Tuesday, May 31, 2005

Diebold Optical Scan Vote Counters also manipulation-prone

According to a report by BlackBoxVoting, the widely-used Diebold version 1.94 opti-scan system is shockingly easy to manipulate. There are so many flabbergasting findings in this report that I cannot do them justice in a summary, and urge you to read the whole report.

Tallahassee, FL: "Are we having fun yet?"

This is the message that appeared in the window of a county optical scan machine, startling Leon County Information Systems Officer Thomas James. Visibly shaken, he immediately turned the machine off.

Diebold's opti-scan (paper ballot) voting system uses a curious memory card design, offering penetration by a lone programmer such that standard canvassing procedures cannot detect election manipulation.

The Diebold optical scan system was used in about 800 jurisdictions in 2004. Among them were several hotbeds of controversy: Volusia County (FL); King County (WA); and the New Hampshire primary election, where machine results differed markedly from hand-counted localities...

The testing demonstrated, using the actual voting system used in a real elections office, that Diebold programmers developed a system that sacrifices security in favor of dangerously flexible programming, violating FEC standards and calling the actions of ITA testing labs and certifiers into question...

None of the attacks left any telltale marks, rendering all audits and logs useless, except for hand-counting all the paper ballots.

For example, Election Supervisor Ion Sancho was unable to tell, at first, whether the poll tape printed with manipulated results was the real thing. Only the message at the end of the tape, which read "Is this real? Or is it Memorex?" identified the tape as a tampered version of results.

In another test, Congresswoman Corrine Brown (FL-Dem) was shocked to see the impact of a trojan implanted by Dr. Herbert Thompson. She asked if the program could be manipulated in such a way as to flip every fifth vote.

"No problem," Dr. Thompson replied.

"It IS a problem. It's a PROBLEM!" exclaimed Brown, whose district includes the troubled Volusia County, along with Duval County -- both currently using the Diebold opti-scan system.
Thanks to pointers from The Importance of... and Freedom to Tinker Dashlog.



The ChoicePoint Syndrome

In a post to RISKS DIGEST, Robert Ellis Smith collects recently reported wholesale privacy breaches.

To appreciate THE CUMULATIVE EFFECT, Privacy Journal newsletter in its May issue compiled the following list of breaches of sensitive personal information, disclosed just since January. It's not an atypical list for a three-month period, but breaches are obviously getting more press attention...

*** A free copy of the current issue of Privacy Journal is available through orders@privacyjournal.net. Specify e-mail copy or hard copy (and include a mailing address).



Friday, May 27, 2005

Patent Pending

Robert E. Filman has published (in Internet Computing) a brief and very readable overview of laws involving patents, copyright, trademarks, trade secrets, and other "intellectual property," and how they got to be the way they are.
The critical thing to keep in mind about this issue is that IP is a social fiction. (Property is itself a social fiction, but that's another column.) The Schiavo case was about life and death (and the nature of both), and whether or not you believe in posting the Decalogue in every courtroom, there is considerable ethical unanimity that (with varying exceptions) killing people is a bad idea. However, while the commandments prohibited stealing, the text is more cleanly understood as prohibiting the theft of physical property, such as asses and wives, than more abstract things, like copyrights and patents.

The notion of IP is one that has evolved, as opposed to being obvious. For example, society doesn't recognize every intellectual invention as worthy of legal ownership -- you can invent a scrumptious recipe, and I can freely cook the same dish. Similarly, we don't accord ownership of IP the same unequivocal status as physical property: If you buy a physical book, you and the closure of your inheritors own that book into the indefinite future, but if you've written anything besides Peter Pan, you and your inheritors will eventually lose your ownership.



Thursday, May 26, 2005

GAO Report on Cyber-Security

The Government Accountability Office has prepared a report to Congress on progress and limitations of the Department of Homeland Security's efforts in cyber critical infrastructure protection and national information security.

Results in brief [emphasis mine]:
As the focal point for critical infrastructure protection, DHS has many cybersecurity-related roles and responsibilities that are called for in law and policy. These responsibilities include developing plans, building partnerships, and improving information sharing, as well as implementing activities related to the five priorities in the national cyberspace strategy:
(1) developing and enhancing national cyber analysis and warning,
(2) reducing cyberspace threats and vulnerabilities,
(3) promoting awareness of and training in security issues,
(4) securing governments’ cyberspace, and
(5) strengthening national security and international cyberspace security cooperation.
To fulfill its cybersecurity role, in June 2003, DHS established the National Cyber Security Division to serve as a national focal point for addressing cybersecurity and coordinating the implementation of cybersecurity efforts.

While DHS has initiated multiple efforts, it has not fully addressed any of the 13 key cybersecurity-related responsibilities that we identified in federal law and policy, and it has much work ahead in order to be able to fully address them. For example, DHS
(1) has recently issued the Interim National Infrastructure Protection Plan, which includes cybersecurity elements;
(2) operates the United States Computer Emergency Readiness Team to address the need for a national analysis and warning capability; and
(3) has established forums to foster information sharing among federal officials with information security responsibilities and among various law enforcement entities.
However, DHS has not yet developed national threat and vulnerability assessments or developed and exercised government and government/industry contingency recovery plans for cybersecurity, including a plan for recovering key Internet functions. Further, DHS continues to have difficulties in developing partnerships—as called for in federal policy—with other federal agencies, state and local governments, and the private sector.

DHS faces a number of challenges that have impeded its ability to fulfill its cyber CIP responsibilities. Key challenges include achieving organizational stability; gaining organizational authority; overcoming hiring and contracting issues; increasing awareness about cybersecurity roles and capabilities; establishing effective partnerships with stakeholders (other federal agencies, state and local governments, and the private sector); achieving two-way information sharing with these stakeholders; and demonstrating the value DHS can provide. In its strategic plan for cybersecurity, DHS has identified steps that can begin to address these challenges.

However, until it effectively confronts and resolves these underlying challenges, DHS will have difficulty achieving significant results in strengthening the cybersecurity of our nation’s critical infrastructures, and our nation will lack the strong cybersecurity focal point envisioned in federal law and policy.

We are making recommendations to the Secretary of Homeland Security to strengthen the department’s ability to implement key cybersecurity responsibilities by completing critical activities and resolving underlying challenges...

DHS agreed that strengthening cybersecurity is central to protecting the nation’s critical infrastructures and that much remains to be done. In addition, DHS concurred with our recommendation to engage stakeholders in prioritizing its key cybersecurity responsibilities. However, DHS did not concur with our recommendations to identify and prioritize initiatives to address the challenges it faces, or to establish performance metrics and milestones for these initiatives...

For example, the strategic plan for cybersecurity does not include initiatives to help stabilize and build authority for the organization. Further, the strategic plan does not identify the relative priority of its initiatives and does not consistently identify performance measures for completing its initiatives.

As DHS moves forward in identifying initiatives to address the underlying challenges it faces, it will be important to establish performance measures and milestones for fulfilling these initiatives.
See also Brian Krebs' report in the Washington Post.



Organ donation is better!

The headline of a San Francisco Chronicle article had me going:

Alzheimer Victim Sold 11 Organs

Not quite in the league with the classics of the Columbia Journalism Review regular feature "the lower case," such as

Squad helps dog bite victim

Red Tape Holds up Bridge

but momentarily disorienting.



Wednesday, May 25, 2005

"Emergent Chaos" on fraud-by-impersonation

A good post by Adam Shostack. Here's a small excerpt:

The trickle of breach announcements that started with Choicepoint has grown to a stream. Soon, it will be a deluge, and it will change many things.

First, it will change the way credit is granted. Today, with a name and social security number, I may be able to get credit. If I add to that an address, phone number, or date of birth, I'm set. Some enterprising lawyer is going to look at the number of news articles around the fraud, the number of people whose personal information has leaked, and find a court that will agree that using only data that's been leaked like that is careless, and that the costs need to be shifted from the consumer onto the bank.

What will replace it will likely be a scoring based system, based on odds that you are you. Some people will suggest that a national ID card would help here, but they're wrong. Any single factor that is used to loan money will be attacked, because that's where the money is.



House Armed Services Committee on the decline of DOD research

Committee markup of FY2006 appropriation bill.

American Institute of Physics commentary.

The committee regards defense science and technology investments as critical to maintaining U.S. military technological superiority in the face of growing and changing threats to U.S. national security interests around the world. The budget request is $2.2 billion (or 24 percent) less than the $13.1 billion provided for fiscal year 2005 and is approximately $28.0 million less than the fiscal year 2005 request ($240.0 million less when adjusted for inflation). The committee notes that the budget request is 2.5 percent of the total defense budget request (compared to 2.6 percent of the request in fiscal year 2005) and does not meet the goal of 3 percent established by the 2001 Quadrennial Defense Review...

The committee is deeply concerned about sustaining and maintaining DOD science and technology infrastructure, about the projected loss to the defense science and engineering work force over the next ten years of an estimated 13,000 scientists, mathematicians, engineers, and technicians, and about the actions necessary to enable the Department to recruit and maintain a skilled and trained defense science and engineering work force...

Despite the positive aspects of DOD's science and technology program, the committee is concerned about long-term projections for reductions in DOD science and technology as a percentage of total obligation authority, and in short-term trends in the science and technology accounts of some of the military departments and defense agencies. The committee cannot emphasize too strongly the need for the Department to maintain a strong and robustly funded science and technology program that will provide the advanced technologies needed to assure technical dominance of our armed forces on any current or future battlefield.



FBI Says Past Failure Guides New Attempt to Modernize Computers

A news article by Bloomberg reports on the launching of a second try:

Of the $170 million the FBI spent on the project it abandoned in April, about $105 million was lost on services and equipment that can't be reused, FBI Director Robert Mueller told a Senate appropriations subcommittee in February. Yesterday, he told the same subcommittee that the bureau would avoid repeating its mistakes in its next effort, dubbed "Sentinel."

The failed project, called "Virtual Case File," was vaguely defined at the start, changed on the fly after the Sept. 11 attacks, didn't have stable oversight by the FBI and suffered from misunderstandings between the bureau and Science Applications, according to statements by leaders of both organizations and reports by analysts...

Sim and other experts who studied the costly failure said the FBI neglected to define requirements at the project's inception, then failed to guard against what FBI Chief Information Officer Zal Azmi called "runaway scope."
Now, if they can just avoid the Second-System Effect...



LexisNexis Security. NOT!

A report in Wired indicates that it did not require much skill to steal 310,000 personal identity files from Lexis/Nexis.

"You start looking at an account that's been logged into 500 times and generated 9,000 reports, for example, that's a lot of information (to examine)," Sibley said. "I'm just saying it's not one group that's compromised LexisNexis. Their security is really bad. This isn't a situation where you're talking about needing an überhacker to compromise (the system). Their passwords weren't as secure as your average porn site. I think it didn't take a genius to break them. Although I think the way the hackers did it was creative. We'll give them style points."



A Matter of Public Record

A Washington Post article about one tactic to raise attention to the enormous amount of what people think of as private, personally identifying information that is easily available to anyone with access to the Internet.

Betty (but call her BJ) Ostergren, a feisty 56-year-old from just north of Richmond, is driven to make important people angry. She puts their Social Security numbers on her Web site, or links to where they can be found...

Her formula is simple: Target a county, locate personal data on hundreds of residents, send them letters telling them how much of their personal information is or might be exposed online, and urge them to pressure their local officials.
Of course, the horse is long gone from this barn, but an amazing number of organizations are identity theft enablers, acting as though knowing some subset of name, address, telephone number, Social Security Number, and mother's maiden name proves that you are who you say you are.



Monday, May 23, 2005

Hacking the American Power Grid

Part 1, Part 2, and Part 3 of an article in Red Herring explain why "Security experts warn it wouldn’t be hard for a cyberpunk or terrorist to turn off the lights in a large portion of the U.S."

The U.S. power grid, with its billions of dollars worth of electrical lines, switching stations, and electrical generators, is like a big shiny toy for computer hackers.

Imagine the attraction to a teenage computer nerd of flipping the light switch to the Northeast corridor when he doesn’t have a date for the prom. This attractive nuisance has Washington spooked and is developing into an opportunity for startup security companies.

Power companies rely on a complex relay of information between delivery stations to regulate electrical flow. They send commands back to these stations to control the voltage and amperage allowed to flow to consumers. It is a network, just like the Internet. And just like the Internet, it is subject to attack.

"Just thinking about it makes me feel almost sick," said Justin Bingham, a security expert and CTO of software startup Intrusic. "This is stuff I can’t live without. It isn’t some internal database someplace."

Grid operators monitor and control the flow of electricity via computer networks called Supervisory Control and Data Acquisition (SCADA) systems. These systems once operated in a vacuum using language that only experts understood. The power companies and the government thought they were safe.

But several new developments have made SCADA systems vulnerable. When power companies hook their business computers to the Internet, and then plug the business computers to the SCADA computers, critical systems can be exposed to viruses and worms.

Standard software doesn’t help, either. Power companies used to buy their control systems from a series of disparate vendors. A hacker could expect to run into at least five different types of computer networks and would have to know many different communications protocols.

Industry consolidation has led to standardization on one or two well-known systems with well-researched security holes. Hacking one system takes less expertise than hacking seven.



Ho, Hum. Another personal data theft

An article in the Wall Street Journal reports MCI as the latest culprit. As long as the consequences for the custodian of the information are small, we can expect a continuing stream of such data protection lapses. And it's kind of hard to totally opt out of the economy.

A laptop containing the names and Social Security numbers of about 16,500 current and former employees of MCI Inc. was stolen in Colorado Springs last month, marking the latest in a string of incidents in which companies have lost control of customer or employee information.

The computer was stolen from a car that was parked in the garage at the home of an MCI financial analyst. An MCI spokeswoman said that the laptop was password protected but declined to say whether the employee information was encrypted. She also declined to say whether the employee, who wasn't identified, was authorized to carry such information on a laptop.



Sunday, May 22, 2005

Cultural roots of personal computing

John Markoff has written a wonderful book about the cultural roots of the personal computing revolution, What the Dormouse Said.

I don't agree with everything in the book, but "I was there" for some of the formative period, and I know a lot of the people who show up in the book, and John largely gets it right. I learned more that I didn't know about people I did know than from any book I can recall. And I definitely agree with John's main thesis, that a revolution is shaped by, and needs to be understood in terms of, the culture(s) in which it is rooted.

However, there are two points on which the book failed to convince me:

First, and I admit that I am biased by my participation, I think John over-rates the influence of the Homebrew Computing Club and the Personal Computer Company relative to Xerox's Palo Alto Research Center (PARC). Most of those he mentions who shaped the emerging PC industry (with the notable exception of Jobs and Woz) came from PARC (or SRI), with little or no involvement in Homebrew and PCC. And the hundreds of Altos were enormously influential, not just in Xerox, but also in the White House and in several leading universities. Of all the cultures John describes, he does least well at describing that of PARC. Perhaps he thinks that's already been done adequately elsewhere, or perhaps it's a symptom of not accepting its importance.

Second, I think that the technologies developed at SRI and PARC had a much stronger influence on the PC revolution than psychedelics and other aspects of the counter-culture. Networking was critical to all that followed, as were graphical user interfaces, ubiquity, laser printing, etc.

I can think of four killer apps that have brought us to the present state:
1) Spread sheets. Credit to neither side. Neither culture was much interested in budgets. PARC's machines were certainly powerful enough, had anybody thought it was interesting, but Homebrew's computers were not.
2) Desktop publishing. Despite the PCC incidents described, I think desktop publishing was mostly driven by PARC, with bitmap displays, WYSIWYG editors, device-independent document descriptions (later PostScript), laser printing, etc.
3) Email. PARC developed the first email system (Grapevine) where addresses referenced domains, rather than machines, and you could read your email from any machine.
4) The Web. Credit to Engelbart (see also), Nelson, and van Dam, not Homebrew and PCC.

In hindsight, the critical aspects of the PARC environment were that it was network-centric (everything was connected to everything else), ubiquitous (you could use any Alto in any office as your personal machine and they were everywhere), and had high-bandwidth user interaction. (One of Bob Taylor's key insights was that the eye is the fastest way to get information into the brain.) But most critical was that it was the machines that served the people, not vice versa. When I started there, I used to feel guilty when I let my Alto sit idle! And as Don Knuth said, "The best thing about the Alto is that it doesn't run faster at night."

But read the book and decide for yourself.



Friday, May 20, 2005

41 Groups Oppose Homeland Security's Weak Privacy Rules

A coalition of 41 groups, including Electronic Privacy Information Center, American Civil Liberties Union, Council On American-Islamic Relations, and People For The American Way, submitted comments opposing the Department of Homeland Security's plan to exempt a vast database from legal requirements that protect privacy and promote government accountability. The coalition stated that the agency's plan leaves individuals without the ability to correct inaccurate information and without protection against possible abuse of the database.

According to DHS, the Homeland Security Operations Center Database ("HSOCD") will serve as "a single, centralized repository for gathered information." The agency seeks broad exemptions from key fair information principles such as the Privacy Act of 1974 requirements that an individual be permitted access to personal information, that an individual be permitted to correct and amend personal information, and that an agency assure the reliability of personal information for its intended use. These exemptions would allow DHS to track and profile individuals, including American citizens who seek to aid homeland security investigations, with little accountability.

For this database, DHS proposes to deny individuals the civil remedies they have against an agency for failure to comply with its obligations under the Privacy Act. Providing individuals with the right to judicial review is crucial because the new database will have information not only about suspected criminals, but also about people who offer information about terrorism, as well as current and former DHS employees and contractors. Though the Privacy Act requires an agency to provide reasons why the database should be exempted, DHS has not yet provided an explanation.

Full details.



The first good news for computing researchers in the FY 2006 appropriations cycle

Peter Harsha, in a CRA blog posting, notes that the House Appropriations Committee has budgeted significantly more than the Administration requested.

"The Committee recommendation is $246,055,000, an increase of $39,000,000 over the budget request. The additional $39,000,000 is provided to support the Office of Science initiative to develop the hardware, software, and applied mathematics necessary for a leadership-class supercomputer to meet scientific computation needs."

The Senate has yet to act, but the tea leaves look promising...



Thursday, May 19, 2005

Bill Moyers' speech to the National Conference for Media Reform

This is rather long, but worth reading in its entirety.

"... I want to tell you about another fight we’re in today. The story I’ve come to share with you goes to the core of our belief that the quality of democracy and the quality of journalism are deeply entwined. I can tell this story because I’ve been living it. It’s been in the news this week, including reports of more attacks on a single journalist — yours truly — by the right-wing media and their allies at the Corporation for Public Broadcasting.
As some of you know, CPB was established almost 40 years ago to set broad policy for public broadcasting and to be a firewall between political influence and program content. What some on this board are now doing today — led by its chairman, Kenneth Tomlinson — is too important, too disturbing and yes, even too dangerous for a gathering like this not to address.
We’re seeing unfold a contemporary example of the age-old ambition of power and ideology to squelch and punish journalists who tell the stories that make princes and priests uncomfortable..."



Searches, Arrests in Lexis/Nexis, Paris Hilton thefts

A story in the Washington Post by Brian Krebs reports on a law-enforcement response to the widely-publicized information thefts, and includes information on how they were accomplished.

"The LexisNexis break-in was set in motion by a blast of junk e-mail. Sometime in February a small group of hackers, many of whom only knew each other through online communications, sent out hundreds of e-mails with a message urging recipients to open an attached file to view pornographic child images. The attachments had nothing to do with child porn; rather, the files harbored a virus that allowed the group's members to record anything a recipient typed on his or her computer keyboard.
According to the teenage source, a police officer in Florida was among those who opened the infected e-mail message. Not long after his computer was infected with the keystroke-capturing virus, the officer logged on to his police department's account at Accurint, a LexisNexis service provided by Florida-based subsidiary Seisint Inc., which sells access to consumer data. Other officers' login information may have been similarly stolen, the law enforcement source said...
Millions of consumers have been exposed to potential identity theft in 14 major breaches in the past year at various brokers, universities, banks and other institutions. In February, ChoicePoint Inc. said fraud artists had posed as Los Angeles businessmen to access personal information about at least 145,000 people."



Wednesday, May 18, 2005

Another Massive Personal Information Theft

[Update: COMPUTERWORLD now puts the figure at 676,000.]

According to an article in COMPUTERWORLD by Todd R. Weiss, another personal data theft has been disclosed, this one involving more than a half-million people.

It seems that your personally identifying data isn't safe anywhere anymore. Be afraid. Be very afraid. (And tell your Congresscritter.)

"Electronic account records for some 500,000 banking customers at four different banks were allegedly stolen and sold to collection agencies in a data theft case that has so far led to criminal charges against nine people, including seven former bank employees. Hackensack Police are continuing their investigation into the theft by a crime ring that apparently accessed the data illegally through the former bank employees. Hackensack police Det. Capt. Frank Lomia said the investigation into the crime ring is still under way.
'This thing's getting bigger and bigger,' Lomia said. 'It's still growing. The banks are uncovering more accounts than we knew about.' "

"Police allege that Lembo used his home as an office for DRL Associates and that he had hired several upper level bank employees to access data, including names, account numbers and balances, from the banks... The ring had operated for more than four years, with Lembo's profits reaching several million dollars, police said."

Recent posts:
More Identity Theft Scams
Email scam targets White House workers
The Five Most Shocking Things About the ChoicePoint Debacle
Phishing figures show rise in Trojans
Goodbye to Privacy

And don't forget:
"You have zero privacy, anyway. Get over it."
--Scott McNealy



Cybersecurity Still Not a Priority

Peter Harsha's post in the CRA blog analyzes the House-approved budget for the Department of Homeland Security, and finds it wanting in the area of cybersecurity.

"Despite a $213 million increase to the Department of Homeland Security's Science and Technology Directorate in FY 2006 and a report from a presidential advisory committee noting the dangerous lack of support for cyber security research at DHS, the House approved a cut to cyber security research activities at the agency as part of the FY 2006 Homeland Security appropriations bill. The House approved the President's request of $16.7 million for cyber security research in FY 2006, a decrease of $1.3 million from the FY 2005 enacted level... There will be a couple of opportunities to address the cut to cyber security research as the bill moves through the appropriations process. The Senate has yet to act on its version of the bill."

In the classic "pay (a little) now, or pay (a lot) later" trade-off, the US still seems to be opting for the latter.



Tuesday, May 17, 2005

More Identity Theft Scams

An article in the Wall Street Journal discusses "Evil Twins" and "Pharming."

"Many consumers have grown savvy to 'phishing' scams, which use fake emails that appear to come from banks or other businesses to con recipients into supplying personal data over the Web. So fraudsters have come up with new tricks to steal identities online that are even harder to detect...
Evil twins are wireless networks that pretend to offer trusty Wi-Fi connections to the Internet like those available at some coffee shops, hotels and conferences. On a laptop screen, an evil-twin Wi-Fi hotspot can look identical to one of the tens of thousands of legitimate public networks that consumers log on to every day, sometimes even copying the sign-in page. But that's just a front, and fraudsters who set up the connections attempt to capture any passwords or credit-card numbers that consumers using the link may type.
In pharming, thieves redirect a consumer to an imposter Web page even when the individual types the correct address into his browser. They can do this by changing -- or 'poisoning' -- some of the address information that Internet service providers store to speed up Web browsing. Some ISPs and companies have a software bug on their computer servers that lets fraudsters hack in and change those addresses... Pharming victims type the legitimate address in their Web browsers and end up at phony sites anyway...
'All of the burden rests with the user, who's probably the least able to fix these things or recognize them,' says Mr. Ullrich."



Monday, May 16, 2005

Getting R&D Back on Track

An editorial in Chief Executive joins the chorus.
Increasingly, U.S. researchers in industry, academia and government are playing it safe. The kind of freewheeling basic research that spawned new industries—from genetic engineering and the integrated circuit to wireless telephony and e-commerce—is in serious decline.

Industrial basic research has failed to demonstrate a return on investment that satisfies the ravenous appetite of Wall Street for quarterly earnings growth. So companies have increasingly directed capital to applied research and development, rather than basic invention and innovation.

This is no secret. But what is less well known is that university basic research has withered in many important fields, especially in the physical and information sciences, and engineering. The federal budget deficit is likely to stagnate recent growth in funding medical research.

In short, we are losing our collective will to fund basic science. When the visible fruits of these investments may not pay off for 20 years or more, we tend to forget why we need to make these investments in the first place. These days, shareholders keep stock only about eight months. Is it any wonder that investors have no interest in backing basic research for the long term?



Sunday, May 15, 2005

Arizona Man Steals Bush's Identity

A spoof post by the ONION satirizes a very real problem.

"This is incredibly frustrating," Bush told reporters Tuesday. "Not only does this guy have my credit-card information, he has my Social Security number, all my personal information, and the launch codes for a number of ballistic intercontinental nuclear missiles. I almost don't want to think about it."

"I feel so violated," Bush added.

Bush said he has canceled his credit cards and changed the national-security codes, but he labeled the process a "total nightmare."

"It's a huge ordeal," Bush said. "Everything will be straightened out eventually, but my credit rating and political capital are down the tubes. I asked the FBI, and they aren't even sure how long this guy's had my identity. For all I know, he's started up his own oil refinery somewhere in Alaska."



Thursday, May 12, 2005

Need a brothel? Ask Google

An interesting observation from The Register.

"Our recent revelation that Google maps in the UK had redrawn the entire world according to George Bush provoked much merriment among Reg readers. Naturally, some of you then got down to pushing the fledgling system to its absolute limits."

The results for my ZIP code are equally surprising.



Tuesday, May 10, 2005

Email scam targets White House workers

Article in the Washington Post.

"Online scam artists are getting bolder with each passing day. A new e-mail scam is making its rounds online, trying to trick White House employees into handing over their personal and financial data at a fake banking Web site. The scam, which falls into a type of Internet crime called 'phishing,' targets White House employees who bank online with The White House Federal Credit Union, according to an alert published Monday by Websense Security Labs. The White House Federal Credit Union also is used by many lawmakers on Capitol Hill..."

"As always, be very wary of any e-mail requesting your personal information. If you have any doubts, pick up the phone and call the customer service number to get confirmation."
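The advice above can be partly automated on the receiving side. The following added example (not code from the original post or the Washington Post article it quotes) screens a message for the combination the article warns about: a request for personal or financial data together with a link whose real destination does not belong to the sender's institution. The sample messages, addresses and `.example` domains are constructed; the phrase list and the two-label registrable-domain rule are simplifying assumptions.

```python
"""Heuristic screen for credential-phishing e-mail.

Added example, not code from the original post or the Washington Post
article it quotes. It looks for the combination the article warns about:
a request for personal or financial data together with a link whose real
destination does not belong to the institution the mail claims to be from.
Sample messages, sender addresses and domains are constructed; the phrase
list and the two-label domain rule are simplifying assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

DATA_REQUEST_PHRASES = ("password", "social security", "account number",
                        "credit card", "verify your account")
IP_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Approximate the registrable domain as the last two labels (assumption;
    production code should consult the public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def screen(sender, subject, html_body):
    """Return the phishing indicators found; an empty list means none fired."""
    indicators = []
    plain = (subject + " " + re.sub(r"<[^>]+>", " ", html_body)).lower()
    if any(p in plain for p in DATA_REQUEST_PHRASES):
        indicators.append("message asks for personal or financial data")
    sender_domain = registrable(sender.rsplit("@", 1)[-1])
    extractor = LinkExtractor()
    extractor.feed(html_body)
    for href, visible in extractor.links:
        host = urlparse(href).hostname or ""
        if IP_LITERAL.match(host):
            indicators.append(f"link points at a raw IP address: {href}")
        if registrable(host) != sender_domain:
            indicators.append(f"link host {host!r} does not belong to sender domain {sender_domain!r}")
        if LOOKS_LIKE_URL.match(visible):
            # Link text that looks like a URL but resolves elsewhere is a classic lure.
            shown = urlparse(visible if "://" in visible else "//" + visible).hostname or ""
            if registrable(shown) != registrable(host):
                indicators.append(f"link text shows {shown!r} but goes to {host!r}")
    return indicators


# Constructed sample messages (not real mail).
LEGIT = ("service@creditunion.example", "Your statement is ready",
         '<p>Your monthly statement is available. '
         '<a href="https://www.creditunion.example/statements">View your statement</a></p>')
PHISH = ("alerts@cu-security-alerts.example", "Verify your account immediately",
         '<p>Dear member, we could not verify your account. Please visit '
         '<a href="http://203.0.113.5/login">https://www.creditunion.example/login</a> '
         'and confirm your password and Social Security number within 24 hours.</p>')

if __name__ == "__main__":
    for name, msg in (("legit", LEGIT), ("phish", PHISH)):
        print(name, screen(*msg) or ["no indicators"])
```

None of these indicators is conclusive on its own (legitimate mail does sometimes link to a partner domain), which is why the function returns the full list rather than a verdict; the article's fallback, confirming by phone, still applies whenever the list is non-empty.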



Monday, May 09, 2005

US Getting a National ID Card

Bruce Schneier has a good post on why this is a bad idea whose time has come, i.e., it's going to happen.

"The United States is getting a national ID card. The REAL ID Act establishes uniform standards for state driver's licenses, effectively creating a national ID card. It's a bad idea, and is going to make us all less safe. It's also very expensive. And it's all happening without any serious debate in Congress.

"I've already written about national IDs. I've written about the fallacies of identification as a security tool. I'm not going to repeat myself here... A national ID is a lousy security trade-off, and everyone needs to understand why. Aside from those generalities, there are specifics about REAL ID that make for bad security..."

See also USACM's letter to Senator Lamar Alexander (R-TN) on the topic.



Sunday, May 08, 2005

The Climate of Man

If you still have any doubts about the scientific consensus about man-made global warming, or what the US is (not) doing to stave it off, the New Yorker has published a three-part article by Elizabeth Kolbert in its ANNALS OF SCIENCE section. (The article is no longer available through the New Yorker site, but has been published as a book, Field Notes from a Catastrophe.)

In typical New Yorker style, it tells you more than you realized you wanted to know. Here's a small sample:

The National Academy of Sciences undertook its first rigorous study of global warming in 1979. At that point, climate modelling was still in its infancy, and only a few groups, one led by Syukuro Manabe, at the National Oceanic and Atmospheric Administration, and another by James Hansen, at NASA’s Goddard Institute for Space Studies, had considered in any detail the effects of adding carbon dioxide to the atmosphere. Still, the results of their work were alarming enough that President Jimmy Carter called on the Academy to investigate. A nine-member panel was appointed, led by the distinguished meteorologist Jule Charney, of M.I.T.

The Ad Hoc Study Group on Carbon Dioxide and Climate, or the Charney panel, as it became known, met for five days at the National Academy of Sciences’ summer study center, in Woods Hole, Massachusetts. Its conclusions were unequivocal. Panel members had looked for flaws in the modellers’ work but had been unable to find any. 'If carbon dioxide continues to increase, the study group finds no reason to doubt that climate changes will result and no reason to believe that these changes will be negligible,' the scientists wrote. For a doubling of CO2 from pre-industrial levels, they put the likely global temperature rise at between two and a half and eight degrees Fahrenheit. The panel members weren’t sure how long it would take for changes already set in motion to become manifest, mainly because the climate system has a built-in time delay. It could take 'several decades,' they noted. For this reason, what might seem like the most conservative approach—waiting for evidence of warming in order to assess the models’ accuracy—actually amounted to the riskiest possible strategy: 'We may not be given a warning until the CO2 loading is such that an appreciable climate change is inevitable.'

It is now twenty-five years since the Charney panel issued its report, and, in that period, Americans have been alerted to the dangers of global warming so many times that volumes have been written just on the history of efforts to draw attention to the problem. (The National Academy of Sciences alone has issued nearly two hundred reports on global warming; the most recent, 'Radiative Forcing of Climate Change,' was published just last month.) During this same period, worldwide carbon-dioxide emissions have continued to increase, from five billion metric tons a year to seven billion, and the earth’s temperature, much as predicted by Manabe’s and Hansen’s models, has steadily risen. The year 1990 was the warmest year on record until 1991, which was equally hot. Almost every subsequent year has been warmer still. The year 1998 ranks as the hottest year since the instrumental temperature record began, but it is closely followed by 2002 and 2003, which are tied for second; 2001, which is third; and 2004, which is fourth. Since climate is innately changeable, it’s difficult to say when, exactly, in this sequence natural variation could be ruled out as the sole cause. The American Geophysical Union, one of the nation’s largest and most respected scientific organizations, decided in 2003 that the matter had been settled. At the group’s annual meeting that year, it issued a consensus statement declaring, 'Natural influences cannot explain the rapid increase in global near-surface temperatures.' As best as can be determined, the world is now warmer than it has been at any point in the last two millennia, and, if current trends continue, by the end of the century it will likely be hotter than at any point in the last two million years.

In the same way that global warming has gradually ceased to be merely a theory, so, too, its impacts are no longer just hypothetical. Nearly every major glacier in the world is shrinking; those in Glacier National Park are retreating so quickly it has been estimated that they will vanish entirely by 2030. The oceans are becoming not just warmer but more acidic; the difference between day and nighttime temperatures is diminishing; animals are shifting their ranges poleward; and plants are blooming days, and in some cases weeks, earlier than they used to. These are the warning signs that the Charney panel cautioned against waiting for, and while in many parts of the globe they are still subtle enough to be overlooked, in others they can no longer be ignored. As it happens, the most dramatic changes are occurring in those places, like Shishmaref, where the fewest people tend to live. This disproportionate effect of global warming in the far north was also predicted by early climate models, which forecast, in column after column of FORTRAN-generated figures, what today can be measured and observed directly: the Arctic is melting.

Read it and weep.



Friday, May 06, 2005

The Imagination Drain

The Los Angeles Times weighs in with an editorial on US funding of basic research.

"The Pentagon fumble in which military officials essentially published on the Web the full version of a supposedly censored report was news last week. But occurring beneath the news radar is a more fundamental cyber-security problem: the Bush administration's cutting the funding of university-based information technology research by nearly half over the last three years.
Since 1961, the Defense Advanced Research Project Agency, or DARPA, has distributed IT research dollars in largely open-ended grants to universities. The grants encouraged basic research aimed not at marketable innovations but at basic scientific mysteries. DARPA and its investments have paid off handsomely nevertheless.
Its legendary role in developing the Internet as a free-for-all instead of a commercially owned space is widely known. Less so are its militarily and commercially important developments, such as global positioning satellites, the JPEG file format for efficiently storing photographs and Websearching technologies like those later refined by Google."

"Though administration officials say they are calling for a 5.5% increase in the government's total R&D budget for next year, virtually every dollar of that is earmarked for "deliverables" — Pentagon-speak for technologies that can be quickly deployed in a particular military arena.
DARPA was created at the height of Cold War paranoia. It was founded, however, on trust — on a belief that the United States could achieve global leadership only by attracting the best and brightest minds. The new regime typifies a very different philosophy, based less on faith in ideas than on a desire to narrow and ultimately suppress them."



An Endless Frontier Postponed

An excellent editorial by Ed Lazowska and Dave Patterson in Science magazine.

"Next month, U.S. scientists Vinton G. Cerf and Robert E. Kahn will receive computing’s highest prize, the A. M. Turing Award, from the Association for Computing Machinery. Their Transmission Control Protocol (TCP), created in 1973, became the language of the Internet. Twenty years later, the Mosaic Web browser gave the Internet its public face. TCP and Mosaic illustrate the nature of computer science research, combining a quest for fundamental understanding with considerations of use. They also illustrate the essential role of government-sponsored university-based research in producing the ideas and people that drive innovation in information technology (IT).
Recent changes in the U.S. funding landscape have put this innovation pipeline at risk. The Defense Advanced Research Projects Agency (DARPA) funded TCP. The shock of the Soviet satellite Sputnik in 1957 led to the creation of the agency, which was charged with preventing future technological surprises. From its inception, DARPA funded long-term nonclassified IT research in academia, even during several wars, to leverage all the best minds. Much of this research was dual-use, with the results ultimately advancing military systems and spurring the IT industry. U.S. IT research grew largely under DARPA and the National Science Foundation (NSF). NSF relied on peer review, whereas DARPA bet on vision and reputation, complementary approaches that served the nation well."



Thursday, May 05, 2005

The Five Most Shocking Things about the ChoicePoint Debacle

A good, forceful article in CSO Magazine focuses on the implications for corporate security officers.

"At first, the ChoicePoint security breach seemed not only ordinary but almost insignificant. That same month, February, saw stories that had bigger numbers (Bank of America, 1.2 million names and Social Security numbers) and more sex appeal (T-Mobile, Paris Hilton) than the predictable details of the ChoicePoint case. Thousands of victims, compromised Social Security numbers, an arrest on charges of identity theft. Yada yada yada.
But somewhere along the way, the ChoicePoint saga became the spark that caused an explosion.
Maybe it was the fact that this wasn't a hack. Personal information of nearly 145,000 people wasn't stolen from ChoicePoint. In fact, the company sold the information to inadequately vetted bogus businesses--this when the company itself helps other businesses verify creds.
Maybe it was that the people whose information was compromised weren't customers of ChoicePoint, just accidental citizens of the vast databases of the Alpharetta, Ga.-based information broker.
Maybe it was the way that ChoicePoint behaved after the breach: from an initial, bumbling response that smacked of marketing, to a changing story about what had happened and how the company was responding, to the revelation that top executives had sold millions of dollars worth of stock between the time the fraud was discovered and when it was announced to the public.
Or maybe it was this last twisted bit of irony: ChoicePoint chairman and CEO Derek V. Smith had recently written two books about how individuals can protect themselves in the information age.
You can't make this stuff up."



Tuesday, May 03, 2005

Phishing figures show rise in Trojans

An article in Computerworld offers mixed news about phishing.

"The latest figures from the Anti-Phishing Working Group (APWG) offer cold comfort for anyone concerned about phishing. Although the number of attacks seems to have reached a plateau, phishing e-mails appear to be getting more sophisticated. In March, the total number of unique phishing e-mails reported to the organization was 13,353, a 2% increase on the figure for February. Although the volume of phishing e-mails has increased dramatically in the space of the last year -- mostly in the month of December -- the number has shown a marked leveling off in February and March and could now have peaked for the time being. In place of volume, however, there appears to be an increase in the breadth and sophistication of attacks. During March, the number of unique phishing sites increased 6.9% to 2,870, while the number of brands hijacked went up to 78 from 64 in the previous month."

"The APWG has started analyzing different types of phishing attacks and is now able to provide some sketchy figures that chart the rise of Trojan-based key-logging. Between November and December of 2004, when it started tracking them, the number of new key-loggers was running at one or two new variants per week, hosted on 10 to 15 new Web sites per week. By February and March, this had risen to eight to 10 key-loggers per week from around 100 Web sites. These attacks are initiated in a number of ways. In addition to the conventional e-mail routine, which invites e-mail users to click on a link to a Trojan-infected site, scammers are now using instant messaging to issue invites."
