Friday, September 15. 2006
Schneier: What the Terrorists Want
Bruce Schneier is one of the world's leading experts on security, the founder of Counterpane Security, and the author of some of my favorite security books: Practical Cryptography, Secrets and Lies and, most recently, Beyond Fear. He is also someone I have had multiple opportunities to sit down with and talk about the state of security, both digital and real-world.
He has long made the point that our government and media are giving the terrorists exactly what they want by engaging in "security theatre", which has no real effect on safety. He spells it out again in his newest essay, What the Terrorists Want.
It's time we calm down and fight terror with anti-terror. This does not mean that we simply roll over and accept terrorism. There are things our government can and should do to fight terrorism, most of them involving intelligence and investigation -- and not focusing on specific plots.
But our job is to remain steadfast in the face of terror, to refuse to be terrorized. Our job is to not panic every time two Muslims stand together checking their watches. There are approximately 1 billion Muslims in the world, a large percentage of them not Arab, and about 320 million Arabs in the Middle East, the overwhelming majority of them not terrorists. Our job is to think critically and rationally, and to ignore the cacophony of other interests trying to use terrorism to advance political careers or increase a television show's viewership.
The surest defense against terrorism is to refuse to be terrorized. Our job is to recognize that terrorism is just one of the risks we face, and not a particularly common one at that. And our job is to fight those politicians who use fear as an excuse to take away our liberties and promote security theater that wastes money and doesn't make us any safer.
Ever since Reagan declared a "War on Drugs" we have gotten used to thinking about this as a war - and, of course, Bush just loves to think about his legacy as a "War President". But the Clinton administration had it right - these people aren't an army, they're a criminal conspiracy, and it is criminal investigation and intelligence work that will finally stop them.
JaBbA says check it out.
Friday, August 11. 2006
ATM Weirdness
I stopped by the ATM today on my way home from work. Put my card in the slot and was about to type in my password when I saw something that brought me up short:

(Thanks, Diebold, for switching to Windows...)
I was able to click on the start button, bring up the control panel...and I stopped there. I'm not stupid enough to be messing with an ATM.
I went into the bank and reported it. My guess is the Windows patches were rolled out - probably a reboot would fix it. But you never know.
ANY time you see ANYTHING out of the ordinary on a computer, STOP AND THINK! And if you notice any ATM weirdness this week, leave a comment here...
JaBbA says let's be careful out there.
DHS recommends immediate patching of Windows
The Department of Homeland Security has issued a warning that all users should apply the new Microsoft patches immediately, especially the one for MS06-040, a vulnerability that can be exploited with no user intervention.
Friday, July 7. 2006
Be prepared
Is apparently the Red Cross motto, too.
In a story that sounds like any number of other recent incidents, a laptop computer containing the personal information of thousands of blood donors was stolen from a Texas Red Cross office.
But the Red Cross took the necessary precautions. The data was encrypted. And while I'm sure that sometimes people grumbled about how it was more difficult to handle encrypted data, they are now breathing a sigh of relief that the data is safe.
It's too bad that this is the exceptional story, rather than the norm. My organization has a few hundred mobile computers in the field - and we lose about 6 every year. If one were stolen for industrial espionage instead of a quick fence, we'd never know it. But since all the data on the mobiles is encrypted, we don't have to worry about it.
JaBbA says encrypt your data!
Study says voting machines hackable
A study released last week by the Brennan Center Task Force on Voting System Security concluded that the nation's most commonly purchased voting machines are vulnerable to software attacks. From c|net:
Rep. Rush Holt, a New Jersey Democrat who has introduced legislation to upgrade security for electronic voting machines, arranged to attend a news conference on Capitol Hill on Tuesday where the report was to be released.
Holt's bill has 192 cosponsors, most of them fellow Democrats, an aide said. He introduced the bill last year and it remained unclear whether Congress would enact it into law.
The measure would require all voting machines to produce a paper record voters could inspect to check the accuracy of their votes and election officials could use to verify votes in the event of a computer malfunction or other irregularity.
"Anything of value should be auditable," Holt said. "Votes are valuable, and each voter should have the knowledge and the confidence that his or her vote was recorded and counted as intended."
When discussing voting machines, I'm often asked if I trust ATM machines, because people equate ATMs and voting machines. The answer is no, I don't completely trust ATMs - but I do trust the auditing process at the banks and I check the records. Every transaction shows up the next day on a website, in my Quicken software, and on a paper copy at the end of the month. So I use ATMs because it's verifiable and documented. Same with web transactions, Paypal, Amazon, etc...
If there's something wrong with a banking transaction, I can challenge it and get my money back. My vote is no less valuable. When voting machines are verifiable, auditable and documented then I'll trust them. Until then, I'm voting absentee.
Thursday, June 29. 2006
Good news, bad news
The good news: The laptop containing the private VA records of 26 million veterans has been recovered, and it appears that the thief never got access to the data.
The bad news: This was not a matter of an employee violating policy. Someone gave this guy permission to take a laptop full of private information home. Clearly, government entities haven't gotten the message that identity information protection is critically important. And if the government doesn't get it, neither does private industry.
Newly discovered documents show that the VA analyst blamed for losing the laptop had received permission in 2002 to work on data that included millions of Social Security numbers on a laptop from home.
"From the start, the VA has acted as if the theft was a PR problem that had to be managed, not fully confronted," said Rep. Bob Filner, D-Calif. "They're trying to pin it on this one guy, but I think it's other people we need to be looking at."
Tuesday, June 27. 2006
Is this a surprise to anyone?
