, which takes the guidance from the first document and reproduces it in a format that is easier to follow at the time an incident occurs. This checklist in particular would be a great starting point for any incident response team dealing with privacy breaches.