Thursday, June 29. 2006
Good news, bad news
The good news: The laptop containing the private VA records of 26 million veterans has been recovered, and it appears that the thief never got access to the data.
The bad news: This was not a matter of an employee violating policy. Someone gave this guy permission to take a laptop full of private information home. Clearly, government entities haven't gotten the message that identity information protection is critically important. And if the government doesn't get it, neither does private industry.
Newly discovered documents show that the VA analyst blamed for losing the laptop had received permission in 2002 to work from home, on a laptop, on data that included millions of Social Security numbers.
"From the start, the VA has acted as if the theft was a PR problem that had to be managed, not fully confronted," said Rep. Bob Filner, D-Calif. "They're trying to pin it on this one guy, but I think it's other people we need to be looking at."
Friday, June 16. 2006
If you aren't doing anything wrong...
Bruce Schneier has published an article succinctly stating the case for why privacy rights are so important:
The most common retort against privacy advocates -- by those in favor of ID checks, cameras, databases, data mining and other wholesale surveillance measures -- is this line: "If you aren't doing anything wrong, what do you have to hide?"
Some clever answers: "If I'm not doing anything wrong, then you have no cause to watch me." "Because the government gets to define what's wrong, and they keep changing the definition." "Because you might do something wrong with my information." My problem with quips like these -- as right as they are -- is that they accept the premise that privacy is about hiding a wrong. It's not. Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect.
JaBbA says check it out.
Tuesday, March 28. 2006
Opting Out
After doing some research, I'm going to try to see if OptOutPrescreen.com really works. It's not a phishing scam, it's a legitimate site run by the credit bureaus. It asks for a lot of info, but of course, they already have that info. The Privacy Policy gave me a little pause (see extended entry) but it really doesn't give them any more rights to your info than they already have.
I'll try to track just how many "pre-approved" offers I get over the coming months - word is this will take about 2 months. Then we'll see if this really works.
Friday, January 27. 2006
IN HIS FREAKIN' CAR!!!!
It just boggles the mind that people can be so careless....
About 365,000 hospice and home health care patients in Oregon and Washington are being notified about the theft of computer backup data disks and tapes late last month that included personal information and confidential medical records.
In an announcement yesterday, Providence Home Services, a division of Seattle-based Providence Health Systems, said the records and other data were on several disks and tapes stolen from the car of a Providence employee at his home.
They say the data is encrypted and in proprietary formats. I really hope so.
Friday, November 18. 2005
Haven't we heard of this company before?
The idea of a mega-database is Bad Enough:
To help the government track suspected terrorists and spies who may be visiting or residing in this country, the FBI and the Defense Department for the past three years have been paying a Georgia-based company for access to its vast databases that contain billions of personal records about nearly every person -- citizens and noncitizens alike -- in the United States.
But the name of that Georgia Company?
Choicepoint.
32,000 consumers' personal information, including names, addresses and Social Security numbers, was illegally accessed by using the user name and passwords of a company that has a contract with the data aggregator.
Wednesday, November 9. 2005
But What's the Harm?
This email has been making the rounds:
Check this out:
This is upsetting but I thought I should pass it along. Check your
driver's license. Now you can see anyone's Driver's License on the
Internet, including your own! I just searched for mine and there it
was... picture and all!! Thanks Homeland Security! Where are our
rights?
I definitely removed mine. I suggest you do the same.
Go to the web site and check it out. Just enter your name, city and
state to see if yours is on file. After your license comes on the
screen, click the box marked "Please Remove". This will remove it
from public viewing, but not from law enforcement.
It's followed by a URL. Go to the URL, and you get a screen including a form asking for your name, city and state.
Seems safe enough, just name, state and city, right? And it's a joke...
So why has it been reported as a Phishing site? Why is it blocked by the Netcraft Toolbar?
Well, think about it. You have just
- Given someone some information about yourself
- Shown yourself to be willing to click on links in emails sent to you
Spammers and Phishers have a LOT of information about you. You think they can't link that info you just gave to your email address? Dream on. I'd almost guarantee that spreading this hoax is helping spammers build better, more effective lists. And I wouldn't be surprised if a lot of people doing this find themselves the target of a Phishing attack - using a bank specifically in your city.
DON'T forward jokes, you never know what's behind them.
Thursday, November 3. 2005
SEC Warning
The SEC has just come out with a warning to protect your online investment accounts. Apparently people are losing thousands of dollars to thieves armed with keyloggers.
The Root Identity
The news in the ID Management world for some months now has been the UK Government's plans for a National Identity Database. It is almost universally reviled for its obvious potential for abuse and the fears of using the wrong technology.
I just finished reading a fascinating article, in plain English, about the need for, and characteristics of, a Root Identity system. Talking about what an eID should be:
If you adopt this line of reasoning you find that in order to function in this capacity the eID must have some specific properties:
- it must be able to bind out to other processes
- it must specifically be able to facilitate an irrefutable link between its user and itself
- it must be able to participate in authorisation procedures, in my view without leaking any identity information - helping to answer the question: is this individual allowed to do this in this context? In most cases you do not need identification to answer this type of question
- it should be able to facilitate authentication processes without compromising identity - allowing anonymity or pseudonymity most of the time is a fundamental requirement of any eID system in a free society
- it should be able to uniquely represent the legitimate holder (and only the legitimate holder) in public key cryptographic protocols - a consequence of the two points above
- it should be able to participate in identification processes if identification is required and legitimate
- it must not depend on irreplaceable personal characteristics, in the sense that the system as such must be able to cope with the problem of compromised or lost/changed characteristics
- the token containing the eID must be replaceable without unwanted consequences, or as a corollary, theft or loss of a token must not enable impersonation
- all its functions, including any disclosure of information in the token, must be fully controlled by the owner
Basically, an eID should provide Authorization for most activities (buying Alcohol, Using a credit card) and Authentication when appropriate (Applying for credit, questioning by authorities) without ever giving out any information without the holder's consent. A huge challenge.
At the same time, the token needs to be able to be used by the owner, under any circumstances. The conclusion is that there is only one biometric that is unchanging through life, will not be affected by injury or age, and is irrefutable - DNA. There are huge security and technological challenges to using DNA as the basis for an eID, but it will eventually become the only solution.
JaBbA says check it out. From Kim Cameron.
Tuesday, August 9. 2005
Stolen personal data found on spyware server
Sunbelt Software has handed over to the FBI a large file it recovered from a server which contained large amounts of very sensitive data stolen by CoolWebSearch spyware:
Sunbelt's research showed that the information being uploaded to the remote server included chat sessions, user names, passwords and bank information, he said. The bank information included details on one company bank account with more than $350,000 in deposits and another belonging to a small California company with over $11,000 in readily accessible cash, he said.
Many of the records being uploaded also contained eBay account information, he said. Among the highly personal bits of information Sunbelt was able to retrieve from the server were one family's vacation plans, instructions to a limo driver to pick up passengers from an airport and details about one computer user with a penchant for pedophilia.
Tuesday, July 5. 2005
Confused about why a National ID card is a bad thing?
Well, Mr. Doghorse has an entertaining comment - and an informative site - on the British National ID Card.
Link from Bruce Schneier, and then his next entry was on how hard it is to actually find out if database data is misused, which is of course a wholly appropriate followup.
Friday, July 1. 2005
FTC kills Spykiller
The "Free" spyware scans advertised on the Internet, which I've been warning about for years, have finally been shut down. The FTC has frozen all the assets of Trustsoft, whose Spykiller product has been ripping people off for a long time.
JaBbA says about freakin' time.
Wednesday, May 25. 2005
Nitpicking
As long as I'm nitpicking, I had to put this in.
Kim Cameron's very interesting whitepaper The Laws of Identity gives those of us dealing with Identity Management a great place to start the conversations. An excellent read, and some good points (although as "Architect of Identity" for Microsoft Corporation, I keep seeing Kim in a Sith cloak).
But there is one ironic word mistake. Talking about how Enterprises use identity:
The differing contexts of discreet enterprises lead to a requirement
Now as much as I like to think that Enterprises have my privacy in mind:
dis·creet Pronunciation Key (dĭ-skrēt′)
adj.
1. Marked by, exercising, or showing prudence and wise self-restraint in speech and behavior; circumspect.
2. Free from ostentation or pretension; modest.
[Middle English, from Old French discret, from Medieval Latin discrētus, from Latin, past participle of discernere, separate, to discern. See discreet.]
I think Kim meant that the enterprises were distinct, not circumspect:
dis·crete Pronunciation Key (dĭ-skrēt′)
adj.
1. Constituting a separate thing. See Synonyms at distinct.
2. Consisting of unconnected distinct parts.
3. Mathematics. Defined for a finite or countable set of values; not continuous.
[Middle English, from Old French, from Latin discrētus, past participle of discernere, to separate. See discreet.]
Password Maintenance
One of the biggest problems web surfers struggle with on a daily basis is the multitude of identities we have to maintain. At every web site we are asked to create a username and password. The email address has become a de facto Globally Unique Identifier (GUID) by its very nature. Unfortunately, people tend to reuse familiar passwords, often based on dictionary words and people's names. Those passwords, reused over many websites, make us vulnerable if any one of the webmasters maintains those passwords in an insecure manner. One online community gets hacked, and the next thing you know your credit card has charges run up or your bank account is empty.
The solutions available to the average web surfer have usually involved some kind of "key chain" - a password keeper like Oubliette that can keep hundreds of different passwords encrypted. (BTW, I highly recommend Tranglos' KeyNote too). But you still have to invent good passwords, and if you don't have your computer it doesn't do you any good.
Enter Eric Jung and his Firefox Extension PasswordMaker. This awesome little program allows you to remember exactly ONE password, and will generate a unique password for every website. It does this by combining your strong password with the domain name of the website, then taking the hash of the combined string. Hashes, by their nature, are one-way algorithms - it is computationally infeasible to predict which strings will generate a specific hash, and to get the original string back from the hash. So, for example, if my password is "Password Maker is a Wonderful Program" (nice and long, but definitely not very strong), the generated password for jalcorn.net is 344b3201, but the same password generates the hash 145a8088 for microsoft.com. Unpredictable and non-reversible - with two caveats. A generated site password is only eight hex digits, i.e. 32 bits, which is fine against online guessing at a login form but thin against an attacker who can test guesses offline. And "non-reversible" does not mean "unguessable": the derivation is a single unsalted MD5, so anyone who obtains one of your generated passwords (say, from a site that stored it in the clear) can run a dictionary attack on the master password at MD5 speed. The master password therefore has to be genuinely strong, not merely long.
As a firefox extension, it's always available - hit Ctrl-`, type in the master password, and the domain password is copied to the clipboard for entering into the site. But what if you're not using your own machine?
No problem. There's a JavaScript version of the program. Because it's JavaScript, it runs client-side only, and your master password is never submitted over the internet - provided, of course, that the copy of the page you're running is one you trust, since a tampered page could post it just as easily. Need a command-line version? I use this Perl script:
#!/usr/bin/perl
# md5hash.pl - generates a passwordmaker-compatible hash from the site name given on the
# command line and the master password typed at the prompt. No error checking.
# Replicates passwordmaker with default settings: no l33t, 8 characters, MD5 algorithm.
use strict;
use warnings;
use Term::Prompt;
use Digest::MD5 qw(md5_hex);

my $site = shift;                                    # e.g. jalcorn.net
my $pw   = prompt("p", "Master Password:", "", "");  # "p" = password prompt, input not echoed
my $data = $pw . $site;                              # master password followed by the domain
print "\n" . substr(md5_hex($data), 0, 8) . "\n";    # first 8 hex digits of the MD5
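The same derivation in Python, as an added example that is not part of the original post or of PasswordMaker itself. It replicates the Perl script above (MD5 of master password followed by domain, first eight hex digits; assumed to match PasswordMaker's defaults), then shows why the master password has to be strong: given one leaked site password, a dictionary attack recovers the master offline. The final function is a hardened variant added for contrast (PBKDF2 with the domain as salt and a longer output), not a PasswordMaker feature. The master password and guess list are constructed sample data.

```python
import base64
import hashlib
from typing import Iterable, Optional


def passwordmaker_default(master: str, domain: str, length: int = 8) -> str:
    """Same computation as the Perl script: MD5 over master || domain,
    truncated to `length` hex digits (assumed to equal PasswordMaker's
    default profile: no l33t, 8 characters, MD5)."""
    digest = hashlib.md5((master + domain).encode("utf-8")).hexdigest()
    return digest[:length]


def recover_master(site_password: str, domain: str,
                   candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack against the scheme above. Whoever learns one
    generated site password (e.g. from a site that stored it in the clear)
    can test master-password guesses at MD5 speed without contacting any
    server. Returns the first candidate that reproduces the site password,
    or None if the guess list is exhausted."""
    for guess in candidates:
        if passwordmaker_default(guess, domain, len(site_password)) == site_password:
            return guess
    return None


def derive_stretched(master: str, domain: str, length: int = 16,
                     iterations: int = 200_000) -> str:
    """Hardened variant (added here, not part of PasswordMaker): PBKDF2-HMAC-SHA256
    keyed by the master password with the domain as salt, so every guess costs
    `iterations` HMAC calls, and a longer base64 output instead of 32 bits of hex.
    An offline attack still works in principle; it is just far more expensive."""
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              domain.encode("utf-8"), iterations, dklen=length)
    return base64.b64encode(key).decode("ascii")[:length]


# Constructed sample data (not from the page): a master password that an
# attacker's wordlist happens to contain, as any phrase of dictionary words might.
MASTER = "Password Maker is a Wonderful Program"
GUESSES = ["password", "letmein", "Password Maker is a Wonderful Program", "123456"]


def demo() -> dict:
    """Derive two site passwords, then recover the master from one of them."""
    leaked = passwordmaker_default(MASTER, "jalcorn.net")   # what a breached site would leak
    return {
        "site_pw": leaked,
        "other_site_pw": passwordmaker_default(MASTER, "microsoft.com"),
        "recovered": recover_master(leaked, "jalcorn.net", GUESSES),
        "stretched": derive_stretched(MASTER, "jalcorn.net"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The attack loop is nothing more than the derivation run in a loop; that is the point. Any scheme whose site passwords are a cheap, unsalted function of the master is only as strong as the master password's resistance to guessing.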
I highly recommend the use of this utility to generate unique passwords for every website.
JaBbA says do more than check it out - install it, use it.
Wednesday, May 4. 2005
NY AG indicts Spyware company
From the SANS Newsbites, some good news for once:
New York state Attorney General Eliot Spitzer has filed a lawsuit against Intermix Media Inc. for allegedly installing spyware and adware on people's computers without their knowledge. According to the lawsuit, New York residents downloaded 3.7 million programs, including games and screen savers, from Intermix web sites, but they were not properly notified that the downloads also contained spyware and adware. Intermix senior VP and general counsel Christopher Lipp said such practices are part of Intermix's past, and were established under prior leadership and that the company has ceased distributing the programs in question of its own volition in April 2005. The lawsuit follows a six-month investigation.
This will set precedent for all future spyware prosecution, so it's important they get this right.
Friday, December 10. 2004
Who's protecting your identity?
Apparently, prisoners in Oregon are more clueful than the people running the prisons:
Here's another twist on identity theft: They're doing it from behind bars. Until recently, visitors to the Oregon State Penitentiary had to give prison officials their Social Security numbers and other information for background checks, but now it appears inmates gained access to the info and sold it. The state Department of Corrections has placed at least two inmates in disciplinary segregation and continues to look for more, and little birds say inmate clubs have been shut down after visitors' personal information was found in their offices. So far, the known civilian victims include volunteers from North Portland's Overstreet Powerhouse Temple who were doing Bible outreach inside the prison. Not only that, but the union representing corrections officers at the prisons, AFSCME, says three of its members have also been victimized; the union is pushing legislation to combat the problem.
Here's a simple rule. Don't store information if you can't secure it.