Friday, March 28, 2008

When it's safer to lie

ComputerWorld has an article by Paul F. Roberts about the inherent weakness and dangers of "knowledge based authentication." This refers to the canned questions that many online entities use as secondary authenticators (e.g., when you need to recover a lost password).

For some time now, I've adopted the practice of making up harder-to-guess answers to such questions, e.g., saying that my first pet's name was OhMyGod, or that my mother's maiden name was Smithereens. It is important to give a different answer to each site, so that compromise of one site does not provide access to the others who use the same question. Of course, I then have to keep a record of what I have told each site, but I have control of that record.

You might think that if I can keep a per-site record of secondary authenticators, I can keep a per-site record of passwords. Of course, I do that, too, but you'd be surprised at how often I have to ask for a password reset, or a site de-authorizes my password, or some such thing, requiring using the secondary authenticator.

By the way, like most security professionals, I've stopped even trying to use memorable passwords for websites. I use machine-generated random strings of ten upper and lower case letters and digits. There are nearly 10^18 (a billion billion) of them, so guessing a random one is impractical for anyone with fewer resources than the NSA. By contrast, the success rate in the game of 20 Questions suggests that most people only have about a million memorable facts in their heads, and that there's a lot of overlap between different players' millions.
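As an added illustration (not the post's own code), the following Python builds the per-site record of machine-generated answers described above and works out the keyspace of a ten-character mixed-case alphanumeric string; the site and question names are constructed placeholders.

```python
import math
import secrets
import string

# Alphabet the post describes: upper- and lower-case letters plus digits (62 symbols).
ALPHABET = string.ascii_letters + string.digits


def keyspace(length: int, alphabet: str = ALPHABET) -> int:
    """Number of distinct strings of the given length over the alphabet."""
    return len(alphabet) ** length


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Guessing entropy of a uniformly random string, in bits."""
    return length * math.log2(len(alphabet))


def random_answer(length: int = 10, alphabet: str = ALPHABET) -> str:
    """A machine-generated answer drawn from the OS CSPRNG (secrets), not random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def per_site_answers(sites, questions, length: int = 10) -> dict:
    """Build the per-site record of fabricated answers the post describes.

    Every (site, question) pair gets its own independent random answer, so a
    breach of one site's answer store reveals nothing about the answer given
    to the same canned question elsewhere.
    """
    record = {}
    for site in sites:
        for question in questions:
            record[(site, question)] = random_answer(length)
    return record


def answers_are_distinct(record: dict) -> bool:
    """Check that no answer was reused across sites (the property that matters)."""
    answers = list(record.values())
    return len(answers) == len(set(answers))


if __name__ == "__main__":
    # Constructed sample sites and questions; placeholders, not real services.
    sites = ["bank.example", "mail.example", "shop.example"]
    questions = ["first pet's name", "mother's maiden name"]
    record = per_site_answers(sites, questions)
    for (site, question), answer in record.items():
        print(f"{site:14} {question:22} {answer}")
    print(f"keyspace for 10 chars: {keyspace(10):.3e} (~{entropy_bits(10):.1f} bits)")
    # The post's comparison: about a million memorable facts is roughly 20 bits.
    print(f"million memorable facts: ~{math.log2(1_000_000):.1f} bits")
```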



Wednesday, March 26, 2008

Loss of personal data still on the rise

An article by Mark Boslet in the San Jose Mercury News reports that 2007 was 40% worse than 2006 in terms of the number of reported personal data breaches in the US; however, the number of records compromised grew sixfold, to 128 million.

There's a good chance that at least one of those compromised records was yours.

"We think people are going to learn from their mistakes, but they aren't," said Mary Monahan, senior analyst at Javelin Strategy & Research, a Pleasanton research firm.

This is a clear example of market failure; more government intervention will apparently be needed to counter widespread organizational complacency. We would hardly know anything about it at all if California had not enacted its notification law.



But that was before we went public.


Security, Economics, and the Internal Market

Ross Anderson, Rainer Böhme, Richard Clayton, and Tyler Moore have just published a 114-page study commissioned by the European Network and Information Security Agency (ENISA). The executive summary contains 15 recommendations for the European Union, most of which are just as appropriate for the United States.
We recommend that the EU introduce a comprehensive security-breach notification law.

We recommend that the Commission (or the European Central Bank) regulate to ensure the publication of robust loss statistics for electronic crime.

We recommend that ENISA collect and publish data about the quantity of spam and other bad traffic emitted by European ISPs.

We recommend that the European Union introduce a statutory scale of damages against ISPs that do not respond promptly to requests for the removal of compromised machines, coupled with a right for users to have disconnected machines reconnected if they assume full liability.

We recommend that the EU develop and enforce standards for network-connected equipment to be secure by default.

We recommend that the EU adopt a combination of early responsible vulnerability disclosure and vendor liability for unpatched software to speed the patch-development cycle.

We recommend security patches be offered for free, and that patches be kept separate from feature updates.

The European Union should harmonise procedures for the resolution of disputes between customers and payment service providers over electronic transactions.

We recommend that the European Commission prepare a proposal for a Directive establishing a coherent regime of proportionate and effective sanctions against abusive online marketers.

ENISA should conduct research, coordinated with other affected stakeholders and the European Commission, to study what changes are needed to consumer-protection law as commerce moves online.

We recommend that ENISA should advise the competition authorities whenever diversity has security implications.

We recommend that ENISA sponsor research to better understand the effects of Internet exchange point (IXP) failures. We also recommend they work with telecomms regulators to insist on best practice in IXP peering resilience.

We recommend that the European Commission put immediate pressure on the 15 EU Member States that have yet to ratify the Council of Europe Convention on Cybercrime.

We recommend the establishment of an EU-wide body charged with facilitating international co-operation on cyber crime, using NATO as a model.

We recommend that ENISA champion the interests of the information security sector within the European Commission to ensure that regulations introduced for other purposes do not inadvertently harm security researchers and firms.
Thanks to Bruce Schneier for the pointer.



More Antarctic melting

Now it's the Wilkins Ice Shelf. Good New Scientist article by Catherine Brahic.
A thin strip of ice, just 6 kilometres wide, is all that is holding back the collapse of a huge ice shelf in Antarctica, according to glaciologists.

The Wilkins ice shelf – previously some 16,000 square kilometres in area – has been disintegrating fast. On 28 February, an iceberg 41 km long and 2.5 km wide broke off the ice shelf. This triggered the runaway disintegration of a further 570 square kilometres of ice.
"I would be very surprised if it survives more than a couple more melt seasons," says Ted Scambos of the University of Colorado, US.

Other researchers, including David Vaughan of the British Antarctic Survey, believe it could be gone within weeks. "The ice shelf is hanging by a thread – we'll know in the next few days or weeks what its fate will be," he says.
More news of Wilkins.

You can't cook a frog gradually, but maybe a civilization can cook itself?



Monday, March 24, 2008

2008 inductees to National Inventors Hall of Fame

The 2008 inductees to the National Inventors Hall of Fame (and their honored inventions) include



Friday, March 21, 2008

Partially filling the DARPA gap

Good analysis by Peter Harsha on the Computing Research Policy Blog.
While it's great news that two of the titans of the IT industry are stepping up to fill some of the gap left by DARPA's withdrawal, their $20 million investment over 5 years represents just a tiny fraction of the DARPA shortfall. The difference in DARPA funding for university computer science between 2001 and 2004 was $91 million annually ($214 million in FY 01 to $123 million in FY 04 in unadjusted dollars), and anecdotal evidence suggests that shortfall may be even larger now. The Microsoft-Intel investment is a bold move and big commitment to address a key challenge in computer science that's a primary concern for the two companies in the future. But it doesn't represent a sustainable alternative to filling the hole left in the IT R&D portfolio created by DARPA's absence.



U.S. unprepared for ongoing cyberwar

This story by Bob Brewin in says that we're already engaged in cyberwar, but aren't anywhere close to prepared.
"Cyberwarfare is already here.... It's one of our major challenges," said Defense Deputy Secretary Gordon England on Monday at the annual National Community Service and Legislative Conference of the Veterans of Foreign Wars.

"I think cyberattacks are probably analogous to the first time, way back when people had bows and arrows and spears," he said. "And somebody showed up with gunpowder and everybody said, 'Wow. What was that?'"

England made his comments the same day that the Pentagon released a report saying that the 2007 cyberattacks against its networks and those operated by other governments around the world "appear" to come from China.

During a Senate Armed Services Committee hearing last week, Sen. John Thune, D-S.D., asked National Intelligence Director Michael McConnell if the United States was prepared to deal with threats against military and civil networks and information systems. "We're not prepared to deal with it," said McConnell, identifying both China and Russia as adversaries who are attempting to penetrate U.S. information systems.

Army Lt. Gen. Michael Maples, director of the Defense Intelligence Agency, agreed with McConnell and told the panel that a key threat facing this country is the "sophisticated ability of select nations and nonstate groups to exploit and perhaps target for attack our computer networks."



Sorry, lost your tax return

This story speaks for itself.



Census Bureau's $2 Billion overrun

This post on a ZDnet blog says that the US Census Bureau faces cost overruns up to $2 billion on an IT initiative replacing paper-based data collection methods with specialized handheld devices for the upcoming 2010 census. The Bureau has not implemented longstanding Government Accountability Office (GAO) recommendations and may therefore be forced to scrap the program. Harris Corp., the contractor associated with this incompetently managed initiative, was awarded a $600 million contract to develop the handhelds and related software.
Managing an $11 billion initiative is a daunting task and unforeseen problems are inevitable. Nonetheless, the GAO, going back to January, 2005, repeatedly identified significant procurement, management, and operational risks associated with this project. For reasons unknown, the Census Bureau chose not to follow these recommendations.
An accurate census in 2010 is of enormous importance, affecting (among other things) the allocation of Congressional seats and funds in many federal programs for the next decade.

Quite a lot more relevant information here.



NJ election officials call for evoting investigation

A ComputerWorld article by Robert McMillan reports that a group representing county clerks in New Jersey has asked the state's attorney general to step in and investigate voting discrepancies observed in e-voting machines used in last month's presidential primary election.
"We want to know what the problems were and how do we fix them," Michael Dressler, the group's president, told IDG News Service.

Clerks from a half-dozen New Jersey counties reported discrepancies in the voting tallies generated by approximately 60 of the state's Sequoia Voting Systems AVC Advantage e-voting machines during last month's election. In most cases the discrepancy involved a one- or two-vote difference between the paper tape logged by the machine and the number of votes stored in the computer's memory cartridges.

Sequoia blamed the discrepancy on pollworker error and said the problem could be fixed with a software update, but state clerks wanted a third-party investigation.

Last Tuesday, Dressler's group asked Princeton computer science professor Edward Felten, a respected critic of e-voting systems, to examine the Sequoia machines. That plan was abandoned, however, after Sequoia threatened legal action against Felten and the county that offered to provide the systems, saying that such a review would violate the company's licensing agreement...

According to Joanne Rajoppi, the clerk with Union County New Jersey that had offered Felten the systems, Sequoia's explanation is not good enough. Her county has been using the Sequoia machines for about a decade, without incident. "We never had this problem in 10 years," she said. "Why did this problem never occur in another primary?"

Because only five or six counties double-checked their e-voting results, it's unclear how widespread the voting issues really were in New Jersey, Rajoppi said.
Updated to add: Ed Felten gives a very clear explanation of the nature and seriousness of the problem.



Tuesday, March 18, 2008

Supermarket chain exposed 4 million card numbers

According to this story in the New York Times, the Hannaford Brothers supermarket chain has reported a security breach that potentially exposed 4.2 million credit and debit card numbers. However, only 1,800 cases of resulting fraud have been identified so far.

Stay tuned.

This is a problem that won't go away until all companies processing financial information are put on the hook for all resulting losses, and are made to realize that they are on the hook. (Sarbanes-Oxley for the shopping and working public.) As with so many other things, public outrage is losing its force from sheer repetition of the offence.



Monday, March 17, 2008

UK ISPs to sell users' private browsing information

This shocking post by Mike Scott in RISKS DIGEST deserves the widest possible publicity--and condemnation of the plan.
Three major UK ISPs apparently are in advanced talks with a company called Phorm, intending to let Phorm monitor all unsecured web traffic to and from their users. The expressed intent is to offer an "improved browsing experience" through better targeted web advertising, and anti-phishing protection - thereby "improving" one's internet security. One, BT, has already trialed the system...

Phorm claim the data is summarized and anonymized; regular readers of RISKS will I'm sure be aware that true anonymization is exceedingly difficult--and in fact this scheme would give ready access to identities should anyone take the trouble. Quite apart from being a breach of trust by the ISPs involved, it appears to drive a coach, horses and a whole army through protection offered by assorted UK legislation, including the Data Protection Act, Computer Misuse Act, Regulation of Regulatory Powers Act, etc, etc. It will if nothing else provide a central point for cracking to obtain information about these ISPs' users.
Edited on 4/9/08 to add: Phorm is also seeking deals with US ISPs. For more technical detail on what Phorm is doing and why it is pernicious, see "Phorm's All-seeing Parasite Cookie."



Monday, March 10, 2008

Translate the net for the whole world

I know, it's simply too easy to ridicule existing machine translation services. But Microsoft Research is trumpeting a new advance, so I thought I'd look again.

Here is the result of translating the first few of their paragraphs into German:
Leute benutzen auf der ganzen Erde das tägliche Internet, um Waren oder Dienstleistungen zu kaufen, um zu Information zu suchen, Ablenkungen zu finden.

Aber ist das World Wide Web wirklich weltweit?

Es ist schwierig, den Fall zu bilden. Schätzungen behaupten, dass ungefähr 70 Prozent Webseiten heute in der englischen Sprache verursacht werden, während der Prozentsatz der nicht-Englischen Lautsprecher schneller als der der englischen Lautsprecher wächst. So was, wenn Sie nicht Englisch sprechen? Oder was, wenn Sie tun und Sie finden eine interessante Seite geschrieben auf Deutsch? Oder Russe? Oder Chinese?

Microsoft-Forschungsziele zu bitte.
If you find that hard to read, here's their translation back to English:
People use the daily Internet on whole earth, in order to buy goods or services to find in order to search to information, diversons.

But the World Wide Web is really world-wide?

It is difficult to form the case. Estimations maintain that approximately 70 per cent of web pages is caused today in the English language, while the percentage of the non-English loudspeakers grows faster than that of the English loudspeakers. So which, if you do not speak English? Or which, if you do and you find an interesting side written on German? Or Russian? Or Chinese?

Microsoft aims of research too ask.
If German is too hard, let's try Portuguese:
Os povos usam pelo mundo inteiro o Internet diário, para comprar bens ou serviços, para procurarar pela informação, para encontrar diversões.

Mas é o World Wide Web verdadeiramente mundial?

É difícil fazer o caso. As estimativas reivindicam que aproximadamente 70 por cento dos Web pages estão criados hoje na língua inglesa, quando a porcentagem de altofalantes não-Ingleses crescer mais rapidamente do que aquele de altofalantes ingleses. Assim que se você não fala o inglês? Ou que se você faz e você encontra uma página interessante escrita no alemão? Ou russo? Ou chinês?

Alvos de pesquisa de Microsoft a por favor.
And back:
The peoples use for the entire world the daily Internet, to buy good or services, to procurarar for the information, to find diversions.

But it is the truily world-wide World Wide Web?

It is difficult to make the case. The 70 estimates demand that approximately percent of the Web pages are created today in the English language, when the percentage of not-English speakers to grow more quickly of what that one of English speakers. As soon as if you do not say the English? Or that if you make and you find an interesting page writing in the German? Or Russian? Or Chinese?

Targets of research of Microsoft please.
I have two concerns about such machine translation services:
  1. Under copyright law, a translation is a "derivative work." Wholesale translation and publication without the permission of the copyright holder appears to be a violation of copyright law.
  2. If someone reads one of these translations and acts on it, who is legally responsible for any errors? E.g., accidental libels, inaccurate description of products, risible renderings of serious literary works or policy whitepapers, ...