This came through on the SANS newswatch of security issues. From Computerworld:
Florida voter registration data can be vulnerable to theft, corruption, unauthorized access and alteration, despite the best efforts of elections officials, indicated a report by the Florida auditor general.
Do you still think the last few elections have been open and honest? Do you?
Monday, June 19. 2006
Paypal address bar hack on Firefox
Netcraft identified the site as a phish.
I'd like to see what this does to IE but I don't have a virtual machine right now and don't want to allow the site to hack my real machine.
JaBbA says DON'T Check it out!
Friday, June 16. 2006
A 419 traps a Bank Manager
I haven't written about 419 schemes in a long time. They're very old and I see them constantly - I've become sufficiently inured to them that it takes something quite extraordinary to get me to notice.
So it was quite a surprise that a Canadian bank manager fell for one so badly that he advised a customer that the windfall she had received was legitimate - and it cost her $40,000 CAD.
To be sure, this one was targeted, via cell phone and involved some serious identity information leaks. But a financial professional should know that these cash-up-front schemes are criminal.
JaBbA says check it out, and learn from it.
If you aren't doing anything wrong...
Bruce Schneier has published an article succinctly stating the case for why privacy rights are so important:
The most common retort against privacy advocates -- by those in favor of ID checks, cameras, databases, data mining and other wholesale surveillance measures -- is this line: "If you aren't doing anything wrong, what do you have to hide?"
Some clever answers: "If I'm not doing anything wrong, then you have no cause to watch me." "Because the government gets to define what's wrong, and they keep changing the definition." "Because you might do something wrong with my information." My problem with quips like these -- as right as they are -- is that they accept the premise that privacy is about hiding a wrong. It's not. Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect.
JaBbA says check it out.
Tuesday, May 2. 2006
The Egg Analogy
I was forwarded another email with another dumb idea - that somehow if we buy only half the gas we usually do each time it will "back up" the system and cause prices to fall.
I actually didn't find it on snopes (I submitted it), but it is on BreakTheChain.org and other places. I won't repeat it here, but the email goes into this long explanation on how a farmer caused eggs to come down in price by buying 2 eggs a day instead of a dozen a week.
This one is dumber than most, simply because of the obvious fact - if you buy only half the gas, you'll have to make twice as many trips to the gas station. Unless, of course, you also cut your driving in half! Since most people spend money on coffee, gum and snacks while they're filling their cars, the gas stations would LOVE it if you made twice as many trips.
The only way to make prices fall is to use less gas.
Or get the Republican Oil Machine out of office.
Thursday, April 20. 2006
how fast will they use it?
Tuesday, April 18. 2006
APWG Meeting
I'm in Chicago for the Anti Phishing Working Group (APWG) Spring meeting. I'm speaking on a panel entitled Moving Toward A Tipping Point in Email Authentication: Arbitrating the Remediation of a Global Application. We'll be discussing how to get some email authentication method for anti-spam and anti-phishing to be adopted by the Internet.
JaBbA's gone big time.
Friday, April 14. 2006
Boycott Gasoline? Again?
This one's been circulating for years, but with gas prices the way they are, it's really starting to heat up. Unfortunately, it's completely bogus, just like every other "Send this to everyone you know" email. (edited for brevity)
GAS WAR - an idea that WILL work
This was originally sent by a retired Coca Cola executive. It came from one of his engineer buddies who retired from Halliburton. It's worth your consideration.
...
Phillip Hollsworth offered this good idea. This makes MUCH MORE SENSE than the "don't buy gas on a certain day" campaign that was going around last April or May! The oil companies just laughed at that because they knew we wouldn't continue to "hurt" ourselves by refusing to buy gas. It was more of an inconvenience to us than it was a problem for them. BUT, whoever thought of this idea has come up with a plan that can really work. Please read on and join with us!
...
I am sending this note to 30 people. If each of us sends it to at least ten more (30 x 10 = 300) ... and those 300 send it to at least ten more (300 x 10 = 3,000) ... and so on, by the time the message reaches the sixth group of people, we will have reached over THREE MILLION consumers.
....
If this makes sense to you, please pass this message on. I suggest that we not buy from EXXON/MOBIL UNTIL THEY LOWER THEIR PRICES TO THE $1.30 RANGE AND KEEP THEM DOWN. THIS CAN REALLY WORK.
Please Forward on and Re-Post! Can't hurt to try.
Remember, check Snopes. They usually have the straight scoop. In this case:
Economics Prof. Pat Welch of St. Louis University says any boycott of "bad guy" gasoline in favor of "good guy" brands would have some unintended (and unhappy) results.
. . . Welch says the law of supply and demand is set in stone. "To meet the sudden demand," he says, "the good guys would have to buy gasoline wholesale from the bad guys, who are suddenly stuck with unwanted gasoline."
So motorists would end up . . . paying more for it, because they'd be buying it at fewer stations.
And yes, oil companies do buy and sell from one another. Mike Right of AAA Missouri says, "If a company has a station that can be served more economically by a competitor's refinery, they'll do it."
Right adds, "In some cases, gasoline retailers have no refinery at all. Some convenience-store chains sell a lot of gasoline — and buy it all from somebody else's refinery."
Tuesday, March 28. 2006
Opting Out
After doing some research, I'm going to try to see if OptOutPrescreen.com really works. It's not a phishing scam, it's a legitimate site run by the credit bureaus. It asks for a lot of info, but of course, they already have that info. The Privacy Policy gave me a little pause (see extended entry) but it really doesn't give them any more rights to your info than they already have.
I'll try to track just how many "pre-approved" offers I get over the coming months - word is this will take about 2 months. Then we'll see if this really works.